VesperOS/shadow
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Rebase patches

Browse Source
This commit is contained in:
Chris Hofstaedtler
2024-06-22 17:47:05 +02:00
parent ae2c71761e
commit 527b684a18
14 changed files with 374 additions and 471 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
debian/copyright vendored
View File

@@ -143,7 +143,7 @@ Copyright: 1991-1993, Chip Rosenthal
2007-2009, Nicolas François
License: BSD-3-clause
Files: debian/patches/401_cppw_src.patch
Files: debian/patches/cppw-Add-tool.patch
Copyright: 1997, Guy Maor <maor@ece.utexas.edu>
1999, Stephen Frost <sfrost@snowman.net>
License: GPL-2+

81
debian/patches/900_testsuite_groupmems.patch vendored
View File

@@ -1,81 +0,0 @@
--- a/debian/passwd.install
+++ b/debian/passwd.install
@@ -9,6 +9,7 @@
usr/sbin/cppw
usr/sbin/groupadd
usr/sbin/groupdel
+usr/sbin/groupmems
usr/sbin/groupmod
usr/sbin/grpck
usr/sbin/grpconv
@@ -33,6 +34,7 @@
usr/share/man/*/man8/chpasswd.8
usr/share/man/*/man8/groupadd.8
usr/share/man/*/man8/groupdel.8
+usr/share/man/*/man8/groupmems.8
usr/share/man/*/man8/groupmod.8
usr/share/man/*/man8/grpck.8
usr/share/man/*/man8/grpconv.8
@@ -59,6 +61,7 @@
usr/share/man/man8/chpasswd.8
usr/share/man/man8/groupadd.8
usr/share/man/man8/groupdel.8
+usr/share/man/man8/groupmems.8
usr/share/man/man8/groupmod.8
usr/share/man/man8/grpck.8
usr/share/man/man8/grpconv.8
--- a/debian/passwd.postinst
+++ b/debian/passwd.postinst
@@ -31,6 +31,24 @@
exit 1
)
fi
+ if ! getent group groupmems | grep -q '^groupmems:[^:]*:99'
+ then
+ groupadd -g 99 groupmems || (
+ cat <<EOF
+************************ TESTSUITE *****************************
+Group ID 99 has been allocated for the groupmems group. You have either
+used 99 yourself or created a groupmems group with a different ID.
+Please correct this problem and reconfigure with ``dpkg --configure passwd''.
+
+Note that both user and group IDs in the range 0-99 are globally
+allocated by the Debian project and must be the same on every Debian
+system.
+EOF
+ exit 1
+ )
+# FIXME
+ chgrp groupmems /usr/sbin/groupmems
+ fi
;;
esac
--- a/debian/rules
+++ b/debian/rules
@@ -60,6 +60,7 @@
dh_installpam -p passwd --name=chsh
dh_installpam -p passwd --name=chpasswd
dh_installpam -p passwd --name=newusers
+ dh_installpam -p passwd --name=groupmems
ifeq ($(DEB_HOST_ARCH_OS),hurd)
# login is not built on The Hurd, but some utilities of passwd depends on
# /etc/login.defs.
@@ -87,3 +88,6 @@
chgrp shadow debian/passwd/usr/bin/expiry
chmod g+s debian/passwd/usr/bin/chage
chmod g+s debian/passwd/usr/bin/expiry
+ chgrp groupmems debian/passwd/usr/sbin/groupmems
+ chmod u+s debian/passwd/usr/sbin/groupmems
+ chmod o-x debian/passwd/usr/sbin/groupmems
--- /dev/null
+++ b/debian/passwd.groupmems.pam
@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'groupmod' service
+#
+
+# This allows root to modify groups without being prompted for a password
+auth sufficient pam_rootok.so
+
+@include common-auth
+@include common-account

76
debian/patches/901_testsuite_gcov.patch vendored
View File

@@ -1,76 +0,0 @@
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -1,6 +1,8 @@
AUTOMAKE_OPTIONS = 1.0 foreign
+CFLAGS += -fprofile-arcs -ftest-coverage
+
DEFS =
noinst_LTLIBRARIES = libshadow.la
--- a/libmisc/Makefile.am
+++ b/libmisc/Makefile.am
@@ -1,6 +1,8 @@
EXTRA_DIST = .indent.pro xgetXXbyYY.c
+CFLAGS += -fprofile-arcs -ftest-coverage
+
INCLUDES = -I$(top_srcdir)/lib
noinst_LIBRARIES = libmisc.a
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -7,6 +7,8 @@
suidperms = 4755
sgidperms = 2755
+CFLAGS += -fprofile-arcs -ftest-coverage
+
INCLUDES = \
-I${top_srcdir}/lib \
-I$(top_srcdir)/libmisc
--- a/debian/rules
+++ b/debian/rules
@@ -40,6 +40,12 @@
endif
export CFLAGS
+clean:: clean_gcov
+
+clean_gcov:
+ find . -name "*.gcda" -delete
+ find . -name "*.gcno" -delete
+
# Add extras to the install process:
binary-install/login::
dh_installpam -p login
--- a/lib/defines.h
+++ b/lib/defines.h
@@ -174,23 +174,9 @@
trust the formatted time received from the unix domain (or worse,
UDP) socket. -MM */
/* Avoid translated PAM error messages: Set LC_ALL to "C".
+ * This is disabled for coverage testing
* --Nekral */
-#define SYSLOG(x) \
- do { \
- char *old_locale = setlocale (LC_ALL, NULL); \
- char *saved_locale = NULL; \
- if (NULL != old_locale) { \
- saved_locale = strdup (old_locale); \
- } \
- if (NULL != saved_locale) { \
- (void) setlocale (LC_ALL, "C"); \
- } \
- syslog x ; \
- if (NULL != saved_locale) { \
- (void) setlocale (LC_ALL, saved_locale); \
- free (saved_locale); \
- } \
- } while (false)
+#define SYSLOG(x) syslog x
#else /* !ENABLE_NLS */
#define SYSLOG(x) syslog x
#endif /* !ENABLE_NLS */

