testing/shadow
SHA256
3
0
Fork 0
forked from pool/shadow
Code Pull Requests Activity

Accepting request 700494 from home:sbrabec:branches:util-linux-2.33.1

Browse Source 
- Split shadow-login_defs.patch hunks to its logical components
  (bsc#1121197):
  * shadow-login_defs-unused-by-pam.patch
  * shadow-login_defs-comments.patch
  * shadow-login_defs-util-linux.patch
  * shadow-login_defs-suse.patch
  * Move appropriate hunks to chkname-regex.patch and
    encryption_method_nis.patch
  * Remove GROUPADD_CMD that is not supported (bsc#1121197#c14).
- Split getdef-new-defs.patch hunks to its logical components
  (bsc#1121197):
  * encryption_method_nis.patch
  * chkname-regex.patch
  * shadow-util-linux.patch
    Add support for login: ALWAYS_SET_PATH and LOGIN_PLAIN_PROMPT.
  * useradd-script.patch, userdel-script.patch
  * Remove duplicated definitions of MOTD_FILE and ENV_PATH.
- Add shadow-login_defs-unused-check.sh to allow verification of
  login.defs variable usage (bsc#1121197).
- Add virtual symbols for login.defs compatibility (bsc#1121197).

OBS-URL: https://build.opensuse.org/request/show/700494
OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=63
This commit is contained in:
Michael Vetter 2019-05-06 07:58:15 +00:00 committed by Git OBS Bridge
parent 999ade1779
commit 4e43c817a1
12 changed files with 822 additions and 232 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
chkname-regex.patch
View File

@ -1,3 +1,19 @@
Index: etc/login.defs
===================================================================
--- etc/login.defs.orig
+++ etc/login.defs
@@ -274,3 +274,11 @@ USERGROUPS_ENAB yes
# missing.
#
#FORCE_SHADOW yes
+
+#
+# User/group names must match the following regex expression.
+# The default is [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?,
+# but be aware that the result could depend on the locale settings.
+#
+#CHARACTER_CLASS [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?
+CHARACTER_CLASS [ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_][ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-]*[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$-]\?
Index: lib/getdef.c
===================================================================
--- lib/getdef.c.orig

28
encryption_method_nis.patch
View File

@ -1,10 +1,32 @@
--- lib/getdef.c
Add support for ENCRYPT_METHOD_NIS used by pam: modules/pam_unix/pam_unix_passwd.c.
Index: lib/getdef.c
===================================================================
--- lib/getdef.c.orig
+++ lib/getdef.c
@@ -58,6 +58,7 @@ static struct itemdef def_table[] = {
@@ -85,6 +85,7 @@ static struct itemdef def_table[] = {
{"CREATE_HOME", NULL},
{"DEFAULT_HOME", NULL},
{"ENCRYPT_METHOD", NULL},
+ {"ENCRYPT_METHOD_NIS", NULL},
{"ENV_PATH", NULL},
{"ENV_ROOTPATH", NULL},
{"ENV_SUPATH", NULL},
{"ERASECHAR", NULL},
Index: etc/login.defs
===================================================================
--- etc/login.defs.orig
+++ etc/login.defs
@@ -187,10 +187,13 @@ CHFN_RESTRICT rwh
# If set to DES, DES-based algorithm will be used for encrypting password (default)
# Overrides the MD5_CRYPT_ENAB option
#
+# ENCRYPT_METHOD_NIS is used by pam_unix_passwd.so.
+#
# Note: If you use PAM, it is recommended to use a value consistent with
# the PAM modules configuration.
#
#ENCRYPT_METHOD DES
+#ENCRYPT_METHOD_NIS DES
#
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.

34
getdef-new-defs.patch
View File

@ -1,34 +0,0 @@
Index: lib/getdef.c
===================================================================
--- lib/getdef.c.orig
+++ lib/getdef.c
@@ -91,6 +91,7 @@ static struct itemdef def_table[] = {
{"FAKE_SHELL", NULL},
{"GID_MAX", NULL},
{"GID_MIN", NULL},
+ {"GROUPADD_CMD", NULL},
{"HUSHLOGIN_FILE", NULL},
{"KILLCHAR", NULL},
{"LOGIN_RETRIES", NULL},
@@ -126,7 +127,10 @@ static struct itemdef def_table[] = {
{"UID_MAX", NULL},
{"UID_MIN", NULL},
{"UMASK", NULL},
+ {"USERADD_CMD", NULL},
{"USERDEL_CMD", NULL},
+ {"USERDEL_PRECMD", NULL},
+ {"USERDEL_POSTCMD", NULL},
{"USERGROUPS_ENAB", NULL},
#ifndef USE_PAM
PAMDEFS
@@ -149,6 +153,10 @@ static struct itemdef knowndef_table[] =
#ifdef USE_PAM
PAMDEFS
#endif
+ /* Used by /bin/login */
+ {"MOTD_FILE", NULL},
+ {"ENV_PATH", NULL},
+ {"ENV_ROOTPATH", NULL},
{NULL, NULL}
};

