From 7313beaf685bd5a9e4247772340ee069204f0f3026c477e82d0b20e43817e777 Mon Sep 17 00:00:00 2001 From: Michael Vetter Date: Fri, 19 Jul 2019 10:00:36 +0000 Subject: [PATCH 1/5] Accepting request 716648 from home:sbrabec:branches:Base:System Structured comment typo fix that should be part of Tue Apr 30 22:27:14 CEST 2019 change. If you want changes entry for that, feel free to reject. OBS-URL: https://build.opensuse.org/request/show/716648 OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=70 --- shadow.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shadow.spec b/shadow.spec index a1a1fcd..dd5b262 100644 --- a/shadow.spec +++ b/shadow.spec @@ -49,7 +49,7 @@ Patch4: useradd-default.patch Patch5: shadow-util-linux.patch # PATCH-FEATURE-FEDORA shadow-4.1.5.1-userdel-helpfix.patch christian.brauner@mailbox.org -- Give a hint about what happens when you force the removal of a user. Patch6: shadow-4.1.5.1-userdel-helpfix.patch -# PATCH-FIX-FEDORA shadow-4.1.5.1-userdel-helpfix.patch kukuk@suse.com -- Fix error message. +# PATCH-FIX-FEDORA shadow-4.1.5.1-logmsg.patch kukuk@suse.com -- Fix error message. Patch7: shadow-4.1.5.1-logmsg.patch # PATCH-FEATURE-SUSE encryption_method_nis.patch kukuk@suse.com -- Add support for ENCRYPT_METHOD_NIS used by SUSE patch in pam (pam_unix). Patch10: encryption_method_nis.patch From f88d9bfee4adcd4a5f3ca766ed3c481ee60ac945498cbab1b29eb238ef007b70 Mon Sep 17 00:00:00 2001 From: Michael Vetter Date: Fri, 19 Jul 2019 10:20:29 +0000 Subject: [PATCH 2/5] - Fix comment about patch in spec file OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=71 --- shadow.changes | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/shadow.changes b/shadow.changes index 2b6a588..6c0aafa 100644 --- a/shadow.changes +++ b/shadow.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Jul 19 10:19:44 UTC 2019 - sbrabec@suse.com + +- Fix comment about patch in spec file + ------------------------------------------------------------------- Fri Jun 14 06:20:46 UTC 2019 - mvetter@suse.com From 7e24d2adf75729beb88f564e7ec0ba663b08b79a1d6d3253bd31f831f4b7ec8f Mon Sep 17 00:00:00 2001 From: Michael Vetter Date: Thu, 25 Jul 2019 08:37:25 +0000 Subject: [PATCH 3/5] Accepting request 718317 from home:sbrabec:branches:Base:System - shadow-login_defs-suse.patch: Set ALWAYS_SET_PATH default to "yes" (bsc#353876#c7). And fix patch name in older changes entry: * shadow-util-linux.patch OBS-URL: https://build.opensuse.org/request/show/718317 OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=72 --- shadow-login_defs-suse.patch | 9 +++++++++ shadow.changes | 8 +++++++- shadow.spec | 2 +- 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/shadow-login_defs-suse.patch b/shadow-login_defs-suse.patch index 8893bc0..646a317 100644 --- a/shadow-login_defs-suse.patch +++ b/shadow-login_defs-suse.patch @@ -48,6 +48,15 @@ Index: etc/login.defs # If this variable is set to "yes" (default is "no"), su will always set # path. every su call will overwrite the PATH variable. +@@ -85,7 +87,7 @@ ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/b + # The recommended value is "yes". The default "no" behavior could have + # a security implication in applications that use commands without path. + # +-ALWAYS_SET_PATH no ++ALWAYS_SET_PATH yes + + # + # Terminal permissions @@ -99,7 +101,7 @@ ALWAYS_SET_PATH no # set TTYPERM to either 622 or 600. # diff --git a/shadow.changes b/shadow.changes index 6c0aafa..5d01ca2 100644 --- a/shadow.changes +++ b/shadow.