223
debian/patches/503_shadowconfig.8.patch → debian/patches/Document-the-shadowconfig-utility.patch vendored
View File

@@ -1,12 +1,125 @@
Goal: Document the shadowconfig utility
From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Date: Sat, 22 Jun 2024 17:39:41 +0200
Subject: Document the shadowconfig utility
Status wrt upstream: The shadowconfig utility is debian specific.
Its man page also (but it used to be distributed)
Its man page also (but it used to be distributed)
Index: git/man/shadowconfig.8
===================================================================
Gbp-Topic: debian
---
man/fr/shadowconfig.8 | 26 +++++++++++++++++++++++++
man/ja/shadowconfig.8 | 25 ++++++++++++++++++++++++
man/pl/shadowconfig.8 | 27 ++++++++++++++++++++++++++
man/shadowconfig.8 | 41 +++++++++++++++++++++++++++++++++++++++
man/shadowconfig.8.xml | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++
5 files changed, 171 insertions(+)
create mode 100644 man/fr/shadowconfig.8
create mode 100644 man/ja/shadowconfig.8
create mode 100644 man/pl/shadowconfig.8
create mode 100644 man/shadowconfig.8
create mode 100644 man/shadowconfig.8.xml
diff --git a/man/fr/shadowconfig.8 b/man/fr/shadowconfig.8
new file mode 100644
index 0000000..784da70
--- /dev/null
+++ git/man/shadowconfig.8
+++ b/man/fr/shadowconfig.8
@@ -0,0 +1,26 @@
+.\" This file was generated with po4a. Translate the source file.
+.\"
+.\"$Id: shadowconfig.8,v 1.4 2001/08/23 23:10:48 kloczek Exp $
+.TH SHADOWCONFIG 8 "19 avril 1997" "Debian GNU/Linux"
+.SH NOM
+shadowconfig \- active ou désactive les mots de passe cachés
+.SH SYNOPSIS
+\fBshadowconfig\fP \fIon\fP | \fIoff\fP
+.SH DESCRIPTION
+.PP
+\fBshadowconfig on\fP active les mots de passe cachés («\ shadow passwords\ »)\ ; \fBshadowconfig off\fP les désactive. \fBShadowconfig\fP affiche un message
+d'erreur et quitte avec une valeur de retour non nulle s'il rencontre
+quelque chose d'inattendu. Dans ce cas, vous devrez corriger l'erreur avant
+de recommencer.
+
+Activer les mots de passe cachés lorsqu'ils sont déjà activés, ou les
+désactiver lorsqu'ils ne sont pas actifs est sans effet.
+
+Lisez \fI/usr/share/doc/passwd/README.Debian\fP pour une brève introduction aux
+mots de passe cachés et à leurs fonctionnalités.
+
+Notez que désactiver puis réactiver les mots de passe cachés aura pour
+conséquence la perte des informations d'âge sur les mots de passe.
+.SH TRADUCTION
+Nicolas FRANÇOIS, 2004.
+Veuillez signaler toute erreur à <\fIdebian\-l10\-french@lists.debian.org\fR>.
diff --git a/man/ja/shadowconfig.8 b/man/ja/shadowconfig.8
new file mode 100644
index 0000000..a75c6f7
--- /dev/null
+++ b/man/ja/shadowconfig.8
@@ -0,0 +1,25 @@
+.\" all right reserved,
+.\" Translated Tue Oct 30 11:59:11 JST 2001
+.\" by Maki KURODA <mkuroda@aisys-jp.com>
+.\"
+.TH SHADOWCONFIG 8 "19 Apr 1997" "Debian GNU/Linux"
+.SH 名前
+shadowconfig \- shadow パスワードの設定をオン及びオフに切替える
+.SH 書式
+.B "shadowconfig"
+.IR on " | " off
+.SH 説明
+.PP
+.B shadowconfig on
+は shadow パスワードを有効にする。
+.B shadowconfig off
+は shadow パスワードを無効にする。
+.B shadowconfig
+は何らかの間違いがあると、エラーメッセージを表示し、
+ゼロではない返り値を返す。
+もしそのようなことが起こった場合、エラーを修正し、再度実行しなければならない。
+shadow パスワードの設定がすでにオンの場合にオンに設定したり、
+すでにオフの場合にオフに設定しても、何の影響もない。
+
+.I /usr/share/doc/passwd/README.debian.gz
+には shadow パスワードとそれに関する特徴の簡単な紹介が書かれている。
diff --git a/man/pl/shadowconfig.8 b/man/pl/shadowconfig.8
new file mode 100644
index 0000000..2016c9f
--- /dev/null
+++ b/man/pl/shadowconfig.8
@@ -0,0 +1,27 @@
+.\" $Id: shadowconfig.8,v 1.3 2001/08/23 23:10:51 kloczek Exp $
+.\" {PTM/WK/1999-09-14}
+.TH SHADOWCONFIG 8 "19 kwietnia 1997" "Debian GNU/Linux"
+.SH NAZWA
+shadowconfig - przełącza ochronę haseł i grup przez pliki shadow
+.SH SKŁADNIA
+.B "shadowconfig"
+.IR on " | " off
+.SH OPIS
+.PP
+.B shadowconfig on
+włącza ochronę haseł i grup przez dodatkowe, przesłaniane pliki (shadow);
+.B shadowconfig off
+wyłącza dodatkowe pliki haseł i grup.
+.B shadowconfig
+wyświetla komunikat o błędzie i kończy pracę z niezerowym kodem jeśli
+znajdzie coś nieprawidłowego. W takim wypadku powinieneś poprawić błąd
+.\" if it finds anything awry.
+i uruchomić program ponownie.
+
+Włączenie ochrony haseł, gdy jest ona już włączona lub jej wyłączenie,
+gdy jest wyłączona jest nieszkodliwe.
+
+Przeczytaj
