Compare commits
835 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| abac5f8d6c | |||
| 88de51965d | |||
| df6b651325 | |||
| 406a28db14 | |||
| 00bcf65d58 | |||
| 9105fcd24c | |||
| ba18b6cab2 | |||
| b43b5a89d1 | |||
| 591aa8debe | |||
| bcd42a4c62 | |||
| 589f97ade4 | |||
| d7f24f954e | |||
| f9176c3be3 | |||
| bc6cd09194 | |||
| b8a7c3ac04 | |||
| 133b10b734 | |||
| 40146019e6 | |||
| 3588f5d2a3 | |||
| af6b417156 | |||
| 9b4168f0b2 | |||
| fd20e4fe4b | |||
| d779e83350 | |||
| 8b5c7cace3 | |||
| 182a8cf464 | |||
| b20639f055 | |||
| 0531cb85a4 | |||
| 19ebc9d55a | |||
| f19610854c | |||
| 398a6d383a | |||
| 70c472f91d | |||
| 3b66774757 | |||
| a975974d2c | |||
| 25df6ffc55 | |||
| 9eb5f5e758 | |||
| e530aed7c6 | |||
| 39c9155f66 | |||
| 60d4dc5ae0 | |||
| 5a3eada191 | |||
| 616a2b0c7b | |||
| 9089583e08 | |||
| b89c17643b | |||
| 83c828d86a | |||
| 786bb46ef9 | |||
| d4fc50519b | |||
| 45c29ff8ce | |||
| 8e21a0615d | |||
| b679e205d8 | |||
| 186f8f8c5a | |||
| d53df510ec | |||
| 569a90cd97 | |||
| b5d9320f6d | |||
| f1e917cc43 | |||
| 365658d0f3 | |||
| 83e36d1e1b | |||
| d9e428fd63 | |||
| 3fcf082618 | |||
| 68cd195044 | |||
| d8af4b7e5b | |||
| 598853e638 | |||
| 5a6e0c0ebd | |||
| f9aecd19f3 | |||
| 14d5db18a8 | |||
| 7df6dd8cf2 | |||
| d5849a0f2b | |||
| e56640f2af | |||
| bfaa59229d | |||
| a497c3663f | |||
| 07dea48511 | |||
| 0f4406b757 | |||
| 2141c2f804 | |||
| c3503a0b5c | |||
| 63448ba21d | |||
| a933847574 | |||
| 6e19e48f9b | |||
| de99d9b9d6 | |||
| 03c52251fb | |||
| aadd2f332c | |||
| c634bfd35c | |||
| e1782606c1 | |||
| 11e8de1be1 | |||
| dedf96dd6f | |||
| 4ea3973200 | |||
| 2fb68149d6 | |||
| a154eb5401 | |||
| 4a2fadfa21 | |||
| 1566e6de21 | |||
| acf9e8fa4a | |||
| 6c29058c9f | |||
| 16e593e364 | |||
| e8c4143fdc | |||
| b4ad01d830 | |||
| ea64aa07a8 | |||
| 523b9000fd | |||
| 71869c2d24 | |||
| 2aa9297367 | |||
| 9bc936e018 | |||
| 2ef82ecb53 | |||
| 5fc7602f3e | |||
| 0274441ec5 | |||
| 60c9571605 | |||
| c7e2932be4 | |||
| d480b7dfee | |||
| 260b0eb77a | |||
| 34599da75c | |||
| aeb11d0c3e | |||
| 9c7fd6b104 | |||
| 1f40da3a5f | |||
| c84a3fd5f8 | |||
| 25cba03d2d | |||
| 68ee6e45ad | |||
| 00e4c00838 | |||
| 45c41f0de6 | |||
| b27aad278a | |||
| 57283d75f7 | |||
| ec09609355 | |||
| ad21753e53 | |||
| 2649a0dc50 | |||
| 68fb7adaf7 | |||
| bbfcca9015 | |||
| 65b471a2f2 | |||
| 0e011449f7 | |||
| 99a8e345da | |||
| 7573a1f684 | |||
| d89d44af82 | |||
| 13f031cd67 | |||
| 0c7f32eab6 | |||
| 16796d7e3b | |||
| 371d5aa969 | |||
| 0687637b17 | |||
| 4294d76926 | |||
| e2fa8501ca | |||
| 0047ae2042 | |||
| 820997101a | |||
| 2e8f003402 | |||
| 2e014282f7 | |||
| be2dc119ed | |||
| 1e2d22eb6b | |||
| 35d80a0a73 | |||
| f06ef92c66 | |||
| 22d833f38e | |||
| 08807ee3fc | |||
| 80a1bae6fe | |||
| e8bdaa552b | |||
| 60bf0e1338 | |||
| 33f491513e | |||
| db1dc7288b | |||
| 36ff9fa1df | |||
| 6d11fd0a58 | |||
| c0dbed948f | |||
| 03e6eeb8bb | |||
| 9cf5fea519 | |||
| 62c424ce33 | |||
| 346bc7c0df | |||
| d977bc5d19 | |||
| 4a0d11ba27 | |||
| 8d3f289bd8 | |||
| 7a04299f9e | |||
| 770fddc081 | |||
| b079e4f331 | |||
| ac43a9a2d5 | |||
| 5c999162fa | |||
| 4d45becee0 | |||
| 057ad9bb69 | |||
| 27c3b04789 | |||
| 553718623c | |||
| 438596a720 | |||
| 5e3b5ba676 | |||
| 7ca179b885 | |||
| 1bd5acfa3f | |||
| a10d121ff7 | |||
| c16590aaf3 | |||
| 013637e2de | |||
| c8c3924815 | |||
| 18d4a7a6a9 | |||
| 36018131dd | |||
| f35045dcf1 | |||
| 2a2cee4a95 | |||
| 30eae84422 | |||
| 62c0ed4fcb | |||
| 315479a6ce | |||
| a240b74921 | |||
| 48841074a0 | |||
| c55dcada36 | |||
| b7d5465b0e | |||
| 5f5b7d56a6 | |||
| ca30001269 | |||
| e45face1d2 | |||
| 2ad689b454 | |||
| 53b76ca815 | |||
| 21b505094a | |||
| 89c37173e1 | |||
| 7ab1a77227 | |||
| 1d04d40bc6 | |||
| 3bde6ef31b | |||
| 2dd2472e22 | |||
| e065751f91 | |||
| f2973dcc5a | |||
| 907c0ab20b | |||
| 9171ec4eae | |||
| f21fe99292 | |||
| 96845a5867 | |||
| d984dcb999 | |||
| eafbe03cc8 | |||
| b63ac7ac95 | |||
| 3dc001c683 | |||
| 3cb3fec04a | |||
| d6508a4fed | |||
| 3b694115de | |||
| 903f041993 | |||
| 9811f7fd4a | |||
| 5852c4eb9b | |||
| b954300b83 | |||
| a2c7f4c8a5 | |||
| 8e85d1cb82 | |||
| ec7f69e97a | |||
| fbdc52a86d | |||
| dff2fa836e | |||
| 190dfc30eb | |||
| 8ba58a61d5 | |||
| c980cb6b3a | |||
| 30b6ca81e0 | |||
| 541f6a66b8 | |||
| c6175f07e3 | |||
| 0b8b6534cc | |||
| f6de85357c | |||
| 913827c3c1 | |||
| 5fdb900d7b | |||
| 7803aa52ab | |||
| 54746f0d92 | |||
| dd612ca974 | |||
| 55b516ba94 | |||
| bda5661096 | |||
| 186f0b002a | |||
| ce533f3250 | |||
| eb3cd52450 | |||
| 28af4c5bc5 | |||
| 5bb64ec036 | |||
| 6b8409e9e8 | |||
| 4a5447d4d7 | |||
| 1c619c768d | |||
| af075bffc9 | |||
| 971f260e94 | |||
| 9f71e81c91 | |||
| 7dc1f3b2dd | |||
| 5431d2abe2 | |||
| 47bbcf4dc4 | |||
| b512961c12 | |||
| efab223b05 | |||
| cd964eccb5 | |||
| 1ce22b1adc | |||
| 6c4c7f47a0 | |||
| 53ba4f6fc6 | |||
| 2d0341ae26 | |||
| edc2bc5556 | |||
| a3e655cc19 | |||
| 34e67733ad | |||
| f261f8897d | |||
| b2f829c0d9 | |||
| e44a7c5333 | |||
| 5256839da0 | |||
| 053fd6f667 | |||
| d25fbce118 | |||
| 4d3d2852df | |||
| 35f6fa4fb2 | |||
| 8c79098041 | |||
| 227e780644 | |||
| 85f90d1aa2 | |||
| 2fcaf22140 | |||
| ff97ca76fc | |||
| b7a8fec626 | |||
| 7d143a73d5 | |||
| fd69ebf5a9 | |||
| 9fa842ffbf | |||
| 5305181f4e | |||
| 5760010c6a | |||
| ed983623b7 | |||
| 871df6e34b | |||
| 279b8e9b69 | |||
| 9540ec861e | |||
| d408a3cdda | |||
| 51520f2c77 | |||
| c0a26b82ae | |||
| 133092e437 | |||
| 6f7963a3ea | |||
| d2b12355ee | |||
| c0e2ae0e41 | |||
| 6e0036f616 | |||
| 12e0029b68 | |||
| efd41d31d8 | |||
| ea725da60f | |||
| ec9d756fc7 | |||
| e74300f9f3 | |||
| ce687005c7 | |||
| 645829be3b | |||
| 87134054ab | |||
| f26adb9373 | |||
| 563facd989 | |||
| 5292e8e37e | |||
| 4a79eb6418 | |||
| d36e1588a4 | |||
| 3a8fc569dc | |||
| d88fee56d0 | |||
| 8c071f98f4 | |||
| 17589834e9 | |||
| b1dcbb9109 | |||
| ff21533772 | |||
| 8e4062eaad | |||
| 3e7c866497 | |||
| 25eb9fd7e9 | |||
| a472a22b42 | |||
| 528435663e | |||
| 13125b6596 | |||
| e642700f7c | |||
| 1c05718b49 | |||
| 21b28d9ac2 | |||
| 31b4793161 | |||
| 831ca2acc0 | |||
| c959b173fa | |||
| 494fe327a2 | |||
| 32ee5cf5a4 | |||
| 1dab661a88 | |||
| 5c743da48c | |||
| 34b64c6a5c | |||
| 520c3d2ee8 | |||
| edc1e3de4c | |||
| 51c1b4fd6e | |||
| dc8ebb9a93 | |||
| 3f81b32b3a | |||
| 05712cf244 | |||
| 3cd211df74 | |||
| eed7f843e5 | |||
| 0dd4550277 | |||
| 4f0461c5aa | |||
| 801dc30dc9 | |||
| 81d3f93571 | |||
| 2bbe223879 | |||
| 5a13d590df | |||
| 150d37d441 | |||
| 92ada6ae8c | |||
| f844f3fc1f | |||
| f04a81b799 | |||
| ac62509912 | |||
| 090dcd4714 | |||
| 2772f3caaf | |||
| d4da487911 | |||
| 26d47d4a13 | |||
| 7aa5afbe3e | |||
| 8e07b2236e | |||
| b82323f6fc | |||
| 2da85fc32b | |||
| 036fdfd2cb | |||
| 3081241777 | |||
| 3472bee15a | |||
| a6336f11f8 | |||
| 3b6a675f3f | |||
| bcd3d8c1b8 | |||
| 7de171da64 | |||
| fc3fa0e293 | |||
| 53b2f99d37 | |||
| 056347f7a0 | |||
| 80d3925cc1 | |||
| 4ff6fdd350 | |||
| 6fd2918f82 | |||
| 991d707460 | |||
| 6268434a34 | |||
| 79bd47d726 | |||
| 6a94f65dc6 | |||
| f38390ecf8 | |||
| 1906527bb8 | |||
| 4de1bfac9c | |||
| ce8580ca6d | |||
| 78fd15bab1 | |||
| f32335f6f9 | |||
| c7df39a736 | |||
| cc5a9f7708 | |||
| f1bb2c3848 | |||
| 5f632d1a86 | |||
| 56545b1b78 | |||
| 43c4c62ad7 | |||
| 9530fa372c | |||
| 26691d3301 | |||
| a8a28eba99 | |||
| 3cdfbb6cef | |||
| 250ed8cf16 | |||
| c6e3185f0c | |||
| cd10fe20c5 | |||
| 31678f87d9 | |||
| b318b6721e | |||
| 0fe9b6b867 | |||
| 3a91912281 | |||
| b1286d31fd | |||
| 5c8a6cd6eb | |||
| 68fdd46a81 | |||
| 76097618c2 | |||
| fe99e0edd8 | |||
| a000373d8d | |||
| 8c5876cef0 | |||
| f5e0895b3a | |||
| da9a0615de | |||
| 1640002065 | |||
| 53f2df3ded | |||
| 49a95f6c07 | |||
| 3ababb2263 | |||
| 20ba2e50ab | |||
| 282bbb9cfc | |||
| 52f620f78d | |||
| 0bdd59ac57 | |||
| f1127e1aac | |||
| e9e97852cf | |||
| 43cd3dc662 | |||
| 070ba9d6d4 | |||
| ce9ed32e74 | |||
| 9e83d9f840 | |||
| 96866ff296 | |||
| 1a58cb2346 | |||
| 01b11c5f84 | |||
| 91c630033d | |||
| 8422a00909 | |||
| fa16e07b2e | |||
| bf28febe2f | |||
| 4375e97124 | |||
| b42d7cf631 | |||
| b3a4a77b46 | |||
| 65269966d5 | |||
| 86ce147df1 | |||
| d868434939 | |||
| 3e50639cba | |||
| d3a0659e13 | |||
| 199d8b2719 | |||
| e9b12a545d | |||
| 0d29450314 | |||
| 96432cb7a1 | |||
| d2a6818f17 | |||
| c2b51209bb | |||
| 436996ed07 | |||
| 3d5b4ce121 | |||
| f121e979bb | |||
| cb8f35691a | |||
| 0ea08a3961 | |||
| 9ef58601e0 | |||
| 130e26d582 | |||
| 3462794b84 | |||
| f82f0de34e | |||
| eb61b09070 | |||
| a97b3a382b | |||
| f3ef07b8c7 | |||
| 8f4d210b31 | |||
| 6ff5ab6af4 | |||
| cfbe85f1f0 | |||
| 6752d525c3 | |||
| 36595ad2cd | |||
| 88e88fbf27 | |||
| f2915bc349 | |||
| fca246813e | |||
| 9292f7b951 | |||
| ff0f6c28eb | |||
| c556de2b56 | |||
| 7890eab89b | |||
| f9aee80330 | |||
| d9b8c55516 | |||
| c3e1c92fa7 | |||
| 8cd330b97a | |||
| 156bd855d4 | |||
| 5324b00638 | |||
| ba569f80b6 | |||
| d6495cab07 | |||
| 5520ea45cc | |||
| 98df44c5a1 | |||
| e5aa1773d3 | |||
| f810e0a171 | |||
| 4e2e230b07 | |||
| d65a81cc37 | |||
| 9febd5c52e | |||
| c9eb7cb521 | |||
| d6271f27b8 | |||
| 4d7d93d08a | |||
| 127ac7cf5e | |||
| 292b47c386 | |||
| 2d99df028e | |||
| 8009e96f35 | |||
| d485633edc | |||
| 81c1f063d2 | |||
| 067fb2ff47 | |||
| 3052b0306d | |||
| 1b0a6b20be | |||
| bce89b7cad | |||
| 0a6760339d | |||
| e379403368 | |||
| 02cfa1e96e | |||
| ae2a17ec1c | |||
| 7b6b6a081f | |||
| a89ae2b415 | |||
| f6b6e256d0 | |||
| 95611179d1 | |||
| a8fe4890d5 | |||
| 4c58978bf2 | |||
| d97b4164c7 | |||
| 049e27557a | |||
| 11e7186926 | |||
| 40065af03f | |||
| b30988f25e | |||
| 99858683d0 | |||
| d3b0033664 | |||
| e1d86d97bb | |||
| a1a7ad3bee | |||
| beb38aa933 | |||
| a3a623daed | |||
| d2bd32ab51 | |||
| 420463e136 | |||
| 34cc1b4591 | |||
| 40f31fe111 | |||
| 66d1c537b8 | |||
| 0d5d805ba3 | |||
| af0a5b3a7e | |||
| e6fdd218b5 | |||
| 9c9b12ccfb | |||
| 208cc24840 | |||
| 00fa6ffc89 | |||
| 562ea47e66 | |||
| 33d5f5d307 | |||
| 7ab05204f9 | |||
| 7ff74651d9 | |||
| b13dde1746 | |||
| 5ef093d38e | |||
| d56e6d08bc | |||
| b98c5149da | |||
| 1ccdb08ab2 | |||
| 39553bc84a | |||
| 2a3f424d3d | |||
| 49db6466e1 | |||
| b09af63a5d | |||
| d9a24cc82c | |||
| ab1840c6d6 | |||
| 14aaa22238 | |||
| e7bb558118 | |||
| bb269e44d7 | |||
| 2ad293e849 | |||
| e6bc2c9f9b | |||
| af76777327 | |||
| 4d7b872d28 | |||
| bc66fb0ed3 | |||
| a295dc0f1b | |||
| 097d6864f7 | |||
| b7bf03b161 | |||
| 7a78d9c181 | |||
| d548fe213b | |||
| 0423800e3e | |||
| e98619c71c | |||
| 8f364eb05a | |||
| 0ca7b0bfb3 | |||
| 09b2603e32 | |||
| cd0a2dd06d | |||
| d4931a4aef | |||
| 0b36e4e59f | |||
| 51c59171e4 | |||
| 474d525137 | |||
| f0866cc1fb | |||
| f4c395459d | |||
| 8f64322393 | |||
| 5e45536e26 | |||
| a645f89697 | |||
| 02e5dbd136 | |||
| fd204abcae | |||
| 9fb40391f8 | |||
| 6657ff38e5 | |||
| 43515a0924 | |||
| 66c00bd2be | |||
| 101469c265 | |||
| dbe74223ee | |||
| 9d3a7eb59a | |||
| 21d6b34360 | |||
| da34d2eac4 | |||
| f34f017160 | |||
| 0323eeb589 | |||
| 26d0bcb51f | |||
| c5d02f1f2f | |||
| 3ccb21e2ff | |||
| fe497cb98e | |||
| 557a602026 | |||
| 57d512829c | |||
| d7e3907ab6 | |||
| 6d4f30fbeb | |||
| f7ea46fe79 | |||
| 1c142ff073 | |||
| 6edf9089ec | |||
| af8755d005 | |||
| 0c13397839 | |||
| ec60f91bc5 | |||
| 1e73fef46e | |||
| 469a214650 | |||
| d638e563b6 | |||
| ae59303366 | |||
| 291b61a6c3 | |||
| 515dbe2f9a | |||
| f1fd47e349 | |||
| d181848c75 | |||
| c0dda226c3 | |||
| 7c0c287396 | |||
| 6232365cea | |||
| 455c9e8673 | |||
| 3c064bcebb | |||
| 3152fbd0d2 | |||
| 560095862a | |||
| 126500c911 | |||
| 855c092543 | |||
| b705ca4d97 | |||
| 9fc3874093 | |||
| e780891e11 | |||
| 22278063de | |||
| edde4d731d | |||
| 30c5ceb601 | |||
| 22a26e92e4 | |||
| 2d5f7a20d7 | |||
| 8d682b7f61 | |||
| 39c3a9c268 | |||
| 510226f810 | |||
| 0db4a29c22 | |||
| e5dd164814 | |||
| a80f47a81d | |||
| 40461f86ed | |||
| 5a1749e06e | |||
| 7500d0ec1c | |||
| 6da3c2ba7f | |||
| 4fa62a74e2 | |||
| 5901e73a95 | |||
| 79081455e3 | |||
| 73fe74c374 | |||
| d56b246d1b | |||
| 792ea0fa66 | |||
| 42f0bdb7aa | |||
| eeccfb8f62 | |||
| 90895612f1 | |||
| c284183a26 | |||
| bf4b725f01 | |||
| 20de595e37 | |||
| 92ff2a501d | |||
| 6aec5248e8 | |||
| dbecb8a7c0 | |||
| 61fb780f5c | |||
| ac4b6af8e9 | |||
| 5f027bb6a4 | |||
| c53557d535 | |||
| afce34ff40 | |||
| 312f23ab50 | |||
| 93933b959d | |||
| 5af0050d0a | |||
| 993f5134fd | |||
| 89e6ca0d7e | |||
| 7857beaf95 | |||
| 86aaea0978 | |||
| 8779ad5ec2 | |||
| eb2337b2c7 | |||
| ac972ba6fb | |||
| e8f45d238f | |||
| d27a65e33b | |||
| 0c6a55969e | |||
| b3acd37d6d | |||
| 99c78a4ae3 | |||
| ffddc3dbf8 | |||
| aaa2195044 | |||
| 9c9b24acaa | |||
| bebb89c93b | |||
| b53ea15a4d | |||
| a2054f9a9d | |||
| ed328dc03c | |||
| f3b4069ba4 | |||
| dac2b189c2 | |||
| 3f9037b282 | |||
| d4f56275e5 | |||
| 062eb42fd4 | |||
| 9768aa54f9 | |||
| 326c956bcd | |||
| 49c32e7ec1 | |||
| c8f4e36ebf | |||
| 57d3f9fa83 | |||
| aeae21cf6e | |||
| 857a615e2c | |||
| 7df22c6930 | |||
| d83880777a | |||
| f490e1a144 | |||
| 27ed5d04f7 | |||
| 98b7858e66 | |||
| 9c0339d436 | |||
| 48537b4957 | |||
| 4146176c08 | |||
| 33ba4c0628 | |||
| 3cf7c19a56 | |||
| 29f48bafae | |||
| 57da5c1045 | |||
| 897f8481b2 | |||
| 2d428c52c9 | |||
| 9d4c337ca1 | |||
| dfff7d3cfe | |||
| 67ac228c4a | |||
| 9e4d6448e6 | |||
| 1cbb3cc320 | |||
| 30d2b24f04 | |||
| 202fb5c463 | |||
| c203282681 | |||
| 1937662816 | |||
| d8b44cb331 | |||
| 4399f64323 | |||
| d17cbbac9f | |||
| d073acd750 | |||
| 1f7ad41762 | |||
| 319a16fc84 | |||
| 6790d09e85 | |||
| de17d213b2 | |||
| e1f8184dc3 | |||
| 91a8f30a61 | |||
| c155f2e39f | |||
| 51f7bfdfde | |||
| 7fb73b155e | |||
| b088dfeff4 | |||
| 1dbaebde63 | |||
| 1023d83acd | |||
| d07207326e | |||
| 2697c9817e | |||
| 159fbaacc0 | |||
| f276efcb29 | |||
| 9300464b43 | |||
| 52635a7d74 | |||
| e47fc28584 | |||
| 37385ee60d | |||
| 7b44b22213 | |||
| fa2b2e905d | |||
| 494e15df37 | |||
| 851446c287 | |||
| 0d183e6b94 | |||
| ffe583db50 | |||
| fffcc837ac | |||
| 1712aa91e9 | |||
| ee5bd9c521 | |||
| 25b03d8cd7 | |||
| 4473bc6264 | |||
| 7be39fc4aa | |||
| f4d0f69e35 | |||
| afabc3beb8 | |||
| 7bbe585f1e | |||
| 3ff563252e | |||
| 5b6ed9c678 | |||
| f9a23b8f67 | |||
| b140a0da35 | |||
| 676f702362 | |||
| 1beaa67010 | |||
| f7679480e6 | |||
| 3354e2dce7 | |||
| ca42fa251a | |||
| bab3f92304 | |||
| 9b9f463b8f | |||
| 3d84c8c91c | |||
| 54e3d28428 | |||
| 0a21c2438e | |||
| 5a9ea180fa | |||
| f77c7d061f | |||
| 02d1ba5c99 | |||
| 106a7a690c | |||
| c3d6c6d5ce | |||
| b2b7993cd0 | |||
| 89c07802de | |||
| 285046bd1e | |||
| 41d38991df | |||
| 517cc9fd79 | |||
| 8b991cdd58 | |||
| b1487cf3e6 | |||
| e158a89d37 | |||
| 632a264077 | |||
| 201d2b1608 | |||
| a48e84f0d6 | |||
| 90b05a2679 | |||
| 36f46d4dfb | |||
| 4a57055073 | |||
| e7ffab6b8e | |||
| 46b0cb2db2 | |||
| bd4b7d0c23 | |||
| 960b18e52e | |||
| dfcdbb7db5 | |||
| dd712a6184 | |||
| e4d00c832f | |||
| 4cff2127e3 | |||
| 837e8bcd05 | |||
| edb3448880 | |||
| 2c6ecc3e02 | |||
| 06f7f0d87f | |||
| 80dcfd6690 | |||
| f6249fb88a | |||
| bb9ad48e4f | |||
| 6cde8339cf | |||
| de62c3d005 | |||
| 54d8487fe3 | |||
| cf35478f4d | |||
| 1c33a0b2e5 | |||
| 5c207aa3ac | |||
| fe6fa70efe | |||
| abbf45f14f | |||
| e3e826734c | |||
| 17026efc75 | |||
| 41a6258033 | |||
| 191be4c39f | |||
| 09e267dad4 | |||
| 459433e461 | |||
| 5ec74ab450 | |||
| 40d644c1b5 | |||
| 11194f7e88 | |||
| 9dcb747e52 | |||
| ab9d319d06 | |||
| 8b6415c8cb | |||
| 5e1e47c89f | |||
| a1bb0a0c36 | |||
| 9765bc4a11 | |||
| 3bc2c036d4 | |||
| d0aa0033ee | |||
| 6d31d38571 | |||
| 2e741e5948 | |||
| 8af99d4da2 | |||
| 6e28c75c09 | |||
| 164c2b24bf | |||
| c6f0bda817 | |||
| 8ebce60492 | |||
| 52af2aa829 | |||
| 62a24d7d0b | |||
| a0d0068f7d | |||
| b2a73af945 | |||
| 75ee1ef03b | |||
| 9df5820cb5 | |||
| 1e502d5cbc | |||
| e4feaa023e | |||
| e895c05aa3 | |||
| 21a85fb04a | |||
| cf467c52af | |||
| 4442be02f7 | |||
| 1ed4974bf0 | |||
| 32d29775bc | |||
| d0e332f49c | |||
| 39beb1da3a |
+50
@@ -0,0 +1,50 @@
|
||||
*~
|
||||
lib*.a
|
||||
*.o
|
||||
*.lo
|
||||
*.la
|
||||
*.gmo
|
||||
.deps
|
||||
.libs
|
||||
|
||||
*.patch
|
||||
*.rej
|
||||
*.orig
|
||||
|
||||
Makefile
|
||||
Makefile.in
|
||||
|
||||
/ABOUT-NLS
|
||||
/aclocal.m4
|
||||
/autom4te.cache
|
||||
/compile
|
||||
/config.cache
|
||||
/config.guess
|
||||
/config.h
|
||||
/config.h.in
|
||||
/config.log
|
||||
/config.rpath
|
||||
/config.status
|
||||
/config.sub
|
||||
/configure
|
||||
/depcomp
|
||||
/install-sh
|
||||
/libtool
|
||||
/ltmain.sh
|
||||
/m4
|
||||
/missing
|
||||
/stamp-h1
|
||||
/ylwrap
|
||||
|
||||
/po/*.header
|
||||
/po/*.sed
|
||||
/po/*.sin
|
||||
/po/Makefile.in.in
|
||||
/po/Makevars.template
|
||||
/po/POTFILES
|
||||
/po/Rules-quot
|
||||
/po/stamp-po
|
||||
|
||||
/shadow.spec
|
||||
/shadow-*.tar.*
|
||||
/libmisc/getdate.c
|
||||
+20
@@ -0,0 +1,20 @@
|
||||
sudo: false
|
||||
|
||||
language: c
|
||||
|
||||
compiler:
|
||||
- gcc
|
||||
- clang
|
||||
|
||||
addons:
|
||||
apt:
|
||||
packages:
|
||||
- autopoint
|
||||
- xsltproc
|
||||
|
||||
script:
|
||||
- ./autogen.sh --without-selinux --disable-man
|
||||
- grep ENABLE_ config.status
|
||||
- make
|
||||
|
||||
# vim:et:ts=2:sw=2
|
||||
@@ -0,0 +1,118 @@
|
||||
NOTE:
|
||||
This license has been obsoleted by the change to the BSD-style copyright.
|
||||
You may continue to use this license if you wish, but you are under no
|
||||
obligation to do so.
|
||||
|
||||
(*
|
||||
This document is freely plagiarised from the 'Artistic Licence',
|
||||
distributed as part of the Perl v4.0 kit by Larry Wall, which is
|
||||
available from most major archive sites. I stole it from CrackLib.
|
||||
|
||||
$Id$
|
||||
*)
|
||||
|
||||
This documents purpose is to state the conditions under which this
|
||||
Package (See definition below) viz: "Shadow", the Shadow Password Suite
|
||||
which is held by Julianne Frances Haugh, may be copied, such that the
|
||||
copyright holder maintains some semblance of artistic control over the
|
||||
development of the package, while giving the users of the package the
|
||||
right to use and distribute the Package in a more-or-less customary
|
||||
fashion, plus the right to make reasonable modifications.
|
||||
|
||||
So there.
|
||||
|
||||
***************************************************************************
|
||||
|
||||
Definitions:
|
||||
|
||||
|
||||
A "Package" refers to the collection of files distributed by the
|
||||
Copyright Holder, and derivatives of that collection of files created
|
||||
through textual modification, or segments thereof.
|
||||
|
||||
"Standard Version" refers to such a Package if it has not been modified,
|
||||
or has been modified in accordance with the wishes of the Copyright
|
||||
Holder.
|
||||
|
||||
"Copyright Holder" is whoever is named in the copyright or copyrights
|
||||
for the package.
|
||||
|
||||
"You" is you, if you're thinking about copying or distributing this
|
||||
Package.
|
||||
|
||||
"Reasonable copying fee" is whatever you can justify on the basis of
|
||||
media cost, duplication charges, time of people involved, and so on.
|
||||
(You will not be required to justify it to the Copyright Holder, but
|
||||
only to the computing community at large as a market that must bear the
|
||||
fee.)
|
||||
|
||||
"Freely Available" means that no fee is charged for the item itself,
|
||||
though there may be fees involved in handling the item. It also means
|
||||
that recipients of the item may redistribute it under the same
|
||||
conditions they received it.
|
||||
|
||||
|
||||
1. You may make and give away verbatim copies of the source form of the
|
||||
Standard Version of this Package without restriction, provided that you
|
||||
duplicate all of the original copyright notices and associated
|
||||
disclaimers.
|
||||
|
||||
2. You may apply bug fixes, portability fixes and other modifications
|
||||
derived from the Public Domain or from the Copyright Holder. A Package
|
||||
modified in such a way shall still be considered the Standard Version.
|
||||
|
||||
3. You may otherwise modify your copy of this Package in any way,
|
||||
provided that you insert a prominent notice in each changed file stating
|
||||
how and when AND WHY you changed that file, and provided that you do at
|
||||
least ONE of the following:
|
||||
|
||||
a) place your modifications in the Public Domain or otherwise make them
|
||||
Freely Available, such as by posting said modifications to Usenet or an
|
||||
equivalent medium, or placing the modifications on a major archive site
|
||||
such as uunet.uu.net, or by allowing the Copyright Holder to include
|
||||
your modifications in the Standard Version of the Package.
|
||||
|
||||
b) use the modified Package only within your corporation or organization.
|
||||
|
||||
c) rename any non-standard executables so the names do not conflict with
|
||||
standard executables, which must also be provided, and provide separate
|
||||
documentation for each non-standard executable that clearly documents
|
||||
how it differs from the Standard Version.
|
||||
|
||||
d) make other distribution arrangements with the Copyright Holder.
|
||||
|
||||
4. You may distribute the programs of this Package in object code or
|
||||
executable form, provided that you do at least ONE of the following:
|
||||
|
||||
a) distribute a Standard Version of the executables and library files,
|
||||
together with instructions (in the manual page or equivalent) on where
|
||||
to get the Standard Version.
|
||||
|
||||
b) accompany the distribution with the machine-readable source of the
|
||||
Package with your modifications.
|
||||
|
||||
c) accompany any non-standard executables with their corresponding
|
||||
Standard Version executables, giving the non-standard executables
|
||||
non-standard names, and clearly documenting the differences in manual
|
||||
pages (or equivalent), together with instructions on where to get the
|
||||
Standard Version.
|
||||
|
||||
d) make other distribution arrangements with the Copyright Holder.
|
||||
|
||||
5. You may charge a reasonable copying fee for any distribution of this
|
||||
Package. You may charge any fee you choose for support of this Package.
|
||||
YOU MAY NOT CHARGE A FEE FOR THIS PACKAGE ITSELF. However, you may
|
||||
distribute this Package in aggregate with other (possibly commercial)
|
||||
programs as part of a larger (possibly commercial) software distribution
|
||||
provided that YOU DO NOT ADVERTISE this package as a product of your
|
||||
own.
|
||||
|
||||
6. The name of the Copyright Holder may not be used to endorse or
|
||||
promote products derived from this software without specific prior
|
||||
written permission.
|
||||
|
||||
7. THIS PACKAGE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED
|
||||
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
|
||||
MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
|
||||
|
||||
The End
|
||||
@@ -0,0 +1,6 @@
|
||||
## Process this file with automake to produce Makefile.in
|
||||
|
||||
EXTRA_DIST = NEWS README TODO shadow.spec.in
|
||||
|
||||
SUBDIRS = po man libmisc lib src \
|
||||
contrib doc etc
|
||||
@@ -0,0 +1,122 @@
|
||||
Shadow SITES
|
||||
============
|
||||
|
||||
Homepage
|
||||
http://pkg-shadow.alioth.debian.org/
|
||||
|
||||
FTP site
|
||||
ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow
|
||||
|
||||
SVN repository
|
||||
anonymous read only access: svn://svn.debian.org/pkg-shadow/upstream
|
||||
|
||||
SVN web interface
|
||||
http://svn.debian.org/wsvn/pkg-shadow/upstream
|
||||
or
|
||||
http://svn.debian.org/viewsvn/pkg-shadow/upstream
|
||||
|
||||
Mailing lists
|
||||
for general discuss: pkg-shadow-devel@lists.alioth.debian.org
|
||||
commit list: pkg-shadow-commits@lists.alioth.debian.org
|
||||
|
||||
Mailing lists subscription
|
||||
http://lists.alioth.debian.org/mailman/listinfo/pkg-shadow-devel
|
||||
http://lists.alioth.debian.org/mailman/listinfo/pkg-shadow-commits
|
||||
|
||||
Mailing lists archives:
|
||||
http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/
|
||||
http://lists.alioth.debian.org/pipermail/pkg-shadow-commits/
|
||||
|
||||
S/Key support:
|
||||
Shadow can be built with S/Key support using the S/Key package from:
|
||||
|
||||
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libskey/
|
||||
or
|
||||
http://gentoo.osuosl.org/distfiles/skey-1.1.5.tar.bz2
|
||||
|
||||
Authors and contributors
|
||||
========================
|
||||
|
||||
Thanks to at least the following people for sending patches, bug
|
||||
reports and various comments. This list may be incomplete, I received
|
||||
a lot of mail...
|
||||
|
||||
|
||||
Adam Rudnicki <adam@v-lo.krakow.pl>
|
||||
Alan Curry <pacman@tardis.mars.net>
|
||||
Alexander O. Yuriev <alex@bach.cis.temple.edu>
|
||||
Algis Rudys <arudys@rice.edu>
|
||||
Andreas Jaeger <aj@arthur.rhein-neckar.de>
|
||||
Aniello Del Sorbo <anidel@edu-gw.dia.unisa.it>
|
||||
Anton Gluck <gluc@midway.uchicago.edu>
|
||||
Arkadiusz Miskiewicz <misiek@pld.org.pl>
|
||||
Ben Collins <bcollins@debian.org>
|
||||
Brian R. Gaeke <brg@dgate.org>
|
||||
Calle Karlsson <ckn@kash.se>
|
||||
Chip Rosenthal <chip@unicom.com>
|
||||
Chris Evans <lady0110@sable.ox.ac.uk>
|
||||
Cristian Gafton <gafton@sorosis.ro>
|
||||
Dan Walsh <dwalsh@redhat.com>
|
||||
Darcy Boese <possum@chardonnay.niagara.com>
|
||||
Dave Hagewood <admin@arrowweb.com>
|
||||
David A. Holland <dholland@hcs.harvard.edu>
|
||||
David Frey <David.Frey@lugs.ch>
|
||||
Ed Carp <ecarp@netcom.com>
|
||||
Floody <flood@evcom.net>
|
||||
Frank Denis <j@4u.net>
|
||||
George Kraft IV <gk4@us.ibm.com>
|
||||
Greg Mortensen <loki@world.std.com>
|
||||
Guido van Rooij
|
||||
Guy Maor <maor@debian.org>
|
||||
Hrvoje Dogan <hdogan@bjesomar.srce.hr>
|
||||
Jakub Hrozek <jhrozek@redhat.com>
|
||||
Janos Farkas <chexum@bankinf.banki.hu>
|
||||
Jay Soffian <jay@lw.net>
|
||||
Jesse Thilo <Jesse.Thilo@pobox.com>
|
||||
Joey Hess <joey@kite.ml.org>
|
||||
John Adelsberger <jja@umr.edu>
|
||||
Jonathan Hankins <jhankins@mailserv.homewood.k12.al.us>
|
||||
Jon Lewis <jlewis@lewis.org>
|
||||
Joshua Cowan <jcowan@hermit.reslife.okstate.edu>
|
||||
Judd Bourgeois <shagboy@bluesky.net>
|
||||
Juergen Heinzl <unicorn@noris.net>
|
||||
Juha Virtanen <jiivee@iki.fi>
|
||||
Julian Pidancet <julian.pidancet@gmail.com>
|
||||
Julianne Frances Haugh <jockgrrl@ix.netcom.com>
|
||||
Leonard N. Zubkoff <lnz@dandelion.com>
|
||||
Luca Berra <bluca@www.polimi.it>
|
||||
Lukáš Kuklínek <lkukline@redhat.com>
|
||||
Lutz Schwalowsky <schwalow@mineralogie.uni-hamburg.de>
|
||||
Marc Ewing <marc@redhat.com>
|
||||
Martin Bene <mb@sime.com>
|
||||
Martin Mares <mj@gts.cz>
|
||||
Michael Meskes <meskes@topsystem.de>
|
||||
Michael Talbot-Wilson <mike@calypso.bns.com.au>
|
||||
Mike Frysinger <vapier@gentoo.org>
|
||||
Mike Pakovic <mpakovic@users.southeast.net>
|
||||
Nicolas François <nicolas.francois@centraliens.net>
|
||||
Nikos Mavroyanopoulos <nmav@i-net.paiko.gr>
|
||||
Pavel Machek <pavel@bug.ucw.cz>
|
||||
Peter Vrabec <pvrabec@redhat.com>
|
||||
Phillip Street
|
||||
Rafał Maszkowski <rzm@icm.edu.pl>
|
||||
Rani Chouha <ranibey@smartec.com>
|
||||
Sami Kerola <kerolasa@rocketmail.com>
|
||||
Scott Garman <scott.a.garman@intel.com>
|
||||
Sebastian Rick Rijkers <srrijkers@gmail.com>
|
||||
Seraphim Mellos <mellos@ceid.upatras.gr>
|
||||
Shane Watts <shane@nexus.mlckew.edu.au>
|
||||
Steve M. Robbins <steve@nyongwa.montreal.qc.ca>
|
||||
Thorsten Kukuk <kukuk@suse.de>
|
||||
Tim Hockin <thockin@eagle.ais.net>
|
||||
Timo Karjalainen <timok@iki.fi>
|
||||
Ulisses Alonso Camaro <ulisses@pusa.eleinf.uv.es>
|
||||
Werner Fink <werner@suse.de>
|
||||
|
||||
Maintainers
|
||||
===========
|
||||
|
||||
Tomasz Kłoczko <kloczek@pld.org.pl> (2000-2007)
|
||||
Nicolas François <nicolas.francois@centraliens.net> (2007-2014)
|
||||
Serge E. Hallyn <serge@hallyn.com> (2014-now)
|
||||
|
||||
@@ -0,0 +1,127 @@
|
||||
* Create a common usage function that'd take the array of
|
||||
long options and an array of descriptions and output that so things would
|
||||
be standardized across the utils.
|
||||
Usage strings should be normalized and split first.
|
||||
Investigate optparse.
|
||||
|
||||
|
||||
/etc/default/useradd
|
||||
* GROUP=1000 should accept a group name.
|
||||
|
||||
Check when RLOGIN is enabled if ruserok() exists
|
||||
|
||||
Move selinux_file_context out of libmisc/copydir.c
|
||||
|
||||
Review hardcoded root account?
|
||||
|
||||
review all call to strto
|
||||
|
||||
libmisc/cleanup_user.c
|
||||
cleanup needed (cleanup_report_add_user* not used)
|
||||
|
||||
|
||||
libxcrypt support
|
||||
* http://wiki.linuxfromscratch.org/patches/browser/trunk/shadow/shadow-4.0.18.1-owl_blowfish-1.patch
|
||||
|
||||
implement getlong, getulong.
|
||||
avoid atoi, atol, atoul, strtol, strtoul, ...
|
||||
|
||||
manpages: comment the RLOGIN parts
|
||||
|
||||
Replace build_list (in lib/gshadow.c) and list (in lib/sgetgrent.c) by
|
||||
comma_to_list()
|
||||
|
||||
Revert the modified files if all files could not be changed.
|
||||
* or warn and indicate which files were modified and which were not.
|
||||
* check the order the files are modified.
|
||||
|
||||
report nscd_flush_cache failures?
|
||||
call nscd from the programs or from lib (commonio?)
|
||||
|
||||
PAM: check if a non-interactive conversation function could be used to set
|
||||
the password in chpasswd and newusers
|
||||
|
||||
WITH_SELINUX
|
||||
- review all tools to check that the strategies are consistent
|
||||
|
||||
chage, chfn, chsh: same change needed as in passwd.
|
||||
- probably need moving check_selinux_access to a separate file.
|
||||
|
||||
testsuite
|
||||
- newgrp
|
||||
- test with unknown user's GID
|
||||
|
||||
newusers
|
||||
- add logging to SYSLOG & AUDIT
|
||||
- use CREATE_HOME
|
||||
- Add a -Z option (see useradd / usermod)
|
||||
|
||||
Document when/where option appeared, document whether an option is standard
|
||||
or not.
|
||||
|
||||
Check all the expiry semantics
|
||||
|
||||
ALL:
|
||||
- move base passwd/shadow/group/gshadow operation to module for allow write
|
||||
different backend modules for db, NIS, LDAP and others. Default backend it
|
||||
will be goot if will be chosen depending on /etc/nsswitch.conf and allow
|
||||
override this by -r <repository> options (where the <repository> can be
|
||||
file, db, nis nisplus, ldap .. like on /etc/nsswitch.conf in service column).
|
||||
passwd have old piece of code with handling -r option and it will be good
|
||||
finish this and propagate on other shadow tools for allow operate on other
|
||||
user databases by well known tools.
|
||||
- Protect against signals. Register do_cleanups in a signal handler.
|
||||
|
||||
- login.defs
|
||||
- generate depending on configuration
|
||||
|
||||
- useradd:
|
||||
- add handle create user mail spool in maildir format.
|
||||
- Add support for -k in -D mode
|
||||
- Add support for -K in -D mode
|
||||
- Add option to create or not the mail spool (and set the default in -D
|
||||
mode)
|
||||
- Change -l to reset the entry if an entry was already there
|
||||
- set the mask in mkdir?
|
||||
|
||||
- userdel:
|
||||
- add backup option for the removal of user resources,
|
||||
- user_busy: check that the user is not running any processes.
|
||||
- missing "deleting group" FAILED
|
||||
- home dir removed, but userdel may fail and may leave the user
|
||||
=> warning needed
|
||||
|
||||
- usermod
|
||||
- add an option equivalent to useradd's -l (only when uid is changed)
|
||||
- the mode of new home directories should be set according to the
|
||||
original mode. Does copy_tree does this?
|
||||
- user renamed, order is not kept in /etc/group (see
|
||||
47_usermod-l_no_shadow_file). This is a problem when the first user is
|
||||
considered as the admin.
