RHBA-2011:1650 - Bug Fix Advisory

Topic

An updated shadow-utils package that fixes multiple bugs and adds three
enhancements is now available for Red Hat Enterprise Linux 6.

Description

The shadow-utils package includes programs for converting UNIX password files to
the shadow password format, as well as tools for managing user and group
accounts.

This update fixes the following bugs:

• Previously, the extended access control lists (ACL) on a file or directory

below the /etc/skel directory were not preserved when a new user was created. As
a result, the file or directory was copied but the extended ACLs that were
associated with the file or directory were lost. This update preserves these
extended ACLs. (BZ#586796)

• Previously,the switch-group (sg) command failed with a segmentation fault when

using password protected groups. This update modifies the gshadow functions in
shadow-utils and also uses the gshadow functions from glibc so that the sg
command now handles password protected groups as expected. (BZ#667593)

• Previously, the new group (newgrp) command failed with a segmentation fault

when using password protected groups. This update modifies the newgrp command so
that the newgrp command now handles password protected groups as expected.
(BZ#672510)

• Previously, the man page for the useradd command contained misleading

information about the -m option. The -m option is described correctly.
(BZ#674878, BZ#696213)

• Previously, the useradd command failed with a segmentation fault when the user

ID (UID) range exceeded the maximum of 2147483647 (UID_MAX) accounts on a 64bit
system. This update replaces the alloca() function with the malloc() function
and checks the return value. Now, the useradd command operates in this range as
expected. (BZ#693377)

• Previously, the lastlog command did not work correctly with large UIDs on

32bit system due to integer overflow. As a result, lastlog showed only users
that were logged in. This update modifies the code so that lastlog now shows
also users that were never logged in. (BZ#706321)

This update also adds the following enhancements:

• This update is compiled with the position-independent executable (PIE) and

relocation read-only (RELRO) flags which enhance the security of the system.
(BZ#723921)

• With this update, the userdel command offers the option to delete both from

the SELinux login mapping. (BZ#639900)

• This update adds additional comments in "/etc/login.defs". These comments

inform the administrator that certain configuration options are ignored in favor
of the pam-cracklib module. (BZ#629277, BZ#696213)

All users of shadow-utils are advised to upgrade to this updated package, which
fixes these bugs and adds these enhancements.

Solution

Before applying this update, make sure all previously-released errata relevant
to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux for Scientific Computing 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) 6 s390x

Fixes

• BZ - 629277 - /etc/login.defs ought to refer to pam(cracklib)
• BZ - 639900 - RFE: userdel supports an option to remove Linux login <-> SELinux login mapping
• BZ - 639975 - RFE: useradd ends up with special exit value if SELinux user mapping is invalid
• BZ - 639976 - RFE: usermod ends up with special exit value if SELinux user mapping is invalid
• BZ - 667593 - /usr/bin/sg has ceased to function for groups with a password; "Invalid password"
• BZ - 672510 - newgrp command : Invalid password.
• BZ - 674878 - man useradd is incorrect
• BZ - 693377 - useradd segfaults when UID_MAX >= 2147483647
• BZ - 696213 - Mistakes in the description of -M in the useradd manual page
• BZ - 706321 - lastlog shows that user has been logged in while he was not
• BZ - 723921 - Add PIE and RELRO flags when building setuid programs

CVEs

(none)

References

(none)