+.IR /usr/share/doc/passwd/README.debian.gz ,
+gdzie znajdziesz krótkie wprowadzenie do ochrony haseł z użyciem dodatkowych
+plików haseł przesłanianych (shadow passwords) i związanych tematów.
diff --git a/man/shadowconfig.8 b/man/shadowconfig.8
new file mode 100644
index 0000000..c0ee0af
--- /dev/null
+++ b/man/shadowconfig.8
@@ -0,0 +1,41 @@
+.\"Generated by db2man.xsl. Don't modify this, modify the source.
+.de Sh \" Subsection
@@ -49,10 +162,11 @@ Index: git/man/shadowconfig.8
+.PP
+Note that turning shadow passwords off and on again will lose all password aging information\&.
+
Index: git/man/shadowconfig.8.xml
===================================================================
diff --git a/man/shadowconfig.8.xml b/man/shadowconfig.8.xml
new file mode 100644
index 0000000..b4080ea
--- /dev/null
+++ git/man/shadowconfig.8.xml
+++ b/man/shadowconfig.8.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
@@ -106,96 +220,3 @@ Index: git/man/shadowconfig.8.xml
+ </para>
+ </refsect1>
+</refentry>
Index: git/man/fr/shadowconfig.8
===================================================================
--- /dev/null
+++ git/man/fr/shadowconfig.8
@@ -0,0 +1,26 @@
+.\" This file was generated with po4a. Translate the source file.
+.\"
+.\"$Id: shadowconfig.8,v 1.4 2001/08/23 23:10:48 kloczek Exp $
+.TH SHADOWCONFIG 8 "19 avril 1997" "Debian GNU/Linux"
+.SH NOM
+shadowconfig \- active ou désactive les mots de passe cachés
+.SH SYNOPSIS
+\fBshadowconfig\fP \fIon\fP | \fIoff\fP
+.SH DESCRIPTION
+.PP
+\fBshadowconfig on\fP active les mots de passe cachés («\ shadow passwords\ »)\ ; \fBshadowconfig off\fP les désactive. \fBShadowconfig\fP affiche un message
+d'erreur et quitte avec une valeur de retour non nulle s'il rencontre
+quelque chose d'inattendu. Dans ce cas, vous devrez corriger l'erreur avant
+de recommencer.
+
+Activer les mots de passe cachés lorsqu'ils sont déjà activés, ou les
+désactiver lorsqu'ils ne sont pas actifs est sans effet.
+
+Lisez \fI/usr/share/doc/passwd/README.Debian\fP pour une brève introduction aux
+mots de passe cachés et à leurs fonctionnalités.
+
+Notez que désactiver puis réactiver les mots de passe cachés aura pour
+conséquence la perte des informations d'âge sur les mots de passe.
+.SH TRADUCTION
+Nicolas FRANÇOIS, 2004.
+Veuillez signaler toute erreur à <\fIdebian\-l10\-french@lists.debian.org\fR>.
Index: git/man/ja/shadowconfig.8
===================================================================
--- /dev/null
+++ git/man/ja/shadowconfig.8
@@ -0,0 +1,25 @@
+.\" all right reserved,
+.\" Translated Tue Oct 30 11:59:11 JST 2001
+.\" by Maki KURODA <mkuroda@aisys-jp.com>
+.\"
+.TH SHADOWCONFIG 8 "19 Apr 1997" "Debian GNU/Linux"
+.SH 名前
+shadowconfig \- shadow パスワードの設定をオン及びオフに切替える
+.SH 書式
+.B "shadowconfig"
+.IR on " | " off
+.SH 説明
+.PP
+.B shadowconfig on
+は shadow パスワードを有効にする。
+.B shadowconfig off
+は shadow パスワードを無効にする。
+.B shadowconfig
+は何らかの間違いがあると、エラーメッセージを表示し、
+ゼロではない返り値を返す。
+もしそのようなことが起こった場合、エラーを修正し、再度実行しなければならない。
+shadow パスワードの設定がすでにオンの場合にオンに設定したり、
+すでにオフの場合にオフに設定しても、何の影響もない。
+
+.I /usr/share/doc/passwd/README.debian.gz
+には shadow パスワードとそれに関する特徴の簡単な紹介が書かれている。
Index: git/man/pl/shadowconfig.8
===================================================================
--- /dev/null
+++ git/man/pl/shadowconfig.8
@@ -0,0 +1,27 @@
+.\" $Id: shadowconfig.8,v 1.3 2001/08/23 23:10:51 kloczek Exp $
+.\" {PTM/WK/1999-09-14}
+.TH SHADOWCONFIG 8 "19 kwietnia 1997" "Debian GNU/Linux"
+.SH NAZWA
+shadowconfig - przełącza ochronę haseł i grup przez pliki shadow
+.SH SKŁADNIA
+.B "shadowconfig"
+.IR on " | " off
+.SH OPIS
+.PP
+.B shadowconfig on
+włącza ochronę haseł i grup przez dodatkowe, przesłaniane pliki (shadow);
+.B shadowconfig off
+wyłącza dodatkowe pliki haseł i grup.
+.B shadowconfig
+wyświetla komunikat o błędzie i kończy pracę z niezerowym kodem jeśli
+znajdzie coś nieprawidłowego. W takim wypadku powinieneś poprawić błąd
+.\" if it finds anything awry.
+i uruchomić program ponownie.
+
+Włączenie ochrony haseł, gdy jest ona już włączona lub jej wyłączenie,
+gdy jest wyłączona jest nieszkodliwe.
+
+Przeczytaj
+.IR /usr/share/doc/passwd/README.debian.gz ,
+gdzie znajdziesz krótkie wprowadzenie do ochrony haseł z użyciem dodatkowych
+plików haseł przesłanianych (shadow passwords) i związanych tematów.

