diff options
| author | Nicolas Iooss | 2022-12-17 16:35:28 +0100 |
|---|---|---|
| committer | Nicolas Iooss | 2022-12-17 16:35:28 +0100 |
| commit | e49ea2c6df508837624f86261729f79058c3656a (patch) | |
| tree | e617e6ce32609bfb4d50f2a7055dd277251107f9 /0002-Adapt-login.defs-for-PAM-and-util-linux.patch | |
| parent | 87b927a4b3570a4f4598edf5b7f68926d07bbfc2 (diff) | |
| download | aur-e49ea2c6df508837624f86261729f79058c3656a.tar.gz | |
shadow-selinux 4.12.3-2 update
Diffstat (limited to '0002-Adapt-login.defs-for-PAM-and-util-linux.patch')
| -rw-r--r-- | 0002-Adapt-login.defs-for-PAM-and-util-linux.patch | 692 |
1 files changed, 692 insertions, 0 deletions
diff --git a/0002-Adapt-login.defs-for-PAM-and-util-linux.patch b/0002-Adapt-login.defs-for-PAM-and-util-linux.patch new file mode 100644 index 000000000000..18dd041b0d4d --- /dev/null +++ b/0002-Adapt-login.defs-for-PAM-and-util-linux.patch @@ -0,0 +1,692 @@ +From db62b53ff601451e900548dceb72f5165f362fa6 Mon Sep 17 00:00:00 2001 +From: David Runge <dvzrv@archlinux.org> +Date: Mon, 31 Oct 2022 09:45:13 +0100 +Subject: [PATCH 2/4] Adapt login.defs for PAM and util-linux + +etc/login.defs: +Remove unused login.defs options, that are either irrelevant due to the +use of PAM or because the util-linux version of a binary does not +support them. +Modify all options that are ignored when using PAM, but are supported by +util-linux. + +Removed options because they are part of PAMDEFS (options in PAMDEFS are +options silently ignored by shadow when built with PAM enabled): +* CHFN_AUTH +* CRACKLIB_DICTPATH +* ENV_HZ +* ENVIRON_FILE +* ENV_TZ +* FAILLOG_ENAB +* FTMP_FILE +* ISSUE_FILE +* LASTLOG_ENAB +* LOGIN_STRING +* MAIL_CHECK_ENAB +* NOLOGINS_FILE +* OBSCURE_CHECKS_ENAB +* PASS_ALWAYS_WARN +* PASS_CHANGE_TRIES +* PASS_MAX_LEN +* PASS_MIN_LEN +* PORTTIME_CHECKS_ENAB +* QUOTAS_ENAB +* SU_WHEEL_ONLY +* SYSLOG_SU_ENAB +* ULIMIT + +Removed options because they are not availablbe with PAM enabled: +* CONSOLE_GROUPS +* CONSOLE +* MD5_CRYPT_ENAB +* PREVENT_NO_AUTH + +Removed options because they are not supported by login from util-linux: +* ERASECHAR +* KILLCHAR +* LOG_OK_LOGINS +* TTYTYPE_FILE + +Removed options because they are not supported by su from util-linux: +* SULOG_FILE +* SU_NAME + +Adapted options because they are in PAMDEFS but are supported by login +from util-linux: +* MOTD_FILE + +man/login.defs.5.xml: +Remove unavailable options from man 5 login.defs. +--- + etc/login.defs | 212 +------------------------------------------ + man/login.defs.5.xml | 150 +----------------------------- + 2 files changed, 8 insertions(+), 354 deletions(-) + +diff --git a/etc/login.defs b/etc/login.defs +index 114dbcd9..7c633a57 100644 +--- a/etc/login.defs ++++ b/etc/login.defs +@@ -3,6 +3,8 @@ + # + # $Id$ + # ++# NOTE: This file is adapted for the use on Arch Linux! ++# Unsupported options due to the use of util-linux or PAM are removed. + + # + # Delay in seconds before being allowed another attempt after a login failure +@@ -11,26 +13,11 @@ + # + FAIL_DELAY 3 + +-# +-# Enable logging and display of /var/log/faillog login(1) failure info. +-# +-FAILLOG_ENAB yes +- + # + # Enable display of