Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| b0729855e8 |
@@ -1,8 +1,32 @@
|
|||||||
2016-05-17 Serge Hallyn <serge@hallyn.com>
|
2018-04-29 Serge Hallyn <serge@hallyn.com>
|
||||||
|
|
||||||
|
* Release 4.6
|
||||||
|
* Newgrp: avoid unnecessary lookups
|
||||||
|
* Make language less binary
|
||||||
|
* Add error when turning off man switch
|
||||||
|
* Spelling fixes
|
||||||
|
* Make userdel work with -R
|
||||||
|
* newgidmap: enforce setgroups=deny if self-mapping a group
|
||||||
|
* Norwegian bokmål translation
|
||||||
|
* pwck: prevent crash by not passing O_CREAT
|
||||||
|
* WITH_TCB fixes from Mandriva
|
||||||
|
* Fix pwconv and grpconv entry skips
|
||||||
|
* Fix -- slurping in su
|
||||||
|
* add --prefix option
|
||||||
|
|
||||||
|
2017-07-16 Serge Hallyn <serge@hallyn.com>
|
||||||
|
|
||||||
|
* Import new Dutch translations.
|
||||||
|
|
||||||
|
2017-07-10 Serge Hallyn <serge@hallyn.com>
|
||||||
|
|
||||||
|
* Expand error codes for groupmod.
|
||||||
|
|
||||||
|
2017-05-17 Serge Hallyn <serge@hallyn.com>
|
||||||
|
|
||||||
* Release 4.5
|
* Release 4.5
|
||||||
|
|
||||||
2016-05-17 Serge Hallyn <serge@hallyn.com>
|
2017-05-17 Serge Hallyn <serge@hallyn.com>
|
||||||
|
|
||||||
* Patch from Tobias Stoeckmann fixing regression in previous CVE fix
|
* Patch from Tobias Stoeckmann fixing regression in previous CVE fix
|
||||||
preventing SIGTERM to su from being propagated to the job.
|
preventing SIGTERM to su from being propagated to the job.
|
||||||
@@ -10,18 +34,18 @@
|
|||||||
* Merge Russian translation updates from Yuri Kozlov
|
* Merge Russian translation updates from Yuri Kozlov
|
||||||
* Fix missing close of subuid file on error
|
* Fix missing close of subuid file on error
|
||||||
|
|
||||||
2016-02-23 Serge Hallyn <serge@hallyn.com>
|
2017-02-23 Serge Hallyn <serge@hallyn.com>
|
||||||
|
|
||||||
* Merge patch by Tobias Stoeckmann <tobias@stoeckmann.org> to fix
|
* Merge patch by Tobias Stoeckmann <tobias@stoeckmann.org> to fix
|
||||||
the equivalent of util-linux CVE-2017-2616.
|
the equivalent of util-linux CVE-2017-2616.
|
||||||
|
|
||||||
2016-02-08 Serge Hallyn <serge@hallyn.com>
|
2017-02-08 Serge Hallyn <serge@hallyn.com>
|
||||||
|
|
||||||
* Update Kazakh translations
|
* Update Kazakh translations
|
||||||
* Consult configuration before calculating subuids
|
* Consult configuration before calculating subuids
|
||||||
* Remove misplaced semicolon
|
* Remove misplaced semicolon
|
||||||
|
|
||||||
2016-01-29 Serge Hallyn <serge@hallyn.com>
|
2017-01-29 Serge Hallyn <serge@hallyn.com>
|
||||||
|
|
||||||
* Patch from Fedora to improve performance with SSSD, Winbind,
|
* Patch from Fedora to improve performance with SSSD, Winbind,
|
||||||
or nss_ldap. (Tomas Mraz)
|
or nss_ldap. (Tomas Mraz)
|
||||||
|
|||||||
@@ -654,9 +654,9 @@ shadow-4.0.18.2 -> shadow-4.1.0 09-12-2007
|
|||||||
- Use MD5_CRYPT_ENAB, ENCRYPT_METHOD, SHA_CRYPT_MIN_ROUNDS, and
|
- Use MD5_CRYPT_ENAB, ENCRYPT_METHOD, SHA_CRYPT_MIN_ROUNDS, and
|
||||||
SHA_CRYPT_MAX_ROUNDS to define the default encryption algorithm for the
|
SHA_CRYPT_MAX_ROUNDS to define the default encryption algorithm for the
|
||||||
passwords.
|
passwords.
|
||||||
- chpaswd, chgpasswd, newusers: New options -c/--crypt-method and
|
- chpasswd, chgpasswd, newusers: New options -c/--crypt-method and
|
||||||
-s/--sha-rounds to supersede the system default encryption algorithm.
|
-s/--sha-rounds to supersede the system default encryption algorithm.
|
||||||
- chpaswd, chgpasswd, newusers: DES is no more the default algorithm. They
|
- chpasswd, chgpasswd, newusers: DES is no more the default algorithm. They
|
||||||
will respect the system default configured in /etc/login.defs
|
will respect the system default configured in /etc/login.defs
|
||||||
|
|
||||||
*** documentation:
|
*** documentation:
|
||||||
@@ -701,14 +701,14 @@ shadow-4.0.17 -> shadow-4.0.18 01-08-2006
|
|||||||
- groupadd, groupmod, useradd, usermod: fixed UID/GID overflow (fixed
|
- groupadd, groupmod, useradd, usermod: fixed UID/GID overflow (fixed
|
||||||
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198920)
|
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198920)
|
||||||
- passwd, useradd, usermod: fixed inactive/mindays/warndays/maxdays overflow
|
- passwd, useradd, usermod: fixed inactive/mindays/warndays/maxdays overflow
|
||||||
(simillar to RH#198920),
|
(similar to RH#198920),
|
||||||
- groupmems: rewrited for use PAM and getopt_long() and now it is enabled
|
- groupmems: rewritten for use PAM and getopt_long() and now it is enabled
|
||||||
for build and install (patch by George Kraft <gk4@swbell.net>),
|
for build and install (patch by George Kraft <gk4@swbell.net>),
|
||||||
- S/Key: removed assign getpass() to libshadow_getpass() on autoconf level
|
- S/Key: removed assign getpass() to libshadow_getpass() on autoconf level
|
||||||
(patch by Ulrich Mueller <ulm@kph.uni-mainz.de>; http://bugs.gentoo.org/139966),
|
(patch by Ulrich Mueller <ulm@kph.uni-mainz.de>; http://bugs.gentoo.org/139966),
|
||||||
- usermod: back to previous -a option semantics and clarify -a behavior
|
- usermod: back to previous -a option semantics and clarify -a behavior
|
||||||
on documentation level (by Greg Schafer <gschafer@zip.com.au>),
|
on documentation level (by Greg Schafer <gschafer@zip.com.au>),
|
||||||
- chsh, groupmod: rewrited for use getopt_long().
|
- chsh, groupmod: rewritten for use getopt_long().
|
||||||
- updated translations: ca, cs, da, eu, fr, gl, hu, ko, pl, pt, ru, sv, tr, uk, vi.
|
- updated translations: ca, cs, da, eu, fr, gl, hu, ko, pl, pt, ru, sv, tr, uk, vi.
|
||||||
*** documentation:
|
*** documentation:
|
||||||
- fr and ru man pages are up to date,
|
- fr and ru man pages are up to date,
|
||||||
@@ -743,7 +743,7 @@ shadow-4.0.15 -> shadow-4.0.16 05-06-2006
|
|||||||
|
|
||||||
*** general:
|
*** general:
|
||||||
- userdel: better fix for old CERT VU#312962 (which was fixed in shadow 4.0.8):
|
- userdel: better fix for old CERT VU#312962 (which was fixed in shadow 4.0.8):
|
||||||
fixed forgoten checking of the return value from fchown() before
|
fixed forgotten checking of the return value from fchown() before
|
||||||
proceeding with the fchmod() (based on Owl patch prepared by
|
proceeding with the fchmod() (based on Owl patch prepared by
|
||||||
Rafal Wojtczuk <nergal@owl.openwall.com>),
|
Rafal Wojtczuk <nergal@owl.openwall.com>),
|
||||||
- userdel: use login.defs::MAIL_DIR instead hardcoded /var/mail in created
|
- userdel: use login.defs::MAIL_DIR instead hardcoded /var/mail in created
|
||||||
@@ -755,7 +755,7 @@ shadow-4.0.15 -> shadow-4.0.16 05-06-2006
|
|||||||
passwords and libshadow_getpass() is used only because libc getpass()
|
passwords and libshadow_getpass() is used only because libc getpass()
|
||||||
do not handles password prompting with echo enabled,
|
do not handles password prompting with echo enabled,
|
||||||
- move login.defs::MD5_CRYPT_ENAB to non-PAM part,
|
- move login.defs::MD5_CRYPT_ENAB to non-PAM part,
|
||||||
- userdel: rewrited for use getopt_log(),
|
- userdel: rewritten for use getopt_log(),
|
||||||
- install default/template configuration files:
|
- install default/template configuration files:
|
||||||
-- if shadow is configured with use PAM install /etc/pam.d/* files,
|
-- if shadow is configured with use PAM install /etc/pam.d/* files,
|
||||||
-- if shadow do not uses PAM install /etc/{limits,login.acces} files,
|
-- if shadow do not uses PAM install /etc/{limits,login.acces} files,
|
||||||
@@ -793,7 +793,7 @@ shadow-4.0.15 -> shadow-4.0.16 05-06-2006
|
|||||||
- updated ru login.defs(5), passwd(1), userdel(8), usermod(8) man pages,
|
- updated ru login.defs(5), passwd(1), userdel(8), usermod(8) man pages,
|
||||||
- pw_auth(3) man page removed (outdated),
|
- pw_auth(3) man page removed (outdated),
|
||||||
- install limits(5), login.access(5) and porttime(5) man pages only when
|
- install limits(5), login.access(5) and porttime(5) man pages only when
|
||||||
shadow is builded with PAM support disabled,
|
shadow is built with PAM support disabled,
|
||||||
- passwd(1): better document how password strength is checked
|
- passwd(1): better document how password strength is checked
|
||||||
(fixed http://bugs.debian.org/115380),
|
(fixed http://bugs.debian.org/115380),
|
||||||
- usermod(8): added missing -a option description
|
- usermod(8): added missing -a option description
|
||||||
@@ -816,7 +816,7 @@ shadow-4.0.14 -> shadow-4.0.15 13-03-2006
|
|||||||
- login: default UMASK if not specified in login.defs is 022 (pointed by
|
- login: default UMASK if not specified in login.defs is 022 (pointed by
|
||||||
Peter Vrabec <pvrabec@redhat.com>),
|
Peter Vrabec <pvrabec@redhat.com>),
|
||||||
- chgpasswd: new tool (by Jonas Meurer <mejo@debian.org>),
|
- chgpasswd: new tool (by Jonas Meurer <mejo@debian.org>),
|
||||||
- lastlog: print the usage and exit if an additional argument is profided to
|
- lastlog: print the usage and exit if an additional argument is provided to
|
||||||
lastlog (merge 488_laslog_verify_arguments Debian patch),
|
lastlog (merge 488_laslog_verify_arguments Debian patch),
|
||||||
- login, newgrp, nologin, su: do not link with libselinux (merge
|
- login, newgrp, nologin, su: do not link with libselinux (merge
|
||||||
490_link_selinux_only_when_needed Debian patch),
|
490_link_selinux_only_when_needed Debian patch),
|
||||||
@@ -830,9 +830,9 @@ shadow-4.0.14 -> shadow-4.0.15 13-03-2006
|
|||||||
tries exceeded,
|
tries exceeded,
|
||||||
- always prints the number of tries in the syslog entry.
|
- always prints the number of tries in the syslog entry.
|
||||||
- add special handling for PAM_ABORT
|
- add special handling for PAM_ABORT
|
||||||
- add an entry to failog, as when USE_PAM is not defined. (#53164)
|
- add an entry to faillog, as when USE_PAM is not defined. (#53164)
|
||||||
- changed pam_end to PAM_END. This is certainly was a mistake. PAM_END is
|
- changed pam_end to PAM_END. This is certainly was a mistake. PAM_END is
|
||||||
pam_close_seesion + pam_end. Here, the session is still not open, we
|
pam_close_session + pam_end. Here, the session is still not open, we
|
||||||
don't have to close it.
|
don't have to close it.
|
||||||
- a HAVE_PAM_FAIL_DELAY is missing,
|
- a HAVE_PAM_FAIL_DELAY is missing,
|
||||||
- su: fixed pam session support (patch from Topi Miettinen; fixed #57526,
|
- su: fixed pam session support (patch from Topi Miettinen; fixed #57526,
|
||||||
@@ -840,7 +840,7 @@ shadow-4.0.14 -> shadow-4.0.15 13-03-2006
|
|||||||
- userdel: user's group is already removed by update_groups().
|
- userdel: user's group is already removed by update_groups().
|
||||||
remove_group() is not needed (bug introduced in 4.0.14 on merge FC fixes).
|
remove_group() is not needed (bug introduced in 4.0.14 on merge FC fixes).
|
||||||
Fixed by Nicolas François <nicolas.francois@centraliens.net>,
|
Fixed by Nicolas François <nicolas.francois@centraliens.net>,
|
||||||
- useradd: allways remove group and gshadow databases lock, Fixed by Nicolas
|
- useradd: always remove group and gshadow databases lock, Fixed by Nicolas
|
||||||
François <nicolas.francois@centraliens.net>
|
François <nicolas.francois@centraliens.net>
|
||||||
(http://bugs.debian.org/348250)
|
(http://bugs.debian.org/348250)
|
||||||
- auditing fixes:
|
- auditing fixes:
|
||||||
@@ -848,14 +848,14 @@ shadow-4.0.14 -> shadow-4.0.15 13-03-2006
|
|||||||
added audit_logger() prototype),
|
added audit_logger() prototype),
|
||||||
- useradd: fixed excess audit_logger() argument,
|
- useradd: fixed excess audit_logger() argument,
|
||||||
- chage: added missing \n on display password status if password must be
|
- chage: added missing \n on display password status if password must be
|
||||||
chaged,
|
changed,
|
||||||
- useradd: fixed allow non-unique UID (http://bugs.debian.org/351281),
|
- useradd: fixed allow non-unique UID (http://bugs.debian.org/351281),
|
||||||
- variouse code cleanups for make possible compilation of shadow with -Wall
|
- various code cleanups for make possible compilation of shadow with -Wall
|
||||||
-Werror (by Alexander Gattin <xrgtn@yandex.ru>),
|
-Werror (by Alexander Gattin <xrgtn@yandex.ru>),
|
||||||
- su: move exit() outside libmisc/shell.c::shell() for handle shell() errors
|
- su: move exit() outside libmisc/shell.c::shell() for handle shell() errors
|
||||||
on higher level (now is better visable where some programs exit with 126
|
on higher level (now is better visable where some programs exit with 126
|
||||||
and 127 exit codes); added new shell() parameter (char *const envp[])
|
and 127 exit codes); added new shell() parameter (char *const envp[])
|
||||||
which allow fix preserving enviloment in su on using -p, (patch by
|
which allow fix preserving enviroment in su on using -p, (patch by
|
||||||
Alexander Gattin <xrgtn@yandex.ru>),
|
Alexander Gattin <xrgtn@yandex.ru>),
|
||||||
- su: added handle -c,--command option for GNU su compliance (merge
|
- su: added handle -c,--command option for GNU su compliance (merge
|
||||||
437_su_-c_option Debian patch),
|
437_su_-c_option Debian patch),
|
||||||
@@ -903,7 +903,7 @@ shadow-4.0.13 -> shadow-4.0.14 03-01-2006
|
|||||||
- userdel: make the -f option force the removal of the user's group (even if it
|
- userdel: make the -f option force the removal of the user's group (even if it
|
||||||
is the primary group of another user)
|
is the primary group of another user)
|
||||||
(merge 453_userdel_-f_removes_group Debian patch),
|
(merge 453_userdel_-f_removes_group Debian patch),
|
||||||
- usermod: rewrited for use getopt_long() (Christian Perrier <bubulle@kheops.frmug.org>),
|
- usermod: rewritten for use getopt_long() (Christian Perrier <bubulle@kheops.frmug.org>),
|
||||||
- grpck: fixed segmentation fault on using -s when /etc/gshadow is empty (fix by
|
- grpck: fixed segmentation fault on using -s when /etc/gshadow is empty (fix by
|
||||||
Tomasz Lemiech <szpajder@staszic.waw.pl>),
|
Tomasz Lemiech <szpajder@staszic.waw.pl>),
|
||||||
- passwd: remove handle -f, -g and -s options.
|
- passwd: remove handle -f, -g and -s options.
|
||||||
@@ -912,7 +912,7 @@ shadow-4.0.13 -> shadow-4.0.14 03-01-2006
|
|||||||
Nicolas François <nicolas.francois@centraliens.net>)
|
Nicolas François <nicolas.francois@centraliens.net>)
|
||||||
- su: export $USER and $SHELL as well as $HOME (http://bugs.debian.org/11003 and
|
- su: export $USER and $SHELL as well as $HOME (http://bugs.debian.org/11003 and
|
||||||
http://bugs.debian.org/11189),
|
http://bugs.debian.org/11189),
|
||||||
- su, vipw: rewrited for use getopt_long(),
|
- su, vipw: rewritten for use getopt_long(),
|
||||||
- su: log successful/failed through syslog (http://bugs.debian.org/190215),
|
- su: log successful/failed through syslog (http://bugs.debian.org/190215),
|
||||||
- updated translations: ca, cs, da, eu, fi, fr, it, pl, pt, ru, sv, tl, vi,
|
- updated translations: ca, cs, da, eu, fi, fr, it, pl, pt, ru, sv, tl, vi,
|
||||||
- new translations: gl.
|
- new translations: gl.
|
||||||
@@ -946,7 +946,7 @@ shadow-4.0.12 -> shadow-4.0.13 10-10-2005
|
|||||||
|
|
||||||
*** general:
|
*** general:
|
||||||
- chage: removed duplicated pam_start(),
|
- chage: removed duplicated pam_start(),
|
||||||
- chfn, chsh: finished PAM support usin pam_start() and co.,
|
- chfn, chsh: finished PAM support using pam_start() and co.,
|
||||||
- userdel: userdel should not remove the group which is primary for someone else
|
- userdel: userdel should not remove the group which is primary for someone else
|
||||||
(fix by Nicolas François <nicolas.francois@centraliens.net>
|
(fix by Nicolas François <nicolas.francois@centraliens.net>
|
||||||
http://bugs.debian.org/295416),
|
http://bugs.debian.org/295416),
|
||||||
@@ -955,7 +955,7 @@ shadow-4.0.12 -> shadow-4.0.13 10-10-2005
|
|||||||
- fixedlib/commonio.c: don't assume selinux is enabled if is_selinux_enabled()
|
- fixedlib/commonio.c: don't assume selinux is enabled if is_selinux_enabled()
|
||||||
returns -1 (merge isSelinuxEnabled FC patch by Jeremy Katz <katzj@redhat.com>),
|
returns -1 (merge isSelinuxEnabled FC patch by Jeremy Katz <katzj@redhat.com>),
|
||||||
- login, su (non-PAM case): fixed setup max address space limits (added missing break
|
- login, su (non-PAM case): fixed setup max address space limits (added missing break
|
||||||
statement in case) spoted by Lasse Collin <lasse.collin@tukaani.org>,
|
statement in case) spotted by Lasse Collin <lasse.collin@tukaani.org>,
|
||||||
- auditing support added. Patch prepared by Peter Vrabec <pvrabec@redhat.com> basing
|
- auditing support added. Patch prepared by Peter Vrabec <pvrabec@redhat.com> basing
|
||||||
on work by Steve Grubb from http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=159215
|
on work by Steve Grubb from http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=159215
|
||||||
Now auditing support have commands: chage, gpasswd, groupadd, groupdel, groupmod,
|
Now auditing support have commands: chage, gpasswd, groupadd, groupdel, groupmod,
|
||||||
@@ -972,12 +972,12 @@ shadow-4.0.12 -> shadow-4.0.13 10-10-2005
|
|||||||
This will permit to adduser Debian script to detect if chage failed because the
|
This will permit to adduser Debian script to detect if chage failed because the
|
||||||
system doesn't have shadowed passwords (fix for http://bugs.debian.org/317012),
|
system doesn't have shadowed passwords (fix for http://bugs.debian.org/317012),
|
||||||
- merge 010_more-i18ned-messages Debian patch which adds i18n support for few
|
- merge 010_more-i18ned-messages Debian patch which adds i18n support for few
|
||||||
more messages (orginaly patch was prepared by Guillem Jover <guillem@debian.org>),
|
more messages (originally patch was prepared by Guillem Jover <guillem@debian.org>),
|
||||||
- lastlog: added handle -b option which allow print only lastlog records older than
|
- lastlog: added handle -b option which allow print only lastlog records older than
|
||||||
specified DAYS (fix by <miles@lubin.us>),
|
specified DAYS (fix by <miles@lubin.us>),
|
||||||
- chpasswd, gpasswd, newusers: fixed libmisc/salt.c for use login.defs::MD5_CRYPT_ENAB
|
- chpasswd, gpasswd, newusers: fixed libmisc/salt.c for use login.defs::MD5_CRYPT_ENAB
|
||||||
only if PAM support is disabled (fix by John Gatewood Ham <zappaman@buraphalinux.org>),
|
only if PAM support is disabled (fix by John Gatewood Ham <zappaman@buraphalinux.org>),
|
||||||
- passwd: rewrited for use getopt_long(),
|
- passwd: rewritten for use getopt_long(),
|
||||||
- newgrp: when newgrp process sits between parent and child shells, it should
|
- newgrp: when newgrp process sits between parent and child shells, it should
|
||||||
propagate STOPs from child to parent and CONTs from parent to child,
|
propagate STOPs from child to parent and CONTs from parent to child,
|
||||||
otherwise e.g. bash's "suspend" command won't work
|
otherwise e.g. bash's "suspend" command won't work
|
||||||
@@ -987,11 +987,11 @@ shadow-4.0.12 -> shadow-4.0.13 10-10-2005
|
|||||||
- chsh(1), groupadd(8), newusers(8), pwconv(8), useradd(8), userdel(8), usermod(8):
|
- chsh(1), groupadd(8), newusers(8), pwconv(8), useradd(8), userdel(8), usermod(8):
|
||||||
added missing references to /etc/login.defs and login.defs(5)
|
added missing references to /etc/login.defs and login.defs(5)
|
||||||
(Christian Perrier <bubulle@kheops.frmug.org>),
|
(Christian Perrier <bubulle@kheops.frmug.org>),
|
||||||
- passwd(5): rewrited based on work by Greg Wooledge <greg@wooledge.org>
|
- passwd(5): rewritten based on work by Greg Wooledge <greg@wooledge.org>
|
||||||
http://bugs.debian.org/328113
|
http://bugs.debian.org/328113
|
||||||
- login(1): added securetty(5) to SEE ALSO section
|
- login(1): added securetty(5) to SEE ALSO section
|
||||||
(fixed Debian bug http://bugs.debian.org/325773),
|
(fixed Debian bug http://bugs.debian.org/325773),
|
||||||
- groupadd(8), useradd(8): fix regular expression describing alloved login/group
|
- groupadd(8), useradd(8): fix regular expression describing allowed login/group
|
||||||
names (pointed by Nicolas François <nicolas.francois@centraliens.net>)
|
names (pointed by Nicolas François <nicolas.francois@centraliens.net>)
|
||||||
(correct is [a-z_][a-z0-9_-]*[$]),
|
(correct is [a-z_][a-z0-9_-]*[$]),
|
||||||
- groupadd(8), useradd(8): documents in CAVEATS section the limitations shadow
|
- groupadd(8), useradd(8): documents in CAVEATS section the limitations shadow
|
||||||
@@ -1001,9 +1001,9 @@ shadow-4.0.12 -> shadow-4.0.13 10-10-2005
|
|||||||
shadow-4.0.11.1 -> shadow-4.0.12 22-08-2005
|
shadow-4.0.11.1 -> shadow-4.0.12 22-08-2005
|
||||||
|
|
||||||
*** general:
|
*** general:
|
||||||
- newgrp, login: remove using login.defs::CLOSE_SESSIONS variable and allways
|
- newgrp, login: remove using login.defs::CLOSE_SESSIONS variable and always
|
||||||
close PAM session,
|
close PAM session,
|
||||||
- fixed configure.in: realy enable shadow group support by default (pointed by
|
- fixed configure.in: really enable shadow group support by default (pointed by
|
||||||
Greg Schafer <gschafer@zip.com.au> and Peter Vrabec <pvrabec@redhat.com>),
|
Greg Schafer <gschafer@zip.com.au> and Peter Vrabec <pvrabec@redhat.com>),
|
||||||
- login.defs: removed handle QMAIL_DIR variable,
|
- login.defs: removed handle QMAIL_DIR variable,
|
||||||
- login: allow regular user to login on read-only root file system (not only for root)
|
- login: allow regular user to login on read-only root file system (not only for root)
|
||||||
@@ -1028,9 +1028,9 @@ shadow-4.0.11.1 -> shadow-4.0.12 22-08-2005
|
|||||||
period and permit brute-force attacks (fixed http://bugs.debian.org/288827),
|
period and permit brute-force attacks (fixed http://bugs.debian.org/288827),
|
||||||
- uClibc fixes (by Martin Schlemmer <azarah@nosferatu.za.org>):
|
- uClibc fixes (by Martin Schlemmer <azarah@nosferatu.za.org>):
|
||||||
added require ngettext (added [need-ngettext] to AM_GNU_GETTEXT() parameters)
|
added require ngettext (added [need-ngettext] to AM_GNU_GETTEXT() parameters)
|
||||||
and stub prototype for ngettext() in lib/prototypes.h (neccessary if shadow
|
and stub prototype for ngettext() in lib/prototypes.h (necessary if shadow
|
||||||
compiled with disabled NLS support)
|
compiled with disabled NLS support)
|
||||||
- groupadd: rewrited for use getopt_long(),
|
- groupadd: rewritten for use getopt_long(),
|
||||||
- groupadd, groupdel, groupmod, userdel: do OPENLOG() before pam_start(),
|
- groupadd, groupdel, groupmod, userdel: do OPENLOG() before pam_start(),
|
||||||
- groupadd: fixed double OPENLOG(),
|
- groupadd: fixed double OPENLOG(),
|
||||||
- removed lib/{grpack,gspack,pwpack,sppack}.c and prototypes from lib/prototypes.h
|
- removed lib/{grpack,gspack,pwpack,sppack}.c and prototypes from lib/prototypes.h
|
||||||
@@ -1066,7 +1066,7 @@ shadow-4.0.10 -> shadow-4.0.11 18-07-2005
|
|||||||
- su: ignore SIGINT while authenticating. A ^C could defeat the waiting period and
|
- su: ignore SIGINT while authenticating. A ^C could defeat the waiting period and
|
||||||
permit brute-force attacks. Also ignore SIGQUIT.
|
permit brute-force attacks. Also ignore SIGQUIT.
|
||||||
Fixed: http://bugs.debian.org/52372 and http://bugs.debian.org/288827
|
Fixed: http://bugs.debian.org/52372 and http://bugs.debian.org/288827
|
||||||
- useradd: rewrited for use getopt_long(),
|
- useradd: rewritten for use getopt_long(),
|
||||||
- newgrp: add fix for handle splitted NIS groups: extends the functionality that,
|
- newgrp: add fix for handle splitted NIS groups: extends the functionality that,
|
||||||
if the requested group is given, all groups of the same GID are tested for
|
if the requested group is given, all groups of the same GID are tested for
|
||||||
membership of the requesting user.
|
membership of the requesting user.
|
||||||
@@ -1097,7 +1097,7 @@ shadow-4.0.10 -> shadow-4.0.11 18-07-2005
|
|||||||
- updated translations: cs, da, de, es, fi, pl, pt, ro, ru, sk.
|
- updated translations: cs, da, de, es, fi, pl, pt, ro, ru, sk.
|
||||||
*** documentation:
|
*** documentation:
|
||||||
- pwck(8): document -q option (based on Debian patch for fix http://bugs.debian.org/309408)
|
- pwck(8): document -q option (based on Debian patch for fix http://bugs.debian.org/309408)
|
||||||
- pwck(8): rewrited OPTIONS section and better SYNOPSIS,
|
- pwck(8): rewritten OPTIONS section and better SYNOPSIS,
|
||||||
- lastlog(8): document that lastlog is a sparse file, and don't need to be rotated
|
- lastlog(8): document that lastlog is a sparse file, and don't need to be rotated
|
||||||
http://bugs.debian.org/219321
|
http://bugs.debian.org/219321
|
||||||
- login(8): better explain the respective roles of login, init and getty with regards
|
- login(8): better explain the respective roles of login, init and getty with regards
|
||||||
@@ -1111,12 +1111,12 @@ shadow-4.0.9 -> shadow-4.0.10 28-06-2005
|
|||||||
|
|
||||||
*** general:
|
*** general:
|
||||||
- mkpasswd: removed,
|
- mkpasswd: removed,
|
||||||
- userdel: now deletes user groups from /etc/gshdow as well as /etc/group.
|
- userdel: now deletes user groups from /etc/gshadow as well as /etc/group.
|
||||||
Fix by Nicolas François <nicolas.francois@centraliens.net>.
|
Fix by Nicolas François <nicolas.francois@centraliens.net>.
|
||||||
http://bugs.debian.org/99442
|
http://bugs.debian.org/99442
|
||||||
- usermod: when relocating a user's home directory, don't fail and remove the new
|
- usermod: when relocating a user's home directory, don't fail and remove the new
|
||||||
home directory if we can't remove the old home directory for some
|
home directory if we can't remove the old home directory for some
|
||||||
reason; the results can be spectularly poort if, for instance, only
|
reason; the results can be spectacularly poor if, for instance, only
|
||||||
the rmdir() fails. Patch prepared by Timo Lindfors <lindi-spamtrap@newmail.com>.
|
the rmdir() fails. Patch prepared by Timo Lindfors <lindi-spamtrap@newmail.com>.
|
||||||
http://bugs.debian.org/166369
|
http://bugs.debian.org/166369
|
||||||
- su: fix syslogs to be less ambiguous. Use old:new format instead of old-new
|
- su: fix syslogs to be less ambiguous. Use old:new format instead of old-new
|
||||||
@@ -1124,7 +1124,7 @@ shadow-4.0.9 -> shadow-4.0.10 28-06-2005
|
|||||||
http://bugs.debian.org/213592
|
http://bugs.debian.org/213592
|
||||||
- removed not used now libmisc/setup.c,
|
- removed not used now libmisc/setup.c,
|
||||||
- login: use also UTMPX API instead UTMP on failure (login was affected for this
|
- login: use also UTMPX API instead UTMP on failure (login was affected for this
|
||||||
when shadow was builded without PAM support)
|
when shadow was built without PAM support)
|
||||||
patch by Nicolas François <nicolas.francois@centraliens.net>
|
patch by Nicolas François <nicolas.francois@centraliens.net>
|
||||||
- login: the PAM session needs to be closed as root, thus before change_uid()
|
- login: the PAM session needs to be closed as root, thus before change_uid()
|
||||||
http://bugs.debian.org/53570 http://bugs.debian.org/195048 http://bugs.debian.org/211884
|
http://bugs.debian.org/53570 http://bugs.debian.org/195048 http://bugs.debian.org/211884
|
||||||
@@ -1135,12 +1135,12 @@ shadow-4.0.9 -> shadow-4.0.10 28-06-2005
|
|||||||
http://bugs.debian.org/48002
|
http://bugs.debian.org/48002
|
||||||
- login: fixed username on succesful login (was using the normal username,
|
- login: fixed username on succesful login (was using the normal username,
|
||||||
when it should have used pam_user) http://bugs.debian.org/47819
|
when it should have used pam_user) http://bugs.debian.org/47819
|
||||||
- remove using SHADOWPWD #define so now shadow is allways builded with shadow
|
- remove using SHADOWPWD #define so now shadow is always built with shadow
|
||||||
passwowd support,
|
password support,
|
||||||
- chage: rewrited for use getopt_long(),
|
- chage: rewritten for use getopt_long(),
|
||||||
- updated translations: ca, cs, da, fi, pl, ru, zh_TW.
|
- updated translations: ca, cs, da, fi, pl, ru, zh_TW.
|
||||||
*** documentation:
|
*** documentation:
|
||||||
- most of the man pages now are generated from XML files so in case submiting any
|
- most of the man pages now are generated from XML files so in case submitting any
|
||||||
chages to this resources please make diff to XML files,
|
chages to this resources please make diff to XML files,
|
||||||
- chfn: give more details about the influence of login.defs on what's allowed to
|
- chfn: give more details about the influence of login.defs on what's allowed to
|
||||||
users.
|
users.
|
||||||
@@ -1148,7 +1148,7 @@ shadow-4.0.9 -> shadow-4.0.10 28-06-2005
|
|||||||
shadow-4.0.8 -> shadow-4.0.9 23-05-2005
|
shadow-4.0.8 -> shadow-4.0.9 23-05-2005
|
||||||
|
|
||||||
*** general:
|
*** general:
|
||||||
- passwd: fixed segfault in non-PAM connfiguration
|
- passwd: fixed segfault in non-PAM configuration
|
||||||
(submited by Greg Schafer <gschafer@zip.com.au>),
|
(submited by Greg Schafer <gschafer@zip.com.au>),
|
||||||
- newgrp: fixed NULL pointer dereference - getlogin() and ttyname() can
|
- newgrp: fixed NULL pointer dereference - getlogin() and ttyname() can
|
||||||
return NULL which is not checked (http://bugs.debian.org/162303),
|
return NULL which is not checked (http://bugs.debian.org/162303),
|
||||||
@@ -1170,15 +1170,15 @@ shadow-4.0.7 -> shadow-4.0.8 26-04-2005
|
|||||||
- configure.in: add using AC_GNU_SOURCE macro for kill compilation warnings about
|
- configure.in: add using AC_GNU_SOURCE macro for kill compilation warnings about
|
||||||
implicit declaration of function `fseeko',
|
implicit declaration of function `fseeko',
|
||||||
- faillog: changed faillog record display format for allow fit in 80 columns all
|
- faillog: changed faillog record display format for allow fit in 80 columns all
|
||||||
faillog atributies,
|
faillog attributes,
|
||||||
- removed NDBM code (unused),
|
- removed NDBM code (unused),
|
||||||
- fixed use of SU_WHEEL_ONLY in su. Now su realy is avalaible for wheel group
|
- fixed use of SU_WHEEL_ONLY in su. Now su really is available for wheel group
|
||||||
members. Thanks to Mike Frysinger <vapier@gentoo.org> for report:
|
members. Thanks to Mike Frysinger <vapier@gentoo.org> for report:
|
||||||
http://bugs.gentoo.org/show_bug.cgi?id=80345
|
http://bugs.gentoo.org/show_bug.cgi?id=80345
|
||||||
- drop never finished kerberos and des_rpc support (for kerberos support back firs
|
- drop never finished kerberos and des_rpc support (for kerberos support back firs
|
||||||
must be prepared modularization),
|
must be prepared modularization),
|
||||||
- fixed UTMP path detection (by Kelledin <kelledin@users.sf.net>),
|
- fixed UTMP path detection (by Kelledin <kelledin@users.sf.net>),
|
||||||
- useradd: rewrited group count to dynamic (by John Newbigin
|
- useradd: rewritten group count to dynamic (by John Newbigin
|
||||||
<jnewbigin@ict.swin.edu.au>),
|
<jnewbigin@ict.swin.edu.au>),
|
||||||
- login: fixed create lastlog entry fo users never loged in on non-PAM
|
- login: fixed create lastlog entry fo users never loged in on non-PAM
|
||||||
variant of login (fix by <oracular@ziplip.com>),
|
variant of login (fix by <oracular@ziplip.com>),
|
||||||
@@ -1193,7 +1193,7 @@ shadow-4.0.7 -> shadow-4.0.8 26-04-2005
|
|||||||
fchmod() is executed. (Actually, we could also pass the final "mode" to
|
fchmod() is executed. (Actually, we could also pass the final "mode" to
|
||||||
the open() call and then save the consequent fchmod().)
