mirror of
https://github.com/uutils/shadow.git
synced 2026-06-10 16:14:57 -07:00
Merge pull request #145 from shadow-utils-rs/docs/update-changelog-hardening
docs: backfill CHANGELOG and SECURITY-HARDENING for review rounds
This commit is contained in:
+17
-1
@@ -28,6 +28,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||
`passwd`/`chfn`/`chsh`/`newgrp` are setuid-root; the other 10 are `0755`.
|
||||
The previous multicall install is available as `make install-multicall`.
|
||||
|
||||
### Security
|
||||
|
||||
- PAM password buffers zeroed immediately after use (`zeroize`)
|
||||
- `initgroups()` called in newgrp before exec (prevents supplementary group leak)
|
||||
- `SignalBlocker` scoped to file-mutation critical sections only; dropped before
|
||||
long-running operations (home deletion, recursive chown, skel copy)
|
||||
- `UmaskGuard` marked `!Send`/`!Sync` via `PhantomData<Rc<()>>` (thread-safety)
|
||||
- `newgrp` uses targeted hardening (`suppress_core_dumps` + `sanitized_env`)
|
||||
instead of `harden_process()` to avoid leaking `RLIMIT_FSIZE` to exec'd shell
|
||||
- `atomic_write` retries once on stale temp file from prior crash
|
||||
- `crypt(3)` wrapper documented as non-thread-safe (uses global state)
|
||||
- Centralized hardening utilities in `shadow_core::hardening` (deduplicated
|
||||
from per-tool copies)
|
||||
- `println!`/`eprintln!` replaced with non-panicking writes (#141)
|
||||
- Unwind tables suppressed via `-C force-unwind-tables=no` (#143)
|
||||
|
||||
### Fixed
|
||||
|
||||
- Password hash validation rejects `:`, `\n`, `\r` (field injection prevention)
|
||||
@@ -55,7 +71,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||
- Recursive chown on UID change (usermod)
|
||||
- Proper date validation with leap year and month-length rules
|
||||
- GNU-compatible output and exit codes for all tools
|
||||
- 460+ unit tests, property-based tests (proptest), 4 fuzz targets
|
||||
- 580+ unit tests, property-based tests (proptest), 6 fuzz targets
|
||||
- Integration tests for 14 tools
|
||||
- Docker test matrix: Debian (glibc), Alpine (musl), Fedora (SELinux)
|
||||
- CI gates: fmt, clippy, test, MSRV (1.94.0), cargo-deny
|
||||
|
||||
@@ -25,6 +25,13 @@ Techniques adopted from OpenBSD and best practices for setuid-root tools.
|
||||
- [x] O_CLOEXEC on file descriptors (#50)
|
||||
- [x] Umask reset (#51 — `UmaskGuard` RAII)
|
||||
- [x] Landlock filesystem restriction (#41 — `apply_landlock()` in passwd)
|
||||
- [x] PAM password buffer zeroization (immediate `zeroize` after use)
|
||||
- [x] `initgroups()` in newgrp (prevent supplementary group leak across exec)
|
||||
- [x] `UmaskGuard` `!Send`/`!Sync` (`PhantomData<Rc<()>>` — prevent cross-thread umask corruption)
|
||||
- [x] `atomic_write` retry on stale temp file from prior crash
|
||||
- [x] `SignalBlocker` scoped to critical sections only (dropped before long-running ops)
|
||||
- [x] Centralized hardening in `shadow_core::hardening` (deduplicated across tools)
|
||||
- [x] Targeted hardening in newgrp (no `RLIMIT_FSIZE` leak to exec'd shell)
|
||||
|
||||
## Not Yet Implemented
|
||||
|
||||
|
||||
Reference in New Issue
Block a user