57
debian/patches/502_debian_useradd_defaults.patch → debian/patches/Keep-using-Debian-adduser-defaults.patch vendored
View File

@@ -1,19 +1,41 @@
From: Balint Reczey <balint@balintreczey.hu>
Description: Keep using Debian's adduser defaults
Upstream's bbf4b79bc49fd1826eb41f6629669ef0b647267b commit
in 4.9 merged those values from upstream's default configuration file
which is not shipped in Debian.
This patch keeps the program's compiled in defaults in sync with the
configuration files shipped in Debian (debian/default/useradd).
Date: Sat, 22 Jun 2024 17:39:41 +0200
Subject: Keep using Debian's adduser defaults
Bug: https://github.com/shadow-maint/shadow/issues/501
Bug-Debian: https://bugs.debian.org/1004710
Forwarded: not-needed
Index: shadow/src/useradd.c
===================================================================
--- shadow.orig/src/useradd.c
+++ shadow/src/useradd.c
@@ -90,14 +90,14 @@ static const char Prog[] = "useradd";
Upstream's bbf4b79bc49fd1826eb41f6629669ef0b647267b commit
in 4.9 merged those values from upstream's default configuration file
which is not shipped in Debian.
This patch keeps the program's compiled in defaults in sync with the
configuration files shipped in Debian (debian/default/useradd).
Gbp-Topic: debian
---
man/useradd.8.xml | 2 +-
src/useradd.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/man/useradd.8.xml b/man/useradd.8.xml
index 001e7d1..4888100 100644
--- a/man/useradd.8.xml
+++ b/man/useradd.8.xml
@@ -248,7 +248,7 @@
command line), useradd will set the primary group of the new
user to the value specified by the <option>GROUP</option>
variable in <filename>/etc/default/useradd</filename>, or
- 1000 by default.
+ 100 by default.
</para>
</listitem>
</varlistentry>
diff --git a/src/useradd.c b/src/useradd.c
index 347334a..ac43edd 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -91,14 +91,14 @@ static const char Prog[] = "useradd";
/*
* These defaults are used if there is no defaults file.
*/
@@ -30,16 +52,3 @@ Index: shadow/src/useradd.c
static const char *def_log_init = "yes";
static long def_inactive = -1;
Index: shadow/man/useradd.8.xml
===================================================================
--- shadow.orig/man/useradd.8.xml
+++ shadow/man/useradd.8.xml
@@ -248,7 +248,7 @@
command line), useradd will set the primary group of the new
user to the value specified by the <option>GROUP</option>
variable in <filename>/etc/default/useradd</filename>, or
- 1000 by default.
+ 100 by default.
</para>
</listitem>
</varlistentry>

57
debian/patches/463_login_delay_obeys_to_PAM.patch → debian/patches/Let-pam_unix-handle-login-failure-delays.patch vendored
View File

