diff --git a/Makefile b/Makefile index d153284b..06d49f55 100644 --- a/Makefile +++ b/Makefile @@ -6,7 +6,7 @@ deb:: check_cheese include /usr/share/quilt/quilt.debbuild.mk check_cheese: - @dpkg-parsechangelog | grep -q "\* The \".*\" release\." || { \ + @dpkg-parsechangelog | grep -q "\* The \".*\".* release\." || { \ echo ""; \ echo " ** **"; \ echo " ** Warning: not a cheesy release! **"; \ diff --git a/debian/README.source b/debian/README.source new file mode 100644 index 00000000..1993b9f8 --- /dev/null +++ b/debian/README.source @@ -0,0 +1,17 @@ +This package uses quilt to patch the upstream source. + +You can find some info on how to generate the patched source, add a new +modification, and remove an existing modification on: + /usr/share/doc/quilt/README.source + +================================================================================ + +To package a new upstream release, you can use the Makefile: + svn://svn.debian.org/svn/pkg-shadow/debian/trunk/Makefile + +================================================================================ + +A testsuite is also available. Instruction on how to run this testsuite +are available on: + svn://svn.debian.org/svn/pkg-shadow/debian/trunk/tests/README + diff --git a/debian/changelog b/debian/changelog index 1c4c8bfc..e3454701 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,6 @@ -shadow (1:4.1.1-2) UNRELEASED; urgency=low +shadow (1:4.1.2-1) experimental; urgency=low - * The "Brie de Meaux" and "Brie de Melun" double cheese release. + * The "" release. * debian/control: changed the "Replaces" on manpages-zh to a versioned one on 1.5.1-1 * debian/control: drop all Replaces on manpages-* when the version is @@ -12,6 +12,83 @@ shadow (1:4.1.1-2) UNRELEASED; urgency=low -- Christian Perrier Mon, 07 Apr 2008 23:00:26 +0200 +shadow (1:4.1.1-4) unstable; urgency=low + + * The "Rocamadour" release. + * debian/patches/302_remove_non_translated_polish_manpages, + debian/patches/series: Remove the (untranslated) su.1 and login.1 polish + translation. Closes: #491460 + * debian/patches/506_relaxed_usernames: Document that the naming policy is + also used for the group names policy. Differentiate the Debian + constraints in a separate paragraph. Added documentation of the username + length restriction. Closes: #493230 + * debian/patches/507_32char_grnames.dpatch: Update the documentation of the + group length restriction. Closes: #493230 + * debian/login.pam: Replace the "multiple" option of pam_selinux by + "select_context". This requires PAM 1.0.1, but is commented. + Closes: #493181 + * debian/patches/494_passwd_lock-no_account_lock: Fix typo (missing + parenthesis). Thanks to Moray Allan. + + -- Nicolas FRANCOIS (Nekral) Fri, 15 Aug 2008 12:36:15 -0300 + +shadow (1:4.1.1-3) unstable; urgency=low + + * The "Morbier" release. + * debian/patches/302_vim_selinux_support: Add SE Linux support to vipw/vigr. + Thanks to Russell Coker. Closes: #491907 + * debian/patches/494_passwd_lock-no_account_lock: Restore the previous + behavior of passwd -l (which changed in #389183): only lock the user's + password, not the user's account. Also explicitly document the + differences. This restores a behavior common with the previous versions of + passwd and with other implementations. Closes: #492307 + * debian/patches/494_passwd_lock-no_account_lock: Add a reference to + usermod(8) in passwd(1). Closes: #412234 + * debian/login.pam: Enforce a fail delay to avoid login brute-force. + Closes: #443322 + * debian/login.pam: Indicate why the pam_securetty module is used as a + requisite module and mentions the possible drawbacks. Closes: #482352 + * debian/login.defs: Do not mention the libpam-umask package (the module is + now provided by libpam-modules). Closes: #492410 + * debian/patches/200_Czech_binary_translation: Updated Czech translation. + Thanks to Miroslav Kure. Closes: #482823 + * debian/securetty.linux: Add the PA-RISC mux ports (ttyB0, ttyB1). + Closes: #488515 + + -- Nicolas FRANCOIS (Nekral) Sat, 26 Jul 2008 10:12:46 +0200 + +shadow (1:4.1.1-2) unstable; urgency=low + + * The "Brie de Meaux" and "Brie de Melun" double cheese release. + * Backported patches from upstream + - debian/patches/300_SHA_crypt_method: + This fixes bugs in the SHA encryption method that force the salt to have + 8 bytes (instead of a random length between 8 and 16 bytes), and force + the number of SHA rounds to be equal to the lowest limit (at least 1000 + SHA rounds). + - debian/patches/301_manpages_missing_options: + This add the missing documentation of options in useradd, groupadd, and + newusers. + * Tag patches already applied upstream + - debian/patches/487_passwd_chauthtok_failed_message + - debian/patches/406_vipw_resume_properly + - debian/patches/008_su_get_PAM_username + - debian/patches/491_configure.in_friendly_selinux_detection + - debian/patches/434_login_stop_checking_args_after-- + - debian/patches/414_remove-unwise-advices + * Added description of new variables in /etc/login.defs: + - SYS_UID_MIN, SYS_UID_MAX, SYS_GID_MIN, SYS_GID_MAX + - ENCRYPT_METHOD + - SHA_CRYPT_MIN_ROUNDS, SHA_CRYPT_MAX_ROUNDS + * New Debian Policy: + - debian/control: Bump Standards-Version to 3.8.0 (no changes needed). + - debian/README.source: Document how to patch the upstream source, how to + use quilt, how to package a new upstream and how to use the testsuite. + * debian/patches/505_useradd_recommend_adduser: Fix typo: userdel is used to + remove an user, not to add one. Closes: #475795 + + -- Nicolas FRANCOIS (Nekral) Fri, 13 Jun 2008 01:27:16 +0200 + shadow (1:4.1.1-1) unstable; urgency=low * New upstream release. This closes the following bugs: diff --git a/debian/control b/debian/control index 036bfd9b..72b79c25 100644 --- a/debian/control +++ b/debian/control @@ -2,7 +2,7 @@ Source: shadow Section: admin Priority: required Maintainer: Shadow package maintainers -Standards-Version: 3.7.3.0 +Standards-Version: 3.8.0 Uploaders: Christian Perrier , Martin Quinson , Nicolas FRANCOIS (Nekral) Build-Depends: autoconf, automake1.9, libtool, gettext, libpam0g-dev, debhelper (>= 5.0.0), quilt, dpkg-dev (>= 1.13.5), xsltproc, docbook-xsl, docbook-xml, libxml2-utils, cdbs, libselinux1-dev [!hurd-i386 !kfreebsd-i386 !kfreebsd-amd64], gnome-doc-utils (>= 0.4.3-1) Vcs-Svn: svn://svn.debian.org/svn/pkg-shadow/debian/trunk diff --git a/debian/login.defs b/debian/login.defs index 84fb3cce..f0c8e166 100644 --- a/debian/login.defs +++ b/debian/login.defs @@ -140,8 +140,8 @@ TTYPERM 0600 # non-shell executables in place of login shell, like /usr/sbin/pppd for "ppp" # user and alike. # -# Therefore the use of pam_umask is recommended (Debian package libpam-umask) -# as the solution which catches all these cases on PAM-enabled systems. +# Therefore the use of pam_umask is recommended as the solution which +# catches all these cases on PAM-enabled systems. # # This avoids the confusion