|
the open() call and then save the consequent fchmod().)
|
||||||
- SELinux changes: added changes in chage, chfn, chsh, passwd for allow
|
- SELinux changes: added changes in chage, chfn, chsh, passwd for allow
|
||||||
construct more grained user password/accuunt properties on SELinux
|
construct more grained user password/account properties on SELinux
|
||||||
policies level. Patch originally based on RH changes (submited by Chris
|
policies level. Patch originally based on RH changes (submited by Chris
|
||||||
PeBenito <pebenito@gentoo.org>),
|
PeBenito <pebenito@gentoo.org>),
|
||||||
- added SELinux changes: in libmisc/copydir.c (based on Fedora patch),
|
- added SELinux changes: in libmisc/copydir.c (based on Fedora patch),
|
||||||
@@ -1211,7 +1211,7 @@ shadow-4.0.7 -> shadow-4.0.8 26-04-2005
|
|||||||
- newgrp(1): fix #251926, #166173, #113191 Debian bugs: explain why editing /etc/group
|
- newgrp(1): fix #251926, #166173, #113191 Debian bugs: explain why editing /etc/group
|
||||||
(without gshadow) doesn't permit to use newgrp,
|
(without gshadow) doesn't permit to use newgrp,
|
||||||
- newgrp(1): newgrp uses /bin/sh (not bash),
|
- newgrp(1): newgrp uses /bin/sh (not bash),
|
||||||
- faillog(8): updated after rewrited faillog command for use getopt_long(),
|
- faillog(8): updated after rewritten faillog command for use getopt_long(),
|
||||||
- login(1): removed fragment about abilities pass enviroment variables in login prompt,
|
- login(1): removed fragment about abilities pass enviroment variables in login prompt,
|
||||||
- gshadow(5): new file (by Nicolas Nicolas François <nicolas.francois@centraliens.net>),
|
- gshadow(5): new file (by Nicolas Nicolas François <nicolas.francois@centraliens.net>),
|
||||||
- usermod(8): fixed #302388 Debian bug: added separated -o option description,
|
- usermod(8): fixed #302388 Debian bug: added separated -o option description,
|
||||||
@@ -1229,24 +1229,24 @@ shadow-4.0.6 -> shadow-4.0.7 26-01-2005
|
|||||||
-- use fseeko() instead fseek() and remove casting file offsets to unsigned
|
-- use fseeko() instead fseek() and remove casting file offsets to unsigned
|
||||||
long.
|
long.
|
||||||
- lastlog:
|
- lastlog:
|
||||||
-- rewrited source code using the same style as in chpasswd.c,
|
-- rewritten source code using the same style as in chpasswd.c,
|
||||||
-- open lastlog file after finish parse comman line optiomns
|
-- open lastlog file after finish parse commandline options
|
||||||
(now --help otput can be displayd for users without lastlog
|
(now --help output can be displayed for users without lastlog
|
||||||
file read permission),
|
file read permission),
|
||||||
-- cleanups in lastlog(8) man page using the same style as in
|
-- cleanups in lastlog(8) man page using the same style as in
|
||||||
chpasswd(8).
|
chpasswd(8).
|
||||||
- chpasswd:
|
- chpasswd:
|
||||||
-- switch chpasswd to use getopt_long() and adds a --md5 option
|
-- switch chpasswd to use getopt_long() and adds a --md5 option
|
||||||
(by Ian Gulliver <ian@penguinhosting.net>),
|
(by Ian Gulliver <ian@penguinhosting.net>),
|
||||||
-- rewrited chpasswd(8) man page.
|
-- rewritten chpasswd(8) man page.
|
||||||
|
|
||||||
shadow-4.0.5 -> shadow-4.0.6 08-11-2004
|
shadow-4.0.5 -> shadow-4.0.6 08-11-2004
|
||||||
|
|
||||||
- su: fixed adding of pam_env env variables to enviroment
|
- su: fixed adding of pam_env env variables to enviroment
|
||||||
(Martin Schlemmer <azarah@nosferatu.za.org>),
|
(Martin Schlemmer <azarah@nosferatu.za.org>),
|
||||||
- autoconf: fixed filling MAIL_SPOOL_DIR and MAIL_SPOOL_FILE variables
|
- autoconf: fixed filling MAIL_SPOOL_DIR and MAIL_SPOOL_FILE variables
|
||||||
which was allways empty (Gregorio Guidi <g.guidi@sns.it>),
|
which was always empty (Gregorio Guidi <g.guidi@sns.it>),
|
||||||
- realuy closse security bug in libmisc/pwdcheck.c,
|
- really close security bug in libmisc/pwdcheck.c,
|
||||||
- added missing template/example PAM service config files for chfn, chsh and
|
- added missing template/example PAM service config files for chfn, chsh and
|
||||||
userdel,
|
userdel,
|
||||||
- do not translate variable names from /etc/default/useradd during
|
- do not translate variable names from /etc/default/useradd during
|
||||||
@@ -1257,10 +1257,10 @@ shadow-4.0.4.1 -> shadow-4.0.5 27-10-2004
|
|||||||
- change libmisc to private static library,
|
- change libmisc to private static library,
|
||||||
- added SELinux support (basing on patch from Gentoo),
|
- added SELinux support (basing on patch from Gentoo),
|
||||||
- chage: more verbose/human readable -l output. This output is much more
|
- chage: more verbose/human readable -l output. This output is much more
|
||||||
beter for send directly via email for each users as message with account
|
better for send directly via email for each users as message with account
|
||||||
status (for example as message with warning about account/password expiration),
|
status (for example as message with warning about account/password expiration),
|
||||||
- login: fixed handle -f option: now it works correctly without specify "-h
|
- login: fixed handle -f option: now it works correctly without specify "-h
|
||||||
<host>" if open login session localy is required (thanks for help
|
<host>" if open login session locally is required (thanks for help
|
||||||
investigate bug for Krzysztof Kotlenga),
|
investigate bug for Krzysztof Kotlenga),
|
||||||
- userdel: when removing a user with userdel, userdel was always exits with 1 (fixed).
|
- userdel: when removing a user with userdel, userdel was always exits with 1 (fixed).
|
||||||
Based on http://bugs.gentoo.org/show_bug.cgi?id=66687,
|
Based on http://bugs.gentoo.org/show_bug.cgi?id=66687,
|
||||||
@@ -1274,7 +1274,7 @@ shadow-4.0.4.1 -> shadow-4.0.5 27-10-2004
|
|||||||
makes httpd Option SymlinkIfOwnerMatch break for default weg pages
|
makes httpd Option SymlinkIfOwnerMatch break for default weg pages
|
||||||
including symlinks placed into /etc/skel/public_html for example.
|
including symlinks placed into /etc/skel/public_html for example.
|
||||||
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=66819
|
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=66819
|
||||||
- su: add pam_open_session() support. If builded without PAM support
|
- su: add pam_open_session() support. If built without PAM support
|
||||||
propagate $DISPLAY and $XAUTHORITY enviroment variables.
|
propagate $DISPLAY and $XAUTHORITY enviroment variables.
|
||||||
Based on http://www.gentoo.org/cgi-bin/viewcvs.cgi/sys-apps/shadow/files/shadow-4.0.4.1-su-pam_open_session.patch?rev=1.1
|
Based on http://www.gentoo.org/cgi-bin/viewcvs.cgi/sys-apps/shadow/files/shadow-4.0.4.1-su-pam_open_session.patch?rev=1.1
|
||||||
- applied 036_pam_access_with_preauth.patch Debian patch submited by Bjorn
|
- applied 036_pam_access_with_preauth.patch Debian patch submited by Bjorn
|
||||||
@@ -1287,11 +1287,11 @@ shadow-4.0.4.1 -> shadow-4.0.5 27-10-2004
|
|||||||
Use constant strings rather than argv[0] for syslog ident in the user
|
Use constant strings rather than argv[0] for syslog ident in the user
|
||||||
management commands,
|
management commands,
|
||||||
shadow-4.0.4.1-owl-tmp.diff:
|
shadow-4.0.4.1-owl-tmp.diff:
|
||||||
Remove using mktemp() if mkstemp() prototype not found (use allways mkstemp()),
|
Remove using mktemp() if mkstemp() prototype not found (use always mkstemp()),
|
||||||
shadow-4.0.4.1-owl-check-reads.diff:
|
shadow-4.0.4.1-owl-check-reads.diff:
|
||||||
Add checking for read errors in commonio and vipw/vigr (not doing so could
|
Add checking for read errors in commonio and vipw/vigr (not doing so could
|
||||||
result in data loss when the records are written back),
|
result in data loss when the records are written back),
|
||||||
- fixed securirty bug in libmisc/pwdcheck.c which allow unauthorized
|
- fixed security bug in libmisc/pwdcheck.c which allow unauthorized
|
||||||
account properties modification.
|
account properties modification.
|
||||||
Affected tools: chfn and chsh.
|
Affected tools: chfn and chsh.
|
||||||
Bug was discovered by Martin Schulze <joey@infodrom.org>.
|
Bug was discovered by Martin Schulze <joey@infodrom.org>.
|
||||||
@@ -1307,12 +1307,12 @@ shadow-4.0.4.1 -> shadow-4.0.5 27-10-2004
|
|||||||
|
|
||||||
shadow-4.0.4 => shadow-4.0.4.1 14-01-2004
|
shadow-4.0.4 => shadow-4.0.4.1 14-01-2004
|
||||||
- bug fixes in automake files for generate correct tar ball on "make dist":
|
- bug fixes in automake files for generate correct tar ball on "make dist":
|
||||||
added mising "EXTRA_DIST = $(man_MANS)" in man/*/Makefile.am.
|
added missing "EXTRA_DIST = $(man_MANS)" in man/*/Makefile.am.
|
||||||
|
|
||||||
shadow-4.0.3 => shadow-4.0.4 14-01-2004
|
shadow-4.0.3 => shadow-4.0.4 14-01-2004
|
||||||
|
|
||||||
*** general:
|
*** general:
|
||||||
- added missing information about -f options in groupadd usage mesage
|
- added missing information about -f options in groupadd usage message
|
||||||
(document this also in man page),
|
(document this also in man page),
|
||||||
- removed TCFS support (tcfs is dead),
|
- removed TCFS support (tcfs is dead),
|
||||||
- convert all po/*.po files to utf-8,
|
- convert all po/*.po files to utf-8,
|
||||||
@@ -1320,7 +1320,7 @@ shadow-4.0.3 => shadow-4.0.4 14-01-2004
|
|||||||
per service flushing method instead HUPing nscd process),
|
per service flushing method instead HUPing nscd process),
|
||||||
- removed old AUTH_METHODS dependent code,
|
- removed old AUTH_METHODS dependent code,
|
||||||
- chage: now all code depend on SHADOWPWD. If shadow will not be configured
|
- chage: now all code depend on SHADOWPWD. If shadow will not be configured
|
||||||
on autoconf level for using shadow possword chage is olny stub which
|
on autoconf level for using shadow password chage is olny stub which
|
||||||
informs "chage not configured for shadow password support."
|
informs "chage not configured for shadow password support."
|
||||||
- dpasswd: removed,
|
- dpasswd: removed,
|
||||||
- login: remove handle login.defs::DIALUPS_CHECK_ENAB code,
|
- login: remove handle login.defs::DIALUPS_CHECK_ENAB code,
|
||||||
@@ -1328,7 +1328,7 @@ shadow-4.0.3 => shadow-4.0.4 14-01-2004
|
|||||||
- ALL tools, libraries: remove old SVR4, SVR4_SI86_EUA BSD_QUOTA and ATT_AGE
|
- ALL tools, libraries: remove old SVR4, SVR4_SI86_EUA BSD_QUOTA and ATT_AGE
|
||||||
dependent code,
|
dependent code,
|
||||||
- ALL: ready for gettext 0.11.5, automake 1.7.4, autoconf 2.57,
|
- ALL: ready for gettext 0.11.5, automake 1.7.4, autoconf 2.57,
|
||||||
- logoutd, userd: handle also utmpx if avalaile,
|
- logoutd, userd: handle also utmpx if available,
|
||||||
- newgrp: fix for non-PAM version
|
- newgrp: fix for non-PAM version
|
||||||
Use CLOSE_SESSIONS depending code only when USE_PAM.
|
Use CLOSE_SESSIONS depending code only when USE_PAM.
|
||||||
The problem was reported by Mattias Webjorn Eriksson using Slackware
|
The problem was reported by Mattias Webjorn Eriksson using Slackware
|
||||||
@@ -1356,7 +1356,7 @@ shadow-4.0.3 => shadow-4.0.4 14-01-2004
|
|||||||
|
|
||||||
shadow-4.0.2 => shadow-4.0.3 13-03-2002
|
shadow-4.0.2 => shadow-4.0.3 13-03-2002
|
||||||
|
|
||||||
- added variouse cs, de, fr, id, it, ko man pages found mainly in national
|
- added various cs, de, fr, id, it, ko man pages found mainly in national
|
||||||
man pages translations projects (this documents are not synced with
|
man pages translations projects (this documents are not synced with
|
||||||
current en version but you know .. "Documentations is lik sex. When it is
|
current en version but you know .. "Documentations is lik sex. When it is
|
||||||
good it very very good. Whet it is bad it is better than nothing."). Any
|
good it very very good. Whet it is bad it is better than nothing."). Any
|
||||||
@@ -1372,9 +1372,9 @@ shadow-4.0.2 => shadow-4.0.3 13-03-2002
|
|||||||
shadow-4.0.1 => shadow-4.0.2 17-02-2002
|
shadow-4.0.1 => shadow-4.0.2 17-02-2002
|
||||||
|
|
||||||
- resolve many fuzzy translations also all this which may cause problems on
|
- resolve many fuzzy translations also all this which may cause problems on
|
||||||
displaing long uid/gid,
|
displaying long uid/gid,
|
||||||
- allow use "$" on ending in cereated by useradd usermname accounts for allow
|
- allow use "$" on ending in created by useradd username accounts for allow
|
||||||
create machine acounts for samba (thanks to Jerome Borsboom
|
create machine accounts for samba (thanks to Jerome Borsboom
|
||||||
<borsboom@tch.fgg.eur.nl> for point this problem in 4.0.1),
|
<borsboom@tch.fgg.eur.nl> for point this problem in 4.0.1),
|
||||||
- fix small but ugly bug in configure.in in libpam_mics library detection.
|
- fix small but ugly bug in configure.in in libpam_mics library detection.
|
||||||
|
|
||||||
@@ -1394,7 +1394,7 @@ shadow-4.0.0 => shadow-4.0.1
|
|||||||
as root. If root does read-only, there's no lock needed. Added missing
|
as root. If root does read-only, there's no lock needed. Added missing
|
||||||
"#include <errno.h>" for above (me).
|
"#include <errno.h>" for above (me).
|
||||||
shadow-4.0.0-owl-warnings.diff
|
shadow-4.0.0-owl-warnings.diff
|
||||||
Olny one fix from this patch was aplayd because other was fixed few days
|
Olny one fix from this patch was applied because other was fixed few days
|
||||||
before :)
|
before :)
|
||||||
shadow-4.0.0-owl-check_names.diff
|
shadow-4.0.0-owl-check_names.diff
|
||||||
Merge only prat this patch with checking login name matching; checking
|
Merge only prat this patch with checking login name matching; checking
|
||||||
@@ -1402,7 +1402,7 @@ shadow-4.0.0 => shadow-4.0.1
|
|||||||
probably _POSIX_LOGIN_NAME_MAX from <bits/posix1_lim.h>,
|
probably _POSIX_LOGIN_NAME_MAX from <bits/posix1_lim.h>,
|
||||||
shadow-4.0.0-owl-chage-drop-priv.diff
|
shadow-4.0.0-owl-chage-drop-priv.diff
|
||||||
shadow-4.0.0-owl-pam-auth.diff
|
shadow-4.0.0-owl-pam-auth.diff
|
||||||
Merge part with reorder initialize PAM and checkin is chage is runed by
|
Merge part with reorder initialize PAM and checking if chage is runed by
|
||||||
root or not - now chage can be runed from non-root account for checking
|
root or not - now chage can be runed from non-root account for checking
|
||||||
by user own account information (if PAM enabled).
|
by user own account information (if PAM enabled).
|
||||||
- fixes for handle/print correctly 32bit uid/gid (Thorsten Kukuk <kukuk@suse.de>),
|
- fixes for handle/print correctly 32bit uid/gid (Thorsten Kukuk <kukuk@suse.de>),
|
||||||
@@ -1446,30 +1446,30 @@ shadow-20001016 => shadow-4.0.0 06-01-2002
|
|||||||
- much better automake support,
|
- much better automake support,
|
||||||
- added pt_BR man pages for gpasswd(1), groupadd(8), groupdel(8),
|
- added pt_BR man pages for gpasswd(1), groupadd(8), groupdel(8),
|
||||||
groupmod(8), shadow(5) (man pages for other nations also are welcome),
|
groupmod(8), shadow(5) (man pages for other nations also are welcome),
|
||||||
- mamny small fixes and updates nad improvements in man pages,
|
- many small fixes and updates nad improvements in man pages,
|
||||||
- aplayed Debian patch to man pages for shadowconfig,
|
- applied Debian patch to man pages for shadowconfig,
|
||||||
- remove limit to 6 chars logged tty name (012_libmisc_sulog.c.diff Debian
|
- remove limit to 6 chars logged tty name (012_libmisc_sulog.c.diff Debian
|
||||||
patch).
|
patch).
|
||||||
|
|
||||||
shadow-20001012 -> shadow-20001016:
|
shadow-20001012 -> shadow-20001016:
|
||||||
- conditionaly disabled body reload_nscd() because not every
|
- conditionally disabled body reload_nscd() because not every
|
||||||
version of nscd can handle it (this can be enabled by define
|
version of nscd can handle it (this can be enabled by define
|
||||||
ENABLE_NSCD_SIGHUP) (Marek Michałkiewicz <marekm@linux.org.pl>)
|
ENABLE_NSCD_SIGHUP) (Marek Michałkiewicz <marekm@linux.org.pl>)
|
||||||
- fixes on autoconf/automake level for dist target,
|
- fixes on autoconf/automake level for dist target,
|
||||||
- Julianne F. Haugh new contact adress.
|
- Julianne F. Haugh new contact address.
|
||||||
|
|
||||||
shadow-20000902 => shadow-20001012
|
shadow-20000902 => shadow-20001012
|
||||||
|
|
||||||
- removed /redhat directory with obsoleted files (partialy rewrited spec
|
- removed /redhat directory with obsoleted files (partially rewritten spec
|
||||||
file is now in root directory),
|
file is now in root directory),
|
||||||
- aplayed shadow-19990827-group.patch patch from RH wich prevents adduser
|
- applied shadow-19990827-group.patch patch from RH wich prevents adduser
|
||||||
overwrite previously existing groups in adduser,
|
overwrite previously existing groups in adduser,
|
||||||
- added PAM support for chage (bind to "chage" PAM config file) also
|
- added PAM support for chage (bind to "chage" PAM config file) also
|
||||||
added PAM support for all other small tools like chpasswd, groupadd,
|
added PAM support for all other small tools like chpasswd, groupadd,
|
||||||
groupdel, groupmod, newusers, useradd, userdel, usermod (bind to common
|
groupdel, groupmod, newusers, useradd, userdel, usermod (bind to common
|
||||||
"shadow" PAM config file) - this modificaytions mainly based on
|
"shadow" PAM config file) - this modifications mainly based on
|
||||||
modifications prepared by Janek Rękojarski <baggins@pld.org.pl>,
|
modifications prepared by Janek Rękojarski <baggins@pld.org.pl>,
|
||||||
- many small fixes and improvments in automake (mow "make dist"
|
- many small fixes and improvements in automake (mow "make dist"
|
||||||
works correctly),
|
works correctly),
|
||||||
- added cs translation (Jiri Pavlovsky <Jiri.Pavlovsky@ff.cuni.cz>).
|
- added cs translation (Jiri Pavlovsky <Jiri.Pavlovsky@ff.cuni.cz>).
|
||||||
|
|
||||||
|
|||||||
@@ -44,6 +44,7 @@ a lot of mail...
|
|||||||
|
|
||||||
Adam Rudnicki <adam@v-lo.krakow.pl>
|
Adam Rudnicki <adam@v-lo.krakow.pl>
|
||||||
Alan Curry <pacman@tardis.mars.net>
|
Alan Curry <pacman@tardis.mars.net>
|
||||||
|
Aleksa Sarai <cyphar@cyphar.com>
|
||||||
Alexander O. Yuriev <alex@bach.cis.temple.edu>
|
Alexander O. Yuriev <alex@bach.cis.temple.edu>
|
||||||
Algis Rudys <arudys@rice.edu>
|
Algis Rudys <arudys@rice.edu>
|
||||||
Andreas Jaeger <aj@arthur.rhein-neckar.de>
|
Andreas Jaeger <aj@arthur.rhein-neckar.de>
|
||||||
|
|||||||
+3
-2
@@ -1,6 +1,6 @@
|
|||||||
dnl Process this file with autoconf to produce a configure script.
|
dnl Process this file with autoconf to produce a configure script.
|
||||||
AC_PREREQ([2.64])
|
AC_PREREQ([2.64])
|
||||||
AC_INIT([shadow], [4.5], [pkg-shadow-devel@lists.alioth.debian.org], [],
|
AC_INIT([shadow], [4.6], [pkg-shadow-devel@lists.alioth.debian.org], [],
|
||||||
[https://github.com/shadow-maint/shadow])
|
[https://github.com/shadow-maint/shadow])
|
||||||
AM_INIT_AUTOMAKE([1.11 foreign dist-xz])
|
AM_INIT_AUTOMAKE([1.11 foreign dist-xz])
|
||||||
AM_SILENT_RULES([yes])
|
AM_SILENT_RULES([yes])
|
||||||
@@ -324,6 +324,7 @@ if test "$enable_man" = "yes"; then
|
|||||||
AC_PATH_PROG([XSLTPROC], [xsltproc])
|
AC_PATH_PROG([XSLTPROC], [xsltproc])
|
||||||
if test -z "$XSLTPROC"; then
|
if test -z "$XSLTPROC"; then
|
||||||
enable_man=no
|
enable_man=no
|
||||||
|
AC_MSG_ERROR([xsltproc is missing.])
|
||||||
fi
|
fi
|
||||||
|
|
||||||
dnl check for DocBook DTD and stylesheets in the local catalog.
|
dnl check for DocBook DTD and stylesheets in the local catalog.
|
||||||
@@ -566,7 +567,7 @@ if test "$with_libpam" = "yes"; then
|
|||||||
LIBS=$save_libs
|
LIBS=$save_libs
|
||||||
|
|
||||||
AC_DEFINE(USE_PAM, 1, [Define to support Pluggable Authentication Modules])
|
AC_DEFINE(USE_PAM, 1, [Define to support Pluggable Authentication Modules])
|
||||||
AC_DEFINE_UNQUOTED(SHADOW_PAM_CONVERSATION, [$pam_conv_function],[PAM converstation to use])
|
AC_DEFINE_UNQUOTED(SHADOW_PAM_CONVERSATION, [$pam_conv_function],[PAM conversation to use])
|
||||||
AM_CONDITIONAL(USE_PAM, [true])
|
AM_CONDITIONAL(USE_PAM, [true])
|
||||||
|
|
||||||
AC_MSG_CHECKING(use login and su access checking if PAM not used)
|
AC_MSG_CHECKING(use login and su access checking if PAM not used)
|
||||||
|
|||||||
@@ -20,7 +20,7 @@
|
|||||||
** 1/28/95
|
** 1/28/95
|
||||||
** shadow-adduser 1.3:
|
** shadow-adduser 1.3:
|
||||||
**
|
**
|
||||||
** Basically a bug-fix on my additions in 1.2. Thanx to Terry Stewart
|
** Basically a bug-fix on my additions in 1.2. Thanks to Terry Stewart
|
||||||
** (stew@texas.net) for pointing out one of the many idiotic bugs I introduced.
|
** (stew@texas.net) for pointing out one of the many idiotic bugs I introduced.
|
||||||
** It was such a stupid bug that I would have never seen it myself.
|
** It was such a stupid bug that I would have never seen it myself.
|
||||||
**
|
**
|
||||||
|
|||||||
+1
-1
@@ -34,7 +34,7 @@
|
|||||||
** 1/28/95
|
** 1/28/95
|
||||||
** shadow-adduser 1.3:
|
** shadow-adduser 1.3:
|
||||||
**
|
**
|
||||||
** Basically a bug-fix on my additions in 1.2. Thanx to Terry Stewart
|
** Basically a bug-fix on my additions in 1.2. Thanks to Terry Stewart
|
||||||
** (stew@texas.net) for pointing out one of the many idiotic bugs I introduced.
|
** (stew@texas.net) for pointing out one of the many idiotic bugs I introduced.
|
||||||
** It was such a stupid bug that I would have never seen it myself.
|
** It was such a stupid bug that I would have never seen it myself.
|
||||||
**
|
**
|
||||||
|
|||||||
+1
-1
@@ -32,7 +32,7 @@ def_home_dir=/home/users
|
|||||||
# default shell
|
# default shell
|
||||||
def_shell=/bin/tcsh
|
def_shell=/bin/tcsh
|
||||||
|
|
||||||
# Defaul expiration date (mm/dd/yy)
|
# Default expiration date (mm/dd/yy)
|
||||||
def_expire=""
|
def_expire=""
|
||||||
|
|
||||||
# default dates
|
# default dates
|
||||||
|
|||||||
@@ -480,7 +480,7 @@ X.B groupmems
|
|||||||
\fB-D\fR |
|
\fB-D\fR |
|
||||||
[\fB-g\fI group_name \fR]
|
[\fB-g\fI group_name \fR]
|
||||||
X.SH DESCRIPTION
|
X.SH DESCRIPTION
|
||||||
The \fBgroupmems\fR utility allows a user to administer his/her own
|
The \fBgroupmems\fR utility allows a user to administer their own
|
||||||
group membership list without the requirement of superuser privileges.
|
group membership list without the requirement of superuser privileges.
|
||||||
The \fBgroupmems\fR utility is for systems that configure its users to
|
The \fBgroupmems\fR utility is for systems that configure its users to
|
||||||
be in their own name sake primary group (i.e., guest / guest).
|
be in their own name sake primary group (i.e., guest / guest).
|
||||||
|
|||||||
@@ -2,7 +2,7 @@ Hello Marek,
|
|||||||
|
|
||||||
I have created a diffile against the 980403 release that adds
|
I have created a diffile against the 980403 release that adds
|
||||||
functionality to newusers for automatic handling of users with only
|
functionality to newusers for automatic handling of users with only
|
||||||
anonomous ftp login (using the guestgroup feature in ftpaccess, which
|
anonymous ftp login (using the guestgroup feature in ftpaccess, which
|
||||||
means that the users home directory looks like '/home/user/./'). It also
|
means that the users home directory looks like '/home/user/./'). It also
|
||||||
adds a commandline argument to specify an initial directory structure
|
adds a commandline argument to specify an initial directory structure
|
||||||
for such users, with a tarball normally containing the bin,lib,etc
|
for such users, with a tarball normally containing the bin,lib,etc
|
||||||
|
|||||||
Vendored
-16
@@ -1,16 +0,0 @@
|
|||||||
PKG=shadow
|
|
||||||
SITE=ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/
|
|
||||||
|
|
||||||
deb:: check_cheese
|
|
||||||
|
|
||||||
include /usr/share/quilt/quilt.debbuild.mk
|
|
||||||
|
|
||||||
check_cheese:
|
|
||||||
@dpkg-parsechangelog | grep -q "\* The \".*\".* release\." || { \
|
|
||||||
echo ""; \
|
|
||||||
echo " ** **"; \
|
|
||||||
echo " ** Warning: not a cheesy release! **"; \
|
|
||||||
echo " ** **"; \
|
|
||||||
echo ""; \
|
|
||||||
exit 1; \
|
|
||||||
}
|
|
||||||
Vendored
-36
@@ -1,36 +0,0 @@
|
|||||||
shadow (1:4.0.15-5) unstable; urgency=low
|
|
||||||
|
|
||||||
* commands passed in argument to su must use su's -c option and must quote
|
|
||||||
the command if it contains a space, as in:
|
|
||||||
su - root -c "ls -l /"
|
|
||||||
The following commands won't work anymore:
|
|
||||||
su - root -c ls -l /
|
|
||||||
su - root "ls -l /"
|
|
||||||
su - root ls -l /
|
|
||||||
|
|
||||||
-- Christian Perrier <bubulle@debian.org> Sat, 8 Apr 2006 20:11:38 +0200
|
|
||||||
|
|
||||||
shadow (1:4.0.14-1) unstable; urgency=low
|
|
||||||
|
|
||||||
* passwd does not support the -f, -s, and -g options anymore. You should use
|
|
||||||
the chfn, chsh and gpasswd utilities instead.
|
|
||||||
* login now distributes the nologin utility, which can be used as a shell
|
|
||||||
to politely refuse a login
|
|
||||||
|
|
||||||
-- Christian Perrier <bubulle@debian.org> Thu, 5 Jan 2006 08:47:44 +0100
|
|
||||||
|
|
||||||
shadow (1:4.0.12-1) unstable; urgency=low
|
|
||||||
|
|
||||||
CLOSE_SESSIONS and other variables are not used anymore in
|
|
||||||
/etc/login/defs.
|
|
||||||
As shadow utilities which use this file now warn about unknown
|
|
||||||
entries there, administrators should remove such unknown entries.
|
|
||||||
The supplied login.defs file does not include them anymore.
|
|
||||||
|
|
||||||
dpasswd is no more distributed by upstream. Login do not support
|
|
||||||
dialup password anymore. Re-introducing this functionality in
|
|
||||||
upstream is not trivial.
|
|
||||||
|
|
||||||
|
|
||||||
-- Christian Perrier <bubulle@debian.org> Thu, 25 Aug 2005 08:38:47 +0200
|
|
||||||
|
|
||||||
Vendored
-62
@@ -1,62 +0,0 @@
|
|||||||
Read this file first for a brief overview of the new versions of login
|
|
||||||
and passwd.
|
|
||||||
|
|
||||||
|
|
||||||
---Shadow passwords
|
|
||||||
|
|
||||||
The command `shadowconfig on' will turn on shadow password support.
|
|
||||||
`shadowconfig off' will turn it back off. If you turn on shadow
|
|
||||||
password support, you'll gain the ability to set password ages and
|
|
||||||
expirations with chage(1).
|
|
||||||
|
|
||||||
NOTE: If you use the nscd package, you may have problems with a
|
|
||||||
slight delay in updating the password information. You may notice
|
|
||||||
this during upgrades of certain packages that try to add a system
|
|
||||||
user and then access the users information immediately afterwards.
|
|
||||||
To avoid this, it is suggested that you stop the nscd daemon before
|
|
||||||
upgrades, then restart it again.
|
|
||||||
|
|
||||||
---General configuration
|
|
||||||
|
|
||||||
Most of the configuration for the shadow utilities is in
|
|
||||||
/etc/login.defs. See login.defs(5). The defaults are quite
|
|
||||||
reasonable.
|
|
||||||
|
|
||||||
Also see the /etc/pam.d/* files for each program to configure the PAM
|
|
||||||
support. PAM documentation is available in several formats in the
|
|
||||||
libpam-doc package.
|
|
||||||
|
|
||||||
|
|
||||||
---MD5 Encryption
|
|
||||||
|
|
||||||
This is enabled now using the /etc/pam.d/* files. Examples are given.
|
|
||||||
|
|
||||||
|
|
||||||
---Adding users and groups
|
|
||||||
|
|
||||||
Though you may add users and groups with the SysV type commands,
|
|
||||||
useradd and groupadd, I recommend you add them with Debian adduser
|
|
||||||
version 3+. adduser gives you more configuration and conforms to the
|
|
||||||
Debian UID and GID allocation.
|
|
||||||
|
|
||||||
Editing user and group parameters can be done with usermod and
|
|
||||||
groupmod. Removing users and groups can be done with userdel and
|
|
||||||
groupdel.
|
|
||||||
|
|
||||||
|
|
||||||
--- Group administration
|
|
||||||
|
|
||||||
Local group allocation is much easier. With gpasswd(1) you can
|
|
||||||
designate users to administer groups. They can then securely add or
|
|
||||||
remove users from the group.
|
|
||||||
|
|
||||||
|
|
||||||
--- What to read next?
|
|
||||||
|
|
||||||
Read the manpages, the other files in this directory, and the Shadow
|
|
||||||
Password HOWTO (included in the doc-linux package). A large portion
|
|
||||||
of these files deals with getting shadow installed. You can, of
|
|
||||||
course, ignore those parts.
|
|
||||||
|
|
||||||
Also, the libpam-doc package will go a long way to allowing you to take
|
|
||||||
full advantage of the PAM authentication scheme.
|
|
||||||
Vendored
-4
@@ -1,4 +0,0 @@
|
|||||||
A testsuite is also available. Instruction on how to run this testsuite
|
|
||||||
are available in tests/README
|
|
||||||
|
|
||||||
-- Balint Reczey <rbalint@ubuntu.com>, Sat, 12 Aug 2017 18:46:44 -0400
|
|
||||||
Vendored
-19
@@ -1,19 +0,0 @@
|
|||||||
Things that should be done:
|
|
||||||
* Verify the files left in debian/tmp
|
|
||||||
+ e.g. /etc/default/adduser should be installed
|
|
||||||
* Check the build system: rebuilding the package twoce in the same tree
|
|
||||||
doubles the size of the diff.gz file
|
|
||||||
|
|
||||||
Other points (not related to the release of a syncronized shadow):
|
|
||||||
* compare the source with the usages and man pages
|
|
||||||
+ probably add a sentence to chsh/chfn's manpages about authentication
|
|
||||||
required for ordinary users
|
|
||||||
* do something (a tool) for the variables in login.defs
|
|
||||||
In Debian, some tools are not compiled with the PAM support, so upstream
|
|
||||||
getdef.c won't be OK.
|
|
||||||
It should be nice to see in each man page the set of variables used.
