diff options
Diffstat (limited to 'debian/patches')
23 files changed, 1588 insertions, 0 deletions
diff --git a/debian/patches/008_login_log_failure_in_FTMP b/debian/patches/008_login_log_failure_in_FTMP new file mode 100644 index 0000000..b2851cc --- /dev/null +++ b/debian/patches/008_login_log_failure_in_FTMP @@ -0,0 +1,51 @@ +Goal: Log login failures to the btmp file + +Notes: + * I'm not sure login should add an entry in the FTMP file when PAM is used. + (but nothing in /etc/login.defs indicates that the failure is not logged) + +--- a/src/login.c ++++ b/src/login.c +@@ -835,6 +835,24 @@ + (void) puts (""); + (void) puts (_("Login incorrect")); + ++ if (getdef_str("FTMP_FILE") != NULL) { ++#ifdef USE_UTMPX ++ struct utmpx *failent = ++ prepare_utmpx (failent_user, ++ tty, ++ /* FIXME: or fromhost? */hostname, ++ utent); ++#else /* !USE_UTMPX */ ++ struct utmp *failent = ++ prepare_utmp (failent_user, ++ tty, ++ hostname, ++ utent); ++#endif /* !USE_UTMPX */ ++ failtmp (failent_user, failent); ++ free (failent); ++ } ++ + if (failcount >= retries) { + SYSLOG ((LOG_NOTICE, + "TOO MANY LOGIN TRIES (%u)%s FOR '%s'", +--- a/lib/getdef.c ++++ b/lib/getdef.c +@@ -62,6 +62,7 @@ + {"ERASECHAR", NULL}, + {"FAIL_DELAY", NULL}, + {"FAKE_SHELL", NULL}, ++ {"FTMP_FILE", NULL}, + {"GID_MAX", NULL}, + {"GID_MIN", NULL}, + {"HUSHLOGIN_FILE", NULL}, +@@ -103,7 +104,6 @@ + {"ENVIRON_FILE", NULL}, + {"ENV_TZ", NULL}, + {"FAILLOG_ENAB", NULL}, +- {"FTMP_FILE", NULL}, + {"ISSUE_FILE", NULL}, + {"LASTLOG_ENAB", NULL}, + {"LOGIN_STRING", NULL}, diff --git a/debian/patches/401_cppw_src.dpatch b/debian/patches/401_cppw_src.dpatch new file mode 100644 index 0000000..687f9e9 --- /dev/null +++ b/debian/patches/401_cppw_src.dpatch @@ -0,0 +1,276 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 401_cppw_src.dpatch by Nicolas FRANCOIS <nicolas.francois@centraliens.net> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Add cppw / cpgr + +@DPATCH@ +--- /dev/null ++++ b/src/cppw.c +@@ -0,0 +1,238 @@ ++/* ++ cppw, cpgr copy with locking given file over the password or group file ++ with -s will copy with locking given file over shadow or gshadow file ++ ++ Copyright (C) 1999 Stephen Frost <sfrost@snowman.net> ++ ++ Based on vipw, vigr by: ++ Copyright (C) 1997 Guy Maor <maor@ece.utexas.edu> ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 2 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, but ++ WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program; if not, write to the Free Software ++ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. ++ ++ */ ++ ++#include <config.h> ++#include "defines.h" ++ ++#include <errno.h> ++#include <sys/stat.h> ++#include <unistd.h> ++#include <stdio.h> ++#include <stdlib.h> ++#include <sys/types.h> ++#include <signal.h> ++#include <utime.h> ++#include "exitcodes.h" ++#include "prototypes.h" ++#include "pwio.h" ++#include "shadowio.h" ++#include "groupio.h" ++#include "sgroupio.h" ++ ++ ++const char *Prog; ++ ++const char *filename, *filenewname; ++static bool filelocked = false; ++static int (*unlock) (void); ++ ++/* local function prototypes */ ++static int create_copy (FILE *fp, const char *dest, struct stat *sb); ++static void cppwexit (const char *msg, int syserr, int ret); ++static void cppwcopy (const char *file, ++ const char *in_file, ++ int (*file_lock) (void), ++ int (*file_unlock) (void)); ++ ++static int create_copy (FILE *fp, const char *dest, struct stat *sb) ++{ ++ struct utimbuf ub; ++ FILE *bkfp; ++ int c; ++ mode_t mask; ++ ++ mask = umask (077); ++ bkfp = fopen (dest, "w"); ++ (void) umask (mask); ++ if (NULL == bkfp) { ++ return -1; ++ } ++ ++ rewind (fp); ++ while ((c = getc (fp)) != EOF) { ++ if (putc (c, bkfp) == EOF) { ++ break; ++ } ++ } ++ ++ if ( (c != EOF) ++ || (fflush (bkfp) != 0)) { ++ (void) fclose (bkfp); ++ (void) unlink (dest); ++ return -1; ++ } ++ if ( (fsync (fileno (bkfp)) != 0) ++ || (fclose (bkfp) != 0)) { ++ (void) unlink (dest); ++ return -1; ++ } ++ ++ ub.actime = sb->st_atime; ++ ub.modtime = sb->st_mtime; ++ if ( (utime (dest, &ub) != 0) ++ || (chmod (dest, sb->st_mode) != 0) ++ || (chown (dest, sb->st_uid, sb->st_gid) != 0)) { ++ (void) unlink (dest); ++ return -1; ++ } ++ return 0; ++} ++ ++static void cppwexit (const char *msg, int syserr, int ret) ++{ ++ int err = errno; ++ if (filelocked) { ++ (*unlock) (); ++ } ++ if (NULL != msg) { ++ fprintf (stderr, "%s: %s", Prog, msg); ++ if (0 != syserr) { ++ fprintf (stderr, ": %s", strerror (err)); ++ } ++ (void) fputs ("\n", stderr); ++ } ++ if (NULL != filename) { ++ fprintf (stderr, _("%s: %s is unchanged\n"), Prog, filename); ++ } else { ++ fprintf (stderr, _("%s: no changes\n"), Prog); ++ } ++ ++ exit (ret); ++} ++ ++static void cppwcopy (const char *file, ++ const char *in_file, ++ int (*file_lock) (void), ++ int (*file_unlock) (void)) ++{ ++ struct stat st1; ++ FILE *f; ++ char filenew[1024]; ++ ++ snprintf (filenew, sizeof filenew, "%s.new", file); ++ unlock = file_unlock; ++ filename = file; ++ filenewname = filenew; ++ ++ if (access (file, F_OK) != 0) { ++ cppwexit (file, 1, 1); ++ } ++ if (file_lock () == 0) { ++ cppwexit (_("Couldn't lock file"), 0, 5); ++ } ++ filelocked = true; ++ ++ /* file to copy has same owners, perm */ ++ if (stat (file, &st1) != 0) { ++ cppwexit (file, 1, 1); ++ } ++ f = fopen (in_file, "r"); ++ if (NULL == f) { ++ cppwexit (in_file, 1, 1); ++ } ++ if (create_copy (f, filenew, &st1) != 0) { ++ cppwexit (_("Couldn't make copy"), errno, 1); ++ } ++ ++ /* XXX - here we should check filenew for errors; if there are any, ++ * fail w/ an appropriate error code and let the user manually fix ++ * it. Use pwck or grpck to do the check. - Stephen (Shamelessly ++ * stolen from '--marekm's comment) */ ++ ++ if (rename (filenew, file) != 0) { ++ fprintf (stderr, _("%s: can't copy %s: %s)\n"), ++ Prog, filenew, strerror (errno)); ++ cppwexit (NULL,0,1); ++ } ++ ++ (*file_unlock) (); ++} ++ ++int main (int argc, char **argv) ++{ ++ int flag; ++ bool cpshadow = false; ++ char *in_file; ++ int e = E_USAGE; ++ bool do_cppw = true; ++ ++ (void) setlocale (LC_ALL, ""); ++ (void) bindtextdomain (PACKAGE, LOCALEDIR); ++ (void) textdomain (PACKAGE); ++ ++ Prog = Basename (argv[0]); ++ if (strcmp (Prog, "cpgr") == 0) { ++ do_cppw = false; ++ } ++ ++ while ((flag = getopt (argc, argv, "ghps")) != EOF) { ++ switch (flag) { ++ case 'p': ++ do_cppw = true; ++ break; ++ case 'g': ++ do_cppw = false; ++ break; ++ case 's': ++ cpshadow = true; ++ break; ++ case 'h': ++ e = E_SUCCESS; ++ /*pass through*/ ++ default: ++ (void) fputs (_("Usage:\n\ ++`cppw <file>' copys over /etc/passwd `cppw -s <file>' copys over /etc/shadow\n\ ++`cpgr <file>' copys over /etc/group `cpgr -s <file>' copys over /etc/gshadow\n\ ++"), (E_SUCCESS != e) ? stderr : stdout); ++ exit (e); ++ } ++ } ++ ++ if (argc != optind + 1) { ++ cppwexit (_("wrong number of arguments, -h for usage"),0,1); ++ } ++ ++ in_file = argv[optind]; ++ ++ if (do_cppw) { ++ if (cpshadow) { ++ cppwcopy (SHADOW_FILE, in_file, spw_lock, spw_unlock); ++ } else { ++ cppwcopy (PASSWD_FILE, in_file, pw_lock, pw_unlock); ++ } ++ } else { ++#ifdef SHADOWGRP ++ if (cpshadow) { ++ cppwcopy (SGROUP_FILE, in_file, sgr_lock, sgr_unlock); ++ } else ++#endif /* SHADOWGRP */ ++ { ++ cppwcopy (GROUP_FILE, in_file, gr_lock, gr_unlock); ++ } ++ } ++ ++ return 0; ++} ++ +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -26,6 +26,7 @@ + sbin_PROGRAMS = nologin + ubin_PROGRAMS = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd + usbin_PROGRAMS = \ ++ cppw \ + chgpasswd \ + chpasswd \ + groupadd \ +@@ -82,6 +83,7 @@ + chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT) + chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) + chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) ++cppw_LDADD = $(LDADD) $(LIBSELINUX) + gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) + groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) + groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) +--- a/po/POTFILES.in ++++ b/po/POTFILES.in +@@ -85,6 +85,7 @@ + src/chgpasswd.c + src/chpasswd.c + src/chsh.c ++src/cppw.c + src/expiry.c + src/faillog.c + src/gpasswd.c diff --git a/debian/patches/402_cppw_selinux b/debian/patches/402_cppw_selinux new file mode 100644 index 0000000..b92767f --- /dev/null +++ b/debian/patches/402_cppw_selinux @@ -0,0 +1,62 @@ +Goal: Add selinux support to cppw + +Fix: + +Status wrt upstream: cppw is not available upstream. + The patch was made based on the + 302_vim_selinux_support patch. It needs to be + reviewed by an SE-Linux aware person. + +Depends on 401_cppw_src.dpatch + +--- a/src/cppw.c ++++ b/src/cppw.c +@@ -34,6 +34,9 @@ + #include <sys/types.h> + #include <signal.h> + #include <utime.h> ++#ifdef WITH_SELINUX ++#include <selinux/selinux.h> ++#endif /* WITH_SELINUX */ + #include "exitcodes.h" + #include "prototypes.h" + #include "pwio.h" +@@ -139,6 +142,22 @@ + if (access (file, F_OK) != 0) { + cppwexit (file, 1, 1); + } ++#ifdef WITH_SELINUX ++ /* if SE Linux is enabled then set the context of all new files ++ * to be the context of the file we are editing */ ++ if (is_selinux_enabled () > 0) { ++ security_context_t passwd_context=NULL; ++ int ret = 0; ++ if (getfilecon (file, &passwd_context) < 0) { ++ cppwexit (_("Couldn't get file context"), errno, 1); ++ } ++ ret = setfscreatecon (passwd_context); ++ freecon (passwd_context); ++ if (0 != ret) { ++ cppwexit (_("setfscreatecon () failed"), errno, 1); ++ } ++ } ++#endif /* WITH_SELINUX */ + if (file_lock () == 0) { + cppwexit (_("Couldn't lock file"), 0, 5); + } +@@ -167,6 +186,15 @@ + cppwexit (NULL,0,1); + } + ++#ifdef WITH_SELINUX ++ /* unset the fscreatecon */ ++ if (is_selinux_enabled () > 0) { ++ if (setfscreatecon (NULL)) { ++ cppwexit (_("setfscreatecon() failed"), errno, 1); ++ } ++ } ++#endif /* WITH_SELINUX */ ++ + (*file_unlock) (); + } + diff --git a/debian/patches/428_grpck_add_prune_option b/debian/patches/428_grpck_add_prune_option new file mode 100644 index 0000000..e71f142 --- /dev/null +++ b/debian/patches/428_grpck_add_prune_option @@ -0,0 +1,26 @@ +Goal: grpck now has an (otherwise undocumented) -p option, so that + shadowconfig can clean up the results of the above, so the config + script will fail randomly less often. +Fixes: #103385 + +Status wrt upstream: It could certainly be submitted to upstream. + +--- a/src/grpck.c ++++ b/src/grpck.c +@@ -81,6 +81,7 @@ + /* Options */ + static bool read_only = false; + static bool sort_mode = false; ++static bool prune = false; + + /* local function prototypes */ + static void fail_exit (int status); +@@ -203,7 +204,7 @@ + /* + * Parse the command line arguments + */ +- while ((c = getopt_long (argc, argv, "hqrR:s", ++ while ((c = getopt_long (argc, argv, "hqprR:s", + long_options, NULL)) != -1) { + switch (c) { + case 'h': diff --git a/debian/patches/429_login_FAILLOG_ENAB b/debian/patches/429_login_FAILLOG_ENAB new file mode 100644 index 0000000..57a6d15 --- /dev/null +++ b/debian/patches/429_login_FAILLOG_ENAB @@ -0,0 +1,92 @@ +Goal: Re-enable logging and displaying failures on login when login is + compiled with PAM and when FAILLOG_ENAB is set to yes. And create the + faillog file if it does not exist on postinst (as on Woody). +Depends: 008_login_more_LOG_UNKFAIL_ENAB +Fixes: #192849 + +Note: It could be removed if pam_tally could report the number of failures + preceding a successful login. + +--- a/src/login.c ++++ b/src/login.c +@@ -133,9 +133,9 @@ + /*@null@*/const struct utmp *utent); + #endif /* ! USE_PAM */ + +-#ifndef USE_PAM + static struct faillog faillog; + ++#ifndef USE_PAM + static void bad_time_notify (void); + static void check_nologin (bool login_to_root); + #else +@@ -795,6 +795,9 @@ + SYSLOG ((LOG_NOTICE, + "TOO MANY LOGIN TRIES (%u)%s FOR '%s'", + failcount, fromhost, failent_user)); ++ if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) { ++ failure (pwd->pw_uid, tty, &faillog); ++ } + fprintf (stderr, + _("Maximum number of tries exceeded (%u)\n"), + failcount); +@@ -812,6 +815,14 @@ + pam_strerror (pamh, retcode))); + failed = true; + } ++ if ( (NULL != pwd) ++ && getdef_bool("FAILLOG_ENAB") ++ && ! failcheck (pwd->pw_uid, &faillog, failed)) { ++ SYSLOG((LOG_CRIT, ++ "exceeded failure limit for `%s' %s", ++ failent_user, fromhost)); ++ failed = 1; ++ } + + if (!failed) { + break; +@@ -835,6 +846,10 @@ + (void) puts (""); + (void) puts (_("Login incorrect")); + ++ if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) { ++ failure (pwd->pw_uid, tty, &faillog); ++ } ++ + if (getdef_str("FTMP_FILE") != NULL) { + #ifdef USE_UTMPX + struct utmpx *failent = +@@ -1291,6 +1306,7 @@ + */ + #ifndef USE_PAM + motd (); /* print the message of the day */ ++#endif + if ( getdef_bool ("FAILLOG_ENAB") + && (0 != faillog.fail_cnt)) { + failprint (&faillog); +@@ -1303,6 +1319,7 @@ + username, (int) faillog.fail_cnt)); + } + } ++#ifndef USE_PAM + if ( getdef_bool ("LASTLOG_ENAB") + && (ll.ll_time != 0)) { + time_t ll_time = ll.ll_time; +--- a/lib/getdef.c ++++ b/lib/getdef.c +@@ -61,6 +61,7 @@ + {"ENV_SUPATH", NULL}, + {"ERASECHAR", NULL}, + {"FAIL_DELAY", NULL}, ++ {"FAILLOG_ENAB", NULL}, + {"FAKE_SHELL", NULL}, + {"FTMP_FILE", NULL}, + {"GID_MAX", NULL}, +@@ -103,7 +104,6 @@ + {"ENV_HZ", NULL}, + {"ENVIRON_FILE", NULL}, + {"ENV_TZ", NULL}, +- {"FAILLOG_ENAB", NULL}, + {"ISSUE_FILE", NULL}, + {"LASTLOG_ENAB", NULL}, + {"LOGIN_STRING", NULL}, diff --git a/debian/patches/463_login_delay_obeys_to_PAM b/debian/patches/463_login_delay_obeys_to_PAM new file mode 100644 index 0000000..26285ea --- /dev/null +++ b/debian/patches/463_login_delay_obeys_to_PAM @@ -0,0 +1,105 @@ +Goal: Do not hardcode pam_fail_delay and let pam_unix do its + job to set a delay...or not + +Fixes: #87648 + +Status wrt upstream: Forwarded but not applied yet + +Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs + +--- a/src/login.c ++++ b/src/login.c +@@ -529,7 +529,6 @@ + #if defined(HAVE_STRFTIME) && !defined(USE_PAM) + char ptime[80]; + #endif +- unsigned int delay; + unsigned int retries; + bool subroot = false; + #ifndef USE_PAM +@@ -549,6 +548,7 @@ + pid_t child; + char *pam_user = NULL; + #else ++ unsigned int delay; + struct spwd *spwd = NULL; + #endif + /* +@@ -709,7 +709,6 @@ + } + + environ = newenvp; /* make new environment active */ +- delay = getdef_unum ("FAIL_DELAY", 1); + retries = getdef_unum ("LOGIN_RETRIES", RETRIES); + + #ifdef USE_PAM +@@ -725,8 +724,7 @@ + + /* + * hostname & tty are either set to NULL or their correct values, +- * depending on how much we know. We also set PAM's fail delay to +- * ours. ++ * depending on how much we know. + * + * PAM_RHOST and PAM_TTY are used for authentication, only use + * information coming from login or from the caller (e.g. no utmp) +@@ -735,10 +733,6 @@ + PAM_FAIL_CHECK; + retcode = pam_set_item (pamh, PAM_TTY, tty); + PAM_FAIL_CHECK; +-#ifdef HAS_PAM_FAIL_DELAY +- retcode = pam_fail_delay (pamh, 1000000 * delay); +- PAM_FAIL_CHECK; +-#endif + /* if fflg, then the user has already been authenticated */ + if (!fflg) { + unsigned int failcount = 0; +@@ -779,12 +773,6 @@ + bool failed = false; + + failcount++; +-#ifdef HAS_PAM_FAIL_DELAY +- if (delay > 0) { +- retcode = pam_fail_delay(pamh, 1000000*delay); +- PAM_FAIL_CHECK; +- } +-#endif + + retcode = pam_authenticate (pamh, 0); + +@@ -1107,14 +1095,17 @@ + free (username); + username = NULL; + ++#ifndef USE_PAM + /* + * Wait a while (a la SVR4 /usr/bin/login) before attempting + * to login the user again. If the earlier alarm occurs + * before the sleep() below completes, login will exit. + */ ++ delay = getdef_unum ("FAIL_DELAY", 1); + if (delay > 0) { + (void) sleep (delay); + } ++#endif + + (void) puts (_("Login incorrect")); + +--- a/lib/getdef.c ++++ b/lib/getdef.c +@@ -60,7 +60,6 @@ + {"ENV_PATH", NULL}, + {"ENV_SUPATH", NULL}, + {"ERASECHAR", NULL}, +- {"FAIL_DELAY", NULL}, + {"FAILLOG_ENAB", NULL}, + {"FAKE_SHELL", NULL}, + {"FTMP_FILE", NULL}, +@@ -104,6 +103,7 @@ + {"ENV_HZ", NULL}, + {"ENVIRON_FILE", NULL}, + {"ENV_TZ", NULL}, ++ {"FAIL_DELAY", NULL}, + {"ISSUE_FILE", NULL}, + {"LASTLOG_ENAB", NULL}, + {"LOGIN_STRING", NULL}, diff --git a/debian/patches/501_commonio_group_shadow b/debian/patches/501_commonio_group_shadow new file mode 100644 index 0000000..436d48f --- /dev/null +++ b/debian/patches/501_commonio_group_shadow @@ -0,0 +1,37 @@ +Goal: save the [g]shadow files with the 'shadow' group and mode 0440 + +Fixes: #166793 + +--- a/lib/commonio.c ++++ b/lib/commonio.c +@@ -44,6 +44,7 @@ + #include <errno.h> + #include <stdio.h> + #include <signal.h> ++#include <grp.h> + #include "nscd.h" + #ifdef WITH_TCB + #include <tcb.h> +@@ -966,13 +967,20 @@ + goto fail; + } + } else { ++ struct group *grp; + /* + * Default permissions for new [g]shadow files. + * (passwd and group always exist...) + */ +- sb.st_mode = 0400; ++ sb.st_mode = 0440; + sb.st_uid = 0; +- sb.st_gid = 0; ++ /* ++ * Try to retrieve the shadow's GID, and fall back to GID 0. ++ */ ++ if ((grp = getgrnam("shadow")) != NULL) ++ sb.st_gid = grp->gr_gid; ++ else ++ sb.st_gid = 0; + } + + snprintf (buf, sizeof buf, "%s+", db->filename); diff --git a/debian/patches/503_shadowconfig.8 b/debian/patches/503_shadowconfig.8 new file mode 100644 index 0000000..9d78adf --- /dev/null +++ b/debian/patches/503_shadowconfig.8 @@ -0,0 +1,191 @@ +Goal: Document the shadowconfig utility + +Status wrt upstream: The shadowconfig utility is debian specific. + Its man page also (but it used to be distributed) + +--- /dev/null ++++ b/man/shadowconfig.8 +@@ -0,0 +1,41 @@ ++.\"Generated by db2man.xsl. Don't modify this, modify the source. ++.de Sh \" Subsection ++.br ++.if t .Sp ++.ne 5 ++.PP ++\fB\\$1\fR ++.PP ++.. ++.de Sp \" Vertical space (when we can't use .PP) ++.if t .sp .5v ++.if n .sp ++.. ++.de Ip \" List item ++.br ++.ie \\n(.$>=3 .ne \\$3 ++.el .ne 3 ++.IP "\\$1" \\$2 ++.. ++.TH "SHADOWCONFIG" 8 "19 Apr 1997" "" "" ++.SH NAME ++shadowconfig \- toggle shadow passwords on and off ++.SH "SYNOPSIS" ++.ad l ++.hy 0 ++.HP 13 ++\fBshadowconfig\fR \fB\fIon\fR\fR | \fB\fIoff\fR\fR ++.ad ++.hy ++ ++.SH "DESCRIPTION" ++ ++.PP ++\fBshadowconfig\fR on will turn shadow passwords on; \fIshadowconfig off\fR will turn shadow passwords off\&. \fBshadowconfig\fR will print an error message and exit with a nonzero code if it finds anything awry\&. If that happens, you should correct the error and run it again\&. Turning shadow passwords on when they are already on, or off when they are already off, is harmless\&. ++ ++.PP ++Read \fI/usr/share/doc/passwd/README\&.Debian\fR for a brief introduction to shadow passwords and related features\&. ++ ++.PP ++Note that turning shadow passwords off and on again will lose all password aging information\&. ++ +--- /dev/null ++++ b/man/shadowconfig.8.xml +@@ -0,0 +1,52 @@ ++<?xml version="1.0" encoding="UTF-8"?