Releases: shadow-maint/shadow
Release 4.10
Note: From this release forward, su from this package should be
considered deprecated. Please replace any users of it with su from
util-linux. Please open an issue if there is a problem with that.
We intend to remove it in an upcoming release.
This release features many fixes expecially to the building of
libsubid, some SELinux labeling issues, and a few signaling
issues.
Changelog:
* libsubid fixes (Xi Ruoyao, Serge Hallyn, Iker Pedrosa, Mike Gilbert,
GalaxyMaster, and Luís Ferreira)
* Rename the test program list_subid_ranges to getsubids, write
a manpage, so distros can ship it. (Iker Pedrosa)
* Add libeconf dep for new*idmap (Iker Pedrosa)
* Allow all group types with usermod -G (Iker Pedrosa)
* Avoid useradd generating empty subid range (Iker Pedrosa)
* Handle NULL pw_passwd (Jaroslav Jindrak)
* Fix default value SHA_get_salt_rounds (Mike Gilbert)
* Use https where possible in README (Paul Menzel)
* Update content and format of README (Iker Pedrosa)
* Translation updates (Balint Reczey, Frans Spiesschaert)
* Switch from xml2po to itstool in 'make dist' (Serge Hallyn)
* Fix double frees (Michael Vetter)
* Add LOG_INIT configurable to useradd (Andy Zaugg)
* Add CREATE_MAIL_SPOOL documentation (Andy Zaugg)
* Create a security.md
* Fix su never being SIGKILLd when trapping TERM (Ruihan li)
* Fix wrong SELinux labels in several possible cases (Iker Pedrosa)
* Fix missing chmod in chadowtb_move (GalaxyMaster)
* Handle malformed hushlogins entries (Tobias Stoeckmann)
* Fix groupdel segv when passwd does not exist (François Rigault)
* Fix covscan-found newgrp segfault (Iker Pedrosa)
* Remove trailing slash on hoedir (Ed Neville)
* Fix passwd -l message - it does not change expirey (Ed Neville)
* Fix SIGCHLD handling bugs in su and vipw (Tobias Stoeckmann)
* Remove special case for "" in usermod (Alejandro Colomar)
* Implement usermod -rG to remove a specific group
(Andy Zaugg)
* call pam_end() after fork in child path for su and login
(Björn Fischer)
* useradd: In absence of /etc/passwd, assume 0 == root
(Ludwig Nussel)
* lib: check NULL before freeing data (Iker Pedrosa)
* Fix pwck segfault (Iker Pedrosa)
Release 4.9
Changelog:
- Updated translations (Björn Esser, Juergen Hoetzel)
- Major salt updates (Björn Esser)
- Various coverity and cleanup fixes (Iker Pedrosa)
- Consistently use 0 to disable PASS_MIN_DAYS in man (tzccinct)
- Implement NSS support for subids and a libsubid (Serge Hallyn)
- setfcap: retain setfcap when mapping uid 0 (Christian Brauner)
- login.defs: include HMAC_CRYPTO_ALGO key (Iker Pedrosa)
- selinux fixes (Christian Göttsche)
- Fix path prefix path handling (Lucas Servén Marín)
- Manpage updates (tzccinct, Sevan Janiyan, Iker Pedrosa, Geert Ijewski,
谭九鼎, Jamin W. Collins, towerpark, andydna, Frans Spiesschaert) - Treat an empty passwd field as invalid (Haelwenn Monnier)
- newxidmap: allow running under alternative gid (Martijn de Gouw)
- usermod: check that shell is executable (Geert Ijewski)
- Add yescript support (Rodolphe Bréard)
- useradd memleak fixes (whzhe)
- useradd: use built-in settings by default (Ludwig Nussel)
- getdefs: add foreign (non-shadow-utils) items (Karel Zak)
- buffer overflow fixes (Tobias Stoeckmann)
- Adding run-parts style for pre and post useradd/del ([email protected])
Release 4.8.1
This minor release was made mainly to revert the --sbindir/--bindir commit which broke some distributions.
Changelog:
* selinux: incluee stdio (Michael Vetter)
* man: don't suggest making groupmems user-writeable (Michael Weiser)
* Makefile: bail out on error in for loops (Wolfgang Bumiller)
* Adding logging of SSH_ORIGINAL_COMMAND to nologin. ([email protected])
* add new HOME_MODE login.defs option (Duncan Overbruck)
* Add tty logging to useradd ([email protected])
* Useradd: make non-executable shell check only a warning (Tomas Mraz)
* Update Dutch translation (Frans-Spiesschaert)
* user_busy: Do not mistake a regular user process for a namespaced one (Tomas Mraz)
* Revert "Honor --sbindir and --bindir for binary installation" Patrick McLean)
Release 4.8
* Initial optional bcrypt support.
* Make build/install of 'su' optional.