|
|
||||||
The Debian package can now compile (export DEB_BUILD_OPTIONS='nostrip debug')
|
|
||||||
with the debugging informations. This may be used to extract the set of
|
|
||||||
variables used in Debian/for each tools.
|
|
||||||
* verify all the patches around (I've found patches for at least RedHat,
|
|
||||||
OWL, LFS, Mandriva, Gentoo; are they already applied?)
|
|
||||||
Vendored
-25
@@ -1,25 +0,0 @@
|
|||||||
This described the usertags used by the team.
|
|
||||||
|
|
||||||
For usertags documentation, see
|
|
||||||
http://lists.debian.org/debian-devel-announce/2005/09/msg00002.html
|
|
||||||
|
|
||||||
All bugs tagged by team members must be tagged with
|
|
||||||
"user pkg-shadow-devel@lists.alioth.debian.org"
|
|
||||||
|
|
||||||
Tags list
|
|
||||||
---------
|
|
||||||
|
|
||||||
toclose: This bug has been announced to be closed in case no more news
|
|
||||||
or information is received from the bug submitter or someone
|
|
||||||
else until the delay specified in the limits_YYYYMMDD tag
|
|
||||||
|
|
||||||
limits-YYYYMMDD: combine it with "toclose". Specifies the date after which
|
|
||||||
bugs can be closed without other action in case no news
|
|
||||||
is received
|
|
||||||
|
|
||||||
manpages-replace A bug reported angainst a manpages-xx package to indicate
|
|
||||||
conflicting man pages. This tag can be used to tune the
|
|
||||||
Replaces fields.
|
|
||||||
|
|
||||||
su-transition: This bug is related to the su transition (#276419)
|
|
||||||
|
|
||||||
Vendored
-3849
File diff suppressed because it is too large
Load Diff
Vendored
-1
@@ -1 +0,0 @@
|
|||||||
10
|
|
||||||
Vendored
-78
@@ -1,78 +0,0 @@
|
|||||||
Source: shadow
|
|
||||||
Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
|
|
||||||
Uploaders: Christian Perrier <bubulle@debian.org>,
|
|
||||||
Balint Reczey <rbalint@ubuntu.com>,
|
|
||||||
Serge Hallyn <serge@hallyn.com>
|
|
||||||
Section: admin
|
|
||||||
Priority: required
|
|
||||||
Build-Depends: dh-autoreconf,
|
|
||||||
gettext,
|
|
||||||
libpam0g-dev,
|
|
||||||
debhelper (>= 10~),
|
|
||||||
quilt,
|
|
||||||
xsltproc,
|
|
||||||
docbook-xsl,
|
|
||||||
docbook-xml,
|
|
||||||
libxml2-utils,
|
|
||||||
cdbs,
|
|
||||||
libselinux1-dev [linux-any],
|
|
||||||
libsemanage1-dev [linux-any],
|
|
||||||
gnome-doc-utils,
|
|
||||||
bison,
|
|
||||||
libaudit-dev [linux-any]
|
|
||||||
Standards-Version: 3.9.5
|
|
||||||
Vcs-Browser: https://anonscm.debian.org/git/pkg-shadow/shadow.git
|
|
||||||
Vcs-Git: https://anonscm.debian.org/git/pkg-shadow/shadow.git
|
|
||||||
Homepage: https://github.com/shadow-maint/shadow
|
|
||||||
|
|
||||||
Package: passwd
|
|
||||||
Architecture: any
|
|
||||||
Multi-Arch: foreign
|
|
||||||
Depends: ${shlibs:Depends},
|
|
||||||
${misc:Depends},
|
|
||||||
libpam-modules
|
|
||||||
Replaces: manpages-tr (<< 1.0.5),
|
|
||||||
manpages-zh (<< 1.5.1-1)
|
|
||||||
Description: change and administer password and group data
|
|
||||||
This package includes passwd, chsh, chfn, and many other programs to
|
|
||||||
maintain password and group data.
|
|
||||||
.
|
|
||||||
Shadow passwords are supported. See /usr/share/doc/passwd/README.Debian
|
|
||||||
|
|
||||||
Package: login
|
|
||||||
Architecture: any
|
|
||||||
Essential: yes
|
|
||||||
Pre-Depends: ${shlibs:Depends},
|
|
||||||
${misc:Depends},
|
|
||||||
libpam-runtime,
|
|
||||||
libpam-modules (>= 1.1.8-1)
|
|
||||||
Breaks: coreutils (<< 8.21~) [hurd-any],
|
|
||||||
passwd (<< 1:4.1.5.1-2~) [hurd-any],
|
|
||||||
hurd (<< 20140206~) [hurd-any],
|
|
||||||
util-linux (<< 2.32-0.2~)
|
|
||||||
Conflicts: gnunet (<< 0.7.0c-2),
|
|
||||||
amavisd-new (<< 2.3.3-8),
|
|
||||||
python-4suite (<< 0.99cvs20060405-1),
|
|
||||||
backupninja (<< 0.9.3-5),
|
|
||||||
echolot (<< 2.1.8-4)
|
|
||||||
Replaces: manpages-de (<< 0.5-3),
|
|
||||||
manpages-tr (<< 1.0.5),
|
|
||||||
manpages-zh (<< 1.5.1-1),
|
|
||||||
passwd (<< 1:4.1.5.1-2~) [hurd-any],
|
|
||||||
coreutils (<< 8.21~) [hurd-any],
|
|
||||||
hurd (<< 20140206~) [hurd-any]
|
|
||||||
Description: system login tools
|
|
||||||
These tools are required to be able to login and use your system. The
|
|
||||||
login program invokes your user shell and enables command execution. The
|
|
||||||
newgrp program is used to change your effective group ID (useful for
|
|
||||||
workgroup type situations). The su program allows changing your effective
|
|
||||||
user ID (useful being able to execute commands as another user).
|
|
||||||
|
|
||||||
Package: uidmap
|
|
||||||
Architecture: any
|
|
||||||
Priority: optional
|
|
||||||
Depends: ${shlibs:Depends},
|
|
||||||
${misc:Depends}
|
|
||||||
Description: programs to help use subuids
|
|
||||||
These programs help unprivileged users to create uid and gid mappings in
|
|
||||||
user namespaces.
|
|
||||||
Vendored
-103
@@ -1,103 +0,0 @@
|
|||||||
This is Debian GNU/Linux's prepackaged version of the shadow utilities.
|
|
||||||
|
|
||||||
It was downloaded from: <ftp://ftp.pld.org.pl/software/shadow/>.
|
|
||||||
As of May 2007, this site is no longer available.
|
|
||||||
|
|
||||||
Copyright:
|
|
||||||
|
|
||||||
Parts of this software are copyright 1988 - 1994, Julianne Frances Haugh.
|
|
||||||
All rights reserved.
|
|
||||||
|
|
||||||
Parts of this software are copyright 1997 - 2001, Marek Michałkiewicz.
|
|
||||||
All rights reserved.
|
|
||||||
|
|
||||||
Parts of this software are copyright 2001 - 2004, Andrzej Krzysztofowicz
|
|
||||||
All rights reserved.
|
|
||||||
|
|
||||||
Parts of this software are copyright 2000 - 2007, Tomasz Kłoczko.
|
|
||||||
All rights reserved.
|
|
||||||
|
|
||||||
Redistribution and use in source and binary forms, with or without
|
|
||||||
modification, are permitted provided that the following conditions
|
|
||||||
are met:
|
|
||||||
1. Redistributions of source code must retain the above copyright
|
|
||||||
notice, this list of conditions and the following disclaimer.
|
|
||||||
2. Redistributions in binary form must reproduce the above copyright
|
|
||||||
notice, this list of conditions and the following disclaimer in the
|
|
||||||
documentation and/or other materials provided with the distribution.
|
|
||||||
3. Neither the name of Julianne F. Haugh nor the names of its contributors
|
|
||||||
may be used to endorse or promote products derived from this software
|
|
||||||
without specific prior written permission.
|
|
||||||
|
|
||||||
THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
|
|
||||||
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
||||||
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
||||||
ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
|
|
||||||
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
||||||
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
||||||
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
||||||
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
||||||
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
||||||
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
||||||
SUCH DAMAGE.
|
|
||||||
|
|
||||||
This source code is currently archived on ftp.uu.net in the
|
|
||||||
comp.sources.misc portion of the USENET archives. You may also contact
|
|
||||||
the author, Julianne F. Haugh, at jockgrrl@ix.netcom.com if you have
|
|
||||||
any questions regarding this package.
|
|
||||||
|
|
||||||
THIS SOFTWARE IS BEING DISTRIBUTED AS-IS. THE AUTHORS DISCLAIM ALL
|
|
||||||
LIABILITY FOR ANY CONSEQUENCES OF USE. THE USER IS SOLELY RESPONSIBLE
|
|
||||||
FOR THE MAINTENANCE OF THIS SOFTWARE PACKAGE. THE AUTHORS ARE UNDER NO
|
|
||||||
OBLIGATION TO PROVIDE MODIFICATIONS OR IMPROVEMENTS. THE USER IS
|
|
||||||
ENCOURAGED TO TAKE ANY AND ALL STEPS NEEDED TO PROTECT AGAINST ACCIDENTAL
|
|
||||||
LOSS OF INFORMATION OR MACHINE RESOURCES.
|
|
||||||
|
|
||||||
Special thanks are due to Chip Rosenthal for his fine testing efforts;
|
|
||||||
to Steve Simmons for his work in porting this code to BSD; and to Bill
|
|
||||||
Kennedy for his contributions of LaserJet printer time and energies.
|
|
||||||
Also, thanks for Dennis L. Mumaugh for the initial shadow password
|
|
||||||
information and to Tony Walton (olapw@olgb1.oliv.co.uk) for the System
|
|
||||||
V Release 4 changes. Effort in porting to SunOS has been contributed
|
|
||||||
by Dr. Michael Newberry (miken@cs.adfa.oz.au) and Micheal J. Miller, Jr.
|
|
||||||
(mke@kaberd.rain.com). Effort in porting to AT&T UNIX System V Release
|
|
||||||
4 has been provided by Andrew Herbert (andrew@werple.pub.uu.oz.au).
|
|
||||||
Special thanks to Marek Michalkiewicz (marekm@i17linuxb.ists.pwr.wroc.pl)
|
|
||||||
for taking over the Linux port of this software.
|
|
||||||
|
|
||||||
Source files: login_access.c, login_desrpc.c, login_krb.c are derived
|
|
||||||
from the logdaemon-5.0 package, which is under the following license:
|
|
||||||
|
|
||||||
/************************************************************************
|
|
||||||
* Copyright 1995 by Wietse Venema. All rights reserved. Individual files
|
|
||||||
* may be covered by other copyrights (as noted in the file itself.)
|
|
||||||
*
|
|
||||||
* This material was originally written and compiled by Wietse Venema at
|
|
||||||
* Eindhoven University of Technology, The Netherlands, in 1990, 1991,
|
|
||||||
* 1992, 1993, 1994 and 1995.
|
|
||||||
*
|
|
||||||
* Redistribution and use in source and binary forms are permitted
|
|
||||||
* provided that this entire copyright notice is duplicated in all such
|
|
||||||
* copies.
|
|
||||||
*
|
|
||||||
* This software is provided "as is" and without any expressed or implied
|
|
||||||
* warranties, including, without limitation, the implied warranties of
|
|
||||||
* merchantibility and fitness for any particular purpose.
|
|
||||||
************************************************************************/
|
|
||||||
|
|
||||||
Some parts substantially in src/su.c derived from an ancestor of
|
|
||||||
su for GNU. Run a shell with substitute user and group IDs.
|
|
||||||
Copyright (C) 1992-2003 Free Software Foundation, Inc.
|
|
||||||
|
|
||||||
This program is free software; you can redistribute it and/or modify
|
|
||||||
it under the terms of the GNU General Public License as published by
|
|
||||||
the Free Software Foundation; either version 2, or (at your option)
|
|
||||||
any later version.
|
|
||||||
|
|
||||||
This program is distributed in the hope that it will be useful,
|
|
||||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
GNU General Public License for more details.
|
|
||||||
|
|
||||||
On Debian GNU/Linux systems, the complete text of the GNU General Public
|
|
||||||
License can be found in '/usr/share/common-licenses/GPL-2'
|
|
||||||
Vendored
-1
@@ -1 +0,0 @@
|
|||||||
.so man8/cppw.8
|
|
||||||
Vendored
-27
@@ -1,27 +0,0 @@
|
|||||||
.TH CPPW 8 "7 Apr 2005"
|
|
||||||
.SH NAME
|
|
||||||
cppw, cpgr \- copy with locking the given file to the password or group file
|
|
||||||
.SH SYNOPSIS
|
|
||||||
\fBcppw\fR [\fB\-h\fR] [\fB\-s\fR] password_file
|
|
||||||
.br
|
|
||||||
\fBcpgr\fR [\fB\-h\fR] [\fB\-s\fR] group_file
|
|
||||||
|
|
||||||
.SH DESCRIPTION
|
|
||||||
.BR cppw " and " cpgr
|
|
||||||
will copy, with locking, the given file to
|
|
||||||
.IR /etc/passwd " and " /etc/group ", respectively."
|
|
||||||
With the \fB\-s\fR flag, they will copy the shadow versions of those files,
|
|
||||||
.IR /etc/shadow " and " /etc/gshadow ", respectively."
|
|
||||||
|
|
||||||
With the \fB\-h\fR flag, the commands display a short help message and exit
|
|
||||||
silently.
|
|
||||||
.SH "SEE ALSO"
|
|
||||||
.BR vipw (8),
|
|
||||||
.BR vigr (8),
|
|
||||||
.BR group (5),
|
|
||||||
.BR passwd (5),
|
|
||||||
.BR shadow (5),
|
|
||||||
.BR gshadow (5)
|
|
||||||
.SH AUTHOR
|
|
||||||
\fBcppw\fR and \fBcpgr\fR were written by Stephen Frost, based on
|
|
||||||
\fBvipw\fR and \fBvigr\fR written by Guy Maor.
|
|
||||||
Vendored
-94
@@ -1,94 +0,0 @@
|
|||||||
Build-Depends:
|
|
||||||
==============
|
|
||||||
* autoconf
|
|
||||||
* automake1.9
|
|
||||||
works with 1.7 or 1.9 (at least)
|
|
||||||
* libtool
|
|
||||||
* gettext
|
|
||||||
POT, PO, GMO regenerated?
|
|
||||||
* libpam0g-dev
|
|
||||||
OK
|
|
||||||
* debhelper (>= 4.1.16)
|
|
||||||
* po-debconf
|
|
||||||
OK
|
|
||||||
* quilt
|
|
||||||
patch system
|
|
||||||
* dpkg-dev (>= 1.13.5)
|
|
||||||
* xsltproc
|
|
||||||
used to generate the manpages
|
|
||||||
* docbook-xsl
|
|
||||||
needed for /usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl
|
|
||||||
* docbook-xml
|
|
||||||
manpages/docbook.xsl includes html/docbook.xsl
|
|
||||||
(But it is not strictly needed. The generated manpages are identical.
|
|
||||||
Without it, a warning is generated.)
|
|
||||||
Needed by JH_CHECK_XML_CATALOG([-//OASIS//DTD DocBook XML V4.1.2//EN], [DocBook XML DTD V4.1.2], [], enable_man=no)
|
|
||||||
* libxml2-utils
|
|
||||||
needed by the JH_CHECK_XML_CATALOG macros
|
|
||||||
* cdbs
|
|
||||||
used in debian/rules
|
|
||||||
* libselinux1-dev [!hurd-i386 !kfreebsd-i386 !kfreebsd-amd64]
|
|
||||||
* gnome-doc-utils (>= 0.4.3-1)
|
|
||||||
xml2po, 0.4.3-1 needed for the -l switch.
|
|
||||||
|
|
||||||
passwd Depends:
|
|
||||||
===============
|
|
||||||
* ${shlibs:Depends}
|
|
||||||
OK
|
|
||||||
* ${loginpam}
|
|
||||||
- hurd
|
|
||||||
login
|
|
||||||
libpam-modules (>= 0.72-5)
|
|
||||||
- other archs
|
|
||||||
+ login (>= 970502-1)
|
|
||||||
login is needed because some passwd utils need /etc/login.defs
|
|
||||||
login is Essential, so this is just to enforce the version
|
|
||||||
+ libpam-modules (>= 0.72-5)
|
|
||||||
* debianutils (>= 2.15.2)
|
|
||||||
After 1:4.0.12-6, {add,remove}-shell are distributed in debianutils (2.15)
|
|
||||||
/etc/shell was forgotten and introduced in debianutils in 2.15.2
|
|
||||||
|
|
||||||
passwd Conflicts:
|
|
||||||
=================
|
|
||||||
|
|
||||||
passwd Replaces:
|
|
||||||
================
|
|
||||||
Some of the passwd man pages are also distributed in some manpages* packages.
|
|
||||||
Look at the debian/02/run test to optimize these dependencies.
|
|
||||||
NOTE: Not all maintainers have been notified.
|
|
||||||
* manpages-de (<< 0.4-9), manpages-fi (<< 0.2-4), manpages-fr (<<1.64.0-1), manpages-hu (<< 20010119-5), manpages-it (<< 0.3.4-3), manpages-ja (<< 0.5.0.0.20050915-1), manpages-ko (<< 20050219-2), manpages-es (<< 1.55-4), manpages-es-extra (<< 0.8a-15), manpages-ru (<< 0.98-3)
|
|
||||||
All those packages have been updated during sarge->etch. So these Replaces
|
|
||||||
should be removed after lenny release
|
|
||||||
* manpages-tr, manpages-zh
|
|
||||||
Those packages are still in etch, so the Replaces should be kept even
|
|
||||||
after lenny release
|
|
||||||
|
|
||||||
login Pre-Depends:
|
|
||||||
==================
|
|
||||||
* ${shlibs:Depends}
|
|
||||||
* libpam-runtime (>= 0.76-14)
|
|
||||||
sarge contained 0.76-22
|
|
||||||
|
|
||||||
Why Pre-Depends? (because it's an essential package?)
|
|
||||||
|
|
||||||
login Depends:
|
|
||||||
==============
|
|
||||||
* libpam-modules (>= 0.72-5)
|
|
||||||
libpam-modules is needed.
|
|
||||||
potato contained 0.72-9
|
|
||||||
|
|
||||||
login Conflicts:
|
|
||||||
================
|
|
||||||
|
|
||||||
login Replaces:
|
|
||||||
===============
|
|
||||||
* Some of the login man pages are also distributed in some manpages* packages.
|
|
||||||
Look at the debian/02/run test to optimize these dependencies.
|
|
||||||
NOTE: Not all maintainers have been notified.
|
|
||||||
- manpages-fi, manpages-fr (<<1.64.0-1), manpages-hu, manpages-it, manpages-ko, manpages-ja (<< 0.5.0.0.20050915-1), manpages-de (<< 0.4-10), manpages-es-extra (<<0.8a-15)
|
|
||||||
Those are packages that have been updated during sarge->etch. These
|
|
||||||
Replaces should be removed after lenny
|
|
||||||
- manpages-tr, manpages-zh
|
|
||||||
Those packages are still in etch, so the Replaces should be kept even
|
|
||||||
after lenny release
|
|
||||||
|
|
||||||
Vendored
-340
@@ -1,340 +0,0 @@
|
|||||||
#
|
|
||||||
# /etc/login.defs - Configuration control definitions for the login package.
|
|
||||||
#
|
|
||||||
# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH.
|
|
||||||
# If unspecified, some arbitrary (and possibly incorrect) value will
|
|
||||||
# be assumed. All other items are optional - if not specified then
|
|
||||||
# the described action or option will be inhibited.
|
|
||||||
#
|
|
||||||
# Comment lines (lines beginning with "#") and blank lines are ignored.
|
|
||||||
#
|
|
||||||
# Modified for Linux. --marekm
|
|
||||||
|
|
||||||
# REQUIRED for useradd/userdel/usermod
|
|
||||||
# Directory where mailboxes reside, _or_ name of file, relative to the
|
|
||||||
# home directory. If you _do_ define MAIL_DIR and MAIL_FILE,
|
|
||||||
# MAIL_DIR takes precedence.
|
|
||||||
#
|
|
||||||
# Essentially:
|
|
||||||
# - MAIL_DIR defines the location of users mail spool files
|
|
||||||
# (for mbox use) by appending the username to MAIL_DIR as defined
|
|
||||||
# below.
|
|
||||||
# - MAIL_FILE defines the location of the users mail spool files as the
|
|
||||||
# fully-qualified filename obtained by prepending the user home
|
|
||||||
# directory before $MAIL_FILE
|
|
||||||
#
|
|
||||||
# NOTE: This is no more used for setting up users MAIL environment variable
|
|
||||||
# which is, starting from shadow 4.0.12-1 in Debian, entirely the
|
|
||||||
# job of the pam_mail PAM modules
|
|
||||||
# See default PAM configuration files provided for
|
|
||||||
# login, su, etc.
|
|
||||||
#
|
|
||||||
# This is a temporary situation: setting these variables will soon
|
|
||||||
# move to /etc/default/useradd and the variables will then be
|
|
||||||
# no more supported
|
|
||||||
MAIL_DIR /var/mail
|
|
||||||
#MAIL_FILE .mail
|
|
||||||
|
|
||||||
#
|
|
||||||
# Enable logging and display of /var/log/faillog login failure info.
|
|
||||||
# This option conflicts with the pam_tally PAM module.
|
|
||||||
#
|
|
||||||
FAILLOG_ENAB yes
|
|
||||||
|
|
||||||
#
|
|
||||||
# Enable display of unknown usernames when login failures are recorded.
|
|
||||||
#
|
|
||||||
# WARNING: Unknown usernames may become world readable.
|
|
||||||
# See #290803 and #298773 for details about how this could become a security
|
|
||||||
# concern
|
|
||||||
LOG_UNKFAIL_ENAB no
|
|
||||||
|
|
||||||
#
|
|
||||||
# Enable logging of successful logins
|
|
||||||
#
|
|
||||||
LOG_OK_LOGINS no
|
|
||||||
|
|
||||||
#
|
|
||||||
# Enable "syslog" logging of su activity - in addition to sulog file logging.
|
|
||||||
# SYSLOG_SG_ENAB does the same for newgrp and sg.
|
|
||||||
#
|
|
||||||
SYSLOG_SU_ENAB yes
|
|
||||||
SYSLOG_SG_ENAB yes
|
|
||||||
|
|
||||||
#
|
|
||||||
# If defined, all su activity is logged to this file.
|
|
||||||
#
|
|
||||||
#SULOG_FILE /var/log/sulog
|
|
||||||
|
|
||||||
#
|
|
||||||
# If defined, file which maps tty line to TERM environment parameter.
|
|
||||||
# Each line of the file is in a format something like "vt100 tty01".
|
|
||||||
#
|
|
||||||
#TTYTYPE_FILE /etc/ttytype
|
|
||||||
|
|
||||||
#
|
|
||||||
# If defined, login failures will be logged here in a utmp format
|
|
||||||
# last, when invoked as lastb, will read /var/log/btmp, so...
|
|
||||||
#
|
|
||||||
FTMP_FILE /var/log/btmp
|
|
||||||
|
|
||||||
#
|
|
||||||
# If defined, the command name to display when running "su -". For
|
|
||||||
# example, if this is defined as "su" then a "ps" will display the
|
|
||||||
# command is "-su". If not defined, then "ps" would display the
|
|
||||||
# name of the shell actually being run, e.g. something like "-sh".
|
|
||||||
#
|
|
||||||
SU_NAME su
|
|
||||||
|
|
||||||
#
|
|
||||||
# If defined, file which inhibits all the usual chatter during the login
|
|
||||||
# sequence. If a full pathname, then hushed mode will be enabled if the
|
|
||||||
# user's name or shell are found in the file. If not a full pathname, then
|
|
||||||
# hushed mode will be enabled if the file exists in the user's home directory.
|
|
||||||
#
|
|
||||||
HUSHLOGIN_FILE .hushlogin
|
|
||||||
#HUSHLOGIN_FILE /etc/hushlogins
|
|
||||||
|
|
||||||
#
|
|
||||||
# *REQUIRED* The default PATH settings, for superuser and normal users.
|
|
||||||
#
|
|
||||||
# (they are minimal, add the rest in the shell startup files)
|
|
||||||
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
|
||||||
ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
|
|
||||||
|
|
||||||
#
|
|
||||||
# Terminal permissions
|
|
||||||
#
|
|
||||||
# TTYGROUP Login tty will be assigned this group ownership.
|
|
||||||
# TTYPERM Login tty will be set to this permission.
|
|
||||||
#
|
|
||||||
# If you have a "write" program which is "setgid" to a special group
|
|
||||||
# which owns the terminals, define TTYGROUP to the group number and
|
|
||||||
# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
|
|
||||||
# TTYPERM to either 622 or 600.
|
|
||||||
#
|
|
||||||
# In Debian /usr/bin/bsd-write or similar programs are setgid tty
|
|
||||||
# However, the default and recommended value for TTYPERM is still 0600
|
|
||||||
# to not allow anyone to write to anyone else console or terminal
|
|
||||||
|
|
||||||
# Users can still allow other people to write them by issuing
|
|
||||||
# the "mesg y" command.
|
|
||||||
|
|
||||||
TTYGROUP tty
|
|
||||||
TTYPERM 0600
|
|
||||||
|
|
||||||
#
|
|
||||||
# Login configuration initializations:
|
|
||||||
#
|
|
||||||
# ERASECHAR Terminal ERASE character ('\010' = backspace).
|
|
||||||
# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
|
|
||||||
# UMASK Default "umask" value.
|
|
||||||
#
|
|
||||||
# The ERASECHAR and KILLCHAR are used only on System V machines.
|
|
||||||
#
|
|
||||||
# UMASK is the default umask value for pam_umask and is used by
|
|
||||||
# useradd and newusers to set the mode of the new home directories.
|
|
||||||
# 022 is the "historical" value in Debian for UMASK
|
|
||||||
# 027, or even 077, could be considered better for privacy
|
|
||||||
# There is no One True Answer here : each sysadmin must make up his/her
|
|
||||||
# mind.
|
|
||||||
#
|
|
||||||
# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
|
|
||||||
# for private user groups, i. e. the uid is the same as gid, and username is
|
|
||||||
# the same as the primary group name: for these, the user permissions will be
|
|
||||||
# used as group permissions, e. g. 022 will become 002.
|
|
||||||
#
|
|
||||||
# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
|
|
||||||
#
|
|
||||||
ERASECHAR 0177
|
|
||||||
KILLCHAR 025
|
|
||||||
UMASK 022
|
|
||||||
|
|
||||||
#
|
|
||||||
# Password aging controls:
|
|
||||||
#
|
|
||||||
# PASS_MAX_DAYS Maximum number of days a password may be used.
|
|
||||||
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
|
|
||||||
# PASS_WARN_AGE Number of days warning given before a password expires.
|
|
||||||
#
|
|
||||||
PASS_MAX_DAYS 99999
|
|
||||||
PASS_MIN_DAYS 0
|
|
||||||
PASS_WARN_AGE 7
|
|
||||||
|
|
||||||
#
|
|
||||||
# Min/max values for automatic uid selection in useradd
|
|
||||||
#
|
|
||||||
UID_MIN 1000
|
|
||||||
UID_MAX 60000
|
|
||||||
# System accounts
|
|
||||||
#SYS_UID_MIN 100
|
|
||||||
#SYS_UID_MAX 999
|
|
||||||
|
|
||||||
#
|
|
||||||
# Min/max values for automatic gid selection in groupadd
|
|
||||||
#
|
|
||||||
GID_MIN 1000
|
|
||||||
GID_MAX 60000
|
|
||||||
# System accounts
|
|
||||||
#SYS_GID_MIN 100
|
|
||||||
#SYS_GID_MAX 999
|
|
||||||
|
|
||||||
#
|
|
||||||
# Max number of login retries if password is bad. This will most likely be
|
|
||||||
# overriden by PAM, since the default pam_unix module has it's own built
|
|
||||||
# in of 3 retries. However, this is a safe fallback in case you are using
|
|
||||||
# an authentication module that does not enforce PAM_MAXTRIES.
|
|
||||||
#
|
|
||||||
LOGIN_RETRIES 5
|
|
||||||
|
|
||||||
#
|
|
||||||
# Max time in seconds for login
|
|
||||||
#
|
|
||||||
LOGIN_TIMEOUT 60
|
|
||||||
|
|
||||||
#
|
|
||||||
# Which fields may be changed by regular users using chfn - use
|
|
||||||
# any combination of letters "frwh" (full name, room number, work
|
|
||||||
# phone, home phone). If not defined, no changes are allowed.
|
|
||||||
# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
|
|
||||||
#
|
|
||||||
CHFN_RESTRICT rwh
|
|
||||||
|
|
||||||
#
|
|
||||||
# Should login be allowed if we can't cd to the home directory?
|
|
||||||
# Default in no.
|
|
||||||
#
|
|
||||||
DEFAULT_HOME yes
|
|
||||||
|
|
||||||
#
|
|
||||||
# If defined, this command is run when removing a user.
|
|
||||||
# It should remove any at/cron/print jobs etc. owned by
|
|
||||||
# the user to be removed (passed as the first argument).
|
|
||||||
#
|
|
||||||
#USERDEL_CMD /usr/sbin/userdel_local
|
|
||||||
|
|
||||||
#
|
|
||||||
# If set to yes, userdel will remove the user's group if it contains no
|
|
||||||
# more members, and useradd will create by default a group with the name
|
|
||||||
# of the user.
|
|
||||||
#
|
|
||||||
# Other former uses of this variable such as setting the umask when
|
|
||||||
# user==primary group are not used in PAM environments, such as Debian
|
|
||||||
#
|
|
||||||
USERGROUPS_ENAB yes
|
|
||||||
|
|
||||||
#
|
|
||||||
# Instead of the real user shell, the program specified by this parameter
|
|
||||||
# will be launched, although its visible name (argv[0]) will be the shell's.
|
|
||||||
# The program may do whatever it wants (logging, additional authentification,
|
|
||||||
# banner, ...) before running the actual shell.
|
|
||||||
#
|
|
||||||
# FAKE_SHELL /bin/fakeshell
|
|
||||||
|
|
||||||
#
|
|
||||||
# If defined, either full pathname of a file containing device names or
|
|
||||||
# a ":" delimited list of device names. Root logins will be allowed only
|
|
||||||
# upon these devices.
|
|
||||||
#
|
|
||||||
# This variable is used by login and su.
|
|
||||||
#
|
|
||||||
#CONSOLE /etc/consoles
|
|
||||||
#CONSOLE console:tty01:tty02:tty03:tty04
|
|
||||||
|
|
||||||
#
|
|
||||||
# List of groups to add to the user's supplementary group set
|
|
||||||
# when logging in on the console (as determined by the CONSOLE
|
|
||||||
# setting). Default is none.
|
|
||||||
#
|
|
||||||
# Use with caution - it is possible for users to gain permanent
|
|
||||||
# access to these groups, even when not logged in on the console.
|
|
||||||
# How to do it is left as an exercise for the reader...
|
|
||||||
#
|
|
||||||
# This variable is used by login and su.
|
|
||||||
#
|
|
||||||
#CONSOLE_GROUPS floppy:audio:cdrom
|
|
||||||
|
|
||||||
#
|
|
||||||
# If set to "yes", new passwords will be encrypted using the MD5-based
|
|
||||||
# algorithm compatible with the one used by recent releases of FreeBSD.
|
|
||||||
# It supports passwords of unlimited length and longer salt strings.
|
|
||||||
# Set to "no" if you need to copy encrypted passwords to other systems
|
|
||||||
# which don't understand the new algorithm. Default is "no".
|
|
||||||
#
|
|
||||||
# This variable is deprecated. You should use ENCRYPT_METHOD.
|
|
||||||
#
|
|
||||||
#MD5_CRYPT_ENAB no
|
|
||||||
|
|
||||||
#
|
|
||||||
# If set to MD5 , MD5-based algorithm will be used for encrypting password
|
|
||||||
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
|
|
||||||
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
|
|
||||||
# If set to DES, DES-based algorithm will be used for encrypting password (default)
|
|
||||||
# Overrides the MD5_CRYPT_ENAB option
|
|
||||||
#
|
|
||||||
# Note: It is recommended to use a value consistent with
|
|
||||||
# the PAM modules configuration.
|
|
||||||
#
|
|
||||||
ENCRYPT_METHOD SHA512
|
|
||||||
|
|
||||||
#
|
|
||||||
# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512.
