On Thu, 20 Aug 2015 23:45:33 +0000
Stuart Cardall <developer@it-offshore.co.uk> wrote:
> 2 patches from gentoo were also added
>
> the segfault breaking unprivileged lxc containers is traced at:
>
> http://bugs.alpinelinux.org/issues/4544
> ---
> testing/shadow/APKBUILD | 27 ++++++++++++++++------
> testing/shadow/cross-size-checks.patch | 42 ++++++++++++++++++++++++++++++++++
> testing/shadow/dots-in-usernames.patch | 11 +++++++++
> 3 files changed, 73 insertions(+), 7 deletions(-)
> create mode 100644 testing/shadow/cross-size-checks.patch
> create mode 100644 testing/shadow/dots-in-usernames.patch
>
> diff --git a/testing/shadow/APKBUILD b/testing/shadow/APKBUILD
> index 2dd17de..5be9e70 100644
> --- a/testing/shadow/APKBUILD
> +++ b/testing/shadow/APKBUILD
> @@ -10,10 +10,12 @@ license="GPL"
> depends=
> depends_dev="linux-pam-dev"
> makedepends="$depends_dev"
> -install=""
> -subpackages="$pkgname-doc"
> +subpackages="$pkgname-doc $pkgname-dbg"
> source="http://pkg-shadow.alioth.debian.org/releases/shadow-$pkgver.tar.xz
> - login.pamd"
> + login.pamd
> + dots-in-usernames.patch
> + cross-size-checks.patch
> + "
why do we need the dots in usernames check?
> options="suid"
>
> _builddir="$srcdir"/shadow-$pkgver
> @@ -29,14 +31,15 @@ prepare() {
>
> build() {
> cd "$_builddir"
> + CFLAGS="$CFLAGS -O0"
why do we need to set -O0?
> ./configure --prefix=/usr \
> --sysconfdir=/etc \
> --mandir=/usr/share/man \
> --infodir=/usr/share/info \
> --localstatedir=/var \
> --without-nscd \
> - --without-nologin \
> --disable-nls \
> + --without-group-name-max-length \
What has --without-group-name-max-lenght to do with this? Why is it
needed?
> || return 1
> make || return 1
> }
> @@ -61,11 +64,21 @@ package() {
> # avoid conflict with man-pages
> rm "$pkgdir"/usr/share/man/man3/getspnam.3* \
> "$pkgdir"/usr/share/man/man5/passwd.5* || return 1
> +
> + # for unprivileged lxc containera
> + touch "$pkgdir"/etc/subuid
> + touch "$pkgdir"/etc/subgid
> }
>
> md5sums="2bfafe7d4962682d31b5eba65dba4fc8 shadow-4.2.1.tar.xz
> -72dfc077a61ab7163e312640cc98bba8 login.pamd"
> +72dfc077a61ab7163e312640cc98bba8 login.pamd
> +f5fe3d7351d5e4046588b652c482c170 dots-in-usernames.patch
> +75bc0cafb44aa86075d2ec056816cc3e cross-size-checks.patch"
> sha256sums="3b0893d1476766868cd88920f4f1231c4795652aa407569faff802bcda0f3d41 shadow-4.2.1.tar.xz
> -c0d0f2f77133b0663c5a578afeba45d5a9c703ff6f3f6aba3727dfe01877dac0 login.pamd"
> +c0d0f2f77133b0663c5a578afeba45d5a9c703ff6f3f6aba3727dfe01877dac0 login.pamd
> +ee58c622d1e8283dc4b17e93cc5e68f4ea4336654ebcfb48e46e0efaa864b77f dots-in-usernames.patch
> +fc3e32ddfc8eeb284412e8df7ad045ad27b742f5ee733db1a0bc14c97480e013 cross-size-checks.patch"
> sha512sums="7a14bf8e08126f0402e37b6e4c559615ced7cf829e39156d929ed05cd8813de48a77ff1f7f6fe707da04cf662a2e9e84c22d63d88dd1ed13f935fde594db95f0 shadow-4.2.1.tar.xz
> -46a6f83f3698e101b58b8682852da749619412f75dfa85cecad03d0847f6c3dc452d984510db7094220e4570a0565b83b0556e16198ad894a3ec84b3e513d58d login.pamd"
