From 2204667d89630be04163872adf80bd98e013f1bda582a37de47502d2823a89c2 Mon Sep 17 00:00:00 2001
From: Michael Vetter <jubalh@iodoru.org>
Date: Wed, 17 Nov 2021 16:18:12 +0000
Subject: [PATCH] Accepting request 931937 from
 home:sbrabec:branches:Base:System

- shadow-util-linux.patch:
  * Remove the section patching lib/getdef.c in favor of the
    upstream FOREIGNDEFS.
  * Add LOGIN_KEEP_USERNAME to login.defs.
  * Remove PREVENT_NO_AUTH from login.defs. Only used by the
    unpackaged login and su.
- shadow-login_defs-unused-by-pam.patch:
  * Remove variables BCRYPT_MIN_ROUNDS, BCRYPT_MAX_ROUNDS,
    YESCRYPT_COST_FACTOR, not supported by the current
    configuratiton.
- Update login_defs-support-for-pam symbol to version 1.5.2
  (support for new variable HMAC_CRYPTO_ALGO).
- Update login_defs-support-for-util-linux to version 2.37
  (support for new variable LOGIN_KEEP_USERNAME).
- Refresh shadow-login_defs-comments.patch and
  shadow-login_defs-suse.patch.
- Improve shadow-login_defs-check.sh:
  * Add helper to import local new version in the parent dir.
  * Fix spec editing sed expression.
  * Add PREVENT_NO_AUTH to known unused variables.
  * Update pam sed expression to find HMAC_CRYPTO_ALGO.
  * Add more sanity checks.

OBS-URL: https://build.opensuse.org/request/show/931937
OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=114
---
 shadow-login_defs-check.sh            | 52 ++++++++++++++++++----
 shadow-login_defs-comments.patch      | 36 +--------------
 shadow-login_defs-suse.patch          | 13 +++---
 shadow-login_defs-unused-by-pam.patch | 37 ++++++++++++++--
 shadow-util-linux.patch               | 63 ++++++++++++---------------
 shadow.changes                        | 26 +++++++++++
 shadow.spec                           |  4 +-
 7 files changed, 142 insertions(+), 89 deletions(-)

diff --git a/shadow-login_defs-check.sh b/shadow-login_defs-check.sh
index 958ed00..2e0377f 100644
--- a/shadow-login_defs-check.sh
+++ b/shadow-login_defs-check.sh
@@ -20,7 +20,18 @@ which osc >/dev/null
 # Extract list of referenced variables.
 if ! test -f openSUSE:Factory/util-linux/BUILD/*/configure.ac ; then
 	echo "Checking out util-linux..."
-	osc co openSUSE:Factory util-linux
+	if test -d ../util-linux ; then
+		echo -n "../util-linux found. Are you preparing new version? (y/N) "
+		read
+		if test "${REPLY:0:1}" = "y" ; then
+		mkdir -p openSUSE:Factory
+			cp -a ../util-linux openSUSE:Factory/
+		else
+			osc co openSUSE:Factory util-linux
+		fi
+	else
+		osc co openSUSE:Factory util-linux
+	fi
 	cd openSUSE:Factory/util-linux
 	quilt setup -d BUILD util-linux.spec
 	cd BUILD/*
@@ -43,7 +54,18 @@ cd ../../../..
 # Extract list of referenced variables.
 if ! test -f openSUSE:Factory/pam/BUILD/*/configure.ac ; then
 	echo "Checking out pam..."
-	osc co openSUSE:Factory pam
+	if test -d ../pam ; then
+		echo -n "../pam found. Are you preparing new version? (y/N) "
+		read
+		if test "${REPLY:0:1}" = "y" ; then
+		mkdir -p openSUSE:Factory
+			cp -a ../pam openSUSE:Factory/
+		else
+			osc co openSUSE:Factory pam
+		fi
+	else
+		osc co openSUSE:Factory pam
+	fi
 	cd openSUSE:Factory/pam
 	quilt setup -d BUILD pam.spec
 	cd BUILD/*
@@ -54,7 +76,7 @@ fi
 echo "Extracting variables from pam..."
 cd openSUSE:Factory/pam/BUILD/*
 grep -rh LOGIN_DEFS . |
-	sed -n 's/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' |
+	sed -n 's/CRYPTO_KEY/\"HMAC_CRYPTO_ALGO\"/g;s/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' |
 	LC_ALL=C sort -u >../../../../shadow-login_defs-check-pam.lst
 cd ../../../..
 
