author | Kevin Tian <kevin.tian@intel.com> | 2010-08-06 10:34:29 +0800 |
---|---|---|
committer | Richard Purdie <rpurdie@linux.intel.com> | 2010-08-13 13:36:02 +0100 |
commit | f6535ea12ab7f4d99adbe78919a7ed252175565f (patch) | |
tree | fcab0f6719ab5f17d1ce9fdd7ba0e376e418c2ac /meta-lsb | |
parent | 44d7c5678f52593d55c23f16d0da6c188734b026 (diff) | |
shadow: add new recipe 4.1.4.2
(borrow from OpenEmbedded with below tweaks)
Enhance login_defs_pam.sed according to shadow source, to ensure we don't
leave any unknown definitions in /etc/login.defs when pam is enabled
no need for --disable-account-tools-setuid which is detected upon pam
automatically, and no specific CFLAGS append
move shadow site options to generic site files
adjust indentation
RDEPENDS on a list of pam-plugins since they're separately packaged
test with both pam enabled and pam disabled. when pam is enabled, tried
some same tweak with desired effect.
Signed-off-by: Kevin Tian <kevin.tian@intel.com>
Diffstat (limited to 'meta-lsb')
16 files changed, 778 insertions, 0 deletions
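diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/login_defs_pam.sed b/meta-lsb/packages/shadow/shadow-4.1.4.2/login_defs_pam.sed
new file mode 100644
index 0000000000..0a1f3be4af
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/login_defs_pam.sed
@@ -0,0 +1,32 @@
+/^FAILLOG_ENAB/b comment
+/^LASTLOG_ENAB/b comment
+/^MAIL_CHECK_ENAB/b comment
+/^OBSCURE_CHECKS_ENAB/b comment
+/^PORTTIME_CHECKS_ENAB/b comment
+/^QUOTAS_ENAB/b comment
+/^MOTD_FILE/b comment
+/^FTMP_FILE/b comment
+/^NOLOGINS_FILE/b comment
+/^ENV_HZ/b comment
+/^ENV_TZ/b comment
+/^PASS_MIN_LEN/b comment
+/^SU_WHEEL_ONLY/b comment
+/^CRACKLIB_DICTPATH/b comment
+/^PASS_CHANGE_TRIES/b comment
+/^PASS_ALWAYS_WARN/b comment
+/^PASS_MAX_LEN/b comment
+/^PASS_MIN_LEN/b comment
+/^CHFN_AUTH/b comment
+/^CHSH_AUTH/b comment
+/^ISSUE_FILE/b comment
+/^LOGIN_STRING/b comment
+/^ULIMIT/b comment
+/^ENVIRON_FILE/b comment
+
+b exit
+
+: comment
+s:^:#:
+
+: exit
+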
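Review bot: `/^PASS_MIN_LEN/b comment` is listed twice (lines 12 and 18 of the new file); one of them can go. The script also has no header, and it comments out password-policy keys such as `PASS_MIN_LEN`, `PASS_MAX_LEN` and `OBSCURE_CHECKS_ENAB`, so on PAM images that policy exists only if `common-password` supplies it, and that file is not part of this commit. A first line such as `# Comment out login.defs keys that shadow does not use when built with PAM; the PAM stack in /etc/pam.d must supply the equivalent policy.` would make the dependency visible to whoever maintains the image.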
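diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/chfn b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/chfn
new file mode 100644
index 0000000000..baf7698bba
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/chfn
@@ -0,0 +1,14 @@
+#
+# The PAM configuration file for the Shadow `chfn' service
+#
+
+# This allows root to change user infomation without being
+# prompted for a password
+auth sufficient pam_rootok.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+auth include common-auth
+account include common-account
+session include common-session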
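diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/chpasswd b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/chpasswd
new file mode 100644
index 0000000000..9e3efa68ba
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/chpasswd
@@ -0,0 +1,4 @@
+# The PAM configuration file for the Shadow 'chpasswd' service
+#
+
+password include common-password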
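diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/chsh b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/chsh
new file mode 100644
index 0000000000..8fb169f64e
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/chsh
@@ -0,0 +1,19 @@
+#
+# The PAM configuration file for the Shadow `chsh' service
+#
+
+# This will not allow a user to change their shell unless
+# their current one is listed in /etc/shells. This keeps
+# accounts with special shells from changing them.
+auth required pam_shells.so
+
+# This allows root to change user shell without being
+# prompted for a password
+auth sufficient pam_rootok.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+auth include common-auth
+account include common-account
+session include common-session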
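diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/login b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/login
new file mode 100644
index 0000000000..e41eb04ec1
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/login
@@ -0,0 +1,91 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth optional pam_faildelay.so delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth required pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+# Note that it is included as a "requisite" module. No password prompts will
+# be displayed if this module fails to avoid having the root password
+# transmitted on unsecure ttys.
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root).
+auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth requisite pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without out this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+#
+# parsing /etc/environment needs "readenv=1"
+session required pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session required pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+auth include common-auth
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth optional pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account requisite pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account required pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session required pam_limits.so
+
+# Prints the last login info upon succesful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session optional pam_lastlog.so
+
+# Prints the motd upon succesful login
+# (Replaces the `MOTD_FILE' option in login.defs)
+session optional pam_motd.so
+
+# Prints the status of the user's mailbox upon succesful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session optional pam_mail.so standard
+
+# Standard Un*x account and session
+account include common-account
+password include common-password
+session include common-session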
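Review bot: The `pam_selinux.so close` session rule (line 34) has no matching `open` rule later in the file, no SELinux module is listed in `PAM_PLUGINS`, and the recipe configures `--without-selinux`, so the rule can only pass through its `module_unknown=ignore` action. That is harmless for the stack result, but it probably logs a module-load failure on each login and the comment above it reads as if SELinux handling were active. Either drop the rule for this distro or put a line above it such as `# Inactive here: the module is not installed, module_unknown=ignore skips it.`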
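diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/newusers b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/newusers
new file mode 100644
index 0000000000..4aa3dde48b
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/newusers
@@ -0,0 +1,4 @@
+# The PAM configuration file for the Shadow 'newusers' service
+#
+
+password include common-password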
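diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/passwd b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/passwd
new file mode 100644
index 0000000000..f534992435
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/passwd
@@ -0,0 +1,5 @@
+#
+# The PAM configuration file for the Shadow `passwd' service
+#
+
+password include common-password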
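diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/su b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/su
new file mode 100644
index 0000000000..8e35137f37
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/su
@@ -0,0 +1,60 @@
+#
+# The PAM configuration file for the Shadow `su' service
+#
+
+# This allows root to su without passwords (normal operation)
+auth sufficient pam_rootok.so
+
+# Uncomment this to force users to be a member of group root
+# before they can use `su'. You can also add "group=foo"
+# to the end of this line if you want to use a group other
+# than the default "root" (but this may have side effect of
+# denying "root" user, unless she's a member of "foo" or explicitly
+# permitted earlier by e.g. "sufficient pam_rootok.so").
+# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
+# auth required pam_wheel.so
+
+# Uncomment this if you want wheel members to be able to
+# su without a password.
+# auth sufficient pam_wheel.so trust
+
+# Uncomment this if you want members of a specific group to not
+# be allowed to use su at all.
+# auth required pam_wheel.so deny group=nosu
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on su usage.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account requisite pam_time.so
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+#
+# parsing /etc/environment needs "readenv=1"
+session required pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session required pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+#
+# "nopen" stands to avoid reporting new mail when su'ing to another user
+session optional pam_mail.so nopen
+
+# Sets up user limits, please uncomment and read /etc/security/limits.conf
+# to enable this functionality.
+# (Replaces the use of /etc/limits in old login)
+# session required pam_limits.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+auth include common-auth
+account include common-account
+session include common-session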
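diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/securetty b/meta-lsb/packages/shadow/shadow-4.1.4.2/securetty
new file mode 100644
index 0000000000..28fa0afb72
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/securetty
@@ -0,0 +1,206 @@
+# /etc/securetty: list of terminals on which root is allowed to login.
+# See securetty(5) and login(1).
+console
+
+# Standard serial ports
+ttyS0
+ttyS1
+ttyS2
+ttyS3
+
+# Samsung ARM SoCs
+ttySAC0
+ttySAC1
+ttySAC2
+ttySAC3
+
+# TI OMAP SoCs
+ttyO0
+ttyO1
+ttyO2
+ttyO3
+
+# USB dongles
+ttyUSB0
+ttyUSB1
+ttyUSB2
+
+# PowerMac
+ttyPZ0
+ttyPZ1
+ttyPZ2
+ttyPZ3
+
+# Embedded MPC platforms
+ttyPSC0
+ttyPSC1
+ttyPSC2
+ttyPSC3
+ttyPSC4
+ttyPSC5
+
+# PA-RISC mux ports
+ttyB0
+ttyB1
+
+# Standard hypervisor virtual console
+hvc0
+
+# Oldstyle Xen console
+xvc0
+
+# Standard consoles
+tty1
+tty2
+tty3
+tty4
+tty5
+tty6
+tty7
+tty8
+tty9
+tty10
+tty11
+tty12
+tty13
+tty14
+tty15
+tty16
+tty17
+tty18
+tty19
+tty20
+tty21
+tty22
+tty23
+tty24
+tty25
+tty26
+tty27
+tty28
+tty29
+tty30
+tty31
+tty32
+tty33
+tty34
+tty35
+tty36
+tty37
+tty38
+tty39
+tty40
+tty41
+tty42
+tty43
+tty44
+tty45
+tty46
+tty47
+tty48
+tty49
+tty50
+tty51
+tty52
+tty53
+tty54
+tty55
+tty56
+tty57
+tty58
+tty59
+tty60
+tty61
+tty62
+tty63
+
+# Local X displays (allows empty passwords with pam_unix's nullok_secure)
+:0
+:0.0
+:0.1
+:1
+:1.0
+:1.1
+:2
+:2.0
+:2.1
+:3
+:3.0
+:3.1
+
+# Embedded Freescale i.MX ports
+ttymxc0
+ttymxc1
+ttymxc2
+ttymxc3
+ttymxc4
+ttymxc5
+
+# Standard serial ports, with devfs
+tts/0
+tts/1
+
+# Standard consoles, with devfs
+vc/1
+vc/2
+vc/3
+vc/4
+vc/5
+vc/6
+vc/7
+vc/8
+vc/9
+vc/10
+vc/11
+vc/12
+vc/13
+vc/14
+vc/15
+vc/16
+vc/17
+vc/18
+vc/19
+vc/20
+vc/21
+vc/22
+vc/23
+vc/24
+vc/25
+vc/26
+vc/27
+vc/28
+vc/29
+vc/30
+vc/31
+vc/32
+vc/33
+vc/34
+vc/35
+vc/36
+vc/37
+vc/38
+vc/39
+vc/40
+vc/41
+vc/42
+vc/43
+vc/44
+vc/45
+vc/46
+vc/47
+vc/48
+vc/49
+vc/50
+vc/51
+vc/52
+vc/53
+vc/54
+vc/55
+vc/56
+vc/57
+vc/58
+vc/59
+vc/60
+vc/61
+vc/62
+vc/63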
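Review bot: This static list permits root authentication on far more terminals than any one machine has, including the hot-pluggable `ttyUSB0`–`ttyUSB2` and the X displays `:0`–`:3.1`, and it ships unchanged to every machine that installs the package. pam.d/login in this commit enforces the file through pam_securetty, so each entry is a place where a root password will be accepted; on a device with an exposed USB port the `ttyUSB*` entries extend that to whoever can plug in an adapter, provided a getty is started there. Since shadow.inc already appends the machine's `SERIAL_CONSOLE`, consider trimming the static part to `console` and the local virtual consoles. A header line such as `# Keep this list minimal: every entry is a terminal on which root may authenticate.` would state the intent.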
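diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.3-dots-in-usernames.patch b/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.3-dots-in-usernames.patch
new file mode 100644
index 0000000000..7a2ff2e24e
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.3-dots-in-usernames.patch
@@ -0,0 +1,23 @@
+# commit message copied from openembedded:
+# commit 246c80637b135f3a113d319b163422f98174ee6c
+# Author: Khem Raj <raj.khem@gmail.com>
+# Date: Wed Jun 9 13:37:03 2010 -0700
+#
+# shadow-4.1.4.2: Add patches to support dots in login id.
+#
+# Signed-off-by: Khem Raj <raj.khem@gmail.com>
+#
+# comment added by Kevin Tian <kevin.tian@intel.com>, 2010-08-11
+
+Index: shadow-4.1.4.2/libmisc/chkname.c
+===================================================================
+--- shadow-4.1.4.2.orig/libmisc/chkname.c 2009-04-28 12:14:04.000000000 -0700
++++ shadow-4.1.4.2/libmisc/chkname.c 2010-06-03 17:43:20.638973857 -0700
+@@ -61,6 +61,7 @@ static bool is_valid_name (const char *n
+( ('0' <= *name) && ('9' >= *name) ) ||
+('_' == *name) ||
+('-' == *name) ||
++ ('.' == *name) ||
+( ('$' == *name) && ('\0' == *(name + 1)) )
+)) {
+return false;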
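Review bot: Accepting `.` in is_valid_name() widens what every account tool will create, and the patch carries no note on the consequences. Names containing a dot can be misread by scripts and tools that still accept the legacy `owner.group` form, and the account name is commonly reused in home-directory and mail-spool paths. Only the test for later characters is visible; the first-character check is above the hunk, so I am assuming a leading dot is still rejected and that should be confirmed. If the function has a comment describing the accepted pattern, it needs the dot added, and the patch header could say `# Allows '.' in user and group names after the first character.`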
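diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-env-reset-keep-locale.patch b/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-env-reset-keep-locale.patch
new file mode 100644
index 0000000000..124065c7f9
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-env-reset-keep-locale.patch
@@ -0,0 +1,27 @@
+# commit message copied from openembedded:
+# commit 246c80637b135f3a113d319b163422f98174ee6c
+# Author: Khem Raj <raj.khem@gmail.com>
+# Date: Wed Jun 9 13:37:03 2010 -0700
+#
+# shadow-4.1.4.2: Add patches to support dots in login id.
+#
+# Signed-off-by: Khem Raj <raj.khem@gmail.com>
+#
+# comment added by Kevin Tian <kevin.tian@intel.com>, 2010-08-11
+
+http://bugs.gentoo.org/283725
+https://alioth.debian.org/tracker/index.php?func=detail&aid=311740&group_id=30580&atid=411480
+
+Index: shadow-4.1.4.2/libmisc/env.c
+===================================================================
+--- shadow-4.1.4.2.orig/libmisc/env.c 2009-04-27 13:07:56.000000000 -0700
++++ shadow-4.1.4.2/libmisc/env.c 2010-06-03 17:44:51.456408474 -0700
+@@ -251,7 +251,7 @@ void sanitize_env (void)
+if (strncmp (*cur, *bad, strlen (*bad)) != 0) {
+continue;
+}
+- if (strchr (*cur, '/') != NULL) {
++ if (strchr (*cur, '/') == NULL) {
+continue; /* OK */
+}
+for (move = cur; NULL != *move; move++) {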
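Review bot: The header comment on this patch is the "Add patches to support dots in login id" message copied from the OpenEmbedded commit and does not describe the change, which inverts the `strchr (*cur, '/')` test in sanitize_env() so that a matched variable is kept when its value has no slash. The same copied header sits on shadow-4.1.4.2-groupmod-pam-check.patch and shadow-4.1.4.2-su_no_sanitize_env.patch. This function decides which environment variables survive into privileged tools, so each patch deserves its own line, here for example `# sanitize_env: keep a locale variable unless its value contains '/'`. The loop the test belongs to starts above the hunk, so which variable list it walks is inferred from the file name rather than seen.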
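diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-groupmod-pam-check.patch b/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-groupmod-pam-check.patch
new file mode 100644
index 0000000000..6682fe8078
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-groupmod-pam-check.patch
@@ -0,0 +1,32 @@
+# commit message copied from openembedded:
+# commit 246c80637b135f3a113d319b163422f98174ee6c
+# Author: Khem Raj <raj.khem@gmail.com>
+# Date: Wed Jun 9 13:37:03 2010 -0700
+#
+# shadow-4.1.4.2: Add patches to support dots in login id.
+#
+# Signed-off-by: Khem Raj <raj.khem@gmail.com>
+#
+# comment added by Kevin Tian <kevin.tian@intel.com>, 2010-08-11
+
+http://bugs.gentoo.org/300790
+http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/2009-November/007850.html
+
+2009-11-05 Nicolas François <nicolas.francois@centraliens.net>
+
+* NEWS, src/groupmod.c: Fixed groupmod when configured with
+--enable-account-tools-setuid.
+
+Index: shadow-4.1.4.2/src/groupmod.c
+===================================================================
+--- shadow-4.1.4.2.orig/src/groupmod.c 2009-06-05 15:16:58.000000000 -0700
++++ shadow-4.1.4.2/src/groupmod.c 2010-06-03 17:45:43.828952613 -0700
+@@ -720,7 +720,7 @@ int main (int argc, char **argv)
+{
+struct passwd *pampw;
+pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */
+- if (NULL == pamh) {
++ if (NULL == pampw) {
+fprintf (stderr,
+_("%s: Cannot determine your user name.\n"),
+Prog);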
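diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-su_no_sanitize_env.patch b/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-su_no_sanitize_env.patch
new file mode 100644
index 0000000000..f67251c840
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-su_no_sanitize_env.patch
@@ -0,0 +1,27 @@
+# commit message copied from openembedded:
+# commit 246c80637b135f3a113d319b163422f98174ee6c
+# Author: Khem Raj <raj.khem@gmail.com>
+# Date: Wed Jun 9 13:37:03 2010 -0700
+#
+# shadow-4.1.4.2: Add patches to support dots in login id.
+#
+# Signed-off-by: Khem Raj <raj.khem@gmail.com>
+#
+# comment added by Kevin Tian <kevin.tian@intel.com>, 2010-08-11
+
+http://bugs.gentoo.org/show_bug.cgi?id=301957
+https://alioth.debian.org/scm/browser.php?group_id=30580
+
+Index: shadow-4.1.4.2/src/su.c
+===================================================================
+--- shadow-4.1.4.2.orig/src/su.c 2009-07-23 13:38:56.000000000 -0700
++++ shadow-4.1.4.2/src/su.c 2010-06-03 17:46:47.718944010 -0700
+@@ -378,7 +378,7 @@ int main (int argc, char **argv)
+#endif
+#endif /* !USE_PAM */
+
+- sanitize_env ();
++ /* sanitize_env (); */
+
+(void) setlocale (LC_ALL, "");
+(void) bindtextdomain (PACKAGE, LOCALEDIR);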
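Review bot: Commenting out `sanitize_env ();` in su's main() removes the environment scrub from a program that is normally installed setuid root, and neither the patch nor its copied header says what takes over that job. The call sits after `#endif /* !USE_PAM */`, so it is dropped in both builds, and the recipe applies the patch whether or not `pam` is in DISTRO_FEATURES. If the intent is to let the PAM stack (pam_env in pam.d/su) own the environment, keep the call for the non-PAM build with `#ifndef USE_PAM` / `sanitize_env ();` / `#endif`, and record the reason next to the Gentoo bug link in the header. main() starts and ends outside the hunk, so whether the environment is reset later on cannot be seen here.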
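diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow.automake-1.11.patch b/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow.automake-1.11.patch
new file mode 100644
index 0000000000..36d7be6fd0
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow.automake-1.11.patch
@@ -0,0 +1,102 @@
+# patch is from openembedded:
+# commit 2db61370333f7a2fc1dbb86385734883387e0217
+# Author: Martin Jansa <Martin.Jansa@gmail.com>
+# Date: Fri Apr 2 07:34:46 2010 +0200
+#
+# shadow: fix do_install with automake-1.11
+#
+# Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+#
+# comment added by Kevin Tian <kevin.tian@intel.com>
+
+man_nopan is for !USE_PAM already included in man_MANS and automake-1.11 hates to install some file twice
+
+diff -uNr shadow-4.1.4.2.orig/man/Makefile.am shadow-4.1.4.2/man/Makefile.am
+--- shadow-4.1.4.2.orig/man/Makefile.am 2009-03-14 15:40:10.000000000 +0100
++++ shadow-4.1.4.2/man/Makefile.am 2010-04-02 07:31:17.000000000 +0200
+@@ -163,7 +163,6 @@
+$(man_MANS) \
+$(man_XMANS) \
+$(addprefix login.defs.d/,$(login_defs_v)) \
+- $(man_nopam) \
+id.1 \
+id.1.xml \
+sulogin.8 \
+diff -uNr shadow-4.1.4.2.orig/man/fr/Makefile.am shadow-4.1.4.2/man/fr/Makefile.am
+--- shadow-4.1.4.2.orig/man/fr/Makefile.am 2008-09-06 18:44:45.000000000 +0200
++++ shadow-4.1.4.2/man/fr/Makefile.am 2010-04-02 07:42:11.000000000 +0200
+@@ -52,7 +52,6 @@
+
+EXTRA_DIST = \
+$(man_MANS) \
+- $(man_nopam) \
+id.1
+
+include ../generate_translations.mak
+diff -uNr shadow-4.1.4.2.orig/man/it/Makefile.am shadow-4.1.4.2/man/it/Makefile.am
+--- shadow-4.1.4.2.orig/man/it/Makefile.am 2008-09-06 18:44:45.000000000 +0200
++++ shadow-4.1.4.2/man/it/Makefile.am 2010-04-02 07:42:20.000000000 +0200
+@@ -46,7 +46,6 @@
+
+EXTRA_DIST = \
+$(man_MANS) \
+- $(man_nopam) \
+id.1 \
+logoutd.8
+
+diff -uNr shadow-4.1.4.2.orig/man/ja/Makefile.am shadow-4.1.4.2/man/ja/Makefile.am
+--- shadow-4.1.4.2.orig/man/ja/Makefile.am 2007-12-31 17:48:28.000000000 +0100
++++ shadow-4.1.4.2/man/ja/Makefile.am 2010-04-02 07:42:17.000000000 +0200
+@@ -49,7 +49,6 @@
+
+EXTRA_DIST = \
+$(man_MANS) \
+- $(man_nopam) \
+id.1 \
+shadow.3 \
+sulogin.8
+diff -uNr shadow-4.1.4.2.orig/man/pl/Makefile.am shadow-4.1.4.2/man/pl/Makefile.am
+--- shadow-4.1.4.2.orig/man/pl/Makefile.am 2008-09-06 18:44:45.000000000 +0200
++++ shadow-4.1.4.2/man/pl/Makefile.am 2010-04-02 07:42:07.000000000 +0200
+@@ -49,7 +49,6 @@
+
+EXTRA_DIST = \
+$(man_MANS) \
+- $(man_nopam) \
+getspnam.3 \
+id.1 \
+shadow.3 \
+diff -uNr shadow-4.1.4.2.orig/man/ru/Makefile.am shadow-4.1.4.2/man/ru/Makefile.am
+--- shadow-4.1.4.2.orig/man/ru/Makefile.am 2010-04-02 07:39:00.000000000 +0200
++++ shadow-4.1.4.2/man/ru/Makefile.am 2010-04-02 07:42:01.000000000 +0200
+@@ -54,7 +54,6 @@
+
+EXTRA_DIST = \
+$(man_MANS) \
+- $(man_nopam) \
+id.1 \
+sulogin.8
+
+diff -uNr shadow-4.1.4.2.orig/man/sv/Makefile.am shadow-4.1.4.2/man/sv/Makefile.am
+--- shadow-4.1.4.2.orig/man/sv/Makefile.am 2008-09-06 18:44:45.000000000 +0200
++++ shadow-4.1.4.2/man/sv/Makefile.am 2010-04-02 07:42:24.000000000 +0200
+@@ -53,8 +53,7 @@
+endif
+
+EXTRA_DIST = \
+- $(man_MANS) \
+- $(man_nopam)
++ $(man_MANS)
+
+include ../generate_translations.mak
+
+--- shadow-4.1.4.2.orig/man/ru/Makefile.am 2010-04-02 07:54:09.000000000 +0200
++++ shadow-4.1.4.2/man/ru/Makefile.am 2010-04-02 07:51:57.000000000 +0200
+@@ -1,7 +1,6 @@
+mandir = @mandir@/ru
+
+man_MANS = \
+- $(man_nopam) \
+chage.1 \
+chfn.1 \
+chgpasswd.8 \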
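diff --git a/meta-lsb/packages/shadow/shadow.inc b/meta-lsb/packages/shadow/shadow.inc
new file mode 100644
index 0000000000..fcbcb3eb75
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow.inc
@@ -0,0 +1,121 @@
+DESCRIPTION = "Tools to change and administer password and group data."
+HOMEPAGE = "http://pkg-shadow.alioth.debian.org/"
+BUGTRACKER = "https://alioth.debian.org/tracker/?group_id=30580"
+SECTION = "base utils"
+LICENSE = "BSD | Artistic"
+LIC_FILES_CHKSUM = "file://COPYING;md5=08c553a87d4e51bbed50b20e0adcaede \
+file://src/passwd.c;firstline=8;endline=30;md5=2899a045e90511d0e043b85a7db7e2fe"
+
+PAM_PLUGINS = " libpam-runtime \
+pam-plugin-faildelay \
+pam-plugin-securetty \
+pam-plugin-nologin \
+pam-plugin-env \
+pam-plugin-group \
+pam-plugin-limits \
+pam-plugin-lastlog \
+pam-plugin-motd \
+pam-plugin-mail \
+pam-plugin-shells \
+pam-plugin-rootok"
+
+DEPENDS = "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
+RDEPENDS = "${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_PLUGINS}', '', d)}"
+
+# since we deduce from ${SERIAL_CONSOLE}
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+# Additional Policy files for PAM
+PAM_SRC_URI = "file://pam.d/chfn \
+file://pam.d/chpasswd \
+file://pam.d/chsh \
+file://pam.d/login \
+file://pam.d/newusers \
+file://pam.d/passwd \
+file://pam.d/su"
+
+SRC_URI = "ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-${PV}.tar.bz2 \
+file://login_defs_pam.sed \
+${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
+file://securetty"
+
+inherit autotools gettext
+
+EXTRA_OECONF += "--without-audit \
+--without-libcrack \
+${@base_contains('DISTRO_FEATURES', 'pam', '--with-libpam', '--without-libpam', d)} \
+--without-selinux"
+
+do_install_append() {
+# Ensure that the image has as /var/spool/mail dir so shadow can put mailboxes there if the user
+# reconfigures Shadow to default (see sed below).
+install -d ${D}${localstatedir}/spool/mail
+
+if [ -e ${WORKDIR}/pam.d ]; then
+install -d ${D}${sysconfdir}/pam.d/
+install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/
+# Remove defaults that are not used when supporting PAM
+sed -i -f ${WORKDIR}/login_defs_pam.sed ${D}${sysconfdir}/login.defs
+fi
+
+# Enable CREATE_HOME by default.
+sed -i 's/#CREATE_HOME/CREATE_HOME/g' ${D}${sysconfdir}/login.defs
+
+# As we are on an embedded system ensure the users mailbox is in ~/ not
+# /var/spool/mail by default as who knows where or how big /var is.
+# The system MDA will set this later anyway.
+sed -i 's/MAIL_DIR/#MAIL_DIR/g' ${D}${sysconfdir}/login.defs
+sed -i 's/#MAIL_FILE/MAIL_FILE/g' ${D}${sysconfdir}/login.defs
+
+# disable checking emails at all
+sed -i 's/MAIL_CHECK_ENAB/#MAIL_CHECK_ENAB/g' ${D}${sysconfdir}/login.defs
+
+# now we don't have a mail system. disable mail creation for now
+sed -i 's:/bin/bash:/bin/sh:g' ${D}${sysconfdir}/default/useradd
+sed -i '/^CREATE_MAIL_SPOOL/ s:^:#:' ${D}${sysconfdir}/default/useradd
+
+install -d ${D}${sbindir} ${D}${base_sbindir} ${D}${base_bindir}
+for i in passwd chfn newgrp chsh ; do
+mv ${D}${bindir}/$i ${D}${bindir}/$i.${PN}
+done
+
+mv ${D}${sbindir}/chpasswd ${D}${sbindir}/chpasswd.${PN}
+mv ${D}${sbindir}/vigr ${D}${base_sbindir}/vigr.${PN}
+mv ${D}${sbindir}/vipw ${D}${base_sbindir}/vipw.${PN}
+mv ${D}${bindir}/login ${D}${base_bindir}/login.${PN}
+
+# Ensure we add a suitable securetty file to the package that has most common embedded TTYs defined.
+if [ ! -z "${SERIAL_CONSOLE}" ]; then
+# our SERIAL_CONSOLE contains baud rate too and sometime -L option as well.
+# the following pearl :) takes that and converts it into newline sepated tty's and appends
+# them into securetty. So if a machine has a weird looking console device node (e.g. ttyAMA0) that securetty
+# does not know then it will get appended to securetty and root login will be allowed on
+# that console.
+echo "${SERIAL_CONSOLE}" | sed -e 's/[0-9][0-9]\|\-L//g'|tr "[ ]" "[\n]" >> ${WORKDIR}/securetty
+fi
+install -m 0400 ${WORKDIR}/securetty ${D}${sysconfdir}/securetty
+}
+
+pkg_postinst_${PN} () {
+update-alternatives --install ${bindir}/passwd passwd passwd.${PN} 200
+update-alternatives --install ${sbindir}/chpasswd chpasswd chpasswd.${PN} 200
+update-alternatives --install ${bindir}/chfn chfn chfn.${PN} 200
+update-alternatives --install ${bindir}/newgrp newgrp newgrp.${PN} 200
+update-alternatives --install ${bindir}/chsh chsh chsh.${PN} 200
+update-alternatives --install ${base_bindir}/login login login.${PN} 200
+update-alternatives --install ${base_sbindir}/vipw vipw vipw.${PN} 200
+update-alternatives --install ${base_sbindir}/vigr vigr vigr.${PN} 200
+
+if [ "x$D" != "x" ]; then
+exit 1
+fi
+
+pwconv
+grpconv
+}
+
+pkg_prerm_${PN} () {
+for i in passwd chpasswd chfn newgrp chsh login vipw vigr ; do
+update-alternatives --remove $i $i.${PN}
+done
+}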
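Review bot: The securetty generation near the end of do_install_append() can write wrong entries into the list of terminals where root may log in. `sed -e 's/[0-9][0-9]\|\-L//g'` deletes digit pairs anywhere, so a five-digit baud rate such as 38400 leaves a stray `0` line and a device name with two adjacent digits (constructed example: `ttyS10`) is cut to `ttyS`; the result is also appended to `${WORKDIR}/securetty`, so a re-run of do_install without a fresh unpack appends the entries again. I would install the file into `${D}` first and append only the tokens that are neither numbers nor options, e.g. `for t in ${SERIAL_CONSOLE}; do case "$t" in -*|[0-9]*) ;; *) echo "$t" ;; esac; done >> ${D}${sysconfdir}/securetty`, then set mode 0400. The comment `# now we don't have a mail system. disable mail creation for now` also sits above the `/bin/bash` to `/bin/sh` substitution, which it does not describe.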
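diff --git a/meta-lsb/packages/shadow/shadow_4.1.4.2.bb b/meta-lsb/packages/shadow/shadow_4.1.4.2.bb
new file mode 100644
index 0000000000..bc00c099bf
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow_4.1.4.2.bb
@@ -0,0 +1,11 @@
+require shadow.inc
+
+PR = "r0"
+
+SRC_URI += "file://shadow.automake-1.11.patch \
+file://shadow-4.1.3-dots-in-usernames.patch \
+file://shadow-4.1.4.2-env-reset-keep-locale.patch \
+file://shadow-4.1.4.2-groupmod-pam-check.patch \
+file://shadow-4.1.4.2-su_no_sanitize_env.patch"
+
+EXTRA_OECONF_libc-uclibc += " --with-nscd=no "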
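Review bot: No checksum for the `shadow-${PV}.tar.bz2` tarball is visible in this recipe or in shadow.inc, and shadow.inc fetches it over `ftp://`, which gives no integrity protection in transit. This package provides login, su and passwd, so a silently altered tarball would land in the authentication path of every image. If the checksum is not recorded elsewhere in the tree (this page is limited to meta-lsb), add `SRC_URI[md5sum] = "<md5 of the verified tarball>"` and `SRC_URI[sha256sum] = "<sha256 of the verified tarball>"` next to the version-specific `SRC_URI +=` here.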