From 6cfae0f7454977a2a1171b25e82cef512c14e156 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 16:54:38 +0200 Subject: Adding debian version 1:4.13+dfsg1-1. Signed-off-by: Daniel Baumann --- debian/patches/008_login_log_failure_in_FTMP | 51 +++++ debian/patches/401_cppw_src.dpatch | 276 +++++++++++++++++++++++++++ debian/patches/402_cppw_selinux | 64 +++++++ debian/patches/429_login_FAILLOG_ENAB | 84 ++++++++ debian/patches/463_login_delay_obeys_to_PAM | 97 ++++++++++ debian/patches/501_commonio_group_shadow | 60 ++++++ debian/patches/502_debian_useradd_defaults | 41 ++++ debian/patches/503_shadowconfig.8 | 201 +++++++++++++++++++ debian/patches/505_useradd_recommend_adduser | 36 ++++ debian/patches/506_relaxed_usernames | 111 +++++++++++ debian/patches/542_useradd-O_option | 40 ++++ debian/patches/900_testsuite_groupmems | 81 ++++++++ debian/patches/901_testsuite_gcov | 76 ++++++++ debian/patches/README.patches | 22 +++ debian/patches/series | 16 ++ 15 files changed, 1256 insertions(+) create mode 100644 debian/patches/008_login_log_failure_in_FTMP create mode 100644 debian/patches/401_cppw_src.dpatch create mode 100644 debian/patches/402_cppw_selinux create mode 100644 debian/patches/429_login_FAILLOG_ENAB create mode 100644 debian/patches/463_login_delay_obeys_to_PAM create mode 100644 debian/patches/501_commonio_group_shadow create mode 100644 debian/patches/502_debian_useradd_defaults create mode 100644 debian/patches/503_shadowconfig.8 create mode 100644 debian/patches/505_useradd_recommend_adduser create mode 100644 debian/patches/506_relaxed_usernames create mode 100644 debian/patches/542_useradd-O_option create mode 100644 debian/patches/900_testsuite_groupmems create mode 100644 debian/patches/901_testsuite_gcov create mode 100644 debian/patches/README.patches create mode 100644 debian/patches/series (limited to 'debian/patches') diff --git a/debian/patches/008_login_log_failure_in_FTMP b/debian/patches/008_login_log_failure_in_FTMP new file mode 100644 index 0000000..0946ca0 --- /dev/null +++ b/debian/patches/008_login_log_failure_in_FTMP @@ -0,0 +1,51 @@ +Goal: Log login failures to the btmp file + +Notes: + * I'm not sure login should add an entry in the FTMP file when PAM is used. + (but nothing in /etc/login.defs indicates that the failure is not logged) + +--- a/src/login.c ++++ b/src/login.c +@@ -827,6 +827,24 @@ + (void) puts (""); + (void) puts (_("Login incorrect")); + ++ if (getdef_str("FTMP_FILE") != NULL) { ++#ifdef USE_UTMPX ++ struct utmpx *failent = ++ prepare_utmpx (failent_user, ++ tty, ++ /* FIXME: or fromhost? */hostname, ++ utent); ++#else /* !USE_UTMPX */ ++ struct utmp *failent = ++ prepare_utmp (failent_user, ++ tty, ++ hostname, ++ utent); ++#endif /* !USE_UTMPX */ ++ failtmp (failent_user, failent); ++ free (failent); ++ } ++ + if (failcount >= retries) { + SYSLOG ((LOG_NOTICE, + "TOO MANY LOGIN TRIES (%u)%s FOR '%s'", +--- a/lib/getdef.c ++++ b/lib/getdef.c +@@ -38,7 +38,6 @@ + {"ENVIRON_FILE", NULL}, \ + {"ENV_TZ", NULL}, \ + {"FAILLOG_ENAB", NULL}, \ +- {"FTMP_FILE", NULL}, \ + {"HMAC_CRYPTO_ALGO", NULL}, \ + {"ISSUE_FILE", NULL}, \ + {"LASTLOG_ENAB", NULL}, \ +@@ -80,6 +79,7 @@ + {"ERASECHAR", NULL}, + {"FAIL_DELAY", NULL}, + {"FAKE_SHELL", NULL}, ++ {"FTMP_FILE", NULL}, + {"GID_MAX", NULL}, + {"GID_MIN", NULL}, + {"HOME_MODE", NULL}, diff --git a/debian/patches/401_cppw_src.dpatch b/debian/patches/401_cppw_src.dpatch new file mode 100644 index 0000000..5244702 --- /dev/null +++ b/debian/patches/401_cppw_src.dpatch @@ -0,0 +1,276 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 401_cppw_src.dpatch by Nicolas FRANCOIS +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Add cppw / cpgr + +@DPATCH@ +--- /dev/null ++++ b/src/cppw.c +@@ -0,0 +1,238 @@ ++/* ++ cppw, cpgr copy with locking given file over