forked from pool/shadow
Accepting request 700494 from home:sbrabec:branches:util-linux-2.33.1
- Split shadow-login_defs.patch hunks into their logical components (bsc#1121197):
  * shadow-login_defs-unused-by-pam.patch
  * shadow-login_defs-comments.patch
  * shadow-login_defs-util-linux.patch
  * shadow-login_defs-suse.patch
  * Move appropriate hunks to chkname-regex.patch and encryption_method_nis.patch
  * Remove GROUPADD_CMD that is not supported (bsc#1121197#c14).
- Split getdef-new-defs.patch hunks into their logical components (bsc#1121197):
  * encryption_method_nis.patch
  * chkname-regex.patch
  * shadow-util-linux.patch
    Add support for login: ALWAYS_SET_PATH and LOGIN_PLAIN_PROMPT.
  * useradd-script.patch, userdel-script.patch
  * Remove duplicated definitions of MOTD_FILE and ENV_PATH.
- Add shadow-login_defs-unused-check.sh to allow verification of login.defs variable usage (bsc#1121197).
- Add virtual symbols for login.defs compatibility (bsc#1121197).
OBS-URL: https://build.opensuse.org/request/show/700494
OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=63
This commit is contained in:
parent
999ade1779
commit
4e43c817a1
@ -1,3 +1,19 @@
|
|||||||
|
Index: etc/login.defs
|
||||||
|
===================================================================
|
||||||
|
--- etc/login.defs.orig
|
||||||
|
+++ etc/login.defs
|
||||||
|
@@ -274,3 +274,11 @@ USERGROUPS_ENAB yes
|
||||||
|
# missing.
|
||||||
|
#
|
||||||
|
#FORCE_SHADOW yes
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# User/group names must match the following regex expression.
|
||||||
|
+# The default is [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?,
|
||||||
|
+# but be aware that the result could depend on the locale settings.
|
||||||
|
+#
|
||||||
|
+#CHARACTER_CLASS [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?
|
||||||
|
+CHARACTER_CLASS [ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_][ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-]*[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$-]\?
|
||||||
Index: lib/getdef.c
|
Index: lib/getdef.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- lib/getdef.c.orig
|
--- lib/getdef.c.orig
|
||||||
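Review bot: The active `CHARACTER_CLASS` line enumerates every ASCII letter and digit while the commented default directly above keeps the `A-Z`/`a-z` ranges, and the comment only says the result "could depend on the locale settings" without saying that the enumeration is the fix; the next person to touch the file is likely to "simplify" it back to ranges and silently reintroduce locale-dependent user-name validation. Suggest making the reason explicit: `# Bracket ranges such as [A-Z] are interpreted by the regex library according to the current locale (LC_COLLATE) and may accept characters outside ASCII; the active value spells the characters out so that user/group name validation is locale-independent.` It would also help to state that both the default and the active value must express the same set and be changed together, and — if that is the intent — that the trailing `$` is accepted only as the last character (presumably for Samba machine accounts; please confirm).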
|
@ -1,10 +1,32 @@
|
|||||||
--- lib/getdef.c
|
Add support for ENCRYPT_METHOD_NIS used by pam: modules/pam_unix/pam_unix_passwd.c.
|
||||||
|
|
||||||
|
Index: lib/getdef.c
|
||||||
|
===================================================================
|
||||||
|
--- lib/getdef.c.orig
|
||||||
+++ lib/getdef.c
|
+++ lib/getdef.c
|
||||||
@@ -58,6 +58,7 @@ static struct itemdef def_table[] = {
|
@@ -85,6 +85,7 @@ static struct itemdef def_table[] = {
|
||||||
{"CREATE_HOME", NULL},
|
{"CREATE_HOME", NULL},
|
||||||
{"DEFAULT_HOME", NULL},
|
{"DEFAULT_HOME", NULL},
|
||||||
{"ENCRYPT_METHOD", NULL},
|
{"ENCRYPT_METHOD", NULL},
|
||||||
+ {"ENCRYPT_METHOD_NIS", NULL},
|
+ {"ENCRYPT_METHOD_NIS", NULL},
|
||||||
{"ENV_PATH", NULL},
|
{"ENV_PATH", NULL},
|
||||||
|
{"ENV_ROOTPATH", NULL},
|
||||||
{"ENV_SUPATH", NULL},
|
{"ENV_SUPATH", NULL},
|
||||||
{"ERASECHAR", NULL},
|
Index: etc/login.defs
|
||||||
|
===================================================================
|
||||||
|
--- etc/login.defs.orig
|
||||||
|
+++ etc/login.defs
|
||||||
|
@@ -187,10 +187,13 @@ CHFN_RESTRICT rwh
|
||||||
|
# If set to DES, DES-based algorithm will be used for encrypting password (default)
|
||||||
|
# Overrides the MD5_CRYPT_ENAB option
|
||||||
|
#
|
||||||
|
+# ENCRYPT_METHOD_NIS is used by pam_unix_passwd.so.
|
||||||
|
+#
|
||||||
|
# Note: If you use PAM, it is recommended to use a value consistent with
|
||||||
|
# the PAM modules configuration.
|
||||||
|
#
|
||||||
|
#ENCRYPT_METHOD DES
|
||||||
|
+#ENCRYPT_METHOD_NIS DES
|
||||||
|
|
||||||
|
#
|
||||||
|
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
|
||||||
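Review bot: The new def_table entry `{"ENCRYPT_METHOD_NIS", NULL},` in lib/getdef.c registers the key so the parser accepts it, but nothing in this patch makes shadow itself read the value and the login.defs text only says that pam_unix_passwd.so uses it, so a maintainer will go looking for a consumer in shadow that does not exist. A one-line comment next to the entry, e.g. `/* Consumed by pam_unix (pam_unix_passwd.c); listed so getdef accepts it as a known key */`, would record that. The login.defs sentence `# ENCRYPT_METHOD_NIS is used by pam_unix_passwd.so.` could likewise say what the value selects — presumably the hash method applied when a password is changed through NIS, to be confirmed against pam_unix — and that it takes the same set of values as ENCRYPT_METHOD listed above it.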
|
@ -1,34 +0,0 @@
|
|||||||
Index: lib/getdef.c
|
|
||||||
===================================================================
|
|
||||||
--- lib/getdef.c.orig
|
|
||||||
+++ lib/getdef.c
|
|
||||||
@@ -91,6 +91,7 @@ static struct itemdef def_table[] = {
|
|
||||||
{"FAKE_SHELL", NULL},
|
|
||||||
{"GID_MAX", NULL},
|
|
||||||
{"GID_MIN", NULL},
|
|
||||||
+ {"GROUPADD_CMD", NULL},
|
|
||||||
{"HUSHLOGIN_FILE", NULL},
|
|
||||||
{"KILLCHAR", NULL},
|
|
||||||
{"LOGIN_RETRIES", NULL},
|
|
||||||
@@ -126,7 +127,10 @@ static struct itemdef def_table[] = {
|
|
||||||
{"UID_MAX", NULL},
|
|
||||||
{"UID_MIN", NULL},
|
|
||||||
{"UMASK", NULL},
|
|
||||||
+ {"USERADD_CMD", NULL},
|
|
||||||
{"USERDEL_CMD", NULL},
|
|
||||||
+ {"USERDEL_PRECMD", NULL},
|
|
||||||
+ {"USERDEL_POSTCMD", NULL},
|
|
||||||
{"USERGROUPS_ENAB", NULL},
|
|
||||||
#ifndef USE_PAM
|
|
||||||
PAMDEFS
|
|
||||||
@@ -149,6 +153,10 @@ static struct itemdef knowndef_table[] =
|
|
||||||
#ifdef USE_PAM
|
|
||||||
PAMDEFS
|
|
||||||
#endif
|
|
||||||
+ /* Used by /bin/login */
|
|
||||||
+ {"MOTD_FILE", NULL},
|
|
||||||
+ {"ENV_PATH", NULL},
|
|
||||||
+ {"ENV_ROOTPATH", NULL},
|
|
||||||
{NULL, NULL}
|
|
||||||
};
|
|
||||||
|
|
256
shadow-login_defs-check.sh
Normal file
256
shadow-login_defs-check.sh
Normal file
@ -0,0 +1,256 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# login.defs and lib/getdef.c contain support for third party variables.
|
||||||
|
# It also contains support for variables that are unusable in installations with PAM support enabled.
|
||||||
|
# This script generates a list of used and unused variables in login.defs
|
||||||
|
# with respect to the current configuration.
|
||||||
|
# Arguments: arguments of osc build
|
||||||
|
# If the shadow-login_defs-check-unused.lst is generated, you should
|
||||||
|
# update login.defs.
|
||||||
|
|
||||||
|
set -o errexit
|
||||||
|
|
||||||
|
echo "Preparing..."
|
||||||
|
|
||||||
|
# Check for required commands
|
||||||
|
which quilt >/dev/null
|
||||||
|
which osc >/dev/null
|
||||||
|
|
||||||
|
# login.defs is shared with util-linux login, su and runuser.
|
||||||
|
# Extract list of referenced variables.
|
||||||
|
if ! test -f openSUSE:Factory/util-linux/BUILD/*/configure.ac ; then
|
||||||
|
echo "Checking out util-linux..."
|
||||||
|
osc co openSUSE:Factory util-linux
|
||||||
|
cd openSUSE:Factory/util-linux
|
||||||
|
quilt setup -d BUILD util-linux.spec
|
||||||
|
cd BUILD/*
|
||||||
|
quilt push -a
|
||||||
|
cd ../../../..
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Extracting variables from util-linux..."
|
||||||
|
cd openSUSE:Factory/util-linux/BUILD/*
|
||||||
|
(
|
||||||
|
grep -rh getlogindefs . |
|
||||||
|
sed -n 's/^.*getlogindefs[a-z_]*("\([A-Z0-9_]*\)".*$/\1/p'
|
||||||
|
grep -rh logindefs_setenv . |
|
||||||
|
sed -n 's/^.*logindefs_setenv*("[A-Z0-9_]*", "\([A-Z0-9_]*\)".*$/\1/p'
|
||||||
|
) |
|
||||||
|
LC_ALL=C sort -u >../../../../shadow-login_defs-check-util-linux.lst
|
||||||
|
cd ../../../..
|
||||||
|
|
||||||
|
# login.defs is shared pam_unix*.so, pam_faildelay.so and pam_umask.so.
|
||||||
|
# Extract list of referenced variables.
|
||||||
|
if ! test -f openSUSE:Factory/pam/BUILD/*/configure.ac ; then
|
||||||
|
echo "Checking out pam..."
|
||||||
|
osc co openSUSE:Factory pam
|
||||||
|
cd openSUSE:Factory/pam
|
||||||
|
quilt setup -d BUILD pam.spec
|
||||||
|
cd BUILD/*
|
||||||
|
quilt push -a
|
||||||
|
cd ../../../..
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Extracting variables from pam..."
|
||||||
|
cd openSUSE:Factory/pam/BUILD/*
|
||||||
|
grep -rh LOGIN_DEFS . |
|
||||||
|
sed -n 's/^.*search_key *("\([A-Z0-9_]*\)", *LOGIN_DEFS).*$/\1/p' |
|
||||||
|
LC_ALL=C sort -u >../../../../shadow-login_defs-check-pam.lst
|
||||||
|
cd ../../../..
|
||||||
|
|
||||||
|
if ! test -f shadow-login_defs-check-build/stamp ; then
|
||||||
|
echo "Performing preprocessing of shadow by osc..."
|
||||||
|
if ! test -f shadow.spec.shadow-login_defs-check-save ; then
|
||||||
|
cp -a shadow.spec shadow.spec.shadow-login_defs-check-save
|
||||||
|
|
||||||
|
# In case of shadow, variables extraction is more complicated. The list
|
||||||
|
# depends on configure options, so we have to perform a fake build and
|
||||||
|
# extract variables from prepreocessed sources.
|
||||||
|
patch <<EOF
|
||||||
|
--- shadow.spec
|
||||||
|
+++ shadow.spec
|
||||||
|
@@ -131,1 +131,1 @@
|
||||||
|
-make
|
||||||
|
+make V=1 -k CPPFLAGS="-E"
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
|
|
||||||
|
osc build "$@" || :
|
||||||
|
echo "This build command was expected to fail."
|
||||||
|
echo ""
|
||||||
|
mv shadow.spec.shadow-login_defs-check-save shadow.spec
|
||||||
|
|
||||||
|
BUILD_ROOT=$(osc lbl | sed -n 's/^.*Using BUILD_ROOT=//p')
|
||||||
|
BUILD_DIR=$(osc lbl | sed -n 's/^.* cd //p' | head -n1)
|
||||||
|
rm -rf shadow-login_defs-check-build
|
||||||
|
mkdir shadow-login_defs-check-build
|
||||||
|
cp -a "$BUILD_ROOT/$BUILD_DIR"/shadow-* shadow-login_defs-check-build/
|
||||||
|
touch shadow-login_defs-check-build/stamp
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Extracting list of deleted binaries..."
|
||||||
|
sed -n 's~rm %{buildroot}/%{_\(s\|\)bindir}/\(.*\)$~\2~p' <shadow.spec >shadow-login_defs-check-deleted.lst
|
||||||
|
|
||||||
|
# The build above is optional only for case of failure or edits in the
|
||||||
|
# code below. If any other build was performed, don't expect correct
|
||||||
|
# results.
|
||||||
|
|
||||||
|
cd shadow-login_defs-check-build/shadow-*
|
||||||
|
|
||||||
|
echo "Extracting variables from etc/login.defs..."
|
||||||
|
# Extract variables referenced in login.defs, both active and commented out.
|
||||||
|
sed -n "s/^#//;s/\([A-Z0-9_]*\)[[:space:]].*$/\1/p" <etc/login.defs | sed '/^$/d' | uniq | sed '/^$/d' >../../shadow-login_defs-check-login_defs.lst
|
||||||
|
LC_ALL=C sort -u ../../shadow-login_defs-check-login_defs.lst >../../shadow-login_defs-check-login_defs-sorted.lst
|
||||||
|
|
||||||
|
echo "Extracting variables from lib/getdef.c..."
|
||||||
|
# Extract variables referenced in lib/getdef.c using current defines.
|
||||||
|
sed -n 's/^\(},\|\) {"\([A-Z0-9_]*\)", /\2/p' <lib/getdef.o >../../shadow-login_defs-check-getdef.lst
|
||||||
|
LC_ALL=C sort -u ../../shadow-login_defs-check-getdef.lst >../../shadow-login_defs-check-getdef-sorted.lst
|
||||||
|
|
||||||
|
echo "Extracting variables from shadow..."
|
||||||
|
# Extract variables referenced in preprocessed files.
|
||||||
|
grep -r '\(getdef[a-z_]*\|call_script\|is_listed\) *( *"[A-Za-z0-9_]*"' |
|
||||||
|
grep '[^ ]*\.o:' >../../shadow-login_defs-check-shadow.log
|
||||||
|
|
||||||
|
cd ../..
|
||||||
|
|
||||||
|
export RC=0
|
||||||
|
echo ""
|
||||||
|
echo ""
|
||||||
|
echo "Performing checks..."
|
||||||
|
|
||||||
|
sed '
|
||||||
|
s/^.*\(getdef[a-z_]*\|call_script\|is_listed*\) *( *"\([A-Za-z0-9_]*\)".*$/\2/
|
||||||
|
' <shadow-login_defs-check-shadow.log | LC_ALL=C sort -u >../../shadow-login_defs-check-shadow-all.lst
|
||||||
|
|
||||||
|
sed 's%^\(.*\)%/^.*\\\/\1\.o:/d%' <shadow-login_defs-check-deleted.lst >shadow-login_defs-check-deleted.sed
|
||||||
|
sed -f shadow-login_defs-check-deleted.sed <shadow-login_defs-check-shadow.log |
|
||||||
|
sed '
|
||||||
|
s/^.*\(getdef[a-z_]*\|call_script\|is_listed*\) *( *"\([A-Za-z0-9_]*\)".*$/\2/
|
||||||
|
' | LC_ALL=C sort -u >shadow-login_defs-check-shadow-used.lst
|
||||||
|
|
||||||
|
if ! test -s shadow-login_defs-check-deleted.sed ; then
|
||||||
|
echo " BUG: Empty shadow-login_defs-check-deleted.sed Results will be unreliable!"
|
||||||
|
if test $RC -le 4 ; then export RC=4 ; fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo ""
|
||||||
|
echo "Checking that variables in login.defs are referred only once..."
|
||||||
|
if test $(wc -l shadow-login_defs-check-login_defs.lst | sed 's/ .*//') != $(wc -l shadow-login_defs-check-login_defs-sorted.lst | sed 's/ .*//') ; then
|
||||||
|
echo " ERROR: Some variable referred at more places of login.defs!"
|
||||||
|
LC_ALL=C sort shadow-login_defs-check-login_defs.lst >shadow-login_defs-check-login_defs-sorted-nu.lst
|
||||||
|
diff shadow-login_defs-check-login_defs-sorted-nu.lst shadow-login_defs-check-login_defs-sorted.lst
|
||||||
|
if test $RC -le 3 ; then export RC=3 ; fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo ""
|
||||||
|
echo "Checking that variables in lib/getdef.c are referred only once..."
|
||||||
|
if test $(wc -l shadow-login_defs-check-getdef.lst | sed 's/ .*//') != $(wc -l shadow-login_defs-check-getdef-sorted.lst | sed 's/ .*//') ; then
|
||||||
|
echo " ERROR: Some variable referred at more places of lib/getdef.c!"
|
||||||
|
LC_ALL=C sort shadow-login_defs-check-getdef.lst >shadow-login_defs-check-getdef-sorted-nu.lst
|
||||||
|
diff shadow-login_defs-check-getdef-sorted-nu.lst shadow-login_defs-check-getdef-sorted.lst
|
||||||
|
if test $RC -le 3 ; then export RC=3 ; fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
cat shadow-login_defs-check-shadow-used.lst shadow-login_defs-check-util-linux.lst shadow-login_defs-check-pam.lst | LC_ALL=C sort -u >shadow-login_defs-check-all-used.lst
|
||||||
|
# RC inside pipe cannot be read directly. Use 3 for a real stdout inside the pipe, and use stdout for RC.
|
||||||
|
exec 3>&1
|
||||||
|
function report_packages() {
|
||||||
|
echo -n " ("
|
||||||
|
grep -l $1 shadow-login_defs-check-{shadow-used,util-linux,pam}.lst |
|
||||||
|
sed 's/shadow-login_defs-check-//;s/\.lst//;s/-used//;s/$/, /;$s/, $//' |
|
||||||
|
tr -d '\n'
|
||||||
|
echo -n ")"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Extracting variables from shadow is not capable to identify compiled-but-unused library code.
|
||||||
|
# This function will identify known false matches.
|
||||||
|
function falsematch() {
|
||||||
|
case "$1" in
|
||||||
|
# MAIL_* used by library call mailcheck() used only by login.c that is deleted in the spec.
|
||||||
|
MAIL_* ) return 0 ;;
|
||||||
|
# FTMP_FILE used by library call failtmp() used only by login.c that is deleted in the spec.
|
||||||
|
FTMP_FILE ) return 0 ;;
|
||||||
|
# ISSUE_FILE used by library call login_prompt() used only by login.c that is deleted in the spec.
|
||||||
|
ISSUE_FILE ) return 0 ;;
|
||||||
|
* ) return 1 ;;
|
||||||
|
esac
|
||||||
|
}
|
||||||
|
|
||||||
|
echo ""
|
||||||
|
echo "Checking that all used variables are covered by login.defs..."
|
||||||
|
RC=$(cat shadow-login_defs-check-all-used.lst | (
|
||||||
|
while read ; do
|
||||||
|
if falsematch "$REPLY" ; then
|
||||||
|
echo " FALSE MATCH: Variable $REPLY is not present in login.defs$(report_packages $REPLY)" >&3
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
if ! grep -q -x "$REPLY" shadow-login_defs-check-login_defs-sorted.lst ; then
|
||||||
|
echo " NOTICE: Variable $REPLY is not present in login.defs$(report_packages $REPLY)" >&3
|
||||||
|
if test $RC -le 2 ; then RC=2 ; fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
echo $RC
|
||||||
|
) )
|
||||||
|
|
||||||
|
echo ""
|
||||||
|
echo "Checking that all used variables are covered by lib/getdef.c..."
|
||||||
|
RC=$(cat shadow-login_defs-check-all-used.lst | (
|
||||||
|
while read ; do
|
||||||
|
if falsematch "$REPLY" ; then continue ; fi
|
||||||
|
if ! grep -q -x "$REPLY" shadow-login_defs-check-getdef.lst ; then
|
||||||
|
echo " ERROR: Variable $REPLY is missing in the parser$(report_packages $REPLY)" >&3
|
||||||
|
if test $RC -le 3 ; then RC=3 ; fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
echo $RC
|
||||||
|
) )
|
||||||
|
|
||||||
|
echo ""
|
||||||
|
echo "Checking that all used variables referred in login.defs are valid..."
|
||||||
|
RC=$(cat shadow-login_defs-check-login_defs.lst | (
|
||||||
|
while read ; do
|
||||||
|
if ! grep -q -x "$REPLY" shadow-login_defs-check-all-used.lst ; then
|
||||||
|
echo " ERROR: Failed to find reference for $REPLY" >&3
|
||||||
|
if test $RC -le 3 ; then RC=3 ; fi
|
||||||
|
fi
|
||||||
|
if ! grep -q -x "$REPLY" shadow-login_defs-check-getdef.lst ; then
|
||||||
|
echo " BUG: Parser does not contain reference for $REPLY" >&3
|
||||||
|
if test $RC -le 4 ; then RC=4 ; fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
echo $RC
|
||||||
|
) )
|
||||||
|
|
||||||
|
|
||||||
|
echo ""
|
||||||
|
echo ""
|
||||||
|
echo "All checks finished."
|
||||||
|
echo -n "Result: "
|
||||||
|
case $RC in
|
||||||
|
0) echo "OK." ;;
|
||||||
|
1) echo "Notices only. Action is optional." ;;
|
||||||
|
2) echo "Warnings only. Evaluation is needed." ;;
|
||||||
|
3) echo "Errors found. Fix is recommended." ;;
|
||||||
|
4) echo "Fatal error. Fix has to be done." ;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
if test $RC -ge 1 ; then
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "
|
||||||
|
If you ported shadow-util-linux.patch to the new util-linux version,
|
||||||
|
please submit these updates:
|
||||||
|
Change in util-linux.spec:"
|
||||||
|
sed -n 's/^Version:[[:space:]]*/Requires: login_defs-support-for-util-linux >= /p' <openSUSE\:Factory/util-linux/util-linux.spec
|
||||||
|
echo "Change in shadow.spec:"
|
||||||
|
sed -n 's/^Version:[[:space:]]*/Provides: login_defs-support-for-util-linux = /p' <openSUSE\:Factory/util-linux/util-linux.spec
|
||||||
|
|
||||||
|
echo "
|
||||||
|
If you ported encryption_method_nis.patch to the new pam version,
|
||||||
|
please submit these updates:
|
||||||
|
Change in pam.spec:"
|
||||||
|
sed -n 's/^Version:[[:space:]]*/Requires: login_defs-support-for-pam >= /p' <openSUSE\:Factory/pam/pam.spec
|
||||||
|
echo "Change in shadow.spec:"
|
||||||
|
sed -n 's/^Version:[[:space:]]*/Provides: login_defs-support-for-pam = /p' <openSUSE\:Factory/pam/pam.spec
|
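Review bot: `grep -l $1` in report_packages is an unanchored, unquoted regex match, so a variable name that is a substring of another (UID_MAX inside SUB_UID_MAX, GID_MIN inside SYS_GID_MIN, ENV_PATH inside ENV_ROOTPATH) is attributed to every package that references the longer name; the checks themselves use `grep -q -x`, so this should be `grep -l -x -- "$1"` for the same whole-line semantics. Separately, the first `sed` over shadow-login_defs-check-shadow.log redirects to `>../../../../shadow-login_defs-check-shadow-all.lst` after the script has already returned with `cd ../..`, so the "all" list lands four directories above the checkout instead of next to the other `.lst` files; the path looks like a leftover from before that `cd` and should be `>shadow-login_defs-check-shadow-all.lst`. With `set -o errexit` on, any failure between the `cp -a shadow.spec ...-save` backup and the `mv` restore leaves shadow.spec patched with `make V=1 -k CPPFLAGS="-E"`; a `trap` on EXIT that restores the backup if it exists would make aborted runs safe. The commit message and the header of shadow-login_defs-unused-by-pam.patch call this script shadow-login_defs-unused-check.sh, while the file added is shadow-login_defs-check.sh — one of the two names should be corrected.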
87
shadow-login_defs-comments.patch
Normal file
87
shadow-login_defs-comments.patch
Normal file
@ -0,0 +1,87 @@
|
|||||||
|
Improve comments in login.defs.
|
||||||
|
|
||||||
|
Index: etc/login.defs
|
||||||
|
===================================================================
|
||||||
|
--- etc/login.defs.orig
|
||||||
|
+++ etc/login.defs
|
||||||
|
@@ -3,8 +3,6 @@
|
||||||
|
# Some variables are used by login(1), su(1) and runuser(1) from util-linux
|
||||||
|
# package as well pam pam_unix(8) from pam package.
|
||||||
|
#
|
||||||
|
-# $Id$
|
||||||
|
-#
|
||||||
|
|
||||||
|
#
|
||||||
|
# Delay in seconds before being allowed another attempt after a login failure
|
||||||
|
@@ -79,11 +77,14 @@ ENV_PATH /bin:/usr/bin
|
||||||
|
ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin
|
||||||
|
#ENV_SUPATH /sbin:/bin:/usr/sbin:/usr/bin
|
||||||
|
|
||||||
|
-# If this variable is set to "yes", su will always set path. every su
|
||||||
|
-# call will overwrite the PATH variable.
|
||||||
|
+# If this variable is set to "yes" (default is "no"), su will always set
|
||||||
|
+# path. every su call will overwrite the PATH variable.
|
||||||
|
#
|
||||||
|
# Per default, only "su -" will set a new PATH.
|
||||||
|
#
|
||||||
|
+# The recommended value is "yes". The default "no" behavior could have
|
||||||
|
+# a security implication in applications that use commands without path.
|
||||||
|
+#
|
||||||
|
ALWAYS_SET_PATH no
|
||||||
|
|
||||||
|
#
|
||||||
|
@@ -123,6 +124,11 @@ PASS_WARN_AGE 7
|
||||||
|
#
|
||||||
|
# Min/max values for automatic uid selection in useradd(8)
|
||||||
|
#
|
||||||
|
+# SYS_UID_MIN to SYS_UID_MAX inclusive is the range for
|
||||||
|
+# UIDs for dynamically allocated administrative and system accounts.
|
||||||
|
+# UID_MIN to UID_MAX inclusive is the range of UIDs of dynamically
|
||||||
|
+# allocated user accounts.
|
||||||
|
+#
|
||||||
|
UID_MIN 1000
|
||||||
|
UID_MAX 60000
|
||||||
|
# System accounts
|
||||||
|
@@ -136,6 +142,11 @@ SUB_UID_COUNT 65536
|
||||||
|
#
|
||||||
|
# Min/max values for automatic gid selection in groupadd(8)
|
||||||
|
#
|
||||||
|
+# SYS_GID_MIN to SYS_GID_MAX inclusive is the range for
|
||||||
|
+# GIDs for dynamically allocated administrative and system groups.
|
||||||
|
+# GID_MIN to GID_MAX inclusive is the range of GIDs of dynamically
|
||||||
|
+# allocated groups.
|
||||||
|
+#
|
||||||
|
GID_MIN 1000
|
||||||
|
GID_MAX 60000
|
||||||
|
# System accounts
|
||||||
|
@@ -165,7 +176,6 @@ LOGIN_TIMEOUT 60
|
||||||
|
CHFN_RESTRICT rwh
|
||||||
|
|
||||||
|
#
|
||||||
|
-# Only works if compiled with MD5_CRYPT defined:
|
||||||
|
# If set to "yes", new passwords will be encrypted using the MD5-based
|
||||||
|
# algorithm compatible with the one used by recent releases of FreeBSD.
|
||||||
|
# It supports passwords of unlimited length and longer salt strings.
|
||||||
|
@@ -180,7 +190,6 @@ CHFN_RESTRICT rwh
|
||||||
|
#MD5_CRYPT_ENAB no
|
||||||
|
|
||||||
|
#
|
||||||
|
-# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
|
||||||
|
# If set to MD5, MD5-based algorithm will be used for encrypting password
|
||||||
|
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
|
||||||
|
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
|
||||||
|
@@ -196,6 +205,14 @@ CHFN_RESTRICT rwh
|
||||||
|
#ENCRYPT_METHOD_NIS DES
|
||||||
|
|
||||||
|
#
|
||||||
|
+# Number of rounds for salt.
|
||||||
|
+# Default values:
|
||||||
|
+# Minimum number of rounds.
|
||||||
|
+#SHA_CRYPT_MIN_ROUNDS 1000
|
||||||
|
+# Maximum number of rounds.
|
||||||
|
+#SHA_CRYPT_MAX_ROUNDS 999999999
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
|
||||||
|
#
|
||||||
|
# Define the number of SHA rounds.
|
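Review bot: The added block labels `#SHA_CRYPT_MIN_ROUNDS 1000` and `#SHA_CRYPT_MAX_ROUNDS 999999999` as "Default values", but if I read login.defs(5) correctly those are the lowest and highest values the settings accept (out-of-range values are clamped) and the number of rounds used when neither is set is 5000; an admin who takes 1000 as the default and "raises" it to 2000 would actually weaken the hash relative to the shipped behaviour. Suggest replacing `# Default values:` with `# Allowed range for the number of SHA rounds (values outside it are clamped); when neither variable is set, the default is 5000.` The sentence `# The recommended value is "yes". The default "no" behavior could have a security implication in applications that use commands without path.` names no concrete risk; clearer would be `# With "no", a plain "su" keeps the calling user's PATH, so a directory controlled by that user can shadow commands run in the root shell.` If "yes" really is the recommendation, the `ALWAYS_SET_PATH no` shipped right below it deserves a stated reason.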
137
shadow-login_defs-suse.patch
Normal file
137
shadow-login_defs-suse.patch
Normal file
@ -0,0 +1,137 @@
|
|||||||
|
Set login.defs defaults for SUSE Linux.
|
||||||
|
|
||||||
|
Index: etc/login.defs
|
||||||
|
===================================================================
|
||||||
|
--- etc/login.defs.orig
|
||||||
|
+++ etc/login.defs
|
||||||
|
@@ -3,6 +3,9 @@
|
||||||
|
# Some variables are used by login(1), su(1) and runuser(1) from util-linux
|
||||||
|
# package as well pam pam_unix(8) from pam package.
|
||||||
|
#
|
||||||
|
+# For more, see login.defs(5). Please note that SUSE supports only variables
|
||||||
|
+# listed here! Not listed variables from login.defs(5) have no effect.
|
||||||
|
+#
|
||||||
|
|
||||||
|
#
|
||||||
|
# Delay in seconds before being allowed another attempt after a login failure
|
||||||
|
@@ -53,8 +56,8 @@ MOTD_FILE /etc/motd
|
||||||
|
# user's name or shell are found in the file. If not a full pathname, then
|
||||||
|
# hushed mode will be enabled if the file exists in the user's home directory.
|
||||||
|
#
|
||||||
|
-HUSHLOGIN_FILE .hushlogin
|
||||||
|
-#HUSHLOGIN_FILE /etc/hushlogins
|
||||||
|
+#HUSHLOGIN_FILE .hushlogin
|
||||||
|
+HUSHLOGIN_FILE /etc/hushlogins
|
||||||
|
|
||||||
|
# If this variable is set to "yes", hostname will be suppressed in the
|
||||||
|
# login: prompt.
|
||||||
|
@@ -73,9 +76,9 @@ HUSHLOGIN_FILE .hushlogin
|
||||||
|
# ENV_SUPATH is an ENV_ROOTPATH override for su and runuser
|
||||||
|
# (and falback for login).
|
||||||
|
#
|
||||||
|
-ENV_PATH /bin:/usr/bin
|
||||||
|
-ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin
|
||||||
|
-#ENV_SUPATH /sbin:/bin:/usr/sbin:/usr/bin
|
||||||
|
+ENV_PATH /usr/local/bin:/bin:/usr/bin
|
||||||
|
+ENV_ROOTPATH /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
||||||
|
+#ENV_SUPATH /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
||||||
|
|
||||||
|
# If this variable is set to "yes" (default is "no"), su will always set
|
||||||
|
# path. every su call will overwrite the PATH variable.
|
||||||
|
@@ -99,7 +102,7 @@ ALWAYS_SET_PATH no
|
||||||
|
# set TTYPERM to either 622 or 600.
|
||||||
|
#
|
||||||
|
TTYGROUP tty
|
||||||
|
-TTYPERM 0600
|
||||||
|
+TTYPERM 0620
|
||||||
|
|
||||||
|
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
|
||||||
|
# Default "umask" value for pam_umask(8) on PAM enabled systems.
|
||||||
|
@@ -132,8 +135,8 @@ PASS_WARN_AGE 7
|
||||||
|
UID_MIN 1000
|
||||||
|
UID_MAX 60000
|
||||||
|
# System accounts
|
||||||
|
-SYS_UID_MIN 101
|
||||||
|
-SYS_UID_MAX 999
|
||||||
|
+SYS_UID_MIN 100
|
||||||
|
+SYS_UID_MAX 499
|
||||||
|
# Extra per user uids
|
||||||
|
SUB_UID_MIN 100000
|
||||||
|
SUB_UID_MAX 600100000
|
||||||
|
@@ -150,8 +153,8 @@ SUB_UID_COUNT 65536
|
||||||
|
GID_MIN 1000
|
||||||
|
GID_MAX 60000
|
||||||
|
# System accounts
|
||||||
|
-SYS_GID_MIN 101
|
||||||
|
-SYS_GID_MAX 999
|
||||||
|
+SYS_GID_MIN 100
|
||||||
|
+SYS_GID_MAX 499
|
||||||
|
# Extra per user group ids
|
||||||
|
SUB_GID_MIN 100000
|
||||||
|
SUB_GID_MAX 600100000
|
||||||
|
@@ -160,7 +163,7 @@ SUB_GID_COUNT 65536
|
||||||
|
#
|
||||||
|
# Max number of login(1) retries if password is bad
|
||||||
|
#
|
||||||
|
-LOGIN_RETRIES 5
|
||||||
|
+LOGIN_RETRIES 3
|
||||||
|
|
||||||
|
#
|
||||||
|
# Max time in seconds for login(1)
|
||||||
|
@@ -176,18 +179,9 @@ LOGIN_TIMEOUT 60
|
||||||
|
CHFN_RESTRICT rwh
|
||||||
|
|
||||||
|
#
|
||||||
|
-# If set to "yes", new passwords will be encrypted using the MD5-based
|
||||||
|
-# algorithm compatible with the one used by recent releases of FreeBSD.
|
||||||
|
-# It supports passwords of unlimited length and longer salt strings.
|
||||||
|
-# Set to "no" if you need to copy encrypted passwords to other systems
|
||||||
|
-# which don't understand the new algorithm. Default is "no".
|
||||||
|
-#
|
||||||
|
-# Note: If you use PAM, it is recommended to use a value consistent with
|
||||||
|
-# the PAM modules configuration.
|
||||||
|
-#
|
||||||
|
-# This variable is deprecated. You should use ENCRYPT_METHOD instead.
|
||||||
|
+# This variable is deprecated. Use ENCRYPT_METHOD instead!
|
||||||
|
#
|
||||||
|
-#MD5_CRYPT_ENAB no
|
||||||
|
+#MD5_CRYPT_ENAB DO_NOT_USE
|
||||||
|
|
||||||
|
#
|
||||||
|
# If set to MD5, MD5-based algorithm will be used for encrypting password
|
||||||
|
@@ -201,8 +195,8 @@ CHFN_RESTRICT rwh
|
||||||
|
# Note: If you use PAM, it is recommended to use a value consistent with
|
||||||
|
# the PAM modules configuration.
|
||||||
|
#
|
||||||
|
-#ENCRYPT_METHOD DES
|
||||||
|
-#ENCRYPT_METHOD_NIS DES
|
||||||
|
+ENCRYPT_METHOD SHA512
|
||||||
|
+ENCRYPT_METHOD_NIS DES
|
||||||
|
|
||||||
|
#
|
||||||
|
# Number of rounds for salt.
|
||||||
|
@@ -271,7 +265,7 @@ USERDEL_POSTCMD /usr/sbin/userde
|
||||||
|
#
|
||||||
|
# This also enables userdel(8) to remove user groups if no members exist.
|
||||||
|
#
|
||||||
|
-USERGROUPS_ENAB yes
|
||||||
|
+USERGROUPS_ENAB no
|
||||||
|
|
||||||
|
#
|
||||||
|
# If set to a non-zero number, the shadow utilities will make sure that
|
||||||
|
@@ -290,13 +284,13 @@ USERGROUPS_ENAB yes
|
||||||
|
# This option is overridden with the -M or -m flags on the useradd(8)
|
||||||
|
# command-line.
|
||||||
|
#
|
||||||
|
-#CREATE_HOME yes
|
||||||
|
+CREATE_HOME no
|
||||||
|
|
||||||
|
#
|
||||||
|
# Force use shadow, even if shadow passwd & shadow group files are
|
||||||
|
# missing.
|
||||||
|
#
|
||||||
|
-#FORCE_SHADOW yes
|
||||||
|
+FORCE_SHADOW no
|
||||||
|
|
||||||
|
#
|
||||||
|
# User/group names must match the following regex expression.
|
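Review bot: `ENCRYPT_METHOD_NIS DES` is activated with no explanation directly after `ENCRYPT_METHOD SHA512`, and the only nearby guidance is the generic `# If set to DES, DES-based algorithm will be used for encrypting password (default)`, which gives no hint that traditional DES crypt truncates the password to 8 characters and is brute-forceable on commodity hardware; an admin cannot tell whether the asymmetry is deliberate. Suggest a comment above the line such as `# DES is kept for NIS only because legacy NIS clients may not understand newer hashes; it truncates passwords to 8 characters and is weak — switch to SHA512 (or MD5 at minimum) once every client supports it.` The `#MD5_CRYPT_ENAB DO_NOT_USE` placeholder discourages use nicely, but a reader will wonder what happens if it is uncommented; if getdef treats any value other than "yes" as "no" (not verifiable from this hunk), saying so in the comment would close that question.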
@ -1,17 +1,14 @@
|
|||||||
|
Remove variables that are present in login.defs, but shadow with the
|
||||||
|
current configuration (e. g. with PAM) does not use them.
|
||||||
|
|
||||||
|
shadow-login_defs-unused-check.sh makes possible to verify that it is
|
||||||
|
still up to date.
|
||||||
|
|
||||||
Index: etc/login.defs
|
Index: etc/login.defs
|
||||||
===================================================================
|
===================================================================
|
||||||
--- etc/login.defs.orig
|
--- etc/login.defs.orig
|
||||||
+++ etc/login.defs
|
+++ etc/login.defs
|
||||||
@@ -1,8 +1,5 @@
|
@@ -12,11 +12,6 @@
|
||||||
#
|
|
||||||
# /etc/login.defs - Configuration control definitions for the shadow package.
|
|
||||||
-#
|
|
||||||
-# $Id$
|
|
||||||
-#
|
|
||||||
|
|
||||||
#
|
|
||||||
# Delay in seconds before being allowed another attempt after a login failure
|
|
||||||
@@ -12,11 +9,6 @@
|
|
||||||
FAIL_DELAY 3
|
FAIL_DELAY 3
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -23,7 +20,7 @@ Index: etc/login.defs
|
|||||||
# Enable display of unknown usernames when login(1) failures are recorded.
|
# Enable display of unknown usernames when login(1) failures are recorded.
|
||||||
#
|
#
|
||||||
LOG_UNKFAIL_ENAB no
|
LOG_UNKFAIL_ENAB no
|
||||||
@@ -27,34 +19,6 @@ LOG_UNKFAIL_ENAB no
|
@@ -27,34 +22,6 @@ LOG_UNKFAIL_ENAB no
|
||||||
LOG_OK_LOGINS no
|
LOG_OK_LOGINS no
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -58,7 +55,7 @@ Index: etc/login.defs
|
|||||||
# Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
|
# Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
|
||||||
# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
|
# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
|
||||||
#
|
#
|
||||||
@@ -82,75 +46,31 @@ MOTD_FILE /etc/motd
|
@@ -82,46 +49,12 @@ MOTD_FILE /etc/motd
|
||||||
#MOTD_FILE /etc/motd:/usr/lib/news/news-motd
|
#MOTD_FILE /etc/motd:/usr/lib/news/news-motd
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -105,12 +102,10 @@ Index: etc/login.defs
|
|||||||
# If defined, file which inhibits all the usual chatter during the login
|
# If defined, file which inhibits all the usual chatter during the login
|
||||||
# sequence. If a full pathname, then hushed mode will be enabled if the
|
# sequence. If a full pathname, then hushed mode will be enabled if the
|
||||||
# user's name or shell are found in the file. If not a full pathname, then
|
# user's name or shell are found in the file. If not a full pathname, then
|
||||||
# hushed mode will be enabled if the file exists in the user's home directory.
|
@@ -131,21 +64,6 @@ HUSHLOGIN_FILE .hushlogin
|
||||||
|
#HUSHLOGIN_FILE /etc/hushlogins
|
||||||
|
|
||||||
#
|
#
|
||||||
-HUSHLOGIN_FILE .hushlogin
|
|
||||||
-#HUSHLOGIN_FILE /etc/hushlogins
|
|
||||||
-
|
|
||||||
-#
|
|
||||||
-# If defined, either a TZ environment parameter spec or the
|
-# If defined, either a TZ environment parameter spec or the
|
||||||
-# fully-rooted pathname of a file containing such a spec.
|
-# fully-rooted pathname of a file containing such a spec.
|
||||||
-#
|
-#
|
||||||
@ -124,33 +119,12 @@ Index: etc/login.defs
|
|||||||
-ENV_HZ HZ=100
|
-ENV_HZ HZ=100
|
||||||
-# For Linux/Alpha...
|
-# For Linux/Alpha...
|
||||||
-#ENV_HZ HZ=1024
|
-#ENV_HZ HZ=1024
|
||||||
+# HUSHLOGIN_FILE .hushlogin
|
-
|
||||||
+HUSHLOGIN_FILE /etc/hushlogins
|
-#
|
||||||
|
|
||||||
#
|
|
||||||
# *REQUIRED* The default PATH settings, for superuser and normal users.
|
# *REQUIRED* The default PATH settings, for superuser and normal users.
|
||||||
#
|
#
|
||||||
# (they are minimal, add the rest in the shell startup files)
|
# (they are minimal, add the rest in the shell startup files)
|
||||||
ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
|
@@ -171,17 +89,13 @@ TTYPERM 0600
|
||||||
-ENV_PATH PATH=/bin:/usr/bin
|
|
||||||
+ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin
|
|
||||||
+
|
|
||||||
+#
|
|
||||||
+# The default PATH settings for root (used by login):
|
|
||||||
+#
|
|
||||||
+ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin
|
|
||||||
|
|
||||||
#
|
|
||||||
# Terminal permissions
|
|
||||||
@@ -164,24 +84,20 @@ ENV_PATH PATH=/bin:/usr/bin
|
|
||||||
# set TTYPERM to either 622 or 600.
|
|
||||||
#
|
|
||||||
TTYGROUP tty
|
|
||||||
-TTYPERM 0600
|
|
||||||
+TTYPERM 0620
|
|
||||||
|
|
||||||
#
|
|
||||||
# Login configuration initializations:
|
|
||||||
#
|
#
|
||||||
# ERASECHAR Terminal ERASE character ('\010' = backspace).
|
# ERASECHAR Terminal ERASE character ('\010' = backspace).
|
||||||
# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
|
# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
|
||||||
@ -168,7 +142,7 @@ Index: etc/login.defs
|
|||||||
|
|
||||||
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
|
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
|
||||||
# Default "umask" value for pam_umask(8) on PAM enabled systems.
|
# Default "umask" value for pam_umask(8) on PAM enabled systems.
|
||||||
@@ -197,35 +113,25 @@ UMASK 022
|
@@ -197,28 +111,13 @@ UMASK 022
|
||||||
#
|
#
|
||||||
# PASS_MAX_DAYS Maximum number of days a password may be used.
|
# PASS_MAX_DAYS Maximum number of days a password may be used.
|
||||||
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
|
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
|
||||||
@ -196,50 +170,8 @@ Index: etc/login.defs
|
|||||||
-#
|
-#
|
||||||
# Min/max values for automatic uid selection in useradd(8)
|
# Min/max values for automatic uid selection in useradd(8)
|
||||||
#
|
#
|
||||||
+# SYS_UID_MIN to SYS_UID_MAX inclusive is the range for
|
|
||||||
+# UIDs for dynamically allocated administrative and system accounts.
|
|
||||||
+# UID_MIN to UID_MAX inclusive is the range of UIDs of dynamically
|
|
||||||
+# allocated user accounts.
|
|
||||||
+#
|
|
||||||
UID_MIN 1000
|
UID_MIN 1000
|
||||||
UID_MAX 60000
|
@@ -255,28 +154,6 @@ LOGIN_RETRIES 5
|
||||||
# System accounts
|
|
||||||
-SYS_UID_MIN 101
|
|
||||||
-SYS_UID_MAX 999
|
|
||||||
+SYS_UID_MIN 100
|
|
||||||
+SYS_UID_MAX 499
|
|
||||||
# Extra per user uids
|
|
||||||
SUB_UID_MIN 100000
|
|
||||||
SUB_UID_MAX 600100000
|
|
||||||
@@ -234,11 +140,16 @@ SUB_UID_COUNT 65536
|
|
||||||
#
|
|
||||||
# Min/max values for automatic gid selection in groupadd(8)
|
|
||||||
#
|
|
||||||
+# SYS_GID_MIN to SYS_GID_MAX inclusive is the range for
|
|
||||||
+# GIDs for dynamically allocated administrative and system groups.
|
|
||||||
+# GID_MIN to GID_MAX inclusive is the range of GIDs of dynamically
|
|
||||||
+# allocated groups.
|
|
||||||
+#
|
|
||||||
GID_MIN 1000
|
|
||||||
GID_MAX 60000
|
|
||||||
# System accounts
|
|
||||||
-SYS_GID_MIN 101
|
|
||||||
-SYS_GID_MAX 999
|
|
||||||
+SYS_GID_MIN 100
|
|
||||||
+SYS_GID_MAX 499
|
|
||||||
# Extra per user group ids
|
|
||||||
SUB_GID_MIN 100000
|
|
||||||
SUB_GID_MAX 600100000
|
|
||||||
@@ -247,7 +158,7 @@ SUB_GID_COUNT 65536
|
|
||||||
#
|
|
||||||
# Max number of login(1) retries if password is bad
|
|
||||||
#
|
|
||||||
-LOGIN_RETRIES 5
|
|
||||||
+LOGIN_RETRIES 3
|
|
||||||
|
|
||||||
#
|
|
||||||
# Max time in seconds for login(1)
|
|
||||||
@@ -255,28 +166,6 @@ LOGIN_RETRIES 5
|
|
||||||
LOGIN_TIMEOUT 60
|
LOGIN_TIMEOUT 60
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -268,7 +200,7 @@ Index: etc/login.defs
|
|||||||
# Which fields may be changed by regular users using chfn(1) - use
|
# Which fields may be changed by regular users using chfn(1) - use
|
||||||
# any combination of letters "frwh" (full name, room number, work
|
# any combination of letters "frwh" (full name, room number, work
|
||||||
# phone, home phone). If not defined, no changes are allowed.
|
# phone, home phone). If not defined, no changes are allowed.
|
||||||
@@ -285,28 +174,6 @@ CHFN_AUTH yes
|
@@ -285,13 +162,6 @@ CHFN_AUTH yes
|
||||||
CHFN_RESTRICT rwh
|
CHFN_RESTRICT rwh
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -279,35 +211,27 @@ Index: etc/login.defs
|
|||||||
-#LOGIN_STRING "%s's Password: "
|
-#LOGIN_STRING "%s's Password: "
|
||||||
-
|
-
|
||||||
-#
|
-#
|
||||||
-# Only works if compiled with MD5_CRYPT defined:
|
# Only works if compiled with MD5_CRYPT defined:
|
||||||
-# If set to "yes", new passwords will be encrypted using the MD5-based
|
# If set to "yes", new passwords will be encrypted using the MD5-based
|
||||||
-# algorithm compatible with the one used by recent releases of FreeBSD.
|
# algorithm compatible with the one used by recent releases of FreeBSD.
|
||||||
-# It supports passwords of unlimited length and longer salt strings.
|
@@ -336,29 +206,12 @@ CHFN_RESTRICT rwh
|
||||||
-# Set to "no" if you need to copy encrypted passwords to other systems
|
# SHA_CRYPT_MAX_ROUNDS 5000
|
||||||
-# which don't understand the new algorithm. Default is "no".
|
|
||||||
-#
|
|
||||||
-# Note: If you use PAM, it is recommended to use a value consistent with
|
|
||||||
-# the PAM modules configuration.
|
|
||||||
-#
|
|
||||||
-# This variable is deprecated. You should use ENCRYPT_METHOD instead.
|
|
||||||
-#
|
|
||||||
-#MD5_CRYPT_ENAB no
|
|
||||||
-
|
|
||||||
-#
|
|
||||||
# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
|
|
||||||
# If set to MD5, MD5-based algorithm will be used for encrypting password
|
|
||||||
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
|
|
||||||
@@ -317,7 +184,8 @@ CHFN_RESTRICT rwh
|
|
||||||
# Note: If you use PAM, it is recommended to use a value consistent with
|
|
||||||
# the PAM modules configuration.
|
|
||||||
#
|
|
||||||
-#ENCRYPT_METHOD DES
|
|
||||||
+ENCRYPT_METHOD SHA512
|
|
||||||
+ENCRYPT_METHOD_NIS DES
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
|
-# List of groups to add to the user's supplementary group set
|
||||||
@@ -353,16 +221,12 @@ CHFN_RESTRICT rwh
|
-# when logging in from the console (as determined by the CONSOLE
|
||||||
|
-# setting). Default is none.
|
||||||
|
-#
|
||||||
|
-# Use with caution - it is possible for users to gain permanent
|
||||||
|
-# access to these groups, even when not logged in from the console.
|
||||||
|
-# How to do it is left as an exercise for the reader...
|
||||||
|
-#
|
||||||
|
-#CONSOLE_GROUPS floppy:audio:cdrom
|
||||||
|
-
|
||||||
|
-#
|
||||||
|
# Should login be allowed if we can't cd to the home directory?
|
||||||
|
# Default is no.
|
||||||
|
#
|
||||||
DEFAULT_HOME yes
|
DEFAULT_HOME yes
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -320,68 +244,3 @@ Index: etc/login.defs
|
|||||||
# If defined, this command is run when removing a user.
|
# If defined, this command is run when removing a user.
|
||||||
# It should remove any at/cron/print jobs etc. owned by
|
# It should remove any at/cron/print jobs etc. owned by
|
||||||
# the user to be removed (passed as the first argument).
|
# the user to be removed (passed as the first argument).
|
||||||
#
|
|
||||||
+# See USERDEL_PRECMD/POSTCMD below.
|
|
||||||
+#
|
|
||||||
#USERDEL_CMD /usr/sbin/userdel_local
|
|
||||||
|
|
||||||
#
|
|
||||||
@@ -372,7 +236,7 @@ ENVIRON_FILE /etc/environment
|
|
||||||
#
|
|
||||||
# This also enables userdel(8) to remove user groups if no members exist.
|
|
||||||
#
|
|
||||||
-USERGROUPS_ENAB yes
|
|
||||||
+USERGROUPS_ENAB no
|
|
||||||
|
|
||||||
#
|
|
||||||
# If set to a non-zero number, the shadow utilities will make sure that
|
|
||||||
@@ -391,10 +255,47 @@ USERGROUPS_ENAB yes
|
|
||||||
# This option is overridden with the -M or -m flags on the useradd(8)
|
|
||||||
# command-line.
|
|
||||||
#
|
|
||||||
-#CREATE_HOME yes
|
|
||||||
+CREATE_HOME no
|
|
||||||
|
|
||||||
#
|
|
||||||
# Force use shadow, even if shadow passwd & shadow group files are
|
|
||||||
# missing.
|
|
||||||
#
|
|
||||||
-#FORCE_SHADOW yes
|
|
||||||
+FORCE_SHADOW no
|
|
||||||
+
|
|
||||||
+#
|
|
||||||
+# User/group names must match the following regex expression.
|
|
||||||
+# The default is [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?,
|
|
||||||
+# but be aware that the result could depend on the locale settings.
|
|
||||||
+#
|
|
||||||
+#CHARACTER_CLASS [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?
|
|
||||||
+CHARACTER_CLASS [ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_][ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-]*[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$-]\?
|
|
||||||
+
|
|
||||||
+#
|
|
||||||
+# If defined, this command is run when adding a group.
|
|
||||||
+# It should rebuild any NIS database etc. to add the
|
|
||||||
+# new created group.
|
|
||||||
+#
|
|
||||||
+GROUPADD_CMD /usr/sbin/groupadd.local
|
|
||||||
+
|
|
||||||
+#
|
|
||||||
+# If defined, this command is run when adding a user.
|
|
||||||
+# It should rebuild any NIS database etc. to add the
|
|
||||||
+# new created account.
|
|
||||||
+#
|
|
||||||
+USERADD_CMD /usr/sbin/useradd.local
|
|
||||||
+
|
|
||||||
+#
|
|
||||||
+# If defined, this command is run before removing a user.
|
|
||||||
+# It should remove any at/cron/print jobs etc. owned by
|
|
||||||
+# the user to be removed.
|
|
||||||
+#
|
|
||||||
+USERDEL_PRECMD /usr/sbin/userdel-pre.local
|
|
||||||
+
|
|
||||||
+#
|
|
||||||
+# If defined, this command is run after removing a user.
|
|
||||||
+# It should rebuild any NIS database etc. to remove the
|
|
||||||
+# account from it.
|
|
||||||
+#
|
|
||||||
+USERDEL_POSTCMD /usr/sbin/userdel-post.local
|
|
||||||
+
|
|
119
shadow-util-linux.patch
Normal file
119
shadow-util-linux.patch
Normal file
@ -0,0 +1,119 @@
|
|||||||
|
Add variables referred by util-linux login, runuser and su, but not by
|
||||||
|
shadow.
|
||||||
|
|
||||||
|
Delete variables used by shadow implementation of login, su and runuser
|
||||||
|
that has no use in util-linux implementation.
|
||||||
|
|
||||||
|
Index: etc/login.defs
|
||||||
|
===================================================================
|
||||||
|
--- etc/login.defs.orig
|
||||||
|
+++ etc/login.defs
|
||||||
|
@@ -1,5 +1,7 @@
|
||||||
|
#
|
||||||
|
# /etc/login.defs - Configuration control definitions for the shadow package.
|
||||||
|
+# Some variables are used by login(1), su(1) and runuser(1) from util-linux
|
||||||
|
+# package as well pam pam_unix(8) from pam package.
|
||||||
|
#
|
||||||
|
# $Id$
|
||||||
|
#
|
||||||
|
@@ -17,15 +19,8 @@ FAIL_DELAY 3
|
||||||
|
LOG_UNKFAIL_ENAB no
|
||||||
|
|
||||||
|
#
|
||||||
|
-# Enable logging of successful logins
|
||||||
|
+# Enable "syslog" logging of newgrp(1) and sg(1) activity.
|
||||||
|
#
|
||||||
|
-LOG_OK_LOGINS no
|
||||||
|
-
|
||||||
|
-#
|
||||||
|
-# Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
|
||||||
|
-# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
|
||||||
|
-#
|
||||||
|
-SYSLOG_SU_ENAB yes
|
||||||
|
SYSLOG_SG_ENAB yes
|
||||||
|
|
||||||
|
#
|
||||||
|
@@ -63,12 +58,33 @@ MOTD_FILE /etc/motd
|
||||||
|
HUSHLOGIN_FILE .hushlogin
|
||||||
|
#HUSHLOGIN_FILE /etc/hushlogins
|
||||||
|
|
||||||
|
+# If this variable is set to "yes", hostname will be suppressed in the
|
||||||
|
+# login: prompt.
|
||||||
|
+#LOGIN_PLAIN_PROMPT no
|
||||||
|
+
|
||||||
|
#
|
||||||
|
# *REQUIRED* The default PATH settings, for superuser and normal users.
|
||||||
|
#
|
||||||
|
# (they are minimal, add the rest in the shell startup files)
|
||||||
|
-ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
|
||||||
|
-ENV_PATH PATH=/bin:/usr/bin
|
||||||
|
+#
|
||||||
|
+# ENV_PATH: The default PATH settings for non-root.
|
||||||
|
+#
|
||||||
|
+# ENV_ROOTPATH: The default PATH settings for root
|
||||||
|
+# (used by login, su and runuser).
|
||||||
|
+#
|
||||||
|
+# ENV_SUPATH is an ENV_ROOTPATH override for su and runuser
|
||||||
|
+# (and falback for login).
|
||||||
|
+#
|
||||||
|
+ENV_PATH /bin:/usr/bin
|
||||||
|
+ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin
|
||||||
|
+#ENV_SUPATH /sbin:/bin:/usr/sbin:/usr/bin
|
||||||
|
+
|
||||||
|
+# If this variable is set to "yes", su will always set path. every su
|
||||||
|
+# call will overwrite the PATH variable.
|
||||||
|
+#
|
||||||
|
+# Per default, only "su -" will set a new PATH.
|
||||||
|
+#
|
||||||
|
+ALWAYS_SET_PATH no
|
||||||
|
|
||||||
|
#
|
||||||
|
# Terminal permissions
|
||||||
|
@@ -84,19 +100,6 @@ ENV_PATH PATH=/bin:/usr/bin
|
||||||
|
TTYGROUP tty
|
||||||
|
TTYPERM 0600
|
||||||
|
|
||||||
|
-#
|
||||||
|
-# Login configuration initializations:
|
||||||
|
-#
|
||||||
|
-# ERASECHAR Terminal ERASE character ('\010' = backspace).
|
||||||
|
-# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
|
||||||
|
-#
|
||||||
|
-# The ERASECHAR and KILLCHAR are used only on System V machines.
|
||||||
|
-#
|
||||||
|
-# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
|
||||||
|
-#
|
||||||
|
-ERASECHAR 0177
|
||||||
|
-KILLCHAR 025
|
||||||
|
-
|
||||||
|
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
|
||||||
|
# Default "umask" value for pam_umask(8) on PAM enabled systems.
|
||||||
|
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
|
||||||
|
Index: lib/getdef.c
|
||||||
|
===================================================================
|
||||||
|
--- lib/getdef.c.orig
|
||||||
|
+++ lib/getdef.c
|
||||||
|
@@ -77,6 +77,7 @@ struct itemdef {
|
||||||
|
|
||||||
|
#define NUMDEFS (sizeof(def_table)/sizeof(def_table[0]))
|
||||||
|
static struct itemdef def_table[] = {
|
||||||
|
+ {"ALWAYS_SET_PATH", NULL},
|
||||||
|
{"CHARACTER_CLASS", NULL},
|
||||||
|
{"CHFN_RESTRICT", NULL},
|
||||||
|
{"CONSOLE_GROUPS", NULL},
|
||||||
|
@@ -85,6 +86,7 @@ static struct itemdef def_table[] = {
|
||||||
|
{"DEFAULT_HOME", NULL},
|
||||||
|
{"ENCRYPT_METHOD", NULL},
|
||||||
|
{"ENV_PATH", NULL},
|
||||||
|
+ {"ENV_ROOTPATH", NULL},
|
||||||
|
{"ENV_SUPATH", NULL},
|
||||||
|
{"ERASECHAR", NULL},
|
||||||
|
{"FAIL_DELAY", NULL},
|
||||||
|
@@ -93,6 +95,7 @@ static struct itemdef def_table[] = {
|
||||||
|
{"GID_MIN", NULL},
|
||||||
|
{"HUSHLOGIN_FILE", NULL},
|
||||||
|
{"KILLCHAR", NULL},
|
||||||
|
+ {"LOGIN_PLAIN_PROMPT", NULL},
|
||||||
|
{"LOGIN_RETRIES", NULL},
|
||||||
|
{"LOGIN_TIMEOUT", NULL},
|
||||||
|
{"LOG_OK_LOGINS", NULL},
|
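Review bot: The new login.defs comment around `ALWAYS_SET_PATH no` (hunk `@@ -63,12 +58,33 @@`) explains the "yes" behaviour but not the consequence of the chosen default: by its own wording only `su -` sets a new PATH, so a plain `su` keeps the calling user's PATH in the resulting root shell, which is the property an administrator reading this file needs to weigh. I would add `# With "no", a plain "su" keeps the caller's PATH in the root shell; set "yes" if that is not wanted.` under `# Per default, only "su -" will set a new PATH.`. The same block has wording slips worth fixing while editing: `falback` → `fallback` in the ENV_SUPATH comment, `as well pam pam_unix(8)` → `as well as pam_unix(8)` in the file header comment, and `set path. every su call` → `set PATH; every su call`. The lib/getdef.c hunks only register ALWAYS_SET_PATH, ENV_ROOTPATH and LOGIN_PLAIN_PROMPT in def_table, which looks consistent with the login.defs side.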
@ -1,3 +1,27 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Apr 30 22:27:14 CEST 2019 - sbrabec@suse.com
|
||||||
|
|
||||||
|
- Split shadow-login_defs.patch hunks to its logical components
|
||||||
|
(bsc#1121197):
|
||||||
|
* shadow-login_defs-unused-by-pam.patch
|
||||||
|
* shadow-login_defs-comments.patch
|
||||||
|
* shadow-login_defs-util-linux.patch
|
||||||
|
* shadow-login_defs-suse.patch
|
||||||
|
* Move appropriate hunks to chkname-regex.patch and
|
||||||
|
encryption_method_nis.patch
|
||||||
|
* Remove GROUPADD_CMD that is not supported (bsc#1121197#c14).
|
||||||
|
- Split getdef-new-defs.patch hunks to its logical components
|
||||||
|
(bsc#1121197):
|
||||||
|
* encryption_method_nis.patch
|
||||||
|
* chkname-regex.patch
|
||||||
|
* shadow-util-linux.patch
|
||||||
|
Add support for login: ALWAYS_SET_PATH and LOGIN_PLAIN_PROMPT.
|
||||||
|
* useradd-script.patch, userdel-script.patch
|
||||||
|
* Remove duplicated definitions of MOTD_FILE and ENV_PATH.
|
||||||
|
- Add shadow-login_defs-unused-check.sh to allow verification of
|
||||||
|
login.defs variable usage (bsc#1121197).
|
||||||
|
- Add virtual symbols for login.defs compatibility (bsc#1121197).
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Jan 23 09:35:01 UTC 2019 - adam.majer@suse.de
|
Wed Jan 23 09:35:01 UTC 2019 - adam.majer@suse.de
|
||||||
|
|
||||||
|
36
shadow.spec
36
shadow.spec
@ -12,7 +12,7 @@
|
|||||||
# license that conforms to the Open Source Definition (Version 1.9)
|
# license that conforms to the Open Source Definition (Version 1.9)
|
||||||
# published by the Open Source Initiative.
|
# published by the Open Source Initiative.
|
||||||
|
|
||||||
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
||||||
#
|
#
|
||||||
|
|
||||||
|
|
||||||
@ -33,18 +33,37 @@ Source6: shadow.service
|
|||||||
Source7: shadow.timer
|
Source7: shadow.timer
|
||||||
Source42: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc
|
Source42: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc
|
||||||
Source43: %{name}.keyring
|
Source43: %{name}.keyring
|
||||||
Patch0: shadow-login_defs.patch
|
# SOURCE-FEATURE-SUSE shadow-login_defs-check.sh sbrabec@suse.com -- Supplementary script that verifies coverage of variables in shadow-login_defs-unused-by-pam.patch and other patches.
|
||||||
|
Source44: shadow-login_defs-check.sh
|
||||||
|
# PATCH-FIX-SUSE shadow-login_defs-unused-by-pam.patch kukuk@suse.com -- Remove variables that have no use with PAM.
|
||||||
|
Patch0: shadow-login_defs-unused-by-pam.patch
|
||||||
|
# PATCH-FEATURE-SUSE userdel-script.patch kukuk@suse.com -- Add support for USERDEL_PRECMD and USERDEL_POSTCMD.
|
||||||
Patch1: userdel-script.patch
|
Patch1: userdel-script.patch
|
||||||
|
# PATCH-FEATURE-SUSE useradd-script.patch kukuk@suse.com -- Add support for USERADD_CMD.
|
||||||
Patch2: useradd-script.patch
|
Patch2: useradd-script.patch
|
||||||
|
# PATCH-FEATURE-SUSE chkname-regex.patch kukuk@suse.com -- Username restriction by regex.
|
||||||
Patch3: chkname-regex.patch
|
Patch3: chkname-regex.patch
|
||||||
|
# PATCH-FEATURE-SUSE useradd-default.patch kukuk@suse.com -- Change useradd defaults group to 1000.
|
||||||
Patch4: useradd-default.patch
|
Patch4: useradd-default.patch
|
||||||
Patch5: getdef-new-defs.patch
|
# PATCH-FEATURE-SUSE shadow-util-linux.patch sbrabec@suse.com -- Add support for util-linux specific variables, delete shadow login, su runuser specific.
|
||||||
|
Patch5: shadow-util-linux.patch
|
||||||
|
# PATCH-FEATURE-FEDORA shadow-4.1.5.1-userdel-helpfix.patch christian.brauner@mailbox.org -- Give a hint about what happens when you force the removal of a user.
|
||||||
Patch6: shadow-4.1.5.1-userdel-helpfix.patch
|
Patch6: shadow-4.1.5.1-userdel-helpfix.patch
|
||||||
|
# PATCH-FIX-FEDORA shadow-4.1.5.1-userdel-helpfix.patch kukuk@suse.com -- Fix error message.
|
||||||
Patch7: shadow-4.1.5.1-logmsg.patch
|
Patch7: shadow-4.1.5.1-logmsg.patch
|
||||||
|
# PATCH-FEATURE-SUSE encryption_method_nis.patch kukuk@suse.com -- Add support for ENCRYPT_METHOD_NIS used by SUSE patch in pam (pam_unix).
|
||||||
Patch10: encryption_method_nis.patch
|
Patch10: encryption_method_nis.patch
|
||||||
|
# PATCH-FIX-SUSE useradd-mkdirs.patch bnc865563 tbehrens@suse.com -- Create all parts of the path.
|
||||||
Patch11: useradd-mkdirs.patch
|
Patch11: useradd-mkdirs.patch
|
||||||
|
# PATCH-FIX-SUSE shadow-4.6.0-fix-usermod-prefix-crash.patch https://github.com/shadow-maint/shadow/issues/110 mvetter@suse.com -- Fixes crash in usermod when called with --prefix.
|
||||||
Patch12: shadow-4.6.0-fix-usermod-prefix-crash.patch
|
Patch12: shadow-4.6.0-fix-usermod-prefix-crash.patch
|
||||||
|
# PATCH-FEATURE-SUSE shadow-login_defs-comments.patch kukuk@suse.com -- Adjust login.defs comments.
|
||||||
|
Patch13: shadow-login_defs-comments.patch
|
||||||
|
# PATCH-FEATURE-SUSE shadow-login_defs-suse.patch kukuk@suse.com -- Customize login.defs.
|
||||||
|
Patch14: shadow-login_defs-suse.patch
|
||||||
|
# PATCH-FIX-SUSE disable_new_audit_function.patch adam.majer@suse.de -- Disable newer libaudit functionality for older distributions.
|
||||||
Patch20: disable_new_audit_function.patch
|
Patch20: disable_new_audit_function.patch
|
||||||
|
# PATCH-FEATURE-SUSE btrfs-subvolumes.patch fate316134 adam.majer@suse.de -- Add support for btrfs subvolumes for user homes.
|
||||||
Patch21: btrfs-subvolumes.patch
|
Patch21: btrfs-subvolumes.patch
|
||||||
BuildRequires: audit-devel > 2.3
|
BuildRequires: audit-devel > 2.3
|
||||||
BuildRequires: autoconf
|
BuildRequires: autoconf
|
||||||
@ -62,6 +81,13 @@ Requires(pre): user(root)
|
|||||||
PreReq: permissions
|
PreReq: permissions
|
||||||
Provides: pwdutils = 3.2.20
|
Provides: pwdutils = 3.2.20
|
||||||
Obsoletes: pwdutils <= 3.2.19
|
Obsoletes: pwdutils <= 3.2.19
|
||||||
|
# Virtual provides for supported variables in login.defs.
|
||||||
|
# It prevents references to unknown variables.
|
||||||
|
# Upgrade them only if shadow-util-linux.patch or
|
||||||
|
# encryption_method_nis.patch has to be ported!
|
||||||
|
# Call shadow-login_defs-check.sh before!
|
||||||
|
Provides: login_defs-support-for-pam = 1.3.1
|
||||||
|
Provides: login_defs-support-for-util-linux = 2.33.1
|
||||||
|
|
||||||
%description
|
%description
|
||||||
This package includes the necessary programs for converting plain
|
This package includes the necessary programs for converting plain
|
||||||
@ -71,7 +97,7 @@ group accounts.
|
|||||||
%prep
|
%prep
|
||||||
%setup -q -a 1
|
%setup -q -a 1
|
||||||
%patch0
|
%patch0
|
||||||
%patch1 -p1
|
%patch1
|
||||||
%patch2
|
%patch2
|
||||||
%patch3
|
%patch3
|
||||||
%patch4
|
%patch4
|
||||||
@ -81,6 +107,8 @@ group accounts.
|
|||||||
%patch10
|
%patch10
|
||||||
%patch11 -p1
|
%patch11 -p1
|
||||||
%patch12 -p1
|
%patch12 -p1
|
||||||
|
%patch13
|
||||||
|
%patch14
|
||||||
%if 0%{?suse_version} < 1330
|
%if 0%{?suse_version} < 1330
|
||||||
%patch20 -p1
|
%patch20 -p1
|
||||||
%endif
|
%endif
|
||||||
|
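Review bot: The comment added above `Patch7` names the wrong file: `# PATCH-FIX-FEDORA shadow-4.1.5.1-userdel-helpfix.patch kukuk@suse.com -- Fix error message.` sits on `Patch7: shadow-4.1.5.1-logmsg.patch`, so it should read `# PATCH-FIX-SUSE shadow-4.1.5.1-logmsg.patch kukuk@suse.com -- Fix error message.` (the origin tag is inferred from the author address; keep FEDORA if the patch really comes from there). The new `Source44: shadow-login_defs-check.sh` and the two comments that mention it use a different name from the changelog entry and the commit message, which call the script `shadow-login_defs-unused-check.sh`; if the checked-in file carries the changelog's name the build will not find Source44, so one of the two should be corrected. The comment block above the new `Provides: login_defs-support-for-pam` / `login_defs-support-for-util-linux` lines would be clearer if it also said which packages are expected to `Requires:` these virtual symbols, since that is what a future version bump can break.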
@ -1,6 +1,38 @@
|
|||||||
--- src/useradd.c
|
Index: etc/login.defs
|
||||||
|
===================================================================
|
||||||
|
--- etc/login.defs.orig
|
||||||
|
+++ etc/login.defs
|
||||||
|
@@ -212,6 +212,13 @@ CHFN_RESTRICT rwh
|
||||||
|
DEFAULT_HOME yes
|
||||||
|
|
||||||
|
#
|
||||||
|
+# If defined, this command is run when adding a user.
|
||||||
|
+# It should rebuild any NIS database etc. to add the
|
||||||
|
+# new created account.
|
||||||
|
+#
|
||||||
|
+USERADD_CMD /usr/sbin/useradd.local
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
# If defined, this command is run when removing a user.
|
||||||
|
# It should remove any at/cron/print jobs etc. owned by
|
||||||
|
# the user to be removed (passed as the first argument).
|
||||||
|
Index: lib/getdef.c
|
||||||
|
===================================================================
|
||||||
|
--- lib/getdef.c.orig
|
||||||
|
+++ lib/getdef.c
|
||||||
|
@@ -125,6 +125,7 @@ static struct itemdef def_table[] = {
|
||||||
|
{"UID_MAX", NULL},
|
||||||
|
{"UID_MIN", NULL},
|
||||||
|
{"UMASK", NULL},
|
||||||
|
+ {"USERADD_CMD", NULL},
|
||||||
|
{"USERDEL_CMD", NULL},
|
||||||
|
{"USERDEL_PRECMD", NULL},
|
||||||
|
{"USERDEL_POSTCMD", NULL},
|
||||||
|
Index: src/useradd.c
|
||||||
|
===================================================================
|
||||||
|
--- src/useradd.c.orig
|
||||||
+++ src/useradd.c
|
+++ src/useradd.c
|
||||||
@@ -1982,6 +1982,30 @@ static void create_mail (void)
|
@@ -2115,6 +2115,30 @@ static void create_mail (void)
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -31,7 +63,7 @@
|
|||||||
* main - useradd command
|
* main - useradd command
|
||||||
*/
|
*/
|
||||||
int main (int argc, char **argv)
|
int main (int argc, char **argv)
|
||||||
@@ -2242,6 +2266,7 @@ int main (int argc, char **argv)
|
@@ -2390,6 +2414,7 @@ int main (int argc, char **argv)
|
||||||
nscd_flush_cache ("passwd");
|
nscd_flush_cache ("passwd");
|
||||||
nscd_flush_cache ("group");
|
nscd_flush_cache ("group");
|
||||||
|
|
||||||
|
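Review bot: The new login.defs hunk (`@@ -212,6 +212,13 @@`) enables `USERADD_CMD /usr/sbin/useradd.local` unconditionally, whereas the upstream `USERDEL_CMD` hook shown elsewhere in this commit ships commented out, and the comment does not say what useradd does when that file is absent or how it is invoked. Because useradd is run by root, the contract should be explicit so an administrator knows to keep the hook root-owned and not writable by others; I would add `# The command is executed by useradd (normally as root); keep it owned by root and not group/world writable.` above the setting, and state whether a missing file is ignored or treated as an error. The src/useradd.c hunks (`@@ -2115,6 +2115,30 @@` and `@@ -2390,6 +2414,7 @@`) show only context on this page, so the invocation code and its handling of a missing or failing command cannot be checked here; the function bodies lie outside the visible hunk.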
@ -1,7 +1,51 @@
|
|||||||
diff -urEbwB shadow-4.6/src/userdel.c shadow-4.6.new/src/userdel.c
|
Index: lib/getdef.c
|
||||||
--- shadow-4.6/src/userdel.c 2018-04-29 18:42:37.000000000 +0200
|
===================================================================
|
||||||
+++ shadow-4.6.new/src/userdel.c 2018-05-14 16:13:43.996280216 +0200
|
--- lib/getdef.c.orig
|
||||||
@@ -125,7 +125,7 @@
|
+++ lib/getdef.c
|
||||||
|
@@ -126,6 +126,8 @@ static struct itemdef def_table[] = {
|
||||||
|
{"UID_MIN", NULL},
|
||||||
|
{"UMASK", NULL},
|
||||||
|
{"USERDEL_CMD", NULL},
|
||||||
|
+ {"USERDEL_PRECMD", NULL},
|
||||||
|
+ {"USERDEL_POSTCMD", NULL},
|
||||||
|
{"USERGROUPS_ENAB", NULL},
|
||||||
|
#ifndef USE_PAM
|
||||||
|
PAMDEFS
|
||||||
|
Index: etc/login.defs
|
||||||
|
===================================================================
|
||||||
|
--- etc/login.defs.orig
|
||||||
|
+++ etc/login.defs
|
||||||
|
@@ -216,9 +216,25 @@ DEFAULT_HOME yes
|
||||||
|
# It should remove any at/cron/print jobs etc. owned by
|
||||||
|
# the user to be removed (passed as the first argument).
|
||||||
|
#
|
||||||
|
+# See also USERDEL_PRECMD and USERDEL_POSTCMD below.
|
||||||
|
+#
|
||||||
|
#USERDEL_CMD /usr/sbin/userdel_local
|
||||||
|
|
||||||
|
#
|
||||||
|
+# If defined, this command is run before removing a user.
|
||||||
|
+# It should remove any at/cron/print jobs etc. owned by
|
||||||
|
+# the user to be removed.
|
||||||
|
+#
|
||||||
|
+USERDEL_PRECMD /usr/sbin/userdel-pre.local
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# If defined, this command is run after removing a user.
|
||||||
|
+# It should rebuild any NIS database etc. to remove the
|
||||||
|
+# account from it.
|
||||||
|
+#
|
||||||
|
+USERDEL_POSTCMD /usr/sbin/userdel-post.local
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
# Enable setting of the umask group bits to be the same as owner bits
|
||||||
|
# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
|
||||||
|
# the same as gid, and username is the same as the primary group name.
|
||||||
|
Index: src/userdel.c
|
||||||
|
===================================================================
|
||||||
|
--- src/userdel.c.orig
|
||||||
|
+++ src/userdel.c
|
||||||
|
@@ -125,7 +125,7 @@ static void close_files (void);
|
||||||
static void fail_exit (int);
|
static void fail_exit (int);
|
||||||
static void open_files (void);
|
static void open_files (void);
|
||||||
static void update_user (void);
|
static void update_user (void);
|
||||||
@ -10,7 +54,7 @@ diff -urEbwB shadow-4.6/src/userdel.c shadow-4.6.new/src/userdel.c
|
|||||||
|
|
||||||
#ifdef EXTRA_CHECK_HOME_DIR
|
#ifdef EXTRA_CHECK_HOME_DIR
|
||||||
static bool path_prefix (const char *, const char *);
|
static bool path_prefix (const char *, const char *);
|
||||||
@@ -767,13 +767,13 @@
|
@@ -767,13 +767,13 @@ static void update_user (void)
|
||||||
* cron, at, or print jobs.
|
* cron, at, or print jobs.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
@ -26,7 +70,7 @@ diff -urEbwB shadow-4.6/src/userdel.c shadow-4.6.new/src/userdel.c
|
|||||||
if (NULL == cmd) {
|
if (NULL == cmd) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@@ -1213,9 +1213,10 @@
|
@@ -1213,9 +1213,10 @@ int main (int argc, char **argv)
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -35,20 +79,20 @@ diff -urEbwB shadow-4.6/src/userdel.c shadow-4.6.new/src/userdel.c
|
|||||||
+ * Do the hard stuff - open the files, remove the user entries,
|
+ * Do the hard stuff - open the files, remove the user entries,
|
||||||
+ * remove the home directory, then close and update the files.
|
+ * remove the home directory, then close and update the files.
|
||||||
*/
|
*/
|
||||||
+ call_script ("USERDEL_PRECMD", user_name);
|
+ call_script ("USERDEL_PRECMD", user_name);
|
||||||
open_files ();
|
open_files ();
|
||||||
update_user ();
|
update_user ();
|
||||||
update_groups ();
|
update_groups ();
|
||||||
@@ -1319,7 +1320,7 @@
|
@@ -1319,7 +1320,7 @@ int main (int argc, char **argv)
|
||||||
* the entry from /etc/passwd.
|
* the entry from /etc/passwd.
|
||||||
*/
|
*/
|
||||||
if(prefix[0] == '\0')
|
if(prefix[0] == '\0')
|
||||||
- user_cancel (user_name);
|
- user_cancel (user_name);
|
||||||
+ call_script ("USERDEL_CMD", user_name);
|
+ call_script ("USERDEL_CMD", user_name);
|
||||||
close_files ();
|
close_files ();
|
||||||
|
|
||||||
#ifdef WITH_TCB
|
#ifdef WITH_TCB
|
||||||
@@ -1329,6 +1330,9 @@
|
@@ -1329,6 +1330,9 @@ int main (int argc, char **argv)
|
||||||
nscd_flush_cache ("passwd");
|
nscd_flush_cache ("passwd");
|
||||||
nscd_flush_cache ("group");
|
nscd_flush_cache ("group");