From 9b4bfac4ef1a3b6e5ddbe1e39830a00eca2e3da5 Mon Sep 17 00:00:00 2001 From: Chris Hofstaedtler Date: Sun, 7 Jul 2024 14:08:06 +0200 Subject: [PATCH] Turn login.defs file into a patch Gbp-Dch: ignore --- debian/login.defs | 324 --------- debian/login.install | 2 +- debian/not-installed | 1 - .../debian/Adapt-login.defs-for-Debian.patch | 636 ++++++++++++++++++ debian/patches/series | 1 + 5 files changed, 638 insertions(+), 326 deletions(-) delete mode 100644 debian/login.defs create mode 100644 debian/patches/debian/Adapt-login.defs-for-Debian.patch diff --git a/debian/login.defs b/debian/login.defs deleted file mode 100644 index 3a933b76..00000000 --- a/debian/login.defs +++ /dev/null @@ -1,324 +0,0 @@ -# -# /etc/login.defs - Configuration control definitions for the login package. -# -# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. -# If unspecified, some arbitrary (and possibly incorrect) value will -# be assumed. All other items are optional - if not specified then -# the described action or option will be inhibited. -# -# Comment lines (lines beginning with "#") and blank lines are ignored. -# -# Modified for Linux. --marekm - -# REQUIRED for useradd/userdel/usermod -# Directory where mailboxes reside, _or_ name of file, relative to the -# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, -# MAIL_DIR takes precedence. -# -# Essentially: -# - MAIL_DIR defines the location of users mail spool files -# (for mbox use) by appending the username to MAIL_DIR as defined -# below. -# - MAIL_FILE defines the location of the users mail spool files as the -# fully-qualified filename obtained by prepending the user home -# directory before $MAIL_FILE -# -# NOTE: This is no more used for setting up users MAIL environment variable -# which is, starting from shadow 4.0.12-1 in Debian, entirely the -# job of the pam_mail PAM modules -# See default PAM configuration files provided for -# login, su, etc. -# -# This is a temporary situation: setting these variables will soon -# move to /etc/default/useradd and the variables will then be -# no more supported -MAIL_DIR /var/mail -#MAIL_FILE .mail - -# -# Enable display of unknown usernames when login failures are recorded. -# -# WARNING: Unknown usernames may become world readable. -# See #290803 and #298773 for details about how this could become a security -# concern -LOG_UNKFAIL_ENAB no - -# -# Enable logging of successful logins -# -LOG_OK_LOGINS no - -# -# Enable "syslog" logging of su activity - in addition to sulog file logging. -# SYSLOG_SG_ENAB does the same for newgrp and sg. -# -SYSLOG_SU_ENAB yes -SYSLOG_SG_ENAB yes - -# -# If defined, all su activity is logged to this file. -# -#SULOG_FILE /var/log/sulog - -# -# If defined, file which maps tty line to TERM environment parameter. -# Each line of the file is in a format something like "vt100 tty01". -# -#TTYTYPE_FILE /etc/ttytype - -# -# If defined, the command name to display when running "su -". For -# example, if this is defined as "su" then a "ps" will display the -# command is "-su". If not defined, then "ps" would display the -# name of the shell actually being run, e.g. something like "-sh". -# -SU_NAME su - -# -# If defined, file which inhibits all the usual chatter during the login -# sequence. If a full pathname, then hushed mode will be enabled if the -# user's name or shell are found in the file. If not a full pathname, then -# hushed mode will be enabled if the file exists in the user's home directory. -# -HUSHLOGIN_FILE .hushlogin -#HUSHLOGIN_FILE /etc/hushlogins - -# -# *REQUIRED* The default PATH settings, for superuser and normal users. -# -# (they are minimal, add the rest in the shell startup files) -ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin -ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games - -# -# Terminal permissions -# -# TTYGROUP Login tty will be assigned this group ownership. -# TTYPERM Login tty will be set to this permission. -# -# If you have a "write" program which is "setgid" to