6 Commits

Author SHA1 Message Date
Pierre Warnier d89b4aaa64 Makefile: drop PROFILE var, fix stale comments
Address Copilot review round 2:

- Remove PROFILE variable and hardcode --release / target/release/.
  Cargo maps "dev" profile to target/debug/ (not target/dev/), so
  PROFILE=dev would silently break install. Nobody installs debug
  builds of setuid-root tools.

- Fix stale comments in Makefile and README that referenced the old
  "chmod on symlink follows through" approach. The current code uses
  install -Dm4755 directly.
2026-04-16 10:43:14 +02:00
Pierre Warnier de1e96c605 Makefile: single cargo build + atomic install -Dm mode
Address review comments on #139:

- build: replace 14-call loop with a single
  `cargo build --workspace --bins --exclude shadow-rs` invocation,
  eliminating per-tool Cargo startup/metadata overhead. Matches the
  uutils/coreutils GNUmakefile pattern.

- install: use `install -Dm4755` / `install -Dm0755` to set mode atomically
  during install instead of post-install chmod. Errors no longer swallowed:
  if install can't set the setuid bit, `make install` now fails loudly.

- install-multicall: same — `install -Dm4755` sets the shadow-rs binary
  setuid in one step.
2026-04-15 14:40:52 +02:00
Pierre Warnier 698eaf7cf3 make install: default to standalone per-tool binaries (#138)
Switch the default install to build and install 14 standalone per-tool
binaries with a least-privilege setuid layout matching GNU shadow-utils.
Only passwd/chfn/chsh/newgrp are setuid-root; the other 10 tools are 0755.

The previous multicall install is preserved as `make install-multicall`
for container/embedded use cases where the ~14x disk savings matter and
the enlarged setuid attack surface is acceptable.

The old layout chmod'd symlinks pointing to the multicall binary, which
(because chmod follows symlinks) marked the underlying ELF setuid-root.
That meant all 14 tools ran with euid=0 when invoked via symlink. Each
tool's internal getuid() check was defense-in-depth, not OS-level least
privilege. The standalone layout gives the latter.

Raised by @oech3 in uutils/coreutils#11828.
2026-04-15 14:19:21 +02:00
Pierre Warnier 5d8ac9587d review: address all 13 Copilot review comments
- Fix cargo build --release --workspace in test scripts
- Document setuid-on-symlinks as intentional in Makefile
- Warn (not abort) on subid allocation failure in useradd
- Propagate subid file read errors instead of unwrap_or_default
- Update SELinux docs to describe best-effort behavior
- Add env_clear() to getfattr subprocess in selinux.rs
- Use hardening::sanitized_env() in nscd.rs instead of local reimpl
- Create testuser in pam-e2e.sh, add cleanup
- Document su-as-root limitation in pam-e2e.sh
- Fix set -e exit code capture in gnu-compat.sh
- Add 5 date validation unit tests in chage
- Wire audit::log_user_event into all 7 tools
2026-03-24 15:42:08 +01:00
Pierre Warnier 8ba8f940fd prod: GNU compat tests, PAM e2e, setuid, SELinux, audit, packaging
Fixes #93 — GNU compatibility test suite (tests/gnu-compat.sh)
Fixes #94 — PAM end-to-end test script (tests/pam-e2e.sh)
Fixes #95 — Setuid permissions in Makefile (chmod 4755)
Fixes #96 — nscd env_clear() on subprocess spawning
Fixes #97 — SELinux file context support (getfattr/chcon/restorecon)
Fixes #98 — Audit logging to syslog/auditd
Fixes #99 — subuid/subgid allocation in useradd
Fixes #100 — Debian packaging (debian/control, debian/rules)
Fixes #101 — Fedora packaging (shadow-rs.spec)
Fixes #103 — Recursive chown on usermod UID change
Fixes #104 — Proper date validation (Feb 31 rejected)

456 tests, zero clippy warnings. Binary: 894KB (release-small).
2026-03-24 15:15:21 +01:00
Pierre Warnier 896a4214b6 infra: uutils compliance — edition 2024, unsafe deny, dead_code deny
Fixes #79 — CODE_OF_CONDUCT.md (Contributor Covenant 2.1)
Fixes #80 — locales/en-US.ftl for all 14 tools
Fixes #81 — rust-version = "1.85.0" in workspace
Fixes #82 — edition 2024 (resolver 3, unsafe extern blocks)
Fixes #83 — GitHub Actions CI (fmt, clippy, test, cargo-deny)
Fixes #84 — .clippy.toml with MSRV and quality thresholds
Fixes #85 — deny.toml tightened (multiple-versions=deny)
Fixes #87 — panic=abort, codegen-units=1 in release profile
Fixes #89 — Makefile with install/uninstall/clean targets
Fixes #90 — workspace lints: cargo group, unused_qualifications

Key policy changes enforced by cargo:
- unsafe_code = "deny" workspace-wide. Only pam.rs and crypt.rs
  have #[allow(unsafe_code)] (C FFI boundaries).
- dead_code = "deny" workspace-wide. No unused code allowed.
- Edition 2024: set_var/remove_var are unsafe, so sanitize_env
  returns a Vec instead of mutating. Signal handler removed
  (was unsafe). localtime_r replaced with pure Rust calendar math.

456 tests, zero clippy warnings.
2026-03-24 14:30:22 +01:00