[Pkg-shadow-devel] getting tcb patches into shadow
Nicolas François
nicolas.francois at centraliens.net
Fri Jan 29 17:08:44 UTC 2010
Hi,
On Fri, Jan 29, 2010 at 05:32:51PM +0100, phajdan.jr at gentoo.org wrote:
> Okay, attached an updated patch. Please review it, as for me it's ready.
> I can fix any remaining issues, but feel free to make some further
> changes to make it better.
Not really a review, just some thoughts (and this will not prevent
committing anyway)
> Index: src/pwconv.c
> ===================================================================
> --- src/pwconv.c (revision 3088)
> +++ src/pwconv.c (working copy)
> @@ -133,6 +133,11 @@
>
> OPENLOG ("pwconv");
>
> + if (getdef_bool("USE_TCB")) {
> + fprintf(stderr, _("%s: can't work with tcb enabled\n"), Prog);
> + fail_exit(E_FAILURE);
> + }
> +
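Review bot: the getdef_bool("USE_TCB") check here is compiled in unconditionally, while the tcb code added to src/vipw.c in this same patch sits under #ifdef WITH_TCB. Wrapping this block in #ifdef WITH_TCB as well would keep the two files consistent and keep the check out of builds without tcb support. The three new calls also drop the space before the opening parenthesis that the surrounding code uses, as in OPENLOG ("pwconv").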
Is it impossible to implement a pwconv with TCB?
Or should it be something like "does not work yet with tcb enabled\n"?
> Index: src/vipw.c
> ===================================================================
> --- src/vipw.c (revision 3088)
> +++ src/vipw.c (working copy)
> @@ -300,15 +337,41 @@
> * without saving). Use pwck or grpck to do the check. --marekm
> */
> createedit = false;
> +#ifdef WITH_TCB
> + if (tcb_mode) {
> + if (!(f = fopen(fileedit, "r")))
> + vipwexit (_("failed to open scratch file"), errno, 1);
> + if (unlink(fileedit))
> + vipwexit (_("failed to unlink scratch file"), errno, 1);
> + if (!shadowtcb_drop_priv())
> + vipwexit (_("failed to gain privileges"), errno, 1);
That's a failed to drop privileges.
> + if (stat(file, &st1))
> + vipwexit (_("failed to stat edited file"), errno, 1);
> + asprintf(&to_rename, "%s+", file);
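Review bot: the return value of asprintf(&to_rename, "%s+", file) is not checked, unlike the fopen, unlink and stat calls just above it in this hunk. When asprintf fails it returns -1 and the contents of to_rename are undefined, so test for -1 and leave through vipwexit the same way the neighbouring calls do.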
asprintf is GNU specific, if it could be avoided, that would be better.
> Index: man/login.defs.d/TCB_SYMLINKS.xml
> Index: man/login.defs.d/TCB_AUTH_GROUP.xml
> Index: man/login.defs.d/USE_TCB.xml
> Index: man/generate_mans.mak
> Index: man/login.defs.5.xml
> Index: man/vipw.8.xml
> Index: man/generate_mans.deps
> Index: man/Makefile.am
> Index: NEWS
Thanks a lot for thinking about these!
BTW, do you think the format should be described in shadow(5)?
Best Regards,
--
Nekral