From 7c7479d7ea98f4becfd0012b0d50d2e4e3cb249c Mon Sep 17 00:00:00 2001
From: Britney Fransen
Date: Sun, 4 Oct 2020 16:49:52 +0000
Subject: shadow: update to 4.8.1
---
abs/core/shadow/PKGBUILD | 75 ++++++++++++------------------
abs/core/shadow/lastlog.tmpfiles | 1 -
abs/core/shadow/login.defs | 9 +++-
abs/core/shadow/shadow-strncpy-usage.patch | 25 ----------
abs/core/shadow/shadow.cron.daily | 6 ---
abs/core/shadow/shadow.install | 27 ++++++++---
abs/core/shadow/shadow.service | 11 +++++
abs/core/shadow/shadow.timer | 7 +++
abs/core/shadow/useradd.defaults | 2 +-
abs/core/shadow/xstrdup.patch | 9 ----
10 files changed, 77 insertions(+), 95 deletions(-)
delete mode 100644 abs/core/shadow/lastlog.tmpfiles
delete mode 100644 abs/core/shadow/shadow-strncpy-usage.patch
delete mode 100755 abs/core/shadow/shadow.cron.daily
create mode 100644 abs/core/shadow/shadow.service
create mode 100644 abs/core/shadow/shadow.timer
delete mode 100644 abs/core/shadow/xstrdup.patch
diff --git a/abs/core/shadow/PKGBUILD b/abs/core/shadow/PKGBUILD
index 0ca6f54..de451df 100644
--- a/abs/core/shadow/PKGBUILD
+++ b/abs/core/shadow/PKGBUILD
@@ -1,24 +1,25 @@ -# $Id: PKGBUILD 197840 2013-10-30 11:06:53Z allan $ # Maintainer: Dave Reisner # Maintainer: Aaron Griffin pkgname=shadow -pkgver=4.1.5.1 -pkgrel=7 +pkgver=4.8.1 +pkgrel=4 pkgdesc="Password and account management tool suite with support for shadow files and PAM" -arch=('i686' 'x86_64') -url='http://pkg-shadow.alioth.debian.org/' +arch=('x86_64') +url='https://github.com/shadow-maint/shadow' license=('BSD') -groups=('base') -depends=('bash' 'pam' 'acl') +# libcap-ng needed by install scriptlet for 'filecap' +depends=('pam' 'acl' 'libacl.so' 'audit' 'libaudit.so' 'libcap-ng' 'libcap-ng.so' + 'libxcrypt' 'libcrypt.so') backup=(etc/login.defs etc/pam.d/{chage,passwd,shadow,useradd,usermod,userdel} etc/pam.d/{chpasswd,newusers,groupadd,groupdel,groupmod} etc/pam.d/{chgpasswd,groupmems} etc/default/useradd) options=(strip debug) -install='shadow.install' -source=("http://pkg-shadow.alioth.debian.org/releases/$pkgname-$pkgver.tar.bz2"{,.sig} +validpgpkeys=('D5C2F9BFCA128BBA22A77218872F702C4D6E25A8' # Christian Perrier + 'F1D08DB778185BF784002DFFE9FEEA06A85E3F9D') # Serge Hallyn +source=("https://github.com/shadow-maint/shadow/releases/download/$pkgver/shadow-$pkgver.tar.xz"{,.asc} LICENSE chgpasswd chpasswd 
@@ -26,52 +27,38 @@ source=("http://pkg-shadow.alioth.debian.org/releases/$pkgname-$pkgver.tar.bz2"{ login.defs newusers passwd - shadow.cron.daily - useradd.defaults - xstrdup.patch - shadow-strncpy-usage.patch - lastlog.tmpfiles) -sha1sums=('81f38720b953ef9c2c100c43d02dfe19cafd6c30' + shadow.{timer,service} + useradd.defaults) +install=shadow.install +sha1sums=('63457a0ba58dc4e81b2663b839dc6c89d3343f12' 'SKIP' '33a6cf1e44a1410e5c9726c89e5de68b78f5f922' '4ad0e059406a305c8640ed30d93c2a1f62c2f4ad' '12427b1ca92a9b85ca8202239f0d9f50198b818f' '0e56fed7fc93572c6bf0d8f3b099166558bb46f1' - 'e92045fb75e0c21a3f294a00de0bd2cd252e9463' + '81a02eadb5f605fef5c75b6d8a03713a7041864b' '12427b1ca92a9b85ca8202239f0d9f50198b818f' '611be25d91c3f8f307c7fe2485d5f781e5dee75f' - '98f4919014b1a9eb9f01ca7731e04b1d973cedd5' - '9ae93de5987dd0ae428f0cc1a5a5a5cd53583f19' - '6010fffeed1fc6673ad9875492e1193b1a847b53' - '21e12966a6befb25ec123b403cd9b5c492fe5b16' - 'f57ecde3f72b4738fad75c097d19cf46a412350f') + 'a154a94b47a3d0c6c287253b98c0d10b861226d0' + 'b5540736f5acbc23b568973eb5645604762db3dd' + 'c173208c5cf34528602f9931468a67b7f68abad3') build() { cd "$pkgname-$pkgver" - # avoid transitive linking issues with binutils 2.22 - sed -i '/^user\(mod\|add\)_LDADD/s|$| -lattr|' src/Makefile.am - - # link to glibc's crypt(3) - export LIBS="-lcrypt" - - # need to offer these upstream - patch -Np1 <"$srcdir/xstrdup.patch" - patch -Np1 <"$srcdir/shadow-strncpy-usage.patch" - - # supress etc/pam.d/*, we provide our own - sed -i '/^SUBDIRS/s/pam.d//' etc/Makefile.in - + autoreconf -fsiv ./configure \ --prefix=/usr \ --bindir=/usr/bin \ --sbindir=/usr/bin \ - --libdir=/lib \ + --libdir=/usr/lib \ --mandir=/usr/share/man \ --sysconfdir=/etc \ + --disable-account-tools-setuid \ --with-libpam \ - --without-selinux \ - --with-group-name-max-length=32 + --with-group-name-max-length=32 \ + --with-audit \ + --without-selinux make } 
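Review bot: The two local hardening patches (`xstrdup.patch`, a NULL guard, and `shadow-strncpy-usage.patch`, which NUL-terminates the login prompt buffer) are dropped from `build()` with no record that 4.8.1 carries equivalent fixes. The removed comment said they still had to be offered upstream, so this should be confirmed against the 4.8.1 sources and noted in the commit message or in a PKGBUILD comment. Separately, the integrity array is still `sha1sums`: the tarball is covered by the `.asc` signature and `validpgpkeys`, but `login.defs`, the PAM files and the new units are pinned by SHA-1 only, and makepkg accepts `sha256sums=(...)` in its place.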
@@ -85,16 +72,19 @@ package() { install -Dm644 "$srcdir/LICENSE" "$pkgdir/usr/share/licenses/shadow/LICENSE" # useradd defaults - install -Dm644 "$srcdir/useradd.defaults" "$pkgdir/etc/default/useradd" + install -Dm600 "$srcdir/useradd.defaults" "$pkgdir/etc/default/useradd" - # cron job - install -Dm744 "$srcdir/shadow.cron.daily" "$pkgdir/etc/cron.daily/shadow" + # systemd units + install -D -m644 "$srcdir/shadow.timer" "$pkgdir/usr/lib/systemd/system/shadow.timer" + install -D -m644 "$srcdir/shadow.service" "$pkgdir/usr/lib/systemd/system/shadow.service" + install -d -m755 "$pkgdir/usr/lib/systemd/system/timers.target.wants" + ln -s ../shadow.timer "$pkgdir/usr/lib/systemd/system/timers.target.wants/shadow.timer" # login.defs install -Dm644 "$srcdir/login.defs" "$pkgdir/etc/login.defs" # PAM config - custom - install -dm755 "$pkgdir/etc/pam.d" + rm "$pkgdir/etc/pam.d"/* install -t "$pkgdir/etc/pam.d" -m644 "$srcdir"/{passwd,chgpasswd,chpasswd,newusers} # PAM config - from tarball @@ -106,9 +96,6 @@ package() { install -Dm644 "$srcdir/defaults.pam" "$pkgdir/etc/pam.d/$file" done - # lastlog log file creation - install -Dm644 "$srcdir/lastlog.tmpfiles" "${pkgdir}/usr/lib/tmpfiles.d/lastlog.conf" - # Remove evil/broken tools rm "$pkgdir"/usr/sbin/logoutd diff --git a/abs/core/shadow/lastlog.tmpfiles b/abs/core/shadow/lastlog.tmpfiles deleted file mode 100644 index 9c07b39..0000000 --- a/abs/core/shadow/lastlog.tmpfiles +++ /dev/null @@ -1 +0,0 @@ -f /var/log/lastlog 0644 root root diff --git a/abs/core/shadow/login.defs b/abs/core/shadow/login.defs index 5913671..a0afbc1 100644 --- a/abs/core/shadow/login.defs +++ b/abs/core/shadow/login.defs 
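Review bot: `rm "$pkgdir/etc/pam.d"/*` now depends on upstream's `make install` having created and populated `etc/pam.d`, because the `install -dm755` line and the `sed` in `build()` that suppressed upstream's PAM files are both gone. If the glob matches nothing, `rm` receives a literal `*` and fails, and the directory mode is whatever upstream's install step chose. Keeping the directory creation and making the cleanup tolerant avoids both: `install -dm755 "$pkgdir/etc/pam.d"` followed by `rm -f -- "$pkgdir"/etc/pam.d/*`. A comment should also say that every PAM-aware tool installed by 4.8.1 must appear in the two install lists that follow, since a tool left without its own file falls back to the system's `other` PAM policy. package() starts and ends outside this hunk.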
@@ -81,8 +81,8 @@ HUSHLOGIN_FILE .hushlogin # *REQUIRED* The default PATH settings, for superuser and normal users. # # (they are minimal, add the rest in the shell startup files) -ENV_SUPATH PATH=/usr/bin -ENV_PATH PATH=/usr/bin +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin +ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin # # Terminal permissions @@ -201,3 +201,8 @@ USERGROUPS_ENAB yes # file. # MOTD_FILE + +# +# Hash shadow passwords with SHA512. +# +ENCRYPT_METHOD SHA512 diff --git a/abs/core/shadow/shadow-strncpy-usage.patch b/abs/core/shadow/shadow-strncpy-usage.patch deleted file mode 100644 index 5aba8fa..0000000 --- a/abs/core/shadow/shadow-strncpy-usage.patch +++ /dev/null @@ -1,25 +0,0 @@ -diff -u shadow-4.1.5/src/usermod.c.orig shadow-4.1.5/src/usermod.c ---- shadow-4.1.5/src/usermod.c.orig 2012-02-13 08:19:43.792146449 -0500 -+++ shadow-4.1.5/src/usermod.c 2012-02-13 08:21:19.375114500 -0500 -@@ -182,7 +182,7 @@ - struct tm *tp; - - if (date < 0) { -- strncpy (buf, "never", maxsize); -+ strncpy (buf, "never", maxsize - 1); - } else { - time_t t = (time_t) date; - tp = gmtime (&t); -diff -u shadow-4.1.5/src/login.c.orig shadow-4.1.5/src/login.c ---- shadow-4.1.5/src/login.c.orig 2012-02-13 08:19:50.951994454 -0500 -+++ shadow-4.1.5/src/login.c 2012-02-13 08:21:04.490430937 -0500 -@@ -752,7 +752,8 @@ - _("%s login: "), hostn); - } else { - strncpy (loginprompt, _("login: "), -- sizeof (loginprompt)); -+ sizeof (loginprompt) - 1); -+ loginprompt[sizeof (loginprompt) - 1] = '\0'; - } - - retcode = pam_set_item (pamh, PAM_USER_PROMPT, loginprompt); diff --git a/abs/core/shadow/shadow.cron.daily b/abs/core/shadow/shadow.cron.daily deleted file mode 100755 index 1373ecd..0000000 --- a/abs/core/shadow/shadow.cron.daily +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/sh - -# Verify integrity of password and group files -/usr/bin/pwck -r -/usr/bin/grpck -r - 
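Review bot: `ENV_SUPATH` now puts `/usr/local/sbin` and `/usr/local/bin` ahead of `/usr/bin` for root logins, so an executable placed under `/usr/local` takes precedence over the packaged system binary of the same name in a superuser session. That is a common default, but it rests on `/usr/local` being writable by root only. A one-line comment above the setting would record the assumption, for example `# /usr/local precedes /usr/bin: keep /usr/local/{bin,sbin} root-owned and not group- or world-writable`.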
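Review bot: `ENCRYPT_METHOD SHA512` is added without a rounds setting, so new hashes get the sha512crypt default work factor (5000 rounds, as far as I know). If a higher cost is wanted, `SHA_CRYPT_MIN_ROUNDS` and `SHA_CRYPT_MAX_ROUNDS` belong next to this line. The comment could also state that existing `/etc/shadow` entries keep their old hash until the password is next changed. On this PAM-enabled build the `pam_unix` options in the `passwd` PAM file may decide the hash for interactive password changes, so it is worth checking that the two agree.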
diff --git a/abs/core/shadow/shadow.install b/abs/core/shadow/shadow.install
index 14384c3..83d9ab7 100644
--- a/abs/core/shadow/shadow.install
+++ b/abs/core/shadow/shadow.install
@@ -1,9 +1,22 @@
+setcaps() {
+ _setcap() {
+ if filecap "$1" "$2"; then
+ chmod -s "$1"
+ fi
+ }
+
+ # shadow ships these as setuid, but if we can apply file caps, use those instead.
+ # 'filecap' insists on absolute paths
+ _setcap /usr/bin/newuidmap setuid
+ _setcap /usr/bin/newgidmap setgid
+}
+
+post_install() {
+ setcaps
+}
+
 post_upgrade() {
- grpck -r >/dev/null 2>&1
- if [ $? -eq 2 ]; then
- printf '%s\n' \
- "==> Warning: /etc/group or /etc/gshadow are inconsistent." \
- " Run 'grpck' to correct this."
- fi
- return 0
+ setcaps
 }
+
+# vim:set ts=2 sw=2 et:
diff --git a/abs/core/shadow/shadow.service b/abs/core/shadow/shadow.service
new file mode 100644
index 0000000..39025d9
--- /dev/null
+++ b/abs/core/shadow/shadow.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Verify integrity of password and group files
+After=systemd-sysusers.service
+
+[Service]
+Type=simple
+# Always run both checks, but fail the service if either fails
+ExecStart=/bin/sh -c '/usr/bin/pwck -r || r=1; /usr/bin/grpck -r && exit $r'
+Nice=19
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
diff --git a/abs/core/shadow/shadow.timer b/abs/core/shadow/shadow.timer
new file mode 100644
index 0000000..9cc6baa
--- /dev/null
+++ b/abs/core/shadow/shadow.timer
@@ -0,0 +1,7 @@
+[Unit]
+Description=Daily verification of password and group files
+
+[Timer]
+OnCalendar=daily
+AccuracySec=12h
+Persistent=true
diff --git a/abs/core/shadow/useradd.defaults b/abs/core/shadow/useradd.defaults
index b800b17..e07fe27 100644
--- a/abs/core/shadow/useradd.defaults
+++ b/abs/core/shadow/useradd.defaults
@@ -1,6 +1,6 @@
 # useradd defaults file for ArchLinux
 # original changes by TomK
-GROUP=100
+GROUP=users
 HOME=/home
 INACTIVE=-1
 EXPIRE=
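Review bot: When `filecap` fails inside `_setcap`, the scriptlet prints nothing of its own and `newuidmap`/`newgidmap` stay setuid root, so the install output does not clearly show which privilege model the system ended up with. An `else` branch would make the fallback visible: `else printf '==> Warning: could not set file capabilities on %s, leaving it setuid\n' "$1"`. As a style point, `_setcap` is defined inside `setcaps` but still becomes a global function in the scriptlet's shell once `setcaps` has run, so defining it at top level would be more honest about its scope.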
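Review bot: The new `[Service]` section in shadow.service runs the check as root with no sandboxing, although `pwck -r` and `grpck -r` are read-only by design; a few systemd hardening directives would hold the unit to that. `ProtectHome=read-only` is used rather than `yes` because pwck also checks that home directories exist. `Type=oneshot` describes a run-to-completion check better than `Type=simple`. These settings are untested against this package and should be tried on a system before they are merged.

```ini
[Service]
Type=oneshot
# … unchanged: ExecStart, Nice, IOSchedulingClass, IOSchedulingPriority …
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
```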
diff --git a/abs/core/shadow/xstrdup.patch b/abs/core/shadow/xstrdup.patch
deleted file mode 100644
index bce4342..0000000
--- a/abs/core/shadow/xstrdup.patch
+++ /dev/null
@@ -1,9 +0,0 @@
---- shadow-4.1.2.1/libmisc/xmalloc.c 2008-08-30 21:55:44.000000000 -0500
-+++ shadow-4.1.2.1/libmisc/xmalloc.c.new 2008-08-30 21:55:36.000000000 -0500
-@@ -61,5 +61,6 @@
-
-char *xstrdup (const char *str)
-{
-+ if(str == NULL) return NULL;
- return strcpy (xmalloc (strlen (str) + 1), str);
- }
-- cgit v0.12