Compare commits

..

525 Commits

Author SHA1 Message Date
nekral-guest b8a41d9480 Tag release 4.1.2 2008-05-25 12:58:59 +00:00
nekral-guest 2303ddd0de Set the version to 4.1.2. 2008-05-24 23:15:47 +00:00
nekral-guest b5b636b8b7 Prepare the 4.1.2 release
* NEWS: set the release date.
	* man/po/*.po, po/*.po: Updated PO files.
2008-05-24 23:03:24 +00:00
nekral-guest a665e829ae Run msgmerge with --previous. (This requires gettext >= 0.16) 2008-05-24 22:58:21 +00:00
nekral-guest 6124b59aff * libmisc/copydir.c (remove_tree): As we always use remove_tree
followed by rmdir to remove the directory itself, delete also the
	root directory in remove_tree.
	* src/userdel.c, src/usermod.c: Do not call rmdir after
	remove_tree.
2008-05-24 15:35:15 +00:00
nekral-guest 9c41a8ad38 * libmisc/fields.c: Avoid assignments in comparisons, assignments
with post increments (x++), use of integers as booleans, and
	explicitly mark blocks with brackets.
	* libmisc/copydir.c: Likewise.
	* libmisc/fields.c: Add comments.
	* libmisc/copydir.c: Mark function whose return value is not
	checked as such.

	* libmisc/copydir.c (remove_tree): Make sure unlink is successful
	when removing files.
2008-05-24 15:19:02 +00:00
nekral-guest cda1f9a23d Simply passwd_check since it's never used when configured with PAM support. 2008-05-24 14:11:31 +00:00
nekral-guest 0219d72f48 * libmisc/list.c: Avoid assignments in comparisons, assignments
with post increments (x++), use of integers as booleans, and
	explicitly mark blocks with brackets.
2008-05-24 14:09:35 +00:00
nekral-guest d99423405c Fix compiler warnings:
* libmisc/audit_help.c: Include prototypes.h to get the prototype
	of audit_help_open.
	* libmisc/salt.c: Use booleans instead of negating integers.
	* src/passwd.c: Declare the check_selinux_access prototype and
	avoid name clashes (change_user -> changed_user; change_uid ->
	changed_uid; access -> requested_access)
2008-05-24 13:08:58 +00:00
nekral-guest eeb9592ded Use fputs rather than fprintf for constant strings. 2008-05-23 20:55:11 +00:00
nekral-guest 0120fc10e1 Added TODO items. 2008-05-23 20:47:45 +00:00
nekral-guest b9ac46305f Indicate that login should be executed with "exec login" if called from a shell. 2008-05-21 18:58:06 +00:00
nekral-guest ec9e63b7de Remove the advices for the choice of a good password (they are debatable). Point to http://en.wikipedia.org/wiki/Password_strength instead. 2008-05-21 18:25:48 +00:00
nekral-guest a917ba4fb9 *** security:
- generation of SHA encrypted passwords (chpasswd, gpasswd, newusers,
  chgpasswd; and also passwd if configured without PAM support).
  The number of rounds and number of salt bytes was fixed to their lower
  allowed values (resp. configurable and 8), hence voiding some of the
  advantages of this encryption method. Dictionary attacks with
  precomputed tables were easier than expected, but still harder than with
  the MD5 (or DES) methods.

	* NEWS, libmisc/salt.c (SHA_salt_size): Seed the RNG, and fix a
	overflow. These caused the SHA salt size to always be 8 bytes,
	instead of being in the 8-16 range. Thanks to Peter Vrabec
	pvrabec@redhat.com for noticing.
	* NEWS, libmisc/salt.c (SHA_salt_rounds): Seed the RNG with
	seedRNG instead of srand, and fix the same overflow. This caused
	the number of rounds to always be the smallest one.
2008-05-20 13:34:06 +00:00
nekral-guest 9c69fe73b1 Tag the section which require --enable-shadowgrp or --with-sha-crypt
accordingly.
2008-05-19 22:18:14 +00:00
nekral-guest 63228ac1c6 SHA_CRYPT_MAX_ROUNDS and SHA_CRYPT_MIN_ROUNDS can only exist if configured with --with-sha-crypt. 2008-05-19 21:57:48 +00:00
nekral-guest a071d72e48 Document the -k, --skel option, and update the -m, --create-home documentation. 2008-05-19 21:32:19 +00:00
nekral-guest 7ab3a97dfe Sort options. 2008-05-19 21:04:34 +00:00
nekral-guest ae7aeda621 SHA_CRYPT_MAX_ROUNDS and SHA_CRYPT_MIN_ROUNDS can
only exist if configured with --with-sha-crypt.
2008-05-19 20:59:51 +00:00
nekral-guest 0d6b2221ab SHA_CRYPT_MAX_ROUNDS and SHA_CRYPT_MIN_ROUNDS can
only exist if configured with --with-sha-crypt.
2008-05-19 20:58:59 +00:00
nekral-guest 337a97ceab Document the sections closed by #endif 2008-05-19 20:56:48 +00:00
nekral-guest 461d69522f * NEWS, man/groupadd.8.xml: Document the -r, --system option.
* NEWS, man/newusers.8.xml: Document the -r, --system option.
	* NEWS, man/newusers.8.xml: Document the -c, --crypt-method and
	-s, --sha-rounds options.
2008-05-19 20:53:12 +00:00
nekral-guest 537496c019 Fix formatting. 2008-05-19 20:31:48 +00:00
nekral-guest 300f7416c4 Document the -r, --system option. 2008-05-19 19:43:24 +00:00
nekral-guest 243809af3a Fix typo. 2008-05-18 16:38:13 +00:00
nekral-guest 3fed00196c Import Debian patch 487_passwd_chauthtok_failed_message
* libmisc/pam_pass.c: Be more verbose and indicate that the
	password was not changed when pam_chauthtok fails (in addition to
	the PAM error, which may not be comprehensible for the users).
2008-05-18 15:06:51 +00:00
nekral-guest fb4271bdf9 Import Debian patch 434_login_stop_checking_args_after--
* NEWS, src/login.c (check_flags): Stop checking the arguments
	after --. The later options will be sent to the shell, and do not
	need to be checked.
2008-05-18 14:54:35 +00:00
nekral-guest 6a17c2b27f * src/vipw.c, src/su.c, src/newgrp.c: Harmonize the children's
SIGSTOP handling. Raise the signal which stopped the child instead
	of always SIGSTOP.

	Import Debian patch 406_vipw_resume_properly.
	Thanks to Dean Gaudet.
	* NEWS, src/vipw.c: Resume properly after ^Z.
2008-05-18 13:41:56 +00:00
nekral-guest c7302b61ef Make sure every source files are distributed with a copyright and license.
Files with no license use the default 3-clauses BSD license. The copyright
were mostly not recorded; they were updated according to the Changelog.
"Julianne Frances Haugh and contributors" changed to "copyright holders
and contributors".
2008-04-27 00:40:09 +00:00
nekral-guest 8a8072a563 If the SULOG_FILE does not exist when an su session is logged, make sure
the file is created with group root, instead of using the group of the
caller.
2008-04-27 00:27:59 +00:00
nekral-guest 4196525702 Allow non-US-ASCII characters in the GECOS fields ("name", "room number",
and "other info" fields).
2008-04-27 00:24:49 +00:00
nekral-guest 4d7d6a1a9f Fix build failure when configured with audit support. Thanks to Mike
Frysinger for reporting it.
2008-04-16 22:04:46 +00:00
nekral-guest 2542732a0c Fix ident. 2008-04-16 22:03:43 +00:00
nekral-guest 7baffa5e74 Ensure that getpwent() is used in setpwent(), getpwent(),
endpwend() sequences (ditto for getgrent(), getspent(), and
getsgent()). The only real (minor) issue was in login, which kept
the passwd file open.
* libmisc/entry.c: Remove unneeded setspent() and endspent() (only
  getspnam is called in the middle).
* libmisc/find_new_ids.c: Make sure to close the password and
  group files with endpwent() and endgrent().
* libmisc/pwdcheck.c: Remove unneeded endspent() (only getspnam()
  is called before).
* src/lastlog.c, src/passwd.c, src/groupmod.c, src/faillog.c,
  src/groups.c: Make sure to close
  the password file with endpwent().
* src/login.c: Remove unneeded setpwent() (only xgetpwnam is
  called before).
* src/login.c, src/newgrp.c: Fix typos in comments.
2008-04-16 21:52:46 +00:00
nekral-guest 10ebb14481 Fix typo. 2008-04-16 21:24:14 +00:00
nekral-guest 8e82ae234e Also fix the detection of the pam and selinux features:
Fail if the feature is requested but the library (or
header file) could not be found. If nothing is specified, enable
the feature only if we can find the library (or header file).
2008-04-16 21:18:20 +00:00
nekral-guest 17cb7c754e Document --with-selinux as "yes if found" rather than "autodetected" for consistency with other options. 2008-04-16 20:16:43 +00:00
nekral-guest 70bf7cca33 Fix the detection of the audit library and header file. 2008-04-16 20:09:03 +00:00
nekral-guest f89cf0cf20 * NEWS, etc/pam.d/Makefile.am: Add chfn, chsh, and userdel to
$(pamd_files). Remove the duplicate useradd. And sort
  alphabetically. Thanks to Mark Rosenstand  <mark@borkware.net>.
* NEWS: Prepare next release, 4.1.2.
2008-04-04 18:50:22 +00:00
nekral-guest 1dd0a7e836 Commit the PO and POTs released with 4.1.1. 2008-04-03 20:27:37 +00:00
nekral-guest 1de80f9457 * NEWS, configure.in: Prepare release 4.1.1
* NEWS: Fix the release date of 4.1.0. Was in 2007, not 2008.
2008-04-02 21:55:27 +00:00
nekral-guest b345316e49 Update according to the file under review. Thanks to Jean-Luc Coulon. 2008-04-02 21:54:23 +00:00
nekral-guest e8a2633984 Add TODO items for SELINUX. 2008-04-02 21:42:04 +00:00
bubulle 5c9143c432 German translation update 2008-04-01 19:01:16 +00:00
bubulle 9dda0ada5f Basque translation update 2008-03-31 17:54:52 +00:00
nekral-guest 57144e2820 updated to 360t71f. Thanks to Leandro Azevedo <leorock182@gmail.com>. 2008-03-30 12:52:57 +00:00
bubulle d7a926d69a Turkish translation update 2008-03-30 12:18:40 +00:00
nekral-guest 0a5fad05a8 updated to 431t. Thanks to Clytie Siddall 2008-03-30 12:06:33 +00:00
nekral-guest ad135f478a Updated Swedish translation. Thanks to Daniel Nylander. 2008-03-30 11:54:19 +00:00
nekral-guest f2b518a31f Updated to 431t. Thanks to helix84 <helix84@centrum.sk>. 2008-03-28 23:23:41 +00:00
bubulle 231bb00904 Italian translation update 2008-03-27 18:54:34 +00:00
nekral-guest f7a256fc19 * src/passwd.c, NEWS: Make SE Linux tests more strict, when the
real UID is 0 SE Linux checks will be performed. Thanks to
 Russell Coker  <russell@coker.com.au>
* TODO: Added entries regarding SE Linux.
2008-03-26 22:00:50 +00:00
nekral-guest eca5208c20 Added TODO entries. 2008-03-26 21:44:50 +00:00
bubulle 9a6f0d3969 Russian translation update 2008-03-24 18:34:04 +00:00
bubulle fed294e11e Updated Korean and Portuguese translations 2008-03-23 08:39:58 +00:00
nekral-guest 04af9cb9f8 Fix manpages generation. The SYS_GID_MAX and SYS_UID_MAX entities were not defined. 2008-03-17 23:07:04 +00:00
nekral-guest 32b424e507 Fix minor compilation warning (assignment used as a comparison). 2008-03-17 23:05:59 +00:00
nekral-guest d94602add8 login_access() is used in src/login.c, and defined in src/login_nopam.c
(which lacks a prototype). Move its prototype from src/login.c to
lib/prototypes.h.
2008-03-17 23:04:46 +00:00
nekral-guest e33e2b7d79 Compilation fix. gshadow_locked should only be used if SHADOWGRP is defined. 2008-03-17 23:02:23 +00:00
nekral-guest 78c59b7261 Fix some warnings. compare_members_lists() is only used if SHADOWGRP is defined. 2008-03-17 23:00:49 +00:00
nekral-guest 8377303981 Remove unused global variable. 2008-03-08 23:52:50 +00:00
nekral-guest a8a614c515 * NEWS, src/groupmod.c: Make sure the passwd, group, and gshadow
files are unlocked on exit. Unlock locked files in fail_exit().
  Prefer fail_exit() over exit().
* NEWS, src/groupmod.c: When the GID of a group is changed, update
  also the GID of the passwd entries of the users whose primary
  group is the group being modified.
2008-03-08 23:01:49 +00:00
nekral-guest b1a0769d3d * lib/commonio.c (commonio_remove): Fail when the name to be
removed is used by different entries (like commonio_update does).
* NEWS: This fix the behavior of groupdel when the system is not
  configured to support split group but different group entries
  have the name of the group to be deleted.
2008-03-08 22:52:44 +00:00
nekral-guest 1b808e62df Make sure the passwd, group, shadow, and gshadow files are unlocked on
exit. Unlock locked files in fail_exit(). Prefer fail_exit() over exit().
2008-03-08 22:44:53 +00:00
nekral-guest 5af8a5d74d * NEWS, src/groupdel.c: Make sure the group, and gshadow files are
unlocked on exit. Add function fail_exit(). Use fail_exit()
	instead of exit().
	* src/groupdel.c: Fail immediately instead of increasing errors.
	Better handling of error cases, like locked group or gshadow file.
2008-03-08 21:13:54 +00:00
nekral-guest d1290c0d5d Make sure the passwd, group, shadow, and gshadow files are unlocked on
exit. Add function fail_exit(). Use fail_exit() instead of exit().
2008-03-08 21:04:31 +00:00
nekral-guest bded00fd11 Make sure the group and gshadow files are unlocked on exit. Add function fail_exit(). 2008-03-08 20:54:54 +00:00
nekral-guest a2242f6f1b Do not rewrite the group and gshadow file in case of error. 2008-03-08 16:23:22 +00:00
nekral-guest 9e07fec6ba Do not log that the group was deleted if an error occurred. 2008-03-08 16:20:55 +00:00
nekral-guest d44f1dfeca Do not raise an error if the group does not exist in the gshadow file. 2008-03-08 16:17:07 +00:00
nekral-guest 987d853aa9 Document MAX_MEMBERS_PER_GROUP. 2008-03-08 16:05:30 +00:00
nekral-guest e0579449d8 Fix typo 2008-03-07 20:46:47 +00:00
nekral-guest 1b2618d688 * src/newgrp.c: Add missing end of line in message.
* src/newgrp.c: Add audit events for the authentication
  (AUDIT_GRP_AUTH). Thansk to Peter Vrabec.
2008-03-07 20:21:15 +00:00
nekral-guest 6ea65c8992 Only reset the entries of existing users with faillog -r (not all numeric
IDs starting from 0). Thanks to Peter Vrabec.
2008-03-05 00:10:25 +00:00
nekral-guest 52cfc3372b Fix typo. One "can't open" message is a "can't lock". 2008-03-04 23:53:00 +00:00
nekral-guest 528346cb3b When a password is moved to the gshadow file, use "x" instead of "x"
to indicate that the password is shadowed (consistency with grpconv).
2008-02-26 20:09:56 +00:00
nekral-guest f43a4659c6 Re-indent. 2008-02-26 19:17:20 +00:00
nekral-guest 2a2b2b3aa4 * NEWS: Fix failures when the gshadow file is not present. Thanks
to Christian Henz (http://bugs.debian.org/467488)
 * src/gpasswd.c (get_group): Do not fail if gshadow is not present. Just use
   the group file and set the grent structure
 * src/gpasswd.c (check_perms): The permissions should be checked
   using both the gshadow and group file. Add a <struct group *>
   parameter, and check if the gshadow file exists (is_shadowgrp).
 * src/gpasswd.c (main): Do not use sgent.sg_mem or sgent.sg_adm if
   the gshadow file is not present (sgent is not initialized in that
   case). The fields of sgent can be set, but not used.
2008-02-26 19:09:10 +00:00
nekral-guest db479122f3 * Fix typo in comment.
* Move comment regarding FIRST_MEMBER_IS_ADMIN to
   where it belongs.
 * Indicate the end of the #ifdef FIRST_MEMBER_IS_ADMIN
   section.
2008-02-26 18:59:28 +00:00
nekral-guest 4160d8c1fb Add the new XML documentation files to EXTRA_DIST. 2008-02-25 21:46:27 +00:00
nekral-guest dead78e4d9 Use --previous when merging PO files of the manpages.
(I need to find a way to do it for the PO files of the binaries)
2008-02-25 21:27:31 +00:00
nekral-guest 7ce94164c7 * man/login.defs.d/SYS_UID_MAX.xml, man/login.defs.d/SYS_GID_MAX.xml:
Document new variables.
* man/newusers.8.xml, man/login.defs.5.xml,
  man/login.defs.d/GID_MAX.xml, man/login.defs.d/UID_MAX.xml:
  newusers uses now the GID_MAX, GID_MIN, UID_MAX, UID_MIN,
  SYS_GID_MAX, SYS_GID_MIN, SYS_UID_MAX, and SYS_UID_MIN variables.
* man/groupadd.8.xml, man/login.defs.5.xml: groupadd uses now the
  SYS_GID_MAX, and SYS_GID_MIN variables.
* man/login.defs.5.xml: useradd uses now the SYS_GID_MAX,
  SYS_GID_MIN, SYS_UID_MAX, and SYS_UID_MIN variables.
2008-02-25 21:17:18 +00:00
nekral-guest 77f722ae9d Added missing SYS_GID_MAX, SYS_GID_MIN, SYS_UID_MAX, and SYS_UID_MIN. 2008-02-25 21:06:30 +00:00
nekral-guest 93e2f66a60 * NEWS, src/useradd.c, man/useradd.8.xml: Added options
-user-group (-U, Uflg) and --no-user-group (-N, Nflg) to replace
  nflg.
* man/login.defs.d/USERGROUPS_ENAB.xml: useradd now also uses
  USERGROUPS_ENAB.
2008-02-25 21:03:46 +00:00
nekral-guest 2a5c015cd1 Add missing 'p' to the getopt_long's optstring. 2008-02-19 21:26:04 +00:00
nekral-guest dc641054a1 Add missing -p, --password description to the Usage message. 2008-02-19 21:21:52 +00:00
nekral-guest 23ac189d48 Add missing space in comment. 2008-02-19 21:18:04 +00:00
nekral-guest 29e71bf1b3 Fix --non-unique's has_arg field to no_argument instead of required_argument. 2008-02-19 21:16:28 +00:00
nekral-guest 7ec4a64cdb Add missing 'p' to the getopt_long's optstring. 2008-02-19 21:10:17 +00:00
nekral-guest c81db0b178 Fix alphabetical order. 2008-02-19 21:05:44 +00:00
nekral-guest bb824221a4 This entry was for login, not su:
* If started as init, start a new session.
2008-02-19 21:04:55 +00:00
nekral-guest ca2636f08a Re-indent. 2008-02-19 21:02:24 +00:00
nekral-guest 18c914f086 Added new option -r, --system for system accounts in useradd, groupadd,
and newusers.
2008-02-19 21:01:38 +00:00
nekral-guest ed52b88b92 Fix buffer overflow when adding an user to a group. Thanks to Peter Vrabec. 2008-02-18 21:36:03 +00:00
nekral-guest 280fcebae8 Change the default HOME directory in /etc/default/useradd according FHS
(/home instead of /home/users).  This fixes Alioth's bug #310559.
Thanks to Dale E. Edmons.
2008-02-17 15:29:41 +00:00
nekral-guest 80ef1db3b3 One AUDIT_USER_START remained. Replace it with AUDIT_CHGRP_ID also. 2008-02-14 18:51:37 +00:00
nekral-guest a8bc585e33 Use the correct AUDIT_CHGRP_ID event instead of
AUDIT_USER_START, when changing the user space group ID with
newgrp or sg. Thanks to sgrubb@redhat.com for the patch.
2008-02-14 18:35:51 +00:00
nekral-guest 1599d3d128 * Reset oflg with uflg if the new UID is equal to
the old one.
* Reset mflg with dflg if the new home directory is
  the same as the old one.
2008-02-10 21:35:17 +00:00
nekral-guest a5f949165a Fix the handling of -a when a user is being renamed (with -l). The new
name of the user was used for the new supplementary groups, but not in the
existing ones.
2008-02-10 20:25:39 +00:00
nekral-guest ead95673a5 Set the shadow's password instead of the passwd's password.
Fix wrong cut&paste.
2008-02-10 19:14:20 +00:00
nekral-guest 132eb55983 Fix typo. 2008-02-03 21:53:30 +00:00
nekral-guest f08833fba2 Fix typo. 2008-02-03 21:42:08 +00:00
nekral-guest f8679b385a No need to check audit_fd, audit_logger() will take care of this. 2008-02-03 21:40:01 +00:00
nekral-guest ae5db5d36b Really log the expiration date change as human readable strings instead of
integers.
2008-02-03 21:37:45 +00:00
nekral-guest fdae41eb63 Use a function to convert the dates from /etc/shadow to human readable dates. 2008-02-03 21:30:47 +00:00
nekral-guest 25433a17e7 TODO cleanup
- newusers: i = 100; not a nice initial value, use login.defs
	This is done. newusers now uses (UID|GID)_(MIN|MAX)
- remove the entries regarding outdated translation of documentation.
	The manpages translation should use the PO.
- the manpages should mention when the options were added.
	This should help user to choose option for portable scripts
2008-02-03 18:51:11 +00:00
nekral-guest 737806a53a Add ideas for new tests in the testsuite. 2008-02-03 17:58:16 +00:00
nekral-guest feb2e41181 Do not translate the fromhost variable. It is always used for syslog messages. 2008-02-03 17:57:43 +00:00
nekral-guest 6e9078f16c Switch to the C locale before sending messages to syslog. The messages
sent by shadow were not translated, but error messages from PAM returned
by pam_strerror() were translated in the users's locale.
2008-02-03 17:53:21 +00:00
nekral-guest 4e01ea6c33 * NEWS: newusers will behave more like useradd.
* src/newusers.c: The user's ID must be found before the group ID
	to mimic useradd's behavior choices of UID and GID.
	* src/newusers.c: Reuse the generic find_new_uid() and
	find_new_gid() functions. This permits to respect the
	UID_MIN/UID_MAX and GID_MIN/GID_MAX variables, should 
	* src/newusers.c: Check if the user or group exist using the
	external databases (with the libc getpwnam/getgrnam functions).
	Refuse to update an user which exist in an external database but
	does not exist in the local database.
	* src/newusers.c: Check the usernames and groupnames with
	check_user_name() and check_group_name()
	* src/newusers.c: Use isdigit() for readability.
	* src/newusers.c: Check if numerical IDs are valid (no remaining
	chars).

	* NEWS, src/newusers.c: Fix the support for the NONE crypt method.

	* src/newusers.c: Fix shadow group support (the list of admins was
	not defined; it is now set to an empty list).
2008-02-03 17:45:58 +00:00
nekral-guest 65ed10d75c Do not seed the random number generator each time, and use the time in
microseconds to avoid having the same salt for different passwords
generated in the same second.  This permits to avoid using the same salt
for different passwords in newusers.
2008-02-03 17:23:58 +00:00
nekral-guest aed929ae90 Add libmisc/find_new_ids.c to the sources of the libmisc library. 2008-02-03 16:57:21 +00:00
nekral-guest 04190741e7 Use the find_new_uid() and find_new_gid() from the library instead of the
local functions.
2008-02-03 16:56:23 +00:00
nekral-guest 72cfa974d8 Add libmisc/find_new_ids.c to the sources of the libmisc library. 2008-02-03 16:55:37 +00:00
nekral-guest a1ae1c4fba The new libmisc/find_new_ids.c file contains translatable strings. 2008-02-03 16:53:53 +00:00
nekral-guest e21f90fd68 Add new generic functions to find the next user or group ID available:
find_new_uid() and find_new_gid(). They work the same way as the functions
with the same name of useradd or groupadd, except that they check in the
local database to make sure an ID was not reserved in an uncommitted
change (this is needed to be used in newusers), they report a status
instead of calling exit(), and they can receive a preferred ID. They
should later support system IDs. This should be a little bit slower, but
not too much (if the database is not open the checks against the local
database will exit immediately, and if it is already open, all the checks
will be done regarding the data in memory).
2008-02-03 16:53:07 +00:00
nekral-guest be7c51d27a New function to find a group by its GID on the local database. 2008-02-03 16:51:08 +00:00
nekral-guest 7344e055be New function to find an user by its UID on the local database. 2008-02-03 16:50:14 +00:00
nekral-guest 57f713e426 * libmisc/age.c, libmisc/yesno.c, src/lastlog.c, src/grpck.c,
src/chfn.c, src/passwd.c, src/chage.c, src/login.c, src/sulogin.c,
   src/chsh.c: Fix call to puts (remove end of line, or use fputs).
 * po/*.po: Unfuzzy PO files according to above change.
2008-02-03 16:28:03 +00:00
bubulle 5672b53263 French translation update (obvious things only) 2008-02-03 06:20:06 +00:00
nekral-guest e899b34160 Updated PO files. 2008-02-02 17:20:42 +00:00
nekral-guest 3755086645 Fix comment. find_new_fid is no more called is the user specified a group
ID.
2008-01-27 14:31:23 +00:00
nekral-guest ae99674e9b Fix build failures with --disable-shadowgrp. Thanks to Jürgen
Daubert for the patch.
* libmisc/salt.c: Include <stdio.h>, needed for stderr and printf
  functions.
* lib/encrypt.c: Include <stdio.h>, needed for perror, stderr and
  printf functions
* src/usermod.c: sgr_locked exists only if SHADOWGRP is defined.
* src/chgpasswd.c: Only check is the gshadow file exists if
  SHADOWGRP is defined.
2008-01-26 17:41:20 +00:00
nekral-guest 28a9441f4f Replace printf by puts for fixed strings. This would avoid issues caused
by formats introduced in translated strings.
2008-01-24 21:07:14 +00:00
nekral-guest 8c229ea473 Re-indent. 2008-01-24 20:54:42 +00:00
nekral-guest 3dd5866244 Replace printf by puts for fixed strings. This would avoid issues caused
by formats introduced in translated strings.
2008-01-24 20:42:12 +00:00
nekral-guest 96f7a7588f Re-indent. 2008-01-24 19:50:09 +00:00
nekral-guest 01f9705dd5 Replace printf by puts for fixed strings. This would avoid issues caused
by formats introduced in translated strings.
2008-01-24 19:38:06 +00:00
nekral-guest 1b246725c5 Re-indent. 2008-01-24 19:24:03 +00:00
nekral-guest de239d9b01 Replace printf by puts for fixed strings. This would avoid issues caused
by formats introduced in translated strings.
2008-01-24 18:39:05 +00:00
nekral-guest f4b9f1b2e0 adduser was a typo. Move the adduser entries to the useradd section. 2008-01-23 23:48:39 +00:00
nekral-guest 926aeec06a Apply Christian's recommendation:
s/can't get unique/no more available/
2008-01-23 22:31:38 +00:00
nekral-guest 934ac07b06 Check that the new fields set with -u, -s, -l, -g, -f, -e, -d, and -c
differ from the old ones. If a requested new value is equal to the old
one, no changes will be performed for that field. If no fields are
changed, usermod will exist successfully with a warning. This avoids
logging changes to syslog when there are actually no changes.
2008-01-23 21:50:27 +00:00
nekral-guest 0d1be15e0f Always define user_newcomment, user_newshell, user_newexpire, and
user_newinactive. It is more simple to always have user_<x> as the old
field, and user_new<x> as the new field (even if the field did not change)
instead of changing the algorithm depending on WITH_AUDIT.
2008-01-23 21:19:08 +00:00
nekral-guest 294e3a632e user_newname can only be used in WITH_AUDIT code or when lflg is set. This
issue was introduced in the code refactoring of usermod.
2008-01-23 20:08:16 +00:00
nekral-guest 229e6cbdd8 Fix typo in comment: s/find_new_uid/find_new_gid/ 2008-01-22 22:59:06 +00:00
nekral-guest 53561134a9 * s/gid/GID/ in message string.
* Set this string for translation.
2008-01-22 22:57:55 +00:00
nekral-guest 7535467358 * man/grpck.8.xml: Conditionally include the parts mentioning the
gshadow file (based on SHADOWGRP).
* man/grpck.8.xml: Add reference to the gshadow(5) manpage
 (conditionally included).
2008-01-22 21:42:48 +00:00
nekral-guest 20153121be Fix typo. Remove "the" from "All entries in the <filename></filename> are
checked [...]"
2008-01-22 21:15:58 +00:00
nekral-guest caf3f2603e Indicate that the shadow parameter is optional (i.e. a passwd file can be
specified without a shadow file, and the group file can be specified
without the gshadow file).
2008-01-22 21:13:43 +00:00
nekral-guest 03e5a3a181 Document the options with a list of options, as in the pwck(8) manpage. 2008-01-22 20:56:13 +00:00
nekral-guest ae8cbbc34d * NEWS, src/newgrp.c: Fix segfault when an user returns to an
unknown GID (either the user was deleted during the user's newgrp
  session or the user's passwd entry referenced an invalid group).
  Add a syslog warning in that case.
* src/newgrp.c: Add an end of line when reporting an invalid
  password.
2008-01-21 23:33:43 +00:00
nekral-guest b082ebead2 * NEWS, src/useradd.c: Fix the handling of the --defaults option
(it required an argument, but should behave as -D)
* NEWS, man/useradd.8.xml: Document the --defaults option, which
  was already described in the useradd's Usage information.
2008-01-12 21:09:46 +00:00
nekral-guest 85febc5729 Avoid setting the password to a const empty string, but set the first char to \0. This avoids a warning. 2008-01-06 19:26:58 +00:00
nekral-guest e663f6c0b4 * libmisc/salt.c: Add prototype for l64a(), gensalt(),
SHA_salt_size(), and SHA_salt_rounds().
* libmisc/salt.c: l64a() and gensalt() are static.
* libmisc/salt.c: The `meth' parameter of crypt_make_salt() is a
  const. (ditto for the method variable).
* libmisc/salt.c: SHA_salt_rounds returns a const string.
* libmisc/salt.c: Avoid warnings with cast of random() to double.
* libmisc/salt.c: Replace rand() by random().
2008-01-06 14:50:26 +00:00
nekral-guest 8a1abbe80b * lib/Makefile.am: Do not link libshadow.la with the intl, crypt,
skey and md libraries...
* src/Makefile.am: ...Specify for each binary which library is
  required. skey and md are required for the binaries with
  authentication of the user (chfn, chsh, login, passwd, su). intl
  is required for all. mcrypt is required for user (chfn, chsh,
  login, passwd, su, sulogin) and group (newgrp, gpasswd)
  authentication and for the creation of passwords (chpasswd,
  chgpasswd, gpasswd, newusers, passwd).
2008-01-06 14:19:32 +00:00
nekral-guest 39c9007f67 * lib/nscd.c, lib/nscd.h: Set the service parameter of
nscd_flush_cache() to const. This avoids a lot of warnings.
* lib/nscd.c: Include "nscd.h" to avoid inconsistent prototypes.
2008-01-06 13:57:17 +00:00
nekral-guest ee268550d9 Remove prototypes for __gr_dup() and __gr_set_changed(). 2008-01-06 13:52:21 +00:00
nekral-guest e5b7987764 Set the method string as a constant string. 2008-01-06 13:49:00 +00:00
nekral-guest 06691758e8 Assume <errno.h> declares errno. 2008-01-06 13:42:47 +00:00
nekral-guest 1d63dfd1d4 * Remove prototype for sgetgrent().
* Add the name of the parameters for merge_group_entries() and split_groups().
2008-01-06 13:38:16 +00:00
nekral-guest 9d6d2de4d3 Fix typo: s/rend compte indiqué/rend le compte indiqué/ 2008-01-06 13:32:25 +00:00
nekral-guest 9104a7a4a4 * Remove prototype of check_su_auth(). It is redundant with prototypes.h.
* isgrp() is static.
2008-01-06 13:30:18 +00:00
nekral-guest 1520a0ae3e * libmisc/obscure.c: Tag the `old' parameter of palindrome(),
similar(), and simple() as unused.
* libmisc/loginprompt.c: Tag the `sig' parameter of login_exit()
  as unused.
* src/expiry.c: Tag the `sig' parameter of catch_signals() as
  unused.
* src/su.c: Tag the `sig' parameter of catch_signals() as unused.
* src/su.c: Add int parameter to the prototype of oldsig().
* src/login.c: Tag the `sig' parameter of alarm_handler() as
  unused.
* src/sulogin.c: Tag the `sig' parameter of catch_signals() as
  unused.
* libmisc/getdate.y: Tag the `string' parameter of yyerror() as
  unused.
* libmisc/getdate.y: The string provided to yyerror() is const.
* libmisc/getdate.y: Fix the prototypes of yylex() and yyerror().
2008-01-06 13:20:25 +00:00
nekral-guest 7b22265d4e * Remove teh macro definition of SETXXENT_TYPE,
SETXXENT_RET, and SETXXENT_TEST. They were used by the now
  removed pwent.c and grent.c.
* Remove the definition of PASSWD_PAG_FILE,
  GROUP_PAG_FILE, SHADOW_PAG_FILE, and SGROUP_PAG_FILE. They are
  never used.
* Don't include "snprintf.h". The file does not
  exist in shadow.
* Add new macro unused to tag unused parameters.
2008-01-06 13:12:09 +00:00
nekral-guest 116a76e528 Remove prototypes for __pw_del_entry(), __pw_get_head(), __spw_del_entry(), and __spw_get_head(). 2008-01-06 13:00:17 +00:00
nekral-guest 93177a5615 Assume optarg and optind are declared in <getopt.h>. 2008-01-06 12:52:23 +00:00
nekral-guest 0c867d23ad Remove the pw_name argument of new_pw_passwd. Use the user_newname global
variable instead. This avoid using a parameter with the same name as a function.
2008-01-06 12:50:22 +00:00
nekral-guest 5c6f68cd8f * Removed unused gid parameter of syslog_sg().
* The loginname and tty buffers are never changed. Add the const qualifier.
2008-01-06 12:31:06 +00:00
nekral-guest d85b926a14 The crypt_method string always points to a constant string. Add the const qualifier. 2008-01-06 12:26:20 +00:00
nekral-guest 8289eabc55 Remove prototype of l64a() (not used in pwunconv). 2008-01-06 12:12:30 +00:00
nekral-guest 58176a821d Remove prototypes for __gr_del_entry(), __gr_get_head(),
__sgr_del_entry(), and __sgr_get_head().
2008-01-06 12:09:38 +00:00
nekral-guest 4cdbd1fa1d * src/login_nopam.c: Use an ANSI prototype for resolve_hostname()
instead of K&R prototype.
* src/login_nopam.c: Fix the prototypes of list_match(),
  user_match(), from_match(), string_match(). There were no
  parameters in the prototypes.
* src/login_nopam.c: Fix the prototypes of the function parameter
  match_fn of list_match().
2008-01-06 12:07:42 +00:00
nekral-guest 0e07f3e48d Remove the src parameter of copy_special().
The entry's information are taken from the stat structure.
2008-01-06 12:02:24 +00:00
nekral-guest 569a3b8e59 * libmisc/console.c, libmisc/ulimit.c, lib/sgetgrent.c,
lib/sgetpwent.c: Include "prototypes.h" to make
  sure the exported prototypes are the ones used for the definition
  of functions.
* lib/prototypes.h: Added prototypes for __gr_del_entry(),
  __gr_get_db(), __gr_get_head(), __gr_set_changed(), __gr_dup(),
  __pw_del_entry(), __pw_get_db(), __pw_get_head(), __pw_dup(),
  sgetgrent(), sgetpwent(), __sgr_del_entry(), __sgr_dup(),
  __sgr_get_head(), __sgr_set_changed(), __spw_get_head(),
  __spw_del_entry(), __spw_dup().
* lib/prototypes.h: Removed prototype for is_listed().
* lib/prototypes.h: Added name of the check_su_auth()'s parameters.
* lib/groupio.h: Removed prototypes for __gr_dup() and
  __gr_set_changed().
* lib/sgroupio.c: Removed prototypes for putsgent(), sgetsgent(),
  and __gr_get_db().
* lib/sgroupio.h: Removed prototypes for __sgr_dup() and
  __sgr_set_changed().
* lib/shadowio.c: Removed prototype for __pw_get_db().
* lib/pwio.c: Removed prototype for sgetpwent() and putpwent().
* lib/shadowio.h: Removed prototypes for __spw_dup() and
  __spw_set_changed().
* lib/pwio.h: Removed prototypes for __pw_dup() and
  __pw_set_changed().
* lib/commonio.h: Add protection against multiple inclusions.
* lib/prototypes.h: Include commonio.h (needed for the
  __xx_del_entry() functions).
2008-01-06 11:59:01 +00:00
nekral-guest 747e174bec Add documentation for the new --password options. 2008-01-05 17:25:00 +00:00
nekral-guest ff49a02023 Fix find_new_gid() prototype. Add a void parameter. 2008-01-05 17:23:46 +00:00
nekral-guest 9c7ddf94c9 Remove old comments in the header. 2008-01-05 17:22:38 +00:00
nekral-guest 050364aba2 Include <lastlog.h> for the declaration of struct lastlog. 2008-01-05 17:20:45 +00:00
nekral-guest 23e8564812 Fix typos. 2008-01-05 16:44:51 +00:00
nekral-guest 462be08456 * lib/prototypes.h: Add the dolastlog() prototype.
* lib/prototypes.h: Typo: login.c -> loginprompt.c
* src/login.c: Remove declaration of dolastlog().
* libmisc/log.c: dolastlog() should not have been changed to static.
  Include prototypes.h instead.
2008-01-05 16:44:28 +00:00
nekral-guest db0dddc6e9 * libmisc/pwdcheck.c: Do not include <pwd.h>. Include <shadow.h>
and "pwauth.h" only when compiled without PAM support.
* src/chfn.c, src/chsh.c: Do not include <shadow.h>
* lib/commonio.c: Do not include <shadow.h>. Do not include
  <pwd.h>. Include "nscd.h" instead of <nscd.h>.
* configure.in: Do not check if shadow.h exist, but make sure it
  exists.
* libmisc/pwdcheck.c, src/chfn.c, src/chsh.c, lib/defines.h,
  lib/shadowmem.c, lib/shadowio.c, lib/commonio.c:
  HAVE_SHADOW_H is no more needed (shadow.h should always exist).
2008-01-05 16:33:43 +00:00
nekral-guest cea5c823a1 Fix the do_pam_passwd() prototype (it returns void). 2008-01-05 15:43:33 +00:00
nekral-guest 5a4848c8cc do_pam_passwd should not have been defined static, prototypes.h needed
to be included instead.
2008-01-05 15:41:58 +00:00
nekral-guest 6cf5b05493 Remove prototype of putgrent(), add parameter's name of sgetgrent(). 2008-01-05 14:35:13 +00:00
nekral-guest f8a95f7ca1 Add option --password to groupadd and groupmod (similar to useradd and usermod). 2008-01-05 14:17:43 +00:00
nekral-guest e94d2da45e Remove the declaration of getutent(), getutline(), setutent(), and
endutent() which are declared in <utmp.h>
2008-01-05 14:09:56 +00:00
nekral-guest 8d440a2a52 stat shadows another stat variable. Remove this
variable, and directly check the result of getfscreatecon().
2008-01-05 14:01:34 +00:00
nekral-guest 616ad5252d Changelog entry forgotten in previous src/gshadow.c commit:
* list() is an external function. DO not shadow it
   with a static function. The internal list() was renamed
   build_list().
2008-01-05 13:58:56 +00:00
nekral-guest 8d9c39789b The prototypes of fgetsx() and fputsx() are already defined in
prototypes.h. Remove the declaration of these functions.
2008-01-05 13:56:21 +00:00
nekral-guest bbb9470661 loginsh is a global variable, use newshell for the update_shell()'s parameter. 2008-01-05 13:54:39 +00:00
nekral-guest f11bbd3b70 login_prompt is the name of a function, use loginprompt for the internal variable. 2008-01-05 13:53:14 +00:00
nekral-guest 239b2d7bee Make a proper prototype for the main() function declaration. (add void) 2008-01-05 13:51:43 +00:00
nekral-guest 2040826791 Add changelog entry for previous commit. 2008-01-05 13:49:32 +00:00
nekral-guest 83b7153b40 Add missing include "shadowio.h". (This was OK as long as prototypes.h included this file.) 2008-01-05 13:40:49 +00:00
nekral-guest 53b075a760 * libmisc/pam_pass.c: Define do_pam_passwd() as static and add its prototype.
