if interface does not support native mode
re-run xdp-loader with skb mode, got error
Attaching XDP program in native mode not supported - try SKB mode.
TCP Native mode not supported, try SKB
Replacing allowed ports
Added port 80
Added port 8090
libxdp: Retried more than 11 times, giving up
Couldn't attach XDP program on iface 'lo': Device or resource busy(-16)
UDP Native mode not supported, try SKB
Replacing allowed udp ports
Added port 10408
but it looks loaded ok
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
xdp-loader will only load the XDP program without
xdp dispatcher if bpffs is not mounted, flash image
has bpffs mounted already, add bpffs mount for ISO image
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
add ddosctrl to start/stop/status XDP
program from ddos.cgi safely.
permission of ddosctrl
chown root.nobody /usr/local/bin/ddosctrl
chmod u+s /usr/local/bin/ddosctrl
result:
-rwsr-x--- 1 root nobody 14672 Mar 19 09:58 /usr/local/bin/ddosctrl
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
XDP SYNPROXY rules needs to be first in filter table
INPUT user defined chain and raw table PREROUTING
user defined chain.
To list the custom chain evaluation order for example:
iptables -L INPUT --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 INSYNPROXY all -- anywhere anywhere
2 IPSBYPASS all -- anywhere anywhere mark match 0xc0000000/0xc0000000
3 BADTCP tcp -- anywhere anywhere
4 CUSTOMINPUT all -- anywhere anywhere
5 HOSTILE all -- anywhere anywhere
6 BLOCKLISTIN !icmp -- anywhere anywhere
7 GUARDIAN all -- anywhere anywhere
8 OVPNBLOCK all -- anywhere anywhere
9 IPS_INPUT all -- anywhere anywhere mark match 0x0/0xc0000000
10 IPTVINPUT all -- anywhere anywhere
11 ICMPINPUT all -- anywhere anywhere
12 LOOPBACK all -- anywhere anywhere
13 CAPTIVE_PORTAL all -- anywhere anywhere
14 CONNTRACK all -- anywhere anywhere
15 DHCPGREENINPUT all -- anywhere anywhere
16 TOR_INPUT all -- anywhere anywhere
17 LOCATIONBLOCK all -- anywhere anywhere
18 IPSECINPUT all -- anywhere anywhere
19 GUIINPUT all -- anywhere anywhere
20 WIRELESSINPUT all -- anywhere anywhere ctstate NEW
21 OVPNINPUT all -- anywhere anywhere
22 INPUTFW all -- anywhere anywhere
23 REDINPUT all -- anywhere anywhere
24 POLICYIN all -- anywhere anywhere
iptables -t raw -L PREROUTING --line-numbers
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 RAWSYNPROXY all -- anywhere anywhere
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
We disable cores if the are affected by some cpu vulnerabilities
this cores report errors if you try to change the settings.
So only print the output for core0 and hide it for all cores.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
the initskript loads a test-modul for amd-pstate (which traces on intel)
and off course reports errors if firmware settings are missing.
this also fix the error at start because also amd-pstate doesn't support
ondemand mode.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
If GRUB could not be installed during installation, the installer
continued without reporting the error to the user.
This change will make the installer fail.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- This v3 version now has two if loops allowing logging of incoming drop hostile or
outgoing drop hostile or both or neither.
- Dependent on the choice in optionsfw.cgi this loop will either log or not log the
dropped hostile traffic.
Fixes: bug12981
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 8.2 with patch 1 to 8.2 with patches 1 to 10
- Update of rootfile not required
- Changelog
Patch 10
Fix the case where text to be completed from the line buffer (quoted) is
compared to the common prefix of the possible matches (unquoted) and the
quoting makes the former appear to be longer than the latter. Readline
assumes the match doesn't add any characters to the word and doesn't display
multiple matches.
Patch 9
Fix issue where the directory name portion of the word to be completed (the
part that is passed to opendir()) requires both tilde expansion and dequoting.
Readline only performed tilde expansion in this case, so filename completion
would fail.
