Date: Sunday, November 6, 2022 @ 13:07:49 Author: dvzrv Revision: 460775
upgpkg: shadow 4.11.1-4: Rebuild to apply distribution patches. Use distribution patches from https://gitlab.archlinux.org/archlinux/packaging/upstream/shadow/-/commits/v4.11.1.arch2 to - not manually remove or move files in package() - install files to the correct bin location - modify login.defs to not include unsupported options (due to PAM and util-linux) - add distribution specific PAM integration - add distribution specific login.defs overrides Remove unused PAM files and patch for login.defs. Generically apply patches from the source array in prepare(). Use an array in build() to provide options to configure for ease of use. Added: shadow/trunk/0001-Disable-replaced-tools-and-man-pages.patch shadow/trunk/0002-Adapt-login.defs-for-PAM-and-util-linux.patch shadow/trunk/0003-Add-Arch-Linux-defaults-for-login.defs.patch shadow/trunk/0004-Add-Arch-Linux-defaults-for-etc-pam.d.patch Modified: shadow/trunk/PKGBUILD Deleted: shadow/trunk/chgpasswd shadow/trunk/chpasswd shadow/trunk/defaults.pam shadow/trunk/newusers shadow/trunk/passwd shadow/trunk/shadow-4.11.1-login.defs.patch ----------------------------------------------------+ 0001-Disable-replaced-tools-and-man-pages.patch | 658 ++++++++++++++++++ 0002-Adapt-login.defs-for-PAM-and-util-linux.patch | 692 +++++++++++++++++++ 0003-Add-Arch-Linux-defaults-for-login.defs.patch | 73 ++ 0004-Add-Arch-Linux-defaults-for-etc-pam.d.patch | 201 +++++ PKGBUILD | 129 +-- chgpasswd | 4 chpasswd | 6 defaults.pam | 6 newusers | 6 passwd | 4 shadow-4.11.1-login.defs.patch | 308 -------- 11 files changed, 1673 insertions(+), 414 deletions(-) Added: 0001-Disable-replaced-tools-and-man-pages.patch =================================================================== --- 0001-Disable-replaced-tools-and-man-pages.patch (rev 0) +++ 0001-Disable-replaced-tools-and-man-pages.patch 2022-11-06 13:07:49 UTC (rev 460775) 
@@ -0,0 +1,658 @@ +From e0394dfa98a4b4a1b86a19f39a1a982adc1bb7fa Mon Sep 17 00:00:00 2001 +From: David Runge <[email protected]> +Date: Sat, 5 Nov 2022 23:40:18 +0100 +Subject: [PATCH 1/4] Disable replaced tools and man pages + +man/Makefile.am, man/*/Makefile.am: +Disable man pages for chfn, chsh, login, logoutd, newgrp, nologin, vigr, +vipw and su as they are either no longer used or replaced by util-linux. + +src/Makefile.am: +Set usbindir to use bin instead of sbin, as Arch Linux is a /usr and bin +merge distribution. +Remove the use of login, nologin, chfn, chsh, logoutd, vipw and vigr, as +they are either not used or replaced by util-linux. +Move newgrp to replace sg (instead of it being a symlink). +--- + man/Makefile.am | 19 ++----------------- + man/cs/Makefile.am | 8 ++------ + man/da/Makefile.am | 8 +------- + man/de/Makefile.am | 11 +---------- + man/fi/Makefile.am | 5 +---- + man/fr/Makefile.am | 11 +---------- + man/hu/Makefile.am | 6 +----- + man/id/Makefile.am | 2 -- + man/it/Makefile.am | 11 +---------- + man/ja/Makefile.am | 10 +--------- + man/ko/Makefile.am | 8 +------- + man/pl/Makefile.am | 7 +------ + man/ru/Makefile.am | 11 +---------- + man/sv/Makefile.am | 8 +------- + man/tr/Makefile.am | 3 --- + man/zh_CN/Makefile.am | 11 +---------- + man/zh_TW/Makefile.am | 4 ---- + src/Makefile.am | 18 +++++++----------- + 18 files changed, 23 insertions(+), 138 deletions(-) + +diff --git a/man/Makefile.am b/man/Makefile.am +index e9cab28a..7168625c 100644 +--- a/man/Makefile.am ++++ b/man/Makefile.am +@@ -8,10 +8,8 @@ endif + + man_MANS = \ + man1/chage.1 \ +- man1/chfn.1 \ + man8/chgpasswd.8 \ + man8/chpasswd.8 \ +- man1/chsh.1 \ + man1/expiry.1 \ + man5/faillog.5 \ + man8/faillog.8 \ +@@ -27,12 +25,8 @@ man_MANS = \ + man8/grpunconv.8 \ + man5/gshadow.5 \ + man8/lastlog.8 \ +- man1/login.1 \ + man5/login.defs.5 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ + man8/newusers.8 \ +- man8/nologin.8 \ + man1/passwd.1 \ + man5/passwd.5 \ + man8/pwck.8 \ +@@ 
-44,9 +38,7 @@ man_MANS = \ + man5/suauth.5 \ + man8/useradd.8 \ + man8/userdel.8 \ +- man8/usermod.8 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man8/usermod.8 + + man_nopam = \ + man5/limits.5 \ +@@ -74,10 +66,8 @@ endif + + man_XMANS = \ + chage.1.xml \ +- chfn.1.xml \ + chgpasswd.8.xml \ + chpasswd.8.xml \ +- chsh.1.xml \ + expiry.1.xml \ + faillog.5.xml \ + faillog.8.xml \ +@@ -92,12 +82,9 @@ man_XMANS = \ + gshadow.5.xml \ + lastlog.8.xml \ + limits.5.xml \ +- login.1.xml \ + login.access.5.xml \ + login.defs.5.xml \ +- logoutd.8.xml \ + newgidmap.1.xml \ +- newgrp.1.xml \ + newuidmap.1.xml \ + newusers.8.xml \ + nologin.8.xml \ +@@ -109,14 +96,12 @@ man_XMANS = \ + shadow.3.xml \ + shadow.5.xml \ + sg.1.xml \ +- su.1.xml \ + suauth.5.xml \ + subgid.5.xml \ + subuid.5.xml \ + useradd.8.xml \ + userdel.8.xml \ +- usermod.8.xml \ +- vipw.8.xml ++ usermod.8.xml + + login_defs_v = \ + CHFN_AUTH.xml \ +diff --git a/man/cs/Makefile.am b/man/cs/Makefile.am +index 3b2be0ce..50290f4a 100644 +--- a/man/cs/Makefile.am ++++ b/man/cs/Makefile.am +@@ -13,14 +13,10 @@ man_MANS = \ + man8/grpck.8 \ + man5/gshadow.5 \ + man8/lastlog.8 \ +- man8/nologin.8 \ + man5/passwd.5 \ +- man5/shadow.5 \ +- man1/su.1 \ +- man8/vipw.8 ++ man5/shadow.5 + + EXTRA_DIST = $(man_MANS) \ + man1/id.1 \ +- man8/groupmems.8 \ +- man8/logoutd.8 ++ man8/groupmems.8 + +diff --git a/man/da/Makefile.am b/man/da/Makefile.am +index a3b09224..e45bef66 100644 +--- a/man/da/Makefile.am ++++ b/man/da/Makefile.am +@@ -3,16 +3,10 @@ mandir = @mandir@/da + + # 2012.01.28 - activate manpages with more than 50% translated messages + man_MANS = \ +- man1/chfn.1 \ + man8/groupdel.8 \ + man1/groups.1 \ + man5/gshadow.5 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ +- man8/nologin.8 \ +- man1/sg.1 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man1/sg.1 + + man_nopam = + +diff --git a/man/de/Makefile.am b/man/de/Makefile.am +index 3cd302ee..dee3e2a1 100644 +--- a/man/de/Makefile.am ++++ b/man/de/Makefile.am +@@ -3,10 +3,8 @@ mandir = 
@mandir@/de + + man_MANS = \ + man1/chage.1 \ +- man1/chfn.1 \ + man8/chgpasswd.8 \ + man8/chpasswd.8 \ +- man1/chsh.1 \ + man1/expiry.1 \ + man5/faillog.5 \ + man8/faillog.8 \ +@@ -22,12 +20,8 @@ man_MANS = \ + man8/grpunconv.8 \ + man5/gshadow.5 \ + man8/lastlog.8 \ +- man1/login.1 \ + man5/login.defs.5 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ + man8/newusers.8 \ +- man8/nologin.8 \ + man1/passwd.1 \ + man5/passwd.5 \ + man8/pwck.8 \ +@@ -36,13 +30,10 @@ man_MANS = \ + man1/sg.1 \ + man3/shadow.3 \ + man5/shadow.5 \ +- man1/su.1 \ + man5/suauth.5 \ + man8/useradd.8 \ + man8/userdel.8 \ +- man8/usermod.8 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man8/usermod.8 + + man_nopam = \ + man5/limits.5 \ +diff --git a/man/fi/Makefile.am b/man/fi/Makefile.am +index 26a1a848..f02b92f3 100644 +--- a/man/fi/Makefile.am ++++ b/man/fi/Makefile.am +@@ -1,10 +1,7 @@ + + mandir = @mandir@/fi + +-man_MANS = \ +- man1/chfn.1 \ +- man1/chsh.1 \ +- man1/su.1 ++man_MANS = + + # Outdated manpages + # passwd.1 (https://bugs.launchpad.net/ubuntu/+bug/384024) +diff --git a/man/fr/Makefile.am b/man/fr/Makefile.am +index 230d2126..1955e94a 100644 +--- a/man/fr/Makefile.am ++++ b/man/fr/Makefile.am +@@ -3,10 +3,8 @@ mandir = @mandir@/fr + + man_MANS = \ + man1/chage.1 \ +- man1/chfn.1 \ + man8/chgpasswd.8 \ + man8/chpasswd.8 \ +- man1/chsh.1 \ + man1/expiry.1 \ + man5/faillog.5 \ + man8/faillog.8 \ +@@ -22,12 +20,8 @@ man_MANS = \ + man8/grpunconv.8 \ + man5/gshadow.5 \ + man8/lastlog.8 \ +- man1/login.1 \ + man5/login.defs.5 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ + man8/newusers.8 \ +- man8/nologin.8 \ + man1/passwd.1 \ + man5/passwd.5 \ + man8/pwck.8 \ +@@ -36,13 +30,10 @@ man_MANS = \ + man1/sg.1 \ + man3/shadow.3 \ + man5/shadow.5 \ +- man1/su.1 \ + man5/suauth.5 \ + man8/useradd.8 \ + man8/userdel.8 \ +- man8/usermod.8 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man8/usermod.8 + + man_nopam = \ + man5/limits.5 \ +diff --git a/man/hu/Makefile.am b/man/hu/Makefile.am +index e659aef1..ae80da49 100644 
+--- a/man/hu/Makefile.am ++++ b/man/hu/Makefile.am +@@ -2,16 +2,12 @@ + mandir = @mandir@/hu + + man_MANS = \ +- man1/chsh.1 \ + man1/gpasswd.1 \ + man1/groups.1 \ + man8/lastlog.8 \ +- man1/login.1 \ +- man1/newgrp.1 \ + man1/passwd.1 \ + man5/passwd.5 \ +- man1/sg.1 \ +- man1/su.1 ++ man1/sg.1 + + EXTRA_DIST = $(man_MANS) + +diff --git a/man/id/Makefile.am b/man/id/Makefile.am +index 21f3dbe9..6d10b930 100644 +--- a/man/id/Makefile.am ++++ b/man/id/Makefile.am +@@ -2,8 +2,6 @@ + mandir = @mandir@/id + + man_MANS = \ +- man1/chsh.1 \ +- man1/login.1 \ + man8/useradd.8 + + EXTRA_DIST = $(man_MANS) +diff --git a/man/it/Makefile.am b/man/it/Makefile.am +index 94460aac..ecf5bd18 100644 +--- a/man/it/Makefile.am ++++ b/man/it/Makefile.am +@@ -3,10 +3,8 @@ mandir = @mandir@/it + + man_MANS = \ + man1/chage.1 \ +- man1/chfn.1 \ + man8/chgpasswd.8 \ + man8/chpasswd.8 \ +- man1/chsh.1 \ + man1/expiry.1 \ + man5/faillog.5 \ + man8/faillog.8 \ +@@ -22,12 +20,8 @@ man_MANS = \ + man8/grpunconv.8 \ + man5/gshadow.5 \ + man8/lastlog.8 \ +- man1/login.1 \ + man5/login.defs.5 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ + man8/newusers.8 \ +- man8/nologin.8 \ + man1/passwd.1 \ + man5/passwd.5 \ + man8/pwck.8 \ +@@ -36,13 +30,10 @@ man_MANS = \ + man1/sg.1 \ + man3/shadow.3 \ + man5/shadow.5 \ +- man1/su.1 \ + man5/suauth.5 \ + man8/useradd.8 \ + man8/userdel.8 \ +- man8/usermod.8 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man8/usermod.8 + + man_nopam = \ + man5/limits.5 \ +diff --git a/man/ja/Makefile.am b/man/ja/Makefile.am +index ffb75a98..b88c490a 100644 +--- a/man/ja/Makefile.am ++++ b/man/ja/Makefile.am +@@ -3,9 +3,7 @@ mandir = @mandir@/ja + + man_MANS = \ + man1/chage.1 \ +- man1/chfn.1 \ + man8/chpasswd.8 \ +- man1/chsh.1 \ + man1/expiry.1 \ + man5/faillog.5 \ + man8/faillog.8 \ +@@ -18,10 +16,7 @@ man_MANS = \ + man8/grpconv.8 \ + man8/grpunconv.8 \ + man8/lastlog.8 \ +- man1/login.1 \ + man5/login.defs.5 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ + man8/newusers.8 \ + 
man1/passwd.1 \ + man5/passwd.5 \ +@@ -30,13 +25,10 @@ man_MANS = \ + man8/pwunconv.8 \ + man1/sg.1 \ + man5/shadow.5 \ +- man1/su.1 \ + man5/suauth.5 \ + man8/useradd.8 \ + man8/userdel.8 \ +- man8/usermod.8 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man8/usermod.8 + + man_nopam = \ + man5/limits.5 \ +diff --git a/man/ko/Makefile.am b/man/ko/Makefile.am +index c269f0bb..9616cb3e 100644 +--- a/man/ko/Makefile.am ++++ b/man/ko/Makefile.am +@@ -2,14 +2,8 @@ + mandir = @mandir@/ko + + man_MANS = \ +- man1/chfn.1 \ +- man1/chsh.1 \ + man1/groups.1 \ +- man1/login.1 \ +- man5/passwd.5 \ +- man1/su.1 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man5/passwd.5 + # newgrp.1 must be updated + # newgrp.1 + +diff --git a/man/pl/Makefile.am b/man/pl/Makefile.am +index 724d25f3..fa6675b9 100644 +--- a/man/pl/Makefile.am ++++ b/man/pl/Makefile.am +@@ -4,7 +4,6 @@ mandir = @mandir@/pl + # 2012.01.28 - activate manpages with more than 50% translated messages + man_MANS = \ + man1/chage.1 \ +- man1/chsh.1 \ + man1/expiry.1 \ + man5/faillog.5 \ + man8/faillog.8 \ +@@ -16,14 +15,10 @@ man_MANS = \ + man1/groups.1 \ + man8/grpck.8 \ + man8/lastlog.8 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ + man1/sg.1 \ + man3/shadow.3 \ + man8/userdel.8 \ +- man8/usermod.8 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man8/usermod.8 + + man_nopam = \ + man5/porttime.5 +diff --git a/man/ru/Makefile.am b/man/ru/Makefile.am +index 8a776a87..29e1b843 100644 +--- a/man/ru/Makefile.am ++++ b/man/ru/Makefile.am +@@ -3,10 +3,8 @@ mandir = @mandir@/ru + + man_MANS = \ + man1/chage.1 \ +- man1/chfn.1 \ + man8/chgpasswd.8 \ + man8/chpasswd.8 \ +- man1/chsh.1 \ + man1/expiry.1 \ + man5/faillog.5 \ + man8/faillog.8 \ +@@ -22,12 +20,8 @@ man_MANS = \ + man8/grpunconv.8 \ + man5/gshadow.5 \ + man8/lastlog.8 \ +- man1/login.1 \ + man5/login.defs.5 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ + man8/newusers.8 \ +- man8/nologin.8 \ + man1/passwd.1 \ + man5/passwd.5 \ + man8/pwck.8 \ +@@ -36,13 +30,10 @@ man_MANS = \ + man1/sg.1 \ + 
man3/shadow.3 \ + man5/shadow.5 \ +- man1/su.1 \ + man5/suauth.5 \ + man8/useradd.8 \ + man8/userdel.8 \ +- man8/usermod.8 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man8/usermod.8 + + man_nopam = \ + man5/limits.5 \ +diff --git a/man/sv/Makefile.am b/man/sv/Makefile.am +index e64b7bc8..fbb2a716 100644 +--- a/man/sv/Makefile.am ++++ b/man/sv/Makefile.am +@@ -3,7 +3,6 @@ mandir = @mandir@/sv + # 2012.01.28 - activate manpages with more than 50% translated messages + man_MANS = \ + man1/chage.1 \ +- man1/chsh.1 \ + man1/expiry.1 \ + man5/faillog.5 \ + man8/faillog.8 \ +@@ -16,18 +15,13 @@ man_MANS = \ + man8/grpck.8 \ + man5/gshadow.5 \ + man8/lastlog.8 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ +- man8/nologin.8 \ + man1/passwd.1 \ + man5/passwd.5 \ + man8/pwck.8 \ + man1/sg.1 \ + man3/shadow.3 \ + man5/suauth.5 \ +- man8/userdel.8 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man8/userdel.8 + + man_nopam = \ + man5/limits.5 \ +diff --git a/man/tr/Makefile.am b/man/tr/Makefile.am +index 8d8b9166..4fe3632a 100644 +--- a/man/tr/Makefile.am ++++ b/man/tr/Makefile.am +@@ -2,15 +2,12 @@ mandir = @mandir@/tr + + man_MANS = \ + man1/chage.1 \ +- man1/chfn.1 \ + man8/groupadd.8 \ + man8/groupdel.8 \ + man8/groupmod.8 \ +- man1/login.1 \ + man1/passwd.1 \ + man5/passwd.5 \ + man5/shadow.5 \ +- man1/su.1 \ + man8/useradd.8 \ + man8/userdel.8 \ + man8/usermod.8 +diff --git a/man/zh_CN/Makefile.am b/man/zh_CN/Makefile.am +index e9d8f2c2..c2e6cdfd 100644 +--- a/man/zh_CN/Makefile.am ++++ b/man/zh_CN/Makefile.am +@@ -3,10 +3,8 @@ mandir = @mandir@/zh_CN + + man_MANS = \ + man1/chage.1 \ +- man1/chfn.1 \ + man8/chgpasswd.8 \ + man8/chpasswd.8 \ +- man1/chsh.1 \ + man1/expiry.1 \ + man5/faillog.5 \ + man8/faillog.8 \ +@@ -22,12 +20,8 @@ man_MANS = \ + man8/grpunconv.8 \ + man5/gshadow.5 \ + man8/lastlog.8 \ +- man1/login.1 \ + man5/login.defs.5 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ + man8/newusers.8 \ +- man8/nologin.8 \ + man1/passwd.1 \ + man5/passwd.5 \ + man8/pwck.8 \ +@@ -36,13 +30,10 @@ 
man_MANS = \
+ man1/sg.1 \
+ man3/shadow.3 \
+ man5/shadow.5 \
+- man1/su.1 \
+ man5/suauth.5 \
+ man8/useradd.8 \
+ man8/userdel.8 \
+- man8/usermod.8 \
+- man8/vigr.8 \
+- man8/vipw.8
++ man8/usermod.8
+ 
+ man_nopam = \
+ man5/limits.5 \
+diff --git a/man/zh_TW/Makefile.am b/man/zh_TW/Makefile.am
+index c36ed2c7..26696b67 100644
+--- a/man/zh_TW/Makefile.am
++++ b/man/zh_TW/Makefile.am
+@@ -2,15 +2,11 @@
+ mandir = @mandir@/zh_TW
+ 
+ man_MANS = \
+- man1/chfn.1 \
+- man1/chsh.1 \
+ man8/chpasswd.8 \
+- man1/newgrp.1 \
+ man8/groupadd.8 \
+ man8/groupdel.8 \
+ man8/groupmod.8 \
+ man5/passwd.5 \
+- man1/su.1 \
+ man8/useradd.8 \
+ man8/userdel.8 \
+ man8/usermod.8
+diff --git a/src/Makefile.am b/src/Makefile.am
+index a1a2e4e3..53cd7953 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -3,7 +3,7 @@ EXTRA_DIST = \
+ .indent.pro
+ 
+ ubindir = ${prefix}/bin
+-usbindir = ${prefix}/sbin
++usbindir = ${prefix}/bin
+ suidperms = 4755
+ sgidperms = 2755
+ 
+@@ -24,9 +24,9 @@ AM_CPPFLAGS = \
+ # and installation would be much simpler (just two directories,
+ # $prefix/bin and $prefix/sbin, no install-data hacks...)
+ 
+-bin_PROGRAMS = groups login
+-sbin_PROGRAMS = nologin
+-ubin_PROGRAMS = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd
++bin_PROGRAMS = groups
++sbin_PROGRAMS =
++ubin_PROGRAMS = faillog lastlog chage expiry gpasswd newgrp passwd
+ if ENABLE_SUBIDS
+ ubin_PROGRAMS += newgidmap newuidmap
+ endif
+@@ -43,22 +43,20 @@ usbin_PROGRAMS = \
+ grpck \
+ grpconv \
+ grpunconv \
+- logoutd \
+ newusers \
+ pwck \
+ pwconv \
+ pwunconv \
+ useradd \
+ userdel \
+- usermod \
+- vipw
++ usermod
+ 
+ # id and groups are from gnu, sulogin from sysvinit
+ noinst_PROGRAMS = id sulogin
+ 
+ suidusbins =
+ suidbins =
+-suidubins = chage chfn chsh expiry gpasswd newgrp
++suidubins = chage expiry gpasswd newgrp
+ if WITH_SU
+ suidbins += su
+ endif
+@@ -131,18 +129,16 @@ sulogin_LDADD = $(LDADD) $(LIBCRYPT) $(LIBECONF)
+ useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBECONF) -ldl
+ userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBECONF) -ldl
+ usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBECONF) -ldl
+-vipw_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
+ 
+ install-am: all-am
+ $(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+- ln -sf newgrp $(DESTDIR)$(ubindir)/sg
+- ln -sf vipw $(DESTDIR)$(usbindir)/vigr
+ set -e; for i in $(suidbins); do \
+ chmod $(suidperms) $(DESTDIR)$(bindir)/$$i; \
+ done
+ set -e; for i in $(suidubins); do \
+ chmod $(suidperms) $(DESTDIR)$(ubindir)/$$i; \
+ done
++ mv -v $(DESTDIR)$(ubindir)/newgrp $(DESTDIR)$(ubindir)/sg
+ set -e; for i in $(suidusbins); do \
+ chmod $(suidperms) $(DESTDIR)$(usbindir)/$$i; \
+ done
+-- 
+2.38.1
+
Added: 0002-Adapt-login.defs-for-PAM-and-util-linux.patch
===================================================================
--- 0002-Adapt-login.defs-for-PAM-and-util-linux.patch (rev 0)
+++ 0002-Adapt-login.defs-for-PAM-and-util-linux.patch
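Review bot: In the install-am hook of src/Makefile.am the setuid bit on the renamed `sg` is an accident of line order: `mv -v $(DESTDIR)$(ubindir)/newgrp $(DESTDIR)$(ubindir)/sg` runs after the `$(suidubins)` chmod loop, so `sg` ends up 4755 only because newgrp was chmod'ed first and the rename keeps the inode's mode. Anything inserted between those lines, or a reordering, would silently ship a non-setuid `sg`, and nothing in the recipe checks the final mode. I would rename first and put the final name in the privileged list: `suidubins = chage expiry gpasswd sg`, with the `mv -v` line moved directly after `$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am`, plus a comment such as `# newgrp is provided by util-linux; shadow's binary is installed only as sg`. Presumably the rename rather than the old symlink is what keeps only the sg invocation reachable, which is worth stating in that comment as well. Separately, `nologin.8.xml` remains in man_XMANS in man/Makefile.am although `man8/nologin.8` is dropped from man_MANS, so that page is still generated but never installed.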
2022-11-06 13:07:49 UTC (rev 460775) 
@@ -0,0 +1,692 @@ +From 07fba2b985f29e49643cb1e543e625f02f218db9 Mon Sep 17 00:00:00 2001 +From: David Runge <[email protected]> +Date: Mon, 31 Oct 2022 09:45:13 +0100 +Subject: [PATCH 2/4] Adapt login.defs for PAM and util-linux + +etc/login.defs: +Remove unused login.defs options, that are either irrelevant due to the +use of PAM or because the util-linux version of a binary does not +support them. +Modify all options that are ignored when using PAM, but are supported by +util-linux. + +Removed options because they are part of PAMDEFS (options in PAMDEFS are +options silently ignored by shadow when built with PAM enabled): +* CHFN_AUTH +* CRACKLIB_DICTPATH +* ENV_HZ +* ENVIRON_FILE +* ENV_TZ +* FAILLOG_ENAB +* FTMP_FILE +* ISSUE_FILE +* LASTLOG_ENAB +* LOGIN_STRING +* MAIL_CHECK_ENAB +* NOLOGINS_FILE +* OBSCURE_CHECKS_ENAB +* PASS_ALWAYS_WARN +* PASS_CHANGE_TRIES +* PASS_MAX_LEN +* PASS_MIN_LEN +* PORTTIME_CHECKS_ENAB +* QUOTAS_ENAB +* SU_WHEEL_ONLY +* SYSLOG_SU_ENAB +* ULIMIT + +Removed options because they are not availablbe with PAM enabled: +* CONSOLE_GROUPS +* CONSOLE +* MD5_CRYPT_ENAB +* PREVENT_NO_AUTH + +Removed options because they are not supported by login from util-linux: +* ERASECHAR +* KILLCHAR +* LOG_OK_LOGINS +* TTYTYPE_FILE + +Removed options because they are not supported by su from util-linux: +* SULOG_FILE +* SU_NAME + +Adapted options because they are in PAMDEFS but are supported by login +from util-linux: +* MOTD_FILE + +man/login.defs.5.xml: +Remove unavailable options from man 5 login.defs. +--- + etc/login.defs | 212 +------------------------------------------ + man/login.defs.5.xml | 150 +----------------------------- + 2 files changed, 8 insertions(+), 354 deletions(-) + +diff --git a/etc/login.defs b/etc/login.defs +index 114dbcd9..7c633a57 100644 +--- a/etc/login.defs ++++ b/etc/login.defs +@@ -3,6 +3,8 @@ + # + # $Id$ + # ++# NOTE: This file is adapted for the use on Arch Linux! 
++# Unsupported options due to the use of util-linux or PAM are removed. + + # + # Delay in seconds before being allowed another attempt after a login failure +@@ -11,26 +13,11 @@ + # + FAIL_DELAY 3 + +-# +-# Enable logging and display of /var/log/faillog login(1) failure info. +-# +-FAILLOG_ENAB yes +- + # + # Enable display of unknown usernames when login(1) failures are recorded. + # + LOG_UNKFAIL_ENAB no + +-# +-# Enable logging of successful logins +-# +-LOG_OK_LOGINS no +- +-# +-# Enable logging and display of /var/log/lastlog login(1) time info. +-# +-LASTLOG_ENAB yes +- + # + # Limit the highest user ID number for which the lastlog entries should + # be updated. +@@ -40,88 +27,13 @@ LASTLOG_ENAB yes + # + #LASTLOG_UID_MAX + +-# +-# Enable checking and display of mailbox status upon login. +-# +-# Disable if the shell startup files already check for mail +-# ("mailx -e" or equivalent). +-# +-MAIL_CHECK_ENAB yes +- +-# +-# Enable additional checks upon password changes. +-# +-OBSCURE_CHECKS_ENAB yes +- +-# +-# Enable checking of time restrictions specified in /etc/porttime. +-# +-PORTTIME_CHECKS_ENAB yes +- +-# +-# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field. +-# +-QUOTAS_ENAB yes +- +-# +-# Enable "syslog" logging of su(1) activity - in addition to sulog file logging. +-# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1). +-# +-SYSLOG_SU_ENAB yes +-SYSLOG_SG_ENAB yes +- +-# +-# If defined, either full pathname of a file containing device names or +-# a ":" delimited list of device names. Root logins will be allowed only +-# from these devices. +-# +-CONSOLE /etc/securetty +-#CONSOLE console:tty01:tty02:tty03:tty04 +- +-# +-# If defined, all su(1) activity is logged to this file. +-# +-#SULOG_FILE /var/log/sulog +- + # + # If defined, ":" delimited list of "message of the day" files to + # be displayed upon login. 
+ # +-MOTD_FILE /etc/motd ++MOTD_FILE + #MOTD_FILE /etc/motd:/usr/lib/news/news-motd + +-# +-# If defined, this file will be output before each login(1) prompt. +-# +-#ISSUE_FILE /etc/issue +- +-# +-# If defined, file which maps tty line to TERM environment parameter. +-# Each line of the file is in a format similar to "vt100 tty01". +-# +-#TTYTYPE_FILE /etc/ttytype +- +-# +-# If defined, login(1) failures will be logged here in a utmp format. +-# last(1), when invoked as lastb(1), will read /var/log/btmp, so... +-# +-FTMP_FILE /var/log/btmp +- +-# +-# If defined, name of file whose presence will inhibit non-root +-# logins. The content of this file should be a message indicating +-# why logins are inhibited. +-# +-NOLOGINS_FILE /etc/nologin +- +-# +-# If defined, the command name to display when running "su -". For +-# example, if this is defined as "su" then ps(1) will display the +-# command as "-su". If not defined, then ps(1) will display the +-# name of the shell actually being run, e.g. something like "-sh". +-# +-SU_NAME su +- + # + # *REQUIRED* + # Directory where mailboxes reside, _or_ name of file, relative to the +@@ -139,21 +51,6 @@ MAIL_DIR /var/spool/mail + HUSHLOGIN_FILE .hushlogin + #HUSHLOGIN_FILE /etc/hushlogins + +-# +-# If defined, either a TZ environment parameter spec or the +-# fully-rooted pathname of a file containing such a spec. +-# +-#ENV_TZ TZ=CST6CDT +-#ENV_TZ /etc/tzname +- +-# +-# If defined, an HZ environment parameter spec. +-# +-# for Linux/x86 +-ENV_HZ HZ=100 +-# For Linux/Alpha... +-#ENV_HZ HZ=1024 +- + # + # *REQUIRED* The default PATH settings, for superuser and normal users. + # +@@ -175,23 +72,6 @@ ENV_PATH PATH=/bin:/usr/bin + TTYGROUP tty + TTYPERM 0600 + +-# +-# Login configuration initializations: +-# +-# ERASECHAR Terminal ERASE character ('\010' = backspace). +-# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +-# ULIMIT Default "ulimit" value. +-# +-# The ERASECHAR and KILLCHAR are used only on System V machines. 
+-# The ULIMIT is used only if the system supports it. +-# (now it works with setrlimit too; ulimit is in 512-byte units) +-# +-# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +-# +-ERASECHAR 0177 +-KILLCHAR 025 +-#ULIMIT 2097152 +- + # Default initial "umask" value used by login(1) on non-PAM enabled systems. + # Default "umask" value for pam_umask(8) on PAM enabled systems. + # UMASK is also used by useradd(8) and newusers(8) to set the mode for new +@@ -211,27 +91,12 @@ UMASK 022 + # + # PASS_MAX_DAYS Maximum number of days a password may be used. + # PASS_MIN_DAYS Minimum number of days allowed between password changes. +-# PASS_MIN_LEN Minimum acceptable password length. + # PASS_WARN_AGE Number of days warning given before a password expires. + # + PASS_MAX_DAYS 99999 + PASS_MIN_DAYS 0 +-PASS_MIN_LEN 5 + PASS_WARN_AGE 7 + +-# +-# If "yes", the user must be listed as a member of the first gid 0 group +-# in /etc/group (called "root" on most Linux systems) to be able to "su" +-# to uid 0 accounts. If the group doesn't exist or is empty, no one +-# will be able to "su" to uid 0. +-# +-SU_WHEEL_ONLY no +- +-# +-# If compiled with cracklib support, sets the path to the dictionaries +-# +-CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict +- + # + # Min/max values for automatic uid selection in useradd(8) + # +@@ -268,28 +133,6 @@ LOGIN_RETRIES 5 + # + LOGIN_TIMEOUT 60 + +-# +-# Maximum number of attempts to change password if rejected (too easy) +-# +-PASS_CHANGE_TRIES 5 +- +-# +-# Warn about weak passwords (but still allow them) if you are root. +-# +-PASS_ALWAYS_WARN yes +- +-# +-# Number of significant characters in the password for crypt(). +-# Default is 8, don't change unless your crypt() is better. +-# Ignored if MD5_CRYPT_ENAB set to "yes". +-# +-#PASS_MAX_LEN 8 +- +-# +-# Require password before chfn(1)/chsh(1) can make any changes. 
+-# +-CHFN_AUTH yes +- + # + # Which fields may be changed by regular users using chfn(1) - use + # any combination of letters "frwh" (full name, room number, work +@@ -298,38 +141,14 @@ CHFN_AUTH yes + # + CHFN_RESTRICT rwh + +-# +-# Password prompt (%s will be replaced by user name). +-# +-# XXX - it doesn't work correctly yet, for now leave it commented out +-# to use the default which is just "Password: ". +-#LOGIN_STRING "%s's Password: " +- +-# +-# Only works if compiled with MD5_CRYPT defined: +-# If set to "yes", new passwords will be encrypted using the MD5-based +-# algorithm compatible with the one used by recent releases of FreeBSD. +-# It supports passwords of unlimited length and longer salt strings. +-# Set to "no" if you need to copy encrypted passwords to other systems +-# which don't understand the new algorithm. Default is "no". +-# +-# Note: If you use PAM, it is recommended to use a value consistent with +-# the PAM modules configuration. +-# +-# This variable is deprecated. You should use ENCRYPT_METHOD instead. +-# +-#MD5_CRYPT_ENAB no +- + # + # Only works if compiled with ENCRYPTMETHOD_SELECT defined: +-# If set to MD5, MD5-based algorithm will be used for encrypting password + # If set to SHA256, SHA256-based algorithm will be used for encrypting password + # If set to SHA512, SHA512-based algorithm will be used for encrypting password + # If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password + # If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password + # If set to DES, DES-based algorithm will be used for encrypting password (default) + # MD5 and DES should not be used for new hashes, see crypt(5) for recommendations. +-# Overrides the MD5_CRYPT_ENAB option + # + # Note: If you use PAM, it is recommended to use a value consistent with + # the PAM modules configuration. 
+@@ -381,17 +200,6 @@ CHFN_RESTRICT rwh + # + #YESCRYPT_COST_FACTOR 5 + +-# +-# List of groups to add to the user's supplementary group set +-# when logging in from the console (as determined by the CONSOLE +-# setting). Default is none. +-# +-# Use with caution - it is possible for users to gain permanent +-# access to these groups, even when not logged in from the console. +-# How to do it is left as an exercise for the reader... +-# +-#CONSOLE_GROUPS floppy:audio:cdrom +- + # + # Should login be allowed if we can't cd to the home directory? + # Default is no. +@@ -406,12 +214,6 @@ DEFAULT_HOME yes + # + NONEXISTENT /nonexistent + +-# +-# If this file exists and is readable, login environment will be +-# read from it. Every line should be in the form name=value. +-# +-ENVIRON_FILE /etc/environment +- + # + # If defined, this command is run when removing a user. + # It should remove any at/cron/print jobs etc. owned by +@@ -459,14 +261,6 @@ USERGROUPS_ENAB yes + # + #GRANT_AUX_GROUP_SUBIDS yes + +-# +-# Prevents an empty password field to be interpreted as "no authentication +-# required". +-# Set to "yes" to prevent for all accounts +-# Set to "superuser" to prevent for UID 0 / root (default) +-# Set to "no" to not prevent for any account (dangerous, historical default) +-PREVENT_NO_AUTH superuser +- + # + # Select the HMAC cryptography algorithm. 
+ # Used in pam_timestamp module to calculate the keyed-hash message +diff --git a/man/login.defs.5.xml b/man/login.defs.5.xml +index ab62fa86..d82c47f1 100644 +--- a/man/login.defs.5.xml ++++ b/man/login.defs.5.xml +@@ -7,69 +7,38 @@ + --> + <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN" + "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ +-<!ENTITY CHFN_AUTH SYSTEM "login.defs.d/CHFN_AUTH.xml"> + <!ENTITY CHFN_RESTRICT SYSTEM "login.defs.d/CHFN_RESTRICT.xml"> +-<!ENTITY CHSH_AUTH SYSTEM "login.defs.d/CHSH_AUTH.xml"> +-<!ENTITY CONSOLE SYSTEM "login.defs.d/CONSOLE.xml"> +-<!ENTITY CONSOLE_GROUPS SYSTEM "login.defs.d/CONSOLE_GROUPS.xml"> + <!ENTITY CREATE_HOME SYSTEM "login.defs.d/CREATE_HOME.xml"> + <!ENTITY DEFAULT_HOME SYSTEM "login.defs.d/DEFAULT_HOME.xml"> + <!ENTITY ENCRYPT_METHOD SYSTEM "login.defs.d/ENCRYPT_METHOD.xml"> +-<!ENTITY ENV_HZ SYSTEM "login.defs.d/ENV_HZ.xml"> + <!ENTITY ENV_PATH SYSTEM "login.defs.d/ENV_PATH.xml"> + <!ENTITY ENV_SUPATH SYSTEM "login.defs.d/ENV_SUPATH.xml"> +-<!ENTITY ENV_TZ SYSTEM "login.defs.d/ENV_TZ.xml"> +-<!ENTITY ENVIRON_FILE SYSTEM "login.defs.d/ENVIRON_FILE.xml"> +-<!ENTITY ERASECHAR SYSTEM "login.defs.d/ERASECHAR.xml"> + <!ENTITY FAIL_DELAY SYSTEM "login.defs.d/FAIL_DELAY.xml"> +-<!ENTITY FAILLOG_ENAB SYSTEM "login.defs.d/FAILLOG_ENAB.xml"> +-<!ENTITY FAKE_SHELL SYSTEM "login.defs.d/FAKE_SHELL.xml"> +-<!ENTITY FTMP_FILE SYSTEM "login.defs.d/FTMP_FILE.xml"> + <!ENTITY GID_MAX SYSTEM "login.defs.d/GID_MAX.xml"> + <!ENTITY HMAC_CRYPTO_ALGO SYSTEM "login.defs.d/HMAC_CRYPTO_ALGO.xml"> + <!ENTITY HOME_MODE SYSTEM "login.defs.d/HOME_MODE.xml"> + <!ENTITY HUSHLOGIN_FILE SYSTEM "login.defs.d/HUSHLOGIN_FILE.xml"> +-<!ENTITY ISSUE_FILE SYSTEM "login.defs.d/ISSUE_FILE.xml"> +-<!ENTITY KILLCHAR SYSTEM "login.defs.d/KILLCHAR.xml"> +-<!ENTITY LASTLOG_ENAB SYSTEM "login.defs.d/LASTLOG_ENAB.xml"> + <!ENTITY LASTLOG_UID_MAX SYSTEM "login.defs.d/LASTLOG_UID_MAX.xml"> +-<!ENTITY LOG_OK_LOGINS SYSTEM 
"login.defs.d/LOG_OK_LOGINS.xml"> + <!ENTITY LOG_UNKFAIL_ENAB SYSTEM "login.defs.d/LOG_UNKFAIL_ENAB.xml"> + <!ENTITY LOGIN_RETRIES SYSTEM "login.defs.d/LOGIN_RETRIES.xml"> +-<!ENTITY LOGIN_STRING SYSTEM "login.defs.d/LOGIN_STRING.xml"> + <!ENTITY LOGIN_TIMEOUT SYSTEM "login.defs.d/LOGIN_TIMEOUT.xml"> +-<!ENTITY MAIL_CHECK_ENAB SYSTEM "login.defs.d/MAIL_CHECK_ENAB.xml"> + <!ENTITY MAIL_DIR SYSTEM "login.defs.d/MAIL_DIR.xml"> + <!ENTITY MAX_MEMBERS_PER_GROUP SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml"> +-<!ENTITY MD5_CRYPT_ENAB SYSTEM "login.defs.d/MD5_CRYPT_ENAB.xml"> + <!ENTITY MOTD_FILE SYSTEM "login.defs.d/MOTD_FILE.xml"> +-<!ENTITY NOLOGINS_FILE SYSTEM "login.defs.d/NOLOGINS_FILE.xml"> + <!ENTITY NONEXISTENT SYSTEM "login.defs.d/NONEXISTENT.xml"> +-<!ENTITY OBSCURE_CHECKS_ENAB SYSTEM "login.defs.d/OBSCURE_CHECKS_ENAB.xml"> +-<!ENTITY PASS_ALWAYS_WARN SYSTEM "login.defs.d/PASS_ALWAYS_WARN.xml"> +-<!ENTITY PASS_CHANGE_TRIES SYSTEM "login.defs.d/PASS_CHANGE_TRIES.xml"> +-<!ENTITY PASS_MAX_LEN SYSTEM "login.defs.d/PASS_MAX_LEN.xml"> + <!ENTITY PASS_MAX_DAYS SYSTEM "login.defs.d/PASS_MAX_DAYS.xml"> + <!ENTITY PASS_MIN_DAYS SYSTEM "login.defs.d/PASS_MIN_DAYS.xml"> + <!ENTITY PASS_WARN_AGE SYSTEM "login.defs.d/PASS_WARN_AGE.xml"> +-<!ENTITY PORTTIME_CHECKS_ENAB SYSTEM "login.defs.d/PORTTIME_CHECKS_ENAB.xml"> +-<!ENTITY QUOTAS_ENAB SYSTEM "login.defs.d/QUOTAS_ENAB.xml"> + <!ENTITY SHA_CRYPT_MIN_ROUNDS SYSTEM "login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml"> +-<!ENTITY SULOG_FILE SYSTEM "login.defs.d/SULOG_FILE.xml"> +-<!ENTITY SU_NAME SYSTEM "login.defs.d/SU_NAME.xml"> +-<!ENTITY SU_WHEEL_ONLY SYSTEM "login.defs.d/SU_WHEEL_ONLY.xml"> + <!ENTITY SUB_GID_COUNT SYSTEM "login.defs.d/SUB_GID_COUNT.xml"> + <!ENTITY SUB_UID_COUNT SYSTEM "login.defs.d/SUB_UID_COUNT.xml"> + <!ENTITY SYS_GID_MAX SYSTEM "login.defs.d/SYS_GID_MAX.xml"> + <!ENTITY SYSLOG_SG_ENAB SYSTEM "login.defs.d/SYSLOG_SG_ENAB.xml"> +-<!ENTITY SYSLOG_SU_ENAB SYSTEM "login.defs.d/SYSLOG_SU_ENAB.xml"> + <!ENTITY 
SYS_UID_MAX SYSTEM "login.defs.d/SYS_UID_MAX.xml"> + <!ENTITY TCB_AUTH_GROUP SYSTEM "login.defs.d/TCB_AUTH_GROUP.xml"> + <!ENTITY TCB_SYMLINKS SYSTEM "login.defs.d/TCB_SYMLINKS.xml"> + <!ENTITY TTYGROUP SYSTEM "login.defs.d/TTYGROUP.xml"> +-<!ENTITY TTYTYPE_FILE SYSTEM "login.defs.d/TTYTYPE_FILE.xml"> + <!ENTITY UID_MAX SYSTEM "login.defs.d/UID_MAX.xml"> +-<!ENTITY ULIMIT SYSTEM "login.defs.d/ULIMIT.xml"> + <!ENTITY UMASK SYSTEM "login.defs.d/UMASK.xml"> + <!ENTITY USERDEL_CMD SYSTEM "login.defs.d/USERDEL_CMD.xml"> + <!ENTITY USERGROUPS_ENAB SYSTEM "login.defs.d/USERGROUPS_ENAB.xml"> +@@ -145,47 +114,25 @@ + <para>The following configuration items are provided:</para> + + <variablelist remap='IP'> +- &CHFN_AUTH; + &CHFN_RESTRICT; +- &CHSH_AUTH; +- &CONSOLE; +- &CONSOLE_GROUPS; + &CREATE_HOME; + &DEFAULT_HOME; + &ENCRYPT_METHOD; +- &ENV_HZ; + &ENV_PATH; + &ENV_SUPATH; +- &ENV_TZ; +- &ENVIRON_FILE; +- &ERASECHAR; + &FAIL_DELAY; +- &FAILLOG_ENAB; +- &FAKE_SHELL; +- &FTMP_FILE; + &GID_MAX; <!-- documents also GID_MIN --> + &HMAC_CRYPTO_ALGO; + &HOME_MODE; + &HUSHLOGIN_FILE; +- &ISSUE_FILE; +- &KILLCHAR; +- &LASTLOG_ENAB; + &LASTLOG_UID_MAX; +- &LOG_OK_LOGINS; + &LOG_UNKFAIL_ENAB; + &LOGIN_RETRIES; +- &LOGIN_STRING; + &LOGIN_TIMEOUT; +- &MAIL_CHECK_ENAB; + &MAIL_DIR; + &MAX_MEMBERS_PER_GROUP; +- &MD5_CRYPT_ENAB; + &MOTD_FILE; +- &NOLOGINS_FILE; + &NONEXISTENT; +- &OBSCURE_CHECKS_ENAB; +- &PASS_ALWAYS_WARN; +- &PASS_CHANGE_TRIES; + &PASS_MAX_DAYS; + &PASS_MIN_DAYS; + &PASS_WARN_AGE; +@@ -195,25 +142,16 @@ + time of account creation. Any changes to these settings won't affect + existing accounts. 
+ </para> +- &PASS_MAX_LEN; <!-- documents also PASS_MIN_LEN --> +- &PORTTIME_CHECKS_ENAB; +- "AS_ENAB; + &SHA_CRYPT_MIN_ROUNDS; <!-- documents also SHA_CRYPT_MAX_ROUNDS --> +- &SULOG_FILE; +- &SU_NAME; +- &SU_WHEEL_ONLY; + &SUB_GID_COUNT; <!-- documents also SUB_GID_MIN SUB_GID_MAX --> + &SUB_UID_COUNT; <!-- documents also SUB_UID_MIN SUB_UID_MAX --> + &SYS_GID_MAX; <!-- documents also SYS_GID_MIN --> + &SYS_UID_MAX; <!-- documents also SYS_UID_MIN --> + &SYSLOG_SG_ENAB; +- &SYSLOG_SU_ENAB; + &TCB_AUTH_GROUP; + &TCB_SYMLINKS; + &TTYGROUP; +- &TTYTYPE_FILE; + &UID_MAX; <!-- documents also UID_MIN --> +- &ULIMIT; + &UMASK; + &USERDEL_CMD; + &USERGROUPS_ENAB; +@@ -239,9 +177,7 @@ + <term>chfn</term> + <listitem> + <para> +- <phrase condition="no_pam">CHFN_AUTH</phrase> + CHFN_RESTRICT +- <phrase condition="no_pam">LOGIN_STRING</phrase> + </para> + </listitem> + </varlistentry> +@@ -249,7 +185,7 @@ + <term>chgpasswd</term> + <listitem> + <para> +- ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB ++ ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP + <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS + SHA_CRYPT_MIN_ROUNDS</phrase> + </para> +@@ -259,8 +195,6 @@ + <term>chpasswd</term> + <listitem> + <para> +- <phrase condition="no_pam">ENCRYPT_METHOD +- MD5_CRYPT_ENAB </phrase> + <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS + SHA_CRYPT_MIN_ROUNDS</phrase> + </para> +@@ -270,7 +204,7 @@ + <term>chsh</term> + <listitem> + <para> +- CHSH_AUTH LOGIN_STRING ++ CHSH_AUTH + </para> + </listitem> + </varlistentry> +@@ -280,7 +214,7 @@ + <term>gpasswd</term> + <listitem> + <para> +- ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB ++ ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP + <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS + SHA_CRYPT_MIN_ROUNDS</phrase> + </para> +@@ -339,35 +273,6 @@ + <para>LASTLOG_UID_MAX</para> + </listitem> + </varlistentry> +- <varlistentry> +- <term>login</term> +- <listitem> +- <para> +- <phrase condition="no_pam">CONSOLE</phrase> +- CONSOLE_GROUPS 
DEFAULT_HOME +- <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH +- ENV_TZ ENVIRON_FILE</phrase> +- ERASECHAR FAIL_DELAY +- <phrase condition="no_pam">FAILLOG_ENAB</phrase> +- FAKE_SHELL +- <phrase condition="no_pam">FTMP_FILE</phrase> +- HUSHLOGIN_FILE +- <phrase condition="no_pam">ISSUE_FILE</phrase> +- KILLCHAR +- <phrase condition="no_pam">LASTLOG_ENAB LASTLOG_UID_MAX</phrase> +- LOGIN_RETRIES +- <phrase condition="no_pam">LOGIN_STRING</phrase> +- LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB +- <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE +- MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB +- QUOTAS_ENAB</phrase> +- TTYGROUP TTYPERM TTYTYPE_FILE +- <phrase condition="no_pam">ULIMIT UMASK</phrase> +- USERGROUPS_ENAB +- </para> +- </listitem> +- </varlistentry> +- <!-- logoutd: no variables --> + <varlistentry> + <term>newgrp / sg</term> + <listitem> +@@ -382,7 +287,7 @@ + <para> + ENCRYPT_METHOD + GID_MAX GID_MIN +- MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB ++ MAX_MEMBERS_PER_GROUP + HOME_MODE + PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE + <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS +@@ -399,8 +304,7 @@ + <term>passwd</term> + <listitem> + <para> +- ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB +- PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN ++ ENCRYPT_METHOD + <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS + SHA_CRYPT_MIN_ROUNDS</phrase> + </para> +@@ -432,32 +336,6 @@ + </para> + </listitem> + </varlistentry> +- <varlistentry> +- <term>su</term> +- <listitem> +- <para> +- <phrase condition="no_pam">CONSOLE</phrase> +- CONSOLE_GROUPS DEFAULT_HOME +- <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase> +- ENV_PATH ENV_SUPATH +- <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB +- MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase> +- SULOG_FILE SU_NAME +- <phrase condition="no_pam">SU_WHEEL_ONLY</phrase> +- SYSLOG_SU_ENAB +- <phrase condition="no_pam">USERGROUPS_ENAB</phrase> +- </para> +- </listitem> +- 
</varlistentry> +- <varlistentry> +- <term>sulogin</term> +- <listitem> +- <para> +- ENV_HZ +- <phrase condition="no_pam">ENV_TZ</phrase> +- </para> +- </listitem> +- </varlistentry> + <varlistentry> + <term>useradd</term> + <listitem> +@@ -486,24 +364,6 @@ + </para> + </listitem> + </varlistentry> +- <varlistentry> +- <term>usermod</term> +- <listitem> +- <para> +- LASTLOG_UID_MAX +- MAIL_DIR MAIL_FILE MAX_MEMBERS_PER_GROUP +- <phrase condition="tcb">TCB_SYMLINKS USE_TCB</phrase> +- </para> +- </listitem> +- </varlistentry> +- <varlistentry condition="tcb"> +- <term>vipw</term> +- <listitem> +- <para> +- <phrase condition="tcb">USE_TCB</phrase> +- </para> +- </listitem> +- </varlistentry> + </variablelist> + </refsect1> + +-- +2.38.1 + Added: 0003-Add-Arch-Linux-defaults-for-login.defs.patch =================================================================== --- 0003-Add-Arch-Linux-defaults-for-login.defs.patch (rev 0) +++ 0003-Add-Arch-Linux-defaults-for-login.defs.patch 2022-11-06 13:07:49 UTC (rev 460775) 
@@ -0,0 +1,73 @@ +From ea4efaa94e473474b9cba0d38de414c9e4cbca69 Mon Sep 17 00:00:00 2001 +From: David Runge <[email protected]> +Date: Mon, 31 Oct 2022 10:10:22 +0100 +Subject: [PATCH 3/4] Add Arch Linux defaults for login.defs + +etc/login.defs: +Change ENV_SUPATH and ENV_SUPATH to only use +/usr/local/sbin:/usr/local/bin:/usr/bin as Arch Linux is a /usr merge +and bin merge distribution. +Change UMASK to 077 as it is considered a more privacy conserving +default than 022. +Change SYS_UID_MIN and SYS_GID_MIN to 500 which gives more space for +distribution added UIDs and GIDs. +Change ENCRYPT_METHOD to SHA512 as it is a safer hashing algorithm than +DES. +--- + etc/login.defs | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/etc/login.defs b/etc/login.defs +index 7c633a57..ea841257 100644 +--- a/etc/login.defs ++++ b/etc/login.defs +@@ -55,8 +55,8 @@ HUSHLOGIN_FILE .hushlogin + # *REQUIRED* The default PATH settings, for superuser and normal users. + # + # (they are minimal, add the rest in the shell startup files) +-ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin +-ENV_PATH PATH=/bin:/usr/bin ++ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin ++ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin + + # + # Terminal permissions +@@ -79,7 +79,7 @@ TTYPERM 0600 + # 022 is the default value, but 027, or even 077, could be considered + # for increased privacy. There is no One True Answer here: each sysadmin + # must make up their mind. +-UMASK 022 ++UMASK 077 + + # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new + # home directories. 
+@@ -103,7 +103,7 @@ PASS_WARN_AGE 7 + UID_MIN 1000 + UID_MAX 60000 + # System accounts +-SYS_UID_MIN 101 ++SYS_UID_MIN 500 + SYS_UID_MAX 999 + # Extra per user uids + SUB_UID_MIN 100000 +@@ -116,7 +116,7 @@ SUB_UID_COUNT 65536 + GID_MIN 1000 + GID_MAX 60000 + # System accounts +-SYS_GID_MIN 101 ++SYS_GID_MIN 500 + SYS_GID_MAX 999 + # Extra per user group ids + SUB_GID_MIN 100000 +@@ -153,7 +153,7 @@ CHFN_RESTRICT rwh + # Note: If you use PAM, it is recommended to use a value consistent with + # the PAM modules configuration. + # +-#ENCRYPT_METHOD DES ++ENCRYPT_METHOD SHA512 + + # + # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. +-- +2.38.1 + Added: 0004-Add-Arch-Linux-defaults-for-etc-pam.d.patch =================================================================== --- 0004-Add-Arch-Linux-defaults-for-etc-pam.d.patch (rev 0) +++ 0004-Add-Arch-Linux-defaults-for-etc-pam.d.patch 2022-11-06 13:07:49 UTC (rev 460775) 
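Review bot: `ENCRYPT_METHOD SHA512` is the weakest of the password hashes this build enables — the PKGBUILD on this page passes `--with-bcrypt` and `--with-yescrypt` to configure, and the patch description only justifies SHA512 against DES. If the distribution wants yescrypt, this line (`ENCRYPT_METHOD YESCRYPT`) and the hard-coded `sha512` arguments on the pam_unix password lines in patch 0004 have to change together, because the comment directly above this line warns against login.defs and the PAM configuration disagreeing; whichever value is kept, the patch description should state why. The SHA_CRYPT_MIN_ROUNDS setting that follows the visible context is not shown, so I cannot tell whether the default round count was also revisited. Separately, ENV_PATH is now identical to ENV_SUPATH, so unprivileged users get /usr/local/sbin on their default PATH; with login and su provided by util-linux it is unclear which remaining shadow tool still consumes these values, and a sentence about that in the patch description would help.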
@@ -0,0 +1,201 @@ +From 440f7bcaad147729629640ddb06bc9e82f173efc Mon Sep 17 00:00:00 2001 +From: David Runge <[email protected]> +Date: Sat, 5 Nov 2022 22:52:58 +0100 +Subject: [PATCH 4/4] Add Arch Linux defaults for /etc/pam.d/ + +etc/pam.d/Makefile.am: +Disable chfn, chsh and login. +Enable shadow. +Always install the PAM integration for the account tools (even if they +are not setuid). + +etc/pam.d/{chage,chpasswd,group{add,del,mod},newusers,passwd,shadow,user{add,del,mod}}: +Add distribution defaults for Arch Linux. + +s +--- + etc/pam.d/Makefile.am | 7 ++----- + etc/pam.d/chage | 6 ++++-- + etc/pam.d/chpasswd | 6 ++++-- + etc/pam.d/groupadd | 6 ++++-- + etc/pam.d/groupdel | 6 ++++-- + etc/pam.d/groupmod | 6 ++++-- + etc/pam.d/newusers | 6 ++++-- + etc/pam.d/passwd | 4 +--- + etc/pam.d/shadow | 6 ++++++ + etc/pam.d/useradd | 6 ++++-- + etc/pam.d/userdel | 6 ++++-- + etc/pam.d/usermod | 6 ++++-- + 12 files changed, 45 insertions(+), 26 deletions(-) + create mode 100644 etc/pam.d/shadow + +diff --git a/etc/pam.d/Makefile.am b/etc/pam.d/Makefile.am +index 38ff26ae..41e43e01 100644 +--- a/etc/pam.d/Makefile.am ++++ b/etc/pam.d/Makefile.am +@@ -2,10 +2,8 @@ + # and also cooperate to make a distribution for `make dist' + + pamd_files = \ +- chfn \ +- chsh \ + groupmems \ +- login \ ++ shadow \ + passwd + + pamd_acct_tools_files = \ +@@ -23,10 +21,9 @@ pamd_acct_tools_files = \ + if USE_PAM + pamddir = $(sysconfdir)/pam.d + pamd_DATA = $(pamd_files) +-if ACCT_TOOLS_SETUID ++# NOTE: we are always installing the PAM integration for the account tools + pamd_DATA += $(pamd_acct_tools_files) + endif +-endif + + if WITH_SU + pamd_files += su +diff --git a/etc/pam.d/chage b/etc/pam.d/chage +index 8f49f5cc..a7bf8a4a 100644 +--- a/etc/pam.d/chage ++++ b/etc/pam.d/chage +@@ -1,4 +1,6 @@ + #%PAM-1.0 + auth sufficient pam_rootok.so +-account required pam_permit.so +-password include system-auth ++auth required pam_unix.so ++account required pam_unix.so ++session required 
pam_unix.so ++password required pam_permit.so +diff --git a/etc/pam.d/chpasswd b/etc/pam.d/chpasswd +index 8f49f5cc..5d447985 100644 +--- a/etc/pam.d/chpasswd ++++ b/etc/pam.d/chpasswd +@@ -1,4 +1,6 @@ + #%PAM-1.0 + auth sufficient pam_rootok.so +-account required pam_permit.so +-password include system-auth ++auth required pam_unix.so ++account required pam_unix.so ++session required pam_unix.so ++password required pam_unix.so sha512 shadow +diff --git a/etc/pam.d/groupadd b/etc/pam.d/groupadd +index 8f49f5cc..a7bf8a4a 100644 +--- a/etc/pam.d/groupadd ++++ b/etc/pam.d/groupadd +@@ -1,4 +1,6 @@ + #%PAM-1.0 + auth sufficient pam_rootok.so +-account required pam_permit.so +-password include system-auth ++auth required pam_unix.so ++account required pam_unix.so ++session required pam_unix.so ++password required pam_permit.so +diff --git a/etc/pam.d/groupdel b/etc/pam.d/groupdel +index 8f49f5cc..a7bf8a4a 100644 +--- a/etc/pam.d/groupdel ++++ b/etc/pam.d/groupdel +@@ -1,4 +1,6 @@ + #%PAM-1.0 + auth sufficient pam_rootok.so +-account required pam_permit.so +-password include system-auth ++auth required pam_unix.so ++account required pam_unix.so ++session required pam_unix.so ++password required pam_permit.so +diff --git a/etc/pam.d/groupmod b/etc/pam.d/groupmod +index 8f49f5cc..a7bf8a4a 100644 +--- a/etc/pam.d/groupmod ++++ b/etc/pam.d/groupmod +@@ -1,4 +1,6 @@ + #%PAM-1.0 + auth sufficient pam_rootok.so +-account required pam_permit.so +-password include system-auth ++auth required pam_unix.so ++account required pam_unix.so ++session required pam_unix.so ++password required pam_permit.so +diff --git a/etc/pam.d/newusers b/etc/pam.d/newusers +index 8f49f5cc..5d447985 100644 +--- a/etc/pam.d/newusers ++++ b/etc/pam.d/newusers +@@ -1,4 +1,6 @@ + #%PAM-1.0 + auth sufficient pam_rootok.so +-account required pam_permit.so +-password include system-auth ++auth required pam_unix.so ++account required pam_unix.so ++session required pam_unix.so ++password required pam_unix.so 
sha512 shadow +diff --git a/etc/pam.d/passwd b/etc/pam.d/passwd +index 731c0d36..08d819b2 100644 +--- a/etc/pam.d/passwd ++++ b/etc/pam.d/passwd +@@ -1,4 +1,2 @@ + #%PAM-1.0 +-auth include system-auth +-account include system-auth +-password include system-auth ++password required pam_unix.so sha512 shadow nullok +diff --git a/etc/pam.d/shadow b/etc/pam.d/shadow +new file mode 100644 +index 00000000..a7bf8a4a +--- /dev/null ++++ b/etc/pam.d/shadow +@@ -0,0 +1,6 @@ ++#%PAM-1.0 ++auth sufficient pam_rootok.so ++auth required pam_unix.so ++account required pam_unix.so ++session required pam_unix.so ++password required pam_permit.so +diff --git a/etc/pam.d/useradd b/etc/pam.d/useradd +index 8f49f5cc..a7bf8a4a 100644 +--- a/etc/pam.d/useradd ++++ b/etc/pam.d/useradd +@@ -1,4 +1,6 @@ + #%PAM-1.0 + auth sufficient pam_rootok.so +-account required pam_permit.so +-password include system-auth ++auth required pam_unix.so ++account required pam_unix.so ++session required pam_unix.so ++password required pam_permit.so +diff --git a/etc/pam.d/userdel b/etc/pam.d/userdel +index 8f49f5cc..a7bf8a4a 100644 +--- a/etc/pam.d/userdel ++++ b/etc/pam.d/userdel +@@ -1,4 +1,6 @@ + #%PAM-1.0 + auth sufficient pam_rootok.so +-account required pam_permit.so +-password include system-auth ++auth required pam_unix.so ++account required pam_unix.so ++session required pam_unix.so ++password required pam_permit.so +diff --git a/etc/pam.d/usermod b/etc/pam.d/usermod +index 8f49f5cc..a7bf8a4a 100644 +--- a/etc/pam.d/usermod ++++ b/etc/pam.d/usermod +@@ -1,4 +1,6 @@ + #%PAM-1.0 + auth sufficient pam_rootok.so +-account required pam_permit.so +-password include system-auth ++auth required pam_unix.so ++account required pam_unix.so ++session required pam_unix.so ++password required pam_permit.so +-- +2.38.1 + Modified: PKGBUILD =================================================================== --- PKGBUILD 2022-11-06 12:16:41 UTC (rev 460774) +++ PKGBUILD 2022-11-06 13:07:49 UTC (rev 460775) 
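Review bot: The new etc/pam.d/passwd stack is a single `password required pam_unix.so sha512 shadow nullok` line, so no password-quality module runs and `nullok` lets accounts whose password field is empty go through the change; that matches the Arch `passwd` file deleted lower on this page, but that file at least carried commented `pam_cracklib`/`use_authtok` example lines, which this patch drops. Keep a hint such as `#password required pam_pwquality.so retry=3` above the pam_unix line (with `use_authtok` on the pam_unix line when it is enabled) so administrators can see where strength checks belong. chgpasswd is the one account tool whose PAM file this patch does not rewrite, so it keeps upstream's `password include system-auth` while its sibling chpasswd now hard-codes `pam_unix.so sha512 shadow`; if that asymmetry is intended, say so in the patch description. The stray `s` line in the patch body just before the diffstat looks like a leftover from editing the commit message.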
@@ -4,7 +4,7 @@ pkgname=shadow pkgver=4.11.1 -pkgrel=3 +pkgrel=4 pkgdesc="Password and account management tool suite with support for shadow files and PAM" arch=(x86_64) url="https://github.com/shadow-maint/shadow" @@ -17,7 +17,7 @@ libxcrypt libcrypt.so pam libpam.so libpam_misc.so ) -makedepends=(libcap) +makedepends=(docbook-xsl git itstool libcap libxslt) backup=( etc/default/useradd etc/login.defs 
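Review bot: `git` in the new makedepends has no visible consumer — prepare() drives patch(1) and `autoreconf -fiv`, and the sources are a signed release tarball plus local files — so unless the shadow man-page or autotools machinery shells out to git, drop it to keep the build closure minimal: `makedepends=(docbook-xsl itstool libcap libxslt)`. If it is genuinely needed, a trailing comment naming the consumer would save the next reviewer the same question. The docbook-xsl/libxslt/itstool additions are consistent with the new `--enable-man` configure flag further down.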
@@ -24,66 +24,73 @@ etc/pam.d/{chage,{,ch,chg}passwd,group{add,del,mems,mod},newusers,shadow,user{add,del,mod}} ) options=(debug !emptydirs) +# NOTE: distribution patches are taken from https://gitlab.archlinux.org/archlinux/packaging/upstream/shadow/-/commits/v4.11.1.arch2 source=( https://github.com/shadow-maint/shadow/releases/download/v$pkgver/shadow-$pkgver.tar.xz{,.asc} - chgpasswd - chpasswd - defaults.pam - newusers - passwd + 0001-Disable-replaced-tools-and-man-pages.patch + 0002-Adapt-login.defs-for-PAM-and-util-linux.patch + 0003-Add-Arch-Linux-defaults-for-login.defs.patch + 0004-Add-Arch-Linux-defaults-for-etc-pam.d.patch shadow.{timer,service} useradd.defaults - $pkgname-4.11.1-login.defs.patch ) sha512sums=('12fbe4d6ac929ad3c21525ed0f1026b5b678ccec9762f2ec7e611d9c180934def506325f2835fb750dd30af035b592f827ff151cd6e4c805aaaf8e01425c279f' 'SKIP' - 'aef316f283a0ba0387afd5bd049b20d748dcfe8aebc5f5ea1ce1308167d6a578ae7d0007a5ed4d9862de7d377851edd2c8771e1fb1076262468078c2c76e42fc' - 'dc75dfeafa901f9988176b82ef9db5d927dfe687a72ca36ca13ba3e7ac1b0c8055db1104373f2a7ac463e156f079cbc1f0a9f5e6e16b9f74153eb63dcb8f96df' - '41c856d893c4157b158d79341fe2b1892be463e17f7a007f1c17397b5625c1d2d5671bc0b37879064ae715a918fb9b05c32d18d1aaa64284cddd8ecbda9b2434' - 'dc75dfeafa901f9988176b82ef9db5d927dfe687a72ca36ca13ba3e7ac1b0c8055db1104373f2a7ac463e156f079cbc1f0a9f5e6e16b9f74153eb63dcb8f96df' - '4fb7474ea9dedf86e4c65bf18f503a6d8c00d477a7c32be3cfdfd026bd62ef866d009c50e5a2dc2101bea332c5697bc1e0d55225f39c83252860f5b9b7461aeb' + '495edd2eb2c6ed36121fd5a73e112e5a7c7c15b10c00fc5cf31c8c8671a2317581f9d4468871b69d8302e18decf91e0ed4c37ea875e00a83a3bc14e7edcdd168' + 'f6c6ecf958714df3dd74cfef3e33f6d8def82645fdccbed034e330eeffe87a54491e774a237b18fb097695ed9314bb29f7ca39d8d93e642557f558daa0d0e9c3' + '9aaddc6919b513adff5e07ba9f4cfefe294aa98ba60274d90cf56ba4bb0df8f4205e04aa7752bcd830d48d96bd30e4640a10cdaf1bb8472e87e1d4b67a313eb9' + 
'a3d39d452a8ad51e8801be09f54b11ee18c1d8b1625c78e190b649923429c98ad6f06237a1fbfb2ccabbd8656dd46419444bf2b51bf433e3d89f14d9e2723270' 'e4edf705dd04e088c6b561713eaa1afeb92f42ac13722bff037aede6ac5ad7d4d00828cfb677f7b1ff048db8b6788238c1ab6a71dfcfd3e02ef6cb78ae09a621' '67a49415f676a443f81021bfa29d198462008da1224086f8c549b19c2fd21514ca3302d5ac23edec28b9c724fef921596586423ebe41e852ebfbe7216af727e6' - 'e9ffea021ee4031b9ad3a534bfb94dbf9d0dfd45a55ecac5dedb2453ea0c17fb80bbb9ad039686bc1f3349dc371977eb548e3a665c56531469c22f29fc4eced8' - 'f5f1fad77363db46ca513c76f22654924dd732cdf2e596fcfccb0a47a70d6099b6705e90adb661cd45af076959ef1f9f6bba66942500e603df9421caa9ed2f80') + 'e9ffea021ee4031b9ad3a534bfb94dbf9d0dfd45a55ecac5dedb2453ea0c17fb80bbb9ad039686bc1f3349dc371977eb548e3a665c56531469c22f29fc4eced8') b2sums=('d459a1e0ffb342b6b455caf65e6af60b32eee72d4a9b1ab126485fb4632503a42061d3f0b960554c8155af6dc0564c585335b27aecca6538b394a0d58d927588' 'SKIP' - '31e74eebedf8cb6e5ade36096b4399892d7091b9dce4645fde591f64802dc8befd73ae8019e78f8d326a605b224c7828694d21788bd6073db43c41cf5a9c2805' - '1518839dbfe12f2f55190976de808515f93eb8c06f1570f02780a5ce8c237e0be43aa7cd0fbbe4c88af1f641586e4d3cf122896d97c7594ef72991e1801ee666' - '5fde901d7d29995523cf261de973cc053265f37cf8fecc5511ccfff35a6ef4308f8cf36dc94e37c8b7604694ffa6ab87331c9b533b3538c6f7d7d911c9f94d19' - '1518839dbfe12f2f55190976de808515f93eb8c06f1570f02780a5ce8c237e0be43aa7cd0fbbe4c88af1f641586e4d3cf122896d97c7594ef72991e1801ee666' - '5b4e20609d38dcec82eae66acdfb7d45288574e7bf9684fa0f66bc0fb1c45cd78ee503d04a5084e28755fb7a1c6cea95854c93b33d76ab20964f45420c68403c' + '1df7f3b7a7637f2977ee581fefa4a56f92ad57585d140bdd4aeef90e51a36568d7624657fdb81aa53b8114ca9d0bd8ba1eb67110c4bc8d36a4c26229b5170c0a' + '2e17e67bd9671aeb6897c116b8ecf69acd0da073515ecc14fb42a83bafded0ad3532ddafcbed3e303d3f8511f7c5430bd50a9b8b808f578952eab476bdc46dfb' + 
'c3145b63e42d2e25d702c59787889ebd13acdb1e97416119dd8dd5a6035f6c5f52c32f46c282f0ba4401c43c92bcc5fdb237c7b1d04c3a53da63e9774bf42a61' + '85009831f3e2ad74801393b7d6351f0a553517706b2bd0a72daf379b903768ffcaa9696340abcbc489f3364e50ca5d287430b72cef0cf504d5e25728fe0dc8a4' '5cfc936555aa2b2e15f8830ff83764dad6e11a80e2a102c5f2bd3b7c83db22a5457a3afdd182e3648c9d7d5bca90fa550f59576d0ac47a11a31dfb636cb18f2b' '4a9cb6fe6658f2182655d42761d9d669654c6f0e891610e1b7fd256ce32a561f05e71daf8e473d98f16f5ee9d16d46a097a2d0de42eac58b4ce3be1525a74856' - 'd5bea0cfc2e6d3d1749c65440ca911533d41b6f8117fe09e9efec23524637cfa823d230303a7fbb45d3cd251bf8036d48b9b21049ced208f7ed191fcbd75e879' - 'ecc517a22ba12bd7afa3a0eefb68febf27b164cfac6502e66930bd12c62947ae362b4113472544fddc2f39e9c64d78cc662605a359c9988baaba8613d4c0f468') -validpgpkeys=('66D0387DB85D320F8408166DB175CFA98F192AF2') # Serge Hallyn <[email protected]> + 'd5bea0cfc2e6d3d1749c65440ca911533d41b6f8117fe09e9efec23524637cfa823d230303a7fbb45d3cd251bf8036d48b9b21049ced208f7ed191fcbd75e879') +validpgpkeys=(66D0387DB85D320F8408166DB175CFA98F192AF2) # Serge Hallyn <[email protected]> prepare() { - # comment options that are taken over by util-linux and apply defaults - patch -Np1 -d $pkgname-$pkgver -i ../$pkgname-4.11.1-login.defs.patch + local filename + + cd $pkgname-$pkgver + for filename in "${source[@]}"; do + if [[ "$filename" =~ \.patch$ ]]; then + printf "Applying patch %s\n" "${filename##*/}" + patch -Np1 -i "$srcdir/${filename##*/}" + fi + done + + autoreconf -fiv } build() { + local configure_options=( + --prefix=/usr + --bindir=/usr/bin + --sbindir=/usr/bin + --libdir=/usr/lib + --mandir=/usr/share/man + --sysconfdir=/etc + --disable-account-tools-setuid + --enable-man + --with-fcaps + --with-libpam + --with-group-name-max-length=32 + --with-audit + --with-bcrypt + --with-yescrypt + --without-selinux + --without-su + ) + cd $pkgname-$pkgver + ./configure "${configure_options[@]}" - ./configure \ - --prefix=/usr \ - --bindir=/usr/bin \ - 
--sbindir=/usr/bin \ - --libdir=/usr/lib \ - --mandir=/usr/share/man \ - --sysconfdir=/etc \ - --disable-account-tools-setuid \ - --with-fcaps \ - --with-libpam \ - --with-group-name-max-length=32 \ - --with-audit \ - --with-bcrypt \ - --with-yescrypt \ - --without-selinux \ - --without-su - # prevent excessive overlinking due to libtool sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool make 
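Review bot: prepare() now applies every source entry matching `\.patch$` in source-array order, and the order matters — patch 0002 and patch 0003 both edit etc/login.defs — but nothing says so; add `# applied in source-array order: keep the 000N prefixes sorted` above the `for` loop. The regex is also tested against the full source string while `-i` receives `${filename##*/}`, so a future `localname::url` entry would be filtered on its URL rather than on the file actually handed to patch; testing the same `${filename##*/}` expression in both places keeps the filter and the argument in agreement. Both points are hygiene for future edits rather than defects in the four local patches used today.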
@@ -106,42 +113,4 @@ install -vDm 644 ../shadow.service -t "$pkgdir/usr/lib/systemd/system/" install -vdm 755 "$pkgdir/usr/lib/systemd/system/timers.target.wants" ln -s ../shadow.timer "$pkgdir/usr/lib/systemd/system/timers.target.wants/shadow.timer" - - # PAM config - custom - rm "$pkgdir/etc/pam.d"/* - install -vDm 644 ../{passwd,chgpasswd,chpasswd,newusers} -t "$pkgdir/etc/pam.d/" - - # PAM config - from tarball - install -vDm 644 etc/pam.d/groupmems -t "$pkgdir/etc/pam.d/" - - # we use the 'useradd' PAM file for other similar utilities - for file in chage group{add,del,mod} shadow user{add,del,mod}; do - install -vDm 644 ../defaults.pam "$pkgdir/etc/pam.d/$file" - done - - # Remove evil/broken tools - rm -v "$pkgdir"/usr/sbin/logoutd - - # Remove utilities provided by util-linux - rm -v "$pkgdir"/usr/{bin/{login,chsh,chfn,sg,nologin},sbin/{vipw,vigr}} - - # but we keep newgrp, as sg is really an alias to it - mv -v "$pkgdir"/usr/bin/{newgrp,sg} - - # ...and their many man pages - find "$pkgdir"/usr/share/man \ - '(' -name 'chsh.1' -o \ - -name 'chfn.1' -o \ - -name 'su.1' -o \ - -name 'logoutd.8' -o \ - -name 'login.1' -o \ - -name 'nologin.8' -o \ - -name 'vipw.8' -o \ - -name 'vigr.8' -o \ - -name 'newgrp.1' ')' \ - -delete - - # move everything else to /usr/bin, because this isn't handled by ./configure - mv -v "$pkgdir"/usr/sbin/* "$pkgdir"/usr/bin - rmdir -v "$pkgdir/usr/sbin" } Deleted: chgpasswd =================================================================== --- chgpasswd 2022-11-06 12:16:41 UTC (rev 460774) +++ chgpasswd 2022-11-06 13:07:49 UTC (rev 460775) @@ -1,4 +0,0 @@ -#%PAM-1.0 -auth sufficient pam_rootok.so -account required pam_permit.so -password include system-auth Deleted: chpasswd =================================================================== --- chpasswd 2022-11-06 12:16:41 UTC (rev 460774) +++ chpasswd 2022-11-06 13:07:49 UTC (rev 460775) 
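Review bot: Dropping the explicit `rm`/`mv` lines means package() now trusts the patched Makefiles to keep login, chfn, chsh, nologin, vipw, vigr and su out of the package and to install nothing under /usr/sbin; a future upstream bump that re-adds one of those tools or a Makefile.am rule would then only surface as a file conflict with util-linux at install time. A cheap guard at the end of package() turns that into a build failure: `test ! -e "$pkgdir/usr/sbin"` followed by `for f in login chfn chsh nologin vipw vigr su; do test ! -e "$pkgdir/usr/bin/$f"; done`. The start of package() is outside this hunk.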
@@ -1,6 +0,0 @@ -#%PAM-1.0 -auth sufficient pam_rootok.so -auth required pam_unix.so -account required pam_unix.so -session required pam_unix.so -password required pam_unix.so sha512 shadow Deleted: defaults.pam =================================================================== --- defaults.pam 2022-11-06 12:16:41 UTC (rev 460774) +++ defaults.pam 2022-11-06 13:07:49 UTC (rev 460775) @@ -1,6 +0,0 @@ -#%PAM-1.0 -auth sufficient pam_rootok.so -auth required pam_unix.so -account required pam_unix.so -session required pam_unix.so -password required pam_permit.so Deleted: newusers =================================================================== --- newusers 2022-11-06 12:16:41 UTC (rev 460774) +++ newusers 2022-11-06 13:07:49 UTC (rev 460775) @@ -1,6 +0,0 @@ -#%PAM-1.0 -auth sufficient pam_rootok.so -auth required pam_unix.so -account required pam_unix.so -session required pam_unix.so -password required pam_unix.so sha512 shadow Deleted: passwd =================================================================== --- passwd 2022-11-06 12:16:41 UTC (rev 460774) +++ passwd 2022-11-06 13:07:49 UTC (rev 460775) @@ -1,4 +0,0 @@ -#%PAM-1.0 -#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 -#password required pam_unix.so sha512 shadow use_authtok -password required pam_unix.so sha512 shadow nullok Deleted: shadow-4.11.1-login.defs.patch =================================================================== --- shadow-4.11.1-login.defs.patch 2022-11-06 12:16:41 UTC (rev 460774) +++ shadow-4.11.1-login.defs.patch 2022-11-06 13:07:49 UTC (rev 460775) 
@@ -1,308 +0,0 @@ -diff --git i/etc/login.defs w/etc/login.defs -index 114dbcd9..4cb8cdf5 100644 ---- i/etc/login.defs -+++ w/etc/login.defs -@@ -3,6 +3,8 @@ - # - # $Id$ - # -+# This file is adapted for the use on Arch Linux. -+# Options unsupported due to the use of util-linux or PAM are commented. - - # - # Delay in seconds before being allowed another attempt after a login failure -@@ -14,7 +16,7 @@ FAIL_DELAY 3 - # - # Enable logging and display of /var/log/faillog login(1) failure info. - # --FAILLOG_ENAB yes -+# FAILLOG_ENAB is currently not supported - - # - # Enable display of unknown usernames when login(1) failures are recorded. -@@ -24,12 +26,12 @@ LOG_UNKFAIL_ENAB no - # - # Enable logging of successful logins - # --LOG_OK_LOGINS no -+# LOG_OK_LOGINS is currently not supported - - # - # Enable logging and display of /var/log/lastlog login(1) time info. - # --LASTLOG_ENAB yes -+# LASTLOG_ENAB is currently not supported - - # - # Limit the highest user ID number for which the lastlog entries should -@@ -46,28 +48,28 @@ LASTLOG_ENAB yes - # Disable if the shell startup files already check for mail - # ("mailx -e" or equivalent). - # --MAIL_CHECK_ENAB yes -+# MAIL_CHECK_ENAB is currently not supported - - # - # Enable additional checks upon password changes. - # --OBSCURE_CHECKS_ENAB yes -+# OBSCURE_CHECKS_ENAB is currently not supported - - # - # Enable checking of time restrictions specified in /etc/porttime. - # --PORTTIME_CHECKS_ENAB yes -+# PORTTIME_CHECKS_ENAB is currently not supported - - # - # Enable setting of ulimit, umask, and niceness from passwd(5) gecos field. - # --QUOTAS_ENAB yes -+# QUOTAS_ENAB is currently not supported - - # - # Enable "syslog" logging of su(1) activity - in addition to sulog file logging. - # SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1). 
- # --SYSLOG_SU_ENAB yes -+# SYSLOG_SU_ENAB is currently not supported - SYSLOG_SG_ENAB yes - - # -@@ -75,44 +77,43 @@ SYSLOG_SG_ENAB yes - # a ":" delimited list of device names. Root logins will be allowed only - # from these devices. - # --CONSOLE /etc/securetty --#CONSOLE console:tty01:tty02:tty03:tty04 -+# CONSOLE is currently not supported - - # - # If defined, all su(1) activity is logged to this file. - # --#SULOG_FILE /var/log/sulog -+# SULOG_FILE is currently not supported - - # - # If defined, ":" delimited list of "message of the day" files to - # be displayed upon login. - # --MOTD_FILE /etc/motd -+MOTD_FILE - #MOTD_FILE /etc/motd:/usr/lib/news/news-motd - - # - # If defined, this file will be output before each login(1) prompt. - # --#ISSUE_FILE /etc/issue -+# ISSUE_FILE is currently not supported - - # - # If defined, file which maps tty line to TERM environment parameter. - # Each line of the file is in a format similar to "vt100 tty01". - # --#TTYTYPE_FILE /etc/ttytype -+# TTYTYPE_FILE is currently not supported - - # - # If defined, login(1) failures will be logged here in a utmp format. - # last(1), when invoked as lastb(1), will read /var/log/btmp, so... - # --FTMP_FILE /var/log/btmp -+# FTMP_FILE is currently not supported - - # - # If defined, name of file whose presence will inhibit non-root - # logins. The content of this file should be a message indicating - # why logins are inhibited. - # --NOLOGINS_FILE /etc/nologin -+# NOLOGINS_FILE is currently not supported - - # - # If defined, the command name to display when running "su -". For -@@ -120,7 +121,7 @@ NOLOGINS_FILE /etc/nologin - # command as "-su". If not defined, then ps(1) will display the - # name of the shell actually being run, e.g. something like "-sh". 
- # --SU_NAME su -+# SU_NAME is currently not supported - - # - # *REQUIRED* -@@ -143,23 +144,22 @@ HUSHLOGIN_FILE .hushlogin - # If defined, either a TZ environment parameter spec or the - # fully-rooted pathname of a file containing such a spec. - # --#ENV_TZ TZ=CST6CDT --#ENV_TZ /etc/tzname -+# ENV_TZ is currently not supported - - # - # If defined, an HZ environment parameter spec. - # - # for Linux/x86 --ENV_HZ HZ=100 -+# ENV_HZ HZ=100 - # For Linux/Alpha... --#ENV_HZ HZ=1024 -+# ENV_HZ is currently not supported - - # - # *REQUIRED* The default PATH settings, for superuser and normal users. - # - # (they are minimal, add the rest in the shell startup files) --ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin --ENV_PATH PATH=/bin:/usr/bin -+ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin -+ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin - - # - # Terminal permissions -@@ -188,9 +188,9 @@ TTYPERM 0600 - # - # Prefix these values with "0" to get octal, "0x" to get hexadecimal. - # --ERASECHAR 0177 --KILLCHAR 025 --#ULIMIT 2097152 -+# ERASECHAR is currently not supported -+# KILLCHAR is currently not supported -+# ULIMIT is currently not supported - - # Default initial "umask" value used by login(1) on non-PAM enabled systems. - # Default "umask" value for pam_umask(8) on PAM enabled systems. -@@ -199,7 +199,7 @@ KILLCHAR 025 - # 022 is the default value, but 027, or even 077, could be considered - # for increased privacy. There is no One True Answer here: each sysadmin - # must make up their mind. --UMASK 022 -+UMASK 077 - - # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new - # home directories. -@@ -216,7 +216,7 @@ UMASK 022 - # - PASS_MAX_DAYS 99999 - PASS_MIN_DAYS 0 --PASS_MIN_LEN 5 -+# PASS_MIN_LEN is currently not supported - PASS_WARN_AGE 7 - - # -@@ -225,12 +225,12 @@ PASS_WARN_AGE 7 - # to uid 0 accounts. If the group doesn't exist or is empty, no one - # will be able to "su" to uid 0. 
- # --SU_WHEEL_ONLY no -+# SU_WHEEL_ONLY is currently not supported - - # - # If compiled with cracklib support, sets the path to the dictionaries - # --CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict -+# CRACKLIB_DICTPATH is currently not supported - - # - # Min/max values for automatic uid selection in useradd(8) -@@ -238,7 +238,7 @@ CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict - UID_MIN 1000 - UID_MAX 60000 - # System accounts --SYS_UID_MIN 101 -+SYS_UID_MIN 500 - SYS_UID_MAX 999 - # Extra per user uids - SUB_UID_MIN 100000 -@@ -251,7 +251,7 @@ SUB_UID_COUNT 65536 - GID_MIN 1000 - GID_MAX 60000 - # System accounts --SYS_GID_MIN 101 -+SYS_GID_MIN 500 - SYS_GID_MAX 999 - # Extra per user group ids - SUB_GID_MIN 100000 -@@ -271,24 +271,24 @@ LOGIN_TIMEOUT 60 - # - # Maximum number of attempts to change password if rejected (too easy) - # --PASS_CHANGE_TRIES 5 -+# PASS_CHANGE_TRIES is currently not supported - - # - # Warn about weak passwords (but still allow them) if you are root. - # --PASS_ALWAYS_WARN yes -+# PASS_ALWAYS_WARN is currently not supported - - # - # Number of significant characters in the password for crypt(). - # Default is 8, don't change unless your crypt() is better. - # Ignored if MD5_CRYPT_ENAB set to "yes". - # --#PASS_MAX_LEN 8 -+# PASS_MAX_LEN is currently not supported - - # - # Require password before chfn(1)/chsh(1) can make any changes. - # --CHFN_AUTH yes -+# CHFN_AUTH is currently not supported - - # - # Which fields may be changed by regular users using chfn(1) - use -@@ -303,7 +303,7 @@ CHFN_RESTRICT rwh - # - # XXX - it doesn't work correctly yet, for now leave it commented out - # to use the default which is just "Password: ". --#LOGIN_STRING "%s's Password: " -+# LOGIN_STRING is currently not supported - - # - # Only works if compiled with MD5_CRYPT defined: -@@ -318,7 +318,7 @@ CHFN_RESTRICT rwh - # - # This variable is deprecated. You should use ENCRYPT_METHOD instead. 
- # --#MD5_CRYPT_ENAB no -+# MD5_CRYPT_ENAB is currently not supported - - # - # Only works if compiled with ENCRYPTMETHOD_SELECT defined: -@@ -334,7 +334,7 @@ CHFN_RESTRICT rwh - # Note: If you use PAM, it is recommended to use a value consistent with - # the PAM modules configuration. - # --#ENCRYPT_METHOD DES -+ENCRYPT_METHOD SHA512 - - # - # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. -@@ -390,7 +390,7 @@ CHFN_RESTRICT rwh - # access to these groups, even when not logged in from the console. - # How to do it is left as an exercise for the reader... - # --#CONSOLE_GROUPS floppy:audio:cdrom -+# CONSOLE_GROUPS is currently not supported - - # - # Should login be allowed if we can't cd to the home directory? -@@ -410,7 +410,7 @@ NONEXISTENT /nonexistent - # If this file exists and is readable, login environment will be - # read from it. Every line should be in the form name=value. - # --ENVIRON_FILE /etc/environment -+# ENVIRON_FILE is currently not supported - - # - # If defined, this command is run when removing a user. -@@ -465,7 +465,7 @@ USERGROUPS_ENAB yes - # Set to "yes" to prevent for all accounts - # Set to "superuser" to prevent for UID 0 / root (default) - # Set to "no" to not prevent for any account (dangerous, historical default) --PREVENT_NO_AUTH superuser -+# PREVENT_NO_AUTH is currently not supported - - # - # Select the HMAC cryptography algorithm.