* Fix for vipw not resuming correctly when suspended
* Sync password field descriptions in manpages
* Check for valid shell argument in useradd
* Allow translation of new strings through POTFILES.in
* Migrate to itstool for translations
* Migrate to new SELinux api
* Support --enable-vendordir
* pwck: Only check homedir if set and not a system user
* Support nonstandard usernames
* sget{pw,gr}ent: check for data at EOL
* Add YYY-MM-DD support in chage
* Fix failing chmod calls for suidubins
* Fix --sbindir and --bindir for binary installations
* Fix LASTLOG_UID_MAX in login.defs
* Fix configure error with dash
Releasing 4.7
Changelog:
* Spawn: don't loop forever on ECHILD
* Do not fail locking if there is a stale lockfile Tomas Mraz)
* Use lckpwdf if prefix not set (Tomas Mraz)
* Build: check correct DocBook version (Jan Tojnar)
* Usermod: Print 'no changes' to stdout, not stderr (Serge Hallyn)
* Add support for btrfs subvolumes for home (Adam Majer)
* Fix chpasswd long line handling (Nathan Ruiz)
* Use secure_getenv for gettime (Chris Lamb)
* Make sp_lstchg reproducible (Chris Lamb)
* Do not crash commonio_close if db file is not open (Tomas Mraz)
* Don't flush nscd and sssd cache in read-only mode (Charlie Vuillemez)
* French manpage update (Alban VIDAL)
* Fix manpage defaults for SUB_UID/GID_COUNT (Tomas Mraz)
* Sync po files from shadow.pot (Alban VIDAL)
* Usermod: guard against unsafe chown of homedir contents (Tomas Mraz)
* Add LASTLOG_UID_MAX to login.defs (Tomas Mraz)
* new[ug]idmap file capabilities support (Giuseppe Scrivano and Christian Brauner)
* Fix segfault in useradd (Tomas Mraz)
* Coverity issues (Tomas Mraz)
* Flush sssd caches (Jakub Hrozek)
* Log UID in nologin (Vladimir Ivanov)
* run pam_getenvlist after setup_env in su.c (Michael Vogt)
* Support systems with only utmpx (A. Wilcox)
* Fix unguarded ENABLE_SUBIDS code (Jan Chren (rindeal))
* Update po/zh_CN translation (Lion Yang)
* Create parent dirs for useradd -m (Michael Vetter)
* Prevent usermod segv
* Fix usermod crash (fariouche)
Releasing 4.6
Changelog:
- Newgrp: avoid unnecessary lookups
- Make language less binary
- Add error when turning off man switch
- Spelling fixes
- Make userdel work with -R
- newgidmap: enforce setgroups=deny if self-mapping a group
- Norwegian bokmål translation
- pwck: prevent crash by not passing O_CREAT
- WITH_TCB fixes from Mandriva
- Fix pwconv and grpconv entry skips
- Fix -- slurping in su
- add --prefix option
- Import new Dutch translations.
- Expand error codes for groupmod.
Releasing 4.5
Changelog since 4.4:
* Patch from Tobias Stoeckmann fixing regression in previous CVE fix
preventing SIGTERM to su from being propagated to the job.
* Patch from Chris Lamb making sp_lstchg shadow field reproducible.
* Merge Russian translation updates from Yuri Kozlov
* Fix missing close of subuid file on error
* Merge patch by Tobias Stoeckmann <[email protected]> to fix
the equivalent of util-linux CVE-2017-2616.
* Update Kazakh translations
* Consult configuration before calculating subuids
* Remove misplaced semicolon
* Patch from Fedora to improve performance with SSSD, Winbind,
or nss_ldap. (Tomas Mraz)
* Make sure knowndef_table is NULL-terminated. (Bernhard Rosenkränzer)
* Drop leading underscore from _COMMONIO_H and _SHADOWIO_H
* Fix readability in usermod error messages.
* Reset user in tallylog
* Add audit support to su
* Use sizeof rather than hardcoding snprintf args
* Fix useradd improper default loading
* Update Vietnamese translations
* Update Polish translations
* Remove non-POSIX chmod option in Makefile
* Fix suidubins assignments
* Fix --add-subuids etc spelling in manpages
* Audit homedir ownership change.
* Print error on selinux file context update failure
* Keep original file perms when creating a backup
Shadow 4.4
* Changes since 4.2.1:
- Documentation, error report and translations updates
- Replace path_max with 32
- User namespace support fixes/updates including:
- Correct sanity checks in newXidmap
- Fix building without subuid support
- Add /etc/subuid support for UID matching
- Support subuid for nonlocal users
- Default to 65536 subuid allocations
- Respect -r
- Check for range overflows
- Add tests from svn tree
- Use AC_CHECK_SIZEOF for uid_t size checks
- Accomodate missing /etc and login.defs
- Support FORCE_SHADOW
- Be more robust in hostile environment
- Allow removing a primary group
- Clear passwords on __pw_dup errors
- Memory leak fix in commonio_update and get_map_ranges
- Fix resource leak in syslog_sg
- Fix user busy error at userdel
- Support set/clear lastlog record via lastlog command
- Add --no-create-home as longopt for -M
- Fix signal races
- Reduce syslog priority of common usage events