initial upload

13 files changed, 511 insertions, 0 deletions

diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..992fe2fb7965
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,59 @@
+pkgbase = shadow-minimal-git
+	pkgdesc = Password and account management tool suite with support for shadow files and PAM
+	pkgver = 4.8.1
+	pkgrel = 1
+	url = https://github.com/shadow-maint/shadow
+	install = shadow.install
+	arch = x86_64
+	license = BSD
+	depends = pam
+	depends = acl
+	depends = libacl.so
+	depends = libcap-ng
+	depends = libcap-ng.so
+	depends = libxcrypt
+	depends = libcrypt.so
+	provides = shadow
+	conflicts = shadow
+	options = strip
+	backup = etc/login.defs
+	backup = etc/pam.d/chage
+	backup = etc/pam.d/passwd
+	backup = etc/pam.d/shadow
+	backup = etc/pam.d/useradd
+	backup = etc/pam.d/usermod
+	backup = etc/pam.d/userdel
+	backup = etc/pam.d/chpasswd
+	backup = etc/pam.d/newusers
+	backup = etc/pam.d/groupadd
+	backup = etc/pam.d/groupdel
+	backup = etc/pam.d/groupmod
+	backup = etc/pam.d/chgpasswd
+	backup = etc/pam.d/groupmems
+	backup = etc/default/useradd
+	source = git+https://github.com/shadow-maint/shadow
+	source = LICENSE
+	source = chgpasswd
+	source = chpasswd
+	source = defaults.pam
+	source = login.defs
+	source = newusers
+	source = passwd
+	source = shadow.timer
+	source = shadow.service
+	source = useradd.defaults
+	sha1sums = SKIP
+	sha1sums = SKIP
+	sha1sums = 33a6cf1e44a1410e5c9726c89e5de68b78f5f922
+	sha1sums = 4ad0e059406a305c8640ed30d93c2a1f62c2f4ad
+	sha1sums = 12427b1ca92a9b85ca8202239f0d9f50198b818f
+	sha1sums = 0e56fed7fc93572c6bf0d8f3b099166558bb46f1
+	sha1sums = 81a02eadb5f605fef5c75b6d8a03713a7041864b
+	sha1sums = 12427b1ca92a9b85ca8202239f0d9f50198b818f
+	sha1sums = 611be25d91c3f8f307c7fe2485d5f781e5dee75f
+	sha1sums = a154a94b47a3d0c6c287253b98c0d10b861226d0
+	sha1sums = b5540736f5acbc23b568973eb5645604762db3dd
+	sha1sums = c173208c5cf34528602f9931468a67b7f68abad3
+
+pkgname = shadow-minimal-git
+
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 000000000000..c5ab15a5607a
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,31 @@
+/*
+ * Copyright (c) 1990 - 1994, Julianne Frances Haugh
+ * Copyright (c) 1996 - 2000, Marek Michałkiewicz
+ * Copyright (c) 2001 - 2006, Tomasz Kłoczko
+ * Copyright (c) 2007 - 2009, Nicolas François
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the copyright holders or contributors may not be used to
+ *    endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..827971bc2930
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,138 @@
+# Maintainer:  Vincent Grande <shoober420@gmail.com>
+# Contributor: Dave Reisner <dreisner@archlinux.org>
+# Contributor: Aaron Griffin <aaron@archlinux.org>
+
+pkgname=shadow-minimal-git
+pkgver=4.8.1
+pkgrel=1
+pkgdesc="Password and account management tool suite with support for shadow files and PAM"
+arch=('x86_64')
+url='https://github.com/shadow-maint/shadow'
+license=('BSD')
+# libcap-ng needed by install scriptlet for 'filecap'
+depends=('pam' 'acl' 'libacl.so' 'libcap-ng' 'libcap-ng.so'
+         'libxcrypt' 'libcrypt.so')
+backup=(etc/login.defs
+        etc/pam.d/{chage,passwd,shadow,useradd,usermod,userdel}
+        etc/pam.d/{chpasswd,newusers,groupadd,groupdel,groupmod}
+        etc/pam.d/{chgpasswd,groupmems}
+        etc/default/useradd)
+options=(strip)
+provides=(shadow)
+conflicts=(shadow)
+#validpgpkeys=('D5C2F9BFCA128BBA22A77218872F702C4D6E25A8'   # Christian Perrier
+#              'F1D08DB778185BF784002DFFE9FEEA06A85E3F9D')  # Serge Hallyn
+source=("git+https://github.com/shadow-maint/shadow"
+        LICENSE
+        chgpasswd
+        chpasswd
+        defaults.pam
+        login.defs
+        newusers
+        passwd
+        shadow.{timer,service}
+        useradd.defaults)
+install=shadow.install
+sha1sums=('SKIP'
+          'SKIP'
+          '33a6cf1e44a1410e5c9726c89e5de68b78f5f922'
+          '4ad0e059406a305c8640ed30d93c2a1f62c2f4ad'
