shadow-util-linux.patch

Add variables referred by util-linux login, runuser and su, but not by
shadow.

Delete variables used by shadow implementation of login, su and runuser
that has no use in util-linux implementation.

Index: etc/login.defs
===================================================================
--- etc/login.defs.orig
+++ etc/login.defs
@@ -1,5 +1,7 @@
 #
 # /etc/login.defs - Configuration control definitions for the shadow package.
+# Some variables are used by login(1), su(1) and runuser(1) from util-linux
+# package as well pam pam_unix(8) from pam package.
 #
 #	$Id$
 #
@@ -17,9 +19,8 @@ FAIL_DELAY		3
 LOG_UNKFAIL_ENAB	no
 
 #
-# Enable logging of successful logins
+# Enable "syslog" logging of  newgrp(1) and sg(1) activity.
 #
-LOG_OK_LOGINS		no
 
 #
 # Limit the highest user ID number for which the lastlog entries should
@@ -31,10 +32,9 @@ LOG_OK_LOGINS		no
 #LASTLOG_UID_MAX
 
 #
-# Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
-# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
+# Enable "syslog" logging of newgrp(1) and sg(1) activity - in addition
+# to sulog file logging.
 #
-SYSLOG_SU_ENAB		yes
 SYSLOG_SG_ENAB		yes
 
 #
@@ -58,6 +58,12 @@ MOTD_FILE	/etc/motd
 #MOTD_FILE	/etc/motd:/usr/lib/news/news-motd
 
 #
+# If set to "yes", login stops display content specified by MOTD_FILE after
+# the first accessible item in the list.
+#
+#MOTD_FIRSTONLY	no
+
+#
 # If defined, file which maps tty line to TERM environment parameter.
 # Each line of the file is in a format similar to "vt100  tty01".
 #
@@ -72,12 +78,33 @@ MOTD_FILE	/etc/motd
 HUSHLOGIN_FILE	.hushlogin
 #HUSHLOGIN_FILE	/etc/hushlogins
 
+# If this variable is set to "yes", hostname will be suppressed in the
+# login: prompt.
+#LOGIN_PLAIN_PROMPT	no
+
 #
 # *REQUIRED*  The default PATH settings, for superuser and normal users.
 #
 # (they are minimal, add the rest in the shell startup files)
-ENV_SUPATH	PATH=/sbin:/bin:/usr/sbin:/usr/bin
-ENV_PATH	PATH=/bin:/usr/bin
+#
+# ENV_PATH: The default PATH settings for non-root.
+#
+# ENV_ROOTPATH: The default PATH settings for root
+# (used by login, su and runuser).
+#
+# ENV_SUPATH is an ENV_ROOTPATH override for su and runuser
+# (and falback for login).
+#
+ENV_PATH	/bin:/usr/bin
+ENV_ROOTPATH	/sbin:/bin:/usr/sbin:/usr/bin
+#ENV_SUPATH	/sbin:/bin:/usr/sbin:/usr/bin
+
+# If this variable is set to "yes", su will always set path. every su
+# call will overwrite the PATH variable.
+#
+# Per default, only "su -" will set a new PATH.
+#
+ALWAYS_SET_PATH	no
 
 #
 # Terminal permissions
@@ -93,19 +120,6 @@ ENV_PATH	PATH=/bin:/usr/bin
 TTYGROUP	tty
 TTYPERM		0600
 
-#
-# Login configuration initializations:
-#
-#	ERASECHAR	Terminal ERASE character ('\010' = backspace).
-#	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
-#
-# The ERASECHAR and KILLCHAR are used only on System V machines.
-#
-# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
-#
-ERASECHAR	0177
-KILLCHAR	025
-
 # Default initial "umask" value used by login(1) on non-PAM enabled systems.
 # Default "umask" value for pam_umask(8) on PAM enabled systems.
 # UMASK is also used by useradd(8) and newusers(8) to set the mode for new
@@ -163,6 +177,12 @@ SUB_GID_COUNT		    65536
 LOGIN_RETRIES		5
 
 #
+# Tell login to only re-prompt for the password if authentication
+# failed, but the username is valid. The default value is no.
+#
+LOGIN_KEEP_USERNAME	no
+
+#
 # Max time in seconds for login(1)
 #
 LOGIN_TIMEOUT		60
@@ -285,14 +305,6 @@ USERGROUPS_ENAB yes
 #GRANT_AUX_GROUP_SUBIDS yes
 
