diff options
author | Mike Frysinger <vapier@gentoo.org> | 2005-10-10 22:42:44 +0000 |
---|---|---|
committer | Mike Frysinger <vapier@gentoo.org> | 2005-10-10 22:42:44 +0000 |
commit | 055432c7acaed04e674f5564b9144cc3cef735f8 (patch) | |
tree | e4ecab89c1ff02e42285ad6f8333ea4b27ea04cd /sys-apps/shadow | |
parent | ~alpha keyword, bug 107346. (diff) | |
download | gentoo-2-055432c7acaed04e674f5564b9144cc3cef735f8.tar.gz gentoo-2-055432c7acaed04e674f5564b9144cc3cef735f8.tar.bz2 gentoo-2-055432c7acaed04e674f5564b9144cc3cef735f8.zip |
Version bump.
(Portage version: 2.0.53_rc4)
Diffstat (limited to 'sys-apps/shadow')
-rw-r--r-- | sys-apps/shadow/ChangeLog | 12 | ||||
-rw-r--r-- | sys-apps/shadow/files/digest-shadow-4.0.13 | 1 | ||||
-rw-r--r-- | sys-apps/shadow/files/shadow-4.0.13-dots-in-usernames.patch | 28 | ||||
-rw-r--r-- | sys-apps/shadow/files/shadow-4.0.13-login.defs.patch | 25 | ||||
-rw-r--r-- | sys-apps/shadow/files/shadow-4.0.13-long-groupnames.patch | 18 | ||||
-rw-r--r-- | sys-apps/shadow/files/shadow-4.0.13-nonis.patch | 53 | ||||
-rw-r--r-- | sys-apps/shadow/files/shadow-4.0.13-su-fix-environment.patch | 39 | ||||
-rw-r--r-- | sys-apps/shadow/shadow-4.0.13.ebuild | 238 |
8 files changed, 413 insertions, 1 deletions
diff --git a/sys-apps/shadow/ChangeLog b/sys-apps/shadow/ChangeLog index fe45ba40b403..27d462798f52 100644 --- a/sys-apps/shadow/ChangeLog +++ b/sys-apps/shadow/ChangeLog @@ -1,6 +1,16 @@ # ChangeLog for sys-apps/shadow # Copyright 1999-2005 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sys-apps/shadow/ChangeLog,v 1.121 2005/08/24 11:33:18 azarah Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-apps/shadow/ChangeLog,v 1.122 2005/10/10 22:42:44 vapier Exp $ + +*shadow-4.0.13 (10 Oct 2005) + + 10 Oct 2005; Mike Frysinger <vapier@gentoo.org> + +files/shadow-4.0.13-dots-in-usernames.patch, + +files/shadow-4.0.13-login.defs.patch, + +files/shadow-4.0.13-long-groupnames.patch, + +files/shadow-4.0.13-nonis.patch, + +files/shadow-4.0.13-su-fix-environment.patch, +shadow-4.0.13.ebuild: + Version bump. 24 Aug 2005; Martin Schlemmer <azarah@gentoo.org> +files/shadow-4.0.12-gcc2.patch, shadow-4.0.12.ebuild: diff --git a/sys-apps/shadow/files/digest-shadow-4.0.13 b/sys-apps/shadow/files/digest-shadow-4.0.13 new file mode 100644 index 000000000000..6f8f6aa3d631 --- /dev/null +++ b/sys-apps/shadow/files/digest-shadow-4.0.13 @@ -0,0 +1 @@ +MD5 5c6a105d89afb0900922260e9c5650cc shadow-4.0.13.tar.bz2 1087998 diff --git a/sys-apps/shadow/files/shadow-4.0.13-dots-in-usernames.patch b/sys-apps/shadow/files/shadow-4.0.13-dots-in-usernames.patch new file mode 100644 index 000000000000..54e1d72e61b3 --- /dev/null +++ b/sys-apps/shadow/files/shadow-4.0.13-dots-in-usernames.patch @@ -0,0 +1,28 @@ +Allow people to add users with dots in their names. + +http://bugs.gentoo.org/22920 + +Index: libmisc/chkname.c +=================================================================== +RCS file: /cvsroot/shadow/libmisc/chkname.c,v +retrieving revision 1.11 +diff -u -p -r1.11 chkname.c +--- libmisc/chkname.c 31 Aug 2005 17:24:57 -0000 1.11 ++++ libmisc/chkname.c 10 Oct 2005 22:20:16 -0000 +@@ -18,7 +18,7 @@ + static int good_name (const char *name) + { + /* +- * User/group names must match [a-z_][a-z0-9_-]*[$] ++ * User/group names must match [a-z_][a-z0-9_-.]