+          '12427b1ca92a9b85ca8202239f0d9f50198b818f'
+          '0e56fed7fc93572c6bf0d8f3b099166558bb46f1'
+          '81a02eadb5f605fef5c75b6d8a03713a7041864b'
+          '12427b1ca92a9b85ca8202239f0d9f50198b818f'
+          '611be25d91c3f8f307c7fe2485d5f781e5dee75f'
+          'a154a94b47a3d0c6c287253b98c0d10b861226d0'
+          'b5540736f5acbc23b568973eb5645604762db3dd'
+          'c173208c5cf34528602f9931468a67b7f68abad3')
+
+pkgver() {
+   cd shadow
+   git describe --tags | sed 's/-/+/g'
+}
+
+build() {
+  cd shadow
+
+  autoreconf -fi
+  ./configure \
+    --prefix=/usr \
+    --bindir=/usr/bin \
+    --sbindir=/usr/bin \
+    --libdir=/usr/lib \
+    --mandir=/usr/share/man \
+    --sysconfdir=/etc \
+    --disable-account-tools-setuid \
+    --with-libpam \
+    --with-group-name-max-length=32 \
+    --without-audit \
+    --without-btrfs \
+    --without-selinux
+
+  make
+}
+
+package() {
+  cd shadow
+
+  make DESTDIR="$pkgdir" install
+
+  # license
+  install -Dm644 "$srcdir/LICENSE" "$pkgdir/usr/share/licenses/shadow/LICENSE"
+
+  # useradd defaults
+  install -Dm600 "$srcdir/useradd.defaults" "$pkgdir/etc/default/useradd"
+
+  # systemd units
+  install -D -m644 "$srcdir/shadow.timer" "$pkgdir/usr/lib/systemd/system/shadow.timer"
+  install -D -m644 "$srcdir/shadow.service" "$pkgdir/usr/lib/systemd/system/shadow.service"
+  install -d -m755 "$pkgdir/usr/lib/systemd/system/timers.target.wants"
+  ln -s ../shadow.timer "$pkgdir/usr/lib/systemd/system/timers.target.wants/shadow.timer"
+
+  # login.defs
+  install -Dm644 "$srcdir/login.defs" "$pkgdir/etc/login.defs"
+
+  # PAM config - custom
+  rm "$pkgdir/etc/pam.d"/*
+  install -t "$pkgdir/etc/pam.d" -m644 "$srcdir"/{passwd,chgpasswd,chpasswd,newusers}
+
+  # PAM config - from tarball
+  install -Dm644 etc/pam.d/groupmems "$pkgdir/etc/pam.d/groupmems"
+
+  # we use the 'useradd' PAM file for other similar utilities
+  for file in chage groupadd groupdel groupmod shadow \
+      useradd usermod userdel; do
+    install -Dm644 "$srcdir/defaults.pam" "$pkgdir/etc/pam.d/$file"
+  done
+
+  # Remove evil/broken tools
+  rm "$pkgdir"/usr/sbin/logoutd
+
+  # Remove utilities provided by util-linux
+  rm \
+      "$pkgdir"/usr/bin/{login,su,chsh,chfn,sg,nologin} \
+      "$pkgdir"/usr/sbin/{vipw,vigr}
+
+  # but we keep newgrp, as sg is really an alias to it
+  mv "$pkgdir"/usr/bin/{newgrp,sg}
+
+  # ...and their many man pages
+  find "$pkgdir"/usr/share/man \
+      '(' -name 'chsh.1'    -o \
+          -name 'chfn.1'    -o \
+          -name 'su.1'      -o \
+          -name 'logoutd.8' -o \
+          -name 'login.1'   -o \
+          -name 'nologin.8' -o \
+          -name 'vipw.8'    -o \
+          -name 'vigr.8'    -o \
+          -name 'newgrp.1' ')' \
+      -delete
+  rmdir \
+      "$pkgdir"/usr/share/man/{fi,id,zh_TW}/man1 \
+      "$pkgdir"/usr/share/man/{fi,ko/man8}
+
+  # move everything else to /usr/bin, because this isn't handled by ./configure
+  mv "$pkgdir"/usr/sbin/* "$pkgdir"/usr/bin
+  rmdir "$pkgdir/usr/sbin"
+}
diff --git a/chgpasswd b/chgpasswd
new file mode 100644
index 000000000000..8f49f5cc831e
--- /dev/null
+++ b/chgpasswd
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/chpasswd b/chpasswd
new file mode 100644
index 000000000000..5d447985a4a8
--- /dev/null
+++ b/chpasswd
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_unix.so
+account		required	pam_unix.so
+session		required	pam_unix.so
+password 	required 	pam_unix.so sha512 shadow
diff --git a/defaults.pam b/defaults.pam
new file mode 100644
index 000000000000..a7bf8a4a5b08
--- /dev/null
+++ b/defaults.pam
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_unix.so
+account		required	pam_unix.so
+session		required	pam_unix.so
+password	required	pam_permit.so
diff --git a/login.defs b/login.defs
new file mode 100644
index 000000000000..a0afbc1e9b68
--- /dev/null
+++ b/login.defs
@@ -0,0 +1,208 @@
+#
+# /etc/login.defs - Configuration control definitions for the login package.
