Accepting request 931937 from home:sbrabec:branches:Base:System

- shadow-util-linux.patch: * Remove the section patching lib/getdef.c in favor of the upstream FOREIGNDEFS. * Add LOGIN_KEEP_USERNAME to login.defs. * Remove PREVENT_NO_AUTH from login.defs. Only used by the unpackaged login and su. - shadow-login_defs-unused-by-pam.patch: * Remove variables BCRYPT_MIN_ROUNDS, BCRYPT_MAX_ROUNDS, YESCRYPT_COST_FACTOR, not supported by the current configuratiton. - Update login_defs-support-for-pam symbol to version 1.5.2 (support for new variable HMAC_CRYPTO_ALGO). - Update login_defs-support-for-util-linux to version 2.37 (support for new variable LOGIN_KEEP_USERNAME). - Refresh shadow-login_defs-comments.patch and shadow-login_defs-suse.patch. - Improve shadow-login_defs-check.sh: * Add helper to import local new version in the parent dir. * Fix spec editing sed expression. * Add PREVENT_NO_AUTH to known unused variables. * Update pam sed expression to find HMAC_CRYPTO_ALGO. * Add more sanity checks. OBS-URL: https://build.opensuse.org/request/show/931937 OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=114
2021-11-17 16:18:12 +00:00 · 2021-11-17 16:18:12 +00:00 · 2204667d89
commit 2204667d89
parent c9c98a79f2
7 changed files with 142 additions and 89 deletions
--- a/shadow-login_defs-check.sh
+++ b/shadow-login_defs-check.sh
@ -20,7 +20,18 @@ which osc >/dev/null
 # Extract list of referenced variables.
 if ! test -f openSUSE:Factory/util-linux/BUILD/*/configure.ac ; then
 	echo "Checking out util-linux..."
+	if test -d ../util-linux ; then
+		echo -n "../util-linux found. Are you preparing new version? (y/N) "
+		read
+		if test "${REPLY:0:1}" = "y" ; then
+		mkdir -p openSUSE:Factory
+			cp -a ../util-linux openSUSE:Factory/
+		else
 			osc co openSUSE:Factory util-linux
+		fi
+	else
+		osc co openSUSE:Factory util-linux
+	fi
 	cd openSUSE:Factory/util-linux
 	quilt setup -d BUILD util-linux.spec
 	cd BUILD/*
@ -43,7 +54,18 @@ cd ../../../..
 # Extract list of referenced variables.
 if ! test -f openSUSE:Factory/pam/BUILD/*/configure.ac ; then
 	echo "Checking out pam..."
+	if test -d ../pam ; then
+		echo -n "../pam found. Are you preparing new version? (y/N) "
+		read
+		if test "${REPLY:0:1}" = "y" ; then
+		mkdir -p openSUSE:Factory
+			cp -a ../pam openSUSE:Factory/
+		else
 			osc co openSUSE:Factory pam
+		fi
+	else
+		osc co openSUSE:Factory pam
+	fi
 	cd openSUSE:Factory/pam
 	quilt setup -d BUILD pam.spec
 	cd BUILD/*
@ -54,7 +76,7 @@ fi
 echo "Extracting variables from pam..."
 cd openSUSE:Factory/pam/BUILD/*
 grep -rh LOGIN_DEFS . |
-	sed -n 's/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' |
+	sed -n 's/CRYPTO_KEY/\"HMAC_CRYPTO_ALGO\"/g;s/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' |
 	LC_ALL=C sort -u >../../../../shadow-login_defs-check-pam.lst
 cd ../../../..

@ -66,12 +88,24 @@ if ! test -f shadow-login_defs-check-build/stamp ; then
 # In case of shadow, variables extraction is more complicated. The list
 # depends on configure options, so we have to perform a fake build and
 # extract variables from prepreocessed sources.
-        sed -i '/^%make_build/i\_smp_mpflags="%{?_smp_mpflags} -k CPPFLAGS=\\"-E\\""' shadow.spec
+#		sed -i '/^%make_build/i\_smp_mpflags="%{?_smp_mpflags} -k CPPFLAGS=\\"-E\\""' shadow.spec
+		sed -i 's/^%make_build/%make_build -k CPPFLAGS=\\"-E\\"/' shadow.spec
+		if cmp -s shadow.spec shadow.spec.shadow-login_defs-check-save ; then
+			echo "$0: Please fix sed expression modifying shadow.spec."
+			mv shadow.spec.shadow-login_defs-check-save shadow.spec
+			exit 1
+		fi
 	fi

-	osc build "$@" || :
+	if osc build "$@" ; then
+		echo "This build command was expected to fail, but it succeeded."
+		echo "$0: Please fix sed expression modifying shadow.spec."
+		mv shadow.spec.shadow-login_defs-check-save shadow.spec
+		exit 1
+	else
 		echo "This build command was expected to fail."
 		echo ""
+	fi
 	mv shadow.spec.shadow-login_defs-check-save shadow.spec