* libmisc/log.c: Define dolastlog() as static and add its prototype.
* src/chage.c: Define isnum() as static and add its prototype.
2008-01-05 13:37:32 +00:00
nekral-guest b8ce324a66 Include config.h as a system include, as recommended by the autoconf documentation. 2008-01-05 13:32:32 +00:00
nekral-guest 99dc2b1abf Define is_listed() as static and add its prototype. 2008-01-05 13:29:24 +00:00
nekral-guest 96bca84ca4 Include "prototypes.h" to make sure the exported prototypes are
the ones used for the definition of functions.
2008-01-05 13:23:22 +00:00
nekral-guest b7d372d8e3 "shadowio.h" was included for the definition of the spwd structure.
Replace this include by <shadow.h>
2008-01-05 13:07:54 +00:00
nekral-guest 867034e3ba grent.c does not exist anymore. Remove the putgrent prototype. 2008-01-05 13:05:21 +00:00
nekral-guest 3c800f5880 Add the syslog_sg prototype. 2008-01-01 23:56:03 +00:00
nekral-guest 11864d22b4 Also split syslog_sg() out of main(). 2008-01-01 23:54:51 +00:00
nekral-guest 1ff4e28748 Remove duplicate logging to syslog. 2008-01-01 23:45:44 +00:00
nekral-guest d590d0ccee Split check_perms() out of main(). 2008-01-01 23:35:55 +00:00
nekral-guest 94b3b98196 Avoid assignments in conditionals. 2008-01-01 23:07:55 +00:00
nekral-guest 1d76eb6ef7 Avoid assignments in conditionals. 2008-01-01 22:21:55 +00:00
nekral-guest 631fa3b4f3 (split_groups): Test the pointer returned by malloc. 2008-01-01 20:47:31 +00:00
nekral-guest 6f45325d6e Document add_one_entry_nis(), write_all(), commonio_remove(),
commonio_locate(), and commonio_rewind().
2008-01-01 20:34:47 +00:00
nekral-guest e700196c17 Fix typo s/groupadd/chpasswd/ 2008-01-01 19:56:29 +00:00
nekral-guest 53ecd8e0c0 New TODO item:
- newusers: add logging to SYSLOG & AUDIT
2008-01-01 19:54:37 +00:00
nekral-guest 97d7df1ef4 Fix typo s/groupadd/chage/ 2008-01-01 19:53:33 +00:00
nekral-guest 376d990101 Fix typo s/groupadd/chgpasswd/. 2008-01-01 19:53:02 +00:00
nekral-guest 4c2f65d7d0 Avoid implicit conversions to booleans. 2008-01-01 18:27:40 +00:00
nekral-guest 92d8cbb26c Avoid implicit brackets. 2008-01-01 18:04:46 +00:00
nekral-guest 7080370042 Re-indent. 2008-01-01 17:56:33 +00:00
nekral-guest a9ae2a8710 Avoid implicit conversions to booleans. 2008-01-01 17:51:54 +00:00
nekral-guest 94266e1360 use_system_pw_file and use_system_spw_file were not reset. 2008-01-01 17:43:18 +00:00
nekral-guest f6e79f59be Re-indent. 2008-01-01 16:58:13 +00:00
nekral-guest 27ed5ec8b9 Avoid implicit brackets. 2008-01-01 16:54:18 +00:00
nekral-guest f9f420b107 ignore libmisc.a 2008-01-01 16:40:50 +00:00
nekral-guest 1c2f4f0428 No functional changes were introduced by the previous pwck and grpck
changes, except for the following bug fix: no syslog logging if a passwd
or group file was specified on the command line without a shadowed
database file, even if the system shadowed database was changed).
2008-01-01 16:36:06 +00:00
nekral-guest 42a5b75c5a * Fix open_files prototype (void argument).
* close_file documentation (s:password/shadow:group/gshadow:)
2008-01-01 16:28:01 +00:00
nekral-guest 6ac97a708c Fix typos in comments (gshadow/shadow). 2008-01-01 16:25:57 +00:00
nekral-guest d022527b71 Simplify pwck's main(). Remove gotos. 2008-01-01 15:52:07 +00:00
nekral-guest 3ad9a439d5 Split also check_pw_file() and check_spw_file() out of main(). 2008-01-01 15:49:33 +00:00
nekral-guest ef2c12e560 Also split open_files and close_files out of main().
New global variables use_system_pw_file and use_system_spw_file
2008-01-01 15:29:47 +00:00
nekral-guest 6912ac253a Split process_flags() out of main(). New global variables is_shadow,
sort_mode.
2008-01-01 15:07:41 +00:00
nekral-guest a3501dfd95 De-comment code (duplicate the entry when the _R function is not present on the system). 2008-01-01 14:48:04 +00:00
nekral-guest 09a95ed70a * src/lastlog.c: Remove statbuf, not used.
* src/lastlog.c: Fix types, cast umin and umax to uid_t.
* src/lastlog.c: (option -u) user needs to be a signed long, not
  uid_t (to accept rangees like -<uid>
2008-01-01 14:38:47 +00:00
nekral-guest d0de685c7a Avoid ?: construct without the middle term. 2008-01-01 14:34:07 +00:00
nekral-guest 72713d0b73 Forgot to commit that one.
Avoid empty file when USE_PAM is set.
2008-01-01 14:32:41 +00:00
nekral-guest b681e50ff2 * libmisc/copydir.c, src/usermod.c, lib/prototypes.h: The uid and
gid parameters can be set to -1 to indicate that the original
  owners must be kept. Change the types from uid_t/gid_t to a
  long int (signed).
* libmisc/copydir.c: Change the copy_entry(), copy_dir(),
  copy_symlink(), copy_special(), and copy_file() prototypes
  accordingly.
* lib/prototypes.h: Add the parameters' name for the
  libmisc/copydir.c functions.
2008-01-01 14:31:00 +00:00
nekral-guest bb8af02978 Avoid empty file when WITH_AUDIT is not set. 2008-01-01 14:20:36 +00:00
nekral-guest bca732693b * libmisc/limits.c, libmisc/obscure.c, src/login_nopam.c,
lib/pwauth.c: Avoid empty file when USE_PAM is set.
* src/login_nopam.c: Fix warnings: resolve_hostname takes and
  returns a constant string.
2008-01-01 14:18:55 +00:00
nekral-guest 0dccafcd23 Remove inaccurate documentation.
The password file is no more opened in read only mode.
2008-01-01 14:12:34 +00:00
nekral-guest b25feca14c Add missing prototype declarations.
Document the new functions.
2008-01-01 14:10:21 +00:00
nekral-guest 0aaddfaf29 I forgot to mention compare_members_lists(). 2008-01-01 14:09:47 +00:00
nekral-guest 3d82d5e452 Split check_members() out of check_grp_file() and check_sgr_file(). 2008-01-01 13:50:06 +00:00
nekral-guest 612820cb9a Split check_grp_file() and check_sgr_file() out of main(). 2008-01-01 13:48:49 +00:00
nekral-guest f6f6eeda8e Split process_flags(), open_files(), and close_files() out of main(). New
global variables is_shadow, sort_mode, use_system_grp_file, and
use_system_sgr_file.
2008-01-01 13:13:47 +00:00
nekral-guest 83b9a376a2 If remove-potcdate.sin does not exist, use the one from teh po directory
(it is not installed automatically by autopoint.
2007-12-31 20:16:46 +00:00
nekral-guest ca9fbc0d8e Compilation fix. pamh needs to be global since the split of check_perms(). 2007-12-31 20:15:15 +00:00
nekral-guest 1ec694eae7 Compilation fix. user was removed from the list of global variables. 2007-12-31 20:14:31 +00:00
nekral-guest b9a00ea0ee Fix the type of the bitfields in the commonio_entry and commonio_db
structures to unsigned int (instead of int).
2007-12-31 20:12:48 +00:00
nekral-guest 0cc661a2cf Re-indent. 2007-12-31 15:34:29 +00:00
nekral-guest d6cabcde78 Re-indent. 2007-12-31 15:32:15 +00:00
nekral-guest 4c9686df0c Avoid assignments in comparisons. 2007-12-31 15:30:29 +00:00
nekral-guest ce4e74c1b9 Avoid implicit brackets. 2007-12-31 15:27:23 +00:00
nekral-guest 3709183127 (compil fix) Use pw->pw_name instead of user. 2007-12-31 15:13:39 +00:00
nekral-guest 9a67b445b1 sflg needs to be global. 2007-12-31 15:07:59 +00:00
nekral-guest ca035a53a0 Also split update_shell() out of main(). 2007-12-31 15:06:22 +00:00
nekral-guest f031095d9f * Split also check_perms() out of main().
* Before pam_end(), the return value of the previous
  pam API was already checked. No need to validate it again.
2007-12-31 14:54:46 +00:00
nekral-guest 7ed7e14dee Split process_flags() out of main(). 2007-12-31 14:52:52 +00:00
nekral-guest 4af02cb083 Avoid assignments in comparisons. 2007-12-31 14:37:24 +00:00
nekral-guest ce3c44b0f7 Avoid assignments in comparisons. 2007-12-31 14:25:06 +00:00
nekral-guest c086f6c931 Avoid implicit conversions to booleans. 2007-12-31 14:15:29 +00:00
nekral-guest ca468cb988 Document may_change_field(). 2007-12-31 14:03:14 +00:00
nekral-guest 3d04ff4037 Avoid implicit brackets. 2007-12-31 13:48:48 +00:00
nekral-guest 7279ff37f3 * New function: process_flags() split out of main().
The flags variables are now global.
* New functions: check_perms(), update_gecos(),
  get_old_fields(), and check_fields() split out of main().
* Before pam_end(), the return value of the previous
  pam API was already checked. No need to validate it again.
2007-12-31 13:43:04 +00:00
nekral-guest d0b984528a * src/newusers.c: Compilation fix for PAM support (pamh needs to be
global since the function split).
* src/chpasswd.c: Likewise.
* src/chgpasswd.c: Likewise.
* src/chpasswd.c: Avoid implicit conversions to booleans.
2007-12-31 04:57:54 +00:00
nekral-guest e448d1acb1 Sort the tools in the NEWS entries of 4.1.1. 2007-12-31 04:34:10 +00:00
nekral-guest f09b1404eb Rewrote to match the previous commit message. 2007-12-31 04:31:28 +00:00
nekral-guest db38d0b104 * src/chage.c: Fix typo: s/maximim/maximum/
* src/chage.c: New function: fail_exit(). Change most of the exit()
	to a fail_exit, which makes sure the files are unlocked (new global
	variables: pw_locked, spw_locked), the PAM transaction is ended, and
	the failure is logged to libaudit (use a global user_name and user_uid
	for logging).
	* src/chage.c: Compilation fix for PAM support (pamh needs to be
	global since the function split).
	* src/chage.c: Document process_flags(), check_flags(), check_perms(),
	open_files(), and close_files().
	* src/chage.c: Split update_age() and get_defaults() out of main()
	* src/chage.c: Drop the privileges just after opening the files.
	* src/chage.c: Do not log to audit only if the user has an entry in
	the shadow file.
	* NEWS, src/chage.c (open_files): Also open the password file for
	writing. This fix chage when the user only has a password entry (and
	no shadow entries).
	* src/chage.c (get_defaults): Use default values that don't change the
	behavior of the account for the fields that are not specified when the
	user has no shadow entry.
2007-12-31 04:29:30 +00:00
nekral-guest 3b7497b063 * Compilation fix for PAM support (pamh needs to be
global since the function split).
* End the PAM transaction in fail_exit().
* Document check_flags().
2007-12-30 21:48:55 +00:00
nekral-guest d1bee8b593 Compilation fix for non-gshadow support. 2007-12-30 21:39:57 +00:00
nekral-guest 99230a30ad I forgot to open and close gshadow. 2007-12-29 17:34:02 +00:00
nekral-guest 623010396c Added support for gshadow. 2007-12-29 17:26:28 +00:00
nekral-guest 098173e1df Do not add the new user to the group's members, because the group is already
the primary group of the new user.
2007-12-29 17:05:13 +00:00
nekral-guest 67b9c423fe Avoid variables with the name of a type. 2007-12-29 14:52:35 +00:00
nekral-guest b040f047fd Avoid assignments in comparisons. 2007-12-29 14:48:33 +00:00
nekral-guest 8c4efbb8ce Avoid implicit brackets and re-indent. 2007-12-29 14:34:39 +00:00
nekral-guest 9923513271 Before pam_end(), the return value of the previous
pam API was already checked. No need to validate it again.
2007-12-29 14:17:06 +00:00
nekral-guest 60a422b284 newusers cleanups
main() split in new functions: process_flags(), check_flags(), check_perms(),
open_files(), and close_files().
2007-12-29 14:11:54 +00:00
nekral-guest 3c890a55d8 Avoid assignments in comparisons. 2007-12-29 11:34:31 +00:00
nekral-guest 37ccc0a3d4 Re-indent. 2007-12-29 11:19:39 +00:00
nekral-guest a7cbfedc85 * Avoid implicit brackets.
* Avoid implicit conversion to booleans.
2007-12-29 11:06:35 +00:00
nekral-guest 2d771a97b7 Remove dead code. It was probably put here to add more
information to the audit_logger.
2007-12-29 10:50:03 +00:00
nekral-guest 6ca79a36b0 Avoid using a variable with the same name as a type. 2007-12-29 10:47:04 +00:00
nekral-guest 388dcee3e4 chage cleanups
* src/chage.c: Before pam_end(), the return value of the previous
	pam API was already checked. No need to validate it again.
	* src/chage.c: main() split in new functions: process_flags(),
	check_flags(), check_perms(), open_files(), and close_files().
2007-12-29 10:42:25 +00:00
nekral-guest 8563319b8b * src/chgpasswd.c: Avoid assignments in comparisons.
* src/chgpasswd.c: Avoid implicit brackets.
	* src/chgpasswd.c: Fix comments to match chgpasswd (group instead of
	user's passwords are changed).

	Fix the previous ChangeLog entries regarding chgpasswd.
2007-12-28 23:14:59 +00:00
nekral-guest 9fe450e216 Same changes as for chpasswd:
* src/chpasswd.c: main() split in process_flags(), check_flags(),
	check_perms(), open_files(), and close_files().
2007-12-28 22:59:17 +00:00
nekral-guest 28cd038c35 Same changes as for chpasswd:
* src/chpasswd.c: main() split in process_flags(), check_flags(),
	check_perms(), open_files(), and close_files().
2007-12-28 22:54:35 +00:00
nekral-guest 8dc959ea1f Avoid implicit brackets. 2007-12-28 22:34:14 +00:00
nekral-guest f54464bcf6 Re-indent. 2007-12-28 22:31:45 +00:00
nekral-guest 05651a338e Re-indent. 2007-12-28 22:30:02 +00:00
nekral-guest 908e2cbcc7 Avoid assignments in comparisons. 2007-12-28 22:24:02 +00:00
nekral-guest b9eec1ea49 Other new functions: open_files(), close_files().
This force flushing the password database after the password file is unlocked.
2007-12-28 22:18:55 +00:00
nekral-guest 566b357f99 New functions: process_flags(), check_flags(),
check_perms(). Split out of main().
2007-12-28 22:05:51 +00:00
nekral-guest dc1dccd9e2 Before pam_end(), the return value of the previous
pam API was already checked. No need to validate it again.
2007-12-28 21:29:06 +00:00
nekral-guest 8dc4ca297c New function check_flags(). Split the validation of
options and arguments out of process_flags.
2007-12-28 21:04:04 +00:00
nekral-guest 605a338216 (main, check_perms): New function check_perms().
Split the validation of the user's permissions out of main()
2007-12-28 20:46:24 +00:00
nekral-guest 6d09b4ce4d (main): Before pam_end(), the return value of the previous pam API was already
checked. No need to validate it again.
2007-12-28 20:40:59 +00:00
nekral-guest 147c37789a Re-indent. 2007-12-28 20:35:05 +00:00
nekral-guest ffa34c5afd (process_flags): prefer fail_exit to exit. This avoid
an explicit call to audit_logger().
2007-12-28 19:15:14 +00:00
nekral-guest da37da30e1 I forgot the initialization of group_id in find_new_gid(). 2007-12-28 19:08:33 +00:00
nekral-guest b4f6b853f8 * process_args renamed process_flags
* Add the options checks in process_flags (group_name, group ID uniqueness)
 * Add the parameters' names in the prototypes.
2007-12-28 11:22:27 +00:00
nekral-guest cc1f6c10be Split the processing of options out of main(). 2007-12-28 10:41:22 +00:00
nekral-guest 08e09354b2 find_new_gid is never called when an
GID is specified with -g. Simplify find_new_gid accordingly.
2007-12-28 10:30:39 +00:00
nekral-guest 0b6b9fe090 typo cleared/clearer 2007-12-28 10:20:02 +00:00
nekral-guest 83b546beef (find_new_gid): If oflg is set, gflg is also set.
Use (!gflg), which is cleared than (!gflg || !oflg).
2007-12-28 10:19:21 +00:00
nekral-guest b4071939e0 A group with the specified name cannot exist at that time in find_new_gid.
Remove the check.
2007-12-28 10:15:42 +00:00
nekral-guest 0a4424ef00 Avoid implict brackets. 2007-12-28 10:12:09 +00:00
nekral-guest 18a654d13b When compiled without AUDIT support, if the return code was E_SUCCESS,
fail_exit() wouldn't have exited. Fix the scope of #idef WITH_AUDIT.
2007-12-28 09:39:22 +00:00
nekral-guest b8650378c1 Document the new functions. 2007-12-28 00:35:41 +00:00
nekral-guest 9a9a9c0414 Other cleanups and documentation.
Do the checks, then build the filenames. Do not mix both.
2007-12-28 00:23:33 +00:00
nekral-guest 523392dc0b Stop at the first error. 2007-12-28 00:08:16 +00:00
nekral-guest ed1dd1bb99 Avoid assignement in comparison. 2007-12-28 00:04:46 +00:00
nekral-guest 6987e6f12a Avoid implicit conversions to booleans. 2007-12-28 00:03:26 +00:00
nekral-guest 9c79c77de4 Avoid implicit casts. 2007-12-27 23:41:36 +00:00
nekral-guest 7f5a4e15c6 Avoid implicit brackets. 2007-12-27 23:40:00 +00:00
nekral-guest 6bc43fea06 Document selinux_file_context. 2007-12-27 23:32:47 +00:00
nekral-guest cc4b37f65c Avoid assignment in comparisons. 2007-12-27 23:30:36 +00:00
nekral-guest dfb6416a5b libmisc/copydir.c cleanup
* libmisc/copydir.c: Split copy_tree() in more maintainable functions:
	copy_entry(), copy_dir(), copy_symlink(), copy_hardlink(),
	copy_special(), and copy_file().
	* libmisc/copydir.c: -1 is used to indicate an error, directly set err
	to -1, instead of incrementing it, and checking if not nul at the
	end.
2007-12-27 23:23:51 +00:00
nekral-guest bfa8ef3e75 Avoid implicit conversions to booleans. 2007-12-27 21:56:45 +00:00
nekral-guest b58df6280d Avoid assignment in comparisons. 2007-12-27 21:43:29 +00:00
nekral-guest 641d73ab83 Document check_list's return value. 2007-12-27 21:30:12 +00:00
nekral-guest a77eb6b49d Avoid implicit brackets. 2007-12-27 21:28:50 +00:00
nekral-guest c919701466 Simplify gpasswd's main():
Also split check_flags() out of main().
2007-12-27 21:19:57 +00:00
nekral-guest c81bf3e06f Simplify gpasswd's main():
Split also get_group() and change_passwd() out of main().
2007-12-27 21:04:22 +00:00
nekral-guest 586181bf71 Simplify gpasswd's main():
New function: check_perms(). Split out of main() to simplify main().
2007-12-27 19:08:31 +00:00
nekral-guest 55d581d041 Simplify gpasswd's main():
New functions: open_files(), close_files(), update_group(). Split out
	from main() to simplify this (too) big function.
2007-12-27 18:52:40 +00:00
nekral-guest f429f3e38d Simplify gpasswd's main():
New function: process_flags(). Split the processing of options out of main().
2007-12-27 18:27:57 +00:00
nekral-guest 7b05484494 gpasswd cleanup
* src/gpasswd.c: Add argument name to the internal function
	prototypes.
	* src/gpasswd.c: Document global variables.
2007-12-27 17:36:08 +00:00
nekral-guest 5714adb090 Recommend editing the shadowed (resp. regular) file if the regular (resp.
shadowed) file was edited.
2007-12-26 23:43:55 +00:00
nekral-guest ac7693ef7b End of the previous changelog entry... 2007-12-26 23:17:27 +00:00
nekral-guest 5cbc86b7d9 Merge Debian's patch 451_login_PATH
* NEWS, libmisc/setupenv.c: Export PATH according to ENV_PATH and
	ENV_SUPATH, as for su. This impacts login.
	* man/login.1.xml: PATH and SUPATH are now used both when PAM support
	is disabled and enabled.
2007-12-26 23:15:43 +00:00
nekral-guest b44a6c316d If started as init, login and sulogin need to start a new session. 2007-12-26 22:36:54 +00:00
nekral-guest f5461ff01e Merge Debian's patch 408_passwd_check_arguments
* NEWS, src/passwd.c: Make sure that no more than one username
	argument was provided.
2007-12-26 22:17:13 +00:00
nekral-guest b77cef01a9 Re-indent. 2007-12-26 21:56:47 +00:00
nekral-guest 3a48f0954c Merge Debian's patch 412_lastlog_-u_numerical_range
* NEWS, src/lastlog.c, man/lastlog.8.xml: Accept numerical user, or
  ranges with the -u option.
* TODO: The same change should be done on faillog.
2007-12-26 21:54:04 +00:00
nekral-guest fd970ab62c Merge Debian's patch 466_fflush-prompt
* libmisc/Makefile.am, lib/prototypes.h, libmisc/yesno.c, src/grpck.c,
	src/pwck.c: move yes_or_no() from grpck/pwck to a separate
	libmisc/yesno.c (with a read_only argument).
	* libmisc/fields.c, libmisc/yesno.c: Make sure stdout is flushed before
	reading the user's answer.
2007-12-26 16:50:38 +00:00
nekral-guest e663c696c2 su's arguments are now reordered. If needed, use -- to separate su's
options from the shell's options.
2007-12-26 15:10:48 +00:00
nekral-guest 65d0682647 Merge RedHat's patch shadow-4.0.18.1-mtime.patch:
* NEWS: Document that usermod will now preserve user's file modification
    and access time.
    * libmisc/copydir.c: Preserve the access and modification time of copied
    files. This is important for usermod. This will also impact useradd, for
    the skeleton files, but this is not important.
    * libmisc/copydir.c: Stop and return an error if a file could not be
    closed after during a copy.
2007-12-26 13:54:23 +00:00
nekral-guest 3935d32676 Mention RedHat's patches for previous commits.
Merge RedHat's patch shadow-4.0.18.1-findNewUidOnce.patch:
	* src/useradd.c (usr_update): Do not call find_new_uid(). The UID was
	already either specified or found by another call to find_new_uid().
	* src/useradd.c (find_new_uid): Always start with uid_min (find_new_uid()
	is never called when user_id was already specified).
	* src/useradd.c (find_new_uid): Fix the comments (find_new_uid() is not
	called when the UID is specified (uflg)).
	* src/useradd.c (main): Only call find_new_uid() if (!oflg) and (!uflg).
	If uflg is set (but not oflg), check the UID uniqueness.
	* src/useradd.c (find_new_uid): Don't check the uid and user name
	uniqueness in find_new_uid(). The user name uniqueness is already checked
	during the parameter validation. UID uniqueness is also checked (see
	above).
	* src/useradd.c (find_new_uid): Don't check uflg in find_new_uid().
	* src/useradd.c (find_new_uid): Make sure that find_new_uid() is not
	called when uflg is set (assert).

Cleanups in find_new_gid:
	* src/useradd.c (find_new_gid): Check that gflg is not set (assert).
	* src/useradd.c (find_new_gid): Do not check the group name uniqueness
	(already checked in main).
	* src/useradd.c (find_new_gid): Avoid a "continue" in the loop.
	* src/useradd.c (find_new_gid): Remove irrelevant comments.
	* src/useradd.c (find_new_gid): Fix the function definition's comment.
2007-12-26 13:18:27 +00:00
nekral-guest c57e8983ff Add option -l to avoid adding the user to the lastlog and faillog databases
Fix the release numbers for the current NEWS entries.
2007-12-26 10:15:20 +00:00
nekral-guest a840bc8c99 The manpages should indicate how common options are. 2007-12-26 10:13:57 +00:00
nekral-guest 20dfe6ba98 NO_GETPWENT is no more supported. Remove associated chunks of code. 2007-12-26 09:28:02 +00:00
nekral-guest 60c167838f Document the long options (--force, --gid, --key, --non-unique). 2007-12-26 09:22:49 +00:00
nekral-guest d6ee05ef93 Do not install the shadow library per default.
lib_LTLIBRARIES changed to noinst_LTLIBRARIES.
2007-12-26 09:18:45 +00:00
nekral-guest 34ed03d978 * NEWS, configure.in: Prepare the 4.1.0 release.
* NEWS, src/chgpasswd.c: Use chgpasswd PAM policy file instead of
  chpasswd's one.
* NEWS: The login.defs variables are documented.
2007-12-09 22:54:53 +00:00
nekral-guest 82ab505d1a Updated TODO list. 2007-12-09 22:51:47 +00:00
nekral-guest 8418f76979 New TODO. 2007-12-09 14:51:42 +00:00
nekral-guest 15989f16f7 * man/pwconv.8.xml: Fix typos.
* man/chpasswd.8.xml, man/chgpasswd.8.xml: Document the NONE crypt
  method.
* man/login.defs.d/MAIL_DIR.xml: Add comment regarding useradd not
  using MAIL_FILE.
* man/login.defs.d/ERASECHAR.xml, man/login.defs.d/KILLCHAR.xml,
  man/login.defs.d/CONSOLE_GROUPS.xml, man/login.defs.d/ENV_HZ.xml,
  man/login.defs.d/ENV_PATH.xml, man/login.defs.d/ENV_SUPATH.xml:
  These variables are also used by some tools when compiled with PAM
  support.
* man/login.defs.d/ENV_HZ.xml: Add note that it is only used by
  sulogin when compiled with PAM support.
* man/login.defs.d/ENV_SUPATH.xml: Typos: ENV_PATH -> ENV_SUPATH,
  and mention sbin in the path.
* man/login.defs.d/LOGIN_STRING.xml: Fix typo: confition ->
  condition.
* man/sg.1.xml: Add CONFIGURATION section (SYSLOG_SG_ENAB).
* man/su.1.xml: ENV_HZ, LOGIN_STRING, MAIL_DIR, USERGROUPS_ENAB
  are only used when su is compiled without PAM support.
* man/login.defs.5.xml: Added variables: OBSCURE_CHECKS_ENAB
  PASS_ALWAYS_WARN PASS_CHANGE_TRIES SULOG_FILE SU_NAME
  SU_WHEEL_ONLY SYSLOG_SG_ENAB SYSLOG_SU_ENAB.
* man/login.defs.5.xml: ENVIRON_FILE is only used when compiled
  without PAM support.
* man/login.defs.5.xml: sulogin uses variables even when compiled
  with PAM support.
* man/login.1.xml: ENV_HZ ENV_PATH ENV_SUPATH MAIL_DIR UMASK are
  only used when login is not compiled with PAM support.
2007-12-09 14:50:14 +00:00
nekral-guest 9ac8c65e37 Make sure is_console is only defined when USE_PAM is not defined. 2007-12-08 23:27:35 +00:00
nekral-guest 462794685f Fix time () prototype. 2007-12-08 23:25:52 +00:00
nekral-guest 8c4d98edc1 * man/login.defs.d/CONSOLE_GROUPS.xml,
man/login.defs.d/CONSOLE.xml, man/login.defs.d/DEFAULT_HOME.xml,
  man/login.defs.d/ENV_HZ.xml, man/login.defs.d/ENVIRON_FILE.xml,
  man/login.defs.d/ENV_PATH.xml, man/login.defs.d/ENV_SUPATH.xml,
  man/login.defs.d/ENV_TZ.xml, man/login.defs.d/ERASECHAR.xml,
  man/login.defs.d/FAIL_DELAY.xml,
  man/login.defs.d/FAILLOG_ENAB.xml,
  man/login.defs.d/FAKE_SHELL.xml, man/login.defs.d/FTMP_FILE.xml,
  man/login.defs.d/HUSHLOGIN_FILE.xml,
  man/login.defs.d/ISSUE_FILE.xml, man/login.defs.d/KILLCHAR.xml,
  man/login.defs.d/LASTLOG_ENAB.xml, man/login.defs.d/LOGIN_RETRIES.xml,
  man/login.defs.d/LOGIN_TIMEOUT.xml, man/login.defs.d/LOG_OK_LOGINS.xml,
  man/login.defs.d/LOG_UNKFAIL_ENAB.xml,
  man/login.defs.d/MAIL_CHECK_ENAB.xml, man/login.defs.d/MOTD_FILE.xml,
  man/login.defs.d/NOLOGINS_FILE.xml,
  man/login.defs.d/OBSCURE_CHECKS_ENAB.xml,
  man/login.defs.d/PASS_ALWAYS_WARN.xml,
  man/login.defs.d/PASS_CHANGE_TRIES.xml,
  man/login.defs.d/PASS_MAX_LEN.xml,
  man/login.defs.d/PORTTIME_CHECKS_ENAB.xml,
  man/login.defs.d/QUOTAS_ENAB.xml, man/login.defs.d/SULOG_FILE.xml,
  man/login.defs.d/SU_NAME.xml, man/login.defs.d/SU_WHEEL_ONLY.xml,
  man/login.defs.d/SYSLOG_SG_ENAB.xml,
  man/login.defs.d/SYSLOG_SU_ENAB.xml,
  man/login.defs.d/TTYGROUP.xml, man/login.defs.d/TTYTYPE_FILE.xml,
  man/login.defs.d/ULIMIT.xml, man/login.defs.d/USERGROUPS_ENAB.xml:
  New documentation of login.defs variables.
* man/login.defs.d/MAIL_DIR.xml: Updated. It now contains the
  MAIL_FILE documentation.
* man/login.defs.d/LOGIN_STRING.xml: Updated. Mentions %s.
* man/pwconv.8.xml, man/groupmems.8.xml, man/groupdel.8.xml,
  man/useradd.8.xml, man/pwck.8.xml, man/groupadd.8.xml,
  man/sulogin.8.xml, man/newgrp.1.xml, man/usermod.8.xml,
  man/su.1.xml, man/vipw.8.xml, man/passwd.1.xml,
  man/groupmod.8.xml, man/login.1.xml, man/userdel.8.xml,
  man/grpck.8.xml: Added CONFIGURATION section.
* man/generate_mans.mak: The generations of manpages depends on
  the variables from the Makefiles. Add the dependency on Makefile.
* man/login.defs.5.xml: New login.defs variable documented.
* man/Makefile.am: Added XML variable documentation to the
  distributed files.
2007-12-08 23:24:40 +00:00
nekral-guest 6c6a220b2e Fix the newgrp section in the gshadow.5 manpage.
Thanks to Andre Majorel <aym-naibed@teaser.fr>.
2007-12-05 21:31:21 +00:00
nekral-guest 50452e30fc Prepare the 4.1.0-rc1 release. 2007-11-27 20:08:16 +00:00
nekral-guest 713d777c61 New TODOs. 2007-11-27 19:45:36 +00:00
nekral-guest 5a00c2a03e Added the login.defs variables description to the man's EXTRA_DIST. 2007-11-27 19:42:23 +00:00
nekral-guest 0f7f0ea467 * man/chfn.1.xml: Uses CHFN_AUTH, CHFN_RESTRICT, LOGIN_STRING.
* man/chgpasswd.8.xml: Uses ENCRYPT_METHOD, MAX_MEMBERS_PER_GROUP,
  MD5_CRYPT_ENAB, SHA_CRYPT_MIN_ROUNDS (SHA_CRYPT_MAX_ROUNDS).
* man/chpasswd.8.xml: Switch to using entities for ENCRYPT_METHOD,
  MD5_CRYPT_ENAB, SHA_CRYPT_MIN_ROUNDS (SHA_CRYPT_MAX_ROUNDS).
* man/chsh.1.xml: Uses CHSH_AUTH, LOGIN_STRING.
* man/expiry.1.xml: Does not use any login.defs parameter.
* man/gpasswd.1.xml: Uses ENCRYPT_METHOD, MAX_MEMBERS_PER_GROUP,
  MD5_CRYPT_ENAB, SHA_CRYPT_MIN_ROUNDS.
* man/login.defs.5.xml: Added CHSH_AUTH.
* man/login.defs.5.xml: Cross reference -> cross references.
* man/login.defs.5.xml: chfn only uses CHFN_AUTH when no_pam.
* man/login.defs.5.xml: chsh uses CHSH_AUTH, not CHFN_AUTH.
* man/login.defs.d/CHSH_AUTH.xml: Added.
* man/login.defs.5.xml: chsh uses parameters only when no_pam.
* man/login.defs.5.xml: expiry does not use CONSOLE_GROUPS, even
  if linked in the binary.
* man/newusers.8.xml: Uses ENCRYPT_METHOD, MAX_MEMBERS_PER_GROUP,
  MD5_CRYPT_ENAB, PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_AGE,
  SHA_CRYPT_MIN_ROUNDS, UMASK.
2007-11-26 23:27:56 +00:00
nekral-guest 7fd329721a The previous commit to man/login.defs.5.xml also describeb the usage of
variables by each tools when compiled without PAM support.
2007-11-26 22:14:45 +00:00
nekral-guest 4183905c3a Add --expand-all-entities to the call to xml2po to avoid translating the
external entities separately.
2007-11-26 22:13:16 +00:00
nekral-guest b75fe4940b Put each variable description in an external entities. This will permit to
reference them in the various utils manpages.
2007-11-26 22:11:23 +00:00
nekral-guest cb041d775f Do not generate gmo files. 2007-11-26 22:04:20 +00:00
nekral-guest a428137884 End of the PO unfuzzyfication (after tabulation removal in Usage strings) 2007-11-26 22:00:57 +00:00
nekral-guest ece64e4195 Fix typo. 2007-11-25 22:05:08 +00:00
nekral-guest 8ed5ead77b * man/po/LINGUAS: Added missing LINGUAS.
* man/po/de.po, man/po/fr.po, man/po/it.po, man/po/pl.po,
  man/po/ru.po, man/po/sv.po: Updated.
2007-11-25 21:28:26 +00:00
nekral-guest 1683c26db3 Added POTFILES to the ignored files in man/po 2007-11-25 21:06:49 +00:00
nekral-guest 543b693547 * configure.in, man/po/Makefile.in.in, man/po/Makevars,
man/po/POTFILES.in, man/Makefile.am: Generate the PO files for the
  manpages in the man/po directory (instead of man/<lang>). Use a
  Makefile.in.in based on gettext's one. This ensure that the PO are
  generated before being used in the <lang> directories.
* man/generate_mans.mak, man/generate_translations.mak,
  man/Makefile.am: New makefile for the generation of manpages from
  XML (generate_mans.mak). This avoid duplicate chunks in
  generate_translations.mak and Makefile.am
* man/de/de.po, man/fr/fr.po, man/it/it.po, man/pl/pl.po,
  man/ru/ru.po, man/sv/sv.po: Moved to...
* man/po/de.po, man/po/fr.po, man/po/it.po, man/po/pl.po,
  man/po/ru.po, man/po/sv.po: ... here.
2007-11-25 21:02:32 +00:00
nekral-guest fabc69e9d8 One more fix to avoid a fuzzy string. 2007-11-25 20:27:25 +00:00
nekral-guest 971c43c0e5 Unfuzzy other Usage strings translations.
Note: km.po and ne.po contain translated options.
2007-11-25 20:21:53 +00:00
nekral-guest 6831c45533 Do not use tabulations in Usage strings. 2007-11-24 22:41:24 +00:00
nekral-guest 0e400eae56 Run "make update-po" in the po directory. 2007-11-24 14:02:10 +00:00
nekral-guest 4d606cc690 * configure.in: New configure option: --with-sha-crypt enabled by
default. Keeping the feature enabled is safe. Disabling it permits
  to disable the references to the SHA256 and SHA512 password
  encryption algorithms from the usage help and manuals (in addition
  to the support for these algorithms in the code).
* libmisc/obscure.c, libmisc/salt.c, src/newusers.c,
  src/chpasswd.c, src/chgpasswd.c, src/passwd.c: ENCRYPT_METHOD is
  always supported in login.defs. Remove the ENCRYPTMETHOD_SELECT
  preprocessor condition.
* libmisc/obscure.c, libmisc/salt.c, src/newusers.c,
  src/chpasswd.c, src/chgpasswd.c, src/passwd.c: Disable SHA256 and
  SHA512 if USE_SHA_CRYPT is not defined (this corresponds to a
  subset of the ENCRYPTMETHOD_SELECT sections).
2007-11-24 13:08:08 +00:00
nekral-guest ee5c48d51c If we requested a non DES encryption, make sure crypt returned a encrypted
password longer than 13 chars. This protects against the GNU crypt() which
does not return NULL if the algorithm is not supported, and return a DES
encrypted password.
2007-11-24 00:37:37 +00:00
nekral-guest 6ffc0f820a Add missing #include "getdef.h" 2007-11-24 00:28:25 +00:00
nekral-guest afbf2094a8 * Provide the crypt method to all the
crypt_make_salt invocations.
* Tag the ENCRYPTMETHOD_SELECT dependent code
  accordingly.
2007-11-24 00:26:31 +00:00
nekral-guest 2e782e3d7d * libmisc/salt.c: Make sure method is not NULL, defaulting to DES.
Thanks to Dan Kopecek <dkopecek@redhat.com>.
* src/chpasswd.c, src/chgpasswd.c: Do not use DES by default, but
  the system default define in /Etc/login.defs. Thanks to Dan
  Kopecek <dkopecek@redhat.com>.
* NEWS, man/chpasswd.8.xml, man/chgpasswd.8.xml: Do not mention
  DES as the default algorithm.
* src/chpasswd.c, src/chgpasswd.c: Tag the ENCRYPTMETHOD_SELECT
  dependent code accordingly.
2007-11-24 00:16:41 +00:00
nekral-guest e1e619074c Re-indent. 2007-11-24 00:00:12 +00:00
nekral-guest a99bec34a9 Make sure method is not NULL, defaulting to DES. Thanks to Dan Kopecek <dkopecek@redhat.com>. 2007-11-23 23:57:47 +00:00
nekral-guest 963bfaf521 * Move the srandom call to gensalt.
* Replace the test on salt_size by an assert.
2007-11-23 21:04:43 +00:00
nekral-guest 43b10b311a Applied patch shadow-utils-4.0.18.2-salt.patch. Thanks to Dan Kopecek <dkopecek@redhat.com> 2007-11-23 20:51:43 +00:00
nekral-guest 1cc6fd0d16 News options -c/--crypt-method -s/--sha-rounds to newusers.
Document also new login.defs variables.
2007-11-23 20:24:42 +00:00
nekral-guest acba134aae Added prototype for getlong. 2007-11-23 20:11:00 +00:00
nekral-guest add1c18b2e * src/chpasswd.c: Added crypt method: NONE.
* src/chpasswd.c: Added --sha-rounds to the usage().
* libmisc/Makefile.am, libmisc/getlong.c, src/chgpasswd.c,
  src/chpasswd.c: New getlong function. Replace chpasswd's and
  chgpasswd's getnumber.
2007-11-23 20:09:57 +00:00
nekral-guest d8d8f70b0e Removed unused variable 'member'. 2007-11-23 20:00:03 +00:00
nekral-guest f0ccf72107 Document the variables used by chpasswd. The definitions are copied from
login.defs. I should try to use a less error prone process for this.
2007-11-23 19:58:10 +00:00
nekral-guest d316ba1b87 * Use <replaceable> for the values set by
users. (was sometimes <emphasis remap='I'>)
* Use <option> vor the variable names. This
  makes the manpage much more readable.
* (ENCRYPT_METHOD, MD5_CRYPT_ENAB,
  SHA_CRYPT_MIN_ROUNDS, SHA_CRYPT_MAX_ROUNDS): Mention that command
  line option may supersede the system setting.
* Document the variables used by chpasswd
  and chgpasswd.