the password or group file ++ with -s will copy with locking given file over shadow or gshadow file ++ ++ Copyright (C) 1999 Stephen Frost ++ ++ Based on vipw, vigr by: ++ Copyright (C) 1997 Guy Maor ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 2 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, but ++ WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program; if not, write to the Free Software ++ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. ++ ++ */ ++ ++#include ++#include "defines.h" ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "exitcodes.h" ++#include "prototypes.h" ++#include "pwio.h" ++#include "shadowio.h" ++#include "groupio.h" ++#include "sgroupio.h" ++ ++ ++const char *Prog; ++ ++const char *filename, *filenewname; ++static bool filelocked = false; ++static int (*unlock) (void); ++ ++/* local function prototypes */ ++static int create_copy (FILE *fp, const char *dest, struct stat *sb); ++static void cppwexit (const char *msg, int syserr, int ret); ++static void cppwcopy (const char *file, ++ const char *in_file, ++ int (*file_lock) (void), ++ int (*file_unlock) (void)); ++ ++static int create_copy (FILE *fp, const char *dest, struct stat *sb) ++{ ++ struct utimbuf ub; ++ FILE *bkfp; ++ int c; ++ mode_t mask; ++ ++ mask = umask (077); ++ bkfp = fopen (dest, "w"); ++ (void) umask (mask); ++ if (NULL == bkfp) { ++ return -1; ++ } ++ ++ rewind (fp); ++ while ((c = getc (fp)) != EOF) { ++ if (putc (c, bkfp) == EOF) { ++ break; ++ } ++ } ++ ++ if ( (c != EOF) ++ || (fflush (bkfp) != 0)) { ++ (void) fclose (bkfp); ++ (void) unlink (dest); ++ return -1; ++ } ++ if ( (fsync (fileno (bkfp)) != 0) ++ || (fclose (bkfp) != 0)) { ++ (void) unlink (dest); ++ return -1; ++ } ++ ++ ub.actime = sb->st_atime; ++ ub.modtime = sb->st_mtime; ++ if ( (utime (dest, &ub) != 0) ++ || (chmod (dest, sb->st_mode) != 0) ++ || (chown (dest, sb->st_uid, sb->st_gid) != 0)) { ++ (void) unlink (dest); ++ return -1; ++ } ++ return 0; ++} ++ ++static void cppwexit (const char *msg, int syserr, int ret) ++{ ++ int err = errno; ++ if (filelocked) { ++ (*unlock) (); ++ } ++ if (NULL != msg) { ++ fprintf (stderr, "%s: %s", Prog, msg); ++ if (0 != syserr) { ++ fprintf (stderr, ": %s", strerror (err)); ++ } ++ (void) fputs ("\n", stderr); ++ } ++ if (NULL != filename) { ++ fprintf (stderr, _("%s: %s is unchanged\n"), Prog, filename); ++ } else { ++ fprintf (stderr, _("%s: no changes\n"), Prog); ++ } ++ ++ exit (ret); ++} ++ ++static void cppwcopy (const char *file, ++ const char *in_file, ++ int (*file_lock) (void), ++ int (*file_unlock) (void)) ++{ ++ struct stat st1; ++ FILE *f; ++ char filenew[1024]; ++ ++ snprintf (filenew, sizeof filenew, "%s.new", file); ++ unlock = file_unlock; ++ filename = file; ++ filenewname = filenew; ++ ++ if (access (file, F_OK) != 0) { ++ cppwexit (file, 1, 1); ++ } ++ if (file_lock () == 0) { ++ cppwexit (_("Couldn't lock file"), 0, 5); ++ } ++ filelocked = true; ++ ++ /* file to copy has same owners, perm */ ++ if (stat (file, &st1) != 0) { ++ cppwexit (file, 1, 1); ++ } ++ f = fopen (in_file, "r"); ++ if (NULL == f) { ++ cppwexit (in_file, 1, 1); ++ } ++ if (create_copy (f, filenew, &st1) != 0) { ++ cppwexit (_("Couldn't make copy"), errno, 1); ++ } ++ ++ /* XXX - here we should check filenew for errors; if there are any, ++ * fail w/ an appropriate error code and let the user manually fix ++ * it. Use pwck or grpck to do the check. - Stephen (Shamelessly ++ * stolen from '--marekm's comment) */ ++ ++ if (rename (filenew, file) != 0) { ++ fprintf (stderr, _("%s: can't copy %s: %s)\n"), ++ Prog, filenew, strerror (errno)); ++ cppwexit (NULL,0,1); ++ } ++ ++ (*file_unlock) (); ++} ++ ++int main (int argc, char **argv) ++{ ++ int flag; ++ bool cpshadow = false; ++ char *in_file; ++ int e = E_USAGE; ++ bool do_cppw = true; ++ ++ (void) setlocale (LC_ALL, ""); ++ (void) bindtextdomain (PACKAGE, LOCALEDIR); ++ (void) textdomain (PACKAGE); ++ ++ Prog = Basename (argv[0]); ++ if (strcmp (Prog, "cpgr") == 0) { ++ do_cppw = false; ++ } ++ ++ while ((flag = getopt (argc, argv, "ghps")) != EOF) { ++ switch (flag) { ++ case 'p': ++ do_cppw = true; ++ break; ++ case 'g': ++ do_cppw = false; ++ break; ++ case 's': ++ cpshadow = true; ++ break; ++ case 'h': ++ e = E_SUCCESS; ++ /*pass through*/ ++ default: ++ (void) fputs (_("Usage:\n\ ++`cppw ' copys over /etc/passwd `cppw -s ' copys over /etc/shadow\n\ ++`cpgr ' copys over /etc/group `cpgr -s ' copys over /etc/gshadow\n\ ++"), (E_SUCCESS != e) ? stderr : stdout); ++ exit (e); ++ } ++ } ++ ++ if (argc != optind + 1) { ++ cppwexit (_("wrong number of arguments, -h for usage"),0,1); ++ } ++ ++ in_file = argv[optind]; ++ ++ if (do_cppw) { ++ if (cpshadow) { ++ cppwcopy (SHADOW_FILE, in_file, spw_lock, spw_unlock); ++ } else { ++ cppwcopy (PASSWD_FILE, in_file, pw_lock, pw_unlock); ++ } ++ } else { ++#ifdef SHADOWGRP ++ if (cpshadow) { ++ cppwcopy (SGROUP_FILE, in_file, sgr_lock, sgr_unlock); ++ } else ++#endif /* SHADOWGRP */ ++ { ++ cppwcopy (GROUP_FILE, in_file, gr_lock, gr_unlock); ++ } ++ } ++ ++ return 0; ++} ++ +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -34,6 +34,7 @@ + bin_PROGRAMS += su + endif + usbin_PROGRAMS = \ ++ cppw \ + chgpasswd \ + chpasswd \ + groupadd \ +@@ -102,6 +103,7 @@ + chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF) + chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF) + chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF) ++cppw_LDADD = $(LDADD) $(LIBSELINUX) $(LIBAUDIT) + expiry_LDADD = $(LDADD) $(LIBECONF) + gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF) + groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) -ldl +--- a/po/POTFILES.in ++++ b/po/POTFILES.in +@@ -91,6 +91,7 @@ + src/chgpasswd.c + src/chpasswd.c + src/chsh.c ++src/cppw.c + src/expiry.c + src/faillog.c + src/gpasswd.c diff --git a/debian/patches/402_cppw_selinux b/debian/patches/402_cppw_selinux new file mode 100644 index 0000000..5f2da1b --- /dev/null +++ b/debian/patches/402_cppw_selinux @@ -0,0 +1,64 @@ +Goal: Add selinux support to cppw + +Fix: + +Status wrt upstream: cppw is not available upstream. + The patch was made based on the + 302_vim_selinux_support patch. It needs to be + reviewed by an SE-Linux aware person. + +Depends on 401_cppw_src.dpatch + +Index: git/src/cppw.c +=================================================================== +--- git.orig/src/cppw.c ++++ git/src/cppw.c +@@ -34,6 +34,9 @@ + #include + #include + #include ++#ifdef WITH_SELINUX ++#include ++#endif /* WITH_SELINUX */ + #include "exitcodes.h" + #include "prototypes.h" + #include "pwio.h" +@@ -139,6 +142,22 @@ + if (access (file, F_OK) != 0) { + cppwexit (file, 1, 1); + } ++#ifdef WITH_SELINUX ++ /* if SE Linux is enabled then set the context of all new files ++ * to be the context of the file we are editing */ ++ if (is_selinux_enabled () > 0) { ++ security_context_t passwd_context=NULL; ++ int ret = 0; ++ if (getfilecon (file, &passwd_context) < 0) { ++ cppwexit (_("Couldn't get file context"), errno, 1); ++ } ++ ret = setfscreatecon (passwd_context); ++ freecon (passwd_context); ++ if (0 != ret) { ++ cppwexit (_("setfscreatecon () failed"), errno, 1); ++ } ++ } ++#endif /* WITH_SELINUX */ + if (file_lock () == 0) { + cppwexit (_("Couldn't lock file"), 0, 5); + } +@@ -167,6 +186,15 @@ + cppwexit (NULL,0,1); + } + ++#ifdef WITH_SELINUX ++ /* unset the fscreatecon */ ++ if (is_selinux_enabled () > 0) { ++ if (setfscreatecon (NULL)) { ++ cppwexit (_("setfscreatecon() failed"), errno, 1); ++ } ++ } ++#endif /* WITH_SELINUX */ ++ + (*file_unlock) (); + } + diff --git a/debian/patches/429_login_FAILLOG_ENAB