summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMike Frysinger <vapier@gentoo.org>2005-10-10 22:42:44 +0000
committerMike Frysinger <vapier@gentoo.org>2005-10-10 22:42:44 +0000
commit055432c7acaed04e674f5564b9144cc3cef735f8 (patch)
treee4ecab89c1ff02e42285ad6f8333ea4b27ea04cd /sys-apps/shadow
parent~alpha keyword, bug 107346. (diff)
downloadgentoo-2-055432c7acaed04e674f5564b9144cc3cef735f8.tar.gz
gentoo-2-055432c7acaed04e674f5564b9144cc3cef735f8.tar.bz2
gentoo-2-055432c7acaed04e674f5564b9144cc3cef735f8.zip
Version bump.
(Portage version: 2.0.53_rc4)
Diffstat (limited to 'sys-apps/shadow')
-rw-r--r--sys-apps/shadow/ChangeLog12
-rw-r--r--sys-apps/shadow/files/digest-shadow-4.0.131
-rw-r--r--sys-apps/shadow/files/shadow-4.0.13-dots-in-usernames.patch28
-rw-r--r--sys-apps/shadow/files/shadow-4.0.13-login.defs.patch25
-rw-r--r--sys-apps/shadow/files/shadow-4.0.13-long-groupnames.patch18
-rw-r--r--sys-apps/shadow/files/shadow-4.0.13-nonis.patch53
-rw-r--r--sys-apps/shadow/files/shadow-4.0.13-su-fix-environment.patch39
-rw-r--r--sys-apps/shadow/shadow-4.0.13.ebuild238
8 files changed, 413 insertions, 1 deletions
diff --git a/sys-apps/shadow/ChangeLog b/sys-apps/shadow/ChangeLog
index fe45ba40b403..27d462798f52 100644
--- a/sys-apps/shadow/ChangeLog
+++ b/sys-apps/shadow/ChangeLog
@@ -1,6 +1,16 @@
# ChangeLog for sys-apps/shadow
# Copyright 1999-2005 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/shadow/ChangeLog,v 1.121 2005/08/24 11:33:18 azarah Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/shadow/ChangeLog,v 1.122 2005/10/10 22:42:44 vapier Exp $
+
+*shadow-4.0.13 (10 Oct 2005)
+
+ 10 Oct 2005; Mike Frysinger <vapier@gentoo.org>
+ +files/shadow-4.0.13-dots-in-usernames.patch,
+ +files/shadow-4.0.13-login.defs.patch,
+ +files/shadow-4.0.13-long-groupnames.patch,
+ +files/shadow-4.0.13-nonis.patch,
+ +files/shadow-4.0.13-su-fix-environment.patch, +shadow-4.0.13.ebuild:
+ Version bump.
24 Aug 2005; Martin Schlemmer <azarah@gentoo.org>
+files/shadow-4.0.12-gcc2.patch, shadow-4.0.12.ebuild:
diff --git a/sys-apps/shadow/files/digest-shadow-4.0.13 b/sys-apps/shadow/files/digest-shadow-4.0.13
new file mode 100644
index 000000000000..6f8f6aa3d631
--- /dev/null
+++ b/sys-apps/shadow/files/digest-shadow-4.0.13
@@ -0,0 +1 @@
+MD5 5c6a105d89afb0900922260e9c5650cc shadow-4.0.13.tar.bz2 1087998
diff --git a/sys-apps/shadow/files/shadow-4.0.13-dots-in-usernames.patch b/sys-apps/shadow/files/shadow-4.0.13-dots-in-usernames.patch
new file mode 100644
index 000000000000..54e1d72e61b3
--- /dev/null
+++ b/sys-apps/shadow/files/shadow-4.0.13-dots-in-usernames.patch
@@ -0,0 +1,28 @@
+Allow people to add users with dots in their names.