256
shadow-login_defs-check.sh Normal file
View File

@ -0,0 +1,256 @@
#!/bin/bash
# login.defs and lib/getdef.c contain support for third party variables.
# It also contains support for variables that are unusable in installations with PAM support enabled.
# This script generates a list of used and unused variables in login.defs
# with respect to the current configuration.
# Arguments: arguments of osc build
# If the shadow-login_defs-check-unused.lst is generated, you should
# update login.defs.
set -o errexit
echo "Preparing..."
# Check for required commands
which quilt >/dev/null
which osc >/dev/null
# login.defs is shared with util-linux login, su and runuser.
# Extract list of referenced variables.
if ! test -f openSUSE:Factory/util-linux/BUILD/*/configure.ac ; then
echo "Checking out util-linux..."
osc co openSUSE:Factory util-linux
cd openSUSE:Factory/util-linux
quilt setup -d BUILD util-linux.spec
cd BUILD/*
quilt push -a
cd ../../../..
fi
echo "Extracting variables from util-linux..."
cd openSUSE:Factory/util-linux/BUILD/*
(
grep -rh getlogindefs . |
sed -n 's/^.*getlogindefs[a-z_]*("\([A-Z0-9_]*\)".*$/\1/p'
grep -rh logindefs_setenv . |
sed -n 's/^.*logindefs_setenv*("[A-Z0-9_]*", "\([A-Z0-9_]*\)".*$/\1/p'
) |
LC_ALL=C sort -u >../../../../shadow-login_defs-check-util-linux.lst
cd ../../../..
# login.defs is shared pam_unix*.so, pam_faildelay.so and pam_umask.so.
# Extract list of referenced variables.
if ! test -f openSUSE:Factory/pam/BUILD/*/configure.ac ; then
echo "Checking out pam..."
osc co openSUSE:Factory pam
cd openSUSE:Factory/pam
quilt setup -d BUILD pam.spec
cd BUILD/*
quilt push -a
cd ../../../..
fi
echo "Extracting variables from pam..."
cd openSUSE:Factory/pam/BUILD/*
grep -rh LOGIN_DEFS . |
sed -n 's/^.*search_key *("\([A-Z0-9_]*\)", *LOGIN_DEFS).*$/\1/p' |
LC_ALL=C sort -u >../../../../shadow-login_defs-check-pam.lst
cd ../../../..
if ! test -f shadow-login_defs-check-build/stamp ; then
echo "Performing preprocessing of shadow by osc..."
if ! test -f shadow.spec.shadow-login_defs-check-save ; then
cp -a shadow.spec shadow.spec.shadow-login_defs-check-save
# In case of shadow, variables extraction is more complicated. The list
# depends on configure options, so we have to perform a fake build and
# extract variables from prepreocessed sources.
patch <<EOF
--- shadow.spec
+++ shadow.spec
@@ -131,1 +131,1 @@
-make
+make V=1 -k CPPFLAGS="-E"
EOF
fi
osc build "$@" || :
echo "This build command was expected to fail."
echo ""
mv shadow.spec.shadow-login_defs-check-save shadow.spec
BUILD_ROOT=$(osc lbl | sed -n 's/^.*Using BUILD_ROOT=//p')
BUILD_DIR=$(osc lbl | sed -n 's/^.* cd //p' | head -n1)
rm -rf shadow-login_defs-check-build
mkdir shadow-login_defs-check-build
cp -a "$BUILD_ROOT/$BUILD_DIR"/shadow-* shadow-login_defs-check-build/
touch shadow-login_defs-check-build/stamp
fi
echo "Extracting list of deleted binaries..."
sed -n 's~rm %{buildroot}/%{_\(s\|\)bindir}/\(.*\)$~\2~p' <shadow.spec >shadow-login_defs-check-deleted.lst
# The build above is optional only for case of failure or edits in the
# code below. If any other build was performed, don't expect correct
# results.
cd shadow-login_defs-check-build/shadow-*
echo "Extracting variables from etc/login.defs..."
# Extract variables referenced in login.defs, both active and commented out.
sed -n "s/^#//;s/\([A-Z0-9_]*\)[[:space:]].*$/\1/p" <etc/login.defs | sed '/^$/d' | uniq | sed '/^$/d' >../../shadow-login_defs-check-login_defs.lst
LC_ALL=C sort -u ../../shadow-login_defs-check-login_defs.lst >../../shadow-login_defs-check-login_defs-sorted.lst
echo "Extracting variables from lib/getdef.c..."
# Extract variables referenced in lib/getdef.c using current defines.
sed -n 's/^\(},\|\) {"\([A-Z0-9_]*\)", /\2/p' <lib/getdef.o >../../shadow-login_defs-check-getdef.lst
LC_ALL=C sort -u ../../shadow-login_defs-check-getdef.lst >../../shadow-login_defs-check-getdef-sorted.lst
echo "Extracting variables from shadow..."
# Extract variables referenced in preprocessed files.
grep -r '\(getdef[a-z_]*\|call_script\|is_listed\) *( *"[A-Za-z0-9_]*"' |
grep '[^ ]*\.o:' >../../shadow-login_defs-check-shadow.log
cd ../..
export RC=0
echo ""
echo ""
echo "Performing checks..."
sed '
s/^.*\(getdef[a-z_]*\|call_script\|is_listed*\) *( *"\([A-Za-z0-9_]*\)".*$/\2/
' <shadow-login_defs-check-shadow.log | LC_ALL=C sort -u >../../shadow-login_defs-check-shadow-all.lst
sed 's%^\(.*\)%/^.*\\\/\1\.o:/d%' <shadow-login_defs-check-deleted.lst >shadow-login_defs-check-deleted.sed
sed -f shadow-login_defs-check-deleted.sed <shadow-login_defs-check-shadow.log |
sed '
s/^.*\(getdef[a-z_]*\|call_script\|is_listed*\) *( *"\([A-Za-z0-9_]*\)".*$/\2/
' | LC_ALL=C sort -u >shadow-login_defs-check-shadow-used.lst
if ! test -s shadow-login_defs-check-deleted.sed ; then