unknown usernames when login(1) failures are recorded. + # + LOG_UNKFAIL_ENAB no + +-# +-# Enable logging of successful logins +-# +-LOG_OK_LOGINS no +- +-# +-# Enable logging and display of /var/log/lastlog login(1) time info. +-# +-LASTLOG_ENAB yes +- + # + # Limit the highest user ID number for which the lastlog entries should + # be updated. +@@ -40,88 +27,13 @@ LASTLOG_ENAB yes + # + #LASTLOG_UID_MAX + +-# +-# Enable checking and display of mailbox status upon login. +-# +-# Disable if the shell startup files already check for mail +-# ("mailx -e" or equivalent). +-# +-MAIL_CHECK_ENAB yes +- +-# +-# Enable additional checks upon password changes. +-# +-OBSCURE_CHECKS_ENAB yes +- +-# +-# Enable checking of time restrictions specified in /etc/porttime. +-# +-PORTTIME_CHECKS_ENAB yes +- +-# +-# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field. +-# +-QUOTAS_ENAB yes +- +-# +-# Enable "syslog" logging of su(1) activity - in addition to sulog file logging. +-# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1). +-# +-SYSLOG_SU_ENAB yes +-SYSLOG_SG_ENAB yes +- +-# +-# If defined, either full pathname of a file containing device names or +-# a ":" delimited list of device names. Root logins will be allowed only +-# from these devices. +-# +-CONSOLE /etc/securetty +-#CONSOLE console:tty01:tty02:tty03:tty04 +- +-# +-# If defined, all su(1) activity is logged to this file. +-# +-#SULOG_FILE /var/log/sulog +- + # + # If defined, ":" delimited list of "message of the day" files to + # be displayed upon login. + # +-MOTD_FILE /etc/motd ++MOTD_FILE + #MOTD_FILE /etc/motd:/usr/lib/news/news-motd + +-# +-# If defined, this file will be output before each login(1) prompt. +-# +-#ISSUE_FILE /etc/issue +- +-# +-# If defined, file which maps tty line to TERM environment parameter. +-# Each line of the file is in a format similar to "vt100 tty01". +-# +-#TTYTYPE_FILE /etc/ttytype +- +-# +-# If defined, login(1) failures will be logged here in a utmp format. +-# last(1), when invoked as lastb(1), will read /var/log/btmp, so... +-# +-FTMP_FILE /var/log/btmp +- +-# +-# If defined, name of file whose presence will inhibit non-root +-# logins. The content of this file should be a message indicating +-# why logins are inhibited. +-# +-NOLOGINS_FILE /etc/nologin +- +-# +-# If defined, the command name to display when running "su -". For +-# example, if this is defined as "su" then ps(1) will display the +-# command as "-su". If not defined, then ps(1) will display the +-# name of the shell actually being run, e.g. something like "-sh". +-# +-SU_NAME su +- + # + # *REQUIRED* + # Directory where mailboxes reside, _or_ name of file, relative to the +@@ -139,21 +51,6 @@ MAIL_DIR /var/spool/mail + HUSHLOGIN_FILE .hushlogin + #HUSHLOGIN_FILE /etc/hushlogins + +-# +-# If defined, either a TZ environment parameter spec or the +-# fully-rooted pathname of a file containing such a spec. +-# +-#ENV_TZ TZ=CST6CDT +-#ENV_TZ /etc/tzname +- +-# +-# If defined, an HZ environment parameter spec. +-# +-# for Linux/x86 +-ENV_HZ HZ=100 +-# For Linux/Alpha... +-#ENV_HZ HZ=1024 +- + # + # *REQUIRED* The default PATH settings, for superuser and normal users. + # +@@ -175,23 +72,6 @@ ENV_PATH PATH=/bin:/usr/bin + TTYGROUP tty + TTYPERM 0600 + +-# +-# Login configuration initializations: +-# +-# ERASECHAR Terminal ERASE character ('\010' = backspace). +-# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +-# ULIMIT Default "ulimit" value. +-# +-# The ERASECHAR and KILLCHAR are used only on System V machines. +-# The ULIMIT is used only if the system supports it. +-# (now it works with setrlimit too; ulimit is in 512-byte units) +-# +-# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +-# +-ERASECHAR 0177 +-KILLCHAR 025 +-#ULIMIT 2097152 +- + # Default initial "umask" value used by login(1) on non-PAM enabled systems. + # Default "umask" value for pam_umask(8) on PAM enabled systems. + # UMASK is also used by useradd(8) and newusers(8) to set the mode for new +@@ -211,27 +91,12 @@ UMASK 022 + # + # PASS_MAX_DAYS Maximum number of days a password may be used. + # PASS_MIN_DAYS Minimum number of days allowed between password changes. +-# PASS_MIN_LEN Minimum acceptable password length. + # PASS_WARN_AGE Number of days warning given before a password expires. + # + PASS_MAX_DAYS 99999 + PASS_MIN_DAYS 0 +-PASS_MIN_LEN 5 + PASS_WARN_AGE 7 + +-# +-# If "yes", the user must be listed as a member of the first gid 0 group +-# in /etc/group (called "root" on most Linux systems) to be able to "su" +-# to uid 0 accounts. If the group doesn't exist or is empty, no one +-# will be able to "su" to uid 0. +-# +-SU_WHEEL_ONLY no +- +-# +-# If compiled with cracklib support, sets the path to the dictionaries +-# +-CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict +- + # + # Min/max values for automatic uid selection in useradd(8) + # +@@ -268,28 +133,6 @@ LOGIN_RETRIES 5 + # + LOGIN_TIMEOUT 60 + +-# +-# Maximum number of attempts to change password if rejected (too easy) +-# +-PASS_CHANGE_TRIES 5 +- +-# +-# Warn about weak passwords (but still allow them) if you are root. +-# +-PASS_ALWAYS_WARN yes +- +-# +-# Number of significant characters in the password for crypt(). +-# Default is 8, don't change unless your crypt() is better. +-# Ignored if MD5_CRYPT_ENAB set to "yes". +-# +-#PASS_MAX_LEN 8 +- +-# +-# Require password before chfn(1)/chsh(1) can make any changes. +-# +-CHFN_AUTH yes +- + # + # Which fields may be changed by regular users using chfn(1) - use + # any combination of letters "frwh" (full name, room number, work +@@ -298,38 +141,14 @@ CHFN_AUTH yes + # + CHFN_RESTRICT rwh + +-# +-# Password prompt (%s will be replaced by user name). +-# +-# XXX - it doesn't work correctly yet, for now leave it commented out +-# to use the default which is just "Password: ". +-#LOGIN_STRING "%s's Password: " +- +-# +-# Only works if compiled with MD5_CRYPT defined: +-# If set to "yes", new passwords will be encrypted using the MD5-based +-# algorithm compatible with the one used by recent releases of FreeBSD. +-# It supports passwords of unlimited length and longer salt strings. +-# Set to "no" if you need to copy encrypted passwords to other systems +-# which don't understand the new algorithm. Default is "no". +-# +-# Note: If you use PAM, it is recommended to use a value consistent with +-# the