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Sat Jul 20 02:11:10 CEST 2019 - sbrabec@suse.com + +- shadow-login_defs-suse.patch: Set ALWAYS_SET_PATH default to + "yes" (bsc#353876#c7). + ------------------------------------------------------------------- Fri Jul 19 10:19:44 UTC 2019 - sbrabec@suse.com @@ -64,7 +70,7 @@ Tue Apr 30 22:27:14 CEST 2019 - sbrabec@suse.com (bsc#1121197): * shadow-login_defs-unused-by-pam.patch * shadow-login_defs-comments.patch - * shadow-login_defs-util-linux.patch + * shadow-util-linux.patch * shadow-login_defs-suse.patch * Move appropriate hunks to chkname-regex.patch and encryption_method_nis.patch diff --git a/shadow.spec b/shadow.spec index dd5b262..ae95d55 100644 --- a/shadow.spec +++ b/shadow.spec @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # From 934d6edc81e39fffb0b3e6c7d82428b9d5f750df4c1c0581c2d52ba55a0f66ea Mon Sep 17 00:00:00 2001 From: Michael Vetter Date: Fri, 26 Jul 2019 08:31:05 +0000 Subject: [PATCH 4/5] Accepting request 718763 from home:kukuk:container - Provide "useradd_or_adduser_dep" for sysuser-shadow OBS-URL: https://build.opensuse.org/request/show/718763 OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=73 --- shadow.changes | 5 +++++ shadow.spec | 1 + 2 files changed, 6 insertions(+) diff --git a/shadow.changes b/shadow.changes index 5d01ca2..e87c725 100644 --- a/shadow.changes +++ b/shadow.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Thu Jul 25 15:27:15 CEST 2019 - kukuk@suse.de + +- Provide "useradd_or_adduser_dep" for sysuser-shadow + ------------------------------------------------------------------- Sat Jul 20 02:11:10 CEST 2019 - sbrabec@suse.com diff --git a/shadow.spec b/shadow.spec index ae95d55..42d4799 100644 --- a/shadow.spec +++ b/shadow.spec @@ -82,6 +82,7 @@ Obsoletes: pwdutils <= 3.2.19 # Call shadow-login_defs-check.sh before! Provides: login_defs-support-for-pam = 1.3.1 Provides: login_defs-support-for-util-linux = 2.33.1 +Provides: useradd_or_adduser_dep %description This package includes the necessary programs for converting plain From 1b97de0f5fd59759fae043bd899fb1d2ecd28e44c88cedd0781e3722a7ec7d2e Mon Sep 17 00:00:00 2001 From: Michael Vetter Date: Mon, 29 Jul 2019 05:36:59 +0000 Subject: [PATCH 5/5] Accepting request 719010 from home:sbrabec:branches:util-linux-2.34 - Fix incorrect variable name in usermod (shadow-usermod-variable.patch). - shadow-login_defs-comments.patch: * Drop SHA_CRYPT_*_ROUNDS that are in the upstream login.defs. * Add missing LASTLOG_UID_MAX. * Refresh shadow-login_defs-suse.patch. - Port shadow-login_defs-check.sh to match the current spec file and login.defs. OBS-URL: https://build.opensuse.org/request/show/719010 OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=74 --- shadow-login_defs-check.sh | 8 +++--- shadow-login_defs-comments.patch | 48 ++++++++++++++++++++------------ shadow-login_defs-suse.patch | 26 ++++++++--------- shadow-usermod-variable.patch | 28 +++++++++++++++++++ shadow.changes | 12 ++++++++ shadow.spec | 3 ++ 6 files changed, 90 insertions(+), 35 deletions(-) create mode 100644 shadow-usermod-variable.patch diff --git a/shadow-login_defs-check.sh b/shadow-login_defs-check.sh index 2b4fa26..21b74c1 100644 --- a/shadow-login_defs-check.sh +++ b/shadow-login_defs-check.sh @@ -69,9 +69,9 @@ if ! test -f shadow-login_defs-check-build/stamp ; then patch <../../shadow-login_defs-check-login_defs.lst +sed -n "s/^#//;s/\([A-Z0-9_]*\)\([[:space:]].