 	BUILD_ROOT=$(osc lbl | sed -n 's/^.*Using BUILD_ROOT=//p')
@ -167,6 +201,8 @@ function falsematch() {
 	FTMP_FILE ) return 0 ;;
 # ISSUE_FILE used by library call login_prompt() used only by login.c that is deleted in the spec.
 	ISSUE_FILE ) return 0 ;;
+# PREVENT_NO_AUTH us used only by login.c and su.c that are deleted in the spec.
+	PREVENT_NO_AUTH ) return 0 ;;
 	* ) return 1 ;;
 	esac
 }
@ -242,7 +278,7 @@ echo "Change in shadow.spec:"
 sed -n 's/^Version:[[:space:]]*/Provides:       login_defs-support-for-util-linux = /p' <openSUSE\:Factory/util-linux/util-linux.spec

 echo "
-If you ported encryption_method_nis.patch to the new pam version,
+If you ported shadow-login_defs-unused-by-pam.patch to the new pam version,
 please submit these updates:
 Change in pam.spec:"
 sed -n 's/^Version:[[:space:]]*/Requires:       login_defs-support-for-pam >= /p' <openSUSE\:Factory/pam/pam.spec
--- a/shadow-login_defs-comments.patch
+++ b/shadow-login_defs-comments.patch
@ -13,38 +13,6 @@ Index: etc/login.defs
 
 #
 # Delay in seconds before being allowed another attempt after a login failure
-@@ -23,15 +21,6 @@ LOG_UNKFAIL_ENAB	no
- #
- 
- #
-# Limit the highest user ID number for which the lastlog entries should
-# be updated.
-#
-# No LASTLOG_UID_MAX means that there is no user ID limit for writing
-# lastlog entries.
-#
-#LASTLOG_UID_MAX
-
-#
- # Enable "syslog" logging of newgrp(1) and sg(1) activity - in addition
- # to sulog file logging.
- #
-@@ -46,6 +35,15 @@ CONSOLE		/etc/securetty
- #CONSOLE	console:tty01:tty02:tty03:tty04
- 
- #
-+# Limit the highest user ID number for which the lastlog entries should
-+# be updated.
-+#
-+# No LASTLOG_UID_MAX means that there is no user ID limit for writing
-+# lastlog entries.
-+#
-+#LASTLOG_UID_MAX
-+
-+#
- # If defined, all su(1) activity is logged to this file.
- #
- #SULOG_FILE	/var/log/sulog
@@ -99,11 +97,14 @@ ENV_PATH	/bin:/usr/bin
 ENV_ROOTPATH	/sbin:/bin:/usr/sbin:/usr/bin
 #ENV_SUPATH	/sbin:/bin:/usr/sbin:/usr/bin
@ -86,7 +54,7 @@ Index: etc/login.defs
 GID_MIN			 1000
 GID_MAX			60000
 # System accounts
-@@ -190,7 +201,6 @@ LOGIN_TIMEOUT		60
+@@ -196,7 +207,6 @@ LOGIN_TIMEOUT		60
 CHFN_RESTRICT		rwh
 
 #
@ -94,7 +62,7 @@ Index: etc/login.defs
 # If set to "yes", new passwords will be encrypted using the MD5-based
 # algorithm compatible with the one used by recent releases of FreeBSD.
 # It supports passwords of unlimited length and longer salt strings.
-@@ -205,7 +215,6 @@ CHFN_RESTRICT		rwh
+@@ -211,7 +221,6 @@ CHFN_RESTRICT		rwh
 #MD5_CRYPT_ENAB	no
 
 #
--- a/shadow-login_defs-suse.patch
+++ b/shadow-login_defs-suse.patch
@ -67,7 +67,7 @@ Index: etc/login.defs
 
 # Default initial "umask" value used by login(1) on non-PAM enabled systems.
 # Default "umask" value for pam_umask(8) on PAM enabled systems.
-@@ -125,7 +128,7 @@
+@@ -133,7 +136,7 @@ UMASK		022
 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
 # home directories.
 # If HOME_MODE is not set, the value of UMASK is used to create the mode.
@ -106,8 +106,8 @@ Index: etc/login.defs
 +LOGIN_RETRIES		3
 
 #
- # Max time in seconds for login(1)
-@@ -201,18 +204,9 @@ LOGIN_TIMEOUT		60
+ # Tell login to only re-prompt for the password if authentication
+@@ -207,18 +210,9 @@ LOGIN_TIMEOUT		60
 CHFN_RESTRICT		rwh
 