a special group -# which owns the terminals, define TTYGROUP to the group number and -# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign -# TTYPERM to either 622 or 600. -# -# In Debian /usr/bin/bsd-write or similar programs are setgid tty -# However, the default and recommended value for TTYPERM is still 0600 -# to not allow anyone to write to anyone else console or terminal - -# Users can still allow other people to write them by issuing -# the "mesg y" command. - -TTYGROUP tty -TTYPERM 0600 - -# -# Login configuration initializations: -# -# ERASECHAR Terminal ERASE character ('\010' = backspace). -# KILLCHAR Terminal KILL character ('\025' = CTRL/U). -# -# The ERASECHAR and KILLCHAR are used only on System V machines. -# -ERASECHAR 0177 -KILLCHAR 025 - -# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new -# home directories. -HOME_MODE 0700 - -# -# Password aging controls: -# -# PASS_MAX_DAYS Maximum number of days a password may be used. -# PASS_MIN_DAYS Minimum number of days allowed between password changes. -# PASS_WARN_AGE Number of days warning given before a password expires. -# -PASS_MAX_DAYS 99999 -PASS_MIN_DAYS 0 -PASS_WARN_AGE 7 - -# -# Min/max values for automatic uid selection in useradd -# -UID_MIN 1000 -UID_MAX 60000 -# System accounts -#SYS_UID_MIN 100 -#SYS_UID_MAX 999 -# Extra per user uids -SUB_UID_MIN 100000 -SUB_UID_MAX 600100000 -SUB_UID_COUNT 65536 - -# -# Min/max values for automatic gid selection in groupadd -# -GID_MIN 1000 -GID_MAX 60000 -# System accounts -#SYS_GID_MIN 100 -#SYS_GID_MAX 999 -# Extra per user group ids -SUB_GID_MIN 100000 -SUB_GID_MAX 600100000 -SUB_GID_COUNT 65536 - -# -# Max number of login retries if password is bad. This will most likely be -# overriden by PAM, since the default pam_unix module has it's own built -# in of 3 retries. However, this is a safe fallback in case you are using -# an authentication module that does not enforce PAM_MAXTRIES. -# -LOGIN_RETRIES 5 - -# -# Max time in seconds for login -# -LOGIN_TIMEOUT 60 - -# -# Which fields may be changed by regular users using chfn - use -# any combination of letters "frwh" (full name, room number, work -# phone, home phone). If not defined, no changes are allowed. -# For backward compatibility, "yes" = "rwh" and "no" = "frwh". -# -CHFN_RESTRICT rwh - -# -# Should login be allowed if we can't cd to the home directory? -# Default is no. -# -DEFAULT_HOME yes - -# -# If defined, this command is run when removing a user. -# It should remove any at/cron/print jobs etc. owned by -# the user to be removed (passed as the first argument). -# -#USERDEL_CMD /usr/sbin/userdel_local - -# -# If set to yes, userdel will remove the user's group if it contains no -# more members, and useradd will create by default a group with the name -# of the user. -# -# Other former uses of this variable such as setting the umask when -# user==primary group are not used in PAM environments, such as Debian -# -USERGROUPS_ENAB yes - -# -# Instead of the real user shell, the program specified by this parameter -# will be launched, although its visible name (argv[0]) will be the shell's. -# The program may do whatever it wants (logging, additional authentification, -# banner, ...) before running the actual shell. -# -# FAKE_SHELL /bin/fakeshell - -# -# If defined, either full pathname of a file containing device names or -# a ":" delimited list of device names. Root logins will be allowed only -# upon these devices. -# -# This variable is used by login and su. -# -#CONSOLE /etc/consoles -#CONSOLE console:tty01:tty02:tty03:tty04 - -# -# List of groups to add to the user's supplementary group set -# when logging in on the console (as determined by the CONSOLE -# setting). Default is none. -# -# Use with caution - it is possible for users to gain permanent -# access to these groups, even when not logged in on the console. -# How to do it is left as an exercise for the reader... -# -# This variable is used by login and su. -# -#CONSOLE_GROUPS