3 files changed, 162 insertions, 0 deletions
diff --git a/meta/recipes-extended/shadow/files/0001-Make-the-sp_lstchg-shadow-field-reproducible-re.-71.patch b/meta/recipes-extended/shadow/files/0001-Make-the-sp_lstchg-shadow-field-reproducible-re.-71.patch
new file mode 100644
index 0000000000..de0ba3ebb4
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/0001-Make-the-sp_lstchg-shadow-field-reproducible-re.-71.patch
@@ -0,0 +1,89 @@
+From fe34a2a0e44bc80ff213bfd185046a5f10c94997 Mon Sep 17 00:00:00 2001
+From: Chris Lamb <chris@chris-lamb.co.uk>
+Date: Wed, 2 Jan 2019 18:06:16 +0000
+Subject: [PATCH 1/2] Make the sp_lstchg shadow field reproducible (re. #71)
+From <https://github.com/shadow-maint/shadow/pull/71>:
+```
+The third field in the /etc/shadow file (sp_lstchg) contains the date of
+the last password change expressed as the number of days since Jan 1, 1970.
+As this is a relative time, creating a user today will result in:
+username:17238:0:99999:7:::
+whilst creating the same user tomorrow will result in:
+username:17239:0:99999:7:::
+This has an impact for the Reproducible Builds[0] project where we aim to
+be independent of as many elements the build environment as possible,
+including the current date.
+This patch changes the behaviour to use the SOURCE_DATE_EPOCH[1]
+environment variable (instead of Jan 1, 1970) if valid.
+```
+This updated PR adds some missing calls to gettime (). This was originally
+filed by Johannes Schauer in Debian as #917773 [2].
+[0] https://reproducible-builds.org/
+[1] https://reproducible-builds.org/specs/source-date-epoch/
+[2] https://bugs.debian.org/917773
+Upstream-Status: Backport
+Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
+---
+ libmisc/pwd2spwd.c | 3 +--
+ src/pwck.c         | 2 +-
+ src/pwconv.c       | 2 +-
+ 3 files changed, 3 insertions(+), 4 deletions(-)
+diff --git a/libmisc/pwd2spwd.c b/libmisc/pwd2spwd.c
+index c1b9b29ac873..6799dd50d490 100644
+--- a/libmisc/pwd2spwd.c
+++ b/libmisc/pwd2spwd.c
+@@ -40,7 +40,6 @@
+ #include "prototypes.h"
+ #include "defines.h"
+ #include <pwd.h>
+-extern time_t time (time_t *);
+ 
+ /*
+  * pwd_to_spwd - create entries for new spwd structure
+@@ -66,7 +65,7 @@ struct spwd *pwd_to_spwd (const struct passwd *pw)
+                 */
+                sp.sp_min = 0;
+                sp.sp_max = (10000L * DAY) / SCALE;
+-               sp.sp_lstchg = (long) time ((time_t *) 0) / SCALE;
+               sp.sp_lstchg = (long) gettime () / SCALE;
+                if (0 == sp.sp_lstchg) {
+                        /* Better disable aging than requiring a password
+                         * change */
+diff --git a/src/pwck.c b/src/pwck.c
+index 0ffb711efb13..f70071b12500 100644
+--- a/src/pwck.c
+++ b/src/pwck.c
+@@ -609,7 +609,7 @@ static void check_pw_file (int *errors, bool *changed)
+                                        sp.sp_inact  = -1;
+                                        sp.sp_expire = -1;
+                                        sp.sp_flag   = SHADOW_SP_FLAG_UNSET;
+-                                       sp.sp_lstchg = (long) time ((time_t *) 0) / SCALE;
+                                       sp.sp_lstchg = (long) gettime () / SCALE;
+                                        if (0 == sp.sp_lstchg) {
+                                                /* Better disable aging than
+                                                 * requiring a password change
+diff --git a/src/pwconv.c b/src/pwconv.c
+index 9c69fa131d8e..f932f266c59c 100644
+--- a/src/pwconv.c
+++ b/src/pwconv.c
+@@ -267,7 +267,7 @@ int main (int argc, char **argv)
+                        spent.sp_flag   = SHADOW_SP_FLAG_UNSET;
+                }
+                spent.sp_pwdp = pw->pw_passwd;
+-               spent.sp_lstchg = (long) time ((time_t *) 0) / SCALE;
+               spent.sp_lstchg = (long) gettime () / SCALE;
+                if (0 == spent.sp_lstchg) {
+                        /* Better disable aging than requiring a password
+                         * change */
+-- 
+2.17.1
diff --git a/meta/recipes-extended/shadow/files/0002-gettime-Use-secure_getenv-over-getenv.patch b/meta/recipes-extended/shadow/files/0002-gettime-Use-secure_getenv-over-getenv.patch
new file mode 100644
index 0000000000..8c8234d038
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/0002-gettime-Use-secure_getenv-over-getenv.patch
@@ -0,0 +1,71 @@
+From 3d921155e0a761f61c8f1ec37328724aee1e2eda Mon Sep 17 00:00:00 2001
+From: Chris Lamb <chris@chris-lamb.co.uk>
+Date: Sun, 31 Mar 2019 15:59:45 +0100
+Subject: [PATCH 2/2] gettime: Use secure_getenv over getenv.
