-rw-r--r-- | .SRCINFO | 56 | ||||
-rw-r--r-- | 0001-Disable-replaced-tools-and-their-man-pages-and-PAM-i.patch (renamed from 0001-Disable-replaced-tools-and-man-pages.patch) | 189 | ||||
-rw-r--r-- | 0002-Adapt-login.defs-for-PAM-and-util-linux.patch | 53 | ||||
-rw-r--r-- | 0003-Add-Arch-Linux-defaults-for-login.defs.patch | 44 | ||||
-rw-r--r-- | 0004-Add-Arch-Linux-defaults-for-etc-pam.d.patch | 201 | ||||
-rw-r--r-- | LICENSE | 31 | ||||
-rw-r--r-- | PKGBUILD | 83 | ||||
-rw-r--r-- | shadow.sysusers | 1 | ||||
-rw-r--r-- | shadow.tmpfiles | 1 | ||||
-rw-r--r-- | useradd.defaults | 2 |
10 files changed, 250 insertions, 411 deletions
@@ -1,12 +1,12 @@
 pkgbase = shadow-selinux
 pkgdesc = Password and account management tool suite with support for shadow files and PAM - SELinux support
- pkgver = 4.13
- pkgrel = 3
+ pkgver = 4.14.0
+ pkgrel = 4
 url = https://github.com/shadow-maint/shadow
 arch = x86_64
 arch = aarch64
 groups = selinux
- license = BSD
+ license = BSD-3-Clause
 makedepends = docbook-xsl
 makedepends = itstool
 makedepends = libcap
@@ -24,53 +24,47 @@ pkgbase = shadow-selinux depends = libpam.so depends = libpam_misc.so depends = libsemanage>=3.2 - provides = shadow=4.13-3 - provides = selinux-shadow=4.13-3 + provides = shadow=4.14.0-4 + provides = selinux-shadow=4.14.0-4 conflicts = shadow conflicts = selinux-shadow options = !emptydirs backup = etc/default/useradd backup = etc/login.defs - backup = etc/pam.d/chage - backup = etc/pam.d/passwd backup = etc/pam.d/chpasswd - backup = etc/pam.d/chgpasswd - backup = etc/pam.d/groupadd - backup = etc/pam.d/groupdel backup = etc/pam.d/groupmems - backup = etc/pam.d/groupmod backup = etc/pam.d/newusers - backup = etc/pam.d/shadow - backup = etc/pam.d/useradd - backup = etc/pam.d/userdel - backup = etc/pam.d/usermod - source = https://github.com/shadow-maint/shadow/releases/download/4.13/shadow-4.13.tar.xz - source = https://github.com/shadow-maint/shadow/releases/download/4.13/shadow-4.13.tar.xz.asc - source = 0001-Disable-replaced-tools-and-man-pages.patch + backup = etc/pam.d/passwd + source = https://github.com/shadow-maint/shadow/releases/download/4.14.0/shadow-4.14.0.tar.xz + source = https://github.com/shadow-maint/shadow/releases/download/4.14.0/shadow-4.14.0.tar.xz.asc + source = 0001-Disable-replaced-tools-and-their-man-pages-and-PAM-i.patch source = 0002-Adapt-login.defs-for-PAM-and-util-linux.patch source = 0003-Add-Arch-Linux-defaults-for-login.defs.patch - source = 0004-Add-Arch-Linux-defaults-for-etc-pam.d.patch source = shadow.timer source = shadow.service + source = shadow.sysusers + source = shadow.tmpfiles source = useradd.defaults validpgpkeys = 66D0387DB85D320F8408166DB175CFA98F192AF2 - sha512sums = 2949a728c3312bef13d23138d6b79caf402781b1cb179e33b5be546c1790971ec20778d0e9cd3dbe09691d928ffcbe88e60da42fab58c69a90d5ebe5e3e2ab8e + sha512sums = ff960481d576f9db5a9f10becc4e1a74c03de484ecfdcd7f1ea735fded683d7ba0f9cd895dc6a431b77e5a633752273178b1bcda4cefaa5adbf0f143c9a0c86f sha512sums = SKIP - sha512sums = 
23215dbc4efa5cb321f32442be30b92f79f1e008c7418ee5daac27540785c1674e790a5e4ee755e9a5a086589be8437e25efbee4a4668918b14337b86309192b - sha512sums = 26160ba1bc42619077dd826fc6e472196e47f4f2e29f9a70d68373a73df9d6187e3a2671369a223e230b05b42af113c38aacf24cd6cb99fbc00b8baca71ab6b7 - sha512sums = 3b8bec1dc5dfdc5a3b7b3a4579c05d7fc71ac80c87bdb35031820c2442efcae5dfcc97c763ca9430c1dc3f5d3827dc391999cb67e89d3758d31bdc694dff4601 - sha512sums = fcedd59f0c1294ca03ff2553591058295073e9c795500f66e571e34635016898b999afa816c5994846e459bf743d2c7a358a5be1f561a86a75846df2112194e1 + sha512sums = ac119fd4a7867021923c54d54612499313686bb2faa957133f63c77700b8777dd87628fd4f36d4e4c1160700624a776510bc5d450ef5be1adc128552edfcb062 + sha512sums = 57166e14262df3ddcf03008a34ef603a624a31b6d40b18b9fc4d8be50fb857540dea2ffc9dab81c91bcd87bbb3b0dee381219ebd3e68f71864c64a33d5ec7b15 + sha512sums = 16c00e8ae1e4f86c9075e08b420ddd5e948345db5611390167ce08d7e3e4ec469954b255b3384d855484803ce3fa5d78c88ff8ae722c0215b692b9dece2ed6f6 sha512sums = e4edf705dd04e088c6b561713eaa1afeb92f42ac13722bff037aede6ac5ad7d4d00828cfb677f7b1ff048db8b6788238c1ab6a71dfcfd3e02ef6cb78ae09a621 sha512sums = 2c8689b52029f6aa27d75b8b05b0b36e2fc322cab40fdfbb50cdbe331f61bc84e8db20f012cf9af3de8c4e7fdb10c2d5a4925ca1ba3b70eb5627772b94da84b3 - sha512sums = e9ffea021ee4031b9ad3a534bfb94dbf9d0dfd45a55ecac5dedb2453ea0c17fb80bbb9ad039686bc1f3349dc371977eb548e3a665c56531469c22f29fc4eced8 - b2sums = 315ab8a7e598aeefb50c11293e20cfa0982c3c3ae21c35ae243d09a4facf97a13c1d672990876e74ef94f5284402acf14997663743e2aaefa6cfc4369b7d24dc + sha512sums = 5afac4a96b599b0b8ed7be751e7160037c3beb191629928c6520bfd3f2adcd1c55c31029c92c2ff8543e6cd9e37e2cd515ba4e1789c6d66f9c93b4e7f209ee7a + sha512sums = 97a6a57c07502e02669dc1a91bffc447dba7d98d208b798d80e07de0d2fdf9d23264453978d2d3d1ba6652ca1f2e22cdadc4309c7b311e83fa71b00ad144f877 + sha512sums = 706ba6e7fa8298475f2605a28daffef421c9fa8d269cbd5cbcf7f7cb795b40a24d52c20e8d0b73e29e6cd35cd7226b3e9738dc513703e87dde04c1d24087a69c + 
b2sums = 6e9a6108f856953ec91c597e46ad4f912101a829c7b3ff3389510be43f56f0a70425bd562119282d73df269df45af354e626741ad748f9c1e6f27b74a462a62c b2sums = SKIP - b2sums = e109e09f7709270e6042389f74ee59f44d95c3bd02aa57fedbe27f1e111d36fdb2fc4bb9f837916bfd83ebfa7d1d0859a50d6fefe573da3fd6f849cfd61a0187 - b2sums = 9d3490810bc94c8809442e9e3928fd4dfc62a22e7134ecc63098a1e2ab5db6c64867f6f067641bb7bccf712a7269b67c36434d2ae3ed3e0a206ac66eef299dc9 - b2sums = 92474c0a9cd8bc4df08984a304c73122a9711f1e4c036361e1dcbc027b1e43e007d1e35cdd5db4295829603a097ab360adb66289c4b479a5d5ccee4947f72da7 - b2sums = aee9aaadae6d49872b4eb98334fbffee7a49b1625b81019927908ac79753364fdac4d87433fcd5d2d2327d7b65eddcfc2edabe7c6a2a67ad7b101ab0bf6deaad + b2sums = 77b6e4bc6dc070b992728440fc29a8ed04e8f51cc7e58628f294c68bec7f102c8a80af6a41cf9a3c37d33e7a40ead4f4729f2e68412ab5606e6ecbd3008f5048 + b2sums = e6359de24e563564979fd0b7915a3227239a84f175cb188392097394d4d41c782100655cbd0a779b6dfde7eddcf8b314ab15eb15ca891287a820547551d54c04 + b2sums = fe88e173ea5531c083c1f3fb640cad1de463ce5446cb097bd30bc54e9082ba0540a57a9effd11c0779196583cf58bfc7066ab10ef4088f78c7d74928a73889b2 b2sums = 5cfc936555aa2b2e15f8830ff83764dad6e11a80e2a102c5f2bd3b7c83db22a5457a3afdd182e3648c9d7d5bca90fa550f59576d0ac47a11a31dfb636cb18f2b b2sums = a69191ab966f146c35e7e911e7e57c29fffd54436ea014aa8ffe0dd46aaf57c635d0a652b35916745c75d82b3fca7234366ea5f810b622e94730b45ec86f122c - b2sums = d5bea0cfc2e6d3d1749c65440ca911533d41b6f8117fe09e9efec23524637cfa823d230303a7fbb45d3cd251bf8036d48b9b21049ced208f7ed191fcbd75e879 + b2sums = 511c4ad9f3be530dc17dd68f2a3387d748dcdb84192d35f296b88f82442224477e2a74b1841ec3f107b39a5c41c2d961480e396a48d0578f8fd5f65dbe8d9f04 + b2sums = d727923dc6ed02e90ef31f10b3427df50afbfe416bd03c6de0c341857d1bb33ab6168312bd4ba18d19d0653020fb332cbcfeeb24e668ae3916add9d01b89ccb4 + b2sums = f743922062494fe342036b3acb8b747429eb33b1a13aa150daa4bb71a84e9c570cfcc8527a5f846e3ea7020e6f23c0b10d78cf2ba8363eea0224e4c34ea10161 pkgname = shadow-selinux 
diff --git a/0001-Disable-replaced-tools-and-man-pages.patch b/0001-Disable-replaced-tools-and-their-man-pages-and-PAM-i.patch index 193f73eccef4..98d36b674967 100644 --- a/0001-Disable-replaced-tools-and-man-pages.patch +++ b/0001-Disable-replaced-tools-and-their-man-pages-and-PAM-i.patch @@ -1,7 +1,12 @@ -From 2af563cb1ff3fc84549d58b64325be9606684c43 Mon Sep 17 00:00:00 2001 +From c6fe55f198b1e3bd3087f9213193d94f5c1c3d31 Mon Sep 17 00:00:00 2001 From: David Runge <dvzrv@archlinux.org> Date: Sat, 5 Nov 2022 23:40:18 +0100 -Subject: [PATCH 1/4] Disable replaced tools and man pages +Subject: [PATCH 1/3] Disable replaced tools and their man pages and PAM + integration + +etc/pam.d/Makefile.am: +Disable installation of PAM integration for chfn, chsh and login tools +as they are provided by util-linux. man/Makefile.am, man/*/Makefile.am: Disable man pages for chfn, chsh, login, logoutd, newgrp, nologin, vigr, @@ -14,7 +19,8 @@ Remove the use of login, nologin, chfn, chsh, logoutd, vipw and vigr, as they are either not used or replaced by util-linux. Move newgrp to replace sg (instead of it being a symlink). --- - man/Makefile.am | 19 ++----------------- + etc/pam.d/Makefile.am | 3 --- + man/Makefile.am | 20 +++----------------- man/cs/Makefile.am | 8 ++------ man/da/Makefile.am | 8 +------- man/de/Makefile.am | 11 +---------- @@ -33,10 +39,25 @@ Move newgrp to replace sg (instead of it being a symlink). man/zh_CN/Makefile.am | 11 +---------- man/zh_TW/Makefile.am | 4 ---- src/Makefile.am | 18 +++++++----------- - 19 files changed, 24 insertions(+), 148 deletions(-) + 20 files changed, 25 insertions(+), 151 deletions(-) +diff --git a/etc/pam.d/Makefile.am b/etc/pam.d/Makefile.am +index 38ff26ae..a19ad431 100644 +--- a/etc/pam.d/Makefile.am ++++ b/etc/pam.d/Makefile.am +@@ -2,10 +2,7 @@ + # and also cooperate to make a distribution for `make dist' + + pamd_files = \ +- chfn \ +- chsh \ + groupmems \ +- login \ + passwd + + pamd_acct_tools_files = \ 
diff --git a/man/Makefile.am b/man/Makefile.am -index 4382df60..078db349 100644 +index 89d97937..d2741036 100644 --- a/man/Makefile.am +++ b/man/Makefile.am @@ -8,10 +8,8 @@ endif @@ -50,11 +71,12 @@ index 4382df60..078db349 100644 man1/expiry.1 \ man5/faillog.5 \ man8/faillog.8 \ -@@ -27,12 +25,8 @@ man_MANS = \ +@@ -26,12 +24,9 @@ man_MANS = \ + man8/grpconv.8 \ man8/grpunconv.8 \ man5/gshadow.5 \ - man8/lastlog.8 \ - man1/login.1 \ ++ man8/lastlog.8 \ man5/login.defs.5 \ - man8/logoutd.8 \ - man1/newgrp.1 \ @@ -63,7 +85,7 @@ index 4382df60..078db349 100644 man1/passwd.1 \ man5/passwd.5 \ man8/pwck.8 \ -@@ -44,9 +38,7 @@ man_MANS = \ +@@ -43,9 +38,7 @@ man_MANS = \ man5/suauth.5 \ man8/useradd.8 \ man8/userdel.8 \ @@ -72,9 +94,9 @@ index 4382df60..078db349 100644 - man8/vipw.8 + man8/usermod.8 - man_nopam = \ - man5/limits.5 \ -@@ -74,10 +66,8 @@ endif + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 +@@ -77,10 +70,8 @@ endif man_XMANS = \ chage.1.xml \ @@ -85,9 +107,9 @@ index 4382df60..078db349 100644 expiry.1.xml \ faillog.5.xml \ faillog.8.xml \ -@@ -92,12 +82,9 @@ man_XMANS = \ +@@ -94,12 +85,9 @@ man_XMANS = \ + grpck.8.xml \ gshadow.5.xml \ - lastlog.8.xml \ limits.5.xml \ - login.1.xml \ login.access.5.xml \ @@ -98,7 +120,7 @@ index 4382df60..078db349 100644 newuidmap.1.xml \ newusers.8.xml \ nologin.8.xml \ -@@ -109,14 +96,12 @@ man_XMANS = \ +@@ -111,14 +99,12 @@ man_XMANS = \ shadow.3.xml \ shadow.5.xml \ sg.1.xml \ @@ -112,16 +134,16 @@ index 4382df60..078db349 100644 - vipw.8.xml + usermod.8.xml - login_defs_v = \ - CHFN_AUTH.xml \ + if ENABLE_LASTLOG + man_XMANS += lastlog.8.xml diff --git a/man/cs/Makefile.am b/man/cs/Makefile.am -index 3b2be0ce..50290f4a 100644 +index 84407d71..c5ef7cf5 100644 --- a/man/cs/Makefile.am +++ b/man/cs/Makefile.am -@@ -13,14 +13,10 @@ man_MANS = \ +@@ -12,11 +12,8 @@ man_MANS = \ + man1/groups.1 \ man8/grpck.8 \ man5/gshadow.5 \ - man8/lastlog.8 \ - man8/nologin.8 \ man5/passwd.5 \ - man5/shadow.5 \ 
@@ -129,6 +151,10 @@ index 3b2be0ce..50290f4a 100644 - man8/vipw.8 + man5/shadow.5 + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 +@@ -24,6 +21,5 @@ endif + EXTRA_DIST = $(man_MANS) \ man1/id.1 \ - man8/groupmems.8 \ @@ -158,7 +184,7 @@ index a3b09224..e45bef66 100644 man_nopam = diff --git a/man/de/Makefile.am b/man/de/Makefile.am -index 3cd302ee..dee3e2a1 100644 +index 671432d3..333d5524 100644 --- a/man/de/Makefile.am +++ b/man/de/Makefile.am @@ -3,10 +3,8 @@ mandir = @mandir@/de @@ -172,10 +198,10 @@ index 3cd302ee..dee3e2a1 100644 man1/expiry.1 \ man5/faillog.5 \ man8/faillog.8 \ -@@ -22,12 +20,8 @@ man_MANS = \ +@@ -21,12 +19,8 @@ man_MANS = \ + man8/grpconv.8 \ man8/grpunconv.8 \ man5/gshadow.5 \ - man8/lastlog.8 \ - man1/login.1 \ man5/login.defs.5 \ - man8/logoutd.8 \ @@ -185,7 +211,7 @@ index 3cd302ee..dee3e2a1 100644 man1/passwd.1 \ man5/passwd.5 \ man8/pwck.8 \ -@@ -36,13 +30,10 @@ man_MANS = \ +@@ -35,13 +29,10 @@ man_MANS = \ man1/sg.1 \ man3/shadow.3 \ man5/shadow.5 \ @@ -198,8 +224,8 @@ index 3cd302ee..dee3e2a1 100644 - man8/vipw.8 + man8/usermod.8 - man_nopam = \ - man5/limits.5 \ + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 diff --git a/man/fi/Makefile.am b/man/fi/Makefile.am index 26a1a848..f02b92f3 100644 --- a/man/fi/Makefile.am @@ -217,7 +243,7 @@ index 26a1a848..f02b92f3 100644 # Outdated manpages # passwd.1 (https://bugs.launchpad.net/ubuntu/+bug/384024) diff --git a/man/fr/Makefile.am b/man/fr/Makefile.am -index 230d2126..1955e94a 100644 +index 335e0298..9962c038 100644 --- a/man/fr/Makefile.am +++ b/man/fr/Makefile.am @@ -3,10 +3,8 @@ mandir = @mandir@/fr @@ -231,10 +257,10 @@ index 230d2126..1955e94a 100644 man1/expiry.1 \ man5/faillog.5 \ man8/faillog.8 \ -@@ -22,12 +20,8 @@ man_MANS = \ +@@ -21,12 +19,8 @@ man_MANS = \ + man8/grpconv.8 \ man8/grpunconv.8 \ man5/gshadow.5 \ - man8/lastlog.8 \ - man1/login.1 \ man5/login.defs.5 \ - man8/logoutd.8 \ 
@@ -244,7 +270,7 @@ index 230d2126..1955e94a 100644 man1/passwd.1 \ man5/passwd.5 \ man8/pwck.8 \ -@@ -36,13 +30,10 @@ man_MANS = \ +@@ -35,13 +29,10 @@ man_MANS = \ man1/sg.1 \ man3/shadow.3 \ man5/shadow.5 \ @@ -257,20 +283,19 @@ index 230d2126..1955e94a 100644 - man8/vipw.8 + man8/usermod.8 - man_nopam = \ - man5/limits.5 \ + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 diff --git a/man/hu/Makefile.am b/man/hu/Makefile.am -index e659aef1..ae80da49 100644 +index 205bb0a8..3d813179 100644 --- a/man/hu/Makefile.am +++ b/man/hu/Makefile.am -@@ -2,16 +2,12 @@ +@@ -2,15 +2,11 @@ mandir = @mandir@/hu man_MANS = \ - man1/chsh.1 \ man1/gpasswd.1 \ man1/groups.1 \ - man8/lastlog.8 \ - man1/login.1 \ - man1/newgrp.1 \ man1/passwd.1 \ @@ -279,8 +304,8 @@ index e659aef1..ae80da49 100644 - man1/su.1 + man1/sg.1 - EXTRA_DIST = $(man_MANS) - + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 diff --git a/man/id/Makefile.am b/man/id/Makefile.am index 21f3dbe9..6d10b930 100644 --- a/man/id/Makefile.am @@ -295,7 +320,7 @@ index 21f3dbe9..6d10b930 100644 EXTRA_DIST = $(man_MANS) diff --git a/man/it/Makefile.am b/man/it/Makefile.am -index 94460aac..ecf5bd18 100644 +index b76187fa..1f62e20e 100644 --- a/man/it/Makefile.am +++ b/man/it/Makefile.am @@ -3,10 +3,8 @@ mandir = @mandir@/it @@ -309,10 +334,10 @@ index 94460aac..ecf5bd18 100644 man1/expiry.1 \ man5/faillog.5 \ man8/faillog.8 \ -@@ -22,12 +20,8 @@ man_MANS = \ +@@ -21,12 +19,8 @@ man_MANS = \ + man8/grpconv.8 \ man8/grpunconv.8 \ man5/gshadow.5 \ - man8/lastlog.8 \ - man1/login.1 \ man5/login.defs.5 \ - man8/logoutd.8 \ @@ -322,7 +347,7 @@ index 94460aac..ecf5bd18 100644 man1/passwd.1 \ man5/passwd.5 \ man8/pwck.8 \ -@@ -36,13 +30,10 @@ man_MANS = \ +@@ -35,13 +29,10 @@ man_MANS = \ man1/sg.1 \ man3/shadow.3 \ man5/shadow.5 \ @@ -335,10 +360,10 @@ index 94460aac..ecf5bd18 100644 - man8/vipw.8 + man8/usermod.8 - man_nopam = \ - man5/limits.5 \ + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 
diff --git a/man/ja/Makefile.am b/man/ja/Makefile.am -index ffb75a98..b88c490a 100644 +index 13f18da1..3401a085 100644 --- a/man/ja/Makefile.am +++ b/man/ja/Makefile.am @@ -3,9 +3,7 @@ mandir = @mandir@/ja @@ -351,10 +376,10 @@ index ffb75a98..b88c490a 100644 man1/expiry.1 \ man5/faillog.5 \ man8/faillog.8 \ -@@ -18,10 +16,7 @@ man_MANS = \ +@@ -17,10 +15,7 @@ man_MANS = \ + man8/grpck.8 \ man8/grpconv.8 \ man8/grpunconv.8 \ - man8/lastlog.8 \ - man1/login.1 \ man5/login.defs.5 \ - man8/logoutd.8 \ @@ -362,7 +387,7 @@ index ffb75a98..b88c490a 100644 man8/newusers.8 \ man1/passwd.1 \ man5/passwd.5 \ -@@ -30,13 +25,10 @@ man_MANS = \ +@@ -29,13 +24,10 @@ man_MANS = \ man8/pwunconv.8 \ man1/sg.1 \ man5/shadow.5 \ @@ -375,8 +400,8 @@ index ffb75a98..b88c490a 100644 - man8/vipw.8 + man8/usermod.8 - man_nopam = \ - man5/limits.5 \ + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 diff --git a/man/ko/Makefile.am b/man/ko/Makefile.am index c269f0bb..9616cb3e 100644 --- a/man/ko/Makefile.am @@ -398,7 +423,7 @@ index c269f0bb..9616cb3e 100644 # newgrp.1 diff --git a/man/pl/Makefile.am b/man/pl/Makefile.am -index 724d25f3..fa6675b9 100644 +index b2f096f7..00817d37 100644 --- a/man/pl/Makefile.am +++ b/man/pl/Makefile.am @@ -4,7 +4,6 @@ mandir = @mandir@/pl @@ -409,10 +434,10 @@ index 724d25f3..fa6675b9 100644 man1/expiry.1 \ man5/faillog.5 \ man8/faillog.8 \ -@@ -16,14 +15,10 @@ man_MANS = \ +@@ -15,14 +14,10 @@ man_MANS = \ + man8/groupmod.8 \ man1/groups.1 \ man8/grpck.8 \ - man8/lastlog.8 \ - man8/logoutd.8 \ - man1/newgrp.1 \ man1/sg.1 \ @@ -423,10 +448,10 @@ index 724d25f3..fa6675b9 100644 - man8/vipw.8 + man8/usermod.8 - man_nopam = \ - man5/porttime.5 + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 diff --git a/man/ru/Makefile.am b/man/ru/Makefile.am -index 8a776a87..29e1b843 100644 +index 84d55d9e..b65f4881 100644 --- a/man/ru/Makefile.am +++ b/man/ru/Makefile.am @@ -3,10 +3,8 @@ mandir = @mandir@/ru 
@@ -440,10 +465,10 @@ index 8a776a87..29e1b843 100644 man1/expiry.1 \ man5/faillog.5 \ man8/faillog.8 \ -@@ -22,12 +20,8 @@ man_MANS = \ +@@ -21,12 +19,8 @@ man_MANS = \ + man8/grpconv.8 \ man8/grpunconv.8 \ man5/gshadow.5 \ - man8/lastlog.8 \ - man1/login.1 \ man5/login.defs.5 \ - man8/logoutd.8 \ @@ -453,7 +478,7 @@ index 8a776a87..29e1b843 100644 man1/passwd.1 \ man5/passwd.5 \ man8/pwck.8 \ -@@ -36,13 +30,10 @@ man_MANS = \ +@@ -35,13 +29,10 @@ man_MANS = \ man1/sg.1 \ man3/shadow.3 \ man5/shadow.5 \ @@ -466,10 +491,10 @@ index 8a776a87..29e1b843 100644 - man8/vipw.8 + man8/usermod.8 - man_nopam = \ - man5/limits.5 \ + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 diff --git a/man/sv/Makefile.am b/man/sv/Makefile.am -index e64b7bc8..fbb2a716 100644 +index 70329edf..58fa80e5 100644 --- a/man/sv/Makefile.am +++ b/man/sv/Makefile.am @@ -3,7 +3,6 @@ mandir = @mandir@/sv @@ -480,10 +505,10 @@ index e64b7bc8..fbb2a716 100644 man1/expiry.1 \ man5/faillog.5 \ man8/faillog.8 \ -@@ -16,18 +15,13 @@ man_MANS = \ +@@ -15,18 +14,13 @@ man_MANS = \ + man1/groups.1 \ man8/grpck.8 \ man5/gshadow.5 \ - man8/lastlog.8 \ - man8/logoutd.8 \ - man1/newgrp.1 \ - man8/nologin.8 \ @@ -498,8 +523,8 @@ index e64b7bc8..fbb2a716 100644 - man8/vipw.8 + man8/userdel.8 - man_nopam = \ - man5/limits.5 \ + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 diff --git a/man/tr/Makefile.am b/man/tr/Makefile.am index 8d8b9166..4fe3632a 100644 --- a/man/tr/Makefile.am @@ -521,7 +546,7 @@ index 8d8b9166..4fe3632a 100644 man8/userdel.8 \ man8/usermod.8 diff --git a/man/uk/Makefile.am b/man/uk/Makefile.am -index 30c86272..82dc3a82 100644 +index 3fb5ffb3..e13c8fee 100644 --- a/man/uk/Makefile.am +++ b/man/uk/Makefile.am @@ -3,10 +3,8 @@ mandir = @mandir@/uk 
@@ -535,10 +560,10 @@ index 30c86272..82dc3a82 100644 man1/expiry.1 \ man5/faillog.5 \ man8/faillog.8 \ -@@ -22,12 +20,8 @@ man_MANS = \ +@@ -21,12 +19,8 @@ man_MANS = \ + man8/grpconv.8 \ man8/grpunconv.8 \ man5/gshadow.5 \ - man8/lastlog.8 \ - man1/login.1 \ man5/login.defs.5 \ - man8/logoutd.8 \ @@ -548,7 +573,7 @@ index 30c86272..82dc3a82 100644 man1/passwd.1 \ man5/passwd.5 \ man8/pwck.8 \ -@@ -36,13 +30,10 @@ man_MANS = \ +@@ -35,13 +29,10 @@ man_MANS = \ man1/sg.1 \ man3/shadow.3 \ man5/shadow.5 \ @@ -561,10 +586,10 @@ index 30c86272..82dc3a82 100644 - man8/vipw.8 + man8/usermod.8 - man_nopam = \ - man5/login.access.5 \ + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 diff --git a/man/zh_CN/Makefile.am b/man/zh_CN/Makefile.am -index e9d8f2c2..c2e6cdfd 100644 +index a8b93a56..42ad764d 100644 --- a/man/zh_CN/Makefile.am +++ b/man/zh_CN/Makefile.am @@ -3,10 +3,8 @@ mandir = @mandir@/zh_CN @@ -578,10 +603,10 @@ index e9d8f2c2..c2e6cdfd 100644 man1/expiry.1 \ man5/faillog.5 \ man8/faillog.8 \ -@@ -22,12 +20,8 @@ man_MANS = \ +@@ -21,12 +19,8 @@ man_MANS = \ + man8/grpconv.8 \ man8/grpunconv.8 \ man5/gshadow.5 \ - man8/lastlog.8 \ - man1/login.1 \ man5/login.defs.5 \ - man8/logoutd.8 \ @@ -591,7 +616,7 @@ index e9d8f2c2..c2e6cdfd 100644 man1/passwd.1 \ man5/passwd.5 \ man8/pwck.8 \ -@@ -36,13 +30,10 @@ man_MANS = \ +@@ -35,13 +29,10 @@ man_MANS = \ man1/sg.1 \ man3/shadow.3 \ man5/shadow.5 \ @@ -604,8 +629,8 @@ index e9d8f2c2..c2e6cdfd 100644 - man8/vipw.8 + man8/usermod.8 - man_nopam = \ - man5/limits.5 \ + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 diff --git a/man/zh_TW/Makefile.am b/man/zh_TW/Makefile.am index c36ed2c7..26696b67 100644 --- a/man/zh_TW/Makefile.am @@ -627,7 +652,7 @@ index c36ed2c7..26696b67 100644 man8/userdel.8 \ man8/usermod.8 diff --git a/src/Makefile.am b/src/Makefile.am -index a1a2e4e3..53cd7953 100644 +index 585a0b7e..69ec939a 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -3,7 +3,7 @@ EXTRA_DIST = \ 
@@ -639,20 +664,20 @@ index a1a2e4e3..53cd7953 100644 suidperms = 4755 sgidperms = 2755 -@@ -24,9 +24,9 @@ AM_CPPFLAGS = \ +@@ -27,9 +27,9 @@ AM_CFLAGS = $(LIBBSD_CFLAGS) # and installation would be much simpler (just two directories, # $prefix/bin and $prefix/sbin, no install-data hacks...) -bin_PROGRAMS = groups login -sbin_PROGRAMS = nologin --ubin_PROGRAMS = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd +-ubin_PROGRAMS = faillog chage chfn chsh expiry gpasswd newgrp passwd +bin_PROGRAMS = groups +sbin_PROGRAMS = +ubin_PROGRAMS = faillog lastlog chage expiry gpasswd newgrp passwd if ENABLE_SUBIDS ubin_PROGRAMS += newgidmap newuidmap endif -@@ -43,22 +43,20 @@ usbin_PROGRAMS = \ +@@ -49,22 +49,20 @@ usbin_PROGRAMS = \ grpck \ grpconv \ grpunconv \ @@ -677,7 +702,7 @@ index a1a2e4e3..53cd7953 100644 if WITH_SU suidbins += su endif -@@ -131,18 +129,16 @@ sulogin_LDADD = $(LDADD) $(LIBCRYPT) $(LIBECONF) +@@ -137,18 +135,16 @@ sulogin_LDADD = $(LDADD) $(LIBCRYPT) $(LIBECONF) useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBECONF) -ldl userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBECONF) -ldl usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBECONF) -ldl @@ -698,5 +723,5 @@ index a1a2e4e3..53cd7953 100644 chmod $(suidperms) $(DESTDIR)$(usbindir)/$$i; \ done -- -2.39.0 +2.42.0 diff --git a/0002-Adapt-login.defs-for-PAM-and-util-linux.patch b/0002-Adapt-login.defs-for-PAM-and-util-linux.patch index 05ac6eb7f232..2c8d026e8b8a 100644 --- a/0002-Adapt-login.defs-for-PAM-and-util-linux.patch +++ b/0002-Adapt-login.defs-for-PAM-and-util-linux.patch @@ -1,7 +1,7 @@ -From e5cd1303ef4dab4e25ad01d4795b80a32cafa469 Mon Sep 17 00:00:00 2001 +From 04208ea372acef47175b48ad85959b43b8042831 Mon Sep 17 00:00:00 2001 
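Review bot: The rebased 0001 patch still forces lastlog in unconditionally: it adds `man8/lastlog.8 \` to man_MANS in man/Makefile.am and keeps `ubin_PROGRAMS = faillog lastlog chage expiry gpasswd newgrp passwd` in src/Makefile.am, although the upstream line it replaces no longer contains lastlog. The context lines of the same patch show that upstream now gates the man page with `if ENABLE_LASTLOG` / `man_MANS += man8/lastlog.8`, so this looks like a carry-over from the 4.13 patch rather than a decision. If the conditional is true at build time the entry is presumably listed twice, and if it is false the package overrides the configure switch. Either drop lastlog from the patched lines (`ubin_PROGRAMS = faillog chage expiry gpasswd newgrp passwd`) or say in the patch description why it is forced. The Makefile.am bodies are only partly visible in these hunks, so check against the 4.14.0 tree.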
From: David Runge <dvzrv@archlinux.org> Date: Mon, 31 Oct 2022 09:45:13 +0100 -Subject: [PATCH 2/4] Adapt login.defs for PAM and util-linux +Subject: [PATCH 2/3] Adapt login.defs for PAM and util-linux etc/login.defs: Remove unused login.defs options, that are either irrelevant due to the @@ -36,11 +36,18 @@ options silently ignored by shadow when built with PAM enabled): * ULIMIT Removed options because they are not availablbe with PAM enabled: +* BCRYPT_MIN_ROUNDS +* BCRYPT_MAX_ROUNDS * CONSOLE_GROUPS * CONSOLE * MD5_CRYPT_ENAB * PREVENT_NO_AUTH +Removed encryption methods (`ENCRYPT_METHOD`), because they are unsafe +or not available with PAM: +* BCRYPT +* MD5 + Removed options because they are not supported by login from util-linux: * ERASECHAR * KILLCHAR @@ -58,12 +65,12 @@ from util-linux: man/login.defs.5.xml: Remove unavailable options from man 5 login.defs. --- - etc/login.defs | 212 +------------------------------------------ - man/login.defs.5.xml | 150 +----------------------------- - 2 files changed, 8 insertions(+), 354 deletions(-) + etc/login.defs | 228 +------------------------------------------ + man/login.defs.5.xml | 150 +--------------------------- + 2 files changed, 8 insertions(+), 370 deletions(-) diff --git a/etc/login.defs b/etc/login.defs -index 114dbcd9..7c633a57 100644 +index 114dbcd9..797ca6b3 100644 --- a/etc/login.defs +++ b/etc/login.defs @@ -3,6 +3,8 @@ @@ -295,7 +302,7 @@ index 114dbcd9..7c633a57 100644 # # Which fields may be changed by regular users using chfn(1) - use # any combination of letters "frwh" (full name, room number, work -@@ -298,38 +141,14 @@ CHFN_AUTH yes +@@ -298,38 +141,13 @@ CHFN_AUTH yes # CHFN_RESTRICT rwh 
@@ -326,7 +333,7 @@ index 114dbcd9..7c633a57 100644 -# If set to MD5, MD5-based algorithm will be used for encrypting password # If set to SHA256, SHA256-based algorithm will be used for encrypting password # If set to SHA512, SHA512-based algorithm will be used for encrypting password - # If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password +-# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password # If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password # If set to DES, DES-based algorithm will be used for encrypting password (default) # MD5 and DES should not be used for new hashes, see crypt(5) for recommendations. @@ -334,7 +341,29 @@ index 114dbcd9..7c633a57 100644 # # Note: If you use PAM, it is recommended to use a value consistent with # the PAM modules configuration. -@@ -381,17 +200,6 @@ CHFN_RESTRICT rwh +@@ -353,21 +171,6 @@ CHFN_RESTRICT rwh + #SHA_CRYPT_MIN_ROUNDS 5000 + #SHA_CRYPT_MAX_ROUNDS 5000 + +-# +-# Only works if ENCRYPT_METHOD is set to BCRYPT. +-# +-# Define the number of BCRYPT rounds. +-# With a lot of rounds, it is more difficult to brute-force the password. +-# However, more CPU resources will be needed to authenticate users if +-# this value is increased. +-# +-# If not specified, 13 rounds will be attempted. +-# If only one of the MIN or MAX values is set, then this value will be used. +-# If MIN > MAX, the highest value will be used. +-# +-#BCRYPT_MIN_ROUNDS 13 +-#BCRYPT_MAX_ROUNDS 13 +- + # + # Only works if ENCRYPT_METHOD is set to YESCRYPT. + # +@@ -381,17 +184,6 @@ CHFN_RESTRICT rwh # #YESCRYPT_COST_FACTOR 5 @@ -352,7 +381,7 @@ index 114dbcd9..7c633a57 100644 # # Should login be allowed if we can't cd to the home directory? # Default is no. -@@ -406,12 +214,6 @@ DEFAULT_HOME yes +@@ -406,12 +198,6 @@ DEFAULT_HOME yes # NONEXISTENT /nonexistent 
@@ -365,7 +394,7 @@ index 114dbcd9..7c633a57 100644 # # If defined, this command is run when removing a user. # It should remove any at/cron/print jobs etc. owned by -@@ -459,14 +261,6 @@ USERGROUPS_ENAB yes +@@ -459,14 +245,6 @@ USERGROUPS_ENAB yes # #GRANT_AUX_GROUP_SUBIDS yes @@ -688,5 +717,5 @@ index ab62fa86..d82c47f1 100644 </refsect1> -- -2.39.0 +2.42.0 diff --git a/0003-Add-Arch-Linux-defaults-for-login.defs.patch b/0003-Add-Arch-Linux-defaults-for-login.defs.patch index 0d2fe8ac5437..5e687b02a2c3 100644 --- a/0003-Add-Arch-Linux-defaults-for-login.defs.patch +++ b/0003-Add-Arch-Linux-defaults-for-login.defs.patch @@ -1,24 +1,24 @@ -From 8c2a5c7d695fc6066c92b102d26853f25e0bedb8 Mon Sep 17 00:00:00 2001 +From 2642dcf11171a701f1997dcd19a769bb5baec410 Mon Sep 17 00:00:00 2001 
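Review bot: The ENCRYPT_METHOD comment block left in etc/login.defs by the 0002 patch still offers DES as a value and calls it the default, and it keeps the sentence `MD5 and DES should not be used for new hashes` even though the MD5 and BCRYPT lines are now removed. The patch description gives "unsafe" as a reason for removing methods, so the DES line deserves the same treatment, or at least a comment such as `# DES is kept for compatibility only; do not select it for new hashes.` The description carried in this patch also has the typo `availablbe`. Only part of the comment block is visible in the hunk, so the surrounding lines may already cover some of this.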
From: David Runge <dvzrv@archlinux.org> Date: Mon, 31 Oct 2022 10:10:22 +0100 -Subject: [PATCH 3/4] Add Arch Linux defaults for login.defs +Subject: [PATCH 3/3] Add Arch Linux defaults for login.defs etc/login.defs: -Change ENV_SUPATH and ENV_SUPATH to only use -/usr/local/sbin:/usr/local/bin:/usr/bin as Arch Linux is a /usr merge -and bin merge distribution. -Change UMASK to 077 as it is considered a more privacy conserving -default than 022. -Change SYS_UID_MIN and SYS_GID_MIN to 500 which gives more space for -distribution added UIDs and GIDs. -Change ENCRYPT_METHOD to SHA512 as it is a safer hashing algorithm than -DES. +- Change `ENV_SUPATH` and `ENV_SUPATH` to only use + /usr/local/sbin:/usr/local/bin:/usr/bin as Arch Linux is a /usr and + bin merge distribution. +- Set `HOME_MODE` to `0700` to be able to rely on a `UMASK` of `022` + while creating home directories in a privacy conserving manner. +- Change SYS_UID_MIN and SYS_GID_MIN to 500 which gives more space for + distribution added UIDs and GIDs of system users. +- Change ENCRYPT_METHOD to YESCRYPT as it is a safer hashing algorithm + than DES. --- etc/login.defs | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/etc/login.defs b/etc/login.defs -index 7c633a57..ea841257 100644 +index 797ca6b3..c4accbf8 100644 --- a/etc/login.defs +++ b/etc/login.defs @@ -55,8 +55,8 @@ HUSHLOGIN_FILE .hushlogin @@ -32,15 +32,15 @@ index 7c633a57..ea841257 100644 # # Terminal permissions -@@ -79,7 +79,7 @@ TTYPERM 0600 - # 022 is the default value, but 027, or even 077, could be considered - # for increased privacy. There is no One True Answer here: each sysadmin - # must make up their mind. --UMASK 022 -+UMASK 077 - +@@ -84,7 +84,7 @@ UMASK 022 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new # home directories. + # If HOME_MODE is not set, the value of UMASK is used to create the mode. +-#HOME_MODE 0700 ++HOME_MODE 0700 + + # + # Password aging controls: 
@@ -103,7 +103,7 @@ PASS_WARN_AGE 7 UID_MIN 1000 UID_MAX 60000 @@ -59,15 +59,15 @@ index 7c633a57..ea841257 100644 SYS_GID_MAX 999 # Extra per user group ids SUB_GID_MIN 100000 -@@ -153,7 +153,7 @@ CHFN_RESTRICT rwh +@@ -152,7 +152,7 @@ CHFN_RESTRICT rwh # Note: If you use PAM, it is recommended to use a value consistent with # the PAM modules configuration. # -#ENCRYPT_METHOD DES -+ENCRYPT_METHOD SHA512 ++ENCRYPT_METHOD YESCRYPT # # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. -- -2.39.0 +2.42.0 diff --git a/0004-Add-Arch-Linux-defaults-for-etc-pam.d.patch b/0004-Add-Arch-Linux-defaults-for-etc-pam.d.patch deleted file mode 100644 index 6522342e66ef..000000000000 --- a/0004-Add-Arch-Linux-defaults-for-etc-pam.d.patch +++ /dev/null 
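Review bot: The 0003 patch changes two security defaults with no comment in etc/login.defs itself: UMASK is no longer raised to `077` (it stays at `022`, with `HOME_MODE 0700` set instead), and `ENCRYPT_METHOD` moves from `SHA512` to `YESCRYPT`. HOME_MODE only applies to home directories created by useradd and newusers, so files created outside the home directory now default to world-readable and existing homes keep their mode; a comment above the setting such as `# Arch: home directories are created 0700; UMASK stays 022 for everything else` would make that explicit. For the hash change, the context line `If you use PAM, it is recommended to use a value consistent with the PAM modules configuration` applies: the deleted 0004 patch pinned `pam_unix.so sha512 shadow`, so confirm that whatever now ships the PAM files selects yescrypt as well. The description also names `ENV_SUPATH` twice, where the second is presumably `ENV_PATH`.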
@@ -1,201 +0,0 @@ -From 8727ea3e58908d3270e68c1614308682b70a44c1 Mon Sep 17 00:00:00 2001 -From: David Runge <dvzrv@archlinux.org> -Date: Sat, 5 Nov 2022 22:52:58 +0100 -Subject: [PATCH 4/4] Add Arch Linux defaults for /etc/pam.d/ - -etc/pam.d/Makefile.am: -Disable chfn, chsh and login. -Enable shadow. -Always install the PAM integration for the account tools (even if they -are not setuid). - -etc/pam.d/{chage,chpasswd,group{add,del,mod},newusers,passwd,shadow,user{add,del,mod}}: -Add distribution defaults for Arch Linux. - -s ---- - etc/pam.d/Makefile.am | 7 ++----- - etc/pam.d/chage | 6 ++++-- - etc/pam.d/chpasswd | 6 ++++-- - etc/pam.d/groupadd | 6 ++++-- - etc/pam.d/groupdel | 6 ++++-- - etc/pam.d/groupmod | 6 ++++-- - etc/pam.d/newusers | 6 ++++-- - etc/pam.d/passwd | 4 +--- - etc/pam.d/shadow | 6 ++++++ - etc/pam.d/useradd | 6 ++++-- - etc/pam.d/userdel | 6 ++++-- - etc/pam.d/usermod | 6 ++++-- - 12 files changed, 45 insertions(+), 26 deletions(-) - create mode 100644 etc/pam.d/shadow - -diff --git a/etc/pam.d/Makefile.am b/etc/pam.d/Makefile.am -index 38ff26ae..41e43e01 100644 ---- a/etc/pam.d/Makefile.am -+++ b/etc/pam.d/Makefile.am -@@ -2,10 +2,8 @@ - # and also cooperate to make a distribution for `make dist' - - pamd_files = \ -- chfn \ -- chsh \ - groupmems \ -- login \ -+ shadow \ - passwd - - pamd_acct_tools_files = \ -@@ -23,10 +21,9 @@ pamd_acct_tools_files = \ - if USE_PAM - pamddir = $(sysconfdir)/pam.d - pamd_DATA = $(pamd_files) --if ACCT_TOOLS_SETUID -+# NOTE: we are always installing the PAM integration for the account tools - pamd_DATA += $(pamd_acct_tools_files) - endif --endif - - if WITH_SU - pamd_files += su -diff --git a/etc/pam.d/chage b/etc/pam.d/chage -index 8f49f5cc..a7bf8a4a 100644 ---- a/etc/pam.d/chage -+++ b/etc/pam.d/chage -@@ -1,4 +1,6 @@ - #%PAM-1.0 - auth sufficient pam_rootok.so --account required pam_permit.so --password include system-auth -+auth required pam_unix.so -+account required pam_unix.so -+session required 
pam_unix.so -+password required pam_permit.so -diff --git a/etc/pam.d/chpasswd b/etc/pam.d/chpasswd -index 8f49f5cc..5d447985 100644 ---- a/etc/pam.d/chpasswd -+++ b/etc/pam.d/chpasswd -@@ -1,4 +1,6 @@ - #%PAM-1.0 - auth sufficient pam_rootok.so --account required pam_permit.so --password include system-auth -+auth required pam_unix.so -+account required pam_unix.so -+session required pam_unix.so -+password required pam_unix.so sha512 shadow -diff --git a/etc/pam.d/groupadd b/etc/pam.d/groupadd -index 8f49f5cc..a7bf8a4a 100644 ---- a/etc/pam.d/groupadd -+++ b/etc/pam.d/groupadd -@@ -1,4 +1,6 @@ - #%PAM-1.0 - auth sufficient pam_rootok.so --account required pam_permit.so --password include system-auth -+auth required pam_unix.so -+account required pam_unix.so -+session required pam_unix.so -+password required pam_permit.so -diff --git a/etc/pam.d/groupdel b/etc/pam.d/groupdel -index 8f49f5cc..a7bf8a4a 100644 ---- a/etc/pam.d/groupdel -+++ b/etc/pam.d/groupdel -@@ -1,4 +1,6 @@ - #%PAM-1.0 - auth sufficient pam_rootok.so --account required pam_permit.so --password include system-auth -+auth required pam_unix.so -+account required pam_unix.so -+session required pam_unix.so -+password required pam_permit.so -diff --git a/etc/pam.d/groupmod b/etc/pam.d/groupmod -index 8f49f5cc..a7bf8a4a 100644 ---- a/etc/pam.d/groupmod -+++ b/etc/pam.d/groupmod -@@ -1,4 +1,6 @@ - #%PAM-1.0 - auth sufficient pam_rootok.so --account required pam_permit.so --password include system-auth -+auth required pam_unix.so -+account required pam_unix.so -+session required pam_unix.so -+password required pam_permit.so -diff --git a/etc/pam.d/newusers b/etc/pam.d/newusers -index 8f49f5cc..5d447985 100644 ---- a/etc/pam.d/newusers -+++ b/etc/pam.d/newusers -@@ -1,4 +1,6 @@ - #%PAM-1.0 - auth sufficient pam_rootok.so --account required pam_permit.so --password include system-auth -+auth required pam_unix.so -+account required pam_unix.so -+session required pam_unix.so -+password required pam_unix.so 
sha512 shadow -diff --git a/etc/pam.d/passwd b/etc/pam.d/passwd -index 731c0d36..08d819b2 100644 ---- a/etc/pam.d/passwd -+++ b/etc/pam.d/passwd -@@ -1,4 +1,2 @@ - #%PAM-1.0 --auth include system-auth --account include system-auth --password include system-auth -+password required pam_unix.so sha512 shadow nullok -diff --git a/etc/pam.d/shadow b/etc/pam.d/shadow -new file mode 100644 -index 00000000..a7bf8a4a ---- /dev/null -+++ b/etc/pam.d/shadow -@@ -0,0 +1,6 @@ -+#%PAM-1.0 -+auth sufficient pam_rootok.so -+auth required pam_unix.so -+account required pam_unix.so -+session required pam_unix.so -+password required pam_permit.so -diff --git a/etc/pam.d/useradd b/etc/pam.d/useradd -index 8f49f5cc..a7bf8a4a 100644 ---- a/etc/pam.d/useradd -+++ b/etc/pam.d/useradd -@@ -1,4 +1,6 @@ - #%PAM-1.0 - auth sufficient pam_rootok.so --account required pam_permit.so --password include system-auth -+auth required pam_unix.so -+account required pam_unix.so -+session required pam_unix.so -+password required pam_permit.so -diff --git a/etc/pam.d/userdel b/etc/pam.d/userdel -index 8f49f5cc..a7bf8a4a 100644 ---- a/etc/pam.d/userdel -+++ b/etc/pam.d/userdel -@@ -1,4 +1,6 @@ - #%PAM-1.0 - auth sufficient pam_rootok.so --account required pam_permit.so --password include system-auth -+auth required pam_unix.so -+account required pam_unix.so -+session required pam_unix.so -+password required pam_permit.so -diff --git a/etc/pam.d/usermod b/etc/pam.d/usermod -index 8f49f5cc..a7bf8a4a 100644 ---- a/etc/pam.d/usermod -+++ b/etc/pam.d/usermod -@@ -1,4 +1,6 @@ - #%PAM-1.0 - auth sufficient pam_rootok.so --account required pam_permit.so --password include system-auth -+auth required pam_unix.so -+account required pam_unix.so -+session required pam_unix.so -+password required pam_permit.so --- -2.39.0 - diff --git a/LICENSE b/LICENSE deleted file mode 100644 index c5ab15a5607a..000000000000 --- a/LICENSE +++ /dev/null 
@@ -1,31 +0,0 @@
-/*
- * Copyright (c) 1990 - 1994, Julianne Frances Haugh
- * Copyright (c) 1996 - 2000, Marek Michałkiewicz
- * Copyright (c) 2001 - 2006, Tomasz Kłoczko
- * Copyright (c) 2007 - 2009, Nicolas François
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the copyright holders or contributors may not be used to
- * endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
@@ -10,12 +10,12 @@ # If you want to help keep it up to date, please open a Pull Request there. pkgname=shadow-selinux -pkgver=4.13 -pkgrel=3 +pkgver=4.14.0 +pkgrel=4 pkgdesc="Password and account management tool suite with support for shadow files and PAM - SELinux support" arch=(x86_64 aarch64) url="https://github.com/shadow-maint/shadow" -license=(BSD) +license=(BSD-3-Clause) groups=(selinux) depends=( acl libacl.so 
@@ -26,44 +26,54 @@ depends=( pam-selinux libpam.so libpam_misc.so 'libsemanage>=3.2' ) -makedepends=(docbook-xsl itstool libcap libxslt) +makedepends=( + docbook-xsl + itstool + libcap + libxslt +) backup=( etc/default/useradd etc/login.defs - etc/pam.d/{chage,{,ch,chg}passwd,group{add,del,mems,mod},newusers,shadow,user{add,del,mod}} + etc/pam.d/chpasswd + etc/pam.d/groupmems + etc/pam.d/newusers + etc/pam.d/passwd ) conflicts=("${pkgname/-selinux}" "selinux-${pkgname/-selinux}") provides=("${pkgname/-selinux}=${pkgver}-${pkgrel}" "selinux-${pkgname/-selinux}=${pkgver}-${pkgrel}") options=(!emptydirs) -# NOTE: distribution patches are taken from https://gitlab.archlinux.org/archlinux/packaging/upstream/shadow/-/commits/v4.13.0.arch1 +# NOTE: distribution patches are taken from https://gitlab.archlinux.org/archlinux/packaging/upstream/shadow/-/commits/v4.14.0.arch2 source=( - https://github.com/shadow-maint/shadow/releases/download/$pkgver/shadow-$pkgver.tar.xz{,.asc} - 0001-Disable-replaced-tools-and-man-pages.patch + $url/releases/download/$pkgver/${pkgname/-selinux}-$pkgver.tar.xz{,.asc} + 0001-Disable-replaced-tools-and-their-man-pages-and-PAM-i.patch 0002-Adapt-login.defs-for-PAM-and-util-linux.patch 0003-Add-Arch-Linux-defaults-for-login.defs.patch - 0004-Add-Arch-Linux-defaults-for-etc-pam.d.patch shadow.{timer,service} + shadow.{sysusers,tmpfiles} useradd.defaults ) -sha512sums=('2949a728c3312bef13d23138d6b79caf402781b1cb179e33b5be546c1790971ec20778d0e9cd3dbe09691d928ffcbe88e60da42fab58c69a90d5ebe5e3e2ab8e' +sha512sums=('ff960481d576f9db5a9f10becc4e1a74c03de484ecfdcd7f1ea735fded683d7ba0f9cd895dc6a431b77e5a633752273178b1bcda4cefaa5adbf0f143c9a0c86f' 'SKIP' - '23215dbc4efa5cb321f32442be30b92f79f1e008c7418ee5daac27540785c1674e790a5e4ee755e9a5a086589be8437e25efbee4a4668918b14337b86309192b' - '26160ba1bc42619077dd826fc6e472196e47f4f2e29f9a70d68373a73df9d6187e3a2671369a223e230b05b42af113c38aacf24cd6cb99fbc00b8baca71ab6b7' - 
'3b8bec1dc5dfdc5a3b7b3a4579c05d7fc71ac80c87bdb35031820c2442efcae5dfcc97c763ca9430c1dc3f5d3827dc391999cb67e89d3758d31bdc694dff4601' - 'fcedd59f0c1294ca03ff2553591058295073e9c795500f66e571e34635016898b999afa816c5994846e459bf743d2c7a358a5be1f561a86a75846df2112194e1' + 'ac119fd4a7867021923c54d54612499313686bb2faa957133f63c77700b8777dd87628fd4f36d4e4c1160700624a776510bc5d450ef5be1adc128552edfcb062' + '57166e14262df3ddcf03008a34ef603a624a31b6d40b18b9fc4d8be50fb857540dea2ffc9dab81c91bcd87bbb3b0dee381219ebd3e68f71864c64a33d5ec7b15' + '16c00e8ae1e4f86c9075e08b420ddd5e948345db5611390167ce08d7e3e4ec469954b255b3384d855484803ce3fa5d78c88ff8ae722c0215b692b9dece2ed6f6' 'e4edf705dd04e088c6b561713eaa1afeb92f42ac13722bff037aede6ac5ad7d4d00828cfb677f7b1ff048db8b6788238c1ab6a71dfcfd3e02ef6cb78ae09a621' '2c8689b52029f6aa27d75b8b05b0b36e2fc322cab40fdfbb50cdbe331f61bc84e8db20f012cf9af3de8c4e7fdb10c2d5a4925ca1ba3b70eb5627772b94da84b3' - 'e9ffea021ee4031b9ad3a534bfb94dbf9d0dfd45a55ecac5dedb2453ea0c17fb80bbb9ad039686bc1f3349dc371977eb548e3a665c56531469c22f29fc4eced8') -b2sums=('315ab8a7e598aeefb50c11293e20cfa0982c3c3ae21c35ae243d09a4facf97a13c1d672990876e74ef94f5284402acf14997663743e2aaefa6cfc4369b7d24dc' + '5afac4a96b599b0b8ed7be751e7160037c3beb191629928c6520bfd3f2adcd1c55c31029c92c2ff8543e6cd9e37e2cd515ba4e1789c6d66f9c93b4e7f209ee7a' + '97a6a57c07502e02669dc1a91bffc447dba7d98d208b798d80e07de0d2fdf9d23264453978d2d3d1ba6652ca1f2e22cdadc4309c7b311e83fa71b00ad144f877' + '706ba6e7fa8298475f2605a28daffef421c9fa8d269cbd5cbcf7f7cb795b40a24d52c20e8d0b73e29e6cd35cd7226b3e9738dc513703e87dde04c1d24087a69c') +b2sums=('6e9a6108f856953ec91c597e46ad4f912101a829c7b3ff3389510be43f56f0a70425bd562119282d73df269df45af354e626741ad748f9c1e6f27b74a462a62c' 'SKIP' - 'e109e09f7709270e6042389f74ee59f44d95c3bd02aa57fedbe27f1e111d36fdb2fc4bb9f837916bfd83ebfa7d1d0859a50d6fefe573da3fd6f849cfd61a0187' - 
'9d3490810bc94c8809442e9e3928fd4dfc62a22e7134ecc63098a1e2ab5db6c64867f6f067641bb7bccf712a7269b67c36434d2ae3ed3e0a206ac66eef299dc9' - '92474c0a9cd8bc4df08984a304c73122a9711f1e4c036361e1dcbc027b1e43e007d1e35cdd5db4295829603a097ab360adb66289c4b479a5d5ccee4947f72da7' - 'aee9aaadae6d49872b4eb98334fbffee7a49b1625b81019927908ac79753364fdac4d87433fcd5d2d2327d7b65eddcfc2edabe7c6a2a67ad7b101ab0bf6deaad' + '77b6e4bc6dc070b992728440fc29a8ed04e8f51cc7e58628f294c68bec7f102c8a80af6a41cf9a3c37d33e7a40ead4f4729f2e68412ab5606e6ecbd3008f5048' + 'e6359de24e563564979fd0b7915a3227239a84f175cb188392097394d4d41c782100655cbd0a779b6dfde7eddcf8b314ab15eb15ca891287a820547551d54c04' + 'fe88e173ea5531c083c1f3fb640cad1de463ce5446cb097bd30bc54e9082ba0540a57a9effd11c0779196583cf58bfc7066ab10ef4088f78c7d74928a73889b2' '5cfc936555aa2b2e15f8830ff83764dad6e11a80e2a102c5f2bd3b7c83db22a5457a3afdd182e3648c9d7d5bca90fa550f59576d0ac47a11a31dfb636cb18f2b' 'a69191ab966f146c35e7e911e7e57c29fffd54436ea014aa8ffe0dd46aaf57c635d0a652b35916745c75d82b3fca7234366ea5f810b622e94730b45ec86f122c' - 'd5bea0cfc2e6d3d1749c65440ca911533d41b6f8117fe09e9efec23524637cfa823d230303a7fbb45d3cd251bf8036d48b9b21049ced208f7ed191fcbd75e879') + '511c4ad9f3be530dc17dd68f2a3387d748dcdb84192d35f296b88f82442224477e2a74b1841ec3f107b39a5c41c2d961480e396a48d0578f8fd5f65dbe8d9f04' + 'd727923dc6ed02e90ef31f10b3427df50afbfe416bd03c6de0c341857d1bb33ab6168312bd4ba18d19d0653020fb332cbcfeeb24e668ae3916add9d01b89ccb4' + 'f743922062494fe342036b3acb8b747429eb33b1a13aa150daa4bb71a84e9c570cfcc8527a5f846e3ea7020e6f23c0b10d78cf2ba8363eea0224e4c34ea10161') validpgpkeys=(66D0387DB85D320F8408166DB175CFA98F192AF2) # Serge Hallyn <sergeh@kernel.org> prepare() { 
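Review bot: The `backup` array drops every `etc/pam.d/` entry except `chpasswd`, `groupmems`, `newusers` and `passwd`, and nothing in the PKGBUILD says why. Going by the `--with-libpam` comment in the `build()` hunk, only those four tools still use PAM, so a locally hardened `/etc/pam.d/useradd` or similar would presumably stop being consulted after the upgrade. If that reading is right, a comment above the array would make it visible to administrators, for example `# only chpasswd, groupmems, newusers and passwd still use PAM; the other account tools no longer ship a pam.d file`. The hunk ends inside `prepare()`, whose body is outside it.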
@@ -82,25 +92,27 @@ prepare() { build() { local configure_options=( - --prefix=/usr --bindir=/usr/bin - --sbindir=/usr/bin + --disable-account-tools-setuid # no setuid for chgpasswd, chpasswd, groupadd, groupdel, groupmod, newusers, useradd, userdel, usermod + --enable-man --libdir=/usr/lib --mandir=/usr/share/man + --prefix=/usr + --sbindir=/usr/bin --sysconfdir=/etc - --disable-account-tools-setuid - --enable-man - --with-fcaps - --with-libpam - --with-group-name-max-length=32 --with-audit - --with-bcrypt - --with-yescrypt + --with-fcaps # use capabilities instead of setuid for setuidmap and setgidmap + --with-group-name-max-length=32 + --with-libpam # PAM integration for chpasswd, groupmems, newusers, passwd + --without-libbsd # shadow can use internal implementation for getting passphrase + --without-nscd # we do not ship nscd anymore --with-selinux - --without-su + --without-su # su is provided by util-linux ) cd "${pkgname/-selinux}-$pkgver" + # add extra check, preventing accidental deletion of other user's home dirs when using `userdel -r <user with home in />` + export CFLAGS="$CFLAGS -DEXTRA_CHECK_HOME_DIR" ./configure "${configure_options[@]}" # prevent excessive overlinking due to libtool 
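Review bot: `--with-bcrypt` and `--with-yescrypt` disappear from `configure_options` without a comment, while most of the remaining options gained one. If the 4.14.0 configure script does not turn both on by default, the rebuilt tools would lose support for those hash methods, and the `login.defs` patches that pick the default method are not visible in this hunk. Either keep the two flags explicit or record the reason next to the list, e.g. `# bcrypt and yescrypt: enabled by configure default, no flag needed`, once that has been checked against `./configure --help`. `build()` continues past the end of the hunk.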
@@ -125,4 +137,13 @@ package() { install -vDm 644 ../shadow.service -t "$pkgdir/usr/lib/systemd/system/" install -vdm 755 "$pkgdir/usr/lib/systemd/system/timers.target.wants" ln -s ../shadow.timer "$pkgdir/usr/lib/systemd/system/timers.target.wants/shadow.timer" + + install -vDm 644 ../${pkgname/-selinux}.sysusers "$pkgdir/usr/lib/sysusers.d/${pkgname/-selinux}.conf" + install -vDm 644 ../${pkgname/-selinux}.tmpfiles "$pkgdir/usr/lib/tmpfiles.d/${pkgname/-selinux}.conf" + + # adapt executables to match the modes used by tmpfiles.d, so that pacman does not complain: + chmod 750 "$pkgdir/usr/bin/groupmems" + + # manually add PAM config for chpasswd and newusers: https://github.com/shadow-maint/shadow/issues/810 + install -vDm 644 etc/pam.d/{chpasswd,newusers} -t "$pkgdir/etc/pam.d/" } diff --git a/shadow.sysusers b/shadow.sysusers new file mode 100644 index 000000000000..fc536aa209dc --- /dev/null +++ b/shadow.sysusers @@ -0,0 +1 @@ +g groups - - diff --git a/shadow.tmpfiles b/shadow.tmpfiles new file mode 100644 index 000000000000..dabf54576aae --- /dev/null +++ b/shadow.tmpfiles @@ -0,0 +1 @@ +z /usr/bin/groupmems 2750 root groups - - diff --git a/useradd.defaults b/useradd.defaults index a2808876bb42..9bc422c523fc 100644 --- a/useradd.defaults +++ b/useradd.defaults @@ -2,7 +2,7 @@ # # The SHELL variable specifies the default login shell on your # system. -SHELL=/bin/bash +SHELL=/usr/bin/bash # The default group for users GROUP=users |
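Review bot: The comment above `chmod 750 "$pkgdir/usr/bin/groupmems"` says the mode matches tmpfiles.d, but `shadow.tmpfiles` (added further down in this commit) sets `2750 root groups`, so the setgid bit and the `groups` ownership exist only after systemd-tmpfiles has run and do not show up in the package file list. Anyone auditing setuid/setgid binaries from package metadata will miss it, and where tmpfiles is not applied the tool keeps the packaged mode. I would spell that out: `# packaged as 0750 without setgid; shadow.tmpfiles makes it 2750 root:groups, the group comes from shadow.sysusers`. The two new `install` lines also leave `../${pkgname/-selinux}.sysusers` and `.tmpfiles` unquoted while the destinations are quoted.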