Compare commits

...

10 Commits

Author SHA1 Message Date
Chris Hofstaedtler 41662e422b Update changelog for 1:4.15.2-2 release 2024-06-25 19:42:56 +02:00
Chris Hofstaedtler ff20574597 passwd: add Depends: login
Stop-gap until passwd can takeover /etc/login.defs from login.

Gbp-Dch: full
2024-06-25 19:41:56 +02:00
Chris Hofstaedtler 712f360fcd shadowconfig.8: actually install again 2024-06-23 15:57:14 +02:00
Chris Hofstaedtler 551cf36757 Remove our copy of HOME_MODE.xml, identical upstream 2024-06-23 15:38:08 +02:00
Chris Hofstaedtler e4f60bc5b6 d/not-installed: Remove obsolete entry
Gbp-Dch: ignore
2024-06-23 15:27:48 +02:00
Chris Hofstaedtler 0a96fd2bf0 Drop useradd's backwards-compatibility -O flag
No users appear left in Debian.
2024-06-23 14:57:28 +02:00
Chris Hofstaedtler 019ffd5126 Use upstream's restrictions on user- and group names again
Upstream started supporting mixed-case names some time ago.
Purely numeric names (#79682) are now forbidden again, as there is no
way of distinguishing them from user/group IDs otherwise.

Gbp-Dch: full
2024-06-23 14:50:55 +02:00
Chris Hofstaedtler 45e98ea60a Remove faillog support
Stop installing faillog binary and man pages. Stop creating
/var/log/faillog in login.postinst.
PAM has removed support for /var/log/faillog by dropping pam_tally, and
login itself cannot write to it either.

Gbp-Dch: full
2024-06-23 03:07:36 +02:00
Chris Hofstaedtler 878710fb7a d/rules: explicitly set --with-audit and --enable-subordinate-ids 2024-06-22 18:12:09 +02:00
Chris Hofstaedtler 771535fa07 useradd(8): Fix missing paragraph on username length 2024-06-22 18:05:22 +02:00
15 changed files with 109 additions and 264 deletions
-43
View File
@@ -1,43 +0,0 @@
<!--
Copyright (c) 1991 - 1993, Julianne Frances Haugh
Copyright (c) 1991 - 1993, Chip Rosenthal
Copyright (c) 2007 - 2009, Nicolas François
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. The name of the copyright holders or contributors may not be used to
endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-->
<varlistentry>
<term><option>HOME_MODE</option> (number)</term>
<listitem>
<para>
The mode for new home directories. If not specified,
the <option>UMASK</option> is used to create the mode.
</para>
<para>
<command>useradd</command> and <command>newusers</command> use this
to set the mode of the home directory they create.
</para>
</listitem>
</varlistentry>
+21
View File
@@ -1,3 +1,24 @@
shadow (1:4.15.2-2) unstable; urgency=medium
* useradd(8): Fix missing paragraph on username length
* d/rules: explicitly set --with-audit and --enable-subordinate-ids
* Remove faillog support.
Stop installing faillog binary and man pages. Stop creating
/var/log/faillog in login.postinst.
PAM has removed support for /var/log/faillog by dropping pam_tally, and
login itself cannot write to it either.
* Use upstream's restrictions on user- and group names again.
Upstream started supporting mixed-case names some time ago.
Purely numeric names (#79682) are now forbidden again, as there is no
way of distinguishing them from user/group IDs otherwise.
* Drop useradd's backwards-compatibility -O flag
* Remove our copy of HOME_MODE.xml, identical upstream
* shadowconfig.8: actually install again
* passwd: add Depends: login.
Stop-gap until passwd can takeover /etc/login.defs from login.
