Diffstat (limited to 'debian/patches')
18 files changed, 383 insertions, 842 deletions
diff --git a/debian/patches/0001-gpasswd-1-Fix-password-leak.patch b/debian/patches/0001-gpasswd-1-Fix-password-leak.patch deleted file mode 100644 index 1596b2d..0000000 --- a/debian/patches/0001-gpasswd-1-Fix-password-leak.patch +++ /dev/null 
@@ -1,137 +0,0 @@ -From 65c88a43a23c2391dcc90c0abda3e839e9c57904 Mon Sep 17 00:00:00 2001 -From: Alejandro Colomar <alx@kernel.org> -Date: Sat, 10 Jun 2023 16:20:05 +0200 -Subject: [PATCH] gpasswd(1): Fix password leak - -How to trigger this password leak? -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -When gpasswd(1) asks for the new password, it asks twice (as is usual -for confirming the new password). Each of those 2 password prompts -uses agetpass() to get the password. If the second agetpass() fails, -the first password, which has been copied into the 'static' buffer -'pass' via STRFCPY(), wasn't being zeroed. - -agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and -can fail for any of the following reasons: - -- malloc(3) or readpassphrase(3) failure. - - These are going to be difficult to trigger. Maybe getting the system - to the limits of memory utilization at that exact point, so that the - next malloc(3) gets ENOMEM, and possibly even the OOM is triggered. - About readpassphrase(3), ENFILE and EINTR seem the only plausible - ones, and EINTR probably requires privilege or being the same user; - but I wouldn't discard ENFILE so easily, if a process starts opening - files. - -- The password is longer than PASS_MAX. - - The is plausible with physical access. However, at that point, a - keylogger will be a much simpler attack. - -And, the attacker must be able to know when the second password is being -introduced, which is not going to be easy. - -How to read the password after the leak? -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Provoking the leak yourself at the right point by entering a very long -password is easy, and inspecting the process stack at that point should -be doable. Try to find some consistent patterns. - -Then, search for those patterns in free memory, right after the victim -leaks their password. 
- -Once you get the leak, a program should read all the free memory -searching for patterns that gpasswd(1) leaves nearby the leaked -password. - -On 6/10/23 03:14, Seth Arnold wrote: -> An attacker process wouldn't be able to use malloc(3) for this task. -> There's a handful of tools available for userspace to allocate memory: -> -> - brk / sbrk -> - mmap MAP_ANONYMOUS -> - mmap /dev/zero -> - mmap some other file -> - shm_open -> - shmget -> -> Most of these return only pages of zeros to a process. Using mmap of an -> existing file, you can get some of the contents of the file demand-loaded -> into the memory space on the first use. -> -> The MAP_UNINITIALIZED flag only works if the kernel was compiled with -> CONFIG_MMAP_ALLOW_UNINITIALIZED. This is rare. -> -> malloc(3) doesn't zero memory, to our collective frustration, but all the -> garbage in the allocations is from previous allocations in the current -> process. It isn't leftover from other processes. -> -> The avenues available for reading the memory: -> - /dev/mem and /dev/kmem (requires root, not available with Secure Boot) -> - /proc/pid/mem (requires ptrace privileges, mediated by YAMA) -> - ptrace (requires ptrace privileges, mediated by YAMA) -> - causing memory to be swapped to disk, and then inspecting the swap -> -> These all require a certain amount of privileges. - -How to fix it? -~~~~~~~~~~~~~~ - -memzero(), which internally calls explicit_bzero(3), or whatever -alternative the system provides with a slightly different name, will -make sure that the buffer is zeroed in memory, and optimizations are not -allowed to impede this zeroing. - -This is not really 100% effective, since compilers may place copies of -the string somewhere hidden in the stack. Those copies won't get zeroed -by explicit_bzero(3). However, that's arguably a compiler bug, since -compilers should make everything possible to avoid optimizing strings -that are later passed to explicit_bzero(3). 
But we all know that -sometimes it's impossible to have perfect knowledge in the compiler, so -this is plausible. Nevertheless, there's nothing we can do against such -issues, except minimizing the time such passwords are stored in plain -text. - -Security concerns -~~~~~~~~~~~~~~~~~ - -We believe this isn't easy to exploit. Nevertheless, and since the fix -is trivial, this fix should probably be applied soon, and backported to -all supported distributions, to prevent someone else having more -imagination than us to find a way. - -Affected versions -~~~~~~~~~~~~~~~~~ - -All. Bug introduced in shadow 19990709. That's the second commit in -the git history. - -Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)") -Reported-by: Alejandro Colomar <alx@kernel.org> -Cc: Serge Hallyn <serge@hallyn.com> -Cc: Iker Pedrosa <ipedrosa@redhat.com> -Cc: Seth Arnold <seth.arnold@canonical.com> -Cc: Christian Brauner <christian@brauner.io> -Cc: Balint Reczey <rbalint@debian.org> -Cc: Sam James <sam@gentoo.org> -Cc: David Runge <dvzrv@archlinux.org> -Cc: Andreas Jaeger <aj@suse.de> -Cc: <~hallyn/shadow@lists.sr.ht> -Signed-off-by: Alejandro Colomar <alx@kernel.org> ---- - src/gpasswd.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/src/gpasswd.c -+++ b/src/gpasswd.c -@@ -896,6 +896,7 @@ - strzero (cp); - cp = getpass (_("Re-enter new password: ")); - if (NULL == cp) { -+ memzero (pass, sizeof pass); - exit (1); - } - diff --git a/debian/patches/0002-Added-control-character-check.patch b/debian/patches/0002-Added-control-character-check.patch deleted file mode 100644 index 29adce1..0000000 --- a/debian/patches/0002-Added-control-character-check.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001 -From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com> -Date: Thu, 23 Mar 2023 23:39:38 +0000 -Subject: [PATCH] Added control character check - -Added control character check, returning -1 (to "err") if control characters are present. ---- - lib/fields.c | 11 +++++++---- - 1 file changed, 7 insertions(+), 4 deletions(-) - -diff --git a/lib/fields.c b/lib/fields.c -index 640be931..fb51b582 100644 ---- a/lib/fields.c -+++ b/lib/fields.c -@@ -21,9 +21,9 @@ - * - * The supplied field is scanned for non-printable and other illegal - * characters. -- * + -1 is returned if an illegal character is present. -- * + 1 is returned if no illegal characters are present, but the field -- * contains a non-printable character. -+ * + -1 is returned if an illegal or control character is present. -+ * + 1 is returned if no illegal or control characters are present, -+ * but the field contains a non-printable character. - * + 0 is returned otherwise. - */ - int valid_field (const char *field, const char *illegal) -@@ -45,10 +45,13 @@ int valid_field (const char *field, const char *illegal) - } - - if (0 == err) { -- /* Search if there are some non-printable characters */ -+ /* Search if there are non-printable or control characters */ - for (cp = field; '\0' != *cp; cp++) { - if (!isprint (*cp)) { - err = 1; -+ } -+ if (!iscntrl (*cp)) { -+ err = -1; - break; - } - } --- -2.34.1 - diff --git a/debian/patches/0003-Overhaul-valid_field.patch b/debian/patches/0003-Overhaul-valid_field.patch deleted file mode 100644 index b7a8428..0000000 --- a/debian/patches/0003-Overhaul-valid_field.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com> -Date: Fri, 31 Mar 2023 14:46:50 +0200 -Subject: [PATCH] Overhaul valid_field() - -e5905c4b ("Added control character check") introduced checking for -control characters but had the logic inverted, so it rejects all -characters that are not control ones. - -Cast the character to `unsigned char` before passing to the character -checking functions to avoid UB. - -Use strpbrk(3) for the illegal character test and return early. ---- - lib/fields.c | 24 ++++++++++-------------- - 1 file changed, 10 insertions(+), 14 deletions(-) - -diff --git a/lib/fields.c b/lib/fields.c -index fb51b582..53929248 100644 ---- a/lib/fields.c -+++ b/lib/fields.c -@@ -37,26 +37,22 @@ int valid_field (const char *field, const char *illegal) - - /* For each character of field, search if it appears in the list - * of illegal characters. */ -+ if (illegal && NULL != strpbrk (field, illegal)) { -+ return -1; -+ } -+ -+ /* Search if there are non-printable or control characters */ - for (cp = field; '\0' != *cp; cp++) { -- if (strchr (illegal, *cp) != NULL) { -+ unsigned char c = *cp; -+ if (!isprint (c)) { -+ err = 1; -+ } -+ if (iscntrl (c)) { - err = -1; - break; - } - } - -- if (0 == err) { -- /* Search if there are non-printable or control characters */ -- for (cp = field; '\0' != *cp; cp++) { -- if (!isprint (*cp)) { -- err = 1; -- } -- if (!iscntrl (*cp)) { -- err = -1; -- break; -- } -- } -- } -- - return err; - } - --- -2.34.1 - diff --git a/debian/patches/008_login_log_failure_in_FTMP b/debian/patches/008_login_log_failure_in_FTMP deleted file mode 100644 index 0946ca0..0000000 --- a/debian/patches/008_login_log_failure_in_FTMP +++ /dev/null 
@@ -1,51 +0,0 @@ -Goal: Log login failures to the btmp file - -Notes: - * I'm not sure login should add an entry in the FTMP file when PAM is used. - (but nothing in /etc/login.defs indicates that the failure is not logged) - ---- a/src/login.c -+++ b/src/login.c -@@ -827,6 +827,24 @@ - (void) puts (""); - (void) puts (_("Login incorrect")); - -+ if (getdef_str("FTMP_FILE") != NULL) { -+#ifdef USE_UTMPX -+ struct utmpx *failent = -+ prepare_utmpx (failent_user, -+ tty, -+ /* FIXME: or fromhost? */hostname, -+ utent); -+#else /* !USE_UTMPX */ -+ struct utmp *failent = -+ prepare_utmp (failent_user, -+ tty, -+ hostname, -+ utent); -+#endif /* !USE_UTMPX */ -+ failtmp (failent_user, failent); -+ free (failent); -+ } -+ - if (failcount >= retries) { - SYSLOG ((LOG_NOTICE, - "TOO MANY LOGIN TRIES (%u)%s FOR '%s'", ---- a/lib/getdef.c -+++ b/lib/getdef.c -@@ -38,7 +38,6 @@ - {"ENVIRON_FILE", NULL}, \ - {"ENV_TZ", NULL}, \ - {"FAILLOG_ENAB", NULL}, \ -- {"FTMP_FILE", NULL}, \ - {"HMAC_CRYPTO_ALGO", NULL}, \ - {"ISSUE_FILE", NULL}, \ - {"LASTLOG_ENAB", NULL}, \ -@@ -80,6 +79,7 @@ - {"ERASECHAR", NULL}, - {"FAIL_DELAY", NULL}, - {"FAKE_SHELL", NULL}, -+ {"FTMP_FILE", NULL}, - {"GID_MAX", NULL}, - {"GID_MIN", NULL}, - {"HOME_MODE", NULL}, diff --git a/debian/patches/429_login_FAILLOG_ENAB b/debian/patches/429_login_FAILLOG_ENAB deleted file mode 100644 index d8e6034..0000000 --- a/debian/patches/429_login_FAILLOG_ENAB +++ /dev/null 
@@ -1,84 +0,0 @@ -Goal: Re-enable logging and displaying failures on login when login is - compiled with PAM and when FAILLOG_ENAB is set to yes. And create the - faillog file if it does not exist on postinst (as on Woody). -Depends: 008_login_more_LOG_UNKFAIL_ENAB -Fixes: #192849 - -Note: It could be removed if pam_tally could report the number of failures - preceding a successful login. - ---- a/src/login.c -+++ b/src/login.c -@@ -114,9 +114,9 @@ - #endif - ); - --#ifndef USE_PAM - static struct faillog faillog; - -+#ifndef USE_PAM - static void bad_time_notify (void); - static void check_nologin (bool login_to_root); - #else -@@ -787,6 +787,9 @@ - SYSLOG ((LOG_NOTICE, - "TOO MANY LOGIN TRIES (%u)%s FOR '%s'", - failcount, fromhost, failent_user)); -+ if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) { -+ failure (pwd->pw_uid, tty, &faillog); -+ } - fprintf (stderr, - _("Maximum number of tries exceeded (%u)\n"), - failcount); -@@ -804,6 +807,14 @@ - pam_strerror (pamh, retcode))); - failed = true; - } -+ if ( (NULL != pwd) -+ && getdef_bool("FAILLOG_ENAB") -+ && ! 
failcheck (pwd->pw_uid, &faillog, failed)) { -+ SYSLOG((LOG_CRIT, -+ "exceeded failure limit for `%s' %s", -+ failent_user, fromhost)); -+ failed = 1; -+ } - - if (!failed) { - break; -@@ -827,6 +838,10 @@ - (void) puts (""); - (void) puts (_("Login incorrect")); - -+ if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) { -+ failure (pwd->pw_uid, tty, &faillog); -+ } -+ - if (getdef_str("FTMP_FILE") != NULL) { - #ifdef USE_UTMPX - struct utmpx *failent = -@@ -1295,6 +1310,7 @@ - */ - #ifndef USE_PAM - motd (); /* print the message of the day */ -+#endif - if ( getdef_bool ("FAILLOG_ENAB") - && (0 != faillog.fail_cnt)) { - failprint (&faillog); -@@ -1307,6 +1323,7 @@ - username, (int) faillog.fail_cnt)); - } - } -+#ifndef USE_PAM - if ( getdef_bool ("LASTLOG_ENAB") - && pwd->pw_uid <= (uid_t) getdef_ulong ("LASTLOG_UID_MAX", 0xFFFFFFFFUL) - && (ll.ll_time != 0)) { ---- a/lib/getdef.c -+++ b/lib/getdef.c -@@ -78,6 +78,7 @@ - {"ENV_SUPATH", NULL}, - {"ERASECHAR", NULL}, - {"FAIL_DELAY", NULL}, -+ {"FAILLOG_ENAB", NULL}, - {"FAKE_SHELL", NULL}, - {"FTMP_FILE", NULL}, - {"GID_MAX", NULL}, diff --git a/debian/patches/900_testsuite_groupmems b/debian/patches/900_testsuite_groupmems deleted file mode 100644 index 6bdc497..0000000 --- a/debian/patches/900_testsuite_groupmems +++ /dev/null 
@@ -1,81 +0,0 @@ ---- a/debian/passwd.install -+++ b/debian/passwd.install -@@ -9,6 +9,7 @@ - usr/sbin/cppw - usr/sbin/groupadd - usr/sbin/groupdel -+usr/sbin/groupmems - usr/sbin/groupmod - usr/sbin/grpck - usr/sbin/grpconv -@@ -33,6 +34,7 @@ - usr/share/man/*/man8/chpasswd.8 - usr/share/man/*/man8/groupadd.8 - usr/share/man/*/man8/groupdel.8 -+usr/share/man/*/man8/groupmems.8 - usr/share/man/*/man8/groupmod.8 - usr/share/man/*/man8/grpck.8 - usr/share/man/*/man8/grpconv.8 -@@ -59,6 +61,7 @@ - usr/share/man/man8/chpasswd.8 - usr/share/man/man8/groupadd.8 - usr/share/man/man8/groupdel.8 -+usr/share/man/man8/groupmems.8 - usr/share/man/man8/groupmod.8 - usr/share/man/man8/grpck.8 - usr/share/man/man8/grpconv.8 ---- a/debian/passwd.postinst -+++ b/debian/passwd.postinst -@@ -31,6 +31,24 @@ - exit 1 - ) - fi -+ if ! getent group groupmems | grep -q '^groupmems:[^:]*:99' -+ then -+ groupadd -g 99 groupmems || ( -+ cat <<EOF -+************************ TESTSUITE ***************************** -+Group ID 99 has been allocated for the groupmems group. You have either -+used 99 yourself or created a groupmems group with a different ID. -+Please correct this problem and reconfigure with ``dpkg --configure passwd''. -+ -+Note that both user and group IDs in the range 0-99 are globally -+allocated by the Debian project and must be the same on every Debian -+system. -+EOF -+ exit 1 -+ ) -+# FIXME -+ chgrp groupmems /usr/sbin/groupmems -+ fi - ;; - esac - ---- a/debian/rules -+++ b/debian/rules -@@ -60,6 +60,7 @@ - dh_installpam -p passwd --name=chsh - dh_installpam -p passwd --name=chpasswd - dh_installpam -p passwd --name=newusers -+ dh_installpam -p passwd --name=groupmems - ifeq ($(DEB_HOST_ARCH_OS),hurd) - # login is not built on The Hurd, but some utilities of passwd depends on - # /etc/login.defs. 
-@@ -87,3 +88,6 @@ - chgrp shadow debian/passwd/usr/bin/expiry - chmod g+s debian/passwd/usr/bin/chage - chmod g+s debian/passwd/usr/bin/expiry -+ chgrp groupmems debian/passwd/usr/sbin/groupmems -+ chmod u+s debian/passwd/usr/sbin/groupmems -+ chmod o-x debian/passwd/usr/sbin/groupmems ---- /dev/null -+++ b/debian/passwd.groupmems.pam -@@ -0,0 +1,8 @@ -+# The PAM configuration file for the Shadow 'groupmod' service -+# -+ -+# This allows root to modify groups without being prompted for a password -+auth sufficient pam_rootok.so -+ -+@include common-auth -+@include common-account diff --git a/debian/patches/901_testsuite_gcov b/debian/patches/901_testsuite_gcov deleted file mode 100644 index 717ccca..0000000 --- a/debian/patches/901_testsuite_gcov +++ /dev/null 
@@ -1,76 +0,0 @@ ---- a/lib/Makefile.am -+++ b/lib/Makefile.am -@@ -1,6 +1,8 @@ - - AUTOMAKE_OPTIONS = 1.0 foreign - -+CFLAGS += -fprofile-arcs -ftest-coverage -+ - DEFS = - - noinst_LTLIBRARIES = libshadow.la ---- a/libmisc/Makefile.am -+++ b/libmisc/Makefile.am -@@ -1,6 +1,8 @@ - - EXTRA_DIST = .indent.pro xgetXXbyYY.c - -+CFLAGS += -fprofile-arcs -ftest-coverage -+ - INCLUDES = -I$(top_srcdir)/lib - - noinst_LIBRARIES = libmisc.a ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -7,6 +7,8 @@ - suidperms = 4755 - sgidperms = 2755 - -+CFLAGS += -fprofile-arcs -ftest-coverage -+ - INCLUDES = \ - -I${top_srcdir}/lib \ - -I$(top_srcdir)/libmisc ---- a/debian/rules -+++ b/debian/rules -@@ -40,6 +40,12 @@ - endif - export CFLAGS - -+clean:: clean_gcov -+ -+clean_gcov: -+ find . -name "*.gcda" -delete -+ find . -name "*.gcno" -delete -+ - # Add extras to the install process: - binary-install/login:: - dh_installpam -p login ---- a/lib/defines.h -+++ b/lib/defines.h -@@ -174,23 +174,9 @@ - trust the formatted time received from the unix domain (or worse, - UDP) socket. -MM */ - /* Avoid translated PAM error messages: Set LC_ALL to "C". -+ * This is disabled for coverage testing - * --Nekral */ --#define SYSLOG(x) \ -- do { \ -- char *old_locale = setlocale (LC_ALL, NULL); \ -- char *saved_locale = NULL; \ -- if (NULL != old_locale) { \ -- saved_locale = strdup (old_locale); \ -- } \ -- if (NULL != saved_locale) { \ -- (void) setlocale (LC_ALL, "C"); \ -- } \ -- syslog x ; \ -- if (NULL != saved_locale) { \ -- (void) setlocale (LC_ALL, saved_locale); \ -- free (saved_locale); \ -- } \ -- } while (false) -+#define SYSLOG(x) syslog x - #else /* !ENABLE_NLS */ - #define SYSLOG(x) syslog x - #endif /* !ENABLE_NLS */ diff --git a/debian/patches/503_shadowconfig.8 b/debian/patches/Document-the-shadowconfig-utility.patch index 0f0d339..a00afb2 100644 --- a/debian/patches/503_shadowconfig.8 +++ b/debian/patches/Document-the-shadowconfig-utility.patch 
@@ -1,12 +1,125 @@ -Goal: Document the shadowconfig utility +From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org> +Date: Sat, 22 Jun 2024 17:39:41 +0200 +Subject: Document the shadowconfig utility Status wrt upstream: The shadowconfig utility is debian specific. - Its man page also (but it used to be distributed) +Its man page also (but it used to be distributed) -Index: git/man/shadowconfig.8 -=================================================================== +Gbp-Topic: debian +--- + man/fr/shadowconfig.8 | 26 +++++++++++++++++++++++++ + man/ja/shadowconfig.8 | 25 ++++++++++++++++++++++++ + man/pl/shadowconfig.8 | 27 ++++++++++++++++++++++++++ + man/shadowconfig.8 | 41 +++++++++++++++++++++++++++++++++++++++ + man/shadowconfig.8.xml | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++ + 5 files changed, 171 insertions(+) + create mode 100644 man/fr/shadowconfig.8 + create mode 100644 man/ja/shadowconfig.8 + create mode 100644 man/pl/shadowconfig.8 + create mode 100644 man/shadowconfig.8 + create mode 100644 man/shadowconfig.8.xml + +diff --git a/man/fr/shadowconfig.8 b/man/fr/shadowconfig.8 +new file mode 100644 +index 0000000..784da70 +--- /dev/null ++++ b/man/fr/shadowconfig.8 +@@ -0,0 +1,26 @@ ++.\" This file was generated with po4a. Translate the source file. ++.\" ++.\"$Id: shadowconfig.8,v 1.4 2001/08/23 23:10:48 kloczek Exp $ ++.TH SHADOWCONFIG 8 "19 avril 1997" "Debian GNU/Linux" ++.SH NOM ++shadowconfig \- active ou désactive les mots de passe cachés ++.SH SYNOPSIS ++\fBshadowconfig\fP \fIon\fP | \fIoff\fP ++.SH DESCRIPTION ++.PP ++\fBshadowconfig on\fP active les mots de passe cachés («\ shadow passwords\ »)\ ; \fBshadowconfig off\fP les désactive. \fBShadowconfig\fP affiche un message ++d'erreur et quitte avec une valeur de retour non nulle s'il rencontre ++quelque chose d'inattendu. Dans ce cas, vous devrez corriger l'erreur avant ++de recommencer. 
++ ++Activer les mots de passe cachés lorsqu'ils sont déjà activés, ou les ++désactiver lorsqu'ils ne sont pas actifs est sans effet. ++ ++Lisez \fI/usr/share/doc/passwd/README.Debian\fP pour une brève introduction aux ++mots de passe cachés et à leurs fonctionnalités. ++ ++Notez que désactiver puis réactiver les mots de passe cachés aura pour ++conséquence la perte des informations d'âge sur les mots de passe. ++.SH TRADUCTION ++Nicolas FRANÇOIS, 2004. ++Veuillez signaler toute erreur à <\fIdebian\-l10\-french@lists.debian.org\fR>. +diff --git a/man/ja/shadowconfig.8 b/man/ja/shadowconfig.8 +new file mode 100644 +index 0000000..a75c6f7 +--- /dev/null ++++ b/man/ja/shadowconfig.8 +@@ -0,0 +1,25 @@ ++.\" all right reserved, ++.\" Translated Tue Oct 30 11:59:11 JST 2001 ++.\" by Maki KURODA <mkuroda@aisys-jp.com> ++.\" ++.TH SHADOWCONFIG 8 "19 Apr 1997" "Debian GNU/Linux" ++.SH 名前 ++shadowconfig \- shadow パスワードの設定をオン及びオフに切替える ++.SH 書式 ++.B "shadowconfig" ++.IR on " | " off ++.SH 説明 ++.PP ++.B shadowconfig on ++は shadow パスワードを有効にする。 ++.B shadowconfig off ++は shadow パスワードを無効にする。 ++.B shadowconfig ++は何らかの間違いがあると、エラーメッセージを表示し、 ++ゼロではない返り値を返す。 ++もしそのようなことが起こった場合、エラーを修正し、再度実行しなければならない。 ++shadow パスワードの設定がすでにオンの場合にオンに設定したり、 ++すでにオフの場合にオフに設定しても、何の影響もない。 ++ ++.I /usr/share/doc/passwd/README.debian.gz ++には shadow パスワードとそれに関する特徴の簡単な紹介が書かれている。 +diff --git a/man/pl/shadowconfig.8 b/man/pl/shadowconfig.8 +new file mode 100644 +index 0000000..2016c9f +--- /dev/null ++++ b/man/pl/shadowconfig.8 +@@ -0,0 +1,27 @@ ++.\" $Id: shadowconfig.8,v 1.3 2001/08/23 23:10:51 kloczek Exp $ ++.\" {PTM/WK/1999-09-14} ++.TH SHADOWCONFIG 8 "19 kwietnia 1997" "Debian GNU/Linux" ++.SH NAZWA ++shadowconfig - przełącza ochronę haseł i grup przez pliki shadow ++.SH SKŁADNIA ++.B "shadowconfig" ++.IR on " | " off ++.SH OPIS ++.PP ++.B shadowconfig on ++włącza ochronę haseł i grup przez dodatkowe, przesłaniane pliki (shadow); ++.B shadowconfig off ++wyłącza dodatkowe pliki haseł i grup. 
++.B shadowconfig ++wyświetla komunikat o błędzie i kończy pracę z niezerowym kodem jeśli ++znajdzie coś nieprawidłowego. W takim wypadku powinieneś poprawić błąd ++.\" if it finds anything awry. ++i uruchomić program ponownie. ++ ++Włączenie ochrony haseł, gdy jest ona już włączona lub jej wyłączenie, ++gdy jest wyłączona jest nieszkodliwe. ++ ++Przeczytaj ++.IR /usr/share/doc/passwd/README.debian.gz , ++gdzie znajdziesz krótkie wprowadzenie do ochrony haseł z użyciem dodatkowych ++plików haseł przesłanianych (shadow passwords) i związanych tematów. +diff --git a/man/shadowconfig.8 b/man/shadowconfig.8 +new file mode 100644 +index 0000000..c0ee0af --- /dev/null -+++ git/man/shadowconfig.8 ++++ b/man/shadowconfig.8 @@ -0,0 +1,41 @@ +.\"Generated by db2man.xsl. Don't modify this, modify the source. +.de Sh \" Subsection @@ -49,10 +162,11 @@ Index: git/man/shadowconfig.8 +.PP +Note that turning shadow passwords off and on again will lose all password aging information\&. + -Index: git/man/shadowconfig.8.xml -=================================================================== +diff --git a/man/shadowconfig.8.xml b/man/shadowconfig.8.xml +new file mode 100644 +index 0000000..b4080ea --- /dev/null -+++ git/man/shadowconfig.8.xml ++++ b/man/shadowconfig.8.xml @@ -0,0 +1,52 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" 
@@ -106,96 +220,3 @@ Index: git/man/shadowconfig.8.xml + </para> + </refsect1> +</refentry> -Index: git/man/fr/shadowconfig.8 -=================================================================== ---- /dev/null -+++ git/man/fr/shadowconfig.8 -@@ -0,0 +1,26 @@ -+.\" This file was generated with po4a. Translate the source file. -+.\" -+.\"$Id: shadowconfig.8,v 1.4 2001/08/23 23:10:48 kloczek Exp $ -+.TH SHADOWCONFIG 8 "19 avril 1997" "Debian GNU/Linux" -+.SH NOM -+shadowconfig \- active ou désactive les mots de passe cachés -+.SH SYNOPSIS -+\fBshadowconfig\fP \fIon\fP | \fIoff\fP -+.SH DESCRIPTION -+.PP -+\fBshadowconfig on\fP active les mots de passe cachés («\ shadow passwords\ »)\ ; \fBshadowconfig off\fP les désactive. \fBShadowconfig\fP affiche un message -+d'erreur et quitte avec une valeur de retour non nulle s'il rencontre -+quelque chose d'inattendu. Dans ce cas, vous devrez corriger l'erreur avant -+de recommencer. -+ -+Activer les mots de passe cachés lorsqu'ils sont déjà activés, ou les -+désactiver lorsqu'ils ne sont pas actifs est sans effet. -+ -+Lisez \fI/usr/share/doc/passwd/README.Debian\fP pour une brève introduction aux -+mots de passe cachés et à leurs fonctionnalités. -+ -+Notez que désactiver puis réactiver les mots de passe cachés aura pour -+conséquence la perte des informations d'âge sur les mots de passe. -+.SH TRADUCTION -+Nicolas FRANÇOIS, 2004. -+Veuillez signaler toute erreur à <\fIdebian\-l10\-french@lists.debian.org\fR>. 
-Index: git/man/ja/shadowconfig.8 -=================================================================== ---- /dev/null -+++ git/man/ja/shadowconfig.8 -@@ -0,0 +1,25 @@ -+.\" all right reserved, -+.\" Translated Tue Oct 30 11:59:11 JST 2001 -+.\" by Maki KURODA <mkuroda@aisys-jp.com> -+.\" -+.TH SHADOWCONFIG 8 "19 Apr 1997" "Debian GNU/Linux" -+.SH 名前 -+shadowconfig \- shadow パスワードの設定をオン及びオフに切替える -+.SH 書式 -+.B "shadowconfig" -+.IR on " | " off -+.SH 説明 -+.PP -+.B shadowconfig on -+は shadow パスワードを有効にする。 -+.B shadowconfig off -+は shadow パスワードを無効にする。 -+.B shadowconfig -+は何らかの間違いがあると、エラーメッセージを表示し、 -+ゼロではない返り値を返す。 -+もしそのようなことが起こった場合、エラーを修正し、再度実行しなければならない。 -+shadow パスワードの設定がすでにオンの場合にオンに設定したり、 -+すでにオフの場合にオフに設定しても、何の影響もない。 -+ -+.I /usr/share/doc/passwd/README.debian.gz -+には shadow パスワードとそれに関する特徴の簡単な紹介が書かれている。 -Index: git/man/pl/shadowconfig.8 -=================================================================== ---- /dev/null -+++ git/man/pl/shadowconfig.8 -@@ -0,0 +1,27 @@ -+.\" $Id: shadowconfig.8,v 1.3 2001/08/23 23:10:51 kloczek Exp $ -+.\" {PTM/WK/1999-09-14} -+.TH SHADOWCONFIG 8 "19 kwietnia 1997" "Debian GNU/Linux" -+.SH NAZWA -+shadowconfig - przełącza ochronę haseł i grup przez pliki shadow -+.SH SKŁADNIA -+.B "shadowconfig" -+.IR on " | " off -+.SH OPIS -+.PP -+.B shadowconfig on -+włącza ochronę haseł i grup przez dodatkowe, przesłaniane pliki (shadow); -+.B shadowconfig off -+wyłącza dodatkowe pliki haseł i grup. -+.B shadowconfig -+wyświetla komunikat o błędzie i kończy pracę z niezerowym kodem jeśli -+znajdzie coś nieprawidłowego. W takim wypadku powinieneś poprawić błąd -+.\" if it finds anything awry. -+i uruchomić program ponownie. -+ -+Włączenie ochrony haseł, gdy jest ona już włączona lub jej wyłączenie, -+gdy jest wyłączona jest nieszkodliwe. -+ -+Przeczytaj -+.IR /usr/share/doc/passwd/README.debian.gz , -+gdzie znajdziesz krótkie wprowadzenie do ochrony haseł z użyciem dodatkowych -+plików haseł przesłanianych (shadow passwords) i związanych tematów. 
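Review bot: The three translated pages moved in Document-the-shadowconfig-utility.patch disagree on the README path: man/fr/shadowconfig.8 points at /usr/share/doc/passwd/README.Debian while man/ja/shadowconfig.8 and man/pl/shadowconfig.8 point at /usr/share/doc/passwd/README.debian.gz, so at least one of them is stale and the refresh was the moment to settle on the path the passwd package actually installs. Two smaller points in the same patch: the pl page carries a stray `.\" if it finds anything awry.` comment in the middle of its DESCRIPTION paragraph, and the new header keeps "Status wrt upstream: The shadowconfig utility is debian specific" without the `Forwarded: not-needed` line that Keep-using-Debian-adduser-defaults.patch uses for the same situation.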
diff --git a/debian/patches/502_debian_useradd_defaults b/debian/patches/Keep-using-Debian-adduser-defaults.patch index 6317ed6..51dfb88 100644 --- a/debian/patches/502_debian_useradd_defaults +++ b/debian/patches/Keep-using-Debian-adduser-defaults.patch @@ -1,41 +1,54 @@ From: Balint Reczey <balint@balintreczey.hu> -Description: Keep using Debian's adduser defaults - Upstream's bbf4b79bc49fd1826eb41f6629669ef0b647267b commit - in 4.9 merged those values from upstream's default configuration file - which is not shipped in Debian. - This patch keeps the program's compiled in defaults in sync with the - configuration files shipped in Debian (debian/default/useradd). +Date: Sat, 22 Jun 2024 17:39:41 +0200 +Subject: Keep using Debian's adduser defaults + Bug: https://github.com/shadow-maint/shadow/issues/501 Bug-Debian: https://bugs.debian.org/1004710 Forwarded: not-needed +Upstream's bbf4b79bc49fd1826eb41f6629669ef0b647267b commit +in 4.9 merged those values from upstream's default configuration file +which is not shipped in Debian. +This patch keeps the program's compiled in defaults in sync with the +configuration files shipped in Debian (debian/default/useradd). + +Gbp-Topic: debian +--- + man/useradd.8.xml | 2 +- + src/useradd.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/man/useradd.8.xml b/man/useradd.8.xml +index 001e7d1..4888100 100644 +--- a/man/useradd.8.xml ++++ b/man/useradd.8.xml +@@ -248,7 +248,7 @@ + command line), useradd will set the primary group of the new + user to the value specified by the <option>GROUP</option> + variable in <filename>/etc/default/useradd</filename>, or +- 1000 by default. ++ 100 by default. + </para> + </listitem> + </varlistentry> +diff --git a/src/useradd.c b/src/useradd.c +index 347334a..ac43edd 100644 --- a/src/useradd.c 
+++ b/src/useradd.c -@@ -79,12 +79,12 @@ +@@ -91,14 +91,14 @@ static const char Prog[] = "useradd"; /* * These defaults are used if there is no defaults file. */ -static gid_t def_group = 1000; +static gid_t def_group = 100; + static const char *def_groups = ""; static const char *def_gname = "other"; static const char *def_home = "/home"; static const char *def_shell = "/bin/bash"; static const char *def_template = SKEL_DIR; + static const char *def_usrtemplate = USRSKELDIR; -static const char *def_create_mail_spool = "yes"; +static const char *def_create_mail_spool = "no"; static const char *def_log_init = "yes"; static long def_inactive = -1; -diff --git a/man/useradd.8.xml b/man/useradd.8.xml -index af02a23f..c7f95b47 100644 ---- a/man/useradd.8.xml -+++ b/man/useradd.8.xml -@@ -248,7 +248,7 @@ - command line), useradd will set the primary group of the new - user to the value specified by the <option>GROUP</option> - variable in <filename>/etc/default/useradd</filename>, or -- 1000 by default. -+ 100 by default. - </para> - </listitem> - </varlistentry> diff --git a/debian/patches/463_login_delay_obeys_to_PAM b/debian/patches/Let-pam_unix-handle-login-failure-delays.patch index ab32c2a..66f5063 100644 --- a/debian/patches/463_login_delay_obeys_to_PAM +++ b/debian/patches/Let-pam_unix-handle-login-failure-delays.patch @@ -1,5 +1,6 @@ -Goal: Do not hardcode pam_fail_delay and let pam_unix do its - job to set a delay...or not +From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org> +Date: Sat, 22 Jun 2024 17:39:41 +0200 +Subject: Let pam_unix handle login failure delays Fixes: #87648 
@@ -7,25 +8,45 @@ Status wrt upstream: Forwarded but not applied yet Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs +Gbp-Topic: debian +--- + lib/getdef.c | 1 - + src/login.c | 19 +++++-------------- + 2 files changed, 5 insertions(+), 15 deletions(-) + +diff --git a/lib/getdef.c b/lib/getdef.c +index 30f54ba..21307bb 100644 +--- a/lib/getdef.c ++++ b/lib/getdef.c +@@ -84,7 +84,6 @@ static struct itemdef def_table[] = { + {"ENV_PATH", NULL}, + {"ENV_SUPATH", NULL}, + {"ERASECHAR", NULL}, +- {"FAIL_DELAY", NULL}, + {"FAKE_SHELL", NULL}, + {"GID_MAX", NULL}, + {"GID_MIN", NULL}, +diff --git a/src/login.c b/src/login.c +index 9fed7b3..a5512d1 100644 --- a/src/login.c +++ b/src/login.c -@@ -512,7 +512,6 @@ - #if !defined(USE_PAM) - char ptime[80]; - #endif -- unsigned int delay; - unsigned int retries; - bool subroot = false; - #ifndef USE_PAM -@@ -537,6 +536,7 @@ - pid_t child; - char *pam_user = NULL; +@@ -490,7 +490,6 @@ int main (int argc, char **argv) + const char *tmptty; + const char *cp; + const char *tmp; +- unsigned int delay; + unsigned int retries; + unsigned int timeout; + struct passwd *pwd = NULL; +@@ -500,6 +499,7 @@ int main (int argc, char **argv) + char *pam_user = NULL; + pid_t child; #else -+ unsigned int delay; ++ unsigned int delay; + bool is_console; struct spwd *spwd = NULL; - #endif - /* -@@ -701,7 +701,6 @@ + # if defined(ENABLE_LASTLOG) +@@ -669,7 +669,6 @@ int main (int argc, char **argv) } environ = newenvp; /* make new environment active */ @@ -33,7 +54,7 @@ Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs retries = getdef_unum ("LOGIN_RETRIES", RETRIES); #ifdef USE_PAM -@@ -717,8 +716,7 @@ +@@ -685,8 +684,7 @@ int main (int argc, char **argv) /* * hostname & tty are either set to NULL or their correct values, 
@@ -43,7 +64,7 @@ Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs * * PAM_RHOST and PAM_TTY are used for authentication, only use * information coming from login or from the caller (e.g. no utmp) -@@ -727,10 +725,6 @@ +@@ -695,10 +693,6 @@ int main (int argc, char **argv) PAM_FAIL_CHECK; retcode = pam_set_item (pamh, PAM_TTY, tty); PAM_FAIL_CHECK; @@ -53,8 +74,8 @@ Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs -#endif /* if fflg, then the user has already been authenticated */ if (!fflg) { - unsigned int failcount = 0; -@@ -771,12 +765,6 @@ + char hostn[256]; +@@ -736,12 +730,6 @@ int main (int argc, char **argv) bool failed = false; failcount++; @@ -67,7 +88,7 @@ Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs retcode = pam_authenticate (pamh, 0); -@@ -1110,14 +1098,17 @@ +@@ -1032,14 +1020,17 @@ int main (int argc, char **argv) free (username); username = NULL; @@ -85,13 +106,3 @@ Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs (void) puts (_("Login incorrect")); ---- a/lib/getdef.c -+++ b/lib/getdef.c -@@ -77,7 +77,6 @@ - {"ENV_PATH", NULL}, - {"ENV_SUPATH", NULL}, - {"ERASECHAR", NULL}, -- {"FAIL_DELAY", NULL}, - {"FAILLOG_ENAB", NULL}, - {"FAKE_SHELL", NULL}, - {"FTMP_FILE", NULL}, diff --git a/debian/patches/README.patches b/debian/patches/README.patches deleted file mode 100644 index a804fe3..0000000 --- a/debian/patches/README.patches +++ /dev/null 
@@ -1,22 +0,0 @@ -Small intro to the system for numbering the patches here... - --The 00xx-... patches are forwarded to upstream's git repository - --The 0xx_... series of patches are patches isolated from the latest - version of the shadow Debian package not using quilt in order to - separate upstream from Debian-specific stuff. - - NO MORE PATCHES SHOULD BE ADDED IN THESE SERIES - --The 4xx series are patches which have been applied to Debian's shadow - and have NOT been accepted and/or applied upstream. These patches MUST be kept - even after resynced with upstream - --The 5xx series are patches which are applied to Debian's shadow - and will never be proposed upstream because they're too specific - This list SHOULD BE AS SHORT AS POSSIBLE - -In short, while we are working towards synchronisation with upstream, -our goal is to make 0xx patches disappear by moving them either to 3xx -series (things already implemented upstream) or to 4xx series -(Debian-specific patches). diff --git a/debian/patches/505_useradd_recommend_adduser b/debian/patches/Recommend-using-adduser-and-deluser.patch index 9fb3fe3..79019a4 100644 --- a/debian/patches/505_useradd_recommend_adduser +++ b/debian/patches/Recommend-using-adduser-and-deluser.patch @@ -1,36 +1,48 @@ -Goal: Recommend using adduser and deluser. +From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org> +Date: Sat, 22 Jun 2024 17:39:41 +0200 +Subject: Recommend using adduser and deluser Fixes: #406046 Status wrt upstream: Debian specific patch. +Gbp-Topic: debian +--- + man/useradd.8.xml | 6 ++++++ + man/userdel.8.xml | 6 ++++++ + 2 files changed, 12 insertions(+) + +diff --git a/man/useradd.8.xml b/man/useradd.8.xml +index 4888100..17987a6 100644 --- a/man/useradd.8.xml 
+++ b/man/useradd.8.xml -@@ -83,6 +83,12 @@ +@@ -82,6 +82,12 @@ + <refsect1 id='description'> <title>DESCRIPTION</title> - <para> ++ <para> + <command>useradd</command> is a low level utility for adding + users. On Debian, administrators should usually use + <citerefentry><refentrytitle>adduser</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> instead. + </para> -+ <para> + <para> When invoked without the <option>-D</option> option, the <command>useradd</command> command creates a new user account using - the values specified on the command line plus the default values from +diff --git a/man/userdel.8.xml b/man/userdel.8.xml +index 5bd2981..384cc86 100644 --- a/man/userdel.8.xml +++ b/man/userdel.8.xml -@@ -59,6 +59,12 @@ +@@ -58,6 +58,12 @@ + <refsect1 id='description'> <title>DESCRIPTION</title> - <para> ++ <para> + <command>userdel</command> is a low level utility for removing + users. On Debian, administrators should usually use + <citerefentry><refentrytitle>deluser</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> instead. + </para> -+ <para> + <para> The <command>userdel</command> command modifies the system account files, deleting all entries that refer to the user name <emphasis - remap='I'>LOGIN</emphasis>. The named user must exist. diff --git a/debian/patches/506_relaxed_usernames b/debian/patches/Relax-usernames-groupnames-checking.patch index 0e066d9..bb3c027 100644 --- a/debian/patches/506_relaxed_usernames +++ b/debian/patches/Relax-usernames-groupnames-checking.patch 
@@ -1,28 +1,38 @@ -Goal: Relaxed usernames/groupnames checking patch. +From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org> +Date: Sat, 22 Jun 2024 17:39:41 +0200 +Subject: Relax usernames/groupnames checking + +Allows any non-empty user/grounames that don't contain ':', ',' or '\n' +characters and don't start with '-', '+', or '~'. This patch is more +restrictive than original Karl's version. closes: #264879 +Also closes: #377844 + +Comments from Karl Ramm (shadow 1:4.0.3-9, 20 Aug 2003 02:06:50 -0400): + +I can't come up with a good justification as to why characters other +than ':'s and '\0's should be disallowed in group and usernames (other +than '-' as the leading character). Thus, the maintenance tools don't +anymore. closes: #79682, #166798, #171179 Status wrt upstream: Debian specific. Not to be used upstream -Details: - Allows any non-empty user/grounames that don't contain ':', ',' or '\n' - characters and don't start with '-', '+', or '~'. This patch is more - restrictive than original Karl's version. closes: #264879 - Also closes: #377844 - - Comments from Karl Ramm (shadow 1:4.0.3-9, 20 Aug 2003 02:06:50 -0400): - - I can't come up with a good justification as to why characters other - than ':'s and '\0's should be disallowed in group and usernames (other - than '-' as the leading character). Thus, the maintenance tools don't - anymore. closes: #79682, #166798, #171179 +Gbp-Topic: debian +--- + lib/chkname.c | 47 +++++++++++++++-------------------------------- + man/groupadd.8.xml | 6 ++++++ + man/useradd.8.xml | 7 ++++++- + 3 files changed, 27 insertions(+), 33 deletions(-) ---- a/libmisc/chkname.c -+++ b/libmisc/chkname.c -@@ -32,44 +32,26 @@ +diff --git a/lib/chkname.c b/lib/chkname.c +index 995562f..d9678c6 100644 +--- a/lib/chkname.c ++++ b/lib/chkname.c +@@ -54,44 +54,27 @@ static bool is_valid_name (const char *name) } /* -- * User/group names must match gnu e-regex: -- * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]? 
+- * User/group names must match BRE regex: +- * [a-zA-Z0-9_.][a-zA-Z0-9_.-]*$\? - * - * as a non-POSIX, extension, allow "$" as the last char for - * sake of Samba 3.x "add machine script" @@ -51,7 +61,7 @@ Details: + || ('+' == *name)) { return false; } -- + - numeric = isdigit(*name); - - while ('\0' != *++name) { @@ -76,36 +86,39 @@ Details: + return true; } - bool is_valid_user_name (const char *name) + +diff --git a/man/groupadd.8.xml b/man/groupadd.8.xml +index 61a548f..d472bd0 100644 +--- a/man/groupadd.8.xml ++++ b/man/groupadd.8.xml +@@ -71,6 +71,12 @@ + Fully numeric groupnames and groupnames . or .. are + also disallowed. + </para> ++ <para> ++ On Debian, the only constraints are that groupnames must neither start ++ with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a ++ colon (':'), a comma (','), or a whitespace (space:' ', ++ end of line: '\n', tabulation: '\t', etc.). ++ </para> + <para> + Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long. + </para> +diff --git a/man/useradd.8.xml b/man/useradd.8.xml +index 17987a6..4fc95d1 100644 --- a/man/useradd.8.xml 
+++ b/man/useradd.8.xml -@@ -708,6 +708,14 @@ +@@ -733,7 +733,12 @@ the <command>ls</command> output. </para> <para> +- Usernames may only be up to 256 characters long. + On Debian, the only constraints are that usernames must neither start + with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a + colon (':'), a comma (','), or a whitespace (space: ' ', + end of line: '\n', tabulation: '\t', etc.). Note that using a slash + ('/') may break the default algorithm for the definition of the + user's home directory. -+ </para> -+ <para> - Usernames may only be up to 32 characters long. </para> </refsect1> ---- a/man/groupadd.8.xml -+++ b/man/groupadd.8.xml -@@ -72,6 +72,12 @@ - also disallowed. - </para> - <para> -+ On Debian, the only constraints are that groupnames must neither start -+ with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a -+ colon (':'), a comma (','), or a whitespace (space:' ', -+ end of line: '\n', tabulation: '\t', etc.). -+ </para> -+ <para> - Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long. - </para> - </refsect1> + diff --git a/debian/patches/501_commonio_group_shadow b/debian/patches/Set-group-and-mode-for-g-shadow-files.patch index cfdf10c..c5e21ac 100644 --- a/debian/patches/501_commonio_group_shadow +++ b/debian/patches/Set-group-and-mode-for-g-shadow-files.patch @@ -1,7 +1,20 @@ -Goal: save the [g]shadow files with the 'shadow' group and mode 0440 +From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org> +Date: Sat, 22 Jun 2024 17:39:41 +0200 +Subject: Set group and mode for [g]shadow files + +Set group 'shadow' and mode 0400. Fixes: #166793 +Gbp-Topic: debian +--- + lib/commonio.c | 12 ++++++++++++ + lib/sgroupio.c | 2 +- + lib/shadowio.c | 2 +- + 3 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/lib/commonio.c b/lib/commonio.c +index 01a26c9..72e53b0 100644 --- a/lib/commonio.c +++ b/lib/commonio.c @@ -21,6 +21,7 @@ 
@@ -9,12 +22,12 @@ Fixes: #166793 #include <stdio.h> #include <signal.h> +#include <grp.h> - #include "nscd.h" - #include "sssd.h" - #ifdef WITH_TCB -@@ -970,12 +971,23 @@ + + #include "alloc.h" + #include "memzero.h" +@@ -956,12 +957,23 @@ int commonio_close (struct commonio_db *db) + if (errors != 0) goto fail; - } } else { + struct group *grp; /* @@ -35,10 +48,12 @@ Fixes: #166793 + } } - snprintf (buf, sizeof buf, "%s+", db->filename); + if (SNPRINTF(buf, "%s+", db->filename) == -1) +diff --git a/lib/sgroupio.c b/lib/sgroupio.c +index 0297df4..107b1e5 100644 --- a/lib/sgroupio.c +++ b/lib/sgroupio.c -@@ -206,7 +206,7 @@ +@@ -209,7 +209,7 @@ static struct commonio_db gshadow_db = { #ifdef WITH_SELINUX NULL, /* scontext */ #endif @@ -47,9 +62,11 @@ Fixes: #166793 0, /* st_uid */ 0, /* st_gid */ NULL, /* head */ +diff --git a/lib/shadowio.c b/lib/shadowio.c +index d2c3b47..53dac0b 100644 --- a/lib/shadowio.c +++ b/lib/shadowio.c -@@ -84,7 +84,7 @@ +@@ -85,7 +85,7 @@ static struct commonio_db shadow_db = { #ifdef WITH_SELINUX NULL, /* scontext */ #endif /* WITH_SELINUX */ diff --git a/debian/patches/402_cppw_selinux b/debian/patches/ccpw-add-selinux-support.patch index 5f2da1b..d64210f 100644 --- a/debian/patches/402_cppw_selinux +++ b/debian/patches/ccpw-add-selinux-support.patch 
@@ -1,18 +1,19 @@ -Goal: Add selinux support to cppw - -Fix: +From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org> +Date: Sat, 22 Jun 2024 17:39:41 +0200 +Subject: ccpw: add selinux support Status wrt upstream: cppw is not available upstream. - The patch was made based on the - 302_vim_selinux_support patch. It needs to be - reviewed by an SE-Linux aware person. +Needs to be reviewed by an SE-Linux aware person. -Depends on 401_cppw_src.dpatch +Gbp-Topic: debian +--- + src/cppw.c | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) -Index: git/src/cppw.c -=================================================================== ---- git.orig/src/cppw.c -+++ git/src/cppw.c +diff --git a/src/cppw.c b/src/cppw.c +index beb4c36..2cbbbc0 100644 +--- a/src/cppw.c ++++ b/src/cppw.c @@ -34,6 +34,9 @@ #include <sys/types.h> #include <signal.h> @@ -23,7 +24,7 @@ Index: git/src/cppw.c #include "exitcodes.h" #include "prototypes.h" #include "pwio.h" -@@ -139,6 +142,22 @@ +@@ -139,6 +142,22 @@ static void cppwcopy (const char *file, if (access (file, F_OK) != 0) { cppwexit (file, 1, 1); } @@ -46,7 +47,7 @@ Index: git/src/cppw.c if (file_lock () == 0) { cppwexit (_("Couldn't lock file"), 0, 5); } -@@ -167,6 +186,15 @@ +@@ -167,6 +186,15 @@ static void cppwcopy (const char *file, cppwexit (NULL,0,1); } diff --git a/debian/patches/401_cppw_src.dpatch b/debian/patches/cppw-Add-tool.patch index 5244702..a738898 100644 --- a/debian/patches/401_cppw_src.dpatch +++ b/debian/patches/cppw-Add-tool.patch 
@@ -1,10 +1,50 @@ -#! /bin/sh /usr/share/dpatch/dpatch-run -## 401_cppw_src.dpatch by Nicolas FRANCOIS <nicolas.francois@centraliens.net> -## -## All lines beginning with `## DP:' are a description of the patch. -## DP: Add cppw / cpgr +From: Nicolas FRANCOIS <nicolas.francois@centraliens.net> +Date: Sat, 22 Jun 2024 17:39:41 +0200 +Subject: cppw: Add tool -@DPATCH@ +Gbp-Topic: debian +--- + po/POTFILES.in | 1 + + src/Makefile.am | 2 + + src/cppw.c | 238 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 241 insertions(+) + create mode 100644 src/cppw.c + +diff --git a/po/POTFILES.in b/po/POTFILES.in +index 9ff6100..a60c93e 100644 +--- a/po/POTFILES.in ++++ b/po/POTFILES.in +@@ -86,6 +86,7 @@ src/chfn.c + src/chgpasswd.c + src/chpasswd.c + src/chsh.c ++src/cppw.c + src/expiry.c + src/faillog.c + src/gpasswd.c +diff --git a/src/Makefile.am b/src/Makefile.am +index b6cb09e..c86ba52 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -39,6 +39,7 @@ if WITH_SU + bin_PROGRAMS += su + endif + usbin_PROGRAMS = \ ++ cppw \ + chgpasswd \ + chpasswd \ + groupadd \ +@@ -104,6 +105,7 @@ newuidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -l + newgidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl + chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF) + chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF) ++cppw_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) + chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF) + chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF) -ldl + expiry_LDADD = $(LDADD) $(LIBECONF) +diff --git a/src/cppw.c b/src/cppw.c +new file mode 100644 +index 0000000..beb4c36 --- /dev/null +++ b/src/cppw.c @@ -0,0 +1,238 @@ 
@@ -246,31 +286,3 @@ + return 0; +} + ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -34,6 +34,7 @@ - bin_PROGRAMS += su - endif - usbin_PROGRAMS = \ -+ cppw \ - chgpasswd \ - chpasswd \ - groupadd \ -@@ -102,6 +103,7 @@ - chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF) - chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF) - chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF) -+cppw_LDADD = $(LDADD) $(LIBSELINUX) $(LIBAUDIT) - expiry_LDADD = $(LDADD) $(LIBECONF) - gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF) - groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) -ldl ---- a/po/POTFILES.in -+++ b/po/POTFILES.in -@@ -91,6 +91,7 @@ - src/chgpasswd.c - src/chpasswd.c - src/chsh.c -+src/cppw.c - src/expiry.c - src/faillog.c - src/gpasswd.c diff --git a/debian/patches/series b/debian/patches/series index c2b8dfd..35d8303 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -1,24 +1,10 @@ -# CVE-2023-4641 -0001-gpasswd-1-Fix-password-leak.patch - -# CVE-2023-29383 -0002-Added-control-character-check.patch -0003-Overhaul-valid_field.patch - -# These patches are only for the testsuite: -#900_testsuite_groupmems -#901_testsuite_gcov - -008_login_log_failure_in_FTMP -401_cppw_src.dpatch -# 402 should be merged in 401, but should be reviewed by SE Linux experts first -402_cppw_selinux -429_login_FAILLOG_ENAB -463_login_delay_obeys_to_PAM -501_commonio_group_shadow -502_debian_useradd_defaults -503_shadowconfig.8 -505_useradd_recommend_adduser -506_relaxed_usernames -542_useradd-O_option +cppw-Add-tool.patch +ccpw-add-selinux-support.patch +Let-pam_unix-handle-login-failure-delays.patch +Set-group-and-mode-for-g-shadow-files.patch +Keep-using-Debian-adduser-defaults.patch +Document-the-shadowconfig-utility.patch +Recommend-using-adduser-and-deluser.patch +Relax-usernames-groupnames-checking.patch +useradd-accept-the-O-flag-for-backward-compatibility.patch progress-linux/0001-login-prompt.patch diff --git a/debian/patches/542_useradd-O_option b/debian/patches/useradd-accept-the-O-flag-for-backward-compatibility.patch index 3745826..74b41c8 100644 --- a/debian/patches/542_useradd-O_option +++ b/debian/patches/useradd-accept-the-O-flag-for-backward-compatibility.patch @@ -1,13 +1,23 @@ -Goal: accepts the -O flag for backward compatibility. (was used by adduser?) +From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org> +Date: Sat, 22 Jun 2024 17:39:41 +0200 +Subject: useradd: accept the -O flag for backward compatibility Note: useradd.8 needs to be regenerated. -Status wrt upstream: not included as this is just specific +Status wrt upstream: not included as this is just specific backward compatibility for Debian +Gbp-Topic: debian +--- + man/useradd.8.xml | 5 +++++ + src/useradd.c | 3 ++- + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/man/useradd.8.xml b/man/useradd.8.xml +index 4fc95d1..c513e56 100644 
--- a/man/useradd.8.xml +++ b/man/useradd.8.xml -@@ -326,6 +326,11 @@ +@@ -333,6 +333,11 @@ =<replaceable>100</replaceable> <option>-K</option> <replaceable>UID_MAX</replaceable>=<replaceable>499</replaceable> </para> @@ -19,9 +29,11 @@ Status wrt upstream: not included as this is just specific <!--para> Note: <option>-K</option> <replaceable>UID_MIN</replaceable>=<replaceable>10</replaceable>,<replaceable>UID_MAX</replaceable>=<replaceable>499</replaceable> doesn't work yet. +diff --git a/src/useradd.c b/src/useradd.c +index ac43edd..1cf3349 100644 --- a/src/useradd.c +++ b/src/useradd.c -@@ -1227,7 +1227,7 @@ +@@ -1215,7 +1215,7 @@ static void process_flags (int argc, char **argv) {NULL, 0, NULL, '\0'} }; while ((c = getopt_long (argc, argv, @@ -30,7 +42,7 @@ Status wrt upstream: not included as this is just specific #ifdef WITH_SELINUX "Z:" #endif /* WITH_SELINUX */ -@@ -1367,6 +1367,7 @@ +@@ -1355,6 +1355,7 @@ static void process_flags (int argc, char **argv) kflg = true; break; case 'K': |
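Review bot: the debian/patches/series hunk drops the CVE-2023-4641 entry (0001-gpasswd-1-Fix-password-leak.patch, deleted from the tree in this change) and the CVE-2023-29383 entries (0002-Added-control-character-check.patch, 0003-Overhaul-valid_field.patch), but nothing in the diff records that those fixes are contained in the upstream version now being packaged; say so in the commit message or carry the patches over, since silently dropping them would regress the security fixes. The same hunk removes 008_login_log_failure_in_FTMP and 429_login_FAILLOG_ENAB without a renamed replacement, and loses the `# 402 should be merged in 401, but should be reviewed by SE Linux experts first` comment; keep that merge note either in series or in the header of the cppw selinux patch.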
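Review bot: in the lib/getdef.c hunk of Let-pam_unix-handle-login-failure-delays.patch, `- {"FAIL_DELAY", NULL},` removes the key from def_table, which is shared by every shadow tool, while only src/login.c is adjusted; confirm that no other caller still looks up FAIL_DELAY, because after this hunk such a lookup no longer matches an entry in def_table. The header line `Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs` is ambiguous; reword it to state that reverting this patch requires restoring FAIL_DELAY in login.defs (the patch itself does not touch login.defs). Moving `unsigned int delay;` under `#else` so that only the non-PAM build keeps the variable is fine.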
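Review bot: the header of Relax-usernames-groupnames-checking.patch and its man page hunks disagree on what is rejected: the description says names must not contain ':', ',' or '\n', while the groupadd.8.xml and useradd.8.xml hunks say any whitespace (space, '\n', '\t', etc.) is rejected; align the description with what the lib/chkname.c hunk actually checks. In the useradd.8.xml hunk, `+- Usernames may only be up to 256 characters long.` removes the length statement without replacing it, whereas the groupadd.8.xml hunk keeps `Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.`; keep an equivalent length sentence for usernames. 'grounames' in the description is a typo.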
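Review bot: the header of Set-group-and-mode-for-g-shadow-files.patch changes the stated mode from the old `Goal: save the [g]shadow files with the 'shadow' group and mode 0440` to `Set group 'shadow' and mode 0400.`; with 0400 the shadow group gets no read access, which defeats the purpose of setting the group, so check the mode value actually written in the lib/sgroupio.c and lib/shadowio.c hunks and make the description match it. In the lib/commonio.c hunk the new `struct group *grp;` lookup of the shadow group must cope with the group being absent; the body of that hunk is not shown here, so confirm that commonio_close does not fail or leave the file with the wrong ownership in that case.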
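Review bot: the renamed file ccpw-add-selinux-support.patch and its `Subject: ccpw: add selinux support` misspell the tool name (the program is cppw, as in src/cppw.c), and the series file carries the same misspelling; rename it to cppw-add-selinux-support.patch and fix the Subject before the name is frozen in the package history.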
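Review bot: in the src/Makefile.am hunk of cppw-Add-tool.patch, `+ cppw \` is inserted ahead of chgpasswd and `+cppw_LDADD = ...` between chgpasswd_LDADD and chsh_LDADD, breaking the alphabetical order of both lists; place them after chpasswd. Deleting README.patches removes the only description of the patch numbering scheme, but the new convention (git-format headers, `Gbp-Topic: debian`) is not documented anywhere in this change; replace the file with a short note on the new workflow rather than dropping it.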