From 0eb68566b5438528d79dba87ab17bb788bc4510c Mon Sep 17 00:00:00 2001 From: dataCobra Date: Tue, 20 Feb 2024 16:11:21 +0100 Subject: [PATCH] shadow: update to 4.14.5. --- common/shlibs | 1 + srcpkgs/shadow/files/login.defs | 87 --- ...pt-login.defs-for-PAM-and-util-linux.patch | 721 ++++++++++++++++++ ...d-Arch-Linux-defaults-for-login.defs.patch | 55 ++ .../patches/fix-undefined-reference.patch | 19 + .../shadow/patches/shadow-strncpy-usage.patch | 23 - srcpkgs/shadow/patches/useradd-defaults.patch | 21 + srcpkgs/shadow/patches/xstrdup.patch | 9 - srcpkgs/shadow/template | 46 +- 9 files changed, 843 insertions(+), 139 deletions(-) delete mode 100644 srcpkgs/shadow/files/login.defs create mode 100644 srcpkgs/shadow/patches/0002-Adapt-login.defs-for-PAM-and-util-linux.patch create mode 100644 srcpkgs/shadow/patches/0003-Add-Arch-Linux-defaults-for-login.defs.patch create mode 100644 srcpkgs/shadow/patches/fix-undefined-reference.patch delete mode 100644 srcpkgs/shadow/patches/shadow-strncpy-usage.patch create mode 100644 srcpkgs/shadow/patches/useradd-defaults.patch delete mode 100644 srcpkgs/shadow/patches/xstrdup.patch diff --git a/common/shlibs b/common/shlibs index 34596bac98f4b5..6bd786075ec1d8 100644 --- a/common/shlibs +++ b/common/shlibs @@ -4277,3 +4277,4 @@ libunicode_ucd.so.0.4 libunicode-0.4.0_1 libunicode_loader.so.0.4 libunicode-0.4.0_1 force-stage.so.0.1 void-force-stage-0.1_1 libliftoff.so.0 libliftoff-0.4.1_1 +libsubid.so.4 shadow-4.14.5_1 diff --git a/srcpkgs/shadow/files/login.defs b/srcpkgs/shadow/files/login.defs deleted file mode 100644 index 350764846af4b0..00000000000000 --- a/srcpkgs/shadow/files/login.defs +++ /dev/null @@ -1,87 +0,0 @@ -# Configuration file for login(1). For more information see -# login.defs(5). - -# Directory where mailboxes reside, _or_ name of file, relative to the -# home directory. If you do define both, MAIL_DIR takes precedence. -# -MAIL_DIR /var/mail -#MAIL_FILE .mail - -# Password aging controls: -# -# PASS_MAX_DAYS Maximum number of days a password may be used. -# PASS_MIN_DAYS Minimum number of days allowed between password changes. -# PASS_MIN_LEN Minimum acceptable password length. -# PASS_WARN_AGE Number of days warning given before a password expires. -PASS_MAX_DAYS 99999 -PASS_MIN_DAYS 0 -PASS_WARN_AGE 7 - -# Min/max values for automatic uid selection in useradd -UID_MIN 1000 -UID_MAX 60000 -# System accounts -SYS_UID_MIN 100 -SYS_UID_MAX 999 - -# Min/max values for automatic gid selection in groupadd -GID_MIN 1000 -GID_MAX 60000 -# System accounts -SYS_GID_MIN 100 -SYS_GID_MAX 999 - -# If useradd should create home directories for users by default -CREATE_HOME yes - -# This enables userdel to remove user groups if no members exist. -USERGROUPS_ENAB yes - -# Disable MOTD_FILE (empty); use pam_motd(8) instead. -MOTD_FILE - - -# If defined, either full pathname of a file containing device names or -# a ":" delimited list of device names. Root logins will be allowed only -# upon these devices. -# -CONSOLE /etc/securetty - -# Terminal permissions -# -# TTYGROUP Login tty will be assigned this group ownership. -# TTYPERM Login tty will be set to this permission. -# -# If you have a "write" program which is "setgid" to a special group -# which owns the terminals, define TTYGROUP to the group number and -# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign -# TTYPERM to either 622 or 600. -# -TTYGROUP tty -TTYPERM 0600 - -# Login configuration initializations: -# -# ERASECHAR Terminal ERASE character ('\010' = backspace). -# KILLCHAR Terminal KILL character ('\025' = CTRL/U). -# UMASK Default "umask" value. -# -# The ERASECHAR and KILLCHAR are used only on System V machines. -# The ULIMIT is used only if the system supports it. -# (now it works with setrlimit too; ulimit is in 512-byte units) -# -# Prefix these values with "0" to get octal, "0x" to get hexadecimal. -# -ERASECHAR 0177 -KILLCHAR 025 -UMASK 022 -HOME_MODE 0700 - -# Max number of login retries if password is bad -# -LOGIN_RETRIES 5 - -# -# Max time in seconds for login -# -LOGIN_TIMEOUT 60 diff --git a/srcpkgs/shadow/patches/0002-Adapt-login.defs-for-PAM-and-util-linux.patch b/srcpkgs/shadow/patches/0002-Adapt-login.defs-for-PAM-and-util-linux.patch new file mode 100644 index 00000000000000..dc794a7c14591f --- /dev/null +++ b/srcpkgs/shadow/patches/0002-Adapt-login.defs-for-PAM-and-util-linux.patch @@ -0,0 +1,721 @@ +From dcc12b1d2bd612923c6c73d0da92fbe1aefa46b1 Mon Sep 17 00:00:00 2001 +From: David Runge +Date: Mon, 31 Oct 2022 09:45:13 +0100 +Subject: [PATCH 2/3] Adapt login.defs for PAM and util-linux + +etc/login.defs: +Remove unused login.defs options, that are either irrelevant due to the +use of PAM or because the util-linux version of a binary does not +support them. +Modify all options that are ignored when using PAM, but are supported by +util-linux. + +Removed options because they are part of PAMDEFS (options in PAMDEFS are +options silently ignored by shadow when built with PAM enabled): +* CHFN_AUTH +* CRACKLIB_DICTPATH +* ENV_HZ +* ENVIRON_FILE +* ENV_TZ +* FAILLOG_ENAB +* FTMP_FILE +* ISSUE_FILE +* LASTLOG_ENAB +* LOGIN_STRING +* MAIL_CHECK_ENAB +* NOLOGINS_FILE +* OBSCURE_CHECKS_ENAB +* PASS_ALWAYS_WARN +* PASS_CHANGE_TRIES +* PASS_MAX_LEN +* PASS_MIN_LEN +* PORTTIME_CHECKS_ENAB +* QUOTAS_ENAB +* SU_WHEEL_ONLY +* SYSLOG_SU_ENAB +* ULIMIT + +Removed options because they are not availablbe with PAM enabled: +* BCRYPT_MIN_ROUNDS +* BCRYPT_MAX_ROUNDS +* CONSOLE_GROUPS +* CONSOLE +* MD5_CRYPT_ENAB +* PREVENT_NO_AUTH + +Removed encryption methods (`ENCRYPT_METHOD`), because they are unsafe +or not available with PAM: +* BCRYPT +* MD5 + +Removed options because they are not supported by login from util-linux: +* ERASECHAR +* KILLCHAR +* LOG_OK_LOGINS +* TTYTYPE_FILE + +Removed options because they are not supported by su from util-linux: +* SULOG_FILE +* SU_NAME + +Adapted options because they are in PAMDEFS but are supported by login +from util-linux: +* MOTD_FILE + +man/login.defs.5.xml: +Remove unavailable options from man 5 login.defs. +--- + etc/login.defs | 228 +------------------------------------------ + man/login.defs.5.xml | 150 +--------------------------- + 2 files changed, 8 insertions(+), 370 deletions(-) + +diff --git a/etc/login.defs b/etc/login.defs +index 114dbcd9..797ca6b3 100644 +--- a/etc/login.defs ++++ b/etc/login.defs +@@ -3,6 +3,8 @@ + # + # $Id$ + # ++# NOTE: This file is adapted for the use on Arch Linux! ++# Unsupported options due to the use of util-linux or PAM are removed. + + # + # Delay in seconds before being allowed another attempt after a login failure +@@ -11,26 +13,11 @@ + # + FAIL_DELAY 3 + +-# +-# Enable logging and display of /var/log/faillog login(1) failure info. +-# +-FAILLOG_ENAB yes +- + # + # Enable display of unknown usernames when login(1) failures are recorded. + # + LOG_UNKFAIL_ENAB no + +-# +-# Enable logging of successful logins +-# +-LOG_OK_LOGINS no +- +-# +-# Enable logging and display of /var/log/lastlog login(1) time info. +-# +-LASTLOG_ENAB