2007-11-23 19:55:47 +00:00
nekral-guest ba1e26e25f svn propset svn:keywords Id 2007-11-23 19:44:57 +00:00
nekral-guest e15fbb905c * NEWS, lib/getdef.c, man/login.defs.5.xml: New login.defs
variable: MAX_MEMBERS_PER_GROUP. Used for the split groups support.
* lib/commonio.c, lib/commonio.h: Add an open_hook and close_hook
  operation. They are called after the database is actually opened
  and parse, or before it is closed.
* lib/groupio.c: Add an open_hook to merge split groups, and an
  close group to split groups if MAX_MEMBERS_PER_GROUP is set.
  This fixes gpasswd and chgpasswd when split groups are used.
* lib/sgroupio.c, lib/shadowio.c, lib/pwio.c: No open or close
  hooks for these databases. (unsure about what should be the gshadow
  behavior for split groups)
2007-11-23 00:07:59 +00:00
nekral-guest a0488ccac2 * NEWS, src/gpasswd.c: Read the group and shadow groups using
gr_locate and sgr_locate. gpasswd write in the file database. Thus
  it should read information from the file database, not using
  getgrnam. The change to sgr_locate is just for consistency. This
  requires opening the group databases (read only) using
  gr_open/sgr_open.
* NEWS: Indicate that manpages should be re-generated if configure
  option are changed, due to conditions.
2007-11-22 21:55:12 +00:00
nekral-guest b2c58c81ed * configure.in: SHADOWGRP added to AM_CONDITIONAL for the
generation of manpages.
* man/generate_translations.mak: Added pam/no_pam condition (like
  in man/Makefile.am).
* man/Makefile.am, man/generate_translations.mak: Added
  gshadow/no_gshadow condition.
* man/gpasswd.1.xml: Use the gshadow/no_gshadow condition to
  change the manpage depending on the shadow group support.
2007-11-22 21:36:38 +00:00
nekral-guest 905596ced5 Remove chunk that should not have been committed. 2007-11-22 09:27:51 +00:00
nekral-guest 3dbf1efbc3 Updated to 757t. Thanks to Yuri Kozlov <kozlov.y@gmail.com>. 2007-11-22 00:15:25 +00:00
nekral-guest 08dadcb2b7 Updated to 399t. Thanks to Yuri Kozlov <kozlov.y@gmail.com>. 2007-11-22 00:06:50 +00:00
nekral-guest f171d63b5b Add support for conditionally including paragraphs. (e.g. to support the
documentation of PAM and !PAM features).

I hate docbook!
2007-11-22 00:01:58 +00:00
nekral-guest a34110320f * man/newusers.8.xml: Added /etc/gshadow, /etc/group, /etc/shadow,
and /etc/passwd to section FILES.
* man/newusers.8.xml: Mentions that PAM is not used to set the
  passwords.
* man/chpasswd.8.xml: Added section FILES (/etc/passwd,
  /etc/shadow, /etc/login.defs).
* man/chpasswd.8.xml: Use the same paragraph as in newusers.8.xml
  to indicate that PAM is not used.
* man/chgpasswd.8.xml: Added section FILES (/etc/group,
  /etc/gshadow, /etc/login.defs).
2007-11-21 22:12:14 +00:00
nekral-guest 46ae2113b6 * Try harder to get the GID equal to the UID.
This was not the case when the GID is not specified, and a GID
  exist with an ID higher than the all the UIDs.
* Typo in comment: contrained -> constrained.
2007-11-21 21:27:44 +00:00
nekral-guest 6f7ed628e2 Compile fix (related to last commit on src/chgpasswd.c). 2007-11-21 20:28:13 +00:00
nekral-guest fd0b22cb55 If the shadow group file is not present, do not try to locate the group
entry from /etc/gshadow, and set the password in /etc/group.
2007-11-20 20:59:42 +00:00
nekral-guest 9aa40bb96d * libmisc/obscure.c, libmisc/salt.c, src/passwd.c: Match DES, MD5,
SHA256, and SHA512 exactly (not only the first 3/6 chars).
* libmisc/salt.c (SHA_salt_rounds): Set rounds to the specified
  prefered_rounds value, if specified.
* src/gpasswd.c, libmisc/salt.c: Fix compilation warnings (use
  size_t for lengths).
* src/chpasswd.c, src/chgpasswd.c: Add missing parenthesis.
2007-11-20 20:00:16 +00:00
nekral-guest 1d4b67c773 Ignore the generated manpages. Add *.[1358] to the svn:ignore property. 2007-11-20 19:15:34 +00:00
nekral-guest cda805ff4e New TODOs. 2007-11-20 13:42:18 +00:00
nekral-guest a30c0a8192 The -c, -e, and -m options are exclusives. 2007-11-20 13:09:55 +00:00
nekral-guest 6e3ad7a275 * man/chpasswd.8.xml, man/chgpasswd.8.xml: Document how the
encryption algorithm is chosen for the passwords. Document the new
  -c and -s options. Add a reference to login.defs(5).
* man/login.defs.5.xml: Document the ENCRYPT_METHOD,
  MD5_CRYPT_ENAB, SHA_CRYPT_MIN_ROUNDS, and SHA_CRYPT_MAX_ROUNDS
  variables.
* etc/login.defs: Indicate that MD5_CRYPT_ENAB is deprecated.
  Document the relationship with PAM for MD5_CRYPT_ENAB and
  ENCRYPT_METHOD.
2007-11-20 12:59:20 +00:00
nekral-guest 5cb462d767 Increase the size of crypt_passwd from 128 to 256 to avoid overflow in
case of SHA512 (161 should be sufficient).
2007-11-20 12:18:36 +00:00
nekral-guest 63a4e65ca1 Fix typo s/method/crypt_method/ 2007-11-20 12:10:55 +00:00
nekral-guest 90de228897 passwd also use crypt_make_salt(). 2007-11-20 09:51:36 +00:00
nekral-guest 0b695f5a76 * lib/prototypes.h, libmisc/salt.c: Add parameters to
crypt_make_salt to force the crypt method and number of rounds.
* libmisc/salt.c: Add parameter to SHA_salt_rounds to force the
  number of rounds.
* libmisc/salt.c, lib/getdef.c: ENCRYPT_METHOD and MD5_CRYPT_ENAB
  are needed also when USE_PAM (e.g. for chpasswd).
* src/newusers.c, src/gpasswd.c: Use the new crypt_make_salt prototype.
* src/chpasswd.c, src/chgpasswd.c: Add option -c, --crypt-method
  and -s, --sha-rounds to specify the crypt method and number of
  rounds in case of one of the SHA methods. The new prototype of
  crypt_make_salt simplifies the handling of -m, --md5.
2007-11-20 09:33:52 +00:00
nekral-guest eb23bbfd98 Hopefully, I review my commits in the morning... 2007-11-20 09:20:34 +00:00
nekral-guest e406b7fe4a * libmisc/salt.c: The salt has a random size (between 8 and 16
bytes).
* lib/getdef.c, etc/login.defs: Add definitions for
  SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS.
* libmisc/salt.c: Use SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS
  to add a random number of rounds if needed.
2007-11-20 00:05:54 +00:00
nekral-guest c214b26ee6 * libmisc/salt.c (MAGNUM): Terminate the array with nul (the array
is then used with strcat).
* libmisc/salt.c (crypt_make_salt): Initialize result[0] to nul at
  the beginning (was not initialized when USE_PAM).
* libmisc/salt.c (crypt_make_salt): Check that ENCRYPT_METHOD is a
  valid crypt method.
2007-11-19 22:34:48 +00:00
nekral-guest 65f536165d Fix typo introduced while merging RedHat patch shadow-4.0.18.1-sha256.patch. 2007-11-19 22:16:50 +00:00
nekral-guest b8d8d0de00 Add support for SHA256 and SHA512 encrypt methods. Apply RedHat's patch
shadow-4.0.18.1-sha256.patch. Thanks to Peter Vrabec. Hardly no changes
except re-indent and changes related to recent modifications (max_salt_len
in crypt_make_salt). Changes in lib/defines.h not applied (definition of
ENCRYPTMETHOD_SELECT). I will add a configure check or flag.
2007-11-19 22:14:19 +00:00
nekral-guest cfc3378a0b All the manpages in de, fr, it, pl are auto-generated. 2007-11-19 20:33:39 +00:00
nekral-guest 39e5c0a1ab Fix some compilation warnings:
* src/login.c: "dereferencing type-punned pointer will break
   strict-aliasing rules", add a variable indirection: ptr_pam_user.
 * lib/commonio.c: do not initialize the sb stat structure.
 * lib/pwio.c, lib/shadowio.c, lib/sgroupio.c, lib/groupio.c:
   initialize the security context if WITH_SELINUX.
 * lib/nscd.c: The service argument is not const (used in the exec*
   parameters). This matches with the prototype definition.
 * src/groupmems.c: Avoid ++i when i is also used in the same line.
 * src/newusers.c: i is positive every time it is compared. Add
   cast to unsigned int.
 * src/nologin.c: Use a main() prototype with no arguments.
 * libmisc/getdate.y: Initialize the type and value fields of the
   terminating entry for each TABLE.
 * libmisc/tz.c: Use "TZ=CST6CDT" as the default timezone.
2007-11-19 20:25:36 +00:00
nekral-guest d16cc1ea89 Add a NEWS entry to indicate the review of the usage of getpwnam(),
getpwuid(), getgrnam(), getgrgid(), and getspnam().
2007-11-19 01:19:45 +00:00
nekral-guest 6a0a7171d2 * man/pl/Makefile.am: Add getspnam.3 to EXTRA_DIST since it is
generated with shadow.3.
* man/generate_translations.mak: Clean all the manpages, based on
  $(EXTRA_DIST), not $(man_MANS).
2007-11-19 01:16:42 +00:00
nekral-guest 398c993e67 Additional removed translated manpages: man/pl/shadow.3 man/pl/sulogin.8 man/pl/id.1 man/ru/sulogin.8 man/ru/id.1 man/it/id.1 2007-11-19 01:13:44 +00:00
nekral-guest 221856ccc2 Remove generated translated manpages. They are still distributed with the shadow tarballs. 2007-11-18 23:58:27 +00:00
nekral-guest 9cf3af04f7 Remove chgpassw.8 since the real manpage should be named chgpasswd.8. 2007-11-18 23:43:58 +00:00
nekral-guest 03047a3980 Why does chgpasswd uses chpasswd's pam config file? 2007-11-18 23:24:44 +00:00
nekral-guest ecc11d5542 Really delete man/vigr.8.xml. 2007-11-18 23:22:28 +00:00
nekral-guest 03118ffb9b Remove file. The vigr man page is generated from the vipw XML file. 2007-11-18 23:21:49 +00:00
nekral-guest dcedc12f36 Add forgotten files in the previous ChangeLog entry. 2007-11-18 23:20:02 +00:00
nekral-guest 9adfc136b6 * lib/prototypes.h, configure.in, libmisc/Makefile.am,
libmisc/xgetXXbyYY.c, libmisc/xgetpwnam.c, libmisc/xgetpwuid.c,
  libmisc/xgetgrnam.c, libmisc/xgetgrgid.c, libmisc/xgetspnam.c:
  Added functions xgetpwnam(), xgetpwuid(), xgetgrnam(),
  xgetgrgid(), and xgetspnam(). They allocate memory for the
  returned structure and are more robust to successive calls. They
  are implemented with the libc's getxxyyy_r() functions if
  available.
* libmisc/limits.c, libmisc/entry.c, libmisc/chowntty.c,
  libmisc/addgrps.c, libmisc/myname.c, libmisc/rlogin.c,
  libmisc/pwdcheck.c, src/newgrp.c, src/login_nopam.c,
  src/userdel.c, src/lastlog.c, src/grpck.c, src/gpasswd.c,
  src/newusers.c, src/chpasswd.c, src/chfn.c, src/groupmems.c,
  src/usermod.c, src/expiry.c, src/groupdel.c, src/chgpasswd.c,
  src/su.c, src/useradd.c, src/groupmod.c, src/passwd.c, src/pwck.c,
  src/groupadd.c, src/chage.c, src/login.c, src/suauth.c,
  src/faillog.c, src/groups.c, src/chsh.c, src/id.c: Review all the
  usage of one of the getpwnam(), getpwuid(), getgrnam(),
  getgrgid(), and getspnam() functions. It was noticed on
  http://bugs.debian.org/341230 that chfn and chsh use a passwd
  structure after calling a pam function, which result in using
  information from the passwd structure requested by pam, not the
  original one. It is much easier to use the new xget... functions
  to avoid these issues. I've checked which call to the original
  get... functions could be left (reducing the scope of the
  structure if possible), and I've left comments to ease future
  reviews (e.g. /* local, no need for xgetpwnam */).
  Note: the getpwent/getgrent calls should probably be checked also.
* src/groupdel.c, src/expiry.c: Fix typos in comments.
* src/groupmod.c: Re-indent.
* libmisc/Makefile.am, lib/groupmem.c, lib/groupio.c, lib/pwmem.c,
  lib/pwio.c, lib/shadowmem.c, lib/shadowio.c: Move the __<xx>_dup
  functions (used by the xget... functions) from the <xx>io.c files
  to the new <xx>mem.c files. This avoid linking some utils against
  the SELinux library.
2007-11-18 23:15:26 +00:00
nekral-guest ea63711c2c Some fixes for the manpages:
* man/pl/pl.po: Fix typo: chgpassw -> chgpasswd.
 * man/pl/Makefile.am: Fix typo: chgpassw -> chgpasswd.
 * man/de/de.po: groups shall not be translated (for command,
   refname, or refentrytitle).
2007-11-18 22:58:31 +00:00
nekral-guest 69525890db Fix typo introduced while fixing http://bugs.debian.org/451521 (compile fix). 2007-11-18 22:52:56 +00:00
nekral-guest 0b13ea5676 * Why isgroup always return TRUE in groupmems?
* why is there a USE_PAM section?
2007-11-18 17:08:42 +00:00
nekral-guest ce579ac6d2 Fix typo: EXTRA_DOST -> EXTRA_DIST. 2007-11-18 01:21:43 +00:00
nekral-guest cd1089e6f0 Fix a typo in a comment. 2007-11-18 01:20:10 +00:00
nekral-guest 311f4baa27 Do not document the behavior compared to old versions. 2007-11-17 23:11:02 +00:00
nekral-guest 7b50ff67f9 Do not mention the patch names in the NEWS entries. They are mentioned in
the ChangeLog.
2007-11-17 22:21:50 +00:00
nekral-guest a8aa7028f4 Add NEWS entries for the previous changes. 2007-11-17 22:17:42 +00:00
nekral-guest 722941eae1 Document the differences between locking an account and locking a password. 2007-11-17 22:07:47 +00:00
nekral-guest 0743a7236d Same fixes as applied to usermod: refuse to unlock an account when it
would result in a passwordless account.
2007-11-17 22:05:31 +00:00
nekral-guest 85463e754d Refuse to unlock an account when it would result in a passwordless
account.  Based on Openwall's patch shadow-4.0.4.1-owl-usermod-unlock.diff
2007-11-17 22:02:22 +00:00
nekral-guest 5e438aa46c Make sure that the prefix is the name of a directory (not only the
beginning of a directory).
Openwall patch shadow-4.0.4.1-owl-userdel-path_prefix.diff.
2007-11-17 21:24:06 +00:00
nekral-guest 1f4488f963 * src/newgrp.c: Do not give an indication that the group has no
password.
* src/newgrp.c: Do not only bail on syslog if the password is not
  valid. Also give an indication to the user on stderr.
2007-11-17 21:03:33 +00:00
nekral-guest 225b096838 Remove a comment which states that an user shall provide a password to
switch to her group.
2007-11-17 20:41:49 +00:00
nekral-guest 8e568ef697 Last parts of the Openwall patch shadow-4.0.4.1-owl-chage-drop-priv.diff:
* src/chage.c: Make chage -l also drop the saved GID.
 * src/chage.c: Prefer setregid/setreuid to setgid/setuid.
2007-11-17 20:28:32 +00:00
nekral-guest 24cfb1c158 * src/chage.c: Remove cleanup(). pw_lock is never called. Replace
cleanup(2) by spw_unlock and remove the calls to cleanup(1).
* src/chage.c: Remove variable pwrw. It is always set to 0. The
  password database is always read only.
2007-11-17 20:09:54 +00:00
nekral-guest cbb2911b7f * man/generate_translations.mak: Generic rules for all the
generated translated manpages (if ENABLE_REGENERATE_MAN).
* man/Makefile.am: Removed rules for all the generated translated
  manpages.
* man/sv/Makefile.am, man/de/Makefile.am, man/fr/Makefile.am,
  man/pl/Makefile.am, man/ru/Makefile.am, man/it/Makefile.am:
  Include generate_translations.mak to handle the generated
  translations (XML and roff files).
* man/Makefile.am: Translated XML files moved from the CLEANFILES
  variable of man/Makefile.am to the various languages Makefiles.
2007-11-17 18:45:22 +00:00
nekral-guest a9f2f60c68 Fixes from Openwall patch shadow-4.0.4.1-alt-man.diff:
* man/useradd.8.xml: Indicate that the NIS caveats is also valid
   for any external database as LDAP.
 * man/groupadd.8.xml: Likewise.
 * man/groupadd.8.xml: Reorder and reformat the caveats bullets.
2007-11-17 18:13:17 +00:00
nekral-guest 1bcf56c8b2 Start applying Debian patch 409_man_generate_from_PO:
* NEWS: Applied Debian patch 409_man_generate_from_PO to
   automatically generate the translated manpages from the POs.
 * man/Makefile.am: Replace the individual rules for the generation
   of the manpages (from XML) by a generic Makefile rule an
   dependencies for the linked manpages.
2007-11-17 17:47:02 +00:00
nekral-guest 77bfba3017 Document that chpasswd does not use PAM to update the passwords. This fixes
http://bugs.debian.org/396726.  Debian patch 411_chpasswd_document_no_pam.
2007-11-17 17:31:54 +00:00
nekral-guest 7eed43550c Provide URLs for the Debian bugs. 2007-11-17 17:24:23 +00:00
nekral-guest 0fd1ed4517 Avoid terminating the PAM library in the forked child. This is done later
in the parent after closing the PAM session.
This fixes http://bugs.debian.org/412061.
Debian patch 405_su_no_pam_end_before_exec.
2007-11-17 17:19:44 +00:00
nekral-guest 7503c8a029 Mention sg in the newgrp manpage. Debian patch 410_newgrp_man_mention_sg. 2007-11-17 17:03:01 +00:00
nekral-guest be972d7db3 Fix typo: the warndays option was called warning. This is now warndays,
as documented in the manpage and usage.  Debian patch 417_passwd_warndays.
2007-11-17 16:57:37 +00:00
nekral-guest fb6cb07a60 Remove the preprocessor check SHADOWPWD. The variable is no more defined
(and always assumed).  Debian patch 493_pwck_no_SHADOWPWD.
2007-11-17 16:50:26 +00:00
nekral-guest 5bcc89ffe7 Add NEWS entries for the last 2 changes. 2007-11-17 16:43:00 +00:00
nekral-guest e47ee90033 -l/-u options: edit the shadow account expiry field *in addition* to
editing the password field.  Debian patch 494_passwd_lock.
2007-11-17 16:40:39 +00:00
nekral-guest f16a859ff8 Fix typos. 2007-11-17 16:33:33 +00:00
nekral-guest ae5f08b1cb New TODO for later. 2007-11-17 16:27:30 +00:00
nekral-guest 5d2ca8b240 Do not request a password when a user uses newgrp to switch to her primary
group.  Debian patch 497_newgrp_primary_group.
2007-11-17 16:19:00 +00:00
nekral-guest 90ef765c2e Log an error if the password entry could not be
found (respect LOG_UNKFAIL_ENAB to avoid logging a password). This
fixes the Debian bug http://bugs.debian.org/451521
2007-11-17 16:05:54 +00:00
nekral-guest ca875647b9 -b documenation: Use the same notation for the -d argument as in the -d documentation. 2007-11-17 15:27:12 +00:00
nekral-guest e39a941413 Allow the -b option even without the -D option. 2007-11-17 15:07:59 +00:00
nekral-guest 87b5ce3036 Use the same error message for the below errors.
(option working ONLY if another is specified).
2007-11-17 14:49:39 +00:00
nekral-guest af045a0733 Make usermod -o and -u work independently of the argument order. 2007-11-17 14:40:54 +00:00
nekral-guest 488184394e Validate that two of the -L, -p, and -U options are not used at the same
time after the parsing of options. -U used to be allowed after -p or -L,
but not before.
2007-11-17 14:33:26 +00:00
nekral-guest 71392cdc8f Make usermod -d and -m work independant of the argument order. Thanks to
Justin Pryzby <jpryzby+d@quoininc.com> for the patch. This fixes Debian's
bug #451518.
2007-11-17 14:21:05 +00:00
nekral-guest 4aafb131ca * NEWS, lib/nscd.c: Execute nscd -i instead of using the private
glibc socket to flush the nscd tables. This comes from the RedHat
  patch shadow-4.0.16-nscd.c.
* lib/commonio.c: Forbid inheritance of the passwd and group files
  to the spawed processes (like nscd). This comes from the RedHat
  patch shadow-4.0.17-notInheritFd.patch.
* lib/nscd.h: Update header.
2007-11-17 14:04:05 +00:00
nekral-guest 6c2e7c124f Remove remaining return value in update_group. 2007-11-17 13:48:56 +00:00
nekral-guest 24e742d202 * src/usermod.c (fail_exit): Add static variables pw_locked,
spw_locked, gr_locked, and sgr_locked to indicate which files must
  be unlocked.
* src/usermod.c (open_files, close_files): Open and close the
  group files as well as the passwd files. This permit to check if
  the group files modification are allowed before writing the passwd
  files.
* src/usermod.c (grp_update, update_gshadow, update_group): Do not
  return a status code, but call fail_exit() in case of error. The
  group files are no more opened and closed in update_gshadow() and
  update_group().
* src/usermod.c (main): move the call to grp_update between
  open_files and close_files.
* src/usermod.c: Differentiate failure to add a group entry and
  failure to add a shadow group entry.
2007-11-17 11:42:47 +00:00
nekral-guest 326074388c Differentiate failure to update a group entry and failure to update a shadow group entry. 2007-11-17 11:31:06 +00:00
nekral-guest 9afe59af3e Inform the user if out of memory while updating a group database. 2007-11-16 23:39:42 +00:00
nekral-guest 7ecdf9b71f Update the group database before flushing the nscd caches. 2007-11-16 23:29:41 +00:00
nekral-guest 0325483ee4 Abort if an error is found while updating the user or group database. No
changes will be written in the databases.
2007-11-16 23:26:56 +00:00
nekral-guest b370e1502e It is no more needed to check that the user's groups are specified only
once in the group file. This is checked by gr_update().
2007-11-16 23:05:24 +00:00
nekral-guest 07c2610170 * lib/commonio.c (next_entry_by_name): New function.
* NEWS, lib/commonio.c (commonio_update): When an entry is updated, make
   sure that there are no other entry with the same name. This fixes
   an infinite loop in userdel and usermod when an (erroneous) group 
   file contains two entries with the same name.
   (https://bugzilla.redhat.com/show_bug.cgi?id=240915)
2007-11-16 22:59:14 +00:00
nekral-guest c2ebdc4b5d Fix date entry. 2007-11-16 22:33:59 +00:00
nekral-guest 449f17385a * libmisc/salt.c: Make sure the salt string is terminated at the
right place (either 8th, or 11th position).
 * NEWS, src/chgpasswd.c, src/chpasswd.c: The protocol + salt does
   not need 15 chars. No need for a temporary buffer.
   This change the fix committed on 2007-11-10. The salt provided to
   pw_encrypt could have been too long.
2007-11-16 19:02:00 +00:00
nekral-guest e163c5fe9c Fix typo: missing / in <placeholder-1/>. This caused the gpasswd title to be incomplete in the French manpage. 2007-11-16 14:10:29 +00:00
nekral-guest f55e00dc4e Add support for uClibc with no l64a(). 2007-11-16 12:36:21 +00:00
nekral-guest e0edb7db17 Add support for systems with no innetgr(). On those systems, username
with an @ will be treated like any other username (i.e. lookup in the
local database for an user with an @). Thanks to Mike Frysinger for the
patch.
2007-11-16 11:32:42 +00:00
nekral-guest 690f7aee2e Indentation fix. 2007-11-16 10:50:38 +00:00
nekral-guest 8d527f156d Declare the child and pid variable at the beginning of a block. This
fixes a compilation issue with gcc 2.95. The intent is the same as
Gentoo's patch shadow-4.0.12-gcc2.patch.
2007-11-14 13:46:15 +00:00
nekral-guest 15f43716c1 Add a variable to set the suid permissions. This should simplify Gentoo's
patch shadow-4.0.11.1-perms.patch.
2007-11-14 13:32:25 +00:00
nekral-guest b2120265fd Added the subversion svn:keywords property (Id) for proper identification. 2007-11-10 23:46:11 +00:00
nekral-guest fb3b2ddbff Restore the ignore patterns from the previous repository. 2007-11-10 23:34:37 +00:00
nekral-guest 0f09d5378a Update the PO files. 2007-11-10 22:36:37 +00:00
nekral-guest f9de15fdcf Don't ask for a password if there are no group passwords. Just directly
give up. This comes from the Fedora's patch shadow-4.0.13-newgrpPwd.patch,
and seems to be the only part with an effect.
2007-11-10 18:54:40 +00:00
nekral-guest 1bdb92706e Fix chpasswd and chgpasswd stack overflow. Based on Fedora's shadow-4.0.18.1-overflow.patch. 2007-11-10 18:48:23 +00:00
nekral-guest 6a051e1544 Allow non numerical group identifier to be specified with useradd's -g
option. Applied Debian patch 397_non_numerical_identifier. Thanks also to
Greg Schafer <gschafer@zip.com.au>.
2007-11-10 15:51:38 +00:00
nekral-guest 6a73df0b18 Update the release date. 2007-10-28 15:36:14 +00:00
nekral-guest 8609e24880 Update the version number to 4.0.18.2 and the gettext version to 0.16. 2007-10-27 23:22:11 +00:00
nekral-guest 4bb174fa8c Remove the generate_translations.mak inclusion. This file does not exist
and will be introduced later when the Debian patch
409_man_generate_from_PO will be included.
2007-10-27 23:19:32 +00:00
nekral-guest a8856cbfbd Remove a plural form. nplurals=1 for japanese. Moreover, msgstr[0] was identical to msgstr[1]. 2007-10-27 23:18:08 +00:00
nekral-guest afbacaaba4 Make autogen.sh executable. 2007-10-27 23:15:42 +00:00
nekral-guest 16285e6768 Add support for 2 new resource limits. Thanks to Justin Bronder for the
patch. This was reported in the Debian bug #442334.
This only impact shadow when it is not compiled with PAM support.
2007-10-27 19:45:21 +00:00
nekral-guest 93acdeb8ff Document all gpasswd.1 options separately. This clarify the gpasswd.1
manpages (reported in debian bug #445480).
2007-10-27 14:00:31 +00:00
bubulle 3ada732dc0 Mention the GNU origin of some parts from su. Debian patch 438 2007-10-27 13:50:40 +00:00
bubulle e942010304 Fix spelling error. Debian patch 433 2007-10-27 13:45:14 +00:00
bubulle 4e796db54f Merge Debian patch 416_man-fr_newgrp (yet another French fry^W fix) 2007-10-27 13:13:24 +00:00
nekral-guest 5e8dbee79a Update contact information. 2007-10-27 13:11:28 +00:00
nekral-guest 600347a7e8 Update contact informations. 2007-10-27 13:08:46 +00:00
bubulle 84b79dd20d Merge Debian patch 402: clarify usermod "-a" help 2007-10-27 13:01:19 +00:00
bubulle 4750ec187b Merged in Debian patch 203 (german man pages translation) 2007-10-27 12:57:25 +00:00
bubulle c8933a922b Merge in Debian patch 202: switch Italian man pages to gettext 2007-10-27 12:53:06 +00:00
bubulle 6487e675b2 Mention 102 in the "fix sorry" changelog entry 2007-10-27 12:49:56 +00:00
bubulle 30d15b861f Merged patch 201: fix translation error in French man pages 2007-10-27 12:49:12 +00:00
bubulle d059ef6780 No longer apologize to users 2007-10-27 12:46:30 +00:00
bubulle d254707b96 Apply patch 102 from Debian. No mention in Changelog as we will immediately
fuzzy the strings with "sorry"
2007-10-27 12:42:21 +00:00
nekral-guest f0a3e8b09e Updated Chinese translation (zh_CN: 385t11f4t). 2007-10-27 12:35:57 +00:00
nekral-guest 3d67951f15 Updated Finish translation.
Thanks to Tommi Vainikainen <thv+debian@iki.fi>.
2007-10-27 12:08:44 +00:00
nekral-guest e3f303fdb5 If compiled without PAM support, enforce the limits from /etc/limits when
one of the -, -l, or --login options is set, even if called by root.
Thanks to Justin Bronder.
2007-10-12 22:36:26 +00:00
nekral-guest 756b6812a6 Convert the Changelog and NEWS to UTF-8. 2007-10-07 14:57:03 +00:00
nekral-guest 9873619e22 Fix the NEWS entries. The shadow-4.0.18.1 header was missing and
shadow-4.0.18.1/shadow-4.0.18.2 entries were mixed.
2007-10-07 14:52:16 +00:00
nekral-guest 79bf2081fe Commit the last version from the PLD CVS repository.
(last changelog entry: 2007-02-01)
This also adds the files which were present in the CVS repository, but not
present in the shadow archives.
2007-10-07 14:36:51 +00:00
nekral-guest 0d93a36930 Remove generated files present in the shadow archives but not in the CVS
repository.
2007-10-07 13:59:23 +00:00
nekral-guest c187b2be78 [svn-upgrade] Integrating new upstream version, shadow (4.0.18.1) 2007-10-07 11:48:07 +00:00
nekral-guest 5e20c4359f [svn-upgrade] Integrating new upstream version, shadow (4.0.18) 2007-10-07 11:47:57 +00:00
nekral-guest 8a78a8d68c [svn-upgrade] Integrating new upstream version, shadow (4.0.17) 2007-10-07 11:47:45 +00:00
nekral-guest 0fa9083026 [svn-upgrade] Integrating new upstream version, shadow (4.0.16) 2007-10-07 11:47:33 +00:00
nekral-guest 591830e43b [svn-upgrade] Integrating new upstream version, shadow (4.0.15) 2007-10-07 11:47:22 +00:00
nekral-guest 24178ad677 [svn-upgrade] Integrating new upstream version, shadow (4.0.14) 2007-10-07 11:47:11 +00:00
nekral-guest 8451bed8b0 [svn-upgrade] Integrating new upstream version, shadow (4.0.13) 2007-10-07 11:47:01 +00:00
nekral-guest e89f3546f2 [svn-upgrade] Integrating new upstream version, shadow (4.0.12) 2007-10-07 11:46:52 +00:00
nekral-guest 1de90a599c [svn-upgrade] Integrating new upstream version, shadow (4.0.11.1) 2007-10-07 11:46:43 +00:00
nekral-guest b48129fcbb [svn-upgrade] Integrating new upstream version, shadow (4.0.11) 2007-10-07 11:46:34 +00:00
nekral-guest 8c50e06102 [svn-upgrade] Integrating new upstream version, shadow (4.0.10) 2007-10-07 11:46:25 +00:00
nekral-guest 7c47e0fde3 [svn-upgrade] Integrating new upstream version, shadow (4.0.9) 2007-10-07 11:46:16 +00:00
nekral-guest 8e167d28af [svn-upgrade] Integrating new upstream version, shadow (4.0.8) 2007-10-07 11:46:07 +00:00
nekral-guest 0ee095abd8 [svn-upgrade] Integrating new upstream version, shadow (4.0.7) 2007-10-07 11:45:58 +00:00
nekral-guest 164b557066 [svn-upgrade] Integrating new upstream version, shadow (4.0.6) 2007-10-07 11:45:49 +00:00
nekral-guest b0e078d9c8 [svn-upgrade] Integrating new upstream version, shadow (4.0.5) 2007-10-07 11:45:40 +00:00
nekral-guest e637799f9b [svn-upgrade] Integrating new upstream version, shadow (4.0.4.1) 2007-10-07 11:45:31 +00:00
nekral-guest effd479bff [svn-upgrade] Integrating new upstream version, shadow (4.0.4) 2007-10-07 11:45:23 +00:00
nekral-guest 4903ce068e [svn-upgrade] Integrating new upstream version, shadow (4.0.3) 2007-10-07 11:45:14 +00:00
nekral-guest 37dc61340b [svn-upgrade] Integrating new upstream version, shadow (4.0.2) 2007-10-07 11:45:07 +00:00
nekral-guest 9db6abfa42 [svn-upgrade] Integrating new upstream version, shadow (4.0.1) 2007-10-07 11:44:59 +00:00
nekral-guest 3bc4996775 [svn-upgrade] Integrating new upstream version, shadow (4.0.0) 2007-10-07 11:44:51 +00:00
nekral-guest 8fee8c57ae [svn-upgrade] Integrating new upstream version, shadow (20001016) 2007-10-07 11:44:44 +00:00
nekral-guest 4e3fe42600 [svn-upgrade] Integrating new upstream version, shadow (20001012) 2007-10-07 11:44:38 +00:00
nekral-guest d6e9891ad7 [svn-upgrade] Integrating new upstream version, shadow (20000902) 2007-10-07 11:44:32 +00:00
nekral-guest be1f391d2a [svn-upgrade] Integrating new upstream version, shadow (20000826) 2007-10-07 11:44:26 +00:00
nekral-guest 5cd76a407a [svn-upgrade] Integrating new upstream version, shadow (20000902) 2007-10-07 11:44:20 +00:00
nekral-guest efd7efa9f1 [svn-upgrade] Integrating new upstream version, shadow (20000826) 2007-10-07 11:44:14 +00:00
nekral-guest 446e664caa [svn-upgrade] Integrating new upstream version, shadow (19990827) 2007-10-07 11:44:08 +00:00
nekral-guest 45c6603cc8 [svn-upgrade] Integrating new upstream version, shadow (19990709) 2007-10-07 11:44:02 +00:00
nekral-guest 9c72ed9062 Create a svn-buildpackage like repository layout 2007-10-07 11:43:59 +00:00
10592 changed files with 66963 additions and 576438 deletions
-50
View File
@@ -1,50 +0,0 @@
*~
lib*.a
*.o
*.lo
*.la
*.gmo
.deps
.libs
*.patch
*.rej
*.orig
Makefile
Makefile.in
/ABOUT-NLS
/aclocal.m4
/autom4te.cache
/compile
/config.cache
/config.guess
/config.h
/config.h.in
/config.log
/config.rpath
/config.status
/config.sub
/configure
/depcomp
/install-sh
/libtool
/ltmain.sh
/m4
/missing
/stamp-h1
/ylwrap
/po/*.header
/po/*.sed
/po/*.sin
/po/Makefile.in.in
/po/Makevars.template
/po/POTFILES
/po/Rules-quot
/po/stamp-po
/shadow.spec
/shadow-*.tar.*
/libmisc/getdate.c
-20
View File
@@ -1,20 +0,0 @@
sudo: false
language: c
compiler:
- gcc
- clang
addons:
apt:
packages:
- autopoint
- xsltproc
script:
- ./autogen.sh --without-selinux --disable-man
- grep ENABLE_ config.status
- make
# vim:et:ts=2:sw=2
+1 -6746
View File
File diff suppressed because it is too large Load Diff
+2
View File
@@ -2,5 +2,7 @@
EXTRA_DIST = NEWS README TODO shadow.spec.in
AUTOMAKE_OPTIONS = 1.5 dist-bzip2 foreign
SUBDIRS = po man libmisc lib src \
contrib doc etc
+1 -446
View File
@@ -1,450 +1,5 @@
$Id$
shadow-4.1.5.1 -> shadow-4.2 UNRELEASED
*** general
* Handle libc whose crypt() returns NULL when passed a salt that
violates specs or system requirements (e.g. FIPS140). This is needed
with glibc/eglibc 2.17 for tools checking passwords (passwd (non PAM
enabled) or newgrp), and for tools generating encrypted passwords
(chgpasswd, chpasswd, or gpasswd when non PAM enabled or when a fixed
crypt method is requested on the command line, and newusers, or passwd
in their non PAM enabled versions)
* Fix segfault when reading groups split on multiple lines. This impacts
most user/group management tools when MAX_MEMBERS_PER_GROUP is set.
- su
* When su receives a signal (SIGTERM, or SIGINT/SIGQUIT in non
interactive mode), kill the child process group, rather than just the
immediate child.
* Fix segmentation faults for users without a proper home or shell in
their passwd entries.
- login
* Fix segmentation faults for users without a proper home or shell in
their passwd entries.
*** documentation
* Fixed useradd man page (--home-dir option, instead of --home).
*** translation
* Updated Russian translation.
* Updated German man pages translation.
* Fixed gshadow Japanese man page translation.
shadow-4.1.5 -> shadow-4.1.5.1 2012-05-25
- login
* Log into utmp(x) when PAM is enabled, but do not log into wtmp.
This complete pam_lastlog which logs into wtmp and in into utmp(x).
- su
* non PAM enabled versions: do not fail if su is called without a
controlling terminal.
- userdel
* Fix segfault when userdel removes the user's group.
*** documentation
* .so links now point to paths relative to the top-level manual hierarchy
*** translation
* Updated French man pages translation.
* Updated German man pages translation.
* Updated Polish man pages translation. (logoutd.8)
shadow-4.1.4.3 -> shadow-4.1.5 2012-02-12
*** security
* su -c could be abused by the executed command to invoke commands with
the caller privileges. See below. (CVE-2005-4890)
*** general
* report usage error to stderr, but report usage help to stdout (and return
zero) when explicitly requested (e.g. with --help).
* initial support for tcb (http://openwall.com/tcb/) for useradd,
userdel, usermod, chage, pwck, vipw.
* Added support for ACLs and Extended Attributes in useradd and usermod.
Support shall be enabled with the new --with-acl or --with-attr
configure options.
* Added diagnosis for lock failures.
* use libsemanage instead of the semanage tool.
- chage
* Add --root option.
- chfn
* Add --root option.
- chgpasswd
* When the gshadow file exists but there are no gshadow entries, an entry
is created if the password is changed and group requires a
shadow entry.
* Add --root option.
- chpasswd
* PAM enabled versions: restore the -e option to allow restoring
passwords without knowing those passwords. Restore together the -m
and -c options. (These options were removed in shadow-4.1.4 on PAM
enabled versions)
* When the shadow file exists but there are no shadow entries, an entry
is created if the password is changed and passwd requires a
shadow entry.
* Add --root option.
- chsh
* Add --root option.
- faillog
* The -l, -m, -r, -t options only act on the existing users, unless -a is
specified.
* Add --root option.
- gpasswd
* Add --root option.
- groupadd
* Add --root option.
- groupdel
* Add --root option.
- groupmems
* Fix parsing of gshadow entries.
* Add --root option.
- groupmod
* Fixed groupmod when configured with --enable-account-tools-setuid.
* When the gshadow file exists but there are no gshadow entries, an entry
is created if the password is changed and group requires a
shadow entry.
* Add --root option.
- grpck
* Add --root option.
* NIS entries were dropped by -s (sort).
- grpconv
* Add --root option.
- grpunconv
* Add --root option.
- lastlog
* Add --root option.
- login
* Fixed limits support (non PAM enabled versions only)
* Added support for infinite limits and group based limits (non PAM
enabled versions only)
* Fixed infinite loop when CONSOLE is configured with a colon-separated
list of TTYs.
* Fixed warning and support for CONSOLE_GROUPS for users member of more
than 16 groups.
* Do not log into utmp(x) or wtmp when PAM is enabled. This is done by
pam_lastlog.
- newgrp, sg
* Fix parsing of gshadow entries.
- newusers
* Add --root option.
- passwd
* Add --root option.
- pwpck
* NIS entries were dropped by -s (sort).
* Add --root option.
- pwconv
* Add --root option.
- pwunconv
* Add --root option.
- useradd
* If the skeleton directory contained hardlinked files, copies of the
hardlink were removed from the skeleton directory.
* Add --root option.
- userdel
* Check the existence of the user's mail spool before trying to remove
it. If it does not exist, a warning is issued, but no failure.
* Do not remove a group with the same name as the user (usergroup) if
this group isn't the user's primary group.
* Add --root option.
* Add --selinux-user option.
- usermod
* Accept options in any order (username not necessarily at the end)
* When the shadow file exists but there are no shadow entries, an entry
is created if the password is changed and passwd requires a
shadow entry, or if aging features are used (-e or -f).