@@ -1,5 +1,6 @@
Goal: Do not hardcode pam_fail_delay and let pam_unix do its
job to set a delay...or not
From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Date: Sat, 22 Jun 2024 17:39:41 +0200
Subject: Let pam_unix handle login failure delays
Fixes: #87648
@@ -7,11 +8,29 @@ Status wrt upstream: Forwarded but not applied yet
Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
Index: shadow/src/login.c
===================================================================
--- shadow.orig/src/login.c
+++ shadow/src/login.c
@@ -489,7 +489,6 @@ int main (int argc, char **argv)
Gbp-Topic: debian
---
lib/getdef.c | 1 -
src/login.c | 19 +++++--------------
2 files changed, 5 insertions(+), 15 deletions(-)
diff --git a/lib/getdef.c b/lib/getdef.c
index 30f54ba..21307bb 100644
--- a/lib/getdef.c
+++ b/lib/getdef.c
@@ -84,7 +84,6 @@ static struct itemdef def_table[] = {
{"ENV_PATH", NULL},
{"ENV_SUPATH", NULL},
{"ERASECHAR", NULL},
- {"FAIL_DELAY", NULL},
{"FAKE_SHELL", NULL},
{"GID_MAX", NULL},
{"GID_MIN", NULL},
diff --git a/src/login.c b/src/login.c
index 9fed7b3..a5512d1 100644
--- a/src/login.c
+++ b/src/login.c
@@ -490,7 +490,6 @@ int main (int argc, char **argv)
const char *tmptty;
const char *cp;
const char *tmp;
@@ -19,7 +38,7 @@ Index: shadow/src/login.c
unsigned int retries;
unsigned int timeout;
struct passwd *pwd = NULL;
@@ -499,6 +498,7 @@ int main (int argc, char **argv)
@@ -500,6 +499,7 @@ int main (int argc, char **argv)
char *pam_user = NULL;
pid_t child;
#else
@@ -27,7 +46,7 @@ Index: shadow/src/login.c
bool is_console;
struct spwd *spwd = NULL;
# if defined(ENABLE_LASTLOG)
@@ -667,7 +667,6 @@ int main (int argc, char **argv)
@@ -669,7 +669,6 @@ int main (int argc, char **argv)
}
environ = newenvp; /* make new environment active */
@@ -35,7 +54,7 @@ Index: shadow/src/login.c
retries = getdef_unum ("LOGIN_RETRIES", RETRIES);
#ifdef USE_PAM
@@ -683,8 +682,7 @@ int main (int argc, char **argv)
@@ -685,8 +684,7 @@ int main (int argc, char **argv)
/*
* hostname & tty are either set to NULL or their correct values,
@@ -45,7 +64,7 @@ Index: shadow/src/login.c
*
* PAM_RHOST and PAM_TTY are used for authentication, only use
* information coming from login or from the caller (e.g. no utmp)
@@ -693,10 +691,6 @@ int main (int argc, char **argv)
@@ -695,10 +693,6 @@ int main (int argc, char **argv)
PAM_FAIL_CHECK;
retcode = pam_set_item (pamh, PAM_TTY, tty);
PAM_FAIL_CHECK;
@@ -56,7 +75,7 @@ Index: shadow/src/login.c
/* if fflg, then the user has already been authenticated */
if (!fflg) {
char hostn[256];
@@ -734,12 +728,6 @@ int main (int argc, char **argv)
@@ -736,12 +730,6 @@ int main (int argc, char **argv)
bool failed = false;
failcount++;
@@ -69,7 +88,7 @@ Index: shadow/src/login.c
retcode = pam_authenticate (pamh, 0);
@@ -1029,14 +1017,17 @@ int main (int argc, char **argv)
@@ -1032,14 +1020,17 @@ int main (int argc, char **argv)
free (username);
username = NULL;
@@ -87,15 +106,3 @@ Index: shadow/src/login.c
(void) puts (_("Login incorrect"));
Index: shadow/lib/getdef.c
===================================================================
--- shadow.orig/lib/getdef.c
+++ shadow/lib/getdef.c
@@ -83,7 +83,6 @@ static struct itemdef def_table[] = {
{"ENV_PATH", NULL},
{"ENV_SUPATH", NULL},
{"ERASECHAR", NULL},
- {"FAIL_DELAY", NULL},
{"FAKE_SHELL", NULL},
{"GID_MAX", NULL},
{"GID_MIN", NULL},

22
debian/patches/README.patches vendored
View File

@@ -1,22 +0,0 @@
Small intro to the system for numbering the patches here...
-The 00xx-... patches are forwarded to upstream's git repository
-The 0xx_... series of patches are patches isolated from the latest
version of the shadow Debian package not using quilt in order to
separate upstream from Debian-specific stuff.
NO MORE PATCHES SHOULD BE ADDED IN THESE SERIES
-The 4xx series are patches which have been applied to Debian's shadow
and have NOT been accepted and/or applied upstream. These patches MUST be kept
even after resynced with upstream
-The 5xx series are patches which are applied to Debian's shadow
and will never be proposed upstream because they're too specific
This list SHOULD BE AS SHORT AS POSSIBLE
In short, while we are working towards synchronisation with upstream,
our goal is to make 0xx patches disappear by moving them either to 3xx
series (things already implemented upstream) or to 4xx series
(Debian-specific patches).

30
debian/patches/505_useradd_recommend_adduser.patch → debian/patches/Recommend-using-adduser-and-deluser.patch vendored
View File