floppy:audio:cdrom - -# -# If set to MD5, MD5-based algorithm will be used for encrypting password -# If set to SHA256, SHA256-based algorithm will be used for encrypting password -# If set to SHA512, SHA512-based algorithm will be used for encrypting password -# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password -# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password -# If set to DES, DES-based algorithm will be used for encrypting password (default) -# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations. -# Overrides the MD5_CRYPT_ENAB option -# -# Note: It is recommended to use a value consistent with -# the PAM modules configuration. -# -ENCRYPT_METHOD YESCRYPT - -# -# The pwck(8) utility emits a warning for any system account with a home -# directory that does not exist. Some system accounts intentionally do -# not have a home directory. Such accounts may have this string as -# their home directory in /etc/passwd to avoid a spurious warning. -# -NONEXISTENT /nonexistent - -# -# Allow newuidmap and newgidmap when running under an alternative -# primary group. -# -#GRANT_AUX_GROUP_SUBIDS yes - -# -# Select the HMAC cryptography algorithm. -# Used in pam_timestamp module to calculate the keyed-hash message -# authentication code. -# -# Note: It is recommended to check hmac(3) to see the possible algorithms -# that are available in your system. -# -#HMAC_CRYPTO_ALGO SHA512 - -################# OBSOLETED BY PAM ############## -# # -# These options are now handled by PAM. Please # -# edit the appropriate file in /etc/pam.d/ to # -# enable the equivelants of them. -# -############### - -#MOTD_FILE -#DIALUPS_CHECK_ENAB -#LASTLOG_ENAB -#MAIL_CHECK_ENAB -#OBSCURE_CHECKS_ENAB -#PORTTIME_CHECKS_ENAB -#SU_WHEEL_ONLY -#CRACKLIB_DICTPATH -#PASS_CHANGE_TRIES -#PASS_ALWAYS_WARN -#ENVIRON_FILE -#NOLOGINS_FILE -#ISSUE_FILE -#PASS_MIN_LEN -#PASS_MAX_LEN -#ULIMIT -#ENV_HZ -#CHFN_AUTH -#CHSH_AUTH -#FAIL_DELAY - -################# OBSOLETED ####################### -# # -# These options are no more handled by shadow. # -# # -# Shadow utilities will display a warning if they # -# still appear. # -# # -################################################### - -# CLOSE_SESSIONS -# LOGIN_STRING -# NO_PASSWORD_CONSOLE -# QMAIL_DIR - - - diff --git a/debian/login.install b/debian/login.install index ab03fc51..0625ff34 100644 --- a/debian/login.install +++ b/debian/login.install @@ -1,5 +1,5 @@ bin/login usr/bin -debian/login.defs etc +etc/login.defs etc sbin/nologin usr/sbin usr/bin/newgrp usr/share/locale/*/LC_MESSAGES/shadow.mo diff --git a/debian/not-installed b/debian/not-installed index d72a23e1..35127d38 100644 --- a/debian/not-installed +++ b/debian/not-installed @@ -1,5 +1,4 @@ bin/groups -etc/login.defs etc/pam.d/chfn etc/pam.d/chage etc/pam.d/chpasswd diff --git a/debian/patches/debian/Adapt-login.defs-for-Debian.patch b/debian/patches/debian/Adapt-login.defs-for-Debian.patch new file mode 100644 index 00000000..5ec50795 --- /dev/null +++ b/debian/patches/debian/Adapt-login.defs-for-Debian.patch @@ -0,0 +1,636 @@ +From: Shadow package maintainers +Date: Sun, 7 Jul 2024 14:06:39 +0200 +Subject: Adapt login.defs for Debian + +--- + etc/login.defs | 465 ++++++++++++++++++++------------------------------------- + 1 file changed, 158 insertions(+), 307 deletions(-) + +diff --git a/etc/login.defs b/etc/login.defs +index 33622c2..3a933b7 100644 +--- a/etc/login.defs ++++ b/etc/login.defs +@@ -1,24 +1,46 @@ + # +-# /etc/login.defs - Configuration control definitions for the shadow package. ++# /etc/login.defs - Configuration control definitions for the login package. + # +-# $Id$ ++# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. ++# If unspecified, some arbitrary (and possibly incorrect) value will ++# be assumed. All other items are optional - if not specified then ++# the described action or option will be inhibited. + # +- +-# +-# Delay in seconds before being allowed another attempt after a login failure +-# Note: When PAM is used, some