From 51442fe678ccd74c4fe17b02cf6d8e11ae705cc2 Mon Sep 17 00:00:00 2001 From: "changjoo.lee" Date: Thu, 19 May 2016 16:16:32 +0900 Subject: [PATCH] Merged shadow-utils used in tizen_2.4 Change-Id: If2077603ff738ca743a84342483cb68e7ff6549d Signed-off-by: changjoo.lee --- COPYING.GPL-v2.0+ | 340 ++++++++++++++++++++ packaging/008_login_log_failure_in_FTMP | 51 +++ packaging/008_su_get_PAM_username | 46 +++ packaging/008_su_no_sanitize_env | 11 + packaging/401_cppw_src.dpatch | 237 ++++++++++++++ packaging/402_cppw_selinux | 62 ++++ packaging/428_grpck_add_prune_option | 50 +++ packaging/429_login_FAILLOG_ENAB | 92 ++++++ packaging/463_login_delay_obeys_to_PAM | 105 +++++++ packaging/483_su_fakelogin_wrong_arg0 | 15 + packaging/501_commonio_group_shadow | 37 +++ packaging/506_relaxed_usernames | 92 ++++++ packaging/508_nologin_in_usr_sbin | 18 ++ packaging/523_su_arguments_are_concatenated | 48 +++ ...u_arguments_are_no_more_concatenated_by_default | 50 +++ packaging/542_useradd-O_option | 21 ++ packaging/login-eng.defs | 348 +++++++++++++++++++++ packaging/login.defs | 348 +++++++++++++++++++++ packaging/securetty | 138 ++++++++ packaging/shadow-4.1.4.1-goodname.patch | 68 ++++ packaging/shadow-4.1.4.2-fixes.patch | 65 ++++ packaging/shadow-4.1.4.2-leak.patch | 108 +++++++ packaging/shadow-4.1.4.2-redhat.patch | 77 +++++ packaging/shadow-4.1.4.2-rounds_prefix.patch | 42 +++ packaging/shadow-utils.manifest | 11 + packaging/shadow-utils.spec | 161 ++++++++++ packaging/useradd.default | 37 +++ 27 files changed, 2678 insertions(+) create mode 100644 COPYING.GPL-v2.0+ create mode 100644 packaging/008_login_log_failure_in_FTMP create mode 100644 packaging/008_su_get_PAM_username create mode 100644 packaging/008_su_no_sanitize_env create mode 100644 packaging/401_cppw_src.dpatch create mode 100644 packaging/402_cppw_selinux create mode 100644 packaging/428_grpck_add_prune_option create mode 100644 packaging/429_login_FAILLOG_ENAB create mode 100644 packaging/463_login_delay_obeys_to_PAM create mode 100644 packaging/483_su_fakelogin_wrong_arg0 create mode 100644 packaging/501_commonio_group_shadow create mode 100644 packaging/506_relaxed_usernames create mode 100644 packaging/508_nologin_in_usr_sbin create mode 100644 packaging/523_su_arguments_are_concatenated create mode 100644 packaging/523_su_arguments_are_no_more_concatenated_by_default create mode 100644 packaging/542_useradd-O_option create mode 100644 packaging/login-eng.defs create mode 100644 packaging/login.defs create mode 100644 packaging/securetty create mode 100644 packaging/shadow-4.1.4.1-goodname.patch create mode 100644 packaging/shadow-4.1.4.2-fixes.patch create mode 100644 packaging/shadow-4.1.4.2-leak.patch create mode 100644 packaging/shadow-4.1.4.2-redhat.patch create mode 100644 packaging/shadow-4.1.4.2-rounds_prefix.patch create mode 100644 packaging/shadow-utils.manifest create mode 100755 packaging/shadow-utils.spec create mode 100644 packaging/useradd.default diff --git a/COPYING.GPL-v2.0+ b/COPYING.GPL-v2.0+ new file mode 100644 index 0000000..623b625 --- /dev/null +++ b/COPYING.GPL-v2.0+ @@ -0,0 +1,340 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Library General +Public License instead of this License. diff --git a/packaging/008_login_log_failure_in_FTMP b/packaging/008_login_log_failure_in_FTMP new file mode 100644 index 0000000..ea46d23 --- /dev/null +++ b/packaging/008_login_log_failure_in_FTMP @@ -0,0 +1,51 @@ +Goal: Log login failures to the btmp file + +Notes: + * I'm not sure login should add an entry in the FTMP file when PAM is used. + (but nothing in /etc/login.defs indicates that the failure is not logged) + +--- a/src/login.c ++++ b/src/login.c +@@ -832,6 +832,24 @@ + (void) puts (""); + (void) puts (_("Login incorrect")); + ++ if (getdef_str("FTMP_FILE") != NULL) { ++#ifdef USE_UTMPX ++ struct utmpx *failent = ++ prepare_utmpx (failent_user, ++ tty, ++ /* FIXME: or fromhost? */hostname, ++ utent); ++#else /* !USE_UTMPX */ ++ struct utmp *failent = ++ prepare_utmp (failent_user, ++ tty, ++ hostname, ++ utent); ++#endif /* !USE_UTMPX */ ++ failtmp (failent_user, failent); ++ free (failent); ++ } ++ + if (failcount >= retries) { + SYSLOG ((LOG_NOTICE, + "TOO MANY LOGIN TRIES (%u)%s FOR '%s'", +--- a/lib/getdef.c ++++ b/lib/getdef.c +@@ -62,6 +62,7 @@ + {"ERASECHAR", NULL}, + {"FAIL_DELAY", NULL}, + {"FAKE_SHELL", NULL}, ++ {"FTMP_FILE", NULL}, + {"GID_MAX", NULL}, + {"GID_MIN", NULL}, + {"HUSHLOGIN_FILE", NULL}, +@@ -103,7 +104,6 @@ + {"ENVIRON_FILE", NULL}, + {"ENV_TZ", NULL}, + {"FAILLOG_ENAB", NULL}, +- {"FTMP_FILE", NULL}, + {"ISSUE_FILE", NULL}, + {"LASTLOG_ENAB", NULL}, + {"LOGIN_STRING", NULL}, diff --git a/packaging/008_su_get_PAM_username b/packaging/008_su_get_PAM_username new file mode 100644 index 0000000..ae128fc --- /dev/null +++ b/packaging/008_su_get_PAM_username @@ -0,0 +1,46 @@ +Goal: Retrieve the PAM username in case a module changed the PAM_USER + item. + +According to Linux-PAM_ADG: + * Note, modules can change the values of PAM_USER and PAM_RUSER during + any of the pam_*() library calls. For this reason, the application + should take care to use the pam_get_item() every time it wishes to + establish who the authenticated user is (or will currently be). + +PAM_USER description: + + The username of the entity under whose identity service will be given. That + is, following authentication, PAM_USER identifies the local entity that + gets to use the service. Note, this value can be mapped from something + (eg., "anonymous") to something else (eg. "guest119") by any module in the + PAM stack. As such an application should consult the value of PAM_USER + after each call to a PAM function. + +See also: https://www.redhat.com/archives/pam-list/2008-May/msg00009.html + +--- a/src/su.c ++++ b/src/su.c +@@ -325,6 +325,8 @@ + char **envp = environ; + char *shellstr = NULL; + char *command = NULL; ++ char *tmp_name; ++ char **ptr_tmp_name = &tmp_name; + + #ifdef USE_PAM + char **envcp; +@@ -728,6 +730,14 @@ + su_failure (tty); + } + } ++ ret = pam_get_item(pamh, PAM_USER, (const void **) ptr_tmp_name); ++ if (ret != PAM_SUCCESS) { ++ SYSLOG((LOG_ERR, "pam_get_item: internal PAM error\n")); ++ fprintf(stderr, "%s: Internal PAM error retrieving username\n", Prog); ++ (void) pam_end(pamh, ret); ++ su_failure(tty); ++ } ++ strncpy(name, tmp_name, sizeof(name) - 1); + #else /* !USE_PAM */ + /* + * Set up a signal handler in case the user types QUIT. diff --git a/packaging/008_su_no_sanitize_env b/packaging/008_su_no_sanitize_env new file mode 100644 index 0000000..625eb47 --- /dev/null +++ b/packaging/008_su_no_sanitize_env @@ -0,0 +1,11 @@ +--- a/src/su.c ++++ b/src/su.c +@@ -342,7 +342,7 @@ + #endif + #endif /* !USE_PAM */ + +- sanitize_env (); ++ /* sanitize_env (); */ + + (void) setlocale (LC_ALL, ""); + (void) bindtextdomain (PACKAGE, LOCALEDIR); diff --git a/packaging/401_cppw_src.dpatch b/packaging/401_cppw_src.dpatch new file mode 100644 index 0000000..8dab458 --- /dev/null +++ b/packaging/401_cppw_src.dpatch @@ -0,0 +1,237 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 401_cppw_src.dpatch by Nicolas FRANCOIS +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Add cppw / cpgr + +@DPATCH@ +--- /dev/null ++++ b/src/cppw.c +@@ -0,0 +1,199 @@ ++/* ++ cppw, cpgr copy with locking given file over the password or group file ++ with -s will copy with locking given file over shadow or gshadow file ++ ++ Copyright (C) 1999 Stephen Frost ++ ++ Based on vipw, vigr by: ++ Copyright (C) 1997 Guy Maor ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 2 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, but ++ WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program; if not, write to the Free Software ++ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. ++ ++ */ ++ ++#include ++#include "defines.h" ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "prototypes.h" ++#include "pwio.h" ++#include "shadowio.h" ++#include "groupio.h" ++#include "sgroupio.h" ++ ++ ++static const char *progname, *filename, *filenewname; ++static int filelocked = 0; ++static int (*unlock)(); ++ ++/* local function prototypes */ ++static int create_backup_file (FILE *, const char *, struct stat *); ++static void cppwexit (const char *, int, int); ++static void cppwcopy (const char *, const char *, int (*) (void), int (*) (void)); ++int main (int, char **); ++ ++static int ++create_backup_file(FILE *fp, const char *backup, struct stat *sb) ++{ ++ struct utimbuf ub; ++ FILE *bkfp; ++ int c; ++ mode_t mask; ++ ++ mask = umask(077); ++ bkfp = fopen(backup, "w"); ++ umask(mask); ++ if (!bkfp) return -1; ++ ++ rewind(fp); ++ while ((c = getc(fp)) != EOF) { ++ if (putc(c, bkfp) == EOF) break; ++ } ++ ++ if (c != EOF || fflush(bkfp)) { ++ fclose(bkfp); ++ unlink(backup); ++ return -1; ++ } ++ if ( (fsync (fileno (bkfp)) != 0) ++ || (fclose(bkfp) != 0)) { ++ unlink(backup); ++ return -1; ++ } ++ ++ ub.actime = sb->st_atime; ++ ub.modtime = sb->st_mtime; ++ if (utime(backup, &ub) || ++ chmod(backup, sb->st_mode) || ++ chown(backup, sb->st_uid, sb->st_gid)) { ++ unlink(backup); ++ return -1; ++ } ++ return 0; ++} ++ ++static void ++cppwexit(const char *msg, int syserr, int ret) ++{ ++ int err = errno; ++ if (filelocked) (*unlock)(); ++ if (msg) fprintf(stderr, "%s: %s", progname, msg); ++ if (syserr) fprintf(stderr, ": %s", strerror(err)); ++ fprintf(stderr, "\n%s: %s is unchanged\n", progname, filename); ++ exit(ret); ++} ++ ++static void ++cppwcopy(const char *file, const char *in_file, int (*file_lock) (void), int (*file_unlock) (void)) ++{ ++ struct stat st1; ++ FILE *f; ++ char filenew[1024]; ++ ++ snprintf(filenew, sizeof filenew, "%s.new", file); ++ unlock = file_unlock; ++ filename = file; ++ filenewname = filenew; ++ ++ if (access(file, F_OK)) cppwexit(file, 1, 1); ++ if (!file_lock()) cppwexit("Couldn't lock file", errno, 5); ++ filelocked = 1; ++ ++ /* file to copy has same owners, perm */ ++ if (stat(file, &st1)) cppwexit(file, 1, 1); ++ if (!(f = fopen(in_file, "r"))) cppwexit(file, 1, 1); ++ if (create_backup_file(f, filenew, &st1)) ++ cppwexit("Couldn't make backup", errno, 1); ++ ++ /* XXX - here we should check filenew for errors; if there are any, ++ fail w/ an appropriate error code and let the user manually fix ++ it. Use pwck or grpck to do the check. - Stephen (Shamelessly ++ stolen from '--marekm's comment) */ ++ ++ if (rename(filenew, file) == -1) { ++ fprintf(stderr, "%s: can't copy %s: %s)\n", ++ progname, filenew, strerror(errno)); ++ cppwexit(0,0,1); ++ } ++ ++ (*file_unlock)(); ++} ++ ++ ++int ++main(int argc, char **argv) ++{ ++ int flag; ++ int cpshadow = 0; ++ char *in_file; ++ char *c; ++ int e = 1; ++ int do_cppw; ++ ++ progname = ((c = strrchr(*argv, '/')) ? c+1 : *argv); ++ do_cppw = (strcmp(progname, "cpgr") != 0); ++ ++ while ((flag = getopt(argc, argv, "ghps")) != EOF) { ++ switch (flag) { ++ case 'p': ++ do_cppw = 1; ++ break; ++ case 'g': ++ do_cppw = 0; ++ break; ++ case 's': ++ cpshadow = 1; ++ break; ++ case 'h': ++ e = 0; ++ default: ++ printf("Usage:\n\ ++`cppw ' copys over /etc/passwd `cppw -s ' copys over /etc/shadow\n\ ++`cpgr ' copys over /etc/group `cpgr -s ' copys over /etc/gshadow\n\ ++"); ++ exit(e); ++ } ++ } ++ ++ if (optind >= argc) { ++ cppwexit ("missing file argument, -h for usage",0,1); ++ } ++ ++ in_file = argv[argc - 1]; ++ ++ if (do_cppw) { ++ if (cpshadow) ++ cppwcopy(SHADOW_FILE, in_file, spw_lock, spw_unlock); ++ else ++ cppwcopy(PASSWD_FILE, in_file, pw_lock, pw_unlock); ++ } ++ else { ++#ifdef SHADOWGRP ++ if (cpshadow) ++ cppwcopy(SGROUP_FILE, in_file, sgr_lock, sgr_unlock); ++ else ++#endif ++ cppwcopy(GROUP_FILE, in_file, gr_lock, gr_unlock); ++ } ++ ++ return 0; ++} +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -25,6 +25,7 @@ + sbin_PROGRAMS = nologin + ubin_PROGRAMS = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd + usbin_PROGRAMS = \ ++ cppw \ + chgpasswd \ + chpasswd \ + groupadd \ +@@ -75,6 +76,7 @@ + chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT) + chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) + chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) ++cppw_LDADD = $(LDADD) $(LIBSELINUX) + gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) + groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) + groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) +--- a/po/POTFILES.in ++++ b/po/POTFILES.in +@@ -79,6 +79,7 @@ + src/chgpasswd.c + src/chpasswd.c + src/chsh.c ++src/cppw.c + src/expiry.c + src/faillog.c + src/gpasswd.c diff --git a/packaging/402_cppw_selinux b/packaging/402_cppw_selinux new file mode 100644 index 0000000..5beb3a9 --- /dev/null +++ b/packaging/402_cppw_selinux @@ -0,0 +1,62 @@ +Goal: Add selinux support to cppw + +Fix: + +Status wrt upstream: cppw is not available upstream. + The patch was made based on the + 302_vim_selinux_support patch. It needs to be + reviewed by an SE-Linux aware person. + +Depends on 401_cppw_src.dpatch + +--- a/src/cppw.c ++++ b/src/cppw.c +@@ -34,6 +34,9 @@ + #include + #include + #include ++#ifdef WITH_SELINUX ++#include ++#endif + #include "prototypes.h" + #include "pwio.h" + #include "shadowio.h" +@@ -115,6 +118,22 @@ + filenewname = filenew; + + if (access(file, F_OK)) cppwexit(file, 1, 1); ++#ifdef WITH_SELINUX ++ /* if SE Linux is enabled then set the context of all new files ++ to be the context of the file we are editing */ ++ if (is_selinux_enabled ()) { ++ security_context_t passwd_context=NULL; ++ int ret = 0; ++ if (getfilecon (file, &passwd_context) < 0) { ++ cppwexit (_("Couldn't get file context"), errno, 1); ++ } ++ ret = setfscreatecon (passwd_context); ++ freecon (passwd_context); ++ if (0 != ret) { ++ cppwexit (_("setfscreatecon () failed"), errno, 1); ++ } ++ } ++#endif + if (!file_lock()) cppwexit("Couldn't lock file", errno, 5); + filelocked = 1; + +@@ -135,6 +154,15 @@ + cppwexit(0,0,1); + } + ++#ifdef WITH_SELINUX ++ /* unset the fscreatecon */ ++ if (is_selinux_enabled ()) { ++ if (setfscreatecon (NULL)) { ++ cppwexit (_("setfscreatecon() failed"), errno, 1); ++ } ++ } ++#endif ++ + (*file_unlock)(); + } + diff --git a/packaging/428_grpck_add_prune_option b/packaging/428_grpck_add_prune_option new file mode 100644 index 0000000..8d5592b --- /dev/null +++ b/packaging/428_grpck_add_prune_option @@ -0,0 +1,50 @@ +Goal: grpck now has an (otherwise undocumented) -p option, so that + shadowconfig can clean up the results of the above, so the config + script will fail randomly less often. +Fixes: #103385 + +Status wrt upstream: It could certainly be submitted to upstream. + +--- a/src/grpck.c ++++ b/src/grpck.c +@@ -79,6 +79,7 @@ + /* Options */ + static bool read_only = false; + static bool sort_mode = false; ++static bool prune = false; + + /* local function prototypes */ + static void fail_exit (int status); +@@ -178,7 +179,7 @@ + /* + * Parse the command line arguments + */ +- while ((arg = getopt (argc, argv, "qrs")) != EOF) { ++ while ((arg = getopt (argc, argv, "qprs")) != EOF) { + switch (arg) { + case 'q': + /* quiet - ignored for now */ +@@ -189,6 +190,9 @@ + case 's': + sort_mode = true; + break; ++ case 'p': ++ prune = true; ++ break; + default: + usage (); + } +@@ -474,7 +478,12 @@ + /* + * prompt the user to delete the entry or not + */ +- if (!yes_or_no (read_only)) { ++ if (!prune) { ++ if (!yes_or_no (read_only)) { ++ continue; ++ } ++ } else { ++ puts (_("Yes")); + continue; + } + diff --git a/packaging/429_login_FAILLOG_ENAB b/packaging/429_login_FAILLOG_ENAB new file mode 100644 index 0000000..a6a1e34 --- /dev/null +++ b/packaging/429_login_FAILLOG_ENAB @@ -0,0 +1,92 @@ +Goal: Re-enable logging and displaying failures on login when login is + compiled with PAM and when FAILLOG_ENAB is set to yes. And create the + faillog file if it does not exist on postinst (as on Woody). +Depends: 008_login_more_LOG_UNKFAIL_ENAB +Fixes: #192849 + +Note: It could be removed if pam_tally could report the number of failures + preceding a successful login. + +--- a/src/login.c ++++ b/src/login.c +@@ -131,9 +131,9 @@ + const char *host, + /*@null@*/const struct utmp *utent); + +-#ifndef USE_PAM + static struct faillog faillog; + ++#ifndef USE_PAM + static void bad_time_notify (void); + static void check_nologin (bool login_to_root); + #else +@@ -792,6 +792,9 @@ + SYSLOG ((LOG_NOTICE, + "TOO MANY LOGIN TRIES (%u)%s FOR '%s'", + failcount, fromhost, failent_user)); ++ if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) { ++ failure (pwd->pw_uid, tty, &faillog); ++ } + fprintf(stderr, + _("Maximum number of tries exceeded (%u)\n"), + failcount); +@@ -809,6 +812,14 @@ + pam_strerror (pamh, retcode))); + failed = true; + } ++ if ( (NULL != pwd) ++ && getdef_bool("FAILLOG_ENAB") ++ && ! failcheck (pwd->pw_uid, &faillog, failed)) { ++ SYSLOG((LOG_CRIT, ++ "exceeded failure limit for `%s' %s", ++ failent_user, fromhost)); ++ failed = 1; ++ } + + if (!failed) { + break; +@@ -832,6 +843,10 @@ + (void) puts (""); + (void) puts (_("Login incorrect")); + ++ if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) { ++ failure (pwd->pw_uid, tty, &faillog); ++ } ++ + if (getdef_str("FTMP_FILE") != NULL) { + #ifdef USE_UTMPX + struct utmpx *failent = +@@ -1282,6 +1297,7 @@ + */ + #ifndef USE_PAM + motd (); /* print the message of the day */ ++#endif + if ( getdef_bool ("FAILLOG_ENAB") + && (0 != faillog.fail_cnt)) { + failprint (&faillog); +@@ -1294,6 +1310,7 @@ + username, (int) faillog.fail_cnt)); + } + } ++#ifndef USE_PAM + if ( getdef_bool ("LASTLOG_ENAB") + && (ll.ll_time != 0)) { + time_t ll_time = ll.ll_time; +--- a/lib/getdef.c ++++ b/lib/getdef.c +@@ -61,6 +61,7 @@ + {"ENV_SUPATH", NULL}, + {"ERASECHAR", NULL}, + {"FAIL_DELAY", NULL}, ++ {"FAILLOG_ENAB", NULL}, + {"FAKE_SHELL", NULL}, + {"FTMP_FILE", NULL}, + {"GID_MAX", NULL}, +@@ -103,7 +104,6 @@ + {"ENV_HZ", NULL}, + {"ENVIRON_FILE", NULL}, + {"ENV_TZ", NULL}, +- {"FAILLOG_ENAB", NULL}, + {"ISSUE_FILE", NULL}, + {"LASTLOG_ENAB", NULL}, + {"LOGIN_STRING", NULL}, diff --git a/packaging/463_login_delay_obeys_to_PAM b/packaging/463_login_delay_obeys_to_PAM new file mode 100644 index 0000000..4173aee --- /dev/null +++ b/packaging/463_login_delay_obeys_to_PAM @@ -0,0 +1,105 @@ +Goal: Do not hardcode pam_fail_delay and let pam_unix do its + job to set a delay...or not + +Fixes: #87648 + +Status wrt upstream: Forwarded but not applied yet + +Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs + +--- a/src/login.c ++++ b/src/login.c +@@ -525,7 +525,6 @@ + #if defined(HAVE_STRFTIME) && !defined(USE_PAM) + char ptime[80]; + #endif +- unsigned int delay; + unsigned int retries; + bool failed; + bool subroot = false; +@@ -546,6 +545,7 @@ + pid_t child; + char *pam_user = NULL; + #else ++ unsigned int delay; + struct spwd *spwd = NULL; + #endif + /* +@@ -706,7 +706,6 @@ + } + + environ = newenvp; /* make new environment active */ +- delay = getdef_unum ("FAIL_DELAY", 1); + retries = getdef_unum ("LOGIN_RETRIES", RETRIES); + + #ifdef USE_PAM +@@ -722,8 +721,7 @@ + + /* + * hostname & tty are either set to NULL or their correct values, +- * depending on how much we know. We also set PAM's fail delay to +- * ours. ++ * depending on how much we know. + * + * PAM_RHOST and PAM_TTY are used for authentication, only use + * information coming from login or from the caller (e.g. no utmp) +@@ -732,10 +730,6 @@ + PAM_FAIL_CHECK; + retcode = pam_set_item (pamh, PAM_TTY, tty); + PAM_FAIL_CHECK; +-#ifdef HAS_PAM_FAIL_DELAY +- retcode = pam_fail_delay (pamh, 1000000 * delay); +- PAM_FAIL_CHECK; +-#endif + /* if fflg, then the user has already been authenticated */ + if (!fflg) { + unsigned int failcount = 0; +@@ -776,12 +770,6 @@ + failed = false; + + failcount++; +-#ifdef HAS_PAM_FAIL_DELAY +- if (delay > 0) { +- retcode = pam_fail_delay(pamh, 1000000*delay); +- PAM_FAIL_CHECK; +- } +-#endif + + retcode = pam_authenticate (pamh, 0); + +@@ -1100,14 +1088,17 @@ + free (username); + username = NULL; + ++#ifndef USE_PAM + /* + * Wait a while (a la SVR4 /usr/bin/login) before attempting + * to login the user again. If the earlier alarm occurs + * before the sleep() below completes, login will exit. + */ ++ delay = getdef_unum ("FAIL_DELAY", 1); + if (delay > 0) { + (void) sleep (delay); + } ++#endif + + (void) puts (_("Login incorrect")); + +--- a/lib/getdef.c ++++ b/lib/getdef.c +@@ -60,7 +60,6 @@ + {"ENV_PATH", NULL}, + {"ENV_SUPATH", NULL}, + {"ERASECHAR", NULL}, +- {"FAIL_DELAY", NULL}, + {"FAILLOG_ENAB", NULL}, + {"FAKE_SHELL", NULL}, + {"FTMP_FILE", NULL}, +@@ -104,6 +103,7 @@ + {"ENV_HZ", NULL}, + {"ENVIRON_FILE", NULL}, + {"ENV_TZ", NULL}, ++ {"FAIL_DELAY", NULL}, + {"ISSUE_FILE", NULL}, + {"LASTLOG_ENAB", NULL}, + {"LOGIN_STRING", NULL}, diff --git a/packaging/483_su_fakelogin_wrong_arg0 b/packaging/483_su_fakelogin_wrong_arg0 new file mode 100644 index 0000000..de877b6 --- /dev/null +++ b/packaging/483_su_fakelogin_wrong_arg0 @@ -0,0 +1,15 @@ +Goal: shell's name must be -su when a su fakes a login + +Status wrt upstream: not reported yet + +--- a/src/su.c ++++ b/src/su.c +@@ -1001,7 +1001,7 @@ + * Use the shell and create an argv + * with the rest of the command line included. + */ +- argv[-1] = shellstr; ++ argv[-1] = cp; + #ifndef USE_PAM + (void) execve (shellstr, &argv[-1], environ); + err = errno; diff --git a/packaging/501_commonio_group_shadow b/packaging/501_commonio_group_shadow new file mode 100644 index 0000000..4c227df --- /dev/null +++ b/packaging/501_commonio_group_shadow @@ -0,0 +1,37 @@ +Goal: save the [g]shadow files with the 'shadow' group and mode 0440 + +Fixes: #166793 + +--- a/lib/commonio.c ++++ b/lib/commonio.c +@@ -44,6 +44,7 @@ + #include + #include + #include ++#include + #include "nscd.h" + #ifdef WITH_SELINUX + #include +@@ -868,13 +869,20 @@ + goto fail; + } + } else { ++ struct group *grp; + /* + * Default permissions for new [g]shadow files. + * (passwd and group always exist...) + */ +- sb.st_mode = 0400; ++ sb.st_mode = 0440; + sb.st_uid = 0; +- sb.st_gid = 0; ++ /* ++ * Try to retrieve the shadow's GID, and fall back to GID 0. ++ */ ++ if ((grp = getgrnam("shadow")) != NULL) ++ sb.st_gid = grp->gr_gid; ++ else ++ sb.st_gid = 0; + } + + snprintf (buf, sizeof buf, "%s+", db->filename); diff --git a/packaging/506_relaxed_usernames b/packaging/506_relaxed_usernames new file mode 100644 index 0000000..d8ac342 --- /dev/null +++ b/packaging/506_relaxed_usernames @@ -0,0 +1,92 @@ +Goal: Relaxed usernames/groupnames checking patch. + +Status wrt upstream: Debian specific. Not to be used upstream + +Details: + Allows any non-empty user/grounames that don't contain ':' and '\n' + characters and don't start with '-'. This patch is more restrictive + than original Karl's version. closes: #264879 + Also closes: #377844 + + Comments from Karl Ramm (shadow 1:4.0.3-9, 20 Aug 2003 02:06:50 -0400): + + I can't come up with a good justification as to why characters other + than ':'s and '\0's should be disallowed in group and usernames (other + than '-' as the leading character). Thus, the maintenance tools don't + anymore. closes: #79682, #166798, #171179 + +--- a/libmisc/chkname.c ++++ b/libmisc/chkname.c +@@ -48,6 +48,7 @@ + + static bool is_valid_name (const char *name) + { ++#if 0 + /* + * User/group names must match [a-z_][a-z0-9_-]*[$] + */ +@@ -66,6 +67,20 @@ + return false; + } + } ++#endif ++ /* ++ * POSIX indicate that usernames are composed of characters from the ++ * portable filename character set [A-Za-z0-9._-], and that the hyphen ++ * should not be used as the first character of a portable user name. ++ * ++ * Allow more relaxed user/group names in Debian -- ^[^-:\s][^:\s]*$ ++ */ ++ if (!*name || isspace(*name)) ++ return 0; ++ do ++ if (*name == ':' || isspace(*name)) ++ return 0; ++ while (*++name); + + return true; + } +--- a/man/useradd.8.xml ++++ b/man/useradd.8.xml +@@ -607,12 +607,19 @@ + + + +- Usernames must start with a lower case letter or an underscore, ++ It is usually recommended to only use usernames that begin with a lower case letter or an underscore, + followed by lower case letters, digits, underscores, or dashes. + They can end with a dollar sign. + In regular expression terms: [a-z_][a-z0-9_-]*[$]? + + ++ On Debian, the only constraints are that usernames must neither start ++ with a dash ('-') nor contain a colon (':') or a whitespace (space: ' ', ++ end of line: '\n', tabulation: '\t', etc.). Note that using a slash ++ ('/') may break the default algorithm for the definition of the ++ user's home directory. ++ ++ + Usernames may only be up to 32 characters long. + + +--- a/man/groupadd.8.xml ++++ b/man/groupadd.8.xml +@@ -223,12 +223,17 @@ + + CAVEATS + +- Groupnames must start with a lower case letter or an underscore, ++ It is usually recommended to only use groupnames that begin with a lower case letter or an underscore, + followed by lower case letters, digits, underscores, or dashes. + They can end with a dollar sign. + In regular expression terms: [a-z_][a-z0-9_-]*[$]? + + ++ On Debian, the only constraints are that groupnames must neither start ++ with a dash ('-') nor contain a colon (':') or a whitespace (space:' ', ++ end of line: '\n', tabulation: '\t', etc.). ++ ++ + Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long. + + diff --git a/packaging/508_nologin_in_usr_sbin b/packaging/508_nologin_in_usr_sbin new file mode 100644 index 0000000..f1247b9 --- /dev/null +++ b/packaging/508_nologin_in_usr_sbin @@ -0,0 +1,18 @@ +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -22,7 +22,6 @@ + # $prefix/bin and $prefix/sbin, no install-data hacks...) + + bin_PROGRAMS = groups login su +-sbin_PROGRAMS = nologin + ubin_PROGRAMS = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd + usbin_PROGRAMS = \ + cppw \ +@@ -37,6 +36,7 @@ + grpunconv \ + logoutd \ + newusers \ ++ nologin \ + pwck \ + pwconv \ + pwunconv \ diff --git a/packaging/523_su_arguments_are_concatenated b/packaging/523_su_arguments_are_concatenated new file mode 100644 index 0000000..397fe49 --- /dev/null +++ b/packaging/523_su_arguments_are_concatenated @@ -0,0 +1,48 @@ +Goal: Concatenate the non-su arguments and provide them to the shell with + the -c option +Fixes: #317264 + see also #276419 + +Status wrt upstream: This is a Debian specific patch. + +Note: the fix of the man page is still missing. + (to be taken from the trunk) + +--- a/src/su.c ++++ b/src/su.c +@@ -953,6 +953,35 @@ + argv[0] = "-c"; + argv[1] = command; + } ++ /* On Debian, the arguments are concatenated and the ++ * resulting string is always given to the shell with its ++ * -c option. ++ */ ++ { ++ char **parg; ++ unsigned int cmd_len = 0; ++ char *cmd = NULL; ++ if (strcmp(argv[0], "-c") != 0) { ++ argv--; ++ argv[0] = "-c"; ++ } ++ /* Now argv[0] is always -c, and other arguments ++ * can be concatenated ++ */ ++ cmd_len = 1; /* finale '\0' */ ++ for (parg = &argv[1]; *parg; parg++) { ++ cmd_len += strlen (*parg) + 1; ++ } ++ cmd = (char *) xmalloc (sizeof (char) * cmd_len); ++ cmd[0] = '\0'; ++ for (parg = &argv[1]; *parg; parg++) { ++ strcat (cmd, " "); ++ strcat (cmd, *parg); ++ } ++ cmd[cmd_len - 1] = '\0'; ++ argv[1] = &cmd[1]; /* do not take first space */ ++ argv[2] = NULL; ++ } + /* + * Use the shell and create an argv + * with the rest of the command line