+Upstream-Status: Backport
+Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
+---
+ README            | 1 +
+ configure.ac      | 3 +++
+ lib/defines.h     | 6 ++++++
+ libmisc/gettime.c | 2 +-
+ 4 files changed, 11 insertions(+), 1 deletion(-)
+diff --git a/README b/README
+index 952ac5787f06..26cfff1e8fa8 100644
+--- a/README
+++ b/README
+@@ -51,6 +51,7 @@ Brian R. Gaeke <brg@dgate.org>
+ Calle Karlsson <ckn@kash.se>
+ Chip Rosenthal <chip@unicom.com>
+ Chris Evans <lady0110@sable.ox.ac.uk>
+Chris Lamb <chris@chris-lamb.co.uk>
+ Cristian Gafton <gafton@sorosis.ro>
+ Dan Walsh <dwalsh@redhat.com>
+ Darcy Boese <possum@chardonnay.niagara.com>
+diff --git a/configure.ac b/configure.ac
+index da236722766b..a738ad662cc3 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -110,6 +110,9 @@ AC_REPLACE_FUNCS(sgetgrent sgetpwent sgetspent)
+ AC_REPLACE_FUNCS(snprintf strcasecmp strdup strerror strstr)
+ 
+ AC_CHECK_FUNC(setpgrp)
+AC_CHECK_FUNC(secure_getenv, [AC_DEFINE(HAS_SECURE_GETENV,
+                                        1,
+                                        [Defined to 1 if you have the declaration of 'secure_getenv'])])
+ 
+ if test "$ac_cv_header_shadow_h" = "yes"; then
+        AC_CACHE_CHECK(for working shadow group support,
+diff --git a/lib/defines.h b/lib/defines.h
+index cded1417fd12..2fb1b56eca6b 100644
+--- a/lib/defines.h
+++ b/lib/defines.h
+@@ -382,4 +382,10 @@ extern char *strerror ();
+ # endif
+ #endif
+ 
+#ifdef HAVE_SECURE_GETENV
+#  define shadow_getenv(name) secure_getenv(name)
+# else
+#  define shadow_getenv(name) getenv(name)
+#endif
+
+ #endif                         /* _DEFINES_H_ */
+diff --git a/libmisc/gettime.c b/libmisc/gettime.c
+index 53eaf51670bb..0e25a4b75061 100644
+--- a/libmisc/gettime.c
+++ b/libmisc/gettime.c
+@@ -52,7 +52,7 @@
+        unsigned long long epoch;
+ 
+        fallback = time (NULL);
+-       source_date_epoch = getenv ("SOURCE_DATE_EPOCH");
+       source_date_epoch = shadow_getenv ("SOURCE_DATE_EPOCH");
+ 
+        if (!source_date_epoch)
+                return fallback;
+-- 
+2.17.1
diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
index 4de21acb77..831751d6de 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -11,6 +11,8 @@ DEPENDS = "virtual/crypt"
 UPSTREAM_CHECK_URI = "https://github.com/shadow-maint/shadow/releases"
 SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/${PV}/${BP}.tar.gz \
           file://shadow-4.1.3-dots-in-usernames.patch \
+           file://0001-Make-the-sp_lstchg-shadow-field-reproducible-re.-71.patch  \
+           file://0002-gettime-Use-secure_getenv-over-getenv.patch \
           ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
           "

diff --git a/meta/recipes-extended/shadow/files/0001-Make-the-sp_lstchg-shadow-field-reproducible-re.-71.patch b/meta/recipes-extended/shadow/files/0001-Make-the-sp_lstchg-shadow-field-reproducible-re.-71.patch new file mode 100644 index 0000000000..de0ba3ebb4 --- /dev/null +++ b/meta/recipes-extended/shadow/files/0001-Make-the-sp_lstchg-shadow-field-reproducible-re.-71.patch
@@ -0,0 +1,89 @@
		1	From fe34a2a0e44bc80ff213bfd185046a5f10c94997 Mon Sep 17 00:00:00 2001
		2	From: Chris Lamb <chris@chris-lamb.co.uk>
		3	Date: Wed, 2 Jan 2019 18:06:16 +0000
		4	Subject: [PATCH 1/2] Make the sp_lstchg shadow field reproducible (re. #71)
		5
		6	From <https://github.com/shadow-maint/shadow/pull/71>:
		7
		8	```
		9	The third field in the /etc/shadow file (sp_lstchg) contains the date of
		10	the last password change expressed as the number of days since Jan 1, 1970.
