diff --git a/debian/patches/debian/Adapt-login.defs-for-Debian.patch b/debian/patches/debian/Adapt-login.defs-for-Debian.patch index 47f9ba6e..9bb78aa7 100644 --- a/debian/patches/debian/Adapt-login.defs-for-Debian.patch +++ b/debian/patches/debian/Adapt-login.defs-for-Debian.patch @@ -5,11 +5,11 @@ Subject: Adapt login.defs for Debian Remove settings only applicable to shadow's su, which we do not use. Remove settings only applicable without PAM support enabled. --- - etc/login.defs | 411 ++++++++++++--------------------------------------------- - 1 file changed, 83 insertions(+), 328 deletions(-) + etc/login.defs | 358 +++++++++------------------------------------------------ + 1 file changed, 56 insertions(+), 302 deletions(-) diff --git a/etc/login.defs b/etc/login.defs -index 33622c2..a338dc9 100644 +index 33622c2..579de9a 100644 --- a/etc/login.defs +++ b/etc/login.defs @@ -1,24 +1,38 @@ @@ -25,15 +25,11 @@ index 33622c2..a338dc9 100644 -# pam_unix(8) enforces a 2s delay) -# -FAIL_DELAY 3 -- + -# -# Enable logging and display of /var/log/faillog login(1) failure info. -# -FAILLOG_ENAB yes - --# --# Enable display of unknown usernames when login(1) failures are recorded. --# +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, @@ -58,10 +54,10 @@ index 33622c2..a338dc9 100644 +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail -+ -+# -+# Enable display of unknown usernames when login failures are recorded. -+# + + # + # Enable display of unknown usernames when login(1) failures are recorded. + # +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern 
@@ -143,8 +139,7 @@ index 33622c2..a338dc9 100644 - # # If defined, file which maps tty line to TERM environment parameter. --# Each line of the file is in a format similar to "vt100 tty01". -+# Each line of the file is in a format something like "vt100 tty01". + # Each line of the file is in a format similar to "vt100 tty01". # #TTYTYPE_FILE /etc/ttytype @@ -210,30 +205,21 @@ index 33622c2..a338dc9 100644 # # Terminal permissions -@@ -167,11 +68,18 @@ ENV_PATH PATH=/bin:/usr/bin - # TTYGROUP Login tty will be assigned this group ownership. - # TTYPERM Login tty will be set to this permission. +@@ -172,6 +73,13 @@ ENV_PATH PATH=/bin:/usr/bin + # and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and + # set TTYPERM to either 622 or 600. # --# If you have a write(1) program which is "setgid" to a special group --# which owns the terminals, define TTYGROUP as the number of such group --# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and --# set TTYPERM to either 622 or 600. -+# If you have a "write" program which is "setgid" to a special group -+# which owns the terminals, define TTYGROUP to the group number and -+# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign -+# TTYPERM to either 622 or 600. - # -+# In Debian /usr/bin/bsd-write or similar programs are setgid tty ++# In Debian, write(1) similar programs are setgid tty. +# However, the default and recommended value for TTYPERM is still 0600 -+# to not allow anyone to write to anyone else console or terminal -+ ++# to not allow anyone to write to anyone else console or terminal. ++# +# Users can still allow other people to write them by issuing +# the "mesg y" command. -+ ++# TTYGROUP tty TTYPERM 0600 -@@ -180,143 +88,106 @@ TTYPERM 0600 +@@ -180,61 +88,35 @@ TTYPERM 0600 # # ERASECHAR Terminal ERASE character ('\010' = backspace). # KILLCHAR Terminal KILL character ('\025' = CTRL/U). 
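Review bot: The rewritten TTY comment in this hunk, `+# In Debian, write(1) similar programs are setgid tty.`, dropped the conjunction the line it replaces had (`/usr/bin/bsd-write or similar programs`), so it now reads as if "write(1) similar programs" were a category of its own; suggest `# In Debian, write(1) and similar programs are setgid tty.`. The next new line has a possessive slip too: `# to not allow anyone to write to anyone else's console or terminal.`. It would also help to state in the same comment that with `TTYGROUP tty` and `TTYPERM 0600` the setgid helper cannot write to a tty until the owner runs `mesg y`, which restores the group-writable 0620 mode the preceding paragraph describes; the file relies on this but only implies it. The `TTYGROUP`/`TTYPERM` assignments themselves are unchanged context here.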
@@ -277,7 +263,7 @@ index 33622c2..a338dc9 100644 -PASS_MIN_LEN 5 PASS_WARN_AGE 7 - # +-# -# If "yes", the user must be listed as a member of the first gid 0 group -# in /etc/group (called "root" on most Linux systems) to be able to "su" -# to uid 0 accounts. If the group doesn't exist or is empty, no one 
@@ -285,107 +271,83 @@ index 33622c2..a338dc9 100644 -# -SU_WHEEL_ONLY no - --# --# Min/max values for automatic uid selection in useradd(8) -+# Min/max values for automatic uid selection in useradd + # + # Min/max values for automatic uid selection in useradd(8) # UID_MIN 1000 UID_MAX 60000 # System accounts -SYS_UID_MIN 101 -SYS_UID_MAX 999 -+#SYS_UID_MIN 100 ++#SYS_UID_MIN 101 +#SYS_UID_MAX 999 # Extra per user uids SUB_UID_MIN 100000 SUB_UID_MAX 600100000 - SUB_UID_COUNT 65536 - - # --# Min/max values for automatic gid selection in groupadd(8) -+# Min/max values for automatic gid selection in groupadd - # +@@ -246,8 +128,8 @@ SUB_UID_COUNT 65536 GID_MIN 1000 GID_MAX 60000 # System accounts -SYS_GID_MIN 101 -SYS_GID_MAX 999 -+#SYS_GID_MIN 100 ++#SYS_GID_MIN 101 +#SYS_GID_MAX 999 # Extra per user group ids SUB_GID_MIN 100000 SUB_GID_MAX 600100000 - SUB_GID_COUNT 65536 +@@ -255,6 +137,9 @@ SUB_GID_COUNT 65536 # --# Max number of login(1) retries if password is bad -+# Max number of login retries if password is bad. This will most likely be -+# overriden by PAM, since the default pam_unix module has it's own built -+# in of 3 retries. However, this is a safe fallback in case you are using -+# an authentication module that does not enforce PAM_MAXTRIES. + # Max number of login(1) retries if password is bad ++# This will most likely be overriden by PAM, since the default pam_unix module ++# has it's own built in of 3 retries. However, this is a safe fallback in case ++# you are using an authentication module that does not enforce PAM_MAXTRIES. # LOGIN_RETRIES 5 - # --# Max time in seconds for login(1) -+# Max time in seconds for login +@@ -263,28 +148,6 @@ LOGIN_RETRIES 5 # LOGIN_TIMEOUT 60 - # +-# -# Maximum number of attempts to change password if rejected (too easy) -# -PASS_CHANGE_TRIES 5 - -# -# Warn about weak passwords (but still allow them) if you are root. 
-+# Which fields may be changed by regular users using chfn - use -+# any combination of letters "frwh" (full name, room number, work -+# phone, home phone). If not defined, no changes are allowed. -+# For backward compatibility, "yes" = "rwh" and "no" = "frwh". - # +-# -PASS_ALWAYS_WARN yes -+CHFN_RESTRICT rwh - - # +- +-# -# Number of significant characters in the password for crypt(). -# Default is 8, don't change unless your crypt() is better. -# Ignored if MD5_CRYPT_ENAB set to "yes". -+# Should login be allowed if we can't cd to the home directory? -+# Default is no. - # +-# -#PASS_MAX_LEN 8 -+DEFAULT_HOME yes - - # --# Require password before chfn(1)/chsh(1) can make any changes. -+# If defined, this command is run when removing a user. -+# It should remove any at/cron/print jobs etc. owned by -+# the user to be removed (passed as the first argument). - # --CHFN_AUTH yes -+#USERDEL_CMD /usr/sbin/userdel_local - - # --# Which fields may be changed by regular users using chfn(1) - use --# any combination of letters "frwh" (full name, room number, work --# phone, home phone). If not defined, no changes are allowed. --# For backward compatibility, "yes" = "rwh" and "no" = "frwh". -+# If set to yes, userdel will remove the user's group if it contains no -+# more members, and useradd will create by default a group with the name -+# of the user. - # --CHFN_RESTRICT rwh - -# +-# Require password before chfn(1)/chsh(1) can make any changes. +-# +-CHFN_AUTH yes +- + # + # Which fields may be changed by regular users using chfn(1) - use + # any combination of letters "frwh" (full name, room number, work +@@ -294,29 +157,14 @@ CHFN_AUTH yes + CHFN_RESTRICT rwh + + # -# Password prompt (%s will be replaced by user name). 
-+# Other former uses of this variable such as setting the umask when -+# user==primary group are not used in PAM environments, such as Debian ++# Instead of the real user shell, the program specified by this parameter ++# will be launched, although its visible name (argv[0]) will be the shell's. ++# The program may do whatever it wants (logging, additional authentification, ++# banner, ...) before running the actual shell. # -# XXX - it doesn't work correctly yet, for now leave it commented out -# to use the default which is just "Password: ". -#LOGIN_STRING "%s's Password: " -+USERGROUPS_ENAB yes ++# FAKE_SHELL /bin/fakeshell # -# Only works if compiled with MD5_CRYPT defined: @@ -394,25 +356,20 @@ index 33622c2..a338dc9 100644 -# It supports passwords of unlimited length and longer salt strings. -# Set to "no" if you need to copy encrypted passwords to other systems -# which don't understand the new algorithm. Default is "no". -+# Instead of the real user shell, the program specified by this parameter -+# will be launched, although its visible name (argv[0]) will be the shell's. -+# The program may do whatever it wants (logging, additional authentification, -+# banner, ...) before running the actual shell. - # +-# -# Note: If you use PAM, it is recommended to use a value consistent with -# the PAM modules configuration. -# -# This variable is deprecated. You should use ENCRYPT_METHOD instead. -# -#MD5_CRYPT_ENAB no -+# FAKE_SHELL /bin/fakeshell - - # +- +-# -# Only works if compiled with ENCRYPTMETHOD_SELECT defined: # If set to MD5, MD5-based algorithm will be used for encrypting password # If set to SHA256, SHA256-based algorithm will be used for encrypting password # If set to SHA512, SHA512-based algorithm will be used for encrypting password -@@ -326,72 +197,10 @@ CHFN_RESTRICT rwh +@@ -326,66 +174,10 @@ CHFN_RESTRICT rwh # MD5 and DES should not be used for new hashes, see crypt(5) for recommendations. # Overrides the MD5_CRYPT_ENAB option # 
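Review bot: `+#SYS_UID_MIN 101` and `+#SYS_GID_MIN 101` in this hunk are commented out, so the value shown is not the one useradd(8)/groupadd(8) will use; the effective system-account range is presumably shadow's compiled-in default, and the file no longer says so anywhere. The upstream lines this patch drops are `SYS_UID_MIN 101` and `SYS_UID_MAX 999`, so the commented value now matches upstream, but someone auditing UID allocation cannot tell that from the file; suggest a comment above each pair such as `# Left unset on Debian: useradd/groupadd use shadow's built-in default (upstream ships 101-999); uncomment to pin the range locally.`. The LOGIN_RETRIES text being moved here also carries two spelling errors: `# This will most likely be overridden by PAM, since the default pam_unix module` and `# has its own built-in limit of 3 retries. However, this is a safe fallback in case`. The FAKE_SHELL comment relocated at the end of this hunk keeps `authentification` from the old text; it should read `additional authentication`.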
@@ -477,17 +434,11 @@ index 33622c2..a338dc9 100644 -# How to do it is left as an exercise for the reader... -# -#CONSOLE_GROUPS floppy:audio:cdrom -- --# --# Should login be allowed if we can't cd to the home directory? --# Default is no. --# --DEFAULT_HOME yes +ENCRYPT_METHOD YESCRYPT # - # The pwck(8) utility emits a warning for any system account with a home -@@ -401,67 +210,12 @@ DEFAULT_HOME yes + # Should login be allowed if we can't cd to the home directory? +@@ -401,12 +193,6 @@ DEFAULT_HOME yes # NONEXISTENT /nonexistent @@ -497,22 +448,26 @@ index 33622c2..a338dc9 100644 -# -ENVIRON_FILE /etc/environment - --# --# If defined, this command is run when removing a user. --# It should remove any at/cron/print jobs etc. owned by --# the user to be removed (passed as the first argument). --# --#USERDEL_CMD /usr/sbin/userdel_local -- --# + # + # If defined, this command is run when removing a user. + # It should remove any at/cron/print jobs etc. owned by +@@ -415,53 +201,21 @@ ENVIRON_FILE /etc/environment + #USERDEL_CMD /usr/sbin/userdel_local + + # -# Enable setting of the umask group bits to be the same as owner bits -# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is -# the same as gid, and username is the same as the primary group name. --# ++# If set to yes, userdel(8) will remove the user's group if it contains no more ++# members, and useradd(8) will create by default a group with the name of the ++# user. + # -# This also enables userdel(8) to remove user groups if no members exist. --# --USERGROUPS_ENAB yes -- ++# Other former uses of this variable are not used in PAM environments, such as ++# Debian. + # + USERGROUPS_ENAB yes + -# -# If set to a non-zero number, the shadow utilities will make sure that -# groups never have more than this number of users on one line. 
@@ -555,8 +510,3 @@ index 33622c2..a338dc9 100644 # # Select the HMAC cryptography algorithm. # Used in pam_timestamp module to calculate the keyed-hash message -@@ -471,3 +225,4 @@ PREVENT_NO_AUTH superuser - # that are available in your system. - # - #HMAC_CRYPTO_ALGO SHA512 -+
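Review bot: The new USERGROUPS_ENAB comment ends with `+# Other former uses of this variable are not used in PAM environments, such as Debian.`, which no longer says what those uses are; the text it replaces named the one that matters (`setting the umask when user==primary group`), and the upstream paragraph removed just above describes it (`umask group bits ... 022 -> 002, 077 -> 007`). An administrator checking why a user's umask is not relaxed on Debian will not find the answer in the file as patched; suggest `# Upstream also lets this relax the umask group bits (e.g. 022 -> 002) when uid == gid; that code path is not used on PAM-enabled builds such as Debian.`. The effective setting `USERGROUPS_ENAB yes` is unchanged context, so this is a documentation-only gap.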