@@ -1,36 +1,48 @@
Goal: Recommend using adduser and deluser.
From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Date: Sat, 22 Jun 2024 17:39:41 +0200
Subject: Recommend using adduser and deluser
Fixes: #406046
Status wrt upstream: Debian specific patch.
Gbp-Topic: debian
---
man/useradd.8.xml | 6 ++++++
man/userdel.8.xml | 6 ++++++
2 files changed, 12 insertions(+)
diff --git a/man/useradd.8.xml b/man/useradd.8.xml
index 4888100..17987a6 100644
--- a/man/useradd.8.xml
+++ b/man/useradd.8.xml
@@ -83,6 +83,12 @@
@@ -82,6 +82,12 @@
<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
+ <para>
+ <command>useradd</command> is a low level utility for adding
+ users. On Debian, administrators should usually use
+ <citerefentry><refentrytitle>adduser</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> instead.
+ </para>
+ <para>
<para>
When invoked without the <option>-D</option> option, the
<command>useradd</command> command creates a new user account using
the values specified on the command line plus the default values from
diff --git a/man/userdel.8.xml b/man/userdel.8.xml
index 5bd2981..384cc86 100644
--- a/man/userdel.8.xml
+++ b/man/userdel.8.xml
@@ -59,6 +59,12 @@
@@ -58,6 +58,12 @@
<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
+ <para>
+ <command>userdel</command> is a low level utility for removing
+ users. On Debian, administrators should usually use
+ <citerefentry><refentrytitle>deluser</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> instead.
+ </para>
+ <para>
<para>
The <command>userdel</command> command modifies the system account
files, deleting all entries that refer to the user name <emphasis
remap='I'>LOGIN</emphasis>. The named user must exist.

93
debian/patches/506_relaxed_usernames.patch → debian/patches/Relax-usernames-groupnames-checking.patch vendored
View File

@@ -1,25 +1,33 @@
Goal: Relaxed usernames/groupnames checking patch.
From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Date: Sat, 22 Jun 2024 17:39:41 +0200
Subject: Relax usernames/groupnames checking
Allows any non-empty user/grounames that don't contain ':', ',' or '\n'
characters and don't start with '-', '+', or '~'. This patch is more
restrictive than original Karl's version. closes: #264879
Also closes: #377844
Comments from Karl Ramm (shadow 1:4.0.3-9, 20 Aug 2003 02:06:50 -0400):
I can't come up with a good justification as to why characters other
than ':'s and '\0's should be disallowed in group and usernames (other
than '-' as the leading character). Thus, the maintenance tools don't
anymore. closes: #79682, #166798, #171179
Status wrt upstream: Debian specific. Not to be used upstream
Details:
Allows any non-empty user/grounames that don't contain ':', ',' or '\n'
characters and don't start with '-', '+', or '~'. This patch is more
restrictive than original Karl's version. closes: #264879
Also closes: #377844
Comments from Karl Ramm (shadow 1:4.0.3-9, 20 Aug 2003 02:06:50 -0400):
I can't come up with a good justification as to why characters other
than ':'s and '\0's should be disallowed in group and usernames (other
than '-' as the leading character). Thus, the maintenance tools don't
anymore. closes: #79682, #166798, #171179
Gbp-Topic: debian
---
lib/chkname.c | 47 +++++++++++++++--------------------------------
man/groupadd.8.xml | 6 ++++++
man/useradd.8.xml | 7 ++++++-
3 files changed, 27 insertions(+), 33 deletions(-)
Index: shadow/lib/chkname.c
===================================================================
--- shadow.orig/lib/chkname.c
+++ shadow/lib/chkname.c
@@ -32,44 +32,27 @@ static bool is_valid_name (const char *n
diff --git a/lib/chkname.c b/lib/chkname.c
index 995562f..d9678c6 100644
--- a/lib/chkname.c
+++ b/lib/chkname.c
@@ -54,44 +54,27 @@ static bool is_valid_name (const char *name)
}
/*
@@ -79,39 +87,38 @@ Index: shadow/lib/chkname.c
}
Index: shadow/man/useradd.8.xml
===================================================================
--- shadow.orig/man/useradd.8.xml
+++ shadow/man/useradd.8.xml
@@ -733,6 +733,14 @@
diff --git a/man/groupadd.8.xml b/man/groupadd.8.xml
index 61a548f..d472bd0 100644
--- a/man/groupadd.8.xml
+++ b/man/groupadd.8.xml
@@ -71,6 +71,12 @@
Fully numeric groupnames and groupnames . or .. are
also disallowed.
</para>
+ <para>
+ On Debian, the only constraints are that groupnames must neither start
+ with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a
+ colon (':'), a comma (','), or a whitespace (space:' ',
+ end of line: '\n', tabulation: '\t', etc.).
+ </para>
<para>
Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
</para>
diff --git a/man/useradd.8.xml b/man/useradd.8.xml
index 17987a6..4fc95d1 100644
--- a/man/useradd.8.xml
+++ b/man/useradd.8.xml
@@ -733,7 +733,12 @@
the <command>ls</command> output.
</para>
<para>
- Usernames may only be up to 256 characters long.
+ On Debian, the only constraints are that usernames must neither start
+ with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a
+ colon (':'), a comma (','), or a whitespace (space: ' ',
+ end of line: '\n', tabulation: '\t', etc.). Note that using a slash
+ ('/') may break the default algorithm for the definition of the
+ user's home directory.
+ </para>
+ <para>
Usernames may only be up to 32 characters long.
</para>
</refsect1>
Index: shadow/man/groupadd.8.xml
===================================================================
--- shadow.orig/man/groupadd.8.xml
+++ shadow/man/groupadd.8.xml
@@ -72,6 +72,12 @@
also disallowed.
</para>
<para>
+ On Debian, the only constraints are that groupnames must neither start
+ with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a
+ colon (':'), a comma (','), or a whitespace (space:' ',
+ end of line: '\n', tabulation: '\t', etc.).
+ </para>
+ <para>
Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
</para>
</refsect1>

