From c5c479e396fe8c45f77c9abb613b492925e1eb10 Mon Sep 17 00:00:00 2001
From: Yukari Chiba
Date: Wed, 3 Sep 2025 15:50:55 +0800
Subject: [PATCH] [shadow] 4.18.0-1: init package
---
 ...-tools-their-man-pages-and-PAM-integ.patch | 724 ++++++++++++++++++
 ...pt-login.defs-for-PAM-and-util-linux.patch | 699 +++++++++++++++++
 ...d-Arch-Linux-defaults-for-login.defs.patch | 73 ++
 LICENSE | 12 +
 PKGBUILD | 113 +++
 shadow.sysusers | 1 +
 shadow.tmpfiles | 1 +
 useradd.defaults | 27 +
 8 files changed, 1650 insertions(+)
 create mode 100644 0001-Disable-replaced-tools-their-man-pages-and-PAM-integ.patch
 create mode 100644 0002-Adapt-login.defs-for-PAM-and-util-linux.patch
 create mode 100644 0003-Add-Arch-Linux-defaults-for-login.defs.patch
 create mode 100644 LICENSE
 create mode 100644 PKGBUILD
 create mode 100644 shadow.sysusers
 create mode 100644 shadow.tmpfiles
 create mode 100644 useradd.defaults
diff --git a/0001-Disable-replaced-tools-their-man-pages-and-PAM-integ.patch b/0001-Disable-replaced-tools-their-man-pages-and-PAM-integ.patch
new file mode 100644
index 000000000..13c9a42fe
--- /dev/null
+++ b/0001-Disable-replaced-tools-their-man-pages-and-PAM-integ.patch
@@ -0,0 +1,724 @@
+From a932bb97a4b564d9552697fad86bbd624602e3aa Mon Sep 17 00:00:00 2001
+From: David Runge
+Date: Sat, 5 Nov 2022 23:40:18 +0100
+Subject: [PATCH 1/3] Disable replaced tools, their man pages and PAM
+ integration
+
+etc/pam.d/Makefile.am:
+Disable installation of PAM integration for `chfn`, `chsh` and `login`
+tools as they are provided by util-linux.
+
+man/Makefile.am, man/*/Makefile.am:
+The `chfn`, `chsh`, `login`, `newgrp`, `nologin`, `vigr`, `vipw` and
+`su` tools are provided by util-linux.
+The `groups` tool is provided by coreutils.
+The `logoutd` tool is no longer used.
+Disable man page integration for all of them.
+
+src/Makefile.am:
+- Set `usbindir` to use `bin` instead of `sbin`, as Arch Linux is a /usr
+ and bin merge distribution.
+- The `chfn`, `chsh`, `login`, `newgrp`, `nologin`, `vigr`, `vipw` and
+ `su` tools are provided by util-linux.
+ The `logoutd` tool is no longer used.
+ Remove their use entirely.
+- Move `newgrp` to replace `sg` (instead of it being a symlink).
+--- + etc/pam.d/Makefile.am | 3 --- + man/Makefile.am | 20 +++----------------- + man/cs/Makefile.am | 9 +++------ + man/da/Makefile.am | 8 +------- + man/de/Makefile.am | 11 +---------- + man/fi/Makefile.am | 5 +---- + man/fr/Makefile.am | 11 +---------- + man/hu/Makefile.am | 6 +----- + man/id/Makefile.am | 2 -- + man/it/Makefile.am | 11 +---------- + man/ja/Makefile.am | 10 +--------- + man/ko/Makefile.am | 3 --- + man/pl/Makefile.am | 7 +------ + man/ru/Makefile.am | 11 +---------- + man/sv/Makefile.am | 8 +------- + man/tr/Makefile.am | 3 --- + man/uk/Makefile.am | 11 +---------- + man/zh_CN/Makefile.am | 11 +---------- + man/zh_TW/Makefile.am | 4 ---- + src/Makefile.am | 18 +++++++----------- + 20 files changed, 25 insertions(+), 147 deletions(-) + +diff --git a/etc/pam.d/Makefile.am b/etc/pam.d/Makefile.am +index a723e381..310ba034 100644 +--- a/etc/pam.d/Makefile.am ++++ b/etc/pam.d/Makefile.am +@@ -3,10 +3,7 @@ + + pamd_files = \ + chpasswd \ +- chfn \ +- chsh \ + groupmems \ +- login \ + newusers \ + passwd + +diff --git a/man/Makefile.am b/man/Makefile.am +index f34ed7ac..d4099ce5 100644 +--- a/man/Makefile.am ++++ b/man/Makefile.am +@@ -8,10 +8,8 @@ endif + + man_MANS = \ + man1/chage.1 \ +- man1/chfn.1 \ + man8/chgpasswd.8 \ + man8/chpasswd.8 \ +- man1/chsh.1 \ + man1/expiry.1 \ + man5/faillog.5 \ + man8/faillog.8 \ +@@ -25,12 +23,9 @@ man_MANS = \ + man8/grpconv.8 \ + man8/grpunconv.8 \ + man5/gshadow.5 \ +- man1/login.1 \ ++ man8/lastlog.8 \ + man5/login.defs.5 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ + man8/newusers.8 \ +- man8/nologin.8 \ + man1/passwd.1 \ + man5/passwd.5 \ + man8/pwck.8 \ +@@ -41,9 +36,7 @@ man_MANS = \ + man5/shadow.5 \ + man8/useradd.8 \ + man8/userdel.8 \ +- man8/usermod.8 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man8/usermod.8 + + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 +@@ -76,10 +69,8 @@ endif + + man_XMANS = \ + chage.1.xml \ +- chfn.1.xml \ + chgpasswd.8.xml \ + chpasswd.8.xml \ +- chsh.1.xml \ + expiry.1.xml \ + 
faillog.5.xml \ + faillog.8.xml \ +@@ -92,12 +83,9 @@ man_XMANS = \ + grpck.8.xml \ + gshadow.5.xml \ + limits.5.xml \ +- login.1.xml \ + login.access.5.xml \ + login.defs.5.xml \ +- logoutd.8.xml \ + newgidmap.1.xml \ +- newgrp.1.xml \ + newuidmap.1.xml \ + newusers.8.xml \ + nologin.8.xml \ +@@ -109,14 +97,12 @@ man_XMANS = \ + shadow.3.xml \ + shadow.5.xml \ + sg.1.xml \ +- su.1.xml \ + suauth.5.xml \ + subgid.5.xml \ + subuid.5.xml \ + useradd.8.xml \ + userdel.8.xml \ +- usermod.8.xml \ +- vipw.8.xml ++ usermod.8.xml + + if ENABLE_LASTLOG + man_XMANS += lastlog.8.xml +diff --git a/man/cs/Makefile.am b/man/cs/Makefile.am +index 45aec38f..88cd649f 100644 +--- a/man/cs/Makefile.am ++++ b/man/cs/Makefile.am +@@ -11,17 +11,14 @@ man_MANS = \ + man8/groupmod.8 \ + man8/grpck.8 \ + man5/gshadow.5 \ +- man8/nologin.8 \ + man5/passwd.5 \ +- man5/shadow.5 \ +- man1/su.1 \ +- man8/vipw.8 ++ man5/shadow.5 + + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 + endif + + EXTRA_DIST = $(man_MANS) \ +- man8/groupmems.8 \ +- man8/logoutd.8 ++ man1/id.1 \ ++ man8/groupmems.8 + +diff --git a/man/da/Makefile.am b/man/da/Makefile.am +index c61b787d..813a2dcd 100644 +--- a/man/da/Makefile.am ++++ b/man/da/Makefile.am +@@ -3,15 +3,9 @@ mandir = @mandir@/da + + # 2012.01.28 - activate manpages with more than 50% translated messages + man_MANS = \ +- man1/chfn.1 \ + man8/groupdel.8 \ + man5/gshadow.5 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ +- man8/nologin.8 \ +- man1/sg.1 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man1/sg.1 + + man_nopam = + +diff --git a/man/de/Makefile.am b/man/de/Makefile.am +index d3a6d6c1..a44d4399 100644 +--- a/man/de/Makefile.am ++++ b/man/de/Makefile.am +@@ -3,10 +3,8 @@ mandir = @mandir@/de + + man_MANS = \ + man1/chage.1 \ +- man1/chfn.1 \ + man8/chgpasswd.8 \ + man8/chpasswd.8 \ +- man1/chsh.1 \ + man1/expiry.1 \ + man5/faillog.5 \ + man8/faillog.8 \ +@@ -20,12 +18,8 @@ man_MANS = \ + man8/grpconv.8 \ + man8/grpunconv.8 \ + man5/gshadow.5 \ +- man1/login.1 \ + 
man5/login.defs.5 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ + man8/newusers.8 \ +- man8/nologin.8 \ + man1/passwd.1 \ + man5/passwd.5 \ + man8/pwck.8 \ +@@ -34,13 +28,10 @@ man_MANS = \ + man1/sg.1 \ + man3/shadow.3 \ + man5/shadow.5 \ +- man1/su.1 \ + man5/suauth.5 \ + man8/useradd.8 \ + man8/userdel.8 \ +- man8/usermod.8 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man8/usermod.8 + + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 +diff --git a/man/fi/Makefile.am b/man/fi/Makefile.am +index 26a1a848..f02b92f3 100644 +--- a/man/fi/Makefile.am ++++ b/man/fi/Makefile.am +@@ -1,10 +1,7 @@ + + mandir = @mandir@/fi + +-man_MANS = \ +- man1/chfn.1 \ +- man1/chsh.1 \ +- man1/su.1 ++man_MANS = + + # Outdated manpages + # passwd.1 (https://bugs.launchpad.net/ubuntu/+bug/384024) +diff --git a/man/fr/Makefile.am b/man/fr/Makefile.am +index 2365e23b..51d255e5 100644 +--- a/man/fr/Makefile.am ++++ b/man/fr/Makefile.am +@@ -3,10 +3,8 @@ mandir = @mandir@/fr + + man_MANS = \ + man1/chage.1 \ +- man1/chfn.1 \ + man8/chgpasswd.8 \ + man8/chpasswd.8 \ +- man1/chsh.1 \ + man1/expiry.1 \ + man5/faillog.5 \ + man8/faillog.8 \ +@@ -20,12 +18,8 @@ man_MANS = \ + man8/grpconv.8 \ + man8/grpunconv.8 \ + man5/gshadow.5 \ +- man1/login.1 \ + man5/login.defs.5 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ + man8/newusers.8 \ +- man8/nologin.8 \ + man1/passwd.1 \ + man5/passwd.5 \ + man8/pwck.8 \ +@@ -34,13 +28,10 @@ man_MANS = \ + man1/sg.1 \ + man3/shadow.3 \ + man5/shadow.5 \ +- man1/su.1 \ + man5/suauth.5 \ + man8/useradd.8 \ + man8/userdel.8 \ +- man8/usermod.8 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man8/usermod.8 + + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 +diff --git a/man/hu/Makefile.am b/man/hu/Makefile.am +index 6bf68e8a..e6c9e780 100644 +--- a/man/hu/Makefile.am ++++ b/man/hu/Makefile.am +@@ -2,14 +2,10 @@ + mandir = @mandir@/hu + + man_MANS = \ +- man1/chsh.1 \ + man1/gpasswd.1 \ +- man1/login.1 \ +- man1/newgrp.1 \ + man1/passwd.1 \ + man5/passwd.5 \ +- man1/sg.1 \ +- man1/su.1 ++ 
man1/sg.1 + + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 +diff --git a/man/id/Makefile.am b/man/id/Makefile.am +index 21f3dbe9..6d10b930 100644 +--- a/man/id/Makefile.am ++++ b/man/id/Makefile.am +@@ -2,8 +2,6 @@ + mandir = @mandir@/id + + man_MANS = \ +- man1/chsh.1 \ +- man1/login.1 \ + man8/useradd.8 + + EXTRA_DIST = $(man_MANS) +diff --git a/man/it/Makefile.am b/man/it/Makefile.am +index 736576c9..1f87a375 100644 +--- a/man/it/Makefile.am ++++ b/man/it/Makefile.am +@@ -3,10 +3,8 @@ mandir = @mandir@/it + + man_MANS = \ + man1/chage.1 \ +- man1/chfn.1 \ + man8/chgpasswd.8 \ + man8/chpasswd.8 \ +- man1/chsh.1 \ + man1/expiry.1 \ + man5/faillog.5 \ + man8/faillog.8 \ +@@ -20,12 +18,8 @@ man_MANS = \ + man8/grpconv.8 \ + man8/grpunconv.8 \ + man5/gshadow.5 \ +- man1/login.1 \ + man5/login.defs.5 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ + man8/newusers.8 \ +- man8/nologin.8 \ + man1/passwd.1 \ + man5/passwd.5 \ + man8/pwck.8 \ +@@ -34,13 +28,10 @@ man_MANS = \ + man1/sg.1 \ + man3/shadow.3 \ + man5/shadow.5 \ +- man1/su.1 \ + man5/suauth.5 \ + man8/useradd.8 \ + man8/userdel.8 \ +- man8/usermod.8 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man8/usermod.8 + + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 +diff --git a/man/ja/Makefile.am b/man/ja/Makefile.am +index b759726c..d241e489 100644 +--- a/man/ja/Makefile.am ++++ b/man/ja/Makefile.am +@@ -3,9 +3,7 @@ mandir = @mandir@/ja + + man_MANS = \ + man1/chage.1 \ +- man1/chfn.1 \ + man8/chpasswd.8 \ +- man1/chsh.1 \ + man1/expiry.1 \ + man5/faillog.5 \ + man8/faillog.8 \ +@@ -16,10 +14,7 @@ man_MANS = \ + man8/grpck.8 \ + man8/grpconv.8 \ + man8/grpunconv.8 \ +- man1/login.1 \ + man5/login.defs.5 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ + man8/newusers.8 \ + man1/passwd.1 \ + man5/passwd.5 \ +@@ -28,13 +23,10 @@ man_MANS = \ + man8/pwunconv.8 \ + man1/sg.1 \ + man5/shadow.5 \ +- man1/su.1 \ + man5/suauth.5 \ + man8/useradd.8 \ + man8/userdel.8 \ +- man8/usermod.8 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man8/usermod.8 + + if 
ENABLE_LASTLOG + man_MANS += man8/lastlog.8 +diff --git a/man/ko/Makefile.am b/man/ko/Makefile.am +index 4f73651b..1efeae52 100644 +--- a/man/ko/Makefile.am ++++ b/man/ko/Makefile.am +@@ -2,9 +2,6 @@ + mandir = @mandir@/ko + + man_MANS = \ +- man1/chfn.1 \ +- man1/chsh.1 \ +- man1/login.1 \ + man5/passwd.5 \ + man1/su.1 \ + man8/vigr.8 \ +diff --git a/man/pl/Makefile.am b/man/pl/Makefile.am +index 2a015f3a..3cc46f71 100644 +--- a/man/pl/Makefile.am ++++ b/man/pl/Makefile.am +@@ -4,7 +4,6 @@ mandir = @mandir@/pl + # 2012.01.28 - activate manpages with more than 50% translated messages + man_MANS = \ + man1/chage.1 \ +- man1/chsh.1 \ + man1/expiry.1 \ + man5/faillog.5 \ + man8/faillog.8 \ +@@ -14,14 +13,10 @@ man_MANS = \ + man8/groupmems.8 \ + man8/groupmod.8 \ + man8/grpck.8 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ + man1/sg.1 \ + man3/shadow.3 \ + man8/userdel.8 \ +- man8/usermod.8 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man8/usermod.8 + + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 +diff --git a/man/ru/Makefile.am b/man/ru/Makefile.am +index 845a603e..850306a0 100644 +--- a/man/ru/Makefile.am ++++ b/man/ru/Makefile.am +@@ -3,10 +3,8 @@ mandir = @mandir@/ru + + man_MANS = \ + man1/chage.1 \ +- man1/chfn.1 \ + man8/chgpasswd.8 \ + man8/chpasswd.8 \ +- man1/chsh.1 \ + man1/expiry.1 \ + man5/faillog.5 \ + man8/faillog.8 \ +@@ -20,12 +18,8 @@ man_MANS = \ + man8/grpconv.8 \ + man8/grpunconv.8 \ + man5/gshadow.5 \ +- man1/login.1 \ + man5/login.defs.5 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ + man8/newusers.8 \ +- man8/nologin.8 \ + man1/passwd.1 \ + man5/passwd.5 \ + man8/pwck.8 \ +@@ -34,13 +28,10 @@ man_MANS = \ + man1/sg.1 \ + man3/shadow.3 \ + man5/shadow.5 \ +- man1/su.1 \ + man5/suauth.5 \ + man8/useradd.8 \ + man8/userdel.8 \ +- man8/usermod.8 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man8/usermod.8 + + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 +diff --git a/man/sv/Makefile.am b/man/sv/Makefile.am +index 1918af72..9bb48df5 100644 +--- a/man/sv/Makefile.am ++++ 
b/man/sv/Makefile.am +@@ -3,7 +3,6 @@ mandir = @mandir@/sv + # 2012.01.28 - activate manpages with more than 50% translated messages + man_MANS = \ + man1/chage.1 \ +- man1/chsh.1 \ + man1/expiry.1 \ + man5/faillog.5 \ + man8/faillog.8 \ +@@ -14,18 +13,13 @@ man_MANS = \ + man8/groupmod.8 \ + man8/grpck.8 \ + man5/gshadow.5 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ +- man8/nologin.8 \ + man1/passwd.1 \ + man5/passwd.5 \ + man8/pwck.8 \ + man1/sg.1 \ + man3/shadow.3 \ + man5/suauth.5 \ +- man8/userdel.8 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man8/userdel.8 + + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 +diff --git a/man/tr/Makefile.am b/man/tr/Makefile.am +index 8d8b9166..4fe3632a 100644 +--- a/man/tr/Makefile.am ++++ b/man/tr/Makefile.am +@@ -2,15 +2,12 @@ mandir = @mandir@/tr + + man_MANS = \ + man1/chage.1 \ +- man1/chfn.1 \ + man8/groupadd.8 \ + man8/groupdel.8 \ + man8/groupmod.8 \ +- man1/login.1 \ + man1/passwd.1 \ + man5/passwd.5 \ + man5/shadow.5 \ +- man1/su.1 \ + man8/useradd.8 \ + man8/userdel.8 \ + man8/usermod.8 +diff --git a/man/uk/Makefile.am b/man/uk/Makefile.am +index a0f106d6..cc20aad2 100644 +--- a/man/uk/Makefile.am ++++ b/man/uk/Makefile.am +@@ -3,10 +3,8 @@ mandir = @mandir@/uk + + man_MANS = \ + man1/chage.1 \ +- man1/chfn.1 \ + man8/chgpasswd.8 \ + man8/chpasswd.8 \ +- man1/chsh.1 \ + man1/expiry.1 \ + man5/faillog.5 \ + man8/faillog.8 \ +@@ -20,12 +18,8 @@ man_MANS = \ + man8/grpconv.8 \ + man8/grpunconv.8 \ + man5/gshadow.5 \ +- man1/login.1 \ + man5/login.defs.5 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ + man8/newusers.8 \ +- man8/nologin.8 \ + man1/passwd.1 \ + man5/passwd.5 \ + man8/pwck.8 \ +@@ -34,13 +28,10 @@ man_MANS = \ + man1/sg.1 \ + man3/shadow.3 \ + man5/shadow.5 \ +- man1/su.1 \ + man5/suauth.5 \ + man8/useradd.8 \ + man8/userdel.8 \ +- man8/usermod.8 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man8/usermod.8 + + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 +diff --git a/man/zh_CN/Makefile.am b/man/zh_CN/Makefile.am +index 
59d1072d..caa29e6d 100644 +--- a/man/zh_CN/Makefile.am ++++ b/man/zh_CN/Makefile.am +@@ -3,10 +3,8 @@ mandir = @mandir@/zh_CN + + man_MANS = \ + man1/chage.1 \ +- man1/chfn.1 \ + man8/chgpasswd.8 \ + man8/chpasswd.8 \ +- man1/chsh.1 \ + man1/expiry.1 \ + man5/faillog.5 \ + man8/faillog.8 \ +@@ -20,12 +18,8 @@ man_MANS = \ + man8/grpconv.8 \ + man8/grpunconv.8 \ + man5/gshadow.5 \ +- man1/login.1 \ + man5/login.defs.5 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ + man8/newusers.8 \ +- man8/nologin.8 \ + man1/passwd.1 \ + man5/passwd.5 \ + man8/pwck.8 \ +@@ -34,13 +28,10 @@ man_MANS = \ + man1/sg.1 \ + man3/shadow.3 \ + man5/shadow.5 \ +- man1/su.1 \ + man5/suauth.5 \ + man8/useradd.8 \ + man8/userdel.8 \ +- man8/usermod.8 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man8/usermod.8 + + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 +diff --git a/man/zh_TW/Makefile.am b/man/zh_TW/Makefile.am +index c36ed2c7..26696b67 100644 +--- a/man/zh_TW/Makefile.am ++++ b/man/zh_TW/Makefile.am +@@ -2,15 +2,11 @@ + mandir = @mandir@/zh_TW + + man_MANS = \ +- man1/chfn.1 \ +- man1/chsh.1 \ + man8/chpasswd.8 \ +- man1/newgrp.1 \ + man8/groupadd.8 \ + man8/groupdel.8 \ + man8/groupmod.8 \ + man5/passwd.5 \ +- man1/su.1 \ + man8/useradd.8 \ + man8/userdel.8 \ + man8/usermod.8 +diff --git a/src/Makefile.am b/src/Makefile.am +index 69818150..ce754591 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -3,7 +3,7 @@ EXTRA_DIST = \ + .indent.pro + + ubindir = ${prefix}/bin +-usbindir = ${prefix}/sbin ++usbindir = ${prefix}/bin + suidperms = 4755 + sgidperms = 2755 + +@@ -26,9 +26,9 @@ AM_CFLAGS = $(LIBBSD_CFLAGS) + # and installation would be much simpler (just two directories, + # $prefix/bin and $prefix/sbin, no install-data hacks...) 
+ +-bin_PROGRAMS = login +-sbin_PROGRAMS = nologin +-ubin_PROGRAMS = faillog chage chfn chsh expiry gpasswd newgrp passwd ++bin_PROGRAMS = ++sbin_PROGRAMS = ++ubin_PROGRAMS = faillog lastlog chage expiry gpasswd newgrp passwd + if ENABLE_SUBIDS + ubin_PROGRAMS += newgidmap newuidmap + endif +@@ -48,22 +48,20 @@ usbin_PROGRAMS = \ + grpck \ + grpconv \ + grpunconv \ +- logoutd \ + newusers \ + pwck \ + pwconv \ + pwunconv \ + useradd \ + userdel \ +- usermod \ +- vipw ++ usermod + + # sulogin from sysvinit + noinst_PROGRAMS = sulogin + + suidusbins = + suidbins = +-suidubins = chage chfn chsh expiry gpasswd newgrp ++suidubins = chage expiry gpasswd newgrp + if WITH_SU + suidbins += su + endif +@@ -135,18 +133,16 @@ sulogin_LDADD = $(LDADD) $(LIBCRYPT) $(LIBECONF) + useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBECONF) -ldl + userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBECONF) -ldl + usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBECONF) -ldl +-vipw_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) + + install-am: all-am + $(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am +- ln -sf newgrp $(DESTDIR)$(ubindir)/sg +- ln -sf vipw $(DESTDIR)$(usbindir)/vigr + set -e; for i in $(suidbins); do \ + chmod $(suidperms) $(DESTDIR)$(bindir)/$$i; \ + done + set -e; for i in $(suidubins); do \ + chmod $(suidperms) $(DESTDIR)$(ubindir)/$$i; \ + done ++ mv -v $(DESTDIR)$(ubindir)/newgrp $(DESTDIR)$(ubindir)/sg + set -e; for i in $(suidusbins); do \ + chmod $(suidperms) $(DESTDIR)$(usbindir)/$$i; \ + done +-- +2.50.0 + diff --git a/0002-Adapt-login.defs-for-PAM-and-util-linux.patch b/0002-Adapt-login.defs-for-PAM-and-util-linux.patch new file mode 100644 index 000000000..64f7e7bf3 --- /dev/null +++ b/0002-Adapt-login.defs-for-PAM-and-util-linux.patch 
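Review bot: In the man/Makefile.am part of this patch, `man8/lastlog.8` is now listed unconditionally in `man_MANS` (the added `+ man8/lastlog.8 \` line that replaces `man1/login.1`) while the existing `if ENABLE_LASTLOG` / `man_MANS += man8/lastlog.8` block a few lines below is kept, so the page is listed twice whenever ENABLE_LASTLOG is set; the unconditional `lastlog` added to `ubin_PROGRAMS` in src/Makefile.am likely has the same duplication if a conditional for it survives outside the hunk. Keeping either the added line or the conditional, not both, keeps the list single-sourced. Separately, man/ko/Makefile.am still installs `man1/su.1` and `man8/vigr.8` although the description states these tools and their man pages come from util-linux, which is inconsistent with the other locales and may collide with util-linux's localized pages. In src/Makefile.am the `mv -v … newgrp … sg` line runs after the `suidubins` chmod loop, so `sg` inherits the `$(suidperms)` mode set on `newgrp`; a comment such as `# newgrp is made setuid by the loop above; the rename keeps that mode on sg` would make the ordering dependency explicit.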
@@ -0,0 +1,699 @@ +From 5ee3a8b44bba6bdbf136931c96bfec71d2f64eb5 Mon Sep 17 00:00:00 2001 +From: David Runge +Date: Mon, 31 Oct 2022 09:45:13 +0100 +Subject: [PATCH 2/3] Adapt login.defs for PAM and util-linux + +etc/login.defs: +Remove unused login.defs options, that are either irrelevant due to the +use of PAM or because the util-linux version of a binary does not +support them. +Modify all options that are ignored when using PAM, but are supported by +util-linux. + +Removed options because they are part of PAMDEFS (options in PAMDEFS are +options silently ignored by shadow when built with PAM enabled): +* CHFN_AUTH +* CRACKLIB_DICTPATH +* ENV_HZ +* ENVIRON_FILE +* ENV_TZ +* FAILLOG_ENAB +* FTMP_FILE +* ISSUE_FILE +* LASTLOG_ENAB +* LOGIN_STRING +* MAIL_CHECK_ENAB +* NOLOGINS_FILE +* OBSCURE_CHECKS_ENAB +* PASS_ALWAYS_WARN +* PASS_CHANGE_TRIES +* PASS_MAX_LEN +* PASS_MIN_LEN +* PORTTIME_CHECKS_ENAB +* QUOTAS_ENAB +* SU_WHEEL_ONLY +* SYSLOG_SU_ENAB +* ULIMIT + +Removed options because they are not availablbe with PAM enabled: +* BCRYPT_MIN_ROUNDS +* BCRYPT_MAX_ROUNDS +* CONSOLE_GROUPS +* CONSOLE +* MD5_CRYPT_ENAB +* PREVENT_NO_AUTH + +Removed encryption methods (`ENCRYPT_METHOD`), because they are unsafe +or not available with PAM: +* BCRYPT +* MD5 + +Removed options because they are not supported by login from util-linux: +* ERASECHAR +* KILLCHAR +* LOG_OK_LOGINS +* TTYTYPE_FILE + +Removed options because they are not supported by su from util-linux: +* SULOG_FILE +* SU_NAME + +Adapted options because they are in PAMDEFS but are supported by login +from util-linux: +* MOTD_FILE + +man/login.defs.5.xml: +Remove unavailable options from man 5 login.defs. 
+--- + etc/login.defs | 223 +------------------------------------------ + man/login.defs.5.xml | 148 +--------------------------- + 2 files changed, 8 insertions(+), 363 deletions(-) + +diff --git a/etc/login.defs b/etc/login.defs +index 33622c29..797ca6b3 100644 +--- a/etc/login.defs ++++ b/etc/login.defs +@@ -3,6 +3,8 @@ + # + # $Id$ + # ++# NOTE: This file is adapted for the use on Arch Linux! ++# Unsupported options due to the use of util-linux or PAM are removed. + + # + # Delay in seconds before being allowed another attempt after a login failure +@@ -11,26 +13,11 @@ + # + FAIL_DELAY 3 + +-# +-# Enable logging and display of /var/log/faillog login(1) failure info. +-# +-FAILLOG_ENAB yes +- + # + # Enable display of unknown usernames when login(1) failures are recorded. + # + LOG_UNKFAIL_ENAB no + +-# +-# Enable logging of successful logins +-# +-LOG_OK_LOGINS no +- +-# +-# Enable logging and display of /var/log/lastlog login(1) time info. +-# +-LASTLOG_ENAB yes +- + # + # Limit the highest user ID number for which the lastlog entries should + # be updated. +@@ -40,88 +27,13 @@ LASTLOG_ENAB yes + # + #LASTLOG_UID_MAX + +-# +-# Enable checking and display of mailbox status upon login. +-# +-# Disable if the shell startup files already check for mail +-# ("mailx -e" or equivalent). +-# +-MAIL_CHECK_ENAB yes +- +-# +-# Enable additional checks upon password changes. +-# +-OBSCURE_CHECKS_ENAB yes +- +-# +-# Enable checking of time restrictions specified in /etc/porttime. +-# +-PORTTIME_CHECKS_ENAB yes +- +-# +-# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field. +-# +-QUOTAS_ENAB yes +- +-# +-# Enable "syslog" logging of su(1) activity - in addition to sulog file logging. +-# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1). +-# +-SYSLOG_SU_ENAB yes +-SYSLOG_SG_ENAB yes +- +-# +-# If defined, either full pathname of a file containing device names or +-# a ":" delimited list of device names. 
Root logins will be allowed only +-# from these devices. +-# +-CONSOLE /etc/securetty +-#CONSOLE console:tty01:tty02:tty03:tty04 +- +-# +-# If defined, all su(1) activity is logged to this file. +-# +-#SULOG_FILE /var/log/sulog +- + # + # If defined, ":" delimited list of "message of the day" files to + # be displayed upon login. + # +-MOTD_FILE /etc/motd ++MOTD_FILE + #MOTD_FILE /etc/motd:/usr/lib/news/news-motd + +-# +-# If defined, this file will be output before each login(1) prompt. +-# +-#ISSUE_FILE /etc/issue +- +-# +-# If defined, file which maps tty line to TERM environment parameter. +-# Each line of the file is in a format similar to "vt100 tty01". +-# +-#TTYTYPE_FILE /etc/ttytype +- +-# +-# If defined, login(1) failures will be logged here in a utmp format. +-# last(1), when invoked as lastb(1), will read /var/log/btmp, so... +-# +-FTMP_FILE /var/log/btmp +- +-# +-# If defined, name of file whose presence will inhibit non-root +-# logins. The content of this file should be a message indicating +-# why logins are inhibited. +-# +-NOLOGINS_FILE /etc/nologin +- +-# +-# If defined, the command name to display when running "su -". For +-# example, if this is defined as "su" then ps(1) will display the +-# command as "-su". If not defined, then ps(1) will display the +-# name of the shell actually being run, e.g. something like "-sh". +-# +-SU_NAME su +- + # + # *REQUIRED* + # Directory where mailboxes reside, _or_ name of file, relative to the +@@ -139,21 +51,6 @@ MAIL_DIR /var/spool/mail + HUSHLOGIN_FILE .hushlogin + #HUSHLOGIN_FILE /etc/hushlogins + +-# +-# If defined, either a TZ environment parameter spec or the +-# fully-rooted pathname of a file containing such a spec. +-# +-#ENV_TZ TZ=CST6CDT +-#ENV_TZ /etc/tzname +- +-# +-# If defined, an HZ environment parameter spec. +-# +-# for Linux/x86 +-ENV_HZ HZ=100 +-# For Linux/Alpha... +-#ENV_HZ HZ=1024 +- + # + # *REQUIRED* The default PATH settings, for superuser and normal users. 
+ # +@@ -175,23 +72,6 @@ ENV_PATH PATH=/bin:/usr/bin + TTYGROUP tty + TTYPERM 0600 + +-# +-# Login configuration initializations: +-# +-# ERASECHAR Terminal ERASE character ('\010' = backspace). +-# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +-# ULIMIT Default "ulimit" value. +-# +-# The ERASECHAR and KILLCHAR are used only on System V machines. +-# The ULIMIT is used only if the system supports it. +-# (now it works with setrlimit too; ulimit is in 512-byte units) +-# +-# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +-# +-ERASECHAR 0177 +-KILLCHAR 025 +-#ULIMIT 2097152 +- + # Default initial "umask" value used by login(1) on non-PAM enabled systems. + # Default "umask" value for pam_umask(8) on PAM enabled systems. + # UMASK is also used by useradd(8) and newusers(8) to set the mode for new +@@ -211,22 +91,12 @@ UMASK 022 + # + # PASS_MAX_DAYS Maximum number of days a password may be used. + # PASS_MIN_DAYS Minimum number of days allowed between password changes. +-# PASS_MIN_LEN Minimum acceptable password length. + # PASS_WARN_AGE Number of days warning given before a password expires. + # + PASS_MAX_DAYS 99999 + PASS_MIN_DAYS 0 +-PASS_MIN_LEN 5 + PASS_WARN_AGE 7 + +-# +-# If "yes", the user must be listed as a member of the first gid 0 group +-# in /etc/group (called "root" on most Linux systems) to be able to "su" +-# to uid 0 accounts. If the group doesn't exist or is empty, no one +-# will be able to "su" to uid 0. +-# +-SU_WHEEL_ONLY no +- + # + # Min/max values for automatic uid selection in useradd(8) + # +@@ -263,28 +133,6 @@ LOGIN_RETRIES 5 + # + LOGIN_TIMEOUT 60 + +-# +-# Maximum number of attempts to change password if rejected (too easy) +-# +-PASS_CHANGE_TRIES 5 +- +-# +-# Warn about weak passwords (but still allow them) if you are root. +-# +-PASS_ALWAYS_WARN yes +- +-# +-# Number of significant characters in the password for crypt(). +-# Default is 8, don't change unless your crypt() is better. 
+-# Ignored if MD5_CRYPT_ENAB set to "yes". +-# +-#PASS_MAX_LEN 8 +- +-# +-# Require password before chfn(1)/chsh(1) can make any changes. +-# +-CHFN_AUTH yes +- + # + # Which fields may be changed by regular users using chfn(1) - use + # any combination of letters "frwh" (full name, room number, work +@@ -293,38 +141,13 @@ CHFN_AUTH yes + # + CHFN_RESTRICT rwh + +-# +-# Password prompt (%s will be replaced by user name). +-# +-# XXX - it doesn't work correctly yet, for now leave it commented out +-# to use the default which is just "Password: ". +-#LOGIN_STRING "%s's Password: " +- +-# +-# Only works if compiled with MD5_CRYPT defined: +-# If set to "yes", new passwords will be encrypted using the MD5-based +-# algorithm compatible with the one used by recent releases of FreeBSD. +-# It supports passwords of unlimited length and longer salt strings. +-# Set to "no" if you need to copy encrypted passwords to other systems +-# which don't understand the new algorithm. Default is "no". +-# +-# Note: If you use PAM, it is recommended to use a value consistent with +-# the PAM modules configuration. +-# +-# This variable is deprecated. You should use ENCRYPT_METHOD instead. +-# +-#MD5_CRYPT_ENAB no +- + # + # Only works if compiled with ENCRYPTMETHOD_SELECT defined: +-# If set to MD5, MD5-based algorithm will be used for encrypting password + # If set to SHA256, SHA256-based algorithm will be used for encrypting password + # If set to SHA512, SHA512-based algorithm will be used for encrypting password +-# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password + # If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password + # If set to DES, DES-based algorithm will be used for encrypting password (default) + # MD5 and DES should not be used for new hashes, see crypt(5) for recommendations. 
+-# Overrides the MD5_CRYPT_ENAB option + # + # Note: If you use PAM, it is recommended to use a value consistent with + # the PAM modules configuration. +@@ -348,21 +171,6 @@ CHFN_RESTRICT rwh + #SHA_CRYPT_MIN_ROUNDS 5000 + #SHA_CRYPT_MAX_ROUNDS 5000 + +-# +-# Only works if ENCRYPT_METHOD is set to BCRYPT. +-# +-# Define the number of BCRYPT rounds. +-# With a lot of rounds, it is more difficult to brute-force the password. +-# However, more CPU resources will be needed to authenticate users if +-# this value is increased. +-# +-# If not specified, 13 rounds will be attempted. +-# If only one of the MIN or MAX values is set, then this value will be used. +-# If MIN > MAX, the highest value will be used. +-# +-#BCRYPT_MIN_ROUNDS 13 +-#BCRYPT_MAX_ROUNDS 13 +- + # + # Only works if ENCRYPT_METHOD is set to YESCRYPT. + # +@@ -376,17 +184,6 @@ CHFN_RESTRICT rwh + # + #YESCRYPT_COST_FACTOR 5 + +-# +-# List of groups to add to the user's supplementary group set +-# when logging in from the console (as determined by the CONSOLE +-# setting). Default is none. +-# +-# Use with caution - it is possible for users to gain permanent +-# access to these groups, even when not logged in from the console. +-# How to do it is left as an exercise for the reader... +-# +-#CONSOLE_GROUPS floppy:audio:cdrom +- + # + # Should login be allowed if we can't cd to the home directory? + # Default is no. +@@ -401,12 +198,6 @@ DEFAULT_HOME yes + # + NONEXISTENT /nonexistent + +-# +-# If this file exists and is readable, login environment will be +-# read from it. Every line should be in the form name=value. +-# +-ENVIRON_FILE /etc/environment +- + # + # If defined, this command is run when removing a user. + # It should remove any at/cron/print jobs etc. owned by +@@ -454,14 +245,6 @@ USERGROUPS_ENAB yes + # + #GRANT_AUX_GROUP_SUBIDS yes + +-# +-# Prevents an empty password field to be interpreted as "no authentication +-# required". 
+-# Set to "yes" to prevent for all accounts +-# Set to "superuser" to prevent for UID 0 / root (default) +-# Set to "no" to not prevent for any account (dangerous, historical default) +-PREVENT_NO_AUTH superuser +- + # + # Select the HMAC cryptography algorithm. + # Used in pam_timestamp module to calculate the keyed-hash message +diff --git a/man/login.defs.5.xml b/man/login.defs.5.xml +index 7263395c..e873b215 100644 +--- a/man/login.defs.5.xml ++++ b/man/login.defs.5.xml +@@ -7,70 +7,38 @@ + --> + +- + +- +- +- + + + +- + + +- +- +- + +- +- +- + + + + +- +- +- + +- + + +- + +- + + +- + +- + +- +- +- +- + + + +- +- + +- +- +- + + + + +- + + + + +- + +- + + + +@@ -147,48 +115,25 @@ + The following configuration items are provided: + + +- &BCRYPT_MIN_ROUNDS; +- &CHFN_AUTH; + &CHFN_RESTRICT; +- &CHSH_AUTH; +- &CONSOLE; +- &CONSOLE_GROUPS; + &CREATE_HOME; + &DEFAULT_HOME; + &ENCRYPT_METHOD; +- &ENV_HZ; + &ENV_PATH; + &ENV_SUPATH; +- &ENV_TZ; +- &ENVIRON_FILE; +- &ERASECHAR; + &FAIL_DELAY; +- &FAILLOG_ENAB; +- &FAKE_SHELL; +- &FTMP_FILE; + &GID_MAX; + &HMAC_CRYPTO_ALGO; + &HOME_MODE; + &HUSHLOGIN_FILE; +- &ISSUE_FILE; +- &KILLCHAR; +- &LASTLOG_ENAB; + &LASTLOG_UID_MAX; +- &LOG_OK_LOGINS; + &LOG_UNKFAIL_ENAB; + &LOGIN_RETRIES; +- &LOGIN_STRING; + &LOGIN_TIMEOUT; +- &MAIL_CHECK_ENAB; + &MAIL_DIR; + &MAX_MEMBERS_PER_GROUP; +- &MD5_CRYPT_ENAB; + &MOTD_FILE; +- &NOLOGINS_FILE; + &NONEXISTENT; +- &OBSCURE_CHECKS_ENAB; +- &PASS_ALWAYS_WARN; +- &PASS_CHANGE_TRIES; + &PASS_MAX_DAYS; + &PASS_MIN_DAYS; + &PASS_WARN_AGE; +@@ -198,25 +143,16 @@ + time of account creation. Any changes to these settings won't affect + existing accounts. 
+ +- &PASS_MAX_LEN; +- &PORTTIME_CHECKS_ENAB; +- "AS_ENAB; + &SHA_CRYPT_MIN_ROUNDS; +- &SULOG_FILE; +- &SU_NAME; +- &SU_WHEEL_ONLY; + &SUB_GID_COUNT; + &SUB_UID_COUNT; + &SYS_GID_MAX; + &SYS_UID_MAX; + &SYSLOG_SG_ENAB; +- &SYSLOG_SU_ENAB; + &TCB_AUTH_GROUP; + &TCB_SYMLINKS; + &TTYGROUP; +- &TTYTYPE_FILE; + &UID_MAX; +- &ULIMIT; + &UMASK; + &USERDEL_CMD; + &USERGROUPS_ENAB; +@@ -255,7 +191,7 @@ + + BCRYPT_MAX_ROUNDS + BCRYPT_MIN_ROUNDS +- ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB ++ ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP + SHA_CRYPT_MAX_ROUNDS + SHA_CRYPT_MIN_ROUNDS + YESCRYPT_COST_FACTOR +@@ -280,7 +216,7 @@ + chsh + + +- CHSH_AUTH LOGIN_STRING ++ CHSH_AUTH + + + +@@ -292,7 +228,7 @@ + + BCRYPT_MAX_ROUNDS + BCRYPT_MIN_ROUNDS +- ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB ++ ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP + SHA_CRYPT_MAX_ROUNDS + SHA_CRYPT_MIN_ROUNDS + YESCRYPT_COST_FACTOR +@@ -351,35 +287,6 @@ + LASTLOG_UID_MAX + + +- +- login +- +- +- CONSOLE +- CONSOLE_GROUPS DEFAULT_HOME +- ENV_HZ ENV_PATH ENV_SUPATH +- ENV_TZ ENVIRON_FILE +- ERASECHAR FAIL_DELAY +- FAILLOG_ENAB +- FAKE_SHELL +- FTMP_FILE +- HUSHLOGIN_FILE +- ISSUE_FILE +- KILLCHAR +- LASTLOG_ENAB LASTLOG_UID_MAX +- LOGIN_RETRIES +- LOGIN_STRING +- LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB +- MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE +- MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB +- QUOTAS_ENAB +- TTYGROUP TTYPERM TTYTYPE_FILE +- ULIMIT UMASK +- USERGROUPS_ENAB +- +- +- +- + + newgrp / sg + +@@ -396,7 +303,7 @@ + BCRYPT_MIN_ROUNDS + ENCRYPT_METHOD + GID_MAX GID_MIN +- MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB ++ MAX_MEMBERS_PER_GROUP + HOME_MODE + PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE + SHA_CRYPT_MAX_ROUNDS +@@ -416,8 +323,7 @@ + + BCRYPT_MAX_ROUNDS + BCRYPT_MIN_ROUNDS +- ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB +- PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN ++ ENCRYPT_METHOD + SHA_CRYPT_MAX_ROUNDS + SHA_CRYPT_MIN_ROUNDS + YESCRYPT_COST_FACTOR +@@ -450,32 +356,6 @@ + + 
+ +- +- su +- +- +- CONSOLE +- CONSOLE_GROUPS DEFAULT_HOME +- ENV_HZ ENVIRON_FILE +- ENV_PATH ENV_SUPATH +- ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB +- MAIL_DIR MAIL_FILE QUOTAS_ENAB +- SULOG_FILE SU_NAME +- SU_WHEEL_ONLY +- SYSLOG_SU_ENAB +- USERGROUPS_ENAB +- +- +- +- +- sulogin +- +- +- ENV_HZ +- ENV_TZ +- +- +- + + useradd + +@@ -504,24 +384,6 @@ + + + +- +- usermod +- +- +- LASTLOG_UID_MAX +- MAIL_DIR MAIL_FILE MAX_MEMBERS_PER_GROUP +- TCB_SYMLINKS USE_TCB +- +- +- +- +- vipw +- +- +- USE_TCB +- +- +- + + + +-- +2.50.0 + diff --git a/0003-Add-Arch-Linux-defaults-for-login.defs.patch b/0003-Add-Arch-Linux-defaults-for-login.defs.patch new file mode 100644 index 000000000..0ad8546d7 --- /dev/null +++ b/0003-Add-Arch-Linux-defaults-for-login.defs.patch 
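Review bot: The man/login.defs.5.xml hunks remove `&BCRYPT_MIN_ROUNDS;` from the main option list and etc/login.defs drops the BCRYPT_* settings, but the per-command lists at the `@@ -255`, `@@ -292`, `@@ -396` and `@@ -416` hunks still carry `BCRYPT_MAX_ROUNDS` and `BCRYPT_MIN_ROUNDS` as context, so the rendered page keeps documenting options the description declares unavailable. The same holds for `CHSH_AUTH` in the chsh section at the `@@ -280` hunk after `&CHSH_AUTH;` is dropped from the list. In etc/login.defs, `+MOTD_FILE` is now set with an empty value while the comment above it still reads `If defined, ":" delimited list of "message of the day" files`; a comment stating why it is blank (presumably because MOTD display is left to the PAM stack — confirm) would keep the next reader from treating it as a mistake. `&FAKE_SHELL;` is also removed at the `@@ -147` hunk without being named in any of the lists in the description.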
@@ -0,0 +1,73 @@
+From 23800dc9ac32da588f516371caf026dd67e1597f Mon Sep 17 00:00:00 2001
+From: David Runge
+Date: Mon, 31 Oct 2022 10:10:22 +0100
+Subject: [PATCH 3/3] Add Arch Linux defaults for login.defs
+
+etc/login.defs:
+- Change `ENV_PATH` and `ENV_SUPATH` to only use
+ /usr/local/sbin:/usr/local/bin:/usr/bin as Arch Linux is a /usr and
+ bin merge distribution.
+- Set `HOME_MODE` to `0700` to be able to rely on a `UMASK` of `022`
+ while creating home directories in a privacy conserving manner.
+- Change SYS_UID_MIN and SYS_GID_MIN to 500 which gives more space for
+ distribution added UIDs and GIDs of system users.
+- Change ENCRYPT_METHOD to YESCRYPT as it is a safer hashing algorithm
+ than DES.
+---
+ etc/login.defs | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/etc/login.defs b/etc/login.defs
+index 797ca6b3..c4accbf8 100644
+--- a/etc/login.defs
++++ b/etc/login.defs
+@@ -55,8 +55,8 @@ HUSHLOGIN_FILE .hushlogin
+ # *REQUIRED* The default PATH settings, for superuser and normal users.
+ #
+ # (they are minimal, add the rest in the shell startup files)
+-ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
+-ENV_PATH PATH=/bin:/usr/bin
++ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
++ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
+ 
+ #
+ # Terminal permissions
+@@ -84,7 +84,7 @@ UMASK 022
+ # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+ # home directories.
+ # If HOME_MODE is not set, the value of UMASK is used to create the mode.
+-#HOME_MODE 0700
++HOME_MODE 0700
+ 
+ #
+ # Password aging controls:
+@@ -103,7 +103,7 @@ PASS_WARN_AGE 7
+ UID_MIN 1000
+ UID_MAX 60000
+ # System accounts
+-SYS_UID_MIN 101
++SYS_UID_MIN 500
+ SYS_UID_MAX 999
+ # Extra per user uids
+ SUB_UID_MIN 100000
+@@ -116,7 +116,7 @@ SUB_UID_COUNT 65536
+ GID_MIN 1000
+ GID_MAX 60000
+ # System accounts
+-SYS_GID_MIN 101
++SYS_GID_MIN 500
+ SYS_GID_MAX 999
+ # Extra per user group ids
+ SUB_GID_MIN 100000
+@@ -152,7 +152,7 @@ CHFN_RESTRICT rwh
+ # Note: If you use PAM, it is recommended to use a value consistent with
+ # the PAM modules configuration.
+ #
+-#ENCRYPT_METHOD DES
++ENCRYPT_METHOD YESCRYPT
+ 
+ #
+ # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
+--
+2.50.0
+
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 000000000..b87c5e4be
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,12 @@
+Copyright Arch Linux Contributors
+
+Permission to use, copy, modify, and/or distribute this software for
+any purpose with or without fee is hereby granted.
+
+THE SOFTWARE IS PROVIDED “AS IS” AND THE AUTHOR DISCLAIMS ALL
+WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE
+FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY
+DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
+AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000..30ff0e906
--- /dev/null
+++ b/PKGBUILD
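Review bot: `ENCRYPT_METHOD YESCRYPT` only governs hashing on shadow's non-PAM code paths, yet the PKGBUILD in this same commit configures `--with-libpam`, under which passwd(1) delegates to PAM and chpasswd/newusers do too unless a crypt method is passed on the command line; the hunk's own context line (`# Note: If you use PAM, it is recommended to use a value consistent with the PAM modules configuration.`) is exactly this warning. Unless the shipped `/etc/pam.d/` stacks also select yescrypt in pam_unix, new passwords may be stored with a different, possibly weaker, hash than the commit message promises, so that should be confirmed against the pam_unix arguments. The hunk also leaves the cost parameter implicit: the visible `# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.` comment covers the SHA rounds, and the yescrypt knob listed in the man-page patch above (`YESCRYPT_COST_FACTOR`) is not set here, so an explicit line such as `YESCRYPT_COST_FACTOR 5` next to the new setting would document the intended strength instead of relying on the built-in default. Finally, the line replaced is a commented-out `#ENCRYPT_METHOD DES`, so "safer than DES" in the description overstates the previous effective default, which the hunk does not show.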
@@ -0,0 +1,113 @@
+# Maintainer: Yukari Chiba
+
+pkgname=shadow
+pkgver=4.18.0
+pkgrel=1
+pkgdesc="Password and account management tool suite with support for shadow files and PAM"
+arch=(x86_64 aarch64 riscv64 loongarch64)
+url="https://github.com/shadow-maint/shadow"
+license=(
+ 0BSD
+ BSD-3-Clause
+)
+depends=(
+ musl
+)
+makedepends=(
+ acl
+ attr
+ docbook-xsl
+ git
+ itstool
+ libcap
+ libxcrypt
+ libxslt
+ linux-headers
+ pam
+)
+backup=(
+ etc/default/useradd
+ etc/login.defs
+ etc/pam.d/chpasswd
+ etc/pam.d/groupmems
+ etc/pam.d/newusers
+ etc/pam.d/passwd
+)
+options=(!emptydirs)
+# NOTE: distribution patches are taken from https://gitlab.archlinux.org/archlinux/packaging/upstream/shadow/-/commits/4.18.0.arch1
+source=(
+ git+$url.git#tag=$pkgver
+ 0001-Disable-replaced-tools-their-man-pages-and-PAM-integ.patch
+ 0002-Adapt-login.defs-for-PAM-and-util-linux.patch
+ 0003-Add-Arch-Linux-defaults-for-login.defs.patch
+ shadow.{sysusers,tmpfiles}
+ useradd.defaults
+ LICENSE
+)
+sha512sums=('14275673ac2a7eecf13079cb8896eb49293d5bc5504f7900f359e0f21a107848d207aaf5c43d39cf96c0ee9e289929d1e53d2ecfbb39cfcc8175a86d85337eb8'
+ '127948d66a3be0874d7118e674afc7a15eb9047ea943f7feca81922376ca9bdf52000ad48dca7cb4c32b8f9bd4558eeff4f0701e4944aedc1b1779c35ef26c47'
+ '5e47fef33ccd0cf5ce92a049f8cedc7c8d720740f0407e3f281b294d9538edf17714769c990698320a8c27efc63dce56682d2857b8d7f2108909d66fd314974a'
+ '90f46612970f324f60ab5d997ec202b53a829f1c802ea10c16b8ebd075529f5193eee3aca842a03504a9a492d23e763208ad82904c05e274a02be1b5edd2bd12'
+ '5afac4a96b599b0b8ed7be751e7160037c3beb191629928c6520bfd3f2adcd1c55c31029c92c2ff8543e6cd9e37e2cd515ba4e1789c6d66f9c93b4e7f209ee7a'
+ '97a6a57c07502e02669dc1a91bffc447dba7d98d208b798d80e07de0d2fdf9d23264453978d2d3d1ba6652ca1f2e22cdadc4309c7b311e83fa71b00ad144f877'
+ '706ba6e7fa8298475f2605a28daffef421c9fa8d269cbd5cbcf7f7cb795b40a24d52c20e8d0b73e29e6cd35cd7226b3e9738dc513703e87dde04c1d24087a69c'
+ 'a33658d9271e5c537ccd41bf540b463ad2a5eca4a060c80486ff42a736f0aa042d10436e7177c34d792177cb11285243dee1f31c4df54fb0bfaabbc306406930')
+
+prepare() {
+ _patch_ $pkgname
+ cd $pkgname
+ autoreconf -fiv
+}
+
+build() {
+ local configure_options=(
+ --bindir=/usr/bin
+ --disable-account-tools-setuid # no setuid for chgpasswd, chpasswd, groupadd, groupdel, groupmod, newusers, useradd, userdel, usermod
+ --enable-man
+ --libdir=/usr/lib
+ --mandir=/usr/share/man
+ --prefix=/usr
+ --sbindir=/usr/bin
+ --sysconfdir=/etc
+ --without-audit
+ --with-fcaps # use capabilities instead of setuid for setuidmap and setgidmap
+ --with-group-name-max-length=32
+ --with-libpam # PAM integration for chpasswd, groupmems, newusers, passwd
+ --with-yescrypt
+ --without-bcrypt
+ --without-libbsd # shadow can use internal implementation for getting passphrase
+ --without-nscd # we do not ship nscd anymore
+ --without-selinux
+ --without-su # su is provided by util-linux
+ )
+
+ cd $pkgname
+ # add extra check, preventing accidental deletion of other user's home dirs when using `userdel -r `
+ export CFLAGS="$CFLAGS -DEXTRA_CHECK_HOME_DIR"
+ ./configure "${configure_options[@]}"
+ make
+}
+
+package() {
+ depends+=(
+ acl attr libxcrypt pam
+ )
+
+ cd $pkgname
+
+ make DESTDIR="$pkgdir" install
+ make DESTDIR="$pkgdir" -C man install
+
+ # license
+ install -vDm 644 COPYING -t "$pkgdir/usr/share/licenses/$pkgname/"
+ install -vDm 644 ../LICENSE "$pkgdir/usr/share/licenses/$pkgname/0BSD.txt"
+
+ # custom useradd(8) defaults (not provided by upstream)
+ install -vDm 600 ../useradd.defaults "$pkgdir/etc/default/useradd"
+
+ install -vDm 644 ../$pkgname.sysusers "$pkgdir/usr/lib/sysusers.d/$pkgname.conf"
+ install -vDm 644 ../$pkgname.tmpfiles "$pkgdir/usr/lib/tmpfiles.d/$pkgname.conf"
+
+ # adapt executables to match the modes used by tmpfiles.d, so that pacman does not complain:
+ chmod 750 "$pkgdir/usr/bin/groupmems"
+}
diff --git a/shadow.sysusers b/shadow.sysusers
new file mode 100644
index 000000000..fc536aa20
--- /dev/null
+++ b/shadow.sysusers
@@ -0,0 +1 @@
+g groups - -
diff --git a/shadow.tmpfiles b/shadow.tmpfiles
new file mode 100644
index 000000000..dabf54576
--- /dev/null
+++ b/shadow.tmpfiles
@@ -0,0 +1 @@
+z /usr/bin/groupmems 2750 root groups - -
diff --git a/useradd.defaults b/useradd.defaults
new file mode 100644
index 000000000..9bc422c52
--- /dev/null
+++ b/useradd.defaults
@@ -0,0 +1,27 @@
+# Default values for useradd(8)
+#
+# The SHELL variable specifies the default login shell on your
+# system.
+SHELL=/usr/bin/bash
+
+# The default group for users
+GROUP=users
+
+# The default home directory.
+HOME=/home
+
+# The number of days after a password expires until the account is permanently
+# disabled
+INACTIVE=-1
+
+# The default expire date
+EXPIRE=
+
+# The SKEL variable specifies the directory containing "skeletal" user files;
+# in other words, files such as a sample .profile that will be copied to the
+# new user's home directory when it is created.
+SKEL=/etc/skel
+
+# Defines whether the mail spool should be created while
+# creating the account
+CREATE_MAIL_SPOOL=no
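Review bot: The upstream source is fetched as `git+$url.git#tag=$pkgver` with no signature verification, and a tag is a mutable ref; unless this makepkg verifies git checkouts against the first entry in `sha512sums` (recent pacman releases can), nothing ties the build to the exact tree the maintainer reviewed, and even when it does the pin is implicit and silent about provenance. For an account-management package that installs file-capability binaries and PAM-integrated tools, pin the checkout explicitly with `#commit=<sha>` or, better, fetch it as `git+$url.git?signed#tag=$pkgver` and add a `validpgpkeys=(...)` entry holding the upstream release signing key so makepkg checks the tag signature before building. The Arch packaging this is copied from (per the NOTE comment) is the place to confirm which key upstream signs releases with.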