Patch 8
Add missing prototypes for several function declarations.
Patch 7
If readline is called with no prompt, it should display a newline if return
is typed on an empty line. It should still suppress the final newline if
return is typed on the last (empty) line of a multi-line command.
Patch 6
This is a variant of the same issue as the one fixed by patch 5. In this
case, the signal arrives and is pending before readline calls rl_getc().
When this happens, the pending signal will be handled by the loop, but may
alter or destroy some state that the callback uses. Readline needs to treat
this case the same way it would if a signal interrupts pselect/select, so
compound operations like searches and reading numeric arguments get cleaned
up properly.
Patch 5
If an application is using readline in callback mode, and a signal arrives
after readline checks for it in rl_callback_read_char() but before it
restores the application's signal handlers, it won't get processed until the
next time the application calls rl_callback_read_char(). Readline needs to
check for and resend any pending signals after restoring the application's
signal handlers.
Patch 4
There are systems that supply one of select or pselect, but not both.
Patch 3
The custom color prefix that readline uses to color possible completions
must have a leading `.'.
Patch 2
It's possible for readline to try to zero out a line that's not null-
terminated, leading to a memory fault.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
These include (amongst others) fixes for:
GLIBC-SA-2024-0001:
===================
syslog: Heap buffer overflow in __vsyslog_internal (CVE-2023-6246)
__vsyslog_internal did not handle a case where printing a SYSLOG_HEADER
containing a long program name failed to update the required buffer
size, leading to the allocation and overflow of a too-small buffer on
the heap.
GLIBC-SA-2024-0002:
===================
syslog: Heap buffer overflow in __vsyslog_internal (CVE-2023-6779)
__vsyslog_internal used the return value of snprintf/vsnprintf to
calculate buffer sizes for memory allocation. If these functions (for
any reason) failed and returned -1, the resulting buffer would be too
small to hold output.
GLIBC-SA-2024-0003:
===================
syslog: Integer overflow in __vsyslog_internal (CVE-2023-6780)
__vsyslog_internal calculated a buffer size by adding two integers, but
did not first check if the addition would overflow.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Calling a global sync operation manually is generally a bad idea as it
can block for forever. If people have storage that does not retain
anything that is being written to it, they need to fix their hardware.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 5.2 with patches 1 to 21 to 5.2 with patches 1 to 26
- Update of rootfile not required
- Changelog
Patch 26
The custom color prefix that readline uses to color possible completions
must have a leading `.'.
Patch 25
Make sure a subshell checks for and handles any terminating signals before
exiting (which might have arrived after the command completed) so the parent
and any EXIT trap will see the correct value for $?.
Patch 24
Fix bug where associative array compound assignment would not expand tildes
in values.
Patch 23
Running `local -' multiple times in a shell function would overwrite the
original saved set of options.
Patch 22
It's possible for readline to try to zero out a line that's not null-
terminated, leading to a memory fault.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
myMPD is written in C and has a nice WebGUI to play
local music and also a WebRadio browser.
This is to replace the removec client175.
After install it can reached via
https://IP_OF_THE_IPFIRE:8800
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Updated from version 4.14.2 to 4.14.3
- Update of rootfile not required
- Patch renamed to new version number
- Changelog
4.14.3
libshadow:
Avoid null pointer dereference.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 1.5.3 to 1.6.0
- Update of rootfile
- A build bug was found with 1.6.0 if --enable-read-both-confs was set in the configure.
A commit fixing this has been released and converted into a patch for IPFire. This
will end up in the next pam release version and the IPFire patch can then be removed.
- Changelog
1.6.0
* Added support of configuration files with arbitrarily long lines.
* build: fixed build outside of the source tree.
* libpam: added use of getrandom(2) as a source of randomness if available.
* libpam: fixed calculation of fail delay with very long delays.
* libpam: fixed potential infinite recursion with includes.
* libpam: implemented string to number conversions validation when parsing
controls in configuration.
* pam_access: added quiet_log option.
* pam_access: fixed truncation of very long group names.
* pam_canonicalize_user: new module to canonicalize user name.