*[$] + */ + if (!*name || !((*name >= 'a' && *name <= 'z') || *name == '_')) + return 0; +@@ -27,6 +27,7 @@ static int good_name (const char *name) + if (!((*name >= 'a' && *name <= 'z') || + (*name >= '0' && *name <= '9') || + *name == '_' || *name == '-' || ++ *name == '.' || + (*name == '$' && *(name + 1) == '\0'))) + return 0; + } diff --git a/sys-apps/shadow/files/shadow-4.0.13-login.defs.patch b/sys-apps/shadow/files/shadow-4.0.13-login.defs.patch new file mode 100644 index 000000000000..4ac4b4ec5513 --- /dev/null +++ b/sys-apps/shadow/files/shadow-4.0.13-login.defs.patch @@ -0,0 +1,25 @@ +Index: etc/login.defs +=================================================================== +RCS file: /cvsroot/shadow/etc/login.defs,v +retrieving revision 1.8 +diff -u -p -U0 -r1.8 login.defs +--- etc/login.defs 1 Sep 2005 19:57:45 -0000 1.8 ++++ etc/login.defs 10 Oct 2005 22:17:39 -0000 +@@ -38 +38 @@ +-MAIL_CHECK_ENAB yes ++MAIL_CHECK_ENAB no +@@ -205 +205 @@ +-SU_WHEEL_ONLY no ++SU_WHEEL_ONLY yes +@@ -210 +210 @@ +-CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict ++CRACKLIB_DICTPATH /usr/lib/cracklib_dict +@@ -227 +227 @@ +-LOGIN_RETRIES 5 ++LOGIN_RETRIES 3 +@@ -279 +279 @@ +-#MD5_CRYPT_ENAB no ++MD5_CRYPT_ENAB yes +@@ -330 +330 @@ +-#GETPASS_ASTERISKS 1 ++GETPASS_ASTERISKS 0 diff --git a/sys-apps/shadow/files/shadow-4.0.13-long-groupnames.patch b/sys-apps/shadow/files/shadow-4.0.13-long-groupnames.patch new file mode 100644 index 000000000000..df322cf28b2c --- /dev/null +++ b/sys-apps/shadow/files/shadow-4.0.13-long-groupnames.patch @@ -0,0 +1,18 @@ +Remove arbitrary requirement on the length of groups. Perhaps we +should turn this into a configure option and send upstream ? + +http://bugs.gentoo.org/3485 + +--- libmisc/chkname.c ++++ libmisc/chkname.c +@@ -59,8 +60,10 @@ + * Arbitrary limit for group names - max 16 + * characters (same as on HP-UX 10). + */ ++#if 0 + if (strlen (name) > 16) + return 0; ++#endif + + return good_name (name); + } diff --git a/sys-apps/shadow/files/shadow-4.0.13-nonis.patch b/sys-apps/shadow/files/shadow-4.0.13-nonis.patch new file mode 100644 index 000000000000..0c89e90e2123 --- /dev/null +++ b/sys-apps/shadow/files/shadow-4.0.13-nonis.patch @@ -0,0 +1,53 @@ +--- src/login_nopam.c ++++ src/login_nopam.c +@@ -50,7 +50,9 @@ + #include <netinet/in.h> + #include <arpa/inet.h> /* for inet_ntoa() */ + extern struct group *getgrnam (); ++#ifdef USE_NIS + extern int innetgr (); ++#endif + + #if !defined(MAXHOSTNAMELEN) || (MAXHOSTNAMELEN < 64) + #undef MAXHOSTNAMELEN +@@ -178,6 +180,7 @@ static char *myhostname (void) + return (name); + } + ++#ifdef USE_NIS + /* netgroup_match - match group against machine or user */ + static int + netgroup_match (const char *group, const char *machine, const char *user) +@@ -193,6 +196,7 @@ netgroup_match (const char *group, const + + return innetgr (group, machine, user, mydomain); + } ++#endif + + /* user_match - match a username against one token */ + static int user_match (const char *tok, const char *string) +@@ -214,8 +218,10 @@ static int