Add Build-Depends: libcmocka-dev to run build-time tests

2024-07-06 23:57:40 +02:00
11 changed files with 337 additions and 555 deletions
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,30 +1,3 @@
-shadow (1:4.15.3-3) unstable; urgency=medium
-
-  * Forbid backslashes in user/group-names.
-    They can still be used with --force-badname, but it's a start. In the
-    long run I want to remove our relax patch, and upstream should fix the
-    line continuation too. For #1076619.
-
- -- Chris Hofstaedtler <zeha@debian.org>  Sun, 21 Jul 2024 21:05:32 +0200
-
-shadow (1:4.15.3-2) unstable; urgency=medium
-
-  [ Pino Toscano ]
-  * d/rules: actually enable Linux-only options on Linux
-    This enables --enable-logind and --with-audit.
-
-  [ Chris Hofstaedtler ]
-  * Stop installing groupmems(8) (Closes: #1004472, LP: #2039541)
-  * login.defs: remove obsolete/confusing comments
-  * login.defs: resync comments with upstream
-  * login.defs: remove incomplete list of unused vars
-  * login.defs: remove obscure, defaulted vars
-  * login.defs: remove vars ignored by su(1)
-  * login.defs: remove CONSOLE_GROUPS, ignored with PAM
-  * login.defs: remove CONSOLE, ignored with PAM
-
- -- Chris Hofstaedtler <zeha@debian.org>  Sun, 07 Jul 2024 15:30:38 +0200
-
 shadow (1:4.15.3-1) unstable; urgency=medium

  * New upstream version 4.15.3
--- a/debian/control
+++ b/debian/control
@@ -19,6 +19,7 @@ Build-Depends:
 libaudit-dev [linux-any],
 libbsd-dev,
 libcrypt-dev,
+ libcmocka-dev <!nocheck>,
 libltdl-dev,
 libpam0g-dev,
 libselinux1-dev [linux-any],
--- a/debian/login.defs
+++ b/debian/login.defs
@@ -0,0 +1,324 @@
+#
+# /etc/login.defs - Configuration control definitions for the login package.
+#
+# Three items must be defined:  MAIL_DIR, ENV_SUPATH, and ENV_PATH.
+# If unspecified, some arbitrary (and possibly incorrect) value will
+# be assumed.  All other items are optional - if not specified then
+# the described action or option will be inhibited.
+#
+# Comment lines (lines beginning with "#") and blank lines are ignored.
+#
+# Modified for Linux.  --marekm
+
+# REQUIRED for useradd/userdel/usermod
+#   Directory where mailboxes reside, _or_ name of file, relative to the
+#   home directory.  If you _do_ define MAIL_DIR and MAIL_FILE,
+#   MAIL_DIR takes precedence.
+#
+#   Essentially:
+#      - MAIL_DIR defines the location of users mail spool files
+#        (for mbox use) by appending the username to MAIL_DIR as defined
+#        below.
+#      - MAIL_FILE defines the location of the users mail spool files as the
+#        fully-qualified filename obtained by prepending the user home
+#        directory before $MAIL_FILE
+#
+# NOTE: This is no more used for setting up users MAIL environment variable
+#       which is, starting from shadow 4.0.12-1 in Debian, entirely the
+#       job of the pam_mail PAM modules
+#       See default PAM configuration files provided for
+#       login, su, etc.
+#
+# This is a temporary situation: setting these variables will soon
+# move to /etc/default/useradd and the variables will then be
+# no more supported
+MAIL_DIR        /var/mail
+#MAIL_FILE      .mail
+
+#
+# Enable display of unknown usernames when login failures are recorded.
+#
+# WARNING: Unknown usernames may become world readable. 
+# See #290803 and #298773 for details about how this could become a security
+# concern
+LOG_UNKFAIL_ENAB	no
+
+#
+# Enable logging of successful logins
+#
+LOG_OK_LOGINS		no
+
+#
+# Enable "syslog" logging of su activity - in addition to sulog file logging.
+# SYSLOG_SG_ENAB does the same for newgrp and sg.
+#
+SYSLOG_SU_ENAB		yes
+SYSLOG_SG_ENAB		yes
+
+#
+# If defined, all su activity is logged to this file.
+#
+#SULOG_FILE	/var/log/sulog
+
+#
+# If defined, file which maps tty line to TERM environment parameter.