 #
-# Prevents an empty password field to be interpreted as "no authentication
-# required".
-# Set to "yes" to prevent for all accounts
-# Set to "superuser" to prevent for UID 0 / root (default)
-# Set to "no" to not prevent for any account (dangerous, historical default)
-PREVENT_NO_AUTH superuser
-
-#
 # Select the HMAC cryptography algorithm.
 # Used in pam_timestamp module to calculate the keyed-hash message
 # authentication code.
@@ -301,3 +313,10 @@ PREVENT_NO_AUTH superuser
 # that are available in your system.
 #
 #HMAC_CRYPTO_ALGO SHA512
+
+# Forces login to protect the specified environment variables if -p is not
+# used. The string value is a comma-separated list of variable names. For
+# example: "LANG,LC_MESSAGES,LC_COLLATE".  The safelist is ignored for the
+# environment variables HOME, SHELL and USER.
+#LOGIN_ENV_SAFELIST
+
Index: lib/getdef.c
===================================================================
--- lib/getdef.c.orig
+++ lib/getdef.c
@@ -76,6 +76,7 @@ struct itemdef {
 #define FOREIGNDEFS				\
 	{"ALWAYS_SET_PATH", NULL},		\
 	{"ENV_ROOTPATH", NULL},			\
+	{"LOGIN_ENV_SAFELIST", NULL},		\
 	{"LOGIN_KEEP_USERNAME", NULL},		\
 	{"LOGIN_PLAIN_PROMPT", NULL},		\
 	{"MOTD_FIRSTONLY", NULL},		\
- Update to 4.18.0: * CI: purge man-db #1241 * passwd: document exit code when PAM has errored #1244 * Man patches #1175 * Quick fix: define E_PAM_ERR in lib/pam_pass.c #1245 * Accept /usr/sbin/nologin as an alternate to /sbin/nologin #1246 * Add LOGIN_ENV_SAFELIST to FOREIGNDEFS #1248 * ci: add gawk as a fedora dependency #1252 * man/useradd.8.xml: fix the CREATE_HOME description #1251 * lib/getdate.y: Restrict the date formats that we support #1238 * newuidmap: better error logging on failure #1254 * Extend basic test cases to check shadow and gshadow entries #1237 * lib/sizeof.h: Make sure STRLEN() only accepts string literals #1260 * Add strprefix(), and use it instead of its pattern #1152 * src/: Simplify, using strpbrk(3) #1167 * lib/string/strdup/: STRNDUPA(): Reimplement in terms of strndupa(3) #1189 * Remove dead beef #1230 * lib/atoi/a2i/: Simplify these macros #1137 * strtolower(): Add API, and use it instead of its pattern #1211 * lib/: sgetent(): Simplify #1146 fields #1150 * yacc(1) is a dead language; bury it deep in the ground #1217 * Test expiration date #1233 * [scp] Add strcaseprefix(), and use it instead of its pattern #1262 * valid_field(): Improve readability #1208 * lib/, src/, tests/: Use the standard countof() instead of our NITEMS() #1259 * lib/fs/mkstemp/, src/: Move fmkomstemp() to separate files under lib/fs/mkstemp/, and split into mkomstemp() #1139 * [x][v]aprintf(): Add APIs, and use them instead of [x][v]asprintf(3) #1168 * lib/get_pid.c: pid_t is a signed integer #1264 OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=205 2025-06-25 04:31:06 +00:00			`Add variables referred by util-linux login, runuser and su, but not by`
			`shadow.`

			`Delete variables used by shadow implementation of login, su and runuser`
			`that has no use in util-linux implementation.`

			`Index: etc/login.defs`
			`===================================================================`
			`--- etc/login.defs.orig`
			`+++ etc/login.defs`
			`@@ -1,5 +1,7 @@`
			`#`
			`# /etc/login.defs - Configuration control definitions for the shadow package.`
			`+# Some variables are used by login(1), su(1) and runuser(1) from util-linux`
			`+# package as well pam pam_unix(8) from pam package.`
			`#`
			`# $Id$`
			`#`
			`@@ -17,9 +19,8 @@ FAIL_DELAY 3`
			`LOG_UNKFAIL_ENAB no`

			`#`
			`-# Enable logging of successful logins`
			`+# Enable "syslog" logging of newgrp(1) and sg(1) activity.`
			`#`
			`-LOG_OK_LOGINS no`

			`#`
			`# Limit the highest user ID number for which the lastlog entries should`
			`@@ -31,10 +32,9 @@ LOG_OK_LOGINS no`
			`#LASTLOG_UID_MAX`

			`#`
			`-# Enable "syslog" logging of su(1) activity - in addition to sulog file logging.`
			`-# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).`
			`+# Enable "syslog" logging of newgrp(1) and sg(1) activity - in addition`
			`+# to sulog file logging.`
			`#`
			`-SYSLOG_SU_ENAB yes`
			`SYSLOG_SG_ENAB yes`

			`#`
			`@@ -58,6 +58,12 @@ MOTD_FILE /etc/motd`
			`#MOTD_FILE /etc/motd:/usr/lib/news/news-motd`

			`#`
			`+# If set to "yes", login stops display content specified by MOTD_FILE after`
			`+# the first accessible item in the list.`
			`+#`
			`+#MOTD_FIRSTONLY no`
			`+`
			`+#`
			`# If defined, file which maps tty line to TERM environment parameter.`
			`# Each line of the file is in a format similar to "vt100 tty01".`
			`#`
			`@@ -72,12 +78,33 @@ MOTD_FILE /etc/motd`
			`HUSHLOGIN_FILE .hushlogin`
			`#HUSHLOGIN_FILE /etc/hushlogins`

