diff --git a/.cvsignore b/.cvsignore
index 44506c6..1aa7c2d 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1,3 +1,4 @@
 shadow-4.0.17-login.defs
 shadow-4.0.18.1-useradd
 shadow-4.1.1.tar.bz2
+shadow-4.1.2.tar.bz2
diff --git a/shadow-4.1.0-goodname.patch b/shadow-4.1.0-goodname.patch
deleted file mode 100644
index 5456ceb..0000000
--- a/shadow-4.1.0-goodname.patch
+++ /dev/null
@@ -1,93 +0,0 @@ -diff -up shadow-4.1.0/libmisc/chkname.c.goodname shadow-4.1.0/libmisc/chkname.c ---- shadow-4.1.0/libmisc/chkname.c.goodname 2007-11-11 00:45:59.000000000 +0100 -+++ shadow-4.1.0/libmisc/chkname.c 2007-12-12 13:57:20.000000000 +0100 -@@ -18,16 +18,24 @@ - static int good_name (const char *name) - { - /* -- * User/group names must match [a-z_][a-z0-9_-]*[$] -- */ -- if (!*name || !((*name >= 'a' && *name <= 'z') || *name == '_')) -+ * User/group names must match gnu e-regex: -+ * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]? -+ * -+ * as a non-POSIX, extension, allow "$" as the last char for -+ * sake of Samba 3.x "add machine script" -+ */ -+ if (!*name || !((*name >= 'a' && *name <= 'z') -+ || (*name >= 'A' && *name <= 'Z') -+ || (*name >= '0' && *name <= '9') -+ || *name == '_' || *name == '.')) - return 0; - - while (*++name) { -- if (!((*name >= 'a' && *name <= 'z') || -- (*name >= '0' && *name <= '9') || -- *name == '_' || *name == '-' || -- (*name == '$' && *(name + 1) == '\0'))) -+ if (!( (*name >= 'a' && *name <= 'z') -+ || (*name >= 'A' && *name <= 'Z') -+ || (*name >= '0' && *name <= '9') -+ || *name == '_' || *name == '.' || *name == '-' -+ || (*name == '$' && *(name + 1) == '\0'))) - return 0; - } - -@@ -43,10 +51,9 @@ int check_user_name (const char *name) - #endif - - /* -- * User names are limited by whatever utmp can -- * handle (usually max 8 characters). -+ * User names are limited by whatever utmp can handle. - */ -- if (strlen (name) > sizeof (ut.ut_user)) -+ if (strlen(name) + 1 > sizeof(ut.ut_user)) - return 0; - - return good_name (name); -@@ -54,11 +61,13 @@ int check_user_name (const char *name) - - int check_group_name (const char *name) - { -- /* -- * Arbitrary limit for group names - max 16 -- * characters (same as on HP-UX 10). 
-- */ -- if (strlen (name) > 16) -+#if HAVE_UTMPX_H -+ struct utmpx ut; -+#else -+ struct utmp ut; -+#endif -+ -+ if (strlen(name) + 1 > sizeof(ut.ut_user)) - return 0; - - return good_name (name); -diff -up shadow-4.1.0/man/groupadd.8.goodname shadow-4.1.0/man/groupadd.8 ---- shadow-4.1.0/man/groupadd.8.goodname 2007-12-12 13:51:43.000000000 +0100 -+++ shadow-4.1.0/man/groupadd.8 2007-12-12 14:00:29.000000000 +0100 -@@ -126,9 +126,7 @@ Shadow password suite configuration\. - .RE - .SH "CAVEATS" - .PP --Groupnames must begin with a lower case letter or an underscore, and only lower case letters, underscores, dashes, and dollar signs may follow\. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$] --.PP --Groupnames may only be up to 16 characters long\. -+Groupnames may only be up to 32 characters long\. - .PP - You may not add a NIS or LDAP group\. This must be performed on the corresponding server\. - .PP -diff -up shadow-4.1.0/man/useradd.8.goodname shadow-4.1.0/man/useradd.8 ---- shadow-4.1.0/man/useradd.8.goodname 2007-12-12 13:51:43.000000000 +0100 -+++ shadow-4.1.0/man/useradd.8 2007-12-12 14:01:36.000000000 +0100 -@@ -242,8 +242,6 @@ You may not add a user to a NIS or LDAP - Similarly, if the username already exists in an external user database such as NIS or LDAP, - \fBuseradd\fR - will deny the user account creation request\. --.PP --Usernames must begin with a lower case letter or an underscore, and only lower case letters, underscores, dashes, and dollar signs may follow\. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$] - .SH "CONFIGURATION" - .PP - The following configuration variables in diff --git a/shadow-4.1.1-audit.patch b/shadow-4.1.1-audit.patch deleted file mode 100644 index 964e0c1..0000000 --- a/shadow-4.1.1-audit.patch +++ /dev/null 
@@ -1,26 +0,0 @@
-diff -up shadow-4.1.1/src/newgrp.c.audit shadow-4.1.1/src/newgrp.c
---- shadow-4.1.1/src/newgrp.c.audit 2008-04-03 15:20:25.000000000 +0200
-+++ shadow-4.1.1/src/newgrp.c 2008-04-03 15:22:00.000000000 +0200
-@@ -53,6 +53,10 @@ static GETGROUPS_T *grouplist;
- static char *Prog;
- static int is_newgrp;
-
-+#ifdef WITH_AUDIT
-+ char audit_buf[80];
-+#endif
-+
- /* local function prototypes */
- static void usage (void);
- static void check_perms (const struct group *grp,
-@@ -349,10 +353,9 @@ int main (int argc, char **argv)
- #endif
-
