Hello community,
here is the log from the commit of package shadow for openSUSE:Factory checked in at 2016-07-03 12:18:20
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shadow (Old)
and /work/SRC/openSUSE:Factory/.shadow.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shadow"
Changes:
--------
--- /work/SRC/openSUSE:Factory/shadow/shadow.changes 2016-01-26 10:14:18.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.shadow.new/shadow.changes 2016-07-03 12:18:22.000000000 +0200
@@ -1,0 +2,46 @@
+Tue May 31 06:48:41 UTC 2016 - mvetter@suse.com
+
+- Add package dependency for aaa_base, fixing bnc#899409
+ (was done by tbehrens@suse.com but not submitted to Factory)
+
+-------------------------------------------------------------------
+Mon May 30 09:41:55 UTC 2016 - mvetter@suse.com
+
+- shadow 4.2.1 requested by fate#320422
+- bsc#979069: Dont include shadow-4.1.5.1-bug935203-manpage.patch
+- Dont set SUID bit yet. Once bsc#979282 is through, which will adapt the permissions package, we can enable the SUID bits.
+ Remove the files used to circumvent the check.
+- Remove:
+ * shadow-rpmlintrc
+ * shadow-subids
+ * shadow-subids.easy
+ * shadow-subids.secure
+ * shadow-subids.paranoid
+
+-------------------------------------------------------------------
+Thu May 19 12:28:47 UTC 2016 - christian.brauner@mailbox.org
+
+- Update to shadow-4.2.1:
+ - add support for subuids/subgids via newuidmap/newgidmap
+- Rename chkname-regex.diff to chkname-regex.patch
+- Rename encryption_method_nis.diff to encryption_method_nis.patch
+- Rename getdef-new-defs.diff to getdef-new-defs.patch
+- Rename shadow-login_defs.diff to shadow-login_defs.patch
+- Rename userdel-scripts.diff to userdel-script.patch
+- Rename useradd-script.diff to useradd-script.patch
+- Rename useradd-default.diff to useradd-default.patch
+- Rename useradd-mkdirs.diff to useradd-mkdirs.patch
+- Add fixes from Red Hat/Fedora:
+ - shadow-4.1.5.1-audit-owner.patch.patch:
+ - log owner changes for home directory
+ - shadow-4.1.5.1-userdel-helpfix.patch.patch:
+ - give a hint about what happens when you force the removal of a user
+ - shadow-4.2.1-defs-chroot.patch.patch:
+ - initialize uid_t uid_min and uid_t uid_max not before we need them
+ - shadow-4.2.1-merge-group.patch.patch:
+ - simplify by using a single call to snprintf()
+- Add upstream fix
+ - Fix-user-busy-errors-at-userdel.patch:
+ - call sub_uid_close()
+
+-------------------------------------------------------------------
Old:
----
chkname-regex.diff
encryption_method_nis.diff
getdef-new-defs.diff
shadow-4.1.5.1.tar.bz2
shadow-login_defs.diff
useradd-default.diff
useradd-mkdirs.diff
useradd-script.diff
userdel-scripts.diff
New:
----
Fix-user-busy-errors-at-userdel.patch
chkname-regex.patch
encryption_method_nis.patch
getdef-new-defs.patch
shadow-4.1.5.1-audit-owner.patch
shadow-4.1.5.1-userdel-helpfix.patch
shadow-4.2.1-defs-chroot.patch
shadow-4.2.1-merge-group.patch
shadow-4.2.1.tar.xz
shadow-login_defs.patch
useradd-default.patch
useradd-mkdirs.patch
useradd-script.patch
userdel-script.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ shadow.spec ++++++
--- /var/tmp/diff_new_pack.g70l4r/_old 2016-07-03 12:18:24.000000000 +0200
+++ /var/tmp/diff_new_pack.g70l4r/_new 2016-07-03 12:18:24.000000000 +0200
@@ -20,10 +20,10 @@
License: BSD-3-Clause and GPL-2.0+
Group: System/Base
Name: shadow
-Version: 4.1.5.1
+Version: 4.2.1
Release: 0
Url: http://pkg-shadow.alioth.debian.org/
-Source: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2
+Source: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz
Source1: pamd.tar.bz2
Source2: README.changes-pwdutils
Source3: useradd.local
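Review bot: The rewritten `Source:` line still fetches the release tarball over plain http and the spec lists no detached signature or keyring next to it, so the move to the .xz archive is not verified against upstream at build time. If pkg-shadow publishes a `.tar.xz.sig` for this release, adding it as a further `SourceN:` together with a `%{name}.keyring` lets OBS check the signature automatically; if not, a comment recording how the tarball checksum was verified against the upstream announcement would at least leave an audit trail. I cannot confirm from this page which signature files upstream ships for 4.2.1.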
@@ -31,18 +31,24 @@
Source5: userdel-post.local
Source6: shadow.service
Source7: shadow.timer
-Patch: shadow-login_defs.diff
-Patch1: userdel-scripts.diff
-Patch2: useradd-script.diff
-Patch3: chkname-regex.diff
-Patch4: useradd-default.diff
-Patch5: getdef-new-defs.diff
+Patch: shadow-login_defs.patch
+Patch1: userdel-script.patch
+Patch2: useradd-script.patch
+Patch3: chkname-regex.patch
+Patch4: useradd-default.patch
+Patch5: getdef-new-defs.patch
Patch6: shadow-4.1.5.1-manfix.patch
Patch7: shadow-4.1.5.1-logmsg.patch
Patch8: shadow-4.1.5.1-errmsg.patch
Patch9: shadow-4.1.5.1-backup-mode.patch
-Patch10: encryption_method_nis.diff
-Patch11: useradd-mkdirs.diff
+Patch10: encryption_method_nis.patch
+Patch11: useradd-mkdirs.patch
+Patch12: shadow-4.1.5.1-audit-owner.patch
+Patch13: shadow-4.1.5.1-userdel-helpfix.patch
+Patch14: shadow-4.2.1-defs-chroot.patch
+Patch15: shadow-4.2.1-merge-group.patch
+Patch16: Fix-user-busy-errors-at-userdel.patch
+Requires: aaa_base
BuildRequires: audit-devel
BuildRequires: libacl-devel
BuildRequires: libattr-devel
@@ -67,12 +73,17 @@
%patch3 -p0
%patch4 -p0
%patch5 -p0
-%patch6 -p1
-%patch7 -p1
+%patch6 -p0
+%patch7 -p0
%patch8 -p0
-%patch9 -p1
+%patch9 -p0
%patch10 -p0
-%patch11 -p1
+%patch11 -p0
+%patch12 -p0
+%patch13 -p0
+%patch14 -p0
+%patch15 -p0
+%patch16 -p0
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
mv -v doc/HOWTO.utf8 doc/HOWTO
@@ -181,6 +192,8 @@
%set_permissions /usr/bin/gpasswd
%set_permissions /usr/bin/newgrp
%set_permissions /usr/bin/passwd
+%set_permissions /usr/bin/newgidmap
+%set_permissions /usr/bin/newuidmap
%service_add_post shadow.service shadow.timer
@@ -192,6 +205,8 @@
%verify_permissions /usr/bin/gpasswd
%verify_permissions /usr/bin/newgrp
%verify_permissions /usr/bin/passwd
+%verify_permissions /usr/bin/newgidmap
+%verify_permissions /usr/bin/newuidmap
%preun
%service_del_preun shadow.service shadow.timer
@@ -225,6 +240,8 @@
%{_bindir}/lastlog
%attr(4755,root,root) %{_bindir}/newgrp
%attr(4755,root,shadow) %{_bindir}/passwd
+%attr(0755,root,shadow) %{_bindir}/newgidmap
+%attr(0755,root,shadow) %{_bindir}/newuidmap
%{_bindir}/sg
%{_sbindir}/groupadd
%{_sbindir}/groupdel
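Review bot: `%attr(0755,root,shadow)` installs newuidmap and newgidmap without the setuid bit while `%post` and `%verify_permissions` already hand the same two paths to the permissions framework (L163–L164, L170–L171), and nothing at this line explains the mismatch. The changelog (L23) says the SUID bit is deliberately withheld until bsc#979282 adds them to the permissions profiles, which matters because the helpers exist precisely to let unprivileged callers write /proc/PID/{uid,gid}_map for ranges they do not own — without setuid root they only work when run by root. A comment above these two entries, e.g. `# newuidmap/newgidmap stay 0755 until bsc#979282 adds them to the permissions profiles`, would stop the next maintainer from hunting for the reason.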
@@ -268,6 +285,10 @@
%{_mandir}/man8/usermod.8*
%{_mandir}/man8/vigr.8*
%{_mandir}/man8/vipw.8*
+%{_mandir}/man5/subuid.5*
+%{_mandir}/man5/subgid.5*
+%{_mandir}/man1/newgidmap.1*
+%{_mandir}/man1/newuidmap.1*
%{_unitdir}/*
++++++ Fix-user-busy-errors-at-userdel.patch ++++++
From 546e2ae44955510b06a922647796ec54744f10ce Mon Sep 17 00:00:00 2001
From: Bastian Blank
Date: Tue, 17 Nov 2015 10:52:24 -0600
Subject: [PATCH 17/17] Fix user busy errors at userdel
Acked-by: Serge Hallyn
---
libmisc/user_busy.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- libmisc/user_busy.c
+++ libmisc/user_busy.c
@@ -175,6 +175,9 @@ static int user_busy_processes (const char *name, uid_t uid)
if (stat ("/", &sbroot) != 0) {
perror ("stat (\"/\")");
(void) closedir (proc);
+#ifdef ENABLE_SUBIDS
+ sub_uid_close();
+#endif
return 0;
}
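Review bot: The added `sub_uid_close();` silently discards its return value right next to `(void) closedir (proc);`, which casts the same kind of cleanup result away explicitly; for consistency with the file's style use `(void) sub_uid_close ();` here and in the two other sites this patch adds. The matching sub_uid_open() is presumably earlier in user_busy_processes, outside this hunk, so I cannot confirm the success path is balanced as well; the function starts and ends outside the hunk.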
@@ -212,6 +215,9 @@ static int user_busy_processes (const char *name, uid_t uid)
if (check_status (name, tmp_d_name, uid) != 0) {
(void) closedir (proc);
+#ifdef ENABLE_SUBIDS
+ sub_uid_close();
+#endif
fprintf (stderr,
_("%s: user %s is currently used by process %d\n"),
Prog, name, pid);
@@ -232,6 +238,9 @@ static int user_busy_processes (const char *name, uid_t uid)
}
if (check_status (name, task_path+6, uid) != 0) {
(void) closedir (proc);
+#ifdef ENABLE_SUBIDS
+ sub_uid_close();
+#endif
fprintf (stderr,
_("%s: user %s is currently used by process %d\n"),
Prog, name, pid);
++++++ chkname-regex.patch ++++++
--- lib/getdef.c
+++ lib/getdef.c
@@ -51,6 +51,7 @@ struct itemdef {
#define NUMDEFS (sizeof(def_table)/sizeof(def_table[0]))
static struct itemdef def_table[] = {
+ {"CHARACTER_CLASS", NULL},
{"CHFN_RESTRICT", NULL},
{"CONSOLE_GROUPS", NULL},
{"CONSOLE", NULL},
--- libmisc/chkname.c
+++ libmisc/chkname.c
@@ -43,30 +43,57 @@
#ident "$Id$"
#include
+#include
#include "defines.h"
#include "chkname.h"
+#include "getdef.h"
+#include
static bool is_valid_name (const char *name)
{
- /*
- * User/group names must match [a-z_][a-z0-9_-]*[$]
- */
- if (('\0' == *name) ||
- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
+ const char *class;
+ regex_t reg;
+ int result;
+ char *buf;
+
+ /* User/group names must match [A-Za-z_][A-Za-z0-9_-.]*[A-Za-z0-9_-.$]?.
+ This is the POSIX portable character class. The $ at the end is
+ needed for SAMBA. But user can also specify something else in
+ /etc/login.defs. */
+ class = getdef_str ("CHARACTER_CLASS");
+ if (!class)
+ class = "[a-z_][a-z0-9_.-]*[a-z0-9_.$-]\\?";
+
+ if (asprintf (&buf, "^%s$", class) < 0)
+ return -1;
+
+ memset (®, 0, sizeof (regex_t));
+ result = regcomp (®, buf, 0);
+ free (buf);
+
+ if (result) {
+ size_t length = regerror (result, ®, NULL, 0);
+ char *buffer = malloc (length);
+ if (buffer == NULL)
+ fputs ("running out of memory!\n", stderr);
+
+ /* else
+ {
+ regerror (result, ®, buffer, length);
+ fprintf (stderr, _("Can't compile regular expression: %s\n"),
+ buffer);
+ } */
+
+ regfree(®);
return false;
}
- while ('\0' != *++name) {
- if (!(( ('a' <= *name) && ('z' >= *name) ) ||
- ( ('0' <= *name) && ('9' >= *name) ) ||
- ('_' == *name) ||
- ('-' == *name) ||
- ( ('$' == *name) && ('\0' == *(name + 1)) )
- )) {
- return false;
- }
+ if (regexec (®, name, 0, NULL, 0) != 0) {
+ regfree(®);
+ return false;
}
+ regfree(®);
return true;
}
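Review bot: `return -1;` after the failed `asprintf` is inside a function returning `bool`, so an allocation failure converts to `true` and every name — including ones the class would reject — passes validation; it must be `return false;`. The `regcomp` failure branch also leaks `buffer`: it is malloc'd, the only code that used it is commented out, and it is never freed, so either `free (buffer);` before `regfree` or drop the dead `regerror` block entirely. The comment at the top claims the default is `[A-Za-z_]...`, but the compiled-in fallback is lowercase-only `[a-z_][a-z0-9_.-]*[a-z0-9_.$-]\?`, and since `regcomp` interprets `a-z` under the current locale's collation an admin-supplied CHARACTER_CLASS with ranges can accept more than intended — the comment should match the code and mention the locale caveat.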
++++++ encryption_method_nis.patch ++++++
--- lib/getdef.c
+++ lib/getdef.c
@@ -58,6 +58,7 @@ static struct itemdef def_table[] = {
{"CREATE_HOME", NULL},
{"DEFAULT_HOME", NULL},
{"ENCRYPT_METHOD", NULL},
+ {"ENCRYPT_METHOD_NIS", NULL},
{"ENV_PATH", NULL},
{"ENV_SUPATH", NULL},
{"ERASECHAR", NULL},
++++++ getdef-new-defs.patch ++++++
--- lib/getdef.c
+++ lib/getdef.c
@@ -65,6 +65,7 @@ static struct itemdef def_table[] = {
{"FAKE_SHELL", NULL},
{"GID_MAX", NULL},
{"GID_MIN", NULL},
+ {"GROUPADD_CMD", NULL},
{"HUSHLOGIN_FILE", NULL},
{"KILLCHAR", NULL},
{"LOGIN_RETRIES", NULL},
@@ -100,7 +101,10 @@ static struct itemdef def_table[] = {
{"UID_MAX", NULL},
{"UID_MIN", NULL},
{"UMASK", NULL},
+ {"USERADD_CMD", NULL},
{"USERDEL_CMD", NULL},
+ {"USERDEL_PRECMD", NULL},
+ {"USERDEL_POSTCMD", NULL},
{"USERGROUPS_ENAB", NULL},
#ifndef USE_PAM
{"CHFN_AUTH", NULL},
@@ -136,6 +140,10 @@ static struct itemdef def_table[] = {
{"TCB_SYMLINKS", NULL},
{"USE_TCB", NULL},
#endif
+ /* Used by /bin/login */
+ {"MOTD_FILE", NULL},
+ {"ENV_PATH", NULL},
+ {"ENV_ROOTPATH", NULL},
{NULL, NULL}
};
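Review bot: `{"ENV_PATH", NULL}` is already present in def_table — it appears as context in encryption_method_nis.patch on this page (L318) — so this hunk adds a duplicate entry; the lookup is linear, the second copy is never reached, and the result is harmless but misleading to anyone reading the table. Drop the duplicate and keep only `MOTD_FILE` and `ENV_ROOTPATH` under the `/* Used by /bin/login */` comment.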
++++++ shadow-4.1.5.1-audit-owner.patch ++++++
--- src/usermod.c
+++ src/usermod.c
@@ -1808,6 +1808,14 @@ static void move_home (void)
fail_exit (E_HOMEDIR);
}
+#ifdef WITH_AUDIT
+ if (uflg || gflg) {
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "changing home directory owner",
+ user_newname, (unsigned int) user_newid, 1);
+ }
+#endif
+
if (rename (user_home, user_newhome) == 0) {
/* FIXME: rename above may have broken symlinks
* pointing to the user's home directory
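Review bot: The audit record is written before `rename` runs and with a hard-coded result of `1`, so a home move that fails is still logged as a successful "changing home directory owner" event; emit it after the operation with the real outcome, using the success/failure constants the package uses elsewhere (`SHADOW_AUDIT_FAILURE` is visible at L431). `user_newid` is also passed when only `gflg` is set, in which case its value depends on initialisation outside this hunk — worth confirming it then holds the current uid rather than garbage. move_home starts and ends outside the hunk.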
@@ -2254,6 +2262,13 @@ int main (int argc, char **argv)
* ownership.
*
*/
+#ifdef WITH_AUDIT
+ if (uflg || gflg) {
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "changing home directory owner",
+ user_newname, (unsigned int) user_newid, 1);
+ }
+#endif
if (chown_tree (dflg ? user_newhome : user_home,
user_id,
uflg ? user_newid : (uid_t)-1,
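Review bot: The success result (`1`) is logged before `chown_tree` is even called, so an ownership change that fails partway through is audited as complete; moving the `audit_logger` call after `chown_tree` and mapping its return value to the success/failure constant would make the trail truthful. `AUDIT_USER_CHAUTHTOK` is an authentication-token event type; if the libaudit headers in use provide an account-management event type, that would classify an ownership change more accurately, but I cannot confirm availability from here. main continues outside the hunk.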
++++++ shadow-4.1.5.1-backup-mode.patch ++++++
--- /var/tmp/diff_new_pack.g70l4r/_old 2016-07-03 12:18:24.000000000 +0200
+++ /var/tmp/diff_new_pack.g70l4r/_new 2016-07-03 12:18:24.000000000 +0200
@@ -1,7 +1,6 @@
-diff -up shadow-4.1.5.1/lib/commonio.c.backup-mode shadow-4.1.5.1/lib/commonio.c
---- shadow-4.1.5.1/lib/commonio.c.backup-mode 2012-05-18 21:44:54.000000000 +0200
-+++ shadow-4.1.5.1/lib/commonio.c 2012-09-19 20:27:16.089444234 +0200
-@@ -301,15 +301,12 @@ static int create_backup (const char *ba
+--- lib/commonio.c
++++ lib/commonio.c
+@@ -301,15 +301,12 @@ static int create_backup (const char *backup, FILE * fp)
struct utimbuf ub;
FILE *bkfp;
int c;
++++++ shadow-4.1.5.1-errmsg.patch ++++++
--- /var/tmp/diff_new_pack.g70l4r/_old 2016-07-03 12:18:24.000000000 +0200
+++ /var/tmp/diff_new_pack.g70l4r/_new 2016-07-03 12:18:24.000000000 +0200
@@ -1,6 +1,6 @@
--- src/useradd.c
-+++ src/useradd.c 2013/09/17 12:30:31
-@@ -1759,6 +1759,9 @@
++++ src/useradd.c
+@@ -1896,6 +1896,9 @@ static void create_home (void)
if (access (user_home, F_OK) != 0) {
#ifdef WITH_SELINUX
if (set_selinux_file_context (user_home) != 0) {
@@ -10,7 +10,7 @@
fail_exit (E_HOMEDIR);
}
#endif
-@@ -1788,6 +1791,9 @@
+@@ -1925,6 +1928,9 @@ static void create_home (void)
#ifdef WITH_SELINUX
/* Reset SELinux to create files with default contexts */
if (reset_selinux_file_context () != 0) {
++++++ shadow-4.1.5.1-logmsg.patch ++++++
--- /var/tmp/diff_new_pack.g70l4r/_old 2016-07-03 12:18:24.000000000 +0200
+++ /var/tmp/diff_new_pack.g70l4r/_new 2016-07-03 12:18:24.000000000 +0200
@@ -1,7 +1,6 @@
-diff -up shadow-4.1.5.1/src/useradd.c.logmsg shadow-4.1.5.1/src/useradd.c
---- shadow-4.1.5.1/src/useradd.c.logmsg 2013-02-20 15:41:44.000000000 +0100
-+++ shadow-4.1.5.1/src/useradd.c 2013-03-19 18:40:04.908292810 +0100
-@@ -275,7 +275,7 @@ static void fail_exit (int code)
+--- src/useradd.c
++++ src/useradd.c
+@@ -320,7 +320,7 @@ static void fail_exit (int code)
user_name, AUDIT_NO_ID,
SHADOW_AUDIT_FAILURE);
#endif
++++++ shadow-4.1.5.1-manfix.patch ++++++
--- /var/tmp/diff_new_pack.g70l4r/_old 2016-07-03 12:18:24.000000000 +0200
+++ /var/tmp/diff_new_pack.g70l4r/_new 2016-07-03 12:18:24.000000000 +0200
@@ -1,16 +1,6 @@
-diff -up shadow-4.1.5.1/man/useradd.8.xml.manfix shadow-4.1.5.1/man/useradd.8.xml
---- shadow-4.1.5.1/man/useradd.8.xml.manfix 2013-06-14 15:25:44.000000000 +0200
-+++ shadow-4.1.5.1/man/useradd.8.xml 2013-07-19 07:33:53.768619759 +0200
-@@ -161,7 +161,7 @@
- </varlistentry>
- <varlistentry>
- <term>
-- <option>-d</option>, <option>--home</option>
-+ <option>-d</option>, <option>--home-dir</option>
- <replaceable>HOME_DIR</replaceable>
- </term>
- <listitem>
-@@ -362,7 +362,7 @@
+--- man/useradd.8.xml
++++ man/useradd.8.xml
+@@ -351,7 +351,7 @@
</varlistentry>
<varlistentry>
<term>
++++++ shadow-4.1.5.1-userdel-helpfix.patch ++++++
--- src/userdel.c
+++ src/userdel.c
@@ -143,8 +143,9 @@ static void usage (int status)
"\n"
"Options:\n"),
Prog);
- (void) fputs (_(" -f, --force force removal of files,\n"
- " even if not owned by user\n"),
+ (void) fputs (_(" -f, --force force some actions that would fail otherwise\n"
+ " e.g. removal of user still logged in\n"
+ " or files, even if not owned by the user\n"),
usageout);
(void) fputs (_(" -h, --help display this help message and exit\n"), usageout);
(void) fputs (_(" -r, --remove remove home directory and mail spool\n"), usageout);
++++++ shadow-4.2.1-defs-chroot.patch ++++++
--- src/useradd.c
+++ src/useradd.c
@@ -2054,8 +2054,8 @@ int main (int argc, char **argv)
#endif /* ACCT_TOOLS_SETUID */
/* Needed for userns check */
- uid_t uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
- uid_t uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
+ uid_t uid_min;
+ uid_t uid_max;
/*
* Get my name so that I can use it to report errors.
@@ -2073,6 +2073,9 @@ int main (int argc, char **argv)
audit_help_open ();
#endif
+ uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
+ uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
+
sys_ngroups = sysconf (_SC_NGROUPS_MAX);
user_groups = (char **) xmalloc ((1 + sys_ngroups) * sizeof (char *));
/*
++++++ shadow-4.2.1-merge-group.patch ++++++
--- lib/groupio.c
+++ lib/groupio.c
@@ -335,8 +335,7 @@ static /*@null@*/struct commonio_entry *merge_group_entries (
errno = ENOMEM;
return NULL;
}
- snprintf(new_line, new_line_len, "%s\n%s", gr1->line, gr2->line);
- new_line[new_line_len] = '\0';
+ snprintf(new_line, new_line_len + 1, "%s\n%s", gr1->line, gr2->line);
/* Concatenate the 2 list of members */
for (i=0; NULL != gptr1->gr_mem[i]; i++);
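Review bot: `snprintf (new_line, new_line_len + 1, ...)` now lets snprintf write the terminator at index `new_line_len`, which is only safe if the allocation a few lines above (outside the hunk) reserves `new_line_len + 1` bytes; the removed `new_line[new_line_len] = '\0'` suggests it does, but the hunk does not show it. A comment beside the call such as `/* new_line holds new_line_len + 1 bytes: both lines, '\n' and the NUL */`, or a check that the snprintf return value equals `new_line_len`, would make that invariant visible. merge_group_entries starts and ends outside the hunk.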
++++++ shadow-login_defs.patch ++++++
--- etc/login.defs
+++ etc/login.defs
@@ -1,8 +1,5 @@
#
# /etc/login.defs - Configuration control definitions for the shadow package.
-#
-# $Id$
-#
#
# Delay in seconds before being allowed another attempt after a login failure
@@ -12,11 +9,6 @@
FAIL_DELAY 3
#
-# Enable logging and display of /var/log/faillog login(1) failure info.
-#
-FAILLOG_ENAB yes
-
-#
# Enable display of unknown usernames when login(1) failures are recorded.
#
LOG_UNKFAIL_ENAB no
@@ -27,34 +19,6 @@ LOG_UNKFAIL_ENAB no
LOG_OK_LOGINS no
#
-# Enable logging and display of /var/log/lastlog login(1) time info.
-#
-LASTLOG_ENAB yes
-
-#
-# Enable checking and display of mailbox status upon login.
-#
-# Disable if the shell startup files already check for mail
-# ("mailx -e" or equivalent).
-#
-MAIL_CHECK_ENAB yes
-
-#
-# Enable additional checks upon password changes.
-#
-OBSCURE_CHECKS_ENAB yes
-
-#
-# Enable checking of time restrictions specified in /etc/porttime.
-#
-PORTTIME_CHECKS_ENAB yes
-
-#
-# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field.
-#
-QUOTAS_ENAB yes
-
-#
# Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
#
@@ -82,75 +46,31 @@ MOTD_FILE /etc/motd
#MOTD_FILE /etc/motd:/usr/lib/news/news-motd
#
-# If defined, this file will be output before each login(1) prompt.
-#
-#ISSUE_FILE /etc/issue
-
-#
# If defined, file which maps tty line to TERM environment parameter.
# Each line of the file is in a format similar to "vt100 tty01".
#
#TTYTYPE_FILE /etc/ttytype
#
-# If defined, login(1) failures will be logged here in a utmp format.
-# last(1), when invoked as lastb(1), will read /var/log/btmp, so...
-#
-FTMP_FILE /var/log/btmp
-
-#
-# If defined, name of file whose presence will inhibit non-root
-# logins. The content of this file should be a message indicating
-# why logins are inhibited.
-#
-NOLOGINS_FILE /etc/nologin
-
-#
-# If defined, the command name to display when running "su -". For
-# example, if this is defined as "su" then ps(1) will display the
-# command as "-su". If not defined, then ps(1) will display the
-# name of the shell actually being run, e.g. something like "-sh".
-#
-SU_NAME su
-
-#
-# *REQUIRED*
-# Directory where mailboxes reside, _or_ name of file, relative to the
-# home directory. If you _do_ define both, MAIL_DIR takes precedence.
-#
-MAIL_DIR /var/spool/mail
-#MAIL_FILE .mail
-
-#
# If defined, file which inhibits all the usual chatter during the login
# sequence. If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file. If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
-HUSHLOGIN_FILE .hushlogin
-#HUSHLOGIN_FILE /etc/hushlogins
-
-#
-# If defined, either a TZ environment parameter spec or the
-# fully-rooted pathname of a file containing such a spec.
-#
-#ENV_TZ TZ=CST6CDT
-#ENV_TZ /etc/tzname
-
-#
-# If defined, an HZ environment parameter spec.
-#
-# for Linux/x86
-ENV_HZ HZ=100
-# For Linux/Alpha...
-#ENV_HZ HZ=1024
+# HUSHLOGIN_FILE .hushlogin
+HUSHLOGIN_FILE /etc/hushlogins
#
# *REQUIRED* The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
-ENV_PATH PATH=/bin:/usr/bin
+ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin
+
+#
+# The default PATH settings for root (used by login):
+#
+ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin
#
# Terminal permissions
@@ -164,24 +84,20 @@ ENV_PATH PATH=/bin:/usr/bin
# set TTYPERM to either 622 or 600.
#
TTYGROUP tty
-TTYPERM 0600
+TTYPERM 0620
#
# Login configuration initializations:
#
# ERASECHAR Terminal ERASE character ('\010' = backspace).
# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
-# ULIMIT Default "ulimit" value.
#
# The ERASECHAR and KILLCHAR are used only on System V machines.
-# The ULIMIT is used only if the system supports it.
-# (now it works with setrlimit too; ulimit is in 512-byte units)
#
# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
#
ERASECHAR 0177
KILLCHAR 025
-#ULIMIT 2097152
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
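Review bot: `TTYPERM 0620` makes every login tty group-writable for `TTYGROUP tty`, which the comment block ending at L641 frames as the trade-off between letting setgid-tty tools such as write(1)/wall(1) reach the terminal and keeping it private to the owner; the distribution changes the default here without recording which side of that trade-off it chose and why. Add a line above the setting, e.g. `# 0620: let setgid-tty tools (write/wall) reach the terminal; set 0600 to make ttys private`, so the choice is auditable by anyone hardening the system.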
@@ -197,35 +113,25 @@ UMASK 022
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
-# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
-PASS_MIN_LEN 5
PASS_WARN_AGE 7
#
-# If "yes", the user must be listed as a member of the first gid 0 group
-# in /etc/group (called "root" on most Linux systems) to be able to "su"
-# to uid 0 accounts. If the group doesn't exist or is empty, no one
-# will be able to "su" to uid 0.
-#
-SU_WHEEL_ONLY no
-
-#
-# If compiled with cracklib support, sets the path to the dictionaries
-#
-CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
-
-#
# Min/max values for automatic uid selection in useradd(8)
#
+# SYS_UID_MIN to SYS_UID_MAX inclusive is the range for
+# UIDs for dynamically allocated administrative and system accounts.
+# UID_MIN to UID_MAX inclusive is the range of UIDs of dynamically
+# allocated user accounts.
+#
UID_MIN 1000
UID_MAX 60000
# System accounts
-SYS_UID_MIN 101
-SYS_UID_MAX 999
+SYS_UID_MIN 100
+SYS_UID_MAX 499
# Extra per user uids
SUB_UID_MIN 100000
SUB_UID_MAX 600100000
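Review bot: `SYS_UID_MAX 499` combined with `UID_MIN 1000` (and the same pair for GIDs later in this patch) leaves 500–999 outside both automatic allocation ranges, which is a deliberate distribution choice but is not documented at this point; a comment stating what that band is reserved for would stop administrators from "fixing" the gap. Dropping `PASS_MIN_LEN` removes shadow's own minimum-length check, which is only acceptable because this package ships PAM configuration (Source1 `pamd.tar.bz2`, L102) and password quality is enforced there; a note next to the remaining `PASS_*` keys saying so would keep the file safe if it is ever reused for a non-PAM build.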
@@ -234,11 +140,16 @@ SUB_UID_COUNT 65536
#
# Min/max values for automatic gid selection in groupadd(8)
#
+# SYS_GID_MIN to SYS_GID_MAX inclusive is the range for
+# GIDs for dynamically allocated administrative and system groups.
+# GID_MIN to GID_MAX inclusive is the range of GIDs of dynamically
+# allocated groups.
+#
GID_MIN 1000
GID_MAX 60000
# System accounts
-SYS_GID_MIN 101
-SYS_GID_MAX 999
+SYS_GID_MIN 100
+SYS_GID_MAX 499
# Extra per user group ids
SUB_GID_MIN 100000
SUB_GID_MAX 600100000
@@ -247,7 +158,7 @@ SUB_GID_COUNT 65536
#
# Max number of login(1) retries if password is bad
#
-LOGIN_RETRIES 5
+LOGIN_RETRIES 3
#
# Max time in seconds for login(1)
@@ -255,28 +166,6 @@ LOGIN_RETRIES 5
LOGIN_TIMEOUT 60
#
-# Maximum number of attempts to change password if rejected (too easy)
-#
-PASS_CHANGE_TRIES 5
-
-#
-# Warn about weak passwords (but still allow them) if you are root.
-#
-PASS_ALWAYS_WARN yes
-
-#
-# Number of significant characters in the password for crypt().
-# Default is 8, don't change unless your crypt() is better.
-# Ignored if MD5_CRYPT_ENAB set to "yes".
-#
-#PASS_MAX_LEN 8
-
-#
-# Require password before chfn(1)/chsh(1) can make any changes.
-#
-CHFN_AUTH yes
-
-#
# Which fields may be changed by regular users using chfn(1) - use
# any combination of letters "frwh" (full name, room number, work
# phone, home phone). If not defined, no changes are allowed.
@@ -285,28 +174,6 @@ CHFN_AUTH yes
CHFN_RESTRICT rwh
#
-# Password prompt (%s will be replaced by user name).
-#
-# XXX - it doesn't work correctly yet, for now leave it commented out
-# to use the default which is just "Password: ".
-#LOGIN_STRING "%s's Password: "
-
-#
-# Only works if compiled with MD5_CRYPT defined:
-# If set to "yes", new passwords will be encrypted using the MD5-based
-# algorithm compatible with the one used by recent releases of FreeBSD.
-# It supports passwords of unlimited length and longer salt strings.
-# Set to "no" if you need to copy encrypted passwords to other systems
-# which don't understand the new algorithm. Default is "no".
-#
-# Note: If you use PAM, it is recommended to use a value consistent with
-# the PAM modules configuration.
-#
-# This variable is deprecated. You should use ENCRYPT_METHOD instead.
-#
-#MD5_CRYPT_ENAB no
-
-#
# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
# If set to MD5, MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
@@ -317,7 +184,8 @@ CHFN_RESTRICT rwh
# Note: If you use PAM, it is recommended to use a value consistent with
# the PAM modules configuration.
#
-#ENCRYPT_METHOD DES
+ENCRYPT_METHOD SHA512
+ENCRYPT_METHOD_NIS DES
#
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
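Review bot: `ENCRYPT_METHOD_NIS DES` selects traditional DES crypt for NIS-served passwords, which uses only the first 8 characters and a 56-bit key and is weak by modern standards, yet the comment above documents `ENCRYPT_METHOD` only and says nothing about the NIS variant. Add a comment stating that the key is distribution-specific (it is registered by encryption_method_nis.patch on this page), that it applies only to accounts whose hashes are published through NIS, and that it should be raised to MD5 or SHA512 as soon as every NIS client understands those formats.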
@@ -353,16 +221,12 @@ CHFN_RESTRICT rwh
DEFAULT_HOME yes
#
-# If this file exists and is readable, login environment will be
-# read from it. Every line should be in the form name=value.
-#
-ENVIRON_FILE /etc/environment
-
-#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
+# See USERDEL_PRECMD/POSTCMD below.
+#
#USERDEL_CMD /usr/sbin/userdel_local
#
@@ -372,7 +236,7 @@ ENVIRON_FILE /etc/environment
#
# This also enables userdel(8) to remove user groups if no members exist.
#
-USERGROUPS_ENAB yes
+USERGROUPS_ENAB no
#
# If set to a non-zero number, the shadow utilities will make sure that
@@ -391,5 +255,40 @@ USERGROUPS_ENAB yes
# This option is overridden with the -M or -m flags on the useradd(8)
# command-line.
#
-#CREATE_HOME yes
+CREATE_HOME no
+
+#
+# User/group names must match the following regex expression.
+# The default is [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?,
+# but be aware that the result could depend on the locale settings.
+#
+#CHARACTER_CLASS [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?
+CHARACTER_CLASS [ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_][ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-]*[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$-]\?
+#
+# If defined, this command is run when adding a group.
+# It should rebuild any NIS database etc. to add the
+# new created group.
+#
+GROUPADD_CMD /usr/sbin/groupadd.local
+
+#
+# If defined, this command is run when adding a user.
+# It should rebuild any NIS database etc. to add the
+# new created account.
+#
+USERADD_CMD /usr/sbin/useradd.local
+
+#
+# If defined, this command is run before removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed.
+#
+USERDEL_PRECMD /usr/sbin/userdel-pre.local
+
+#
+# If defined, this command is run after removing a user.
+# It should rebuild any NIS database etc. to remove the
+# account from it.
+#
+USERDEL_POSTCMD /usr/sbin/userdel-post.local
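Review bot: The CHARACTER_CLASS comment states the default is `[A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?`, but the compiled-in fallback in chkname-regex.patch on this page (L269) is lowercase-only, so documentation and code disagree about what happens when the key is unset; pick one and make the comment match. The spelled-out character lists are the right way to avoid locale-dependent ranges, and the "could depend on the locale settings" remark should say that explicitly so nobody simplifies them back to `a-z`. The four `*_CMD` hooks are executed by useradd/userdel running as root with the account name as the only argument (per useradd-script.patch and userdel-script.patch); a sentence reminding administrators that these files must be root-owned and not group- or world-writable belongs here.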
++++++ useradd-default.patch ++++++
--- etc/useradd
+++ etc/useradd
@@ -1,5 +1,5 @@
# useradd defaults file
-GROUP=1000
+GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
++++++ useradd-mkdirs.patch ++++++
--- src/useradd.c
+++ src/useradd.c
@@ -1894,6 +1894,13 @@ static void usr_update (void)
static void create_home (void)
{
if (access (user_home, F_OK) != 0) {
+ char path[strlen (user_home) + 2];
+ char *bhome, *cp;
+
+ path[0] = '\0';
+ bhome = strdup (user_home);
+ ++bhome;
+
#ifdef WITH_SELINUX
if (set_selinux_file_context (user_home) != 0) {
fprintf (stderr,
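Review bot: `bhome = strdup (user_home); ++bhome;` neither checks the result nor keeps the original pointer, so an allocation failure increments NULL and hands a bogus pointer to `strtok` (undefined behaviour), and on success the copy can never be freed; skipping the first character is also only correct when `user_home` is absolute. Keep the original pointer, check it, and free it after the strtok loop in the next hunk, e.g. `char *home_copy = strdup (user_home);` / `if (NULL == home_copy) fail_exit (E_HOMEDIR);` / `bhome = home_copy + 1;`. create_home continues outside this hunk.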
@@ -1902,19 +1909,42 @@ static void create_home (void)
fail_exit (E_HOMEDIR);
}
#endif
- /* XXX - create missing parent directories. --marekm */
- if (mkdir (user_home, 0) != 0) {
- fprintf (stderr,
- _("%s: cannot create directory %s\n"),
- Prog, user_home);
+
+ /* Check for every part of the path, if the directory
+ exists. If not, create it with permissions 755 and
+ owner root:root.
+ */
+ cp = strtok (bhome, "/");
+ while (cp) {
+ strcat (path, "/");
+ strcat (path, cp);
+ if (access (path, F_OK) != 0) {
+ if (mkdir (path, 0) != 0) {
+ fprintf (stderr,
+ _("%s: cannot create directory %s\n"),
+ Prog, path);
#ifdef WITH_AUDIT
- audit_logger (AUDIT_ADD_USER, Prog,
- "adding home directory",
- user_name, (unsigned int) user_id,
- SHADOW_AUDIT_FAILURE);
+ audit_logger (AUDIT_ADD_USER, Prog,
+ "adding home directory",
+ user_name, (unsigned int) user_id,
+ SHADOW_AUDIT_FAILURE);
#endif
- fail_exit (E_HOMEDIR);
+ fail_exit (E_HOMEDIR);
+ }
+ if (chown (path, 0, 0) < 0) {
+ fprintf (stderr,
+ _("%s: warning: chown on `%s' failed: %m\n"),
+ Prog, path);
+ }
+ if (chmod (path, 0777) < 0) {
+ fprintf (stderr,
+ _("%s: warning: chmod on `%s' failed: %m\n"),
+ Prog, path);
+ }
+ }
+ cp = strtok (NULL, "/");
}
+
chown (user_home, user_id, user_gid);
chmod (user_home,
0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
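Review bot: The comment promises that missing parent directories are created with permissions 755, but the code runs `chmod (path, 0777)` on each directory it creates, so `useradd -m -d /srv/proj/team/alice` leaves `/srv/proj` and `/srv/proj/team` world-writable without the sticky bit, where any local user can plant files or symlinks that later path components and the following `chown (user_home, ...)` will traverse; change it to `chmod (path, 0755)` so the code matches the comment. `access (path, F_OK)` followed by `mkdir` is also a check-then-act race — calling `mkdir` unconditionally and treating `EEXIST` as success is both simpler and closes it. The `strdup`'d copy made at the top of the function is never freed after this loop, and create_home continues outside the hunk.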
++++++ useradd-script.patch ++++++
--- src/useradd.c
+++ src/useradd.c
@@ -1982,6 +1982,30 @@ static void create_mail (void)
}
/*
+ * call_script - call a script to do some work
+ *
+ * call_script calls a script for additional changes to the
+ * account.
+ */
+
+static void call_script (const char *user)
+{
+ const char *cmd;
+ const char *argv[3];
+ int status;
+
+ cmd = getdef_str ("USERADD_CMD");
+ if (NULL == cmd) {
+ return;
+ }
+ argv[0] = cmd;
+ argv[1] = user;
+ argv[2] = (char *)0;
+ (void) run_command (cmd, argv, NULL, &status);
+}
+
+
+/*
* main - useradd command
*/
int main (int argc, char **argv)
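Review bot: `call_script` stores the child's exit status in `status` and then ignores both it and `run_command`'s return value, so a USERADD_CMD hook that fails or cannot be executed leaves no trace and useradd still exits E_SUCCESS; at minimum report it, e.g. `if (run_command (cmd, argv, NULL, &status) != 0 || status != 0) fprintf (stderr, _("%s: %s returned status %d\n"), Prog, cmd, status);`. How `run_command` signals failure and what it stores in `status` is defined outside this hunk, so the exact condition needs checking against its definition. `(char *)0` for the argv terminator would read better as `NULL`, matching the `NULL == cmd` test a few lines above.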
@@ -2242,6 +2266,7 @@ int main (int argc, char **argv)
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+ call_script (user_name);
+
return E_SUCCESS;
}
-
++++++ userdel-script.patch ++++++
--- src/userdel.c
+++ src/userdel.c
@@ -762,13 +762,13 @@ static void update_user (void)
* cron, at, or print jobs.
*/
-static void user_cancel (const char *user)
+static void call_script (const char *program, const char *user)
{
const char *cmd;
const char *argv[3];
int status;
- cmd = getdef_str ("USERDEL_CMD");
+ cmd = getdef_str (program);
if (NULL == cmd) {
return;
}
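Review bot: The header comment immediately above the hunk (context at L989, `cron, at, or print jobs`) still describes the old `user_cancel`, while the function is now a generic `call_script (program, user)` that runs whatever command the login.defs key named by `program` points to; update it to something like `/* call_script - run the command configured under login.defs key `program`, passing the user name as its only argument; returns silently when the key is unset */`. Since `program` is only a lookup key, naming it `defkey` would make the generalisation obvious at the three call sites. call_script continues outside the hunk.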
@@ -1163,9 +1163,10 @@ int main (int argc, char **argv)
}
/*
- * Do the hard stuff - open the files, create the user entries,
- * create the home directory, then close and update the files.
+ * Do the hard stuff - open the files, remove the user entries,
+ * remove the home directory, then close and update the files.
*/
+ call_script ("USERDEL_PRECMD", user_name);
open_files ();
update_user ();
update_groups ();
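Review bot: `call_script ("USERDEL_PRECMD", user_name)` runs before `open_files ()`, so if the passwd/shadow/group locks cannot be taken and userdel aborts, the pre-hook's side effects (removal of the user's cron/at jobs, per the login.defs description on this page) have already been applied to an account that still exists; placing the call after `open_files ()`, or documenting that PRECMD must be safe to run for an account that ends up not being removed, would avoid that. Whether the user-busy check has already happened at this point is decided earlier in main, outside the hunk, and main continues outside it as well.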
@@ -1268,7 +1269,7 @@ int main (int argc, char **argv)
* Cancel any crontabs or at jobs. Have to do this before we remove
* the entry from /etc/passwd.
*/
- user_cancel (user_name);
+ call_script ("USERDEL_CMD", user_name);
close_files ();
#ifdef WITH_TCB
@@ -1278,6 +1279,8 @@ int main (int argc, char **argv)
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+ /* Call the post script, for example to rebuild NIS database */
+ call_script ("USERDEL_POSTCMD", user_name);
+
return ((0 != errors) ? E_HOMEDIR : E_SUCCESS);
}
-