> +46a6f83f3698e101b58b8682852da749619412f75dfa85cecad03d0847f6c3dc452d984510db7094220e4570a0565b83b0556e16198ad894a3ec84b3e513d58d login.pamd
> +745eea04c054226feba165b635dbb8570b8a04537d41e914400a4c54633c3a9cf350da0aabfec754fb8cf3e58fc1c8cf597b895506312f19469071760c11f31d dots-in-usernames.patch
> +c46760254439176babeef24d93900914092655af3a48f54385adf6ef5a3af76799fb7e96083acd27853d6ab6d7392543dbaf70bb26f164519e92f677da7851a4 cross-size-checks.patch"
> diff --git a/testing/shadow/cross-size-checks.patch b/testing/shadow/cross-size-checks.patch
> new file mode 100644
> index 0000000..bd451ba
> --- /dev/null
> +++ b/testing/shadow/cross-size-checks.patch
> @@ -0,0 +1,42 @@
> +From 2cb54158b80cdbd97ca3b36df83f9255e923ae3f Mon Sep 17 00:00:00 2001
> +From: James Le Cuirot <chewi@aura-online.co.uk>
> +Date: Sat, 23 Aug 2014 09:46:39 +0100
> +Subject: [PATCH] Check size of uid_t and gid_t using AC_CHECK_SIZEOF
> +
> +This built-in check is simpler than the previous method and, most
> +importantly, works when cross-compiling.
> +
> +Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
> +---
> + configure.in | 14 ++++----------
> + 1 file changed, 4 insertions(+), 10 deletions(-)
> +
> +diff --git a/configure.in b/configure.in
> +index 1a3f841..4a4d6d0 100644
> +--- a/configure.in
> ++++ b/configure.in
> +@@ -335,16 +335,10 @@ if test "$enable_subids" != "no"; then
> + dnl
> + dnl FIXME: check if 32 bit UIDs/GIDs are supported by libc
> + dnl
> +- AC_RUN_IFELSE([AC_LANG_SOURCE([
> +-#include <sys/types.h>
> +-int main(void) {
> +- uid_t u;
> +- gid_t g;
> +- return (sizeof u < 4) || (sizeof g < 4);
> +-}
> +- ])], [id32bit="yes"], [id32bit="no"])
> +-
> +- if test "x$id32bit" = "xyes"; then
> ++ AC_CHECK_SIZEOF([uid_t],, [#include "sys/types.h"])
> ++ AC_CHECK_SIZEOF([gid_t],, [#include "sys/types.h"])
> ++
> ++ if test "$ac_cv_sizeof_uid_t" -ge 4 && test "$ac_cv_sizeof_gid_t" -ge 4; then
> + AC_DEFINE(ENABLE_SUBIDS, 1, [Define to support the subordinate IDs.])
> + enable_subids="yes"
> + else
> +--
> +2.3.6
> +
> +
> diff --git a/testing/shadow/dots-in-usernames.patch b/testing/shadow/dots-in-usernames.patch
> new file mode 100644
> index 0000000..b684c9d
> --- /dev/null
> +++ b/testing/shadow/dots-in-usernames.patch
> @@ -0,0 +1,11 @@
> +--- shadow-4.1.3/libmisc/chkname.c
> ++++ shadow-4.1.3/libmisc/chkname.c
> +@@ -66,6 +66,7 @@
> + ( ('0' <= *name) && ('9' >= *name) ) ||
> + ('_' == *name) ||
> + ('-' == *name) ||
> ++ ('.' == *name) ||
> + ( ('$' == *name) && ('\0' == *(name + 1)) )
> + )) {
> + return false;
> +
---
Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org
Help: alpine-aports+help@lists.alpinelinux.org
---
The 2 patches are used by gentoo in shadow.
http://data.gpo.zugaina.org/gentoo/sys-apps/shadow/files/
The CFLAGS change is temporary & is to help find the segfault. It stops
"<optimized out>" appearing in GDB
Stuart.
