diff --git a/debian/changelog b/debian/changelog index 97147ed8..8ae37aad 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,7 +1,8 @@ -shadow (1:4.1.3-1) experimental; urgency=low +shadow (1:4.1.3-1) unstable; urgency=low * The "" release. * New upstream release: + - Fix possible login DOS. Closes: #505071 - Remove patches applied upstream (4.1.2): + debian/patches/434_login_stop_checking_args_after-- + debian/patches/491_configure.in_friendly_selinux_detection @@ -14,17 +15,15 @@ shadow (1:4.1.3-1) experimental; urgency=low + debian/patches/200_Czech_binary_translation + debian/patches/302_remove_non_translated_polish_manpages + debian/patches/494_passwd_lock-no_account_lock + + debian/patches/200_Czech_binary_translation + + debian/patches/494_passwd_lock-no_account_lock - Updated patches: + debian/patches/431_su_uid_0_not_root + debian/patches/463_login_delay_obeys_to_PAM - + debian/patches/579_chowntty_debug - + debian/patches/200_Czech_binary_translation - + debian/patches/494_passwd_lock-no_account_lock + debian/patches/008_su_get_PAM_username + debian/patches/302_vim_selinux_support + debian/patches/008_login_log_failure_in_FTMP + debian/patches/429_login_FAILLOG_ENAB - + debian/patches/507_32char_grnames.dpatch + debian/patches/428_grpck_add_prune_option + debian/patches/401_cppw_src.dpatch + debian/patches/506_relaxed_usernames 
@@ -35,9 +34,9 @@ shadow (1:4.1.3-1) experimental; urgency=low defined, the mailbox is not in MAIL_SPOOL_DIR. * debian/patches/506_relaxed_usernames: Use an extra paragraph for the note on username with a '/'. - * debian/patches/504_undef_USE_PAM.dpatch: - - USE_PAM needs to be undef after inclusion of "defines.h". - - Added note about current upstream status + * debian/patches/504_undef_USE_PAM.nolibpam, + debian/patches/504_undef_USE_PAM.dpatch, debian/rules: Patches removed. + Replaced by the --disable-account-tools-setuid configure option. * debian/control: changed the "Replaces" on manpages-zh to a versioned one on 1.5.1-1 * debian/control: drop all Replaces on manpages-* when the version is @@ -49,8 +48,13 @@ shadow (1:4.1.3-1) experimental; urgency=low Added patches, only intended to be used in the testsuite. * debian/securetty.linux: Added ttyPZ0, ttyPZ1, ttyPZ2, ttyPZ3 for PowerMac machines. Closes: #511739 + * debian/patches/579_chowntty_debug: Removed. With the fix for 505071 and + 505271, this additional debug information is no more needed. + * debian/patches/507_32char_grnames.dpatch: Patch removed. Replaced by the + --with-group-name-max-length=32 configure option. + * debian/patches/592_manpages_typos: No more needed. - -- Christian Perrier Mon, 07 Apr 2008 23:00:26 +0200 + -- Nicolas FRANCOIS (Nekral) Sat, 14 Mar 2009 18:44:29 +0100 shadow (1:4.1.1-4) unstable; urgency=low diff --git a/debian/patches/008_login_log_failure_in_FTMP b/debian/patches/008_login_log_failure_in_FTMP index 8a4ef02f..b1e0a8e3 100644 --- a/debian/patches/008_login_log_failure_in_FTMP +++ b/debian/patches/008_login_log_failure_in_FTMP @@ -11,7 +11,7 @@ Index: shadow-4.1.0/src/login.c @@ -722,6 +722,29 @@ #endif /* WITH_AUDIT */ - fprintf (stderr, "\nLogin incorrect\n"); + fprintf (stderr, "\nLogin incorrect\n"); + if (getdef_str("FTMP_FILE") != NULL) { +#if HAVE_UTMPX_H + failent = utxent; 
@@ -36,8 +36,8 @@ Index: shadow-4.1.0/src/login.c + failtmp(&failent); + } - /* Let's give it another go around */ - pam_set_item(pamh,PAM_USER,NULL); + /* + * Let's give it another go around. Index: shadow-4.1.0/lib/getdef.c =================================================================== --- shadow-4.1.0.orig/lib/getdef.c diff --git a/debian/patches/429_login_FAILLOG_ENAB b/debian/patches/429_login_FAILLOG_ENAB index 24863eae..0cdfd289 100644 --- a/debian/patches/429_login_FAILLOG_ENAB +++ b/debian/patches/429_login_FAILLOG_ENAB @@ -24,18 +24,18 @@ Index: shadow-4.1.0/src/login.c static void check_nologin (void); #endif @@ -673,6 +673,8 @@ - SYSLOG ((LOG_NOTICE, - "TOO MANY LOGIN TRIES (%d)%s FOR `%s'", - failcount, fromhost, failent_user)); -+ if (pwd && getdef_bool("FAILLOG_ENAB")) -+ failure (pwent.pw_uid, tty, &faillog); - fprintf(stderr, - _("Maximum number of tries exceeded (%d)\n"), - failcount); + SYSLOG ((LOG_NOTICE, + "TOO MANY LOGIN TRIES (%d)%s FOR `%s'", + failcount, fromhost, failent_user)); ++ if (pwd && getdef_bool("FAILLOG_ENAB")) ++ failure (pwent.pw_uid, tty, &faillog); + fprintf(stderr, + _("Maximum number of tries exceeded (%d)\n"), + failcount); @@ -690,6 +692,13 @@ - pam_strerror (pamh, retcode))); - failed = 1; - } + pam_strerror (pamh, retcode))); + failed = true; + } + if (pwd && getdef_bool("FAILLOG_ENAB") && + ! failcheck (pwent.pw_uid, &faillog, failed)) { + SYSLOG((LOG_CRIT, @@ -44,14 +44,14 @@ Index: shadow-4.1.0/src/login.c + failed = 1; + } - if (!failed) - break; -@@ -722,6 +731,8 @@ + if (!failed) { + break; +@@ -766,6 +731,8 @@ #endif /* WITH_AUDIT */ - fprintf (stderr, "\nLogin incorrect\n"); -+ if (pwd && getdef_bool("FAILLOG_ENAB")) -+ failure (pwent.pw_uid, tty, &faillog); + fprintf (stderr, "\nLogin incorrect\n"); ++ if (pwd && getdef_bool("FAILLOG_ENAB")) ++ failure (pwent.pw_uid, tty, &faillog); if (getdef_str("FTMP_FILE") != NULL) { #if HAVE_UTMPX_H failent = utxent; 
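Review bot: In debian/patches/429_login_FAILLOG_ENAB the line the patch adds inside the `failcheck` branch still reads `failed = 1;`, while the refreshed context right above it now uses `failed = true;` and the 463 patch shows the variable as `bool failed;`; it should become `failed = true;` to match. The last inner hunk header was changed from `@@ -722,6 +731,8 @@` to `@@ -766,6 +731,8 @@`, so the old-side start moved but the new-side start did not. Given that the two earlier hunks add nine lines, `@@ -766,6 +775,8 @@` would be the consistent value. patch(1) will probably still apply it with an offset, but regenerating the patch instead of hand-editing the header keeps it applying cleanly. The login.c code these hunks modify is only partly visible here.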
diff --git a/debian/patches/463_login_delay_obeys_to_PAM b/debian/patches/463_login_delay_obeys_to_PAM index 545ab463..d79e3a5c 100644 --- a/debian/patches/463_login_delay_obeys_to_PAM +++ b/debian/patches/463_login_delay_obeys_to_PAM @@ -12,13 +12,13 @@ Index: shadow-4.1.0/src/login.c --- shadow-4.1.0.orig/src/login.c +++ shadow-4.1.0/src/login.c @@ -331,7 +331,6 @@ + #if defined(HAVE_STRFTIME) && !defined(USE_PAM) char ptime[80]; #endif - int reason = PW_LOGIN; - int delay; int retries; - int failed; - int flag; + bool failed; + bool subroot = false; @@ -354,6 +353,7 @@ char *pam_user; char **ptr_pam_user = &pam_user; @@ -28,43 +28,44 @@ Index: shadow-4.1.0/src/login.c #endif /* @@ -578,7 +578,6 @@ - alarm (timeout); + } - environ = newenvp; /* make new environment active */ -- delay = getdef_num ("FAIL_DELAY", 1); - retries = getdef_num ("LOGIN_RETRIES", RETRIES); + environ = newenvp; /* make new environment active */ +- delay = getdef_num ("FAIL_DELAY", 1); + retries = getdef_num ("LOGIN_RETRIES", RETRIES); #ifdef USE_PAM 
@@ -594,17 +593,12 @@ - /* - * hostname & tty are either set to NULL or their correct values, -- * depending on how much we know. We also set PAM's fail delay to -- * ours. -+ * depending on how much we know. - */ - retcode = pam_set_item (pamh, PAM_RHOST, hostname); - PAM_FAIL_CHECK; - retcode = pam_set_item (pamh, PAM_TTY, tty); - PAM_FAIL_CHECK; + /* + * hostname & tty are either set to NULL or their correct values, +- * depending on how much we know. We also set PAM's fail delay to +- * ours. ++ * depending on how much we know. + */ + retcode = pam_set_item (pamh, PAM_RHOST, hostname); + PAM_FAIL_CHECK; + retcode = pam_set_item (pamh, PAM_TTY, tty); + PAM_FAIL_CHECK; -#ifdef HAS_PAM_FAIL_DELAY -- retcode = pam_fail_delay (pamh, 1000000 * delay); -- PAM_FAIL_CHECK; +- retcode = pam_fail_delay (pamh, 1000000 * delay); +- PAM_FAIL_CHECK; -#endif - /* if fflg, then the user has already been authenticated */ - if (!fflg || (getuid () != 0)) { - int failcount = 0; -@@ -645,11 +639,6 @@ - failed = 0; + /* if fflg, then the user has already been authenticated */ + if (!fflg || (getuid () != 0)) { + int failcount = 0; +@@ -645,12 +639,6 @@ + failed = false; - failcount++; + failcount++; -#ifdef HAS_PAM_FAIL_DELAY -- if (delay > 0) { -- retcode = pam_fail_delay(pamh, 1000000*delay); -- } +- if (delay > 0) { +- retcode = pam_fail_delay(pamh, 1000000*delay); +- PAM_FAIL_CHECK; +- } -#endif - retcode = pam_authenticate (pamh, 0); + retcode = pam_authenticate (pamh, 0); @@ -956,14 +948,17 @@ pw_auth ("!", username, reason, (char *) 0); diff --git a/debian/patches/504_undef_USE_PAM.dpatch b/debian/patches/504_undef_USE_PAM.dpatch deleted file mode 100755 index 9f13b318..00000000 --- a/debian/patches/504_undef_USE_PAM.dpatch +++ /dev/null 
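Review bot: Neither the visible part of 463_login_delay_obeys_to_PAM nor the changelog entry says where the failed-login pause comes from once this patch removes both `pam_fail_delay` calls and the `delay = getdef_num ("FAIL_DELAY", 1);` read. On the PAM path FAIL_DELAY from login.defs then no longer sets it. I would add a line to the patch header (not shown in this hunk) such as `Note: with PAM, login ignores FAIL_DELAY from login.defs; the delay must be configured in the PAM stack (e.g. pam_faildelay).` Since that pause is what slows password guessing at the login prompt, it is worth confirming that the shipped PAM configuration for login sets one; that file is not part of this diff, so this is an assumption to check.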
@@ -1,206 +0,0 @@ -Goal: Do not use PAM for chage, chpasswd, groupadd, groupdel, groupmod - newusers, useradd, userdel, usermod, chgpasswd (keep them low-level) -Fixes: #283961, #162181, #162199, #162228, #369806. - -Status wrt upstream: A configure option was added. To be tested with 4.1.3. - -Index: shadow-4.1.2/src/chage.c -=================================================================== ---- shadow-4.1.2.orig/src/chage.c 2008-06-13 23:23:11.000000000 +0200 -+++ shadow-4.1.2/src/chage.c 2008-06-16 02:29:28.463262026 +0200 -@@ -31,6 +31,7 @@ - */ - - #include -+#undef USE_PAM - - #ident "$Id: chage.c 2162 2008-06-13 21:23:09Z nekral-guest $" - -@@ -53,6 +54,7 @@ - #include "exitcodes.h" - #include "prototypes.h" - #include "defines.h" -+#undef USE_PAM - #include "pwio.h" - #include "shadowio.h" - /* -Index: shadow-4.1.2/src/chpasswd.c -=================================================================== ---- shadow-4.1.2.orig/src/chpasswd.c 2008-06-13 20:11:10.000000000 +0200 -+++ shadow-4.1.2/src/chpasswd.c 2008-06-16 02:30:16.079421379 +0200 -@@ -31,6 +31,7 @@ - */ - - #include -+#undef USE_PAM - - #ident "$Id: chpasswd.c 2130 2008-06-13 18:11:09Z nekral-guest $" - -@@ -43,6 +44,7 @@ - #include "pam_defs.h" - #endif /* USE_PAM */ - #include "defines.h" -+#undef USE_PAM - #include "exitcodes.h" - #include "nscd.h" - #include "prototypes.h" -Index: shadow-4.1.2/src/groupadd.c -=================================================================== ---- shadow-4.1.2.orig/src/groupadd.c 2008-06-13 23:19:12.000000000 +0200 -+++ shadow-4.1.2/src/groupadd.c 2008-06-16 02:30:41.299262034 +0200 -@@ -31,6 +31,7 @@ - */ - - #include -+#undef USE_PAM - - #ident "$Id: groupadd.c 2161 2008-06-13 21:19:07Z nekral-guest $" - -@@ -47,6 +48,7 @@ - #endif /* USE_PAM */ - #include "chkname.h" - #include "defines.h" -+#undef USE_PAM - #include "getdef.h" - #include "groupio.h" - #include "nscd.h" -Index: shadow-4.1.2/src/groupdel.c 
-=================================================================== ---- shadow-4.1.2.orig/src/groupdel.c 2008-06-13 22:59:07.000000000 +0200 -+++ shadow-4.1.2/src/groupdel.c 2008-06-16 02:30:49.651262093 +0200 -@@ -31,6 +31,7 @@ - */ - - #include -+#undef USE_PAM - - #ident "$Id: groupdel.c 2154 2008-06-13 20:59:04Z nekral-guest $" - -@@ -44,6 +45,7 @@ - #include - #include - #include "defines.h" -+#undef USE_PAM - #include "groupio.h" - #include "nscd.h" - #include "prototypes.h" -Index: shadow-4.1.2/src/groupmod.c -=================================================================== ---- shadow-4.1.2.orig/src/groupmod.c 2008-06-13 23:08:07.000000000 +0200 -+++ shadow-4.1.2/src/groupmod.c 2008-06-16 02:30:58.227367347 +0200 -@@ -31,6 +31,7 @@ - */ - - #include -+#undef USE_PAM - - #ident "$Id: groupmod.c 2158 2008-06-13 21:08:06Z nekral-guest $" - -@@ -46,6 +47,7 @@ - #endif /* USE_PAM */ - #include "chkname.h" - #include "defines.h" -+#undef USE_PAM - #include "groupio.h" - #include "pwio.h" - #include "nscd.h" -Index: shadow-4.1.2/src/newusers.c -=================================================================== ---- shadow-4.1.2.orig/src/newusers.c 2008-06-13 22:56:45.000000000 +0200 -+++ shadow-4.1.2/src/newusers.c 2008-06-16 02:31:41.669480684 +0200 -@@ -39,6 +39,7 @@ - */ - - #include -+#undef USE_PAM - - #ident "$Id: newusers.c 2152 2008-06-13 20:56:44Z nekral-guest $" - -@@ -55,6 +56,7 @@ - #endif /* USE_PAM */ - #include "prototypes.h" - #include "defines.h" -+#undef USE_PAM - #include "getdef.h" - #include "groupio.h" - #include "nscd.h" -Index: shadow-4.1.2/src/useradd.c -=================================================================== ---- shadow-4.1.2.orig/src/useradd.c 2008-06-16 01:33:59.000000000 +0200 -+++ shadow-4.1.2/src/useradd.c 2008-06-16 02:31:09.347908114 +0200 -@@ -31,6 +31,7 @@ - */ - - #include -+#undef USE_PAM - - #ident "$Id: useradd.c 2189 2008-06-15 22:25:51Z nekral-guest $" - -@@ -51,6 +52,7 @@ - #include - #include "chkname.h" 
- #include "defines.h" -+#undef USE_PAM - #include "faillog.h" - #include "getdef.h" - #include "groupio.h" -Index: shadow-4.1.2/src/userdel.c -=================================================================== ---- shadow-4.1.2.orig/src/userdel.c 2008-06-13 22:23:28.000000000 +0200 -+++ shadow-4.1.2/src/userdel.c 2008-06-16 02:31:15.268028621 +0200 -@@ -31,6 +31,7 @@ - */ - - #include -+#undef USE_PAM - - #ident "$Id: userdel.c 2147 2008-06-13 20:23:26Z nekral-guest $" - -@@ -47,6 +48,7 @@ - #include "pam_defs.h" - #endif /* USE_PAM */ - #include "defines.h" -+#undef USE_PAM - #include "getdef.h" - #include "groupio.h" - #include "nscd.h" -Index: shadow-4.1.2/src/usermod.c -=================================================================== ---- shadow-4.1.2.orig/src/usermod.c 2008-06-16 01:52:28.000000000 +0200 -+++ shadow-4.1.2/src/usermod.c 2008-06-16 02:31:21.364381584 +0200 -@@ -31,6 +31,7 @@ - */ - - #include -+#undef USE_PAM - - #ident "$Id: usermod.c 2151 2008-06-13 20:40:04Z nekral-guest $" - -@@ -50,6 +51,7 @@ - #include - #include "chkname.h" - #include "defines.h" -+#undef USE_PAM - #include "faillog.h" - #include "getdef.h" - #include "groupio.h" -Index: shadow-4.1.2/src/chgpasswd.c -=================================================================== ---- shadow-4.1.2.orig/src/chgpasswd.c 2008-06-13 20:11:10.000000000 +0200 -+++ shadow-4.1.2/src/chgpasswd.c 2008-06-16 02:31:48.547282333 +0200 -@@ -31,6 +31,7 @@ - */ - - #include -+#undef USE_PAM - - #ident "$Id: chgpasswd.c 2130 2008-06-13 18:11:09Z nekral-guest $" - -@@ -43,6 +44,7 @@ - #include "pam_defs.h" - #endif /* USE_PAM */ - #include "defines.h" -+#undef USE_PAM - #include "nscd.h" - #include "prototypes.h" - #include "groupio.h" diff --git a/debian/patches/504_undef_USE_PAM.nolibpam b/debian/patches/504_undef_USE_PAM.nolibpam deleted file mode 100644 index 7fc2e444..00000000 --- a/debian/patches/504_undef_USE_PAM.nolibpam +++ /dev/null 
@@ -1,60 +0,0 @@ -Status wrt upstream: A configure option was added. To be tested with - 4.1.3. - -Index: shadow-4.1.0/src/Makefile.am -=================================================================== ---- shadow-4.1.0.orig/src/Makefile.am -+++ shadow-4.1.0/src/Makefile.am -@@ -55,17 +55,17 @@ - $(top_builddir)/lib/libshadow.la - AM_CPPFLAGS = -DLOCALEDIR=\"$(datadir)/locale\" - --chage_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) -+chage_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) --chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) $(LIBSKEY) $(LIBMD) -+chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) --chgpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) -+chgpasswd_LDADD = $(LDADD) $(LIBSELINUX) $(LIBCRYPT) --chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) $(LIBSKEY) $(LIBMD) -+chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) --chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) -+chpasswd_LDADD = $(LDADD) $(LIBSELINUX) $(LIBCRYPT) - cppw_LDADD = $(LDADD) $(LIBSELINUX) - gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) --groupadd_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) --groupdel_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) -+groupadd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) -+groupdel_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) - groupmems_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) --groupmod_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) -+groupmod_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) - grpck_LDADD = $(LDADD) $(LIBSELINUX) - grpconv_LDADD = $(LDADD) $(LIBSELINUX) - grpunconv_LDADD = $(LDADD) $(LIBSELINUX) -@@ -74,7 +74,7 @@ - login_nopam.c --login_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBCRYPT) $(LIBSKEY) $(LIBMD) -+login_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) --newgrp_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBCRYPT) -+newgrp_LDADD = $(LDADD) $(LIBAUDIT) $(LIBCRYPT) --newusers_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) -+newusers_LDADD = $(LDADD) 
$(LIBSELINUX) $(LIBCRYPT) - nologin_LDADD = --passwd_LDADD = $(LDADD) $(LIBPAM) $(LIBCRACK) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) -+passwd_LDADD = $(LDADD) $(LIBPAM) $(LIBCRACK) $(LIBAUDIT) $(LIBSELINUX) - pwck_LDADD = $(LDADD) $(LIBSELINUX) -@@ -84,10 +84,10 @@ - su.c \ - suauth.c --su_LDADD = $(LDADD) $(LIBPAM) $(LIBCRYPT) $(LIBSKEY) $(LIBMD) -+su_LDADD = $(LDADD) $(LIBPAM) - sulogin_LDADD = $(LDADD) $(LIBCRYPT) --useradd_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) --userdel_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) --usermod_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) -+useradd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) -+userdel_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) -+usermod_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) - vipw_LDADD = $(LDADD) $(LIBSELINUX) - - install-am: all-am diff --git a/debian/patches/507_32char_grnames.dpatch b/debian/patches/507_32char_grnames.dpatch deleted file mode 100755 index 4a0dcfff..00000000 --- a/debian/patches/507_32char_grnames.dpatch +++ /dev/null 
@@ -1,65 +0,0 @@ -#! /bin/sh -e -## 407_32char_grnames_240456.dpatch by xrgtn -## -## All lines beginning with `## DP:' are a description of the patch. -## -## DP: The patch allows 32 character long group names instead of only 16 -## DP: characters. -## DP: -## DP: Comments from Karl Ramm (shadow 1:4.0.3-23, 28 Mar 2004 19:46:34 -0500): -## DP: -## DP: increase maximum group name size to 32 for no particularly good reason -## DP: closes: #240456 - -if [ $# -lt 1 ]; then - echo "`basename $0`: script expects -patch|-unpatch as argument" >&2 - exit 1 -fi - -[ -f debian/patches/00patch-opts ] && . debian/patches/00patch-opts -patch_opts="${patch_opts:--f --no-backup-if-mismatch} ${2:+-d $2}" - -case "$1" in - -patch) patch -p1 ${patch_opts} < $0;; - -unpatch) patch -R -p1 ${patch_opts} < $0;; - *) - echo "`basename $0`: script expects -patch|-unpatch as argument" >&2 - exit 1;; -esac - -exit 0 - -@DPATCH@ - -Index: shadow-4.1.0/libmisc/chkname.c -=================================================================== ---- shadow-4.1.0.orig/libmisc/chkname.c -+++ shadow-4.1.0/libmisc/chkname.c -@@ -70,10 +70,10 @@ - bool is_valid_group_name (const char *name) - { - /* -- * Arbitrary limit for group names - max 16 -- * characters (same as on HP-UX 10). -+ * Arbitrary limit for group names - max 32 -+ * same as linux UT_NAMESIZE - */ -- if (strlen (name) > 16) { -+ if (strlen (name) > 32) { - return false; - } - - return good_name (name); -Index: shadow-4.1.1/man/groupadd.8.xml -=================================================================== ---- shadow-4.1.1.orig/man/groupadd.8.xml -+++ shadow-4.1.1/man/groupadd.8.xml -@@ -175,7 +175,7 @@ - may follow. In regular expression terms: [a-z_][a-z0-9_-]*[$] - - -- Groupnames may only be up to 16 characters long. -+ Groupnames may only be up to 32 characters long. - - - You may not add a NIS or LDAP group. This must be performed on the 
diff --git a/debian/patches/579_chowntty_debug b/debian/patches/579_chowntty_debug
deleted file mode 100644
index 2844e18b..00000000
--- a/debian/patches/579_chowntty_debug
+++ /dev/null
@@ -1,62 +0,0 @@ -Goal: Provide more info when chown_tty() phase of login fails (see #332198). - -Related: #332198 (helps to debug) - -Status wrt upstream: Not forwarded (dunno if there's any point in this). - -This patch increases verbosity of is_my_tty() routine which is called -from chown_tty() which in turn is part of login sequence. Submitter of -the bug #332198 sometimes gets telnet session refused, but message in -syslog is not at all helpful: -> ... login[453]: unable to determine TTY name, got /dev/pts/1 -and in fact it's misleading, because tty name is detected OK, it's -is_my_tty() which is failing for a reason yet unknown (I suspect -corruption of utmp file). - -Index: shadow-4.1.0/libmisc/chowntty.c -=================================================================== ---- shadow-4.1.0.orig/libmisc/chowntty.c -+++ shadow-4.1.0/libmisc/chowntty.c -@@ -40,6 +40,7 @@ - #include "defines.h" - #include - #include "getdef.h" -+#include - /* - * is_my_tty -- determine if "tty" is the same as TTY stdin is using - */ -@@ -47,13 +48,31 @@ - { - struct stat by_name, by_fd; - -- if ((stat (tty, &by_name) != 0) || (fstat (0, &by_fd) != 0)) { -+ if (stat (tty, &by_name) != 0) { -+ /* Can use neither strerror() nor "%m" sequence -- first -+ * is locale-dependent (while SYSLOG isn't) and for second -+ * the SYSLOG macro isn't errno-transparent. 
--xrgtn */ -+ int e = errno; -+ SYSLOG ((LOG_WARN, "can't stat(`%s'): errno %i\n", tty, e)); - return false; - } - -- if (by_name.st_rdev != by_fd.st_rdev) { -+ if (fstat (0, &by_fd) != 0) { -+ int e = errno; -+ SYSLOG ((LOG_WARN, "can't fstat(stdin): errno %i\n", e)); - return false; -- } else { -+ } -+ -+ if (by_name.st_rdev != by_fd.st_rdev) { -+ SYSLOG ((LOG_WARN, -+ "`%s'.st_rdev(%u,%u) != stdin.st_rdev(%u,%u)\n", -+ tty, -+ /* XXX: dev_t is 64bit, gnu_dev_mXXor are used -+ * which are GNU extn */ -+ major(by_name.st_rdev), minor(by_name.st_rdev), -+ major(by_fd.st_rdev), minor(by_fd.st_rdev))); -+ return false; -+ } else { - return true; - } - } diff --git a/debian/patches/592_manpages_typos b/debian/patches/592_manpages_typos deleted file mode 100644 index 13847014..00000000 --- a/debian/patches/592_manpages_typos +++ /dev/null 
@@ -1,36 +0,0 @@ -Goal: fix some typos in the XML manpages. - -Fixes: #352135, 369806 - -Status wrt upstream: Debian specific. - -It is probably a bug of docbook-xsl 1.68.1-0.1 - -Index: shadow-4.1.0/man/passwd.1.xml -=================================================================== ---- shadow-4.1.0.orig/man/passwd.1.xml -+++ shadow-4.1.0/man/passwd.1.xml -@@ -97,8 +97,8 @@ - Hints for user passwords - - The security of a password depends upon the strength of the -- encryption algorithm and the size of the key space. The -- UNIX System encryption method is based on the -+ encryption algorithm and the size of the key space. -+ The UNIX System encryption method is based on the - NBS DES algorithm and is very secure. The size of the key space - depends upon the randomness of the password which is selected. - -Index: shadow-4.1.0/man/useradd.8.xml -=================================================================== ---- shadow-4.1.0.orig/man/useradd.8.xml -+++ shadow-4.1.0/man/useradd.8.xml -@@ -46,7 +46,7 @@ - DESCRIPTION - - When invoked without the option, the -- useradd command creates a new user account using -+ useradd command creates a new user account using - the values specified on the command line plus the default values from - the system. Depending on command line options, the - useradd command diff --git a/debian/patches/series b/debian/patches/series index 8de1d914..5c83ab75 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -10,24 +10,16 @@ 008_login_log_failure_in_FTMP 429_login_FAILLOG_ENAB 401_cppw_src.dpatch -504_undef_USE_PAM.dpatch -504_undef_USE_PAM.nolibpam 506_relaxed_usernames -507_32char_grnames.dpatch 542_useradd-O_option 501_commonio_group_shadow 463_login_delay_obeys_to_PAM 523_su_arguments_are_concatenated 523_su_arguments_are_no_more_concatenated_by_default -579_chowntty_debug 483_su_fakelogin_wrong_arg0 -592_manpages_typos 403_fix_PATH-MAX_hurd 508_nologin_in_usr_sbin 505_useradd_recommend_adduser 415_login_put-echoctl-back 302_vim_selinux_support -200_Czech_binary_translation -494_passwd_lock-no_account_lock -302_remove_non_translated_polish_manpages 402_cppw_selinux diff --git a/debian/rules b/debian/rules index 0505629b..180ac0fd 100755 --- a/debian/rules +++ b/debian/rules @@ -23,7 +23,7 @@ DEB_AUTO_UPDATE_AUTOCONF = 1.9 DEB_AUTO_UPDATE_AUTOMAKE = 1.9 # Adds extra options when calling the configure script: -DEB_CONFIGURE_EXTRA_FLAGS := --disable-shared --without-libcrack --without-audit --mandir=/usr/share/man --with-libpam --enable-shadowgrp --enable-man +DEB_CONFIGURE_EXTRA_FLAGS := --disable-shared --without-libcrack --without-audit --mandir=/usr/share/man --with-libpam --enable-shadowgrp --enable-man --disable-account-tools-setuid --with-group-name-max-length=32 ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE)) DEB_CONFIGURE_EXTRA_FLAGS += --host=$(DEB_HOST_GNU_TYPE) endif
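Review bot: The `--disable-account-tools-setuid` flag added to `DEB_CONFIGURE_EXTRA_FLAGS` replaces two deleted patches whose own headers say the configure option was still "To be tested with 4.1.3", and nothing in this diff shows that the result was compared. The deleted 504_undef_USE_PAM.dpatch undefined USE_PAM in chage, chpasswd, chgpasswd, groupadd, groupdel, groupmod, newusers, useradd, userdel and usermod, and 504_undef_USE_PAM.nolibpam dropped `$(LIBPAM)` from those link lines and from newgrp. It also trimmed `$(LIBCRYPT)`, `$(LIBSKEY)` and `$(LIBMD)` from chfn, chsh, login, passwd and su, which a PAM-related option presumably does not do. Please confirm on the built binaries that the same tools come out without PAM authentication and without a libpam dependency, and extend the comment above the variable, for example `# --disable-account-tools-setuid: account tools (useradd, usermod, ...) are not setuid and do not authenticate callers through PAM`.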