From 972dcfcdbfe75dcfeb777150c136576cf1a71e99 Mon Sep 17 00:00:00 2001 From: Tudor Florea Date: Fri, 9 Oct 2015 22:59:03 +0200 Subject: initial commit for Enea Linux 5.0 arm 
Signed-off-by: Tudor Florea --- ...o-not-read-login.defs-before-doing-chroot.patch | 46 +++ .../0001-su.c-fix-to-exec-command-correctly.patch | 25 ++ ...-create-parent-directories-when-necessary.patch | 109 ++++++ .../allow-for-setting-password-in-clear-text.patch | 201 +++++++++++ ..._of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch | 41 +++ ...fix-unexpected-open-failure-in-chroot-env.patch | 46 +++ .../shadow/files/disable-syslog.patch | 34 ++ ...installation-failure-with-subids-disabled.patch | 28 ++ .../shadow/files/login.defs_shadow-sysroot | 386 +++++++++++++++++++++ .../shadow/files/login_defs_pam.sed | 32 ++ meta/recipes-extended/shadow/files/pam.d/chfn | 14 + meta/recipes-extended/shadow/files/pam.d/chpasswd | 4 + meta/recipes-extended/shadow/files/pam.d/chsh | 19 + meta/recipes-extended/shadow/files/pam.d/login | 81 +++++ meta/recipes-extended/shadow/files/pam.d/newusers | 4 + meta/recipes-extended/shadow/files/pam.d/passwd | 5 + meta/recipes-extended/shadow/files/pam.d/su | 57 +++ meta/recipes-extended/shadow/files/securetty | 234 +++++++++++++ .../files/shadow-4.1.3-dots-in-usernames.patch | 27 ++ .../shadow/files/shadow-update-pam-conf.patch | 91 +++++ ...-compilation-failure-with-subids-disabled.patch | 33 ++ .../shadow/shadow-securetty_4.2.1.bb | 36 ++ .../shadow/shadow-sysroot_4.2.1.bb | 34 ++ meta/recipes-extended/shadow/shadow.inc | 176 ++++++++++ meta/recipes-extended/shadow/shadow_4.2.1.bb | 10 + 25 files changed, 1773 insertions(+) create mode 100644 meta/recipes-extended/shadow/files/0001-Do-not-read-login.defs-before-doing-chroot.patch create mode 100644 meta/recipes-extended/shadow/files/0001-su.c-fix-to-exec-command-correctly.patch create mode 100644 meta/recipes-extended/shadow/files/0001-useradd.c-create-parent-directories-when-necessary.patch create mode 100644 meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch create mode 100644 
meta/recipes-extended/shadow/files/check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch create mode 100644 meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch create mode 100644 meta/recipes-extended/shadow/files/disable-syslog.patch create mode 100644 meta/recipes-extended/shadow/files/fix-installation-failure-with-subids-disabled.patch create mode 100644 meta/recipes-extended/shadow/files/login.defs_shadow-sysroot create mode 100644 meta/recipes-extended/shadow/files/login_defs_pam.sed create mode 100644 meta/recipes-extended/shadow/files/pam.d/chfn create mode 100644 meta/recipes-extended/shadow/files/pam.d/chpasswd create mode 100644 meta/recipes-extended/shadow/files/pam.d/chsh create mode 100644 meta/recipes-extended/shadow/files/pam.d/login create mode 100644 meta/recipes-extended/shadow/files/pam.d/newusers create mode 100644 meta/recipes-extended/shadow/files/pam.d/passwd create mode 100644 meta/recipes-extended/shadow/files/pam.d/su create mode 100644 meta/recipes-extended/shadow/files/securetty create mode 100644 meta/recipes-extended/shadow/files/shadow-4.1.3-dots-in-usernames.patch create mode 100644 meta/recipes-extended/shadow/files/shadow-update-pam-conf.patch create mode 100644 meta/recipes-extended/shadow/files/usermod-fix-compilation-failure-with-subids-disabled.patch create mode 100644 meta/recipes-extended/shadow/shadow-securetty_4.2.1.bb create mode 100644 meta/recipes-extended/shadow/shadow-sysroot_4.2.1.bb create mode 100644 meta/recipes-extended/shadow/shadow.inc create mode 100644 meta/recipes-extended/shadow/shadow_4.2.1.bb (limited to 'meta/recipes-extended/shadow') diff --git a/meta/recipes-extended/shadow/files/0001-Do-not-read-login.defs-before-doing-chroot.patch b/meta/recipes-extended/shadow/files/0001-Do-not-read-login.defs-before-doing-chroot.patch new file mode 100644 index 0000000000..828b95a572 --- /dev/null 
+++ b/meta/recipes-extended/shadow/files/0001-Do-not-read-login.defs-before-doing-chroot.patch
@@ -0,0 +1,46 @@
+From 170c25c8e0b5c3dc2615d1db94c8d24a13ff99bf Mon Sep 17 00:00:00 2001
+From: Peter Kjellerstedt
+Date: Thu, 11 Sep 2014 15:11:23 +0200
+Subject: [PATCH] Do not read login.defs before doing chroot()
+
+If "useradd --root ..." was used, the login.defs file would still
+be read from /etc/login.defs instead of /etc/login.defs. This was
+due to getdef_ulong() being called before process_root_flag().
+
+Upstream-Status: Submitted [http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/2014-September/010446.html]
+
+Signed-off-by: Peter Kjellerstedt
+---
+ src/useradd.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index a8a1f76..e1ebf50 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -1993,9 +1993,11 @@ int main (int argc, char **argv)
+ #endif /* USE_PAM */
+ #endif /* ACCT_TOOLS_SETUID */
+
++#ifdef ENABLE_SUBIDS
+ /* Needed for userns check */
+- uid_t uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
+- uid_t uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
++ uid_t uid_min;
++ uid_t uid_max;
++#endif
+
+ /*
+ * Get my name so that I can use it to report errors.
+@@ -2026,6 +2028,8 @@ int main (int argc, char **argv)
+ is_shadow_grp = sgr_file_present ();
+ #endif
+ #ifdef ENABLE_SUBIDS
++ uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
++ uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
+ is_sub_uid = sub_uid_file_present () && !rflg &&
+ (!user_id || (user_id <= uid_max && user_id >= uid_min));
+ is_sub_gid = sub_gid_file_present () && !rflg &&
+--
+1.9.0
+
diff --git a/meta/recipes-extended/shadow/files/0001-su.c-fix-to-exec-command-correctly.patch b/meta/recipes-extended/shadow/files/0001-su.c-fix-to-exec-command-correctly.patch
new file mode 100644
index 0000000000..31337de362
--- /dev/null
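Review bot: The relocated `uid_min`/`uid_max` assignments in the second inner hunk of the useradd.c patch carry no comment saying why they cannot stay at the declaration, so a later cleanup could move the getdef_ulong() calls back above process_root_flag() and read the host's login.defs again. I would add `/* read UID_MIN/UID_MAX only after process_root_flag(): login.defs must come from the chroot */` above `uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);`. The call to process_root_flag() is outside the hunk, so the ordering is taken from the patch description rather than from visible lines. main() starts and ends outside both hunks.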
+++ b/meta/recipes-extended/shadow/files/0001-su.c-fix-to-exec-command-correctly.patch
@@ -0,0 +1,25 @@
+Upstream-Status: Pending
+
+Subject: su.c: fix to exec command correctly
+
+Signed-off-by: Chen Qi
+---
+ src/su.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/su.c b/src/su.c
+index 3704217..bc4f2ac 100644
+--- a/src/su.c
++++ b/src/su.c
+@@ -1156,7 +1156,7 @@ int main (int argc, char **argv)
+ * Use the shell and create an argv
+ * with the rest of the command line included.
+ */
+- argv[-1] = cp;
++ argv[-1] = shellstr;
+ execve_shell (shellstr, &argv[-1], environ);
+ err = errno;
+ (void) fprintf (stderr,
+--
+1.7.9.5
+
diff --git a/meta/recipes-extended/shadow/files/0001-useradd.c-create-parent-directories-when-necessary.patch b/meta/recipes-extended/shadow/files/0001-useradd.c-create-parent-directories-when-necessary.patch
new file mode 100644
index 0000000000..85dde8e1bb
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/0001-useradd.c-create-parent-directories-when-necessary.patch
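Review bot: Nothing in the su.c patch says which invocation was broken or why `shellstr` is the right argv[0], and the replaced value `cp` is computed outside the hunk. If `cp` carried the login-shell form of the name (a leading `-`, or a configured SU_NAME), `argv[-1] = shellstr;` drops it for every command that goes through this path, which would change how the target shell initialises its environment. Please state the failing case in the description and, once that is confirmed against the code above the hunk, add a comment on the assignment explaining why the full shell path is required here.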
@@ -0,0 +1,109 @@
+Upstream-Status: Inappropriate [OE specific]
+
+Subject: useradd.c: create parent directories when necessary
+
+Signed-off-by: Chen Qi
+---
+ src/useradd.c | 72 +++++++++++++++++++++++++++++++++++++++------------------
+ 1 file changed, 49 insertions(+), 23 deletions(-)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index 4bd969d..cb5dd6c 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -1893,6 +1893,35 @@ static void usr_update (void)
+ }
+
+ /*
++ * mkdir_p - create directories, including parent directories when needed
++ *
++ * similar to `mkdir -p'
++ */
++void mkdir_p(const char *path) {
++ int len = strlen(path);
++ char newdir[len + 1];
++ mode_t mode = 0755;
++ int i = 0;
++
++ if (path[i] == '\0') {
++ return;
++ }
++
++ /* skip the leading '/' */
++ i++;
++
++ while(path[i] != '\0') {
++ if (path[i] == '/') {
++ strncpy(newdir, path, i);
++ newdir[i] = '\0';
++ mkdir(newdir, mode);
++ }
++ i++;
++ }
++ mkdir(path, mode);
++}
++
++/*
+ * create_home - create the user's home directory
+ *
+ * create_home() creates the user's home directory if it does not
+@@ -1907,36 +1936,33 @@ static void create_home (void)
+ fail_exit (E_HOMEDIR);
+ }
+ #endif
+- /* XXX - create missing parent directories. --marekm */
+- if (mkdir (user_home, 0) != 0) {
+- fprintf (stderr,
+- _("%s: cannot create directory %s\n"),
+- Prog, user_home);
+-#ifdef WITH_AUDIT
+- audit_logger (AUDIT_ADD_USER, Prog,
+- "adding home directory",
+- user_name, (unsigned int) user_id,
+- SHADOW_AUDIT_FAILURE);
+-#endif
+- fail_exit (E_HOMEDIR);
+- }
+- chown (user_home, user_id, user_gid);
+- chmod (user_home,
+- 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
+- home_added = true;
++ mkdir_p(user_home);
++ }
++ if (access (user_home, F_OK) != 0) {
+ #ifdef WITH_AUDIT
+ audit_logger (AUDIT_ADD_USER, Prog,
+ "adding home directory",
+ user_name, (unsigned int) user_id,
+- SHADOW_AUDIT_SUCCESS);
++ SHADOW_AUDIT_FAILURE);
+ #endif
+-#ifdef WITH_SELINUX
+- /* Reset SELinux to create files with default contexts */
+- if (reset_selinux_file_context () != 0) {
+- fail_exit (E_HOMEDIR);
+- }
++ fail_exit (E_HOMEDIR);
++ }
++ chown (user_home, user_id, user_gid);
++ chmod (user_home,
++ 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
++ home_added = true;
++#ifdef WITH_AUDIT
++ audit_logger (AUDIT_ADD_USER, Prog,
++ "adding home directory",
++ user_name, (unsigned int) user_id,
++ SHADOW_AUDIT_SUCCESS);
+ #endif
++#ifdef WITH_SELINUX
++ /* Reset SELinux to create files with default contexts */
++ if (reset_selinux_file_context () != 0) {
++ fail_exit (E_HOMEDIR);
+ }
++#endif
+ }
+
+ /*
+--
+1.7.9.5
+
diff --git a/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch b/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch
new file mode 100644
index 0000000000..68da25f406
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch
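Review bot: With the first `if (access (user_home, F_OK) != 0)` block now closed right after `mkdir_p(user_home);`, the `chown`/`chmod` calls and `home_added = true` run even when the path already existed, so a pre-existing file, a symlink's target or another account's directory is handed to the new user and may later be treated as created by this run. Record whether the directory had to be created, e.g. `bool created = (access (user_home, F_OK) != 0);` before the first block, and wrap the ownership change in `if (created) { ... }`. Inside `mkdir_p` every `mkdir()` result is discarded and the old `cannot create directory` message is gone, so a failure surfaces only as a bare E_HOMEDIR exit; test `mkdir (newdir, mode) != 0 && errno != EEXIST` and report it. The helper should also be `static`, and it creates missing parents as 0755 regardless of the UMASK setting that the final `chmod` honours. create_home() starts outside the hunk.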
@@ -0,0 +1,201 @@
+Upstream-Status: Inappropriate [OE specific]
+
+Allow for setting password in clear text.
+
+Signed-off-by: Chen Qi
+---
+ src/Makefile.am | 8 ++++----
+ src/groupadd.c | 8 +++++++-
+ src/groupmod.c | 8 +++++++-
+ src/useradd.c | 9 +++++++--
+ src/usermod.c | 8 +++++++-
+ 5 files changed, 32 insertions(+), 9 deletions(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 25e288d..856b087 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -88,10 +88,10 @@ chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
+ chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
+ chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
+ gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
+-groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
++groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
+ groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+ groupmems_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX)
+-groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
++groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
+ grpck_LDADD = $(LDADD) $(LIBSELINUX)
+ grpconv_LDADD = $(LDADD) $(LIBSELINUX)
+ grpunconv_LDADD = $(LDADD) $(LIBSELINUX)
+@@ -111,9 +111,9 @@ su_SOURCES = \
+ suauth.c
+ su_LDADD = $(LDADD) $(LIBPAM) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
+ sulogin_LDADD = $(LDADD) $(LIBCRYPT)
+-useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR)
++useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBCRYPT)
+ userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE)
+-usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR)
++usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBCRYPT)
+ vipw_LDADD = $(LDADD) $(LIBSELINUX)
+
+ install-am: all-am
+diff --git a/src/groupadd.c b/src/groupadd.c
+index f716f57..4e28c26 100644
+--- a/src/groupadd.c
++++ b/src/groupadd.c
+@@ -124,6 +124,7 @@ static /*@noreturn@*/void usage (int status)
+ (void) fputs (_(" -o, --non-unique allow to create groups with duplicate\n"
+ " (non-unique) GID\n"), usageout);
+ (void) fputs (_(" -p, --password PASSWORD use this encrypted password for the new group\n"), usageout);
++ (void) fputs (_(" -P, --clear-password PASSWORD use this clear password for the new group\n"), usageout);
+ (void) fputs (_(" -r, --system create a system account\n"), usageout);
+ (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
+ (void) fputs ("\n", usageout);
+@@ -387,12 +388,13 @@ static void process_flags (int argc, char **argv)
+ {"key", required_argument, NULL, 'K'},
+ {"non-unique", no_argument, NULL, 'o'},
+ {"password", required_argument, NULL, 'p'},
++ {"clear-password", required_argument, NULL, 'P'},
+ {"system", no_argument, NULL, 'r'},
+ {"root", required_argument, NULL, 'R'},
+ {NULL, 0, NULL, '\0'}
+ };
+
+- while ((c = getopt_long (argc, argv, "fg:hK:op:rR:",
++ while ((c = getopt_long (argc, argv, "fg:hK:op:P:rR:",
+ long_options, NULL)) != -1) {
+ switch (c) {
+ case 'f':
+@@ -444,6 +446,10 @@ static void process_flags (int argc, char **argv)
+ pflg = true;
+ group_passwd = optarg;
+ break;
++ case 'P':
++ pflg = true;
++ group_passwd = pw_encrypt (optarg, crypt_make_salt (NULL, NULL));
++ break;
+ case 'r':
+ rflg = true;
+ break;
+diff --git a/src/groupmod.c b/src/groupmod.c
+index d9d3807..68f49d1 100644
+--- a/src/groupmod.c
++++ b/src/groupmod.c
+@@ -127,6 +127,7 @@ static void usage (int status)
+ (void) fputs (_(" -o, --non-unique allow to use a duplicate (non-unique) GID\n"), usageout);
+ (void) fputs (_(" -p, --password PASSWORD change the password to this (encrypted)\n"
+ " PASSWORD\n"), usageout);
++ (void) fputs (_(" -P, --clear-password PASSWORD change the password to this clear PASSWORD\n"), usageout);
+ (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
+ (void) fputs ("\n", usageout);
+ exit (status);
+@@ -375,10 +376,11 @@ static void process_flags (int argc, char **argv)
+ {"new-name", required_argument, NULL, 'n'},
+ {"non-unique", no_argument, NULL, 'o'},
+ {"password", required_argument, NULL, 'p'},
++ {"clear-password", required_argument, NULL, 'P'},
+ {"root", required_argument, NULL, 'R'},
+ {NULL, 0, NULL, '\0'}
+ };
+- while ((c = getopt_long (argc, argv, "g:hn:op:R:",
++ while ((c = getopt_long (argc, argv, "g:hn:op:P:R:",
+ long_options, NULL)) != -1) {
+ switch (c) {
+ case 'g':
+@@ -405,6 +407,10 @@ static void process_flags (int argc, char **argv)
+ group_passwd = optarg;
+ pflg = true;
+ break;
++ case 'P':
++ group_passwd = pw_encrypt (optarg, crypt_make_salt (NULL, NULL));
++ pflg = true;
++ break;
+ case 'R': /* no-op, handled in process_root_flag () */
+ break;
+ default:
+diff --git a/src/useradd.c b/src/useradd.c
+index b3bd451..4416f90 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -773,6 +773,7 @@ static void usage (int status)
+ (void) fputs (_(" -o, --non-unique allow to create users with duplicate\n"
+ " (non-unique) UID\n"), usageout);
+ (void) fputs (_(" -p, --password PASSWORD encrypted password of the new account\n"), usageout);
++ (void) fputs (_(" -P, --clear-password PASSWORD clear password of the new account\n"), usageout);
+ (void) fputs (_(" -r, --system create a system account\n"), usageout);
+ (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
+ (void) fputs (_(" -s, --shell SHELL login shell of the new account\n"), usageout);
+@@ -1047,6 +1048,7 @@ static void process_flags (int argc, char **argv)
+ {"no-user-group", no_argument, NULL, 'N'},
+ {"non-unique", no_argument, NULL, 'o'},
+ {"password", required_argument, NULL, 'p'},
++ {"clear-password", required_argument, NULL, 'P'},
+ {"system", no_argument, NULL, 'r'},
+ {"root", required_argument, NULL, 'R'},
+ {"shell", required_argument, NULL, 's'},
+@@ -1059,9 +1061,9 @@ static void process_flags (int argc, char **argv)
+ };
+ while ((c = getopt_long (argc, argv,
+ #ifdef WITH_SELINUX
+- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:UZ:",
++ "b:c:d:De:f:g:G:hk:K:lmMNop:P:rR:s:u:UZ:",
+ #else /* !WITH_SELINUX */
+- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:U",
++ "b:c:d:De:f:g:G:hk:K:lmMNop:P:rR:s:u:U",
+ #endif /* !WITH_SELINUX */
+ long_options, NULL)) != -1) {
+ switch (c) {
+@@ -1227,6 +1229,9 @@ static void process_flags (int argc, char **argv)
+ }
+ user_pass = optarg;
+ break;
++ case 'P': /* set clear text password */
++ user_pass = pw_encrypt (optarg, crypt_make_salt (NULL, NULL));
++ break;
+ case 'r':
+ rflg = true;
+ break;
+diff --git a/src/usermod.c b/src/usermod.c
+index e7d4351..b79f7a3 100644
+--- a/src/usermod.c
++++ b/src/usermod.c
+@@ -419,6 +419,7 @@ static /*@noreturn@*/void usage (int status)
+ " new location (use only with -d)\n"), usageout);
+ (void) fputs (_(" -o, --non-unique allow using duplicate (non-unique) UID\n"), usageout);
+ (void) fputs (_(" -p, --password PASSWORD use encrypted password for the new password\n"), usageout);
++ (void) fputs (_(" -P, --clear-password PASSWORD use clear password for the new password\n"), usageout);
+ (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
+ (void) fputs (_(" -s, --shell SHELL new login shell for the user account\n"), usageout);
+ (void) fputs (_(" -u, --uid UID new UID for the user account\n"), usageout);
+@@ -996,6 +997,7 @@ static void process_flags (int argc, char **argv)
+ {"move-home", no_argument, NULL, 'm'},
+ {"non-unique", no_argument, NULL, 'o'},
+ {"password", required_argument, NULL, 'p'},
++ {"clear-password", required_argument, NULL, 'P'},
+ {"root", required_argument, NULL, 'R'},
+ {"shell", required_argument, NULL, 's'},
+ {"uid", required_argument, NULL, 'u'},
+@@ -1012,7 +1014,7 @@ static void process_flags (int argc, char **argv)
+ {NULL, 0, NULL, '\0'}
+ };
+ while ((c = getopt_long (argc, argv,
+- "ac:d:e:f:g:G:hl:Lmop:R:s:u:U"
++ "ac:d:e:f:g:G:hl:Lmop:P:R:s:u:U"
+ #ifdef ENABLE_SUBIDS
+ "v:w:V:W:"
+ #endif /* ENABLE_SUBIDS */
+@@ -1112,6 +1114,10 @@ static void process_flags (int argc, char **argv)
+ user_pass = optarg;
+ pflg = true;
+ break;
++ case 'P':
++ user_pass = pw_encrypt (optarg, crypt_make_salt (NULL, NULL));
++ pflg = true;
++ break;
+ case 'R': /* no-op, handled in process_root_flag () */
+ break;
+ case 's':
+--
+1.7.9.5
+
diff --git a/meta/recipes-extended/shadow/files/check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch b/meta/recipes-extended/shadow/files/check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch
new file mode 100644
index 0000000000..60f2ed548a
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch
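Review bot: Each new `case 'P':` (groupadd.c, groupmod.c, useradd.c, usermod.c) takes the clear-text password from `optarg`, so it stays readable in the process argument list for the lifetime of the command and can end up in shell history or build logs; none of the four added usage strings warns about this. The result of `pw_encrypt (...)` is also stored unchecked, so a NULL return (if the crypt backend rejects the salt or method) would be passed on as the password field. I would exit with an error when `pw_encrypt` returns NULL, scrub the argument once it has been hashed with `memset (optarg, 0, strlen (optarg));`, and state in the help text that the password is visible to other local users while the command runs. In useradd.c the existing `-p` case visibly closes a block (`}` before `user_pass = optarg;`) that the new `-P` case has no counterpart for; that block is outside the hunk and should be checked. process_flags() starts and ends outside these hunks.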
@@ -0,0 +1,41 @@
+From 2cb54158b80cdbd97ca3b36df83f9255e923ae3f Mon Sep 17 00:00:00 2001
+From: James Le Cuirot
+Date: Sat, 23 Aug 2014 09:46:39 +0100
+Subject: [PATCH] Check size of uid_t and gid_t using AC_CHECK_SIZEOF
+
+This built-in check is simpler than the previous method and, most
+importantly, works when cross-compiling.
+
+Upstream-Status: Accepted
+[https://github.com/shadow-maint/shadow/commit/2cb54158b80cdbd97ca3b36df83f9255e923ae3f]
+
+Signed-off-by: Serge Hallyn
+---
+ configure.in | 14 ++++----------
+ 1 file changed, 4 insertions(+), 10 deletions(-)
+
+diff --git a/configure.in b/configure.in
+index 1a3f841..4a4d6d0 100644
+--- a/configure.in
++++ b/configure.in
+@@ -335,16 +335,10 @@ if test "$enable_subids" != "no"; then
+ dnl
+ dnl FIXME: check if 32 bit UIDs/GIDs are supported by libc
+ dnl
+- AC_RUN_IFELSE([AC_LANG_SOURCE([
+-#include
+-int main(void) {
+- uid_t u;
+- gid_t g;
+- return (sizeof u < 4) || (sizeof g < 4);
+-}
+- ])], [id32bit="yes"], [id32bit="no"])
+-
+- if test "x$id32bit" = "xyes"; then
++ AC_CHECK_SIZEOF([uid_t],, [#include "sys/types.h"])
++ AC_CHECK_SIZEOF([gid_t],, [#include "sys/types.h"])
++
++ if test "$ac_cv_sizeof_uid_t" -ge 4 && test "$ac_cv_sizeof_gid_t" -ge 4; then
+ AC_DEFINE(ENABLE_SUBIDS, 1, [Define to support the subordinate IDs.])
+ enable_subids="yes"
+ else
diff --git a/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch b/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch
new file mode 100644
index 0000000000..4fa3d184ed
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch
@@ -0,0 +1,46 @@
+Upstream-Status: Inappropriate [OE specific]
+
+commonio.c: fix unexpected open failure in chroot environment
+
+When using commands with '-R ' option in our pseudo environment,
+we would usually get the 'Pemission Denied' error. This patch serves as
+a workaround to this problem.
+
+Note that this patch doesn't change the logic in the code, it just expands
+the codes.
+
+Signed-off-by: Chen Qi
+---
+ lib/commonio.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/lib/commonio.c b/lib/commonio.c
+index cc536bf..51cafd9 100644
+--- a/lib/commonio.c
++++ b/lib/commonio.c
+@@ -613,10 +613,18 @@ int commonio_open (struct commonio_db *db, int mode)
+ db->cursor = NULL;
+ db->changed = false;
+
+- fd = open (db->filename,
+- (db->readonly ? O_RDONLY : O_RDWR)
+- | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);
+- saved_errno = errno;
++ if (db->readonly) {
++ fd = open (db->filename,
++ (true ? O_RDONLY : O_RDWR)
++ | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);
++ saved_errno = errno;
++ } else {
++ fd = open (db->filename,
++ (false ? O_RDONLY : O_RDWR)
++ | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);
++ saved_errno = errno;
++ }
++
+ db->fp = NULL;
+ if (fd >= 0) {
+ #ifdef WITH_TCB
+--
+1.7.9.5
+
diff --git a/meta/recipes-extended/shadow/files/disable-syslog.patch b/meta/recipes-extended/shadow/files/disable-syslog.patch
new file mode 100644
index 0000000000..1943fd6faf
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/disable-syslog.patch
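Review bot: The two new branches in commonio_open() differ only in the constant folded by `(true ? O_RDONLY : O_RDWR)` and `(false ? O_RDONLY : O_RDWR)`, which reads like dead code and invites a cleanup that would bring back the failure the patch works around. Write the flags directly, `fd = open (db->filename, O_RDONLY | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);` with an `O_RDWR` twin, keep a single `saved_errno = errno;` after the if/else, and add a comment such as `/* branches kept separate on purpose: workaround for open() failing under pseudo with -R */`. Both paths keep O_NOFOLLOW, which any rewrite should preserve. commonio_open() continues outside the hunk.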
@@ -0,0 +1,34 @@
+Disable use of syslog to prevent sysroot user and group additions from
+writing entries to the host's syslog. This patch should only be used
+with the shadow-native recipe.
+
+Upstream-Status: Inappropriate [disable feature]
+
+Signed-off-by: Scott Garman
+
+diff -urN shadow-4.1.4.3.orig//src/groupadd.c shadow-4.1.4.3/src/groupadd.c
+--- shadow-4.1.4.3.orig//src/groupadd.c 2011-02-13 09:58:16.000000000 -0800
++++ shadow-4.1.4.3/src/groupadd.c 2012-04-05 10:05:59.440001758 -0700
+@@ -34,6 +34,9 @@
+
+ #ident "$Id: groupadd.c 3015 2009-06-05 22:16:56Z nekral-guest $"
+
++/* Disable use of syslog since we're running this command against a sysroot */
++#undef USE_SYSLOG
++
+ #include
+ #include
+ #include
+diff -urN shadow-4.1.4.3.orig//src/useradd.c shadow-4.1.4.3/src/useradd.c
+--- shadow-4.1.4.3.orig//src/useradd.c 2011-02-13 09:58:16.000000000 -0800
++++ shadow-4.1.4.3/src/useradd.c 2012-04-05 10:06:25.076001315 -0700
+@@ -34,6 +34,9 @@
+
+ #ident "$Id: useradd.c 3015 2009-06-05 22:16:56Z nekral-guest $"
+
++/* Disable use of syslog since we're running this command against a sysroot */
++#undef USE_SYSLOG
++
+ #include
+ #include
+ #include
diff --git a/meta/recipes-extended/shadow/files/fix-installation-failure-with-subids-disabled.patch b/meta/recipes-extended/shadow/files/fix-installation-failure-with-subids-disabled.patch
new file mode 100644
index 0000000000..02cb91aafd
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/fix-installation-failure-with-subids-disabled.patch
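Review bot: The `#undef USE_SYSLOG` added to groupadd.c and useradd.c removes the syslog record of account and group creation, and nothing in the patch itself restricts it to the native build that its description asks for. Please confirm in the recipe (shadow.inc is listed in this commit but not shown here) that the patch is applied only for the native class, because on a target image it would silently drop an audit trail. It is also worth checking that no header included after the `#undef` defines USE_SYSLOG again; the include names are not legible in this hunk.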
@@ -0,0 +1,28 @@
+Upstream-Status: Pending
+
+Subject: fix installation failure with subids disabled
+
+Signed-off-by: Chen Qi
+---
+ src/Makefile.am | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 25e288d..076f8ef 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -52,7 +52,10 @@ usbin_PROGRAMS = \
+ noinst_PROGRAMS = id sulogin
+
+ suidbins = su
+-suidubins = chage chfn chsh expiry gpasswd newgrp passwd newuidmap newgidmap
++suidubins = chage chfn chsh expiry gpasswd newgrp passwd
++if ENABLE_SUBIDS
++suidubins += newgidmap newuidmap
++endif
+ if ACCT_TOOLS_SETUID
+ suidubins += chage chgpasswd chpasswd groupadd groupdel groupmod newusers useradd userdel usermod
+ endif
+--
+1.7.9.5
+
diff --git a/meta/recipes-extended/shadow/files/login.defs_shadow-sysroot b/meta/recipes-extended/shadow/files/login.defs_shadow-sysroot
new file mode 100644
index 0000000000..8a68dd341a
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/login.defs_shadow-sysroot
@@ -0,0 +1,386 @@
+#
+# /etc/login.defs - Configuration control definitions for the shadow package.
+#
+# $Id: login.defs 3038 2009-07-23 20:41:35Z nekral-guest $
+#
+
+#
+# Delay in seconds before being allowed another attempt after a login failure
+# Note: When PAM is used, some modules may enfore a minimal delay (e.g.
+# pam_unix enforces a 2s delay)
+#
+FAIL_DELAY 3
+
+#
+# Enable logging and display of /var/log/faillog login failure info.
+#
+#FAILLOG_ENAB yes
+
+#
+# Enable display of unknown usernames when login failures are recorded.
+#
+LOG_UNKFAIL_ENAB no
+
+#
+# Enable logging of successful logins
+#
+LOG_OK_LOGINS no
+
+#
+# Enable logging and display of /var/log/lastlog login time info.
+#
+#LASTLOG_ENAB yes
+
+#
+# Enable checking and display of mailbox status upon login.
+#
+# Disable if the shell startup files already check for mail
+# ("mailx -e" or equivalent).
+#
+##MAIL_CHECK_ENAB yes
+
+#
+# Enable additional checks upon password changes.
+#
+#OBSCURE_CHECKS_ENAB yes
+
+#
+# Enable checking of time restrictions specified in /etc/porttime.
+#
+#PORTTIME_CHECKS_ENAB yes
+
+#
+# Enable setting of ulimit, umask, and niceness from passwd gecos field.
+#
+#QUOTAS_ENAB yes
+
+#
+# Enable "syslog" logging of su activity - in addition to sulog file logging.
+# SYSLOG_SG_ENAB does the same for newgrp and sg.
+#
+SYSLOG_SU_ENAB yes
+SYSLOG_SG_ENAB yes
+
+#
+# If defined, either full pathname of a file containing device names or
+# a ":" delimited list of device names. Root logins will be allowed only
+# upon these devices.
+#
+CONSOLE /etc/securetty
+#CONSOLE console:tty01:tty02:tty03:tty04
+
+#
+# If defined, all su activity is logged to this file.
+#
+#SULOG_FILE /var/log/sulog
+
+#
+# If defined, ":" delimited list of "message of the day" files to
+# be displayed upon login.
+#
+#MOTD_FILE /etc/motd
+#MOTD_FILE /etc/motd:/usr/lib/news/news-motd
+
+#
+# If defined, this file will be output before each login prompt.
+#
+#ISSUE_FILE /etc/issue
+
+#
+# If defined, file which maps tty line to TERM environment parameter.
+# Each line of the file is in a format something like "vt100 tty01".
+#
+#TTYTYPE_FILE /etc/ttytype
+
+#
+# If defined, login failures will be logged here in a utmp format.
+# last, when invoked as lastb, will read /var/log/btmp, so...
+#
+#FTMP_FILE /var/log/btmp
+
+#
+# If defined, name of file whose presence which will inhibit non-root
+# logins. The contents of this file should be a message indicating
+# why logins are inhibited.
+#
+#NOLOGINS_FILE /etc/nologin
+
+#
+# If defined, the command name to display when running "su -". For
+# example, if this is defined as "su" then a "ps" will display the
+# command is "-su". If not defined, then "ps" would display the
+# name of the shell actually being run, e.g. something like "-sh".
+#
+SU_NAME su
+
+#
+# *REQUIRED*
+# Directory where mailboxes reside, _or_ name of file, relative to the
+# home directory. If you _do_ define both, #MAIL_DIR takes precedence.
+#
+#MAIL_DIR /var/spool/mail
+MAIL_FILE .mail
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence. If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file. If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+HUSHLOGIN_FILE .hushlogin
+#HUSHLOGIN_FILE /etc/hushlogins
+
+#
+# If defined, either a TZ environment parameter spec or the
+# fully-rooted pathname of a file containing such a spec.
+#
+#ENV_TZ TZ=CST6CDT
+#ENV_TZ /etc/tzname
+
+#
+# If defined, an HZ environment parameter spec.
+#
+# for Linux/x86
+#ENV_HZ HZ=100
+# For Linux/Alpha...
+#ENV_HZ HZ=1024
+
+#
+# *REQUIRED* The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
+ENV_PATH PATH=/bin:/usr/bin
+
+#
+# Terminal permissions
+#
+# TTYGROUP Login tty will be assigned this group ownership.
+# TTYPERM Login tty will be set to this permission.
+#
+# If you have a "write" program which is "setgid" to a special group
+# which owns the terminals, define TTYGROUP to the group number and
+# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
+# TTYPERM to either 622 or 600.
+#
+TTYGROUP tty
+TTYPERM 0600
+
+#
+# Login configuration initializations:
+#
+# ERASECHAR Terminal ERASE character ('\010' = backspace).
+# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
+# ULIMIT Default "ulimit" value.
+#
+# The ERASECHAR and KILLCHAR are used only on System V machines.
+# The ULIMIT is used only if the system supports it.
+# (now it works with setrlimit too; ulimit is in 512-byte units)
+#
+# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
+#
+ERASECHAR 0177
+KILLCHAR 025
+#ULIMIT 2097152
+
+# Default initial "umask" value for non-PAM enabled systems.
+# UMASK is also used by useradd and newusers to set the mode of new home
+# directories.
+# 022 is the default value, but 027, or even 077, could be considered
+# better for privacy. There is no One True Answer here: each sysadmin
+# must make up her mind.
+UMASK 022
+
+#
+# Password aging controls:
+#
+# PASS_MAX_DAYS Maximum number of days a password may be used.
+# PASS_MIN_DAYS Minimum number of days allowed between password changes.
+# PASS_MIN_LEN Minimum acceptable password length.
+# PASS_WARN_AGE Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS 99999
+PASS_MIN_DAYS 0
+#PASS_MIN_LEN 5
+PASS_WARN_AGE 7
+
+#
+# If "yes", the user must be listed as a member of the first gid 0 group
+# in /etc/group (called "root" on most Linux systems) to be able to "su"
+# to uid 0 accounts. If the group doesn't exist or is empty, no one
+# will be able to "su" to uid 0.
+#
+#SU_WHEEL_ONLY no
+
+#
+# If compiled with cracklib support, where are the dictionaries
+#
+#CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
+
+#
+# Min/max values for automatic uid selection in useradd
+#
+UID_MIN 1000
+UID_MAX 60000
+# System accounts
+SYS_UID_MIN 101
+SYS_UID_MAX 999
+
+#
+# Min/max values for automatic gid selection in groupadd
+#
+GID_MIN 1000
+GID_MAX 60000
+# System accounts
+SYS_GID_MIN 101
+SYS_GID_MAX 999
+
+#
+# Max number of login retries if password is bad
+#
+LOGIN_RETRIES 5
+
+#
+# Max time in seconds for login
+#
+LOGIN_TIMEOUT 60
+
+#
+# Maximum number of attempts to change password if rejected (too easy)
+#
+#PASS_CHANGE_TRIES 5
+
+#
+# Warn about weak passwords (but still allow them) if you are root.
+#
+#PASS_ALWAYS_WARN yes
+
+#
+# Number of significant characters in the password for crypt().
+# Default is 8, don't change unless your crypt() is better.
+# Ignored if MD5_CRYPT_ENAB set to "yes".
+#
+#PASS_MAX_LEN 8
+
+#
+# Require password before chfn/chsh can make any changes.
+#
+#CHFN_AUTH yes
+
+#
+# Which fields may be changed by regular users using chfn - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone). If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+#
+CHFN_RESTRICT rwh
+
+#
+# Password prompt (%s will be replaced by user name).
+#
+# XXX - it doesn't work correctly yet, for now leave it commented out
+# to use the default which is just "Password: ".
+#LOGIN_STRING "%s's Password: "
+
+#
+# Only works if compiled with MD5_CRYPT defined:
+# If set to "yes", new passwords will be encrypted using the MD5-based
+# algorithm compatible with the one used by recent releases of FreeBSD.
+# It supports passwords of unlimited length and longer salt strings.
+# Set to "no" if you need to copy encrypted passwords to other systems
+# which don't understand the new algorithm. Default is "no".
+#
+# Note: If you use PAM, it is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+# This variable is deprecated. You should use ENCRYPT_METHOD.
+#
+#MD5_CRYPT_ENAB no
+
+#
+# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
+# If set to MD5 , MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+# Overrides the MD5_CRYPT_ENAB option
+#
+# Note: If you use PAM, it is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+#ENCRYPT_METHOD DES
+
+#
+# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
+#
+# Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute forcing the password.
+# But note also that it more CPU resources will be needed to authenticate
+# users.
+#
+# If not specified, the libc will choose the default number of rounds (5000).
+# The values must be inside the 1000-999999999 range.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+# SHA_CRYPT_MIN_ROUNDS 5000
+# SHA_CRYPT_MAX_ROUNDS 5000
+
+#
+# List of groups to add to the user's supplementary group set
+# when logging in on the console (as determined by the CONSOLE
+# setting). Default is none.
+#
+# Use with caution - it is possible for users to gain permanent
+# access to these groups, even when not logged in on the console.
+# How to do it is left as an exercise for the reader...
+#
+#CONSOLE_GROUPS floppy:audio:cdrom
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default in no.
+#
+DEFAULT_HOME yes
+
+#
+# If this file exists and is readable, login environment will be
+# read from it. Every line should be in the form name=value.
+#
+#ENVIRON_FILE /etc/environment
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD /usr/sbin/userdel_local
+
+#
+# Enable setting of the umask group bits to be the same as owner bits
+# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
+# the same as gid, and username is the same as the primary group name.
+#
+# This also enables userdel to remove user groups if no members exist.
+#
+USERGROUPS_ENAB yes
+
+#
+# If set to a non-nul number, the shadow utilities will make sure that
+# groups never have more than this number of users on one line.
+# This permit to support split groups (groups split into multiple lines,
+# with the same group ID, to avoid limitation of the line length in the
+# group file).
+#
+# 0 is the default value and disables this feature.
+#
+#MAX_MEMBERS_PER_GROUP 0
+
+#
+# If useradd should create home directories for users by default (non
+# system users only)
+# This option is overridden with the -M or -m flags on the useradd command
+# line.
+#
+CREATE_HOME yes
+
diff --git a/meta/recipes-extended/shadow/files/login_defs_pam.sed b/meta/recipes-extended/shadow/files/login_defs_pam.sed
new file mode 100644
index 0000000000..0a1f3be4af
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/login_defs_pam.sed
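Review bot: `ENCRYPT_METHOD` is left commented out in login.defs_shadow-sysroot (`#ENCRYPT_METHOD DES`), and the file's own comment names DES as the default, so passwords hashed by tools reading this file would presumably get the weakest scheme listed, with only 8 significant characters according to the PASS_MAX_LEN comment. Since this commit also adds a clear-text `-P` option that hashes the password when the tool runs, set `ENCRYPT_METHOD SHA512` explicitly here. `UMASK 022` likewise leaves new home directories world-readable, and the file's comment already points to 027 or 077 as the more private choices.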
@@ -0,0 +1,32 @@
+/^FAILLOG_ENAB/b comment
+/^LASTLOG_ENAB/b comment
+/^MAIL_CHECK_ENAB/b comment
+/^OBSCURE_CHECKS_ENAB/b comment
+/^PORTTIME_CHECKS_ENAB/b comment
+/^QUOTAS_ENAB/b comment
+/^MOTD_FILE/b comment
+/^FTMP_FILE/b comment
+/^NOLOGINS_FILE/b comment
+/^ENV_HZ/b comment
+/^ENV_TZ/b comment
+/^PASS_MIN_LEN/b comment
+/^SU_WHEEL_ONLY/b comment
+/^CRACKLIB_DICTPATH/b comment
+/^PASS_CHANGE_TRIES/b comment
+/^PASS_ALWAYS_WARN/b comment
+/^PASS_MAX_LEN/b comment
+/^PASS_MIN_LEN/b comment
+/^CHFN_AUTH/b comment
+/^CHSH_AUTH/b comment
+/^ISSUE_FILE/b comment
+/^LOGIN_STRING/b comment
+/^ULIMIT/b comment
+/^ENVIRON_FILE/b comment
+
+b exit
+
+: comment
+ s:^:#:
+
+: exit
+
diff --git a/meta/recipes-extended/shadow/files/pam.d/chfn b/meta/recipes-extended/shadow/files/pam.d/chfn
new file mode 100644
index 0000000000..baf7698bba
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/pam.d/chfn
@@ -0,0 +1,14 @@
+#
+# The PAM configuration file for the Shadow `chfn' service
+#
+
+# This allows root to change user infomation without being
+# prompted for a password
+auth sufficient pam_rootok.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+auth include common-auth
+account include common-account
+session include common-session
diff --git a/meta/recipes-extended/shadow/files/pam.d/chpasswd b/meta/recipes-extended/shadow/files/pam.d/chpasswd
new file mode 100644
index 0000000000..9e3efa68ba
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/pam.d/chpasswd
@@ -0,0 +1,4 @@
+# The PAM configuration file for the Shadow 'chpasswd' service
+#
+
+password include common-password
diff --git a/meta/recipes-extended/shadow/files/pam.d/chsh b/meta/recipes-extended/shadow/files/pam.d/chsh
new file mode 100644
index 0000000000..8fb169f64e
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/pam.d/chsh
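Review bot: In login_defs_pam.sed the rule `/^PASS_MIN_LEN/b comment` is listed twice (before `SU_WHEEL_ONLY` and again after `PASS_MAX_LEN`); the second copy does nothing and can be dropped. The script has no header, so nothing in the file says why these options are disabled; a first line such as `# Comment out login.defs options whose function is taken over by PAM modules` would document it, since shadow.inc in this commit applies the script only when pam.d is installed. The addresses match by prefix, so an option whose name merely begins with one of these keys would be commented out as well; ending each address with `[[:space:]]` would restrict it to the exact key.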
@@ -0,0 +1,19 @@
+#
+# The PAM configuration file for the Shadow `chsh' service
+#
+
+# This will not allow a user to change their shell unless
+# their current one is listed in /etc/shells. This keeps
+# accounts with special shells from changing them.
+auth required pam_shells.so
+
+# This allows root to change user shell without being
+# prompted for a password
+auth sufficient pam_rootok.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+auth include common-auth
+account include common-account
+session include common-session
diff --git a/meta/recipes-extended/shadow/files/pam.d/login b/meta/recipes-extended/shadow/files/pam.d/login
new file mode 100644
index 0000000000..b340058539
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/pam.d/login
@@ -0,0 +1,81 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth optional pam_faildelay.so delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth required pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+# Note that it is included as a "requisite" module. No password prompts will
+# be displayed if this module fails to avoid having the root password
+# transmitted on unsecure ttys.
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root).
+auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth requisite pam_nologin.so
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+#
+# parsing /etc/environment needs "readenv=1"
+session required pam_env.so readenv=1
+
+# Standard Un*x authentication.
+auth include common-auth
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth optional pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account requisite pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account required pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session required pam_limits.so
+
+# Prints the last login info upon succesful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session optional pam_lastlog.so
+
+# Prints the motd upon succesful login
+# (Replaces the `MOTD_FILE' option in login.defs)
+session optional pam_motd.so
+
+# Prints the status of the user's mailbox upon succesful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session optional pam_mail.so standard
+
+# Standard Un*x account and session
+account include common-account
+password include common-password
+session include common-session
diff --git a/meta/recipes-extended/shadow/files/pam.d/newusers b/meta/recipes-extended/shadow/files/pam.d/newusers
new file mode 100644
index 0000000000..4aa3dde48b
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/pam.d/newusers
@@ -0,0 +1,4 @@
+# The PAM configuration file for the Shadow 'newusers' service
+#
+
+password include common-password
diff --git a/meta/recipes-extended/shadow/files/pam.d/passwd b/meta/recipes-extended/shadow/files/pam.d/passwd
new file mode 100644
index 0000000000..f534992435
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/pam.d/passwd
@@ -0,0 +1,5 @@
+#
+# The PAM configuration file for the Shadow `passwd' service
+#
+
+password include common-password
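Review bot: In pam.d/login the comment above the pam_securetty line says the module is included as "requisite" and discusses switching it to "required", but the control actually configured is `[success=ok ignore=ignore user_unknown=ignore default=die]`, which ignores an unknown user and ends the stack on every other failure. The comment should describe the control that is in the file, for example `# Any failure other than an unknown user stops the stack before a password prompt is shown.` This check is only as strict as the contents of /etc/securetty, so the list shipped by this commit needs the same review as this line.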
diff --git a/meta/recipes-extended/shadow/files/pam.d/su b/meta/recipes-extended/shadow/files/pam.d/su
new file mode 100644
index 0000000000..8d590a32e6
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/pam.d/su
@@ -0,0 +1,57 @@
+#
+# The PAM configuration file for the Shadow `su' service
+#
+
+# This allows root to su without passwords (normal operation)
+auth sufficient pam_rootok.so
+
+# Uncomment this to force users to be a member of group root
+# before they can use `su'. You can also add "group=foo"
+# to the end of this line if you want to use a group other
+# than the default "root" (but this may have side effect of
+# denying "root" user, unless she's a member of "foo" or explicitly
+# permitted earlier by e.g. "sufficient pam_rootok.so").
+# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
+# auth required pam_wheel.so
+
+# Uncomment this if you want wheel members to be able to
+# su without a password.
+# auth sufficient pam_wheel.so trust
+
+# Uncomment this if you want members of a specific group to not
+# be allowed to use su at all.
+# auth required pam_wheel.so deny group=nosu
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on su usage.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account requisite pam_time.so
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+#
+# parsing /etc/environment needs "readenv=1"
+session required pam_env.so readenv=1
+
+# Defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+#
+# "nopen" stands to avoid reporting new mail when su'ing to another user
+session optional pam_mail.so nopen
+
+# Sets up user limits, please uncomment and read /etc/security/limits.conf
+# to enable this functionality.
+# (Replaces the use of /etc/limits in old login)
+# session required pam_limits.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+auth include common-auth
+account include common-account
+session include common-session
diff --git a/meta/recipes-extended/shadow/files/securetty b/meta/recipes-extended/shadow/files/securetty
new file mode 100644
index 0000000000..ecc246f799
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/securetty
@@ -0,0 +1,234 @@
+# /etc/securetty: list of terminals on which root is allowed to login.
+# See securetty(5) and login(1).
+console
+
+# Standard serial ports
+ttyS0
+ttyS1
+ttyS2
+ttyS3
+
+# ARM AMBA SoCs
+ttyAM0
+ttyAM1
+ttyAM2
+ttyAM3
+ttyAMA0
+ttyAMA1
+ttyAMA2
+ttyAMA3
+
+# QCOM Socs
+ttyHSL0
+ttyHSL1
+ttyHSL2
+ttyHSL3
+ttyMSM0
+ttyMSM1
+ttyMSM2
+
+# Samsung ARM SoCs
+ttySAC0
+ttySAC1
+ttySAC2
+ttySAC3
+
+# STM SoCs
+ttyAS0
+ttyAS1
+ttyAS2
+ttyAS3
+
+# TI OMAP SoCs
+ttyO0
+ttyO1
+ttyO2
+ttyO3
+
+# USB dongles
+ttyUSB0
+ttyUSB1
+ttyUSB2
+
+# USB serial gadget
+ttyGS0
+
+# PowerMac
+ttyPZ0
+ttyPZ1
+ttyPZ2
+ttyPZ3
+
+# Embedded MPC platforms
+ttyPSC0
+ttyPSC1
+ttyPSC2
+ttyPSC3
+ttyPSC4
+ttyPSC5
+
+# PA-RISC mux ports
+ttyB0
+ttyB1
+
+# Standard hypervisor virtual console
+hvc0
+
+# Oldstyle Xen console
+xvc0
+
+# Standard consoles
+tty1
+tty2
+tty3
+tty4
+tty5
+tty6
+tty7
+tty8
+tty9
+tty10
+tty11
+tty12
+tty13
+tty14
+tty15
+tty16
+tty17
+tty18
+tty19
+tty20
+tty21
+tty22
+tty23
+tty24
+tty25
+tty26
+tty27
+tty28
+tty29
+tty30
+tty31
+tty32
+tty33
+tty34
+tty35
+tty36
+tty37
+tty38
+tty39
+tty40
+tty41
+tty42
+tty43
+tty44
+tty45
+tty46
+tty47
+tty48
+tty49
+tty50
+tty51
+tty52
+tty53
+tty54
+tty55
+tty56
+tty57
+tty58
+tty59
+tty60
+tty61
+tty62
+tty63
+
+# Local X displays (allows empty passwords with pam_unix's nullok_secure)
+pts/0
+pts/1
+pts/2
+pts/3
+
+# Embedded Freescale i.MX ports
+ttymxc0
+ttymxc1
+ttymxc2
+ttymxc3
+ttymxc4
+ttymxc5
+
+# Freescale lpuart ports
+ttyLP0
+ttyLP1
+ttyLP2
+ttyLP3
+ttyLP4
+ttyLP5
+
+# Standard serial ports, with devfs
+tts/0
+tts/1
+
+# Standard consoles, with devfs
+vc/1
+vc/2
+vc/3
+vc/4
+vc/5
+vc/6
+vc/7
+vc/8
+vc/9
+vc/10
+vc/11
+vc/12
+vc/13
+vc/14
+vc/15
+vc/16
+vc/17
+vc/18
+vc/19
+vc/20
+vc/21
+vc/22
+vc/23
+vc/24
+vc/25
+vc/26
+vc/27
+vc/28
+vc/29
+vc/30
+vc/31
+vc/32
+vc/33
+vc/34
+vc/35
+vc/36
+vc/37
+vc/38
+vc/39
+vc/40
+vc/41
+vc/42
+vc/43
+vc/44
+vc/45
+vc/46
+vc/47
+vc/48
+vc/49
+vc/50
+vc/51
+vc/52
+vc/53
+vc/54 +vc/55 +vc/56 +vc/57 +vc/58 +vc/59 +vc/60 +vc/61 +vc/62 +vc/63 diff --git a/meta/recipes-extended/shadow/files/shadow-4.1.3-dots-in-usernames.patch b/meta/recipes-extended/shadow/files/shadow-4.1.3-dots-in-usernames.patch new file mode 100644 index 0000000000..a7bb0a9290 --- /dev/null +++ b/meta/recipes-extended/shadow/files/shadow-4.1.3-dots-in-usernames.patch @@ -0,0 +1,27 @@ +# commit message copied from openembedded: +# commit 246c80637b135f3a113d319b163422f98174ee6c +# Author: Khem Raj +# Date: Wed Jun 9 13:37:03 2010 -0700 +# +# shadow-4.1.4.2: Add patches to support dots in login id. +# +# Signed-off-by: Khem Raj +# +# comment added by Kevin Tian , 2010-08-11 + +Upstream-Status: Pending + +Signed-off-by: Scott Garman + +Index: shadow-4.1.4.2/libmisc/chkname.c +=================================================================== +--- shadow-4.1.4.2.orig/libmisc/chkname.c 2009-04-28 12:14:04.000000000 -0700 ++++ shadow-4.1.4.2/libmisc/chkname.c 2010-06-03 17:43:20.638973857 -0700 +@@ -61,6 +61,7 @@ static bool is_valid_name (const char *n + ( ('0' <= *name) && ('9' >= *name) ) || + ('_' == *name) || + ('-' == *name) || ++ ('.' == *name) || + ( ('$' == *name) && ('\0' == *(name + 1)) ) + )) { + return false; diff --git a/meta/recipes-extended/shadow/files/shadow-update-pam-conf.patch b/meta/recipes-extended/shadow/files/shadow-update-pam-conf.patch new file mode 100644 index 0000000000..15f8044fa2 --- /dev/null +++ b/meta/recipes-extended/shadow/files/shadow-update-pam-conf.patch 
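Review bot: The securetty list marks `pts/0` to `pts/3` as secure terminals for root, under a comment that ties them to local X displays. Pseudo-terminals are allocated to any pty-backed session, not only to local X terminals, so these four entries weaken the restriction that the pam_securetty line in pam.d/login is there to enforce, and the same comment says they also permit empty passwords under pam_unix's `nullok_secure`. I would leave the `pts/*` lines out of the default file and let an image that needs them add them explicitly. The hot-pluggable `ttyUSB0` to `ttyUSB2` and `ttyGS0` entries are worth the same review, since the shadow-securetty recipe already appends the machine's real consoles from SERIAL_CONSOLES.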
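Review bot: The added `('.' == *name) ||` line in shadow-4.1.3-dots-in-usernames.patch relaxes is_valid_name for every caller, and the patch header does not say what else must hold for that to be safe. The condition it extends appears to test the characters after the first one; the first-character check and the enclosing loop lie outside the inner hunk, so whether a name that begins with a dot is still rejected cannot be confirmed from here and should be verified before relying on it. A login containing a dot can also be misread by tools that still accept the legacy `owner.group` argument form, which is worth stating in the header. The header is inconsistent as well: the file name says 4.1.3, the Index line says 4.1.4.2, and shadow.inc applies the patch to 4.2.1 with Upstream-Status Pending.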
@@ -0,0 +1,91 @@ +The system-auth in the configure files is from Fedora which put all the 4 pam type rules +in one file. +In yocto it obey the way with Debian/Ubuntu, and the names are common-auth, common-account, +common-password and common-session. +So update them with oe way. + +Upstream-Status: Pending + +Signed-off-by: Kang Kai + +diff -Nur shadow-4.1.4.3/etc/pam.d.orig/chage shadow-4.1.4.3/etc/pam.d/chage +--- shadow-4.1.4.3/etc/pam.d.orig/chage 2011-07-20 19:02:27.384844958 +0800 ++++ shadow-4.1.4.3/etc/pam.d/chage 2011-07-20 19:03:08.964844958 +0800 +@@ -1,4 +1,4 @@ + #%PAM-1.0 + auth sufficient pam_rootok.so + account required pam_permit.so +-password include system-auth ++password include common-password +diff -Nur shadow-4.1.4.3/etc/pam.d.orig/chgpasswd shadow-4.1.4.3/etc/pam.d/chgpasswd +--- shadow-4.1.4.3/etc/pam.d.orig/chgpasswd 2011-07-20 19:02:27.384844958 +0800 ++++ shadow-4.1.4.3/etc/pam.d/chgpasswd 2011-07-20 19:03:26.544844958 +0800 +@@ -1,4 +1,4 @@ + #%PAM-1.0 + auth sufficient pam_rootok.so + account required pam_permit.so +-password include system-auth ++password include common-password +diff -Nur shadow-4.1.4.3/etc/pam.d.orig/groupadd shadow-4.1.4.3/etc/pam.d/groupadd +--- shadow-4.1.4.3/etc/pam.d.orig/groupadd 2011-07-20 19:02:27.384844958 +0800 ++++ shadow-4.1.4.3/etc/pam.d/groupadd 2011-07-20 19:04:08.124844958 +0800 +@@ -1,4 +1,4 @@ + #%PAM-1.0 + auth sufficient pam_rootok.so + account required pam_permit.so +-password include system-auth ++password include common-password +diff -Nur shadow-4.1.4.3/etc/pam.d.orig/groupdel shadow-4.1.4.3/etc/pam.d/groupdel +--- shadow-4.1.4.3/etc/pam.d.orig/groupdel 2011-07-20 19:02:27.384844958 +0800 ++++ shadow-4.1.4.3/etc/pam.d/groupdel 2011-07-20 19:04:26.114844958 +0800 +@@ -1,4 +1,4 @@ + #%PAM-1.0 + auth sufficient pam_rootok.so + account required pam_permit.so +-password include system-auth ++password include common-password +diff -Nur shadow-4.1.4.3/etc/pam.d.orig/groupmems 
shadow-4.1.4.3/etc/pam.d/groupmems +--- shadow-4.1.4.3/etc/pam.d.orig/groupmems 2011-07-20 19:02:27.384844958 +0800 ++++ shadow-4.1.4.3/etc/pam.d/groupmems 2011-07-20 19:04:35.074844958 +0800 +@@ -1,4 +1,4 @@ + #%PAM-1.0 + auth sufficient pam_rootok.so + account required pam_permit.so +-password include system-auth ++password include common-password +diff -Nur shadow-4.1.4.3/etc/pam.d.orig/groupmod shadow-4.1.4.3/etc/pam.d/groupmod +--- shadow-4.1.4.3/etc/pam.d.orig/groupmod 2011-07-20 19:02:27.384844958 +0800 ++++ shadow-4.1.4.3/etc/pam.d/groupmod 2011-07-20 19:04:44.864844958 +0800 +@@ -1,4 +1,4 @@ + #%PAM-1.0 + auth sufficient pam_rootok.so + account required pam_permit.so +-password include system-auth ++password include common-password +diff -Nur shadow-4.1.4.3/etc/pam.d.orig/useradd shadow-4.1.4.3/etc/pam.d/useradd +--- shadow-4.1.4.3/etc/pam.d.orig/useradd 2011-07-20 19:02:27.384844958 +0800 ++++ shadow-4.1.4.3/etc/pam.d/useradd 2011-07-20 19:07:26.244844958 +0800 +@@ -1,4 +1,4 @@ + #%PAM-1.0 + auth sufficient pam_rootok.so + account required pam_permit.so +-password include system-auth ++password include common-password +diff -Nur shadow-4.1.4.3/etc/pam.d.orig/userdel shadow-4.1.4.3/etc/pam.d/userdel +--- shadow-4.1.4.3/etc/pam.d.orig/userdel 2011-07-20 19:02:27.384844958 +0800 ++++ shadow-4.1.4.3/etc/pam.d/userdel 2011-07-20 19:07:35.734844958 +0800 +@@ -1,4 +1,4 @@ + #%PAM-1.0 + auth sufficient pam_rootok.so + account required pam_permit.so +-password include system-auth ++password include common-password +diff -Nur shadow-4.1.4.3/etc/pam.d.orig/usermod shadow-4.1.4.3/etc/pam.d/usermod +--- shadow-4.1.4.3/etc/pam.d.orig/usermod 2011-07-20 19:02:27.384844958 +0800 ++++ shadow-4.1.4.3/etc/pam.d/usermod 2011-07-20 19:07:42.024844958 +0800 +@@ -1,4 +1,4 @@ + #%PAM-1.0 + auth sufficient pam_rootok.so + account required pam_permit.so +-password include system-auth ++password include common-password 
diff --git a/meta/recipes-extended/shadow/files/usermod-fix-compilation-failure-with-subids-disabled.patch b/meta/recipes-extended/shadow/files/usermod-fix-compilation-failure-with-subids-disabled.patch new file mode 100644 index 0000000000..37dc153fca --- /dev/null +++ b/meta/recipes-extended/shadow/files/usermod-fix-compilation-failure-with-subids-disabled.patch @@ -0,0 +1,33 @@ +Upstream-Status: Pending + +usermod: fix compilation failure with subids disabled + +Signed-off-by: Chen Qi +--- + src/usermod.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/usermod.c b/src/usermod.c +index e7d4351..685b50a 100644 +--- a/src/usermod.c ++++ b/src/usermod.c +@@ -1360,7 +1360,7 @@ static void process_flags (int argc, char **argv) + Prog, (unsigned long) user_newid); + exit (E_UID_IN_USE); + } +- ++#ifdef ENABLE_SUBIDS + if ( (vflg || Vflg) + && !is_sub_uid) { + fprintf (stderr, +@@ -1376,6 +1376,7 @@ static void process_flags (int argc, char **argv) + Prog, sub_gid_dbname (), "-w", "-W"); + exit (E_USAGE); + } ++#endif + } + + /* +-- +1.7.9.5 + diff --git a/meta/recipes-extended/shadow/shadow-securetty_4.2.1.bb b/meta/recipes-extended/shadow/shadow-securetty_4.2.1.bb new file mode 100644 index 0000000000..0e0410043b --- /dev/null +++ b/meta/recipes-extended/shadow/shadow-securetty_4.2.1.bb 
@@ -0,0 +1,36 @@
+SUMMARY = "Provider of the machine specific securetty file"
+SECTION = "base utils"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+INHIBIT_DEFAULT_DEPS = "1"
+
+PR = "r3"
+
+SRC_URI = "file://securetty"
+
+# Since SERIAL_CONSOLES is likely to be set from the machine configuration
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+do_install () {
+ # Ensure we add a suitable securetty file to the package that has
+ # most common embedded TTYs defined.
+ install -d ${D}${sysconfdir}
+ install -m 0400 ${WORKDIR}/securetty ${D}${sysconfdir}/securetty
+ if [ ! -z "${SERIAL_CONSOLES}" ]; then
+ # Our SERIAL_CONSOLES contains a baud rate and sometimes extra
+ # options as well. The following pearl :) takes that and converts
+ # it into newline-separated tty's and appends them into
+ # securetty. So if a machine has a weird looking console device
+ # node (e.g. ttyAMA0) that securetty does not know, it will get
+ # appended to securetty and root logins will be allowed on that
+ # console.
+ tmp="${SERIAL_CONSOLES}"
+ for entry in $tmp ; do
+ ttydev=`echo "$entry" | sed -e 's/^[0-9]*\;//' -e 's/\;.*//'`
+ if ! grep -q $ttydev ${D}${sysconfdir}/securetty; then
+ echo $ttydev >> ${D}${sysconfdir}/securetty
+ fi
+ done
+ fi
+}
diff --git a/meta/recipes-extended/shadow/shadow-sysroot_4.2.1.bb b/meta/recipes-extended/shadow/shadow-sysroot_4.2.1.bb
new file mode 100644
index 0000000000..697569c47e
--- /dev/null
+++ b/meta/recipes-extended/shadow/shadow-sysroot_4.2.1.bb
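Review bot: The membership test `grep -q $ttydev ${D}${sysconfdir}/securetty` in do_install passes the device name unquoted as a regular expression and matches substrings, so a console whose name is contained in an existing entry counts as present and is never appended. That fails closed (root login is refused on that console), but it does so silently; an exact fixed-string match is what is meant: `if ! grep -qxF -- "$ttydev" ${D}${sysconfdir}/securetty; then` followed by `echo "$ttydev" >> ${D}${sysconfdir}/securetty`. As the existing comment states, every SERIAL_CONSOLES entry becomes a root-login terminal through this loop, so machine configurations should be reviewed with that in mind.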
@@ -0,0 +1,34 @@
+SUMMARY = "Shadow utils requirements for useradd.bbclass"
+HOMEPAGE = "http://pkg-shadow.alioth.debian.org"
+BUGTRACKER = "https://alioth.debian.org/tracker/?group_id=30580"
+SECTION = "base utils"
+LICENSE = "BSD | Artistic-1.0"
+LIC_FILES_CHKSUM = "file://login.defs_shadow-sysroot;md5=25e2f2de4dfc8f966ac5cdfce45cd7d5"
+
+DEPENDS = "base-passwd"
+
+PR = "r3"
+
+# The sole purpose of this recipe is to provide the /etc/login.defs
+# file for the target sysroot - needed so the shadow-native utilities
+# can add custom users/groups for recipes that use inherit useradd.
+SRC_URI = "file://login.defs_shadow-sysroot"
+
+SRC_URI[md5sum] = "b8608d8294ac88974f27b20f991c0e79"
+SRC_URI[sha256sum] = "633f5bb4ea0c88c55f3642c97f9d25cbef74f82e0b4cf8d54e7ad6f9f9caa778"
+
+S = "${WORKDIR}"
+
+do_install() {
+ install -d ${D}${sysconfdir}
+ install -p -m 755 ${S}/login.defs_shadow-sysroot ${D}${sysconfdir}/login.defs
+}
+
+sysroot_stage_all() {
+ sysroot_stage_dir ${D} ${SYSROOT_DESTDIR}
+}
+
+# don't create any packages
+# otherwise: dbus-dev depends on shadow-sysroot-dev which depends on shadow-sysroot
+# and this has another copy of /etc/login.defs already provided by shadow
+PACKAGES = ""
diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
new file mode 100644
index 0000000000..bb3a927c17
--- /dev/null
+++ b/meta/recipes-extended/shadow/shadow.inc
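Review bot: do_install in shadow-sysroot installs login.defs with `install -p -m 755`, which marks a configuration file executable; `install -p -m 0644 ${S}/login.defs_shadow-sysroot ${D}${sysconfdir}/login.defs` is the conventional mode for it. The `SRC_URI[md5sum]` and `SRC_URI[sha256sum]` values sit next to a SRC_URI that holds only a `file://` entry, so they appear to be leftovers that do not describe the local file; if that is the case they should be removed so nobody takes them for an integrity check on login.defs.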
@@ -0,0 +1,176 @@ +SUMMARY = "Tools to change and administer password and group data" +HOMEPAGE = "http://pkg-shadow.alioth.debian.org" +BUGTRACKER = "https://alioth.debian.org/tracker/?group_id=30580" +SECTION = "base/utils" +LICENSE = "BSD | Artistic-1.0" +LIC_FILES_CHKSUM = "file://COPYING;md5=ed80ff1c2b40843cf5768e5229cf16e5 \ + file://src/passwd.c;beginline=8;endline=30;md5=d83888ea14ae61951982d77125947661" + +DEPENDS = "shadow-native" +DEPENDS_class-native = "" +DEPENDS_class-nativesdk = "" + +SRC_URI = "http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz \ + file://shadow-4.1.3-dots-in-usernames.patch \ + file://usermod-fix-compilation-failure-with-subids-disabled.patch \ + file://fix-installation-failure-with-subids-disabled.patch \ + file://0001-su.c-fix-to-exec-command-correctly.patch \ + file://0001-Do-not-read-login.defs-before-doing-chroot.patch \ + file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \ + ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \ + " + +SRC_URI_append_class-target = " \ + file://login_defs_pam.sed \ + file://shadow-update-pam-conf.patch \ + " + +SRC_URI_append_class-native = " \ + file://disable-syslog.patch \ + file://allow-for-setting-password-in-clear-text.patch \ + file://commonio.c-fix-unexpected-open-failure-in-chroot-env.patch \ + file://0001-useradd.c-create-parent-directories-when-necessary.patch \ + " +SRC_URI_append_class-nativesdk = " \ + file://disable-syslog.patch \ + " + +SRC_URI[md5sum] = "2bfafe7d4962682d31b5eba65dba4fc8" +SRC_URI[sha256sum] = "3b0893d1476766868cd88920f4f1231c4795652aa407569faff802bcda0f3d41" + +# Additional Policy files for PAM +PAM_SRC_URI = "file://pam.d/chfn \ + file://pam.d/chpasswd \ + file://pam.d/chsh \ + file://pam.d/login \ + file://pam.d/newusers \ + file://pam.d/passwd \ + file://pam.d/su" + +inherit autotools gettext + +EXTRA_OECONF += "--without-audit \ + --without-libcrack \ + --without-selinux \ + --with-group-name-max-length=24 \ 
+ --enable-subordinate-ids=yes \ + ${NSCDOPT}" + +NSCDOPT = "" +NSCDOPT_class-native = "--without-nscd" +NSCDOPT_class-nativesdk = "--without-nscd" +NSCDOPT_libc-uclibc = " --without-nscd" +NSCDOPT_libc-glibc = "${@bb.utils.contains('DISTRO_FEATURES', 'libc-spawn', '--with-nscd', '--without-nscd', d)}" + +PAM_PLUGINS = "libpam-runtime \ + pam-plugin-faildelay \ + pam-plugin-securetty \ + pam-plugin-nologin \ + pam-plugin-env \ + pam-plugin-group \ + pam-plugin-limits \ + pam-plugin-lastlog \ + pam-plugin-motd \ + pam-plugin-mail \ + pam-plugin-shells \ + pam-plugin-rootok" + +PACKAGECONFIG = "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam', '', d)}" +PACKAGECONFIG_class-native = "" +PACKAGECONFIG_class-nativesdk = "" +PACKAGECONFIG[pam] = "--with-libpam,--without-libpam,libpam,${PAM_PLUGINS}" +PACKAGECONFIG[attr] = "--with-attr,--without-attr,attr" +PACKAGECONFIG[acl] = "--with-acl,--without-acl,acl" + +RDEPENDS_${PN} = "shadow-securetty \ + base-passwd" +RDEPENDS_${PN}_class-native = "" +RDEPENDS_${PN}_class-nativesdk = "" + +do_install() { + oe_runmake DESTDIR="${D}" sbindir="${base_sbindir}" usbindir="${sbindir}" install + + # Info dir listing isn't interesting at this point so remove it if it exists. + if [ -e "${D}${infodir}/dir" ]; then + rm -f ${D}${infodir}/dir + fi + + # Enable CREATE_HOME by default. + sed -i 's/#CREATE_HOME/CREATE_HOME/g' ${D}${sysconfdir}/login.defs + + # As we are on an embedded system, ensure the users mailbox is in + # ~/ not /var/spool/mail by default, as who knows where or how big + # /var is. The system MDA will set this later anyway. + sed -i 's/MAIL_DIR/#MAIL_DIR/g' ${D}${sysconfdir}/login.defs + sed -i 's/#MAIL_FILE/MAIL_FILE/g' ${D}${sysconfdir}/login.defs + + # Disable checking emails. 
+ sed -i 's/MAIL_CHECK_ENAB/#MAIL_CHECK_ENAB/g' ${D}${sysconfdir}/login.defs + + # Use proper encryption for passwords + sed -i 's/^#ENCRYPT_METHOD.*$/ENCRYPT_METHOD SHA512/' ${D}${sysconfdir}/login.defs + + # Now we don't have a mail system. Disable mail creation for now. + sed -i 's:/bin/bash:/bin/sh:g' ${D}${sysconfdir}/default/useradd + sed -i '/^CREATE_MAIL_SPOOL/ s:^:#:' ${D}${sysconfdir}/default/useradd + + # Use users group by default + sed -i 's,^GROUP=1000,GROUP=100,g' ${D}${sysconfdir}/default/useradd +} + +do_install_append() { + # Ensure that the image has as a /var/spool/mail dir so shadow can + # put mailboxes there if the user reconfigures shadow to its + # defaults (see sed below). + install -d ${D}${localstatedir}/spool/mail + + if [ -e ${WORKDIR}/pam.d ]; then + install -d ${D}${sysconfdir}/pam.d/ + install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/ + # Remove defaults that are not used when supporting PAM. + sed -i -f ${WORKDIR}/login_defs_pam.sed ${D}${sysconfdir}/login.defs + fi + + install -d ${D}${sbindir} ${D}${base_sbindir} ${D}${base_bindir} + + # Move binaries to the locations we want + rm ${D}${sbindir}/vigr + ln -sf vipw.${BPN} ${D}${base_sbindir}/vigr + if [ "${sbindir}" != "${base_sbindir}" ]; then + mv ${D}${sbindir}/vipw ${D}${base_sbindir}/vipw + fi + if [ "${bindir}" != "${base_bindir}" ]; then + mv ${D}${bindir}/login ${D}${base_bindir}/login + mv ${D}${bindir}/su ${D}${base_bindir}/su + fi + + # Handle link properly after rename, otherwise missing files would + # lead rpm failed dependencies. 
+ ln -sf newgrp.${BPN} ${D}${bindir}/sg +} + +inherit update-alternatives + +ALTERNATIVE_PRIORITY = "200" + +ALTERNATIVE_${PN} = "passwd chfn newgrp chsh groups chpasswd login vipw vigr su" +ALTERNATIVE_LINK_NAME[chpasswd] = "${sbindir}/chpasswd" +ALTERNATIVE_LINK_NAME[login] = "${base_bindir}/login" +ALTERNATIVE_LINK_NAME[vipw] = "${base_sbindir}/vipw" +ALTERNATIVE_LINK_NAME[vigr] = "${base_sbindir}/vigr" +ALTERNATIVE_LINK_NAME[su] = "${base_bindir}/su" + +ALTERNATIVE_${PN}-doc = "passwd.5 getspnam.3" +ALTERNATIVE_LINK_NAME[passwd.5] = "${mandir}/man5/passwd.5" +ALTERNATIVE_LINK_NAME[getspnam.3] = "${mandir}/man3/getspnam.3" + +pkg_postinst_${PN} () { + if [ "x$D" != "x" ]; then + rootarg="--root $D" + else + rootarg="" + fi + + pwconv $rootarg || exit 1 + grpconv $rootarg || exit 1 +} diff --git a/meta/recipes-extended/shadow/shadow_4.2.1.bb b/meta/recipes-extended/shadow/shadow_4.2.1.bb new file mode 100644 index 0000000000..5675cb8cc9 --- /dev/null +++ b/meta/recipes-extended/shadow/shadow_4.2.1.bb @@ -0,0 +1,10 @@ +require shadow.inc + +# Build falsely assumes that if --enable-libpam is set, we don't need to link against +# libcrypt. This breaks chsh. +BUILD_LDFLAGS_append_class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'pam', bb.utils.contains('DISTRO_FEATURES', 'libc-crypt', '-lcrypt', '', d), '', d)}" + +BBCLASSEXTEND = "native nativesdk" + + + -- cgit v1.2.3-54-g00ecf
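Review bot: In shadow.inc's do_install, `sed -i 's/^#ENCRYPT_METHOD.*$/ENCRYPT_METHOD SHA512/'` exits successfully even when login.defs has no line starting with `#ENCRYPT_METHOD`, so a change in the upstream file would silently leave the DES default that the login.defs text in this commit documents. A check right after it makes the build fail instead: `grep -q '^ENCRYPT_METHOD SHA512' ${D}${sysconfdir}/login.defs || bbfatal "ENCRYPT_METHOD not set in login.defs"`. The neighbouring substitutions (`s/MAIL_DIR/#MAIL_DIR/g`, `s/MAIL_CHECK_ENAB/#MAIL_CHECK_ENAB/g`, `s/#CREATE_HOME/CREATE_HOME/g`) are unanchored and rewrite every occurrence, including those inside comments; anchoring them with `^` as the ENCRYPT_METHOD line does would be consistent. The comment `# Now we don't have a mail system. Disable mail creation for now.` sits above the `/bin/bash` to `/bin/sh` substitution, which it does not describe.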