@@ -66,12 +88,24 @@ if ! test -f shadow-login_defs-check-build/stamp ; then
 # In case of shadow, variables extraction is more complicated. The list
 # depends on configure options, so we have to perform a fake build and
 # extract variables from prepreocessed sources.
-        sed -i '/^%make_build/i\_smp_mpflags="%{?_smp_mpflags} -k CPPFLAGS=\\"-E\\""' shadow.spec
+#		sed -i '/^%make_build/i\_smp_mpflags="%{?_smp_mpflags} -k CPPFLAGS=\\"-E\\""' shadow.spec
+		sed -i 's/^%make_build/%make_build -k CPPFLAGS=\\"-E\\"/' shadow.spec
+		if cmp -s shadow.spec shadow.spec.shadow-login_defs-check-save ; then
+			echo "$0: Please fix sed expression modifying shadow.spec."
+			mv shadow.spec.shadow-login_defs-check-save shadow.spec
+			exit 1
+		fi
 	fi
 
-	osc build "$@" || :
-	echo "This build command was expected to fail."
-	echo ""
+	if osc build "$@" ; then
+		echo "This build command was expected to fail, but it succeeded."
+		echo "$0: Please fix sed expression modifying shadow.spec."
+		mv shadow.spec.shadow-login_defs-check-save shadow.spec
+		exit 1
+	else
+		echo "This build command was expected to fail."
+		echo ""
+	fi
 	mv shadow.spec.shadow-login_defs-check-save shadow.spec
 
 	BUILD_ROOT=$(osc lbl | sed -n 's/^.*Using BUILD_ROOT=//p')
@@ -167,6 +201,8 @@ function falsematch() {
 	FTMP_FILE ) return 0 ;;
 # ISSUE_FILE used by library call login_prompt() used only by login.c that is deleted in the spec.
 	ISSUE_FILE ) return 0 ;;
+# PREVENT_NO_AUTH us used only by login.c and su.c that are deleted in the spec.
+	PREVENT_NO_AUTH ) return 0 ;;
 	* ) return 1 ;;
 	esac
 }
@@ -242,7 +278,7 @@ echo "Change in shadow.spec:"
 sed -n 's/^Version:[[:space:]]*/Provides:       login_defs-support-for-util-linux = /p' <openSUSE\:Factory/util-linux/util-linux.spec
 
 echo "
-If you ported encryption_method_nis.patch to the new pam version,
+If you ported shadow-login_defs-unused-by-pam.patch to the new pam version,
 please submit these updates:
 Change in pam.spec:"
 sed -n 's/^Version:[[:space:]]*/Requires:       login_defs-support-for-pam >= /p' <openSUSE\:Factory/pam/pam.spec
diff --git a/shadow-login_defs-comments.patch b/shadow-login_defs-comments.patch
index 5c9e4f1..67411fe 100644
--- a/shadow-login_defs-comments.patch
+++ b/shadow-login_defs-comments.patch
@@ -13,38 +13,6 @@ Index: etc/login.defs
  
  #
  # Delay in seconds before being allowed another attempt after a login failure
-@@ -23,15 +21,6 @@ LOG_UNKFAIL_ENAB	no
- #
- 
- #
--# Limit the highest user ID number for which the lastlog entries should
--# be updated.
--#
--# No LASTLOG_UID_MAX means that there is no user ID limit for writing
--# lastlog entries.
--#
--#LASTLOG_UID_MAX
--
--#
- # Enable "syslog" logging of newgrp(1) and sg(1) activity - in addition
- # to sulog file logging.
- #
-@@ -46,6 +35,15 @@ CONSOLE		/etc/securetty
- #CONSOLE	console:tty01:tty02:tty03:tty04
- 
- #
-+# Limit the highest user ID number for which the lastlog entries should
-+# be updated.
-+#
-+# No LASTLOG_UID_MAX means that there is no user ID limit for writing
-+# lastlog entries.
-+#
-+#LASTLOG_UID_MAX
-+
-+#
- # If defined, all su(1) activity is logged to this file.
- #
- #SULOG_FILE	/var/log/sulog
 @@ -99,11 +97,14 @@ ENV_PATH	/bin:/usr/bin
  ENV_ROOTPATH	/sbin:/bin:/usr/sbin:/usr/bin
  #ENV_SUPATH	/sbin:/bin:/usr/sbin:/usr/bin
@@ -86,7 +54,7 @@ Index: etc/login.defs
  GID_MIN			 1000
  GID_MAX			60000
  # System accounts
-@@ -190,7 +201,6 @@ LOGIN_TIMEOUT		60
+@@ -196,7 +207,6 @@ LOGIN_TIMEOUT		60
  CHFN_RESTRICT		rwh
  