* pam_echo: fixed file handling to prevent overflows and short reads.
* pam_env: added support of '\' character in environment variable values.
* pam_exec: allowed expose_authtok for password PAM_TYPE.
* pam_exec: fixed stack overflow with binary output of programs.
* pam_faildelay: implemented parameter ranges validation.
* pam_listfile: changed to treat \r and \n exactly the same in configuration.
* pam_mkhomedir: hardened directory creation against timing attacks.
Please note that using *at functions leads to more open file handles
during creation.
* pam_namespace: fixed potential local DoS (CVE-2024-22365).
* pam_nologin: fixed file handling to prevent short reads.
* pam_pwhistory: helper binary is now built only if SELinux support is enabled.
* pam_pwhistory: implemented reliable usernames handling when remembering
passwords.
* pam_shells: changed to allow shell entries with absolute paths only.
* pam_succeed_if: fixed treating empty strings as numerical value 0.
* pam_unix: added support of disabled password aging.
* pam_unix: synchronized password aging with shadow.
* pam_unix: implemented string to number conversions validation.
* pam_unix: fixed truncation of very long user names.
* pam_unix: corrected rounds retrieval for configured encryption method.
* pam_unix: implemented reliable usernames handling when remembering passwords.
* pam_unix: changed to always run the helper to obtain shadow password entries.
* pam_unix: unix_update helper binary is now built only if SELinux support
is enabled.
* pam_unix: added audit support to unix_update helper.
* pam_userdb: added gdbm support.
* Multiple minor bug fixes, portability fixes, documentation improvements,
and translation updates.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 0.9.4 to 0.9.5
- Update of rootfile not required
- force-netlink-include-path patch updated due to chganges in file in source tarball
- Changelog
0.9.5
Info Screen:
improve format of percentages (use fixed format rather than auto-format).
Configuration:
fix ncurses support for white backgrounds (#119),
configuration file now either in $XDG_CONFIG_HOME/wavemon/wavemonrc or in
$HOME/.config/wavemon/wavemonrc (#106).
Miscellaneous
avoid including include linux/if.h (#109),
check and set support for C99 standard (#108),
updated README (#107),
configuration file can now be located in XDG_CONFIG_HOME (#105),
added portable implementation of asprintf(3),
updated copied nl80211 header file,
make -Wpedantic the default when building.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3.3 to 3.5
- Update of rootfile not required
- Two patches no longer required as fixes are now in source tarball
- Changelog
3.5 (Tue Mar 14 2023)
- Decode HPE OEM records 216, 224, 230, 238 and 242.
- Fortify entry point length checks.
- Add a --no-quirks option.
- Drop the CPUID exception list.
- Do not let --dump-bin overwrite an existing file.
- Ensure /dev/mem is a character device file.
- Bug fixes:
Fix segmentation fault in HPE OEM record 240
- Minor improvements:
Typo fixes
Write the whole dump file at once
Fix a build warning when USE_MMAP isn't set
3.4 (Mon Jun 27 2022)
- Support for SMBIOS 3.4.0. This includes new memory device types, new
processor upgrades, new slot types and characteristics, decoding of memory
module extended speed, new system slot types, new processor characteristics
and new format of Processor ID.
- Support for SMBIOS 3.5.0. This includes new processor upgrades, BIOS
characteristics, new slot characteristics, new on-board device types, new
pointing device interface types, and a new record type (type 45 -
Firmware Inventory Information).
- Decode HPE OEM records 194, 199, 203, 236, 237, 238 and 240.
- Bug fixes:
Fix OEM vendor name matching
Fix ASCII filtering of strings
Fix crash with option -u
- Minor improvements:
Skip details of uninstalled memory modules
Don't display the raw CPU ID in quiet mode
Improve the formatting of the manual pages
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This updated version of this script avoids any errors if collectd is not
running (yet) which might happen during the boot process.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The "ping" plugin does not re-resolve the gateway IP address after
pinging it for the first time. For most people this won't be a big
problem, but if the default gateway changes, the latency graph won't
work any more.
