Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package account-utils for openSUSE:Factory checked in at 2026-01-13 21:26:55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/account-utils (Old) and /work/SRC/openSUSE:Factory/.account-utils.new.1928 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "account-utils"
Tue Jan 13 21:26:55 2026 rev:2 rq:1326796 version:1.0+git20260112.87262b5
Changes:
--------
--- /work/SRC/openSUSE:Factory/account-utils/account-utils.changes 2025-12-17 17:44:13.475465206 +0100
+++ /work/SRC/openSUSE:Factory/.account-utils.new.1928/account-utils.changes 2026-01-13 21:27:25.662269249 +0100
@@ -1,0 +2,8 @@
+Mon Jan 12 14:43:26 UTC 2026 - Thorsten Kukuk <[email protected]>
+
+- Update to version 1.0+git20260112.87262b5:
+ * Add pwaccessd and pwupdd manual pages
+ * check_caller_perms: rework function description
+ * map_range.h: add missing stdint include
+
+-------------------------------------------------------------------
Old:
----
account-utils-1.0+git20251216.774fa6e.tar.xz
New:
----
account-utils-1.0+git20260112.87262b5.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ account-utils.spec ++++++
--- /var/tmp/diff_new_pack.C04tzA/_old 2026-01-13 21:27:29.362421967 +0100
+++ /var/tmp/diff_new_pack.C04tzA/_new 2026-01-13 21:27:29.374422463 +0100
@@ -17,7 +17,7 @@
 %define lname libpwaccess0
 Name: account-utils
-Version: 1.0+git20251216.774fa6e
+Version: 1.0+git20260112.87262b5
 Release: 0
 Summary: Service for authentication and account management
 License: GPL-2.0-or-later AND BSD-2-Clause AND LGPL-2.1-or-later
@@ -147,6 +147,8 @@
 %{_mandir}/man1/passwd.1%{?ext_man}
 %{_mandir}/man8/pam_debuginfo.8%{?ext_man}
 %{_mandir}/man8/pam_unix_ng.8%{?ext_man}
+%{_mandir}/man8/pwaccessd.8%{?ext_man}
+%{_mandir}/man8/pwupdd.8%{?ext_man}
 %{_datadir}/permissions/permissions.d/account-utils
 %files -n %{lname}
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.C04tzA/_old 2026-01-13 21:27:29.682435173 +0100
+++ /var/tmp/diff_new_pack.C04tzA/_new 2026-01-13 21:27:29.714436493 +0100
@@ -1,6 +1,6 @@
 <servicedata> <service name="tar_scm"> <param name="url">https://github.com/thkukuk/account-utils.git</param>
-<param name="changesrevision">774fa6e933bd4a6d4c231578d28bdd719399ccc7</param></service></servicedata>
+<param name="changesrevision">87262b535050421fb237334df0614c6e72105287</param></service></servicedata>
(No newline at EOF)
++++++ account-utils-1.0+git20251216.774fa6e.tar.xz -> account-utils-1.0+git20260112.87262b5.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/account-utils-1.0+git20251216.774fa6e/libcommon/check_caller_perms.c new/account-utils-1.0+git20260112.87262b5/libcommon/check_caller_perms.c
--- old/account-utils-1.0+git20251216.774fa6e/libcommon/check_caller_perms.c 2025-12-16 16:38:59.000000000 +0100
+++ new/account-utils-1.0+git20260112.87262b5/libcommon/check_caller_perms.c 2026-01-12 15:25:38.000000000 +0100
@@ -6,11 +6,12 @@
 #include "check_caller_perms.h"
-/* Don't allow access if query does not come from root
- and the result is not the one of the calling user.
- Exception: if the peer uid is in the list of exceptions.
- "Lex mariadb": user mysql/mariadb needs to authenticate other
- users to allow access to the database. */
+/* Do not allow access if the query does not originate from root
+ or the entry does not belong to the calling user.
+ Exception: if the peer uid is in the list of exceptions.
+ "Lex mariadb": user mysql/mariadb needs to authenticate as
+ database user so that the database user can get access to the
+ database. */
 bool check_caller_perms(uid_t peer_uid, uid_t target_uid, uid_t *allowed) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/account-utils-1.0+git20251216.774fa6e/man/meson.build new/account-utils-1.0+git20260112.87262b5/man/meson.build
--- old/account-utils-1.0+git20251216.774fa6e/man/meson.build 2025-12-16 16:38:59.000000000 +0100
+++ new/account-utils-1.0+git20260112.87262b5/man/meson.build 2026-01-12 15:25:38.000000000 +0100
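Review bot: The reworked comment above check_caller_perms joins the two deny conditions with "or" ("does not originate from root or the entry does not belong to the calling user"), which read literally denies root every entry but its own and denies every non-root caller. The removed wording used "and", and the pwaccessd manual page added in this same update says root can read all accounts while other users can read only their own, so the new text appears to invert the documented rule. Because this comment describes an authorization check, state it in the positive form, for example `/* Allow access only if the caller is root, the entry belongs to the calling user, or the peer uid is in the list of exceptions. */`. The comment also does not say how the `allowed` list is terminated or whether it may be NULL; the function body lies outside the hunk, so that should be confirmed there and documented.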
@@ -57,4 +57,16 @@
 command : xslt_cmd + [custom_man_xsl, '@INPUT@'],
 install : want_man,
 install_dir : mandir8)
+custom_target('pwaccessd.8',
+ input : 'pwaccessd.8.xml',
+ output : 'pwaccessd.8',
+ command : xslt_cmd + [custom_man_xsl, '@INPUT@'],
+ install : want_man,
+ install_dir : mandir8)
+custom_target('pwupdd.8',
+ input : 'pwupdd.8.xml',
+ output : 'pwupdd.8',
+ command : xslt_cmd + [custom_man_xsl, '@INPUT@'],
+ install : want_man,
+ install_dir : mandir8)
 endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/account-utils-1.0+git20251216.774fa6e/man/pwaccessd.8.xml new/account-utils-1.0+git20260112.87262b5/man/pwaccessd.8.xml
--- old/account-utils-1.0+git20251216.774fa6e/man/pwaccessd.8.xml 1970-01-01 01:00:00.000000000 +0100
+++ new/account-utils-1.0+git20260112.87262b5/man/pwaccessd.8.xml 2026-01-12 15:25:38.000000000 +0100
@@ -0,0 +1,194 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pwaccessd">
+ <refmeta>
+ <refentrytitle>pwaccessd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="source">account-utils %version%</refmiscinfo>
+ <refmiscinfo class="manual">pwaccessd</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname>pwaccessd</refname>
+ <refname>pwaccessd.service</refname>
+ <refname>pwaccessd.socket</refname>
+ <refpurpose>manage passwd and shadow information</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>pwaccessd.service</command>
+ </cmdsynopsis>
+ <cmdsynopsis>
+ <command>pwaccessd.socket</command>
+ </cmdsynopsis>
+ <cmdsynopsis>
+ <command>/usr/libexec/pwaccessd</command>
+ <arg choice="opt">OPTIONS</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>Description</title>
+ <para>
+ <command>pwaccessd</command> is a <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry> socket-activated service
+ which provides account information in <structname>struct passwd</structname> and <structname>struct shadow</structname> format.
+ It is capable of checking if a password or account has expired and verifies passwords.
+ </para>
+ <para>
+ By default, normal users only have access to their own <filename>passwd</filename> and <filename>shadow</filename> entries.
+ The <systemitem class="username">root</systemitem> user has access to all accounts.
+ Specific users can be granted extended access via configuration.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>Options</title>
+ <variablelist>
+ <varlistentry>
+ <term><option>-s</option></term>
+ <term><option>--socket</option></term>
+ <listitem>
+ <para>Activation through socket. This is the standard mode when running under systemd.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-d</option></term>
+ <term><option>--debug</option></term>
+ <listitem>
+ <para>Enable debug mode.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-v</option></term>
+ <term><option>--verbose</option></term>
+ <listitem>
+ <para>Enable verbose logging.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-?</option></term>
+ <term><option>--help</option></term>
+ <listitem>
+ <para>Give the help list.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--version</option></term>
+ <listitem>
+ <para>Print program version.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>Varlink Interfaces</title>
+ <para>
+ The <command>pwaccessd</command> daemon exposes the following functionality via Varlink interfaces:
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term><function>GetAccountName</function></term>
+ <listitem>
+ <para>Provides the user name corresponding to a given UID.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><function>GetUserRecord</function></term>
+ <listitem>
+ <para>Provides the <structname>passwd</structname> and <structname>shadow</structname> entry for a given UID or account name.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><function>GetGroupRecord</function></term>
+ <listitem>
+ <para>Provides the group entry for a given GID or group name.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><function>VerifyPassword</function></term>
+ <listitem>
+ <para>Validates a password for a specific user.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><function>ExpiredCheck</function></term>
+ <listitem>
+ <para>Checks if a user account or password is expired.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>Configuration</title>
+ <para>
+ <command>pwaccessd</command> reads its configuration from <filename>pwaccessd.conf</filename>.
+ It follows the UAPI Configuration Files Specification, meaning it searches for configuration files in directories such as
+ <filename>/usr/share/account-utils/</filename>, <filename>/run/account-utils/</filename>, and <filename>/etc/account-utils/</filename>.
+ Files in <filename>/etc/account-utils/</filename> take precedence.
+ </para>
+ <para>
+ The configuration format is INI-style. The primary configuration key is <varname>allow</varname>.
+ This key accepts a list of user accounts that are allowed to read all passwd and shadow entries, in addition to root.
+ </para>
+ <para>
+ The <varname>allow</varname> key can be defined within specific sections (groups) corresponding to the Varlink interface methods:
+ </para>
+ <itemizedlist>
+ <listitem><para><literal>[GetUserRecord]</literal></para></listitem>
+ <listitem><para><literal>[VerifyPassword]</literal></para></listitem>
+ <listitem><para><literal>[ExpiredCheck]</literal></para></listitem>
+ </itemizedlist>
+ <para>
+ If the key is not found in the specific section, <command>pwaccessd</command> will fall back to looking in the <literal>[global]</literal> section.
+ </para>
+
+ <example>
+ <title>Example pwaccessd.conf</title>
+ <programlisting>
+[global]
+# Allow user 'admin' to perform all actions
+allow = admin
+
+[VerifyPassword]
+# Allow 'auth-service' to verify passwords, overriding global
+allow = auth-service
+ </programlisting>
+ </example>
+ </refsect1>
+
+ <refsect1>
+ <title>Files</title>
+ <variablelist>
+ <varlistentry>
+ <term><filename>/usr/libexec/pwaccessd</filename></term>
+ <listitem>
+ <para>The daemon binary.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><filename>/etc/account-utils/pwaccessd.conf</filename></term>
+ <listitem>
+ <para>The main configuration file.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>See Also</title>
+ <para>
+ <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>expiry</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>passwd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam_unix_ng</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+</refentry>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/account-utils-1.0+git20251216.774fa6e/man/pwupdd.8.xml new/account-utils-1.0+git20260112.87262b5/man/pwupdd.8.xml
--- old/account-utils-1.0+git20251216.774fa6e/man/pwupdd.8.xml 1970-01-01 01:00:00.000000000 +0100
+++ new/account-utils-1.0+git20260112.87262b5/man/pwupdd.8.xml 2026-01-12 15:25:38.000000000 +0100
@@ -0,0 +1,138 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pwupdd" xml:lang="en">
+ <refmeta>
+ <refentrytitle>pwupdd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="source">account-utils %version%</refmiscinfo>
+ <refmiscinfo class="manual">pwupdd</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname>pwupdd</refname>
+ <refname>pwupdd.service</refname>
+ <refname>pwupdd.socket</refname>
+ <refpurpose>update passwd and shadow entries</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>pwupdd.service</command>
+ </cmdsynopsis>
+ <cmdsynopsis>
+ <command>pwupdd.socket</command>
+ </cmdsynopsis>
+ <cmdsynopsis>
+ <command>/usr/libexec/pwupdd</command>
+ <arg choice="opt" rep="repeat">OPTIONS</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>Description</title>
+ <para>
+ <command>pwupdd</command> is an <citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry> style
+ socket-activated service. A new instance of the daemon is started for every incoming request.
+ </para>
+ <para>
+ It exposes a Varlink interface to allow authorized users to modify their own account data, including passwords,
+ login shells, and GECOS field information. Authentication is handled via <citerefentry><refentrytitle>PAM</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
+ Additionally, the root user can utilize specific methods to update any <filename>/etc/passwd</filename> or
+ <filename>/etc/shadow</filename> entry.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>Options</title>
+ <variablelist>
+ <varlistentry>
+ <term><option>-d</option>, <option>--debug</option></term>
+ <listitem>
+ <para>Enable debug mode.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-v</option>, <option>--verbose</option></term>
+ <listitem>
+ <para>Enable verbose logging.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-?</option>, <option>--help</option></term>
+ <listitem>
+ <para>Give the help list.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--version</option></term>
+ <listitem>
+ <para>Print program version.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>Varlink Interfaces</title>
+ <para>
+ The service exposes the following methods via Varlink:
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term><function>Chauthtok</function></term>
+ <listitem>
+ <para>
+ Changes the password for a provided user. Authentication is performed via PAM using the
+ configuration <filename>pwupd-passwd</filename>. This method may be called by the root user
+ or the user owning the record.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><function>Chfn</function></term>
+ <listitem>
+ <para>
+ Changes the finger (GECOS) information of a user. Authentication is performed via PAM using the
+ configuration <filename>pwupd-chfn</filename>. This method may be called by the root user
+ or the user owning the record.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><function>Chsh</function></term>
+ <listitem>
+ <para>
+ Changes the login shell of an account. Authentication is performed via PAM using the
+ configuration <filename>pwupd-chsh</filename>. This method may be called by the root user
+ or the user owning the record.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><function>UpdatePasswdShadow</function></term>
+ <listitem>
+ <para>
+ Updates the <filename>passwd</filename> and <filename>shadow</filename> entry of a specified user.
+ <emphasis role="bold">Only root is allowed to call this method.</emphasis>
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>See Also</title>
+ <para>
+ <citerefentry><refentrytitle>passwd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>chfn</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>chsh</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+</refentry>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/account-utils-1.0+git20251216.774fa6e/src/map_range.h new/account-utils-1.0+git20260112.87262b5/src/map_range.h
--- old/account-utils-1.0+git20251216.774fa6e/src/map_range.h 2025-12-16 16:38:59.000000000 +0100
+++ new/account-utils-1.0+git20260112.87262b5/src/map_range.h 2026-01-12 15:25:38.000000000 +0100
@@ -2,6 +2,8 @@
 #pragma once
+#include <stdint.h>
+
 struct map_range {
 int64_t upper; /* first ID inside the namespace */
 int64_t lower; /* first ID outside the namespace */
