From 527b684a183935fc02dbbd06b380338b3d85452e Mon Sep 17 00:00:00 2001 
From: Chris Hofstaedtler Date: Sat, 22 Jun 2024 17:47:05 +0200 Subject: [PATCH] Rebase patches --- debian/copyright | 2 +- debian/patches/900_testsuite_groupmems.patch | 81 ------- debian/patches/901_testsuite_gcov.patch | 76 ------ ...> Document-the-shadowconfig-utility.patch} | 223 ++++++++++-------- ... Keep-using-Debian-adduser-defaults.patch} | 57 +++-- ...am_unix-handle-login-failure-delays.patch} | 57 +++-- debian/patches/README.patches | 22 -- ...Recommend-using-adduser-and-deluser.patch} | 30 ++- ...Relax-usernames-groupnames-checking.patch} | 93 ++++---- ...t-group-and-mode-for-g-shadow-files.patch} | 39 +-- ...x.patch => ccpw-add-selinux-support.patch} | 27 ++- ...401_cppw_src.patch => cppw-Add-tool.patch} | 83 ++++--- debian/patches/series | 23 +- ...e-O-flag-for-backward-compatibility.patch} | 32 ++- 14 files changed, 374 insertions(+), 471 deletions(-) delete mode 100644 debian/patches/900_testsuite_groupmems.patch delete mode 100644 debian/patches/901_testsuite_gcov.patch rename debian/patches/{503_shadowconfig.8.patch => Document-the-shadowconfig-utility.patch} (82%) rename debian/patches/{502_debian_useradd_defaults.patch => Keep-using-Debian-adduser-defaults.patch} (56%) rename debian/patches/{463_login_delay_obeys_to_PAM.patch => Let-pam_unix-handle-login-failure-delays.patch} (68%) delete mode 100644 debian/patches/README.patches rename debian/patches/{505_useradd_recommend_adduser.patch => Recommend-using-adduser-and-deluser.patch} (69%) rename debian/patches/{506_relaxed_usernames.patch => Relax-usernames-groupnames-checking.patch} (63%) rename debian/patches/{501_commonio_group_shadow.patch => Set-group-and-mode-for-g-shadow-files.patch} (61%) rename debian/patches/{402_cppw_selinux.patch => ccpw-add-selinux-support.patch} (70%) rename debian/patches/{401_cppw_src.patch => cppw-Add-tool.patch} (89%) rename debian/patches/{542_useradd-O_option.patch => useradd-accept-the-O-flag-for-backward-compatibility.patch} (60%) 
diff --git a/debian/copyright b/debian/copyright index 56922ad8..13c9b73e 100644 --- a/debian/copyright +++ b/debian/copyright @@ -143,7 +143,7 @@ Copyright: 1991-1993, Chip Rosenthal 2007-2009, Nicolas François License: BSD-3-clause -Files: debian/patches/401_cppw_src.patch +Files: debian/patches/cppw-Add-tool.patch Copyright: 1997, Guy Maor 1999, Stephen Frost License: GPL-2+ diff --git a/debian/patches/900_testsuite_groupmems.patch b/debian/patches/900_testsuite_groupmems.patch deleted file mode 100644 index 6bdc4978..00000000 --- a/debian/patches/900_testsuite_groupmems.patch +++ /dev/null 
@@ -1,81 +0,0 @@ ---- a/debian/passwd.install -+++ b/debian/passwd.install -@@ -9,6 +9,7 @@ - usr/sbin/cppw - usr/sbin/groupadd - usr/sbin/groupdel -+usr/sbin/groupmems - usr/sbin/groupmod - usr/sbin/grpck - usr/sbin/grpconv -@@ -33,6 +34,7 @@ - usr/share/man/*/man8/chpasswd.8 - usr/share/man/*/man8/groupadd.8 - usr/share/man/*/man8/groupdel.8 -+usr/share/man/*/man8/groupmems.8 - usr/share/man/*/man8/groupmod.8 - usr/share/man/*/man8/grpck.8 - usr/share/man/*/man8/grpconv.8 -@@ -59,6 +61,7 @@ - usr/share/man/man8/chpasswd.8 - usr/share/man/man8/groupadd.8 - usr/share/man/man8/groupdel.8 -+usr/share/man/man8/groupmems.8 - usr/share/man/man8/groupmod.8 - usr/share/man/man8/grpck.8 - usr/share/man/man8/grpconv.8 ---- a/debian/passwd.postinst -+++ b/debian/passwd.postinst -@@ -31,6 +31,24 @@ - exit 1 - ) - fi -+ if ! getent group groupmems | grep -q '^groupmems:[^:]*:99' -+ then -+ groupadd -g 99 groupmems || ( -+ cat < +Date: Sat, 22 Jun 2024 17:39:41 +0200 +Subject: Document the shadowconfig utility Status wrt upstream: The shadowconfig utility is debian specific. - Its man page also (but it used to be distributed) +Its man page also (but it used to be distributed) -Index: git/man/shadowconfig.8 -=================================================================== +Gbp-Topic: debian +--- + man/fr/shadowconfig.8 | 26 +++++++++++++++++++++++++ + man/ja/shadowconfig.8 | 25 ++++++++++++++++++++++++ + man/pl/shadowconfig.8 | 27 ++++++++++++++++++++++++++ + man/shadowconfig.8 | 41 +++++++++++++++++++++++++++++++++++++++ + man/shadowconfig.8.xml | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++ + 5 files changed, 171 insertions(+) + create mode 100644 man/fr/shadowconfig.8 + create mode 100644 man/ja/shadowconfig.8 + create mode 100644 man/pl/shadowconfig.8 + create mode 100644 man/shadowconfig.8 + create mode 100644 man/shadowconfig.8.xml + +diff --git a/man/fr/shadowconfig.8 b/man/fr/shadowconfig.8 +new file mode 100644 +index 0000000..784da70 
--- /dev/null -+++ git/man/shadowconfig.8 ++++ b/man/fr/shadowconfig.8 +@@ -0,0 +1,26 @@ ++.\" This file was generated with po4a. Translate the source file. ++.\" ++.\"$Id: shadowconfig.8,v 1.4 2001/08/23 23:10:48 kloczek Exp $ ++.TH SHADOWCONFIG 8 "19 avril 1997" "Debian GNU/Linux" ++.SH NOM ++shadowconfig \- active ou désactive les mots de passe cachés ++.SH SYNOPSIS ++\fBshadowconfig\fP \fIon\fP | \fIoff\fP ++.SH DESCRIPTION ++.PP ++\fBshadowconfig on\fP active les mots de passe cachés («\ shadow passwords\ »)\ ; \fBshadowconfig off\fP les désactive. \fBShadowconfig\fP affiche un message ++d'erreur et quitte avec une valeur de retour non nulle s'il rencontre ++quelque chose d'inattendu. Dans ce cas, vous devrez corriger l'erreur avant ++de recommencer. ++ ++Activer les mots de passe cachés lorsqu'ils sont déjà activés, ou les ++désactiver lorsqu'ils ne sont pas actifs est sans effet. ++ ++Lisez \fI/usr/share/doc/passwd/README.Debian\fP pour une brève introduction aux ++mots de passe cachés et à leurs fonctionnalités. ++ ++Notez que désactiver puis réactiver les mots de passe cachés aura pour ++conséquence la perte des informations d'âge sur les mots de passe. ++.SH TRADUCTION ++Nicolas FRANÇOIS, 2004. ++Veuillez signaler toute erreur à <\fIdebian\-l10\-french@lists.debian.org\fR>. 
+diff --git a/man/ja/shadowconfig.8 b/man/ja/shadowconfig.8 +new file mode 100644 +index 0000000..a75c6f7 +--- /dev/null ++++ b/man/ja/shadowconfig.8 +@@ -0,0 +1,25 @@ ++.\" all right reserved, ++.\" Translated Tue Oct 30 11:59:11 JST 2001 ++.\" by Maki KURODA ++.\" ++.TH SHADOWCONFIG 8 "19 Apr 1997" "Debian GNU/Linux" ++.SH 名前 ++shadowconfig \- shadow パスワードの設定をオン及びオフに切替える ++.SH 書式 ++.B "shadowconfig" ++.IR on " | " off ++.SH 説明 ++.PP ++.B shadowconfig on ++は shadow パスワードを有効にする。 ++.B shadowconfig off ++は shadow パスワードを無効にする。 ++.B shadowconfig ++は何らかの間違いがあると、エラーメッセージを表示し、 ++ゼロではない返り値を返す。 ++もしそのようなことが起こった場合、エラーを修正し、再度実行しなければならない。 ++shadow パスワードの設定がすでにオンの場合にオンに設定したり、 ++すでにオフの場合にオフに設定しても、何の影響もない。 ++ ++.I /usr/share/doc/passwd/README.debian.gz ++には shadow パスワードとそれに関する特徴の簡単な紹介が書かれている。 +diff --git a/man/pl/shadowconfig.8 b/man/pl/shadowconfig.8 +new file mode 100644 +index 0000000..2016c9f +--- /dev/null ++++ b/man/pl/shadowconfig.8 +@@ -0,0 +1,27 @@ ++.\" $Id: shadowconfig.8,v 1.3 2001/08/23 23:10:51 kloczek Exp $ ++.\" {PTM/WK/1999-09-14} ++.TH SHADOWCONFIG 8 "19 kwietnia 1997" "Debian GNU/Linux" ++.SH NAZWA ++shadowconfig - przełącza ochronę haseł i grup przez pliki shadow ++.SH SKŁADNIA ++.B "shadowconfig" ++.IR on " | " off ++.SH OPIS ++.PP ++.B shadowconfig on ++włącza ochronę haseł i grup przez dodatkowe, przesłaniane pliki (shadow); ++.B shadowconfig off ++wyłącza dodatkowe pliki haseł i grup. ++.B shadowconfig ++wyświetla komunikat o błędzie i kończy pracę z niezerowym kodem jeśli ++znajdzie coś nieprawidłowego. W takim wypadku powinieneś poprawić błąd ++.\" if it finds anything awry. ++i uruchomić program ponownie. ++ ++Włączenie ochrony haseł, gdy jest ona już włączona lub jej wyłączenie, ++gdy jest wyłączona jest nieszkodliwe. ++ ++Przeczytaj ++.IR /usr/share/doc/passwd/README.debian.gz , ++gdzie znajdziesz krótkie wprowadzenie do ochrony haseł z użyciem dodatkowych ++plików haseł przesłanianych (shadow passwords) i związanych tematów. 
+diff --git a/man/shadowconfig.8 b/man/shadowconfig.8 +new file mode 100644 +index 0000000..c0ee0af +--- /dev/null ++++ b/man/shadowconfig.8 @@ -0,0 +1,41 @@ +.\"Generated by db2man.xsl. Don't modify this, modify the source. +.de Sh \" Subsection @@ -49,10 +162,11 @@ Index: git/man/shadowconfig.8 +.PP +Note that turning shadow passwords off and on again will lose all password aging information\&. + -Index: git/man/shadowconfig.8.xml -=================================================================== +diff --git a/man/shadowconfig.8.xml b/man/shadowconfig.8.xml +new file mode 100644 +index 0000000..b4080ea --- /dev/null -+++ git/man/shadowconfig.8.xml ++++ b/man/shadowconfig.8.xml 
@@ -0,0 +1,52 @@ + + + + -Index: git/man/fr/shadowconfig.8 -=================================================================== ---- /dev/null -+++ git/man/fr/shadowconfig.8 -@@ -0,0 +1,26 @@ -+.\" This file was generated with po4a. Translate the source file. -+.\" -+.\"$Id: shadowconfig.8,v 1.4 2001/08/23 23:10:48 kloczek Exp $ -+.TH SHADOWCONFIG 8 "19 avril 1997" "Debian GNU/Linux" -+.SH NOM -+shadowconfig \- active ou désactive les mots de passe cachés -+.SH SYNOPSIS -+\fBshadowconfig\fP \fIon\fP | \fIoff\fP -+.SH DESCRIPTION -+.PP -+\fBshadowconfig on\fP active les mots de passe cachés («\ shadow passwords\ »)\ ; \fBshadowconfig off\fP les désactive. \fBShadowconfig\fP affiche un message -+d'erreur et quitte avec une valeur de retour non nulle s'il rencontre -+quelque chose d'inattendu. Dans ce cas, vous devrez corriger l'erreur avant -+de recommencer. -+ -+Activer les mots de passe cachés lorsqu'ils sont déjà activés, ou les -+désactiver lorsqu'ils ne sont pas actifs est sans effet. -+ -+Lisez \fI/usr/share/doc/passwd/README.Debian\fP pour une brève introduction aux -+mots de passe cachés et à leurs fonctionnalités. -+ -+Notez que désactiver puis réactiver les mots de passe cachés aura pour -+conséquence la perte des informations d'âge sur les mots de passe. -+.SH TRADUCTION -+Nicolas FRANÇOIS, 2004. -+Veuillez signaler toute erreur à <\fIdebian\-l10\-french@lists.debian.org\fR>. 
-Index: git/man/ja/shadowconfig.8 -=================================================================== ---- /dev/null -+++ git/man/ja/shadowconfig.8 -@@ -0,0 +1,25 @@ -+.\" all right reserved, -+.\" Translated Tue Oct 30 11:59:11 JST 2001 -+.\" by Maki KURODA -+.\" -+.TH SHADOWCONFIG 8 "19 Apr 1997" "Debian GNU/Linux" -+.SH 名前 -+shadowconfig \- shadow パスワードの設定をオン及びオフに切替える -+.SH 書式 -+.B "shadowconfig" -+.IR on " | " off -+.SH 説明 -+.PP -+.B shadowconfig on -+は shadow パスワードを有効にする。 -+.B shadowconfig off -+は shadow パスワードを無効にする。 -+.B shadowconfig -+は何らかの間違いがあると、エラーメッセージを表示し、 -+ゼロではない返り値を返す。 -+もしそのようなことが起こった場合、エラーを修正し、再度実行しなければならない。 -+shadow パスワードの設定がすでにオンの場合にオンに設定したり、 -+すでにオフの場合にオフに設定しても、何の影響もない。 -+ -+.I /usr/share/doc/passwd/README.debian.gz -+には shadow パスワードとそれに関する特徴の簡単な紹介が書かれている。 -Index: git/man/pl/shadowconfig.8 -=================================================================== ---- /dev/null -+++ git/man/pl/shadowconfig.8 -@@ -0,0 +1,27 @@ -+.\" $Id: shadowconfig.8,v 1.3 2001/08/23 23:10:51 kloczek Exp $ -+.\" {PTM/WK/1999-09-14} -+.TH SHADOWCONFIG 8 "19 kwietnia 1997" "Debian GNU/Linux" -+.SH NAZWA -+shadowconfig - przełącza ochronę haseł i grup przez pliki shadow -+.SH SKŁADNIA -+.B "shadowconfig" -+.IR on " | " off -+.SH OPIS -+.PP -+.B shadowconfig on -+włącza ochronę haseł i grup przez dodatkowe, przesłaniane pliki (shadow); -+.B shadowconfig off -+wyłącza dodatkowe pliki haseł i grup. -+.B shadowconfig -+wyświetla komunikat o błędzie i kończy pracę z niezerowym kodem jeśli -+znajdzie coś nieprawidłowego. W takim wypadku powinieneś poprawić błąd -+.\" if it finds anything awry. -+i uruchomić program ponownie. -+ -+Włączenie ochrony haseł, gdy jest ona już włączona lub jej wyłączenie, -+gdy jest wyłączona jest nieszkodliwe. -+ -+Przeczytaj -+.IR /usr/share/doc/passwd/README.debian.gz , -+gdzie znajdziesz krótkie wprowadzenie do ochrony haseł z użyciem dodatkowych -+plików haseł przesłanianych (shadow passwords) i związanych tematów. 
diff --git a/debian/patches/502_debian_useradd_defaults.patch b/debian/patches/Keep-using-Debian-adduser-defaults.patch
similarity index 56%
rename from debian/patches/502_debian_useradd_defaults.patch
rename to debian/patches/Keep-using-Debian-adduser-defaults.patch
index ec4e9c4f..51dfb885 100644
--- a/debian/patches/502_debian_useradd_defaults.patch
+++ b/debian/patches/Keep-using-Debian-adduser-defaults.patch
@@ -1,19 +1,41 @@
From: Balint Reczey -Description: Keep using Debian's adduser defaults - Upstream's bbf4b79bc49fd1826eb41f6629669ef0b647267b commit - in 4.9 merged those values from upstream's default configuration file - which is not shipped in Debian. - This patch keeps the program's compiled in defaults in sync with the - configuration files shipped in Debian (debian/default/useradd). +Date: Sat, 22 Jun 2024 17:39:41 +0200 +Subject: Keep using Debian's adduser defaults + Bug: https://github.com/shadow-maint/shadow/issues/501 Bug-Debian: https://bugs.debian.org/1004710 Forwarded: not-needed -Index: shadow/src/useradd.c -=================================================================== ---- shadow.orig/src/useradd.c -+++ shadow/src/useradd.c -@@ -90,14 +90,14 @@ static const char Prog[] = "useradd"; +Upstream's bbf4b79bc49fd1826eb41f6629669ef0b647267b commit +in 4.9 merged those values from upstream's default configuration file +which is not shipped in Debian. +This patch keeps the program's compiled in defaults in sync with the +configuration files shipped in Debian (debian/default/useradd). + +Gbp-Topic: debian +--- + man/useradd.8.xml | 2 +- + src/useradd.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/man/useradd.8.xml b/man/useradd.8.xml +index 001e7d1..4888100 100644 +--- a/man/useradd.8.xml ++++ b/man/useradd.8.xml +@@ -248,7 +248,7 @@ + command line), useradd will set the primary group of the new + user to the value specified by the + variable in /etc/default/useradd, or +- 1000 by default. ++ 100 by default. + + + +diff --git a/src/useradd.c b/src/useradd.c +index 347334a..ac43edd 100644 +--- a/src/useradd.c ++++ b/src/useradd.c +@@ -91,14 +91,14 @@ static const char Prog[] = "useradd"; /* * These defaults are used if there is no defaults file. */ 
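Review bot: The new patch name and Subject say "adduser defaults", but the patch changes the compiled-in defaults of useradd (src/useradd.c, man/useradd.8.xml) to match debian/default/useradd. The old file name, 502_debian_useradd_defaults.patch, had this right. I would use `Subject: Keep using Debian's useradd defaults` and the matching file name `Keep-using-Debian-useradd-defaults.patch`, so that a search for the tool name finds the patch.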
@@ -30,16 +52,3 @@ Index: shadow/src/useradd.c static const char *def_log_init = "yes"; static long def_inactive = -1; -Index: shadow/man/useradd.8.xml -=================================================================== ---- shadow.orig/man/useradd.8.xml -+++ shadow/man/useradd.8.xml -@@ -248,7 +248,7 @@ - command line), useradd will set the primary group of the new - user to the value specified by the - variable in /etc/default/useradd, or -- 1000 by default. -+ 100 by default. - - - diff --git a/debian/patches/463_login_delay_obeys_to_PAM.patch b/debian/patches/Let-pam_unix-handle-login-failure-delays.patch similarity index 68% rename from debian/patches/463_login_delay_obeys_to_PAM.patch rename to debian/patches/Let-pam_unix-handle-login-failure-delays.patch index 41fd851a..66f50637 100644 --- a/debian/patches/463_login_delay_obeys_to_PAM.patch +++ b/debian/patches/Let-pam_unix-handle-login-failure-delays.patch @@ -1,5 +1,6 @@ -Goal: Do not hardcode pam_fail_delay and let pam_unix do its - job to set a delay...or not +From: Shadow package maintainers +Date: Sat, 22 Jun 2024 17:39:41 +0200 +Subject: Let pam_unix handle login failure delays Fixes: #87648 
@@ -7,11 +8,29 @@ Status wrt upstream: Forwarded but not applied yet Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs -Index: shadow/src/login.c -=================================================================== ---- shadow.orig/src/login.c -+++ shadow/src/login.c -@@ -489,7 +489,6 @@ int main (int argc, char **argv) +Gbp-Topic: debian +--- + lib/getdef.c | 1 - + src/login.c | 19 +++++-------------- + 2 files changed, 5 insertions(+), 15 deletions(-) + +diff --git a/lib/getdef.c b/lib/getdef.c +index 30f54ba..21307bb 100644 +--- a/lib/getdef.c ++++ b/lib/getdef.c +@@ -84,7 +84,6 @@ static struct itemdef def_table[] = { + {"ENV_PATH", NULL}, + {"ENV_SUPATH", NULL}, + {"ERASECHAR", NULL}, +- {"FAIL_DELAY", NULL}, + {"FAKE_SHELL", NULL}, + {"GID_MAX", NULL}, + {"GID_MIN", NULL}, +diff --git a/src/login.c b/src/login.c +index 9fed7b3..a5512d1 100644 +--- a/src/login.c ++++ b/src/login.c +@@ -490,7 +490,6 @@ int main (int argc, char **argv) const char *tmptty; const char *cp; const char *tmp; @@ -19,7 +38,7 @@ Index: shadow/src/login.c unsigned int retries; unsigned int timeout; struct passwd *pwd = NULL; -@@ -499,6 +498,7 @@ int main (int argc, char **argv) +@@ -500,6 +499,7 @@ int main (int argc, char **argv) char *pam_user = NULL; pid_t child; #else @@ -27,7 +46,7 @@ Index: shadow/src/login.c bool is_console; struct spwd *spwd = NULL; # if defined(ENABLE_LASTLOG) -@@ -667,7 +667,6 @@ int main (int argc, char **argv) +@@ -669,7 +669,6 @@ int main (int argc, char **argv) } environ = newenvp; /* make new environment active */ @@ -35,7 +54,7 @@ Index: shadow/src/login.c retries = getdef_unum ("LOGIN_RETRIES", RETRIES); #ifdef USE_PAM -@@ -683,8 +682,7 @@ int main (int argc, char **argv) +@@ -685,8 +684,7 @@ int main (int argc, char **argv) /* * hostname & tty are either set to NULL or their correct values, 
@@ -45,7 +64,7 @@ Index: shadow/src/login.c * * PAM_RHOST and PAM_TTY are used for authentication, only use * information coming from login or from the caller (e.g. no utmp) -@@ -693,10 +691,6 @@ int main (int argc, char **argv) +@@ -695,10 +693,6 @@ int main (int argc, char **argv) PAM_FAIL_CHECK; retcode = pam_set_item (pamh, PAM_TTY, tty); PAM_FAIL_CHECK; @@ -56,7 +75,7 @@ Index: shadow/src/login.c /* if fflg, then the user has already been authenticated */ if (!fflg) { char hostn[256]; -@@ -734,12 +728,6 @@ int main (int argc, char **argv) +@@ -736,12 +730,6 @@ int main (int argc, char **argv) bool failed = false; failcount++; @@ -69,7 +88,7 @@ Index: shadow/src/login.c retcode = pam_authenticate (pamh, 0); -@@ -1029,14 +1017,17 @@ int main (int argc, char **argv) +@@ -1032,14 +1020,17 @@ int main (int argc, char **argv) free (username); username = NULL; @@ -87,15 +106,3 @@ Index: shadow/src/login.c (void) puts (_("Login incorrect")); -Index: shadow/lib/getdef.c -=================================================================== ---- shadow.orig/lib/getdef.c -+++ shadow/lib/getdef.c -@@ -83,7 +83,6 @@ static struct itemdef def_table[] = { - {"ENV_PATH", NULL}, - {"ENV_SUPATH", NULL}, - {"ERASECHAR", NULL}, -- {"FAIL_DELAY", NULL}, - {"FAKE_SHELL", NULL}, - {"GID_MAX", NULL}, - {"GID_MIN", NULL}, diff --git a/debian/patches/README.patches b/debian/patches/README.patches deleted file mode 100644 index a804fe39..00000000 --- a/debian/patches/README.patches +++ /dev/null 
@@ -1,22 +0,0 @@ -Small intro to the system for numbering the patches here... - --The 00xx-... patches are forwarded to upstream's git repository - --The 0xx_... series of patches are patches isolated from the latest - version of the shadow Debian package not using quilt in order to - separate upstream from Debian-specific stuff. - - NO MORE PATCHES SHOULD BE ADDED IN THESE SERIES - --The 4xx series are patches which have been applied to Debian's shadow - and have NOT been accepted and/or applied upstream. These patches MUST be kept - even after resynced with upstream - --The 5xx series are patches which are applied to Debian's shadow - and will never be proposed upstream because they're too specific - This list SHOULD BE AS SHORT AS POSSIBLE - -In short, while we are working towards synchronisation with upstream, -our goal is to make 0xx patches disappear by moving them either to 3xx -series (things already implemented upstream) or to 4xx series -(Debian-specific patches). diff --git a/debian/patches/505_useradd_recommend_adduser.patch b/debian/patches/Recommend-using-adduser-and-deluser.patch similarity index 69% rename from debian/patches/505_useradd_recommend_adduser.patch rename to debian/patches/Recommend-using-adduser-and-deluser.patch index 9fb3fe3f..79019a4b 100644 --- a/debian/patches/505_useradd_recommend_adduser.patch +++ b/debian/patches/Recommend-using-adduser-and-deluser.patch @@ -1,36 +1,48 @@ -Goal: Recommend using adduser and deluser. +From: Shadow package maintainers +Date: Sat, 22 Jun 2024 17:39:41 +0200 +Subject: Recommend using adduser and deluser Fixes: #406046 Status wrt upstream: Debian specific patch. +Gbp-Topic: debian +--- + man/useradd.8.xml | 6 ++++++ + man/userdel.8.xml | 6 ++++++ + 2 files changed, 12 insertions(+) + +diff --git a/man/useradd.8.xml b/man/useradd.8.xml +index 4888100..17987a6 100644 --- a/man/useradd.8.xml 
+++ b/man/useradd.8.xml -@@ -83,6 +83,12 @@ +@@ -82,6 +82,12 @@ + DESCRIPTION - ++ + useradd is a low level utility for adding + users. On Debian, administrators should usually use + adduser + 8 instead. + -+ + When invoked without the option, the useradd command creates a new user account using - the values specified on the command line plus the default values from +diff --git a/man/userdel.8.xml b/man/userdel.8.xml +index 5bd2981..384cc86 100644 --- a/man/userdel.8.xml +++ b/man/userdel.8.xml -@@ -59,6 +59,12 @@ +@@ -58,6 +58,12 @@ + DESCRIPTION - ++ + userdel is a low level utility for removing + users. On Debian, administrators should usually use + deluser + 8 instead. + -+ + The userdel command modifies the system account files, deleting all entries that refer to the user name LOGIN. The named user must exist. diff --git a/debian/patches/506_relaxed_usernames.patch b/debian/patches/Relax-usernames-groupnames-checking.patch similarity index 63% rename from debian/patches/506_relaxed_usernames.patch rename to debian/patches/Relax-usernames-groupnames-checking.patch index bd9300dd..bb3c0270 100644 --- a/debian/patches/506_relaxed_usernames.patch +++ b/debian/patches/Relax-usernames-groupnames-checking.patch 
@@ -1,25 +1,33 @@ -Goal: Relaxed usernames/groupnames checking patch. +From: Shadow package maintainers +Date: Sat, 22 Jun 2024 17:39:41 +0200 +Subject: Relax usernames/groupnames checking + +Allows any non-empty user/grounames that don't contain ':', ',' or '\n' +characters and don't start with '-', '+', or '~'. This patch is more +restrictive than original Karl's version. closes: #264879 +Also closes: #377844 + +Comments from Karl Ramm (shadow 1:4.0.3-9, 20 Aug 2003 02:06:50 -0400): + +I can't come up with a good justification as to why characters other +than ':'s and '\0's should be disallowed in group and usernames (other +than '-' as the leading character). Thus, the maintenance tools don't +anymore. closes: #79682, #166798, #171179 Status wrt upstream: Debian specific. Not to be used upstream -Details: - Allows any non-empty user/grounames that don't contain ':', ',' or '\n' - characters and don't start with '-', '+', or '~'. This patch is more - restrictive than original Karl's version. closes: #264879 - Also closes: #377844 - - Comments from Karl Ramm (shadow 1:4.0.3-9, 20 Aug 2003 02:06:50 -0400): - - I can't come up with a good justification as to why characters other - than ':'s and '\0's should be disallowed in group and usernames (other - than '-' as the leading character). Thus, the maintenance tools don't - anymore. 
closes: #79682, #166798, #171179 +Gbp-Topic: debian +--- + lib/chkname.c | 47 +++++++++++++++-------------------------------- + man/groupadd.8.xml | 6 ++++++ + man/useradd.8.xml | 7 ++++++- + 3 files changed, 27 insertions(+), 33 deletions(-) -Index: shadow/lib/chkname.c -=================================================================== ---- shadow.orig/lib/chkname.c -+++ shadow/lib/chkname.c -@@ -32,44 +32,27 @@ static bool is_valid_name (const char *n +diff --git a/lib/chkname.c b/lib/chkname.c +index 995562f..d9678c6 100644 +--- a/lib/chkname.c ++++ b/lib/chkname.c +@@ -54,44 +54,27 @@ static bool is_valid_name (const char *name) } /* 
@@ -79,39 +87,38 @@ Index: shadow/lib/chkname.c } -Index: shadow/man/useradd.8.xml -=================================================================== ---- shadow.orig/man/useradd.8.xml -+++ shadow/man/useradd.8.xml -@@ -733,6 +733,14 @@ +diff --git a/man/groupadd.8.xml b/man/groupadd.8.xml +index 61a548f..d472bd0 100644 +--- a/man/groupadd.8.xml ++++ b/man/groupadd.8.xml +@@ -71,6 +71,12 @@ + Fully numeric groupnames and groupnames . or .. are + also disallowed. + ++ ++ On Debian, the only constraints are that groupnames must neither start ++ with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a ++ colon (':'), a comma (','), or a whitespace (space:' ', ++ end of line: '\n', tabulation: '\t', etc.). ++ + + Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long. + +diff --git a/man/useradd.8.xml b/man/useradd.8.xml +index 17987a6..4fc95d1 100644 +--- a/man/useradd.8.xml ++++ b/man/useradd.8.xml +@@ -733,7 +733,12 @@ the ls output. +- Usernames may only be up to 256 characters long. + On Debian, the only constraints are that usernames must neither start + with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a + colon (':'), a comma (','), or a whitespace (space: ' ', + end of line: '\n', tabulation: '\t', etc.). Note that using a slash + ('/') may break the default algorithm for the definition of the + user's home directory. -+ -+ - Usernames may only be up to 32 characters long. -Index: shadow/man/groupadd.8.xml -=================================================================== ---- shadow.orig/man/groupadd.8.xml -+++ shadow/man/groupadd.8.xml -@@ -72,6 +72,12 @@ - also disallowed. - - -+ On Debian, the only constraints are that groupnames must neither start -+ with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a -+ colon (':'), a comma (','), or a whitespace (space:' ', -+ end of line: '\n', tabulation: '\t', etc.). -+ -+ - Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long. - - + 
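Review bot: In the rebased man/useradd.8.xml hunk (`@@ -733,7 +733,12 @@`) the line `Usernames may only be up to 256 characters long.` is now removed and replaced by the Debian constraints, whereas the previous version of the patch added its paragraph next to the length sentence and left that sentence in place. Unless the length limit really no longer applies on Debian (the lib/chkname.c hunk is only partly visible here), keep the sentence as a context line so the documented limit is not silently lost. The patch header also disagrees with the man page text: it lists only ':', ',' and '\n' as forbidden and spells `grounames`, while the man page says any whitespace is rejected. The header should state what is_valid_name actually enforces, because reviewers of account-name validation will read it first.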
diff --git a/debian/patches/501_commonio_group_shadow.patch b/debian/patches/Set-group-and-mode-for-g-shadow-files.patch similarity index 61% rename from debian/patches/501_commonio_group_shadow.patch rename to debian/patches/Set-group-and-mode-for-g-shadow-files.patch index 62de046a..c5e21ac9 100644 --- a/debian/patches/501_commonio_group_shadow.patch +++ b/debian/patches/Set-group-and-mode-for-g-shadow-files.patch @@ -1,11 +1,22 @@ -Goal: save the [g]shadow files with the 'shadow' group and mode 0440 +From: Shadow package maintainers +Date: Sat, 22 Jun 2024 17:39:41 +0200 +Subject: Set group and mode for [g]shadow files + +Set group 'shadow' and mode 0400. Fixes: #166793 -Index: shadow/lib/commonio.c -=================================================================== ---- shadow.orig/lib/commonio.c -+++ shadow/lib/commonio.c +Gbp-Topic: debian +--- + lib/commonio.c | 12 ++++++++++++ + lib/sgroupio.c | 2 +- + lib/shadowio.c | 2 +- + 3 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/lib/commonio.c b/lib/commonio.c +index 01a26c9..72e53b0 100644 +--- a/lib/commonio.c ++++ b/lib/commonio.c @@ -21,6 +21,7 @@ #include #include @@ -14,7 +25,7 @@ Index: shadow/lib/commonio.c #include "alloc.h" #include "memzero.h" -@@ -956,12 +957,23 @@ int commonio_close (struct commonio_db * +@@ -956,12 +957,23 @@ int commonio_close (struct commonio_db *db) if (errors != 0) goto fail; } else { @@ -38,10 +49,10 @@ Index: shadow/lib/commonio.c } if (SNPRINTF(buf, "%s+", db->filename) == -1) -Index: shadow/lib/sgroupio.c -=================================================================== ---- shadow.orig/lib/sgroupio.c -+++ shadow/lib/sgroupio.c +diff --git a/lib/sgroupio.c b/lib/sgroupio.c +index 0297df4..107b1e5 100644 +--- a/lib/sgroupio.c ++++ b/lib/sgroupio.c @@ -209,7 +209,7 @@ static struct commonio_db gshadow_db = { #ifdef WITH_SELINUX NULL, /* scontext */ 
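Review bot: The rebased header of Set-group-and-mode-for-g-shadow-files.patch now reads `Set group 'shadow' and mode 0400.`, while the header it replaces said the files are saved with the 'shadow' group and mode 0440. With 0400 the group has no read bit, so assigning group 'shadow' would serve no purpose. The mode lines that the patch changes in lib/sgroupio.c and lib/shadowio.c fall outside the visible hunk context, so the value used by the code needs to be confirmed there. If the code is unchanged by the rebase, the description should read `Set group 'shadow' and mode 0440.`.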
@@ -51,10 +62,10 @@ Index: shadow/lib/sgroupio.c 0, /* st_uid */ 0, /* st_gid */ NULL, /* head */ -Index: shadow/lib/shadowio.c -=================================================================== ---- shadow.orig/lib/shadowio.c -+++ shadow/lib/shadowio.c +diff --git a/lib/shadowio.c b/lib/shadowio.c +index d2c3b47..53dac0b 100644 +--- a/lib/shadowio.c ++++ b/lib/shadowio.c @@ -85,7 +85,7 @@ static struct commonio_db shadow_db = { #ifdef WITH_SELINUX NULL, /* scontext */ diff --git a/debian/patches/402_cppw_selinux.patch b/debian/patches/ccpw-add-selinux-support.patch similarity index 70% rename from debian/patches/402_cppw_selinux.patch rename to debian/patches/ccpw-add-selinux-support.patch index 5f2da1ba..d64210fa 100644 --- a/debian/patches/402_cppw_selinux.patch +++ b/debian/patches/ccpw-add-selinux-support.patch @@ -1,18 +1,19 @@ -Goal: Add selinux support to cppw - -Fix: +From: Shadow package maintainers +Date: Sat, 22 Jun 2024 17:39:41 +0200 +Subject: ccpw: add selinux support Status wrt upstream: cppw is not available upstream. - The patch was made based on the - 302_vim_selinux_support patch. It needs to be - reviewed by an SE-Linux aware person. +Needs to be reviewed by an SE-Linux aware person. -Depends on 401_cppw_src.dpatch +Gbp-Topic: debian +--- + src/cppw.c | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) -Index: git/src/cppw.c -=================================================================== ---- git.orig/src/cppw.c -+++ git/src/cppw.c +diff --git a/src/cppw.c b/src/cppw.c +index beb4c36..2cbbbc0 100644 +--- a/src/cppw.c ++++ b/src/cppw.c @@ -34,6 +34,9 @@ #include #include @@ -23,7 +24,7 @@ Index: git/src/cppw.c #include "exitcodes.h" #include "prototypes.h" #include "pwio.h" -@@ -139,6 +142,22 @@ +@@ -139,6 +142,22 @@ static void cppwcopy (const char *file, if (access (file, F_OK) != 0) { cppwexit (file, 1, 1); } 
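Review bot: The new patch name and Subject spell the tool `ccpw` (`ccpw-add-selinux-support.patch`, `Subject: ccpw: add selinux support`), but the tool and the file being patched are `cppw` (src/cppw.c), and the sibling patch is `cppw-Add-tool.patch`. Renaming it to `cppw-add-selinux-support.patch` with `Subject: cppw: add selinux support`, and updating the entry in debian/patches/series, keeps the two patches findable together. The rewritten header also drops the old `Depends on 401_cppw_src.dpatch` line. Since this patch only applies on top of the cppw patch and is still marked as needing review by an SELinux-aware person, a line such as `Depends on cppw-Add-tool.patch` would keep that ordering explicit.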
@@ -46,7 +47,7 @@ Index: git/src/cppw.c if (file_lock () == 0) { cppwexit (_("Couldn't lock file"), 0, 5); } -@@ -167,6 +186,15 @@ +@@ -167,6 +186,15 @@ static void cppwcopy (const char *file, cppwexit (NULL,0,1); } diff --git a/debian/patches/401_cppw_src.patch b/debian/patches/cppw-Add-tool.patch similarity index 89% rename from debian/patches/401_cppw_src.patch rename to debian/patches/cppw-Add-tool.patch index 195281ff..a738898b 100644 --- a/debian/patches/401_cppw_src.patch +++ b/debian/patches/cppw-Add-tool.patch 
@@ -1,9 +1,52 @@ -# 401_cppw_src.patch by Nicolas FRANCOIS +From: Nicolas FRANCOIS +Date: Sat, 22 Jun 2024 17:39:41 +0200 +Subject: cppw: Add tool -Index: shadow/src/cppw.c -=================================================================== +Gbp-Topic: debian +--- + po/POTFILES.in | 1 + + src/Makefile.am | 2 + + src/cppw.c | 238 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 241 insertions(+) + create mode 100644 src/cppw.c + +diff --git a/po/POTFILES.in b/po/POTFILES.in +index 9ff6100..a60c93e 100644 +--- a/po/POTFILES.in ++++ b/po/POTFILES.in +@@ -86,6 +86,7 @@ src/chfn.c + src/chgpasswd.c + src/chpasswd.c + src/chsh.c ++src/cppw.c + src/expiry.c + src/faillog.c + src/gpasswd.c +diff --git a/src/Makefile.am b/src/Makefile.am +index b6cb09e..c86ba52 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -39,6 +39,7 @@ if WITH_SU + bin_PROGRAMS += su + endif + usbin_PROGRAMS = \ ++ cppw \ + chgpasswd \ + chpasswd \ + groupadd \ +@@ -104,6 +105,7 @@ newuidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -l + newgidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl + chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF) + chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF) ++cppw_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) + chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF) + chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF) -ldl + expiry_LDADD = $(LDADD) $(LIBECONF) +diff --git a/src/cppw.c b/src/cppw.c +new file mode 100644 +index 0000000..beb4c36 --- /dev/null -+++ shadow/src/cppw.c ++++ b/src/cppw.c @@ -0,0 +1,238 @@ +/* + cppw, cpgr copy with locking given file over the password or group file 
@@ -243,35 +286,3 @@ Index: shadow/src/cppw.c + return 0; +} + -Index: shadow/src/Makefile.am -=================================================================== ---- shadow.orig/src/Makefile.am -+++ shadow/src/Makefile.am -@@ -39,6 +39,7 @@ if WITH_SU - bin_PROGRAMS += su - endif - usbin_PROGRAMS = \ -+ cppw \ - chgpasswd \ - chpasswd \ - groupadd \ -@@ -104,6 +105,7 @@ newuidmap_LDADD = $(LDADD) $(LIBAUDIT - newgidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl - chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF) - chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF) -+cppw_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) - chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF) - chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF) -ldl - expiry_LDADD = $(LDADD) $(LIBECONF) -Index: shadow/po/POTFILES.in -=================================================================== ---- shadow.orig/po/POTFILES.in -+++ shadow/po/POTFILES.in -@@ -87,6 +87,7 @@ src/chfn.c - src/chgpasswd.c - src/chpasswd.c - src/chsh.c -+src/cppw.c - src/expiry.c - src/faillog.c - src/gpasswd.c diff --git a/debian/patches/series b/debian/patches/series index fbc227b3..d4bee877 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -1,14 +1,9 @@ -# These patches are only for the testsuite: -#900_testsuite_groupmems -#901_testsuite_gcov - -401_cppw_src.patch -# 402 should be merged in 401, but should be reviewed by SE Linux experts first -402_cppw_selinux.patch -463_login_delay_obeys_to_PAM.patch -501_commonio_group_shadow.patch -502_debian_useradd_defaults.patch -503_shadowconfig.8.patch -505_useradd_recommend_adduser.patch -506_relaxed_usernames.patch -542_useradd-O_option.patch +cppw-Add-tool.patch +ccpw-add-selinux-support.patch +Let-pam_unix-handle-login-failure-delays.patch +Set-group-and-mode-for-g-shadow-files.patch +Keep-using-Debian-adduser-defaults.patch +Document-the-shadowconfig-utility.patch +Recommend-using-adduser-and-deluser.patch +Relax-usernames-groupnames-checking.patch +useradd-accept-the-O-flag-for-backward-compatibility.patch diff --git a/debian/patches/542_useradd-O_option.patch b/debian/patches/useradd-accept-the-O-flag-for-backward-compatibility.patch similarity index 60% rename from debian/patches/542_useradd-O_option.patch rename to debian/patches/useradd-accept-the-O-flag-for-backward-compatibility.patch index 669e509c..74b41c86 100644 --- a/debian/patches/542_useradd-O_option.patch +++ b/debian/patches/useradd-accept-the-O-flag-for-backward-compatibility.patch 
@@ -1,14 +1,22 @@ -Goal: accepts the -O flag for backward compatibility. (was used by adduser?) +From: Shadow package maintainers +Date: Sat, 22 Jun 2024 17:39:41 +0200 +Subject: useradd: accept the -O flag for backward compatibility Note: useradd.8 needs to be regenerated. -Status wrt upstream: not included as this is just specific +Status wrt upstream: not included as this is just specific backward compatibility for Debian -Index: shadow/man/useradd.8.xml -=================================================================== ---- shadow.orig/man/useradd.8.xml -+++ shadow/man/useradd.8.xml +Gbp-Topic: debian +--- + man/useradd.8.xml | 5 +++++ + src/useradd.c | 3 ++- + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/man/useradd.8.xml b/man/useradd.8.xml +index 4fc95d1..c513e56 100644 +--- a/man/useradd.8.xml ++++ b/man/useradd.8.xml @@ -333,6 +333,11 @@ =100   UID_MAX=499 @@ -21,11 +29,11 @@ Index: shadow/man/useradd.8.xml