In order to do re-resolve "gateway", the only way is to restart
collectd.
Fixes: #13522
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 3.8.3 to 3.8.4
- Update of rootfile not required
- Permanent fix for smtp smuggling will be in version 3.9. However the fix has been
backported into version 3.8.4 but with the default for the parameter of "no".
- This patch sets the defaults for all the main.cf parameters highlighted by Wietse
Venema in http://www.postfix.org/smtp-smuggling.html
- Additionally the implementation of smtpd_forbid_bare_newline = yes has been added to
the install.sh pak for postfix so that it will be included into any main.cf file being
restored from backup. This parameter is available for the first time in 3.8.4 so will
not be in any backup prior to this release and can therefore be safely applied to
restored versions of main.cf.
- This fix in install.sh will be able to be removed when version 3.9 is released early
in 2024 as the default for that parameter in that version onwards will then be "yes"
- Changelog
3.8.4
Security: with "smtpd_forbid_bare_newline = yes" (default
"no" for Postfix < 3.9), reply with "Error: bare <LF>
received" and disconnect when an SMTP client sends a line
ending in <LF>, violating the RFC 5321 requirement that
lines must end in <CR><LF>. This prevents SMTP smuggling
attacks that target a recipient at a Postfix server. For
backwards compatibility, local clients are excluded by
default with "smtpd_forbid_bare_newline_exclusions =
$mynetworks". Files: mantools/postlink, proto/postconf.proto,
global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h,
smtpd/smtpd.c.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update the patches to include patches 16 to 21
- Update of rootfile not required
- Changelog
patch 21: fix for expanding command substitutions in a word expansion in a
here-document
patch 20: allow time reserved word as first token in command substitution
patch 19: fix case where background job set the terminal process group
patch 18: fix for returning unknown tokens to the bison parser
patch 17: fix for optimizing forks when using the . builtin in a subshell
patch 16: fix for a crash if one of the expressions in an arithmetic for command
expands to NULL
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- libxml2 since version 2.12.0 has removed a variable that was specified in the apache
apache mod_xml2enc code.
- This dependency caused the apache2 build to fail with the updated libxml2.
- This patch removes the dependency. It will be able to be removed when the next apache
update is carried out as the patch was created from an apache commit.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
the kernel has no CONFIG_MICROCODE_{AMD|INTEL} anymore so this patch change the check
to CONFIG_MICROCODE.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Previously, we sent Apache a signal to relaunch itself which caused
Apache to kill all child processes, and re-execute them.
However, when updating glibc, any newly compiled modules could not be
loaded as Apache was running with the previous version of glibc until
the next reboot.
This change will now properly stop Apache and restart it which solves
this problem.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
this is the first version that support booting linux kernel on
riscv. The release of the final version was delayed again and again
so i have bootstrapped the rc1 from the git and fixed the path in 25_bli.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 20230804 to 20231030
- Update of rootfile - process defined by Peter Mueller used on rootfile to identify
changes and check if the entries were commented out in previous rootfile.
This is second time that I have used this approach so probably still worthwhile for
Peter to confirm I got it correct.
- Patch for amd family 19h removed as it is now included in the source tarball.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 181 to 196
- Update of rootfile not required
- Fix python call patch removed as correct python call now in the source tarball
- Changelog file is no longer used. Review of changes has to be done via the git repo.
https://git.kernel.org/pub/scm/utils/cpu/mce/mcelog.git/log/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 5.4.4 to 5.4.6
- Update of rootfile
- Updated version number in shared library patch
- Changelog
5.4.6
read overflow in 'l_strcmp'. Reported by Xmilia Hermit on 09 Jun 2023. existed
since 5.0 (at least). fixed in github.
Call hook may be called twice when count hook yields. Reported by G.k Ray on
20 Jul 2023. existed since 5.4.0 (at least). fixed in github.
Wrong line number for function calls. Reported by Thadeu de Paula on 20 Aug 2023.
existed since 5.2. fixed in github.
