From a34eafaa3866a1f457d9c128f674cf9daeb2974e Mon Sep 17 00:00:00 2001 From: Jakub Jirutka Date: Sat, 23 Jul 2016 01:04:24 +0200 Subject: testing/shadow: add patch for verbose error when uid doesn't match --- testing/shadow/APKBUILD | 12 ++-- .../verbose-error-when-uid-doesnt-match.patch | 75 ++++++++++++++++++++++ 2 files changed, 83 insertions(+), 4 deletions(-) create mode 100644 testing/shadow/verbose-error-when-uid-doesnt-match.patch (limited to 'testing/shadow') diff --git a/testing/shadow/APKBUILD b/testing/shadow/APKBUILD index e7c4522eef..4e0587894f 100644 --- a/testing/shadow/APKBUILD +++ b/testing/shadow/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Stuart Cardall pkgname=shadow pkgver=4.2.1 -pkgrel=3 +pkgrel=4 pkgdesc="PAM-using login and passwd utilities (usermod / useradd / newuidmap etc)" url="http://pkg-shadow.alioth.debian.org/" arch="all" @@ -14,6 +14,7 @@ source="http://pkg-shadow.alioth.debian.org/releases/shadow-$pkgver.tar.xz login.pamd dots-in-usernames.patch cross-size-checks.patch + verbose-error-when-uid-doesnt-match.patch " options="suid" builddir="$srcdir/shadow-$pkgver" @@ -69,12 +70,15 @@ package() { md5sums="2bfafe7d4962682d31b5eba65dba4fc8 shadow-4.2.1.tar.xz 72dfc077a61ab7163e312640cc98bba8 login.pamd f5fe3d7351d5e4046588b652c482c170 dots-in-usernames.patch -75bc0cafb44aa86075d2ec056816cc3e cross-size-checks.patch" +75bc0cafb44aa86075d2ec056816cc3e cross-size-checks.patch +6d938a758cba620dde3b9e4ce6e87703 verbose-error-when-uid-doesnt-match.patch" sha256sums="3b0893d1476766868cd88920f4f1231c4795652aa407569faff802bcda0f3d41 shadow-4.2.1.tar.xz c0d0f2f77133b0663c5a578afeba45d5a9c703ff6f3f6aba3727dfe01877dac0 login.pamd ee58c622d1e8283dc4b17e93cc5e68f4ea4336654ebcfb48e46e0efaa864b77f dots-in-usernames.patch -fc3e32ddfc8eeb284412e8df7ad045ad27b742f5ee733db1a0bc14c97480e013 cross-size-checks.patch" +fc3e32ddfc8eeb284412e8df7ad045ad27b742f5ee733db1a0bc14c97480e013 cross-size-checks.patch +7d9156d39afa3a937fc64130b1bfe0ddc1dd593caa629f29410ebbf84c258568 verbose-error-when-uid-doesnt-match.patch" sha512sums="7a14bf8e08126f0402e37b6e4c559615ced7cf829e39156d929ed05cd8813de48a77ff1f7f6fe707da04cf662a2e9e84c22d63d88dd1ed13f935fde594db95f0 shadow-4.2.1.tar.xz 46a6f83f3698e101b58b8682852da749619412f75dfa85cecad03d0847f6c3dc452d984510db7094220e4570a0565b83b0556e16198ad894a3ec84b3e513d58d login.pamd 745eea04c054226feba165b635dbb8570b8a04537d41e914400a4c54633c3a9cf350da0aabfec754fb8cf3e58fc1c8cf597b895506312f19469071760c11f31d dots-in-usernames.patch -c46760254439176babeef24d93900914092655af3a48f54385adf6ef5a3af76799fb7e96083acd27853d6ab6d7392543dbaf70bb26f164519e92f677da7851a4 cross-size-checks.patch" +c46760254439176babeef24d93900914092655af3a48f54385adf6ef5a3af76799fb7e96083acd27853d6ab6d7392543dbaf70bb26f164519e92f677da7851a4 cross-size-checks.patch +1b3513772a7a0294b587723213e4464cc5a1a42ae6a79e9b9f9ea20083684a21d81e362f44d87ce2e6de2daf396d8422b39019923c0b0cbb44fa4c4c24613c0c verbose-error-when-uid-doesnt-match.patch" diff --git a/testing/shadow/verbose-error-when-uid-doesnt-match.patch b/testing/shadow/verbose-error-when-uid-doesnt-match.patch new file mode 100644 index 0000000000..6f104b438c --- /dev/null +++ b/testing/shadow/verbose-error-when-uid-doesnt-match.patch @@ -0,0 +1,75 @@ +From: Hank Leininger +Date: Mon, 6 Apr 2015 08:22:48 -0500 +Subject: [PATCH] Expand the error message when newuidmap / newgidmap do not + like the user/group ownership of their target process. + +Currently the error is just: + +newuidmap: Target [pid] is owned by a different user + +With this patch it will be like: + +newuidmap: Target [pid] is owned by a different user: uid:0 pw_uid:0 st_uid:0, gid:0 pw_gid:0 st_gid:99 + +Why is this useful? Well, in my case... + +The grsecurity kernel-hardening patch includes an option to make parts +of /proc unreadable, such as /proc/pid/ dirs for processes not owned by +the current uid. This comes with an option to make /proc/pid/ +directories readable by a specific gid; sysadmins and the like are then +put into that group so they can see a full 'ps'. + +This means that the check in new[ug]idmap fails, as in the above quoted +error - /proc/[targetpid] is owned by root, but the group is 99 so that +users in group 99 can see the process. + +Some Googling finds dozens of people hitting this problem, but not +*knowing* that they have hit this problem, because the errors and +circumstances are non-obvious. + +Some graceful way of handling this and not failing, will be next ;) But +in the meantime it'd be nice to have new[ug]idmap emit a more useful +error, so that it's easier to troubleshoot. + +Thanks! + +Signed-off-by: Hank Leininger +Signed-off-by: Serge Hallyn +--- + src/newgidmap.c | 6 ++++-- + src/newuidmap.c | 6 ++++-- + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/src/newgidmap.c b/src/newgidmap.c +index a532b45..451c6a6 100644 +--- a/src/newgidmap.c ++++ b/src/newgidmap.c +@@ -161,8 +161,10 @@ int main(int argc, char **argv) + (getgid() != pw->pw_gid) || + (pw->pw_uid != st.st_uid) || + (pw->pw_gid != st.st_gid)) { +- fprintf(stderr, _( "%s: Target %u is owned by a different user\n" ), +- Prog, target); ++ fprintf(stderr, _( "%s: Target %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ), ++ Prog, target, ++ (unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid, ++ (unsigned long int)getgid(), (unsigned long int)pw->pw_gid, (unsigned long int)st.st_gid); + return EXIT_FAILURE; + } + +diff --git a/src/newuidmap.c b/src/newuidmap.c +index 5150078..9c8bc1b 100644 +--- a/src/newuidmap.c ++++ b/src/newuidmap.c +@@ -161,8 +161,10 @@ int main(int argc, char **argv) + (getgid() != pw->pw_gid) || + (pw->pw_uid != st.st_uid) || + (pw->pw_gid != st.st_gid)) { +- fprintf(stderr, _( "%s: Target %u is owned by a different user\n" ), +- Prog, target); ++ fprintf(stderr, _( "%s: Target process %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ), ++ Prog, target, ++ (unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid, ++ (unsigned long int)getgid(), (unsigned long int)pw->pw_gid, (unsigned long int)st.st_gid); + return EXIT_FAILURE; + } \ No newline at end of file -- cgit v1.2.3