created by having the umask set # in two different places -- in login.defs and shell rc files (i.e. @@ -176,12 +176,18 @@ PASS_WARN_AGE 7 # UID_MIN 1000 UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 # # Min/max values for automatic gid selection in groupadd # GID_MIN 100 GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 # # Max number of login retries if password is bad. This will most likely be @@ -266,8 +272,38 @@ USERGROUPS_ENAB yes # # This variable is used by chpasswd, gpasswd and newusers. # +# This variable is deprecated. You should use ENCRYPT_METHOD. +# #MD5_CRYPT_ENAB no +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +#ENCRYPT_METHOD DES + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + ################# OBSOLETED BY PAM ############## # # # These options are now handled by PAM. Please # diff --git a/debian/login.pam b/debian/login.pam index 1008af03..5fbeb9fe 100644 --- a/debian/login.pam +++ b/debian/login.pam @@ -2,12 +2,24 @@ # The PAM configuration file for the Shadow `login' service # +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + # Outputs an issue file prior to each login prompt (Replaces the # ISSUE_FILE option from login.defs). Uncomment for use # auth required pam_issue.so issue=/etc/issue # Disallows root logins except on tty's listed in /etc/securetty # (Replaces the `CONSOLE' setting from login.defs) +# Note that it is included as a "requisite" module. No password prompts will +# be displayed if this module fails to avoid having the root password +# transmitted on unsecure ttys. +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root). auth requisite pam_securetty.so # Disallows other than root logins when /etc/nologin exists @@ -69,7 +81,7 @@ session optional pam_mail.so standard # SELinux needs to intervene at login time to ensure that the process # starts in the proper default security context. # Uncomment the following line to enable SELinux -# session required pam_selinux.so multiple +# session required pam_selinux.so select_context # Standard Un*x account and session @include common-account diff --git a/debian/patches/008_su_get_PAM_username b/debian/patches/008_su_get_PAM_username index 4622ae6d..650a88eb 100644 --- a/debian/patches/008_su_get_PAM_username +++ b/debian/patches/008_su_get_PAM_username @@ -1,9 +1,22 @@ -Goal: ??? +Goal: Retrieve the PAM username in case a module changed the PAM_USER + item. -Notes: - * It still needs more investigation. - I don't know what this patch is used for. IMO, the user name is - already known before calling pam_get_item(pamh, PAM_USER, ...) +According to Linux-PAM_ADG: + * Note, modules can change the values of PAM_USER and PAM_RUSER during + any of the pam_*() library calls. For this reason, the application + should take care to use the pam_get_item() every time it wishes to + establish who the authenticated user is (or will currently be). + +PAM_USER description: + + The username of the entity under whose identity service will be given. That + is, following authentication, PAM_USER identifies the local entity that + gets to use the service. Note, this value can be mapped from something + (eg., "anonymous") to something else (eg. "guest119") by any module in the + PAM stack. As such an application should consult the value of PAM_USER + after each call to a PAM function. + +See also: https://www.redhat.com/archives/pam-list/2008-May/msg00009.html Index: shadow-4.1.0/src/su.c =================================================================== diff --git a/debian/patches/200_Czech_binary_translation b/debian/patches/200_Czech_binary_translation new file mode 100644 index 00000000..0908a099 --- /dev/null +++ b/debian/patches/200_Czech_binary_translation @@ -0,0 +1,822 @@ +Goal: Update the Czech translation of the shadow programs + +Fixes: #482823 + +Status wrt upstream: Still not applied. + +Index: shadow-4.1.1/po/cs.po +=================================================================== +--- shadow-4.1.1.orig/po/cs.po 2008-07-26 10:17:10.268439506 +0200 ++++ shadow-4.1.1/po/cs.po 2008-07-26 10:17:33.285941161 +0200 +@@ -1,13 +1,13 @@ + # Czech translation of shadow-utils. + # Jiří Pavlovský , 1999-2000 +-# Miroslav Kuře , 2004-2006 ++# Miroslav Kuře , 2004-2008 + # + msgid "" + msgstr "" + "Project-Id-Version: shadow 4.0.18\n" + "Report-Msgid-Bugs-To: pkg-shadow-devel@lists.alioth.debian.org\n" +-"POT-Creation-Date: 2008-04-03 00:42+0200\n" +-"PO-Revision-Date: 2007-11-24 18:00+0100\n" ++"POT-Creation-Date: 2008-03-18 00:08+0100\n" ++"PO-Revision-Date: 2008-05-25 12:30+0200\n" + "Last-Translator: Miroslav Kure \n" + "Language-Team: Czech \n" + "MIME-Version: 1.0\n" +@@ -20,10 +20,12 @@ + msgid "" + "Multiple entries named '%s' in %s. Please fix this with pwck or grpck.\n" + msgstr "" ++"Zjištěno několik záznamů pojmenovaných „%s“ v souboru %s. Napravte to prosím " ++"pomocí pwck nebo grpck.\n" + + #, c-format + msgid "crypt method not supported by libcrypt? (%s)\n" +-msgstr "" ++msgstr "typ šifry není knihovnou libcrypt podporován? (%s)\n" + + msgid "Could not allocate space for config info.\n" + msgstr "Nemohu alokovat dostatek místa pro konfigurační údaje.\n" +@@ -31,7 +33,7 @@ + #, c-format + msgid "configuration error - unknown item '%s' (notify administrator)\n" + msgstr "" +-"konfigurační chyba - neznámý předmět '%s' (informujte správce systému)\n" ++"konfigurační chyba - neznámá položka „%s“ (informujte správce systému)\n" + + #, c-format + msgid "Warning: unknown group %s\n" +@@ -93,16 +95,14 @@ + "%d selhání od posledního přihlášení.\n" + "Poslední: %s na %s.\n" + +-#, fuzzy + msgid "Can't get unique UID (no more available UIDs)\n" +-msgstr "%s: nelze získat jedinečné UID\n" ++msgstr "Nelze získat jedinečné UID (další UID již nejsou dostupná)\n" + +-#, fuzzy + msgid "Can't get unique GID (no more available GIDs)\n" +-msgstr "%s: nelze získat jedinečné GID\n" ++msgstr "Nelze získat jedinečné GID (další GID již nejsou dostupná)\n" + + msgid "Too many logins.\n" +-msgstr "Příliš mnoho souběžných přihlášení.\n" ++msgstr "Příliš mnoho přihlášení.\n" + + msgid "You have new mail." + msgstr "Máte novou poštu." +@@ -146,6 +146,9 @@ + msgid "passwd: %s\n" + msgstr "passwd: %s\n" + ++msgid "passwd: password unchanged\n" ++msgstr "passwd: heslo nebylo změněno\n" ++ + msgid "passwd: password updated successfully\n" + msgstr "passwd: heslo bylo úspěšně změněno\n" + +@@ -158,10 +161,12 @@ + "Invalid ENCRYPT_METHOD value: '%s'.\n" + "Defaulting to DES.\n" + msgstr "" ++"Neplatná hodnota ENCRYPT_METHOD: „%s“.\n" ++"Používám DES.