modules may enforce a minimum delay (e.g. +-# pam_unix(8) enforces a 2s delay) +-# +-FAIL_DELAY 3 +- +-# +-# Enable logging and display of /var/log/faillog login(1) failure info. ++# Comment lines (lines beginning with "#") and blank lines are ignored. + # +-FAILLOG_ENAB yes ++# Modified for Linux. --marekm + +-# +-# Enable display of unknown usernames when login(1) failures are recorded. +-# ++# REQUIRED for useradd/userdel/usermod ++# Directory where mailboxes reside, _or_ name of file, relative to the ++# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, ++# MAIL_DIR takes precedence. ++# ++# Essentially: ++# - MAIL_DIR defines the location of users mail spool files ++# (for mbox use) by appending the username to MAIL_DIR as defined ++# below. ++# - MAIL_FILE defines the location of the users mail spool files as the ++# fully-qualified filename obtained by prepending the user home ++# directory before $MAIL_FILE ++# ++# NOTE: This is no more used for setting up users MAIL environment variable ++# which is, starting from shadow 4.0.12-1 in Debian, entirely the ++# job of the pam_mail PAM modules ++# See default PAM configuration files provided for ++# login, su, etc. ++# ++# This is a temporary situation: setting these variables will soon ++# move to /etc/default/useradd and the variables will then be ++# no more supported ++MAIL_DIR /var/mail ++#MAIL_FILE .mail ++ ++# ++# Enable display of unknown usernames when login failures are recorded. ++# ++# WARNING: Unknown usernames may become world readable. ++# See #290803 and #298773 for details about how this could become a security ++# concern + LOG_UNKFAIL_ENAB no + + # +@@ -27,109 +49,31 @@ LOG_UNKFAIL_ENAB no + LOG_OK_LOGINS no + + # +-# Enable logging and display of /var/log/lastlog login(1) time info. +-# +-LASTLOG_ENAB yes +- +-# +-# Limit the highest user ID number for which the lastlog entries should +-# be updated. +-# +-# No LASTLOG_UID_MAX means that there is no user ID limit for writing +-# lastlog entries. +-# +-#LASTLOG_UID_MAX +- +-# +-# Enable checking and display of mailbox status upon login. +-# +-# Disable if the shell startup files already check for mail +-# ("mailx -e" or equivalent). +-# +-MAIL_CHECK_ENAB yes +- +-# +-# Enable additional checks upon password changes. +-# +-OBSCURE_CHECKS_ENAB yes +- +-# +-# Enable checking of time restrictions specified in /etc/porttime. +-# +-PORTTIME_CHECKS_ENAB yes +- +-# +-# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field. +-# +-QUOTAS_ENAB yes +- +-# +-# Enable "syslog" logging of su(1) activity - in addition to sulog file logging. +-# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1). ++# Enable "syslog" logging of su activity - in addition to sulog file logging. ++# SYSLOG_SG_ENAB does the same for newgrp and sg. + # + SYSLOG_SU_ENAB yes + SYSLOG_SG_ENAB yes + + # +-# If defined, either full pathname of a file containing device names or +-# a ":" delimited list of device names. Root logins will be allowed only +-# from these devices. +-# +-CONSOLE /etc/securetty +-#CONSOLE console:tty01:tty02:tty03:tty04 +- +-# +-# If defined, all su(1) activity is logged to this file. ++# If defined, all su activity is logged to this file. + # + #SULOG_FILE /var/log/sulog + +-# +-# If defined, ":" delimited list of "message of the day" files to +-# be displayed upon login. +-# +-MOTD_FILE /etc/motd +-#MOTD_FILE /etc/motd:/usr/lib/news/news-motd +- +-# +-# If defined, this file will be output before each login(1) prompt. +-# +-#ISSUE_FILE /etc/issue +- + # + # If defined, file which maps tty line to TERM environment parameter. +-# Each line of the file is in a format similar to "vt100 tty01". ++# Each line of the file is in a format something like "vt100 tty01". + # + #TTYTYPE_FILE /etc/ttytype + +-# +-# If defined, login(1) failures will be logged here in a utmp format. +-# last(1), when invoked as lastb(1), will read /var/log/btmp, so... +-# +-FTMP_FILE /var/log/btmp +- +-# +-# If defined, name of file whose presence