commit 37abeb5bf8ed280e3e5ab0f762db505762e8a72f20a0aadab6b2496117a836ac Author: Thorsten Kukuk Date: Mon Oct 29 15:15:23 2012 +0000 Accepting request 139680 from home:kukuk FATE#314473: Replace pwdutils with shadow utilities OBS-URL: https://build.opensuse.org/request/show/139680 OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=1
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/README.changes-pwdutils b/README.changes-pwdutils
new file mode 100644
index 0000000..ed44744
--- /dev/null
+++ b/README.changes-pwdutils
@@ -0,0 +1,62 @@
+This file lists changes between pwdutils used in the past and
+the shadow utils used now.
+
+General changes:
+================
+- No support to modify LDAP accounts anymore (-D and --service option)
+- No -P/--path option
+- /etc/default/passwd was removed. The configure options are
+ partly available in /etc/login.defs.
+
+/etc/login.defs:
+----------------
+SYSTEM_UID_MIN/SYSTEM_UID_MAX were renamed to SYS_UID_MIN/SYS_UID_MAX
+SYSTEM_GID_MIN/SYSTEM_GID_MAX were renamed to SYS_GID_MIN/SYS_GID_MAX
+
+chfn
+----
+-m/--other has changed to -o/--other
+-o/--office has changed to -r/--room.
+-p/--phone has changed to -w/--work-phone
+
+chpasswd
+--------
+-c blowfish is now longer supported, instead SHA256 and SHA512 were added.
+
+chsh
+----
+-l/--list-shells was removed.
+
+gpasswd
+-------
+-l/-u option are missing
+
+groupadd
+--------
+/usr/sbin/groupadd.local is missing
+--preferred-gid was removed
+
+groupmod
+--------
+-A/--add-user was removed
+-R/--remove-user was removed
+
+passwd
+------
+-f was dropped (use chfn instead)
+-g was dropped (use gpasswd instead)
+-s was dropped (use chsh instead)
+
+useradd
+-------
+-e/--expire has changed to -e/--expiredate (incompatible arguments!)
+-U/--umask was removed, -U has now another meaning
+--preferred-uid was removed
+
+userdel
+-------
+-r/--remove-home was renamed to -r/--remove
+
+usermod
+-------
+-e/--expire has changed to -e/--expiredate (incompatible arguments!)
diff --git a/chkname-regex.diff b/chkname-regex.diff
new file mode 100644
index 0000000..16a12bf
--- /dev/null
+++ b/chkname-regex.diff
@@ -0,0 +1,91 @@
+--- lib/getdef.c
++++ lib/getdef.c 2012/09/26 14:14:15
+@@ -51,6 +51,7 @@
+
+ #define NUMDEFS (sizeof(def_table)/sizeof(def_table[0]))
+ static struct itemdef def_table[] = {
++ {"CHARACTER_CLASS", NULL},
+ {"CHFN_RESTRICT", NULL},
+ {"CONSOLE_GROUPS", NULL},
+ {"CONSOLE", NULL},
+--- libmisc/chkname.c
++++ libmisc/chkname.c 2012/09/27 12:32:18
+@@ -43,31 +43,55 @@
+ #ident "$Id: chkname.c 2828 2009-04-28 19:14:05Z nekral-guest $"
+
+ #include
++#include
+ #include "defines.h"
+ #include "chkname.h"
++#include "getdef.h"
++#include
+
+ static bool is_valid_name (const char *name)
+ {
+- /*
+- * User/group names must match [a-z_][a-z0-9_-]*[$]
+- */
+- if (('\0' == *name) ||
+- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
+- return false;
+- }
++ const char *class;
++ regex_t reg;
++ int result;
++ char *buf;
++
++ /* User/group names must match [A-Za-z_][A-Za-z0-9_-.]*[A-Za-z0-9_-.$]?.
++ This is the POSIX portable character class. The $ at the end is
++ needed for SAMBA. But user can also specify something else in
++ /etc/login.defs.
*/
++ class = getdef_str ("CHARACTER_CLASS");
++ if (!class)
++ class = "[a-z_][a-z0-9_.-]*[a-z0-9_.$-]\\?";
++
++ if (asprintf (&buf, "^%s$", class) < 0)
++ return -1;
++
++ memset (®, 0, sizeof (regex_t));
++ result = regcomp (®, buf, 0);
++ free (buf);
++
++ if (result)
++ {
++ size_t length = regerror (result, ®, NULL, 0);
++ char *buffer = malloc (length);
++ if (buffer == NULL)
++ fputs ("running out of memory!\n", stderr);
++
++ /* else
++ {
++ regerror (result, ®, buffer, length);
++ fprintf (stderr, _("Can't compile regular expression: %s\n"),
++ buffer);
++ } */
+
+- while ('\0' != *++name) {
+- if (!(( ('a' <= *name) && ('z' >= *name) ) ||
+- ( ('0' <= *name) && ('9' >= *name) ) ||
+- ('_' == *name) ||
+- ('-' == *name) ||
+- ( ('$' == *name) && ('\0' == *(name + 1)) )
+- )) {
+- return false;
+- }
+- }
++ return false;
++ }
++
++ if (regexec (®, name, 0, NULL, 0) != 0)
++ return false;
+
+- return true;
++ return true;
+ }
+
+ bool is_valid_user_name (const char *name)
+@@ -96,4 +120,3 @@
+
+ return is_valid_name (name);
+ }
+-
diff --git a/pamd.tar.bz2 b/pamd.tar.bz2
new file mode 100644
index 0000000..8fbae20
--- /dev/null
+++ b/pamd.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:51dc6651d0c5abcc777db007b1dadfb8a5a1f2d7985e3cb93a24de91753eb1b4
+size 577
diff --git a/shadow-4.1.5.1.tar.bz2 b/shadow-4.1.5.1.tar.bz2
new file mode 100644
index 0000000..ff4486e
--- /dev/null
+++ b/shadow-4.1.5.1.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:aa32333748d68b58ed3a83625f0165e0f6b9dc4639e6377c9300c6bf4fe978fb
+size 2193325
diff --git a/shadow-login_defs.diff b/shadow-login_defs.diff
new file mode 100644
index 0000000..e49ecac
--- /dev/null
+++ b/shadow-login_defs.diff
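Review bot: In the new `is_valid_name`, the `return -1;` taken when `asprintf` fails sits in a function declared `static bool`, so the -1 converts to `true` and an out-of-memory condition makes every user or group name pass validation; it should be `return false;`. The compiled pattern is never released (there is no `regfree` on the match or the no-match path), and in the `if (result)` branch `buffer` is allocated, never filled because the `regerror`/`fprintf` lines are commented out, and never freed. The code comment describes `[A-Za-z_]…` while the built-in fallback is the lowercase-only `[a-z_][a-z0-9_.-]*[a-z0-9_.$-]\\?`, so the comment should state which of the two is the default. The `®` in the `memset`, `regcomp`, `regerror` and `regexec` calls on this page is presumably `&reg` mangled by HTML rendering, and the sketch below assumes so.

```c
	if (asprintf (&buf, "^%s$", class) < 0)
		return false;	/* -1 would convert to true in a bool function */

	/* … unchanged: memset, regcomp into reg, free (buf) … */

	if (result != 0) {
		/* Bad CHARACTER_CLASS: fail closed; the unused malloc'ed error buffer is gone */
		return false;
	}

	result = regexec (&reg, name, 0, NULL, 0);
	regfree (&reg);

	return (0 == result);
```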
@@ -0,0 +1,338 @@
+--- etc/login.defs
++++ etc/login.defs 2012/09/26 12:02:14
+@@ -1,8 +1,6 @@
+ #
+ # /etc/login.defs - Configuration control definitions for the shadow package.
+ #
+-# $Id: login.defs 3189 2010-03-26 11:53:06Z nekral-guest $
+-#
+
+ #
+ # Delay in seconds before being allowed another attempt after a login failure
+@@ -12,11 +10,6 @@
+ FAIL_DELAY 3
+
+ #
+-# Enable logging and display of /var/log/faillog login failure info.
+-#
+-FAILLOG_ENAB yes
+-
+-#
+ # Enable display of unknown usernames when login failures are recorded.
+ #
+ LOG_UNKFAIL_ENAB no
+@@ -27,34 +20,6 @@
+ LOG_OK_LOGINS no
+
+ #
+-# Enable logging and display of /var/log/lastlog login time info.
+-#
+-LASTLOG_ENAB yes
+-
+-#
+-# Enable checking and display of mailbox status upon login.
+-#
+-# Disable if the shell startup files already check for mail
+-# ("mailx -e" or equivalent).
+-#
+-MAIL_CHECK_ENAB yes
+-
+-#
+-# Enable additional checks upon password changes.
+-#
+-OBSCURE_CHECKS_ENAB yes
+-
+-#
+-# Enable checking of time restrictions specified in /etc/porttime.
+-#
+-PORTTIME_CHECKS_ENAB yes
+-
+-#
+-# Enable setting of ulimit, umask, and niceness from passwd gecos field.
+-#
+-QUOTAS_ENAB yes
+-
+-#
+ # Enable "syslog" logging of su activity - in addition to sulog file logging.
+ # SYSLOG_SG_ENAB does the same for newgrp and sg.
+ #
+@@ -82,75 +47,31 @@
+ #MOTD_FILE /etc/motd:/usr/lib/news/news-motd
+
+ #
+-# If defined, this file will be output before each login prompt.
+-#
+-#ISSUE_FILE /etc/issue
+-
+-#
+ # If defined, file which maps tty line to TERM environment parameter.
+ # Each line of the file is in a format something like "vt100 tty01".
+ #
+ #TTYTYPE_FILE /etc/ttytype
+
+ #
+-# If defined, login failures will be logged here in a utmp format.
+-# last, when invoked as lastb, will read /var/log/btmp, so...
+-#
+-FTMP_FILE /var/log/btmp
+-
+-#
+-# If defined, name of file whose presence which will inhibit non-root
+-# logins.
The contents of this file should be a message indicating
+-# why logins are inhibited.
+-#
+-NOLOGINS_FILE /etc/nologin
+-
+-#
+-# If defined, the command name to display when running "su -". For
+-# example, if this is defined as "su" then a "ps" will display the
+-# command is "-su". If not defined, then "ps" would display the
+-# name of the shell actually being run, e.g. something like "-sh".
+-#
+-SU_NAME su
+-
+-#
+-# *REQUIRED*
+-# Directory where mailboxes reside, _or_ name of file, relative to the
+-# home directory. If you _do_ define both, MAIL_DIR takes precedence.
+-#
+-MAIL_DIR /var/spool/mail
+-#MAIL_FILE .mail
+-
+-#
+ # If defined, file which inhibits all the usual chatter during the login
+ # sequence. If a full pathname, then hushed mode will be enabled if the
+ # user's name or shell are found in the file. If not a full pathname, then
+ # hushed mode will be enabled if the file exists in the user's home directory.
+ #
+-HUSHLOGIN_FILE .hushlogin
+-#HUSHLOGIN_FILE /etc/hushlogins
+-
+-#
+-# If defined, either a TZ environment parameter spec or the
+-# fully-rooted pathname of a file containing such a spec.
+-#
+-#ENV_TZ TZ=CST6CDT
+-#ENV_TZ /etc/tzname
+-
+-#
+-# If defined, an HZ environment parameter spec.
+-#
+-# for Linux/x86
+-ENV_HZ HZ=100
+-# For Linux/Alpha...
+-#ENV_HZ HZ=1024
++#HUSHLOGIN_FILE .hushlogin
++HUSHLOGIN_FILE /etc/hushlogins
+
+ #
+ # *REQUIRED* The default PATH settings, for superuser and normal users.
+ #
+ # (they are minimal, add the rest in the shell startup files)
+ ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
+-ENV_PATH PATH=/bin:/usr/bin
++ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin
++
++#
++# The default PATH settings for root (used by login):
++#
++ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin
+
+ #
+ # Terminal permissions
+@@ -164,24 +85,20 @@
+ # TTYPERM to either 622 or 600.
+ #
+ TTYGROUP tty
+-TTYPERM 0600
++TTYPERM 0620
+
+ #
+ # Login configuration initializations:
+ #
+ # ERASECHAR Terminal ERASE character ('\010' = backspace).
+ # KILLCHAR Terminal KILL character ('\025' = CTRL/U).
+-# ULIMIT Default "ulimit" value.
+ #
+ # The ERASECHAR and KILLCHAR are used only on System V machines.
+-# The ULIMIT is used only if the system supports it.
+-# (now it works with setrlimit too; ulimit is in 512-byte units)
+ #
+ # Prefix these values with "0" to get octal, "0x" to get hexadecimal.
+ #
+ ERASECHAR 0177
+ KILLCHAR 025
+-#ULIMIT 2097152
+
+ # Default initial "umask" value used by login on non-PAM enabled systems.
+ # Default "umask" value for pam_umask on PAM enabled systems.
+@@ -206,40 +123,37 @@
+ PASS_WARN_AGE 7
+
+ #
+-# If "yes", the user must be listed as a member of the first gid 0 group
+-# in /etc/group (called "root" on most Linux systems) to be able to "su"
+-# to uid 0 accounts. If the group doesn't exist or is empty, no one
+-# will be able to "su" to uid 0.
+-#
+-SU_WHEEL_ONLY no
+-
+-#
+-# If compiled with cracklib support, where are the dictionaries
+-#
+-CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
+-
+-#
+ # Min/max values for automatic uid selection in useradd
+ #
++# SYS_UID_MIN to SYS_UID_MAX inclusive is the range for
++# UIDs for dynamically allocated administrative and system accounts.
++# UID_MIN to UID_MAX inclusive is the range of UIDs of dynamically
++# allocated user accounts.
++#
+ UID_MIN 1000
+ UID_MAX 60000
+ # System accounts
+-SYS_UID_MIN 101
+-SYS_UID_MAX 999
++SYS_UID_MIN 100
++SYS_UID_MAX 499
+
+ #
+ # Min/max values for automatic gid selection in groupadd
+ #
++# SYS_GID_MIN to SYS_GID_MAX inclusive is the range for
++# GIDs for dynamically allocated administrative and system groups.
++# GID_MIN to GID_MAX inclusive is the range of GIDs of dynamically
++# allocated groups.
++#
+ GID_MIN 1000
+ GID_MAX 60000
+ # System accounts
+-SYS_GID_MIN 101
+-SYS_GID_MAX 999
++SYS_GID_MIN 100
++SYS_GID_MAX 499
+
+ #
+ # Max number of login retries if password is bad
+ #
+-LOGIN_RETRIES 5
++LOGIN_RETRIES 3
+
+ #
+ # Max time in seconds for login
+@@ -247,28 +161,6 @@
+ LOGIN_TIMEOUT 60
+
+ #
+-# Maximum number of attempts to change password if rejected (too easy)
+-#
+-PASS_CHANGE_TRIES 5
+-
+-#
+-# Warn about weak passwords (but still allow them) if you are root.
+-#
+-PASS_ALWAYS_WARN yes
+-
+-#
+-# Number of significant characters in the password for crypt().
+-# Default is 8, don't change unless your crypt() is better.
+-# Ignored if MD5_CRYPT_ENAB set to "yes".
+-#
+-#PASS_MAX_LEN 8
+-
+-#
+-# Require password before chfn/chsh can make any changes.
+-#
+-CHFN_AUTH yes
+-
+-#
+ # Which fields may be changed by regular users using chfn - use
+ # any combination of letters "frwh" (full name, room number, work
+ # phone, home phone). If not defined, no changes are allowed.
+@@ -277,13 +169,6 @@
+ CHFN_RESTRICT rwh
+
+ #
+-# Password prompt (%s will be replaced by user name).
+-#
+-# XXX - it doesn't work correctly yet, for now leave it commented out
+-# to use the default which is just "Password: ".
+-#LOGIN_STRING "%s's Password: "
+-
+-#
+ # Only works if compiled with MD5_CRYPT defined:
+ # If set to "yes", new passwords will be encrypted using the MD5-based
+ # algorithm compatible with the one used by recent releases of FreeBSD.
+@@ -345,16 +230,12 @@
+ DEFAULT_HOME yes
+
+ #
+-# If this file exists and is readable, login environment will be
+-# read from it. Every line should be in the form name=value.
+-#
+-ENVIRON_FILE /etc/environment
+-
+-#
+ # If defined, this command is run when removing a user.
+ # It should remove any at/cron/print jobs etc. owned by
+ # the user to be removed (passed as the first argument).
+ #
++# See USERDEL_PRECMD/POSTCMD below.
++#
+ #USERDEL_CMD /usr/sbin/userdel_local
+
+ #
+@@ -364,7 +245,7 @@
+ #
+ # This also enables userdel to remove user groups if no members exist.
+ #
+-USERGROUPS_ENAB yes
++USERGROUPS_ENAB no
+
+ #
+ # If set to a non-nul number, the shadow utilities will make sure that
+@@ -383,5 +264,41 @@
+ # This option is overridden with the -M or -m flags on the useradd command
+ # line.
+ #
+-#CREATE_HOME yes
++CREATE_HOME no
++
++#
++# User/group names must match the following regex expression.
++# The default is [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?,
++# but be aware that the result could depend on the locale settings.
++#
++#CHARACTER_CLASS [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?
++CHARACTER_CLASS [ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_][ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-]*[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$-]\?
++
++#
++# If defined, this command is run when adding a group.
++# It should rebuild any NIS database etc. to add the
++# new created group.
++#
++GROUPADD_CMD /usr/sbin/groupadd.local
++
++#
++# If defined, this command is run when adding a user.
++# It should rebuild any NIS database etc. to add the
++# new created account.
++#
++USERADD_CMD /usr/sbin/useradd.local
++
++#
++# If defined, this command is run before removing a user.
++# It should remove any at/cron/print jobs etc. owned by
++# the user to be removed.
++#
++USERDEL_PRECMD /usr/sbin/userdel-pre.local
++
++#
++# If defined, this command is run after removing a user.
++# It should rebuild any NIS database etc. to remove the
++# account from it.
++#
++USERDEL_POSTCMD /usr/sbin/userdel-post.local
+
diff --git a/shadow.changes b/shadow.changes
new file mode 100644
index 0000000..a7de446
--- /dev/null
+++ b/shadow.changes
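Review bot: `GROUPADD_CMD /usr/sbin/groupadd.local` is enabled in the last login.defs hunk, but README.changes-pwdutils in this commit lists groupadd.local as missing and shadow.spec installs only useradd.local, userdel-pre.local and userdel-post.local, so the setting names a root-run hook that the package does not ship. Unless a later patch adds both the script and the groupadd support, I would leave it commented, `#GROUPADD_CMD /usr/sbin/groupadd.local`, so that nothing unexpected at that path is picked up if support arrives later. The CHARACTER_CLASS comment gives `[A-Za-z_]…` as the default, whereas the fallback in chkname-regex.diff is lowercase-only; the comment should say that uppercase names are accepted only because this file sets the class explicitly.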
@@ -0,0 +1,25 @@
+-------------------------------------------------------------------
+Thu Sep 27 15:20:44 CEST 2012 - kukuk@suse.de
+
+- Implement CHARACTER_CLASS support
+ (chkname-regex.diff)
+
+-------------------------------------------------------------------
+Wed Sep 26 15:20:06 CEST 2012 - kukuk@suse.de
+
+- Add support for useradd.local
+ (useradd-script.diff)
+
+-------------------------------------------------------------------
+Tue Sep 25 16:22:18 CEST 2012 - kukuk@suse.de
+
+- Fix spec file
+- Adjust login.defs
+ (shadow-login_defs.diff)
+- Add userdel*.local script support and scrips
+ (userdel-scripts.diff)
+
+-------------------------------------------------------------------
+Mon Sep 24 16:04:03 CEST 2012 - kukuk@suse.de
+
+- Initial package [FATE#314473]
diff --git a/shadow.spec b/shadow.spec
new file mode 100644
index 0000000..ab404b4
--- /dev/null
+++ b/shadow.spec
@@ -0,0 +1,242 @@
+#
+# spec file for package shadow-utils
+#
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
+#
+
+
+Summary: Utilities to Manage User and Group Accounts
+Name: shadow
+Version: 4.1.5.1
+Release: 1
+License: BSD-3-Clause ; GPL-2.0+
+Group: System/Base
+Url: http://pkg-shadow.alioth.debian.org/
+Source: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2
+Source1: pamd.tar.bz2
+Source2: README.changes-pwdutils
+Source3: useradd.local
+Source4: userdel-pre.local
+Source5: userdel-post.local
+Patch: shadow-login_defs.diff
+Patch1: userdel-scripts.diff
+Patch2: useradd-script.diff
+Patch3: chkname-regex.diff
+BuildRequires: pam-devel
+BuildRequires: libselinux-devel
+BuildRequires: audit-devel
+BuildRequires: libsemanage-devel
+BuildRequires: libacl-devel libattr-devel
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
+PreReq: permissions
+Provides: pwdutils = 3.2.20
+Obsoletes: pwdutils <= 3.2.19
+
+%description
+This package includes the necessary programs for converting plain
+password files to the shadow password format and to manage user and
+group accounts.
+
+%prep
+%setup -q -a 1
+%patch -p0
+%patch1 -p0
+%patch2 -p0
+%patch3 -p0
+
+iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
+mv -v doc/HOWTO.utf8 doc/HOWTO
+
+%build
+export CFLAGS="$RPM_OPT_FLAGS -fpie"
+export LDFLAGS="-pie"
+
+%configure \
+ --disable-shadowgrp \
+ --enable-account-tools-setuid \
+ --with-audit \
+ --with-libpam \
+ --with-sha-crypt \
+ --with-acl \
+ --with-attr \
+ --with-nscd \
+ --with-selinux \
+ --without-libcrack \
+ --disable-shared \
+ --with-group-name-max-length=32
+make
+
+%install
+cp %SOURCE2 .
+make install DESTDIR=$RPM_BUILD_ROOT gnulocaledir=$RPM_BUILD_ROOT/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs
+
+# install useradd.local, userdel.local, ...
+install -m 0755 %SOURCE3 $RPM_BUILD_ROOT/%{_sbindir}/
+install -m 0755 %SOURCE4 $RPM_BUILD_ROOT/%{_sbindir}/
+install -m 0755 %SOURCE5 $RPM_BUILD_ROOT/%{_sbindir}/
+
+
+# Remove binaries we don't use.
+rm $RPM_BUILD_ROOT/%{_bindir}/groups
+rm $RPM_BUILD_ROOT/%{_mandir}/man1/groups.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/groups.*
+
+rm $RPM_BUILD_ROOT/%{_sbindir}/grpconv
+rm $RPM_BUILD_ROOT/%{_mandir}/man8/grpconv.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/grpconv.*
+rm $RPM_BUILD_ROOT/%{_sbindir}/grpunconv
+rm $RPM_BUILD_ROOT/%{_mandir}/man8/grpunconv.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/grpunconv.*
+
+rm $RPM_BUILD_ROOT/%{_sbindir}/groupmems
+rm $RPM_BUILD_ROOT/%{_mandir}/man8/groupmems.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/groupmems.*
+rm $RPM_BUILD_ROOT/etc/pam.d/groupmems
+
+rm $RPM_BUILD_ROOT/%{_bindir}/login
+rm $RPM_BUILD_ROOT/%{_mandir}/man1/login.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/login.*
+rm $RPM_BUILD_ROOT/etc/pam.d/login
+
+rm $RPM_BUILD_ROOT/%{_bindir}/su
+rm $RPM_BUILD_ROOT/%{_mandir}/man1/su.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/su.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man5/suauth.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/suauth.*
+rm $RPM_BUILD_ROOT/etc/pam.d/su
+
+rm $RPM_BUILD_ROOT/%{_bindir}/faillog
+rm $RPM_BUILD_ROOT/%{_mandir}/man5/faillog.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/faillog.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man8/faillog.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/faillog.*
+
+rm $RPM_BUILD_ROOT/%{_sbindir}/logoutd
+rm $RPM_BUILD_ROOT/%{_mandir}/man8/logoutd.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/logoutd.*
+rm $RPM_BUILD_ROOT/%{_sbindir}/nologin
+rm $RPM_BUILD_ROOT/%{_mandir}/man8/nologin.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/nologin.*
+
+rm $RPM_BUILD_ROOT/%{_sbindir}/chgpasswd
+rm $RPM_BUILD_ROOT/%{_mandir}/man8/chgpasswd.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/chgpasswd.*
+rm $RPM_BUILD_ROOT/etc/pam.d/chgpasswd
+
+rm $RPM_BUILD_ROOT/%{_mandir}/man3/getspnam.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man3/getspnam.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man5/gshadow.5*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/gshadow.5*
+rm $RPM_BUILD_ROOT/%{_mandir}/man5/passwd.5*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/passwd.5*
+rm $RPM_BUILD_ROOT/%{_mandir}/man5/shadow.5*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/shadow.5*
+
+
+rm -rf $RPM_BUILD_ROOT%{_mandir}/{??,??_??}
+
+%find_lang shadow
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post
+%set_permissions /usr/bin/chage
+%set_permissions /usr/bin/chfn
+%set_permissions /usr/bin/chsh
+%set_permissions /usr/bin/expiry
+%set_permissions /usr/bin/gpasswd
+%set_permissions /usr/bin/newgrp
+%set_permissions /usr/bin/passwd
+
+%verifyscript
+%verify_permissions /usr/bin/chage
+%verify_permissions /usr/bin/chfn
+%verify_permissions /usr/bin/chsh
+%verify_permissions /usr/bin/expiry
+%verify_permissions /usr/bin/gpasswd
+%verify_permissions /usr/bin/newgrp
+%verify_permissions /usr/bin/passwd
+
+%files -f shadow.lang
+%defattr(-,root,root)
+%doc NEWS doc/HOWTO README README.changes-pwdutils
+%attr(0644,root,root) %config %{_sysconfdir}/login.defs
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/default/useradd
+%config /etc/pam.d/chage
+%config /etc/pam.d/chfn
+%config /etc/pam.d/chsh
+%config /etc/pam.d/passwd
+%config /etc/pam.d/useradd
+%config /etc/pam.d/chpasswd
+%config
/etc/pam.d/groupadd
+%config /etc/pam.d/groupdel
+%config /etc/pam.d/groupmod
+%config /etc/pam.d/newusers
+%config /etc/pam.d/useradd
+%config /etc/pam.d/userdel
+%config /etc/pam.d/usermod
+%attr(4755,root,shadow) %{_bindir}/chage
+%attr(4755,root,shadow) %{_bindir}/chfn
+%attr(4755,root,shadow) %{_bindir}/chsh
+%attr(4755,root,shadow) %{_bindir}/expiry
+%attr(4755,root,shadow) %{_bindir}/gpasswd
+%{_bindir}/lastlog
+%attr(4755,root,root) %{_bindir}/newgrp
+%attr(4755,root,shadow) %{_bindir}/passwd
+%{_bindir}/sg
+%{_sbindir}/groupadd
+%{_sbindir}/groupdel
+%{_sbindir}/groupmod
+%{_sbindir}/grpck
+%{_sbindir}/pwck
+%{_sbindir}/useradd
+%{_sbindir}/userdel
+%{_sbindir}/usermod
+%{_sbindir}/pwconv
+%{_sbindir}/pwunconv
+%{_sbindir}/chpasswd
+%{_sbindir}/newusers
+%{_sbindir}/vipw
+%{_sbindir}/vigr
+%verify(not md5 size mtime) %config(noreplace) %{_sbindir}/useradd.local
+%verify(not md5 size mtime) %config(noreplace) %{_sbindir}/userdel-pre.local
+%verify(not md5 size mtime) %config(noreplace) %{_sbindir}/userdel-post.local
+%{_mandir}/man1/chage.1*
+%{_mandir}/man1/chfn.1*
+%{_mandir}/man1/chsh.1*
+%{_mandir}/man1/expiry.1*
+%{_mandir}/man1/gpasswd.1*
+%{_mandir}/man1/newgrp.1*
+%{_mandir}/man1/passwd.1*
+%{_mandir}/man1/sg.1*
+%{_mandir}/man3/shadow.3*
+%{_mandir}/man5/login.defs.5*
+%{_mandir}/man8/chpasswd.8*
+%{_mandir}/man8/groupadd.8*
+%{_mandir}/man8/groupdel.8*
+%{_mandir}/man8/groupmod.8*
+%{_mandir}/man8/grpck.8*
+%{_mandir}/man8/lastlog.8*
+%{_mandir}/man8/newusers.8*
+%{_mandir}/man8/pwck.8*
+%{_mandir}/man8/pwconv.8*
+%{_mandir}/man8/pwunconv.8*
+%{_mandir}/man8/useradd.8*
+%{_mandir}/man8/userdel.8*
+%{_mandir}/man8/usermod.8*
+%{_mandir}/man8/vigr.8*
+%{_mandir}/man8/vipw.8*
+
+%changelog
diff --git a/useradd-script.diff b/useradd-script.diff
new file mode 100644
index 0000000..b6ad5f2
--- /dev/null
+++ b/useradd-script.diff
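Review bot: The three hook scripts are packaged as `%verify(not md5 size mtime) %config(noreplace)` in `%{_sbindir}`, so `rpm -V` will not report a changed useradd.local, userdel-pre.local or userdel-post.local even though useradd and userdel run them as root; dropping the `%verify(not …)` part keeps local edits visible to integrity checks as modified config files. `%attr(4755,root,shadow)` makes chage and expiry setuid root along with chfn, chsh, gpasswd and passwd; whether the `%set_permissions` calls in `%post` lower that depends on the permissions package, which is not on this page, so a comment stating the intended final mode would help. `%config /etc/pam.d/useradd` is listed twice in `%files`.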
@@ -0,0 +1,42 @@
+--- src/useradd.c
++++ src/useradd.c 2012/09/26 13:06:50
+@@ -1845,6 +1845,30 @@
+ }
+
+ /*
++ * call_script - call a script to do some work
++ *
++ * call_script calls a script for additional changes to the
++ * account.
++ */
++
++static void call_script (const char *user)
++{
++ const char *cmd;
++ const char *argv[3];
++ int status;
++
++ cmd = getdef_str ("USERADD_CMD");
++ if (NULL == cmd) {
++ return;
++ }
++ argv[0] = cmd;
++ argv[1] = user;
++ argv[2] = (char *)0;
++ (void) run_command (cmd, argv, NULL, &status);
++}
++
++
++/*
+ * main - useradd command
+ */
+ int main (int argc, char **argv)
+@@ -2076,6 +2100,7 @@
+ nscd_flush_cache ("passwd");
+ nscd_flush_cache ("group");
+
++ call_script (user_name);
++
+ return E_SUCCESS;
+ }
+-
diff --git a/useradd.local b/useradd.local
new file mode 100644
index 0000000..2caf444
--- /dev/null
+++ b/useradd.local
@@ -0,0 +1,44 @@
+#!/bin/bash
+#
+# Here you can add your own stuff, that should be done for every user who
+# was new created.
+#
+# When you create a user with useradd, this script will be called
+# with the login name as parameter. Optional, UID, GID and the HOME
+# directory are added.
+#
+
+case "$1" in
+ --help|--version)
+ echo Usage: $0 username [uid gid home]
+ exit 0
+ ;;
+esac
+
+# Check for the required argument.
+if [ $# -lt 1 -o $# -gt 4 ]; then
+ echo Usage: $0 username [uid gid home]
+ exit 1
+fi
+
+# Update NIS database
+# make -C /var/yp
+
+# If SELinux is enabled, we have to run restorecon to assign
+# appropriate fcontexts to the respective $HOME and files under it
+if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled ; then
+ test -x /sbin/restorecon || exit 2
+
+ if [ $# -lt 4 ]; then
+ home_dir=/home/$1
+ else
+ home_dir=$4
+ fi
+
+ if [ -d $home_dir ]; then
+ /sbin/restorecon -R $home_dir
+ fi
+fi
+
+# All done.
+exit 0
diff --git a/userdel-post.local b/userdel-post.local
new file mode 100644
index 0000000..6f780a1
--- /dev/null
+++ b/userdel-post.local
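Review bot: `getdef_str ("USERADD_CMD")` in the new `call_script` looks up a key that none of the visible patches registers: chkname-regex.diff adds `{"CHARACTER_CLASS", NULL},` to `def_table` in lib/getdef.c, but there is no matching entry for USERADD_CMD, nor for USERDEL_PRECMD and USERDEL_POSTCMD used in userdel-scripts.diff. If `getdef_str` only resolves names present in that table (the rest of the table is outside this page), the lookups return NULL and the hooks are skipped silently, which for userdel-pre.local means a deleted account keeps its cron jobs. Adding `{"USERADD_CMD", NULL},`, `{"USERDEL_POSTCMD", NULL},` and `{"USERDEL_PRECMD", NULL},` next to the CHARACTER_CLASS entry would close that gap. The `run_command` result and `status` are discarded, and the hook receives only the login name although useradd.local documents optional uid, gid and home arguments.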
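Review bot: `$home_dir` is expanded unquoted in `[ -d $home_dir ]` and `/sbin/restorecon -R $home_dir`, and useradd.local runs as root from useradd, so a home path containing whitespace or glob characters is split or expanded before restorecon sees it; use `if [ -d "$home_dir" ]; then` and `/sbin/restorecon -R "$home_dir"`. The same applies to `/usr/bin/crontab -r -u $1` in userdel-pre.local, which should pass `-u "$1"`. The fallback `home_dir=/home/$1` is a guess whenever only the login name is passed, which is what `call_script (user_name)` in useradd-script.diff does, so an account created with a different home directory would be relabelled at the wrong path or not at all.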
@@ -0,0 +1,29 @@
+#!/bin/bash
+#
+# Here you can add your own stuff, that should be done for every user
+# which we deleted.
+#
+# If you delete a user with userdel, this script will be called
+# with the login name as parameter after the account and optional
+# home directory was removed from the system.
+#
+
+case "$1" in
+ --help|--version)
+ echo Usage: $0 username uid gid home
+ exit 0
+ ;;
+esac
+
+# Check for the required argument.
+if [ $# != 1 ]; then
+ echo Usage: $0 username
+ exit 1
+fi
+
+# Rebuild NIS database to remove the account from it.
+# make -C /var/yp
+
+# All done.
+exit 0
+
diff --git a/userdel-pre.local b/userdel-pre.local
new file mode 100644
index 0000000..9924962
--- /dev/null
+++ b/userdel-pre.local
@@ -0,0 +1,28 @@
+#!/bin/bash
+#
+# Here you can add your own stuff, that should be done for every user
+# who will be deleted.
+#
+# When you delete a user with userdel, this script will be called
+# with the login name as parameter before any other action is done.
+#
+
+case "$1" in
+ --help|--version)
+ echo Usage: $0 username uid gid home
+ exit 0
+ ;;
+esac
+
+# Check for the required argument.
+if [ $# != 1 ]; then
+ echo Usage: $0 username
+ exit 1
+fi
+
+# Remove cron jobs
+test -x /usr/bin/crontab && /usr/bin/crontab -r -u $1
+
+# All done.
+exit 0
+
diff --git a/userdel-scripts.diff b/userdel-scripts.diff
new file mode 100644
index 0000000..d44833a
--- /dev/null
+++ b/userdel-scripts.diff
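Review bot: The `--help|--version` branch of userdel-post.local prints `Usage: $0 username uid gid home`, while the argument check just below accepts exactly one argument and prints `Usage: $0 username`; the help text should be the one-argument form, `echo Usage: $0 username`. As written, a caller that follows the help text is rejected with exit status 1. userdel-pre.local has the same mismatch.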
@@ -0,0 +1,50 @@
+--- src/userdel.c
++++ src/userdel.c 2012/09/25 13:46:38
+@@ -635,13 +635,13 @@
+ * cron, at, or print jobs.
+ */
+
+-static void user_cancel (const char *user)
++static void call_script (const char *program, const char *user)
+ {
+ const char *cmd;
+ const char *argv[3];
+ int status;
+
+- cmd = getdef_str ("USERDEL_CMD");
++ cmd = getdef_str (program);
+ if (NULL == cmd) {
+ return;
+ }
+@@ -1032,9 +1032,10 @@
+ }
+
+ /*
+- * Do the hard stuff - open the files, create the user entries,
+- * create the home directory, then close and update the files.
++ * Do the hard stuff - open the files, remove the user entries,
++ * remove the home directory, then close and update the files.
+ */
++ call_script ("USERDEL_PRECMD", user_name);
+ open_files ();
+ update_user ();
+ update_groups ();
+@@ -1137,7 +1138,7 @@
+ * Cancel any crontabs or at jobs. Have to do this before we remove
+ * the entry from /etc/passwd.
+ */
+- user_cancel (user_name);
++ call_script ("USERDEL_CMD", user_name);
+ close_files ();
+
+ #ifdef WITH_TCB
+@@ -1147,6 +1148,8 @@
+ nscd_flush_cache ("passwd");
+ nscd_flush_cache ("group");
+
++ /* Call the post script, for example to rebuild NIS database */
++ call_script ("USERDEL_POSTCMD", user_name);
++
+ return ((0 != errors) ? E_HOMEDIR : E_SUCCESS);
+ }
+-
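Review bot: `call_script ("USERDEL_PRECMD", user_name)` runs before `open_files ()` and nothing checks how it ended, so a failing pre-delete hook (the shipped userdel-pre.local is what removes the user's crontab) neither stops nor flags the deletion. The part of `call_script` that invokes the command lies outside the hunk; the useradd copy in useradd-script.diff casts the `run_command` result to `(void)`, and if this one does the same I would at least log a non-zero result before continuing. The context comment above the renamed function still ends with `cron, at, or print jobs.`, which described `user_cancel`; it should now describe a generic hook runner that takes the login.defs key in `program`.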