PAM modules configuration. +-# +-# This variable is deprecated. You should use ENCRYPT_METHOD instead. +-# +-#MD5_CRYPT_ENAB no +- + # + # Only works if compiled with ENCRYPTMETHOD_SELECT defined: +-# If set to MD5, MD5-based algorithm will be used for encrypting password + # If set to SHA256, SHA256-based algorithm will be used for encrypting password + # If set to SHA512, SHA512-based algorithm will be used for encrypting password + # If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password + # If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password + # If set to DES, DES-based algorithm will be used for encrypting password (default) + # MD5 and DES should not be used for new hashes, see crypt(5) for recommendations. +-# Overrides the MD5_CRYPT_ENAB option + # + # Note: If you use PAM, it is recommended to use a value consistent with + # the PAM modules configuration. +@@ -381,17 +200,6 @@ CHFN_RESTRICT rwh + # + #YESCRYPT_COST_FACTOR 5 + +-# +-# List of groups to add to the user's supplementary group set +-# when logging in from the console (as determined by the CONSOLE +-# setting). Default is none. +-# +-# Use with caution - it is possible for users to gain permanent +-# access to these groups, even when not logged in from the console. +-# How to do it is left as an exercise for the reader... +-# +-#CONSOLE_GROUPS floppy:audio:cdrom +- + # + # Should login be allowed if we can't cd to the home directory? + # Default is no. +@@ -406,12 +214,6 @@ DEFAULT_HOME yes + # + NONEXISTENT /nonexistent + +-# +-# If this file exists and is readable, login environment will be +-# read from it. Every line should be in the form name=value. +-# +-ENVIRON_FILE /etc/environment +- + # + # If defined, this command is run when removing a user. + # It should remove any at/cron/print jobs etc. owned by +@@ -459,14 +261,6 @@ USERGROUPS_ENAB yes + # + #GRANT_AUX_GROUP_SUBIDS yes + +-# +-# Prevents an empty password field to be interpreted as "no authentication +-# required". +-# Set to "yes" to prevent for all accounts +-# Set to "superuser" to prevent for UID 0 / root (default) +-# Set to "no" to not prevent for any account (dangerous, historical default) +-PREVENT_NO_AUTH superuser +- + # + # Select the HMAC cryptography algorithm. + # Used in pam_timestamp module to calculate the keyed-hash message +diff --git a/man/login.defs.5.xml b/man/login.defs.5.xml +index ab62fa86..d82c47f1 100644 +--- a/man/login.defs.5.xml ++++ b/man/login.defs.5.xml +@@ -7,69 +7,38 @@ + --> + <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN" + "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ +-<!ENTITY CHFN_AUTH SYSTEM "login.defs.d/CHFN_AUTH.xml"> + <!ENTITY CHFN_RESTRICT SYSTEM "login.defs.d/CHFN_RESTRICT.xml"> +-<!ENTITY CHSH_AUTH SYSTEM "login.defs.d/CHSH_AUTH.xml"> +-<!ENTITY CONSOLE SYSTEM "login.defs.d/CONSOLE.xml"> +-<!ENTITY CONSOLE_GROUPS SYSTEM "login.defs.d/CONSOLE_GROUPS.xml"> + <!ENTITY CREATE_HOME SYSTEM "login.defs.d/CREATE_HOME.xml"> + <!ENTITY DEFAULT_HOME SYSTEM "login.defs.d/DEFAULT_HOME.xml"> + <!ENTITY ENCRYPT_METHOD SYSTEM "login.defs.d/ENCRYPT_METHOD.xml"> +-<!ENTITY ENV_HZ SYSTEM "login.defs.d/ENV_HZ.xml"> + <!ENTITY