Opened 7 years ago

Closed 7 years ago

#4037 closed task (fixed)


Reported by: bdubbs@… Owned by: lfs-book@…
Priority: normal Milestone: 8.0
Component: Book Version: SVN
Severity: normal Keywords:


It looks like shadow moved to git:

The 4.4 version was released on September 18.

Note that there is a security advisory for 4.2.1:

I don't know if that applies to 4.4 or not.

Download URL:

  • Changes since 4.2.1:
  • Documentation, error report and translations updates
  • Replace path_max with 32
  • User namespace support fixes/updates including:
    • Correct sanity checks in newXidmap
    • Fix building without subuid support
    • Add /etc/subuid support for UID matching
    • Support subuid for nonlocal users
    • Default to 65536 subuid allocations
    • Respect -r
    • Check for range overflows
  • Add tests from svn tree
  • Use AC_CHECK_SIZEOF for uid_t size checks
  • Accomodate missing /etc and login.defs
  • Support FORCE_SHADOW
  • Be more robust in hostile environment
  • Allow removing a primary group
  • Clear passwords on pw_dup errors
  • Memory leak fix in commonio_update and get_map_ranges
  • Fix resource leak in syslog_sg
  • Fix user busy error at userdel
  • Support set/clear lastlog record via lastlog command
  • Add --no-create-home as longopt for -M
  • Fix signal races
  • Reduce syslog priority of common usage events

Attachments (1) (645 bytes ) - added by bdubbs@… 7 years ago.
shadow script for use inside chroot

Download all attachments as: .zip

Change History (9)

comment:1 by bdubbs@…, 7 years ago

In my initial review, it appears that the new tarball is just a drop in. None of the seds or other instructions need ot be changed.

comment:2 by DJ Lucas, 7 years ago

su.c:376:3: error: too few arguments to function ‘snprintf’

Needs: sed '/snprintf/s@_msg,@_msg, 256,@' -i src/su.c

Edit: I had a broken search pattern, it needs the search string and was missing second comma above. Tested, checks OK.

Last edited 7 years ago by DJ Lucas (previous) (diff)

comment:3 by bdubbs@…, 7 years ago

I don't understand DJ. The book's current instructions worked fine for me.

OK. Made a script and logged it. Ran in chroot.

The only reference to su.c is:

gcc -DHAVE_CONFIG_H -I. -I.. -I../lib -I../libmisc -DLOCALEDIR=\"/usr/share/locale\" -g -O2 -MT su.o -MD -MP -MF .deps/su.Tpo -c -o su.o su.c
su.c: In function 'main':
su.c:1162:12: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]

argv[-1] = cp;

mv -f .deps/su.Tpo .deps/su.Po

The LFS build was SVN-20170122.

Last edited 7 years ago by bdubbs@… (previous) (diff)

by bdubbs@…, 7 years ago

Attachment: added

shadow script for use inside chroot

comment:4 by DJ Lucas, 7 years ago

I'm sorry, that's for shadow with Linux-PAM, not needed for LFS, only BLFS.



From src/su.c:

#ifdef USE_PAM
static char kill_msg[256];
static char wait_msg[256];

comment:5 by bdubbs@…, 7 years ago

Yes, just figured that out.

comment:6 by DJ Lucas, 7 years ago

Okay, as to the security vulnerability using getlogin, still an issue in 4.4.

Fix for CVE-2016-6251: And the Suse bug (links to the patch): This one is clearly not applied.

I was not able to find a patch for CVE-2016-6252 to verify, but reading the bugs suggests that it was fixed in 4.3.1. The bugs were crossed, so ignore comment #1, but read comments 2-4 at for details.

comment:7 by bdubbs@…, 7 years ago

I checked the patch and two of the hunks are already applied. For the other:

sed -i -e '/47/d' -e /60,65/d' libmisc/myname.c

will do it.

comment:8 by bdubbs@…, 7 years ago

Resolution: fixed
Status: newclosed

Fixed at revision 11174.

Note: See TracTickets for help on using tickets.