|
|
||||||
#
|
|
||||||
# Define the number of SHA rounds.
|
|
||||||
# With a lot of rounds, it is more difficult to brute forcing the password.
|
|
||||||
# But note also that it more CPU resources will be needed to authenticate
|
|
||||||
# users.
|
|
||||||
#
|
|
||||||
# If not specified, the libc will choose the default number of rounds (5000).
|
|
||||||
# The values must be inside the 1000-999999999 range.
|
|
||||||
# If only one of the MIN or MAX values is set, then this value will be used.
|
|
||||||
# If MIN > MAX, the highest value will be used.
|
|
||||||
#
|
|
||||||
# SHA_CRYPT_MIN_ROUNDS 5000
|
|
||||||
# SHA_CRYPT_MAX_ROUNDS 5000
|
|
||||||
|
|
||||||
################# OBSOLETED BY PAM ##############
|
|
||||||
# #
|
|
||||||
# These options are now handled by PAM. Please #
|
|
||||||
# edit the appropriate file in /etc/pam.d/ to #
|
|
||||||
# enable the equivelants of them.
|
|
||||||
#
|
|
||||||
###############
|
|
||||||
|
|
||||||
#MOTD_FILE
|
|
||||||
#DIALUPS_CHECK_ENAB
|
|
||||||
#LASTLOG_ENAB
|
|
||||||
#MAIL_CHECK_ENAB
|
|
||||||
#OBSCURE_CHECKS_ENAB
|
|
||||||
#PORTTIME_CHECKS_ENAB
|
|
||||||
#SU_WHEEL_ONLY
|
|
||||||
#CRACKLIB_DICTPATH
|
|
||||||
#PASS_CHANGE_TRIES
|
|
||||||
#PASS_ALWAYS_WARN
|
|
||||||
#ENVIRON_FILE
|
|
||||||
#NOLOGINS_FILE
|
|
||||||
#ISSUE_FILE
|
|
||||||
#PASS_MIN_LEN
|
|
||||||
#PASS_MAX_LEN
|
|
||||||
#ULIMIT
|
|
||||||
#ENV_HZ
|
|
||||||
#CHFN_AUTH
|
|
||||||
#CHSH_AUTH
|
|
||||||
#FAIL_DELAY
|
|
||||||
|
|
||||||
################# OBSOLETED #######################
|
|
||||||
# #
|
|
||||||
# These options are no more handled by shadow. #
|
|
||||||
# #
|
|
||||||
# Shadow utilities will display a warning if they #
|
|
||||||
# still appear. #
|
|
||||||
# #
|
|
||||||
###################################################
|
|
||||||
|
|
||||||
# CLOSE_SESSIONS
|
|
||||||
# LOGIN_STRING
|
|
||||||
# NO_PASSWORD_CONSOLE
|
|
||||||
# QMAIL_DIR
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Vendored
-1
@@ -1 +0,0 @@
|
|||||||
usr/share/lintian/overrides
|
|
||||||
Vendored
-22
@@ -1,22 +0,0 @@
|
|||||||
usr/share/locale/*/LC_MESSAGES/shadow.mo
|
|
||||||
usr/share/man/*/man1/login.1
|
|
||||||
usr/share/man/*/man1/newgrp.1
|
|
||||||
usr/share/man/*/man1/sg.1
|
|
||||||
usr/share/man/*/man5/faillog.5
|
|
||||||
usr/share/man/*/man5/login.defs.5
|
|
||||||
usr/share/man/*/man8/faillog.8
|
|
||||||
usr/share/man/*/man8/lastlog.8
|
|
||||||
usr/share/man/*/man8/nologin.8
|
|
||||||
usr/share/man/man1/login.1
|
|
||||||
usr/share/man/man1/newgrp.1
|
|
||||||
usr/share/man/man1/sg.1
|
|
||||||
usr/share/man/man5/faillog.5
|
|
||||||
usr/share/man/man5/login.defs.5
|
|
||||||
usr/share/man/man8/faillog.8
|
|
||||||
usr/share/man/man8/lastlog.8
|
|
||||||
usr/share/man/man8/nologin.8
|
|
||||||
usr/sbin/nologin
|
|
||||||
usr/bin/faillog
|
|
||||||
usr/bin/lastlog
|
|
||||||
usr/bin/newgrp
|
|
||||||
bin/login
|
|
||||||
Vendored
-1
@@ -1 +0,0 @@
|
|||||||
usr/bin/newgrp usr/bin/sg
|
|
||||||
Vendored
-3
@@ -1,3 +0,0 @@
|
|||||||
login: setuid-binary usr/bin/newgrp 4755 root/root
|
|
||||||
login: setuid-binary bin/su 4755 root/root
|
|
||||||
login: possible-missing-colon-in-closes l667:closes bug 336321
|
|
||||||
Vendored
-116
@@ -1,116 +0,0 @@
|
|||||||
#
|
|
||||||
# The PAM configuration file for the Shadow `login' service
|
|
||||||
#
|
|
||||||
|
|
||||||
# Enforce a minimal delay in case of failure (in microseconds).
|
|
||||||
# (Replaces the `FAIL_DELAY' setting from login.defs)
|
|
||||||
# Note that other modules may require another minimal delay. (for example,
|
|
||||||
# to disable any delay, you should add the nodelay option to pam_unix)
|
|
||||||
auth optional pam_faildelay.so delay=3000000
|
|
||||||
|
|
||||||
# Outputs an issue file prior to each login prompt (Replaces the
|
|
||||||
# ISSUE_FILE option from login.defs). Uncomment for use
|
|
||||||
# auth required pam_issue.so issue=/etc/issue
|
|
||||||
|
|
||||||
# Disallows root logins except on tty's listed in /etc/securetty
|
|
||||||
# (Replaces the `CONSOLE' setting from login.defs)
|
|
||||||
#
|
|
||||||
# With the default control of this module:
|
|
||||||
# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
|
|
||||||
# root will not be prompted for a password on insecure lines.
|
|
||||||
# if an invalid username is entered, a password is prompted (but login
|
|
||||||
# will eventually be rejected)
|
|
||||||
#
|
|
||||||
# You can change it to a "requisite" module if you think root may mis-type
|
|
||||||
# her login and should not be prompted for a password in that case. But
|
|
||||||
# this will leave the system as vulnerable to user enumeration attacks.
|
|
||||||
#
|
|
||||||
# You can change it to a "required" module if you think it permits to
|
|
||||||
# guess valid user names of your system (invalid user names are considered
|
|
||||||
# as possibly being root on insecure lines), but root passwords may be
|
|
||||||
# communicated over insecure lines.
|
|
||||||
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
|
|
||||||
|
|
||||||
# Disallows other than root logins when /etc/nologin exists
|
|
||||||
# (Replaces the `NOLOGINS_FILE' option from login.defs)
|
|
||||||
auth requisite pam_nologin.so
|
|
||||||
|
|
||||||
# SELinux needs to be the first session rule. This ensures that any
|
|
||||||
# lingering context has been cleared. Without this it is possible
|
|
||||||
# that a module could execute code in the wrong domain.
|
|
||||||
# When the module is present, "required" would be sufficient (When SELinux
|
|
||||||
# is disabled, this returns success.)
|
|
||||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
|
||||||
|
|
||||||
# Sets the loginuid process attribute
|
|
||||||
session required pam_loginuid.so
|
|
||||||
|
|
||||||
# SELinux needs to intervene at login time to ensure that the process
|
|
||||||
# starts in the proper default security context. Only sessions which are
|
|
||||||
# intended to run in the user's context should be run after this.
|
|
||||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
|
||||||
# When the module is present, "required" would be sufficient (When SELinux
|
|
||||||
# is disabled, this returns success.)
|
|
||||||
|
|
||||||
# This module parses environment configuration file(s)
|
|
||||||
# and also allows you to use an extended config
|
|
||||||
# file /etc/security/pam_env.conf.
|
|
||||||
#
|
|
||||||
# parsing /etc/environment needs "readenv=1"
|
|
||||||
session required pam_env.so readenv=1
|
|
||||||
# locale variables are also kept into /etc/default/locale in etch
|
|
||||||
# reading this file *in addition to /etc/environment* does not hurt
|
|
||||||
session required pam_env.so readenv=1 envfile=/etc/default/locale
|
|
||||||
|
|
||||||
# Standard Un*x authentication.
|
|
||||||
@include common-auth
|
|
||||||
|
|
||||||
# This allows certain extra groups to be granted to a user
|
|
||||||
# based on things like time of day, tty, service, and user.
|
|
||||||
# Please edit /etc/security/group.conf to fit your needs
|
|
||||||
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
|
|
||||||
auth optional pam_group.so
|
|
||||||
|
|
||||||
# Uncomment and edit /etc/security/time.conf if you need to set
|
|
||||||
# time restraint on logins.
|
|
||||||
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
|
|
||||||
# as well as /etc/porttime)
|
|
||||||
# account requisite pam_time.so
|
|
||||||
|
|
||||||
# Uncomment and edit /etc/security/access.conf if you need to
|
|
||||||
# set access limits.
|
|
||||||
# (Replaces /etc/login.access file)
|
|
||||||
# account required pam_access.so
|
|
||||||
|
|
||||||
# Sets up user limits according to /etc/security/limits.conf
|
|
||||||
# (Replaces the use of /etc/limits in old login)
|
|
||||||
session required pam_limits.so
|
|
||||||
|
|
||||||
# Prints the last login info upon successful login
|
|
||||||
# (Replaces the `LASTLOG_ENAB' option from login.defs)
|
|
||||||
session optional pam_lastlog.so
|
|
||||||
|
|
||||||
# Prints the message of the day upon successful login.
|
|
||||||
# (Replaces the `MOTD_FILE' option in login.defs)
|
|
||||||
# This includes a dynamically generated part from /run/motd.dynamic
|
|
||||||
# and a static (admin-editable) part from /etc/motd.
|
|
||||||
session optional pam_motd.so motd=/run/motd.dynamic
|
|
||||||
session optional pam_motd.so noupdate
|
|
||||||
|
|
||||||
# Prints the status of the user's mailbox upon successful login
|
|
||||||
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
|
|
||||||
#
|
|
||||||
# This also defines the MAIL environment variable
|
|
||||||
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
|
|
||||||
# in /etc/login.defs to make sure that removing a user
|
|
||||||
# also removes the user's mail spool file.
|
|
||||||
# See comments in /etc/login.defs
|
|
||||||
session optional pam_mail.so standard
|
|
||||||
|
|
||||||
# Create a new session keyring.
|
|
||||||
session optional pam_keyinit.so force revoke
|
|
||||||
|
|
||||||
# Standard Un*x account and session
|
|
||||||
@include common-account
|
|
||||||
@include common-session
|
|
||||||
@include common-password
|
|
||||||
Vendored
-56
@@ -1,56 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
|
|
||||||
set -e
|
|
||||||
|
|
||||||
if test "$1" = configure
|
|
||||||
then
|
|
||||||
if test -f /etc/init.d/logoutd
|
|
||||||
then
|
|
||||||
if test "$(md5sum /etc/init.d/logoutd)" = "9080f92783dd53f6f2108e698c06bd53 /etc/init.d/logoutd"
|
|
||||||
then
|
|
||||||
echo "removing logoutd cruft"
|
|
||||||
rm /etc/init.d/logoutd
|
|
||||||
update-rc.d logoutd remove
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
rm -f /etc/pam.d/login.pre-upgrade 2>/dev/null
|
|
||||||
|
|
||||||
if [ "$1" = "configure" ]; then
|
|
||||||
# Install faillog during initial installs only
|
|
||||||
if [ "$2" = "" ] && [ ! -f /var/log/faillog ] ; then
|
|
||||||
touch /var/log/faillog
|
|
||||||
chown root:root /var/log/faillog
|
|
||||||
chmod 644 /var/log/faillog
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Create subuid/subgid if missing
|
|
||||||
if [ ! -e /etc/subuid ]; then
|
|
||||||
touch /etc/subuid
|
|
||||||
chown root:root /etc/subuid
|
|
||||||
chmod 644 /etc/subuid
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ ! -e /etc/subgid ]; then
|
|
||||||
touch /etc/subgid
|
|
||||||
chown root:root /etc/subgid
|
|
||||||
chmod 644 /etc/subgid
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Create subuid/subgid if missing
|
|
||||||
if [ ! -e /etc/subuid ]; then
|
|
||||||
touch /etc/subuid
|
|
||||||
chown root:root /etc/subuid
|
|
||||||
chmod 644 /etc/subuid
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ ! -e /etc/subgid ]; then
|
|
||||||
touch /etc/subgid
|
|
||||||
chown root:root /etc/subgid
|
|
||||||
chmod 644 /etc/subgid
|
|
||||||
fi
|
|
||||||
|
|
||||||
#DEBHELPER#
|
|
||||||
|
|
||||||
exit 0
|
|
||||||
Vendored
-52
@@ -1,52 +0,0 @@
|
|||||||
#! /bin/sh
|
|
||||||
|
|
||||||
#
|
|
||||||
# see: dh_installdeb(1)
|
|
||||||
|
|
||||||
set -e
|
|
||||||
|
|
||||||
# summary of how this script can be called:
|
|
||||||
# * <new-preinst> `install'
|
|
||||||
# * <new-preinst> `install' <old-version>
|
|
||||||
# * <new-preinst> `upgrade' <old-version>
|
|
||||||
# * <old-preinst> `abort-upgrade' <new-version>
|
|
||||||
#
|
|
||||||
# for details, see http://www.debian.org/doc/debian-policy/ or
|
|
||||||
# the debian-policy package
|
|
||||||
|
|
||||||
remove_md5() {
|
|
||||||
if md5sum $1 2>/dev/null |grep -q $2; then
|
|
||||||
cp $1 $1.pre-upgrade
|
|
||||||
sed -e '/^[^#][ \t]*assword[ \t]*required[ \t]*pam_unix.so/ s/ md5$//' $1 >$1.post-upgrade \
|
|
||||||
&& mv $1.post-upgrade $1
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
case "$1" in
|
|
||||||
install|upgrade)
|
|
||||||
if [ "x$2" != "x" ] ; then
|
|
||||||
if dpkg --compare-versions $2 lt 1:4.0.3 ; then
|
|
||||||
remove_md5 /etc/pam.d/login 5e61c3334e25625fe1fa4d79cf9123ff
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
;;
|
|
||||||
|
|
||||||
abort-upgrade)
|
|
||||||
;;
|
|
||||||
|
|
||||||
*)
|
|
||||||
echo "preinst called with unknown argument \`$1'" >&2
|
|
||||||
exit 1
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
# dh_installdeb will replace this with shell code automatically
|
|
||||||
# generated by other debhelper scripts.
|
|
||||||
|
|
||||||
#DEBHELPER#
|
|
||||||
|
|
||||||
exit 0
|
|
||||||
|
|
||||||
|
|
||||||
Vendored
-61
@@ -1,61 +0,0 @@
|
|||||||
#
|
|
||||||
# The PAM configuration file for the Shadow `su' service
|
|
||||||
#
|
|
||||||
|
|
||||||
# This allows root to su without passwords (normal operation)
|
|
||||||
auth sufficient pam_rootok.so
|
|
||||||
|
|
||||||
# Uncomment this to force users to be a member of group root
|
|
||||||
# before they can use `su'. You can also add "group=foo"
|
|
||||||
# to the end of this line if you want to use a group other
|
|
||||||
# than the default "root" (but this may have side effect of
|
|
||||||
# denying "root" user, unless she's a member of "foo" or explicitly
|
|
||||||
# permitted earlier by e.g. "sufficient pam_rootok.so").
|
|
||||||
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
|
|
||||||
# auth required pam_wheel.so
|
|
||||||
|
|
||||||
# Uncomment this if you want wheel members to be able to
|
|
||||||
# su without a password.
|
|
||||||
# auth sufficient pam_wheel.so trust
|
|
||||||
|
|
||||||
# Uncomment this if you want members of a specific group to not
|
|
||||||
# be allowed to use su at all.
|
|
||||||
# auth required pam_wheel.so deny group=nosu
|
|
||||||
|
|
||||||
# Uncomment and edit /etc/security/time.conf if you need to set
|
|
||||||
# time restrainst on su usage.
|
|
||||||
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
|
|
||||||
# as well as /etc/porttime)
|
|
||||||
# account requisite pam_time.so
|
|
||||||
|
|
||||||
# This module parses environment configuration file(s)
|
|
||||||
# and also allows you to use an extended config
|
|
||||||
# file /etc/security/pam_env.conf.
|
|
||||||
#
|
|
||||||
# parsing /etc/environment needs "readenv=1"
|
|
||||||
session required pam_env.so readenv=1
|
|
||||||
# locale variables are also kept into /etc/default/locale in etch
|
|
||||||
# reading this file *in addition to /etc/environment* does not hurt
|
|
||||||
session required pam_env.so readenv=1 envfile=/etc/default/locale
|
|
||||||
|
|
||||||
# Defines the MAIL environment variable
|
|
||||||
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
|
|
||||||
# in /etc/login.defs to make sure that removing a user
|
|
||||||
# also removes the user's mail spool file.
|
|
||||||
# See comments in /etc/login.defs
|
|
||||||
#
|
|
||||||
# "nopen" stands to avoid reporting new mail when su'ing to another user
|
|
||||||
session optional pam_mail.so nopen
|
|
||||||
|
|
||||||
# Sets up user limits according to /etc/security/limits.conf
|
|
||||||
# (Replaces the use of /etc/limits in old login)
|
|
||||||
session required pam_limits.so
|
|
||||||
|
|
||||||
# The standard Unix authentication modules, used with
|
|
||||||
# NIS (man nsswitch) as well as normal /etc/passwd and
|
|
||||||
# /etc/shadow entries.
|
|
||||||
@include common-auth
|
|
||||||
@include common-account
|
|
||||||
@include common-session
|
|
||||||
|
|
||||||
|
|
||||||
Vendored
-8
@@ -1,8 +0,0 @@
|
|||||||
# The PAM configuration file for the Shadow 'chage' service
|
|
||||||
#
|
|
||||||
|
|
||||||
# This allows root to change password aging being prompted for a password
|
|
||||||
auth sufficient pam_rootok.so
|
|
||||||
|
|
||||||
# checks for account validity
|
|
||||||
account required pam_permit.so
|
|
||||||
Vendored
-16
@@ -1,16 +0,0 @@
|
|||||||
#
|
|
||||||
# The PAM configuration file for the Shadow `chfn' service
|
|
||||||
#
|
|
||||||
|
|
||||||
# This allows root to change user infomation without being
|
|
||||||
# prompted for a password
|
|
||||||
auth sufficient pam_rootok.so
|
|
||||||
|
|
||||||
# The standard Unix authentication modules, used with
|
|
||||||
# NIS (man nsswitch) as well as normal /etc/passwd and
|
|
||||||
# /etc/shadow entries.
|
|
||||||
@include common-auth
|
|
||||||
@include common-account
|
|
||||||
@include common-session
|
|
||||||
|
|
||||||
|
|
||||||
Vendored
-5
@@ -1,5 +0,0 @@
|
|||||||
# The PAM configuration file for the Shadow 'chpasswd' service
|
|
||||||
#
|
|
||||||
|
|
||||||
@include common-password
|
|
||||||
|
|
||||||
Vendored
-20
@@ -1,20 +0,0 @@
|
|||||||
#
|
|
||||||
# The PAM configuration file for the Shadow `chsh' service
|
|
||||||
#
|
|
||||||
|
|
||||||
# This will not allow a user to change their shell unless
|
|
||||||
# their current one is listed in /etc/shells. This keeps
|
|
||||||
# accounts with special shells from changing them.
|
|
||||||
auth required pam_shells.so
|
|
||||||
|
|
||||||
# This allows root to change user shell without being
|
|
||||||
# prompted for a password
|
|
||||||
auth sufficient pam_rootok.so
|
|
||||||
|
|
||||||
# The standard Unix authentication modules, used with
|
|
||||||
# NIS (man nsswitch) as well as normal /etc/passwd and
|
|
||||||
# /etc/shadow entries.
|
|
||||||
@include common-auth
|
|
||||||
@include common-account
|
|
||||||
@include common-session
|
|
||||||
|
|
||||||
Vendored
-9
@@ -1,9 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
|
|
||||||
cd /var/backups || exit 0
|
|
||||||
|
|
||||||
for FILE in passwd group shadow gshadow; do
|
|
||||||
test -f /etc/$FILE || continue
|
|
||||||
cmp -s $FILE.bak /etc/$FILE && continue
|
|
||||||
cp -p /etc/$FILE $FILE.bak && chmod 600 $FILE.bak
|
|
||||||
done
|
|
||||||
Vendored
-2
@@ -1,2 +0,0 @@
|
|||||||
usr/share/lintian/overrides
|
|
||||||
etc/default
|
|
||||||
Vendored
-1
@@ -1 +0,0 @@
|
|||||||
debian/passwd.expire.cron
|
|
||||||
Vendored
-57
@@ -1,57 +0,0 @@
|
|||||||
#!/usr/bin/perl
|
|
||||||
#
|
|
||||||
# passwd.expire.cron: sample expiry notification script for use as a cronjob
|
|
||||||
#
|
|
||||||
# Copyright 1999 by Ben Collins <bcollins@debian.org>, complete rights granted
|
|
||||||
# for use, distribution, modification, etc.
|
|
||||||
#
|
|
||||||
# Usage:
|
|
||||||
# edit the listed options, including the actual email, then rename to
|
|
||||||
# /etc/cron.daily/passwd
|
|
||||||
#
|
|
||||||
# If your users don't have a valid login shell (ie. they are ftp or mail
|
|
||||||
# users only), they will need some other way to change their password
|
|
||||||
# (telnet will work since login will handle password aging, or a poppasswd
|
|
||||||
# program, if they are mail users).
|
|
||||||
|
|
||||||
# <CONFIG> #
|
|
||||||
|
|
||||||
# should be same as /etc/adduser.conf
|
|
||||||
$LOW_UID=1000;
|
|
||||||
$HIGH_UID=29999;
|
|
||||||
|
|
||||||
# this let's the MTA handle the domain,
|
|
||||||
# set it manually if you want. Make sure
|
|
||||||
# you also add the @ like "\@domain.com"
|
|
||||||
$MAIL_DOM="";
|
|
||||||
|
|
||||||
# </CONFIG> #
|
|
||||||
|
|
||||||
# Set the current day reference
|
|
||||||
$curdays = int(time() / (60 * 60 * 24));
|
|
||||||
|
|
||||||
# Now go through the list
|
|
||||||
|
|
||||||
open(SH, "< /etc/shadow");
|
|
||||||
while (<SH>) {
|
|
||||||
@shent = split(':', $_);
|
|
||||||
@userent = getpwnam($shent[0]);
|
|
||||||
if ($userent[2] >= $LOW_UID && $userent[2] <= $HIGH_UID) {
|
|
||||||
if ($curdays > $shent[2] + $shent[4] - $shent[5] &&
|
|
||||||
$shent[4] != -1 && $shent[4] != 0 &&
|
|
||||||
$shent[5] != -1 && $shent[5] != 0) {
|
|
||||||
$daysleft = ($shent[2] + $shent[4]) - $curdays;
|
|
||||||
if ($daysleft == 1) { $days = "day"; } else {$days = "days"; }
|
|
||||||
if ($daysleft < 0) { next; }
|
|
||||||
open (MAIL, "| mail -s '[WARNING] account will expire in $daysleft $days' $shent[0]${MAIL_DOM}");
|
|
||||||
print MAIL <<EOF;
|
|
||||||
Your account will expire in $daysleft $days. Please change your password before
|
|
||||||
then or your account will expire
|
|
||||||
EOF
|
|
||||||
close (MAIL);
|
|
||||||
# This makes sure we also get a list of almost expired users
|
|
||||||
print "$shent[0]'s account will expire in $daysleft days\n";
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@userent = getpwent();
|
|
||||||
}
|
|
||||||
Vendored
-8
@@ -1,8 +0,0 @@
|
|||||||
# The PAM configuration file for the Shadow 'groupadd' service
|
|
||||||
#
|
|
||||||
|
|
||||||
# This allows root to add groups without being prompted for a password
|
|
||||||
auth sufficient pam_rootok.so
|
|
||||||
|
|
||||||
# checks for account validity
|
|
||||||
account required pam_permit.so
|
|
||||||
Vendored
-8
@@ -1,8 +0,0 @@
|
|||||||
# The PAM configuration file for the Shadow 'groupdel' service
|
|
||||||
#
|
|
||||||
|
|
||||||
# This allows root to remove groups without being prompted for a password
|
|
||||||
auth sufficient pam_rootok.so
|
|
||||||
|
|
||||||
# checks for account validity
|
|
||||||
account required pam_permit.so
|
|
||||||
Vendored
-8
@@ -1,8 +0,0 @@
|
|||||||
# The PAM configuration file for the Shadow 'groupmod' service
|
|
||||||
#
|
|
||||||
|
|
||||||
# This allows root to modify groups without being prompted for a password
|
|
||||||
auth sufficient pam_rootok.so
|
|
||||||
|
|
||||||
# checks for account validity
|
|
||||||
account required pam_permit.so
|
|
||||||
Vendored
-80
@@ -1,80 +0,0 @@
|
|||||||
usr/bin/chage
|
|
||||||
usr/bin/chfn
|
|
||||||
usr/bin/chsh
|
|
||||||
usr/bin/expiry
|
|
||||||
usr/bin/gpasswd
|
|
||||||
usr/bin/passwd
|
|
||||||
usr/sbin/chpasswd
|
|
||||||
usr/sbin/chgpasswd
|
|
||||||
usr/sbin/cppw
|
|
||||||
usr/sbin/groupadd
|
|
||||||
usr/sbin/groupdel
|
|
||||||
usr/sbin/groupmod
|
|
||||||
usr/sbin/groupmems
|
|
||||||
usr/sbin/grpck
|
|
||||||
usr/sbin/grpconv
|
|
||||||
usr/sbin/grpunconv
|
|
||||||
usr/sbin/newusers
|
|
||||||
usr/sbin/pwck
|
|
||||||
usr/sbin/pwconv
|
|
||||||
usr/sbin/pwunconv
|
|
||||||
usr/sbin/useradd
|
|
||||||
usr/sbin/userdel
|
|
||||||
usr/sbin/usermod
|
|
||||||
usr/sbin/vipw
|
|
||||||
usr/share/man/*/man1/chage.1
|
|
||||||
usr/share/man/*/man1/chfn.1
|
|
||||||
usr/share/man/*/man1/chsh.1
|
|
||||||
usr/share/man/*/man1/expiry.1
|
|
||||||
usr/share/man/*/man1/gpasswd.1
|
|
||||||
usr/share/man/*/man1/passwd.1
|
|
||||||
usr/share/man/*/man5/passwd.5
|
|
||||||
usr/share/man/*/man5/shadow.5
|
|
||||||
usr/share/man/*/man5/gshadow.5
|
|
||||||
usr/share/man/*/man8/chpasswd.8
|
|
||||||
usr/share/man/*/man8/groupadd.8
|
|
||||||
usr/share/man/*/man8/groupdel.8
|
|
||||||
usr/share/man/*/man8/groupmod.8
|
|
||||||
usr/share/man/*/man8/groupmems.8
|
|
||||||
usr/share/man/*/man8/grpck.8
|
|
||||||
usr/share/man/*/man8/grpconv.8
|
|
||||||
usr/share/man/*/man8/grpunconv.8
|
|
||||||
usr/share/man/*/man8/newusers.8
|
|
||||||
usr/share/man/*/man8/pwck.8
|
|
||||||
usr/share/man/*/man8/pwconv.8
|
|
||||||
usr/share/man/*/man8/pwunconv.8
|
|
||||||
usr/share/man/*/man8/useradd.8
|
|
||||||
usr/share/man/*/man8/userdel.8
|
|
||||||
usr/share/man/*/man8/usermod.8
|
|
||||||
usr/share/man/*/man8/vigr.8
|
|
||||||
usr/share/man/*/man8/vipw.8
|
|
||||||
usr/share/man/man1/chage.1
|
|
||||||
usr/share/man/man1/chfn.1
|
|
||||||
usr/share/man/man1/chsh.1
|
|
||||||
usr/share/man/man1/expiry.1
|
|
||||||
usr/share/man/man1/gpasswd.1
|
|
||||||
usr/share/man/man1/passwd.1
|
|
||||||
usr/share/man/man5/passwd.5
|
|
||||||
usr/share/man/man5/shadow.5
|
|
||||||
usr/share/man/man5/gshadow.5
|
|
||||||
usr/share/man/man5/subuid.5
|
|
||||||
usr/share/man/man5/subgid.5
|
|
||||||
usr/share/man/man5/subgid.5
|
|
||||||
usr/share/man/man5/subuid.5
|
|
||||||
usr/share/man/man8/chgpasswd.8
|
|
||||||
usr/share/man/man8/chpasswd.8
|
|
||||||
usr/share/man/man8/groupadd.8
|
|
||||||
usr/share/man/man8/groupdel.8
|
|
||||||
usr/share/man/man8/groupmod.8
|
|
||||||
usr/share/man/man8/grpck.8
|
|
||||||
usr/share/man/man8/grpconv.8
|
|
||||||
usr/share/man/man8/grpunconv.8
|
|
||||||
usr/share/man/man8/newusers.8
|
|
||||||
usr/share/man/man8/pwck.8
|
|
||||||
usr/share/man/man8/pwconv.8
|
|
||||||
usr/share/man/man8/pwunconv.8
|
|
||||||
usr/share/man/man8/useradd.8
|
|
||||||
usr/share/man/man8/userdel.8
|
|
||||||
usr/share/man/man8/usermod.8
|
|
||||||
usr/share/man/man8/vigr.8
|
|
||||||
usr/share/man/man8/vipw.8
|
|
||||||
Vendored
-2
@@ -1,2 +0,0 @@
|
|||||||
usr/sbin/vipw usr/sbin/vigr
|
|
||||||
usr/sbin/cppw usr/sbin/cpgr
|
|
||||||
Vendored
-6
@@ -1,6 +0,0 @@
|
|||||||
passwd: setgid-binary usr/bin/chage 2755 root/shadow
|
|
||||||
passwd: setuid-binary usr/bin/chfn 4755 root/root
|
|
||||||
passwd: setuid-binary usr/bin/chsh 4755 root/root
|
|
||||||
passwd: setgid-binary usr/bin/expiry 2755 root/shadow
|
|
||||||
passwd: setuid-binary usr/bin/gpasswd 4755 root/root
|
|
||||||
passwd: setuid-binary usr/bin/passwd 4755 root/root
|
|
||||||
Vendored
-5
@@ -1,5 +0,0 @@
|
|||||||
# The PAM configuration file for the Shadow 'newusers' service
|
|
||||||
#
|
|
||||||
|
|
||||||
@include common-password
|
|
||||||
|
|
||||||
Vendored
-6
@@ -1,6 +0,0 @@
|
|||||||
#
|
|
||||||
# The PAM configuration file for the Shadow `passwd' service
|
|
||||||
#
|
|
||||||
|
|
||||||
@include common-password
|
|
||||||
|
|
||||||
Vendored
-44
@@ -1,44 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
|
|
||||||
set -e
|
|
||||||
|
|
||||||
case "$1" in
|
|
||||||
configure)
|
|
||||||
# Fix permissions on various log files from old versions of the debian
|
|
||||||
# installer, some unrelated to passwd but we decided to put the fix
|
|
||||||
# here since there was no better place. This can safely be removed
|
|
||||||
# after etch is released.
|
|
||||||
if dpkg --compare-versions "$2" lt "1:4.0.14-9"; then
|
|
||||||
for log in /var/log/base-config* \
|
|
||||||
$(find /var/log/debian-installer/ /var/log/installer/ -type f 2>/dev/null ); do
|
|
||||||
if [ -e "$log" ]; then
|
|
||||||
chmod 600 "$log"
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
|
|
||||||
rm -f /etc/pam.d/passwd.pre-upgrade 2>/dev/null
|
|
||||||
if ! getent group shadow | grep -q '^shadow:[^:]*:42'
|
|
||||||
then
|
|
||||||
groupadd -g 42 shadow || (
|
|
||||||
cat <<EOF
|
|
||||||
Group ID 42 has been allocated for the shadow group. You have either
|
|
||||||
used 42 yourself or created a shadow group with a different ID.
|
|
||||||
Please correct this problem and reconfigure with ``dpkg --configure passwd''.
|
|
||||||
|
|
||||||
Note that both user and group IDs in the range 0-99 are globally
|
|
||||||
allocated by the Debian project and must be the same on every Debian
|
|
||||||
system.
|
|
||||||
EOF
|
|
||||||
exit 1
|
|
||||||
)
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
# Run shadowconfig only on new installs
|
|
||||||
[ -z "$2" ] && shadowconfig on
|
|
||||||
|
|
||||||
#DEBHELPER#
|
|
||||||
|
|
||||||
exit 0
|
|
||||||
Vendored
-51
@@ -1,51 +0,0 @@
|
|||||||
#! /bin/sh
|
|
||||||
|
|
||||||
#
|
|
||||||
# see: dh_installdeb(1)
|
|
||||||
|
|
||||||
set -e
|
|
||||||
|
|
||||||
# summary of how this script can be called:
|
|
||||||
# * <new-preinst> `install'
|
|
||||||
# * <new-preinst> `install' <old-version>
|
|
||||||
# * <new-preinst> `upgrade' <old-version>
|
|
||||||
# * <old-preinst> `abort-upgrade' <new-version>
|
|
||||||
#
|
|
||||||
# for details, see http://www.debian.org/doc/debian-policy/ or
|
|
||||||
# the debian-policy package
|
|
||||||
|
|
||||||
remove_md5() {
|
|
||||||
if md5sum $1 2>/dev/null |grep -q $2; then
|
|
||||||
cp $1 $1.pre-upgrade
|
|
||||||
sed -e '/^[^#]*[ \t]*password[ \t]*required[ \t]*pam_unix.so/ s/ md5$//' $1 >$1.post-upgrade \
|
|
||||||
&& mv $1.post-upgrade $1
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
case "$1" in
|
|
||||||
install|upgrade)
|
|
||||||
if [ "x$2" != "x" ] ; then
|
|
||||||
if dpkg --compare-versions $2 lt 1:4.0.3 ; then
|
|
||||||
remove_md5 /etc/pam.d/passwd 23a5d1465bbc1e39ca6e0c32f22a75c9
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
|
|
||||||
abort-upgrade)
|
|
||||||
;;
|
|
||||||
|
|
||||||
*)
|
|
||||||
echo "preinst called with unknown argument \`$1'" >&2
|
|
||||||
exit 1
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
# dh_installdeb will replace this with shell code automatically
|
|
||||||
# generated by other debhelper scripts.
|
|
||||||
|
|
||||||
#DEBHELPER#
|
|
||||||
|
|
||||||
exit 0
|
|
||||||
|
|
||||||
|
|
||||||
Vendored
-8
@@ -1,8 +0,0 @@
|
|||||||
# If a password operation is in progress and we lose power, stale lockfiles
|
|
||||||
# can be left behind. Clear them on boot.
|
|
||||||
r! /etc/gshadow.lock
|
|
||||||
r! /etc/shadow.lock
|
|
||||||
r! /etc/passwd.lock
|
|
||||||
r! /etc/group.lock
|
|
||||||
r! /etc/subuid.lock
|
|
||||||
r! /etc/subgid.lock
|
|
||||||
Vendored
-8
@@ -1,8 +0,0 @@
|
|||||||
# The PAM configuration file for the Shadow 'useradd' service
|
|
||||||
#
|
|
||||||
|
|
||||||
# This allows root to add users without being prompted for a password
|
|
||||||
auth sufficient pam_rootok.so
|
|
||||||
|
|
||||||
# checks for account validity
|
|
||||||
account required pam_permit.so
|
|
||||||
Vendored
-8
@@ -1,8 +0,0 @@
|
|||||||
# The PAM configuration file for the Shadow 'userdel' service
|
|
||||||
#
|
|
||||||
|
|
||||||
# This allows root to remove users without being prompted for a password
|
|
||||||
auth sufficient pam_rootok.so
|
|
||||||
|
|
||||||
# checks for account validity
|
|
||||||
account required pam_permit.so
|
|
||||||
Vendored
-8
@@ -1,8 +0,0 @@
|
|||||||
# The PAM configuration file for the Shadow 'groupdel' service
|
|
||||||
#
|
|
||||||
|
|
||||||
# This allows root to remove groups without being prompted for a password
|
|
||||||
auth sufficient pam_rootok.so
|
|
||||||
|
|
||||||
# checks for account validity
|
|
||||||
account required pam_permit.so
|
|
||||||
-183
@@ -1,183 +0,0 @@
|
|||||||
From 11fc74ffc7172c587bbd2a6399defbd53eab97c6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Aleksa Sarai <asarai@suse.de>
|
|
||||||
Date: Thu, 15 Feb 2018 23:49:40 +1100
|
|
||||||
Subject: newgidmap: enforce setgroups=deny if self-mapping a group
|
|
||||||
|
|
||||||
This is necessary to match the kernel-side policy of "self-mapping in a
|
|
||||||
user namespace is fine, but you cannot drop groups" -- a policy that was
|
|
||||||
created in order to stop user namespaces from allowing trivial privilege
|
|
||||||
escalation by dropping supplementary groups that were "blacklisted" from
|
|
||||||
certain paths.
|
|
||||||
|
|
||||||
This is the simplest fix for the underlying issue, and effectively makes
|
|
||||||
it so that unless a user has a valid mapping set in /etc/subgid (which
|
|
||||||
only administrators can modify) -- and they are currently trying to use
|
|
||||||
that mapping -- then /proc/$pid/setgroups will be set to deny. This
|
|
||||||
workaround is only partial, because ideally it should be possible to set
|
|
||||||
an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow
|
|
||||||
administrators to further restrict newgidmap(1).
