Diffstat (limited to 'meta/recipes-extended/shadow')
25 files changed, 1773 insertions, 0 deletions
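--- /dev/null
+++ b/meta/recipes-extended/shadow/files/0001-Do-not-read-login.defs-before-doing-chroot.patch
@@ -0,0 +1,46 @@
+From 170c25c8e0b5c3dc2615d1db94c8d24a13ff99bf Mon Sep 17 00:00:00 2001
+From: Peter Kjellerstedt <pkj@axis.com>
+Date: Thu, 11 Sep 2014 15:11:23 +0200
+Subject: [PATCH] Do not read login.defs before doing chroot()
+
+If "useradd --root <root> ..." was used, the login.defs file would still
+be read from /etc/login.defs instead of <root>/etc/login.defs. This was
+due to getdef_ulong() being called before process_root_flag().
+
+Upstream-Status: Submitted [http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/2014-September/010446.html]
+
+Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
+---
+src/useradd.c | 8 ++++++--
+1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index a8a1f76..e1ebf50 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -1993,9 +1993,11 @@ int main (int argc, char **argv)
+#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
+
++#ifdef ENABLE_SUBIDS
+/* Needed for userns check */
+- uid_t uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
+- uid_t uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
++ uid_t uid_min;
++ uid_t uid_max;
++#endif
+
+/*
+* Get my name so that I can use it to report errors.
+@@ -2026,6 +2028,8 @@ int main (int argc, char **argv)
+is_shadow_grp = sgr_file_present ();
+#endif
+#ifdef ENABLE_SUBIDS
++ uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
++ uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
+is_sub_uid = sub_uid_file_present () && !rflg &&
+(!user_id || (user_id <= uid_max && user_id >= uid_min));
+is_sub_gid = sub_gid_file_present () && !rflg &&
+--
+1.9.0
+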
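Review bot: The deferred `getdef_ulong ("UID_MIN", 1000UL)` / `getdef_ulong ("UID_MAX", 60000UL)` assignments in the second hunk carry no comment saying why they sit this far down, so a later tidy-up could fold them back into the declarations and silently return to reading the host's /etc/login.defs for a `--root` target. I would record the reason at the assignment, e.g. `/* Read UID_MIN/UID_MAX only here: login.defs must not be parsed before process_root_flag() has done the chroot(). */`. The `(uid_t)` cast also narrows an unsigned long taken from a configuration file without a range check; that predates this change, but where uid_t is narrower than unsigned long an oversized value would wrap rather than be rejected. main() starts and ends outside both hunks, so the position of process_root_flag() relative to these lines is taken from the patch description, not from the visible code.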
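--- /dev/null
+++ b/meta/recipes-extended/shadow/files/0001-su.c-fix-to-exec-command-correctly.patch
@@ -0,0 +1,25 @@
+Upstream-Status: Pending
+
+Subject: su.c: fix to exec command correctly
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+src/su.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/su.c b/src/su.c
+index 3704217..bc4f2ac 100644
+--- a/src/su.c
++++ b/src/su.c
+@@ -1156,7 +1156,7 @@ int main (int argc, char **argv)
+* Use the shell and create an argv
+* with the rest of the command line included.
+*/
+- argv[-1] = cp;
++ argv[-1] = shellstr;
+execve_shell (shellstr, &argv[-1], environ);
+err = errno;
+(void) fprintf (stderr,
+--
+1.7.9.5
+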
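Review bot: Replacing `cp` with `shellstr` in `argv[-1]` changes what the executed shell sees as its argv[0], and neither the code nor the patch description says which failure this corrects. If `cp` is the display name computed earlier in main() (for a login-style `su -` presumably a '-'-prefixed name; its assignment is outside this hunk), then a `su - user -c cmd` invocation would no longer start the shell as a login shell, which changes the startup files and environment the command runs with; this is worth confirming before the patch goes upstream. A comment above the assignment should record the intent, e.g. `/* args[0] must be the real shell path here; cp is only the display name */`, if that is indeed the reason. The write to `argv[-1]` also relies on earlier option handling having left a slot in front of argv, which is not visible in the hunk.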
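--- /dev/null
+++ b/meta/recipes-extended/shadow/files/0001-useradd.c-create-parent-directories-when-necessary.patch
@@ -0,0 +1,109 @@
+Upstream-Status: Inappropriate [OE specific]
+
+Subject: useradd.c: create parent directories when necessary
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+src/useradd.c | 72 +++++++++++++++++++++++++++++++++++++++------------------
+1 file changed, 49 insertions(+), 23 deletions(-)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index 4bd969d..cb5dd6c 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -1893,6 +1893,35 @@ static void usr_update (void)
+}
+
+/*
++ * mkdir_p - create directories, including parent directories when needed
++ *
++ * similar to `mkdir -p'
++ */
++void mkdir_p(const char *path) {
++ int len = strlen(path);
++ char newdir[len + 1];
++ mode_t mode = 0755;
++ int i = 0;
++
++ if (path[i] == '\0') {
++ return;
++ }
++
++ /* skip the leading '/' */
++ i++;
++
++ while(path[i] != '\0') {
++ if (path[i] == '/') {
++ strncpy(newdir, path, i);
++ newdir[i] = '\0';
++ mkdir(newdir, mode);
++ }
++ i++;
++ }
++ mkdir(path, mode);
++}
++
++/*
+* create_home - create the user's home directory
+*
+* create_home() creates the user's home directory if it does not
+@@ -1907,36 +1936,33 @@ static void create_home (void)
+fail_exit (E_HOMEDIR);
+}
+#endif
+- /* XXX - create missing parent directories. --marekm */
+- if (mkdir (user_home, 0) != 0) {
+- fprintf (stderr,
+- _("%s: cannot create directory %s\n"),
+- Prog, user_home);
+-#ifdef WITH_AUDIT
+- audit_logger (AUDIT_ADD_USER, Prog,
+- "adding home directory",
+- user_name, (unsigned int) user_id,
+- SHADOW_AUDIT_FAILURE);
+-#endif
+- fail_exit (E_HOMEDIR);
+- }
+- chown (user_home, user_id, user_gid);
+- chmod (user_home,
+- 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
+- home_added = true;
++ mkdir_p(user_home);
++ }
++ if (access (user_home, F_OK) != 0) {
+#ifdef WITH_AUDIT
+audit_logger (AUDIT_ADD_USER, Prog,
+"adding home directory",
+user_name, (unsigned int) user_id,
+- SHADOW_AUDIT_SUCCESS);
++ SHADOW_AUDIT_FAILURE);
+#endif
+-#ifdef WITH_SELINUX
+- /* Reset SELinux to create files with default contexts */
+- if (reset_selinux_file_context () != 0) {
+- fail_exit (E_HOMEDIR);
+- }
++ fail_exit (E_HOMEDIR);
++ }
++ chown (user_home, user_id, user_gid);
++ chmod (user_home,
++ 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
++ home_added = true;
++#ifdef WITH_AUDIT
++ audit_logger (AUDIT_ADD_USER, Prog,
++ "adding home directory",
++ user_name, (unsigned int) user_id,
++ SHADOW_AUDIT_SUCCESS);
+#endif
++#ifdef WITH_SELINUX
++ /* Reset SELinux to create files with default contexts */
++ if (reset_selinux_file_context () != 0) {
++ fail_exit (E_HOMEDIR);
+}
++#endif
+}
+
+/*
+--
+1.7.9.5
+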
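Review bot: In the rewritten create_home(), `chown`, `chmod` and `home_added = true` now follow the closing brace that the patch adds right after `mkdir_p(user_home);`, so they also run when the path already existed; a pre-existing directory (or whatever the path resolves to) is handed to the new user and marked as added by this run, where the old code touched only a directory it had just created. The second `access (user_home, F_OK)` test only proves that something exists at the path, and the `cannot create directory` message on stderr is gone, so a failed mkdir_p() surfaces through the audit record and exit code alone. mkdir_p() itself ignores every `mkdir()` result, sizes a stack VLA from the caller-supplied path length, and is not declared `static`. I would keep the ownership change and `home_added` inside the creation branch and restore the error message, as sketched below; create_home() and the opening of that branch begin above the hunk.

```c
/* … unchanged: start of the branch entered when user_home does not exist, SELinux context setup … */
		mkdir_p (user_home);
		if (access (user_home, F_OK) != 0) {
			fprintf (stderr,
			         _("%s: cannot create directory %s\n"),
			         Prog, user_home);
			/* … unchanged: audit_logger failure record … */
			fail_exit (E_HOMEDIR);
		}
		/* Re-own and track only a directory that this run created. */
		chown (user_home, user_id, user_gid);
		chmod (user_home,
		       0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
		home_added = true;
/* … unchanged: audit_logger success record, SELinux reset … */
	}	/* end of the "does not exist" branch, moved down from after mkdir_p() */
```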
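--- /dev/null
+++ b/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch
@@ -0,0 +1,201 @@
+Upstream-Status: Inappropriate [OE specific]
+
+Allow for setting password in clear text.
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+src/Makefile.am | 8 ++++----
+src/groupadd.c | 8 +++++++-
+src/groupmod.c | 8 +++++++-
+src/useradd.c | 9 +++++++--
+src/usermod.c | 8 +++++++-
+5 files changed, 32 insertions(+), 9 deletions(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 25e288d..856b087 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -88,10 +88,10 @@ chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
+chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
+chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
+gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
+-groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
++groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
+groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+groupmems_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX)
+-groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
++groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
+grpck_LDADD = $(LDADD) $(LIBSELINUX)
+grpconv_LDADD = $(LDADD) $(LIBSELINUX)
+grpunconv_LDADD = $(LDADD) $(LIBSELINUX)
+@@ -111,9 +111,9 @@ su_SOURCES = \
+suauth.c
+su_LDADD = $(LDADD) $(LIBPAM) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
+sulogin_LDADD = $(LDADD) $(LIBCRYPT)
+-useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR)
++useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBCRYPT)
+userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE)
+-usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR)
++usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBCRYPT)
+vipw_LDADD = $(LDADD) $(LIBSELINUX)
+
+install-am: all-am
+diff --git a/src/groupadd.c b/src/groupadd.c
+index f716f57..4e28c26 100644
+--- a/src/groupadd.c
++++ b/src/groupadd.c
+@@ -124,6 +124,7 @@ static /*@noreturn@*/void usage (int status)
+(void) fputs (_(" -o, --non-unique allow to create groups with duplicate\n"
+" (non-unique) GID\n"), usageout);
+(void) fputs (_(" -p, --password PASSWORD use this encrypted password for the new group\n"), usageout);
++ (void) fputs (_(" -P, --clear-password PASSWORD use this clear password for the new group\n"), usageout);
+(void) fputs (_(" -r, --system create a system account\n"), usageout);
+(void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
+(void) fputs ("\n", usageout);
+@@ -387,12 +388,13 @@ static void process_flags (int argc, char **argv)
+{"key", required_argument, NULL, 'K'},
+{"non-unique", no_argument, NULL, 'o'},
+{"password", required_argument, NULL, 'p'},
++ {"clear-password", required_argument, NULL, 'P'},
+{"system", no_argument, NULL, 'r'},
+{"root", required_argument, NULL, 'R'},
+{NULL, 0, NULL, '\0'}
+};
+
+- while ((c = getopt_long (argc, argv, "fg:hK:op:rR:",
++ while ((c = getopt_long (argc, argv, "fg:hK:op:P:rR:",
+long_options, NULL)) != -1) {
+switch (c) {
+case 'f':
+@@ -444,6 +446,10 @@ static void process_flags (int argc, char **argv)
+pflg = true;
+group_passwd = optarg;
+break;
++ case 'P':
++ pflg = true;
++ group_passwd = pw_encrypt (optarg, crypt_make_salt (NULL, NULL));
++ break;
+case 'r':
+rflg = true;
+break;
+diff --git a/src/groupmod.c b/src/groupmod.c
+index d9d3807..68f49d1 100644
+--- a/src/groupmod.c
++++ b/src/groupmod.c
+@@ -127,6 +127,7 @@ static void usage (int status)
+(void) fputs (_(" -o, --non-unique allow to use a duplicate (non-unique) GID\n"), usageout);
+(void) fputs (_(" -p, --password PASSWORD change the password to this (encrypted)\n"
+" PASSWORD\n"), usageout);
++ (void) fputs (_(" -P, --clear-password PASSWORD change the password to this clear PASSWORD\n"), usageout);
+(void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
+(void) fputs ("\n", usageout);
+exit (status);
+@@ -375,10 +376,11 @@ static void process_flags (int argc, char **argv)
+{"new-name", required_argument, NULL, 'n'},
+{"non-unique", no_argument, NULL, 'o'},
+{"password", required_argument, NULL, 'p'},
++ {"clear-password", required_argument, NULL, 'P'},
+{"root", required_argument, NULL, 'R'},
+{NULL, 0, NULL, '\0'}
+};
+- while ((c = getopt_long (argc, argv, "g:hn:op:R:",
++ while ((c = getopt_long (argc, argv, "g:hn:op:P:R:",
+long_options, NULL)) != -1) {
+switch (c) {
+case 'g':
+@@ -405,6 +407,10 @@ static void process_flags (int argc, char **argv)
+group_passwd = optarg;
+pflg = true;
+break;
++ case 'P':
++ group_passwd = pw_encrypt (optarg, crypt_make_salt (NULL, NULL));
++ pflg = true;
++ break;
+case 'R': /* no-op, handled in process_root_flag () */
+break;
+default:
+diff --git a/src/useradd.c b/src/useradd.c
+index b3bd451..4416f90 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -773,6 +773,7 @@ static void usage (int status)
+(void) fputs (_(" -o, --non-unique allow to create users with duplicate\n"
+" (non-unique) UID\n"), usageout);
+(void) fputs (_(" -p, --password PASSWORD encrypted password of the new account\n"), usageout);
++ (void) fputs (_(" -P, --clear-password PASSWORD clear password of the new account\n"), usageout);
+(void) fputs (_(" -r, --system create a system account\n"), usageout);
+(void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
+(void) fputs (_(" -s, --shell SHELL login shell of the new account\n"), usageout);
+@@ -1047,6 +1048,7 @@ static void process_flags (int argc, char **argv)
+{"no-user-group", no_argument, NULL, 'N'},
+{"non-unique", no_argument, NULL, 'o'},
+{"password", required_argument, NULL, 'p'},
++ {"clear-password", required_argument, NULL, 'P'},
+{"system", no_argument, NULL, 'r'},
+{"root", required_argument, NULL, 'R'},
+{"shell", required_argument, NULL, 's'},
+@@ -1059,9 +1061,9 @@ static void process_flags (int argc, char **argv)
+};
+while ((c = getopt_long (argc, argv,
+#ifdef WITH_SELINUX
+- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:UZ:",
++ "b:c:d:De:f:g:G:hk:K:lmMNop:P:rR:s:u:UZ:",
+#else /* !WITH_SELINUX */
+- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:U",
++ "b:c:d:De:f:g:G:hk:K:lmMNop:P:rR:s:u:U",
+#endif /* !WITH_SELINUX */
+long_options, NULL)) != -1) {
+switch (c) {
+@@ -1227,6 +1229,9 @@ static void process_flags (int argc, char **argv)
+}
+user_pass = optarg;
+break;
++ case 'P': /* set clear text password */
++ user_pass = pw_encrypt (optarg, crypt_make_salt (NULL, NULL));
++ break;
+case 'r':
+rflg = true;
+break;
+diff --git a/src/usermod.c b/src/usermod.c
+index e7d4351..b79f7a3 100644
+--- a/src/usermod.c
++++ b/src/usermod.c
+@@ -419,6 +419,7 @@ static /*@noreturn@*/void usage (int status)
+" new location (use only with -d)\n"), usageout);
+(void) fputs (_(" -o, --non-unique allow using duplicate (non-unique) UID\n"), usageout);
+(void) fputs (_(" -p, --password PASSWORD use encrypted password for the new password\n"), usageout);
++ (void) fputs (_(" -P, --clear-password PASSWORD use clear password for the new password\n"), usageout);
+(void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
+(void) fputs (_(" -s, --shell SHELL new login shell for the user account\n"), usageout);
+(void) fputs (_(" -u, --uid UID new UID for the user account\n"), usageout);
+@@ -996,6 +997,7 @@ static void process_flags (int argc, char **argv)
+{"move-home", no_argument, NULL, 'm'},
+{"non-unique", no_argument, NULL, 'o'},
+{"password", required_argument, NULL, 'p'},
++ {"clear-password", required_argument, NULL, 'P'},
+{"root", required_argument, NULL, 'R'},
+{"shell", required_argument, NULL, 's'},
+{"uid", required_argument, NULL, 'u'},
+@@ -1012,7 +1014,7 @@ static void process_flags (int argc, char **argv)
+{NULL, 0, NULL, '\0'}
+};
+while ((c = getopt_long (argc, argv,
+- "ac:d:e:f:g:G:hl:Lmop:R:s:u:U"
++ "ac:d:e:f:g:G:hl:Lmop:P:R:s:u:U"
+#ifdef ENABLE_SUBIDS
+"v:w:V:W:"
+#endif /* ENABLE_SUBIDS */
+@@ -1112,6 +1114,10 @@ static void process_flags (int argc, char **argv)
+user_pass = optarg;
+pflg = true;
+break;
++ case 'P':
++ user_pass = pw_encrypt (optarg, crypt_make_salt (NULL, NULL));
++ pflg = true;
++ break;
+case 'R': /* no-op, handled in process_root_flag () */
+break;
+case 's':
+--
+1.7.9.5
+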
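Review bot: The new `case 'P':` branches take the cleartext password from `optarg`, that is from the process command line, where it remains readable through the process list and tends to end up in shell history and build logs; the same pattern is added in groupadd.c, groupmod.c, useradd.c and usermod.c. Hashing it does not remove the argv copy, so at minimum clear it once hashed, e.g. `memset (optarg, 0, strlen (optarg));` after each `pw_encrypt (...)` call, and state in the usage text that the option is meant for image construction rather than for live systems. `crypt_make_salt (NULL, NULL)` leaves the hash method to the login.defs in effect, so the stored hash is only as strong as the configured ENCRYPT_METHOD, which is worth confirming for the sysroot configuration; the `pw_encrypt()` result is also stored without a NULL check. In useradd.c the `-P` case additionally skips whatever validation the `-p` case performs just above it (only that block's closing brace is inside the hunk).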
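--- /dev/null
+++ b/meta/recipes-extended/shadow/files/check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch
@@ -0,0 +1,41 @@
+From 2cb54158b80cdbd97ca3b36df83f9255e923ae3f Mon Sep 17 00:00:00 2001
+From: James Le Cuirot <chewi@aura-online.co.uk>
+Date: Sat, 23 Aug 2014 09:46:39 +0100
+Subject: [PATCH] Check size of uid_t and gid_t using AC_CHECK_SIZEOF
+
+This built-in check is simpler than the previous method and, most
+importantly, works when cross-compiling.
+
+Upstream-Status: Accepted
+[https://github.com/shadow-maint/shadow/commit/2cb54158b80cdbd97ca3b36df83f9255e923ae3f]
+
+Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
+---
+configure.in | 14 ++++----------
+1 file changed, 4 insertions(+), 10 deletions(-)
+
+diff --git a/configure.in b/configure.in
+index 1a3f841..4a4d6d0 100644
+--- a/configure.in
++++ b/configure.in
+@@ -335,16 +335,10 @@ if test "$enable_subids" != "no"; then
+dnl
+dnl FIXME: check if 32 bit UIDs/GIDs are supported by libc
+dnl
+- AC_RUN_IFELSE([AC_LANG_SOURCE([
+-#include <sys/types.h>
+-int main(void) {
+- uid_t u;
+- gid_t g;
+- return (sizeof u < 4) || (sizeof g < 4);
+-}
+- ])], [id32bit="yes"], [id32bit="no"])
+-
+- if test "x$id32bit" = "xyes"; then
++ AC_CHECK_SIZEOF([uid_t],, [#include "sys/types.h"])
++ AC_CHECK_SIZEOF([gid_t],, [#include "sys/types.h"])
++
++ if test "$ac_cv_sizeof_uid_t" -ge 4 && test "$ac_cv_sizeof_gid_t" -ge 4; then
+AC_DEFINE(ENABLE_SUBIDS, 1, [Define to support the subordinate IDs.])
+enable_subids="yes"
+else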
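--- /dev/null
+++ b/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch
@@ -0,0 +1,46 @@
+Upstream-Status: Inappropriate [OE specific]
+
+commonio.c: fix unexpected open failure in chroot environment
+
+When using commands with '-R <newroot>' option in our pseudo environment,
+we would usually get the 'Pemission Denied' error. This patch serves as
+a workaround to this problem.
+
+Note that this patch doesn't change the logic in the code, it just expands
+the codes.
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+lib/commonio.c | 16 ++++++++++++----
+1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/lib/commonio.c b/lib/commonio.c
+index cc536bf..51cafd9 100644
+--- a/lib/commonio.c
++++ b/lib/commonio.c
+@@ -613,10 +613,18 @@ int commonio_open (struct commonio_db *db, int mode)
+db->cursor = NULL;
+db->changed = false;
+
+- fd = open (db->filename,
+- (db->readonly ? O_RDONLY : O_RDWR)
+- | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);
+- saved_errno = errno;
++ if (db->readonly) {
++ fd = open (db->filename,
++ (true ? O_RDONLY : O_RDWR)
++ | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);
++ saved_errno = errno;
++ } else {
++ fd = open (db->filename,
++ (false ? O_RDONLY : O_RDWR)
++ | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);
++ saved_errno = errno;
++ }
++
+db->fp = NULL;
+if (fd >= 0) {
+#ifdef WITH_TCB
+--
+1.7.9.5
+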
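Review bot: The two new branches differ only in `(true ? O_RDONLY : O_RDWR)` versus `(false ? O_RDONLY : O_RDWR)`, which reads like a leftover and gives the next maintainer no hint that the duplication is deliberate. Spell the access mode out, `fd = open (db->filename, O_RDONLY | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);` and the `O_RDWR` equivalent, and carry the reason from the patch description into the code, e.g. `/* Keep the two open() calls separate: workaround for the open failure seen under pseudo with -R; do not merge. */`. Retaining `O_NOFOLLOW` on both calls matters because these are the account database files, so any future simplification should keep it. commonio_open() continues outside the hunk.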
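--- /dev/null
+++ b/meta/recipes-extended/shadow/files/disable-syslog.patch
@@ -0,0 +1,34 @@
+Disable use of syslog to prevent sysroot user and group additions from
+writing entries to the host's syslog. This patch should only be used
+with the shadow-native recipe.
+
+Upstream-Status: Inappropriate [disable feature]
+
+Signed-off-by: Scott Garman <scott.a.garman@intel.com>
+
+diff -urN shadow-4.1.4.3.orig//src/groupadd.c shadow-4.1.4.3/src/groupadd.c
+--- shadow-4.1.4.3.orig//src/groupadd.c 2011-02-13 09:58:16.000000000 -0800
++++ shadow-4.1.4.3/src/groupadd.c 2012-04-05 10:05:59.440001758 -0700
+@@ -34,6 +34,9 @@
+
+#ident "$Id: groupadd.c 3015 2009-06-05 22:16:56Z nekral-guest $"
+
++/* Disable use of syslog since we're running this command against a sysroot */
++#undef USE_SYSLOG
++
+#include <ctype.h>
+#include <fcntl.h>
+#include <getopt.h>
+diff -urN shadow-4.1.4.3.orig//src/useradd.c shadow-4.1.4.3/src/useradd.c
+--- shadow-4.1.4.3.orig//src/useradd.c 2011-02-13 09:58:16.000000000 -0800
++++ shadow-4.1.4.3/src/useradd.c 2012-04-05 10:06:25.076001315 -0700
+@@ -34,6 +34,9 @@
+
+#ident "$Id: useradd.c 3015 2009-06-05 22:16:56Z nekral-guest $"
+
++/* Disable use of syslog since we're running this command against a sysroot */
++#undef USE_SYSLOG
++
+#include <assert.h>
+#include <ctype.h>
+#include <errno.h>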
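Review bot: `#undef USE_SYSLOG` at this position only takes effect if the macro was defined before line 34 and no later include defines it again; the lines that would show that (presumably a config.h include above the `#ident`) are outside both hunks, so it deserves a build-time check. With the patch applied, group and user additions leave no syslog record at all, and nothing in the patched sources restricts it to the native build that the description asks for. A guard comment next to the directive would make that constraint visible to whoever reuses the patch, e.g. `/* shadow-native only: target builds must keep USE_SYSLOG so account changes stay logged */`. The same applies to the useradd.c hunk.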
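--- /dev/null
+++ b/meta/recipes-extended/shadow/files/fix-installation-failure-with-subids-disabled.patch
@@ -0,0 +1,28 @@
+Upstream-Status: Pending
+
+Subject: fix installation failure with subids disabled
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+src/Makefile.am | 5 ++++-
+1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 25e288d..076f8ef 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -52,7 +52,10 @@ usbin_PROGRAMS = \
+noinst_PROGRAMS = id sulogin
+
+suidbins = su
+-suidubins = chage chfn chsh expiry gpasswd newgrp passwd newuidmap newgidmap
++suidubins = chage chfn chsh expiry gpasswd newgrp passwd
++if ENABLE_SUBIDS
++suidubins += newgidmap newuidmap
++endif
+if ACCT_TOOLS_SETUID
+suidubins += chage chgpasswd chpasswd groupadd groupdel groupmod newusers useradd userdel usermod
+endif
+--
+1.7.9.5
+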
diff --git a/meta/recipes-extended/shadow/files/login.defs_shadow-sysroot b/meta/recipes-extended/shadow/files/login.defs_shadow-sysroot new file mode 100644 index 0000000000..8a68dd341a --- /dev/null +++ b/meta/recipes-extended/shadow/files/login.defs_shadow-sysroot | |||
@@ -0,0 +1,386 @@ | |||
1 | # | ||
2 | # /etc/login.defs - Configuration control definitions for the shadow package. | ||
3 | # | ||
4 | # $Id: login.defs 3038 2009-07-23 20:41:35Z nekral-guest $ | ||
5 | # | ||
6 | |||
7 | # | ||
8 | # Delay in seconds before being allowed another attempt after a login failure | ||
9 | # Note: When PAM is used, some modules may enfore a minimal delay (e.g. | ||
10 | # pam_unix enforces a 2s delay) | ||
11 | # | ||
12 | FAIL_DELAY 3 | ||
13 | |||
14 | # | ||
15 | # Enable logging and display of /var/log/faillog login failure info. | ||
16 | # | ||
17 | #FAILLOG_ENAB yes | ||
18 | |||
19 | # | ||
20 | # Enable display of unknown usernames when login failures are recorded. | ||
21 | # | ||
22 | LOG_UNKFAIL_ENAB no | ||
23 | |||
24 | # | ||
25 | # Enable logging of successful logins | ||
26 | # | ||
27 | LOG_OK_LOGINS no | ||
28 | |||
29 | # | ||
30 | # Enable logging and display of /var/log/lastlog login time info. | ||
31 | # | ||
32 | #LASTLOG_ENAB yes | ||
33 | |||
34 | # | ||
35 | # Enable checking and display of mailbox status upon login. | ||
36 | # | ||
37 | # Disable if the shell startup files already check for mail | ||
38 | # ("mailx -e" or equivalent). | ||
39 | # | ||
40 | ##MAIL_CHECK_ENAB yes | ||
41 | |||
42 | # | ||
43 | # Enable additional checks upon password changes. | ||
44 | # | ||
45 | #OBSCURE_CHECKS_ENAB yes | ||
46 | |||
47 | # | ||
48 | # Enable checking of time restrictions specified in /etc/porttime. | ||
49 | # | ||
50 | #PORTTIME_CHECKS_ENAB yes | ||
51 | |||
52 | # | ||
53 | # Enable setting of ulimit, umask, and niceness from passwd gecos field. | ||
54 | # | ||
55 | #QUOTAS_ENAB yes | ||
56 | |||
57 | # | ||
58 | # Enable "syslog" logging of su activity - in addition to sulog file logging. | ||
59 | # SYSLOG_SG_ENAB does the same for newgrp and sg. | ||
60 | # | ||
61 | SYSLOG_SU_ENAB yes | ||
62 | SYSLOG_SG_ENAB yes | ||
63 | |||
64 | # | ||
65 | # If defined, either full pathname of a file containing device names or | ||
66 | # a ":" delimited list of device names. Root logins will be allowed only | ||
67 | # upon these devices. | ||
68 | # | ||
69 | CONSOLE /etc/securetty | ||
70 | #CONSOLE console:tty01:tty02:tty03:tty04 | ||
71 | |||
72 | # | ||
73 | # If defined, all su activity is logged to this file. | ||
74 | # | ||
75 | #SULOG_FILE /var/log/sulog | ||
76 | |||
77 | # | ||
78 | # If defined, ":" delimited list of "message of the day" files to | ||
79 | # be displayed upon login. | ||
80 | # | ||
81 | #MOTD_FILE /etc/motd | ||
82 | #MOTD_FILE /etc/motd:/usr/lib/news/news-motd | ||
83 | |||
84 | # | ||
85 | # If defined, this file will be output before each login prompt. | ||
86 | # | ||
87 | #ISSUE_FILE /etc/issue | ||
88 | |||
89 | # | ||
90 | # If defined, file which maps tty line to TERM environment parameter. | ||
91 | # Each line of the file is in a format something like "vt100 tty01". | ||
92 | # | ||
93 | #TTYTYPE_FILE /etc/ttytype | ||
94 | |||
95 | # | ||
96 | # If defined, login failures will be logged here in a utmp format. | ||
97 | # last, when invoked as lastb, will read /var/log/btmp, so... | ||
98 | # | ||
99 | #FTMP_FILE /var/log/btmp | ||
100 | |||
101 | # | ||
102 | # If defined, name of file whose presence which will inhibit non-root | ||
103 | # logins. The contents of this file should be a message indicating | ||
104 | # why logins are inhibited. | ||
105 | # | ||
106 | #NOLOGINS_FILE /etc/nologin | ||
107 | |||
108 | # | ||
109 | # If defined, the command name to display when running "su -". For | ||
110 | # example, if this is defined as "su" then a "ps" will display the | ||
111 | # command is "-su". If not defined, then "ps" would display the | ||
112 | # name of the shell actually being run, e.g. something like "-sh". | ||
113 | # | ||
114 | SU_NAME su | ||
115 | |||
116 | # | ||
117 | # *REQUIRED* | ||
118 | # Directory where mailboxes reside, _or_ name of file, relative to the | ||
119 | # home directory. If you _do_ define both, #MAIL_DIR takes precedence. | ||
120 | # | ||
121 | #MAIL_DIR /var/spool/mail | ||
122 | MAIL_FILE .mail | ||
123 | |||
124 | # | ||
125 | # If defined, file which inhibits all the usual chatter during the login | ||
126 | # sequence. If a full pathname, then hushed mode will be enabled if the | ||
127 | # user's name or shell are found in the file. If not a full pathname, then | ||
128 | # hushed mode will be enabled if the file exists in the user's home directory. | ||
129 | # | ||
130 | HUSHLOGIN_FILE .hushlogin | ||
131 | #HUSHLOGIN_FILE /etc/hushlogins | ||
132 | |||
133 | # | ||
134 | # If defined, either a TZ environment parameter spec or the | ||
135 | # fully-rooted pathname of a file containing such a spec. | ||
136 | # | ||
137 | #ENV_TZ TZ=CST6CDT | ||
138 | #ENV_TZ /etc/tzname | ||
139 | |||
140 | # | ||
141 | # If defined, an HZ environment parameter spec. | ||
142 | # | ||
143 | # for Linux/x86 | ||
144 | #ENV_HZ HZ=100 | ||
145 | # For Linux/Alpha... | ||
146 | #ENV_HZ HZ=1024 | ||
147 | |||
148 | # | ||
149 | # *REQUIRED* The default PATH settings, for superuser and normal users. | ||
150 | # | ||
151 | # (they are minimal, add the rest in the shell startup files) | ||
152 | ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin | ||
153 | ENV_PATH PATH=/bin:/usr/bin | ||
154 | |||
155 | # | ||
156 | # Terminal permissions | ||
157 | # | ||
158 | # TTYGROUP Login tty will be assigned this group ownership. | ||
159 | # TTYPERM Login tty will be set to this permission. | ||
160 | # | ||
161 | # If you have a "write" program which is "setgid" to a special group | ||
162 | # which owns the terminals, define TTYGROUP to the group number and | ||
163 | # TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign | ||
164 | # TTYPERM to either 622 or 600. | ||
165 | # | ||
166 | TTYGROUP tty | ||
167 | TTYPERM 0600 | ||
168 | |||
169 | # | ||
170 | # Login configuration initializations: | ||
171 | # | ||
172 | # ERASECHAR Terminal ERASE character ('\010' = backspace). | ||
173 | # KILLCHAR Terminal KILL character ('\025' = CTRL/U). | ||
174 | # ULIMIT Default "ulimit" value. | ||
175 | # | ||
176 | # The ERASECHAR and KILLCHAR are used only on System V machines. | ||
177 | # The ULIMIT is used only if the system supports it. | ||
178 | # (now it works with setrlimit too; ulimit is in 512-byte units) | ||
179 | # | ||
180 | # Prefix these values with "0" to get octal, "0x" to get hexadecimal. | ||
181 | # | ||
182 | ERASECHAR 0177 | ||
183 | KILLCHAR 025 | ||
184 | #ULIMIT 2097152 | ||
185 | |||
186 | # Default initial "umask" value for non-PAM enabled systems. | ||
187 | # UMASK is also used by useradd and newusers to set the mode of new home | ||
188 | # directories. | ||
189 | # 022 is the default value, but 027, or even 077, could be considered | ||
190 | # better for privacy. There is no One True Answer here: each sysadmin | ||
191 | # must make up her mind. | ||
192 | UMASK 022 | ||
193 | |||
194 | # | ||
195 | # Password aging controls: | ||
196 | # | ||
197 | # PASS_MAX_DAYS Maximum number of days a password may be used. | ||
198 | # PASS_MIN_DAYS Minimum number of days allowed between password changes. | ||
199 | # PASS_MIN_LEN Minimum acceptable password length. | ||
200 | # PASS_WARN_AGE Number of days warning given before a password expires. | ||
201 | # | ||
202 | PASS_MAX_DAYS 99999 | ||
203 | PASS_MIN_DAYS 0 | ||
204 | #PASS_MIN_LEN 5 | ||
205 | PASS_WARN_AGE 7 | ||
206 | |||
207 | # | ||
208 | # If "yes", the user must be listed as a member of the first gid 0 group | ||
209 | # in /etc/group (called "root" on most Linux systems) to be able to "su" | ||
210 | # to uid 0 accounts. If the group doesn't exist or is empty, no one | ||
211 | # will be able to "su" to uid 0. | ||
212 | # | ||
213 | #SU_WHEEL_ONLY no | ||
214 | |||
215 | # | ||
216 | # If compiled with cracklib support, where are the dictionaries | ||
217 | # | ||
218 | #CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict | ||
219 | |||
220 | # | ||
221 | # Min/max values for automatic uid selection in useradd | ||
222 | # | ||
223 | UID_MIN 1000 | ||
224 | UID_MAX 60000 | ||
225 | # System accounts | ||
226 | SYS_UID_MIN 101 | ||
227 | SYS_UID_MAX 999 | ||
228 | |||
229 | # | ||
230 | # Min/max values for automatic gid selection in groupadd | ||
231 | # | ||
232 | GID_MIN 1000 | ||
233 | GID_MAX 60000 | ||
234 | # System accounts | ||
235 | SYS_GID_MIN 101 | ||
236 | SYS_GID_MAX 999 | ||
237 | |||
238 | # | ||
239 | # Max number of login retries if password is bad | ||
240 | # | ||
241 | LOGIN_RETRIES 5 | ||
242 | |||
243 | # | ||
244 | # Max time in seconds for login | ||
245 | # | ||
246 | LOGIN_TIMEOUT 60 | ||
247 | |||
248 | # | ||
249 | # Maximum number of attempts to change password if rejected (too easy) | ||
250 | # | ||
251 | #PASS_CHANGE_TRIES 5 | ||
252 | |||
253 | # | ||
254 | # Warn about weak passwords (but still allow them) if you are root. | ||
255 | # | ||
256 | #PASS_ALWAYS_WARN yes | ||
257 | |||
258 | # | ||
259 | # Number of significant characters in the password for crypt(). | ||
260 | # Default is 8, don't change unless your crypt() is better. | ||
261 | # Ignored if MD5_CRYPT_ENAB set to "yes". | ||
262 | # | ||
263 | #PASS_MAX_LEN 8 | ||
264 | |||
265 | # | ||
266 | # Require password before chfn/chsh can make any changes. | ||
267 | # | ||
268 | #CHFN_AUTH yes | ||
269 | |||
270 | # | ||
271 | # Which fields may be changed by regular users using chfn - use | ||
272 | # any combination of letters "frwh" (full name, room number, work | ||
273 | # phone, home phone). If not defined, no changes are allowed. | ||
274 | # For backward compatibility, "yes" = "rwh" and "no" = "frwh". | ||
275 | # | ||
276 | CHFN_RESTRICT rwh | ||
277 | |||
278 | # | ||
279 | # Password prompt (%s will be replaced by user name). | ||
280 | # | ||
281 | # XXX - it doesn't work correctly yet, for now leave it commented out | ||
282 | # to use the default which is just "Password: ". | ||
283 | #LOGIN_STRING "%s's Password: " | ||
284 | |||
285 | # | ||
286 | # Only works if compiled with MD5_CRYPT defined: | ||
287 | # If set to "yes", new passwords will be encrypted using the MD5-based | ||
288 | # algorithm compatible with the one used by recent releases of FreeBSD. | ||
289 | # It supports passwords of unlimited length and longer salt strings. | ||
290 | # Set to "no" if you need to copy encrypted passwords to other systems | ||
291 | # which don't understand the new algorithm. Default is "no". | ||
292 | # | ||
293 | # Note: If you use PAM, it is recommended to use a value consistent with | ||
294 | # the PAM modules configuration. | ||
295 | # | ||
296 | # This variable is deprecated. You should use ENCRYPT_METHOD. | ||
297 | # | ||
298 | #MD5_CRYPT_ENAB no | ||
299 | |||
300 | # | ||
301 | # Only works if compiled with ENCRYPTMETHOD_SELECT defined: | ||
302 | # If set to MD5 , MD5-based algorithm will be used for encrypting password | ||
303 | # If set to SHA256, SHA256-based algorithm will be used for encrypting password | ||
304 | # If set to SHA512, SHA512-based algorithm will be used for encrypting password | ||
305 | # If set to DES, DES-based algorithm will be used for encrypting password (default) | ||
306 | # Overrides the MD5_CRYPT_ENAB option | ||
307 | # | ||
308 | # Note: If you use PAM, it is recommended to use a value consistent with | ||
309 | # the PAM modules configuration. | ||
310 | # | ||
311 | #ENCRYPT_METHOD DES | ||
312 | |||
313 | # | ||
314 | # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. | ||
315 | # | ||
316 | # Define the number of SHA rounds. | ||
317 | # With a lot of rounds, it is more difficult to brute forcing the password. | ||
318 | # But note also that it more CPU resources will be needed to authenticate | ||
319 | # users. | ||
320 | # | ||
321 | # If not specified, the libc will choose the default number of rounds (5000). | ||
322 | # The values must be inside the 1000-999999999 range. | ||
323 | # If only one of the MIN or MAX values is set, then this value will be used. | ||
324 | # If MIN > MAX, the highest value will be used. | ||
325 | # | ||
326 | # SHA_CRYPT_MIN_ROUNDS 5000 | ||
327 | # SHA_CRYPT_MAX_ROUNDS 5000 | ||
328 | |||
329 | # | ||
330 | # List of groups to add to the user's supplementary group set | ||
331 | # when logging in on the console (as determined by the CONSOLE | ||
332 | # setting). Default is none. | ||
333 | # | ||
334 | # Use with caution - it is possible for users to gain permanent | ||
335 | # access to these groups, even when not logged in on the console. | ||
336 | # How to do it is left as an exercise for the reader... | ||
337 | # | ||
338 | #CONSOLE_GROUPS floppy:audio:cdrom | ||
339 | |||
340 | # | ||
341 | # Should login be allowed if we can't cd to the home directory? | ||
342 | # Default in no. | ||
343 | # | ||
344 | DEFAULT_HOME yes | ||
345 | |||
346 | # | ||
347 | # If this file exists and is readable, login environment will be | ||
348 | # read from it. Every line should be in the form name=value. | ||
349 | # | ||
350 | #ENVIRON_FILE /etc/environment | ||
351 | |||
352 | # | ||
353 | # If defined, this command is run when removing a user. | ||
354 | # It should remove any at/cron/print jobs etc. owned by | ||
355 | # the user to be removed (passed as the first argument). | ||
356 | # | ||
357 | #USERDEL_CMD /usr/sbin/userdel_local | ||
358 | |||
359 | # | ||
360 | # Enable setting of the umask group bits to be the same as owner bits | ||
361 | # (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is | ||
362 | # the same as gid, and username is the same as the primary group name. | ||
363 | # | ||
364 | # This also enables userdel to remove user groups if no members exist. | ||
365 | # | ||
366 | USERGROUPS_ENAB yes | ||
367 | |||
368 | # | ||
369 | # If set to a non-nul number, the shadow utilities will make sure that | ||
370 | # groups never have more than this number of users on one line. | ||
371 | # This permit to support split groups (groups split into multiple lines, | ||
372 | # with the same group ID, to avoid limitation of the line length in the | ||
373 | # group file). | ||
374 | # | ||
375 | # 0 is the default value and disables this feature. | ||
376 | # | ||
377 | #MAX_MEMBERS_PER_GROUP 0 | ||
378 | |||
379 | # | ||
380 | # If useradd should create home directories for users by default (non | ||
381 | # system users only) | ||
382 | # This option is overridden with the -M or -m flags on the useradd command | ||
383 | # line. | ||
384 | # | ||
385 | CREATE_HOME yes | ||
386 | |||
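diff --git a/meta/recipes-extended/shadow/files/login_defs_pam.sed b/meta/recipes-extended/shadow/files/login_defs_pam.sed
new file mode 100644
index 0000000000..0a1f3be4af
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/login_defs_pam.sed
@@ -0,0 +1,32 @@
+/^FAILLOG_ENAB/b comment
+/^LASTLOG_ENAB/b comment
+/^MAIL_CHECK_ENAB/b comment
+/^OBSCURE_CHECKS_ENAB/b comment
+/^PORTTIME_CHECKS_ENAB/b comment
+/^QUOTAS_ENAB/b comment
+/^MOTD_FILE/b comment
+/^FTMP_FILE/b comment
+/^NOLOGINS_FILE/b comment
+/^ENV_HZ/b comment
+/^ENV_TZ/b comment
+/^PASS_MIN_LEN/b comment
+/^SU_WHEEL_ONLY/b comment
+/^CRACKLIB_DICTPATH/b comment
+/^PASS_CHANGE_TRIES/b comment
+/^PASS_ALWAYS_WARN/b comment
+/^PASS_MAX_LEN/b comment
+/^PASS_MIN_LEN/b comment
+/^CHFN_AUTH/b comment
+/^CHSH_AUTH/b comment
+/^ISSUE_FILE/b comment
+/^LOGIN_STRING/b comment
+/^ULIMIT/b comment
+/^ENVIRON_FILE/b comment
+
+b exit
+
+: comment
+s:^:#:
+
+: exit
+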
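Review bot: `/^PASS_MIN_LEN/b comment` is listed twice (script lines 12 and 18); the second entry can never do anything the first has not already done and should be dropped. The addresses are also bare prefix matches, so any login.defs key that merely starts with one of these names would be commented out as well. Anchoring on the separator that follows the key, for example `/^ULIMIT[[:space:]]/b comment`, limits each rule to the exact option it names.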
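diff --git a/meta/recipes-extended/shadow/files/pam.d/chfn b/meta/recipes-extended/shadow/files/pam.d/chfn
new file mode 100644
index 0000000000..baf7698bba
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/pam.d/chfn
@@ -0,0 +1,14 @@
+#
+# The PAM configuration file for the Shadow `chfn' service
+#
+
+# This allows root to change user infomation without being
+# prompted for a password
+auth sufficient pam_rootok.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+auth include common-auth
+account include common-account
+session include common-session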
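diff --git a/meta/recipes-extended/shadow/files/pam.d/chpasswd b/meta/recipes-extended/shadow/files/pam.d/chpasswd
new file mode 100644
index 0000000000..9e3efa68ba
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/pam.d/chpasswd
@@ -0,0 +1,4 @@
+# The PAM configuration file for the Shadow 'chpasswd' service
+#
+
+password include common-password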
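diff --git a/meta/recipes-extended/shadow/files/pam.d/chsh b/meta/recipes-extended/shadow/files/pam.d/chsh
new file mode 100644
index 0000000000..8fb169f64e
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/pam.d/chsh
@@ -0,0 +1,19 @@
+#
+# The PAM configuration file for the Shadow `chsh' service
+#
+
+# This will not allow a user to change their shell unless
+# their current one is listed in /etc/shells. This keeps
+# accounts with special shells from changing them.
+auth required pam_shells.so
+
+# This allows root to change user shell without being
+# prompted for a password
+auth sufficient pam_rootok.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+auth include common-auth
+account include common-account
+session include common-session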
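diff --git a/meta/recipes-extended/shadow/files/pam.d/login b/meta/recipes-extended/shadow/files/pam.d/login
new file mode 100644
index 0000000000..b340058539
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/pam.d/login
@@ -0,0 +1,81 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth optional pam_faildelay.so delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth required pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+# Note that it is included as a "requisite" module. No password prompts will
+# be displayed if this module fails to avoid having the root password
+# transmitted on unsecure ttys.
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root).
+auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth requisite pam_nologin.so
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+#
+# parsing /etc/environment needs "readenv=1"
+session required pam_env.so readenv=1
+
+# Standard Un*x authentication.
+auth include common-auth
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth optional pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account requisite pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account required pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session required pam_limits.so
+
+# Prints the last login info upon succesful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session optional pam_lastlog.so
+
+# Prints the motd upon succesful login
+# (Replaces the `MOTD_FILE' option in login.defs)
+session optional pam_motd.so
+
+# Prints the status of the user's mailbox upon succesful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session optional pam_mail.so standard
+
+# Standard Un*x account and session
+account include common-account
+password include common-password
+session include common-session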
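Review bot: The session stack never calls pam_loginuid.so, so unless common-session (not shown in this commit view) already does, console logins leave the audit login UID unset. On images that enable kernel auditing, later audit records then cannot be tied back to the account that logged in. If auditing is expected on any target, consider adding `session required pam_loginuid.so` ahead of `session include common-session`, or `optional` where the module may not be installed. Separately, the comment above the pam_securetty line still calls it a "requisite" module although the control is the bracketed form; a line such as `# default=die behaves like requisite, except that unknown users are ignored` would keep the comment and the rule in step.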
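diff --git a/meta/recipes-extended/shadow/files/pam.d/newusers b/meta/recipes-extended/shadow/files/pam.d/newusers
new file mode 100644
index 0000000000..4aa3dde48b
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/pam.d/newusers
@@ -0,0 +1,4 @@
+# The PAM configuration file for the Shadow 'newusers' service
+#
+
+password include common-password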
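diff --git a/meta/recipes-extended/shadow/files/pam.d/passwd b/meta/recipes-extended/shadow/files/pam.d/passwd
new file mode 100644
index 0000000000..f534992435
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/pam.d/passwd
@@ -0,0 +1,5 @@
+#
+# The PAM configuration file for the Shadow `passwd' service
+#
+
+password include common-password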
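diff --git a/meta/recipes-extended/shadow/files/pam.d/su b/meta/recipes-extended/shadow/files/pam.d/su
new file mode 100644
index 0000000000..8d590a32e6
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/pam.d/su
@@ -0,0 +1,57 @@
+#
+# The PAM configuration file for the Shadow `su' service
+#
+
+# This allows root to su without passwords (normal operation)
+auth sufficient pam_rootok.so
+
+# Uncomment this to force users to be a member of group root
+# before they can use `su'. You can also add "group=foo"
+# to the end of this line if you want to use a group other
+# than the default "root" (but this may have side effect of
+# denying "root" user, unless she's a member of "foo" or explicitly
+# permitted earlier by e.g. "sufficient pam_rootok.so").
+# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
+# auth required pam_wheel.so
+
+# Uncomment this if you want wheel members to be able to
+# su without a password.
+# auth sufficient pam_wheel.so trust
+
+# Uncomment this if you want members of a specific group to not
+# be allowed to use su at all.
+# auth required pam_wheel.so deny group=nosu
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on su usage.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account requisite pam_time.so
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+#
+# parsing /etc/environment needs "readenv=1"
+session required pam_env.so readenv=1
+
+# Defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+#
+# "nopen" stands to avoid reporting new mail when su'ing to another user
+session optional pam_mail.so nopen
+
+# Sets up user limits, please uncomment and read /etc/security/limits.conf
+# to enable this functionality.
+# (Replaces the use of /etc/limits in old login)
+# session required pam_limits.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+auth include common-auth
+account include common-account
+session include common-session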
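Review bot: Nothing in this file restricts which accounts may attempt `su` to root, because `auth required pam_wheel.so` is left commented out. login_defs_pam.sed in the same commit also comments out SU_WHEEL_ONLY for PAM builds, so knowledge of the target password is the only gate. That may be the intended default, but the file should say so, for example `# NOTE: no group restriction is active by default; enable pam_wheel below to limit su to an admin group`. The comments also refer to "group root" (file line 8) and "wheel members" (file line 17) for the same module, and pam_limits is disabled here while pam.d/login enables it; both are worth aligning or explaining.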
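diff --git a/meta/recipes-extended/shadow/files/securetty b/meta/recipes-extended/shadow/files/securetty
new file mode 100644
index 0000000000..ecc246f799
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/securetty
@@ -0,0 +1,234 @@
+# /etc/securetty: list of terminals on which root is allowed to login.
+# See securetty(5) and login(1).
+console
+
+# Standard serial ports
+ttyS0
+ttyS1
+ttyS2
+ttyS3
+
+# ARM AMBA SoCs
+ttyAM0
+ttyAM1
+ttyAM2
+ttyAM3
+ttyAMA0
+ttyAMA1
+ttyAMA2
+ttyAMA3
+
+# QCOM Socs
+ttyHSL0
+ttyHSL1
+ttyHSL2
+ttyHSL3
+ttyMSM0
+ttyMSM1
+ttyMSM2
+
+# Samsung ARM SoCs
+ttySAC0
+ttySAC1
+ttySAC2
+ttySAC3
+
+# STM SoCs
+ttyAS0
+ttyAS1
+ttyAS2
+ttyAS3
+
+# TI OMAP SoCs
+ttyO0
+ttyO1
+ttyO2
+ttyO3
+
+# USB dongles
+ttyUSB0
+ttyUSB1
+ttyUSB2
+
+# USB serial gadget
+ttyGS0
+
+# PowerMac
+ttyPZ0
+ttyPZ1
+ttyPZ2
+ttyPZ3
+
+# Embedded MPC platforms
+ttyPSC0
+ttyPSC1
+ttyPSC2
+ttyPSC3
+ttyPSC4
+ttyPSC5
+
+# PA-RISC mux ports
+ttyB0
+ttyB1
+
+# Standard hypervisor virtual console
+hvc0
+
+# Oldstyle Xen console
+xvc0
+
+# Standard consoles
+tty1
+tty2
+tty3
+tty4
+tty5
+tty6
+tty7
+tty8
+tty9
+tty10
+tty11
+tty12
+tty13
+tty14
+tty15
+tty16
+tty17
+tty18
+tty19
+tty20
+tty21
+tty22
+tty23
+tty24
+tty25
+tty26
+tty27
+tty28
+tty29
+tty30
+tty31
+tty32
+tty33
+tty34
+tty35
+tty36
+tty37
+tty38
+tty39
+tty40
+tty41
+tty42
+tty43
+tty44
+tty45
+tty46
+tty47
+tty48
+tty49
+tty50
+tty51
+tty52
+tty53
+tty54
+tty55
+tty56
+tty57
+tty58
+tty59
+tty60
+tty61
+tty62
+tty63
+
+# Local X displays (allows empty passwords with pam_unix's nullok_secure)
+pts/0
+pts/1
+pts/2
+pts/3
+
+# Embedded Freescale i.MX ports
+ttymxc0
+ttymxc1
+ttymxc2
+ttymxc3
+ttymxc4
+ttymxc5
+
+# Freescale lpuart ports
+ttyLP0
+ttyLP1
+ttyLP2
+ttyLP3
+ttyLP4
+ttyLP5
+
+# Standard serial ports, with devfs
+tts/0
+tts/1
+
+# Standard consoles, with devfs
+vc/1
+vc/2
+vc/3
+vc/4
+vc/5
+vc/6
+vc/7
+vc/8
+vc/9
+vc/10
+vc/11
+vc/12
+vc/13
+vc/14
+vc/15
+vc/16
+vc/17
+vc/18
+vc/19
+vc/20
+vc/21
+vc/22
+vc/23
+vc/24
+vc/25
+vc/26
+vc/27
+vc/28
+vc/29
+vc/30
+vc/31
+vc/32
+vc/33
+vc/34
+vc/35
+vc/36
+vc/37
+vc/38
+vc/39
+vc/40
+vc/41
+vc/42
+vc/43
+vc/44
+vc/45
+vc/46
+vc/47
+vc/48
+vc/49
+vc/50
+vc/51
+vc/52
+vc/53
+vc/54
+vc/55
+vc/56
+vc/57
+vc/58
+vc/59
+vc/60
+vc/61
+vc/62
+vc/63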
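Review bot: The `pts/0`–`pts/3` entries (file lines 146-149) are labelled "Local X displays", but pseudo-terminals are handed to any pty consumer, including network login services that run login(1). Listing them therefore lets pam_securetty accept root on sessions that are not local, and the file's own comment notes they also permit empty passwords under pam_unix's nullok_secure. Unless a target really needs root logins on ptys, these four lines should be dropped from the default file and added only in a machine- or image-specific override. The `ttyUSB*` and `ttyGS0` entries likewise allow root login on hot-pluggable serial devices; a comment saying this is deliberate for development boards would help whoever hardens a production image.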
diff --git a/meta/recipes-extended/shadow/files/shadow-4.1.3-dots-in-usernames.patch b/meta/recipes-extended/shadow/files/shadow-4.1.3-dots-in-usernames.patch new file mode 100644 index 0000000000..a7bb0a9290 --- /dev/null +++ b/meta/recipes-extended/shadow/files/shadow-4.1.3-dots-in-usernames.patch | |||
@@ -0,0 +1,27 @@ | |||
1 | # commit message copied from openembedded: | ||
2 | # commit 246c80637b135f3a113d319b163422f98174ee6c | ||
3 | # Author: Khem Raj <raj.khem@gmail.com> | ||
4 | # Date: Wed Jun 9 13:37:03 2010 -0700 | ||
5 | # | ||
6 | # shadow-4.1.4.2: Add patches to support dots in login id. | ||
7 | # | ||
8 | # Signed-off-by: Khem Raj <raj.khem@gmail.com> | ||
9 | # | ||
10 | # comment added by Kevin Tian <kevin.tian@intel.com>, 2010-08-11 | ||
11 | |||
12 | Upstream-Status: Pending | ||
13 | |||
14 | Signed-off-by: Scott Garman <scott.a.garman@intel.com> | ||
15 | |||
16 | Index: shadow-4.1.4.2/libmisc/chkname.c | ||
17 | =================================================================== | ||
18 | --- shadow-4.1.4.2.orig/libmisc/chkname.c 2009-04-28 12:14:04.000000000 -0700 | ||
19 | +++ shadow-4.1.4.2/libmisc/chkname.c 2010-06-03 17:43:20.638973857 -0700 | ||
20 | @@ -61,6 +61,7 @@ static bool is_valid_name (const char *n | ||
21 | ( ('0' <= *name) && ('9' >= *name) ) || | ||
22 | ('_' == *name) || | ||
23 | ('-' == *name) || | ||
24 | + ('.' == *name) || | ||
25 | ( ('$' == *name) && ('\0' == *(name + 1)) ) | ||
26 | )) { | ||
27 | return false; | ||
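Review bot: Adding `('.' == *name)` to the accepted set means names such as `a..b`, or ones ending in a dot, now pass is_valid_name, and a dotted login is ambiguous with the legacy `owner.group` form that some chown implementations still parse. The hunk shows only the test applied to the remaining characters; the first-character check lies outside it, so whether a leading dot is rejected cannot be confirmed from here. Since the account name normally becomes a path component for the home directory and mail spool, the constraint should be documented next to the added line, e.g. `/* '.' accepted for dotted login ids; callers must not parse "user.group" */`. The patch header should also say why Upstream-Status is still Pending.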
diff --git a/meta/recipes-extended/shadow/files/shadow-update-pam-conf.patch b/meta/recipes-extended/shadow/files/shadow-update-pam-conf.patch new file mode 100644 index 0000000000..15f8044fa2 --- /dev/null +++ b/meta/recipes-extended/shadow/files/shadow-update-pam-conf.patch | |||
@@ -0,0 +1,91 @@ | |||
1 | The system-auth in the configure files is from Fedora which put all the 4 pam type rules | ||
2 | in one file. | ||
3 | In yocto it obey the way with Debian/Ubuntu, and the names are common-auth, common-account, | ||
4 | common-password and common-session. | ||
5 | So update them with oe way. | ||
6 | |||
7 | Upstream-Status: Pending | ||
8 | |||
9 | Signed-off-by: Kang Kai <kai.kang@windriver.com> | ||
10 | |||
11 | diff -Nur shadow-4.1.4.3/etc/pam.d.orig/chage shadow-4.1.4.3/etc/pam.d/chage | ||
12 | --- shadow-4.1.4.3/etc/pam.d.orig/chage 2011-07-20 19:02:27.384844958 +0800 | ||
13 | +++ shadow-4.1.4.3/etc/pam.d/chage 2011-07-20 19:03:08.964844958 +0800 | ||
14 | @@ -1,4 +1,4 @@ | ||
15 | #%PAM-1.0 | ||
16 | auth sufficient pam_rootok.so | ||
17 | account required pam_permit.so | ||
18 | -password include system-auth | ||
19 | +password include common-password | ||
20 | diff -Nur shadow-4.1.4.3/etc/pam.d.orig/chgpasswd shadow-4.1.4.3/etc/pam.d/chgpasswd | ||
21 | --- shadow-4.1.4.3/etc/pam.d.orig/chgpasswd 2011-07-20 19:02:27.384844958 +0800 | ||
22 | +++ shadow-4.1.4.3/etc/pam.d/chgpasswd 2011-07-20 19:03:26.544844958 +0800 | ||
23 | @@ -1,4 +1,4 @@ | ||
24 | #%PAM-1.0 | ||
25 | auth sufficient pam_rootok.so | ||
26 | account required pam_permit.so | ||
27 | -password include system-auth | ||
28 | +password include common-password | ||
29 | diff -Nur shadow-4.1.4.3/etc/pam.d.orig/groupadd shadow-4.1.4.3/etc/pam.d/groupadd | ||
30 | --- shadow-4.1.4.3/etc/pam.d.orig/groupadd 2011-07-20 19:02:27.384844958 +0800 | ||
31 | +++ shadow-4.1.4.3/etc/pam.d/groupadd 2011-07-20 19:04:08.124844958 +0800 | ||
32 | @@ -1,4 +1,4 @@ | ||
33 | #%PAM-1.0 | ||
34 | auth sufficient pam_rootok.so | ||
35 | account required pam_permit.so | ||
36 | -password include system-auth | ||
37 | +password include common-password | ||
38 | diff -Nur shadow-4.1.4.3/etc/pam.d.orig/groupdel shadow-4.1.4.3/etc/pam.d/groupdel | ||
39 | --- shadow-4.1.4.3/etc/pam.d.orig/groupdel 2011-07-20 19:02:27.384844958 +0800 | ||
40 | +++ shadow-4.1.4.3/etc/pam.d/groupdel 2011-07-20 19:04:26.114844958 +0800 | ||
41 | @@ -1,4 +1,4 @@ | ||
42 | #%PAM-1.0 | ||
43 | auth sufficient pam_rootok.so | ||
44 | account required pam_permit.so | ||
45 | -password include system-auth | ||
46 | +password include common-password | ||
47 | diff -Nur shadow-4.1.4.3/etc/pam.d.orig/groupmems shadow-4.1.4.3/etc/pam.d/groupmems | ||
48 | --- shadow-4.1.4.3/etc/pam.d.orig/groupmems 2011-07-20 19:02:27.384844958 +0800 | ||
49 | +++ shadow-4.1.4.3/etc/pam.d/groupmems 2011-07-20 19:04:35.074844958 +0800 | ||
50 | @@ -1,4 +1,4 @@ | ||
51 | #%PAM-1.0 | ||
52 | auth sufficient pam_rootok.so | ||
53 | account required pam_permit.so | ||
54 | -password include system-auth | ||
55 | +password include common-password | ||
56 | diff -Nur shadow-4.1.4.3/etc/pam.d.orig/groupmod shadow-4.1.4.3/etc/pam.d/groupmod | ||
57 | --- shadow-4.1.4.3/etc/pam.d.orig/groupmod 2011-07-20 19:02:27.384844958 +0800 | ||
58 | +++ shadow-4.1.4.3/etc/pam.d/groupmod 2011-07-20 19:04:44.864844958 +0800 | ||
59 | @@ -1,4 +1,4 @@ | ||
60 | #%PAM-1.0 | ||
61 | auth sufficient pam_rootok.so | ||
62 | account required pam_permit.so | ||
63 | -password include system-auth | ||
64 | +password include common-password | ||
65 | diff -Nur shadow-4.1.4.3/etc/pam.d.orig/useradd shadow-4.1.4.3/etc/pam.d/useradd | ||
66 | --- shadow-4.1.4.3/etc/pam.d.orig/useradd 2011-07-20 19:02:27.384844958 +0800 | ||
67 | +++ shadow-4.1.4.3/etc/pam.d/useradd 2011-07-20 19:07:26.244844958 +0800 | ||
68 | @@ -1,4 +1,4 @@ | ||
69 | #%PAM-1.0 | ||
70 | auth sufficient pam_rootok.so | ||
71 | account required pam_permit.so | ||
72 | -password include system-auth | ||
73 | +password include common-password | ||
74 | diff -Nur shadow-4.1.4.3/etc/pam.d.orig/userdel shadow-4.1.4.3/etc/pam.d/userdel | ||
75 | --- shadow-4.1.4.3/etc/pam.d.orig/userdel 2011-07-20 19:02:27.384844958 +0800 | ||
76 | +++ shadow-4.1.4.3/etc/pam.d/userdel 2011-07-20 19:07:35.734844958 +0800 | ||
77 | @@ -1,4 +1,4 @@ | ||
78 | #%PAM-1.0 | ||
79 | auth sufficient pam_rootok.so | ||
80 | account required pam_permit.so | ||
81 | -password include system-auth | ||
82 | +password include common-password | ||
83 | diff -Nur shadow-4.1.4.3/etc/pam.d.orig/usermod shadow-4.1.4.3/etc/pam.d/usermod | ||
84 | --- shadow-4.1.4.3/etc/pam.d.orig/usermod 2011-07-20 19:02:27.384844958 +0800 | ||
85 | +++ shadow-4.1.4.3/etc/pam.d/usermod 2011-07-20 19:07:42.024844958 +0800 | ||
86 | @@ -1,4 +1,4 @@ | ||
87 | #%PAM-1.0 | ||
88 | auth sufficient pam_rootok.so | ||
89 | account required pam_permit.so | ||
90 | -password include system-auth | ||
91 | +password include common-password | ||
diff --git a/meta/recipes-extended/shadow/files/usermod-fix-compilation-failure-with-subids-disabled.patch b/meta/recipes-extended/shadow/files/usermod-fix-compilation-failure-with-subids-disabled.patch new file mode 100644 index 0000000000..37dc153fca --- /dev/null +++ b/meta/recipes-extended/shadow/files/usermod-fix-compilation-failure-with-subids-disabled.patch | |||
@@ -0,0 +1,33 @@ | |||
1 | Upstream-Status: Pending | ||
2 | |||
3 | usermod: fix compilation failure with subids disabled | ||
4 | |||
5 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
6 | --- | ||
7 | src/usermod.c | 3 ++- | ||
8 | 1 file changed, 2 insertions(+), 1 deletion(-) | ||
9 | |||
10 | diff --git a/src/usermod.c b/src/usermod.c | ||
11 | index e7d4351..685b50a 100644 | ||
12 | --- a/src/usermod.c | ||
13 | +++ b/src/usermod.c | ||
14 | @@ -1360,7 +1360,7 @@ static void process_flags (int argc, char **argv) | ||
15 | Prog, (unsigned long) user_newid); | ||
16 | exit (E_UID_IN_USE); | ||
17 | } | ||
18 | - | ||
19 | +#ifdef ENABLE_SUBIDS | ||
20 | if ( (vflg || Vflg) | ||
21 | && !is_sub_uid) { | ||
22 | fprintf (stderr, | ||
23 | @@ -1376,6 +1376,7 @@ static void process_flags (int argc, char **argv) | ||
24 | Prog, sub_gid_dbname (), "-w", "-W"); | ||
25 | exit (E_USAGE); | ||
26 | } | ||
27 | +#endif | ||
28 | } | ||
29 | |||
30 | /* | ||
31 | -- | ||
32 | 1.7.9.5 | ||
33 | |||
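--- /dev/null
+++ b/meta/recipes-extended/shadow/shadow-securetty_4.2.1.bb
@@ -0,0 +1,36 @@
+SUMMARY = "Provider of the machine specific securetty file"
+SECTION = "base utils"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+INHIBIT_DEFAULT_DEPS = "1"
+
+PR = "r3"
+
+SRC_URI = "file://securetty"
+
+# Since SERIAL_CONSOLES is likely to be set from the machine configuration
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+do_install () {
+# Ensure we add a suitable securetty file to the package that has
+# most common embedded TTYs defined.
+install -d ${D}${sysconfdir}
+install -m 0400 ${WORKDIR}/securetty ${D}${sysconfdir}/securetty
+if [ ! -z "${SERIAL_CONSOLES}" ]; then
+# Our SERIAL_CONSOLES contains a baud rate and sometimes extra
+# options as well. The following pearl :) takes that and converts
+# it into newline-separated tty's and appends them into
+# securetty. So if a machine has a weird looking console device
+# node (e.g. ttyAMA0) that securetty does not know, it will get
+# appended to securetty and root logins will be allowed on that
+# console.
+tmp="${SERIAL_CONSOLES}"
+for entry in $tmp ; do
+ttydev=`echo "$entry" | sed -e 's/^[0-9]*\;//' -e 's/\;.*//'`
+if ! grep -q $ttydev ${D}${sysconfdir}/securetty; then
+echo $ttydev >> ${D}${sysconfdir}/securetty
+fi
+done
+fi
+}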
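Review bot: The duplicate check `grep -q $ttydev` in do_install treats the device name as an unanchored pattern, so a console such as ttyS1 counts as already present when securetty only lists ttyS10 and is then left out of the file; the expansion is also unquoted. Matching the whole line as a fixed string avoids both: `if ! grep -qxF "$ttydev" ${D}${sysconfdir}/securetty; then` followed by `echo "$ttydev" >> ${D}${sysconfdir}/securetty`. Since every SERIAL_CONSOLES entry becomes a tty on which root may log in, a comment saying so next to PACKAGE_ARCH would help whoever hardens a machine configuration.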
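--- /dev/null
+++ b/meta/recipes-extended/shadow/shadow-sysroot_4.2.1.bb
@@ -0,0 +1,34 @@
+SUMMARY = "Shadow utils requirements for useradd.bbclass"
+HOMEPAGE = "http://pkg-shadow.alioth.debian.org"
+BUGTRACKER = "https://alioth.debian.org/tracker/?group_id=30580"
+SECTION = "base utils"
+LICENSE = "BSD | Artistic-1.0"
+LIC_FILES_CHKSUM = "file://login.defs_shadow-sysroot;md5=25e2f2de4dfc8f966ac5cdfce45cd7d5"
+
+DEPENDS = "base-passwd"
+
+PR = "r3"
+
+# The sole purpose of this recipe is to provide the /etc/login.defs
+# file for the target sysroot - needed so the shadow-native utilities
+# can add custom users/groups for recipes that use inherit useradd.
+SRC_URI = "file://login.defs_shadow-sysroot"
+
+SRC_URI[md5sum] = "b8608d8294ac88974f27b20f991c0e79"
+SRC_URI[sha256sum] = "633f5bb4ea0c88c55f3642c97f9d25cbef74f82e0b4cf8d54e7ad6f9f9caa778"
+
+S = "${WORKDIR}"
+
+do_install() {
+install -d ${D}${sysconfdir}
+install -p -m 755 ${S}/login.defs_shadow-sysroot ${D}${sysconfdir}/login.defs
+}
+
+sysroot_stage_all() {
+sysroot_stage_dir ${D} ${SYSROOT_DESTDIR}
+}
+
+# don't create any packages
+# otherwise: dbus-dev depends on shadow-sysroot-dev which depends on shadow-sysroot
+# and this has another copy of /etc/login.defs already provided by shadow
+PACKAGES = ""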
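Review bot: `install -p -m 755` in do_install marks login.defs executable, although it is a plain configuration file that nothing in this recipe executes; `install -p -m 0644 ${S}/login.defs_shadow-sysroot ${D}${sysconfdir}/login.defs` would be the conventional mode. The `SRC_URI[md5sum]` and `SRC_URI[sha256sum]` entries appear to have no effect when the only source is a `file://` entry, so they could be dropped or given a comment explaining why they are kept.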
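--- /dev/null
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -0,0 +1,176 @@
+SUMMARY = "Tools to change and administer password and group data"
+HOMEPAGE = "http://pkg-shadow.alioth.debian.org"
+BUGTRACKER = "https://alioth.debian.org/tracker/?group_id=30580"
+SECTION = "base/utils"
+LICENSE = "BSD | Artistic-1.0"
+LIC_FILES_CHKSUM = "file://COPYING;md5=ed80ff1c2b40843cf5768e5229cf16e5 \
+file://src/passwd.c;beginline=8;endline=30;md5=d83888ea14ae61951982d77125947661"
+
+DEPENDS = "shadow-native"
+DEPENDS_class-native = ""
+DEPENDS_class-nativesdk = ""
+
+SRC_URI = "http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz \
+file://shadow-4.1.3-dots-in-usernames.patch \
+file://usermod-fix-compilation-failure-with-subids-disabled.patch \
+file://fix-installation-failure-with-subids-disabled.patch \
+file://0001-su.c-fix-to-exec-command-correctly.patch \
+file://0001-Do-not-read-login.defs-before-doing-chroot.patch \
+file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \
+${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
+"
+
+SRC_URI_append_class-target = " \
+file://login_defs_pam.sed \
+file://shadow-update-pam-conf.patch \
+"
+
+SRC_URI_append_class-native = " \
+file://disable-syslog.patch \
+file://allow-for-setting-password-in-clear-text.patch \
+file://commonio.c-fix-unexpected-open-failure-in-chroot-env.patch \
+file://0001-useradd.c-create-parent-directories-when-necessary.patch \
+"
+SRC_URI_append_class-nativesdk = " \
+file://disable-syslog.patch \
+"
+
+SRC_URI[md5sum] = "2bfafe7d4962682d31b5eba65dba4fc8"
+SRC_URI[sha256sum] = "3b0893d1476766868cd88920f4f1231c4795652aa407569faff802bcda0f3d41"
+
+# Additional Policy files for PAM
+PAM_SRC_URI = "file://pam.d/chfn \
+file://pam.d/chpasswd \
+file://pam.d/chsh \
+file://pam.d/login \
+file://pam.d/newusers \
+file://pam.d/passwd \
+file://pam.d/su"
+
+inherit autotools gettext
+
+EXTRA_OECONF += "--without-audit \
+--without-libcrack \
+--without-selinux \
+--with-group-name-max-length=24 \
+--enable-subordinate-ids=yes \
+${NSCDOPT}"
+
+NSCDOPT = ""
+NSCDOPT_class-native = "--without-nscd"
+NSCDOPT_class-nativesdk = "--without-nscd"
+NSCDOPT_libc-uclibc = " --without-nscd"
+NSCDOPT_libc-glibc = "${@bb.utils.contains('DISTRO_FEATURES', 'libc-spawn', '--with-nscd', '--without-nscd', d)}"
+
+PAM_PLUGINS = "libpam-runtime \
+pam-plugin-faildelay \
+pam-plugin-securetty \
+pam-plugin-nologin \
+pam-plugin-env \
+pam-plugin-group \
+pam-plugin-limits \
+pam-plugin-lastlog \
+pam-plugin-motd \
+pam-plugin-mail \
+pam-plugin-shells \
+pam-plugin-rootok"
+
+PACKAGECONFIG = "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam', '', d)}"
+PACKAGECONFIG_class-native = ""
+PACKAGECONFIG_class-nativesdk = ""
+PACKAGECONFIG[pam] = "--with-libpam,--without-libpam,libpam,${PAM_PLUGINS}"
+PACKAGECONFIG[attr] = "--with-attr,--without-attr,attr"
+PACKAGECONFIG[acl] = "--with-acl,--without-acl,acl"
+
+RDEPENDS_${PN} = "shadow-securetty \
+base-passwd"
+RDEPENDS_${PN}_class-native = ""
+RDEPENDS_${PN}_class-nativesdk = ""
+
+do_install() {
+oe_runmake DESTDIR="${D}" sbindir="${base_sbindir}" usbindir="${sbindir}" install
+
+# Info dir listing isn't interesting at this point so remove it if it exists.
+if [ -e "${D}${infodir}/dir" ]; then
+rm -f ${D}${infodir}/dir
+fi
+
+# Enable CREATE_HOME by default.
+sed -i 's/#CREATE_HOME/CREATE_HOME/g' ${D}${sysconfdir}/login.defs
+
+# As we are on an embedded system, ensure the users mailbox is in
+# ~/ not /var/spool/mail by default, as who knows where or how big
+# /var is. The system MDA will set this later anyway.
+sed -i 's/MAIL_DIR/#MAIL_DIR/g' ${D}${sysconfdir}/login.defs
+sed -i 's/#MAIL_FILE/MAIL_FILE/g' ${D}${sysconfdir}/login.defs
+
+# Disable checking emails.
+sed -i 's/MAIL_CHECK_ENAB/#MAIL_CHECK_ENAB/g' ${D}${sysconfdir}/login.defs
+
+# Use proper encryption for passwords
+sed -i 's/^#ENCRYPT_METHOD.*$/ENCRYPT_METHOD SHA512/' ${D}${sysconfdir}/login.defs
+
+# Now we don't have a mail system. Disable mail creation for now.
+sed -i 's:/bin/bash:/bin/sh:g' ${D}${sysconfdir}/default/useradd
+sed -i '/^CREATE_MAIL_SPOOL/ s:^:#:' ${D}${sysconfdir}/default/useradd
+
+# Use users group by default
+sed -i 's,^GROUP=1000,GROUP=100,g' ${D}${sysconfdir}/default/useradd
+}
+
+do_install_append() {
+# Ensure that the image has as a /var/spool/mail dir so shadow can
+# put mailboxes there if the user reconfigures shadow to its
+# defaults (see sed below).
+install -d ${D}${localstatedir}/spool/mail
+
+if [ -e ${WORKDIR}/pam.d ]; then
+install -d ${D}${sysconfdir}/pam.d/
+install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/
+# Remove defaults that are not used when supporting PAM.
+sed -i -f ${WORKDIR}/login_defs_pam.sed ${D}${sysconfdir}/login.defs
+fi
+
+install -d ${D}${sbindir} ${D}${base_sbindir} ${D}${base_bindir}
+
+# Move binaries to the locations we want
+rm ${D}${sbindir}/vigr
+ln -sf vipw.${BPN} ${D}${base_sbindir}/vigr
+if [ "${sbindir}" != "${base_sbindir}" ]; then
+mv ${D}${sbindir}/vipw ${D}${base_sbindir}/vipw
+fi
+if [ "${bindir}" != "${base_bindir}" ]; then
+mv ${D}${bindir}/login ${D}${base_bindir}/login
+mv ${D}${bindir}/su ${D}${base_bindir}/su
+fi
+
+# Handle link properly after rename, otherwise missing files would
+# lead rpm failed dependencies.
+ln -sf newgrp.${BPN} ${D}${bindir}/sg
+}
+
+inherit update-alternatives
+
+ALTERNATIVE_PRIORITY = "200"
+
+ALTERNATIVE_${PN} = "passwd chfn newgrp chsh groups chpasswd login vipw vigr su"
+ALTERNATIVE_LINK_NAME[chpasswd] = "${sbindir}/chpasswd"
+ALTERNATIVE_LINK_NAME[login] = "${base_bindir}/login"
+ALTERNATIVE_LINK_NAME[vipw] = "${base_sbindir}/vipw"
+ALTERNATIVE_LINK_NAME[vigr] = "${base_sbindir}/vigr"
+ALTERNATIVE_LINK_NAME[su] = "${base_bindir}/su"
+
+ALTERNATIVE_${PN}-doc = "passwd.5 getspnam.3"
+ALTERNATIVE_LINK_NAME[passwd.5] = "${mandir}/man5/passwd.5"
+ALTERNATIVE_LINK_NAME[getspnam.3] = "${mandir}/man3/getspnam.3"
+
+pkg_postinst_${PN} () {
+if [ "x$D" != "x" ]; then
+rootarg="--root $D"
+else
+rootarg=""
+fi
+
+pwconv $rootarg || exit 1
+grpconv $rootarg || exit 1
+}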
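Review bot: The `ENCRYPT_METHOD` rewrite in do_install only fires when login.defs contains a line starting with `#ENCRYPT_METHOD`; if a later upstream release ships that line uncommented or formatted differently, sed changes nothing and the build still succeeds, leaving the password hashing scheme at whatever the default is. A check right after it would turn that into a build failure: `grep -q '^ENCRYPT_METHOD SHA512' ${D}${sysconfdir}/login.defs || bbfatal "ENCRYPT_METHOD SHA512 not set in login.defs"`. The neighbouring `s/MAIL_DIR/#MAIL_DIR/g` and `s/MAIL_CHECK_ENAB/#MAIL_CHECK_ENAB/g` expressions are unanchored and will also rewrite those words inside comments, so anchoring them with `^` would match the ENCRYPT_METHOD line. Separately, `--without-audit`, `--without-selinux` and `--without-libcrack` are fixed in EXTRA_OECONF; a comment stating that this is deliberate would help anyone building a hardened image.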
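--- /dev/null
+++ b/meta/recipes-extended/shadow/shadow_4.2.1.bb
@@ -0,0 +1,10 @@
+require shadow.inc
+
+# Build falsely assumes that if --enable-libpam is set, we don't need to link against
+# libcrypt. This breaks chsh.
+BUILD_LDFLAGS_append_class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'pam', bb.utils.contains('DISTRO_FEATURES', 'libc-crypt', '-lcrypt', '', d), '', d)}"
+
+BBCLASSEXTEND = "native nativesdk"
+
+
+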
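Review bot: The comment above `BUILD_LDFLAGS_append_class-target` speaks of `--enable-libpam`, but the option shadow.inc passes through PACKAGECONFIG[pam] is `--with-libpam`, so the comment should name that flag: `# Build falsely assumes that if --with-libpam is set, we don't need to link against`. It is also worth confirming that BUILD_LDFLAGS, rather than LDFLAGS, is the variable the target link picks up here, and saying so in the comment if that is intentional.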