From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Raphael Pavlidis <raphael.pavlidis@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH v3 1/1] package/shadow: new package
Date: Mon, 5 Dec 2022 22:55:58 +0100
Message-ID: <20221205215558.GI2855@scaer>
In-Reply-To: <20221013163432.18545-1-raphael.pavlidis@gmail.com>
Raphael, All,
On 2022-10-13 18:34 +0200, Raphael Pavlidis spake thusly:
> shadow provides utilities to deal with user accounts.
>
> The shadow package includes the necessary programs for converting UNIX
> password files to the shadow password format, plus programs for managing
> user and group accounts. Especially it is useful if rootless podman
> container should be used, which requires newuidmap and newgidmap.
>
> Signed-off-by: Raphael Pavlidis <raphael.pavlidis@gmail.com>
I was about to apply this, after fixing the minor issues (see below),
but there is a rather major blocker, see below too...
> ---
[--SNIP--]
> diff --git a/package/shadow/Config.in b/package/shadow/Config.in
> new file mode 100644
> index 0000000000..6b1fe0a61f
> --- /dev/null
> +++ b/package/shadow/Config.in
> @@ -0,0 +1,61 @@
[--SNIP--]
> +config BR2_PACKAGE_SHADOW_ACCOUNT_TOOLS_SETUID
> + bool "account-tools-setuid"
> + depends on BR2_USE_MMU # linux-pam
> + depends on BR2_ENABLE_LOCALE # linux-pam
> + depends on BR2_USE_WCHAR # linux-pam
> + depends on !BR2_STATIC_LIBS # linux-pam
> + select BR2_PACKAGE_LINUX_PAM
> + help
> + Install the user and group management tools (e.g. groupadd) with setuid and
$ make check-package
package/shadow/Config.in:24: help text: <tab><2 spaces><62 chars> (http://nightly.buildroot.org/#writing-rules-config-in)
[--SNIP--]
> +config BR2_PACKAGE_SHADOW_SUBORDINATE_IDS
> + bool "subordinate-ids"
> + help
> + Support subordinate ids. Helpful to use container solution like podman
$ make check-package
package/shadow/Config.in:39: help text: <tab><2 spaces><62 chars> (http://nightly.buildroot.org/#writing-rules-config-in)
[--SNIP--]
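Review bot: the help for BR2_PACKAGE_SHADOW_SUBORDINATE_IDS, as far as it is shown, only says "Support subordinate ids", while shadow.mk adds $(SHADOW_SUBORDINATE_IDS_PERMISSIONS) to the permission table for it. The help should name the binaries the option is about (newuidmap and newgidmap, per the commit message) and say that they are installed with special permissions, so that whoever selects it knows what lands on the target. Separately, BR2_PACKAGE_SHADOW_ACCOUNT_TOOLS_SETUID carries four "depends on" lines inherited from linux-pam; if the snipped part has no matching "comment" entry, add one so the option does not silently disappear on toolchains without wchar, locale or dynamic library support.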
> diff --git a/package/shadow/shadow.mk b/package/shadow/shadow.mk
> new file mode 100644
> index 0000000000..261f28dd28
> --- /dev/null
> +++ b/package/shadow/shadow.mk
> @@ -0,0 +1,133 @@
> +################################################################################
> +#
> +# shadow
> +#
> +################################################################################
> +
> +SHADOW_VERSION = 4.11.1
Why 4.11.1? It was released on 2022-01-03, and is affected by
CVE-2013-4235, with version 4.12.2 being the first to include the fix
for it, and there is now 4.13:
https://www.cve.org/CVERecord?id=CVE-2013-4235
https://github.com/shadow-maint/shadow/releases/tag/4.12.2
https://github.com/shadow-maint/shadow/pull/545
> +SHADOW_SITE = https://github.com/shadow-maint/shadow/releases/download/v$(SHADOW_VERSION)
> +SHADOW_SOURCE = shadow-$(SHADOW_VERSION).tar.xz
> +SHADOW_LICENSE = BSD-3-Clause
> +SHADOW_LICENSE_FILES = COPYING
And:
SHADOW_CPE_ID_VENDOR = debian
=> https://nvd.nist.gov/products/cpe/detail/11DE0412-97D8-4ABC-9807-101628A40DBE?namingFormat=2.3&orderBy=CPEURI&keyword=shadow&status=FINAL
> +SHADOW_CONF_OPTS = \
> + --disable-man \
> + --without-btrfs \
> + --without-nscd \
> + --without-skey \
> + --without-sssd \
> + --without-su \
> + --without-tcb
$ make check-package
package/shadow/shadow.mk:15: expected indent with tabs
package/shadow/shadow.mk:16: expected indent with tabs
package/shadow/shadow.mk:17: expected indent with tabs
package/shadow/shadow.mk:18: expected indent with tabs
package/shadow/shadow.mk:19: expected indent with tabs
package/shadow/shadow.mk:20: expected indent with tabs
> +ifeq ($(BR2_PACKAGE_SHADOW_SHADOWGRP),y)
> +SHADOW_CONF_OPTS += --enable-shadowgrp
> +else
> +SHADOW_CONF_OPTS += --disable-shadowgrp
> +endif
> +
> +ifeq ($(BR2_PACKAGE_SHADOW_ACCOUNT_TOOLS_SETUID),y)
> +SHADOW_CONF_OPTS += --enable-account-tools-setuid
> +define SHADOW_ACCOUNT_TOOLS_SETUID_PERMISSIONS
This is named SHADOW_ACCOUNT_TOOLS_SETUID_PERMISSIONS, but [0]...
> + /usr/sbin/chgpasswd f 4755 0 0 - - - - -
> + /usr/sbin/chpasswd f 4755 0 0 - - - - -
> + /usr/sbin/groupadd f 4755 0 0 - - - - -
> + /usr/sbin/groupdel f 4755 0 0 - - - - -
> + /usr/sbin/groupmod f 4755 0 0 - - - - -
> + /usr/sbin/newusers f 4755 0 0 - - - - -
> + /usr/sbin/useradd f 4755 0 0 - - - - -
> + /usr/sbin/usermod f 4755 0 0 - - - - -
What about userdel?
[--SNIP--]
> +define SHADOW_PERMISSIONS
> + /usr/bin/chage f 4755 0 0 - - - - -
> + /usr/bin/chfn f 4755 0 0 - - - - -
> + /usr/bin/chsh f 4755 0 0 - - - - -
> + /usr/bin/expiry f 4755 0 0 - - - - -
> + /usr/bin/gpasswd f 4755 0 0 - - - - -
> + /usr/bin/newgrp f 4755 0 0 - - - - -
> + /usr/bin/passwd f 4755 0 0 - - - - -
> + $(SHADOW_ACCOUNT_TOOLS_SETUID)
... [0] here the expansion uses the wrong name...
So, I had fixed all the minor issues, but the version bump will require
a bit more testing than I can do locally. Nicolas (in Cc), who reviewed
this patch, said he had a runtime test; maybe you can both sync to get
that test part of the series when you respin?
Regards,
Yann E. MORIN.
> + $(SHADOW_SUBORDINATE_IDS_PERMISSIONS)
> +endef
> +
> +$(eval $(autotools-package))
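Review bot: SHADOW_PERMISSIONS marks chage, chfn, chsh, expiry, gpasswd, newgrp and passwd as 4755 owned by 0:0 with no option guarding them in the lines shown, so a configuration that enables the package only for newuidmap and newgidmap (the use case given in the commit message) still ships seven setuid-root binaries. Consider putting them behind a sub-option, or at least add a comment above the define stating where the list comes from, so it can be rechecked against upstream's install rules on each version bump. The same comment would help for the hand-maintained /usr/sbin list in SHADOW_ACCOUNT_TOOLS_SETUID_PERMISSIONS.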
> --
> 2.35.1
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'