user_match (const char *tok, + *at = 0; + return (user_match (tok, string) + && from_match (at + 1, myhostname ())); ++#ifdef USE_NIS + } else if (tok[0] == '@') { /* netgroup */ + return (netgroup_match (tok + 1, (char *) 0, string)); ++#endif + } else if (string_match (tok, string)) { /* ALL or exact match */ + return (YES); + } else if ((group = getgrnam (tok))) { /* try group membership */ +@@ -271,9 +277,12 @@ static int from_match (const char *tok, + * contain a "." character. If the token is a network number, return YES + * if it matches the head of the string. + */ ++#ifdef USE_NIS + if (tok[0] == '@') { /* netgroup */ + return (netgroup_match (tok + 1, string, (char *) 0)); +- } else if (string_match (tok, string)) { /* ALL or exact match */ ++ } else ++#endif ++ if (string_match (tok, string)) { /* ALL or exact match */ + return (YES); + } else if (tok[0] == '.') { /* domain: match last fields */ + if ((str_len = strlen (string)) > (tok_len = strlen (tok)) diff --git a/sys-apps/shadow/files/shadow-4.0.13-su-fix-environment.patch b/sys-apps/shadow/files/shadow-4.0.13-su-fix-environment.patch new file mode 100644 index 000000000000..5db08fd5fd73 --- /dev/null +++ b/sys-apps/shadow/files/shadow-4.0.13-su-fix-environment.patch @@ -0,0 +1,39 @@ +The patch from upstream (shadow-4.0.11.1-SUPATH.patch) sets environ too +early when using PAM, so move it to !USE_PAM. Also set USER and SHELL. + +--- shadow-4.0.11.1/src/su.c 2005-08-04 12:34:35.000000000 +0200 ++++ shadow-4.0.11.1.az/src/su.c 2005-08-04 12:38:57.000000000 +0200 +@@ -594,11 +594,6 @@ + addenv ("PATH", cp); + } + +-#ifndef USE_PAM +- /* setup the environment for PAM later on, else we run into auth problems */ +- environ = newenvp; /* make new environment active */ +-#endif +- + if (getenv ("IFS")) /* don't export user IFS ... */ + addenv ("IFS= \t\n", NULL); /* ... instead, set a safe IFS */ + +@@ -666,6 +664,8 @@ + exit (1); + } + #else /* !USE_PAM */ ++ environ = newenvp; /* make new environment active */ ++ + if (!amroot) /* no limits if su from root */ + setup_limits (&pwent); + +@@ -676,8 +676,11 @@ + if (fakelogin) + setup_env (&pwent); + #if 1 /* Suggested by Joey Hess. XXX - is this right? */ +- else ++ else { + addenv ("HOME", pwent.pw_dir); ++ addenv ("USER", pwent.pw_name); ++ addenv ("SHELL", pwent.pw_shell); ++ } + #endif + + /* diff --git a/sys-apps/shadow/shadow-4.0.13.ebuild b/sys-apps/shadow/shadow-4.0.13.ebuild new file mode 100644 index 000000000000..801d296373cd --- /dev/null +++ b/sys-apps/shadow/shadow-4.0.13.ebuild @@ -0,0 +1,238 @@ +# Copyright 1999-2005 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sys-apps/shadow/shadow-4.0.13.ebuild,v 1.1 2005/10/10 22:42:44 vapier Exp $ + +inherit eutils libtool toolchain-funcs flag-o-matic + +# We should remove this login after pam-0.78 goes stable. +FORCE_SYSTEMAUTH_UPDATE="no" + +DESCRIPTION="Utilities to deal with user accounts" +HOMEPAGE="http://shadow.pld.org.pl/" +SRC_URI="ftp://ftp.pld.org.pl/software/${PN}/${P}.tar.bz2" + +LICENSE="BSD" +SLOT="0" +KEYWORDS="-*" #~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86" +IUSE="nls pam selinux skey nousuid" + +RDEPEND=">=sys-libs/cracklib-2.7-r3 + pam? ( virtual/pam ) + !pam? ( !sys-apps/pam-login ) + skey? ( app-admin/skey ) + selinux? ( sys-libs/libselinux )" +DEPEND="${RDEPEND} + >=sys-apps/portage-2.0.51-r2 + nls? ( sys-devel/gettext )" +# We moved /etc/pam.d/login to pam-login +PDEPEND="pam? ( >=sys-apps/pam-login-4.0.11.1-r2 )" + +src_unpack() { + unpack ${A} + cd "${S}" + + # uclibc support, corrects NIS usage + epatch "${FILESDIR}"/${PN}-4.0.13-nonis.patch + + # If su should not simulate a login shell, use '/bin/sh' as shell to enable + # running of commands as user with /bin/false as shell, closing bug #15015. + # *** This one could be a security hole; disable for now *** + #epatch "${FILESDIR}"/${P}-nologin-run-sh.patch + + # don't install manpages if USE=-nls + epatch "${FILESDIR}"/${PN}-4.0.10-nls-manpages.patch + + # tweak the default login.defs + epatch "${FILESDIR}"/${PN}-4.0.13-login.defs.patch + + # The new configure changes do not detect utmp/logdir properly + epatch "${FILESDIR}"/${PN}-4.0.10-fix-configure.patch + + # skeychallenge call needs updating #69741 + epatch "${FILESDIR}"/shadow-4.0.5-skey.patch + + # Make user/group names more flexible #3485 / #22920 + epatch "${FILESDIR}"/${PN}-4.0.13-dots-in-usernames.patch + epatch "${FILESDIR}"/${PN}-4.0.13-long-groupnames.patch + + # Fix compiling with gcc-2.95.x + epatch "${FILESDIR}"/${PN}-4.0.12-gcc2.patch + + # Patch from upstream enables the new environment too early for PAM + epatch "${FILESDIR}"/${PN}-4.0.13-su-fix-environment.patch + + # Some UCLIBC patches + epatch "${FILESDIR}"/${PN}-4.0.11.1-uclibc-missing-l64a.patch + + # lock down setuid perms #47208 + epatch "${FILESDIR}"/${PN}-4.0.11.1-perms.patch + + # Needed by the UCLIBC patches + autoconf || die + + elibtoolize + epunt_cxx +} + +src_compile() { + append-ldflags -Wl,-z,now + tc-is-cross-compiler && export ac_cv_func_setpgrp_void=yes + econf \ + --disable-desrpc \ + --with-libcrypt \ + --with-libcrack \ + --enable-shared=no \ + --enable-static=yes \ + $(use_with pam libpam) \ + $(use_with skey libskey) \ + $(use_with selinux) \ + $(use_enable nls) \ + || die "bad configure" + emake || die "compile problem" +} + +src_install() { + local perms=4711 + use nousuid && perms=711 + make DESTDIR=${D} suiduperms=${perms} install || die "install problem" + dosym useradd /usr/sbin/adduser + + # Remove libshadow and libmisc; see bug 37725 and the following + # comment from shadow's README.linux: + # Currently, libshadow.a is for internal use only, so if you see + # -lshadow in a Makefile of some other package, it is safe to + # remove it. + rm -f "${D}"/{,usr/}$(get_libdir)/lib{misc,shadow}.{a,la} + + if use pam; then + # These is now shipped with pam-login, and login + # had/have a serious root exploit with pam support + # enabled. + for x in "${D}"/bin/login \ + "${D}"/usr/bin/faillog "${D}"/usr/bin/lastlog \ + "${D}"/usr/share/man/man1/login.1* \ + "${D}"/usr/share/man/man5/login.