From 2204667d89630be04163872adf80bd98e013f1bda582a37de47502d2823a89c2 Mon Sep 17 00:00:00 2001 From: Michael Vetter Date: Wed, 17 Nov 2021 16:18:12 +0000 Subject: [PATCH] Accepting request 931937 from home:sbrabec:branches:Base:System - shadow-util-linux.patch: * Remove the section patching lib/getdef.c in favor of the upstream FOREIGNDEFS. * Add LOGIN_KEEP_USERNAME to login.defs. * Remove PREVENT_NO_AUTH from login.defs. Only used by the unpackaged login and su. - shadow-login_defs-unused-by-pam.patch: * Remove variables BCRYPT_MIN_ROUNDS, BCRYPT_MAX_ROUNDS, YESCRYPT_COST_FACTOR, not supported by the current configuratiton. - Update login_defs-support-for-pam symbol to version 1.5.2 (support for new variable HMAC_CRYPTO_ALGO). - Update login_defs-support-for-util-linux to version 2.37 (support for new variable LOGIN_KEEP_USERNAME). - Refresh shadow-login_defs-comments.patch and shadow-login_defs-suse.patch. - Improve shadow-login_defs-check.sh: * Add helper to import local new version in the parent dir. * Fix spec editing sed expression. * Add PREVENT_NO_AUTH to known unused variables. * Update pam sed expression to find HMAC_CRYPTO_ALGO. * Add more sanity checks. OBS-URL: https://build.opensuse.org/request/show/931937 OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=114 --- shadow-login_defs-check.sh | 52 ++++++++++++++++++---- shadow-login_defs-comments.patch | 36 +-------------- shadow-login_defs-suse.patch | 13 +++--- shadow-login_defs-unused-by-pam.patch | 37 ++++++++++++++-- shadow-util-linux.patch | 63 ++++++++++++--------------- shadow.changes | 26 +++++++++++ shadow.spec | 4 +- 7 files changed, 142 insertions(+), 89 deletions(-) diff --git a/shadow-login_defs-check.sh b/shadow-login_defs-check.sh index 958ed00..2e0377f 100644 --- a/shadow-login_defs-check.sh +++ b/shadow-login_defs-check.sh 
@@ -20,7 +20,18 @@ which osc >/dev/null # Extract list of referenced variables. if ! test -f openSUSE:Factory/util-linux/BUILD/*/configure.ac ; then echo "Checking out util-linux..." - osc co openSUSE:Factory util-linux + if test -d ../util-linux ; then + echo -n "../util-linux found. Are you preparing new version? (y/N) " + read + if test "${REPLY:0:1}" = "y" ; then + mkdir -p openSUSE:Factory + cp -a ../util-linux openSUSE:Factory/ + else + osc co openSUSE:Factory util-linux + fi + else + osc co openSUSE:Factory util-linux + fi cd openSUSE:Factory/util-linux quilt setup -d BUILD util-linux.spec cd BUILD/* @@ -43,7 +54,18 @@ cd ../../../.. # Extract list of referenced variables. if ! test -f openSUSE:Factory/pam/BUILD/*/configure.ac ; then echo "Checking out pam..." - osc co openSUSE:Factory pam + if test -d ../pam ; then + echo -n "../pam found. Are you preparing new version? (y/N) " + read + if test "${REPLY:0:1}" = "y" ; then + mkdir -p openSUSE:Factory + cp -a ../pam openSUSE:Factory/ + else + osc co openSUSE:Factory pam + fi + else + osc co openSUSE:Factory pam + fi cd openSUSE:Factory/pam quilt setup -d BUILD pam.spec cd BUILD/* @@ -54,7 +76,7 @@ fi echo "Extracting variables from pam..." cd openSUSE:Factory/pam/BUILD/* grep -rh LOGIN_DEFS . | - sed -n 's/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' | + sed -n 's/CRYPTO_KEY/\"HMAC_CRYPTO_ALGO\"/g;s/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' | LC_ALL=C sort -u >../../../../shadow-login_defs-check-pam.lst cd ../../../.. 
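Review bot: The import prompt added in this hunk is repeated line for line in the pam hunk at `@@ -43,7 +54,18 @@`, and each copy spells `osc co` twice, so a later fix to one branch can easily miss the other three. Both copies use a bare `read`, which interprets backslashes and returns non-zero on EOF. If the script runs under `set -e` (the old `osc build "$@" || :` suggests it may), a non-interactive run would abort at the prompt instead of falling back to `osc co`. I would fold the logic into one helper, called as `fetch_pkg util-linux` and `fetch_pkg pam`, and have it echo which source was used, because an imported `../PKG` tree replaces the Factory checkout as the reference for the generated variable list. The enclosing `if ! test -f …/configure.ac` block continues past the hunk.

```shell
# Fetch PKG from openSUSE:Factory, or import a local ../PKG working copy on request.
fetch_pkg() {
	local pkg=$1 reply=
	if test -d "../$pkg" ; then
		printf '%s' "../$pkg found. Are you preparing new version? (y/N) "
		# EOF or a closed stdin counts as "no" instead of aborting the run.
		read -r reply || reply=
	fi
	case "$reply" in
		y* )
			echo "Importing local ../$pkg instead of the Factory checkout."
			mkdir -p openSUSE:Factory
			cp -a "../$pkg" openSUSE:Factory/
			;;
		* )
			osc co openSUSE:Factory "$pkg"
			;;
	esac
}

# … unchanged: echo "Checking out util-linux..." …
fetch_pkg util-linux
# … unchanged: cd openSUSE:Factory/util-linux, quilt setup …
```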
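Review bot: The added `s/CRYPTO_KEY/\"HMAC_CRYPTO_ALGO\"/g` in the `@@ -54,7 +76,7 @@` hunk rewrites that substring anywhere on a line, including inside a longer identifier, and hard-codes what is presumably the value of a pam macro. If upstream renames the macro or changes its value, the extraction would silently drop or mislabel the variable, and the generated `shadow-login_defs-check-pam.lst` would no longer reflect what pam actually reads. I would anchor the match, `s/\bCRYPTO_KEY\b/"HMAC_CRYPTO_ALGO"/g` (GNU sed), and add a comment such as `# pam_timestamp passes the macro CRYPTO_KEY to search_key(); expand it by hand and re-check on every pam update`. A check after the pipeline that the list still contains `HMAC_CRYPTO_ALGO` would turn such drift into a visible failure.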
@@ -66,12 +88,24 @@ if ! test -f shadow-login_defs-check-build/stamp ; then # In case of shadow, variables extraction is more complicated. The list # depends on configure options, so we have to perform a fake build and # extract variables from prepreocessed sources. - sed -i '/^%make_build/i\_smp_mpflags="%{?_smp_mpflags} -k CPPFLAGS=\\"-E\\""' shadow.spec +# sed -i '/^%make_build/i\_smp_mpflags="%{?_smp_mpflags} -k CPPFLAGS=\\"-E\\""' shadow.spec + sed -i 's/^%make_build/%make_build -k CPPFLAGS=\\"-E\\"/' shadow.spec + if cmp -s shadow.spec shadow.spec.shadow-login_defs-check-save ; then + echo "$0: Please fix sed expression modifying shadow.spec." + mv shadow.spec.shadow-login_defs-check-save shadow.spec + exit 1 + fi fi - osc build "$@" || : - echo "This build command was expected to fail." - echo "" + if osc build "$@" ; then + echo "This build command was expected to fail, but it succeeded." + echo "$0: Please fix sed expression modifying shadow.spec." + mv shadow.spec.shadow-login_defs-check-save shadow.spec + exit 1 + else + echo "This build command was expected to fail." + echo "" + fi mv shadow.spec.shadow-login_defs-check-save shadow.spec BUILD_ROOT=$(osc lbl | sed -n 's/^.*Using BUILD_ROOT=//p') @@ -167,6 +201,8 @@ function falsematch() { FTMP_FILE ) return 0 ;; # ISSUE_FILE used by library call login_prompt() used only by login.c that is deleted in the spec. ISSUE_FILE ) return 0 ;; +# PREVENT_NO_AUTH us used only by login.c and su.c that are deleted in the spec. + PREVENT_NO_AUTH ) return 0 ;; * ) return 1 ;; esac } 
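Review bot: shadow.spec is restored by three separate `mv shadow.spec.shadow-login_defs-check-save shadow.spec` calls in the `@@ -66,12 +88,24 @@` hunk. An interrupt during `osc build`, or any failure between the `sed -i` and the final `mv`, therefore leaves the spec patched for the preprocess-only fake build in the working copy, where it can be committed by mistake. A single `trap 'test -f shadow.spec.shadow-login_defs-check-save && mv shadow.spec.shadow-login_defs-check-save shadow.spec' EXIT`, installed right after the save file is created (that line is outside the hunk), would cover every exit path and let the two error branches simply `exit 1`. The superseded `sed -i '/^%make_build/i…'` line is also kept as a comment; I would delete it, since the history already records it.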
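Review bot: The comment on the new `PREVENT_NO_AUTH` arm in the `@@ -167,6 +201,8 @@` hunk has a typo (`us used`) and gives no hint that this variable is security-relevant. The login.defs text removed elsewhere in this commit describes it as preventing an empty password field from being interpreted as "no authentication required", and listing it here hides it from the checker from now on. I would word the comment as `# PREVENT_NO_AUTH is used only by login.c and su.c, which are deleted in the spec; revisit if either is packaged again, as it guards empty-password accounts.` The body of `falsematch()` starts and ends outside the hunk.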
@@ -242,7 +278,7 @@ echo "Change in shadow.spec:" sed -n 's/^Version:[[:space:]]*/Provides: login_defs-support-for-util-linux = /p' = /p' MAX, the highest value will be used. +-# +-#BCRYPT_MIN_ROUNDS 13 +-#BCRYPT_MAX_ROUNDS 13 +- +-# +-# Only works if ENCRYPT_METHOD is set to YESCRYPT. +-# +-# Define the YESCRYPT cost factor. +-# With a higher cost factor, it is more difficult to brute-force the password. +-# However, more CPU time and more memory will be needed to authenticate users +-# if this value is increased. +-# +-# If not specified, a cost factor of 5 will be used. +-# The value must be within the 1-11 range. +-# +-#YESCRYPT_COST_FACTOR 5 +- +-# -# List of groups to add to the user's supplementary group set -# when logging in from the console (as determined by the CONSOLE -# setting). Default is none. @@ -239,7 +270,7 @@ Index: etc/login.defs # Should login be allowed if we can't cd to the home directory? # Default is no. # -@@ -407,12 +266,6 @@ DEFAULT_HOME yes +@@ -407,12 +238,6 @@ DEFAULT_HOME yes NONEXISTENT /nonexistent # diff --git a/shadow-util-linux.patch b/shadow-util-linux.patch index b885e5c..a732cbc 100644 --- a/shadow-util-linux.patch +++ b/shadow-util-linux.patch 
@@ -109,39 +109,32 @@ Index: etc/login.defs # Default initial "umask" value used by login(1) on non-PAM enabled systems. # Default "umask" value for pam_umask(8) on PAM enabled systems. # UMASK is also used by useradd(8) and newusers(8) to set the mode for new -Index: lib/getdef.c -=================================================================== ---- lib/getdef.c.orig -+++ lib/getdef.c -@@ -67,6 +67,7 @@ struct itemdef { - {"LOGIN_STRING", NULL}, \ - {"MAIL_CHECK_ENAB", NULL}, \ - {"MOTD_FILE", NULL}, \ -+ {"MOTD_FIRSTONLY", NULL}, \ - {"NOLOGINS_FILE", NULL}, \ - {"OBSCURE_CHECKS_ENAB", NULL}, \ - {"PASS_ALWAYS_WARN", NULL}, \ -@@ -91,6 +92,7 @@ struct itemdef { +@@ -163,6 +177,12 @@ SUB_GID_COUNT 65536 + LOGIN_RETRIES 5 - #define NUMDEFS (sizeof(def_table)/sizeof(def_table[0])) - static struct itemdef def_table[] = { -+ {"ALWAYS_SET_PATH", NULL}, - {"CHARACTER_CLASS", NULL}, - {"CHFN_RESTRICT", NULL}, - {"CONSOLE_GROUPS", NULL}, -@@ -99,6 +101,7 @@ static struct itemdef def_table[] = { - {"DEFAULT_HOME", NULL}, - {"ENCRYPT_METHOD", NULL}, - {"ENV_PATH", NULL}, -+ {"ENV_ROOTPATH", NULL}, - {"ENV_SUPATH", NULL}, - {"ERASECHAR", NULL}, - {"FAIL_DELAY", NULL}, -@@ -110,6 +113,7 @@ static struct itemdef def_table[] = { - {"KILLCHAR", NULL}, - {"LASTLOG_UID_MAX", NULL}, - {"LOGIN_RETRIES", NULL}, -+ {"LOGIN_PLAIN_PROMPT", NULL}, - {"LOGIN_TIMEOUT", NULL}, - {"LOG_OK_LOGINS", NULL}, - {"LOG_UNKFAIL_ENAB", NULL}, + # ++# Tell login to only re-prompt for the password if authentication ++# failed, but the username is valid. The default value is no. ++# ++LOGIN_KEEP_USERNAME no ++ ++# + # Max time in seconds for login(1) + # + LOGIN_TIMEOUT 60 +@@ -315,15 +335,6 @@ CHARACTER_CLASS [ABCDEFGHIJKLMNO + #GRANT_AUX_GROUP_SUBIDS yes + + # +-# Prevents an empty password field to be interpreted as "no authentication +-# required". 
+-# Set to "yes" to prevent for all accounts +-# Set to "superuser" to prevent for UID 0 / root (default) +-# Set to "no" to not prevent for any account (dangerous, historical default) +- +-PREVENT_NO_AUTH superuser +- +-# + # Select the HMAC cryptography algorithm. + # Used in pam_timestamp module to calculate the keyed-hash message + # authentication code. diff --git a/shadow.changes b/shadow.changes index 4f403b5..14acf6d 100644 --- a/shadow.changes +++ b/shadow.changes @@ -1,3 +1,29 @@ +------------------------------------------------------------------- +Tue Nov 9 01:39:44 UTC 2021 - Stanislav Brabec + +- shadow-util-linux.patch: + * Remove the section patching lib/getdef.c in favor of the + upstream FOREIGNDEFS. + * Add LOGIN_KEEP_USERNAME to login.defs. + * Remove PREVENT_NO_AUTH from login.defs. Only used by the + unpackaged login and su. +- shadow-login_defs-unused-by-pam.patch: + * Remove variables BCRYPT_MIN_ROUNDS, BCRYPT_MAX_ROUNDS, + YESCRYPT_COST_FACTOR, not supported by the current + configuratiton. +- Update login_defs-support-for-pam symbol to version 1.5.2 + (support for new variable HMAC_CRYPTO_ALGO). +- Update login_defs-support-for-util-linux to version 2.37 + (support for new variable LOGIN_KEEP_USERNAME). +- Refresh shadow-login_defs-comments.patch and + shadow-login_defs-suse.patch. +- Improve shadow-login_defs-check.sh: + * Add helper to import local new version in the parent dir. + * Fix spec editing sed expression. + * Add PREVENT_NO_AUTH to known unused variables. + * Update pam sed expression to find HMAC_CRYPTO_ALGO. + * Add more sanity checks. + ------------------------------------------------------------------- Mon Sep 20 09:43:41 UTC 2021 - Michael Vetter diff --git a/shadow.spec b/shadow.spec index d0c0b4b..279c748 100644 --- a/shadow.spec +++ b/shadow.spec 
@@ -107,8 +107,8 @@ Summary: The login.defs configuration file # encryption_method_nis.patch has to be ported! # Call shadow-login_defs-check.sh before! Group: System/Base -Provides: login_defs-support-for-pam = 1.3.1 -Provides: login_defs-support-for-util-linux = 2.36 +Provides: login_defs-support-for-pam = 1.5.2 +Provides: login_defs-support-for-util-linux = 2.37 BuildArch: noarch %description -n login_defs