* Add --root option.
- su
* Document the su exit values.
* When su receives a signal, wait for the child to terminate (after
sending a SIGTERM), and kill it only if it did not terminate by itself.
No delay will be enforced if the child cooperates.
* Default ENV_SUPATH is /sbin:/bin:/usr/sbin:/usr/bin
* Fixed infinite loop when CONSOLE is configured with a colon-separated
list of TTYs.
* Fixed warning and support for CONSOLE_GROUPS for users member of more
than 16 groups.
* Do not forward the controlling terminal to commands executed with -c.
This prevents tty hijacking which could lead to execution with the
caller's privileges.
* Close PAM sessions as root. This will be more friendly to PAM modules
like pam_mount or pam_systemd.
* Added support for PAM modules which change PAM_USER.
*** translation
* Updated Brazilian Portuguese translation.
* Updated Catalan translation.
* Updated Czech translation.
* Updated Danish translation.
* New Danish man pages translation.
* Updated French translation.
* Updated French man pages translation.
* Updated German translation.
* Updated German man pages translation.
* Updated Greek translation.
* Updated Italian man pages translation.
* Updated Japanese translation.
* Updated Kazakh translation.
* Updated Norwegian Bokmål translation.
* Updated Portuguese translation.
* Updated Russian translation.
* Updated Simplified Chinese translation.
* Updated Simplified Chinese man pages translation.
* Updated Swedish translation.
* Updated Vietnamese translation.
shadow-4.1.4.2 -> shadow-4.1.4.3 2011-02-15
*** security
- CVE-2011-0721: An insufficient input sanitation in chfn can be exploited
to create users or groups in a NIS environment.
shadow-4.1.4.1 -> shadow-4.1.4.2 2009-07-24
- general
* Improved support for large groups (impacts most user/group management
tools).
- addition of system users or groups
* Speed improvement. This should be noticeable in case of LDAP configured
systems. This should impact useradd, groupadd, and newusers
* Since system accounts are allocated from SYS_?ID_MIN to SYS_?ID_MAX in
reverse order, accounts are packed close to SYS_?ID_MAX if SYS_?ID_MIN
is already used but there are still dome gaps.
- login
* Add support for shells being a shell script without a shebang.
- su
* Preserve the DISPLAY and XAUTHORITY environment variables. This was
only the case in the non PAM enabled versions.
* Add support for shells being a shell script without a shebang.
*** translation
* The Finnish translation of passwd(1) was outdated and is no more
distributed.
shadow-4.1.4 -> shadow-4.1.4.1 2009-05-22
- login
* Fix failures with empty usernames on non PAM versions.
* Fix CONSOLE (securetty) support on non PAM versions.
- newgrp
* Return the exit status of the child.
- userdel
* On Linux, do not check if an user is logged in with utmp, but check if
the user is running some processes.
* If not on Linux, continue to search for an utmp record, but make sure
the process recorded in the utmp entry is still running.
* Report failures to remove the user's mailbox
* When USERGROUPS_ENAB is enabled, remove the user's group when the
user was the only member.
* Do not fail when -r is used and the home directory does not exist.
- usermod
* Check if the user is busy when the user's UID, name or home directory
is changed.
shadow-4.1.3.1 -> shadow-4.1.4 2009-05-10
- packaging
* Enable --enable-account-tools-setuid by default for PAM builds.
* Add configure option --enable-utmpx, disabled by default to mimic
the previous behavior on Linux (where utmp and utmpx are identical).
* Fix build failure on non-PAM systems when --without-pam is not
specified.
- chpasswd
* Change the passwords using PAM. This permits to define the password
policy in a central place. The -c/--crypt-method, -e/--encrypted,
-m/--md5 and -s/--sha-rounds options are no more supported on PAM
enabled systems.
- grpck
* Warn if a group has an entry in group and gshadow, and the password
field in group is not 'x'.
- login
* Do not trust the current utmp entry's ut_line to set PAM_TTY. This could
lead to DOS attacks.
* (PAM) Even if the user was already authenticated (-f flag), ask the
user to update his authentication token if needed.
- lastlog
* Fix regression causing empty reports.
- newusers
* Change the passwords using PAM. This permits to define the password
policy in a central place. The -c/--crypt-method and -s/--sha-rounds
options are no more supported on PAM enabled systems.
- pwck
* Warn if an user has an entry in passwd and shadow, and the password
field in passwd is not 'x'.
*** translation
- Updated Czech translation
- Updated French translation
- Updated German translation
- Updated Japanese translation
- Updated Korean translation
- Updated Portuguese translation
- Updated Russian translation
shadow-4.1.3 -> shadow-4.1.3.1 2009-04-15
*** security:
- Due to bad parsing of octal permissions, the permissions on tty (login)
but also UMASK were set wrongly (and weirdly). Only shadow-4.1.3 was
affected.
*** general
- login
* Fix regression when no user is specified on the command line.
- userdel
* Fixed SE Linux support
- vipw
* SE Linux: Set the default context to the context of the file being
edited. This ensures that the backup file inherit from the file's
context.
*** translation
- Updated Norwegian Bokmål translation
shadow-4.1.2.2 -> shadow-4.1.3 2009-04-12
*** general:
- packaging
* Fixed support for OpenPAM.
* Fixed support for uclibc.
* Added configure --enable-account-tools-setuid (default) /
--disable-account-tools-setuid options. This permits to disable the
PAM authentication of the caller for chage, chgpasswd, chpasswd,
groupadd, groupdel, groupmod, newusers, useradd, userdel, and usermod.
This authentication is not necessary when these tools are not
installed setuid root.
* Added configure --with-group-name-max-length (default) /
--without-group-name-max-length options. This permits to configure the maximum length allowed for group names:
<no option> -> default of 16 (like today)
--with-group-name-max-length -> default of 16
--without-group-name-max-length -> no max length
--with-group-name-max-length=n > max is set to n
No sanity checking is performed on n so people could do
something neat like --with-group-name-max-length=MAX_INT
- addition of users or groups
* Speed improvement in case UID_MAX/SYS_UID_MAX/GID_MAX/SYS_GID_MAX is
used for an user/group. This should be noticeable in case of LDAP
configured systems. This should impact useradd, groupadd, and newusers
- error handling improvement
* Make sure errors and incomplete changes are reported to syslog and
audit in case of unexpected failures.
* Report system inconsistencies to syslog and audit.
* Only report success to syslog and audit if the changes are really
performed in the system databases.
This is still not complete.
- /etc/login.defs
* New CREATE_HOME variable to tell useradd to create a home directory by
default.
- Translations
* New Kazakh translation.
* Spanish manpages are no more distributed. They are outdated. Please
contact pkg-shadow-devel@lists.alioth.debian.org if you wish to
provide updates.
- faillog
* Accept users specified as a numerical UID, or ranges of users (-user,
user-, user1-user2).
* -l, -m, and -r now apply not only to existing users, but to all the
specified UIDs.
* Options can be specified in any order.
- gpasswd
* Added support for long options --add (-a), --delete (-d),
--remove-password (-r), --restrict (-R), --administrators (-A), and
--members (-M).
* Added support for usernames with arbitrary length.
* audit logging improvements.
* error handling improvement (see above).
* Log permission denied to syslog and audit.
- groupadd
* audit logging improvements.
* error handling improvement (see above).
* Speedup (see "addition of users or groups" above).
* do not create groups with GID set to (gid_t)-1.
* Allocate system group GIDs in reverse order. This could be useful
later to increase the static IDs range.
- groupdel
* audit logging improvements.
* error handling improvement (see above).
- groupmems
* Check if user exist before they are added to groups.
* Avoid segfault in case the specified group does not exist in /etc/group.
* Everybody is allowed to list the users of a group.
* /etc/group is open readonly when one just wants to list the users of a
group.
* Added syslog support.
* Use the groupmems PAM service name instead of groupmod.
* Fix segmentation faults when adding or removing users from a group.
* Added support for shadow groups.
* Added support long options --add (-a), --delete (-d), --purge (-p),
--list (-l), --group (-g).
- groupmod
* audit logging improvements.
* error handling improvement (see above).
* do not create groups with GID set to (gid_t)-1.
- grpck
* warn for groups with GID set to (gid_t)-1.
- login
* Restore the echoctl, echoke, onclr flags to the terminal termio flags.
Reset echoprt, noflsh, tostop. This behavior seems to have change by
mistake in earlier releases (4.0.8, for no obvious reason).
- newusers
* Implement the -r, --system option.
* Speedup (see "addition of users or groups" above).
* do not create users with UID set to (gid_t)-1.
* do not create groups with GID set to (gid_t)-1.
* Allocate system account UIDs/GIDs in reverse order. This could be useful
later to increase the static IDs range.
- passwd
* For compatibility with other passwd version, the --lock an --unlock
options do not lock or unlock the user account anymore. They only
lock or unlock the user's password.
- pwck
* warn for users with UID set to (uid_t)-1.
- su
* Preserve COLORTERM in addition to TERM when su is called with the -l
option.
- useradd
* audit logging improvements.
* Speedup (see "addition of users or groups" above).
* See CREATE_HOME above.
* New -M/--no-create-home option to disable CREATE_HOME.
* do not create users with UID set to (gid_t)-1.
* Added -Z option to map SELinux user for user's login.
* Allocate system user UIDs in reverse order. This could be useful
later to increase the static IDs range.
- userdel
* audit logging improvements.
* Do not fail if the removed user is not in the shadow database.
* When the user's group shall be removed, do not fail if this group is
not in the gshadow file.
* Delete the SELinux user mapping for user's login.
- usermod
* Allow adding LDAP users (or any user not present in the local passwd
file) to local groups
* do not create users with UID set to (gid_t)-1.
* Added -Z option to map SELinux user for user's login.
shadow-4.1.2.1 -> shadow-4.1.2.2 23-11-2008
*** security
- Fix a race condition in login that could lead to gaining ownership or
changing mode of arbitrary files.
- Fix a possible login DOS, which could be caused by injecting forged
entries in utmp.
shadow-4.1.2 -> shadow-4.1.2.1 26-06-2008
*** security
- Fix an "audit log injection" vulnerability in login.
This vulnerability makes it easier for attackers to hide activities by
modifying portions of log events, e.g. by appending an addr= statement
to the login name.
shadow-4.1.1 -> shadow-4.1.2 25-05-2008
*** security:
@@ -511,7 +66,7 @@ shadow-4.1.0 -> shadow-4.1.1 02-04-2008
faillog faster.
- gpasswd
* Fix failures when the gshadow file is not present.
* When a password is moved to the gshadow file, use "x" instead of "!"
* When a password is moved to the gshadow file, use "x" instead of "x"
to indicate that the password is shadowed (consistency with grpconv).
* Make sure the group and gshadow files are unlocked on exit.
- groupadd
+4 -20
View File
@@ -1,19 +1,14 @@
Shadow SITES
============
Homepage
http://pkg-shadow.alioth.debian.org/
FTP site
ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow
SVN repository
anonymous read only access: svn://svn.debian.org/pkg-shadow/upstream
anonymous read only access: svn://svn.debian.org/pkg-shadow/
SVN web interface
http://svn.debian.org/wsvn/pkg-shadow/upstream
or
http://svn.debian.org/viewsvn/pkg-shadow/upstream
http://svn.debian.org/wsvn/pkg-shadow
Mailing lists
for general discuss: pkg-shadow-devel@lists.alioth.debian.org
@@ -37,7 +32,7 @@ S/Key support:
Authors and contributors
========================
Thanks to at least the following people for sending patches, bug
Thanks to at least the following people for sending me patches, bug
reports and various comments. This list may be incomplete, I received
a lot of mail...
@@ -56,7 +51,6 @@ Calle Karlsson <ckn@kash.se>
Chip Rosenthal <chip@unicom.com>
Chris Evans <lady0110@sable.ox.ac.uk>
Cristian Gafton <gafton@sorosis.ro>
Dan Walsh <dwalsh@redhat.com>
Darcy Boese <possum@chardonnay.niagara.com>
Dave Hagewood <admin@arrowweb.com>
David A. Holland <dholland@hcs.harvard.edu>
@@ -69,7 +63,6 @@ Greg Mortensen <loki@world.std.com>
Guido van Rooij
Guy Maor <maor@debian.org>
Hrvoje Dogan <hdogan@bjesomar.srce.hr>
Jakub Hrozek <jhrozek@redhat.com>
Janos Farkas <chexum@bankinf.banki.hu>
Jay Soffian <jay@lw.net>
Jesse Thilo <Jesse.Thilo@pobox.com>
@@ -81,30 +74,23 @@ Joshua Cowan <jcowan@hermit.reslife.okstate.edu>
Judd Bourgeois <shagboy@bluesky.net>
Juergen Heinzl <unicorn@noris.net>
Juha Virtanen <jiivee@iki.fi>
Julian Pidancet <julian.pidancet@gmail.com>
Julianne Frances Haugh <jockgrrl@ix.netcom.com>
Leonard N. Zubkoff <lnz@dandelion.com>
Luca Berra <bluca@www.polimi.it>
Lukáš Kuklínek <lkukline@redhat.com>
Lutz Schwalowsky <schwalow@mineralogie.uni-hamburg.de>
Marc Ewing <marc@redhat.com>
Martin Bene <mb@sime.com>
Martin Mares <mj@gts.cz>
Michael Meskes <meskes@topsystem.de>
Michael Talbot-Wilson <mike@calypso.bns.com.au>
Mike Frysinger <vapier@gentoo.org>
Mike Pakovic <mpakovic@users.southeast.net>
Nicolas François <nicolas.francois@centraliens.net>
Nikos Mavroyanopoulos <nmav@i-net.paiko.gr>
Pavel Machek <pavel@bug.ucw.cz>
Peter Vrabec <pvrabec@redhat.com>
Phillip Street
Rafał Maszkowski <rzm@icm.edu.pl>
Rani Chouha <ranibey@smartec.com>
Sami Kerola <kerolasa@rocketmail.com>
Scott Garman <scott.a.garman@intel.com>
Sebastian Rick Rijkers <srrijkers@gmail.com>
Seraphim Mellos <mellos@ceid.upatras.gr>
Shane Watts <shane@nexus.mlckew.edu.au>
Steve M. Robbins <steve@nyongwa.montreal.qc.ca>
Thorsten Kukuk <kukuk@suse.de>
@@ -116,7 +102,5 @@ Werner Fink <werner@suse.de>
Maintainers
===========
Tomasz Kłoczko <kloczek@pld.org.pl> (2000-2007)
Nicolas François <nicolas.francois@centraliens.net> (2007-2014)
Serge E. Hallyn <serge@hallyn.com> (2014-now)
Tomasz Kłoczko <kloczek@pld.org.pl> (2000-2006)
+40 -81
View File
@@ -1,45 +1,11 @@
* Create a common usage function that'd take the array of
long options and an array of descriptions and output that so things would
be standardized across the utils.
Usage strings should be normalized and split first.
Investigate optparse.
passwd -l should lock the password, not the account.
vipw: Test SHADOWGRP support before using gshadow features.
/etc/default/useradd
* GROUP=1000 should accept a group name.
PAM: add support for customization of the PAM support (i.e. support the
Debian PAM configuration)
Check when RLOGIN is enabled if ruserok() exists
Move selinux_file_context out of libmisc/copydir.c
Review hardcoded root account?
review all call to strto
libmisc/cleanup_user.c
cleanup needed (cleanup_report_add_user* not used)
libxcrypt support
* http://wiki.linuxfromscratch.org/patches/browser/trunk/shadow/shadow-4.0.18.1-owl_blowfish-1.patch
implement getlong, getulong.
avoid atoi, atol, atoul, strtol, strtoul, ...
manpages: comment the RLOGIN parts
Replace build_list (in lib/gshadow.c) and list (in lib/sgetgrent.c) by
comma_to_list()
Revert the modified files if all files could not be changed.
* or warn and indicate which files were modified and which were not.
* check the order the files are modified.
report nscd_flush_cache failures?
call nscd from the programs or from lib (commonio?)
PAM: check if a non-interactive conversation function could be used to set
the password in chpasswd and newusers
PAM: check if a non-interactive conversation function could be used to
WITH_SELINUX
- review all tools to check that the strategies are consistent
@@ -47,20 +13,33 @@ WITH_SELINUX
chage, chfn, chsh: same change needed as in passwd.
- probably need moving check_selinux_access to a separate file.
man useradd
document default behavior for GROUP
remove "The default group number is 1 or whatever is..."
useradd manpage
- add -k option
- mention that -o require -u
testsuite
- newgrp
- test with unknown user's GID
newusers
- add logging to SYSLOG & AUDIT
- use CREATE_HOME
- Add a -Z option (see useradd / usermod)
faillog
- accept numerical user and range of users
Document when/where option appeared, document whether an option is standard
or not.
depends rules for the manpages
Check all the expiry semantics
Add options --crypt-method and --sha-rounds to gpasswd
ALL:
- move base passwd/shadow/group/gshadow operation to module for allow write
different backend modules for db, NIS, LDAP and others. Default backend it
@@ -70,58 +49,38 @@ ALL:
passwd have old piece of code with handling -r option and it will be good
finish this and propagate on other shadow tools for allow operate on other
user databases by well known tools.
- Protect against signals. Register do_cleanups in a signal handler.
- login.defs
- generate depending on configuration
- useradd:
- add handle create user mail spool in maildir format.
- Add support for -k in -D mode
- Add support for -K in -D mode
- Add option to create or not the mail spool (and set the default in -D
mode)
- Change -l to reset the entry if an entry was already there
- set the mask in mkdir?
- add handle -n switch in groups and id command for allow query is
group/user with specified id/gid exist - this will be very usable
on automation in packages for query/check is group/user exist in system
or not,
- groupmems:
- need some work on add PAM and i18n support.
- userdel:
- add backup option for the removal of user resources,
- add lookop and remove per user group.
- user_busy: check that the user is not running any processes.
- missing "deleting group" FAILED
- home dir removed, but userdel may fail and may leave the user
=> warning needed
- usermod
- add an option equivalent to useradd's -l (only when uid is changed)
- the mode of new home directories should be set according to the
original mode. Does copy_tree does this?
- user renamed, order is not kept in /etc/group (see
47_usermod-l_no_shadow_file). This is a problem when the first user is
considered as the admin.
- see mail "user ID change" on April, 15
+ fix call to chown (combination of -m and -u/-g)
+ add tests
- passwd:
- check combination of options (e.g. -u/-l)
- when -u refuse to unlock because it would create an empty password, it
should not display "Password changed."
exit instead?
- newgrp: check the USE_PAM section.
- pwck
- Add check to move passwd passwords to shadow if there is a shadow
entry (with a password).
- Add check to move passwd passwords to shadow if there is a shadow
file.
- Support an alternative /etc/tcb directory as second parameter.
- add options -g / -G to specify alternative group / gshadow files
- groupmems: check reason for isgroup
- su
- add a login.defs configuration parameter to add variables to keep in
the environment with "su -l" (TERM/TERMCOLOR/...)
- newusers: doc for pw_gid not clear. Differentiate
pw_gid specified and exist
pw_gid specified but does not exist
* name
* number
pw_gid not specified.
- newusers: document what happens when no uid is specified.
- newusers: add option --system?
- vipw
- set ACLs and XATTRs on the temporary file (and backups?)
- vipw + selinux -> use lib/selinux.c
-Documentation:
* document when options were added.
-2
View File
@@ -1,7 +1,5 @@
#! /bin/sh
autoreconf -v -f --install || exit 1
./configure \
CFLAGS="-O2 -Wall" \
--enable-man \
-682
View File
@@ -1,682 +0,0 @@
dnl Process this file with autoconf to produce a configure script.
AC_PREREQ([2.64])
AC_INIT([shadow], [4.5], [pkg-shadow-devel@lists.alioth.debian.org], [],
[https://github.com/shadow-maint/shadow])
AM_INIT_AUTOMAKE([1.11 foreign dist-xz])
AM_SILENT_RULES([yes])
AC_CONFIG_HEADERS([config.h])
dnl Some hacks...
test "$prefix" = "NONE" && prefix="/usr"
test "$prefix" = "/usr" && exec_prefix=""
AC_GNU_SOURCE
AM_DISABLE_SHARED
AM_ENABLE_STATIC
AM_MAINTAINER_MODE
dnl Checks for programs.
AC_PROG_CC
AC_ISC_POSIX
AC_PROG_LN_S
AC_PROG_YACC
AM_PROG_LIBTOOL
dnl Checks for libraries.
dnl Checks for header files.
AC_HEADER_DIRENT
AC_HEADER_STDC
AC_HEADER_SYS_WAIT
AC_HEADER_STDBOOL
AC_CHECK_HEADERS(errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \
utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h paths.h \
utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \
locale.h rpc/key_prot.h netdb.h acl/libacl.h attr/libattr.h \
attr/error_context.h)
dnl shadow now uses the libc's shadow implementation
AC_CHECK_HEADER([shadow.h],,[AC_MSG_ERROR([You need a libc with shadow.h])])
AC_CHECK_FUNCS(l64a fchmod fchown fsync futimes getgroups gethostname getspnam \
gettimeofday getusershell getutent initgroups lchown lckpwdf lstat \
lutimes memcpy memset setgroups sigaction strchr updwtmp updwtmpx innetgr \
getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r getaddrinfo \
ruserok)
AC_SYS_LARGEFILE
dnl Checks for typedefs, structures, and compiler characteristics.
AC_C_CONST
AC_TYPE_UID_T
AC_TYPE_OFF_T
AC_TYPE_PID_T
AC_TYPE_MODE_T
AC_HEADER_STAT
AC_CHECK_MEMBERS([struct stat.st_rdev])
AC_CHECK_MEMBERS([struct stat.st_atim])
AC_CHECK_MEMBERS([struct stat.st_atimensec])
AC_CHECK_MEMBERS([struct stat.st_mtim])
AC_CHECK_MEMBERS([struct stat.st_mtimensec])
AC_HEADER_TIME
AC_STRUCT_TM
AC_CHECK_MEMBERS([struct utmp.ut_type,
struct utmp.ut_id,
struct utmp.ut_name,
struct utmp.ut_user,
struct utmp.ut_host,
struct utmp.ut_syslen,
struct utmp.ut_addr,
struct utmp.ut_addr_v6,
struct utmp.ut_time,
struct utmp.ut_xtime,
struct utmp.ut_tv],,,[[#include <utmp.h>]])
dnl There are dependencies:
dnl If UTMPX has to be used, the utmp structure shall have a ut_id field.
if test "$ac_cv_header_utmpx_h" = "yes" &&
test "$ac_cv_member_struct_utmp_ut_id" != "yes"; then
AC_MSG_ERROR(Systems with UTMPX and no ut_id field in the utmp structure are not supported)
fi
AC_CHECK_MEMBERS([struct utmpx.ut_name,
struct utmpx.ut_host,
struct utmpx.ut_syslen,
struct utmpx.ut_addr,
struct utmpx.ut_addr_v6,
struct utmpx.ut_time,
struct utmpx.ut_xtime],,,[[#include <utmpx.h>]])
if test "$ac_cv_header_lastlog_h" = "yes"; then
AC_CACHE_CHECK(for ll_host in struct lastlog,
ac_cv_struct_lastlog_ll_host,
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include <lastlog.h>],
[struct lastlog ll; char *cp = ll.ll_host;]
)],
[ac_cv_struct_lastlog_ll_host=yes],
[ac_cv_struct_lastlog_ll_host=no]
)
)
if test "$ac_cv_struct_lastlog_ll_host" = "yes"; then
AC_DEFINE(HAVE_LL_HOST, 1,
[Define if struct lastlog has ll_host])
fi
fi
dnl Checks for library functions.
AC_TYPE_GETGROUPS
AC_TYPE_SIGNAL
AC_FUNC_UTIME_NULL
AC_FUNC_STRFTIME
AC_REPLACE_FUNCS(mkdir putgrent putpwent putspent rename rmdir)
AC_REPLACE_FUNCS(sgetgrent sgetpwent sgetspent)
AC_REPLACE_FUNCS(snprintf strcasecmp strdup strerror strstr)
AC_CHECK_FUNC(setpgrp)
if test "$ac_cv_header_shadow_h" = "yes"; then
AC_CACHE_CHECK(for working shadow group support,
ac_cv_libc_shadowgrp,
AC_RUN_IFELSE([AC_LANG_SOURCE([
#include <shadow.h>
main()
{
struct sgrp *sg = sgetsgent("test:x::");
/* NYS libc on Red Hat 3.0.3 has broken shadow group support */
return !sg || !sg->sg_adm || !sg->sg_mem;
}]
)],
[ac_cv_libc_shadowgrp=yes],
[ac_cv_libc_shadowgrp=no],
[ac_cv_libc_shadowgrp=no]
)
)
if test "$ac_cv_libc_shadowgrp" = "yes"; then
AC_DEFINE(HAVE_SHADOWGRP, 1, [Have working shadow group support in libc])
fi
fi
AC_CACHE_CHECK([location of shared mail directory], shadow_cv_maildir,
[for shadow_cv_maildir in /var/mail /var/spool/mail /usr/spool/mail /usr/mail none; do
if test -d $shadow_cv_maildir; then
break
fi
done])
if test $shadow_cv_maildir != none; then
AC_DEFINE_UNQUOTED(MAIL_SPOOL_DIR, "$shadow_cv_maildir",
[Location of system mail spool directory.])
fi
AC_CACHE_CHECK([location of user mail file], shadow_cv_mailfile,
[for shadow_cv_mailfile in Mailbox mailbox Mail mail .mail none; do
if test -f $HOME/$shadow_cv_mailfile; then
break
fi
done])
if test $shadow_cv_mailfile != none; then
AC_DEFINE_UNQUOTED(MAIL_SPOOL_FILE, "$shadow_cv_mailfile",
[Name of user's mail spool file if stored in user's home directory.])
fi
AC_CACHE_CHECK([location of utmp], shadow_cv_utmpdir,
[for shadow_cv_utmpdir in /var/run /var/adm /usr/adm /etc none; do
if test -f $shadow_cv_utmpdir/utmp; then
break
fi
done])
if test "$shadow_cv_utmpdir" = "none"; then
AC_MSG_WARN(utmp file not found)
fi
AC_DEFINE_UNQUOTED(_UTMP_FILE, "$shadow_cv_utmpdir/utmp",
[Path for utmp file.])
AC_CACHE_CHECK([location of faillog/lastlog/wtmp], shadow_cv_logdir,
[for shadow_cv_logdir in /var/log /var/adm /usr/adm /etc; do
if test -d $shadow_cv_logdir; then
break
fi
done])
AC_DEFINE_UNQUOTED(_WTMP_FILE, "$shadow_cv_logdir/wtmp",
[Path for wtmp file.])
AC_DEFINE_UNQUOTED(LASTLOG_FILE, "$shadow_cv_logdir/lastlog",
[Path for lastlog file.])
AC_DEFINE_UNQUOTED(FAILLOG_FILE, "$shadow_cv_logdir/faillog",
[Path for faillog file.])
AC_CACHE_CHECK([location of the passwd program], shadow_cv_passwd_dir,
[if test -f /usr/bin/passwd; then
shadow_cv_passwd_dir=/usr/bin
else
shadow_cv_passwd_dir=/bin
fi])
AC_DEFINE_UNQUOTED(PASSWD_PROGRAM, "$shadow_cv_passwd_dir/passwd",
[Path to passwd program.])
dnl XXX - quick hack, should disappear before anyone notices :).
AC_DEFINE(USE_SYSLOG, 1, [Define to use syslog().])
if test "$ac_cv_func_ruserok" = "yes"; then
AC_DEFINE(RLOGIN, 1, [Define if login should support the -r flag for rlogind.])
AC_DEFINE(RUSEROK, 0, [Define to the ruserok() "success" return value (0 or 1).])
fi
AC_ARG_ENABLE(shadowgrp,
[AC_HELP_STRING([--enable-shadowgrp], [enable shadow group support @<:@default=yes@:>@])],
[case "${enableval}" in
yes) enable_shadowgrp="yes" ;;
no) enable_shadowgrp="no" ;;
*) AC_MSG_ERROR(bad value ${enableval} for --enable-shadowgrp) ;;
esac],
[enable_shadowgrp="yes"]
)
AC_ARG_ENABLE(man,
[AC_HELP_STRING([--enable-man],
[regenerate roff man pages from Docbook @<:@default=no@:>@])],
[enable_man="${enableval}"],
[enable_man="no"]
)
AC_ARG_ENABLE(account-tools-setuid,
[AC_HELP_STRING([--enable-account-tools-setuid],
[Install the user and group management tools setuid and authenticate the callers. This requires --with-pam.])],
[case "${enableval}" in
yes) enable_acct_tools_setuid="yes" ;;
no) enable_acct_tools_setuid="no" ;;
*) AC_MSG_ERROR(bad value ${enableval} for --enable-account-tools-setuid)
;;
esac],
[enable_acct_tools_setuid="maybe"]
)
AC_ARG_ENABLE(utmpx,
[AC_HELP_STRING([--enable-utmpx],
[enable loggin in utmpx / wtmpx @<:@default=no@:>@])],
[case "${enableval}" in
yes) enable_utmpx="yes" ;;
no) enable_utmpx="no" ;;
*) AC_MSG_ERROR(bad value ${enableval} for --enable-utmpx) ;;
esac],
[enable_utmpx="no"]
)
AC_ARG_ENABLE(subordinate-ids,
[AC_HELP_STRING([--enable-subordinate-ids],
[support subordinate ids @<:@default=yes@:>@])],
[enable_subids="${enableval}"],
[enable_subids="maybe"]
)
AC_ARG_WITH(audit,
[AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])],
[with_audit=$withval], [with_audit=maybe])
AC_ARG_WITH(libpam,
[AC_HELP_STRING([--with-libpam], [use libpam for PAM support @<:@default=yes if found@:>@])],
[with_libpam=$withval], [with_libpam=maybe])
AC_ARG_WITH(selinux,
[AC_HELP_STRING([--with-selinux], [use SELinux support @<:@default=yes if found@:>@])],
[with_selinux=$withval], [with_selinux=maybe])
AC_ARG_WITH(acl,
[AC_HELP_STRING([--with-acl], [use ACL support @<:@default=yes if found@:>@])],
[with_acl=$withval], [with_acl=maybe])
AC_ARG_WITH(attr,
[AC_HELP_STRING([--with-attr], [use Extended Attribute support @<:@default=yes if found@:>@])],
[with_attr=$withval], [with_attr=maybe])
AC_ARG_WITH(skey,
[AC_HELP_STRING([--with-skey], [use S/Key support @<:@default=no@:>@])],
[with_skey=$withval], [with_skey=no])
AC_ARG_WITH(tcb,
[AC_HELP_STRING([--with-tcb], [use tcb support (incomplete) @<:@default=yes if found@:>@])],
[with_tcb=$withval], [with_tcb=maybe])
AC_ARG_WITH(libcrack,
[AC_HELP_STRING([--with-libcrack], [use libcrack @<:@default=no@:>@])],
[with_libcrack=$withval], [with_libcrack=no])
AC_ARG_WITH(sha-crypt,
[AC_HELP_STRING([--with-sha-crypt], [allow the SHA256 and SHA512 password encryption algorithms @<:@default=yes@:>@])],
[with_sha_crypt=$withval], [with_sha_crypt=yes])
AC_ARG_WITH(nscd,
[AC_HELP_STRING([--with-nscd], [enable support for nscd @<:@default=yes@:>@])],
[with_nscd=$withval], [with_nscd=yes])
AC_ARG_WITH(group-name-max-length,
[AC_HELP_STRING([--with-group-name-max-length], [set max group name length @<:@default=16@:>@])],
[with_group_name_max_length=$withval], [with_group_name_max_length=yes])
if test "$with_group_name_max_length" = "no" ; then
with_group_name_max_length=0
elif test "$with_group_name_max_length" = "yes" ; then
with_group_name_max_length=16
fi
AC_DEFINE_UNQUOTED(GROUP_NAME_MAX_LENGTH, $with_group_name_max_length, [max group name length])
AC_SUBST(GROUP_NAME_MAX_LENGTH)
GROUP_NAME_MAX_LENGTH="$with_group_name_max_length"
AM_CONDITIONAL(USE_SHA_CRYPT, test "x$with_sha_crypt" = "xyes")
if test "$with_sha_crypt" = "yes"; then
AC_DEFINE(USE_SHA_CRYPT, 1, [Define to allow the SHA256 and SHA512 password encryption algorithms])
fi
if test "$with_nscd" = "yes"; then
AC_CHECK_FUNC(posix_spawn,
[AC_DEFINE(USE_NSCD, 1, [Define to support flushing of nscd caches])],
[AC_MSG_ERROR([posix_spawn is needed for nscd support])])
fi
dnl Check for some functions in libc first, only if not found check for
dnl other libraries. This should prevent linking libnsl if not really
dnl needed (Linux glibc, Irix), but still link it if needed (Solaris).
AC_SEARCH_LIBS(inet_ntoa, inet)
AC_SEARCH_LIBS(socket, socket)
AC_SEARCH_LIBS(gethostbyname, nsl)
if test "$enable_shadowgrp" = "yes"; then
AC_DEFINE(SHADOWGRP, 1, [Define to support the shadow group file.])
fi
AM_CONDITIONAL(SHADOWGRP, test "x$enable_shadowgrp" = "xyes")
if test "$enable_man" = "yes"; then
dnl
dnl Check for xsltproc
dnl
AC_PATH_PROG([XSLTPROC], [xsltproc])
if test -z "$XSLTPROC"; then
enable_man=no
fi
dnl check for DocBook DTD and stylesheets in the local catalog.
JH_CHECK_XML_CATALOG([-//OASIS//DTD DocBook XML V4.1.2//EN],
[DocBook XML DTD V4.1.2], [], enable_man=no)
JH_CHECK_XML_CATALOG([http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl],
[DocBook XSL Stylesheets >= 1.70.1], [], enable_man=no)
fi
AM_CONDITIONAL(ENABLE_REGENERATE_MAN, test "x$enable_man" != "xno")
if test "$enable_subids" != "no"; then
dnl
dnl FIXME: check if 32 bit UIDs/GIDs are supported by libc
dnl
AC_CHECK_SIZEOF([uid_t],, [#include "sys/types.h"])
AC_CHECK_SIZEOF([gid_t],, [#include "sys/types.h"])
if test "$ac_cv_sizeof_uid_t" -ge 4 && test "$ac_cv_sizeof_gid_t" -ge 4; then
AC_DEFINE(ENABLE_SUBIDS, 1, [Define to support the subordinate IDs.])
enable_subids="yes"
else
if test "x$enable_subids" = "xyes"; then
AC_MSG_ERROR([Cannot enable support the subordinate IDs on systems where gid_t or uid_t has less than 32 bits])
fi
enable_subids="no"
fi
fi
AM_CONDITIONAL(ENABLE_SUBIDS, test "x$enable_subids" != "xno")
AC_SUBST(LIBCRYPT)
AC_CHECK_LIB(crypt, crypt, [LIBCRYPT=-lcrypt],
[AC_MSG_ERROR([crypt() not found])])
AC_SUBST(LIBACL)
if test "$with_acl" != "no"; then
AC_CHECK_HEADERS(acl/libacl.h attr/error_context.h, [acl_header="yes"], [acl_header="no"])
if test "$acl_header$with_acl" = "noyes" ; then
AC_MSG_ERROR([acl/libacl.h or attr/error_context.h is missing])
elif test "$acl_header" = "yes" ; then
AC_CHECK_LIB(acl, perm_copy_file,
[AC_CHECK_LIB(acl, perm_copy_fd,
[acl_lib="yes"],
[acl_lib="no"])],
[acl_lib="no"])
if test "$acl_lib$with_acl" = "noyes" ; then
AC_MSG_ERROR([libacl not found])
elif test "$acl_lib" = "no" ; then
with_acl="no"
else
AC_DEFINE(WITH_ACL, 1,
[Build shadow with ACL support])
LIBACL="-lacl"
with_acl="yes"
fi
else
with_acl="no"
fi
fi
AC_SUBST(LIBATTR)
if test "$with_attr" != "no"; then
AC_CHECK_HEADERS(attr/libattr.h attr/error_context.h, [attr_header="yes"], [attr_header="no"])
if test "$attr_header$with_attr" = "noyes" ; then
AC_MSG_ERROR([attr/libattr.h or attr/error_context.h is missing])
elif test "$attr_header" = "yes" ; then
AC_CHECK_LIB(attr, attr_copy_file,
[AC_CHECK_LIB(attr, attr_copy_fd,
[attr_lib="yes"],
[attr_lib="no"])],
[attr_lib="no"])
if test "$attr_lib$with_attr" = "noyes" ; then
AC_MSG_ERROR([libattr not found])
elif test "$attr_lib" = "no" ; then
with_attr="no"
else
AC_DEFINE(WITH_ATTR, 1,
[Build shadow with Extended Attributes support])
LIBATTR="-lattr"
with_attr="yes"
fi
else
with_attr="no"
fi
fi
AC_SUBST(LIBAUDIT)
if test "$with_audit" != "no"; then
AC_CHECK_HEADER(libaudit.h, [audit_header="yes"], [audit_header="no"])
if test "$audit_header$with_audit" = "noyes" ; then
AC_MSG_ERROR([libaudit.h is missing])
elif test "$audit_header" = "yes"; then
AC_CHECK_DECL(AUDIT_ADD_USER,,[audit_header="no"],[#include <libaudit.h>])
AC_CHECK_DECL(AUDIT_DEL_USER,,[audit_header="no"],[#include <libaudit.h>])
AC_CHECK_DECL(AUDIT_ADD_GROUP,,[audit_header="no"],[#include <libaudit.h>])
AC_CHECK_DECL(AUDIT_DEL_GROUP,,[audit_header="no"],[#include <libaudit.h>])
if test "$audit_header$with_audit" = "noyes" ; then
AC_MSG_ERROR([AUDIT_ADD_USER AUDIT_DEL_USER AUDIT_ADD_GROUP or AUDIT_DEL_GROUP missing from libaudit.h])
fi
fi
if test "$audit_header" = "yes"; then
AC_CHECK_LIB(audit, audit_log_acct_message,
[audit_lib="yes"], [audit_lib="no"])
if test "$audit_lib$with_audit" = "noyes" ; then
AC_MSG_ERROR([libaudit not found])
elif test "$audit_lib" = "no" ; then
with_audit="no"
else
AC_DEFINE(WITH_AUDIT, 1,
[Define if you want to enable Audit messages])
LIBAUDIT="-laudit"
with_audit="yes"
fi
else
with_audit="no"
fi
fi
AC_SUBST(LIBCRACK)
if test "$with_libcrack" = "yes"; then
echo "checking cracklib flavour, don't be surprised by the results"
AC_CHECK_LIB(crack, FascistCheck,
[LIBCRACK=-lcrack AC_DEFINE(HAVE_LIBCRACK, 1, [Defined if you have libcrack.])])
AC_CHECK_LIB(crack, FascistHistory,
AC_DEFINE(HAVE_LIBCRACK_HIST, 1, [Defined if you have the ts&szs cracklib.]))