> ++<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" ++ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> ++<refentry id='shadowconfig.8'> ++ <!-- $Id: shadowconfig.8.xml,v 1.6 2005/06/15 12:39:27 kloczek Exp $ --> ++ <refentryinfo> ++ <date>19 Apr 1997</date> ++ </refentryinfo> ++ <refmeta> ++ <refentrytitle>shadowconfig</refentrytitle> ++ <manvolnum>8</manvolnum> ++ <refmiscinfo class='date'>19 Apr 1997</refmiscinfo> ++ <refmiscinfo class='source'>Debian GNU/Linux</refmiscinfo> ++ </refmeta> ++ <refnamediv id='name'> ++ <refname>shadowconfig</refname> ++ <refpurpose>toggle shadow passwords on and off</refpurpose> ++ </refnamediv> ++ ++ <refsynopsisdiv id='synopsis'> ++ <cmdsynopsis> ++ <command>shadowconfig</command> ++ <group choice='plain'> ++ <arg choice='plain'><replaceable>on</replaceable></arg> ++ <arg choice='plain'><replaceable>off</replaceable></arg> ++ </group> ++ </cmdsynopsis> ++ </refsynopsisdiv> ++ ++ <refsect1 id='description'> ++ <title>DESCRIPTION</title> ++ <para><command>shadowconfig</command> on will turn shadow passwords on; ++ <emphasis remap='B'>shadowconfig off</emphasis> will turn shadow ++ passwords off. <command>shadowconfig</command> will print an error ++ message and exit with a nonzero code if it finds anything awry. If ++ that happens, you should correct the error and run it again. Turning ++ shadow passwords on when they are already on, or off when they are ++ already off, is harmless. ++ </para> ++ ++ <para> ++ Read <filename>/usr/share/doc/passwd/README.Debian</filename> for a ++ brief introduction ++ to shadow passwords and related features. ++ </para> ++ ++ <para>Note that turning shadow passwords off and on again will lose all ++ password ++ aging information. ++ </para> ++ </refsect1> ++</refentry> +--- /dev/null ++++ b/man/fr/shadowconfig.8 +@@ -0,0 +1,26 @@ ++.\" This file was generated with po4a. Translate the source file. ++.\" ++.\"$Id: shadowconfig.8,v 1.4 2001/08/23 23:10:48 kloczek Exp $ ++.TH SHADOWCONFIG 8 "19 avril 1997" "Debian GNU/Linux" ++.SH NOM ++shadowconfig \- active ou désactive les mots de passe cachés ++.SH SYNOPSIS ++\fBshadowconfig\fP \fIon\fP | \fIoff\fP ++.SH DESCRIPTION ++.PP ++\fBshadowconfig on\fP active les mots de passe cachés («\ shadow passwords\ »)\ ; \fBshadowconfig off\fP les désactive. \fBShadowconfig\fP affiche un message ++d'erreur et quitte avec une valeur de retour non nulle s'il rencontre ++quelque chose d'inattendu. Dans ce cas, vous devrez corriger l'erreur avant ++de recommencer. ++ ++Activer les mots de passe cachés lorsqu'ils sont déjà activés, ou les ++désactiver lorsqu'ils ne sont pas actifs est sans effet. ++ ++Lisez \fI/usr/share/doc/passwd/README.Debian\fP pour une brève introduction aux ++mots de passe cachés et à leurs fonctionnalités. ++ ++Notez que désactiver puis réactiver les mots de passe cachés aura pour ++conséquence la perte des informations d'âge sur les mots de passe. ++.SH TRADUCTION ++Nicolas FRANÇOIS, 2004. ++Veuillez signaler toute erreur à <\fIdebian\-l10\-french@lists.debian.org\fR>. +--- /dev/null ++++ b/man/ja/shadowconfig.8 +@@ -0,0 +1,25 @@ ++.\" all right reserved, ++.\" Translated Tue Oct 30 11:59:11 JST 2001 ++.\" by Maki KURODA <mkuroda@aisys-jp.com> ++.\" ++.TH SHADOWCONFIG 8 "19 Apr 1997" "Debian GNU/Linux" ++.SH 名前 ++shadowconfig \- shadow パスワードの設定をオン及びオフに切替える ++.SH 書式 ++.B "shadowconfig" ++.IR on " | " off ++.SH 説明 ++.PP ++.B shadowconfig on ++は shadow パスワードを有効にする。 ++.B shadowconfig off ++は shadow パスワードを無効にする。 ++.B shadowconfig ++は何らかの間違いがあると、エラーメッセージを表示し、 ++ゼロではない返り値を返す。 ++もしそのようなことが起こった場合、エラーを修正し、再度実行しなければならない。 ++shadow パスワードの設定がすでにオンの場合にオンに設定したり、 ++すでにオフの場合にオフに設定しても、何の影響もない。 ++ ++.I /usr/share/doc/passwd/README.debian.gz ++には shadow パスワードとそれに関する特徴の簡単な紹介が書かれている。 +--- /dev/null ++++ b/man/pl/shadowconfig.8 +@@ -0,0 +1,27 @@ ++.\" $Id: shadowconfig.8,v 1.3 2001/08/23 23:10:51 kloczek Exp $ ++.\" {PTM/WK/1999-09-14} ++.TH SHADOWCONFIG 8 "19 kwietnia 1997" "Debian GNU/Linux" ++.SH NAZWA ++shadowconfig - przełącza ochronę haseł i grup przez pliki shadow ++.SH SKŁADNIA ++.B "shadowconfig" ++.IR on " | " off ++.SH OPIS ++.PP ++.B shadowconfig on ++włącza ochronę haseł i grup przez dodatkowe, przesłaniane pliki (shadow); ++.B shadowconfig off ++wyłącza dodatkowe pliki haseł i grup. ++.B shadowconfig ++wyświetla komunikat o błędzie i kończy pracę z niezerowym kodem jeśli ++znajdzie coś nieprawidłowego. W takim wypadku powinieneś poprawić błąd ++.\" if it finds anything awry. ++i uruchomić program ponownie. ++ ++Włączenie ochrony haseł, gdy jest ona już włączona lub jej wyłączenie, ++gdy jest wyłączona jest nieszkodliwe. ++ ++Przeczytaj ++.IR /usr/share/doc/passwd/README.debian.gz , ++gdzie znajdziesz krótkie wprowadzenie do ochrony haseł z użyciem dodatkowych ++plików haseł przesłanianych (shadow passwords) i związanych tematów. diff --git a/debian/patches/505_useradd_recommend_adduser b/debian/patches/505_useradd_recommend_adduser new file mode 100644 index 0000000..c5c3587 --- /dev/null +++ b/debian/patches/505_useradd_recommend_adduser @@ -0,0 +1,36 @@ +Goal: Recommend using adduser and deluser. + +Fixes: #406046 + +Status wrt upstream: Debian specific patch. + +--- a/man/useradd.8.xml ++++ b/man/useradd.8.xml +@@ -84,6 +84,12 @@ + <refsect1 id='description'> + <title>DESCRIPTION</title> + <para> ++ <command>useradd</command> is a low level utility for adding ++ users. On Debian, administrators should usually use ++ <citerefentry><refentrytitle>adduser</refentrytitle> ++ <manvolnum>8</manvolnum></citerefentry> instead. ++ </para> ++ <para> + When invoked without the <option>-D</option> option, the + <command>useradd</command> command creates a new user account using + the values specified on the command line plus the default values from +--- a/man/userdel.8.xml ++++ b/man/userdel.8.xml +@@ -64,6 +64,12 @@ + <refsect1 id='description'> + <title>DESCRIPTION</title> + <para> ++ <command>userdel</command> is a low level utility for removing ++ users. On Debian, administrators should usually use ++ <citerefentry><refentrytitle>deluser</refentrytitle> ++ <manvolnum>8</manvolnum></citerefentry> instead. ++ </para> ++ <para> + The <command>userdel</command> command modifies the system account + files, deleting all entries that refer to the user name <emphasis + remap='I'>LOGIN</emphasis>. The named user must exist. diff --git a/debian/patches/506_relaxed_usernames b/debian/patches/506_relaxed_usernames new file mode 100644 index 0000000..bdf3961 --- /dev/null +++ b/debian/patches/506_relaxed_usernames @@ -0,0 +1,100 @@ +Goal: Relaxed usernames/groupnames checking patch. + +Status wrt upstream: Debian specific. Not to be used upstream + +Details: + Allows any non-empty user/grounames that don't contain ':', ',' or '\n' + characters and don't start with '-', '+', or '~'. This patch is more + restrictive than original Karl's version. closes: #264879 + Also closes: #377844 + + Comments from Karl Ramm (shadow 1:4.0.3-9, 20 Aug 2003 02:06:50 -0400): + + I can't come up with a good justification as to why characters other + than ':'s and '\0's should be disallowed in group and usernames (other + than '-' as the leading character). Thus, the maintenance tools don't + anymore. closes: #79682, #166798, #171179 + +--- a/libmisc/chkname.c ++++ b/libmisc/chkname.c +@@ -48,6 +48,7 @@ + + static bool is_valid_name (const char *name) + { ++#if 0 + /* + * User/group names must match [a-z_][a-z0-9_-]*[$] + */ +@@ -66,6 +67,26 @@ + return false; + } + } ++#endif ++ /* ++ * POSIX indicate that usernames are composed of characters from the ++ * portable filename character set [A-Za-z0-9._-], and that the hyphen ++ * should not be used as the first character of a portable user name. ++ * ++ * Allow more relaxed user/group names in Debian -- ^[^-~+:,\s][^:,\s]*$ ++ */ ++ if ( ('\0' == *name) ++ || ('-' == *name) ++ || ('~' == *name) ++ || ('+' == *name)) { ++ return false; ++ } ++ do { ++ if ((':' == *name) || (',' == *name) || isspace(*name)) { ++ return false; ++ } ++ name++; ++ } while ('\0' != *name); + + return true; + } +--- a/man/useradd.8.xml ++++ b/man/useradd.8.xml +@@ -635,12 +635,20 @@ + </para> + + <para> +- Usernames must start with a lower case letter or an underscore, ++ It is usually recommended to only use usernames that begin with a lower case letter or an underscore, + followed by lower case letters, digits, underscores, or dashes. + They can end with a dollar sign. + In regular expression terms: [a-z_][a-z0-9_-]*[$]? + </para> + <para> ++ On Debian, the only constraints are that usernames must neither start ++ with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a ++ colon (':'), a comma (','), or a whitespace (space: ' ', ++ end of line: '\n', tabulation: '\t', etc.). Note that using a slash ++ ('/') may break the default algorithm for the definition of the ++ user's home directory. ++ </para> ++ <para> + Usernames may only be up to 32 characters long. + </para> + </refsect1> +--- a/man/groupadd.8.xml ++++ b/man/groupadd.8.xml +@@ -240,12 +240,18 @@ + <refsect1 id='caveats'> + <title>CAVEATS</title> + <para> +- Groupnames must start with a lower case letter or an underscore, ++ It is usually recommended to only use groupnames that begin with a lower case letter or an underscore, + followed by lower case letters, digits, underscores, or dashes. + They can end with a dollar sign. + In regular expression terms: [a-z_][a-z0-9_-]*[$]? + </para> + <para> ++ On Debian, the only constraints are that groupnames must neither start ++ with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a ++ colon (':'), a comma (','), or a whitespace (space:' ', ++ end of line: '\n', tabulation: '\t', etc.). ++ </para> ++ <para> + Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long. + </para> + <para> diff --git a/debian/patches/508_nologin_in_usr_sbin b/debian/patches/508_nologin_in_usr_sbin new file mode 100644 index 0000000..026e2db --- /dev/null +++ b/debian/patches/508_nologin_in_usr_sbin @@ -0,0 +1,18 @@ +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -23,7 +23,6 @@ + # $prefix/bin and $prefix/sbin, no install-data hacks...) + + bin_PROGRAMS = groups login su +-sbin_PROGRAMS = nologin + ubin_PROGRAMS = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd + usbin_PROGRAMS = \ + cppw \ +@@ -38,6 +37,7 @@ + grpunconv \ + logoutd \ + newusers \ ++ nologin \ + pwck \ + pwconv \ + pwunconv \ diff --git a/debian/patches/523_su_arguments_are_concatenated b/debian/patches/523_su_arguments_are_concatenated new file mode 100644 index 0000000..0abc4c5 --- /dev/null +++ b/debian/patches/523_su_arguments_are_concatenated @@ -0,0 +1,48 @@ +Goal: Concatenate the non-su arguments and provide them to the shell with + the -c option +Fixes: #317264 + see also #276419 + +Status wrt upstream: This is a Debian specific patch. + +Note: the fix of the man page is still missing. + (to be taken from the trunk) + +--- a/src/su.c ++++ b/src/su.c +@@ -1150,6 +1150,35 @@ + argv[0] = "-c"; + argv[1] = command; + } ++ /* On Debian, the arguments are concatenated and the ++ * resulting string is always given to the shell with its ++ * -c option. ++ */ ++ { ++ char **parg; ++ unsigned int cmd_len = 0; ++ char *cmd = NULL; ++ if (strcmp(argv[0], "-c") != 0) { ++ argv--; ++ argv[0] = "-c"; ++ } ++ /* Now argv[0] is always -c, and other arguments ++ * can be concatenated ++ */ ++ cmd_len = 1; /* finale '\0' */ ++ for (parg = &argv[1]; *parg; parg++) { ++ cmd_len += strlen (*parg) + 1; ++ } ++ cmd = (char *) xmalloc (sizeof (char) * cmd_len); ++ cmd[0] = '\0'; ++ for (parg = &argv[1]; *parg; parg++) { ++ strcat (cmd, " "); ++ strcat (cmd, *parg); ++ } ++ cmd[cmd_len - 1] = '\0'; ++ argv[1] = &cmd[1]; /* do not take first space */ ++ argv[2] = NULL; ++ } + /* + * Use the shell and create an argv + * with the rest of the command line included. diff --git a/debian/patches/523_su_arguments_are_no_more_concatenated_by_default