*\|\)$/\1/p" ../../shadow-login_defs-check-login_defs.lst LC_ALL=C sort -u ../../shadow-login_defs-check-login_defs.lst >../../shadow-login_defs-check-login_defs-sorted.lst echo "Extracting variables from lib/getdef.c..." diff --git a/shadow-login_defs-comments.patch b/shadow-login_defs-comments.patch index 87ffead..31c190e 100644 --- a/shadow-login_defs-comments.patch +++ b/shadow-login_defs-comments.patch @@ -13,7 +13,23 @@ Index: etc/login.defs # # Delay in seconds before being allowed another attempt after a login failure -@@ -79,11 +77,14 @@ ENV_PATH /bin:/usr/bin +@@ -32,6 +30,15 @@ CONSOLE /etc/securetty + #CONSOLE console:tty01:tty02:tty03:tty04 + + # ++# Limit the highest user ID number for which the lastlog entries should ++# be updated. ++# ++# No LASTLOG_UID_MAX means that there is no user ID limit for writing ++# lastlog entries. ++# ++#LASTLOG_UID_MAX ++ ++# + # If defined, all su(1) activity is logged to this file. + # + #SULOG_FILE /var/log/sulog +@@ -79,11 +86,14 @@ ENV_PATH /bin:/usr/bin ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin #ENV_SUPATH /sbin:/bin:/usr/sbin:/usr/bin @@ -30,7 +46,7 @@ Index: etc/login.defs ALWAYS_SET_PATH no # -@@ -123,6 +124,11 @@ PASS_WARN_AGE 7 +@@ -123,6 +133,11 @@ PASS_WARN_AGE 7 # # Min/max values for automatic uid selection in useradd(8) # @@ -42,7 +58,7 @@ Index: etc/login.defs UID_MIN 1000 UID_MAX 60000 # System accounts -@@ -136,6 +142,11 @@ SUB_UID_COUNT 65536 +@@ -136,6 +151,11 @@ SUB_UID_COUNT 65536 # # Min/max values for automatic gid selection in groupadd(8) # @@ -54,7 +70,7 @@ Index: etc/login.defs GID_MIN 1000 GID_MAX 60000 # System accounts -@@ -165,7 +176,6 @@ LOGIN_TIMEOUT 60 +@@ -165,7 +185,6 @@ LOGIN_TIMEOUT 60 CHFN_RESTRICT rwh # @@ -62,7 +78,7 @@ Index: etc/login.defs # If set to "yes", new passwords will be encrypted using the MD5-based # algorithm compatible with the one used by recent releases of FreeBSD. # It supports passwords of unlimited length and longer salt strings. -@@ -180,7 +190,6 @@ CHFN_RESTRICT rwh +@@ -180,7 +199,6 @@ CHFN_RESTRICT rwh #MD5_CRYPT_ENAB no # @@ -70,18 +86,14 @@ Index: etc/login.defs # If set to MD5, MD5-based algorithm will be used for encrypting password # If set to SHA256, SHA256-based algorithm will be used for encrypting password # If set to SHA512, SHA512-based algorithm will be used for encrypting password -@@ -196,6 +205,14 @@ CHFN_RESTRICT rwh - #ENCRYPT_METHOD_NIS DES +@@ -208,8 +226,8 @@ CHFN_RESTRICT rwh + # If only one of the MIN or MAX values is set, then this value will be used. + # If MIN > MAX, the highest value will be used. + # +-# SHA_CRYPT_MIN_ROUNDS 5000 +-# SHA_CRYPT_MAX_ROUNDS 5000 ++#SHA_CRYPT_MIN_ROUNDS 5000 ++#SHA_CRYPT_MAX_ROUNDS 5000 # -+# Number of rounds for salt. -+# Default