Sync from SUSE:SLFO:Main shadow revision ab29753a2cb22265ff261735245b461c

Adrian Schröter 2024-05-04 00:38:12 +02:00
commit 6a4d22a32d
16 changed files with 2829 additions and 0 deletions

23
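--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text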


@ -0,0 +1,28 @@
Index: shadow-4.5/src/lastlog.c
===================================================================
--- shadow-4.5.orig/src/lastlog.c
+++ shadow-4.5/src/lastlog.c
@@ -221,12 +221,15 @@ static void update_one (/*@null@*/const
strcpy (ll.ll_host, "localhost");
#endif
strcpy (ll.ll_line, "lastlog");
+/*
#ifdef WITH_AUDIT
audit_logger (AUDIT_ACCT_UNLOCK, Prog,
"clearing-lastlog",
pw->pw_name, (unsigned int) pw->pw_uid, SHADOW_AUDIT_SUCCESS);
#endif
+*/
}
+/*
#ifdef WITH_AUDIT
else {
audit_logger (AUDIT_ACCT_UNLOCK, Prog,
@@ -234,6 +237,7 @@ static void update_one (/*@null@*/const
pw->pw_name, (unsigned int) pw->pw_uid, SHADOW_AUDIT_SUCCESS);
}
#endif
+*/
if (fwrite (&ll, sizeof(ll), 1, lastlogfile) != 1) {
fprintf (stderr,
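Review bot: Wrapping both `audit_logger (AUDIT_ACCT_UNLOCK, ...)` calls in `update_one` in `/* ... */` removes the audit record for lastlog changes in WITH_AUDIT builds, and the patch has no header giving the reason or a bug reference. If the event type is the problem, a documented replacement is preferable to dropping the record; if the calls must go, `#if 0` / `#endif` is safer than a block comment, which ends at the first `*/` that a later upstream change might place inside the region. The second call's message string lies between the two hunks and `update_one` continues past the last visible line, so this is based on the visible lines only. The paths name `shadow-4.5` while the commit ships `shadow-4.15.1.tar.xz`, so it is worth confirming that the patch still applies and is still needed.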

BIN
pamd.tar.bz2 (Stored with Git LFS) Normal file

Binary file not shown.

BIN
shadow-4.15.1.tar.xz (Stored with Git LFS) Normal file

Binary file not shown.

16
shadow-4.15.1.tar.xz.asc Normal file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=1W4Z
-----END PGP SIGNATURE-----

286
shadow-login_defs-check.sh Normal file

@ -0,0 +1,286 @@
#!/bin/bash
# login.defs and lib/getdef.c contain support for third party variables.
# It also contains support for variables that are unusable in installations with PAM support enabled.
# This script generates a list of used and unused variables in login.defs
# with respect to the current configuration.
# Arguments: arguments of osc build
# If the shadow-login_defs-check-unused.lst is generated, you should
# update login.defs.
set -o errexit
echo "Preparing..."
# Check for required commands
which quilt >/dev/null
which osc >/dev/null
# login.defs is shared with util-linux login, su and runuser.
# Extract list of referenced variables.
if ! test -f openSUSE:Factory/util-linux/BUILD/*/configure.ac ; then
echo "Checking out util-linux..."
if test -d ../util-linux ; then
echo -n "../util-linux found. Are you preparing new version? (y/N) "
read
if test "${REPLY:0:1}" = "y" ; then
mkdir -p openSUSE:Factory
cp -a ../util-linux openSUSE:Factory/
else
osc co openSUSE:Factory util-linux
fi
else
osc co openSUSE:Factory util-linux
fi
cd openSUSE:Factory/util-linux
quilt setup -d BUILD util-linux.spec
cd BUILD/*
quilt push -a
cd ../../../..
fi
echo "Extracting variables from util-linux..."
cd openSUSE:Factory/util-linux/BUILD/*
(
grep -rh getlogindefs . |
sed -n 's/^.*getlogindefs[a-z_]*("\([A-Z0-9_]*\)".*$/\1/p'
grep -rh logindefs_setenv . |
sed -n 's/^.*logindefs_setenv*("[A-Z0-9_]*", "\([A-Z0-9_]*\)".*$/\1/p'
) |
LC_ALL=C sort -u >../../../../shadow-login_defs-check-util-linux.lst
cd ../../../..
# login.defs is shared pam_unix*.so, pam_faildelay.so and pam_umask.so.
# Extract list of referenced variables.
if ! test -f openSUSE:Factory/pam/BUILD/*/configure.ac ; then
echo "Checking out pam..."
if test -d ../pam ; then
echo -n "../pam found. Are you preparing new version? (y/N) "
read
if test "${REPLY:0:1}" = "y" ; then
mkdir -p openSUSE:Factory
cp -a ../pam openSUSE:Factory/
else
osc co openSUSE:Factory pam
fi
else
osc co openSUSE:Factory pam
fi
cd openSUSE:Factory/pam
quilt setup -d BUILD pam.spec
cd BUILD/*
quilt push -a
cd ../../../..
fi
echo "Extracting variables from pam..."
cd openSUSE:Factory/pam/BUILD/*
grep -rh LOGIN_DEFS . |
sed -n 's/CRYPTO_KEY/\"HMAC_CRYPTO_ALGO\"/g;s/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' |
LC_ALL=C sort -u >../../../../shadow-login_defs-check-pam.lst
cd ../../../..
if ! test -f shadow-login_defs-check-build/stamp ; then
echo "Performing preprocessing of shadow by osc..."
if ! test -f shadow.spec.shadow-login_defs-check-save ; then
cp -a shadow.spec shadow.spec.shadow-login_defs-check-save
# In case of shadow, variables extraction is more complicated. The list
# depends on configure options, so we have to perform a fake build and
# extract variables from prepreocessed sources.
# sed -i '/^%make_build/i\_smp_mpflags="%{?_smp_mpflags} -k CPPFLAGS=\\"-E\\""' shadow.spec
sed -i 's/^%make_build/%make_build -k CPPFLAGS=\\"-E\\"/' shadow.spec
if cmp -s shadow.spec shadow.spec.shadow-login_defs-check-save ; then
echo "$0: Please fix sed expression modifying shadow.spec."
mv shadow.spec.shadow-login_defs-check-save shadow.spec
exit 1
fi
fi
if osc build "$@" ; then
echo "This build command was expected to fail, but it succeeded."
echo "$0: Please fix sed expression modifying shadow.spec."
mv shadow.spec.shadow-login_defs-check-save shadow.spec
exit 1
else
echo "This build command was expected to fail."
echo ""
fi
mv shadow.spec.shadow-login_defs-check-save shadow.spec
BUILD_ROOT=$(osc lbl | sed -n 's/^.*Using BUILD_ROOT=//p')
BUILD_DIR=$(osc lbl | sed -n 's/^.* cd //p' | head -n1)
rm -rf shadow-login_defs-check-build
mkdir shadow-login_defs-check-build
cp -a "$BUILD_ROOT/$BUILD_DIR"/shadow-* shadow-login_defs-check-build/
touch shadow-login_defs-check-build/stamp
fi
echo "Extracting list of deleted binaries..."
sed -n 's~rm %{buildroot}/%{_\(s\|\)bindir}/\(.*\)$~\2~p' <shadow.spec >shadow-login_defs-check-deleted.lst
# The build above is optional only for case of failure or edits in the
# code below. If any other build was performed, don't expect correct
# results.
cd shadow-login_defs-check-build/shadow-*
echo "Extracting variables from etc/login.defs..."
# Extract variables referenced in login.defs, both active and commented out.
sed -n "s/^#//;s/\([A-Z0-9_]*\)\([[:space:]].*\|\)$/\1/p" <etc/login.defs | sed '/^$/d' | uniq | sed '/^$/d' >../../shadow-login_defs-check-login_defs.lst
LC_ALL=C sort -u ../../shadow-login_defs-check-login_defs.lst >../../shadow-login_defs-check-login_defs-sorted.lst
echo "Extracting variables from lib/getdef.c..."
# Extract variables referenced in lib/getdef.c using current defines.
sed -n 's/^\(},\|\) {"\([A-Z0-9_]*\)", /\2/p' <lib/libshadow_la-getdef.o >../../shadow-login_defs-check-getdef.lst
LC_ALL=C sort -u ../../shadow-login_defs-check-getdef.lst >../../shadow-login_defs-check-getdef-sorted.lst
echo "Extracting variables from shadow..."
# Extract variables referenced in preprocessed files.
grep -r '\(getdef[a-z_]*\|call_script\|is_listed\) *( *"[A-Za-z0-9_]*"' |
grep '[^ ]*\.o:' >../../shadow-login_defs-check-shadow.log
cd ../..
export RC=0
echo ""
echo ""
echo "Performing checks..."
sed '
s/^.*\(getdef[a-z_]*\|call_script\|is_listed*\) *( *"\([A-Za-z0-9_]*\)".*$/\2/
' <shadow-login_defs-check-shadow.log | LC_ALL=C sort -u >../../shadow-login_defs-check-shadow-all.lst
sed 's%^\(.*\)%/^.*\\\/\1\.o:/d%' <shadow-login_defs-check-deleted.lst >shadow-login_defs-check-deleted.sed
sed -f shadow-login_defs-check-deleted.sed <shadow-login_defs-check-shadow.log |
sed '
s/^.*\(getdef[a-z_]*\|call_script\|is_listed*\) *( *"\([A-Za-z0-9_]*\)".*$/\2/
' | LC_ALL=C sort -u >shadow-login_defs-check-shadow-used.lst
if ! test -s shadow-login_defs-check-deleted.sed ; then
echo " BUG: Empty shadow-login_defs-check-deleted.sed Results will be unreliable!"
if test $RC -le 4 ; then export RC=4 ; fi
fi
echo ""
echo "Checking that variables in login.defs are referred only once..."
if test $(wc -l shadow-login_defs-check-login_defs.lst | sed 's/ .*//') != $(wc -l shadow-login_defs-check-login_defs-sorted.lst | sed 's/ .*//') ; then
echo " ERROR: Some variable referred at more places of login.defs!"
LC_ALL=C sort shadow-login_defs-check-login_defs.lst >shadow-login_defs-check-login_defs-sorted-nu.lst
diff shadow-login_defs-check-login_defs-sorted-nu.lst shadow-login_defs-check-login_defs-sorted.lst
if test $RC -le 3 ; then export RC=3 ; fi
fi
echo ""
echo "Checking that variables in lib/getdef.c are referred only once..."
if test $(wc -l shadow-login_defs-check-getdef.lst | sed 's/ .*//') != $(wc -l shadow-login_defs-check-getdef-sorted.lst | sed 's/ .*//') ; then
echo " ERROR: Some variable referred at more places of lib/getdef.c!"
LC_ALL=C sort shadow-login_defs-check-getdef.lst >shadow-login_defs-check-getdef-sorted-nu.lst
diff shadow-login_defs-check-getdef-sorted-nu.lst shadow-login_defs-check-getdef-sorted.lst
if test $RC -le 3 ; then export RC=3 ; fi
fi
cat shadow-login_defs-check-shadow-used.lst shadow-login_defs-check-util-linux.lst shadow-login_defs-check-pam.lst | LC_ALL=C sort -u >shadow-login_defs-check-all-used.lst
# RC inside pipe cannot be read directly. Use 3 for a real stdout inside the pipe, and use stdout for RC.
exec 3>&1
function report_packages() {
echo -n " ("
grep -l $1 shadow-login_defs-check-{shadow-used,util-linux,pam}.lst |
sed 's/shadow-login_defs-check-//;s/\.lst//;s/-used//;s/$/, /;$s/, $//' |
tr -d '\n'
echo -n ")"
}
# Extracting variables from shadow is not capable to identify compiled-but-unused library code.
# This function will identify known false matches.
function falsematch() {
case "$1" in
# MAIL_* used by library call mailcheck() used only by login.c that is deleted in the spec.
MAIL_* ) return 0 ;;
# FTMP_FILE used by library call failtmp() used only by login.c that is deleted in the spec.
FTMP_FILE ) return 0 ;;
# ISSUE_FILE used by library call login_prompt() used only by login.c that is deleted in the spec.
ISSUE_FILE ) return 0 ;;
# PREVENT_NO_AUTH us used only by login.c and su.c that are deleted in the spec.
PREVENT_NO_AUTH ) return 0 ;;
* ) return 1 ;;
esac
}
echo ""
echo "Checking that all used variables are covered by login.defs..."
RC=$(cat shadow-login_defs-check-all-used.lst | (
while read ; do
if falsematch "$REPLY" ; then
echo " FALSE MATCH: Variable $REPLY is not present in login.defs$(report_packages $REPLY)" >&3
continue
fi
if ! grep -q -x "$REPLY" shadow-login_defs-check-login_defs-sorted.lst ; then
echo " NOTICE: Variable $REPLY is not present in login.defs$(report_packages $REPLY)" >&3
if test $RC -le 2 ; then RC=2 ; fi
fi
done
echo $RC
) )
echo ""
echo "Checking that all used variables are covered by lib/getdef.c..."
RC=$(cat shadow-login_defs-check-all-used.lst | (
while read ; do
if falsematch "$REPLY" ; then continue ; fi
if ! grep -q -x "$REPLY" shadow-login_defs-check-getdef.lst ; then
echo " ERROR: Variable $REPLY is missing in the parser$(report_packages $REPLY)" >&3
if test $RC -le 3 ; then RC=3 ; fi
fi
done
echo $RC
) )
echo ""
echo "Checking that all used variables referred in login.defs are valid..."
RC=$(cat shadow-login_defs-check-login_defs.lst | (
while read ; do
if ! grep -q -x "$REPLY" shadow-login_defs-check-all-used.lst ; then
echo " ERROR: Failed to find reference for $REPLY" >&3
if test $RC -le 3 ; then RC=3 ; fi
fi
if ! grep -q -x "$REPLY" shadow-login_defs-check-getdef.lst ; then
echo " BUG: Parser does not contain reference for $REPLY" >&3
if test $RC -le 4 ; then RC=4 ; fi
fi
done
echo $RC
) )
echo ""
echo ""
echo "All checks finished."
echo -n "Result: "
case $RC in
0) echo "OK." ;;
1) echo "Notices only. Action is optional." ;;
2) echo "Warnings only. Evaluation is needed." ;;
3) echo "Errors found. Fix is recommended." ;;
4) echo "Fatal error. Fix has to be done." ;;
esac
if test $RC -ge 1 ; then
exit 1
fi
echo "
If you ported shadow-util-linux.patch to the new util-linux version,
please submit these updates:
Change in util-linux.spec:"
sed -n 's/^Version:[[:space:]]*/Requires: login_defs-support-for-util-linux >= /p' <openSUSE\:Factory/util-linux/util-linux.spec
echo "Change in shadow.spec:"
sed -n 's/^Version:[[:space:]]*/Provides: login_defs-support-for-util-linux = /p' <openSUSE\:Factory/util-linux/util-linux.spec
echo "
If you ported shadow-login_defs-unused-by-pam.patch to the new pam version,
please submit these updates:
Change in pam.spec:"
sed -n 's/^Version:[[:space:]]*/Requires: login_defs-support-for-pam >= /p' <openSUSE\:Factory/pam/pam.spec
echo "Change in shadow.spec:"
sed -n 's/^Version:[[:space:]]*/Provides: login_defs-support-for-pam = /p' <openSUSE\:Factory/pam/pam.spec
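Review bot: In the "Performing checks..." stage the first `sed` pipeline redirects to `>../../shadow-login_defs-check-shadow-all.lst` although the script has already returned to the package directory with `cd ../..`, so that list is written two levels above the checkout while every other list of the stage stays local; it should read `>shadow-login_defs-check-shadow-all.lst`. `report_packages` runs `grep -l $1` unquoted and unanchored, so a name such as `UID_MIN` would also match a `SYS_UID_MIN` line and the wrong packages can be reported; `grep -l -x -- "$1"` matches whole lines, as the later `grep -q -x "$REPLY"` checks already do. The result table prints "Notices only" for 1 and "Warnings only" for 2, but the NOTICE branch sets `RC=2` and nothing sets 1, so either the label or the value should be aligned.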


@ -0,0 +1,72 @@
Improve comments in login.defs.
Index: etc/login.defs
===================================================================
--- etc/login.defs.orig
+++ etc/login.defs
@@ -3,8 +3,6 @@
# Some variables are used by login(1), su(1) and runuser(1) from util-linux
# package as well pam pam_unix(8) from pam package.
#
-# $Id$
-#
#
# Delay in seconds before being allowed another attempt after a login failure
@@ -99,11 +97,14 @@ ENV_PATH /bin:/usr/bin
ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin
#ENV_SUPATH /sbin:/bin:/usr/sbin:/usr/bin
-# If this variable is set to "yes", su will always set path. every su
-# call will overwrite the PATH variable.
+# If this variable is set to "yes" (default is "no"), su will always set
+# path. every su call will overwrite the PATH variable.
#
# Per default, only "su -" will set a new PATH.
#
+# The recommended value is "yes". The default "no" behavior could have
+# a security implication in applications that use commands without path.
+#
ALWAYS_SET_PATH no
#
@@ -148,6 +149,11 @@ PASS_WARN_AGE 7
#
# Min/max values for automatic uid selection in useradd(8)
#
+# SYS_UID_MIN to SYS_UID_MAX inclusive is the range for
+# UIDs for dynamically allocated administrative and system accounts.
+# UID_MIN to UID_MAX inclusive is the range of UIDs of dynamically
+# allocated user accounts.
+#
UID_MIN 1000
UID_MAX 60000
# System accounts
@@ -161,6 +167,11 @@ SUB_UID_COUNT 65536
#
# Min/max values for automatic gid selection in groupadd(8)
#
+# SYS_GID_MIN to SYS_GID_MAX inclusive is the range for
+# GIDs for dynamically allocated administrative and system groups.
+# GID_MIN to GID_MAX inclusive is the range of GIDs of dynamically
+# allocated groups.
+#
GID_MIN 1000
GID_MAX 60000
# System accounts
@@ -196,7 +207,6 @@ LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
#
-# Only works if compiled with MD5_CRYPT defined:
# If set to "yes", new passwords will be encrypted using the MD5-based
# algorithm compatible with the one used by recent releases of FreeBSD.
# It supports passwords of unlimited length and longer salt strings.
@@ -211,7 +221,6 @@ CHFN_RESTRICT rwh
#MD5_CRYPT_ENAB no
#
-# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
# If set to MD5, MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password


@ -0,0 +1,148 @@
Set login.defs defaults for SUSE Linux.
Index: etc/login.defs
===================================================================
--- etc/login.defs.orig
+++ etc/login.defs
@@ -3,6 +3,9 @@
# Some variables are used by login(1), su(1) and runuser(1) from util-linux
# package as well pam pam_unix(8) from pam package.
#
+# For more, see login.defs(5). Please note that SUSE supports only variables
+# listed here! Not listed variables from login.defs(5) have no effect.
+#
#
# Delay in seconds before being allowed another attempt after a login failure
@@ -52,8 +55,8 @@ CONSOLE /etc/securetty
# If defined, ":" delimited list of "message of the day" files to
# be displayed upon login.
#
-MOTD_FILE /etc/motd
-#MOTD_FILE /etc/motd:/usr/lib/news/news-motd
+MOTD_FILE ""
+#MOTD_FILE /etc/motd:/usr/share/misc/motd
#
# If set to "yes", login stops display content specified by MOTD_FILE after
@@ -73,8 +76,8 @@ MOTD_FILE /etc/motd
# user's name or shell are found in the file. If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
-HUSHLOGIN_FILE .hushlogin
-#HUSHLOGIN_FILE /etc/hushlogins
+#HUSHLOGIN_FILE .hushlogin
+HUSHLOGIN_FILE /etc/hushlogins
# If this variable is set to "yes", hostname will be suppressed in the
# login: prompt.
@@ -93,9 +96,9 @@ HUSHLOGIN_FILE .hushlogin
# ENV_SUPATH is an ENV_ROOTPATH override for su and runuser
# (and falback for login).
#
-ENV_PATH /bin:/usr/bin
-ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin
-#ENV_SUPATH /sbin:/bin:/usr/sbin:/usr/bin
+ENV_PATH /usr/local/bin:/bin:/usr/bin
+ENV_ROOTPATH /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+#ENV_SUPATH /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# If this variable is set to "yes" (default is "no"), su will always set
# path. every su call will overwrite the PATH variable.
@@ -105,7 +108,7 @@ ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/b
# The recommended value is "yes". The default "no" behavior could have
# a security implication in applications that use commands without path.
#
-ALWAYS_SET_PATH no
+ALWAYS_SET_PATH yes
#
# Terminal permissions
@@ -119,7 +122,7 @@ ALWAYS_SET_PATH no
# set TTYPERM to either 622 or 600.
#
TTYGROUP tty
-TTYPERM 0600
+TTYPERM 0620
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
@@ -133,7 +136,7 @@ UMASK 022
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
# home directories.
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
-#HOME_MODE 0700
+HOME_MODE 0700
#
# Password aging controls:
@@ -157,8 +160,8 @@ PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
# System accounts
-SYS_UID_MIN 101
-SYS_UID_MAX 999
+SYS_UID_MIN 100
+SYS_UID_MAX 499
# Extra per user uids
SUB_UID_MIN 100000
SUB_UID_MAX 600100000
@@ -175,8 +178,8 @@ SUB_UID_COUNT 65536
GID_MIN 1000
GID_MAX 60000
# System accounts
-SYS_GID_MIN 101
-SYS_GID_MAX 999
+SYS_GID_MIN 100
+SYS_GID_MAX 499
# Extra per user group ids
SUB_GID_MIN 100000
SUB_GID_MAX 600100000
@@ -185,7 +188,7 @@ SUB_GID_COUNT 65536
#
# Max number of login(1) retries if password is bad
#
-LOGIN_RETRIES 5
+LOGIN_RETRIES 3
#
# Tell login to only re-prompt for the password if authentication
@@ -207,18 +210,9 @@ LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
#
-# If set to "yes", new passwords will be encrypted using the MD5-based
-# algorithm compatible with the one used by recent releases of FreeBSD.
-# It supports passwords of unlimited length and longer salt strings.
-# Set to "no" if you need to copy encrypted passwords to other systems
-# which don't understand the new algorithm. Default is "no".
-#
-# Note: If you use PAM, it is recommended to use a value consistent with
-# the PAM modules configuration.
-#
-# This variable is deprecated. You should use ENCRYPT_METHOD instead.
+# This variable is deprecated. Use ENCRYPT_METHOD instead!
#
-#MD5_CRYPT_ENAB no
+#MD5_CRYPT_ENAB DO_NOT_USE
#
# If set to MD5, MD5-based algorithm will be used for encrypting password
@@ -233,7 +227,7 @@ CHFN_RESTRICT rwh
# Note: If you use PAM, it is recommended to use a value consistent with
# the PAM modules configuration.
#
-#ENCRYPT_METHOD DES
+ENCRYPT_METHOD SHA512
#
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
@@ -322,7 +316,7 @@ USERGROUPS_ENAB yes
# This option is overridden with the -M or -m flags on the useradd(8)
# command-line.
#
-#CREATE_HOME yes
+CREATE_HOME yes
#
# Force use shadow, even if shadow passwd & shadow group files are
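Review bot: The new `ENV_PATH` and `ENV_ROOTPATH` values put `/usr/local/bin` and `/usr/local/sbin` ahead of the system directories, and the same patch switches `ALWAYS_SET_PATH` to `yes`, which per the comment above it makes every su call overwrite PATH. A program placed under /usr/local then takes precedence over the system command of the same name for root, so the setting relies on those directories being writable by root only; the file should say so, e.g. `# /usr/local/{sbin,bin} are searched first and must be writable by root only.` above `ENV_PATH`. `ENCRYPT_METHOD SHA512` is enabled here while the only rounds setting visible on this page, `#SHA_CRYPT_MAX_ROUNDS 5000`, stays commented out; whether the resulting work factor is the intended one is worth confirming.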


@ -0,0 +1,280 @@
Remove variables that are present in login.defs, but shadow with the
current configuration (e. g. with PAM) does not use them.
It also includes variables used by the current configuration, but deleted
in the spec file.
shadow-login_defs-unused-check.sh makes possible to verify that it is
still up to date.
Index: etc/login.defs
===================================================================
--- etc/login.defs.orig
+++ etc/login.defs
@@ -12,11 +12,6 @@
FAIL_DELAY 3
#
-# Enable logging and display of /var/log/faillog login(1) failure info.
-#
-FAILLOG_ENAB yes
-
-#
# Enable display of unknown usernames when login(1) failures are recorded.
#
LOG_UNKFAIL_ENAB no
@@ -27,11 +22,6 @@ LOG_UNKFAIL_ENAB no
LOG_OK_LOGINS no
#
-# Enable logging and display of /var/log/lastlog login(1) time info.
-#
-LASTLOG_ENAB yes
-
-#
# Limit the highest user ID number for which the lastlog entries should
# be updated.
#
@@ -41,29 +31,6 @@ LASTLOG_ENAB yes
#LASTLOG_UID_MAX
#
-# Enable checking and display of mailbox status upon login.
-#
-# Disable if the shell startup files already check for mail
-# ("mailx -e" or equivalent).
-#
-MAIL_CHECK_ENAB yes
-
-#
-# Enable additional checks upon password changes.
-#
-OBSCURE_CHECKS_ENAB yes
-
-#
-# Enable checking of time restrictions specified in /etc/porttime.
-#
-PORTTIME_CHECKS_ENAB yes
-
-#
-# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field.
-#
-QUOTAS_ENAB yes
-
-#
# Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
#
@@ -91,46 +58,12 @@ MOTD_FILE /etc/motd
#MOTD_FILE /etc/motd:/usr/lib/news/news-motd
#
-# If defined, this file will be output before each login(1) prompt.
-#
-#ISSUE_FILE /etc/issue
-
-#
# If defined, file which maps tty line to TERM environment parameter.
# Each line of the file is in a format similar to "vt100 tty01".
#
#TTYTYPE_FILE /etc/ttytype
#
-# If defined, login(1) failures will be logged here in a utmp format.
-# last(1), when invoked as lastb(1), will read /var/log/btmp, so...
-#
-FTMP_FILE /var/log/btmp
-
-#
-# If defined, name of file whose presence will inhibit non-root
-# logins. The content of this file should be a message indicating
-# why logins are inhibited.
-#
-NOLOGINS_FILE /etc/nologin
-
-#
-# If defined, the command name to display when running "su -". For
-# example, if this is defined as "su" then ps(1) will display the
-# command as "-su". If not defined, then ps(1) will display the
-# name of the shell actually being run, e.g. something like "-sh".
-#
-SU_NAME su
-
-#
-# *REQUIRED*
-# Directory where mailboxes reside, _or_ name of file, relative to the
-# home directory. If you _do_ define both, MAIL_DIR takes precedence.
-#
-MAIL_DIR /var/spool/mail
-#MAIL_FILE .mail
-
-#
# If defined, file which inhibits all the usual chatter during the login
# sequence. If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file. If not a full pathname, then
@@ -140,21 +73,6 @@ HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
#
-# If defined, either a TZ environment parameter spec or the
-# fully-rooted pathname of a file containing such a spec.
-#
-#ENV_TZ TZ=CST6CDT
-#ENV_TZ /etc/tzname
-
-#
-# If defined, an HZ environment parameter spec.
-#
-# for Linux/x86
-ENV_HZ HZ=100
-# For Linux/Alpha...
-#ENV_HZ HZ=1024
-
-#
# *REQUIRED* The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
@@ -180,17 +98,13 @@ TTYPERM 0600
#
# ERASECHAR Terminal ERASE character ('\010' = backspace).
# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
-# ULIMIT Default "ulimit" value.
#
# The ERASECHAR and KILLCHAR are used only on System V machines.
-# The ULIMIT is used only if the system supports it.
-# (now it works with setrlimit too; ulimit is in 512-byte units)
#
# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
#
ERASECHAR 0177
KILLCHAR 025
-#ULIMIT 2097152
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
@@ -211,23 +125,13 @@ UMASK 022
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
-# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
-PASS_MIN_LEN 5
PASS_WARN_AGE 7
#
-# If "yes", the user must be listed as a member of the first gid 0 group
-# in /etc/group (called "root" on most Linux systems) to be able to "su"
-# to uid 0 accounts. If the group doesn't exist or is empty, no one
-# will be able to "su" to uid 0.
-#
-SU_WHEEL_ONLY no
-
-#
# Min/max values for automatic uid selection in useradd(8)
#
UID_MIN 1000
@@ -264,28 +168,6 @@ LOGIN_RETRIES 5
LOGIN_TIMEOUT 60
#
-# Maximum number of attempts to change password if rejected (too easy)
-#
-PASS_CHANGE_TRIES 5
-
-#
-# Warn about weak passwords (but still allow them) if you are root.
-#
-PASS_ALWAYS_WARN yes
-
-#
-# Number of significant characters in the password for crypt().
-# Default is 8, don't change unless your crypt() is better.
-# Ignored if MD5_CRYPT_ENAB set to "yes".
-#
-#PASS_MAX_LEN 8
-
-#
-# Require password before chfn(1)/chsh(1) can make any changes.
-#
-CHFN_AUTH yes
-
-#
# Which fields may be changed by regular users using chfn(1) - use
# any combination of letters "frwh" (full name, room number, work
# phone, home phone). If not defined, no changes are allowed.
@@ -294,13 +176,6 @@ CHFN_AUTH yes
CHFN_RESTRICT rwh
#
-# Password prompt (%s will be replaced by user name).
-#
-# XXX - it doesn't work correctly yet, for now leave it commented out
-# to use the default which is just "Password: ".
-#LOGIN_STRING "%s's Password: "
-
-#
# Only works if compiled with MD5_CRYPT defined:
# If set to "yes", new passwords will be encrypted using the MD5-based
# algorithm compatible with the one used by recent releases of FreeBSD.
@@ -349,45 +224,6 @@ CHFN_RESTRICT rwh
#SHA_CRYPT_MAX_ROUNDS 5000
#
-# Only works if ENCRYPT_METHOD is set to BCRYPT.
-#
-# Define the number of BCRYPT rounds.
-# With a lot of rounds, it is more difficult to brute-force the password.
-# However, more CPU resources will be needed to authenticate users if
-# this value is increased.
-#
-# If not specified, 13 rounds will be attempted.
-# If only one of the MIN or MAX values is set, then this value will be used.
-# If MIN > MAX, the highest value will be used.
-#
-#BCRYPT_MIN_ROUNDS 13
-#BCRYPT_MAX_ROUNDS 13
-
-#
-# Only works if ENCRYPT_METHOD is set to YESCRYPT.
-#
-# Define the YESCRYPT cost factor.
-# With a higher cost factor, it is more difficult to brute-force the password.
-# However, more CPU time and more memory will be needed to authenticate users
-# if this value is increased.
-#
-# If not specified, a cost factor of 5 will be used.
-# The value must be within the 1-11 range.
-#
-#YESCRYPT_COST_FACTOR 5
-
-#
-# List of groups to add to the user's supplementary group set
-# when logging in from the console (as determined by the CONSOLE
-# setting). Default is none.
-#
-# Use with caution - it is possible for users to gain permanent
-# access to these groups, even when not logged in from the console.
-# How to do it is left as an exercise for the reader...
-#
-#CONSOLE_GROUPS floppy:audio:cdrom
-
-#
# Should login be allowed if we can't cd to the home directory?
# Default is no.
#
@@ -402,12 +238,6 @@ DEFAULT_HOME yes
NONEXISTENT /nonexistent
#
-# If this file exists and is readable, login environment will be
-# read from it. Every line should be in the form name=value.
-#
-ENVIRON_FILE /etc/environment
-
-#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
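Review bot: The patch header points to `shadow-login_defs-unused-check.sh`, but the script added in this commit is named `shadow-login_defs-check.sh`; the header should use the real name so the verification step can be found. The removed entries include password-policy settings (`PASS_MIN_LEN`, `OBSCURE_CHECKS_ENAB`, `PASS_CHANGE_TRIES`, `PASS_ALWAYS_WARN`) and the `BCRYPT_*` / `YESCRYPT_COST_FACTOR` documentation, and after this patch the file no longer tells an administrator that these are not honoured in this configuration. If the policy now lives in the PAM stack, as the header's "e. g. with PAM" suggests, a retained comment such as `# Password quality and hashing cost are configured in PAM, not here.` would say so.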

139
shadow-util-linux.patch Normal file

@ -0,0 +1,139 @@
Add variables referred by util-linux login, runuser and su, but not by
shadow.
Delete variables used by shadow implementation of login, su and runuser
that has no use in util-linux implementation.
Index: etc/login.defs
===================================================================
--- etc/login.defs.orig
+++ etc/login.defs
@@ -1,5 +1,7 @@
#
# /etc/login.defs - Configuration control definitions for the shadow package.
+# Some variables are used by login(1), su(1) and runuser(1) from util-linux
+# package as well pam pam_unix(8) from pam package.
#
# $Id$
#
@@ -17,9 +19,8 @@ FAIL_DELAY 3
LOG_UNKFAIL_ENAB no
#
-# Enable logging of successful logins
+# Enable "syslog" logging of newgrp(1) and sg(1) activity.
#
-LOG_OK_LOGINS no
#
# Limit the highest user ID number for which the lastlog entries should
@@ -31,10 +32,9 @@ LOG_OK_LOGINS no
#LASTLOG_UID_MAX
#
-# Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
-# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
+# Enable "syslog" logging of newgrp(1) and sg(1) activity - in addition
+# to sulog file logging.
#
-SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
#
@@ -58,6 +58,12 @@ MOTD_FILE /etc/motd
#MOTD_FILE /etc/motd:/usr/lib/news/news-motd
#
+# If set to "yes", login stops display content specified by MOTD_FILE after
+# the first accessible item in the list.
+#
+#MOTD_FIRSTONLY no
+
+#
# If defined, file which maps tty line to TERM environment parameter.
# Each line of the file is in a format similar to "vt100 tty01".
#
@@ -72,12 +78,33 @@ MOTD_FILE /etc/motd
HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
+# If this variable is set to "yes", hostname will be suppressed in the
+# login: prompt.
+#LOGIN_PLAIN_PROMPT no
+
#
# *REQUIRED* The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
-ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
-ENV_PATH PATH=/bin:/usr/bin
+#
+# ENV_PATH: The default PATH settings for non-root.
+#
+# ENV_ROOTPATH: The default PATH settings for root
+# (used by login, su and runuser).
+#
+# ENV_SUPATH is an ENV_ROOTPATH override for su and runuser
+# (and falback for login).
+#
+ENV_PATH /bin:/usr/bin
+ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin
+#ENV_SUPATH /sbin:/bin:/usr/sbin:/usr/bin
+
+# If this variable is set to "yes", su will always set path. every su
+# call will overwrite the PATH variable.
+#
+# Per default, only "su -" will set a new PATH.
+#
+ALWAYS_SET_PATH no
#
# Terminal permissions
@@ -93,19 +120,6 @@ ENV_PATH PATH=/bin:/usr/bin
TTYGROUP tty
TTYPERM 0600
-#
-# Login configuration initializations:
-#
-# ERASECHAR Terminal ERASE character ('\010' = backspace).
-# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
-#
-# The ERASECHAR and KILLCHAR are used only on System V machines.
-#
-# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
-#
-ERASECHAR 0177
-KILLCHAR 025
-
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
@@ -163,6 +177,12 @@ SUB_GID_COUNT 65536
LOGIN_RETRIES 5
#
+# Tell login to only re-prompt for the password if authentication
+# failed, but the username is valid. The default value is no.
+#
+LOGIN_KEEP_USERNAME no
+
+#
# Max time in seconds for login(1)
#
LOGIN_TIMEOUT 60
@@ -315,14 +335,6 @@ CHARACTER_CLASS [ABCDEFGHIJKLMNO
#GRANT_AUX_GROUP_SUBIDS yes
#
-# Prevents an empty password field to be interpreted as "no authentication
-# required".
-# Set to "yes" to prevent for all accounts
-# Set to "superuser" to prevent for UID 0 / root (default)
-# Set to "no" to not prevent for any account (dangerous, historical default)
-PREVENT_NO_AUTH superuser
-
-#
# Select the HMAC cryptography algorithm.
# Used in pam_timestamp module to calculate the keyed-hash message
# authentication code.
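Review bot: The hunk at `@@ -17,9 +19,8 @@` replaces the `LOG_OK_LOGINS` heading with `# Enable "syslog" logging of newgrp(1) and sg(1) activity.` and deletes the variable, which leaves a comment block with no setting under it and duplicates the `SYSLOG_SG_ENAB` description in the next hunk. That later text still says `in addition to sulog file logging`, which described su(1); with `SYSLOG_SU_ENAB` removed it should read only `# Enable "syslog" logging of newgrp(1) and sg(1) activity.`, and the orphaned block should be dropped. In the PATH comment `falback` should be `fallback`. The last hunk also drops `PREVENT_NO_AUTH superuser` together with its explanation of empty password fields, and the header should state which component now decides that behaviour.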

1161
shadow.changes Normal file

File diff suppressed because it is too large Load Diff

239
shadow.keyring Normal file

@ -0,0 +1,239 @@
Serge Hallyn <sergeh@kernel.org>
Serge Hallyn <serge@hallyn.com>
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBE+oKZQBCACz5WylGAr+eitZjuSigzR+y30W3E+gkU0DSNlBB3WlorOtmzMX
9F2d+z+ozJuez4NPqwfQ5y2ExKSbL8i1rwYmExZIzTDpm1Q6N3hG+vLbxwbrbsKT
qW9rPiXriU5yRwuvVJl4NOU6T/Pau3/VD8iFN7U4mVpNFVPlB8vCvDJ+07Z0xIH9
MXe8uaERG3v2EL7Mv8L5w05XEeuTT/CJiw6NdzwjZc1FymVoFjntetl8HaJ+5JCB
2ylAbnw/wZJHORgsLxZhOL6/zrJRG8GvjgB+1l8izgl4n0DOqjyyoQIZJ+mfuHR0
6wDqwvP5F9RZqCh8Md4hYujop5a0BKfAzLfdABEBAAG0IFNlcmdlIEhhbGx5biA8
c2VyZ2VoQGtlcm5lbC5vcmc+iQFOBBMBCgA4FiEEZtA4fbhdMg+ECBZtsXXPqY8Z
KvIFAl2r0d0CGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQsXXPqY8ZKvIM
nAgAiTpLlXuzyD4C+9I/yCA9N/BqK43jnMfJOl/Ky56vgJ/WbrFJLuO3wubMlRLD
3jurC6SK2g0TpygyoX2MjwZVT60Sq3ZcgIh71yyWHhtZ29NuUiKsKnajb9IlP+AM
1V0g9py41YdDUmAuC/5crqyK+8u1CVrB/is7Eym598gIl9nyGvaZrzgjG1cRCjzf
ZU8pRG+VPMr5Xla8rDKBZl+LcusV90eAUa0E/KVFS5N1dQ6HKckYXPSBN3DKHZy+
qKa1k7Dq0CnkTjQmjaMu3j5sdOXg4QUfhCHeLDFAtadNdP04I6g5KZRvC44XdQ1A
bxFMLyObhCsq/QxSh/nYrKsw0rQsU2VyZ2UgSGFsbHluIChrZXJuZWwub3JnKSA8
c2VyZ2VAaGFsbHluLmNvbT6JATgEEwECACIFAk+oKZQCGwMGCwkIBwMCBhUIAgkK
CwQWAgMBAh4BAheAAAoJELF1z6mPGSryYfEIAJviOHYwzXjnHWrsbQQ75rJq2wQ4
NlM5FRljskufCXtIz/DUpKKT3aqG3y7ywtEwl4ePofJmLbC0O5bZF9blgSSCV02z
zGdeUosAJsxumYHVi9CRHWsiAaNMX8gif9vePqz/iY/caPS4w4gBXJK8vLwvxToI
4CZDwIlMkMov//3HQ5v5OKfeqbA1rnsGI74vUw9Zt/Sqgudz5bY65693OqeRRWU6
tOH8zo4HkFew26Ydh80qAn1R7ALnk68zwfXj8vdyR9f05dEqbg/4thZWcjWC/Frn
QOjcTwKu5DnUCE937a1MPzt4t1FCYUHrqcLN99uzGuOD42o9/S+JAa2HWhe5Ag0E
Zb/8ygEQAPBwca/apgMnuaVqUSYOCz3qyQ9S65yyifznXrLRYjS3WwCl/yb8imer
Hw5ykDij2WjlHQbod2j/pooCJuhOUfqg1JI5o2nNNFsLOxrYSGsScsK1pSDyOgA4
Kg+wnAGzNAmW47fI05HfCILeK8CvHylxbpEHM0Ola/KivBmg9mqq7I/zTElL9oDT
oOyyO7B0IHZUCbjjkApHZY8VH89kcyBsrXKh5o8BwjwyqiZKvt4uzEjOS58iUYts
rxCDnyGLfp4MFsOWhQi2Z8mN+7iPEApUiKKu+Z4ESCq+/YUtjlIrmcAmw6aqlxLT
/6RqEpoUj57zq+JuYZQKsnEJpnUayG/cFomrsPQuAz4pbWDb0Q/yXLqCw3QR1vjm
kFmgaT8gtO4Idn2qfQ0Nnj8LCcSXjSsWBCaEPVF6Tq5TGMaJOjTwSCFWrW6AsNkw
PI9G8OWfpUWB7ciF4sdGYnBpT11xhUeUg0UsBbOLWQCC8fVIs1gsrwDLbIxXx1lV
XRncM9/6FYQ5IX95N8te2GBDkYzdpTpxgQAqaPHsHvbEoop10qn+HDem0zV66zT2
6EAmD3w9PVlRFYqxGjiAjXC8nwsdnNxuGVBqrZjy2YFDI7JIk9k0qKVDrx3o7/L3
tj0kPjg69Zg2QqgozBSLc4CCS2DzXKjeelxY7IAqfmXel4p5QHRnABEBAAGJA2wE
GAEKACAWIQRm0Dh9uF0yD4QIFm2xdc+pjxkq8gUCZb/8ygIbAgJACRCxdc+pjxkq
8sF0IAQZAQoAHRYhBH5W4sE/p3zjFVmtyX3CTDbDNB0gBQJlv/zKAAoJEH3CTDbD
NB0gUxgQAMW3d6UYo3HdM56El7B8f1PiPKjNBU4A4rZTm/veZFvlr2hSlTQXxxgf
5Y/Eh8VDal9yMhoI8VjfEsyDEmRBgv+KteDaC9YWv/WycImS1tcjF6ddX8s5sVLm
yie1C+SZKxw0ExgWJJzQgJD0xCgEo/2ci4Xc14Et8ay4CiOscfONngAu0Su2WFSg
dtFEcQcYtxR87E8wyPya34OtQuKpwS2+Om5m75/qi6odtnuaB84/TajMyFz/9Fvo
lleUJ0HvnVOpbd2wdmprkTGP7lnhxrBYi2JCZTcaO32gvADZEY9m6zEimFx1fYJJ
QPpl4mO5XhRHtImsg2BKSJZSKhp7IxWP4O2GkrL714c+BiOAYtXnGijBPW3K6h0P
pToGS9DkNwBHJAULXQXydIbvy6knSvgrG44aOS/M1MnbgbfW8GuKOgYtOVyCRk/1
463gsr92BkM1zHF/+Q0I88wB+ZiYjSyYXtJx1jtaUUUhio1GM76Z35YFCiZ9sdi3
IA8hgc8WSW4FESFZq2hbaOc9j0uifPbsZY+uE1vcQN7niBGvdEidAzkKtroOhzBM
I5qWDh3UxWj5pXeNntExucf4bhM9abb57NshNd1GFGE8uIIgiJAF45JAh922vHCr
9T4NaKwf3MC7fGo+kBSTNNh7V35gxg96NTk+cq71eh13007l5GWy7B0H+gJ/V5J6
5xXkUnIx04oUztD2a6YIPuWVRwuyRsHSCzpqFR8K2iRzJFBlrQdMslUSXQJ0kFcM
W70cC0LO+nXF7G57mS5z3ZMILfEkLSFUIwHRdzFu0j9nDjQwcF9ws8ExBAgkAMi+
2VzqMVHz4TekGMEgE/vP2RQSSR4T6JycYRI4gLyhDX9+uZsHBkb46Nn4nUGEqjJ1
umVMYg1Ww6vJqzkKLjWnibkA0fKaUmhVJS2RZ1Dr6Xm+LFFFzSpHGGhy4vvik0FO
RyTNv5jBmMwRcebLcodl8m22KpwjRTkSOOzx+cXlB9KOVlbLj1UxCxFirufHRqxy
F9sprm3IKJxe4/65AQ0EXavhqwEIAMKECc/f8f0/CenKkz3wXGEtlG46YLjtTt2t
WYXdt9Z04ihVaYePanFtvuujyO3I3jUQNv2foU1CtOuVyfZqX+TXqs0BUPXWwTCk
MOyc/fEQ5u0BFJjWYtmr2sZY4Ag1juJsmzI7g3cnMLL9LbjpbHRruFIT5rnv9NwG
7PURn1XnCt9tdZ/d0h7vEaNkD37j67rjy8UElVVcwVGhsCR8CkqwZ6ZwpQxE9wyq
/Txb+v8qEJcohc5SWbYl70AtzHObokkW6cvRjNz+BcEpnPfu10lbPO/8a16B96VD
djDGPj2shfNsFLaT8MtFfDAdjZRGlrfv3Wp4qFRlSUGrjInvOLMAEQEAAYkBNgQY
AQoAIBYhBGbQOH24XTIPhAgWbbF1z6mPGSryBQJdq+GrAhsgAAoJELF1z6mPGSry
W4wH/3Xk9x+WUxeJNtm+5hOfe/KBsXQUbBz+JHGFjd9YQw98jUvPNN1RfgtKf31b
+FDKbk/cu+9bNLSfhKDz2AEREViogKRcVjJDy9XmmWQd1oo+M4GHNYhpIt5ZK1d3
CROIiqisLQsih64/gl9gboMcsUuHRkc3hVKUb2umCZPG37hUdAvOmOMS7/0KCGS5
pXnfsX+zegSKjps12siExYXiRpkxbF9MW7er6/6ukvHLx4jHpgiZ5Sjt/9OqUiAO
gUSQfhpAUJlaLxe9E3nj+ABs7LV+FOjtI64skqgqbYo5VXobFSJhqFTog1+KmMzn
fsdKaOZQuZh3v3TtGUzkxoMUHPe5AQ0EXavhYgEIAMd+iVOTx6FC3Ghv2PASeXsn
xtb9Af+aBjNf0m8WKTLgIS9xQbxgNJctG6AEptkBfAStRLIA5qOa0iYIpkJynEPb
onJ12qvtlJ6b6g1h3AThYXQBjTQ89X+rlFzVGQsieqanjI+fiSNbDarOLQUbeJOr
kfFukr34o5xloKENL/kwu1lDG/Y2GMxZRLe1aVJUXQg4FiEiaE+LNFbrUHxdNR2P
E4XuJHetneHEiT/zXpvEF4MCisjJTGAHEC43rl7OqHU/GDdcW0udyf9v33LCFWTR
LlgKKHVyUrHVhVzbB2z1+xnxxh/bQXjgttIP3Zqn8LXiLnUNU5+ejJiuAwdwcn8A
EQEAAYkBNgQYAQoAIBYhBGbQOH24XTIPhAgWbbF1z6mPGSryBQJdq+FiAhsMAAoJ
ELF1z6mPGSry9/UH/0vOoYu6b57UxsJNR5dCMhsPYV7FFIX9uj5XIDo/bQt2RTMa
2PuKMbcDGINsDqHXqOFpZq5WDHhq0cEoIqhlkgj1uC77LLGw7mWyiaMbITQDlRzP
9c9Qj3NkGNKW6FTwR7LPh43kgXygO1StVADIdHapiw9hI52rF8FrNYy4oNRXhUcD
Pfn03akuIbF75saCHaYO/xoQeEqE+0qV82V/FT5tISMygkzgq+9zUhiA4XQjxiVh
SK2cAi0iUTXZecyEueLk6zZ9vkD8JZagSirTFgxtLrnhVpUBJMOgffv5jmO/Sun4
s+3JbAdicmsFqw90hWmGNwa0F5HZ20rEVAwkdt25AQ0EXavgpgEIAOk8dMgYu4Q7
hU461EC/MtxIiwSD8i7lizUB8SzxFPnyWgkvG2Fik5lUiDJmEstLdCm3dpapiJud
zcTgl9Abo4xgoq+VbKRCPk0017JE2bNSbF3TmxhaHAHiBvhU/U+kRz+lDnUE1Smh
zGd1yn1kCvmG9MmWjiQPkG9vLx3d46DBnqHO6wn1AFeKiKuyCs1igvtT2qz+2+iz
Y9tyd+s2O95+1CDQslqQ8IQNP00cFTJljsk3dmZXQb6SkxxTNG+E/2vMdUZhUbb7
UIFUOmFekZvGZMIf9sNMJGCVIN+vyMMhE1MA17iJGxtAFVqeMN4wA9+MA4z5udke
gdbxnWxLtg0AEQEAAYkCbAQYAQoAIBYhBGbQOH24XTIPhAgWbbF1z6mPGSryBQJd
q+CmAhsCAUAJELF1z6mPGSrywHQgBBkBCgAdFiEEqb0/8XByttt4D8+UNXDaFycK
ziQFAl2r4KYACgkQNXDaFycKziT2fAf+PgS08m9Uiks9LWAp9BpaiVn0SXx/XYhT
JmRr78UrCHogZstAET2haLqWwMIoyOpie5Vutxi2WXQtzsJ1BHV9LB/NP3nFT/P9
asZXzFtBBRQsDwxW5ii20hkHKG10M2+QGiC0ssfi1zjQFKbaOpxvou5Pi+zBQuT1
RQ65NQrFYQI4zdyLbnniX2EZpDipLFJeGs881HQt7RjwSUtAjXW9M/pQQDp/JWEj
p6D3R4ys0/Y4cJblCci5rM8Un/aVvXYGBqEpsddhH9xGpk0JTWtGAfw1a0ovRv39
D1uwG8uXTQiUDTGGlllXhzpLkcJBtT8VeogiAGZC99pbNW5BU8cbFyOHB/9Q/HBm
Iqmj5MYvQZCQ//cf9Af9gc+o2YA4/Kg2pSf9GKZizd3J8NO05O6YSsXqIsBr2lIG
jw4klkE7GyRd/KVMQOxrFY9vFcdSxQuklnFUeiH73RFP3nsdzw+MRr4Hcpbm9F0f
CnB6aU1gqf74e/6Qiv6d2pq7Dzyzx7ZCm8BRLT2HZbFeYQ6GsdOIYgWzWXqurk/6
8rlE1D7Fo9KK9lmrLOwrr7ez1pOLHA8pPDhZhxI5D3ZhDsLUux3caCUfFdP/VpaJ
ijGNc1HYt8mk4U1Qb6ZlafTYb75F9d61v8/M/HATZ5KpT9gr0aGkfwptzCwlBJ8y
pcRI9AuUUDCTAXIGuQENBE+oKZQBCADc9sYSnWAj3y6QE9sGNDUFaKpAFUsprpQ8
LeA05nh3RUxYDd75qc0ewtGR1+SlgpehKQfSXVQT254jM5lJanNDPYffk9k9lMwg
SVoTP2QaszfDgir7WKKQuj3dBwnmYHdIY2mq+eaAh/1cCU//ggdaATo4ENQhKTAI
iuviGKBpYX/zHAlPIvyFjERsBmq0woQKvDGsoQEObx1zu1GaTWeTSIEnHyRhajMQ
rKUAxSCh9Th2Vj6xOhvx9TK6li+ecxYuuBVP0Xllg1GdoQBC8KWITDOrU18suj1v
EGK4YOzQQPxANs6I81SvVddd2bh71cyAjhHr1kugw3PWQvLe4yHHABEBAAGJAR8E
GAECAAkFAk+oKZQCGwwACgkQsXXPqY8ZKvJrVAgAi7CVXJt8mZiN+yzwiZVlzrkR
QduB2cgvGZD6Hm3MJc1aVA3Gh0tJcLo+SdutCOzKSmPRSsnWT19EKxpDMrc9j97P
i9SDrGyUOx7Bz8gKjTI6BcfPNAhAyIr5Gr9SDyTx6tUduSmmErrvjYWP1/Jz7spI
nN2wQd5ZVRSvS/rNZGh1NU31oeWlbpkU0JpGbZkMXv4JIy+1caH5zzrcRMC9JFxf
m/bYdaq+jHhMufnSy0Qa3QgJkKvzxzvlIG9BaUmuNeR+XoA9ISEMQzAYXqxJQSL2
8Er9IVaNgtz5mqCMf8vuDTPGpkYyqGnOjtQNF695wiA7CAr3/WTeiEl6kKsBFg==
=/+gu
-----END PGP PUBLIC KEY BLOCK-----
Alejandro Colomar <alx@kernel.org>
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGI/tA8BEACYC5fPDOMDrT8SxNlsB9fRj9YAZt7okGtbCIlVuSPs81YMkeJm
BxtPPnps5Vw2whZS13zaoyPykMg6k+komDWctWQKIF0VgpVYtIuezq4q8kMNmKLc
MnHiZRKRh8dOqlK6jHcUlF8rBgQhk+RUBUPOqFEYeTveoZ9qqVmWhOVce5uUX01k
iU2SjoGAGkNDBqmOkhhVUSQg/AVcc4web6Gu184VUbOXx7J5MPpRmXE610fAUeeJ
1VzyB8U/hgPLrbZX3jQMJbcCSM+Qdxdr/gsptfx1XIm4NsvKXTUOpWg1DQFiQYTJ
FN6Kz0NKN6MV/3AqbKGtWDqKhFt3u3a7T+uUP/qzi9jma+DruQuzQztI6xnthZCb
RjFkQ/iUUtuGgmpOB14HrgwNaRjKWddzab+A7BL971Q3fFqDsvrntD+koYVUgTfq
ErcQo9ZdGRAUL5icyyDg4cC6xgjdmYfnX1s4Rlo3cXJXTZpIOx5AvZV6HYNNm9pu
EoPm5gjNtk4F+FENNjkB3c2ntFr2prpoxaN9ceNd8a1tkWAgh6ueFVA/tkd1hy+2
bP7e5+Nk9NjsWLvnL2slep1cX38DU9hx91t21+x/8hCxN4gqtvDJY/eqUZ2d0uAR
KhPEDZ8GzchxVtX9bGx1HSAVcdnkSzKIGFOJi3ivYqUEihXd5WQE57UovQARAQAB
tCJBbGVqYW5kcm8gQ29sb21hciA8YWx4QGtlcm5lbC5vcmc+iQJOBBMBCgA4FiEE
qTSFlM4xKDqCb73Y1XYz1EHiW7UFAmNDAAYCGwEFCwkIBwIGFQoJCAsCBBYCAwEC
HgECF4AACgkQ1XYz1EHiW7Vm4g/+NDfrYWHAHSMBkQnTZdhrOFCR1tJsWTLABwe1
fMLBW7djLZMZweDMU76UBrucAEsarKkIHyhqpBES5EXwmlvKSnEhzPjXZ+PoHmM0
M8Lq7QFZ5IEbrhuJbvpfTCa0gleHKIVYCCeaf2AUpgwX1XMkG2mmRdvUDQ2M8NMH
ljM/OZ+6tBGpw7zvx1kYsSfBerlHxmLXlRxHrr9nWi7zXa+HrHZQAhopuufIb1we
8lI/gdfywq7s/e5Xelk4dnr/pEFx56G1vh0bc+zU36+C9gX5IXOJv2WrTmOfG3Am
gaJgWZapJQlPFEByk+2oJf5UOgPRhdX7qLR8mVnQ4EHM1sr9B6UGwcySZpVwag9n
51WhjgdqYoSPt9dpPSNfNavLJDR+paM0aEHi3/t3mGJSyOPM4E6ejrYk7791fOJF
0J3VhKr9KR1rMxQpE1kMs7qO1uUJvnF+opzrueMELffwTfDDyvY1bV/ZNou/MPi4
EbUJyZDvsq2shaKj/NB4nzYJIoGbUzUrz008buTagf+WZ+uTDIdOJbaVPcUUjtzr
21KifSWxcokNhqSIrsCLzCJkbiKEK7nUoOvl9q3Wl9L5CWAOflr5499iyGqxlJ+E
7xzerWy1ZqgQHJ3Zp0wVMgHTKvPsmDvwaXBvEZkrUQ4PnInWTNJ2yiNxJU/we7Xx
kxo4Qk20MUFsZWphbmRybyBDb2xvbWFyIEFuZHJlcyA8YWx4Lm1hbnBhZ2VzQGdt
YWlsLmNvbT6JAk4EEwEKADgWIQSpNIWUzjEoOoJvvdjVdjPUQeJbtQUCYj+0DwIb
AQULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRDVdjPUQeJbtTdsD/97XSXo3Dqb
eaAWhjreKTwO9sPh9n79tS5CZMne44jvC7OCNGeFYq/MGyk0aDPcfN27dO4YSJXN
d82t2K5vC85W5+tbnREN+OTNy8b6U4XxpeQhHP7jr5xeQt0aTkUH3Eo+0mzUq4fS
hxMMch4FuDvMcohkOQs6LMKyvNo0jXAM3nE6nJeRipBjG5d8KKlx9dqmS5Zee9FA
YayikSFp77aSGIvWFejTS3YDaN/APotN1SheEWHtGRY1zvbPbGKJKMy/k8O0b0TJ
gGGe0RzFmPaQSCc/ZlpG2jk5BrnnspCDTq1I/2zcpgdwcR3/3Iuw2VAlOU48w7Qs
fZecvYw+8zlrsJlB/NNU6s1YzeTi37jo43aqgyw4E7iev18f14W2ZQuIQY36hUmf
4z49hAliWcoq7SZL6tsdmeQPjYWJb1lxds8s+iEH1PUsGObWUkjy1iIfJ+gXCe8E
uKZKPGY7RWwYoSBliCVVXfgmD2XQja9i3pjRiJ6S7sYjZnugNwFaVbeptHE8NL4J
Y3eRJpZdGizW58zTfxhvU/AjjDMhqqshW8ZSbAIRI05eGxzwk82qGq+cUVxsBeU8
7i9DbqNOF50cYyltYVVJ9qPAxO+5sBtW6rq+yxkLArjTlpIRJsrXSiFJFqAp7FkC
pUx66xvV8LgAVMKeD2o+Ae8mCTmYJfiCabkCDQRj2/4qARAAw4VXqcdlHsnCDqcC
x5U+nHDOMsyEqG7F8mivt9covXkGUGoLI3ZlGU/5EoRwQB91uHJMU9zJwumQ4tLs
szhOB/CNBSDZ4XTCcEej+dhQounRIdbY+DcXn4dVdx/mYCFPVb7OtUe68m6vyiai
2KG288QbjnkzNA222caPQNDy6NsIGh8V5WDKCa7Jk0Zti+tTdi+vhkFjk7+brh5I
qzahfuk/uVDWBUVT3OiNRywtouTBdfT33JhQyRqSMty6gjkkYyxX0QD5r5EIVrtr
gre6aBWw3dy64pVs9nxVBhVCH4h6PwReXFB4kfjgw82Q1/DkF/ZMsH8bPPtvjI1N
Yz+TMaLcUQX7fWlW7YbQSXSwF4mUSMYgdOZ8CTNQjKmpnpVhHYuL67cG26ev/+T4
OrcT103j/InLipKvYUC3HwFMbq2P/9edqf85d/Nl1KMdByJ3qVVFMuXjiJr0uf1K
oc7nfP3mqkPUHEdjsHnQnpNWZPBr5xs8iNtGmgltnJE2jacXFqtvJ6M9ugrMauoK
s5sNMhqvf/zyZiLWkcZ8bWi6cGl/JD1RS66ViFFmVeg5xpVgspUAsADCZLneTCAW
46DJ2Esq92afIVSz/AUtVjLUJyZIOBaVzY2JXR9s5/ePJAd4T42cg1Kdrdsi0dPY
MOwPjQBpiuetA4dCWeL5qucnSAUAEQEAAYkCPAQYAQoAJhYhBKk0hZTOMSg6gm+9
2NV2M9RB4lu1BQJj2/4qAhsMBQkB4TOAAAoJENV2M9RB4lu17J0P/3LN+ueOR4q4
G5KOnLA5+u1y84d0LI16Z43iAm2NyAWCNkvjGj3RqQD8ZwFmckulf05mhvLOcwxE
i8aAnEcsK4YfsGjgQRDJIChPnZCfssCkFVjfTyEcMgI4sr8hBjbp+ULL4LOnHu4B
LjWjeWc48dtVQ7qcetVw7u9ZABfRBPxVBgY8Idxv1qVOQE13P2sPzbYKsFz+2mH5
54VnMO64zqCbecxgV4NRFcTeNUaDgl6D7zNlNmh4j6c7sKjoEzYIVizApM4xMtOB
syL4fGXRcNtenuBDc/1/PeHdDhqGGlZds1RmTLJm+gCzVio4z5EXPJMKjAVBHapM
NMl4TiTay6gMG6QJMwkgVmS2F28wxj9KztkdnC+2YWJdWDeM07Le231X2hnRQE/D
epN4MouHofOB3I3WY+sSR2KUik9WceL+ICIvUisCNk3GvXVg6hYXIukN8ZR4Sf3A
rRPpePofDK0vZeWIGt6ZksVY9A3GQc0cMagqgCTK0gUxeDk/tPH8xyz/VvRZPGaC
GlzeSQ1giSwgNXX1FDfnGOdn/rJh/aoDl1PzTBjyZcZ15s9HSPA6h36TMgCrSCai
kWjbk8mOJhIhTbxclyI9JLu2AeKu+zP41Gi0AEEGkhFKZ9cG6cGG7AuSsiZ3OqOu
sym/ZKz1uuXGo1iJJgkZ2yiq3ox7KHMZuQINBGI/t3UBEACr9ldxakkNdKp/Pc8+
fRznR/+b29CfQWjOEv2njByhQa5CU18jMT6DIOokv2vU7xwaNJviBouaKWAIe5iy
a3BWHhRpk6e2WnST/X3Zxmm8NjBZAMVl1JXS/vDEDhUu76y/Z82YcHZi52fRXRr3
jwza/jGFyjLwem04G/CrS+tUHiWd3cbeh09LlQ/zN7cO8oOoYZWyoX0GNtXbUovy
ssdUt1RODrSVde+8ec7AQm8fg7mRt3HCXhjwrdLxvqVRgG3wYCR3TnzL+rGuhYxa
TEmbcjPLrKqSfZatsmVir1JJ2Cn8O9Ns5ROsqnulYa0foTo4LDwgqR82uel8mEaZ
EQh4B7ob8mvqPLKBHbQXVeRTxuqLdyd3W/2yu5nIUi7kA6CIm5mdK8MT6CiHqYYx
QD33HTN4OtFqrf3TbyjBG5wlzCD2mSrGB52FYgrkfSiKXBOxiqoFo++SpK1wSuHN
a2ge1hkIdlE8wEPDBDSRqPta8t8ZazNPuc5tR6g0B/JUTIa6r8bDk5NgNj8jrGqv
MvTWl+txcQ5uYo5OlvdiwHy2/YzEDhWcb1ls0faQQHn2CYFr6S9Ad9dOsMJZ2E29
K4v/apGnGEjLqqqXWfIxPBq01bZY1pQI8fy+PJkp8IHZfQ2RrmUFaSOufLOgQE7c
w8j/SxlSdbFrBZA7cMfGLPLT0QARAQABiQRsBBgBCgAgFiEEqTSFlM4xKDqCb73Y
1XYz1EHiW7UFAmI/t3UCGwICQAkQ1XYz1EHiW7XBdCAEGQEKAB0WIQTqOofwpOug
MORd8kCejBr7vv/bMgUCYj+3dQAKCRCejBr7vv/bMkq3D/48Y7jLfIB5jY9dzVCm
ikbuexOAb0YDSZQS3Pt6GnPryIm1gLaRt0jw8HWVI80bMRvTKvJ7D7+kc6GCLK90
MjxMBdlL/BfBFj8jNuVeaNfI7dTbon0kri56bMI3Ad/G7jryRcnPrRZo/nzGKcMD
WxV3tgZkamh0pHYWjSttt0fr8t2qXzK74XO3PnU1RkGY1QAlMa89FJXUyW+veFpy
AJWNW9zYVatjPKPyMLr8I7t9KLjviJBBWwE2fbXgvT58IqhqADKt+YJdXlNiD1Mn
ZaBbbBCO7Mn+aG+yAJBJKPqmjoN1dOXy1FtuNrHHnTYIHyoRD/IR1DtEwlIYHlhZ
+8uy2rXPMA/I8hSCxFgMEJaY8IzfP49sPvwFMfGgnEFk7jmTAczP7rwSeDuvRnWQ
ztJqu9PQp3Wmek/ea7WV93rBmI6Vipl8P69m3CzQErnuIZUutsjP0BaiU+hENoXu
ZmlV0MtnNix0j28sTIe49vtb5UTVRJjIwwI1BDGtM4Ukij9tNkDkntrTkpBE3MFk
9SYi8aAN99kBCNmkwRdY0opwNhGFJwBEwycv7I7d7s/Y79ZSuZBrjB6nB5gU+Xh1
tDdQZxzHLctnZ2cAjE8BcU2wrgZghWiRZ7YlI0bozXl6/VJaAVhZU7f6ebklXSYF
JwTrCwam8VbcgoiukMsdv831NmkPD/4sjSJfoqdE4kGHHX/S/N/Q8LiflefYivLX
X/WtGyRguuYH+8YDqGaCGco8IKmlRDhaME1achjMp/O808B2rxogpsLWu08AF4PJ
97w01RfjBr8aA5qvZXnCfAnmpRzQjDrjIuNOle834dXvOAANugR22dBbjv7MRtOp
Xn1whyAEJIwBeAgKe+p1zwWyQNv2Gq+9C0IQ2w4uJsodjNi6YzFnTvm3HulnNr4s
L+x/i+24iuz0Gf2KbGiR2FtCyKIek0N2NAhPquoI7L0HEP2FKh3OeEH0aCdFcZf/
Dw19fjqEROaJhVvSgTvXIVh3dnB4e7qlYsMSNQxqCcKQD4D79kjFrOygySU+6xMp
vUQvOiF46MrPx8KtfiuPTuEji0Y0F9qz1u5vqwelsg5vpoa12h9qSdX/uWKbRqqQ
x5gHERLoTXT7aMKYuDU3UAMxEEEOaXnOtWNlr3n4H7zMrZ3qvkTRRmGiH8iGkSFn
w2WO3rr/flfIQAJLSUH5lTmR4j/XBNtOGSAWKaRU3N5cX2zHcS5YxkaBx3u4Ew+D
qnBNL6oazpe1iaIoxsyC8MOFyoWHmv/ivv7FbpkWFHgN+R2nenIMiHuHQd/62/RC
PVEoGmaL+XCfSpmstYz9phejRW7LacBt4BMCV7ghqD6vYCR0QBoENp0V5mKyXQ6P
R2OsYRFGG7kCDQRiP7s5ARAAktZGlZIjclF0dkQxIpJ2cQ0FOEgzzG0hZzIfHzLW
T7HvuY0XHWAI64yZbDSdHkKTSKbVnrToCayBDu0oISa3gZh+cd5a+Igf4NsIkGNR
askGnmZYUM+RP1PzKPlVqdPIcXedZvTermRHIyO73f3p5kw+vDryGyubrt2n2IFb
J7SopNed2kXIs5dyk89mvJ+muPCDD5wYHbdXfpEH+KznROMHOVHzwfHYQ++finuw
2cjdJbAyZz6QSopAQeg46UEAk/aTGuI3cEFIzDq6cpqS8fvpbHGL5Oi657t2i1TL
zUCo/4FK027ZLkTXpcB8hbmKFWhfWueDx3aRNvbloJn7kq97RhnE3tgewi+syJsK
CrOlHc1rD8/JNL9lcr2yuSTmwY80QDVNU3U2ZeqLdxx47O31zR5VCpGu09Ro57bJ
j5YaMukwmYLiPwTExkTqqryf7QsLq47Tgd+0YnUyq79XEv067ow+FCxbIoSNlQWB
W2LbNi3JeNPCM0pWdgFuiQE2KFH0s4qulKxEbEtwpVXOH9fmUN23VkI1TnarfRlG
XgSdOISRbXa0O9Ta85BF/NtoBXRU4CtDdcmT7343PjRPbAF1ixU+KOhDDuaDBUV5
iD6BXqyHyL6rciYvqHQwmg2ztdFmTewapV112Vv2wpqvbyrzszTtMw8c92Y7Kfge
fY8AEQEAAYkCPAQYAQoAJhYhBKk0hZTOMSg6gm+92NV2M9RB4lu1BQJiP7s5AhsM
BQkB4TOAAAoJENV2M9RB4lu1mAsP/R/4E68Rt7oUI/30eTuiRb9C/Zx6EaZVIJBw
G2cwKB9GkU4vGR2PU1f25vym92fywSP9OavWyDeVqtN8Ar4U4CbD/L9f2JgZMTXr
HFgxU94uywKOxhLEL8ylgaU89l6af1BynBn3YU/mLQyMHAMTs0uaifjAedeNJq08
XWP3bVdxRywj/rqAf52KA9Y/C59mCfx4vmYu2r2jbwCCVWOsL5sgWyThyGKuNv1A
7+k0JYJlsJ8aro9sS0fjscvoyxajDX2u0Mq/dTbjFWiJQbdT2mWMgiOHxpGDGst9
NH5+JbYZGV/TfeJFDIAW/Pw3gktKt40IP2t6y5vjyUCHEEn2E6pfnr1XmY6EOae5
hPYJQNUbJw98RdpPPY3l4FY49M312v6dphAj2kBmMv7mbyLrIZoTsHw5Q++ig83V
i/I1u4tTvZomFn2po3MO3+QL0FTqzwPjiTyUmSO4rMi5EZiLJF5ITSaESFXNGQb4
UBTuXYgKXY4spWeYpSB2qREhrkXgXrDWEJBwIBJW4ppPI4hRhefGV6wHTRxF24No
iVPz4ABaTQFkvZbpyTT+DT0CL8tHMwF7Tq3wFQ4Rr82LBS/fWxgzeyYTgZwXXUFY
YqM7OXwJKVjlgC2B+OEwgXcdRxB4y5asd//D9wVeD0pfiWk+Ohmi/YF9WmFgmrWe
vK53nZUH
=V1ID
-----END PGP PUBLIC KEY BLOCK-----
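Review bot: The two armored blocks cannot be checked by reading them, and the section records only names and addresses (Serge Hallyn, Alejandro Colomar), not the full fingerprints of the primary keys or where the keys were fetched from. Recording each primary key's full fingerprint and its source in the commit message or the changes file would let a reviewer confirm these are the upstream release keys before signatures made with them are trusted.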

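--- a/shadow.service
+++ b/shadow.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=Verify integrity of password and group files
+[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=read-only
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
+Type=oneshot
+ExecStart=/usr/sbin/pwck -r
+ExecStart=/usr/sbin/grpck -r
+Nice=19
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7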
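Review bot: With `Type=oneshot`, systemd runs the two `ExecStart=` lines in order and stops at the first one that exits non-zero, so a run in which `pwck -r` reports a bad entry never reaches `grpck -r` and the group files go unchecked. Giving each checker its own unit keeps one finding from hiding the other. The sandboxing block could probably also take `NoNewPrivileges=true` and `PrivateNetwork=true`, since both commands are run read-only against local files; that should be confirmed on a system whose accounts come from a network name service.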

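--- a/shadow.spec
+++ b/shadow.spec
@@ -0,0 +1,388 @@
+#
+# spec file for package shadow
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+%if ! %{defined _distconfdir}
+%define _distconfdir %{_sysconfdir}
+%else
+%define no_config 1
+%endif
+Name: shadow
+Version: 4.15.1
+Release: 0
+Summary: Utilities to Manage User and Group Accounts
+License: BSD-3-Clause AND GPL-2.0-or-later
+Group: System/Base
+URL: https://github.com/shadow-maint/shadow
+Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
+Source1: pamd.tar.bz2
+Source2: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc
+Source3: %{name}.keyring
+Source4: shadow.service
+Source5: shadow.timer
+# SOURCE-FEATURE-SUSE shadow-login_defs-check.sh sbrabec@suse.com -- Supplementary script that verifies coverage of variables in shadow-login_defs-unused-by-pam.patch and other patches.
+Source40: shadow-login_defs-check.sh
+# PATCH-FIX-SUSE shadow-login_defs-unused-by-pam.patch kukuk@suse.com -- Remove variables that have no use with PAM.
+Patch0: shadow-login_defs-unused-by-pam.patch
+# PATCH-FEATURE-SUSE useradd-default.patch kukuk@suse.com -- Change useradd defaults group to 1000.
+Patch1: useradd-default.patch
+# PATCH-FEATURE-SUSE shadow-util-linux.patch sbrabec@suse.com -- Add support for util-linux specific variables, delete shadow login, su runuser specific.
+Patch2: shadow-util-linux.patch
+# PATCH-FEATURE-SUSE shadow-login_defs-comments.patch kukuk@suse.com -- Adjust login.defs comments.
+Patch3: shadow-login_defs-comments.patch
+# PATCH-FEATURE-SUSE shadow-login_defs-suse.patch kukuk@suse.com -- Customize login.defs.
+Patch4: shadow-login_defs-suse.patch
+# PATCH-FIX-SUSE disable_new_audit_function.patch adam.majer@suse.de -- Disable newer libaudit functionality for older distributions.
+Patch5: disable_new_audit_function.patch
+BuildRequires: audit-devel > 2.3
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: libacl-devel
+BuildRequires: libattr-devel
+BuildRequires: libselinux-devel
+BuildRequires: libsemanage-devel
+BuildRequires: libtool
+BuildRequires: pam-devel
+BuildRequires: xz
+# we depend on libbsd or glibc >= 2.38 for the strlcpy() (and readpassphrase()) functions
+BuildRequires: glibc-devel >= 2.38
+Requires: login_defs >= %{version}
+Requires(pre): group(root)
+Requires(pre): group(shadow)
+Requires(pre): permissions
+Requires(pre): user(root)
+Provides: pwdutils = 3.2.20
+Obsoletes: pwdutils <= 3.2.19
+Provides: useradd_or_adduser_dep
+BuildRequires: libeconf-devel
+%description
+This package includes the necessary programs for converting plain
+password files to the shadow password format and to manage user and
+group accounts.
+%package -n login_defs
+Summary: The login.defs configuration file
+# Virtual provides for supported variables in login.defs.
+# It prevents references to unknown variables.
+# Upgrade them only if shadow-util-linux.patch or
+# encryption_method_nis.patch has to be ported!
+# Call shadow-login_defs-check.sh before!
+Group: System/Base
+Provides: login_defs-support-for-pam = 1.5.2
+Provides: login_defs-support-for-util-linux = 2.37
+BuildArch: noarch
+%description -n login_defs
+This package contains the default login.defs configuration file
+as used by util-linux, pam and shadow.
+%package -n libsubid4
+Summary: A library to manage subordinate uid and gid ranges
+Group: System/Base
+%description -n libsubid4
+Utility library that provides a way to manage subid ranges.
+%package -n libsubid-devel
+Summary: Development files for libsubid4
+Group: System/Base
+Requires: libsubid4 = %{version}
+%description -n libsubid-devel
+Development files for libsubid4.
+%prep
+%setup -q -a 1
+%patch -P 0
+%patch -P 1
+%patch -P 2
+%patch -P 3
+%patch -P 4
+%if 0%{?suse_version} < 1330
+%patch -P 5 -p1
+%endif
+iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
+mv -v doc/HOWTO.utf8 doc/HOWTO
+%build
+export CFLAGS="%{optflags} -fpie"
+export LDFLAGS="-pie"
+autoreconf -fvi
+%configure \
+--enable-shadowgrp \
+--enable-account-tools-setuid \
+--with-audit \
+--with-libpam \
+--with-sha-crypt \
+--with-acl \
+--with-attr \
+--with-nscd \
+--with-selinux \
+--without-libcrack \
+--without-libbsd \
+--with-group-name-max-length=32 \
+--enable-vendordir=%{_distconfdir}
+%make_build
+# --disable-shared \ currently doesn't build with this. See https://github.com/shadow-maint/shadow/issues/336
+%install
+%make_install gnulocaledir=%{buildroot}/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs
+# Separate call to install man pages. See https://github.com/shadow-maint/shadow/issues/389
+%make_install -C man install-man
+install -Dm644 %{SOURCE4} %{buildroot}%{_unitdir}/shadow.service
+install -Dm644 %{SOURCE5} %{buildroot}%{_unitdir}/shadow.timer
+# add empty /etc/sub{u,g}id files
+touch %{buildroot}/%{_sysconfdir}/subuid
+touch %{buildroot}/%{_sysconfdir}/subgid
+# Remove binaries we don't use.
+rm %{buildroot}/%{_bindir}/groups
+rm %{buildroot}/%{_mandir}/man1/groups.*
+rm %{buildroot}/%{_mandir}/*/man1/groups.*
+rm %{buildroot}/%{_sbindir}/grpconv
+rm %{buildroot}/%{_mandir}/man8/grpconv.*
+rm %{buildroot}/%{_mandir}/*/man8/grpconv.*
+rm %{buildroot}/%{_sbindir}/grpunconv
+rm %{buildroot}/%{_mandir}/man8/grpunconv.*
+rm %{buildroot}/%{_mandir}/*/man8/grpunconv.*
+rm %{buildroot}/%{_sbindir}/groupmems
+rm %{buildroot}/%{_mandir}/man8/groupmems.*
+rm %{buildroot}/%{_mandir}/*/man8/groupmems.*
+rm %{buildroot}%{_sysconfdir}/pam.d/groupmems
+rm %{buildroot}/%{_bindir}/login
+rm %{buildroot}/%{_mandir}/man1/login.*
+rm %{buildroot}/%{_mandir}/*/man1/login.*
+rm %{buildroot}%{_sysconfdir}/pam.d/login
+rm %{buildroot}/%{_bindir}/su
+rm %{buildroot}/%{_mandir}/man1/su.*
+rm %{buildroot}/%{_mandir}/*/man1/su.*
+rm %{buildroot}/%{_mandir}/man5/suauth.*
+rm %{buildroot}/%{_mandir}/*/man5/suauth.*
+rm %{buildroot}%{_sysconfdir}/pam.d/su
+rm %{buildroot}/%{_bindir}/faillog
+rm %{buildroot}/%{_mandir}/man5/faillog.*
+rm %{buildroot}/%{_mandir}/*/man5/faillog.*
+rm %{buildroot}/%{_mandir}/man8/faillog.*
+rm %{buildroot}/%{_mandir}/*/man8/faillog.*
+rm %{buildroot}/%{_sbindir}/logoutd
+rm %{buildroot}/%{_mandir}/man8/logoutd.*
+rm %{buildroot}/%{_mandir}/*/man8/logoutd.*
+rm %{buildroot}/%{_sbindir}/nologin
+rm %{buildroot}/%{_mandir}/man8/nologin.*
+rm %{buildroot}/%{_mandir}/*/man8/nologin.*
+rm %{buildroot}/%{_sbindir}/chgpasswd
+rm %{buildroot}/%{_mandir}/man8/chgpasswd.*
+rm %{buildroot}/%{_mandir}/*/man8/chgpasswd.*
+rm %{buildroot}%{_sysconfdir}/pam.d/chgpasswd
+rm %{buildroot}/%{_mandir}/man3/getspnam.*
+rm %{buildroot}/%{_mandir}/*/man3/getspnam.*
+rm %{buildroot}/%{_mandir}/man5/gshadow.5*
+rm %{buildroot}/%{_mandir}/*/man5/gshadow.5*
+rm %{buildroot}/%{_mandir}/man5/passwd.5*
+rm %{buildroot}/%{_mandir}/*/man5/passwd.5*
+rm -rf %{buildroot}%{_mandir}/{??,??_??}
+rm %{buildroot}/%{_libdir}/libsubid.{la,a}
+# Move /etc to /usr/etc
+if [ ! -d %{buildroot}%{_distconfdir} ]; then
+mkdir -p %{buildroot}%{_distconfdir}
+mkdir -p %{buildroot}%{_pam_vendordir}
+mv %{buildroot}%{_sysconfdir}/login.defs %{buildroot}%{_distconfdir}
+mv %{buildroot}%{_sysconfdir}/pam.d/* %{buildroot}%{_pam_vendordir}/
+fi
+mkdir -p %{buildroot}%{_sysconfdir}/login.defs.d
+%find_lang shadow
+%pre
+%service_add_pre shadow.service shadow.timer
+for i in pam.d/chage pam.d/chfn pam.d/chpasswd pam.d/chsh pam.d/groupadd pam.d/groupdel pam.d/groupmod pam.d/newusers pam.d/passwd pam.d/useradd pam.d/userdel pam.d/usermod; do
+test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
+done
+%pre -n login_defs
+test -f %{_sysconfdir}/login.defs.rpmsave && mv -v %{_sysconfdir}/login.defs.rpmsave %{_sysconfdir}/login.defs.rpmsave.old ||:
+%post
+%set_permissions %{_bindir}/chage
+%set_permissions %{_bindir}/chfn
+%set_permissions %{_bindir}/chsh
+%set_permissions %{_bindir}/expiry
+%set_permissions %{_bindir}/gpasswd
+%set_permissions %{_bindir}/newgrp
+%set_permissions %{_bindir}/passwd
+%set_permissions %{_bindir}/newgidmap
+%set_permissions %{_bindir}/newuidmap
+%service_add_post shadow.service shadow.timer
+%verifyscript
+%verify_permissions %{_bindir}/chage
+%verify_permissions %{_bindir}/chfn
+%verify_permissions %{_bindir}/chsh
+%verify_permissions %{_bindir}/expiry
+%verify_permissions %{_bindir}/gpasswd
+%verify_permissions %{_bindir}/newgrp
+%verify_permissions %{_bindir}/passwd
+%verify_permissions %{_bindir}/newgidmap
+%verify_permissions %{_bindir}/newuidmap
+%preun
+%service_del_preun shadow.service shadow.timer
+%postun
+%service_del_postun shadow.service shadow.timer
+%posttrans
+%if %{defined no_config}
+# Migration to /usr/etc
+for i in pam.d/chage pam.d/chfn pam.d/chpasswd pam.d/chsh pam.d/groupadd pam.d/groupdel pam.d/groupmod pam.d/newusers pam.d/passwd pam.d/useradd pam.d/userdel pam.d/usermod; do
+test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
+done
+%endif
+%posttrans -n login_defs
+# rpmsave file can be created by
+# - change of owning package (SLE15 SP2->SP3, Leap 15.2->15.3)
+# - Migration to /usr/etc (after SLE15 and Leap 15)
+test -f %{_sysconfdir}/login.defs.rpmsave && mv -v %{_sysconfdir}/login.defs.rpmsave %{_sysconfdir}/login.defs ||:
+%post -n libsubid4 -p /sbin/ldconfig
+%postun -n libsubid4 -p /sbin/ldconfig
+%files -f shadow.lang
+%license COPYING
+%doc NEWS doc/HOWTO README
+%verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/subuid
+%verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/subgid
+%if %{defined no_config}
+%{_pam_vendordir}/chage
+%{_pam_vendordir}/chfn
+%{_pam_vendordir}/chsh
+%{_pam_vendordir}/passwd
+%{_pam_vendordir}/chpasswd
+%{_pam_vendordir}/groupadd
+%{_pam_vendordir}/groupdel
+%{_pam_vendordir}/groupmod
+%{_pam_vendordir}/newusers
+%{_pam_vendordir}/useradd
+%{_pam_vendordir}/userdel
+%{_pam_vendordir}/usermod
+%else
+%config %{_sysconfdir}/pam.d/chage
+%config %{_sysconfdir}/pam.d/chfn
+%config %{_sysconfdir}/pam.d/chsh
+%config %{_sysconfdir}/pam.d/passwd
+%config %{_sysconfdir}/pam.d/chpasswd
+%config %{_sysconfdir}/pam.d/groupadd
+%config %{_sysconfdir}/pam.d/groupdel
+%config %{_sysconfdir}/pam.d/groupmod
+%config %{_sysconfdir}/pam.d/newusers
+%config %{_sysconfdir}/pam.d/useradd
+%config %{_sysconfdir}/pam.d/userdel
+%config %{_sysconfdir}/pam.d/usermod
+%endif
+%verify(not mode) %attr(2755,root,shadow) %{_bindir}/chage
+%verify(not mode) %attr(4755,root,shadow) %{_bindir}/chfn
+%verify(not mode) %attr(4755,root,shadow) %{_bindir}/chsh
+%verify(not mode) %attr(4755,root,shadow) %{_bindir}/expiry
+%verify(not mode) %attr(4755,root,shadow) %{_bindir}/gpasswd
+%verify(not mode) %attr(4755,root,root) %{_bindir}/newgrp
+%verify(not mode) %attr(4755,root,shadow) %{_bindir}/passwd
+%verify(not mode) %attr(4755,root,shadow) %{_bindir}/newgidmap
+%verify(not mode) %attr(4755,root,shadow) %{_bindir}/newuidmap
+%{_bindir}/sg
+%{_bindir}/getsubids
+%attr(0755,root,root) %{_sbindir}/groupadd
+%attr(0755,root,root) %{_sbindir}/groupdel
+%attr(0755,root,root) %{_sbindir}/groupmod
+%{_sbindir}/grpck
+%{_sbindir}/pwck
+%attr(0755,root,root) %{_sbindir}/useradd
+%attr(0755,root,root) %{_sbindir}/userdel
+%attr(0755,root,root) %{_sbindir}/usermod
+%{_sbindir}/pwconv
+%{_sbindir}/pwunconv
+%attr(0755,root,root) %{_sbindir}/chpasswd
+%attr(0755,root,root) %{_sbindir}/newusers
+%{_sbindir}/vipw
+%{_sbindir}/vigr
+%{_mandir}/man1/chage.1%{?ext_man}
+%{_mandir}/man1/chfn.1%{?ext_man}
+%{_mandir}/man1/chsh.1%{?ext_man}
+%{_mandir}/man1/expiry.1%{?ext_man}
+%{_mandir}/man1/gpasswd.1%{?ext_man}
+%{_mandir}/man1/newgrp.1%{?ext_man}
+%{_mandir}/man1/passwd.1%{?ext_man}
+%{_mandir}/man1/sg.1%{?ext_man}
+%{_mandir}/man3/shadow.3%{?ext_man}
+%{_mandir}/man5/shadow.5%{?ext_man}
+%{_mandir}/man8/chpasswd.8%{?ext_man}
+%{_mandir}/man8/groupadd.8%{?ext_man}
+%{_mandir}/man8/groupdel.8%{?ext_man}
+%{_mandir}/man8/groupmod.8%{?ext_man}
+%{_mandir}/man8/grpck.8%{?ext_man}
+%{_mandir}/man8/newusers.8%{?ext_man}
+%{_mandir}/man8/pwck.8%{?ext_man}
+%{_mandir}/man8/pwconv.8%{?ext_man}
+%{_mandir}/man8/pwunconv.8%{?ext_man}
+%{_mandir}/man8/useradd.8%{?ext_man}
+%{_mandir}/man8/userdel.8%{?ext_man}
+%{_mandir}/man8/usermod.8%{?ext_man}
+%{_mandir}/man8/vigr.8%{?ext_man}
+%{_mandir}/man8/vipw.8%{?ext_man}
+%{_mandir}/man5/subuid.5%{?ext_man}
+%{_mandir}/man5/subgid.5%{?ext_man}
+%{_mandir}/man1/newgidmap.1%{?ext_man}
+%{_mandir}/man1/newuidmap.1%{?ext_man}
+%{_mandir}/man1/getsubids.1%{?ext_man}
+%{_unitdir}/*
+%files -n login_defs
+%dir %{_sysconfdir}/login.defs.d
+%if %{defined no_config}
+%attr(0644,root,root) %{_distconfdir}/login.defs
+%else
+%attr(0644,root,root) %config %{_sysconfdir}/login.defs
+%endif
+%{_mandir}/man5/login.defs.5%{?ext_man}
+%files -n libsubid4
+%{_libdir}/libsubid.so.*
+%files -n libsubid-devel
+%dir %{_includedir}/shadow
+%{_includedir}/shadow/subid.h
+%{_libdir}/libsubid.so
+%changelog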
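Review bot: Nothing in `%prep` checks `Source0` against the detached signature in `Source2` and the keys in `Source3`, so whether the tarball signature is verified depends on build tooling that this spec does not show. A comment beside those two `Source` lines naming the step that performs the check would make that dependency visible, for example `# Source2/Source3: signature of Source0 is verified by <verification step>`. If no such step exists in the build environment, the keyring and the `.asc` are shipped but never used.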

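--- a/shadow.timer
+++ b/shadow.timer
@@ -0,0 +1,7 @@
+[Unit]
+Description=Daily verification of password and group files
+[Timer]
+OnCalendar=daily
+AccuracySec=12h
+Persistent=true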
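Review bot: As shown, the timer has no `[Install]` section, so it cannot be enabled with `systemctl enable` or by a preset, and unless something else starts it the daily `pwck`/`grpck` run in shadow.service never fires. Adding `[Install]` followed by `WantedBy=timers.target` after the `[Timer]` block would make it enableable. `AccuracySec=12h` also lets the run drift by up to half a day, which is worth stating in a comment if the check is relied on for detection.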

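--- a/useradd-default.patch
+++ b/useradd-default.patch
@@ -0,0 +1,13 @@
+Index: src/useradd.c
+===================================================================
+--- src/useradd.c.orig
++++ src/useradd.c
+@@ -87,7 +87,7 @@ const char *Prog;
+/*
+* These defaults are used if there is no defaults file.
+*/
+-static gid_t def_group = 1000;
++static gid_t def_group = 100;
+static const char *def_groups = "";
+static const char *def_gname = "other";
+static const char *def_home = "/home";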
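Review bot: The new fallback `def_group = 100` puts every account created without a defaults file into one shared primary group, so group permission bits on those users' files apply across accounts, and the patch carries no comment saying which group GID 100 is expected to be on the target system. A comment above the line such as `/* GID 100: shared primary group on the target distribution; confirm it exists */` would record the intent. The description of this patch in shadow.spec says the default is changed "to 1000", which is the reverse of what the hunk does and should be corrected there.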