\n" + + #, c-format + msgid "Unable to cd to '%s'\n" +-msgstr "Nelze přejít do \"%s\"\n" ++msgstr "Nelze přejít do „%s“\n" + + msgid "No directory, logging in with HOME=/" + msgstr "Žádný adresář, nastavuji HOME na /" +@@ -172,14 +177,14 @@ + + #, c-format + msgid "Invalid root directory '%s'\n" +-msgstr "Chybný kořenový adresář \"%s\"\n" ++msgstr "Chybný kořenový adresář „%s“\n" + + #, c-format + msgid "Can't change root directory to '%s'\n" +-msgstr "Nelze změnit kořenový adresář na \"%s\"\n" ++msgstr "Nelze změnit kořenový adresář na „%s“\n" + + msgid "No utmp entry. You must exec \"login\" from the lowest level \"sh\"" +-msgstr "utmp záznam neexistuje. Musíte spustit \"login\" z nejnižšího \"sh\"" ++msgstr "utmp záznam neexistuje. Musíte spustit „login“ z nejnižšího „sh“" + + msgid "Unable to determine your tty name." + msgstr "Nelze zjistit vaše uživatelské jméno." +@@ -283,7 +288,7 @@ + + #, c-format + msgid "%s: do not include \"l\" with other flags\n" +-msgstr "%s: nepoužívejte \"l\" s ostatními příznaky\n" ++msgstr "%s: nepoužívejte „l“ s ostatními příznaky\n" + + #, c-format + msgid "%s: Permission denied.\n" +@@ -413,24 +418,36 @@ + msgstr "Soubor s hesly nelze odemknout.\n" + + #, c-format ++msgid "%s: name with non-ASCII characters: '%s'\n" ++msgstr "%s: jméno obsahuje jiné znaky než ASCII: „%s“\n" ++ ++#, c-format + msgid "%s: invalid name: '%s'\n" +-msgstr "%s: chybné jméno: \"%s\"\n" ++msgstr "%s: chybné jméno: „%s“\n" ++ ++#, c-format ++msgid "%s: room number with non-ASCII characters: '%s'\n" ++msgstr "%s: číslo místnosti obsahuje jiné znaky než ASCII: „%s“\n" + + #, c-format + msgid "%s: invalid room number: '%s'\n" +-msgstr "%s: chybné číslo místnosti: \"%s\"\n" ++msgstr "%s: chybné číslo místnosti: „%s“\n" + + #, c-format + msgid "%s: invalid work phone: '%s'\n" +-msgstr "%s: chybné telefonní číslo do zaměstnání: \"%s\"\n" ++msgstr "%s: chybné telefonní číslo do zaměstnání: „%s“\n" + + #, c-format + msgid "%s: invalid home phone: '%s'\n" +-msgstr "%s: chybné telefonní číslo domů: \"%s\"\n" ++msgstr "%s: chybné telefonní číslo domů: „%s“\n" ++ ++#, c-format ++msgid "%s: '%s' contains non-ASCII characters\n" ++msgstr "%s: „%s“ obsahuje jiné znaky než ASCII\n" + + #, c-format + msgid "%s: '%s' contains illegal characters\n" +-msgstr "%s: \"%s\" obsahuje chybné znaky\n" ++msgstr "%s: „%s“ obsahuje chybné znaky\n" + + #, c-format + msgid "%s: Cannot determine your user name.\n" +@@ -438,11 +455,11 @@ + + #, c-format + msgid "%s: cannot change user '%s' on NIS client.\n" +-msgstr "%s: uživatele \"%s\" nelze na NIS klientu změnit.\n" ++msgstr "%s: uživatele „%s“ nelze na NIS klientu změnit.\n" + + #, c-format + msgid "%s: '%s' is the NIS master for this client.\n" +-msgstr "%s: \"%s\" je hlavním NIS serverem pro tohoto klienta.\n" ++msgstr "%s: „%s“ je hlavním NIS serverem pro tohoto klienta.\n" + + #, c-format + msgid "Changing the user information for %s\n" +@@ -452,7 +469,7 @@ + msgid "%s: fields too long\n" + msgstr "%s: položka je příliš dlouhá\n" + +-#, fuzzy, c-format ++#, c-format + msgid "" + "Usage: %s [options]\n" + "\n" +@@ -464,35 +481,36 @@ + " the MD5 algorithm\n" + "%s\n" + msgstr "" +-"Použití: chpasswd [volby]\n" ++"Použití: %s [volby]\n" + "\n" + "Volby:\n" ++" -c, --crypt-method typ šifry (jeden z %s)\n" + " -e, --encrypted zadaná hesla jsou zašifrovaná\n" + " -h, --help zobrazí tuto nápovědu a skončí\n" +-" -m, --md5 pokud zadaná hesla nejsou zašifrovaná,\n" +-" použije místo DES algoritmus MD5\n" +-"\n" ++" -m, --md5 zašifruje nešifrované heslo\n" ++" algoritmem MD5\n" ++"%s\n" + + msgid "" + " -s, --sha-rounds number of SHA rounds for the SHA*\n" + " crypt algorithms\n" +-msgstr "" ++msgstr " -s, --sha-rounds počet SHA iterací algoritmu SHA*\n" + + #, c-format + msgid "%s: invalid numeric argument '%s'\n" +-msgstr "%s: chybný numerický argument \"%s\"\n" ++msgstr "%s: chybný numerický argument „%s“\n" + +-#, fuzzy, c-format ++#, c-format + msgid "%s: %s flag is ONLY allowed with the %s flag\n" +-msgstr "%s: přepínač -a je povolen POUZE s přepínačem -G\n" ++msgstr "%s: přepínač %s je povolen POUZE s přepínačem %s\n" + + #, c-format + msgid "%s: the -c, -e, and -m flags are exclusive\n" +-msgstr "" ++msgstr "%s: přepínače -c, -e a -m se navzájem vylučují\n" + + #, c-format + msgid "%s: unsupported crypt method: %s\n" +-msgstr "" ++msgstr "%s: nepodporovaný typ šifry: %s\n" + + #, c-format + msgid "%s: can't lock group file\n" +@@ -510,13 +528,13 @@ + msgid "%s: can't open shadow file\n" + msgstr "%s: soubor se stínovými hesly nelze otevřít\n" + +-#, fuzzy, c-format ++#, c-format + msgid "%s: error updating gshadow file\n" +-msgstr "%s: chyba při aktualizaci souboru se stínovými hesly\n" ++msgstr "%s: chyba při aktualizaci souboru se stínovými skupinami\n" + +-#, fuzzy, c-format ++#, c-format + msgid "%s: error updating group file\n" +-msgstr "%s: položku souboru se skupinami nelze aktualizovat\n" ++msgstr "%s: chyba při aktualizaci souboru se skupinami\n" + + #, c-format + msgid "%s: line %d: line too long\n" +@@ -530,9 +548,9 @@ + msgid "%s: line %d: unknown group %s\n" + msgstr "%s: řádek %d: neznámá skupina %s\n" + +-#, fuzzy, c-format ++#, c-format + msgid "%s: line %d: cannot update group entry\n" +-msgstr "%s: řádek %d: položku nelze aktualizovat\n" ++msgstr "%s: řádek %d: položku nelze aktualizovat skupinu\n" + + #, c-format + msgid "%s: error detected, changes ignored\n" +@@ -640,7 +658,7 @@ + + #, c-format + msgid " [%lds left]" +-msgstr " [%lds zbylo]" ++msgstr " [%lds zbývá]" + + #, c-format + msgid " [%lds lock]" +@@ -710,13 +728,13 @@ + msgid "unknown group: %s\n" + msgstr "neznámá skupina %s\n" + +-#, fuzzy, c-format ++#, c-format + msgid "%s: can't close file\n" +-msgstr "%s: nelze otevřít soubor\n" ++msgstr "%s: nelze zavřít soubor\n" + +-#, fuzzy, c-format ++#, c-format + msgid "%s: can't close shadow file\n" +-msgstr "%s: soubor se stínovými hesly nelze otevřít\n" ++msgstr "%s: soubor se stínovými hesly nelze zavřít\n" + + #, c-format + msgid "Changing the password for group %s\n" +@@ -754,7 +772,6 @@ + msgid "%s: Not a tty\n" + msgstr "%s: Nejedná se o tty\n" + +-#, fuzzy + msgid "" + "Usage: groupadd [options] GROUP\n" + "\n" +@@ -780,11 +797,13 @@ + " -K, --key KLÍČ=HODNOTA přebije výchozí nastavení /etc/login.defs\n" + " -o, --non-unique povolí vytvoření skupiny s duplicitním\n" + " (nejedinečným) GID\n" ++" -p, --password HESLO pro novou skupinu použije šifrované heslo\n" ++" -r, --system vytvoří systémový účet\n" + "\n" + + #, c-format + msgid "%s: error adding new group entry\n" +-msgstr "%s: chyba při přidávání položky souboru se skupinami\n" ++msgstr "%s: chyba při přidávání nové skupiny\n" + + #, c-format + msgid "%s: %s is not a valid group name\n" +@@ -826,9 +845,9 @@ + msgid "%s: GID %u is not unique\n" + msgstr "%s: GID %u není jedinečné\n" + +-#, fuzzy, c-format ++#, c-format + msgid "%s: can't create group\n" +-msgstr "%s: %s nelze vytvořit\n" ++msgstr "%s: nelze vytvořit skupinu\n" + + msgid "Usage: groupdel group\n" + msgstr "Použití: groupdel skupina\n" +@@ -887,7 +906,6 @@ + msgid "Cannot close group file\n" + msgstr "Soubor se skupinami nelze zavřít\n" + +-#, fuzzy + msgid "" + "Usage: groupmod [options] GROUP\n" + "\n" +@@ -908,6 +926,7 @@ + " -n, --new-name NOVÁ_SKUPINA vnutí SKUPINĚ jméno NOVÁ_SKUPINA\n" + " -o, --non-unique povolí skupině použít duplicitní\n" + " (nejedinečné) GID\n" ++" -p, --password HESLO pro SKUPINU použije šifrované heslo\n" + "\n" + + #, c-format +@@ -922,7 +941,7 @@ + msgid "%s: %s is not a unique name\n" + msgstr "%s: jméno %s není jedinečné\n" + +-#, fuzzy, c-format ++#, c-format + msgid "%s: cannot rewrite passwd file\n" + msgstr "%s: soubor s hesly nelze přepsat\n" + +@@ -939,10 +958,12 @@ + "%s: cannot change the primary group of user '%s' from %u to %u, since it is " + "not in the passwd file.