b/debian/patches/429_login_FAILLOG_ENAB new file mode 100644 index 0000000..d8e6034 --- /dev/null +++ b/debian/patches/429_login_FAILLOG_ENAB @@ -0,0 +1,84 @@ +Goal: Re-enable logging and displaying failures on login when login is + compiled with PAM and when FAILLOG_ENAB is set to yes. And create the + faillog file if it does not exist on postinst (as on Woody). +Depends: 008_login_more_LOG_UNKFAIL_ENAB +Fixes: #192849 + +Note: It could be removed if pam_tally could report the number of failures + preceding a successful login. + +--- a/src/login.c ++++ b/src/login.c +@@ -114,9 +114,9 @@ + #endif + ); + +-#ifndef USE_PAM + static struct faillog faillog; + ++#ifndef USE_PAM + static void bad_time_notify (void); + static void check_nologin (bool login_to_root); + #else +@@ -787,6 +787,9 @@ + SYSLOG ((LOG_NOTICE, + "TOO MANY LOGIN TRIES (%u)%s FOR '%s'", + failcount, fromhost, failent_user)); ++ if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) { ++ failure (pwd->pw_uid, tty, &faillog); ++ } + fprintf (stderr, + _("Maximum number of tries exceeded (%u)\n"), + failcount); +@@ -804,6 +807,14 @@ + pam_strerror (pamh, retcode))); + failed = true; + } ++ if ( (NULL != pwd) ++ && getdef_bool("FAILLOG_ENAB") ++ && ! failcheck (pwd->pw_uid, &faillog, failed)) { ++ SYSLOG((LOG_CRIT, ++ "exceeded failure limit for `%s' %s", ++ failent_user, fromhost)); ++ failed = 1; ++ } + + if (!failed) { + break; +@@ -827,6 +838,10 @@ + (void) puts (""); + (void) puts (_("Login incorrect")); + ++ if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) { ++ failure (pwd->pw_uid, tty, &faillog); ++ } ++ + if (getdef_str("FTMP_FILE") != NULL) { + #ifdef USE_UTMPX + struct utmpx *failent = +@@ -1295,6 +1310,7 @@ + */ + #ifndef USE_PAM + motd (); /* print the message of the day */ ++#endif + if ( getdef_bool ("FAILLOG_ENAB") + && (0 != faillog.fail_cnt)) { + failprint (&faillog); +@@ -1307,6 +1323,7 @@ + username, (int) faillog.fail_cnt)); + } + } ++#ifndef USE_PAM + if ( getdef_bool ("LASTLOG_ENAB") + && pwd->pw_uid <= (uid_t) getdef_ulong ("LASTLOG_UID_MAX", 0xFFFFFFFFUL) + && (ll.ll_time != 0)) { +--- a/lib/getdef.c ++++ b/lib/getdef.c +@@ -78,6 +78,7 @@ + {"ENV_SUPATH", NULL}, + {"ERASECHAR", NULL}, + {"FAIL_DELAY", NULL}, ++ {"FAILLOG_ENAB", NULL}, + {"FAKE_SHELL", NULL}, + {"FTMP_FILE", NULL}, + {"GID_MAX", NULL}, diff --git a/debian/patches/463_login_delay_obeys_to_PAM b/debian/patches/463_login_delay_obeys_to_PAM new file mode 100644 index 0000000..ab32c2a --- /dev/null +++ b/debian/patches/463_login_delay_obeys_to_PAM @@ -0,0 +1,97 @@ +Goal: Do not hardcode pam_fail_delay and let pam_unix do its + job to set a delay...or not + +Fixes: #87648 + +Status wrt upstream: Forwarded but not applied yet + +Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs + +--- a/src/login.c ++++ b/src/login.c +@@ -512,7 +512,6 @@ + #if !defined(USE_PAM) + char ptime[80]; + #endif +- unsigned int delay; + unsigned int retries; + bool subroot = false; + #ifndef USE_PAM +@@ -537,6 +536,7 @@ + pid_t child; + char *pam_user = NULL; + #else ++ unsigned int delay; + struct spwd *spwd = NULL; + #endif + /* +@@ -701,7 +701,6 @@ + } + + environ = newenvp; /* make new environment active */ +- delay = getdef_unum ("FAIL_DELAY", 1); + retries = getdef_unum ("LOGIN_RETRIES", RETRIES); + + #ifdef USE_PAM +@@ -717,8 +716,7 @@ + + /* + * hostname & tty are either set to NULL or their correct values, +- * depending on how much we know. We also set PAM's fail delay to +- * ours. ++ * depending on how much we know. + * + * PAM_RHOST and PAM_TTY are used for authentication, only use + * information coming from login or from the caller (e.g. no utmp) +@@ -727,10 +725,6 @@ + PAM_FAIL_CHECK; + retcode = pam_set_item (pamh, PAM_TTY, tty); + PAM_FAIL_CHECK; +-#ifdef HAS_PAM_FAIL_DELAY +- retcode = pam_fail_delay (pamh, 1000000 * delay); +- PAM_FAIL_CHECK; +-#endif + /* if fflg, then the user has already been authenticated */ + if (!fflg) { + unsigned int failcount = 0; +@@ -771,12 +765,6 @@ + bool failed = false; + + failcount++; +-#ifdef HAS_PAM_FAIL_DELAY +- if (delay > 0) { +- retcode = pam_fail_delay(pamh, 1000000*delay); +- PAM_FAIL_CHECK; +- } +-#endif + + retcode = pam_authenticate (pamh, 0); + +@@ -1110,14 +1098,17 @@ + free (username); + username = NULL; + ++#ifndef USE_PAM + /* + * Wait a while (a la SVR4 /usr/bin/login) before attempting + * to login the user again. If the earlier alarm occurs + * before the sleep() below completes, login will exit. + */ ++ delay = getdef_unum ("FAIL_DELAY", 1); + if (delay > 0) { + (void) sleep (delay); + } ++#endif + + (void) puts (_("Login incorrect")); + +--- a/lib/getdef.c ++++ b/lib/getdef.c +@@ -77,7 +77,6 @@ + {"ENV_PATH", NULL}, + {"ENV_SUPATH", NULL}, + {"ERASECHAR", NULL}, +- {"FAIL_DELAY", NULL}, + {"FAILLOG_ENAB", NULL}, + {"FAKE_SHELL", NULL}, + {"FTMP_FILE", NULL}, diff --git a/debian/patches/501_commonio_group_shadow b/debian/patches/501_commonio_group_shadow new file mode 100644 index 0000000..cfdf10c --- /dev/null +++ b/debian/patches/501_commonio_group_shadow @@ -0,0 +1,60 @@ +Goal: save the [g]shadow files with the 'shadow' group and mode 0440 + +Fixes: #166793 + +--- a/lib/commonio.c ++++ b/lib/commonio.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include "nscd.h" + #include "sssd.h" + #ifdef WITH_TCB +@@ -970,12 +971,23 @@ + goto fail; + } + } else { ++ struct group *grp; + /* + * Default permissions for new [g]shadow files. + */ + sb.st_mode = db->st_mode; + sb.st_uid = db->st_uid; + sb.st_gid = db->st_gid; ++ ++ /* ++ * Try to retrieve the shadow's GID, and fall back to GID 0. ++ */ ++ if (sb.st_gid == 0) { ++ if ((grp = getgrnam("shadow")) != NULL) ++ sb.st_gid = grp->gr_gid; ++ else ++ sb.st_gid = 0; ++ } + } + + snprintf (buf, sizeof buf, "%s+", db->filename); +--- a/lib/sgroupio.c ++++ b/lib/sgroupio.c +@@ -206,7 +206,7 @@ + #ifdef WITH_SELINUX + NULL, /* scontext */ + #endif +- 0400, /* st_mode */ ++ 0440, /* st_mode */ + 0, /* st_uid */ + 0, /* st_gid */ + NULL, /* head */ +--- a/lib/shadowio.c ++++ b/lib/shadowio.c +@@ -84,7 +84,7 @@ + #ifdef WITH_SELINUX + NULL, /* scontext */ + #endif /* WITH_SELINUX */ +- 0400, /* st_mode */ ++ 0440, /* st_mode */ + 0, /* st_uid */ + 0, /* st_gid */ + NULL, /* head */ diff --git a/debian/patches/502_debian_useradd_defaults b/debian/patches/502_debian_useradd_defaults new file mode 100644 index 0000000..6317ed6 --- /dev/null +++ b/debian/patches/502_debian_useradd_defaults @@ -0,0 +1,41 @@ +From: Balint Reczey +Description: Keep using Debian's adduser defaults + Upstream's bbf4b79bc49fd1826eb41f6629669ef0b647267b commit + in 4.9 merged those values from upstream's default configuration file + which is not shipped in Debian. + This patch keeps the program's compiled in defaults in sync with the + configuration files shipped in Debian (debian/default/useradd). +Bug: https://github.com/shadow-maint/shadow/issues/501 +Bug-Debian: https://bugs.debian.org/1004710 +Forwarded: not-needed + +--- a/src/useradd.c ++++ b/src/useradd.c +@@ -79,12 +79,12 @@ + /* + * These defaults are used if there is no defaults file. + */ +-static gid_t def_group = 1000; ++static gid_t def_group = 100; + static const char *def_gname = "other"; + static const char *def_home = "/home"; + static const char *def_shell = "/bin/bash"; + static const char *def_template = SKEL_DIR; +-static const char *def_create_mail_spool = "yes"; ++static const char *def_create_mail_spool = "no"; + static const char *def_log_init = "yes"; + + static long def_inactive = -1; +diff --git a/man/useradd.8.xml b/man/useradd.8.xml +index af02a23f..c7f95b47 100644 +--- a/man/useradd.8.xml ++++ b/man/useradd.8.xml +@@ -248,7 +248,7 @@ + command line), useradd will set the primary group of the new + user to the value specified by the + variable in /etc/default/useradd, or +- 1000 by default. ++ 100 by default. + + + diff --git a/debian/patches/503_shadowconfig.8 b/debian/patches/503_shadowconfig.8 new file mode 100644 index 0000000..0f0d339 --- /dev/null +++ b/debian/patches/503_shadowconfig.8 @@ -0,0 +1,201 @@ +Goal: Document the shadowconfig utility + +Status wrt upstream: The shadowconfig utility is debian specific. + Its man page also (but it used to be distributed) + +Index: git/man/shadowconfig.8 +=================================================================== +--- /dev/null ++++ git/man/shadowconfig.8 +@@ -0,0 +1,41 @@ ++.\"Generated by db2man.xsl. Don't modify this, modify the source. ++.de Sh \" Subsection ++.br ++.if t .Sp ++.ne 5 ++.PP ++\fB\\$1\fR ++.PP ++.. ++.de Sp \" Vertical space (when we can't use .PP) ++.if t .sp .5v ++.if n .sp ++.. ++.de Ip \" List item ++.br ++.ie \\n(.$>=3 .ne \\$3 ++.el .ne 3 ++.IP "\\$1" \\$2 ++.. ++.TH "SHADOWCONFIG" 8 "19 Apr 1997" "" "" ++.SH NAME ++shadowconfig \- toggle shadow passwords on and off ++.SH "SYNOPSIS" ++.ad l ++.hy 0 ++.HP 13 ++\fBshadowconfig\fR \fB\fIon\fR\fR | \fB\fIoff\fR\fR ++.ad ++.hy ++ ++.SH "DESCRIPTION" ++ ++.PP ++\fBshadowconfig\fR on will turn shadow passwords on; \fIshadowconfig off\fR will turn shadow passwords off\&. \fBshadowconfig\fR will print an error message and exit with a nonzero code if it finds anything awry\&. If that happens, you should correct the error and run it again\&. Turning shadow passwords on when they are already on, or off when they are already off, is harmless\&. ++ ++.PP ++Read \fI/usr/share/doc/passwd/README\&.Debian\fR for a brief introduction to shadow passwords and related features\&. ++ ++.PP ++Note that turning shadow passwords off and on again will lose all password aging information\&. ++ +Index: git/man/shadowconfig.8.xml +=================================================================== +--- /dev/null ++++ git/man/shadowconfig.8.xml +@@ -0,0 +1,52 @@ ++ ++ ++ ++ ++ ++ 19 Apr 1997 ++ ++ ++ shadowconfig ++ 8 ++ 19 Apr 1997 ++ Debian GNU/Linux ++ ++ ++ shadowconfig ++ toggle shadow passwords on and off ++ ++ ++ ++ ++ shadowconfig ++ ++ on ++ off ++ ++ ++ ++ ++ ++ DESCRIPTION ++ shadowconfig on will turn shadow passwords on; ++ shadowconfig off will turn shadow ++ passwords off. shadowconfig will print an error ++ message and exit with a nonzero code if it finds anything awry. If ++ that happens, you should correct the error and run it again. Turning ++ shadow passwords on when they are already on, or off when they are ++ already off, is harmless. ++ ++ ++ ++ Read /usr/share/doc/passwd/README.Debian for a ++ brief introduction ++ to shadow passwords and related features. ++ ++ ++ Note that turning shadow passwords off and on again will lose all ++ password ++ aging information. ++ ++ ++ +Index: git/man/fr/shadowconfig.8 +=================================================================== +--- /dev/null ++++ git/man/fr/shadowconfig.8 +@@ -0,0 +1,26 @@ ++.\" This file was generated with po4a. Translate the source file. ++.\" ++.\"$Id: shadowconfig.8,v 1.4 2001/08/23 23:10:48 kloczek Exp $ ++.TH SHADOWCONFIG 8 "19 avril 1997" "Debian GNU/Linux" ++.SH NOM ++shadowconfig \- active ou désactive les mots de passe cachés ++.SH SYNOPSIS ++\fBshadowconfig\fP \fIon\fP | \fIoff\fP ++.SH DESCRIPTION ++.PP ++\fBshadowconfig on\fP active les mots de passe cachés («\ shadow passwords\ »)\ ; \fBshadowconfig off\fP les désactive. \fBShadowconfig\fP affiche un message ++d'erreur et quitte avec une valeur de retour non nulle s'il rencontre ++quelque chose d'inattendu. Dans ce cas, vous devrez corriger l'erreur avant ++de recommencer. ++ ++Activer