-- Chris Hofstaedtler <zeha@debian.org> Tue, 25 Jun 2024 19:42:24 +0200
shadow (1:4.15.2-1) unstable; urgency=medium
* New upstream version 4.15.2
+2 -1
View File
@@ -39,7 +39,8 @@ Package: passwd
Architecture: any
Multi-Arch: foreign
Depends:
libpam-modules
libpam-modules,
login
Recommends:
sensible-utils
Description: change and administer password and group data
-6
View File
@@ -137,12 +137,6 @@ Copyright: 1999-2001, Ben Collins <bcollins@debian.org>
2017-2022 Balint Reczey <balint@balintreczey.hu>
License: BSD-3-clause
Files: debian/HOME_MODE.xml
Copyright: 1991-1993, Chip Rosenthal
1991-1993, Julianne Frances Haugh
2007-2009, Nicolas François
License: BSD-3-clause
Files: debian/patches/cppw-Add-tool.patch
Copyright: 1997, Guy Maor <maor@ece.utexas.edu>
1999, Stephen Frost <sfrost@snowman.net>
-1
View File
@@ -1,6 +1,5 @@
bin/login usr/bin
debian/login.defs etc
sbin/nologin usr/sbin
usr/bin/faillog
usr/bin/newgrp
usr/share/locale/*/LC_MESSAGES/shadow.mo
-4
View File
@@ -1,14 +1,10 @@
usr/share/man/*/man1/login.1
usr/share/man/*/man1/newgrp.1
usr/share/man/*/man1/sg.1
usr/share/man/*/man5/faillog.5
usr/share/man/*/man5/login.defs.5
usr/share/man/*/man8/faillog.8
usr/share/man/*/man8/nologin.8
usr/share/man/man1/login.1
usr/share/man/man1/newgrp.1
usr/share/man/man1/sg.1
usr/share/man/man5/faillog.5
usr/share/man/man5/login.defs.5
usr/share/man/man8/faillog.8
usr/share/man/man8/nologin.8
-9
View File
@@ -1,16 +1,7 @@
#!/bin/sh
set -e
if [ "$1" = "configure" ]; then
# Install faillog during initial installs only
if [ "$2" = "" ] && [ ! -f "$DPKG_ROOT/var/log/faillog" ] ; then
touch "$DPKG_ROOT/var/log/faillog"
chown 0:0 "$DPKG_ROOT/var/log/faillog"
chmod 644 "$DPKG_ROOT/var/log/faillog"
fi
# Create subuid/subgid if missing
if [ ! -e "$DPKG_ROOT/etc/subuid" ]; then
touch "$DPKG_ROOT/etc/subuid"
+5 -1
View File
@@ -1,5 +1,4 @@
bin/groups
etc/default/useradd
etc/login.defs
etc/pam.d/chfn
etc/pam.d/chage
@@ -15,6 +14,7 @@ etc/pam.d/passwd
etc/pam.d/useradd
etc/pam.d/userdel
etc/pam.d/usermod
usr/bin/faillog
usr/bin/sg
usr/lib/*/libsubid.la
usr/sbin/logoutd
@@ -24,13 +24,17 @@ usr/share/man/*/man1/logoutd.1
usr/share/man/*/man1/su.1
usr/share/man/*/man3/getspnam.3
usr/share/man/*/man3/shadow.3
usr/share/man/*/man5/faillog.5
usr/share/man/*/man5/suauth.5
usr/share/man/*/man8/faillog.8
usr/share/man/*/man8/logoutd.8
usr/share/man/man1/groups.1
usr/share/man/man1/logoutd.1
usr/share/man/man1/su.1
usr/share/man/man3/getspnam.3
usr/share/man/man3/shadow.3
usr/share/man/man5/faillog.5
usr/share/man/man5/suauth.5
usr/share/man/man8/faillog.8
usr/share/man/man8/logoutd.8
+2
View File
@@ -24,6 +24,7 @@ usr/share/man/*/man8/newusers.8
usr/share/man/*/man8/pwck.8
usr/share/man/*/man8/pwconv.8
usr/share/man/*/man8/pwunconv.8
usr/share/man/*/man8/shadowconfig.8
usr/share/man/*/man8/useradd.8
usr/share/man/*/man8/userdel.8
usr/share/man/*/man8/usermod.8
@@ -53,6 +54,7 @@ usr/share/man/man8/newusers.8
usr/share/man/man8/pwck.8
usr/share/man/man8/pwconv.8
usr/share/man/man8/pwunconv.8
usr/share/man/man8/shadowconfig.8
usr/share/man/man8/useradd.8
usr/share/man/man8/userdel.8
usr/share/man/man8/usermod.8
+75 -15
View File
@@ -7,23 +7,59 @@ Its man page also (but it used to be distributed)
Gbp-Topic: debian
---
man/fr/shadowconfig.8 | 26 +++++++++++++++++++++++++
man/ja/shadowconfig.8 | 25 ++++++++++++++++++++++++
man/pl/shadowconfig.8 | 27 ++++++++++++++++++++++++++