\n" + msgstr "" ++"%s: nelze změnit primární skupinu uživatele „%s“ z %u na %u, protože se " ++"nenachází v souboru passwd.\n" + +-#, fuzzy, c-format ++#, c-format + msgid "%s: cannot change the primary group of user '%s' from %u to %u.\n" +-msgstr "%s: uživatele \"%s\" nelze na NIS klientu změnit.\n" ++msgstr "%s: nelze změnit primární skupinu uživatele „%s“ z %u na %u.\n" + + #, c-format + msgid "Usage: %s [-r] [-s] [group [gshadow]]\n" +@@ -974,14 +995,14 @@ + + #, c-format + msgid "delete line '%s'? " +-msgstr "smazat řádek \"%s\"?" ++msgstr "smazat řádek „%s“?" + + msgid "duplicate group entry" + msgstr "tato položka se v souboru se skupinami vyskytuje vícekrát" + + #, c-format + msgid "invalid group name '%s'\n" +-msgstr "jméno skupiny \"%s\" je chybné\n" ++msgstr "jméno skupiny „%s“ je chybné\n" + + #, c-format + msgid "group %s: no user %s\n" +@@ -989,7 +1010,7 @@ + + #, c-format + msgid "delete member '%s'? " +-msgstr "smazat člena \"%s\"? " ++msgstr "smazat člena „%s“? " + + #, c-format + msgid "no matching group file entry in %s\n" +@@ -997,7 +1018,7 @@ + + #, c-format + msgid "add group '%s' in %s ?" +-msgstr "přidat skupinu \"%s\" do %s ?" ++msgstr "přidat skupinu „%s“ do %s ?" + + #, c-format + msgid "%s: can't update shadow entry for %s\n" +@@ -1019,7 +1040,7 @@ + + #, c-format + msgid "delete administrative member '%s'? " +-msgstr "smazat administrátora \"%s\"? " ++msgstr "smazat administrátora „%s“? " + + #, c-format + msgid "shadow group %s: no user %s\n" +@@ -1095,9 +1116,9 @@ + msgid "**Never logged in**" + msgstr "**Nikdy nebyl přihlášen**" + +-#, fuzzy, c-format ++#, c-format + msgid "Unknown user or range: %s\n" +-msgstr "Neznámý uživatel: %s\n" ++msgstr "Neznámý uživatel nebo rozsah: %s\n" + + #, c-format + msgid "lastlog: unexpected argument: %s\n" +@@ -1176,7 +1197,7 @@ + + #, c-format + msgid "TIOCSCTTY failed on %s" +-msgstr "" ++msgstr "TIOCSCTTY selhalo na %s" + + msgid "Warning: login re-enabled after temporary lockout." + msgstr "Varování: po dočasném zákazu je přihlašování opět povoleno." +@@ -1206,13 +1227,12 @@ + msgid "Usage: sg group [[-c] command]\n" + msgstr "Použití: sg skupina [[-c] příkaz]\n" + +-#, fuzzy + msgid "Invalid password.\n" +-msgstr "Staré heslo: " ++msgstr "Neplatné heslo.\n" + +-#, fuzzy, c-format ++#, c-format + msgid "%s: failure forking: %s\n" +-msgstr "%s: chyba rozdvojení: %s" ++msgstr "%s: chyba rozdvojení: %s\n" + + #, c-format + msgid "unknown UID: %u\n" +@@ -1233,52 +1253,59 @@ + " -r, --system create system accounts\n" + "%s\n" + msgstr "" ++"Použití: %s [volby] [vstup]\n" ++"\n" ++" -c, --crypt-method typ šifry (jeden z %s)\n" ++" -r, --system vytvoří systémové účty\n" ++"%s\n" + +-#, fuzzy, c-format ++#, c-format + msgid "%s: group ID `%s' is not valid\n" +-msgstr "%s: skupina %s neexistuje\n" ++msgstr "%s: skupinové ID „%s“ není platné\n" + +-#, fuzzy, c-format ++#, c-format + msgid "%s: invalid group name `%s'\n" +-msgstr "jméno skupiny \"%s\" je chybné\n" ++msgstr "%s: neplatné jméno skupiny „%s“\n" + +-#, fuzzy, c-format ++#, c-format + msgid "%s: group %s is a shadow group, but does not exist in /etc/group\n" +-msgstr "%s: skupina %s neexistuje\n" ++msgstr "%s: skupina %s je stínovou skupinou, ale neexistuje v /etc/group\n" + + #, c-format + msgid "" + "%s: group %s created, failure during the creation of the corresponding " + "gshadow group\n" + msgstr "" ++"%s: skupina %s byla vytvořena, ale nastala chyba při vytváření odpovídající " ++"stínové skupiny\n" + +-#, fuzzy, c-format ++#, c-format + msgid "%s: user ID `%s' is not valid\n" +-msgstr "%s: uživatel %s neexistuje\n" ++msgstr "%s: uživatelské ID „%s“ není platné\n" + +-#, fuzzy, c-format ++#, c-format + msgid "%s: user `%s' does not exist\n" +-msgstr "%s: uživatel %s neexistuje\n" ++msgstr "%s: uživatel „%s“ neexistuje\n" + +-#, fuzzy, c-format ++#, c-format + msgid "%s: invalid user name `%s'\n" +-msgstr "%s: chybné uživatelské jméno \"%s\"\n" ++msgstr "%s: neplatné uživatelské jméno „%s“\n" + + #, c-format + msgid "%s: can't lock /etc/passwd.\n" + msgstr "%s: soubor /etc/passwd nelze zamknout.\n" + +-#, fuzzy, c-format ++#, c-format + msgid "%s: can't lock /etc/shadow.\n" +-msgstr "%s: soubor /etc/passwd nelze zamknout.\n" ++msgstr "%s: soubor /etc/shadow nelze zamknout.\n" + +-#, fuzzy, c-format ++#, c-format + msgid "%s: can't lock /etc/group.\n" +-msgstr "%s: soubor /etc/passwd nelze zamknout.\n" ++msgstr "%s: soubor /etc/group nelze zamknout.\n" + +-#, fuzzy, c-format ++#, c-format + msgid "%s: can't lock /etc/gshadow.\n" +-msgstr "%s: soubor /etc/passwd nelze zamknout.\n" ++msgstr "%s: soubor /etc/gshadow nelze zamknout.\n" + + #, c-format + msgid "%s: can't open files\n" +@@ -1292,17 +1319,18 @@ + msgid "%s: line %d: invalid line\n" + msgstr "%s: řádek %d: chybný řádek\n" + +-#, fuzzy, c-format ++#, c-format + msgid "%s: cannot update the entry of user %s (not in the passwd database)\n" +-msgstr "%s: položku pro uživatele %s nelze aktualizovat\n" ++msgstr "" ++"%s: položku pro uživatele %s nelze aktualizovat (není v passwd databázi)\n" + +-#, fuzzy, c-format ++#, c-format + msgid "%s: line %d: can't create user\n" +-msgstr "%s: řádek %d: nelze vytvořit GID\n" ++msgstr "%s: řádek %d: nelze vytvořit uživatele\n" + +-#, fuzzy, c-format ++#, c-format + msgid "%s: line %d: can't create group\n" +-msgstr "%s: řádek %d: nelze vytvořit GID\n" ++msgstr "%s: řádek %d: nelze vytvořit skupinu\n" + + #, c-format + msgid "%s: line %d: cannot find user %s\n" +@@ -1374,12 +1402,12 @@ + msgid "Old password: " + msgstr "Staré heslo: " + +-#, fuzzy, c-format ++#, c-format + msgid "" + "Enter the new password (minimum of %d characters)\n" + "Please use a combination of upper and lower case letters and numbers.\n" + msgstr "" +-"Zadejte nové heslo (počet znaků v intervalu %d až %d).\n" ++"Zadejte nové heslo (minimální délka %d znaků).\n" + "Použijte kombinaci velkých a malých písmen s číslicemi.\n" + + #, c-format +@@ -1410,9 +1438,9 @@ + msgid "The password for %s cannot be changed.\n" + msgstr "Heslo uživatele %s nelze změnit.\n" + +-#, fuzzy, c-format ++#, c-format + msgid "The password for %s cannot be changed yet.\n" +-msgstr "Heslo uživatele %s nelze změnit.\n" ++msgstr "Heslo uživatele %s nelze zatím změnit.\n" + + #, c-format + msgid "%s: out of memory\n" +@@ -1423,6 +1451,9 @@ + "%s: unlocking the user would result in a passwordless account.