+
+http://bugs.gentoo.org/22920
+
+Index: libmisc/chkname.c
+===================================================================
+RCS file: /cvsroot/shadow/libmisc/chkname.c,v
+retrieving revision 1.11
+diff -u -p -r1.11 chkname.c
+--- libmisc/chkname.c 31 Aug 2005 17:24:57 -0000 1.11
++++ libmisc/chkname.c 10 Oct 2005 22:20:16 -0000
+@@ -18,7 +18,7 @@
+ static int good_name (const char *name)
+ {
+ /*
+- * User/group names must match [a-z_][a-z0-9_-]*[$]
++ * User/group names must match [a-z_][a-z0-9_-.]*[$]
+ */
+ if (!*name || !((*name >= 'a' && *name <= 'z') || *name == '_'))
+ return 0;
+@@ -27,6 +27,7 @@ static int good_name (const char *name)
+ if (!((*name >= 'a' && *name <= 'z') ||
+ (*name >= '0' && *name <= '9') ||
+ *name == '_' || *name == '-' ||
++ *name == '.' ||
+ (*name == '$' && *(name + 1) == '\0')))
+ return 0;
+ }
diff --git a/sys-apps/shadow/files/shadow-4.0.13-login.defs.patch b/sys-apps/shadow/files/shadow-4.0.13-login.defs.patch
new file mode 100644
index 000000000000..4ac4b4ec5513
--- /dev/null
+++ b/sys-apps/shadow/files/shadow-4.0.13-login.defs.patch
@@ -0,0 +1,25 @@
+Index: etc/login.defs
+===================================================================
+RCS file: /cvsroot/shadow/etc/login.defs,v
+retrieving revision 1.8
+diff -u -p -U0 -r1.8 login.defs
+--- etc/login.defs 1 Sep 2005 19:57:45 -0000 1.8
++++ etc/login.defs 10 Oct 2005 22:17:39 -0000
+@@ -38 +38 @@
+-MAIL_CHECK_ENAB yes
++MAIL_CHECK_ENAB no
+@@ -205 +205 @@
+-SU_WHEEL_ONLY no
++SU_WHEEL_ONLY yes
+@@ -210 +210 @@
+-CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
++CRACKLIB_DICTPATH /usr/lib/cracklib_dict
+@@ -227 +227 @@
+-LOGIN_RETRIES 5
++LOGIN_RETRIES 3
+@@ -279 +279 @@
+-#MD5_CRYPT_ENAB no
++MD5_CRYPT_ENAB yes
+@@ -330 +330 @@
+-#GETPASS_ASTERISKS 1
++GETPASS_ASTERISKS 0
diff --git a/sys-apps/shadow/files/shadow-4.0.13-long-groupnames.patch b/sys-apps/shadow/files/shadow-4.0.13-long-groupnames.patch
new file mode 100644
index 000000000000..df322cf28b2c
--- /dev/null
+++ b/sys-apps/shadow/files/shadow-4.0.13-long-groupnames.patch
@@ -0,0 +1,18 @@
+Remove arbitrary requirement on the length of groups. Perhaps we
+should turn this into a configure option and send upstream ?
+
+http://bugs.gentoo.org/3485
+
+--- libmisc/chkname.c
++++ libmisc/chkname.c
+@@ -59,8 +60,10 @@
+ * Arbitrary limit for group names - max 16
+ * characters (same as on HP-UX 10).
+ */
++#if 0
+ if (strlen (name) > 16)
+ return 0;
++#endif
+
+ return good_name (name);
+ }
diff --git a/sys-apps/shadow/files/shadow-4.0.13-nonis.patch b/sys-apps/shadow/files/shadow-4.0.13-nonis.patch
new file mode 100644
index 000000000000..0c89e90e2123
--- /dev/null
+++ b/sys-apps/shadow/files/shadow-4.0.13-nonis.patch
@@ -0,0 +1,53 @@
+--- src/login_nopam.c
++++ src/login_nopam.c
+@@ -50,7 +50,9 @@
+ #include <netinet/in.h>
+ #include <arpa/inet.h> /* for inet_ntoa() */
+ extern struct group *getgrnam ();
++#ifdef USE_NIS
+ extern int innetgr ();
++#endif
+
+ #if !defined(MAXHOSTNAMELEN) || (MAXHOSTNAMELEN < 64)
+ #undef MAXHOSTNAMELEN
+@@ -178,6 +180,7 @@ static char *myhostname (void)
+ return (name);
+ }
+
++#ifdef USE_NIS
+ /* netgroup_match - match group against machine or user */
+ static int
+ netgroup_match (const char *group, const char *machine, const char *user)
+@@ -193,6 +196,7 @@ netgroup_match (const char *group, const
+
+ return innetgr (group, machine, user, mydomain);
+ }
++#endif
+
+ /* user_match - match a username against one token */
+ static int user_match (const char *tok, const char *string)
+@@ -214,8 +218,10 @@ static int user_match (const char *tok,
+ *at = 0;
+ return (user_match (tok, string)
+ && from_match (at + 1, myhostname ()));
++#ifdef USE_NIS
+ } else if (tok[0] == '@') { /* netgroup */
+ return (netgroup_match (tok + 1, (char *) 0, string));
++#endif
+ } else if (string_match (tok, string)) { /* ALL or exact match */
+ return (YES);
+ } else if ((group = getgrnam (tok))) { /* try group membership */
+@@ -271,9 +277,12 @@ static int from_match (const char *tok,
+ * contain a "." character. If the token is a network number, return YES
+ * if it matches the head of the string.