man/shadowconfig.8 | 41 +++++++++++++++++++++++++++++++++++++++
man/shadowconfig.8.xml | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++
5 files changed, 171 insertions(+)
create mode 100644 man/fr/shadowconfig.8
create mode 100644 man/ja/shadowconfig.8
create mode 100644 man/pl/shadowconfig.8
man/Makefile.am | 2 ++
man/fr/Makefile.am | 1 +
man/fr/man8/shadowconfig.8 | 26 +++++++++++++++++++++++
man/ja/Makefile.am | 1 +
man/ja/man8/shadowconfig.8 | 25 ++++++++++++++++++++++
man/pl/Makefile.am | 1 +
man/pl/man8/shadowconfig.8 | 27 ++++++++++++++++++++++++
man/shadowconfig.8 | 41 ++++++++++++++++++++++++++++++++++++
man/shadowconfig.8.xml | 52 ++++++++++++++++++++++++++++++++++++++++++++++
9 files changed, 176 insertions(+)
create mode 100644 man/fr/man8/shadowconfig.8
create mode 100644 man/ja/man8/shadowconfig.8
create mode 100644 man/pl/man8/shadowconfig.8
create mode 100644 man/shadowconfig.8
create mode 100644 man/shadowconfig.8.xml
diff --git a/man/fr/shadowconfig.8 b/man/fr/shadowconfig.8
diff --git a/man/Makefile.am b/man/Makefile.am
index 83b1d68..dab98f4 100644
--- a/man/Makefile.am
+++ b/man/Makefile.am
@@ -37,6 +37,7 @@ man_MANS = \
man8/pwck.8 \
man8/pwconv.8 \
man8/pwunconv.8 \
+ man8/shadowconfig.8 \
man1/sg.1 \
man3/shadow.3 \
man5/shadow.5 \
@@ -108,6 +109,7 @@ man_XMANS = \
porttime.5.xml \
pwck.8.xml \
pwconv.8.xml \
+ shadowconfig.8.xml \
shadow.3.xml \
shadow.5.xml \
sg.1.xml \
diff --git a/man/fr/Makefile.am b/man/fr/Makefile.am
index 335e029..78aee9a 100644
--- a/man/fr/Makefile.am
+++ b/man/fr/Makefile.am
@@ -32,6 +32,7 @@ man_MANS = \
man8/pwck.8 \
man8/pwconv.8 \
man8/pwunconv.8 \
+ man8/shadowconfig.8 \
man1/sg.1 \
man3/shadow.3 \
man5/shadow.5 \
diff --git a/man/fr/man8/shadowconfig.8 b/man/fr/man8/shadowconfig.8
new file mode 100644
index 0000000..784da70
--- /dev/null
+++ b/man/fr/shadowconfig.8
+++ b/man/fr/man8/shadowconfig.8
@@ -0,0 +1,26 @@
+.\" This file was generated with po4a. Translate the source file.
+.\"
@@ -51,11 +87,23 @@ index 0000000..784da70
+.SH TRADUCTION
+Nicolas FRANÇOIS, 2004.
+Veuillez signaler toute erreur à <\fIdebian\-l10\-french@lists.debian.org\fR>.
diff --git a/man/ja/shadowconfig.8 b/man/ja/shadowconfig.8
diff --git a/man/ja/Makefile.am b/man/ja/Makefile.am
index 13f18da..c72097f 100644
--- a/man/ja/Makefile.am
+++ b/man/ja/Makefile.am
@@ -27,6 +27,7 @@ man_MANS = \
man8/pwck.8 \
man8/pwconv.8 \
man8/pwunconv.8 \
+ man8/shadowconfig.8 \
man1/sg.1 \
man5/shadow.5 \
man1/su.1 \
diff --git a/man/ja/man8/shadowconfig.8 b/man/ja/man8/shadowconfig.8
new file mode 100644
index 0000000..a75c6f7
--- /dev/null
+++ b/man/ja/shadowconfig.8
+++ b/man/ja/man8/shadowconfig.8
@@ -0,0 +1,25 @@
+.\" all right reserved,
+.\" Translated Tue Oct 30 11:59:11 JST 2001
@@ -82,11 +130,23 @@ index 0000000..a75c6f7
+
+.I /usr/share/doc/passwd/README.debian.gz
+には shadow パスワードとそれに関する特徴の簡単な紹介が書かれている。
diff --git a/man/pl/shadowconfig.8 b/man/pl/shadowconfig.8
diff --git a/man/pl/Makefile.am b/man/pl/Makefile.am
index b2f096f..aa79af2 100644
--- a/man/pl/Makefile.am
+++ b/man/pl/Makefile.am
@@ -18,6 +18,7 @@ man_MANS = \
man8/logoutd.8 \
man1/newgrp.1 \
man1/sg.1 \
+ man8/shadowconfig.8 \
man3/shadow.3 \
man8/userdel.8 \
man8/usermod.8 \
diff --git a/man/pl/man8/shadowconfig.8 b/man/pl/man8/shadowconfig.8
new file mode 100644
index 0000000..2016c9f
--- /dev/null
+++ b/man/pl/shadowconfig.8
+++ b/man/pl/man8/shadowconfig.8
@@ -0,0 +1,27 @@