will inhibit non-root +-# logins. The content of this file should be a message indicating +-# why logins are inhibited. +-# +-NOLOGINS_FILE /etc/nologin +- + # + # If defined, the command name to display when running "su -". For +-# example, if this is defined as "su" then ps(1) will display the +-# command as "-su". If not defined, then ps(1) will display the ++# example, if this is defined as "su" then a "ps" will display the ++# command is "-su". If not defined, then "ps" would display the + # name of the shell actually being run, e.g. something like "-sh". + # + SU_NAME su + +-# +-# *REQUIRED* +-# Directory where mailboxes reside, _or_ name of file, relative to the +-# home directory. If you _do_ define both, MAIL_DIR takes precedence. +-# +-MAIL_DIR /var/spool/mail +-#MAIL_FILE .mail +- + # + # If defined, file which inhibits all the usual chatter during the login + # sequence. If a full pathname, then hushed mode will be enabled if the +@@ -139,27 +83,12 @@ MAIL_DIR /var/spool/mail + HUSHLOGIN_FILE .hushlogin + #HUSHLOGIN_FILE /etc/hushlogins + +-# +-# If defined, either a TZ environment parameter spec or the +-# fully-rooted pathname of a file containing such a spec. +-# +-#ENV_TZ TZ=CST6CDT +-#ENV_TZ /etc/tzname +- +-# +-# If defined, an HZ environment parameter spec. +-# +-# for Linux/x86 +-ENV_HZ HZ=100 +-# For Linux/Alpha... +-#ENV_HZ HZ=1024 +- + # + # *REQUIRED* The default PATH settings, for superuser and normal users. + # + # (they are minimal, add the rest in the shell startup files) +-ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin +-ENV_PATH PATH=/bin:/usr/bin ++ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin ++ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + + # + # Terminal permissions +@@ -167,11 +96,18 @@ ENV_PATH PATH=/bin:/usr/bin + # TTYGROUP Login tty will be assigned this group ownership. + # TTYPERM Login tty will be set to this permission. + # +-# If you have a write(1) program which is "setgid" to a special group +-# which owns the terminals, define TTYGROUP as the number of such group +-# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and +-# set TTYPERM to either 622 or 600. ++# If you have a "write" program which is "setgid" to a special group ++# which owns the terminals, define TTYGROUP to the group number and ++# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign ++# TTYPERM to either 622 or 600. + # ++# In Debian /usr/bin/bsd-write or similar programs are setgid tty ++# However, the default and recommended value for TTYPERM is still 0600 ++# to not allow anyone to write to anyone else console or terminal ++ ++# Users can still allow other people to write them by issuing ++# the "mesg y" command. ++ + TTYGROUP tty + TTYPERM 0600 + +@@ -180,218 +116,142 @@ TTYPERM 0600 + # + # ERASECHAR Terminal ERASE character ('\010' = backspace). + # KILLCHAR Terminal KILL character ('\025' = CTRL/U). +-# ULIMIT Default "ulimit" value. + # + # The ERASECHAR and KILLCHAR are used only on System V machines. +-# The ULIMIT is used only if the system supports it. +-# (now it works with setrlimit too; ulimit is in 512-byte units) +-# +-# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +-# ++# + ERASECHAR 0177 + KILLCHAR 025 +-#ULIMIT 2097152 +- +-# Default initial "umask" value used by login(1) on non-PAM enabled systems. +-# Default "umask" value for pam_umask(8) on PAM enabled systems. +-# UMASK is also used by useradd(8) and newusers(8) to set the mode for new +-# home directories if HOME_MODE is not set. +-# 022 is the default value, but 027, or even 077, could be considered +-# for increased privacy. There is no One True Answer here: each sysadmin +-# must make up their mind. +-UMASK 022 + + # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new + # home directories. +-# If HOME_MODE is not set, the value of UMASK is used to create the mode. +-#HOME_MODE 0700 ++HOME_MODE 0700 + + # + # Password aging controls: + # + # PASS_MAX_DAYS Maximum number of days a password may be