|
||||
- see mail "user ID change" on April, 15
|
||||
+ fix call to chown (combination of -m and -u/-g)
|
||||
+ add tests
|
||||
|
||||
- passwd:
|
||||
- check combination of options (e.g. -u/-l)
|
||||
- when -u refuse to unlock because it would create an empty password, it
|
||||
should not display "Password changed."
|
||||
exit instead?
|
||||
|
||||
- newgrp: check the USE_PAM section.
|
||||
|
||||
- pwck
|
||||
- Add check to move passwd passwords to shadow if there is a shadow
|
||||
entry (with a password).
|
||||
- Add check to move passwd passwords to shadow if there is a shadow
|
||||
file.
|
||||
- Support an alternative /etc/tcb directory as second parameter.
|
||||
- add options -g / -G to specify alternative group / gshadow files
|
||||
|
||||
- su
|
||||
- add a login.defs configuration parameter to add variables to keep in
|
||||
the environment with "su -l" (TERM/TERMCOLOR/...)
|
||||
|
||||
- vipw
|
||||
- set ACLs and XATTRs on the temporary file (and backups?)
|
||||
- vipw + selinux -> use lib/selinux.c
|
||||
@@ -0,0 +1,54 @@
|
||||
# Checks the location of the XML Catalog
|
||||
# Usage:
|
||||
# JH_PATH_XML_CATALOG([ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
|
||||
# Defines XMLCATALOG and XML_CATALOG_FILE substitutions
|
||||
AC_DEFUN([JH_PATH_XML_CATALOG],
|
||||
[
|
||||
# check for the presence of the XML catalog
|
||||
AC_ARG_WITH([xml-catalog],
|
||||
AC_HELP_STRING([--with-xml-catalog=CATALOG],
|
||||
[path to xml catalog to use]),,
|
||||
[with_xml_catalog=/etc/xml/catalog])
|
||||
jh_found_xmlcatalog=true
|
||||
XML_CATALOG_FILE="$with_xml_catalog"
|
||||
AC_SUBST([XML_CATALOG_FILE])
|
||||
AC_MSG_CHECKING([for XML catalog ($XML_CATALOG_FILE)])
|
||||
if test -f "$XML_CATALOG_FILE"; then
|
||||
AC_MSG_RESULT([found])
|
||||
else
|
||||
jh_found_xmlcatalog=false
|
||||
AC_MSG_RESULT([not found])
|
||||
fi
|
||||
|
||||
# check for the xmlcatalog program
|
||||
AC_PATH_PROG(XMLCATALOG, xmlcatalog, no)
|
||||
if test "x$XMLCATALOG" = xno; then
|
||||
jh_found_xmlcatalog=false
|
||||
fi
|
||||
|
||||
if $jh_found_xmlcatalog; then
|
||||
ifelse([$1],,[:],[$1])
|
||||
else
|
||||
ifelse([$2],,[AC_MSG_ERROR([could not find XML catalog])],[$2])
|
||||
fi
|
||||
])
|
||||
|
||||
# Checks if a particular URI appears in the XML catalog
|
||||
# Usage:
|
||||
# JH_CHECK_XML_CATALOG(URI, [FRIENDLY-NAME], [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
|
||||
AC_DEFUN([JH_CHECK_XML_CATALOG],
|
||||
[
|
||||
AC_REQUIRE([JH_PATH_XML_CATALOG],[JH_PATH_XML_CATALOG(,[:])])dnl
|
||||
AC_MSG_CHECKING([for ifelse([$2],,[$1],[$2]) in XML catalog])
|
||||
if $jh_found_xmlcatalog && \
|
||||
AC_RUN_LOG([$XMLCATALOG --noout "$XML_CATALOG_FILE" "$1" >&2]); then
|
||||
AC_MSG_RESULT([found])
|
||||
ifelse([$3],,,[$3
|
||||
])dnl
|
||||
else
|
||||
AC_MSG_RESULT([not found])
|
||||
ifelse([$4],,
|
||||
[AC_MSG_ERROR([could not find ifelse([$2],,[$1],[$2]) in XML catalog])],
|
||||
[$4])
|
||||
fi
|
||||
])
|
||||
Executable
+12
@@ -0,0 +1,12 @@
|
||||
#! /bin/sh
|
||||
|
||||
autoreconf -v -f --install || exit 1
|
||||
|
||||
./configure \
|
||||
CFLAGS="-O2 -Wall" \
|
||||
--enable-man \
|
||||
--enable-maintainer-mode \
|
||||
--disable-shared \
|
||||
--without-libpam \
|
||||
--with-selinux \
|
||||
"$@"
|
||||
+682
@@ -0,0 +1,682 @@
|
||||
dnl Process this file with autoconf to produce a configure script.
|
||||
AC_PREREQ([2.64])
|
||||
AC_INIT([shadow], [4.5], [pkg-shadow-devel@lists.alioth.debian.org], [],
|
||||
[https://github.com/shadow-maint/shadow])
|
||||
AM_INIT_AUTOMAKE([1.11 foreign dist-xz])
|
||||
AM_SILENT_RULES([yes])
|
||||
AC_CONFIG_HEADERS([config.h])
|
||||
|
||||
dnl Some hacks...
|
||||
test "$prefix" = "NONE" && prefix="/usr"
|
||||
test "$prefix" = "/usr" && exec_prefix=""
|
||||
|
||||
AC_GNU_SOURCE
|
||||
|
||||
AM_DISABLE_SHARED
|
||||
AM_ENABLE_STATIC
|
||||
|
||||
AM_MAINTAINER_MODE
|
||||
|
||||
dnl Checks for programs.
|
||||
AC_PROG_CC
|
||||
AC_ISC_POSIX
|
||||
AC_PROG_LN_S
|
||||
AC_PROG_YACC
|
||||
AM_PROG_LIBTOOL
|
||||
|
||||
dnl Checks for libraries.
|
||||
|
||||
dnl Checks for header files.
|
||||
AC_HEADER_DIRENT
|
||||
AC_HEADER_STDC
|
||||
AC_HEADER_SYS_WAIT
|
||||
AC_HEADER_STDBOOL
|
||||
|
||||
AC_CHECK_HEADERS(errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \
|
||||
utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h paths.h \
|
||||
utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \
|
||||
locale.h rpc/key_prot.h netdb.h acl/libacl.h attr/libattr.h \
|
||||
attr/error_context.h)
|
||||
|
||||
dnl shadow now uses the libc's shadow implementation
|
||||
AC_CHECK_HEADER([shadow.h],,[AC_MSG_ERROR([You need a libc with shadow.h])])
|
||||
|
||||
AC_CHECK_FUNCS(l64a fchmod fchown fsync futimes getgroups gethostname getspnam \
|
||||
gettimeofday getusershell getutent initgroups lchown lckpwdf lstat \
|
||||
lutimes memcpy memset setgroups sigaction strchr updwtmp updwtmpx innetgr \
|
||||
getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r getaddrinfo \
|
||||
ruserok)
|
||||
AC_SYS_LARGEFILE
|
||||
|
||||
dnl Checks for typedefs, structures, and compiler characteristics.
|
||||
AC_C_CONST
|
||||
AC_TYPE_UID_T
|
||||
AC_TYPE_OFF_T
|
||||
AC_TYPE_PID_T
|
||||
AC_TYPE_MODE_T
|
||||
AC_HEADER_STAT
|
||||
AC_CHECK_MEMBERS([struct stat.st_rdev])
|
||||
AC_CHECK_MEMBERS([struct stat.st_atim])
|
||||
AC_CHECK_MEMBERS([struct stat.st_atimensec])
|
||||
AC_CHECK_MEMBERS([struct stat.st_mtim])
|
||||
AC_CHECK_MEMBERS([struct stat.st_mtimensec])
|
||||
AC_HEADER_TIME
|
||||
AC_STRUCT_TM
|
||||
|
||||
AC_CHECK_MEMBERS([struct utmp.ut_type,
|
||||
struct utmp.ut_id,
|
||||
struct utmp.ut_name,
|
||||
struct utmp.ut_user,
|
||||
struct utmp.ut_host,
|
||||
struct utmp.ut_syslen,
|
||||
struct utmp.ut_addr,
|
||||
struct utmp.ut_addr_v6,
|
||||
struct utmp.ut_time,
|
||||
struct utmp.ut_xtime,
|
||||
struct utmp.ut_tv],,,[[#include <utmp.h>]])
|
||||
dnl There are dependencies:
|
||||
dnl If UTMPX has to be used, the utmp structure shall have a ut_id field.
|
||||
if test "$ac_cv_header_utmpx_h" = "yes" &&
|
||||
test "$ac_cv_member_struct_utmp_ut_id" != "yes"; then
|
||||
AC_MSG_ERROR(Systems with UTMPX and no ut_id field in the utmp structure are not supported)
|
||||
fi
|
||||
|
||||
AC_CHECK_MEMBERS([struct utmpx.ut_name,
|
||||
struct utmpx.ut_host,
|
||||
struct utmpx.ut_syslen,
|
||||
struct utmpx.ut_addr,
|
||||
struct utmpx.ut_addr_v6,
|
||||
struct utmpx.ut_time,
|
||||
struct utmpx.ut_xtime],,,[[#include <utmpx.h>]])
|
||||
|
||||
if test "$ac_cv_header_lastlog_h" = "yes"; then
|
||||
AC_CACHE_CHECK(for ll_host in struct lastlog,
|
||||
ac_cv_struct_lastlog_ll_host,
|
||||
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include <lastlog.h>],
|
||||
[struct lastlog ll; char *cp = ll.ll_host;]
|
||||
)],
|
||||
[ac_cv_struct_lastlog_ll_host=yes],
|
||||
[ac_cv_struct_lastlog_ll_host=no]
|
||||
)
|
||||
)
|
||||
|
||||
if test "$ac_cv_struct_lastlog_ll_host" = "yes"; then
|
||||
AC_DEFINE(HAVE_LL_HOST, 1,
|
||||
[Define if struct lastlog has ll_host])
|
||||
fi
|
||||
fi
|
||||
|
||||
dnl Checks for library functions.
|
||||
AC_TYPE_GETGROUPS
|
||||
AC_TYPE_SIGNAL
|
||||
AC_FUNC_UTIME_NULL
|
||||
AC_FUNC_STRFTIME
|
||||
AC_REPLACE_FUNCS(mkdir putgrent putpwent putspent rename rmdir)
|
||||
AC_REPLACE_FUNCS(sgetgrent sgetpwent sgetspent)
|
||||
AC_REPLACE_FUNCS(snprintf strcasecmp strdup strerror strstr)
|
||||
|
||||
AC_CHECK_FUNC(setpgrp)
|
||||
|
||||
if test "$ac_cv_header_shadow_h" = "yes"; then
|
||||
AC_CACHE_CHECK(for working shadow group support,
|
||||
ac_cv_libc_shadowgrp,
|
||||
AC_RUN_IFELSE([AC_LANG_SOURCE([
|
||||
#include <shadow.h>
|
||||
main()
|
||||
{
|
||||
struct sgrp *sg = sgetsgent("test:x::");
|
||||
/* NYS libc on Red Hat 3.0.3 has broken shadow group support */
|
||||
return !sg || !sg->sg_adm || !sg->sg_mem;
|
||||
}]
|
||||
)],
|
||||
[ac_cv_libc_shadowgrp=yes],
|
||||
[ac_cv_libc_shadowgrp=no],
|
||||
[ac_cv_libc_shadowgrp=no]
|
||||
)
|
||||
)
|
||||
|
||||
if test "$ac_cv_libc_shadowgrp" = "yes"; then
|
||||
AC_DEFINE(HAVE_SHADOWGRP, 1, [Have working shadow group support in libc])
|
||||
fi
|
||||
fi
|
||||
|
||||
AC_CACHE_CHECK([location of shared mail directory], shadow_cv_maildir,
|
||||
[for shadow_cv_maildir in /var/mail /var/spool/mail /usr/spool/mail /usr/mail none; do
|
||||
if test -d $shadow_cv_maildir; then
|
||||
break
|
||||
fi
|
||||
done])
|
||||
if test $shadow_cv_maildir != none; then
|
||||
AC_DEFINE_UNQUOTED(MAIL_SPOOL_DIR, "$shadow_cv_maildir",
|
||||
[Location of system mail spool directory.])
|
||||
fi
|
||||
|
||||
AC_CACHE_CHECK([location of user mail file], shadow_cv_mailfile,
|
||||
[for shadow_cv_mailfile in Mailbox mailbox Mail mail .mail none; do
|
||||
if test -f $HOME/$shadow_cv_mailfile; then
|
||||
break
|
||||
fi
|
||||
done])
|
||||
if test $shadow_cv_mailfile != none; then
|
||||
AC_DEFINE_UNQUOTED(MAIL_SPOOL_FILE, "$shadow_cv_mailfile",
|
||||
[Name of user's mail spool file if stored in user's home directory.])
|
||||
fi
|
||||
|
||||
AC_CACHE_CHECK([location of utmp], shadow_cv_utmpdir,
|
||||
[for shadow_cv_utmpdir in /var/run /var/adm /usr/adm /etc none; do
|
||||
if test -f $shadow_cv_utmpdir/utmp; then
|
||||
break
|
||||
fi
|
||||
done])
|
||||
if test "$shadow_cv_utmpdir" = "none"; then
|
||||
AC_MSG_WARN(utmp file not found)
|
||||
fi
|
||||
AC_DEFINE_UNQUOTED(_UTMP_FILE, "$shadow_cv_utmpdir/utmp",
|
||||
[Path for utmp file.])
|
||||
|
||||
AC_CACHE_CHECK([location of faillog/lastlog/wtmp], shadow_cv_logdir,
|
||||
[for shadow_cv_logdir in /var/log /var/adm /usr/adm /etc; do
|
||||
if test -d $shadow_cv_logdir; then
|
||||
break
|
||||
fi
|
||||
done])
|
||||
AC_DEFINE_UNQUOTED(_WTMP_FILE, "$shadow_cv_logdir/wtmp",
|
||||
[Path for wtmp file.])
|
||||
AC_DEFINE_UNQUOTED(LASTLOG_FILE, "$shadow_cv_logdir/lastlog",
|
||||
[Path for lastlog file.])
|
||||
AC_DEFINE_UNQUOTED(FAILLOG_FILE, "$shadow_cv_logdir/faillog",
|
||||
[Path for faillog file.])
|
||||
|
||||
AC_CACHE_CHECK([location of the passwd program], shadow_cv_passwd_dir,
|
||||
[if test -f /usr/bin/passwd; then
|
||||
shadow_cv_passwd_dir=/usr/bin
|
||||
else
|
||||
shadow_cv_passwd_dir=/bin
|
||||
fi])
|
||||
AC_DEFINE_UNQUOTED(PASSWD_PROGRAM, "$shadow_cv_passwd_dir/passwd",
|
||||
[Path to passwd program.])
|
||||
|
||||
dnl XXX - quick hack, should disappear before anyone notices :).
|
||||
AC_DEFINE(USE_SYSLOG, 1, [Define to use syslog().])
|
||||
if test "$ac_cv_func_ruserok" = "yes"; then
|
||||
AC_DEFINE(RLOGIN, 1, [Define if login should support the -r flag for rlogind.])
|
||||
AC_DEFINE(RUSEROK, 0, [Define to the ruserok() "success" return value (0 or 1).])
|
||||
fi
|
||||
|
||||
AC_ARG_ENABLE(shadowgrp,
|
||||
[AC_HELP_STRING([--enable-shadowgrp], [enable shadow group support @<:@default=yes@:>@])],
|
||||
[case "${enableval}" in
|
||||
yes) enable_shadowgrp="yes" ;;
|
||||
no) enable_shadowgrp="no" ;;
|
||||
*) AC_MSG_ERROR(bad value ${enableval} for --enable-shadowgrp) ;;
|
||||
esac],
|
||||
[enable_shadowgrp="yes"]
|
||||
)
|
||||
|
||||
AC_ARG_ENABLE(man,
|
||||
[AC_HELP_STRING([--enable-man],
|
||||
[regenerate roff man pages from Docbook @<:@default=no@:>@])],
|
||||
[enable_man="${enableval}"],
|
||||
[enable_man="no"]
|
||||
)
|
||||
|
||||
AC_ARG_ENABLE(account-tools-setuid,
|
||||
[AC_HELP_STRING([--enable-account-tools-setuid],
|
||||
[Install the user and group management tools setuid and authenticate the callers. This requires --with-pam.])],
|
||||
[case "${enableval}" in
|
||||
yes) enable_acct_tools_setuid="yes" ;;
|
||||
no) enable_acct_tools_setuid="no" ;;
|
||||
*) AC_MSG_ERROR(bad value ${enableval} for --enable-account-tools-setuid)
|
||||
;;
|
||||
esac],
|
||||
[enable_acct_tools_setuid="maybe"]
|
||||
)
|
||||
|
||||
AC_ARG_ENABLE(utmpx,
|
||||
[AC_HELP_STRING([--enable-utmpx],
|
||||
[enable loggin in utmpx / wtmpx @<:@default=no@:>@])],
|
||||
[case "${enableval}" in
|
||||
yes) enable_utmpx="yes" ;;
|
||||
no) enable_utmpx="no" ;;
|
||||
*) AC_MSG_ERROR(bad value ${enableval} for --enable-utmpx) ;;
|
||||
esac],
|
||||
[enable_utmpx="no"]
|
||||
)
|
||||
|
||||
AC_ARG_ENABLE(subordinate-ids,
|
||||
[AC_HELP_STRING([--enable-subordinate-ids],
|
||||
[support subordinate ids @<:@default=yes@:>@])],
|
||||
[enable_subids="${enableval}"],
|
||||
[enable_subids="maybe"]
|
||||
)
|
||||
|
||||
AC_ARG_WITH(audit,
|
||||
[AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])],
|
||||
[with_audit=$withval], [with_audit=maybe])
|
||||
AC_ARG_WITH(libpam,
|
||||
[AC_HELP_STRING([--with-libpam], [use libpam for PAM support @<:@default=yes if found@:>@])],
|
||||
[with_libpam=$withval], [with_libpam=maybe])
|
||||
AC_ARG_WITH(selinux,
|
||||
[AC_HELP_STRING([--with-selinux], [use SELinux support @<:@default=yes if found@:>@])],
|
||||
[with_selinux=$withval], [with_selinux=maybe])
|
||||
AC_ARG_WITH(acl,
|
||||
[AC_HELP_STRING([--with-acl], [use ACL support @<:@default=yes if found@:>@])],
|
||||
[with_acl=$withval], [with_acl=maybe])
|
||||
AC_ARG_WITH(attr,
|
||||
[AC_HELP_STRING([--with-attr], [use Extended Attribute support @<:@default=yes if found@:>@])],
|
||||
[with_attr=$withval], [with_attr=maybe])
|
||||
AC_ARG_WITH(skey,
|
||||
[AC_HELP_STRING([--with-skey], [use S/Key support @<:@default=no@:>@])],
|
||||
[with_skey=$withval], [with_skey=no])
|
||||
AC_ARG_WITH(tcb,
|
||||
[AC_HELP_STRING([--with-tcb], [use tcb support (incomplete) @<:@default=yes if found@:>@])],
|
||||
[with_tcb=$withval], [with_tcb=maybe])
|
||||
AC_ARG_WITH(libcrack,
|
||||
[AC_HELP_STRING([--with-libcrack], [use libcrack @<:@default=no@:>@])],
|
||||
[with_libcrack=$withval], [with_libcrack=no])
|
||||
AC_ARG_WITH(sha-crypt,
|
||||
[AC_HELP_STRING([--with-sha-crypt], [allow the SHA256 and SHA512 password encryption algorithms @<:@default=yes@:>@])],
|
||||
[with_sha_crypt=$withval], [with_sha_crypt=yes])
|
||||
AC_ARG_WITH(nscd,
|
||||
[AC_HELP_STRING([--with-nscd], [enable support for nscd @<:@default=yes@:>@])],
|
||||
[with_nscd=$withval], [with_nscd=yes])
|
||||
AC_ARG_WITH(group-name-max-length,
|
||||
[AC_HELP_STRING([--with-group-name-max-length], [set max group name length @<:@default=16@:>@])],
|
||||
[with_group_name_max_length=$withval], [with_group_name_max_length=yes])
|
||||
|
||||
if test "$with_group_name_max_length" = "no" ; then
|
||||
with_group_name_max_length=0
|
||||
elif test "$with_group_name_max_length" = "yes" ; then
|
||||
with_group_name_max_length=16
|
||||
fi
|
||||
AC_DEFINE_UNQUOTED(GROUP_NAME_MAX_LENGTH, $with_group_name_max_length, [max group name length])
|
||||
AC_SUBST(GROUP_NAME_MAX_LENGTH)
|
||||
GROUP_NAME_MAX_LENGTH="$with_group_name_max_length"
|
||||
|
||||
AM_CONDITIONAL(USE_SHA_CRYPT, test "x$with_sha_crypt" = "xyes")
|
||||
if test "$with_sha_crypt" = "yes"; then
|
||||
AC_DEFINE(USE_SHA_CRYPT, 1, [Define to allow the SHA256 and SHA512 password encryption algorithms])
|
||||
fi
|
||||
|
||||
if test "$with_nscd" = "yes"; then
|
||||
AC_CHECK_FUNC(posix_spawn,
|
||||
[AC_DEFINE(USE_NSCD, 1, [Define to support flushing of nscd caches])],
|
||||
[AC_MSG_ERROR([posix_spawn is needed for nscd support])])
|
||||
fi
|
||||
|
||||
dnl Check for some functions in libc first, only if not found check for
|
||||
dnl other libraries. This should prevent linking libnsl if not really
|
||||
dnl needed (Linux glibc, Irix), but still link it if needed (Solaris).
|
||||
|
||||
AC_SEARCH_LIBS(inet_ntoa, inet)
|
||||
AC_SEARCH_LIBS(socket, socket)
|
||||
AC_SEARCH_LIBS(gethostbyname, nsl)
|
||||
|
||||
if test "$enable_shadowgrp" = "yes"; then
|
||||
AC_DEFINE(SHADOWGRP, 1, [Define to support the shadow group file.])
|
||||
fi
|
||||
AM_CONDITIONAL(SHADOWGRP, test "x$enable_shadowgrp" = "xyes")
|
||||
|
||||
if test "$enable_man" = "yes"; then
|
||||
dnl
|
||||
dnl Check for xsltproc
|
||||
dnl
|
||||
AC_PATH_PROG([XSLTPROC], [xsltproc])
|
||||
if test -z "$XSLTPROC"; then
|
||||
enable_man=no
|
||||
fi
|
||||
|
||||
dnl check for DocBook DTD and stylesheets in the local catalog.
|
||||
JH_CHECK_XML_CATALOG([-//OASIS//DTD DocBook XML V4.1.2//EN],
|
||||
[DocBook XML DTD V4.1.2], [], enable_man=no)
|
||||
JH_CHECK_XML_CATALOG([http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl],
|
||||
[DocBook XSL Stylesheets >= 1.70.1], [], enable_man=no)
|
||||
fi
|
||||
AM_CONDITIONAL(ENABLE_REGENERATE_MAN, test "x$enable_man" != "xno")
|
||||
|
||||
if test "$enable_subids" != "no"; then
|
||||
dnl
|
||||
dnl FIXME: check if 32 bit UIDs/GIDs are supported by libc
|
||||
dnl
|
||||
AC_CHECK_SIZEOF([uid_t],, [#include "sys/types.h"])
|
||||
AC_CHECK_SIZEOF([gid_t],, [#include "sys/types.h"])
|
||||
|
||||
if test "$ac_cv_sizeof_uid_t" -ge 4 && test "$ac_cv_sizeof_gid_t" -ge 4; then
|
||||
AC_DEFINE(ENABLE_SUBIDS, 1, [Define to support the subordinate IDs.])
|
||||
enable_subids="yes"
|
||||
else
|
||||
if test "x$enable_subids" = "xyes"; then
|
||||
AC_MSG_ERROR([Cannot enable support the subordinate IDs on systems where gid_t or uid_t has less than 32 bits])
|
||||
fi
|
||||
enable_subids="no"
|
||||
fi
|
||||
fi
|
||||
AM_CONDITIONAL(ENABLE_SUBIDS, test "x$enable_subids" != "xno")
|
||||
|
||||
AC_SUBST(LIBCRYPT)
|
||||
AC_CHECK_LIB(crypt, crypt, [LIBCRYPT=-lcrypt],
|
||||
[AC_MSG_ERROR([crypt() not found])])
|
||||
|
||||
AC_SUBST(LIBACL)
|
||||
if test "$with_acl" != "no"; then
|
||||
AC_CHECK_HEADERS(acl/libacl.h attr/error_context.h, [acl_header="yes"], [acl_header="no"])
|
||||
if test "$acl_header$with_acl" = "noyes" ; then
|
||||
AC_MSG_ERROR([acl/libacl.h or attr/error_context.h is missing])
|
||||
elif test "$acl_header" = "yes" ; then
|
||||
AC_CHECK_LIB(acl, perm_copy_file,
|
||||
[AC_CHECK_LIB(acl, perm_copy_fd,
|
||||
[acl_lib="yes"],
|
||||
[acl_lib="no"])],
|
||||
[acl_lib="no"])
|
||||
if test "$acl_lib$with_acl" = "noyes" ; then
|
||||
AC_MSG_ERROR([libacl not found])
|
||||
elif test "$acl_lib" = "no" ; then
|
||||
with_acl="no"
|
||||
else
|
||||
AC_DEFINE(WITH_ACL, 1,
|
||||
[Build shadow with ACL support])
|
||||
LIBACL="-lacl"
|
||||
with_acl="yes"
|
||||
fi
|
||||
else
|
||||
with_acl="no"
|
||||
fi
|
||||
fi
|
||||
|
||||
AC_SUBST(LIBATTR)
|
||||
if test "$with_attr" != "no"; then
|
||||
AC_CHECK_HEADERS(attr/libattr.h attr/error_context.h, [attr_header="yes"], [attr_header="no"])
|
||||
if test "$attr_header$with_attr" = "noyes" ; then
|
||||
AC_MSG_ERROR([attr/libattr.h or attr/error_context.h is missing])
|
||||
elif test "$attr_header" = "yes" ; then
|
||||
AC_CHECK_LIB(attr, attr_copy_file,
|
||||
[AC_CHECK_LIB(attr, attr_copy_fd,
|
||||
[attr_lib="yes"],
|
||||
[attr_lib="no"])],
|
||||
[attr_lib="no"])
|
||||
if test "$attr_lib$with_attr" = "noyes" ; then
|
||||
AC_MSG_ERROR([libattr not found])
|
||||
elif test "$attr_lib" = "no" ; then
|
||||
with_attr="no"
|
||||
else
|
||||
AC_DEFINE(WITH_ATTR, 1,
|
||||
[Build shadow with Extended Attributes support])
|
||||
LIBATTR="-lattr"
|
||||
with_attr="yes"
|
||||
fi
|
||||
else
|
||||
with_attr="no"
|
||||
fi
|
||||
fi
|
||||
|
||||
AC_SUBST(LIBAUDIT)
|
||||
if test "$with_audit" != "no"; then
|
||||
AC_CHECK_HEADER(libaudit.h, [audit_header="yes"], [audit_header="no"])
|
||||
if test "$audit_header$with_audit" = "noyes" ; then
|
||||
AC_MSG_ERROR([libaudit.h is missing])
|
||||
elif test "$audit_header" = "yes"; then
|
||||
AC_CHECK_DECL(AUDIT_ADD_USER,,[audit_header="no"],[#include <libaudit.h>])
|
||||
AC_CHECK_DECL(AUDIT_DEL_USER,,[audit_header="no"],[#include <libaudit.h>])
|
||||
AC_CHECK_DECL(AUDIT_ADD_GROUP,,[audit_header="no"],[#include <libaudit.h>])
|
||||
AC_CHECK_DECL(AUDIT_DEL_GROUP,,[audit_header="no"],[#include <libaudit.h>])
|
||||
if test "$audit_header$with_audit" = "noyes" ; then
|
||||
AC_MSG_ERROR([AUDIT_ADD_USER AUDIT_DEL_USER AUDIT_ADD_GROUP or AUDIT_DEL_GROUP missing from libaudit.h])
|
||||
fi
|
||||
fi
|
||||
if test "$audit_header" = "yes"; then
|
||||
AC_CHECK_LIB(audit, audit_log_acct_message,
|
||||
[audit_lib="yes"], [audit_lib="no"])
|
||||
if test "$audit_lib$with_audit" = "noyes" ; then
|
||||
AC_MSG_ERROR([libaudit not found])
|
||||
elif test "$audit_lib" = "no" ; then
|
||||
with_audit="no"
|
||||
else
|
||||
AC_DEFINE(WITH_AUDIT, 1,
|
||||
[Define if you want to enable Audit messages])
|
||||
LIBAUDIT="-laudit"
|
||||
with_audit="yes"
|
||||
fi
|
||||
else
|
||||
with_audit="no"
|
||||
fi
|
||||
fi
|
||||
|
||||
AC_SUBST(LIBCRACK)
|
||||
if test "$with_libcrack" = "yes"; then
|
||||
echo "checking cracklib flavour, don't be surprised by the results"
|
||||
AC_CHECK_LIB(crack, FascistCheck,
|
||||
[LIBCRACK=-lcrack AC_DEFINE(HAVE_LIBCRACK, 1, [Defined if you have libcrack.])])
|
||||
AC_CHECK_LIB(crack, FascistHistory,
|
||||
AC_DEFINE(HAVE_LIBCRACK_HIST, 1, [Defined if you have the ts&szs cracklib.]))
|
||||
AC_CHECK_LIB(crack, FascistHistoryPw,
|
||||
AC_DEFINE(HAVE_LIBCRACK_PW, 1, [Defined if it includes *Pw functions.]))
|
||||
fi
|
||||
|
||||
AC_SUBST(LIBSELINUX)
|
||||
AC_SUBST(LIBSEMANAGE)
|
||||
if test "$with_selinux" != "no"; then
|
||||
AC_CHECK_HEADERS(selinux/selinux.h, [selinux_header="yes"], [selinux_header="no"])
|
||||
if test "$selinux_header$with_selinux" = "noyes" ; then
|
||||
AC_MSG_ERROR([selinux/selinux.h is missing])
|
||||
fi
|
||||
|
||||
AC_CHECK_HEADERS(semanage/semanage.h, [semanage_header="yes"], [semanage_header="no"])
|
||||
if test "$semanage_header$with_selinux" = "noyes" ; then
|
||||
AC_MSG_ERROR([semanage/semanage.h is missing])
|
||||
fi
|
||||
|
||||
if test "$selinux_header$semanage_header" = "yesyes" ; then
|
||||
AC_CHECK_LIB(selinux, is_selinux_enabled, [selinux_lib="yes"], [selinux_lib="no"])
|
||||
if test "$selinux_lib$with_selinux" = "noyes" ; then
|
||||
AC_MSG_ERROR([libselinux not found])
|
||||
fi
|
||||
|
||||
AC_CHECK_LIB(semanage, semanage_connect, [semanage_lib="yes"], [semanage_lib="no"])
|
||||
if test "$semanage_lib$with_selinux" = "noyes" ; then
|
||||
AC_MSG_ERROR([libsemanage not found])
|
||||
fi
|
||||
|
||||
if test "$selinux_lib$semanage_lib" == "yesyes" ; then
|
||||
AC_DEFINE(WITH_SELINUX, 1,
|
||||
[Build shadow with SELinux support])
|
||||
LIBSELINUX="-lselinux"
|
||||
LIBSEMANAGE="-lsemanage"
|
||||
with_selinux="yes"
|
||||
else
|
||||
with_selinux="no"
|
||||
fi
|
||||
else
|
||||
with_selinux="no"
|
||||
fi
|
||||
fi
|
||||
|
||||
AC_SUBST(LIBTCB)
|
||||
if test "$with_tcb" != "no"; then
|
||||
AC_CHECK_HEADERS(tcb.h, [tcb_header="yes"], [tcb_header="no"])
|
||||
if test "$tcb_header$with_tcb" = "noyes" ; then
|
||||
AC_MSG_ERROR([tcb.h is missing])
|
||||
elif test "$tcb_header" = "yes" ; then
|
||||
AC_CHECK_LIB(tcb, tcb_is_suspect, [tcb_lib="yes"], [tcb_lib="no"])
|
||||
if test "$tcb_lib$with_tcb" = "noyes" ; then
|
||||
AC_MSG_ERROR([libtcb not found])
|
||||
elif test "$tcb_lib" = "no" ; then
|
||||
with_tcb="no"
|
||||
else
|
||||
AC_DEFINE(WITH_TCB, 1, [Build shadow with tcb support (incomplete)])
|
||||
LIBTCB="-ltcb"
|
||||
with_tcb="yes"
|
||||
fi
|
||||
else
|
||||
with_tcb="no"
|
||||
fi
|
||||
fi
|
||||
AM_CONDITIONAL(WITH_TCB, test x$with_tcb = xyes)
|
||||
|
||||
AC_SUBST(LIBPAM)
|
||||
if test "$with_libpam" != "no"; then
|
||||
AC_CHECK_LIB(pam, pam_start,
|
||||
[pam_lib="yes"], [pam_lib="no"])
|
||||
if test "$pam_lib$with_libpam" = "noyes" ; then
|
||||
AC_MSG_ERROR(libpam not found)
|
||||
fi
|
||||
|
||||
LIBPAM="-lpam"
|
||||
pam_conv_function="no"
|
||||
|
||||
AC_CHECK_LIB(pam, openpam_ttyconv,
|
||||
[pam_conv_function="openpam_ttyconv"],
|
||||
AC_CHECK_LIB(pam_misc, misc_conv,
|
||||
[pam_conv_function="misc_conv"; LIBPAM="$LIBPAM -lpam_misc"])
|
||||
)
|
||||
|
||||
if test "$pam_conv_function$with_libpam" = "noyes" ; then
|
||||
AC_MSG_ERROR(PAM conversation function not found)
|
||||
fi
|
||||
|
||||
pam_headers_found=no
|
||||
AC_CHECK_HEADERS( [security/openpam.h security/pam_misc.h],
|
||||
[ pam_headers_found=yes ; break ], [],
|
||||
[ #include <security/pam_appl.h> ] )
|
||||
if test "$pam_headers_found$with_libpam" = "noyes" ; then
|
||||
AC_MSG_ERROR(PAM headers not found)
|
||||
fi
|
||||
|
||||
|
||||
if test "$pam_lib$pam_headers_found" = "yesyes" -a "$pam_conv_function" != "no" ; then
|
||||
with_libpam="yes"
|
||||
else
|
||||
with_libpam="no"
|
||||
unset LIBPAM
|
||||
fi
|
||||
fi
|
||||
dnl Now with_libpam is either yes or no
|
||||
if test "$with_libpam" = "yes"; then
|
||||
AC_CHECK_DECLS([PAM_ESTABLISH_CRED,
|
||||
PAM_DELETE_CRED,
|
||||
PAM_NEW_AUTHTOK_REQD,
|
||||
PAM_DATA_SILENT],
|
||||
[], [], [#include <security/pam_appl.h>])
|
||||
|
||||
|
||||
save_libs=$LIBS
|
||||
LIBS="$LIBS $LIBPAM"
|
||||
# We do not use AC_CHECK_FUNCS to avoid duplicated definition with
|
||||
# Linux PAM.
|
||||
AC_CHECK_FUNC(pam_fail_delay, [AC_DEFINE(HAS_PAM_FAIL_DELAY, 1, [Define to 1 if you have the declaration of 'pam_fail_delay'])])
|
||||
LIBS=$save_libs
|
||||
|
||||
AC_DEFINE(USE_PAM, 1, [Define to support Pluggable Authentication Modules])
|
||||
AC_DEFINE_UNQUOTED(SHADOW_PAM_CONVERSATION, [$pam_conv_function],[PAM converstation to use])
|
||||
AM_CONDITIONAL(USE_PAM, [true])
|
||||
|
||||
AC_MSG_CHECKING(use login and su access checking if PAM not used)
|
||||
AC_MSG_RESULT(no)
|
||||
else
|
||||
AC_DEFINE(SU_ACCESS, 1, [Define to support /etc/suauth su access control.])
|
||||
AM_CONDITIONAL(USE_PAM, [false])
|
||||
AC_MSG_CHECKING(use login and su access checking if PAM not used)
|
||||
AC_MSG_RESULT(yes)
|
||||
fi
|
||||
|
||||
if test "$enable_acct_tools_setuid" != "no"; then
|
||||
if test "$with_libpam" != "yes"; then
|
||||
if test "$enable_acct_tools_setuid" = "yes"; then
|
||||
AC_MSG_ERROR(PAM support is required for --enable-account-tools-setuid)
|
||||
else
|
||||
enable_acct_tools_setuid="no"
|
||||
fi
|
||||
else
|
||||
enable_acct_tools_setuid="yes"
|
||||
fi
|
||||
if test "$enable_acct_tools_setuid" = "yes"; then
|
||||
AC_DEFINE(ACCT_TOOLS_SETUID,
|
||||
1,
|
||||
[Define if account management tools should be installed setuid and authenticate the callers])
|
||||
fi
|
||||
fi
|
||||
AM_CONDITIONAL(ACCT_TOOLS_SETUID, test "x$enable_acct_tools_setuid" = "xyes")
|
||||
|
||||
AC_SUBST(LIBSKEY)
|
||||
AC_SUBST(LIBMD)
|
||||
if test "$with_skey" = "yes"; then
|
||||
AC_CHECK_LIB(md, MD5Init, [LIBMD=-lmd])
|
||||
AC_CHECK_LIB(skey, skeychallenge, [LIBSKEY=-lskey],
|
||||
[AC_MSG_ERROR([liskey missing. You can download S/Key source code from http://rsync1.it.gentoo.org/gentoo/distfiles/skey-1.1.5.tar.bz2])])
|
||||
AC_DEFINE(SKEY, 1, [Define to support S/Key logins.])
|
||||
AC_TRY_COMPILE([
|
||||
#include <stdio.h>
|
||||
#include <skey.h>
|
||||
],[
|
||||
skeychallenge((void*)0, (void*)0, (void*)0, 0);
|
||||
],[AC_DEFINE(SKEY_BSD_STYLE, 1, [Define to support newer BSD S/Key API])])
|
||||
fi
|
||||
|
||||
if test "$enable_utmpx" = "yes"; then
|
||||
if test "$ac_cv_header_utmpx_h" != "yes"; then
|
||||
AC_MSG_ERROR([The utmpx.h header file is required for utmpx support.])
|
||||
fi
|
||||
AC_DEFINE(USE_UTMPX,
|
||||
1,
|
||||
[Define if utmpx should be used])
|
||||
fi
|
||||
|
||||
AC_DEFINE_UNQUOTED(SHELL, ["$SHELL"], [The default shell.])
|
||||
|
||||
AM_GNU_GETTEXT_VERSION(0.16)
|
||||
AM_GNU_GETTEXT([external], [need-ngettext])
|
||||
AM_CONDITIONAL(USE_NLS, test "x$USE_NLS" = "xyes")
|
||||
|
||||
AC_CONFIG_FILES([
|
||||
Makefile
|
||||
po/Makefile.in
|
||||
doc/Makefile
|
||||
man/Makefile
|
||||
man/config.xml
|
||||
man/po/Makefile
|
||||
man/cs/Makefile
|
||||
man/da/Makefile
|
||||
man/de/Makefile
|
||||
man/es/Makefile
|
||||
man/fi/Makefile
|
||||
man/fr/Makefile
|
||||
man/hu/Makefile
|
||||
man/id/Makefile
|
||||
man/it/Makefile
|
||||
man/ja/Makefile
|
||||
man/ko/Makefile
|
||||
man/pl/Makefile
|
||||
man/pt_BR/Makefile
|
||||
man/ru/Makefile
|
||||
man/sv/Makefile
|
||||
man/tr/Makefile
|
||||
man/zh_CN/Makefile
|
||||
man/zh_TW/Makefile
|
||||
libmisc/Makefile
|
||||
lib/Makefile
|
||||
src/Makefile
|
||||
contrib/Makefile
|
||||
etc/Makefile
|
||||
etc/pam.d/Makefile
|
||||
shadow.spec
|
||||
])
|
||||
AC_OUTPUT
|
||||
|
||||
echo
|
||||
echo "shadow will be compiled with the following features:"
|
||||
echo
|
||||
echo " auditing support: $with_audit"
|
||||
echo " CrackLib support: $with_libcrack"
|
||||
echo " PAM support: $with_libpam"
|
||||
if test "$with_libpam" = "yes"; then
|
||||
echo " suid account management tools: $enable_acct_tools_setuid"
|
||||
fi
|
||||
echo " SELinux support: $with_selinux"
|
||||
echo " ACL support: $with_acl"
|
||||
echo " Extended Attributes support: $with_attr"
|
||||
echo " tcb support (incomplete): $with_tcb"
|
||||
echo " shadow group support: $enable_shadowgrp"
|
||||
echo " S/Key support: $with_skey"
|
||||
echo " SHA passwords encryption: $with_sha_crypt"
|
||||
echo " nscd support: $with_nscd"
|
||||
echo " subordinate IDs support: $enable_subids"
|
||||
echo
|
||||
@@ -0,0 +1,6 @@
|
||||
# This is a dummy Makefile.am to get automake work flawlessly,
|
||||
# and also cooperate to make a distribution for `make dist'
|
||||
|
||||
EXTRA_DIST = README adduser.c adduser-old.c adduser.sh adduser2.sh \
|
||||
atudel groupmems.shar pwdauth.c shadow-anonftp.patch \
|
||||
udbachk.tgz
|
||||
@@ -0,0 +1,10 @@
|
||||
People keep sending various adduser programs and scripts... They are
|
||||
all in this directory. I haven't tested them, use at your own risk.
|
||||
Anyway, the best one I've seen so far is adduser-3.x from Debian.
|
||||
|
||||
atudel is a perl script to remove at jobs owned by the specified user
|
||||
(atrm in at-2.9 for Linux can't do that).
|
||||
|
||||
udbachk.tgz is a passwd/group/shadow file integrity checker.