included. diff --git a/packaging/523_su_arguments_are_no_more_concatenated_by_default b/packaging/523_su_arguments_are_no_more_concatenated_by_default new file mode 100644 index 0000000..42e5fb1 --- /dev/null +++ b/packaging/523_su_arguments_are_no_more_concatenated_by_default @@ -0,0 +1,50 @@ +Goal: Do not concatenate the additional arguments, and support an + environment variable to revert to the old Debian's su behavior. + +This patch needs the su_arguments_are_concatenated patch. + +This patch, and su_arguments_are_concatenated should be dropped after +Etch. + +Status wrt upstream: This patch is Debian specific. + +--- a/src/su.c ++++ b/src/su.c +@@ -86,6 +86,19 @@ + /* If nonzero, change some environment vars to indicate the user su'd to. */ + static bool change_environment; + ++/* ++ * If nonzero, keep the old Debian behavior: ++ * * concatenate all the arguments and provide them to the -c option of ++ * the shell ++ * * If there are some additional arguments, but no -c, add a -c ++ * argument anyway ++ * Drawbacks: ++ * * you can't provide options to the shell (other than -c) ++ * * you can't rely on the argument count ++ * See http://bugs.debian.org/276419 ++ */ ++static int old_debian_behavior; ++ + #ifdef USE_PAM + static pam_handle_t *pamh = NULL; + static bool caught = false; +@@ -344,6 +357,8 @@ + #endif + #endif /* !USE_PAM */ + ++ old_debian_behavior = (getenv("SU_NO_SHELL_ARGS") != NULL); ++ + /* sanitize_env (); */ + + (void) setlocale (LC_ALL, ""); +@@ -957,7 +972,7 @@ + * resulting string is always given to the shell with its + * -c option. + */ +- { ++ if (old_debian_behavior) { + char **parg; + unsigned int cmd_len = 0; + char *cmd = NULL; diff --git a/packaging/542_useradd-O_option b/packaging/542_useradd-O_option new file mode 100644 index 0000000..299659b --- /dev/null +++ b/packaging/542_useradd-O_option @@ -0,0 +1,21 @@ +Goal: accepts the -O flag for backward compatibility. (was used by adduser?) + +Note: useradd.8 needs to be regenerated. + +Status wrt upstream: not included as this is just specific + backward compatibility for Debian + +--- a/man/useradd.8.xml ++++ b/man/useradd.8.xml +@@ -300,6 +300,11 @@ + UID_MIN=10,UID_MAX=499 + doesn't work yet. + ++ ++ For the compatibility with previous Debian's ++ useradd, the option is ++ also supported. ++ + + + diff --git a/packaging/login-eng.defs b/packaging/login-eng.defs new file mode 100644 index 0000000..f8c89c3 --- /dev/null +++ b/packaging/login-eng.defs @@ -0,0 +1,348 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/usr/devel/usr/sbin:/opt/usr/devel/usr/bin:/opt/usr/devel/sbin:/opt/usr/devel/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK usage is discouraged because it catches only some classes of user +# entries to system, in fact only those made through login(1), while setting +# umask in shell rc file will catch also logins through su, cron, ssh etc. +# +# At the same time, using shell rc to set umask won't catch entries which use +# non-shell executables in place of login shell, like /usr/sbin/pppd for "ppp" +# user and alike. +# +# Therefore the use of pam_umask is recommended as the solution which +# catches all these cases on PAM-enabled systems. +# +# This avoids the confusion created by having the umask set +# in two different places -- in login.defs and shell rc files (i.e. +# /etc/profile). +# +# For discussion, see #314539 and #248150 as well as the thread starting at +# http://lists.debian.org/debian-devel/2005/06/msg01598.html +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +# 022 is the "historical" value in Debian for UMASK when it was used +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +#UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad. This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# This enables userdel to remove user groups if no members exist. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, thus in Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +#ENCRYPT_METHOD DES + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/packaging/login.defs b/packaging/login.defs new file mode 100644 index 0000000..bdb0972 --- /dev/null +++ b/packaging/login.defs @@ -0,0 +1,348 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK usage is discouraged because it catches only some classes of user +# entries to system, in fact only those made through login(1), while setting +# umask in shell rc file will catch also logins through su, cron, ssh etc. +# +# At the same time, using shell rc to set umask won't catch entries which use +# non-shell executables in place of login shell, like /usr/sbin/pppd for "ppp" +# user and alike. +# +# Therefore the use of pam_umask is recommended as the solution which +# catches all these cases on PAM-enabled systems. +# +# This avoids the confusion created by having the umask set +# in two different places -- in login.defs and shell rc files (i.e. +# /etc/profile). +# +# For discussion, see #314539 and #248150 as well as the thread starting at +# http://lists.debian.org/debian-devel/2005/06/msg01598.html +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +# 022 is the "historical" value in Debian for UMASK when it was used +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +#UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad. This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# This enables userdel to remove user groups if no members exist. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, thus in Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +#ENCRYPT_METHOD DES + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/packaging/securetty b/packaging/securetty new file mode 100644 index 0000000..941b59c --- /dev/null +++ b/packaging/securetty @@ -0,0 +1,138 @@ +# /etc/securetty: list of terminals on which root is allowed to login. +# See securetty(5) and login(1). +console +s3c-console + +# Standard serial ports +ttyS0 +ttyS1 +ttyS2 +ttyS3 +ttyS4 +ttyS5 + +# USB dongles +ttyUSB0 +ttyUSB1 +ttyUSB2 + +# PowerMac +ttyPZ0 +ttyPZ1 +ttyPZ2 +ttyPZ3 + +# Embedded MPC platforms +ttyPSC0 +ttyPSC1 +ttyPSC2 +ttyPSC3 +ttyPSC4 +ttyPSC5 + +# PA-RISC mux ports +ttyB0 +ttyB1 + +# Standard hypervisor virtual console +hvc0 + +# Oldstyle Xen console +xvc0 + +# Standard consoles +tty1 +tty2 +tty3 +tty4 +tty5 +tty6 +tty7 +tty8 +tty9 +tty10 +tty11 +tty12 +tty13 +tty14 +tty15 +tty16 +tty17 +tty18 +tty19 +tty20 +tty21 +tty22 +tty23 +tty24 +tty25 +tty26 +tty27 +tty28 +tty29 +tty30 +tty31 +tty32 +tty33 +tty34 +tty35 +tty36 +tty37 +tty38 +tty39 +tty40 +tty41 +tty42 +tty43 +tty44 +tty45 +tty46 +tty47 +tty48 +tty49 +tty50 +tty51 +tty52 +tty53 +tty54 +tty55 +tty56 +tty57 +tty58 +tty59 +tty60 +tty61 +tty62 +tty63 + +# Local X displays (allows empty passwords with pam_unix's nullok_secure) +:0 +:0.0 +:0.1 +:1 +:1.0 +:1.1 +:2 +:2.0 +:2.1 +:3 +:3.0 +:3.1 + +# Embedded Freescale i.MX ports +ttymxc0 +ttymxc1 +ttymxc2 +ttymxc3 +ttymxc4 +ttymxc5 + +# Embedded Renesas SuperH ports +ttySC0 +ttySC1 +ttySC2 +ttySC3 +ttySC4 +ttySC5 + + diff --git a/packaging/shadow-4.1.4.1-goodname.patch b/packaging/shadow-4.1.4.1-goodname.patch new file mode 100644 index 0000000..7ba4c2c --- /dev/null +++ b/packaging/shadow-4.1.4.1-goodname.patch @@ -0,0 +1,68 @@ +diff -up shadow-4.1.4.1/libmisc/chkname.c.goodname shadow-4.1.4.1/libmisc/chkname.c +--- shadow-4.1.4.1/libmisc/chkname.c.goodname 2009-04-28 21:14:04.000000000 +0200 ++++ shadow-4.1.4.1/libmisc/chkname.c 2009-06-16 13:47:08.000000000 +0200 +@@ -49,20 +49,28 @@ + static bool is_valid_name (const char *name) + { + /* +- * User/group names must match [a-z_][a-z0-9_-]*[$] +- */ +- if (('\0' == *name) || +- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) { ++ * User/group names must match gnu e-regex: ++ * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]? ++ * ++ * as a non-POSIX, extension, allow "$" as the last char for ++ * sake of Samba 3.x "add machine script" ++ */ ++ if ( ('\0' == *name) || ++ !((*name >= 'a' && *name <= 'z') || ++ (*name >= 'A' && *name <= 'Z') || ++ (*name >= '0' && *name <= '9') || ++ (*name == '_') || (*name == '.') ++ )) { + return false; + } + + while ('\0' != *++name) { +- if (!(( ('a' <= *name) && ('z' >= *name) ) || +- ( ('0' <= *name) && ('9' >= *name) ) || +- ('_' == *name) || +- ('-' == *name) || +- ( ('$' == *name) && ('\0' == *(name + 1)) ) +- )) { ++ if (!( (*name >= 'a' && *name <= 'z') || ++ (*name >= 'A' && *name <= 'Z') || ++ (*name >= '0' && *name <= '9') || ++ (*name == '_') || (*name == '.') || (*name == '-') || ++ (*name == '$' && *(name + 1) == '\0') ++ )) { + return false; + } + } +diff -up shadow-4.1.4.1/man/groupadd.8.goodname shadow-4.1.4.1/man/groupadd.8 +--- shadow-4.1.4.1/man/groupadd.8.goodname 2009-05-22 15:56:08.000000000 +0200 ++++ shadow-4.1.4.1/man/groupadd.8 2009-06-16 13:50:41.000000000 +0200 +@@ -153,9 +153,7 @@ Shadow password suite configuration\&. + .RE + .SH "CAVEATS" + .PP +-Groupnames must start with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes\&. They can end with a dollar sign\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]? +-.PP +-Groupnames may only be up to 16 characters long\&. ++Groupnames may only be up to 32 characters long\&. + .PP + You may not add a NIS or LDAP group\&. This must be performed on the corresponding server\&. + .PP +diff -up shadow-4.1.4.1/man/useradd.8.goodname shadow-4.1.4.1/man/useradd.8 +--- shadow-4.1.4.1/man/useradd.8.goodname 2009-05-22 15:56:28.000000000 +0200 ++++ shadow-4.1.4.1/man/useradd.8 2009-06-16 13:51:17.000000000 +0200 +@@ -405,8 +405,6 @@ Similarly, if the username already exist + \fBuseradd\fR + will deny the user account creation request\&. + .PP +-Usernames must start with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes\&. They can end with a dollar sign\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]? +-.PP + Usernames may only be up to 32 characters long\&. + .SH "CONFIGURATION" + .PP diff --git a/packaging/shadow-4.1.4.2-fixes.patch b/packaging/shadow-4.1.4.2-fixes.patch new file mode 100644 index 0000000..a7ab5b4 --- /dev/null +++ b/packaging/shadow-4.1.4.2-fixes.patch @@ -0,0 +1,65 @@ +diff -up shadow-4.1.4.2/lib/commonio.c.fixes shadow-4.1.4.2/lib/commonio.c +--- shadow-4.1.4.2/lib/commonio.c.fixes 2009-09-07 15:51:28.312139467 +0200 ++++ shadow-4.1.4.2/lib/commonio.c 2009-09-07 15:52:00.788140456 +0200 +@@ -710,7 +710,7 @@ commonio_sort (struct commonio_db *db, i + db->tail->prev = entries[n - 1]; + db->tail->next = NULL; + +- for (i = 1; i < n; i++) { ++ for (i = 1; i < (n-1); i++) { + entries[i]->prev = entries[i - 1]; + entries[i]->next = entries[i + 1]; + } +diff -up shadow-4.1.4.2/libmisc/cleanup.c.fixes shadow-4.1.4.2/libmisc/cleanup.c +--- shadow-4.1.4.2/libmisc/cleanup.c.fixes 2009-09-07 15:52:22.449035388 +0200 ++++ shadow-4.1.4.2/libmisc/cleanup.c 2009-09-07 15:55:06.632033653 +0200 +@@ -107,7 +107,7 @@ void del_cleanup (cleanup_function pcf) + assert (i limit) { +- SYSLOG ((LOG_WARN, "Too many logins (max %d) for %s\n", ++ SYSLOG ((LOG_WARN, "Too many logins (max %lu) for %s\n", + limit, name)); + return LOGIN_ERROR_LOGIN; + } +diff -up shadow-4.1.4.2/libmisc/utmp.c.fixes shadow-4.1.4.2/libmisc/utmp.c +--- shadow-4.1.4.2/libmisc/utmp.c.fixes 2009-09-07 15:56:30.534033865 +0200 ++++ shadow-4.1.4.2/libmisc/utmp.c 2009-09-07 16:11:23.049069289 +0200 +@@ -56,7 +56,7 @@ static bool is_my_tty (const char *tty) + /* full_tty shall be at least sizeof utmp.ut_line + 5 */ + char full_tty[200]; + /* tmptty shall be bigger than full_tty */ +- static char tmptty[sizeof (full_tty)+1]; ++ static char tmptty[sizeof (full_tty)+1] = ""; + + if ('/' != *tty) { + (void) snprintf (full_tty, sizeof full_tty, "/dev/%s", tty); +@@ -71,7 +71,7 @@ static bool is_my_tty (const char *tty) + } + } + +- if (NULL == tmptty) { ++ if ('\0' == tmptty[0]) { + (void) puts (_("Unable to determine your tty name.")); + exit (EXIT_FAILURE); + } else if (strncmp (tty, tmptty, sizeof (tmptty)) != 0) { +@@ -200,7 +200,6 @@ static void updwtmpx (const char *filena + strcpy (hostname, host); + #ifdef HAVE_STRUCT_UTMP_UT_HOST + } else if ( (NULL != ut) +- && (NULL != ut->ut_host) + && ('\0' != ut->ut_host[0])) { + hostname = (char *) xmalloc (sizeof (ut->ut_host) + 1); + strncpy (hostname, ut->ut_host, sizeof (ut->ut_host)); diff --git a/packaging/shadow-4.1.4.2-leak.patch b/packaging/shadow-4.1.4.2-leak.patch new file mode 100644 index 0000000..0d6aa09 --- /dev/null +++ b/packaging/shadow-4.1.4.2-leak.patch @@ -0,0 +1,108 @@ +diff -up shadow-4.1.4.2/lib/groupmem.c.leak shadow-4.1.4.2/lib/groupmem.c +--- shadow-4.1.4.2/lib/groupmem.c.leak 2009-04-23 19:43:27.000000000 +0200 ++++ shadow-4.1.4.2/lib/groupmem.c 2009-09-07 15:43:23.314129427 +0200 +@@ -51,10 +51,13 @@ + *gr = *grent; + gr->gr_name = strdup (grent->gr_name); + if (NULL == gr->gr_name) { ++ free(gr); + return NULL; + } + gr->gr_passwd = strdup (grent->gr_passwd); + if (NULL == gr->gr_passwd) { ++ free(gr->gr_name); ++ free(gr); + return NULL; + } + +@@ -62,11 +65,21 @@ + + gr->gr_mem = (char **) malloc ((i + 1) * sizeof (char *)); + if (NULL == gr->gr_mem) { ++ free(gr->gr_passwd); ++ free(gr->gr_name); ++ free(gr); + return NULL; + } + for (i = 0; grent->gr_mem[i]; i++) { + gr->gr_mem[i] = strdup (grent->gr_mem[i]); + if (NULL == gr->gr_mem[i]) { ++ int j; ++ for (j=0; jgr_mem[j]); ++ free(gr->gr_mem); ++ free(gr->gr_passwd); ++ free(gr->gr_name); ++ free(gr); + return NULL; + } + } +diff -up shadow-4.1.4.2/libmisc/copydir.c.leak shadow-4.1.4.2/libmisc/copydir.c +--- shadow-4.1.4.2/libmisc/copydir.c.leak 2009-05-22 12:16:14.000000000 +0200 ++++ shadow-4.1.4.2/libmisc/copydir.c 2009-09-07 15:41:49.217192095 +0200 +@@ -443,6 +443,7 @@ static char *readlink_malloc (const char + nchars = readlink (filename, buffer, size); + + if (nchars < 0) { ++ free(buffer); + return NULL; + } + +diff -up shadow-4.1.4.2/lib/pwmem.c.leak shadow-4.1.4.2/lib/pwmem.c +--- shadow-4.1.4.2/lib/pwmem.c.leak 2009-04-23 19:43:27.000000000 +0200 ++++ shadow-4.1.4.2/lib/pwmem.c 2009-09-07 15:41:49.218203063 +0200 +@@ -51,22 +51,37 @@ + *pw = *pwent; + pw->pw_name = strdup (pwent->pw_name); + if (NULL == pw->pw_name) { ++ free(pw); + return NULL; + } + pw->pw_passwd = strdup (pwent->pw_passwd); + if (NULL == pw->pw_passwd) { ++ free(pw->pw_name); ++ free(pw); + return NULL; + } + pw->pw_gecos = strdup (pwent->pw_gecos); + if (NULL == pw->pw_gecos) { ++ free(pw->pw_passwd); ++ free(pw->pw_name); ++ free(pw); + return NULL; + } + pw->pw_dir = strdup (pwent->pw_dir); + if (NULL == pw->pw_dir) { ++ free(pw->pw_gecos); ++ free(pw->pw_passwd); ++ free(pw->pw_name); ++ free(pw); + return NULL; + } + pw->pw_shell = strdup (pwent->pw_shell); + if (NULL == pw->pw_shell) { ++ free(pw->pw_dir); ++ free(pw->pw_gecos); ++ free(pw->pw_passwd); ++ free(pw->pw_name); ++ free(pw); + return NULL; + } + +diff -up shadow-4.1.4.2/lib/shadowmem.c.leak shadow-4.1.4.2/lib/shadowmem.c +--- shadow-4.1.4.2/lib/shadowmem.c.leak 2009-04-23 19:43:27.000000000 +0200 ++++ shadow-4.1.4.2/lib/shadowmem.c 2009-09-07 15:41:49.218203063 +0200 +@@ -52,10 +52,13 @@ + *sp = *spent; + sp->sp_namp = strdup (spent->sp_namp); + if (NULL == sp->sp_namp) { ++ free(sp); + return NULL; + } + sp->sp_pwdp = strdup (spent->sp_pwdp); + if (NULL == sp->sp_pwdp) { ++ free(sp->sp_namp); ++ free(sp); + return NULL; + } + diff --git a/packaging/shadow-4.1.4.2-redhat.patch b/packaging/shadow-4.1.4.2-redhat.patch new file mode 100644 index 0000000..2b9e334 --- /dev/null +++ b/packaging/shadow-4.1.4.2-redhat.patch @@ -0,0 +1,77 @@ +diff -up shadow-4.1.4.2/libmisc/find_new_gid.c.redhat shadow-4.1.4.2/libmisc/find_new_gid.c +--- shadow-4.1.4.2/libmisc/find_new_gid.c.redhat 2009-07-18 01:53:42.000000000 +0200 ++++ shadow-4.1.4.2/libmisc/find_new_gid.c 2009-09-07 16:34:26.640814090 +0200 +@@ -58,11 +58,11 @@ int find_new_gid (bool sys_group, + assert (gid != NULL); + + if (!sys_group) { +- gid_min = (gid_t) getdef_ulong ("GID_MIN", 1000UL); ++ gid_min = (gid_t) getdef_ulong ("GID_MIN", 500UL); + gid_max = (gid_t) getdef_ulong ("GID_MAX", 60000UL); + } else { +- gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL); +- gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1; ++ gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 201UL); ++ gid_max = (gid_t) getdef_ulong ("GID_MIN", 500UL) - 1; + gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max); + } + used_gids = alloca (sizeof (bool) * (gid_max +1)); +diff -up shadow-4.1.4.2/libmisc/find_new_uid.c.redhat shadow-4.1.4.2/libmisc/find_new_uid.c +--- shadow-4.1.4.2/libmisc/find_new_uid.c.redhat 2009-07-18 01:53:43.000000000 +0200 ++++ shadow-4.1.4.2/libmisc/find_new_uid.c 2009-09-07 16:34:19.695877000 +0200 +@@ -58,11 +58,11 @@ int find_new_uid (bool sys_user, + assert (uid != NULL); + + if (!sys_user) { +- uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); ++ uid_min = (uid_t) getdef_ulong ("UID_MIN", 500UL); + uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); + } else { +- uid_min = (uid_t) getdef_ulong ("SYS_UID_MIN", 101UL); +- uid_max = (uid_t) getdef_ulong ("UID_MIN", 1000UL) - 1; ++ uid_min = (uid_t) getdef_ulong ("SYS_UID_MIN", 201UL); ++ uid_max = (uid_t) getdef_ulong ("UID_MIN", 500UL) - 1; + uid_max = (uid_t) getdef_ulong ("SYS_UID_MAX", (unsigned long) uid_max); + } + used_uids = alloca (sizeof (bool) * (uid_max +1)); +diff -up shadow-4.1.4.2/src/useradd.c.redhat shadow-4.1.4.2/src/useradd.c +--- shadow-4.1.4.2/src/useradd.c.redhat 2009-06-06 00:16:58.000000000 +0200 ++++ shadow-4.1.4.2/src/useradd.c 2009-09-07 16:34:01.402878101 +0200 +@@ -90,7 +90,7 @@ char *Prog; + static gid_t def_group = 100; + static const char *def_gname = "other"; + static const char *def_home = "/home"; +-static const char *def_shell = ""; ++static const char *def_shell = "/sbin/nologin"; + static const char *def_template = SKEL_DIR; + static const char *def_create_mail_spool = "no"; + +@@ -102,7 +102,7 @@ static char def_file[] = USER_DEFAULTS_F + #define VALID(s) (strcspn (s, ":\n") == strlen (s)) + + static const char *user_name = ""; +-static const char *user_pass = "!"; ++static const char *user_pass = "!!"; + static uid_t user_id; + static gid_t user_gid; + static const char *user_comment = ""; +@@ -989,9 +989,9 @@ static void process_flags (int argc, cha + }; + while ((c = getopt_long (argc, argv, + #ifdef WITH_SELINUX +- "b:c:d:De:f:g:G:k:K:lmMNop:rs:u:UZ:", ++ "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:UZ:", + #else +- "b:c:d:De:f:g:G:k:K:lmMNop:rs:u:U", ++ "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:U", + #endif + long_options, NULL)) != -1) { + switch (c) { +@@ -1141,6 +1141,7 @@ static void process_flags (int argc, cha + case 'M': + Mflg = true; + break; ++ case 'n': + case 'N': + Nflg = true; + break; diff --git a/packaging/shadow-4.1.4.2-rounds_prefix.patch b/packaging/shadow-4.1.4.2-rounds_prefix.patch new file mode 100644 index 0000000..7af9c93 --- /dev/null +++ b/packaging/shadow-4.1.4.2-rounds_prefix.patch @@ -0,0 +1,42 @@ +diff -ruN shadow-4.1.4.2-orig/libmisc/loginprompt.c shadow-4.1.4.2/libmisc/loginprompt.c +--- shadow-4.1.4.2-orig/libmisc/loginprompt.c 2012-12-03 19:11:51.416226723 +0900 ++++ shadow-4.1.4.2/libmisc/loginprompt.c 2012-12-03 19:16:28.636237330 +0900 +@@ -158,10 +158,9 @@ + envp[envc] = nvar; + } else { + size_t len = strlen (nvar) + 32; +- int wlen; + envp[envc] = xmalloc (len); +- wlen = snprintf (envp[envc], len, "L%d=%s", count++, nvar); +- assert (wlen == (int) len -1); ++ (void) snprintf (envp[envc], len, ++ "L%d=%s", count++, nvar); + } + } + set_env (envc, envp); +diff -ruN shadow-4.1.4.2-orig/libmisc/salt.c shadow-4.1.4.2/libmisc/salt.c +--- shadow-4.1.4.2-orig/libmisc/salt.c 2012-12-03 19:11:51.412226719 +0900 ++++ shadow-4.1.4.2/libmisc/salt.c 2012-12-03 19:15:11.840234397 +0900 +@@ -106,7 +106,7 @@ + */ + static /*@observer@*/const char *SHA_salt_rounds (/*@null@*/int *prefered_rounds) + { +- static char rounds_prefix[18]; ++ static char rounds_prefix[18]; /* Max size: rounds=999999999$ */ + long rounds; + + if (NULL == prefered_rounds) { +@@ -152,11 +152,8 @@ + + snprintf (rounds_prefix, 18, "rounds=%ld$", rounds); + +- /* Sanity checks. That should not be necessary. */ +- rounds_prefix[17] = '\0'; +- if ('$' != rounds_prefix[16]) { +- rounds_prefix[17] = '$'; +- } ++ (void) snprintf (rounds_prefix, sizeof rounds_prefix, ++ "rounds=%ld$", rounds); + + return rounds_prefix; + } diff --git a/packaging/shadow-utils.manifest b/packaging/shadow-utils.manifest