yes +- + # + # Limit the highest user ID number for which the lastlog entries should + # be updated. +@@ -40,88 +27,13 @@ LASTLOG_ENAB yes + # + #LASTLOG_UID_MAX + +-# +-# Enable checking and display of mailbox status upon login. +-# +-# Disable if the shell startup files already check for mail +-# ("mailx -e" or equivalent). +-# +-MAIL_CHECK_ENAB yes +- +-# +-# Enable additional checks upon password changes. +-# +-OBSCURE_CHECKS_ENAB yes +- +-# +-# Enable checking of time restrictions specified in /etc/porttime. +-# +-PORTTIME_CHECKS_ENAB yes +- +-# +-# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field. +-# +-QUOTAS_ENAB yes +- +-# +-# Enable "syslog" logging of su(1) activity - in addition to sulog file logging. +-# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1). +-# +-SYSLOG_SU_ENAB yes +-SYSLOG_SG_ENAB yes +- +-# +-# If defined, either full pathname of a file containing device names or +-# a ":" delimited list of device names. Root logins will be allowed only +-# from these devices. +-# +-CONSOLE /etc/securetty +-#CONSOLE console:tty01:tty02:tty03:tty04 +- +-# +-# If defined, all su(1) activity is logged to this file. +-# +-#SULOG_FILE /var/log/sulog +- + # + # If defined, ":" delimited list of "message of the day" files to + # be displayed upon login. + # +-MOTD_FILE /etc/motd ++MOTD_FILE + #MOTD_FILE /etc/motd:/usr/lib/news/news-motd + +-# +-# If defined, this file will be output before each login(1) prompt. +-# +-#ISSUE_FILE /etc/issue +- +-# +-# If defined, file which maps tty line to TERM environment parameter. +-# Each line of the file is in a format similar to "vt100 tty01". +-# +-#TTYTYPE_FILE /etc/ttytype +- +-# +-# If defined, login(1) failures will be logged here in a utmp format. +-# last(1), when invoked as lastb(1), will read /var/log/btmp, so... +-# +-FTMP_FILE /var/log/btmp +- +-# +-# If defined, name of file whose presence will inhibit non-root +-# logins. The content of this file should be a message indicating +-# why logins are inhibited. +-# +-NOLOGINS_FILE /etc/nologin +- +-# +-# If defined, the command name to display when running "su -". For +-# example, if this is defined as "su" then ps(1) will display the +-# command as "-su". If not defined, then ps(1) will display the +-# name of the shell actually being run, e.g. something like "-sh". +-# +-SU_NAME su +- + # + # *REQUIRED* + # Directory where mailboxes reside, _or_ name of file, relative to the +@@ -139,21 +51,6 @@ MAIL_DIR /var/spool/mail + HUSHLOGIN_FILE .hushlogin + #HUSHLOGIN_FILE /etc/hushlogins + +-# +-# If defined, either a TZ environment parameter spec or the +-# fully-rooted pathname of a file containing such a spec. +-# +-#ENV_TZ TZ=CST6CDT +-#ENV_TZ /etc/tzname +- +-# +-# If defined, an HZ environment parameter spec. +-# +-# for Linux/x86 +-ENV_HZ HZ=100 +-# For Linux/Alpha... +-#ENV_HZ HZ=1024 +- + # + # *REQUIRED* The default PATH settings, for superuser and normal users. + # +@@ -175,23 +72,6 @@ ENV_PATH PATH=/bin:/usr/bin + TTYGROUP tty + TTYPERM 0600 + +-# +-# Login configuration initializations: +-# +-# ERASECHAR Terminal ERASE character ('\010' = backspace). +-# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +-# ULIMIT Default "ulimit" value. +-# +-# The ERASECHAR and KILLCHAR are used only on System V machines. +-# The ULIMIT is used only if the system supports it. +-# (now it works with setrlimit too; ulimit is in 512-byte units) +-# +-# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +-# +-ERASECHAR 0177 +-KILLCHAR 025 +-#ULIMIT 2097152 +- + # Default initial "umask" value used by login(1) on non-PAM enabled systems. + # Default "umask" value for pam_umask(8) on PAM enabled systems. + # UMASK is also used by useradd(8) and newusers(8) to set the mode for new +@@ -211,27 +91,12 @@ UMASK 022 + # + # PASS_MAX_DAYS Maximum number of days a password may be used. + # PASS_MIN_DAYS Minimum number of days allowed between password changes. +-# PASS_MIN_LEN Minimum acceptable password length. + # PASS_WARN_AGE Number of days warning given before a password expires. + # + PASS_MAX_DAYS 99999 + PASS_MIN_DAYS 0 +-PASS_MIN_LEN 5 + PASS_WARN_AGE 7 + +-# +-# If "yes", the user must be listed as a member of the first gid 0 group +-# in /etc/group (called "root" on most Linux systems) to be able to "su" +-# to uid 0 accounts. If the group doesn't exist or is empty, no one +-# will be able to "su" to uid 0. +-# +-SU_WHEEL_ONLY no +- +-# +-# If compiled with cracklib support, sets the path to the dictionaries +-# +-CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict +- + # + # Min/max values for automatic uid selection in useradd(8) + # +@@ -268,28 +133,6 @@ LOGIN_RETRIES 5 + # + LOGIN_TIMEOUT 60 + +-# +-# Maximum number of attempts to change password if rejected (too easy) +-# +-PASS_CHANGE_TRIES 5 +- +-# +-# Warn about weak passwords (but still allow them) if you are root. +-# +-PASS_ALWAYS_WARN yes +- +-# +-# Number of significant characters in the password for crypt(). +-# Default is 8, don't change unless your crypt() is better. +-# Ignored if MD5_CRYPT_ENAB set to "yes". +-# +-#PASS_MAX_LEN 8 +- +-# +-# Require password before chfn(1)/chsh(1) can make any changes. +-# +-CHFN_AUTH yes +- + # + # Which fields may be changed by regular users using chfn(1) - use + # any combination of letters "frwh" (full name, room number, work +@@ -298,38 +141,13 @@ CHFN_AUTH yes + # + CHFN_RESTRICT rwh + +-# +-# Password prompt (%s will be replaced by user name). +-# +-# XXX - it doesn't work correctly yet, for now leave it commented out +-# to use the default which is just "Password: ". +-#LOGIN_STRING "%s's Password: " +- +-# +-# Only works if compiled with MD5_CRYPT defined: +-# If set to "yes", new passwords will be encrypted using the MD5-based +-# algorithm compatible with the one used by recent releases of FreeBSD. +-# It supports passwords of unlimited length and longer salt strings. +-# Set to "no" if you need to copy encrypted passwords to other systems +-# which don't understand the new algorithm. Default is "no". +-# +-# Note: If you use PAM, it is recommended to use a value consistent with +-# the PAM modules configuration. +-# +-# This variable is deprecated. You should use ENCRYPT_METHOD instead. +-# +-#MD5_CRYPT_ENAB no +- + # + # Only works if compiled with ENCRYPTMETHOD_SELECT defined: +-# If set to MD5, MD5-based algorithm will be used for encrypting password + # If set to SHA256, SHA256-based algorithm will be used for encrypting password + # If set to SHA512, SHA512-based algorithm will be used for encrypting password +-# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password + # If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password + # If set to DES, DES-based algorithm will be used for encrypting password (default) + # MD5 and DES should not be used for new hashes, see crypt(5) for recommendations. +-# Overrides the MD5_CRYPT_ENAB option + # + # Note: If you use PAM, it is recommended to use a value consistent with + # the PAM modules configuration. +@@ -353,21 +171,6 @@ CHFN_RESTRICT