\n" + "You should set a password with usermod -p to unlock this user account.\n" + msgstr "" ++"%s odemknutí uživatele by znamenalo mít účet bez hesla.\n" ++"Pro odemknutí tohoto uživatelského účtu byste měli nastavit heslo pomocí " ++"usermod -p.\n" + + #, c-format + msgid "%s: repository %s not supported\n" +@@ -1430,7 +1461,7 @@ + + #, c-format + msgid "%s: %s is not authorized to change the password of %s\n" +-msgstr "" ++msgstr "%s: %s není oprávněn změnit heslo %s\n" + + #, c-format + msgid "%s: You may not view or modify password information for %s.\n" +@@ -1483,7 +1514,7 @@ + + #, c-format + msgid "add user '%s' in %s? " +-msgstr "přidat uživatele \"%s\" do %s? " ++msgstr "přidat uživatele „%s“ do %s? " + + #, c-format + msgid "%s: can't update passwd entry for %s\n" +@@ -1600,7 +1631,7 @@ + msgstr "Soubor s hesly neexistuje" + + msgid "TIOCSCTTY failed" +-msgstr "" ++msgstr "TIOCSCTTY selhalo" + + msgid "No password entry for 'root'" + msgstr "V databázi není položka pro uživatele 'root'" +@@ -1639,13 +1670,12 @@ + + #, c-format + msgid "%s: group '%s' is a NIS group.\n" +-msgstr "%s: skupina \"%s\" je NIS skupinou.\n" ++msgstr "%s: skupina „%s“ je NIS skupinou.\n" + + #, c-format + msgid "%s: too many groups specified (max %d).\n" + msgstr "%s: zadáno příliš mnoho skupin (max %d).\n" + +-#, fuzzy + msgid "" + "Usage: useradd [options] LOGIN\n" + "\n" +@@ -1701,39 +1731,46 @@ + " -h, --help zobrazí tuto nápovědu a skončí\n" + " -k, --skel VZOR_ADR zadá alternativní vzorový adresář\n" + " -K, --key KLÍČ=HODNOTA přebije výchozí nastavení /etc/login.defs\n" ++" -l, nepřidá uživatele do databází lastlog\n" ++" a faillog\n" + " -m, --create-home vytvoří domovský adresář pro nový\n" + " uživatelský účet\n" ++" -N, --no-user-group nevytvoří skupinu se stejným jménem jako\n" ++" uživatel\n" + " -o, --non-unique povolí vytvoření uživatele s duplicitním\n" + " (nejedinečným) UID\n" + " -p, --password HESLO použije pro nový účet zadané zašifrované\n" + " heslo\n" ++" -r, --system vytvoří systémový účet\n" + " -s, --shell SHELL přihlašovací shell nového účtu\n" + " -u, --uid UID vynutí použití tohoto UID pro nový účet\n" ++" -U, --user-group vytvoří skupinu se stejným jménem jako\n" ++" uživatel\n" + "\n" + +-#, fuzzy, c-format ++#, c-format + msgid "%s: Out of memory. Cannot update the group database.\n" +-msgstr "%s nedostatek paměti v update_group\n" ++msgstr "%s: Nedostatek paměti. Nelze aktualizovat databázi skupin.\n" + +-#, fuzzy, c-format ++#, c-format + msgid "%s: Out of memory. Cannot update the shadow group database.\n" +-msgstr "%s: nedostatek paměti v update_gshadow\n" ++msgstr "%s: Nedostatek paměti. Nelze aktualizovat databázi stínových skupin.\n" + + #, c-format + msgid "%s: invalid base directory '%s'\n" +-msgstr "%s: chybný základní adresář \"%s\"\n" ++msgstr "%s: chybný základní adresář „%s“\n" + + #, c-format + msgid "%s: invalid comment '%s'\n" +-msgstr "%s: chybný komentář \"%s\"\n" ++msgstr "%s: chybný komentář „%s“\n" + + #, c-format + msgid "%s: invalid home directory '%s'\n" +-msgstr "%s: chybný domácí adresář \"%s\"\n" ++msgstr "%s: chybný domácí adresář „%s“\n" + + #, c-format + msgid "%s: invalid date '%s'\n" +-msgstr "%s: chybné datum \"%s\"\n" ++msgstr "%s: chybné datum „%s“\n" + + #, c-format + msgid "%s: shadow passwords required for -e\n" +@@ -1745,19 +1782,19 @@ + + #, c-format + msgid "%s: invalid field '%s'\n" +-msgstr "%s: chybná položka \"%s\"\n" ++msgstr "%s: chybná položka „%s“\n" + + #, c-format + msgid "%s: invalid shell '%s'\n" +-msgstr "%s: chybný shell \"%s\"\n" ++msgstr "%s: chybný shell „%s“\n" + + #, c-format + msgid "%s: options %s and %s conflict\n" +-msgstr "" ++msgstr "%s: volby %s a %s kolidují\n" + + #, c-format + msgid "%s: invalid user name '%s'\n" +-msgstr "%s: chybné uživatelské jméno \"%s\"\n" ++msgstr "%s: chybné uživatelské jméno „%s“\n" + + #, c-format + msgid "%s: cannot rewrite password file\n" +@@ -1809,7 +1846,7 @@ + msgid "" + "Group 'mail' not found. Creating the user mailbox file with 0600 mode.\n" + msgstr "" +-"Skupina \"mail\" nebyla nalezena. Vytvářím uživatelovu poštovní schránku s " ++"Skupina „mail“ nebyla nalezena. Vytvářím uživatelovu poštovní schránku s " + "právy 0600.\n" + + msgid "Setting mailbox file permissions" +@@ -1826,9 +1863,9 @@ + "%s: skupina %s existuje - chcete-li přidat uživatele do této skupiny, " + "použijte -g.\n" + +-#, fuzzy, c-format ++#, c-format + msgid "%s: can't create user\n" +-msgstr "%s: %s nelze vytvořit\n" ++msgstr "%s: nelze vytvořit uživatele\n" + + #, c-format + msgid "%s: UID %u is not unique\n" +@@ -1876,9 +1913,9 @@ + "%s: Nemohu odstranit skupinu %s, která je primární skupinou jiného " + "uživatele.\n" + +-#, fuzzy, c-format ++#, c-format + msgid "%s: error updating shadow group entry\n" +-msgstr "%s: položku souboru se skupinami nelze aktualizovat\n" ++msgstr "%s: chyba při aktualizaci stínové skupiny\n" + + #, c-format + msgid "%s: cannot open group file\n" +@@ -1924,7 +1961,6 @@ + msgid "%s: error removing directory %s\n" + msgstr "%s: chyba při mazání adresáře %s\n" + +-#, fuzzy + msgid "" + "Usage: usermod [options] LOGIN\n" + "\n" +@@ -1954,8 +1990,6 @@ + "Použití: usermod [volby] ÚČET\n" + "\n" + "Volby:\n" +-" -a, --append přidá uživatele do dalších SKUPIN\n" +-" (používejte jen s volbou -G)\n" + " -c, --comment KOMENTÁŘ nová hodnota pole GECOS\n" + " -d, --home-dir DOMOV_ADR nový domovský adresář uživatele\n" + " -e, --expiredate EXP_DATUM nastaví vypršení platnosti účtu na " +@@ -1964,6 +1998,8 @@ + " -g, --gid SKUPINA nastaví novou primární SKUPINU\n" + " -G, --groups SKUPINY nový seznam dodatečných skupin, do kterých\n" + " má účet patřit\n" ++" -a, --append přidá uživatele do dalších SKUPIN zadaných\n" ++" volbou -G; neruší členství v ostatních sk.\n" + " -h, --help zobrazí tuto nápovědu a skončí\n" + " -l, --login NOVÝ_ÚČET nová hodnota přihlašovacího jména\n" + " -L, --lock zamkne uživatelský účet\n" +@@ -1977,9 +2013,9 @@ + " -U, --unlock odemkne uživatelský účet\n" + "\n" + +-#, fuzzy, c-format ++#, c-format + msgid "%s: error adding new shadow group entry\n" +-msgstr "%s: chyba při přidávání položky souboru se skupinami\n" ++msgstr "%s: chyba při přidávání nové stínové skupiny\n" + + #, c-format + msgid "%s: no flags given\n" +@@ -1991,7 +2027,7 @@ + + #, c-format + msgid "%s: the -L, -p, and -U flags are exclusive\n" +-msgstr "" ++msgstr "%s: přepínače -L, -p a -U se navzájem vylučují\n" + + #, c-format + msgid "%s: uid %lu is not unique\n" +@@ -2045,6 +2081,9 @@ + "You may need to modify %s for consistency.\n" + "Please use the command `%s' to do so.\n" + msgstr "" ++"Změnili jste %s.\n" ++"Z důvodu konzistence byste měli změnit i %s.\n" ++"Můžete to provést příkazem „%s“.