|
||||
|
||||
--marekm
|
||||
@@ -0,0 +1,300 @@
|
||||
/****
|
||||
** 03/17/96
|
||||
** hacked a bit more, removed unused code, cleaned up for gcc -Wall.
|
||||
** --marekm
|
||||
**
|
||||
** 02/26/96
|
||||
** modified to call shadow utils (useradd,chage,passwd) on shadowed
|
||||
** systems - Cristian Gafton, gafton@sorosis.ro
|
||||
**
|
||||
** 6/27/95
|
||||
** shadow-adduser 1.4:
|
||||
**
|
||||
** now it copies the /etc/skel dir into the person's dir,
|
||||
** makes the mail folders, changed some defaults and made a 'make
|
||||
** install' just for the hell of it.
|
||||
**
|
||||
** Greg Gallagher
|
||||
** CIN.Net
|
||||
**
|
||||
** 1/28/95
|
||||
** shadow-adduser 1.3:
|
||||
**
|
||||
** Basically a bug-fix on my additions in 1.2. Thanx to Terry Stewart
|
||||
** (stew@texas.net) for pointing out one of the many idiotic bugs I introduced.
|
||||
** It was such a stupid bug that I would have never seen it myself.
|
||||
**
|
||||
** Brandon
|
||||
*****
|
||||
** 01/27/95
|
||||
**
|
||||
** shadow-adduser 1.2:
|
||||
** I took the C source from adduser-shadow (credits are below) and made
|
||||
** it a little more worthwhile. Many small changes... Here's
|
||||
** the ones I can remember:
|
||||
**
|
||||
** Removed support for non-shadowed systems (if you don't have shadow,
|
||||
** use the original adduser, don't get this shadow version!)
|
||||
** Added support for the correct /etc/shadow fields (Min days before
|
||||
** password change, max days before password change, Warning days,
|
||||
** and how many days from expiry date does the account go invalid)
|
||||
** The previous version just left all of those fields blank.
|
||||
** There is still one field left (expiry date for the account, period)
|
||||
** which I have left blank because I do not use it and didn't want to
|
||||
** spend any more time on this. I'm sure someone will put it in and
|
||||
** tack another plethora of credits on here. :)
|
||||
** Added in the password date field, which should always reflect the last
|
||||
** date the password was changed, for expiry purposes. "passwd" always
|
||||
** updates this field, so the adduser program should set it up right
|
||||
** initially (or a user could keep thier initial password forever ;)
|
||||
** The number is in days since Jan 1st, 1970.
|
||||
**
|
||||
** Have fun with it, and someone please make
|
||||
** a real version(this is still just a hack)
|
||||
** for us all to use (and Email it to me???)
|
||||
**
|
||||
** Brandon
|
||||
** photon@usis.com
|
||||
**
|
||||
*****
|
||||
** adduser 1.0: add a new user account (For systems not using shadow)
|
||||
** With a nice little interface and a will to do all the work for you.
|
||||
**
|
||||
** Craig Hagan
|
||||
** hagan@opine.cs.umass.edu
|
||||
**
|
||||
** Modified to really work, look clean, and find unused uid by Chris Cappuccio
|
||||
** chris@slinky.cs.umass.edu
|
||||
**
|
||||
*****
|
||||
**
|
||||
** 01/19/95
|
||||
**
|
||||
** FURTHER modifications to enable shadow passwd support (kludged, but
|
||||
** no more so than the original) by Dan Crowson - dcrowson@mo.net
|
||||
**
|
||||
** Search on DAN for all changes...
|
||||
**
|
||||
*****
|
||||
**
|
||||
** cc -O -o adduser adduser.c
|
||||
** Use gcc if you have it... (political reasons beyond my control) (chris)
|
||||
**
|
||||
** I've gotten this program to work with success under Linux (without
|
||||
** shadow) and SunOS 4.1.3. I would assume it should work pretty well
|
||||
** on any system that uses no shadow. (chris)
|
||||
**
|
||||
** If you have no crypt() then try
|
||||
** cc -DNO_CRYPT -O -o adduser adduser.c xfdes.c
|
||||
** I'm not sure how login operates with no crypt()... I guess
|
||||
** the same way we're doing it here.
|
||||
*/
|
||||
|
||||
#include <pwd.h>
|
||||
#include <grp.h>
|
||||
#include <ctype.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <time.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/timeb.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/stat.h>
|
||||
|
||||
#define DEFAULT_SHELL "/bin/bash" /* because BASH is your friend */
|
||||
#define DEFAULT_HOME "/home"
|
||||
#define USERADD_PATH "/usr/sbin/useradd"
|
||||
#define CHAGE_PATH "/usr/sbin/chage"
|
||||
#define PASSWD_PATH "/usr/bin/passwd"
|
||||
#define DEFAULT_GROUP 100
|
||||
|
||||
#define DEFAULT_MAX_PASS 60
|
||||
#define DEFAULT_WARN_PASS 10
|
||||
/* if you use this feature, you will get a lot of complaints from users
|
||||
who rarely use their accounts :) (something like 3 months would be
|
||||
more reasonable) --marekm */
|
||||
#define DEFAULT_USER_DIE /* 10 */ 0
|
||||
|
||||
void main()
|
||||
{
|
||||
char foo[32];
|
||||
char uname[9],person[32],dir[32],shell[32];
|
||||
unsigned int group,min_pass,max_pass,warn_pass,user_die;
|
||||
/* the group and uid of the new user */
|
||||
int bad=0,done=0,correct=0,gets_warning=0;
|
||||
char cmd[255];
|
||||
struct group *grp;
|
||||
|
||||
/* flags, in order:
|
||||
* bad to see if the username is in /etc/passwd, or if strange stuff has
|
||||
* been typed if the user might be put in group 0
|
||||
* done allows the program to exit when a user has been added
|
||||
* correct loops until a password is found that isn't in /etc/passwd
|
||||
* gets_warning allows the fflush to be skipped for the first gets
|
||||
* so that output is still legible
|
||||
*/
|
||||
|
||||
/* The real program starts HERE! */
|
||||
|
||||
if(geteuid()!=0)
|
||||
{
|
||||
printf("It seems you don't have access to add a new user. Try\n");
|
||||
printf("logging in as root or su root to gain super-user access.\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
/* Sanity checks
|
||||
*/
|
||||
|
||||
if (!(grp=getgrgid(DEFAULT_GROUP))){
|
||||
printf("Error: the default group %d does not exist on this system!\n",
|
||||
DEFAULT_GROUP);
|
||||
printf("adduser must be recompiled.\n");
|
||||
exit(1);
|
||||
};
|
||||
|
||||
while(!correct) { /* loop until a "good" uname is chosen */
|
||||
while(!done) {
|
||||
printf("\nLogin to add (^C to quit): ");
|
||||
if(gets_warning) /* if the warning was already shown */
|
||||
fflush(stdout); /* fflush stdout, otherwise set the flag */
|
||||
else
|
||||
gets_warning=1;
|
||||
|
||||
gets(uname);
|
||||
if(!strlen(uname)) {
|
||||
printf("Empty input.\n");
|
||||
done=0;
|
||||
continue;
|
||||
};
|
||||
|
||||
/* what I saw here before made me think maybe I was running DOS */
|
||||
/* might this be a solution? (chris) */
|
||||
if (getpwnam(uname) != NULL) {
|
||||
printf("That name is in use, choose another.\n");
|
||||
done=0;
|
||||
} else
|
||||
done=1;
|
||||
}; /* done, we have a valid new user name */
|
||||
|
||||
/* all set, get the rest of the stuff */
|
||||
printf("\nEditing information for new user [%s]\n",uname);
|
||||
|
||||
printf("\nFull Name [%s]: ",uname);
|
||||
gets(person);
|
||||
if (!strlen(person)) {
|
||||
bzero(person,sizeof(person));
|
||||
strcpy(person,uname);
|
||||
};
|
||||
|
||||
do {
|
||||
bad=0;
|
||||
printf("GID [%d]: ",DEFAULT_GROUP);
|
||||
gets(foo);
|
||||
if (!strlen(foo))
|
||||
group=DEFAULT_GROUP;
|
||||
else
|
||||
if (isdigit (*foo)) {
|
||||
group = atoi(foo);
|
||||
if (! (grp = getgrgid (group))) {
|
||||
printf("unknown gid %s\n",foo);
|
||||
group=DEFAULT_GROUP;
|
||||
bad=1;
|
||||
};
|
||||
} else
|
||||
if ((grp = getgrnam (foo)))
|
||||
group = grp->gr_gid;
|
||||
else {
|
||||
printf("unknown group %s\n",foo);
|
||||
group=DEFAULT_GROUP;
|
||||
bad=1;
|
||||
}
|
||||
if (group==0){ /* You're not allowed to make root group users! */
|
||||
printf("Creation of root group users not allowed (must be done by hand)\n");
|
||||
group=DEFAULT_GROUP;
|
||||
bad=1;
|
||||
};
|
||||
} while(bad);
|
||||
|
||||
|
||||
fflush(stdin);
|
||||
|
||||
printf("\nIf home dir ends with a / then [%s] will be appended to it\n",uname);
|
||||
printf("Home Directory [%s/%s]: ",DEFAULT_HOME,uname);
|
||||
fflush(stdout);
|
||||
gets(dir);
|
||||
if (!strlen(dir)) { /* hit return */
|
||||
sprintf(dir,"%s/%s",DEFAULT_HOME,uname);
|
||||
fflush(stdin);
|
||||
} else
|
||||
if (dir[strlen(dir)-1]=='/')
|
||||
sprintf(dir+strlen(dir),"%s",uname);
|
||||
|
||||
printf("\nShell [%s]: ",DEFAULT_SHELL);
|
||||
fflush(stdout);
|
||||
gets(shell);
|
||||
if (!strlen(shell))
|
||||
sprintf(shell,"%s",DEFAULT_SHELL);
|
||||
|
||||
printf("\nMin. Password Change Days [0]: ");
|
||||
gets(foo);
|
||||
min_pass=atoi(foo);
|
||||
|
||||
printf("Max. Password Change Days [%d]: ",DEFAULT_MAX_PASS);
|
||||
gets(foo);
|
||||
if (strlen(foo) > 1)
|
||||
max_pass = atoi(foo);
|
||||
else
|
||||
max_pass = DEFAULT_MAX_PASS;
|
||||
|
||||
printf("Password Warning Days [%d]: ",DEFAULT_WARN_PASS);
|
||||
gets(foo);
|
||||
warn_pass = atoi(foo);
|
||||
if (warn_pass==0)
|
||||
warn_pass = DEFAULT_WARN_PASS;
|
||||
|
||||
printf("Days after Password Expiry for Account Locking [%d]: ",DEFAULT_USER_DIE);
|
||||
gets(foo);
|
||||
user_die = atoi(foo);
|
||||
if (user_die == 0)
|
||||
user_die = DEFAULT_USER_DIE;
|
||||
|
||||
printf("\nInformation for new user [%s] [%s]:\n",uname,person);
|
||||
printf("Home directory: [%s] Shell: [%s]\n",dir,shell);
|
||||
printf("GID: [%d]\n",group);
|
||||
printf("MinPass: [%d] MaxPass: [%d] WarnPass: [%d] UserExpire: [%d]\n",
|
||||
min_pass,max_pass,warn_pass,user_die);
|
||||
printf("\nIs this correct? [y/N]: ");
|
||||
fflush(stdout);
|
||||
gets(foo);
|
||||
|
||||
done=bad=correct=(foo[0]=='y'||foo[0]=='Y');
|
||||
|
||||
if(bad!=1)
|
||||
printf("\nUser [%s] not added\n",uname);
|
||||
}
|
||||
|
||||
bzero(cmd,sizeof(cmd));
|
||||
sprintf(cmd,"%s -g %d -d %s -s %s -c \"%s\" -m -k /etc/skel %s",
|
||||
USERADD_PATH,group,dir,shell,person,uname);
|
||||
printf("Calling useradd to add new user:\n%s\n",cmd);
|
||||
if(system(cmd)){
|
||||
printf("User add failed!\n");
|
||||
exit(errno);
|
||||
};
|
||||
bzero(cmd,sizeof(cmd));
|
||||
sprintf(cmd,"%s -m %d -M %d -W %d -I %d %s", CHAGE_PATH,
|
||||
min_pass,max_pass,warn_pass,user_die,uname);
|
||||
printf("%s\n",cmd);
|
||||
if(system(cmd)){
|
||||
printf("There was an error setting password expire values\n");
|
||||
exit(errno);
|
||||
};
|
||||
bzero(cmd,sizeof(cmd));
|
||||
sprintf(cmd,"%s %s",PASSWD_PATH,uname);
|
||||
system(cmd);
|
||||
printf("\nDone.\n");
|
||||
}
|
||||
|
||||
@@ -0,0 +1,502 @@
|
||||
/****
|
||||
** 04/21/96
|
||||
** hacked even more, replaced gets() with something slightly harder to buffer
|
||||
** overflow. Added support for setting a default quota on new account, with
|
||||
** edquota -p. Other cleanups for security, I let some users run adduser suid
|
||||
** root to add new accounts. (overflow checks, clobber environment, valid
|
||||
** shell checks, restrictions on gid + home dir settings).
|
||||
|
||||
** Added max. username length. Used syslog() a bit for important events.
|
||||
** Support to immediately expire account with passwd -e.
|
||||
|
||||
** Called it version 2.0! Because I felt like it!
|
||||
|
||||
** -- Chris, chris@ferret.lmh.ox.ac.uk
|
||||
|
||||
** 03/17/96
|
||||
** hacked a bit more, removed unused code, cleaned up for gcc -Wall.
|
||||
** --marekm
|
||||
**
|
||||
** 02/26/96
|
||||
** modified to call shadow utils (useradd,chage,passwd) on shadowed
|
||||
** systems - Cristian Gafton, gafton@sorosis.ro
|
||||
**
|
||||
** 6/27/95
|
||||
** shadow-adduser 1.4:
|
||||
**
|
||||
** now it copies the /etc/skel dir into the person's dir,
|
||||
** makes the mail folders, changed some defaults and made a 'make
|
||||
** install' just for the hell of it.
|
||||
**
|
||||
** Greg Gallagher
|
||||
** CIN.Net
|
||||
**
|
||||
** 1/28/95
|
||||
** shadow-adduser 1.3:
|
||||
**
|
||||
** Basically a bug-fix on my additions in 1.2. Thanx to Terry Stewart
|
||||
** (stew@texas.net) for pointing out one of the many idiotic bugs I introduced.
|
||||
** It was such a stupid bug that I would have never seen it myself.
|
||||
**
|
||||
** Brandon
|
||||
*****
|
||||
** 01/27/95
|
||||
**
|
||||
** shadow-adduser 1.2:
|
||||
** I took the C source from adduser-shadow (credits are below) and made
|
||||
** it a little more worthwhile. Many small changes... Here's
|
||||
** the ones I can remember:
|
||||
**
|
||||
** Removed support for non-shadowed systems (if you don't have shadow,
|
||||
** use the original adduser, don't get this shadow version!)
|
||||
** Added support for the correct /etc/shadow fields (Min days before
|
||||
** password change, max days before password change, Warning days,
|
||||
** and how many days from expiry date does the account go invalid)
|
||||
** The previous version just left all of those fields blank.
|
||||
** There is still one field left (expiry date for the account, period)
|
||||
** which I have left blank because I do not use it and didn't want to
|
||||
** spend any more time on this. I'm sure someone will put it in and
|
||||
** tack another plethora of credits on here. :)
|
||||
** Added in the password date field, which should always reflect the last
|
||||
** date the password was changed, for expiry purposes. "passwd" always
|
||||
** updates this field, so the adduser program should set it up right
|
||||
** initially (or a user could keep thier initial password forever ;)
|
||||
** The number is in days since Jan 1st, 1970.
|
||||
**
|
||||
** Have fun with it, and someone please make
|
||||
** a real version(this is still just a hack)
|
||||
** for us all to use (and Email it to me???)
|
||||
**
|
||||
** Brandon
|
||||
** photon@usis.com
|
||||
**
|
||||
*****
|
||||
** adduser 1.0: add a new user account (For systems not using shadow)
|
||||
** With a nice little interface and a will to do all the work for you.
|
||||
**
|
||||
** Craig Hagan
|
||||
** hagan@opine.cs.umass.edu
|
||||
**
|
||||
** Modified to really work, look clean, and find unused uid by Chris Cappuccio
|
||||
** chris@slinky.cs.umass.edu
|
||||
**
|
||||
*****
|
||||
**
|
||||
** 01/19/95
|
||||
**
|
||||
** FURTHER modifications to enable shadow passwd support (kludged, but
|
||||
** no more so than the original) by Dan Crowson - dcrowson@mo.net
|
||||
**
|
||||
** Search on DAN for all changes...
|
||||
**
|
||||
*****
|
||||
**
|
||||
** cc -O -o adduser adduser.c
|
||||
** Use gcc if you have it... (political reasons beyond my control) (chris)
|
||||
**
|
||||
** I've gotten this program to work with success under Linux (without
|
||||
** shadow) and SunOS 4.1.3. I would assume it should work pretty well
|
||||
** on any system that uses no shadow. (chris)
|
||||
**
|
||||
** If you have no crypt() then try
|
||||
** cc -DNO_CRYPT -O -o adduser adduser.c xfdes.c
|
||||
** I'm not sure how login operates with no crypt()... I guess
|
||||
** the same way we're doing it here.
|
||||
*/
|
||||
|
||||
#include <unistd.h>
|
||||
#include <stdlib.h>
|
||||
#include <pwd.h>
|
||||
#include <grp.h>
|
||||
#include <ctype.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <time.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/timeb.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/stat.h>
|
||||
#include <syslog.h>
|
||||
|
||||
#define IMMEDIATE_CHANGE /* Expire newly created password, must be changed
|
||||
* immediately upon next login */
|
||||
#define HAVE_QUOTAS /* Obvious */
|
||||
#define EXPIRE_VALS_SET /* If defined, 'normal' users can't change
|
||||
* password expiry values (if running suid root) */
|
||||
|
||||
#define HAVE_GETUSERSHELL /* FIXME: Isn't this defined in config.h too? */
|
||||
#define LOGGING /* If we want to log various things to syslog */
|
||||
#define MAX_USRNAME 8 /* Longer usernames seem to work on my system....
|
||||
* But they're probably a poor idea */
|
||||
|
||||
|
||||
#define DEFAULT_SHELL "/bin/bash" /* because BASH is your friend */
|
||||
#define DEFAULT_HOME "/home"
|
||||
#define USERADD_PATH "/usr/sbin/useradd"
|
||||
#define CHAGE_PATH "/usr/bin/chage"
|
||||
#define PASSWD_PATH "/usr/bin/passwd"
|
||||
#define EDQUOTA_PATH "/usr/sbin/edquota"
|
||||
#define QUOTA_DEFAULT "defuser"
|
||||
#define DEFAULT_GROUP 100
|
||||
|
||||
#define DEFAULT_MIN_PASS 0
|
||||
#define DEFAULT_MAX_PASS 100
|
||||
#define DEFAULT_WARN_PASS 14
|
||||
#define DEFAULT_USER_DIE 366
|
||||
|
||||
void safeget (char *, int);
|
||||
|
||||
void
|
||||
main (void)
|
||||
{
|
||||
char foo[32];
|
||||
char usrname[32], person[32], dir[32], shell[32];
|
||||
unsigned int group, min_pass, max_pass, warn_pass, user_die;
|
||||
/* the group and uid of the new user */
|
||||
int bad = 0, done = 0, correct = 0, olduid;
|
||||
char cmd[255];
|
||||
struct group *grp;
|
||||
|
||||
/* flags, in order:
|
||||
* bad to see if the username is in /etc/passwd, or if strange stuff has
|
||||
* been typed if the user might be put in group 0
|
||||
* done allows the program to exit when a user has been added
|
||||
* correct loops until a username is found that isn't in /etc/passwd
|
||||
*/
|
||||
|
||||
/* The real program starts HERE! */
|
||||
|
||||
if (geteuid () != 0)
|
||||
{
|
||||
printf ("It seems you don't have access to add a new user. Try\n");
|
||||
printf ("logging in as root or su root to gain superuser access.\n");
|
||||
exit (1);
|
||||
}
|
||||
|
||||
/* Sanity checks
|
||||
*/
|
||||
|
||||
#ifdef LOGGING
|
||||
openlog ("adduser", LOG_PID | LOG_CONS | LOG_NOWAIT, LOG_AUTH);
|
||||
syslog (LOG_INFO, "invoked by user %s\n", getpwuid (getuid ())->pw_name);
|
||||
#endif
|
||||
|
||||
if (!(grp = getgrgid (DEFAULT_GROUP)))
|
||||
{
|
||||
printf ("Error: the default group %d does not exist on this system!\n",
|
||||
DEFAULT_GROUP);
|
||||
printf ("adduser must be recompiled.\n");
|
||||
#ifdef LOGGING
|
||||
syslog (LOG_ERR, "warning: failed. no such default group\n");
|
||||
closelog ();
|
||||
#endif
|
||||
exit (1);
|
||||
};
|
||||
|
||||
while (!correct)
|
||||
{ /* loop until a "good" usrname is chosen */
|
||||
while (!done)
|
||||
{
|
||||
printf ("\nLogin to add (^C to quit): ");
|
||||
fflush (stdout);
|
||||
|
||||
safeget (usrname, sizeof (usrname));
|
||||
|
||||
if (!strlen (usrname))
|
||||
{
|
||||
printf ("Empty input.\n");
|
||||
done = 0;
|
||||
continue;
|
||||
};
|
||||
|
||||
/* what I saw here before made me think maybe I was running DOS */
|
||||
/* might this be a solution? (chris) */
|
||||
if (strlen (usrname) > MAX_USRNAME)
|
||||
{
|
||||
printf ("That name is longer than the maximum of %d characters. Choose another.\n", MAX_USRNAME);
|
||||
done = 0;
|
||||
}
|
||||
else if (getpwnam (usrname) != NULL)
|
||||
{
|
||||
printf ("That name is in use, choose another.\n");
|
||||
done = 0;
|
||||
}
|
||||
else if (strchr (usrname, ' ') != NULL)
|
||||
{
|
||||
printf ("No spaces in username!!\n");
|
||||
done = 0;
|
||||
}
|
||||
else
|
||||
done = 1;
|
||||
}; /* done, we have a valid new user name */
|
||||
|
||||
/* all set, get the rest of the stuff */
|
||||
printf ("\nEditing information for new user [%s]\n", usrname);
|
||||
|
||||
printf ("\nFull Name [%s]: ", usrname);
|
||||
fflush (stdout);
|
||||
safeget (person, sizeof (person));
|
||||
if (!strlen (person))
|
||||
{
|
||||
bzero (person, sizeof (person));
|
||||
strcpy (person, usrname);
|
||||
};
|
||||
|
||||
if (getuid () == 0)
|
||||
{
|
||||
do
|
||||
{
|
||||
bad = 0;
|
||||
printf ("GID [%d]: ", DEFAULT_GROUP);
|
||||
fflush (stdout);
|
||||
safeget (foo, sizeof (foo));
|
||||
if (!strlen (foo))
|
||||
group = DEFAULT_GROUP;
|
||||
else if (isdigit (*foo))
|
||||
{
|
||||
group = atoi (foo);
|
||||
if (!(grp = getgrgid (group)))
|
||||
{
|
||||
printf ("unknown gid %s\n", foo);
|
||||
group = DEFAULT_GROUP;
|
||||
bad = 1;
|
||||
};
|
||||
}
|
||||
else if ((grp = getgrnam (foo)))
|
||||
group = grp->gr_gid;
|
||||
else
|
||||
{
|
||||
printf ("unknown group %s\n", foo);
|
||||
group = DEFAULT_GROUP;
|
||||
bad = 1;
|
||||
}
|
||||
if (group == 0)
|
||||
{ /* You're not allowed to make root group users! */
|
||||
printf ("Creation of root group users not allowed (must be done by hand)\n");
|
||||
group = DEFAULT_GROUP;
|
||||
bad = 1;
|
||||
};
|
||||
}
|
||||
while (bad);
|
||||
}
|
||||
else
|
||||
{
|
||||
printf ("Group will be default of: %d\n", DEFAULT_GROUP);
|
||||
group = DEFAULT_GROUP;
|
||||
}
|
||||
|
||||
if (getuid () == 0)
|
||||
{
|
||||
printf ("\nIf home dir ends with a / then '%s' will be appended to it\n", usrname);
|
||||
printf ("Home Directory [%s/%s]: ", DEFAULT_HOME, usrname);
|
||||
fflush (stdout);
|
||||
safeget (dir, sizeof (dir));
|
||||
if (!strlen (dir))
|
||||
{ /* hit return */
|
||||
sprintf (dir, "%s/%s", DEFAULT_HOME, usrname);
|
||||
}
|
||||
else if (dir[strlen (dir) - 1] == '/')
|
||||
sprintf (dir+strlen(dir), "%s", usrname);
|
||||
}
|
||||
else
|
||||
{
|
||||
printf ("\nHome directory will be %s/%s\n", DEFAULT_HOME, usrname);
|
||||
sprintf (dir, "%s/%s", DEFAULT_HOME, usrname);
|
||||
}
|
||||
|
||||
printf ("\nShell [%s]: ", DEFAULT_SHELL);
|
||||
fflush (stdout);
|
||||
safeget (shell, sizeof (shell));
|
||||
if (!strlen (shell))
|
||||
sprintf (shell, "%s", DEFAULT_SHELL);
|
||||
else
|
||||
{
|
||||
char *sh;
|
||||
int ok = 0;
|
||||
#ifdef HAVE_GETUSERSHELL
|
||||
setusershell ();
|
||||
while ((sh = getusershell ()) != NULL)
|
||||
if (!strcmp (shell, sh))
|
||||
ok = 1;
|
||||
endusershell ();
|
||||
#endif
|
||||
if (!ok)
|
||||
{
|
||||
if (getuid () == 0)
|
||||
printf ("Warning: root allowed non standard shell\n");
|
||||
else
|
||||
{
|
||||
printf ("Shell NOT in /etc/shells, DEFAULT used\n");
|
||||
sprintf (shell, "%s", DEFAULT_SHELL);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef EXPIRE_VALS_SET
|
||||
if (getuid () == 0)
|
||||
{
|
||||
#endif
|
||||
printf ("\nMin. Password Change Days [%d]: ", DEFAULT_MIN_PASS);
|
||||
fflush (stdout);
|
||||
safeget (foo, sizeof (foo));
|
||||
if (strlen (foo) > 1)
|
||||
min_pass = DEFAULT_MIN_PASS;
|
||||
else
|
||||
min_pass = atoi (foo);
|
||||
|
||||
printf ("Max. Password Change Days [%d]: ", DEFAULT_MAX_PASS);
|
||||
fflush (stdout);
|
||||
safeget (foo, sizeof (foo));
|
||||
if (strlen (foo) > 1)
|
||||
max_pass = atoi (foo);
|
||||
else
|
||||
max_pass = DEFAULT_MAX_PASS;
|
||||
|
||||
printf ("Password Warning Days [%d]: ", DEFAULT_WARN_PASS);
|
||||
fflush (stdout);
|
||||
safeget (foo, sizeof (foo));
|
||||
warn_pass = atoi (foo);
|
||||
if (warn_pass == 0)
|
||||
|
||||
warn_pass = DEFAULT_WARN_PASS;
|
||||
|
||||
printf ("Days after Password Expiry for Account Locking [%d]: ", DEFAULT_USER_DIE);
|
||||
fflush (stdout);
|
||||
safeget (foo, sizeof (foo));
|
||||
user_die = atoi (foo);
|
||||
if (user_die == 0)
|
||||
user_die = DEFAULT_USER_DIE;
|
||||
|
||||
#ifdef EXPIRE_VALS_SET
|
||||
}
|
||||
else
|
||||
{
|
||||
printf ("\nSorry, account expiry values are set.\n");
|
||||
user_die = DEFAULT_USER_DIE;
|
||||
warn_pass = DEFAULT_WARN_PASS;
|
||||
max_pass = DEFAULT_MAX_PASS;
|
||||
min_pass = DEFAULT_MIN_PASS;
|
||||
}
|
||||
#endif
|
||||
|
||||
printf ("\nInformation for new user [%s] [%s]:\n", usrname, person);
|
||||
printf ("Home directory: [%s] Shell: [%s]\n", dir, shell);
|
||||
printf ("GID: [%d]\n", group);
|
||||
printf ("MinPass: [%d] MaxPass: [%d] WarnPass: [%d] UserExpire: [%d]\n",
|
||||
min_pass, max_pass, warn_pass, user_die);
|
||||
printf ("\nIs this correct? [y/N]: ");
|
||||
fflush (stdout);
|
||||
safeget (foo, sizeof (foo));
|
||||
|
||||
done = bad = correct = (foo[0] == 'y' || foo[0] == 'Y');
|
||||
|
||||
if (bad != 1)
|
||||
printf ("\nUser [%s] not added\n", usrname);
|
||||
}
|
||||
|
||||
/* Clobber the environment, I run this suid root sometimes to let
|
||||
* non root privileged accounts add users --chris */
|
||||
|
||||
*environ = NULL;
|
||||
|
||||
bzero (cmd, sizeof (cmd));
|
||||
sprintf (cmd, "%s -g %d -d %s -s %s -c \"%s\" -m -k /etc/skel %s",
|
||||
USERADD_PATH, group, dir, shell, person, usrname);
|
||||
printf ("Calling useradd to add new user:\n%s\n", cmd);
|
||||
if (system (cmd))
|
||||
{
|
||||
printf ("User add failed!\n");
|
||||
#ifdef LOGGING
|
||||
syslog (LOG_ERR, "could not add new user\n");
|
||||
closelog ();
|
||||
#endif
|
||||
exit (errno);
|
||||
};
|
||||
|
||||
olduid = getuid (); /* chage, passwd, edquota etc. require ruid = root
|
||||
*/
|
||||
setuid (0);
|
||||
|
||||
bzero (cmd, sizeof (cmd));
|
||||
|
||||
/* Chage runs suid root. => we need ruid root to run it with
|
||||
* anything other than chage -l
|
||||
*/
|
||||
|
||||
sprintf (cmd, "%s -m %d -M %d -W %d -I %d %s", CHAGE_PATH,
|
||||
min_pass, max_pass, warn_pass, user_die, usrname);
|
||||
printf ("%s\n", cmd);
|
||||
if (system (cmd))
|
||||
{
|
||||
printf ("There was an error setting password expire values\n");
|
||||
#ifdef LOGGING
|
||||
syslog (LOG_ERR, "password expire values could not be set\n");
|
||||
#endif
|
||||
};
|
||||
|
||||
/* I want to add a user completely with one easy command --chris */
|
||||
|
||||
#ifdef HAVE_QUOTAS
|
||||
bzero (cmd, sizeof (cmd));
|
||||
sprintf (cmd, "%s -p %s -u %s", EDQUOTA_PATH, QUOTA_DEFAULT, usrname);
|
||||
printf ("%s\n", cmd);
|
||||
if (system (cmd))
|
||||
{
|
||||
printf ("\nWarning: error setting quota\n");
|
||||
#ifdef LOGGING
|
||||
syslog (LOG_ERR, "warning: account created but NO quotas set!\n");
|
||||
#endif /* LOGGING */
|
||||
}
|
||||
else
|
||||
printf ("\nDefault quota set.\n");
|
||||
#endif /* HAVE_QUOTAS */
|
||||
|
||||
bzero (cmd, sizeof (cmd));
|
||||
sprintf (cmd, "%s %s", PASSWD_PATH, usrname);
|
||||
if (system (cmd))
|
||||
{
|
||||
printf ("\nWarning: error setting password\n");
|
||||
#ifdef LOGGING
|
||||
syslog (LOG_ERR, "warning: password set failed!\n");
|
||||
#endif
|
||||
}
|
||||
#ifdef IMMEDIATE_CHANGE
|
||||
bzero (cmd, sizeof (cmd));
|
||||
sprintf (cmd, "%s -e %s", PASSWD_PATH, usrname);
|
||||
if (system (cmd))
|
||||
{
|
||||
printf ("\nWarning: error expiring password\n");
|
||||
#ifdef LOGGING
|
||||
syslog (LOG_ERR, "warning: password expire failed!\n");
|
||||
#endif /* LOGGING */
|
||||
}
|
||||
#endif /* IMMEDIATE_CHANGE */
|
||||
|
||||
setuid (olduid);
|
||||
|
||||
#ifdef LOGGING
|
||||
closelog ();
|
||||
#endif
|
||||
|
||||
printf ("\nDone.\n");
|
||||
}
|
||||
|
||||
void
|
||||
safeget (char *buf, int maxlen)
|
||||
{
|
||||
int c, i = 0, bad = 0;
|
||||
char *bstart = buf;
|
||||
while ((c = getc (stdin)) != EOF && (c != '\n') && (++i < maxlen))
|
||||
{
|
||||
bad = (!isalnum (c) && (c != '_') && (c != ' '));
|
||||
*(buf++) = (char) c;
|
||||
}
|
||||
*buf = '\0';
|
||||
|
||||
if (bad)
|
||||
{
|
||||
printf ("\nString contained banned character. Please stick to alphanumerics.\n");
|
||||
*bstart = '\0';
|
||||
}
|
||||
}
|
||||
|
||||
Executable
+90
@@ -0,0 +1,90 @@
|
||||
#!/bin/sh
|
||||
# adduser script for use with shadow passwords and useradd command.
|
||||
# by Hrvoje Dogan <hdogan@student.math.hr>, Dec 1995.
|
||||
|
||||
echo -n "Login name for new user []:"
|
||||
read LOGIN
|
||||
if [ -z $LOGIN ]
|
||||
then echo "Come on, man, you can't leave the login field empty...";exit
|
||||
fi
|
||||
echo
|
||||
echo -n "User id for $LOGIN [ defaults to next available]:"
|
||||
read ID
|
||||
GUID="-u $ID"
|
||||
if [ -z $ID ]
|
||||
then GUID=""
|
||||
fi
|
||||
|
||||
echo
|
||||
echo -n "Initial group for $LOGIN [users]:"
|
||||
read GID
|
||||
GGID="-g $GID"
|
||||
if [ -z $GID ]
|
||||
then GGID=""
|
||||
fi
|
||||
|
||||
echo
|
||||
echo -n "Additional groups for $LOGIN []:"
|
||||
read AGID
|
||||
GAGID="-G $AGID"
|
||||
if [ -z $AGID ]
|
||||
then GAGID=""
|
||||
fi
|
||||
|
||||
echo
|
||||
echo -n "$LOGIN's home directory [/home/$LOGIN]:"
|
||||
read HME
|
||||
GHME="-d $HME"
|
||||
if [ -z $HME ]
|
||||
then GHME=""
|
||||
fi
|
||||
|
||||
echo
|
||||
echo -n "$LOGIN's shell [/bin/bash]:"
|
||||
read SHL
|
||||
GSHL="-s $SHL"
|
||||
if [ -z $SHL ]
|
||||
then GSHL=""
|
||||
fi
|
||||
|
||||
echo
|
||||
echo -n "$LOGIN's account expiry date (MM/DD/YY) []:"
|
||||
read EXP
|
||||
GEXP="-e $EXP"
|
||||
if [ -z $EXP ]
|
||||
then GEXP=""
|
||||
fi
|
||||
echo
|
||||
echo OK, I'm about to make a new account. Here's what you entered so far:
|
||||
echo New login name: $LOGIN
|
||||
if [ -z $GUID ]
|
||||
then echo New UID: [Next available]
|
||||
else echo New UID: $UID
|
||||
fi
|
||||
if [ -z $GGID ]
|
||||
then echo Initial group: users
|
||||
else echo Initial group: $GID
|
||||
fi
|
||||
if [ -z $GAGID ]
|
||||
then echo Additional groups: [none]
|
||||
else echo Additional groups: $AGID
|
||||
fi
|
||||
if [ -z $GHME ]
|
||||
then echo Home directory: /home/$LOGIN
|
||||
else echo Home directory: $HME
|
||||
fi
|
||||
if [ -z $GSHL ]
|
||||
then echo Shell: /bin/bash
|
||||
else echo Shell: $SHL
|
||||
fi
|
||||
if [ -z $GEXP ]
|
||||
then echo Expiry date: [no expiration]
|
||||
else echo Expiry date: $EXP
|
||||
fi
|
||||
echo "This is it... if you want to bail out, you'd better do it now."
|
||||
read FOO
|
||||
echo Making new account...
|
||||
/usr/sbin/useradd $GHME -m $GEXP $GGID $GAGID $GSHL $GUID $LOGIN
|
||||
/usr/bin/chfn $LOGIN
|
||||
/usr/bin/passwd $LOGIN
|
||||
echo "Done..."
|
||||
Executable
+743
@@ -0,0 +1,743 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
# adduser Interactive user adding program.
|
||||
#
|
||||
# Copyright (C) 1996 Petri Mattila, Prihateam Networks
|
||||
# petri@prihateam.fi
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation; either version 2, or (at your option)
|
||||
# any later version.
|
||||
#
|
||||
# Changes:
|
||||
# 220496 v0.01 Initial version
|
||||
# 230496 v0.02 More checks, embolden summary
|
||||
# 240496 Even more checks
|
||||
# 250496 Help with ?
|
||||
# 040596 v0.03 Cleanups
|
||||
# 050596 v0.04 Bug fixes, expire date checks
|
||||
# 070596 v0.05 Iso-latin-1 names
|
||||
#
|
||||
|
||||
## Defaults
|
||||
|
||||
# default groups
|
||||
def_group="users"
|
||||
def_other_groups=""
|
||||
|
||||
# default home directory
|
||||
def_home_dir=/home/users
|
||||
|
||||
# default shell
|
||||
def_shell=/bin/tcsh
|
||||
|
||||
# Defaul expiration date (mm/dd/yy)
|
||||
def_expire=""
|
||||
|
||||
# default dates
|
||||
def_pwd_min=0
|
||||
def_pwd_max=90
|
||||
def_pwd_warn=14
|
||||
def_pwd_iact=14
|
||||
|
||||
|
||||
# possible UIDs
|
||||
uid_low=1000
|
||||
uid_high=64000
|
||||
|
||||
# skel directory
|
||||
skel=/etc/skel
|
||||
|
||||
# default mode for home directory
|
||||
def_mode=711
|
||||
|
||||
# Regex, that the login name must meet, only ANSI characters
|
||||
login_regex='^[0-9a-zA-Z_-]*$'
|
||||
|
||||
# Regex, that the user name must meet
|
||||
# ANSI version
|
||||
##name_regex='^[0-9a-zA-Z_-\ ]*$'
|
||||
# ISO-LATIN-1 version
|
||||
name_regex='^[0-9a-zA-ZÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõöùúûüýþÿ_-\ ]*$'
|
||||
|
||||
# set PATH
|
||||
export PATH="/bin:/sbin:/usr/bin:/usr/sbin"
|
||||
|
||||
# Some special characters
|
||||
case "$TERM" in
|
||||
vt*|ansi*|con*|xterm*|linux*)
|
||||
S='[1m' # start embolden
|
||||
E='[m' # end embolden
|
||||
;;
|
||||
*)
|
||||
S=''
|
||||
E=''
|
||||
;;
|
||||
esac
|
||||
|
||||
|
||||
## Functions
|
||||
|
||||
check_root() {
|
||||
if test "$EUID" -ne 0
|
||||
then
|
||||
echo "You must be root to run this program."
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
check_user() {
|
||||
local usr pwd uid gid name home sh
|
||||
|
||||
cat /etc/passwd | (
|
||||
while IFS=":" read usr pwd uid gid name home sh
|
||||
do
|
||||
if test "$1" = "${usr}"
|
||||
then
|
||||
return 1
|
||||
fi
|
||||
done
|
||||
return 0
|
||||
)
|
||||
}
|
||||
|
||||
check_group() {
|
||||
local read grp pwd gid members
|
||||
|
||||
cat /etc/group | (
|
||||
while IFS=":" read grp pwd gid members
|
||||
do
|
||||
if test "$1" = "${grp}"
|
||||
then
|
||||
return 1
|
||||
fi
|
||||
done
|
||||
return 0
|
||||
)
|
||||
}
|
||||
|
||||
check_other_groups() {
|
||||
local grp check IFS
|
||||
|
||||
check="$1"
|
||||
IFS=","
|
||||
|
||||
set ${check}
|
||||
for grp
|
||||
do
|
||||
if check_group "${grp}"
|
||||
then
|
||||
echo "Group ${grp} does not exist."
|
||||
return 1
|
||||
fi
|
||||
done
|
||||
return 0
|
||||
}
|
||||
|
||||
check_uid() {
|
||||
local usr pwd uid gid name home sh
|
||||
|
||||
cat /etc/passwd | (
|
||||
while IFS=":" read usr pwd uid gid name home sh
|
||||
do
|
||||
if test "$1" = "${uid}"
|
||||
then
|
||||
return 1
|
||||
fi
|
||||
done
|
||||
return 0
|
||||
)
|
||||
}
|
||||
|
||||
read_yn() {
|
||||
local ans ynd
|
||||
|
||||
ynd="$1"
|
||||
|
||||
while :
|
||||
do
|
||||
read ans
|
||||
case "${ans}" in
|
||||
"") return ${ynd} ;;
|
||||
[nN]) return 1 ;;
|
||||
[yY]) return 0 ;;
|
||||
*) echo -n "Y or N, please ? " ;;
|
||||
esac
|
||||
done
|
||||
}
|
||||
|
||||
read_login() {
|
||||
echo
|
||||
while :
|
||||
do
|
||||
echo -n "Login: ${def_login:+[${def_login}] }"
|
||||
read login
|
||||
|
||||
if test "${login}" = '?'
|
||||
then
|
||||
less /etc/passwd
|
||||
echo
|
||||
continue
|
||||
fi
|
||||
|
||||
if test -z "${login}" -a -n "${def_login}"
|
||||
then
|
||||
login="${def_login}"
|
||||
echo "Using ${login}"
|
||||
return
|
||||
fi
|
||||
|
||||
if test "${#login}" -gt 8
|
||||
then
|
||||
echo "Login must be at most 8 characters long"
|
||||
continue
|
||||
fi
|
||||
|
||||
if test "${#login}" -lt 2
|
||||
then
|
||||
echo "Login must be at least 2 characters long"
|
||||
continue
|
||||
fi
|
||||
|
||||
if ! expr "${login}" : "${login_regex}" &> /dev/null
|
||||
then
|
||||
echo "Please use letters, numbers and special characters _-,."
|
||||
continue
|
||||
fi
|
||||
|
||||
if ! check_user "${login}"
|
||||
then
|
||||
echo "Username ${login} is already in use"
|
||||
continue
|
||||
fi
|
||||
|
||||
def_login="${login}"
|
||||
return
|
||||
done
|
||||
}
|
||||
|
||||
read_name () {
|
||||
echo
|
||||
while :
|
||||
do
|
||||
echo -n "Real name: ${def_name:+[${def_name}] }"
|
||||
read name
|
||||
|
||||
if test "${name}" = '?'
|
||||
then
|
||||
less /etc/passwd
|
||||
echo
|
||||
continue
|
||||
fi
|
||||
|
||||
if test -z "${name}" -a -n "${def_name}"
|
||||
then
|
||||
name="${def_name}"
|
||||
echo "Using ${name}"
|
||||
fi
|
||||
|
||||
if test "${#name}" -gt 32
|
||||
then
|
||||
echo "Name should be at most 32 characters long"
|
||||
continue
|
||||
fi
|
||||
|
||||
if ! expr "${name}" : "${name_regex}" &> /dev/null
|
||||
then
|
||||
echo "Please use letters, numbers, spaces and special characters ,._-"
|
||||
continue
|
||||
fi
|
||||
|
||||
def_name="${name}"
|
||||
return
|
||||
done
|
||||
}
|
||||
|
||||
read_home() {
|
||||
local x
|
||||
|
||||
echo
|
||||
while :
|
||||
do
|
||||
echo -n "Home Directory: [${def_home_dir}/${login}] "
|
||||
read home
|
||||
|
||||
if test -z "${home}"
|
||||
then
|
||||
home="${def_home_dir}/${login}"
|
||||
echo "Using ${home}"
|
||||
fi
|
||||
|
||||
if ! expr "${home}" : '^[0-9a-zA-Z,._-\/]*$' &> /dev/null
|
||||
then
|
||||
echo "Please use letters, numbers, spaces and special characters ,._-/"
|
||||
continue
|
||||
fi
|
||||
|
||||
x="$(basename ${home})"
|
||||
if test "${x}" != "${login}"
|
||||
then
|
||||
echo "Warning: you are about to use different login name and home directory."
|
||||
fi
|
||||
|
||||
x="$(dirname ${home})"
|
||||
if ! test -d "${x}"
|
||||
then
|
||||
echo "Directory ${x} does not exist."
|
||||
echo "If you still want to use it, please make it manually."
|
||||
continue
|
||||
fi
|
||||
|
||||
def_home_dir="${x}"
|
||||
return
|
||||
done
|
||||
}
|
||||
|
||||
read_shell () {
|
||||
local x
|
||||
|
||||
echo
|
||||
while :
|
||||
do
|
||||
echo -n "Shell: [${def_shell}] "
|
||||
read shell
|
||||
|
||||
if test -z "${shell}"
|
||||
then
|
||||
shell="${def_shell}"
|
||||
echo "Using ${shell}"
|
||||
fi
|
||||
|
||||
for x in $(cat /etc/shells)
|
||||
do
|
||||
if test "${x}" = "${shell}"
|
||||
then
|
||||
def_shell="${shell}"
|
||||
return
|
||||
fi
|
||||
done
|
||||
|
||||
echo "Possible shells are:"
|
||||
cat /etc/shells
|
||||
done
|
||||
}
|
||||
|
||||
read_group () {
|
||||
echo
|
||||
while :
|
||||
do
|
||||
echo -n "Group: [${def_group}] "
|
||||
read group
|
||||
|
||||
if test -z "${group}"
|
||||
then
|
||||
group="${def_group}"
|
||||
echo "Using ${group}"
|
||||
fi
|
||||
|
||||
if test "${group}" = '?'
|
||||
then
|
||||
less /etc/group
|
||||
echo
|
||||
continue
|
||||
fi
|
||||
|
||||
if check_group "${group}"
|
||||
then
|
||||
echo "Group ${group} does not exist."
|
||||
continue
|
||||
fi
|
||||
|
||||
def_group="${group}"
|
||||
return
|
||||
done
|
||||
}
|
||||
|
||||
read_other_groups () {
|
||||
echo
|
||||
while :
|
||||
do
|
||||
echo -n "Other groups: [${def_og:-none}] "
|
||||
read other_groups
|
||||
|
||||
if test "${other_groups}" = '?'
