shadow: add new recipe 4.1.4.2
(borrow from OpenEmbedded with below tweaks) Enhance login_defs_pam.sed according to shadow source, to ensure we don't leave any unknown definitions in /etc/login.defs when pam is enabled no need for --disable-account-tools-setuid which is detected upon pam automatically, and no specific CFLAGS append move shadow site options to generic site files adjust indention RDEPENDS on a list of pam-plugins since they're separately packaged test with both pam enabled and pam disabled. when pam is enabled, tried some same tweak with desired effect. Signed-off-by: Kevin Tian <kevin.tian@intel.com>
parent
44d7c5678f
commit
f6535ea12a
|
@ -0,0 +1,32 @@
|
|||
/^FAILLOG_ENAB/b comment
|
||||
/^LASTLOG_ENAB/b comment
|
||||
/^MAIL_CHECK_ENAB/b comment
|
||||
/^OBSCURE_CHECKS_ENAB/b comment
|
||||
/^PORTTIME_CHECKS_ENAB/b comment
|
||||
/^QUOTAS_ENAB/b comment
|
||||
/^MOTD_FILE/b comment
|
||||
/^FTMP_FILE/b comment
|
||||
/^NOLOGINS_FILE/b comment
|
||||
/^ENV_HZ/b comment
|
||||
/^ENV_TZ/b comment
|
||||
/^PASS_MIN_LEN/b comment
|
||||
/^SU_WHEEL_ONLY/b comment
|
||||
/^CRACKLIB_DICTPATH/b comment
|
||||
/^PASS_CHANGE_TRIES/b comment
|
||||
/^PASS_ALWAYS_WARN/b comment
|
||||
/^PASS_MAX_LEN/b comment
|
||||
/^PASS_MIN_LEN/b comment
|
||||
/^CHFN_AUTH/b comment
|
||||
/^CHSH_AUTH/b comment
|
||||
/^ISSUE_FILE/b comment
|
||||
/^LOGIN_STRING/b comment
|
||||
/^ULIMIT/b comment
|
||||
/^ENVIRON_FILE/b comment
|
||||
|
||||
b exit
|
||||
|
||||
: comment
|
||||
s:^:#:
|
||||
|
||||
: exit
|
||||
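Review bot: `/^PASS_MIN_LEN/b comment` is listed twice in this script; the second occurrence can never match a line the first did not, so either drop it or replace it with the key that was meant to be there, after checking the list against the shadow source the commit message refers to. The addresses are also prefix matches, so `/^ULIMIT/` or `/^ENV_TZ/` would comment out any longer key that starts the same way; ending each with a separator, e.g. `/^ULIMIT[[:space:]]/b comment`, keeps the script to exact keys. A one-line header such as `# Comment out login.defs keys that shadow ignores when built with PAM` would tell the next maintainer why these keys are listed.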
|
|
@ -0,0 +1,14 @@
|
|||
#
|
||||
# The PAM configuration file for the Shadow `chfn' service
|
||||
#
|
||||
|
||||
# This allows root to change user infomation without being
|
||||
# prompted for a password
|
||||
auth sufficient pam_rootok.so
|
||||
|
||||
# The standard Unix authentication modules, used with
|
||||
# NIS (man nsswitch) as well as normal /etc/passwd and
|
||||
# /etc/shadow entries.
|
||||
auth include common-auth
|
||||
account include common-account
|
||||
session include common-session
|
|
@ -0,0 +1,4 @@
|
|||
# The PAM configuration file for the Shadow 'chpasswd' service
|
||||
#
|
||||
|
||||
password include common-password
|
|
@ -0,0 +1,19 @@
|
|||
#
|
||||
# The PAM configuration file for the Shadow `chsh' service
|
||||
#
|
||||
|
||||
# This will not allow a user to change their shell unless
|
||||
# their current one is listed in /etc/shells. This keeps
|
||||
# accounts with special shells from changing them.
|
||||
auth required pam_shells.so
|
||||
|
||||
# This allows root to change user shell without being
|
||||
# prompted for a password
|
||||
auth sufficient pam_rootok.so
|
||||
|
||||
# The standard Unix authentication modules, used with
|
||||
# NIS (man nsswitch) as well as normal /etc/passwd and
|
||||
# /etc/shadow entries.
|
||||
auth include common-auth
|
||||
account include common-account
|
||||
session include common-session
|
|
@ -0,0 +1,91 @@
|
|||
#
|
||||
# The PAM configuration file for the Shadow `login' service
|
||||
#
|
||||
|
||||
# Enforce a minimal delay in case of failure (in microseconds).
|
||||
# (Replaces the `FAIL_DELAY' setting from login.defs)
|
||||
# Note that other modules may require another minimal delay. (for example,
|
||||
# to disable any delay, you should add the nodelay option to pam_unix)
|
||||
auth optional pam_faildelay.so delay=3000000
|
||||
|
||||
# Outputs an issue file prior to each login prompt (Replaces the
|
||||
# ISSUE_FILE option from login.defs). Uncomment for use
|
||||
# auth required pam_issue.so issue=/etc/issue
|
||||
|
||||
# Disallows root logins except on tty's listed in /etc/securetty
|
||||
# (Replaces the `CONSOLE' setting from login.defs)
|
||||
# Note that it is included as a "requisite" module. No password prompts will
|
||||
# be displayed if this module fails to avoid having the root password
|
||||
# transmitted on unsecure ttys.
|
||||
# You can change it to a "required" module if you think it permits to
|
||||
# guess valid user names of your system (invalid user names are considered
|
||||
# as possibly being root).
|
||||
auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so
|
||||
|
||||
# Disallows other than root logins when /etc/nologin exists
|
||||
# (Replaces the `NOLOGINS_FILE' option from login.defs)
|
||||
auth requisite pam_nologin.so
|
||||
|
||||
# SELinux needs to be the first session rule. This ensures that any
|
||||
# lingering context has been cleared. Without out this it is possible
|
||||
# that a module could execute code in the wrong domain.
|
||||
# When the module is present, "required" would be sufficient (When SELinux
|
||||
# is disabled, this returns success.)
|
||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
||||
|
||||
# This module parses environment configuration file(s)
|
||||
# and also allows you to use an extended config
|
||||
# file /etc/security/pam_env.conf.
|
||||
#
|
||||
# parsing /etc/environment needs "readenv=1"
|
||||
session required pam_env.so readenv=1
|
||||
# locale variables are also kept into /etc/default/locale in etch
|
||||
# reading this file *in addition to /etc/environment* does not hurt
|
||||
session required pam_env.so readenv=1 envfile=/etc/default/locale
|
||||
|
||||
# Standard Un*x authentication.
|
||||
auth include common-auth
|
||||
|
||||
# This allows certain extra groups to be granted to a user
|
||||
# based on things like time of day, tty, service, and user.
|
||||
# Please edit /etc/security/group.conf to fit your needs
|
||||
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
|
||||
auth optional pam_group.so
|
||||
|
||||
# Uncomment and edit /etc/security/time.conf if you need to set
|
||||
# time restrainst on logins.
|
||||
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
|
||||
# as well as /etc/porttime)
|
||||
# account requisite pam_time.so
|
||||
|
||||
# Uncomment and edit /etc/security/access.conf if you need to
|
||||
# set access limits.
|
||||
# (Replaces /etc/login.access file)
|
||||
# account required pam_access.so
|
||||
|
||||
# Sets up user limits according to /etc/security/limits.conf
|
||||
# (Replaces the use of /etc/limits in old login)
|
||||
session required pam_limits.so
|
||||
|
||||
# Prints the last login info upon succesful login
|
||||
# (Replaces the `LASTLOG_ENAB' option from login.defs)
|
||||
session optional pam_lastlog.so
|
||||
|
||||
# Prints the motd upon succesful login
|
||||
# (Replaces the `MOTD_FILE' option in login.defs)
|
||||
session optional pam_motd.so
|
||||
|
||||
# Prints the status of the user's mailbox upon succesful login
|
||||
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
|
||||
#
|
||||
# This also defines the MAIL environment variable
|
||||
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
|
||||
# in /etc/login.defs to make sure that removing a user
|
||||
# also removes the user's mail spool file.
|
||||
# See comments in /etc/login.defs
|
||||
session optional pam_mail.so standard
|
||||
|
||||
# Standard Un*x account and session
|
||||
account include common-account
|
||||
password include common-password
|
||||
session include common-session
|
|
@ -0,0 +1,4 @@
|
|||
# The PAM configuration file for the Shadow 'newusers' service
|
||||
#
|
||||
|
||||
password include common-password
|
|
@ -0,0 +1,5 @@
|
|||
#
|
||||
# The PAM configuration file for the Shadow `passwd' service
|
||||
#
|
||||
|
||||
password include common-password
|
|
@ -0,0 +1,60 @@
|
|||
#
|
||||
# The PAM configuration file for the Shadow `su' service
|
||||
#
|
||||
|
||||
# This allows root to su without passwords (normal operation)
|
||||
auth sufficient pam_rootok.so
|
||||
|
||||
# Uncomment this to force users to be a member of group root
|
||||
# before they can use `su'. You can also add "group=foo"
|
||||
# to the end of this line if you want to use a group other
|
||||
# than the default "root" (but this may have side effect of
|
||||
# denying "root" user, unless she's a member of "foo" or explicitly
|
||||
# permitted earlier by e.g. "sufficient pam_rootok.so").
|
||||
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
|
||||
# auth required pam_wheel.so
|
||||
|
||||
# Uncomment this if you want wheel members to be able to
|
||||
# su without a password.
|
||||
# auth sufficient pam_wheel.so trust
|
||||
|
||||
# Uncomment this if you want members of a specific group to not
|
||||
# be allowed to use su at all.
|
||||
# auth required pam_wheel.so deny group=nosu
|
||||
|
||||
# Uncomment and edit /etc/security/time.conf if you need to set
|
||||
# time restrainst on su usage.
|
||||
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
|
||||
# as well as /etc/porttime)
|
||||
# account requisite pam_time.so
|
||||
|
||||
# This module parses environment configuration file(s)
|
||||
# and also allows you to use an extended config
|
||||
# file /etc/security/pam_env.conf.
|
||||
#
|
||||
# parsing /etc/environment needs "readenv=1"
|
||||
session required pam_env.so readenv=1
|
||||
# locale variables are also kept into /etc/default/locale in etch
|
||||
# reading this file *in addition to /etc/environment* does not hurt
|
||||
session required pam_env.so readenv=1 envfile=/etc/default/locale
|
||||
|
||||
# Defines the MAIL environment variable
|
||||
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
|
||||
# in /etc/login.defs to make sure that removing a user
|
||||
# also removes the user's mail spool file.
|
||||
# See comments in /etc/login.defs
|
||||
#
|
||||
# "nopen" stands to avoid reporting new mail when su'ing to another user
|
||||
session optional pam_mail.so nopen
|
||||
|
||||
# Sets up user limits, please uncomment and read /etc/security/limits.conf
|
||||
# to enable this functionality.
|
||||
# (Replaces the use of /etc/limits in old login)
|
||||
# session required pam_limits.so
|
||||
|
||||
# The standard Unix authentication modules, used with
|
||||
# NIS (man nsswitch) as well as normal /etc/passwd and
|
||||
# /etc/shadow entries.
|
||||
auth include common-auth
|
||||
account include common-account
|
||||
session include common-session
|
|
@ -0,0 +1,206 @@
|
|||
# /etc/securetty: list of terminals on which root is allowed to login.
|
||||
# See securetty(5) and login(1).
|
||||
console
|
||||
|
||||
# Standard serial ports
|
||||
ttyS0
|
||||
ttyS1
|
||||
ttyS2
|
||||
ttyS3
|
||||
|
||||
# Samsung ARM SoCs
|
||||
ttySAC0
|
||||
ttySAC1
|
||||
ttySAC2
|
||||
ttySAC3
|
||||
|
||||
# TI OMAP SoCs
|
||||
ttyO0
|
||||
ttyO1
|
||||
ttyO2
|
||||
ttyO3
|
||||
|
||||
# USB dongles
|
||||
ttyUSB0
|
||||
ttyUSB1
|
||||
ttyUSB2
|
||||
|
||||
# PowerMac
|
||||
ttyPZ0
|
||||
ttyPZ1
|
||||
ttyPZ2
|
||||
ttyPZ3
|
||||
|
||||
# Embedded MPC platforms
|
||||
ttyPSC0
|
||||
ttyPSC1
|
||||
ttyPSC2
|
||||
ttyPSC3
|
||||
ttyPSC4
|
||||
ttyPSC5
|
||||
|
||||
# PA-RISC mux ports
|
||||
ttyB0
|
||||
ttyB1
|
||||
|
||||
# Standard hypervisor virtual console
|
||||
hvc0
|
||||
|
||||
# Oldstyle Xen console
|
||||
xvc0
|
||||
|
||||
# Standard consoles
|
||||
tty1
|
||||
tty2
|
||||
tty3
|
||||
tty4
|
||||
tty5
|
||||
tty6
|
||||
tty7
|
||||
tty8
|
||||
tty9
|
||||
tty10
|
||||
tty11
|
||||
tty12
|
||||
tty13
|
||||
tty14
|
||||
tty15
|
||||
tty16
|
||||
tty17
|
||||
tty18
|
||||
tty19
|
||||
tty20
|
||||
tty21
|
||||
tty22
|
||||
tty23
|
||||
tty24
|
||||
tty25
|
||||
tty26
|
||||
tty27
|
||||
tty28
|
||||
tty29
|
||||
tty30
|
||||
tty31
|
||||
tty32
|
||||
tty33
|
||||
tty34
|
||||
tty35
|
||||
tty36
|
||||
tty37
|
||||
tty38
|
||||
tty39
|
||||
tty40
|
||||
tty41
|
||||
tty42
|
||||
tty43
|
||||
tty44
|
||||
tty45
|
||||
tty46
|
||||
tty47
|
||||
tty48
|
||||
tty49
|
||||
tty50
|
||||
tty51
|
||||
tty52
|
||||
tty53
|
||||
tty54
|
||||
tty55
|
||||
tty56
|
||||
tty57
|
||||
tty58
|
||||
tty59
|
||||
tty60
|
||||
tty61
|
||||
tty62
|
||||
tty63
|
||||
|
||||
# Local X displays (allows empty passwords with pam_unix's nullok_secure)
|
||||
:0
|
||||
:0.0
|
||||
:0.1
|
||||
:1
|
||||
:1.0
|
||||
:1.1
|
||||
:2
|
||||
:2.0
|
||||
:2.1
|
||||
:3
|
||||
:3.0
|
||||
:3.1
|
||||
|
||||
# Embedded Freescale i.MX ports
|
||||
ttymxc0
|
||||
ttymxc1
|
||||
ttymxc2
|
||||
ttymxc3
|
||||
ttymxc4
|
||||
ttymxc5
|
||||
|
||||
# Standard serial ports, with devfs
|
||||
tts/0
|
||||
tts/1
|
||||
|
||||
# Standard consoles, with devfs
|
||||
vc/1
|
||||
vc/2
|
||||
vc/3
|
||||
vc/4
|
||||
vc/5
|
||||
vc/6
|
||||
vc/7
|
||||
vc/8
|
||||
vc/9
|
||||
vc/10
|
||||
vc/11
|
||||
vc/12
|
||||
vc/13
|
||||
vc/14
|
||||
vc/15
|
||||
vc/16
|
||||
vc/17
|
||||
vc/18
|
||||
vc/19
|
||||
vc/20
|
||||
vc/21
|
||||
vc/22
|
||||
vc/23
|
||||
vc/24
|
||||
vc/25
|
||||
vc/26
|
||||
vc/27
|
||||
vc/28
|
||||
vc/29
|
||||
vc/30
|
||||
vc/31
|
||||
vc/32
|
||||
vc/33
|
||||
vc/34
|
||||
vc/35
|
||||
vc/36
|
||||
vc/37
|
||||
vc/38
|
||||
vc/39
|
||||
vc/40
|
||||
vc/41
|
||||
vc/42
|
||||
vc/43
|
||||
vc/44
|
||||
vc/45
|
||||
vc/46
|
||||
vc/47
|
||||
vc/48
|
||||
vc/49
|
||||
vc/50
|
||||
vc/51
|
||||
vc/52
|
||||
vc/53
|
||||
vc/54
|
||||
vc/55
|
||||
vc/56
|
||||
vc/57
|
||||
vc/58
|
||||
vc/59
|
||||
vc/60
|
||||
vc/61
|
||||
vc/62
|
||||
vc/63
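Review bot: The list permits root login on every tty family it names, including the hot-pluggable `ttyUSB0`–`ttyUSB2` and the X displays `:0`–`:3.1`, so the `pam_securetty.so` line in pam.d/login restricts very little on an image built from this recipe. A USB serial adapter attached to a device later is accepted for root login as soon as a getty runs on it, and the file's own comment says the X display entries allow empty passwords under pam_unix's `nullok_secure`. Since the recipe already appends the machine's `SERIAL_CONSOLE`, consider shipping only `console`, the virtual consoles the image actually uses and that appended device, and leaving the other families commented out for integrators to enable.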
|
23
meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.3-dots-in-usernames.patch
vendored
Normal file
23
meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.3-dots-in-usernames.patch
vendored
Normal file
|
@ -0,0 +1,23 @@
|
|||
# commit message copied from openembedded:
|
||||
# commit 246c80637b135f3a113d319b163422f98174ee6c
|
||||
# Author: Khem Raj <raj.khem@gmail.com>
|
||||
# Date: Wed Jun 9 13:37:03 2010 -0700
|
||||
#
|
||||
# shadow-4.1.4.2: Add patches to support dots in login id.
|
||||
#
|
||||
# Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
||||
#
|
||||
# comment added by Kevin Tian <kevin.tian@intel.com>, 2010-08-11
|
||||
|
||||
Index: shadow-4.1.4.2/libmisc/chkname.c
|
||||
===================================================================
|
||||
--- shadow-4.1.4.2.orig/libmisc/chkname.c 2009-04-28 12:14:04.000000000 -0700
|
||||
+++ shadow-4.1.4.2/libmisc/chkname.c 2010-06-03 17:43:20.638973857 -0700
|
||||
@@ -61,6 +61,7 @@ static bool is_valid_name (const char *n
|
||||
( ('0' <= *name) && ('9' >= *name) ) ||
|
||||
('_' == *name) ||
|
||||
('-' == *name) ||
|
||||
+ ('.' == *name) ||
|
||||
( ('$' == *name) && ('\0' == *(name + 1)) )
|
||||
)) {
|
||||
return false;
|
27
meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-env-reset-keep-locale.patch
vendored
Normal file
27
meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-env-reset-keep-locale.patch
vendored
Normal file
|
@ -0,0 +1,27 @@
|
|||
# commit message copied from openembedded:
|
||||
# commit 246c80637b135f3a113d319b163422f98174ee6c
|
||||
# Author: Khem Raj <raj.khem@gmail.com>
|
||||
# Date: Wed Jun 9 13:37:03 2010 -0700
|
||||
#
|
||||
# shadow-4.1.4.2: Add patches to support dots in login id.
|
||||
#
|
||||
# Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
||||
#
|
||||
# comment added by Kevin Tian <kevin.tian@intel.com>, 2010-08-11
|
||||
|
||||
http://bugs.gentoo.org/283725
|
||||
https://alioth.debian.org/tracker/index.php?func=detail&aid=311740&group_id=30580&atid=411480
|
||||
|
||||
Index: shadow-4.1.4.2/libmisc/env.c
|
||||
===================================================================
|
||||
--- shadow-4.1.4.2.orig/libmisc/env.c 2009-04-27 13:07:56.000000000 -0700
|
||||
+++ shadow-4.1.4.2/libmisc/env.c 2010-06-03 17:44:51.456408474 -0700
|
||||
@@ -251,7 +251,7 @@ void sanitize_env (void)
|
||||
if (strncmp (*cur, *bad, strlen (*bad)) != 0) {
|
||||
continue;
|
||||
}
|
||||
- if (strchr (*cur, '/') != NULL) {
|
||||
+ if (strchr (*cur, '/') == NULL) {
|
||||
continue; /* OK */
|
||||
}
|
||||
for (move = cur; NULL != *move; move++) {
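Review bot: The header comment copied into this patch says "shadow-4.1.4.2: Add patches to support dots in login id", which describes the chkname.c patch and not this change to `sanitize_env`; the groupmod-pam-check and su_no_sanitize_env patches carry the same copied text. Each patch header should state its own purpose, here something like `# sanitize_env: keep a matched entry unless it contains '/'`, since the hunk flips the test so that entries without a slash reach `continue; /* OK */` and the rest fall through to the removal loop. The body of `sanitize_env` continues outside the hunk, so which variable list this loop walks is not visible here.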
|
32
meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-groupmod-pam-check.patch
vendored
Normal file
32
meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-groupmod-pam-check.patch
vendored
Normal file
|
@ -0,0 +1,32 @@
|
|||
# commit message copied from openembedded:
|
||||
# commit 246c80637b135f3a113d319b163422f98174ee6c
|
||||
# Author: Khem Raj <raj.khem@gmail.com>
|
||||
# Date: Wed Jun 9 13:37:03 2010 -0700
|
||||
#
|
||||
# shadow-4.1.4.2: Add patches to support dots in login id.
|
||||
#
|
||||
# Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
||||
#
|
||||
# comment added by Kevin Tian <kevin.tian@intel.com>, 2010-08-11
|
||||
|
||||
http://bugs.gentoo.org/300790
|
||||
http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/2009-November/007850.html
|
||||
|
||||
2009-11-05 Nicolas François <nicolas.francois@centraliens.net>
|
||||
|
||||
* NEWS, src/groupmod.c: Fixed groupmod when configured with
|
||||
--enable-account-tools-setuid.
|
||||
|
||||
Index: shadow-4.1.4.2/src/groupmod.c
|
||||
===================================================================
|
||||
--- shadow-4.1.4.2.orig/src/groupmod.c 2009-06-05 15:16:58.000000000 -0700
|
||||
+++ shadow-4.1.4.2/src/groupmod.c 2010-06-03 17:45:43.828952613 -0700
|
||||
@@ -720,7 +720,7 @@ int main (int argc, char **argv)
|
||||
{
|
||||
struct passwd *pampw;
|
||||
pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */
|
||||
- if (NULL == pamh) {
|
||||
+ if (NULL == pampw) {
|
||||
fprintf (stderr,
|
||||
_("%s: Cannot determine your user name.\n"),
|
||||
Prog);
|
27
meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-su_no_sanitize_env.patch
vendored
Normal file
27
meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-su_no_sanitize_env.patch
vendored
Normal file
|
@ -0,0 +1,27 @@
|
|||
# commit message copied from openembedded:
|
||||
# commit 246c80637b135f3a113d319b163422f98174ee6c
|
||||
# Author: Khem Raj <raj.khem@gmail.com>
|
||||
# Date: Wed Jun 9 13:37:03 2010 -0700
|
||||
#
|
||||
# shadow-4.1.4.2: Add patches to support dots in login id.
|
||||
#
|
||||
# Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
||||
#
|
||||
# comment added by Kevin Tian <kevin.tian@intel.com>, 2010-08-11
|
||||
|
||||
http://bugs.gentoo.org/show_bug.cgi?id=301957
|
||||
https://alioth.debian.org/scm/browser.php?group_id=30580
|
||||
|
||||
Index: shadow-4.1.4.2/src/su.c
|
||||
===================================================================
|
||||
--- shadow-4.1.4.2.orig/src/su.c 2009-07-23 13:38:56.000000000 -0700
|
||||
+++ shadow-4.1.4.2/src/su.c 2010-06-03 17:46:47.718944010 -0700
|
||||
@@ -378,7 +378,7 @@ int main (int argc, char **argv)
|
||||
#endif
|
||||
#endif /* !USE_PAM */
|
||||
|
||||
- sanitize_env ();
|
||||
+ /* sanitize_env (); */
|
||||
|
||||
(void) setlocale (LC_ALL, "");
|
||||
(void) bindtextdomain (PACKAGE, LOCALEDIR);
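Review bot: Commenting out `sanitize_env ();` in su's `main` removes the environment scrubbing from a program that normally runs setuid root, and the line sits after `#endif /* !USE_PAM */`, so both the PAM and the non-PAM build lose it. The commit message says the recipe is tested both ways, and nothing visible in this hunk replaces the call when PAM is disabled. If the removal is only needed for the PAM build, keep the call for the other one with `#ifndef USE_PAM` / `sanitize_env ();` / `#endif`, and record the reason for the change in the patch header. `main` starts and ends outside the hunk.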
|
|
@ -0,0 +1,102 @@
|
|||
# patch is from openembedded:
|
||||
# commit 2db61370333f7a2fc1dbb86385734883387e0217
|
||||
# Author: Martin Jansa <Martin.Jansa@gmail.com>
|
||||
# Date: Fri Apr 2 07:34:46 2010 +0200
|
||||
#
|
||||
# shadow: fix do_install with automake-1.11
|
||||
#
|
||||
# Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
||||
#
|
||||
# comment added by Kevin Tian <kevin.tian@intel.com>
|
||||
|
||||
man_nopan is for !USE_PAM already included in man_MANS and automake-1.11 hates to install some file twice
|
||||
|
||||
diff -uNr shadow-4.1.4.2.orig/man/Makefile.am shadow-4.1.4.2/man/Makefile.am
|
||||
--- shadow-4.1.4.2.orig/man/Makefile.am 2009-03-14 15:40:10.000000000 +0100
|
||||
+++ shadow-4.1.4.2/man/Makefile.am 2010-04-02 07:31:17.000000000 +0200
|
||||
@@ -163,7 +163,6 @@
|
||||
$(man_MANS) \
|
||||
$(man_XMANS) \
|
||||
$(addprefix login.defs.d/,$(login_defs_v)) \
|
||||
- $(man_nopam) \
|
||||
id.1 \
|
||||
id.1.xml \
|
||||
sulogin.8 \
|
||||
diff -uNr shadow-4.1.4.2.orig/man/fr/Makefile.am shadow-4.1.4.2/man/fr/Makefile.am
|
||||
--- shadow-4.1.4.2.orig/man/fr/Makefile.am 2008-09-06 18:44:45.000000000 +0200
|
||||
+++ shadow-4.1.4.2/man/fr/Makefile.am 2010-04-02 07:42:11.000000000 +0200
|
||||
@@ -52,7 +52,6 @@
|
||||
|
||||
EXTRA_DIST = \
|
||||
$(man_MANS) \
|
||||
- $(man_nopam) \
|
||||
id.1
|
||||
|
||||
include ../generate_translations.mak
|
||||
diff -uNr shadow-4.1.4.2.orig/man/it/Makefile.am shadow-4.1.4.2/man/it/Makefile.am
|
||||
--- shadow-4.1.4.2.orig/man/it/Makefile.am 2008-09-06 18:44:45.000000000 +0200
|
||||
+++ shadow-4.1.4.2/man/it/Makefile.am 2010-04-02 07:42:20.000000000 +0200
|
||||
@@ -46,7 +46,6 @@
|
||||
|
||||
EXTRA_DIST = \
|
||||
$(man_MANS) \
|
||||
- $(man_nopam) \
|
||||
id.1 \
|
||||
logoutd.8
|
||||
|
||||
diff -uNr shadow-4.1.4.2.orig/man/ja/Makefile.am shadow-4.1.4.2/man/ja/Makefile.am
|
||||
--- shadow-4.1.4.2.orig/man/ja/Makefile.am 2007-12-31 17:48:28.000000000 +0100
|
||||
+++ shadow-4.1.4.2/man/ja/Makefile.am 2010-04-02 07:42:17.000000000 +0200
|
||||
@@ -49,7 +49,6 @@
|
||||
|
||||
EXTRA_DIST = \
|
||||
$(man_MANS) \
|
||||
- $(man_nopam) \
|
||||
id.1 \
|
||||
shadow.3 \
|
||||
sulogin.8
|
||||
diff -uNr shadow-4.1.4.2.orig/man/pl/Makefile.am shadow-4.1.4.2/man/pl/Makefile.am
|
||||
--- shadow-4.1.4.2.orig/man/pl/Makefile.am 2008-09-06 18:44:45.000000000 +0200
|
||||
+++ shadow-4.1.4.2/man/pl/Makefile.am 2010-04-02 07:42:07.000000000 +0200
|
||||
@@ -49,7 +49,6 @@
|
||||
|
||||
EXTRA_DIST = \
|
||||
$(man_MANS) \
|
||||
- $(man_nopam) \
|
||||
getspnam.3 \
|
||||
id.1 \
|
||||
shadow.3 \
|
||||
diff -uNr shadow-4.1.4.2.orig/man/ru/Makefile.am shadow-4.1.4.2/man/ru/Makefile.am
|
||||
--- shadow-4.1.4.2.orig/man/ru/Makefile.am 2010-04-02 07:39:00.000000000 +0200
|
||||
+++ shadow-4.1.4.2/man/ru/Makefile.am 2010-04-02 07:42:01.000000000 +0200
|
||||
@@ -54,7 +54,6 @@
|
||||
|
||||
EXTRA_DIST = \
|
||||
$(man_MANS) \
|
||||
- $(man_nopam) \
|
||||
id.1 \
|
||||
sulogin.8
|
||||
|
||||
diff -uNr shadow-4.1.4.2.orig/man/sv/Makefile.am shadow-4.1.4.2/man/sv/Makefile.am
|
||||
--- shadow-4.1.4.2.orig/man/sv/Makefile.am 2008-09-06 18:44:45.000000000 +0200
|
||||
+++ shadow-4.1.4.2/man/sv/Makefile.am 2010-04-02 07:42:24.000000000 +0200
|
||||
@@ -53,8 +53,7 @@
|
||||
endif
|
||||
|
||||
EXTRA_DIST = \
|
||||
- $(man_MANS) \
|
||||
- $(man_nopam)
|
||||
+ $(man_MANS)
|
||||
|
||||
include ../generate_translations.mak
|
||||
|
||||
--- shadow-4.1.4.2.orig/man/ru/Makefile.am 2010-04-02 07:54:09.000000000 +0200
|
||||
+++ shadow-4.1.4.2/man/ru/Makefile.am 2010-04-02 07:51:57.000000000 +0200
|
||||
@@ -1,7 +1,6 @@
|
||||
mandir = @mandir@/ru
|
||||
|
||||
man_MANS = \
|
||||
- $(man_nopam) \
|
||||
chage.1 \
|
||||
chfn.1 \
|
||||
chgpasswd.8 \
|
|
@ -0,0 +1,121 @@
|
|||
DESCRIPTION = "Tools to change and administer password and group data."
|
||||
HOMEPAGE = "http://pkg-shadow.alioth.debian.org/"
|
||||
BUGTRACKER = "https://alioth.debian.org/tracker/?group_id=30580"
|
||||
SECTION = "base utils"
|
||||
LICENSE = "BSD | Artistic"
|
||||
LIC_FILES_CHKSUM = "file://COPYING;md5=08c553a87d4e51bbed50b20e0adcaede \
|
||||
file://src/passwd.c;firstline=8;endline=30;md5=2899a045e90511d0e043b85a7db7e2fe"
|
||||
|
||||
PAM_PLUGINS = " libpam-runtime \
|
||||
pam-plugin-faildelay \
|
||||
pam-plugin-securetty \
|
||||
pam-plugin-nologin \
|
||||
pam-plugin-env \
|
||||
pam-plugin-group \
|
||||
pam-plugin-limits \
|
||||
pam-plugin-lastlog \
|
||||
pam-plugin-motd \
|
||||
pam-plugin-mail \
|
||||
pam-plugin-shells \
|
||||
pam-plugin-rootok"
|
||||
|
||||
DEPENDS = "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
|
||||
RDEPENDS = "${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_PLUGINS}', '', d)}"
|
||||
|
||||
# since we deduce from ${SERIAL_CONSOLE}
|
||||
PACKAGE_ARCH = "${MACHINE_ARCH}"
|
||||
|
||||
# Additional Policy files for PAM
|
||||
PAM_SRC_URI = "file://pam.d/chfn \
|
||||
file://pam.d/chpasswd \
|
||||
file://pam.d/chsh \
|
||||
file://pam.d/login \
|
||||
file://pam.d/newusers \
|
||||
file://pam.d/passwd \
|
||||
file://pam.d/su"
|
||||
|
||||
SRC_URI = "ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-${PV}.tar.bz2 \
|
||||
file://login_defs_pam.sed \
|
||||
${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
|
||||
file://securetty"
|
||||
|
||||
inherit autotools gettext
|
||||
|
||||
EXTRA_OECONF += "--without-audit \
|
||||
--without-libcrack \
|
||||
${@base_contains('DISTRO_FEATURES', 'pam', '--with-libpam', '--without-libpam', d)} \
|
||||
--without-selinux"
|
||||
|
||||
do_install_append() {
|
||||
# Ensure that the image has as /var/spool/mail dir so shadow can put mailboxes there if the user
|
||||
# reconfigures Shadow to default (see sed below).
|
||||
install -d ${D}${localstatedir}/spool/mail
|
||||
|
||||
if [ -e ${WORKDIR}/pam.d ]; then
|
||||
install -d ${D}${sysconfdir}/pam.d/
|
||||
install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/
|
||||
# Remove defaults that are not used when supporting PAM
|
||||
sed -i -f ${WORKDIR}/login_defs_pam.sed ${D}${sysconfdir}/login.defs
|
||||
fi
|
||||
|
||||
# Enable CREATE_HOME by default.
|
||||
sed -i 's/#CREATE_HOME/CREATE_HOME/g' ${D}${sysconfdir}/login.defs
|
||||
|
||||
# As we are on an embedded system ensure the users mailbox is in ~/ not
|
||||
# /var/spool/mail by default as who knows where or how big /var is.
|
||||
# The system MDA will set this later anyway.
|
||||
sed -i 's/MAIL_DIR/#MAIL_DIR/g' ${D}${sysconfdir}/login.defs
|
||||
sed -i 's/#MAIL_FILE/MAIL_FILE/g' ${D}${sysconfdir}/login.defs
|
||||
|
||||
# disable checking emails at all
|
||||
sed -i 's/MAIL_CHECK_ENAB/#MAIL_CHECK_ENAB/g' ${D}${sysconfdir}/login.defs
|
||||
|
||||
# now we don't have a mail system. disable mail creation for now
|
||||
sed -i 's:/bin/bash:/bin/sh:g' ${D}${sysconfdir}/default/useradd
|
||||
sed -i '/^CREATE_MAIL_SPOOL/ s:^:#:' ${D}${sysconfdir}/default/useradd
|
||||
|
||||
install -d ${D}${sbindir} ${D}${base_sbindir} ${D}${base_bindir}
|
||||
for i in passwd chfn newgrp chsh ; do
|
||||
mv ${D}${bindir}/$i ${D}${bindir}/$i.${PN}
|
||||
done
|
||||
|
||||
mv ${D}${sbindir}/chpasswd ${D}${sbindir}/chpasswd.${PN}
|
||||
mv ${D}${sbindir}/vigr ${D}${base_sbindir}/vigr.${PN}
|
||||
mv ${D}${sbindir}/vipw ${D}${base_sbindir}/vipw.${PN}
|
||||
mv ${D}${bindir}/login ${D}${base_bindir}/login.${PN}
|
||||
|
||||
# Ensure we add a suitable securetty file to the package that has most common embedded TTYs defined.
|
||||
if [ ! -z "${SERIAL_CONSOLE}" ]; then
|
||||
# our SERIAL_CONSOLE contains baud rate too and sometime -L option as well.
|
||||
# the following pearl :) takes that and converts it into newline sepated tty's and appends
|
||||
# them into securetty. So if a machine has a weird looking console device node (e.g. ttyAMA0) that securetty
|
||||
# does not know then it will get appended to securetty and root login will be allowed on
|
||||
# that console.
|
||||
echo "${SERIAL_CONSOLE}" | sed -e 's/[0-9][0-9]\|\-L//g'|tr "[ ]" "[\n]" >> ${WORKDIR}/securetty
|
||||
fi
|
||||
install -m 0400 ${WORKDIR}/securetty ${D}${sysconfdir}/securetty
|
||||
}
|
||||
|
||||
pkg_postinst_${PN} () {
|
||||
update-alternatives --install ${bindir}/passwd passwd passwd.${PN} 200
|
||||
update-alternatives --install ${sbindir}/chpasswd chpasswd chpasswd.${PN} 200
|
||||
update-alternatives --install ${bindir}/chfn chfn chfn.${PN} 200
|
||||
update-alternatives --install ${bindir}/newgrp newgrp newgrp.${PN} 200
|
||||
update-alternatives --install ${bindir}/chsh chsh chsh.${PN} 200
|
||||
update-alternatives --install ${base_bindir}/login login login.${PN} 200
|
||||
update-alternatives --install ${base_sbindir}/vipw vipw vipw.${PN} 200
|
||||
update-alternatives --install ${base_sbindir}/vigr vigr vigr.${PN} 200
|
||||
|
||||
if [ "x$D" != "x" ]; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
pwconv
|
||||
grpconv
|
||||
}
|
||||
|
||||
pkg_prerm_${PN} () {
|
||||
for i in passwd chpasswd chfn newgrp chsh login vipw vigr ; do
|
||||
update-alternatives --remove $i $i.${PN}
|
||||
done
|
||||
}
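Review bot: The sed expression in `do_install_append` that turns `SERIAL_CONSOLE` into securetty entries deletes every pair of adjacent digits, so it also damages device names and leaves stray digits from some baud rates: for example `ttyS10` would be written as `ttyS`, and `57600` leaves a lone `0` line. Because the result is appended to `${WORKDIR}/securetty`, each re-run of the install step adds the same entries again. Since these lines decide where root may log in, it is safer to walk the words of `SERIAL_CONSOLE`, skip the baud rate and `-L`, and append a device only if it is not already listed, as sketched below.

```bitbake
    # … unchanged: pam.d install, login.defs and useradd edits, binary renames …
    if [ -n "${SERIAL_CONSOLE}" ]; then
        for tty in ${SERIAL_CONSOLE}; do
            case "$tty" in
                -L|[0-9]*) ;;   # getty flag or baud rate, not a device name
                *) grep -qx "$tty" ${WORKDIR}/securetty || echo "$tty" >> ${WORKDIR}/securetty ;;
            esac
        done
    fi
    # … unchanged: install -m 0400 of securetty …
```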
|
|
@ -0,0 +1,11 @@
|
|||
require shadow.inc
|
||||
|
||||
PR = "r0"
|
||||
|
||||
SRC_URI += "file://shadow.automake-1.11.patch \
|
||||
file://shadow-4.1.3-dots-in-usernames.patch \
|
||||
file://shadow-4.1.4.2-env-reset-keep-locale.patch \
|
||||
file://shadow-4.1.4.2-groupmod-pam-check.patch \
|
||||
file://shadow-4.1.4.2-su_no_sanitize_env.patch"
|
||||
|
||||
EXTRA_OECONF_libc-uclibc += " --with-nscd=no "
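Review bot: No checksum for the shadow tarball is set in this recipe, while the `SRC_URI` in shadow.inc fetches it over plain `ftp://`, so nothing visible here ties the build to a known archive. Unless the layer records the checksum elsewhere, add `SRC_URI[md5sum]` and `SRC_URI[sha256sum]` entries for `shadow-${PV}.tar.bz2` next to `PR`, using values computed from a verified copy of the release.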
|
|
@ -7,3 +7,11 @@ ac_cv_file__dev_random=${ac_cv_file__dev_random=yes}
|
|||
# Avoid sudo to assume void for unsetenv in cross environment, or else it conflicts with
|
||||
# target stdlib.h prototype which follows POSIX compiliance. Mark for upstream.
|
||||
sudo_cv_func_unsetenv_void=no
|
||||
|
||||
# shadow dir info, to avoid searching build system
|
||||
shadow_cv_maildir=${localstatedir}/spool/mail
|
||||
shadow_cv_mailfile=Mailbox
|
||||
shadow_cv_utmpdir=${localstatedir}/run
|
||||
shadow_cv_logdir=${localstatedir}/log
|
||||
shadow_cv_passwd_dir=${bindir}
|
||||
|
||||
|
|