+.\" $Id: shadowconfig.8,v 1.3 2001/08/23 23:10:51 kloczek Exp $
+.\" {PTM/WK/1999-09-14}
-124
View File
@@ -1,124 +0,0 @@
From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Date: Sat, 22 Jun 2024 17:39:41 +0200
Subject: Relax usernames/groupnames checking
Allows any non-empty user/grounames that don't contain ':', ',' or '\n'
characters and don't start with '-', '+', or '~'. This patch is more
restrictive than original Karl's version. closes: #264879
Also closes: #377844
Comments from Karl Ramm (shadow 1:4.0.3-9, 20 Aug 2003 02:06:50 -0400):
I can't come up with a good justification as to why characters other
than ':'s and '\0's should be disallowed in group and usernames (other
than '-' as the leading character). Thus, the maintenance tools don't
anymore. closes: #79682, #166798, #171179
Status wrt upstream: Debian specific. Not to be used upstream
Gbp-Topic: debian
---
lib/chkname.c | 47 +++++++++++++++--------------------------------
man/groupadd.8.xml | 6 ++++++
man/useradd.8.xml | 7 ++++++-
3 files changed, 27 insertions(+), 33 deletions(-)
diff --git a/lib/chkname.c b/lib/chkname.c
index 995562f..d9678c6 100644
--- a/lib/chkname.c
+++ b/lib/chkname.c
@@ -54,44 +54,27 @@ static bool is_valid_name (const char *name)
}
/*
- * User/group names must match BRE regex:
- * [a-zA-Z0-9_.][a-zA-Z0-9_.-]*$\?
- *
- * as a non-POSIX, extension, allow "$" as the last char for
- * sake of Samba 3.x "add machine script"
- *
- * Also do not allow fully numeric names or just "." or "..".
- */
- int numeric;
-
- if ('\0' == *name ||
- ('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
- '\0' == name[1])) ||
- !((*name >= 'a' && *name <= 'z') ||
- (*name >= 'A' && *name <= 'Z') ||
- (*name >= '0' && *name <= '9') ||
- *name == '_' ||
- *name == '.')) {
+ * POSIX indicate that usernames are composed of characters from the
+ * portable filename character set [A-Za-z0-9._-], and that the hyphen
+ * should not be used as the first character of a portable user name.
+ *
+ * Allow more relaxed user/group names in Debian -- ^[^-~+:,\s][^:,\s]*$
+ */
+ if ( ('\0' == *name)
+ || ('-' == *name)
+ || ('~' == *name)
+ || ('+' == *name)) {
return false;
}
- numeric = isdigit(*name);
-
- while ('\0' != *++name) {
- if (!((*name >= 'a' && *name <= 'z') ||
- (*name >= 'A' && *name <= 'Z') ||
- (*name >= '0' && *name <= '9') ||
- *name == '_' ||
- *name == '.' ||
- *name == '-' ||
- (*name == '$' && name[1] == '\0')
- )) {
+ do {
+ if ((':' == *name) || (',' == *name) || isspace(*name)) {
return false;
}
- numeric &= isdigit(*name);
- }
+ name++;
+ } while ('\0' != *name);
- return !numeric;
+ return true;
}
diff --git a/man/groupadd.8.xml b/man/groupadd.8.xml
index 61a548f..d472bd0 100644
--- a/man/groupadd.8.xml
+++ b/man/groupadd.8.xml
@@ -71,6 +71,12 @@
Fully numeric groupnames and groupnames . or .. are
also disallowed.
</para>
+ <para>
+ On Debian, the only constraints are that groupnames must neither start
+ with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a
+ colon (':'), a comma (','), or a whitespace (space:' ',
+ end of line: '\n', tabulation: '\t', etc.).
+ </para>
<para>
Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
</para>
diff --git a/man/useradd.8.xml b/man/useradd.8.xml
index 17987a6..4fc95d1 100644
--- a/man/useradd.8.xml
+++ b/man/useradd.8.xml
@@ -733,7 +733,12 @@
the <command>ls</command> output.
</para>
<para>
- Usernames may only be up to 256 characters long.