+# Each line of the file is in a format something like "vt100  tty01".
+#
+#TTYTYPE_FILE	/etc/ttytype
+
+#
+# If defined, the command name to display when running "su -".  For
+# example, if this is defined as "su" then a "ps" will display the
+# command is "-su".  If not defined, then "ps" would display the
+# name of the shell actually being run, e.g. something like "-sh".
+#
+SU_NAME		su
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence.  If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file.  If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+HUSHLOGIN_FILE	.hushlogin
+#HUSHLOGIN_FILE	/etc/hushlogins
+
+#
+# *REQUIRED*  The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+ENV_SUPATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ENV_PATH	PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
+
+#
+# Terminal permissions
+#
+#	TTYGROUP	Login tty will be assigned this group ownership.
+#	TTYPERM		Login tty will be set to this permission.
+#
+# If you have a "write" program which is "setgid" to a special group
+# which owns the terminals, define TTYGROUP to the group number and
+# TTYPERM to 0620.  Otherwise leave TTYGROUP commented out and assign
+# TTYPERM to either 622 or 600.
+#
+# In Debian /usr/bin/bsd-write or similar programs are setgid tty
+# However, the default and recommended value for TTYPERM is still 0600
+# to not allow anyone to write to anyone else console or terminal
+
+# Users can still allow other people to write them by issuing 
+# the "mesg y" command.
+
+TTYGROUP	tty
+TTYPERM		0600
+
+#
+# Login configuration initializations:
+#
+#	ERASECHAR	Terminal ERASE character ('\010' = backspace).
+#	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
+#
+# The ERASECHAR and KILLCHAR are used only on System V machines.
+# 
+ERASECHAR	0177
+KILLCHAR	025
+
+# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+# home directories.
+HOME_MODE	0700
+
+#
+# Password aging controls:
+#
+#	PASS_MAX_DAYS	Maximum number of days a password may be used.
+#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
+#	PASS_WARN_AGE	Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS	99999
+PASS_MIN_DAYS	0
+PASS_WARN_AGE	7
+
+#
+# Min/max values for automatic uid selection in useradd
+#
+UID_MIN			 1000
+UID_MAX			60000
+# System accounts
+#SYS_UID_MIN		  100
+#SYS_UID_MAX		  999
+# Extra per user uids
+SUB_UID_MIN		   100000
+SUB_UID_MAX		600100000
+SUB_UID_COUNT		    65536
+
+#
+# Min/max values for automatic gid selection in groupadd
+#
+GID_MIN			 1000
+GID_MAX			60000
+# System accounts
+#SYS_GID_MIN		  100
+#SYS_GID_MAX		  999
+# Extra per user group ids
+SUB_GID_MIN		   100000
+SUB_GID_MAX		600100000
+SUB_GID_COUNT		    65536
+
+#
+# Max number of login retries if password is bad. This will most likely be
+# overriden by PAM, since the default pam_unix module has it's own built
+# in of 3 retries. However, this is a safe fallback in case you are using
+# an authentication module that does not enforce PAM_MAXTRIES.
+#
+LOGIN_RETRIES		5
+
+#
+# Max time in seconds for login
+#
+LOGIN_TIMEOUT		60
+
+#
+# Which fields may be changed by regular users using chfn - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone).  If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+# 
+CHFN_RESTRICT		rwh
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default is no.
+#
+DEFAULT_HOME	yes
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD	/usr/sbin/userdel_local
+
+#
+# If set to yes, userdel will remove the user's group if it contains no
+# more members, and useradd will create by default a group with the name
+# of the user.
+#
+# Other former uses of this variable such as setting the umask when
+# user==primary group are not used in PAM environments, such as Debian
+#
+USERGROUPS_ENAB yes
+
+#
+# Instead of the real user shell, the program specified by this parameter
+# will be launched, although its visible name (argv[0]) will be the shell's.
+# The program may do whatever it wants (logging, additional authentification,
+# banner, ...) before running the actual shell.
+#
+# FAKE_SHELL /bin/fakeshell
+
+#
+# If defined, either full pathname of a file containing device names or
+# a ":" delimited list of device names.  Root logins will be allowed only
+# upon these devices.
+#
+# This variable is used by login and su.
+#
+#CONSOLE	/etc/consoles
+#CONSOLE	console:tty01:tty02:tty03:tty04
+
+#
+# List of groups to add to the user's supplementary group set
+# when logging in on the console (as determined by the CONSOLE
+# setting).  Default is none.
