Pierre Warnier
7c6cf221bc
process: use rustix::param::linux_execfn instead of unsafe getauxval
2026-04-22 19:09:33 +02:00
Pierre Warnier
4ecf63ec1f
security: AT_EXECFN validation + audit.yml ( #154 , #155 )
...
#154 : Reject setuid multicall invocations where argv[0] doesn't match
AT_EXECFN from the ELF auxiliary vector. Prevents an attacker from
spoofing argv[0] to route the multicall binary to a different tool
in setuid context. Only enforced when euid != uid.
#155 : Add daily cargo-audit workflow matching uutils/coreutils pattern.
Also triggers on Cargo.toml/Cargo.lock changes.
Fixes #154 . Fixes #155 .
2026-04-22 18:13:36 +02:00
Pierre Warnier
86af8fc45b
chore: align all versions to 0.2.0
2026-04-22 17:41:16 +02:00
Pierre Warnier
95f8f2d917
readme: fix license badge HTTP → HTTPS
2026-04-22 17:37:07 +02:00
Pierre Warnier
7703f28173
chore: remove generated file
2026-04-22 17:32:49 +02:00
Pierre Warnier
93eb852924
release: v0.2.0 — uutils adoption
...
First release under the uutils organization.
Highlights:
- Repo transferred to uutils/shadow-rs
- uucore upgraded to 0.8
- nix crate fully replaced by rustix
- Default install now uses standalone per-tool binaries with
least-privilege setuid layout
- println!/eprintln! replaced with non-panicking writes
- Unwind tables suppressed in release builds
- NSS-backed user lookup via getpwuid_r
- 35+ security findings addressed across 6 review rounds
v0.2.0
2026-04-22 16:53:01 +02:00
Pierre Warnier
88f87a17d6
changelog: add uucore 0.8 upgrade, nix→rustix migration, org transfer
2026-04-22 16:36:09 +02:00
Pierre Warnier
c4fcb7387d
Merge pull request #150 from uutils/renovate/uucore-0.x
...
chore(deps): update rust crate uucore to 0.8
2026-04-22 16:35:38 +02:00
Pierre Warnier
e43a47a34e
Merge branch 'main' into renovate/uucore-0.x
2026-04-22 16:23:50 +02:00
Pierre Warnier
c23f2055fd
Merge pull request #153 from uutils/renovate/actions-checkout-6.x
...
chore(deps): update actions/checkout action to v6
2026-04-22 16:19:48 +02:00
Pierre Warnier
66abfbc3f0
Merge pull request #149 from uutils/renovate/debian-13.x
...
chore(deps): update debian docker tag to trixie-20260421
2026-04-22 16:19:44 +02:00
Pierre Warnier
a8d46488ad
Merge pull request #152 from uutils/docs/update-org-urls
...
docs: update all URLs from shadow-utils-rs to uutils org
2026-04-22 16:19:39 +02:00
renovate[bot]
e7c628256e
chore(deps): update actions/checkout action to v6
2026-04-22 13:36:46 +00:00
Pierre Warnier
3e6dab9b18
docs: update all URLs from shadow-utils-rs to uutils org
...
Repo transferred to uutils/shadow-rs. Update all references:
- README.md: CI badge, license badge, clone URL
- Cargo.toml: repository, homepage
- CONTRIBUTING.md: clone URL
- SECURITY.md: advisory URL
- shadow-rs.spec: source URL
- CLAUDE.md: PR review API URLs, kanban board
2026-04-22 15:31:42 +02:00
renovate[bot]
4639659b93
chore(deps): update rust crate uucore to 0.8
2026-04-22 12:35:58 +00:00
renovate[bot]
af8c607dd7
chore(deps): update debian docker tag to trixie-20260421
2026-04-22 12:35:54 +00:00
Pierre Warnier
0427a747ad
Merge pull request #148 from shadow-utils-rs/fix/147-rustix-review-findings
...
shadow-core: fix 6 Copilot findings from rustix migration (#147 )
2026-04-22 14:12:43 +02:00
Pierre Warnier
bd5861d964
process: guard CStr::from_ptr against null NSS fields
2026-04-22 14:04:11 +02:00
Pierre Warnier
b8aca4df24
shadow-core: fix 6 Copilot findings from rustix migration ( #147 )
...
