login.defs: resync comments with upstream

This commit is contained in:
Chris Hofstaedtler
2024-07-07 14:47:51 +02:00
parent f8e81f7293
commit 75904cfd05


@@ -5,11 +5,11 @@ Subject: Adapt login.defs for Debian
Remove settings only applicable to shadow's su, which we do not use.
Remove settings only applicable without PAM support enabled.
---
etc/login.defs | 411 ++++++++++++---------------------------------------------
1 file changed, 83 insertions(+), 328 deletions(-)
etc/login.defs | 358 +++++++++------------------------------------------------
1 file changed, 56 insertions(+), 302 deletions(-)
diff --git a/etc/login.defs b/etc/login.defs
index 33622c2..a338dc9 100644
index 33622c2..579de9a 100644
--- a/etc/login.defs
+++ b/etc/login.defs
@@ -1,24 +1,38 @@
@@ -25,15 +25,11 @@ index 33622c2..a338dc9 100644
-# pam_unix(8) enforces a 2s delay)
-#
-FAIL_DELAY 3
-
-#
-# Enable logging and display of /var/log/faillog login(1) failure info.
-#
-FAILLOG_ENAB yes
-#
-# Enable display of unknown usernames when login(1) failures are recorded.
-#
+# REQUIRED for useradd/userdel/usermod
+# Directory where mailboxes reside, _or_ name of file, relative to the
+# home directory. If you _do_ define MAIL_DIR and MAIL_FILE,
@@ -58,10 +54,10 @@ index 33622c2..a338dc9 100644
+# no more supported
+MAIL_DIR /var/mail
+#MAIL_FILE .mail
+
+#
+# Enable display of unknown usernames when login failures are recorded.
+#
#
# Enable display of unknown usernames when login(1) failures are recorded.
#
+# WARNING: Unknown usernames may become world readable.
+# See #290803 and #298773 for details about how this could become a security
+# concern
@@ -143,8 +139,7 @@ index 33622c2..a338dc9 100644
-
#
# If defined, file which maps tty line to TERM environment parameter.
-# Each line of the file is in a format similar to "vt100 tty01".
+# Each line of the file is in a format something like "vt100 tty01".
# Each line of the file is in a format similar to "vt100 tty01".
#
#TTYTYPE_FILE /etc/ttytype
@@ -210,30 +205,21 @@ index 33622c2..a338dc9 100644
#
# Terminal permissions
@@ -167,11 +68,18 @@ ENV_PATH PATH=/bin:/usr/bin
# TTYGROUP Login tty will be assigned this group ownership.
# TTYPERM Login tty will be set to this permission.
@@ -172,6 +73,13 @@ ENV_PATH PATH=/bin:/usr/bin
# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
# set TTYPERM to either 622 or 600.
#
-# If you have a write(1) program which is "setgid" to a special group
-# which owns the terminals, define TTYGROUP as the number of such group
-# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
-# set TTYPERM to either 622 or 600.
+# If you have a "write" program which is "setgid" to a special group
+# which owns the terminals, define TTYGROUP to the group number and
+# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
+# TTYPERM to either 622 or 600.
#
+# In Debian /usr/bin/bsd-write or similar programs are setgid tty
+# In Debian, write(1) similar programs are setgid tty.
+# However, the default and recommended value for TTYPERM is still 0600
+# to not allow anyone to write to anyone else console or terminal
+
+# to not allow anyone to write to anyone else console or terminal.
+#
+# Users can still allow other people to write them by issuing
+# the "mesg y" command.
+
+#
TTYGROUP tty
TTYPERM 0600
@@ -180,143 +88,106 @@ TTYPERM 0600
@@ -180,61 +88,35 @@ TTYPERM 0600
#
# ERASECHAR Terminal ERASE character ('\010' = backspace).
# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
@@ -277,7 +263,7 @@ index 33622c2..a338dc9 100644
-PASS_MIN_LEN 5
PASS_WARN_AGE 7
#
-#
-# If "yes", the user must be listed as a member of the first gid 0 group
-# in /etc/group (called "root" on most Linux systems) to be able to "su"
-# to uid 0 accounts. If the group doesn't exist or is empty, no one
@@ -285,107 +271,83 @@ index 33622c2..a338dc9 100644
-#
-SU_WHEEL_ONLY no
-
-#
-# Min/max values for automatic uid selection in useradd(8)
+# Min/max values for automatic uid selection in useradd
#
# Min/max values for automatic uid selection in useradd(8)
#
UID_MIN 1000
UID_MAX 60000
# System accounts
-SYS_UID_MIN 101
-SYS_UID_MAX 999
+#SYS_UID_MIN 100
+#SYS_UID_MIN 101
+#SYS_UID_MAX 999
# Extra per user uids
SUB_UID_MIN 100000
SUB_UID_MAX 600100000
SUB_UID_COUNT 65536
#
-# Min/max values for automatic gid selection in groupadd(8)
+# Min/max values for automatic gid selection in groupadd
#
@@ -246,8 +128,8 @@ SUB_UID_COUNT 65536
GID_MIN 1000
GID_MAX 60000
# System accounts
-SYS_GID_MIN 101
-SYS_GID_MAX 999
+#SYS_GID_MIN 100
+#SYS_GID_MIN 101
+#SYS_GID_MAX 999
# Extra per user group ids
SUB_GID_MIN 100000
SUB_GID_MAX 600100000
SUB_GID_COUNT 65536
@@ -255,6 +137,9 @@ SUB_GID_COUNT 65536
#
-# Max number of login(1) retries if password is bad
+# Max number of login retries if password is bad. This will most likely be
+# overriden by PAM, since the default pam_unix module has it's own built
+# in of 3 retries. However, this is a safe fallback in case you are using
+# an authentication module that does not enforce PAM_MAXTRIES.
# Max number of login(1) retries if password is bad
+# This will most likely be overriden by PAM, since the default pam_unix module
+# has it's own built in of 3 retries. However, this is a safe fallback in case
+# you are using an authentication module that does not enforce PAM_MAXTRIES.
#
LOGIN_RETRIES 5
#
-# Max time in seconds for login(1)
+# Max time in seconds for login
@@ -263,28 +148,6 @@ LOGIN_RETRIES 5
#
LOGIN_TIMEOUT 60
#
-#
-# Maximum number of attempts to change password if rejected (too easy)
-#
-PASS_CHANGE_TRIES 5
-
-#
-# Warn about weak passwords (but still allow them) if you are root.
+# Which fields may be changed by regular users using chfn - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone). If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
#
-#
-PASS_ALWAYS_WARN yes
+CHFN_RESTRICT rwh
#
-
-#
-# Number of significant characters in the password for crypt().
-# Default is 8, don't change unless your crypt() is better.
-# Ignored if MD5_CRYPT_ENAB set to "yes".
+# Should login be allowed if we can't cd to the home directory?
+# Default is no.
#
-#
-#PASS_MAX_LEN 8
+DEFAULT_HOME yes
#
-# Require password before chfn(1)/chsh(1) can make any changes.
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
#
-CHFN_AUTH yes
+#USERDEL_CMD /usr/sbin/userdel_local
#
-# Which fields may be changed by regular users using chfn(1) - use
-# any combination of letters "frwh" (full name, room number, work
-# phone, home phone). If not defined, no changes are allowed.
-# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+# If set to yes, userdel will remove the user's group if it contains no
+# more members, and useradd will create by default a group with the name
+# of the user.
#
-CHFN_RESTRICT rwh
-
-#
-# Require password before chfn(1)/chsh(1) can make any changes.
-#
-CHFN_AUTH yes
-
#
# Which fields may be changed by regular users using chfn(1) - use
# any combination of letters "frwh" (full name, room number, work
@@ -294,29 +157,14 @@ CHFN_AUTH yes
CHFN_RESTRICT rwh
#
-# Password prompt (%s will be replaced by user name).
+# Other former uses of this variable such as setting the umask when
+# user==primary group are not used in PAM environments, such as Debian
+# Instead of the real user shell, the program specified by this parameter
+# will be launched, although its visible name (argv[0]) will be the shell's.
+# The program may do whatever it wants (logging, additional authentification,
+# banner, ...) before running the actual shell.
#
-# XXX - it doesn't work correctly yet, for now leave it commented out
-# to use the default which is just "Password: ".
-#LOGIN_STRING "%s's Password: "
+USERGROUPS_ENAB yes
+# FAKE_SHELL /bin/fakeshell
#
-# Only works if compiled with MD5_CRYPT defined:
@@ -394,25 +356,20 @@ index 33622c2..a338dc9 100644
-# It supports passwords of unlimited length and longer salt strings.
-# Set to "no" if you need to copy encrypted passwords to other systems
-# which don't understand the new algorithm. Default is "no".
+# Instead of the real user shell, the program specified by this parameter
+# will be launched, although its visible name (argv[0]) will be the shell's.
+# The program may do whatever it wants (logging, additional authentification,
+# banner, ...) before running the actual shell.
#
-#
-# Note: If you use PAM, it is recommended to use a value consistent with
-# the PAM modules configuration.
-#
-# This variable is deprecated. You should use ENCRYPT_METHOD instead.
-#
-#MD5_CRYPT_ENAB no
+# FAKE_SHELL /bin/fakeshell
#
-
-#
-# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
# If set to MD5, MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
@@ -326,72 +197,10 @@ CHFN_RESTRICT rwh
@@ -326,66 +174,10 @@ CHFN_RESTRICT rwh
# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
# Overrides the MD5_CRYPT_ENAB option
#
@@ -477,17 +434,11 @@ index 33622c2..a338dc9 100644
-# How to do it is left as an exercise for the reader...
-#
-#CONSOLE_GROUPS floppy:audio:cdrom
-
-#
-# Should login be allowed if we can't cd to the home directory?
-# Default is no.
-#
-DEFAULT_HOME yes
+ENCRYPT_METHOD YESCRYPT
#
# The pwck(8) utility emits a warning for any system account with a home
@@ -401,67 +210,12 @@ DEFAULT_HOME yes
# Should login be allowed if we can't cd to the home directory?
@@ -401,12 +193,6 @@ DEFAULT_HOME yes
#
NONEXISTENT /nonexistent
@@ -497,22 +448,26 @@ index 33622c2..a338dc9 100644
-#
-ENVIRON_FILE /etc/environment
-
-#
-# If defined, this command is run when removing a user.
-# It should remove any at/cron/print jobs etc. owned by
-# the user to be removed (passed as the first argument).
-#
-#USERDEL_CMD /usr/sbin/userdel_local
-
-#
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
@@ -415,53 +201,21 @@ ENVIRON_FILE /etc/environment
#USERDEL_CMD /usr/sbin/userdel_local
#
-# Enable setting of the umask group bits to be the same as owner bits
-# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
-# the same as gid, and username is the same as the primary group name.
-#
+# If set to yes, userdel(8) will remove the user's group if it contains no more
+# members, and useradd(8) will create by default a group with the name of the
+# user.
#
-# This also enables userdel(8) to remove user groups if no members exist.
-#
-USERGROUPS_ENAB yes
-
+# Other former uses of this variable are not used in PAM environments, such as
+# Debian.
#
USERGROUPS_ENAB yes
-#
-# If set to a non-zero number, the shadow utilities will make sure that
-# groups never have more than this number of users on one line.
@@ -555,8 +510,3 @@ index 33622c2..a338dc9 100644
#
# Select the HMAC cryptography algorithm.
# Used in pam_timestamp module to calculate the keyed-hash message
@@ -471,3 +225,4 @@ PREVENT_NO_AUTH superuser
# that are available in your system.
#
#HMAC_CRYPTO_ALGO SHA512
+
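Review bot: The commit is described as a comment-only resync, but the visible hunks also carry value-bearing lines whose old/new side cannot be told apart on this rendering — `+#SYS_UID_MIN 100` next to `+#SYS_UID_MIN 101` (with the matching `SYS_GID_MIN` pair) and `+ENCRYPT_METHOD YESCRYPT` — so it is not possible to confirm from the page that the effective settings of the patched login.defs are unchanged. Before merging, apply the patch at the parent and at this commit and diff the two results with comment lines dropped (e.g. `grep -v '^#' etc/login.defs`), since any drift in the system UID/GID ranges or in ENCRYPT_METHOD would be a behavioural change rather than a wording one. If the `SYS_UID_MIN`/`SYS_GID_MIN` lines are intentionally left commented out so that the tools' built-in defaults apply, a one-line note next to them such as `# left commented: useradd's built-in default applies` would make that intent explicit for the next maintainer. The patched file's own header and the outer file section header are not shown on this page, so this note covers the section as a whole.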