AC_CHECK_LIB(crack, FascistHistoryPw,
AC_DEFINE(HAVE_LIBCRACK_PW, 1, [Defined if it includes *Pw functions.]))
fi
AC_SUBST(LIBSELINUX)
AC_SUBST(LIBSEMANAGE)
if test "$with_selinux" != "no"; then
AC_CHECK_HEADERS(selinux/selinux.h, [selinux_header="yes"], [selinux_header="no"])
if test "$selinux_header$with_selinux" = "noyes" ; then
AC_MSG_ERROR([selinux/selinux.h is missing])
fi
AC_CHECK_HEADERS(semanage/semanage.h, [semanage_header="yes"], [semanage_header="no"])
if test "$semanage_header$with_selinux" = "noyes" ; then
AC_MSG_ERROR([semanage/semanage.h is missing])
fi
if test "$selinux_header$semanage_header" = "yesyes" ; then
AC_CHECK_LIB(selinux, is_selinux_enabled, [selinux_lib="yes"], [selinux_lib="no"])
if test "$selinux_lib$with_selinux" = "noyes" ; then
AC_MSG_ERROR([libselinux not found])
fi
AC_CHECK_LIB(semanage, semanage_connect, [semanage_lib="yes"], [semanage_lib="no"])
if test "$semanage_lib$with_selinux" = "noyes" ; then
AC_MSG_ERROR([libsemanage not found])
fi
if test "$selinux_lib$semanage_lib" == "yesyes" ; then
AC_DEFINE(WITH_SELINUX, 1,
[Build shadow with SELinux support])
LIBSELINUX="-lselinux"
LIBSEMANAGE="-lsemanage"
with_selinux="yes"
else
with_selinux="no"
fi
else
with_selinux="no"
fi
fi
AC_SUBST(LIBTCB)
if test "$with_tcb" != "no"; then
AC_CHECK_HEADERS(tcb.h, [tcb_header="yes"], [tcb_header="no"])
if test "$tcb_header$with_tcb" = "noyes" ; then
AC_MSG_ERROR([tcb.h is missing])
elif test "$tcb_header" = "yes" ; then
AC_CHECK_LIB(tcb, tcb_is_suspect, [tcb_lib="yes"], [tcb_lib="no"])
if test "$tcb_lib$with_tcb" = "noyes" ; then
AC_MSG_ERROR([libtcb not found])
elif test "$tcb_lib" = "no" ; then
with_tcb="no"
else
AC_DEFINE(WITH_TCB, 1, [Build shadow with tcb support (incomplete)])
LIBTCB="-ltcb"
with_tcb="yes"
fi
else
with_tcb="no"
fi
fi
AM_CONDITIONAL(WITH_TCB, test x$with_tcb = xyes)
AC_SUBST(LIBPAM)
if test "$with_libpam" != "no"; then
AC_CHECK_LIB(pam, pam_start,
[pam_lib="yes"], [pam_lib="no"])
if test "$pam_lib$with_libpam" = "noyes" ; then
AC_MSG_ERROR(libpam not found)
fi
LIBPAM="-lpam"
pam_conv_function="no"
AC_CHECK_LIB(pam, openpam_ttyconv,
[pam_conv_function="openpam_ttyconv"],
AC_CHECK_LIB(pam_misc, misc_conv,
[pam_conv_function="misc_conv"; LIBPAM="$LIBPAM -lpam_misc"])
)
if test "$pam_conv_function$with_libpam" = "noyes" ; then
AC_MSG_ERROR(PAM conversation function not found)
fi
pam_headers_found=no
AC_CHECK_HEADERS( [security/openpam.h security/pam_misc.h],
[ pam_headers_found=yes ; break ], [],
[ #include <security/pam_appl.h> ] )
if test "$pam_headers_found$with_libpam" = "noyes" ; then
AC_MSG_ERROR(PAM headers not found)
fi
if test "$pam_lib$pam_headers_found" = "yesyes" -a "$pam_conv_function" != "no" ; then
with_libpam="yes"
else
with_libpam="no"
unset LIBPAM
fi
fi
dnl Now with_libpam is either yes or no
if test "$with_libpam" = "yes"; then
AC_CHECK_DECLS([PAM_ESTABLISH_CRED,
PAM_DELETE_CRED,
PAM_NEW_AUTHTOK_REQD,
PAM_DATA_SILENT],
[], [], [#include <security/pam_appl.h>])
save_libs=$LIBS
LIBS="$LIBS $LIBPAM"
# We do not use AC_CHECK_FUNCS to avoid duplicated definition with
# Linux PAM.
AC_CHECK_FUNC(pam_fail_delay, [AC_DEFINE(HAS_PAM_FAIL_DELAY, 1, [Define to 1 if you have the declaration of 'pam_fail_delay'])])
LIBS=$save_libs
AC_DEFINE(USE_PAM, 1, [Define to support Pluggable Authentication Modules])
AC_DEFINE_UNQUOTED(SHADOW_PAM_CONVERSATION, [$pam_conv_function],[PAM converstation to use])
AM_CONDITIONAL(USE_PAM, [true])
AC_MSG_CHECKING(use login and su access checking if PAM not used)
AC_MSG_RESULT(no)
else
AC_DEFINE(SU_ACCESS, 1, [Define to support /etc/suauth su access control.])
AM_CONDITIONAL(USE_PAM, [false])
AC_MSG_CHECKING(use login and su access checking if PAM not used)
AC_MSG_RESULT(yes)
fi
if test "$enable_acct_tools_setuid" != "no"; then
if test "$with_libpam" != "yes"; then
if test "$enable_acct_tools_setuid" = "yes"; then
AC_MSG_ERROR(PAM support is required for --enable-account-tools-setuid)
else
enable_acct_tools_setuid="no"
fi
else
enable_acct_tools_setuid="yes"
fi
if test "$enable_acct_tools_setuid" = "yes"; then
AC_DEFINE(ACCT_TOOLS_SETUID,
1,
[Define if account management tools should be installed setuid and authenticate the callers])
fi
fi
AM_CONDITIONAL(ACCT_TOOLS_SETUID, test "x$enable_acct_tools_setuid" = "xyes")
AC_SUBST(LIBSKEY)
AC_SUBST(LIBMD)
if test "$with_skey" = "yes"; then
AC_CHECK_LIB(md, MD5Init, [LIBMD=-lmd])
AC_CHECK_LIB(skey, skeychallenge, [LIBSKEY=-lskey],
[AC_MSG_ERROR([liskey missing. You can download S/Key source code from http://rsync1.it.gentoo.org/gentoo/distfiles/skey-1.1.5.tar.bz2])])
AC_DEFINE(SKEY, 1, [Define to support S/Key logins.])
AC_TRY_COMPILE([
#include <stdio.h>
#include <skey.h>
],[
skeychallenge((void*)0, (void*)0, (void*)0, 0);
],[AC_DEFINE(SKEY_BSD_STYLE, 1, [Define to support newer BSD S/Key API])])
fi
if test "$enable_utmpx" = "yes"; then
if test "$ac_cv_header_utmpx_h" != "yes"; then
AC_MSG_ERROR([The utmpx.h header file is required for utmpx support.])
fi
AC_DEFINE(USE_UTMPX,
1,
[Define if utmpx should be used])
fi
AC_DEFINE_UNQUOTED(SHELL, ["$SHELL"], [The default shell.])
AM_GNU_GETTEXT_VERSION(0.16)
AM_GNU_GETTEXT([external], [need-ngettext])
AM_CONDITIONAL(USE_NLS, test "x$USE_NLS" = "xyes")
AC_CONFIG_FILES([
Makefile
po/Makefile.in
doc/Makefile
man/Makefile
man/config.xml
man/po/Makefile
man/cs/Makefile
man/da/Makefile
man/de/Makefile
man/es/Makefile
man/fi/Makefile
man/fr/Makefile
man/hu/Makefile
man/id/Makefile
man/it/Makefile
man/ja/Makefile
man/ko/Makefile
man/pl/Makefile
man/pt_BR/Makefile
man/ru/Makefile
man/sv/Makefile
man/tr/Makefile
man/zh_CN/Makefile
man/zh_TW/Makefile
libmisc/Makefile
lib/Makefile
src/Makefile
contrib/Makefile
etc/Makefile
etc/pam.d/Makefile
shadow.spec
])
AC_OUTPUT
echo
echo "shadow will be compiled with the following features:"
echo
echo " auditing support: $with_audit"
echo " CrackLib support: $with_libcrack"
echo " PAM support: $with_libpam"
if test "$with_libpam" = "yes"; then
echo " suid account management tools: $enable_acct_tools_setuid"
fi
echo " SELinux support: $with_selinux"
echo " ACL support: $with_acl"
echo " Extended Attributes support: $with_attr"
echo " tcb support (incomplete): $with_tcb"
echo " shadow group support: $enable_shadowgrp"
echo " S/Key support: $with_skey"
echo " SHA passwords encryption: $with_sha_crypt"
echo " nscd support: $with_nscd"
echo " subordinate IDs support: $enable_subids"
echo
+430
View File
@@ -0,0 +1,430 @@
dnl Process this file with autoconf to produce a configure script.
AC_INIT
AM_INIT_AUTOMAKE(shadow, 4.1.2)
AC_CONFIG_HEADERS([config.h])
dnl Some hacks...
test "$prefix" = "NONE" && prefix="/usr"
test "$prefix" = "/usr" && exec_prefix=""
AC_GNU_SOURCE
AM_DISABLE_SHARED
AM_ENABLE_STATIC
AM_MAINTAINER_MODE
dnl Checks for programs.
AC_PROG_CC
AC_ISC_POSIX
AC_PROG_LN_S
AC_PROG_YACC
AM_C_PROTOTYPES
AM_PROG_LIBTOOL
dnl Checks for libraries.
dnl Checks for header files.
AC_HEADER_DIRENT
AC_HEADER_STDC
AC_HEADER_SYS_WAIT
AC_CHECK_HEADERS(errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \
utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h paths.h \
utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \
locale.h rpc/key_prot.h netdb.h)
dnl shadow now uses the libc's shadow implementation
AC_CHECK_HEADER([shadow.h],,[AC_MSG_ERROR([You need a libc with shadow.h])])
AC_CHECK_FUNCS(l64a fchmod fchown fsync getgroups gethostname getspnam \
gettimeofday getusershell getutent initgroups lchown lckpwdf lstat \
memcpy memset setgroups sigaction strchr updwtmp updwtmpx innetgr \
getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r)
AC_SYS_LARGEFILE
dnl Checks for typedefs, structures, and compiler characteristics.
AC_C_CONST
AC_TYPE_UID_T
AC_TYPE_OFF_T
AC_TYPE_PID_T
AC_TYPE_MODE_T
AC_HEADER_STAT
AC_CHECK_MEMBERS([struct stat.st_rdev])
AC_HEADER_TIME
AC_STRUCT_TM
if test "$ac_cv_header_utmp_h" = "yes"; then
AC_CACHE_CHECK(for ut_host in struct utmp,
ac_cv_struct_utmp_ut_host,
AC_COMPILE_IFELSE(
[AC_LANG_PROGRAM([#include <utmp.h>],
[struct utmp ut; char *cp = ut.ut_host;]
)],
[ac_cv_struct_utmp_ut_host=yes],
[ac_cv_struct_utmp_ut_host=no]
)
)
if test "$ac_cv_struct_utmp_ut_host" = "yes"; then
AC_DEFINE(UT_HOST, 1, [Define if you have ut_host in struct utmp.])
fi
AC_CACHE_CHECK(for ut_user in struct utmp,
ac_cv_struct_utmp_ut_user,
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include <utmp.h>],
[struct utmp ut; char *cp = ut.ut_user;]
)],
[ac_cv_struct_utmp_ut_user=yes],
[ac_cv_struct_utmp_ut_user=no]
)
)
if test "$ac_cv_struct_utmp_ut_user" = "no"; then
AC_DEFINE(ut_user, ut_name,
[Define to ut_name if struct utmp has ut_name (not ut_user).])
fi
fi
if test "$ac_cv_header_lastlog_h" = "yes"; then
AC_CACHE_CHECK(for ll_host in struct lastlog,
ac_cv_struct_lastlog_ll_host,
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include <lastlog.h>],
[struct lastlog ll; char *cp = ll.ll_host;]
)],
[ac_cv_struct_lastlog_ll_host=yes],
[ac_cv_struct_lastlog_ll_host=no]
)
)
if test "$ac_cv_struct_lastlog_ll_host" = "yes"; then
AC_DEFINE(HAVE_LL_HOST, 1,
[Define if struct lastlog has ll_host])
fi
fi
dnl Checks for library functions.
AC_TYPE_GETGROUPS
AC_TYPE_SIGNAL
AC_FUNC_UTIME_NULL
AC_FUNC_STRFTIME
AC_REPLACE_FUNCS(mkdir putgrent putpwent putspent rename rmdir)
AC_REPLACE_FUNCS(sgetgrent sgetpwent sgetspent)
AC_REPLACE_FUNCS(snprintf strcasecmp strdup strerror strstr)
AC_CHECK_FUNC(setpgrp)
AC_FUNC_SETPGRP
if test "$ac_cv_header_shadow_h" = "yes"; then
AC_CACHE_CHECK(for working shadow group support,
ac_cv_libc_shadowgrp,
AC_RUN_IFELSE([AC_LANG_SOURCE([
#include <shadow.h>
main()
{
struct sgrp *sg = sgetsgent("test:x::");
/* NYS libc on Red Hat 3.0.3 has broken shadow group support */
return !sg || !sg->sg_adm || !sg->sg_mem;
}]
)],
[ac_cv_libc_shadowgrp=yes],
[ac_cv_libc_shadowgrp=no],
[ac_cv_libc_shadowgrp=no]
)
)
if test "$ac_cv_libc_shadowgrp" = "yes"; then
AC_DEFINE(HAVE_SHADOWGRP, 1, [Have working shadow group support in libc])
fi
fi
AC_CACHE_CHECK([location of shared mail directory], shadow_cv_maildir,
[for shadow_cv_maildir in /var/mail /var/spool/mail /usr/spool/mail /usr/mail none; do
if test -d $shadow_cv_maildir; then
break
fi
done])
if test $shadow_cv_maildir != none; then
AC_DEFINE_UNQUOTED(MAIL_SPOOL_DIR, "$shadow_cv_maildir",
[Location of system mail spool directory.])
fi
AC_CACHE_CHECK([location of user mail file], shadow_cv_mailfile,
[for shadow_cv_mailfile in Mailbox mailbox Mail mail .mail none; do
if test -f $HOME/$shadow_cv_mailfile; then
break
fi
done])
if test $shadow_cv_mailfile != none; then
AC_DEFINE_UNQUOTED(MAIL_SPOOL_FILE, "$shadow_cv_mailfile",
[Name of user's mail spool file if stored in user's home directory.])
fi
AC_CACHE_CHECK([location of utmp], shadow_cv_utmpdir,
[for shadow_cv_utmpdir in /var/run /var/adm /usr/adm /etc none; do
if test -f $shadow_cv_utmpdir/utmp; then
break
fi
done])
if test "$shadow_cv_utmpdir" = "none"; then
AC_MSG_WARN(utmp file not found)
fi
AC_DEFINE_UNQUOTED(_UTMP_FILE, "$shadow_cv_utmpdir/utmp",
[Path for utmp file.])
AC_CACHE_CHECK([location of faillog/lastlog/wtmp], shadow_cv_logdir,
[for shadow_cv_logdir in /var/log /var/adm /usr/adm /etc; do
if test -d $shadow_cv_logdir; then
break
fi
done])
AC_DEFINE_UNQUOTED(_WTMP_FILE, "$shadow_cv_logdir/wtmp",
[Path for wtmp file.])
AC_DEFINE_UNQUOTED(LASTLOG_FILE, "$shadow_cv_logdir/lastlog",
[Path for lastlog file.])
AC_DEFINE_UNQUOTED(FAILLOG_FILE, "$shadow_cv_logdir/faillog",
[Path for faillog file.])
AC_CACHE_CHECK([location of the passwd program], shadow_cv_passwd_dir,
[if test -f /usr/bin/passwd; then
shadow_cv_passwd_dir=/usr/bin
else
shadow_cv_passwd_dir=/bin
fi])
AC_DEFINE_UNQUOTED(PASSWD_PROGRAM, "$shadow_cv_passwd_dir/passwd",
[Path to passwd program.])
dnl XXX - quick hack, should disappear before anyone notices :).
AC_DEFINE(USE_SYSLOG, 1, [Define to use syslog().])
AC_DEFINE(RLOGIN, 1, [Define if login should support the -r flag for rlogind.])
AC_DEFINE(RUSEROK, 0, [Define to the ruserok() "success" return value (0 or 1).])
AC_ARG_ENABLE(shadowgrp,
[AC_HELP_STRING([--enable-shadowgrp], [enable shadow group support @<:@default=yes@:>@])],
[case "${enableval}" in
yes) enable_shadowgrp="yes" ;;
no) enable_shadowgrp="no" ;;
*) AC_MSG_ERROR(bad value ${enableval} for --enable-shadowgrp) ;;
esac],
[enable_shadowgrp="yes"]
)
AC_ARG_ENABLE(man,
[AC_HELP_STRING([--enable-man],
[regenerate roff man pages from Docbook @<:@default=no@:>@])],
[enable_man=yes],
[enable_man=no]
)
AC_ARG_WITH(audit,
[AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])],
[with_audit=$withval], [with_audit=maybe])
AC_ARG_WITH(libpam,
[AC_HELP_STRING([--with-libpam], [use libpam for PAM support @<:@default=yes if found@:>@])],
[with_libpam=$withval], [with_libpam=maybe])
AC_ARG_WITH(selinux,
[AC_HELP_STRING([--with-selinux], [use SELinux support @<:@default=yes if found@:>@])],
[with_selinux=$withval], [with_selinux=maybe])
AC_ARG_WITH(skey,
[AC_HELP_STRING([--with-skey], [use S/Key support @<:@default=no@:>@])],
[with_skey=$withval], [with_skey=no])
AC_ARG_WITH(libcrack,
[AC_HELP_STRING([--with-libcrack], [use libcrack @<:@default=yes if found and if PAM not enabled@:>@])],
[with_libcrack=$withval], [with_libcrack=no])
AC_ARG_WITH(sha-crypt,
[AC_HELP_STRING([--with-sha-crypt], [allow the SHA256 and SHA512 password encryption algorithms @<:@default=yes@:>@])],
[with_sha_crypt=$withval], [with_sha_crypt=yes])
AM_CONDITIONAL(USE_SHA_CRYPT, test "x$with_sha_crypt" = "xyes")
if test "$with_sha_crypt" = "yes"; then
AC_DEFINE(USE_SHA_CRYPT, 1, [Define to allow the SHA256 and SHA512 password encryption algorithms])
fi
dnl Check for some functions in libc first, only if not found check for
dnl other libraries. This should prevent linking libnsl if not really
dnl needed (Linux glibc, Irix), but still link it if needed (Solaris).
AC_SEARCH_LIBS(inet_ntoa, inet)
AC_SEARCH_LIBS(socket, socket)
AC_SEARCH_LIBS(gethostbyname, nsl)
if test "$enable_shadowgrp" = "yes"; then
AC_DEFINE(SHADOWGRP, 1, [Define to support the shadow group file.])
fi
AM_CONDITIONAL(SHADOWGRP, test "x$enable_shadowgrp" = "xyes")
if test "$enable_man" = "yes"; then
dnl
dnl Check for xsltproc
dnl
AC_PATH_PROG([XSLTPROC], [xsltproc])
if test -z "$XSLTPROC"; then
enable_man=no
fi
dnl check for DocBook DTD and stylesheets in the local catalog.
JH_CHECK_XML_CATALOG([-//OASIS//DTD DocBook XML V4.1.2//EN],
[DocBook XML DTD V4.1.2], [], enable_man=no)
JH_CHECK_XML_CATALOG([http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl],
[DocBook XSL Stylesheets >= 1.70.1], [], enable_man=no)
fi
AM_CONDITIONAL(ENABLE_REGENERATE_MAN, test x$enable_man != xno)
AC_SUBST(LIBCRYPT)
AC_CHECK_LIB(crypt, crypt, [LIBCRYPT=-lcrypt],
[AC_MSG_ERROR([crypt() not found])])
AC_SUBST(LIBAUDIT)
if test "$with_audit" != "no"; then
AC_CHECK_HEADER(libaudit.h, [audit_header="yes"], [audit_header="no"])
if test "$audit_header$with_audit" = "noyes" ; then
AC_MSG_ERROR([libaudit.h is missing])
elif test "$audit_header" = "yes"; then
AC_CHECK_LIB(audit, audit_log_acct_message,
[audit_lib="yes"], [audit_lib="no"])
if test "$audit_lib$with_audit" = "noyes" ; then
AC_MSG_ERROR([libaudit not found])
elif test "$audit_lib" = "no" ; then
with_audit="no"
else
AC_DEFINE(WITH_AUDIT, 1,
[Define if you want to enable Audit messages])
LIBAUDIT="-laudit"
with_audit="yes"
fi
else
with_audit="no"
fi
fi
AC_SUBST(LIBCRACK)
if test "$with_libcrack" = "yes"; then
echo "checking cracklib flavour, don't be surprised by the results"
AC_CHECK_LIB(crack, FascistCheck,
[LIBCRACK=-lcrack AC_DEFINE(HAVE_LIBCRACK, 1, [Defined if you have libcrack.])])
AC_CHECK_LIB(crack, FascistHistory,
AC_DEFINE(HAVE_LIBCRACK_HIST, 1, [Defined if you have the ts&szs cracklib.]))
AC_CHECK_LIB(crack, FascistHistoryPw,
AC_DEFINE(HAVE_LIBCRACK_PW, 1, [Defined if it includes *Pw functions.]))
fi
AC_SUBST(LIBSELINUX)
if test "$with_selinux" != "no"; then
AC_CHECK_HEADERS(selinux/selinux.h, [selinux_header="yes"], [selinux_header="no"])
if test "$selinux_header$with_selinux" = "noyes" ; then
AC_MSG_ERROR([selinux/selinux.h is missing])
elif test "$selinux_header" = "yes" ; then
AC_CHECK_LIB(selinux, is_selinux_enabled,
[selinux_lib="yes"], [selinux_lib="no"])
if test "$selinux_lib$with_selinux" = "noyes" ; then
AC_MSG_ERROR([libselinux not found])
elif test "$selinux_lib" = "no" ; then
with_selinux="no"
else
AC_DEFINE(WITH_SELINUX, 1,
[Build shadow with SELinux support])
LIBSELINUX="-lselinux"
with_selinux="yes"
fi
else
with_selinux="no"
fi
fi
AC_SUBST(LIBPAM)
if test "$with_libpam" != "no"; then
AC_CHECK_LIB(pam, pam_start,
[pam_lib="yes"], [pam_lib="no"])
if test "$pam_lib$with_libpam" = "noyes" ; then
AC_MSG_ERROR(libpam not found)
fi
AC_CHECK_LIB(pam_misc, main,
[pam_misc_lib="yes"], [pam_misc_lib="no"])
if test "$pam_misc_lib$with_libpam" = "noyes" ; then
AC_MSG_ERROR(libpam_misc not found)
fi
if test "$pam_lib$pam_misc_lib" = "yesyes" ; then
with_libpam="yes"
else
with_libpam="no"
fi
fi
dnl Now with_libpam is either yes or no
if test "$with_libpam" = "yes"; then
AC_DEFINE(USE_PAM, 1, [Define to support Pluggable Authentication Modules])
AM_CONDITIONAL(USE_PAM, [true])
LIBPAM="-lpam -lpam_misc"
AC_MSG_CHECKING(use login and su access checking if PAM not used)
AC_MSG_RESULT(no)
else
AC_DEFINE(SU_ACCESS, 1, [Define to support /etc/suauth su access control.])
AM_CONDITIONAL(USE_PAM, [false])
AC_MSG_CHECKING(use login and su access checking if PAM not used)
AC_MSG_RESULT(yes)
fi
AC_SUBST(LIBSKEY)
AC_SUBST(LIBMD)
if test "$with_skey" = "yes"; then
AC_CHECK_LIB(md, MD5Init, [LIBMD=-lmd])
AC_CHECK_LIB(skey, skeychallenge, [LIBSKEY=-lskey],
[AC_MSG_ERROR([liskey missing. You can download S/Key source code from http://rsync1.it.gentoo.org/gentoo/distfiles/skey-1.1.5.tar.bz2])])
AC_DEFINE(SKEY, 1, [Define to support S/Key logins.])
AC_TRY_COMPILE([
#include <stdio.h>
#include <skey.h>
],[
skeychallenge((void*)0, (void*)0, (void*)0, 0);
],[AC_DEFINE(SKEY_BSD_STYLE, 1, [Define to support newer BSD S/Key API])])
fi
AM_GNU_GETTEXT_VERSION(0.16)
AM_GNU_GETTEXT([external], [need-ngettext])
AM_CONDITIONAL(USE_NLS, test "x$USE_NLS" = "xyes")
AC_CONFIG_FILES([
Makefile
po/Makefile.in
doc/Makefile
man/Makefile
man/po/Makefile.in
man/cs/Makefile
man/de/Makefile
man/es/Makefile
man/fi/Makefile
man/fr/Makefile
man/hu/Makefile
man/id/Makefile
man/it/Makefile
man/ja/Makefile
man/ko/Makefile
man/pl/Makefile
man/pt_BR/Makefile
man/ru/Makefile
man/sv/Makefile
man/tr/Makefile
man/zh_CN/Makefile
man/zh_TW/Makefile
libmisc/Makefile
lib/Makefile
src/Makefile
contrib/Makefile
etc/Makefile
etc/pam.d/Makefile
shadow.spec
])
AC_OUTPUT
echo
echo "shadow will be compiled with the following features:"
echo
echo " auditing support: $with_audit"
echo " CrackLib support: $with_libcrack"
echo " PAM support: $with_libpam"
echo " SELinux support: $with_selinux"
echo " shadow group support: $enable_shadowgrp"
echo " S/Key support: $with_skey"
echo " SHA passwords encryption: $with_sha_crypt"
echo
+1 -1
View File
@@ -230,7 +230,7 @@ void main()
fflush(stdin);
} else
if (dir[strlen(dir)-1]=='/')
sprintf(dir+strlen(dir),"%s",uname);
sprintf(dir,"%s%s",dir,uname);
printf("\nShell [%s]: ",DEFAULT_SHELL);
fflush(stdout);
+1 -1
View File
@@ -296,7 +296,7 @@ main (void)
sprintf (dir, "%s/%s", DEFAULT_HOME, usrname);
}
else if (dir[strlen (dir) - 1] == '/')
sprintf (dir+strlen(dir), "%s", usrname);
sprintf (dir, "%s%s", dir, usrname);
}
else
{
-16
View File
@@ -1,16 +0,0 @@
PKG=shadow
SITE=ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/
deb:: check_cheese
include /usr/share/quilt/quilt.debbuild.mk
check_cheese:
@dpkg-parsechangelog | grep -q "\* The \".*\".* release\." || { \
echo ""; \
echo " ** **"; \
echo " ** Warning: not a cheesy release! **"; \
echo " ** **"; \
echo ""; \
exit 1; \
}
Vendored
-36
View File
@@ -1,36 +0,0 @@
shadow (1:4.0.15-5) unstable; urgency=low
* commands passed in argument to su must use su's -c option and must quote
the command if it contains a space, as in:
su - root -c "ls -l /"
The following commands won't work anymore:
su - root -c ls -l /
su - root "ls -l /"
su - root ls -l /
-- Christian Perrier <bubulle@debian.org> Sat, 8 Apr 2006 20:11:38 +0200
shadow (1:4.0.14-1) unstable; urgency=low
* passwd does not support the -f, -s, and -g options anymore. You should use
the chfn, chsh and gpasswd utilities instead.
* login now distributes the nologin utility, which can be used as a shell
to politely refuse a login
-- Christian Perrier <bubulle@debian.org> Thu, 5 Jan 2006 08:47:44 +0100
shadow (1:4.0.12-1) unstable; urgency=low
CLOSE_SESSIONS and other variables are not used anymore in
/etc/login/defs.
As shadow utilities which use this file now warn about unknown
entries there, administrators should remove such unknown entries.
The supplied login.defs file does not include them anymore.
dpasswd is no more distributed by upstream. Login do not support
dialup password anymore. Re-introducing this functionality in
upstream is not trivial.
-- Christian Perrier <bubulle@debian.org> Thu, 25 Aug 2005 08:38:47 +0200
-62
View File
@@ -1,62 +0,0 @@
Read this file first for a brief overview of the new versions of login
and passwd.
---Shadow passwords
The command `shadowconfig on' will turn on shadow password support.
`shadowconfig off' will turn it back off. If you turn on shadow
password support, you'll gain the ability to set password ages and
expirations with chage(1).
NOTE: If you use the nscd package, you may have problems with a
slight delay in updating the password information. You may notice
this during upgrades of certain packages that try to add a system
user and then access the users information immediately afterwards.
To avoid this, it is suggested that you stop the nscd daemon before
upgrades, then restart it again.
---General configuration
Most of the configuration for the shadow utilities is in
/etc/login.defs. See login.defs(5). The defaults are quite
reasonable.
Also see the /etc/pam.d/* files for each program to configure the PAM
support. PAM documentation is available in several formats in the
libpam-doc package.
---MD5 Encryption
This is enabled now using the /etc/pam.d/* files. Examples are given.
---Adding users and groups
Though you may add users and groups with the SysV type commands,
useradd and groupadd, I recommend you add them with Debian adduser
version 3+. adduser gives you more configuration and conforms to the
Debian UID and GID allocation.
Editing user and group parameters can be done with usermod and
groupmod. Removing users and groups can be done with userdel and
groupdel.
--- Group administration
Local group allocation is much easier. With gpasswd(1) you can
designate users to administer groups. They can then securely add or
remove users from the group.
--- What to read next?
Read the manpages, the other files in this directory, and the Shadow
Password HOWTO (included in the doc-linux package). A large portion
of these files deals with getting shadow installed. You can, of
course, ignore those parts.
Also, the libpam-doc package will go a long way to allowing you to take
full advantage of the PAM authentication scheme.
-4
View File
@@ -1,4 +0,0 @@
A testsuite is also available. Instruction on how to run this testsuite
are available in tests/README
-- Balint Reczey <rbalint@ubuntu.com>, Sat, 12 Aug 2017 18:46:44 -0400
Vendored
-19
View File
@@ -1,19 +0,0 @@
Things that should be done:
* Verify the files left in debian/tmp
+ e.g. /etc/default/adduser should be installed
* Check the build system: rebuilding the package twoce in the same tree
doubles the size of the diff.gz file
Other points (not related to the release of a syncronized shadow):
* compare the source with the usages and man pages
+ probably add a sentence to chsh/chfn's manpages about authentication
required for ordinary users
* do something (a tool) for the variables in login.defs
In Debian, some tools are not compiled with the PAM support, so upstream
getdef.c won't be OK.
It should be nice to see in each man page the set of variables used.
The Debian package can now compile (export DEB_BUILD_OPTIONS='nostrip debug')
with the debugging informations. This may be used to extract the set of
variables used in Debian/for each tools.
* verify all the patches around (I've found patches for at least RedHat,
OWL, LFS, Mandriva, Gentoo; are they already applied?)
-25
View File
@@ -1,25 +0,0 @@
This described the usertags used by the team.
For usertags documentation, see
http://lists.debian.org/debian-devel-announce/2005/09/msg00002.html
All bugs tagged by team members must be tagged with
"user pkg-shadow-devel@lists.alioth.debian.org"
Tags list
---------
toclose: This bug has been announced to be closed in case no more news
or information is received from the bug submitter or someone
else until the delay specified in the limits_YYYYMMDD tag
limits-YYYYMMDD: combine it with "toclose". Specifies the date after which
bugs can be closed without other action in case no news
is received
manpages-replace A bug reported angainst a manpages-xx package to indicate
conflicting man pages. This tag can be used to tune the
Replaces fields.
su-transition: This bug is related to the su transition (#276419)
-3849
View File
File diff suppressed because it is too large Load Diff
-1
View File
@@ -1 +0,0 @@
10
-78
View File
@@ -1,78 +0,0 @@
Source: shadow
Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Uploaders: Christian Perrier <bubulle@debian.org>,
Balint Reczey <rbalint@ubuntu.com>,
Serge Hallyn <serge@hallyn.com>
Section: admin
Priority: required
Build-Depends: dh-autoreconf,
gettext,
libpam0g-dev,
debhelper (>= 10~),
quilt,
xsltproc,
docbook-xsl,
docbook-xml,
libxml2-utils,
cdbs,
libselinux1-dev [linux-any],
libsemanage1-dev [linux-any],
gnome-doc-utils,
bison,
libaudit-dev [linux-any]
Standards-Version: 3.9.5
Vcs-Browser: https://anonscm.debian.org/git/pkg-shadow/shadow.git
Vcs-Git: https://anonscm.debian.org/git/pkg-shadow/shadow.git
Homepage: https://github.com/shadow-maint/shadow
Package: passwd
Architecture: any
Multi-Arch: foreign
Depends: ${shlibs:Depends},
${misc:Depends},
libpam-modules
Replaces: manpages-tr (<< 1.0.5),
manpages-zh (<< 1.5.1-1)
Description: change and administer password and group data
This package includes passwd, chsh, chfn, and many other programs to
maintain password and group data.
.
Shadow passwords are supported. See /usr/share/doc/passwd/README.Debian
Package: login
Architecture: any
Essential: yes
Pre-Depends: ${shlibs:Depends},
${misc:Depends},
libpam-runtime,
libpam-modules (>= 1.1.8-1)
Breaks: coreutils (<< 8.21~) [hurd-any],
passwd (<< 1:4.1.5.1-2~) [hurd-any],
hurd (<< 20140206~) [hurd-any],
util-linux (<< 2.32-0.2~)
Conflicts: gnunet (<< 0.7.0c-2),
amavisd-new (<< 2.3.3-8),
python-4suite (<< 0.99cvs20060405-1),
backupninja (<< 0.9.3-5),
echolot (<< 2.1.8-4)
Replaces: manpages-de (<< 0.5-3),
manpages-tr (<< 1.0.5),
manpages-zh (<< 1.5.1-1),
passwd (<< 1:4.1.5.1-2~) [hurd-any],
coreutils (<< 8.21~) [hurd-any],
hurd (<< 20140206~) [hurd-any]
Description: system login tools
These tools are required to be able to login and use your system. The
login program invokes your user shell and enables command execution. The
newgrp program is used to change your effective group ID (useful for
workgroup type situations). The su program allows changing your effective
user ID (useful being able to execute commands as another user).
Package: uidmap
Architecture: any
Priority: optional
Depends: ${shlibs:Depends},
${misc:Depends}
Description: programs to help use subuids
These programs help unprivileged users to create uid and gid mappings in
user namespaces.
-103
View File
@@ -1,103 +0,0 @@
This is Debian GNU/Linux's prepackaged version of the shadow utilities.
It was downloaded from: <ftp://ftp.pld.org.pl/software/shadow/>.
As of May 2007, this site is no longer available.
Copyright:
Parts of this software are copyright 1988 - 1994, Julianne Frances Haugh.
All rights reserved.
Parts of this software are copyright 1997 - 2001, Marek Michałkiewicz.
All rights reserved.
Parts of this software are copyright 2001 - 2004, Andrzej Krzysztofowicz
All rights reserved.
Parts of this software are copyright 2000 - 2007, Tomasz Kłoczko.
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name of Julianne F. Haugh nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
This source code is currently archived on ftp.uu.net in the
comp.sources.misc portion of the USENET archives. You may also contact
the author, Julianne F. Haugh, at jockgrrl@ix.netcom.com if you have
any questions regarding this package.
THIS SOFTWARE IS BEING DISTRIBUTED AS-IS. THE AUTHORS DISCLAIM ALL
LIABILITY FOR ANY CONSEQUENCES OF USE. THE USER IS SOLELY RESPONSIBLE
FOR THE MAINTENANCE OF THIS SOFTWARE PACKAGE. THE AUTHORS ARE UNDER NO
OBLIGATION TO PROVIDE MODIFICATIONS OR IMPROVEMENTS. THE USER IS
ENCOURAGED TO TAKE ANY AND ALL STEPS NEEDED TO PROTECT AGAINST ACCIDENTAL
LOSS OF INFORMATION OR MACHINE RESOURCES.
Special thanks are due to Chip Rosenthal for his fine testing efforts;
to Steve Simmons for his work in porting this code to BSD; and to Bill
Kennedy for his contributions of LaserJet printer time and energies.
Also, thanks for Dennis L. Mumaugh for the initial shadow password
information and to Tony Walton (olapw@olgb1.oliv.co.uk) for the System
V Release 4 changes. Effort in porting to SunOS has been contributed
by Dr. Michael Newberry (miken@cs.adfa.oz.au) and Micheal J. Miller, Jr.
(mke@kaberd.rain.com). Effort in porting to AT&T UNIX System V Release
4 has been provided by Andrew Herbert (andrew@werple.pub.uu.oz.au).
Special thanks to Marek Michalkiewicz (marekm@i17linuxb.ists.pwr.wroc.pl)
for taking over the Linux port of this software.
Source files: login_access.c, login_desrpc.c, login_krb.c are derived
from the logdaemon-5.0 package, which is under the following license:
/************************************************************************
* Copyright 1995 by Wietse Venema. All rights reserved. Individual files
* may be covered by other copyrights (as noted in the file itself.)
*
* This material was originally written and compiled by Wietse Venema at
* Eindhoven University of Technology, The Netherlands, in 1990, 1991,
* 1992, 1993, 1994 and 1995.
*
* Redistribution and use in source and binary forms are permitted
* provided that this entire copyright notice is duplicated in all such
* copies.
*
* This software is provided "as is" and without any expressed or implied
* warranties, including, without limitation, the implied warranties of
* merchantibility and fitness for any particular purpose.
************************************************************************/
Some parts substantially in src/su.c derived from an ancestor of
su for GNU. Run a shell with substitute user and group IDs.
Copyright (C) 1992-2003 Free Software Foundation, Inc.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2, or (at your option)
any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
On Debian GNU/Linux systems, the complete text of the GNU General Public
License can be found in '/usr/share/common-licenses/GPL-2'
-1
View File
@@ -1 +0,0 @@
.so man8/cppw.8
-27
View File
@@ -1,27 +0,0 @@
.TH CPPW 8 "7 Apr 2005"
.SH NAME
cppw, cpgr \- copy with locking the given file to the password or group file
.SH SYNOPSIS
\fBcppw\fR [\fB\-h\fR] [\fB\-s\fR] password_file
.br
\fBcpgr\fR [\fB\-h\fR] [\fB\-s\fR] group_file
.SH DESCRIPTION
.BR cppw " and " cpgr
will copy, with locking, the given file to
.IR /etc/passwd " and " /etc/group ", respectively."
With the \fB\-s\fR flag, they will copy the shadow versions of those files,
.IR /etc/shadow " and " /etc/gshadow ", respectively."
With the \fB\-h\fR flag, the commands display a short help message and exit
silently.
.SH "SEE ALSO"
.BR vipw (8),
.BR vigr (8),
.BR group (5),
.BR passwd (5),
.BR shadow (5),
.BR gshadow (5)
.SH AUTHOR
\fBcppw\fR and \fBcpgr\fR were written by Stephen Frost, based on
\fBvipw\fR and \fBvigr\fR written by Guy Maor.
-94
View File
@@ -1,94 +0,0 @@
Build-Depends:
==============
* autoconf
* automake1.9
works with 1.7 or 1.9 (at least)
* libtool
* gettext
POT, PO, GMO regenerated?
* libpam0g-dev
OK
* debhelper (>= 4.1.16)
* po-debconf
OK
* quilt
patch system
* dpkg-dev (>= 1.13.5)
* xsltproc
used to generate the manpages
* docbook-xsl
needed for /usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl
* docbook-xml
manpages/docbook.xsl includes html/docbook.xsl
(But it is not strictly needed. The generated manpages are identical.
Without it, a warning is generated.)
Needed by JH_CHECK_XML_CATALOG([-//OASIS//DTD DocBook XML V4.1.2//EN], [DocBook XML DTD V4.1.2], [], enable_man=no)
* libxml2-utils
needed by the JH_CHECK_XML_CATALOG macros
* cdbs
used in debian/rules
* libselinux1-dev [!hurd-i386 !kfreebsd-i386 !kfreebsd-amd64]
* gnome-doc-utils (>= 0.4.3-1)
xml2po, 0.4.3-1 needed for the -l switch.
passwd Depends:
===============
* ${shlibs:Depends}
OK
* ${loginpam}
- hurd
login
libpam-modules (>= 0.72-5)
- other archs
+ login (>= 970502-1)
login is needed because some passwd utils need /etc/login.defs
login is Essential, so this is just to enforce the version
+ libpam-modules (>= 0.72-5)
* debianutils (>= 2.15.2)
After 1:4.0.12-6, {add,remove}-shell are distributed in debianutils (2.15)
/etc/shell was forgotten and introduced in debianutils in 2.15.2
passwd Conflicts:
=================
passwd Replaces:
================
Some of the passwd man pages are also distributed in some manpages* packages.
Look at the debian/02/run test to optimize these dependencies.
NOTE: Not all maintainers have been notified.
* manpages-de (<< 0.4-9), manpages-fi (<< 0.2-4), manpages-fr (<<1.64.0-1), manpages-hu (<< 20010119-5), manpages-it (<< 0.3.4-3), manpages-ja (<< 0.5.0.0.20050915-1), manpages-ko (<< 20050219-2), manpages-es (<< 1.55-4), manpages-es-extra (<< 0.8a-15), manpages-ru (<< 0.98-3)
All those packages have been updated during sarge->etch. So these Replaces
should be removed after lenny release
* manpages-tr, manpages-zh
Those packages are still in etch, so the Replaces should be kept even
after lenny release
login Pre-Depends:
==================
* ${shlibs:Depends}
* libpam-runtime (>= 0.76-14)
sarge contained 0.76-22
Why Pre-Depends? (because it's an essential package?)
login Depends:
==============
* libpam-modules (>= 0.72-5)
libpam-modules is needed.
potato contained 0.72-9
login Conflicts:
================
login Replaces:
===============
* Some of the login man pages are also distributed in some manpages* packages.