|
||||
then
|
||||
less /etc/group
|
||||
echo
|
||||
continue
|
||||
fi
|
||||
|
||||
if test -z "${other_groups}"
|
||||
then
|
||||
if test -n "${def_og}"
|
||||
then
|
||||
other_groups="${def_og}"
|
||||
echo "Using ${other_groups}"
|
||||
else
|
||||
echo "No other groups"
|
||||
return
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
if ! check_other_groups "${other_groups}"
|
||||
then
|
||||
continue
|
||||
fi
|
||||
|
||||
def_og="${other_groups}"
|
||||
return
|
||||
done
|
||||
}
|
||||
|
||||
read_uid () {
|
||||
echo
|
||||
while :
|
||||
do
|
||||
echo -n "uid: [first free] "
|
||||
read uid
|
||||
|
||||
if test -z "${uid}"
|
||||
then
|
||||
echo "Using first free UID."
|
||||
return
|
||||
fi
|
||||
|
||||
if test "${uid}" = '?'
|
||||
then
|
||||
less /etc/passwd
|
||||
echo
|
||||
continue
|
||||
fi
|
||||
|
||||
if ! expr "${uid}" : '^[0-9]+$' &> /dev/null
|
||||
then
|
||||
echo "Please use numbers only."
|
||||
continue
|
||||
fi
|
||||
if test "${uid}" -lt "${uid_low}"
|
||||
then
|
||||
echo "UID must be greater than ${uid_low}"
|
||||
continue
|
||||
fi
|
||||
if test "${uid}" -gt "${uid_high}"
|
||||
then
|
||||
echo "UID must be smaller than ${uid_high}"
|
||||
continue
|
||||
fi
|
||||
if ! check_uid "${uid}"
|
||||
then
|
||||
echo "UID ${uid} is already in use"
|
||||
continue
|
||||
fi
|
||||
|
||||
return
|
||||
done
|
||||
}
|
||||
|
||||
read_max_valid_days() {
|
||||
echo
|
||||
while :
|
||||
do
|
||||
echo -en "Maximum days between password changes: [${def_pwd_max}] "
|
||||
read max_days
|
||||
|
||||
if test -z "${max_days}"
|
||||
then
|
||||
max_days="${def_pwd_max}"
|
||||
echo "Using ${max_days}"
|
||||
return
|
||||
fi
|
||||
|
||||
if ! expr "${max_days}" : '^[0-9]+$' &> /dev/null
|
||||
then
|
||||
echo "Please use numbers only."
|
||||
continue
|
||||
fi
|
||||
if test "${max_days}" -lt 7
|
||||
then
|
||||
echo "Warning: you are using a value shorter than a week."
|
||||
fi
|
||||
|
||||
def_pwd_max="${max_days}"
|
||||
return
|
||||
done
|
||||
}
|
||||
|
||||
read_min_valid_days() {
|
||||
echo
|
||||
while :
|
||||
do
|
||||
echo -en "Minimum days between password changes: [${def_pwd_min}] "
|
||||
read min_days
|
||||
|
||||
if test -z "${min_days}"
|
||||
then
|
||||
min_days="${def_pwd_min}"
|
||||
echo "Using ${min_days}"
|
||||
return
|
||||
fi
|
||||
|
||||
if ! expr "${min_days}" : '^[0-9]+$' &> /dev/null
|
||||
then
|
||||
echo "Please use numbers only."
|
||||
continue
|
||||
fi
|
||||
if test "${min_days}" -gt 7
|
||||
then
|
||||
echo "Warning: you are using a value longer than a week."
|
||||
fi
|
||||
|
||||
def_pwd_min="${min_days}"
|
||||
return
|
||||
done
|
||||
}
|
||||
|
||||
read_warning_days() {
|
||||
echo
|
||||
while :
|
||||
do
|
||||
echo -en "Number of warning days before password expires: [${def_pwd_warn}] "
|
||||
read warn_days
|
||||
|
||||
if test -z "${warn_days}"
|
||||
then
|
||||
warn_days="${def_pwd_warn}"
|
||||
echo "Using ${warn_days}"
|
||||
fi
|
||||
|
||||
if ! expr "${warn_days}" : '^[0-9]+$' &> /dev/null
|
||||
then
|
||||
echo "Please use numbers only."
|
||||
continue
|
||||
fi
|
||||
if test "${warn_days}" -gt 14
|
||||
then
|
||||
echo "Warning: you are using a value longer than two week."
|
||||
fi
|
||||
|
||||
def_pwd_warn="${warn_days}"
|
||||
return
|
||||
done
|
||||
}
|
||||
|
||||
|
||||
read_inactive_days() {
|
||||
echo
|
||||
while :
|
||||
do
|
||||
echo -en "Number of usable days after expiration: [${def_pwd_iact}] "
|
||||
read iact_days
|
||||
|
||||
if test -z "${iact_days}"
|
||||
then
|
||||
iact_days="${def_pwd_iact}"
|
||||
echo "Using ${iact_days}"
|
||||
return
|
||||
fi
|
||||
if ! expr "${iact_days}" : '^[0-9]+$' &> /dev/null
|
||||
then
|
||||
echo "Please use numbers only."
|
||||
continue
|
||||
fi
|
||||
if test "${iact_days}" -gt 14
|
||||
then
|
||||
echo "Warning: you are using a value that is more than two weeks."
|
||||
fi
|
||||
|
||||
def_pwd_iact="${iact_days}"
|
||||
return
|
||||
done
|
||||
}
|
||||
|
||||
read_expire_date() {
|
||||
local ans
|
||||
|
||||
echo
|
||||
while :
|
||||
do
|
||||
echo -en "Expire date of this account (mm/dd/yy): [${def_expire:-never}] "
|
||||
read ans
|
||||
|
||||
if test -z "${ans}"
|
||||
then
|
||||
if test -z "${def_expire}"
|
||||
then
|
||||
ans="never"
|
||||
else
|
||||
ans="${def_expire}"
|
||||
echo "Using ${def_expire}"
|
||||
fi
|
||||
fi
|
||||
|
||||
if test "${ans}" = "never"
|
||||
then
|
||||
echo "Account will never expire."
|
||||
def_expire=""
|
||||
expire=""
|
||||
return
|
||||
fi
|
||||
|
||||
if ! expr "${ans}" : '^[0-9][0-9]/[0-9][0-9]/[0-9][0-9]$' &> /dev/null
|
||||
then
|
||||
echo "Please use format mm/dd/yy"
|
||||
continue
|
||||
fi
|
||||
|
||||
if ! expire_date="$(date -d ${ans} '+%A, %B %d %Y')"
|
||||
then
|
||||
continue
|
||||
fi
|
||||
|
||||
def_expire="${expire}"
|
||||
return
|
||||
done
|
||||
}
|
||||
|
||||
read_passwd_yn() {
|
||||
echo -en "\nDo you want to set password [Y/n] ? "
|
||||
if read_yn 0
|
||||
then
|
||||
set_pwd="YES"
|
||||
else
|
||||
set_pwd=""
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
print_values() {
|
||||
|
||||
clear
|
||||
cat << EOM
|
||||
|
||||
Login: ${S}${login}${E}
|
||||
Group: ${S}${group}${E}
|
||||
Other groups: ${S}${other_groups:-[none]}${E}
|
||||
|
||||
Real Name: ${S}${name}${E}
|
||||
|
||||
uid: ${S}${uid:-[first free]}${E}
|
||||
home: ${S}${home}${E}
|
||||
shell: ${S}${shell}${E}
|
||||
|
||||
Account expiration date: ${S}${expire_date:-never}${E}
|
||||
Minimum days between password changes: ${S}${min_days}${E}
|
||||
Maximum days between password changes: ${S}${max_days}${E}
|
||||
Number of usable days after expiration: ${S}${iact_days}${E}
|
||||
Number of warning days before expiration: ${S}${warn_days}${E}
|
||||
|
||||
${S}${set_pwd:+Set password for this account.}${E}
|
||||
|
||||
EOM
|
||||
}
|
||||
|
||||
set_user() {
|
||||
if ! useradd \
|
||||
-c "${name}" \
|
||||
-d "${home}" \
|
||||
-g "${group}" \
|
||||
-s "${shell}" \
|
||||
${expire:+-e ${expire}} \
|
||||
${uid:+-u ${uid}} \
|
||||
${other_groups:+-G ${other_groups}} \
|
||||
${login}
|
||||
then
|
||||
echo "Error ($?) in useradd...exiting..."
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
set_aging() {
|
||||
if ! passwd \
|
||||
-x ${max_days} \
|
||||
-n ${min_days} \
|
||||
-w ${warn_days} \
|
||||
-i ${iact_days} \
|
||||
${login}
|
||||
then
|
||||
echo "Error ($?) in setting password aging...exiting..."
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
set_password() {
|
||||
if test -n "${set_pwd}"
|
||||
then
|
||||
echo
|
||||
passwd ${login}
|
||||
echo
|
||||
fi
|
||||
}
|
||||
|
||||
set_system() {
|
||||
if test -d "${home}"
|
||||
then
|
||||
echo "Directory ${home} already exists."
|
||||
echo "Skeleton files not copied."
|
||||
return
|
||||
fi
|
||||
|
||||
echo -n "Copying skeleton files..."
|
||||
(
|
||||
mkdir ${home}
|
||||
cd ${skel} && cp -af . ${home}
|
||||
chmod ${def_mode} ${home}
|
||||
chown -R ${login}:${group} ${home}
|
||||
)
|
||||
echo "done."
|
||||
|
||||
## Add your own stuff here:
|
||||
echo -n "Setting up other files..."
|
||||
(
|
||||
mailbox="/var/spool/mail/${login}"
|
||||
touch ${mailbox}
|
||||
chown "${login}:mail" ${mailbox}
|
||||
chmod 600 ${mailbox}
|
||||
)
|
||||
echo "done."
|
||||
}
|
||||
|
||||
|
||||
read_values() {
|
||||
clear
|
||||
echo -e "\nPlease answer the following questions about the new user to be added."
|
||||
|
||||
while :
|
||||
do
|
||||
read_login
|
||||
read_name
|
||||
read_group
|
||||
read_other_groups
|
||||
read_home
|
||||
read_shell
|
||||
read_uid
|
||||
read_expire_date
|
||||
read_max_valid_days
|
||||
read_min_valid_days
|
||||
read_warning_days
|
||||
read_inactive_days
|
||||
read_passwd_yn
|
||||
|
||||
print_values
|
||||
|
||||
echo -n "Is this correct [N/y] ? "
|
||||
read_yn 1 && return
|
||||
done
|
||||
}
|
||||
|
||||
|
||||
main() {
|
||||
check_root
|
||||
read_values
|
||||
set_user
|
||||
set_aging
|
||||
set_system
|
||||
set_password
|
||||
}
|
||||
|
||||
|
||||
## Run it 8-)
|
||||
main
|
||||
|
||||
# End.
|
||||
Executable
+85
@@ -0,0 +1,85 @@
|
||||
#!/usr/bin/perl
|
||||
#
|
||||
# Copyright (c) 1996 Brian R. Gaeke
|
||||
# All rights reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions
|
||||
# are met:
|
||||
# 1. Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
# 2. Redistributions in binary form must reproduce the above copyright
|
||||
# notice, this list of conditions and the following disclaimer in the
|
||||
# documentation and/or other materials provided with the distribution.
|
||||
# 3. All advertising materials mentioning features or use of this software
|
||||
# must display the following acknowledgement:
|
||||
# This product includes software developed by Brian R. Gaeke.
|
||||
# 4. The name of the author, Brian R. Gaeke, may not be used to endorse
|
||||
# or promote products derived from this software without specific
|
||||
# prior written permission.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY BRIAN R. GAEKE ``AS IS'' AND ANY EXPRESS
|
||||
# OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
||||
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
# DISCLAIMED. IN NO EVENT SHALL BRIAN R. GAEKE BE LIABLE FOR ANY DIRECT,
|
||||
# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
|
||||
# IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
# POSSIBILITY OF SUCH DAMAGE.
|
||||
#
|
||||
# Additionally:
|
||||
#
|
||||
# This software is provided without support and without any obligation
|
||||
# on the part of Brian R. Gaeke to assist in its use, correction,
|
||||
# modification or enhancement.
|
||||
#
|
||||
#######################################################################
|
||||
#
|
||||
# this is atudel, version 2, by Brian R. Gaeke <brg@dgate.org>
|
||||
#
|
||||
|
||||
require "getopts.pl";
|
||||
&Getopts('v');
|
||||
$username = shift(@ARGV);
|
||||
&usage unless $username;
|
||||
|
||||
sub usage
|
||||
{
|
||||
print STDERR "atudel - remove all at jobs owned by a user\n";
|
||||
print STDERR "usage: $0 [-v] username\n";
|
||||
exit(1);
|
||||
}
|
||||
|
||||
# odd. unless getpwnam($uname) doesn't seem to work for $uname eq "root" on
|
||||
# my linux system. but this does.
|
||||
die "user $username does not exist; stopping"
|
||||
unless defined(getpwnam($username));
|
||||
|
||||
print "searching for at jobs owned by user $username ..." if $opt_v;
|
||||
|
||||
chdir "/var/spool/atjobs" ||
|
||||
die "can't chdir to /var/spool/atjobs: $!\nstopping";
|
||||
opendir(DIR,".") || die "can't opendir(/var/spool/atjobs): $!\nstopping";
|
||||
@files = grep(!/^\./,grep(-f,readdir(DIR)));
|
||||
closedir DIR;
|
||||
|
||||
foreach $x (@files)
|
||||
{
|
||||
$owner = (getpwuid((stat($x))[4]))[0];
|
||||
push(@nuke_bait,$x) if $owner eq $username;
|
||||
}
|
||||
|
||||
if (@nuke_bait)
|
||||
{
|
||||
print "removed jobIDs: @{nuke_bait}.\n" if $opt_v;
|
||||
unlink @nuke_bait;
|
||||
}
|
||||
elsif ($opt_v)
|
||||
{
|
||||
print "\n";
|
||||
}
|
||||
|
||||
exit 0;
|
||||
@@ -0,0 +1,546 @@
|
||||
#!/bin/sh
|
||||
# This is a shell archive (produced by GNU sharutils 4.2.1).
|
||||
# To extract the files from this archive, save it to some FILE, remove
|
||||
# everything before the `!/bin/sh' line above, then type `sh FILE'.
|
||||
#
|
||||
# Made on 2000-05-25 14:41 CDT by <gk4@gnu.austin.ibm.com>.
|
||||
# Source directory was `/home/gk4/src/groupmem'.
|
||||
#
|
||||
# Existing files will *not* be overwritten unless `-c' is specified.
|
||||
#
|
||||
# This shar contains:
|
||||
# length mode name
|
||||
# ------ ---------- ------------------------------------------
|
||||
# 1960 -rw-r--r-- Makefile
|
||||
# 6348 -rw-r--r-- groupmems.c
|
||||
# 3372 -rw------- groupmems.8
|
||||
#
|
||||
save_IFS="${IFS}"
|
||||
IFS="${IFS}:"
|
||||
gettext_dir=FAILED
|
||||
locale_dir=FAILED
|
||||
first_param="$1"
|
||||
for dir in $PATH
|
||||
do
|
||||
if test "$gettext_dir" = FAILED && test -f $dir/gettext \
|
||||
&& ($dir/gettext --version >/dev/null 2>&1)
|
||||
then
|
||||
set `$dir/gettext --version 2>&1`
|
||||
if test "$3" = GNU
|
||||
then
|
||||
gettext_dir=$dir
|
||||
fi
|
||||
fi
|
||||
if test "$locale_dir" = FAILED && test -f $dir/shar \
|
||||
&& ($dir/shar --print-text-domain-dir >/dev/null 2>&1)
|
||||
then
|
||||
locale_dir=`$dir/shar --print-text-domain-dir`
|
||||
fi
|
||||
done
|
||||
IFS="$save_IFS"
|
||||
if test "$locale_dir" = FAILED || test "$gettext_dir" = FAILED
|
||||
then
|
||||
echo=echo
|
||||
else
|
||||
TEXTDOMAINDIR=$locale_dir
|
||||
export TEXTDOMAINDIR
|
||||
TEXTDOMAIN=sharutils
|
||||
export TEXTDOMAIN
|
||||
echo="$gettext_dir/gettext -s"
|
||||
fi
|
||||
if touch -am -t 200112312359.59 $$.touch >/dev/null 2>&1 && test ! -f 200112312359.59 -a -f $$.touch; then
|
||||
shar_touch='touch -am -t $1$2$3$4$5$6.$7 "$8"'
|
||||
elif touch -am 123123592001.59 $$.touch >/dev/null 2>&1 && test ! -f 123123592001.59 -a ! -f 123123592001.5 -a -f $$.touch; then
|
||||
shar_touch='touch -am $3$4$5$6$1$2.$7 "$8"'
|
||||
elif touch -am 1231235901 $$.touch >/dev/null 2>&1 && test ! -f 1231235901 -a -f $$.touch; then
|
||||
shar_touch='touch -am $3$4$5$6$2 "$8"'
|
||||
else
|
||||
shar_touch=:
|
||||
echo
|
||||
$echo 'WARNING: not restoring timestamps. Consider getting and'
|
||||
$echo "installing GNU \`touch', distributed in GNU File Utilities..."
|
||||
echo
|
||||
fi
|
||||
rm -f 200112312359.59 123123592001.59 123123592001.5 1231235901 $$.touch
|
||||
#
|
||||
if mkdir _sh10937; then
|
||||
$echo 'x -' 'creating lock directory'
|
||||
else
|
||||
$echo 'failed to create lock directory'
|
||||
exit 1
|
||||
fi
|
||||
# ============= Makefile ==============
|
||||
if test -f 'Makefile' && test "$first_param" != -c; then
|
||||
$echo 'x -' SKIPPING 'Makefile' '(file already exists)'
|
||||
else
|
||||
$echo 'x -' extracting 'Makefile' '(text)'
|
||||
sed 's/^X//' << 'SHAR_EOF' > 'Makefile' &&
|
||||
/*
|
||||
# Copyright 2000, International Business Machines, Inc.
|
||||
# All rights reserved.
|
||||
#
|
||||
# original author: George Kraft IV, gk4@us.ibm.com
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions
|
||||
# are met:
|
||||
#
|
||||
# 1. Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
# 2. Redistributions in binary form must reproduce the above copyright
|
||||
# notice, this list of conditions and the following disclaimer in the
|
||||
# documentation and/or other materials provided with the distribution.
|
||||
# 3. Neither the name of International Business Machines, Inc., nor the
|
||||
# names of its contributors may be used to endorse or promote products
|
||||
# derived from this software without specific prior written permission.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY INTERNATIONAL BUSINESS MACHINES, INC. AND
|
||||
# CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
|
||||
# BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
|
||||
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
|
||||
# INTERNATIONAL BUSINESS MACHINES, INC. OR CONTRIBUTORS BE LIABLE
|
||||
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
# SUCH DAMAGE.
|
||||
#
|
||||
X
|
||||
all: groupmems
|
||||
X
|
||||
groupmems: groupmems.c
|
||||
X cc -g -o groupmems groupmems.c -L. -lshadow
|
||||
X
|
||||
install: groupmems
|
||||
X -/usr/sbin/groupadd groups
|
||||
X install -o root -g groups -m 4770 groupmems /usr/bin
|
||||
X
|
||||
install.man: groupmems.8
|
||||
X install -o root -g root -m 644 groupmems.8 /usr/man/man8
|
||||
X
|
||||
SHAR_EOF
|
||||
(set 20 00 05 25 14 40 28 'Makefile'; eval "$shar_touch") &&
|
||||
chmod 0644 'Makefile' ||
|
||||
$echo 'restore of' 'Makefile' 'failed'
|
||||
if ( md5sum --help 2>&1 | grep 'sage: md5sum \[' ) >/dev/null 2>&1 \
|
||||
&& ( md5sum --version 2>&1 | grep -v 'textutils 1.12' ) >/dev/null; then
|
||||
md5sum -c << SHAR_EOF >/dev/null 2>&1 \
|
||||
|| $echo 'Makefile:' 'MD5 check failed'
|
||||
b46cf7ef8d59149093c011ced3f3103c Makefile
|
||||
SHAR_EOF
|
||||
else
|
||||
shar_count="`LC_ALL= LC_CTYPE= LANG= wc -c < 'Makefile'`"
|
||||
test 1960 -eq "$shar_count" ||
|
||||
$echo 'Makefile:' 'original size' '1960,' 'current size' "$shar_count!"
|
||||
fi
|
||||
fi
|
||||
# ============= groupmems.c ==============
|
||||
if test -f 'groupmems.c' && test "$first_param" != -c; then
|
||||
$echo 'x -' SKIPPING 'groupmems.c' '(file already exists)'
|
||||
else
|
||||
$echo 'x -' extracting 'groupmems.c' '(text)'
|
||||
sed 's/^X//' << 'SHAR_EOF' > 'groupmems.c' &&
|
||||
/*
|
||||
X * Copyright 2000, International Business Machines, Inc.
|
||||
X * All rights reserved.
|
||||
X *
|
||||
X * original author: George Kraft IV, gk4@us.ibm.com
|
||||
X *
|
||||
X * Redistribution and use in source and binary forms, with or without
|
||||
X * modification, are permitted provided that the following conditions
|
||||
X * are met:
|
||||
X *
|
||||
X * 1. Redistributions of source code must retain the above copyright
|
||||
X * notice, this list of conditions and the following disclaimer.
|
||||
X * 2. Redistributions in binary form must reproduce the above copyright
|
||||
X * notice, this list of conditions and the following disclaimer in the
|
||||
X * documentation and/or other materials provided with the distribution.
|
||||
X * 3. Neither the name of International Business Machines, Inc., nor the
|
||||
X * names of its contributors may be used to endorse or promote products
|
||||
X * derived from this software without specific prior written permission.
|
||||
X *
|
||||
X * THIS SOFTWARE IS PROVIDED BY INTERNATIONAL BUSINESS MACHINES, INC. AND
|
||||
X * CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
|
||||
X * BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
|
||||
X * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
|
||||
X * INTERNATIONAL BUSINESS MACHINES, INC. OR CONTRIBUTORS BE LIABLE
|
||||
X * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
X * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
X * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
X * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
X * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
X * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
X * SUCH DAMAGE.
|
||||
X */
|
||||
/*
|
||||
**
|
||||
** Utility "groupmem" adds and deletes members from a user's group.
|
||||
**
|
||||
** Setup (as "root"):
|
||||
**
|
||||
** groupadd -r groups
|
||||
** chmod 2770 groupmems
|
||||
** chown root.groups groupmems
|
||||
** groupmems -g groups -a gk4
|
||||
**
|
||||
** Usage (as "gk4"):
|
||||
**
|
||||
** groupmems -a olive
|
||||
** groupmems -a jordan
|
||||
** groupmems -a meghan
|
||||
** groupmems -a morgan
|
||||
** groupmems -a jake
|
||||
** groupmems -l
|
||||
** groupmems -d jake
|
||||
** groupmems -l
|
||||
*/
|
||||
X
|
||||
#include <stdio.h>
|
||||
#include <pwd.h>
|
||||
#include <grp.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
#include <fcntl.h>
|
||||
#include "defines.h"
|
||||
#include "groupio.h"
|
||||
X
|
||||
/* Exit Status Values */
|
||||
X
|
||||
#define EXIT_SUCCESS 0 /* success */
|
||||
#define EXIT_USAGE 1 /* invalid command syntax */
|
||||
#define EXIT_GROUP_FILE 2 /* group file access problems */
|
||||
#define EXIT_NOT_ROOT 3 /* not superuser */
|
||||
#define EXIT_NOT_EROOT 4 /* not effective superuser */
|
||||
#define EXIT_NOT_PRIMARY 5 /* not primary owner of group */
|
||||
#define EXIT_NOT_MEMBER 6 /* member of group does not exist */
|
||||
#define EXIT_MEMBER_EXISTS 7 /* member of group already exists */
|
||||
X
|
||||
#define TRUE 1
|
||||
#define FALSE 0
|
||||
X
|
||||
/* Globals */
|
||||
X
|
||||
extern int optind;
|
||||
extern char *optarg;
|
||||
static char *adduser = NULL;
|
||||
static char *deluser = NULL;
|
||||
static char *thisgroup = NULL;
|
||||
static int purge = FALSE;
|
||||
static int list = FALSE;
|
||||
static int exclusive = 0;
|
||||
X
|
||||
static int isroot(void) {
|
||||
X return getuid() ? FALSE : TRUE;
|
||||
}
|
||||
X
|
||||
static int isgroup(void) {
|
||||
X gid_t g = getgid();
|
||||
X struct group *grp = getgrgid(g);
|
||||
X
|
||||
X return TRUE;
|
||||
}
|
||||
X
|
||||
static char *whoami(void) {
|
||||
X struct group *grp = getgrgid(getgid());
|
||||
X struct passwd *usr = getpwuid(getuid());
|
||||
X
|
||||
X if (0 == strcmp(usr->pw_name, grp->gr_name)) {
|
||||
X return (char *)strdup(usr->pw_name);
|
||||
X } else {
|
||||
X return NULL;
|
||||
X }
|
||||
}
|
||||
X
|
||||
static void
|
||||
addtogroup(char *user, char **members) {
|
||||
X int i;
|
||||
X char **pmembers;
|
||||
X
|
||||
X for (i = 0; NULL != members[i]; i++ ) {
|
||||
X if (0 == strcmp(user, members[i])) {
|
||||
X fprintf(stderr, "Member already exists\n");
|
||||
X exit(EXIT_MEMBER_EXISTS);
|
||||
X }
|
||||
X }
|
||||
X
|
||||
X if (0 == i) {
|
||||
X pmembers = (char **)calloc(2, sizeof(char *));
|
||||
X } else {
|
||||
X pmembers = (char **)realloc(members, sizeof(char *)*(i+1));
|
||||
X }
|
||||
X
|
||||
X *members = *pmembers;
|
||||
X members[i] = user;
|
||||
X members[i+1] = NULL;
|
||||
}
|
||||
X
|
||||
static void
|
||||
rmfromgroup(char *user, char **members) {
|
||||
X int i;
|
||||
X int found = FALSE;
|
||||
X
|
||||
X i = 0;
|
||||
X while (!found && NULL != members[i]) {
|
||||
X if (0 == strcmp(user, members[i])) {
|
||||
X found = TRUE;
|
||||
X } else {
|
||||
X i++;
|
||||
X }
|
||||
X }
|
||||
X
|
||||
X while (found && NULL != members[i]) {
|
||||
X members[i] = members[++i];
|
||||
X }
|
||||
X
|
||||
X if (!found) {
|
||||
X fprintf(stderr, "Member to remove could not be found\n");
|
||||
X exit(EXIT_NOT_MEMBER);
|
||||
X }
|
||||
}
|
||||
X
|
||||
static void
|
||||
nomembers(char **members) {
|
||||
X int i;
|
||||
X
|
||||
X for (i = 0; NULL != members[i]; i++ ) {
|
||||
X members[i] = NULL;
|
||||
X }
|
||||
}
|
||||
X
|
||||
static void
|
||||
members(char **members) {
|
||||
X int i;
|
||||
X
|
||||
X for (i = 0; NULL != members[i]; i++ ) {
|
||||
X printf("%s ", members[i]);
|
||||
X
|
||||
X if (NULL == members[i+1]) {
|
||||
X printf("\n");
|
||||
X } else {
|
||||
X printf(" ");
|
||||
X }
|
||||
X }
|
||||
}
|
||||
X
|
||||
static void usage(void) {
|
||||
X fprintf(stderr, "usage: groupmems -a username | -d username | -D | -l [-g groupname]\n");
|
||||
X exit(EXIT_USAGE);
|
||||
}
|
||||
X
|
||||
main(int argc, char **argv) {
|
||||
X int arg, i;
|
||||
X char *name;
|
||||
X struct group *grp;
|
||||
X
|
||||
X while ((arg = getopt(argc, argv, "a:d:g:Dl")) != EOF) {
|
||||
X switch (arg) {
|
||||
X case 'a':
|
||||
X adduser = strdup(optarg);
|
||||
X ++exclusive;
|
||||
X break;
|
||||
X case 'd':
|
||||
X deluser = strdup(optarg);
|
||||
X ++exclusive;
|
||||
X break;
|
||||
X case 'g':
|
||||
X thisgroup = strdup(optarg);
|
||||
X break;
|
||||
X case 'D':
|
||||
X purge = TRUE;
|
||||
X ++exclusive;
|
||||
X break;
|
||||
X case 'l':
|
||||
X list = TRUE;
|
||||
X ++exclusive;
|
||||
X break;
|
||||
X default:
|
||||
X usage();
|
||||
X }
|
||||
X }
|
||||
X
|
||||
X if (exclusive > 1 || optind < argc) {
|
||||
X usage();
|
||||
X }
|
||||
X
|
||||
X if (!isroot() && NULL != thisgroup) {
|
||||
X fprintf(stderr, "Only root can add members to different groups\n");
|
||||
X exit(EXIT_NOT_ROOT);
|
||||
X } else if (isroot() && NULL != thisgroup) {
|
||||
X name = thisgroup;
|
||||
X } else if (!isgroup()) {
|
||||
X fprintf(stderr, "Group access is required\n");
|
||||
X exit(EXIT_NOT_EROOT);
|
||||
X } else if (NULL == (name = whoami())) {
|
||||
X fprintf(stderr, "Not primary owner of current group\n");
|
||||
X exit(EXIT_NOT_PRIMARY);
|
||||
X }
|
||||
X
|
||||
X if (!gr_lock()) {
|
||||
X fprintf(stderr, "Unable to lock group file\n");
|
||||
X exit(EXIT_GROUP_FILE);
|
||||
X }
|
||||
X
|
||||
X if (!gr_open(O_RDWR)) {
|
||||
X fprintf(stderr, "Unable to open group file\n");
|
||||
X exit(EXIT_GROUP_FILE);
|
||||
X }
|
||||
X
|
||||
X grp = (struct group *)gr_locate(name);
|
||||
X
|
||||
X if (NULL != adduser) {
|
||||
X addtogroup(adduser, grp->gr_mem);
|
||||
X gr_update(grp);
|
||||
X } else if (NULL != deluser) {
|
||||
X rmfromgroup(deluser, grp->gr_mem);
|
||||
X gr_update(grp);
|
||||
X } else if (purge) {
|
||||
X nomembers(grp->gr_mem);
|
||||
X gr_update(grp);
|
||||
X } else if (list) {
|
||||
X members(grp->gr_mem);
|
||||
X }
|
||||
X
|
||||
X if (!gr_close()) {
|
||||
X fprintf(stderr, "Cannot close group file\n");
|
||||
X exit(EXIT_GROUP_FILE);
|
||||
X }
|
||||
X
|
||||
X gr_unlock();
|
||||
X
|
||||
X exit(EXIT_SUCCESS);
|
||||
}
|
||||
X
|
||||
/* EOF */
|
||||
SHAR_EOF
|
||||
(set 20 00 05 25 14 36 38 'groupmems.c'; eval "$shar_touch") &&
|
||||
chmod 0644 'groupmems.c' ||
|
||||
$echo 'restore of' 'groupmems.c' 'failed'
|
||||
if ( md5sum --help 2>&1 | grep 'sage: md5sum \[' ) >/dev/null 2>&1 \
|
||||
&& ( md5sum --version 2>&1 | grep -v 'textutils 1.12' ) >/dev/null; then
|
||||
md5sum -c << SHAR_EOF >/dev/null 2>&1 \
|
||||
|| $echo 'groupmems.c:' 'MD5 check failed'
|
||||
f0dd68f8d762d89d24d3ce1f4141f981 groupmems.c
|
||||
SHAR_EOF
|
||||
else
|
||||
shar_count="`LC_ALL= LC_CTYPE= LANG= wc -c < 'groupmems.c'`"
|
||||
test 6348 -eq "$shar_count" ||
|
||||
$echo 'groupmems.c:' 'original size' '6348,' 'current size' "$shar_count!"
|
||||
fi
|
||||
fi
|
||||
# ============= groupmems.8 ==============
|
||||
if test -f 'groupmems.8' && test "$first_param" != -c; then
|
||||
$echo 'x -' SKIPPING 'groupmems.8' '(file already exists)'
|
||||
else
|
||||
$echo 'x -' extracting 'groupmems.8' '(text)'
|
||||
sed 's/^X//' << 'SHAR_EOF' > 'groupmems.8' &&
|
||||
X.\"
|
||||
X.\" Copyright 2000, International Business Machines, Inc.
|
||||
X.\" All rights reserved.
|
||||
X.\"
|
||||
X.\" original author: George Kraft IV, gk4@us.ibm.com
|
||||
X.\"
|
||||
X.\" Redistribution and use in source and binary forms, with or without
|
||||
X.\" modification, are permitted provided that the following conditions
|
||||
X.\" are met:
|
||||
X.\"
|
||||
X.\" 1. Redistributions of source code must retain the above copyright
|
||||
X.\" notice, this list of conditions and the following disclaimer.
|
||||
X.\" 2. Redistributions in binary form must reproduce the above copyright
|
||||
X.\" notice, this list of conditions and the following disclaimer in the
|
||||
X.\" documentation and/or other materials provided with the distribution.
|
||||
X.\" 3. Neither the name of International Business Machines, Inc., nor the
|
||||
X.\" names of its contributors may be used to endorse or promote products
|
||||
X.\" derived from this software without specific prior written permission.
|
||||
X.\"
|
||||
X.\" THIS SOFTWARE IS PROVIDED BY INTERNATIONAL BUSINESS MACHINES, INC. AND
|
||||
X.\" CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
|
||||
X.\" BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
|
||||
X.\" FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
|
||||
X.\" INTERNATIONAL BUSINESS MACHINES, INC. OR CONTRIBUTORS BE LIABLE
|
||||
X.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
X.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
X.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
X.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
X.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
X.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
X.\" SUCH DAMAGE.
|
||||
X.\"
|
||||
X.\" $Id$
|
||||
X.\"
|
||||
X.TH GROUPMEMS 8
|
||||
X.SH NAME
|
||||
groupmems \- Administer members of a user's primary group
|
||||
X.SH SYNOPSIS
|
||||
X.B groupmems
|
||||
\fB-a\fI user_name \fR |
|
||||
\fB-d\fI user_name \fR |
|
||||
\fB-l\fR |
|
||||
\fB-D\fR |
|
||||
[\fB-g\fI group_name \fR]
|
||||
X.SH DESCRIPTION
|
||||
The \fBgroupmems\fR utility allows a user to administer his/her own
|
||||
group membership list without the requirement of superuser privileges.
|
||||
The \fBgroupmems\fR utility is for systems that configure its users to
|
||||
be in their own name sake primary group (i.e., guest / guest).
|
||||
X.P
|
||||
Only the superuser, as administrator, can use \fBgroupmems\fR to alter
|
||||
the memberships of other groups.
|
||||
X.IP "\fB-a \fIuser_name\fR"
|
||||
Add a new user to the group membership list.
|
||||
X.IP "\fB-d \fIuser_name\fR"
|
||||
Delete a user from the group membership list.
|
||||
X.IP "\fB-l\fR"
|
||||
List the group membership list.
|
||||
X.IP "\fB-D\fR"
|
||||
Delete all users from the group membership list.
|
||||
X.IP "\fB-g \fIgroup_name\fR"
|
||||
The superuser can specify which group membership list to modify.
|
||||
X.SH SETUP
|
||||
The \fBgroupmems\fR executable should be in mode \fB2770\fR as user \fBroot\fR
|
||||
and in group \fBgroups\fR. The system administrator can add users to
|
||||
group groups to allow or disallow them using the \fBgroupmems\fR utility
|
||||
to manager their own group membership list.
|
||||
X.P
|
||||
X $ groupadd -r groups
|
||||
X.br
|
||||
X $ chmod 2770 groupmems
|
||||
X.br
|
||||
X $ chown root.groups groupmems
|
||||
X.br
|
||||
X $ groupmems -g groups -a gk4
|
||||
X.SH FILES
|
||||
/etc/group
|
||||
X.br
|
||||
/etc/gshadow
|
||||
X.SH SEE ALSO
|
||||
X.BR chfn (1),
|
||||
X.BR chsh (1),
|
||||
X.BR useradd (8),
|
||||
X.BR userdel (8),
|
||||
X.BR usermod (8),
|
||||
X.BR passwd (1),
|
||||
X.BR groupadd (8),
|
||||
X.BR groupdel (8)
|
||||
X.SH AUTHOR
|
||||
George Kraft IV (gk4@us.ibm.com)
|
||||
X.\" EOF
|
||||
SHAR_EOF
|
||||
(set 20 00 05 25 14 38 23 'groupmems.8'; eval "$shar_touch") &&
|
||||
chmod 0600 'groupmems.8' ||
|
||||
$echo 'restore of' 'groupmems.8' 'failed'
|
||||
if ( md5sum --help 2>&1 | grep 'sage: md5sum \[' ) >/dev/null 2>&1 \
|
||||
&& ( md5sum --version 2>&1 | grep -v 'textutils 1.12' ) >/dev/null; then
|
||||
md5sum -c << SHAR_EOF >/dev/null 2>&1 \
|
||||
|| $echo 'groupmems.8:' 'MD5 check failed'
|
||||
181e6cd3a3c9d3df320197fa2cde2b4a groupmems.8
|
||||
SHAR_EOF
|
||||
else
|
||||
shar_count="`LC_ALL= LC_CTYPE= LANG= wc -c < 'groupmems.8'`"
|
||||
test 3372 -eq "$shar_count" ||
|
||||
$echo 'groupmems.8:' 'original size' '3372,' 'current size' "$shar_count!"
|
||||
fi
|
||||
fi
|
||||
rm -fr _sh10937
|
||||
exit 0
|
||||
@@ -0,0 +1,308 @@
|
||||
/*
|
||||
* pwdauth.c - program to verify a given username/password pair.
|
||||
*
|
||||
* Run it with username in argv[1] (may be omitted - default is the
|
||||
* current user), and send it the password over a pipe on stdin.
|
||||
* Exit status: 0 - correct password, 1 - wrong password, >1 - other
|
||||
* errors. For use with shadow passwords, this program should be
|
||||
* installed setuid root.
|
||||
*
|
||||
* This can be used, for example, by xlock - you don't have to install
|
||||
* this large and complex (== possibly insecure) program setuid root,
|
||||
* just modify it to run this simple program to do the authentication.
|
||||
*
|
||||
* Recent versions (xlockmore-3.9) are cleaner, and drop privileges as
|
||||
* soon as possible after getting the user's encrypted password.
|
||||
* Using this program probably doesn't make it more secure, and has one
|
||||
* disadvantage: since we don't get the encrypted user's password at
|
||||
* startup (but at the time the user is authenticated), it is not clear
|
||||
* how we should handle errors (like getpwnam() returning NULL).
|
||||
* - fail the authentication? Problem: no way to unlock (other than kill
|
||||
* the process from somewhere else) if the NIS server stops responding.
|
||||
* - succeed and unlock? Problem: it's too easy to unlock by unplugging
|
||||
* the box from the network and waiting until NIS times out...
|
||||
*
|
||||
* This program is Copyright (C) 1996 Marek Michalkiewicz
|
||||
* <marekm@i17linuxb.ists.pwr.wroc.pl>.
|
||||
*
|
||||
* It may be used and distributed freely for any purposes. There is no
|
||||
* warranty - use at your own risk. I am not liable for any damages etc.
|
||||
* If you improve it, please send me your changes.
|
||||
*/
|
||||
|
||||
static char rcsid[] = "$Id$";
|
||||
|
||||
/*
|
||||
* Define USE_SYSLOG to use syslog() to log successful and failed
|
||||
* authentication. This should be safe even if your system has
|
||||
* the infamous syslog buffer overrun security problem...
|
||||
*/
|
||||
#define USE_SYSLOG
|
||||
|
||||
/*
|
||||
* Define HAVE_GETSPNAM to get shadow passwords using getspnam().
|
||||
* Some systems don't have getspnam(), but getpwnam() returns
|
||||
* encrypted passwords only if running as root.
|
||||
*
|
||||
* According to the xlock source (not tested, except Linux) -
|
||||
* define: Linux, Solaris 2.x, SVR4, ...
|
||||
* undef: HP-UX with Secured Passwords, FreeBSD, NetBSD, QNX.
|
||||
* Known not supported (yet): Ultrix, OSF/1, SCO.
|
||||
*/
|
||||
#define HAVE_GETSPNAM
|
||||
|
||||
/*
|
||||
* Define HAVE_PW_ENCRYPT to use pw_encrypt() instead of crypt().
|
||||
* pw_encrypt() is like the standard crypt(), except that it may
|
||||
* support better password hashing algorithms.
|
||||
*
|
||||
* Define if linking with libshadow.a from the shadow password
|
||||
* suite (Linux, SunOS 4.x?).
|
||||
*/
|
||||
#undef HAVE_PW_ENCRYPT
|
||||
|
||||
/*
|
||||
* Define HAVE_AUTH_METHODS to support the shadow suite specific
|
||||
* extension: the encrypted password field contains a list of
|
||||
* administrator defined authentication methods, separated by
|
||||
* semicolons. This program only supports the standard password
|
||||
* authentication method (a string that doesn't start with '@').
|
||||
*/
|
||||
#undef HAVE_AUTH_METHODS
|
||||
|
||||
/*
|
||||
* FAIL_DELAY - number of seconds to sleep before exiting if the
|
||||
* password was wrong, to slow down password guessing attempts.
|
||||
*/
|
||||
#define FAIL_DELAY 2
|
||||
|
||||
/* No user-serviceable parts below :-). */
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/wait.h>
|
||||
#include <unistd.h>
|
||||
#include <pwd.h>
|
||||
|
||||
#ifdef USE_SYSLOG
|
||||
#include <syslog.h>
|
||||
#ifndef LOG_AUTHPRIV
|
||||
#define LOG_AUTHPRIV LOG_AUTH
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_GETSPNAM
|
||||
#include <shadow.h>
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_PW_ENCRYPT
|
||||
extern char *pw_encrypt();
|
||||
#define crypt pw_encrypt
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Read the password (one line) from fp. We don't turn off echo
|
||||
* because we expect input from a pipe.
|
||||
*/
|
||||
static char *
|
||||
get_line(fp)
|
||||
FILE *fp;
|
||||
{
|
||||
static char buf[128];
|
||||
char *cp;
|
||||
int ch;
|
||||
|
||||
cp = buf;
|
||||
while ((ch = getc(fp)) != EOF && ch != '\0' && ch != '\n') {
|
||||
if (cp >= buf + sizeof buf - 1)
|
||||
break;
|
||||
*cp++ = ch;
|
||||
}
|
||||
*cp = '\0';
|
||||
return buf;
|
||||
}
|
||||
|
||||
/*
|
||||
* Get the password file entry for the current user. If the name
|
||||
* returned by getlogin() is correct (matches the current real uid),
|
||||
* return the entry for that user. Otherwise, return the entry (if
|
||||
* any) matching the current real uid. Return NULL on failure.
|
||||
*/
|
||||
static struct passwd *
|
||||
get_my_pwent()
|
||||
{
|
||||
uid_t uid = getuid();
|
||||
char *name = getlogin();
|
||||
|
||||
if (name && *name) {
|
||||
struct passwd *pw = getpwnam(name);
|
||||
|
||||
if (pw && pw->pw_uid == uid)
|
||||
return pw;
|
||||
}
|
||||
return getpwuid(uid);
|
||||
}
|
||||
|
||||
/*
|
||||
* Verify the password. The system-dependent shadow support is here.