		11	As this is a relative time, creating a user today will result in:
		12
		13	username:17238:0:99999:7:::
		14	whilst creating the same user tomorrow will result in:
		15
		16	username:17239:0:99999:7:::
		17	This has an impact for the Reproducible Builds[0] project where we aim to
		18	be independent of as many elements the build environment as possible,
		19	including the current date.
		20
		21	This patch changes the behaviour to use the SOURCE_DATE_EPOCH[1]
		22	environment variable (instead of Jan 1, 1970) if valid.
		23	```
		24
		25	This updated PR adds some missing calls to gettime (). This was originally
		26	filed by Johannes Schauer in Debian as #917773 [2].
		27
		28	[0] https://reproducible-builds.org/
		29	[1] https://reproducible-builds.org/specs/source-date-epoch/
		30	[2] https://bugs.debian.org/917773
		31
		32	Upstream-Status: Backport
		33	Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
		34	---
		35	libmisc/pwd2spwd.c \| 3 +--
		36	src/pwck.c \| 2 +-
		37	src/pwconv.c \| 2 +-
		38	3 files changed, 3 insertions(+), 4 deletions(-)
		39
		40	diff --git a/libmisc/pwd2spwd.c b/libmisc/pwd2spwd.c
		41	index c1b9b29ac873..6799dd50d490 100644
		42	--- a/libmisc/pwd2spwd.c
		43	+++ b/libmisc/pwd2spwd.c
		44	@@ -40,7 +40,6 @@
		45	#include "prototypes.h"
		46	#include "defines.h"
		47	#include <pwd.h>
		48	-extern time_t time (time_t *);
		49
		50	/*
		51	* pwd_to_spwd - create entries for new spwd structure
		52	@@ -66,7 +65,7 @@ struct spwd pwd_to_spwd (const struct passwd pw)
		53	*/
		54	sp.sp_min = 0;
		55	sp.sp_max = (10000L * DAY) / SCALE;
		56	- sp.sp_lstchg = (long) time ((time_t *) 0) / SCALE;
		57	+ sp.sp_lstchg = (long) gettime () / SCALE;
		58	if (0 == sp.sp_lstchg) {
		59	/* Better disable aging than requiring a password
		60	* change */
		61	diff --git a/src/pwck.c b/src/pwck.c
		62	index 0ffb711efb13..f70071b12500 100644
		63	--- a/src/pwck.c
		64	+++ b/src/pwck.c
		65	@@ -609,7 +609,7 @@ static void check_pw_file (int errors, bool changed)
		66	sp.sp_inact = -1;
		67	sp.sp_expire = -1;
		68	sp.sp_flag = SHADOW_SP_FLAG_UNSET;
		69	- sp.sp_lstchg = (long) time ((time_t *) 0) / SCALE;
		70	+ sp.sp_lstchg = (long) gettime () / SCALE;
		71	if (0 == sp.sp_lstchg) {
		72	/* Better disable aging than
		73	* requiring a password change
		74	diff --git a/src/pwconv.c b/src/pwconv.c
		75	index 9c69fa131d8e..f932f266c59c 100644
		76	--- a/src/pwconv.c
		77	+++ b/src/pwconv.c
		78	@@ -267,7 +267,7 @@ int main (int argc, char **argv)
		79	spent.sp_flag = SHADOW_SP_FLAG_UNSET;
		80	}
		81	spent.sp_pwdp = pw->pw_passwd;
		82	- spent.sp_lstchg = (long) time ((time_t *) 0) / SCALE;
		83	+ spent.sp_lstchg = (long) gettime () / SCALE;
		84	if (0 == spent.sp_lstchg) {
		85	/* Better disable aging than requiring a password
		86	* change */
		87	--
		88	2.17.1
		89


diff --git a/meta/recipes-extended/shadow/files/0002-gettime-Use-secure_getenv-over-getenv.patch b/meta/recipes-extended/shadow/files/0002-gettime-Use-secure_getenv-over-getenv.patch new file mode 100644 index 0000000000..8c8234d038 --- /dev/null +++ b/meta/recipes-extended/shadow/files/0002-gettime-Use-secure_getenv-over-getenv.patch
