From 5f784b3ef3a3fd9d1089f0de5c7fe027abb8a984 Mon Sep 17 00:00:00 2001 From: Chris Hofstaedtler Date: Sun, 7 Jul 2024 14:21:33 +0200 Subject: [PATCH] login.defs: remove vars ignored by su(1) --- .../debian/Adapt-login.defs-for-Debian.patch | 58 +++++++++---------- 1 file changed, 28 insertions(+), 30 deletions(-) diff --git a/debian/patches/debian/Adapt-login.defs-for-Debian.patch b/debian/patches/debian/Adapt-login.defs-for-Debian.patch index 3e096d5e..10cc9341 100644 --- a/debian/patches/debian/Adapt-login.defs-for-Debian.patch +++ b/debian/patches/debian/Adapt-login.defs-for-Debian.patch @@ -2,12 +2,14 @@ From: Shadow package maintainers Date: Sun, 7 Jul 2024 14:06:39 +0200 Subject: Adapt login.defs for Debian +Remove settings only applicable to shadow's su, which we do not use. +Remove settings only applicable without PAM support enabled. --- - etc/login.defs | 410 +++++++++++++++------------------------------------------ - 1 file changed, 104 insertions(+), 306 deletions(-) + etc/login.defs | 420 ++++++++++++++------------------------------------------- + 1 file changed, 99 insertions(+), 321 deletions(-) diff --git a/etc/login.defs b/etc/login.defs -index 33622c2..b0086db 100644 +index 33622c2..9711ad1 100644 --- a/etc/login.defs +++ b/etc/login.defs @@ -1,24 +1,38 @@ @@ -66,10 +68,11 @@ index 33622c2..b0086db 100644 LOG_UNKFAIL_ENAB no # -@@ -27,109 +41,31 @@ LOG_UNKFAIL_ENAB no +@@ -26,110 +40,12 @@ LOG_UNKFAIL_ENAB no + # LOG_OK_LOGINS no - # +-# -# Enable logging and display of /var/log/lastlog login(1) time info. -# -LASTLOG_ENAB yes 
@@ -109,13 +112,11 @@ index 33622c2..b0086db 100644 -# -# Enable "syslog" logging of su(1) activity - in addition to sulog file logging. -# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1). -+# Enable "syslog" logging of su activity - in addition to sulog file logging. -+# SYSLOG_SG_ENAB does the same for newgrp and sg. - # - SYSLOG_SU_ENAB yes - SYSLOG_SG_ENAB yes - - # +-# +-SYSLOG_SU_ENAB yes +-SYSLOG_SG_ENAB yes +- +-# -# If defined, either full pathname of a file containing device names or -# a ":" delimited list of device names. Root logins will be allowed only -# from these devices. @@ -125,10 +126,9 @@ index 33622c2..b0086db 100644 - -# -# If defined, all su(1) activity is logged to this file. -+# If defined, all su activity is logged to this file. - # - #SULOG_FILE /var/log/sulog - +-# +-#SULOG_FILE /var/log/sulog +- -# -# If defined, ":" delimited list of "message of the day" files to -# be displayed upon login. @@ -161,16 +161,14 @@ index 33622c2..b0086db 100644 -# -NOLOGINS_FILE /etc/nologin - - # - # If defined, the command name to display when running "su -". For +-# +-# If defined, the command name to display when running "su -". For -# example, if this is defined as "su" then ps(1) will display the -# command as "-su". If not defined, then ps(1) will display the -+# example, if this is defined as "su" then a "ps" will display the -+# command is "-su". If not defined, then "ps" would display the - # name of the shell actually being run, e.g. something like "-sh". - # - SU_NAME su - +-# name of the shell actually being run, e.g. something like "-sh". +-# +-SU_NAME su +- -# -# *REQUIRED* -# Directory where mailboxes reside, _or_ name of file, relative to the 
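Review bot: In the hunk at `@@ -109,13 +112,11 @@`, `SYSLOG_SG_ENAB yes` is removed together with `SYSLOG_SU_ENAB yes`, but the comment being removed says it covers newgrp(1) and sg(1), not su(1). The commit title and the new description line ("settings only applicable to shadow's su") therefore do not justify dropping it. If the package still ships shadow's newgrp/sg and an unset boolean is treated as off (not shown here, so please confirm), this silently stops syslog records of group switches, which is an audit-trail regression. I would keep the setting with a reworded comment, e.g. `# Enable "syslog" logging of newgrp and sg activity.` followed by `SYSLOG_SG_ENAB yes`, or else name it explicitly in the description with the reason it is safe to drop.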
@@ -182,7 +180,7 @@ index 33622c2..b0086db 100644 # # If defined, file which inhibits all the usual chatter during the login # sequence. If a full pathname, then hushed mode will be enabled if the -@@ -139,27 +75,12 @@ MAIL_DIR /var/spool/mail +@@ -139,27 +55,12 @@ MAIL_DIR /var/spool/mail HUSHLOGIN_FILE .hushlogin #HUSHLOGIN_FILE /etc/hushlogins @@ -212,7 +210,7 @@ index 33622c2..b0086db 100644 # # Terminal permissions -@@ -167,11 +88,18 @@ ENV_PATH PATH=/bin:/usr/bin +@@ -167,11 +68,18 @@ ENV_PATH PATH=/bin:/usr/bin # TTYGROUP Login tty will be assigned this group ownership. # TTYPERM Login tty will be set to this permission. # @@ -235,7 +233,7 @@ index 33622c2..b0086db 100644 TTYGROUP tty TTYPERM 0600 -@@ -180,113 +108,68 @@ TTYPERM 0600 +@@ -180,113 +88,68 @@ TTYPERM 0600 # # ERASECHAR Terminal ERASE character ('\010' = backspace). # KILLCHAR Terminal KILL character ('\025' = CTRL/U). @@ -362,7 +360,7 @@ index 33622c2..b0086db 100644 # any combination of letters "frwh" (full name, room number, work # phone, home phone). If not defined, no changes are allowed. # For backward compatibility, "yes" = "rwh" and "no" = "frwh". -@@ -294,104 +177,73 @@ CHFN_AUTH yes +@@ -294,104 +157,73 @@ CHFN_AUTH yes CHFN_RESTRICT rwh # @@ -507,7 +505,7 @@ index 33622c2..b0086db 100644 # # The pwck(8) utility emits a warning for any system account with a home -@@ -401,67 +253,12 @@ DEFAULT_HOME yes +@@ -401,67 +233,12 @@ DEFAULT_HOME yes # NONEXISTENT /nonexistent @@ -575,7 +573,7 @@ index 33622c2..b0086db 100644 # # Select the HMAC cryptography algorithm. # Used in pam_timestamp module to calculate the keyed-hash message -@@ -471,3 +268,4 @@ PREVENT_NO_AUTH superuser +@@ -471,3 +248,4 @@ PREVENT_NO_AUTH superuser # that are available in your system. # #HMAC_CRYPTO_ALGO SHA512