rwh + #SHA_CRYPT_MIN_ROUNDS 5000 + #SHA_CRYPT_MAX_ROUNDS 5000 + +-# +-# Only works if ENCRYPT_METHOD is set to BCRYPT. +-# +-# Define the number of BCRYPT rounds. +-# With a lot of rounds, it is more difficult to brute-force the password. +-# However, more CPU resources will be needed to authenticate users if +-# this value is increased. +-# +-# If not specified, 13 rounds will be attempted. +-# If only one of the MIN or MAX values is set, then this value will be used. +-# If MIN > MAX, the highest value will be used. +-# +-#BCRYPT_MIN_ROUNDS 13 +-#BCRYPT_MAX_ROUNDS 13 +- + # + # Only works if ENCRYPT_METHOD is set to YESCRYPT. + # +@@ -381,17 +184,6 @@ CHFN_RESTRICT rwh + # + #YESCRYPT_COST_FACTOR 5 + +-# +-# List of groups to add to the user's supplementary group set +-# when logging in from the console (as determined by the CONSOLE +-# setting). Default is none. +-# +-# Use with caution - it is possible for users to gain permanent +-# access to these groups, even when not logged in from the console. +-# How to do it is left as an exercise for the reader... +-# +-#CONSOLE_GROUPS floppy:audio:cdrom +- + # + # Should login be allowed if we can't cd to the home directory? + # Default is no. +@@ -406,12 +198,6 @@ DEFAULT_HOME yes + # + NONEXISTENT /nonexistent + +-# +-# If this file exists and is readable, login environment will be +-# read from it. Every line should be in the form name=value. +-# +-ENVIRON_FILE /etc/environment +- + # + # If defined, this command is run when removing a user. + # It should remove any at/cron/print jobs etc. owned by +@@ -459,14 +245,6 @@ USERGROUPS_ENAB yes + # + #GRANT_AUX_GROUP_SUBIDS yes + +-# +-# Prevents an empty password field to be interpreted as "no authentication +-# required". +-# Set to "yes" to prevent for all accounts +-# Set to "superuser" to prevent for UID 0 / root (default) +-# Set to "no" to not prevent for any account (dangerous, historical default) +-PREVENT_NO_AUTH superuser +- + # + # Select the HMAC cryptography algorithm. + # Used in pam_timestamp module to calculate the keyed-hash message +diff --git a/man/login.defs.5.xml b/man/login.defs.5.xml +index ab62fa86..d82c47f1 100644 +--- a/man/login.defs.5.xml ++++ b/man/login.defs.5.xml +@@ -7,69 +7,38 @@ + --> + + +- +- +- + + + +- + + +- +- +- + +- +- +- + + + + +- +- +- + +- + + +- + +- + + +- + +- + +- +- +- +- + + + +- +- + +- +- +- + + + + +- + + + + +- + +- + + + +@@ -145,47 +114,25 @@ + The following configuration items are provided: + + +- &CHFN_AUTH; + &CHFN_RESTRICT; +- &CHSH_AUTH; +- &CONSOLE; +- &CONSOLE_GROUPS; + &CREATE_HOME; + &DEFAULT_HOME; + &ENCRYPT_METHOD; +- &ENV_HZ; + &ENV_PATH; + &ENV_SUPATH; +- &ENV_TZ; +- &ENVIRON_FILE; +- &ERASECHAR; + &FAIL_DELAY; +- &FAILLOG_ENAB; +- &FAKE_SHELL; +- &FTMP_FILE; + &GID_MAX; + &HMAC_CRYPTO_ALGO; + &HOME_MODE; + &HUSHLOGIN_FILE; +- &ISSUE_FILE; +- &KILLCHAR; +- &LASTLOG_ENAB; + &LASTLOG_UID_MAX; +- &LOG_OK_LOGINS; + &LOG_UNKFAIL_ENAB; + &LOGIN_RETRIES; +- &LOGIN_STRING; + &LOGIN_TIMEOUT; +- &MAIL_CHECK_ENAB; + &MAIL_DIR; + &MAX_MEMBERS_PER_GROUP; +- &MD5_CRYPT_ENAB; + &MOTD_FILE; +- &NOLOGINS_FILE; + &NONEXISTENT; +- &OBSCURE_CHECKS_ENAB; +- &PASS_ALWAYS_WARN; +- &PASS_CHANGE_TRIES; + &PASS_MAX_DAYS; + &PASS_MIN_DAYS; + &PASS_WARN_AGE; +@@ -195,25 +142,16 @@ + time of account creation. Any changes to these settings won't affect + existing