+#
+# Use with caution - it is possible for users to gain permanent
+# access to these groups, even when not logged in on the console.
+# How to do it is left as an exercise for the reader...
+#
+# This variable is used by login and su.
+#
+#CONSOLE_GROUPS		floppy:audio:cdrom
+
+#
+# If set to MD5, MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
+# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
+# Overrides the MD5_CRYPT_ENAB option
+#
+# Note: It is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+ENCRYPT_METHOD YESCRYPT
+
+#
+# The pwck(8) utility emits a warning for any system account with a home
+# directory that does not exist.  Some system accounts intentionally do
+# not have a home directory.  Such accounts may have this string as
+# their home directory in /etc/passwd to avoid a spurious warning.
+#
+NONEXISTENT	/nonexistent
+
+#
+# Allow newuidmap and newgidmap when running under an alternative
+# primary group.
+#
+#GRANT_AUX_GROUP_SUBIDS yes
+
+#
+# Select the HMAC cryptography algorithm.
+# Used in pam_timestamp module to calculate the keyed-hash message
+# authentication code.
+#
+# Note: It is recommended to check hmac(3) to see the possible algorithms
+# that are available in your system.
+#
+#HMAC_CRYPTO_ALGO SHA512
+
+################# OBSOLETED BY PAM ##############
+#						#
+# These options are now handled by PAM. Please	#
+# edit the appropriate file in /etc/pam.d/ to	#
+# enable the equivelants of them.
+#
+###############
+
+#MOTD_FILE
+#DIALUPS_CHECK_ENAB
+#LASTLOG_ENAB
+#MAIL_CHECK_ENAB
+#OBSCURE_CHECKS_ENAB
+#PORTTIME_CHECKS_ENAB
+#SU_WHEEL_ONLY
+#CRACKLIB_DICTPATH
+#PASS_CHANGE_TRIES
+#PASS_ALWAYS_WARN
+#ENVIRON_FILE
+#NOLOGINS_FILE
+#ISSUE_FILE
+#PASS_MIN_LEN
+#PASS_MAX_LEN
+#ULIMIT
+#ENV_HZ
+#CHFN_AUTH
+#CHSH_AUTH
+#FAIL_DELAY
+
+################# OBSOLETED #######################
+#						  #
+# These options are no more handled by shadow.    #
+#                                                 #
+# Shadow utilities will display a warning if they #
+# still appear.                                   #
+#                                                 #
+###################################################
+
+# CLOSE_SESSIONS
+# LOGIN_STRING
+# NO_PASSWORD_CONSOLE
+# QMAIL_DIR
+
+
+
--- a/debian/login.install
+++ b/debian/login.install
@@ -1,5 +1,5 @@
 bin/login usr/bin
-etc/login.defs etc
+debian/login.defs etc
 sbin/nologin usr/sbin
 usr/bin/newgrp
 usr/share/locale/*/LC_MESSAGES/shadow.mo
--- a/debian/not-installed
+++ b/debian/not-installed
@@ -1,5 +1,4 @@
 bin/groups
-# Workaround debhelper complaining about login.defs, although we install it.
