forked from pool/shadow
Accepting request 931937 from home:sbrabec:branches:Base:System
- shadow-util-linux.patch: * Remove the section patching lib/getdef.c in favor of the upstream FOREIGNDEFS. * Add LOGIN_KEEP_USERNAME to login.defs. * Remove PREVENT_NO_AUTH from login.defs. Only used by the unpackaged login and su. - shadow-login_defs-unused-by-pam.patch: * Remove variables BCRYPT_MIN_ROUNDS, BCRYPT_MAX_ROUNDS, YESCRYPT_COST_FACTOR, not supported by the current configuratiton. - Update login_defs-support-for-pam symbol to version 1.5.2 (support for new variable HMAC_CRYPTO_ALGO). - Update login_defs-support-for-util-linux to version 2.37 (support for new variable LOGIN_KEEP_USERNAME). - Refresh shadow-login_defs-comments.patch and shadow-login_defs-suse.patch. - Improve shadow-login_defs-check.sh: * Add helper to import local new version in the parent dir. * Fix spec editing sed expression. * Add PREVENT_NO_AUTH to known unused variables. * Update pam sed expression to find HMAC_CRYPTO_ALGO. * Add more sanity checks. OBS-URL: https://build.opensuse.org/request/show/931937 OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=114
This commit is contained in:
parent
c9c98a79f2
commit
2204667d89
@ -20,7 +20,18 @@ which osc >/dev/null
|
||||
# Extract list of referenced variables.
|
||||
if ! test -f openSUSE:Factory/util-linux/BUILD/*/configure.ac ; then
|
||||
echo "Checking out util-linux..."
|
||||
osc co openSUSE:Factory util-linux
|
||||
if test -d ../util-linux ; then
|
||||
echo -n "../util-linux found. Are you preparing new version? (y/N) "
|
||||
read
|
||||
if test "${REPLY:0:1}" = "y" ; then
|
||||
mkdir -p openSUSE:Factory
|
||||
cp -a ../util-linux openSUSE:Factory/
|
||||
else
|
||||
osc co openSUSE:Factory util-linux
|
||||
fi
|
||||
else
|
||||
osc co openSUSE:Factory util-linux
|
||||
fi
|
||||
cd openSUSE:Factory/util-linux
|
||||
quilt setup -d BUILD util-linux.spec
|
||||
cd BUILD/*
|
||||
@ -43,7 +54,18 @@ cd ../../../..
|
||||
# Extract list of referenced variables.
|
||||
if ! test -f openSUSE:Factory/pam/BUILD/*/configure.ac ; then
|
||||
echo "Checking out pam..."
|
||||
osc co openSUSE:Factory pam
|
||||
if test -d ../pam ; then
|
||||
echo -n "../pam found. Are you preparing new version? (y/N) "
|
||||
read
|
||||
if test "${REPLY:0:1}" = "y" ; then
|
||||
mkdir -p openSUSE:Factory
|
||||
cp -a ../pam openSUSE:Factory/
|
||||
else
|
||||
osc co openSUSE:Factory pam
|
||||
fi
|
||||
else
|
||||
osc co openSUSE:Factory pam
|
||||
fi
|
||||
cd openSUSE:Factory/pam
|
||||
quilt setup -d BUILD pam.spec
|
||||
cd BUILD/*
|
||||
@ -54,7 +76,7 @@ fi
|
||||
echo "Extracting variables from pam..."
|
||||
cd openSUSE:Factory/pam/BUILD/*
|
||||
grep -rh LOGIN_DEFS . |
|
||||
sed -n 's/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' |
|
||||
sed -n 's/CRYPTO_KEY/\"HMAC_CRYPTO_ALGO\"/g;s/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' |
|
||||
LC_ALL=C sort -u >../../../../shadow-login_defs-check-pam.lst
|
||||
cd ../../../..