echo " BUG: Empty shadow-login_defs-check-deleted.sed Results will be unreliable!"
if test $RC -le 4 ; then export RC=4 ; fi
fi
echo ""
echo "Checking that variables in login.defs are referred only once..."
if test $(wc -l shadow-login_defs-check-login_defs.lst | sed 's/ .*//') != $(wc -l shadow-login_defs-check-login_defs-sorted.lst | sed 's/ .*//') ; then
echo " ERROR: Some variable referred at more places of login.defs!"
LC_ALL=C sort shadow-login_defs-check-login_defs.lst >shadow-login_defs-check-login_defs-sorted-nu.lst
diff shadow-login_defs-check-login_defs-sorted-nu.lst shadow-login_defs-check-login_defs-sorted.lst
if test $RC -le 3 ; then export RC=3 ; fi
fi
echo ""
echo "Checking that variables in lib/getdef.c are referred only once..."
if test $(wc -l shadow-login_defs-check-getdef.lst | sed 's/ .*//') != $(wc -l shadow-login_defs-check-getdef-sorted.lst | sed 's/ .*//') ; then
echo " ERROR: Some variable referred at more places of lib/getdef.c!"
LC_ALL=C sort shadow-login_defs-check-getdef.lst >shadow-login_defs-check-getdef-sorted-nu.lst
diff shadow-login_defs-check-getdef-sorted-nu.lst shadow-login_defs-check-getdef-sorted.lst
if test $RC -le 3 ; then export RC=3 ; fi
fi
cat shadow-login_defs-check-shadow-used.lst shadow-login_defs-check-util-linux.lst shadow-login_defs-check-pam.lst | LC_ALL=C sort -u >shadow-login_defs-check-all-used.lst
# RC inside pipe cannot be read directly. Use 3 for a real stdout inside the pipe, and use stdout for RC.
exec 3>&1
function report_packages() {
echo -n " ("
grep -l $1 shadow-login_defs-check-{shadow-used,util-linux,pam}.lst |
sed 's/shadow-login_defs-check-//;s/\.lst//;s/-used//;s/$/, /;$s/, $//' |
tr -d '\n'
echo -n ")"
}
# Extracting variables from shadow is not capable to identify compiled-but-unused library code.
# This function will identify known false matches.
function falsematch() {
case "$1" in
# MAIL_* used by library call mailcheck() used only by login.c that is deleted in the spec.
MAIL_* ) return 0 ;;
# FTMP_FILE used by library call failtmp() used only by login.c that is deleted in the spec.
FTMP_FILE ) return 0 ;;
# ISSUE_FILE used by library call login_prompt() used only by login.c that is deleted in the spec.
ISSUE_FILE ) return 0 ;;
* ) return 1 ;;
esac
}
echo ""
echo "Checking that all used variables are covered by login.defs..."
RC=$(cat shadow-login_defs-check-all-used.lst | (
while read ; do
if falsematch "$REPLY" ; then
echo " FALSE MATCH: Variable $REPLY is not present in login.defs$(report_packages $REPLY)" >&3
continue
fi
if ! grep -q -x "$REPLY" shadow-login_defs-check-login_defs-sorted.lst ; then
echo " NOTICE: Variable $REPLY is not present in login.defs$(report_packages $REPLY)" >&3
if test $RC -le 2 ; then RC=2 ; fi
fi
done
echo $RC
) )
echo ""
echo "Checking that all used variables are covered by lib/getdef.c..."
RC=$(cat shadow-login_defs-check-all-used.lst | (
while read ; do
if falsematch "$REPLY" ; then continue ; fi
if ! grep -q -x "$REPLY" shadow-login_defs-check-getdef.lst ; then
echo " ERROR: Variable $REPLY is missing in the parser$(report_packages $REPLY)" >&3
if test $RC -le 3 ; then RC=3 ; fi
fi
done
echo $RC
) )
echo ""
echo "Checking that all used variables referred in login.defs are valid..."
RC=$(cat shadow-login_defs-check-login_defs.lst | (
while read ; do
if ! grep -q -x "$REPLY" shadow-login_defs-check-all-used.lst ; then
echo " ERROR: Failed to find reference for $REPLY" >&3
if test $RC -le 3 ; then RC=3 ; fi
fi
if ! grep -q -x "$REPLY" shadow-login_defs-check-getdef.lst ; then
echo " BUG: Parser does not contain reference for $REPLY" >&3
if test $RC -le 4 ; then RC=4 ; fi
fi
done
echo $RC
) )
echo ""
echo ""
echo "All checks finished."
echo -n "Result: "
case $RC in
0) echo "OK." ;;
1) echo "Notices only. Action is optional." ;;
2) echo "Warnings only. Evaluation is needed." ;;
3) echo "Errors found. Fix is recommended." ;;
4) echo "Fatal error. Fix has to be done." ;;
esac
if test $RC -ge 1 ; then
exit 1
fi
echo "
If you ported shadow-util-linux.patch to the new util-linux version,
please submit these updates:
Change in util-linux.spec:"
sed -n 's/^Version:[[:space:]]*/Requires: login_defs-support-for-util-linux >= /p' <openSUSE\:Factory/util-linux/util-linux.spec
echo "Change in shadow.spec:"
sed -n 's/^Version:[[:space:]]*/Provides: login_defs-support-for-util-linux = /p' <openSUSE\:Factory/util-linux/util-linux.spec
echo "
If you ported encryption_method_nis.patch to the new pam version,
please submit these updates:
Change in pam.spec:"
sed -n 's/^Version:[[:space:]]*/Requires: login_defs-support-for-pam >= /p' <openSUSE\:Factory/pam/pam.spec
echo "Change in shadow.spec:"
sed -n 's/^Version:[[:space:]]*/Provides: login_defs-support-for-pam = /p' <openSUSE\:Factory/pam/pam.spec