On 31/08/15 10:07, Natanael Copa wrote:
> On Thu, 20 Aug 2015 23:45:33 +0000
> Stuart Cardall <developer@it-offshore.co.uk> wrote:
>
>> 2 patches from gentoo were also added
>>
>> the segfault breaking unprivileged lxc containers is traced at:
>>
>> http://bugs.alpinelinux.org/issues/4544
>> ---
>> testing/shadow/APKBUILD | 27 ++++++++++++++++------
>> testing/shadow/cross-size-checks.patch | 42 ++++++++++++++++++++++++++++++++++
>> testing/shadow/dots-in-usernames.patch | 11 +++++++++
>> 3 files changed, 73 insertions(+), 7 deletions(-)
>> create mode 100644 testing/shadow/cross-size-checks.patch
>> create mode 100644 testing/shadow/dots-in-usernames.patch
>>
>> diff --git a/testing/shadow/APKBUILD b/testing/shadow/APKBUILD
>> index 2dd17de..5be9e70 100644
>> --- a/testing/shadow/APKBUILD
>> +++ b/testing/shadow/APKBUILD
>> @@ -10,10 +10,12 @@ license="GPL"
>> depends=
>> depends_dev="linux-pam-dev"
>> makedepends="$depends_dev"
>> -install=""
>> -subpackages="$pkgname-doc"
>> +subpackages="$pkgname-doc $pkgname-dbg"
>> source="http://pkg-shadow.alioth.debian.org/releases/shadow-$pkgver.tar.xz
>> - login.pamd"
>> + login.pamd
>> + dots-in-usernames.patch
>> + cross-size-checks.patch
>> + "
> why do we need the dots in usernames check?
>
>> options="suid"
>>
>> _builddir="$srcdir"/shadow-$pkgver
>> @@ -29,14 +31,15 @@ prepare() {
>>
>> build() {
>> cd "$_builddir"
>> + CFLAGS="$CFLAGS -O0"
> why do we need to set -O0?
>
>
>> ./configure --prefix=/usr \
>> --sysconfdir=/etc \
>> --mandir=/usr/share/man \
>> --infodir=/usr/share/info \
>> --localstatedir=/var \
>> --without-nscd \
>> - --without-nologin \
>> --disable-nls \
>> + --without-group-name-max-length \
> What has --without-group-name-max-lenght to do with this? Why is it
> needed?
>
>> || return 1
>> make || return 1
>> }
>> @@ -61,11 +64,21 @@ package() {
>> # avoid conflict with man-pages
>> rm "$pkgdir"/usr/share/man/man3/getspnam.3* \
>> "$pkgdir"/usr/share/man/man5/passwd.5* || return 1
>> +
>> + # for unprivileged lxc containera
>> + touch "$pkgdir"/etc/subuid
>> + touch "$pkgdir"/etc/subgid
>> }
>>
>> md5sums="2bfafe7d4962682d31b5eba65dba4fc8 shadow-4.2.1.tar.xz
>> -72dfc077a61ab7163e312640cc98bba8 login.pamd"
>> +72dfc077a61ab7163e312640cc98bba8 login.pamd
>> +f5fe3d7351d5e4046588b652c482c170 dots-in-usernames.patch
>> +75bc0cafb44aa86075d2ec056816cc3e cross-size-checks.patch"
>> sha256sums="3b0893d1476766868cd88920f4f1231c4795652aa407569faff802bcda0f3d41 shadow-4.2.1.tar.xz
>> -c0d0f2f77133b0663c5a578afeba45d5a9c703ff6f3f6aba3727dfe01877dac0 login.pamd"
>> +c0d0f2f77133b0663c5a578afeba45d5a9c703ff6f3f6aba3727dfe01877dac0 login.pamd
>> +ee58c622d1e8283dc4b17e93cc5e68f4ea4336654ebcfb48e46e0efaa864b77f dots-in-usernames.patch
>> +fc3e32ddfc8eeb284412e8df7ad045ad27b742f5ee733db1a0bc14c97480e013 cross-size-checks.patch"