|
||||
|
||||
@ -66,12 +88,24 @@ if ! test -f shadow-login_defs-check-build/stamp ; then
|
||||
# In case of shadow, variables extraction is more complicated. The list
|
||||
# depends on configure options, so we have to perform a fake build and
|
||||
# extract variables from prepreocessed sources.
|
||||
sed -i '/^%make_build/i\_smp_mpflags="%{?_smp_mpflags} -k CPPFLAGS=\\"-E\\""' shadow.spec
|
||||
# sed -i '/^%make_build/i\_smp_mpflags="%{?_smp_mpflags} -k CPPFLAGS=\\"-E\\""' shadow.spec
|
||||
sed -i 's/^%make_build/%make_build -k CPPFLAGS=\\"-E\\"/' shadow.spec
|
||||
if cmp -s shadow.spec shadow.spec.shadow-login_defs-check-save ; then
|
||||
echo "$0: Please fix sed expression modifying shadow.spec."
|
||||
mv shadow.spec.shadow-login_defs-check-save shadow.spec
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
osc build "$@" || :
|
||||
echo "This build command was expected to fail."
|
||||
echo ""
|
||||
if osc build "$@" ; then
|
||||
echo "This build command was expected to fail, but it succeeded."
|
||||
echo "$0: Please fix sed expression modifying shadow.spec."
|
||||
mv shadow.spec.shadow-login_defs-check-save shadow.spec
|
||||
exit 1
|
||||
else
|
||||
echo "This build command was expected to fail."
|
||||
echo ""
|
||||
fi
|
||||
mv shadow.spec.shadow-login_defs-check-save shadow.spec
|
||||
|
||||
BUILD_ROOT=$(osc lbl | sed -n 's/^.*Using BUILD_ROOT=//p')
|
||||
@ -167,6 +201,8 @@ function falsematch() {
|
||||
FTMP_FILE ) return 0 ;;
|
||||
# ISSUE_FILE used by library call login_prompt() used only by login.c that is deleted in the spec.
|
||||
ISSUE_FILE ) return 0 ;;
|
||||
# PREVENT_NO_AUTH us used only by login.c and su.c that are deleted in the spec.
|
||||
PREVENT_NO_AUTH ) return 0 ;;
|
||||
* ) return 1 ;;
|
||||
esac
|
||||
}
|
||||
@ -242,7 +278,7 @@ echo "Change in shadow.spec:"
|
||||
sed -n 's/^Version:[[:space:]]*/Provides: login_defs-support-for-util-linux = /p' <openSUSE\:Factory/util-linux/util-linux.spec
|
||||
|
||||
echo "
|
||||
If you ported encryption_method_nis.patch to the new pam version,
|
||||
If you ported shadow-login_defs-unused-by-pam.patch to the new pam version,
|
||||
please submit these updates:
|
||||
Change in pam.spec:"
|
||||
sed -n 's/^Version:[[:space:]]*/Requires: login_defs-support-for-pam >= /p' <openSUSE\:Factory/pam/pam.spec
|
||||
|
@ -13,38 +13,6 @@ Index: etc/login.defs
|
||||
|
||||
#
|
||||
# Delay in seconds before being allowed another attempt after a login failure
|
||||
@@ -23,15 +21,6 @@ LOG_UNKFAIL_ENAB no
|
||||
#
|
||||
|
||||
#
|
||||
-# Limit the highest user ID number for which the lastlog entries should
|
||||
-# be updated.
|
||||
-#
|
||||
-# No LASTLOG_UID_MAX means that there is no user ID limit for writing
|
||||
-# lastlog entries.
|
||||
-#
|
||||
-#LASTLOG_UID_MAX
|
||||
-
|
||||
-#
|
||||
# Enable "syslog" logging of newgrp(1) and sg(1) activity - in addition
|
||||
# to sulog file logging.
|
||||
#
|
||||
@@ -46,6 +35,15 @@ CONSOLE /etc/securetty
|
||||
#CONSOLE console:tty01:tty02:tty03:tty04
|
||||
|
||||
#
|
||||
+# Limit the highest user ID number for which the lastlog entries should
|
||||
+# be updated.
|
||||
+#
|
||||
+# No LASTLOG_UID_MAX means that there is no user ID limit for writing
|
||||
+# lastlog entries.
