authorNicolas Iooss2022-12-17 16:35:28 +0100
committerNicolas Iooss2022-12-17 16:35:28 +0100
commite49ea2c6df508837624f86261729f79058c3656a (patch)
treee617e6ce32609bfb4d50f2a7055dd277251107f9
parent87b927a4b3570a4f4598edf5b7f68926d07bbfc2 (diff)
downloadaur-e49ea2c6df508837624f86261729f79058c3656a.tar.gz
shadow-selinux 4.12.3-2 update
-rw-r--r--.SRCINFO56
-rw-r--r--0001-Disable-replaced-tools-and-man-pages.patch702
-rw-r--r--0002-Adapt-login.defs-for-PAM-and-util-linux.patch692
-rw-r--r--0003-Add-Arch-Linux-defaults-for-login.defs.patch73
-rw-r--r--0004-Add-Arch-Linux-defaults-for-etc-pam.d.patch201
-rw-r--r--PKGBUILD169
-rw-r--r--chgpasswd4
-rw-r--r--chpasswd6
-rw-r--r--defaults.pam6
-rw-r--r--newusers6
-rw-r--r--passwd4
-rw-r--r--shadow-4.11.1-login.defs.patch308
-rw-r--r--shadow.install22
-rw-r--r--shadow.service28
14 files changed, 1789 insertions, 488 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 50d325333ba6..7213a121fd13 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,13 +1,16 @@
pkgbase = shadow-selinux
pkgdesc = Password and account management tool suite with support for shadow files and PAM - SELinux support
- pkgver = 4.11.1
- pkgrel = 3
+ pkgver = 4.12.3
+ pkgrel = 2
url = https://github.com/shadow-maint/shadow
- install = shadow.install
arch = x86_64
arch = aarch64
groups = selinux
license = BSD
+ makedepends = docbook-xsl
+ makedepends = itstool
+ makedepends = libcap
+ makedepends = libxslt
depends = acl
depends = libacl.so
depends = attr
@@ -15,15 +18,14 @@ pkgbase = shadow-selinux
depends = audit
depends = libaudit.so
depends = glibc
- depends = libcap-ng
depends = libxcrypt
depends = libcrypt.so
depends = pam-selinux
depends = libpam.so
depends = libpam_misc.so
depends = libsemanage>=3.2
- provides = shadow=4.11.1-3
- provides = selinux-shadow=4.11.1-3
+ provides = shadow=4.12.3-2
+ provides = selinux-shadow=4.12.3-2
conflicts = shadow
conflicts = selinux-shadow
options = !emptydirs
@@ -42,39 +44,33 @@ pkgbase = shadow-selinux
backup = etc/pam.d/useradd
backup = etc/pam.d/userdel
backup = etc/pam.d/usermod
- source = https://github.com/shadow-maint/shadow/releases/download/v4.11.1/shadow-4.11.1.tar.xz
- source = https://github.com/shadow-maint/shadow/releases/download/v4.11.1/shadow-4.11.1.tar.xz.asc
- source = chgpasswd
- source = chpasswd
- source = defaults.pam
- source = newusers
- source = passwd
+ source = https://github.com/shadow-maint/shadow/releases/download/4.12.3/shadow-4.12.3.tar.xz
+ source = https://github.com/shadow-maint/shadow/releases/download/4.12.3/shadow-4.12.3.tar.xz.asc
+ source = 0001-Disable-replaced-tools-and-man-pages.patch
+ source = 0002-Adapt-login.defs-for-PAM-and-util-linux.patch
+ source = 0003-Add-Arch-Linux-defaults-for-login.defs.patch
+ source = 0004-Add-Arch-Linux-defaults-for-etc-pam.d.patch
source = shadow.timer
source = shadow.service
source = useradd.defaults
- source = shadow-4.11.1-login.defs.patch
validpgpkeys = 66D0387DB85D320F8408166DB175CFA98F192AF2
- sha512sums = 12fbe4d6ac929ad3c21525ed0f1026b5b678ccec9762f2ec7e611d9c180934def506325f2835fb750dd30af035b592f827ff151cd6e4c805aaaf8e01425c279f
+ sha512sums = 0529889258f54e7634762dc154aa680d55f8c5f1654afadd1b7431cfbb890a3b1ba27c7ff4b7c45986e4ee2289946db2e420b23ed13e4e5b15800a1fb3a013bc
sha512sums = SKIP
- sha512sums = aef316f283a0ba0387afd5bd049b20d748dcfe8aebc5f5ea1ce1308167d6a578ae7d0007a5ed4d9862de7d377851edd2c8771e1fb1076262468078c2c76e42fc
- sha512sums = dc75dfeafa901f9988176b82ef9db5d927dfe687a72ca36ca13ba3e7ac1b0c8055db1104373f2a7ac463e156f079cbc1f0a9f5e6e16b9f74153eb63dcb8f96df
- sha512sums = 41c856d893c4157b158d79341fe2b1892be463e17f7a007f1c17397b5625c1d2d5671bc0b37879064ae715a918fb9b05c32d18d1aaa64284cddd8ecbda9b2434
- sha512sums = dc75dfeafa901f9988176b82ef9db5d927dfe687a72ca36ca13ba3e7ac1b0c8055db1104373f2a7ac463e156f079cbc1f0a9f5e6e16b9f74153eb63dcb8f96df
- sha512sums = 4fb7474ea9dedf86e4c65bf18f503a6d8c00d477a7c32be3cfdfd026bd62ef866d009c50e5a2dc2101bea332c5697bc1e0d55225f39c83252860f5b9b7461aeb
+ sha512sums = a0c69c252a8e41b1e3aa4c76cc6c37893a667dd079db9b7bdb54143d4b81f56551b787a93dad6e4adcd532cd12b51c9a5a5a4ae509f7ab5fe732fb9f23f57b5c
+ sha512sums = a44f3d71376a39bc7bb9d43290f619964f83184dba938857f5765c439150df2c9ba00f115579a7eeca5b316ea71808e9606c6ba977a41aa7fc4b1675606f1351
+ sha512sums = e8418e6d518101be63e7890254f9a0490f94302882689a0b69601186c9f1915831a34bb6998dbc92b753bff3f762793a7ccade66c2bac2d7b7a77d1a861d5cb7
+ sha512sums = 4e6b1f88ab1e3416ab0633b897ebb1359d422b5c2222f3ed3631732f790c42352d1cbe66fa08f45eb2e1679af8f602a95fcc7f463f1bba94c2414e902a4fa215
sha512sums = e4edf705dd04e088c6b561713eaa1afeb92f42ac13722bff037aede6ac5ad7d4d00828cfb677f7b1ff048db8b6788238c1ab6a71dfcfd3e02ef6cb78ae09a621
- sha512sums = 67a49415f676a443f81021bfa29d198462008da1224086f8c549b19c2fd21514ca3302d5ac23edec28b9c724fef921596586423ebe41e852ebfbe7216af727e6
+ sha512sums = 86c9412e379c0fc97c0eec417340adae990342f35d6663a6a59e8aae2221a5fbfd0437b5892aefd9cf09ef76a970f3a42b20cea051db651475d526eda17a973a
sha512sums = e9ffea021ee4031b9ad3a534bfb94dbf9d0dfd45a55ecac5dedb2453ea0c17fb80bbb9ad039686bc1f3349dc371977eb548e3a665c56531469c22f29fc4eced8
- sha512sums = f5f1fad77363db46ca513c76f22654924dd732cdf2e596fcfccb0a47a70d6099b6705e90adb661cd45af076959ef1f9f6bba66942500e603df9421caa9ed2f80
- b2sums = d459a1e0ffb342b6b455caf65e6af60b32eee72d4a9b1ab126485fb4632503a42061d3f0b960554c8155af6dc0564c585335b27aecca6538b394a0d58d927588
+ b2sums = 63b10d75a11d419156a996b8acf1bebbfab28999c2ab796e6625c028882073d4021806d8b56224190886c076a1205955e7797cb6f797ef73af3a8a33ac34bf2f
b2sums = SKIP
- b2sums = 31e74eebedf8cb6e5ade36096b4399892d7091b9dce4645fde591f64802dc8befd73ae8019e78f8d326a605b224c7828694d21788bd6073db43c41cf5a9c2805
- b2sums = 1518839dbfe12f2f55190976de808515f93eb8c06f1570f02780a5ce8c237e0be43aa7cd0fbbe4c88af1f641586e4d3cf122896d97c7594ef72991e1801ee666
- b2sums = 5fde901d7d29995523cf261de973cc053265f37cf8fecc5511ccfff35a6ef4308f8cf36dc94e37c8b7604694ffa6ab87331c9b533b3538c6f7d7d911c9f94d19
- b2sums = 1518839dbfe12f2f55190976de808515f93eb8c06f1570f02780a5ce8c237e0be43aa7cd0fbbe4c88af1f641586e4d3cf122896d97c7594ef72991e1801ee666
- b2sums = 5b4e20609d38dcec82eae66acdfb7d45288574e7bf9684fa0f66bc0fb1c45cd78ee503d04a5084e28755fb7a1c6cea95854c93b33d76ab20964f45420c68403c
+ b2sums = f1bf37abe10f554abea4635c62e74c43e09e64181e83d68dd8e2031d44d3a46835c5b4997b04614115a2dbd51a1caa67f7ca70fed623ee7f2916538a8ac85593
+ b2sums = a1cd3ffd50335eee265587a6a8733bc4c6b0d354c6ea90b2dd5d42642d782acc00d690a40e71ba31b56fd374b1619cc05f9dc876b2f6279ff32f95a17bbbbd87
+ b2sums = 9715184569ca6769b31c01a58a1c8a0b5bb8099f6c07a888a2e0fab6748ac18eed7dd4297cc98449fd2a123cff6b027ab757d34a4cad113a4d9e5e02b28bb668
+ b2sums = f11abd5dbe0cc4029eb8e7eb101d95f0fbf48550bdab73ebea1f25a5bc9a401713061832bf494d614711d834ab1e79ef14831bc8a2d18b8980fcb2fe7e0fe5c3
b2sums = 5cfc936555aa2b2e15f8830ff83764dad6e11a80e2a102c5f2bd3b7c83db22a5457a3afdd182e3648c9d7d5bca90fa550f59576d0ac47a11a31dfb636cb18f2b
- b2sums = 4a9cb6fe6658f2182655d42761d9d669654c6f0e891610e1b7fd256ce32a561f05e71daf8e473d98f16f5ee9d16d46a097a2d0de42eac58b4ce3be1525a74856
+ b2sums = be9d8a7424143791e61d61b01c775e3a10dd6b6a1a7af13081bc00e400e880a209240dcceb09c671de41fbdf18373f1195aa8a559cf935122ba5d1312ed8dab2
b2sums = d5bea0cfc2e6d3d1749c65440ca911533d41b6f8117fe09e9efec23524637cfa823d230303a7fbb45d3cd251bf8036d48b9b21049ced208f7ed191fcbd75e879
- b2sums = ecc517a22ba12bd7afa3a0eefb68febf27b164cfac6502e66930bd12c62947ae362b4113472544fddc2f39e9c64d78cc662605a359c9988baaba8613d4c0f468
pkgname = shadow-selinux
diff --git a/0001-Disable-replaced-tools-and-man-pages.patch b/0001-Disable-replaced-tools-and-man-pages.patch
new file mode 100644
index 000000000000..89b926b1267e
--- /dev/null
+++ b/0001-Disable-replaced-tools-and-man-pages.patch
@@ -0,0 +1,702 @@
+From 2fad83b45d4cf64f7d1fb41ba075e627189df75c Mon Sep 17 00:00:00 2001
+From: David Runge <dvzrv@archlinux.org>
+Date: Sat, 5 Nov 2022 23:40:18 +0100
+Subject: [PATCH 1/4] Disable replaced tools and man pages
+
+man/Makefile.am, man/*/Makefile.am:
+Disable man pages for chfn, chsh, login, logoutd, newgrp, nologin, vigr,
+vipw and su as they are either no longer used or replaced by util-linux.
+
+src/Makefile.am:
+Set usbindir to use bin instead of sbin, as Arch Linux is a /usr and bin
+merge distribution.
+Remove the use of login, nologin, chfn, chsh, logoutd, vipw and vigr, as
+they are either not used or replaced by util-linux.
+Move newgrp to replace sg (instead of it being a symlink).
+---
+ man/Makefile.am | 19 ++-----------------
+ man/cs/Makefile.am | 8 ++------
+ man/da/Makefile.am | 8 +-------
+ man/de/Makefile.am | 11 +----------
+ man/fi/Makefile.am | 5 +----
+ man/fr/Makefile.am | 11 +----------
+ man/hu/Makefile.am | 6 +-----
+ man/id/Makefile.am | 2 --
+ man/it/Makefile.am | 11 +----------
+ man/ja/Makefile.am | 10 +---------
+ man/ko/Makefile.am | 8 +-------
+ man/pl/Makefile.am | 7 +------
+ man/ru/Makefile.am | 11 +----------
+ man/sv/Makefile.am | 8 +-------
+ man/tr/Makefile.am | 3 ---
+ man/uk/Makefile.am | 11 +----------
+ man/zh_CN/Makefile.am | 11 +----------
+ man/zh_TW/Makefile.am | 4 ----
+ src/Makefile.am | 18 +++++++-----------
+ 19 files changed, 24 insertions(+), 148 deletions(-)
+
+diff --git a/man/Makefile.am b/man/Makefile.am
+index 4382df60..078db349 100644
+--- a/man/Makefile.am
++++ b/man/Makefile.am
+@@ -8,10 +8,8 @@ endif
+
+ man_MANS = \
+ man1/chage.1 \
+- man1/chfn.1 \
+ man8/chgpasswd.8 \
+ man8/chpasswd.8 \
+- man1/chsh.1 \
+ man1/expiry.1 \
+ man5/faillog.5 \
+ man8/faillog.8 \
+@@ -27,12 +25,8 @@ man_MANS = \
+ man8/grpunconv.8 \
+ man5/gshadow.5 \
+ man8/lastlog.8 \
+- man1/login.1 \
+ man5/login.defs.5 \
+- man8/logoutd.8 \
+- man1/newgrp.1 \
+ man8/newusers.8 \
+- man8/nologin.8 \
+ man1/passwd.1 \
+ man5/passwd.5 \
+ man8/pwck.8 \
+@@ -44,9 +38,7 @@ man_MANS = \
+ man5/suauth.5 \
+ man8/useradd.8 \
+ man8/userdel.8 \
+- man8/usermod.8 \
+- man8/vigr.8 \
+- man8/vipw.8
++ man8/usermod.8
+
+ man_nopam = \
+ man5/limits.5 \
+@@ -74,10 +66,8 @@ endif
+
+ man_XMANS = \
+ chage.1.xml \
+- chfn.1.xml \
+ chgpasswd.8.xml \
+ chpasswd.8.xml \
+- chsh.1.xml \
+ expiry.1.xml \
+ faillog.5.xml \
+ faillog.8.xml \
+@@ -92,12 +82,9 @@ man_XMANS = \
+ gshadow.5.xml \
+ lastlog.8.xml \
+ limits.5.xml \
+- login.1.xml \
+ login.access.5.xml \
+ login.defs.5.xml \
+- logoutd.8.xml \
+ newgidmap.1.xml \
+- newgrp.1.xml \
+ newuidmap.1.xml \
+ newusers.8.xml \
+ nologin.8.xml \
+@@ -109,14 +96,12 @@ man_XMANS = \
+ shadow.3.xml \
+ shadow.5.xml \
+ sg.1.xml \
+- su.1.xml \
+ suauth.5.xml \
+ subgid.5.xml \
+ subuid.5.xml \
+ useradd.8.xml \
+ userdel.8.xml \
+- usermod.8.xml \
+- vipw.8.xml
++ usermod.8.xml
+
+ login_defs_v = \
+ CHFN_AUTH.xml \
+diff --git a/man/cs/Makefile.am b/man/cs/Makefile.am
+index 3b2be0ce..50290f4a 100644
+--- a/man/cs/Makefile.am
++++ b/man/cs/Makefile.am
+@@ -13,14 +13,10 @@ man_MANS = \
+ man8/grpck.8 \
+ man5/gshadow.5 \
+ man8/lastlog.8 \
+- man8/nologin.8 \
+ man5/passwd.5 \
+- man5/shadow.5 \
+- man1/su.1 \
+- man8/vipw.8
++ man5/shadow.5
+
+ EXTRA_DIST = $(man_MANS) \
+ man1/id.1 \
+- man8/groupmems.8 \
+- man8/logoutd.8
++ man8/groupmems.8
+
+diff --git a/man/da/Makefile.am b/man/da/Makefile.am
+index a3b09224..e45bef66 100644
+--- a/man/da/Makefile.am
++++ b/man/da/Makefile.am
+@@ -3,16 +3,10 @@ mandir = @mandir@/da
+
+ # 2012.01.28 - activate manpages with more than 50% translated messages
+ man_MANS = \
+- man1/chfn.1 \
+ man8/groupdel.8 \
+ man1/groups.1 \
+ man5/gshadow.5 \
+- man8/logoutd.8 \
+- man1/newgrp.1 \
+- man8/nologin.8 \
+- man1/sg.1 \
+- man8/vigr.8 \
+- man8/vipw.8
++ man1/sg.1
+
+ man_nopam =
+
+diff --git a/man/de/Makefile.am b/man/de/Makefile.am
+index 3cd302ee..dee3e2a1 100644
+--- a/man/de/Makefile.am
++++ b/man/de/Makefile.am
+@@ -3,10 +3,8 @@ mandir = @mandir@/de
+
+ man_MANS = \
+ man1/chage.1 \
+- man1/chfn.1 \
+ man8/chgpasswd.8 \
+ man8/chpasswd.8 \
+- man1/chsh.1 \
+ man1/expiry.1 \
+ man5/faillog.5 \
+ man8/faillog.8 \
+@@ -22,12 +20,8 @@ man_MANS = \
+ man8/grpunconv.8 \
+ man5/gshadow.5 \
+ man8/lastlog.8 \
+- man1/login.1 \
+ man5/login.defs.5 \
+- man8/logoutd.8 \
+- man1/newgrp.1 \
+ man8/newusers.8 \
+- man8/nologin.8 \
+ man1/passwd.1 \
+ man5/passwd.5 \
+ man8/pwck.8 \
+@@ -36,13 +30,10 @@ man_MANS = \
+ man1/sg.1 \
+ man3/shadow.3 \
+ man5/shadow.5 \
+- man1/su.1 \
+ man5/suauth.5 \
+ man8/useradd.8 \
+ man8/userdel.8 \
+- man8/usermod.8 \
+- man8/vigr.8 \
+- man8/vipw.8
++ man8/usermod.8
+
+ man_nopam = \
+ man5/limits.5 \
+diff --git a/man/fi/Makefile.am b/man/fi/Makefile.am
+index 26a1a848..f02b92f3 100644
+--- a/man/fi/Makefile.am
++++ b/man/fi/Makefile.am
+@@ -1,10 +1,7 @@
+
+ mandir = @mandir@/fi
+
+-man_MANS = \
+- man1/chfn.1 \
+- man1/chsh.1 \
+- man1/su.1
++man_MANS =
+
+ # Outdated manpages
+ # passwd.1 (https://bugs.launchpad.net/ubuntu/+bug/384024)
+diff --git a/man/fr/Makefile.am b/man/fr/Makefile.am
+index 230d2126..1955e94a 100644
+--- a/man/fr/Makefile.am
++++ b/man/fr/Makefile.am
+@@ -3,10 +3,8 @@ mandir = @mandir@/fr
+
+ man_MANS = \
+ man1/chage.1 \
+- man1/chfn.1 \
+ man8/chgpasswd.8 \
+ man8/chpasswd.8 \
+- man1/chsh.1 \
+ man1/expiry.1 \
+ man5/faillog.5 \
+ man8/faillog.8 \
+@@ -22,12 +20,8 @@ man_MANS = \
+ man8/grpunconv.8 \
+ man5/gshadow.5 \
+ man8/lastlog.8 \
+- man1/login.1 \
+ man5/login.defs.5 \
+- man8/logoutd.8 \
+- man1/newgrp.1 \
+ man8/newusers.8 \
+- man8/nologin.8 \
+ man1/passwd.1 \
+ man5/passwd.5 \
+ man8/pwck.8 \
+@@ -36,13 +30,10 @@ man_MANS = \
+ man1/sg.1 \
+ man3/shadow.3 \
+ man5/shadow.5 \
+- man1/su.1 \
+ man5/suauth.5 \
+ man8/useradd.8 \
+ man8/userdel.8 \
+- man8/usermod.8 \
+- man8/vigr.8 \
+- man8/vipw.8
++ man8/usermod.8
+
+ man_nopam = \
+ man5/limits.5 \
+diff --git a/man/hu/Makefile.am b/man/hu/Makefile.am
+index e659aef1..ae80da49 100644
+--- a/man/hu/Makefile.am
++++ b/man/hu/Makefile.am
+@@ -2,16 +2,12 @@
+ mandir = @mandir@/hu
+
+ man_MANS = \
+- man1/chsh.1 \
+ man1/gpasswd.1 \
+ man1/groups.1 \
+ man8/lastlog.8 \
+- man1/login.1 \
+- man1/newgrp.1 \
+ man1/passwd.1 \
+ man5/passwd.5 \
+- man1/sg.1 \
+- man1/su.1
++ man1/sg.1
+
+ EXTRA_DIST = $(man_MANS)
+
+diff --git a/man/id/Makefile.am b/man/id/Makefile.am
+index 21f3dbe9..6d10b930 100644
+--- a/man/id/Makefile.am
++++ b/man/id/Makefile.am
+@@ -2,8 +2,6 @@
+ mandir = @mandir@/id
+
+ man_MANS = \
+- man1/chsh.1 \
+- man1/login.1 \
+ man8/useradd.8
+
+ EXTRA_DIST = $(man_MANS)
+diff --git a/man/it/Makefile.am b/man/it/Makefile.am
+index 94460aac..ecf5bd18 100644
+--- a/man/it/Makefile.am
++++ b/man/it/Makefile.am
+@@ -3,10 +3,8 @@ mandir = @mandir@/it
+
+ man_MANS = \
+ man1/chage.1 \
+- man1/chfn.1 \
+ man8/chgpasswd.8 \
+ man8/chpasswd.8 \
+- man1/chsh.1 \
+ man1/expiry.1 \
+ man5/faillog.5 \
+ man8/faillog.8 \
+@@ -22,12 +20,8 @@ man_MANS = \
+ man8/grpunconv.8 \
+ man5/gshadow.5 \
+ man8/lastlog.8 \
+- man1/login.1 \
+ man5/login.defs.5 \
+- man8/logoutd.8 \
+- man1/newgrp.1 \
+ man8/newusers.8 \
+- man8/nologin.8 \
+ man1/passwd.1 \
+ man5/passwd.5 \
+ man8/pwck.8 \
+@@ -36,13 +30,10 @@ man_MANS = \
+ man1/sg.1 \
+ man3/shadow.3 \
+ man5/shadow.5 \
+- man1/su.1 \
+ man5/suauth.5 \
+ man8/useradd.8 \
+ man8/userdel.8 \
+- man8/usermod.8 \
+- man8/vigr.8 \
+- man8/vipw.8
++ man8/usermod.8
+
+ man_nopam = \
+ man5/limits.5 \
+diff --git a/man/ja/Makefile.am b/man/ja/Makefile.am
+index ffb75a98..b88c490a 100644
+--- a/man/ja/Makefile.am
++++ b/man/ja/Makefile.am
+@@ -3,9 +3,7 @@ mandir = @mandir@/ja
+
+ man_MANS = \
+ man1/chage.1 \
+- man1/chfn.1 \
+ man8/chpasswd.8 \
+- man1/chsh.1 \
+ man1/expiry.1 \
+ man5/faillog.5 \
+ man8/faillog.8 \
+@@ -18,10 +16,7 @@ man_MANS = \
+ man8/grpconv.8 \
+ man8/grpunconv.8 \
+ man8/lastlog.8 \
+- man1/login.1 \
+ man5/login.defs.5 \
+- man8/logoutd.8 \
+- man1/newgrp.1 \
+ man8/newusers.8 \
+ man1/passwd.1 \
+ man5/passwd.5 \
+@@ -30,13 +25,10 @@ man_MANS = \
+ man8/pwunconv.8 \
+ man1/sg.1 \
+ man5/shadow.5 \
+- man1/su.1 \
+ man5/suauth.5 \
+ man8/useradd.8 \
+ man8/userdel.8 \
+- man8/usermod.8 \
+- man8/vigr.8 \
+- man8/vipw.8
++ man8/usermod.8
+
+ man_nopam = \
+ man5/limits.5 \
+diff --git a/man/ko/Makefile.am b/man/ko/Makefile.am
+index c269f0bb..9616cb3e 100644
+--- a/man/ko/Makefile.am
++++ b/man/ko/Makefile.am
+@@ -2,14 +2,8 @@
+ mandir = @mandir@/ko
+
+ man_MANS = \
+- man1/chfn.1 \
+- man1/chsh.1 \
+ man1/groups.1 \
+- man1/login.1 \
+- man5/passwd.5 \
+- man1/su.1 \
+- man8/vigr.8 \
+- man8/vipw.8
++ man5/passwd.5
+ # newgrp.1 must be updated
+ # newgrp.1
+
+diff --git a/man/pl/Makefile.am b/man/pl/Makefile.am
+index 724d25f3..fa6675b9 100644
+--- a/man/pl/Makefile.am
++++ b/man/pl/Makefile.am
+@@ -4,7 +4,6 @@ mandir = @mandir@/pl
+ # 2012.01.28 - activate manpages with more than 50% translated messages
+ man_MANS = \
+ man1/chage.1 \
+- man1/chsh.1 \
+ man1/expiry.1 \
+ man5/faillog.5 \
+ man8/faillog.8 \
+@@ -16,14 +15,10 @@ man_MANS = \
+ man1/groups.1 \
+ man8/grpck.8 \
+ man8/lastlog.8 \
+- man8/logoutd.8 \
+- man1/newgrp.1 \
+ man1/sg.1 \
+ man3/shadow.3 \
+ man8/userdel.8 \
+- man8/usermod.8 \
+- man8/vigr.8 \
+- man8/vipw.8
++ man8/usermod.8
+
+ man_nopam = \
+ man5/porttime.5
+diff --git a/man/ru/Makefile.am b/man/ru/Makefile.am
+index 8a776a87..29e1b843 100644
+--- a/man/ru/Makefile.am
++++ b/man/ru/Makefile.am
+@@ -3,10 +3,8 @@ mandir = @mandir@/ru
+
+ man_MANS = \
+ man1/chage.1 \
+- man1/chfn.1 \
+ man8/chgpasswd.8 \
+ man8/chpasswd.8 \
+- man1/chsh.1 \
+ man1/expiry.1 \
+ man5/faillog.5 \
+ man8/faillog.8 \
+@@ -22,12 +20,8 @@ man_MANS = \
+ man8/grpunconv.8 \
+ man5/gshadow.5 \
+ man8/lastlog.8 \
+- man1/login.1 \
+ man5/login.defs.5 \
+- man8/logoutd.8 \
+- man1/newgrp.1 \
+ man8/newusers.8 \
+- man8/nologin.8 \
+ man1/passwd.1 \
+ man5/passwd.5 \
+ man8/pwck.8 \
+@@ -36,13 +30,10 @@ man_MANS = \
+ man1/sg.1 \
+ man3/shadow.3 \
+ man5/shadow.5 \
+- man1/su.1 \
+ man5/suauth.5 \
+ man8/useradd.8 \
+ man8/userdel.8 \
+- man8/usermod.8 \
+- man8/vigr.8 \
+- man8/vipw.8
++ man8/usermod.8
+
+ man_nopam = \
+ man5/limits.5 \
+diff --git a/man/sv/Makefile.am b/man/sv/Makefile.am
+index e64b7bc8..fbb2a716 100644
+--- a/man/sv/Makefile.am
++++ b/man/sv/Makefile.am
+@@ -3,7 +3,6 @@ mandir = @mandir@/sv
+ # 2012.01.28 - activate manpages with more than 50% translated messages
+ man_MANS = \
+ man1/chage.1 \
+- man1/chsh.1 \
+ man1/expiry.1 \
+ man5/faillog.5 \
+ man8/faillog.8 \
+@@ -16,18 +15,13 @@ man_MANS = \
+ man8/grpck.8 \
+ man5/gshadow.5 \
+ man8/lastlog.8 \
+- man8/logoutd.8 \
+- man1/newgrp.1 \
+- man8/nologin.8 \
+ man1/passwd.1 \
+ man5/passwd.5 \
+ man8/pwck.8 \
+ man1/sg.1 \
+ man3/shadow.3 \
+ man5/suauth.5 \
+- man8/userdel.8 \
+- man8/vigr.8 \
+- man8/vipw.8
++ man8/userdel.8
+
+ man_nopam = \
+ man5/limits.5 \
+diff --git a/man/tr/Makefile.am b/man/tr/Makefile.am
+index 8d8b9166..4fe3632a 100644
+--- a/man/tr/Makefile.am
++++ b/man/tr/Makefile.am
+@@ -2,15 +2,12 @@ mandir = @mandir@/tr
+
+ man_MANS = \
+ man1/chage.1 \
+- man1/chfn.1 \
+ man8/groupadd.8 \
+ man8/groupdel.8 \
+ man8/groupmod.8 \
+- man1/login.1 \
+ man1/passwd.1 \
+ man5/passwd.5 \
+ man5/shadow.5 \
+- man1/su.1 \
+ man8/useradd.8 \
+ man8/userdel.8 \
+ man8/usermod.8
+diff --git a/man/uk/Makefile.am b/man/uk/Makefile.am
+index 30c86272..82dc3a82 100644
+--- a/man/uk/Makefile.am
++++ b/man/uk/Makefile.am
+@@ -3,10 +3,8 @@ mandir = @mandir@/uk
+
+ man_MANS = \
+ man1/chage.1 \
+- man1/chfn.1 \
+ man8/chgpasswd.8 \
+ man8/chpasswd.8 \
+- man1/chsh.1 \
+ man1/expiry.1 \
+ man5/faillog.5 \
+ man8/faillog.8 \
+@@ -22,12 +20,8 @@ man_MANS = \
+ man8/grpunconv.8 \
+ man5/gshadow.5 \
+ man8/lastlog.8 \
+- man1/login.1 \
+ man5/login.defs.5 \
+- man8/logoutd.8 \
+- man1/newgrp.1 \
+ man8/newusers.8 \
+- man8/nologin.8 \
+ man1/passwd.1 \
+ man5/passwd.5 \
+ man8/pwck.8 \
+@@ -36,13 +30,10 @@ man_MANS = \
+ man1/sg.1 \
+ man3/shadow.3 \
+ man5/shadow.5 \
+- man1/su.1 \
+ man5/suauth.5 \
+ man8/useradd.8 \
+ man8/userdel.8 \
+- man8/usermod.8 \
+- man8/vigr.8 \
+- man8/vipw.8
++ man8/usermod.8
+
+ man_nopam = \
+ man5/login.access.5 \
+diff --git a/man/zh_CN/Makefile.am b/man/zh_CN/Makefile.am
+index e9d8f2c2..c2e6cdfd 100644
+--- a/man/zh_CN/Makefile.am
++++ b/man/zh_CN/Makefile.am
+@@ -3,10 +3,8 @@ mandir = @mandir@/zh_CN
+
+ man_MANS = \
+ man1/chage.1 \
+- man1/chfn.1 \
+ man8/chgpasswd.8 \
+ man8/chpasswd.8 \
+- man1/chsh.1 \
+ man1/expiry.1 \
+ man5/faillog.5 \
+ man8/faillog.8 \
+@@ -22,12 +20,8 @@ man_MANS = \
+ man8/grpunconv.8 \
+ man5/gshadow.5 \
+ man8/lastlog.8 \
+- man1/login.1 \
+ man5/login.defs.5 \
+- man8/logoutd.8 \
+- man1/newgrp.1 \
+ man8/newusers.8 \
+- man8/nologin.8 \
+ man1/passwd.1 \
+ man5/passwd.5 \
+ man8/pwck.8 \
+@@ -36,13 +30,10 @@ man_MANS = \
+ man1/sg.1 \
+ man3/shadow.3 \
+ man5/shadow.5 \
+- man1/su.1 \
+ man5/suauth.5 \
+ man8/useradd.8 \
+ man8/userdel.8 \
+- man8/usermod.8 \
+- man8/vigr.8 \
+- man8/vipw.8
++ man8/usermod.8
+
+ man_nopam = \
+ man5/limits.5 \
+diff --git a/man/zh_TW/Makefile.am b/man/zh_TW/Makefile.am
+index c36ed2c7..26696b67 100644
+--- a/man/zh_TW/Makefile.am
++++ b/man/zh_TW/Makefile.am
+@@ -2,15 +2,11 @@
+ mandir = @mandir@/zh_TW
+
+ man_MANS = \
+- man1/chfn.1 \
+- man1/chsh.1 \
+ man8/chpasswd.8 \
+- man1/newgrp.1 \
+ man8/groupadd.8 \
+ man8/groupdel.8 \
+ man8/groupmod.8 \
+ man5/passwd.5 \
+- man1/su.1 \
+ man8/useradd.8 \
+ man8/userdel.8 \
+ man8/usermod.8
+diff --git a/src/Makefile.am b/src/Makefile.am
+index a1a2e4e3..53cd7953 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -3,7 +3,7 @@ EXTRA_DIST = \
+ .indent.pro
+
+ ubindir = ${prefix}/bin
+-usbindir = ${prefix}/sbin
++usbindir = ${prefix}/bin
+ suidperms = 4755
+ sgidperms = 2755
+
+@@ -24,9 +24,9 @@ AM_CPPFLAGS = \
+ # and installation would be much simpler (just two directories,
+ # $prefix/bin and $prefix/sbin, no install-data hacks...)
+
+-bin_PROGRAMS = groups login
+-sbin_PROGRAMS = nologin
+-ubin_PROGRAMS = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd
++bin_PROGRAMS = groups
++sbin_PROGRAMS =
++ubin_PROGRAMS = faillog lastlog chage expiry gpasswd newgrp passwd
+ if ENABLE_SUBIDS
+ ubin_PROGRAMS += newgidmap newuidmap
+ endif
+@@ -43,22 +43,20 @@ usbin_PROGRAMS = \
+ grpck \
+ grpconv \
+ grpunconv \
+- logoutd \
+ newusers \
+ pwck \
+ pwconv \
+ pwunconv \
+ useradd \
+ userdel \
+- usermod \
+- vipw
++ usermod
+
+ # id and groups are from gnu, sulogin from sysvinit
+ noinst_PROGRAMS = id sulogin
+
+ suidusbins =
+ suidbins =
+-suidubins = chage chfn chsh expiry gpasswd newgrp
++suidubins = chage expiry gpasswd newgrp
+ if WITH_SU
+ suidbins += su
+ endif
+@@ -131,18 +129,16 @@ sulogin_LDADD = $(LDADD) $(LIBCRYPT) $(LIBECONF)
+ useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBECONF) -ldl
+ userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBECONF) -ldl
+ usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBECONF) -ldl
+-vipw_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
+
+ install-am: all-am
+ $(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+- ln -sf newgrp $(DESTDIR)$(ubindir)/sg
+- ln -sf vipw $(DESTDIR)$(usbindir)/vigr
+ set -e; for i in $(suidbins); do \
+ chmod $(suidperms) $(DESTDIR)$(bindir)/$$i; \
+ done
+ set -e; for i in $(suidubins); do \
+ chmod $(suidperms) $(DESTDIR)$(ubindir)/$$i; \
+ done
++ mv -v $(DESTDIR)$(ubindir)/newgrp $(DESTDIR)$(ubindir)/sg
+ set -e; for i in $(suidusbins); do \
+ chmod $(suidperms) $(DESTDIR)$(usbindir)/$$i; \
+ done
+--
+2.38.1
+
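Review bot: The new `mv -v $(DESTDIR)$(ubindir)/newgrp $(DESTDIR)$(ubindir)/sg` line in the src/Makefile.am install-am recipe only produces a setuid sg because it is placed after the `suidubins` chmod loop, and newgrp is still listed in `suidubins = chage expiry gpasswd newgrp`; nothing in the patch records that this ordering is load-bearing. A comment above the mv such as `# rename after the suidubins chmod loop so sg inherits the 4755 mode of newgrp` would keep a later reorder from silently installing sg without the setuid bit. Since man1/newgrp.1 is dropped from man_MANS while sg.1.xml stays, the same comment could note that sg is now the only installed invocation name. The install-am recipe may continue past the inner hunk, which ends at the suidusbins loop.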
diff --git a/0002-Adapt-login.defs-for-PAM-and-util-linux.patch b/0002-Adapt-login.defs-for-PAM-and-util-linux.patch
new file mode 100644
index 000000000000..18dd041b0d4d
--- /dev/null
+++ b/0002-Adapt-login.defs-for-PAM-and-util-linux.patch
@@ -0,0 +1,692 @@
+From db62b53ff601451e900548dceb72f5165f362fa6 Mon Sep 17 00:00:00 2001
+From: David Runge <dvzrv@archlinux.org>
+Date: Mon, 31 Oct 2022 09:45:13 +0100
+Subject: [PATCH 2/4] Adapt login.defs for PAM and util-linux
+
+etc/login.defs:
+Remove unused login.defs options, that are either irrelevant due to the
+use of PAM or because the util-linux version of a binary does not
+support them.
+Modify all options that are ignored when using PAM, but are supported by
+util-linux.
+
+Removed options because they are part of PAMDEFS (options in PAMDEFS are
+options silently ignored by shadow when built with PAM enabled):
+* CHFN_AUTH
+* CRACKLIB_DICTPATH
+* ENV_HZ
+* ENVIRON_FILE
+* ENV_TZ
+* FAILLOG_ENAB
+* FTMP_FILE
+* ISSUE_FILE
+* LASTLOG_ENAB
+* LOGIN_STRING
+* MAIL_CHECK_ENAB
+* NOLOGINS_FILE
+* OBSCURE_CHECKS_ENAB
+* PASS_ALWAYS_WARN
+* PASS_CHANGE_TRIES
+* PASS_MAX_LEN
+* PASS_MIN_LEN
+* PORTTIME_CHECKS_ENAB
+* QUOTAS_ENAB
+* SU_WHEEL_ONLY
+* SYSLOG_SU_ENAB
+* ULIMIT
+
+Removed options because they are not availablbe with PAM enabled:
+* CONSOLE_GROUPS
+* CONSOLE
+* MD5_CRYPT_ENAB
+* PREVENT_NO_AUTH
+
+Removed options because they are not supported by login from util-linux:
+* ERASECHAR
+* KILLCHAR
+* LOG_OK_LOGINS
+* TTYTYPE_FILE
+
+Removed options because they are not supported by su from util-linux:
+* SULOG_FILE
+* SU_NAME
+
+Adapted options because they are in PAMDEFS but are supported by login
+from util-linux:
+* MOTD_FILE
+
+man/login.defs.5.xml:
+Remove unavailable options from man 5 login.defs.
+---
+ etc/login.defs | 212 +------------------------------------------
+ man/login.defs.5.xml | 150 +-----------------------------
+ 2 files changed, 8 insertions(+), 354 deletions(-)
+
+diff --git a/etc/login.defs b/etc/login.defs
+index 114dbcd9..7c633a57 100644
+--- a/etc/login.defs
++++ b/etc/login.defs
+@@ -3,6 +3,8 @@
+ #
+ # $Id$
+ #
++# NOTE: This file is adapted for the use on Arch Linux!
++# Unsupported options due to the use of util-linux or PAM are removed.
+
+ #
+ # Delay in seconds before being allowed another attempt after a login failure
+@@ -11,26 +13,11 @@
+ #
+ FAIL_DELAY 3
+
+-#
+-# Enable logging and display of /var/log/faillog login(1) failure info.
+-#
+-FAILLOG_ENAB yes
+-
+ #
+ # Enable display of unknown usernames when login(1) failures are recorded.
+ #
+ LOG_UNKFAIL_ENAB no
+
+-#
+-# Enable logging of successful logins
+-#
+-LOG_OK_LOGINS no
+-
+-#
+-# Enable logging and display of /var/log/lastlog login(1) time info.
+-#
+-LASTLOG_ENAB yes
+-
+ #
+ # Limit the highest user ID number for which the lastlog entries should
+ # be updated.
+@@ -40,88 +27,13 @@ LASTLOG_ENAB yes
+ #
+ #LASTLOG_UID_MAX
+
+-#
+-# Enable checking and display of mailbox status upon login.
+-#
+-# Disable if the shell startup files already check for mail
+-# ("mailx -e" or equivalent).
+-#
+-MAIL_CHECK_ENAB yes
+-
+-#
+-# Enable additional checks upon password changes.
+-#
+-OBSCURE_CHECKS_ENAB yes
+-
+-#
+-# Enable checking of time restrictions specified in /etc/porttime.
+-#
+-PORTTIME_CHECKS_ENAB yes
+-
+-#
+-# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field.
+-#
+-QUOTAS_ENAB yes
+-
+-#
+-# Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
+-# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
+-#
+-SYSLOG_SU_ENAB yes
+-SYSLOG_SG_ENAB yes
+-
+-#
+-# If defined, either full pathname of a file containing device names or
+-# a ":" delimited list of device names. Root logins will be allowed only
+-# from these devices.
+-#
+-CONSOLE /etc/securetty
+-#CONSOLE console:tty01:tty02:tty03:tty04
+-
+-#
+-# If defined, all su(1) activity is logged to this file.
+-#
+-#SULOG_FILE /var/log/sulog
+-
+ #
+ # If defined, ":" delimited list of "message of the day" files to
+ # be displayed upon login.
+ #
+-MOTD_FILE /etc/motd
++MOTD_FILE
+ #MOTD_FILE /etc/motd:/usr/lib/news/news-motd
+
+-#
+-# If defined, this file will be output before each login(1) prompt.
+-#
+-#ISSUE_FILE /etc/issue
+-
+-#
+-# If defined, file which maps tty line to TERM environment parameter.
+-# Each line of the file is in a format similar to "vt100 tty01".
+-#
+-#TTYTYPE_FILE /etc/ttytype
+-
+-#
+-# If defined, login(1) failures will be logged here in a utmp format.
+-# last(1), when invoked as lastb(1), will read /var/log/btmp, so...
+-#
+-FTMP_FILE /var/log/btmp
+-
+-#
+-# If defined, name of file whose presence will inhibit non-root
+-# logins. The content of this file should be a message indicating
+-# why logins are inhibited.
+-#
+-NOLOGINS_FILE /etc/nologin
+-
+-#
+-# If defined, the command name to display when running "su -". For
+-# example, if this is defined as "su" then ps(1) will display the
+-# command as "-su". If not defined, then ps(1) will display the
+-# name of the shell actually being run, e.g. something like "-sh".
+-#
+-SU_NAME su
+-
+ #
+ # *REQUIRED*
+ # Directory where mailboxes reside, _or_ name of file, relative to the
+@@ -139,21 +51,6 @@ MAIL_DIR /var/spool/mail
+ HUSHLOGIN_FILE .hushlogin
+ #HUSHLOGIN_FILE /etc/hushlogins
+
+-#
+-# If defined, either a TZ environment parameter spec or the
+-# fully-rooted pathname of a file containing such a spec.
+-#
+-#ENV_TZ TZ=CST6CDT
+-#ENV_TZ /etc/tzname
+-
+-#
+-# If defined, an HZ environment parameter spec.
+-#
+-# for Linux/x86
+-ENV_HZ HZ=100
+-# For Linux/Alpha...
+-#ENV_HZ HZ=1024
+-
+ #
+ # *REQUIRED* The default PATH settings, for superuser and normal users.
+ #
+@@ -175,23 +72,6 @@ ENV_PATH PATH=/bin:/usr/bin
+ TTYGROUP tty
+ TTYPERM 0600
+
+-#
+-# Login configuration initializations:
+-#
+-# ERASECHAR Terminal ERASE character ('\010' = backspace).
+-# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
+-# ULIMIT Default "ulimit" value.
+-#
+-# The ERASECHAR and KILLCHAR are used only on System V machines.
+-# The ULIMIT is used only if the system supports it.
+-# (now it works with setrlimit too; ulimit is in 512-byte units)
+-#
+-# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
+-#
+-ERASECHAR 0177
+-KILLCHAR 025
+-#ULIMIT 2097152
+-
+ # Default initial "umask" value used by login(1) on non-PAM enabled systems.
+ # Default "umask" value for pam_umask(8) on PAM enabled systems.
+ # UMASK is also used by useradd(8) and newusers(8) to set the mode for new
+@@ -211,27 +91,12 @@ UMASK 022
+ #
+ # PASS_MAX_DAYS Maximum number of days a password may be used.
+ # PASS_MIN_DAYS Minimum number of days allowed between password changes.
+-# PASS_MIN_LEN Minimum acceptable password length.
+ # PASS_WARN_AGE Number of days warning given before a password expires.
+ #
+ PASS_MAX_DAYS 99999
+ PASS_MIN_DAYS 0
+-PASS_MIN_LEN 5
+ PASS_WARN_AGE 7
+
+-#
+-# If "yes", the user must be listed as a member of the first gid 0 group
+-# in /etc/group (called "root" on most Linux systems) to be able to "su"
+-# to uid 0 accounts. If the group doesn't exist or is empty, no one
+-# will be able to "su" to uid 0.
+-#
+-SU_WHEEL_ONLY no
+-
+-#
+-# If compiled with cracklib support, sets the path to the dictionaries
+-#
+-CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
+-
+ #
+ # Min/max values for automatic uid selection in useradd(8)
+ #
+@@ -268,28 +133,6 @@ LOGIN_RETRIES 5
+ #
+ LOGIN_TIMEOUT 60
+
+-#
+-# Maximum number of attempts to change password if rejected (too easy)
+-#
+-PASS_CHANGE_TRIES 5
+-
+-#
+-# Warn about weak passwords (but still allow them) if you are root.
+-#
+-PASS_ALWAYS_WARN yes
+-
+-#
+-# Number of significant characters in the password for crypt().
+-# Default is 8, don't change unless your crypt() is better.
+-# Ignored if MD5_CRYPT_ENAB set to "yes".
+-#
+-#PASS_MAX_LEN 8
+-
+-#
+-# Require password before chfn(1)/chsh(1) can make any changes.
+-#
+-CHFN_AUTH yes
+-
+ #
+ # Which fields may be changed by regular users using chfn(1) - use
+ # any combination of letters "frwh" (full name, room number, work
+@@ -298,38 +141,14 @@ CHFN_AUTH yes
+ #
+ CHFN_RESTRICT rwh
+
+-#
+-# Password prompt (%s will be replaced by user name).
+-#
+-# XXX - it doesn't work correctly yet, for now leave it commented out
+-# to use the default which is just "Password: ".
+-#LOGIN_STRING "%s's Password: "
+-
+-#
+-# Only works if compiled with MD5_CRYPT defined:
+-# If set to "yes", new passwords will be encrypted using the MD5-based
+-# algorithm compatible with the one used by recent releases of FreeBSD.
+-# It supports passwords of unlimited length and longer salt strings.
+-# Set to "no" if you need to copy encrypted passwords to other systems
+-# which don't understand the new algorithm. Default is "no".
+-#
+-# Note: If you use PAM, it is recommended to use a value consistent with
+-# the PAM modules configuration.
+-#
+-# This variable is deprecated. You should use ENCRYPT_METHOD instead.
+-#
+-#MD5_CRYPT_ENAB no
+-
+ #
+ # Only works if compiled with ENCRYPTMETHOD_SELECT defined:
+-# If set to MD5, MD5-based algorithm will be used for encrypting password
+ # If set to SHA256, SHA256-based algorithm will be used for encrypting password
+ # If set to SHA512, SHA512-based algorithm will be used for encrypting password
+ # If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
+ # If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
+ # If set to DES, DES-based algorithm will be used for encrypting password (default)
+ # MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
+-# Overrides the MD5_CRYPT_ENAB option
+ #
+ # Note: If you use PAM, it is recommended to use a value consistent with
+ # the PAM modules configuration.
+@@ -381,17 +200,6 @@ CHFN_RESTRICT rwh
+ #
+ #YESCRYPT_COST_FACTOR 5
+
+-#
+-# List of groups to add to the user's supplementary group set
+-# when logging in from the console (as determined by the CONSOLE
+-# setting). Default is none.
+-#
+-# Use with caution - it is possible for users to gain permanent
+-# access to these groups, even when not logged in from the console.
+-# How to do it is left as an exercise for the reader...
+-#
+-#CONSOLE_GROUPS floppy:audio:cdrom
+-
+ #
+ # Should login be allowed if we can't cd to the home directory?
+ # Default is no.
+@@ -406,12 +214,6 @@ DEFAULT_HOME yes
+ #
+ NONEXISTENT /nonexistent
+
+-#
+-# If this file exists and is readable, login environment will be
+-# read from it. Every line should be in the form name=value.
+-#
+-ENVIRON_FILE /etc/environment
+-
+ #
+ # If defined, this command is run when removing a user.
+ # It should remove any at/cron/print jobs etc. owned by
+@@ -459,14 +261,6 @@ USERGROUPS_ENAB yes
+ #
+ #GRANT_AUX_GROUP_SUBIDS yes
+
+-#
+-# Prevents an empty password field to be interpreted as "no authentication
+-# required".
+-# Set to "yes" to prevent for all accounts
+-# Set to "superuser" to prevent for UID 0 / root (default)
+-# Set to "no" to not prevent for any account (dangerous, historical default)
+-PREVENT_NO_AUTH superuser
+-
+ #
+ # Select the HMAC cryptography algorithm.
+ # Used in pam_timestamp module to calculate the keyed-hash message
+diff --git a/man/login.defs.5.xml b/man/login.defs.5.xml
+index ab62fa86..d82c47f1 100644
+--- a/man/login.defs.5.xml
++++ b/man/login.defs.5.xml
+@@ -7,69 +7,38 @@
+ -->
+ <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
+ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+-<!ENTITY CHFN_AUTH SYSTEM "login.defs.d/CHFN_AUTH.xml">
+ <!ENTITY CHFN_RESTRICT SYSTEM "login.defs.d/CHFN_RESTRICT.xml">
+-<!ENTITY CHSH_AUTH SYSTEM "login.defs.d/CHSH_AUTH.xml">
+-<!ENTITY CONSOLE SYSTEM "login.defs.d/CONSOLE.xml">
+-<!ENTITY CONSOLE_GROUPS SYSTEM "login.defs.d/CONSOLE_GROUPS.xml">
+ <!ENTITY CREATE_HOME SYSTEM "login.defs.d/CREATE_HOME.xml">
+ <!ENTITY DEFAULT_HOME SYSTEM "login.defs.d/DEFAULT_HOME.xml">
+ <!ENTITY ENCRYPT_METHOD SYSTEM "login.defs.d/ENCRYPT_METHOD.xml">
+-<!ENTITY ENV_HZ SYSTEM "login.defs.d/ENV_HZ.xml">
+ <!ENTITY ENV_PATH SYSTEM "login.defs.d/ENV_PATH.xml">
+ <!ENTITY ENV_SUPATH SYSTEM "login.defs.d/ENV_SUPATH.xml">
+-<!ENTITY ENV_TZ SYSTEM "login.defs.d/ENV_TZ.xml">
+-<!ENTITY ENVIRON_FILE SYSTEM "login.defs.d/ENVIRON_FILE.xml">
+-<!ENTITY ERASECHAR SYSTEM "login.defs.d/ERASECHAR.xml">
+ <!ENTITY FAIL_DELAY SYSTEM "login.defs.d/FAIL_DELAY.xml">
+-<!ENTITY FAILLOG_ENAB SYSTEM "login.defs.d/FAILLOG_ENAB.xml">
+-<!ENTITY FAKE_SHELL SYSTEM "login.defs.d/FAKE_SHELL.xml">
+-<!ENTITY FTMP_FILE SYSTEM "login.defs.d/FTMP_FILE.xml">
+ <!ENTITY GID_MAX SYSTEM "login.defs.d/GID_MAX.xml">
+ <!ENTITY HMAC_CRYPTO_ALGO SYSTEM "login.defs.d/HMAC_CRYPTO_ALGO.xml">
+ <!ENTITY HOME_MODE SYSTEM "login.defs.d/HOME_MODE.xml">
+ <!ENTITY HUSHLOGIN_FILE SYSTEM "login.defs.d/HUSHLOGIN_FILE.xml">
+-<!ENTITY ISSUE_FILE SYSTEM "login.defs.d/ISSUE_FILE.xml">
+-<!ENTITY KILLCHAR SYSTEM "login.defs.d/KILLCHAR.xml">
+-<!ENTITY LASTLOG_ENAB SYSTEM "login.defs.d/LASTLOG_ENAB.xml">
+ <!ENTITY LASTLOG_UID_MAX SYSTEM "login.defs.d/LASTLOG_UID_MAX.xml">
+-<!ENTITY LOG_OK_LOGINS SYSTEM "login.defs.d/LOG_OK_LOGINS.xml">
+ <!ENTITY LOG_UNKFAIL_ENAB SYSTEM "login.defs.d/LOG_UNKFAIL_ENAB.xml">
+ <!ENTITY LOGIN_RETRIES SYSTEM "login.defs.d/LOGIN_RETRIES.xml">
+-<!ENTITY LOGIN_STRING SYSTEM "login.defs.d/LOGIN_STRING.xml">
+ <!ENTITY LOGIN_TIMEOUT SYSTEM "login.defs.d/LOGIN_TIMEOUT.xml">
+-<!ENTITY MAIL_CHECK_ENAB SYSTEM "login.defs.d/MAIL_CHECK_ENAB.xml">
+ <!ENTITY MAIL_DIR SYSTEM "login.defs.d/MAIL_DIR.xml">
+ <!ENTITY MAX_MEMBERS_PER_GROUP SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml">
+-<!ENTITY MD5_CRYPT_ENAB SYSTEM "login.defs.d/MD5_CRYPT_ENAB.xml">
+ <!ENTITY MOTD_FILE SYSTEM "login.defs.d/MOTD_FILE.xml">
+-<!ENTITY NOLOGINS_FILE SYSTEM "login.defs.d/NOLOGINS_FILE.xml">
+ <!ENTITY NONEXISTENT SYSTEM "login.defs.d/NONEXISTENT.xml">
+-<!ENTITY OBSCURE_CHECKS_ENAB SYSTEM "login.defs.d/OBSCURE_CHECKS_ENAB.xml">
+-<!ENTITY PASS_ALWAYS_WARN SYSTEM "login.defs.d/PASS_ALWAYS_WARN.xml">
+-<!ENTITY PASS_CHANGE_TRIES SYSTEM "login.defs.d/PASS_CHANGE_TRIES.xml">
+-<!ENTITY PASS_MAX_LEN SYSTEM "login.defs.d/PASS_MAX_LEN.xml">
+ <!ENTITY PASS_MAX_DAYS SYSTEM "login.defs.d/PASS_MAX_DAYS.xml">
+ <!ENTITY PASS_MIN_DAYS SYSTEM "login.defs.d/PASS_MIN_DAYS.xml">
+ <!ENTITY PASS_WARN_AGE SYSTEM "login.defs.d/PASS_WARN_AGE.xml">
+-<!ENTITY PORTTIME_CHECKS_ENAB SYSTEM "login.defs.d/PORTTIME_CHECKS_ENAB.xml">
+-<!ENTITY QUOTAS_ENAB SYSTEM "login.defs.d/QUOTAS_ENAB.xml">
+ <!ENTITY SHA_CRYPT_MIN_ROUNDS SYSTEM "login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml">
+-<!ENTITY SULOG_FILE SYSTEM "login.defs.d/SULOG_FILE.xml">
+-<!ENTITY SU_NAME SYSTEM "login.defs.d/SU_NAME.xml">
+-<!ENTITY SU_WHEEL_ONLY SYSTEM "login.defs.d/SU_WHEEL_ONLY.xml">
+ <!ENTITY SUB_GID_COUNT SYSTEM "login.defs.d/SUB_GID_COUNT.xml">
+ <!ENTITY SUB_UID_COUNT SYSTEM "login.defs.d/SUB_UID_COUNT.xml">
+ <!ENTITY SYS_GID_MAX SYSTEM "login.defs.d/SYS_GID_MAX.xml">
+ <!ENTITY SYSLOG_SG_ENAB SYSTEM "login.defs.d/SYSLOG_SG_ENAB.xml">
+-<!ENTITY SYSLOG_SU_ENAB SYSTEM "login.defs.d/SYSLOG_SU_ENAB.xml">
+ <!ENTITY SYS_UID_MAX SYSTEM "login.defs.d/SYS_UID_MAX.xml">
+ <!ENTITY TCB_AUTH_GROUP SYSTEM "login.defs.d/TCB_AUTH_GROUP.xml">
+ <!ENTITY TCB_SYMLINKS SYSTEM "login.defs.d/TCB_SYMLINKS.xml">
+ <!ENTITY TTYGROUP SYSTEM "login.defs.d/TTYGROUP.xml">
+-<!ENTITY TTYTYPE_FILE SYSTEM "login.defs.d/TTYTYPE_FILE.xml">
+ <!ENTITY UID_MAX SYSTEM "login.defs.d/UID_MAX.xml">
+-<!ENTITY ULIMIT SYSTEM "login.defs.d/ULIMIT.xml">
+ <!ENTITY UMASK SYSTEM "login.defs.d/UMASK.xml">
+ <!ENTITY USERDEL_CMD SYSTEM "login.defs.d/USERDEL_CMD.xml">
+ <!ENTITY USERGROUPS_ENAB SYSTEM "login.defs.d/USERGROUPS_ENAB.xml">
+@@ -145,47 +114,25 @@
+ <para>The following configuration items are provided:</para>
+
+ <variablelist remap='IP'>
+- &CHFN_AUTH;
+ &CHFN_RESTRICT;
+- &CHSH_AUTH;
+- &CONSOLE;
+- &CONSOLE_GROUPS;
+ &CREATE_HOME;
+ &DEFAULT_HOME;
+ &ENCRYPT_METHOD;
+- &ENV_HZ;
+ &ENV_PATH;
+ &ENV_SUPATH;
+- &ENV_TZ;
+- &ENVIRON_FILE;
+- &ERASECHAR;
+ &FAIL_DELAY;
+- &FAILLOG_ENAB;
+- &FAKE_SHELL;
+- &FTMP_FILE;
+ &GID_MAX; <!-- documents also GID_MIN -->
+ &HMAC_CRYPTO_ALGO;
+ &HOME_MODE;
+ &HUSHLOGIN_FILE;
+- &ISSUE_FILE;
+- &KILLCHAR;
+- &LASTLOG_ENAB;
+ &LASTLOG_UID_MAX;
+- &LOG_OK_LOGINS;
+ &LOG_UNKFAIL_ENAB;
+ &LOGIN_RETRIES;
+- &LOGIN_STRING;
+ &LOGIN_TIMEOUT;
+- &MAIL_CHECK_ENAB;
+ &MAIL_DIR;
+ &MAX_MEMBERS_PER_GROUP;
+- &MD5_CRYPT_ENAB;
+ &MOTD_FILE;
+- &NOLOGINS_FILE;
+ &NONEXISTENT;
+- &OBSCURE_CHECKS_ENAB;
+- &PASS_ALWAYS_WARN;
+- &PASS_CHANGE_TRIES;
+ &PASS_MAX_DAYS;
+ &PASS_MIN_DAYS;
+ &PASS_WARN_AGE;
+@@ -195,25 +142,16 @@
+ time of account creation. Any changes to these settings won't affect
+ existing accounts.
+ </para>
+- &PASS_MAX_LEN; <!-- documents also PASS_MIN_LEN -->
+- &PORTTIME_CHECKS_ENAB;
+- &QUOTAS_ENAB;
+ &SHA_CRYPT_MIN_ROUNDS; <!-- documents also SHA_CRYPT_MAX_ROUNDS -->
+- &SULOG_FILE;
+- &SU_NAME;
+- &SU_WHEEL_ONLY;
+ &SUB_GID_COUNT; <!-- documents also SUB_GID_MIN SUB_GID_MAX -->
+ &SUB_UID_COUNT; <!-- documents also SUB_UID_MIN SUB_UID_MAX -->
+ &SYS_GID_MAX; <!-- documents also SYS_GID_MIN -->
+ &SYS_UID_MAX; <!-- documents also SYS_UID_MIN -->
+ &SYSLOG_SG_ENAB;
+- &SYSLOG_SU_ENAB;
+ &TCB_AUTH_GROUP;
+ &TCB_SYMLINKS;
+ &TTYGROUP;
+- &TTYTYPE_FILE;
+ &UID_MAX; <!-- documents also UID_MIN -->
+- &ULIMIT;
+ &UMASK;
+ &USERDEL_CMD;
+ &USERGROUPS_ENAB;
+@@ -239,9 +177,7 @@
+ <term>chfn</term>
+ <listitem>
+ <para>
+- <phrase condition="no_pam">CHFN_AUTH</phrase>
+ CHFN_RESTRICT
+- <phrase condition="no_pam">LOGIN_STRING</phrase>
+ </para>
+ </listitem>
+ </varlistentry>
+@@ -249,7 +185,7 @@
+ <term>chgpasswd</term>
+ <listitem>
+ <para>
+- ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
++ ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP
+ <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
+ SHA_CRYPT_MIN_ROUNDS</phrase>
+ </para>
+@@ -259,8 +195,6 @@
+ <term>chpasswd</term>
+ <listitem>
+ <para>
+- <phrase condition="no_pam">ENCRYPT_METHOD
+- MD5_CRYPT_ENAB </phrase>
+ <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
+ SHA_CRYPT_MIN_ROUNDS</phrase>
+ </para>
+@@ -270,7 +204,7 @@
+ <term>chsh</term>
+ <listitem>
+ <para>
+- CHSH_AUTH LOGIN_STRING
++ CHSH_AUTH
+ </para>
+ </listitem>
+ </varlistentry>
+@@ -280,7 +214,7 @@
+ <term>gpasswd</term>
+ <listitem>
+ <para>
+- ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
++ ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP
+ <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
+ SHA_CRYPT_MIN_ROUNDS</phrase>
+ </para>
+@@ -339,35 +273,6 @@
+ <para>LASTLOG_UID_MAX</para>
+ </listitem>
+ </varlistentry>
+- <varlistentry>
+- <term>login</term>
+- <listitem>
+- <para>
+- <phrase condition="no_pam">CONSOLE</phrase>
+- CONSOLE_GROUPS DEFAULT_HOME
+- <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
+- ENV_TZ ENVIRON_FILE</phrase>
+- ERASECHAR FAIL_DELAY
+- <phrase condition="no_pam">FAILLOG_ENAB</phrase>
+- FAKE_SHELL
+- <phrase condition="no_pam">FTMP_FILE</phrase>
+- HUSHLOGIN_FILE
+- <phrase condition="no_pam">ISSUE_FILE</phrase>
+- KILLCHAR
+- <phrase condition="no_pam">LASTLOG_ENAB LASTLOG_UID_MAX</phrase>
+- LOGIN_RETRIES
+- <phrase condition="no_pam">LOGIN_STRING</phrase>
+- LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
+- <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
+- MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
+- QUOTAS_ENAB</phrase>
+- TTYGROUP TTYPERM TTYTYPE_FILE
+- <phrase condition="no_pam">ULIMIT UMASK</phrase>
+- USERGROUPS_ENAB
+- </para>
+- </listitem>
+- </varlistentry>
+- <!-- logoutd: no variables -->
+ <varlistentry>
+ <term>newgrp / sg</term>
+ <listitem>
+@@ -382,7 +287,7 @@
+ <para>
+ ENCRYPT_METHOD
+ GID_MAX GID_MIN
+- MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
++ MAX_MEMBERS_PER_GROUP
+ HOME_MODE
+ PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
+ <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
+@@ -399,8 +304,7 @@
+ <term>passwd</term>
+ <listitem>
+ <para>
+- ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB
+- PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
++ ENCRYPT_METHOD
+ <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
+ SHA_CRYPT_MIN_ROUNDS</phrase>
+ </para>
+@@ -432,32 +336,6 @@
+ </para>
+ </listitem>
+ </varlistentry>
+- <varlistentry>
+- <term>su</term>
+- <listitem>
+- <para>
+- <phrase condition="no_pam">CONSOLE</phrase>
+- CONSOLE_GROUPS DEFAULT_HOME
+- <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
+- ENV_PATH ENV_SUPATH
+- <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
+- MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
+- SULOG_FILE SU_NAME
+- <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
+- SYSLOG_SU_ENAB
+- <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
+- </para>
+- </listitem>
+- </varlistentry>
+- <varlistentry>
+- <term>sulogin</term>
+- <listitem>
+- <para>
+- ENV_HZ
+- <phrase condition="no_pam">ENV_TZ</phrase>
+- </para>
+- </listitem>
+- </varlistentry>
+ <varlistentry>
+ <term>useradd</term>
+ <listitem>
+@@ -486,24 +364,6 @@
+ </para>
+ </listitem>
+ </varlistentry>
+- <varlistentry>
+- <term>usermod</term>
+- <listitem>
+- <para>
+- LASTLOG_UID_MAX
+- MAIL_DIR MAIL_FILE MAX_MEMBERS_PER_GROUP
+- <phrase condition="tcb">TCB_SYMLINKS USE_TCB</phrase>
+- </para>
+- </listitem>
+- </varlistentry>
+- <varlistentry condition="tcb">
+- <term>vipw</term>
+- <listitem>
+- <para>
+- <phrase condition="tcb">USE_TCB</phrase>
+- </para>
+- </listitem>
+- </varlistentry>
+ </variablelist>
+ </refsect1>
+
+--
+2.38.1
+
diff --git a/0003-Add-Arch-Linux-defaults-for-login.defs.patch b/0003-Add-Arch-Linux-defaults-for-login.defs.patch
new file mode 100644
index 000000000000..809ac79c284a
--- /dev/null
+++ b/0003-Add-Arch-Linux-defaults-for-login.defs.patch
@@ -0,0 +1,73 @@
+From 09850623c6c5c4e4738088c80de82952f9f48c27 Mon Sep 17 00:00:00 2001
+From: David Runge <dvzrv@archlinux.org>
+Date: Mon, 31 Oct 2022 10:10:22 +0100
+Subject: [PATCH 3/4] Add Arch Linux defaults for login.defs
+
+etc/login.defs:
+Change ENV_SUPATH and ENV_SUPATH to only use
+/usr/local/sbin:/usr/local/bin:/usr/bin as Arch Linux is a /usr merge
+and bin merge distribution.
+Change UMASK to 077 as it is considered a more privacy conserving
+default than 022.
+Change SYS_UID_MIN and SYS_GID_MIN to 500 which gives more space for
+distribution added UIDs and GIDs.
+Change ENCRYPT_METHOD to SHA512 as it is a safer hashing algorithm than
+DES.
+---
+ etc/login.defs | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/etc/login.defs b/etc/login.defs
+index 7c633a57..ea841257 100644
+--- a/etc/login.defs
++++ b/etc/login.defs
+@@ -55,8 +55,8 @@ HUSHLOGIN_FILE .hushlogin
+ # *REQUIRED* The default PATH settings, for superuser and normal users.
+ #
+ # (they are minimal, add the rest in the shell startup files)
+-ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
+-ENV_PATH PATH=/bin:/usr/bin
++ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
++ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
+
+ #
+ # Terminal permissions
+@@ -79,7 +79,7 @@ TTYPERM 0600
+ # 022 is the default value, but 027, or even 077, could be considered
+ # for increased privacy. There is no One True Answer here: each sysadmin
+ # must make up their mind.
+-UMASK 022
++UMASK 077
+
+ # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+ # home directories.
+@@ -103,7 +103,7 @@ PASS_WARN_AGE 7
+ UID_MIN 1000
+ UID_MAX 60000
+ # System accounts
+-SYS_UID_MIN 101
++SYS_UID_MIN 500
+ SYS_UID_MAX 999
+ # Extra per user uids
+ SUB_UID_MIN 100000
+@@ -116,7 +116,7 @@ SUB_UID_COUNT 65536
+ GID_MIN 1000
+ GID_MAX 60000
+ # System accounts
+-SYS_GID_MIN 101
++SYS_GID_MIN 500
+ SYS_GID_MAX 999
+ # Extra per user group ids
+ SUB_GID_MIN 100000
+@@ -153,7 +153,7 @@ CHFN_RESTRICT rwh
+ # Note: If you use PAM, it is recommended to use a value consistent with
+ # the PAM modules configuration.
+ #
+-#ENCRYPT_METHOD DES
++ENCRYPT_METHOD SHA512
+
+ #
+ # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
+--
+2.38.1
+
diff --git a/0004-Add-Arch-Linux-defaults-for-etc-pam.d.patch b/0004-Add-Arch-Linux-defaults-for-etc-pam.d.patch
new file mode 100644
index 000000000000..b39284c6ad03
--- /dev/null
+++ b/0004-Add-Arch-Linux-defaults-for-etc-pam.d.patch
@@ -0,0 +1,201 @@
+From 6f1cf7cbe378532b808ca6dc5ec7e5c56d877bbc Mon Sep 17 00:00:00 2001
+From: David Runge <dvzrv@archlinux.org>
+Date: Sat, 5 Nov 2022 22:52:58 +0100
+Subject: [PATCH 4/4] Add Arch Linux defaults for /etc/pam.d/
+
+etc/pam.d/Makefile.am:
+Disable chfn, chsh and login.
+Enable shadow.
+Always install the PAM integration for the account tools (even if they
+are not setuid).
+
+etc/pam.d/{chage,chpasswd,group{add,del,mod},newusers,passwd,shadow,user{add,del,mod}}:
+Add distribution defaults for Arch Linux.
+
+s
+---
+ etc/pam.d/Makefile.am | 7 ++-----
+ etc/pam.d/chage | 6 ++++--
+ etc/pam.d/chpasswd | 6 ++++--
+ etc/pam.d/groupadd | 6 ++++--
+ etc/pam.d/groupdel | 6 ++++--
+ etc/pam.d/groupmod | 6 ++++--
+ etc/pam.d/newusers | 6 ++++--
+ etc/pam.d/passwd | 4 +---
+ etc/pam.d/shadow | 6 ++++++
+ etc/pam.d/useradd | 6 ++++--
+ etc/pam.d/userdel | 6 ++++--
+ etc/pam.d/usermod | 6 ++++--
+ 12 files changed, 45 insertions(+), 26 deletions(-)
+ create mode 100644 etc/pam.d/shadow
+
+diff --git a/etc/pam.d/Makefile.am b/etc/pam.d/Makefile.am
+index 38ff26ae..41e43e01 100644
+--- a/etc/pam.d/Makefile.am
++++ b/etc/pam.d/Makefile.am
+@@ -2,10 +2,8 @@
+ # and also cooperate to make a distribution for `make dist'
+
+ pamd_files = \
+- chfn \
+- chsh \
+ groupmems \
+- login \
++ shadow \
+ passwd
+
+ pamd_acct_tools_files = \
+@@ -23,10 +21,9 @@ pamd_acct_tools_files = \
+ if USE_PAM
+ pamddir = $(sysconfdir)/pam.d
+ pamd_DATA = $(pamd_files)
+-if ACCT_TOOLS_SETUID
++# NOTE: we are always installing the PAM integration for the account tools
+ pamd_DATA += $(pamd_acct_tools_files)
+ endif
+-endif
+
+ if WITH_SU
+ pamd_files += su
+diff --git a/etc/pam.d/chage b/etc/pam.d/chage
+index 8f49f5cc..a7bf8a4a 100644
+--- a/etc/pam.d/chage
++++ b/etc/pam.d/chage
+@@ -1,4 +1,6 @@
+ #%PAM-1.0
+ auth sufficient pam_rootok.so
+-account required pam_permit.so
+-password include system-auth
++auth required pam_unix.so
++account required pam_unix.so
++session required pam_unix.so
++password required pam_permit.so
+diff --git a/etc/pam.d/chpasswd b/etc/pam.d/chpasswd
+index 8f49f5cc..5d447985 100644
+--- a/etc/pam.d/chpasswd
++++ b/etc/pam.d/chpasswd
+@@ -1,4 +1,6 @@
+ #%PAM-1.0
+ auth sufficient pam_rootok.so
+-account required pam_permit.so
+-password include system-auth
++auth required pam_unix.so
++account required pam_unix.so
++session required pam_unix.so
++password required pam_unix.so sha512 shadow
+diff --git a/etc/pam.d/groupadd b/etc/pam.d/groupadd
+index 8f49f5cc..a7bf8a4a 100644
+--- a/etc/pam.d/groupadd
++++ b/etc/pam.d/groupadd
+@@ -1,4 +1,6 @@
+ #%PAM-1.0
+ auth sufficient pam_rootok.so
+-account required pam_permit.so
+-password include system-auth
++auth required pam_unix.so
++account required pam_unix.so
++session required pam_unix.so
++password required pam_permit.so
+diff --git a/etc/pam.d/groupdel b/etc/pam.d/groupdel
+index 8f49f5cc..a7bf8a4a 100644
+--- a/etc/pam.d/groupdel
++++ b/etc/pam.d/groupdel
+@@ -1,4 +1,6 @@
+ #%PAM-1.0
+ auth sufficient pam_rootok.so
+-account required pam_permit.so
+-password include system-auth
++auth required pam_unix.so
++account required pam_unix.so
++session required pam_unix.so
++password required pam_permit.so
+diff --git a/etc/pam.d/groupmod b/etc/pam.d/groupmod
+index 8f49f5cc..a7bf8a4a 100644
+--- a/etc/pam.d/groupmod
++++ b/etc/pam.d/groupmod
+@@ -1,4 +1,6 @@
+ #%PAM-1.0
+ auth sufficient pam_rootok.so
+-account required pam_permit.so
+-password include system-auth
++auth required pam_unix.so
++account required pam_unix.so
++session required pam_unix.so
++password required pam_permit.so
+diff --git a/etc/pam.d/newusers b/etc/pam.d/newusers
+index 8f49f5cc..5d447985 100644
+--- a/etc/pam.d/newusers
++++ b/etc/pam.d/newusers
+@@ -1,4 +1,6 @@
+ #%PAM-1.0
+ auth sufficient pam_rootok.so
+-account required pam_permit.so
+-password include system-auth
++auth required pam_unix.so
++account required pam_unix.so
++session required pam_unix.so
++password required pam_unix.so sha512 shadow
+diff --git a/etc/pam.d/passwd b/etc/pam.d/passwd
+index 731c0d36..08d819b2 100644
+--- a/etc/pam.d/passwd
++++ b/etc/pam.d/passwd
+@@ -1,4 +1,2 @@
+ #%PAM-1.0
+-auth include system-auth
+-account include system-auth
+-password include system-auth
++password required pam_unix.so sha512 shadow nullok
+diff --git a/etc/pam.d/shadow b/etc/pam.d/shadow
+new file mode 100644
+index 00000000..a7bf8a4a
+--- /dev/null
++++ b/etc/pam.d/shadow
+@@ -0,0 +1,6 @@
++#%PAM-1.0
++auth sufficient pam_rootok.so
++auth required pam_unix.so
++account required pam_unix.so
++session required pam_unix.so
++password required pam_permit.so
+diff --git a/etc/pam.d/useradd b/etc/pam.d/useradd
+index 8f49f5cc..a7bf8a4a 100644
+--- a/etc/pam.d/useradd
++++ b/etc/pam.d/useradd
+@@ -1,4 +1,6 @@
+ #%PAM-1.0
+ auth sufficient pam_rootok.so
+-account required pam_permit.so
+-password include system-auth
++auth required pam_unix.so
++account required pam_unix.so
++session required pam_unix.so
++password required pam_permit.so
+diff --git a/etc/pam.d/userdel b/etc/pam.d/userdel
+index 8f49f5cc..a7bf8a4a 100644
+--- a/etc/pam.d/userdel
++++ b/etc/pam.d/userdel
+@@ -1,4 +1,6 @@
+ #%PAM-1.0
+ auth sufficient pam_rootok.so
+-account required pam_permit.so
+-password include system-auth
++auth required pam_unix.so
++account required pam_unix.so
++session required pam_unix.so
++password required pam_permit.so
+diff --git a/etc/pam.d/usermod b/etc/pam.d/usermod
+index 8f49f5cc..a7bf8a4a 100644
+--- a/etc/pam.d/usermod
++++ b/etc/pam.d/usermod
+@@ -1,4 +1,6 @@
+ #%PAM-1.0
+ auth sufficient pam_rootok.so
+-account required pam_permit.so
+-password include system-auth
++auth required pam_unix.so
++account required pam_unix.so
++session required pam_unix.so
++password required pam_permit.so
+--
+2.38.1
+
diff --git a/PKGBUILD b/PKGBUILD
index 1ad7f76ab51a..05c8ff3eeff3 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -10,24 +10,23 @@
# If you want to help keep it up to date, please open a Pull Request there.
pkgname=shadow-selinux
-pkgver=4.11.1
-pkgrel=3
+pkgver=4.12.3
+pkgrel=2
pkgdesc="Password and account management tool suite with support for shadow files and PAM - SELinux support"
-arch=('x86_64' 'aarch64')
-url='https://github.com/shadow-maint/shadow'
-license=('BSD')
-groups=('selinux')
-# libcap-ng needed by install scriptlet for 'filecap'
+arch=(x86_64 aarch64)
+url="https://github.com/shadow-maint/shadow"
+license=(BSD)
+groups=(selinux)
depends=(
- 'acl' 'libacl.so'
- 'attr' 'libattr.so'
- 'audit' 'libaudit.so'
- 'glibc'
- 'libcap-ng'
- 'libxcrypt' 'libcrypt.so'
- 'pam-selinux' 'libpam.so' 'libpam_misc.so'
+ acl libacl.so
+ attr libattr.so
+ audit libaudit.so
+ glibc
+ libxcrypt libcrypt.so
+ pam-selinux libpam.so libpam_misc.so
'libsemanage>=3.2'
)
+makedepends=(docbook-xsl itstool libcap libxslt)
backup=(
etc/default/useradd
etc/login.defs
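Review bot: The new `makedepends=(docbook-xsl itstool libcap libxslt)` line leaves libcap unexplained, while the removed `# libcap-ng needed by install scriptlet for 'filecap'` comment was the only place that documented why a capability library was needed at all. Since build() in this commit configures with `--with-fcaps`, libcap is presumably there so setcap can run during `make install`; a comment such as `# libcap: setcap is run by 'make install' because the build uses --with-fcaps` would keep that reasoning visible. If it was added for a different reason, the comment should state that instead.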
@@ -36,67 +35,73 @@ backup=(
conflicts=("${pkgname/-selinux}" "selinux-${pkgname/-selinux}")
provides=("${pkgname/-selinux}=${pkgver}-${pkgrel}"
"selinux-${pkgname/-selinux}=${pkgver}-${pkgrel}")
-options=('!emptydirs')
-install=shadow.install
+options=(!emptydirs)
+# NOTE: distribution patches are taken from https://gitlab.archlinux.org/archlinux/packaging/upstream/shadow/-/commits/v4.12.3.arch2
source=(
- "https://github.com/shadow-maint/shadow/releases/download/v$pkgver/shadow-$pkgver.tar.xz"{,.asc}
- chgpasswd
- chpasswd
- defaults.pam
- newusers
- passwd
+ https://github.com/shadow-maint/shadow/releases/download/$pkgver/shadow-$pkgver.tar.xz{,.asc}
+ 0001-Disable-replaced-tools-and-man-pages.patch
+ 0002-Adapt-login.defs-for-PAM-and-util-linux.patch
+ 0003-Add-Arch-Linux-defaults-for-login.defs.patch
+ 0004-Add-Arch-Linux-defaults-for-etc-pam.d.patch
shadow.{timer,service}
useradd.defaults
- ${pkgname/-selinux}-4.11.1-login.defs.patch
)
-sha512sums=('12fbe4d6ac929ad3c21525ed0f1026b5b678ccec9762f2ec7e611d9c180934def506325f2835fb750dd30af035b592f827ff151cd6e4c805aaaf8e01425c279f'
+sha512sums=('0529889258f54e7634762dc154aa680d55f8c5f1654afadd1b7431cfbb890a3b1ba27c7ff4b7c45986e4ee2289946db2e420b23ed13e4e5b15800a1fb3a013bc'
'SKIP'
- 'aef316f283a0ba0387afd5bd049b20d748dcfe8aebc5f5ea1ce1308167d6a578ae7d0007a5ed4d9862de7d377851edd2c8771e1fb1076262468078c2c76e42fc'
- 'dc75dfeafa901f9988176b82ef9db5d927dfe687a72ca36ca13ba3e7ac1b0c8055db1104373f2a7ac463e156f079cbc1f0a9f5e6e16b9f74153eb63dcb8f96df'
- '41c856d893c4157b158d79341fe2b1892be463e17f7a007f1c17397b5625c1d2d5671bc0b37879064ae715a918fb9b05c32d18d1aaa64284cddd8ecbda9b2434'
- 'dc75dfeafa901f9988176b82ef9db5d927dfe687a72ca36ca13ba3e7ac1b0c8055db1104373f2a7ac463e156f079cbc1f0a9f5e6e16b9f74153eb63dcb8f96df'
- '4fb7474ea9dedf86e4c65bf18f503a6d8c00d477a7c32be3cfdfd026bd62ef866d009c50e5a2dc2101bea332c5697bc1e0d55225f39c83252860f5b9b7461aeb'
+ 'a0c69c252a8e41b1e3aa4c76cc6c37893a667dd079db9b7bdb54143d4b81f56551b787a93dad6e4adcd532cd12b51c9a5a5a4ae509f7ab5fe732fb9f23f57b5c'
+ 'a44f3d71376a39bc7bb9d43290f619964f83184dba938857f5765c439150df2c9ba00f115579a7eeca5b316ea71808e9606c6ba977a41aa7fc4b1675606f1351'
+ 'e8418e6d518101be63e7890254f9a0490f94302882689a0b69601186c9f1915831a34bb6998dbc92b753bff3f762793a7ccade66c2bac2d7b7a77d1a861d5cb7'
+ '4e6b1f88ab1e3416ab0633b897ebb1359d422b5c2222f3ed3631732f790c42352d1cbe66fa08f45eb2e1679af8f602a95fcc7f463f1bba94c2414e902a4fa215'
'e4edf705dd04e088c6b561713eaa1afeb92f42ac13722bff037aede6ac5ad7d4d00828cfb677f7b1ff048db8b6788238c1ab6a71dfcfd3e02ef6cb78ae09a621'
- '67a49415f676a443f81021bfa29d198462008da1224086f8c549b19c2fd21514ca3302d5ac23edec28b9c724fef921596586423ebe41e852ebfbe7216af727e6'
- 'e9ffea021ee4031b9ad3a534bfb94dbf9d0dfd45a55ecac5dedb2453ea0c17fb80bbb9ad039686bc1f3349dc371977eb548e3a665c56531469c22f29fc4eced8'
- 'f5f1fad77363db46ca513c76f22654924dd732cdf2e596fcfccb0a47a70d6099b6705e90adb661cd45af076959ef1f9f6bba66942500e603df9421caa9ed2f80')
-b2sums=('d459a1e0ffb342b6b455caf65e6af60b32eee72d4a9b1ab126485fb4632503a42061d3f0b960554c8155af6dc0564c585335b27aecca6538b394a0d58d927588'
+ '86c9412e379c0fc97c0eec417340adae990342f35d6663a6a59e8aae2221a5fbfd0437b5892aefd9cf09ef76a970f3a42b20cea051db651475d526eda17a973a'
+ 'e9ffea021ee4031b9ad3a534bfb94dbf9d0dfd45a55ecac5dedb2453ea0c17fb80bbb9ad039686bc1f3349dc371977eb548e3a665c56531469c22f29fc4eced8')
+b2sums=('63b10d75a11d419156a996b8acf1bebbfab28999c2ab796e6625c028882073d4021806d8b56224190886c076a1205955e7797cb6f797ef73af3a8a33ac34bf2f'
'SKIP'
- '31e74eebedf8cb6e5ade36096b4399892d7091b9dce4645fde591f64802dc8befd73ae8019e78f8d326a605b224c7828694d21788bd6073db43c41cf5a9c2805'
- '1518839dbfe12f2f55190976de808515f93eb8c06f1570f02780a5ce8c237e0be43aa7cd0fbbe4c88af1f641586e4d3cf122896d97c7594ef72991e1801ee666'
- '5fde901d7d29995523cf261de973cc053265f37cf8fecc5511ccfff35a6ef4308f8cf36dc94e37c8b7604694ffa6ab87331c9b533b3538c6f7d7d911c9f94d19'
- '1518839dbfe12f2f55190976de808515f93eb8c06f1570f02780a5ce8c237e0be43aa7cd0fbbe4c88af1f641586e4d3cf122896d97c7594ef72991e1801ee666'
- '5b4e20609d38dcec82eae66acdfb7d45288574e7bf9684fa0f66bc0fb1c45cd78ee503d04a5084e28755fb7a1c6cea95854c93b33d76ab20964f45420c68403c'
+ 'f1bf37abe10f554abea4635c62e74c43e09e64181e83d68dd8e2031d44d3a46835c5b4997b04614115a2dbd51a1caa67f7ca70fed623ee7f2916538a8ac85593'
+ 'a1cd3ffd50335eee265587a6a8733bc4c6b0d354c6ea90b2dd5d42642d782acc00d690a40e71ba31b56fd374b1619cc05f9dc876b2f6279ff32f95a17bbbbd87'
+ '9715184569ca6769b31c01a58a1c8a0b5bb8099f6c07a888a2e0fab6748ac18eed7dd4297cc98449fd2a123cff6b027ab757d34a4cad113a4d9e5e02b28bb668'
+ 'f11abd5dbe0cc4029eb8e7eb101d95f0fbf48550bdab73ebea1f25a5bc9a401713061832bf494d614711d834ab1e79ef14831bc8a2d18b8980fcb2fe7e0fe5c3'
'5cfc936555aa2b2e15f8830ff83764dad6e11a80e2a102c5f2bd3b7c83db22a5457a3afdd182e3648c9d7d5bca90fa550f59576d0ac47a11a31dfb636cb18f2b'
- '4a9cb6fe6658f2182655d42761d9d669654c6f0e891610e1b7fd256ce32a561f05e71daf8e473d98f16f5ee9d16d46a097a2d0de42eac58b4ce3be1525a74856'
- 'd5bea0cfc2e6d3d1749c65440ca911533d41b6f8117fe09e9efec23524637cfa823d230303a7fbb45d3cd251bf8036d48b9b21049ced208f7ed191fcbd75e879'
- 'ecc517a22ba12bd7afa3a0eefb68febf27b164cfac6502e66930bd12c62947ae362b4113472544fddc2f39e9c64d78cc662605a359c9988baaba8613d4c0f468')
-validpgpkeys=('66D0387DB85D320F8408166DB175CFA98F192AF2') # Serge Hallyn <sergeh@kernel.org>
+ 'be9d8a7424143791e61d61b01c775e3a10dd6b6a1a7af13081bc00e400e880a209240dcceb09c671de41fbdf18373f1195aa8a559cf935122ba5d1312ed8dab2'
+ 'd5bea0cfc2e6d3d1749c65440ca911533d41b6f8117fe09e9efec23524637cfa823d230303a7fbb45d3cd251bf8036d48b9b21049ced208f7ed191fcbd75e879')
+validpgpkeys=(66D0387DB85D320F8408166DB175CFA98F192AF2) # Serge Hallyn <sergeh@kernel.org>
prepare() {
- # comment options that are taken over by util-linux and apply defaults
- patch -Np1 -d "${pkgname/-selinux}-$pkgver" -i ../${pkgname/-selinux}-4.11.1-login.defs.patch
-}
+ local filename
-build() {
cd "${pkgname/-selinux}-$pkgver"
+ for filename in "${source[@]}"; do
+ if [[ "$filename" =~ \.patch$ ]]; then
+ printf "Applying patch %s\n" "${filename##*/}"
+ patch -Np1 -i "$srcdir/${filename##*/}"
+ fi
+ done
+
+ autoreconf -fiv
+}
- ./configure \
- --prefix=/usr \
- --bindir=/usr/bin \
- --sbindir=/usr/bin \
- --libdir=/usr/lib \
- --mandir=/usr/share/man \
- --sysconfdir=/etc \
- --disable-account-tools-setuid \
- --with-fcaps \
- --with-libpam \
- --with-group-name-max-length=32 \
- --with-audit \
- --with-bcrypt \
- --with-yescrypt \
- --with-selinux \
+build() {
+ local configure_options=(
+ --prefix=/usr
+ --bindir=/usr/bin
+ --sbindir=/usr/bin
+ --libdir=/usr/lib
+ --mandir=/usr/share/man
+ --sysconfdir=/etc
+ --disable-account-tools-setuid
+ --enable-man
+ --with-fcaps
+ --with-libpam
+ --with-group-name-max-length=32
+ --with-audit
+ --with-bcrypt
+ --with-yescrypt
+ --with-selinux
--without-su
+ )
+
+ cd "${pkgname/-selinux}-$pkgver"
+ ./configure "${configure_options[@]}"
# prevent excessive overlinking due to libtool
sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool
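Review bot: Removing `install=shadow.install` drops the post-install capability step without documenting what replaces it; the rest of the hunk only shows the new prepare()/build() shape. With `--disable-account-tools-setuid --with-fcaps` the helpers that were previously setuid (presumably newuidmap/newgidmap) depend on file capabilities being applied at `make install` and then preserved by makepkg and pacman, and if any step in that chain strips xattrs the binaries end up neither setuid nor capable and fail at runtime rather than at build time. I would add `# NOTE: file capabilities are applied by 'make install' (--with-fcaps); no install scriptlet needed` next to `options=(!emptydirs)` and confirm once with getcap on the packaged binaries that they survive. The patch loop in prepare() is fine as written since `${filename##*/}` strips any URL prefix before the file is looked up in `$srcdir`.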
@@ -116,46 +121,8 @@ package() {
install -vDm 600 ../useradd.defaults "$pkgdir/etc/default/useradd"
# systemd units
- install -vDm 644 "../shadow.timer" -t "$pkgdir/usr/lib/systemd/system/"
- install -vDm 644 "../shadow.service" -t "$pkgdir/usr/lib/systemd/system/"
+ install -vDm 644 ../shadow.timer -t "$pkgdir/usr/lib/systemd/system/"
+ install -vDm 644 ../shadow.service -t "$pkgdir/usr/lib/systemd/system/"
install -vdm 755 "$pkgdir/usr/lib/systemd/system/timers.target.wants"
ln -s ../shadow.timer "$pkgdir/usr/lib/systemd/system/timers.target.wants/shadow.timer"
-
- # PAM config - custom
- rm "$pkgdir/etc/pam.d"/*
- install -vDm 644 ../{passwd,chgpasswd,chpasswd,newusers} -t "$pkgdir/etc/pam.d/"
-
- # PAM config - from tarball
- install -vDm 644 etc/pam.d/groupmems -t "$pkgdir/etc/pam.d/"
-
- # we use the 'useradd' PAM file for other similar utilities
- for file in chage group{add,del,mod} shadow user{add,del,mod}; do
- install -vDm 644 "../defaults.pam" "$pkgdir/etc/pam.d/$file"
- done
-
- # Remove evil/broken tools
- rm -v "$pkgdir"/usr/sbin/logoutd
-
- # Remove utilities provided by util-linux
- rm -v "$pkgdir"/usr/{bin/{login,chsh,chfn,sg,nologin},sbin/{vipw,vigr}}
-
- # but we keep newgrp, as sg is really an alias to it
- mv -v "$pkgdir"/usr/bin/{newgrp,sg}
-
- # ...and their many man pages
- find "$pkgdir"/usr/share/man \
- '(' -name 'chsh.1' -o \
- -name 'chfn.1' -o \
- -name 'su.1' -o \
- -name 'logoutd.8' -o \
- -name 'login.1' -o \
- -name 'nologin.8' -o \
- -name 'vipw.8' -o \
- -name 'vigr.8' -o \
- -name 'newgrp.1' ')' \
- -delete
-
- # move everything else to /usr/bin, because this isn't handled by ./configure
- mv -v "$pkgdir"/usr/sbin/* "$pkgdir"/usr/bin
- rmdir -v "$pkgdir/usr/sbin"
}
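Review bot: package() now relies on `make install` to populate /etc/pam.d and to omit the util-linux-provided tools, but nothing in the remaining body says so, and a reader comparing against the deleted `rm "$pkgdir/etc/pam.d"/*` block will wonder where the PAM policy went. A short comment after the systemd unit installs, e.g. `# PAM policy and tool removals come from the patched upstream build (0001/0004)`, would make that explicit. package() starts outside the hunk, and I cannot see whether the pam.d files are listed in backup=(); they should be if they are meant to be admin-editable.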
diff --git a/chgpasswd b/chgpasswd
deleted file mode 100644
index 8f49f5cc831e..000000000000
--- a/chgpasswd
+++ /dev/null
@@ -1,4 +0,0 @@
-#%PAM-1.0
-auth sufficient pam_rootok.so
-account required pam_permit.so
-password include system-auth
diff --git a/chpasswd b/chpasswd
deleted file mode 100644
index 5d447985a4a8..000000000000
--- a/chpasswd
+++ /dev/null
@@ -1,6 +0,0 @@
-#%PAM-1.0
-auth sufficient pam_rootok.so
-auth required pam_unix.so
-account required pam_unix.so
-session required pam_unix.so
-password required pam_unix.so sha512 shadow
diff --git a/defaults.pam b/defaults.pam
deleted file mode 100644
index a7bf8a4a5b08..000000000000
--- a/defaults.pam
+++ /dev/null
@@ -1,6 +0,0 @@
-#%PAM-1.0
-auth sufficient pam_rootok.so
-auth required pam_unix.so
-account required pam_unix.so
-session required pam_unix.so
-password required pam_permit.so
diff --git a/newusers b/newusers
deleted file mode 100644
index 5d447985a4a8..000000000000
--- a/newusers
+++ /dev/null
@@ -1,6 +0,0 @@
-#%PAM-1.0
-auth sufficient pam_rootok.so
-auth required pam_unix.so
-account required pam_unix.so
-session required pam_unix.so
-password required pam_unix.so sha512 shadow
diff --git a/passwd b/passwd
deleted file mode 100644
index ab56da4967d0..000000000000
--- a/passwd
+++ /dev/null
@@ -1,4 +0,0 @@
-#%PAM-1.0
-#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
-#password required pam_unix.so sha512 shadow use_authtok
-password required pam_unix.so sha512 shadow nullok
diff --git a/shadow-4.11.1-login.defs.patch b/shadow-4.11.1-login.defs.patch
deleted file mode 100644
index bce8a119c01a..000000000000
--- a/shadow-4.11.1-login.defs.patch
+++ /dev/null
@@ -1,308 +0,0 @@
-diff --git i/etc/login.defs w/etc/login.defs
-index 114dbcd9..4cb8cdf5 100644
---- i/etc/login.defs
-+++ w/etc/login.defs
-@@ -3,6 +3,8 @@
- #
- # $Id$
- #
-+# This file is adapted for the use on Arch Linux.
-+# Options unsupported due to the use of util-linux or PAM are commented.
-
- #
- # Delay in seconds before being allowed another attempt after a login failure
-@@ -14,7 +16,7 @@ FAIL_DELAY 3
- #
- # Enable logging and display of /var/log/faillog login(1) failure info.
- #
--FAILLOG_ENAB yes
-+# FAILLOG_ENAB is currently not supported
-
- #
- # Enable display of unknown usernames when login(1) failures are recorded.
-@@ -24,12 +26,12 @@ LOG_UNKFAIL_ENAB no
- #
- # Enable logging of successful logins
- #
--LOG_OK_LOGINS no
-+# LOG_OK_LOGINS is currently not supported
-
- #
- # Enable logging and display of /var/log/lastlog login(1) time info.
- #
--LASTLOG_ENAB yes
-+# LASTLOG_ENAB is currently not supported
-
- #
- # Limit the highest user ID number for which the lastlog entries should
-@@ -46,28 +48,28 @@ LASTLOG_ENAB yes
- # Disable if the shell startup files already check for mail
- # ("mailx -e" or equivalent).
- #
--MAIL_CHECK_ENAB yes
-+# MAIL_CHECK_ENAB is currently not supported
-
- #
- # Enable additional checks upon password changes.
- #
--OBSCURE_CHECKS_ENAB yes
-+# OBSCURE_CHECKS_ENAB is currently not supported
-
- #
- # Enable checking of time restrictions specified in /etc/porttime.
- #
--PORTTIME_CHECKS_ENAB yes
-+# PORTTIME_CHECKS_ENAB is currently not supported
-
- #
- # Enable setting of ulimit, umask, and niceness from passwd(5) gecos field.
- #
--QUOTAS_ENAB yes
-+# QUOTAS_ENAB is currently not supported
-
- #
- # Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
- # SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
- #
--SYSLOG_SU_ENAB yes
-+# SYSLOG_SU_ENAB is currently not supported
- SYSLOG_SG_ENAB yes
-
- #
-@@ -75,44 +77,43 @@ SYSLOG_SG_ENAB yes
- # a ":" delimited list of device names. Root logins will be allowed only
- # from these devices.
- #
--CONSOLE /etc/securetty
--#CONSOLE console:tty01:tty02:tty03:tty04
-+# CONSOLE is currently not supported
-
- #
- # If defined, all su(1) activity is logged to this file.
- #
--#SULOG_FILE /var/log/sulog
-+# SULOG_FILE is currently not supported
-
- #
- # If defined, ":" delimited list of "message of the day" files to
- # be displayed upon login.
- #
--MOTD_FILE /etc/motd
-+MOTD_FILE
- #MOTD_FILE /etc/motd:/usr/lib/news/news-motd
-
- #
- # If defined, this file will be output before each login(1) prompt.
- #
--#ISSUE_FILE /etc/issue
-+# ISSUE_FILE is currently not supported
-
- #
- # If defined, file which maps tty line to TERM environment parameter.
- # Each line of the file is in a format similar to "vt100 tty01".
- #
--#TTYTYPE_FILE /etc/ttytype
-+# TTYTYPE_FILE is currently not supported
-
- #
- # If defined, login(1) failures will be logged here in a utmp format.
- # last(1), when invoked as lastb(1), will read /var/log/btmp, so...
- #
--FTMP_FILE /var/log/btmp
-+# FTMP_FILE is currently not supported
-
- #
- # If defined, name of file whose presence will inhibit non-root
- # logins. The content of this file should be a message indicating
- # why logins are inhibited.
- #
--NOLOGINS_FILE /etc/nologin
-+# NOLOGINS_FILE is currently not supported
-
- #
- # If defined, the command name to display when running "su -". For
-@@ -120,7 +121,7 @@ NOLOGINS_FILE /etc/nologin
- # command as "-su". If not defined, then ps(1) will display the
- # name of the shell actually being run, e.g. something like "-sh".
- #
--SU_NAME su
-+# SU_NAME is currently not supported
-
- #
- # *REQUIRED*
-@@ -143,23 +144,22 @@ HUSHLOGIN_FILE .hushlogin
- # If defined, either a TZ environment parameter spec or the
- # fully-rooted pathname of a file containing such a spec.
- #
--#ENV_TZ TZ=CST6CDT
--#ENV_TZ /etc/tzname
-+# ENV_TZ is currently not supported
-
- #
- # If defined, an HZ environment parameter spec.
- #
- # for Linux/x86
--ENV_HZ HZ=100
-+# ENV_HZ HZ=100
- # For Linux/Alpha...
--#ENV_HZ HZ=1024
-+# ENV_HZ is currently not supported
-
- #
- # *REQUIRED* The default PATH settings, for superuser and normal users.
- #
- # (they are minimal, add the rest in the shell startup files)
--ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
--ENV_PATH PATH=/bin:/usr/bin
-+ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
-+ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
-
- #
- # Terminal permissions
-@@ -188,9 +188,9 @@ TTYPERM 0600
- #
- # Prefix these values with "0" to get octal, "0x" to get hexadecimal.
- #
--ERASECHAR 0177
--KILLCHAR 025
--#ULIMIT 2097152
-+# ERASECHAR is currently not supported
-+# KILLCHAR is currently not supported
-+# ULIMIT is currently not supported
-
- # Default initial "umask" value used by login(1) on non-PAM enabled systems.
- # Default "umask" value for pam_umask(8) on PAM enabled systems.
-@@ -199,7 +199,7 @@ KILLCHAR 025
- # 022 is the default value, but 027, or even 077, could be considered
- # for increased privacy. There is no One True Answer here: each sysadmin
- # must make up their mind.
--UMASK 022
-+UMASK 077
-
- # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
- # home directories.
-@@ -216,7 +216,7 @@ UMASK 022
- #
- PASS_MAX_DAYS 99999
- PASS_MIN_DAYS 0
--PASS_MIN_LEN 5
-+# PASS_MIN_LEN is currently not supported
- PASS_WARN_AGE 7
-
- #
-@@ -225,12 +225,12 @@ PASS_WARN_AGE 7
- # to uid 0 accounts. If the group doesn't exist or is empty, no one
- # will be able to "su" to uid 0.
- #
--SU_WHEEL_ONLY no
-+# SU_WHEEL_ONLY is currently not supported
-
- #
- # If compiled with cracklib support, sets the path to the dictionaries
- #
--CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
-+# CRACKLIB_DICTPATH is currently not supported
-
- #
- # Min/max values for automatic uid selection in useradd(8)
-@@ -238,7 +238,7 @@ CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
- UID_MIN 1000
- UID_MAX 60000
- # System accounts
--SYS_UID_MIN 101
-+SYS_UID_MIN 500
- SYS_UID_MAX 999
- # Extra per user uids
- SUB_UID_MIN 100000
-@@ -251,7 +251,7 @@ SUB_UID_COUNT 65536
- GID_MIN 1000
- GID_MAX 60000
- # System accounts
--SYS_GID_MIN 101
-+SYS_GID_MIN 500
- SYS_GID_MAX 999
- # Extra per user group ids
- SUB_GID_MIN 100000
-@@ -271,24 +271,24 @@ LOGIN_TIMEOUT 60
- #
- # Maximum number of attempts to change password if rejected (too easy)
- #
--PASS_CHANGE_TRIES 5
-+# PASS_CHANGE_TRIES is currently not supported
-
- #
- # Warn about weak passwords (but still allow them) if you are root.
- #
--PASS_ALWAYS_WARN yes
-+# PASS_ALWAYS_WARN is currently not supported
-
- #
- # Number of significant characters in the password for crypt().
- # Default is 8, don't change unless your crypt() is better.
- # Ignored if MD5_CRYPT_ENAB set to "yes".
- #
--#PASS_MAX_LEN 8
-+# PASS_MAX_LEN is currently not supported
-
- #
- # Require password before chfn(1)/chsh(1) can make any changes.
- #
--CHFN_AUTH yes
-+# CHFN_AUTH is currently not supported
-
- #
- # Which fields may be changed by regular users using chfn(1) - use
-@@ -303,7 +303,7 @@ CHFN_RESTRICT rwh
- #
- # XXX - it doesn't work correctly yet, for now leave it commented out
- # to use the default which is just "Password: ".
--#LOGIN_STRING "%s's Password: "
-+# LOGIN_STRING is currently not supported
-
- #
- # Only works if compiled with MD5_CRYPT defined:
-@@ -318,7 +318,7 @@ CHFN_RESTRICT rwh
- #
- # This variable is deprecated. You should use ENCRYPT_METHOD instead.
- #
--#MD5_CRYPT_ENAB no
-+# MD5_CRYPT_ENAB is currently not supported
-
- #
- # Only works if compiled with ENCRYPTMETHOD_SELECT defined:
-@@ -334,7 +334,7 @@ CHFN_RESTRICT rwh
- # Note: If you use PAM, it is recommended to use a value consistent with
- # the PAM modules configuration.
- #
--#ENCRYPT_METHOD DES
-+ENCRYPT_METHOD SHA512
-
- #
- # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
-@@ -390,7 +390,7 @@ CHFN_RESTRICT rwh
- # access to these groups, even when not logged in from the console.
- # How to do it is left as an exercise for the reader...
- #
--#CONSOLE_GROUPS floppy:audio:cdrom
-+# CONSOLE_GROUPS is currently not supported
-
- #
- # Should login be allowed if we can't cd to the home directory?
-@@ -410,7 +410,7 @@ NONEXISTENT /nonexistent
- # If this file exists and is readable, login environment will be
- # read from it. Every line should be in the form name=value.
- #
--ENVIRON_FILE /etc/environment
-+# ENVIRON_FILE is currently not supported
-
- #
- # If defined, this command is run when removing a user.
-@@ -465,7 +465,7 @@ USERGROUPS_ENAB yes
- # Set to "yes" to prevent for all accounts
- # Set to "superuser" to prevent for UID 0 / root (default)
- # Set to "no" to not prevent for any account (dangerous, historical default)
--PREVENT_NO_AUTH superuser
-+# PREVENT_NO_AUTH is currently not supported
-
- #
- # Select the HMAC cryptography algorithm.
diff --git a/shadow.install b/shadow.install
deleted file mode 100644
index 83d9ab7d3177..000000000000
--- a/shadow.install
+++ /dev/null
@@ -1,22 +0,0 @@
-setcaps() {
- _setcap() {
- if filecap "$1" "$2"; then
- chmod -s "$1"
- fi
- }
-
- # shadow ships these as setuid, but if we can apply file caps, use those instead.
- # 'filecap' insists on absolute paths
- _setcap /usr/bin/newuidmap setuid
- _setcap /usr/bin/newgidmap setgid
-}
-
-post_install() {
- setcaps
-}
-
-post_upgrade() {
- setcaps
-}
-
-# vim:set ts=2 sw=2 et:
diff --git a/shadow.service b/shadow.service
index 39025d90e1cb..951cdc3bd3b9 100644
--- a/shadow.service
+++ b/shadow.service
@@ -3,9 +3,35 @@ Description=Verify integrity of password and group files
After=systemd-sysusers.service
[Service]
-Type=simple
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH
# Always run both checks, but fail the service if either fails
ExecStart=/bin/sh -c '/usr/bin/pwck -r || r=1; /usr/bin/grpck -r && exit $r'
Nice=19
IOSchedulingClass=best-effort
IOSchedulingPriority=7
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+PrivateTmp=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=read-only
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=none
+RestrictNamespaces=yes
+RestrictSUIDSGID=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources
+SystemCallFilter=~@privileged
+UMask=0077
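Review bot: The hardening block added between `CapabilityBoundingSet=` and `UMask=` carries no comment saying why such a tight sandbox is safe for pwck/grpck, which makes it easy for a later edit to break the unit silently. The reason is that `ExecStart` invokes both tools with `-r` (read-only), so they only read /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow; that is why a single `CAP_DAC_READ_SEARCH` suffices even though the unit still runs as UID 0, and why `ProtectSystem=strict` (whole filesystem read-only) is compatible, whereas dropping `-r` would require a writable /etc and lock files and fail under these directives. I would add, above `CapabilityBoundingSet=`: `# pwck/grpck run read-only (-r): CAP_DAC_READ_SEARCH is the only capability needed to read /etc/shadow and /etc/gshadow, and ProtectSystem=strict is safe because nothing is written.` One caveat worth confirming rather than assuming: the package is built against libaudit, and shadow's account tools open an AF_NETLINK audit socket at startup; `RestrictAddressFamilies=none` makes that socket() fail, which I believe shadow tolerates as "audit not supported", but a first `systemctl start shadow.service` should verify the unit does not abort before the checks run.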