>> sha512sums="7a14bf8e08126f0402e37b6e4c559615ced7cf829e39156d929ed05cd8813de48a77ff1f7f6fe707da04cf662a2e9e84c22d63d88dd1ed13f935fde594db95f0 shadow-4.2.1.tar.xz
>> -46a6f83f3698e101b58b8682852da749619412f75dfa85cecad03d0847f6c3dc452d984510db7094220e4570a0565b83b0556e16198ad894a3ec84b3e513d58d login.pamd"
>> +46a6f83f3698e101b58b8682852da749619412f75dfa85cecad03d0847f6c3dc452d984510db7094220e4570a0565b83b0556e16198ad894a3ec84b3e513d58d login.pamd
>> +745eea04c054226feba165b635dbb8570b8a04537d41e914400a4c54633c3a9cf350da0aabfec754fb8cf3e58fc1c8cf597b895506312f19469071760c11f31d dots-in-usernames.patch
>> +c46760254439176babeef24d93900914092655af3a48f54385adf6ef5a3af76799fb7e96083acd27853d6ab6d7392543dbaf70bb26f164519e92f677da7851a4 cross-size-checks.patch"
>> diff --git a/testing/shadow/cross-size-checks.patch b/testing/shadow/cross-size-checks.patch
>> new file mode 100644
>> index 0000000..bd451ba
>> --- /dev/null
>> +++ b/testing/shadow/cross-size-checks.patch
>> @@ -0,0 +1,42 @@
>> +From 2cb54158b80cdbd97ca3b36df83f9255e923ae3f Mon Sep 17 00:00:00 2001
>> +From: James Le Cuirot <chewi@aura-online.co.uk>
>> +Date: Sat, 23 Aug 2014 09:46:39 +0100
>> +Subject: [PATCH] Check size of uid_t and gid_t using AC_CHECK_SIZEOF
>> +
>> +This built-in check is simpler than the previous method and, most
>> +importantly, works when cross-compiling.
>> +
>> +Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
>> +---
>> + configure.in | 14 ++++----------
>> + 1 file changed, 4 insertions(+), 10 deletions(-)
>> +
>> +diff --git a/configure.in b/configure.in
>> +index 1a3f841..4a4d6d0 100644
>> +--- a/configure.in
>> ++++ b/configure.in
>> +@@ -335,16 +335,10 @@ if test "$enable_subids" != "no"; then
>> + dnl
>> + dnl FIXME: check if 32 bit UIDs/GIDs are supported by libc
>> + dnl
>> +- AC_RUN_IFELSE([AC_LANG_SOURCE([
>> +-#include <sys/types.h>
>> +-int main(void) {
>> +- uid_t u;
>> +- gid_t g;
>> +- return (sizeof u < 4) || (sizeof g < 4);
>> +-}
>> +- ])], [id32bit="yes"], [id32bit="no"])
>> +-
>> +- if test "x$id32bit" = "xyes"; then
>> ++ AC_CHECK_SIZEOF([uid_t],, [#include "sys/types.h"])
>> ++ AC_CHECK_SIZEOF([gid_t],, [#include "sys/types.h"])
>> ++
>> ++ if test "$ac_cv_sizeof_uid_t" -ge 4 && test "$ac_cv_sizeof_gid_t" -ge 4; then
>> + AC_DEFINE(ENABLE_SUBIDS, 1, [Define to support the subordinate IDs.])
>> + enable_subids="yes"
>> + else
>> +--
>> +2.3.6
>> +
>> +
>> diff --git a/testing/shadow/dots-in-usernames.patch b/testing/shadow/dots-in-usernames.patch
>> new file mode 100644
>> index 0000000..b684c9d
>> --- /dev/null
>> +++ b/testing/shadow/dots-in-usernames.patch
>> @@ -0,0 +1,11 @@
>> +--- shadow-4.1.3/libmisc/chkname.c
>> ++++ shadow-4.1.3/libmisc/chkname.c
>> +@@ -66,6 +66,7 @@
>> + ( ('0' <= *name) && ('9' >= *name) ) ||
>> + ('_' == *name) ||
>> + ('-' == *name) ||
>> ++ ('.' == *name) ||
>> + ( ('$' == *name) && ('\0' == *(name + 1)) )
>> + )) {
>> + return false;
>> +