Hello community, here is the log from the commit of package shadow for openSUSE:Factory checked in at 2016-07-03 12:18:20 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shadow (Old) and /work/SRC/openSUSE:Factory/.shadow.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shadow"
Changes:
--------
--- /work/SRC/openSUSE:Factory/shadow/shadow.changes 2016-01-26 10:14:18.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.shadow.new/shadow.changes 2016-07-03 12:18:22.000000000 +0200
@@ -1,0 +2,46 @@
+Tue May 31 06:48:41 UTC 2016 - [email protected]
+
+- Add package dependency for aaa_base, fixing bnc#899409
+ (was done by [email protected] but not submitted to Factory)
+
+-------------------------------------------------------------------
+Mon May 30 09:41:55 UTC 2016 - [email protected]
+
+- shadow 4.2.1 requested by fate#320422
+- bsc#979069: Dont include shadow-4.1.5.1-bug935203-manpage.patch
+- Dont set SUID bit yet. Once bsc#979282 is through, which will adapt the permissions package, we can enable the SUID bits.
+ Remove the files used to circumvent the check.
+- Remove:
+ * shadow-rpmlintrc
+ * shadow-subids
+ * shadow-subids.easy
+ * shadow-subids.secure
+ * shadow-subids.paranoid
+
+-------------------------------------------------------------------
+Thu May 19 12:28:47 UTC 2016 - [email protected]
+
+- Update to shadow-4.2.1:
+ - add support for subuids/subgids via newuidmap/newgidmap
+- Rename chkname-regex.diff to chkname-regex.patch
+- Rename encryption_method_nis.diff to encryption_method_nis.patch
+- Rename getdef-new-defs.diff to getdef-new-defs.patch
+- Rename shadow-login_defs.diff to shadow-login_defs.patch
+- Rename userdel-scripts.diff to userdel-script.patch
+- Rename useradd-script.diff to useradd-script.patch
+- Rename useradd-default.diff to useradd-default.patch
+- Rename useradd-mkdirs.diff to useradd-mkdirs.patch
+- Add fixes from Red Hat/Fedora:
+ - shadow-4.1.5.1-audit-owner.patch.patch:
+ - log owner changes for home directory
+ - shadow-4.1.5.1-userdel-helpfix.patch.patch:
+ - give a hint about what happens when you force the removal of a user
+ - shadow-4.2.1-defs-chroot.patch.patch:
+ - initialize uid_t uid_min and uid_t uid_max not before we need them
+ - shadow-4.2.1-merge-group.patch.patch:
+ - simplify by using a single call to snprintf()
+- Add upstream fix
+ - Fix-user-busy-errors-at-userdel.patch:
+ - call sub_uid_close()
+
+-------------------------------------------------------------------
Old:
----
chkname-regex.diff
encryption_method_nis.diff
getdef-new-defs.diff
shadow-4.1.5.1.tar.bz2
shadow-login_defs.diff
useradd-default.diff
useradd-mkdirs.diff
useradd-script.diff
userdel-scripts.diff
New:
----
Fix-user-busy-errors-at-userdel.patch
chkname-regex.patch
encryption_method_nis.patch
getdef-new-defs.patch
shadow-4.1.5.1-audit-owner.patch
shadow-4.1.5.1-userdel-helpfix.patch
shadow-4.2.1-defs-chroot.patch
shadow-4.2.1-merge-group.patch
shadow-4.2.1.tar.xz
shadow-login_defs.patch
useradd-default.patch
useradd-mkdirs.patch
useradd-script.patch
userdel-script.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ shadow.spec ++++++
--- /var/tmp/diff_new_pack.g70l4r/_old 2016-07-03 12:18:24.000000000 +0200
+++ /var/tmp/diff_new_pack.g70l4r/_new 2016-07-03 12:18:24.000000000 +0200
@@ -20,10 +20,10 @@
 License: BSD-3-Clause and GPL-2.0+
 Group: System/Base
 Name: shadow
-Version: 4.1.5.1
+Version: 4.2.1
 Release: 0
 Url: http://pkg-shadow.alioth.debian.org/
-Source: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2
+Source: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz
 Source1: pamd.tar.bz2
 Source2: README.changes-pwdutils
 Source3: useradd.local
@@ -31,18 +31,24 @@ Source5: userdel-post.local Source6: shadow.service Source7: shadow.timer -Patch: shadow-login_defs.diff -Patch1: userdel-scripts.diff -Patch2: useradd-script.diff -Patch3: chkname-regex.diff -Patch4: useradd-default.diff -Patch5: getdef-new-defs.diff +Patch: shadow-login_defs.patch +Patch1: userdel-script.patch +Patch2: useradd-script.patch +Patch3: chkname-regex.patch +Patch4: useradd-default.patch +Patch5: getdef-new-defs.patch Patch6: shadow-4.1.5.1-manfix.patch Patch7: shadow-4.1.5.1-logmsg.patch Patch8: shadow-4.1.5.1-errmsg.patch Patch9: shadow-4.1.5.1-backup-mode.patch -Patch10: encryption_method_nis.diff -Patch11: useradd-mkdirs.diff +Patch10: encryption_method_nis.patch +Patch11: useradd-mkdirs.patch +Patch12: shadow-4.1.5.1-audit-owner.patch +Patch13: shadow-4.1.5.1-userdel-helpfix.patch +Patch14: shadow-4.2.1-defs-chroot.patch +Patch15: shadow-4.2.1-merge-group.patch +Patch16: Fix-user-busy-errors-at-userdel.patch +Requires: aaa_base BuildRequires: audit-devel BuildRequires: libacl-devel BuildRequires: libattr-devel @@ -67,12 +73,17 @@ %patch3 -p0 %patch4 -p0 %patch5 -p0 -%patch6 -p1 -%patch7 -p1 +%patch6 -p0 +%patch7 -p0 %patch8 -p0 -%patch9 -p1 +%patch9 -p0 %patch10 -p0 -%patch11 -p1 +%patch11 -p0 +%patch12 -p0 +%patch13 -p0 +%patch14 -p0 +%patch15 -p0 +%patch16 -p0 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 mv -v doc/HOWTO.utf8 doc/HOWTO @@ -181,6 +192,8 @@ %set_permissions /usr/bin/gpasswd %set_permissions /usr/bin/newgrp %set_permissions /usr/bin/passwd +%set_permissions /usr/bin/newgidmap +%set_permissions /usr/bin/newuidmap %service_add_post shadow.service shadow.timer @@ -192,6 +205,8 @@ %verify_permissions /usr/bin/gpasswd %verify_permissions /usr/bin/newgrp %verify_permissions /usr/bin/passwd +%verify_permissions /usr/bin/newgidmap +%verify_permissions /usr/bin/newuidmap %preun %service_del_preun shadow.service shadow.timer 
@@ -225,6 +240,8 @@ %{_bindir}/lastlog %attr(4755,root,root) %{_bindir}/newgrp %attr(4755,root,shadow) %{_bindir}/passwd +%attr(0755,root,shadow) %{_bindir}/newgidmap +%attr(0755,root,shadow) %{_bindir}/newuidmap %{_bindir}/sg %{_sbindir}/groupadd %{_sbindir}/groupdel @@ -268,6 +285,10 @@ %{_mandir}/man8/usermod.8* %{_mandir}/man8/vigr.8* %{_mandir}/man8/vipw.8* +%{_mandir}/man5/subuid.5* +%{_mandir}/man5/subgid.5* +%{_mandir}/man1/newgidmap.1* +%{_mandir}/man1/newuidmap.1* %{_unitdir}/* ++++++ Fix-user-busy-errors-at-userdel.patch ++++++ >From 546e2ae44955510b06a922647796ec54744f10ce Mon Sep 17 00:00:00 2001 From: Bastian Blank <[email protected]> Date: Tue, 17 Nov 2015 10:52:24 -0600 Subject: [PATCH 17/17] Fix user busy errors at userdel Acked-by: Serge Hallyn <[email protected]> --- libmisc/user_busy.c | 9 +++++++++ 1 file changed, 9 insertions(+) --- libmisc/user_busy.c +++ libmisc/user_busy.c @@ -175,6 +175,9 @@ static int user_busy_processes (const char *name, uid_t uid) if (stat ("/", &sbroot) != 0) { perror ("stat (\"/\")"); (void) closedir (proc); +#ifdef ENABLE_SUBIDS + sub_uid_close(); +#endif return 0; } @@ -212,6 +215,9 @@ static int user_busy_processes (const char *name, uid_t uid) if (check_status (name, tmp_d_name, uid) != 0) { (void) closedir (proc); +#ifdef ENABLE_SUBIDS + sub_uid_close(); +#endif fprintf (stderr, _("%s: user %s is currently used by process %d\n"), Prog, name, pid); @@ -232,6 +238,9 @@ static int user_busy_processes (const char *name, uid_t uid) } if (check_status (name, task_path+6, uid) != 0) { (void) closedir (proc); +#ifdef ENABLE_SUBIDS + sub_uid_close(); +#endif fprintf (stderr, _("%s: user %s is currently used by process %d\n"), Prog, name, pid); ++++++ chkname-regex.patch ++++++ --- lib/getdef.c +++ lib/getdef.c 
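Review bot: The two new `%attr(0755,root,shadow)` lines for newgidmap and newuidmap install the helpers without the setuid bit, and nothing next to them says why; the reason (bsc#979282, the permissions package not yet covering these paths) survives only in the changelog. A one-line comment above them, `# no setuid on newuidmap/newgidmap until the permissions package is updated (bsc#979282)`, keeps that from being read as an oversight later. Note that the `%set_permissions` calls added in %post hand the final mode to the permissions package, so once that change lands the mode on disk will presumably differ from the %attr value here.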
@@ -51,6 +51,7 @@ struct itemdef { #define NUMDEFS (sizeof(def_table)/sizeof(def_table[0])) static struct itemdef def_table[] = { + {"CHARACTER_CLASS", NULL}, {"CHFN_RESTRICT", NULL}, {"CONSOLE_GROUPS", NULL}, {"CONSOLE", NULL}, --- libmisc/chkname.c +++ libmisc/chkname.c @@ -43,30 +43,57 @@ #ident "$Id$" #include <ctype.h> +#include <regex.h> #include "defines.h" #include "chkname.h" +#include "getdef.h" +#include <stdio.h> static bool is_valid_name (const char *name) { - /* - * User/group names must match [a-z_][a-z0-9_-]*[$] - */ - if (('\0' == *name) || - !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) { + const char *class; + regex_t reg; + int result; + char *buf; + + /* User/group names must match [A-Za-z_][A-Za-z0-9_-.]*[A-Za-z0-9_-.$]?. + This is the POSIX portable character class. The $ at the end is + needed for SAMBA. But user can also specify something else in + /etc/login.defs. */ + class = getdef_str ("CHARACTER_CLASS"); + if (!class) + class = "[a-z_][a-z0-9_.-]*[a-z0-9_.$-]\\?"; + + if (asprintf (&buf, "^%s$", class) < 0) + return -1; + + memset (®, 0, sizeof (regex_t)); + result = regcomp (®, buf, 0); + free (buf); + + if (result) { + size_t length = regerror (result, ®, NULL, 0); + char *buffer = malloc (length); + if (buffer == NULL) + fputs ("running out of memory!\n", stderr); + + /* else + { + regerror (result, ®, buffer, length); + fprintf (stderr, _("Can't compile regular expression: %s\n"), + buffer); + } */ + + regfree(®); return false; } - while ('\0' != *++name) { - if (!(( ('a' <= *name) && ('z' >= *name) ) || - ( ('0' <= *name) && ('9' >= *name) ) || - ('_' == *name) || - ('-' == *name) || - ( ('$' == *name) && ('\0' == *(name + 1)) ) - )) { - return false; - } + if (regexec (®, name, 0, NULL, 0) != 0) { + regfree(®); + return false; } + regfree(®); return true; } ++++++ encryption_method_nis.patch ++++++ --- lib/getdef.c +++ lib/getdef.c 
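Review bot: `is_valid_name` returns `bool`, but the asprintf failure path does `return -1;`, which converts to `true` and so accepts any name when the pattern buffer cannot be allocated; it should `return false;` so the check fails closed. In the `if (result)` branch the `malloc (length)` buffer is consumed only by the commented-out regerror block, so it is never freed and a CHARACTER_CLASS that does not compile yields no diagnostic, just a silent rejection of every name — either restore the reporting and add `free (buffer);` before the `regfree`, or drop the allocation entirely. The new default pattern is compiled with flags 0 (basic regex syntax), which is worth a comment next to the literal since `\?` is only meaningful there as a GNU extension.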
@@ -58,6 +58,7 @@ static struct itemdef def_table[] = { {"CREATE_HOME", NULL}, {"DEFAULT_HOME", NULL}, {"ENCRYPT_METHOD", NULL}, + {"ENCRYPT_METHOD_NIS", NULL}, {"ENV_PATH", NULL}, {"ENV_SUPATH", NULL}, {"ERASECHAR", NULL}, ++++++ getdef-new-defs.patch ++++++ --- lib/getdef.c +++ lib/getdef.c @@ -65,6 +65,7 @@ static struct itemdef def_table[] = { {"FAKE_SHELL", NULL}, {"GID_MAX", NULL}, {"GID_MIN", NULL}, + {"GROUPADD_CMD", NULL}, {"HUSHLOGIN_FILE", NULL}, {"KILLCHAR", NULL}, {"LOGIN_RETRIES", NULL}, @@ -100,7 +101,10 @@ static struct itemdef def_table[] = { {"UID_MAX", NULL}, {"UID_MIN", NULL}, {"UMASK", NULL}, + {"USERADD_CMD", NULL}, {"USERDEL_CMD", NULL}, + {"USERDEL_PRECMD", NULL}, + {"USERDEL_POSTCMD", NULL}, {"USERGROUPS_ENAB", NULL}, #ifndef USE_PAM {"CHFN_AUTH", NULL}, @@ -136,6 +140,10 @@ static struct itemdef def_table[] = { {"TCB_SYMLINKS", NULL}, {"USE_TCB", NULL}, #endif + /* Used by /bin/login */ + {"MOTD_FILE", NULL}, + {"ENV_PATH", NULL}, + {"ENV_ROOTPATH", NULL}, {NULL, NULL} }; ++++++ shadow-4.1.5.1-audit-owner.patch ++++++ --- src/usermod.c +++ src/usermod.c @@ -1808,6 +1808,14 @@ static void move_home (void) fail_exit (E_HOMEDIR); } +#ifdef WITH_AUDIT + if (uflg || gflg) { + audit_logger (AUDIT_USER_CHAUTHTOK, Prog, + "changing home directory owner", + user_newname, (unsigned int) user_newid, 1); + } +#endif + if (rename (user_home, user_newhome) == 0) { /* FIXME: rename above may have broken symlinks * pointing to the user's home directory 
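Review bot: The `{"ENV_PATH", NULL}` entry added under `/* Used by /bin/login */` duplicates the `{"ENV_PATH", NULL}` that is already in def_table (visible as context in the encryption_method_nis hunk above), so the new entry is dead unless the lookup scans the whole table; drop it, and check `MOTD_FILE` the same way, since the rest of the table is outside these hunks. If the table is searched linearly by name, the first entry wins and the duplicate is harmless but misleading to the next reader.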
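Review bot: In the move_home hunk the `audit_logger (AUDIT_USER_CHAUTHTOK, ...)` record is written before `rename (user_home, user_newhome)` runs and with its last argument fixed at 1, so the audit trail records a completed owner change even when the rename or its fallback fails; the hunk at `@@ -2254,6 +2262,13 @@` has the same ordering in front of `chown_tree`. Emit the record after the outcome is known and pass the real result in the last argument, the way the `SHADOW_AUDIT_FAILURE` calls elsewhere in this series do. AUDIT_USER_CHAUTHTOK also reads as an odd event type for a home-directory ownership change — confirm it against the audit-type conventions used in the rest of usermod.c. move_home continues outside the hunk.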
@@ -2254,6 +2262,13 @@ int main (int argc, char **argv) * ownership. * */ +#ifdef WITH_AUDIT + if (uflg || gflg) { + audit_logger (AUDIT_USER_CHAUTHTOK, Prog, + "changing home directory owner", + user_newname, (unsigned int) user_newid, 1); + } +#endif if (chown_tree (dflg ? user_newhome : user_home, user_id, uflg ? user_newid : (uid_t)-1, ++++++ shadow-4.1.5.1-backup-mode.patch ++++++ --- /var/tmp/diff_new_pack.g70l4r/_old 2016-07-03 12:18:24.000000000 +0200 +++ /var/tmp/diff_new_pack.g70l4r/_new 2016-07-03 12:18:24.000000000 +0200 @@ -1,7 +1,6 @@ -diff -up shadow-4.1.5.1/lib/commonio.c.backup-mode shadow-4.1.5.1/lib/commonio.c ---- shadow-4.1.5.1/lib/commonio.c.backup-mode 2012-05-18 21:44:54.000000000 +0200 -+++ shadow-4.1.5.1/lib/commonio.c 2012-09-19 20:27:16.089444234 +0200 -@@ -301,15 +301,12 @@ static int create_backup (const char *ba +--- lib/commonio.c ++++ lib/commonio.c +@@ -301,15 +301,12 @@ static int create_backup (const char *backup, FILE * fp) struct utimbuf ub; FILE *bkfp; int c; ++++++ shadow-4.1.5.1-errmsg.patch ++++++ --- /var/tmp/diff_new_pack.g70l4r/_old 2016-07-03 12:18:24.000000000 +0200 +++ /var/tmp/diff_new_pack.g70l4r/_new 2016-07-03 12:18:24.000000000 +0200 @@ -1,6 +1,6 @@ --- src/useradd.c -+++ src/useradd.c 2013/09/17 12:30:31 -@@ -1759,6 +1759,9 @@ ++++ src/useradd.c +@@ -1896,6 +1896,9 @@ static void create_home (void) if (access (user_home, F_OK) != 0) { #ifdef WITH_SELINUX if (set_selinux_file_context (user_home) != 0) { @@ -10,7 +10,7 @@ fail_exit (E_HOMEDIR); } #endif -@@ -1788,6 +1791,9 @@ +@@ -1925,6 +1928,9 @@ static void create_home (void) #ifdef WITH_SELINUX /* Reset SELinux to create files with default contexts */ if (reset_selinux_file_context () != 0) { ++++++ shadow-4.1.5.1-logmsg.patch ++++++ --- /var/tmp/diff_new_pack.g70l4r/_old 2016-07-03 12:18:24.000000000 +0200 +++ /var/tmp/diff_new_pack.g70l4r/_new 2016-07-03 12:18:24.000000000 +0200 
@@ -1,7 +1,6 @@ -diff -up shadow-4.1.5.1/src/useradd.c.logmsg shadow-4.1.5.1/src/useradd.c ---- shadow-4.1.5.1/src/useradd.c.logmsg 2013-02-20 15:41:44.000000000 +0100 -+++ shadow-4.1.5.1/src/useradd.c 2013-03-19 18:40:04.908292810 +0100 -@@ -275,7 +275,7 @@ static void fail_exit (int code) +--- src/useradd.c ++++ src/useradd.c +@@ -320,7 +320,7 @@ static void fail_exit (int code) user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE); #endif ++++++ shadow-4.1.5.1-manfix.patch ++++++ --- /var/tmp/diff_new_pack.g70l4r/_old 2016-07-03 12:18:24.000000000 +0200 +++ /var/tmp/diff_new_pack.g70l4r/_new 2016-07-03 12:18:24.000000000 +0200 @@ -1,16 +1,6 @@ -diff -up shadow-4.1.5.1/man/useradd.8.xml.manfix shadow-4.1.5.1/man/useradd.8.xml ---- shadow-4.1.5.1/man/useradd.8.xml.manfix 2013-06-14 15:25:44.000000000 +0200 -+++ shadow-4.1.5.1/man/useradd.8.xml 2013-07-19 07:33:53.768619759 +0200 -@@ -161,7 +161,7 @@ - </varlistentry> - <varlistentry> - <term> -- <option>-d</option>, <option>--home</option> -+ <option>-d</option>, <option>--home-dir</option> - <replaceable>HOME_DIR</replaceable> - </term> - <listitem> -@@ -362,7 +362,7 @@ +--- man/useradd.8.xml ++++ man/useradd.8.xml +@@ -351,7 +351,7 @@ </varlistentry> <varlistentry> <term> ++++++ shadow-4.1.5.1-userdel-helpfix.patch ++++++ --- src/userdel.c +++ src/userdel.c @@ -143,8 +143,9 @@ static void usage (int status) "\n" "Options:\n"), Prog); - (void) fputs (_(" -f, --force force removal of files,\n" - " even if not owned by user\n"), + (void) fputs (_(" -f, --force force some actions that would fail otherwise\n" + " e.g. removal of user still logged in\n" + " or files, even if not owned by the user\n"), usageout); (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); (void) fputs (_(" -r, --remove remove home directory and mail spool\n"), usageout); ++++++ shadow-4.2.1-defs-chroot.patch ++++++ --- src/useradd.c +++ src/useradd.c 
@@ -2054,8 +2054,8 @@ int main (int argc, char **argv) #endif /* ACCT_TOOLS_SETUID */ /* Needed for userns check */ - uid_t uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); - uid_t uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); + uid_t uid_min; + uid_t uid_max; /* * Get my name so that I can use it to report errors. @@ -2073,6 +2073,9 @@ int main (int argc, char **argv) audit_help_open (); #endif + uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); + uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); + sys_ngroups = sysconf (_SC_NGROUPS_MAX); user_groups = (char **) xmalloc ((1 + sys_ngroups) * sizeof (char *)); /* ++++++ shadow-4.2.1-merge-group.patch ++++++ --- lib/groupio.c +++ lib/groupio.c @@ -335,8 +335,7 @@ static /*@null@*/struct commonio_entry *merge_group_entries ( errno = ENOMEM; return NULL; } - snprintf(new_line, new_line_len, "%s\n%s", gr1->line, gr2->line); - new_line[new_line_len] = '\0'; + snprintf(new_line, new_line_len + 1, "%s\n%s", gr1->line, gr2->line); /* Concatenate the 2 list of members */ for (i=0; NULL != gptr1->gr_mem[i]; i++); ++++++ shadow-login_defs.patch ++++++ --- etc/login.defs +++ etc/login.defs @@ -1,8 +1,5 @@ # # /etc/login.defs - Configuration control definitions for the shadow package. -# -# $Id$ -# # # Delay in seconds before being allowed another attempt after a login failure @@ -12,11 +9,6 @@ FAIL_DELAY 3 # -# Enable logging and display of /var/log/faillog login(1) failure info. -# -FAILLOG_ENAB yes - -# # Enable display of unknown usernames when login(1) failures are recorded. # LOG_UNKFAIL_ENAB no 
@@ -27,34 +19,6 @@ LOG_UNKFAIL_ENAB no LOG_OK_LOGINS no # -# Enable logging and display of /var/log/lastlog login(1) time info. -# -LASTLOG_ENAB yes - -# -# Enable checking and display of mailbox status upon login. -# -# Disable if the shell startup files already check for mail -# ("mailx -e" or equivalent). -# -MAIL_CHECK_ENAB yes - -# -# Enable additional checks upon password changes. -# -OBSCURE_CHECKS_ENAB yes - -# -# Enable checking of time restrictions specified in /etc/porttime. -# -PORTTIME_CHECKS_ENAB yes - -# -# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field. -# -QUOTAS_ENAB yes - -# # Enable "syslog" logging of su(1) activity - in addition to sulog file logging. # SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1). # 
@@ -82,75 +46,31 @@ MOTD_FILE /etc/motd #MOTD_FILE /etc/motd:/usr/lib/news/news-motd # -# If defined, this file will be output before each login(1) prompt. -# -#ISSUE_FILE /etc/issue - -# # If defined, file which maps tty line to TERM environment parameter. # Each line of the file is in a format similar to "vt100 tty01". # #TTYTYPE_FILE /etc/ttytype # -# If defined, login(1) failures will be logged here in a utmp format. -# last(1), when invoked as lastb(1), will read /var/log/btmp, so... -# -FTMP_FILE /var/log/btmp - -# -# If defined, name of file whose presence will inhibit non-root -# logins. The content of this file should be a message indicating -# why logins are inhibited. -# -NOLOGINS_FILE /etc/nologin - -# -# If defined, the command name to display when running "su -". For -# example, if this is defined as "su" then ps(1) will display the -# command as "-su". If not defined, then ps(1) will display the -# name of the shell actually being run, e.g. something like "-sh". -# -SU_NAME su - -# -# *REQUIRED* -# Directory where mailboxes reside, _or_ name of file, relative to the -# home directory. If you _do_ define both, MAIL_DIR takes precedence. -# -MAIL_DIR /var/spool/mail -#MAIL_FILE .mail - -# # If defined, file which inhibits all the usual chatter during the login # sequence. If a full pathname, then hushed mode will be enabled if the # user's name or shell are found in the file. If not a full pathname, then # hushed mode will be enabled if the file exists in the user's home directory. # -HUSHLOGIN_FILE .hushlogin -#HUSHLOGIN_FILE /etc/hushlogins - -# -# If defined, either a TZ environment parameter spec or the -# fully-rooted pathname of a file containing such a spec. -# -#ENV_TZ TZ=CST6CDT -#ENV_TZ /etc/tzname - -# -# If defined, an HZ environment parameter spec. -# -# for Linux/x86 -ENV_HZ HZ=100 -# For Linux/Alpha... 
-#ENV_HZ HZ=1024 +# HUSHLOGIN_FILE .hushlogin +HUSHLOGIN_FILE /etc/hushlogins # # *REQUIRED* The default PATH settings, for superuser and normal users. # # (they are minimal, add the rest in the shell startup files) ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin -ENV_PATH PATH=/bin:/usr/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin + +# +# The default PATH settings for root (used by login): +# +ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin # # Terminal permissions @@ -164,24 +84,20 @@ ENV_PATH PATH=/bin:/usr/bin # set TTYPERM to either 622 or 600. # TTYGROUP tty -TTYPERM 0600 +TTYPERM 0620 # # Login configuration initializations: # # ERASECHAR Terminal ERASE character ('\010' = backspace). # KILLCHAR Terminal KILL character ('\025' = CTRL/U). -# ULIMIT Default "ulimit" value. # # The ERASECHAR and KILLCHAR are used only on System V machines. -# The ULIMIT is used only if the system supports it. -# (now it works with setrlimit too; ulimit is in 512-byte units) # # Prefix these values with "0" to get octal, "0x" to get hexadecimal. # ERASECHAR 0177 KILLCHAR 025 -#ULIMIT 2097152 # Default initial "umask" value used by login(1) on non-PAM enabled systems. # Default "umask" value for pam_umask(8) on PAM enabled systems. 
@@ -197,35 +113,25 @@ UMASK 022 # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. -# PASS_MIN_LEN Minimum acceptable password length. # PASS_WARN_AGE Number of days warning given before a password expires. # PASS_MAX_DAYS 99999 PASS_MIN_DAYS 0 -PASS_MIN_LEN 5 PASS_WARN_AGE 7 # -# If "yes", the user must be listed as a member of the first gid 0 group -# in /etc/group (called "root" on most Linux systems) to be able to "su" -# to uid 0 accounts. If the group doesn't exist or is empty, no one -# will be able to "su" to uid 0. -# -SU_WHEEL_ONLY no - -# -# If compiled with cracklib support, sets the path to the dictionaries -# -CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict - -# # Min/max values for automatic uid selection in useradd(8) # +# SYS_UID_MIN to SYS_UID_MAX inclusive is the range for +# UIDs for dynamically allocated administrative and system accounts. +# UID_MIN to UID_MAX inclusive is the range of UIDs of dynamically +# allocated user accounts. +# UID_MIN 1000 UID_MAX 60000 # System accounts -SYS_UID_MIN 101 -SYS_UID_MAX 999 +SYS_UID_MIN 100 +SYS_UID_MAX 499 # Extra per user uids SUB_UID_MIN 100000 SUB_UID_MAX 600100000 @@ -234,11 +140,16 @@ SUB_UID_COUNT 65536 # # Min/max values for automatic gid selection in groupadd(8) # +# SYS_GID_MIN to SYS_GID_MAX inclusive is the range for +# GIDs for dynamically allocated administrative and system groups. +# GID_MIN to GID_MAX inclusive is the range of GIDs of dynamically +# allocated groups. +# GID_MIN 1000 GID_MAX 60000 # System accounts -SYS_GID_MIN 101 -SYS_GID_MAX 999 +SYS_GID_MIN 100 +SYS_GID_MAX 499 # Extra per user group ids SUB_GID_MIN 100000 SUB_GID_MAX 600100000 @@ -247,7 +158,7 @@ SUB_GID_COUNT 65536 # # Max number of login(1) retries if password is bad # -LOGIN_RETRIES 5 +LOGIN_RETRIES 3 # # Max time in seconds for login(1) 
@@ -255,28 +166,6 @@ LOGIN_RETRIES 5 LOGIN_TIMEOUT 60 # -# Maximum number of attempts to change password if rejected (too easy) -# -PASS_CHANGE_TRIES 5 - -# -# Warn about weak passwords (but still allow them) if you are root. -# -PASS_ALWAYS_WARN yes - -# -# Number of significant characters in the password for crypt(). -# Default is 8, don't change unless your crypt() is better. -# Ignored if MD5_CRYPT_ENAB set to "yes". -# -#PASS_MAX_LEN 8 - -# -# Require password before chfn(1)/chsh(1) can make any changes. -# -CHFN_AUTH yes - -# # Which fields may be changed by regular users using chfn(1) - use # any combination of letters "frwh" (full name, room number, work # phone, home phone). If not defined, no changes are allowed. @@ -285,28 +174,6 @@ CHFN_AUTH yes CHFN_RESTRICT rwh # -# Password prompt (%s will be replaced by user name). -# -# XXX - it doesn't work correctly yet, for now leave it commented out -# to use the default which is just "Password: ". -#LOGIN_STRING "%s's Password: " - -# -# Only works if compiled with MD5_CRYPT defined: -# If set to "yes", new passwords will be encrypted using the MD5-based -# algorithm compatible with the one used by recent releases of FreeBSD. -# It supports passwords of unlimited length and longer salt strings. -# Set to "no" if you need to copy encrypted passwords to other systems -# which don't understand the new algorithm. Default is "no". -# -# Note: If you use PAM, it is recommended to use a value consistent with -# the PAM modules configuration. -# -# This variable is deprecated. You should use ENCRYPT_METHOD instead. -# -#MD5_CRYPT_ENAB no - -# # Only works if compiled with ENCRYPTMETHOD_SELECT defined: # If set to MD5, MD5-based algorithm will be used for encrypting password # If set to SHA256, SHA256-based algorithm will be used for encrypting password 
@@ -317,7 +184,8 @@ CHFN_RESTRICT rwh # Note: If you use PAM, it is recommended to use a value consistent with # the PAM modules configuration. # -#ENCRYPT_METHOD DES +ENCRYPT_METHOD SHA512 +ENCRYPT_METHOD_NIS DES # # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. @@ -353,16 +221,12 @@ CHFN_RESTRICT rwh DEFAULT_HOME yes # -# If this file exists and is readable, login environment will be -# read from it. Every line should be in the form name=value. -# -ENVIRON_FILE /etc/environment - -# # If defined, this command is run when removing a user. # It should remove any at/cron/print jobs etc. owned by # the user to be removed (passed as the first argument). # +# See USERDEL_PRECMD/POSTCMD below. +# #USERDEL_CMD /usr/sbin/userdel_local # @@ -372,7 +236,7 @@ ENVIRON_FILE /etc/environment # # This also enables userdel(8) to remove user groups if no members exist. # -USERGROUPS_ENAB yes +USERGROUPS_ENAB no # # If set to a non-zero number, the shadow utilities will make sure that 
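Review bot: `ENCRYPT_METHOD_NIS DES` is added without a comment of its own, while the text above it only explains ENCRYPT_METHOD, so a reader cannot tell which accounts the NIS setting applies to or why it stays on DES when the local default moves to SHA512. DES crypt keeps only the first 8 characters of the password and a 12-bit salt, so the line should carry the concrete compatibility constraint, e.g. `# ENCRYPT_METHOD_NIS: hash for NIS-handled passwords; DES kept because <fill in the consumer that requires it>`. Whether the key is honoured at all depends on code in encryption_method_nis.patch that is not on this page; here it is only registered in getdef.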
@@ -391,5 +255,40 @@ USERGROUPS_ENAB yes # This option is overridden with the -M or -m flags on the useradd(8) # command-line. # -#CREATE_HOME yes +CREATE_HOME no + +# +# User/group names must match the following regex expression. +# The default is [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?, +# but be aware that the result could depend on the locale settings. +# +#CHARACTER_CLASS [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\? +CHARACTER_CLASS [ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_][ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-]*[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$-]\? +# +# If defined, this command is run when adding a group. +# It should rebuild any NIS database etc. to add the +# new created group. +# +GROUPADD_CMD /usr/sbin/groupadd.local + +# +# If defined, this command is run when adding a user. +# It should rebuild any NIS database etc. to add the +# new created account. +# +USERADD_CMD /usr/sbin/useradd.local + +# +# If defined, this command is run before removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed. +# +USERDEL_PRECMD /usr/sbin/userdel-pre.local + +# +# If defined, this command is run after removing a user. +# It should rebuild any NIS database etc. to remove the +# account from it. +# +USERDEL_POSTCMD /usr/sbin/userdel-post.local ++++++ useradd-default.patch ++++++ --- etc/useradd +++ etc/useradd @@ -1,5 +1,5 @@ # useradd defaults file -GROUP=1000 +GROUP=100 HOME=/home INACTIVE=-1 EXPIRE= ++++++ useradd-mkdirs.patch ++++++ --- src/useradd.c +++ src/useradd.c @@ -1894,6 +1894,13 @@ static void usr_update (void) static void create_home (void) { if (access (user_home, F_OK) != 0) { + char path[strlen (user_home) + 2]; + char *bhome, *cp; + + path[0] = '\0'; + bhome = strdup (user_home); + ++bhome; + #ifdef WITH_SELINUX if (set_selinux_file_context (user_home) != 0) { fprintf (stderr, 
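Review bot: The new comment states that the default CHARACTER_CLASS is `[A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?`, but the built-in fallback in chkname-regex.patch (used when the key is unset) is the lowercase-only `[a-z_][a-z0-9_.-]*[a-z0-9_.$-]\?`, so an admin who comments the line out gets a stricter rule than the file promises; one of the two should be corrected. Spelling the active value out character by character is the right choice given the locale caveat the comment itself raises, since `[A-Z]` is collation-dependent in some locales while the explicit list is not.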
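Review bot: `bhome = strdup (user_home); ++bhome;` neither checks for a NULL return nor keeps the original pointer, so an allocation failure hands an invalid pointer to the strtok loop in the next hunk and the copy can never be freed. Keep what strdup returned, e.g. `char *copy = strdup (user_home); if (copy == NULL) fail_exit (E_HOMEDIR); bhome = copy + 1;`, and `free (copy)` once the loop ends. The `+ 1` also assumes user_home begins with `/`; if a relative path can reach create_home, the first character of the first component is dropped. create_home continues in the following hunk.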
@@ -1902,19 +1909,42 @@ static void create_home (void) fail_exit (E_HOMEDIR); } #endif - /* XXX - create missing parent directories. --marekm */ - if (mkdir (user_home, 0) != 0) { - fprintf (stderr, - _("%s: cannot create directory %s\n"), - Prog, user_home); + + /* Check for every part of the path, if the directory + exists. If not, create it with permissions 755 and + owner root:root. + */ + cp = strtok (bhome, "/"); + while (cp) { + strcat (path, "/"); + strcat (path, cp); + if (access (path, F_OK) != 0) { + if (mkdir (path, 0) != 0) { + fprintf (stderr, + _("%s: cannot create directory %s\n"), + Prog, path); #ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_USER, Prog, - "adding home directory", - user_name, (unsigned int) user_id, - SHADOW_AUDIT_FAILURE); + audit_logger (AUDIT_ADD_USER, Prog, + "adding home directory", + user_name, (unsigned int) user_id, + SHADOW_AUDIT_FAILURE); #endif - fail_exit (E_HOMEDIR); + fail_exit (E_HOMEDIR); + } + if (chown (path, 0, 0) < 0) { + fprintf (stderr, + _("%s: warning: chown on `%s' failed: %m\n"), + Prog, path); + } + if (chmod (path, 0777) < 0) { + fprintf (stderr, + _("%s: warning: chmod on `%s' failed: %m\n"), + Prog, path); + } + } + cp = strtok (NULL, "/"); } + chown (user_home, user_id, user_gid); chmod (user_home, 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); ++++++ useradd-script.patch ++++++ --- src/useradd.c +++ src/useradd.c @@ -1982,6 +1982,30 @@ static void create_mail (void) } /* + * call_script - call a script to do some work + * + * call_script calls a script for additional changes to the + * account. + */ + +static void call_script (const char *user) +{ + const char *cmd; + const char *argv[3]; + int status; + + cmd = getdef_str ("USERADD_CMD"); + if (NULL == cmd) { + return; + } + argv[0] = cmd; + argv[1] = user; + argv[2] = (char *)0; + (void) run_command (cmd, argv, NULL, &status); +} + + +/* * main - useradd command */ int main (int argc, char **argv) 
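Review bot: The comment says missing parent directories are created "with permissions 755 and owner root:root", but the code does `chmod (path, 0777)`, so every parent the loop creates (a not-yet-existing /home, or a per-site parent of the home directory) ends up world-writable with no sticky bit; change it to `chmod (path, 0755)` so the code matches the stated contract. The new `chown (user_home, user_id, user_gid);` after the loop also ignores its return value, unlike the chown on the intermediate paths just above it, which at least warns on failure. create_home continues outside the hunk.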
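Review bot: `call_script` discards both the return value of `run_command` and the `status` it fills in, so a failing or missing USERADD_CMD hook — a script that runs with useradd's privileges — leaves no trace in the output. At minimum report it, `if (run_command (cmd, argv, NULL, &status) != 0 || status != 0) fprintf (stderr, _("%s: %s failed\n"), Prog, cmd);`, assuming run_command follows the 0-on-success convention — confirm against its definition, which is not on this page. `argv[2] = (char *)0;` would read better as `NULL`.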
@@ -2242,6 +2266,7 @@ int main (int argc, char **argv) nscd_flush_cache ("passwd"); nscd_flush_cache ("group"); + call_script (user_name); + return E_SUCCESS; } - ++++++ userdel-script.patch ++++++ --- src/userdel.c +++ src/userdel.c @@ -762,13 +762,13 @@ static void update_user (void) * cron, at, or print jobs. */ -static void user_cancel (const char *user) +static void call_script (const char *program, const char *user) { const char *cmd; const char *argv[3]; int status; - cmd = getdef_str ("USERDEL_CMD"); + cmd = getdef_str (program); if (NULL == cmd) { return; } @@ -1163,9 +1163,10 @@ int main (int argc, char **argv) } /* - * Do the hard stuff - open the files, create the user entries, - * create the home directory, then close and update the files. + * Do the hard stuff - open the files, remove the user entries, + * remove the home directory, then close and update the files. */ + call_script ("USERDEL_PRECMD", user_name); open_files (); update_user (); update_groups (); @@ -1268,7 +1269,7 @@ int main (int argc, char **argv) * Cancel any crontabs or at jobs. Have to do this before we remove * the entry from /etc/passwd. */ - user_cancel (user_name); + call_script ("USERDEL_CMD", user_name); close_files (); #ifdef WITH_TCB @@ -1278,6 +1279,8 @@ int main (int argc, char **argv) nscd_flush_cache ("passwd"); nscd_flush_cache ("group"); + /* Call the post script, for example to rebuild NIS database */ + call_script ("USERDEL_POSTCMD", user_name); + return ((0 != errors) ? E_HOMEDIR : E_SUCCESS); } -
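Review bot: `call_script ("USERDEL_PRECMD", user_name)` runs before `open_files ()`, and in the visible part of call_script its `status` is never examined (the function body continues outside the first hunk), so a pre-removal hook that fails cannot stop the deletion and the run proceeds as if it had succeeded. Either honour a non-zero status by exiting before `open_files ()`, or state in the login.defs comment for USERDEL_PRECMD that the hook's exit status is ignored. The same applies to the USERDEL_CMD and USERDEL_POSTCMD calls in the later hunks.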