{access,defs}.5* \ + "${D}"/usr/share/man/man5/faillog.5* \ + "${D}"/usr/share/man/man8/lastlog.8* \ + "${D}"/usr/share/man/man8/faillog.8*; do + [[ -f ${x} ]] && rm -f ${x} + done + fi + + insinto /etc + # Using a securetty with devfs device names added + # (compat names kept for non-devfs compatibility) + insopts -m0600 ; doins "${FILESDIR}"/securetty + use pam || { insopts -m0600 ; doins etc/login.access ; } + use pam || { insopts -m0600 ; doins etc/limits ; } + # Output arch-specific cruft + case $(tc-arch) in + ppc64) echo "hvc0" >> "${D}"/etc/securetty + echo "hvsi0" >> "${D}"/etc/securetty;; + hppa) echo "ttyB0" >> "${D}"/etc/securetty;; + arm) echo "ttyFB0" >> "${D}"/etc/securetty;; + esac + + # needed for 'adduser -D' + insinto /etc/default + insopts -m0600 + doins "${FILESDIR}"/default/useradd + + # move passwd to / to help recover broke systems #64441 + mv "${D}"/usr/bin/passwd "${D}"/bin/ + dosym /bin/passwd /usr/bin/passwd + + if use pam ; then + local INSTALL_SYSTEM_PAMD="yes" + + # Do not install below pam.d files if we have pam-0.78 or later + portageq has_version / '>=sys-libs/pam-0.78' && \ + INSTALL_SYSTEM_PAMD="no" + + for x in "${FILESDIR}"/pam.d-include/*; do + case "${x##*/}" in + "login") + # We do no longer install this one, as its from + # pam-login now. + ;; + "system-auth"|"system-auth-1.1"|"other") + # These we only install if we do not have pam-0.78 + # or later. + [ "${INSTALL_SYSTEM_PAMD}" = "yes" ] && [ -f ${x} ] && \ + dopamd ${x} + ;; + "su") + # Disable support for pam_env and pam_wheel on openpam + has_version sys-libs/pam && dopamd ${x} + ;; + "su-openpam") + has_version sys-libs/openpam && newpamd ${x} su + ;; + *) + [ -f ${x} ] && dopamd ${x} + ;; + esac + done + for x in chage chsh chfn chpasswd newusers \ + user{add,del,mod} group{add,del,mod} ; do + newpamd "${FILESDIR}"/pam.d-include/shadow ${x} + done + + # Only add this one if needed. + if [ "${FORCE_SYSTEMAUTH_UPDATE}" = "yes" ]; then + newpamd "${FILESDIR}"/pam.d-include/system-auth-1.1 system-auth.new || \ + die "Failed to install system-auth.new!" + fi + + # remove manpages that pam will install for us + # and/or don't apply when using pam + + find "${D}"/usr/share/man \ + '(' -name 'limits.5*' -o -name 'suauth.5*' ')' \ + -exec rm {} \; + else + insinto /etc + insopts -m0644 + newins etc/login.defs.linux login.defs + fi + + # Remove manpages that are handled by other packages + find "${D}"/usr/share/man \ + '(' -name id.1 -o -name passwd.5 -o -name getspnam.3 ')' \ + -exec rm {} \; + + cd "${S}"/doc + dodoc INSTALL README WISHLIST + docinto txt + dodoc HOWTO LSM README.* *.txt +} + +pkg_preinst() { + rm -f "${ROOT}"/etc/pam.d/system-auth.new +} + +pkg_postinst() { + use pam || return 0; + + if [ "${FORCE_SYSTEMAUTH_UPDATE}" = "yes" ]; then + local CHECK1="$(md5sum ${ROOT}/etc/pam.d/system-auth | cut -d ' ' -f 1)" + local CHECK2="$(md5sum ${ROOT}/etc/pam.d/system-auth.new | cut -d ' ' -f 1)" + + if [ "${CHECK1}" != "${CHECK2}" ]; then + ewarn "Due to a security issue, ${ROOT}etc/pam.d/system-auth " + ewarn "is being updated automatically. Your old " + ewarn "system-auth will be backed up as:" + ewarn + ewarn " ${ROOT}etc/pam.d/system-auth.bak" + echo + + cp -pPR ${ROOT}/etc/pam.d/system-auth \ + ${ROOT}/etc/pam.d/system-auth.bak; + mv -f ${ROOT}/etc/pam.d/system-auth.new \ + ${ROOT}/etc/pam.d/system-auth + rm -f ${ROOT}/etc/pam.d/._cfg????_system-auth + else + rm -f ${ROOT}/etc/pam.d/system-auth.new + fi + fi +} |