|
||||
*/
|
||||
static int
|
||||
password_auth_ok(pw, pass)
|
||||
const struct passwd *pw;
|
||||
const char *pass;
|
||||
{
|
||||
int result;
|
||||
char *cp;
|
||||
#ifdef HAVE_AUTH_METHODS
|
||||
char *buf;
|
||||
#endif
|
||||
#ifdef HAVE_GETSPNAM
|
||||
struct spwd *sp;
|
||||
#endif
|
||||
|
||||
if (pw) {
|
||||
#ifdef HAVE_GETSPNAM
|
||||
sp = getspnam(pw->pw_name);
|
||||
if (sp)
|
||||
cp = sp->sp_pwdp;
|
||||
else
|
||||
#endif
|
||||
cp = pw->pw_passwd;
|
||||
} else
|
||||
cp = "xx";
|
||||
|
||||
#ifdef HAVE_AUTH_METHODS
|
||||
buf = strdup(cp); /* will be modified by strtok() */
|
||||
if (!buf) {
|
||||
fprintf(stderr, "Out of memory.\n");
|
||||
exit(13);
|
||||
}
|
||||
cp = strtok(buf, ";");
|
||||
while (cp && *cp == '@')
|
||||
cp = strtok(NULL, ";");
|
||||
|
||||
/* fail if no password authentication for this user */
|
||||
if (!cp)
|
||||
cp = "xx";
|
||||
#endif
|
||||
|
||||
if (*pass || *cp)
|
||||
result = (strcmp(crypt(pass, cp), cp) == 0);
|
||||
else
|
||||
result = 1; /* user with no password */
|
||||
|
||||
#ifdef HAVE_AUTH_METHODS
|
||||
free(buf);
|
||||
#endif
|
||||
return result;
|
||||
}
|
||||
|
||||
/*
|
||||
* Main program.
|
||||
*/
|
||||
int
|
||||
main(argc, argv)
|
||||
int argc;
|
||||
char **argv;
|
||||
{
|
||||
struct passwd *pw;
|
||||
char *pass, *name;
|
||||
char myname[32];
|
||||
|
||||
#ifdef USE_SYSLOG
|
||||
openlog("pwdauth", LOG_PID | LOG_CONS, LOG_AUTHPRIV);
|
||||
#endif
|
||||
pw = get_my_pwent();
|
||||
if (!pw) {
|
||||
#ifdef USE_SYSLOG
|
||||
syslog(LOG_ERR, "can't get login name for uid %d.\n",
|
||||
(int) getuid());
|
||||
#endif
|
||||
fprintf(stderr, "Who are you?\n");
|
||||
exit(2);
|
||||
}
|
||||
strncpy(myname, pw->pw_name, sizeof myname - 1);
|
||||
myname[sizeof myname - 1] = '\0';
|
||||
name = myname;
|
||||
|
||||
if (argc > 1) {
|
||||
name = argv[1];
|
||||
pw = getpwnam(name);
|
||||
}
|
||||
|
||||
pass = get_line(stdin);
|
||||
if (password_auth_ok(pw, pass)) {
|
||||
#ifdef USE_SYSLOG
|
||||
syslog(pw->pw_uid ? LOG_INFO : LOG_NOTICE,
|
||||
"user `%s' entered correct password for `%.32s'.\n",
|
||||
myname, name);
|
||||
#endif
|
||||
exit(0);
|
||||
}
|
||||
#ifdef USE_SYSLOG
|
||||
/* be careful not to overrun the syslog buffer */
|
||||
syslog((!pw || pw->pw_uid) ? LOG_NOTICE : LOG_WARNING,
|
||||
"user `%s' entered incorrect password for `%.32s'.\n",
|
||||
myname, name);
|
||||
#endif
|
||||
#ifdef FAIL_DELAY
|
||||
sleep(FAIL_DELAY);
|
||||
#endif
|
||||
fprintf(stderr, "Wrong password.\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
#if 0
|
||||
/*
|
||||
* You can use code similar to the following to run this program.
|
||||
* Return values: >=0 - program exit status (use the <sys/wait.h>
|
||||
* macros to get the exit code, it is shifted left by 8 bits),
|
||||
* -1 - check errno.
|
||||
*/
|
||||
int
|
||||
verify_password(const char *username, const char *password)
|
||||
{
|
||||
int pipe_fd[2];
|
||||
int pid, wpid, status;
|
||||
|
||||
if (pipe(pipe_fd))
|
||||
return -1;
|
||||
|
||||
if ((pid = fork()) == 0) {
|
||||
char *arg[3];
|
||||
char *env[1];
|
||||
|
||||
/* child */
|
||||
close(pipe_fd[1]);
|
||||
if (pipe_fd[0] != 0) {
|
||||
if (dup2(pipe_fd[0], 0) != 0)
|
||||
_exit(127);
|
||||
close(pipe_fd[0]);
|
||||
}
|
||||
arg[0] = "/usr/bin/pwdauth";
|
||||
arg[1] = username;
|
||||
arg[2] = NULL;
|
||||
env[0] = NULL;
|
||||
execve(arg[0], arg, env);
|
||||
_exit(127);
|
||||
} else if (pid == -1) {
|
||||
/* error */
|
||||
close(pipe_fd[0]);
|
||||
close(pipe_fd[1]);
|
||||
return -1;
|
||||
}
|
||||
/* parent */
|
||||
close(pipe_fd[0]);
|
||||
write(pipe_fd[1], password, strlen(password));
|
||||
write(pipe_fd[1], "\n", 1);
|
||||
close(pipe_fd[1]);
|
||||
|
||||
while ((wpid = wait(&status)) != pid) {
|
||||
if (wpid == -1)
|
||||
return -1;
|
||||
}
|
||||
return status;
|
||||
}
|
||||
#endif
|
||||
@@ -0,0 +1,147 @@
|
||||
Hello Marek,
|
||||
|
||||
I have created a diffile against the 980403 release that adds
|
||||
functionality to newusers for automatic handling of users with only
|
||||
anonomous ftp login (using the guestgroup feature in ftpaccess, which
|
||||
means that the users home directory looks like '/home/user/./'). It also
|
||||
adds a commandline argument to specify an initial directory structure
|
||||
for such users, with a tarball normally containing the bin,lib,etc
|
||||
directories used in the chrooted environment.
|
||||
|
||||
I am using it to automatically create chunks of users with only ftp
|
||||
access for a webserver.
|
||||
|
||||
I have tried to follow your coding standards and I believe it is bug
|
||||
free but.. well, who knows. :) It's not much code however.
|
||||
|
||||
I hope you find it useful. Do what you like with it, feel free to ask if
|
||||
anything is unclear.
|
||||
|
||||
Best rgds,
|
||||
Calle Karlsson
|
||||
ckn@kash.se
|
||||
|
||||
diff -uNr shadow-980403.orig/src/newusers.c shadow-980403/src/newusers.c
|
||||
--- shadow-980403.orig/src/newusers.c Fri Jan 30 00:22:43 1998
|
||||
+++ shadow-980403/src/newusers.c Fri Apr 17 16:55:33 1998
|
||||
@@ -76,11 +76,35 @@
|
||||
static void
|
||||
usage(void)
|
||||
{
|
||||
- fprintf(stderr, "Usage: %s [ input ]\n", Prog);
|
||||
+ fprintf (stderr, "Usage: %s [-p prototype tarfile] [ input ]\n", Prog);
|
||||
+ fprintf (stderr, "The prototype tarfile is only used for users\n");
|
||||
+ fprintf (stderr, "marked as anonymous ftp users. It must be a full pathname.\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
/*
|
||||
+ * createuserdir - create a directory and chmod it
|
||||
+ */
|
||||
+
|
||||
+static int
|
||||
+createuserdir (char * dir, int uid, int gid, int line)
|
||||
+{
|
||||
+ if (mkdir (dir, 0777 & ~getdef_num("UMASK", 077))) {
|
||||
+ fprintf (stderr, "%s: line %d: mkdir %s failed\n",
|
||||
+ Prog, line, dir);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ if (chown (dir, uid, gid)) {
|
||||
+ fprintf (stderr, "%s: line %d: chown %s failed\n",
|
||||
+ Prog, line, dir);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
* add_group - create a new group or add a user to an existing group
|
||||
*/
|
||||
|
||||
@@ -328,6 +352,8 @@
|
||||
main(int argc, char **argv)
|
||||
{
|
||||
char buf[BUFSIZ];
|
||||
+ char anonproto[BUFSIZ];
|
||||
+ int flag;
|
||||
char *fields[8];
|
||||
int nfields;
|
||||
char *cp;
|
||||
@@ -340,12 +366,23 @@
|
||||
|
||||
Prog = Basename(argv[0]);
|
||||
|
||||
- if (argc > 1 && argv[1][0] == '-')
|
||||
- usage ();
|
||||
+ * anonproto = '\0';
|
||||
+
|
||||
+ while ((flag = getopt (argc, argv, "p:h")) != EOF) {
|
||||
+ switch (flag) {
|
||||
+ case 'p':
|
||||
+ STRFCPY(anonproto, optarg);
|
||||
+ break;
|
||||
+ case 'h':
|
||||
+ default:
|
||||
+ usage ();
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
|
||||
- if (argc == 2) {
|
||||
- if (! freopen (argv[1], "r", stdin)) {
|
||||
- snprintf(buf, sizeof buf, "%s: %s", Prog, argv[1]);
|
||||
+ if (optind < argc) {
|
||||
+ if (! freopen (argv[optind], "r", stdin)) {
|
||||
+ snprintf(buf, sizeof buf, "%s: %s", Prog, argv[optind]);
|
||||
perror (buf);
|
||||
exit (1);
|
||||
}
|
||||
@@ -499,15 +536,36 @@
|
||||
if (fields[6][0])
|
||||
newpw.pw_shell = fields[6];
|
||||
|
||||
- if (newpw.pw_dir[0] && access(newpw.pw_dir, F_OK)) {
|
||||
- if (mkdir (newpw.pw_dir,
|
||||
- 0777 & ~getdef_num("UMASK", 077)))
|
||||
- fprintf (stderr, "%s: line %d: mkdir failed\n",
|
||||
- Prog, line);
|
||||
- else if (chown (newpw.pw_dir,
|
||||
- newpw.pw_uid, newpw.pw_gid))
|
||||
- fprintf (stderr, "%s: line %d: chown failed\n",
|
||||
- Prog, line);
|
||||
+ if (newpw.pw_dir[0]) {
|
||||
+ char * userdir = strdup (newpw.pw_dir);
|
||||
+ char * anonpart;
|
||||
+ int rc;
|
||||
+
|
||||
+ if ((anonpart = strstr (userdir, "/./"))) {
|
||||
+ * anonpart = '\0';
|
||||
+ anonpart += 2;
|
||||
+ }
|
||||
+
|
||||
+ if (access(userdir, F_OK))
|
||||
+ rc = createuserdir (userdir, newpw.pw_uid, newpw.pw_gid, line);
|
||||
+ else
|
||||
+ rc = 0;
|
||||
+
|
||||
+ if (rc == 0 && anonpart) {
|
||||
+ if (* anonproto) {
|
||||
+ char cmdbuf [BUFSIZ];
|
||||
+ snprintf(cmdbuf, sizeof cmdbuf,
|
||||
+ "cd %s; tar xf %s",
|
||||
+ userdir, anonproto);
|
||||
+ system (cmdbuf);
|
||||
+ }
|
||||
+ if (strlen (anonpart) > 1) {
|
||||
+ strcat (userdir, anonpart);
|
||||
+ if (access (userdir, F_OK))
|
||||
+ createuserdir (userdir, newpw.pw_uid, newpw.pw_gid, line);
|
||||
+ }
|
||||
+ }
|
||||
+ free (userdir);
|
||||
}
|
||||
|
||||
/*
|
||||
Binary file not shown.
Vendored
+16
@@ -0,0 +1,16 @@
|
||||
PKG=shadow
|
||||
SITE=ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/
|
||||
|
||||
deb:: check_cheese
|
||||
|
||||
include /usr/share/quilt/quilt.debbuild.mk
|
||||
|
||||
check_cheese:
|
||||
@dpkg-parsechangelog | grep -q "\* The \".*\".* release\." || { \
|
||||
echo ""; \
|
||||
echo " ** **"; \
|
||||
echo " ** Warning: not a cheesy release! **"; \
|
||||
echo " ** **"; \
|
||||
echo ""; \
|
||||
exit 1; \
|
||||
}
|
||||
Vendored
+36
@@ -0,0 +1,36 @@
|
||||
shadow (1:4.0.15-5) unstable; urgency=low
|
||||
|
||||
* commands passed in argument to su must use su's -c option and must quote
|
||||
the command if it contains a space, as in:
|
||||
su - root -c "ls -l /"
|
||||
The following commands won't work anymore:
|
||||
su - root -c ls -l /
|
||||
su - root "ls -l /"
|
||||
su - root ls -l /
|
||||
|
||||
-- Christian Perrier <bubulle@debian.org> Sat, 8 Apr 2006 20:11:38 +0200
|
||||
|
||||
shadow (1:4.0.14-1) unstable; urgency=low
|
||||
|
||||
* passwd does not support the -f, -s, and -g options anymore. You should use
|
||||
the chfn, chsh and gpasswd utilities instead.
|
||||
* login now distributes the nologin utility, which can be used as a shell
|
||||
to politely refuse a login
|
||||
|
||||
-- Christian Perrier <bubulle@debian.org> Thu, 5 Jan 2006 08:47:44 +0100
|
||||
|
||||
shadow (1:4.0.12-1) unstable; urgency=low
|
||||
|
||||
CLOSE_SESSIONS and other variables are not used anymore in
|
||||
/etc/login/defs.
|
||||
As shadow utilities which use this file now warn about unknown
|
||||
entries there, administrators should remove such unknown entries.
|
||||
The supplied login.defs file does not include them anymore.
|
||||
|
||||
dpasswd is no more distributed by upstream. Login do not support
|
||||
dialup password anymore. Re-introducing this functionality in
|
||||
upstream is not trivial.
|
||||
|
||||
|
||||
-- Christian Perrier <bubulle@debian.org> Thu, 25 Aug 2005 08:38:47 +0200
|
||||
|
||||
Vendored
+62
@@ -0,0 +1,62 @@
|
||||
Read this file first for a brief overview of the new versions of login
|
||||
and passwd.
|
||||
|
||||
|
||||
---Shadow passwords
|
||||
|
||||
The command `shadowconfig on' will turn on shadow password support.
|
||||
`shadowconfig off' will turn it back off. If you turn on shadow
|
||||
password support, you'll gain the ability to set password ages and
|
||||
expirations with chage(1).
|
||||
|
||||
NOTE: If you use the nscd package, you may have problems with a
|
||||
slight delay in updating the password information. You may notice
|
||||
this during upgrades of certain packages that try to add a system
|
||||
user and then access the users information immediately afterwards.
|
||||
To avoid this, it is suggested that you stop the nscd daemon before
|
||||
upgrades, then restart it again.
|
||||
|
||||
---General configuration
|
||||
|
||||
Most of the configuration for the shadow utilities is in
|
||||
/etc/login.defs. See login.defs(5). The defaults are quite
|
||||
reasonable.
|
||||
|
||||
Also see the /etc/pam.d/* files for each program to configure the PAM
|
||||
support. PAM documentation is available in several formats in the
|
||||
libpam-doc package.
|
||||
|
||||
|
||||
---MD5 Encryption
|
||||
|
||||
This is enabled now using the /etc/pam.d/* files. Examples are given.
|
||||
|
||||
|
||||
---Adding users and groups
|
||||
|
||||
Though you may add users and groups with the SysV type commands,
|
||||
useradd and groupadd, I recommend you add them with Debian adduser
|
||||
version 3+. adduser gives you more configuration and conforms to the
|
||||
Debian UID and GID allocation.
|
||||
|
||||
Editing user and group parameters can be done with usermod and
|
||||
groupmod. Removing users and groups can be done with userdel and
|
||||
groupdel.
|
||||
|
||||
|
||||
--- Group administration
|
||||
|
||||
Local group allocation is much easier. With gpasswd(1) you can
|
||||
designate users to administer groups. They can then securely add or
|
||||
remove users from the group.
|
||||
|
||||
|
||||
--- What to read next?
|
||||
|
||||
Read the manpages, the other files in this directory, and the Shadow
|
||||
Password HOWTO (included in the doc-linux package). A large portion
|
||||
of these files deals with getting shadow installed. You can, of
|
||||
course, ignore those parts.
|
||||
|
||||
Also, the libpam-doc package will go a long way to allowing you to take
|
||||
full advantage of the PAM authentication scheme.
|
||||
Vendored
+4
@@ -0,0 +1,4 @@
|
||||
A testsuite is also available. Instruction on how to run this testsuite
|
||||
are available in tests/README
|
||||
|
||||
-- Balint Reczey <rbalint@ubuntu.com>, Sat, 12 Aug 2017 18:46:44 -0400
|
||||
Vendored
+19
@@ -0,0 +1,19 @@
|
||||
Things that should be done:
|
||||
* Verify the files left in debian/tmp
|
||||
+ e.g. /etc/default/adduser should be installed
|
||||
* Check the build system: rebuilding the package twoce in the same tree
|
||||
doubles the size of the diff.gz file
|
||||
|
||||
Other points (not related to the release of a syncronized shadow):
|
||||
* compare the source with the usages and man pages
|
||||
+ probably add a sentence to chsh/chfn's manpages about authentication
|
||||
required for ordinary users
|
||||
* do something (a tool) for the variables in login.defs
|
||||
In Debian, some tools are not compiled with the PAM support, so upstream
|
||||
getdef.c won't be OK.
|
||||
It should be nice to see in each man page the set of variables used.
|
||||
The Debian package can now compile (export DEB_BUILD_OPTIONS='nostrip debug')
|
||||
with the debugging informations. This may be used to extract the set of
|
||||
variables used in Debian/for each tools.
|
||||
* verify all the patches around (I've found patches for at least RedHat,
|
||||
OWL, LFS, Mandriva, Gentoo; are they already applied?)
|
||||
Vendored
+25
@@ -0,0 +1,25 @@
|
||||
This described the usertags used by the team.
|
||||
|
||||
For usertags documentation, see
|
||||
http://lists.debian.org/debian-devel-announce/2005/09/msg00002.html
|
||||
|
||||
All bugs tagged by team members must be tagged with
|
||||
"user pkg-shadow-devel@lists.alioth.debian.org"
|
||||
|
||||
Tags list
|
||||
---------
|
||||
|
||||
toclose: This bug has been announced to be closed in case no more news
|
||||
or information is received from the bug submitter or someone
|
||||
else until the delay specified in the limits_YYYYMMDD tag
|
||||
|
||||
limits-YYYYMMDD: combine it with "toclose". Specifies the date after which
|
||||
bugs can be closed without other action in case no news
|
||||
is received
|
||||
|
||||
manpages-replace A bug reported angainst a manpages-xx package to indicate
|
||||
conflicting man pages. This tag can be used to tune the
|
||||
Replaces fields.
|
||||
|
||||
su-transition: This bug is related to the su transition (#276419)
|
||||
|
||||
Vendored
+3849
File diff suppressed because it is too large
Load Diff
Vendored
+1
@@ -0,0 +1 @@
|
||||
10
|
||||
Vendored
+78
@@ -0,0 +1,78 @@
|
||||
Source: shadow
|
||||
Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
|
||||
Uploaders: Christian Perrier <bubulle@debian.org>,
|
||||
Balint Reczey <rbalint@ubuntu.com>,
|
||||
Serge Hallyn <serge@hallyn.com>
|
||||
Section: admin
|
||||
Priority: required
|
||||
Build-Depends: dh-autoreconf,
|
||||
gettext,
|
||||
libpam0g-dev,
|
||||
debhelper (>= 10~),
|
||||
quilt,
|
||||
xsltproc,
|
||||
docbook-xsl,
|
||||
docbook-xml,
|
||||
libxml2-utils,
|
||||
cdbs,
|
||||
libselinux1-dev [linux-any],
|
||||
libsemanage1-dev [linux-any],
|
||||
gnome-doc-utils,
|
||||
bison,
|
||||
libaudit-dev [linux-any]
|
||||
Standards-Version: 3.9.5
|
||||
Vcs-Browser: https://anonscm.debian.org/git/pkg-shadow/shadow.git
|
||||
Vcs-Git: https://anonscm.debian.org/git/pkg-shadow/shadow.git
|
||||
Homepage: https://github.com/shadow-maint/shadow
|
||||
|
||||
Package: passwd
|
||||
Architecture: any
|
||||
Multi-Arch: foreign
|
||||
Depends: ${shlibs:Depends},
|
||||
${misc:Depends},
|
||||
libpam-modules
|
||||
Replaces: manpages-tr (<< 1.0.5),
|
||||
manpages-zh (<< 1.5.1-1)
|
||||
Description: change and administer password and group data
|
||||
This package includes passwd, chsh, chfn, and many other programs to
|
||||
maintain password and group data.
|
||||
.
|
||||
Shadow passwords are supported. See /usr/share/doc/passwd/README.Debian
|
||||
|
||||
Package: login
|
||||
Architecture: any
|
||||
Essential: yes
|
||||
Pre-Depends: ${shlibs:Depends},
|
||||
${misc:Depends},
|
||||
libpam-runtime,
|
||||
libpam-modules (>= 1.1.8-1)
|
||||
Breaks: coreutils (<< 8.21~) [hurd-any],
|
||||
passwd (<< 1:4.1.5.1-2~) [hurd-any],
|
||||
hurd (<< 20140206~) [hurd-any],
|
||||
util-linux (<< 2.32-0.2~)
|
||||
Conflicts: gnunet (<< 0.7.0c-2),
|
||||
amavisd-new (<< 2.3.3-8),
|
||||
python-4suite (<< 0.99cvs20060405-1),
|
||||
backupninja (<< 0.9.3-5),
|
||||
echolot (<< 2.1.8-4)
|
||||
Replaces: manpages-de (<< 0.5-3),
|
||||
manpages-tr (<< 1.0.5),
|
||||
manpages-zh (<< 1.5.1-1),
|
||||
passwd (<< 1:4.1.5.1-2~) [hurd-any],
|
||||
coreutils (<< 8.21~) [hurd-any],
|
||||
hurd (<< 20140206~) [hurd-any]
|
||||
Description: system login tools
|
||||
These tools are required to be able to login and use your system. The
|
||||
login program invokes your user shell and enables command execution. The
|
||||
newgrp program is used to change your effective group ID (useful for
|
||||
workgroup type situations). The su program allows changing your effective
|
||||
user ID (useful being able to execute commands as another user).
|
||||
|
||||
Package: uidmap
|
||||
Architecture: any
|
||||
Priority: optional
|
||||
Depends: ${shlibs:Depends},
|
||||
${misc:Depends}
|
||||
Description: programs to help use subuids
|
||||
These programs help unprivileged users to create uid and gid mappings in
|
||||
user namespaces.
|
||||
Vendored
+103
@@ -0,0 +1,103 @@
|
||||
This is Debian GNU/Linux's prepackaged version of the shadow utilities.
|
||||
|
||||
It was downloaded from: <ftp://ftp.pld.org.pl/software/shadow/>.
|
||||
As of May 2007, this site is no longer available.
|
||||
|
||||
Copyright:
|
||||
|
||||
Parts of this software are copyright 1988 - 1994, Julianne Frances Haugh.
|
||||
All rights reserved.
|
||||
|
||||
Parts of this software are copyright 1997 - 2001, Marek Michałkiewicz.
|
||||
All rights reserved.
|
||||
|
||||
Parts of this software are copyright 2001 - 2004, Andrzej Krzysztofowicz
|
||||
All rights reserved.
|
||||
|
||||
Parts of this software are copyright 2000 - 2007, Tomasz Kłoczko.
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without
|
||||
modification, are permitted provided that the following conditions
|
||||
are met:
|
||||
1. Redistributions of source code must retain the above copyright
|
||||
notice, this list of conditions and the following disclaimer.
|
||||
2. Redistributions in binary form must reproduce the above copyright
|
||||
notice, this list of conditions and the following disclaimer in the
|
||||
documentation and/or other materials provided with the distribution.
|
||||
3. Neither the name of Julianne F. Haugh nor the names of its contributors
|
||||
may be used to endorse or promote products derived from this software
|
||||
without specific prior written permission.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
|
||||
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
|
||||
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
SUCH DAMAGE.
|
||||
|
||||
This source code is currently archived on ftp.uu.net in the
|
||||
comp.sources.misc portion of the USENET archives. You may also contact
|
||||
the author, Julianne F. Haugh, at jockgrrl@ix.netcom.com if you have
|
||||
any questions regarding this package.
|
||||
|
||||
THIS SOFTWARE IS BEING DISTRIBUTED AS-IS. THE AUTHORS DISCLAIM ALL
|
||||
LIABILITY FOR ANY CONSEQUENCES OF USE. THE USER IS SOLELY RESPONSIBLE
|
||||
FOR THE MAINTENANCE OF THIS SOFTWARE PACKAGE. THE AUTHORS ARE UNDER NO
|
||||
OBLIGATION TO PROVIDE MODIFICATIONS OR IMPROVEMENTS. THE USER IS
|
||||
ENCOURAGED TO TAKE ANY AND ALL STEPS NEEDED TO PROTECT AGAINST ACCIDENTAL
|
||||
LOSS OF INFORMATION OR MACHINE RESOURCES.
|
||||
|
||||
Special thanks are due to Chip Rosenthal for his fine testing efforts;
|
||||
to Steve Simmons for his work in porting this code to BSD; and to Bill
|
||||
Kennedy for his contributions of LaserJet printer time and energies.
|
||||
Also, thanks for Dennis L. Mumaugh for the initial shadow password
|
||||
information and to Tony Walton (olapw@olgb1.oliv.co.uk) for the System
|
||||
V Release 4 changes. Effort in porting to SunOS has been contributed
|
||||
by Dr. Michael Newberry (miken@cs.adfa.oz.au) and Micheal J. Miller, Jr.
|
||||
(mke@kaberd.rain.com). Effort in porting to AT&T UNIX System V Release
|
||||
4 has been provided by Andrew Herbert (andrew@werple.pub.uu.oz.au).
|
||||
Special thanks to Marek Michalkiewicz (marekm@i17linuxb.ists.pwr.wroc.pl)
|
||||
for taking over the Linux port of this software.
|
||||
|
||||
Source files: login_access.c, login_desrpc.c, login_krb.c are derived
|
||||
from the logdaemon-5.0 package, which is under the following license:
|
||||
|
||||
/************************************************************************
|
||||
* Copyright 1995 by Wietse Venema. All rights reserved. Individual files
|
||||
* may be covered by other copyrights (as noted in the file itself.)
|
||||
*
|
||||
* This material was originally written and compiled by Wietse Venema at
|
||||
* Eindhoven University of Technology, The Netherlands, in 1990, 1991,
|
||||
* 1992, 1993, 1994 and 1995.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this entire copyright notice is duplicated in all such
|
||||
* copies.
|
||||
*
|
||||
* This software is provided "as is" and without any expressed or implied
|
||||
* warranties, including, without limitation, the implied warranties of
|
||||
* merchantibility and fitness for any particular purpose.
|
||||
************************************************************************/
|
||||
|
||||
Some parts substantially in src/su.c derived from an ancestor of
|
||||
su for GNU. Run a shell with substitute user and group IDs.
|
||||
Copyright (C) 1992-2003 Free Software Foundation, Inc.
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation; either version 2, or (at your option)
|
||||
any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
On Debian GNU/Linux systems, the complete text of the GNU General Public
|
||||
License can be found in '/usr/share/common-licenses/GPL-2'
|
||||
Vendored
+1
@@ -0,0 +1 @@
|
||||
.so man8/cppw.8
|
||||
Vendored
+27
@@ -0,0 +1,27 @@
|
||||
.TH CPPW 8 "7 Apr 2005"
|
||||
.SH NAME
|
||||
cppw, cpgr \- copy with locking the given file to the password or group file
|
||||
.SH SYNOPSIS
|
||||
\fBcppw\fR [\fB\-h\fR] [\fB\-s\fR] password_file
|
||||
.br
|
||||
\fBcpgr\fR [\fB\-h\fR] [\fB\-s\fR] group_file
|
||||
|
||||
.SH DESCRIPTION
|
||||
.BR cppw " and " cpgr
|
||||
will copy, with locking, the given file to
|
||||
.IR /etc/passwd " and " /etc/group ", respectively."
|
||||
With the \fB\-s\fR flag, they will copy the shadow versions of those files,
|
||||
.IR /etc/shadow " and " /etc/gshadow ", respectively."
|
||||
|
||||
With the \fB\-h\fR flag, the commands display a short help message and exit
|
||||
silently.
|
||||
.SH "SEE ALSO"
|
||||
.BR vipw (8),
|
||||
.BR vigr (8),
|
||||
.BR group (5),
|
||||
.BR passwd (5),
|
||||
.BR shadow (5),
|
||||
.BR gshadow (5)
|
||||
.SH AUTHOR
|
||||
\fBcppw\fR and \fBcpgr\fR were written by Stephen Frost, based on
|
||||
\fBvipw\fR and \fBvigr\fR written by Guy Maor.
|
||||
Vendored
+94
@@ -0,0 +1,94 @@
|
||||
Build-Depends:
|
||||
==============
|
||||
* autoconf
|
||||
* automake1.9
|
||||
works with 1.7 or 1.9 (at least)
|
||||
* libtool
|
||||
* gettext
|
||||
POT, PO, GMO regenerated?
|
||||
* libpam0g-dev
|
||||
OK
|
||||
* debhelper (>= 4.1.16)
|
||||
* po-debconf
|
||||
OK
|
||||
* quilt
|
||||
patch system
|
||||
* dpkg-dev (>= 1.13.5)
|
||||
* xsltproc
|
||||
used to generate the manpages
|
||||
* docbook-xsl
|
||||
needed for /usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl
|
||||
* docbook-xml
|
||||
manpages/docbook.xsl includes html/docbook.xsl
|
||||
(But it is not strictly needed. The generated manpages are identical.
|
||||
Without it, a warning is generated.)
|
||||
Needed by JH_CHECK_XML_CATALOG([-//OASIS//DTD DocBook XML V4.1.2//EN], [DocBook XML DTD V4.1.2], [], enable_man=no)
|
||||
* libxml2-utils
|
||||
needed by the JH_CHECK_XML_CATALOG macros
|
||||
* cdbs
|
||||
used in debian/rules
|
||||
* libselinux1-dev [!hurd-i386 !kfreebsd-i386 !kfreebsd-amd64]
|
||||
* gnome-doc-utils (>= 0.4.3-1)
|
||||
xml2po, 0.4.3-1 needed for the -l switch.
|
||||
|
||||
passwd Depends:
|
||||
===============
|
||||
* ${shlibs:Depends}
|
||||
OK
|
||||
* ${loginpam}
|
||||
- hurd
|
||||
login
|
||||
libpam-modules (>= 0.72-5)
|
||||
- other archs
|
||||
+ login (>= 970502-1)
|
||||
login is needed because some passwd utils need /etc/login.defs
|
||||
login is Essential, so this is just to enforce the version
|
||||
+ libpam-modules (>= 0.72-5)
|
||||
* debianutils (>= 2.15.2)
|
||||
After 1:4.0.12-6, {add,remove}-shell are distributed in debianutils (2.15)
|
||||
/etc/shell was forgotten and introduced in debianutils in 2.15.2
|
||||
|
||||
passwd Conflicts:
|
||||
=================
|
||||
|
||||
passwd Replaces:
|
||||
================
|
||||
Some of the passwd man pages are also distributed in some manpages* packages.
|
||||
Look at the debian/02/run test to optimize these dependencies.
|
||||
NOTE: Not all maintainers have been notified.
|
||||
* manpages-de (<< 0.4-9), manpages-fi (<< 0.2-4), manpages-fr (<<1.64.0-1), manpages-hu (<< 20010119-5), manpages-it (<< 0.3.4-3), manpages-ja (<< 0.5.0.0.20050915-1), manpages-ko (<< 20050219-2), manpages-es (<< 1.55-4), manpages-es-extra (<< 0.8a-15), manpages-ru (<< 0.98-3)
|
||||
All those packages have been updated during sarge->etch. So these Replaces
|
||||
should be removed after lenny release
|
||||
* manpages-tr, manpages-zh
|
||||
Those packages are still in etch, so the Replaces should be kept even
|
||||
after lenny release
|
||||
|
||||
login Pre-Depends:
|
||||
==================
|
||||
* ${shlibs:Depends}
|
||||
* libpam-runtime (>= 0.76-14)
|
||||
sarge contained 0.76-22
|
||||
|
||||
Why Pre-Depends? (because it's an essential package?)
|
||||
|
||||
login Depends:
|
||||
==============
|
||||
* libpam-modules (>= 0.72-5)
|
||||
libpam-modules is needed.
|
||||
potato contained 0.72-9
|
||||
|
||||
login Conflicts:
|
||||
================
|
||||
|
||||
login Replaces:
|
||||
===============
|
||||
* Some of the login man pages are also distributed in some manpages* packages.
|
||||
Look at the debian/02/run test to optimize these dependencies.
|
||||
NOTE: Not all maintainers have been notified.
|
||||
- manpages-fi, manpages-fr (<<1.64.0-1), manpages-hu, manpages-it, manpages-ko, manpages-ja (<< 0.5.0.0.20050915-1), manpages-de (<< 0.4-10), manpages-es-extra (<<0.8a-15)
|
||||
Those are packages that have been updated during sarge->etch. These
|
||||
Replaces should be removed after lenny
|
||||
- manpages-tr, manpages-zh
|
||||
Those packages are still in etch, so the Replaces should be kept even
|
||||
after lenny release
|
||||
|
||||
Vendored
+340
@@ -0,0 +1,340 @@
|
||||
#
|
||||
# /etc/login.defs - Configuration control definitions for the login package.
|
||||
#
|
||||
# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH.
|
||||
# If unspecified, some arbitrary (and possibly incorrect) value will
|
||||
# be assumed. All other items are optional - if not specified then
|
||||
# the described action or option will be inhibited.
|
||||
#
|
||||
# Comment lines (lines beginning with "#") and blank lines are ignored.
|
||||
#
|
||||
# Modified for Linux. --marekm
|
||||
|
||||
# REQUIRED for useradd/userdel/usermod
|
||||
# Directory where mailboxes reside, _or_ name of file, relative to the
|
||||
# home directory. If you _do_ define MAIL_DIR and MAIL_FILE,
|
||||
# MAIL_DIR takes precedence.
|
||||
#
|
||||
# Essentially:
|
||||
# - MAIL_DIR defines the location of users mail spool files
|
||||
# (for mbox use) by appending the username to MAIL_DIR as defined
|
||||
# below.
|
||||
# - MAIL_FILE defines the location of the users mail spool files as the
|
||||
# fully-qualified filename obtained by prepending the user home
|
||||
# directory before $MAIL_FILE
|
||||
#
|
||||
# NOTE: This is no more used for setting up users MAIL environment variable
|
||||
# which is, starting from shadow 4.0.12-1 in Debian, entirely the
|
||||
# job of the pam_mail PAM modules
|
||||
# See default PAM configuration files provided for
|
||||
# login, su, etc.
|
||||
#
|
||||
# This is a temporary situation: setting these variables will soon
|
||||
# move to /etc/default/useradd and the variables will then be
|
||||
# no more supported
|
||||
MAIL_DIR /var/mail
|
||||
#MAIL_FILE .mail
|
||||
|
||||
#
|
||||
# Enable logging and display of /var/log/faillog login failure info.
|
||||
# This option conflicts with the pam_tally PAM module.
|
||||
#
|
||||
FAILLOG_ENAB yes
|
||||
|
||||
#
|
||||
# Enable display of unknown usernames when login failures are recorded.
|
||||
#
|
||||
# WARNING: Unknown usernames may become world readable.
|
||||
# See #290803 and #298773 for details about how this could become a security
|
||||
# concern
|
||||
LOG_UNKFAIL_ENAB no
|
||||
|
||||
#
|
||||
# Enable logging of successful logins
|
||||
#
|
||||
LOG_OK_LOGINS no
|
||||
|
||||
#
|
||||
# Enable "syslog" logging of su activity - in addition to sulog file logging.
|
||||
# SYSLOG_SG_ENAB does the same for newgrp and sg.
|
||||
#
|
||||
SYSLOG_SU_ENAB yes
|
||||
SYSLOG_SG_ENAB yes
|
||||
|
||||
#
|
||||
# If defined, all su activity is logged to this file.
|
||||
#
|
||||
#SULOG_FILE /var/log/sulog
|
||||
|
||||
#
|
||||
# If defined, file which maps tty line to TERM environment parameter.
|
||||
# Each line of the file is in a format something like "vt100 tty01".
|
||||
#
|
||||
#TTYTYPE_FILE /etc/ttytype
|
||||
|
||||
#
|
||||
# If defined, login failures will be logged here in a utmp format
|
||||
# last, when invoked as lastb, will read /var/log/btmp, so...
|
||||
#
|
||||
FTMP_FILE /var/log/btmp
|
||||
|
||||
#
|
||||
# If defined, the command name to display when running "su -". For
|
||||
# example, if this is defined as "su" then a "ps" will display the
|
||||
# command is "-su". If not defined, then "ps" would display the
|
||||
# name of the shell actually being run, e.g. something like "-sh".
|
||||
#
|
||||
SU_NAME su
|
||||
|
||||
#
|
||||
# If defined, file which inhibits all the usual chatter during the login
|
||||
# sequence. If a full pathname, then hushed mode will be enabled if the
|
||||
# user's name or shell are found in the file. If not a full pathname, then
|
||||
# hushed mode will be enabled if the file exists in the user's home directory.
|
||||
#
|
||||
HUSHLOGIN_FILE .hushlogin
|
||||
#HUSHLOGIN_FILE /etc/hushlogins
|
||||
|
||||
#
|
||||
# *REQUIRED* The default PATH settings, for superuser and normal users.
|
||||
#
|
||||
# (they are minimal, add the rest in the shell startup files)
|
||||
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
||||
ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
|
||||
|
||||
#
|
||||
# Terminal permissions
|
||||
#
|
||||
# TTYGROUP Login tty will be assigned this group ownership.
|
||||
# TTYPERM Login tty will be set to this permission.
|
||||
#
|
||||
# If you have a "write" program which is "setgid" to a special group
|
||||
# which owns the terminals, define TTYGROUP to the group number and
|
||||
# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
|
||||
# TTYPERM to either 622 or 600.
|
||||
#
|
||||
# In Debian /usr/bin/bsd-write or similar programs are setgid tty
|
||||
# However, the default and recommended value for TTYPERM is still 0600
|
||||
# to not allow anyone to write to anyone else console or terminal
|
||||
|
||||
# Users can still allow other people to write them by issuing
|
||||
# the "mesg y" command.
|
||||
|
||||
TTYGROUP tty
|
||||
TTYPERM 0600
|
||||
|
||||
#
|
||||
# Login configuration initializations:
|
||||
#
|
||||
# ERASECHAR Terminal ERASE character ('\010' = backspace).
|
||||
# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
|
||||
# UMASK Default "umask" value.
|
||||
#
|
||||
# The ERASECHAR and KILLCHAR are used only on System V machines.
|
||||
#
|
||||
# UMASK is the default umask value for pam_umask and is used by
|
||||
# useradd and newusers to set the mode of the new home directories.
|
||||
# 022 is the "historical" value in Debian for UMASK
|
||||
# 027, or even 077, could be considered better for privacy
|
||||
# There is no One True Answer here : each sysadmin must make up his/her
|
||||
# mind.
|
||||
#
|
||||
# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
|
||||
# for private user groups, i. e. the uid is the same as gid, and username is
|
||||
# the same as the primary group name: for these, the user permissions will be
|
||||
# used as group permissions, e. g. 022 will become 002.
|
||||
#
|
||||
# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
|
||||
#
|
||||
ERASECHAR 0177
|
||||
KILLCHAR 025
|
||||
UMASK 022
|
||||
|
||||
#
|
||||
# Password aging controls:
|
||||
#
|
||||
# PASS_MAX_DAYS Maximum number of days a password may be used.
|
||||
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
|
||||
# PASS_WARN_AGE Number of days warning given before a password expires.
|
||||
#
|
||||
PASS_MAX_DAYS 99999
|
||||
PASS_MIN_DAYS 0
|
||||
PASS_WARN_AGE 7
|
||||
|
||||
#
|
||||
# Min/max values for automatic uid selection in useradd
|
||||
#
|
||||
UID_MIN 1000
|
||||
UID_MAX 60000
|
||||
# System accounts
|
||||
#SYS_UID_MIN 100
|
||||
#SYS_UID_MAX 999
|
||||
|
||||
#
|
||||
# Min/max values for automatic gid selection in groupadd
|
||||
#
|
||||
GID_MIN 1000
|
||||
GID_MAX 60000
|
||||
# System accounts
|
||||
#SYS_GID_MIN 100
|
||||
#SYS_GID_MAX 999
|
||||
|
||||
#
|
||||
# Max number of login retries if password is bad. This will most likely be
|
||||
# overriden by PAM, since the default pam_unix module has it's own built
|
||||
# in of 3 retries. However, this is a safe fallback in case you are using
|
||||
# an authentication module that does not enforce PAM_MAXTRIES.
|
||||
#
|
||||
LOGIN_RETRIES 5
|
||||
|
||||
#
|
||||
# Max time in seconds for login
|
||||
#
|
||||
LOGIN_TIMEOUT 60
|
||||
|
||||
#
|
||||
# Which fields may be changed by regular users using chfn - use
|
||||
# any combination of letters "frwh" (full name, room number, work
|
||||
# phone, home phone). If not defined, no changes are allowed.
|
||||
# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
|
||||
#
|
||||
CHFN_RESTRICT rwh
|
||||
|
||||
#
|
||||
# Should login be allowed if we can't cd to the home directory?
|
||||
# Default in no.
|
||||
#
|
||||
DEFAULT_HOME yes
|
||||
|
||||
#
|
||||
# If defined, this command is run when removing a user.
|
||||
# It should remove any at/cron/print jobs etc. owned by
|
||||
# the user to be removed (passed as the first argument).
|
||||
#
|
||||
#USERDEL_CMD /usr/sbin/userdel_local
|
||||
|
||||
#
|
||||
# If set to yes, userdel will remove the user's group if it contains no
|
||||
# more members, and useradd will create by default a group with the name
|
||||
# of the user.
|
||||
#
|
||||
# Other former uses of this variable such as setting the umask when
|
||||
# user==primary group are not used in PAM environments, such as Debian
|
||||
#
|
||||
USERGROUPS_ENAB yes
|
||||
|
||||
#
|
||||
# Instead of the real user shell, the program specified by this parameter
|
||||
# will be launched, although its visible name (argv[0]) will be the shell's.
|
||||
# The program may do whatever it wants (logging, additional authentification,
|
||||
# banner, ...) before running the actual shell.
|
||||
#
|
||||
# FAKE_SHELL /bin/fakeshell
|
||||
|
||||
#
|
||||
# If defined, either full pathname of a file containing device names or
|
||||
# a ":" delimited list of device names. Root logins will be allowed only
|
||||
# upon these devices.
|
||||
#
|
||||
# This variable is used by login and su.
|
||||
#
|
||||
#CONSOLE /etc/consoles
|
||||
#CONSOLE console:tty01:tty02:tty03:tty04
|
||||
|
||||
#
|
||||
# List of groups to add to the user's supplementary group set
|
||||
# when logging in on the console (as determined by the CONSOLE
|
||||
# setting). Default is none.
|
||||
#
|
||||
# Use with caution - it is possible for users to gain permanent
|
||||
# access to these groups, even when not logged in on the console.
|
||||
# How to do it is left as an exercise for the reader...
|
||||
#
|
||||
# This variable is used by login and su.
|
||||
#
|
||||
#CONSOLE_GROUPS floppy:audio:cdrom
|
||||
|
||||
#
|
||||
# If set to "yes", new passwords will be encrypted using the MD5-based
|
||||
# algorithm compatible with the one used by recent releases of FreeBSD.
|
||||
# It supports passwords of unlimited length and longer salt strings.
|
||||
# Set to "no" if you need to copy encrypted passwords to other systems
|
||||
# which don't understand the new algorithm. Default is "no".
|
||||
#
|
||||
# This variable is deprecated. You should use ENCRYPT_METHOD.
|
||||
#
|
||||
#MD5_CRYPT_ENAB no
|
||||
|
||||
#
|
||||
# If set to MD5 , MD5-based algorithm will be used for encrypting password
|
||||
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
|
||||
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
|
||||
# If set to DES, DES-based algorithm will be used for encrypting password (default)
|
||||
# Overrides the MD5_CRYPT_ENAB option
|
||||
#
|
||||
# Note: It is recommended to use a value consistent with
|
||||
# the PAM modules configuration.
|
||||
#
|
||||
ENCRYPT_METHOD SHA512
|
||||
|
||||
#
|
||||
# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512.
