Date: Sunday, October 16, 2022 @ 19:01:36 Author: dvzrv Revision: 458265
Apply a patch on top of upstream's login.def instead of providing a file. Historically, Arch Linux has provided login.defs as a separate file, but this proved problematic, as new default options are missing (https://bugs.archlinux.org/task/68741) and it became unclear which parts had been changed (or omitted) for what reason (https://bugs.archlinux.org/task/69933). The patch comments all options not available due to the use of util-linux and adds the distributions current defaults. Added: shadow/trunk/shadow-4.11.1-login.defs.patch Modified: shadow/trunk/PKGBUILD Deleted: shadow/trunk/login.defs --------------------------------+ PKGBUILD | 18 +-- login.defs | 208 --------------------------------------- shadow-4.11.1-login.defs.patch | 205 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 215 insertions(+), 216 deletions(-) Modified: PKGBUILD =================================================================== --- PKGBUILD 2022-10-16 18:30:22 UTC (rev 458264) +++ PKGBUILD 2022-10-16 19:01:36 UTC (rev 458265) @@ -30,11 +30,11 @@ chgpasswd chpasswd defaults.pam - login.defs newusers passwd shadow.{timer,service} useradd.defaults + $pkgname-4.11.1-login.defs.patch ) sha512sums=('12fbe4d6ac929ad3c21525ed0f1026b5b678ccec9762f2ec7e611d9c180934def506325f2835fb750dd30af035b592f827ff151cd6e4c805aaaf8e01425c279f' 'SKIP' 
@@ -41,25 +41,30 @@ 'aef316f283a0ba0387afd5bd049b20d748dcfe8aebc5f5ea1ce1308167d6a578ae7d0007a5ed4d9862de7d377851edd2c8771e1fb1076262468078c2c76e42fc' 'dc75dfeafa901f9988176b82ef9db5d927dfe687a72ca36ca13ba3e7ac1b0c8055db1104373f2a7ac463e156f079cbc1f0a9f5e6e16b9f74153eb63dcb8f96df' '41c856d893c4157b158d79341fe2b1892be463e17f7a007f1c17397b5625c1d2d5671bc0b37879064ae715a918fb9b05c32d18d1aaa64284cddd8ecbda9b2434' - 'edc3becca531dfa791fbeace4ae159e9d760689b979e8892c6eb60b93b12e1a88648ef23602d1ad3fd0ebcbed088bce5bed6eba4444cdb7165f91becce5856a1' 'dc75dfeafa901f9988176b82ef9db5d927dfe687a72ca36ca13ba3e7ac1b0c8055db1104373f2a7ac463e156f079cbc1f0a9f5e6e16b9f74153eb63dcb8f96df' '4fb7474ea9dedf86e4c65bf18f503a6d8c00d477a7c32be3cfdfd026bd62ef866d009c50e5a2dc2101bea332c5697bc1e0d55225f39c83252860f5b9b7461aeb' 'e4edf705dd04e088c6b561713eaa1afeb92f42ac13722bff037aede6ac5ad7d4d00828cfb677f7b1ff048db8b6788238c1ab6a71dfcfd3e02ef6cb78ae09a621' '67a49415f676a443f81021bfa29d198462008da1224086f8c549b19c2fd21514ca3302d5ac23edec28b9c724fef921596586423ebe41e852ebfbe7216af727e6' - 'b681401895de553674cfc7f51809565db03cb4351f85b492460d09abfd703e73c41ba1dfd708964e0f6ea356dc9c929818c62e7d740d55fb795a2e9b7de271fc') + 'b681401895de553674cfc7f51809565db03cb4351f85b492460d09abfd703e73c41ba1dfd708964e0f6ea356dc9c929818c62e7d740d55fb795a2e9b7de271fc' + 'f718a788a79c38860fe2bce4e03ba3c356d5d90534e06170646f25cadc37fd6ccebf38729a1084b7448d69af8ca0047dc899f0a028362df219cf271dfada4a06') b2sums=('d459a1e0ffb342b6b455caf65e6af60b32eee72d4a9b1ab126485fb4632503a42061d3f0b960554c8155af6dc0564c585335b27aecca6538b394a0d58d927588' 'SKIP' '31e74eebedf8cb6e5ade36096b4399892d7091b9dce4645fde591f64802dc8befd73ae8019e78f8d326a605b224c7828694d21788bd6073db43c41cf5a9c2805' '1518839dbfe12f2f55190976de808515f93eb8c06f1570f02780a5ce8c237e0be43aa7cd0fbbe4c88af1f641586e4d3cf122896d97c7594ef72991e1801ee666' 
'5fde901d7d29995523cf261de973cc053265f37cf8fecc5511ccfff35a6ef4308f8cf36dc94e37c8b7604694ffa6ab87331c9b533b3538c6f7d7d911c9f94d19' - 'db8e794f6b55e00acebeb89a57e4b40facba8d0c039b5d9bcd6ff58a9e44639cffe826c6fb23744fd3c52de3c5b4a7a5ac28917d552980fb8a6d9f347f2a4028' '1518839dbfe12f2f55190976de808515f93eb8c06f1570f02780a5ce8c237e0be43aa7cd0fbbe4c88af1f641586e4d3cf122896d97c7594ef72991e1801ee666' '5b4e20609d38dcec82eae66acdfb7d45288574e7bf9684fa0f66bc0fb1c45cd78ee503d04a5084e28755fb7a1c6cea95854c93b33d76ab20964f45420c68403c' '5cfc936555aa2b2e15f8830ff83764dad6e11a80e2a102c5f2bd3b7c83db22a5457a3afdd182e3648c9d7d5bca90fa550f59576d0ac47a11a31dfb636cb18f2b' '4a9cb6fe6658f2182655d42761d9d669654c6f0e891610e1b7fd256ce32a561f05e71daf8e473d98f16f5ee9d16d46a097a2d0de42eac58b4ce3be1525a74856' - '75738ba7705fe4f8c22d07bff738a5c2c3bc0fd44d9aaca170cb4e6e7bb3f1e05f729f6decfaa4dec8a037e09fdea83b3500aaa8d6693fd4ae20d7fb0ede420e') + '75738ba7705fe4f8c22d07bff738a5c2c3bc0fd44d9aaca170cb4e6e7bb3f1e05f729f6decfaa4dec8a037e09fdea83b3500aaa8d6693fd4ae20d7fb0ede420e' + 'f386a0a84e33772f9d98f5ba9d2d97c4a904cff3a4ef52c223bc9c761c74d50bccb09833da185c09e0675bf3d04856e266f5578c0b250ef9c00f2cf1fcc03bd0') validpgpkeys=('66D0387DB85D320F8408166DB175CFA98F192AF2') # Serge Hallyn <ser...@kernel.org> +prepare() { + # comment options that are taken over by util-linux and apply defaults + patch -Np1 -d "$pkgname-$pkgver" -i ../$pkgname-4.11.1-login.defs.patch +} + build() { cd "$pkgname-$pkgver" 
@@ -103,9 +108,6 @@ install -vdm 755 "$pkgdir/usr/lib/systemd/system/timers.target.wants" ln -s ../shadow.timer "$pkgdir/usr/lib/systemd/system/timers.target.wants/shadow.timer" - # login.defs - install -vDm 644 "../login.defs" -t "$pkgdir/etc/" - # PAM config - custom rm "$pkgdir/etc/pam.d"/* install -vDm 644 ../{passwd,chgpasswd,chpasswd,newusers} -t "$pkgdir/etc/pam.d/" Deleted: login.defs =================================================================== --- login.defs 2022-10-16 18:30:22 UTC (rev 458264) +++ login.defs 2022-10-16 19:01:36 UTC (rev 458265) 
@@ -1,208 +0,0 @@
-#
-# /etc/login.defs - Configuration control definitions for the login package.
-#
-# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH.
-# If unspecified, some arbitrary (and possibly incorrect) value will
-# be assumed. All other items are optional - if not specified then
-# the described action or option will be inhibited.
-#
-# Comment lines (lines beginning with "#") and blank lines are ignored.
-#
-# Modified for Linux. --marekm
-
-#
-# Delay in seconds before being allowed another attempt after a login failure
-#
-FAIL_DELAY 3
-
-#
-# Enable display of unknown usernames when login failures are recorded.
-#
-LOG_UNKFAIL_ENAB no
-
-#
-# Enable logging of successful logins
-#
-LOG_OK_LOGINS no
-
-#
-# Enable "syslog" logging of su activity - in addition to sulog file logging.
-# SYSLOG_SG_ENAB does the same for newgrp and sg.
-#
-SYSLOG_SU_ENAB yes
-SYSLOG_SG_ENAB yes
-
-#
-# If defined, either full pathname of a file containing device names or
-# a ":" delimited list of device names. Root logins will be allowed only
-# upon these devices.
-#
-CONSOLE /etc/securetty
-#CONSOLE console:tty01:tty02:tty03:tty04
-
-#
-# If defined, all su activity is logged to this file.
-#
-#SULOG_FILE /var/log/sulog
-
-#
-# If defined, file which maps tty line to TERM environment parameter.
-# Each line of the file is in a format something like "vt100 tty01".
-#
-#TTYTYPE_FILE /etc/ttytype
-
-#
-# If defined, the command name to display when running "su -". For
-# example, if this is defined as "su" then a "ps" will display the
-# command is "-su". If not defined, then "ps" would display the
-# name of the shell actually being run, e.g. something like "-sh".
-#
-SU_NAME su
-
-#
-# *REQUIRED*
-# Directory where mailboxes reside, _or_ name of file, relative to the
-# home directory. If you _do_ define both, MAIL_DIR takes precedence.
-# QMAIL_DIR is for Qmail
-#
-#QMAIL_DIR Maildir
-MAIL_DIR /var/spool/mail
-
-#
-# If defined, file which inhibits all the usual chatter during the login
-# sequence. If a full pathname, then hushed mode will be enabled if the
-# user's name or shell are found in the file. If not a full pathname, then
-# hushed mode will be enabled if the file exists in the user's home directory.
-#
-HUSHLOGIN_FILE .hushlogin
-#HUSHLOGIN_FILE /etc/hushlogins
-
-#
-# *REQUIRED* The default PATH settings, for superuser and normal users.
-#
-# (they are minimal, add the rest in the shell startup files)
-ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
-ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
-
-#
-# Terminal permissions
-#
-# TTYGROUP Login tty will be assigned this group ownership.
-# TTYPERM Login tty will be set to this permission.
-#
-# If you have a "write" program which is "setgid" to a special group
-# which owns the terminals, define TTYGROUP to the group number and
-# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
-# TTYPERM to either 622 or 600.
-#
-TTYGROUP tty
-TTYPERM 0600
-
-#
-# Login configuration initializations:
-#
-# ERASECHAR Terminal ERASE character ('\010' = backspace).
-# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
-# UMASK Default "umask" value.
-#
-# The ERASECHAR and KILLCHAR are used only on System V machines.
-# The ULIMIT is used only if the system supports it.
-# (now it works with setrlimit too; ulimit is in 512-byte units)
-#
-# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
-#
-ERASECHAR 0177
-KILLCHAR 025
-UMASK 077
-
-#
-# Password aging controls:
-#
-# PASS_MAX_DAYS Maximum number of days a password may be used.
-# PASS_MIN_DAYS Minimum number of days allowed between password changes.
-# PASS_WARN_AGE Number of days warning given before a password expires.
-#
-PASS_MAX_DAYS 99999
-PASS_MIN_DAYS 0
-PASS_WARN_AGE 7
-
-#
-# Min/max values for automatic uid selection in useradd
-#
-UID_MIN 1000
-UID_MAX 60000
-# System accounts
-SYS_UID_MIN 500
-SYS_UID_MAX 999
-
-#
-# Min/max values for automatic gid selection in groupadd
-#
-GID_MIN 1000
-GID_MAX 60000
-# System accounts
-SYS_GID_MIN 500
-SYS_GID_MAX 999
-
-#
-# Max number of login retries if password is bad
-#
-LOGIN_RETRIES 5
-
-#
-# Max time in seconds for login
-#
-LOGIN_TIMEOUT 60
-
-#
-# Which fields may be changed by regular users using chfn - use
-# any combination of letters "frwh" (full name, room number, work
-# phone, home phone). If not defined, no changes are allowed.
-# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
-#
-CHFN_RESTRICT rwh
-
-#
-# List of groups to add to the user's supplementary group set
-# when logging in on the console (as determined by the CONSOLE
-# setting). Default is none.
-#
-# Use with caution - it is possible for users to gain permanent
-# access to these groups, even when not logged in on the console.
-# How to do it is left as an exercise for the reader...
-#
-#CONSOLE_GROUPS floppy:audio:cdrom
-
-#
-# Should login be allowed if we can't cd to the home directory?
-# Default in no.
-#
-DEFAULT_HOME yes
-
-#
-# If defined, this command is run when removing a user.
-# It should remove any at/cron/print jobs etc. owned by
-# the user to be removed (passed as the first argument).
-#
-#USERDEL_CMD /usr/sbin/userdel_local
-
-#
-# Enable setting of the umask group bits to be the same as owner bits
-# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
-# the same as gid, and username is the same as the primary group name.
-#
-# This also enables userdel to remove user groups if no members exist.
-#
-USERGROUPS_ENAB yes
-
-#
-# Controls display of the motd file. This is better handled by pam_motd.so
-# so the declaration here is empty is suppress display by readers of this
-# file.
-#
-MOTD_FILE
-
-#
-# Hash shadow passwords with SHA512.
-#
-ENCRYPT_METHOD SHA512
Added: shadow-4.11.1-login.defs.patch
===================================================================
--- shadow-4.11.1-login.defs.patch (rev 0)
+++ shadow-4.11.1-login.defs.patch 2022-10-16 19:01:36 UTC (rev 458265)
@@ -0,0 +1,205 @@
+diff --git i/etc/login.defs w/etc/login.defs
+index 114dbcd9..0496c56c 100644
+--- i/etc/login.defs
++++ w/etc/login.defs
+@@ -3,6 +3,8 @@
+ #
+ # $Id$
+ #
++# This file is adapted for the use on Arch Linux.
++# Options overlapping with tooling from util-linux are commented.
+
+ #
+ # Delay in seconds before being allowed another attempt after a login failure
+@@ -14,7 +16,7 @@ FAIL_DELAY 3
+ #
+ # Enable logging and display of /var/log/faillog login(1) failure info.
+ #
+-FAILLOG_ENAB yes
++# FAILLOG_ENAB yes
+
+ #
+ # Enable display of unknown usernames when login(1) failures are recorded.
+@@ -24,12 +26,12 @@ LOG_UNKFAIL_ENAB no
+ #
+ # Enable logging of successful logins
+ #
+-LOG_OK_LOGINS no
++# LOG_OK_LOGINS no
+
+ #
+ # Enable logging and display of /var/log/lastlog login(1) time info.
+ #
+-LASTLOG_ENAB yes
++# LASTLOG_ENAB yes
+
+ #
+ # Limit the highest user ID number for which the lastlog entries should
+@@ -46,22 +48,22 @@ LASTLOG_ENAB yes
+ # Disable if the shell startup files already check for mail
+ # ("mailx -e" or equivalent).
+ #
+-MAIL_CHECK_ENAB yes
++# MAIL_CHECK_ENAB yes
+
+ #
+ # Enable additional checks upon password changes.
+ #
+-OBSCURE_CHECKS_ENAB yes
++# OBSCURE_CHECKS_ENAB yes
+
+ #
+ # Enable checking of time restrictions specified in /etc/porttime.
+ #
+-PORTTIME_CHECKS_ENAB yes
++# PORTTIME_CHECKS_ENAB yes
+
+ #
+ # Enable setting of ulimit, umask, and niceness from passwd(5) gecos field.
+ #
+-QUOTAS_ENAB yes
++# QUOTAS_ENAB yes
+
+ #
+ # Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
+@@ -87,7 +89,7 @@ CONSOLE /etc/securetty
+ # If defined, ":" delimited list of "message of the day" files to
+ # be displayed upon login.
+ #
+-MOTD_FILE /etc/motd
++MOTD_FILE
+ #MOTD_FILE /etc/motd:/usr/lib/news/news-motd
+
+ #
+@@ -105,14 +107,14 @@ MOTD_FILE /etc/motd
+ # If defined, login(1) failures will be logged here in a utmp format.
+ # last(1), when invoked as lastb(1), will read /var/log/btmp, so...
+ #
+-FTMP_FILE /var/log/btmp
++# FTMP_FILE /var/log/btmp
+
+ #
+ # If defined, name of file whose presence will inhibit non-root
+ # logins. The content of this file should be a message indicating
+ # why logins are inhibited.
+ #
+-NOLOGINS_FILE /etc/nologin
++# NOLOGINS_FILE /etc/nologin
+
+ #
+ # If defined, the command name to display when running "su -". For
+@@ -120,7 +122,7 @@ NOLOGINS_FILE /etc/nologin
+ # command as "-su". If not defined, then ps(1) will display the
+ # name of the shell actually being run, e.g. something like "-sh".
+ #
+-SU_NAME su
++# SU_NAME su
+
+ #
+ # *REQUIRED*
+@@ -150,7 +152,7 @@ HUSHLOGIN_FILE .hushlogin
+ # If defined, an HZ environment parameter spec.
+ #
+ # for Linux/x86
+-ENV_HZ HZ=100
++# ENV_HZ HZ=100
+ # For Linux/Alpha...
+ #ENV_HZ HZ=1024
+
+@@ -158,8 +160,8 @@ ENV_HZ HZ=100
+ # *REQUIRED* The default PATH settings, for superuser and normal users.
+ #
+ # (they are minimal, add the rest in the shell startup files)
+-ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
+-ENV_PATH PATH=/bin:/usr/bin
++ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
++ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
+
+ #
+ # Terminal permissions
+@@ -188,8 +190,8 @@ TTYPERM 0600
+ #
+ # Prefix these values with "0" to get octal, "0x" to get hexadecimal.
+ #
+-ERASECHAR 0177
+-KILLCHAR 025
++# ERASECHAR 0177
++# KILLCHAR 025
+ #ULIMIT 2097152
+
+ # Default initial "umask" value used by login(1) on non-PAM enabled systems.
+@@ -225,12 +227,12 @@ PASS_WARN_AGE 7
+ # to uid 0 accounts. If the group doesn't exist or is empty, no one
+ # will be able to "su" to uid 0.
+ #
+-SU_WHEEL_ONLY no
++# SU_WHEEL_ONLY no
+
+ #
+ # If compiled with cracklib support, sets the path to the dictionaries
+ #
+-CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
++# CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
+
+ #
+ # Min/max values for automatic uid selection in useradd(8)
+@@ -238,7 +240,7 @@ CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
+ UID_MIN 1000
+ UID_MAX 60000
+ # System accounts
+-SYS_UID_MIN 101
++SYS_UID_MIN 500
+ SYS_UID_MAX 999
+ # Extra per user uids
+ SUB_UID_MIN 100000
+@@ -251,7 +253,7 @@ SUB_UID_COUNT 65536
+ GID_MIN 1000
+ GID_MAX 60000
+ # System accounts
+-SYS_GID_MIN 101
++SYS_GID_MIN 500
+ SYS_GID_MAX 999
+ # Extra per user group ids
+ SUB_GID_MIN 100000
+@@ -271,12 +273,12 @@ LOGIN_TIMEOUT 60
+ #
+ # Maximum number of attempts to change password if rejected (too easy)
+ #
+-PASS_CHANGE_TRIES 5
++# PASS_CHANGE_TRIES 5
+
+ #
+ # Warn about weak passwords (but still allow them) if you are root.
+ #
+-PASS_ALWAYS_WARN yes
++# PASS_ALWAYS_WARN yes
+
+ #
+ # Number of significant characters in the password for crypt().
+@@ -288,7 +290,7 @@ PASS_ALWAYS_WARN yes
+ #
+ # Require password before chfn(1)/chsh(1) can make any changes.
+ #
+-CHFN_AUTH yes
++# CHFN_AUTH yes
+
+ #
+ # Which fields may be changed by regular users using chfn(1) - use
+@@ -334,7 +336,7 @@ CHFN_RESTRICT rwh
+ # Note: If you use PAM, it is recommended to use a value consistent with
+ # the PAM modules configuration.
+ #
+-#ENCRYPT_METHOD DES
++ENCRYPT_METHOD SHA512
+
+ #
+ # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
+@@ -410,7 +412,7 @@ NONEXISTENT /nonexistent
+ # If this file exists and is readable, login environment will be
+ # read from it. Every line should be in the form name=value.
+ #
+-ENVIRON_FILE /etc/environment
++# ENVIRON_FILE /etc/environment
+
+ #
+ # If defined, this command is run when removing a user.
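Review bot: `UMASK` is not touched by any hunk of this patch, although the removed Arch `login.defs` set `UMASK 077`; the `@@ -188,8 +190,8 @@` hunk stops at the comment line just above it, so the package now ships whatever value upstream's `etc/login.defs` carries (not visible on this page). If that value is more permissive, the login umask and, as far as I know, the mode useradd gives new home directories when `HOME_MODE` is unset would loosen silently, which contradicts the description's claim that the patch keeps the distribution's current defaults. I would add a hunk that sets `UMASK 077` explicitly, or say in the commit message that the change is intended. The same comparison is worth doing for `DEFAULT_HOME yes` and `USERGROUPS_ENAB yes`, which the old file set and this patch also leaves to upstream. Separately, the new header comment could state that the commented options are ignored by the installed tools even if uncommented and name where the equivalent control lives, so that nobody sets e.g. `SU_WHEEL_ONLY yes` here and assumes su is restricted.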