|
|
||||||
|
|
||||||
We also don't write anything in the "allow" case because "allow" is the
|
|
||||||
default, and users may have already written "deny" even if they
|
|
||||||
technically are allowed to use setgroups. And we don't write anything if
|
|
||||||
the setgroups policy is already "deny".
|
|
||||||
|
|
||||||
Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357
|
|
||||||
Fixes: CVE-2018-7169
|
|
||||||
Reported-by: Craig Furman <craig.furman89@gmail.com>
|
|
||||||
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
|
||||||
---
|
|
||||||
src/newgidmap.c | 89 ++++++++++++++++++++++++++++++++++++++++++++-----
|
|
||||||
1 file changed, 80 insertions(+), 9 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/newgidmap.c b/src/newgidmap.c
|
|
||||||
index b1e33513..59a2e75c 100644
|
|
||||||
--- a/src/newgidmap.c
|
|
||||||
+++ b/src/newgidmap.c
|
|
||||||
@@ -46,32 +46,37 @@
|
|
||||||
*/
|
|
||||||
const char *Prog;
|
|
||||||
|
|
||||||
-static bool verify_range(struct passwd *pw, struct map_range *range)
|
|
||||||
+
|
|
||||||
+static bool verify_range(struct passwd *pw, struct map_range *range, bool *allow_setgroups)
|
|
||||||
{
|
|
||||||
/* An empty range is invalid */
|
|
||||||
if (range->count == 0)
|
|
||||||
return false;
|
|
||||||
|
|
||||||
- /* Test /etc/subgid */
|
|
||||||
- if (have_sub_gids(pw->pw_name, range->lower, range->count))
|
|
||||||
+ /* Test /etc/subgid. If the mapping is valid then we allow setgroups. */
|
|
||||||
+ if (have_sub_gids(pw->pw_name, range->lower, range->count)) {
|
|
||||||
+ *allow_setgroups = true;
|
|
||||||
return true;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- /* Allow a process to map its own gid */
|
|
||||||
- if ((range->count == 1) && (pw->pw_gid == range->lower))
|
|
||||||
+ /* Allow a process to map its own gid. */
|
|
||||||
+ if ((range->count == 1) && (pw->pw_gid == range->lower)) {
|
|
||||||
+ /* noop -- if setgroups is enabled already we won't disable it. */
|
|
||||||
return true;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void verify_ranges(struct passwd *pw, int ranges,
|
|
||||||
- struct map_range *mappings)
|
|
||||||
+ struct map_range *mappings, bool *allow_setgroups)
|
|
||||||
{
|
|
||||||
struct map_range *mapping;
|
|
||||||
int idx;
|
|
||||||
|
|
||||||
mapping = mappings;
|
|
||||||
for (idx = 0; idx < ranges; idx++, mapping++) {
|
|
||||||
- if (!verify_range(pw, mapping)) {
|
|
||||||
+ if (!verify_range(pw, mapping, allow_setgroups)) {
|
|
||||||
fprintf(stderr, _( "%s: gid range [%lu-%lu) -> [%lu-%lu) not allowed\n"),
|
|
||||||
Prog,
|
|
||||||
mapping->upper,
|
|
||||||
@@ -89,6 +94,70 @@ static void usage(void)
|
|
||||||
exit(EXIT_FAILURE);
|
|
||||||
}
|
|
||||||
|
|
||||||
+void write_setgroups(int proc_dir_fd, bool allow_setgroups)
|
|
||||||
+{
|
|
||||||
+ int setgroups_fd;
|
|
||||||
+ char *policy, policy_buffer[4096];
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Default is "deny", and any "allow" will out-rank a "deny". We don't
|
|
||||||
+ * forcefully write an "allow" here because the process we are writing
|
|
||||||
+ * mappings for may have already set themselves to "deny" (and "allow"
|
|
||||||
+ * is the default anyway). So allow_setgroups == true is a noop.
|
|
||||||
+ */
|
|
||||||
+ policy = "deny\n";
|
|
||||||
+ if (allow_setgroups)
|
|
||||||
+ return;
|
|
||||||
+
|
|
||||||
+ setgroups_fd = openat(proc_dir_fd, "setgroups", O_RDWR|O_CLOEXEC);
|
|
||||||
+ if (setgroups_fd < 0) {
|
|
||||||
+ /*
|
|
||||||
+ * If it's an ENOENT then we are on too old a kernel for the setgroups
|
|
||||||
+ * code to exist. Emit a warning and bail on this.
|
|
||||||
+ */
|
|
||||||
+ if (ENOENT == errno) {
|
|
||||||
+ fprintf(stderr, _("%s: kernel doesn't support setgroups restrictions\n"), Prog);
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ fprintf(stderr, _("%s: couldn't open process setgroups: %s\n"),
|
|
||||||
+ Prog,
|
|
||||||
+ strerror(errno));
|
|
||||||
+ exit(EXIT_FAILURE);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Check whether the policy is already what we want. /proc/self/setgroups
|
|
||||||
+ * is write-once, so attempting to write after it's already written to will
|
|
||||||
+ * fail.
|
|
||||||
+ */
|
|
||||||
+ if (read(setgroups_fd, policy_buffer, sizeof(policy_buffer)) < 0) {
|
|
||||||
+ fprintf(stderr, _("%s: failed to read setgroups: %s\n"),
|
|
||||||
+ Prog,
|
|
||||||
+ strerror(errno));
|
|
||||||
+ exit(EXIT_FAILURE);
|
|
||||||
+ }
|
|
||||||
+ if (!strncmp(policy_buffer, policy, strlen(policy)))
|
|
||||||
+ goto out;
|
|
||||||
+
|
|
||||||
+ /* Write the policy. */
|
|
||||||
+ if (lseek(setgroups_fd, 0, SEEK_SET) < 0) {
|
|
||||||
+ fprintf(stderr, _("%s: failed to seek setgroups: %s\n"),
|
|
||||||
+ Prog,
|
|
||||||
+ strerror(errno));
|
|
||||||
+ exit(EXIT_FAILURE);
|
|
||||||
+ }
|
|
||||||
+ if (dprintf(setgroups_fd, "%s", policy) < 0) {
|
|
||||||
+ fprintf(stderr, _("%s: failed to setgroups %s policy: %s\n"),
|
|
||||||
+ Prog,
|
|
||||||
+ policy,
|
|
||||||
+ strerror(errno));
|
|
||||||
+ exit(EXIT_FAILURE);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+out:
|
|
||||||
+ close(setgroups_fd);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* newgidmap - Set the gid_map for the specified process
|
|
||||||
*/
|
|
||||||
@@ -103,6 +172,7 @@ int main(int argc, char **argv)
|
|
||||||
struct stat st;
|
|
||||||
struct passwd *pw;
|
|
||||||
int written;
|
|
||||||
+ bool allow_setgroups = false;
|
|
||||||
|
|
||||||
Prog = Basename (argv[0]);
|
|
||||||
|
|
||||||
@@ -145,7 +215,7 @@ int main(int argc, char **argv)
|
|
||||||
(unsigned long) getuid ()));
|
|
||||||
return EXIT_FAILURE;
|
|
||||||
}
|
|
||||||
-
|
|
||||||
+
|
|
||||||
/* Get the effective uid and effective gid of the target process */
|
|
||||||
if (fstat(proc_dir_fd, &st) < 0) {
|
|
||||||
fprintf(stderr, _("%s: Could not stat directory for target %u\n"),
|
|
||||||
@@ -177,8 +247,9 @@ int main(int argc, char **argv)
|
|
||||||
if (!mappings)
|
|
||||||
usage();
|
|
||||||
|
|
||||||
- verify_ranges(pw, ranges, mappings);
|
|
||||||
+ verify_ranges(pw, ranges, mappings, &allow_setgroups);
|
|
||||||
|
|
||||||
+ write_setgroups(proc_dir_fd, allow_setgroups);
|
|
||||||
write_mapping(proc_dir_fd, ranges, mappings, "gid_map");
|
|
||||||
sub_gid_close();
|
|
||||||
|
|
||||||
--
|
|
||||||
2.30.2
|
|
||||||
|
|
||||||
@@ -1,142 +0,0 @@
|
|||||||
From cbfa2ff40ce629f55ddd67e3490c311dfcaa4462 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alejandro Colomar <alx@kernel.org>
|
|
||||||
Date: Sat, 10 Jun 2023 16:20:05 +0200
|
|
||||||
Subject: gpasswd(1): Fix password leak
|
|
||||||
|
|
||||||
How to trigger this password leak?
|
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
|
|
||||||
When gpasswd(1) asks for the new password, it asks twice (as is usual
|
|
||||||
for confirming the new password). Each of those 2 password prompts
|
|
||||||
uses agetpass() to get the password. If the second agetpass() fails,
|
|
||||||
the first password, which has been copied into the 'static' buffer
|
|
||||||
'pass' via STRFCPY(), wasn't being zeroed.
|
|
||||||
|
|
||||||
agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and
|
|
||||||
can fail for any of the following reasons:
|
|
||||||
|
|
||||||
- malloc(3) or readpassphrase(3) failure.
|
|
||||||
|
|
||||||
These are going to be difficult to trigger. Maybe getting the system
|
|
||||||
to the limits of memory utilization at that exact point, so that the
|
|
||||||
next malloc(3) gets ENOMEM, and possibly even the OOM is triggered.
|
|
||||||
About readpassphrase(3), ENFILE and EINTR seem the only plausible
|
|
||||||
ones, and EINTR probably requires privilege or being the same user;
|
|
||||||
but I wouldn't discard ENFILE so easily, if a process starts opening
|
|
||||||
files.
|
|
||||||
|
|
||||||
- The password is longer than PASS_MAX.
|
|
||||||
|
|
||||||
The is plausible with physical access. However, at that point, a
|
|
||||||
keylogger will be a much simpler attack.
|
|
||||||
|
|
||||||
And, the attacker must be able to know when the second password is being
|
|
||||||
introduced, which is not going to be easy.
|
|
||||||
|
|
||||||
How to read the password after the leak?
|
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
|
|
||||||
Provoking the leak yourself at the right point by entering a very long
|
|
||||||
password is easy, and inspecting the process stack at that point should
|
|
||||||
be doable. Try to find some consistent patterns.
|
|
||||||
|
|
||||||
Then, search for those patterns in free memory, right after the victim
|
|
||||||
leaks their password.
|
|
||||||
|
|
||||||
Once you get the leak, a program should read all the free memory
|
|
||||||
searching for patterns that gpasswd(1) leaves nearby the leaked
|
|
||||||
password.
|
|
||||||
|
|
||||||
On 6/10/23 03:14, Seth Arnold wrote:
|
|
||||||
> An attacker process wouldn't be able to use malloc(3) for this task.
|
|
||||||
> There's a handful of tools available for userspace to allocate memory:
|
|
||||||
>
|
|
||||||
> - brk / sbrk
|
|
||||||
> - mmap MAP_ANONYMOUS
|
|
||||||
> - mmap /dev/zero
|
|
||||||
> - mmap some other file
|
|
||||||
> - shm_open
|
|
||||||
> - shmget
|
|
||||||
>
|
|
||||||
> Most of these return only pages of zeros to a process. Using mmap of an
|
|
||||||
> existing file, you can get some of the contents of the file demand-loaded
|
|
||||||
> into the memory space on the first use.
|
|
||||||
>
|
|
||||||
> The MAP_UNINITIALIZED flag only works if the kernel was compiled with
|
|
||||||
> CONFIG_MMAP_ALLOW_UNINITIALIZED. This is rare.
|
|
||||||
>
|
|
||||||
> malloc(3) doesn't zero memory, to our collective frustration, but all the
|
|
||||||
> garbage in the allocations is from previous allocations in the current
|
|
||||||
> process. It isn't leftover from other processes.
|
|
||||||
>
|
|
||||||
> The avenues available for reading the memory:
|
|
||||||
> - /dev/mem and /dev/kmem (requires root, not available with Secure Boot)
|
|
||||||
> - /proc/pid/mem (requires ptrace privileges, mediated by YAMA)
|
|
||||||
> - ptrace (requires ptrace privileges, mediated by YAMA)
|
|
||||||
> - causing memory to be swapped to disk, and then inspecting the swap
|
|
||||||
>
|
|
||||||
> These all require a certain amount of privileges.
|
|
||||||
|
|
||||||
How to fix it?
|
|
||||||
~~~~~~~~~~~~~~
|
|
||||||
|
|
||||||
memzero(), which internally calls explicit_bzero(3), or whatever
|
|
||||||
alternative the system provides with a slightly different name, will
|
|
||||||
make sure that the buffer is zeroed in memory, and optimizations are not
|
|
||||||
allowed to impede this zeroing.
|
|
||||||
|
|
||||||
This is not really 100% effective, since compilers may place copies of
|
|
||||||
the string somewhere hidden in the stack. Those copies won't get zeroed
|
|
||||||
by explicit_bzero(3). However, that's arguably a compiler bug, since
|
|
||||||
compilers should make everything possible to avoid optimizing strings
|
|
||||||
that are later passed to explicit_bzero(3). But we all know that
|
|
||||||
sometimes it's impossible to have perfect knowledge in the compiler, so
|
|
||||||
this is plausible. Nevertheless, there's nothing we can do against such
|
|
||||||
issues, except minimizing the time such passwords are stored in plain
|
|
||||||
text.
|
|
||||||
|
|
||||||
Security concerns
|
|
||||||
~~~~~~~~~~~~~~~~~
|
|
||||||
|
|
||||||
We believe this isn't easy to exploit. Nevertheless, and since the fix
|
|
||||||
is trivial, this fix should probably be applied soon, and backported to
|
|
||||||
all supported distributions, to prevent someone else having more
|
|
||||||
imagination than us to find a way.
|
|
||||||
|
|
||||||
Affected versions
|
|
||||||
~~~~~~~~~~~~~~~~~
|
|
||||||
|
|
||||||
All. Bug introduced in shadow 19990709. That's the second commit in
|
|
||||||
the git history.
|
|
||||||
|
|
||||||
Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)")
|
|
||||||
Reported-by: Alejandro Colomar <alx@kernel.org>
|
|
||||||
Cc: Serge Hallyn <serge@hallyn.com>
|
|
||||||
Cc: Iker Pedrosa <ipedrosa@redhat.com>
|
|
||||||
Cc: Seth Arnold <seth.arnold@canonical.com>
|
|
||||||
Cc: Christian Brauner <christian@brauner.io>
|
|
||||||
Cc: Balint Reczey <rbalint@debian.org>
|
|
||||||
Cc: Sam James <sam@gentoo.org>
|
|
||||||
Cc: David Runge <dvzrv@archlinux.org>
|
|
||||||
Cc: Andreas Jaeger <aj@suse.de>
|
|
||||||
Cc: <~hallyn/shadow@lists.sr.ht>
|
|
||||||
Signed-off-by: Alejandro Colomar <alx@kernel.org>
|
|
||||||
---
|
|
||||||
src/gpasswd.c | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/src/gpasswd.c b/src/gpasswd.c
|
|
||||||
index c4a492b1..cbbd8068 100644
|
|
||||||
--- a/src/gpasswd.c
|
|
||||||
+++ b/src/gpasswd.c
|
|
||||||
@@ -917,6 +917,7 @@ static void change_passwd (struct group *gr)
|
|
||||||
strzero (cp);
|
|
||||||
cp = getpass (_("Re-enter new password: "));
|
|
||||||
if (NULL == cp) {
|
|
||||||
+ memzero (pass, sizeof pass);
|
|
||||||
exit (1);
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.30.2
|
|
||||||
|
|
||||||
@@ -1,45 +0,0 @@
|
|||||||
From b42c60bc8f026b250810a75bafe865338d734ec3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com>
|
|
||||||
Date: Thu, 23 Mar 2023 23:39:38 +0000
|
|
||||||
Subject: Added control character check
|
|
||||||
|
|
||||||
Added control character check, returning -1 (to "err") if control characters are present.
|
|
||||||
---
|
|
||||||
lib/fields.c | 11 +++++++----
|
|
||||||
1 file changed, 7 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/fields.c b/lib/fields.c
|
|
||||||
index 649fae17..b8f13ba7 100644
|
|
||||||
--- a/lib/fields.c
|
|
||||||
+++ b/lib/fields.c
|
|
||||||
@@ -44,9 +44,9 @@
|
|
||||||
*
|
|
||||||
* The supplied field is scanned for non-printable and other illegal
|
|
||||||
* characters.
|
|
||||||
- * + -1 is returned if an illegal character is present.
|
|
||||||
- * + 1 is returned if no illegal characters are present, but the field
|
|
||||||
- * contains a non-printable character.
|
|
||||||
+ * + -1 is returned if an illegal or control character is present.
|
|
||||||
+ * + 1 is returned if no illegal or control characters are present,
|
|
||||||
+ * but the field contains a non-printable character.
|
|
||||||
* + 0 is returned otherwise.
|
|
||||||
*/
|
|
||||||
int valid_field (const char *field, const char *illegal)
|
|
||||||
@@ -68,10 +68,13 @@ int valid_field (const char *field, const char *illegal)
|
|
||||||
}
|
|
||||||
|
|
||||||
if (0 == err) {
|
|
||||||
- /* Search if there are some non-printable characters */
|
|
||||||
+ /* Search if there are non-printable or control characters */
|
|
||||||
for (cp = field; '\0' != *cp; cp++) {
|
|
||||||
if (!isprint (*cp)) {
|
|
||||||
err = 1;
|
|
||||||
+ }
|
|
||||||
+ if (!iscntrl (*cp)) {
|
|
||||||
+ err = -1;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.30.2
|
|
||||||
|
|
||||||
-61
@@ -1,61 +0,0 @@
|
|||||||
From 261c9cd274f07361c304d3993e325fe29d4bad14 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
|
||||||
Date: Fri, 31 Mar 2023 14:46:50 +0200
|
|
||||||
Subject: Overhaul valid_field()
|
|
||||||
|
|
||||||
e5905c4b ("Added control character check") introduced checking for
|
|
||||||
control characters but had the logic inverted, so it rejects all
|
|
||||||
characters that are not control ones.
|
|
||||||
|
|
||||||
Cast the character to `unsigned char` before passing to the character
|
|
||||||
checking functions to avoid UB.
|
|
||||||
|
|
||||||
Use strpbrk(3) for the illegal character test and return early.
|
|
||||||
---
|
|
||||||
lib/fields.c | 24 ++++++++++--------------
|
|
||||||
1 file changed, 10 insertions(+), 14 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/fields.c b/lib/fields.c
|
|
||||||
index b8f13ba7..191257e8 100644
|
|
||||||
--- a/lib/fields.c
|
|
||||||
+++ b/lib/fields.c
|
|
||||||
@@ -60,26 +60,22 @@ int valid_field (const char *field, const char *illegal)
|
|
||||||
|
|
||||||
/* For each character of field, search if it appears in the list
|
|
||||||
* of illegal characters. */
|
|
||||||
+ if (illegal && NULL != strpbrk (field, illegal)) {
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Search if there are non-printable or control characters */
|
|
||||||
for (cp = field; '\0' != *cp; cp++) {
|
|
||||||
- if (strchr (illegal, *cp) != NULL) {
|
|
||||||
+ unsigned char c = *cp;
|
|
||||||
+ if (!isprint (c)) {
|
|
||||||
+ err = 1;
|
|
||||||
+ }
|
|
||||||
+ if (iscntrl (c)) {
|
|
||||||
err = -1;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (0 == err) {
|
|
||||||
- /* Search if there are non-printable or control characters */
|
|
||||||
- for (cp = field; '\0' != *cp; cp++) {
|
|
||||||
- if (!isprint (*cp)) {
|
|
||||||
- err = 1;
|
|
||||||
- }
|
|
||||||
- if (!iscntrl (*cp)) {
|
|
||||||
- err = -1;
|
|
||||||
- break;
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
return err;
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.30.2
|
|
||||||
|
|
||||||
-55
@@ -1,55 +0,0 @@
|
|||||||
Goal: Log login failures to the btmp file
|
|
||||||
|
|
||||||
Notes:
|
|
||||||
* I'm not sure login should add an entry in the FTMP file when PAM is used.
|
|
||||||
(but nothing in /etc/login.defs indicates that the failure is not logged)
|
|
||||||
|
|
||||||
Index: shadow-4.4/src/login.c
|
|
||||||
===================================================================
|
|
||||||
--- shadow-4.4.orig/src/login.c
|
|
||||||
+++ shadow-4.4/src/login.c
|
|
||||||
@@ -834,6 +834,24 @@ int main (int argc, char **argv)
|
|
||||||
(void) puts ("");
|
|
||||||
(void) puts (_("Login incorrect"));
|
|
||||||
|
|
||||||
+ if (getdef_str("FTMP_FILE") != NULL) {
|
|
||||||
+#ifdef USE_UTMPX
|
|
||||||
+ struct utmpx *failent =
|
|
||||||
+ prepare_utmpx (failent_user,
|
|
||||||
+ tty,
|
|
||||||
+ /* FIXME: or fromhost? */hostname,
|
|
||||||
+ utent);
|
|
||||||
+#else /* !USE_UTMPX */
|
|
||||||
+ struct utmp *failent =
|
|
||||||
+ prepare_utmp (failent_user,
|
|
||||||
+ tty,
|
|
||||||
+ hostname,
|
|
||||||
+ utent);
|
|
||||||
+#endif /* !USE_UTMPX */
|
|
||||||
+ failtmp (failent_user, failent);
|
|
||||||
+ free (failent);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (failcount >= retries) {
|
|
||||||
SYSLOG ((LOG_NOTICE,
|
|
||||||
"TOO MANY LOGIN TRIES (%u)%s FOR '%s'",
|
|
||||||
Index: shadow-4.4/lib/getdef.c
|
|
||||||
===================================================================
|
|
||||||
--- shadow-4.4.orig/lib/getdef.c
|
|
||||||
+++ shadow-4.4/lib/getdef.c
|
|
||||||
@@ -57,7 +57,6 @@ struct itemdef {
|
|
||||||
{"ENVIRON_FILE", NULL}, \
|
|
||||||
{"ENV_TZ", NULL}, \
|
|
||||||
{"FAILLOG_ENAB", NULL}, \
|
|
||||||
- {"FTMP_FILE", NULL}, \
|
|
||||||
{"ISSUE_FILE", NULL}, \
|
|
||||||
{"LASTLOG_ENAB", NULL}, \
|
|
||||||
{"LOGIN_STRING", NULL}, \
|
|
||||||
@@ -88,6 +87,7 @@ static struct itemdef def_table[] = {
|
|
||||||
{"ERASECHAR", NULL},
|
|
||||||
{"FAIL_DELAY", NULL},
|
|
||||||
{"FAKE_SHELL", NULL},
|
|
||||||
+ {"FTMP_FILE", NULL},
|
|
||||||
{"GID_MAX", NULL},
|
|
||||||
{"GID_MIN", NULL},
|
|
||||||
{"HUSHLOGIN_FILE", NULL},
|
|
||||||
Vendored
-276
@@ -1,276 +0,0 @@
|
|||||||
#! /bin/sh /usr/share/dpatch/dpatch-run
|
|
||||||
## 401_cppw_src.dpatch by Nicolas FRANCOIS <nicolas.francois@centraliens.net>
|
|
||||||
##
|
|
||||||
## All lines beginning with `## DP:' are a description of the patch.
|
|
||||||
## DP: Add cppw / cpgr
|
|
||||||
|
|
||||||
@DPATCH@
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/src/cppw.c
|
|
||||||
@@ -0,0 +1,238 @@
|
|
||||||
+/*
|
|
||||||
+ cppw, cpgr copy with locking given file over the password or group file
|
|
||||||
+ with -s will copy with locking given file over shadow or gshadow file
|
|
||||||
+
|
|
||||||
+ Copyright (C) 1999 Stephen Frost <sfrost@snowman.net>
|
|
||||||
+
|
|
||||||
+ Based on vipw, vigr by:
|
|
||||||
+ Copyright (C) 1997 Guy Maor <maor@ece.utexas.edu>
|
|
||||||
+
|
|
||||||
+ This program is free software; you can redistribute it and/or modify
|
|
||||||
+ it under the terms of the GNU General Public License as published by
|
|
||||||
+ the Free Software Foundation; either version 2 of the License, or
|
|
||||||
+ (at your option) any later version.
|
|
||||||
+
|
|
||||||
+ This program is distributed in the hope that it will be useful, but
|
|
||||||
+ WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
||||||
+ General Public License for more details.
|
|
||||||
+
|
|
||||||
+ You should have received a copy of the GNU General Public License
|
|
||||||
+ along with this program; if not, write to the Free Software
|
|
||||||
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
|
||||||
+
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#include <config.h>
|
|
||||||
+#include "defines.h"
|
|
||||||
+
|
|
||||||
+#include <errno.h>
|
|
||||||
+#include <sys/stat.h>
|
|
||||||
+#include <unistd.h>
|
|
||||||
+#include <stdio.h>
|
|
||||||
+#include <stdlib.h>
|
|
||||||
+#include <sys/types.h>
|
|
||||||
+#include <signal.h>
|
|
||||||
+#include <utime.h>
|
|
||||||
+#include "exitcodes.h"
|
|
||||||
+#include "prototypes.h"
|
|
||||||
+#include "pwio.h"
|
|
||||||
+#include "shadowio.h"
|
|
||||||
+#include "groupio.h"
|
|
||||||
+#include "sgroupio.h"
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+const char *Prog;
|
|
||||||
+
|
|
||||||
+const char *filename, *filenewname;
|
|
||||||
+static bool filelocked = false;
|
|
||||||
+static int (*unlock) (void);
|
|
||||||
+
|
|
||||||
+/* local function prototypes */
|
|
||||||
+static int create_copy (FILE *fp, const char *dest, struct stat *sb);
|
|
||||||
+static void cppwexit (const char *msg, int syserr, int ret);
|
|
||||||
+static void cppwcopy (const char *file,
|
|
||||||
+ const char *in_file,
|
|
||||||
+ int (*file_lock) (void),
|
|
||||||
+ int (*file_unlock) (void));
|
|
||||||
+
|
|
||||||
+static int create_copy (FILE *fp, const char *dest, struct stat *sb)
|
|
||||||
+{
|
|
||||||
+ struct utimbuf ub;
|
|
||||||
+ FILE *bkfp;
|
|
||||||
+ int c;
|
|
||||||
+ mode_t mask;
|
|
||||||
+
|
|
||||||
+ mask = umask (077);
|
|
||||||
+ bkfp = fopen (dest, "w");
|
|
||||||
+ (void) umask (mask);
|
|
||||||
+ if (NULL == bkfp) {
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ rewind (fp);
|
|
||||||
+ while ((c = getc (fp)) != EOF) {
|
|
||||||
+ if (putc (c, bkfp) == EOF) {
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if ( (c != EOF)
|
|
||||||
+ || (fflush (bkfp) != 0)) {
|
|
||||||
+ (void) fclose (bkfp);
|
|
||||||
+ (void) unlink (dest);
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+ if ( (fsync (fileno (bkfp)) != 0)
|
|
||||||
+ || (fclose (bkfp) != 0)) {
|
|
||||||
+ (void) unlink (dest);
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ub.actime = sb->st_atime;
|
|
||||||
+ ub.modtime = sb->st_mtime;
|
|
||||||
+ if ( (utime (dest, &ub) != 0)
|
|
||||||
+ || (chmod (dest, sb->st_mode) != 0)
|
|
||||||
+ || (chown (dest, sb->st_uid, sb->st_gid) != 0)) {
|
|
||||||
+ (void) unlink (dest);
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void cppwexit (const char *msg, int syserr, int ret)
|
|
||||||
+{
|
|
||||||
+ int err = errno;
|
|
||||||
+ if (filelocked) {
|
|
||||||
+ (*unlock) ();
|
|
||||||
+ }
|
|
||||||
+ if (NULL != msg) {
|
|
||||||
+ fprintf (stderr, "%s: %s", Prog, msg);
|
|
||||||
+ if (0 != syserr) {
|
|
||||||
+ fprintf (stderr, ": %s", strerror (err));
|
|
||||||
+ }
|
|
||||||
+ (void) fputs ("\n", stderr);
|
|
||||||
+ }
|
|
||||||
+ if (NULL != filename) {
|
|
||||||
+ fprintf (stderr, _("%s: %s is unchanged\n"), Prog, filename);
|
|
||||||
+ } else {
|
|
||||||
+ fprintf (stderr, _("%s: no changes\n"), Prog);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ exit (ret);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void cppwcopy (const char *file,
|
|
||||||
+ const char *in_file,
|
|
||||||
+ int (*file_lock) (void),
|
|
||||||
+ int (*file_unlock) (void))
|
|
||||||
+{
|
|
||||||
+ struct stat st1;
|
|
||||||
+ FILE *f;
|
|
||||||
+ char filenew[1024];
|
|
||||||
+
|
|
||||||
+ snprintf (filenew, sizeof filenew, "%s.new", file);
|
|
||||||
+ unlock = file_unlock;
|
|
||||||
+ filename = file;
|
|
||||||
+ filenewname = filenew;
|
|
||||||
+
|
|
||||||
+ if (access (file, F_OK) != 0) {
|
|
||||||
+ cppwexit (file, 1, 1);
|
|
||||||
+ }
|
|
||||||
+ if (file_lock () == 0) {
|
|
||||||
+ cppwexit (_("Couldn't lock file"), 0, 5);
|
|
||||||
+ }
|
|
||||||
+ filelocked = true;
|
|
||||||
+
|
|
||||||
+ /* file to copy has same owners, perm */
|
|
||||||
+ if (stat (file, &st1) != 0) {
|
|
||||||
+ cppwexit (file, 1, 1);
|
|
||||||
+ }
|
|
||||||
+ f = fopen (in_file, "r");
|
|
||||||
+ if (NULL == f) {
|
|
||||||
+ cppwexit (in_file, 1, 1);
|
|
||||||
+ }
|
|
||||||
+ if (create_copy (f, filenew, &st1) != 0) {
|
|
||||||
+ cppwexit (_("Couldn't make copy"), errno, 1);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* XXX - here we should check filenew for errors; if there are any,
|
|
||||||
+ * fail w/ an appropriate error code and let the user manually fix
|
|
||||||
+ * it. Use pwck or grpck to do the check. - Stephen (Shamelessly
|
|
||||||
+ * stolen from '--marekm's comment) */
|
|
||||||
+
|
|
||||||
+ if (rename (filenew, file) != 0) {
|
|
||||||
+ fprintf (stderr, _("%s: can't copy %s: %s)\n"),
|
|
||||||
+ Prog, filenew, strerror (errno));
|
|
||||||
+ cppwexit (NULL,0,1);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ (*file_unlock) ();
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int main (int argc, char **argv)
|
|
||||||
+{
|
|
||||||
+ int flag;
|
|
||||||
+ bool cpshadow = false;
|
|
||||||
+ char *in_file;
|
|
||||||
+ int e = E_USAGE;
|
|
||||||
+ bool do_cppw = true;
|
|
||||||
+
|
|
||||||
+ (void) setlocale (LC_ALL, "");
|
|
||||||
+ (void) bindtextdomain (PACKAGE, LOCALEDIR);
|
|
||||||
+ (void) textdomain (PACKAGE);
|
|
||||||
+
|
|
||||||
+ Prog = Basename (argv[0]);
|
|
||||||
+ if (strcmp (Prog, "cpgr") == 0) {
|
|
||||||
+ do_cppw = false;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ while ((flag = getopt (argc, argv, "ghps")) != EOF) {
|
|
||||||
+ switch (flag) {
|
|
||||||
+ case 'p':
|
|
||||||
+ do_cppw = true;
|
|
||||||
+ break;
|
|
||||||
+ case 'g':
|
|
||||||
+ do_cppw = false;
|
|
||||||
+ break;
|
|
||||||
+ case 's':
|
|
||||||
+ cpshadow = true;
|
|
||||||
+ break;
|
|
||||||
+ case 'h':
|
|
||||||
+ e = E_SUCCESS;
|
|
||||||
+ /*pass through*/
|
|
||||||
+ default:
|
|
||||||
+ (void) fputs (_("Usage:\n\
|
|
||||||
+`cppw <file>' copys over /etc/passwd `cppw -s <file>' copys over /etc/shadow\n\
|
|
||||||
+`cpgr <file>' copys over /etc/group `cpgr -s <file>' copys over /etc/gshadow\n\
|
|
||||||
+"), (E_SUCCESS != e) ? stderr : stdout);
|
|
||||||
+ exit (e);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (argc != optind + 1) {
|
|
||||||
+ cppwexit (_("wrong number of arguments, -h for usage"),0,1);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ in_file = argv[optind];
|
|
||||||
+
|
|
||||||
+ if (do_cppw) {
|
|
||||||
+ if (cpshadow) {
|
|
||||||
+ cppwcopy (SHADOW_FILE, in_file, spw_lock, spw_unlock);
|
|
||||||
+ } else {
|
|
||||||
+ cppwcopy (PASSWD_FILE, in_file, pw_lock, pw_unlock);
|
|
||||||
+ }
|
|
||||||
+ } else {
|
|
||||||
+#ifdef SHADOWGRP
|
|
||||||
+ if (cpshadow) {
|
|
||||||
+ cppwcopy (SGROUP_FILE, in_file, sgr_lock, sgr_unlock);
|
|
||||||
+ } else
|
|
||||||
+#endif /* SHADOWGRP */
|
|
||||||
+ {
|
|
||||||
+ cppwcopy (GROUP_FILE, in_file, gr_lock, gr_unlock);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
--- a/src/Makefile.am
|
|
||||||
+++ b/src/Makefile.am
|
|
||||||
@@ -30,6 +30,7 @@
|
|
||||||
ubin_PROGRAMS += newgidmap newuidmap
|
|
||||||
endif
|
|
||||||
usbin_PROGRAMS = \
|
|
||||||
+ cppw \
|
|
||||||
chgpasswd \
|
|
||||||
chpasswd \
|
|
||||||
groupadd \
|
|
||||||
@@ -90,6 +91,7 @@
|
|
||||||
chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
|
|
||||||
chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
|
|
||||||
chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
|
|
||||||
+cppw_LDADD = $(LDADD) $(LIBSELINUX)
|
|
||||||
gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
|
|
||||||
groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
|
|
||||||
groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
|
|
||||||
--- a/po/POTFILES.in
|
|
||||||
+++ b/po/POTFILES.in
|
|
||||||
@@ -85,6 +85,7 @@
|
|
||||||
src/chgpasswd.c
|
|
||||||
src/chpasswd.c
|
|
||||||
src/chsh.c
|
|
||||||
+src/cppw.c
|
|
||||||
src/expiry.c
|
|
||||||
src/faillog.c
|
|
||||||
src/gpasswd.c
|
|
||||||
Vendored
-64
@@ -1,64 +0,0 @@
|
|||||||
Goal: Add selinux support to cppw
|
|
||||||
|
|
||||||
Fix:
|
|
||||||
|
|
||||||
Status wrt upstream: cppw is not available upstream.