|
||||
#
|
||||
# Define the number of SHA rounds.
|
||||
# With a lot of rounds, it is more difficult to brute forcing the password.
|
||||
# But note also that it more CPU resources will be needed to authenticate
|
||||
# users.
|
||||
#
|
||||
# If not specified, the libc will choose the default number of rounds (5000).
|
||||
# The values must be inside the 1000-999999999 range.
|
||||
# If only one of the MIN or MAX values is set, then this value will be used.
|
||||
# If MIN > MAX, the highest value will be used.
|
||||
#
|
||||
# SHA_CRYPT_MIN_ROUNDS 5000
|
||||
# SHA_CRYPT_MAX_ROUNDS 5000
|
||||
|
||||
################# OBSOLETED BY PAM ##############
|
||||
# #
|
||||
# These options are now handled by PAM. Please #
|
||||
# edit the appropriate file in /etc/pam.d/ to #
|
||||
# enable the equivelants of them.
|
||||
#
|
||||
###############
|
||||
|
||||
#MOTD_FILE
|
||||
#DIALUPS_CHECK_ENAB
|
||||
#LASTLOG_ENAB
|
||||
#MAIL_CHECK_ENAB
|
||||
#OBSCURE_CHECKS_ENAB
|
||||
#PORTTIME_CHECKS_ENAB
|
||||
#SU_WHEEL_ONLY
|
||||
#CRACKLIB_DICTPATH
|
||||
#PASS_CHANGE_TRIES
|
||||
#PASS_ALWAYS_WARN
|
||||
#ENVIRON_FILE
|
||||
#NOLOGINS_FILE
|
||||
#ISSUE_FILE
|
||||
#PASS_MIN_LEN
|
||||
#PASS_MAX_LEN
|
||||
#ULIMIT
|
||||
#ENV_HZ
|
||||
#CHFN_AUTH
|
||||
#CHSH_AUTH
|
||||
#FAIL_DELAY
|
||||
|
||||
################# OBSOLETED #######################
|
||||
# #
|
||||
# These options are no more handled by shadow. #
|
||||
# #
|
||||
# Shadow utilities will display a warning if they #
|
||||
# still appear. #
|
||||
# #
|
||||
###################################################
|
||||
|
||||
# CLOSE_SESSIONS
|
||||
# LOGIN_STRING
|
||||
# NO_PASSWORD_CONSOLE
|
||||
# QMAIL_DIR
|
||||
|
||||
|
||||
|
||||
Vendored
+1
@@ -0,0 +1 @@
|
||||
usr/share/lintian/overrides
|
||||
Vendored
+22
@@ -0,0 +1,22 @@
|
||||
usr/share/locale/*/LC_MESSAGES/shadow.mo
|
||||
usr/share/man/*/man1/login.1
|
||||
usr/share/man/*/man1/newgrp.1
|
||||
usr/share/man/*/man1/sg.1
|
||||
usr/share/man/*/man5/faillog.5
|
||||
usr/share/man/*/man5/login.defs.5
|
||||
usr/share/man/*/man8/faillog.8
|
||||
usr/share/man/*/man8/lastlog.8
|
||||
usr/share/man/*/man8/nologin.8
|
||||
usr/share/man/man1/login.1
|
||||
usr/share/man/man1/newgrp.1
|
||||
usr/share/man/man1/sg.1
|
||||
usr/share/man/man5/faillog.5
|
||||
usr/share/man/man5/login.defs.5
|
||||
usr/share/man/man8/faillog.8
|
||||
usr/share/man/man8/lastlog.8
|
||||
usr/share/man/man8/nologin.8
|
||||
usr/sbin/nologin
|
||||
usr/bin/faillog
|
||||
usr/bin/lastlog
|
||||
usr/bin/newgrp
|
||||
bin/login
|
||||
Vendored
+1
@@ -0,0 +1 @@
|
||||
usr/bin/newgrp usr/bin/sg
|
||||
Vendored
+3
@@ -0,0 +1,3 @@
|
||||
login: setuid-binary usr/bin/newgrp 4755 root/root
|
||||
login: setuid-binary bin/su 4755 root/root
|
||||
login: possible-missing-colon-in-closes l667:closes bug 336321
|
||||
Vendored
+116
@@ -0,0 +1,116 @@
|
||||
#
|
||||
# The PAM configuration file for the Shadow `login' service
|
||||
#
|
||||
|
||||
# Enforce a minimal delay in case of failure (in microseconds).
|
||||
# (Replaces the `FAIL_DELAY' setting from login.defs)
|
||||
# Note that other modules may require another minimal delay. (for example,
|
||||
# to disable any delay, you should add the nodelay option to pam_unix)
|
||||
auth optional pam_faildelay.so delay=3000000
|
||||
|
||||
# Outputs an issue file prior to each login prompt (Replaces the
|
||||
# ISSUE_FILE option from login.defs). Uncomment for use
|
||||
# auth required pam_issue.so issue=/etc/issue
|
||||
|
||||
# Disallows root logins except on tty's listed in /etc/securetty
|
||||
# (Replaces the `CONSOLE' setting from login.defs)
|
||||
#
|
||||
# With the default control of this module:
|
||||
# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
|
||||
# root will not be prompted for a password on insecure lines.
|
||||
# if an invalid username is entered, a password is prompted (but login
|
||||
# will eventually be rejected)
|
||||
#
|
||||
# You can change it to a "requisite" module if you think root may mis-type
|
||||
# her login and should not be prompted for a password in that case. But
|
||||
# this will leave the system as vulnerable to user enumeration attacks.
|
||||
#
|
||||
# You can change it to a "required" module if you think it permits to
|
||||
# guess valid user names of your system (invalid user names are considered
|
||||
# as possibly being root on insecure lines), but root passwords may be
|
||||
# communicated over insecure lines.
|
||||
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
|
||||
|
||||
# Disallows other than root logins when /etc/nologin exists
|
||||
# (Replaces the `NOLOGINS_FILE' option from login.defs)
|
||||
auth requisite pam_nologin.so
|
||||
|
||||
# SELinux needs to be the first session rule. This ensures that any
|
||||
# lingering context has been cleared. Without this it is possible
|
||||
# that a module could execute code in the wrong domain.
|
||||
# When the module is present, "required" would be sufficient (When SELinux
|
||||
# is disabled, this returns success.)
|
||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
||||
|
||||
# Sets the loginuid process attribute
|
||||
session required pam_loginuid.so
|
||||
|
||||
# SELinux needs to intervene at login time to ensure that the process
|
||||
# starts in the proper default security context. Only sessions which are
|
||||
# intended to run in the user's context should be run after this.
|
||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
||||
# When the module is present, "required" would be sufficient (When SELinux
|
||||
# is disabled, this returns success.)
|
||||
|
||||
# This module parses environment configuration file(s)
|
||||
# and also allows you to use an extended config
|
||||
# file /etc/security/pam_env.conf.
|
||||
#
|
||||
# parsing /etc/environment needs "readenv=1"
|
||||
session required pam_env.so readenv=1
|
||||
# locale variables are also kept into /etc/default/locale in etch
|
||||
# reading this file *in addition to /etc/environment* does not hurt
|
||||
session required pam_env.so readenv=1 envfile=/etc/default/locale
|
||||
|
||||
# Standard Un*x authentication.
|
||||
@include common-auth
|
||||
|
||||
# This allows certain extra groups to be granted to a user
|
||||
# based on things like time of day, tty, service, and user.
|
||||
# Please edit /etc/security/group.conf to fit your needs
|
||||
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
|
||||
auth optional pam_group.so
|
||||
|
||||
# Uncomment and edit /etc/security/time.conf if you need to set
|
||||
# time restraint on logins.
|
||||
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
|
||||
# as well as /etc/porttime)
|
||||
# account requisite pam_time.so
|
||||
|
||||
# Uncomment and edit /etc/security/access.conf if you need to
|
||||
# set access limits.
|
||||
# (Replaces /etc/login.access file)
|
||||
# account required pam_access.so
|
||||
|
||||
# Sets up user limits according to /etc/security/limits.conf
|
||||
# (Replaces the use of /etc/limits in old login)
|
||||
session required pam_limits.so
|
||||
|
||||
# Prints the last login info upon successful login
|
||||
# (Replaces the `LASTLOG_ENAB' option from login.defs)
|
||||
session optional pam_lastlog.so
|
||||
|
||||
# Prints the message of the day upon successful login.
|
||||
# (Replaces the `MOTD_FILE' option in login.defs)
|
||||
# This includes a dynamically generated part from /run/motd.dynamic
|
||||
# and a static (admin-editable) part from /etc/motd.
|
||||
session optional pam_motd.so motd=/run/motd.dynamic
|
||||
session optional pam_motd.so noupdate
|
||||
|
||||
# Prints the status of the user's mailbox upon successful login
|
||||
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
|
||||
#
|
||||
# This also defines the MAIL environment variable
|
||||
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
|
||||
# in /etc/login.defs to make sure that removing a user
|
||||
# also removes the user's mail spool file.
|
||||
# See comments in /etc/login.defs
|
||||
session optional pam_mail.so standard
|
||||
|
||||
# Create a new session keyring.
|
||||
session optional pam_keyinit.so force revoke
|
||||
|
||||
# Standard Un*x account and session
|
||||
@include common-account
|
||||
@include common-session
|
||||
@include common-password
|
||||
Vendored
+56
@@ -0,0 +1,56 @@
|
||||
#!/bin/sh
|
||||
|
||||
set -e
|
||||
|
||||
if test "$1" = configure
|
||||
then
|
||||
if test -f /etc/init.d/logoutd
|
||||
then
|
||||
if test "$(md5sum /etc/init.d/logoutd)" = "9080f92783dd53f6f2108e698c06bd53 /etc/init.d/logoutd"
|
||||
then
|
||||
echo "removing logoutd cruft"
|
||||
rm /etc/init.d/logoutd
|
||||
update-rc.d logoutd remove
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
rm -f /etc/pam.d/login.pre-upgrade 2>/dev/null
|
||||
|
||||
if [ "$1" = "configure" ]; then
|
||||
# Install faillog during initial installs only
|
||||
if [ "$2" = "" ] && [ ! -f /var/log/faillog ] ; then
|
||||
touch /var/log/faillog
|
||||
chown root:root /var/log/faillog
|
||||
chmod 644 /var/log/faillog
|
||||
fi
|
||||
|
||||
# Create subuid/subgid if missing
|
||||
if [ ! -e /etc/subuid ]; then
|
||||
touch /etc/subuid
|
||||
chown root:root /etc/subuid
|
||||
chmod 644 /etc/subuid
|
||||
fi
|
||||
|
||||
if [ ! -e /etc/subgid ]; then
|
||||
touch /etc/subgid
|
||||
chown root:root /etc/subgid
|
||||
chmod 644 /etc/subgid
|
||||
fi
|
||||
fi
|
||||
|
||||
# Create subuid/subgid if missing
|
||||
if [ ! -e /etc/subuid ]; then
|
||||
touch /etc/subuid
|
||||
chown root:root /etc/subuid
|
||||
chmod 644 /etc/subuid
|
||||
fi
|
||||
|
||||
if [ ! -e /etc/subgid ]; then
|
||||
touch /etc/subgid
|
||||
chown root:root /etc/subgid
|
||||
chmod 644 /etc/subgid
|
||||
fi
|
||||
|
||||
#DEBHELPER#
|
||||
|
||||
exit 0
|
||||
Vendored
+52
@@ -0,0 +1,52 @@
|
||||
#! /bin/sh
|
||||
|
||||
#
|
||||
# see: dh_installdeb(1)
|
||||
|
||||
set -e
|
||||
|
||||
# summary of how this script can be called:
|
||||
# * <new-preinst> `install'
|
||||
# * <new-preinst> `install' <old-version>
|
||||
# * <new-preinst> `upgrade' <old-version>
|
||||
# * <old-preinst> `abort-upgrade' <new-version>
|
||||
#
|
||||
# for details, see http://www.debian.org/doc/debian-policy/ or
|
||||
# the debian-policy package
|
||||
|
||||
remove_md5() {
|
||||
if md5sum $1 2>/dev/null |grep -q $2; then
|
||||
cp $1 $1.pre-upgrade
|
||||
sed -e '/^[^#][ \t]*assword[ \t]*required[ \t]*pam_unix.so/ s/ md5$//' $1 >$1.post-upgrade \
|
||||
&& mv $1.post-upgrade $1
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
case "$1" in
|
||||
install|upgrade)
|
||||
if [ "x$2" != "x" ] ; then
|
||||
if dpkg --compare-versions $2 lt 1:4.0.3 ; then
|
||||
remove_md5 /etc/pam.d/login 5e61c3334e25625fe1fa4d79cf9123ff
|
||||
fi
|
||||
fi
|
||||
|
||||
;;
|
||||
|
||||
abort-upgrade)
|
||||
;;
|
||||
|
||||
*)
|
||||
echo "preinst called with unknown argument \`$1'" >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
# dh_installdeb will replace this with shell code automatically
|
||||
# generated by other debhelper scripts.
|
||||
|
||||
#DEBHELPER#
|
||||
|
||||
exit 0
|
||||
|
||||
|
||||
Vendored
+61
@@ -0,0 +1,61 @@
|
||||
#
|
||||
# The PAM configuration file for the Shadow `su' service
|
||||
#
|
||||
|
||||
# This allows root to su without passwords (normal operation)
|
||||
auth sufficient pam_rootok.so
|
||||
|
||||
# Uncomment this to force users to be a member of group root
|
||||
# before they can use `su'. You can also add "group=foo"
|
||||
# to the end of this line if you want to use a group other
|
||||
# than the default "root" (but this may have side effect of
|
||||
# denying "root" user, unless she's a member of "foo" or explicitly
|
||||
# permitted earlier by e.g. "sufficient pam_rootok.so").
|
||||
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
|
||||
# auth required pam_wheel.so
|
||||
|
||||
# Uncomment this if you want wheel members to be able to
|
||||
# su without a password.
|
||||
# auth sufficient pam_wheel.so trust
|
||||
|
||||
# Uncomment this if you want members of a specific group to not
|
||||
# be allowed to use su at all.
|
||||
# auth required pam_wheel.so deny group=nosu
|
||||
|
||||
# Uncomment and edit /etc/security/time.conf if you need to set
|
||||
# time restrainst on su usage.
|
||||
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
|
||||
# as well as /etc/porttime)
|
||||
# account requisite pam_time.so
|
||||
|
||||
# This module parses environment configuration file(s)
|
||||
# and also allows you to use an extended config
|
||||
# file /etc/security/pam_env.conf.
|
||||
#
|
||||
# parsing /etc/environment needs "readenv=1"
|
||||
session required pam_env.so readenv=1
|
||||
# locale variables are also kept into /etc/default/locale in etch
|
||||
# reading this file *in addition to /etc/environment* does not hurt
|
||||
session required pam_env.so readenv=1 envfile=/etc/default/locale
|
||||
|
||||
# Defines the MAIL environment variable
|
||||
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
|
||||
# in /etc/login.defs to make sure that removing a user
|
||||
# also removes the user's mail spool file.
|
||||
# See comments in /etc/login.defs
|
||||
#
|
||||
# "nopen" stands to avoid reporting new mail when su'ing to another user
|
||||
session optional pam_mail.so nopen
|
||||
|
||||
# Sets up user limits according to /etc/security/limits.conf
|
||||
# (Replaces the use of /etc/limits in old login)
|
||||
session required pam_limits.so
|
||||
|
||||
# The standard Unix authentication modules, used with
|
||||
# NIS (man nsswitch) as well as normal /etc/passwd and
|
||||
# /etc/shadow entries.
|
||||
@include common-auth
|
||||
@include common-account
|
||||
@include common-session
|
||||
|
||||
|
||||
Vendored
+8
@@ -0,0 +1,8 @@
|
||||
# The PAM configuration file for the Shadow 'chage' service
|
||||
#
|
||||
|
||||
# This allows root to change password aging being prompted for a password
|
||||
auth sufficient pam_rootok.so
|
||||
|
||||
# checks for account validity
|
||||
account required pam_permit.so
|
||||
Vendored
+16
@@ -0,0 +1,16 @@
|
||||
#
|
||||
# The PAM configuration file for the Shadow `chfn' service
|
||||
#
|
||||
|
||||
# This allows root to change user infomation without being
|
||||
# prompted for a password
|
||||
auth sufficient pam_rootok.so
|
||||
|
||||
# The standard Unix authentication modules, used with
|
||||
# NIS (man nsswitch) as well as normal /etc/passwd and
|
||||
# /etc/shadow entries.
|
||||
@include common-auth
|
||||
@include common-account
|
||||
@include common-session
|
||||
|
||||
|
||||
Vendored
+5
@@ -0,0 +1,5 @@
|
||||
# The PAM configuration file for the Shadow 'chpasswd' service
|
||||
#
|
||||
|
||||
@include common-password
|
||||
|
||||
Vendored
+20
@@ -0,0 +1,20 @@
|
||||
#
|
||||
# The PAM configuration file for the Shadow `chsh' service
|
||||
#
|
||||
|
||||
# This will not allow a user to change their shell unless
|
||||
# their current one is listed in /etc/shells. This keeps
|
||||
# accounts with special shells from changing them.
|
||||
auth required pam_shells.so
|
||||
|
||||
# This allows root to change user shell without being
|
||||
# prompted for a password
|
||||
auth sufficient pam_rootok.so
|
||||
|
||||
# The standard Unix authentication modules, used with
|
||||
# NIS (man nsswitch) as well as normal /etc/passwd and
|
||||
# /etc/shadow entries.
|
||||
@include common-auth
|
||||
@include common-account
|
||||
@include common-session
|
||||
|
||||
Vendored
+9
@@ -0,0 +1,9 @@
|
||||
#!/bin/sh
|
||||
|
||||
cd /var/backups || exit 0
|
||||
|
||||
for FILE in passwd group shadow gshadow; do
|
||||
test -f /etc/$FILE || continue
|
||||
cmp -s $FILE.bak /etc/$FILE && continue
|
||||
cp -p /etc/$FILE $FILE.bak && chmod 600 $FILE.bak
|
||||
done
|
||||
Vendored
+2
@@ -0,0 +1,2 @@
|
||||
usr/share/lintian/overrides
|
||||
etc/default
|
||||
Vendored
+1
@@ -0,0 +1 @@
|
||||
debian/passwd.expire.cron
|
||||
Vendored
+57
@@ -0,0 +1,57 @@
|
||||
#!/usr/bin/perl
|
||||
#
|
||||
# passwd.expire.cron: sample expiry notification script for use as a cronjob
|
||||
#
|
||||
# Copyright 1999 by Ben Collins <bcollins@debian.org>, complete rights granted
|
||||
# for use, distribution, modification, etc.
|
||||
#
|
||||
# Usage:
|
||||
# edit the listed options, including the actual email, then rename to
|
||||
# /etc/cron.daily/passwd
|
||||
#
|
||||
# If your users don't have a valid login shell (ie. they are ftp or mail
|
||||
# users only), they will need some other way to change their password
|
||||
# (telnet will work since login will handle password aging, or a poppasswd
|
||||
# program, if they are mail users).
|
||||
|
||||
# <CONFIG> #
|
||||
|
||||
# should be same as /etc/adduser.conf
|
||||
$LOW_UID=1000;
|
||||
$HIGH_UID=29999;
|
||||
|
||||
# this let's the MTA handle the domain,
|
||||
# set it manually if you want. Make sure
|
||||
# you also add the @ like "\@domain.com"
|
||||
$MAIL_DOM="";
|
||||
|
||||
# </CONFIG> #
|
||||
|
||||
# Set the current day reference
|
||||
$curdays = int(time() / (60 * 60 * 24));
|
||||
|
||||
# Now go through the list
|
||||
|
||||
open(SH, "< /etc/shadow");
|
||||
while (<SH>) {
|
||||
@shent = split(':', $_);
|
||||
@userent = getpwnam($shent[0]);
|
||||
if ($userent[2] >= $LOW_UID && $userent[2] <= $HIGH_UID) {
|
||||
if ($curdays > $shent[2] + $shent[4] - $shent[5] &&
|
||||
$shent[4] != -1 && $shent[4] != 0 &&
|
||||
$shent[5] != -1 && $shent[5] != 0) {
|
||||
$daysleft = ($shent[2] + $shent[4]) - $curdays;
|
||||
if ($daysleft == 1) { $days = "day"; } else {$days = "days"; }
|
||||
if ($daysleft < 0) { next; }
|
||||
open (MAIL, "| mail -s '[WARNING] account will expire in $daysleft $days' $shent[0]${MAIL_DOM}");
|
||||
print MAIL <<EOF;
|
||||
Your account will expire in $daysleft $days. Please change your password before
|
||||
then or your account will expire
|
||||
EOF
|
||||
close (MAIL);
|
||||
# This makes sure we also get a list of almost expired users
|
||||
print "$shent[0]'s account will expire in $daysleft days\n";
|
||||
}
|
||||
}
|
||||
@userent = getpwent();
|
||||
}
|
||||
Vendored
+8
@@ -0,0 +1,8 @@
|
||||
# The PAM configuration file for the Shadow 'groupadd' service
|
||||
#
|
||||
|
||||
# This allows root to add groups without being prompted for a password
|
||||
auth sufficient pam_rootok.so
|
||||
|
||||
# checks for account validity
|
||||
account required pam_permit.so
|
||||
Vendored
+8
@@ -0,0 +1,8 @@
|
||||
# The PAM configuration file for the Shadow 'groupdel' service
|
||||
#
|
||||
|
||||
# This allows root to remove groups without being prompted for a password
|
||||
auth sufficient pam_rootok.so
|
||||
|
||||
# checks for account validity
|
||||
account required pam_permit.so
|
||||
Vendored
+8
@@ -0,0 +1,8 @@
|
||||
# The PAM configuration file for the Shadow 'groupmod' service
|
||||
#
|
||||
|
||||
# This allows root to modify groups without being prompted for a password
|
||||
auth sufficient pam_rootok.so
|
||||
|
||||
# checks for account validity
|
||||
account required pam_permit.so
|
||||
Vendored
+80
@@ -0,0 +1,80 @@
|
||||
usr/bin/chage
|
||||
usr/bin/chfn
|
||||
usr/bin/chsh
|
||||
usr/bin/expiry
|
||||
usr/bin/gpasswd
|
||||
usr/bin/passwd
|
||||
usr/sbin/chpasswd
|
||||
usr/sbin/chgpasswd
|
||||
usr/sbin/cppw
|
||||
usr/sbin/groupadd
|
||||
usr/sbin/groupdel
|
||||
usr/sbin/groupmod
|
||||
usr/sbin/groupmems
|
||||
usr/sbin/grpck
|
||||
usr/sbin/grpconv
|
||||
usr/sbin/grpunconv
|
||||
usr/sbin/newusers
|
||||
usr/sbin/pwck
|
||||
usr/sbin/pwconv
|
||||
usr/sbin/pwunconv
|
||||
usr/sbin/useradd
|
||||
usr/sbin/userdel
|
||||
usr/sbin/usermod
|
||||
usr/sbin/vipw
|
||||
usr/share/man/*/man1/chage.1
|
||||
usr/share/man/*/man1/chfn.1
|
||||
usr/share/man/*/man1/chsh.1
|
||||
usr/share/man/*/man1/expiry.1
|
||||
usr/share/man/*/man1/gpasswd.1
|
||||
usr/share/man/*/man1/passwd.1
|
||||
usr/share/man/*/man5/passwd.5
|
||||
usr/share/man/*/man5/shadow.5
|
||||
usr/share/man/*/man5/gshadow.5
|
||||
usr/share/man/*/man8/chpasswd.8
|
||||
usr/share/man/*/man8/groupadd.8
|
||||
usr/share/man/*/man8/groupdel.8
|
||||
usr/share/man/*/man8/groupmod.8
|
||||
usr/share/man/*/man8/groupmems.8
|
||||
usr/share/man/*/man8/grpck.8
|
||||
usr/share/man/*/man8/grpconv.8
|
||||
usr/share/man/*/man8/grpunconv.8
|
||||
usr/share/man/*/man8/newusers.8
|
||||
usr/share/man/*/man8/pwck.8
|
||||
usr/share/man/*/man8/pwconv.8
|
||||
usr/share/man/*/man8/pwunconv.8
|
||||
usr/share/man/*/man8/useradd.8
|
||||
usr/share/man/*/man8/userdel.8
|
||||
usr/share/man/*/man8/usermod.8
|
||||
usr/share/man/*/man8/vigr.8
|
||||
usr/share/man/*/man8/vipw.8
|
||||
usr/share/man/man1/chage.1
|
||||
usr/share/man/man1/chfn.1
|
||||
usr/share/man/man1/chsh.1
|
||||
usr/share/man/man1/expiry.1
|
||||
usr/share/man/man1/gpasswd.1
|
||||
usr/share/man/man1/passwd.1
|
||||
usr/share/man/man5/passwd.5
|
||||
usr/share/man/man5/shadow.5
|
||||
usr/share/man/man5/gshadow.5
|
||||
usr/share/man/man5/subuid.5
|
||||
usr/share/man/man5/subgid.5
|
||||
usr/share/man/man5/subgid.5
|
||||
usr/share/man/man5/subuid.5
|
||||
usr/share/man/man8/chgpasswd.8
|
||||
usr/share/man/man8/chpasswd.8
|
||||
usr/share/man/man8/groupadd.8
|
||||
usr/share/man/man8/groupdel.8
|
||||
usr/share/man/man8/groupmod.8
|
||||
usr/share/man/man8/grpck.8
|
||||
usr/share/man/man8/grpconv.8
|
||||
usr/share/man/man8/grpunconv.8
|
||||
usr/share/man/man8/newusers.8
|
||||
usr/share/man/man8/pwck.8
|
||||
usr/share/man/man8/pwconv.8
|
||||
usr/share/man/man8/pwunconv.8
|
||||
usr/share/man/man8/useradd.8
|
||||
usr/share/man/man8/userdel.8
|
||||
usr/share/man/man8/usermod.8
|
||||
usr/share/man/man8/vigr.8
|
||||
usr/share/man/man8/vipw.8
|
||||
Vendored
+2
@@ -0,0 +1,2 @@
|
||||
usr/sbin/vipw usr/sbin/vigr
|
||||
usr/sbin/cppw usr/sbin/cpgr
|
||||
Vendored
+6
@@ -0,0 +1,6 @@
|
||||
passwd: setgid-binary usr/bin/chage 2755 root/shadow
|
||||
passwd: setuid-binary usr/bin/chfn 4755 root/root
|
||||
passwd: setuid-binary usr/bin/chsh 4755 root/root
|
||||
passwd: setgid-binary usr/bin/expiry 2755 root/shadow
|
||||
passwd: setuid-binary usr/bin/gpasswd 4755 root/root
|
||||
passwd: setuid-binary usr/bin/passwd 4755 root/root
|
||||
Vendored
+5
@@ -0,0 +1,5 @@
|
||||
# The PAM configuration file for the Shadow 'newusers' service
|
||||
#
|
||||
|
||||
@include common-password
|
||||
|
||||
Vendored
+6
@@ -0,0 +1,6 @@
|
||||
#
|
||||
# The PAM configuration file for the Shadow `passwd' service
|
||||
#
|
||||
|
||||
@include common-password
|
||||
|
||||
Vendored
+44
@@ -0,0 +1,44 @@
|
||||
#!/bin/sh
|
||||
|
||||
set -e
|
||||
|
||||
case "$1" in
|
||||
configure)
|
||||
# Fix permissions on various log files from old versions of the debian
|
||||
# installer, some unrelated to passwd but we decided to put the fix
|
||||
# here since there was no better place. This can safely be removed
|
||||
# after etch is released.
|
||||
if dpkg --compare-versions "$2" lt "1:4.0.14-9"; then
|
||||
for log in /var/log/base-config* \
|
||||
$(find /var/log/debian-installer/ /var/log/installer/ -type f 2>/dev/null ); do
|
||||
if [ -e "$log" ]; then
|
||||
chmod 600 "$log"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
rm -f /etc/pam.d/passwd.pre-upgrade 2>/dev/null
|
||||
if ! getent group shadow | grep -q '^shadow:[^:]*:42'
|
||||
then
|
||||
groupadd -g 42 shadow || (
|
||||
cat <<EOF
|
||||
Group ID 42 has been allocated for the shadow group. You have either
|
||||
used 42 yourself or created a shadow group with a different ID.
|
||||
Please correct this problem and reconfigure with ``dpkg --configure passwd''.
|
||||
|
||||
Note that both user and group IDs in the range 0-99 are globally
|
||||
allocated by the Debian project and must be the same on every Debian
|
||||
system.
|
||||
EOF
|
||||
exit 1
|
||||
)
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
# Run shadowconfig only on new installs
|
||||
[ -z "$2" ] && shadowconfig on
|
||||
|
||||
#DEBHELPER#
|
||||
|
||||
exit 0
|
||||
Vendored
+51
@@ -0,0 +1,51 @@
|
||||
#! /bin/sh
|
||||
|
||||
#
|
||||
# see: dh_installdeb(1)
|
||||
|
||||
set -e
|
||||
|
||||
# summary of how this script can be called:
|
||||
# * <new-preinst> `install'
|
||||
# * <new-preinst> `install' <old-version>
|
||||
# * <new-preinst> `upgrade' <old-version>
|
||||
# * <old-preinst> `abort-upgrade' <new-version>
|
||||
#
|
||||
# for details, see http://www.debian.org/doc/debian-policy/ or
|
||||
# the debian-policy package
|
||||
|
||||
remove_md5() {
|
||||
if md5sum $1 2>/dev/null |grep -q $2; then
|
||||
cp $1 $1.pre-upgrade
|
||||
sed -e '/^[^#]*[ \t]*password[ \t]*required[ \t]*pam_unix.so/ s/ md5$//' $1 >$1.post-upgrade \
|
||||
&& mv $1.post-upgrade $1
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
case "$1" in
|
||||
install|upgrade)
|
||||
if [ "x$2" != "x" ] ; then
|
||||
if dpkg --compare-versions $2 lt 1:4.0.3 ; then
|
||||
remove_md5 /etc/pam.d/passwd 23a5d1465bbc1e39ca6e0c32f22a75c9
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
|
||||
abort-upgrade)
|
||||
;;
|
||||
|
||||
*)
|
||||
echo "preinst called with unknown argument \`$1'" >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
# dh_installdeb will replace this with shell code automatically
|
||||
# generated by other debhelper scripts.
|
||||
|
||||
#DEBHELPER#
|
||||
|
||||
exit 0
|
||||
|
||||
|
||||
Vendored
+8
@@ -0,0 +1,8 @@
|
||||
# If a password operation is in progress and we lose power, stale lockfiles
|
||||
# can be left behind. Clear them on boot.
|
||||
r! /etc/gshadow.lock
|
||||
r! /etc/shadow.lock
|
||||
r! /etc/passwd.lock
|
||||
r! /etc/group.lock
|
||||
r! /etc/subuid.lock
|
||||
r! /etc/subgid.lock
|
||||
Vendored
+8
@@ -0,0 +1,8 @@
|
||||
# The PAM configuration file for the Shadow 'useradd' service
|
||||
#
|
||||
|
||||
# This allows root to add users without being prompted for a password
|
||||
auth sufficient pam_rootok.so
|
||||
|
||||
# checks for account validity
|
||||
account required pam_permit.so
|
||||
Vendored
+8
@@ -0,0 +1,8 @@
|
||||
# The PAM configuration file for the Shadow 'userdel' service
|
||||
#
|
||||
|
||||
# This allows root to remove users without being prompted for a password
|
||||
auth sufficient pam_rootok.so
|
||||
|
||||
# checks for account validity
|
||||
account required pam_permit.so
|
||||
Vendored
+8
@@ -0,0 +1,8 @@
|
||||
# The PAM configuration file for the Shadow 'groupdel' service
|
||||
#
|
||||
|
||||
# This allows root to remove groups without being prompted for a password
|
||||
auth sufficient pam_rootok.so
|
||||
|
||||
# checks for account validity
|
||||
account required pam_permit.so
|
||||
+183
@@ -0,0 +1,183 @@
|
||||
From 11fc74ffc7172c587bbd2a6399defbd53eab97c6 Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <asarai@suse.de>
|
||||
Date: Thu, 15 Feb 2018 23:49:40 +1100
|
||||
Subject: newgidmap: enforce setgroups=deny if self-mapping a group
|
||||
|
||||
This is necessary to match the kernel-side policy of "self-mapping in a
|
||||
user namespace is fine, but you cannot drop groups" -- a policy that was
|
||||
created in order to stop user namespaces from allowing trivial privilege
|
||||
escalation by dropping supplementary groups that were "blacklisted" from
|
||||
certain paths.
|
||||
|
||||
This is the simplest fix for the underlying issue, and effectively makes
|
||||
it so that unless a user has a valid mapping set in /etc/subgid (which
|
||||
only administrators can modify) -- and they are currently trying to use
|
||||
that mapping -- then /proc/$pid/setgroups will be set to deny. This
|
||||
workaround is only partial, because ideally it should be possible to set
|
||||
an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow
|
||||
administrators to further restrict newgidmap(1).
|
||||
|
||||
We also don't write anything in the "allow" case because "allow" is the
|
||||
default, and users may have already written "deny" even if they
|
||||
technically are allowed to use setgroups. And we don't write anything if
|
||||
the setgroups policy is already "deny".
|
||||
|
||||
Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357
|
||||
Fixes: CVE-2018-7169
|
||||
Reported-by: Craig Furman <craig.furman89@gmail.com>
|
||||
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||
---
|
||||
src/newgidmap.c | 89 ++++++++++++++++++++++++++++++++++++++++++++-----
|
||||
1 file changed, 80 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/src/newgidmap.c b/src/newgidmap.c
|
||||
index b1e33513..59a2e75c 100644
|
||||
--- a/src/newgidmap.c
|
||||
+++ b/src/newgidmap.c
|
||||
@@ -46,32 +46,37 @@
|
||||
*/
|
||||
const char *Prog;
|
||||
|
||||
-static bool verify_range(struct passwd *pw, struct map_range *range)
|
||||
+
|
||||
+static bool verify_range(struct passwd *pw, struct map_range *range, bool *allow_setgroups)
|
||||
{
|
||||
/* An empty range is invalid */
|
||||
if (range->count == 0)
|
||||
return false;
|
||||
|
||||
- /* Test /etc/subgid */
|
||||
- if (have_sub_gids(pw->pw_name, range->lower, range->count))
|
||||
+ /* Test /etc/subgid. If the mapping is valid then we allow setgroups. */
|
||||
+ if (have_sub_gids(pw->pw_name, range->lower, range->count)) {
|
||||
+ *allow_setgroups = true;
|
||||
return true;
|
||||
+ }
|
||||
|
||||
- /* Allow a process to map its own gid */
|
||||
- if ((range->count == 1) && (pw->pw_gid == range->lower))
|
||||
+ /* Allow a process to map its own gid. */
|
||||
+ if ((range->count == 1) && (pw->pw_gid == range->lower)) {
|
||||
+ /* noop -- if setgroups is enabled already we won't disable it. */
|
||||
return true;
|
||||
+ }
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
static void verify_ranges(struct passwd *pw, int ranges,
|
||||
- struct map_range *mappings)
|
||||
+ struct map_range *mappings, bool *allow_setgroups)
|
||||
{
|
||||
struct map_range *mapping;
|
||||
int idx;
|
||||
|
||||
mapping = mappings;
|
||||
for (idx = 0; idx < ranges; idx++, mapping++) {
|
||||
- if (!verify_range(pw, mapping)) {
|
||||
+ if (!verify_range(pw, mapping, allow_setgroups)) {
|
||||
fprintf(stderr, _( "%s: gid range [%lu-%lu) -> [%lu-%lu) not allowed\n"),
|
||||
Prog,
|
||||
mapping->upper,
|
||||
@@ -89,6 +94,70 @@ static void usage(void)
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
+void write_setgroups(int proc_dir_fd, bool allow_setgroups)
|
||||
+{
|
||||
+ int setgroups_fd;
|
||||
+ char *policy, policy_buffer[4096];
|
||||
+
|
||||
+ /*
|
||||
+ * Default is "deny", and any "allow" will out-rank a "deny". We don't
|
||||
+ * forcefully write an "allow" here because the process we are writing
|
||||
+ * mappings for may have already set themselves to "deny" (and "allow"
|
||||
+ * is the default anyway). So allow_setgroups == true is a noop.
|
||||
+ */
|
||||
+ policy = "deny\n";
|
||||
+ if (allow_setgroups)
|
||||
+ return;
|
||||
+
|
||||
+ setgroups_fd = openat(proc_dir_fd, "setgroups", O_RDWR|O_CLOEXEC);
|
||||
+ if (setgroups_fd < 0) {
|
||||
+ /*
|
||||
+ * If it's an ENOENT then we are on too old a kernel for the setgroups
|
||||
+ * code to exist. Emit a warning and bail on this.
|
||||
+ */
|
||||
+ if (ENOENT == errno) {
|
||||
+ fprintf(stderr, _("%s: kernel doesn't support setgroups restrictions\n"), Prog);
|
||||
+ goto out;
|
||||
+ }
|
||||
+ fprintf(stderr, _("%s: couldn't open process setgroups: %s\n"),
|
||||
+ Prog,
|
||||
+ strerror(errno));
|
||||
+ exit(EXIT_FAILURE);
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * Check whether the policy is already what we want. /proc/self/setgroups
|
||||
+ * is write-once, so attempting to write after it's already written to will
|
||||
+ * fail.
|
||||
+ */
|
||||
+ if (read(setgroups_fd, policy_buffer, sizeof(policy_buffer)) < 0) {
|
||||
+ fprintf(stderr, _("%s: failed to read setgroups: %s\n"),
|
||||
+ Prog,
|
||||
+ strerror(errno));
|
||||
+ exit(EXIT_FAILURE);
|
||||
+ }
|
||||
+ if (!strncmp(policy_buffer, policy, strlen(policy)))
|
||||
+ goto out;
|
||||
+
|
||||
+ /* Write the policy. */
|
||||
+ if (lseek(setgroups_fd, 0, SEEK_SET) < 0) {
|
||||
+ fprintf(stderr, _("%s: failed to seek setgroups: %s\n"),
|
||||
+ Prog,
|
||||
+ strerror(errno));
|
||||
+ exit(EXIT_FAILURE);
|
||||
+ }
|
||||
+ if (dprintf(setgroups_fd, "%s", policy) < 0) {
|
||||
+ fprintf(stderr, _("%s: failed to setgroups %s policy: %s\n"),
|
||||
+ Prog,
|
||||
+ policy,
|
||||
+ strerror(errno));
|
||||
+ exit(EXIT_FAILURE);
|
||||
+ }
|
||||
+
|
||||
+out:
|
||||
+ close(setgroups_fd);
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* newgidmap - Set the gid_map for the specified process
|
||||
*/
|
||||
@@ -103,6 +172,7 @@ int main(int argc, char **argv)
|
||||
struct stat st;
|
||||
struct passwd *pw;
|
||||
int written;
|
||||
+ bool allow_setgroups = false;
|
||||
|
||||
Prog = Basename (argv[0]);
|
||||
|
||||
@@ -145,7 +215,7 @@ int main(int argc, char **argv)
|
||||
(unsigned long) getuid ()));
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
-
|
||||
+
|
||||
/* Get the effective uid and effective gid of the target process */
|
||||
if (fstat(proc_dir_fd, &st) < 0) {
|
||||
fprintf(stderr, _("%s: Could not stat directory for target %u\n"),
|
||||
@@ -177,8 +247,9 @@ int main(int argc, char **argv)
|
||||
if (!mappings)
|
||||
usage();
|
||||
|
||||
- verify_ranges(pw, ranges, mappings);
|
||||
+ verify_ranges(pw, ranges, mappings, &allow_setgroups);
|
||||
|
||||
+ write_setgroups(proc_dir_fd, allow_setgroups);
|
||||
write_mapping(proc_dir_fd, ranges, mappings, "gid_map");
|
||||
sub_gid_close();
|
||||
|
||||
--
|
||||
2.30.2
|
||||
|
||||
@@ -0,0 +1,142 @@
|
||||
From cbfa2ff40ce629f55ddd67e3490c311dfcaa4462 Mon Sep 17 00:00:00 2001
|
||||
From: Alejandro Colomar <alx@kernel.org>
|
||||
Date: Sat, 10 Jun 2023 16:20:05 +0200
|
||||
Subject: gpasswd(1): Fix password leak
|
||||
|
||||
How to trigger this password leak?
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
When gpasswd(1) asks for the new password, it asks twice (as is usual
|
||||
for confirming the new password). Each of those 2 password prompts
|
||||
uses agetpass() to get the password. If the second agetpass() fails,
|
||||
the first password, which has been copied into the 'static' buffer
|
||||
'pass' via STRFCPY(), wasn't being zeroed.
|
||||
|
||||
agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and
|
||||
can fail for any of the following reasons:
|
||||
|
||||
- malloc(3) or readpassphrase(3) failure.
|
||||
|
||||
These are going to be difficult to trigger. Maybe getting the system
|
||||
to the limits of memory utilization at that exact point, so that the
|
||||
next malloc(3) gets ENOMEM, and possibly even the OOM is triggered.
|
||||
About readpassphrase(3), ENFILE and EINTR seem the only plausible
|
||||
ones, and EINTR probably requires privilege or being the same user;
|
||||
but I wouldn't discard ENFILE so easily, if a process starts opening
|
||||
files.
|
||||
|
||||
- The password is longer than PASS_MAX.
|
||||
|
||||
The is plausible with physical access. However, at that point, a
|
||||
keylogger will be a much simpler attack.
|
||||
|
||||
And, the attacker must be able to know when the second password is being
|
||||
introduced, which is not going to be easy.
|
||||
|
||||
How to read the password after the leak?