 #
@ -128,7 +128,7 @@ Index: etc/login.defs
 
 #
 # If set to MD5, MD5-based algorithm will be used for encrypting password
-@@ -227,7 +221,7 @@ CHFN_RESTRICT		rwh
+@@ -233,7 +227,7 @@ CHFN_RESTRICT		rwh
 # Note: If you use PAM, it is recommended to use a value consistent with
 # the PAM modules configuration.
 #
@ -137,7 +137,7 @@ Index: etc/login.defs
 
 #
 # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
-@@ -325,7 +319,7 @@ USERDEL_POSTCMD         /usr/sbin/userde
+@@ -303,7 +297,7 @@ USERDEL_POSTCMD         /usr/sbin/userde
 #
 # This also enables userdel(8) to remove user groups if no members exist.
 #
@ -146,7 +146,7 @@ Index: etc/login.defs
 
 #
 # If set to a non-zero number, the shadow utilities will make sure that
-@@ -344,7 +338,7 @@ USERGROUPS_ENAB yes
+@@ -322,7 +316,7 @@ USERGROUPS_ENAB yes
 # This option is overridden with the -M or -m flags on the useradd(8)
 # command-line.
 #
@ -155,4 +155,3 @@ Index: etc/login.defs
 
 #
 # Force use shadow, even if shadow passwd & shadow group files are
-
--- a/shadow-login_defs-unused-by-pam.patch
+++ b/shadow-login_defs-unused-by-pam.patch
@ -1,6 +1,9 @@
 Remove variables that are present in login.defs, but shadow with the
 current configuration (e. g. with PAM) does not use them.

+It also includes variables used by the current configuration, but deleted
+in the spec file.
+
 shadow-login_defs-unused-check.sh makes possible to verify that it is
 still up to date.

@ -221,10 +224,38 @@ Index: etc/login.defs
 # Only works if compiled with MD5_CRYPT defined:
 # If set to "yes", new passwords will be encrypted using the MD5-based
 # algorithm compatible with the one used by recent releases of FreeBSD.
-@@ -382,17 +252,6 @@ CHFN_RESTRICT		rwh
- #YESCRYPT_COST_FACTOR 5
+@@ -354,45 +224,6 @@ CHFN_RESTRICT		rwh
+ #SHA_CRYPT_MAX_ROUNDS 5000
 
 #
+-# Only works if ENCRYPT_METHOD is set to BCRYPT.
+-#
+-# Define the number of BCRYPT rounds.
+-# With a lot of rounds, it is more difficult to brute-force the password.
+-# However, more CPU resources will be needed to authenticate users if
+-# this value is increased.
+-#
+-# If not specified, 13 rounds will be attempted.
+-# If only one of the MIN or MAX values is set, then this value will be used.
+-# If MIN > MAX, the highest value will be used.
+-#
+-#BCRYPT_MIN_ROUNDS 13
+-#BCRYPT_MAX_ROUNDS 13
+-
+-#
+-# Only works if ENCRYPT_METHOD is set to YESCRYPT.
+-#
+-# Define the YESCRYPT cost factor.
+-# With a higher cost factor, it is more difficult to brute-force the password.
+-# However, more CPU time and more memory will be needed to authenticate users
+-# if this value is increased.
+-#
+-# If not specified, a cost factor of 5 will be used.
+-# The value must be within the 1-11 range.
+-#
+-#YESCRYPT_COST_FACTOR 5
+-
+-#
 -# List of groups to add to the user's supplementary group set
 -# when logging in from the console (as determined by the CONSOLE
 -# setting).  Default is none.
@ -239,7 +270,7 @@ Index: etc/login.defs
 # Should login be allowed if we can't cd to the home directory?
 # Default is no.
 #
-@@ -407,12 +266,6 @@ DEFAULT_HOME	yes
+@@ -407,12 +238,6 @@ DEFAULT_HOME	yes
 NONEXISTENT	/nonexistent
 
 #
--- a/shadow-util-linux.patch
+++ b/shadow-util-linux.patch
@ -109,39 +109,32 @@ Index: etc/login.defs
 # Default initial "umask" value used by login(1) on non-PAM enabled systems.
 # Default "umask" value for pam_umask(8) on PAM enabled systems.
 # UMASK is also used by useradd(8) and newusers(8) to set the mode for new
-Index: lib/getdef.c
-===================================================================
--- lib/getdef.c.orig
-+++ lib/getdef.c
-@@ -67,6 +67,7 @@ struct itemdef {
- 	{"LOGIN_STRING", NULL},			\
- 	{"MAIL_CHECK_ENAB", NULL},		\
- 	{"MOTD_FILE", NULL},			\
-+	{"MOTD_FIRSTONLY", NULL},		\
- 	{"NOLOGINS_FILE", NULL},		\
- 	{"OBSCURE_CHECKS_ENAB", NULL},		\
- 	{"PASS_ALWAYS_WARN", NULL},		\
-@@ -91,6 +92,7 @@ struct itemdef {
+@@ -163,6 +177,12 @@ SUB_GID_COUNT		    65536
+ LOGIN_RETRIES		5
 