\n" + + msgid "" + "Usage: vipw [options]\n" +@@ -2089,10 +2128,10 @@ + #~ msgstr "%s: nelze získat jedinečné GID\n" + + #~ msgid " on '%.100s' from '%.200s'" +-#~ msgstr " na \"%.100s\" z \"%.200s\"" ++#~ msgstr " na „%.100s“ z „%.200s“" + + #~ msgid " on '%.100s'" +-#~ msgstr " na \"%.100s\"" ++#~ msgstr " na „%.100s“" + + #~ msgid "%s: can't lock files, try again later\n" + #~ msgstr "%s: soubory nelze zamknout. Zkuste to opět později.\n" +@@ -2125,9 +2164,8 @@ + #~ "\t\t\tpoužije místo DES algoritmus MD5\n" + #~ "\n" + +-#, fuzzy + #~ msgid "No password.\n" +-#~ msgstr "Soubor s hesly neexistuje\n" ++#~ msgstr "Žádné heslo.\n" + + #~ msgid "Usage: %s [input]\n" + #~ msgstr "Použití: %s [vstup]\n" diff --git a/debian/patches/300_SHA_crypt_method b/debian/patches/300_SHA_crypt_method new file mode 100644 index 00000000..f2fa93b0 --- /dev/null +++ b/debian/patches/300_SHA_crypt_method @@ -0,0 +1,36 @@ +Goal: Fix bugs in the SHA encryption method that force the salt to have 8 + bytes (instead of a random length between 8 and 16 bytes), and force + the number of SHA rounds to be equal to the lowest limit (at least + 1000 SHA rounds). + +Status wrt upstream: Already applied upstream. + +Index: shadow-4.1.1/libmisc/salt.c +=================================================================== +--- shadow-4.1.1.orig/libmisc/salt.c 2008-02-03 18:23:31.000000000 +0100 ++++ shadow-4.1.1/libmisc/salt.c 2008-05-21 22:24:32.734281067 +0200 +@@ -90,9 +90,10 @@ + */ + static unsigned int SHA_salt_size (void) + { +- double rand_rounds = 9 * random (); +- rand_rounds /= RAND_MAX; +- return 8 + rand_rounds; ++ double rand_size; ++ seedRNG (); ++ rand_size = (double) 9.0 * random () / RAND_MAX; ++ return 8 + rand_size; + } + + /* ! Arguments evaluated twice ! */ +@@ -131,8 +132,8 @@ + if (min_rounds > max_rounds) + max_rounds = min_rounds; + +- srand (time (NULL)); +- rand_rounds = (max_rounds-min_rounds+1) * random (); ++ seedRNG (); ++ rand_rounds = (double) (max_rounds-min_rounds+1.0) * random (); + rand_rounds /= RAND_MAX; + rounds = min_rounds + rand_rounds; + } else if (0 == *prefered_rounds) diff --git a/debian/patches/301_manpages_missing_options b/debian/patches/301_manpages_missing_options new file mode 100644 index 00000000..78cc56ca --- /dev/null +++ b/debian/patches/301_manpages_missing_options @@ -0,0 +1,233 @@ +Goal: Add missing documentation of options in useradd, groupadd and + newusers + Implement the -r, --system option of newusers (already documented in + --help, implemented in code, but missing getopt handling) + +Status wrt upstream: Already applied. + +Index: shadow-4.1.1/man/useradd.8.xml +=================================================================== +--- shadow-4.1.1.orig/man/useradd.8.xml 2008-06-12 23:29:12.210795802 +0200 ++++ shadow-4.1.1/man/useradd.8.xml 2008-06-12 23:29:12.258795502 +0200 +@@ -189,23 +189,25 @@ + + + +- , ++ , ++ SKEL_DIR + + + +- The user's home directory will be created if it does not exist. +- The files contained in SKEL_DIR will +- be copied to the home directory if the +- option is used, otherwise the files contained in +- /etc/skel will be used instead. Any +- directories contained in SKEL_DIR or +- /etc/skel will be created in the user's +- home directory as well. The option is only +- valid in conjunction with the option. The +- default is to not create the directory and to not copy any +- files. +- This option may not function correctly if the username has a / in it. ++ The skeleton directory, which contains files and directories ++ to be copied in the user's home directory, when the home ++ directory is created by useradd. ++ ++ ++ This option is only valid if the (or ++ ) option is specified. + ++ ++ If this option is not set, the skeleton directory is defined ++ in /etc/default/useradd or, by default, ++ /etc/skel. ++ ++ This option may not function correctly if the username has a / in it. + + + +@@ -255,6 +257,22 @@ + + + ++ , ++ ++ ++ ++ Create the user's home directory if it does not exist. ++ The files and directories contained in the skeleton directory ++ (which can be defined with the option) ++ will be copied to the home directory. ++ ++ ++ By default, no home directories are created. ++ ++ ++ ++ ++ + , + + +@@ -295,6 +313,25 @@ + + + ++ , ++ ++ ++ ++ Create a system account. ++ ++ ++ System users will be created with no aging information in ++ /etc/shadow, and their numeric ++ identifiers are choosen in the ++ - ++ range, defined in login.defs, instead of ++ - (and their ++ counterparts for the creation of groups). ++ ++ ++ ++ ++ + , + SHELL + +Index: shadow-4.1.1/man/groupadd.8.xml +=================================================================== +--- shadow-4.1.1.orig/man/groupadd.8.xml 2008-02-25 22:14:56.000000000 +0100 ++++ shadow-4.1.1/man/groupadd.8.xml 2008-06-12 23:29:12.258795502 +0200 +@@ -126,6 +126,22 @@ + + + ++ ++ ++ , ++ ++ ++ ++ Create a system group. ++ ++ ++ The numeric identifiers of new system groups are choosen in ++ the - ++ range, defined in login.defs, instead of ++ -. ++ ++ ++ + + + +Index: shadow-4.1.1/man/newusers.8.xml +=================================================================== +--- shadow-4.1.1.orig/man/newusers.8.xml 2008-02-25 22:14:56.000000000 +0100 ++++ shadow-4.1.1/man/newusers.8.xml 2008-06-12 23:29:12.258795502 +0200 +@@ -94,6 +94,68 @@ + + + ++ ++ OPTIONS ++ The options which apply to the newusers command are: ++ ++ ++ ++ , ++ ++ Use the specified method to encrypt the passwords. ++ ++ The available methods are DES, MD5, NONE, and SHA256 or SHA512 ++ if your libc support these methods. ++ ++ ++ ++ ++ ++ , ++ ++ ++ ++ Create a system account. ++ ++ ++ System users will be created with no aging information in ++ /etc/shadow, and their numeric ++ identifiers are choosen in the ++ - ++ range, defined in login.defs, instead of ++ - (and their ++ counterparts for the creation of groups). ++ ++ ++ ++ ++ , ++ ++ ++ Use the specified number of rounds to encrypt the passwords. ++ ++ ++ The value 0 means that the system will choose the default ++ number of rounds for the crypt method (5000). ++ ++ ++ A minimal value of 1000 and a maximal value of 999,999,999 ++ will be enforced. ++ ++ ++ You can only use this option with the SHA256 or SHA512 ++ crypt method. ++ ++ ++ By default, the number of rounds is defined by the ++ SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in ++ /etc/login.defs. ++ ++ ++ ++ ++ ++ + + CAVEATS + +Index: shadow-4.1.1/src/newusers.c +=================================================================== +--- shadow-4.1.1.orig/src/newusers.c 2008-06-12 23:34:34.859795564 +0200 ++++ shadow-4.1.1/src/newusers.c 2008-06-12 23:38:33.290795654 +0200 +@@ -443,6 +443,7 @@ + static struct option long_options[] = { + {"crypt-method", required_argument, NULL, 'c'}, + {"help", no_argument, NULL, 'h'}, ++ {"system", no_argument, NULL, 'r'}, + #ifdef USE_SHA_CRYPT + {"sha-rounds", required_argument, NULL, 's'}, + #endif +@@ -451,9 +452,9 @@ + + while ((c = getopt_long (argc, argv, + #ifdef USE_SHA_CRYPT +- "c:hs:", ++ "c:hrs:", + #else +- "c:h", ++ "c:hr", + #endif + long_options, &option_index)) != -1) { + switch (c) { +@@ -464,6 +465,9 @@ + case 'h': + usage (); + break; ++ case 'r': ++ rflg = 1; ++ break; + #ifdef USE_SHA_CRYPT + case 's': + sflg = 1; diff --git a/debian/patches/302_remove_non_translated_polish_manpages b/debian/patches/302_remove_non_translated_polish_manpages new file mode 100644 index 00000000..08881fdb --- /dev/null +++ b/debian/patches/302_remove_non_translated_polish_manpages @@ -0,0 +1,26 @@ +Goal: Do not distribute the login.1 and su.1 Polish translations + +Fixes: #491460 + +Status wrt upstream: Already applied + +Index: shadow-4.1.1/man/pl/Makefile.am +=================================================================== +--- shadow-4.1.1.orig/man/pl/Makefile.am ++++ shadow-4.1.1/man/pl/Makefile.am +@@ -20,7 +20,6 @@ + grpconv.8 \ + grpunconv.8 \ + lastlog.8 \ +- login.1 \ + login.defs.5 \ + logoutd.8 \ + newgrp.1 \ +@@ -32,7 +31,6 @@ + pwunconv.8 \ + sg.1 \ + shadow.5 \ +- su.1 \ + suauth.5 \ + useradd.8 \ + userdel.8 \ diff --git a/debian/patches/302_vim_selinux_support b/debian/patches/302_vim_selinux_support new file mode 100644 index 00000000..84a7f60d --- /dev/null +++ b/debian/patches/302_vim_selinux_support @@ -0,0 +1,59 @@ +Add SE Linux support to vipw/vigr + +Fixes: #491907 + +Status wrt upsream: Still not applied. + +Index: shadow-4.1.1/src/vipw.c +=================================================================== +--- shadow-4.1.1.orig/src/vipw.c 2008-07-26 01:00:51.095214653 +0200 ++++ shadow-4.1.1/src/vipw.c 2008-07-26 01:12:49.295214798 +0200 +@@ -42,6 +42,10 @@ + #include "sgroupio.h" + #include "shadowio.h" + ++#ifdef WITH_SELINUX ++#include ++#endif ++ + #define MSG_WARN_EDIT_OTHER_FILE _( \ + "You have modified %s.\n"\ + "You may need to modify %s for consistency.\n"\ +@@ -167,6 +171,22 @@ + + if (access (file, F_OK)) + vipwexit (file, 1, 1); ++#ifdef WITH_SELINUX ++ /* if SE Linux is enabled then set the context of all new files ++ to be the context of the file we are editing */ ++ if (is_selinux_enabled ()) { ++ security_context_t passwd_context=NULL; ++ int ret = 0; ++ if (getfilecon (file, &passwd_context) < 0) { ++ vipwexit (_("Couldn't get file context"), errno, 1); ++ } ++ ret = setfscreatecon (passwd_context); ++ freecon (passwd_context); ++ if (0 != ret) { ++ vipwexit (_("setfscreatecon () failed"), errno, 1); ++ } ++ } ++#endif + if (!file_lock ()) + vipwexit (_("Couldn't lock file"), errno, 5); + filelocked = 1; +@@ -236,6 +256,14 @@ + progname, file, strerror (errno), fileedit); + vipwexit (0, 0, 1); + } ++#ifdef WITH_SELINUX ++ /* unset the fscreatecon */ ++ if (is_selinux_enabled ()) { ++ if (setfscreatecon (NULL)) { ++ vipwexit (_("setfscreatecon() failed"), errno, 1); ++ } ++ } ++#endif + + (*file_unlock) (); + } diff --git a/debian/patches/406_vipw_resume_properly b/debian/patches/406_vipw_resume_properly index aed7a389..274d67c0 100644 --- a/debian/patches/406_vipw_resume_properly +++ b/debian/patches/406_vipw_resume_properly @@ -4,7 +4,7 @@ Fix: #414542 Author: dean gaudet -Status wrt upstream: should be forwarded +Status wrt upstream: Fixed upstream Index: shadow-4.1.0/src/vipw.c =================================================================== diff --git a/debian/patches/414_remove-unwise-advices b/debian/patches/414_remove-unwise-advices index f1b9e0e0..215bdc6c 100644 --- a/debian/patches/414_remove-unwise-advices +++ b/debian/patches/414_remove-unwise-advices @@ -1,7 +1,7 @@ Goal: Remove quite unwise password choice advices in passwd manpage Fixes: #386818 -Status wrt upstream: Forwarded without patch but ignored up to now +Status wrt upstream: Applied upstream Note: @@ -9,14 +9,16 @@ Index: shadow-4.1.0/man/passwd.1.xml =================================================================== --- shadow-4.1.0.orig/man/passwd.1.xml +++ shadow-4.1.0/man/passwd.1.xml -@@ -114,35 +114,9 @@ +@@ -113,36 +113,10 @@ + - Your password must be easily remembered so that you will not be forced +- Your password must be easily remembered so that you will not be forced - to write it on a piece of paper. This can be accomplished by - appending two small words together and separating each with a - special character or digit. For example, Pass%word. -+ to write it on a piece of paper. ++ You can find advices on how to choose a strong password on ++ http://en.wikipedia.org/wiki/Password_strength - diff --git a/debian/patches/434_login_stop_checking_args_after-- b/debian/patches/434_login_stop_checking_args_after-- index c5a09868..e8c33e2f 100644 --- a/debian/patches/434_login_stop_checking_args_after-- +++ b/debian/patches/434_login_stop_checking_args_after-- @@ -1,9 +1,7 @@ Goal: terminate argument validation in login when it hits a '--'. Fixes: #66368 -Status wrt upstream: It could certainly be submitted to upstream. - Upstream comment: "Better will be rewrite login - for use getopt_long()." +Status wrt upstream: Applied upstream. Index: shadow-4.1.0/src/login.c =================================================================== diff --git a/debian/patches/487_passwd_chauthtok_failed_message b/debian/patches/487_passwd_chauthtok_failed_message index 0184adf4..c164a893 100644 --- a/debian/patches/487_passwd_chauthtok_failed_message +++ b/debian/patches/487_passwd_chauthtok_failed_message @@ -4,7 +4,7 @@ Goal: Be more verbose and indicate that the password was not changed when Fixes: #352137 -Status wrt upstream: not forwarded yet +Status wrt upstream: Applied upstream. Index: shadow-4.1.0/libmisc/pam_pass.c =================================================================== diff --git a/debian/patches/491_configure.in_friendly_selinux_detection b/debian/patches/491_configure.in_friendly_selinux_detection index 6d0be300..a4d6b873 100644 --- a/debian/patches/491_configure.in_friendly_selinux_detection +++ b/debian/patches/491_configure.in_friendly_selinux_detection @@ -5,7 +5,7 @@ Fix: FTBFS on kfreebsd (and probably The Hurd) Author: Mike Frysinger -Status wrt upstream: reported by Mike, not applied yet +Status wrt upstream: Fixed upstream. Index: shadow-4.1.0/configure.in =================================================================== diff --git a/debian/patches/494_passwd_lock-no_account_lock b/debian/patches/494_passwd_lock-no_account_lock new file mode 100644 index 00000000..8596e8f4 --- /dev/null +++ b/debian/patches/494_passwd_lock-no_account_lock @@ -0,0 +1,111 @@ +Goal: Restore the behavior of passwd -l / passwd -u to only touch the + password field, not the account expiry. Better document the + differences between locked password and locked account. + +Fixes: #492307 (and indirectly #412234). + +Status wrt upstream: Still not applied. + +Index: shadow-4.1.1/man/passwd.1.xml +=================================================================== +--- shadow-4.1.1.orig/man/passwd.1.xml 2008-07-26 14:19:16.001439567 +0200 ++++ shadow-4.1.1/man/passwd.1.xml 2008-07-26 