+ */
++#ifdef USE_NIS
+ if (tok[0] == '@') { /* netgroup */
+ return (netgroup_match (tok + 1, string, (char *) 0));
+- } else if (string_match (tok, string)) { /* ALL or exact match */
++ } else
++#endif
++ if (string_match (tok, string)) { /* ALL or exact match */
+ return (YES);
+ } else if (tok[0] == '.') { /* domain: match last fields */
+ if ((str_len = strlen (string)) > (tok_len = strlen (tok))
diff --git a/sys-apps/shadow/files/shadow-4.0.13-su-fix-environment.patch b/sys-apps/shadow/files/shadow-4.0.13-su-fix-environment.patch
new file mode 100644
index 000000000000..5db08fd5fd73
--- /dev/null
+++ b/sys-apps/shadow/files/shadow-4.0.13-su-fix-environment.patch
@@ -0,0 +1,39 @@
+The patch from upstream (shadow-4.0.11.1-SUPATH.patch) sets environ too
+early when using PAM, so move it to !USE_PAM. Also set USER and SHELL.
+
+--- shadow-4.0.11.1/src/su.c 2005-08-04 12:34:35.000000000 +0200
++++ shadow-4.0.11.1.az/src/su.c 2005-08-04 12:38:57.000000000 +0200
+@@ -594,11 +594,6 @@
+ addenv ("PATH", cp);
+ }
+
+-#ifndef USE_PAM
+- /* setup the environment for PAM later on, else we run into auth problems */
+- environ = newenvp; /* make new environment active */
+-#endif
+-
+ if (getenv ("IFS")) /* don't export user IFS ... */
+ addenv ("IFS= \t\n", NULL); /* ... instead, set a safe IFS */
+
+@@ -666,6 +664,8 @@
+ exit (1);
+ }
+ #else /* !USE_PAM */
++ environ = newenvp; /* make new environment active */
++
+ if (!amroot) /* no limits if su from root */
+ setup_limits (&pwent);
+
+@@ -676,8 +676,11 @@
+ if (fakelogin)
+ setup_env (&pwent);
+ #if 1 /* Suggested by Joey Hess. XXX - is this right? */
+- else
++ else {
+ addenv ("HOME", pwent.pw_dir);
++ addenv ("USER", pwent.pw_name);
++ addenv ("SHELL", pwent.pw_shell);
++ }
+ #endif
+
+ /*
diff --git a/sys-apps/shadow/shadow-4.0.13.ebuild b/sys-apps/shadow/shadow-4.0.13.ebuild
new file mode 100644
index 000000000000..801d296373cd
--- /dev/null
+++ b/sys-apps/shadow/shadow-4.0.13.ebuild
@@ -0,0 +1,238 @@
+# Copyright 1999-2005 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/shadow/shadow-4.0.13.ebuild,v 1.1 2005/10/10 22:42:44 vapier Exp $
+
+inherit eutils libtool toolchain-funcs flag-o-matic
+
+# We should remove this login after pam-0.78 goes stable.
+FORCE_SYSTEMAUTH_UPDATE="no"
+
+DESCRIPTION="Utilities to deal with user accounts"
+HOMEPAGE="http://shadow.pld.org.pl/"
+SRC_URI="ftp://ftp.pld.org.pl/software/${PN}/${P}.tar.bz2"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="-*" #~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="nls pam selinux skey nousuid"
+
+RDEPEND=">=sys-libs/cracklib-2.7-r3
+ pam? ( virtual/pam )
+ !pam? ( !sys-apps/pam-login )
+ skey? ( app-admin/skey )
+ selinux? ( sys-libs/libselinux )"
+DEPEND="${RDEPEND}
+ >=sys-apps/portage-2.0.51-r2
+ nls? ( sys-devel/gettext )"
+# We moved /etc/pam.d/login to pam-login
+PDEPEND="pam? ( >=sys-apps/pam-login-4.0.11.1-r2 )"
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+
+ # uclibc support, corrects NIS usage
+ epatch "${FILESDIR}"/${PN}-4.0.13-nonis.patch
+
+ # If su should not simulate a login shell, use '/bin/sh' as shell to enable
+ # running of commands as user with /bin/false as shell, closing bug #15015.
