author | Kevin Tian <kevin.tian@intel.com> | 2010-08-06 10:34:29 +0800 |
---|---|---|
committer | Richard Purdie <rpurdie@linux.intel.com> | 2010-08-13 13:36:02 +0100 |
commit | f6535ea12ab7f4d99adbe78919a7ed252175565f (patch) | |
tree | fcab0f6719ab5f17d1ce9fdd7ba0e376e418c2ac | |
parent | 44d7c5678f52593d55c23f16d0da6c188734b026 (diff) | |
download | openembedded-core-f6535ea12ab7f4d99adbe78919a7ed252175565f.tar.gz openembedded-core-f6535ea12ab7f4d99adbe78919a7ed252175565f.tar.bz2 openembedded-core-f6535ea12ab7f4d99adbe78919a7ed252175565f.zip |
shadow: add new recipe 4.1.4.2
(borrow from OpenEmbedded with below tweaks)
Enhance login_defs_pam.sed according to shadow source, to ensure we don't
leave any unknown definitions in /etc/login.defs when pam is enabled
no need for --disable-account-tools-setuid which is detected upon pam
automatically, and no specific CFLAGS append
move shadow site options to generic site files
adjust indention
RDEPENDS on a list of pam-plugins since they're separately packaged
test with both pam enabled and pam disabled. when pam is enabled, tried
some same tweak with desired effect.
Signed-off-by: Kevin Tian <kevin.tian@intel.com>
17 files changed, 786 insertions, 0 deletions
diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/login_defs_pam.sed b/meta-lsb/packages/shadow/shadow-4.1.4.2/login_defs_pam.sed
new file mode 100644
index 0000000000..0a1f3be4af
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/login_defs_pam.sed
@@ -0,0 +1,32 @@
+/^FAILLOG_ENAB/b comment
+/^LASTLOG_ENAB/b comment
+/^MAIL_CHECK_ENAB/b comment
+/^OBSCURE_CHECKS_ENAB/b comment
+/^PORTTIME_CHECKS_ENAB/b comment
+/^QUOTAS_ENAB/b comment
+/^MOTD_FILE/b comment
+/^FTMP_FILE/b comment
+/^NOLOGINS_FILE/b comment
+/^ENV_HZ/b comment
+/^ENV_TZ/b comment
+/^PASS_MIN_LEN/b comment
+/^SU_WHEEL_ONLY/b comment
+/^CRACKLIB_DICTPATH/b comment
+/^PASS_CHANGE_TRIES/b comment
+/^PASS_ALWAYS_WARN/b comment
+/^PASS_MAX_LEN/b comment
+/^PASS_MIN_LEN/b comment
+/^CHFN_AUTH/b comment
+/^CHSH_AUTH/b comment
+/^ISSUE_FILE/b comment
+/^LOGIN_STRING/b comment
+/^ULIMIT/b comment
+/^ENVIRON_FILE/b comment
+
+b exit
+
+: comment
+ s:^:#:
+
+: exit
+
diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/chfn b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/chfn
new file mode 100644
index 0000000000..baf7698bba
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/chfn
@@ -0,0 +1,14 @@
+#
+# The PAM configuration file for the Shadow `chfn' service
+#
+
+# This allows root to change user infomation without being
+# prompted for a password
+auth sufficient pam_rootok.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+auth include common-auth
+account include common-account
+session include common-session
diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/chpasswd b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/chpasswd
new file mode 100644
index 0000000000..9e3efa68ba
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/chpasswd
@@ -0,0 +1,4 @@
+# The PAM configuration file for the Shadow 'chpasswd' service
+#
+
+password include common-password
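Review bot: `/^PASS_MIN_LEN/b comment` appears twice in the script (once among the *_ENAB/ENV_* group and again right after `PASS_MAX_LEN`); sed applies both without harm, but one of them should go so the list maps one-to-one onto the login.defs keys that a PAM build ignores. The commit message says the list was derived from the shadow source, yet the script itself records nothing about that; a leading comment such as `# login.defs keys that shadow ignores when built with PAM (see libmisc/getdef.c): comment them out` would let the next maintainer re-derive and re-check the list when the recipe is upgraded.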
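Review bot: Typo in the chfn comment, `change user infomation` should read `change user information`. The stack otherwise mirrors chsh without pam_shells, which is consistent for a service that does not touch the shell field.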
diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/chsh b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/chsh
new file mode 100644
index 0000000000..8fb169f64e
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/chsh
@@ -0,0 +1,19 @@
+#
+# The PAM configuration file for the Shadow `chsh' service
+#
+
+# This will not allow a user to change their shell unless
+# their current one is listed in /etc/shells. This keeps
+# accounts with special shells from changing them.
+auth required pam_shells.so
+
+# This allows root to change user shell without being
+# prompted for a password
+auth sufficient pam_rootok.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+auth include common-auth
+account include common-account
+session include common-session
diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/login b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/login
new file mode 100644
index 0000000000..e41eb04ec1
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/login
@@ -0,0 +1,91 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth optional pam_faildelay.so delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth required pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+# Note that it is included as a "requisite" module. No password prompts will
+# be displayed if this module fails to avoid having the root password
+# transmitted on unsecure ttys.
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root).
+auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth requisite pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without out this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+#
+# parsing /etc/environment needs "readenv=1"
+session required pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session required pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+auth include common-auth
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth optional pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account requisite pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account required pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session required pam_limits.so
+
+# Prints the last login info upon succesful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session optional pam_lastlog.so
+
+# Prints the motd upon succesful login
+# (Replaces the `MOTD_FILE' option in login.defs)
+session optional pam_motd.so
+
+# Prints the status of the user's mailbox upon succesful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session optional pam_mail.so standard
+
+# Standard Un*x account and session
+account include common-account
+password include common-password
+session include common-session
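Review bot: The second pam_env line, `session required pam_env.so readenv=1 envfile=/etc/default/locale`, points at a Debian-specific file (the comment itself says "in etch") that nothing in this commit installs; whether pam_env treats a missing envfile as an error or silently ignores it depends on the Linux-PAM version shipped on the image, so either install that file from the recipe or drop the line and its two comment lines. The comments also carry typos worth fixing while the file is new: `succesful` (three times), `restrainst`, `unsecure`, and `Without out this`.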
diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/newusers b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/newusers
new file mode 100644
index 0000000000..4aa3dde48b
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/newusers
@@ -0,0 +1,4 @@
+# The PAM configuration file for the Shadow 'newusers' service
+#
+
+password include common-password
diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/passwd b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/passwd
new file mode 100644
index 0000000000..f534992435
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/passwd
@@ -0,0 +1,5 @@
+#
+# The PAM configuration file for the Shadow `passwd' service
+#
+
+password include common-password
diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/su b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/su
new file mode 100644
index 0000000000..8e35137f37
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/su
@@ -0,0 +1,60 @@
+#
+# The PAM configuration file for the Shadow `su' service
+#
+
+# This allows root to su without passwords (normal operation)
+auth sufficient pam_rootok.so
+
+# Uncomment this to force users to be a member of group root
+# before they can use `su'. You can also add "group=foo"
+# to the end of this line if you want to use a group other
+# than the default "root" (but this may have side effect of
+# denying "root" user, unless she's a member of "foo" or explicitly
+# permitted earlier by e.g. "sufficient pam_rootok.so").
+# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
+# auth required pam_wheel.so
+
+# Uncomment this if you want wheel members to be able to
+# su without a password.
+# auth sufficient pam_wheel.so trust
+
+# Uncomment this if you want members of a specific group to not
+# be allowed to use su at all.
+# auth required pam_wheel.so deny group=nosu
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on su usage.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account requisite pam_time.so
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+#
+# parsing /etc/environment needs "readenv=1"
+session required pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session required pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+#
+# "nopen" stands to avoid reporting new mail when su'ing to another user
+session optional pam_mail.so nopen
+
+# Sets up user limits, please uncomment and read /etc/security/limits.conf
+# to enable this functionality.
+# (Replaces the use of /etc/limits in old login)
+# session required pam_limits.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+auth include common-auth
+account include common-account
+session include common-session
diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/securetty b/meta-lsb/packages/shadow/shadow-4.1.4.2/securetty
new file mode 100644
index 0000000000..28fa0afb72
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/securetty
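Review bot: With all three pam_wheel lines left commented out, every local account may attempt `su` to root and is gated only by the root password, which on an embedded image is often weak or defaulted; this is inherited from the Debian file rather than decided for this distribution. Either enable `auth required pam_wheel.so` (the module would then, presumably as pam-plugin-wheel, need adding to PAM_PLUGINS in shadow.inc) or record the decision with a comment such as `# pam_wheel intentionally disabled: root access policy is left to the image`. The same `/etc/default/locale` envfile and the `restrainst` typo noted on the login file recur here.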
@@ -0,0 +1,206 @@
+# /etc/securetty: list of terminals on which root is allowed to login.
+# See securetty(5) and login(1).
+console
+
+# Standard serial ports
+ttyS0
+ttyS1
+ttyS2
+ttyS3
+
+# Samsung ARM SoCs
+ttySAC0
+ttySAC1
+ttySAC2
+ttySAC3
+
+# TI OMAP SoCs
+ttyO0
+ttyO1
+ttyO2
+ttyO3
+
+# USB dongles
+ttyUSB0
+ttyUSB1
+ttyUSB2
+
+# PowerMac
+ttyPZ0
+ttyPZ1
+ttyPZ2
+ttyPZ3
+
+# Embedded MPC platforms
+ttyPSC0
+ttyPSC1
+ttyPSC2
+ttyPSC3
+ttyPSC4
+ttyPSC5
+
+# PA-RISC mux ports
+ttyB0
+ttyB1
+
+# Standard hypervisor virtual console
+hvc0
+
+# Oldstyle Xen console
+xvc0
+
+# Standard consoles
+tty1
+tty2
+tty3
+tty4
+tty5
+tty6
+tty7
+tty8
+tty9
+tty10
+tty11
+tty12
+tty13
+tty14
+tty15
+tty16
+tty17
+tty18
+tty19
+tty20
+tty21
+tty22
+tty23
+tty24
+tty25
+tty26
+tty27
+tty28
+tty29
+tty30
+tty31
+tty32
+tty33
+tty34
+tty35
+tty36
+tty37
+tty38
+tty39
+tty40
+tty41
+tty42
+tty43
+tty44
+tty45
+tty46
+tty47
+tty48
+tty49
+tty50
+tty51
+tty52
+tty53
+tty54
+tty55
+tty56
+tty57
+tty58
+tty59
+tty60
+tty61
+tty62
+tty63
+
+# Local X displays (allows empty passwords with pam_unix's nullok_secure)
+:0
+:0.0
+:0.1
+:1
+:1.0
+:1.1
+:2
+:2.0
+:2.1
+:3
+:3.0
+:3.1
+
+# Embedded Freescale i.MX ports
+ttymxc0
+ttymxc1
+ttymxc2
+ttymxc3
+ttymxc4
+ttymxc5
+
+# Standard serial ports, with devfs
+tts/0
+tts/1
+
+# Standard consoles, with devfs
+vc/1
+vc/2
+vc/3
+vc/4
+vc/5
+vc/6
+vc/7
+vc/8
+vc/9
+vc/10
+vc/11
+vc/12
+vc/13
+vc/14
+vc/15
+vc/16
+vc/17
+vc/18
+vc/19
+vc/20
+vc/21
+vc/22
+vc/23
+vc/24
+vc/25
+vc/26
+vc/27
+vc/28
+vc/29
+vc/30
+vc/31
+vc/32
+vc/33
+vc/34
+vc/35
+vc/36
+vc/37
+vc/38
+vc/39
+vc/40
+vc/41
+vc/42
+vc/43
+vc/44
+vc/45
+vc/46
+vc/47
+vc/48
+vc/49
+vc/50
+vc/51
+vc/52
+vc/53
+vc/54
+vc/55
+vc/56
+vc/57
+vc/58
+vc/59
+vc/60
+vc/61
+vc/62
+vc/63
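Review bot: The `# Local X displays` block (`:0` through `:3.1`) and its comment about `nullok_secure` are a Debian carry-over: `nullok_secure` is a Debian-specific pam_unix option, so on this image the comment describes behaviour that does not exist, and the entries themselves merely allow a root login whose PAM_TTY is a display name. Either drop the block or reword the comment to `# Local X displays (Debian carry-over; lets root log in when PAM_TTY is a display name)` so nobody relies on the empty-password semantics. The file is installed 0400 and extended from SERIAL_CONSOLE in shadow.inc, so trimming it here is safe as long as the board's real console remains listed.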
diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.3-dots-in-usernames.patch b/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.3-dots-in-usernames.patch new file mode 100644 index 0000000000..7a2ff2e24e --- /dev/null +++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.3-dots-in-usernames.patch @@ -0,0 +1,23 @@ +# commit message copied from openembedded: +# commit 246c80637b135f3a113d319b163422f98174ee6c +# Author: Khem Raj <raj.khem@gmail.com> +# Date: Wed Jun 9 13:37:03 2010 -0700 +# +# shadow-4.1.4.2: Add patches to support dots in login id. +# +# Signed-off-by: Khem Raj <raj.khem@gmail.com> +# +# comment added by Kevin Tian <kevin.tian@intel.com>, 2010-08-11 + +Index: shadow-4.1.4.2/libmisc/chkname.c +=================================================================== +--- shadow-4.1.4.2.orig/libmisc/chkname.c 2009-04-28 12:14:04.000000000 -0700 ++++ shadow-4.1.4.2/libmisc/chkname.c 2010-06-03 17:43:20.638973857 -0700 +@@ -61,6 +61,7 @@ static bool is_valid_name (const char *n + ( ('0' <= *name) && ('9' >= *name) ) || + ('_' == *name) || + ('-' == *name) || ++ ('.' == *name) || + ( ('$' == *name) && ('\0' == *(name + 1)) ) + )) { + return false; diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-env-reset-keep-locale.patch b/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-env-reset-keep-locale.patch new file mode 100644 index 0000000000..124065c7f9 --- /dev/null +++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-env-reset-keep-locale.patch @@ -0,0 +1,27 @@ +# commit message copied from openembedded: +# commit 246c80637b135f3a113d319b163422f98174ee6c +# Author: Khem Raj <raj.khem@gmail.com> +# Date: Wed Jun 9 13:37:03 2010 -0700 +# +# shadow-4.1.4.2: Add patches to support dots in login id. +# +# 
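Review bot: The added `('.' == *name) ||` alternative in is_valid_name lets `.` into login names, which is ambiguous for tools that still accept the historical `user.group` owner syntax (GNU chown documents `.` as an alternative separator), and the patch header says nothing about that trade-off or about whether upstream took the change. A header line such as `# Note: names containing '.' collide with chown's legacy user.group form; accepted here for compatibility with existing deployments` would record the decision next to the copied commit message. is_valid_name starts before and continues after the quoted context.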
Signed-off-by: Khem Raj <raj.khem@gmail.com> +# +# comment added by Kevin Tian <kevin.tian@intel.com>, 2010-08-11 + +http://bugs.gentoo.org/283725 +https://alioth.debian.org/tracker/index.php?func=detail&aid=311740&group_id=30580&atid=411480 + +Index: shadow-4.1.4.2/libmisc/env.c +=================================================================== +--- shadow-4.1.4.2.orig/libmisc/env.c 2009-04-27 13:07:56.000000000 -0700 ++++ shadow-4.1.4.2/libmisc/env.c 2010-06-03 17:44:51.456408474 -0700 +@@ -251,7 +251,7 @@ void sanitize_env (void) + if (strncmp (*cur, *bad, strlen (*bad)) != 0) { + continue; + } +- if (strchr (*cur, '/') != NULL) { ++ if (strchr (*cur, '/') == NULL) { + continue; /* OK */ + } + for (move = cur; NULL != *move; move++) { diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-groupmod-pam-check.patch b/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-groupmod-pam-check.patch new file mode 100644 index 0000000000..6682fe8078 --- /dev/null +++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-groupmod-pam-check.patch @@ -0,0 +1,32 @@ +# commit message copied from openembedded: +# commit 246c80637b135f3a113d319b163422f98174ee6c +# Author: Khem Raj <raj.khem@gmail.com> +# Date: Wed Jun 9 13:37:03 2010 -0700 +# +# shadow-4.1.4.2: Add patches to support dots in login id. +# +# 
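Review bot: The header of this patch (and likewise of shadow-4.1.4.2-groupmod-pam-check.patch and shadow-4.1.4.2-su_no_sanitize_env.patch further down) reuses the commit message "Add patches to support dots in login id", which does not describe what the patch does; here the one-character change flips the strchr test in sanitize_env so that a matching entry without a `/` is kept (`continue; /* OK */`) and one containing a `/` falls through to the removal loop below, which is what the two bug links describe. Replace the copied block with a one-line summary, e.g. `# Fix inverted slash test in sanitize_env(): drop locale variables containing '/', keep the rest (see bug links below)`, and do the same for the other two patches. sanitize_env begins before the hunk context.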
Signed-off-by: Khem Raj <raj.khem@gmail.com> +# +# comment added by Kevin Tian <kevin.tian@intel.com>, 2010-08-11 + +http://bugs.gentoo.org/300790 +http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/2009-November/007850.html + +2009-11-05 Nicolas François <nicolas.francois@centraliens.net> + + * NEWS, src/groupmod.c: Fixed groupmod when configured with + --enable-account-tools-setuid. + +Index: shadow-4.1.4.2/src/groupmod.c +=================================================================== +--- shadow-4.1.4.2.orig/src/groupmod.c 2009-06-05 15:16:58.000000000 -0700 ++++ shadow-4.1.4.2/src/groupmod.c 2010-06-03 17:45:43.828952613 -0700 +@@ -720,7 +720,7 @@ int main (int argc, char **argv) + { + struct passwd *pampw; + pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */ +- if (NULL == pamh) { ++ if (NULL == pampw) { + fprintf (stderr, + _("%s: Cannot determine your user name.\n"), + Prog); diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-su_no_sanitize_env.patch b/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-su_no_sanitize_env.patch new file mode 100644 index 0000000000..f67251c840 --- /dev/null +++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-su_no_sanitize_env.patch @@ -0,0 +1,27 @@ +# commit message copied from openembedded: +# commit 246c80637b135f3a113d319b163422f98174ee6c +# Author: Khem Raj <raj.khem@gmail.com> +# Date: Wed Jun 9 13:37:03 2010 -0700 +# +# shadow-4.1.4.2: Add patches to support dots in login id. +# +# 
Signed-off-by: Khem Raj <raj.khem@gmail.com> +# +# comment added by Kevin Tian <kevin.tian@intel.com>, 2010-08-11 + +http://bugs.gentoo.org/show_bug.cgi?id=301957 +https://alioth.debian.org/scm/browser.php?group_id=30580 + +Index: shadow-4.1.4.2/src/su.c +=================================================================== +--- shadow-4.1.4.2.orig/src/su.c 2009-07-23 13:38:56.000000000 -0700 ++++ shadow-4.1.4.2/src/su.c 2010-06-03 17:46:47.718944010 -0700 +@@ -378,7 +378,7 @@ int main (int argc, char **argv) + #endif + #endif /* !USE_PAM */ + +- sanitize_env (); ++ /* sanitize_env (); */ + + (void) setlocale (LC_ALL, ""); + (void) bindtextdomain (PACKAGE, LOCALEDIR); diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow.automake-1.11.patch b/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow.automake-1.11.patch new file mode 100644 index 0000000000..36d7be6fd0 --- /dev/null +++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow.automake-1.11.patch @@ -0,0 +1,102 @@ +# patch is from openembedded: +# commit 2db61370333f7a2fc1dbb86385734883387e0217 +# Author: Martin Jansa <Martin.Jansa@gmail.com> +# Date: Fri Apr 2 07:34:46 2010 +0200 +# +# shadow: fix do_install with automake-1.11 +# +# 
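Review bot: Commenting out `sanitize_env ();` in su's main() removes the only step that strips loader-influencing variables (the forbid list in libmisc/env.c, not shown here) from the environment that `su -p`/`-m` hands to the target user's shell and that, presumably, the PAM conversation later in main() also sees; the Gentoo and Debian links give the motivation, but the header does not say why this is acceptable for this distribution, and it also makes the env-reset-keep-locale fix in this same commit moot for su. Suggest at least a header line such as `# Disables environment sanitising in su (see bug links); revisit before shipping images with untrusted local users`, or, better, a narrower patch that keeps the forbid-list pass and skips only the locale pass. main() continues outside the hunk.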
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> +# +# comment added by Kevin Tian <kevin.tian@intel.com> + +man_nopan is for !USE_PAM already included in man_MANS and automake-1.11 hates to install some file twice + +diff -uNr shadow-4.1.4.2.orig/man/Makefile.am shadow-4.1.4.2/man/Makefile.am +--- shadow-4.1.4.2.orig/man/Makefile.am 2009-03-14 15:40:10.000000000 +0100 ++++ shadow-4.1.4.2/man/Makefile.am 2010-04-02 07:31:17.000000000 +0200 +@@ -163,7 +163,6 @@ + $(man_MANS) \ + $(man_XMANS) \ + $(addprefix login.defs.d/,$(login_defs_v)) \ +- $(man_nopam) \ + id.1 \ + id.1.xml \ + sulogin.8 \ +diff -uNr shadow-4.1.4.2.orig/man/fr/Makefile.am shadow-4.1.4.2/man/fr/Makefile.am +--- shadow-4.1.4.2.orig/man/fr/Makefile.am 2008-09-06 18:44:45.000000000 +0200 ++++ shadow-4.1.4.2/man/fr/Makefile.am 2010-04-02 07:42:11.000000000 +0200 +@@ -52,7 +52,6 @@ + + EXTRA_DIST = \ + $(man_MANS) \ +- $(man_nopam) \ + id.1 + + include ../generate_translations.mak +diff -uNr shadow-4.1.4.2.orig/man/it/Makefile.am shadow-4.1.4.2/man/it/Makefile.am +--- shadow-4.1.4.2.orig/man/it/Makefile.am 2008-09-06 18:44:45.000000000 +0200 ++++ shadow-4.1.4.2/man/it/Makefile.am 2010-04-02 07:42:20.000000000 +0200 +@@ -46,7 +46,6 @@ + + EXTRA_DIST = \ + $(man_MANS) \ +- $(man_nopam) \ + id.1 \ + logoutd.8 + +diff -uNr shadow-4.1.4.2.orig/man/ja/Makefile.am shadow-4.1.4.2/man/ja/Makefile.am +--- shadow-4.1.4.2.orig/man/ja/Makefile.am 2007-12-31 17:48:28.000000000 +0100 ++++ shadow-4.1.4.2/man/ja/Makefile.am 2010-04-02 07:42:17.000000000 +0200 +@@ -49,7 +49,6 @@ + + EXTRA_DIST = \ + $(man_MANS) \ +- $(man_nopam) \ + id.1 \ + shadow.3 \ + sulogin.8 +diff -uNr shadow-4.1.4.2.orig/man/pl/Makefile.am shadow-4.1.4.2/man/pl/Makefile.am +--- shadow-4.1.4.2.orig/man/pl/Makefile.am 2008-09-06 18:44:45.000000000 +0200 ++++ shadow-4.1.4.2/man/pl/Makefile.am 2010-04-02 07:42:07.000000000 +0200 +@@ -49,7 +49,6 @@ + + EXTRA_DIST = \ + $(man_MANS) \ +- $(man_nopam) \ + getspnam.3 \ + id.1 \ + shadow.3 \ +diff -uNr 
shadow-4.1.4.2.orig/man/ru/Makefile.am shadow-4.1.4.2/man/ru/Makefile.am +--- shadow-4.1.4.2.orig/man/ru/Makefile.am 2010-04-02 07:39:00.000000000 +0200 ++++ shadow-4.1.4.2/man/ru/Makefile.am 2010-04-02 07:42:01.000000000 +0200 +@@ -54,7 +54,6 @@ + + EXTRA_DIST = \ + $(man_MANS) \ +- $(man_nopam) \ + id.1 \ + sulogin.8 + +diff -uNr shadow-4.1.4.2.orig/man/sv/Makefile.am shadow-4.1.4.2/man/sv/Makefile.am +--- shadow-4.1.4.2.orig/man/sv/Makefile.am 2008-09-06 18:44:45.000000000 +0200 ++++ shadow-4.1.4.2/man/sv/Makefile.am 2010-04-02 07:42:24.000000000 +0200 +@@ -53,8 +53,7 @@ + endif + + EXTRA_DIST = \ +- $(man_MANS) \ +- $(man_nopam) ++ $(man_MANS) + + include ../generate_translations.mak + +--- shadow-4.1.4.2.orig/man/ru/Makefile.am 2010-04-02 07:54:09.000000000 +0200 ++++ shadow-4.1.4.2/man/ru/Makefile.am 2010-04-02 07:51:57.000000000 +0200 +@@ -1,7 +1,6 @@ + mandir = @mandir@/ru + + man_MANS = \ +- $(man_nopam) \ + chage.1 \ + chfn.1 \ + chgpasswd.8 \ diff --git a/meta-lsb/packages/shadow/shadow.inc b/meta-lsb/packages/shadow/shadow.inc new file mode 100644 index 0000000000..fcbcb3eb75 --- /dev/null +++ b/meta-lsb/packages/shadow/shadow.inc 
@@ -0,0 +1,121 @@
+DESCRIPTION = "Tools to change and administer password and group data."
+HOMEPAGE = "http://pkg-shadow.alioth.debian.org/"
+BUGTRACKER = "https://alioth.debian.org/tracker/?group_id=30580"
+SECTION = "base utils"
+LICENSE = "BSD | Artistic"
+LIC_FILES_CHKSUM = "file://COPYING;md5=08c553a87d4e51bbed50b20e0adcaede \
+ file://src/passwd.c;firstline=8;endline=30;md5=2899a045e90511d0e043b85a7db7e2fe"
+
+PAM_PLUGINS = " libpam-runtime \
+ pam-plugin-faildelay \
+ pam-plugin-securetty \
+ pam-plugin-nologin \
+ pam-plugin-env \
+ pam-plugin-group \
+ pam-plugin-limits \
+ pam-plugin-lastlog \
+ pam-plugin-motd \
+ pam-plugin-mail \
+ pam-plugin-shells \
+ pam-plugin-rootok"
+
+DEPENDS = "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
+RDEPENDS = "${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_PLUGINS}', '', d)}"
+
+# since we deduce from ${SERIAL_CONSOLE}
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+# Additional Policy files for PAM
+PAM_SRC_URI = "file://pam.d/chfn \
+ file://pam.d/chpasswd \
+ file://pam.d/chsh \
+ file://pam.d/login \
+ file://pam.d/newusers \
+ file://pam.d/passwd \
+ file://pam.d/su"
+
+SRC_URI = "ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-${PV}.tar.bz2 \
+ file://login_defs_pam.sed \
+ ${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
+ file://securetty"
+
+inherit autotools gettext
+
+EXTRA_OECONF += "--without-audit \
+ --without-libcrack \
+ ${@base_contains('DISTRO_FEATURES', 'pam', '--with-libpam', '--without-libpam', d)} \
+ --without-selinux"
+
+do_install_append() {
+ # Ensure that the image has as /var/spool/mail dir so shadow can put mailboxes there if the user
+ # reconfigures Shadow to default (see sed below).
+ install -d ${D}${localstatedir}/spool/mail
+
+ if [ -e ${WORKDIR}/pam.d ]; then
+ install -d ${D}${sysconfdir}/pam.d/
+ install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/
+ # Remove defaults that are not used when supporting PAM
+ sed -i -f ${WORKDIR}/login_defs_pam.sed ${D}${sysconfdir}/login.defs
+ fi
+
+ # Enable CREATE_HOME by default.
+ sed -i 's/#CREATE_HOME/CREATE_HOME/g' ${D}${sysconfdir}/login.defs
+
+ # As we are on an embedded system ensure the users mailbox is in ~/ not
+ # /var/spool/mail by default as who knows where or how big /var is.
+ # The system MDA will set this later anyway.
+ sed -i 's/MAIL_DIR/#MAIL_DIR/g' ${D}${sysconfdir}/login.defs
+ sed -i 's/#MAIL_FILE/MAIL_FILE/g' ${D}${sysconfdir}/login.defs
+
+ # disable checking emails at all
+ sed -i 's/MAIL_CHECK_ENAB/#MAIL_CHECK_ENAB/g' ${D}${sysconfdir}/login.defs
+
+ # now we don't have a mail system. disable mail creation for now
+ sed -i 's:/bin/bash:/bin/sh:g' ${D}${sysconfdir}/default/useradd
+ sed -i '/^CREATE_MAIL_SPOOL/ s:^:#:' ${D}${sysconfdir}/default/useradd
+
+ install -d ${D}${sbindir} ${D}${base_sbindir} ${D}${base_bindir}
+ for i in passwd chfn newgrp chsh ; do
+ mv ${D}${bindir}/$i ${D}${bindir}/$i.${PN}
+ done
+
+ mv ${D}${sbindir}/chpasswd ${D}${sbindir}/chpasswd.${PN}
+ mv ${D}${sbindir}/vigr ${D}${base_sbindir}/vigr.${PN}
+ mv ${D}${sbindir}/vipw ${D}${base_sbindir}/vipw.${PN}
+ mv ${D}${bindir}/login ${D}${base_bindir}/login.${PN}
+
+ # Ensure we add a suitable securetty file to the package that has most common embedded TTYs defined.
+ if [ ! -z "${SERIAL_CONSOLE}" ]; then
+ # our SERIAL_CONSOLE contains baud rate too and sometime -L option as well.
+ # the following pearl :) takes that and converts it into newline sepated tty's and appends
+ # them into securetty. So if a machine has a weird looking console device node (e.g. ttyAMA0) that securetty
+ # does not know then it will get appended to securetty and root login will be allowed on
+ # that console.
+ echo "${SERIAL_CONSOLE}" | sed -e 's/[0-9][0-9]\|\-L//g'|tr "[ ]" "[\n]" >> ${WORKDIR}/securetty
+ fi
+ install -m 0400 ${WORKDIR}/securetty ${D}${sysconfdir}/securetty
+}
+
+pkg_postinst_${PN} () {
+ update-alternatives --install ${bindir}/passwd passwd passwd.${PN} 200
+ update-alternatives --install ${sbindir}/chpasswd chpasswd chpasswd.${PN} 200
+ update-alternatives --install ${bindir}/chfn chfn chfn.${PN} 200
+ update-alternatives --install ${bindir}/newgrp newgrp newgrp.${PN} 200
+ update-alternatives --install ${bindir}/chsh chsh chsh.${PN} 200
+ update-alternatives --install ${base_bindir}/login login login.${PN} 200
+ update-alternatives --install ${base_sbindir}/vipw vipw vipw.${PN} 200
+ update-alternatives --install ${base_sbindir}/vigr vigr vigr.${PN} 200
+
+ if [ "x$D" != "x" ]; then
+ exit 1
+ fi
+
+ pwconv
+ grpconv
+}
+
+pkg_prerm_${PN} () {
+ for i in passwd chpasswd chfn newgrp chsh login vipw vigr ; do
+ update-alternatives --remove $i $i.${PN}
+ done
+}
diff --git a/meta-lsb/packages/shadow/shadow_4.1.4.2.bb b/meta-lsb/packages/shadow/shadow_4.1.4.2.bb
new file mode 100644
index 0000000000..bc00c099bf
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow_4.1.4.2.bb
@@ -0,0 +1,11 @@
+require shadow.inc
+
+PR = "r0"
+
+SRC_URI += "file://shadow.automake-1.11.patch \
+ file://shadow-4.1.3-dots-in-usernames.patch \
+ file://shadow-4.1.4.2-env-reset-keep-locale.patch \
+ file://shadow-4.1.4.2-groupmod-pam-check.patch \
+ file://shadow-4.1.4.2-su_no_sanitize_env.patch"
+
+EXTRA_OECONF_libc-uclibc += " --with-nscd=no "
diff --git a/meta/site/common b/meta/site/common
index e2dd4b57f7..5da3ff41de 100644
--- a/meta/site/common
+++ b/meta/site/common
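Review bot: The SERIAL_CONSOLE filter `sed -e 's/[0-9][0-9]\|\-L//g'` removes every pair of adjacent digits rather than the baud-rate token, so a five-digit rate such as `38400` leaves a stray `0` line in securetty (root login permitted on a "tty" named `0`), and a device with two digits such as `ttyS10` is truncated to `ttyS`, which silently fails to allow the real console. The output is also appended to `${WORKDIR}/securetty`, so re-running do_install without a fresh unpack accumulates duplicate entries. Filtering by whitespace-separated token and appending to the copy under ${D} (then tightening the mode) fixes both; the rewritten tail of do_install_append is below, and the comment typos `has as /var/spool/mail` and `newline sepated` could be fixed at the same time. The rest of the function is unchanged.
```bitbake
	# Ensure we add a suitable securetty file to the package that has most common embedded TTYs defined.
	install -m 0644 ${WORKDIR}/securetty ${D}${sysconfdir}/securetty
	if [ ! -z "${SERIAL_CONSOLE}" ]; then
		# SERIAL_CONSOLE is "<baud> <device> [-L]": keep only the device token(s) so a
		# baud rate with an odd digit count cannot leave a stray digit behind and a
		# device name that itself contains two digits (e.g. ttyS10) stays intact.
		for token in ${SERIAL_CONSOLE}; do
			case "$token" in
				-L|[0-9]*) ;;
				*) echo "$token" ;;
			esac
		done >> ${D}${sysconfdir}/securetty
	fi
	chmod 0400 ${D}${sysconfdir}/securetty
}
```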
@@ -7,3 +7,11 @@ ac_cv_file__dev_random=${ac_cv_file__dev_random=yes} # Avoid sudo to assume void for unsetenv in cross environment, or else it conflicts with # target stdlib.h prototype which follows POSIX compiliance. Mark for upstream. sudo_cv_func_unsetenv_void=no + +# shadow dir info, to avoid searching build system +shadow_cv_maildir=${localstatedir}/spool/mail +shadow_cv_mailfile=Mailbox +shadow_cv_utmpdir=${localstatedir}/run +shadow_cv_logdir=${localstatedir}/log +shadow_cv_passwd_dir=${bindir} + |
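Review bot: The five new `shadow_cv_*` lines assign unconditionally, while the existing entries in this file use the `${var=default}` form (see `ac_cv_file__dev_random=${ac_cv_file__dev_random=yes}` in the context) so that a recipe or a more specific site file can still override them; write them the same way, e.g. `shadow_cv_maildir=${shadow_cv_maildir=${localstatedir}/spool/mail}`. Since `${localstatedir}` and `${bindir}` are expanded by configure's shell when the site file is sourced, the values also depend on those variables being set before that point, which is presumably guaranteed by the OE configure invocation but deserves a one-line comment above the block.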