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Provoking the leak yourself at the right point by entering a very long
|
||||
password is easy, and inspecting the process stack at that point should
|
||||
be doable. Try to find some consistent patterns.
|
||||
|
||||
Then, search for those patterns in free memory, right after the victim
|
||||
leaks their password.
|
||||
|
||||
Once you get the leak, a program should read all the free memory
|
||||
searching for patterns that gpasswd(1) leaves nearby the leaked
|
||||
password.
|
||||
|
||||
On 6/10/23 03:14, Seth Arnold wrote:
|
||||
> An attacker process wouldn't be able to use malloc(3) for this task.
|
||||
> There's a handful of tools available for userspace to allocate memory:
|
||||
>
|
||||
> - brk / sbrk
|
||||
> - mmap MAP_ANONYMOUS
|
||||
> - mmap /dev/zero
|
||||
> - mmap some other file
|
||||
> - shm_open
|
||||
> - shmget
|
||||
>
|
||||
> Most of these return only pages of zeros to a process. Using mmap of an
|
||||
> existing file, you can get some of the contents of the file demand-loaded
|
||||
> into the memory space on the first use.
|
||||
>
|
||||
> The MAP_UNINITIALIZED flag only works if the kernel was compiled with
|
||||
> CONFIG_MMAP_ALLOW_UNINITIALIZED. This is rare.
|
||||
>
|
||||
> malloc(3) doesn't zero memory, to our collective frustration, but all the
|
||||
> garbage in the allocations is from previous allocations in the current
|
||||
> process. It isn't leftover from other processes.
|
||||
>
|
||||
> The avenues available for reading the memory:
|
||||
> - /dev/mem and /dev/kmem (requires root, not available with Secure Boot)
|
||||
> - /proc/pid/mem (requires ptrace privileges, mediated by YAMA)
|
||||
> - ptrace (requires ptrace privileges, mediated by YAMA)
|
||||
> - causing memory to be swapped to disk, and then inspecting the swap
|
||||
>
|
||||
> These all require a certain amount of privileges.
|
||||
|
||||
How to fix it?
|
||||
~~~~~~~~~~~~~~
|
||||
|
||||
memzero(), which internally calls explicit_bzero(3), or whatever
|
||||
alternative the system provides with a slightly different name, will
|
||||
make sure that the buffer is zeroed in memory, and optimizations are not
|
||||
allowed to impede this zeroing.
|
||||
|
||||
This is not really 100% effective, since compilers may place copies of
|
||||
the string somewhere hidden in the stack. Those copies won't get zeroed
|
||||
by explicit_bzero(3). However, that's arguably a compiler bug, since
|
||||
compilers should make everything possible to avoid optimizing strings
|
||||
that are later passed to explicit_bzero(3). But we all know that
|
||||
sometimes it's impossible to have perfect knowledge in the compiler, so
|
||||
this is plausible. Nevertheless, there's nothing we can do against such
|
||||
issues, except minimizing the time such passwords are stored in plain
|
||||
text.
|
||||
|
||||
Security concerns
|
||||
~~~~~~~~~~~~~~~~~
|
||||
|
||||
We believe this isn't easy to exploit. Nevertheless, and since the fix
|
||||
is trivial, this fix should probably be applied soon, and backported to
|
||||
all supported distributions, to prevent someone else having more
|
||||
imagination than us to find a way.
|
||||
|
||||
Affected versions
|
||||
~~~~~~~~~~~~~~~~~
|
||||
|
||||
All. Bug introduced in shadow 19990709. That's the second commit in
|
||||
the git history.
|
||||
|
||||
Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)")
|
||||
Reported-by: Alejandro Colomar <alx@kernel.org>
|
||||
Cc: Serge Hallyn <serge@hallyn.com>
|
||||
Cc: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Cc: Seth Arnold <seth.arnold@canonical.com>
|
||||
Cc: Christian Brauner <christian@brauner.io>
|
||||
Cc: Balint Reczey <rbalint@debian.org>
|
||||
Cc: Sam James <sam@gentoo.org>
|
||||
Cc: David Runge <dvzrv@archlinux.org>
|
||||
Cc: Andreas Jaeger <aj@suse.de>
|
||||
Cc: <~hallyn/shadow@lists.sr.ht>
|
||||
Signed-off-by: Alejandro Colomar <alx@kernel.org>
|
||||
---
|
||||
src/gpasswd.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/gpasswd.c b/src/gpasswd.c
|
||||
index c4a492b1..cbbd8068 100644
|
||||
--- a/src/gpasswd.c
|
||||
+++ b/src/gpasswd.c
|
||||
@@ -917,6 +917,7 @@ static void change_passwd (struct group *gr)
|
||||
strzero (cp);
|
||||
cp = getpass (_("Re-enter new password: "));
|
||||
if (NULL == cp) {
|
||||
+ memzero (pass, sizeof pass);
|
||||
exit (1);
|
||||
}
|
||||
|
||||
--
|
||||
2.30.2
|
||||
|
||||
@@ -0,0 +1,45 @@
|
||||
From b42c60bc8f026b250810a75bafe865338d734ec3 Mon Sep 17 00:00:00 2001
|
||||
From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com>
|
||||
Date: Thu, 23 Mar 2023 23:39:38 +0000
|
||||
Subject: Added control character check
|
||||
|
||||
Added control character check, returning -1 (to "err") if control characters are present.
|
||||
---
|
||||
lib/fields.c | 11 +++++++----
|
||||
1 file changed, 7 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/lib/fields.c b/lib/fields.c
|
||||
index 649fae17..b8f13ba7 100644
|
||||
--- a/lib/fields.c
|
||||
+++ b/lib/fields.c
|
||||
@@ -44,9 +44,9 @@
|
||||
*
|
||||
* The supplied field is scanned for non-printable and other illegal
|
||||
* characters.
|
||||
- * + -1 is returned if an illegal character is present.
|
||||
- * + 1 is returned if no illegal characters are present, but the field
|
||||
- * contains a non-printable character.
|
||||
+ * + -1 is returned if an illegal or control character is present.
|
||||
+ * + 1 is returned if no illegal or control characters are present,
|
||||
+ * but the field contains a non-printable character.
|
||||
* + 0 is returned otherwise.
|
||||
*/
|
||||
int valid_field (const char *field, const char *illegal)
|
||||
@@ -68,10 +68,13 @@ int valid_field (const char *field, const char *illegal)
|
||||
}
|
||||
|
||||
if (0 == err) {
|
||||
- /* Search if there are some non-printable characters */
|
||||
+ /* Search if there are non-printable or control characters */
|
||||
for (cp = field; '\0' != *cp; cp++) {
|
||||
if (!isprint (*cp)) {
|
||||
err = 1;
|
||||
+ }
|
||||
+ if (!iscntrl (*cp)) {
|
||||
+ err = -1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
--
|
||||
2.30.2
|
||||
|
||||
+61
@@ -0,0 +1,61 @@
|
||||
From 261c9cd274f07361c304d3993e325fe29d4bad14 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Fri, 31 Mar 2023 14:46:50 +0200
|
||||
Subject: Overhaul valid_field()
|
||||
|
||||
e5905c4b ("Added control character check") introduced checking for
|
||||
control characters but had the logic inverted, so it rejects all
|
||||
characters that are not control ones.
|
||||
|
||||
Cast the character to `unsigned char` before passing to the character
|
||||
checking functions to avoid UB.
|
||||
|
||||
Use strpbrk(3) for the illegal character test and return early.
|
||||
---
|
||||
lib/fields.c | 24 ++++++++++--------------
|
||||
1 file changed, 10 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/lib/fields.c b/lib/fields.c
|
||||
index b8f13ba7..191257e8 100644
|
||||
--- a/lib/fields.c
|
||||
+++ b/lib/fields.c
|
||||
@@ -60,26 +60,22 @@ int valid_field (const char *field, const char *illegal)
|
||||
|
||||
/* For each character of field, search if it appears in the list
|
||||
* of illegal characters. */
|
||||
+ if (illegal && NULL != strpbrk (field, illegal)) {
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ /* Search if there are non-printable or control characters */
|
||||
for (cp = field; '\0' != *cp; cp++) {
|
||||
- if (strchr (illegal, *cp) != NULL) {
|
||||
+ unsigned char c = *cp;
|
||||
+ if (!isprint (c)) {
|
||||
+ err = 1;
|
||||
+ }
|
||||
+ if (iscntrl (c)) {
|
||||
err = -1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
- if (0 == err) {
|
||||
- /* Search if there are non-printable or control characters */
|
||||
- for (cp = field; '\0' != *cp; cp++) {
|
||||
- if (!isprint (*cp)) {
|
||||
- err = 1;
|
||||
- }
|
||||
- if (!iscntrl (*cp)) {
|
||||
- err = -1;
|
||||
- break;
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
-
|
||||
return err;
|
||||
}
|
||||
|
||||
--
|
||||
2.30.2
|
||||
|
||||
+55
@@ -0,0 +1,55 @@
|
||||
Goal: Log login failures to the btmp file
|
||||
|
||||
Notes:
|
||||
* I'm not sure login should add an entry in the FTMP file when PAM is used.
|
||||
(but nothing in /etc/login.defs indicates that the failure is not logged)
|
||||
|
||||
Index: shadow-4.4/src/login.c
|
||||
===================================================================
|
||||
--- shadow-4.4.orig/src/login.c
|
||||
+++ shadow-4.4/src/login.c
|
||||
@@ -834,6 +834,24 @@ int main (int argc, char **argv)
|
||||
(void) puts ("");
|
||||
(void) puts (_("Login incorrect"));
|
||||
|
||||
+ if (getdef_str("FTMP_FILE") != NULL) {
|
||||
+#ifdef USE_UTMPX
|
||||
+ struct utmpx *failent =
|
||||
+ prepare_utmpx (failent_user,
|
||||
+ tty,
|
||||
+ /* FIXME: or fromhost? */hostname,
|
||||
+ utent);
|
||||
+#else /* !USE_UTMPX */
|
||||
+ struct utmp *failent =
|
||||
+ prepare_utmp (failent_user,
|
||||
+ tty,
|
||||
+ hostname,
|
||||
+ utent);
|
||||
+#endif /* !USE_UTMPX */
|
||||
+ failtmp (failent_user, failent);
|
||||
+ free (failent);
|
||||
+ }
|
||||
+
|
||||
if (failcount >= retries) {
|
||||
SYSLOG ((LOG_NOTICE,
|
||||
"TOO MANY LOGIN TRIES (%u)%s FOR '%s'",
|
||||
Index: shadow-4.4/lib/getdef.c
|
||||
===================================================================
|
||||
--- shadow-4.4.orig/lib/getdef.c
|
||||
+++ shadow-4.4/lib/getdef.c
|
||||
@@ -57,7 +57,6 @@ struct itemdef {
|
||||
{"ENVIRON_FILE", NULL}, \
|
||||
{"ENV_TZ", NULL}, \
|
||||
{"FAILLOG_ENAB", NULL}, \
|
||||
- {"FTMP_FILE", NULL}, \
|
||||
{"ISSUE_FILE", NULL}, \
|
||||
{"LASTLOG_ENAB", NULL}, \
|
||||
{"LOGIN_STRING", NULL}, \
|
||||
@@ -88,6 +87,7 @@ static struct itemdef def_table[] = {
|
||||
{"ERASECHAR", NULL},
|
||||
{"FAIL_DELAY", NULL},
|
||||
{"FAKE_SHELL", NULL},
|
||||
+ {"FTMP_FILE", NULL},
|
||||
{"GID_MAX", NULL},
|
||||
{"GID_MIN", NULL},
|
||||
{"HUSHLOGIN_FILE", NULL},
|
||||
Vendored
+276
@@ -0,0 +1,276 @@
|
||||
#! /bin/sh /usr/share/dpatch/dpatch-run
|
||||
## 401_cppw_src.dpatch by Nicolas FRANCOIS <nicolas.francois@centraliens.net>
|
||||
##
|
||||
## All lines beginning with `## DP:' are a description of the patch.
|
||||
## DP: Add cppw / cpgr
|
||||
|
||||
@DPATCH@
|
||||
--- /dev/null
|
||||
+++ b/src/cppw.c
|
||||
@@ -0,0 +1,238 @@
|
||||
+/*
|
||||
+ cppw, cpgr copy with locking given file over the password or group file
|
||||
+ with -s will copy with locking given file over shadow or gshadow file
|
||||
+
|
||||
+ Copyright (C) 1999 Stephen Frost <sfrost@snowman.net>
|
||||
+
|
||||
+ Based on vipw, vigr by:
|
||||
+ Copyright (C) 1997 Guy Maor <maor@ece.utexas.edu>
|
||||
+
|
||||
+ This program is free software; you can redistribute it and/or modify
|
||||
+ it under the terms of the GNU General Public License as published by
|
||||
+ the Free Software Foundation; either version 2 of the License, or
|
||||
+ (at your option) any later version.
|
||||
+
|
||||
+ This program is distributed in the hope that it will be useful, but
|
||||
+ WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+ General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU General Public License
|
||||
+ along with this program; if not, write to the Free Software
|
||||
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
||||
+
|
||||
+ */
|
||||
+
|
||||
+#include <config.h>
|
||||
+#include "defines.h"
|
||||
+
|
||||
+#include <errno.h>
|
||||
+#include <sys/stat.h>
|
||||
+#include <unistd.h>
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <signal.h>
|
||||
+#include <utime.h>
|
||||
+#include "exitcodes.h"
|
||||
+#include "prototypes.h"
|
||||
+#include "pwio.h"
|
||||
+#include "shadowio.h"
|
||||
+#include "groupio.h"
|
||||
+#include "sgroupio.h"
|
||||
+
|
||||
+
|
||||
+const char *Prog;
|
||||
+
|
||||
+const char *filename, *filenewname;
|
||||
+static bool filelocked = false;
|
||||
+static int (*unlock) (void);
|
||||
+
|
||||
+/* local function prototypes */
|
||||
+static int create_copy (FILE *fp, const char *dest, struct stat *sb);
|
||||
+static void cppwexit (const char *msg, int syserr, int ret);
|
||||
+static void cppwcopy (const char *file,
|
||||
+ const char *in_file,
|
||||
+ int (*file_lock) (void),
|
||||
+ int (*file_unlock) (void));
|
||||
+
|
||||
+static int create_copy (FILE *fp, const char *dest, struct stat *sb)
|
||||
+{
|
||||
+ struct utimbuf ub;
|
||||
+ FILE *bkfp;
|
||||
+ int c;
|
||||
+ mode_t mask;
|
||||
+
|
||||
+ mask = umask (077);
|
||||
+ bkfp = fopen (dest, "w");
|
||||
+ (void) umask (mask);
|
||||
+ if (NULL == bkfp) {
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ rewind (fp);
|
||||
+ while ((c = getc (fp)) != EOF) {
|
||||
+ if (putc (c, bkfp) == EOF) {
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if ( (c != EOF)
|
||||
+ || (fflush (bkfp) != 0)) {
|
||||
+ (void) fclose (bkfp);
|
||||
+ (void) unlink (dest);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ if ( (fsync (fileno (bkfp)) != 0)
|
||||
+ || (fclose (bkfp) != 0)) {
|
||||
+ (void) unlink (dest);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ ub.actime = sb->st_atime;
|
||||
+ ub.modtime = sb->st_mtime;
|
||||
+ if ( (utime (dest, &ub) != 0)
|
||||
+ || (chmod (dest, sb->st_mode) != 0)
|
||||
+ || (chown (dest, sb->st_uid, sb->st_gid) != 0)) {
|
||||
+ (void) unlink (dest);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static void cppwexit (const char *msg, int syserr, int ret)
|
||||
+{
|
||||
+ int err = errno;
|
||||
+ if (filelocked) {
|
||||
+ (*unlock) ();
|
||||
+ }
|
||||
+ if (NULL != msg) {
|
||||
+ fprintf (stderr, "%s: %s", Prog, msg);
|
||||
+ if (0 != syserr) {
|
||||
+ fprintf (stderr, ": %s", strerror (err));
|
||||
+ }
|
||||
+ (void) fputs ("\n", stderr);
|
||||
+ }
|
||||
+ if (NULL != filename) {
|
||||
+ fprintf (stderr, _("%s: %s is unchanged\n"), Prog, filename);
|
||||
+ } else {
|
||||
+ fprintf (stderr, _("%s: no changes\n"), Prog);
|
||||
+ }
|
||||
+
|
||||
+ exit (ret);
|
||||
+}
|
||||
+
|
||||
+static void cppwcopy (const char *file,
|
||||
+ const char *in_file,
|
||||
+ int (*file_lock) (void),
|
||||
+ int (*file_unlock) (void))
|
||||
+{
|
||||
+ struct stat st1;
|
||||
+ FILE *f;
|
||||
+ char filenew[1024];
|
||||
+
|
||||
+ snprintf (filenew, sizeof filenew, "%s.new", file);
|
||||
+ unlock = file_unlock;
|
||||
+ filename = file;
|
||||
+ filenewname = filenew;
|
||||
+
|
||||
+ if (access (file, F_OK) != 0) {
|
||||
+ cppwexit (file, 1, 1);
|
||||
+ }
|
||||
+ if (file_lock () == 0) {
|
||||
+ cppwexit (_("Couldn't lock file"), 0, 5);
|
||||
+ }
|
||||
+ filelocked = true;
|
||||
+
|
||||
+ /* file to copy has same owners, perm */
|
||||
+ if (stat (file, &st1) != 0) {
|
||||
+ cppwexit (file, 1, 1);
|
||||
+ }
|
||||
+ f = fopen (in_file, "r");
|
||||
+ if (NULL == f) {
|
||||
+ cppwexit (in_file, 1, 1);
|
||||
+ }
|
||||
+ if (create_copy (f, filenew, &st1) != 0) {
|
||||
+ cppwexit (_("Couldn't make copy"), errno, 1);
|
||||
+ }
|
||||
+
|
||||
+ /* XXX - here we should check filenew for errors; if there are any,
|
||||
+ * fail w/ an appropriate error code and let the user manually fix
|
||||
+ * it. Use pwck or grpck to do the check. - Stephen (Shamelessly
|
||||
+ * stolen from '--marekm's comment) */
|
||||
+
|
||||
+ if (rename (filenew, file) != 0) {
|
||||
+ fprintf (stderr, _("%s: can't copy %s: %s)\n"),
|
||||
+ Prog, filenew, strerror (errno));
|
||||
+ cppwexit (NULL,0,1);
|
||||
+ }
|
||||
+
|
||||
+ (*file_unlock) ();
|
||||
+}
|
||||
+
|
||||
+int main (int argc, char **argv)
|
||||
+{
|
||||
+ int flag;
|
||||
+ bool cpshadow = false;
|
||||
+ char *in_file;
|
||||
+ int e = E_USAGE;
|
||||
+ bool do_cppw = true;
|
||||
+
|
||||
+ (void) setlocale (LC_ALL, "");
|
||||
+ (void) bindtextdomain (PACKAGE, LOCALEDIR);
|
||||
+ (void) textdomain (PACKAGE);
|
||||
+
|
||||
+ Prog = Basename (argv[0]);
|
||||
+ if (strcmp (Prog, "cpgr") == 0) {
|
||||
+ do_cppw = false;
|
||||
+ }
|
||||
+
|
||||
+ while ((flag = getopt (argc, argv, "ghps")) != EOF) {
|
||||
+ switch (flag) {
|
||||
+ case 'p':
|
||||
+ do_cppw = true;
|
||||
+ break;
|
||||
+ case 'g':
|
||||
+ do_cppw = false;
|
||||
+ break;
|
||||
+ case 's':
|
||||
+ cpshadow = true;
|
||||
+ break;
|
||||
+ case 'h':
|
||||
+ e = E_SUCCESS;
|
||||
+ /*pass through*/
|
||||
+ default:
|
||||
+ (void) fputs (_("Usage:\n\
|
||||
+`cppw <file>' copys over /etc/passwd `cppw -s <file>' copys over /etc/shadow\n\
|
||||
+`cpgr <file>' copys over /etc/group `cpgr -s <file>' copys over /etc/gshadow\n\
|
||||
+"), (E_SUCCESS != e) ? stderr : stdout);
|
||||
+ exit (e);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (argc != optind + 1) {
|
||||
+ cppwexit (_("wrong number of arguments, -h for usage"),0,1);
|
||||
+ }
|
||||
+
|
||||
+ in_file = argv[optind];
|
||||
+
|
||||
+ if (do_cppw) {
|
||||
+ if (cpshadow) {
|
||||
+ cppwcopy (SHADOW_FILE, in_file, spw_lock, spw_unlock);
|
||||
+ } else {
|
||||
+ cppwcopy (PASSWD_FILE, in_file, pw_lock, pw_unlock);
|
||||
+ }
|
||||
+ } else {
|
||||
+#ifdef SHADOWGRP
|
||||
+ if (cpshadow) {
|
||||
+ cppwcopy (SGROUP_FILE, in_file, sgr_lock, sgr_unlock);
|
||||
+ } else
|
||||
+#endif /* SHADOWGRP */
|
||||
+ {
|
||||
+ cppwcopy (GROUP_FILE, in_file, gr_lock, gr_unlock);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
--- a/src/Makefile.am
|
||||
+++ b/src/Makefile.am
|
||||
@@ -30,6 +30,7 @@
|
||||
ubin_PROGRAMS += newgidmap newuidmap
|
||||
endif
|
||||
usbin_PROGRAMS = \
|
||||
+ cppw \
|
||||
chgpasswd \
|
||||
chpasswd \
|
||||
groupadd \
|
||||
@@ -90,6 +91,7 @@
|
||||
chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
|
||||
chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
|
||||
chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
|
||||
+cppw_LDADD = $(LDADD) $(LIBSELINUX)
|
||||
gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
|
||||
groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
|
||||
groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
|
||||
--- a/po/POTFILES.in
|
||||
+++ b/po/POTFILES.in
|
||||
@@ -85,6 +85,7 @@
|
||||
src/chgpasswd.c
|
||||
src/chpasswd.c
|
||||
src/chsh.c
|
||||
+src/cppw.c
|
||||
src/expiry.c
|
||||
src/faillog.c
|
||||
src/gpasswd.c
|
||||
Vendored
+64
@@ -0,0 +1,64 @@
|
||||
Goal: Add selinux support to cppw
|
||||
|
||||
Fix:
|
||||
|
||||
Status wrt upstream: cppw is not available upstream.
|
||||
The patch was made based on the
|
||||
302_vim_selinux_support patch. It needs to be
|
||||
reviewed by an SE-Linux aware person.
|
||||
|
||||
Depends on 401_cppw_src.dpatch
|
||||
|
||||
Index: git/src/cppw.c
|
||||
===================================================================
|
||||
--- git.orig/src/cppw.c
|
||||
+++ git/src/cppw.c
|
||||
@@ -34,6 +34,9 @@
|
||||
#include <sys/types.h>
|
||||
#include <signal.h>
|
||||
#include <utime.h>
|
||||
+#ifdef WITH_SELINUX
|
||||
+#include <selinux/selinux.h>
|
||||
+#endif /* WITH_SELINUX */
|
||||
#include "exitcodes.h"
|
||||
#include "prototypes.h"
|
||||
#include "pwio.h"
|
||||
@@ -139,6 +142,22 @@
|
||||
if (access (file, F_OK) != 0) {
|
||||
cppwexit (file, 1, 1);
|
||||
}
|
||||
+#ifdef WITH_SELINUX
|
||||
+ /* if SE Linux is enabled then set the context of all new files
|
||||
+ * to be the context of the file we are editing */
|
||||
+ if (is_selinux_enabled () > 0) {
|
||||
+ security_context_t passwd_context=NULL;
|
||||
+ int ret = 0;
|
||||
+ if (getfilecon (file, &passwd_context) < 0) {
|
||||
+ cppwexit (_("Couldn't get file context"), errno, 1);
|
||||
+ }
|
||||
+ ret = setfscreatecon (passwd_context);
|
||||
+ freecon (passwd_context);
|
||||
+ if (0 != ret) {
|
||||
+ cppwexit (_("setfscreatecon () failed"), errno, 1);
|
||||
+ }
|
||||
+ }
|
||||
+#endif /* WITH_SELINUX */
|
||||
if (file_lock () == 0) {
|
||||
cppwexit (_("Couldn't lock file"), 0, 5);
|
||||
}
|
||||
@@ -167,6 +186,15 @@
|
||||
cppwexit (NULL,0,1);
|
||||
}
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ /* unset the fscreatecon */
|
||||
+ if (is_selinux_enabled () > 0) {
|
||||
+ if (setfscreatecon (NULL)) {
|
||||
+ cppwexit (_("setfscreatecon() failed"), errno, 1);
|
||||
+ }
|
||||
+ }
|
||||
+#endif /* WITH_SELINUX */
|
||||
+
|
||||
(*file_unlock) ();
|
||||
}
|
||||
|
||||
+88
@@ -0,0 +1,88 @@
|
||||
Goal: Re-enable logging and displaying failures on login when login is
|
||||
compiled with PAM and when FAILLOG_ENAB is set to yes. And create the
|
||||
faillog file if it does not exist on postinst (as on Woody).
|
||||
Depends: 008_login_more_LOG_UNKFAIL_ENAB
|
||||
Fixes: #192849
|
||||
|
||||
Note: It could be removed if pam_tally could report the number of failures
|
||||
preceding a successful login.
|
||||
|
||||
Index: shadow-4.4/src/login.c
|
||||
===================================================================
|
||||
--- shadow-4.4.orig/src/login.c
|
||||
+++ shadow-4.4/src/login.c
|
||||
@@ -131,9 +131,9 @@ static void update_utmp (const char *use
|
||||
const char *host,
|
||||
/*@null@*/const struct utmp *utent);
|
||||
|
||||
-#ifndef USE_PAM
|
||||
static struct faillog faillog;
|
||||
|
||||
+#ifndef USE_PAM
|
||||
static void bad_time_notify (void);
|
||||
static void check_nologin (bool login_to_root);
|
||||
#else
|
||||
@@ -794,6 +794,9 @@ int main (int argc, char **argv)
|
||||
SYSLOG ((LOG_NOTICE,
|
||||
"TOO MANY LOGIN TRIES (%u)%s FOR '%s'",
|
||||
failcount, fromhost, failent_user));
|
||||
+ if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) {
|
||||
+ failure (pwd->pw_uid, tty, &faillog);
|
||||
+ }
|
||||
fprintf (stderr,
|
||||
_("Maximum number of tries exceeded (%u)\n"),
|
||||
failcount);
|
||||
@@ -811,6 +814,14 @@ int main (int argc, char **argv)
|
||||
pam_strerror (pamh, retcode)));
|
||||
failed = true;
|
||||
}
|
||||
+ if ( (NULL != pwd)
|
||||
+ && getdef_bool("FAILLOG_ENAB")
|
||||
+ && ! failcheck (pwd->pw_uid, &faillog, failed)) {
|
||||
+ SYSLOG((LOG_CRIT,
|
||||
+ "exceeded failure limit for `%s' %s",
|
||||
+ failent_user, fromhost));
|
||||
+ failed = 1;
|
||||
+ }
|
||||
|
||||
if (!failed) {
|
||||
break;
|
||||
@@ -834,6 +845,10 @@ int main (int argc, char **argv)
|
||||
(void) puts ("");
|
||||
(void) puts (_("Login incorrect"));
|
||||
|
||||
+ if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) {
|
||||
+ failure (pwd->pw_uid, tty, &faillog);
|
||||
+ }
|
||||
+
|
||||
if (getdef_str("FTMP_FILE") != NULL) {
|
||||
#ifdef USE_UTMPX
|
||||
struct utmpx *failent =
|
||||
@@ -1288,6 +1303,7 @@ int main (int argc, char **argv)
|
||||
*/
|
||||
#ifndef USE_PAM
|
||||
motd (); /* print the message of the day */
|
||||
+#endif
|
||||
if ( getdef_bool ("FAILLOG_ENAB")
|
||||
&& (0 != faillog.fail_cnt)) {
|
||||
failprint (&faillog);
|
||||
@@ -1300,6 +1316,7 @@ int main (int argc, char **argv)
|
||||
username, (int) faillog.fail_cnt));
|
||||
}
|
||||
}
|
||||
+#ifndef USE_PAM
|
||||
if ( getdef_bool ("LASTLOG_ENAB")
|
||||
&& (ll.ll_time != 0)) {
|
||||
time_t ll_time = ll.ll_time;
|
||||
Index: shadow-4.4/lib/getdef.c
|
||||
===================================================================
|
||||
--- shadow-4.4.orig/lib/getdef.c
|
||||
+++ shadow-4.4/lib/getdef.c
|
||||
@@ -86,6 +86,7 @@ static struct itemdef def_table[] = {
|
||||
{"ENV_SUPATH", NULL},
|
||||
{"ERASECHAR", NULL},
|
||||
{"FAIL_DELAY", NULL},
|
||||
+ {"FAILLOG_ENAB", NULL},
|
||||
{"FAKE_SHELL", NULL},
|
||||
{"FTMP_FILE", NULL},
|
||||
{"GID_MAX", NULL},
|
||||
+101
@@ -0,0 +1,101 @@
|
||||
Goal: Do not hardcode pam_fail_delay and let pam_unix do its
|
||||
job to set a delay...or not
|
||||
|
||||
Fixes: #87648
|
||||
|
||||
Status wrt upstream: Forwarded but not applied yet
|
||||
|
||||
Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
|
||||
|
||||
Index: shadow-4.4/src/login.c
|
||||
===================================================================
|
||||
--- shadow-4.4.orig/src/login.c
|
||||
+++ shadow-4.4/src/login.c
|
||||
@@ -525,7 +525,6 @@ int main (int argc, char **argv)
|
||||
#if defined(HAVE_STRFTIME) && !defined(USE_PAM)
|
||||
char ptime[80];
|
||||
#endif
|
||||
- unsigned int delay;
|
||||
unsigned int retries;
|
||||
bool subroot = false;
|
||||
#ifndef USE_PAM
|
||||
@@ -546,6 +545,7 @@ int main (int argc, char **argv)
|
||||
pid_t child;
|
||||
char *pam_user = NULL;
|
||||
#else
|
||||
+ unsigned int delay;
|
||||
struct spwd *spwd = NULL;
|
||||
#endif
|
||||
/*
|
||||
@@ -708,7 +708,6 @@ int main (int argc, char **argv)
|
||||
}
|
||||
|
||||
environ = newenvp; /* make new environment active */
|
||||
- delay = getdef_unum ("FAIL_DELAY", 1);
|
||||
retries = getdef_unum ("LOGIN_RETRIES", RETRIES);
|
||||
|
||||
#ifdef USE_PAM
|
||||
@@ -724,8 +723,7 @@ int main (int argc, char **argv)
|
||||
|
||||
/*
|
||||
* hostname & tty are either set to NULL or their correct values,
|
||||
- * depending on how much we know. We also set PAM's fail delay to
|
||||
- * ours.
|
||||
+ * depending on how much we know.
|
||||
*
|
||||
* PAM_RHOST and PAM_TTY are used for authentication, only use
|
||||
* information coming from login or from the caller (e.g. no utmp)
|
||||
@@ -734,10 +732,6 @@ int main (int argc, char **argv)
|
||||
PAM_FAIL_CHECK;
|
||||
retcode = pam_set_item (pamh, PAM_TTY, tty);
|
||||
PAM_FAIL_CHECK;
|
||||
-#ifdef HAS_PAM_FAIL_DELAY
|
||||
- retcode = pam_fail_delay (pamh, 1000000 * delay);
|
||||
- PAM_FAIL_CHECK;
|
||||
-#endif
|
||||
/* if fflg, then the user has already been authenticated */
|
||||
if (!fflg) {
|
||||
unsigned int failcount = 0;
|
||||
@@ -778,12 +772,6 @@ int main (int argc, char **argv)
|
||||
bool failed = false;
|
||||
|
||||
failcount++;
|
||||
-#ifdef HAS_PAM_FAIL_DELAY
|
||||
- if (delay > 0) {
|
||||
- retcode = pam_fail_delay(pamh, 1000000*delay);
|
||||
- PAM_FAIL_CHECK;
|
||||
- }
|
||||
-#endif
|
||||
|
||||
retcode = pam_authenticate (pamh, 0);
|
||||
|
||||
@@ -1106,14 +1094,17 @@ int main (int argc, char **argv)
|
||||
free (username);
|
||||
username = NULL;
|
||||
|
||||
+#ifndef USE_PAM
|
||||
/*
|
||||
* Wait a while (a la SVR4 /usr/bin/login) before attempting
|
||||
* to login the user again. If the earlier alarm occurs
|
||||
* before the sleep() below completes, login will exit.
|
||||
*/
|
||||
+ delay = getdef_unum ("FAIL_DELAY", 1);
|
||||
if (delay > 0) {
|
||||
(void) sleep (delay);
|
||||
}
|
||||
+#endif
|
||||
|
||||
(void) puts (_("Login incorrect"));
|
||||
|
||||
Index: shadow-4.4/lib/getdef.c
|
||||
===================================================================
|
||||
--- shadow-4.4.orig/lib/getdef.c
|
||||
+++ shadow-4.4/lib/getdef.c
|
||||
@@ -85,7 +85,6 @@ static struct itemdef def_table[] = {
|
||||
{"ENV_PATH", NULL},
|
||||
{"ENV_SUPATH", NULL},
|
||||
{"ERASECHAR", NULL},
|
||||
- {"FAIL_DELAY", NULL},
|
||||
{"FAILLOG_ENAB", NULL},
|
||||
{"FAKE_SHELL", NULL},
|
||||
{"FTMP_FILE", NULL},
|
||||
+60
@@ -0,0 +1,60 @@
|
||||
Goal: save the [g]shadow files with the 'shadow' group and mode 0440
|
||||
|
||||
Fixes: #166793
|
||||
|
||||
--- a/lib/commonio.c
|
||||
+++ b/lib/commonio.c
|
||||
@@ -44,6 +44,7 @@
|
||||
#include <errno.h>
|
||||
#include <stdio.h>
|
||||
#include <signal.h>
|
||||
+#include <grp.h>
|
||||
#include "nscd.h"
|
||||
#ifdef WITH_TCB
|
||||
#include <tcb.h>
|
||||
@@ -963,12 +964,23 @@
|
||||
goto fail;
|
||||
}
|
||||
} else {
|
||||
+ struct group *grp;
|
||||
/*
|
||||
* Default permissions for new [g]shadow files.
|
||||
*/
|
||||
sb.st_mode = db->st_mode;
|
||||
sb.st_uid = db->st_uid;
|
||||
sb.st_gid = db->st_gid;
|
||||
+
|
||||
+ /*
|
||||
+ * Try to retrieve the shadow's GID, and fall back to GID 0.
|
||||
+ */
|
||||
+ if (sb.st_gid == 0) {
|
||||
+ if ((grp = getgrnam("shadow")) != NULL)
|
||||
+ sb.st_gid = grp->gr_gid;
|
||||
+ else
|
||||
+ sb.st_gid = 0;
|
||||
+ }
|
||||
}
|
||||
|
||||
snprintf (buf, sizeof buf, "%s+", db->filename);
|
||||
--- a/lib/sgroupio.c
|
||||
+++ b/lib/sgroupio.c
|
||||
@@ -229,7 +229,7 @@
|
||||
#ifdef WITH_SELINUX
|
||||
NULL, /* scontext */
|
||||
#endif
|
||||
- 0400, /* st_mode */
|
||||
+ 0440, /* st_mode */
|
||||
0, /* st_uid */
|
||||
0, /* st_gid */
|
||||
NULL, /* head */
|
||||
--- a/lib/shadowio.c
|
||||
+++ b/lib/shadowio.c
|
||||
@@ -105,7 +105,7 @@
|
||||
#ifdef WITH_SELINUX
|
||||
NULL, /* scontext */
|
||||
#endif /* WITH_SELINUX */
|
||||
- 0400, /* st_mode */
|
||||
+ 0440, /* st_mode */
|
||||
0, /* st_uid */
|
||||
0, /* st_gid */
|
||||
NULL, /* head */
|
||||
Vendored
+201
@@ -0,0 +1,201 @@
|
||||
Goal: Document the shadowconfig utility
|
||||
|
||||
Status wrt upstream: The shadowconfig utility is debian specific.
|
||||
Its man page also (but it used to be distributed)
|
||||
|
||||
Index: git/man/shadowconfig.8
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ git/man/shadowconfig.8
|
||||
@@ -0,0 +1,41 @@
|
||||
+.\"Generated by db2man.xsl. Don't modify this, modify the source.
|
||||
+.de Sh \" Subsection
|
||||
+.br
|
||||
+.if t .Sp
|
||||
+.ne 5
|
||||
+.PP
|
||||
+\fB\\$1\fR
|
||||
+.PP
|
||||
+..
|
||||
+.de Sp \" Vertical space (when we can't use .PP)
|
||||
+.if t .sp .5v
|
||||
+.if n .sp
|
||||
+..
|
||||
+.de Ip \" List item
|
||||
+.br
|
||||
+.ie \\n(.$>=3 .ne \\$3
|
||||
+.el .ne 3
|
||||
+.IP "\\$1" \\$2
|
||||
+..
|
||||
+.TH "SHADOWCONFIG" 8 "19 Apr 1997" "" ""
|
||||
+.SH NAME
|
||||
+shadowconfig \- toggle shadow passwords on and off
|
||||
+.SH "SYNOPSIS"
|
||||
+.ad l
|
||||
+.hy 0
|
||||
+.HP 13
|
||||
+\fBshadowconfig\fR \fB\fIon\fR\fR | \fB\fIoff\fR\fR
|
||||
+.ad
|
||||
+.hy
|
||||
+
|
||||
+.SH "DESCRIPTION"
|
||||
+
|
||||
+.PP
|
||||
+\fBshadowconfig\fR on will turn shadow passwords on; \fIshadowconfig off\fR will turn shadow passwords off\&. \fBshadowconfig\fR will print an error message and exit with a nonzero code if it finds anything awry\&. If that happens, you should correct the error and run it again\&. Turning shadow passwords on when they are already on, or off when they are already off, is harmless\&.
|
||||
+
|
||||
+.PP
|
||||
+Read \fI/usr/share/doc/passwd/README\&.Debian\fR for a brief introduction to shadow passwords and related features\&.
|
||||
+
|
||||
+.PP
|
||||
+Note that turning shadow passwords off and on again will lose all password aging information\&.
|
||||
+
|
||||
Index: git/man/shadowconfig.8.xml
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ git/man/shadowconfig.8.xml
|
||||
@@ -0,0 +1,52 @@
|
||||
+<?xml version="1.0" encoding="UTF-8"?>
|
||||
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
||||
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
|
||||
+<refentry id='shadowconfig.8'>
|
||||
+ <!-- $Id: shadowconfig.8.xml,v 1.6 2005/06/15 12:39:27 kloczek Exp $ -->
|
||||
+ <refentryinfo>
|
||||
+ <date>19 Apr 1997</date>
|
||||
+ </refentryinfo>
|
||||
+ <refmeta>
|
||||
+ <refentrytitle>shadowconfig</refentrytitle>
|
||||
+ <manvolnum>8</manvolnum>
|
||||
+ <refmiscinfo class='date'>19 Apr 1997</refmiscinfo>
|
||||
+ <refmiscinfo class='source'>Debian GNU/Linux</refmiscinfo>
|
||||
+ </refmeta>
|
||||
+ <refnamediv id='name'>
|
||||
+ <refname>shadowconfig</refname>
|
||||
+ <refpurpose>toggle shadow passwords on and off</refpurpose>
|
||||
+ </refnamediv>
|
||||
+
|
||||
+ <refsynopsisdiv id='synopsis'>
|
||||
+ <cmdsynopsis>
|
||||
+ <command>shadowconfig</command>
|
||||
+ <group choice='plain'>
|
||||
+ <arg choice='plain'><replaceable>on</replaceable></arg>
|
||||
+ <arg choice='plain'><replaceable>off</replaceable></arg>
|
||||
+ </group>
|
||||
+ </cmdsynopsis>
|
||||
+ </refsynopsisdiv>
|
||||
+
|
||||
+ <refsect1 id='description'>
|
||||
+ <title>DESCRIPTION</title>
|
||||
+ <para><command>shadowconfig</command> on will turn shadow passwords on;
|
||||
+ <emphasis remap='B'>shadowconfig off</emphasis> will turn shadow
|
||||
+ passwords off. <command>shadowconfig</command> will print an error
|
||||
+ message and exit with a nonzero code if it finds anything awry. If
|
||||
+ that happens, you should correct the error and run it again. Turning
|
||||
+ shadow passwords on when they are already on, or off when they are
|
||||
+ already off, is harmless.
|
||||
+ </para>
|
||||
+
|
||||
+ <para>
|
||||
+ Read <filename>/usr/share/doc/passwd/README.Debian</filename> for a
|
||||
+ brief introduction
|
||||
+ to shadow passwords and related features.
|
||||
+ </para>
|
||||
+
|
||||
+ <para>Note that turning shadow passwords off and on again will lose all
|
||||
+ password
|
||||
+ aging information.
|
||||
+ </para>
|
||||
+ </refsect1>
|
||||
+</refentry>
|
||||
Index: git/man/fr/shadowconfig.8
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ git/man/fr/shadowconfig.8
|
||||
@@ -0,0 +1,26 @@
|
||||
+.\" This file was generated with po4a. Translate the source file.
|
||||
+.\"
|
||||
+.\"$Id: shadowconfig.8,v 1.4 2001/08/23 23:10:48 kloczek Exp $
|
||||
+.TH SHADOWCONFIG 8 "19 avril 1997" "Debian GNU/Linux"
|
||||
+.SH NOM
|
||||
+shadowconfig \- active ou désactive les mots de passe cachés
|
||||
+.SH SYNOPSIS
|
||||
+\fBshadowconfig\fP \fIon\fP | \fIoff\fP
|
||||
+.SH DESCRIPTION
|
||||
+.PP
|
||||
+\fBshadowconfig on\fP active les mots de passe cachés («\ shadow passwords\ »)\ ; \fBshadowconfig off\fP les désactive. \fBShadowconfig\fP affiche un message
|
||||
+d'erreur et quitte avec une valeur de retour non nulle s'il rencontre
|
||||
+quelque chose d'inattendu. Dans ce cas, vous devrez corriger l'erreur avant
|
||||
+de recommencer.
|
||||
+
|
||||
+Activer les mots de passe cachés lorsqu'ils sont déjà activés, ou les
|
||||
+désactiver lorsqu'ils ne sont pas actifs est sans effet.
|
||||
+
|
||||
+Lisez \fI/usr/share/doc/passwd/README.Debian\fP pour une brève introduction aux
|
||||
+mots de passe cachés et à leurs fonctionnalités.
|
||||
+
|
||||
+Notez que désactiver puis réactiver les mots de passe cachés aura pour
|
||||
+conséquence la perte des informations d'âge sur les mots de passe.
|
||||
+.SH TRADUCTION
|
||||
+Nicolas FRANÇOIS, 2004.
|
||||
+Veuillez signaler toute erreur à <\fIdebian\-l10\-french@lists.debian.org\fR>.
|
||||
Index: git/man/ja/shadowconfig.8
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ git/man/ja/shadowconfig.8
|
||||
@@ -0,0 +1,25 @@
|
||||
+.\" all right reserved,
|
||||
+.\" Translated Tue Oct 30 11:59:11 JST 2001
|
||||
+.\" by Maki KURODA <mkuroda@aisys-jp.com>
|
||||
+.\"
|
||||
+.TH SHADOWCONFIG 8 "19 Apr 1997" "Debian GNU/Linux"
|
||||
+.SH 名前
|
||||
+shadowconfig \- shadow パスワードの設定をオン及びオフに切替える
|
||||
+.SH 書式
|
||||
+.B "shadowconfig"
|
||||
+.IR on " | " off
|
||||
+.SH 説明
|
||||
+.PP
|
||||
+.B shadowconfig on
|
||||
+は shadow パスワードを有効にする。
|
||||
+.B shadowconfig off
|
||||
+は shadow パスワードを無効にする。
|
||||
+.B shadowconfig
|
||||
+は何らかの間違いがあると、エラーメッセージを表示し、
|
||||
+ゼロではない返り値を返す。
|
||||
+もしそのようなことが起こった場合、エラーを修正し、再度実行しなければならない。
|
||||
+shadow パスワードの設定がすでにオンの場合にオンに設定したり、
|
||||
+すでにオフの場合にオフに設定しても、何の影響もない。
|
||||
+
|
||||
+.I /usr/share/doc/passwd/README.debian.gz
|
||||
+には shadow パスワードとそれに関する特徴の簡単な紹介が書かれている。
|
||||
Index: git/man/pl/shadowconfig.8
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ git/man/pl/shadowconfig.8
|
||||
@@ -0,0 +1,27 @@
|
||||
+.\" $Id: shadowconfig.8,v 1.3 2001/08/23 23:10:51 kloczek Exp $
|
||||
+.\" {PTM/WK/1999-09-14}
|
||||
+.TH SHADOWCONFIG 8 "19 kwietnia 1997" "Debian GNU/Linux"
|
||||
+.SH NAZWA
|
||||
+shadowconfig - przełącza ochronę haseł i grup przez pliki shadow
|
||||
+.SH SKŁADNIA
|
||||
+.B "shadowconfig"
|
||||
+.IR on " | " off
|
||||
+.SH OPIS
|
||||
+.PP
|
||||
+.B shadowconfig on
|
||||
+włącza ochronę haseł i grup przez dodatkowe, przesłaniane pliki (shadow);
|
||||
+.B shadowconfig off
|
||||
+wyłącza dodatkowe pliki haseł i grup.
|
||||
+.B shadowconfig
|
||||
+wyświetla komunikat o błędzie i kończy pracę z niezerowym kodem jeśli
|
||||
+znajdzie coś nieprawidłowego. W takim wypadku powinieneś poprawić błąd
|
||||
+.\" if it finds anything awry.
|
||||
+i uruchomić program ponownie.
|
||||
+
|
||||
+Włączenie ochrony haseł, gdy jest ona już włączona lub jej wyłączenie,
|
||||
+gdy jest wyłączona jest nieszkodliwe.
|
||||
+
|
||||
+Przeczytaj
|
||||
+.IR /usr/share/doc/passwd/README.debian.gz ,
|
||||
+gdzie znajdziesz krótkie wprowadzenie do ochrony haseł z użyciem dodatkowych
|
||||
+plików haseł przesłanianych (shadow passwords) i związanych tematów.
|
||||
+40
@@ -0,0 +1,40 @@
|
||||
Goal: Recommend using adduser and deluser.
|
||||
|
||||
Fixes: #406046
|
||||
|
||||
Status wrt upstream: Debian specific patch.
|
||||
|
||||
Index: git/man/useradd.8.xml
|
||||
===================================================================
|
||||
--- git.orig/man/useradd.8.xml
|
||||
+++ git/man/useradd.8.xml
|
||||
@@ -105,6 +105,12 @@
|
||||
<refsect1 id='description'>
|
||||
<title>DESCRIPTION</title>
|
||||
<para>
|
||||
+ <command>useradd</command> is a low level utility for adding
|
||||
+ users. On Debian, administrators should usually use
|
||||
+ <citerefentry><refentrytitle>adduser</refentrytitle>
|
||||
+ <manvolnum>8</manvolnum></citerefentry> instead.