87
shadow-login_defs-comments.patch Normal file
View File

@ -0,0 +1,87 @@
Improve comments in login.defs.
Index: etc/login.defs
===================================================================
--- etc/login.defs.orig
+++ etc/login.defs
@@ -3,8 +3,6 @@
# Some variables are used by login(1), su(1) and runuser(1) from util-linux
# package as well pam pam_unix(8) from pam package.
#
-# $Id$
-#
#
# Delay in seconds before being allowed another attempt after a login failure
@@ -79,11 +77,14 @@ ENV_PATH /bin:/usr/bin
ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin
#ENV_SUPATH /sbin:/bin:/usr/sbin:/usr/bin
-# If this variable is set to "yes", su will always set path. every su
-# call will overwrite the PATH variable.
+# If this variable is set to "yes" (default is "no"), su will always set
+# path. every su call will overwrite the PATH variable.
#
# Per default, only "su -" will set a new PATH.
#
+# The recommended value is "yes". The default "no" behavior could have
+# a security implication in applications that use commands without path.
+#
ALWAYS_SET_PATH no
#
@@ -123,6 +124,11 @@ PASS_WARN_AGE 7
#
# Min/max values for automatic uid selection in useradd(8)
#
+# SYS_UID_MIN to SYS_UID_MAX inclusive is the range for
+# UIDs for dynamically allocated administrative and system accounts.
+# UID_MIN to UID_MAX inclusive is the range of UIDs of dynamically
+# allocated user accounts.
+#
UID_MIN 1000
UID_MAX 60000
# System accounts
@@ -136,6 +142,11 @@ SUB_UID_COUNT 65536
#
# Min/max values for automatic gid selection in groupadd(8)
#
+# SYS_GID_MIN to SYS_GID_MAX inclusive is the range for
+# GIDs for dynamically allocated administrative and system groups.
+# GID_MIN to GID_MAX inclusive is the range of GIDs of dynamically
+# allocated groups.
+#
GID_MIN 1000
GID_MAX 60000
# System accounts
@@ -165,7 +176,6 @@ LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
#
-# Only works if compiled with MD5_CRYPT defined:
# If set to "yes", new passwords will be encrypted using the MD5-based
# algorithm compatible with the one used by recent releases of FreeBSD.
# It supports passwords of unlimited length and longer salt strings.
@@ -180,7 +190,6 @@ CHFN_RESTRICT rwh
#MD5_CRYPT_ENAB no
#
-# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
# If set to MD5, MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
@@ -196,6 +205,14 @@ CHFN_RESTRICT rwh
#ENCRYPT_METHOD_NIS DES
#
+# Number of rounds for salt.
+# Default values:
+# Minimum number of rounds.
+#SHA_CRYPT_MIN_ROUNDS 1000
+# Maximum number of rounds.
+#SHA_CRYPT_MAX_ROUNDS 999999999
+
+#
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
#
# Define the number of SHA rounds.

137
shadow-login_defs-suse.patch Normal file
View File

@ -0,0 +1,137 @@
Set login.defs defaults for SUSE Linux.
Index: etc/login.defs
===================================================================
--- etc/login.defs.orig
+++ etc/login.defs
@@ -3,6 +3,9 @@
# Some variables are used by login(1), su(1) and runuser(1) from util-linux
# package as well pam pam_unix(8) from pam package.
#
+# For more, see login.defs(5). Please note that SUSE supports only variables
+# listed here! Not listed variables from login.defs(5) have no effect.
+#
#
# Delay in seconds before being allowed another attempt after a login failure
@@ -53,8 +56,8 @@ MOTD_FILE /etc/motd
# user's name or shell are found in the file. If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
-HUSHLOGIN_FILE .hushlogin
-#HUSHLOGIN_FILE /etc/hushlogins
+#HUSHLOGIN_FILE .hushlogin
+HUSHLOGIN_FILE /etc/hushlogins
# If this variable is set to "yes", hostname will be suppressed in the
# login: prompt.
@@ -73,9 +76,9 @@ HUSHLOGIN_FILE .hushlogin
# ENV_SUPATH is an ENV_ROOTPATH override for su and runuser
# (and falback for login).
#
-ENV_PATH /bin:/usr/bin
-ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin
-#ENV_SUPATH /sbin:/bin:/usr/sbin:/usr/bin
+ENV_PATH /usr/local/bin:/bin:/usr/bin
+ENV_ROOTPATH /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+#ENV_SUPATH /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# If this variable is set to "yes" (default is "no"), su will always set
# path. every su call will overwrite the PATH variable.
@@ -99,7 +102,7 @@ ALWAYS_SET_PATH no
# set TTYPERM to either 622 or 600.
#
TTYGROUP tty
-TTYPERM 0600
+TTYPERM 0620
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
@@ -132,8 +135,8 @@ PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
# System accounts
-SYS_UID_MIN 101
-SYS_UID_MAX 999
+SYS_UID_MIN 100
+SYS_UID_MAX 499
# Extra per user uids
SUB_UID_MIN 100000
SUB_UID_MAX 600100000
@@ -150,8 +153,8 @@ SUB_UID_COUNT 65536
GID_MIN 1000
GID_MAX 60000
# System accounts
-SYS_GID_MIN 101
-SYS_GID_MAX 999
+SYS_GID_MIN 100
+SYS_GID_MAX 499
# Extra per user group ids
SUB_GID_MIN 100000
SUB_GID_MAX 600100000
@@ -160,7 +163,7 @@ SUB_GID_COUNT 65536
#
# Max number of login(1) retries if password is bad
#
-LOGIN_RETRIES 5
+LOGIN_RETRIES 3
#
# Max time in seconds for login(1)
@@ -176,18 +179,9 @@ LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
#
-# If set to "yes", new passwords will be encrypted using the MD5-based
-# algorithm compatible with the one used by recent releases of FreeBSD.
-# It supports passwords of unlimited length and longer salt strings.
-# Set to "no" if you need to copy encrypted passwords to other systems
-# which don't understand the new algorithm. Default is "no".
-#
-# Note: If you use PAM, it is recommended to use a value consistent with
-# the PAM modules configuration.
-#
-# This variable is deprecated. You should use ENCRYPT_METHOD instead.
+# This variable is deprecated. Use ENCRYPT_METHOD instead!
#
-#MD5_CRYPT_ENAB no
+#MD5_CRYPT_ENAB DO_NOT_USE
#
# If set to MD5, MD5-based algorithm will be used for encrypting password
@@ -201,8 +195,8 @@ CHFN_RESTRICT rwh
# Note: If you use PAM, it is recommended to use a value consistent with
# the PAM modules configuration.
#
-#ENCRYPT_METHOD DES
-#ENCRYPT_METHOD_NIS DES
+ENCRYPT_METHOD SHA512
+ENCRYPT_METHOD_NIS DES
#
# Number of rounds for salt.
@@ -271,7 +265,7 @@ USERDEL_POSTCMD /usr/sbin/userde
#
# This also enables userdel(8) to remove user groups if no members exist.
#
-USERGROUPS_ENAB yes
+USERGROUPS_ENAB no
#
# If set to a non-zero number, the shadow utilities will make sure that
@@ -290,13 +284,13 @@ USERGROUPS_ENAB yes
# This option is overridden with the -M or -m flags on the useradd(8)
# command-line.
#
-#CREATE_HOME yes
+CREATE_HOME no
#
# Force use shadow, even if shadow passwd & shadow group files are
# missing.
#
-#FORCE_SHADOW yes
+FORCE_SHADOW no
#
# User/group names must match the following regex expression.