used. + # PASS_MIN_DAYS Minimum number of days allowed between password changes. +-# PASS_MIN_LEN Minimum acceptable password length. + # PASS_WARN_AGE Number of days warning given before a password expires. + # + PASS_MAX_DAYS 99999 + PASS_MIN_DAYS 0 +-PASS_MIN_LEN 5 + PASS_WARN_AGE 7 + + # +-# If "yes", the user must be listed as a member of the first gid 0 group +-# in /etc/group (called "root" on most Linux systems) to be able to "su" +-# to uid 0 accounts. If the group doesn't exist or is empty, no one +-# will be able to "su" to uid 0. +-# +-SU_WHEEL_ONLY no +- +-# +-# Min/max values for automatic uid selection in useradd(8) ++# Min/max values for automatic uid selection in useradd + # + UID_MIN 1000 + UID_MAX 60000 + # System accounts +-SYS_UID_MIN 101 +-SYS_UID_MAX 999 ++#SYS_UID_MIN 100 ++#SYS_UID_MAX 999 + # Extra per user uids + SUB_UID_MIN 100000 + SUB_UID_MAX 600100000 + SUB_UID_COUNT 65536 + + # +-# Min/max values for automatic gid selection in groupadd(8) ++# Min/max values for automatic gid selection in groupadd + # + GID_MIN 1000 + GID_MAX 60000 + # System accounts +-SYS_GID_MIN 101 +-SYS_GID_MAX 999 ++#SYS_GID_MIN 100 ++#SYS_GID_MAX 999 + # Extra per user group ids + SUB_GID_MIN 100000 + SUB_GID_MAX 600100000 + SUB_GID_COUNT 65536 + + # +-# Max number of login(1) retries if password is bad ++# Max number of login retries if password is bad. This will most likely be ++# overriden by PAM, since the default pam_unix module has it's own built ++# in of 3 retries. However, this is a safe fallback in case you are using ++# an authentication module that does not enforce PAM_MAXTRIES. + # + LOGIN_RETRIES 5 + + # +-# Max time in seconds for login(1) ++# Max time in seconds for login + # + LOGIN_TIMEOUT 60 + + # +-# Maximum number of attempts to change password if rejected (too easy) +-# +-PASS_CHANGE_TRIES 5 +- +-# +-# Warn about weak passwords (but still allow them) if you are root. +-# +-PASS_ALWAYS_WARN yes +- +-# +-# Number of significant characters in the password for crypt(). +-# Default is 8, don't change unless your crypt() is better. +-# Ignored if MD5_CRYPT_ENAB set to "yes". +-# +-#PASS_MAX_LEN 8 +- +-# +-# Require password before chfn(1)/chsh(1) can make any changes. +-# +-CHFN_AUTH yes +- +-# +-# Which fields may be changed by regular users using chfn(1) - use ++# Which fields may be changed by regular users using chfn - use + # any combination of letters "frwh" (full name, room number, work + # phone, home phone). If not defined, no changes are allowed. + # For backward compatibility, "yes" = "rwh" and "no" = "frwh". +-# ++# + CHFN_RESTRICT rwh + + # +-# Password prompt (%s will be replaced by user name). +-# +-# XXX - it doesn't work correctly yet, for now leave it commented out +-# to use the default which is just "Password: ". +-#LOGIN_STRING "%s's Password: " +- +-# +-# Only works if compiled with MD5_CRYPT defined: +-# If set to "yes", new passwords will be encrypted using the MD5-based +-# algorithm compatible with the one used by recent releases of FreeBSD. +-# It supports passwords of unlimited length and longer salt strings. +-# Set to "no" if you need to copy encrypted passwords to other systems +-# which don't understand the new algorithm. Default is "no". +-# +-# Note: If you use PAM, it is recommended to use a value consistent with +-# the PAM modules configuration. +-# +-# This variable is deprecated. You should use ENCRYPT_METHOD instead. ++# Should login be allowed if we can't cd to the home directory? ++# Default is no. + # +-#MD5_CRYPT_ENAB no ++DEFAULT_HOME yes + + # +-# Only works if compiled with ENCRYPTMETHOD_SELECT defined: +-# If set to MD5, MD5-based algorithm will be used for encrypting password +-# If set to SHA256, SHA256-based algorithm will be used for encrypting password +-# If set to SHA512, SHA512-based algorithm will be used for encrypting password +-# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password +-# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password +-# If