5.4.5
Changing the signature of 'lua_resetthread' broke ABI. Reported by Andrew Gierth
on 29 Apr 2023. fixed in 5.4.6. fixed in github
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 4.13 to 4.14.2
- Update of rootfile not required
- Supress installation of groups patch updated for changed layout of source tarball
- Changelog
4.14.2:
libshadow:
Fix build with musl libc.
Avoid NULL dereference.
Update utmp at an initial login
useradd(8):
Set proper SELinux labels for def_usrtemplate
Manual:
Document --prefix in chage(1), chpasswd(8), and passwd(1)
4.14.1:
Build system:
Merge libshadow and libmisc into a single libshadow. This fixes
problems in the linker, which were reported at least in Gentoo.
4.14.0
This release includes some steps toward preparing for the Y2038 (e.g. removing
lastlog conditionally), a great deal of removal of obsolete function checks (like
rmdir), and overhaul of some string manipulation functions, of which there is
more to come. And a great deal more. The abbreviated git log follows:
Serge Hallyn: configure.ac: check for strlcpy
Michael Vetter: Remove intree website
Serge Hallyn: 4.14.0-rc4 pre-release
Serge Hallyn: Releases: add etc/shadow-maint to distfiles
Serge Hallyn: 4.14.0-rc3
Iker Pedrosa: libmisc: include freezero
Iker Pedrosa: libmisc: add freezero source code
Iker Pedrosa: libmisc: add readpassphrase source code
Iker Pedrosa: configure: add with-libbsd option
Iker Pedrosa: man: include shadow-man.xsl in tarball
Iker Pedrosa: man: include its.rules in tarball
Iker Pedrosa: autogen: enable lastlog build
Christian Göttsche: Add wrapper for write(2)
Serge Hallyn: tag 4.14.0-rc2
Michael Vetter: Add new files to libmisc_la_SOURCES
Serge Hallyn: Add a make dist CI test
Serge Hallyn: 4.14.0-rc1
Serge Hallyn: remove xmalloc.c from POTFILES.in
Iker Pedrosa: logoutd: add missing <utmp.h> include
Iker Pedrosa: CI: compile old utmp interface in Fedora
Iker Pedrosa: src: add SELINUX library
Iker Pedrosa: libmisc: conditionally compile utmp.c and logind.c
Iker Pedrosa: lib: replace USER_NAME_MAX_LENGTH macro
Iker Pedrosa: libmisc: call active_sessions_count()
Iker Pedrosa: libmisc: implement active_sessions_count()
Iker Pedrosa: utmp: update update_utmp()
Iker Pedrosa: utmp: move update_utmp
Iker Pedrosa: utmp: move failtmp()
Iker Pedrosa: libmisc: implement get_session_host()
Iker Pedrosa: configure: new option enable-logind
xiongshenglan: shadow userdel: add the adaptation to the busybox ps in 01-kill_user_procs.sh
Michael Vetter: chsh: warn if root sets a shell not listed in /etc/shells
Michael Vetter: doc: mention ci workflow file to learn about deps
Serge Hallyn: man/po/Makefile: add a comment to shadow-man-pages.pot
Vegard Nossum: newgrp: fix potential string injection
Todd Zullinger: lastlog: fix alignment of Latest header
Iker Pedrosa: configure: fix lastlog check
Alan D. Salewski: subuid.5: reference newusers(8) rather than newusers(1)
Iker Pedrosa: CI: build lastlog in Fedora
Iker Pedrosa: man: conditionally build lastlog documentation
Iker Pedrosa: usermod: conditionally build lastlog functionality
Iker Pedrosa: useradd: conditionally build lastlog functionality
Iker Pedrosa: login: conditionally build lastlog functionality
Iker Pedrosa: lastlog: stop building by default
Iker Pedrosa: CI: update debian repos
Bernd Kuhls: Fix yescrypt support
Jeffrey Bencteux: chgpasswd: fix segfault in command-line options
Alejandro Colomar: gpasswd(1): Fix password leak
Alejandro Colomar: src/useradd.c: create_mail(): Cosmetic
Alejandro Colomar: src/useradd.c: create_home(): Cosmetic
Alejandro Colomar: src/useradd.c: create_home(): Cosmetic
Alejandro Colomar: src/useradd.c: create_home(): Cosmetic
Alejandro Colomar: src/useradd.c: close_group_files(): Cosmetic
Alejandro Colomar: src/useradd.c: check_uid_range(): Cosmetic
Jaroslav Jindrak: build: link passwd, chpasswd and chage against libdl
Jaroslav Jindrak: configure: check whether fgetpwent_r is available before marking xprefix_getpwnam_r as reentrant
Jaroslav Jindrak: passwd: fall back to non-PAM code when prefix is used
Jaroslav Jindrak: chpasswd: fall back to non-PAM code when prefix is used
Jaroslav Jindrak: chpasswd: add --prefix/-P options
Jaroslav Jindrak: chage: add --prefix/-P options
Jaroslav Jindrak: passwd: Respect --prefix/-P options
Michael Vetter: prefix: add prefix support
Iker Pedrosa: strtoday: remove unnecessary cast
Alejandro Colomar: Use temporary variable
Alejandro Colomar: realloc(NULL, ...) is equivalent to malloc(...)