@@ -0,0 +1,71 @@
		1	From 3d921155e0a761f61c8f1ec37328724aee1e2eda Mon Sep 17 00:00:00 2001
		2	From: Chris Lamb <chris@chris-lamb.co.uk>
		3	Date: Sun, 31 Mar 2019 15:59:45 +0100
		4	Subject: [PATCH 2/2] gettime: Use secure_getenv over getenv.
		5
		6	Upstream-Status: Backport
		7	Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
		8	---
		9	README \| 1 +
		10	configure.ac \| 3 +++
		11	lib/defines.h \| 6 ++++++
		12	libmisc/gettime.c \| 2 +-
		13	4 files changed, 11 insertions(+), 1 deletion(-)
		14
		15	diff --git a/README b/README
		16	index 952ac5787f06..26cfff1e8fa8 100644
		17	--- a/README
		18	+++ b/README
		19	@@ -51,6 +51,7 @@ Brian R. Gaeke <brg@dgate.org>
		20	Calle Karlsson <ckn@kash.se>
		21	Chip Rosenthal <chip@unicom.com>
		22	Chris Evans <lady0110@sable.ox.ac.uk>
		23	+Chris Lamb <chris@chris-lamb.co.uk>
		24	Cristian Gafton <gafton@sorosis.ro>
		25	Dan Walsh <dwalsh@redhat.com>
		26	Darcy Boese <possum@chardonnay.niagara.com>
		27	diff --git a/configure.ac b/configure.ac
		28	index da236722766b..a738ad662cc3 100644
		29	--- a/configure.ac
		30	+++ b/configure.ac
		31	@@ -110,6 +110,9 @@ AC_REPLACE_FUNCS(sgetgrent sgetpwent sgetspent)
		32	AC_REPLACE_FUNCS(snprintf strcasecmp strdup strerror strstr)
		33
		34	AC_CHECK_FUNC(setpgrp)
		35	+AC_CHECK_FUNC(secure_getenv, [AC_DEFINE(HAS_SECURE_GETENV,
		36	+ 1,
		37	+ [Defined to 1 if you have the declaration of 'secure_getenv'])])
		38
		39	if test "$ac_cv_header_shadow_h" = "yes"; then
		40	AC_CACHE_CHECK(for working shadow group support,
		41	diff --git a/lib/defines.h b/lib/defines.h
		42	index cded1417fd12..2fb1b56eca6b 100644
		43	--- a/lib/defines.h
		44	+++ b/lib/defines.h
		45	@@ -382,4 +382,10 @@ extern char *strerror ();
		46	# endif
		47	#endif
		48
		49	+#ifdef HAVE_SECURE_GETENV
		50	+# define shadow_getenv(name) secure_getenv(name)
		51	+# else
		52	+# define shadow_getenv(name) getenv(name)
		53	+#endif
		54	+
		55	#endif /* _DEFINES_H_ */
		56	diff --git a/libmisc/gettime.c b/libmisc/gettime.c
		57	index 53eaf51670bb..0e25a4b75061 100644
		58	--- a/libmisc/gettime.c
		59	+++ b/libmisc/gettime.c
		60	@@ -52,7 +52,7 @@
		61	unsigned long long epoch;
		62
		63	fallback = time (NULL);
		64	- source_date_epoch = getenv ("SOURCE_DATE_EPOCH");
		65	+ source_date_epoch = shadow_getenv ("SOURCE_DATE_EPOCH");
		66
		67	if (!source_date_epoch)
		68	return fallback;
		69	--
		70	2.17.1
		71


diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index 4de21acb77..831751d6de 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc
@@ -11,6 +11,8 @@ DEPENDS = "virtual/crypt"
11	UPSTREAM_CHECK_URI = "https://github.com/shadow-maint/shadow/releases"	11	UPSTREAM_CHECK_URI = "https://github.com/shadow-maint/shadow/releases"
12	SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/${PV}/${BP}.tar.gz \	12	SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/${PV}/${BP}.tar.gz \
13	file://shadow-4.1.3-dots-in-usernames.patch \	13	file://shadow-4.1.3-dots-in-usernames.patch \
		14	file://0001-Make-the-sp_lstchg-shadow-field-reproducible-re.-71.patch \
		15	file://0002-gettime-Use-secure_getenv-over-getenv.patch \
14	${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \	16	${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
15	"	17	"
16		18