  #
@@ -94,7 +62,7 @@ Index: etc/login.defs
  # If set to "yes", new passwords will be encrypted using the MD5-based
  # algorithm compatible with the one used by recent releases of FreeBSD.
  # It supports passwords of unlimited length and longer salt strings.
-@@ -205,7 +215,6 @@ CHFN_RESTRICT		rwh
+@@ -211,7 +221,6 @@ CHFN_RESTRICT		rwh
  #MD5_CRYPT_ENAB	no
  
  #
diff --git a/shadow-login_defs-suse.patch b/shadow-login_defs-suse.patch
index 3a4757e..3950730 100644
--- a/shadow-login_defs-suse.patch
+++ b/shadow-login_defs-suse.patch
@@ -67,7 +67,7 @@ Index: etc/login.defs
  
  # Default initial "umask" value used by login(1) on non-PAM enabled systems.
  # Default "umask" value for pam_umask(8) on PAM enabled systems.
-@@ -125,7 +128,7 @@
+@@ -133,7 +136,7 @@ UMASK		022
  # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
  # home directories.
  # If HOME_MODE is not set, the value of UMASK is used to create the mode.
@@ -106,8 +106,8 @@ Index: etc/login.defs
 +LOGIN_RETRIES		3
  
  #
- # Max time in seconds for login(1)
-@@ -201,18 +204,9 @@ LOGIN_TIMEOUT		60
+ # Tell login to only re-prompt for the password if authentication
+@@ -207,18 +210,9 @@ LOGIN_TIMEOUT		60
  CHFN_RESTRICT		rwh
  
  #
@@ -128,7 +128,7 @@ Index: etc/login.defs
  
  #
  # If set to MD5, MD5-based algorithm will be used for encrypting password
-@@ -227,7 +221,7 @@ CHFN_RESTRICT		rwh
+@@ -233,7 +227,7 @@ CHFN_RESTRICT		rwh
  # Note: If you use PAM, it is recommended to use a value consistent with
  # the PAM modules configuration.
  #
@@ -137,7 +137,7 @@ Index: etc/login.defs
  
  #
  # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
-@@ -325,7 +319,7 @@ USERDEL_POSTCMD         /usr/sbin/userde
+@@ -303,7 +297,7 @@ USERDEL_POSTCMD         /usr/sbin/userde
  #
  # This also enables userdel(8) to remove user groups if no members exist.
  #
@@ -146,7 +146,7 @@ Index: etc/login.defs
  
  #
  # If set to a non-zero number, the shadow utilities will make sure that
-@@ -344,7 +338,7 @@ USERGROUPS_ENAB yes
+@@ -322,7 +316,7 @@ USERGROUPS_ENAB yes
  # This option is overridden with the -M or -m flags on the useradd(8)
  # command-line.
  #
@@ -155,4 +155,3 @@ Index: etc/login.defs
  
  #
  # Force use shadow, even if shadow passwd & shadow group files are
-
diff --git a/shadow-login_defs-unused-by-pam.patch b/shadow-login_defs-unused-by-pam.patch
index 1c4dbd9..2599774 100644
--- a/shadow-login_defs-unused-by-pam.patch
+++ b/shadow-login_defs-unused-by-pam.patch
@@ -1,6 +1,9 @@
 Remove variables that are present in login.defs, but shadow with the
 current configuration (e. g. with PAM) does not use them.
 
