
Accepting request 765745 from Base:System

- Set 0755 for chpasswd, groupadd, groupdel, groupmod, newusers,
  useradd, userdel, usermod explicitly.

- bsc#1160729: Make valid shell check only a warning
  * Add shadow-4.8-shell-check.patch

- Update to 4.8:
  * Initial optional bcrypt support.
  * Make build/install of 'su' optional.
  * Fix for vipw not resuming correctly when suspended
  * Sync password field descriptions in manpages
  * Check for valid shell argument in useradd
  * Allow translation of new strings through POTFILES.in
  * Migrate to itstool for translations
  * Migrate to new SELinux api
  * Support --enable-vendordir
  * pwck: Only check homedir if set and not a system user
  * Support nonstandard usernames
  * sget{pw,gr}ent: check for data at EOL
  * Add YYYY-MM-DD support in chage
  * Fix failing chmod calls for suidubins
  * Fix --sbindir and --bindir for binary installations
  * Fix LASTLOG_UID_MAX in login.defs
  * Fix configure error with dash
- Remove because upstreamed:
  * libeconf.patch
  * shadow-usermod-variable.patch
- Rebase:
  * shadow-login_defs-unused-by-pam.patch
  * chkname-regex.patch

OBS-URL: https://build.opensuse.org/request/show/765745
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shadow?expand=0&rev=36
Dominique Leuenberger 2020-01-25 12:22:40 +00:00 committed by Git OBS Bridge
commit 9f37ba3939
14 changed files with 171 additions and 471 deletions


@ -2,7 +2,7 @@ Index: etc/login.defs
===================================================================
--- etc/login.defs.orig
+++ etc/login.defs
@@ -274,3 +274,11 @@ USERGROUPS_ENAB yes
@@ -299,3 +299,11 @@ USERGROUPS_ENAB yes
# missing.
#
#FORCE_SHADOW yes
@ -18,7 +18,7 @@ Index: lib/getdef.c
===================================================================
--- lib/getdef.c.orig
+++ lib/getdef.c
@@ -77,6 +77,7 @@ struct itemdef {
@@ -80,6 +80,7 @@ struct itemdef {
#define NUMDEFS (sizeof(def_table)/sizeof(def_table[0]))
static struct itemdef def_table[] = {
@ -30,7 +30,7 @@ Index: libmisc/chkname.c
===================================================================
--- libmisc/chkname.c.orig
+++ libmisc/chkname.c
@@ -43,30 +43,57 @@
@@ -43,8 +43,11 @@
#ident "$Id$"
#include <ctype.h>
@ -40,13 +40,15 @@ Index: libmisc/chkname.c
+#include "getdef.h"
+#include <stdio.h>
static bool is_valid_name (const char *name)
{
int allow_bad_names = false;
@@ -54,24 +57,46 @@ static bool is_valid_name (const char *n
return true;
}
- /*
- * User/group names must match [a-z_][a-z0-9_-]*[$]
- */
- if (('\0' == *name) ||
- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
+ const char *class;
+ regex_t reg;
+ int result;
@ -79,7 +81,9 @@ Index: libmisc/chkname.c
+ fprintf (stderr, _("Can't compile regular expression: %s\n"),
+ buffer);
+ } */
+
- if (('\0' == *name) ||
- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
+ regfree(&reg);
return false;
}
@ -98,7 +102,4 @@ Index: libmisc/chkname.c
+ return false;
}
+ regfree(&reg);
return true;
}
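Review bot: The diagnostic for a failed regex compile in `is_valid_name` sits inside a comment (the block that closes with `} */`), so a pattern that does not compile appears to be rejected without any message telling the administrator why names stopped validating. The patch also includes `getdef.h` and touches `def_table` in lib/getdef.c, so the pattern presumably comes from login.defs and can be mistyped there. Either enable the `Can't compile regular expression` message or delete the dead block and leave a short comment at the failure return, such as `/* pattern from login.defs did not compile: reject the name */`. Only part of the function body is visible in this section.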


@ -1,362 +0,0 @@
From b52ce71c276d6dafceac6b942b534af77b647f48 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <kukuk@suse.com>
Date: Fri, 20 Sep 2019 10:27:31 +0200
Subject: [PATCH] Add support for a vendor directory and libeconf
With this, it is possible for Linux distributors to store their
supplied default configuration files somewhere below /usr, while
/etc only contains the changes made by the user. The new option
--enable-vendordir defines where the shadow suite should additional
look for login.defs if this file is not in /etc.
libeconf is a key/value configuration file reading library, which
handles the split of configuration files in different locations
and merges them transparently for the application.
---
configure.ac | 13 +++++++-
lib/Makefile.am | 4 +++
lib/getdef.c | 76 +++++++++++++++++++++++++++++++++++++++++++
libmisc/Makefile.am | 2 +-
libmisc/prefix_flag.c | 18 ++++++----
src/Makefile.am | 55 ++++++++++++++++---------------
6 files changed, 132 insertions(+), 36 deletions(-)
diff --git a/configure.ac b/configure.ac
index 1907afbd..6a273766 100644
--- a/configure.ac
+++ b/configure.ac
@@ -247,7 +247,7 @@ AC_ARG_ENABLE(subordinate-ids,
[enable_subids="maybe"]
)
-AC_ARG_WITH(audit,
+AC_ARG_WITH(audit,
[AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])],
[with_audit=$withval], [with_audit=maybe])
AC_ARG_WITH(libpam,
@@ -321,6 +321,17 @@ AC_SEARCH_LIBS(inet_ntoa, inet)
AC_SEARCH_LIBS(socket, socket)
AC_SEARCH_LIBS(gethostbyname, nsl)
+AC_CHECK_LIB([econf],[econf_readDirs],[LIBECONF="-leconf"],[LIBECONF=""])
+if test -n "$LIBECONF"; then
+ ECONF_CPPFLAGS="-DUSE_ECONF=1"
+ AC_ARG_ENABLE([vendordir],
+ AS_HELP_STRING([--enable-vendordir=DIR], [Directory for distribution provided configuration files]),,[])
+fi
+AC_SUBST(ECONF_CPPFLAGS)
+AC_SUBST(LIBECONF)
+AC_SUBST([VENDORDIR], [$enable_vendordir])
+AM_CONDITIONAL([HAVE_VENDORDIR], [test "x$enable_vendordir" != x])
+
if test "$enable_shadowgrp" = "yes"; then
AC_DEFINE(SHADOWGRP, 1, [Define to support the shadow group file.])
fi
diff --git a/lib/Makefile.am b/lib/Makefile.am
index fd634542..a40c08a1 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -6,6 +6,10 @@ DEFS =
noinst_LTLIBRARIES = libshadow.la
libshadow_la_LDFLAGS = -version-info 0:0:0
+libshadow_la_CPPFLAGS = $(ECONF_CPPFLAGS)
+if HAVE_VENDORDIR
+libshadow_la_CPPFLAGS += -DVENDORDIR=\"$(VENDORDIR)\"
+endif
libshadow_la_SOURCES = \
commonio.c \
diff --git a/lib/getdef.c b/lib/getdef.c
index ece33a78..939aea29 100644
--- a/lib/getdef.c
+++ b/lib/getdef.c
@@ -40,6 +40,9 @@
#include <stdlib.h>
#include <ctype.h>
#include <errno.h>
+#ifdef USE_ECONF
+#include <libeconf.h>
+#endif
#include "getdef.h"
/*
* A configuration item definition.
@@ -152,11 +155,20 @@ static struct itemdef knowndef_table[] = {
{NULL, NULL}
};
+#ifdef USE_ECONF
+#ifdef VENDORDIR
+static const char* vendordir = VENDORDIR;
+#else
+static const char* vendordir = NULL;
+#endif
+static const char* sysconfdir = "/etc";
+#else
#ifndef LOGINDEFS
#define LOGINDEFS "/etc/login.defs"
#endif
static const char* def_fname = LOGINDEFS; /* login config defs file */
+#endif
static bool def_loaded = false; /* are defs already loaded? */
/* local function prototypes */
@@ -433,7 +445,27 @@ static /*@observer@*/ /*@null@*/struct itemdef *def_find (const char *name)
void setdef_config_file (const char* file)
{
+#ifdef USE_ECONF
+ size_t len;
+ char* cp;
+
+ len = strlen(file) + strlen(sysconfdir) + 2;
+ cp = malloc(len);
+ if (cp == NULL)
+ exit (13);
+ snprintf(cp, len, "%s/%s", file, sysconfdir);
+ sysconfdir = cp;
+#ifdef VENDORDIR
+ len = strlen(file) + strlen(vendordir) + 2;
+ cp = malloc(len);
+ if (cp == NULL)
+ exit (13);
+ snprintf(cp, len, "%s/%s", file, vendordir);
+ vendordir = cp;
+#endif
+#else
def_fname = file;
+#endif
}
/*
@@ -444,9 +476,16 @@ void setdef_config_file (const char* file)
static void def_load (void)
{
+#ifdef USE_ECONF
+ econf_file *defs_file = NULL;
+ econf_err error;
+ char **keys;
+ size_t key_number;
+#else
int i;
FILE *fp;
char buf[1024], *name, *value, *s;
+#endif
/*
* Set the initialized flag.
@@ -454,6 +493,42 @@ static void def_load (void)
*/
def_loaded = true;
+#ifdef USE_ECONF
+
+ error = econf_readDirs (&defs_file, vendordir, sysconfdir, "login", "defs", " \t", "#");
+ if (error) {
+ if (error == ECONF_NOFILE)
+ return;
+
+ SYSLOG ((LOG_CRIT, "cannot open login definitions [%s]",
+ econf_errString(error)));
+ exit (EXIT_FAILURE);
+ }
+
+ if ((error = econf_getKeys(defs_file, NULL, &key_number, &keys))) {
+ SYSLOG ((LOG_CRIT, "cannot read login definitions [%s]",
+ econf_errString(error)));
+ exit (EXIT_FAILURE);
+ }
+
+ for (size_t i = 0; i < key_number; i++) {
+ char *value;
+
+ econf_getStringValue(defs_file, NULL, keys[i], &value);
+
+ /*
+ * Store the value in def_table.
+ *
+ * Ignore failures to load the login.defs file.
+ * The error was already reported to the user and to
+ * syslog. The tools will just use their default values.
+ */
+ (void)putdef_str (keys[i], value);
+ }
+
+ econf_free (keys);
+ econf_free (defs_file);
+#else
/*
* Open the configuration definitions file.
*/
@@ -517,6 +592,7 @@ static void def_load (void)
}
(void) fclose (fp);
+#endif
}
diff --git a/libmisc/Makefile.am b/libmisc/Makefile.am
index 9aed980f..7f43161f 100644
--- a/libmisc/Makefile.am
+++ b/libmisc/Makefile.am
@@ -1,7 +1,7 @@
EXTRA_DIST = .indent.pro xgetXXbyYY.c
-AM_CPPFLAGS = -I$(top_srcdir)/lib
+AM_CPPFLAGS = -I$(top_srcdir)/lib $(ECONF_CPPFLAGS)
noinst_LIBRARIES = libmisc.a
diff --git a/libmisc/prefix_flag.c b/libmisc/prefix_flag.c
index cd1eec47..4fe6d195 100644
--- a/libmisc/prefix_flag.c
+++ b/libmisc/prefix_flag.c
@@ -96,7 +96,7 @@ extern const char* process_prefix_flag (const char* short_opt, int argc, char **
}
}
-
+
if (prefix != NULL) {
if ( prefix[0] == '\0' || !strcmp(prefix, "/"))
@@ -113,7 +113,7 @@ extern const char* process_prefix_flag (const char* short_opt, int argc, char **
group_db_file = xmalloc(len);
snprintf(group_db_file, len, "%s/%s", prefix, GROUP_FILE);
gr_setdbname(group_db_file);
-
+
#ifdef SHADOWGRP
len = strlen(prefix) + strlen(SGROUP_FILE) + 2;
sgroup_db_file = xmalloc(len);
@@ -128,7 +128,7 @@ extern const char* process_prefix_flag (const char* short_opt, int argc, char **
spw_db_file = xmalloc(len);
snprintf(spw_db_file, len, "%s/%s", prefix, SHADOW_FILE);
spw_setdbname(spw_db_file);
-
+
#ifdef ENABLE_SUBIDS
len = strlen(prefix) + strlen("/etc/subuid") + 2;
suid_db_file = xmalloc(len);
@@ -141,11 +141,15 @@ extern const char* process_prefix_flag (const char* short_opt, int argc, char **
sub_gid_setdbname(sgid_db_file);
#endif
+#ifdef USE_ECONF
+ setdef_config_file(prefix);
+#else
len = strlen(prefix) + strlen("/etc/login.defs") + 2;
def_conf_file = xmalloc(len);
snprintf(def_conf_file, len, "%s/%s", prefix, "/etc/login.defs");
setdef_config_file(def_conf_file);
- }
+#endif
+ }
if (prefix == NULL)
return "";
@@ -169,7 +173,7 @@ extern struct group *prefix_getgrnam(const char *name)
fclose(fg);
return grp;
}
-
+
return getgrnam(name);
}
@@ -262,7 +266,7 @@ extern void prefix_setpwent()
}
if (fp_pwent)
fclose (fp_pwent);
-
+
fp_pwent = fopen(passwd_db_file, "rt");
if(!fp_pwent)
return;
@@ -293,7 +297,7 @@ extern void prefix_setgrent()
}
if (fp_grent)
fclose (fp_grent);
-
+
fp_grent = fopen(group_db_file, "rt");
if(!fp_grent)
return;
diff --git a/src/Makefile.am b/src/Makefile.am
index f7f132ee..451816d7 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -88,42 +88,43 @@ else
LIBCRYPT_NOPAM = $(LIBCRYPT)
endif
-chage_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+chage_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
newuidmap_LDADD = $(LDADD) $(LIBSELINUX) $(LIBCAP)
newgidmap_LDADD = $(LDADD) $(LIBSELINUX) $(LIBCAP)
-chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
-chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
-chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
-chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
-gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
-groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
-groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
-groupmems_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX)
-groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
-grpck_LDADD = $(LDADD) $(LIBSELINUX)
-grpconv_LDADD = $(LDADD) $(LIBSELINUX)
-grpunconv_LDADD = $(LDADD) $(LIBSELINUX)
-lastlog_LDADD = $(LDADD) $(LIBAUDIT)
+chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)
+chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF)
+chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)
+chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF)
+expiry_LDADD = $(LDADD) $(LIBECONF)
+gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF)
+groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
+groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
+groupmems_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBECONF)
+groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
+grpck_LDADD = $(LDADD) $(LIBSELINUX) $(LIBECONF)
+grpconv_LDADD = $(LDADD) $(LIBSELINUX) $(LIBECONF)
+grpunconv_LDADD = $(LDADD) $(LIBSELINUX) $(LIBECONF)
+lastlog_LDADD = $(LDADD) $(LIBAUDIT) $(LIBECONF)
login_SOURCES = \
login.c \
login_nopam.c
-login_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
-newgrp_LDADD = $(LDADD) $(LIBAUDIT) $(LIBCRYPT)
-newusers_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
+login_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)
+newgrp_LDADD = $(LDADD) $(LIBAUDIT) $(LIBCRYPT) $(LIBECONF)
+newusers_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF)
nologin_LDADD =
-passwd_LDADD = $(LDADD) $(LIBPAM) $(LIBCRACK) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM)
-pwck_LDADD = $(LDADD) $(LIBSELINUX)
-pwconv_LDADD = $(LDADD) $(LIBSELINUX)
-pwunconv_LDADD = $(LDADD) $(LIBSELINUX)
+passwd_LDADD = $(LDADD) $(LIBPAM) $(LIBCRACK) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBECONF)
+pwck_LDADD = $(LDADD) $(LIBSELINUX) $(LIBECONF)
+pwconv_LDADD = $(LDADD) $(LIBSELINUX) $(LIBECONF)
+pwunconv_LDADD = $(LDADD) $(LIBSELINUX) $(LIBECONF)
su_SOURCES = \
su.c \
suauth.c
-su_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
-sulogin_LDADD = $(LDADD) $(LIBCRYPT)
-useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR)
-userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE)
-usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR)
-vipw_LDADD = $(LDADD) $(LIBSELINUX)
+su_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)
+sulogin_LDADD = $(LDADD) $(LIBCRYPT) $(LIBECONF)
+useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBECONF)
+userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBECONF)
+usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBECONF)
+vipw_LDADD = $(LDADD) $(LIBSELINUX) $(LIBECONF)
install-am: all-am
$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e5e196a4a7e3b228c812f3163d368be3e932e6eaa4e616677a148d9ec921e16c
size 1624340


@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEE8dCNt3gYW/eEAC3/6f7qBqheP50FAl0CfrYACgkQ6f7qBqhe
P50xqQgAgmeu46zmQ7A+8nzcna8aaKQ5aftc9QVCQuPg94DvkXNuUjz384os1PBa
9DM5ukiDiDWhkmoKDCro9d/JVfKg0v0W2Ee29JvaZRhpUFlk3xWZAM55Na22ywbv
JYIF94wLfH0+AZQvjTpJmlJgeCK5K0L2LvAsPoEsHNuAKjpz7tFGJgqBKgK2+xAv
csmBhPRShZypXH3tQ/jcMT8itPSRBGt4W55zuNUT2OKc5ioXxc1TJ5jn0YX8AsOQ
5ZkBbGHL416QRonhiKfWsntB3RnmJQMcL8R72MpemKjVw+q+QYnnKIE/Fta7J0+N
EkUBRYdbbiAsUNW3syN/Q2o+DF00aw==
=dbPQ
-----END PGP SIGNATURE-----


@ -0,0 +1,12 @@
Index: shadow-4.8/lib/selinux.c
===================================================================
--- shadow-4.8.orig/lib/selinux.c
+++ shadow-4.8/lib/selinux.c
@@ -31,6 +31,7 @@
#ifdef WITH_SELINUX
+#include <stdio.h>
#include "defines.h"
#include <selinux/selinux.h>


@ -0,0 +1,43 @@
From 4ed08824e511fa5247006c71490b0440e1c17319 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 16 Jan 2020 12:55:30 +0100
Subject: [PATCH] Make the check for non-executable shell only a warning.
Although it is a good idea to check for an inadvertent typo
in the shell name it is possible that the shell might not be present
on the system yet when the user is added.
---
src/useradd.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/src/useradd.c b/src/useradd.c
index c29ae949..a679392d 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -1328,15 +1328,22 @@ static void process_flags (int argc, char **argv)
if ( ( !VALID (optarg) )
|| ( ('\0' != optarg[0])
&& ('/' != optarg[0])
- && ('*' != optarg[0]) )
- || (stat(optarg, &st) != 0)
- || (S_ISDIR(st.st_mode))
- || (access(optarg, X_OK) != 0)) {
+ && ('*' != optarg[0]) )) {
fprintf (stderr,
_("%s: invalid shell '%s'\n"),
Prog, optarg);
exit (E_BAD_ARG);
}
+ if ( '\0' != optarg[0]
+ && '*' != optarg[0]
+ && strcmp(optarg, "/sbin/nologin") != 0
+ && ( stat(optarg, &st) != 0
+ || S_ISDIR(st.st_mode)
+ || access(optarg, X_OK) != 0)) {
+ fprintf (stderr,
+ _("%s: Warning: missing or non-executable shell '%s'\n"),
+ Prog, optarg);
+ }
user_shell = optarg;
def_shell = optarg;
sflg = true;
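Review bot: A shell path that exists but is a directory is now only warned about, because `S_ISDIR(st.st_mode)` moved from the rejecting condition into the warning-only block. The stated rationale (the shell may not be installed yet) covers a failing `stat()` but not a path that is already present and is a directory. Consider keeping that case fatal by adding `|| (stat(optarg, &st) == 0 && S_ISDIR(st.st_mode))` to the first `if`. The hard-coded `strcmp(optarg, "/sbin/nologin") != 0` exemption would also benefit from a one-line comment saying why that path alone skips the warning. `process_flags` starts and ends outside the hunk.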

3
shadow-4.8.tar.xz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:64b46683b9c1f35b2cd2da9fa87a1383917666e85a56b35e081c7257d10dac64
size 1609060

11
shadow-4.8.tar.xz.asc Normal file

@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEE8dCNt3gYW/eEAC3/6f7qBqheP50FAl3j/d0ACgkQ6f7qBqhe
P5185Qf9E2/IuxNWXdL30l+rA9w5WAIiQ61UHf/Z4HXPaVQnSmjGruHeuCbEDhyF
Lcqqmhfi84CdFSJe3F+0JrpgFQ1wfc+j/n1jPjrtpjtje7cuuwFTTVx8LDL+hULl
ylQKneQdDfX1vZnmcD5Us8YifG+eiTOHsLnk+HpgRekMpr6mIzJm8SkyJiVp8kAO
Rfp60+XlCW4Q0bExQ9Ig4ElEagQTODwQ6xPxM5pHvc/pEvJyH/2fq9BzSfDRMU8q
h9pO3gDgXp0A7hmkBlQVPsG9vXCwNuvrAj4p7TTYqdn03uTTcknFqhoECuQjJ+BM
z2WaKWY2NAn53AWzABsoaPW6t8Y+cg==
=4/Ig
-----END PGP SIGNATURE-----


@ -13,7 +13,7 @@ Index: etc/login.defs
#
# Delay in seconds before being allowed another attempt after a login failure
@@ -32,6 +30,15 @@ CONSOLE /etc/securetty
@@ -47,6 +45,15 @@ CONSOLE /etc/securetty
#CONSOLE console:tty01:tty02:tty03:tty04
#
@ -29,7 +29,7 @@ Index: etc/login.defs
# If defined, all su(1) activity is logged to this file.
#
#SULOG_FILE /var/log/sulog
@@ -79,11 +86,14 @@ ENV_PATH /bin:/usr/bin
@@ -94,11 +101,14 @@ ENV_PATH /bin:/usr/bin
ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin
#ENV_SUPATH /sbin:/bin:/usr/sbin:/usr/bin
@ -46,7 +46,7 @@ Index: etc/login.defs
ALWAYS_SET_PATH no
#
@@ -123,6 +133,11 @@ PASS_WARN_AGE 7
@@ -138,6 +148,11 @@ PASS_WARN_AGE 7
#
# Min/max values for automatic uid selection in useradd(8)
#
@ -58,7 +58,7 @@ Index: etc/login.defs
UID_MIN 1000
UID_MAX 60000
# System accounts
@@ -136,6 +151,11 @@ SUB_UID_COUNT 65536
@@ -151,6 +166,11 @@ SUB_UID_COUNT 65536
#
# Min/max values for automatic gid selection in groupadd(8)
#
@ -70,7 +70,7 @@ Index: etc/login.defs
GID_MIN 1000
GID_MAX 60000
# System accounts
@@ -165,7 +185,6 @@ LOGIN_TIMEOUT 60
@@ -180,7 +200,6 @@ LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
#
@ -78,7 +78,7 @@ Index: etc/login.defs
# If set to "yes", new passwords will be encrypted using the MD5-based
# algorithm compatible with the one used by recent releases of FreeBSD.
# It supports passwords of unlimited length and longer salt strings.
@@ -180,7 +199,6 @@ CHFN_RESTRICT rwh
@@ -195,7 +214,6 @@ CHFN_RESTRICT rwh
#MD5_CRYPT_ENAB no
#
@ -86,14 +86,3 @@ Index: etc/login.defs
# If set to MD5, MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
@@ -208,8 +226,8 @@ CHFN_RESTRICT rwh
# If only one of the MIN or MAX values is set, then this value will be used.
# If MIN > MAX, the highest value will be used.
#
-# SHA_CRYPT_MIN_ROUNDS 5000
-# SHA_CRYPT_MAX_ROUNDS 5000
+#SHA_CRYPT_MIN_ROUNDS 5000
+#SHA_CRYPT_MAX_ROUNDS 5000
#
# Should login be allowed if we can't cd to the home directory?


@ -20,7 +20,7 @@ Index: etc/login.defs
# Enable display of unknown usernames when login(1) failures are recorded.
#
LOG_UNKFAIL_ENAB no
@@ -27,34 +22,6 @@ LOG_UNKFAIL_ENAB no
@@ -27,11 +22,6 @@ LOG_UNKFAIL_ENAB no
LOG_OK_LOGINS no
#
@ -29,6 +29,13 @@ Index: etc/login.defs
-LASTLOG_ENAB yes
-
-#
# Limit the highest user ID number for which the lastlog entries should
# be updated.
#
@@ -41,29 +31,6 @@ LASTLOG_ENAB yes
#LASTLOG_UID_MAX
#
-# Enable checking and display of mailbox status upon login.
-#
-# Disable if the shell startup files already check for mail
@ -55,7 +62,7 @@ Index: etc/login.defs
# Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
#
@@ -82,46 +49,12 @@ MOTD_FILE /etc/motd
@@ -91,46 +58,12 @@ MOTD_FILE /etc/motd
#MOTD_FILE /etc/motd:/usr/lib/news/news-motd
#
@ -102,7 +109,7 @@ Index: etc/login.defs
# If defined, file which inhibits all the usual chatter during the login
# sequence. If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file. If not a full pathname, then
@@ -131,21 +64,6 @@ HUSHLOGIN_FILE .hushlogin
@@ -140,21 +73,6 @@ HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
#
@ -124,7 +131,7 @@ Index: etc/login.defs
# *REQUIRED* The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
@@ -171,17 +89,13 @@ TTYPERM 0600
@@ -180,17 +98,13 @@ TTYPERM 0600
#
# ERASECHAR Terminal ERASE character ('\010' = backspace).
# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
@ -142,7 +149,7 @@ Index: etc/login.defs
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
@@ -197,28 +111,13 @@ UMASK 022
@@ -206,28 +120,13 @@ UMASK 022
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
@ -171,7 +178,7 @@ Index: etc/login.defs
# Min/max values for automatic uid selection in useradd(8)
#
UID_MIN 1000
@@ -255,28 +154,6 @@ LOGIN_RETRIES 5
@@ -264,28 +163,6 @@ LOGIN_RETRIES 5
LOGIN_TIMEOUT 60
#
@ -200,7 +207,7 @@ Index: etc/login.defs
# Which fields may be changed by regular users using chfn(1) - use
# any combination of letters "frwh" (full name, room number, work
# phone, home phone). If not defined, no changes are allowed.
@@ -285,13 +162,6 @@ CHFN_AUTH yes
@@ -294,13 +171,6 @@ CHFN_AUTH yes
CHFN_RESTRICT rwh
#
@ -214,8 +221,8 @@ Index: etc/login.defs
# Only works if compiled with MD5_CRYPT defined:
# If set to "yes", new passwords will be encrypted using the MD5-based
# algorithm compatible with the one used by recent releases of FreeBSD.
@@ -336,29 +206,12 @@ CHFN_RESTRICT rwh
# SHA_CRYPT_MAX_ROUNDS 5000
@@ -361,29 +231,12 @@ CHFN_RESTRICT rwh
#BCRYPT_MAX_ROUNDS 13
#
-# List of groups to add to the user's supplementary group set


@ -1,28 +0,0 @@
From fc0ed79e5d700b4a730235fe88e60951717edc6e Mon Sep 17 00:00:00 2001
From: Stanislav Brabec <sbrabec@suse.cz>
Date: Fri, 26 Jul 2019 21:39:42 +0200
Subject: [PATCH] usermod.c: Fix invalid variable name
Fix invalid LASTLOG_MAX_UID variable name to correct LASTLOG_UID_MAX.
Signed-off-by: Stanislav Brabec <sbrabec@suse.cz>
---
src/usermod.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/usermod.c b/src/usermod.c
index c3718864..0ae50e34 100644
--- a/src/usermod.c
+++ b/src/usermod.c
@@ -1879,7 +1879,7 @@ static void update_lastlog (void)
return;
}
- max_uid = (uid_t) getdef_ulong ("LASTLOG_MAX_UID", 0xFFFFFFFFUL);
+ max_uid = (uid_t) getdef_ulong ("LASTLOG_UID_MAX", 0xFFFFFFFFUL);
if (user_newid > max_uid) {
/* do not touch lastlog for large uids */
return;
--
2.22.0


@ -16,7 +16,7 @@ Index: etc/login.defs
#
# $Id$
#
@@ -17,15 +19,8 @@ FAIL_DELAY 3
@@ -17,9 +19,8 @@ FAIL_DELAY 3
LOG_UNKFAIL_ENAB no
#
@ -24,16 +24,10 @@ Index: etc/login.defs
+# Enable "syslog" logging of newgrp(1) and sg(1) activity.
#
-LOG_OK_LOGINS no
-
-#
-# Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
-# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
-#
-SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
#
@@ -63,12 +58,33 @@ MOTD_FILE /etc/motd
# Limit the highest user ID number for which the lastlog entries should
@@ -72,12 +73,33 @@ MOTD_FILE /etc/motd
HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
@ -69,7 +63,7 @@ Index: etc/login.defs
#
# Terminal permissions
@@ -84,19 +100,6 @@ ENV_PATH PATH=/bin:/usr/bin
@@ -93,19 +115,6 @@ ENV_PATH PATH=/bin:/usr/bin
TTYGROUP tty
TTYPERM 0600
@ -93,7 +87,7 @@ Index: lib/getdef.c
===================================================================
--- lib/getdef.c.orig
+++ lib/getdef.c
@@ -77,6 +77,7 @@ struct itemdef {
@@ -80,6 +80,7 @@ struct itemdef {
#define NUMDEFS (sizeof(def_table)/sizeof(def_table[0]))
static struct itemdef def_table[] = {
@ -101,7 +95,7 @@ Index: lib/getdef.c
{"CHARACTER_CLASS", NULL},
{"CHFN_RESTRICT", NULL},
{"CONSOLE_GROUPS", NULL},
@@ -85,6 +86,7 @@ static struct itemdef def_table[] = {
@@ -88,6 +89,7 @@ static struct itemdef def_table[] = {
{"DEFAULT_HOME", NULL},
{"ENCRYPT_METHOD", NULL},
{"ENV_PATH", NULL},
@ -109,7 +103,7 @@ Index: lib/getdef.c
{"ENV_SUPATH", NULL},
{"ERASECHAR", NULL},
{"FAIL_DELAY", NULL},
@@ -95,6 +97,7 @@ static struct itemdef def_table[] = {
@@ -98,6 +100,7 @@ static struct itemdef def_table[] = {
{"KILLCHAR", NULL},
{"LASTLOG_UID_MAX", NULL},
{"LOGIN_RETRIES", NULL},


@ -1,3 +1,47 @@
-------------------------------------------------------------------
Mon Jan 20 10:36:20 UTC 2020 - Michael Vetter <mvetter@suse.com>
- Set 0755 for chpasswd, groupadd, groupdel, groupmod, newusers,
useradd, userdel, usermod explicitly.
-------------------------------------------------------------------
Thu Jan 16 12:54:39 UTC 2020 - Michael Vetter <mvetter@suse.com>
- bsc#1160729: Make valid shell check only a warning
* Add shadow-4.8-shell-check.patch
-------------------------------------------------------------------
Tue Dec 17 12:43:01 UTC 2019 - Michael Vetter <mvetter@suse.com>
- Update to 4.8:
* Initial optional bcrypt support.
* Make build/install of 'su' optional.
* Fix for vipw not resuming correctly when suspended
* Sync password field descriptions in manpages
* Check for valid shell argument in useradd
* Allow translation of new strings through POTFILES.in
* Migrate to itstool for translations
* Migrate to new SELinux api
* Support --enable-vendordir
* pwck: Only check homedir if set and not a system user
* Support nonstandard usernames
* sget{pw,gr}ent: check for data at EOL
* Add YYY-MM-DD support in chage
* Fix failing chmod calls for suidubins
* Fix --sbindir and --bindir for binary installations
* Fix LASTLOG_UID_MAX in login.defs
* Fix configure error with dash
- Remove because upstreamed:
* libeconf.patch
* shadow-usermod-variable.patch
- Rebase:
* shadow-login_defs-unused-by-pam.patch
* chkname-regex.patch
* shadow-util-linux.patch
* shadow-login_defs-comments.patch
- Add shadow-4.8-selinux-include.patch
See https://github.com/shadow-maint/shadow/pull/200
-------------------------------------------------------------------
Mon Oct 7 09:50:30 CEST 2019 - kukuk@suse.de


@ -1,7 +1,7 @@
#
# spec file for package shadow
#
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -12,7 +12,7 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
@ -23,7 +23,7 @@
%endif
Name: shadow
Version: 4.7
Version: 4.8
Release: 0
Summary: Utilities to Manage User and Group Accounts
License: BSD-3-Clause AND GPL-2.0-or-later
@ -61,12 +61,12 @@ Patch7: shadow-4.1.5.1-logmsg.patch
Patch13: shadow-login_defs-comments.patch
# PATCH-FEATURE-SUSE shadow-login_defs-suse.patch kukuk@suse.com -- Customize login.defs.
Patch14: shadow-login_defs-suse.patch
# PATCH-FIX-UPSTREAM shadow-4.8-selinux-include.patch mvetter@suse.com -- https://github.com/shadow-maint/shadow/pull/200
Patch15: shadow-4.8-selinux-include.patch
# PATCH-FEATURE mvetter@suse.com -- bsc#1160729 https://github.com/shadow-maint/shadow/pull/210
Patch16: shadow-4.8-shell-check.patch
# PATCH-FIX-SUSE disable_new_audit_function.patch adam.majer@suse.de -- Disable newer libaudit functionality for older distributions.
Patch20: disable_new_audit_function.patch
# PATCH-FIX-UPSTREAM shadow-usermod-variable.patch https://github.com/shadow-maint/shadow/pull/170 sbrabec@suse.com -- Fix variable name.
Patch21: shadow-usermod-variable.patch
# PATCH-FEATURE-UPSTREAM libeconf.patch https://github.com/shadow-maint/shadow/pull/180 kukuk@suse.com -- Add support for a vendor directory and libeconf
Patch22: libeconf.patch
BuildRequires: audit-devel > 2.3
BuildRequires: autoconf
BuildRequires: automake
@ -110,11 +110,11 @@ group accounts.
%patch7
%patch13
%patch14
%patch15 -p1
%patch16 -p1
%if 0%{?suse_version} < 1330
%patch20 -p1
%endif
%patch21 -p1
%patch22 -p1
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
mv -v doc/HOWTO.utf8 doc/HOWTO
@ -312,18 +312,18 @@ done
%verify(not mode) %attr(4755,root,shadow) %{_bindir}/newuidmap
%{_bindir}/lastlog
%{_bindir}/sg
%{_sbindir}/groupadd
%{_sbindir}/groupdel
%{_sbindir}/groupmod
%attr(0755,root,root) %{_sbindir}/groupadd
%attr(0755,root,root) %{_sbindir}/groupdel
%attr(0755,root,root) %{_sbindir}/groupmod
%{_sbindir}/grpck
%{_sbindir}/pwck
%{_sbindir}/useradd
%{_sbindir}/userdel
%{_sbindir}/usermod
%attr(0755,root,root) %{_sbindir}/useradd
%attr(0755,root,root) %{_sbindir}/userdel
%attr(0755,root,root) %{_sbindir}/usermod
%{_sbindir}/pwconv
%{_sbindir}/pwunconv
%{_sbindir}/chpasswd
%{_sbindir}/newusers
%attr(0755,root,root) %{_sbindir}/chpasswd
%attr(0755,root,root) %{_sbindir}/newusers
%{_sbindir}/vipw
%{_sbindir}/vigr
%verify(not md5 size mtime) %config(noreplace) %{_sbindir}/useradd.local
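Review bot: The new `%attr(0755,root,root)` entries for groupadd, groupdel, groupmod, useradd, userdel, usermod, chpasswd and newusers carry no comment saying why the mode is forced, and the changelog only says it is set "explicitly". If the intent is to keep these account tools from being packaged with a setuid bit after the 4.8 update (the upstream notes mention chmod calls for `suidubins`), state that above the block, for example `# account tools must not be setuid: force 0755 whatever make install sets`. Without that, a later spec cleanup could drop the attributes as redundant and silently change the installed permissions.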