diff --git a/SOURCES/shadow-4.3.1-manfix.patch b/SOURCES/shadow-4.3.1-manfix.patch deleted file mode 100644 index bd1577e..0000000 --- a/SOURCES/shadow-4.3.1-manfix.patch +++ /dev/null 
@@ -1,349 +0,0 @@ -Index: shadow-4.5/man/groupmems.8.xml -=================================================================== ---- shadow-4.5.orig/man/groupmems.8.xml -+++ shadow-4.5/man/groupmems.8.xml -@@ -179,20 +179,10 @@ - - SETUP - -- The groupmems executable should be in mode -- 2770 as user root and in group -- groups. The system administrator can add users to -- group groups to allow or disallow them using the -- groupmems utility to manage their own group -- membership list. -+ In this operating system the groupmems executable -+ is not setuid and regular users cannot use it to manipulate -+ the membership of their own group. - -- -- -- $ groupadd -r groups -- $ chmod 2770 groupmems -- $ chown root.groups groupmems -- $ groupmems -g groups -a gk4 -- - - - -Index: shadow-4.5/man/chage.1.xml -=================================================================== ---- shadow-4.5.orig/man/chage.1.xml -+++ shadow-4.5/man/chage.1.xml -@@ -102,6 +102,9 @@ - Set the number of days since January 1st, 1970 when the password - was last changed. The date may also be expressed in the format - YYYY-MM-DD (or the format more commonly used in your area). -+ If the LAST_DAY is set to -+ 0 the user is forced to change his password -+ on the next log on. - - - -@@ -119,6 +122,13 @@ - system again. - - -+ For example the following can be used to set an account to expire -+ in 180 days: -+ -+ -+ chage -E $(date -d +180days +%Y-%m-%d) -+ -+ - Passing the number -1 as the - EXPIRE_DATE will remove an account - expiration date. -@@ -233,6 +243,18 @@ - The chage program requires a shadow password file to - be available. - -+ -+ The chage program will report only the information from the shadow -+ password file. This implies that configuration from other sources -+ (e.g. LDAP or empty password hash field from the passwd file) that -+ affect the user's login will not be shown in the chage output. 
-+ -+ -+ The chage program will also not report any -+ inconsistency between the shadow and passwd files (e.g. missing x in -+ the passwd file). The pwck can be used to check -+ for this kind of inconsistencies. -+ - The chage command is restricted to the root - user, except for the option, which may be used by - an unprivileged user to determine when their password or account is due -Index: shadow-4.5/man/ja/man5/login.defs.5 -=================================================================== ---- shadow-4.5.orig/man/ja/man5/login.defs.5 -+++ shadow-4.5/man/ja/man5/login.defs.5 -@@ -147,10 +147,6 @@ PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_ - shadow パスワード機能のどのプログラムが - どのパラメータを使用するかを示したものである。 - .na --.IP chfn 12 --CHFN_AUTH CHFN_RESTRICT --.IP chsh 12 --CHFN_AUTH - .IP groupadd 12 - GID_MAX GID_MIN - .IP newusers 12 -Index: shadow-4.5/man/login.defs.5.xml -=================================================================== ---- shadow-4.5.orig/man/login.defs.5.xml -+++ shadow-4.5/man/login.defs.5.xml -@@ -162,6 +162,17 @@ - long numeric parameters is machine-dependent. - - -+ -+ Please note that the parameters in this configuration file control the -+ behavior of the tools from the shadow-utils component. None of these -+ tools uses the PAM mechanism, and the utilities that use PAM (such as the -+ passwd command) should be configured elsewhere. The only values that -+ affect PAM modules are ENCRYPT_METHOD and SHA_CRYPT_MAX_ROUNDS -+ for pam_unix module, FAIL_DELAY for pam_faildelay module, -+ and UMASK for pam_umask module. Refer to -+ pam(8) for more information. 
-+ -+ - The following configuration items are provided: - - -@@ -252,16 +263,6 @@ - - - -- chfn -- -- -- CHFN_AUTH -- CHFN_RESTRICT -- LOGIN_STRING -- -- -- -- - chgpasswd - - -@@ -282,14 +283,6 @@ - - - -- -- chsh -- -- -- CHSH_AUTH LOGIN_STRING -- -- -- - - - -@@ -350,34 +343,6 @@ - - - -- -- login -- -- -- CONSOLE -- CONSOLE_GROUPS DEFAULT_HOME -- ENV_HZ ENV_PATH ENV_SUPATH -- ENV_TZ ENVIRON_FILE -- ERASECHAR FAIL_DELAY -- FAILLOG_ENAB -- FAKE_SHELL -- FTMP_FILE -- HUSHLOGIN_FILE -- ISSUE_FILE -- KILLCHAR -- LASTLOG_ENAB -- LOGIN_RETRIES -- LOGIN_STRING -- LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB -- MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE -- MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB -- QUOTAS_ENAB -- TTYGROUP TTYPERM TTYTYPE_FILE -- ULIMIT UMASK -- USERGROUPS_ENAB -- -- -- - - - newgrp / sg -@@ -405,17 +370,6 @@ - - - -- -- passwd -- -- -- ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB -- PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN -- SHA_CRYPT_MAX_ROUNDS -- SHA_CRYPT_MIN_ROUNDS -- -- -- - - pwck - -@@ -442,32 +396,6 @@ - - - -- -- su -- -- -- CONSOLE -- CONSOLE_GROUPS DEFAULT_HOME -- ENV_HZ ENVIRON_FILE -- ENV_PATH ENV_SUPATH -- ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB -- MAIL_DIR MAIL_FILE QUOTAS_ENAB -- SULOG_FILE SU_NAME -- SU_WHEEL_ONLY -- SYSLOG_SU_ENAB -- USERGROUPS_ENAB -- -- -- -- -- sulogin -- -- -- ENV_HZ -- ENV_TZ -- -- -- - - useradd - -Index: shadow-4.5/man/shadow.5.xml -=================================================================== ---- shadow-4.5.orig/man/shadow.5.xml -+++ shadow-4.5/man/shadow.5.xml -@@ -129,7 +129,7 @@ - - - The date of the last password change, expressed as the number -- of days since Jan 1, 1970. -+ of days since Jan 1, 1970 00:00 UTC. - - - The value 0 has a special meaning, which is that the user -@@ -208,8 +208,8 @@ - - - After expiration of the password and this expiration period is -- elapsed, no login is possible using the current user's -- password. The user should contact her administrator. 
-+ elapsed, no login is possible for the user. -+ The user should contact her administrator. - - - An empty field means that there are no enforcement of an -@@ -224,7 +224,7 @@ - - - The date of expiration of the account, expressed as the number -- of days since Jan 1, 1970. -+ of days since Jan 1, 1970 00:00 UTC. - - - Note that an account expiration differs from a password -Index: shadow-4.5/man/useradd.8.xml -=================================================================== ---- shadow-4.5.orig/man/useradd.8.xml -+++ shadow-4.5/man/useradd.8.xml -@@ -347,6 +347,11 @@ - is not enabled, no home - directories are created. - -+ -+ The directory where the user's home directory is created must -+ exist and have proper SELinux context and permissions. Otherwise -+ the user's home directory cannot be created or accessed. -+ - - - -Index: shadow-4.5/man/usermod.8.xml -=================================================================== ---- shadow-4.5.orig/man/usermod.8.xml -+++ shadow-4.5/man/usermod.8.xml -@@ -132,7 +132,8 @@ - If the - option is given, the contents of the current home directory will - be moved to the new home directory, which is created if it does -- not already exist. -+ not already exist. If the current home directory does not exist -+ the new home directory will not be created. - - - -@@ -256,7 +257,8 @@ - - - Move the content of the user's home directory to the new -- location. -+ location. If the current home directory does not exist -+ the new home directory will not be created. - - - This option is only valid in combination with the -diff --git a/man/login.defs.d/SUB_GID_COUNT.xml b/man/login.defs.d/SUB_GID_COUNT.xml -index 01ace007..93fe7421 100644 ---- a/man/login.defs.d/SUB_GID_COUNT.xml -+++ b/man/login.defs.d/SUB_GID_COUNT.xml -@@ -42,7 +42,7 @@ - - The default values for , - , -- are respectively 100000, 600100000 and 10000. -+ are respectively 100000, 600100000 and 65536. 
- - - -diff --git a/man/login.defs.d/SUB_UID_COUNT.xml b/man/login.defs.d/SUB_UID_COUNT.xml -index 5ad812f7..516417b7 100644 ---- a/man/login.defs.d/SUB_UID_COUNT.xml -+++ b/man/login.defs.d/SUB_UID_COUNT.xml -@@ -42,7 +42,7 @@ - - The default values for , - , -- are respectively 100000, 600100000 and 10000. -+ are respectively 100000, 600100000 and 65536. - - - -diff -up shadow-4.6/man/groupadd.8.xml.manfix shadow-4.6/man/groupadd.8.xml ---- shadow-4.6/man/groupadd.8.xml.manfix 2019-04-02 16:35:52.096637444 +0200 -+++ shadow-4.6/man/groupadd.8.xml 2019-06-07 14:23:57.477602106 +0200 -@@ -320,13 +320,13 @@ - - 4 - -- GID not unique (when not used) -+ GID is already used (when called without ) - - - - 9 - -- group name not unique -+ group name is already used - - - - diff --git a/SOURCES/shadow-4.5-goodname.patch b/SOURCES/shadow-4.5-goodname.patch deleted file mode 100644 index 2f82828..0000000 --- a/SOURCES/shadow-4.5-goodname.patch +++ /dev/null 
@@ -1,110 +0,0 @@ -Index: shadow-4.5/libmisc/chkname.c -=================================================================== ---- shadow-4.5.orig/libmisc/chkname.c -+++ shadow-4.5/libmisc/chkname.c -@@ -47,27 +47,46 @@ - #include "chkname.h" - - static bool is_valid_name (const char *name) --{ -+{ - /* -- * User/group names must match [a-z_][a-z0-9_-]*[$] -- */ -- if (('\0' == *name) || -- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) { -+ * User/group names must match gnu e-regex: -+ * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]? -+ * -+ * as a non-POSIX, extension, allow "$" as the last char for -+ * sake of Samba 3.x "add machine script" -+ * -+ * Also do not allow fully numeric names or just "." or "..". -+ */ -+ int numeric; -+ -+ if ('\0' == *name || -+ ('.' == *name && (('.' == name[1] && '\0' == name[2]) || -+ '\0' == name[1])) || -+ !((*name >= 'a' && *name <= 'z') || -+ (*name >= 'A' && *name <= 'Z') || -+ (*name >= '0' && *name <= '9') || -+ *name == '_' || -+ *name == '.')) { - return false; - } - -+ numeric = isdigit(*name); -+ - while ('\0' != *++name) { -- if (!(( ('a' <= *name) && ('z' >= *name) ) || -- ( ('0' <= *name) && ('9' >= *name) ) || -- ('_' == *name) || -- ('-' == *name) || -- ( ('$' == *name) && ('\0' == *(name + 1)) ) -+ if (!((*name >= 'a' && *name <= 'z') || -+ (*name >= 'A' && *name <= 'Z') || -+ (*name >= '0' && *name <= '9') || -+ *name == '_' || -+ *name == '.' || -+ *name == '-' || -+ (*name == '$' && name[1] == '\0') - )) { - return false; - } -+ numeric &= isdigit(*name); - } - -- return true; -+ return !numeric; - } - - bool is_valid_user_name (const char *name) -Index: shadow-4.5/man/groupadd.8.xml -=================================================================== ---- shadow-4.5.orig/man/groupadd.8.xml -+++ shadow-4.5/man/groupadd.8.xml -@@ -256,10 +256,14 @@ - - CAVEATS - -- Groupnames must start with a lower case letter or an underscore, -- followed by lower case letters, digits, underscores, or dashes. 
-- They can end with a dollar sign. -- In regular expression terms: [a-z_][a-z0-9_-]*[$]? -+ Groupnames may contain only lower and upper case letters, digits, -+ underscores, or dashes. They can end with a dollar sign. -+ -+ Dashes are not allowed at the beginning of the groupname. -+ Fully numeric groupnames and groupnames . or .. are -+ also disallowed. -+ -+ In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]? - - - Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long. -Index: shadow-4.5/man/useradd.8.xml -=================================================================== ---- shadow-4.5.orig/man/useradd.8.xml -+++ shadow-4.5/man/useradd.8.xml -@@ -633,10 +633,16 @@ - - - -- Usernames must start with a lower case letter or an underscore, -- followed by lower case letters, digits, underscores, or dashes. -- They can end with a dollar sign. -- In regular expression terms: [a-z_][a-z0-9_-]*[$]? -+ Usernames may contain only lower and upper case letters, digits, -+ underscores, or dashes. They can end with a dollar sign. -+ -+ Dashes are not allowed at the beginning of the username. -+ Fully numeric usernames and usernames . or .. are -+ also disallowed. It is not recommended to use usernames beginning -+ with . character as their home directories will be hidden in -+ the ls output. -+ -+ In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]? - - - Usernames may only be up to 32 characters long. diff --git a/SOURCES/shadow-4.6-goodname.patch b/SOURCES/shadow-4.6-goodname.patch new file mode 100644 index 0000000..13b5f75 --- /dev/null +++ b/SOURCES/shadow-4.6-goodname.patch 
@@ -0,0 +1,104 @@ +diff -up shadow-4.6/libmisc/chkname.c.goodname shadow-4.6/libmisc/chkname.c +--- shadow-4.6/libmisc/chkname.c.goodname 2020-10-23 12:50:47.202529031 +0200 ++++ shadow-4.6/libmisc/chkname.c 2020-10-23 12:54:54.604692559 +0200 +@@ -49,25 +49,44 @@ + static bool is_valid_name (const char *name) + { + /* +- * User/group names must match [a-z_][a-z0-9_-]*[$] +- */ +- if (('\0' == *name) || +- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) { ++ * User/group names must match gnu e-regex: ++ * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]? ++ * ++ * as a non-POSIX, extension, allow "$" as the last char for ++ * sake of Samba 3.x "add machine script" ++ * ++ * Also do not allow fully numeric names or just "." or "..". ++ */ ++ int numeric; ++ ++ if ('\0' == *name || ++ ('.' == *name && (('.' == name[1] && '\0' == name[2]) || ++ '\0' == name[1])) || ++ !((*name >= 'a' && *name <= 'z') || ++ (*name >= 'A' && *name <= 'Z') || ++ (*name >= '0' && *name <= '9') || ++ *name == '_' || ++ *name == '.')) { + return false; + } + ++ numeric = isdigit(*name); ++ + while ('\0' != *++name) { +- if (!(( ('a' <= *name) && ('z' >= *name) ) || +- ( ('0' <= *name) && ('9' >= *name) ) || +- ('_' == *name) || +- ('-' == *name) || +- ( ('$' == *name) && ('\0' == *(name + 1)) ) ++ if (!((*name >= 'a' && *name <= 'z') || ++ (*name >= 'A' && *name <= 'Z') || ++ (*name >= '0' && *name <= '9') || ++ *name == '_' || ++ *name == '.' 
|| ++ *name == '-' || ++ (*name == '$' && name[1] == '\0') + )) { + return false; + } ++ numeric &= isdigit(*name); + } + +- return true; ++ return !numeric; + } + + bool is_valid_user_name (const char *name) +diff -up shadow-4.6/man/groupadd.8.xml.goodname shadow-4.6/man/groupadd.8.xml +--- shadow-4.6/man/groupadd.8.xml.goodname 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/man/groupadd.8.xml 2020-10-23 12:50:47.202529031 +0200 +@@ -273,10 +273,14 @@ + + CAVEATS + +- Groupnames must start with a lower case letter or an underscore, +- followed by lower case letters, digits, underscores, or dashes. +- They can end with a dollar sign. +- In regular expression terms: [a-z_][a-z0-9_-]*[$]? ++ Groupnames may begin with lower and upper case letters, digits, ++ underscores, or periods. They may continue with all the aforementioned ++ characters, or dashes. Finally, they can end with a dollar sign. ++ ++ Fully numeric groupnames and groupnames containing only . or .. are ++ disallowed. ++ ++ In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]? + + + Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long. +diff -up shadow-4.6/man/useradd.8.xml.goodname shadow-4.6/man/useradd.8.xml +--- shadow-4.6/man/useradd.8.xml.goodname 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/man/useradd.8.xml 2020-10-23 12:50:47.202529031 +0200 +@@ -650,10 +650,16 @@ + + + +- Usernames must start with a lower case letter or an underscore, +- followed by lower case letters, digits, underscores, or dashes. +- They can end with a dollar sign. +- In regular expression terms: [a-z_][a-z0-9_-]*[$]? ++ Usernames may begin with lower and upper case letters, digits, ++ underscores, or periods. They may continue with all the aforementioned ++ characters, or dashes. Finally, they can end with a dollar sign. ++ ++ Fully numeric usernames and usernames containing only . or .. are ++ disallowed. It is not recommended to use usernames beginning ++ with . 
character as their home directories will be hidden in ++ the ls output. ++ ++ In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]? + + + Usernames may only be up to 32 characters long. diff --git a/SOURCES/shadow-4.6-manfix.patch b/SOURCES/shadow-4.6-manfix.patch new file mode 100644 index 0000000..80ae198 --- /dev/null +++ b/SOURCES/shadow-4.6-manfix.patch 
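Review bot: `numeric &= isdigit(*name);` in the new is_valid_name body relies on isdigit() returning the same non-zero value for every digit; the C standard only promises "non-zero", so on a libc where the values differ the bitwise AND can drop to 0 and a fully numeric name would be accepted, which is exactly the UID/name ambiguity this check is meant to rule out. Safer to normalise both assignments to booleans: `numeric = (isdigit (*name) != 0);` and `numeric &= (isdigit (*name) != 0);`. The header comment also states `{0,30}` for the repeated class, but no length is enforced in this function; if the limit lives in is_valid_user_name / is_valid_group_name (is_valid_user_name starts on the hunk's last context line and continues outside it), the comment should say so rather than imply the bounded regex is checked here. isdigit() needs `<ctype.h>`, which the hunk's context does not show — confirm it is already included in libmisc/chkname.c.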
@@ -0,0 +1,349 @@ +diff -up shadow-4.6/man/groupmems.8.xml.manfix shadow-4.6/man/groupmems.8.xml +--- shadow-4.6/man/groupmems.8.xml.manfix 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/man/groupmems.8.xml 2020-10-23 13:15:24.105387634 +0200 +@@ -179,20 +179,10 @@ + + SETUP + +- The groupmems executable should be in mode +- 2770 as user root and in group +- groups. The system administrator can add users to +- group groups to allow or disallow them using the +- groupmems utility to manage their own group +- membership list. ++ In this operating system the groupmems executable ++ is not setuid and regular users cannot use it to manipulate ++ the membership of their own group. + +- +- +- $ groupadd -r groups +- $ chmod 2770 groupmems +- $ chown root.groups groupmems +- $ groupmems -g groups -a gk4 +- + + + +diff -up shadow-4.6/man/chage.1.xml.manfix shadow-4.6/man/chage.1.xml +--- shadow-4.6/man/chage.1.xml.manfix 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/man/chage.1.xml 2020-10-23 13:15:24.105387634 +0200 +@@ -102,6 +102,9 @@ + Set the number of days since January 1st, 1970 when the password + was last changed. The date may also be expressed in the format + YYYY-MM-DD (or the format more commonly used in your area). ++ If the LAST_DAY is set to ++ 0 the user is forced to change his password ++ on the next log on. + + + +@@ -119,6 +122,13 @@ + system again. + + ++ For example the following can be used to set an account to expire ++ in 180 days: ++ ++ ++ chage -E $(date -d +180days +%Y-%m-%d) ++ ++ + Passing the number -1 as the + EXPIRE_DATE will remove an account + expiration date. +@@ -233,6 +243,18 @@ + The chage program requires a shadow password file to + be available. + ++ ++ The chage program will report only the information from the shadow ++ password file. This implies that configuration from other sources ++ (e.g. LDAP or empty password hash field from the passwd file) that ++ affect the user's login will not be shown in the chage output. 
++ ++ ++ The chage program will also not report any ++ inconsistency between the shadow and passwd files (e.g. missing x in ++ the passwd file). The pwck can be used to check ++ for this kind of inconsistencies. ++ + The chage command is restricted to the root + user, except for the option, which may be used by + an unprivileged user to determine when their password or account is due +diff -up shadow-4.6/man/ja/man5/login.defs.5.manfix shadow-4.6/man/ja/man5/login.defs.5 +--- shadow-4.6/man/ja/man5/login.defs.5.manfix 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/man/ja/man5/login.defs.5 2020-10-23 13:15:24.106387639 +0200 +@@ -147,10 +147,6 @@ 以下の参照表は、 + shadow パスワード機能のどのプログラムが + どのパラメータを使用するかを示したものである。 + .na +-.IP chfn 12 +-CHFN_AUTH CHFN_RESTRICT +-.IP chsh 12 +-CHFN_AUTH + .IP groupadd 12 + GID_MAX GID_MIN + .IP newusers 12 +diff -up shadow-4.6/man/login.defs.5.xml.manfix shadow-4.6/man/login.defs.5.xml +--- shadow-4.6/man/login.defs.5.xml.manfix 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/man/login.defs.5.xml 2020-10-23 13:15:43.280475188 +0200 +@@ -162,6 +162,27 @@ + long numeric parameters is machine-dependent. + + ++ ++ Please note that the parameters in this configuration file control the ++ behavior of the tools from the shadow-utils component. None of these ++ tools uses the PAM mechanism, and the utilities that use PAM (such as the ++ passwd command) should be configured elsewhere. The only values that ++ affect PAM modules are ENCRYPT_METHOD and SHA_CRYPT_MAX_ROUNDS ++ for pam_unix module, FAIL_DELAY for pam_faildelay module, ++ and UMASK for pam_umask module. Refer to ++ pam(8) for more information. ++ ++ ++ ++ Please also take into account that this man page is generic and some of ++ the options may be unsupported by currently installed tools. In case of ++ doubt check and ++ . For example see ++ login ++ 1 for login specific options such ++ as LOGIN_STRING. 
++ ++ + The following configuration items are provided: + + +@@ -252,16 +273,6 @@ + + + +- chfn +- +- +- CHFN_AUTH +- CHFN_RESTRICT +- LOGIN_STRING +- +- +- +- + chgpasswd + + +@@ -282,14 +293,6 @@ + + + +- +- chsh +- +- +- CHSH_AUTH LOGIN_STRING +- +- +- + + + +@@ -350,34 +353,6 @@ + + + +- +- login +- +- +- CONSOLE +- CONSOLE_GROUPS DEFAULT_HOME +- ENV_HZ ENV_PATH ENV_SUPATH +- ENV_TZ ENVIRON_FILE +- ERASECHAR FAIL_DELAY +- FAILLOG_ENAB +- FAKE_SHELL +- FTMP_FILE +- HUSHLOGIN_FILE +- ISSUE_FILE +- KILLCHAR +- LASTLOG_ENAB +- LOGIN_RETRIES +- LOGIN_STRING +- LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB +- MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE +- MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB +- QUOTAS_ENAB +- TTYGROUP TTYPERM TTYTYPE_FILE +- ULIMIT UMASK +- USERGROUPS_ENAB +- +- +- + + + newgrp / sg +@@ -405,17 +380,6 @@ + + + +- +- passwd +- +- +- ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB +- PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN +- SHA_CRYPT_MAX_ROUNDS +- SHA_CRYPT_MIN_ROUNDS +- +- +- + + pwck + +@@ -442,32 +406,6 @@ + + + +- +- su +- +- +- CONSOLE +- CONSOLE_GROUPS DEFAULT_HOME +- ENV_HZ ENVIRON_FILE +- ENV_PATH ENV_SUPATH +- ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB +- MAIL_DIR MAIL_FILE QUOTAS_ENAB +- SULOG_FILE SU_NAME +- SU_WHEEL_ONLY +- SYSLOG_SU_ENAB +- USERGROUPS_ENAB +- +- +- +- +- sulogin +- +- +- ENV_HZ +- ENV_TZ +- +- +- + + useradd + +diff -up shadow-4.6/man/shadow.5.xml.manfix shadow-4.6/man/shadow.5.xml +--- shadow-4.6/man/shadow.5.xml.manfix 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/man/shadow.5.xml 2020-10-23 13:15:24.106387639 +0200 +@@ -129,7 +129,7 @@ + + + The date of the last password change, expressed as the number +- of days since Jan 1, 1970. ++ of days since Jan 1, 1970 00:00 UTC. + + + The value 0 has a special meaning, which is that the user +@@ -208,8 +208,8 @@ + + + After expiration of the password and this expiration period is +- elapsed, no login is possible using the current user's +- password. 
The user should contact her administrator. ++ elapsed, no login is possible for the user. ++ The user should contact her administrator. + + + An empty field means that there are no enforcement of an +@@ -224,7 +224,7 @@ + + + The date of expiration of the account, expressed as the number +- of days since Jan 1, 1970. ++ of days since Jan 1, 1970 00:00 UTC. + + + Note that an account expiration differs from a password +diff -up shadow-4.6/man/useradd.8.xml.manfix shadow-4.6/man/useradd.8.xml +--- shadow-4.6/man/useradd.8.xml.manfix 2020-10-23 13:15:24.100387611 +0200 ++++ shadow-4.6/man/useradd.8.xml 2020-10-23 13:15:24.106387639 +0200 +@@ -347,6 +347,11 @@ + is not enabled, no home + directories are created. + ++ ++ The directory where the user's home directory is created must ++ exist and have proper SELinux context and permissions. Otherwise ++ the user's home directory cannot be created or accessed. ++ + + + +diff -up shadow-4.6/man/usermod.8.xml.manfix shadow-4.6/man/usermod.8.xml +--- shadow-4.6/man/usermod.8.xml.manfix 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/man/usermod.8.xml 2020-10-23 13:15:24.106387639 +0200 +@@ -132,7 +132,8 @@ + If the + option is given, the contents of the current home directory will + be moved to the new home directory, which is created if it does +- not already exist. ++ not already exist. If the current home directory does not exist ++ the new home directory will not be created. + + + +@@ -256,7 +257,8 @@ + + + Move the content of the user's home directory to the new +- location. ++ location. If the current home directory does not exist ++ the new home directory will not be created. 
+ + + This option is only valid in combination with the +diff -up shadow-4.6/man/login.defs.d/SUB_GID_COUNT.xml.manfix shadow-4.6/man/login.defs.d/SUB_GID_COUNT.xml +--- shadow-4.6/man/login.defs.d/SUB_GID_COUNT.xml.manfix 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/man/login.defs.d/SUB_GID_COUNT.xml 2020-10-23 13:15:24.106387639 +0200 +@@ -42,7 +42,7 @@ + + The default values for , + , +- are respectively 100000, 600100000 and 10000. ++ are respectively 100000, 600100000 and 65536. + + + +diff -up shadow-4.6/man/login.defs.d/SUB_UID_COUNT.xml.manfix shadow-4.6/man/login.defs.d/SUB_UID_COUNT.xml +--- shadow-4.6/man/login.defs.d/SUB_UID_COUNT.xml.manfix 2018-04-29 18:42:37.000000000 +0200 ++++ shadow-4.6/man/login.defs.d/SUB_UID_COUNT.xml 2020-10-23 13:15:24.106387639 +0200 +@@ -42,7 +42,7 @@ + + The default values for , + , +- are respectively 100000, 600100000 and 10000. ++ are respectively 100000, 600100000 and 65536. + + + +diff -up shadow-4.6/man/groupadd.8.xml.manfix shadow-4.6/man/groupadd.8.xml +--- shadow-4.6/man/groupadd.8.xml.manfix 2020-10-23 13:15:24.100387611 +0200 ++++ shadow-4.6/man/groupadd.8.xml 2020-10-23 13:15:24.106387639 +0200 +@@ -322,13 +322,13 @@ + + 4 + +- GID not unique (when not used) ++ GID is already used (when called without ) + + + + 9 + +- group name not unique ++ group name is already used + + + diff --git a/SOURCES/shadow-4.6-sssd-redirect-warning.patch b/SOURCES/shadow-4.6-sssd-redirect-warning.patch new file mode 100644 index 0000000..c452231 --- /dev/null +++ b/SOURCES/shadow-4.6-sssd-redirect-warning.patch 
@@ -0,0 +1,59 @@
+From 87257a49a1821d67870aa9760c71b6791583709c Mon Sep 17 00:00:00 2001
+From: ikerexxe
+Date: Fri, 2 Oct 2020 16:09:42 +0200
+Subject: [PATCH] lib/sssd: redirect warning message to file
+
+Instead of printing warning in stderr print it to file. This way the
+user is not spammed with unnecessary messages when updating packages.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1749001
+---
+ lib/sssd.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/lib/sssd.c b/lib/sssd.c
+index 80e49e55..f864ce68 100644
+--- a/lib/sssd.c
++++ b/lib/sssd.c
+@@ -11,7 +11,7 @@
+ #include "prototypes.h"
+ #include "sssd.h"
+
+-#define MSG_SSSD_FLUSH_CACHE_FAILED "%s: Failed to flush the sssd cache.\n"
++#define MSG_SSSD_FLUSH_CACHE_FAILED "%s: Failed to flush the sssd cache."
+
+ int sssd_flush_cache (int dbflags)
+ {
+@@ -46,24 +46,22 @@ int sssd_flush_cache (int dbflags)
+ free(sss_cache_args);
+ if (rv != 0) {
+ /* run_command writes its own more detailed message. */
+- (void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
++ SYSLOG ((LOG_WARN, MSG_SSSD_FLUSH_CACHE_FAILED, Prog));
+ return -1;
+ }
+
+ code = WEXITSTATUS (status);
+ if (!WIFEXITED (status)) {
+- (void) fprintf (stderr,
+- _("%s: sss_cache did not terminate normally (signal %d)\n"),
+- Prog, WTERMSIG (status));
++ SYSLOG ((LOG_WARN, "%s: sss_cache did not terminate normally (signal %d)",
++ Prog, WTERMSIG (status)));
+ return -1;
+ } else if (code == E_CMD_NOTFOUND) {
+ /* sss_cache is not installed, or it is installed but uses an
+ interpreter that is missing. Probably the former. */
+ return 0;
+ } else if (code != 0) {
+- (void) fprintf (stderr, _("%s: sss_cache exited with status %d\n"),
+- Prog, code);
+- (void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
++ SYSLOG ((LOG_WARN, "%s: sss_cache exited with status %d", Prog, code));
++ SYSLOG ((LOG_WARN, MSG_SSSD_FLUSH_CACHE_FAILED, Prog));
+ return -1;
+ }
+
+--
+2.26.2
+
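Review bot: The three stderr diagnostics in sssd_flush_cache are replaced by SYSLOG calls only, so an administrator running useradd/usermod interactively no longer sees that the sssd cache was not flushed and may act on stale NSS data; the function still returns -1, but whether its callers surface that is not visible in this hunk. `LOG_WARN` is not a <syslog.h> priority name (the standard one is `LOG_WARNING`), so this compiles only if shadow's own headers provide the alias, which the hunk's context does not show — confirm, or use `LOG_WARNING` directly. Dropping the `_()` wrappers is reasonable for syslog output but removes these strings from the translation catalog; a short comment at the first SYSLOG call, such as `/* Logged via syslog rather than stderr so package updates are not spammed (rhbz#1749001). */`, would keep the rationale in the code.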
diff --git a/SOURCES/shadow-utils.login.defs b/SOURCES/shadow-utils.login.defs index 0adfb66..12d516c 100644 --- a/SOURCES/shadow-utils.login.defs +++ b/SOURCES/shadow-utils.login.defs @@ -15,6 +15,20 @@ MAIL_DIR /var/spool/mail #MAIL_FILE .mail +# Default initial "umask" value used by login(1) on non-PAM enabled systems. +# Default "umask" value for pam_umask(8) on PAM enabled systems. +# UMASK is also used by useradd(8) and newusers(8) to set the mode for new +# home directories if HOME_MODE is not set. +# 022 is the default value, but 027, or even 077, could be considered +# for increased privacy. There is no One True Answer here: each sysadmin +# must make up their mind. +UMASK 022 + +# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new +# home directories. +# If HOME_MODE is not set, the value of UMASK is used to create the mode. +HOME_MODE 0700 + # Password aging controls: # # PASS_MAX_DAYS Maximum number of days a password may be used. @@ -59,10 +73,6 @@ SYS_GID_MAX 999 # CREATE_HOME yes -# The permission mask is initialized to this value. If not specified, -# the permission mask will be initialized to 022. -UMASK 077 - # This enables userdel to remove user groups if no members exist. # USERGROUPS_ENAB yes diff --git a/SPECS/shadow-utils.spec b/SPECS/shadow-utils.spec index 24e0573..a806a39 100644 --- a/SPECS/shadow-utils.spec +++ b/SPECS/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.6 -Release: 10%{?dist} +Release: 12%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz 
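Review bot: The default UMASK drops from 077 to 022 (this hunk adds `UMASK 022`, the second hunk of this file removes `UMASK 077`), so files users create under login(1) on non-PAM systems or via pam_umask(8) become world-readable by default, and the new comment only repeats the upstream text ("022 is the default value") without recording that this is a deliberate relaxation of the previous local setting. Home-directory privacy now rests on the new `HOME_MODE 0700` line rather than on the umask, which is worth stating next to UMASK so the two settings are not retuned independently later, e.g. `# Previously 077 in this distribution; new home directories stay private via HOME_MODE below (rhbz#1777718).`. Note also that `USERGROUPS_ENAB yes` remains in the second hunk's context, which per login.defs(5) further relaxes the group bits (022 -> 002) for non-root users whose primary group matches the user name — confirm that combination is intended.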
@@ -11,13 +11,13 @@ Source3: shadow-utils.login.defs Source4: shadow-bsd.txt Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt Patch0: shadow-4.6-redhat.patch -Patch1: shadow-4.5-goodname.patch +Patch1: shadow-4.6-goodname.patch Patch2: shadow-4.1.5.1-info-parent-dir.patch Patch6: shadow-4.6-selinux.patch Patch10: shadow-4.6-orig-context.patch Patch11: shadow-4.1.5.1-logmsg.patch Patch14: shadow-4.1.5.1-default-range.patch -Patch15: shadow-4.3.1-manfix.patch +Patch15: shadow-4.6-manfix.patch Patch17: shadow-4.1.5.1-userdel-helpfix.patch Patch19: shadow-4.2.1-date-parsing.patch Patch21: shadow-4.6-move-home.patch @@ -43,6 +43,8 @@ Patch42: shadow-4.6-regular-user.patch Patch43: shadow-4.6-home_mode-directive.patch # Upstreamed Patch44: shadow-4.6-check-local-groups.patch +# https://github.com/shadow-maint/shadow/commit/e84df9e163e133eb11a2728024ff3e3440592cf8 +Patch45: shadow-4.6-sssd-redirect-warning.patch License: BSD and GPLv2+ Group: System Environment/Base @@ -105,6 +107,7 @@ are used for managing group accounts. %patch42 -p1 -b .regular-user %patch43 -p1 -b .home_mode-directive %patch44 -p1 -b .check-local-groups +%patch45 -p1 -b .sssd-redirect-warning iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -259,6 +262,14 @@ done %{_mandir}/man8/vigr.8* %changelog +* Fri Oct 23 2020 Iker Pedrosa - 2:4.6-12 +- lib/sssd: redirect warning message to file (#1749001) +- useradd: clarify valid usernames/groupnames (#1869432) +- login.defs: link login specific information to its own package (#1804766) + +* Fri Aug 7 2020 Iker Pedrosa - 2:4.6-11 +- change UMASK value and add HOME_MODE in login.defs (#1777718) + * Tue May 5 2020 Iker Pedrosa - 2:4.6-10 - check only local groups when adding new supplementary groups to a user