b/debian/patches/523_su_arguments_are_no_more_concatenated_by_default new file mode 100644 index 0000000..d421345 --- /dev/null +++ b/debian/patches/523_su_arguments_are_no_more_concatenated_by_default @@ -0,0 +1,50 @@ +Goal: Do not concatenate the additional arguments, and support an + environment variable to revert to the old Debian's su behavior. + +This patch needs the su_arguments_are_concatenated patch. + +This patch, and su_arguments_are_concatenated should be dropped after +Etch. + +Status wrt upstream: This patch is Debian specific. + +--- a/src/su.c ++++ b/src/su.c +@@ -104,6 +104,19 @@ + /* If nonzero, change some environment vars to indicate the user su'd to. */ + static bool change_environment = true; + ++/* ++ * If nonzero, keep the old Debian behavior: ++ * * concatenate all the arguments and provide them to the -c option of ++ * the shell ++ * * If there are some additional arguments, but no -c, add a -c ++ * argument anyway ++ * Drawbacks: ++ * * you can't provide options to the shell (other than -c) ++ * * you can't rely on the argument count ++ * See http://bugs.debian.org/276419 ++ */ ++static int old_debian_behavior; ++ + #ifdef USE_PAM + static pam_handle_t *pamh = NULL; + static int caught = 0; +@@ -950,6 +963,8 @@ + int ret; + #endif /* USE_PAM */ + ++ old_debian_behavior = (getenv("SU_NO_SHELL_ARGS") != NULL); ++ + (void) setlocale (LC_ALL, ""); + (void) bindtextdomain (PACKAGE, LOCALEDIR); + (void) textdomain (PACKAGE); +@@ -1154,7 +1169,7 @@ + * resulting string is always given to the shell with its + * -c option. + */ +- { ++ if (old_debian_behavior) { + char **parg; + unsigned int cmd_len = 0; + char *cmd = NULL; diff --git a/debian/patches/542_useradd-O_option b/debian/patches/542_useradd-O_option new file mode 100644 index 0000000..506352f --- /dev/null +++ b/debian/patches/542_useradd-O_option @@ -0,0 +1,43 @@ +Goal: accepts the -O flag for backward compatibility. (was used by adduser?) + +Note: useradd.8 needs to be regenerated. + +Status wrt upstream: not included as this is just specific + backward compatibility for Debian + +--- a/man/useradd.8.xml ++++ b/man/useradd.8.xml +@@ -321,6 +321,11 @@ + databases are resetted to avoid reusing the entry from a previously + deleted user. + </para> ++ <para> ++ For the compatibility with previous Debian's ++ <command>useradd</command>, the <option>-O</option> option is ++ also supported. ++ </para> + </listitem> + </varlistentry> + <varlistentry> +--- a/src/useradd.c ++++ b/src/useradd.c +@@ -1011,9 +1011,9 @@ + }; + while ((c = getopt_long (argc, argv, + #ifdef WITH_SELINUX +- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:UZ:", ++ "b:c:d:De:f:g:G:hk:O:K:lmMNop:rR:s:u:UZ:", + #else /* !WITH_SELINUX */ +- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:U", ++ "b:c:d:De:f:g:G:hk:O:K:lmMNop:rR:s:u:U", + #endif /* !WITH_SELINUX */ + long_options, NULL)) != -1) { + switch (c) { +@@ -1136,6 +1136,7 @@ + kflg = true; + break; + case 'K': ++ case 'O': /* compatibility with previous Debian useradd */ + /* + * override login.defs defaults (-K name=value) + * example: -K UID_MIN=100 -K UID_MAX=499 diff --git a/debian/patches/900_testsuite_groupmems b/debian/patches/900_testsuite_groupmems new file mode 100644 index 0000000..6bdc497 --- /dev/null +++ b/debian/patches/900_testsuite_groupmems @@ -0,0 +1,81 @@ +--- a/debian/passwd.install ++++ b/debian/passwd.install +@@ -9,6 +9,7 @@ + usr/sbin/cppw + usr/sbin/groupadd + usr/sbin/groupdel ++usr/sbin/groupmems + usr/sbin/groupmod + usr/sbin/grpck + usr/sbin/grpconv +@@ -33,6 +34,7 @@ + usr/share/man/*/man8/chpasswd.8 + usr/share/man/*/man8/groupadd.8 + usr/share/man/*/man8/groupdel.8 ++usr/share/man/*/man8/groupmems.8 + usr/share/man/*/man8/groupmod.8 + usr/share/man/*/man8/grpck.8 + usr/share/man/*/man8/grpconv.8 +@@ -59,6 +61,7 @@ + usr/share/man/man8/chpasswd.8 + usr/share/man/man8/groupadd.8 + usr/share/man/man8/groupdel.8 ++usr/share/man/man8/groupmems.8 + usr/share/man/man8/groupmod.8 + usr/share/man/man8/grpck.8 + usr/share/man/man8/grpconv.8 +--- a/debian/passwd.postinst ++++ b/debian/passwd.postinst +@@ -31,6 +31,24 @@ + exit 1 + ) + fi ++ if ! getent group groupmems | grep -q '^groupmems:[^:]*:99' ++ then ++ groupadd -g 99 groupmems || ( ++ cat <<EOF ++************************ TESTSUITE ***************************** ++Group ID 99 has been allocated for the groupmems group. You have either ++used 99 yourself or created a groupmems group with a different ID. ++Please correct this problem and reconfigure with ``dpkg --configure passwd''. ++ ++Note that both user and group IDs in the range 0-99 are globally ++allocated by the Debian project and must be the same on every Debian ++system. ++EOF ++ exit 1 ++ ) ++# FIXME ++ chgrp groupmems /usr/sbin/groupmems ++ fi + ;; + esac + +--- a/debian/rules ++++ b/debian/rules +@@ -60,6 +60,7 @@ + dh_installpam -p passwd --name=chsh + dh_installpam -p passwd --name=chpasswd + dh_installpam -p passwd --name=newusers ++ dh_installpam -p passwd --name=groupmems + ifeq ($(DEB_HOST_ARCH_OS),hurd) + # login is not built on The Hurd, but some utilities of passwd depends on + # /etc/login.defs. +@@ -87,3 +88,6 @@ + chgrp shadow debian/passwd/usr/bin/expiry + chmod g+s debian/passwd/usr/bin/chage + chmod g+s debian/passwd/usr/bin/expiry ++ chgrp groupmems debian/passwd/usr/sbin/groupmems ++ chmod u+s debian/passwd/usr/sbin/groupmems ++ chmod o-x debian/passwd/usr/sbin/groupmems +--- /dev/null ++++ b/debian/passwd.groupmems.pam +@@ -0,0 +1,8 @@ ++# The PAM configuration file for the Shadow 'groupmod' service ++# ++ ++# This allows root to modify groups without being prompted for a password ++auth sufficient pam_rootok.so ++ ++@include common-auth ++@include common-account diff --git a/debian/patches/901_testsuite_gcov b/debian/patches/901_testsuite_gcov new file mode 100644 index 0000000..717ccca --- /dev/null +++ b/debian/patches/901_testsuite_gcov @@ -0,0 +1,76 @@ +--- a/lib/Makefile.am ++++ b/lib/Makefile.am +@@ -1,6 +1,8 @@ + + AUTOMAKE_OPTIONS = 1.0 foreign + ++CFLAGS += -fprofile-arcs -ftest-coverage ++ + DEFS = + + noinst_LTLIBRARIES = libshadow.la +--- a/libmisc/Makefile.am ++++ b/libmisc/Makefile.am +@@ -1,6 +1,8 @@ + + EXTRA_DIST = .indent.pro xgetXXbyYY.c + ++CFLAGS += -fprofile-arcs -ftest-coverage ++ + INCLUDES = -I$(top_srcdir)/lib + + noinst_LIBRARIES = libmisc.a +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -7,6 +7,8 @@ + suidperms = 4755 + sgidperms = 2755 + ++CFLAGS += -fprofile-arcs -ftest-coverage ++ + INCLUDES = \ + -I${top_srcdir}/lib \ + -I$(top_srcdir)/libmisc +--- a/debian/rules ++++ b/debian/rules +@@ -40,6 +40,12 @@ + endif + export CFLAGS + ++clean:: clean_gcov ++ ++clean_gcov: ++ find . -name "*.gcda" -delete ++ find . -name "*.gcno" -delete ++ + # Add extras to the install process: + binary-install/login:: + dh_installpam -p login +--- a/lib/defines.h ++++ b/lib/defines.h +@@ -174,23 +174,9 @@ + trust the formatted time received from the unix domain (or worse, + UDP) socket. -MM */ + /* Avoid translated PAM error messages: Set LC_ALL to "C". ++ * This is disabled for coverage testing + * --Nekral */ +-#define SYSLOG(x) \ +- do { \ +- char *old_locale = setlocale (LC_ALL, NULL); \ +- char *saved_locale = NULL; \ +- if (NULL != old_locale) { \ +- saved_locale = strdup (old_locale); \ +- } \ +- if (NULL != saved_locale) { \ +- (void) setlocale (LC_ALL, "C"); \ +- } \ +- syslog x ; \ +- if (NULL != saved_locale) { \ +- (void) setlocale (LC_ALL, saved_locale); \ +- free (saved_locale); \ +- } \ +- } while (false) ++#define SYSLOG(x) syslog x + #else /* !ENABLE_NLS */ + #define SYSLOG(x) syslog x + #endif /* !ENABLE_NLS */ diff --git a/debian/patches/README.patches b/debian/patches/README.patches new file mode 100644 index 0000000..8df4cd3 --- /dev/null +++ b/debian/patches/README.patches @@ -0,0 +1,71 @@ +Small intro to the system for numbering the patches here... + +-The 0xx series of patches are patches isolated from the latest + version of the shadow Debian package not using quilt in order to + separate upstream from Debian-specific stuff. + + NO MORE PATCHES SHOULD BE ADDED IN THESE SERIES + +-The 1xx series are l10n patches to upstream 4.0.18.1. As upstream has + adopted Debian translations, it is very likely that these patches + will become useless when we will have synced with upstream + +-The 2xx series are patches for manual pages translations to upstream + 4.0.18.1. + +-The 3xx series are patches which have been temporarily applied to + Debian's shadow while we *know* they have been applied upstream as well + These patches should NOT be kept when we will sync with upstream + +-The 4xx series are patches which have been applied to Debian's shadow + and have NOT been accepted and/or applied upstream. These patches MUST be kept + even after resynced with upstream + +-The 5xx series are patches which are applied to Debian's shadow + and will never be proposed upstream because they're too specific + This list SHOULD BE AS SHORT AS POSSIBLE + +In short, while we are working towards synchronisation with upstream, +our goal is to make 0xx patches disappear by moving them either to 3xx +series (things already implemented upstream) or to 4xx series +(Debian-specific patches). + + +Short HOWTO for quilt +===================== + +The quilt system can be assimilated to a Pile Of Patches management system. +Patches live in debian/patches, the working directory is "." + +The basic commands are (abbreviation accepted): +quilt push (asks to apply the next patch in the pile) +quilt pop (removes the current patch and go up in the pile) +quilt refresh (take the current changes in tree onto the patch) + +When a file is changed by a patch, quilt saves it somewhere under .pc on +application. This is how it can refresh it afterward (comparing the version +in .pc and the one you currently have in your working dir). + +There are three common pitfalls with quilt: + - doing "quilt pop" without doing "quilt refresh". The version of current + dir is replaced with the version of the .pc dir. Your changes are lost. + Quilt wont let you do so, but you can force it with '-f' if you're fool. + - editing a file with is not in the patch yet. Quilt didn't do any previous + backup. + Use "quilt add" to add files to patches. + Set $EDITOR and use "quilt edit" to edit a file, and add it onto the + patch if needed. + - If you update your working directory, patches may not revert cleanly. + It is thus recommended to use "quilt pop -a" before updating with + "svn up". + If you forget (and run into trouble), you may want to remove the whole + shadow-?.?.? directory. If you use the makefile which is in the upper + directory (trunk/), shadow-?.?.?/debian/patches is a link to + debian/patches, so this dirctory does not contain any valuable info. + +The documentation is quite well done, I think. "quilt -h" will list you the +commands. "quilt <cmd> -h" will give you some hints about it. "man quilt" is +a reference documentation. /usr/share/doc/quilt/quilt.pdf.gz is a complete +manual, with tutorial. + + diff --git a/debian/patches/environ.patch b/debian/patches/environ.patch new file mode 100644 index 0000000..4f1f9b1 --- /dev/null +++ b/debian/patches/environ.patch @@ -0,0 +1,26 @@ +Index: shadow-4.1.5/lib/spawn.c +=================================================================== +--- shadow-4.1.5.orig/lib/spawn.c 2011-10-16 18:05:19.000000000 +0000 ++++ shadow-4.1.5/lib/spawn.c 2012-05-29 00:09:49.520136311 +0000 +@@ -38,6 +38,8 @@ + #include "exitcodes.h" + #include "prototypes.h" + ++extern char **environ; ++ + int run_command (const char *cmd, const char *argv[], + /*@null@*/const char *envp[], /*@out@*/int *status) + { +Index: shadow-4.1.5/src/su.c +=================================================================== +--- shadow-4.1.5.orig/src/su.c 2012-05-28 20:21:23.981943165 +0000 ++++ shadow-4.1.5/src/su.c 2012-05-29 00:10:44.318173199 +0000 +@@ -78,6 +78,8 @@ + /*@-exitarg@*/ + #include "exitcodes.h" + ++extern char **environ; ++ + /* + * Global variables + */ diff --git a/debian/patches/getspnam_r.patch b/debian/patches/getspnam_r.patch new file mode 100644 index 0000000..e0603cc --- /dev/null +++ b/debian/patches/getspnam_r.patch @@ -0,0 +1,64 @@ +Index: shadow-4.1.5/configure.in +=================================================================== +--- shadow-4.1.5.orig/configure.in 