1. sigprocmask comment: "process-wide" → "per-thread" (correct on
Linux; effectively process-wide for single-threaded shadow-rs tools)
2. sigemptyset/sigaddset: check return values, propagate errors
3. lookup_username_by_uid: restore NSS-backed lookup via getpwuid_r
instead of reading /etc/passwd directly. Fixes regression for
LDAP/SSSD/systemd-homed environments.
4. unsafe_code allowlist: update lib.rs comment to include process module
5. Doc comment: block_signals → block_critical_signals
Fixes #147 .
2026-04-22 13:15:38 +02:00
Pierre Warnier
05df435fce
Merge pull request #146 from shadow-utils-rs/feat/140-nix-to-rustix-phase1
...
shadow-core, tools: migrate nix to rustix — phase 1 (#140 )
2026-04-22 11:45:49 +02:00
Pierre Warnier
8c2d2609d5
Merge pull request #145 from shadow-utils-rs/docs/update-changelog-hardening
...
docs: backfill CHANGELOG and SECURITY-HARDENING for review rounds
2026-04-22 11:45:41 +02:00
Pierre Warnier
87a5c1bbe0
docs: fix CHANGELOG wording for unwind table suppression
2026-04-22 11:41:17 +02:00
Pierre Warnier
32c94fbc76
shadow-core, tools: complete nix removal — phase 2 ( #140 )
...
Fully remove nix as a direct dependency of the shadow-rs workspace.
New module shadow_core::process provides process-wide POSIX wrappers
via libc for setuid/setgid/initgroups/execv/sigprocmask. These MUST
use libc (not rustix) because rustix intentionally provides only
per-thread versions, which are incorrect for setuid-root tools.
Migrations:
- hardening.rs: setrlimit → rustix::process, sigprocmask → process
module, User::from_uid → /etc/passwd parser lookup
- pam.rs: nix::sys::termios → rustix::termios
- passwd.rs: full migration (seteuid, setuid, getuid, User lookup)
- newgrp.rs: full migration (termios, User lookup, setgid, initgroups,
execv)
- chpasswd/chage/chfn/chsh: setuid → shadow_core::process
- lock.rs tests: fcntl_getfd → rustix::io
libc stays for: PAM FFI, crypt(3) FFI, process-wide POSIX wrappers.
nix remains only as a transitive dep of uucore (upstream).
2026-04-22 11:26:49 +02:00
Pierre Warnier
bc8ea13328
shadow-core, tools: migrate nix to rustix — phase 1 ( #140 )
...
Replace straightforward nix API calls with rustix equivalents across
15 files. rustix is already a transitive dependency (via clap) and
provides raw syscall access without libc overhead.
Phase 1 covers simple 1:1 replacements:
- UID/GID: getuid/geteuid/getgid → rustix::process
- File ops: fsync, umask, chownat → rustix::fs
- Process: getpid, kill (stale lock detection) → rustix::process
- Filesystem: chroot, chdir → rustix::process
6 crates fully off nix: groupadd, groupdel, groupmod, useradd,
userdel, usermod.
4 crates partially migrated (nix kept for setuid()): chpasswd, chage,
chfn, chsh.
2 crates cleaned of unused nix/libc deps: pwck, grpck.
Phase 2 (hardening.rs, passwd.rs, newgrp.rs, pam.rs) deferred — these
have complex signal/termios/User::from_uid usage requiring more care.
Tested on debian/alpine/fedora — all pass.
2026-04-22 10:47:03 +02:00
Pierre Warnier
42d701e25f
docs: backfill CHANGELOG and SECURITY-HARDENING for review rounds
...
CHANGELOG [Unreleased]:
- Add Security section with review round 2 fixes (PAM zeroization,
initgroups, SignalBlocker scoping, UmaskGuard !Send/!Sync, targeted
newgrp hardening, atomic_write retry, crypt thread-safety docs,
centralized hardening, println panic fix, unwind table suppression)
- Update 0.1.0 test count from 460+ to 580+, fuzz targets from 4 to 6
SECURITY-HARDENING.md:
- Add 7 implemented items from review round 2
2026-04-22 10:27:46 +02:00