authorMartin Schlemmer <azarah@gentoo.org>2004-01-22 19:20:09 +0000
committerMartin Schlemmer <azarah@gentoo.org>2004-01-22 19:20:09 +0000
commit3eaedfcf8e9d5432b18734d0d7fb85574f42ac79 (patch)
treee738377b8de6937b0781ab42c90d806235d76f33 /sys-apps/shadow
parentfix dodoc #39054 (diff)
downloadhistorical-3eaedfcf8e9d5432b18734d0d7fb85574f42ac79.tar.gz
historical-3eaedfcf8e9d5432b18734d0d7fb85574f42ac79.tar.bz2
historical-3eaedfcf8e9d5432b18734d0d7fb85574f42ac79.zip
Update version.
Diffstat (limited to 'sys-apps/shadow')
-rw-r--r--sys-apps/shadow/ChangeLog9
-rw-r--r--sys-apps/shadow/Manifest24
-rw-r--r--sys-apps/shadow/files/digest-shadow-4.0.4.11
-rw-r--r--sys-apps/shadow/files/shadow-4.0.4.1-su-pam_open_session.patch210
-rw-r--r--sys-apps/shadow/files/shadow-4.0.4.1-useradd-manpage-update.patch17
-rw-r--r--sys-apps/shadow/shadow-4.0.3-r9.ebuild4
-rw-r--r--sys-apps/shadow/shadow-4.0.4.1.ebuild197
7 files changed, 449 insertions, 13 deletions
diff --git a/sys-apps/shadow/ChangeLog b/sys-apps/shadow/ChangeLog
index b5b744e73a9b..07e028bf2c14 100644
--- a/sys-apps/shadow/ChangeLog
+++ b/sys-apps/shadow/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for sys-apps/shadow
# Copyright 2002-2004 Gentoo Technologies, Inc.; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/shadow/ChangeLog,v 1.47 2004/01/10 02:37:14 agriffis Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/shadow/ChangeLog,v 1.48 2004/01/22 19:20:09 azarah Exp $
+
+*shadow-4.0.4.1 (22 Jan 2004)
+
+ 22 Jan 2004; Martin Schlemmer <azarah@gentoo.org> shadow-4.0.4.1.ebuild,
+ files/shadow-4.0.4.1-su-pam_open_session.patch,
+ files/shadow-4.0.4.1-useradd-manpage-update.patch:
+ Update version.
*shadow-4.0.3-r10 (09 Jan 2004)
diff --git a/sys-apps/shadow/Manifest b/sys-apps/shadow/Manifest
index 6b4fe1028468..b971dc97428a 100644
--- a/sys-apps/shadow/Manifest
+++ b/sys-apps/shadow/Manifest
@@ -1,20 +1,24 @@
MD5 7452616f9e23975f06b648553542e190 shadow-4.0.3-r10.ebuild 5680
-MD5 e8541b13efd1985eb9e1175545c374e7 shadow-4.0.3-r9.ebuild 5428
-MD5 c0e4cb74513dd41eccff94322beb7938 ChangeLog 9414
+MD5 0bfea38d38f50550c81a99bd920f8c6c ChangeLog 9640
MD5 9a09f8d531c582e78977dbfd96edc1f2 metadata.xml 164
-MD5 13c8bec4c2cffb2d73c2f5aa01229d03 files/shadow-4.0.3-su-pam_open_session.patch-v2 4882
-MD5 e70a5f61d37c3c67a4b860d8a6191dbc files/securetty 230
+MD5 62cc9812d368c9201eb3bb993481a05a shadow-4.0.3-r9.ebuild 5425
+MD5 1aa1fb968ea9691590663522962a7430 shadow-4.0.4.1.ebuild 5430
+MD5 52fc2a150fc27350a5f9990e0007d064 files/digest-shadow-4.0.3-r9 65
MD5 6dfd34cef0901f49a1899aa59219bc8f files/shadow-4.0.3-shared-needs-pam.patch 646
MD5 94728414b91e556a211379f6acc9b52d files/shadow-4.0.3-selinux.diff 3940
-MD5 52fc2a150fc27350a5f9990e0007d064 files/digest-shadow-4.0.3-r9 65
-MD5 de1e23b4a7d38545475dffc3c9dc73a0 files/shadow-4.0.3-useradd-manpage-update.patch 804
MD5 52fc2a150fc27350a5f9990e0007d064 files/digest-shadow-4.0.3-r10 65
+MD5 e70a5f61d37c3c67a4b860d8a6191dbc files/securetty 230
+MD5 13c8bec4c2cffb2d73c2f5aa01229d03 files/shadow-4.0.3-su-pam_open_session.patch-v2 4882
MD5 5be850b601aabd73a43b1a3bbb893386 files/shadow-4.0.3-nologin-run-sh.patch 972
+MD5 201f1321262da41ccd1a0283216ae9a7 files/shadow-4.0.4.1-su-pam_open_session.patch 4886
+MD5 cef6788bc7c8c5468c1b1f68df77ed9e files/digest-shadow-4.0.4.1 67
+MD5 bb55107c3a9354ef2d1977547fdb5a83 files/shadow-4.0.4.1-useradd-manpage-update.patch 958
+MD5 de1e23b4a7d38545475dffc3c9dc73a0 files/shadow-4.0.3-useradd-manpage-update.patch 804
MD5 6e0bc0211949c624da0ea08d994a7038 files/default/useradd 96
-MD5 0a8b62ed0426b607b92e275d63fa7cbf files/pam.d/su 1247
-MD5 a5311bbc9c1fc378a6b0bfb3ca1b2394 files/pam.d/login 431
MD5 344d17a865edc40adebe07797853c839 files/pam.d/other 198
-MD5 1baa646400c4a596290e9d4b9e1c09b2 files/pam.d/system-auth-1.1 491
+MD5 0a8b62ed0426b607b92e275d63fa7cbf files/pam.d/su 1247
+MD5 51b0337bd261f6ed5e53af5dc196431a files/pam.d/system-auth 499
MD5 a1c7fb84c2dc309db86ba7b8d3dfae76 files/pam.d/passwd 214
MD5 60d44a6f43aafcb9ca35858ab2534a49 files/pam.d/shadow 227
-MD5 51b0337bd261f6ed5e53af5dc196431a files/pam.d/system-auth 499
+MD5 a5311bbc9c1fc378a6b0bfb3ca1b2394 files/pam.d/login 431
+MD5 1baa646400c4a596290e9d4b9e1c09b2 files/pam.d/system-auth-1.1 491
diff --git a/sys-apps/shadow/files/digest-shadow-4.0.4.1 b/sys-apps/shadow/files/digest-shadow-4.0.4.1
new file mode 100644
index 000000000000..86c719561f0b
--- /dev/null
+++ b/sys-apps/shadow/files/digest-shadow-4.0.4.1
@@ -0,0 +1 @@
+MD5 3a3d17d3d7c630b602baf66ae7434c61 shadow-4.0.4.1.tar.bz2 814234
diff --git a/sys-apps/shadow/files/shadow-4.0.4.1-su-pam_open_session.patch b/sys-apps/shadow/files/shadow-4.0.4.1-su-pam_open_session.patch
new file mode 100644
index 000000000000..3bdeb9795401
--- /dev/null
+++ b/sys-apps/shadow/files/shadow-4.0.4.1-su-pam_open_session.patch
@@ -0,0 +1,210 @@
+--- shadow-4.0.3/src/su.c.orig 2002-10-20 16:43:21.000000000 +0200
++++ shadow-4.0.3/src/su.c 2002-10-20 16:50:57.000000000 +0200
+@@ -134,6 +134,108 @@
+ exit (1);
+ }
+
++#ifdef USE_PAM
++static int caught=0;
++
++/* Signal handler for parent process later */
++static void su_catch_sig(int sig)
++{
++ ++caught;
++}
++
++/* This I ripped out of su.c from sh-utils after the Mandrake pam patch
++ * have been applied. Some work was needed to get it integrated into
++ * su.c from shadow.
++ */
++static void run_shell (const char *shellstr, char *args[], int doshell)
++{
++ int child;
++ sigset_t ourset;
++ int status;
++ int ret;
++
++ child = fork();
++ if (child == 0) { /* child shell */
++ pam_end (pamh, PAM_SUCCESS);
++
++ if (doshell)
++ shell (shellstr, (char *) args[0]);
++ else
++ (void) execv (shellstr, (char **) args);
++ {
++ int exit_status = (errno == ENOENT ? 127 : 126);
++ exit (exit_status);
++ }
++ } else if (child == -1) {
++ (void) fprintf(stderr, "%s: Cannot fork user shell\n", Prog);
++ SYSLOG ((LOG_WARN, "Cannot execute %s", pwent.pw_shell));
++ closelog ();
++ exit(1);
++ }
++ /* parent only */
++ sigfillset(&ourset);
++ if (sigprocmask(SIG_BLOCK, &ourset, NULL)) {
++ (void) fprintf(stderr, "%s: signal malfunction\n", Prog);
++ caught = 1;
++ }
++ if (!caught) {
++ struct sigaction action;
++ action.sa_handler = su_catch_sig;
++ sigemptyset(&action.sa_mask);
++ action.sa_flags = 0;
++ sigemptyset(&ourset);
++
++ if (sigaddset(&ourset, SIGTERM)
++ || sigaddset(&ourset, SIGALRM)
++ || sigaction(SIGTERM, &action, NULL)
++ || sigprocmask(SIG_UNBLOCK, &ourset, NULL)
++ ) {
++ fprintf(stderr, "%s: signal masking malfunction\n", Prog);
++ caught = 1;
++ }
++ }
++
++ if (!caught) {
++ do {
++ int pid;
++
++ pid = waitpid(-1, &status, WUNTRACED);
++
++ if (WIFSTOPPED(status)) {
++ kill(getpid(), SIGSTOP);
++ /* once we get here, we must have resumed */
++ kill(pid, SIGCONT);
++ }
++ } while (WIFSTOPPED(status));
++ }
++
++ if (caught) {
++ fprintf(stderr, "\nSession terminated, killing shell...");
++ kill (child, SIGTERM);
++ }
++
++ ret = pam_close_session(pamh, 0);
++ if (ret != PAM_SUCCESS) {
++ SYSLOG ((LOG_ERR, "pam_close_session: %s",
++ pam_strerror (pamh, ret)));
++ fprintf (stderr, "%s: %s\n", Prog,
++ pam_strerror (pamh, ret));
++ pam_end (pamh, ret);
++ exit (1);
++ }
++
++ ret = pam_end(pamh, PAM_SUCCESS);
++
++ if (caught) {
++ sleep(2);
++ kill(child, SIGKILL);
++ fprintf(stderr, " ...killed.\n");
++ exit(-1);
++ }
++
++ exit (WEXITSTATUS(status));
++}
++#endif
+
+ /*
+ * su - switch user id
+@@ -152,6 +254,7 @@
+ int main (int argc, char **argv)
+ {
+ char *cp;
++ char **envcp;
+ const char *tty = 0; /* Name of tty SU is run from */
+ int doshell = 0;
+ int fakelogin = 0;
+@@ -252,6 +355,14 @@
+ */
+ if ((cp = getenv ("TERM")))
+ addenv ("TERM", cp);
++ /*
++ * Also leave DISPLAY and XAUTHORITY if present, else
++ * pam_xauth will not work.
++ */
++ if ((cp = getenv ("DISPLAY")))
++ addenv ("DISPLAY", cp);
++ if ((cp = getenv ("XAUTHORITY")))
++ addenv ("XAUTHORITY", cp);
+ } else {
+ while (*envp)
+ addenv (*envp++, NULL);
+@@ -507,7 +618,10 @@
+ }
+ #endif
+
++/* setup the environment for pam later on, else we run into auth problems */
++#ifndef USE_PAM
+ environ = newenvp; /* make new environment active */
++#endif
+
+ if (getenv ("IFS")) /* don't export user IFS ... */
+ addenv ("IFS= \t\n", NULL); /* ... instead, set a safe IFS */
+@@ -555,6 +669,31 @@
+ exit (1);
+ }
+
++ ret = pam_open_session (pamh, 0);
++ if (ret != PAM_SUCCESS) {
++ SYSLOG ((LOG_ERR, "pam_open_session: %s",
++ pam_strerror (pamh, ret)));
++ fprintf (stderr, "%s: %s\n", Prog,
++ pam_strerror (pamh, ret));
++ pam_end (pamh, ret);
++ exit (1);
++ }
++
++ /* we need to setup the environment *after* pam_open_session(),
++ * else the UID is changed before stuff like pam_xauth could
++ * run, and we cannot access /etc/shadow and co
++ */
++ environ = newenvp; /* make new environment active */
++
++ /* update environment with all pam set variables */
++ envcp = pam_getenvlist(pamh);
++ if(envcp) {
++ while(*envcp) {
++ putenv(*envcp);
++ envcp++;
++ }
++ }
++
+ /* become the new user */
+ if (change_uid (&pwent)) {
+ pam_setcred (pamh, PAM_DELETE_CRED);
+@@ -562,9 +701,6 @@
+ exit (1);
+ }
+
+- /* now we are done using PAM */
+- pam_end (pamh, PAM_SUCCESS);
+-
+ #else /* !USE_PAM */
+ if (!amroot) /* no limits if su from root */
+ setup_limits (&pwent);
+@@ -622,13 +758,21 @@
+ */
+
+ argv[-1] = pwent.pw_shell;
++#ifndef USE_PAM
+ (void) execv (pwent.pw_shell, &argv[-1]);
++#else
++ run_shell (pwent.pw_shell, &argv[-1], 0);
++#endif
+ (void) fprintf (stderr, _("No shell\n"));
+ SYSLOG ((LOG_WARN, "Cannot execute %s", pwent.pw_shell));
+ closelog ();
+ exit (1);
+ }
+
++#ifndef USE_PAM
+ shell (pwent.pw_shell, cp);
++#else
++ run_shell (pwent.pw_shell, &cp, 1);
++#endif
+ /* NOT REACHED */
+ exit (1);
+ }
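Review bot: In `run_shell` (fully visible in this patch), the result of `waitpid(-1, &status, WUNTRACED)` is never checked. The SIGTERM handler is installed with `sa_flags = 0`, so an interrupted call returns -1 and leaves `status` unset; `WIFSTOPPED(status)` then reads an indeterminate value and `kill(pid, SIGCONT)` may run with `pid == -1`, which addresses every process the caller may signal. The wait loop should initialise `status`, leave the loop when `waitpid` fails (retrying only on `EINTR` while `caught` is still clear), and test `WIFSTOPPED` only after a successful return. `caught` is written in `su_catch_sig` and read in the main flow, so it should be declared `volatile sig_atomic_t`. Separately, `exit (WEXITSTATUS(status))` reports 0 when the shell was killed by a signal; testing `WIFSIGNALED(status)` first would keep that failure visible to the caller.

```c
static volatile sig_atomic_t caught = 0;

/* … unchanged: su_catch_sig, fork and child branch, signal setup … */

	if (!caught) {
		status = 0;
		for (;;) {
			pid_t pid = waitpid(-1, &status, WUNTRACED);

			if (pid == -1) {
				/* interrupted by the SIGTERM handler, or no child left */
				if (errno == EINTR && !caught)
					continue;
				status = 0;
				break;
			}
			if (!WIFSTOPPED(status))
				break;
			kill(getpid(), SIGSTOP);
			/* once we get here, we must have resumed */
			kill(pid, SIGCONT);
		}
	}

/* … unchanged: kill-on-caught, pam_close_session, pam_end, exit … */
```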
diff --git a/sys-apps/shadow/files/shadow-4.0.4.1-useradd-manpage-update.patch b/sys-apps/shadow/files/shadow-4.0.4.1-useradd-manpage-update.patch
new file mode 100644
index 000000000000..b444d118356a
--- /dev/null
+++ b/sys-apps/shadow/files/shadow-4.0.4.1-useradd-manpage-update.patch
@@ -0,0 +1,17 @@
+--- shadow-4.0.4.1.orig/man/useradd.8 2004-01-22 21:09:46.369993928 +0200
++++ shadow-4.0.4.1/man/useradd.8 2004-01-22 21:12:39.043743528 +0200
+@@ -49,10 +49,10 @@
+ .SS Creating New Users
+ When invoked without the \fB-D\fR option, the \fBuseradd\fR command creates
+ a new user account using the values specified on the command line and the
+-default values from the system. The new user account will be entered into
+-the system files as needed, the home directory will be created, and initial
+-files copied, depending on the command line options. The options which apply
+-to the \fBuseradd\fR command are:
++default values from the system. Depending on command line options, the
++useradd command will update system files and may also create the new user's
++home directory and copy initial files. The options which apply to the
++\fBuseradd\fR command are:
+ .IP "\fB-c\fR \fIcomment\fR"
+ The new user's password file comment field.
+ .IP "\fB-d\fR \fIhome_dir\fR"
diff --git a/sys-apps/shadow/shadow-4.0.3-r9.ebuild b/sys-apps/shadow/shadow-4.0.3-r9.ebuild
index 8c14828e110a..ccefe1b5887a 100644
--- a/sys-apps/shadow/shadow-4.0.3-r9.ebuild
+++ b/sys-apps/shadow/shadow-4.0.3-r9.ebuild
@@ -1,6 +1,6 @@
-# Copyright 1999-2003 Gentoo Technologies, Inc.
+# Copyright 1999-2004 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/shadow/shadow-4.0.3-r9.ebuild,v 1.6 2003/12/17 04:07:23 brad_mssw Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/shadow/shadow-4.0.3-r9.ebuild,v 1.7 2004/01/22 19:20:09 azarah Exp $
IUSE="pam selinux"
diff --git a/sys-apps/shadow/shadow-4.0.4.1.ebuild b/sys-apps/shadow/shadow-4.0.4.1.ebuild
new file mode 100644
index 000000000000..0e5ce81369c0
--- /dev/null
+++ b/sys-apps/shadow/shadow-4.0.4.1.ebuild
@@ -0,0 +1,197 @@
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/shadow/shadow-4.0.4.1.ebuild,v 1.1 2004/01/22 19:20:09 azarah Exp $
+
+IUSE="pam selinux"
+
+inherit eutils libtool gnuconfig
+
+FORCE_SYSTEMAUTH_UPDATE="no"
+
+SELINUX_PATCH="shadow-4.0.3-selinux.diff"
+
+S="${WORKDIR}/${P}"
+HOMEPAGE="http://shadow.pld.org.pl/"
+DESCRIPTION="Utilities to deal with user accounts"
+SRC_URI="ftp://ftp.pld.org.pl/software/shadow/${P}.tar.bz2"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="~x86 ~amd64 ~ppc ~sparc ~alpha ~mips ~hppa ~arm ~ia64 ~ppc64"
+
+DEPEND=">=sys-libs/cracklib-2.7-r3
+ pam? ( >=sys-libs/pam-0.75-r4 )
+ nls? ( sys-devel/gettext )
+ selinux? ( sys-libs/libselinux )"
+
+RDEPEND=">=sys-libs/cracklib-2.7-r3
+ pam? ( >=sys-libs/pam-0.75-r4 )
+ selinux? ( sys-libs/libselinux )"
+
+
+pkg_preinst() {
+ rm -f ${ROOT}/etc/pam.d/system-auth.new
+}
+
+src_unpack() {
+ unpack ${A}
+
+ cd ${S}
+
+ use selinux && epatch ${FILESDIR}/${SELINUX_PATCH}
+
+ # Get su to call pam_open_session(), and also set DISPLAY and XAUTHORITY,
+ # else the session entries in /etc/pam.d/su never get executed, and
+ # pam_xauth for one, is then never used. This should close bug #8831.
+ #
+ # <azarah@gentoo.org> (19 Oct 2002)
+ use pam && epatch ${FILESDIR}/${P}-su-pam_open_session.patch
+
+ # If su should not simulate a login shell, use '/bin/sh' as shell to enable
+ # running of commands as user with /bin/false as shell, closing bug #15015.
+ #
+ # <azarah@gentoo.org> (23 Feb 2003)
+# This one could be a security hole ...
+# cd ${S}; epatch ${FILESDIR}/${P}-nologin-run-sh.patch
+
+ # Patch the useradd manpage to be a bit more clear, closing bug #13203.
+ # Thanks to Guy <guycad@mindspring.com>.
+ epatch ${FILESDIR}/${P}-useradd-manpage-update.patch
+}
+
+src_compile() {
+ # Allows shadow configure detect mips systems properly
+ gnuconfig_update
+
+ elibtoolize
+
+ local myconf=
+ use pam \
+ && myconf="${myconf} --with-libpam --with-libcrack" \
+ || myconf="${myconf} --without-libpam"
+
+ ./configure --disable-desrpc \
+ --with-libcrypt \
+ --with-libcrack \
+ --enable-shared=no \
+ --enable-static=yes \
+ --host=${CHOST} \
+ `use_enable nls` \
+ ${myconf} || die "bad configure"
+
+ # Parallel make fails sometimes
+ make || die "compile problem"
+}
+
+src_install() {
+ dodir /etc/default /etc/skel
+
+ make prefix=${D}/usr \
+ exec_prefix=${D} \
+ mandir=${D}/usr/share/man \
+ install || die "install problem"
+
+ # Do not install this login, but rather the one from
+ # pam-login, as this one have a serious root exploit
+ # with pam_limits in use.
+ use pam && rm ${D}/bin/login
+
+ mv ${D}/lib ${D}/usr
+ dosed "s:/lib':/usr/lib':g" /usr/lib/libshadow.la
+ dosed "s:/lib/:/usr/lib/:g" /usr/lib/libshadow.la
+ dosed "s:/lib':/usr/lib':g" /usr/lib/libmisc.la
+ dosed "s:/lib/:/usr/lib/:g" /usr/lib/libmisc.la
+ dosym /usr/bin/newgrp /usr/bin/sg
+ dosym /usr/sbin/useradd /usr/sbin/adduser
+ dosym /usr/sbin/vipw /usr/sbin/vigr
+ # Remove dead links
+ rm -f ${D}/bin/{sg,vipw}
+
+ insinto /etc
+ # Using a securetty with devfs device names added
+ # (compat names kept for non-devfs compatibility)
+ insopts -m0600 ; doins ${FILESDIR}/securetty
+ insopts -m0600 ; doins ${S}/etc/login.access
+ insopts -m0644 ; doins ${S}/etc/limits
+
+ # needed for 'adduser -D'
+ insinto /etc/default
+ insopts -m0600
+ doins ${FILESDIR}/default/useradd
+# From sys-apps/pam-login now
+# insopts -m0644 ; doins ${FILESDIR}/login.defs
+
+ if [ `use pam` ] ; then
+ insinto /etc/pam.d ; insopts -m0644
+ for x in ${FILESDIR}/pam.d/*
+ do
+ [ -f ${x} ] && doins ${x}
+ done
+ cd ${FILESDIR}/pam.d
+ # Make sure /etc/pam.d/system-auth is the new version ..
+ mv ${D}/etc/pam.d/system-auth-1.1 ${D}/etc/pam.d/system-auth
+ newins system-auth-1.1 system-auth.new || die
+ newins shadow chage
+ newins shadow chsh
+ newins shadow chfn
+ newins shadow useradd
+ newins shadow groupadd
+ fi
+
+ cd ${S}
+ # The manpage install is beyond my comprehension, and
+ # also broken. Just do it over.
+ rm -rf ${D}/usr/share/man/*
+
+ rm -f man/id.1 man/getspnam.3 man/passwd.5
+ for x in man/*.[0-9]
+ do
+ [ -f ${x} ] && doman ${x}
+ done
+
+ if [ ! `use pam` ] ; then
+ # Dont install the manpage, since we dont use
+ # login with shadow
+ rm -f ${D}/usr/share/man/man1/login.*
+ # We use pam, so this is not applicable.
+ rm -f ${D}/usr/share/man/man5/suauth.*
+ fi
+
+ cd ${S}/doc
+ dodoc ANNOUNCE INSTALL LICENSE README WISHLIST
+ docinto txt
+ dodoc HOWTO LSM README.* *.txt
+
+ # Fix sparc serial console
+ if [ "${ARCH}" = "sparc" -o "${ARCH}" = "" ]
+ then
+ # ttyS0 and its devfsd counterpart (Sparc serial port "A")
+ dosed 's:\(vc/1\)$:tts/0\n\1:' /etc/securetty
+ dosed 's:\(tty1\)$:ttyS0\n\1:' /etc/securetty
+ fi
+}
+
+pkg_postinst() {
+ use pam || return 0;
+ local CHECK1="$(md5sum ${ROOT}/etc/pam.d/system-auth | cut -d ' ' -f 1)"
+ local CHECK2="$(md5sum ${ROOT}/etc/pam.d/system-auth.new | cut -d ' ' -f 1)"
+
+ if [ "${CHECK1}" != "${CHECK2}" -a "${FORCE_SYSTEMAUTH_UPDATE}" = "yes" ]
+ then
+ ewarn "Due to a security issue, ${ROOT}etc/pam.d/system-auth "
+ ewarn "is being updated automatically. Your old "
+ ewarn "system-auth will be backed up as:"
+ ewarn
+ ewarn " ${ROOT}etc/pam.d/system-auth.bak"
+ echo
+
+ cp -a ${ROOT}/etc/pam.d/system-auth \
+ ${ROOT}/etc/pam.d/system-auth.bak;
+ mv -f ${ROOT}/etc/pam.d/system-auth.new \
+ ${ROOT}/etc/pam.d/system-auth
+ rm -f ${ROOT}/etc/pam.d/._cfg????_system-auth
+ else
+ rm -f ${ROOT}/etc/pam.d/system-auth.new
+ fi
+}
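Review bot: In `src_install`, `use pam && rm ${D}/bin/login` is the only step that keeps the login binary out of the image, and the comment above it says that binary has a serious root exploit, yet a failing `rm` is ignored and the install carries on. Make the removal fatal, e.g. `use pam && { rm "${D}/bin/login" || die "could not remove shadow's login"; }`, so a changed install path upstream stops the build instead of shipping the file. Further down, the manpage cleanup is guarded by a negated pam test while its comments ("We use pam, so this is not applicable") describe the pam case, so the condition looks inverted. `if use pam ; then` would match the comments and the exit-status style already used in `src_unpack` and `pkg_postinst`. The `${ROOT}` and `${D}` expansions in `pkg_postinst` and `src_install` are also unquoted, which misbehaves if the root path contains whitespace.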
+