 etc/login.defs
 etc/pam.d/chfn
 etc/pam.d/chage
@@ -18,7 +17,6 @@ etc/pam.d/usermod
 usr/bin/faillog
 usr/bin/sg
 usr/lib/*/libsubid.la
-usr/sbin/groupmems
 usr/sbin/logoutd
 usr/sbin/vigr
 usr/share/man/*/man1/groups.1
@@ -29,9 +27,7 @@ usr/share/man/*/man3/shadow.3
 usr/share/man/*/man5/faillog.5
 usr/share/man/*/man5/suauth.5
 usr/share/man/*/man8/faillog.8
-usr/share/man/*/man8/groupmems.8
 usr/share/man/*/man8/logoutd.8
-usr/share/man/man8/groupmems.8
 usr/share/man/man1/groups.1
 usr/share/man/man1/logoutd.1
 usr/share/man/man1/su.1
--- a/debian/passwd.install
+++ b/debian/passwd.install
@@ -11,6 +11,7 @@ usr/sbin/chpasswd
 usr/sbin/cppw
 usr/sbin/groupadd
 usr/sbin/groupdel
+usr/sbin/groupmems
 usr/sbin/groupmod
 usr/sbin/grpck
 usr/sbin/grpconv
--- a/debian/passwd.manpages
+++ b/debian/passwd.manpages
@@ -15,6 +15,7 @@ usr/share/man/*/man8/chgpasswd.8
 usr/share/man/*/man8/chpasswd.8
 usr/share/man/*/man8/groupadd.8
 usr/share/man/*/man8/groupdel.8
+usr/share/man/*/man8/groupmems.8
 usr/share/man/*/man8/groupmod.8
 usr/share/man/*/man8/grpck.8
 usr/share/man/*/man8/grpconv.8
@@ -44,6 +45,7 @@ usr/share/man/man8/chgpasswd.8
 usr/share/man/man8/chpasswd.8
 usr/share/man/man8/groupadd.8
 usr/share/man/man8/groupdel.8
+usr/share/man/man8/groupmems.8
 usr/share/man/man8/groupmod.8
 usr/share/man/man8/grpck.8
 usr/share/man/man8/grpconv.8
--- a/debian/patches/debian/Adapt-login.defs-for-Debian.patch
+++ b/debian/patches/debian/Adapt-login.defs-for-Debian.patch
@@ -1,514 +0,0 @@
-From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
-Date: Sun, 7 Jul 2024 14:06:39 +0200
-Subject: Adapt login.defs for Debian
-
-Remove settings only applicable to shadow's su, which we do not use.
-Remove settings only applicable without PAM support enabled.
-Remove obscure commented-out settings.
---
- etc/login.defs | 372 ++++++++-------------------------------------------------
- 1 file changed, 51 insertions(+), 321 deletions(-)
-
-diff --git a/etc/login.defs b/etc/login.defs
-index 33622c2..f44f381 100644
--- a/etc/login.defs
-+++ b/etc/login.defs
-@@ -1,24 +1,38 @@
- #
- # /etc/login.defs - Configuration control definitions for the shadow package.
- #
-#	$Id$
-#
- 
-#
-# Delay in seconds before being allowed another attempt after a login failure
-# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
-#       pam_unix(8) enforces a 2s delay)
-#
-FAIL_DELAY		3
-
-#
-# Enable logging and display of /var/log/faillog login(1) failure info.
-#
-FAILLOG_ENAB		yes
-+# REQUIRED for useradd/userdel/usermod
-+#   Directory where mailboxes reside, _or_ name of file, relative to the
-+#   home directory.  If you _do_ define MAIL_DIR and MAIL_FILE,
-+#   MAIL_DIR takes precedence.
-+#
-+#   Essentially:
-+#      - MAIL_DIR defines the location of users mail spool files
-+#        (for mbox use) by appending the username to MAIL_DIR as defined
-+#        below.
-+#      - MAIL_FILE defines the location of the users mail spool files as the
-+#        fully-qualified filename obtained by prepending the user home
-+#        directory before $MAIL_FILE
-+#
-+# NOTE: This is no more used for setting up users MAIL environment variable
-+#       which is, starting from shadow 4.0.12-1 in Debian, entirely the
-+#       job of the pam_mail PAM modules
-+#       See default PAM configuration files provided for
-+#       login, su, etc.
-+#
-+# This is a temporary situation: setting these variables will soon
-+# move to /etc/default/useradd and the variables will then be
-+# no more supported
-+MAIL_DIR        /var/mail
-+#MAIL_FILE      .mail
- 
- #
- # Enable display of unknown usernames when login(1) failures are recorded.
- #
-+# WARNING: Unknown usernames may become world readable.
-+# See #290803 and #298773 for details about how this could become a security
-+# concern
- LOG_UNKFAIL_ENAB	no
- 
- #
-@@ -26,110 +40,12 @@ LOG_UNKFAIL_ENAB	no
- #
- LOG_OK_LOGINS		no
- 
-#
-# Enable logging and display of /var/log/lastlog login(1) time info.
-#
-LASTLOG_ENAB		yes
-
-#
-# Limit the highest user ID number for which the lastlog entries should
-# be updated.
-#
-# No LASTLOG_UID_MAX means that there is no user ID limit for writing
-# lastlog entries.
-#
-#LASTLOG_UID_MAX
-
-#
-# Enable checking and display of mailbox status upon login.
-#
-# Disable if the shell startup files already check for mail
-# ("mailx -e" or equivalent).
-#
-MAIL_CHECK_ENAB		yes
-
-#
-# Enable additional checks upon password changes.