16:08:30.562285434 +0200 +@@ -197,9 +197,21 @@ + + + +- Lock the named account. This option disables an account by changing +- the password to a value which matches no possible encrypted value, +- and by setting the account expiry field to 1. ++ Lock the password of the named account. This option disables a password by changing ++ it to a value which matches no possible encrypted value ++ (it adds a '!' at the beginning of the password). ++ ++ ++ Note that this does not disable the account. The user may ++ still be able to login using another authentication token (e.g. ++ an SSH key). ++ To disable the account, administrators should use ++ usermod --expiredate 1 (this set the account's ++ expire date to Jan 2, 1970). ++ ++ ++ Users with a locked password are not allowed to change their ++ password. + + + +@@ -258,10 +270,9 @@ + + + +- Unlock the named account. This option re-enables an account by +- changing the password back to its previous value (to value before +- using option), and by resetting the account +- expiry field. ++ Unlock the password of the named account. This option re-enables a password by ++ changing the password back to its previous value (to the value before ++ using option, by removing the leading '!'). + + + +@@ -402,6 +413,9 @@ + , + + shadow5 ++ , ++ ++ usermod8 + . + + +Index: shadow-4.1.1/src/passwd.c +=================================================================== +--- shadow-4.1.1.orig/src/passwd.c 2008-07-26 14:19:02.809439918 +0200 ++++ shadow-4.1.1/src/passwd.c 2008-07-26 16:17:14.104439588 +0200 +@@ -76,11 +76,11 @@ + eflg = 0, /* -e - force password change */ + iflg = 0, /* -i - set inactive days */ + kflg = 0, /* -k - change only if expired */ +- lflg = 0, /* -l - lock account */ ++ lflg = 0, /* -l - lock the user's password */ + nflg = 0, /* -n - set minimum days */ + qflg = 0, /* -q - quiet mode */ + Sflg = 0, /* -S - show password status */ +- uflg = 0, /* -u - unlock account */ ++ uflg = 0, /* -u - unlock the user's password */ + wflg = 0, /* -w - set warning days */ + xflg = 0; /* -x - set maximum days */ + +@@ -155,13 +155,13 @@ + " -k, --keep-tokens change password only if expired\n" + " -i, --inactive INACTIVE set password inactive after expiration\n" + " to INACTIVE\n" +- " -l, --lock lock the named account\n" ++ " -l, --lock lock the password of the named account\n" + " -n, --mindays MIN_DAYS set minimum number of days before password\n" + " change to MIN_DAYS\n" + " -q, --quiet quiet mode\n" + " -r, --repository REPOSITORY change password in REPOSITORY repository\n" + " -S, --status report password status on the named account\n" +- " -u, --unlock unlock the named account\n" ++ " -u, --unlock unlock the password of the named account\n" + " -w, --warndays WARN_DAYS set expiration warning days to WARN_DAYS\n" + " -x, --maxdays MAX_DAYS set maximim number of days before password\n" + " change to MAX_DAYS\n" +@@ -570,15 +570,6 @@ + nsp->sp_inact = (inact * DAY) / SCALE; + if (do_update_age) + nsp->sp_lstchg = time ((time_t *) 0) / SCALE; +- if (lflg) { +- /* Set the account expiry field to 1. +- * Some PAM implementation consider zero as a non expired +- * account. +- */ +- nsp->sp_expire = 1; +- } +- if (uflg) +- nsp->sp_expire = -1; + + /* + * Force change on next login, like SunOS 4.x passwd -e or Solaris diff --git a/debian/patches/506_relaxed_usernames b/debian/patches/506_relaxed_usernames index 6494fc11..64a862cb 100755 --- a/debian/patches/506_relaxed_usernames +++ b/debian/patches/506_relaxed_usernames @@ -1,6 +1,8 @@ Goal: Relaxed usernames/groupnames checking patch. Status wrt upstream: Debian specific. Not to be used upstream + The documentation of the username length restriction + was added upstream Details: Allows any non-empty user/grounames that don't contain ':' and '\n' @@ -60,7 +62,7 @@ Index: shadow-4.1.0/man/useradd.8.xml -@@ -372,9 +373,13 @@ +@@ -372,9 +373,18 @@ @@ -71,9 +73,37 @@ Index: shadow-4.1.0/man/useradd.8.xml + a lower case letter or an underscore, and are only followed by lower + case letters, digits, underscores, dashes, and optionally terminated by + a dollar sign. In regular expression terms: [a-z_][a-z0-9_-]*[$]? ++ ++ + On Debian, the only constraints are that usernames must neither start + with a dash ('-') nor contain a colon (':') or a whitespace (space:' ', + end of line: '\n', tabulation: '\t', etc.). ++ ++ ++ Usernames may only be up to 32 characters long. +Index: shadow-4.1.1/man/groupadd.8.xml +=================================================================== +--- shadow-4.1.1.orig/man/groupadd.8.xml 2008-08-15 09:07:37.033120372 -0300 ++++ shadow-4.1.1/man/groupadd.8.xml 2008-08-15 09:10:24.961112507 -0300 +@@ -170,9 +170,15 @@ + + CAVEATS + +- Groupnames must begin with a lower case letter or an underscore, +- and only lower case letters, underscores, dashes, and dollar signs +- may follow. In regular expression terms: [a-z_][a-z0-9_-]*[$] ++ It is usually recommended to only use usernames that begin with ++ a lower case letter or an underscore, and are only followed by lower ++ case letters, digits, underscores, dashes, and optionally terminated by ++ a dollar sign. In regular expression terms: [a-z_][a-z0-9_-]*[$]? ++ ++ ++ On Debian, the only constraints are that usernames must neither start ++ with a dash ('-') nor contain a colon (':') or a whitespace (space:' ', ++ end of line: '\n', tabulation: '\t', etc.). + + + Groupnames may only be up to 16 characters long. diff --git a/debian/patches/507_32char_grnames.dpatch b/debian/patches/507_32char_grnames.dpatch index 6148dde5..4d7bb171 100755 --- a/debian/patches/507_32char_grnames.dpatch +++ b/debian/patches/507_32char_grnames.dpatch @@ -49,3 +49,16 @@ Index: shadow-4.1.0/libmisc/chkname.c return 0; return good_name (name); +Index: shadow-4.1.1/man/groupadd.8.xml +=================================================================== +--- shadow-4.1.1.orig/man/groupadd.8.xml ++++ shadow-4.1.1/man/groupadd.8.xml +@@ -175,7 +175,7 @@ + may follow. In regular expression terms: [a-z_][a-z0-9_-]*[$] + + +- Groupnames may only be up to 16 characters long. ++ Groupnames may only be up to 32 characters long. + + + You may not add a NIS or LDAP group. This must be performed on the diff --git a/debian/patches/series b/debian/patches/series index 8e2353a3..ba04ce6e 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -28,3 +28,9 @@ 406_vipw_resume_properly 414_remove-unwise-advices 415_login_put-echoctl-back +300_SHA_crypt_method +301_manpages_missing_options +302_vim_selinux_support +200_Czech_binary_translation +494_passwd_lock-no_account_lock +302_remove_non_translated_polish_manpages diff --git a/debian/securetty.linux b/debian/securetty.linux index 3d2f8cc3..2705baaa 100644 --- a/debian/securetty.linux +++ b/debian/securetty.linux @@ -19,6 +19,10 @@ ttyPSC3 ttyPSC4 ttyPSC5 +# PA-RISC mux ports +ttyB0 +ttyB1 + # Standard hypervisor virtual console hvc0