39
debian/patches/501_commonio_group_shadow.patch → debian/patches/Set-group-and-mode-for-g-shadow-files.patch vendored
View File

@@ -1,11 +1,22 @@
Goal: save the [g]shadow files with the 'shadow' group and mode 0440
From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Date: Sat, 22 Jun 2024 17:39:41 +0200
Subject: Set group and mode for [g]shadow files
Set group 'shadow' and mode 0400.
Fixes: #166793
Index: shadow/lib/commonio.c
===================================================================
--- shadow.orig/lib/commonio.c
+++ shadow/lib/commonio.c
Gbp-Topic: debian
---
lib/commonio.c | 12 ++++++++++++
lib/sgroupio.c | 2 +-
lib/shadowio.c | 2 +-
3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/lib/commonio.c b/lib/commonio.c
index 01a26c9..72e53b0 100644
--- a/lib/commonio.c
+++ b/lib/commonio.c
@@ -21,6 +21,7 @@
#include <errno.h>
#include <stdio.h>
@@ -14,7 +25,7 @@ Index: shadow/lib/commonio.c
#include "alloc.h"
#include "memzero.h"
@@ -956,12 +957,23 @@ int commonio_close (struct commonio_db *
@@ -956,12 +957,23 @@ int commonio_close (struct commonio_db *db)
if (errors != 0)
goto fail;
} else {
@@ -38,10 +49,10 @@ Index: shadow/lib/commonio.c
}
if (SNPRINTF(buf, "%s+", db->filename) == -1)
Index: shadow/lib/sgroupio.c
===================================================================
--- shadow.orig/lib/sgroupio.c
+++ shadow/lib/sgroupio.c
diff --git a/lib/sgroupio.c b/lib/sgroupio.c
index 0297df4..107b1e5 100644
--- a/lib/sgroupio.c
+++ b/lib/sgroupio.c
@@ -209,7 +209,7 @@ static struct commonio_db gshadow_db = {
#ifdef WITH_SELINUX
NULL, /* scontext */
@@ -51,10 +62,10 @@ Index: shadow/lib/sgroupio.c
0, /* st_uid */
0, /* st_gid */
NULL, /* head */
Index: shadow/lib/shadowio.c
===================================================================
--- shadow.orig/lib/shadowio.c
+++ shadow/lib/shadowio.c
diff --git a/lib/shadowio.c b/lib/shadowio.c
index d2c3b47..53dac0b 100644
--- a/lib/shadowio.c
+++ b/lib/shadowio.c
@@ -85,7 +85,7 @@ static struct commonio_db shadow_db = {
#ifdef WITH_SELINUX
NULL, /* scontext */

27
debian/patches/402_cppw_selinux.patch → debian/patches/ccpw-add-selinux-support.patch vendored
View File

@@ -1,18 +1,19 @@
Goal: Add selinux support to cppw
Fix:
From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Date: Sat, 22 Jun 2024 17:39:41 +0200
Subject: ccpw: add selinux support
Status wrt upstream: cppw is not available upstream.
The patch was made based on the
302_vim_selinux_support patch. It needs to be
reviewed by an SE-Linux aware person.
Needs to be reviewed by an SE-Linux aware person.
Depends on 401_cppw_src.dpatch
Gbp-Topic: debian
---
src/cppw.c | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
Index: git/src/cppw.c
===================================================================
--- git.orig/src/cppw.c
+++ git/src/cppw.c
diff --git a/src/cppw.c b/src/cppw.c
index beb4c36..2cbbbc0 100644
--- a/src/cppw.c
+++ b/src/cppw.c
@@ -34,6 +34,9 @@
#include <sys/types.h>
#include <signal.h>
@@ -23,7 +24,7 @@ Index: git/src/cppw.c
#include "exitcodes.h"
#include "prototypes.h"
#include "pwio.h"
@@ -139,6 +142,22 @@
@@ -139,6 +142,22 @@ static void cppwcopy (const char *file,
if (access (file, F_OK) != 0) {
cppwexit (file, 1, 1);
}
@@ -46,7 +47,7 @@ Index: git/src/cppw.c
if (file_lock () == 0) {
cppwexit (_("Couldn't lock file"), 0, 5);
}
@@ -167,6 +186,15 @@
@@ -167,6 +186,15 @@ static void cppwcopy (const char *file,
cppwexit (NULL,0,1);
}

83
debian/patches/401_cppw_src.patch → debian/patches/cppw-Add-tool.patch vendored
View File