+#
+# Three items must be defined:  MAIL_DIR, ENV_SUPATH, and ENV_PATH.
+# If unspecified, some arbitrary (and possibly incorrect) value will
+# be assumed.  All other items are optional - if not specified then
+# the described action or option will be inhibited.
+#
+# Comment lines (lines beginning with "#") and blank lines are ignored.
+#
+# Modified for Linux.  --marekm
+
+#
+# Delay in seconds before being allowed another attempt after a login failure
+#
+FAIL_DELAY		3
+
+#
+# Enable display of unknown usernames when login failures are recorded.
+#
+LOG_UNKFAIL_ENAB	no
+
+#
+# Enable logging of successful logins
+#
+LOG_OK_LOGINS		no
+
+#
+# Enable "syslog" logging of su activity - in addition to sulog file logging.
+# SYSLOG_SG_ENAB does the same for newgrp and sg.
+#
+SYSLOG_SU_ENAB		yes
+SYSLOG_SG_ENAB		yes
+
+#
+# If defined, either full pathname of a file containing device names or
+# a ":" delimited list of device names.  Root logins will be allowed only
+# upon these devices.
+#
+CONSOLE		/etc/securetty
+#CONSOLE	console:tty01:tty02:tty03:tty04
+
+#
+# If defined, all su activity is logged to this file.
+#
+#SULOG_FILE	/var/log/sulog
+
+#
+# If defined, file which maps tty line to TERM environment parameter.
+# Each line of the file is in a format something like "vt100  tty01".
+#
+#TTYTYPE_FILE	/etc/ttytype
+
+#
+# If defined, the command name to display when running "su -".  For
+# example, if this is defined as "su" then a "ps" will display the
+# command is "-su".  If not defined, then "ps" would display the
+# name of the shell actually being run, e.g. something like "-sh".
+#
+SU_NAME		su
+
+#
+# *REQUIRED*
+#   Directory where mailboxes reside, _or_ name of file, relative to the
+#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
+#   QMAIL_DIR is for Qmail
+#
+#QMAIL_DIR	Maildir
+MAIL_DIR	/var/spool/mail
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence.  If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file.  If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+HUSHLOGIN_FILE	.hushlogin
+#HUSHLOGIN_FILE	/etc/hushlogins
+
+#
+# *REQUIRED*  The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+ENV_SUPATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
+ENV_PATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
+
+#
+# Terminal permissions
+#
+#	TTYGROUP	Login tty will be assigned this group ownership.
+#	TTYPERM		Login tty will be set to this permission.
+#
+# If you have a "write" program which is "setgid" to a special group
+# which owns the terminals, define TTYGROUP to the group number and
+# TTYPERM to 0620.  Otherwise leave TTYGROUP commented out and assign
+# TTYPERM to either 622 or 600.
+#
+TTYGROUP	tty
+TTYPERM		0600
+
+#
+# Login configuration initializations:
+#
+#	ERASECHAR	Terminal ERASE character ('\010' = backspace).
+#	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
+#	UMASK		Default "umask" value.
+#
+# The ERASECHAR and KILLCHAR are used only on System V machines.
+# The ULIMIT is used only if the system supports it.
+# (now it works with setrlimit too; ulimit is in 512-byte units)
+#
+# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
+#
+ERASECHAR	0177
+KILLCHAR	025
+UMASK		077
+
+#
+# Password aging controls:
+#
+#	PASS_MAX_DAYS	Maximum number of days a password may be used.
