1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
|
From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Date: Sat, 22 Jun 2024 17:39:41 +0200
Subject: Set group and mode for [g]shadow files
Set group 'shadow' and mode 0400.
Fixes: #166793
Gbp-Topic: debian
---
lib/commonio.c | 12 ++++++++++++
lib/sgroupio.c | 2 +-
lib/shadowio.c | 2 +-
3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/lib/commonio.c b/lib/commonio.c
index 01a26c9..72e53b0 100644
--- a/lib/commonio.c
+++ b/lib/commonio.c
@@ -21,6 +21,7 @@
#include <errno.h>
#include <stdio.h>
#include <signal.h>
+#include <grp.h>
#include "alloc.h"
#include "memzero.h"
@@ -956,12 +957,23 @@ int commonio_close (struct commonio_db *db)
if (errors != 0)
goto fail;
} else {
+ struct group *grp;
/*
* Default permissions for new [g]shadow files.
*/
sb.st_mode = db->st_mode;
sb.st_uid = db->st_uid;
sb.st_gid = db->st_gid;
+
+ /*
+ * Try to retrieve the shadow's GID, and fall back to GID 0.
+ */
+ if (sb.st_gid == 0) {
+ if ((grp = getgrnam("shadow")) != NULL)
+ sb.st_gid = grp->gr_gid;
+ else
+ sb.st_gid = 0;
+ }
}
if (SNPRINTF(buf, "%s+", db->filename) == -1)
diff --git a/lib/sgroupio.c b/lib/sgroupio.c
index 0297df4..107b1e5 100644
--- a/lib/sgroupio.c
+++ b/lib/sgroupio.c
@@ -209,7 +209,7 @@ static struct commonio_db gshadow_db = {
#ifdef WITH_SELINUX
NULL, /* scontext */
#endif
- 0400, /* st_mode */
+ 0440, /* st_mode */
0, /* st_uid */
0, /* st_gid */
NULL, /* head */
diff --git a/lib/shadowio.c b/lib/shadowio.c
index d2c3b47..53dac0b 100644
--- a/lib/shadowio.c
+++ b/lib/shadowio.c
@@ -85,7 +85,7 @@ static struct commonio_db shadow_db = {
#ifdef WITH_SELINUX
NULL, /* scontext */
#endif /* WITH_SELINUX */
- 0400, /* st_mode */
+ 0440, /* st_mode */
0, /* st_uid */
0, /* st_gid */
NULL, /* head */
|