215
shadow-login_defs.patch → shadow-login_defs-unused-by-pam.patch
View File

@ -1,17 +1,14 @@
Remove variables that are present in login.defs, but shadow with the
current configuration (e. g. with PAM) does not use them.
shadow-login_defs-unused-check.sh makes possible to verify that it is
still up to date.
Index: etc/login.defs
===================================================================
--- etc/login.defs.orig
+++ etc/login.defs
@@ -1,8 +1,5 @@
#
# /etc/login.defs - Configuration control definitions for the shadow package.
-#
-# $Id$
-#
#
# Delay in seconds before being allowed another attempt after a login failure
@@ -12,11 +9,6 @@
@@ -12,11 +12,6 @@
FAIL_DELAY 3
#
@ -23,7 +20,7 @@ Index: etc/login.defs
# Enable display of unknown usernames when login(1) failures are recorded.
#
LOG_UNKFAIL_ENAB no
@@ -27,34 +19,6 @@ LOG_UNKFAIL_ENAB no
@@ -27,34 +22,6 @@ LOG_UNKFAIL_ENAB no
LOG_OK_LOGINS no
#
@ -58,7 +55,7 @@ Index: etc/login.defs
# Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
#
@@ -82,75 +46,31 @@ MOTD_FILE /etc/motd
@@ -82,46 +49,12 @@ MOTD_FILE /etc/motd
#MOTD_FILE /etc/motd:/usr/lib/news/news-motd
#
@ -105,12 +102,10 @@ Index: etc/login.defs
# If defined, file which inhibits all the usual chatter during the login
# sequence. If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file. If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
@@ -131,21 +64,6 @@ HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
#
-HUSHLOGIN_FILE .hushlogin
-#HUSHLOGIN_FILE /etc/hushlogins
-
-#
-# If defined, either a TZ environment parameter spec or the
-# fully-rooted pathname of a file containing such a spec.
-#
@ -124,33 +119,12 @@ Index: etc/login.defs
-ENV_HZ HZ=100
-# For Linux/Alpha...
-#ENV_HZ HZ=1024
+# HUSHLOGIN_FILE .hushlogin
+HUSHLOGIN_FILE /etc/hushlogins
#
-
-#
# *REQUIRED* The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
-ENV_PATH PATH=/bin:/usr/bin
+ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin
+
+#
+# The default PATH settings for root (used by login):
+#
+ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin
#
# Terminal permissions
@@ -164,24 +84,20 @@ ENV_PATH PATH=/bin:/usr/bin
# set TTYPERM to either 622 or 600.
#
TTYGROUP tty
-TTYPERM 0600
+TTYPERM 0620
#
# Login configuration initializations:
@@ -171,17 +89,13 @@ TTYPERM 0600
#
# ERASECHAR Terminal ERASE character ('\010' = backspace).
# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
@ -168,7 +142,7 @@ Index: etc/login.defs
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
@@ -197,35 +113,25 @@ UMASK 022
@@ -197,28 +111,13 @@ UMASK 022
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
@ -196,50 +170,8 @@ Index: etc/login.defs
-#
# Min/max values for automatic uid selection in useradd(8)
#
+# SYS_UID_MIN to SYS_UID_MAX inclusive is the range for
+# UIDs for dynamically allocated administrative and system accounts.
+# UID_MIN to UID_MAX inclusive is the range of UIDs of dynamically
+# allocated user accounts.
+#
UID_MIN 1000
UID_MAX 60000
# System accounts
-SYS_UID_MIN 101
-SYS_UID_MAX 999
+SYS_UID_MIN 100
+SYS_UID_MAX 499
# Extra per user uids
SUB_UID_MIN 100000
SUB_UID_MAX 600100000
@@ -234,11 +140,16 @@ SUB_UID_COUNT 65536
#
# Min/max values for automatic gid selection in groupadd(8)
#
+# SYS_GID_MIN to SYS_GID_MAX inclusive is the range for
+# GIDs for dynamically allocated administrative and system groups.
+# GID_MIN to GID_MAX inclusive is the range of GIDs of dynamically
+# allocated groups.
+#
GID_MIN 1000
GID_MAX 60000
# System accounts
-SYS_GID_MIN 101
-SYS_GID_MAX 999
+SYS_GID_MIN 100
+SYS_GID_MAX 499
# Extra per user group ids
SUB_GID_MIN 100000
SUB_GID_MAX 600100000
@@ -247,7 +158,7 @@ SUB_GID_COUNT 65536
#
# Max number of login(1) retries if password is bad
#
-LOGIN_RETRIES 5
+LOGIN_RETRIES 3
#
# Max time in seconds for login(1)
@@ -255,28 +166,6 @@ LOGIN_RETRIES 5
@@ -255,28 +154,6 @@ LOGIN_RETRIES 5
LOGIN_TIMEOUT 60
#
@ -268,7 +200,7 @@ Index: etc/login.defs
# Which fields may be changed by regular users using chfn(1) - use
# any combination of letters "frwh" (full name, room number, work
# phone, home phone). If not defined, no changes are allowed.
@@ -285,28 +174,6 @@ CHFN_AUTH yes
@@ -285,13 +162,6 @@ CHFN_AUTH yes
CHFN_RESTRICT rwh
#
@ -279,35 +211,27 @@ Index: etc/login.defs
-#LOGIN_STRING "%s's Password: "
-
-#
-# Only works if compiled with MD5_CRYPT defined:
-# If set to "yes", new passwords will be encrypted using the MD5-based
-# algorithm compatible with the one used by recent releases of FreeBSD.
-# It supports passwords of unlimited length and longer salt strings.
-# Set to "no" if you need to copy encrypted passwords to other systems
-# which don't understand the new algorithm. Default is "no".
-#
-# Note: If you use PAM, it is recommended to use a value consistent with
-# the PAM modules configuration.
-#
-# This variable is deprecated. You should use ENCRYPT_METHOD instead.
-#
-#MD5_CRYPT_ENAB no
-
-#
# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
# If set to MD5, MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
@@ -317,7 +184,8 @@ CHFN_RESTRICT rwh
# Note: If you use PAM, it is recommended to use a value consistent with
# the PAM modules configuration.
#
-#ENCRYPT_METHOD DES
+ENCRYPT_METHOD SHA512
+ENCRYPT_METHOD_NIS DES
# Only works if compiled with MD5_CRYPT defined:
# If set to "yes", new passwords will be encrypted using the MD5-based
# algorithm compatible with the one used by recent releases of FreeBSD.
@@ -336,29 +206,12 @@ CHFN_RESTRICT rwh
# SHA_CRYPT_MAX_ROUNDS 5000
#
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
@@ -353,16 +221,12 @@ CHFN_RESTRICT rwh
-# List of groups to add to the user's supplementary group set
-# when logging in from the console (as determined by the CONSOLE
-# setting). Default is none.
-#
-# Use with caution - it is possible for users to gain permanent
-# access to these groups, even when not logged in from the console.
-# How to do it is left as an exercise for the reader...
-#
-#CONSOLE_GROUPS floppy:audio:cdrom
-
-#
# Should login be allowed if we can't cd to the home directory?
# Default is no.
#
DEFAULT_HOME yes
#
@ -320,68 +244,3 @@ Index: etc/login.defs
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
+# See USERDEL_PRECMD/POSTCMD below.
+#
#USERDEL_CMD /usr/sbin/userdel_local
#
@@ -372,7 +236,7 @@ ENVIRON_FILE /etc/environment
#
# This also enables userdel(8) to remove user groups if no members exist.
#
-USERGROUPS_ENAB yes
+USERGROUPS_ENAB no
#
# If set to a non-zero number, the shadow utilities will make sure that
@@ -391,10 +255,47 @@ USERGROUPS_ENAB yes
# This option is overridden with the -M or -m flags on the useradd(8)
# command-line.
#
-#CREATE_HOME yes
+CREATE_HOME no
#
# Force use shadow, even if shadow passwd & shadow group files are
# missing.
#
-#FORCE_SHADOW yes
+FORCE_SHADOW no
+
+#
+# User/group names must match the following regex expression.
+# The default is [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?,
+# but be aware that the result could depend on the locale settings.
+#
+#CHARACTER_CLASS [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?
+CHARACTER_CLASS [ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_][ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-]*[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$-]\?
+
+#
+# If defined, this command is run when adding a group.
+# It should rebuild any NIS database etc. to add the
+# new created group.
+#
+GROUPADD_CMD /usr/sbin/groupadd.local
+
+#
+# If defined, this command is run when adding a user.
+# It should rebuild any NIS database etc. to add the
+# new created account.
+#
+USERADD_CMD /usr/sbin/useradd.local
+
+#
+# If defined, this command is run before removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed.
+#
+USERDEL_PRECMD /usr/sbin/userdel-pre.local
+
+#
+# If defined, this command is run after removing a user.
+# It should rebuild any NIS database etc. to remove the
+# account from it.
+#
+USERDEL_POSTCMD /usr/sbin/userdel-post.local
+