|
|
||||||
The patch was made based on the
|
|
||||||
302_vim_selinux_support patch. It needs to be
|
|
||||||
reviewed by an SE-Linux aware person.
|
|
||||||
|
|
||||||
Depends on 401_cppw_src.dpatch
|
|
||||||
|
|
||||||
Index: git/src/cppw.c
|
|
||||||
===================================================================
|
|
||||||
--- git.orig/src/cppw.c
|
|
||||||
+++ git/src/cppw.c
|
|
||||||
@@ -34,6 +34,9 @@
|
|
||||||
#include <sys/types.h>
|
|
||||||
#include <signal.h>
|
|
||||||
#include <utime.h>
|
|
||||||
+#ifdef WITH_SELINUX
|
|
||||||
+#include <selinux/selinux.h>
|
|
||||||
+#endif /* WITH_SELINUX */
|
|
||||||
#include "exitcodes.h"
|
|
||||||
#include "prototypes.h"
|
|
||||||
#include "pwio.h"
|
|
||||||
@@ -139,6 +142,22 @@
|
|
||||||
if (access (file, F_OK) != 0) {
|
|
||||||
cppwexit (file, 1, 1);
|
|
||||||
}
|
|
||||||
+#ifdef WITH_SELINUX
|
|
||||||
+ /* if SE Linux is enabled then set the context of all new files
|
|
||||||
+ * to be the context of the file we are editing */
|
|
||||||
+ if (is_selinux_enabled () > 0) {
|
|
||||||
+ security_context_t passwd_context=NULL;
|
|
||||||
+ int ret = 0;
|
|
||||||
+ if (getfilecon (file, &passwd_context) < 0) {
|
|
||||||
+ cppwexit (_("Couldn't get file context"), errno, 1);
|
|
||||||
+ }
|
|
||||||
+ ret = setfscreatecon (passwd_context);
|
|
||||||
+ freecon (passwd_context);
|
|
||||||
+ if (0 != ret) {
|
|
||||||
+ cppwexit (_("setfscreatecon () failed"), errno, 1);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+#endif /* WITH_SELINUX */
|
|
||||||
if (file_lock () == 0) {
|
|
||||||
cppwexit (_("Couldn't lock file"), 0, 5);
|
|
||||||
}
|
|
||||||
@@ -167,6 +186,15 @@
|
|
||||||
cppwexit (NULL,0,1);
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifdef WITH_SELINUX
|
|
||||||
+ /* unset the fscreatecon */
|
|
||||||
+ if (is_selinux_enabled () > 0) {
|
|
||||||
+ if (setfscreatecon (NULL)) {
|
|
||||||
+ cppwexit (_("setfscreatecon() failed"), errno, 1);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+#endif /* WITH_SELINUX */
|
|
||||||
+
|
|
||||||
(*file_unlock) ();
|
|
||||||
}
|
|
||||||
|
|
||||||
-88
@@ -1,88 +0,0 @@
|
|||||||
Goal: Re-enable logging and displaying failures on login when login is
|
|
||||||
compiled with PAM and when FAILLOG_ENAB is set to yes. And create the
|
|
||||||
faillog file if it does not exist on postinst (as on Woody).
|
|
||||||
Depends: 008_login_more_LOG_UNKFAIL_ENAB
|
|
||||||
Fixes: #192849
|
|
||||||
|
|
||||||
Note: It could be removed if pam_tally could report the number of failures
|
|
||||||
preceding a successful login.
|
|
||||||
|
|
||||||
Index: shadow-4.4/src/login.c
|
|
||||||
===================================================================
|
|
||||||
--- shadow-4.4.orig/src/login.c
|
|
||||||
+++ shadow-4.4/src/login.c
|
|
||||||
@@ -131,9 +131,9 @@ static void update_utmp (const char *use
|
|
||||||
const char *host,
|
|
||||||
/*@null@*/const struct utmp *utent);
|
|
||||||
|
|
||||||
-#ifndef USE_PAM
|
|
||||||
static struct faillog faillog;
|
|
||||||
|
|
||||||
+#ifndef USE_PAM
|
|
||||||
static void bad_time_notify (void);
|
|
||||||
static void check_nologin (bool login_to_root);
|
|
||||||
#else
|
|
||||||
@@ -794,6 +794,9 @@ int main (int argc, char **argv)
|
|
||||||
SYSLOG ((LOG_NOTICE,
|
|
||||||
"TOO MANY LOGIN TRIES (%u)%s FOR '%s'",
|
|
||||||
failcount, fromhost, failent_user));
|
|
||||||
+ if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) {
|
|
||||||
+ failure (pwd->pw_uid, tty, &faillog);
|
|
||||||
+ }
|
|
||||||
fprintf (stderr,
|
|
||||||
_("Maximum number of tries exceeded (%u)\n"),
|
|
||||||
failcount);
|
|
||||||
@@ -811,6 +814,14 @@ int main (int argc, char **argv)
|
|
||||||
pam_strerror (pamh, retcode)));
|
|
||||||
failed = true;
|
|
||||||
}
|
|
||||||
+ if ( (NULL != pwd)
|
|
||||||
+ && getdef_bool("FAILLOG_ENAB")
|
|
||||||
+ && ! failcheck (pwd->pw_uid, &faillog, failed)) {
|
|
||||||
+ SYSLOG((LOG_CRIT,
|
|
||||||
+ "exceeded failure limit for `%s' %s",
|
|
||||||
+ failent_user, fromhost));
|
|
||||||
+ failed = 1;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
if (!failed) {
|
|
||||||
break;
|
|
||||||
@@ -834,6 +845,10 @@ int main (int argc, char **argv)
|
|
||||||
(void) puts ("");
|
|
||||||
(void) puts (_("Login incorrect"));
|
|
||||||
|
|
||||||
+ if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) {
|
|
||||||
+ failure (pwd->pw_uid, tty, &faillog);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (getdef_str("FTMP_FILE") != NULL) {
|
|
||||||
#ifdef USE_UTMPX
|
|
||||||
struct utmpx *failent =
|
|
||||||
@@ -1288,6 +1303,7 @@ int main (int argc, char **argv)
|
|
||||||
*/
|
|
||||||
#ifndef USE_PAM
|
|
||||||
motd (); /* print the message of the day */
|
|
||||||
+#endif
|
|
||||||
if ( getdef_bool ("FAILLOG_ENAB")
|
|
||||||
&& (0 != faillog.fail_cnt)) {
|
|
||||||
failprint (&faillog);
|
|
||||||
@@ -1300,6 +1316,7 @@ int main (int argc, char **argv)
|
|
||||||
username, (int) faillog.fail_cnt));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
+#ifndef USE_PAM
|
|
||||||
if ( getdef_bool ("LASTLOG_ENAB")
|
|
||||||
&& (ll.ll_time != 0)) {
|
|
||||||
time_t ll_time = ll.ll_time;
|
|
||||||
Index: shadow-4.4/lib/getdef.c
|
|
||||||
===================================================================
|
|
||||||
--- shadow-4.4.orig/lib/getdef.c
|
|
||||||
+++ shadow-4.4/lib/getdef.c
|
|
||||||
@@ -86,6 +86,7 @@ static struct itemdef def_table[] = {
|
|
||||||
{"ENV_SUPATH", NULL},
|
|
||||||
{"ERASECHAR", NULL},
|
|
||||||
{"FAIL_DELAY", NULL},
|
|
||||||
+ {"FAILLOG_ENAB", NULL},
|
|
||||||
{"FAKE_SHELL", NULL},
|
|
||||||
{"FTMP_FILE", NULL},
|
|
||||||
{"GID_MAX", NULL},
|
|
||||||
-101
@@ -1,101 +0,0 @@
|
|||||||
Goal: Do not hardcode pam_fail_delay and let pam_unix do its
|
|
||||||
job to set a delay...or not
|
|
||||||
|
|
||||||
Fixes: #87648
|
|
||||||
|
|
||||||
Status wrt upstream: Forwarded but not applied yet
|
|
||||||
|
|
||||||
Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
|
|
||||||
|
|
||||||
Index: shadow-4.4/src/login.c
|
|
||||||
===================================================================
|
|
||||||
--- shadow-4.4.orig/src/login.c
|
|
||||||
+++ shadow-4.4/src/login.c
|
|
||||||
@@ -525,7 +525,6 @@ int main (int argc, char **argv)
|
|
||||||
#if defined(HAVE_STRFTIME) && !defined(USE_PAM)
|
|
||||||
char ptime[80];
|
|
||||||
#endif
|
|
||||||
- unsigned int delay;
|
|
||||||
unsigned int retries;
|
|
||||||
bool subroot = false;
|
|
||||||
#ifndef USE_PAM
|
|
||||||
@@ -546,6 +545,7 @@ int main (int argc, char **argv)
|
|
||||||
pid_t child;
|
|
||||||
char *pam_user = NULL;
|
|
||||||
#else
|
|
||||||
+ unsigned int delay;
|
|
||||||
struct spwd *spwd = NULL;
|
|
||||||
#endif
|
|
||||||
/*
|
|
||||||
@@ -708,7 +708,6 @@ int main (int argc, char **argv)
|
|
||||||
}
|
|
||||||
|
|
||||||
environ = newenvp; /* make new environment active */
|
|
||||||
- delay = getdef_unum ("FAIL_DELAY", 1);
|
|
||||||
retries = getdef_unum ("LOGIN_RETRIES", RETRIES);
|
|
||||||
|
|
||||||
#ifdef USE_PAM
|
|
||||||
@@ -724,8 +723,7 @@ int main (int argc, char **argv)
|
|
||||||
|
|
||||||
/*
|
|
||||||
* hostname & tty are either set to NULL or their correct values,
|
|
||||||
- * depending on how much we know. We also set PAM's fail delay to
|
|
||||||
- * ours.
|
|
||||||
+ * depending on how much we know.
|
|
||||||
*
|
|
||||||
* PAM_RHOST and PAM_TTY are used for authentication, only use
|
|
||||||
* information coming from login or from the caller (e.g. no utmp)
|
|
||||||
@@ -734,10 +732,6 @@ int main (int argc, char **argv)
|
|
||||||
PAM_FAIL_CHECK;
|
|
||||||
retcode = pam_set_item (pamh, PAM_TTY, tty);
|
|
||||||
PAM_FAIL_CHECK;
|
|
||||||
-#ifdef HAS_PAM_FAIL_DELAY
|
|
||||||
- retcode = pam_fail_delay (pamh, 1000000 * delay);
|
|
||||||
- PAM_FAIL_CHECK;
|
|
||||||
-#endif
|
|
||||||
/* if fflg, then the user has already been authenticated */
|
|
||||||
if (!fflg) {
|
|
||||||
unsigned int failcount = 0;
|
|
||||||
@@ -778,12 +772,6 @@ int main (int argc, char **argv)
|
|
||||||
bool failed = false;
|
|
||||||
|
|
||||||
failcount++;
|
|
||||||
-#ifdef HAS_PAM_FAIL_DELAY
|
|
||||||
- if (delay > 0) {
|
|
||||||
- retcode = pam_fail_delay(pamh, 1000000*delay);
|
|
||||||
- PAM_FAIL_CHECK;
|
|
||||||
- }
|
|
||||||
-#endif
|
|
||||||
|
|
||||||
retcode = pam_authenticate (pamh, 0);
|
|
||||||
|
|
||||||
@@ -1106,14 +1094,17 @@ int main (int argc, char **argv)
|
|
||||||
free (username);
|
|
||||||
username = NULL;
|
|
||||||
|
|
||||||
+#ifndef USE_PAM
|
|
||||||
/*
|
|
||||||
* Wait a while (a la SVR4 /usr/bin/login) before attempting
|
|
||||||
* to login the user again. If the earlier alarm occurs
|
|
||||||
* before the sleep() below completes, login will exit.
|
|
||||||
*/
|
|
||||||
+ delay = getdef_unum ("FAIL_DELAY", 1);
|
|
||||||
if (delay > 0) {
|
|
||||||
(void) sleep (delay);
|
|
||||||
}
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
(void) puts (_("Login incorrect"));
|
|
||||||
|
|
||||||
Index: shadow-4.4/lib/getdef.c
|
|
||||||
===================================================================
|
|
||||||
--- shadow-4.4.orig/lib/getdef.c
|
|
||||||
+++ shadow-4.4/lib/getdef.c
|
|
||||||
@@ -85,7 +85,6 @@ static struct itemdef def_table[] = {
|
|
||||||
{"ENV_PATH", NULL},
|
|
||||||
{"ENV_SUPATH", NULL},
|
|
||||||
{"ERASECHAR", NULL},
|
|
||||||
- {"FAIL_DELAY", NULL},
|
|
||||||
{"FAILLOG_ENAB", NULL},
|
|
||||||
{"FAKE_SHELL", NULL},
|
|
||||||
{"FTMP_FILE", NULL},
|
|
||||||
-60
@@ -1,60 +0,0 @@
|
|||||||
Goal: save the [g]shadow files with the 'shadow' group and mode 0440
|
|
||||||
|
|
||||||
Fixes: #166793
|
|
||||||
|
|
||||||
--- a/lib/commonio.c
|
|
||||||
+++ b/lib/commonio.c
|
|
||||||
@@ -44,6 +44,7 @@
|
|
||||||
#include <errno.h>
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <signal.h>
|
|
||||||
+#include <grp.h>
|
|
||||||
#include "nscd.h"
|
|
||||||
#ifdef WITH_TCB
|
|
||||||
#include <tcb.h>
|
|
||||||
@@ -963,12 +964,23 @@
|
|
||||||
goto fail;
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
+ struct group *grp;
|
|
||||||
/*
|
|
||||||
* Default permissions for new [g]shadow files.
|
|
||||||
*/
|
|
||||||
sb.st_mode = db->st_mode;
|
|
||||||
sb.st_uid = db->st_uid;
|
|
||||||
sb.st_gid = db->st_gid;
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Try to retrieve the shadow's GID, and fall back to GID 0.
|
|
||||||
+ */
|
|
||||||
+ if (sb.st_gid == 0) {
|
|
||||||
+ if ((grp = getgrnam("shadow")) != NULL)
|
|
||||||
+ sb.st_gid = grp->gr_gid;
|
|
||||||
+ else
|
|
||||||
+ sb.st_gid = 0;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
snprintf (buf, sizeof buf, "%s+", db->filename);
|
|
||||||
--- a/lib/sgroupio.c
|
|
||||||
+++ b/lib/sgroupio.c
|
|
||||||
@@ -229,7 +229,7 @@
|
|
||||||
#ifdef WITH_SELINUX
|
|
||||||
NULL, /* scontext */
|
|
||||||
#endif
|
|
||||||
- 0400, /* st_mode */
|
|
||||||
+ 0440, /* st_mode */
|
|
||||||
0, /* st_uid */
|
|
||||||
0, /* st_gid */
|
|
||||||
NULL, /* head */
|
|
||||||
--- a/lib/shadowio.c
|
|
||||||
+++ b/lib/shadowio.c
|
|
||||||
@@ -105,7 +105,7 @@
|
|
||||||
#ifdef WITH_SELINUX
|
|
||||||
NULL, /* scontext */
|
|
||||||
#endif /* WITH_SELINUX */
|
|
||||||
- 0400, /* st_mode */
|
|
||||||
+ 0440, /* st_mode */
|
|
||||||
0, /* st_uid */
|
|
||||||
0, /* st_gid */
|
|
||||||
NULL, /* head */
|
|
||||||
Vendored
-201
@@ -1,201 +0,0 @@
|
|||||||
Goal: Document the shadowconfig utility
|
|
||||||
|
|
||||||
Status wrt upstream: The shadowconfig utility is debian specific.
|
|
||||||
Its man page also (but it used to be distributed)
|
|
||||||
|
|
||||||
Index: git/man/shadowconfig.8
|
|
||||||
===================================================================
|
|
||||||
--- /dev/null
|
|
||||||
+++ git/man/shadowconfig.8
|
|
||||||
@@ -0,0 +1,41 @@
|
|
||||||
+.\"Generated by db2man.xsl. Don't modify this, modify the source.
|
|
||||||
+.de Sh \" Subsection
|
|
||||||
+.br
|
|
||||||
+.if t .Sp
|
|
||||||
+.ne 5
|
|
||||||
+.PP
|
|
||||||
+\fB\\$1\fR
|
|
||||||
+.PP
|
|
||||||
+..
|
|
||||||
+.de Sp \" Vertical space (when we can't use .PP)
|
|
||||||
+.if t .sp .5v
|
|
||||||
+.if n .sp
|
|
||||||
+..
|
|
||||||
+.de Ip \" List item
|
|
||||||
+.br
|
|
||||||
+.ie \\n(.$>=3 .ne \\$3
|
|
||||||
+.el .ne 3
|
|
||||||
+.IP "\\$1" \\$2
|
|
||||||
+..
|
|
||||||
+.TH "SHADOWCONFIG" 8 "19 Apr 1997" "" ""
|
|
||||||
+.SH NAME
|
|
||||||
+shadowconfig \- toggle shadow passwords on and off
|
|
||||||
+.SH "SYNOPSIS"
|
|
||||||
+.ad l
|
|
||||||
+.hy 0
|
|
||||||
+.HP 13
|
|
||||||
+\fBshadowconfig\fR \fB\fIon\fR\fR | \fB\fIoff\fR\fR
|
|
||||||
+.ad
|
|
||||||
+.hy
|
|
||||||
+
|
|
||||||
+.SH "DESCRIPTION"
|
|
||||||
+
|
|
||||||
+.PP
|
|
||||||
+\fBshadowconfig\fR on will turn shadow passwords on; \fIshadowconfig off\fR will turn shadow passwords off\&. \fBshadowconfig\fR will print an error message and exit with a nonzero code if it finds anything awry\&. If that happens, you should correct the error and run it again\&. Turning shadow passwords on when they are already on, or off when they are already off, is harmless\&.
|
|
||||||
+
|
|
||||||
+.PP
|
|
||||||
+Read \fI/usr/share/doc/passwd/README\&.Debian\fR for a brief introduction to shadow passwords and related features\&.
|
|
||||||
+
|
|
||||||
+.PP
|
|
||||||
+Note that turning shadow passwords off and on again will lose all password aging information\&.
|
|
||||||
+
|
|
||||||
Index: git/man/shadowconfig.8.xml
|
|
||||||
===================================================================
|
|
||||||
--- /dev/null
|
|
||||||
+++ git/man/shadowconfig.8.xml
|
|
||||||
@@ -0,0 +1,52 @@
|
|
||||||
+<?xml version="1.0" encoding="UTF-8"?>
|
|
||||||
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
|
||||||
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
|
|
||||||
+<refentry id='shadowconfig.8'>
|
|
||||||
+ <!-- $Id: shadowconfig.8.xml,v 1.6 2005/06/15 12:39:27 kloczek Exp $ -->
|
|
||||||
+ <refentryinfo>
|
|
||||||
+ <date>19 Apr 1997</date>
|
|
||||||
+ </refentryinfo>
|
|
||||||
+ <refmeta>
|
|
||||||
+ <refentrytitle>shadowconfig</refentrytitle>
|
|
||||||
+ <manvolnum>8</manvolnum>
|
|
||||||
+ <refmiscinfo class='date'>19 Apr 1997</refmiscinfo>
|
|
||||||
+ <refmiscinfo class='source'>Debian GNU/Linux</refmiscinfo>
|
|
||||||
+ </refmeta>
|
|
||||||
+ <refnamediv id='name'>
|
|
||||||
+ <refname>shadowconfig</refname>
|
|
||||||
+ <refpurpose>toggle shadow passwords on and off</refpurpose>
|
|
||||||
+ </refnamediv>
|
|
||||||
+
|
|
||||||
+ <refsynopsisdiv id='synopsis'>
|
|
||||||
+ <cmdsynopsis>
|
|
||||||
+ <command>shadowconfig</command>
|
|
||||||
+ <group choice='plain'>
|
|
||||||
+ <arg choice='plain'><replaceable>on</replaceable></arg>
|
|
||||||
+ <arg choice='plain'><replaceable>off</replaceable></arg>
|
|
||||||
+ </group>
|
|
||||||
+ </cmdsynopsis>
|
|
||||||
+ </refsynopsisdiv>
|
|
||||||
+
|
|
||||||
+ <refsect1 id='description'>
|
|
||||||
+ <title>DESCRIPTION</title>
|
|
||||||
+ <para><command>shadowconfig</command> on will turn shadow passwords on;
|
|
||||||
+ <emphasis remap='B'>shadowconfig off</emphasis> will turn shadow
|
|
||||||
+ passwords off. <command>shadowconfig</command> will print an error
|
|
||||||
+ message and exit with a nonzero code if it finds anything awry. If
|
|
||||||
+ that happens, you should correct the error and run it again. Turning
|
|
||||||
+ shadow passwords on when they are already on, or off when they are
|
|
||||||
+ already off, is harmless.
|
|
||||||
+ </para>
|
|
||||||
+
|
|
||||||
+ <para>
|
|
||||||
+ Read <filename>/usr/share/doc/passwd/README.Debian</filename> for a
|
|
||||||
+ brief introduction
|
|
||||||
+ to shadow passwords and related features.
|
|
||||||
+ </para>
|
|
||||||
+
|
|
||||||
+ <para>Note that turning shadow passwords off and on again will lose all
|
|
||||||
+ password
|
|
||||||
+ aging information.
|
|
||||||
+ </para>
|
|
||||||
+ </refsect1>
|
|
||||||
+</refentry>
|
|
||||||
Index: git/man/fr/shadowconfig.8
|
|
||||||
===================================================================
|
|
||||||
--- /dev/null
|
|
||||||
+++ git/man/fr/shadowconfig.8
|
|
||||||
@@ -0,0 +1,26 @@
|
|
||||||
+.\" This file was generated with po4a. Translate the source file.
|
|
||||||
+.\"
|
|
||||||
+.\"$Id: shadowconfig.8,v 1.4 2001/08/23 23:10:48 kloczek Exp $
|
|
||||||
+.TH SHADOWCONFIG 8 "19 avril 1997" "Debian GNU/Linux"
|
|
||||||
+.SH NOM
|
|
||||||
+shadowconfig \- active ou désactive les mots de passe cachés
|
|
||||||
+.SH SYNOPSIS
|
|
||||||
+\fBshadowconfig\fP \fIon\fP | \fIoff\fP
|
|
||||||
+.SH DESCRIPTION
|
|
||||||
+.PP
|
|
||||||
+\fBshadowconfig on\fP active les mots de passe cachés («\ shadow passwords\ »)\ ; \fBshadowconfig off\fP les désactive. \fBShadowconfig\fP affiche un message
|
|
||||||
+d'erreur et quitte avec une valeur de retour non nulle s'il rencontre
|
|
||||||
+quelque chose d'inattendu. Dans ce cas, vous devrez corriger l'erreur avant
|
|
||||||
+de recommencer.
|
|
||||||
+
|
|
||||||
+Activer les mots de passe cachés lorsqu'ils sont déjà activés, ou les
|
|
||||||
+désactiver lorsqu'ils ne sont pas actifs est sans effet.
|
|
||||||
+
|
|
||||||
+Lisez \fI/usr/share/doc/passwd/README.Debian\fP pour une brève introduction aux
|
|
||||||
+mots de passe cachés et à leurs fonctionnalités.
|
|
||||||
+
|
|
||||||
+Notez que désactiver puis réactiver les mots de passe cachés aura pour
|
|
||||||
+conséquence la perte des informations d'âge sur les mots de passe.
|
|
||||||
+.SH TRADUCTION
|
|
||||||
+Nicolas FRANÇOIS, 2004.
|
|
||||||
+Veuillez signaler toute erreur à <\fIdebian\-l10\-french@lists.debian.org\fR>.
|
|
||||||
Index: git/man/ja/shadowconfig.8
|
|
||||||
===================================================================
|
|
||||||
--- /dev/null
|
|
||||||
+++ git/man/ja/shadowconfig.8
|
|
||||||
@@ -0,0 +1,25 @@
|
|
||||||
+.\" all right reserved,
|
|
||||||
+.\" Translated Tue Oct 30 11:59:11 JST 2001
|
|
||||||
+.\" by Maki KURODA <mkuroda@aisys-jp.com>
|
|
||||||
+.\"
|
|
||||||
+.TH SHADOWCONFIG 8 "19 Apr 1997" "Debian GNU/Linux"
|
|
||||||
+.SH 名前
|
|
||||||
+shadowconfig \- shadow パスワードの設定をオン及びオフに切替える
|
|
||||||
+.SH 書式
|
|
||||||
+.B "shadowconfig"
|
|
||||||
+.IR on " | " off
|
|
||||||
+.SH 説明
|
|
||||||
+.PP
|
|
||||||
+.B shadowconfig on
|
|
||||||
+は shadow パスワードを有効にする。
|
|
||||||
+.B shadowconfig off
|
|
||||||
+は shadow パスワードを無効にする。
|
|
||||||
+.B shadowconfig
|
|
||||||
+は何らかの間違いがあると、エラーメッセージを表示し、
|
|
||||||
+ゼロではない返り値を返す。
|
|
||||||
+もしそのようなことが起こった場合、エラーを修正し、再度実行しなければならない。
|
|
||||||
+shadow パスワードの設定がすでにオンの場合にオンに設定したり、
|
|
||||||
+すでにオフの場合にオフに設定しても、何の影響もない。
|
|
||||||
+
|
|
||||||
+.I /usr/share/doc/passwd/README.debian.gz
|
|
||||||
+には shadow パスワードとそれに関する特徴の簡単な紹介が書かれている。
|
|
||||||
Index: git/man/pl/shadowconfig.8
|
|
||||||
===================================================================
|
|
||||||
--- /dev/null
|
|
||||||
+++ git/man/pl/shadowconfig.8
|
|
||||||
@@ -0,0 +1,27 @@
|
|
||||||
+.\" $Id: shadowconfig.8,v 1.3 2001/08/23 23:10:51 kloczek Exp $
|
|
||||||
+.\" {PTM/WK/1999-09-14}
|
|
||||||
+.TH SHADOWCONFIG 8 "19 kwietnia 1997" "Debian GNU/Linux"
|
|
||||||
+.SH NAZWA
|
|
||||||
+shadowconfig - przełącza ochronę haseł i grup przez pliki shadow
|
|
||||||
+.SH SKŁADNIA
|
|
||||||
+.B "shadowconfig"
|
|
||||||
+.IR on " | " off
|
|
||||||
+.SH OPIS
|
|
||||||
+.PP
|
|
||||||
+.B shadowconfig on
|
|
||||||
+włącza ochronę haseł i grup przez dodatkowe, przesłaniane pliki (shadow);
|
|
||||||
+.B shadowconfig off
|
|
||||||
+wyłącza dodatkowe pliki haseł i grup.
|
|
||||||
+.B shadowconfig
|
|
||||||
+wyświetla komunikat o błędzie i kończy pracę z niezerowym kodem jeśli
|
|
||||||
+znajdzie coś nieprawidłowego. W takim wypadku powinieneś poprawić błąd
|
|
||||||
+.\" if it finds anything awry.
|
|
||||||
+i uruchomić program ponownie.
|
|
||||||
+
|
|
||||||
+Włączenie ochrony haseł, gdy jest ona już włączona lub jej wyłączenie,
|
|
||||||
+gdy jest wyłączona jest nieszkodliwe.
|
|
||||||
+
|
|
||||||
+Przeczytaj
|
|
||||||
+.IR /usr/share/doc/passwd/README.debian.gz ,
|
|
||||||
+gdzie znajdziesz krótkie wprowadzenie do ochrony haseł z użyciem dodatkowych
|
|
||||||
+plików haseł przesłanianych (shadow passwords) i związanych tematów.
|
|
||||||
-40
@@ -1,40 +0,0 @@
|
|||||||
Goal: Recommend using adduser and deluser.
|
|
||||||
|
|
||||||
Fixes: #406046
|
|
||||||
|
|
||||||
Status wrt upstream: Debian specific patch.
|
|
||||||
|
|
||||||
Index: git/man/useradd.8.xml
|
|
||||||
===================================================================
|
|
||||||
--- git.orig/man/useradd.8.xml
|
|
||||||
+++ git/man/useradd.8.xml
|
|
||||||
@@ -105,6 +105,12 @@
|
|
||||||
<refsect1 id='description'>
|
|
||||||
<title>DESCRIPTION</title>
|
|
||||||
<para>
|
|
||||||
+ <command>useradd</command> is a low level utility for adding
|
|
||||||
+ users. On Debian, administrators should usually use
|
|
||||||
+ <citerefentry><refentrytitle>adduser</refentrytitle>
|
|
||||||
+ <manvolnum>8</manvolnum></citerefentry> instead.
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
When invoked without the <option>-D</option> option, the
|
|
||||||
<command>useradd</command> command creates a new user account using
|
|
||||||
the values specified on the command line plus the default values from
|
|
||||||
Index: git/man/userdel.8.xml
|
|
||||||
===================================================================
|
|
||||||
--- git.orig/man/userdel.8.xml
|
|
||||||
+++ git/man/userdel.8.xml
|
|
||||||
@@ -83,6 +83,12 @@
|
|
||||||
<refsect1 id='description'>
|
|
||||||
<title>DESCRIPTION</title>
|
|
||||||
<para>
|
|
||||||
+ <command>userdel</command> is a low level utility for removing
|
|
||||||
+ users. On Debian, administrators should usually use
|
|
||||||
+ <citerefentry><refentrytitle>deluser</refentrytitle>
|
|
||||||
+ <manvolnum>8</manvolnum></citerefentry> instead.
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
The <command>userdel</command> command modifies the system account
|
|
||||||
files, deleting all entries that refer to the user name <emphasis
|
|
||||||
remap='I'>LOGIN</emphasis>. The named user must exist.
|
|
||||||
Vendored
-106
@@ -1,106 +0,0 @@
|
|||||||
Goal: Relaxed usernames/groupnames checking patch.
|
|
||||||
|
|
||||||
Status wrt upstream: Debian specific. Not to be used upstream
|
|
||||||
|
|
||||||
Details:
|
|
||||||
Allows any non-empty user/grounames that don't contain ':', ',' or '\n'
|
|
||||||
characters and don't start with '-', '+', or '~'. This patch is more
|
|
||||||
restrictive than original Karl's version. closes: #264879
|
|
||||||
Also closes: #377844
|
|
||||||
|
|
||||||
Comments from Karl Ramm (shadow 1:4.0.3-9, 20 Aug 2003 02:06:50 -0400):
|
|
||||||
|
|
||||||
I can't come up with a good justification as to why characters other
|
|
||||||
than ':'s and '\0's should be disallowed in group and usernames (other
|
|
||||||
than '-' as the leading character). Thus, the maintenance tools don't
|
|
||||||
anymore. closes: #79682, #166798, #171179
|
|
||||||
|
|
||||||
Index: git/libmisc/chkname.c
|
|
||||||
===================================================================
|
|
||||||
--- git.orig/libmisc/chkname.c
|
|
||||||
+++ git/libmisc/chkname.c
|
|
||||||
@@ -48,6 +48,7 @@
|
|
||||||
|
|
||||||
static bool is_valid_name (const char *name)
|
|
||||||
{
|
|
||||||
+#if 0
|
|
||||||
/*
|
|
||||||
* User/group names must match [a-z_][a-z0-9_-]*[$]
|
|
||||||
*/
|
|
||||||
@@ -66,6 +67,26 @@
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
+#endif
|
|
||||||
+ /*
|
|
||||||
+ * POSIX indicate that usernames are composed of characters from the
|
|
||||||
+ * portable filename character set [A-Za-z0-9._-], and that the hyphen
|
|
||||||
+ * should not be used as the first character of a portable user name.
|
|
||||||
+ *
|
|
||||||
+ * Allow more relaxed user/group names in Debian -- ^[^-~+:,\s][^:,\s]*$
|
|
||||||
+ */
|
|
||||||
+ if ( ('\0' == *name)
|
|
||||||
+ || ('-' == *name)
|
|
||||||
+ || ('~' == *name)
|
|
||||||
+ || ('+' == *name)) {
|
|
||||||
+ return false;
|
|
||||||
+ }
|
|
||||||
+ do {
|
|
||||||
+ if ((':' == *name) || (',' == *name) || isspace(*name)) {
|
|
||||||
+ return false;
|
|
||||||
+ }
|
|
||||||
+ name++;
|
|
||||||
+ } while ('\0' != *name);
|
|
||||||
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
Index: git/man/useradd.8.xml
|
|
||||||
===================================================================
|
|
||||||
--- git.orig/man/useradd.8.xml
|
|
||||||
+++ git/man/useradd.8.xml
|
|
||||||
@@ -633,12 +633,20 @@
|
|
||||||
</para>
|
|
||||||
|
|
||||||
<para>
|
|
||||||
- Usernames must start with a lower case letter or an underscore,
|
|
||||||
+ It is usually recommended to only use usernames that begin with a lower case letter or an underscore,
|
|
||||||
followed by lower case letters, digits, underscores, or dashes.
|
|
||||||
They can end with a dollar sign.
|
|
||||||
In regular expression terms: [a-z_][a-z0-9_-]*[$]?
|
|
||||||
</para>
|
|
||||||
<para>
|
|
||||||
+ On Debian, the only constraints are that usernames must neither start
|
|
||||||
+ with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a
|
|
||||||
+ colon (':'), a comma (','), or a whitespace (space: ' ',
|
|
||||||
+ end of line: '\n', tabulation: '\t', etc.). Note that using a slash
|
|
||||||
+ ('/') may break the default algorithm for the definition of the
|
|
||||||
+ user's home directory.
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
Usernames may only be up to 32 characters long.
|
|
||||||
</para>
|
|
||||||
</refsect1>
|
|
||||||
Index: git/man/groupadd.8.xml
|
|
||||||
===================================================================
|
|
||||||
--- git.orig/man/groupadd.8.xml
|
|
||||||
+++ git/man/groupadd.8.xml
|
|
||||||
@@ -256,12 +256,18 @@
|
|
||||||
<refsect1 id='caveats'>
|
|
||||||
<title>CAVEATS</title>
|
|
||||||
<para>
|
|
||||||
- Groupnames must start with a lower case letter or an underscore,
|
|
||||||
+ It is usually recommended to only use groupnames that begin with a lower case letter or an underscore,
|
|
||||||
followed by lower case letters, digits, underscores, or dashes.
|
|
||||||
They can end with a dollar sign.
|
|
||||||
In regular expression terms: [a-z_][a-z0-9_-]*[$]?
|
|
||||||
</para>
|
|
||||||
<para>
|
|
||||||
+ On Debian, the only constraints are that groupnames must neither start
|
|
||||||
+ with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a
|
|
||||||
+ colon (':'), a comma (','), or a whitespace (space:' ',
|
|
||||||
+ end of line: '\n', tabulation: '\t', etc.).