			`+# If this variable is set to "yes", hostname will be suppressed in the`
			`+# login: prompt.`
			`+#LOGIN_PLAIN_PROMPT no`
			`+`
			`#`
			`# REQUIRED The default PATH settings, for superuser and normal users.`
			`#`
			`# (they are minimal, add the rest in the shell startup files)`
			`-ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin`
			`-ENV_PATH PATH=/bin:/usr/bin`
			`+#`
			`+# ENV_PATH: The default PATH settings for non-root.`
			`+#`
			`+# ENV_ROOTPATH: The default PATH settings for root`
			`+# (used by login, su and runuser).`
			`+#`
			`+# ENV_SUPATH is an ENV_ROOTPATH override for su and runuser`
			`+# (and falback for login).`
			`+#`
			`+ENV_PATH /bin:/usr/bin`
			`+ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin`
			`+#ENV_SUPATH /sbin:/bin:/usr/sbin:/usr/bin`
			`+`
			`+# If this variable is set to "yes", su will always set path. every su`
			`+# call will overwrite the PATH variable.`
			`+#`
			`+# Per default, only "su -" will set a new PATH.`
			`+#`
			`+ALWAYS_SET_PATH no`

			`#`
			`# Terminal permissions`
			`@@ -93,19 +120,6 @@ ENV_PATH PATH=/bin:/usr/bin`
			`TTYGROUP tty`
			`TTYPERM 0600`

			`-#`
			`-# Login configuration initializations:`
			`-#`
			`-# ERASECHAR Terminal ERASE character ('\010' = backspace).`
			`-# KILLCHAR Terminal KILL character ('\025' = CTRL/U).`
			`-#`
			`-# The ERASECHAR and KILLCHAR are used only on System V machines.`
			`-#`
			`-# Prefix these values with "0" to get octal, "0x" to get hexadecimal.`
			`-#`
			`-ERASECHAR 0177`
			`-KILLCHAR 025`
			`-`
			`# Default initial "umask" value used by login(1) on non-PAM enabled systems.`
			`# Default "umask" value for pam_umask(8) on PAM enabled systems.`
			`# UMASK is also used by useradd(8) and newusers(8) to set the mode for new`
			`@@ -163,6 +177,12 @@ SUB_GID_COUNT 65536`
			`LOGIN_RETRIES 5`

			`#`
			`+# Tell login to only re-prompt for the password if authentication`
			`+# failed, but the username is valid. The default value is no.`
			`+#`
			`+LOGIN_KEEP_USERNAME no`
			`+`
			`+#`
			`# Max time in seconds for login(1)`
			`#`
			`LOGIN_TIMEOUT 60`
			`@@ -285,14 +305,6 @@ USERGROUPS_ENAB yes`
			`#GRANT_AUX_GROUP_SUBIDS yes`

			`#`
			`-# Prevents an empty password field to be interpreted as "no authentication`
			`-# required".`
			`-# Set to "yes" to prevent for all accounts`
			`-# Set to "superuser" to prevent for UID 0 / root (default)`
			`-# Set to "no" to not prevent for any account (dangerous, historical default)`
			`-PREVENT_NO_AUTH superuser`
			`-`
			`-#`
			`# Select the HMAC cryptography algorithm.`
			`# Used in pam_timestamp module to calculate the keyed-hash message`
			`# authentication code.`
			`@@ -301,3 +313,10 @@ PREVENT_NO_AUTH superuser`
			`# that are available in your system.`
			`#`
			`#HMAC_CRYPTO_ALGO SHA512`
			`+`
			`+# Forces login to protect the specified environment variables if -p is not`
			`+# used. The string value is a comma-separated list of variable names. For`
			`+# example: "LANG,LC_MESSAGES,LC_COLLATE". The safelist is ignored for the`
			`+# environment variables HOME, SHELL and USER.`
			`+#LOGIN_ENV_SAFELIST`
			`+`
Sync changes to SLFO-1.2 branch 2025-08-20 13:27:32 +02:00			`Index: lib/getdef.c`
			`===================================================================`
			`--- lib/getdef.c.orig`
			`+++ lib/getdef.c`
			`@@ -76,6 +76,7 @@ struct itemdef {`
			`#define FOREIGNDEFS \`
			`{"ALWAYS_SET_PATH", NULL}, \`
			`{"ENV_ROOTPATH", NULL}, \`
			`+ {"LOGIN_ENV_SAFELIST", NULL}, \`
			`{"LOGIN_KEEP_USERNAME", NULL}, \`
			`{"LOGIN_PLAIN_PROMPT", NULL}, \`
			`{"MOTD_FIRSTONLY", NULL}, \`