From 113257727e0ddde951433e8f23f881b7f39f9ef52941755ca860487b9952a1bc Mon Sep 17 00:00:00 2001
From: Michael Vetter
Date: Tue, 31 Dec 2024 19:43:06 +0000
Subject: [PATCH] - Update to 4.17.1: * su: Fix `su -` regression #1163
OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=186
---
.gitattributes | 23 +
.gitignore | 1 +
disable_new_audit_function.patch | 28 +
pamd.tar.bz2 | 3 +
shadow-4.16.0.tar.xz | 3 +
shadow-4.16.0.tar.xz.asc | 16 +
shadow-4.17.0.tar.xz | 3 +
shadow-4.17.0.tar.xz.asc | 11 +
shadow-4.17.1.tar.xz | 3 +
shadow-4.17.1.tar.xz.asc | 11 +
shadow-login_defs-check.sh | 286 ++++++
shadow-login_defs-comments.patch | 72 ++
shadow-login_defs-suse.patch | 148 +++
shadow-login_defs-unused-by-pam.patch | 280 ++++++
shadow-util-linux.patch | 139 +++
shadow.changes | 1229 +++++++++++++++++++++++++
shadow.keyring | 239 +++++
shadow.service | 23 +
shadow.spec | 387 ++++++++
shadow.timer | 7 +
useradd-default.patch | 13 +
21 files changed, 2925 insertions(+)
create mode 100644 .gitattributes
create mode 100644 .gitignore
create mode 100644 disable_new_audit_function.patch
create mode 100644 pamd.tar.bz2
create mode 100644 shadow-4.16.0.tar.xz
create mode 100644 shadow-4.16.0.tar.xz.asc
create mode 100644 shadow-4.17.0.tar.xz
create mode 100644 shadow-4.17.0.tar.xz.asc
create mode 100644 shadow-4.17.1.tar.xz
create mode 100644 shadow-4.17.1.tar.xz.asc
create mode 100644 shadow-login_defs-check.sh
create mode 100644 shadow-login_defs-comments.patch
create mode 100644 shadow-login_defs-suse.patch
create mode 100644 shadow-login_defs-unused-by-pam.patch
create mode 100644 shadow-util-linux.patch
create mode 100644 shadow.changes
create mode 100644 shadow.keyring
create mode 100644 shadow.service
create mode 100644 shadow.spec
create mode 100644 shadow.timer
create mode 100644 useradd-default.patch
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/disable_new_audit_function.patch b/disable_new_audit_function.patch
new file mode 100644
index 0000000..cb167f9
--- /dev/null
+++ b/disable_new_audit_function.patch
@@ -0,0 +1,28 @@
+Index: shadow-4.5/src/lastlog.c
+===================================================================
+--- shadow-4.5.orig/src/lastlog.c
++++ shadow-4.5/src/lastlog.c
+@@ -221,12 +221,15 @@ static void update_one (/*@null@*/const
+ strcpy (ll.ll_host, "localhost");
+ #endif
+ strcpy (ll.ll_line, "lastlog");
++/*
+ #ifdef WITH_AUDIT
+ audit_logger (AUDIT_ACCT_UNLOCK, Prog,
+ "clearing-lastlog",
+ pw->pw_name, (unsigned int) pw->pw_uid, SHADOW_AUDIT_SUCCESS);
+ #endif
++*/
+ }
++/*
+ #ifdef WITH_AUDIT
+ else {
+ audit_logger (AUDIT_ACCT_UNLOCK, Prog,
+@@ -234,6 +237,7 @@ static void update_one (/*@null@*/const
+ pw->pw_name, (unsigned int) pw->pw_uid, SHADOW_AUDIT_SUCCESS);
+ }
+ #endif
++*/
+
+ if (fwrite (&ll, sizeof(ll), 1, lastlogfile) != 1) {
+ fprintf (stderr,
diff --git a/pamd.tar.bz2 b/pamd.tar.bz2
new file mode 100644
index 0000000..a8fae08
--- /dev/null
+++ b/pamd.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:63473938aff16f2bae3d68468d00f02d4a2172f9aa02d5642f47b501b25bc50e
+size 979
diff --git a/shadow-4.16.0.tar.xz b/shadow-4.16.0.tar.xz
new file mode 100644
index 0000000..99c6692
--- /dev/null
+++ b/shadow-4.16.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b78e3921a95d53282a38e90628880624736bf6235e36eea50c50835f59a3530b
+size 2204832
diff --git a/shadow-4.16.0.tar.xz.asc b/shadow-4.16.0.tar.xz.asc
new file mode 100644
index 0000000..68f476d
--- /dev/null
+++ b/shadow-4.16.0.tar.xz.asc
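Review bot: Clearing a lastlog entry no longer produces an audit record once disable_new_audit_function.patch is applied, and the patch has no header explaining why both `audit_logger (AUDIT_ACCT_UNLOCK, ...)` calls in update_one are disabled. Add a short description above the `Index:` line giving the reason, so the missing audit event stays a documented and reviewable decision rather than a silent one. The calls are parked by wrapping the `#ifdef WITH_AUDIT` blocks in `/*` and `*/`, which breaks as soon as the wrapped code contains a comment of its own; `#if 0` and `#endif` around the same lines would be the safer form. The patch paths still name shadow-4.5 although this commit packages 4.17.1, and update_one's body starts and ends outside both inner hunks.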
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEflbiwT+nfOMVWa3JfcJMNsM0HSAFAmZyBfQACgkQfcJMNsM0 +HSA4PxAA57RSvccAbXTTmp2sHMZVPbzizydThuGgqY/4F9egRvywUUlNy0vz/QAA +e0u8ja+paKhLjXg4HvA/Ejy+gtAE5NuvNCr/ihL8Xii6s/GH6OaW8EDcL0509j7L +PchWYkHYSqwdqdjLoy6NroaaEEllAzVEeNp2UzN9F7jllteF8gDjqY2j8SLqrkmm +Xb15kzk6mbqk5BxAOoZmgoRRDw+YRCBA2EzN0ztwR0h1rjwoCjebQk3E/qV+fM1t +pKKYVTnLRmb9E2tvPR1Oibzercisi/+6Z7br+Xh1Gz/mfZ++4CiOQrJndUTBj9zU +v7GEHMEdV8qz/Qzvh1eyxA7KX5zZqbXT3I/+kRvX01CJtI64MVdEOOqSeup794fr +QlaptfoAfe+ZS6exe1SwY2tZkoX4qXeeUNQXRBo8GJlG9auMA46U2CjtRGgyK6BK +cf/YkzUr9aTWExL3d2tZJzvEX80AHSR+MF2kW8UzIQI8hch1Pncp8an6NfLFbmsl +nyz5+GqrSuc1gNe7wnz5Lkxk3q4epmvdPcyrb16XDr42k3dP0IWZE50c8Caf05Nq +9zJC+It75nX7PFbGcZnNgE6sjsc6MB28O2wUb4Z51IU+s8hzthk2P4v0gq30TgrZ +vKTXxIYwp+yLii1sSTWUdE8a6vNK93cQki5uuB3R6VeNVBMZJA0= +=bB1D +-----END PGP SIGNATURE----- diff --git a/shadow-4.17.0.tar.xz b/shadow-4.17.0.tar.xz new file mode 100644 index 0000000..46593d6 --- /dev/null +++ b/shadow-4.17.0.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:df0d29d09ed1db609234aaec670f55ebf724bc7bd0b377c8a299913669b7878e +size 2215120 diff --git a/shadow-4.17.0.tar.xz.asc b/shadow-4.17.0.tar.xz.asc new file mode 100644 index 0000000..c62be2c --- /dev/null +++ b/shadow-4.17.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEqb0/8XByttt4D8+UNXDaFycKziQFAmdsil0ACgkQNXDaFycK +ziTmHggAxiGaTy3ji/emoJfqrShivle3axD3ZtMQlQfqPZxlYeGlAHjLNlWJwZ1T +G8rfyXCFNgYK0Y9gbrnKZE8bRtiDTCqZsNuy3hZ7GnMfmz+nRpW2xJebEg8IeKO6 +SSA7XrPvoCjoICYDq8oSnQ/eAkximD9/1BwXALJzi7SQ2nvuQh0J7LkhIB1rvfqN +EYlw1lRosxb6nRbX0NCd4RPI0e1TlrNyKOxiUdyHacxjDrmBtybpi038+O8qpzhB +TmdrJHYRh7tJKZWZx5s/hTlvY+b881/lHaPvOENhQ36Dw6YL7CflTgYemMLTv/rD +Ztp08iv/DogJzE1wPPrqw+LED3ePbQ== +=2jUF +-----END PGP SIGNATURE----- diff --git a/shadow-4.17.1.tar.xz b/shadow-4.17.1.tar.xz new file mode 100644 index 0000000..d0e3cad --- /dev/null +++ b/shadow-4.17.1.tar.xz 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4115a57f9404a038085e160920fb395827fe34363287f709bb9d8c1ed8cbce02 +size 2217588 diff --git a/shadow-4.17.1.tar.xz.asc b/shadow-4.17.1.tar.xz.asc new file mode 100644 index 0000000..01d9bc7 --- /dev/null +++ b/shadow-4.17.1.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEqb0/8XByttt4D8+UNXDaFycKziQFAmd0SHAACgkQNXDaFycK +ziR66Af/XxOlsvOU+ZUO/femk90p9isAzv3qT06EfcKCG/H4WHZ2j/exhR+YiZOD +Svp+yPMghv5pZQl1F5WhR96B6zvfh5ldulXDTItDDytwQTQCPS1PQa4nJXqWMX6f +K3DWhEQql2wnE4gxL5TpbvziQeigbPeDUvqfw1lLe4IzQyxGC+IHxSIN3J3t33xd +naC3FSrchnPAWUhk6iLy5MXJWDdTI4DX3Vy43BAWvDE+eg+RYqOU92QwnhZ98raS +O4a9ZPtWn4SkyssvG58IQjaZOAtm5atR4jD2z2W7fbh3So/dhkDijVwzJczLeOxj +ru7RkYTDCfYJBqF+HKZout9Fyv2opA== +=wDSA +-----END PGP SIGNATURE----- diff --git a/shadow-login_defs-check.sh b/shadow-login_defs-check.sh new file mode 100644 index 0000000..2e0377f --- /dev/null +++ b/shadow-login_defs-check.sh 
@@ -0,0 +1,286 @@ +#!/bin/bash + +# login.defs and lib/getdef.c contain support for third party variables. +# It also contains support for variables that are unusable in installations with PAM support enabled. +# This script generates a list of used and unused variables in login.defs +# with respect to the current configuration. +# Arguments: arguments of osc build +# If the shadow-login_defs-check-unused.lst is generated, you should +# update login.defs. + +set -o errexit + +echo "Preparing..." + +# Check for required commands +which quilt >/dev/null +which osc >/dev/null + +# login.defs is shared with util-linux login, su and runuser. +# Extract list of referenced variables. +if ! test -f openSUSE:Factory/util-linux/BUILD/*/configure.ac ; then + echo "Checking out util-linux..." + if test -d ../util-linux ; then + echo -n "../util-linux found. Are you preparing new version? (y/N) " + read + if test "${REPLY:0:1}" = "y" ; then + mkdir -p openSUSE:Factory + cp -a ../util-linux openSUSE:Factory/ + else + osc co openSUSE:Factory util-linux + fi + else + osc co openSUSE:Factory util-linux + fi + cd openSUSE:Factory/util-linux + quilt setup -d BUILD util-linux.spec + cd BUILD/* + quilt push -a + cd ../../../.. +fi + +echo "Extracting variables from util-linux..." +cd openSUSE:Factory/util-linux/BUILD/* +( + grep -rh getlogindefs . | + sed -n 's/^.*getlogindefs[a-z_]*("\([A-Z0-9_]*\)".*$/\1/p' + grep -rh logindefs_setenv . | + sed -n 's/^.*logindefs_setenv*("[A-Z0-9_]*", "\([A-Z0-9_]*\)".*$/\1/p' +) | + LC_ALL=C sort -u >../../../../shadow-login_defs-check-util-linux.lst +cd ../../../.. + +# login.defs is shared pam_unix*.so, pam_faildelay.so and pam_umask.so. +# Extract list of referenced variables. +if ! test -f openSUSE:Factory/pam/BUILD/*/configure.ac ; then + echo "Checking out pam..." + if test -d ../pam ; then + echo -n "../pam found. Are you preparing new version? 
(y/N) " + read + if test "${REPLY:0:1}" = "y" ; then + mkdir -p openSUSE:Factory + cp -a ../pam openSUSE:Factory/ + else + osc co openSUSE:Factory pam + fi + else + osc co openSUSE:Factory pam + fi + cd openSUSE:Factory/pam + quilt setup -d BUILD pam.spec + cd BUILD/* + quilt push -a + cd ../../../.. +fi + +echo "Extracting variables from pam..." +cd openSUSE:Factory/pam/BUILD/* +grep -rh LOGIN_DEFS . | + sed -n 's/CRYPTO_KEY/\"HMAC_CRYPTO_ALGO\"/g;s/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' | + LC_ALL=C sort -u >../../../../shadow-login_defs-check-pam.lst +cd ../../../.. + +if ! test -f shadow-login_defs-check-build/stamp ; then + echo "Performing preprocessing of shadow by osc..." + if ! test -f shadow.spec.shadow-login_defs-check-save ; then + cp -a shadow.spec shadow.spec.shadow-login_defs-check-save + +# In case of shadow, variables extraction is more complicated. The list +# depends on configure options, so we have to perform a fake build and +# extract variables from prepreocessed sources. +# sed -i '/^%make_build/i\_smp_mpflags="%{?_smp_mpflags} -k CPPFLAGS=\\"-E\\""' shadow.spec + sed -i 's/^%make_build/%make_build -k CPPFLAGS=\\"-E\\"/' shadow.spec + if cmp -s shadow.spec shadow.spec.shadow-login_defs-check-save ; then + echo "$0: Please fix sed expression modifying shadow.spec." + mv shadow.spec.shadow-login_defs-check-save shadow.spec + exit 1 + fi + fi + + if osc build "$@" ; then + echo "This build command was expected to fail, but it succeeded." + echo "$0: Please fix sed expression modifying shadow.spec." + mv shadow.spec.shadow-login_defs-check-save shadow.spec + exit 1 + else + echo "This build command was expected to fail." 
+ echo "" + fi + mv shadow.spec.shadow-login_defs-check-save shadow.spec + + BUILD_ROOT=$(osc lbl | sed -n 's/^.*Using BUILD_ROOT=//p') + BUILD_DIR=$(osc lbl | sed -n 's/^.* cd //p' | head -n1) + rm -rf shadow-login_defs-check-build + mkdir shadow-login_defs-check-build + cp -a "$BUILD_ROOT/$BUILD_DIR"/shadow-* shadow-login_defs-check-build/ + touch shadow-login_defs-check-build/stamp +fi + +echo "Extracting list of deleted binaries..." +sed -n 's~rm %{buildroot}/%{_\(s\|\)bindir}/\(.*\)$~\2~p' shadow-login_defs-check-deleted.lst + +# The build above is optional only for case of failure or edits in the +# code below. If any other build was performed, don't expect correct +# results. + +cd shadow-login_defs-check-build/shadow-* + +echo "Extracting variables from etc/login.defs..." +# Extract variables referenced in login.defs, both active and commented out. +sed -n "s/^#//;s/\([A-Z0-9_]*\)\([[:space:]].*\|\)$/\1/p" ../../shadow-login_defs-check-login_defs.lst +LC_ALL=C sort -u ../../shadow-login_defs-check-login_defs.lst >../../shadow-login_defs-check-login_defs-sorted.lst + +echo "Extracting variables from lib/getdef.c..." +# Extract variables referenced in lib/getdef.c using current defines. +sed -n 's/^\(},\|\) {"\([A-Z0-9_]*\)", /\2/p' ../../shadow-login_defs-check-getdef.lst +LC_ALL=C sort -u ../../shadow-login_defs-check-getdef.lst >../../shadow-login_defs-check-getdef-sorted.lst + +echo "Extracting variables from shadow..." +# Extract variables referenced in preprocessed files. +grep -r '\(getdef[a-z_]*\|call_script\|is_listed\) *( *"[A-Za-z0-9_]*"' | + grep '[^ ]*\.o:' >../../shadow-login_defs-check-shadow.log + +cd ../.. + +export RC=0 +echo "" +echo "" +echo "Performing checks..." 
+ +sed ' + s/^.*\(getdef[a-z_]*\|call_script\|is_listed*\) *( *"\([A-Za-z0-9_]*\)".*$/\2/ +' ../../shadow-login_defs-check-shadow-all.lst + +sed 's%^\(.*\)%/^.*\\\/\1\.o:/d%' shadow-login_defs-check-deleted.sed +sed -f shadow-login_defs-check-deleted.sed shadow-login_defs-check-shadow-used.lst + +if ! test -s shadow-login_defs-check-deleted.sed ; then + echo " BUG: Empty shadow-login_defs-check-deleted.sed Results will be unreliable!" + if test $RC -le 4 ; then export RC=4 ; fi +fi + +echo "" +echo "Checking that variables in login.defs are referred only once..." +if test $(wc -l shadow-login_defs-check-login_defs.lst | sed 's/ .*//') != $(wc -l shadow-login_defs-check-login_defs-sorted.lst | sed 's/ .*//') ; then + echo " ERROR: Some variable referred at more places of login.defs!" + LC_ALL=C sort shadow-login_defs-check-login_defs.lst >shadow-login_defs-check-login_defs-sorted-nu.lst + diff shadow-login_defs-check-login_defs-sorted-nu.lst shadow-login_defs-check-login_defs-sorted.lst + if test $RC -le 3 ; then export RC=3 ; fi +fi + +echo "" +echo "Checking that variables in lib/getdef.c are referred only once..." +if test $(wc -l shadow-login_defs-check-getdef.lst | sed 's/ .*//') != $(wc -l shadow-login_defs-check-getdef-sorted.lst | sed 's/ .*//') ; then + echo " ERROR: Some variable referred at more places of lib/getdef.c!" + LC_ALL=C sort shadow-login_defs-check-getdef.lst >shadow-login_defs-check-getdef-sorted-nu.lst + diff shadow-login_defs-check-getdef-sorted-nu.lst shadow-login_defs-check-getdef-sorted.lst + if test $RC -le 3 ; then export RC=3 ; fi +fi + +cat shadow-login_defs-check-shadow-used.lst shadow-login_defs-check-util-linux.lst shadow-login_defs-check-pam.lst | LC_ALL=C sort -u >shadow-login_defs-check-all-used.lst +# RC inside pipe cannot be read directly. Use 3 for a real stdout inside the pipe, and use stdout for RC. 
+exec 3>&1 +function report_packages() { + echo -n " (" + grep -l $1 shadow-login_defs-check-{shadow-used,util-linux,pam}.lst | + sed 's/shadow-login_defs-check-//;s/\.lst//;s/-used//;s/$/, /;$s/, $//' | + tr -d '\n' + echo -n ")" +} + +# Extracting variables from shadow is not capable to identify compiled-but-unused library code. +# This function will identify known false matches. +function falsematch() { + case "$1" in +# MAIL_* used by library call mailcheck() used only by login.c that is deleted in the spec. + MAIL_* ) return 0 ;; +# FTMP_FILE used by library call failtmp() used only by login.c that is deleted in the spec. + FTMP_FILE ) return 0 ;; +# ISSUE_FILE used by library call login_prompt() used only by login.c that is deleted in the spec. + ISSUE_FILE ) return 0 ;; +# PREVENT_NO_AUTH us used only by login.c and su.c that are deleted in the spec. + PREVENT_NO_AUTH ) return 0 ;; + * ) return 1 ;; + esac +} + +echo "" +echo "Checking that all used variables are covered by login.defs..." +RC=$(cat shadow-login_defs-check-all-used.lst | ( + while read ; do + if falsematch "$REPLY" ; then + echo " FALSE MATCH: Variable $REPLY is not present in login.defs$(report_packages $REPLY)" >&3 + continue + fi + if ! grep -q -x "$REPLY" shadow-login_defs-check-login_defs-sorted.lst ; then + echo " NOTICE: Variable $REPLY is not present in login.defs$(report_packages $REPLY)" >&3 + if test $RC -le 2 ; then RC=2 ; fi + fi + done + echo $RC +) ) + +echo "" +echo "Checking that all used variables are covered by lib/getdef.c..." +RC=$(cat shadow-login_defs-check-all-used.lst | ( + while read ; do + if falsematch "$REPLY" ; then continue ; fi + if ! grep -q -x "$REPLY" shadow-login_defs-check-getdef.lst ; then + echo " ERROR: Variable $REPLY is missing in the parser$(report_packages $REPLY)" >&3 + if test $RC -le 3 ; then RC=3 ; fi + fi + done + echo $RC +) ) + +echo "" +echo "Checking that all used variables referred in login.defs are valid..." 
+RC=$(cat shadow-login_defs-check-login_defs.lst | ( + while read ; do + if ! grep -q -x "$REPLY" shadow-login_defs-check-all-used.lst ; then + echo " ERROR: Failed to find reference for $REPLY" >&3 + if test $RC -le 3 ; then RC=3 ; fi + fi + if ! grep -q -x "$REPLY" shadow-login_defs-check-getdef.lst ; then + echo " BUG: Parser does not contain reference for $REPLY" >&3 + if test $RC -le 4 ; then RC=4 ; fi + fi + done + echo $RC +) ) + + +echo "" +echo "" +echo "All checks finished." +echo -n "Result: " +case $RC in +0) echo "OK." ;; +1) echo "Notices only. Action is optional." ;; +2) echo "Warnings only. Evaluation is needed." ;; +3) echo "Errors found. Fix is recommended." ;; +4) echo "Fatal error. Fix has to be done." ;; +esac + +if test $RC -ge 1 ; then + exit 1 +fi + +echo " +If you ported shadow-util-linux.patch to the new util-linux version, +please submit these updates: +Change in util-linux.spec:" +sed -n 's/^Version:[[:space:]]*/Requires: login_defs-support-for-util-linux >= /p' = /p' MAX, the highest value will be used. +-# +-#BCRYPT_MIN_ROUNDS 13 +-#BCRYPT_MAX_ROUNDS 13 +- +-# +-# Only works if ENCRYPT_METHOD is set to YESCRYPT. +-# +-# Define the YESCRYPT cost factor. +-# With a higher cost factor, it is more difficult to brute-force the password. +-# However, more CPU time and more memory will be needed to authenticate users +-# if this value is increased. +-# +-# If not specified, a cost factor of 5 will be used. +-# The value must be within the 1-11 range. +-# +-#YESCRYPT_COST_FACTOR 5 +- +-# +-# List of groups to add to the user's supplementary group set +-# when logging in from the console (as determined by the CONSOLE +-# setting). Default is none. +-# +-# Use with caution - it is possible for users to gain permanent +-# access to these groups, even when not logged in from the console. +-# How to do it is left as an exercise for the reader... 
+-# +-#CONSOLE_GROUPS floppy:audio:cdrom +- +-# + # Should login be allowed if we can't cd to the home directory? + # Default is no. + # +@@ -402,12 +238,6 @@ DEFAULT_HOME yes + NONEXISTENT /nonexistent + + # +-# If this file exists and is readable, login environment will be +-# read from it. Every line should be in the form name=value. +-# +-ENVIRON_FILE /etc/environment +- +-# + # If defined, this command is run when removing a user. + # It should remove any at/cron/print jobs etc. owned by + # the user to be removed (passed as the first argument). diff --git a/shadow-util-linux.patch b/shadow-util-linux.patch new file mode 100644 index 0000000..96ea5ae --- /dev/null +++ b/shadow-util-linux.patch 
@@ -0,0 +1,139 @@
+Add variables referred by util-linux login, runuser and su, but not by
+shadow.
+
+Delete variables used by shadow implementation of login, su and runuser
+that has no use in util-linux implementation.
+
+Index: etc/login.defs
+===================================================================
+--- etc/login.defs.orig
++++ etc/login.defs
+@@ -1,5 +1,7 @@
+ #
+ # /etc/login.defs - Configuration control definitions for the shadow package.
++# Some variables are used by login(1), su(1) and runuser(1) from util-linux
++# package as well pam pam_unix(8) from pam package.
+ #
+ # $Id$
+ #
+@@ -17,9 +19,8 @@ FAIL_DELAY 3
+ LOG_UNKFAIL_ENAB no
+
+ #
+-# Enable logging of successful logins
++# Enable "syslog" logging of newgrp(1) and sg(1) activity.
+ #
+-LOG_OK_LOGINS no
+
+ #
+ # Limit the highest user ID number for which the lastlog entries should
+@@ -31,10 +32,9 @@ LOG_OK_LOGINS no
+ #LASTLOG_UID_MAX
+
+ #
+-# Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
+-# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
++# Enable "syslog" logging of newgrp(1) and sg(1) activity - in addition
++# to sulog file logging.
+ #
+-SYSLOG_SU_ENAB yes
+ SYSLOG_SG_ENAB yes
+
+ #
+@@ -58,6 +58,12 @@ MOTD_FILE /etc/motd
+ #MOTD_FILE /etc/motd:/usr/lib/news/news-motd
+
+ #
++# If set to "yes", login stops display content specified by MOTD_FILE after
++# the first accessible item in the list.
++#
++#MOTD_FIRSTONLY no
++
++#
+ # If defined, file which maps tty line to TERM environment parameter.
+ # Each line of the file is in a format similar to "vt100 tty01".
+ #
+@@ -72,12 +78,33 @@ MOTD_FILE /etc/motd
+ HUSHLOGIN_FILE .hushlogin
+ #HUSHLOGIN_FILE /etc/hushlogins
+
++# If this variable is set to "yes", hostname will be suppressed in the
++# login: prompt.
++#LOGIN_PLAIN_PROMPT no
++
+ #
+ # *REQUIRED* The default PATH settings, for superuser and normal users.
+ #
+ # (they are minimal, add the rest in the shell startup files)
+-ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
+-ENV_PATH PATH=/bin:/usr/bin
++#
++# ENV_PATH: The default PATH settings for non-root.
++#
++# ENV_ROOTPATH: The default PATH settings for root
++# (used by login, su and runuser).
++#
++# ENV_SUPATH is an ENV_ROOTPATH override for su and runuser
++# (and falback for login).
++#
++ENV_PATH /bin:/usr/bin
++ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin
++#ENV_SUPATH /sbin:/bin:/usr/sbin:/usr/bin
++
++# If this variable is set to "yes", su will always set path. every su
++# call will overwrite the PATH variable.
++#
++# Per default, only "su -" will set a new PATH.
++#
++ALWAYS_SET_PATH no
+
+ #
+ # Terminal permissions
+@@ -93,19 +120,6 @@ ENV_PATH PATH=/bin:/usr/bin
+ TTYGROUP tty
+ TTYPERM 0600
+
+-#
+-# Login configuration initializations:
+-#
+-# ERASECHAR Terminal ERASE character ('\010' = backspace).
+-# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
+-#
+-# The ERASECHAR and KILLCHAR are used only on System V machines.
+-#
+-# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
+-#
+-ERASECHAR 0177
+-KILLCHAR 025
+-
+ # Default initial "umask" value used by login(1) on non-PAM enabled systems.
+ # Default "umask" value for pam_umask(8) on PAM enabled systems.
+ # UMASK is also used by useradd(8) and newusers(8) to set the mode for new
+@@ -163,6 +177,12 @@ SUB_GID_COUNT 65536
+ LOGIN_RETRIES 5
+
+ #
++# Tell login to only re-prompt for the password if authentication
++# failed, but the username is valid. The default value is no.
++#
++LOGIN_KEEP_USERNAME no
++
++#
+ # Max time in seconds for login(1)
+ #
+ LOGIN_TIMEOUT 60
+@@ -315,14 +335,6 @@ CHARACTER_CLASS [ABCDEFGHIJKLMNO
+ #GRANT_AUX_GROUP_SUBIDS yes
+
+ #
+-# Prevents an empty password field to be interpreted as "no authentication
+-# required".
+-# Set to "yes" to prevent for all accounts
+-# Set to "superuser" to prevent for UID 0 / root (default)
+-# Set to "no" to not prevent for any account (dangerous, historical default)
+-PREVENT_NO_AUTH superuser
+-
+-#
+ # Select the HMAC cryptography algorithm.
+ # Used in pam_timestamp module to calculate the keyed-hash message
+ # authentication code.
diff --git a/shadow.changes b/shadow.changes
new file mode 100644
index 0000000..c2193af
--- /dev/null
+++ b/shadow.changes
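Review bot: In shadow-util-linux.patch the inner hunk at `@@ -17,9 +19,8 @@` deletes `LOG_OK_LOGINS no` but rewrites its comment to `# Enable "syslog" logging of newgrp(1) and sg(1) activity.`, which leaves a comment block with no setting under it and duplicates the SYSLOG_SG_ENAB text a few lines further down; the whole block should be removed instead. The rewritten SYSLOG_SG_ENAB comment still ends with `in addition to sulog file logging`, wording that belonged to the su(1) logging this patch drops. The hunk at `@@ -315,14 +335,6 @@` removes `PREVENT_NO_AUTH superuser` together with its explanation, so the patch description should say that empty-password handling is then decided by the PAM configuration (presumably pam_unix's `nullok`, to be confirmed), so administrators do not assume the old protection is still in force. Two typos in the added comments are worth fixing while here: `falback` should read `fallback`, and `as well pam pam_unix(8)` should read `as well as pam_unix(8)`.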
@@ -0,0 +1,1229 @@ +------------------------------------------------------------------- +Tue Dec 31 19:41:57 UTC 2024 - Michael Vetter + +- Update to 4.17.1: + * su: Fix `su -` regression #1163 + +------------------------------------------------------------------- +Fri Dec 27 16:06:45 UTC 2024 - Michael Vetter + +- Update to 4.17.0: + * Fix the lower part of the domain of csrand_uniform() + * Fix use of volatile pointer + * Use 'dist-hook' to clean up + * Use str2[u]l() instead of atoi(3) + * Use a2i() in various places + * Fix const correctness + * Use uid_t for holding UIDs (and GIDs) + * Move all sprintf(3)-like APIs to a subdirectory + * Move all copying APIs to a subdirectory + * Fix forever loop on ENOMEM + * Fix REALLOC() nmemb calculation + * Remove id(1) + * Remove groups(1) + * Use local time for human-readable dates + * Use %F instead of %Y-%m-%d with strftime(3) + * is_valid{user,group}_name(): Set errno to distinguish the reasons + * Recommend --badname only if it is useful + * Add fmkomstemp() to fix mode of + * Fix use-after-free bug in sgetgrent() + * Update Catalan translation + * Remove references to cppw, cpgr + * groupadd, groupmod: Update gshadow file with -U + * Added option -a for listing active users only, optimized using if aflg,return + * Added information in lastlog man page for new option '-a' + * Plenty of code cleanup and clarifications + +------------------------------------------------------------------- +Fri Dec 6 08:56:10 UTC 2024 - Michael Vetter + +- Update to 4.17.0 RC1: + Pre-release without changelog + +------------------------------------------------------------------- +Mon Jul 8 11:13:17 UTC 2024 - Samuel Cabrero + +- Disable flushing sssd caches. The sssd's files provider is no + longer available. 
+ +------------------------------------------------------------------- +Mon Jun 24 13:02:56 UTC 2024 - Michael Vetter + +- bsc#1226850: Drop incorrect econf patch (until time to fix it) + Drop shadow-4.16.0-econf.patch + +------------------------------------------------------------------- +Wed Jun 19 06:51:45 UTC 2024 - Michael Vetter + +- Update to 4.16.0: + * The shadow implementations of id(1) and groups(1) are deprecated + in favor of the GNU coreutils and binutils versions. + They will be removed in 4.17.0. + * The rlogind implementation has been removed. + * The libsubid major version has been bumped, since it now requires + specification of the module's free() implementation. +- Update shadow-login_defs-suse.patch +- Add shadow-4.16.0-econf.patch: + Replace deprecated econf_readDirs with econf_readConfig + +------------------------------------------------------------------- +Sun Mar 24 09:06:48 UTC 2024 - Michael Vetter + +- Update to 4.15.1: + * Fix a bug that caused spurious error messages about unknown + login.defs configuration options #967 + * Adding checks for fd omission #964 + * Use temporary stat buffer #974 + * Fix wrong french translation #975 +- Drop shadow-4.15.0-fix-definition.patch + +------------------------------------------------------------------- +Thu Mar 21 06:37:27 UTC 2024 - Michael Vetter + +- Add shadow-4.15.0-fix-definition.patch: + Fix error messages about config options. + See gh/shadow-maint/shadow#967 + +------------------------------------------------------------------- +Sun Mar 10 07:02:35 UTC 2024 - Michael Vetter + +- Update to 4.15.0 + * libshadow: + + Use utmpx instead of utmp. This fixes a regression introduced + in 4.14.0. + + Fix build error (parameter name omitted). + * Build system: + + Link correctly with libdl. + + Install pam configs for chpasswd(8) and newusers(8) when using + ./configure --with-libpam --disable-account-tools-setuid. + + Merge libshadow and libmisc into a single libshadow. 
This fixes + problems in the linker, which were reported at least in Gentoo. + + Fix build with musl libc. + + Support out of tree builds + * useradd(8): + + Set proper SELinux labels for def_usrtemplate +- Update Serge Hallyns GPG key +- Update shadow-login_defs-unused-by-pam.patch + +------------------------------------------------------------------- +Sun Mar 3 06:03:25 UTC 2024 - Michael Vetter + +- Update to 4.14.6: + * login(1): + + Fix off-by-one bugs. + * passwd(1): + + Don't silently truncate passwords of length >= 200 characters. + Instead, accept a length of PASS_MAX, and reject longer ones. + * libshadow: + + Fix calculation in strtoday(), which caused a wrong half-day + offset in some cases (bsc#1176006) + + Fix parsing of dates in get_date() (bsc#1176006) + + Use utmpx instead of utmp. This fixes a regression introduced in + 4.14.0. + +------------------------------------------------------------------- +Tue Feb 13 18:33:26 UTC 2024 - Michael Vetter + +- Update to 4.14.5: + * Build system: + + Fix regression introduced in 4.14.4, due to a typo. chgpasswd had + been deleted from a Makefile variable, but it should have been + chpasswd. +- Remove shadow-4.14.4-chgpasswd-typo.patch + +------------------------------------------------------------------- +Mon Feb 12 19:37:52 UTC 2024 - Michael Vetter + +- Update to 4.14.4: + * Build system: + + Link correctly with libdl. + + Install pam configs for chpasswd(8) and newusers(8) when using + ./configure --with-libpam --disable-account-tools-setuid. + * libshadow: + + Fix build error (parameter name omitted). + + Fix off-by-one bug. + + Remove warning. +- Add shadow-4.14.4-chgpasswd-typo.patch: to fix build. 
See #926 +- Update patch macro `patchN` -> `patch -P N` + +------------------------------------------------------------------- +Tue Jan 16 06:57:35 UTC 2024 - Michael Vetter + +- Update to 4.14.3: + * libshadow: + + Avoid null pointer dereference (#904) + +------------------------------------------------------------------- +Tue Jan 9 12:51:12 UTC 2024 - Michael Vetter + +- bsc#1199026 bsc#1203823: + Remove pam_keyinit from PAM configuration. + This was introduced for bsc#1144060. + +------------------------------------------------------------------- +Mon Oct 30 07:20:29 UTC 2023 - Michael Vetter + +- Update to 4.14.2: + * libshadow: + + Fix build with musl libc. + + Avoid NULL dereference. + + Update utmp at an initial login + * useradd(8): + + Set proper SELinux labels for def_usrtemplate + * Manual: + + Document --prefix in chage(1), chpasswd(8), and passwd(1) +- Drop upstreamed shadow-4.14.0-selinux-labels.patch + +------------------------------------------------------------------- +Fri Oct 6 08:32:09 UTC 2023 - Michael Vetter + +- Update to 4.14.1: + Build system: Merge libshadow and libmisc into a single libshadow. + This fixes problems in the linker, which were reported at least + in Gentoo. #791 +- Add Alejandro Colomar (new stable branch maintainer) to shadow.keyring + +------------------------------------------------------------------- +Tue Sep 26 13:20:59 UTC 2023 - Johannes Segitz + +- Add shadow-4.14.0-selinux-labels.patch: + Set proper SELinux labels for new homedirs. + See gh/shadow-maint/shadow#812. + +------------------------------------------------------------------- +Thu Aug 17 10:14:14 UTC 2023 - Michael Vetter + +- Remove dependency on libbsd: + On Tumbleweed we have glibc 2.38 already thus string functions + like strlcpy will be present and won't be needed from libbsd. + `readpassphrase()` is then the only function from libbsd not present. 
+ Upstream shadow has an in tree copy of it, that is used when the + `--without-libbsd` flag is passed along. + By relying on glibc 2.38 we don't need to add libbsd and libmd + to our ring0 but can't easily upgrade on SLE. + +------------------------------------------------------------------- +Thu Aug 17 06:43:38 UTC 2023 - Michael Vetter + +- Update to 4.14.0: + * configure: add with-libbsd option + * Code cleanup + * Replace utmp interface #757 + * new option enable-logind #674 + * shadow userdel: add the adaptation to the busybox ps in 01-kill_user_procs.sh + * chsh: warn if root sets a shell not listed in /etc/shells #535 + * newgrp: fix potential string injection + * lastlog: fix alignment of Latest header + * Fix yescrypt support #748 + * chgpasswd: Fix segfault in command-line options + * gpasswd: Fix password leak + * Add --prefix to passwd, chpasswd and chage #714 (bsc#1206627) + * usermod: fix off-by-one issues #701 + * ch(g)passwd: Check selinux permissions upon startup #675 + * sub_[ug]id_{add,remove}: fix return values + * chsh: Verify that login shell path is absolute #730 + * process_prefix_flag: Drop privileges + * run_parts for groupadd and groupdel #706 + * newgrp/useradd: always set SIGCHLD to default + * useradd/usermod: add --selinux-range argument #698 + * sssd: skip flushing if executable does not exist #699 + * semanage: Do not set default SELinux range #676 + * Add control character check #687 + * usermod: respect --prefix for --gid option + * Fix null dereference in basename + * newuidmap and newgidmap: support passing pid as fd + * Prevent out of boundary access #633 + * Explicitly override only newlines #633 + * Correctly handle illegal system file in tz #633 + * Supporting vendor given -shells- configuration file #599 + * Warn if failed to read existing /etc/nsswitch.conf + * chfn: new_fields: fix wrong fields printed + * Allow supplementary groups to be added via config file #586 + * useradd: check if subid range exists for user #592 
(rh#2012929)
+- Refresh useradd-default.patch
+- Remove upstreamed patches:
+ * useradd-userkeleton.patch
+ * shadow-audit-no-id.patch
+ * shadow-fix-print-login-timeout.patch
+ * shadow-CVE-2023-29383.patch
+- Dont build lastlog (lastlog.legacy) anymore since we
+ use lastlog2 by default now.
+- This release depends either on libbsd or on glibc >= 2.38
+ which only recently got released. libbsd (and libmd) would be
+ new packages in our ring0
+
+-------------------------------------------------------------------
+Tue Apr 18 15:39:47 UTC 2023 - Michael Vetter
+
+- bsc#1210507 (CVE-2023-29383):
+ Check for control characters
+- Add shadow-CVE-2023-29383.patch
+
+-------------------------------------------------------------------
+Wed Apr 12 12:08:43 UTC 2023 - Thorsten Kukuk
+
+- Rename lastlog to lastlog.legacy to be able to switch to
+ Y2038 safe lastlog2 as default [jsc#PED-3144]
+
+-------------------------------------------------------------------
+Thu Feb 16 11:31:33 UTC 2023 - Michael Vetter
+
+- Update shadow-fix-print-login-timeout.patch
+- Reorder source files and patches
+
+-------------------------------------------------------------------
+Wed Feb 15 10:49:33 UTC 2023 - Ludwig Nussel
+
+- Remove scripts that claim to be config but are in /usr (boo#1191578)
+ * userdel-script.patch
+ * useradd-script.patch
+ * useradd.local
+ * userdel-post.local
+ * userdel-pre.local
+
+-------------------------------------------------------------------
+Fri Jan 13 08:21:46 UTC 2023 - Michael Vetter
+
+- Add shadow-fix-print-login-timeout.patch:
+ Fix printing full login timeout message
+ See gh/shadow-maint/shadow#621
+
+-------------------------------------------------------------------
+Fri Dec 16 10:04:44 UTC 2022 - Michael Vetter
+
+- bsc#1205502: Fix useradd audit event logging of ID field
+ * Add shadow-audit-no-id.patch
+ See gh/shadow-maint/shadow#606
+
+-------------------------------------------------------------------
+Tue Nov 8 21:15:44 UTC 2022 - Michael
Vetter
+
+- Update to 4.13:
+ * useradd.8: fix default group ID
+ * Revert drop of subid_init()
+ * Georgian translation
+ * useradd: Avoid taking unneeded space: do not reset non-existent data
+ in lastlog
+ * relax username restrictions
+ * selinux: check MLS enabled before setting serange
+ * copy_tree: use fchmodat instead of chmod
+ * copy_tree: don't block on FIFOs
+ * add shell linter
+ * copy_tree: carefully treat permissions
+ * lib/commonio: make lock failures more detailed
+ * lib: use strzero and memzero where applicable
+ * Update Dutch translation
+ * Don't test for NULL before calling free
+ * Use libc MAX() and MIN()
+ * chage: Fix regression in print_date
+ * usermod: report error if homedir does not exist
+ * libmisc: minimum id check for system accounts
+ * fix usermod -rG x y wrongly adding a group
+ * man: add missing space in useradd.8.xml
+ * lastlog: check for localtime() return value
+ * Raise limit for passwd and shadow entry length
+ * Remove adduser-old.c
+ * useradd: Fix buffer overflow when using a prefix
+ * Don't warn when failed to open /etc/nsswitch.conf
+- Remove patches we took from upstream pre-release:
+ * shadow-copytree-usermod-fifo.patch
+ * shadow-chage-format.patch
+ * shadow-prefix-overflow.patch
+- Remove chkname-regex.patch:
+ Upstream now also relaxed the usernames requirements.
+ They don't use regex for this but the result is similar.
+ Plus they also check that the name is less than 32 characters long.
+- Rebase useradd-userkeleton.patch
+
+-------------------------------------------------------------------
+Mon Nov 7 11:20:36 UTC 2022 - Michael Vetter
+
+- Add shadow-copytree-usermod-fifo.patch:
+ Fix regression that prevented `usermod -m` to work when their
+ home directory contained at least one fifo
+ See https://github.com/shadow-maint/shadow/pull/565
+
+-------------------------------------------------------------------
+Wed Nov 2 10:59:16 UTC 2022 - Michael Vetter
+
+- bsc#1204811: Fix chage date format string regression
+ * Add shadow-chage-format.patch
+
+-------------------------------------------------------------------
+Mon Oct 24 22:04:41 UTC 2022 - Michael Vetter
+
+- Add shadow-prefix-overflow.patch:
+ Fix buffer overflow when calling useradd with --prefix
+ See https://github.com/shadow-maint/shadow/pull/588
+
+-------------------------------------------------------------------
+Mon Aug 22 13:59:35 UTC 2022 - Michael Vetter
+
+- Update to 4.12.3:
+ Revert removal of subid_init, which should have bumped soname.
+ So note that 4.12 through 4.12.2 were broken for subid users.
+
+-------------------------------------------------------------------
+Fri Aug 19 06:32:28 UTC 2022 - Michael Vetter
+
+- Update to 4.12.2:
+ * Address CVE-2013-4235 (TOCTTOU when copying directories) [bsc#916845]
+- Refresh useradd-userkeleton.patch:
+ LSTAT() was removed with https://github.com/shadow-maint/shadow/pull/545
+ Let's use fstatat() now.
+
+-------------------------------------------------------------------
+Mon Aug 15 17:42:01 UTC 2022 - Michael Vetter
+
+- Update to 4.12.1:
+ * Fix uk manpages
+- Remove shadow-4.12-remove-uk.patch: fixed upstream
+
+-------------------------------------------------------------------
+Fri Aug 12 06:05:35 UTC 2022 - Michael Vetter
+
+- Update to 4.12:
+ * Add absolute path hint to --root
+ * Various cleanups
+ * Fix Ubuntu release used in CI tests
+ * add -F options to userad
+ * useradd manpage updates
+ * Check for ownerid (not just username) in subid ranges
+ * Declare file local functions static
+ * Use strict prototypes
+ * Do not drop const qualifier for Basename
+ * Constify various pointers
+ * Don't return uninitialized memory
+ * Don't let compiler optimize away memory cleaning
+ * Remove many obsolete compatibility checks and defines
+ * Modify ID range check in useradd
+ * Use "extern "C"" to make libsubid easier to use from C++
+ * French translation updates
+ * Fix s/with-pam/with-libpam/
+ * Spanish translation updates
+ * French translation fixes
+ * Default max group name length to 32
+ * Fix PAM service files without-selinux
+ * Improve manpages
+ - groupadd, useradd, usermod
+ - groups and id
+ - pwck
+ * Add fedora to CI builds
+ * Fix condition under which pw_dir check happens
+ * logoutd: switch to strncat
+ * AUTHORS: improve markdown output
+ * Handle ERANGE errors correctly
+ * Check for fopen NULL return
+ * Split get_salt() into its own fn juyin)
+ * Get salt before chroot to ensure /dev/urandom.
+ * Chpasswd code cleanup
+ * Work around git safe.directory enforcement
+ * Alphabetize order in usermod help
+ * Erase password copy on error branches
+ * Suggest using --badname if needed
+ * Update translation files
+ * Correct badnames option to badname
+ * configure: replace obsolete autoconf macros
+ * tests: replace egrep with grep -E
+ * Update Ukrainian translations
+ * Cleanups
+ - Remove redeclared variable
+ - Remove commented out code and FIXMEs
+ - Add header guards
+ - Initialize local variables
+ * CI updates
+ - Create github workflow to install dependencies
+ - Enable CodeQL
+ - Update actions version
+ * libmisc: use /dev/urandom as fallback if other methods fail
+- Add shadow-4.12-remove-uk.patch:
+ Disable non working Ukranian translation for now
+ https://github.com/shadow-maint/shadow/issues/547
+
+-------------------------------------------------------------------
+Tue Aug 9 06:29:07 UTC 2022 - Thorsten Kukuk
+
+- Remove duplicate pam.d/useradd entry
+- Provide /etc/login.defs.d on SLE15 since we support and use it
+
+-------------------------------------------------------------------
+Mon Aug 8 13:00:46 UTC 2022 - Thorsten Kukuk
+
+- Use %_pam_vendordir macro
+
+-------------------------------------------------------------------
+Wed Jan 12 16:52:39 UTC 2022 - Stanislav Brabec
+
+- The legacy code does not support /etc/login.defs.d used by YaST.
+ Enable libeconf to read it (bsc#1192954).
+
+-------------------------------------------------------------------
+Mon Jan 3 10:36:15 UTC 2022 - Michael Vetter
+
+- Update to 4.11.1:
+ * build: include lib/shadowlog_internal.h in dist tarballs
+
+-------------------------------------------------------------------
+Mon Jan 3 10:35:30 UTC 2022 - Michael Vetter
+
+- Update to 4.11:
+ * Handle possible TOCTTOU issues in usermod/userdel
+ - (CVE-2013-4235)
+ - Use O_NOFOLLOW when copying file
+ - Kill all user tasks in userdel
+ * Fix useradd -D segfault
+ * Clean up obsolete libc feature-check ifdefs
+ * Fix -fno-common build breaks due to duplicate Prog declarations
+ * Have single date_to_str definition
+ * Fix libsubid SONAME version
+ * Clarify licensing info, use SPDX.
+
+-------------------------------------------------------------------
+Mon Jan 3 10:29:39 UTC 2022 - Michael Vetter
+
+- Update to 4.10:
+ * From this release forward, su from this package should be
+ considered deprecated. Please replace any users of it with su
+ from util-linux
+ * libsubid fixes
+ * Rename the test program list_subid_ranges to getsubids, write
+ a manpage, so distros can ship it.
+ * Add libeconf dep for new*idmap
+ * Allow all group types with usermod -G
+ * Avoid useradd generating empty subid range
+ * Handle NULL pw_passwd
+ * Fix default value SHA_get_salt_rounds
+ * Use https where possible in README
+ * Update content and format of README
+ * Translation updates
+ * Switch from xml2po to itstool in 'make dist'
+ * Fix double frees
+ * Add LOG_INIT configurable to useradd
+ * Add CREATE_MAIL_SPOOL documentation
+ * Create a security.md
+ * Fix su never being SIGKILLd when trapping TERM
+ * Fix wrong SELinux labels in several possible cases
+ * Fix missing chmod in chadowtb_move
+ * Handle malformed hushlogins entries
+ * Fix groupdel segv when passwd does not exist
+ * Fix covscan-found newgrp segfault
+ * Remove trailing slash on hoedir
+ * Fix passwd -l message - it does not change expirey
+ * Fix SIGCHLD handling bugs in su and vipw
+ * Remove special case for "" in usermod
+ * Implement usermod -rG to remove a specific group
+ * call pam_end() after fork in child path for su and login
+ * useradd: In absence of /etc/passwd, assume 0 == root
+ * lib: check NULL before freeing data
+ * Fix pwck segfault
+- Remove because upstreamed:
+ * shadow-4.9-pwck-segfault.patch
+ * shadow-4.9-newgrp-segfault.patch
+ * shadow-4.9-useradd-subuid.patch
+ * shadow-4.9-sgent-free.patch
+ * shadow-passwd-handle-null.patch
+ * shadow-fix-sigabrt.patch
+ * shadow-libeconf-include.patch
+ * libsubid-build-fix.patch
+- Refreshed:
+ * shadow-util-linux.patch
+ * shadow.changes
+ * shadow.keyring
+ * shadow.spec
+ * useradd-script.patch
+ * useradd-userkeleton.patch
+ * userdel-script.patch
+- Update shadow.keyring:
+ * Serge Hallyn serge@hallyn.com (B175CFA98F192AF2)
+ * Christian Brauner christian@brauner.io (4880B8C9BD0E5106FC070F4F7B3C391EFEA93624)
+
+-------------------------------------------------------------------
+Tue Nov 30 17:12:40 UTC 2021 - Thorsten Kukuk
+
+- Really enable USERGROUPS_ENAB [bsc#1189139].
+ Did go lost during merges.
+
+-------------------------------------------------------------------
+Thu Nov 18 13:46:03 UTC 2021 - Michael Vetter
+
+- Fix segfaults in newgrp and pwck
+ * Add shadow-4.9-newgrp-segfault.patch
+ https://github.com/shadow-maint/shadow/pull/437
+ * Add shadow-4.9-pwck-segfault.patch
+ https://github.com/shadow-maint/shadow/pull/445
+
+-------------------------------------------------------------------
+Tue Nov 16 15:58:46 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+ * shadow.service
+
+-------------------------------------------------------------------
+Tue Nov 9 01:39:44 UTC 2021 - Stanislav Brabec
+
+- shadow-util-linux.patch:
+ * Remove the section patching lib/getdef.c in favor of the
+ upstream FOREIGNDEFS.
+ * Add LOGIN_KEEP_USERNAME to login.defs.
+ * Remove PREVENT_NO_AUTH from login.defs. Only used by the
+ unpackaged login and su.
+- shadow-login_defs-unused-by-pam.patch:
+ * Remove variables BCRYPT_MIN_ROUNDS, BCRYPT_MAX_ROUNDS,
+ YESCRYPT_COST_FACTOR, not supported by the current
+ configuratiton.
+- Update login_defs-support-for-pam symbol to version 1.5.2
+ (support for new variable HMAC_CRYPTO_ALGO).
+- Update login_defs-support-for-util-linux to version 2.37
+ (support for new variable LOGIN_KEEP_USERNAME).
+- Refresh shadow-login_defs-comments.patch and
+ shadow-login_defs-suse.patch.
+- Improve shadow-login_defs-check.sh:
+ * Add helper to import local new version in the parent dir.
+ * Fix spec editing sed expression.
+ * Add PREVENT_NO_AUTH to known unused variables.
+ * Update pam sed expression to find HMAC_CRYPTO_ALGO.
+ * Add more sanity checks.
+
+-------------------------------------------------------------------
+Mon Sep 20 09:43:41 UTC 2021 - Michael Vetter
+
+- bsc#1190146: Fix empty subid range
+ Add shadow-4.9-useradd-subuid.patch
+ https://github.com/shadow-maint/shadow/pull/399
+
+-------------------------------------------------------------------
+Mon Sep 20 09:09:13 UTC 2021 - Michael Vetter
+
+- bsc#1190145: Fix double free in gpasswd:
+ Add shadow-4.9-sgent-free.patch upstreamed as
+ https://github.com/shadow-maint/shadow/pull/417
+
+-------------------------------------------------------------------
+Tue Sep 7 15:08:19 UTC 2021 - Michael Vetter
+
+- Fix shadow-login_defs-check.sh:
+ In the last update we switched from calling make to %make_build
+ macro. Using sed to adapt the spec file now.
+
+-------------------------------------------------------------------
+Wed Aug 18 15:17:52 UTC 2021 - Thorsten Kukuk
+
+- libsubid-devel: add missing requires for libsubid3
+- Remove README.changes-pwdutils, all distros you can upgrade from
+ use already shadow
+
+-------------------------------------------------------------------
+Wed Aug 18 14:59:15 UTC 2021 - Thorsten Kukuk
+
+- login.defs: Enable USERGROUPS_ENAB and CREATE_HOME to
+ be compatible with other Linux distros and the other tools
+ creating user accounts in use on openSUSE. Set HOME_MODE to 700
+ for security reasons and compatibility.
[bsc#1189139] [bsc#1182850]
+
+-------------------------------------------------------------------
+Tue Aug 17 15:08:09 UTC 2021 - Michael Vetter
+
+- Update to 4.9:
+ * Updated translations
+ * Major salt updates
+ * Various coverity and cleanup fixes
+ * Consistently use 0 to disable PASS_MIN_DAYS in man
+ * Implement NSS support for subids and a libsubid
+ * setfcap: retain setfcap when mapping uid 0
+ * login.defs: include HMAC_CRYPTO_ALGO key
+ * selinux fixes
+ * Fix path prefix path handling
+ * Manpage updates
+ * Treat an empty passwd field as invalid(Haelwenn Monnier)
+ * newxidmap: allow running under alternative gid
+ * usermod: check that shell is executable
+ * Add yescript support
+ * useradd memleak fixes
+ * useradd: use built-in settings by default
+ * getdefs: add foreign
+ * buffer overflow fixes
+ * Adding run-parts style for pre and post useradd/del
+- Refresh:
+ * shadow-login_defs-unused-by-pam.patch
+ * userdel-script.patch
+ * useradd-script.patch
+ * chkname-regex.patch
+ * useradd-default.patch: bbf4b79 stopped shipping default file.
+ change group in code now.
+ * shadow-login_defs-suse.patch
+ * useradd-userkeleton.patch
+- Remove because upstreamed:
+ * shadow-4.1.5.1-userdel-helpfix.patch
+ * shadow-4.1.5.1-logmsg.patch
+- Add libsubid-build-fix.patch:
+ See https://github.com/shadow-maint/shadow/issues/387
+- Add shadow-libeconf-include.patch:
+ See c6847011e8b656adacd9a0d2a78418cad0de34cb
+- Add shadow-fix-sigabrt.patch:
+ See https://github.com/shadow-maint/shadow/issues/394
+- Add shadow-passwd-handle-null.patch [bsc#1188307]:
+ See https://github.com/shadow-maint/shadow/pull/398
+- Remove %{_sysconfdir}/default/useradd: file not shipped anymore
+- Remove --disable-shared: Dont need it anymore
+ See https://github.com/shadow-maint/shadow/issues/336
+
+-------------------------------------------------------------------
+Thu Jul 1 11:51:39 UTC 2021 - Thorsten Kukuk
+
+- login.defs/MOTD_FILE: Use "" instead of blank entry [bsc#1187536]
+- Add /etc/login.defs.d directory
+
+-------------------------------------------------------------------
+Sat Jun 5 13:38:52 UTC 2021 - Maurizio Galli
+
+- Enable shadowgrp so that we can set more secure group passwords
+ using shadow.
+
+-------------------------------------------------------------------
+Fri Jun 4 07:46:34 UTC 2021 - Thorsten Kukuk
+
+- Disable MOTD_FILE to allow the use of pam_motd to unify motd
+ message output [bsc#1185897]. Else motd entries of e.g. cockpit
+ will not be shown.
+
+-------------------------------------------------------------------
+Thu Jan 28 22:28:02 UTC 2021 - Stanislav Brabec
+
+- Do not require libeconf-devel on products without /usr/etc.
+
+-------------------------------------------------------------------
+Thu Jan 21 06:52:30 UTC 2021 - Thorsten Kukuk
+
+- Split login.defs configuration file into own sub-package, which
+ allows to install util-linux or pam on small embedded/edge
+ systems or container without the need to pull in the full shadow
+ suite.
+
+-------------------------------------------------------------------
+Wed Nov 11 14:38:13 UTC 2020 - Fabian Vogt
+
+- Amend patches/useradd-userkeleton.patch to also write into
+ existing directories and prefer files from /etc
+
+-------------------------------------------------------------------
+Wed Nov 11 11:28:09 UTC 2020 - Dr. Werner Fink
+
+- Add patch useradd-userkeleton.patch to extend original C code
+ of useradd to handle /usr/etc/skel (boo#1173321)
+- Remove /usr/etc/skel support in useradd.local script
+
+-------------------------------------------------------------------
+Mon Nov 2 15:54:02 UTC 2020 - Dr. Werner Fink
+
+- Change again useradd.local script to let it work even for system
+ accounts and work together with SELinux (bsc#1178296)
+- Change patch useradd-script.patch to support the four arguments
+ used by the useradd.local script (bsc#1178296)
+
+-------------------------------------------------------------------
+Fri Oct 9 13:12:11 UTC 2020 - Dr. Werner Fink
+
+- Add support for /usr/etc/skel to useradd.local script (boo#1173321)
+
+-------------------------------------------------------------------
+Thu Oct 8 03:16:58 UTC 2020 - Stanislav Brabec
+
+- shadow-login_defs-check.sh: Fix the regexp to get a real variable
+ list (boo#1164274).
+
+-------------------------------------------------------------------
+Tue Sep 8 00:56:37 UTC 2020 - Stanislav Brabec
+
+- login.defs: Add support for new util-linux-2.36 login variable
+ MOTD_FIRSTONLY (shadow-util-linux.patch).
+- shadow-login_defs-comments.patch: Remove duplicated
+ LASTLOG_UID_MAX.
+- shadow-login_defs-check.sh: Update for new build system.
+- shadow-util-linux.patch: Restore lost chunk: SYSLOG_SU_ENAB is
+ not used in SUSE Linux.
+- Refresh shadow-login_defs-suse.patch and
+ shadow-login_defs-comments.patch.
+
+-------------------------------------------------------------------
+Fri May 22 11:21:15 UTC 2020 - Fabian Vogt
+
+- Use pure #!/bin/sh in:
+ * useradd.local
+ * userdel-post.local
+ * userdel-pre.local
+
+-------------------------------------------------------------------
+Fri Jan 24 08:09:23 UTC 2020 - Michael Vetter
+
+- Update to 4.8.1:
+ * selinux: include stdio
+ * man: don't suggest making groupmems user-writeable
+ * Makefile: bail out on error in for loops
+ * Adding logging of SSH_ORIGINAL_COMMAND to nologin
+ * add new HOME_MODE login.defs option
+ * Add tty logging to useradd
+ * Useradd: make non-executable shell check only a warning
+ * Update Dutch translation
+ * user_busy: Do not mistake a regular user process for a namespaced one
+ * Revert "Honor --sbindir and --bindir for binary installation"
+- Remove shadow-4.8-shell-check.patch: included
+- Remove shadow-4.8-selinux-include.patch: upstreamed
+
+-------------------------------------------------------------------
+Mon Jan 20 10:36:20 UTC 2020 - Michael Vetter
+
+- Set 0755 for chpasswd, groupadd, groupdel, groupmod, newusers,
+ useradd, userdel, usermod explicitly.
+
+-------------------------------------------------------------------
+Thu Jan 16 12:54:39 UTC 2020 - Michael Vetter
+
+- bsc#1160729: Make valid shell check only a warning
+ * Add shadow-4.8-shell-check.patch
+
+-------------------------------------------------------------------
+Tue Dec 17 12:43:01 UTC 2019 - Michael Vetter
+
+- Update to 4.8:
+ * Initial optional bcrypt support.
+ * Make build/install of 'su' optional.
+ * Fix for vipw not resuming correctly when suspended
+ * Sync password field descriptions in manpages
+ * Check for valid shell argument in useradd
+ * Allow translation of new strings through POTFILES.in
+ * Migrate to itstool for translations
+ * Migrate to new SELinux api
+ * Support --enable-vendordir
+ * pwck: Only check homedir if set and not a system user
+ * Support nonstandard usernames
+ * sget{pw,gr}ent: check for data at EOL
+ * Add YYY-MM-DD support in chage
+ * Fix failing chmod calls for suidubins
+ * Fix --sbindir and --bindir for binary installations
+ * Fix LASTLOG_UID_MAX in login.defs
+ * Fix configure error with dash
+- Remove because upstreamed:
+ * libeconf.patch
+ * shadow-usermod-variable.patch
+- Rebase:
+ * shadow-login_defs-unused-by-pam.patch
+ * chkname-regex.patch
+ * shadow-util-linux.patch
+ * shadow-login_defs-comments.patch
+- Add shadow-4.8-selinux-include.patch
+ See https://github.com/shadow-maint/shadow/pull/200
+
+-------------------------------------------------------------------
+Mon Oct 7 09:50:30 CEST 2019 - kukuk@suse.de
+
+- libeconf.patch: Add support for libeconf and /usr/etc for
+ login.defs.
+- Move first configuration files and pam config files to /usr/etc
+
+-------------------------------------------------------------------
+Mon Sep 2 11:12:59 UTC 2019 - mvetter@suse.com
+
+- bsc#1144060: Add pam_keyinit.so to /etc/pam.d configuration files
+ to support kernel keyring feature
+- Update pamd.tar.bz2 with pam configuration files accordingly
+
+-------------------------------------------------------------------
+Mon Aug 19 14:50:02 CEST 2019 - kukuk@suse.de
+
+- encryption_method_nis.patch: drop, DES should really not be used
+ anymore anywhere, even with NIS
+- shadow-login_defs-suse.patch: remove encryption NIS entry
+
+-------------------------------------------------------------------
+Fri Jul 26 23:44:56 CEST 2019 - sbrabec@suse.com
+
+- Fix incorrect variable name in usermod
+ (shadow-usermod-variable.patch).
+- shadow-login_defs-comments.patch:
+ * Drop SHA_CRYPT_*_ROUNDS that are in the upstream login.defs.
+ * Add missing LASTLOG_UID_MAX.
+ * Refresh shadow-login_defs-suse.patch.
+- Port shadow-login_defs-check.sh to match the current spec file
+ and login.defs.
+
+-------------------------------------------------------------------
+Thu Jul 25 15:27:15 CEST 2019 - kukuk@suse.de
+
+- Provide "useradd_or_adduser_dep" for sysuser-shadow
+
+-------------------------------------------------------------------
+Sat Jul 20 02:11:10 CEST 2019 - sbrabec@suse.com
+
+- shadow-login_defs-suse.patch: Set ALWAYS_SET_PATH default to
+ "yes" (bsc#353876#c7).
+
+-------------------------------------------------------------------
+Fri Jul 19 10:19:44 UTC 2019 - sbrabec@suse.com
+
+- Fix comment about patch in spec file
+
+-------------------------------------------------------------------
+Fri Jun 14 06:20:46 UTC 2019 - mvetter@suse.com
+
+- Update to 4.7:
+ * Spawn: don't loop forever on ECHILD
+ * Do not fail locking if there is a stale lockfile (Tomas Mraz)
+ * Use lckpwdf if prefix not set (Tomas Mraz)
+ * Build: check correct DocBook version (Jan Tojnar)
+ * Usermod: Print 'no changes' to stdout, not stderr (Serge Hallyn)
+ * Add support for btrfs subvolumes for home (Adam Majer)
+ * Fix chpasswd long line handling (Nathan Ruiz)
+ * Use secure_getenv for gettime (Chris Lamb)
+ * Make sp_lstchg reproducible (Chris Lamb)
+ * Do not crash commonio_close if db file is not open (Tomas Mraz)
+ * Don't flush nscd and sssd cache in read-only mode (Charlie Vuillemez)
+ * French manpage update (Alban VIDAL)
+ * Fix manpage defaults for SUB_UID/GID_COUNT (Tomas Mraz)
+ * Sync po files from shadow.pot (Alban VIDAL)
+ * Usermod: guard against unsafe chown of homedir contents (Tomas Mraz)
+ * Add LASTLOG_UID_MAX to login.defs (Tomas Mraz)
+ * new[ug]idmap file capabilities support (Giuseppe Scrivano and Christian Brauner)
+ * Fix segfault in useradd (bsc#1141113, Tomas Mraz)
+ * Coverity issues (Tomas Mraz)
+ * Flush sssd caches (Jakub Hrozek)
+ * Log UID in nologin (Vladimir Ivanov)
+ * run pam_getenvlist after setup_env in su.c (Michael Vogt)
+ * Support systems with only utmpx (A.
Wilcox)
+ * Fix unguarded ENABLE_SUBIDS code (Jan Chren (rindeal))
+ * Update po/zh_CN translation (Lion Yang)
+ * Create parent dirs for useradd -m (Michael Vetter)
+ * Prevent usermod segv
+ * Fix usermod crash (fariouche)
+- Remove btrfs-subvolumes.patch (fate#316134):
+ upstreamed: https://github.com/shadow-maint/shadow/pull/149
+- Remove useradd-mkdirs.patch (bsc#865563):
+ upstreamed https://github.com/shadow-maint/shadow/pull/112
+- Remove shadow-4.6.0-fix-usermod-prefix-crash.patch
+ upstreamed https://github.com/shadow-maint/shadow/issues/110
+- Remove shadow-4.6-bsc1141113-useradd-segfault.patch
+ (SLE15 SP3 and openSUSE Leap 15.3 only)
+ upstreamed https://github.com/shadow-maint/shadow/issues/125
+- Rebase userdel-script.patch
+- Rebase useradd-script.patch
+- Rebase shadow-util-linux.patch
+
+-------------------------------------------------------------------
+Thu May 30 11:15:49 UTC 2019 - Martin Pluskal
+
+- Make building more verbose
+- Use spec-cleaner
+
+-------------------------------------------------------------------
+Thu May 2 09:45:48 UTC 2019 - lnussel@suse.de
+
+- don't specify MOTD_FILE in login.defs but fall back to built in
+ defaults of login (boo#1133929)
+
+-------------------------------------------------------------------
+Tue Apr 30 22:27:14 CEST 2019 - sbrabec@suse.com
+
+- Split shadow-login_defs.patch hunks to its logical components
+ (bsc#1121197):
+ * shadow-login_defs-unused-by-pam.patch
+ * shadow-login_defs-comments.patch
+ * shadow-util-linux.patch
+ * shadow-login_defs-suse.patch
+ * Move appropriate hunks to chkname-regex.patch and
+ encryption_method_nis.patch
+ * Remove GROUPADD_CMD that is not supported (bsc#1121197#c14).
+- Split getdef-new-defs.patch hunks to its logical components
+ (bsc#1121197):
+ * encryption_method_nis.patch
+ * chkname-regex.patch
+ * shadow-util-linux.patch
+ Add support for login: ALWAYS_SET_PATH and LOGIN_PLAIN_PROMPT.
+ * useradd-script.patch, userdel-script.patch
+ * Remove duplicated definitions of MOTD_FILE and ENV_PATH.
+- Add shadow-login_defs-unused-check.sh to allow verification of
+ login.defs variable usage (bsc#1121197).
+- Add virtual symbols for login.defs compatibility (bsc#1121197).
+
+-------------------------------------------------------------------
+Wed Jan 23 09:35:01 UTC 2019 - adam.majer@suse.de
+
+- btrfs-subvolumes.patch: implement support for creating user home
+ directories on btrfs subvolumes (fate#316134)
+
+-------------------------------------------------------------------
+Wed Oct 31 14:17:29 UTC 2018 - Valentin Rothberg
+
+- Add empty /etc/sub{u,g}id files. useradd and usermod add entries for users
+ only when those files exist. Having those entries is a requirement to create
+ user namespaces, for instance, when running podman as a non-root user.
+
+-------------------------------------------------------------------
+Mon May 14 12:45:42 UTC 2018 - mvetter@suse.com
+
+- Update to 4.6:
+ * Newgrp: avoid unnecessary lookups
+ * Make language less binary
+ * Add error when turning off man switch
+ * Spelling fixes
+ * Make userdel work with -R
+ * newgidmap: enforce setgroups=deny if self-mapping a group
+ * Norwegian bokmål translation
+ * pwck: prevent crash by not passing O_CREAT
+ * WITH_TCB fixes from Mandriva
+ * Fix pwconv and grpconv entry skips
+ * Fix -- slurping in su
+ * add --prefix option
+- Remove CVE-2018-7169.patch: upstreamed
+- Remove shadow-4.1.5.1-pam_group.patch: upstreamed
+- Update userdel-script.patch: change due to prefix
+- Update useradd-mkdirs.patch: change due to prefix
+ Additionally changed in that patch (bsc#1106914):
+ * Test for strdup() failure
+ * Directory to 0755 instead 0777
+- Add shadow-4.6.0-fix-usermod-prefix-crash.patch:
+ Fixes crash in usermod when called with --prefix.
+ See https://github.com/shadow-maint/shadow/issues/110
+
+-------------------------------------------------------------------
+Thu Feb 22 15:10:45 UTC 2018 - fvogt@suse.com
+
+- Use %license (boo#1082318)
+
+-------------------------------------------------------------------
+Fri Feb 16 08:39:08 UTC 2018 - kbabioch@suse.com
+
+- Added CVE-2018-7169.patch: Fixed an privilege escalation in newgidmap,
+ which allowed an unprivileged user to be placed in a user namespace where
+ setgroups(2) is allowed. (CVE-2018-7169 bsc#1081294)
+
+-------------------------------------------------------------------
+Wed Nov 8 12:39:12 UTC 2017 - mvetter@suse.com
+
+- bsc#1061838:
+ Revert: Requires: group(mail)
+ Introduced circular dependency
+
+-------------------------------------------------------------------
+Fri Oct 13 15:44:28 UTC 2017 - adam.majer@suse.de
+
+- Revert accidentalied prerequisites.
+ Use PreReq for permissions
+
+-------------------------------------------------------------------
+Thu Oct 12 08:59:28 UTC 2017 - schwab@suse.de
+
+- Prequire group(shadow), group(root), user(root)
+
+-------------------------------------------------------------------
+Mon Oct 9 11:53:44 UTC 2017 - mvetter@suse.com
+
+- bsc#1061838:
+ Add Requires for group(mail)
+
+-------------------------------------------------------------------
+Thu Sep 14 08:18:27 UTC 2017 - mvetter@suse.com
+
+- boo#1048645:
+ Set suid bit for newuidmap and newgimap
+
+-------------------------------------------------------------------
+Thu Sep 14 08:17:08 UTC 2017 - mvetter@suse.com
+
+- Revert the changes for bsc#1023895 back
+ Pulls in too many deps into ring0.
+ Next version of shadow plans to have no conditional man pages.
+
+-------------------------------------------------------------------
+Fri Sep 8 11:41:13 UTC 2017 - mvetter@suse.com
+
+- run spec-cleaner
+- bsc#1023895:
+ man page contained invalid options because they depend
+ on compile flags and we shipped pre built ones.
+ New BuildRequires: docbook-xsl-stylesheets docbook_4 xml2po
+ xsltproc
+
+-------------------------------------------------------------------
+Thu Jun 8 17:00:57 CEST 2017 - kukuk@suse.de
+
+- Adjust requires (we need user/group root instead of aaa_base now)
+
+-------------------------------------------------------------------
+Mon May 22 13:31:25 UTC 2017 - adam.majer@suse.de
+
+- New upstream version 4.5
+- Refreshed patches:
+ * shadow-login_defs.patch
+ * chkname-regex.patch
+ * getdef-new-defs.patch
+ * useradd-mkdirs.patch
+- Upstreamed patches:
+ * shadow-4.1.5.1-manfix.patch
+ * shadow-4.1.5.1-errmsg.patch
+ * shadow-4.1.5.1-backup-mode.patch
+ * shadow-4.1.5.1-audit-owner.patch
+ * shadow-4.2.1-defs-chroot.patch
+ * shadow-4.2.1-merge-group.patch
+ * Fix-user-busy-errors-at-userdel.patch
+ * useradd-clear-tallylog.patch
+- shadow-4.1.5.1-pam_group.patch
+ dynamically added users via pam_group are not listed in groups
+ databases but are still valid
+- shadow.keyring: update keyring with current maintainer's keyid
+ only - Serge Hallyn 'F1D08DB778185BF784002DFFE9FEEA06A85E3F9D'
+- disable_new_audit_function.patch:
+ Disable newer libaudit functionality for older distributions
+
+-------------------------------------------------------------------
+Mon Feb 20 07:28:24 UTC 2017 - josef.moellers@suse.com
+
+- useradd: call external program "/sbin/pam_tally2" to reset
+ failed login counter in "/var/log/tallylog"
+ (bsc#980486, useradd-clear-tallylog.patch)
+
+-------------------------------------------------------------------
+Wed Nov 2 07:41:51 UTC 2016 - meissner@suse.com
+
+- add keyring, three public keys from https://pkg-shadow.alioth.debian.org/download.php
+
+-------------------------------------------------------------------
+Tue Oct 18 15:55:43 UTC 2016 - mvetter@suse.com
+
+- bsc#1002975: Use permissions according to permissions package
+ and dont try to manipulate them in %files section.
+ +------------------------------------------------------------------- +Wed Sep 14 07:46:33 UTC 2016 - mvetter@suse.com + +- boo#994486: Include shadow.5 manpage + Previously this was provided by man-pages package in + the man-pages-addons tarball which got removed later on. + +------------------------------------------------------------------- +Tue May 31 06:48:41 UTC 2016 - mvetter@suse.com + +- Add package dependency for aaa_base, fixing bnc#899409 + (was done by tbehrens@suse.com but not submitted to Factory) + +------------------------------------------------------------------- +Mon May 30 09:41:55 UTC 2016 - mvetter@suse.com + +- shadow 4.2.1 requested by fate#320422 +- bsc#979069: Dont include shadow-4.1.5.1-bug935203-manpage.patch +- Dont set SUID bit yet. Once bsc#979282 is through, which will adapt the permissions package, we can enable the SUID bits. + Remove the files used to circumvent the check. +- Remove: + * shadow-rpmlintrc + * shadow-subids + * shadow-subids.easy + * shadow-subids.secure + * shadow-subids.paranoid + +------------------------------------------------------------------- +Thu May 19 12:28:47 UTC 2016 - christian.brauner@mailbox.org + +- Update to shadow-4.2.1: + - add support for subuids/subgids via newuidmap/newgidmap +- Rename chkname-regex.diff to chkname-regex.patch +- Rename encryption_method_nis.diff to encryption_method_nis.patch +- Rename getdef-new-defs.diff to getdef-new-defs.patch +- Rename shadow-login_defs.diff to shadow-login_defs.patch +- Rename userdel-scripts.diff to userdel-script.patch +- Rename useradd-script.diff to useradd-script.patch +- Rename useradd-default.diff to useradd-default.patch +- Rename useradd-mkdirs.diff to useradd-mkdirs.patch +- Add fixes from Red Hat/Fedora: + - shadow-4.1.5.1-audit-owner.patch.patch: + - log owner changes for home directory + - shadow-4.1.5.1-userdel-helpfix.patch.patch: + - give a hint about what happens when you force the removal of a user + - 
shadow-4.2.1-defs-chroot.patch.patch: + - initialize uid_t uid_min and uid_t uid_max not before we need them + - shadow-4.2.1-merge-group.patch.patch: + - simplify by using a single call to snprintf() +- Add upstream fix + - Fix-user-busy-errors-at-userdel.patch: + - call sub_uid_close() + +------------------------------------------------------------------- +Fri Jan 15 11:08:29 UTC 2016 - fvogt@suse.com + +- Moved call from %verifyscript into %post: + * Caused call to %service_add_post shadow.service shadow.timer + during rpm -qV shadow + +------------------------------------------------------------------- +Wed Jul 15 13:25:11 UTC 2015 - jkeil@suse.de + +- Add systemd unit files to continuously check password & groupfile integrity + * Idea from Arch Linux + * pending request to systemd-presets-branding-openSUSE to enable by default + +------------------------------------------------------------------- +Mon Mar 31 22:00:00 UTC 2014 - tbehrens@suse.com + +- Add patch useradd-mkdirs.diff: fix for bnc#865563, create all parts + of the path + +------------------------------------------------------------------- +Fri Nov 22 10:15:25 UTC 2013 - werner@suse.de + +- Stop any systemd user manager instance in case a user entry will + be deleted (bnc#849870). Nevertheless a running process requires + the option --force for the userdel command. + +------------------------------------------------------------------- +Tue Nov 12 14:47:30 CET 2013 - kukuk@suse.de + +- Add ENCRYPT_METHOD_NIS for pam_unix.so (encryption_method_nis.diff) + +------------------------------------------------------------------- +Tue Sep 17 14:56:44 CEST 2013 - kukuk@suse.de + +- Add some fixes from Fedora: + - shadow-4.1.5.1-backup-mode.patch: open backup file with correct + permissions. 
+ - shadow-4.1.5.1-logmsg.patch: fix error message + - shadow-4.1.5.1-errmsg.patch: print error reason + - shadow-4.1.5.1-manfix.patch: fix manual page + +------------------------------------------------------------------- +Tue Feb 5 13:19:46 CET 2013 - kukuk@suse.de + +- Cleanup login.defs and enable ENCRYPT_METHOD [bnc#802006] + +------------------------------------------------------------------- +Tue Nov 13 17:31:50 CET 2012 - kukuk@suse.de + +- Fix getdef default variables (getdef-new-defs.diff) + +------------------------------------------------------------------- +Tue Nov 13 10:36:28 CET 2012 - kukuk@suse.de + +- Fix default group value in /etc/default/useradd + (useradd-default.diff) + +------------------------------------------------------------------- +Thu Sep 27 15:20:44 CEST 2012 - kukuk@suse.de + +- Implement CHARACTER_CLASS support + (chkname-regex.diff) + +------------------------------------------------------------------- +Wed Sep 26 15:20:06 CEST 2012 - kukuk@suse.de + +- Add support for useradd.local + (useradd-script.diff) + +------------------------------------------------------------------- +Tue Sep 25 16:22:18 CEST 2012 - kukuk@suse.de + +- Fix spec file +- Adjust login.defs + (shadow-login_defs.diff) +- Add userdel*.local script support and scrips + (userdel-scripts.diff) + +------------------------------------------------------------------- +Mon Sep 24 16:04:03 CEST 2012 - kukuk@suse.de + +- Initial package [FATE#314473] diff --git a/shadow.keyring b/shadow.keyring new file mode 100644 index 0000000..669b83e --- /dev/null +++ b/shadow.keyring 
@@ -0,0 +1,239 @@ +Serge Hallyn +Serge Hallyn + +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBE+oKZQBCACz5WylGAr+eitZjuSigzR+y30W3E+gkU0DSNlBB3WlorOtmzMX +9F2d+z+ozJuez4NPqwfQ5y2ExKSbL8i1rwYmExZIzTDpm1Q6N3hG+vLbxwbrbsKT +qW9rPiXriU5yRwuvVJl4NOU6T/Pau3/VD8iFN7U4mVpNFVPlB8vCvDJ+07Z0xIH9 +MXe8uaERG3v2EL7Mv8L5w05XEeuTT/CJiw6NdzwjZc1FymVoFjntetl8HaJ+5JCB +2ylAbnw/wZJHORgsLxZhOL6/zrJRG8GvjgB+1l8izgl4n0DOqjyyoQIZJ+mfuHR0 +6wDqwvP5F9RZqCh8Md4hYujop5a0BKfAzLfdABEBAAG0IFNlcmdlIEhhbGx5biA8 +c2VyZ2VoQGtlcm5lbC5vcmc+iQFOBBMBCgA4FiEEZtA4fbhdMg+ECBZtsXXPqY8Z +KvIFAl2r0d0CGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQsXXPqY8ZKvIM +nAgAiTpLlXuzyD4C+9I/yCA9N/BqK43jnMfJOl/Ky56vgJ/WbrFJLuO3wubMlRLD +3jurC6SK2g0TpygyoX2MjwZVT60Sq3ZcgIh71yyWHhtZ29NuUiKsKnajb9IlP+AM +1V0g9py41YdDUmAuC/5crqyK+8u1CVrB/is7Eym598gIl9nyGvaZrzgjG1cRCjzf +ZU8pRG+VPMr5Xla8rDKBZl+LcusV90eAUa0E/KVFS5N1dQ6HKckYXPSBN3DKHZy+ +qKa1k7Dq0CnkTjQmjaMu3j5sdOXg4QUfhCHeLDFAtadNdP04I6g5KZRvC44XdQ1A +bxFMLyObhCsq/QxSh/nYrKsw0rQsU2VyZ2UgSGFsbHluIChrZXJuZWwub3JnKSA8 +c2VyZ2VAaGFsbHluLmNvbT6JATgEEwECACIFAk+oKZQCGwMGCwkIBwMCBhUIAgkK +CwQWAgMBAh4BAheAAAoJELF1z6mPGSryYfEIAJviOHYwzXjnHWrsbQQ75rJq2wQ4 +NlM5FRljskufCXtIz/DUpKKT3aqG3y7ywtEwl4ePofJmLbC0O5bZF9blgSSCV02z +zGdeUosAJsxumYHVi9CRHWsiAaNMX8gif9vePqz/iY/caPS4w4gBXJK8vLwvxToI +4CZDwIlMkMov//3HQ5v5OKfeqbA1rnsGI74vUw9Zt/Sqgudz5bY65693OqeRRWU6 +tOH8zo4HkFew26Ydh80qAn1R7ALnk68zwfXj8vdyR9f05dEqbg/4thZWcjWC/Frn +QOjcTwKu5DnUCE937a1MPzt4t1FCYUHrqcLN99uzGuOD42o9/S+JAa2HWhe5Ag0E +Zb/8ygEQAPBwca/apgMnuaVqUSYOCz3qyQ9S65yyifznXrLRYjS3WwCl/yb8imer +Hw5ykDij2WjlHQbod2j/pooCJuhOUfqg1JI5o2nNNFsLOxrYSGsScsK1pSDyOgA4 +Kg+wnAGzNAmW47fI05HfCILeK8CvHylxbpEHM0Ola/KivBmg9mqq7I/zTElL9oDT +oOyyO7B0IHZUCbjjkApHZY8VH89kcyBsrXKh5o8BwjwyqiZKvt4uzEjOS58iUYts +rxCDnyGLfp4MFsOWhQi2Z8mN+7iPEApUiKKu+Z4ESCq+/YUtjlIrmcAmw6aqlxLT +/6RqEpoUj57zq+JuYZQKsnEJpnUayG/cFomrsPQuAz4pbWDb0Q/yXLqCw3QR1vjm +kFmgaT8gtO4Idn2qfQ0Nnj8LCcSXjSsWBCaEPVF6Tq5TGMaJOjTwSCFWrW6AsNkw 
+PI9G8OWfpUWB7ciF4sdGYnBpT11xhUeUg0UsBbOLWQCC8fVIs1gsrwDLbIxXx1lV +XRncM9/6FYQ5IX95N8te2GBDkYzdpTpxgQAqaPHsHvbEoop10qn+HDem0zV66zT2 +6EAmD3w9PVlRFYqxGjiAjXC8nwsdnNxuGVBqrZjy2YFDI7JIk9k0qKVDrx3o7/L3 +tj0kPjg69Zg2QqgozBSLc4CCS2DzXKjeelxY7IAqfmXel4p5QHRnABEBAAGJA2wE +GAEKACAWIQRm0Dh9uF0yD4QIFm2xdc+pjxkq8gUCZb/8ygIbAgJACRCxdc+pjxkq +8sF0IAQZAQoAHRYhBH5W4sE/p3zjFVmtyX3CTDbDNB0gBQJlv/zKAAoJEH3CTDbD +NB0gUxgQAMW3d6UYo3HdM56El7B8f1PiPKjNBU4A4rZTm/veZFvlr2hSlTQXxxgf +5Y/Eh8VDal9yMhoI8VjfEsyDEmRBgv+KteDaC9YWv/WycImS1tcjF6ddX8s5sVLm +yie1C+SZKxw0ExgWJJzQgJD0xCgEo/2ci4Xc14Et8ay4CiOscfONngAu0Su2WFSg +dtFEcQcYtxR87E8wyPya34OtQuKpwS2+Om5m75/qi6odtnuaB84/TajMyFz/9Fvo +lleUJ0HvnVOpbd2wdmprkTGP7lnhxrBYi2JCZTcaO32gvADZEY9m6zEimFx1fYJJ +QPpl4mO5XhRHtImsg2BKSJZSKhp7IxWP4O2GkrL714c+BiOAYtXnGijBPW3K6h0P +pToGS9DkNwBHJAULXQXydIbvy6knSvgrG44aOS/M1MnbgbfW8GuKOgYtOVyCRk/1 +463gsr92BkM1zHF/+Q0I88wB+ZiYjSyYXtJx1jtaUUUhio1GM76Z35YFCiZ9sdi3 +IA8hgc8WSW4FESFZq2hbaOc9j0uifPbsZY+uE1vcQN7niBGvdEidAzkKtroOhzBM +I5qWDh3UxWj5pXeNntExucf4bhM9abb57NshNd1GFGE8uIIgiJAF45JAh922vHCr +9T4NaKwf3MC7fGo+kBSTNNh7V35gxg96NTk+cq71eh13007l5GWy7B0H+gJ/V5J6 +5xXkUnIx04oUztD2a6YIPuWVRwuyRsHSCzpqFR8K2iRzJFBlrQdMslUSXQJ0kFcM +W70cC0LO+nXF7G57mS5z3ZMILfEkLSFUIwHRdzFu0j9nDjQwcF9ws8ExBAgkAMi+ +2VzqMVHz4TekGMEgE/vP2RQSSR4T6JycYRI4gLyhDX9+uZsHBkb46Nn4nUGEqjJ1 +umVMYg1Ww6vJqzkKLjWnibkA0fKaUmhVJS2RZ1Dr6Xm+LFFFzSpHGGhy4vvik0FO +RyTNv5jBmMwRcebLcodl8m22KpwjRTkSOOzx+cXlB9KOVlbLj1UxCxFirufHRqxy +F9sprm3IKJxe4/65AQ0EXavhqwEIAMKECc/f8f0/CenKkz3wXGEtlG46YLjtTt2t +WYXdt9Z04ihVaYePanFtvuujyO3I3jUQNv2foU1CtOuVyfZqX+TXqs0BUPXWwTCk +MOyc/fEQ5u0BFJjWYtmr2sZY4Ag1juJsmzI7g3cnMLL9LbjpbHRruFIT5rnv9NwG +7PURn1XnCt9tdZ/d0h7vEaNkD37j67rjy8UElVVcwVGhsCR8CkqwZ6ZwpQxE9wyq +/Txb+v8qEJcohc5SWbYl70AtzHObokkW6cvRjNz+BcEpnPfu10lbPO/8a16B96VD +djDGPj2shfNsFLaT8MtFfDAdjZRGlrfv3Wp4qFRlSUGrjInvOLMAEQEAAYkBNgQY +AQoAIBYhBGbQOH24XTIPhAgWbbF1z6mPGSryBQJdq+GrAhsgAAoJELF1z6mPGSry +W4wH/3Xk9x+WUxeJNtm+5hOfe/KBsXQUbBz+JHGFjd9YQw98jUvPNN1RfgtKf31b 
++FDKbk/cu+9bNLSfhKDz2AEREViogKRcVjJDy9XmmWQd1oo+M4GHNYhpIt5ZK1d3 +CROIiqisLQsih64/gl9gboMcsUuHRkc3hVKUb2umCZPG37hUdAvOmOMS7/0KCGS5 +pXnfsX+zegSKjps12siExYXiRpkxbF9MW7er6/6ukvHLx4jHpgiZ5Sjt/9OqUiAO +gUSQfhpAUJlaLxe9E3nj+ABs7LV+FOjtI64skqgqbYo5VXobFSJhqFTog1+KmMzn +fsdKaOZQuZh3v3TtGUzkxoMUHPe5AQ0EXavhYgEIAMd+iVOTx6FC3Ghv2PASeXsn +xtb9Af+aBjNf0m8WKTLgIS9xQbxgNJctG6AEptkBfAStRLIA5qOa0iYIpkJynEPb +onJ12qvtlJ6b6g1h3AThYXQBjTQ89X+rlFzVGQsieqanjI+fiSNbDarOLQUbeJOr +kfFukr34o5xloKENL/kwu1lDG/Y2GMxZRLe1aVJUXQg4FiEiaE+LNFbrUHxdNR2P +E4XuJHetneHEiT/zXpvEF4MCisjJTGAHEC43rl7OqHU/GDdcW0udyf9v33LCFWTR +LlgKKHVyUrHVhVzbB2z1+xnxxh/bQXjgttIP3Zqn8LXiLnUNU5+ejJiuAwdwcn8A +EQEAAYkBNgQYAQoAIBYhBGbQOH24XTIPhAgWbbF1z6mPGSryBQJdq+FiAhsMAAoJ +ELF1z6mPGSry9/UH/0vOoYu6b57UxsJNR5dCMhsPYV7FFIX9uj5XIDo/bQt2RTMa +2PuKMbcDGINsDqHXqOFpZq5WDHhq0cEoIqhlkgj1uC77LLGw7mWyiaMbITQDlRzP +9c9Qj3NkGNKW6FTwR7LPh43kgXygO1StVADIdHapiw9hI52rF8FrNYy4oNRXhUcD +Pfn03akuIbF75saCHaYO/xoQeEqE+0qV82V/FT5tISMygkzgq+9zUhiA4XQjxiVh +SK2cAi0iUTXZecyEueLk6zZ9vkD8JZagSirTFgxtLrnhVpUBJMOgffv5jmO/Sun4 +s+3JbAdicmsFqw90hWmGNwa0F5HZ20rEVAwkdt25AQ0EXavgpgEIAOk8dMgYu4Q7 +hU461EC/MtxIiwSD8i7lizUB8SzxFPnyWgkvG2Fik5lUiDJmEstLdCm3dpapiJud +zcTgl9Abo4xgoq+VbKRCPk0017JE2bNSbF3TmxhaHAHiBvhU/U+kRz+lDnUE1Smh +zGd1yn1kCvmG9MmWjiQPkG9vLx3d46DBnqHO6wn1AFeKiKuyCs1igvtT2qz+2+iz +Y9tyd+s2O95+1CDQslqQ8IQNP00cFTJljsk3dmZXQb6SkxxTNG+E/2vMdUZhUbb7 +UIFUOmFekZvGZMIf9sNMJGCVIN+vyMMhE1MA17iJGxtAFVqeMN4wA9+MA4z5udke +gdbxnWxLtg0AEQEAAYkCbAQYAQoAIBYhBGbQOH24XTIPhAgWbbF1z6mPGSryBQJd +q+CmAhsCAUAJELF1z6mPGSrywHQgBBkBCgAdFiEEqb0/8XByttt4D8+UNXDaFycK +ziQFAl2r4KYACgkQNXDaFycKziT2fAf+PgS08m9Uiks9LWAp9BpaiVn0SXx/XYhT +JmRr78UrCHogZstAET2haLqWwMIoyOpie5Vutxi2WXQtzsJ1BHV9LB/NP3nFT/P9 +asZXzFtBBRQsDwxW5ii20hkHKG10M2+QGiC0ssfi1zjQFKbaOpxvou5Pi+zBQuT1 +RQ65NQrFYQI4zdyLbnniX2EZpDipLFJeGs881HQt7RjwSUtAjXW9M/pQQDp/JWEj +p6D3R4ys0/Y4cJblCci5rM8Un/aVvXYGBqEpsddhH9xGpk0JTWtGAfw1a0ovRv39 +D1uwG8uXTQiUDTGGlllXhzpLkcJBtT8VeogiAGZC99pbNW5BU8cbFyOHB/9Q/HBm 
+Iqmj5MYvQZCQ//cf9Af9gc+o2YA4/Kg2pSf9GKZizd3J8NO05O6YSsXqIsBr2lIG +jw4klkE7GyRd/KVMQOxrFY9vFcdSxQuklnFUeiH73RFP3nsdzw+MRr4Hcpbm9F0f +CnB6aU1gqf74e/6Qiv6d2pq7Dzyzx7ZCm8BRLT2HZbFeYQ6GsdOIYgWzWXqurk/6 +8rlE1D7Fo9KK9lmrLOwrr7ez1pOLHA8pPDhZhxI5D3ZhDsLUux3caCUfFdP/VpaJ +ijGNc1HYt8mk4U1Qb6ZlafTYb75F9d61v8/M/HATZ5KpT9gr0aGkfwptzCwlBJ8y +pcRI9AuUUDCTAXIGuQENBE+oKZQBCADc9sYSnWAj3y6QE9sGNDUFaKpAFUsprpQ8 +LeA05nh3RUxYDd75qc0ewtGR1+SlgpehKQfSXVQT254jM5lJanNDPYffk9k9lMwg +SVoTP2QaszfDgir7WKKQuj3dBwnmYHdIY2mq+eaAh/1cCU//ggdaATo4ENQhKTAI +iuviGKBpYX/zHAlPIvyFjERsBmq0woQKvDGsoQEObx1zu1GaTWeTSIEnHyRhajMQ +rKUAxSCh9Th2Vj6xOhvx9TK6li+ecxYuuBVP0Xllg1GdoQBC8KWITDOrU18suj1v +EGK4YOzQQPxANs6I81SvVddd2bh71cyAjhHr1kugw3PWQvLe4yHHABEBAAGJAR8E +GAECAAkFAk+oKZQCGwwACgkQsXXPqY8ZKvJrVAgAi7CVXJt8mZiN+yzwiZVlzrkR +QduB2cgvGZD6Hm3MJc1aVA3Gh0tJcLo+SdutCOzKSmPRSsnWT19EKxpDMrc9j97P +i9SDrGyUOx7Bz8gKjTI6BcfPNAhAyIr5Gr9SDyTx6tUduSmmErrvjYWP1/Jz7spI +nN2wQd5ZVRSvS/rNZGh1NU31oeWlbpkU0JpGbZkMXv4JIy+1caH5zzrcRMC9JFxf +m/bYdaq+jHhMufnSy0Qa3QgJkKvzxzvlIG9BaUmuNeR+XoA9ISEMQzAYXqxJQSL2 +8Er9IVaNgtz5mqCMf8vuDTPGpkYyqGnOjtQNF695wiA7CAr3/WTeiEl6kKsBFg== +=/+gu +-----END PGP PUBLIC KEY BLOCK----- + + +Alejandro Colomar + +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGI/tA8BEACYC5fPDOMDrT8SxNlsB9fRj9YAZt7okGtbCIlVuSPs81YMkeJm +BxtPPnps5Vw2whZS13zaoyPykMg6k+komDWctWQKIF0VgpVYtIuezq4q8kMNmKLc +MnHiZRKRh8dOqlK6jHcUlF8rBgQhk+RUBUPOqFEYeTveoZ9qqVmWhOVce5uUX01k +iU2SjoGAGkNDBqmOkhhVUSQg/AVcc4web6Gu184VUbOXx7J5MPpRmXE610fAUeeJ +1VzyB8U/hgPLrbZX3jQMJbcCSM+Qdxdr/gsptfx1XIm4NsvKXTUOpWg1DQFiQYTJ +FN6Kz0NKN6MV/3AqbKGtWDqKhFt3u3a7T+uUP/qzi9jma+DruQuzQztI6xnthZCb +RjFkQ/iUUtuGgmpOB14HrgwNaRjKWddzab+A7BL971Q3fFqDsvrntD+koYVUgTfq +ErcQo9ZdGRAUL5icyyDg4cC6xgjdmYfnX1s4Rlo3cXJXTZpIOx5AvZV6HYNNm9pu +EoPm5gjNtk4F+FENNjkB3c2ntFr2prpoxaN9ceNd8a1tkWAgh6ueFVA/tkd1hy+2 +bP7e5+Nk9NjsWLvnL2slep1cX38DU9hx91t21+x/8hCxN4gqtvDJY/eqUZ2d0uAR +KhPEDZ8GzchxVtX9bGx1HSAVcdnkSzKIGFOJi3ivYqUEihXd5WQE57UovQARAQAB 
+tCJBbGVqYW5kcm8gQ29sb21hciA8YWx4QGtlcm5lbC5vcmc+iQJOBBMBCgA4FiEE +qTSFlM4xKDqCb73Y1XYz1EHiW7UFAmNDAAYCGwEFCwkIBwIGFQoJCAsCBBYCAwEC +HgECF4AACgkQ1XYz1EHiW7Vm4g/+NDfrYWHAHSMBkQnTZdhrOFCR1tJsWTLABwe1 +fMLBW7djLZMZweDMU76UBrucAEsarKkIHyhqpBES5EXwmlvKSnEhzPjXZ+PoHmM0 +M8Lq7QFZ5IEbrhuJbvpfTCa0gleHKIVYCCeaf2AUpgwX1XMkG2mmRdvUDQ2M8NMH +ljM/OZ+6tBGpw7zvx1kYsSfBerlHxmLXlRxHrr9nWi7zXa+HrHZQAhopuufIb1we +8lI/gdfywq7s/e5Xelk4dnr/pEFx56G1vh0bc+zU36+C9gX5IXOJv2WrTmOfG3Am +gaJgWZapJQlPFEByk+2oJf5UOgPRhdX7qLR8mVnQ4EHM1sr9B6UGwcySZpVwag9n +51WhjgdqYoSPt9dpPSNfNavLJDR+paM0aEHi3/t3mGJSyOPM4E6ejrYk7791fOJF +0J3VhKr9KR1rMxQpE1kMs7qO1uUJvnF+opzrueMELffwTfDDyvY1bV/ZNou/MPi4 +EbUJyZDvsq2shaKj/NB4nzYJIoGbUzUrz008buTagf+WZ+uTDIdOJbaVPcUUjtzr +21KifSWxcokNhqSIrsCLzCJkbiKEK7nUoOvl9q3Wl9L5CWAOflr5499iyGqxlJ+E +7xzerWy1ZqgQHJ3Zp0wVMgHTKvPsmDvwaXBvEZkrUQ4PnInWTNJ2yiNxJU/we7Xx +kxo4Qk20MUFsZWphbmRybyBDb2xvbWFyIEFuZHJlcyA8YWx4Lm1hbnBhZ2VzQGdt +YWlsLmNvbT6JAk4EEwEKADgWIQSpNIWUzjEoOoJvvdjVdjPUQeJbtQUCYj+0DwIb +AQULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRDVdjPUQeJbtTdsD/97XSXo3Dqb +eaAWhjreKTwO9sPh9n79tS5CZMne44jvC7OCNGeFYq/MGyk0aDPcfN27dO4YSJXN +d82t2K5vC85W5+tbnREN+OTNy8b6U4XxpeQhHP7jr5xeQt0aTkUH3Eo+0mzUq4fS +hxMMch4FuDvMcohkOQs6LMKyvNo0jXAM3nE6nJeRipBjG5d8KKlx9dqmS5Zee9FA +YayikSFp77aSGIvWFejTS3YDaN/APotN1SheEWHtGRY1zvbPbGKJKMy/k8O0b0TJ +gGGe0RzFmPaQSCc/ZlpG2jk5BrnnspCDTq1I/2zcpgdwcR3/3Iuw2VAlOU48w7Qs +fZecvYw+8zlrsJlB/NNU6s1YzeTi37jo43aqgyw4E7iev18f14W2ZQuIQY36hUmf +4z49hAliWcoq7SZL6tsdmeQPjYWJb1lxds8s+iEH1PUsGObWUkjy1iIfJ+gXCe8E +uKZKPGY7RWwYoSBliCVVXfgmD2XQja9i3pjRiJ6S7sYjZnugNwFaVbeptHE8NL4J +Y3eRJpZdGizW58zTfxhvU/AjjDMhqqshW8ZSbAIRI05eGxzwk82qGq+cUVxsBeU8 +7i9DbqNOF50cYyltYVVJ9qPAxO+5sBtW6rq+yxkLArjTlpIRJsrXSiFJFqAp7FkC +pUx66xvV8LgAVMKeD2o+Ae8mCTmYJfiCabkCDQRj2/4qARAAw4VXqcdlHsnCDqcC +x5U+nHDOMsyEqG7F8mivt9covXkGUGoLI3ZlGU/5EoRwQB91uHJMU9zJwumQ4tLs +szhOB/CNBSDZ4XTCcEej+dhQounRIdbY+DcXn4dVdx/mYCFPVb7OtUe68m6vyiai +2KG288QbjnkzNA222caPQNDy6NsIGh8V5WDKCa7Jk0Zti+tTdi+vhkFjk7+brh5I 
+qzahfuk/uVDWBUVT3OiNRywtouTBdfT33JhQyRqSMty6gjkkYyxX0QD5r5EIVrtr +gre6aBWw3dy64pVs9nxVBhVCH4h6PwReXFB4kfjgw82Q1/DkF/ZMsH8bPPtvjI1N +Yz+TMaLcUQX7fWlW7YbQSXSwF4mUSMYgdOZ8CTNQjKmpnpVhHYuL67cG26ev/+T4 +OrcT103j/InLipKvYUC3HwFMbq2P/9edqf85d/Nl1KMdByJ3qVVFMuXjiJr0uf1K +oc7nfP3mqkPUHEdjsHnQnpNWZPBr5xs8iNtGmgltnJE2jacXFqtvJ6M9ugrMauoK +s5sNMhqvf/zyZiLWkcZ8bWi6cGl/JD1RS66ViFFmVeg5xpVgspUAsADCZLneTCAW +46DJ2Esq92afIVSz/AUtVjLUJyZIOBaVzY2JXR9s5/ePJAd4T42cg1Kdrdsi0dPY +MOwPjQBpiuetA4dCWeL5qucnSAUAEQEAAYkCPAQYAQoAJhYhBKk0hZTOMSg6gm+9 +2NV2M9RB4lu1BQJj2/4qAhsMBQkB4TOAAAoJENV2M9RB4lu17J0P/3LN+ueOR4q4 +G5KOnLA5+u1y84d0LI16Z43iAm2NyAWCNkvjGj3RqQD8ZwFmckulf05mhvLOcwxE +i8aAnEcsK4YfsGjgQRDJIChPnZCfssCkFVjfTyEcMgI4sr8hBjbp+ULL4LOnHu4B +LjWjeWc48dtVQ7qcetVw7u9ZABfRBPxVBgY8Idxv1qVOQE13P2sPzbYKsFz+2mH5 +54VnMO64zqCbecxgV4NRFcTeNUaDgl6D7zNlNmh4j6c7sKjoEzYIVizApM4xMtOB +syL4fGXRcNtenuBDc/1/PeHdDhqGGlZds1RmTLJm+gCzVio4z5EXPJMKjAVBHapM +NMl4TiTay6gMG6QJMwkgVmS2F28wxj9KztkdnC+2YWJdWDeM07Le231X2hnRQE/D +epN4MouHofOB3I3WY+sSR2KUik9WceL+ICIvUisCNk3GvXVg6hYXIukN8ZR4Sf3A +rRPpePofDK0vZeWIGt6ZksVY9A3GQc0cMagqgCTK0gUxeDk/tPH8xyz/VvRZPGaC +GlzeSQ1giSwgNXX1FDfnGOdn/rJh/aoDl1PzTBjyZcZ15s9HSPA6h36TMgCrSCai +kWjbk8mOJhIhTbxclyI9JLu2AeKu+zP41Gi0AEEGkhFKZ9cG6cGG7AuSsiZ3OqOu +sym/ZKz1uuXGo1iJJgkZ2yiq3ox7KHMZuQINBGI/t3UBEACr9ldxakkNdKp/Pc8+ +fRznR/+b29CfQWjOEv2njByhQa5CU18jMT6DIOokv2vU7xwaNJviBouaKWAIe5iy +a3BWHhRpk6e2WnST/X3Zxmm8NjBZAMVl1JXS/vDEDhUu76y/Z82YcHZi52fRXRr3 +jwza/jGFyjLwem04G/CrS+tUHiWd3cbeh09LlQ/zN7cO8oOoYZWyoX0GNtXbUovy +ssdUt1RODrSVde+8ec7AQm8fg7mRt3HCXhjwrdLxvqVRgG3wYCR3TnzL+rGuhYxa +TEmbcjPLrKqSfZatsmVir1JJ2Cn8O9Ns5ROsqnulYa0foTo4LDwgqR82uel8mEaZ +EQh4B7ob8mvqPLKBHbQXVeRTxuqLdyd3W/2yu5nIUi7kA6CIm5mdK8MT6CiHqYYx +QD33HTN4OtFqrf3TbyjBG5wlzCD2mSrGB52FYgrkfSiKXBOxiqoFo++SpK1wSuHN +a2ge1hkIdlE8wEPDBDSRqPta8t8ZazNPuc5tR6g0B/JUTIa6r8bDk5NgNj8jrGqv +MvTWl+txcQ5uYo5OlvdiwHy2/YzEDhWcb1ls0faQQHn2CYFr6S9Ad9dOsMJZ2E29 +K4v/apGnGEjLqqqXWfIxPBq01bZY1pQI8fy+PJkp8IHZfQ2RrmUFaSOufLOgQE7c 
+w8j/SxlSdbFrBZA7cMfGLPLT0QARAQABiQRsBBgBCgAgFiEEqTSFlM4xKDqCb73Y +1XYz1EHiW7UFAmI/t3UCGwICQAkQ1XYz1EHiW7XBdCAEGQEKAB0WIQTqOofwpOug +MORd8kCejBr7vv/bMgUCYj+3dQAKCRCejBr7vv/bMkq3D/48Y7jLfIB5jY9dzVCm +ikbuexOAb0YDSZQS3Pt6GnPryIm1gLaRt0jw8HWVI80bMRvTKvJ7D7+kc6GCLK90 +MjxMBdlL/BfBFj8jNuVeaNfI7dTbon0kri56bMI3Ad/G7jryRcnPrRZo/nzGKcMD +WxV3tgZkamh0pHYWjSttt0fr8t2qXzK74XO3PnU1RkGY1QAlMa89FJXUyW+veFpy +AJWNW9zYVatjPKPyMLr8I7t9KLjviJBBWwE2fbXgvT58IqhqADKt+YJdXlNiD1Mn +ZaBbbBCO7Mn+aG+yAJBJKPqmjoN1dOXy1FtuNrHHnTYIHyoRD/IR1DtEwlIYHlhZ ++8uy2rXPMA/I8hSCxFgMEJaY8IzfP49sPvwFMfGgnEFk7jmTAczP7rwSeDuvRnWQ +ztJqu9PQp3Wmek/ea7WV93rBmI6Vipl8P69m3CzQErnuIZUutsjP0BaiU+hENoXu +ZmlV0MtnNix0j28sTIe49vtb5UTVRJjIwwI1BDGtM4Ukij9tNkDkntrTkpBE3MFk +9SYi8aAN99kBCNmkwRdY0opwNhGFJwBEwycv7I7d7s/Y79ZSuZBrjB6nB5gU+Xh1 +tDdQZxzHLctnZ2cAjE8BcU2wrgZghWiRZ7YlI0bozXl6/VJaAVhZU7f6ebklXSYF +JwTrCwam8VbcgoiukMsdv831NmkPD/4sjSJfoqdE4kGHHX/S/N/Q8LiflefYivLX +X/WtGyRguuYH+8YDqGaCGco8IKmlRDhaME1achjMp/O808B2rxogpsLWu08AF4PJ +97w01RfjBr8aA5qvZXnCfAnmpRzQjDrjIuNOle834dXvOAANugR22dBbjv7MRtOp +Xn1whyAEJIwBeAgKe+p1zwWyQNv2Gq+9C0IQ2w4uJsodjNi6YzFnTvm3HulnNr4s +L+x/i+24iuz0Gf2KbGiR2FtCyKIek0N2NAhPquoI7L0HEP2FKh3OeEH0aCdFcZf/ +Dw19fjqEROaJhVvSgTvXIVh3dnB4e7qlYsMSNQxqCcKQD4D79kjFrOygySU+6xMp +vUQvOiF46MrPx8KtfiuPTuEji0Y0F9qz1u5vqwelsg5vpoa12h9qSdX/uWKbRqqQ +x5gHERLoTXT7aMKYuDU3UAMxEEEOaXnOtWNlr3n4H7zMrZ3qvkTRRmGiH8iGkSFn +w2WO3rr/flfIQAJLSUH5lTmR4j/XBNtOGSAWKaRU3N5cX2zHcS5YxkaBx3u4Ew+D +qnBNL6oazpe1iaIoxsyC8MOFyoWHmv/ivv7FbpkWFHgN+R2nenIMiHuHQd/62/RC +PVEoGmaL+XCfSpmstYz9phejRW7LacBt4BMCV7ghqD6vYCR0QBoENp0V5mKyXQ6P +R2OsYRFGG7kCDQRiP7s5ARAAktZGlZIjclF0dkQxIpJ2cQ0FOEgzzG0hZzIfHzLW +T7HvuY0XHWAI64yZbDSdHkKTSKbVnrToCayBDu0oISa3gZh+cd5a+Igf4NsIkGNR +askGnmZYUM+RP1PzKPlVqdPIcXedZvTermRHIyO73f3p5kw+vDryGyubrt2n2IFb +J7SopNed2kXIs5dyk89mvJ+muPCDD5wYHbdXfpEH+KznROMHOVHzwfHYQ++finuw +2cjdJbAyZz6QSopAQeg46UEAk/aTGuI3cEFIzDq6cpqS8fvpbHGL5Oi657t2i1TL +zUCo/4FK027ZLkTXpcB8hbmKFWhfWueDx3aRNvbloJn7kq97RhnE3tgewi+syJsK 
+CrOlHc1rD8/JNL9lcr2yuSTmwY80QDVNU3U2ZeqLdxx47O31zR5VCpGu09Ro57bJ +j5YaMukwmYLiPwTExkTqqryf7QsLq47Tgd+0YnUyq79XEv067ow+FCxbIoSNlQWB +W2LbNi3JeNPCM0pWdgFuiQE2KFH0s4qulKxEbEtwpVXOH9fmUN23VkI1TnarfRlG +XgSdOISRbXa0O9Ta85BF/NtoBXRU4CtDdcmT7343PjRPbAF1ixU+KOhDDuaDBUV5 +iD6BXqyHyL6rciYvqHQwmg2ztdFmTewapV112Vv2wpqvbyrzszTtMw8c92Y7Kfge +fY8AEQEAAYkCPAQYAQoAJhYhBKk0hZTOMSg6gm+92NV2M9RB4lu1BQJiP7s5AhsM +BQkB4TOAAAoJENV2M9RB4lu1mAsP/R/4E68Rt7oUI/30eTuiRb9C/Zx6EaZVIJBw +G2cwKB9GkU4vGR2PU1f25vym92fywSP9OavWyDeVqtN8Ar4U4CbD/L9f2JgZMTXr +HFgxU94uywKOxhLEL8ylgaU89l6af1BynBn3YU/mLQyMHAMTs0uaifjAedeNJq08 +XWP3bVdxRywj/rqAf52KA9Y/C59mCfx4vmYu2r2jbwCCVWOsL5sgWyThyGKuNv1A +7+k0JYJlsJ8aro9sS0fjscvoyxajDX2u0Mq/dTbjFWiJQbdT2mWMgiOHxpGDGst9 +NH5+JbYZGV/TfeJFDIAW/Pw3gktKt40IP2t6y5vjyUCHEEn2E6pfnr1XmY6EOae5 +hPYJQNUbJw98RdpPPY3l4FY49M312v6dphAj2kBmMv7mbyLrIZoTsHw5Q++ig83V +i/I1u4tTvZomFn2po3MO3+QL0FTqzwPjiTyUmSO4rMi5EZiLJF5ITSaESFXNGQb4 +UBTuXYgKXY4spWeYpSB2qREhrkXgXrDWEJBwIBJW4ppPI4hRhefGV6wHTRxF24No +iVPz4ABaTQFkvZbpyTT+DT0CL8tHMwF7Tq3wFQ4Rr82LBS/fWxgzeyYTgZwXXUFY +YqM7OXwJKVjlgC2B+OEwgXcdRxB4y5asd//D9wVeD0pfiWk+Ohmi/YF9WmFgmrWe +vK53nZUH +=V1ID +-----END PGP PUBLIC KEY BLOCK----- diff --git a/shadow.service b/shadow.service new file mode 100644 index 0000000..4137da1 --- /dev/null +++ b/shadow.service @@ -0,0 +1,23 @@ +[Unit] +Description=Verify integrity of password and group files + +[Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=read-only +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions +Type=oneshot +ExecStart=/usr/sbin/pwck -r +ExecStart=/usr/sbin/grpck -r +Nice=19 +IOSchedulingClass=best-effort +IOSchedulingPriority=7 
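Review bot: With `Type=oneshot` and two `ExecStart=` lines in shadow.service, systemd stops at the first command that exits non-zero, so `ExecStart=/usr/sbin/grpck -r` is skipped on exactly the runs where `pwck -r` reports a bad entry. Moving `grpck -r` into its own unit, triggered by the same timer, would keep both results visible without hiding either failure. Separately, both commands run in read-only mode, so the sandbox could probably be tightened further, for example with `NoNewPrivileges=true` and `PrivateTmp=true`. That is untested here and should be checked against the NSS setup in use.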
diff --git a/shadow.spec b/shadow.spec new file mode 100644 index 0000000..71bd798 --- /dev/null +++ b/shadow.spec 
@@ -0,0 +1,387 @@ +# +# spec file for package shadow +# +# Copyright (c) 2024 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%if ! %{defined _distconfdir} + %define _distconfdir %{_sysconfdir} +%else + %define no_config 1 +%endif +Name: shadow +Version: 4.17.1 +Release: 0 +Summary: Utilities to Manage User and Group Accounts +License: BSD-3-Clause AND GPL-2.0-or-later +Group: System/Base +URL: https://github.com/shadow-maint/shadow +Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz +Source1: pamd.tar.bz2 +Source2: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc +Source3: %{name}.keyring +Source4: shadow.service +Source5: shadow.timer +# SOURCE-FEATURE-SUSE shadow-login_defs-check.sh sbrabec@suse.com -- Supplementary script that verifies coverage of variables in shadow-login_defs-unused-by-pam.patch and other patches. +Source40: shadow-login_defs-check.sh +# PATCH-FIX-SUSE shadow-login_defs-unused-by-pam.patch kukuk@suse.com -- Remove variables that have no use with PAM. +Patch0: shadow-login_defs-unused-by-pam.patch +# PATCH-FEATURE-SUSE useradd-default.patch kukuk@suse.com -- Change useradd defaults group to 1000. 
+Patch1: useradd-default.patch +# PATCH-FEATURE-SUSE shadow-util-linux.patch sbrabec@suse.com -- Add support for util-linux specific variables, delete shadow login, su runuser specific. +Patch2: shadow-util-linux.patch +# PATCH-FEATURE-SUSE shadow-login_defs-comments.patch kukuk@suse.com -- Adjust login.defs comments. +Patch3: shadow-login_defs-comments.patch +# PATCH-FEATURE-SUSE shadow-login_defs-suse.patch kukuk@suse.com -- Customize login.defs. +Patch4: shadow-login_defs-suse.patch +# PATCH-FIX-SUSE disable_new_audit_function.patch adam.majer@suse.de -- Disable newer libaudit functionality for older distributions. +Patch5: disable_new_audit_function.patch +BuildRequires: audit-devel > 2.3 +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: libacl-devel +BuildRequires: libattr-devel +BuildRequires: libselinux-devel +BuildRequires: libsemanage-devel +BuildRequires: libtool +BuildRequires: pam-devel +BuildRequires: xz +# we depend on libbsd or glibc >= 2.38 for the strlcpy() (and readpassphrase()) functions +BuildRequires: glibc-devel >= 2.38 +Requires: login_defs >= %{version} +Requires(pre): group(root) +Requires(pre): group(shadow) +Requires(pre): permissions +Requires(pre): user(root) +Provides: pwdutils = 3.2.20 +Obsoletes: pwdutils <= 3.2.19 +Provides: useradd_or_adduser_dep +BuildRequires: libeconf-devel + +%description +This package includes the necessary programs for converting plain +password files to the shadow password format and to manage user and +group accounts. + +%package -n login_defs +Summary: The login.defs configuration file +# Virtual provides for supported variables in login.defs. +# It prevents references to unknown variables. +# Upgrade them only if shadow-util-linux.patch or +# encryption_method_nis.patch has to be ported! +# Call shadow-login_defs-check.sh before! 
+Group: System/Base +Provides: login_defs-support-for-pam = 1.5.2 +Provides: login_defs-support-for-util-linux = 2.37 +BuildArch: noarch + +%description -n login_defs +This package contains the default login.defs configuration file +as used by util-linux, pam and shadow. + +%package -n libsubid5 +Summary: A library to manage subordinate uid and gid ranges +Group: System/Base + +%description -n libsubid5 +Utility library that provides a way to manage subid ranges. + +%package -n libsubid-devel +Summary: Development files for libsubid5 +Group: System/Base +Requires: libsubid5 = %{version} + +%description -n libsubid-devel +Development files for libsubid5. + +%prep +%setup -q -a 1 +%patch -P 0 +%patch -P 1 +%patch -P 2 +%patch -P 3 +%patch -P 4 +%if 0%{?suse_version} < 1330 +%patch -P 5 -p1 +%endif + +iconv -c -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 +mv -v doc/HOWTO.utf8 doc/HOWTO + +%build +export CFLAGS="%{optflags} -fpie" +export LDFLAGS="-pie" + +autoreconf -fvi +# SSSD files provider is deprecated since 2.9.0, but still enabled in openSUSE Leap 15.6 and SLE 15 SP6 +%configure \ + --enable-shadowgrp \ + --enable-account-tools-setuid \ + --with-audit \ + --with-libpam \ + --with-sha-crypt \ + --with-acl \ + --with-attr \ + --with-nscd \ + --with-selinux \ + --without-libcrack \ + --without-libbsd \ +%if 0%{?suse_version} >= 1600 + --without-sssd \ +%endif + --with-group-name-max-length=32 \ + --enable-vendordir=%{_distconfdir} +%make_build +# --disable-shared \ currently doesn't build with this. See https://github.com/shadow-maint/shadow/issues/336 + +%install +%make_install gnulocaledir=%{buildroot}/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs +# Separate call to install man pages. 
See https://github.com/shadow-maint/shadow/issues/389 +%make_install -C man install-man + +install -Dm644 %{SOURCE4} %{buildroot}%{_unitdir}/shadow.service +install -Dm644 %{SOURCE5} %{buildroot}%{_unitdir}/shadow.timer + +# add empty /etc/sub{u,g}id files +touch %{buildroot}/%{_sysconfdir}/subuid +touch %{buildroot}/%{_sysconfdir}/subgid + +rm %{buildroot}/%{_sbindir}/grpconv +rm %{buildroot}/%{_mandir}/man8/grpconv.* +rm %{buildroot}/%{_mandir}/*/man8/grpconv.* +rm %{buildroot}/%{_sbindir}/grpunconv +rm %{buildroot}/%{_mandir}/man8/grpunconv.* +rm %{buildroot}/%{_mandir}/*/man8/grpunconv.* + +rm %{buildroot}/%{_sbindir}/groupmems +rm %{buildroot}/%{_mandir}/man8/groupmems.* +rm %{buildroot}/%{_mandir}/*/man8/groupmems.* +rm %{buildroot}%{_sysconfdir}/pam.d/groupmems + +rm %{buildroot}/%{_bindir}/login +rm %{buildroot}/%{_mandir}/man1/login.* +rm %{buildroot}/%{_mandir}/*/man1/login.* +rm %{buildroot}%{_sysconfdir}/pam.d/login + +rm %{buildroot}/%{_bindir}/su +rm %{buildroot}/%{_mandir}/man1/su.* +rm %{buildroot}/%{_mandir}/*/man1/su.* +rm %{buildroot}/%{_mandir}/man5/suauth.* +rm %{buildroot}/%{_mandir}/*/man5/suauth.* +rm %{buildroot}%{_sysconfdir}/pam.d/su + +rm %{buildroot}/%{_bindir}/faillog +rm %{buildroot}/%{_mandir}/man5/faillog.* +rm %{buildroot}/%{_mandir}/*/man5/faillog.* +rm %{buildroot}/%{_mandir}/man8/faillog.* +rm %{buildroot}/%{_mandir}/*/man8/faillog.* + +rm %{buildroot}/%{_sbindir}/logoutd +rm %{buildroot}/%{_mandir}/man8/logoutd.* +rm %{buildroot}/%{_mandir}/*/man8/logoutd.* +rm %{buildroot}/%{_sbindir}/nologin +rm %{buildroot}/%{_mandir}/man8/nologin.* +rm %{buildroot}/%{_mandir}/*/man8/nologin.* + +rm %{buildroot}/%{_sbindir}/chgpasswd +rm %{buildroot}/%{_mandir}/man8/chgpasswd.* +rm %{buildroot}/%{_mandir}/*/man8/chgpasswd.* +rm %{buildroot}%{_sysconfdir}/pam.d/chgpasswd + +rm %{buildroot}/%{_mandir}/man3/getspnam.* +rm %{buildroot}/%{_mandir}/*/man3/getspnam.* +rm %{buildroot}/%{_mandir}/man5/gshadow.5* +rm 
%{buildroot}/%{_mandir}/*/man5/gshadow.5* +rm %{buildroot}/%{_mandir}/man5/passwd.5* +rm %{buildroot}/%{_mandir}/*/man5/passwd.5* + +rm -rf %{buildroot}%{_mandir}/{??,??_??} + +rm %{buildroot}/%{_libdir}/libsubid.{la,a} + +# Move /etc to /usr/etc +if [ ! -d %{buildroot}%{_distconfdir} ]; then + mkdir -p %{buildroot}%{_distconfdir} + mkdir -p %{buildroot}%{_pam_vendordir} + mv %{buildroot}%{_sysconfdir}/login.defs %{buildroot}%{_distconfdir} + mv %{buildroot}%{_sysconfdir}/pam.d/* %{buildroot}%{_pam_vendordir}/ +fi +mkdir -p %{buildroot}%{_sysconfdir}/login.defs.d + +%find_lang shadow + +%pre +%service_add_pre shadow.service shadow.timer +for i in pam.d/chage pam.d/chfn pam.d/chpasswd pam.d/chsh pam.d/groupadd pam.d/groupdel pam.d/groupmod pam.d/newusers pam.d/passwd pam.d/useradd pam.d/userdel pam.d/usermod; do + test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||: +done + +%pre -n login_defs +test -f %{_sysconfdir}/login.defs.rpmsave && mv -v %{_sysconfdir}/login.defs.rpmsave %{_sysconfdir}/login.defs.rpmsave.old ||: + +%post +%set_permissions %{_bindir}/chage +%set_permissions %{_bindir}/chfn +%set_permissions %{_bindir}/chsh +%set_permissions %{_bindir}/expiry +%set_permissions %{_bindir}/gpasswd +%set_permissions %{_bindir}/newgrp +%set_permissions %{_bindir}/passwd +%set_permissions %{_bindir}/newgidmap +%set_permissions %{_bindir}/newuidmap + +%service_add_post shadow.service shadow.timer + +%verifyscript +%verify_permissions %{_bindir}/chage +%verify_permissions %{_bindir}/chfn +%verify_permissions %{_bindir}/chsh +%verify_permissions %{_bindir}/expiry +%verify_permissions %{_bindir}/gpasswd +%verify_permissions %{_bindir}/newgrp +%verify_permissions %{_bindir}/passwd +%verify_permissions %{_bindir}/newgidmap +%verify_permissions %{_bindir}/newuidmap + +%preun +%service_del_preun shadow.service shadow.timer + +%postun +%service_del_postun shadow.service shadow.timer + +%posttrans +%if %{defined 
no_config} +# Migration to /usr/etc +for i in pam.d/chage pam.d/chfn pam.d/chpasswd pam.d/chsh pam.d/groupadd pam.d/groupdel pam.d/groupmod pam.d/newusers pam.d/passwd pam.d/useradd pam.d/userdel pam.d/usermod; do + test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||: +done +%endif + +%posttrans -n login_defs +# rpmsave file can be created by +# - change of owning package (SLE15 SP2->SP3, Leap 15.2->15.3) +# - Migration to /usr/etc (after SLE15 and Leap 15) +test -f %{_sysconfdir}/login.defs.rpmsave && mv -v %{_sysconfdir}/login.defs.rpmsave %{_sysconfdir}/login.defs ||: + +%post -n libsubid5 -p /sbin/ldconfig +%postun -n libsubid5 -p /sbin/ldconfig + +%files -f shadow.lang +%license COPYING +%doc NEWS doc/HOWTO README +%verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/subuid +%verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/subgid +%if %{defined no_config} +%{_pam_vendordir}/chage +%{_pam_vendordir}/chfn +%{_pam_vendordir}/chsh +%{_pam_vendordir}/passwd +%{_pam_vendordir}/chpasswd +%{_pam_vendordir}/groupadd +%{_pam_vendordir}/groupdel +%{_pam_vendordir}/groupmod +%{_pam_vendordir}/newusers +%{_pam_vendordir}/useradd +%{_pam_vendordir}/userdel +%{_pam_vendordir}/usermod +%else +%config %{_sysconfdir}/pam.d/chage +%config %{_sysconfdir}/pam.d/chfn +%config %{_sysconfdir}/pam.d/chsh +%config %{_sysconfdir}/pam.d/passwd +%config %{_sysconfdir}/pam.d/chpasswd +%config %{_sysconfdir}/pam.d/groupadd +%config %{_sysconfdir}/pam.d/groupdel +%config %{_sysconfdir}/pam.d/groupmod +%config %{_sysconfdir}/pam.d/newusers +%config %{_sysconfdir}/pam.d/useradd +%config %{_sysconfdir}/pam.d/userdel +%config %{_sysconfdir}/pam.d/usermod +%endif +%verify(not mode) %attr(2755,root,shadow) %{_bindir}/chage +%verify(not mode) %attr(4755,root,shadow) %{_bindir}/chfn +%verify(not mode) %attr(4755,root,shadow) %{_bindir}/chsh +%verify(not mode) %attr(4755,root,shadow) %{_bindir}/expiry +%verify(not mode) 
%attr(4755,root,shadow) %{_bindir}/gpasswd
+%verify(not mode) %attr(4755,root,root) %{_bindir}/newgrp
+%verify(not mode) %attr(4755,root,shadow) %{_bindir}/passwd
+%verify(not mode) %attr(4755,root,shadow) %{_bindir}/newgidmap
+%verify(not mode) %attr(4755,root,shadow) %{_bindir}/newuidmap
+%{_bindir}/sg
+%{_bindir}/getsubids
+%attr(0755,root,root) %{_sbindir}/groupadd
+%attr(0755,root,root) %{_sbindir}/groupdel
+%attr(0755,root,root) %{_sbindir}/groupmod
+%{_sbindir}/grpck
+%{_sbindir}/pwck
+%attr(0755,root,root) %{_sbindir}/useradd
+%attr(0755,root,root) %{_sbindir}/userdel
+%attr(0755,root,root) %{_sbindir}/usermod
+%{_sbindir}/pwconv
+%{_sbindir}/pwunconv
+%attr(0755,root,root) %{_sbindir}/chpasswd
+%attr(0755,root,root) %{_sbindir}/newusers
+%{_sbindir}/vipw
+%{_sbindir}/vigr
+%{_mandir}/man1/chage.1%{?ext_man}
+%{_mandir}/man1/chfn.1%{?ext_man}
+%{_mandir}/man1/chsh.1%{?ext_man}
+%{_mandir}/man1/expiry.1%{?ext_man}
+%{_mandir}/man1/gpasswd.1%{?ext_man}
+%{_mandir}/man1/newgrp.1%{?ext_man}
+%{_mandir}/man1/passwd.1%{?ext_man}
+%{_mandir}/man1/sg.1%{?ext_man}
+%{_mandir}/man3/shadow.3%{?ext_man}
+%{_mandir}/man5/shadow.5%{?ext_man}
+%{_mandir}/man8/chpasswd.8%{?ext_man}
+%{_mandir}/man8/groupadd.8%{?ext_man}
+%{_mandir}/man8/groupdel.8%{?ext_man}
+%{_mandir}/man8/groupmod.8%{?ext_man}
+%{_mandir}/man8/grpck.8%{?ext_man}
+%{_mandir}/man8/newusers.8%{?ext_man}
+%{_mandir}/man8/pwck.8%{?ext_man}
+%{_mandir}/man8/pwconv.8%{?ext_man}
+%{_mandir}/man8/pwunconv.8%{?ext_man}
+%{_mandir}/man8/useradd.8%{?ext_man}
+%{_mandir}/man8/userdel.8%{?ext_man}
+%{_mandir}/man8/usermod.8%{?ext_man}
+%{_mandir}/man8/vigr.8%{?ext_man}
+%{_mandir}/man8/vipw.8%{?ext_man}
+%{_mandir}/man5/subuid.5%{?ext_man}
+%{_mandir}/man5/subgid.5%{?ext_man}
+%{_mandir}/man1/newgidmap.1%{?ext_man}
+%{_mandir}/man1/newuidmap.1%{?ext_man}
+%{_mandir}/man1/getsubids.1%{?ext_man}
+
+%{_unitdir}/*
+
+%files -n login_defs
+%dir %{_sysconfdir}/login.defs.d
+%if %{defined no_config}
+%attr(0644,root,root)
%{_distconfdir}/login.defs
+%else
+%attr(0644,root,root) %config %{_sysconfdir}/login.defs
+%endif
+%{_mandir}/man5/login.defs.5%{?ext_man}
+
+%files -n libsubid5
+%{_libdir}/libsubid.so.*
+
+%files -n libsubid-devel
+%dir %{_includedir}/shadow
+%{_includedir}/shadow/subid.h
+%{_libdir}/libsubid.so
+
+%changelog
diff --git a/shadow.timer b/shadow.timer
new file mode 100644
index 0000000..3823cbb
--- /dev/null
+++ b/shadow.timer
@@ -0,0 +1,7 @@
+[Unit]
+Description=Daily verification of password and group files
+
+[Timer]
+OnCalendar=daily
+AccuracySec=12h
+Persistent=true
diff --git a/useradd-default.patch b/useradd-default.patch
new file mode 100644
index 0000000..8e633d0
--- /dev/null
+++ b/useradd-default.patch
@@ -0,0 +1,13 @@
+Index: src/useradd.c
+===================================================================
+--- src/useradd.c.orig
++++ src/useradd.c
+@@ -87,7 +87,7 @@ const char *Prog;
+ /*
+ * These defaults are used if there is no defaults file.
+ */
+-static gid_t def_group = 1000;
++static gid_t def_group = 100;
+ static const char *def_groups = "";
+ static const char *def_gname = "other";
+ static const char *def_home = "/home";
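Review bot: The new shadow.timer ends at `Persistent=true` and has no `[Install]` section, so the unit is static and `systemctl enable` or a preset has nothing to link. Unless the package hooks it into timers.target some other way (not visible in this hunk), the daily verification of the password and group files would never be scheduled, and that integrity check would be silently absent. I would append `[Install]` followed by `WantedBy=timers.target`. A comment above `AccuracySec=12h` saying the wide window is intentional (the check is not time-critical) would also help.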
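Review bot: The embedded useradd-default.patch changes the compiled-in fallback `def_group` from 1000 to 100 without any header saying why, and the context line `def_gname = "other"` is left unchanged, so the fallback GID and group name may no longer describe the same group (how `def_gname` is used is outside the hunk). Per the comment in the hunk this value applies only when there is no defaults file, and in that state every newly created account gets the same shared primary group, so group permission bits on home directories and new files then reach all of those users. That is worth checking against the `UMASK` and `HOME_MODE` settings shipped in login.defs. I would add a description above `Index:` such as `Use GID 100 as the built-in default primary group when no defaults file exists (distribution default; not for upstream)`. The declaration list continues past the end of the hunk.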