accounts. + +- &PASS_MAX_LEN; +- &PORTTIME_CHECKS_ENAB; +- "AS_ENAB; + &SHA_CRYPT_MIN_ROUNDS; +- &SULOG_FILE; +- &SU_NAME; +- &SU_WHEEL_ONLY; + &SUB_GID_COUNT; + &SUB_UID_COUNT; + &SYS_GID_MAX; + &SYS_UID_MAX; + &SYSLOG_SG_ENAB; +- &SYSLOG_SU_ENAB; + &TCB_AUTH_GROUP; + &TCB_SYMLINKS; + &TTYGROUP; +- &TTYTYPE_FILE; + &UID_MAX; +- &ULIMIT; + &UMASK; + &USERDEL_CMD; + &USERGROUPS_ENAB; +@@ -239,9 +177,7 @@ + chfn + + +- CHFN_AUTH + CHFN_RESTRICT +- LOGIN_STRING + + + +@@ -249,7 +185,7 @@ + chgpasswd + + +- ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB ++ ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP + SHA_CRYPT_MAX_ROUNDS + SHA_CRYPT_MIN_ROUNDS + +@@ -259,8 +195,6 @@ + chpasswd + + +- ENCRYPT_METHOD +- MD5_CRYPT_ENAB + SHA_CRYPT_MAX_ROUNDS + SHA_CRYPT_MIN_ROUNDS + +@@ -270,7 +204,7 @@ + chsh + + +- CHSH_AUTH LOGIN_STRING ++ CHSH_AUTH + + + +@@ -280,7 +214,7 @@ + gpasswd + + +- ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB ++ ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP + SHA_CRYPT_MAX_ROUNDS + SHA_CRYPT_MIN_ROUNDS + +@@ -339,35 +273,6 @@ + LASTLOG_UID_MAX + + +- +- login +- +- +- CONSOLE +- CONSOLE_GROUPS DEFAULT_HOME +- ENV_HZ ENV_PATH ENV_SUPATH +- ENV_TZ ENVIRON_FILE +- ERASECHAR FAIL_DELAY +- FAILLOG_ENAB +- FAKE_SHELL +- FTMP_FILE +- HUSHLOGIN_FILE +- ISSUE_FILE +- KILLCHAR +- LASTLOG_ENAB LASTLOG_UID_MAX +- LOGIN_RETRIES +- LOGIN_STRING +- LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB +- MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE +- MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB +- QUOTAS_ENAB +- TTYGROUP TTYPERM TTYTYPE_FILE +- ULIMIT UMASK +- USERGROUPS_ENAB +- +- +- +- + + newgrp / sg + +@@ -382,7 +287,7 @@ + + ENCRYPT_METHOD + GID_MAX GID_MIN +- MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB ++ MAX_MEMBERS_PER_GROUP + HOME_MODE + PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE + SHA_CRYPT_MAX_ROUNDS +@@ -399,8 +304,7 @@ + passwd + + +- ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB +- PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN ++ ENCRYPT_METHOD + SHA_CRYPT_MAX_ROUNDS + SHA_CRYPT_MIN_ROUNDS + +@@ -432,32 +336,6 @@ + + + +- +- su +- +- +- CONSOLE +- CONSOLE_GROUPS DEFAULT_HOME +- ENV_HZ ENVIRON_FILE +- ENV_PATH ENV_SUPATH +- ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB +- MAIL_DIR MAIL_FILE QUOTAS_ENAB +- SULOG_FILE SU_NAME +- SU_WHEEL_ONLY +- SYSLOG_SU_ENAB +- USERGROUPS_ENAB +- +- +- +- +- sulogin +- +- +- ENV_HZ +- ENV_TZ +- +- +- + + useradd + +@@ -486,24 +364,6 @@ + + + +- +- usermod +- +- +- LASTLOG_UID_MAX +- MAIL_DIR MAIL_FILE MAX_MEMBERS_PER_GROUP +- TCB_SYMLINKS USE_TCB +- +- +- +- +- vipw +- +- +- USE_TCB +- +- +- + + + +-- +2.43.2 + diff --git a/srcpkgs/shadow/patches/0003-Add-Arch-Linux-defaults-for-login.defs.patch b/srcpkgs/shadow/patches/0003-Add-Arch-Linux-defaults-for-login.defs.patch new file mode 100644 index 00000000000000..e8b5885d1250bf --- /dev/null +++ b/srcpkgs/shadow/patches/0003-Add-Arch-Linux-defaults-for-login.defs.patch @@ -0,0 +1,55 @@ +From 7eb2d0b9eff128c404ef7a6d07aa597ac9ca2d84 Mon Sep 17 00:00:00 2001 +From: David Runge +Date: Mon, 31 Oct 2022 10:10:22 +0100 +Subject: [PATCH 3/3] Add Arch Linux defaults for login.defs + +etc/login.defs: +- Change `ENV_SUPATH` and `ENV_SUPATH` to only use + /usr/local/sbin:/usr/local/bin:/usr/bin as Arch Linux is a /usr and + bin merge distribution. +- Set `HOME_MODE` to `0700` to be able to rely on a `UMASK` of `022` + while creating home directories in a privacy conserving manner. +- Change SYS_UID_MIN and SYS_GID_MIN to 500 which gives more space for + distribution added UIDs and GIDs of system users. +- Change ENCRYPT_METHOD to YESCRYPT