119
shadow-util-linux.patch Normal file
View File

@ -0,0 +1,119 @@
Add variables referred by util-linux login, runuser and su, but not by
shadow.
Delete variables used by shadow implementation of login, su and runuser
that has no use in util-linux implementation.
Index: etc/login.defs
===================================================================
--- etc/login.defs.orig
+++ etc/login.defs
@@ -1,5 +1,7 @@
#
# /etc/login.defs - Configuration control definitions for the shadow package.
+# Some variables are used by login(1), su(1) and runuser(1) from util-linux
+# package as well pam pam_unix(8) from pam package.
#
# $Id$
#
@@ -17,15 +19,8 @@ FAIL_DELAY 3
LOG_UNKFAIL_ENAB no
#
-# Enable logging of successful logins
+# Enable "syslog" logging of newgrp(1) and sg(1) activity.
#
-LOG_OK_LOGINS no
-
-#
-# Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
-# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
-#
-SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
#
@@ -63,12 +58,33 @@ MOTD_FILE /etc/motd
HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
+# If this variable is set to "yes", hostname will be suppressed in the
+# login: prompt.
+#LOGIN_PLAIN_PROMPT no
+
#
# *REQUIRED* The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
-ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
-ENV_PATH PATH=/bin:/usr/bin
+#
+# ENV_PATH: The default PATH settings for non-root.
+#
+# ENV_ROOTPATH: The default PATH settings for root
+# (used by login, su and runuser).
+#
+# ENV_SUPATH is an ENV_ROOTPATH override for su and runuser
+# (and falback for login).
+#
+ENV_PATH /bin:/usr/bin
+ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin
+#ENV_SUPATH /sbin:/bin:/usr/sbin:/usr/bin
+
+# If this variable is set to "yes", su will always set path. every su
+# call will overwrite the PATH variable.
+#
+# Per default, only "su -" will set a new PATH.
+#
+ALWAYS_SET_PATH no
#
# Terminal permissions
@@ -84,19 +100,6 @@ ENV_PATH PATH=/bin:/usr/bin
TTYGROUP tty
TTYPERM 0600
-#
-# Login configuration initializations:
-#
-# ERASECHAR Terminal ERASE character ('\010' = backspace).
-# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
-#
-# The ERASECHAR and KILLCHAR are used only on System V machines.
-#
-# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
-#
-ERASECHAR 0177
-KILLCHAR 025
-
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
Index: lib/getdef.c
===================================================================
--- lib/getdef.c.orig
+++ lib/getdef.c
@@ -77,6 +77,7 @@ struct itemdef {
#define NUMDEFS (sizeof(def_table)/sizeof(def_table[0]))
static struct itemdef def_table[] = {
+ {"ALWAYS_SET_PATH", NULL},
{"CHARACTER_CLASS", NULL},
{"CHFN_RESTRICT", NULL},
{"CONSOLE_GROUPS", NULL},
@@ -85,6 +86,7 @@ static struct itemdef def_table[] = {
{"DEFAULT_HOME", NULL},
{"ENCRYPT_METHOD", NULL},
{"ENV_PATH", NULL},
+ {"ENV_ROOTPATH", NULL},
{"ENV_SUPATH", NULL},
{"ERASECHAR", NULL},
{"FAIL_DELAY", NULL},
@@ -93,6 +95,7 @@ static struct itemdef def_table[] = {
{"GID_MIN", NULL},
{"HUSHLOGIN_FILE", NULL},
{"KILLCHAR", NULL},
+ {"LOGIN_PLAIN_PROMPT", NULL},
{"LOGIN_RETRIES", NULL},
{"LOGIN_TIMEOUT", NULL},
{"LOG_OK_LOGINS", NULL},