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
|
|
||||||
</para>
|
|
||||||
<para>
|
|
||||||
-18
@@ -1,18 +0,0 @@
|
|||||||
--- a/src/Makefile.am
|
|
||||||
+++ b/src/Makefile.am
|
|
||||||
@@ -24,7 +24,6 @@
|
|
||||||
# $prefix/bin and $prefix/sbin, no install-data hacks...)
|
|
||||||
|
|
||||||
bin_PROGRAMS = groups login su
|
|
||||||
-sbin_PROGRAMS = nologin
|
|
||||||
ubin_PROGRAMS = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd
|
|
||||||
if ENABLE_SUBIDS
|
|
||||||
ubin_PROGRAMS += newgidmap newuidmap
|
|
||||||
@@ -42,6 +41,7 @@
|
|
||||||
grpunconv \
|
|
||||||
logoutd \
|
|
||||||
newusers \
|
|
||||||
+ nologin \
|
|
||||||
pwck \
|
|
||||||
pwconv \
|
|
||||||
pwunconv \
|
|
||||||
Vendored
-43
@@ -1,43 +0,0 @@
|
|||||||
Goal: accepts the -O flag for backward compatibility. (was used by adduser?)
|
|
||||||
|
|
||||||
Note: useradd.8 needs to be regenerated.
|
|
||||||
|
|
||||||
Status wrt upstream: not included as this is just specific
|
|
||||||
backward compatibility for Debian
|
|
||||||
|
|
||||||
--- a/man/useradd.8.xml
|
|
||||||
+++ b/man/useradd.8.xml
|
|
||||||
@@ -329,6 +329,11 @@
|
|
||||||
databases are reset to avoid reusing the entry from a previously
|
|
||||||
deleted user.
|
|
||||||
</para>
|
|
||||||
+ <para>
|
|
||||||
+ For the compatibility with previous Debian's
|
|
||||||
+ <command>useradd</command>, the <option>-O</option> option is
|
|
||||||
+ also supported.
|
|
||||||
+ </para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
<varlistentry>
|
|
||||||
--- a/src/useradd.c
|
|
||||||
+++ b/src/useradd.c
|
|
||||||
@@ -1059,9 +1059,9 @@
|
|
||||||
};
|
|
||||||
while ((c = getopt_long (argc, argv,
|
|
||||||
#ifdef WITH_SELINUX
|
|
||||||
- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:UZ:",
|
|
||||||
+ "b:c:d:De:f:g:G:hk:O:K:lmMNop:rR:s:u:UZ:",
|
|
||||||
#else /* !WITH_SELINUX */
|
|
||||||
- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:U",
|
|
||||||
+ "b:c:d:De:f:g:G:hk:O:K:lmMNop:rR:s:u:U",
|
|
||||||
#endif /* !WITH_SELINUX */
|
|
||||||
long_options, NULL)) != -1) {
|
|
||||||
switch (c) {
|
|
||||||
@@ -1184,6 +1184,7 @@
|
|
||||||
kflg = true;
|
|
||||||
break;
|
|
||||||
case 'K':
|
|
||||||
+ case 'O': /* compatibility with previous Debian useradd */
|
|
||||||
/*
|
|
||||||
* override login.defs defaults (-K name=value)
|
|
||||||
* example: -K UID_MIN=100 -K UID_MAX=499
|
|
||||||
-81
@@ -1,81 +0,0 @@
|
|||||||
--- a/debian/passwd.install
|
|
||||||
+++ b/debian/passwd.install
|
|
||||||
@@ -9,6 +9,7 @@
|
|
||||||
usr/sbin/cppw
|
|
||||||
usr/sbin/groupadd
|
|
||||||
usr/sbin/groupdel
|
|
||||||
+usr/sbin/groupmems
|
|
||||||
usr/sbin/groupmod
|
|
||||||
usr/sbin/grpck
|
|
||||||
usr/sbin/grpconv
|
|
||||||
@@ -33,6 +34,7 @@
|
|
||||||
usr/share/man/*/man8/chpasswd.8
|
|
||||||
usr/share/man/*/man8/groupadd.8
|
|
||||||
usr/share/man/*/man8/groupdel.8
|
|
||||||
+usr/share/man/*/man8/groupmems.8
|
|
||||||
usr/share/man/*/man8/groupmod.8
|
|
||||||
usr/share/man/*/man8/grpck.8
|
|
||||||
usr/share/man/*/man8/grpconv.8
|
|
||||||
@@ -59,6 +61,7 @@
|
|
||||||
usr/share/man/man8/chpasswd.8
|
|
||||||
usr/share/man/man8/groupadd.8
|
|
||||||
usr/share/man/man8/groupdel.8
|
|
||||||
+usr/share/man/man8/groupmems.8
|
|
||||||
usr/share/man/man8/groupmod.8
|
|
||||||
usr/share/man/man8/grpck.8
|
|
||||||
usr/share/man/man8/grpconv.8
|
|
||||||
--- a/debian/passwd.postinst
|
|
||||||
+++ b/debian/passwd.postinst
|
|
||||||
@@ -31,6 +31,24 @@
|
|
||||||
exit 1
|
|
||||||
)
|
|
||||||
fi
|
|
||||||
+ if ! getent group groupmems | grep -q '^groupmems:[^:]*:99'
|
|
||||||
+ then
|
|
||||||
+ groupadd -g 99 groupmems || (
|
|
||||||
+ cat <<EOF
|
|
||||||
+************************ TESTSUITE *****************************
|
|
||||||
+Group ID 99 has been allocated for the groupmems group. You have either
|
|
||||||
+used 99 yourself or created a groupmems group with a different ID.
|
|
||||||
+Please correct this problem and reconfigure with ``dpkg --configure passwd''.
|
|
||||||
+
|
|
||||||
+Note that both user and group IDs in the range 0-99 are globally
|
|
||||||
+allocated by the Debian project and must be the same on every Debian
|
|
||||||
+system.
|
|
||||||
+EOF
|
|
||||||
+ exit 1
|
|
||||||
+ )
|
|
||||||
+# FIXME
|
|
||||||
+ chgrp groupmems /usr/sbin/groupmems
|
|
||||||
+ fi
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
--- a/debian/rules
|
|
||||||
+++ b/debian/rules
|
|
||||||
@@ -60,6 +60,7 @@
|
|
||||||
dh_installpam -p passwd --name=chsh
|
|
||||||
dh_installpam -p passwd --name=chpasswd
|
|
||||||
dh_installpam -p passwd --name=newusers
|
|
||||||
+ dh_installpam -p passwd --name=groupmems
|
|
||||||
ifeq ($(DEB_HOST_ARCH_OS),hurd)
|
|
||||||
# login is not built on The Hurd, but some utilities of passwd depends on
|
|
||||||
# /etc/login.defs.
|
|
||||||
@@ -87,3 +88,6 @@
|
|
||||||
chgrp shadow debian/passwd/usr/bin/expiry
|
|
||||||
chmod g+s debian/passwd/usr/bin/chage
|
|
||||||
chmod g+s debian/passwd/usr/bin/expiry
|
|
||||||
+ chgrp groupmems debian/passwd/usr/sbin/groupmems
|
|
||||||
+ chmod u+s debian/passwd/usr/sbin/groupmems
|
|
||||||
+ chmod o-x debian/passwd/usr/sbin/groupmems
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/debian/passwd.groupmems.pam
|
|
||||||
@@ -0,0 +1,8 @@
|
|
||||||
+# The PAM configuration file for the Shadow 'groupmod' service
|
|
||||||
+#
|
|
||||||
+
|
|
||||||
+# This allows root to modify groups without being prompted for a password
|
|
||||||
+auth sufficient pam_rootok.so
|
|
||||||
+
|
|
||||||
+@include common-auth
|
|
||||||
+@include common-account
|
|
||||||
Vendored
-76
@@ -1,76 +0,0 @@
|
|||||||
--- a/lib/Makefile.am
|
|
||||||
+++ b/lib/Makefile.am
|
|
||||||
@@ -1,6 +1,8 @@
|
|
||||||
|
|
||||||
AUTOMAKE_OPTIONS = 1.0 foreign
|
|
||||||
|
|
||||||
+CFLAGS += -fprofile-arcs -ftest-coverage
|
|
||||||
+
|
|
||||||
DEFS =
|
|
||||||
|
|
||||||
noinst_LTLIBRARIES = libshadow.la
|
|
||||||
--- a/libmisc/Makefile.am
|
|
||||||
+++ b/libmisc/Makefile.am
|
|
||||||
@@ -1,6 +1,8 @@
|
|
||||||
|
|
||||||
EXTRA_DIST = .indent.pro xgetXXbyYY.c
|
|
||||||
|
|
||||||
+CFLAGS += -fprofile-arcs -ftest-coverage
|
|
||||||
+
|
|
||||||
INCLUDES = -I$(top_srcdir)/lib
|
|
||||||
|
|
||||||
noinst_LIBRARIES = libmisc.a
|
|
||||||
--- a/src/Makefile.am
|
|
||||||
+++ b/src/Makefile.am
|
|
||||||
@@ -7,6 +7,8 @@
|
|
||||||
suidperms = 4755
|
|
||||||
sgidperms = 2755
|
|
||||||
|
|
||||||
+CFLAGS += -fprofile-arcs -ftest-coverage
|
|
||||||
+
|
|
||||||
INCLUDES = \
|
|
||||||
-I${top_srcdir}/lib \
|
|
||||||
-I$(top_srcdir)/libmisc
|
|
||||||
--- a/debian/rules
|
|
||||||
+++ b/debian/rules
|
|
||||||
@@ -40,6 +40,12 @@
|
|
||||||
endif
|
|
||||||
export CFLAGS
|
|
||||||
|
|
||||||
+clean:: clean_gcov
|
|
||||||
+
|
|
||||||
+clean_gcov:
|
|
||||||
+ find . -name "*.gcda" -delete
|
|
||||||
+ find . -name "*.gcno" -delete
|
|
||||||
+
|
|
||||||
# Add extras to the install process:
|
|
||||||
binary-install/login::
|
|
||||||
dh_installpam -p login
|
|
||||||
--- a/lib/defines.h
|
|
||||||
+++ b/lib/defines.h
|
|
||||||
@@ -174,23 +174,9 @@
|
|
||||||
trust the formatted time received from the unix domain (or worse,
|
|
||||||
UDP) socket. -MM */
|
|
||||||
/* Avoid translated PAM error messages: Set LC_ALL to "C".
|
|
||||||
+ * This is disabled for coverage testing
|
|
||||||
* --Nekral */
|
|
||||||
-#define SYSLOG(x) \
|
|
||||||
- do { \
|
|
||||||
- char *old_locale = setlocale (LC_ALL, NULL); \
|
|
||||||
- char *saved_locale = NULL; \
|
|
||||||
- if (NULL != old_locale) { \
|
|
||||||
- saved_locale = strdup (old_locale); \
|
|
||||||
- } \
|
|
||||||
- if (NULL != saved_locale) { \
|
|
||||||
- (void) setlocale (LC_ALL, "C"); \
|
|
||||||
- } \
|
|
||||||
- syslog x ; \
|
|
||||||
- if (NULL != saved_locale) { \
|
|
||||||
- (void) setlocale (LC_ALL, saved_locale); \
|
|
||||||
- free (saved_locale); \
|
|
||||||
- } \
|
|
||||||
- } while (false)
|
|
||||||
+#define SYSLOG(x) syslog x
|
|
||||||
#else /* !ENABLE_NLS */
|
|
||||||
#define SYSLOG(x) syslog x
|
|
||||||
#endif /* !ENABLE_NLS */
|
|
||||||
Vendored
-22
@@ -1,22 +0,0 @@
|
|||||||
Small intro to the system for numbering the patches here...
|
|
||||||
|
|
||||||
-The 00xx-... patches are forwarded to upstream's git repository
|
|
||||||
|
|
||||||
-The 0xx_... series of patches are patches isolated from the latest
|
|
||||||
version of the shadow Debian package not using quilt in order to
|
|
||||||
separate upstream from Debian-specific stuff.
|
|
||||||
|
|
||||||
NO MORE PATCHES SHOULD BE ADDED IN THESE SERIES
|
|
||||||
|
|
||||||
-The 4xx series are patches which have been applied to Debian's shadow
|
|
||||||
and have NOT been accepted and/or applied upstream. These patches MUST be kept
|
|
||||||
even after resynced with upstream
|
|
||||||
|
|
||||||
-The 5xx series are patches which are applied to Debian's shadow
|
|
||||||
and will never be proposed upstream because they're too specific
|
|
||||||
This list SHOULD BE AS SHORT AS POSSIBLE
|
|
||||||
|
|
||||||
In short, while we are working towards synchronisation with upstream,
|
|
||||||
our goal is to make 0xx patches disappear by moving them either to 3xx
|
|
||||||
series (things already implemented upstream) or to 4xx series
|
|
||||||
(Debian-specific patches).
|
|
||||||
Vendored
-20
@@ -1,20 +0,0 @@
|
|||||||
# These patches are only for the testsuite:
|
|
||||||
#900_testsuite_groupmems
|
|
||||||
#901_testsuite_gcov
|
|
||||||
|
|
||||||
503_shadowconfig.8
|
|
||||||
008_login_log_failure_in_FTMP
|
|
||||||
429_login_FAILLOG_ENAB
|
|
||||||
401_cppw_src.dpatch
|
|
||||||
# 402 should be merged in 401, but should be reviewed by SE Linux experts first
|
|
||||||
402_cppw_selinux
|
|
||||||
506_relaxed_usernames
|
|
||||||
542_useradd-O_option
|
|
||||||
463_login_delay_obeys_to_PAM
|
|
||||||
508_nologin_in_usr_sbin
|
|
||||||
505_useradd_recommend_adduser
|
|
||||||
501_commonio_group_shadow
|
|
||||||
0001-newgidmap-enforce-setgroups-deny-if-self-mapping-a-g.patch
|
|
||||||
0002-gpasswd-1-Fix-password-leak.patch
|
|
||||||
0003-Added-control-character-check.patch
|
|
||||||
0004-Overhaul-valid_field.patch
|
|
||||||
Vendored
-96
@@ -1,96 +0,0 @@
|
|||||||
#!/usr/bin/make -f
|
|
||||||
# -*- mode: makefile; coding: utf-8 -*-
|
|
||||||
|
|
||||||
DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)
|
|
||||||
|
|
||||||
# Enable PIE, BINDNOW, and possible future flags.
|
|
||||||
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
|
|
||||||
DPKG_EXPORT_BUILDFLAGS = 1
|
|
||||||
include /usr/share/dpkg/buildflags.mk
|
|
||||||
|
|
||||||
# Call autoreconf since we need to regenerate all the autofoo files
|
|
||||||
include /usr/share/cdbs/1/rules/autoreconf.mk
|
|
||||||
include /usr/share/cdbs/1/rules/debhelper.mk
|
|
||||||
# Specify where dh_install will find the files that it needs to move:
|
|
||||||
DEB_DH_INSTALL_SOURCEDIR=debian/tmp
|
|
||||||
# Specify the destination of shadow's "make install"
|
|
||||||
# (This is only needed on The Hurd, where only one package is built. On
|
|
||||||
# the other arch, DEB_DESTDIR already points to debian/tmp)
|
|
||||||
DEB_DESTDIR=$(CURDIR)/debian/tmp
|
|
||||||
|
|
||||||
include /usr/share/cdbs/1/class/autotools.mk
|
|
||||||
|
|
||||||
# Adds extra options when calling the configure script:
|
|
||||||
DEB_CONFIGURE_EXTRA_FLAGS := --disable-shared \
|
|
||||||
--without-libcrack \
|
|
||||||
--mandir=/usr/share/man \
|
|
||||||
--with-libpam \
|
|
||||||
--enable-shadowgrp \
|
|
||||||
--enable-man \
|
|
||||||
--disable-account-tools-setuid \
|
|
||||||
--with-group-name-max-length=32 \
|
|
||||||
--without-acl \
|
|
||||||
--without-attr \
|
|
||||||
--without-tcb \
|
|
||||||
SHELL=/bin/sh
|
|
||||||
ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
|
|
||||||
DEB_CONFIGURE_EXTRA_FLAGS += --host=$(DEB_HOST_GNU_TYPE)
|
|
||||||
endif
|
|
||||||
|
|
||||||
# Set the default editor for vipw/vigr
|
|
||||||
CFLAGS += -DDEFAULT_EDITOR=\\\"sensible-editor\\\"
|
|
||||||
|
|
||||||
# Add extras to the install process:
|
|
||||||
binary-install/login::
|
|
||||||
ifeq ($(DEB_HOST_ARCH_OS),hurd)
|
|
||||||
# /bin/login is provided by the hurd package.
|
|
||||||
rm -f debian/login/bin/login
|
|
||||||
endif
|
|
||||||
ifneq ($(DEB_HOST_ARCH_OS),linux)
|
|
||||||
sed -i 's/session optional pam_keyinit.so/# Linux only # session optional pam_keyinit.so/' debian/login.pam
|
|
||||||
endif
|
|
||||||
dh_installpam -p login
|
|
||||||
install -c -m 444 debian/login.defs debian/login/etc/login.defs
|
|
||||||
install -c -m 444 debian/securetty.$(DEB_HOST_ARCH_OS) debian/login/etc/securetty
|
|
||||||
dh_lintian -p login
|
|
||||||
|
|
||||||
binary-install/passwd::
|
|
||||||
install -c -m 444 man/shadowconfig.8 debian/passwd/usr/share/man/man8
|
|
||||||
install -c -m 444 man/ja/shadowconfig.8 debian/passwd/usr/share/man/ja/man8
|
|
||||||
install -c -m 444 man/pl/shadowconfig.8 debian/passwd/usr/share/man/pl/man8
|
|
||||||
install -c -m 444 man/fr/shadowconfig.8 debian/passwd/usr/share/man/fr/man8
|
|
||||||
# Distribute the pam.d files; unless for the commands with disabled PAM
|
|
||||||
# support
|
|
||||||
dh_installpam -p passwd --name=passwd
|
|
||||||
dh_installpam -p passwd --name=chfn
|
|
||||||
dh_installpam -p passwd --name=chsh
|
|
||||||
dh_installpam -p passwd --name=chpasswd
|
|
||||||
dh_installpam -p passwd --name=newusers
|
|
||||||
install -c -m 644 debian/useradd.default debian/passwd/etc/default/useradd
|
|
||||||
install -d debian/passwd/sbin
|
|
||||||
install -c -m 555 debian/shadowconfig.sh debian/passwd/sbin/shadowconfig
|
|
||||||
install -c -m 444 debian/cpgr.8 debian/passwd/usr/share/man/man8
|
|
||||||
install -c -m 444 debian/cppw.8 debian/passwd/usr/share/man/man8
|
|
||||||
dh_lintian -p passwd
|
|
||||||
|
|
||||||
binary-predeb/uidmap::
|
|
||||||
chmod u+s debian/uidmap/usr/bin/newuidmap
|
|
||||||
chmod u+s debian/uidmap/usr/bin/newgidmap
|
|
||||||
|
|
||||||
binary-predeb/login::
|
|
||||||
# No real need for login to be setuid root
|
|
||||||
# chmod u+s debian/login/bin/login
|
|
||||||
chmod u+s debian/login/usr/bin/newgrp
|
|
||||||
|
|
||||||
binary-predeb/passwd::
|
|
||||||
chmod u+s debian/passwd/usr/bin/chfn
|
|
||||||
chmod u+s debian/passwd/usr/bin/chsh
|
|
||||||
chmod u+s debian/passwd/usr/bin/gpasswd
|
|
||||||
chmod u+s debian/passwd/usr/bin/passwd
|
|
||||||
chgrp shadow debian/passwd/usr/bin/chage
|
|
||||||
chgrp shadow debian/passwd/usr/bin/expiry
|
|
||||||
chmod g+s debian/passwd/usr/bin/chage
|
|
||||||
chmod g+s debian/passwd/usr/bin/expiry
|
|
||||||
|
|
||||||
clean::
|
|
||||||
sed -i 's/# Linux only # //' debian/login.pam
|
|
||||||
Vendored
-71
@@ -1,71 +0,0 @@
|
|||||||
# /etc/securetty: list of terminals on which root is allowed to login.
|
|
||||||
# See securetty(5) and login(1).
|
|
||||||
console
|
|
||||||
|
|
||||||
# for people with serial port consoles
|
|
||||||
com0
|
|
||||||
|
|
||||||
# Standard consoles
|
|
||||||
tty1
|
|
||||||
tty2
|
|
||||||
tty3
|
|
||||||
tty4
|
|
||||||
tty5
|
|
||||||
tty6
|
|
||||||
tty7
|
|
||||||
tty8
|
|
||||||
tty9
|
|
||||||
tty10
|
|
||||||
tty11
|
|
||||||
tty12
|
|
||||||
tty13
|
|
||||||
tty14
|
|
||||||
tty15
|
|
||||||
tty16
|
|
||||||
tty17
|
|
||||||
tty18
|
|
||||||
tty19
|
|
||||||
tty20
|
|
||||||
tty21
|
|
||||||
tty22
|
|
||||||
tty23
|
|
||||||
tty24
|
|
||||||
tty25
|
|
||||||
tty26
|
|
||||||
tty27
|
|
||||||
tty28
|
|
||||||
tty29
|
|
||||||
tty30
|
|
||||||
tty31
|
|
||||||
tty32
|
|
||||||
tty33
|
|
||||||
tty34
|
|
||||||
tty35
|
|
||||||
tty36
|
|
||||||
tty37
|
|
||||||
tty38
|
|
||||||
tty39
|
|
||||||
tty40
|
|
||||||
tty41
|
|
||||||
tty42
|
|
||||||
tty43
|
|
||||||
tty44
|
|
||||||
tty45
|
|
||||||
tty46
|
|
||||||
tty47
|
|
||||||
tty48
|
|
||||||
tty49
|
|
||||||
tty50
|
|
||||||
tty51
|
|
||||||
tty52
|
|
||||||
tty53
|
|
||||||
tty54
|
|
||||||
tty55
|
|
||||||
tty56
|
|
||||||
tty57
|
|
||||||
tty58
|
|
||||||
tty59
|
|
||||||
tty60
|
|
||||||
tty61
|
|
||||||
tty62
|
|
||||||
tty63
|
|
||||||
Vendored
-24
@@ -1,24 +0,0 @@
|
|||||||
# /etc/securetty: list of terminals on which root is allowed to login.
|
|
||||||
# See securetty(5) and login(1).
|
|
||||||
console
|
|
||||||
|
|
||||||
# for people with serial port consoles
|
|
||||||
ttyd0
|
|
||||||
ttyd1
|
|
||||||
|
|
||||||
# Standard consoles
|
|
||||||
ttyv0
|
|
||||||
ttyv1
|
|
||||||
ttyv2
|
|
||||||
ttyv3
|
|
||||||
ttyv4
|
|
||||||
ttyv5
|
|
||||||
ttyv6
|
|
||||||
ttyv7
|
|
||||||
ttyva
|
|
||||||
ttyvb
|
|
||||||
ttyvc
|
|
||||||
ttyvd
|
|
||||||
ttyve
|
|
||||||
ttyvf
|
|
||||||
|
|
||||||
Vendored
-12
@@ -1,12 +0,0 @@
|
|||||||
# /etc/securetty: list of terminals on which root is allowed to login.
|
|
||||||
# See securetty(5) and login(1).
|
|
||||||
console
|
|
||||||
|
|
||||||
# for people with serial port consoles
|
|
||||||
tty00
|
|
||||||
|
|
||||||
# Standard consoles
|
|
||||||
ttyE0
|
|
||||||
ttyE1
|
|
||||||
ttyE2
|
|
||||||
ttyE3
|
|
||||||
Vendored
-412
@@ -1,412 +0,0 @@
|
|||||||
# /etc/securetty: list of terminals on which root is allowed to login.
|
|
||||||
# See securetty(5) and login(1).
|
|
||||||
|
|
||||||
console
|
|
||||||
|
|
||||||
# Local X displays (allows empty passwords with pam_unix's nullok_secure)
|
|
||||||
:0
|
|
||||||
:0.0
|
|
||||||
:0.1
|
|
||||||
:1
|
|
||||||
:1.0
|
|
||||||
:1.1
|
|
||||||
:2
|
|
||||||
:2.0
|
|
||||||
:2.1
|
|
||||||
:3
|
|
||||||
:3.0
|
|
||||||
:3.1
|
|
||||||
#...
|
|
||||||
|
|
||||||
|
|
||||||
# ==========================================================
|
|
||||||
#
|
|
||||||
# TTYs sorted by major number according to Documentation/devices.txt
|
|
||||||
#
|
|
||||||
# ==========================================================
|
|
||||||
|
|
||||||
# Virtual consoles
|
|
||||||
tty1
|
|
||||||
tty2
|
|
||||||
tty3
|
|
||||||
tty4
|
|
||||||
tty5
|
|
||||||
tty6
|
|
||||||
tty7
|
|
||||||
tty8
|
|
||||||
tty9
|
|
||||||
tty10
|
|
||||||
tty11
|
|
||||||
tty12
|
|
||||||
tty13
|
|
||||||
tty14
|
|
||||||
tty15
|
|
||||||
tty16
|
|
||||||
tty17
|
|
||||||
tty18
|
|
||||||
tty19
|
|
||||||
tty20
|
|
||||||
tty21
|
|
||||||
tty22
|
|
||||||
tty23
|
|
||||||
tty24
|
|
||||||
tty25
|
|
||||||
tty26
|
|
||||||
tty27
|
|
||||||
tty28
|
|
||||||
tty29
|
|
||||||
tty30
|
|
||||||
tty31
|
|
||||||
tty32
|
|
||||||
tty33
|
|
||||||
tty34
|
|
||||||
tty35
|
|
||||||
tty36
|
|
||||||
tty37
|
|
||||||
tty38
|
|
||||||
tty39
|
|
||||||
tty40
|
|
||||||
tty41
|
|
||||||
tty42
|
|
||||||
tty43
|
|
||||||
tty44
|
|
||||||
tty45
|
|
||||||
tty46
|
|
||||||
tty47
|
|
||||||
tty48
|
|
||||||
tty49
|
|
||||||
tty50
|
|
||||||
tty51
|
|
||||||
tty52
|
|
||||||
tty53
|
|
||||||
tty54
|
|
||||||
tty55
|
|
||||||
tty56
|
|
||||||
tty57
|
|
||||||
tty58
|
|
||||||
tty59
|
|
||||||
tty60
|
|
||||||
tty61
|
|
||||||
tty62
|
|
||||||
tty63
|
|
||||||
|
|
||||||
# UART serial ports
|
|
||||||
ttyS0
|
|
||||||
ttyS1
|
|
||||||
ttyS2
|
|
||||||
ttyS3
|
|
||||||
ttyS4
|
|
||||||
ttyS5
|
|
||||||
#...ttyS191
|
|
||||||
|
|
||||||
# Serial Mux devices (Linux/PA-RISC only)
|
|
||||||
ttyB0
|
|
||||||
ttyB1
|
|
||||||
#...
|
|
||||||
|
|
||||||
# Chase serial card
|
|
||||||
ttyH0
|
|
||||||
ttyH1
|
|
||||||
#...
|
|
||||||
|
|
||||||
# Cyclades serial cards
|
|
||||||
ttyC0
|
|
||||||
ttyC1
|
|
||||||
#...ttyC31
|
|
||||||
|
|
||||||
# Digiboard serial cards
|
|
||||||
ttyD0
|
|
||||||
ttyD1
|
|
||||||
#...
|
|
||||||
|
|
||||||
# Stallion serial cards
|
|
||||||
ttyE0
|
|
||||||
ttyE1
|
|
||||||
#...ttyE255
|
|
||||||
|
|
||||||
# Specialix serial cards
|
|
||||||
ttyX0
|
|
||||||
ttyX1
|
|
||||||
#...
|
|
||||||
|
|
||||||
# Comtrol Rocketport serial cards
|
|
||||||
ttyR0
|
|
||||||
ttyR1
|
|
||||||
#...
|
|
||||||
|
|
||||||
# SDL RISCom serial cards
|
|
||||||
ttyL0
|
|
||||||
ttyL1
|
|
||||||
#...
|
|
||||||
|
|
||||||
# Hayes ESP serial card
|
|
||||||
ttyP0
|
|
||||||
ttyP1
|
|
||||||
#...
|
|
||||||
|
|
||||||
# Computone IntelliPort II serial card
|
|
||||||
ttyF0
|
|
||||||
ttyF1
|
|
||||||
#...ttyF255
|
|
||||||
|
|
||||||
# Specialix IO8+ serial card
|
|
||||||
ttyW0
|
|
||||||
ttyW1
|
|
||||||
#...
|
|
||||||
|
|
||||||
# Comtrol VS-1000 serial controller
|
|
||||||
ttyV0
|
|
||||||
ttyV1
|
|
||||||
#...
|
|
||||||
|
|
||||||
# ISI serial card
|
|
||||||
ttyM0
|
|
||||||
ttyM1
|
|
||||||
#...
|
|
||||||
|
|
||||||
# Technology Concepts serial card
|
|
||||||
ttyT0
|
|
||||||
ttyT1
|
|
||||||
#...
|
|
||||||
|
|
||||||
# Specialix RIO serial card
|
|
||||||
ttySR0
|
|
||||||
ttySR1
|
|
||||||
#...ttySR511
|
|
||||||
|
|
||||||
# Chase Research AT/PCI-Fast serial card
|
|
||||||
ttyCH0
|
|
||||||
ttyCH1
|
|
||||||
#...ttyCH63
|
|
||||||
|
|
||||||
# Moxa Intellio serial card
|
|
||||||
ttyMX0
|
|
||||||
ttyMX1
|
|
||||||
#...ttyMX127
|
|
||||||
|
|
||||||
# SmartIO serial card
|
|
||||||
ttySI0
|
|
||||||
ttySI1
|
|
||||||
#...
|
|
||||||
|
|
||||||
# USB dongles
|
|
||||||
ttyUSB0
|
|
||||||
ttyUSB1
|
|
||||||
ttyUSB2
|
|
||||||
#...
|
|
||||||
|
|
||||||
# LinkUp Systems L72xx UARTs
|
|
||||||
ttyLU0
|
|
||||||
ttyLU1
|
|
||||||
ttyLU2
|
|
||||||
ttyLU3
|
|
||||||
|
|
||||||
# StrongARM builtin serial ports
|
|
||||||
ttySA0
|
|
||||||
ttySA1
|
|
||||||
ttySA2
|
|
||||||
|
|
||||||
# SCI serial port (SuperH) ports and SC26xx serial ports
|
|
||||||
ttySC0
|
|
||||||
ttySC1
|
|
||||||
ttySC2
|
|
||||||
ttySC3
|
|
||||||
ttySC4
|
|
||||||
ttySC5
|
|
||||||
ttySC6
|
|
||||||
ttySC7
|
|
||||||
ttySC8
|
|
||||||
ttySC9
|
|
||||||
|
|
||||||
# ARM "AMBA" serial ports
|
|
||||||
ttyAM0
|
|
||||||
ttyAM1
|
|
||||||
ttyAM2
|
|
||||||
ttyAM3
|
|
||||||
ttyAM4
|
|
||||||
ttyAM5
|
|
||||||
ttyAM6
|
|
||||||
ttyAM7
|
|
||||||
ttyAM8
|
|
||||||
ttyAM9
|
|
||||||
ttyAM10
|
|
||||||
ttyAM11
|
|
||||||
ttyAM12
|
|
||||||
ttyAM13
|
|
||||||
ttyAM14
|
|
||||||
ttyAM15
|
|
||||||
|
|
||||||
# Embedded ARM AMBA PL011 ports (e.g. emulated by QEMU)
|
|
||||||
ttyAMA0
|
|
||||||
ttyAMA1
|
|
||||||
ttyAMA2
|
|
||||||
ttyAMA3
|
|
||||||
|
|
||||||
# DataBooster serial ports
|
|
||||||
ttyDB0
|
|
||||||
ttyDB1
|
|
||||||
ttyDB2
|
|
||||||
ttyDB3
|
|
||||||
ttyDB4
|
|
||||||
ttyDB5
|
|
||||||
ttyDB6
|
|
||||||
ttyDB7
|
|
||||||
|
|
||||||
# SGI Altix console ports
|
|
||||||
ttySG0
|
|
||||||
|
|
||||||
# Motorola i.MX ports
|
|
||||||
ttySMX0
|
|
||||||
ttySMX1
|
|
||||||
ttySMX2
|
|
||||||
|
|
||||||
# Marvell MPSC ports
|
|
||||||
ttyMM0
|
|
||||||
ttyMM1
|
|
||||||
|
|
||||||
# PPC CPM (SCC or SMC) ports
|
|
||||||
ttyCPM0
|
|
||||||
ttyCPM1
|
|
||||||
ttyCPM2
|
|
||||||
ttyCPM3
|
|
||||||
ttyCPM4
|
|
||||||
ttyCPM5
|
|
||||||
|
|
||||||
# Altix serial cards
|
|
||||||
ttyIOC0
|
|
||||||
ttyIOC1
|
|
||||||
#...ttyIOC31
|
|
||||||
|
|
||||||
# NEC VR4100 series SIU
|
|
||||||
ttyVR0
|
|
||||||
|
|
||||||
# NEC VR4100 series SSIU
|
|
||||||
ttyVR1
|
|
||||||
|
|
||||||
# Altix ioc4 serial cards
|
|
||||||
ttyIOC84
|
|
||||||
ttyIOC85
|
|
||||||
#...ttyIOC115
|
|
||||||
|
|
||||||
# Altix ioc3 serial cards
|
|
||||||
ttySIOC0
|
|
||||||
ttySIOC1
|
|
||||||
#...ttySIOC31
|
|
||||||
|
|
||||||
# PPC PSC ports
|
|
||||||
ttyPSC0
|
|
||||||
ttyPSC1
|
|
||||||
ttyPSC2
|
|
||||||
ttyPSC3
|
|
||||||
ttyPSC4
|
|
||||||
ttyPSC5
|
|
||||||
|
|
||||||
# ATMEL serial ports
|
|
||||||
ttyAT0
|
|
||||||
ttyAT1
|
|
||||||
#...ttyAT15
|
|
||||||
|
|
||||||
# Hilscher netX serial port
|
|
||||||
ttyNX0
|
|
||||||
ttyNX1
|
|
||||||
#...ttyNX15
|
|
||||||
|
|
||||||
# Xilinx uartlite - port
|
|
||||||
ttyUL0
|
|
||||||
ttyUL1
|
|
||||||
ttyUL2
|
|
||||||
ttyUL3
|
|
||||||
|
|
||||||
# Xen virtual console - port 0
|
|
||||||
xvc0
|
|
||||||
|
|
||||||
# pmac_zilog - port
|
|
||||||
ttyPZ0
|
|
||||||
ttyPZ1
|
|
||||||
ttyPZ2
|
|
||||||
ttyPZ3
|
|
||||||
|
|
||||||
# TX39/49 serial port
|
|
||||||
ttyTX0
|
|
||||||
ttyTX1
|
|
||||||
ttyTX2
|
|
||||||
ttyTX3
|
|
||||||
ttyTX4
|
|
||||||
ttyTX5
|
|
||||||
ttyTX6
|
|
||||||
ttyTX7
|
|
||||||
|
|
||||||
# SC26xx serial ports (see SCI serial ports (SuperH))
|
|
||||||
|
|
||||||
# MAX3100 serial ports
|
|
||||||
ttyMAX0
|
|
||||||
ttyMAX1
|
|
||||||
ttyMAX2
|
|
||||||
ttyMAX3
|
|
||||||
|
|
||||||
# OMAP serial ports
|
|
||||||
ttyO0
|
|
||||||
ttyO1
|
|
||||||
ttyO2
|
|
||||||
ttyO3
|
|
||||||
|
|
||||||
# User space serial ports
|
|
||||||
ttyU0
|
|
||||||
ttyU1
|
|
||||||
|
|
||||||
# A2232 serial card
|
|
||||||
ttyY0
|
|
||||||
ttyY1
|
|
||||||
|
|
||||||
# IBM 3270 terminal Unix tty access
|
|
||||||
3270/tty1
|
|
||||||
3270/tty2
|
|
||||||
#...
