commit:     c7da130a443ab9811b242ae2cbf8259cb85d43b1
Author:     Michael Weiser <michael.weiser <AT> gmx <DOT> de>
AuthorDate: Tue Dec 17 19:02:40 2019 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Sun Jan 19 01:00:17 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7da130a

sys-apps/shadow: Revbump to fix up PAM configuration

shadow includes a number of administrative account management binaries
like useradd, chage and chpasswd, traditionally only usable by root.
In shadow they can be compiled with PAM support and installed setuid.
PAM configuration can then be used to delegate account management to
users other than root.

The previous config contained the pam_rootok module to provide default
behaviour of allowing account management when called as root. But it
also contained pam_permit which would allow everyone else to also do
account management without any authentication.

To close this loophole we remove pam_permit from the config. Also,
chpasswd, chgpasswd and newusers are batch-mode mass-change tools meant
for scripting. They only contain PAM support if configure flag
--enable-account-tools-setuid is in effect and are then installed setuid
root. They should use the same restrictive PAM configuration as their
siblings.  But with setuid user management tools and PAM support within
them disabled by commit f569e607 we can stop installing the
configuration files as well.

chfn and chsh are intended to be called by the user as self-service
tools. For this reason they're always installed setuid root and contain
PAM support. They should be allowed to work but maybe not without some
prior authentication to avoid attacks such as someone finding an
unlocked session and using chfn to redirect phone calls intended for the
user to himself. The existing passwd config seems perfect for that and
is aptly named in that both tools change user information normally
stored in /etc/passwd.

groupmems is another user self-service tool. It allows the user to add
people to their user-private group, allowing them trusted access to
normally private files. It is not installed setuid like chfn and chsh
but always contains PAM support. Upstream installs a locked down PAM
config by default.

Since default shell profiles on Gentoo do not change umask to 0002 when
a private user group is in use, impact will only be to allow read access
to those additional users by default.

Since the idea of adding more users to the user *private* group is
questionable, go with upstream's default of locking the PAM config down
so that an admin not only needs to make the binary suid but also adjust
the PAM config, in the process hopefully considering what they're doing.

Bug: https://bugs.gentoo.org/702252
Closes: https://github.com/gentoo/gentoo/pull/14032
Reviewed-by: Mikle Kolyada <zlogene <AT> gentoo.org>
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>

 sys-apps/shadow/files/pam.d-include/shadow-r1 |   7 +
 sys-apps/shadow/shadow-4.8-r3.ebuild          | 233 ++++++++++++++++++++++++++
 2 files changed, 240 insertions(+)

diff --git a/sys-apps/shadow/files/pam.d-include/shadow-r1 
b/sys-apps/shadow/files/pam.d-include/shadow-r1
new file mode 100644
index 00000000000..e42e8493ffe
--- /dev/null
+++ b/sys-apps/shadow/files/pam.d-include/shadow-r1
@@ -0,0 +1,7 @@
+#%PAM-1.0
+
+auth       sufficient  pam_rootok.so
+
+account    include             system-auth
+
+password   required            pam_permit.so
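Review bot: The new file carries no comment stating its intent: `auth       sufficient  pam_rootok.so` is the only auth entry, so a non-root caller of groupmems is denied outright, which is the lock-down the commit message describes but is not evident from the seven lines themselves. Suggest a comment right after `#%PAM-1.0`, e.g. `# Only root may use groupmems. To delegate to users, add auth entries here and make the binary setuid.` The `password   required            pam_permit.so` stack is presumably present only for completeness, since groupmems does not change passwords; a one-line comment saying so would save the next reader a question.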

diff --git a/sys-apps/shadow/shadow-4.8-r3.ebuild 
b/sys-apps/shadow/shadow-4.8-r3.ebuild
new file mode 100644
index 00000000000..ce51a62e4d9
--- /dev/null
+++ b/sys-apps/shadow/shadow-4.8-r3.ebuild
@@ -0,0 +1,233 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit autotools libtool pam
+
+DESCRIPTION="Utilities to deal with user accounts"
+HOMEPAGE="https://github.com/shadow-maint/shadow";
+SRC_URI="https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar.xz";
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv 
~s390 ~sh ~sparc ~x86"
+IUSE="acl audit bcrypt +cracklib nls pam selinux skey split-usr +su xattr"
+# Taken from the man/Makefile.am file.
+LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW )
+
+DEPEND="
+       acl? ( sys-apps/acl:0= )
+       audit? ( >=sys-process/audit-2.6:0= )
+       cracklib? ( >=sys-libs/cracklib-2.7-r3:0= )
+       nls? ( virtual/libintl )
+       pam? ( sys-libs/pam:0= )
+       skey? ( sys-auth/skey:0= )
+       selinux? (
+               >=sys-libs/libselinux-1.28:0=
+               sys-libs/libsemanage:0=
+       )
+       su? ( !sys-apps/util-linux[su] )
+       xattr? ( sys-apps/attr:0= )
+"
+BDEPEND="
+       app-arch/xz-utils
+       sys-devel/gettext
+"
+RDEPEND="
+       ${DEPEND}
+       pam? ( >=sys-auth/pambase-20150213 )
+"
+
+PATCHES=(
+       "${FILESDIR}/${PN}-4.1.3-dots-in-usernames.patch"
+       "${FILESDIR}/${P}-revert-bin-merge.patch"
+)
+
+src_prepare() {
+       default
+       eautoreconf
+       #elibtoolize
+}
+
+src_configure() {
+       local myeconfargs=(
+               --disable-account-tools-setuid
+               --enable-shared=no
+               --enable-static=yes
+               --with-btrfs
+               --without-group-name-max-length
+               --without-tcb
+               $(use_enable nls)
+               $(use_with acl)
+               $(use_with audit)
+               $(use_with bcrypt)
+               $(use_with cracklib libcrack)
+               $(use_with elibc_glibc nscd)
+               $(use_with pam libpam)
+               $(use_with selinux)
+               $(use_with skey)
+               $(use_with su)
+               $(use_with xattr attr)
+       )
+       econf "${myeconfargs[@]}"
+
+       has_version 'sys-libs/uclibc[-rpc]' && sed -i '/RLOGIN/d' config.h 
#425052
+
+       if use nls ; then
+               local l langs="po" # These are the pot files.
+               for l in ${LANGS[*]} ; do
+                       has ${l} ${LINGUAS-${l}} && langs+=" ${l}"
+               done
+               sed -i "/^SUBDIRS = /s:=.*:= ${langs}:" man/Makefile || die
+       fi
+}
+
+set_login_opt() {
+       local comment="" opt=$1 val=$2
+       if [[ -z ${val} ]]; then
+               comment="#"
+               sed -i \
+                       -e "/^${opt}\>/s:^:#:" \
+                       "${ED}"/etc/login.defs || die
+       else
+               sed -i -r \
+                       -e "/^#?${opt}\>/s:.*:${opt} ${val}:" \
+                       "${ED}"/etc/login.defs
+       fi
+       local res=$(grep "^${comment}${opt}\>" "${ED}"/etc/login.defs)
+       einfo "${res:-Unable to find ${opt} in /etc/login.defs}"
+}
+
+src_install() {
+       emake DESTDIR="${D}" suidperms=4711 install
+
+       # Remove libshadow and libmisc; see bug 37725 and the following
+       # comment from shadow's README.linux:
+       #   Currently, libshadow.a is for internal use only, so if you see
+       #   -lshadow in a Makefile of some other package, it is safe to
+       #   remove it.
+       rm -f "${ED}"/{,usr/}$(get_libdir)/lib{misc,shadow}.{a,la}
+
+       insinto /etc
+       if ! use pam ; then
+               insopts -m0600
+               doins etc/login.access etc/limits
+       fi
+
+       # needed for 'useradd -D'
+       insinto /etc/default
+       insopts -m0600
+       doins "${FILESDIR}"/default/useradd
+
+       if use split-usr ; then
+               # move passwd to / to help recover broke systems #64441
+               # We cannot simply remove this or else net-misc/scponly
+               # and other tools will break because of hardcoded passwd
+               # location
+               dodir /bin
+               mv "${ED}"/usr/bin/passwd "${ED}"/bin/ || die
+               dosym ../../bin/passwd /usr/bin/passwd
+       fi
+
+       cd "${S}" || die
+       insinto /etc
+       insopts -m0644
+       newins etc/login.defs login.defs
+
+       set_login_opt CREATE_HOME yes
+       if ! use pam ; then
+               set_login_opt MAIL_CHECK_ENAB no
+               set_login_opt SU_WHEEL_ONLY yes
+               set_login_opt CRACKLIB_DICTPATH /usr/$(get_libdir)/cracklib_dict
+               set_login_opt LOGIN_RETRIES 3
+               set_login_opt ENCRYPT_METHOD SHA512
+               set_login_opt CONSOLE
+       else
+               dopamd "${FILESDIR}"/pam.d-include/shadow
+
+               for x in chsh shfn ; do
+                       newpamd "${FILESDIR}"/pam.d-include/passwd ${x}
+               done
+
+               newpamd "${FILESDIR}"/pam.d-include/shadow-r1 groupmems
+
+               # comment out login.defs options that pam hates
+               local opt sed_args=()
+               for opt in \
+                       CHFN_AUTH \
+                       CONSOLE \
+                       CRACKLIB_DICTPATH \
+                       ENV_HZ \
+                       ENVIRON_FILE \
+                       FAILLOG_ENAB \
+                       FTMP_FILE \
+                       LASTLOG_ENAB \
+                       MAIL_CHECK_ENAB \
+                       MOTD_FILE \
+                       NOLOGINS_FILE \
+                       OBSCURE_CHECKS_ENAB \
+                       PASS_ALWAYS_WARN \
+                       PASS_CHANGE_TRIES \
+                       PASS_MIN_LEN \
+                       PORTTIME_CHECKS_ENAB \
+                       QUOTAS_ENAB \
+                       SU_WHEEL_ONLY
+               do
+                       set_login_opt ${opt}
+                       sed_args+=( -e "/^#${opt}\>/b pamnote" )
+               done
+               sed -i "${sed_args[@]}" \
+                       -e 'b exit' \
+                       -e ': pamnote; i# NOTE: This setting should be 
configured via /etc/pam.d/ and not in this file.' \
+                       -e ': exit' \
+                       "${ED}"/etc/login.defs || die
+
+               # remove manpages that pam will install for us
+               # and/or don't apply when using pam
+               find "${ED}"/usr/share/man -type f \
+                       '(' -name 'limits.5*' -o -name 'suauth.5*' ')' \
+                       -delete
+
+               # Remove pam.d files provided by pambase.
+               rm "${ED}"/etc/pam.d/{login,passwd} || die
+               if use su ; then
+                       rm "${ED}"/etc/pam.d/su || die
+               fi
+       fi
+
+       # Remove manpages that are handled by other packages
+       find "${ED}"/usr/share/man \
+               '(' -name id.1 -o -name passwd.5 -o -name getspnam.3 ')' \
+               -delete
+
+       cd "${S}" || die
+       dodoc ChangeLog NEWS TODO
+       newdoc README README.download
+       cd doc || die
+       dodoc HOWTO README* WISHLIST *.txt
+}
+
+pkg_preinst() {
+       rm -f "${EROOT}"/etc/pam.d/system-auth.new \
+               "${EROOT}/etc/login.defs.new"
+}
+
+pkg_postinst() {
+       # Enable shadow groups.
+       if [ ! -f "${EROOT}"/etc/gshadow ] ; then
+               if grpck -r -R "${EROOT}" 2>/dev/null ; then
+                       grpconv -R "${EROOT}"
+               else
+                       ewarn "Running 'grpck' returned errors.  Please run it 
by hand, and then"
+                       ewarn "run 'grpconv' afterwards!"
+               fi
+       fi
+
+       [[ ! -f "${EROOT}"/etc/subgid ]] &&
+               touch "${EROOT}"/etc/subgid
+       [[ ! -f "${EROOT}"/etc/subuid ]] &&
+               touch "${EROOT}"/etc/subuid
+
+       einfo "The 'adduser' symlink to 'useradd' has been dropped."
+}
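Review bot: The loop `for x in chsh shfn ; do` installs the passwd PAM stack as /etc/pam.d/shfn, whereas the commit message says chfn and chsh should share the passwd config; `shfn` looks like a typo for `chfn`, and as written chfn gets no service file and would fall back to the `other` stack under Linux-PAM. The fix is `for x in chsh chfn ; do`, and the loop variable should be declared with `local x` to match `local opt sed_args=()` a few lines below. In set_login_opt the second sed ends with `"${ED}"/etc/login.defs` without `|| die` while the first branch has it, so a failed rewrite of a non-empty option would go unnoticed; `"${ED}"/etc/login.defs || die` makes the two branches consistent. The message also says pam_permit was removed from the existing config, but the diffstat lists only the two new files, so that change presumably lives in an earlier commit and is worth confirming against pam.d-include/shadow, which this ebuild still installs via dopamd.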