+It also includes variables used by the current configuration, but deleted
+in the spec file.
+
 shadow-login_defs-unused-check.sh makes possible to verify that it is
 still up to date.
 
@@ -221,10 +224,38 @@ Index: etc/login.defs
  # Only works if compiled with MD5_CRYPT defined:
  # If set to "yes", new passwords will be encrypted using the MD5-based
  # algorithm compatible with the one used by recent releases of FreeBSD.
-@@ -382,17 +252,6 @@ CHFN_RESTRICT		rwh
- #YESCRYPT_COST_FACTOR 5
+@@ -354,45 +224,6 @@ CHFN_RESTRICT		rwh
+ #SHA_CRYPT_MAX_ROUNDS 5000
  
  #
+-# Only works if ENCRYPT_METHOD is set to BCRYPT.
+-#
+-# Define the number of BCRYPT rounds.
+-# With a lot of rounds, it is more difficult to brute-force the password.
+-# However, more CPU resources will be needed to authenticate users if
+-# this value is increased.
+-#
+-# If not specified, 13 rounds will be attempted.
+-# If only one of the MIN or MAX values is set, then this value will be used.
+-# If MIN > MAX, the highest value will be used.
+-#
+-#BCRYPT_MIN_ROUNDS 13
+-#BCRYPT_MAX_ROUNDS 13
+-
+-#
+-# Only works if ENCRYPT_METHOD is set to YESCRYPT.
+-#
+-# Define the YESCRYPT cost factor.
+-# With a higher cost factor, it is more difficult to brute-force the password.
+-# However, more CPU time and more memory will be needed to authenticate users
+-# if this value is increased.
+-#
+-# If not specified, a cost factor of 5 will be used.
+-# The value must be within the 1-11 range.
+-#
+-#YESCRYPT_COST_FACTOR 5
+-
+-#
 -# List of groups to add to the user's supplementary group set
 -# when logging in from the console (as determined by the CONSOLE
 -# setting).  Default is none.
@@ -239,7 +270,7 @@ Index: etc/login.defs
  # Should login be allowed if we can't cd to the home directory?
  # Default is no.
  #
-@@ -407,12 +266,6 @@ DEFAULT_HOME	yes
+@@ -407,12 +238,6 @@ DEFAULT_HOME	yes
  NONEXISTENT	/nonexistent
  
  #
diff --git a/shadow-util-linux.patch b/shadow-util-linux.patch
index b885e5c..a732cbc 100644
--- a/shadow-util-linux.patch
+++ b/shadow-util-linux.patch
@@ -109,39 +109,32 @@ Index: etc/login.defs
  # Default initial "umask" value used by login(1) on non-PAM enabled systems.
  # Default "umask" value for pam_umask(8) on PAM enabled systems.
  # UMASK is also used by useradd(8) and newusers(8) to set the mode for new
-Index: lib/getdef.c
-===================================================================
---- lib/getdef.c.orig
-+++ lib/getdef.c
-@@ -67,6 +67,7 @@ struct itemdef {
- 	{"LOGIN_STRING", NULL},			\
- 	{"MAIL_CHECK_ENAB", NULL},		\
- 	{"MOTD_FILE", NULL},			\
-+	{"MOTD_FIRSTONLY", NULL},		\
- 	{"NOLOGINS_FILE", NULL},		\
- 	{"OBSCURE_CHECKS_ENAB", NULL},		\
- 	{"PASS_ALWAYS_WARN", NULL},		\
-@@ -91,6 +92,7 @@ struct itemdef {
+@@ -163,6 +177,12 @@ SUB_GID_COUNT		    65536
+ LOGIN_RETRIES		5
  