Look at the debian/02/run test to optimize these dependencies.
NOTE: Not all maintainers have been notified.
- manpages-fi, manpages-fr (<<1.64.0-1), manpages-hu, manpages-it, manpages-ko, manpages-ja (<< 0.5.0.0.20050915-1), manpages-de (<< 0.4-10), manpages-es-extra (<<0.8a-15)
Those are packages that have been updated during sarge->etch. These
Replaces should be removed after lenny
- manpages-tr, manpages-zh
Those packages are still in etch, so the Replaces should be kept even
after lenny release
-340
View File
@@ -1,340 +0,0 @@
#
# /etc/login.defs - Configuration control definitions for the login package.
#
# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH.
# If unspecified, some arbitrary (and possibly incorrect) value will
# be assumed. All other items are optional - if not specified then
# the described action or option will be inhibited.
#
# Comment lines (lines beginning with "#") and blank lines are ignored.
#
# Modified for Linux. --marekm
# REQUIRED for useradd/userdel/usermod
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define MAIL_DIR and MAIL_FILE,
# MAIL_DIR takes precedence.
#
# Essentially:
# - MAIL_DIR defines the location of users mail spool files
# (for mbox use) by appending the username to MAIL_DIR as defined
# below.
# - MAIL_FILE defines the location of the users mail spool files as the
# fully-qualified filename obtained by prepending the user home
# directory before $MAIL_FILE
#
# NOTE: This is no more used for setting up users MAIL environment variable
# which is, starting from shadow 4.0.12-1 in Debian, entirely the
# job of the pam_mail PAM modules
# See default PAM configuration files provided for
# login, su, etc.
#
# This is a temporary situation: setting these variables will soon
# move to /etc/default/useradd and the variables will then be
# no more supported
MAIL_DIR /var/mail
#MAIL_FILE .mail
#
# Enable logging and display of /var/log/faillog login failure info.
# This option conflicts with the pam_tally PAM module.
#
FAILLOG_ENAB yes
#
# Enable display of unknown usernames when login failures are recorded.
#
# WARNING: Unknown usernames may become world readable.
# See #290803 and #298773 for details about how this could become a security
# concern
LOG_UNKFAIL_ENAB no
#
# Enable logging of successful logins
#
LOG_OK_LOGINS no
#
# Enable "syslog" logging of su activity - in addition to sulog file logging.
# SYSLOG_SG_ENAB does the same for newgrp and sg.
#
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
#
# If defined, all su activity is logged to this file.
#
#SULOG_FILE /var/log/sulog
#
# If defined, file which maps tty line to TERM environment parameter.
# Each line of the file is in a format something like "vt100 tty01".
#
#TTYTYPE_FILE /etc/ttytype
#
# If defined, login failures will be logged here in a utmp format
# last, when invoked as lastb, will read /var/log/btmp, so...
#
FTMP_FILE /var/log/btmp
#
# If defined, the command name to display when running "su -". For
# example, if this is defined as "su" then a "ps" will display the
# command is "-su". If not defined, then "ps" would display the
# name of the shell actually being run, e.g. something like "-sh".
#
SU_NAME su
#
# If defined, file which inhibits all the usual chatter during the login
# sequence. If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file. If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
#
# *REQUIRED* The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
#
# Terminal permissions
#
# TTYGROUP Login tty will be assigned this group ownership.
# TTYPERM Login tty will be set to this permission.
#
# If you have a "write" program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP to the group number and
# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
# TTYPERM to either 622 or 600.
#
# In Debian /usr/bin/bsd-write or similar programs are setgid tty
# However, the default and recommended value for TTYPERM is still 0600
# to not allow anyone to write to anyone else console or terminal
# Users can still allow other people to write them by issuing
# the "mesg y" command.
TTYGROUP tty
TTYPERM 0600
#
# Login configuration initializations:
#
# ERASECHAR Terminal ERASE character ('\010' = backspace).
# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
# UMASK Default "umask" value.
#
# The ERASECHAR and KILLCHAR are used only on System V machines.
#
# UMASK is the default umask value for pam_umask and is used by
# useradd and newusers to set the mode of the new home directories.
# 022 is the "historical" value in Debian for UMASK
# 027, or even 077, could be considered better for privacy
# There is no One True Answer here : each sysadmin must make up his/her
# mind.
#
# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
# for private user groups, i. e. the uid is the same as gid, and username is
# the same as the primary group name: for these, the user permissions will be
# used as group permissions, e. g. 022 will become 002.
#
# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
#
ERASECHAR 0177
KILLCHAR 025
UMASK 022
#
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 1000
UID_MAX 60000
# System accounts
#SYS_UID_MIN 100
#SYS_UID_MAX 999
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 1000
GID_MAX 60000
# System accounts
#SYS_GID_MIN 100
#SYS_GID_MAX 999
#
# Max number of login retries if password is bad. This will most likely be
# overriden by PAM, since the default pam_unix module has it's own built
# in of 3 retries. However, this is a safe fallback in case you are using
# an authentication module that does not enforce PAM_MAXTRIES.
#
LOGIN_RETRIES 5
#
# Max time in seconds for login
#
LOGIN_TIMEOUT 60
#
# Which fields may be changed by regular users using chfn - use
# any combination of letters "frwh" (full name, room number, work
# phone, home phone). If not defined, no changes are allowed.
# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
#
CHFN_RESTRICT rwh
#
# Should login be allowed if we can't cd to the home directory?
# Default in no.
#
DEFAULT_HOME yes
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local
#
# If set to yes, userdel will remove the user's group if it contains no
# more members, and useradd will create by default a group with the name
# of the user.
#
# Other former uses of this variable such as setting the umask when
# user==primary group are not used in PAM environments, such as Debian
#
USERGROUPS_ENAB yes
#
# Instead of the real user shell, the program specified by this parameter
# will be launched, although its visible name (argv[0]) will be the shell's.
# The program may do whatever it wants (logging, additional authentification,
# banner, ...) before running the actual shell.
#
# FAKE_SHELL /bin/fakeshell
#
# If defined, either full pathname of a file containing device names or
# a ":" delimited list of device names. Root logins will be allowed only
# upon these devices.
#
# This variable is used by login and su.
#
#CONSOLE /etc/consoles
#CONSOLE console:tty01:tty02:tty03:tty04
#
# List of groups to add to the user's supplementary group set
# when logging in on the console (as determined by the CONSOLE
# setting). Default is none.
#
# Use with caution - it is possible for users to gain permanent
# access to these groups, even when not logged in on the console.
# How to do it is left as an exercise for the reader...
#
# This variable is used by login and su.
#
#CONSOLE_GROUPS floppy:audio:cdrom
#
# If set to "yes", new passwords will be encrypted using the MD5-based
# algorithm compatible with the one used by recent releases of FreeBSD.
# It supports passwords of unlimited length and longer salt strings.
# Set to "no" if you need to copy encrypted passwords to other systems
# which don't understand the new algorithm. Default is "no".
#
# This variable is deprecated. You should use ENCRYPT_METHOD.
#
#MD5_CRYPT_ENAB no
#
# If set to MD5 , MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
# If set to DES, DES-based algorithm will be used for encrypting password (default)
# Overrides the MD5_CRYPT_ENAB option
#
# Note: It is recommended to use a value consistent with
# the PAM modules configuration.
#
ENCRYPT_METHOD SHA512
#
# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512.
#
# Define the number of SHA rounds.
# With a lot of rounds, it is more difficult to brute forcing the password.
# But note also that it more CPU resources will be needed to authenticate
# users.
#
# If not specified, the libc will choose the default number of rounds (5000).
# The values must be inside the 1000-999999999 range.
# If only one of the MIN or MAX values is set, then this value will be used.
# If MIN > MAX, the highest value will be used.
#
# SHA_CRYPT_MIN_ROUNDS 5000
# SHA_CRYPT_MAX_ROUNDS 5000
################# OBSOLETED BY PAM ##############
# #
# These options are now handled by PAM. Please #
# edit the appropriate file in /etc/pam.d/ to #
# enable the equivelants of them.
#
###############
#MOTD_FILE
#DIALUPS_CHECK_ENAB
#LASTLOG_ENAB
#MAIL_CHECK_ENAB
#OBSCURE_CHECKS_ENAB
#PORTTIME_CHECKS_ENAB
#SU_WHEEL_ONLY
#CRACKLIB_DICTPATH
#PASS_CHANGE_TRIES
#PASS_ALWAYS_WARN
#ENVIRON_FILE
#NOLOGINS_FILE
#ISSUE_FILE
#PASS_MIN_LEN
#PASS_MAX_LEN
#ULIMIT
#ENV_HZ
#CHFN_AUTH
#CHSH_AUTH
#FAIL_DELAY
################# OBSOLETED #######################
# #
# These options are no more handled by shadow. #
# #
# Shadow utilities will display a warning if they #
# still appear. #
# #
###################################################
# CLOSE_SESSIONS
# LOGIN_STRING
# NO_PASSWORD_CONSOLE
# QMAIL_DIR
-1
View File
@@ -1 +0,0 @@
usr/share/lintian/overrides
-22
View File
@@ -1,22 +0,0 @@
usr/share/locale/*/LC_MESSAGES/shadow.mo
usr/share/man/*/man1/login.1
usr/share/man/*/man1/newgrp.1
usr/share/man/*/man1/sg.1
usr/share/man/*/man5/faillog.5
usr/share/man/*/man5/login.defs.5
usr/share/man/*/man8/faillog.8
usr/share/man/*/man8/lastlog.8
usr/share/man/*/man8/nologin.8
usr/share/man/man1/login.1
usr/share/man/man1/newgrp.1
usr/share/man/man1/sg.1
usr/share/man/man5/faillog.5
usr/share/man/man5/login.defs.5
usr/share/man/man8/faillog.8
usr/share/man/man8/lastlog.8
usr/share/man/man8/nologin.8
usr/sbin/nologin
usr/bin/faillog
usr/bin/lastlog
usr/bin/newgrp
bin/login
-1
View File
@@ -1 +0,0 @@
usr/bin/newgrp usr/bin/sg
-3
View File
@@ -1,3 +0,0 @@
login: setuid-binary usr/bin/newgrp 4755 root/root
login: setuid-binary bin/su 4755 root/root
login: possible-missing-colon-in-closes l667:closes bug 336321
-116
View File
@@ -1,116 +0,0 @@
#
# The PAM configuration file for the Shadow `login' service
#
# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth optional pam_faildelay.so delay=3000000
# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth required pam_issue.so issue=/etc/issue
# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
#
# With the default control of this module:
# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
# root will not be prompted for a password on insecure lines.
# if an invalid username is entered, a password is prompted (but login
# will eventually be rejected)
#
# You can change it to a "requisite" module if you think root may mis-type
# her login and should not be prompted for a password in that case. But
# this will leave the system as vulnerable to user enumeration attacks.
#
# You can change it to a "required" module if you think it permits to
# guess valid user names of your system (invalid user names are considered
# as possibly being root on insecure lines), but root passwords may be
# communicated over insecure lines.
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth requisite pam_nologin.so
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible
# that a module could execute code in the wrong domain.
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Sets the loginuid process attribute
session required pam_loginuid.so
# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session required pam_env.so readenv=1 envfile=/etc/default/locale
# Standard Un*x authentication.
@include common-auth
# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth optional pam_group.so
# Uncomment and edit /etc/security/time.conf if you need to set
# time restraint on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so
# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account required pam_access.so
# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session required pam_limits.so
# Prints the last login info upon successful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session optional pam_lastlog.so
# Prints the message of the day upon successful login.
# (Replaces the `MOTD_FILE' option in login.defs)
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
# Prints the status of the user's mailbox upon successful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
#
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session optional pam_mail.so standard
# Create a new session keyring.
session optional pam_keyinit.so force revoke
# Standard Un*x account and session
@include common-account
@include common-session
@include common-password
-56
View File
@@ -1,56 +0,0 @@
#!/bin/sh
set -e
if test "$1" = configure
then
if test -f /etc/init.d/logoutd
then
if test "$(md5sum /etc/init.d/logoutd)" = "9080f92783dd53f6f2108e698c06bd53 /etc/init.d/logoutd"
then
echo "removing logoutd cruft"
rm /etc/init.d/logoutd
update-rc.d logoutd remove
fi
fi
fi
rm -f /etc/pam.d/login.pre-upgrade 2>/dev/null
if [ "$1" = "configure" ]; then
# Install faillog during initial installs only
if [ "$2" = "" ] && [ ! -f /var/log/faillog ] ; then
touch /var/log/faillog
chown root:root /var/log/faillog
chmod 644 /var/log/faillog
fi
# Create subuid/subgid if missing
if [ ! -e /etc/subuid ]; then
touch /etc/subuid
chown root:root /etc/subuid
chmod 644 /etc/subuid
fi
if [ ! -e /etc/subgid ]; then
touch /etc/subgid
chown root:root /etc/subgid
chmod 644 /etc/subgid
fi
fi
# Create subuid/subgid if missing
if [ ! -e /etc/subuid ]; then
touch /etc/subuid
chown root:root /etc/subuid
chmod 644 /etc/subuid
fi
if [ ! -e /etc/subgid ]; then
touch /etc/subgid
chown root:root /etc/subgid
chmod 644 /etc/subgid
fi
#DEBHELPER#
exit 0
-52
View File
@@ -1,52 +0,0 @@
#! /bin/sh
#
# see: dh_installdeb(1)
set -e
# summary of how this script can be called:
# * <new-preinst> `install'
# * <new-preinst> `install' <old-version>
# * <new-preinst> `upgrade' <old-version>
# * <old-preinst> `abort-upgrade' <new-version>
#
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package
remove_md5() {
if md5sum $1 2>/dev/null |grep -q $2; then
cp $1 $1.pre-upgrade
sed -e '/^[^#][ \t]*assword[ \t]*required[ \t]*pam_unix.so/ s/ md5$//' $1 >$1.post-upgrade \
&& mv $1.post-upgrade $1
fi
}
case "$1" in
install|upgrade)
if [ "x$2" != "x" ] ; then
if dpkg --compare-versions $2 lt 1:4.0.3 ; then
remove_md5 /etc/pam.d/login 5e61c3334e25625fe1fa4d79cf9123ff
fi
fi
;;
abort-upgrade)
;;
*)
echo "preinst called with unknown argument \`$1'" >&2
exit 1
;;
esac
# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.
#DEBHELPER#
exit 0
-61
View File
@@ -1,61 +0,0 @@
#
# The PAM configuration file for the Shadow `su' service
#
# This allows root to su without passwords (normal operation)
auth sufficient pam_rootok.so
# Uncomment this to force users to be a member of group root
# before they can use `su'. You can also add "group=foo"
# to the end of this line if you want to use a group other
# than the default "root" (but this may have side effect of
# denying "root" user, unless she's a member of "foo" or explicitly
# permitted earlier by e.g. "sufficient pam_rootok.so").
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
# auth required pam_wheel.so
# Uncomment this if you want wheel members to be able to
# su without a password.
# auth sufficient pam_wheel.so trust
# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
# auth required pam_wheel.so deny group=nosu
# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on su usage.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so
# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session required pam_env.so readenv=1 envfile=/etc/default/locale
# Defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
#
# "nopen" stands to avoid reporting new mail when su'ing to another user
session optional pam_mail.so nopen
# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session required pam_limits.so
# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session
-8
View File
@@ -1,8 +0,0 @@
# The PAM configuration file for the Shadow 'chage' service
#
# This allows root to change password aging being prompted for a password
auth sufficient pam_rootok.so
# checks for account validity
account required pam_permit.so
-16
View File
@@ -1,16 +0,0 @@
#
# The PAM configuration file for the Shadow `chfn' service
#
# This allows root to change user infomation without being
# prompted for a password
auth sufficient pam_rootok.so
# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session
-5
View File
@@ -1,5 +0,0 @@
# The PAM configuration file for the Shadow 'chpasswd' service
#
@include common-password
-20
View File
@@ -1,20 +0,0 @@
#
# The PAM configuration file for the Shadow `chsh' service
#
# This will not allow a user to change their shell unless
# their current one is listed in /etc/shells. This keeps
# accounts with special shells from changing them.
auth required pam_shells.so
# This allows root to change user shell without being
# prompted for a password
auth sufficient pam_rootok.so
# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session
-9
View File
@@ -1,9 +0,0 @@
#!/bin/sh
cd /var/backups || exit 0
for FILE in passwd group shadow gshadow; do
test -f /etc/$FILE || continue
cmp -s $FILE.bak /etc/$FILE && continue
cp -p /etc/$FILE $FILE.bak && chmod 600 $FILE.bak
done
-2
View File
@@ -1,2 +0,0 @@
usr/share/lintian/overrides
etc/default
-1
View File
@@ -1 +0,0 @@
debian/passwd.expire.cron
-57
View File
@@ -1,57 +0,0 @@
#!/usr/bin/perl
#
# passwd.expire.cron: sample expiry notification script for use as a cronjob
#
# Copyright 1999 by Ben Collins <bcollins@debian.org>, complete rights granted
# for use, distribution, modification, etc.
#
# Usage:
# edit the listed options, including the actual email, then rename to
# /etc/cron.daily/passwd
#
# If your users don't have a valid login shell (ie. they are ftp or mail
# users only), they will need some other way to change their password
# (telnet will work since login will handle password aging, or a poppasswd
# program, if they are mail users).
# <CONFIG> #
# should be same as /etc/adduser.conf
$LOW_UID=1000;
$HIGH_UID=29999;
# this let's the MTA handle the domain,
# set it manually if you want. Make sure
# you also add the @ like "\@domain.com"
$MAIL_DOM="";
# </CONFIG> #
# Set the current day reference
$curdays = int(time() / (60 * 60 * 24));
# Now go through the list
open(SH, "< /etc/shadow");
while (<SH>) {
@shent = split(':', $_);
@userent = getpwnam($shent[0]);
if ($userent[2] >= $LOW_UID && $userent[2] <= $HIGH_UID) {
if ($curdays > $shent[2] + $shent[4] - $shent[5] &&
$shent[4] != -1 && $shent[4] != 0 &&
$shent[5] != -1 && $shent[5] != 0) {
$daysleft = ($shent[2] + $shent[4]) - $curdays;
if ($daysleft == 1) { $days = "day"; } else {$days = "days"; }
if ($daysleft < 0) { next; }
open (MAIL, "| mail -s '[WARNING] account will expire in $daysleft $days' $shent[0]${MAIL_DOM}");
print MAIL <<EOF;
Your account will expire in $daysleft $days. Please change your password before
then or your account will expire
EOF
close (MAIL);
# This makes sure we also get a list of almost expired users
print "$shent[0]'s account will expire in $daysleft days\n";
}
}
@userent = getpwent();
}
-8
View File
@@ -1,8 +0,0 @@
# The PAM configuration file for the Shadow 'groupadd' service
#
# This allows root to add groups without being prompted for a password
auth sufficient pam_rootok.so
# checks for account validity
account required pam_permit.so
-8
View File
@@ -1,8 +0,0 @@
# The PAM configuration file for the Shadow 'groupdel' service
#
# This allows root to remove groups without being prompted for a password
auth sufficient pam_rootok.so
# checks for account validity
account required pam_permit.so
-8
View File
@@ -1,8 +0,0 @@
# The PAM configuration file for the Shadow 'groupmod' service
#
# This allows root to modify groups without being prompted for a password
auth sufficient pam_rootok.so
# checks for account validity
account required pam_permit.so
-80
View File
@@ -1,80 +0,0 @@
usr/bin/chage
usr/bin/chfn
usr/bin/chsh
usr/bin/expiry
usr/bin/gpasswd
usr/bin/passwd
usr/sbin/chpasswd
usr/sbin/chgpasswd
usr/sbin/cppw
usr/sbin/groupadd
usr/sbin/groupdel
usr/sbin/groupmod
usr/sbin/groupmems
usr/sbin/grpck
usr/sbin/grpconv
usr/sbin/grpunconv
usr/sbin/newusers
usr/sbin/pwck
usr/sbin/pwconv
usr/sbin/pwunconv
usr/sbin/useradd
usr/sbin/userdel
usr/sbin/usermod
usr/sbin/vipw
usr/share/man/*/man1/chage.1
usr/share/man/*/man1/chfn.1
usr/share/man/*/man1/chsh.1
usr/share/man/*/man1/expiry.1
usr/share/man/*/man1/gpasswd.1
usr/share/man/*/man1/passwd.1
usr/share/man/*/man5/passwd.5
usr/share/man/*/man5/shadow.5
usr/share/man/*/man5/gshadow.5
usr/share/man/*/man8/chpasswd.8
usr/share/man/*/man8/groupadd.8
usr/share/man/*/man8/groupdel.8
usr/share/man/*/man8/groupmod.8
usr/share/man/*/man8/groupmems.8
usr/share/man/*/man8/grpck.8
usr/share/man/*/man8/grpconv.8
usr/share/man/*/man8/grpunconv.8
usr/share/man/*/man8/newusers.8
usr/share/man/*/man8/pwck.8
usr/share/man/*/man8/pwconv.8
usr/share/man/*/man8/pwunconv.8
usr/share/man/*/man8/useradd.8
usr/share/man/*/man8/userdel.8
usr/share/man/*/man8/usermod.8
usr/share/man/*/man8/vigr.8
usr/share/man/*/man8/vipw.8
usr/share/man/man1/chage.1
usr/share/man/man1/chfn.1
usr/share/man/man1/chsh.1
usr/share/man/man1/expiry.1
usr/share/man/man1/gpasswd.1
usr/share/man/man1/passwd.1
usr/share/man/man5/passwd.5
usr/share/man/man5/shadow.5
usr/share/man/man5/gshadow.5
usr/share/man/man5/subuid.5
usr/share/man/man5/subgid.5
usr/share/man/man5/subgid.5
usr/share/man/man5/subuid.5
usr/share/man/man8/chgpasswd.8
usr/share/man/man8/chpasswd.8
usr/share/man/man8/groupadd.8
usr/share/man/man8/groupdel.8
usr/share/man/man8/groupmod.8
usr/share/man/man8/grpck.8
usr/share/man/man8/grpconv.8
usr/share/man/man8/grpunconv.8
usr/share/man/man8/newusers.8
usr/share/man/man8/pwck.8
usr/share/man/man8/pwconv.8
usr/share/man/man8/pwunconv.8
usr/share/man/man8/useradd.8
usr/share/man/man8/userdel.8
usr/share/man/man8/usermod.8
usr/share/man/man8/vigr.8
usr/share/man/man8/vipw.8
-2
View File
@@ -1,2 +0,0 @@
usr/sbin/vipw usr/sbin/vigr
usr/sbin/cppw usr/sbin/cpgr
-6
View File
@@ -1,6 +0,0 @@
passwd: setgid-binary usr/bin/chage 2755 root/shadow
passwd: setuid-binary usr/bin/chfn 4755 root/root
passwd: setuid-binary usr/bin/chsh 4755 root/root
passwd: setgid-binary usr/bin/expiry 2755 root/shadow
passwd: setuid-binary usr/bin/gpasswd 4755 root/root
passwd: setuid-binary usr/bin/passwd 4755 root/root
-5
View File
@@ -1,5 +0,0 @@
# The PAM configuration file for the Shadow 'newusers' service
#
@include common-password
-6
View File
@@ -1,6 +0,0 @@
#
# The PAM configuration file for the Shadow `passwd' service
#
@include common-password
-44
View File
@@ -1,44 +0,0 @@
#!/bin/sh
set -e
case "$1" in
configure)
# Fix permissions on various log files from old versions of the debian
# installer, some unrelated to passwd but we decided to put the fix
# here since there was no better place. This can safely be removed
# after etch is released.
if dpkg --compare-versions "$2" lt "1:4.0.14-9"; then
for log in /var/log/base-config* \
$(find /var/log/debian-installer/ /var/log/installer/ -type f 2>/dev/null ); do
if [ -e "$log" ]; then
chmod 600 "$log"
fi
done
fi
rm -f /etc/pam.d/passwd.pre-upgrade 2>/dev/null
if ! getent group shadow | grep -q '^shadow:[^:]*:42'
then
groupadd -g 42 shadow || (
cat <<EOF
Group ID 42 has been allocated for the shadow group. You have either
used 42 yourself or created a shadow group with a different ID.
Please correct this problem and reconfigure with ``dpkg --configure passwd''.
Note that both user and group IDs in the range 0-99 are globally
allocated by the Debian project and must be the same on every Debian
system.
EOF
exit 1
)
fi
;;
esac
# Run shadowconfig only on new installs
[ -z "$2" ] && shadowconfig on
#DEBHELPER#
exit 0
-51
View File
@@ -1,51 +0,0 @@
#! /bin/sh
#
# see: dh_installdeb(1)
set -e
# summary of how this script can be called:
# * <new-preinst> `install'
# * <new-preinst> `install' <old-version>
# * <new-preinst> `upgrade' <old-version>
# * <old-preinst> `abort-upgrade' <new-version>
#
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package
remove_md5() {
if md5sum $1 2>/dev/null |grep -q $2; then
cp $1 $1.pre-upgrade
sed -e '/^[^#]*[ \t]*password[ \t]*required[ \t]*pam_unix.so/ s/ md5$//' $1 >$1.post-upgrade \
&& mv $1.post-upgrade $1
fi
}
case "$1" in
install|upgrade)
if [ "x$2" != "x" ] ; then
if dpkg --compare-versions $2 lt 1:4.0.3 ; then
remove_md5 /etc/pam.d/passwd 23a5d1465bbc1e39ca6e0c32f22a75c9
fi
fi
;;
abort-upgrade)
;;
*)
echo "preinst called with unknown argument \`$1'" >&2
exit 1
;;
esac
# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.
#DEBHELPER#
exit 0
-8
View File
@@ -1,8 +0,0 @@
# If a password operation is in progress and we lose power, stale lockfiles
# can be left behind. Clear them on boot.
r! /etc/gshadow.lock
r! /etc/shadow.lock
r! /etc/passwd.lock
r! /etc/group.lock
r! /etc/subuid.lock
r! /etc/subgid.lock
-8
View File
@@ -1,8 +0,0 @@
# The PAM configuration file for the Shadow 'useradd' service
#
# This allows root to add users without being prompted for a password
auth sufficient pam_rootok.so
# checks for account validity
account required pam_permit.so
-8
View File
@@ -1,8 +0,0 @@
# The PAM configuration file for the Shadow 'userdel' service
#
# This allows root to remove users without being prompted for a password
auth sufficient pam_rootok.so
# checks for account validity
account required pam_permit.so
-8
View File
@@ -1,8 +0,0 @@
# The PAM configuration file for the Shadow 'groupdel' service
#
# This allows root to remove groups without being prompted for a password
auth sufficient pam_rootok.so
# checks for account validity
account required pam_permit.so
@@ -1,183 +0,0 @@
From 11fc74ffc7172c587bbd2a6399defbd53eab97c6 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Thu, 15 Feb 2018 23:49:40 +1100
Subject: newgidmap: enforce setgroups=deny if self-mapping a group
This is necessary to match the kernel-side policy of "self-mapping in a
user namespace is fine, but you cannot drop groups" -- a policy that was
created in order to stop user namespaces from allowing trivial privilege
escalation by dropping supplementary groups that were "blacklisted" from
certain paths.
This is the simplest fix for the underlying issue, and effectively makes
it so that unless a user has a valid mapping set in /etc/subgid (which
only administrators can modify) -- and they are currently trying to use
that mapping -- then /proc/$pid/setgroups will be set to deny. This
workaround is only partial, because ideally it should be possible to set
an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow
administrators to further restrict newgidmap(1).
We also don't write anything in the "allow" case because "allow" is the
default, and users may have already written "deny" even if they
technically are allowed to use setgroups. And we don't write anything if
the setgroups policy is already "deny".
Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357
Fixes: CVE-2018-7169
Reported-by: Craig Furman <craig.furman89@gmail.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
src/newgidmap.c | 89 ++++++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 80 insertions(+), 9 deletions(-)
diff --git a/src/newgidmap.c b/src/newgidmap.c
index b1e33513..59a2e75c 100644
--- a/src/newgidmap.c
+++ b/src/newgidmap.c
@@ -46,32 +46,37 @@
*/
const char *Prog;
-static bool verify_range(struct passwd *pw, struct map_range *range)
+
+static bool verify_range(struct passwd *pw, struct map_range *range, bool *allow_setgroups)
{
/* An empty range is invalid */
if (range->count == 0)
return false;
- /* Test /etc/subgid */
- if (have_sub_gids(pw->pw_name, range->lower, range->count))
+ /* Test /etc/subgid. If the mapping is valid then we allow setgroups. */
+ if (have_sub_gids(pw->pw_name, range->lower, range->count)) {
+ *allow_setgroups = true;
return true;
+ }
- /* Allow a process to map its own gid */
- if ((range->count == 1) && (pw->pw_gid == range->lower))
+ /* Allow a process to map its own gid. */
+ if ((range->count == 1) && (pw->pw_gid == range->lower)) {
+ /* noop -- if setgroups is enabled already we won't disable it. */
return true;
+ }
return false;
}
static void verify_ranges(struct passwd *pw, int ranges,
- struct map_range *mappings)
+ struct map_range *mappings, bool *allow_setgroups)
{
struct map_range *mapping;
int idx;
mapping = mappings;
for (idx = 0; idx < ranges; idx++, mapping++) {
- if (!verify_range(pw, mapping)) {
+ if (!verify_range(pw, mapping, allow_setgroups)) {
fprintf(stderr, _( "%s: gid range [%lu-%lu) -> [%lu-%lu) not allowed\n"),
Prog,
mapping->upper,
@@ -89,6 +94,70 @@ static void usage(void)
exit(EXIT_FAILURE);
}
+void write_setgroups(int proc_dir_fd, bool allow_setgroups)
+{
+ int setgroups_fd;
+ char *policy, policy_buffer[4096];
+
+ /*
+ * Default is "deny", and any "allow" will out-rank a "deny". We don't
+ * forcefully write an "allow" here because the process we are writing
+ * mappings for may have already set themselves to "deny" (and "allow"
+ * is the default anyway). So allow_setgroups == true is a noop.
+ */
+ policy = "deny\n";
+ if (allow_setgroups)
+ return;
+
+ setgroups_fd = openat(proc_dir_fd, "setgroups", O_RDWR|O_CLOEXEC);
+ if (setgroups_fd < 0) {
+ /*
+ * If it's an ENOENT then we are on too old a kernel for the setgroups
+ * code to exist. Emit a warning and bail on this.
+ */
+ if (ENOENT == errno) {
+ fprintf(stderr, _("%s: kernel doesn't support setgroups restrictions\n"), Prog);
+ goto out;
+ }
+ fprintf(stderr, _("%s: couldn't open process setgroups: %s\n"),
+ Prog,
+ strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+
+ /*
+ * Check whether the policy is already what we want. /proc/self/setgroups
+ * is write-once, so attempting to write after it's already written to will
+ * fail.
+ */
+ if (read(setgroups_fd, policy_buffer, sizeof(policy_buffer)) < 0) {
+ fprintf(stderr, _("%s: failed to read setgroups: %s\n"),
+ Prog,
+ strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+ if (!strncmp(policy_buffer, policy, strlen(policy)))
+ goto out;
+
+ /* Write the policy. */
+ if (lseek(setgroups_fd, 0, SEEK_SET) < 0) {
+ fprintf(stderr, _("%s: failed to seek setgroups: %s\n"),
+ Prog,
+ strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+ if (dprintf(setgroups_fd, "%s", policy) < 0) {
+ fprintf(stderr, _("%s: failed to setgroups %s policy: %s\n"),
+ Prog,
+ policy,
+ strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+
+out:
+ close(setgroups_fd);
+}
+
/*
* newgidmap - Set the gid_map for the specified process
*/
@@ -103,6 +172,7 @@ int main(int argc, char **argv)
struct stat st;
struct passwd *pw;
int written;
+ bool allow_setgroups = false;
Prog = Basename (argv[0]);
@@ -145,7 +215,7 @@ int main(int argc, char **argv)
(unsigned long) getuid ()));
return EXIT_FAILURE;
}
-
+
/* Get the effective uid and effective gid of the target process */
if (fstat(proc_dir_fd, &st) < 0) {
fprintf(stderr, _("%s: Could not stat directory for target %u\n"),
@@ -177,8 +247,9 @@ int main(int argc, char **argv)
if (!mappings)
usage();
- verify_ranges(pw, ranges, mappings);
+ verify_ranges(pw, ranges, mappings, &allow_setgroups);
+ write_setgroups(proc_dir_fd, allow_setgroups);
write_mapping(proc_dir_fd, ranges, mappings, "gid_map");
sub_gid_close();
--
2.30.2
-142
View File
@@ -1,142 +0,0 @@
From cbfa2ff40ce629f55ddd67e3490c311dfcaa4462 Mon Sep 17 00:00:00 2001
From: Alejandro Colomar <alx@kernel.org>
Date: Sat, 10 Jun 2023 16:20:05 +0200
Subject: gpasswd(1): Fix password leak
How to trigger this password leak?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When gpasswd(1) asks for the new password, it asks twice (as is usual
for confirming the new password). Each of those 2 password prompts
uses agetpass() to get the password. If the second agetpass() fails,
the first password, which has been copied into the 'static' buffer
'pass' via STRFCPY(), wasn't being zeroed.
agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and
can fail for any of the following reasons:
- malloc(3) or readpassphrase(3) failure.
These are going to be difficult to trigger. Maybe getting the system
to the limits of memory utilization at that exact point, so that the
next malloc(3) gets ENOMEM, and possibly even the OOM is triggered.
About readpassphrase(3), ENFILE and EINTR seem the only plausible
ones, and EINTR probably requires privilege or being the same user;
but I wouldn't discard ENFILE so easily, if a process starts opening
files.
- The password is longer than PASS_MAX.
The is plausible with physical access. However, at that point, a
keylogger will be a much simpler attack.
And, the attacker must be able to know when the second password is being
introduced, which is not going to be easy.
How to read the password after the leak?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Provoking the leak yourself at the right point by entering a very long
password is easy, and inspecting the process stack at that point should
be doable. Try to find some consistent patterns.
Then, search for those patterns in free memory, right after the victim
leaks their password.
Once you get the leak, a program should read all the free memory
searching for patterns that gpasswd(1) leaves nearby the leaked
password.
On 6/10/23 03:14, Seth Arnold wrote:
> An attacker process wouldn't be able to use malloc(3) for this task.
> There's a handful of tools available for userspace to allocate memory:
>
> - brk / sbrk
> - mmap MAP_ANONYMOUS
> - mmap /dev/zero
> - mmap some other file
> - shm_open
> - shmget
>
> Most of these return only pages of zeros to a process. Using mmap of an
> existing file, you can get some of the contents of the file demand-loaded
> into the memory space on the first use.
>
> The MAP_UNINITIALIZED flag only works if the kernel was compiled with
> CONFIG_MMAP_ALLOW_UNINITIALIZED. This is rare.
>
> malloc(3) doesn't zero memory, to our collective frustration, but all the
> garbage in the allocations is from previous allocations in the current
> process. It isn't leftover from other processes.
>
> The avenues available for reading the memory:
> - /dev/mem and /dev/kmem (requires root, not available with Secure Boot)
> - /proc/pid/mem (requires ptrace privileges, mediated by YAMA)
> - ptrace (requires ptrace privileges, mediated by YAMA)
> - causing memory to be swapped to disk, and then inspecting the swap
>
> These all require a certain amount of privileges.
How to fix it?
~~~~~~~~~~~~~~
memzero(), which internally calls explicit_bzero(3), or whatever
alternative the system provides with a slightly different name, will
make sure that the buffer is zeroed in memory, and optimizations are not
allowed to impede this zeroing.
This is not really 100% effective, since compilers may place copies of
the string somewhere hidden in the stack. Those copies won't get zeroed
by explicit_bzero(3). However, that's arguably a compiler bug, since
compilers should make everything possible to avoid optimizing strings
that are later passed to explicit_bzero(3). But we all know that
sometimes it's impossible to have perfect knowledge in the compiler, so
this is plausible. Nevertheless, there's nothing we can do against such
issues, except minimizing the time such passwords are stored in plain
text.
Security concerns
~~~~~~~~~~~~~~~~~
We believe this isn't easy to exploit. Nevertheless, and since the fix
is trivial, this fix should probably be applied soon, and backported to
all supported distributions, to prevent someone else having more
imagination than us to find a way.
Affected versions
~~~~~~~~~~~~~~~~~
All. Bug introduced in shadow 19990709. That's the second commit in
the git history.
Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)")
Reported-by: Alejandro Colomar <alx@kernel.org>
Cc: Serge Hallyn <serge@hallyn.com>
Cc: Iker Pedrosa <ipedrosa@redhat.com>
Cc: Seth Arnold <seth.arnold@canonical.com>
Cc: Christian Brauner <christian@brauner.io>
Cc: Balint Reczey <rbalint@debian.org>
Cc: Sam James <sam@gentoo.org>
Cc: David Runge <dvzrv@archlinux.org>
Cc: Andreas Jaeger <aj@suse.de>
Cc: <~hallyn/shadow@lists.sr.ht>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
---
src/gpasswd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/gpasswd.c b/src/gpasswd.c
index c4a492b1..cbbd8068 100644
--- a/src/gpasswd.c
+++ b/src/gpasswd.c
@@ -917,6 +917,7 @@ static void change_passwd (struct group *gr)
strzero (cp);
cp = getpass (_("Re-enter new password: "));
if (NULL == cp) {
+ memzero (pass, sizeof pass);
exit (1);
}
--
2.30.2
-45
View File
@@ -1,45 +0,0 @@
From b42c60bc8f026b250810a75bafe865338d734ec3 Mon Sep 17 00:00:00 2001
From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com>
Date: Thu, 23 Mar 2023 23:39:38 +0000
Subject: Added control character check
Added control character check, returning -1 (to "err") if control characters are present.
---
lib/fields.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/lib/fields.c b/lib/fields.c
index 649fae17..b8f13ba7 100644
--- a/lib/fields.c
+++ b/lib/fields.c
@@ -44,9 +44,9 @@
*
* The supplied field is scanned for non-printable and other illegal
* characters.
- * + -1 is returned if an illegal character is present.
- * + 1 is returned if no illegal characters are present, but the field
- * contains a non-printable character.
+ * + -1 is returned if an illegal or control character is present.
+ * + 1 is returned if no illegal or control characters are present,
+ * but the field contains a non-printable character.
* + 0 is returned otherwise.
*/
int valid_field (const char *field, const char *illegal)
@@ -68,10 +68,13 @@ int valid_field (const char *field, const char *illegal)
}
if (0 == err) {
- /* Search if there are some non-printable characters */
+ /* Search if there are non-printable or control characters */
for (cp = field; '\0' != *cp; cp++) {
if (!isprint (*cp)) {
err = 1;
+ }
+ if (!iscntrl (*cp)) {
+ err = -1;
break;
}
}
--
2.30.2
-61
View File
@@ -1,61 +0,0 @@
From 261c9cd274f07361c304d3993e325fe29d4bad14 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Fri, 31 Mar 2023 14:46:50 +0200
Subject: Overhaul valid_field()
e5905c4b ("Added control character check") introduced checking for
control characters but had the logic inverted, so it rejects all
characters that are not control ones.
Cast the character to `unsigned char` before passing to the character
checking functions to avoid UB.
Use strpbrk(3) for the illegal character test and return early.
---
lib/fields.c | 24 ++++++++++--------------
1 file changed, 10 insertions(+), 14 deletions(-)
diff --git a/lib/fields.c b/lib/fields.c
index b8f13ba7..191257e8 100644
--- a/lib/fields.c
+++ b/lib/fields.c
@@ -60,26 +60,22 @@ int valid_field (const char *field, const char *illegal)
/* For each character of field, search if it appears in the list
* of illegal characters. */
+ if (illegal && NULL != strpbrk (field, illegal)) {
+ return -1;
+ }
+
+ /* Search if there are non-printable or control characters */
for (cp = field; '\0' != *cp; cp++) {
- if (strchr (illegal, *cp) != NULL) {
+ unsigned char c = *cp;
+ if (!isprint (c)) {
+ err = 1;
+ }
+ if (iscntrl (c)) {
err = -1;
break;
}
}
- if (0 == err) {
- /* Search if there are non-printable or control characters */
- for (cp = field; '\0' != *cp; cp++) {
- if (!isprint (*cp)) {
- err = 1;
- }
- if (!iscntrl (*cp)) {
- err = -1;
- break;
- }
- }
- }
-
return err;
}
--
2.30.2
-55
View File
@@ -1,55 +0,0 @@
Goal: Log login failures to the btmp file
Notes:
* I'm not sure login should add an entry in the FTMP file when PAM is used.
