RHBA-2010:0209 - Bug Fix Advisory

Topic

An updated shadow-utils package that fixes several bugs is now available.

Description

The shadow-utils package includes programs for converting UNIX password
files to the shadow password format, as well as tools for managing user
and group accounts.

The updated shadow-utils package fixes the following bugs:

• shadow-utils package updates would overwrite the /etc/default/useradd

directory. This would cause site configuration settings to be lost. Updates
no longer overwrite the /etc/default/useradd directory, and site
configuration changes are maintained. (BZ#510102)

• the newusers utility allows a batch of new users to be created and

updated. The utility was not checking the range of generated UIDs (user
identifiers) or GIDs (group identifiers). When used on AMD64 and Intel 64
systems, identifiers could be negative numbers outside the valid range of
500 to 60,000. The newusers utility now checks the range of generated UIDs
and GIDs so that they do not appear outside the valid range.
(BZ#306241)

• the newusers utility failed if a specified parent directory did not

exist. The error message, 'mkdir failed', did not detail the cause of the
failure. The newusers utility has been updated to note when the parent
directory does not exist, and the manual page now emphasizes how
non-existent parent directories are dealt with. The behavior of the
newusers utility in this situation is now clearer. (BZ#461455)

• the useradd utility is used to create or update a new user's default

information. The useradd utility did not recognize the base directory
option (-b, --base-dir), and commands using this option would not succeed.
The useradd utility has been updated to recognize the base directory option
properly, and useradd commands now work as expected. (BZ#469158)

• the useradd utility did not reset the error number variable before

checking function return values. As a consequence, error numbers could be
affected by retained values, and the utility would fail with 'invalid
numeric argument'. The error number variable is now reset before each
function call, and error numbers in the useradd utility are reported
correctly. (BZ#487575)

• the useradd utility handled the creation of UIDs differently on x86 and

PowerPC 64 architectures than it did on others. As a consequence, UIDs
greater than 2147483647 were rejected on these systems. The useradd utility
now treats UIDs the same across architectures, and large UIDs are not
rejected on x86 and PowerPC 64 architectures. (BZ#505033)

• the usermod utility allows a user account to be modified. The usermod

utility did not support LDAP (Lightweight Directory Access Protocol) users,
despite support in other utilities. As a result, the usermod utility could
not add LDAP users to local groups. LDAP support has now been added to the
usermod utility, and LDAP users can be added to local groups. (BZ#449154)

• the restorecon command sets file security contexts. The usermod utility

was calling the restorecon command every time a user's home directory was
changed. This would result in an error if expected files no longer existed.
The restorecon command is no longer called by the usermod utility, and
changing a user's home directory succeeds as expected. (BZ#494575)

• the faillog utility displays failure logs and sets login failure limits.

When the utility was used with the print option (-p), the log was read
sequentially to print in UID order. This was unnecessary and caused long
print times. The faillog utility has been updated to print without
ordering, and printing now completes in an acceptable time. (BZ#473054)

• the grpconv utility converts shadow passwords and groups. The utility was

not checking whether duplicate group entries existed in the /etc/group
directory. Running the utility with duplicate entries would consume too
much memory. The grpconv utility now checks for duplicate group entries in
the /etc/group directory, and excess memory is no longer consumed.
(BZ#507706)

All users of shadow-utils are advised to upgrade to this updated package,
which resolves these issues.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 306241 - newusers creates users with negative UID and GID on x86_64
• BZ - 461455 - newusers will fail with an uninformative message if the new user's parent directory does not exist
• BZ - 469158 - base directory option (--base-dir) not recognized
• BZ - 473054 - faillog -p takes forever if /var/log/faillog has gone huge sparse.
• BZ - 487575 - useradd: does not clear errno prior to checking fn returns
• BZ - 494575 - RFE: add usermod switch - prevent calling restorecon
• BZ - 505033 - useradd cannot create an user with UID above 2147483647
• BZ - 507706 - runaway grpconv when parsing duplicate entries in /etc/group
• BZ - 510102 - /etc/default/useradd customizations overwritten on package update

CVEs

(none)

References

(none)