les mots de passe cachés lorsqu'ils sont déjà activés, ou les ++désactiver lorsqu'ils ne sont pas actifs est sans effet. ++ ++Lisez \fI/usr/share/doc/passwd/README.Debian\fP pour une brève introduction aux ++mots de passe cachés et à leurs fonctionnalités. ++ ++Notez que désactiver puis réactiver les mots de passe cachés aura pour ++conséquence la perte des informations d'âge sur les mots de passe. ++.SH TRADUCTION ++Nicolas FRANÇOIS, 2004. ++Veuillez signaler toute erreur à <\fIdebian\-l10\-french@lists.debian.org\fR>. +Index: git/man/ja/shadowconfig.8 +=================================================================== +--- /dev/null ++++ git/man/ja/shadowconfig.8 +@@ -0,0 +1,25 @@ ++.\" all right reserved, ++.\" Translated Tue Oct 30 11:59:11 JST 2001 ++.\" by Maki KURODA ++.\" ++.TH SHADOWCONFIG 8 "19 Apr 1997" "Debian GNU/Linux" ++.SH 名前 ++shadowconfig \- shadow パスワードの設定をオン及びオフに切替える ++.SH 書式 ++.B "shadowconfig" ++.IR on " | " off ++.SH 説明 ++.PP ++.B shadowconfig on ++は shadow パスワードを有効にする。 ++.B shadowconfig off ++は shadow パスワードを無効にする。 ++.B shadowconfig ++は何らかの間違いがあると、エラーメッセージを表示し、 ++ゼロではない返り値を返す。 ++もしそのようなことが起こった場合、エラーを修正し、再度実行しなければならない。 ++shadow パスワードの設定がすでにオンの場合にオンに設定したり、 ++すでにオフの場合にオフに設定しても、何の影響もない。 ++ ++.I /usr/share/doc/passwd/README.debian.gz ++には shadow パスワードとそれに関する特徴の簡単な紹介が書かれている。 +Index: git/man/pl/shadowconfig.8 +=================================================================== +--- /dev/null ++++ git/man/pl/shadowconfig.8 +@@ -0,0 +1,27 @@ ++.\" $Id: shadowconfig.8,v 1.3 2001/08/23 23:10:51 kloczek Exp $ ++.\" {PTM/WK/1999-09-14} ++.TH SHADOWCONFIG 8 "19 kwietnia 1997" "Debian GNU/Linux" ++.SH NAZWA ++shadowconfig - przełącza ochronę haseł i grup przez pliki shadow ++.SH SKŁADNIA ++.B "shadowconfig" ++.IR on " | " off ++.SH OPIS ++.PP ++.B shadowconfig on ++włącza ochronę haseł i grup przez dodatkowe, przesłaniane pliki (shadow); ++.B shadowconfig off ++wyłącza dodatkowe pliki haseł i grup. ++.B shadowconfig ++wyświetla komunikat o błędzie i kończy pracę z niezerowym kodem jeśli ++znajdzie coś nieprawidłowego. W takim wypadku powinieneś poprawić błąd ++.\" if it finds anything awry. ++i uruchomić program ponownie. ++ ++Włączenie ochrony haseł, gdy jest ona już włączona lub jej wyłączenie, ++gdy jest wyłączona jest nieszkodliwe. ++ ++Przeczytaj ++.IR /usr/share/doc/passwd/README.debian.gz , ++gdzie znajdziesz krótkie wprowadzenie do ochrony haseł z użyciem dodatkowych ++plików haseł przesłanianych (shadow passwords) i związanych tematów. diff --git a/debian/patches/505_useradd_recommend_adduser b/debian/patches/505_useradd_recommend_adduser new file mode 100644 index 0000000..9fb3fe3 --- /dev/null +++ b/debian/patches/505_useradd_recommend_adduser @@ -0,0 +1,36 @@ +Goal: Recommend using adduser and deluser. + +Fixes: #406046 + +Status wrt upstream: Debian specific patch. + +--- a/man/useradd.8.xml ++++ b/man/useradd.8.xml +@@ -83,6 +83,12 @@ + + DESCRIPTION + ++ useradd is a low level utility for adding ++ users. On Debian, administrators should usually use ++ adduser ++ 8 instead. ++ ++ + When invoked without the option, the + useradd command creates a new user account using + the values specified on the command line plus the default values from +--- a/man/userdel.8.xml ++++ b/man/userdel.8.xml +@@ -59,6 +59,12 @@ + + DESCRIPTION + ++ userdel is a low level utility for removing ++ users. On Debian, administrators should usually use ++ deluser ++ 8 instead. ++ ++ + The userdel command modifies the system account + files, deleting all entries that refer to the user name LOGIN. The named user must exist. diff --git a/debian/patches/506_relaxed_usernames b/debian/patches/506_relaxed_usernames new file mode 100644 index 0000000..0e066d9 --- /dev/null +++ b/debian/patches/506_relaxed_usernames @@ -0,0 +1,111 @@ +Goal: Relaxed