-#
-OBSCURE_CHECKS_ENAB	yes
-
-#
-# Enable checking of time restrictions specified in /etc/porttime.
-#
-PORTTIME_CHECKS_ENAB	yes
-
-#
-# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field.
-#
-QUOTAS_ENAB		yes
-
-#
-# Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
-# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
-#
-SYSLOG_SU_ENAB		yes
-SYSLOG_SG_ENAB		yes
-
-#
-# If defined, either full pathname of a file containing device names or
-# a ":" delimited list of device names.  Root logins will be allowed only
-# from these devices.
-#
-CONSOLE		/etc/securetty
-#CONSOLE	console:tty01:tty02:tty03:tty04
-
-#
-# If defined, all su(1) activity is logged to this file.
-#
-#SULOG_FILE	/var/log/sulog
-
-#
-# If defined, ":" delimited list of "message of the day" files to
-# be displayed upon login.
-#
-MOTD_FILE	/etc/motd
-#MOTD_FILE	/etc/motd:/usr/lib/news/news-motd
-
-#
-# If defined, this file will be output before each login(1) prompt.
-#
-#ISSUE_FILE	/etc/issue
-
- #
- # If defined, file which maps tty line to TERM environment parameter.
- # Each line of the file is in a format similar to "vt100  tty01".
- #
- #TTYTYPE_FILE	/etc/ttytype
- 
-#
-# If defined, login(1) failures will be logged here in a utmp format.
-# last(1), when invoked as lastb(1), will read /var/log/btmp, so...
-#
-FTMP_FILE	/var/log/btmp
-
-#
-# If defined, name of file whose presence will inhibit non-root
-# logins.  The content of this file should be a message indicating
-# why logins are inhibited.
-#
-NOLOGINS_FILE	/etc/nologin
-
-#
-# If defined, the command name to display when running "su -".  For
-# example, if this is defined as "su" then ps(1) will display the
-# command as "-su".  If not defined, then ps(1) will display the
-# name of the shell actually being run, e.g. something like "-sh".
-#
-SU_NAME		su
-
-#
-# *REQUIRED*
-#   Directory where mailboxes reside, _or_ name of file, relative to the
-#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
-#
-MAIL_DIR	/var/spool/mail
-#MAIL_FILE	.mail
-
- #
- # If defined, file which inhibits all the usual chatter during the login
- # sequence.  If a full pathname, then hushed mode will be enabled if the
-@@ -139,27 +55,12 @@ MAIL_DIR	/var/spool/mail
- HUSHLOGIN_FILE	.hushlogin
- #HUSHLOGIN_FILE	/etc/hushlogins
- 
-#
-# If defined, either a TZ environment parameter spec or the
-# fully-rooted pathname of a file containing such a spec.
-#
-#ENV_TZ		TZ=CST6CDT
-#ENV_TZ		/etc/tzname
-
-#
-# If defined, an HZ environment parameter spec.
-#
-# for Linux/x86
-ENV_HZ		HZ=100
-# For Linux/Alpha...
-#ENV_HZ		HZ=1024
-
- #
- # *REQUIRED*  The default PATH settings, for superuser and normal users.
- #
- # (they are minimal, add the rest in the shell startup files)
-ENV_SUPATH	PATH=/sbin:/bin:/usr/sbin:/usr/bin
-ENV_PATH	PATH=/bin:/usr/bin
-+ENV_SUPATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-+ENV_PATH	PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
- 
- #
- # Terminal permissions
-@@ -172,6 +73,13 @@ ENV_PATH	PATH=/bin:/usr/bin
- # and TTYPERM as 0620.  Otherwise leave TTYGROUP commented out and
- # set TTYPERM to either 622 or 600.
- #
-+# In Debian, write(1) similar programs are setgid tty.
-+# However, the default and recommended value for TTYPERM is still 0600
-+# to not allow anyone to write to anyone else console or terminal.
-+#
-+# Users can still allow other people to write them by issuing
-+# the "mesg y" command.
-+#
- TTYGROUP	tty
- TTYPERM		0600
- 
-@@ -180,61 +88,35 @@ TTYPERM		0600
- #
- #	ERASECHAR	Terminal ERASE character ('\010' = backspace).
- #	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
-#	ULIMIT		Default "ulimit" value.
- #
- # The ERASECHAR and KILLCHAR are used only on System V machines.