|
||||
+#
|
||||
+#LASTLOG_UID_MAX
|
||||
+
|
||||
+#
|
||||
# If defined, all su(1) activity is logged to this file.
|
||||
#
|
||||
#SULOG_FILE /var/log/sulog
|
||||
@@ -99,11 +97,14 @@ ENV_PATH /bin:/usr/bin
|
||||
ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin
|
||||
#ENV_SUPATH /sbin:/bin:/usr/sbin:/usr/bin
|
||||
@ -86,7 +54,7 @@ Index: etc/login.defs
|
||||
GID_MIN 1000
|
||||
GID_MAX 60000
|
||||
# System accounts
|
||||
@@ -190,7 +201,6 @@ LOGIN_TIMEOUT 60
|
||||
@@ -196,7 +207,6 @@ LOGIN_TIMEOUT 60
|
||||
CHFN_RESTRICT rwh
|
||||
|
||||
#
|
||||
@ -94,7 +62,7 @@ Index: etc/login.defs
|
||||
# If set to "yes", new passwords will be encrypted using the MD5-based
|
||||
# algorithm compatible with the one used by recent releases of FreeBSD.
|
||||
# It supports passwords of unlimited length and longer salt strings.
|
||||
@@ -205,7 +215,6 @@ CHFN_RESTRICT rwh
|
||||
@@ -211,7 +221,6 @@ CHFN_RESTRICT rwh
|
||||
#MD5_CRYPT_ENAB no
|
||||
|
||||
#
|
||||
|
@ -67,7 +67,7 @@ Index: etc/login.defs
|
||||
|
||||
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
|
||||
# Default "umask" value for pam_umask(8) on PAM enabled systems.
|
||||
@@ -125,7 +128,7 @@
|
||||
@@ -133,7 +136,7 @@ UMASK 022
|
||||
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
|
||||
# home directories.
|
||||
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
|
||||
@ -106,8 +106,8 @@ Index: etc/login.defs
|
||||
+LOGIN_RETRIES 3
|
||||
|
||||
#
|
||||
# Max time in seconds for login(1)
|
||||
@@ -201,18 +204,9 @@ LOGIN_TIMEOUT 60
|
||||
# Tell login to only re-prompt for the password if authentication
|
||||
@@ -207,18 +210,9 @@ LOGIN_TIMEOUT 60
|
||||
CHFN_RESTRICT rwh
|
||||
|
||||
#
|
||||
@ -128,7 +128,7 @@ Index: etc/login.defs
|
||||
|
||||
#
|
||||
# If set to MD5, MD5-based algorithm will be used for encrypting password
|
||||
@@ -227,7 +221,7 @@ CHFN_RESTRICT rwh
|
||||
@@ -233,7 +227,7 @@ CHFN_RESTRICT rwh
|
||||
# Note: If you use PAM, it is recommended to use a value consistent with
|
||||
# the PAM modules configuration.
|
||||
#
|
||||
@ -137,7 +137,7 @@ Index: etc/login.defs
|
||||
|
||||
#
|
||||
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
|
||||
@@ -325,7 +319,7 @@ USERDEL_POSTCMD /usr/sbin/userde
|
||||
@@ -303,7 +297,7 @@ USERDEL_POSTCMD /usr/sbin/userde
|
||||
#
|
||||
# This also enables userdel(8) to remove user groups if no members exist.
|
||||
#
|
||||
@ -146,7 +146,7 @@ Index: etc/login.defs
|
||||
|
||||
#
|
||||
# If set to a non-zero number, the shadow utilities will make sure that
|
||||
@@ -344,7 +338,7 @@ USERGROUPS_ENAB yes
|
||||
@@ -322,7 +316,7 @@ USERGROUPS_ENAB yes
|
||||
# This option is overridden with the -M or -m flags on the useradd(8)
|
||||
# command-line.
|
||||
#
|
||||
@ -155,4 +155,3 @@ Index: etc/login.defs
|
||||
|
||||
#
|
||||
# Force use shadow, even if shadow passwd & shadow group files are
|
||||
|
||||
|
@ -1,6 +1,9 @@
|
||||
Remove variables that are present in login.defs, but shadow with the
|
||||
current configuration (e. g. with PAM) does not use them.
|
||||
|
||||
It also includes variables used by the current configuration, but deleted
|
||||
in the spec file.
|
||||
|
||||
shadow-login_defs-unused-check.sh makes possible to verify that it is
|
||||
still up to date.