- #define NUMDEFS	(sizeof(def_table)/sizeof(def_table[0]))
- static struct itemdef def_table[] = {
-+	{"ALWAYS_SET_PATH", NULL},
- 	{"CHARACTER_CLASS", NULL},
- 	{"CHFN_RESTRICT", NULL},
- 	{"CONSOLE_GROUPS", NULL},
-@@ -99,6 +101,7 @@ static struct itemdef def_table[] = {
- 	{"DEFAULT_HOME", NULL},
- 	{"ENCRYPT_METHOD", NULL},
- 	{"ENV_PATH", NULL},
-+	{"ENV_ROOTPATH", NULL},
- 	{"ENV_SUPATH", NULL},
- 	{"ERASECHAR", NULL},
- 	{"FAIL_DELAY", NULL},
-@@ -110,6 +113,7 @@ static struct itemdef def_table[] = {
- 	{"KILLCHAR", NULL},
- 	{"LASTLOG_UID_MAX", NULL},
- 	{"LOGIN_RETRIES", NULL},
-+	{"LOGIN_PLAIN_PROMPT", NULL},
- 	{"LOGIN_TIMEOUT", NULL},
- 	{"LOG_OK_LOGINS", NULL},
- 	{"LOG_UNKFAIL_ENAB", NULL},
+ #
+# Tell login to only re-prompt for the password if authentication
+# failed, but the username is valid. The default value is no.
+#
+LOGIN_KEEP_USERNAME	no
+
+#
+ # Max time in seconds for login(1)
+ #
+ LOGIN_TIMEOUT		60
+@@ -315,15 +335,6 @@ CHARACTER_CLASS         [ABCDEFGHIJKLMNO
+ #GRANT_AUX_GROUP_SUBIDS yes
+ 
+ #
+-# Prevents an empty password field to be interpreted as "no authentication
+-# required".
+-# Set to "yes" to prevent for all accounts
+-# Set to "superuser" to prevent for UID 0 / root (default)
+-# Set to "no" to not prevent for any account (dangerous, historical default)
+-
+-PREVENT_NO_AUTH superuser
+-
+-#
+ # Select the HMAC cryptography algorithm.
+ # Used in pam_timestamp module to calculate the keyed-hash message
+ # authentication code.
--- a/shadow.changes
+++ b/shadow.changes
@ -1,3 +1,29 @@
+-------------------------------------------------------------------
+Tue Nov  9 01:39:44 UTC 2021 - Stanislav Brabec <sbrabec@suse.com>
+
+- shadow-util-linux.patch:
+  * Remove the section patching lib/getdef.c in favor of the
+    upstream FOREIGNDEFS.
+  * Add LOGIN_KEEP_USERNAME to login.defs.
+  * Remove PREVENT_NO_AUTH from login.defs. Only used by the
+    unpackaged login and su.
+- shadow-login_defs-unused-by-pam.patch:
+  * Remove variables BCRYPT_MIN_ROUNDS, BCRYPT_MAX_ROUNDS,
+    YESCRYPT_COST_FACTOR, not supported by the current
+    configuratiton.
+- Update login_defs-support-for-pam symbol to version 1.5.2
+  (support for new variable HMAC_CRYPTO_ALGO).
+- Update login_defs-support-for-util-linux to version 2.37
+  (support for new variable LOGIN_KEEP_USERNAME).
+- Refresh shadow-login_defs-comments.patch and
+  shadow-login_defs-suse.patch.
+- Improve shadow-login_defs-check.sh:
+  * Add helper to import local new version in the parent dir.
+  * Fix spec editing sed expression.
+  * Add PREVENT_NO_AUTH to known unused variables.
+  * Update pam sed expression to find HMAC_CRYPTO_ALGO.
+  * Add more sanity checks.
+
 -------------------------------------------------------------------
 Mon Sep 20 09:43:41 UTC 2021 - Michael Vetter <mvetter@suse.com>

--- a/shadow.spec
+++ b/shadow.spec
@ -107,8 +107,8 @@ Summary:        The login.defs configuration file
 # encryption_method_nis.patch has to be ported!
 # Call shadow-login_defs-check.sh before!
 Group:          System/Base
-Provides:       login_defs-support-for-pam = 1.3.1
-Provides:       login_defs-support-for-util-linux = 2.36
+Provides:       login_defs-support-for-pam = 1.5.2
+Provides:       login_defs-support-for-util-linux = 2.37
 BuildArch:      noarch

 %description -n login_defs