(but nothing in /etc/login.defs indicates that the failure is not logged)
Index: shadow-4.4/src/login.c
===================================================================
--- shadow-4.4.orig/src/login.c
+++ shadow-4.4/src/login.c
@@ -834,6 +834,24 @@ int main (int argc, char **argv)
(void) puts ("");
(void) puts (_("Login incorrect"));
+ if (getdef_str("FTMP_FILE") != NULL) {
+#ifdef USE_UTMPX
+ struct utmpx *failent =
+ prepare_utmpx (failent_user,
+ tty,
+ /* FIXME: or fromhost? */hostname,
+ utent);
+#else /* !USE_UTMPX */
+ struct utmp *failent =
+ prepare_utmp (failent_user,
+ tty,
+ hostname,
+ utent);
+#endif /* !USE_UTMPX */
+ failtmp (failent_user, failent);
+ free (failent);
+ }
+
if (failcount >= retries) {
SYSLOG ((LOG_NOTICE,
"TOO MANY LOGIN TRIES (%u)%s FOR '%s'",
Index: shadow-4.4/lib/getdef.c
===================================================================
--- shadow-4.4.orig/lib/getdef.c
+++ shadow-4.4/lib/getdef.c
@@ -57,7 +57,6 @@ struct itemdef {
{"ENVIRON_FILE", NULL}, \
{"ENV_TZ", NULL}, \
{"FAILLOG_ENAB", NULL}, \
- {"FTMP_FILE", NULL}, \
{"ISSUE_FILE", NULL}, \
{"LASTLOG_ENAB", NULL}, \
{"LOGIN_STRING", NULL}, \
@@ -88,6 +87,7 @@ static struct itemdef def_table[] = {
{"ERASECHAR", NULL},
{"FAIL_DELAY", NULL},
{"FAKE_SHELL", NULL},
+ {"FTMP_FILE", NULL},
{"GID_MAX", NULL},
{"GID_MIN", NULL},
{"HUSHLOGIN_FILE", NULL},
-276
View File
@@ -1,276 +0,0 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 401_cppw_src.dpatch by Nicolas FRANCOIS <nicolas.francois@centraliens.net>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Add cppw / cpgr
@DPATCH@
--- /dev/null
+++ b/src/cppw.c
@@ -0,0 +1,238 @@
+/*
+ cppw, cpgr copy with locking given file over the password or group file
+ with -s will copy with locking given file over shadow or gshadow file
+
+ Copyright (C) 1999 Stephen Frost <sfrost@snowman.net>
+
+ Based on vipw, vigr by:
+ Copyright (C) 1997 Guy Maor <maor@ece.utexas.edu>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+ */
+
+#include <config.h>
+#include "defines.h"
+
+#include <errno.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <utime.h>
+#include "exitcodes.h"
+#include "prototypes.h"
+#include "pwio.h"
+#include "shadowio.h"
+#include "groupio.h"
+#include "sgroupio.h"
+
+
+const char *Prog;
+
+const char *filename, *filenewname;
+static bool filelocked = false;
+static int (*unlock) (void);
+
+/* local function prototypes */
+static int create_copy (FILE *fp, const char *dest, struct stat *sb);
+static void cppwexit (const char *msg, int syserr, int ret);
+static void cppwcopy (const char *file,
+ const char *in_file,
+ int (*file_lock) (void),
+ int (*file_unlock) (void));
+
+static int create_copy (FILE *fp, const char *dest, struct stat *sb)
+{
+ struct utimbuf ub;
+ FILE *bkfp;
+ int c;
+ mode_t mask;
+
+ mask = umask (077);
+ bkfp = fopen (dest, "w");
+ (void) umask (mask);
+ if (NULL == bkfp) {
+ return -1;
+ }
+
+ rewind (fp);
+ while ((c = getc (fp)) != EOF) {
+ if (putc (c, bkfp) == EOF) {
+ break;
+ }
+ }
+
+ if ( (c != EOF)
+ || (fflush (bkfp) != 0)) {
+ (void) fclose (bkfp);
+ (void) unlink (dest);
+ return -1;
+ }
+ if ( (fsync (fileno (bkfp)) != 0)
+ || (fclose (bkfp) != 0)) {
+ (void) unlink (dest);
+ return -1;
+ }
+
+ ub.actime = sb->st_atime;
+ ub.modtime = sb->st_mtime;
+ if ( (utime (dest, &ub) != 0)
+ || (chmod (dest, sb->st_mode) != 0)
+ || (chown (dest, sb->st_uid, sb->st_gid) != 0)) {
+ (void) unlink (dest);
+ return -1;
+ }
+ return 0;
+}
+
+static void cppwexit (const char *msg, int syserr, int ret)
+{
+ int err = errno;
+ if (filelocked) {
+ (*unlock) ();
+ }
+ if (NULL != msg) {
+ fprintf (stderr, "%s: %s", Prog, msg);
+ if (0 != syserr) {
+ fprintf (stderr, ": %s", strerror (err));
+ }
+ (void) fputs ("\n", stderr);
+ }
+ if (NULL != filename) {
+ fprintf (stderr, _("%s: %s is unchanged\n"), Prog, filename);
+ } else {
+ fprintf (stderr, _("%s: no changes\n"), Prog);
+ }
+
+ exit (ret);
+}
+
+static void cppwcopy (const char *file,
+ const char *in_file,
+ int (*file_lock) (void),
+ int (*file_unlock) (void))
+{
+ struct stat st1;
+ FILE *f;
+ char filenew[1024];
+
+ snprintf (filenew, sizeof filenew, "%s.new", file);
+ unlock = file_unlock;
+ filename = file;
+ filenewname = filenew;
+
+ if (access (file, F_OK) != 0) {
+ cppwexit (file, 1, 1);
+ }
+ if (file_lock () == 0) {
+ cppwexit (_("Couldn't lock file"), 0, 5);
+ }
+ filelocked = true;
+
+ /* file to copy has same owners, perm */
+ if (stat (file, &st1) != 0) {
+ cppwexit (file, 1, 1);
+ }
+ f = fopen (in_file, "r");
+ if (NULL == f) {
+ cppwexit (in_file, 1, 1);
+ }
+ if (create_copy (f, filenew, &st1) != 0) {
+ cppwexit (_("Couldn't make copy"), errno, 1);
+ }
+
+ /* XXX - here we should check filenew for errors; if there are any,
+ * fail w/ an appropriate error code and let the user manually fix
+ * it. Use pwck or grpck to do the check. - Stephen (Shamelessly
+ * stolen from '--marekm's comment) */
+
+ if (rename (filenew, file) != 0) {
+ fprintf (stderr, _("%s: can't copy %s: %s)\n"),
+ Prog, filenew, strerror (errno));
+ cppwexit (NULL,0,1);
+ }
+
+ (*file_unlock) ();
+}
+
+int main (int argc, char **argv)
+{
+ int flag;
+ bool cpshadow = false;
+ char *in_file;
+ int e = E_USAGE;
+ bool do_cppw = true;
+
+ (void) setlocale (LC_ALL, "");
+ (void) bindtextdomain (PACKAGE, LOCALEDIR);
+ (void) textdomain (PACKAGE);
+
+ Prog = Basename (argv[0]);
+ if (strcmp (Prog, "cpgr") == 0) {
+ do_cppw = false;
+ }
+
+ while ((flag = getopt (argc, argv, "ghps")) != EOF) {
+ switch (flag) {
+ case 'p':
+ do_cppw = true;
+ break;
+ case 'g':
+ do_cppw = false;
+ break;
+ case 's':
+ cpshadow = true;
+ break;
+ case 'h':
+ e = E_SUCCESS;
+ /*pass through*/
+ default:
+ (void) fputs (_("Usage:\n\
+`cppw <file>' copys over /etc/passwd `cppw -s <file>' copys over /etc/shadow\n\
+`cpgr <file>' copys over /etc/group `cpgr -s <file>' copys over /etc/gshadow\n\
+"), (E_SUCCESS != e) ? stderr : stdout);
+ exit (e);
+ }
+ }
+
+ if (argc != optind + 1) {
+ cppwexit (_("wrong number of arguments, -h for usage"),0,1);
+ }
+
+ in_file = argv[optind];
+
+ if (do_cppw) {
+ if (cpshadow) {
+ cppwcopy (SHADOW_FILE, in_file, spw_lock, spw_unlock);
+ } else {
+ cppwcopy (PASSWD_FILE, in_file, pw_lock, pw_unlock);
+ }
+ } else {
+#ifdef SHADOWGRP
+ if (cpshadow) {
+ cppwcopy (SGROUP_FILE, in_file, sgr_lock, sgr_unlock);
+ } else
+#endif /* SHADOWGRP */
+ {
+ cppwcopy (GROUP_FILE, in_file, gr_lock, gr_unlock);
+ }
+ }
+
+ return 0;
+}
+
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -30,6 +30,7 @@
ubin_PROGRAMS += newgidmap newuidmap
endif
usbin_PROGRAMS = \
+ cppw \
chgpasswd \
chpasswd \
groupadd \
@@ -90,6 +91,7 @@
chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
+cppw_LDADD = $(LDADD) $(LIBSELINUX)
gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -85,6 +85,7 @@
src/chgpasswd.c
src/chpasswd.c
src/chsh.c
+src/cppw.c
src/expiry.c
src/faillog.c
src/gpasswd.c
-64
View File
@@ -1,64 +0,0 @@
Goal: Add selinux support to cppw
Fix:
Status wrt upstream: cppw is not available upstream.
The patch was made based on the
302_vim_selinux_support patch. It needs to be
reviewed by an SE-Linux aware person.
Depends on 401_cppw_src.dpatch
Index: git/src/cppw.c
===================================================================
--- git.orig/src/cppw.c
+++ git/src/cppw.c
@@ -34,6 +34,9 @@
#include <sys/types.h>
#include <signal.h>
#include <utime.h>
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#endif /* WITH_SELINUX */
#include "exitcodes.h"
#include "prototypes.h"
#include "pwio.h"
@@ -139,6 +142,22 @@
if (access (file, F_OK) != 0) {
cppwexit (file, 1, 1);
}
+#ifdef WITH_SELINUX
+ /* if SE Linux is enabled then set the context of all new files
+ * to be the context of the file we are editing */
+ if (is_selinux_enabled () > 0) {
+ security_context_t passwd_context=NULL;
+ int ret = 0;
+ if (getfilecon (file, &passwd_context) < 0) {
+ cppwexit (_("Couldn't get file context"), errno, 1);
+ }
+ ret = setfscreatecon (passwd_context);
+ freecon (passwd_context);
+ if (0 != ret) {
+ cppwexit (_("setfscreatecon () failed"), errno, 1);
+ }
+ }
+#endif /* WITH_SELINUX */
if (file_lock () == 0) {
cppwexit (_("Couldn't lock file"), 0, 5);
}
@@ -167,6 +186,15 @@
cppwexit (NULL,0,1);
}
+#ifdef WITH_SELINUX
+ /* unset the fscreatecon */
+ if (is_selinux_enabled () > 0) {
+ if (setfscreatecon (NULL)) {
+ cppwexit (_("setfscreatecon() failed"), errno, 1);
+ }
+ }
+#endif /* WITH_SELINUX */
+
(*file_unlock) ();
}
-88
View File
@@ -1,88 +0,0 @@
Goal: Re-enable logging and displaying failures on login when login is
compiled with PAM and when FAILLOG_ENAB is set to yes. And create the
faillog file if it does not exist on postinst (as on Woody).
Depends: 008_login_more_LOG_UNKFAIL_ENAB
Fixes: #192849
Note: It could be removed if pam_tally could report the number of failures
preceding a successful login.
Index: shadow-4.4/src/login.c
===================================================================
--- shadow-4.4.orig/src/login.c
+++ shadow-4.4/src/login.c
@@ -131,9 +131,9 @@ static void update_utmp (const char *use
const char *host,
/*@null@*/const struct utmp *utent);
-#ifndef USE_PAM
static struct faillog faillog;
+#ifndef USE_PAM
static void bad_time_notify (void);
static void check_nologin (bool login_to_root);
#else
@@ -794,6 +794,9 @@ int main (int argc, char **argv)
SYSLOG ((LOG_NOTICE,
"TOO MANY LOGIN TRIES (%u)%s FOR '%s'",
failcount, fromhost, failent_user));
+ if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) {
+ failure (pwd->pw_uid, tty, &faillog);
+ }
fprintf (stderr,
_("Maximum number of tries exceeded (%u)\n"),
failcount);
@@ -811,6 +814,14 @@ int main (int argc, char **argv)
pam_strerror (pamh, retcode)));
failed = true;
}
+ if ( (NULL != pwd)
+ && getdef_bool("FAILLOG_ENAB")
+ && ! failcheck (pwd->pw_uid, &faillog, failed)) {
+ SYSLOG((LOG_CRIT,
+ "exceeded failure limit for `%s' %s",
+ failent_user, fromhost));
+ failed = 1;
+ }
if (!failed) {
break;
@@ -834,6 +845,10 @@ int main (int argc, char **argv)
(void) puts ("");
(void) puts (_("Login incorrect"));
+ if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) {
+ failure (pwd->pw_uid, tty, &faillog);
+ }
+
if (getdef_str("FTMP_FILE") != NULL) {
#ifdef USE_UTMPX
struct utmpx *failent =
@@ -1288,6 +1303,7 @@ int main (int argc, char **argv)
*/
#ifndef USE_PAM
motd (); /* print the message of the day */
+#endif
if ( getdef_bool ("FAILLOG_ENAB")
&& (0 != faillog.fail_cnt)) {
failprint (&faillog);
@@ -1300,6 +1316,7 @@ int main (int argc, char **argv)
username, (int) faillog.fail_cnt));
}
}
+#ifndef USE_PAM
if ( getdef_bool ("LASTLOG_ENAB")
&& (ll.ll_time != 0)) {
time_t ll_time = ll.ll_time;
Index: shadow-4.4/lib/getdef.c
===================================================================
--- shadow-4.4.orig/lib/getdef.c
+++ shadow-4.4/lib/getdef.c
@@ -86,6 +86,7 @@ static struct itemdef def_table[] = {
{"ENV_SUPATH", NULL},
{"ERASECHAR", NULL},
{"FAIL_DELAY", NULL},
+ {"FAILLOG_ENAB", NULL},
{"FAKE_SHELL", NULL},
{"FTMP_FILE", NULL},
{"GID_MAX", NULL},
-101
View File
@@ -1,101 +0,0 @@
Goal: Do not hardcode pam_fail_delay and let pam_unix do its
job to set a delay...or not
Fixes: #87648
Status wrt upstream: Forwarded but not applied yet
Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
Index: shadow-4.4/src/login.c
===================================================================
--- shadow-4.4.orig/src/login.c
+++ shadow-4.4/src/login.c
@@ -525,7 +525,6 @@ int main (int argc, char **argv)
#if defined(HAVE_STRFTIME) && !defined(USE_PAM)
char ptime[80];
#endif
- unsigned int delay;
unsigned int retries;
bool subroot = false;
#ifndef USE_PAM
@@ -546,6 +545,7 @@ int main (int argc, char **argv)
pid_t child;
char *pam_user = NULL;
#else
+ unsigned int delay;
struct spwd *spwd = NULL;
#endif
/*
@@ -708,7 +708,6 @@ int main (int argc, char **argv)
}
environ = newenvp; /* make new environment active */
- delay = getdef_unum ("FAIL_DELAY", 1);
retries = getdef_unum ("LOGIN_RETRIES", RETRIES);
#ifdef USE_PAM
@@ -724,8 +723,7 @@ int main (int argc, char **argv)
/*
* hostname & tty are either set to NULL or their correct values,
- * depending on how much we know. We also set PAM's fail delay to
- * ours.
+ * depending on how much we know.
*
* PAM_RHOST and PAM_TTY are used for authentication, only use
* information coming from login or from the caller (e.g. no utmp)
@@ -734,10 +732,6 @@ int main (int argc, char **argv)
PAM_FAIL_CHECK;
retcode = pam_set_item (pamh, PAM_TTY, tty);
PAM_FAIL_CHECK;
-#ifdef HAS_PAM_FAIL_DELAY
- retcode = pam_fail_delay (pamh, 1000000 * delay);
- PAM_FAIL_CHECK;
-#endif
/* if fflg, then the user has already been authenticated */
if (!fflg) {
unsigned int failcount = 0;
@@ -778,12 +772,6 @@ int main (int argc, char **argv)
bool failed = false;
failcount++;
-#ifdef HAS_PAM_FAIL_DELAY
- if (delay > 0) {
- retcode = pam_fail_delay(pamh, 1000000*delay);
- PAM_FAIL_CHECK;
- }
-#endif
retcode = pam_authenticate (pamh, 0);
@@ -1106,14 +1094,17 @@ int main (int argc, char **argv)
free (username);
username = NULL;
+#ifndef USE_PAM
/*
* Wait a while (a la SVR4 /usr/bin/login) before attempting
* to login the user again. If the earlier alarm occurs
* before the sleep() below completes, login will exit.
*/
+ delay = getdef_unum ("FAIL_DELAY", 1);
if (delay > 0) {
(void) sleep (delay);
}
+#endif
(void) puts (_("Login incorrect"));
Index: shadow-4.4/lib/getdef.c
===================================================================
--- shadow-4.4.orig/lib/getdef.c
+++ shadow-4.4/lib/getdef.c
@@ -85,7 +85,6 @@ static struct itemdef def_table[] = {
{"ENV_PATH", NULL},
{"ENV_SUPATH", NULL},
{"ERASECHAR", NULL},
- {"FAIL_DELAY", NULL},
{"FAILLOG_ENAB", NULL},
{"FAKE_SHELL", NULL},
{"FTMP_FILE", NULL},
-60
View File
@@ -1,60 +0,0 @@
Goal: save the [g]shadow files with the 'shadow' group and mode 0440
Fixes: #166793
--- a/lib/commonio.c
+++ b/lib/commonio.c
@@ -44,6 +44,7 @@
#include <errno.h>
#include <stdio.h>
#include <signal.h>
+#include <grp.h>
#include "nscd.h"
#ifdef WITH_TCB
#include <tcb.h>
@@ -963,12 +964,23 @@
goto fail;
}
} else {
+ struct group *grp;
/*
* Default permissions for new [g]shadow files.
*/
sb.st_mode = db->st_mode;
sb.st_uid = db->st_uid;
sb.st_gid = db->st_gid;
+
+ /*
+ * Try to retrieve the shadow's GID, and fall back to GID 0.
+ */
+ if (sb.st_gid == 0) {
+ if ((grp = getgrnam("shadow")) != NULL)
+ sb.st_gid = grp->gr_gid;
+ else
+ sb.st_gid = 0;
+ }
}
snprintf (buf, sizeof buf, "%s+", db->filename);
--- a/lib/sgroupio.c
+++ b/lib/sgroupio.c
@@ -229,7 +229,7 @@
#ifdef WITH_SELINUX
NULL, /* scontext */
#endif
- 0400, /* st_mode */
+ 0440, /* st_mode */
0, /* st_uid */
0, /* st_gid */
NULL, /* head */
--- a/lib/shadowio.c
+++ b/lib/shadowio.c
@@ -105,7 +105,7 @@
#ifdef WITH_SELINUX
NULL, /* scontext */
#endif /* WITH_SELINUX */
- 0400, /* st_mode */
+ 0440, /* st_mode */
0, /* st_uid */
0, /* st_gid */
NULL, /* head */
-201
View File
@@ -1,201 +0,0 @@
Goal: Document the shadowconfig utility
Status wrt upstream: The shadowconfig utility is debian specific.
Its man page also (but it used to be distributed)
Index: git/man/shadowconfig.8
===================================================================
--- /dev/null
+++ git/man/shadowconfig.8
@@ -0,0 +1,41 @@
+.\"Generated by db2man.xsl. Don't modify this, modify the source.
+.de Sh \" Subsection
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.TH "SHADOWCONFIG" 8 "19 Apr 1997" "" ""
+.SH NAME
+shadowconfig \- toggle shadow passwords on and off
+.SH "SYNOPSIS"
+.ad l
+.hy 0
+.HP 13
+\fBshadowconfig\fR \fB\fIon\fR\fR | \fB\fIoff\fR\fR
+.ad
+.hy
+
+.SH "DESCRIPTION"
+
+.PP
+\fBshadowconfig\fR on will turn shadow passwords on; \fIshadowconfig off\fR will turn shadow passwords off\&. \fBshadowconfig\fR will print an error message and exit with a nonzero code if it finds anything awry\&. If that happens, you should correct the error and run it again\&. Turning shadow passwords on when they are already on, or off when they are already off, is harmless\&.
+
+.PP
+Read \fI/usr/share/doc/passwd/README\&.Debian\fR for a brief introduction to shadow passwords and related features\&.
+
+.PP
+Note that turning shadow passwords off and on again will lose all password aging information\&.
+
Index: git/man/shadowconfig.8.xml
===================================================================
--- /dev/null
+++ git/man/shadowconfig.8.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+<refentry id='shadowconfig.8'>
+ <!-- $Id: shadowconfig.8.xml,v 1.6 2005/06/15 12:39:27 kloczek Exp $ -->
+ <refentryinfo>
+ <date>19 Apr 1997</date>
+ </refentryinfo>
+ <refmeta>
+ <refentrytitle>shadowconfig</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class='date'>19 Apr 1997</refmiscinfo>
+ <refmiscinfo class='source'>Debian GNU/Linux</refmiscinfo>
+ </refmeta>
+ <refnamediv id='name'>
+ <refname>shadowconfig</refname>
+ <refpurpose>toggle shadow passwords on and off</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv id='synopsis'>
+ <cmdsynopsis>
+ <command>shadowconfig</command>
+ <group choice='plain'>
+ <arg choice='plain'><replaceable>on</replaceable></arg>
+ <arg choice='plain'><replaceable>off</replaceable></arg>
+ </group>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para><command>shadowconfig</command> on will turn shadow passwords on;
+ <emphasis remap='B'>shadowconfig off</emphasis> will turn shadow
+ passwords off. <command>shadowconfig</command> will print an error
+ message and exit with a nonzero code if it finds anything awry. If
+ that happens, you should correct the error and run it again. Turning
+ shadow passwords on when they are already on, or off when they are
+ already off, is harmless.
+ </para>
+
+ <para>
+ Read <filename>/usr/share/doc/passwd/README.Debian</filename> for a
+ brief introduction
+ to shadow passwords and related features.
+ </para>
+
+ <para>Note that turning shadow passwords off and on again will lose all
+ password
+ aging information.
+ </para>
+ </refsect1>
+</refentry>
Index: git/man/fr/shadowconfig.8
===================================================================
--- /dev/null
+++ git/man/fr/shadowconfig.8
@@ -0,0 +1,26 @@
+.\" This file was generated with po4a. Translate the source file.
+.\"
+.\"$Id: shadowconfig.8,v 1.4 2001/08/23 23:10:48 kloczek Exp $
+.TH SHADOWCONFIG 8 "19 avril 1997" "Debian GNU/Linux"
+.SH NOM
+shadowconfig \- active ou désactive les mots de passe cachés
+.SH SYNOPSIS
+\fBshadowconfig\fP \fIon\fP | \fIoff\fP
+.SH DESCRIPTION
+.PP
+\fBshadowconfig on\fP active les mots de passe cachés («\ shadow passwords\ »)\ ; \fBshadowconfig off\fP les désactive. \fBShadowconfig\fP affiche un message
+d'erreur et quitte avec une valeur de retour non nulle s'il rencontre
+quelque chose d'inattendu. Dans ce cas, vous devrez corriger l'erreur avant
+de recommencer.
+
+Activer les mots de passe cachés lorsqu'ils sont déjà activés, ou les
+désactiver lorsqu'ils ne sont pas actifs est sans effet.
+
+Lisez \fI/usr/share/doc/passwd/README.Debian\fP pour une brève introduction aux
+mots de passe cachés et à leurs fonctionnalités.
+
+Notez que désactiver puis réactiver les mots de passe cachés aura pour
+conséquence la perte des informations d'âge sur les mots de passe.
+.SH TRADUCTION
+Nicolas FRANÇOIS, 2004.
+Veuillez signaler toute erreur à <\fIdebian\-l10\-french@lists.debian.org\fR>.
Index: git/man/ja/shadowconfig.8
===================================================================
--- /dev/null
+++ git/man/ja/shadowconfig.8
@@ -0,0 +1,25 @@
+.\" all right reserved,
+.\" Translated Tue Oct 30 11:59:11 JST 2001
+.\" by Maki KURODA <mkuroda@aisys-jp.com>
+.\"
+.TH SHADOWCONFIG 8 "19 Apr 1997" "Debian GNU/Linux"
+.SH 名前
+shadowconfig \- shadow パスワードの設定をオン及びオフに切替える
+.SH 書式
+.B "shadowconfig"
+.IR on " | " off
+.SH 説明
+.PP
+.B shadowconfig on
+は shadow パスワードを有効にする。
+.B shadowconfig off
+は shadow パスワードを無効にする。
+.B shadowconfig
+は何らかの間違いがあると、エラーメッセージを表示し、
+ゼロではない返り値を返す。
+もしそのようなことが起こった場合、エラーを修正し、再度実行しなければならない。
+shadow パスワードの設定がすでにオンの場合にオンに設定したり、
+すでにオフの場合にオフに設定しても、何の影響もない。
+
+.I /usr/share/doc/passwd/README.debian.gz
+には shadow パスワードとそれに関する特徴の簡単な紹介が書かれている。
Index: git/man/pl/shadowconfig.8
===================================================================
--- /dev/null
+++ git/man/pl/shadowconfig.8
@@ -0,0 +1,27 @@
+.\" $Id: shadowconfig.8,v 1.3 2001/08/23 23:10:51 kloczek Exp $
+.\" {PTM/WK/1999-09-14}
+.TH SHADOWCONFIG 8 "19 kwietnia 1997" "Debian GNU/Linux"
+.SH NAZWA
+shadowconfig - przełącza ochronę haseł i grup przez pliki shadow
+.SH SKŁADNIA
+.B "shadowconfig"
+.IR on " | " off
+.SH OPIS
+.PP
+.B shadowconfig on
+włącza ochronę haseł i grup przez dodatkowe, przesłaniane pliki (shadow);
+.B shadowconfig off
+wyłącza dodatkowe pliki haseł i grup.
+.B shadowconfig
+wyświetla komunikat o błędzie i kończy pracę z niezerowym kodem jeśli
+znajdzie coś nieprawidłowego. W takim wypadku powinieneś poprawić błąd
+.\" if it finds anything awry.
+i uruchomić program ponownie.
+
+Włączenie ochrony haseł, gdy jest ona już włączona lub jej wyłączenie,
+gdy jest wyłączona jest nieszkodliwe.
+
+Przeczytaj
+.IR /usr/share/doc/passwd/README.debian.gz ,
+gdzie znajdziesz krótkie wprowadzenie do ochrony haseł z użyciem dodatkowych
+plików haseł przesłanianych (shadow passwords) i związanych tematów.
-40
View File
@@ -1,40 +0,0 @@
Goal: Recommend using adduser and deluser.
Fixes: #406046
Status wrt upstream: Debian specific patch.
Index: git/man/useradd.8.xml
===================================================================
--- git.orig/man/useradd.8.xml
+++ git/man/useradd.8.xml
@@ -105,6 +105,12 @@
<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
+ <command>useradd</command> is a low level utility for adding
+ users. On Debian, administrators should usually use
+ <citerefentry><refentrytitle>adduser</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> instead.
+ </para>
+ <para>
When invoked without the <option>-D</option> option, the
<command>useradd</command> command creates a new user account using
the values specified on the command line plus the default values from
Index: git/man/userdel.8.xml
===================================================================
--- git.orig/man/userdel.8.xml
+++ git/man/userdel.8.xml
@@ -83,6 +83,12 @@
<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
+ <command>userdel</command> is a low level utility for removing
+ users. On Debian, administrators should usually use
+ <citerefentry><refentrytitle>deluser</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> instead.
+ </para>
+ <para>
The <command>userdel</command> command modifies the system account
files, deleting all entries that refer to the user name <emphasis
remap='I'>LOGIN</emphasis>. The named user must exist.
-106
View File
@@ -1,106 +0,0 @@
Goal: Relaxed usernames/groupnames checking patch.
Status wrt upstream: Debian specific. Not to be used upstream
Details:
Allows any non-empty user/grounames that don't contain ':', ',' or '\n'
characters and don't start with '-', '+', or '~'. This patch is more
restrictive than original Karl's version. closes: #264879
Also closes: #377844
Comments from Karl Ramm (shadow 1:4.0.3-9, 20 Aug 2003 02:06:50 -0400):
I can't come up with a good justification as to why characters other
than ':'s and '\0's should be disallowed in group and usernames (other
than '-' as the leading character). Thus, the maintenance tools don't
anymore. closes: #79682, #166798, #171179
Index: git/libmisc/chkname.c
===================================================================
--- git.orig/libmisc/chkname.c
+++ git/libmisc/chkname.c
@@ -48,6 +48,7 @@
static bool is_valid_name (const char *name)
{
+#if 0
/*
* User/group names must match [a-z_][a-z0-9_-]*[$]
*/
@@ -66,6 +67,26 @@
return false;
}
}
+#endif
+ /*
+ * POSIX indicate that usernames are composed of characters from the
+ * portable filename character set [A-Za-z0-9._-], and that the hyphen
+ * should not be used as the first character of a portable user name.
+ *
+ * Allow more relaxed user/group names in Debian -- ^[^-~+:,\s][^:,\s]*$
+ */
+ if ( ('\0' == *name)
+ || ('-' == *name)
+ || ('~' == *name)
+ || ('+' == *name)) {
+ return false;
+ }
+ do {
+ if ((':' == *name) || (',' == *name) || isspace(*name)) {
+ return false;
+ }
+ name++;
+ } while ('\0' != *name);
return true;
}
Index: git/man/useradd.8.xml
===================================================================
--- git.orig/man/useradd.8.xml
+++ git/man/useradd.8.xml
@@ -633,12 +633,20 @@
</para>
<para>
- Usernames must start with a lower case letter or an underscore,
+ It is usually recommended to only use usernames that begin with a lower case letter or an underscore,
followed by lower case letters, digits, underscores, or dashes.
They can end with a dollar sign.
In regular expression terms: [a-z_][a-z0-9_-]*[$]?
</para>
<para>
+ On Debian, the only constraints are that usernames must neither start
+ with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a
+ colon (':'), a comma (','), or a whitespace (space: ' ',
+ end of line: '\n', tabulation: '\t', etc.). Note that using a slash
+ ('/') may break the default algorithm for the definition of the
+ user's home directory.
+ </para>
+ <para>
Usernames may only be up to 32 characters long.
</para>
</refsect1>
Index: git/man/groupadd.8.xml
===================================================================
--- git.orig/man/groupadd.8.xml
+++ git/man/groupadd.8.xml
@@ -256,12 +256,18 @@
<refsect1 id='caveats'>
<title>CAVEATS</title>
<para>
- Groupnames must start with a lower case letter or an underscore,
+ It is usually recommended to only use groupnames that begin with a lower case letter or an underscore,
followed by lower case letters, digits, underscores, or dashes.
They can end with a dollar sign.
In regular expression terms: [a-z_][a-z0-9_-]*[$]?
</para>
<para>
+ On Debian, the only constraints are that groupnames must neither start
+ with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a
+ colon (':'), a comma (','), or a whitespace (space:' ',
+ end of line: '\n', tabulation: '\t', etc.).
+ </para>
+ <para>
Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
</para>
<para>
-18
View File
@@ -1,18 +0,0 @@
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -24,7 +24,6 @@
# $prefix/bin and $prefix/sbin, no install-data hacks...)
bin_PROGRAMS = groups login su
-sbin_PROGRAMS = nologin
ubin_PROGRAMS = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd
if ENABLE_SUBIDS
ubin_PROGRAMS += newgidmap newuidmap
@@ -42,6 +41,7 @@
grpunconv \
logoutd \
newusers \
+ nologin \
pwck \
pwconv \
pwunconv \
-43
View File
@@ -1,43 +0,0 @@
Goal: accepts the -O flag for backward compatibility. (was used by adduser?)
Note: useradd.8 needs to be regenerated.
Status wrt upstream: not included as this is just specific
backward compatibility for Debian
--- a/man/useradd.8.xml
+++ b/man/useradd.8.xml
@@ -329,6 +329,11 @@
databases are reset to avoid reusing the entry from a previously
deleted user.
</para>
+ <para>
+ For the compatibility with previous Debian's
+ <command>useradd</command>, the <option>-O</option> option is
+ also supported.
+ </para>
</listitem>
</varlistentry>
<varlistentry>
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -1059,9 +1059,9 @@
};
while ((c = getopt_long (argc, argv,
#ifdef WITH_SELINUX
- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:UZ:",
+ "b:c:d:De:f:g:G:hk:O:K:lmMNop:rR:s:u:UZ:",
#else /* !WITH_SELINUX */
- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:U",
+ "b:c:d:De:f:g:G:hk:O:K:lmMNop:rR:s:u:U",
#endif /* !WITH_SELINUX */
long_options, NULL)) != -1) {
switch (c) {
@@ -1184,6 +1184,7 @@
kflg = true;
break;
case 'K':
+ case 'O': /* compatibility with previous Debian useradd */
/*
* override login.defs defaults (-K name=value)
* example: -K UID_MIN=100 -K UID_MAX=499
-81
View File
@@ -1,81 +0,0 @@
--- a/debian/passwd.install
+++ b/debian/passwd.install
@@ -9,6 +9,7 @@
usr/sbin/cppw
usr/sbin/groupadd
usr/sbin/groupdel
+usr/sbin/groupmems
usr/sbin/groupmod
usr/sbin/grpck
usr/sbin/grpconv
@@ -33,6 +34,7 @@
usr/share/man/*/man8/chpasswd.8
usr/share/man/*/man8/groupadd.8
usr/share/man/*/man8/groupdel.8
+usr/share/man/*/man8/groupmems.8
usr/share/man/*/man8/groupmod.8
usr/share/man/*/man8/grpck.8
usr/share/man/*/man8/grpconv.8
@@ -59,6 +61,7 @@
usr/share/man/man8/chpasswd.8
usr/share/man/man8/groupadd.8
usr/share/man/man8/groupdel.8
+usr/share/man/man8/groupmems.8
usr/share/man/man8/groupmod.8
usr/share/man/man8/grpck.8
usr/share/man/man8/grpconv.8
--- a/debian/passwd.postinst
+++ b/debian/passwd.postinst
@@ -31,6 +31,24 @@
exit 1
)
fi
+ if ! getent group groupmems | grep -q '^groupmems:[^:]*:99'
+ then
+ groupadd -g 99 groupmems || (
+ cat <<EOF
+************************ TESTSUITE *****************************
+Group ID 99 has been allocated for the groupmems group. You have either
+used 99 yourself or created a groupmems group with a different ID.
+Please correct this problem and reconfigure with ``dpkg --configure passwd''.
+
+Note that both user and group IDs in the range 0-99 are globally
+allocated by the Debian project and must be the same on every Debian
+system.
+EOF
+ exit 1
+ )
+# FIXME
+ chgrp groupmems /usr/sbin/groupmems
+ fi
;;
esac
--- a/debian/rules
+++ b/debian/rules
@@ -60,6 +60,7 @@
dh_installpam -p passwd --name=chsh
dh_installpam -p passwd --name=chpasswd
dh_installpam -p passwd --name=newusers
+ dh_installpam -p passwd --name=groupmems
ifeq ($(DEB_HOST_ARCH_OS),hurd)
# login is not built on The Hurd, but some utilities of passwd depends on
# /etc/login.defs.
@@ -87,3 +88,6 @@
chgrp shadow debian/passwd/usr/bin/expiry
chmod g+s debian/passwd/usr/bin/chage
chmod g+s debian/passwd/usr/bin/expiry
+ chgrp groupmems debian/passwd/usr/sbin/groupmems
+ chmod u+s debian/passwd/usr/sbin/groupmems
+ chmod o-x debian/passwd/usr/sbin/groupmems
--- /dev/null
+++ b/debian/passwd.groupmems.pam
@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'groupmod' service
+#
+
+# This allows root to modify groups without being prompted for a password
+auth sufficient pam_rootok.so
+
+@include common-auth
+@include common-account
-76
View File
@@ -1,76 +0,0 @@
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -1,6 +1,8 @@
AUTOMAKE_OPTIONS = 1.0 foreign
+CFLAGS += -fprofile-arcs -ftest-coverage
+
DEFS =
noinst_LTLIBRARIES = libshadow.la
--- a/libmisc/Makefile.am
+++ b/libmisc/Makefile.am
@@ -1,6 +1,8 @@
EXTRA_DIST = .indent.pro xgetXXbyYY.c
+CFLAGS += -fprofile-arcs -ftest-coverage
+
INCLUDES = -I$(top_srcdir)/lib
noinst_LIBRARIES = libmisc.a
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -7,6 +7,8 @@
suidperms = 4755
sgidperms = 2755
+CFLAGS += -fprofile-arcs -ftest-coverage
+
INCLUDES = \
-I${top_srcdir}/lib \
-I$(top_srcdir)/libmisc
--- a/debian/rules
+++ b/debian/rules
@@ -40,6 +40,12 @@
endif
export CFLAGS
+clean:: clean_gcov
+
+clean_gcov:
+ find . -name "*.gcda" -delete
+ find . -name "*.gcno" -delete
+
# Add extras to the install process:
binary-install/login::
dh_installpam -p login
--- a/lib/defines.h
+++ b/lib/defines.h
@@ -174,23 +174,9 @@
trust the formatted time received from the unix domain (or worse,
UDP) socket. -MM */
/* Avoid translated PAM error messages: Set LC_ALL to "C".
+ * This is disabled for coverage testing
* --Nekral */
-#define SYSLOG(x) \
- do { \
- char *old_locale = setlocale (LC_ALL, NULL); \
- char *saved_locale = NULL; \
- if (NULL != old_locale) { \
- saved_locale = strdup (old_locale); \
- } \
- if (NULL != saved_locale) { \
- (void) setlocale (LC_ALL, "C"); \
- } \
- syslog x ; \
- if (NULL != saved_locale) { \
- (void) setlocale (LC_ALL, saved_locale); \
- free (saved_locale); \
- } \
- } while (false)
+#define SYSLOG(x) syslog x
#else /* !ENABLE_NLS */
#define SYSLOG(x) syslog x
#endif /* !ENABLE_NLS */
-22
View File
@@ -1,22 +0,0 @@
Small intro to the system for numbering the patches here...
-The 00xx-... patches are forwarded to upstream's git repository
-The 0xx_... series of patches are patches isolated from the latest
version of the shadow Debian package not using quilt in order to
separate upstream from Debian-specific stuff.
NO MORE PATCHES SHOULD BE ADDED IN THESE SERIES
-The 4xx series are patches which have been applied to Debian's shadow
and have NOT been accepted and/or applied upstream. These patches MUST be kept
even after resynced with upstream
-The 5xx series are patches which are applied to Debian's shadow
and will never be proposed upstream because they're too specific
This list SHOULD BE AS SHORT AS POSSIBLE
In short, while we are working towards synchronisation with upstream,
our goal is to make 0xx patches disappear by moving them either to 3xx
series (things already implemented upstream) or to 4xx series
(Debian-specific patches).