+ # *** This one could be a security hole; disable for now ***
+ #epatch "${FILESDIR}"/${P}-nologin-run-sh.patch
+
+ # don't install manpages if USE=-nls
+ epatch "${FILESDIR}"/${PN}-4.0.10-nls-manpages.patch
+
+ # tweak the default login.defs
+ epatch "${FILESDIR}"/${PN}-4.0.13-login.defs.patch
+
+ # The new configure changes do not detect utmp/logdir properly
+ epatch "${FILESDIR}"/${PN}-4.0.10-fix-configure.patch
+
+ # skeychallenge call needs updating #69741
+ epatch "${FILESDIR}"/shadow-4.0.5-skey.patch
+
+ # Make user/group names more flexible #3485 / #22920
+ epatch "${FILESDIR}"/${PN}-4.0.13-dots-in-usernames.patch
+ epatch "${FILESDIR}"/${PN}-4.0.13-long-groupnames.patch
+
+ # Fix compiling with gcc-2.95.x
+ epatch "${FILESDIR}"/${PN}-4.0.12-gcc2.patch
+
+ # Patch from upstream enables the new environment too early for PAM
+ epatch "${FILESDIR}"/${PN}-4.0.13-su-fix-environment.patch
+
+ # Some UCLIBC patches
+ epatch "${FILESDIR}"/${PN}-4.0.11.1-uclibc-missing-l64a.patch
+
+ # lock down setuid perms #47208
+ epatch "${FILESDIR}"/${PN}-4.0.11.1-perms.patch
+
+ # Needed by the UCLIBC patches
+ autoconf || die
+
+ elibtoolize
+ epunt_cxx
+}
+
+src_compile() {
+ append-ldflags -Wl,-z,now
+ tc-is-cross-compiler && export ac_cv_func_setpgrp_void=yes
+ econf \
+ --disable-desrpc \
+ --with-libcrypt \
+ --with-libcrack \
+ --enable-shared=no \
+ --enable-static=yes \
+ $(use_with pam libpam) \
+ $(use_with skey libskey) \
+ $(use_with selinux) \
+ $(use_enable nls) \
+ || die "bad configure"
+ emake || die "compile problem"
+}
+
+src_install() {
+ local perms=4711
+ use nousuid && perms=711
+ make DESTDIR=${D} suiduperms=${perms} install || die "install problem"
+ dosym useradd /usr/sbin/adduser
+
+ # Remove libshadow and libmisc; see bug 37725 and the following
+ # comment from shadow's README.linux:
+ # Currently, libshadow.a is for internal use only, so if you see
+ # -lshadow in a Makefile of some other package, it is safe to
+ # remove it.
+ rm -f "${D}"/{,usr/}$(get_libdir)/lib{misc,shadow}.{a,la}
+
+ if use pam; then
+ # These is now shipped with pam-login, and login
+ # had/have a serious root exploit with pam support
+ # enabled.