2012-05-29 01:07:07.625675582 +0000 ++++ shadow-4.1.5/configure.in 2012-05-29 01:08:12.699463029 +0000 +@@ -45,6 +45,25 @@ + getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r getaddrinfo) + AC_SYS_LARGEFILE + ++AC_MSG_CHECKING(if getspnam_r take 5 arguments) ++AC_TRY_COMPILE( ++ [ ++#include <sys/types.h> ++#include <shadow.h> ++ ], ++ [ ++struct spwd *pw; ++struct spwd pwbuf; ++char pwdata[512]; ++(void) getspnam_r("bin", &pwbuf, pwdata, sizeof(pwdata), &pw); ++ ], ++ [AC_MSG_RESULT(yes) ++ AC_DEFINE(GETSPNAM_R_5ARG, 1, ++ [Define if your getspnam_r() ++ functions take 5 arguments])], ++ [AC_MSG_RESULT(no)] ++) ++ + dnl Checks for typedefs, structures, and compiler characteristics. + AC_C_CONST + AC_TYPE_UID_T +Index: shadow-4.1.5/libmisc/xgetXXbyYY.c +=================================================================== +--- shadow-4.1.5.orig/libmisc/xgetXXbyYY.c 2012-05-29 01:07:07.652770807 +0000 ++++ shadow-4.1.5/libmisc/xgetXXbyYY.c 2012-05-29 01:11:08.044438439 +0000 +@@ -89,9 +89,15 @@ + exit (13); + } + errno = 0; ++#ifndef __use_4_args + status = REENTRANT_NAME(ARG_NAME, result, buffer, + length, &resbuf); + if ((0 == status) && (resbuf == result)) { ++#else ++ resbuf = REENTRANT_NAME(ARG_NAME, result, buffer, ++ length); ++ if (resbuf == result) { ++#endif + /* Build a result structure that can be freed by + * the shadow *_free functions. */ + LOOKUP_TYPE *ret_result = DUP_FUNCTION(result); +Index: shadow-4.1.5/libmisc/xgetspnam.c +=================================================================== +--- shadow-4.1.5.orig/libmisc/xgetspnam.c 2012-05-29 01:07:07.687176476 +0000 ++++ shadow-4.1.5/libmisc/xgetspnam.c 2012-05-29 01:11:15.833088840 +0000 +@@ -60,5 +60,9 @@ + #define DUP_FUNCTION __spw_dup + #define HAVE_FUNCTION_R (defined HAVE_GETSPNAM_R) + ++#ifndef GETSPNAM_R_5ARG ++#define __use_4_args ++#endif ++ + #include "xgetXXbyYY.c" + diff --git a/debian/patches/putgrent.patch b/debian/patches/putgrent.patch new file mode 100644 index 0000000..ea326c2 --- /dev/null +++ b/debian/patches/putgrent.patch @@ -0,0 +1,51 @@ +Index: shadow-4.1.5/lib/groupio.c +=================================================================== +--- shadow-4.1.5.orig/lib/groupio.c 2012-05-29 01:52:46.829380353 +0000 ++++ shadow-4.1.5/lib/groupio.c 2012-05-29 01:54:54.027846005 +0000 +@@ -44,6 +44,46 @@ + #include "getdef.h" + #include "groupio.h" + ++#ifndef HAVE_PUTGRENT ++#define _nn(x) x ? x : "" ++int putgrent (const struct group *gr, FILE *fp) ++{ ++ int rc; ++ int i; ++ ++ if ((NULL == gr) || (NULL == fp)) { ++ errno = EINVAL; ++ return -1; ++ } ++ ++ flockfile(fp); ++ if (gr->gr_name[0] == '+' || gr->gr_name[0] == '-') { ++ rc = fprintf(fp, "%s:%s::", gr->gr_name, _nn(gr->gr_passwd)); ++ } else { ++ rc = fprintf(fp, "%s:%s:%lu:", gr->gr_name, _nn(gr->gr_passwd), (unsigned long int) gr->gr_gid); ++ } ++ ++ if (rc < 0) { ++ funlockfile(fp); ++ return -1; ++ } ++ ++ if (NULL != gr->gr_mem) { ++ for (i = 0; gr->gr_mem[i] != NULL; ++i) { ++ if (0 > fprintf(fp, i == 0 ? "%s" : ",%s", gr->gr_mem[i])) { ++ funlockfile(fp); ++ return -1; ++ } ++ } ++ } ++ ++ putc_unlocked('\n', fp); ++ funlockfile(fp); ++ return 0; ++} ++#undef _nn ++#endif /* HAVE_PUTGRENT */ ++ + static /*@null@*/struct commonio_entry *merge_group_entries ( + /*@null@*/ /*@returned@*/struct commonio_entry *gr1, + /*@null@*/struct commonio_entry *gr2); diff --git a/debian/patches/putpwent-segfault.patch b/debian/patches/putpwent-segfault.patch new file mode 100644 index 0000000..601ecf6 --- /dev/null +++ b/debian/patches/putpwent-segfault.patch @@ -0,0 +1,13 @@ +Index: shadow-4.1.5/lib/pwmem.c +=================================================================== +--- shadow-4.1.5.orig/lib/pwmem.c 2009-09-07 19:08:21.000000000 +0000 ++++ shadow-4.1.5/lib/pwmem.c 2012-06-03 18:39:48.377996169 +0000 +@@ -44,7 +44,7 @@ + { + struct passwd *pw; + +- pw = (struct passwd *) malloc (sizeof *pw); ++ pw = (struct passwd *) calloc (1, sizeof *pw); + if (NULL == pw) { + return NULL; + } diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..6d2d836 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,24 @@ +# These patches are only for the testsuite: +#900_testsuite_groupmems +#901_testsuite_gcov + +503_shadowconfig.8 +428_grpck_add_prune_option +008_login_log_failure_in_FTMP +429_login_FAILLOG_ENAB +401_cppw_src.dpatch +# 402 should be merged in 401, but should be reviewed by SE Linux experts first +402_cppw_selinux +506_relaxed_usernames +542_useradd-O_option +501_commonio_group_shadow +463_login_delay_obeys_to_PAM +523_su_arguments_are_concatenated +523_su_arguments_are_no_more_concatenated_by_default +508_nologin_in_usr_sbin +505_useradd_recommend_adduser +utmp.c.patch +getspnam_r.patch +environ.patch +putgrent.patch +putpwent-segfault.patch diff --git a/debian/patches/utmp.c.patch b/debian/patches/utmp.c.patch new file mode 100644 index 0000000..624303f --- /dev/null +++ b/debian/patches/utmp.c.patch @@ -0,0 +1,47 @@ +Index: shadow-4.1.5/libmisc/utmp.c +=================================================================== +--- shadow-4.1.5.orig/libmisc/utmp.c 2012-05-29 01:00:07.623017148 +0000 ++++ shadow-4.1.5/libmisc/utmp.c 2012-05-29 01:08:05.294474465 +0000 +@@ -32,15 +32,19 @@ + + #include <config.h> + +-#include "defines.h" +-#include "prototypes.h" +- +-#include <utmp.h> + + #ifdef USE_UTMPX + #include <utmpx.h> ++#define utmp utmpx ++#define updwtmp updwtmpx ++#define pututline pututxline ++#else ++#include <utmp.h> + #endif + ++#include "defines.h" ++#include "prototypes.h" ++ + #include <assert.h> + #include <netdb.h> + #include <stdio.h> +@@ -281,6 +285,10 @@ + /* ut_exit is only for DEAD_PROCESS */ + utent->ut_session = getsid (0); + if (gettimeofday (&tv, NULL) == 0) { ++#ifdef USE_UTMPX ++ utent->ut_tv.tv_sec = tv.tv_sec; ++ utent->ut_tv.tv_usec = tv.tv_usec; ++#else + #ifdef HAVE_STRUCT_UTMP_UT_TIME + utent->ut_time = tv.tv_sec; + #endif /* HAVE_STRUCT_UTMP_UT_TIME */ +@@ -291,6 +299,7 @@ + utent->ut_tv.tv_sec = tv.tv_sec; + utent->ut_tv.tv_usec = tv.tv_usec; + #endif /* HAVE_STRUCT_UTMP_UT_TV */ ++#endif + } + + return utent; |