-20
View File
@@ -1,20 +0,0 @@
# These patches are only for the testsuite:
#900_testsuite_groupmems
#901_testsuite_gcov
503_shadowconfig.8
008_login_log_failure_in_FTMP
429_login_FAILLOG_ENAB
401_cppw_src.dpatch
# 402 should be merged in 401, but should be reviewed by SE Linux experts first
402_cppw_selinux
506_relaxed_usernames
542_useradd-O_option
463_login_delay_obeys_to_PAM
508_nologin_in_usr_sbin
505_useradd_recommend_adduser
501_commonio_group_shadow
0001-newgidmap-enforce-setgroups-deny-if-self-mapping-a-g.patch
0002-gpasswd-1-Fix-password-leak.patch
0003-Added-control-character-check.patch
0004-Overhaul-valid_field.patch
-96
View File
@@ -1,96 +0,0 @@
#!/usr/bin/make -f
# -*- mode: makefile; coding: utf-8 -*-
DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)
# Enable PIE, BINDNOW, and possible future flags.
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
DPKG_EXPORT_BUILDFLAGS = 1
include /usr/share/dpkg/buildflags.mk
# Call autoreconf since we need to regenerate all the autofoo files
include /usr/share/cdbs/1/rules/autoreconf.mk
include /usr/share/cdbs/1/rules/debhelper.mk
# Specify where dh_install will find the files that it needs to move:
DEB_DH_INSTALL_SOURCEDIR=debian/tmp
# Specify the destination of shadow's "make install"
# (This is only needed on The Hurd, where only one package is built. On
# the other arch, DEB_DESTDIR already points to debian/tmp)
DEB_DESTDIR=$(CURDIR)/debian/tmp
include /usr/share/cdbs/1/class/autotools.mk
# Adds extra options when calling the configure script:
DEB_CONFIGURE_EXTRA_FLAGS := --disable-shared \
--without-libcrack \
--mandir=/usr/share/man \
--with-libpam \
--enable-shadowgrp \
--enable-man \
--disable-account-tools-setuid \
--with-group-name-max-length=32 \
--without-acl \
--without-attr \
--without-tcb \
SHELL=/bin/sh
ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
DEB_CONFIGURE_EXTRA_FLAGS += --host=$(DEB_HOST_GNU_TYPE)
endif
# Set the default editor for vipw/vigr
CFLAGS += -DDEFAULT_EDITOR=\\\"sensible-editor\\\"
# Add extras to the install process:
binary-install/login::
ifeq ($(DEB_HOST_ARCH_OS),hurd)
# /bin/login is provided by the hurd package.
rm -f debian/login/bin/login
endif
ifneq ($(DEB_HOST_ARCH_OS),linux)
sed -i 's/session optional pam_keyinit.so/# Linux only # session optional pam_keyinit.so/' debian/login.pam
endif
dh_installpam -p login
install -c -m 444 debian/login.defs debian/login/etc/login.defs
install -c -m 444 debian/securetty.$(DEB_HOST_ARCH_OS) debian/login/etc/securetty
dh_lintian -p login
binary-install/passwd::
install -c -m 444 man/shadowconfig.8 debian/passwd/usr/share/man/man8
install -c -m 444 man/ja/shadowconfig.8 debian/passwd/usr/share/man/ja/man8
install -c -m 444 man/pl/shadowconfig.8 debian/passwd/usr/share/man/pl/man8
install -c -m 444 man/fr/shadowconfig.8 debian/passwd/usr/share/man/fr/man8
# Distribute the pam.d files; unless for the commands with disabled PAM
# support
dh_installpam -p passwd --name=passwd
dh_installpam -p passwd --name=chfn
dh_installpam -p passwd --name=chsh
dh_installpam -p passwd --name=chpasswd
dh_installpam -p passwd --name=newusers
install -c -m 644 debian/useradd.default debian/passwd/etc/default/useradd
install -d debian/passwd/sbin
install -c -m 555 debian/shadowconfig.sh debian/passwd/sbin/shadowconfig
install -c -m 444 debian/cpgr.8 debian/passwd/usr/share/man/man8
install -c -m 444 debian/cppw.8 debian/passwd/usr/share/man/man8
dh_lintian -p passwd
binary-predeb/uidmap::
chmod u+s debian/uidmap/usr/bin/newuidmap
chmod u+s debian/uidmap/usr/bin/newgidmap
binary-predeb/login::
# No real need for login to be setuid root
# chmod u+s debian/login/bin/login
chmod u+s debian/login/usr/bin/newgrp
binary-predeb/passwd::
chmod u+s debian/passwd/usr/bin/chfn
chmod u+s debian/passwd/usr/bin/chsh
chmod u+s debian/passwd/usr/bin/gpasswd
chmod u+s debian/passwd/usr/bin/passwd
chgrp shadow debian/passwd/usr/bin/chage
chgrp shadow debian/passwd/usr/bin/expiry
chmod g+s debian/passwd/usr/bin/chage
chmod g+s debian/passwd/usr/bin/expiry
clean::
sed -i 's/# Linux only # //' debian/login.pam
-71
View File
@@ -1,71 +0,0 @@
# /etc/securetty: list of terminals on which root is allowed to login.
# See securetty(5) and login(1).
console
# for people with serial port consoles
com0
# Standard consoles
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
tty12
tty13
tty14
tty15
tty16
tty17
tty18
tty19
tty20
tty21
tty22
tty23
tty24
tty25
tty26
tty27
tty28
tty29
tty30
tty31
tty32
tty33
tty34
tty35
tty36
tty37
tty38
tty39
tty40
tty41
tty42
tty43
tty44
tty45
tty46
tty47
tty48
tty49
tty50
tty51
tty52
tty53
tty54
tty55
tty56
tty57
tty58
tty59
tty60
tty61
tty62
tty63
-24
View File
@@ -1,24 +0,0 @@
# /etc/securetty: list of terminals on which root is allowed to login.
# See securetty(5) and login(1).
console
# for people with serial port consoles
ttyd0
ttyd1
# Standard consoles
ttyv0
ttyv1
ttyv2
ttyv3
ttyv4
ttyv5
ttyv6
ttyv7
ttyva
ttyvb
ttyvc
ttyvd
ttyve
ttyvf
-12
View File
@@ -1,12 +0,0 @@
# /etc/securetty: list of terminals on which root is allowed to login.
# See securetty(5) and login(1).
console
# for people with serial port consoles
tty00
# Standard consoles
ttyE0
ttyE1
ttyE2
ttyE3
-412
View File
@@ -1,412 +0,0 @@
# /etc/securetty: list of terminals on which root is allowed to login.
# See securetty(5) and login(1).
console
# Local X displays (allows empty passwords with pam_unix's nullok_secure)
:0
:0.0
:0.1
:1
:1.0
:1.1
:2
:2.0
:2.1
:3
:3.0
:3.1
#...
# ==========================================================
#
# TTYs sorted by major number according to Documentation/devices.txt
#
# ==========================================================
# Virtual consoles
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
tty12
tty13
tty14
tty15
tty16
tty17
tty18
tty19
tty20
tty21
tty22
tty23
tty24
tty25
tty26
tty27
tty28
tty29
tty30
tty31
tty32
tty33
tty34
tty35
tty36
tty37
tty38
tty39
tty40
tty41
tty42
tty43
tty44
tty45
tty46
tty47
tty48
tty49
tty50
tty51
tty52
tty53
tty54
tty55
tty56
tty57
tty58
tty59
tty60
tty61
tty62
tty63
# UART serial ports
ttyS0
ttyS1
ttyS2
ttyS3
ttyS4
ttyS5
#...ttyS191
# Serial Mux devices (Linux/PA-RISC only)
ttyB0
ttyB1
#...
# Chase serial card
ttyH0
ttyH1
#...
# Cyclades serial cards
ttyC0
ttyC1
#...ttyC31
# Digiboard serial cards
ttyD0
ttyD1
#...
# Stallion serial cards
ttyE0
ttyE1
#...ttyE255
# Specialix serial cards
ttyX0
ttyX1
#...
# Comtrol Rocketport serial cards
ttyR0
ttyR1
#...
# SDL RISCom serial cards
ttyL0
ttyL1
#...
# Hayes ESP serial card
ttyP0
ttyP1
#...
# Computone IntelliPort II serial card
ttyF0
ttyF1
#...ttyF255
# Specialix IO8+ serial card
ttyW0
ttyW1
#...
# Comtrol VS-1000 serial controller
ttyV0
ttyV1
#...
# ISI serial card
ttyM0
ttyM1
#...
# Technology Concepts serial card
ttyT0
ttyT1
#...
# Specialix RIO serial card
ttySR0
ttySR1
#...ttySR511
# Chase Research AT/PCI-Fast serial card
ttyCH0
ttyCH1
#...ttyCH63
# Moxa Intellio serial card
ttyMX0
ttyMX1
#...ttyMX127
# SmartIO serial card
ttySI0
ttySI1
#...
# USB dongles
ttyUSB0
ttyUSB1
ttyUSB2
#...
# LinkUp Systems L72xx UARTs
ttyLU0
ttyLU1
ttyLU2
ttyLU3
# StrongARM builtin serial ports
ttySA0
ttySA1
ttySA2
# SCI serial port (SuperH) ports and SC26xx serial ports
ttySC0
ttySC1
ttySC2
ttySC3
ttySC4
ttySC5
ttySC6
ttySC7
ttySC8
ttySC9
# ARM "AMBA" serial ports
ttyAM0
ttyAM1
ttyAM2
ttyAM3
ttyAM4
ttyAM5
ttyAM6
ttyAM7
ttyAM8
ttyAM9
ttyAM10
ttyAM11
ttyAM12
ttyAM13
ttyAM14
ttyAM15
# Embedded ARM AMBA PL011 ports (e.g. emulated by QEMU)
ttyAMA0
ttyAMA1
ttyAMA2
ttyAMA3
# DataBooster serial ports
ttyDB0
ttyDB1
ttyDB2
ttyDB3
ttyDB4
ttyDB5
ttyDB6
ttyDB7
# SGI Altix console ports
ttySG0
# Motorola i.MX ports
ttySMX0
ttySMX1
ttySMX2
# Marvell MPSC ports
ttyMM0
ttyMM1
# PPC CPM (SCC or SMC) ports
ttyCPM0
ttyCPM1
ttyCPM2
ttyCPM3
ttyCPM4
ttyCPM5
# Altix serial cards
ttyIOC0
ttyIOC1
#...ttyIOC31
# NEC VR4100 series SIU
ttyVR0
# NEC VR4100 series SSIU
ttyVR1
# Altix ioc4 serial cards
ttyIOC84
ttyIOC85
#...ttyIOC115
# Altix ioc3 serial cards
ttySIOC0
ttySIOC1
#...ttySIOC31
# PPC PSC ports
ttyPSC0
ttyPSC1
ttyPSC2
ttyPSC3
ttyPSC4
ttyPSC5
# ATMEL serial ports
ttyAT0
ttyAT1
#...ttyAT15
# Hilscher netX serial port
ttyNX0
ttyNX1
#...ttyNX15
# Xilinx uartlite - port
ttyUL0
ttyUL1
ttyUL2
ttyUL3
# Xen virtual console - port 0
xvc0
# pmac_zilog - port
ttyPZ0
ttyPZ1
ttyPZ2
ttyPZ3
# TX39/49 serial port
ttyTX0
ttyTX1
ttyTX2
ttyTX3
ttyTX4
ttyTX5
ttyTX6
ttyTX7
# SC26xx serial ports (see SCI serial ports (SuperH))
# MAX3100 serial ports
ttyMAX0
ttyMAX1
ttyMAX2
ttyMAX3
# OMAP serial ports
ttyO0
ttyO1
ttyO2
ttyO3
# User space serial ports
ttyU0
ttyU1
# A2232 serial card
ttyY0
ttyY1
# IBM 3270 terminal Unix tty access
3270/tty1
3270/tty2
#...
# IBM iSeries/pSeries virtual console
hvc0
hvc1
#...
#IBM pSeries console ports
hvsi0
hvsi1
hvsi2
# Equinox SST multi-port serial boards
ttyEQ0
ttyEQ1
#...ttyEQ1027
# ==========================================================
#
# Not in Documentation/Devices.txt
#
# ==========================================================
# Embedded Freescale i.MX ports
ttymxc0
ttymxc1
ttymxc2
ttymxc3
ttymxc4
ttymxc5
# LXC (Linux Containers)
lxc/console
lxc/tty1
lxc/tty2
lxc/tty3
lxc/tty4
# Serial Console for MIPS Swarm
duart0
duart1
# s390 and s390x ports in LPAR mode
ttysclp0
# ODROID XU4 serial console
ttySAC0
ttySAC1
ttySAC2
ttySAC3
-49
View File
@@ -1,49 +0,0 @@
#!/bin/sh
# turn shadow passwords on or off on a Debian system
set -e
shadowon () {
set -e
pwck -q -r
grpck -r
pwconv
grpconv
chown root:root /etc/passwd /etc/group
chmod 644 /etc/passwd /etc/group
chown root:shadow /etc/shadow /etc/gshadow
chmod 640 /etc/shadow /etc/gshadow
}
shadowoff () {
set -e
pwck -q -r
grpck -r
pwunconv
grpunconv
# sometimes the passwd perms get munged
chown root:root /etc/passwd /etc/group
chmod 644 /etc/passwd /etc/group
}
case "$1" in
"on")
if shadowon ; then
echo Shadow passwords are now on.
else
echo Please correct the error and rerun \`$0 on\'
exit 1
fi
;;
"off")
if shadowoff ; then
echo Shadow passwords are now off.
else
echo Please correct the error and rerun \`$0 off\'
exit 1
fi
;;
*)
echo Usage: $0 on \| off
;;
esac
-1
View File
@@ -1 +0,0 @@
3.0 (quilt)
-4
View File
@@ -1,4 +0,0 @@
usr/bin/newuidmap
usr/bin/newgidmap
usr/share/man/man1/newuidmap.1
usr/share/man/man1/newgidmap.1
-2
View File
@@ -1,2 +0,0 @@
uidmap: setuid-binary usr/bin/newgidmap 4755 root/root
uidmap: setuid-binary usr/bin/newuidmap 4755 root/root
-8196
View File
File diff suppressed because it is too large Load Diff
-37
View File
@@ -1,37 +0,0 @@
# Default values for useradd(8)
#
# The SHELL variable specifies the default login shell on your
# system.
# Similar to DHSELL in adduser. However, we use "sh" here because
# useradd is a low level utility and should be as general
# as possible
SHELL=/bin/sh
#
# The default group for users
# 100=users on Debian systems
# Same as USERS_GID in adduser
# This argument is used when the -n flag is specified.
# The default behavior (when -n and -g are not specified) is to create a
# primary user group with the same name as the user being added to the
# system.
# GROUP=100
#
# The default home directory. Same as DHOME for adduser
# HOME=/home
#
# The number of days after a password expires until the account
# is permanently disabled
# INACTIVE=-1
#
# The default expire date
# EXPIRE=
#
# The SKEL variable specifies the directory containing "skeletal" user
# files; in other words, files such as a sample .profile that will be
# copied to the new user's home directory when it is created.
# SKEL=/etc/skel
#
# Defines whether the mail spool should be created while
# creating the account
# CREATE_MAIL_SPOOL=yes
-4
View File
@@ -1,4 +0,0 @@
version=4
opts="filenamemangle=s%(?:.*?)?v?(\d[\d.]*)\.tar\.gz%shadow-$1.tar.gz%" \
https://github.com/shadow-maint/shadow/tags \
(?:.*?/)?v?(\d[\d.]*)\.tar\.gz debian uupdate
+2
View File
@@ -31,6 +31,8 @@ New ideas to add to this list are welcome, too. --marekm
- new option for /etc/suauth: don't load user's environment (force "su -")
suggested by Ulisses Alonso Camaro
- find out why recent releases won't compile on Solaris
- newusers UID/GID selection algorithm should be the same as useradd
(and use UID_MIN, UID_MAX from login.defs)
- newusers should be able to copy /etc/skel to the new home directory
(like useradd)
- add directories where other packages can add hooks for package-specific
+43 -74
View File
@@ -6,18 +6,16 @@
#
# Delay in seconds before being allowed another attempt after a login failure
# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
# pam_unix(8) enforces a 2s delay)
#
FAIL_DELAY 3
#
# Enable logging and display of /var/log/faillog login(1) failure info.
# Enable logging and display of /var/log/faillog login failure info.
#
FAILLOG_ENAB yes
#
# Enable display of unknown usernames when login(1) failures are recorded.
# Enable display of unknown usernames when login failures are recorded.
#
LOG_UNKFAIL_ENAB no
@@ -27,7 +25,7 @@ LOG_UNKFAIL_ENAB no
LOG_OK_LOGINS no
#
# Enable logging and display of /var/log/lastlog login(1) time info.
# Enable logging and display of /var/log/lastlog login time info.
#
LASTLOG_ENAB yes
@@ -50,13 +48,13 @@ OBSCURE_CHECKS_ENAB yes
PORTTIME_CHECKS_ENAB yes
#
# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field.
# Enable setting of ulimit, umask, and niceness from passwd gecos field.
#
QUOTAS_ENAB yes
#
# Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
# Enable "syslog" logging of su activity - in addition to sulog file logging.
# SYSLOG_SG_ENAB does the same for newgrp and sg.
#
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
@@ -64,13 +62,13 @@ SYSLOG_SG_ENAB yes
#
# If defined, either full pathname of a file containing device names or
# a ":" delimited list of device names. Root logins will be allowed only
# from these devices.
# upon these devices.
#
CONSOLE /etc/securetty
#CONSOLE console:tty01:tty02:tty03:tty04
#
# If defined, all su(1) activity is logged to this file.
# If defined, all su activity is logged to this file.
#
#SULOG_FILE /var/log/sulog
@@ -82,33 +80,33 @@ MOTD_FILE /etc/motd
#MOTD_FILE /etc/motd:/usr/lib/news/news-motd
#
# If defined, this file will be output before each login(1) prompt.
# If defined, this file will be output before each login prompt.
#
#ISSUE_FILE /etc/issue
#
# If defined, file which maps tty line to TERM environment parameter.
# Each line of the file is in a format similar to "vt100 tty01".
# Each line of the file is in a format something like "vt100 tty01".
#
#TTYTYPE_FILE /etc/ttytype
#
# If defined, login(1) failures will be logged here in a utmp format.
# last(1), when invoked as lastb(1), will read /var/log/btmp, so...
# If defined, login failures will be logged here in a utmp format.
# last, when invoked as lastb, will read /var/log/btmp, so...
#
FTMP_FILE /var/log/btmp
#
# If defined, name of file whose presence will inhibit non-root
# logins. The content of this file should be a message indicating
# If defined, name of file whose presence which will inhibit non-root
# logins. The contents of this file should be a message indicating
# why logins are inhibited.
#
NOLOGINS_FILE /etc/nologin
#
# If defined, the command name to display when running "su -". For
# example, if this is defined as "su" then ps(1) will display the
# command as "-su". If not defined, then ps(1) will display the
# example, if this is defined as "su" then a "ps" will display the
# command is "-su". If not defined, then "ps" would display the
# name of the shell actually being run, e.g. something like "-sh".
#
SU_NAME su
@@ -158,10 +156,10 @@ ENV_PATH PATH=/bin:/usr/bin
# TTYGROUP Login tty will be assigned this group ownership.
# TTYPERM Login tty will be set to this permission.
#
# If you have a write(1) program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP as the number of such group
# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
# set TTYPERM to either 622 or 600.
# If you have a "write" program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP to the group number and
# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
# TTYPERM to either 622 or 600.
#
TTYGROUP tty
TTYPERM 0600
@@ -171,6 +169,7 @@ TTYPERM 0600
#
# ERASECHAR Terminal ERASE character ('\010' = backspace).
# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
# UMASK Default "umask" value.
# ULIMIT Default "ulimit" value.
#
# The ERASECHAR and KILLCHAR are used only on System V machines.
@@ -181,16 +180,8 @@ TTYPERM 0600
#
ERASECHAR 0177
KILLCHAR 025
#ULIMIT 2097152
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
# home directories.
# 022 is the default value, but 027, or even 077, could be considered
# for increased privacy. There is no One True Answer here: each sysadmin
# must make up his/her mind.
UMASK 022
#ULIMIT 2097152
#
# Password aging controls:
@@ -214,43 +205,35 @@ PASS_WARN_AGE 7
SU_WHEEL_ONLY no
#
# If compiled with cracklib support, sets the path to the dictionaries
# If compiled with cracklib support, where are the dictionaries
#
CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
#
# Min/max values for automatic uid selection in useradd(8)
# Min/max values for automatic uid selection in useradd
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 101
SYS_UID_MIN 100
SYS_UID_MAX 999
# Extra per user uids
SUB_UID_MIN 100000
SUB_UID_MAX 600100000
SUB_UID_COUNT 65536
#
# Min/max values for automatic gid selection in groupadd(8)
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 1000
GID_MAX 60000
# System accounts
SYS_GID_MIN 101
SYS_GID_MIN 100
SYS_GID_MAX 999
# Extra per user group ids
SUB_GID_MIN 100000
SUB_GID_MAX 600100000
SUB_GID_COUNT 65536
#
# Max number of login(1) retries if password is bad
# Max number of login retries if password is bad
#
LOGIN_RETRIES 5
#
# Max time in seconds for login(1)
# Max time in seconds for login
#
LOGIN_TIMEOUT 60
@@ -272,12 +255,12 @@ PASS_ALWAYS_WARN yes
#PASS_MAX_LEN 8
#
# Require password before chfn(1)/chsh(1) can make any changes.
# Require password before chfn/chsh can make any changes.
#
CHFN_AUTH yes
#
# Which fields may be changed by regular users using chfn(1) - use
# Which fields may be changed by regular users using chfn - use
# any combination of letters "frwh" (full name, room number, work
# phone, home phone). If not defined, no changes are allowed.
# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
@@ -302,13 +285,13 @@ CHFN_RESTRICT rwh
# Note: If you use PAM, it is recommended to use a value consistent with
# the PAM modules configuration.
#
# This variable is deprecated. You should use ENCRYPT_METHOD instead.
# This variable is deprecated. You should use ENCRYPT_METHOD.
#
#MD5_CRYPT_ENAB no
#
# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
# If set to MD5, MD5-based algorithm will be used for encrypting password
# If set to MD5 , MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
# If set to DES, DES-based algorithm will be used for encrypting password (default)
@@ -323,12 +306,12 @@ CHFN_RESTRICT rwh
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
#
# Define the number of SHA rounds.
# With a lot of rounds, it is more difficult to brute-force the password.
# However, more CPU resources will be needed to authenticate users if
# this value is increased.
# With a lot of rounds, it is more difficult to brute forcing the password.
# But note also that it more CPU resources will be needed to authenticate
# users.
#
# If not specified, the libc will choose the default number of rounds (5000).
# The values must be within the 1000-999999999 range.
# The values must be inside the 1000-999999999 range.
# If only one of the MIN or MAX values is set, then this value will be used.
# If MIN > MAX, the highest value will be used.
#
@@ -337,18 +320,18 @@ CHFN_RESTRICT rwh
#
# List of groups to add to the user's supplementary group set
# when logging in from the console (as determined by the CONSOLE
# when logging in on the console (as determined by the CONSOLE
# setting). Default is none.
#
# Use with caution - it is possible for users to gain permanent
# access to these groups, even when not logged in from the console.
# access to these groups, even when not logged in on the console.
# How to do it is left as an exercise for the reader...
#
#CONSOLE_GROUPS floppy:audio:cdrom
#
# Should login be allowed if we can't cd to the home directory?
# Default is no.
# Default in no.
#
DEFAULT_HOME yes
@@ -370,31 +353,17 @@ ENVIRON_FILE /etc/environment
# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
# the same as gid, and username is the same as the primary group name.
#
# This also enables userdel(8) to remove user groups if no members exist.
# This also enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes
#
# If set to a non-zero number, the shadow utilities will make sure that
# If set to a non-nul number, the shadow utilities will make sure that
# groups never have more than this number of users on one line.
# This permits to support split groups (groups split into multiple lines,
# This permit to support split groups (groups split into multiple lines,
# with the same group ID, to avoid limitation of the line length in the
# group file).
#
# 0 is the default value and disables this feature.
#
#MAX_MEMBERS_PER_GROUP 0
#
# If useradd(8) should create home directories for users by default (non
# system users only).
# This option is overridden with the -M or -m flags on the useradd(8)
# command-line.
#
#CREATE_HOME yes
#
# Force use shadow, even if shadow passwd & shadow group files are
# missing.
#
#FORCE_SHADOW yes
+7 -12
View File
@@ -2,21 +2,19 @@
# and also cooperate to make a distribution for `make dist'
pamd_files = \
chfn \
chsh \
groupmems \
login \
passwd \
su
pamd_acct_tools_files = \
chage \
chfn \
chgpasswd \
chpasswd \
chsh \
groupadd \
groupdel \
groupmems \
groupmod \
login \
newusers \
passwd \
su \
useradd \
userdel \
usermod
@@ -24,9 +22,6 @@ pamd_acct_tools_files = \
if USE_PAM
pamddir = $(sysconfdir)/pam.d
pamd_DATA = $(pamd_files)
if ACCT_TOOLS_SETUID
pamd_DATA += $(pamd_acct_tools_files)
endif
endif
EXTRA_DIST = $(pamd_files) $(pamd_acct_tools_files)
EXTRA_DIST = $(pamd_files)
-16
View File
@@ -14,15 +14,9 @@ libshadow_la_SOURCES = \
encrypt.c \
exitcodes.h \
faillog.h \
fields.c \
fputsx.c \
getdef.c \
getdef.h \
get_gid.c \
getlong.c \
get_pid.c \
get_uid.c \
getulong.c \
groupio.c \
groupmem.c \
groupio.h \
@@ -39,26 +33,16 @@ libshadow_la_SOURCES = \
pwio.c \
pwio.h \
pwmem.c \
subordinateio.h \
subordinateio.c \
selinux.c \
semanage.c \
sgetgrent.c \
sgetpwent.c \
sgetspent.c \
sgroupio.c \
sgroupio.h\
shadow.c \
shadowio.c \
shadowio.h \
shadowmem.c \
spawn.c \
utent.c
if WITH_TCB
libshadow_la_SOURCES += tcbfuncs.c tcbfuncs.h
endif
# These files are unneeded for some reason, listed in
# order of appearance:
#
+251 -519
View File
File diff suppressed because it is too large Load Diff
+27 -42
View File
@@ -2,7 +2,7 @@
* Copyright (c) 1990 - 1994, Julianne Frances Haugh
* Copyright (c) 1996 - 2000, Marek Michałkiewicz
* Copyright (c) 2001 - 2005, Tomasz Kłoczko
* Copyright (c) 2007 - 2010, Nicolas François
* Copyright (c) 2007 - 2008, Nicolas François
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -31,24 +31,20 @@
*/
/* $Id$ */
#ifndef COMMONIO_H
#define COMMONIO_H
#ifndef _COMMONIO_H
#define _COMMONIO_H
#ifdef WITH_SELINUX
#include <selinux/selinux.h>
#endif
#include "defines.h" /* bool */
/*
* Linked list entry.
*/
struct commonio_entry {
/*@null@*/char *line;
/*@null@*/void *eptr; /* struct passwd, struct spwd, ... */
/*@dependent@*/ /*@null@*/struct commonio_entry *prev;
/*@owned@*/ /*@null@*/struct commonio_entry *next;
bool changed:1;
char *line;
void *eptr; /* struct passwd, struct spwd, ... */
struct commonio_entry *prev, *next;
unsigned int changed:1;
};
/*
@@ -59,12 +55,12 @@ struct commonio_ops {
* Make a copy of the object (for example, struct passwd)
* and all strings pointed by it, in malloced memory.
*/
/*@null@*/ /*@only@*/void *(*dup) (const void *);
void *(*dup) (const void *);
/*
* free() the object including any strings pointed by it.
*/
void (*free) (/*@out@*/ /*@only@*/void *);
void (*free) (void *);
/*
* Return the name of the object (for example, pw_name
@@ -88,7 +84,7 @@ struct commonio_ops {
* fgets and fputs (can be replaced by versions that
* understand line continuation conventions).
*/
/*@null@*/char *(*fgets) (/*@returned@*/ /*@out@*/char *s, int n, FILE *stream);
char *(*fgets) (char *, int, FILE *);
int (*fputs) (const char *, FILE *);
/*
@@ -97,8 +93,8 @@ struct commonio_ops {
* is open or before it is closed.
* They return 0 on failure and 1 on success.
*/
/*@null@*/int (*open_hook) (void);
/*@null@*/int (*close_hook) (void);
int (*open_hook) (void);
int (*close_hook) (void);
};
/*
@@ -113,58 +109,47 @@ struct commonio_db {
/*
* Operations from above.
*/
/*@observer@*/const struct commonio_ops *ops;
struct commonio_ops *ops;
/*
* Currently open file stream.
*/
/*@dependent@*/ /*@null@*/FILE *fp;
FILE *fp;
#ifdef WITH_SELINUX
/*@null@*/security_context_t scontext;
security_context_t scontext;
#endif
/*
* Default permissions and owner for newly created data file.
*/
mode_t st_mode;
uid_t st_uid;
gid_t st_gid;
/*
* Head, tail, current position in linked list.
*/
/*@owned@*/ /*@null@*/struct commonio_entry *head;
/*@dependent@*/ /*@null@*/struct commonio_entry *tail;
/*@dependent@*/ /*@null@*/struct commonio_entry *cursor;
struct commonio_entry *head, *tail, *cursor;
/*
* Various flags.
*/
bool changed:1;
bool isopen:1;
bool locked:1;
bool readonly:1;
unsigned int changed:1;
unsigned int isopen:1;
unsigned int locked:1;
unsigned int readonly:1;
};
extern int commonio_setname (struct commonio_db *, const char *);
extern bool commonio_present (const struct commonio_db *db);
extern int commonio_present (const struct commonio_db *);
extern int commonio_lock (struct commonio_db *);
extern int commonio_lock_nowait (struct commonio_db *, bool log);
extern int commonio_lock_nowait (struct commonio_db *);
extern int commonio_open (struct commonio_db *, int);
extern /*@observer@*/ /*@null@*/const void *commonio_locate (struct commonio_db *, const char *);
extern const void *commonio_locate (struct commonio_db *, const char *);
extern int commonio_update (struct commonio_db *, const void *);
#ifdef ENABLE_SUBIDS
extern int commonio_append (struct commonio_db *, const void *);
#endif /* ENABLE_SUBIDS */
extern int commonio_remove (struct commonio_db *, const char *);
extern int commonio_rewind (struct commonio_db *);
extern /*@observer@*/ /*@null@*/const void *commonio_next (struct commonio_db *);
extern const void *commonio_next (struct commonio_db *);
extern int commonio_close (struct commonio_db *);
extern int commonio_unlock (struct commonio_db *);
extern void commonio_del_entry (struct commonio_db *,
const struct commonio_entry *);
const struct commonio_entry *);
extern int commonio_sort_wrt (struct commonio_db *shadow,
const struct commonio_db *passwd);
struct commonio_db *passwd);
extern int commonio_sort (struct commonio_db *db,
int (*cmp) (const void *, const void *));
int (*cmp) (const void *, const void *));
#endif
+15 -76
View File
@@ -4,60 +4,29 @@
#ifndef _DEFINES_H_
#define _DEFINES_H_
#if HAVE_STDBOOL_H
# include <stdbool.h>
#else
# if ! HAVE__BOOL
# ifdef __cplusplus
typedef bool _Bool;
# else
typedef unsigned char _Bool;
# endif
# endif
# define bool _Bool
# define false (0)
# define true (1)
# define __bool_true_false_are_defined 1
#endif
#define ISDIGIT_LOCALE(c) (IN_CTYPE_DOMAIN (c) && isdigit (c))
/* Take care of NLS matters. */
#ifdef S_SPLINT_S
extern char *setlocale(int categorie, const char *locale);
# define LC_ALL (6)
extern char * bindtextdomain (const char * domainname, const char * dirname);
extern char * textdomain (const char * domainname);
# define _(Text) Text
# define ngettext(Msgid1, Msgid2, N) \
((N) == 1 ? (const char *) (Msgid1) : (const char *) (Msgid2))
#else
#ifdef HAVE_LOCALE_H
#if HAVE_LOCALE_H
# include <locale.h>
#else
# undef setlocale
# define setlocale(category, locale) (NULL)
# ifndef LC_ALL
# define LC_ALL 6
# endif
#endif
#define gettext_noop(String) (String)
/* #define gettext_def(String) "#define String" */
#ifdef ENABLE_NLS
#if ENABLE_NLS
# include <libintl.h>
# define _(Text) gettext (Text)
#else
# undef bindtextdomain
# define bindtextdomain(Domain, Directory) (NULL)
# define bindtextdomain(Domain, Directory) /* empty */
# undef textdomain
# define textdomain(Domain) (NULL)
# define textdomain(Domain) /* empty */
# define _(Text) Text
# define ngettext(Msgid1, Msgid2, N) \
((N) == 1 ? (const char *) (Msgid1) : (const char *) (Msgid2))
#endif
#endif
#if STDC_HEADERS
# include <stdlib.h>
@@ -167,7 +136,7 @@ char *strchr (), *strrchr (), *strtok ();
/* cleaner than lots of #ifdefs everywhere - use this as follows:
SYSLOG((LOG_CRIT, "user %s cracked root", user)); */
#ifdef ENABLE_NLS
#if ENABLE_NLS
/* Temporarily set LC_TIME to "C" to avoid strange dates in syslog.
This is a workaround for a more general syslog(d) design problem -
syslogd should log the current system time for each event, and not
@@ -177,20 +146,17 @@ char *strchr (), *strrchr (), *strtok ();
* --Nekral */
#define SYSLOG(x) \
do { \
char *old_locale = setlocale (LC_ALL, NULL); \
char *saved_locale = NULL; \
if (NULL != old_locale) { \
saved_locale = strdup (old_locale); \
} \
if (NULL != saved_locale) { \
(void) setlocale (LC_ALL, "C"); \
} \
char *saved_locale = setlocale(LC_ALL, NULL); \
if (saved_locale) \
saved_locale = strdup(saved_locale); \
if (saved_locale) \
setlocale(LC_ALL, "C"); \
syslog x ; \
if (NULL != saved_locale) { \
(void) setlocale (LC_ALL, saved_locale); \
free (saved_locale); \
if (saved_locale) { \
setlocale(LC_ALL, saved_locale); \
free(saved_locale); \
} \
} while (false)
} while (0)
#else /* !ENABLE_NLS */
#define SYSLOG(x) syslog x
#endif /* !ENABLE_NLS */
@@ -337,8 +303,6 @@ extern char *strerror ();
#define SHADOW_PASSWD_STRING "x"
#endif
#define SHADOW_SP_FLAG_UNSET ((unsigned long int)-1)
#ifdef WITH_AUDIT
#ifdef __u8 /* in case we use pam < 0.80 */
#undef __u8
@@ -357,29 +321,4 @@ extern char *strerror ();
# define unused
#endif
/* ! Arguments evaluated twice ! */
#ifndef MIN
#define MIN(a,b) (((a) < (b)) ? (a) : (b))
#endif
#ifndef MAX
#define MAX(x,y) (((x) > (y)) ? (x) : (y))
#endif
/* Maximum length of usernames */
#ifdef HAVE_UTMPX_H
# include <utmpx.h>
# define USER_NAME_MAX_LENGTH (sizeof (((struct utmpx *)NULL)->ut_user))
#else
# include <utmp.h>
# ifdef HAVE_STRUCT_UTMP_UT_USER
# define USER_NAME_MAX_LENGTH (sizeof (((struct utmp *)NULL)->ut_user))
# else
# ifdef HAVE_STRUCT_UTMP_UT_NAME
# define USER_NAME_MAX_LENGTH (sizeof (((struct utmp *)NULL)->ut_name))
# else
# define USER_NAME_MAX_LENGTH 32
# endif
# endif
#endif
#endif /* _DEFINES_H_ */
+15 -17
View File
@@ -2,7 +2,7 @@
* Copyright (c) 1990 - 1993, Julianne Frances Haugh
* Copyright (c) 1996 - 2000, Marek Michałkiewicz
* Copyright (c) 2005 , Tomasz Kłoczko
* Copyright (c) 2007 - 2010, Nicolas François
* Copyright (c) 2007 - 2008, Nicolas François
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -40,26 +40,27 @@
#include "prototypes.h"
#include "defines.h"
/*@exposed@*//*@null@*/char *pw_encrypt (const char *clear, const char *salt)
char *pw_encrypt (const char *clear, const char *salt)
{
static char cipher[128];
char *cp;
cp = crypt (clear, salt);
if (NULL == cp) {
if (!cp) {
/*
* Single Unix Spec: crypt() may return a null pointer,
* and set errno to indicate an error. In this case return
* the NULL so the caller can handle appropriately.
* and set errno to indicate an error. The caller doesn't
* expect us to return NULL, so...
*/
return NULL;
perror ("crypt");
exit (1);
}
/* Some crypt() do not return NULL if the algorithm is not
/* The GNU crypt does not return NULL if the algorithm is not
* supported, and return a DES encrypted password. */
if ((NULL != salt) && (salt[0] == '$') && (strlen (cp) <= 13))
if (salt && salt[0] == '$' && strlen (cp) <= 13)
{
/*@observer@*/const char *method;
const char *method;
switch (salt[1])
{
case '1':
@@ -78,18 +79,15 @@
method = &nummethod[0];
}
}
(void) fprintf (stderr,
_("crypt method not supported by libcrypt? (%s)\n"),
method);
exit (EXIT_FAILURE);
fprintf (stderr,
_("crypt method not supported by libcrypt? (%s)\n"),
method);
exit (1);
}
if (strlen (cp) != 13) {
if (strlen (cp) != 13)
return cp; /* nonstandard crypt() in libc, better bail out */
}
strcpy (cipher, cp);
return cipher;
}
+1 -6
View File
@@ -32,12 +32,7 @@
/*
* Exit codes used by shadow programs
*/
#define E_SUCCESS EXIT_SUCCESS /* success */
/*
* FIXME: other values should differ from EXIT_FAILURE (and EXIT_SUCCESS).
*
* FIXME: reserve EXIT_FAILURE for internal failures.
*/
#define E_SUCCESS 0 /* success */
#define E_NOPERM 1 /* permission denied */
#define E_USAGE 2 /* invalid command syntax */
#define E_BAD_ARG 3 /* invalid argument to option */
+10 -18
View File
@@ -39,29 +39,23 @@
#ident "$Id$"
/*@null@*/char *fgetsx (/*@returned@*/ /*@out@*/char *buf, int cnt, FILE * f)
char *fgetsx (char *buf, int cnt, FILE * f)
{
char *cp = buf;
char *ep;
while (cnt > 0) {
if (fgets (cp, cnt, f) != cp) {
if (cp == buf) {
if (fgets (cp, cnt, f) == 0) {
if (cp == buf)
return 0;
} else {
else
break;
}
}
ep = strrchr (cp, '\\');
if ((NULL != ep) && (*(ep + 1) == '\n')) {
cnt -= ep - cp;
if (cnt > 0) {
cp = ep;
*cp = '\0';
}
} else {
if ((ep = strrchr (cp, '\\')) && *(ep + 1) == '\n') {
if ((cnt -= ep - cp) > 0)
*(cp = ep) = '\0';
} else
break;
}
}
return buf;
}
@@ -70,10 +64,9 @@ int fputsx (const char *s, FILE * stream)
{
int i;
for (i = 0; '\0' != *s; i++, s++) {
if (putc (*s, stream) == EOF) {
for (i = 0; *s; i++, s++) {
if (putc (*s, stream) == EOF)
return EOF;
}
#if 0 /* The standard getgr*() can't handle that. --marekm */
if (i > (BUFSIZ / 2)) {
@@ -87,4 +80,3 @@ int fputsx (const char *s, FILE * stream)
}
return 0;
}
-54
View File
@@ -1,54 +0,0 @@
/*
* Copyright (c) 2009 , Nicolas François
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of the copyright holders or contributors may not be used to
* endorse or promote products derived from this software without
* specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <config.h>
#ident "$Id$"
#include "prototypes.h"
#include "defines.h"
int get_gid (const char *gidstr, gid_t *gid)
{
long long int val;
char *endptr;
errno = 0;
val = strtoll (gidstr, &endptr, 10);
if ( ('\0' == *gidstr)
|| ('\0' != *endptr)
|| (ERANGE == errno)
|| (/*@+longintegral@*/val != (gid_t)val)/*@=longintegral@*/) {
return 0;
}
*gid = (gid_t)val;
return 1;
}
-54
View File
@@ -1,54 +0,0 @@
/*
* Copyright (c) 2009 , Nicolas François
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of the copyright holders or contributors may not be used to
* endorse or promote products derived from this software without
* specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <config.h>
#ident "$Id$"
#include "prototypes.h"
#include "defines.h"
int get_pid (const char *pidstr, pid_t *pid)
{
long long int val;
char *endptr;
errno = 0;
val = strtoll (pidstr, &endptr, 10);
if ( ('\0' == *pidstr)
|| ('\0' != *endptr)
|| (ERANGE == errno)
|| (/*@+longintegral@*/val != (pid_t)val)/*@=longintegral@*/) {
return 0;
}
*pid = (pid_t)val;
return 1;
}
-54
View File
@@ -1,54 +0,0 @@
/*
* Copyright (c) 2009 , Nicolas François
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of the copyright holders or contributors may not be used to
* endorse or promote products derived from this software without
* specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <config.h>
#ident "$Id$"
#include "prototypes.h"
#include "defines.h"
int get_uid (const char *uidstr, uid_t *uid)
{
long long int val;
char *endptr;
errno = 0;
val = strtoll (uidstr, &endptr, 10);
if ( ('\0' == *uidstr)
|| ('\0' != *endptr)
|| (ERANGE == errno)
|| (/*@+longintegral@*/val != (uid_t)val)/*@=longintegral@*/) {
return 0;
}
*uid = (uid_t)val;
return 1;
}

Some files were not shown because too many files have changed in this diff Show More