Hello community, here is the log from the commit of package shadow for openSUSE:Factory checked in at 2019-05-12 11:31:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shadow (Old) and /work/SRC/openSUSE:Factory/.shadow.new.5148 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shadow" Sun May 12 11:31:35 2019 rev:30 rq:700977 version:4.6 Changes: -------- --- /work/SRC/openSUSE:Factory/shadow/shadow.changes 2019-01-29 14:40:13.119420021 +0100 +++ /work/SRC/openSUSE:Factory/.shadow.new.5148/shadow.changes 2019-05-12 11:31:37.497558369 +0200 @@ -1,0 +2,24 @@ +Tue Apr 30 22:27:14 CEST 2019 - [email protected] + +- Split shadow-login_defs.patch hunks to its logical components + (bsc#1121197): + * shadow-login_defs-unused-by-pam.patch + * shadow-login_defs-comments.patch + * shadow-login_defs-util-linux.patch + * shadow-login_defs-suse.patch + * Move appropriate hunks to chkname-regex.patch and + encryption_method_nis.patch + * Remove GROUPADD_CMD that is not supported (bsc#1121197#c14). +- Split getdef-new-defs.patch hunks to its logical components + (bsc#1121197): + * encryption_method_nis.patch + * chkname-regex.patch + * shadow-util-linux.patch + Add support for login: ALWAYS_SET_PATH and LOGIN_PLAIN_PROMPT. + * useradd-script.patch, userdel-script.patch + * Remove duplicated definitions of MOTD_FILE and ENV_PATH. +- Add shadow-login_defs-unused-check.sh to allow verification of + login.defs variable usage (bsc#1121197). +- Add virtual symbols for login.defs compatibility (bsc#1121197). + +------------------------------------------------------------------- Old: ---- getdef-new-defs.patch shadow-login_defs.patch New: ---- shadow-login_defs-check.sh shadow-login_defs-comments.patch shadow-login_defs-suse.patch shadow-login_defs-unused-by-pam.patch shadow-util-linux.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shadow.spec ++++++ --- /var/tmp/diff_new_pack.xHoW0R/_old 2019-05-12 11:31:38.837562292 +0200 +++ /var/tmp/diff_new_pack.xHoW0R/_new 2019-05-12 11:31:38.837562292 +0200 
@@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # 
@@ -33,18 +33,37 @@ Source7: shadow.timer Source42: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc Source43: %{name}.keyring -Patch0: shadow-login_defs.patch +# SOURCE-FEATURE-SUSE shadow-login_defs-check.sh [email protected] -- Supplementary script that verifies coverage of variables in shadow-login_defs-unused-by-pam.patch and other patches. +Source44: shadow-login_defs-check.sh +# PATCH-FIX-SUSE shadow-login_defs-unused-by-pam.patch [email protected] -- Remove variables that have no use with PAM. +Patch0: shadow-login_defs-unused-by-pam.patch +# PATCH-FEATURE-SUSE userdel-script.patch [email protected] -- Add support for USERDEL_PRECMD and USERDEL_POSTCMD. Patch1: userdel-script.patch +# PATCH-FEATURE-SUSE useradd-script.patch [email protected] -- Add support for USERADD_CMD. Patch2: useradd-script.patch +# PATCH-FEATURE-SUSE chkname-regex.patch [email protected] -- Username restriction by regex. Patch3: chkname-regex.patch +# PATCH-FEATURE-SUSE useradd-default.patch [email protected] -- Change useradd defaults group to 1000. Patch4: useradd-default.patch -Patch5: getdef-new-defs.patch +# PATCH-FEATURE-SUSE shadow-util-linux.patch [email protected] -- Add support for util-linux specific variables, delete shadow login, su runuser specific. +Patch5: shadow-util-linux.patch +# PATCH-FEATURE-FEDORA shadow-4.1.5.1-userdel-helpfix.patch [email protected] -- Give a hint about what happens when you force the removal of a user. Patch6: shadow-4.1.5.1-userdel-helpfix.patch +# PATCH-FIX-FEDORA shadow-4.1.5.1-userdel-helpfix.patch [email protected] -- Fix error message. Patch7: shadow-4.1.5.1-logmsg.patch +# PATCH-FEATURE-SUSE encryption_method_nis.patch [email protected] -- Add support for ENCRYPT_METHOD_NIS used by SUSE patch in pam (pam_unix). Patch10: encryption_method_nis.patch +# PATCH-FIX-SUSE useradd-mkdirs.patch bnc865563 [email protected] -- Create all parts of the path. 
Patch11: useradd-mkdirs.patch +# PATCH-FIX-SUSE shadow-4.6.0-fix-usermod-prefix-crash.patch https://github.com/shadow-maint/shadow/issues/110 [email protected] -- Fixes crash in usermod when called with --prefix. Patch12: shadow-4.6.0-fix-usermod-prefix-crash.patch +# PATCH-FEATURE-SUSE shadow-login_defs-comments.patch [email protected] -- Adjust login.defs comments. +Patch13: shadow-login_defs-comments.patch +# PATCH-FEATURE-SUSE shadow-login_defs-suse.patch [email protected] -- Customize login.defs. +Patch14: shadow-login_defs-suse.patch +# PATCH-FIX-SUSE disable_new_audit_function.patch [email protected] -- Disable newer libaudit functionality for older distributions. Patch20: disable_new_audit_function.patch +# PATCH-FEATURE-SUSE btrfs-subvolumes.patch fate316134 [email protected] -- Add support for btrfs subvolumes for user homes. Patch21: btrfs-subvolumes.patch BuildRequires: audit-devel > 2.3 BuildRequires: autoconf @@ -62,6 +81,13 @@ PreReq: permissions Provides: pwdutils = 3.2.20 Obsoletes: pwdutils <= 3.2.19 +# Virtual provides for supported variables in login.defs. +# It prevents references to unknown variables. +# Upgrade them only if shadow-util-linux.patch or +# encryption_method_nis.patch has to be ported! +# Call shadow-login_defs-check.sh before! +Provides: login_defs-support-for-pam = 1.3.1 +Provides: login_defs-support-for-util-linux = 2.33.1 %description This package includes the necessary programs for converting plain @@ -71,7 +97,7 @@ %prep %setup -q -a 1 %patch0 -%patch1 -p1 +%patch1 %patch2 %patch3 %patch4 @@ -81,6 +107,8 @@ %patch10 %patch11 -p1 %patch12 -p1 +%patch13 +%patch14 %if 0%{?suse_version} < 1330 %patch20 -p1 %endif ++++++ chkname-regex.patch ++++++ --- /var/tmp/diff_new_pack.xHoW0R/_old 2019-05-12 11:31:39.237563464 +0200 +++ /var/tmp/diff_new_pack.xHoW0R/_new 2019-05-12 11:31:39.253563510 +0200 
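Review bot: The description comment placed above Patch7 names the wrong file: `# PATCH-FIX-FEDORA shadow-4.1.5.1-userdel-helpfix.patch [email protected] -- Fix error message.` sits directly above `Patch7: shadow-4.1.5.1-logmsg.patch`, so it should read `# PATCH-FIX-FEDORA shadow-4.1.5.1-logmsg.patch [email protected] -- Fix error message.`. The two new virtual provides, `login_defs-support-for-pam = 1.3.1` and `login_defs-support-for-util-linux = 2.33.1`, are typed by hand; the check script added as Source44 already prints the exact `Provides:` line derived from the pam and util-linux spec versions at the end of a clean run, and the comment above these lines would be more useful if it said so, e.g. `# Paste the Provides: lines printed by shadow-login_defs-check.sh; do not edit the versions by hand.`. The tag `SOURCE-FEATURE-SUSE` on Source44 is not one of the usual PATCH-*/SOURCE tags used elsewhere in this spec, so whoever lints the package metadata may want to confirm it is accepted.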
@@ -1,3 +1,19 @@ +Index: etc/login.defs +=================================================================== +--- etc/login.defs.orig ++++ etc/login.defs +@@ -274,3 +274,11 @@ USERGROUPS_ENAB yes + # missing. + # + #FORCE_SHADOW yes ++ ++# ++# User/group names must match the following regex expression. ++# The default is [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?, ++# but be aware that the result could depend on the locale settings. ++# ++#CHARACTER_CLASS [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\? ++CHARACTER_CLASS [ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_][ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-]*[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$-]\? Index: lib/getdef.c =================================================================== --- lib/getdef.c.orig ++++++ encryption_method_nis.patch ++++++ --- /var/tmp/diff_new_pack.xHoW0R/_old 2019-05-12 11:31:39.405563955 +0200 +++ /var/tmp/diff_new_pack.xHoW0R/_new 2019-05-12 11:31:39.429564025 +0200 
@@ -1,10 +1,32 @@ ---- lib/getdef.c +Add support for ENCRYPT_METHOD_NIS used by pam: modules/pam_unix/pam_unix_passwd.c. + +Index: lib/getdef.c +=================================================================== +--- lib/getdef.c.orig +++ lib/getdef.c -@@ -58,6 +58,7 @@ static struct itemdef def_table[] = { +@@ -85,6 +85,7 @@ static struct itemdef def_table[] = { {"CREATE_HOME", NULL}, {"DEFAULT_HOME", NULL}, {"ENCRYPT_METHOD", NULL}, + {"ENCRYPT_METHOD_NIS", NULL}, {"ENV_PATH", NULL}, + {"ENV_ROOTPATH", NULL}, {"ENV_SUPATH", NULL}, - {"ERASECHAR", NULL}, +Index: etc/login.defs +=================================================================== +--- etc/login.defs.orig ++++ etc/login.defs +@@ -187,10 +187,13 @@ CHFN_RESTRICT rwh + # If set to DES, DES-based algorithm will be used for encrypting password (default) + # Overrides the MD5_CRYPT_ENAB option + # ++# ENCRYPT_METHOD_NIS is used by pam_unix_passwd.so. ++# + # Note: If you use PAM, it is recommended to use a value consistent with + # the PAM modules configuration. + # + #ENCRYPT_METHOD DES ++#ENCRYPT_METHOD_NIS DES + + # + # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. ++++++ shadow-login_defs-check.sh ++++++ #!/bin/bash # login.defs and lib/getdef.c contain support for third party variables. # It also contains support for variables that are unusable in installations with PAM support enabled. # This script generates a list of used and unused variables in login.defs # with respect to the current configuration. # Arguments: arguments of osc build # If the shadow-login_defs-check-unused.lst is generated, you should # update login.defs. set -o errexit echo "Preparing..." # Check for required commands which quilt >/dev/null which osc >/dev/null # login.defs is shared with util-linux login, su and runuser. # Extract list of referenced variables. if ! test -f openSUSE:Factory/util-linux/BUILD/*/configure.ac ; then echo "Checking out util-linux..." 
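Review bot: The new login.defs comment `# ENCRYPT_METHOD_NIS is used by pam_unix_passwd.so.` does not match the patch header above it, which cites the source file modules/pam_unix/pam_unix_passwd.c; in current Linux-PAM that file is built into pam_unix.so, so the module name in the comment looks like a leftover from an older layout and should be confirmed against the SUSE pam package. A wording that names the source rather than a module, `# ENCRYPT_METHOD_NIS is read by the SUSE pam_unix patch (modules/pam_unix/pam_unix_passwd.c).`, avoids the question. The comment would also help an administrator more if it said what the value governs; from the header it presumably selects the hash used for the NIS password update path as distinct from ENCRYPT_METHOD for local accounts, but that should be verified in the pam patch before being written down.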
osc co openSUSE:Factory util-linux cd openSUSE:Factory/util-linux quilt setup -d BUILD util-linux.spec cd BUILD/* quilt push -a cd ../../../.. fi echo "Extracting variables from util-linux..." cd openSUSE:Factory/util-linux/BUILD/* ( grep -rh getlogindefs . | sed -n 's/^.*getlogindefs[a-z_]*("\([A-Z0-9_]*\)".*$/\1/p' grep -rh logindefs_setenv . | sed -n 's/^.*logindefs_setenv*("[A-Z0-9_]*", "\([A-Z0-9_]*\)".*$/\1/p' ) | LC_ALL=C sort -u >../../../../shadow-login_defs-check-util-linux.lst cd ../../../.. # login.defs is shared pam_unix*.so, pam_faildelay.so and pam_umask.so. # Extract list of referenced variables. if ! test -f openSUSE:Factory/pam/BUILD/*/configure.ac ; then echo "Checking out pam..." osc co openSUSE:Factory pam cd openSUSE:Factory/pam quilt setup -d BUILD pam.spec cd BUILD/* quilt push -a cd ../../../.. fi echo "Extracting variables from pam..." cd openSUSE:Factory/pam/BUILD/* grep -rh LOGIN_DEFS . | sed -n 's/^.*search_key *("\([A-Z0-9_]*\)", *LOGIN_DEFS).*$/\1/p' | LC_ALL=C sort -u >../../../../shadow-login_defs-check-pam.lst cd ../../../.. if ! test -f shadow-login_defs-check-build/stamp ; then echo "Performing preprocessing of shadow by osc..." if ! test -f shadow.spec.shadow-login_defs-check-save ; then cp -a shadow.spec shadow.spec.shadow-login_defs-check-save # In case of shadow, variables extraction is more complicated. The list # depends on configure options, so we have to perform a fake build and # extract variables from prepreocessed sources. patch <<EOF --- shadow.spec +++ shadow.spec 
@@ -131,1 +131,1 @@ -make +make V=1 -k CPPFLAGS="-E" EOF fi osc build "$@" || : echo "This build command was expected to fail." echo "" mv shadow.spec.shadow-login_defs-check-save shadow.spec BUILD_ROOT=$(osc lbl | sed -n 's/^.*Using BUILD_ROOT=//p') BUILD_DIR=$(osc lbl | sed -n 's/^.* cd //p' | head -n1) rm -rf shadow-login_defs-check-build mkdir shadow-login_defs-check-build cp -a "$BUILD_ROOT/$BUILD_DIR"/shadow-* shadow-login_defs-check-build/ touch shadow-login_defs-check-build/stamp fi echo "Extracting list of deleted binaries..." sed -n 's~rm %{buildroot}/%{_\(s\|\)bindir}/\(.*\)$~\2~p' <shadow.spec >shadow-login_defs-check-deleted.lst # The build above is optional only for case of failure or edits in the # code below. If any other build was performed, don't expect correct # results. cd shadow-login_defs-check-build/shadow-* echo "Extracting variables from etc/login.defs..." # Extract variables referenced in login.defs, both active and commented out. sed -n "s/^#//;s/\([A-Z0-9_]*\)[[:space:]].*$/\1/p" <etc/login.defs | sed '/^$/d' | uniq | sed '/^$/d' >../../shadow-login_defs-check-login_defs.lst LC_ALL=C sort -u ../../shadow-login_defs-check-login_defs.lst >../../shadow-login_defs-check-login_defs-sorted.lst echo "Extracting variables from lib/getdef.c..." # Extract variables referenced in lib/getdef.c using current defines. sed -n 's/^\(},\|\) {"\([A-Z0-9_]*\)", /\2/p' <lib/getdef.o >../../shadow-login_defs-check-getdef.lst LC_ALL=C sort -u ../../shadow-login_defs-check-getdef.lst >../../shadow-login_defs-check-getdef-sorted.lst echo "Extracting variables from shadow..." # Extract variables referenced in preprocessed files. grep -r '\(getdef[a-z_]*\|call_script\|is_listed\) *( *"[A-Za-z0-9_]*"' | grep '[^ ]*\.o:' >../../shadow-login_defs-check-shadow.log cd ../.. export RC=0 echo "" echo "" echo "Performing checks..." 
sed ' s/^.*\(getdef[a-z_]*\|call_script\|is_listed*\) *( *"\([A-Za-z0-9_]*\)".*$/\2/ ' <shadow-login_defs-check-shadow.log | LC_ALL=C sort -u >../../shadow-login_defs-check-shadow-all.lst sed 's%^\(.*\)%/^.*\\\/\1\.o:/d%' <shadow-login_defs-check-deleted.lst >shadow-login_defs-check-deleted.sed sed -f shadow-login_defs-check-deleted.sed <shadow-login_defs-check-shadow.log | sed ' s/^.*\(getdef[a-z_]*\|call_script\|is_listed*\) *( *"\([A-Za-z0-9_]*\)".*$/\2/ ' | LC_ALL=C sort -u >shadow-login_defs-check-shadow-used.lst if ! test -s shadow-login_defs-check-deleted.sed ; then echo " BUG: Empty shadow-login_defs-check-deleted.sed Results will be unreliable!" if test $RC -le 4 ; then export RC=4 ; fi fi echo "" echo "Checking that variables in login.defs are referred only once..." if test $(wc -l shadow-login_defs-check-login_defs.lst | sed 's/ .*//') != $(wc -l shadow-login_defs-check-login_defs-sorted.lst | sed 's/ .*//') ; then echo " ERROR: Some variable referred at more places of login.defs!" LC_ALL=C sort shadow-login_defs-check-login_defs.lst >shadow-login_defs-check-login_defs-sorted-nu.lst diff shadow-login_defs-check-login_defs-sorted-nu.lst shadow-login_defs-check-login_defs-sorted.lst if test $RC -le 3 ; then export RC=3 ; fi fi echo "" echo "Checking that variables in lib/getdef.c are referred only once..." if test $(wc -l shadow-login_defs-check-getdef.lst | sed 's/ .*//') != $(wc -l shadow-login_defs-check-getdef-sorted.lst | sed 's/ .*//') ; then echo " ERROR: Some variable referred at more places of lib/getdef.c!" LC_ALL=C sort shadow-login_defs-check-getdef.lst >shadow-login_defs-check-getdef-sorted-nu.lst diff shadow-login_defs-check-getdef-sorted-nu.lst shadow-login_defs-check-getdef-sorted.lst if test $RC -le 3 ; then export RC=3 ; fi fi cat shadow-login_defs-check-shadow-used.lst shadow-login_defs-check-util-linux.lst shadow-login_defs-check-pam.lst | LC_ALL=C sort -u >shadow-login_defs-check-all-used.lst # RC inside pipe cannot be read directly. 
Use 3 for a real stdout inside the pipe, and use stdout for RC. exec 3>&1 function report_packages() { echo -n " (" grep -l $1 shadow-login_defs-check-{shadow-used,util-linux,pam}.lst | sed 's/shadow-login_defs-check-//;s/\.lst//;s/-used//;s/$/, /;$s/, $//' | tr -d '\n' echo -n ")" } # Extracting variables from shadow is not capable to identify compiled-but-unused library code. # This function will identify known false matches. function falsematch() { case "$1" in # MAIL_* used by library call mailcheck() used only by login.c that is deleted in the spec. MAIL_* ) return 0 ;; # FTMP_FILE used by library call failtmp() used only by login.c that is deleted in the spec. FTMP_FILE ) return 0 ;; # ISSUE_FILE used by library call login_prompt() used only by login.c that is deleted in the spec. ISSUE_FILE ) return 0 ;; * ) return 1 ;; esac } echo "" echo "Checking that all used variables are covered by login.defs..." RC=$(cat shadow-login_defs-check-all-used.lst | ( while read ; do if falsematch "$REPLY" ; then echo " FALSE MATCH: Variable $REPLY is not present in login.defs$(report_packages $REPLY)" >&3 continue fi if ! grep -q -x "$REPLY" shadow-login_defs-check-login_defs-sorted.lst ; then echo " NOTICE: Variable $REPLY is not present in login.defs$(report_packages $REPLY)" >&3 if test $RC -le 2 ; then RC=2 ; fi fi done echo $RC ) ) echo "" echo "Checking that all used variables are covered by lib/getdef.c..." RC=$(cat shadow-login_defs-check-all-used.lst | ( while read ; do if falsematch "$REPLY" ; then continue ; fi if ! grep -q -x "$REPLY" shadow-login_defs-check-getdef.lst ; then echo " ERROR: Variable $REPLY is missing in the parser$(report_packages $REPLY)" >&3 if test $RC -le 3 ; then RC=3 ; fi fi done echo $RC ) ) echo "" echo "Checking that all used variables referred in login.defs are valid..." RC=$(cat shadow-login_defs-check-login_defs.lst | ( while read ; do if ! 
grep -q -x "$REPLY" shadow-login_defs-check-all-used.lst ; then echo " ERROR: Failed to find reference for $REPLY" >&3 if test $RC -le 3 ; then RC=3 ; fi fi if ! grep -q -x "$REPLY" shadow-login_defs-check-getdef.lst ; then echo " BUG: Parser does not contain reference for $REPLY" >&3 if test $RC -le 4 ; then RC=4 ; fi fi done echo $RC ) ) echo "" echo "" echo "All checks finished." echo -n "Result: " case $RC in 0) echo "OK." ;; 1) echo "Notices only. Action is optional." ;; 2) echo "Warnings only. Evaluation is needed." ;; 3) echo "Errors found. Fix is recommended." ;; 4) echo "Fatal error. Fix has to be done." ;; esac if test $RC -ge 1 ; then exit 1 fi echo " If you ported shadow-util-linux.patch to the new util-linux version, please submit these updates: Change in util-linux.spec:" sed -n 's/^Version:[[:space:]]*/Requires: login_defs-support-for-util-linux >= /p' <openSUSE\:Factory/util-linux/util-linux.spec echo "Change in shadow.spec:" sed -n 's/^Version:[[:space:]]*/Provides: login_defs-support-for-util-linux = /p' <openSUSE\:Factory/util-linux/util-linux.spec echo " If you ported encryption_method_nis.patch to the new pam version, please submit these updates: Change in pam.spec:" sed -n 's/^Version:[[:space:]]*/Requires: login_defs-support-for-pam >= /p' <openSUSE\:Factory/pam/pam.spec echo "Change in shadow.spec:" sed -n 's/^Version:[[:space:]]*/Provides: login_defs-support-for-pam = /p' <openSUSE\:Factory/pam/pam.spec ++++++ shadow-login_defs-comments.patch ++++++ Improve comments in login.defs. Index: etc/login.defs =================================================================== --- etc/login.defs.orig +++ etc/login.defs @@ -3,8 +3,6 @@ # Some variables are used by login(1), su(1) and runuser(1) from util-linux # package as well pam pam_unix(8) from pam package. # -# $Id$ -# # # Delay in seconds before being allowed another attempt after a login failure 
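Review bot: report_packages() matches with `grep -l $1 ...`, an unanchored substring search with an unquoted argument, so asking about UID_MIN also lists files that only mention SYS_UID_MIN or SUB_UID_MIN; use `grep -l -x -- "$1" shadow-login_defs-check-{shadow-used,util-linux,pam}.lst`, the same `-x` form the rest of the script already uses for `$REPLY`. The two sed expressions that reduce shadow-login_defs-check-shadow.log to variable names write the alternation as `is_listed*`, which matches `is_liste` followed by any number of `d`, while the grep that produced the log uses `is_listed`; the util-linux extraction has the same slip in `logindefs_setenv*(`. The final `case $RC` prints "Notices only. Action is optional." for 1 and "Warnings only" for 2, but nothing in the script ever assigns RC=1 and `if test $RC -ge 1 ; then exit 1` fails the run for warnings too, so either the threshold or the wording should change. Since `set -o errexit` is in force, a missing quilt or osc makes the bare `which` abort the script without a message; `which quilt >/dev/null || { echo "quilt is required" >&2; exit 1; }` would say why.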
@@ -79,11 +77,14 @@ ENV_PATH /bin:/usr/bin ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin #ENV_SUPATH /sbin:/bin:/usr/sbin:/usr/bin -# If this variable is set to "yes", su will always set path. every su -# call will overwrite the PATH variable. +# If this variable is set to "yes" (default is "no"), su will always set +# path. every su call will overwrite the PATH variable. # # Per default, only "su -" will set a new PATH. # +# The recommended value is "yes". The default "no" behavior could have +# a security implication in applications that use commands without path. +# ALWAYS_SET_PATH no # @@ -123,6 +124,11 @@ PASS_WARN_AGE 7 # # Min/max values for automatic uid selection in useradd(8) # +# SYS_UID_MIN to SYS_UID_MAX inclusive is the range for +# UIDs for dynamically allocated administrative and system accounts. +# UID_MIN to UID_MAX inclusive is the range of UIDs of dynamically +# allocated user accounts. +# UID_MIN 1000 UID_MAX 60000 # System accounts @@ -136,6 +142,11 @@ SUB_UID_COUNT 65536 # # Min/max values for automatic gid selection in groupadd(8) # +# SYS_GID_MIN to SYS_GID_MAX inclusive is the range for +# GIDs for dynamically allocated administrative and system groups. +# GID_MIN to GID_MAX inclusive is the range of GIDs of dynamically +# allocated groups. +# GID_MIN 1000 GID_MAX 60000 # System accounts @@ -165,7 +176,6 @@ LOGIN_TIMEOUT 60 CHFN_RESTRICT rwh # -# Only works if compiled with MD5_CRYPT defined: # If set to "yes", new passwords will be encrypted using the MD5-based # algorithm compatible with the one used by recent releases of FreeBSD. # It supports passwords of unlimited length and longer salt strings. 
@@ -180,7 +190,6 @@ CHFN_RESTRICT rwh #MD5_CRYPT_ENAB no # -# Only works if compiled with ENCRYPTMETHOD_SELECT defined: # If set to MD5, MD5-based algorithm will be used for encrypting password # If set to SHA256, SHA256-based algorithm will be used for encrypting password # If set to SHA512, SHA512-based algorithm will be used for encrypting password @@ -196,6 +205,14 @@ CHFN_RESTRICT rwh #ENCRYPT_METHOD_NIS DES # +# Number of rounds for salt. +# Default values: +# Minimum number of rounds. +#SHA_CRYPT_MIN_ROUNDS 1000 +# Maximum number of rounds. +#SHA_CRYPT_MAX_ROUNDS 999999999 + +# # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. # # Define the number of SHA rounds. ++++++ shadow-login_defs-suse.patch ++++++ Set login.defs defaults for SUSE Linux. Index: etc/login.defs =================================================================== --- etc/login.defs.orig +++ etc/login.defs @@ -3,6 +3,9 @@ # Some variables are used by login(1), su(1) and runuser(1) from util-linux # package as well pam pam_unix(8) from pam package. # +# For more, see login.defs(5). Please note that SUSE supports only variables +# listed here! Not listed variables from login.defs(5) have no effect. +# # # Delay in seconds before being allowed another attempt after a login failure @@ -53,8 +56,8 @@ MOTD_FILE /etc/motd # user's name or shell are found in the file. If not a full pathname, then # hushed mode will be enabled if the file exists in the user's home directory. # -HUSHLOGIN_FILE .hushlogin -#HUSHLOGIN_FILE /etc/hushlogins +#HUSHLOGIN_FILE .hushlogin +HUSHLOGIN_FILE /etc/hushlogins # If this variable is set to "yes", hostname will be suppressed in the # login: prompt. 
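Review bot: The block added in the `@@ -196,6 +205,14 @@` hunk, `# Number of rounds for salt.` followed by `#SHA_CRYPT_MIN_ROUNDS 1000` and `#SHA_CRYPT_MAX_ROUNDS 999999999`, describes the iteration count of the SHA hash, not the salt, and it is placed directly above the existing `# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.` section that already documents the number of SHA rounds, so the same two variables are now explained in two places a few lines apart. If that existing section still carries its own commented SHA_CRYPT_*_ROUNDS example lines, the "referred only once" test in shadow-login_defs-check.sh, whose sed strips the leading `#` and counts commented lines too, will report them. I would fold the defaults into the existing section as `# Number of rounds used by the SHA256/SHA512 hash (defaults: min 1000, max 999999999).` and drop the new block.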
@@ -73,9 +76,9 @@ HUSHLOGIN_FILE .hushlogin # ENV_SUPATH is an ENV_ROOTPATH override for su and runuser # (and falback for login). # -ENV_PATH /bin:/usr/bin -ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin -#ENV_SUPATH /sbin:/bin:/usr/sbin:/usr/bin +ENV_PATH /usr/local/bin:/bin:/usr/bin +ENV_ROOTPATH /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin +#ENV_SUPATH /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin # If this variable is set to "yes" (default is "no"), su will always set # path. every su call will overwrite the PATH variable. @@ -99,7 +102,7 @@ ALWAYS_SET_PATH no # set TTYPERM to either 622 or 600. # TTYGROUP tty -TTYPERM 0600 +TTYPERM 0620 # Default initial "umask" value used by login(1) on non-PAM enabled systems. # Default "umask" value for pam_umask(8) on PAM enabled systems. @@ -132,8 +135,8 @@ PASS_WARN_AGE 7 UID_MIN 1000 UID_MAX 60000 # System accounts -SYS_UID_MIN 101 -SYS_UID_MAX 999 +SYS_UID_MIN 100 +SYS_UID_MAX 499 # Extra per user uids SUB_UID_MIN 100000 SUB_UID_MAX 600100000 @@ -150,8 +153,8 @@ SUB_UID_COUNT 65536 GID_MIN 1000 GID_MAX 60000 # System accounts -SYS_GID_MIN 101 -SYS_GID_MAX 999 +SYS_GID_MIN 100 +SYS_GID_MAX 499 # Extra per user group ids SUB_GID_MIN 100000 SUB_GID_MAX 600100000 @@ -160,7 +163,7 @@ SUB_GID_COUNT 65536 # # Max number of login(1) retries if password is bad # -LOGIN_RETRIES 5 +LOGIN_RETRIES 3 # # Max time in seconds for login(1) 
@@ -176,18 +179,9 @@ LOGIN_TIMEOUT 60 CHFN_RESTRICT rwh # -# If set to "yes", new passwords will be encrypted using the MD5-based -# algorithm compatible with the one used by recent releases of FreeBSD. -# It supports passwords of unlimited length and longer salt strings. -# Set to "no" if you need to copy encrypted passwords to other systems -# which don't understand the new algorithm. Default is "no". -# -# Note: If you use PAM, it is recommended to use a value consistent with -# the PAM modules configuration. -# -# This variable is deprecated. You should use ENCRYPT_METHOD instead. +# This variable is deprecated. Use ENCRYPT_METHOD instead! # -#MD5_CRYPT_ENAB no +#MD5_CRYPT_ENAB DO_NOT_USE # # If set to MD5, MD5-based algorithm will be used for encrypting password @@ -201,8 +195,8 @@ CHFN_RESTRICT rwh # Note: If you use PAM, it is recommended to use a value consistent with # the PAM modules configuration. # -#ENCRYPT_METHOD DES -#ENCRYPT_METHOD_NIS DES +ENCRYPT_METHOD SHA512 +ENCRYPT_METHOD_NIS DES # # Number of rounds for salt. @@ -271,7 +265,7 @@ USERDEL_POSTCMD /usr/sbin/userde # # This also enables userdel(8) to remove user groups if no members exist. # -USERGROUPS_ENAB yes +USERGROUPS_ENAB no # # If set to a non-zero number, the shadow utilities will make sure that 
@@ -290,13 +284,13 @@ USERGROUPS_ENAB yes # This option is overridden with the -M or -m flags on the useradd(8) # command-line. # -#CREATE_HOME yes +CREATE_HOME no # # Force use shadow, even if shadow passwd & shadow group files are # missing. # -#FORCE_SHADOW yes +FORCE_SHADOW no # # User/group names must match the following regex expression. ++++++ shadow-login_defs-unused-by-pam.patch ++++++ Remove variables that are present in login.defs, but shadow with the current configuration (e. g. with PAM) does not use them. shadow-login_defs-unused-check.sh makes possible to verify that it is still up to date. Index: etc/login.defs =================================================================== --- etc/login.defs.orig +++ etc/login.defs @@ -12,11 +12,6 @@ FAIL_DELAY 3 # -# Enable logging and display of /var/log/faillog login(1) failure info. -# -FAILLOG_ENAB yes - -# # Enable display of unknown usernames when login(1) failures are recorded. # LOG_UNKFAIL_ENAB no @@ -27,34 +22,6 @@ LOG_UNKFAIL_ENAB no LOG_OK_LOGINS no # -# Enable logging and display of /var/log/lastlog login(1) time info. -# -LASTLOG_ENAB yes - -# -# Enable checking and display of mailbox status upon login. -# -# Disable if the shell startup files already check for mail -# ("mailx -e" or equivalent). -# -MAIL_CHECK_ENAB yes - -# -# Enable additional checks upon password changes. -# -OBSCURE_CHECKS_ENAB yes - -# -# Enable checking of time restrictions specified in /etc/porttime. -# -PORTTIME_CHECKS_ENAB yes - -# -# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field. -# -QUOTAS_ENAB yes - -# # Enable "syslog" logging of su(1) activity - in addition to sulog file logging. # SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1). # 
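Review bot: This patch leaves `ALWAYS_SET_PATH no` in place (it is context in the `@@ -73,9 +76,9 @@` hunk) while the sibling shadow-login_defs-comments.patch adds the text that the recommended value is "yes" and that "no" could have a security implication for applications that run commands without a path; a distribution defaults file that contradicts its own recommendation reads as an oversight. Either set `ALWAYS_SET_PATH yes` here, or extend the comment with the reason SUSE keeps the default, e.g. `# Kept at "no" for compatibility with scripts that expect su to preserve PATH.` if that is the reason. Separately, `#MD5_CRYPT_ENAB DO_NOT_USE` is a commented line, so the placeholder has no effect until someone uncomments it and then hands the parser a value that looks like a keyword; the line above already says the variable is deprecated in favour of ENCRYPT_METHOD, so keeping the upstream `#MD5_CRYPT_ENAB no` is clearer.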
@@ -82,46 +49,12 @@ MOTD_FILE /etc/motd #MOTD_FILE /etc/motd:/usr/lib/news/news-motd # -# If defined, this file will be output before each login(1) prompt. -# -#ISSUE_FILE /etc/issue - -# # If defined, file which maps tty line to TERM environment parameter. # Each line of the file is in a format similar to "vt100 tty01". # #TTYTYPE_FILE /etc/ttytype # -# If defined, login(1) failures will be logged here in a utmp format. -# last(1), when invoked as lastb(1), will read /var/log/btmp, so... -# -FTMP_FILE /var/log/btmp - -# -# If defined, name of file whose presence will inhibit non-root -# logins. The content of this file should be a message indicating -# why logins are inhibited. -# -NOLOGINS_FILE /etc/nologin - -# -# If defined, the command name to display when running "su -". For -# example, if this is defined as "su" then ps(1) will display the -# command as "-su". If not defined, then ps(1) will display the -# name of the shell actually being run, e.g. something like "-sh". -# -SU_NAME su - -# -# *REQUIRED* -# Directory where mailboxes reside, _or_ name of file, relative to the -# home directory. If you _do_ define both, MAIL_DIR takes precedence. -# -MAIL_DIR /var/spool/mail -#MAIL_FILE .mail - -# # If defined, file which inhibits all the usual chatter during the login # sequence. If a full pathname, then hushed mode will be enabled if the # user's name or shell are found in the file. If not a full pathname, then @@ -131,21 +64,6 @@ HUSHLOGIN_FILE .hushlogin #HUSHLOGIN_FILE /etc/hushlogins # -# If defined, either a TZ environment parameter spec or the -# fully-rooted pathname of a file containing such a spec. -# -#ENV_TZ TZ=CST6CDT -#ENV_TZ /etc/tzname - -# -# If defined, an HZ environment parameter spec. -# -# for Linux/x86 -ENV_HZ HZ=100 -# For Linux/Alpha... -#ENV_HZ HZ=1024 - -# # *REQUIRED* The default PATH settings, for superuser and normal users. # # (they are minimal, add the rest in the shell startup files) 
@@ -171,17 +89,13 @@ TTYPERM 0600 # # ERASECHAR Terminal ERASE character ('\010' = backspace). # KILLCHAR Terminal KILL character ('\025' = CTRL/U). -# ULIMIT Default "ulimit" value. # # The ERASECHAR and KILLCHAR are used only on System V machines. -# The ULIMIT is used only if the system supports it. -# (now it works with setrlimit too; ulimit is in 512-byte units) # # Prefix these values with "0" to get octal, "0x" to get hexadecimal. # ERASECHAR 0177 KILLCHAR 025 -#ULIMIT 2097152 # Default initial "umask" value used by login(1) on non-PAM enabled systems. # Default "umask" value for pam_umask(8) on PAM enabled systems. @@ -197,28 +111,13 @@ UMASK 022 # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. -# PASS_MIN_LEN Minimum acceptable password length. # PASS_WARN_AGE Number of days warning given before a password expires. # PASS_MAX_DAYS 99999 PASS_MIN_DAYS 0 -PASS_MIN_LEN 5 PASS_WARN_AGE 7 # -# If "yes", the user must be listed as a member of the first gid 0 group -# in /etc/group (called "root" on most Linux systems) to be able to "su" -# to uid 0 accounts. If the group doesn't exist or is empty, no one -# will be able to "su" to uid 0. -# -SU_WHEEL_ONLY no - -# -# If compiled with cracklib support, sets the path to the dictionaries -# -CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict - -# # Min/max values for automatic uid selection in useradd(8) # UID_MIN 1000 
@@ -255,28 +154,6 @@ LOGIN_RETRIES 5 LOGIN_TIMEOUT 60 # -# Maximum number of attempts to change password if rejected (too easy) -# -PASS_CHANGE_TRIES 5 - -# -# Warn about weak passwords (but still allow them) if you are root. -# -PASS_ALWAYS_WARN yes - -# -# Number of significant characters in the password for crypt(). -# Default is 8, don't change unless your crypt() is better. -# Ignored if MD5_CRYPT_ENAB set to "yes". -# -#PASS_MAX_LEN 8 - -# -# Require password before chfn(1)/chsh(1) can make any changes. -# -CHFN_AUTH yes - -# # Which fields may be changed by regular users using chfn(1) - use # any combination of letters "frwh" (full name, room number, work # phone, home phone). If not defined, no changes are allowed. @@ -285,13 +162,6 @@ CHFN_AUTH yes CHFN_RESTRICT rwh # -# Password prompt (%s will be replaced by user name). -# -# XXX - it doesn't work correctly yet, for now leave it commented out -# to use the default which is just "Password: ". -#LOGIN_STRING "%s's Password: " - -# # Only works if compiled with MD5_CRYPT defined: # If set to "yes", new passwords will be encrypted using the MD5-based # algorithm compatible with the one used by recent releases of FreeBSD. 
@@ -336,29 +206,12 @@ CHFN_RESTRICT rwh # SHA_CRYPT_MAX_ROUNDS 5000 # -# List of groups to add to the user's supplementary group set -# when logging in from the console (as determined by the CONSOLE -# setting). Default is none. -# -# Use with caution - it is possible for users to gain permanent -# access to these groups, even when not logged in from the console. -# How to do it is left as an exercise for the reader... -# -#CONSOLE_GROUPS floppy:audio:cdrom - -# # Should login be allowed if we can't cd to the home directory? # Default is no. # DEFAULT_HOME yes # -# If this file exists and is readable, login environment will be -# read from it. Every line should be in the form name=value. -# -ENVIRON_FILE /etc/environment - -# # If defined, this command is run when removing a user. # It should remove any at/cron/print jobs etc. owned by # the user to be removed (passed as the first argument). ++++++ shadow-util-linux.patch ++++++ Add variables referred by util-linux login, runuser and su, but not by shadow. Delete variables used by shadow implementation of login, su and runuser that has no use in util-linux implementation. Index: etc/login.defs =================================================================== --- etc/login.defs.orig +++ etc/login.defs @@ -1,5 +1,7 @@ # # /etc/login.defs - Configuration control definitions for the shadow package. +# Some variables are used by login(1), su(1) and runuser(1) from util-linux +# package as well pam pam_unix(8) from pam package. # # $Id$ # @@ -17,15 +19,8 @@ FAIL_DELAY 3 LOG_UNKFAIL_ENAB no # -# Enable logging of successful logins +# Enable "syslog" logging of newgrp(1) and sg(1) activity. # -LOG_OK_LOGINS no - -# -# Enable "syslog" logging of su(1) activity - in addition to sulog file logging. -# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1). -# -SYSLOG_SU_ENAB yes SYSLOG_SG_ENAB yes # 
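Review bot: The patch header refers to `shadow-login_defs-unused-check.sh`, but the script this commit adds is Source44 `shadow-login_defs-check.sh`; the same wrong name appears in the shadow.changes entry. Suggested header sentence: `shadow-login_defs-check.sh (Source44 in shadow.spec) can be used to verify that this list is still up to date.`. It would also help a future porter if the header stated the removal criterion explicitly, namely that a variable is dropped from login.defs only when neither the preprocessed shadow sources nor the util-linux and pam reference lists produced by the script mention it, since that union is what the script's "all used" check compares against.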
@@ -63,12 +58,33 @@ MOTD_FILE /etc/motd HUSHLOGIN_FILE .hushlogin #HUSHLOGIN_FILE /etc/hushlogins +# If this variable is set to "yes", hostname will be suppressed in the +# login: prompt. +#LOGIN_PLAIN_PROMPT no + # # *REQUIRED* The default PATH settings, for superuser and normal users. # # (they are minimal, add the rest in the shell startup files) -ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin -ENV_PATH PATH=/bin:/usr/bin +# +# ENV_PATH: The default PATH settings for non-root. +# +# ENV_ROOTPATH: The default PATH settings for root +# (used by login, su and runuser). +# +# ENV_SUPATH is an ENV_ROOTPATH override for su and runuser +# (and falback for login). +# +ENV_PATH /bin:/usr/bin +ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin +#ENV_SUPATH /sbin:/bin:/usr/sbin:/usr/bin + +# If this variable is set to "yes", su will always set path. every su +# call will overwrite the PATH variable. +# +# Per default, only "su -" will set a new PATH. +# +ALWAYS_SET_PATH no # # Terminal permissions @@ -84,19 +100,6 @@ ENV_PATH PATH=/bin:/usr/bin TTYGROUP tty TTYPERM 0600 -# -# Login configuration initializations: -# -# ERASECHAR Terminal ERASE character ('\010' = backspace). -# KILLCHAR Terminal KILL character ('\025' = CTRL/U). -# -# The ERASECHAR and KILLCHAR are used only on System V machines. -# -# Prefix these values with "0" to get octal, "0x" to get hexadecimal. -# -ERASECHAR 0177 -KILLCHAR 025 - # Default initial "umask" value used by login(1) on non-PAM enabled systems. # Default "umask" value for pam_umask(8) on PAM enabled systems. # UMASK is also used by useradd(8) and newusers(8) to set the mode for new Index: lib/getdef.c =================================================================== --- lib/getdef.c.orig +++ lib/getdef.c @@ -77,6 +77,7 @@ struct itemdef { #define NUMDEFS (sizeof(def_table)/sizeof(def_table[0])) static struct itemdef def_table[] = { + {"ALWAYS_SET_PATH", NULL}, {"CHARACTER_CLASS", NULL}, {"CHFN_RESTRICT", NULL}, {"CONSOLE_GROUPS", NULL}, 
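Review bot: ENV_PATH and the commented ENV_SUPATH change form from `PATH=/bin:/usr/bin` to a bare `/bin:/usr/bin`, while both keys stay registered in lib/getdef.c; if any shadow tool still shipped from this package reads ENV_PATH/ENV_SUPATH through getdef_str() and expects the `name=value` form, it now receives a bare path, so that consumer (outside this hunk) should be checked. The ALWAYS_SET_PATH comment is also the place to spell out what its `no` default implies per the text above it: a plain `su` without `-` leaves the invoking user's PATH in the root shell, so sites that want root to always get ENV_ROOTPATH need `ALWAYS_SET_PATH yes`. Two wording fixes in the same block: `(and falback for login)` → `(and fallback for login)`, and `su will always set path. every su` → `su will always set PATH: every su`.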
@@ -85,6 +86,7 @@ static struct itemdef def_table[] = { {"DEFAULT_HOME", NULL}, {"ENCRYPT_METHOD", NULL}, {"ENV_PATH", NULL}, + {"ENV_ROOTPATH", NULL}, {"ENV_SUPATH", NULL}, {"ERASECHAR", NULL}, {"FAIL_DELAY", NULL}, @@ -93,6 +95,7 @@ static struct itemdef def_table[] = { {"GID_MIN", NULL}, {"HUSHLOGIN_FILE", NULL}, {"KILLCHAR", NULL}, + {"LOGIN_PLAIN_PROMPT", NULL}, {"LOGIN_RETRIES", NULL}, {"LOGIN_TIMEOUT", NULL}, {"LOG_OK_LOGINS", NULL}, ++++++ useradd-script.patch ++++++ --- /var/tmp/diff_new_pack.xHoW0R/_old 2019-05-12 11:31:40.577567386 +0200 +++ /var/tmp/diff_new_pack.xHoW0R/_new 2019-05-12 11:31:40.601567457 +0200 @@ -1,6 +1,38 @@ ---- src/useradd.c +Index: etc/login.defs +=================================================================== +--- etc/login.defs.orig ++++ etc/login.defs +@@ -212,6 +212,13 @@ CHFN_RESTRICT rwh + DEFAULT_HOME yes + + # ++# If defined, this command is run when adding a user. ++# It should rebuild any NIS database etc. to add the ++# new created account. ++# ++USERADD_CMD /usr/sbin/useradd.local ++ ++# + # If defined, this command is run when removing a user. + # It should remove any at/cron/print jobs etc. owned by + # the user to be removed (passed as the first argument). +Index: lib/getdef.c +=================================================================== +--- lib/getdef.c.orig ++++ lib/getdef.c +@@ -125,6 +125,7 @@ static struct itemdef def_table[] = { + {"UID_MAX", NULL}, + {"UID_MIN", NULL}, + {"UMASK", NULL}, ++ {"USERADD_CMD", NULL}, + {"USERDEL_CMD", NULL}, + {"USERDEL_PRECMD", NULL}, + {"USERDEL_POSTCMD", NULL}, +Index: src/useradd.c +=================================================================== +--- src/useradd.c.orig +++ src/useradd.c -@@ -1982,6 +1982,30 @@ static void create_mail (void) +@@ -2115,6 +2115,30 @@ static void create_mail (void) } /* 
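Review bot: `USERADD_CMD /usr/sbin/useradd.local` is shipped enabled, whereas the neighbouring `#USERDEL_CMD /usr/sbin/userdel_local` stays commented out, so every useradd run on a default install will attempt to execute that path; whether a missing or non-executable script is tolerated or aborts the user creation depends on the hook in src/useradd.c, which is not visible in this hunk (only the rebased header `@@ -2115,6 +2115,30 @@ static void create_mail (void)` is). Because the hook runs with useradd's privileges, the comment should state that the script must exist and be root-owned and not writable by others, or the entry should ship commented out like USERDEL_CMD. Wording: `# new created account.` → `# newly created account.`.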
@@ -31,7 +63,7 @@ * main - useradd command */ int main (int argc, char **argv) -@@ -2242,6 +2266,7 @@ int main (int argc, char **argv) +@@ -2390,6 +2414,7 @@ int main (int argc, char **argv) nscd_flush_cache ("passwd"); nscd_flush_cache ("group"); ++++++ userdel-script.patch ++++++ --- /var/tmp/diff_new_pack.xHoW0R/_old 2019-05-12 11:31:40.817568089 +0200 +++ /var/tmp/diff_new_pack.xHoW0R/_new 2019-05-12 11:31:40.817568089 +0200 
@@ -1,7 +1,51 @@ -diff -urEbwB shadow-4.6/src/userdel.c shadow-4.6.new/src/userdel.c ---- shadow-4.6/src/userdel.c 2018-04-29 18:42:37.000000000 +0200 -+++ shadow-4.6.new/src/userdel.c 2018-05-14 16:13:43.996280216 +0200 -@@ -125,7 +125,7 @@ +Index: lib/getdef.c +=================================================================== +--- lib/getdef.c.orig ++++ lib/getdef.c +@@ -126,6 +126,8 @@ static struct itemdef def_table[] = { + {"UID_MIN", NULL}, + {"UMASK", NULL}, + {"USERDEL_CMD", NULL}, ++ {"USERDEL_PRECMD", NULL}, ++ {"USERDEL_POSTCMD", NULL}, + {"USERGROUPS_ENAB", NULL}, + #ifndef USE_PAM + PAMDEFS +Index: etc/login.defs +=================================================================== +--- etc/login.defs.orig ++++ etc/login.defs +@@ -216,9 +216,25 @@ DEFAULT_HOME yes + # It should remove any at/cron/print jobs etc. owned by + # the user to be removed (passed as the first argument). + # ++# See also USERDEL_PRECMD and USERDEL_POSTCMD below. ++# + #USERDEL_CMD /usr/sbin/userdel_local + + # ++# If defined, this command is run before removing a user. ++# It should remove any at/cron/print jobs etc. owned by ++# the user to be removed. ++# ++USERDEL_PRECMD /usr/sbin/userdel-pre.local ++ ++# ++# If defined, this command is run after removing a user. ++# It should rebuild any NIS database etc. to remove the ++# account from it. ++# ++USERDEL_POSTCMD /usr/sbin/userdel-post.local ++ ++# + # Enable setting of the umask group bits to be the same as owner bits + # (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is + # the same as gid, and username is the same as the primary group name. +Index: src/userdel.c +=================================================================== +--- src/userdel.c.orig ++++ src/userdel.c +@@ -125,7 +125,7 @@ static void close_files (void); static void fail_exit (int); static void open_files (void); static void update_user (void); 
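Review bot: The new USERDEL_PRECMD comment repeats the USERDEL_CMD text almost verbatim (`It should remove any at/cron/print jobs etc. owned by the user to be removed.`), so a reader cannot tell the two hooks apart; per the src/userdel.c hunks further down in this file, USERDEL_PRECMD is called before open_files() and USERDEL_CMD at the former user_cancel() call site after update_user()/update_groups() and before close_files(), so say that in the comment, e.g. `# It runs before the account files are opened; USERDEL_CMD runs after the user entries have been removed but before the files are closed.`. In the lib/getdef.c hunk the two entries are inserted as `USERDEL_PRECMD` then `USERDEL_POSTCMD`, while the surrounding def_table is kept alphabetical, so swap them (POSTCMD before PRECMD); lookup does not appear to depend on order, so this is style only, and useradd-script.patch inserts them in the same reversed order. As with USERADD_CMD, both hooks ship enabled and run with userdel's privileges, so the comment should note that the scripts must be root-owned and not writable by others.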
@@ -10,7 +54,7 @@ #ifdef EXTRA_CHECK_HOME_DIR static bool path_prefix (const char *, const char *); -@@ -767,13 +767,13 @@ +@@ -767,13 +767,13 @@ static void update_user (void) * cron, at, or print jobs. */ @@ -26,7 +70,7 @@ if (NULL == cmd) { return; } -@@ -1213,9 +1213,10 @@ +@@ -1213,9 +1213,10 @@ int main (int argc, char **argv) } /* @@ -35,20 +79,20 @@ + * Do the hard stuff - open the files, remove the user entries, + * remove the home directory, then close and update the files. */ -+ call_script ("USERDEL_PRECMD", user_name); ++ call_script ("USERDEL_PRECMD", user_name); open_files (); update_user (); update_groups (); -@@ -1319,7 +1320,7 @@ +@@ -1319,7 +1320,7 @@ int main (int argc, char **argv) * the entry from /etc/passwd. */ if(prefix[0] == '\0') - user_cancel (user_name); -+ call_script ("USERDEL_CMD", user_name); ++ call_script ("USERDEL_CMD", user_name); close_files (); #ifdef WITH_TCB -@@ -1329,6 +1330,9 @@ +@@ -1329,6 +1330,9 @@ int main (int argc, char **argv) nscd_flush_cache ("passwd"); nscd_flush_cache ("group");