as it is a safer hashing algorithm + than DES. +--- + etc/login.defs | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/etc/login.defs b/etc/login.defs +index 797ca6b3..c4accbf8 100644 +--- a/etc/login.defs ++++ b/etc/login.defs +@@ -55,8 +55,8 @@ HUSHLOGIN_FILE .hushlogin + # *REQUIRED* The default PATH settings, for superuser and normal users. + # + # (they are minimal, add the rest in the shell startup files) +-ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin +-ENV_PATH PATH=/bin:/usr/bin ++ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin ++ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin + + # + # Terminal permissions +@@ -84,7 +84,7 @@ UMASK 022 + # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new + # home directories. + # If HOME_MODE is not set, the value of UMASK is used to create the mode. +-#HOME_MODE 0700 ++HOME_MODE 0700 + + # + # Password aging controls: +@@ -152,7 +152,7 @@ CHFN_RESTRICT rwh + # Note: If you use PAM, it is recommended to use a value consistent with + # the PAM modules configuration. + # +-#ENCRYPT_METHOD DES ++ENCRYPT_METHOD YESCRYPT + + # + # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. +-- +2.43.2 + diff --git a/srcpkgs/shadow/patches/fix-undefined-reference.patch b/srcpkgs/shadow/patches/fix-undefined-reference.patch new file mode 100644 index 00000000000000..4a3e742b9837b7 --- /dev/null +++ b/srcpkgs/shadow/patches/fix-undefined-reference.patch @@ -0,0 +1,19 @@ +--- a/lib/alloc.h ++++ b/lib/alloc.h +@@ -84,14 +84,14 @@ + } + + +-inline void * ++static inline void * + mallocarray(size_t nmemb, size_t size) + { + return reallocarray(NULL, nmemb, size); + } + + +-inline void * ++static inline void * + reallocarrayf(void *p, size_t nmemb, size_t size) + { + void *q; diff --git a/srcpkgs/shadow/patches/shadow-strncpy-usage.patch b/srcpkgs/shadow/patches/shadow-strncpy-usage.patch deleted file mode 100644 index c5564fffdc3852..00000000000000 --- a/srcpkgs/shadow/patches/shadow-strncpy-usage.patch +++ /dev/null @@ -1,23 +0,0 @@ ---- a/src/usermod.c 2012-02-13 08:19:43.792146449 -0500 -+++ b/src/usermod.c 2012-02-13 08:21:19.375114500 -0500 -@@ -182,7 +182,7 @@ - struct tm *tp; - - if (date < 0) { -- strncpy (buf, "never", maxsize); -+ strncpy (buf, "never", maxsize - 1); - } else { - time_t t = (time_t) date; - tp = gmtime (&t); ---- a/src/login.c 2012-02-13 08:19:50.951994454 -0500 -+++ b/src/login.c 2012-02-13 08:21:04.490430937 -0500 -@@ -752,7 +752,8 @@ - _("%s login: "), hostn); - } else { - strncpy (loginprompt, _("login: "), -- sizeof (loginprompt)); -+ sizeof (loginprompt) - 1); -+ loginprompt[sizeof (loginprompt) - 1] = '\0'; - } - - retcode = pam_set_item (pamh, PAM_USER_PROMPT, loginprompt); diff --git a/srcpkgs/shadow/patches/useradd-defaults.patch b/srcpkgs/shadow/patches/useradd-defaults.patch new file mode 100644 index 00000000000000..38035df40cfcab --- /dev/null +++ b/srcpkgs/shadow/patches/useradd-defaults.patch @@ -0,0 +1,21 @@ +diff --git a/src/useradd.c b/src/useradd.c +index 677ea5a636f..49f55211a17 100644 +--- a/src/useradd.c ++++ b/src/useradd.c +@@ -87,14 +87,14 @@ const char *Prog; + /* + * These defaults are used if there is no defaults file. + */ +-static gid_t def_group = 1000; ++static gid_t def_group = 100; + static const char *def_groups = ""; + static const char *def_gname = "other"; + static const char *def_home = "/home"; + static const char *def_shell = "/bin/bash"; + static const char *def_template = SKEL_DIR; + static const char *def_usrtemplate = USRSKELDIR; +-static