new file mode 100644 index 0000000..ede5999 --- /dev/null +++ b/packaging/shadow-utils.manifest @@ -0,0 +1,11 @@ + + + + + + + + + + + diff --git a/packaging/shadow-utils.spec b/packaging/shadow-utils.spec new file mode 100755 index 0000000..a061101 --- /dev/null +++ b/packaging/shadow-utils.spec @@ -0,0 +1,161 @@ +Summary: Utilities for managing accounts and shadow password files +Name: shadow-utils +Version: 4.1.4.2 +Release: 7 +URL: http://pkg-shadow.alioth.debian.org/ +License: BSD-2.0 and GPL-2.0+ +Group: System/Base + +Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.gz +%if 0%{?tizen_build_binary_release_type_eng:1} +Source1: login-eng.defs +%else +Source1: login.defs +%endif +Source2: securetty +Source3: useradd.default +Source1001: %{name}.manifest + +Patch0: 008_login_log_failure_in_FTMP +Patch1: 008_su_get_PAM_username +Patch2: 008_su_no_sanitize_env +Patch3: 401_cppw_src.dpatch +Patch4: 402_cppw_selinux +Patch5: 428_grpck_add_prune_option +Patch6: 429_login_FAILLOG_ENAB +Patch7: 463_login_delay_obeys_to_PAM +Patch8: 483_su_fakelogin_wrong_arg0 +Patch9: 501_commonio_group_shadow +Patch10: 506_relaxed_usernames +Patch11: 508_nologin_in_usr_sbin +Patch12: 523_su_arguments_are_concatenated +Patch13: 523_su_arguments_are_no_more_concatenated_by_default +Patch14: 542_useradd-O_option +Patch15: shadow-4.1.4.2-redhat.patch +Patch16: shadow-4.1.4.1-goodname.patch +Patch17: shadow-4.1.4.2-leak.patch +Patch18: shadow-4.1.4.2-fixes.patch +Patch19: shadow-4.1.4.2-rounds_prefix.patch + +Requires: setup + +%description +The shadow package includes the necessary programs for +converting UNIX password files to the shadow password format, plus +programs for managing user and group accounts. The pwconv command +converts passwords to the shadow password format. The pwunconv command +unconverts shadow passwords and generates an npasswd file (a standard +UNIX password file). The pwck command checks the integrity of password +and shadow files. The lastlog command prints out the last login times +for all users. The useradd, userdel, and usermod commands are used for +managing user accounts. The groupadd, groupdel, and groupmod commands +are used for managing group accounts. + +%prep +%setup -q + +%patch0 -p1 -b .008_login_log_failure_in_FTMP +%patch1 -p1 -b .008_su_get_PAM_username +%patch2 -p1 -b .008_su_no_sanitize_env +%patch3 -p1 -b .401_cppw_src.dpatch +%patch4 -p1 -b .402_cppw_selinux +%patch5 -p1 -b .428_grpck_add_prune_option +%patch6 -p1 -b .429_login_FAILLOG_ENAB +%patch7 -p1 -b .463_login_delay_obeys_to_PAM +%patch8 -p1 -b .483_su_fakelogin_wrong_arg0 +%patch9 -p1 -b .501_commonio_group_shadow +%patch10 -p1 -b .506_relaxed_usernames +%patch11 -p1 -b .508_nologin_in_usr_sbin +%patch12 -p1 -b .523_su_arguments_are_concatenated +%patch13 -p1 -b .523_su_arguments_are_no_more_concatenated_by_default +%patch14 -p1 -b .542_useradd-O_option +%patch15 -p1 -b .redhat +%patch16 -p1 -b .goodname +%patch17 -p1 -b .leak +%patch18 -p1 -b .fixes +%patch19 -p1 -b .rounds_prefix + +%build +cp %{SOURCE1001} . +%configure --without-libcrack --without-audit --mandir=/usr/share/man --without-libpam --without-selinux --enable-shadowgrp --disable-man --disable-account-tools-setuid --with-group-name-max-length=32 --disable-nls + +make + +%install +make install DESTDIR=%{buildroot} +install -d %{buildroot}/%{_sysconfdir}/default +install -c -m 444 %SOURCE1 %{buildroot}/%{_sysconfdir}/login.defs +install -c -m 444 %SOURCE2 %{buildroot}/%{_sysconfdir}/ +install -c -m 644 %SOURCE3 %{buildroot}/%{_sysconfdir}/default/useradd +install -d %{buildroot}/sbin + +chmod u+s %{buildroot}/%{_bindir}/su + +install -d %{buildroot}/bin +mv %{buildroot}/%{_bindir}/su %{buildroot}/bin/ +mv %{buildroot}/%{_bindir}/login %{buildroot}/bin/ + +# remove not needed files +rm %{buildroot}/%{_sbindir}/logoutd +rm %{buildroot}/%{_bindir}/groups +rm %{buildroot}/%{_sysconfdir}/login.access +rm %{buildroot}/%{_sysconfdir}/limits +rm %{buildroot}/%{_sysconfdir}/securetty +rm %{buildroot}/%{_bindir}/chfn +rm %{buildroot}/%{_bindir}/chsh +rm %{buildroot}/%{_bindir}/expiry +rm %{buildroot}/%{_sbindir}/chgpasswd +rm %{buildroot}/%{_sbindir}/grpck +rm %{buildroot}/%{_sbindir}/grpconv +rm %{buildroot}/%{_sbindir}/grpunconv +rm %{buildroot}/%{_sbindir}/pwck +rm %{buildroot}/%{_sbindir}/pwconv +rm %{buildroot}/%{_sbindir}/pwunconv +rm %{buildroot}/%{_sbindir}/vigr +rm %{buildroot}/%{_sbindir}/vipw + +%remove_docs + +mkdir -p $RPM_BUILD_ROOT%{_datadir}/license +for keyword in LICENSE COPYING COPYRIGHT COPYING.GPL-v2.0+; +do + for file in `find %{_builddir} -name $keyword`; + do + cat $file >> $RPM_BUILD_ROOT%{_datadir}/license/%{name}; + echo ""; + done; +done + +%files +%manifest %{name}.manifest +%{_datadir}/license/%{name} +%dir %{_sysconfdir}/default +%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/default/useradd +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/login.defs +/bin/login +%{_bindir}/faillog +%{_bindir}/lastlog +%{_bindir}/sg +%{_sbindir}/chpasswd +%{_sbindir}/groupadd +%{_sbindir}/groupdel +%{_sbindir}/groupmems +%{_sbindir}/groupmod +%{_sbindir}/newusers +%{_sbindir}/nologin +%{_sbindir}/useradd +%{_sbindir}/userdel +%{_sbindir}/usermod +%if 0%{?tizen_build_binary_release_type_eng} == 1 +/bin/su +%{_bindir}/chage +%{_bindir}/gpasswd +%{_bindir}/newgrp +%{_bindir}/passwd +%else +%exclude /bin/su +%exclude %{_bindir}/chage +%exclude %{_bindir}/gpasswd +%exclude %{_bindir}/newgrp +%exclude %{_bindir}/passwd +%endif diff --git a/packaging/useradd.default b/packaging/useradd.default new file mode 100644 index 0000000..a834fef --- /dev/null +++ b/packaging/useradd.default @@ -0,0 +1,37 @@ +# Default values for useradd(8) +# +# The SHELL variable specifies the default login shell on your +# system. +# Similar to DHSELL in adduser. However, we use "sh" here because +# useradd is a low level utility and should be as general +# as possible +SHELL=/bin/sh +# +# The default group for users +# 100=users on Debian systems +# Same as USERS_GID in adduser +# This argument is used when the -n flag is specified. +# The default behavior (when -n and -g are not specified) is to create a +# primary user group with the same name as the user being added to the +# system. +# GROUP=100 +# +# The default home directory. Same as DHOME for adduser +# HOME=/home +# +# The number of days after a password expires until the account +# is permanently disabled +# INACTIVE=-1 +# +# The default expire date +# EXPIRE= +# +# The SKEL variable specifies the directory containing "skeletal" user +# files; in other words, files such as a sample .profile that will be +# copied to the new user's home directory when it is created. +# SKEL=/etc/skel +# +# Defines whether the mail spool should be created while +# creating the account +# CREATE_MAIL_SPOOL=yes + -- 2.7.4