24
shadow.changes
View File

@ -1,3 +1,27 @@
-------------------------------------------------------------------
Tue Apr 30 22:27:14 CEST 2019 - sbrabec@suse.com
- Split shadow-login_defs.patch hunks to its logical components
(bsc#1121197):
* shadow-login_defs-unused-by-pam.patch
* shadow-login_defs-comments.patch
* shadow-login_defs-util-linux.patch
* shadow-login_defs-suse.patch
* Move appropriate hunks to chkname-regex.patch and
encryption_method_nis.patch
* Remove GROUPADD_CMD that is not supported (bsc#1121197#c14).
- Split getdef-new-defs.patch hunks to its logical components
(bsc#1121197):
* encryption_method_nis.patch
* chkname-regex.patch
* shadow-util-linux.patch
Add support for login: ALWAYS_SET_PATH and LOGIN_PLAIN_PROMPT.
* useradd-script.patch, userdel-script.patch
* Remove duplicated definitions of MOTD_FILE and ENV_PATH.
- Add shadow-login_defs-unused-check.sh to allow verification of
login.defs variable usage (bsc#1121197).
- Add virtual symbols for login.defs compatibility (bsc#1121197).
-------------------------------------------------------------------
Wed Jan 23 09:35:01 UTC 2019 - adam.majer@suse.de

36
shadow.spec
View File

@ -12,7 +12,7 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
@ -33,18 +33,37 @@ Source6: shadow.service
Source7: shadow.timer
Source42: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc
Source43: %{name}.keyring
Patch0: shadow-login_defs.patch
# SOURCE-FEATURE-SUSE shadow-login_defs-check.sh sbrabec@suse.com -- Supplementary script that verifies coverage of variables in shadow-login_defs-unused-by-pam.patch and other patches.
Source44: shadow-login_defs-check.sh
# PATCH-FIX-SUSE shadow-login_defs-unused-by-pam.patch kukuk@suse.com -- Remove variables that have no use with PAM.
Patch0: shadow-login_defs-unused-by-pam.patch
# PATCH-FEATURE-SUSE userdel-script.patch kukuk@suse.com -- Add support for USERDEL_PRECMD and USERDEL_POSTCMD.
Patch1: userdel-script.patch
# PATCH-FEATURE-SUSE useradd-script.patch kukuk@suse.com -- Add support for USERADD_CMD.
Patch2: useradd-script.patch
# PATCH-FEATURE-SUSE chkname-regex.patch kukuk@suse.com -- Username restriction by regex.
Patch3: chkname-regex.patch
# PATCH-FEATURE-SUSE useradd-default.patch kukuk@suse.com -- Change useradd defaults group to 1000.
Patch4: useradd-default.patch
Patch5: getdef-new-defs.patch
# PATCH-FEATURE-SUSE shadow-util-linux.patch sbrabec@suse.com -- Add support for util-linux specific variables, delete shadow login, su runuser specific.
Patch5: shadow-util-linux.patch
# PATCH-FEATURE-FEDORA shadow-4.1.5.1-userdel-helpfix.patch christian.brauner@mailbox.org -- Give a hint about what happens when you force the removal of a user.
Patch6: shadow-4.1.5.1-userdel-helpfix.patch
# PATCH-FIX-FEDORA shadow-4.1.5.1-userdel-helpfix.patch kukuk@suse.com -- Fix error message.
Patch7: shadow-4.1.5.1-logmsg.patch
# PATCH-FEATURE-SUSE encryption_method_nis.patch kukuk@suse.com -- Add support for ENCRYPT_METHOD_NIS used by SUSE patch in pam (pam_unix).
Patch10: encryption_method_nis.patch
# PATCH-FIX-SUSE useradd-mkdirs.patch bnc865563 tbehrens@suse.com -- Create all parts of the path.
Patch11: useradd-mkdirs.patch
# PATCH-FIX-SUSE shadow-4.6.0-fix-usermod-prefix-crash.patch https://github.com/shadow-maint/shadow/issues/110 mvetter@suse.com -- Fixes crash in usermod when called with --prefix.
Patch12: shadow-4.6.0-fix-usermod-prefix-crash.patch
# PATCH-FEATURE-SUSE shadow-login_defs-comments.patch kukuk@suse.com -- Adjust login.defs comments.
Patch13: shadow-login_defs-comments.patch
# PATCH-FEATURE-SUSE shadow-login_defs-suse.patch kukuk@suse.com -- Customize login.defs.
Patch14: shadow-login_defs-suse.patch
# PATCH-FIX-SUSE disable_new_audit_function.patch adam.majer@suse.de -- Disable newer libaudit functionality for older distributions.
Patch20: disable_new_audit_function.patch
# PATCH-FEATURE-SUSE btrfs-subvolumes.patch fate316134 adam.majer@suse.de -- Add support for btrfs subvolumes for user homes.
Patch21: btrfs-subvolumes.patch
BuildRequires: audit-devel > 2.3
BuildRequires: autoconf
@ -62,6 +81,13 @@ Requires(pre): user(root)
PreReq: permissions
Provides: pwdutils = 3.2.20
Obsoletes: pwdutils <= 3.2.19
# Virtual provides for supported variables in login.defs.
# It prevents references to unknown variables.
# Upgrade them only if shadow-util-linux.patch or
# encryption_method_nis.patch has to be ported!
# Call shadow-login_defs-check.sh before!
Provides: login_defs-support-for-pam = 1.3.1
Provides: login_defs-support-for-util-linux = 2.33.1
%description
This package includes the necessary programs for converting plain
@ -71,7 +97,7 @@ group accounts.
%prep
%setup -q -a 1
%patch0
%patch1 -p1
%patch1
%patch2
%patch3
%patch4
@ -81,6 +107,8 @@ group accounts.
%patch10
%patch11 -p1
%patch12 -p1
%patch13
%patch14
%if 0%{?suse_version} < 1330
%patch20 -p1
%endif