set to DES, DES-based algorithm will be used for encrypting password (default) +-# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations. +-# Overrides the MD5_CRYPT_ENAB option +-# +-# Note: If you use PAM, it is recommended to use a value consistent with +-# the PAM modules configuration. ++# If defined, this command is run when removing a user. ++# It should remove any at/cron/print jobs etc. owned by ++# the user to be removed (passed as the first argument). + # +-#ENCRYPT_METHOD DES ++#USERDEL_CMD /usr/sbin/userdel_local + + # +-# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. +-# +-# Define the number of SHA rounds. +-# With a lot of rounds, it is more difficult to brute-force the password. +-# However, more CPU resources will be needed to authenticate users if +-# this value is increased. ++# If set to yes, userdel will remove the user's group if it contains no ++# more members, and useradd will create by default a group with the name ++# of the user. + # +-# If not specified, the libc will choose the default number of rounds (5000), +-# which is orders of magnitude too low for modern hardware. +-# The values must be within the 1000-999999999 range. +-# If only one of the MIN or MAX values is set, then this value will be used. +-# If MIN > MAX, the highest value will be used. ++# Other former uses of this variable such as setting the umask when ++# user==primary group are not used in PAM environments, such as Debian + # +-#SHA_CRYPT_MIN_ROUNDS 5000 +-#SHA_CRYPT_MAX_ROUNDS 5000 ++USERGROUPS_ENAB yes + + # +-# Only works if ENCRYPT_METHOD is set to BCRYPT. +-# +-# Define the number of BCRYPT rounds. +-# With a lot of rounds, it is more difficult to brute-force the password. +-# However, more CPU resources will be needed to authenticate users if +-# this value is increased. +-# +-# If not specified, 13 rounds will be attempted. +-# If only one of the MIN or MAX values is set, then this value will be used. +-# If MIN > MAX, the highest value will be used. ++# Instead of the real user shell, the program specified by this parameter ++# will be launched, although its visible name (argv[0]) will be the shell's. ++# The program may do whatever it wants (logging, additional authentification, ++# banner, ...) before running the actual shell. + # +-#BCRYPT_MIN_ROUNDS 13 +-#BCRYPT_MAX_ROUNDS 13 ++# FAKE_SHELL /bin/fakeshell + + # +-# Only works if ENCRYPT_METHOD is set to YESCRYPT. +-# +-# Define the YESCRYPT cost factor. +-# With a higher cost factor, it is more difficult to brute-force the password. +-# However, more CPU time and more memory will be needed to authenticate users +-# if this value is increased. ++# If defined, either full pathname of a file containing device names or ++# a ":" delimited list of device names. Root logins will be allowed only ++# upon these devices. + # +-# If not specified, a cost factor of 5 will be used. +-# The value must be within the 1-11 range. ++# This variable is used by login and su. + # +-#YESCRYPT_COST_FACTOR 5 ++#CONSOLE /etc/consoles ++#CONSOLE console:tty01:tty02:tty03:tty04 + + # + # List of groups to add to the user's supplementary group set +-# when logging in from the console (as determined by the CONSOLE ++# when logging in on the console (as determined by the CONSOLE + # setting). Default is none. + # + # Use with caution - it is possible for users to gain permanent +-# access to these groups, even when not logged in from the console. ++# access to these groups, even when not logged in on the console. + # How to do it is left as an exercise for the reader... + # ++# This variable is used by login and su. ++# + #CONSOLE_GROUPS floppy:audio:cdrom + + # +-# Should login be allowed if we can't cd to the home directory? +-# Default is no. ++# If set to MD5, MD5-based algorithm will be used for encrypting password ++# If set to SHA256, SHA256-based algorithm will be used for encrypting password ++# If set to SHA512, SHA512-based algorithm will be used for encrypting password ++# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password ++# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password ++# If set to DES, DES-based algorithm will be used for encrypting password (default) ++# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations. ++# Overrides the MD5_CRYPT_ENAB option + # +-DEFAULT_HOME yes ++# Note: It is recommended to use a value consistent with ++# the PAM modules configuration. ++# ++ENCRYPT_METHOD YESCRYPT + + # + # The pwck(8) utility emits a warning for any system account with a home +@@ -401,67 +261,12 @@ DEFAULT_HOME yes + # + NONEXISTENT /nonexistent + +-# +-# If this file exists and is readable, login environment will be +-# read from it. Every line should be in the form name=value. +-# +-ENVIRON_FILE /etc/environment +- +-# +-# If defined, this command is run when removing a user. +-# It should remove any at/cron/print jobs etc. owned by +-# the user to be removed (passed as the first argument). +-# +-#USERDEL_CMD /usr/sbin/userdel_local +- +-# +-# Enable setting of the umask group bits to be the same as owner bits +-# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is +-# the same as gid, and username is the same as the primary group name. +-# +-# This also enables userdel(8) to remove user groups if no members exist. +-# +-USERGROUPS_ENAB yes +- +-# +-# If set to a non-zero number, the shadow utilities will make sure that +-# groups never have more than this number of users on one line. +-# This permits to support split groups (groups split into multiple lines, +-# with the same group ID, to avoid limitation of the line length in the +-# group file). +-# +-# 0 is the default value and disables this feature. +-# +-#MAX_MEMBERS_PER_GROUP 0 +- +-# +-# If useradd(8) should create home directories for users by default (non +-# system users only). +-# This option is overridden with the -M or -m flags on the useradd(8) +-# command-line. +-# +-#CREATE_HOME yes +- +-# +-# Force use shadow, even if shadow passwd & shadow group files are +-# missing. +-# +-#FORCE_SHADOW yes +- + # + # Allow newuidmap and newgidmap when running under an alternative + # primary group. + # + #GRANT_AUX_GROUP_SUBIDS yes + +-# +-# Prevents an empty password field to be interpreted as "no authentication +-# required". +-# Set to "yes" to prevent for all accounts +-# Set to "superuser" to prevent for UID 0 / root (default) +-# Set to "no" to not prevent for any account (dangerous, historical default) +-PREVENT_NO_AUTH superuser +- + # + # Select the HMAC cryptography algorithm. + # Used in pam_timestamp module to calculate the keyed-hash message +@@ -471,3 +276,49 @@ PREVENT_NO_AUTH superuser + # that are available in your system. + # + #HMAC_CRYPTO_ALGO SHA512 ++ ++################# OBSOLETED BY PAM ############## ++# # ++# These options are now handled by PAM. Please # ++# edit the appropriate file in /etc/pam.d/ to # ++# enable the equivelants of them. ++# ++############### ++ ++#MOTD_FILE ++#DIALUPS_CHECK_ENAB ++#LASTLOG_ENAB ++#MAIL_CHECK_ENAB ++#OBSCURE_CHECKS_ENAB ++#PORTTIME_CHECKS_ENAB ++#SU_WHEEL_ONLY ++#CRACKLIB_DICTPATH ++#PASS_CHANGE_TRIES ++#PASS_ALWAYS_WARN ++#ENVIRON_FILE ++#NOLOGINS_FILE ++#ISSUE_FILE ++#PASS_MIN_LEN ++#PASS_MAX_LEN ++#ULIMIT ++#ENV_HZ ++#CHFN_AUTH ++#CHSH_AUTH ++#FAIL_DELAY ++ ++################# OBSOLETED ####################### ++# # ++# These options are no more handled by shadow. # ++# # ++# Shadow utilities will display a warning if they # ++# still appear. # ++# # ++################################################### ++ ++# CLOSE_SESSIONS ++# LOGIN_STRING ++# NO_PASSWORD_CONSOLE ++# QMAIL_DIR ++ ++ ++ diff --git a/debian/patches/series b/debian/patches/series index c0d742a7..5a27fb0f 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -8,3 +8,4 @@ debian/Recommend-using-adduser-and-deluser.patch debian/Relax-usernames-groupnames-checking.patch debian/tests-disable-su.patch debian/tests-libsubid-04_nss-fix-setting-basedir.patch +debian/Adapt-login.defs-for-Debian.patch