Alejandro Colomar: Simplify allocation APIs
Christian Göttsche: Drop alloca(3)
Christian Göttsche: usermod: fix off-by-one issues
Alejandro Colomar: libmisc/csrand.c: Update comments
Alejandro Colomar: lib/nss.c: Fix use of invalid p
Alejandro Colomar: lib/nss.c: Fix use of uninitialized p
Alejandro Colomar: Centralize error handling
Alejandro Colomar: Second verse, it gets worse; it gets no better than this
Alejandro Colomar: ROFL: Rolling on the floor looping
Alejandro Colomar: This ain't no loop
Iker Pedrosa: newusers: Improve error message
Martin Kletzander: ch(g)passwd: Check selinux permissions upon startup
Skyler Ferrante: Check if crypt_method null before dereferencing
Alejandro Colomar: xgetXXbyYY: Simplify elifs
Alejandro Colomar: xgetXXbyYY: Centralize error handling
Alejandro Colomar: xgetXXbyYY: tfix
Samanta Navarro: xgetXXbyYY: Avoid duplicated error handling block
Samanta Navarro: xgetXXbyYY: Handle DUP_FUNCTION failure
Serge Hallyn: sub_[ug]id_{add,remove}: fix return values
Martin Kletzander: usermod: Small optimization using memmove for password unlock
Alejandro Colomar: Reorder logic to improve comprehensibility
Alejandro Colomar: newusers: Fail early
Alejandro Colomar: newusers: Add missing error handling
Samanta Navarro: libmisc: Use safer chroot/chdir sequence
Samanta Navarro: su: Prevent stack overflow in check_perms
Samanta Navarro: subsystem: Prevent endless loop
Serge Hallyn: def_load: avoid NULL deref
Serge Hallyn: def_load: split the econf from non-econf definition
Tobias Stoeckmann: Plug econf memory leaks
Samanta Navarro: chsh: Verify that login shell path is absolute
Samanta Navarro: process_prefix_flag: Drop privileges
bubu: Update French translations
Samanta Navarro: get_pid.c: Use tighter validation checks
Markus Hiereth: replace inadequate German translation of login error message
Markus Hiereth: Update German translations
Samanta Navarro: Remove some static char arrays
Samanta Navarro: commonio: Use do_lock_file again
Serge Hallyn: Fix broken docbook translations
ed neville: open with O_CREAT when lock path does not exist
Samanta Navarro: commonio_open: Remove fcntl call
Samanta Navarro: commonio_lock_nowait: Remove deprecated code
Samanta Navarro: login_prompt: Simplify login_prompt API
Samanta Navarro: login_prompt: Use _exit in signal handler
Samanta Navarro: login_prompt: Do not parse environment variables
Samanta Navarro: libmisc/yesno.c: Fix regression
Alejandro Colomar: libmisc, man: Drop old check and advice for complex character sets in passwords
Christian Göttsche: semanage: disconnect to free libsemanage internals
Christian Göttsche: commonio: free removed database entries
ed neville: run_parts for groupadd and groupdel
lilinjie: fix typos
Alejandro Colomar: libmisc/yesno.c: Use getline(3) and rpmatch(3)
Samanta Navarro: newgrp/useradd: always set SIGCHLD to default
Serge Hallyn: Update AUTHORS to add Marek Michałkiewicz
Samanta Navarro: Read whole line in yes_or_no
Christian Göttsche: useradd/usermod: add --selinux-range argument
