forked from pool/shadow
4e43c817a1
- Split shadow-login_defs.patch hunks to its logical components (bsc#1121197): * shadow-login_defs-unused-by-pam.patch * shadow-login_defs-comments.patch * shadow-login_defs-util-linux.patch * shadow-login_defs-suse.patch * Move appropriate hunks to chkname-regex.patch and encryption_method_nis.patch * Remove GROUPADD_CMD that is not supported (bsc#1121197#c14). - Split getdef-new-defs.patch hunks to its logical components (bsc#1121197): * encryption_method_nis.patch * chkname-regex.patch * shadow-util-linux.patch Add support for login: ALWAYS_SET_PATH and LOGIN_PLAIN_PROMPT. * useradd-script.patch, userdel-script.patch * Remove duplicated definitions of MOTD_FILE and ENV_PATH. - Add shadow-login_defs-unused-check.sh to allow verification of login.defs variable usage (bsc#1121197). - Add virtual symbols for login.defs compatibility (bsc#1121197). OBS-URL: https://build.opensuse.org/request/show/700494 OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=63
138 lines
4.1 KiB
Diff
138 lines
4.1 KiB
Diff
Set login.defs defaults for SUSE Linux.
|
|
|
|
Index: etc/login.defs
|
|
===================================================================
|
|
--- etc/login.defs.orig
|
|
+++ etc/login.defs
|
|
@@ -3,6 +3,9 @@
|
|
# Some variables are used by login(1), su(1) and runuser(1) from util-linux
|
|
# package as well pam pam_unix(8) from pam package.
|
|
#
|
|
+# For more, see login.defs(5). Please note that SUSE supports only variables
|
|
+# listed here! Not listed variables from login.defs(5) have no effect.
|
|
+#
|
|
|
|
#
|
|
# Delay in seconds before being allowed another attempt after a login failure
|
|
@@ -53,8 +56,8 @@ MOTD_FILE /etc/motd
|
|
# user's name or shell are found in the file. If not a full pathname, then
|
|
# hushed mode will be enabled if the file exists in the user's home directory.
|
|
#
|
|
-HUSHLOGIN_FILE .hushlogin
|
|
-#HUSHLOGIN_FILE /etc/hushlogins
|
|
+#HUSHLOGIN_FILE .hushlogin
|
|
+HUSHLOGIN_FILE /etc/hushlogins
|
|
|
|
# If this variable is set to "yes", hostname will be suppressed in the
|
|
# login: prompt.
|
|
@@ -73,9 +76,9 @@ HUSHLOGIN_FILE .hushlogin
|
|
# ENV_SUPATH is an ENV_ROOTPATH override for su and runuser
|
|
# (and falback for login).
|
|
#
|
|
-ENV_PATH /bin:/usr/bin
|
|
-ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin
|
|
-#ENV_SUPATH /sbin:/bin:/usr/sbin:/usr/bin
|
|
+ENV_PATH /usr/local/bin:/bin:/usr/bin
|
|
+ENV_ROOTPATH /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
|
+#ENV_SUPATH /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
|
|
|
# If this variable is set to "yes" (default is "no"), su will always set
|
|
# path. every su call will overwrite the PATH variable.
|
|
@@ -99,7 +102,7 @@ ALWAYS_SET_PATH no
|
|
# set TTYPERM to either 622 or 600.
|
|
#
|
|
TTYGROUP tty
|
|
-TTYPERM 0600
|
|
+TTYPERM 0620
|
|
|
|
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
|
|
# Default "umask" value for pam_umask(8) on PAM enabled systems.
|
|
@@ -132,8 +135,8 @@ PASS_WARN_AGE 7
|
|
UID_MIN 1000
|
|
UID_MAX 60000
|
|
# System accounts
|
|
-SYS_UID_MIN 101
|
|
-SYS_UID_MAX 999
|
|
+SYS_UID_MIN 100
|
|
+SYS_UID_MAX 499
|
|
# Extra per user uids
|
|
SUB_UID_MIN 100000
|
|
SUB_UID_MAX 600100000
|
|
@@ -150,8 +153,8 @@ SUB_UID_COUNT 65536
|
|
GID_MIN 1000
|
|
GID_MAX 60000
|
|
# System accounts
|
|
-SYS_GID_MIN 101
|
|
-SYS_GID_MAX 999
|
|
+SYS_GID_MIN 100
|
|
+SYS_GID_MAX 499
|
|
# Extra per user group ids
|
|
SUB_GID_MIN 100000
|
|
SUB_GID_MAX 600100000
|
|
@@ -160,7 +163,7 @@ SUB_GID_COUNT 65536
|
|
#
|
|
# Max number of login(1) retries if password is bad
|
|
#
|
|
-LOGIN_RETRIES 5
|
|
+LOGIN_RETRIES 3
|
|
|
|
#
|
|
# Max time in seconds for login(1)
|
|
@@ -176,18 +179,9 @@ LOGIN_TIMEOUT 60
|
|
CHFN_RESTRICT rwh
|
|
|
|
#
|
|
-# If set to "yes", new passwords will be encrypted using the MD5-based
|
|
-# algorithm compatible with the one used by recent releases of FreeBSD.
|
|
-# It supports passwords of unlimited length and longer salt strings.
|
|
-# Set to "no" if you need to copy encrypted passwords to other systems
|
|
-# which don't understand the new algorithm. Default is "no".
|
|
-#
|
|
-# Note: If you use PAM, it is recommended to use a value consistent with
|
|
-# the PAM modules configuration.
|
|
-#
|
|
-# This variable is deprecated. You should use ENCRYPT_METHOD instead.
|
|
+# This variable is deprecated. Use ENCRYPT_METHOD instead!
|
|
#
|
|
-#MD5_CRYPT_ENAB no
|
|
+#MD5_CRYPT_ENAB DO_NOT_USE
|
|
|
|
#
|
|
# If set to MD5, MD5-based algorithm will be used for encrypting password
|
|
@@ -201,8 +195,8 @@ CHFN_RESTRICT rwh
|
|
# Note: If you use PAM, it is recommended to use a value consistent with
|
|
# the PAM modules configuration.
|
|
#
|
|
-#ENCRYPT_METHOD DES
|
|
-#ENCRYPT_METHOD_NIS DES
|
|
+ENCRYPT_METHOD SHA512
|
|
+ENCRYPT_METHOD_NIS DES
|
|
|
|
#
|
|
# Number of rounds for salt.
|
|
@@ -271,7 +265,7 @@ USERDEL_POSTCMD /usr/sbin/userde
|
|
#
|
|
# This also enables userdel(8) to remove user groups if no members exist.
|
|
#
|
|
-USERGROUPS_ENAB yes
|
|
+USERGROUPS_ENAB no
|
|
|
|
#
|
|
# If set to a non-zero number, the shadow utilities will make sure that
|
|
@@ -290,13 +284,13 @@ USERGROUPS_ENAB yes
|
|
# This option is overridden with the -M or -m flags on the useradd(8)
|
|
# command-line.
|
|
#
|
|
-#CREATE_HOME yes
|
|
+CREATE_HOME no
|
|
|
|
#
|
|
# Force use shadow, even if shadow passwd & shadow group files are
|
|
# missing.
|
|
#
|
|
-#FORCE_SHADOW yes
|
|
+FORCE_SHADOW no
|
|
|
|
#
|
|
# User/group names must match the following regex expression.
|