Accepting request 932263 from Base:System
- Fix segfaults in newgrp and pwck * Add shadow-4.9-newgrp-segfault.patch https://github.com/shadow-maint/shadow/pull/437 * Add shadow-4.9-pwck-segfault.patch https://github.com/shadow-maint/shadow/pull/445 - Added hardening to systemd service(s) (bsc#1181400). Modified: * shadow.service - shadow-util-linux.patch: * Remove the section patching lib/getdef.c in favor of the upstream FOREIGNDEFS. * Add LOGIN_KEEP_USERNAME to login.defs. * Remove PREVENT_NO_AUTH from login.defs. Only used by the unpackaged login and su. - shadow-login_defs-unused-by-pam.patch: * Remove variables BCRYPT_MIN_ROUNDS, BCRYPT_MAX_ROUNDS, YESCRYPT_COST_FACTOR, not supported by the current configuration. - Update login_defs-support-for-pam symbol to version 1.5.2 (support for new variable HMAC_CRYPTO_ALGO). - Update login_defs-support-for-util-linux to version 2.37 (support for new variable LOGIN_KEEP_USERNAME). - Refresh shadow-login_defs-comments.patch and shadow-login_defs-suse.patch. - Improve shadow-login_defs-check.sh: * Add helper to import local new version in the parent dir. * Fix spec editing sed expression. * Add PREVENT_NO_AUTH to known unused variables. * Update pam sed expression to find HMAC_CRYPTO_ALGO. OBS-URL: https://build.opensuse.org/request/show/932263 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shadow?expand=0&rev=45
6f9efa1aed
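--- a/shadow-4.9-newgrp-segfault.patch
+++ b/shadow-4.9-newgrp-segfault.patch
@@ -0,0 +1,15 @@
+https://github.com/shadow-maint/shadow/commit/497e90751bc0d95cc998b0f06305040563903948
+Index: shadow-4.9/src/newgrp.c
+===================================================================
+--- shadow-4.9.orig/src/newgrp.c
++++ shadow-4.9/src/newgrp.c
+@@ -163,8 +163,8 @@ static void check_perms (const struct gr
+spwd = xgetspnam (pwd->pw_name);
+if (NULL != spwd) {
+pwd->pw_passwd = xstrdup (spwd->sp_pwdp);
++ spw_free (spwd);
+}
+- spw_free (spwd);
+
+if ((pwd->pw_passwd[0] == '\0') && (grp->gr_passwd[0] != '\0')) {
+needspasswd = true;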
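Review bot: The patch header on the first line carries only the upstream commit URL, so a reader of the package has to follow the link to learn why `spw_free (spwd)` moved inside the `NULL != spwd` branch; presumably spw_free() does not tolerate a NULL argument, which would be the newgrp segfault the changelog names. I would add one line under the URL, `Free the shadow entry only when xgetspnam() returned one; calling spw_free() on NULL crashed newgrp for users without a shadow entry.`, worded to match whatever the upstream commit message actually states. check_perms() starts and ends outside the quoted hunk, so the later use of pwd->pw_passwd could not be checked here.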
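--- a/shadow-4.9-pwck-segfault.patch
+++ b/shadow-4.9-pwck-segfault.patch
@@ -0,0 +1,14 @@
+https://github.com/shadow-maint/shadow/commit/d8e54618feea201987c1f3cb402ed50d1d8b604f
+
+Index: shadow-4.9/src/pwck.c
+===================================================================
+--- shadow-4.9.orig/src/pwck.c
++++ shadow-4.9/src/pwck.c
+@@ -857,6 +857,7 @@ int main (int argc, char **argv)
+* Get my name so that I can use it to report errors.
+*/
+Prog = Basename (argv[0]);
++ shadow_logfd = stderr;
+
+(void) setlocale (LC_ALL, "");
+(void) bindtextdomain (PACKAGE, LOCALEDIR);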
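Review bot: `shadow_logfd = stderr;` is the whole fix, but nothing in the patch records that the logging file pointer was left unset in pwck's main() and that the crash presumably happens on the first message written through it; a line under the URL such as `Initialise shadow_logfd before anything is logged; pwck crashed on its first error report because the pointer was still NULL.` would let the next maintainer judge when the patch can be dropped. shadow.service in this same commit runs `grpck -r` next to `pwck -r`, so it is worth confirming that grpck's main() already initialises shadow_logfd the same way, otherwise the service unit will still crash on the group side. main() continues outside the hunk.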
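--- a/shadow-login_defs-check.sh
+++ b/shadow-login_defs-check.sh
@@ -20,7 +20,18 @@ which osc >/dev/null
 # Extract list of referenced variables.
 if ! test -f openSUSE:Factory/util-linux/BUILD/*/configure.ac ; then
 echo "Checking out util-linux..."
+if test -d ../util-linux ; then
+echo -n "../util-linux found. Are you preparing new version? (y/N) "
+read
+if test "${REPLY:0:1}" = "y" ; then
+mkdir -p openSUSE:Factory
+cp -a ../util-linux openSUSE:Factory/
+else
 osc co openSUSE:Factory util-linux
+fi
+else
+osc co openSUSE:Factory util-linux
+fi
 cd openSUSE:Factory/util-linux
 quilt setup -d BUILD util-linux.spec
 cd BUILD/*
@@ -43,7 +54,18 @@ cd ../../../..
 # Extract list of referenced variables.
 if ! test -f openSUSE:Factory/pam/BUILD/*/configure.ac ; then
 echo "Checking out pam..."
+if test -d ../pam ; then
+echo -n "../pam found. Are you preparing new version? (y/N) "
+read
+if test "${REPLY:0:1}" = "y" ; then
+mkdir -p openSUSE:Factory
+cp -a ../pam openSUSE:Factory/
+else
 osc co openSUSE:Factory pam
+fi
+else
+osc co openSUSE:Factory pam
+fi
 cd openSUSE:Factory/pam
 quilt setup -d BUILD pam.spec
 cd BUILD/*
@@ -54,7 +76,7 @@ fi
 echo "Extracting variables from pam..."
 cd openSUSE:Factory/pam/BUILD/*
 grep -rh LOGIN_DEFS . |
-sed -n 's/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' |
+sed -n 's/CRYPTO_KEY/\"HMAC_CRYPTO_ALGO\"/g;s/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' |
 LC_ALL=C sort -u >../../../../shadow-login_defs-check-pam.lst
 cd ../../../..
 
@@ -66,12 +88,24 @@ if ! test -f shadow-login_defs-check-build/stamp ; then
 # In case of shadow, variables extraction is more complicated. The list
 # depends on configure options, so we have to perform a fake build and
 # extract variables from prepreocessed sources.
-sed -i '/^%make_build/i\_smp_mpflags="%{?_smp_mpflags} -k CPPFLAGS=\\"-E\\""' shadow.spec
+# sed -i '/^%make_build/i\_smp_mpflags="%{?_smp_mpflags} -k CPPFLAGS=\\"-E\\""' shadow.spec
+sed -i 's/^%make_build/%make_build -k CPPFLAGS=\\"-E\\"/' shadow.spec
+if cmp -s shadow.spec shadow.spec.shadow-login_defs-check-save ; then
+echo "$0: Please fix sed expression modifying shadow.spec."
+mv shadow.spec.shadow-login_defs-check-save shadow.spec
+exit 1
+fi
 fi
 
-osc build "$@" || :
+if osc build "$@" ; then
+echo "This build command was expected to fail, but it succeeded."
+echo "$0: Please fix sed expression modifying shadow.spec."
+mv shadow.spec.shadow-login_defs-check-save shadow.spec
+exit 1
+else
 echo "This build command was expected to fail."
 echo ""
+fi
 mv shadow.spec.shadow-login_defs-check-save shadow.spec
 
 BUILD_ROOT=$(osc lbl | sed -n 's/^.*Using BUILD_ROOT=//p')
@@ -167,6 +201,8 @@ function falsematch() {
 FTMP_FILE ) return 0 ;;
 # ISSUE_FILE used by library call login_prompt() used only by login.c that is deleted in the spec.
 ISSUE_FILE ) return 0 ;;
+# PREVENT_NO_AUTH us used only by login.c and su.c that are deleted in the spec.
+PREVENT_NO_AUTH ) return 0 ;;
 * ) return 1 ;;
 esac
 }
@@ -242,7 +278,7 @@ echo "Change in shadow.spec:"
 sed -n 's/^Version:[[:space:]]*/Provides: login_defs-support-for-util-linux = /p' <openSUSE\:Factory/util-linux/util-linux.spec
 
 echo "
-If you ported encryption_method_nis.patch to the new pam version,
+If you ported shadow-login_defs-unused-by-pam.patch to the new pam version,
 please submit these updates:
 Change in pam.spec:"
 sed -n 's/^Version:[[:space:]]*/Requires: login_defs-support-for-pam >= /p' <openSUSE\:Factory/pam/pam.spec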
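Review bot: The interactive import helper added in the first hunk is repeated verbatim in the second hunk with util-linux swapped for pam, so any later correction (for instance the bare `read`, which without `-r` lets a backslash in the answer be interpreted) has to be made in two places; a small function taking the package name would remove the duplication and the function could live near the top of the script, outside these hunks. `read` should become `read -r` in both copies regardless. The new comment in the falsematch hunk has a typo, `# PREVENT_NO_AUTH is used only by login.c and su.c that are deleted in the spec.` is what was meant.
```shell
# Copy ../$1 into the Factory tree when a new version is being prepared there,
# otherwise check the package out from openSUSE:Factory.
import_or_checkout() {
	if test -d "../$1" ; then
		echo -n "../$1 found. Are you preparing new version? (y/N) "
		read -r
		if test "${REPLY:0:1}" = "y" ; then
			mkdir -p openSUSE:Factory
			cp -a "../$1" openSUSE:Factory/
			return
		fi
	fi
	osc co openSUSE:Factory "$1"
}
# … unchanged: configure.ac presence test and "Checking out util-linux..." echo …
import_or_checkout util-linux
# … unchanged: cd / quilt setup; the pam block calls import_or_checkout pam the same way …
```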
@ -13,38 +13,6 @@ Index: etc/login.defs
|
|||||||
|
|
||||||
#
|
#
|
||||||
# Delay in seconds before being allowed another attempt after a login failure
|
# Delay in seconds before being allowed another attempt after a login failure
|
||||||
@@ -23,15 +21,6 @@ LOG_UNKFAIL_ENAB no
|
|
||||||
#
|
|
||||||
|
|
||||||
#
|
|
||||||
-# Limit the highest user ID number for which the lastlog entries should
|
|
||||||
-# be updated.
|
|
||||||
-#
|
|
||||||
-# No LASTLOG_UID_MAX means that there is no user ID limit for writing
|
|
||||||
-# lastlog entries.
|
|
||||||
-#
|
|
||||||
-#LASTLOG_UID_MAX
|
|
||||||
-
|
|
||||||
-#
|
|
||||||
# Enable "syslog" logging of newgrp(1) and sg(1) activity - in addition
|
|
||||||
# to sulog file logging.
|
|
||||||
#
|
|
||||||
@@ -46,6 +35,15 @@ CONSOLE /etc/securetty
|
|
||||||
#CONSOLE console:tty01:tty02:tty03:tty04
|
|
||||||
|
|
||||||
#
|
|
||||||
+# Limit the highest user ID number for which the lastlog entries should
|
|
||||||
+# be updated.
|
|
||||||
+#
|
|
||||||
+# No LASTLOG_UID_MAX means that there is no user ID limit for writing
|
|
||||||
+# lastlog entries.
|
|
||||||
+#
|
|
||||||
+#LASTLOG_UID_MAX
|
|
||||||
+
|
|
||||||
+#
|
|
||||||
# If defined, all su(1) activity is logged to this file.
|
|
||||||
#
|
|
||||||
#SULOG_FILE /var/log/sulog
|
|
||||||
@@ -99,11 +97,14 @@ ENV_PATH /bin:/usr/bin
|
@@ -99,11 +97,14 @@ ENV_PATH /bin:/usr/bin
|
||||||
ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin
|
ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin
|
||||||
#ENV_SUPATH /sbin:/bin:/usr/sbin:/usr/bin
|
#ENV_SUPATH /sbin:/bin:/usr/sbin:/usr/bin
|
||||||
@ -86,7 +54,7 @@ Index: etc/login.defs
|
|||||||
GID_MIN 1000
|
GID_MIN 1000
|
||||||
GID_MAX 60000
|
GID_MAX 60000
|
||||||
# System accounts
|
# System accounts
|
||||||
@@ -190,7 +201,6 @@ LOGIN_TIMEOUT 60
|
@@ -196,7 +207,6 @@ LOGIN_TIMEOUT 60
|
||||||
CHFN_RESTRICT rwh
|
CHFN_RESTRICT rwh
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -94,7 +62,7 @@ Index: etc/login.defs
|
|||||||
# If set to "yes", new passwords will be encrypted using the MD5-based
|
# If set to "yes", new passwords will be encrypted using the MD5-based
|
||||||
# algorithm compatible with the one used by recent releases of FreeBSD.
|
# algorithm compatible with the one used by recent releases of FreeBSD.
|
||||||
# It supports passwords of unlimited length and longer salt strings.
|
# It supports passwords of unlimited length and longer salt strings.
|
||||||
@@ -205,7 +215,6 @@ CHFN_RESTRICT rwh
|
@@ -211,7 +221,6 @@ CHFN_RESTRICT rwh
|
||||||
#MD5_CRYPT_ENAB no
|
#MD5_CRYPT_ENAB no
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -67,7 +67,7 @@ Index: etc/login.defs
|
|||||||
|
|
||||||
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
|
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
|
||||||
# Default "umask" value for pam_umask(8) on PAM enabled systems.
|
# Default "umask" value for pam_umask(8) on PAM enabled systems.
|
||||||
@@ -125,7 +128,7 @@
|
@@ -133,7 +136,7 @@ UMASK 022
|
||||||
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
|
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
|
||||||
# home directories.
|
# home directories.
|
||||||
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
|
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
|
||||||
@ -106,8 +106,8 @@ Index: etc/login.defs
|
|||||||
+LOGIN_RETRIES 3
|
+LOGIN_RETRIES 3
|
||||||
|
|
||||||
#
|
#
|
||||||
# Max time in seconds for login(1)
|
# Tell login to only re-prompt for the password if authentication
|
||||||
@@ -201,18 +204,9 @@ LOGIN_TIMEOUT 60
|
@@ -207,18 +210,9 @@ LOGIN_TIMEOUT 60
|
||||||
CHFN_RESTRICT rwh
|
CHFN_RESTRICT rwh
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -128,7 +128,7 @@ Index: etc/login.defs
|
|||||||
|
|
||||||
#
|
#
|
||||||
# If set to MD5, MD5-based algorithm will be used for encrypting password
|
# If set to MD5, MD5-based algorithm will be used for encrypting password
|
||||||
@@ -227,7 +221,7 @@ CHFN_RESTRICT rwh
|
@@ -233,7 +227,7 @@ CHFN_RESTRICT rwh
|
||||||
# Note: If you use PAM, it is recommended to use a value consistent with
|
# Note: If you use PAM, it is recommended to use a value consistent with
|
||||||
# the PAM modules configuration.
|
# the PAM modules configuration.
|
||||||
#
|
#
|
||||||
@ -137,7 +137,7 @@ Index: etc/login.defs
|
|||||||
|
|
||||||
#
|
#
|
||||||
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
|
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
|
||||||
@@ -325,7 +319,7 @@ USERDEL_POSTCMD /usr/sbin/userde
|
@@ -303,7 +297,7 @@ USERDEL_POSTCMD /usr/sbin/userde
|
||||||
#
|
#
|
||||||
# This also enables userdel(8) to remove user groups if no members exist.
|
# This also enables userdel(8) to remove user groups if no members exist.
|
||||||
#
|
#
|
||||||
@ -146,7 +146,7 @@ Index: etc/login.defs
|
|||||||
|
|
||||||
#
|
#
|
||||||
# If set to a non-zero number, the shadow utilities will make sure that
|
# If set to a non-zero number, the shadow utilities will make sure that
|
||||||
@@ -344,7 +338,7 @@ USERGROUPS_ENAB yes
|
@@ -322,7 +316,7 @@ USERGROUPS_ENAB yes
|
||||||
# This option is overridden with the -M or -m flags on the useradd(8)
|
# This option is overridden with the -M or -m flags on the useradd(8)
|
||||||
# command-line.
|
# command-line.
|
||||||
#
|
#
|
||||||
@ -155,4 +155,3 @@ Index: etc/login.defs
|
|||||||
|
|
||||||
#
|
#
|
||||||
# Force use shadow, even if shadow passwd & shadow group files are
|
# Force use shadow, even if shadow passwd & shadow group files are
|
||||||
|
|
||||||
|
@ -1,6 +1,9 @@
|
|||||||
Remove variables that are present in login.defs, but shadow with the
|
Remove variables that are present in login.defs, but shadow with the
|
||||||
current configuration (e. g. with PAM) does not use them.
|
current configuration (e. g. with PAM) does not use them.
|
||||||
|
|
||||||
|
It also includes variables used by the current configuration, but deleted
|
||||||
|
in the spec file.
|
||||||
|
|
||||||
shadow-login_defs-unused-check.sh makes possible to verify that it is
|
shadow-login_defs-unused-check.sh makes possible to verify that it is
|
||||||
still up to date.
|
still up to date.
|
||||||
|
|
||||||
@ -221,10 +224,38 @@ Index: etc/login.defs
|
|||||||
# Only works if compiled with MD5_CRYPT defined:
|
# Only works if compiled with MD5_CRYPT defined:
|
||||||
# If set to "yes", new passwords will be encrypted using the MD5-based
|
# If set to "yes", new passwords will be encrypted using the MD5-based
|
||||||
# algorithm compatible with the one used by recent releases of FreeBSD.
|
# algorithm compatible with the one used by recent releases of FreeBSD.
|
||||||
@@ -382,17 +252,6 @@ CHFN_RESTRICT rwh
|
@@ -354,45 +224,6 @@ CHFN_RESTRICT rwh
|
||||||
#YESCRYPT_COST_FACTOR 5
|
#SHA_CRYPT_MAX_ROUNDS 5000
|
||||||
|
|
||||||
#
|
#
|
||||||
|
-# Only works if ENCRYPT_METHOD is set to BCRYPT.
|
||||||
|
-#
|
||||||
|
-# Define the number of BCRYPT rounds.
|
||||||
|
-# With a lot of rounds, it is more difficult to brute-force the password.
|
||||||
|
-# However, more CPU resources will be needed to authenticate users if
|
||||||
|
-# this value is increased.
|
||||||
|
-#
|
||||||
|
-# If not specified, 13 rounds will be attempted.
|
||||||
|
-# If only one of the MIN or MAX values is set, then this value will be used.
|
||||||
|
-# If MIN > MAX, the highest value will be used.
|
||||||
|
-#
|
||||||
|
-#BCRYPT_MIN_ROUNDS 13
|
||||||
|
-#BCRYPT_MAX_ROUNDS 13
|
||||||
|
-
|
||||||
|
-#
|
||||||
|
-# Only works if ENCRYPT_METHOD is set to YESCRYPT.
|
||||||
|
-#
|
||||||
|
-# Define the YESCRYPT cost factor.
|
||||||
|
-# With a higher cost factor, it is more difficult to brute-force the password.
|
||||||
|
-# However, more CPU time and more memory will be needed to authenticate users
|
||||||
|
-# if this value is increased.
|
||||||
|
-#
|
||||||
|
-# If not specified, a cost factor of 5 will be used.
|
||||||
|
-# The value must be within the 1-11 range.
|
||||||
|
-#
|
||||||
|
-#YESCRYPT_COST_FACTOR 5
|
||||||
|
-
|
||||||
|
-#
|
||||||
-# List of groups to add to the user's supplementary group set
|
-# List of groups to add to the user's supplementary group set
|
||||||
-# when logging in from the console (as determined by the CONSOLE
|
-# when logging in from the console (as determined by the CONSOLE
|
||||||
-# setting). Default is none.
|
-# setting). Default is none.
|
||||||
@ -239,7 +270,7 @@ Index: etc/login.defs
|
|||||||
# Should login be allowed if we can't cd to the home directory?
|
# Should login be allowed if we can't cd to the home directory?
|
||||||
# Default is no.
|
# Default is no.
|
||||||
#
|
#
|
||||||
@@ -407,12 +266,6 @@ DEFAULT_HOME yes
|
@@ -407,12 +238,6 @@ DEFAULT_HOME yes
|
||||||
NONEXISTENT /nonexistent
|
NONEXISTENT /nonexistent
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -109,39 +109,32 @@ Index: etc/login.defs
|
|||||||
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
|
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
|
||||||
# Default "umask" value for pam_umask(8) on PAM enabled systems.
|
# Default "umask" value for pam_umask(8) on PAM enabled systems.
|
||||||
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
|
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
|
||||||
Index: lib/getdef.c
|
@@ -163,6 +177,12 @@ SUB_GID_COUNT 65536
|
||||||
===================================================================
|
LOGIN_RETRIES 5
|
||||||
--- lib/getdef.c.orig
|
|
||||||
+++ lib/getdef.c
|
|
||||||
@@ -67,6 +67,7 @@ struct itemdef {
|
|
||||||
{"LOGIN_STRING", NULL}, \
|
|
||||||
{"MAIL_CHECK_ENAB", NULL}, \
|
|
||||||
{"MOTD_FILE", NULL}, \
|
|
||||||
+ {"MOTD_FIRSTONLY", NULL}, \
|
|
||||||
{"NOLOGINS_FILE", NULL}, \
|
|
||||||
{"OBSCURE_CHECKS_ENAB", NULL}, \
|
|
||||||
{"PASS_ALWAYS_WARN", NULL}, \
|
|
||||||
@@ -91,6 +92,7 @@ struct itemdef {
|
|
||||||
|
|
||||||
#define NUMDEFS (sizeof(def_table)/sizeof(def_table[0]))
|
#
|
||||||
static struct itemdef def_table[] = {
|
+# Tell login to only re-prompt for the password if authentication
|
||||||
+ {"ALWAYS_SET_PATH", NULL},
|
+# failed, but the username is valid. The default value is no.
|
||||||
{"CHARACTER_CLASS", NULL},
|
+#
|
||||||
{"CHFN_RESTRICT", NULL},
|
+LOGIN_KEEP_USERNAME no
|
||||||
{"CONSOLE_GROUPS", NULL},
|
+
|
||||||
@@ -99,6 +101,7 @@ static struct itemdef def_table[] = {
|
+#
|
||||||
{"DEFAULT_HOME", NULL},
|
# Max time in seconds for login(1)
|
||||||
{"ENCRYPT_METHOD", NULL},
|
#
|
||||||
{"ENV_PATH", NULL},
|
LOGIN_TIMEOUT 60
|
||||||
+ {"ENV_ROOTPATH", NULL},
|
@@ -315,15 +335,6 @@ CHARACTER_CLASS [ABCDEFGHIJKLMNO
|
||||||
{"ENV_SUPATH", NULL},
|
#GRANT_AUX_GROUP_SUBIDS yes
|
||||||
{"ERASECHAR", NULL},
|
|
||||||
{"FAIL_DELAY", NULL},
|
#
|
||||||
@@ -110,6 +113,7 @@ static struct itemdef def_table[] = {
|
-# Prevents an empty password field to be interpreted as "no authentication
|
||||||
{"KILLCHAR", NULL},
|
-# required".
|
||||||
{"LASTLOG_UID_MAX", NULL},
|
-# Set to "yes" to prevent for all accounts
|
||||||
{"LOGIN_RETRIES", NULL},
|
-# Set to "superuser" to prevent for UID 0 / root (default)
|
||||||
+ {"LOGIN_PLAIN_PROMPT", NULL},
|
-# Set to "no" to not prevent for any account (dangerous, historical default)
|
||||||
{"LOGIN_TIMEOUT", NULL},
|
-
|
||||||
{"LOG_OK_LOGINS", NULL},
|
-PREVENT_NO_AUTH superuser
|
||||||
{"LOG_UNKFAIL_ENAB", NULL},
|
-
|
||||||
|
-#
|
||||||
|
# Select the HMAC cryptography algorithm.
|
||||||
|
# Used in pam_timestamp module to calculate the keyed-hash message
|
||||||
|
# authentication code.
|
||||||
|
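Review bot: The refreshed patch no longer adds ALWAYS_SET_PATH, ENV_ROOTPATH, LOGIN_PLAIN_PROMPT and MOTD_FIRSTONLY to def_table in lib/getdef.c, and at the same time ships LOGIN_KEEP_USERNAME in login.defs, so it now relies on shadow 4.9's FOREIGNDEFS list containing all five names; if any is missing, getdef will presumably treat it as an unknown item and log a configuration error on every tool start, so that list is worth checking before this is accepted. Dropping the PREVENT_NO_AUTH block from login.defs is justified only while login and su stay unpackaged, which the patch itself does not record; a header line such as `PREVENT_NO_AUTH is removed because login and su are not built from this package; restore it if they are.` would tie the two together. The file header of this section is missing from the page, so only the hunk starting at -109,39 could be reviewed.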
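--- a/shadow.changes
+++ b/shadow.changes
@@ -1,3 +1,44 @@
+-------------------------------------------------------------------
+Thu Nov 18 13:46:03 UTC 2021 - Michael Vetter <mvetter@suse.com>
+
+- Fix segfaults in newgrp and pwck
+* Add shadow-4.9-newgrp-segfault.patch
+https://github.com/shadow-maint/shadow/pull/437
+* Add shadow-4.9-pwck-segfault.patch
+https://github.com/shadow-maint/shadow/pull/445
+
+-------------------------------------------------------------------
+Tue Nov 16 15:58:46 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+* shadow.service
+
+-------------------------------------------------------------------
+Tue Nov 9 01:39:44 UTC 2021 - Stanislav Brabec <sbrabec@suse.com>
+
+- shadow-util-linux.patch:
+* Remove the section patching lib/getdef.c in favor of the
+upstream FOREIGNDEFS.
+* Add LOGIN_KEEP_USERNAME to login.defs.
+* Remove PREVENT_NO_AUTH from login.defs. Only used by the
+unpackaged login and su.
+- shadow-login_defs-unused-by-pam.patch:
+* Remove variables BCRYPT_MIN_ROUNDS, BCRYPT_MAX_ROUNDS,
+YESCRYPT_COST_FACTOR, not supported by the current
+configuratiton.
+- Update login_defs-support-for-pam symbol to version 1.5.2
+(support for new variable HMAC_CRYPTO_ALGO).
+- Update login_defs-support-for-util-linux to version 2.37
+(support for new variable LOGIN_KEEP_USERNAME).
+- Refresh shadow-login_defs-comments.patch and
+shadow-login_defs-suse.patch.
+- Improve shadow-login_defs-check.sh:
+* Add helper to import local new version in the parent dir.
+* Fix spec editing sed expression.
+* Add PREVENT_NO_AUTH to known unused variables.
+* Update pam sed expression to find HMAC_CRYPTO_ALGO.
+* Add more sanity checks.
+
 -------------------------------------------------------------------
 Mon Sep 20 09:43:41 UTC 2021 - Michael Vetter <mvetter@suse.com>
 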
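--- a/shadow.service
+++ b/shadow.service
@@ -2,6 +2,19 @@
 Description=Verify integrity of password and group files
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=read-only
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=oneshot
 ExecStart=/usr/sbin/pwck -r
 ExecStart=/usr/sbin/grpck -r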
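Review bot: Both ExecStart lines run the checkers with `-r`, i.e. read-only, so the new sandbox can go further than `ProtectSystem=full`: `ProtectSystem=strict` keeps the whole file system read-only apart from explicitly writable paths, and `NoNewPrivileges=true` stops either checker from gaining privileges through setuid helpers; a read-only pass over the passwd, shadow and group files should not need either relaxation, but confirm that `-r` really takes no lock files under /etc before switching. `ProtectHome=read-only` rather than `yes` looks deliberate, since pwck checks that home directories exist and would otherwise report every one as missing; a one-line comment saying so, `# read-only, not yes: pwck stats every home directory`, would keep the next hardening sweep from tightening it.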
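--- a/shadow.spec
+++ b/shadow.spec
@@ -71,6 +71,10 @@ Patch13: shadow-passwd-handle-null.patch
 Patch14: shadow-4.9-sgent-free.patch
 # PATCH-FIX-UPSTREAM shadow-4.9-useradd-subuid.patch mvetter@suse.de -- Fix generating empty subid range and undeclared subid_count (boo#1190146)
 Patch15: shadow-4.9-useradd-subuid.patch
+# PATCH-FIX-UPSTREAM shadow-4.9-newgrp-segfault.patch mvetter@suse.de -- Fix segfault in newgrp (gh#437)
+Patch16: shadow-4.9-newgrp-segfault.patch
+# PATCH-FIX-UPSTREAM shadow-4.9-pwck-segfault.patch mvetter@suse.de -- Fix segfault in pwck (gh#445)
+Patch17: shadow-4.9-pwck-segfault.patch
 BuildRequires: audit-devel > 2.3
 BuildRequires: autoconf
 BuildRequires: automake
@@ -107,8 +111,8 @@ Summary: The login.defs configuration file
 # encryption_method_nis.patch has to be ported!
 # Call shadow-login_defs-check.sh before!
 Group: System/Base
-Provides: login_defs-support-for-pam = 1.3.1
-Provides: login_defs-support-for-util-linux = 2.36
+Provides: login_defs-support-for-pam = 1.5.2
+Provides: login_defs-support-for-util-linux = 2.37
 BuildArch: noarch
 
 %description -n login_defs
@@ -150,6 +154,8 @@ Development files for libsubid3.
 %patch13 -p1
 %patch14 -p1
 %patch15 -p1
+%patch16 -p1
+%patch17 -p1
 
 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
 mv -v doc/HOWTO.utf8 doc/HOWTO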