|
||||
|
||||
@ -221,10 +224,38 @@ Index: etc/login.defs
|
||||
# Only works if compiled with MD5_CRYPT defined:
|
||||
# If set to "yes", new passwords will be encrypted using the MD5-based
|
||||
# algorithm compatible with the one used by recent releases of FreeBSD.
|
||||
@@ -382,17 +252,6 @@ CHFN_RESTRICT rwh
|
||||
#YESCRYPT_COST_FACTOR 5
|
||||
@@ -354,45 +224,6 @@ CHFN_RESTRICT rwh
|
||||
#SHA_CRYPT_MAX_ROUNDS 5000
|
||||
|
||||
#
|
||||
-# Only works if ENCRYPT_METHOD is set to BCRYPT.
|
||||
-#
|
||||
-# Define the number of BCRYPT rounds.
|
||||
-# With a lot of rounds, it is more difficult to brute-force the password.
|
||||
-# However, more CPU resources will be needed to authenticate users if
|
||||
-# this value is increased.
|
||||
-#
|
||||
-# If not specified, 13 rounds will be attempted.
|
||||
-# If only one of the MIN or MAX values is set, then this value will be used.
|
||||
-# If MIN > MAX, the highest value will be used.
|
||||
-#
|
||||
-#BCRYPT_MIN_ROUNDS 13
|
||||
-#BCRYPT_MAX_ROUNDS 13
|
||||
-
|
||||
-#
|
||||
-# Only works if ENCRYPT_METHOD is set to YESCRYPT.
|
||||
-#
|
||||
-# Define the YESCRYPT cost factor.
|
||||
-# With a higher cost factor, it is more difficult to brute-force the password.
|
||||
-# However, more CPU time and more memory will be needed to authenticate users
|
||||
-# if this value is increased.
|
||||
-#
|
||||
-# If not specified, a cost factor of 5 will be used.
|
||||
-# The value must be within the 1-11 range.
|
||||
-#
|
||||
-#YESCRYPT_COST_FACTOR 5
|
||||
-
|
||||
-#
|
||||
-# List of groups to add to the user's supplementary group set
|
||||
-# when logging in from the console (as determined by the CONSOLE
|
||||
-# setting). Default is none.
|
||||
@ -239,7 +270,7 @@ Index: etc/login.defs
|
||||
# Should login be allowed if we can't cd to the home directory?
|
||||
# Default is no.
|
||||
#
|
||||
@@ -407,12 +266,6 @@ DEFAULT_HOME yes
|
||||
@@ -407,12 +238,6 @@ DEFAULT_HOME yes
|
||||
NONEXISTENT /nonexistent
|
||||
|
||||
#
|
||||
|
@ -109,39 +109,32 @@ Index: etc/login.defs
|
||||
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
|
||||
# Default "umask" value for pam_umask(8) on PAM enabled systems.
|
||||
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
|
||||
Index: lib/getdef.c
|
||||
===================================================================
|
||||
--- lib/getdef.c.orig
|
||||
+++ lib/getdef.c
|
||||
@@ -67,6 +67,7 @@ struct itemdef {
|
||||
{"LOGIN_STRING", NULL}, \
|
||||
{"MAIL_CHECK_ENAB", NULL}, \
|
||||
{"MOTD_FILE", NULL}, \
|
||||
+ {"MOTD_FIRSTONLY", NULL}, \
|
||||
{"NOLOGINS_FILE", NULL}, \
|
||||
{"OBSCURE_CHECKS_ENAB", NULL}, \
|
||||
{"PASS_ALWAYS_WARN", NULL}, \
|
||||
@@ -91,6 +92,7 @@ struct itemdef {
|
||||
@@ -163,6 +177,12 @@ SUB_GID_COUNT 65536
|
||||
LOGIN_RETRIES 5
|
||||
|
||||
#define NUMDEFS (sizeof(def_table)/sizeof(def_table[0]))
|
||||
static struct itemdef def_table[] = {
|
||||
+ {"ALWAYS_SET_PATH", NULL},
|
||||
{"CHARACTER_CLASS", NULL},
|
||||
{"CHFN_RESTRICT", NULL},
|
||||
{"CONSOLE_GROUPS", NULL},
|
||||
@@ -99,6 +101,7 @@ static struct itemdef def_table[] = {
|
||||
{"DEFAULT_HOME", NULL},
|
||||
{"ENCRYPT_METHOD", NULL},
|
||||
{"ENV_PATH", NULL},
|
||||
+ {"ENV_ROOTPATH", NULL},
|
||||
{"ENV_SUPATH", NULL},
|
||||
{"ERASECHAR", NULL},
|
||||
{"FAIL_DELAY", NULL},
|
||||
@@ -110,6 +113,7 @@ static struct itemdef def_table[] = {
|
||||
{"KILLCHAR", NULL},
|
||||
{"LASTLOG_UID_MAX", NULL},
|
||||
{"LOGIN_RETRIES", NULL},
|
||||
+ {"LOGIN_PLAIN_PROMPT", NULL},
|
||||
{"LOGIN_TIMEOUT", NULL},
|
||||
{"LOG_OK_LOGINS", NULL},
|
||||
{"LOG_UNKFAIL_ENAB", NULL},
|
||||
#
|
||||
+# Tell login to only re-prompt for the password if authentication
|
||||
+# failed, but the username is valid. The default value is no.