+#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
+#	PASS_WARN_AGE	Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS	99999
+PASS_MIN_DAYS	0
+PASS_WARN_AGE	7
+
+#
+# Min/max values for automatic uid selection in useradd
+#
+UID_MIN			 1000
+UID_MAX			60000
+# System accounts
+SYS_UID_MIN		  500
+SYS_UID_MAX		  999
+
+#
+# Min/max values for automatic gid selection in groupadd
+#
+GID_MIN			 1000
+GID_MAX			60000
+# System accounts
+SYS_GID_MIN		  500
+SYS_GID_MAX		  999
+
+#
+# Max number of login retries if password is bad
+#
+LOGIN_RETRIES		5
+
+#
+# Max time in seconds for login
+#
+LOGIN_TIMEOUT		60
+
+#
+# Which fields may be changed by regular users using chfn - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone).  If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+# 
+CHFN_RESTRICT		rwh
+
+#
+# List of groups to add to the user's supplementary group set
+# when logging in on the console (as determined by the CONSOLE
+# setting).  Default is none.
+#
+# Use with caution - it is possible for users to gain permanent
+# access to these groups, even when not logged in on the console.
+# How to do it is left as an exercise for the reader...
+#
+#CONSOLE_GROUPS		floppy:audio:cdrom
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default in no.
+#
+DEFAULT_HOME	yes
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD	/usr/sbin/userdel_local
+
+#
+# Enable setting of the umask group bits to be the same as owner bits
+# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
+# the same as gid, and username is the same as the primary group name.
+#
+# This also enables userdel to remove user groups if no members exist.
+#
+USERGROUPS_ENAB yes
+
+#
+# Controls display of the motd file. This is better handled by pam_motd.so
+# so the declaration here is empty is suppress display by readers of this
+# file.
+#
+MOTD_FILE
+
+#
+# Hash shadow passwords with SHA512.
+#
+ENCRYPT_METHOD	SHA512
diff --git a/newusers b/newusers
new file mode 100644
index 000000000000..5d447985a4a8
--- /dev/null
+++ b/newusers
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_unix.so
+account		required	pam_unix.so
+session		required	pam_unix.so
+password 	required 	pam_unix.so sha512 shadow
diff --git a/passwd b/passwd
new file mode 100644
index 000000000000..ab56da4967d0
--- /dev/null
+++ b/passwd
@@ -0,0 +1,4 @@
+#%PAM-1.0
+#password	required	pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
+#password	required	pam_unix.so sha512 shadow use_authtok
+password	required	pam_unix.so sha512 shadow nullok
diff --git a/shadow.install b/shadow.install
new file mode 100644
index 000000000000..83d9ab7d3177
--- /dev/null
+++ b/shadow.install
@@ -0,0 +1,22 @@
+setcaps() {
+  _setcap() {
+    if filecap "$1" "$2"; then
+      chmod -s "$1"
+    fi
+  }
+
+  # shadow ships these as setuid, but if we can apply file caps, use those instead.
+  # 'filecap' insists on absolute paths
+  _setcap /usr/bin/newuidmap setuid
+  _setcap /usr/bin/newgidmap setgid
+}
+
+post_install() {
+  setcaps
+}
+
+post_upgrade() {
+  setcaps
+}
+
+# vim:set ts=2 sw=2 et:
diff --git a/shadow.service b/shadow.service
new file mode 100644
index 000000000000..39025d90e1cb
--- /dev/null
+++ b/shadow.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Verify integrity of password and group files
+After=systemd-sysusers.service
+
+[Service]
+Type=simple
+# Always run both checks, but fail the service if either fails
+ExecStart=/bin/sh -c '/usr/bin/pwck -r || r=1; /usr/bin/grpck -r && exit $r'
+Nice=19
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
diff --git a/shadow.timer b/shadow.timer
new file mode 100644
index 000000000000..9cc6baaa9a87
--- /dev/null
+++ b/shadow.timer
@@ -0,0 +1,7 @@
+[Unit]
+Description=Daily verification of password and group files
+
+[Timer]
+OnCalendar=daily
+AccuracySec=12h
+Persistent=true
diff --git a/useradd.defaults b/useradd.defaults
new file mode 100644
index 000000000000..e07fe271ca3b
--- /dev/null
+++ b/useradd.defaults
@@ -0,0 +1,9 @@
+# useradd defaults file for ArchLinux
+# original changes by TomK
+GROUP=users
+HOME=/home
+INACTIVE=-1
+EXPIRE=
+SHELL=/bin/bash
+SKEL=/etc/skel
+CREATE_MAIL_SPOOL=no