|
||||
+ </para>
|
||||
+ <para>
|
||||
When invoked without the <option>-D</option> option, the
|
||||
<command>useradd</command> command creates a new user account using
|
||||
the values specified on the command line plus the default values from
|
||||
Index: git/man/userdel.8.xml
|
||||
===================================================================
|
||||
--- git.orig/man/userdel.8.xml
|
||||
+++ git/man/userdel.8.xml
|
||||
@@ -83,6 +83,12 @@
|
||||
<refsect1 id='description'>
|
||||
<title>DESCRIPTION</title>
|
||||
<para>
|
||||
+ <command>userdel</command> is a low level utility for removing
|
||||
+ users. On Debian, administrators should usually use
|
||||
+ <citerefentry><refentrytitle>deluser</refentrytitle>
|
||||
+ <manvolnum>8</manvolnum></citerefentry> instead.
|
||||
+ </para>
|
||||
+ <para>
|
||||
The <command>userdel</command> command modifies the system account
|
||||
files, deleting all entries that refer to the user name <emphasis
|
||||
remap='I'>LOGIN</emphasis>. The named user must exist.
|
||||
Vendored
+106
@@ -0,0 +1,106 @@
|
||||
Goal: Relaxed usernames/groupnames checking patch.
|
||||
|
||||
Status wrt upstream: Debian specific. Not to be used upstream
|
||||
|
||||
Details:
|
||||
Allows any non-empty user/grounames that don't contain ':', ',' or '\n'
|
||||
characters and don't start with '-', '+', or '~'. This patch is more
|
||||
restrictive than original Karl's version. closes: #264879
|
||||
Also closes: #377844
|
||||
|
||||
Comments from Karl Ramm (shadow 1:4.0.3-9, 20 Aug 2003 02:06:50 -0400):
|
||||
|
||||
I can't come up with a good justification as to why characters other
|
||||
than ':'s and '\0's should be disallowed in group and usernames (other
|
||||
than '-' as the leading character). Thus, the maintenance tools don't
|
||||
anymore. closes: #79682, #166798, #171179
|
||||
|
||||
Index: git/libmisc/chkname.c
|
||||
===================================================================
|
||||
--- git.orig/libmisc/chkname.c
|
||||
+++ git/libmisc/chkname.c
|
||||
@@ -48,6 +48,7 @@
|
||||
|
||||
static bool is_valid_name (const char *name)
|
||||
{
|
||||
+#if 0
|
||||
/*
|
||||
* User/group names must match [a-z_][a-z0-9_-]*[$]
|
||||
*/
|
||||
@@ -66,6 +67,26 @@
|
||||
return false;
|
||||
}
|
||||
}
|
||||
+#endif
|
||||
+ /*
|
||||
+ * POSIX indicate that usernames are composed of characters from the
|
||||
+ * portable filename character set [A-Za-z0-9._-], and that the hyphen
|
||||
+ * should not be used as the first character of a portable user name.
|
||||
+ *
|
||||
+ * Allow more relaxed user/group names in Debian -- ^[^-~+:,\s][^:,\s]*$
|
||||
+ */
|
||||
+ if ( ('\0' == *name)
|
||||
+ || ('-' == *name)
|
||||
+ || ('~' == *name)
|
||||
+ || ('+' == *name)) {
|
||||
+ return false;
|
||||
+ }
|
||||
+ do {
|
||||
+ if ((':' == *name) || (',' == *name) || isspace(*name)) {
|
||||
+ return false;
|
||||
+ }
|
||||
+ name++;
|
||||
+ } while ('\0' != *name);
|
||||
|
||||
return true;
|
||||
}
|
||||
Index: git/man/useradd.8.xml
|
||||
===================================================================
|
||||
--- git.orig/man/useradd.8.xml
|
||||
+++ git/man/useradd.8.xml
|
||||
@@ -633,12 +633,20 @@
|
||||
</para>
|
||||
|
||||
<para>
|
||||
- Usernames must start with a lower case letter or an underscore,
|
||||
+ It is usually recommended to only use usernames that begin with a lower case letter or an underscore,
|
||||
followed by lower case letters, digits, underscores, or dashes.
|
||||
They can end with a dollar sign.
|
||||
In regular expression terms: [a-z_][a-z0-9_-]*[$]?
|
||||
</para>
|
||||
<para>
|
||||
+ On Debian, the only constraints are that usernames must neither start
|
||||
+ with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a
|
||||
+ colon (':'), a comma (','), or a whitespace (space: ' ',
|
||||
+ end of line: '\n', tabulation: '\t', etc.). Note that using a slash
|
||||
+ ('/') may break the default algorithm for the definition of the
|
||||
+ user's home directory.
|
||||
+ </para>
|
||||
+ <para>
|
||||
Usernames may only be up to 32 characters long.
|
||||
</para>
|
||||
</refsect1>
|
||||
Index: git/man/groupadd.8.xml
|
||||
===================================================================
|
||||
--- git.orig/man/groupadd.8.xml
|
||||
+++ git/man/groupadd.8.xml
|
||||
@@ -256,12 +256,18 @@
|
||||
<refsect1 id='caveats'>
|
||||
<title>CAVEATS</title>
|
||||
<para>
|
||||
- Groupnames must start with a lower case letter or an underscore,
|
||||
+ It is usually recommended to only use groupnames that begin with a lower case letter or an underscore,
|
||||
followed by lower case letters, digits, underscores, or dashes.
|
||||
They can end with a dollar sign.
|
||||
In regular expression terms: [a-z_][a-z0-9_-]*[$]?
|
||||
</para>
|
||||
<para>
|
||||
+ On Debian, the only constraints are that groupnames must neither start
|
||||
+ with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a
|
||||
+ colon (':'), a comma (','), or a whitespace (space:' ',
|
||||
+ end of line: '\n', tabulation: '\t', etc.).
|
||||
+ </para>
|
||||
+ <para>
|
||||
Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
|
||||
</para>
|
||||
<para>
|
||||
+18
@@ -0,0 +1,18 @@
|
||||
--- a/src/Makefile.am
|
||||
+++ b/src/Makefile.am
|
||||
@@ -24,7 +24,6 @@
|
||||
# $prefix/bin and $prefix/sbin, no install-data hacks...)
|
||||
|
||||
bin_PROGRAMS = groups login su
|
||||
-sbin_PROGRAMS = nologin
|
||||
ubin_PROGRAMS = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd
|
||||
if ENABLE_SUBIDS
|
||||
ubin_PROGRAMS += newgidmap newuidmap
|
||||
@@ -42,6 +41,7 @@
|
||||
grpunconv \
|
||||
logoutd \
|
||||
newusers \
|
||||
+ nologin \
|
||||
pwck \
|
||||
pwconv \
|
||||
pwunconv \
|
||||
Vendored
+43
@@ -0,0 +1,43 @@
|
||||
Goal: accepts the -O flag for backward compatibility. (was used by adduser?)
|
||||
|
||||
Note: useradd.8 needs to be regenerated.
|
||||
|
||||
Status wrt upstream: not included as this is just specific
|
||||
backward compatibility for Debian
|
||||
|
||||
--- a/man/useradd.8.xml
|
||||
+++ b/man/useradd.8.xml
|
||||
@@ -329,6 +329,11 @@
|
||||
databases are reset to avoid reusing the entry from a previously
|
||||
deleted user.
|
||||
</para>
|
||||
+ <para>
|
||||
+ For the compatibility with previous Debian's
|
||||
+ <command>useradd</command>, the <option>-O</option> option is
|
||||
+ also supported.
|
||||
+ </para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
--- a/src/useradd.c
|
||||
+++ b/src/useradd.c
|
||||
@@ -1059,9 +1059,9 @@
|
||||
};
|
||||
while ((c = getopt_long (argc, argv,
|
||||
#ifdef WITH_SELINUX
|
||||
- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:UZ:",
|
||||
+ "b:c:d:De:f:g:G:hk:O:K:lmMNop:rR:s:u:UZ:",
|
||||
#else /* !WITH_SELINUX */
|
||||
- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:U",
|
||||
+ "b:c:d:De:f:g:G:hk:O:K:lmMNop:rR:s:u:U",
|
||||
#endif /* !WITH_SELINUX */
|
||||
long_options, NULL)) != -1) {
|
||||
switch (c) {
|
||||
@@ -1184,6 +1184,7 @@
|
||||
kflg = true;
|
||||
break;
|
||||
case 'K':
|
||||
+ case 'O': /* compatibility with previous Debian useradd */
|
||||
/*
|
||||
* override login.defs defaults (-K name=value)
|
||||
* example: -K UID_MIN=100 -K UID_MAX=499
|
||||
+81
@@ -0,0 +1,81 @@
|
||||
--- a/debian/passwd.install
|
||||
+++ b/debian/passwd.install
|
||||
@@ -9,6 +9,7 @@
|
||||
usr/sbin/cppw
|
||||
usr/sbin/groupadd
|
||||
usr/sbin/groupdel
|
||||
+usr/sbin/groupmems
|
||||
usr/sbin/groupmod
|
||||
usr/sbin/grpck
|
||||
usr/sbin/grpconv
|
||||
@@ -33,6 +34,7 @@
|
||||
usr/share/man/*/man8/chpasswd.8
|
||||
usr/share/man/*/man8/groupadd.8
|
||||
usr/share/man/*/man8/groupdel.8
|
||||
+usr/share/man/*/man8/groupmems.8
|
||||
usr/share/man/*/man8/groupmod.8
|
||||
usr/share/man/*/man8/grpck.8
|
||||
usr/share/man/*/man8/grpconv.8
|
||||
@@ -59,6 +61,7 @@
|
||||
usr/share/man/man8/chpasswd.8
|
||||
usr/share/man/man8/groupadd.8
|
||||
usr/share/man/man8/groupdel.8
|
||||
+usr/share/man/man8/groupmems.8
|
||||
usr/share/man/man8/groupmod.8
|
||||
usr/share/man/man8/grpck.8
|
||||
usr/share/man/man8/grpconv.8
|
||||
--- a/debian/passwd.postinst
|
||||
+++ b/debian/passwd.postinst
|
||||
@@ -31,6 +31,24 @@
|
||||
exit 1
|
||||
)
|
||||
fi
|
||||
+ if ! getent group groupmems | grep -q '^groupmems:[^:]*:99'
|
||||
+ then
|
||||
+ groupadd -g 99 groupmems || (
|
||||
+ cat <<EOF
|
||||
+************************ TESTSUITE *****************************
|
||||
+Group ID 99 has been allocated for the groupmems group. You have either
|
||||
+used 99 yourself or created a groupmems group with a different ID.
|
||||
+Please correct this problem and reconfigure with ``dpkg --configure passwd''.
|
||||
+
|
||||
+Note that both user and group IDs in the range 0-99 are globally
|
||||
+allocated by the Debian project and must be the same on every Debian
|
||||
+system.
|
||||
+EOF
|
||||
+ exit 1
|
||||
+ )
|
||||
+# FIXME
|
||||
+ chgrp groupmems /usr/sbin/groupmems
|
||||
+ fi
|
||||
;;
|
||||
esac
|
||||
|
||||
--- a/debian/rules
|
||||
+++ b/debian/rules
|
||||
@@ -60,6 +60,7 @@
|
||||
dh_installpam -p passwd --name=chsh
|
||||
dh_installpam -p passwd --name=chpasswd
|
||||
dh_installpam -p passwd --name=newusers
|
||||
+ dh_installpam -p passwd --name=groupmems
|
||||
ifeq ($(DEB_HOST_ARCH_OS),hurd)
|
||||
# login is not built on The Hurd, but some utilities of passwd depends on
|
||||
# /etc/login.defs.
|
||||
@@ -87,3 +88,6 @@
|
||||
chgrp shadow debian/passwd/usr/bin/expiry
|
||||
chmod g+s debian/passwd/usr/bin/chage
|
||||
chmod g+s debian/passwd/usr/bin/expiry
|
||||
+ chgrp groupmems debian/passwd/usr/sbin/groupmems
|
||||
+ chmod u+s debian/passwd/usr/sbin/groupmems
|
||||
+ chmod o-x debian/passwd/usr/sbin/groupmems
|
||||
--- /dev/null
|
||||
+++ b/debian/passwd.groupmems.pam
|
||||
@@ -0,0 +1,8 @@
|
||||
+# The PAM configuration file for the Shadow 'groupmod' service
|
||||
+#
|
||||
+
|
||||
+# This allows root to modify groups without being prompted for a password
|
||||
+auth sufficient pam_rootok.so
|
||||
+
|
||||
+@include common-auth
|
||||
+@include common-account
|
||||
Vendored
+76
@@ -0,0 +1,76 @@
|
||||
--- a/lib/Makefile.am
|
||||
+++ b/lib/Makefile.am
|
||||
@@ -1,6 +1,8 @@
|
||||
|
||||
AUTOMAKE_OPTIONS = 1.0 foreign
|
||||
|
||||
+CFLAGS += -fprofile-arcs -ftest-coverage
|
||||
+
|
||||
DEFS =
|
||||
|
||||
noinst_LTLIBRARIES = libshadow.la
|
||||
--- a/libmisc/Makefile.am
|
||||
+++ b/libmisc/Makefile.am
|
||||
@@ -1,6 +1,8 @@
|
||||
|
||||
EXTRA_DIST = .indent.pro xgetXXbyYY.c
|
||||
|
||||
+CFLAGS += -fprofile-arcs -ftest-coverage
|
||||
+
|
||||
INCLUDES = -I$(top_srcdir)/lib
|
||||
|
||||
noinst_LIBRARIES = libmisc.a
|
||||
--- a/src/Makefile.am
|
||||
+++ b/src/Makefile.am
|
||||
@@ -7,6 +7,8 @@
|
||||
suidperms = 4755
|
||||
sgidperms = 2755
|
||||
|
||||
+CFLAGS += -fprofile-arcs -ftest-coverage
|
||||
+
|
||||
INCLUDES = \
|
||||
-I${top_srcdir}/lib \
|
||||
-I$(top_srcdir)/libmisc
|
||||
--- a/debian/rules
|
||||
+++ b/debian/rules
|
||||
@@ -40,6 +40,12 @@
|
||||
endif
|
||||
export CFLAGS
|
||||
|
||||
+clean:: clean_gcov
|
||||
+
|
||||
+clean_gcov:
|
||||
+ find . -name "*.gcda" -delete
|
||||
+ find . -name "*.gcno" -delete
|
||||
+
|
||||
# Add extras to the install process:
|
||||
binary-install/login::
|
||||
dh_installpam -p login
|
||||
--- a/lib/defines.h
|
||||
+++ b/lib/defines.h
|
||||
@@ -174,23 +174,9 @@
|
||||
trust the formatted time received from the unix domain (or worse,
|
||||
UDP) socket. -MM */
|
||||
/* Avoid translated PAM error messages: Set LC_ALL to "C".
|
||||
+ * This is disabled for coverage testing
|
||||
* --Nekral */
|
||||
-#define SYSLOG(x) \
|
||||
- do { \
|
||||
- char *old_locale = setlocale (LC_ALL, NULL); \
|
||||
- char *saved_locale = NULL; \
|
||||
- if (NULL != old_locale) { \
|
||||
- saved_locale = strdup (old_locale); \
|
||||
- } \
|
||||
- if (NULL != saved_locale) { \
|
||||
- (void) setlocale (LC_ALL, "C"); \
|
||||
- } \
|
||||
- syslog x ; \
|
||||
- if (NULL != saved_locale) { \
|
||||
- (void) setlocale (LC_ALL, saved_locale); \
|
||||
- free (saved_locale); \
|
||||
- } \
|
||||
- } while (false)
|
||||
+#define SYSLOG(x) syslog x
|
||||
#else /* !ENABLE_NLS */
|
||||
#define SYSLOG(x) syslog x
|
||||
#endif /* !ENABLE_NLS */
|
||||
Vendored
+22
@@ -0,0 +1,22 @@
|
||||
Small intro to the system for numbering the patches here...
|
||||
|
||||
-The 00xx-... patches are forwarded to upstream's git repository
|
||||
|
||||
-The 0xx_... series of patches are patches isolated from the latest
|
||||
version of the shadow Debian package not using quilt in order to
|
||||
separate upstream from Debian-specific stuff.
|
||||
|
||||
NO MORE PATCHES SHOULD BE ADDED IN THESE SERIES
|
||||
|
||||
-The 4xx series are patches which have been applied to Debian's shadow
|
||||
and have NOT been accepted and/or applied upstream. These patches MUST be kept
|
||||
even after resynced with upstream
|
||||
|
||||
-The 5xx series are patches which are applied to Debian's shadow
|
||||
and will never be proposed upstream because they're too specific
|
||||
This list SHOULD BE AS SHORT AS POSSIBLE
|
||||
|
||||
In short, while we are working towards synchronisation with upstream,
|
||||
our goal is to make 0xx patches disappear by moving them either to 3xx
|
||||
series (things already implemented upstream) or to 4xx series
|
||||
(Debian-specific patches).
|
||||
Vendored
+20
@@ -0,0 +1,20 @@
|
||||
# These patches are only for the testsuite:
|
||||
#900_testsuite_groupmems
|
||||
#901_testsuite_gcov
|
||||
|
||||
503_shadowconfig.8
|
||||
008_login_log_failure_in_FTMP
|
||||
429_login_FAILLOG_ENAB
|
||||
401_cppw_src.dpatch
|
||||
# 402 should be merged in 401, but should be reviewed by SE Linux experts first
|
||||
402_cppw_selinux
|
||||
506_relaxed_usernames
|
||||
542_useradd-O_option
|
||||
463_login_delay_obeys_to_PAM
|
||||
508_nologin_in_usr_sbin
|
||||
505_useradd_recommend_adduser
|
||||
501_commonio_group_shadow
|
||||
0001-newgidmap-enforce-setgroups-deny-if-self-mapping-a-g.patch
|
||||
0002-gpasswd-1-Fix-password-leak.patch
|
||||
0003-Added-control-character-check.patch
|
||||
0004-Overhaul-valid_field.patch
|
||||
+96
@@ -0,0 +1,96 @@
|
||||
#!/usr/bin/make -f
|
||||
# -*- mode: makefile; coding: utf-8 -*-
|
||||
|
||||
DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)
|
||||
|
||||
# Enable PIE, BINDNOW, and possible future flags.
|
||||
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
|
||||
DPKG_EXPORT_BUILDFLAGS = 1
|
||||
include /usr/share/dpkg/buildflags.mk
|
||||
|
||||
# Call autoreconf since we need to regenerate all the autofoo files
|
||||
include /usr/share/cdbs/1/rules/autoreconf.mk
|
||||
include /usr/share/cdbs/1/rules/debhelper.mk
|
||||
# Specify where dh_install will find the files that it needs to move:
|
||||
DEB_DH_INSTALL_SOURCEDIR=debian/tmp
|
||||
# Specify the destination of shadow's "make install"
|
||||
# (This is only needed on The Hurd, where only one package is built. On
|
||||
# the other arch, DEB_DESTDIR already points to debian/tmp)
|
||||
DEB_DESTDIR=$(CURDIR)/debian/tmp
|
||||
|
||||
include /usr/share/cdbs/1/class/autotools.mk
|
||||
|
||||
# Adds extra options when calling the configure script:
|
||||
DEB_CONFIGURE_EXTRA_FLAGS := --disable-shared \
|
||||
--without-libcrack \
|
||||
--mandir=/usr/share/man \
|
||||
--with-libpam \
|
||||
--enable-shadowgrp \
|
||||
--enable-man \
|
||||
--disable-account-tools-setuid \
|
||||
--with-group-name-max-length=32 \
|
||||
--without-acl \
|
||||
--without-attr \
|
||||
--without-tcb \
|
||||
SHELL=/bin/sh
|
||||
ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
|
||||
DEB_CONFIGURE_EXTRA_FLAGS += --host=$(DEB_HOST_GNU_TYPE)
|
||||
endif
|
||||
|
||||
# Set the default editor for vipw/vigr
|
||||
CFLAGS += -DDEFAULT_EDITOR=\\\"sensible-editor\\\"
|
||||
|
||||
# Add extras to the install process:
|
||||
binary-install/login::
|
||||
ifeq ($(DEB_HOST_ARCH_OS),hurd)
|
||||
# /bin/login is provided by the hurd package.
|
||||
rm -f debian/login/bin/login
|
||||
endif
|
||||
ifneq ($(DEB_HOST_ARCH_OS),linux)
|
||||
sed -i 's/session optional pam_keyinit.so/# Linux only # session optional pam_keyinit.so/' debian/login.pam
|
||||
endif
|
||||
dh_installpam -p login
|
||||
install -c -m 444 debian/login.defs debian/login/etc/login.defs
|
||||
install -c -m 444 debian/securetty.$(DEB_HOST_ARCH_OS) debian/login/etc/securetty
|
||||
dh_lintian -p login
|
||||
|
||||
binary-install/passwd::
|
||||
install -c -m 444 man/shadowconfig.8 debian/passwd/usr/share/man/man8
|
||||
install -c -m 444 man/ja/shadowconfig.8 debian/passwd/usr/share/man/ja/man8
|
||||
install -c -m 444 man/pl/shadowconfig.8 debian/passwd/usr/share/man/pl/man8
|
||||
install -c -m 444 man/fr/shadowconfig.8 debian/passwd/usr/share/man/fr/man8
|
||||
# Distribute the pam.d files; unless for the commands with disabled PAM
|
||||
# support
|
||||
dh_installpam -p passwd --name=passwd
|
||||
dh_installpam -p passwd --name=chfn
|
||||
dh_installpam -p passwd --name=chsh
|
||||
dh_installpam -p passwd --name=chpasswd
|
||||
dh_installpam -p passwd --name=newusers
|
||||
install -c -m 644 debian/useradd.default debian/passwd/etc/default/useradd
|
||||
install -d debian/passwd/sbin
|
||||
install -c -m 555 debian/shadowconfig.sh debian/passwd/sbin/shadowconfig
|
||||
install -c -m 444 debian/cpgr.8 debian/passwd/usr/share/man/man8
|
||||
install -c -m 444 debian/cppw.8 debian/passwd/usr/share/man/man8
|
||||
dh_lintian -p passwd
|
||||
|
||||
binary-predeb/uidmap::
|
||||
chmod u+s debian/uidmap/usr/bin/newuidmap
|
||||
chmod u+s debian/uidmap/usr/bin/newgidmap
|
||||
|
||||
binary-predeb/login::
|
||||
# No real need for login to be setuid root
|
||||
# chmod u+s debian/login/bin/login
|
||||
chmod u+s debian/login/usr/bin/newgrp
|
||||
|
||||
binary-predeb/passwd::
|
||||
chmod u+s debian/passwd/usr/bin/chfn
|
||||
chmod u+s debian/passwd/usr/bin/chsh
|
||||
chmod u+s debian/passwd/usr/bin/gpasswd
|
||||
chmod u+s debian/passwd/usr/bin/passwd
|
||||
chgrp shadow debian/passwd/usr/bin/chage
|
||||
chgrp shadow debian/passwd/usr/bin/expiry
|
||||
chmod g+s debian/passwd/usr/bin/chage
|
||||
chmod g+s debian/passwd/usr/bin/expiry
|
||||
|
||||
clean::
|
||||
sed -i 's/# Linux only # //' debian/login.pam
|
||||
Vendored
+71
@@ -0,0 +1,71 @@
|
||||
# /etc/securetty: list of terminals on which root is allowed to login.
|
||||
# See securetty(5) and login(1).
|
||||
console
|
||||
|
||||
# for people with serial port consoles
|
||||
com0
|
||||
|
||||
# Standard consoles
|
||||
tty1
|
||||
tty2
|
||||
tty3
|
||||
tty4
|
||||
tty5
|
||||
tty6
|
||||
tty7
|
||||
tty8
|
||||
tty9
|
||||
tty10
|
||||
tty11
|
||||
tty12
|
||||
tty13
|
||||
tty14
|
||||
tty15
|
||||
tty16
|
||||
tty17
|
||||
tty18
|
||||
tty19
|
||||
tty20
|
||||
tty21
|
||||
tty22
|
||||
tty23
|
||||
tty24
|
||||
tty25
|
||||
tty26
|
||||
tty27
|
||||
tty28
|
||||
tty29
|
||||
tty30
|
||||
tty31
|
||||
tty32
|
||||
tty33
|
||||
tty34
|
||||
tty35
|
||||
tty36
|
||||
tty37
|
||||
tty38
|
||||
tty39
|
||||
tty40
|
||||
tty41
|
||||
tty42
|
||||
tty43
|
||||
tty44
|
||||
tty45
|
||||
tty46
|
||||
tty47
|
||||
tty48
|
||||
tty49
|
||||
tty50
|
||||
tty51
|
||||
tty52
|
||||
tty53
|
||||
tty54
|
||||
tty55
|
||||
tty56
|
||||
tty57
|
||||
tty58
|
||||
tty59
|
||||
tty60
|
||||
tty61
|
||||
tty62
|
||||
tty63
|
||||
Vendored
+24
@@ -0,0 +1,24 @@
|
||||
# /etc/securetty: list of terminals on which root is allowed to login.
|
||||
# See securetty(5) and login(1).
|
||||
console
|
||||
|
||||
# for people with serial port consoles
|
||||
ttyd0
|
||||
ttyd1
|
||||
|
||||
# Standard consoles
|
||||
ttyv0
|
||||
ttyv1
|
||||
ttyv2
|
||||
ttyv3
|
||||
ttyv4
|
||||
ttyv5
|
||||
ttyv6
|
||||
ttyv7
|
||||
ttyva
|
||||
ttyvb
|
||||
ttyvc
|
||||
ttyvd
|
||||
ttyve
|
||||
ttyvf
|
||||
|
||||
Vendored
+12
@@ -0,0 +1,12 @@
|
||||
# /etc/securetty: list of terminals on which root is allowed to login.
|
||||
# See securetty(5) and login(1).
|
||||
console
|
||||
|
||||
# for people with serial port consoles
|
||||
tty00
|
||||
|
||||
# Standard consoles
|
||||
ttyE0
|
||||
ttyE1
|
||||
ttyE2
|
||||
ttyE3
|
||||
Vendored
+412
@@ -0,0 +1,412 @@
|
||||
# /etc/securetty: list of terminals on which root is allowed to login.
|
||||
# See securetty(5) and login(1).
|
||||
|
||||
console
|
||||
|
||||
# Local X displays (allows empty passwords with pam_unix's nullok_secure)
|
||||
:0
|
||||
:0.0
|
||||
:0.1
|
||||
:1
|
||||
:1.0
|
||||
:1.1
|
||||
:2
|
||||
:2.0
|
||||
:2.1
|
||||
:3
|
||||
:3.0
|
||||
:3.1
|
||||
#...
|
||||
|
||||
|
||||
# ==========================================================
|
||||
#
|
||||
# TTYs sorted by major number according to Documentation/devices.txt
|
||||
#
|
||||
# ==========================================================
|
||||
|
||||
# Virtual consoles
|
||||
tty1
|
||||
tty2
|
||||
tty3
|
||||
tty4
|
||||
tty5
|
||||
tty6
|
||||
tty7
|
||||
tty8
|
||||
tty9
|
||||
tty10
|
||||
tty11
|
||||
tty12
|
||||
tty13
|
||||
tty14
|
||||
tty15
|
||||
tty16
|
||||
tty17
|
||||
tty18
|
||||
tty19
|
||||
tty20
|
||||
tty21
|
||||
tty22
|
||||
tty23
|
||||
tty24
|
||||
tty25
|
||||
tty26
|
||||
tty27
|
||||
tty28
|
||||
tty29
|
||||
tty30
|
||||
tty31
|
||||
tty32
|
||||
tty33
|
||||
tty34
|
||||
tty35
|
||||
tty36
|
||||
tty37
|
||||
tty38
|
||||
tty39
|
||||
tty40
|
||||
tty41
|
||||
tty42
|
||||
tty43
|
||||
tty44
|
||||
tty45
|
||||
tty46
|
||||
tty47
|
||||
tty48
|
||||
tty49
|
||||
tty50
|
||||
tty51
|
||||
tty52
|
||||
tty53
|
||||
tty54
|
||||
tty55
|
||||
tty56
|
||||
tty57
|
||||
tty58
|
||||
tty59
|
||||
tty60
|
||||
tty61
|
||||
tty62
|
||||
tty63
|
||||
|
||||
# UART serial ports
|
||||
ttyS0
|
||||
ttyS1
|
||||
ttyS2
|
||||
ttyS3
|
||||
ttyS4
|
||||
ttyS5
|
||||
#...ttyS191
|
||||
|
||||
# Serial Mux devices (Linux/PA-RISC only)
|
||||
ttyB0
|
||||
ttyB1
|
||||
#...
|
||||
|
||||
# Chase serial card
|
||||
ttyH0
|
||||
ttyH1
|
||||
#...
|
||||
|
||||
# Cyclades serial cards
|
||||
ttyC0
|
||||
ttyC1
|
||||
#...ttyC31
|
||||
|
||||
# Digiboard serial cards
|
||||
ttyD0
|
||||
ttyD1
|
||||
#...
|
||||
|
||||
# Stallion serial cards
|
||||
ttyE0
|
||||
ttyE1
|
||||
#...ttyE255
|
||||
|
||||
# Specialix serial cards
|
||||
ttyX0
|
||||
ttyX1
|
||||
#...
|
||||
|
||||
# Comtrol Rocketport serial cards
|
||||
ttyR0
|
||||
ttyR1
|
||||
#...
|
||||
|
||||
# SDL RISCom serial cards
|
||||
ttyL0
|
||||
ttyL1
|
||||
#...
|
||||
|
||||
# Hayes ESP serial card
|
||||
ttyP0
|
||||
ttyP1
|
||||
#...
|
||||
|
||||
# Computone IntelliPort II serial card
|
||||
ttyF0
|
||||
ttyF1
|
||||
#...ttyF255
|
||||
|
||||
# Specialix IO8+ serial card
|
||||
ttyW0
|
||||
ttyW1
|
||||
#...
|
||||
|
||||
# Comtrol VS-1000 serial controller
|
||||
ttyV0
|
||||
ttyV1
|
||||
#...
|
||||
|
||||
# ISI serial card
|
||||
ttyM0
|
||||
ttyM1
|
||||
#...
|
||||
|
||||
# Technology Concepts serial card
|
||||
ttyT0
|
||||
ttyT1
|
||||
#...
|
||||
|
||||
# Specialix RIO serial card
|
||||
ttySR0
|
||||
ttySR1
|
||||
#...ttySR511
|
||||
|
||||
# Chase Research AT/PCI-Fast serial card
|
||||
ttyCH0
|
||||
ttyCH1
|
||||
#...ttyCH63
|
||||
|
||||
# Moxa Intellio serial card
|
||||
ttyMX0
|
||||
ttyMX1
|
||||
#...ttyMX127
|
||||
|
||||
# SmartIO serial card
|
||||
ttySI0
|
||||
ttySI1
|
||||
#...
|
||||
|
||||
# USB dongles
|
||||
ttyUSB0
|
||||
ttyUSB1
|
||||
ttyUSB2
|
||||
#...
|
||||
|
||||
# LinkUp Systems L72xx UARTs
|
||||
ttyLU0
|
||||
ttyLU1
|
||||
ttyLU2
|
||||
ttyLU3
|
||||
|
||||
# StrongARM builtin serial ports
|
||||
ttySA0
|
||||
ttySA1
|
||||
ttySA2
|
||||
|
||||
# SCI serial port (SuperH) ports and SC26xx serial ports
|
||||
ttySC0
|
||||
ttySC1
|
||||
ttySC2
|
||||
ttySC3
|
||||
ttySC4
|
||||
ttySC5
|
||||
ttySC6
|
||||
ttySC7
|
||||
ttySC8
|
||||
ttySC9
|
||||
|
||||
# ARM "AMBA" serial ports
|
||||
ttyAM0
|
||||
ttyAM1
|
||||
ttyAM2
|
||||
ttyAM3
|
||||
ttyAM4
|
||||
ttyAM5
|
||||
ttyAM6
|
||||
ttyAM7
|
||||
ttyAM8
|
||||
ttyAM9
|
||||
ttyAM10
|
||||
ttyAM11
|
||||
ttyAM12
|
||||
ttyAM13
|
||||
ttyAM14
|
||||
ttyAM15
|
||||
|
||||
# Embedded ARM AMBA PL011 ports (e.g. emulated by QEMU)
|
||||
ttyAMA0
|
||||
ttyAMA1
|
||||
ttyAMA2
|
||||
ttyAMA3
|
||||
|
||||
# DataBooster serial ports
|
||||
ttyDB0
|
||||
ttyDB1
|
||||
ttyDB2
|
||||
ttyDB3
|
||||
ttyDB4
|
||||
ttyDB5
|
||||
ttyDB6
|
||||
ttyDB7
|
||||
|
||||
# SGI Altix console ports
|
||||
ttySG0
|
||||
|
||||
# Motorola i.MX ports
|
||||
ttySMX0
|
||||
ttySMX1
|
||||
ttySMX2
|
||||
|
||||
# Marvell MPSC ports
|
||||
ttyMM0
|
||||
ttyMM1
|
||||
|
||||
# PPC CPM (SCC or SMC) ports
|
||||
ttyCPM0
|
||||
ttyCPM1
|
||||
ttyCPM2
|
||||
ttyCPM3
|
||||
ttyCPM4
|
||||
ttyCPM5
|
||||
|
||||
# Altix serial cards
|
||||
ttyIOC0
|
||||
ttyIOC1
|
||||
#...ttyIOC31
|
||||
|
||||
# NEC VR4100 series SIU
|
||||
ttyVR0
|
||||
|
||||
# NEC VR4100 series SSIU
|
||||
ttyVR1
|
||||
|
||||
# Altix ioc4 serial cards
|
||||
ttyIOC84
|
||||
ttyIOC85
|
||||
#...ttyIOC115
|
||||
|
||||
# Altix ioc3 serial cards
|
||||
ttySIOC0
|
||||
ttySIOC1
|
||||
#...ttySIOC31
|
||||
|
||||
# PPC PSC ports
|
||||
ttyPSC0
|
||||
ttyPSC1
|
||||
ttyPSC2
|
||||
ttyPSC3
|
||||
ttyPSC4
|
||||
ttyPSC5
|
||||
|
||||
# ATMEL serial ports
|
||||
ttyAT0
|
||||
ttyAT1
|
||||
#...ttyAT15
|
||||
|
||||
# Hilscher netX serial port
|
||||
ttyNX0
|
||||
ttyNX1
|
||||
#...ttyNX15
|
||||
|
||||
# Xilinx uartlite - port
|
||||
ttyUL0
|
||||
ttyUL1
|
||||
ttyUL2
|
||||
ttyUL3
|
||||
|
||||
# Xen virtual console - port 0
|
||||
xvc0
|
||||
|
||||
# pmac_zilog - port
|
||||
ttyPZ0
|
||||
ttyPZ1
|
||||
ttyPZ2
|
||||
ttyPZ3
|
||||
|
||||
# TX39/49 serial port
|
||||
ttyTX0
|
||||
ttyTX1
|
||||
ttyTX2
|
||||
ttyTX3
|
||||
ttyTX4
|
||||
ttyTX5
|
||||
ttyTX6
|
||||
ttyTX7
|
||||
|
||||
# SC26xx serial ports (see SCI serial ports (SuperH))
|
||||
|
||||
# MAX3100 serial ports
|
||||
ttyMAX0
|
||||
ttyMAX1
|
||||
ttyMAX2
|
||||
ttyMAX3
|
||||
|
||||
# OMAP serial ports
|
||||
ttyO0
|
||||
ttyO1
|
||||
ttyO2
|
||||
ttyO3
|
||||
|
||||
# User space serial ports
|
||||
ttyU0
|
||||
ttyU1
|
||||
|
||||
# A2232 serial card
|
||||
ttyY0
|
||||
ttyY1
|
||||
|
||||
# IBM 3270 terminal Unix tty access
|
||||
3270/tty1
|
||||
3270/tty2
|
||||
#...
|
||||
|
||||
# IBM iSeries/pSeries virtual console
|
||||
hvc0
|
||||
hvc1
|
||||
#...
|
||||
#IBM pSeries console ports
|
||||
hvsi0
|
||||
hvsi1
|
||||
hvsi2
|
||||
|
||||
# Equinox SST multi-port serial boards
|
||||
ttyEQ0
|
||||
ttyEQ1
|
||||
#...ttyEQ1027
|
||||
|
||||
# ==========================================================
|
||||
#
|
||||
# Not in Documentation/Devices.txt
|
||||
#
|
||||
# ==========================================================
|
||||
|
||||
# Embedded Freescale i.MX ports
|
||||
ttymxc0
|
||||
ttymxc1
|
||||
ttymxc2
|
||||
ttymxc3
|
||||
ttymxc4
|
||||
ttymxc5
|
||||
|
||||
# LXC (Linux Containers)
|
||||
lxc/console
|
||||
lxc/tty1
|
||||
lxc/tty2
|
||||
lxc/tty3
|
||||
lxc/tty4
|
||||
|
||||
# Serial Console for MIPS Swarm
|
||||
duart0
|
||||
duart1
|
||||
|
||||
# s390 and s390x ports in LPAR mode
|
||||
ttysclp0
|
||||
|
||||
# ODROID XU4 serial console
|
||||
ttySAC0
|
||||
ttySAC1
|
||||
ttySAC2
|
||||
ttySAC3
|
||||
Vendored
+49
@@ -0,0 +1,49 @@
|
||||
#!/bin/sh
|
||||
# turn shadow passwords on or off on a Debian system
|
||||
|
||||
set -e
|
||||
|
||||
shadowon () {
|
||||
set -e
|
||||
pwck -q -r
|
||||
grpck -r
|
||||
pwconv
|
||||
grpconv
|
||||
chown root:root /etc/passwd /etc/group
|
||||
chmod 644 /etc/passwd /etc/group
|
||||
chown root:shadow /etc/shadow /etc/gshadow
|
||||
chmod 640 /etc/shadow /etc/gshadow
|
||||
}
|
||||
|
||||
shadowoff () {
|
||||
set -e
|
||||
pwck -q -r
|
||||
grpck -r
|
||||
pwunconv
|
||||
grpunconv
|
||||
# sometimes the passwd perms get munged
|
||||
chown root:root /etc/passwd /etc/group
|
||||
chmod 644 /etc/passwd /etc/group
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
"on")
|
||||
if shadowon ; then
|
||||
echo Shadow passwords are now on.
|
||||
else
|
||||
echo Please correct the error and rerun \`$0 on\'
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
"off")
|
||||
if shadowoff ; then
|
||||
echo Shadow passwords are now off.
|
||||
else
|
||||
echo Please correct the error and rerun \`$0 off\'
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
echo Usage: $0 on \| off
|
||||
;;
|
||||
esac
|
||||
Vendored
+1
@@ -0,0 +1 @@
|
||||
3.0 (quilt)
|
||||
Vendored
+4
@@ -0,0 +1,4 @@
|
||||
usr/bin/newuidmap
|
||||
usr/bin/newgidmap
|
||||
usr/share/man/man1/newuidmap.1
|
||||
usr/share/man/man1/newgidmap.1
|
||||
Vendored
+2
@@ -0,0 +1,2 @@
|
||||
uidmap: setuid-binary usr/bin/newgidmap 4755 root/root
|
||||
uidmap: setuid-binary usr/bin/newuidmap 4755 root/root
|
||||
Vendored
+8196
File diff suppressed because it is too large
Load Diff
Vendored
+37
@@ -0,0 +1,37 @@
|
||||
# Default values for useradd(8)
|
||||
#
|
||||
# The SHELL variable specifies the default login shell on your
|
||||
# system.
|
||||
# Similar to DHSELL in adduser. However, we use "sh" here because
|
||||
# useradd is a low level utility and should be as general
|
||||
# as possible
|
||||
SHELL=/bin/sh
|
||||
#
|
||||
# The default group for users
|
||||
# 100=users on Debian systems
|
||||
# Same as USERS_GID in adduser
|
||||
# This argument is used when the -n flag is specified.
|
||||
# The default behavior (when -n and -g are not specified) is to create a
|
||||
# primary user group with the same name as the user being added to the
|
||||
# system.
|
||||
# GROUP=100
|
||||
#
|
||||
# The default home directory. Same as DHOME for adduser
|
||||
# HOME=/home
|
||||
#
|
||||
# The number of days after a password expires until the account
|
||||
# is permanently disabled
|
||||
# INACTIVE=-1
|
||||
#
|
||||
# The default expire date
|
||||
# EXPIRE=
|
||||
#
|
||||
# The SKEL variable specifies the directory containing "skeletal" user
|
||||
# files; in other words, files such as a sample .profile that will be
|
||||
# copied to the new user's home directory when it is created.
|
||||
# SKEL=/etc/skel
|
||||
#
|
||||
# Defines whether the mail spool should be created while
|
||||
# creating the account
|
||||
# CREATE_MAIL_SPOOL=yes
|
||||
|
||||
Vendored
+4
@@ -0,0 +1,4 @@
|
||||
version=4
|
||||
opts="filenamemangle=s%(?:.*?)?v?(\d[\d.]*)\.tar\.gz%shadow-$1.tar.gz%" \
|
||||
https://github.com/shadow-maint/shadow/tags \
|
||||
(?:.*?/)?v?(\d[\d.]*)\.tar\.gz debian uupdate
|
||||
@@ -0,0 +1,5 @@
|
||||
# This is a dummy Makefile.am to get automake work flawlessly,
|
||||
# and also cooperate to make a distribution for `make dist'
|
||||
|
||||
EXTRA_DIST = HOWTO README.limits \
|
||||
README.platforms WISHLIST console.c.spec.txt cracklib26.diff
|
||||
@@ -0,0 +1,66 @@
|
||||
|
||||
ABOUT shadow-login limits:
|
||||
|
||||
This code is merged into shadow login program from the original LShell 2.01
|
||||
written by Joel Katz. The port and some additional features have been added
|
||||
by Cristian Gafton (gafton@sorosis.ro).
|
||||
|
||||
|
||||
Changes:
|
||||
- 96/04/16
|
||||
- {spaces,tabs} allowed within limits string
|
||||
- Warn via syslog multiple default limits
|
||||
- added few paragraphs to the login man page
|
||||
- 96/04/14
|
||||
- code merged into lmain.c --cristiang
|
||||
|
||||
TODO: - support groups in the limits file
|
||||
(only usernames are supported at this momment :-( )
|
||||
|
||||
Setting user limits for shadow login program
|
||||
|
||||
First, make a root-only-readable file (/etc/limits by default or LIMITS_FILE
|
||||
defined config.h) that describes the resource limits you wish to impose. By
|
||||
default no quotas are imposed on 'root'. In fact, there is no way to impose
|
||||
limits via this procedure to root-equiv accounts (accounts with UID 0).
|
||||
|
||||
Each line describes a limit for a user in the form:
|
||||
|
||||
user LIMITS_STRING
|
||||
|
||||
The LIMITS_STRING is a string of a concatenated list of resource limits.
|
||||
Each limit consists of a letter identifier followed by a numerical limit.
|
||||
The valid identifiers are:
|
||||
|
||||
A: max address space (KB)
|
||||
C: max core file size (KB)
|
||||
D: max data size (KB)
|
||||
F: maximum filesize (KB)
|
||||
M: max locked-in-memory address space (KB)
|
||||
N: max number of open files
|
||||
R: max resident set size (KB)
|
||||
S: max stack size (KB)
|
||||
T: max CPU time (MIN)
|
||||
U: max number of processes
|
||||
L: max number of logins for this user
|
||||
|
||||
For example, L2D2048N5 is a valid LIMITS_STRING. For reading convenience,
|
||||
the following entries are equivalent:
|
||||
|
||||
username L2D2048N5
|
||||
username L2 D2048 N5
|
||||
|
||||
Be aware that after <username> the rest of the line is considered a limit
|
||||
string, thus comments are not allowed. A invalid limits string will be
|
||||
rejected (not considered) by the login program.
|
||||
|
||||
The default entry is denoted by username '*'. If you have multiple 'default'
|
||||
entries in your LIMITS_FILE, then the last one will be used as the default
|
||||
entry.
|
||||
|
||||
To completely disable limits for a user, a single dash (-) will do.
|
||||
|
||||
Also, please note that all limit settings are set PER LOGIN. They are
|
||||
not global, nor are they permanent. Perhaps global limits will come, but
|
||||
for now this will have to do ;)
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user