- #define NUMDEFS	(sizeof(def_table)/sizeof(def_table[0]))
- static struct itemdef def_table[] = {
-+	{"ALWAYS_SET_PATH", NULL},
- 	{"CHARACTER_CLASS", NULL},
- 	{"CHFN_RESTRICT", NULL},
- 	{"CONSOLE_GROUPS", NULL},
-@@ -99,6 +101,7 @@ static struct itemdef def_table[] = {
- 	{"DEFAULT_HOME", NULL},
- 	{"ENCRYPT_METHOD", NULL},
- 	{"ENV_PATH", NULL},
-+	{"ENV_ROOTPATH", NULL},
- 	{"ENV_SUPATH", NULL},
- 	{"ERASECHAR", NULL},
- 	{"FAIL_DELAY", NULL},
-@@ -110,6 +113,7 @@ static struct itemdef def_table[] = {
- 	{"KILLCHAR", NULL},
- 	{"LASTLOG_UID_MAX", NULL},
- 	{"LOGIN_RETRIES", NULL},
-+	{"LOGIN_PLAIN_PROMPT", NULL},
- 	{"LOGIN_TIMEOUT", NULL},
- 	{"LOG_OK_LOGINS", NULL},
- 	{"LOG_UNKFAIL_ENAB", NULL},
+ #
++# Tell login to only re-prompt for the password if authentication
++# failed, but the username is valid. The default value is no.
++#
++LOGIN_KEEP_USERNAME	no
++
++#
+ # Max time in seconds for login(1)
+ #
+ LOGIN_TIMEOUT		60
+@@ -315,15 +335,6 @@ CHARACTER_CLASS         [ABCDEFGHIJKLMNO
+ #GRANT_AUX_GROUP_SUBIDS yes
+ 
+ #
+-# Prevents an empty password field to be interpreted as "no authentication
+-# required".
+-# Set to "yes" to prevent for all accounts
+-# Set to "superuser" to prevent for UID 0 / root (default)
+-# Set to "no" to not prevent for any account (dangerous, historical default)
+-
+-PREVENT_NO_AUTH superuser
+-
+-#
+ # Select the HMAC cryptography algorithm.
+ # Used in pam_timestamp module to calculate the keyed-hash message
+ # authentication code.
diff --git a/shadow.changes b/shadow.changes
index 4f403b5..14acf6d 100644
--- a/shadow.changes
+++ b/shadow.changes
@@ -1,3 +1,29 @@
+-------------------------------------------------------------------
+Tue Nov  9 01:39:44 UTC 2021 - Stanislav Brabec <sbrabec@suse.com>
+
+- shadow-util-linux.patch:
+  * Remove the section patching lib/getdef.c in favor of the
+    upstream FOREIGNDEFS.
+  * Add LOGIN_KEEP_USERNAME to login.defs.
+  * Remove PREVENT_NO_AUTH from login.defs. Only used by the
+    unpackaged login and su.
+- shadow-login_defs-unused-by-pam.patch:
+  * Remove variables BCRYPT_MIN_ROUNDS, BCRYPT_MAX_ROUNDS,
+    YESCRYPT_COST_FACTOR, not supported by the current
+    configuratiton.
+- Update login_defs-support-for-pam symbol to version 1.5.2
+  (support for new variable HMAC_CRYPTO_ALGO).
+- Update login_defs-support-for-util-linux to version 2.37
+  (support for new variable LOGIN_KEEP_USERNAME).
+- Refresh shadow-login_defs-comments.patch and
+  shadow-login_defs-suse.patch.
+- Improve shadow-login_defs-check.sh:
+  * Add helper to import local new version in the parent dir.
+  * Fix spec editing sed expression.
+  * Add PREVENT_NO_AUTH to known unused variables.
+  * Update pam sed expression to find HMAC_CRYPTO_ALGO.
+  * Add more sanity checks.
+
 -------------------------------------------------------------------
 Mon Sep 20 09:43:41 UTC 2021 - Michael Vetter <mvetter@suse.com>
 
diff --git a/shadow.spec b/shadow.spec
index d0c0b4b..279c748 100644
--- a/shadow.spec
+++ b/shadow.spec
@@ -107,8 +107,8 @@ Summary:        The login.defs configuration file
 # encryption_method_nis.patch has to be ported!
 # Call shadow-login_defs-check.sh before!
 Group:          System/Base
-Provides:       login_defs-support-for-pam = 1.3.1
-Provides:       login_defs-support-for-util-linux = 2.36
+Provides:       login_defs-support-for-pam = 1.5.2
+Provides:       login_defs-support-for-util-linux = 2.37
 BuildArch:      noarch
 
 %description -n login_defs