|
|
||||||
|
|
||||||
# IBM iSeries/pSeries virtual console
|
|
||||||
hvc0
|
|
||||||
hvc1
|
|
||||||
#...
|
|
||||||
#IBM pSeries console ports
|
|
||||||
hvsi0
|
|
||||||
hvsi1
|
|
||||||
hvsi2
|
|
||||||
|
|
||||||
# Equinox SST multi-port serial boards
|
|
||||||
ttyEQ0
|
|
||||||
ttyEQ1
|
|
||||||
#...ttyEQ1027
|
|
||||||
|
|
||||||
# ==========================================================
|
|
||||||
#
|
|
||||||
# Not in Documentation/Devices.txt
|
|
||||||
#
|
|
||||||
# ==========================================================
|
|
||||||
|
|
||||||
# Embedded Freescale i.MX ports
|
|
||||||
ttymxc0
|
|
||||||
ttymxc1
|
|
||||||
ttymxc2
|
|
||||||
ttymxc3
|
|
||||||
ttymxc4
|
|
||||||
ttymxc5
|
|
||||||
|
|
||||||
# LXC (Linux Containers)
|
|
||||||
lxc/console
|
|
||||||
lxc/tty1
|
|
||||||
lxc/tty2
|
|
||||||
lxc/tty3
|
|
||||||
lxc/tty4
|
|
||||||
|
|
||||||
# Serial Console for MIPS Swarm
|
|
||||||
duart0
|
|
||||||
duart1
|
|
||||||
|
|
||||||
# s390 and s390x ports in LPAR mode
|
|
||||||
ttysclp0
|
|
||||||
|
|
||||||
# ODROID XU4 serial console
|
|
||||||
ttySAC0
|
|
||||||
ttySAC1
|
|
||||||
ttySAC2
|
|
||||||
ttySAC3
|
|
||||||
Vendored
-49
@@ -1,49 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
# turn shadow passwords on or off on a Debian system
|
|
||||||
|
|
||||||
set -e
|
|
||||||
|
|
||||||
shadowon () {
|
|
||||||
set -e
|
|
||||||
pwck -q -r
|
|
||||||
grpck -r
|
|
||||||
pwconv
|
|
||||||
grpconv
|
|
||||||
chown root:root /etc/passwd /etc/group
|
|
||||||
chmod 644 /etc/passwd /etc/group
|
|
||||||
chown root:shadow /etc/shadow /etc/gshadow
|
|
||||||
chmod 640 /etc/shadow /etc/gshadow
|
|
||||||
}
|
|
||||||
|
|
||||||
shadowoff () {
|
|
||||||
set -e
|
|
||||||
pwck -q -r
|
|
||||||
grpck -r
|
|
||||||
pwunconv
|
|
||||||
grpunconv
|
|
||||||
# sometimes the passwd perms get munged
|
|
||||||
chown root:root /etc/passwd /etc/group
|
|
||||||
chmod 644 /etc/passwd /etc/group
|
|
||||||
}
|
|
||||||
|
|
||||||
case "$1" in
|
|
||||||
"on")
|
|
||||||
if shadowon ; then
|
|
||||||
echo Shadow passwords are now on.
|
|
||||||
else
|
|
||||||
echo Please correct the error and rerun \`$0 on\'
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
"off")
|
|
||||||
if shadowoff ; then
|
|
||||||
echo Shadow passwords are now off.
|
|
||||||
else
|
|
||||||
echo Please correct the error and rerun \`$0 off\'
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
echo Usage: $0 on \| off
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
Vendored
-1
@@ -1 +0,0 @@
|
|||||||
3.0 (quilt)
|
|
||||||
Vendored
-4
@@ -1,4 +0,0 @@
|
|||||||
usr/bin/newuidmap
|
|
||||||
usr/bin/newgidmap
|
|
||||||
usr/share/man/man1/newuidmap.1
|
|
||||||
usr/share/man/man1/newgidmap.1
|
|
||||||
Vendored
-2
@@ -1,2 +0,0 @@
|
|||||||
uidmap: setuid-binary usr/bin/newgidmap 4755 root/root
|
|
||||||
uidmap: setuid-binary usr/bin/newuidmap 4755 root/root
|
|
||||||
Vendored
-8196
File diff suppressed because it is too large
Load Diff
Vendored
-37
@@ -1,37 +0,0 @@
|
|||||||
# Default values for useradd(8)
|
|
||||||
#
|
|
||||||
# The SHELL variable specifies the default login shell on your
|
|
||||||
# system.
|
|
||||||
# Similar to DHSELL in adduser. However, we use "sh" here because
|
|
||||||
# useradd is a low level utility and should be as general
|
|
||||||
# as possible
|
|
||||||
SHELL=/bin/sh
|
|
||||||
#
|
|
||||||
# The default group for users
|
|
||||||
# 100=users on Debian systems
|
|
||||||
# Same as USERS_GID in adduser
|
|
||||||
# This argument is used when the -n flag is specified.
|
|
||||||
# The default behavior (when -n and -g are not specified) is to create a
|
|
||||||
# primary user group with the same name as the user being added to the
|
|
||||||
# system.
|
|
||||||
# GROUP=100
|
|
||||||
#
|
|
||||||
# The default home directory. Same as DHOME for adduser
|
|
||||||
# HOME=/home
|
|
||||||
#
|
|
||||||
# The number of days after a password expires until the account
|
|
||||||
# is permanently disabled
|
|
||||||
# INACTIVE=-1
|
|
||||||
#
|
|
||||||
# The default expire date
|
|
||||||
# EXPIRE=
|
|
||||||
#
|
|
||||||
# The SKEL variable specifies the directory containing "skeletal" user
|
|
||||||
# files; in other words, files such as a sample .profile that will be
|
|
||||||
# copied to the new user's home directory when it is created.
|
|
||||||
# SKEL=/etc/skel
|
|
||||||
#
|
|
||||||
# Defines whether the mail spool should be created while
|
|
||||||
# creating the account
|
|
||||||
# CREATE_MAIL_SPOOL=yes
|
|
||||||
|
|
||||||
Vendored
-4
@@ -1,4 +0,0 @@
|
|||||||
version=4
|
|
||||||
opts="filenamemangle=s%(?:.*?)?v?(\d[\d.]*)\.tar\.gz%shadow-$1.tar.gz%" \
|
|
||||||
https://github.com/shadow-maint/shadow/tags \
|
|
||||||
(?:.*?/)?v?(\d[\d.]*)\.tar\.gz debian uupdate
|
|
||||||
+1
-1
@@ -15,7 +15,7 @@ Changes:
|
|||||||
- code merged into lmain.c --cristiang
|
- code merged into lmain.c --cristiang
|
||||||
|
|
||||||
TODO: - support groups in the limits file
|
TODO: - support groups in the limits file
|
||||||
(only usernames are supported at this momment :-( )
|
(only usernames are supported at this moment :-( )
|
||||||
|
|
||||||
Setting user limits for shadow login program
|
Setting user limits for shadow login program
|
||||||
|
|
||||||
|
|||||||
+1
-1
@@ -189,7 +189,7 @@ KILLCHAR 025
|
|||||||
# home directories.
|
# home directories.
|
||||||
# 022 is the default value, but 027, or even 077, could be considered
|
# 022 is the default value, but 027, or even 077, could be considered
|
||||||
# for increased privacy. There is no One True Answer here: each sysadmin
|
# for increased privacy. There is no One True Answer here: each sysadmin
|
||||||
# must make up his/her mind.
|
# must make up their mind.
|
||||||
UMASK 022
|
UMASK 022
|
||||||
|
|
||||||
#
|
#
|
||||||
|
|||||||
+28
-8
@@ -375,28 +375,48 @@ bool commonio_present (const struct commonio_db *db)
|
|||||||
|
|
||||||
int commonio_lock_nowait (struct commonio_db *db, bool log)
|
int commonio_lock_nowait (struct commonio_db *db, bool log)
|
||||||
{
|
{
|
||||||
char file[1024];
|
char* file = NULL;
|
||||||
char lock[1024];
|
char* lock = NULL;
|
||||||
|
size_t lock_file_len;
|
||||||
|
size_t file_len;
|
||||||
|
int err;
|
||||||
|
|
||||||
if (db->locked) {
|
if (db->locked) {
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
file_len = strlen(db->filename) + 11;/* %lu max size */
|
||||||
snprintf (file, sizeof file, "%s.%lu",
|
lock_file_len = strlen(db->filename) + 6; /* sizeof ".lock" */
|
||||||
|
file = (char*)malloc(file_len);
|
||||||
|
if(file == NULL) {
|
||||||
|
err = ENOMEM;
|
||||||
|
goto cleanup_ENOMEM;
|
||||||
|
}
|
||||||
|
lock = (char*)malloc(lock_file_len);
|
||||||
|
if(lock == NULL) {
|
||||||
|
err = ENOMEM;
|
||||||
|
goto cleanup_ENOMEM;
|
||||||
|
}
|
||||||
|
snprintf (file, file_len, "%s.%lu",
|
||||||
db->filename, (unsigned long) getpid ());
|
db->filename, (unsigned long) getpid ());
|
||||||
snprintf (lock, sizeof lock, "%s.lock", db->filename);
|
snprintf (lock, lock_file_len, "%s.lock", db->filename);
|
||||||
if (do_lock_file (file, lock, log) != 0) {
|
if (do_lock_file (file, lock, log) != 0) {
|
||||||
db->locked = true;
|
db->locked = true;
|
||||||
lock_count++;
|
lock_count++;
|
||||||
return 1;
|
err = 1;
|
||||||
}
|
}
|
||||||
return 0;
|
cleanup_ENOMEM:
|
||||||
|
if(file)
|
||||||
|
free(file);
|
||||||
|
if(lock)
|
||||||
|
free(lock);
|
||||||
|
return err;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
int commonio_lock (struct commonio_db *db)
|
int commonio_lock (struct commonio_db *db)
|
||||||
{
|
{
|
||||||
#ifdef HAVE_LCKPWDF
|
/*#ifdef HAVE_LCKPWDF*/ /* not compatible with prefix option*/
|
||||||
|
#if 0
|
||||||
/*
|
/*
|
||||||
* only if the system libc has a real lckpwdf() - the one from
|
* only if the system libc has a real lckpwdf() - the one from
|
||||||
* lockpw.c calls us and would cause infinite recursion!
|
* lockpw.c calls us and would cause infinite recursion!
|
||||||
|
|||||||
+1
-1
@@ -24,7 +24,7 @@ typedef unsigned char _Bool;
|
|||||||
|
|
||||||
/* Take care of NLS matters. */
|
/* Take care of NLS matters. */
|
||||||
#ifdef S_SPLINT_S
|
#ifdef S_SPLINT_S
|
||||||
extern char *setlocale(int categorie, const char *locale);
|
extern char *setlocale(int categories, const char *locale);
|
||||||
# define LC_ALL (6)
|
# define LC_ALL (6)
|
||||||
extern char * bindtextdomain (const char * domainname, const char * dirname);
|
extern char * bindtextdomain (const char * domainname, const char * dirname);
|
||||||
extern char * textdomain (const char * domainname);
|
extern char * textdomain (const char * domainname);
|
||||||
|
|||||||
+12
-1
@@ -155,7 +155,7 @@ static struct itemdef knowndef_table[] = {
|
|||||||
#define LOGINDEFS "/etc/login.defs"
|
#define LOGINDEFS "/etc/login.defs"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
static char def_fname[] = LOGINDEFS; /* login config defs file */
|
static const char* def_fname = LOGINDEFS; /* login config defs file */
|
||||||
static bool def_loaded = false; /* are defs already loaded? */
|
static bool def_loaded = false; /* are defs already loaded? */
|
||||||
|
|
||||||
/* local function prototypes */
|
/* local function prototypes */
|
||||||
@@ -424,6 +424,17 @@ out:
|
|||||||
return (struct itemdef *) NULL;
|
return (struct itemdef *) NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* setdef_config_file - set the default configuration file path
|
||||||
|
*
|
||||||
|
* must be called prior to any def* calls.
|
||||||
|
*/
|
||||||
|
|
||||||
|
void setdef_config_file (const char* file)
|
||||||
|
{
|
||||||
|
def_fname = file;
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* def_load - load configuration table
|
* def_load - load configuration table
|
||||||
*
|
*
|
||||||
|
|||||||
@@ -40,6 +40,7 @@ extern unsigned long getdef_ulong (const char *, unsigned long);
|
|||||||
extern unsigned int getdef_unum (const char *, unsigned int);
|
extern unsigned int getdef_unum (const char *, unsigned int);
|
||||||
extern /*@observer@*/ /*@null@*/const char *getdef_str (const char *);
|
extern /*@observer@*/ /*@null@*/const char *getdef_str (const char *);
|
||||||
extern int putdef_str (const char *, const char *);
|
extern int putdef_str (const char *, const char *);
|
||||||
|
extern void setdef_config_file (const char* file);
|
||||||
|
|
||||||
/* default UMASK value if not specified in /etc/login.defs */
|
/* default UMASK value if not specified in /etc/login.defs */
|
||||||
#define GETDEF_DEFAULT_UMASK 022
|
#define GETDEF_DEFAULT_UMASK 022
|
||||||
|
|||||||
+17
-2
@@ -254,9 +254,9 @@ extern void motd (void);
|
|||||||
/* myname.c */
|
/* myname.c */
|
||||||
extern /*@null@*//*@only@*/struct passwd *get_my_pwent (void);
|
extern /*@null@*//*@only@*/struct passwd *get_my_pwent (void);
|
||||||
|
|
||||||
/* pam_pass_non_interractive.c */
|
/* pam_pass_non_interactive.c */
|
||||||
#ifdef USE_PAM
|
#ifdef USE_PAM
|
||||||
extern int do_pam_passwd_non_interractive (const char *pam_service,
|
extern int do_pam_passwd_non_interactive (const char *pam_service,
|
||||||
const char *username,
|
const char *username,
|
||||||
const char* password);
|
const char* password);
|
||||||
#endif /* USE_PAM */
|
#endif /* USE_PAM */
|
||||||
@@ -274,6 +274,21 @@ extern void do_pam_passwd (const char *user, bool silent, bool change_expired);
|
|||||||
/* port.c */
|
/* port.c */
|
||||||
extern bool isttytime (const char *, const char *, time_t);
|
extern bool isttytime (const char *, const char *, time_t);
|
||||||
|
|
||||||
|
/* prefix_flag.c */
|
||||||
|
extern const char* process_prefix_flag (const char* short_opt, int argc, char **argv);
|
||||||
|
extern struct group *prefix_getgrnam(const char *name);
|
||||||
|
extern struct group *prefix_getgrgid(gid_t gid);
|
||||||
|
extern struct passwd *prefix_getpwuid(uid_t uid);
|
||||||
|
extern struct passwd *prefix_getpwnam(const char* name);
|
||||||
|
extern struct spwd *prefix_getspnam(const char* name);
|
||||||
|
extern struct group *prefix_getgr_nam_gid(const char *grname);
|
||||||
|
extern void prefix_setpwent();
|
||||||
|
extern struct passwd* prefix_getpwent();
|
||||||
|
extern void prefix_endpwent();
|
||||||
|
extern void prefix_setgrent();
|
||||||
|
extern struct group* prefix_getgrent();
|
||||||
|
extern void prefix_endgrent();
|
||||||
|
|
||||||
/* pwd2spwd.c */
|
/* pwd2spwd.c */
|
||||||
#ifndef USE_PAM
|
#ifndef USE_PAM
|
||||||
extern struct spwd *pwd_to_spwd (const struct passwd *);
|
extern struct spwd *pwd_to_spwd (const struct passwd *);
|
||||||
|
|||||||
+3
-3
@@ -181,7 +181,7 @@ static const bool range_exists(struct commonio_db *db, const char *owner)
|
|||||||
* subuid @val.
|
* subuid @val.
|
||||||
*
|
*
|
||||||
* @db: database to query
|
* @db: database to query
|
||||||
* @owner: owning uid being queuried
|
* @owner: owning uid being queried
|
||||||
* @val: subuid being searched for.
|
* @val: subuid being searched for.
|
||||||
*
|
*
|
||||||
* Returns a range of subuids belonging to @owner and including the subuid
|
* Returns a range of subuids belonging to @owner and including the subuid
|
||||||
@@ -221,7 +221,7 @@ static const struct subordinate_range *find_range(struct commonio_db *db,
|
|||||||
|
|
||||||
/*
|
/*
|
||||||
* Search loop above did not produce any result. Let's rerun it,
|
* Search loop above did not produce any result. Let's rerun it,
|
||||||
* but this time try to matcha actual UIDs. The first entry that
|
* but this time try to match actual UIDs. The first entry that
|
||||||
* matches is considered a success.
|
* matches is considered a success.
|
||||||
* (It may be specified as literal UID or as another username which
|
* (It may be specified as literal UID or as another username which
|
||||||
* has the same UID as the username we are looking for.)
|
* has the same UID as the username we are looking for.)
|
||||||
@@ -418,7 +418,7 @@ fail:
|
|||||||
* @start: the first uid in the owned range
|
* @start: the first uid in the owned range
|
||||||
* @count: the number of uids in the range
|
* @count: the number of uids in the range
|
||||||
*
|
*
|
||||||
* Return 1 if the range is already present or on succcess. On error
|
* Return 1 if the range is already present or on success. On error
|
||||||
* return 0 and set errno appropriately.
|
* return 0 and set errno appropriately.
|
||||||
*/
|
*/
|
||||||
static int add_range(struct commonio_db *db,
|
static int add_range(struct commonio_db *db,
|
||||||
|
|||||||
+2
-1
@@ -44,7 +44,8 @@ libmisc_a_SOURCES = \
|
|||||||
myname.c \
|
myname.c \
|
||||||
obscure.c \
|
obscure.c \
|
||||||
pam_pass.c \
|
pam_pass.c \
|
||||||
pam_pass_non_interractive.c \
|
pam_pass_non_interactive.c \
|
||||||
|
prefix_flag.c \
|
||||||
pwd2spwd.c \
|
pwd2spwd.c \
|
||||||
pwdcheck.c \
|
pwdcheck.c \
|
||||||
pwd_init.c \
|
pwd_init.c \
|
||||||
|
|||||||
+1
-1
@@ -69,7 +69,7 @@ extern int failcheck (uid_t uid, struct faillog *fl, bool failed);
|
|||||||
extern void failprint (const struct faillog *);
|
extern void failprint (const struct faillog *);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* failtmp - update the cummulative failure log
|
* failtmp - update the cumulative failure log
|
||||||
*
|
*
|
||||||
* failtmp updates the (struct utmp) formatted failure log which
|
* failtmp updates the (struct utmp) formatted failure log which
|
||||||
* maintains a record of all login failures.
|
* maintains a record of all login failures.
|
||||||
|
|||||||
@@ -136,7 +136,7 @@ static int check_gid (const gid_t gid,
|
|||||||
}
|
}
|
||||||
/* Check if the GID exists according to NSS */
|
/* Check if the GID exists according to NSS */
|
||||||
errno = 0;
|
errno = 0;
|
||||||
if (getgrgid (gid) != NULL) {
|
if (prefix_getgrgid (gid) != NULL) {
|
||||||
return EEXIST;
|
return EEXIST;
|
||||||
} else {
|
} else {
|
||||||
/* getgrgid() was NULL
|
/* getgrgid() was NULL
|
||||||
|
|||||||
@@ -136,7 +136,7 @@ static int check_uid(const uid_t uid,
|
|||||||
}
|
}
|
||||||
/* Check if the UID exists according to NSS */
|
/* Check if the UID exists according to NSS */
|
||||||
errno = 0;
|
errno = 0;
|
||||||
if (getpwuid(uid) != NULL) {
|
if (prefix_getpwuid(uid) != NULL) {
|
||||||
return EEXIST;
|
return EEXIST;
|
||||||
} else {
|
} else {
|
||||||
/* getpwuid() was NULL
|
/* getpwuid() was NULL
|
||||||
|
|||||||
+1
-1
@@ -66,7 +66,7 @@
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* Remap normal yacc parser interface names (yyparse, yylex, yyerror, etc),
|
/* Remap normal yacc parser interface names (yyparse, yylex, yyerror, etc),
|
||||||
as well as gratuitiously global symbol names, so we can have multiple
|
as well as gratuitously global symbol names, so we can have multiple
|
||||||
yacc generated parsers in the same program. Note that these are only
|
yacc generated parsers in the same program. Note that these are only
|
||||||
the variables produced by yacc. If other parser generators (bison,
|
the variables produced by yacc. If other parser generators (bison,
|
||||||
byacc, etc) produce additional global names that conflict at link time,
|
byacc, etc) produce additional global names that conflict at link time,
|
||||||
|
|||||||
+1
-1
@@ -148,7 +148,7 @@ void write_mapping(int proc_dir_fd, int ranges, struct map_range *mappings,
|
|||||||
pos += written;
|
pos += written;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Write the mapping to the maping file */
|
/* Write the mapping to the mapping file */
|
||||||
fd = openat(proc_dir_fd, map_file, O_WRONLY);
|
fd = openat(proc_dir_fd, map_file, O_WRONLY);
|
||||||
if (fd < 0) {
|
if (fd < 0) {
|
||||||
fprintf(stderr, _("%s: open of %s failed: %s\n"),
|
fprintf(stderr, _("%s: open of %s failed: %s\n"),
|
||||||
|
|||||||
@@ -134,7 +134,7 @@ failed_conversation:
|
|||||||
*
|
*
|
||||||
* Return 0 on success, 1 on failure.
|
* Return 0 on success, 1 on failure.
|
||||||
*/
|
*/
|
||||||
int do_pam_passwd_non_interractive (const char *pam_service,
|
int do_pam_passwd_non_interactive (const char *pam_service,
|
||||||
const char *username,
|
const char *username,
|
||||||
const char* password)
|
const char* password)
|
||||||
{
|
{
|
||||||
@@ -0,0 +1,340 @@
|
|||||||
|
/*
|
||||||
|
* Copyright (c) 2011 , Julian Pidancet
|
||||||
|
* Copyright (c) 2011 , Nicolas François
|
||||||
|
* All rights reserved.
|
||||||
|
*
|
||||||
|
* Redistribution and use in source and binary forms, with or without
|
||||||
|
* modification, are permitted provided that the following conditions
|
||||||
|
* are met:
|
||||||
|
* 1. Redistributions of source code must retain the above copyright
|
||||||
|
* notice, this list of conditions and the following disclaimer.
|
||||||
|
* 2. Redistributions in binary form must reproduce the above copyright
|
||||||
|
* notice, this list of conditions and the following disclaimer in the
|
||||||
|
* documentation and/or other materials provided with the distribution.
|
||||||
|
* 3. The name of the copyright holders or contributors may not be used to
|
||||||
|
* endorse or promote products derived from this software without
|
||||||
|
* specific prior written permission.
|
||||||
|
*
|
||||||
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||||
|
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||||
|
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
||||||
|
* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||||
|
* HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||||
|
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||||
|
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||||
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||||
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||||
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||||
|
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <config.h>
|
||||||
|
|
||||||
|
#ident "$Id$"
|
||||||
|
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <assert.h>
|
||||||
|
#include "defines.h"
|
||||||
|
#include "prototypes.h"
|
||||||
|
/*@-exitarg@*/
|
||||||
|
#include "exitcodes.h"
|
||||||
|
#include "groupio.h"
|
||||||
|
#include "pwio.h"
|
||||||
|
#ifdef SHADOWGRP
|
||||||
|
#include "sgroupio.h"
|
||||||
|
#endif
|
||||||
|
#include "shadowio.h"
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
|
#include "subordinateio.h"
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
#include "getdef.h"
|
||||||
|
|
||||||
|
static char *passwd_db_file = NULL;
|
||||||
|
static char *spw_db_file = NULL;
|
||||||
|
static char *group_db_file = NULL;
|
||||||
|
static char *sgroup_db_file = NULL;
|
||||||
|
static char *suid_db_file = NULL;
|
||||||
|
static char *sgid_db_file = NULL;
|
||||||
|
static char *def_conf_file = NULL;
|
||||||
|
static FILE* fp_pwent = NULL;
|
||||||
|
static FILE* fp_grent = NULL;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* process_prefix_flag - prefix all paths if given the --prefix option
|
||||||
|
*
|
||||||
|
* This shall be called before accessing the passwd, group, shadow,
|
||||||
|
* gshadow, useradd's default, login.defs files (non exhaustive list)
|
||||||
|
* or authenticating the caller.
|
||||||
|
*
|
||||||
|
* The audit, syslog, or locale files shall be open before
|
||||||
|
*/
|
||||||
|
extern const char* process_prefix_flag (const char* short_opt, int argc, char **argv)
|
||||||
|
{
|
||||||
|
/*
|
||||||
|
* Parse the command line options.
|
||||||
|
*/
|
||||||
|
int i;
|
||||||
|
const char *prefix = NULL;
|
||||||
|
|
||||||
|
for (i = 0; i < argc; i++) {
|
||||||
|
if ( (strcmp (argv[i], "--prefix") == 0)
|
||||||
|
|| (strcmp (argv[i], short_opt) == 0)) {
|
||||||
|
if (NULL != prefix) {
|
||||||
|
fprintf (stderr,
|
||||||
|
_("%s: multiple --prefix options\n"),
|
||||||
|
Prog);
|
||||||
|
exit (E_BAD_ARG);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (i + 1 == argc) {
|
||||||
|
fprintf (stderr,
|
||||||
|
_("%s: option '%s' requires an argument\n"),
|
||||||
|
Prog, argv[i]);
|
||||||
|
exit (E_BAD_ARG);
|
||||||
|
}
|
||||||
|
prefix = argv[i + 1];
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
if (prefix != NULL) {
|
||||||
|
if ( prefix[0] == '\0' || !strcmp(prefix, "/"))
|
||||||
|
return ""; /* if prefix is "/" then we ignore the flag option */
|
||||||
|
/* should we prevent symbolic link from being used as a prefix? */
|
||||||
|
|
||||||
|
size_t len;
|
||||||
|
len = strlen(prefix) + strlen(PASSWD_FILE) + 2;
|
||||||
|
passwd_db_file = xmalloc(len);
|
||||||
|
snprintf(passwd_db_file, len, "%s/%s", prefix, PASSWD_FILE);
|
||||||
|
pw_setdbname(passwd_db_file);
|
||||||
|
|
||||||
|
len = strlen(prefix) + strlen(GROUP_FILE) + 2;
|
||||||
|
group_db_file = xmalloc(len);
|
||||||
|
snprintf(group_db_file, len, "%s/%s", prefix, GROUP_FILE);
|
||||||
|
gr_setdbname(group_db_file);
|
||||||
|
|
||||||
|
#ifdef SHADOWGRP
|
||||||
|
len = strlen(prefix) + strlen(SGROUP_FILE) + 2;
|
||||||
|
sgroup_db_file = xmalloc(len);
|
||||||
|
snprintf(sgroup_db_file, len, "%s/%s", prefix, SGROUP_FILE);
|
||||||
|
sgr_setdbname(sgroup_db_file);
|
||||||
|
#endif
|
||||||
|
#ifdef USE_NIS
|
||||||
|
__setspNIS(0); /* disable NIS for now, at least until it is properly supporting a "prefix" */
|
||||||
|
#endif
|
||||||
|
|
||||||
|
len = strlen(prefix) + strlen(SHADOW_FILE) + 2;
|
||||||
|
spw_db_file = xmalloc(len);
|
||||||
|
snprintf(spw_db_file, len, "%s/%s", prefix, SHADOW_FILE);
|
||||||
|
spw_setdbname(spw_db_file);
|
||||||
|
|
||||||
|
|
||||||
|
len = strlen(prefix) + strlen("/etc/subuid") + 2;
|
||||||
|
suid_db_file = xmalloc(len);
|
||||||
|
snprintf(suid_db_file, len, "%s/%s", prefix, "/etc/subuid");
|
||||||
|
sub_uid_setdbname(suid_db_file);
|
||||||
|
|
||||||
|
len = strlen(prefix) + strlen("/etc/subgid") + 2;
|
||||||
|
sgid_db_file = xmalloc(len);
|
||||||
|
snprintf(sgid_db_file, len, "%s/%s", prefix, "/etc/subgid");
|
||||||
|
sub_gid_setdbname(sgid_db_file);
|
||||||
|
|
||||||
|
len = strlen(prefix) + strlen("/etc/login.defs") + 2;
|
||||||
|
def_conf_file = xmalloc(len);
|
||||||
|
snprintf(def_conf_file, len, "%s/%s", prefix, "/etc/login.defs");
|
||||||
|
setdef_config_file(def_conf_file);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (prefix == NULL)
|
||||||
|
return "";
|
||||||
|
return prefix;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
extern struct group *prefix_getgrnam(const char *name)
|
||||||
|
{
|
||||||
|
if (group_db_file) {
|
||||||
|
FILE* fg;
|
||||||
|
struct group * grp = NULL;
|
||||||
|
|
||||||
|
fg = fopen(group_db_file, "rt");
|
||||||
|
if(!fg)
|
||||||
|
return NULL;
|
||||||
|
while(grp = fgetgrent(fg)) {
|
||||||
|
if(!strcmp(name, grp->gr_name))
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
fclose(fg);
|
||||||
|
return grp;
|
||||||
|
}
|
||||||
|
|
||||||
|
return getgrnam(name);
|
||||||
|
}
|
||||||
|
|
||||||
|
extern struct group *prefix_getgrgid(gid_t gid)
|
||||||
|
{
|
||||||
|
if (group_db_file) {
|
||||||
|
FILE* fg;
|
||||||
|
struct group * grp = NULL;
|
||||||
|
|
||||||
|
fg = fopen(group_db_file, "rt");
|
||||||
|
if(!fg)
|
||||||
|
return NULL;
|
||||||
|
while(grp = fgetgrent(fg)) {
|
||||||
|
if(gid == grp->gr_gid)
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
fclose(fg);
|
||||||
|
return grp;
|
||||||
|
}
|
||||||
|
|
||||||
|
return getgrgid(gid);
|
||||||
|
}
|
||||||
|
|
||||||
|
extern struct passwd *prefix_getpwuid(uid_t uid)
|
||||||
|
{
|
||||||
|
if (passwd_db_file) {
|
||||||
|
FILE* fg;
|
||||||
|
struct passwd *pwd = NULL;
|
||||||
|
|
||||||
|
fg = fopen(passwd_db_file, "rt");
|
||||||
|
if(!fg)
|
||||||
|
return NULL;
|
||||||
|
while(pwd = fgetpwent(fg)) {
|
||||||
|
if(uid == pwd->pw_uid)
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
fclose(fg);
|
||||||
|
return pwd;
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
return getpwuid(uid);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
extern struct passwd *prefix_getpwnam(const char* name)
|
||||||
|
{
|
||||||
|
if (passwd_db_file) {
|
||||||
|
FILE* fg;
|
||||||
|
struct passwd *pwd = NULL;
|
||||||
|
|
||||||
|
fg = fopen(passwd_db_file, "rt");
|
||||||
|
if(!fg)
|
||||||
|
return NULL;
|
||||||
|
while(pwd = fgetpwent(fg)) {
|
||||||
|
if(!strcmp(name, pwd->pw_name))
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
fclose(fg);
|
||||||
|
return pwd;
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
return getpwnam(name);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
extern struct spwd *prefix_getspnam(const char* name)
|
||||||
|
{
|
||||||
|
if (spw_db_file) {
|
||||||
|
FILE* fg;
|
||||||
|
struct spwd *sp = NULL;
|
||||||
|
|
||||||
|
fg = fopen(spw_db_file, "rt");
|
||||||
|
if(!fg)
|
||||||
|
return NULL;
|
||||||
|
while(sp = fgetspent(fg)) {
|
||||||
|
if(!strcmp(name, sp->sp_namp))
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
fclose(fg);
|
||||||
|
return sp;
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
return getspnam(name);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
extern void prefix_setpwent()
|
||||||
|
{
|
||||||
|
if(!passwd_db_file) {
|
||||||
|
setpwent();
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
if (fp_pwent)
|
||||||
|
fclose (fp_pwent);
|
||||||
|
|
||||||
|
fp_pwent = fopen(passwd_db_file, "rt");
|
||||||
|
if(!fp_pwent)
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
extern struct passwd* prefix_getpwent()
|
||||||
|
{
|
||||||
|
if(!passwd_db_file) {
|
||||||
|
return getpwent();
|
||||||
|
}
|
||||||
|
return fgetpwent(fp_pwent);
|
||||||
|
}
|
||||||
|
extern void prefix_endpwent()
|
||||||
|
{
|
||||||
|
if(!passwd_db_file) {
|
||||||
|
endpwent();
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
if (fp_pwent)
|
||||||
|
fclose(fp_pwent);
|
||||||
|
fp_pwent = NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
extern void prefix_setgrent()
|
||||||
|
{
|
||||||
|
if(!group_db_file) {
|
||||||
|
setgrent();
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
if (fp_grent)
|
||||||
|
fclose (fp_grent);
|
||||||
|
|
||||||
|
fp_grent = fopen(group_db_file, "rt");
|
||||||
|
if(!fp_grent)
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
extern struct group* prefix_getgrent()
|
||||||
|
{
|
||||||
|
if(!group_db_file) {
|
||||||
|
return getgrent();
|
||||||
|
}
|
||||||
|
return fgetgrent(fp_grent);
|
||||||
|
}
|
||||||
|
extern void prefix_endgrent()
|
||||||
|
{
|
||||||
|
if(!group_db_file) {
|
||||||
|
endgrent();
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
if (fp_grent)
|
||||||
|
fclose(fp_grent);
|
||||||
|
fp_grent = NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
extern struct group *prefix_getgr_nam_gid(const char *grname)
|
||||||
|
{
|
||||||
|
long long int gid;
|
||||||
|
char *endptr;
|
||||||
|
|
||||||
|
if (NULL == grname) {
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (group_db_file) {
|
||||||
|
errno = 0;
|
||||||
|
gid = strtoll (grname, &endptr, 10);
|
||||||
|
if ( ('\0' != *grname)
|
||||||
|
&& ('\0' == *endptr)
|
||||||
|
&& (ERANGE != errno)
|
||||||
|
&& (gid == (gid_t)gid)) {
|
||||||
|
return prefix_getgrgid ((gid_t) gid);
|
||||||
|
}
|
||||||
|
return prefix_getgrnam (grname);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
return getgr_nam_gid(grname);
|
||||||
|
}
|
||||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user