ENV_PATH SYSTEM "login.defs.d/ENV_PATH.xml"> + <!ENTITY ENV_SUPATH SYSTEM "login.defs.d/ENV_SUPATH.xml"> +-<!ENTITY ENV_TZ SYSTEM "login.defs.d/ENV_TZ.xml"> +-<!ENTITY ENVIRON_FILE SYSTEM "login.defs.d/ENVIRON_FILE.xml"> +-<!ENTITY ERASECHAR SYSTEM "login.defs.d/ERASECHAR.xml"> + <!ENTITY FAIL_DELAY SYSTEM "login.defs.d/FAIL_DELAY.xml"> +-<!ENTITY FAILLOG_ENAB SYSTEM "login.defs.d/FAILLOG_ENAB.xml"> +-<!ENTITY FAKE_SHELL SYSTEM "login.defs.d/FAKE_SHELL.xml"> +-<!ENTITY FTMP_FILE SYSTEM "login.defs.d/FTMP_FILE.xml"> + <!ENTITY GID_MAX SYSTEM "login.defs.d/GID_MAX.xml"> + <!ENTITY HMAC_CRYPTO_ALGO SYSTEM "login.defs.d/HMAC_CRYPTO_ALGO.xml"> + <!ENTITY HOME_MODE SYSTEM "login.defs.d/HOME_MODE.xml"> + <!ENTITY HUSHLOGIN_FILE SYSTEM "login.defs.d/HUSHLOGIN_FILE.xml"> +-<!ENTITY ISSUE_FILE SYSTEM "login.defs.d/ISSUE_FILE.xml"> +-<!ENTITY KILLCHAR SYSTEM "login.defs.d/KILLCHAR.xml"> +-<!ENTITY LASTLOG_ENAB SYSTEM "login.defs.d/LASTLOG_ENAB.xml"> + <!ENTITY LASTLOG_UID_MAX SYSTEM "login.defs.d/LASTLOG_UID_MAX.xml"> +-<!ENTITY LOG_OK_LOGINS SYSTEM "login.defs.d/LOG_OK_LOGINS.xml"> + <!ENTITY LOG_UNKFAIL_ENAB SYSTEM "login.defs.d/LOG_UNKFAIL_ENAB.xml"> + <!ENTITY LOGIN_RETRIES SYSTEM "login.defs.d/LOGIN_RETRIES.xml"> +-<!ENTITY LOGIN_STRING SYSTEM "login.defs.d/LOGIN_STRING.xml"> + <!ENTITY LOGIN_TIMEOUT SYSTEM "login.defs.d/LOGIN_TIMEOUT.xml"> +-<!ENTITY MAIL_CHECK_ENAB SYSTEM "login.defs.d/MAIL_CHECK_ENAB.xml"> + <!ENTITY MAIL_DIR SYSTEM "login.defs.d/MAIL_DIR.xml"> + <!ENTITY MAX_MEMBERS_PER_GROUP SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml"> +-<!ENTITY MD5_CRYPT_ENAB SYSTEM "login.defs.d/MD5_CRYPT_ENAB.xml"> + <!ENTITY MOTD_FILE SYSTEM "login.defs.d/MOTD_FILE.xml"> +-<!ENTITY NOLOGINS_FILE SYSTEM "login.defs.d/NOLOGINS_FILE.xml"> + <!ENTITY NONEXISTENT SYSTEM "login.defs.d/NONEXISTENT.xml"> +-<!ENTITY OBSCURE_CHECKS_ENAB SYSTEM "login.defs.d/OBSCURE_CHECKS_ENAB.xml"> +-<!ENTITY PASS_ALWAYS_WARN SYSTEM "login.defs.d/PASS_ALWAYS_WARN.xml"> +-<!ENTITY PASS_CHANGE_TRIES SYSTEM "login.defs.d/PASS_CHANGE_TRIES.xml"> +-<!ENTITY PASS_MAX_LEN SYSTEM "login.defs.d/PASS_MAX_LEN.xml"> + <!ENTITY PASS_MAX_DAYS SYSTEM "login.defs.d/PASS_MAX_DAYS.xml"> + <!ENTITY PASS_MIN_DAYS SYSTEM "login.defs.d/PASS_MIN_DAYS.xml"> + <!ENTITY PASS_WARN_AGE SYSTEM "login.defs.d/PASS_WARN_AGE.xml"> +-<!ENTITY PORTTIME_CHECKS_ENAB SYSTEM "login.defs.d/PORTTIME_CHECKS_ENAB.xml"> +-<!ENTITY QUOTAS_ENAB SYSTEM "login.defs.d/QUOTAS_ENAB.xml"> + <!ENTITY SHA_CRYPT_MIN_ROUNDS SYSTEM "login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml"> +-<!ENTITY SULOG_FILE SYSTEM "login.defs.d/SULOG_FILE.xml"> +-<!ENTITY SU_NAME SYSTEM "login.defs.d/SU_NAME.xml"> +-<!ENTITY SU_WHEEL_ONLY SYSTEM "login.defs.d/SU_WHEEL_ONLY.xml"> + <!ENTITY SUB_GID_COUNT SYSTEM "login.defs.d/SUB_GID_COUNT.xml"> + <!ENTITY SUB_UID_COUNT SYSTEM "login.defs.d/SUB_UID_COUNT.xml"> + <!ENTITY SYS_GID_MAX SYSTEM "login.defs.d/SYS_GID_MAX.xml"> + <!ENTITY SYSLOG_SG_ENAB SYSTEM "login.defs.d/SYSLOG_SG_ENAB.xml"> +-<!ENTITY SYSLOG_SU_ENAB SYSTEM "login.defs.d/SYSLOG_SU_ENAB.xml"> + <!ENTITY SYS_UID_MAX SYSTEM "login.defs.d/SYS_UID_MAX.xml"> + <!ENTITY TCB_AUTH_GROUP SYSTEM "login.defs.d/TCB_AUTH_GROUP.xml"> + <!ENTITY TCB_SYMLINKS SYSTEM "login.defs.d/TCB_SYMLINKS.xml"> + <!ENTITY TTYGROUP SYSTEM "login.defs.d/TTYGROUP.xml"> +-<!ENTITY TTYTYPE_FILE SYSTEM "login.defs.d/TTYTYPE_FILE.xml"> + <!ENTITY UID_MAX SYSTEM "login.defs.d/UID_MAX.xml"> +-<!ENTITY ULIMIT SYSTEM "login.defs.d/ULIMIT.xml"> + <!ENTITY UMASK SYSTEM "login.defs.d/UMASK.xml"> + <!ENTITY USERDEL_CMD SYSTEM "login.defs.d/USERDEL_CMD.xml"> + <!ENTITY USERGROUPS_ENAB SYSTEM "login.defs.d/USERGROUPS_ENAB.xml"> +@@ -145,47 +114,25 @@ + <para>The following configuration items are provided:</para> + + <variablelist remap='IP'> +- &CHFN_AUTH; + &CHFN_RESTRICT; +- &CHSH_AUTH; +- &CONSOLE; +- &CONSOLE_GROUPS; + &CREATE_HOME; + &DEFAULT_HOME; + &ENCRYPT_METHOD; +- &ENV_HZ; + &ENV_PATH; + &ENV_SUPATH; +- &ENV_TZ; +- &ENVIRON_FILE; +- &ERASECHAR; + &FAIL_DELAY; +- &FAILLOG_ENAB; +- &FAKE_SHELL; +- &FTMP_FILE; + &GID_MAX; <!-- documents also GID_MIN --> + &HMAC_CRYPTO_ALGO; + &HOME_MODE; + &HUSHLOGIN_FILE; +- &ISSUE_FILE; +- &KILLCHAR; +- &LASTLOG_ENAB; + &LASTLOG_UID_MAX; +- &LOG_OK_LOGINS; + &LOG_UNKFAIL_ENAB; + &LOGIN_RETRIES; +- &LOGIN_STRING; + &LOGIN_TIMEOUT; +- &MAIL_CHECK_ENAB; + &MAIL_DIR; + &MAX_MEMBERS_PER_GROUP; +- &MD5_CRYPT_ENAB; + &MOTD_FILE; +- &NOLOGINS_FILE; + &NONEXISTENT; +- &OBSCURE_CHECKS_ENAB; +- &PASS_ALWAYS_WARN; +- &PASS_CHANGE_TRIES; + &PASS_MAX_DAYS; + &PASS_MIN_DAYS; + &PASS_WARN_AGE; +@@ -195,25 +142,16 @@ + time of account creation. Any changes to these settings won't affect + existing accounts. + </para> +- &PASS_MAX_LEN; <!-- documents also PASS_MIN_LEN --> +- &PORTTIME_CHECKS_ENAB; +- "AS_ENAB; + &SHA_CRYPT_MIN_ROUNDS; <!-- documents also SHA_CRYPT_MAX_ROUNDS --> +- &SULOG_FILE; +- &SU_NAME; +- &SU_WHEEL_ONLY; + &SUB_GID_COUNT; <!-- documents also SUB_GID_MIN SUB_GID_MAX --> + &SUB_UID_COUNT; <!-- documents also SUB_UID_MIN SUB_UID_MAX --> + &SYS_GID_MAX; <!-- documents also SYS_GID_MIN --> + &SYS_UID_MAX; <!-- documents also SYS_UID_MIN --> + &SYSLOG_SG_ENAB; +- &SYSLOG_SU_ENAB; + &TCB_AUTH_GROUP; + &TCB_SYMLINKS; + &TTYGROUP; +- &TTYTYPE_FILE; + &UID_MAX; <!-- documents also UID_MIN --> +- &ULIMIT; + &UMASK; + &USERDEL_CMD; + &USERGROUPS_ENAB; +@@ -239,9 +177,7 @@ + <term>chfn</term> + <listitem> + <para> +- <phrase condition="no_pam">CHFN_AUTH</phrase> + CHFN_RESTRICT +- <phrase condition="no_pam">LOGIN_STRING</phrase> + </para> + </listitem> + </varlistentry> +@@ -249,7 +185,7 @@ + <term>chgpasswd</term> + <listitem> + <para> +- ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB ++ ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP + <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS + SHA_CRYPT_MIN_ROUNDS</phrase> + </para> +@@ -259,8 +195,6 @@ + <term>chpasswd</term> + <listitem> + <para> +- <phrase condition="no_pam">ENCRYPT_METHOD +- MD5_CRYPT_ENAB </phrase> + <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS + SHA_CRYPT_MIN_ROUNDS</phrase> + </para> +@@ -270,7 +204,7 @@ + <term>chsh</term> + <listitem> + <para> +- CHSH_AUTH LOGIN_STRING ++ CHSH_AUTH + </para> + </listitem> + </varlistentry> +@@ -280,7 +214,7 @@ + <term>gpasswd</term> + <listitem> + <para> +- ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB ++ ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP + <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS + SHA_CRYPT_MIN_ROUNDS</phrase> + </para> +@@ -339,35 +273,6 @@ + <para>LASTLOG_UID_MAX</para> + </listitem> + </varlistentry> +- <varlistentry> +- <term>login</term> +- <listitem> +- <para> +- <phrase condition="no_pam">CONSOLE</phrase> +- CONSOLE_GROUPS DEFAULT_HOME +- <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH +- ENV_TZ ENVIRON_FILE</phrase> +- ERASECHAR FAIL_DELAY +- <phrase condition="no_pam">FAILLOG_ENAB</phrase> +- FAKE_SHELL +- <phrase condition="no_pam">FTMP_FILE</phrase> +- HUSHLOGIN_FILE +- <phrase condition="no_pam">ISSUE_FILE</phrase> +- KILLCHAR +- <phrase condition="no_pam">LASTLOG_ENAB LASTLOG_UID_MAX</phrase> +- LOGIN_RETRIES +- <phrase condition="no_pam">LOGIN_STRING</phrase> +- LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB +- <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE +- MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB +- QUOTAS_ENAB</phrase> +- TTYGROUP TTYPERM TTYTYPE_FILE +- <phrase condition="no_pam">ULIMIT UMASK</phrase> +- USERGROUPS_ENAB +- </para> +- </listitem> +- </varlistentry> +- <!-- logoutd: no variables --> + <varlistentry> + <term>newgrp / sg</term> + <listitem> +@@ -382,7 +287,7 @@ + <para> + ENCRYPT_METHOD + GID_MAX GID_MIN +- MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB ++ MAX_MEMBERS_PER_GROUP + HOME_MODE + PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE + <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS +@@ -399,8 +304,7 @@ + <term>passwd</term> + <listitem> + <para> +- ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB +- PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN ++ ENCRYPT_METHOD + <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS + SHA_CRYPT_MIN_ROUNDS</phrase> + </para> +@@ -432,32 +336,6 @@ + </para> + </listitem> + </varlistentry> +- <varlistentry> +- <term>su</term> +- <listitem> +- <para> +- <phrase condition="no_pam">CONSOLE</phrase> +- CONSOLE_GROUPS DEFAULT_HOME +- <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase> +- ENV_PATH ENV_SUPATH +- <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB +- MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase> +- SULOG_FILE SU_NAME +- <phrase condition="no_pam">SU_WHEEL_ONLY</phrase> +- SYSLOG_SU_ENAB +- <phrase condition="no_pam">USERGROUPS_ENAB</phrase> +- </para> +- </listitem> +- </varlistentry> +- <varlistentry> +- <term>sulogin</term> +- <listitem> +- <para> +- ENV_HZ +- <phrase condition="no_pam">ENV_TZ</phrase> +- </para> +- </listitem> +- </varlistentry> + <varlistentry> + <term>useradd</term> + <listitem> +@@ -486,24 +364,6 @@ + </para> + </listitem> + </varlistentry> +- <varlistentry> +- <term>usermod</term> +- <listitem> +- <para> +- LASTLOG_UID_MAX +- MAIL_DIR MAIL_FILE MAX_MEMBERS_PER_GROUP +- <phrase condition="tcb">TCB_SYMLINKS USE_TCB</phrase> +- </para> +- </listitem> +- </varlistentry> +- <varlistentry condition="tcb"> +- <term>vipw</term> +- <listitem> +- <para> +- <phrase condition="tcb">USE_TCB</phrase> +- </para> +- </listitem> +- </varlistentry> + </variablelist> + </refsect1> + +-- +2.38.1 + |