+ for x in "${D}"/bin/login \
+ "${D}"/usr/bin/faillog "${D}"/usr/bin/lastlog \
+ "${D}"/usr/share/man/man1/login.1* \
+ "${D}"/usr/share/man/man5/login.{access,defs}.5* \
+ "${D}"/usr/share/man/man5/faillog.5* \
+ "${D}"/usr/share/man/man8/lastlog.8* \
+ "${D}"/usr/share/man/man8/faillog.8*; do
+ [[ -f ${x} ]] && rm -f ${x}
+ done
+ fi
+
+ insinto /etc
+ # Using a securetty with devfs device names added
+ # (compat names kept for non-devfs compatibility)
+ insopts -m0600 ; doins "${FILESDIR}"/securetty
+ use pam || { insopts -m0600 ; doins etc/login.access ; }
+ use pam || { insopts -m0600 ; doins etc/limits ; }
+ # Output arch-specific cruft
+ case $(tc-arch) in
+ ppc64) echo "hvc0" >> "${D}"/etc/securetty
+ echo "hvsi0" >> "${D}"/etc/securetty;;
+ hppa) echo "ttyB0" >> "${D}"/etc/securetty;;
+ arm) echo "ttyFB0" >> "${D}"/etc/securetty;;
+ esac
+
+ # needed for 'adduser -D'
+ insinto /etc/default
+ insopts -m0600
+ doins "${FILESDIR}"/default/useradd
+
+ # move passwd to / to help recover broke systems #64441
+ mv "${D}"/usr/bin/passwd "${D}"/bin/
+ dosym /bin/passwd /usr/bin/passwd
+
+ if use pam ; then
+ local INSTALL_SYSTEM_PAMD="yes"
+
+ # Do not install below pam.d files if we have pam-0.78 or later
+ portageq has_version / '>=sys-libs/pam-0.78' && \
+ INSTALL_SYSTEM_PAMD="no"
+
+ for x in "${FILESDIR}"/pam.d-include/*; do
+ case "${x##*/}" in
+ "login")
+ # We do no longer install this one, as its from
+ # pam-login now.
+ ;;
+ "system-auth"|"system-auth-1.1"|"other")
+ # These we only install if we do not have pam-0.78
+ # or later.
+ [ "${INSTALL_SYSTEM_PAMD}" = "yes" ] && [ -f ${x} ] && \
+ dopamd ${x}
+ ;;
+ "su")
+ # Disable support for pam_env and pam_wheel on openpam
+ has_version sys-libs/pam && dopamd ${x}
+ ;;
+ "su-openpam")
+ has_version sys-libs/openpam && newpamd ${x} su
+ ;;
+ *)
+ [ -f ${x} ] && dopamd ${x}
+ ;;
+ esac
+ done
+ for x in chage chsh chfn chpasswd newusers \
+ user{add,del,mod} group{add,del,mod} ; do
+ newpamd "${FILESDIR}"/pam.d-include/shadow ${x}
+ done
+
+ # Only add this one if needed.
+ if [ "${FORCE_SYSTEMAUTH_UPDATE}" = "yes" ]; then
+ newpamd "${FILESDIR}"/pam.d-include/system-auth-1.1 system-auth.new || \
+ die "Failed to install system-auth.new!"
+ fi
+
+ # remove manpages that pam will install for us
+ # and/or don't apply when using pam
+
+ find "${D}"/usr/share/man \
+ '(' -name 'limits.5*' -o -name 'suauth.5*' ')' \
+ -exec rm {} \;
+ else
+ insinto /etc
+ insopts -m0644
+ newins etc/login.defs.linux login.defs
+ fi
+
+ # Remove manpages that are handled by other packages
+ find "${D}"/usr/share/man \
+ '(' -name id.1 -o -name passwd.5 -o -name getspnam.3 ')' \
+ -exec rm {} \;
+
+ cd "${S}"/doc
+ dodoc INSTALL README WISHLIST
+ docinto txt
+ dodoc HOWTO LSM README.* *.txt
+}
+
+pkg_preinst() {
+ rm -f "${ROOT}"/etc/pam.d/system-auth.new
+}
+
+pkg_postinst() {
+ use pam || return 0;
+
+ if [ "${FORCE_SYSTEMAUTH_UPDATE}" = "yes" ]; then
+ local CHECK1="$(md5sum ${ROOT}/etc/pam.d/system-auth | cut -d ' ' -f 1)"
+ local CHECK2="$(md5sum ${ROOT}/etc/pam.d/system-auth.new | cut -d ' ' -f 1)"
+
+ if [ "${CHECK1}" != "${CHECK2}" ]; then
+ ewarn "Due to a security issue, ${ROOT}etc/pam.d/system-auth "
+ ewarn "is being updated automatically. Your old "
+ ewarn "system-auth will be backed up as:"
+ ewarn
+ ewarn " ${ROOT}etc/pam.d/system-auth.bak"
+ echo
+
+ cp -pPR ${ROOT}/etc/pam.d/system-auth \
+ ${ROOT}/etc/pam.d/system-auth.bak;
+ mv -f ${ROOT}/etc/pam.d/system-auth.new \
+ ${ROOT}/etc/pam.d/system-auth
+ rm -f ${ROOT}/etc/pam.d/._cfg????_system-auth
+ else
+ rm -f ${ROOT}/etc/pam.d/system-auth.new
+ fi
+ fi
+}