-# The ULIMIT is used only if the system supports it.
-# (now it works with setrlimit too; ulimit is in 512-byte units)
-#
-# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
- #
- ERASECHAR	0177
- KILLCHAR	025
-#ULIMIT		2097152
-
-# Default initial "umask" value used by login(1) on non-PAM enabled systems.
-# Default "umask" value for pam_umask(8) on PAM enabled systems.
-# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
-# home directories if HOME_MODE is not set.
-# 022 is the default value, but 027, or even 077, could be considered
-# for increased privacy. There is no One True Answer here: each sysadmin
-# must make up their mind.
-UMASK		022
- 
- # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
- # home directories.
-# If HOME_MODE is not set, the value of UMASK is used to create the mode.
-#HOME_MODE	0700
-+HOME_MODE	0700
- 
- #
- # Password aging controls:
- #
- #	PASS_MAX_DAYS	Maximum number of days a password may be used.
- #	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
-#	PASS_MIN_LEN	Minimum acceptable password length.
- #	PASS_WARN_AGE	Number of days warning given before a password expires.
- #
- PASS_MAX_DAYS	99999
- PASS_MIN_DAYS	0
-PASS_MIN_LEN	5
- PASS_WARN_AGE	7
- 
-#
-# If "yes", the user must be listed as a member of the first gid 0 group
-# in /etc/group (called "root" on most Linux systems) to be able to "su"
-# to uid 0 accounts.  If the group doesn't exist or is empty, no one
-# will be able to "su" to uid 0.
-#
-SU_WHEEL_ONLY	no
-
- #
- # Min/max values for automatic uid selection in useradd(8)
- #
- UID_MIN			 1000
- UID_MAX			60000
- # System accounts
-SYS_UID_MIN		  101
-SYS_UID_MAX		  999
-+#SYS_UID_MIN		  101
-+#SYS_UID_MAX		  999
- # Extra per user uids
- SUB_UID_MIN		   100000
- SUB_UID_MAX		600100000
-@@ -246,8 +128,8 @@ SUB_UID_COUNT		    65536
- GID_MIN			 1000
- GID_MAX			60000
- # System accounts
-SYS_GID_MIN		  101
-SYS_GID_MAX		  999
-+#SYS_GID_MIN		  101
-+#SYS_GID_MAX		  999
- # Extra per user group ids
- SUB_GID_MIN		   100000
- SUB_GID_MAX		600100000
-@@ -255,6 +137,9 @@ SUB_GID_COUNT		    65536
- 
- #
- # Max number of login(1) retries if password is bad
-+# This will most likely be overriden by PAM, since the default pam_unix module
-+# has it's own built in of 3 retries. However, this is a safe fallback in case
-+# you are using an authentication module that does not enforce PAM_MAXTRIES.
- #
- LOGIN_RETRIES		5
- 
-@@ -263,28 +148,6 @@ LOGIN_RETRIES		5
- #
- LOGIN_TIMEOUT		60
- 
-#
-# Maximum number of attempts to change password if rejected (too easy)
-#
-PASS_CHANGE_TRIES	5
-
-#
-# Warn about weak passwords (but still allow them) if you are root.
-#
-PASS_ALWAYS_WARN	yes
-
-#
-# Number of significant characters in the password for crypt().
-# Default is 8, don't change unless your crypt() is better.
-# Ignored if MD5_CRYPT_ENAB set to "yes".
-#
-#PASS_MAX_LEN		8
-
-#
-# Require password before chfn(1)/chsh(1) can make any changes.
-#
-CHFN_AUTH		yes
-
- #
- # Which fields may be changed by regular users using chfn(1) - use
- # any combination of letters "frwh" (full name, room number, work
-@@ -294,29 +157,6 @@ CHFN_AUTH		yes
- CHFN_RESTRICT		rwh
- 
- #
-# Password prompt (%s will be replaced by user name).
-#
-# XXX - it doesn't work correctly yet, for now leave it commented out
-# to use the default which is just "Password: ".
-#LOGIN_STRING		"%s's Password: "
-
-#
-# Only works if compiled with MD5_CRYPT defined:
-# If set to "yes", new passwords will be encrypted using the MD5-based
-# algorithm compatible with the one used by recent releases of FreeBSD.
-# It supports passwords of unlimited length and longer salt strings.
-# Set to "no" if you need to copy encrypted passwords to other systems
-# which don't understand the new algorithm.  Default is "no".