38
useradd-script.patch
View File

@ -1,6 +1,38 @@
--- src/useradd.c
Index: etc/login.defs
===================================================================
--- etc/login.defs.orig
+++ etc/login.defs
@@ -212,6 +212,13 @@ CHFN_RESTRICT rwh
DEFAULT_HOME yes
#
+# If defined, this command is run when adding a user.
+# It should rebuild any NIS database etc. to add the
+# new created account.
+#
+USERADD_CMD /usr/sbin/useradd.local
+
+#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
Index: lib/getdef.c
===================================================================
--- lib/getdef.c.orig
+++ lib/getdef.c
@@ -125,6 +125,7 @@ static struct itemdef def_table[] = {
{"UID_MAX", NULL},
{"UID_MIN", NULL},
{"UMASK", NULL},
+ {"USERADD_CMD", NULL},
{"USERDEL_CMD", NULL},
{"USERDEL_PRECMD", NULL},
{"USERDEL_POSTCMD", NULL},
Index: src/useradd.c
===================================================================
--- src/useradd.c.orig
+++ src/useradd.c
@@ -1982,6 +1982,30 @@ static void create_mail (void)
@@ -2115,6 +2115,30 @@ static void create_mail (void)
}
/*
@ -31,7 +63,7 @@
* main - useradd command
*/
int main (int argc, char **argv)
@@ -2242,6 +2266,7 @@ int main (int argc, char **argv)
@@ -2390,6 +2414,7 @@ int main (int argc, char **argv)
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");

64
userdel-script.patch
View File

@ -1,7 +1,51 @@
diff -urEbwB shadow-4.6/src/userdel.c shadow-4.6.new/src/userdel.c
--- shadow-4.6/src/userdel.c 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6.new/src/userdel.c 2018-05-14 16:13:43.996280216 +0200
@@ -125,7 +125,7 @@
Index: lib/getdef.c
===================================================================
--- lib/getdef.c.orig
+++ lib/getdef.c
@@ -126,6 +126,8 @@ static struct itemdef def_table[] = {
{"UID_MIN", NULL},
{"UMASK", NULL},
{"USERDEL_CMD", NULL},
+ {"USERDEL_PRECMD", NULL},
+ {"USERDEL_POSTCMD", NULL},
{"USERGROUPS_ENAB", NULL},
#ifndef USE_PAM
PAMDEFS
Index: etc/login.defs
===================================================================
--- etc/login.defs.orig
+++ etc/login.defs
@@ -216,9 +216,25 @@ DEFAULT_HOME yes
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
+# See also USERDEL_PRECMD and USERDEL_POSTCMD below.
+#
#USERDEL_CMD /usr/sbin/userdel_local
#
+# If defined, this command is run before removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed.
+#
+USERDEL_PRECMD /usr/sbin/userdel-pre.local
+
+#
+# If defined, this command is run after removing a user.
+# It should rebuild any NIS database etc. to remove the
+# account from it.
+#
+USERDEL_POSTCMD /usr/sbin/userdel-post.local
+
+#
# Enable setting of the umask group bits to be the same as owner bits
# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
# the same as gid, and username is the same as the primary group name.
Index: src/userdel.c
===================================================================
--- src/userdel.c.orig
+++ src/userdel.c
@@ -125,7 +125,7 @@ static void close_files (void);
static void fail_exit (int);
static void open_files (void);
static void update_user (void);
@ -10,7 +54,7 @@ diff -urEbwB shadow-4.6/src/userdel.c shadow-4.6.new/src/userdel.c
#ifdef EXTRA_CHECK_HOME_DIR
static bool path_prefix (const char *, const char *);
@@ -767,13 +767,13 @@
@@ -767,13 +767,13 @@ static void update_user (void)
* cron, at, or print jobs.
*/
@ -26,7 +70,7 @@ diff -urEbwB shadow-4.6/src/userdel.c shadow-4.6.new/src/userdel.c
if (NULL == cmd) {
return;
}
@@ -1213,9 +1213,10 @@
@@ -1213,9 +1213,10 @@ int main (int argc, char **argv)
}
/*
@ -35,20 +79,20 @@ diff -urEbwB shadow-4.6/src/userdel.c shadow-4.6.new/src/userdel.c
+ * Do the hard stuff - open the files, remove the user entries,
+ * remove the home directory, then close and update the files.
*/
+ call_script ("USERDEL_PRECMD", user_name);
+ call_script ("USERDEL_PRECMD", user_name);
open_files ();
update_user ();
update_groups ();
@@ -1319,7 +1320,7 @@
@@ -1319,7 +1320,7 @@ int main (int argc, char **argv)
* the entry from /etc/passwd.
*/
if(prefix[0] == '\0')
- user_cancel (user_name);
+ call_script ("USERDEL_CMD", user_name);
+ call_script ("USERDEL_CMD", user_name);
close_files ();
#ifdef WITH_TCB
@@ -1329,6 +1330,9 @@
@@ -1329,6 +1330,9 @@ int main (int argc, char **argv)
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");