const char *def_create_mail_spool = "yes"; ++static const char *def_create_mail_spool = "no"; + static const char *def_log_init = "yes"; + + static long def_inactive = -1; diff --git a/srcpkgs/shadow/patches/xstrdup.patch b/srcpkgs/shadow/patches/xstrdup.patch deleted file mode 100644 index 562febcf4164f1..00000000000000 --- a/srcpkgs/shadow/patches/xstrdup.patch +++ /dev/null @@ -1,9 +0,0 @@ ---- a/libmisc/xmalloc.c 2008-08-30 21:55:44.000000000 -0500 -+++ b/libmisc/xmalloc.c.new 2008-08-30 21:55:36.000000000 -0500 -@@ -61,5 +61,6 @@ - - char *xstrdup (const char *str) - { -+ if(str == NULL) return NULL; - return strcpy (xmalloc (strlen (str) + 1), str); - } diff --git a/srcpkgs/shadow/template b/srcpkgs/shadow/template index c7ece33540c9a0..c7cdec783bf7a8 100644 --- a/srcpkgs/shadow/template +++ b/srcpkgs/shadow/template @@ -1,23 +1,35 @@ # Template file for 'shadow' pkgname=shadow -version=4.8.1 -revision=3 +version=4.14.5 +revision=1 build_style=gnu-configure -configure_args="--bindir=/usr/bin --sbindir=/usr/bin - --enable-shared --disable-static - --with-libpam --without-selinux --with-acl --with-attr --without-su - --disable-nls --enable-subordinate-ids --disable-account-tools-setuid +configure_args="--bindir=/usr/bin --sbindir=/usr/bin --libdir=/usr/lib + --enable-shared --disable-static --enable-lastlog --with-libpam --with-yescrypt + --without-selinux --with-acl --with-attr --without-su --disable-nls + --enable-subordinate-ids --disable-account-tools-setuid --with-group-name-max-length=32" -hostmakedepends="libtool" -makedepends="acl-devel pam-devel" +hostmakedepends="libtool pkg-config" +makedepends="acl-devel pam-devel libbsd-devel" depends="pam" short_desc="Shadow password file utilities" maintainer="Enno Boland " license="BSD-3-Clause" homepage="https://github.com/shadow-maint/shadow" distfiles="${homepage}/releases/download/${version}/shadow-${version}.tar.xz" -checksum=a3ad4630bdc41372f02a647278a8c3514844295d36eefe68ece6c3a641c1ae62 -conf_files="/etc/pam.d/* /etc/default/* /etc/login.defs" +checksum=cba74bc7b05d89c015afe23131f9159ece38779d40a8af4cf162852e6e85ca23 +conf_files=" + /etc/pam.d/chage + /etc/pam.d/chgpasswd + /etc/pam.d/chpasswd + /etc/pam.d/groupadd + /etc/pam.d/groupdel + /etc/pam.d/groupmems + /etc/pam.d/groupmod + /etc/pam.d/newusers + /etc/pam.d/passwd + /etc/pam.d/useradd + /etc/pam.d/userdel + /etc/pam.d/usermod" if [ "$XBPS_TARGET_LIBC" = "glibc" ]; then makedepends+=" libxcrypt-devel" @@ -32,14 +44,16 @@ pre_configure() { do_build() { # Don't install groups(1), we use the one from coreutils. - sed -i 's/groups$(EXEEXT) //' src/Makefile - for f in $(find man -name Makefile); do + sed -i 's/groups$(EXEEXT) //' src/Makefile.in + for f in $(find man -name Makefile.in); do sed -i 's/groups\.1 / /' $f done make ${makejobs} } post_install() { + make -C man DESTDIR="$DESTDIR" install-man + mv ${DESTDIR}/usr/sbin/* ${DESTDIR}/usr/bin # Install our pam files not the ones supplied with shadow. @@ -51,14 +65,6 @@ post_install() { groupmod newusers useradd userdel usermod; do install -m644 $DESTDIR/etc/pam.d/chage $DESTDIR/etc/pam.d/${f} done - install -m644 ${FILESDIR}/login.defs ${DESTDIR}/etc - - # Disable creating mailbox files by default. - sed -i -e 's/yes/no/' $DESTDIR/etc/default/useradd - # Change default group to the users gid (100). - sed -i -e 's/^\(GROUP\)=\(.*\)$/\1=100/' ${DESTDIR}/etc/default/useradd - - chmod 644 ${DESTDIR}/etc/default/useradd # Install the cron daily job. install -Dm744 ${FILESDIR}/shadow.cron-daily \