-#
-# Note: If you use PAM, it is recommended to use a value consistent with
-# the PAM modules configuration.
-#
-# This variable is deprecated. You should use ENCRYPT_METHOD instead.
-#
-#MD5_CRYPT_ENAB	no
-
-#
-# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
- # If set to MD5, MD5-based algorithm will be used for encrypting password
- # If set to SHA256, SHA256-based algorithm will be used for encrypting password
- # If set to SHA512, SHA512-based algorithm will be used for encrypting password
-@@ -326,66 +166,10 @@ CHFN_RESTRICT		rwh
- # MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
- # Overrides the MD5_CRYPT_ENAB option
- #
-# Note: If you use PAM, it is recommended to use a value consistent with
-+# Note: It is recommended to use a value consistent with
- # the PAM modules configuration.
- #
-#ENCRYPT_METHOD DES
-
-#
-# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
-#
-# Define the number of SHA rounds.
-# With a lot of rounds, it is more difficult to brute-force the password.
-# However, more CPU resources will be needed to authenticate users if
-# this value is increased.
-#
-# If not specified, the libc will choose the default number of rounds (5000),
-# which is orders of magnitude too low for modern hardware.
-# The values must be within the 1000-999999999 range.
-# If only one of the MIN or MAX values is set, then this value will be used.
-# If MIN > MAX, the highest value will be used.
-#
-#SHA_CRYPT_MIN_ROUNDS 5000
-#SHA_CRYPT_MAX_ROUNDS 5000
-
-#
-# Only works if ENCRYPT_METHOD is set to BCRYPT.
-#
-# Define the number of BCRYPT rounds.
-# With a lot of rounds, it is more difficult to brute-force the password.
-# However, more CPU resources will be needed to authenticate users if
-# this value is increased.
-#
-# If not specified, 13 rounds will be attempted.
-# If only one of the MIN or MAX values is set, then this value will be used.
-# If MIN > MAX, the highest value will be used.
-#
-#BCRYPT_MIN_ROUNDS 13
-#BCRYPT_MAX_ROUNDS 13
-
-#
-# Only works if ENCRYPT_METHOD is set to YESCRYPT.
-#
-# Define the YESCRYPT cost factor.
-# With a higher cost factor, it is more difficult to brute-force the password.
-# However, more CPU time and more memory will be needed to authenticate users
-# if this value is increased.
-#
-# If not specified, a cost factor of 5 will be used.
-# The value must be within the 1-11 range.
-#
-#YESCRYPT_COST_FACTOR 5
-
-#
-# List of groups to add to the user's supplementary group set
-# when logging in from the console (as determined by the CONSOLE
-# setting).  Default is none.
-#
-# Use with caution - it is possible for users to gain permanent
-# access to these groups, even when not logged in from the console.
-# How to do it is left as an exercise for the reader...
-#
-#CONSOLE_GROUPS		floppy:audio:cdrom
-+ENCRYPT_METHOD YESCRYPT
- 
- #
- # Should login be allowed if we can't cd to the home directory?
-@@ -401,12 +185,6 @@ DEFAULT_HOME	yes
- #
- NONEXISTENT	/nonexistent
- 
-#
-# If this file exists and is readable, login environment will be
-# read from it.  Every line should be in the form name=value.
-#
-ENVIRON_FILE	/etc/environment
-
- #
- # If defined, this command is run when removing a user.
- # It should remove any at/cron/print jobs etc. owned by
-@@ -415,59 +193,11 @@ ENVIRON_FILE	/etc/environment
- #USERDEL_CMD	/usr/sbin/userdel_local
- 
- #
-# Enable setting of the umask group bits to be the same as owner bits
-# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
-# the same as gid, and username is the same as the primary group name.
-+# If set to yes, userdel(8) will remove the user's group if it contains no more
-+# members, and useradd(8) will create by default a group with the name of the
-+# user.
- #
-# This also enables userdel(8) to remove user groups if no members exist.
-+# Other former uses of this variable are not used in PAM environments, such as
-+# Debian.
- #
- USERGROUPS_ENAB yes
-
-#
-# If set to a non-zero number, the shadow utilities will make sure that
-# groups never have more than this number of users on one line.
-# This permits to support split groups (groups split into multiple lines,
-# with the same group ID, to avoid limitation of the line length in the
-# group file).
