diff --git a/trunk/FS66068.patch b/trunk/FS66068.patch new file mode 100644 index 0000000..f0a4374 --- /dev/null +++ b/trunk/FS66068.patch @@ -0,0 +1,19 @@ +diff --git a/etc/login.defs b/etc/login.defs +index 4965d58..ff018c4 100644 +--- a/etc/login.defs ++++ b/etc/login.defs +@@ -81,12 +81,12 @@ TTYPERM 0600 + # 022 is the default value, but 027, or even 077, could be considered + # for increased privacy. There is no One True Answer here: each sysadmin + # must make up their mind. +-UMASK 077 ++UMASK 022 + + # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new + # home directories. + # If HOME_MODE is not set, the value of UMASK is used to create the mode. +-#HOME_MODE 0700 ++HOME_MODE 0700 + + # + # Password aging controls: diff --git a/trunk/FS71393.patch b/trunk/FS71393.patch new file mode 100644 index 0000000..df89441 --- /dev/null +++ b/trunk/FS71393.patch @@ -0,0 +1,13 @@ +diff --git a/etc/login.defs b/etc/login.defs +index ff018c4..3c24592 100644 +--- a/etc/login.defs ++++ b/etc/login.defs +@@ -157,7 +157,7 @@ CHFN_RESTRICT rwh + # Note: If you use PAM, it is recommended to use a value consistent with + # the PAM modules configuration. + # +-ENCRYPT_METHOD SHA512 ++ENCRYPT_METHOD YESCRYPT + + # + # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. diff --git a/trunk/PKGBUILD b/trunk/PKGBUILD index de451df..8763c61 100644 --- a/trunk/PKGBUILD +++ b/trunk/PKGBUILD @@ -2,8 +2,8 @@ # Maintainer: Aaron Griffin pkgname=shadow -pkgver=4.8.1 -pkgrel=4 +pkgver=4.11.1 +pkgrel=1 pkgdesc="Password and account management tool suite with support for shadow files and PAM" arch=('x86_64') url='https://github.com/shadow-maint/shadow' 
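Review bot: The `-UMASK 077` / `+UMASK 022` change relaxes the default umask that login.defs advertises from owner-only to world-readable, and the patch gives no rationale — a patch file may carry free text before its first `diff --git` line, and this one has none. Keeping `HOME_MODE 0700` explicit is what stops the relaxed UMASK from reaching new home directories (the retained comment says UMASK is the fallback when HOME_MODE is unset), so the preamble should say so, e.g. `Relax UMASK to 022 (FS#66068); HOME_MODE is set explicitly so new home directories stay 0700 regardless of UMASK.` This patch also reverses the `UMASK 077` that login.defs-arch.patch in the same commit introduces; folding the two would leave one patch to review instead of a patch and its partial undo.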
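Review bot: `+ENCRYPT_METHOD YESCRYPT` is only half of the switch: the retained context comment asks for a value consistent with the PAM module configuration, and the pam.d files that package() installs from $srcdir (not part of this diff) are where pam_unix's hash is chosen, so confirm they select yescrypt as well or passwords changed through PAM will keep using whatever hash those files specify. The change also presumes the binaries were configured with `--with-yescrypt` (the PKGBUILD hunk in this commit does add it) and that the libxcrypt in depends provides yescrypt; worth stating in a preamble, since the patch stacks on login.defs-arch.patch, which had just set SHA512. The following context line `Only works if ENCRYPT_METHOD is set to SHA256 or SHA512` presumably refers to the SHA rounds settings below it; yescrypt's cost is governed by the separate YESCRYPT_COST_FACTOR item, which this patch leaves at its upstream default — say so in the preamble if that is intended.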
@@ -11,38 +11,97 @@ license=('BSD') # libcap-ng needed by install scriptlet for 'filecap' depends=('pam' 'acl' 'libacl.so' 'audit' 'libaudit.so' 'libcap-ng' 'libcap-ng.so' 'libxcrypt' 'libcrypt.so') +makedepends=('docbook-xsl' 'itstool') backup=(etc/login.defs etc/pam.d/{chage,passwd,shadow,useradd,usermod,userdel} etc/pam.d/{chpasswd,newusers,groupadd,groupdel,groupmod} etc/pam.d/{chgpasswd,groupmems} etc/default/useradd) -options=(strip debug) -validpgpkeys=('D5C2F9BFCA128BBA22A77218872F702C4D6E25A8' # Christian Perrier - 'F1D08DB778185BF784002DFFE9FEEA06A85E3F9D') # Serge Hallyn -source=("https://github.com/shadow-maint/shadow/releases/download/$pkgver/shadow-$pkgver.tar.xz"{,.asc} +validpgpkeys=('D5C2F9BFCA128BBA22A77218872F702C4D6E25A8' # Christian Perrier + 'F1D08DB778185BF784002DFFE9FEEA06A85E3F9D' # Serge Hallyn + '66D0387DB85D320F8408166DB175CFA98F192AF2') # Serge Hallyn no path of trust from above keys +source=("https://github.com/shadow-maint/shadow/releases/download/v$pkgver/shadow-$pkgver.tar.xz"{,.asc} + shadow-4.8-ignore-login-prompt.patch # From Fedora + unsupported-options.patch + login.defs-arch.patch + FS66068.patch + FS71393.patch LICENSE chgpasswd chpasswd defaults.pam - login.defs newusers passwd shadow.{timer,service} useradd.defaults) install=shadow.install -sha1sums=('63457a0ba58dc4e81b2663b839dc6c89d3343f12' +sha1sums=('9cb767b86ff2b46e880b428e817972aa07b3a67c' 'SKIP' + '21c84f51d0bb9e61f00bc30bba7bf24778278995' + '85c4f80ffd4f0943e74fd57c66d13e1cbd193836' + 'b18cbd416a7f29ad3b298f4fe253aba7127dd466' + 'ad3c7621c2c64b5c53d7095faed66859c5c9a3f7' + 'f57f8336c71003aab0cfe28c6875de38bf9644a9' '33a6cf1e44a1410e5c9726c89e5de68b78f5f922' '4ad0e059406a305c8640ed30d93c2a1f62c2f4ad' '12427b1ca92a9b85ca8202239f0d9f50198b818f' '0e56fed7fc93572c6bf0d8f3b099166558bb46f1' - '81a02eadb5f605fef5c75b6d8a03713a7041864b' '12427b1ca92a9b85ca8202239f0d9f50198b818f' '611be25d91c3f8f307c7fe2485d5f781e5dee75f' 'a154a94b47a3d0c6c287253b98c0d10b861226d0' 
'b5540736f5acbc23b568973eb5645604762db3dd' 'c173208c5cf34528602f9931468a67b7f68abad3') +#PAMDEFS are options silently ignored by shadow when built with pam enabled +#MOTD_FILE is in PAMDEFS but is supported by login from util-linux +_unsupported_options=( + CHFN_AUTH #PAMDEFS + CONSOLE_GROUPS #Not with pam enabled + CONSOLE #Not with pam enabled + CRACKLIB_DICTPATH #PAMDEFS + ENV_HZ #PAMDEFS + ENVIRON_FILE #PAMDEFS + ENV_TZ #PAMDEFS + ERASECHAR #Not with login from util-linux + FAILLOG_ENAB #PAMDEFS + FTMP_FILE #PAMDEFS + ISSUE_FILE #PAMDEFS + KILLCHAR #Not with login from util-linux + LASTLOG_ENAB #PAMDEFS + LOGIN_STRING #PAMDEFS + LOG_OK_LOGINS #Not with login from util-linux + MAIL_CHECK_ENAB #PAMDEFS + MD5_CRYPT_ENAB #Not with pam enabled + NOLOGINS_FILE #PAMDEFS + OBSCURE_CHECKS_ENAB #PAMDEFS + PASS_ALWAYS_WARN #PAMDEFS + PASS_CHANGE_TRIES #PAMDEFS + PASS_MAX_LEN #PAMDEFS + PASS_MIN_LEN #PAMDEFS + PORTTIME_CHECKS_ENAB #PAMDEFS + PREVENT_NO_AUTH #Not with login or su from util-linux + QUOTAS_ENAB #PAMDEFS + SULOG_FILE #Not with su from util-linux + SU_NAME #Not with su from util-linux + SU_WHEEL_ONLY #PAMDEFS + SYSLOG_SU_ENAB #PAMDEFS + TTYTYPE_FILE #Not with login from util-linux + ULIMIT #PAMDEFS + ) + +prepare() { + cd "$pkgname-$pkgver" + patch -p1 -i ../shadow-4.8-ignore-login-prompt.patch # Do not complain about LOGIN_PLAIN_PROMPT option that is used by login from util-linux. + patch -p1 -i ../unsupported-options.patch # Remove uptions not supported due to use of pam or util-linux from login.defs. + patch -p1 -i ../login.defs-arch.patch # Set Arch defaults. + patch -p1 -i ../FS66068.patch # Changes to login.defs for FS#66068 should be merged into above patch if accepted. + patch -p1 -i ../FS71393.patch # Changes to login.defs for FS#71393 should be merged into above patch if accepted. + for _option in "${_unsupported_options[@]}" + do + sed -i -e "/${_option}.xml/d" -e "/\&${_option}\;/d" man/login.defs.5.xml + done +} + build() { cd "$pkgname-$pkgver" 
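Review bot: The third fingerprint added to `validpgpkeys`, annotated `# Serge Hallyn no path of trust from above keys`, is accepted purely on the maintainer's word: makepkg will treat any release signed by it as genuine, so the comment should record where the fingerprint was cross-checked rather than only that no trust path exists, e.g. `# Serge Hallyn, new key — fingerprint confirmed against <UPSTREAM-SOURCE-PLACEHOLDER>; no trust path from the keys above`. The five local patches are integrity-checked only through the new `sha1sums` entries and are not covered by the .asc signature (which applies to the tarball), so moving the array to `sha256sums` or `b2sums` would be the stronger check. In the `prepare()` loop, `"/${_option}.xml/d"` leaves `.` unescaped so it matches any character; `"/${_option}\.xml/d"` states the intent exactly, though none of the listed names can currently mis-match. `build()` begins on the last lines of this hunk and its body lies outside it.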
@@ -58,8 +117,12 @@ build() { --with-libpam \ --with-group-name-max-length=32 \ --with-audit \ - --without-selinux + --without-selinux \ + --enable-man \ + --with-bcrypt \ + --with-yescrypt + sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool make } @@ -80,9 +143,6 @@ package() { install -d -m755 "$pkgdir/usr/lib/systemd/system/timers.target.wants" ln -s ../shadow.timer "$pkgdir/usr/lib/systemd/system/timers.target.wants/shadow.timer" - # login.defs - install -Dm644 "$srcdir/login.defs" "$pkgdir/etc/login.defs" - # PAM config - custom rm "$pkgdir/etc/pam.d"/* install -t "$pkgdir/etc/pam.d" -m644 "$srcdir"/{passwd,chgpasswd,chpasswd,newusers} diff --git a/trunk/login.defs-arch.patch b/trunk/login.defs-arch.patch new file mode 100644 index 0000000..9194f65 --- /dev/null +++ b/trunk/login.defs-arch.patch 
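Review bot: The added `sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool` rewrites a generated script without saying why and silently does nothing if libtool's `-shared` spelling ever changes; it needs a why-comment, e.g. `# presumably libtool drops -Wl,-O1,--as-needed from the shared-library link; re-insert it (\0 is GNU sed for the whole match) — confirm still needed after libtool updates`. The new `--with-bcrypt` / `--with-yescrypt` options pair with the ENCRYPT_METHOD YESCRYPT patch in this commit but rely on the libxcrypt listed in depends providing those methods; a short comment tying the three together would help the next version bump. `build()` starts before this hunk.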
@@ -0,0 +1,76 @@ +diff --git a/etc/login.defs b/etc/login.defs +index 5c709e9..4965d58 100644 +--- a/etc/login.defs ++++ b/etc/login.defs +@@ -1,8 +1,14 @@ + # + # /etc/login.defs - Configuration control definitions for the shadow package. + # +-# $Id$ ++# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. ++# If unspecified, some arbitrary (and possibly incorrect) value will ++# be assumed. All other items are optional - if not specified then ++# the described action or option will be inhibited. + # ++# Comment lines (lines beginning with "#") and blank lines are ignored. ++# ++# Modified for Linux. --marekm + + # + # Enable display of unknown usernames when login(1) failures are recorded. +@@ -27,7 +33,7 @@ SYSLOG_SG_ENAB yes + # If defined, ":" delimited list of "message of the day" files to + # be displayed upon login. + # +-MOTD_FILE /etc/motd ++MOTD_FILE + #MOTD_FILE /etc/motd:/usr/lib/news/news-motd + + # +@@ -51,8 +57,8 @@ HUSHLOGIN_FILE .hushlogin + # *REQUIRED* The default PATH settings, for superuser and normal users. + # + # (they are minimal, add the rest in the shell startup files) +-ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin +-ENV_PATH PATH=/bin:/usr/bin ++ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin ++ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin + + # + # Terminal permissions +@@ -75,7 +81,7 @@ TTYPERM 0600 + # 022 is the default value, but 027, or even 077, could be considered + # for increased privacy. There is no One True Answer here: each sysadmin + # must make up their mind. +-UMASK 022 ++UMASK 077 + + # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new + # home directories. 
+@@ -99,7 +105,7 @@ PASS_WARN_AGE 7 + UID_MIN 1000 + UID_MAX 60000 + # System accounts +-SYS_UID_MIN 101 ++SYS_UID_MIN 500 + SYS_UID_MAX 999 + # Extra per user uids + SUB_UID_MIN 100000 +@@ -112,7 +118,7 @@ SUB_UID_COUNT 65536 + GID_MIN 1000 + GID_MAX 60000 + # System accounts +-SYS_GID_MIN 101 ++SYS_GID_MIN 500 + SYS_GID_MAX 999 + # Extra per user group ids + SUB_GID_MIN 100000 +@@ -151,7 +157,7 @@ CHFN_RESTRICT rwh + # Note: If you use PAM, it is recommended to use a value consistent with + # the PAM modules configuration. + # +-#ENCRYPT_METHOD DES ++ENCRYPT_METHOD SHA512 + + # + # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. diff --git a/trunk/shadow-4.8-ignore-login-prompt.patch b/trunk/shadow-4.8-ignore-login-prompt.patch new file mode 100644 index 0000000..c93aae7 --- /dev/null +++ b/trunk/shadow-4.8-ignore-login-prompt.patch @@ -0,0 +1,11 @@ +diff -up shadow-4.8/lib/getdef.c.login-prompt shadow-4.8/lib/getdef.c +--- shadow-4.8/lib/getdef.c.login-prompt 2020-01-13 10:38:44.852796681 +0100 ++++ shadow-4.8/lib/getdef.c 2020-01-13 10:39:54.472612511 +0100 +@@ -98,6 +98,7 @@ static struct itemdef def_table[] = { + {"LASTLOG_UID_MAX", NULL}, + {"LOGIN_RETRIES", NULL}, + {"LOGIN_TIMEOUT", NULL}, ++ {"LOGIN_PLAIN_PROMPT", NULL}, + {"LOG_OK_LOGINS", NULL}, + {"LOG_UNKFAIL_ENAB", NULL}, + {"MAIL_DIR", NULL},
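Review bot: The `+ENV_SUPATH` and `+ENV_PATH` lines give root and ordinary users the identical search path with /usr/local/sbin and /usr/local/bin ahead of /usr/bin, so root's PATH now depends on those two directories staying root-owned and non-writable; that is the normal Arch layout, but the patch should state that it is deliberate. More generally the file has no preamble: it sets MOTD_FILE to an empty value, raises SYS_UID_MIN/SYS_GID_MIN from 101 to 500, and sets UMASK 077 and ENCRYPT_METHOD SHA512 — the last two are immediately overridden by FS66068.patch and FS71393.patch in the same commit — without recording a reason for any of them. A preamble listing each deviation from upstream with its reason (for example `SYS_UID_MIN/SYS_GID_MIN 500: <reason placeholder>`) would make the shipped login.defs reviewable, and folding the two FS patches in would remove the patch-undoes-patch layering. The new header lines ending in `Modified for Linux. --marekm` look like text from an older upstream file and read as stale rather than Arch-specific.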