Alejandro Colomar: CI: Make build logs more readable
Iker Pedrosa: ci: remove explicit fedora dependencies
Iker Pedrosa: README: add reference to contribution guidelines
Iker Pedrosa: doc: add contributions introduction
Iker Pedrosa: doc: add license
Iker Pedrosa: doc: add releases
Iker Pedrosa: doc: add Continuous Integration
Iker Pedrosa: doc: add tests
Iker Pedrosa: doc: add coding style
Iker Pedrosa: doc: add build & install
Serge Hallyn: trivial: vipw.8: fix grammar
Christian Göttsche: sssd: skip flushing if executable does not exist
Christian Göttsche: Overhaul valid_field()
Martin Kletzander: semanage: Do not set default SELinux range
Michael Vetter: Fix typo in groupadd usage
Christian Göttsche: ci: update Differential ShellCheck
tomspiderlabs: Added control character check
Mike Gilbert: usermod: respect --prefix for --gid option
Alejandro Colomar: Fix su(1) silent truncation
Alejandro Colomar: Simplify is_my_tty()
Alejandro Colomar: Fix is_my_tty() buffer overrun
Alejandro Colomar: Add STRLEN(): a constexpr strlen(3) for string literals
Alejandro Colomar: Fix crash with large timestamps
Paul Eggert: Prefer strcpy(3) to strlcpy(3) when either works
Paul Eggert: Fix change_field() buffer underrun
Paul Eggert: Omit unneeded test in change_field()
Paul Eggert: Simplify change_field() by using strcpy
skyler-ferrante: Fix null dereference in basename
Iker Pedrosa: CI: script for local container build
Iker Pedrosa: CI: build project in containers
Iker Pedrosa: container: add fedora
Iker Pedrosa: container: add debian
Iker Pedrosa: container: add alpine
Iker Pedrosa: SECURITY.md: add Iker Pedrosa
Christian Göttsche: selinux: use type safe function pointer assignment
Christian Göttsche: Use strict prototype in definition
Vinícius dos Santos Oliveira: Add .editorconfig
Serge Hallyn: run_some: fix shellcheck warning
Serge Hallyn: fail on any run_some test failure
Serge Hallyn: ignore first test in run_some
Serge Hallyn: swap first two tests - does the first one still fail?
Serge Hallyn: tests: remove some github runner PATH tweaking
Alejandro Colomar: tests: Support git-worktree(1)
Serge Hallyn: tests: newuidmap and newgidmap: update expected fail message
Serge Hallyn: libsubid: include alloc.h
Serge Hallyn: run_some: log stderr
Vinícius dos Santos Oliveira: Validate fds created by the user
Serge Hallyn: get_pidfd_from_fd: return -1 on error, not 0
Serge Hallyn: g-h-a workflow: workaround
Serge Hallyn: Fix regression in some translation strings
Iker Pedrosa: lib: bit_ceil_wrapul(): stop recursion
Iker Pedrosa: lib: define ULONG_WIDTH if non-existent
maqi: Update translation
Serge Hallyn: newuidmap and newgidmap: support passing pid as fd
Alejandro Colomar: Fix use-after-free of pointer after realloc(3)
Alejandro Colomar: Use safer allocation macros
Alejandro Colomar: libmisc: Add safer allocation macros
Alejandro Colomar: Use xreallocarray() instead of its pattern
Alejandro Colomar: Use reallocarrayf() instead of its pattern
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