-#
-# 0 is the default value and disables this feature.
-#
-#MAX_MEMBERS_PER_GROUP	0
-
-#
-# If useradd(8) should create home directories for users by default (non
-# system users only).
-# This option is overridden with the -M or -m flags on the useradd(8)
-# command-line.
-#
-#CREATE_HOME     yes
-
-#
-# Force use shadow, even if shadow passwd & shadow group files are
-# missing.
-#
-#FORCE_SHADOW    yes
-
-#
-# Allow newuidmap and newgidmap when running under an alternative
-# primary group.
-#
-#GRANT_AUX_GROUP_SUBIDS yes
-
-#
-# Prevents an empty password field to be interpreted as "no authentication
-# required".
-# Set to "yes" to prevent for all accounts
-# Set to "superuser" to prevent for UID 0 / root (default)
-# Set to "no" to not prevent for any account (dangerous, historical default)
-PREVENT_NO_AUTH superuser
-
-#
-# Select the HMAC cryptography algorithm.
-# Used in pam_timestamp module to calculate the keyed-hash message
-# authentication code.
-#
-# Note: It is recommended to check hmac(3) to see the possible algorithms
-# that are available in your system.
-#
-#HMAC_CRYPTO_ALGO SHA512
--- a/debian/patches/debian/Relax-usernames-groupnames-checking.patch
+++ b/debian/patches/debian/Relax-usernames-groupnames-checking.patch
@@ -2,10 +2,10 @@ From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
 Date: Sat, 22 Jun 2024 17:39:41 +0200
 Subject: Relax usernames/groupnames checking

-Allows any non-empty user/grounames that don't contain ':', ',', '\\' or
-'\n' characters and don't start with '-', '+', or '~'. This patch is
-more restrictive than original Karl's version. closes: #264879 Also
-closes: #377844
+Allows any non-empty user/grounames that don't contain ':', ',' or '\n'
+characters and don't start with '-', '+', or '~'. This patch is more
+restrictive than original Karl's version. closes: #264879
+Also closes: #377844

 Comments from Karl Ramm (shadow 1:4.0.3-9, 20 Aug 2003 02:06:50 -0400):

@@ -22,7 +22,7 @@ Status wrt upstream: Debian specific. Not to be used upstream
 3 files changed, 29 insertions(+), 32 deletions(-)

 diff --git a/lib/chkname.c b/lib/chkname.c
-index 995562f..9954410 100644
+index 995562f..d9678c6 100644
 --- a/lib/chkname.c
 +++ b/lib/chkname.c
@@ -54,44 +54,27 @@ static bool is_valid_name (const char *name)
@@ -51,7 +51,7 @@ index 995562f..9954410 100644
 +	 * portable filename character set [A-Za-z0-9._-], and that the hyphen
 +	 * should not be used as the first character of a portable user name.
 +	 *
-+	 * Allow more relaxed user/group names in Debian -- ^[^-~+:,\\\s][^:,\\\s]*$
+	 * Allow more relaxed user/group names in Debian -- ^[^-~+:,\s][^:,\s]*$
 +	 */
 +	if (   ('\0' == *name)
 +	    || ('-'  == *name)
@@ -72,7 +72,7 @@ index 995562f..9954410 100644
 -		      (*name == '$' && name[1] == '\0')
 -		     )) {
 +	do {
-+		if ((':' == *name) || (',' == *name) || ('\\' == *name) || isspace(*name)) {
+		if ((':' == *name) || (',' == *name) || isspace(*name)) {
 			return false;
 		}
 -		numeric &= isdigit(*name);
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,4 +8,3 @@ debian/Recommend-using-adduser-and-deluser.patch
 debian/Relax-usernames-groupnames-checking.patch
 debian/tests-disable-su.patch
 debian/tests-libsubid-04_nss-fix-setting-basedir.patch
-debian/Adapt-login.defs-for-Debian.patch
--- a/debian/rules
+++ b/debian/rules
@@ -24,7 +24,7 @@ DEB_CONFIGURE_EXTRA_FLAGS := \
 	--without-tcb \


-ifeq ($(DEB_HOST_ARCH_OS),linux)
+ifneq ($(DEB_HOST_ARCH_OS),linux)
 DEB_CONFIGURE_EXTRA_FLAGS += --enable-logind
 DEB_CONFIGURE_EXTRA_FLAGS += --with-audit
 endif