|
||||
+#
|
||||
+LOGIN_KEEP_USERNAME no
|
||||
+
|
||||
+#
|
||||
# Max time in seconds for login(1)
|
||||
#
|
||||
LOGIN_TIMEOUT 60
|
||||
@@ -315,15 +335,6 @@ CHARACTER_CLASS [ABCDEFGHIJKLMNO
|
||||
#GRANT_AUX_GROUP_SUBIDS yes
|
||||
|
||||
#
|
||||
-# Prevents an empty password field to be interpreted as "no authentication
|
||||
-# required".
|
||||
-# Set to "yes" to prevent for all accounts
|
||||
-# Set to "superuser" to prevent for UID 0 / root (default)
|
||||
-# Set to "no" to not prevent for any account (dangerous, historical default)
|
||||
-
|
||||
-PREVENT_NO_AUTH superuser
|
||||
-
|
||||
-#
|
||||
# Select the HMAC cryptography algorithm.
|
||||
# Used in pam_timestamp module to calculate the keyed-hash message
|
||||
# authentication code.
|
||||
|
@ -1,3 +1,29 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Nov 9 01:39:44 UTC 2021 - Stanislav Brabec <sbrabec@suse.com>
|
||||
|
||||
- shadow-util-linux.patch:
|
||||
* Remove the section patching lib/getdef.c in favor of the
|
||||
upstream FOREIGNDEFS.
|
||||
* Add LOGIN_KEEP_USERNAME to login.defs.
|
||||
* Remove PREVENT_NO_AUTH from login.defs. Only used by the
|
||||
unpackaged login and su.
|
||||
- shadow-login_defs-unused-by-pam.patch:
|
||||
* Remove variables BCRYPT_MIN_ROUNDS, BCRYPT_MAX_ROUNDS,
|
||||
YESCRYPT_COST_FACTOR, not supported by the current
|
||||
configuratiton.
|
||||
- Update login_defs-support-for-pam symbol to version 1.5.2
|
||||
(support for new variable HMAC_CRYPTO_ALGO).
|
||||
- Update login_defs-support-for-util-linux to version 2.37
|
||||
(support for new variable LOGIN_KEEP_USERNAME).
|
||||
- Refresh shadow-login_defs-comments.patch and
|
||||
shadow-login_defs-suse.patch.
|
||||
- Improve shadow-login_defs-check.sh:
|
||||
* Add helper to import local new version in the parent dir.
|
||||
* Fix spec editing sed expression.
|
||||
* Add PREVENT_NO_AUTH to known unused variables.
|
||||
* Update pam sed expression to find HMAC_CRYPTO_ALGO.
|
||||
* Add more sanity checks.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Sep 20 09:43:41 UTC 2021 - Michael Vetter <mvetter@suse.com>
|
||||
|
||||
|
@ -107,8 +107,8 @@ Summary: The login.defs configuration file
|
||||
# encryption_method_nis.patch has to be ported!
|
||||
# Call shadow-login_defs-check.sh before!
|
||||
Group: System/Base
|
||||
Provides: login_defs-support-for-pam = 1.3.1
|
||||
Provides: login_defs-support-for-util-linux = 2.36
|
||||
Provides: login_defs-support-for-pam = 1.5.2
|
||||
Provides: login_defs-support-for-util-linux = 2.37
|
||||
BuildArch: noarch
|
||||
|
||||
%description -n login_defs
|
||||
|
Loading…
Reference in New Issue
Block a user