usernames/groupnames checking patch. + +Status wrt upstream: Debian specific. Not to be used upstream + +Details: + Allows any non-empty user/grounames that don't contain ':', ',' or '\n' + characters and don't start with '-', '+', or '~'. This patch is more + restrictive than original Karl's version. closes: #264879 + Also closes: #377844 + + Comments from Karl Ramm (shadow 1:4.0.3-9, 20 Aug 2003 02:06:50 -0400): + + I can't come up with a good justification as to why characters other + than ':'s and '\0's should be disallowed in group and usernames (other + than '-' as the leading character). Thus, the maintenance tools don't + anymore. closes: #79682, #166798, #171179 + +--- a/libmisc/chkname.c ++++ b/libmisc/chkname.c +@@ -32,44 +32,26 @@ + } + + /* +- * User/group names must match gnu e-regex: +- * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]? +- * +- * as a non-POSIX, extension, allow "$" as the last char for +- * sake of Samba 3.x "add machine script" +- * +- * Also do not allow fully numeric names or just "." or "..". +- */ +- int numeric; +- +- if ('\0' == *name || +- ('.' == *name && (('.' == name[1] && '\0' == name[2]) || +- '\0' == name[1])) || +- !((*name >= 'a' && *name <= 'z') || +- (*name >= 'A' && *name <= 'Z') || +- (*name >= '0' && *name <= '9') || +- *name == '_' || +- *name == '.')) { ++ * POSIX indicate that usernames are composed of characters from the ++ * portable filename character set [A-Za-z0-9._-], and that the hyphen ++ * should not be used as the first character of a portable user name. ++ * ++ * Allow more relaxed user/group names in Debian -- ^[^-~+:,\s][^:,\s]*$ ++ */ ++ if ( ('\0' == *name) ++ || ('-' == *name) ++ || ('~' == *name) ++ || ('+' == *name)) { + return false; + } +- +- numeric = isdigit(*name); +- +- while ('\0' != *++name) { +- if (!((*name >= 'a' && *name <= 'z') || +- (*name >= 'A' && *name <= 'Z') || +- (*name >= '0' && *name <= '9') || +- *name == '_' || +- *name == '.' || +- *name == '-' || +- (*name == '$' && name[1] == '\0') +- )) { ++ do { ++ if ((':' == *name) || (',' == *name) || isspace(*name)) { + return false; + } +- numeric &= isdigit(*name); +- } ++ name++; ++ } while ('\0' != *name); + +- return !numeric; ++ return true; + } + + bool is_valid_user_name (const char *name) +--- a/man/useradd.8.xml ++++ b/man/useradd.8.xml +@@ -708,6 +708,14 @@ + the ls output. + + ++ On Debian, the only constraints are that usernames must neither start ++ with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a ++ colon (':'), a comma (','), or a whitespace (space: ' ', ++ end of line: '\n', tabulation: '\t', etc.). Note that using a slash ++ ('/') may break the default algorithm for the definition of the ++ user's home directory. ++ ++ + Usernames may only be up to 32 characters long. + + +--- a/man/groupadd.8.xml ++++ b/man/groupadd.8.xml +@@ -72,6 +72,12 @@ + also disallowed. + + ++ On Debian, the only constraints are that groupnames must neither start ++ with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a ++ colon (':'), a comma (','), or a whitespace (space:' ', ++ end of line: '\n', tabulation: '\t', etc.). ++ ++ + Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long. + + diff --git a/debian/patches/542_useradd-O_option b/debian/patches/542_useradd-O_option new file mode 100644 index 0000000..3745826 --- /dev/null +++ b/debian/patches/542_useradd-O_option @@ -0,0 +1,40 @@ +Goal: accepts the -O flag for backward compatibility. (was used by adduser?) + +Note: useradd.8 needs to be regenerated. + +Status wrt upstream: not included as this is just specific + backward compatibility for Debian + +--- a/man/useradd.8.xml ++++ b/man/useradd.8.xml +@@ -326,6 +326,11 @@ + =100   + UID_MAX=499 + ++ ++ For the compatibility with previous Debian's ++ useradd, the option is ++ also supported. ++ +