@@ -1,9 +1,52 @@
# 401_cppw_src.patch by Nicolas FRANCOIS <nicolas.francois@centraliens.net>
From: Nicolas FRANCOIS <nicolas.francois@centraliens.net>
Date: Sat, 22 Jun 2024 17:39:41 +0200
Subject: cppw: Add tool
Index: shadow/src/cppw.c
===================================================================
Gbp-Topic: debian
---
po/POTFILES.in | 1 +
src/Makefile.am | 2 +
src/cppw.c | 238 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 241 insertions(+)
create mode 100644 src/cppw.c
diff --git a/po/POTFILES.in b/po/POTFILES.in
index 9ff6100..a60c93e 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -86,6 +86,7 @@ src/chfn.c
src/chgpasswd.c
src/chpasswd.c
src/chsh.c
+src/cppw.c
src/expiry.c
src/faillog.c
src/gpasswd.c
diff --git a/src/Makefile.am b/src/Makefile.am
index b6cb09e..c86ba52 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -39,6 +39,7 @@ if WITH_SU
bin_PROGRAMS += su
endif
usbin_PROGRAMS = \
+ cppw \
chgpasswd \
chpasswd \
groupadd \
@@ -104,6 +105,7 @@ newuidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -l
newgidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl
chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)
chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF)
+cppw_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX)
chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)
chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF) -ldl
expiry_LDADD = $(LDADD) $(LIBECONF)
diff --git a/src/cppw.c b/src/cppw.c
new file mode 100644
index 0000000..beb4c36
--- /dev/null
+++ shadow/src/cppw.c
+++ b/src/cppw.c
@@ -0,0 +1,238 @@
+/*
+ cppw, cpgr copy with locking given file over the password or group file
@@ -243,35 +286,3 @@ Index: shadow/src/cppw.c
+ return 0;
+}
+
Index: shadow/src/Makefile.am
===================================================================
--- shadow.orig/src/Makefile.am
+++ shadow/src/Makefile.am
@@ -39,6 +39,7 @@ if WITH_SU
bin_PROGRAMS += su
endif
usbin_PROGRAMS = \
+ cppw \
chgpasswd \
chpasswd \
groupadd \
@@ -104,6 +105,7 @@ newuidmap_LDADD = $(LDADD) $(LIBAUDIT
newgidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl
chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)
chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF)
+cppw_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX)
chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)
chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF) -ldl
expiry_LDADD = $(LDADD) $(LIBECONF)
Index: shadow/po/POTFILES.in
===================================================================
--- shadow.orig/po/POTFILES.in
+++ shadow/po/POTFILES.in
@@ -87,6 +87,7 @@ src/chfn.c
src/chgpasswd.c
src/chpasswd.c
src/chsh.c
+src/cppw.c
src/expiry.c
src/faillog.c
src/gpasswd.c

23
debian/patches/series vendored
View File

@@ -1,14 +1,9 @@
# These patches are only for the testsuite:
#900_testsuite_groupmems
#901_testsuite_gcov
401_cppw_src.patch
# 402 should be merged in 401, but should be reviewed by SE Linux experts first
402_cppw_selinux.patch
463_login_delay_obeys_to_PAM.patch
501_commonio_group_shadow.patch
502_debian_useradd_defaults.patch
503_shadowconfig.8.patch
505_useradd_recommend_adduser.patch
506_relaxed_usernames.patch
542_useradd-O_option.patch
cppw-Add-tool.patch
ccpw-add-selinux-support.patch
Let-pam_unix-handle-login-failure-delays.patch
Set-group-and-mode-for-g-shadow-files.patch
Keep-using-Debian-adduser-defaults.patch
Document-the-shadowconfig-utility.patch
Recommend-using-adduser-and-deluser.patch
Relax-usernames-groupnames-checking.patch
useradd-accept-the-O-flag-for-backward-compatibility.patch

32
debian/patches/542_useradd-O_option.patch → debian/patches/useradd-accept-the-O-flag-for-backward-compatibility.patch vendored
View File

@@ -1,14 +1,22 @@
Goal: accepts the -O flag for backward compatibility. (was used by adduser?)
From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Date: Sat, 22 Jun 2024 17:39:41 +0200
Subject: useradd: accept the -O flag for backward compatibility
Note: useradd.8 needs to be regenerated.
Status wrt upstream: not included as this is just specific
Status wrt upstream: not included as this is just specific
backward compatibility for Debian
Index: shadow/man/useradd.8.xml
===================================================================
--- shadow.orig/man/useradd.8.xml
+++ shadow/man/useradd.8.xml
Gbp-Topic: debian
---
man/useradd.8.xml | 5 +++++
src/useradd.c | 3 ++-
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/man/useradd.8.xml b/man/useradd.8.xml
index 4fc95d1..c513e56 100644
--- a/man/useradd.8.xml
+++ b/man/useradd.8.xml
@@ -333,6 +333,11 @@
=<replaceable>100</replaceable>&nbsp;<option>-K</option>&nbsp;
<replaceable>UID_MAX</replaceable>=<replaceable>499</replaceable>
@@ -21,11 +29,11 @@ Index: shadow/man/useradd.8.xml
<!--para>
Note: <option>-K</option>&nbsp;<replaceable>UID_MIN</replaceable>=<replaceable>10</replaceable>,<replaceable>UID_MAX</replaceable>=<replaceable>499</replaceable>
doesn't work yet.
Index: shadow/src/useradd.c
===================================================================
--- shadow.orig/src/useradd.c
+++ shadow/src/useradd.c
@@ -1218,7 +1218,7 @@ static void process_flags (int argc, cha
diff --git a/src/useradd.c b/src/useradd.c
index ac43edd..1cf3349 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -1215,7 +1215,7 @@ static void process_flags (int argc, char **argv)
{NULL, 0, NULL, '\0'}
};
while ((c = getopt_long (argc, argv,
@@ -34,7 +42,7 @@ Index: shadow/src/useradd.c
#ifdef WITH_SELINUX
"Z:"
#endif /* WITH_SELINUX */
@@ -1358,6 +1358,7 @@ static void process_flags (int argc, cha
@@ -1355,6 +1355,7 @@ static void process_flags (int argc, char **argv)
kflg = true;
break;
case 'K':