+ On Debian, the only constraints are that usernames must neither start
+ with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a
+ colon (':'), a comma (','), or a whitespace (space: ' ',
+ end of line: '\n', tabulation: '\t', etc.). Note that using a slash
+ ('/') may break the default algorithm for the definition of the
+ user's home directory.
</para>
</refsect1>
@@ -1,6 +1,6 @@
From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Date: Sat, 22 Jun 2024 17:39:41 +0200
Subject: ccpw: add selinux support
Subject: cppw: add selinux support
Status wrt upstream: cppw is not available upstream.
Needs to be reviewed by an SE-Linux aware person.
+1 -3
View File
@@ -1,9 +1,7 @@
cppw-Add-tool.patch
ccpw-add-selinux-support.patch
cppw-add-selinux-support.patch
Let-pam_unix-handle-login-failure-delays.patch
Set-group-and-mode-for-g-shadow-files.patch
Keep-using-Debian-adduser-defaults.patch
Document-the-shadowconfig-utility.patch
Recommend-using-adduser-and-deluser.patch
Relax-usernames-groupnames-checking.patch
useradd-accept-the-O-flag-for-backward-compatibility.patch
@@ -1,52 +0,0 @@
From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Date: Sat, 22 Jun 2024 17:39:41 +0200
Subject: useradd: accept the -O flag for backward compatibility
Note: useradd.8 needs to be regenerated.
Status wrt upstream: not included as this is just specific
backward compatibility for Debian
Gbp-Topic: debian
---
man/useradd.8.xml | 5 +++++
src/useradd.c | 3 ++-
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/man/useradd.8.xml b/man/useradd.8.xml
index 4fc95d1..c513e56 100644
--- a/man/useradd.8.xml
+++ b/man/useradd.8.xml
@@ -333,6 +333,11 @@
=<replaceable>100</replaceable>&nbsp;<option>-K</option>&nbsp;
<replaceable>UID_MAX</replaceable>=<replaceable>499</replaceable>
</para>
+ <para>
+ For the compatibility with previous Debian's
+ <command>useradd</command>, the <option>-O</option> option is
+ also supported.
+ </para>
<!--para>
Note: <option>-K</option>&nbsp;<replaceable>UID_MIN</replaceable>=<replaceable>10</replaceable>,<replaceable>UID_MAX</replaceable>=<replaceable>499</replaceable>
doesn't work yet.
diff --git a/src/useradd.c b/src/useradd.c
index ac43edd..1cf3349 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -1215,7 +1215,7 @@ static void process_flags (int argc, char **argv)
{NULL, 0, NULL, '\0'}
};
while ((c = getopt_long (argc, argv,
- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:U"
+ "b:c:d:De:f:g:G:hk:O:K:lmMNop:rR:P:s:u:U"
#ifdef WITH_SELINUX
"Z:"
#endif /* WITH_SELINUX */
@@ -1355,6 +1355,7 @@ static void process_flags (int argc, char **argv)
kflg = true;
break;
case 'K':
+ case 'O': /* compatibility with previous Debian useradd */
/*
* override login.defs defaults (-K name=value)
* example: -K UID_MIN=100 -K UID_MAX=499
+2 -4
View File
@@ -13,6 +13,7 @@ DEB_CONFIGURE_EXTRA_FLAGS := \
--with-libpam \
--with-yescrypt \
--enable-shadowgrp \
--enable-subordinate-ids \
--enable-lastlog=no \
--enable-man \
--disable-account-tools-setuid \
@@ -25,6 +26,7 @@ DEB_CONFIGURE_EXTRA_FLAGS := \
ifneq ($(DEB_HOST_ARCH_OS),linux)
DEB_CONFIGURE_EXTRA_FLAGS += --enable-logind
DEB_CONFIGURE_EXTRA_FLAGS += --with-audit
endif
ifneq ($(filter nodoc,$(DEB_BUILD_PROFILES)),)
@@ -40,7 +42,6 @@ CFLAGS += -DDEFAULT_EDITOR="\"sensible-editor\""
dh $@
override_dh_auto_configure:
cp debian/HOME_MODE.xml man/login.defs.d/HOME_MODE.xml
dh_auto_configure -- $(DEB_CONFIGURE_EXTRA_FLAGS)
override_dh_install-arch:
@@ -66,6 +67,3 @@ override_dh_installpam:
override_dh_auto_clean:
sed -i 's/# Linux only # //' debian/login.pam
dh_auto_clean
override_dh_clean:
dh_clean ./man/login.defs.d/HOME_MODE.xml