values: -+# Minimum number of rounds. -+#SHA_CRYPT_MIN_ROUNDS 1000 -+# Maximum number of rounds. -+#SHA_CRYPT_MAX_ROUNDS 999999999 -+ -+# - # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. - # - # Define the number of SHA rounds. + # Should login be allowed if we can't cd to the home directory? diff --git a/shadow-login_defs-suse.patch b/shadow-login_defs-suse.patch index 646a317..961c3a5 100644 --- a/shadow-login_defs-suse.patch +++ b/shadow-login_defs-suse.patch @@ -14,7 +14,7 @@ Index: etc/login.defs # # Delay in seconds before being allowed another attempt after a login failure -@@ -38,8 +41,7 @@ CONSOLE /etc/securetty +@@ -47,8 +50,7 @@ CONSOLE /etc/securetty # If defined, ":" delimited list of "message of the day" files to # be displayed upon login. # @@ -24,7 +24,7 @@ Index: etc/login.defs # # If defined, file which maps tty line to TERM environment parameter. -@@ -53,8 +55,8 @@ MOTD_FILE /etc/motd +@@ -62,8 +64,8 @@ MOTD_FILE /etc/motd # user's name or shell are found in the file. If not a full pathname, then # hushed mode will be enabled if the file exists in the user's home directory. # @@ -35,7 +35,7 @@ Index: etc/login.defs # If this variable is set to "yes", hostname will be suppressed in the # login: prompt. -@@ -73,9 +75,9 @@ HUSHLOGIN_FILE .hushlogin +@@ -82,9 +84,9 @@ HUSHLOGIN_FILE .hushlogin # ENV_SUPATH is an ENV_ROOTPATH override for su and runuser # (and falback for login). # @@ -48,7 +48,7 @@ Index: etc/login.defs # If this variable is set to "yes" (default is "no"), su will always set # path. every su call will overwrite the PATH variable. -@@ -85,7 +87,7 @@ ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/b +@@ -94,7 +96,7 @@ ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/b # The recommended value is "yes". The default "no" behavior could have # a security implication in applications that use commands without path. # @@ -57,7 +57,7 @@ Index: etc/login.defs # # Terminal permissions -@@ -99,7 +101,7 @@ ALWAYS_SET_PATH no +@@ -108,7 +110,7 @@ ALWAYS_SET_PATH no # set TTYPERM to either 622 or 600. # TTYGROUP tty @@ -66,7 +66,7 @@ Index: etc/login.defs # Default initial "umask" value used by login(1) on non-PAM enabled systems. # Default "umask" value for pam_umask(8) on PAM enabled systems. -@@ -132,8 +134,8 @@ PASS_WARN_AGE 7 +@@ -141,8 +143,8 @@ PASS_WARN_AGE 7 UID_MIN 1000 UID_MAX 60000 # System accounts @@ -77,7 +77,7 @@ Index: etc/login.defs # Extra per user uids SUB_UID_MIN 100000 SUB_UID_MAX 600100000 -@@ -150,8 +152,8 @@ SUB_UID_COUNT 65536 +@@ -159,8 +161,8 @@ SUB_UID_COUNT 65536 GID_MIN 1000 GID_MAX 60000 # System accounts @@ -88,7 +88,7 @@ Index: etc/login.defs # Extra per user group ids SUB_GID_MIN 100000 SUB_GID_MAX 600100000 -@@ -160,7 +162,7 @@ SUB_GID_COUNT 65536 +@@ -169,7 +171,7 @@ SUB_GID_COUNT 65536 # # Max number of login(1) retries if password is bad # @@ -97,7 +97,7 @@ Index: etc/login.defs # # Max time in seconds for login(1) -@@ -176,18 +178,9 @@ LOGIN_TIMEOUT 60 +@@ -185,18 +187,9 @@ LOGIN_TIMEOUT 60 CHFN_RESTRICT rwh # @@ -118,7 +118,7 @@ Index: etc/login.defs # # If set to MD5, MD5-based algorithm will be used for encrypting password -@@ -201,8 +194,8 @@ CHFN_RESTRICT rwh +@@ -210,8 +203,8 @@ CHFN_RESTRICT rwh # Note: If you use PAM, it is recommended to use a value consistent with # the PAM modules configuration. # @@ -128,8 +128,8 @@ Index: etc/login.defs +ENCRYPT_METHOD_NIS DES # - # Number of rounds for salt. -@@ -271,7 +264,7 @@ USERDEL_POSTCMD /usr/sbin/userde + # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. +@@ -272,7 +265,7 @@ USERDEL_POSTCMD /usr/sbin/userde # # This also enables userdel(8) to remove user groups if no members exist. # @@ -138,7 +138,7 @@ Index: etc/login.defs # # If set to a non-zero number, the shadow utilities will make sure that -@@ -290,13 +283,13 @@ USERGROUPS_ENAB yes +@@ -291,13 +284,13 @@ USERGROUPS_ENAB yes # This option is overridden with the -M or -m flags on the useradd(8) # command-line. # diff --git a/shadow-usermod-variable.patch b/shadow-usermod-variable.patch new file mode 100644 index 0000000..2ccf3a9 --- /dev/null +++ b/shadow-usermod-variable.patch @@ -0,0 +1,28 @@ +From fc0ed79e5d700b4a730235fe88e60951717edc6e Mon Sep 17 00:00:00 2001 +From: Stanislav Brabec +Date: Fri, 26 Jul 2019 21:39:42 +0200 +Subject: [PATCH] usermod.c: Fix invalid variable name + +Fix invalid LASTLOG_MAX_UID variable name to correct LASTLOG_UID_MAX. + +Signed-off-by: Stanislav Brabec +--- + src/usermod.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/usermod.c b/src/usermod.c +index c3718864..0ae50e34 100644 +--- a/src/usermod.c ++++ b/src/usermod.c +@@ -1879,7 +1879,7 @@ static void update_lastlog (void) + return; + } + +- max_uid = (uid_t) getdef_ulong ("LASTLOG_MAX_UID", 0xFFFFFFFFUL); ++ max_uid = (uid_t) getdef_ulong ("LASTLOG_UID_MAX", 0xFFFFFFFFUL); + if (user_newid > max_uid) { + /* do not touch lastlog for large uids */ + return; +-- +2.22.0 + diff --git a/shadow.changes b/shadow.changes index e87c725..67f8157 100644 --- a/shadow.changes +++ b/shadow.changes @@ -1,3 +1,15 @@ +------------------------------------------------------------------- +Fri Jul 26 23:44:56 CEST 2019 - sbrabec@suse.com + +- Fix incorrect variable name in usermod + (shadow-usermod-variable.patch). +- shadow-login_defs-comments.patch: + * Drop SHA_CRYPT_*_ROUNDS that are in the upstream login.defs. + * Add missing LASTLOG_UID_MAX. + * Refresh shadow-login_defs-suse.patch. +- Port shadow-login_defs-check.sh to match the current spec file + and login.defs. + ------------------------------------------------------------------- Thu Jul 25 15:27:15 CEST 2019 - kukuk@suse.de diff --git a/shadow.spec b/shadow.spec index 42d4799..f3ca36e 100644 --- a/shadow.spec +++ b/shadow.spec @@ -59,6 +59,8 @@ Patch13: shadow-login_defs-comments.patch Patch14: shadow-login_defs-suse.patch # PATCH-FIX-SUSE disable_new_audit_function.patch adam.majer@suse.de -- Disable newer libaudit functionality for older distributions. Patch20: disable_new_audit_function.patch +# PATCH-FIX-UPSTREAM shadow-usermod-variable.patch https://github.com/shadow-maint/shadow/pull/170 sbrabec@suse.com -- Fix variable name. +Patch21: shadow-usermod-variable.patch BuildRequires: audit-devel > 2.3 BuildRequires: autoconf BuildRequires: automake @@ -105,6 +107,7 @@ group accounts. %if 0%{?suse_version} < 1330 %patch20 -p1 %endif +%patch21 -p1 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 mv -v doc/HOWTO.utf8 doc/HOWTO