- #ifdef WITH_AUDIT
-- char audit_buf[80];
--
- audit_help_open ();
- #endif
-+
- setlocale (LC_ALL, "");
- bindtextdomain (PACKAGE, LOCALEDIR);
- textdomain (PACKAGE);
diff --git a/shadow-4.1.1-redhat.patch b/shadow-4.1.1-redhat.patch
deleted file mode 100644
index 48ad96a..0000000
--- a/shadow-4.1.1-redhat.patch
+++ /dev/null
@@ -1,272 +0,0 @@ -diff -up shadow-4.1.1/libmisc/find_new_ids.c.redhat shadow-4.1.1/libmisc/find_new_ids.c ---- shadow-4.1.1/libmisc/find_new_ids.c.redhat 2008-04-03 12:18:51.000000000 +0200 -+++ shadow-4.1.1/libmisc/find_new_ids.c 2008-04-03 13:30:44.000000000 +0200 -@@ -26,11 +26,11 @@ int find_new_uid (int sys_user, uid_t *u - assert (uid != NULL); - - if (sys_user == 0) { -- uid_min = getdef_unum ("UID_MIN", 1000); -+ uid_min = getdef_unum ("UID_MIN", 500); - uid_max = getdef_unum ("UID_MAX", 60000); - } else { - uid_min = getdef_unum ("SYS_UID_MIN", 1); -- uid_max = getdef_unum ("UID_MIN", 1000) - 1; -+ uid_max = getdef_unum ("UID_MIN", 500) - 1; - uid_max = getdef_unum ("SYS_UID_MAX", uid_max); - } - -@@ -108,11 +108,11 @@ int find_new_gid (int sys_group, gid_t * - assert (gid != NULL); - - if (sys_group == 0) { -- gid_min = getdef_unum ("GID_MIN", 1000); -+ gid_min = getdef_unum ("GID_MIN", 500); - gid_max = getdef_unum ("GID_MAX", 60000); - } else { - gid_min = getdef_unum ("SYS_GID_MIN", 1); -- gid_max = getdef_unum ("GID_MIN", 1000) - 1; -+ gid_max = getdef_unum ("GID_MIN", 500) - 1; - gid_max = getdef_unum ("SYS_GID_MAX", gid_max); - } - -diff -up shadow-4.1.1/src/useradd.c.redhat shadow-4.1.1/src/useradd.c ---- shadow-4.1.1/src/useradd.c.redhat 2008-03-08 23:42:05.000000000 +0100 -+++ shadow-4.1.1/src/useradd.c 2008-04-03 14:07:32.000000000 +0200 -@@ -82,7 +82,7 @@ - static gid_t def_group = 100; - static const char *def_gname = "other"; - static const char *def_home = "/home"; --static const char *def_shell = ""; -+static const char *def_shell = "/sbin/nologin"; - static const char *def_template = SKEL_DIR; - static const char *def_create_mail_spool = "no"; - -@@ -94,7 +94,7 @@ static char def_file[] = USER_DEFAULTS_F - #define VALID(s) (strcspn (s, ":\n") == strlen (s)) - - static const char *user_name = ""; --static const char *user_pass = "!"; -+static const char *user_pass = "!!"; - static uid_t user_id; - static gid_t user_gid; - static const char 
*user_comment = ""; -@@ -130,6 +130,7 @@ static int - kflg = 0, /* specify a directory to fill new user directory */ - lflg = 0, /* do not add user to lastlog database file */ - mflg = 0, /* create user's home directory if it doesn't exist */ -+ Mflg = 0, /* do NOT create user's home directory no matter what */ - Nflg = 0, /* do not create a group having the same name as the user, but add the user to def_group (or the group specified with -g) */ - oflg = 0, /* permit non-unique user ID to be specified with -u */ - rflg = 0, /* create a system account */ -@@ -653,6 +654,7 @@ static void usage (void) - " faillog databases\n" - " -m, --create-home create home directory for the new user\n" - " account\n" -+ " -M, do not create user's home directory(overrides /etc/login.defs)\n" - " -N, --no-user-group do not create a group with the same name as\n" - " the user\n" - " -o, --non-unique allow create user with duplicate\n" -@@ -883,7 +885,7 @@ static void process_flags (int argc, cha - {NULL, 0, NULL, '\0'} - }; - while ((c = -- getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:lmMNop:rs:u:U", -+ getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:U", - long_options, NULL)) != -1) { - switch (c) { - case 'b': -@@ -1023,6 +1025,10 @@ static void process_flags (int argc, cha - case 'm': - mflg++; - break; -+ case 'M': -+ Mflg++; -+ break; -+ case 'n': - case 'N': - Nflg++; - break; -@@ -1076,6 +1082,9 @@ static void process_flags (int argc, cha - Uflg = getdef_bool ("USERGROUPS_ENAB"); - } - -+ if (mflg && Mflg) /* the admin is not decided .. create or not ? */ -+ usage(); -+ - /* - * Certain options are only valid in combination with others. - * Check it here so that they can be specified in any order. 
-@@ -1625,6 +1634,14 @@ int main (int argc, char **argv) - } - #endif /* USE_PAM */ - -+ if (!rflg) /* for system accounts defaults are ignored and we -+ * do not create a home dir -- gafton */ -+ if (getdef_bool("CREATE_HOME")) -+ mflg = 1; -+ -+ if (Mflg) /* absolutely sure that we do not create home dirs */ -+ mflg = 0; -+ - /* - * See if we are messing with the defaults file, or creating - * a new user. -@@ -1724,27 +1741,22 @@ int main (int argc, char **argv) - ("%s: warning: the home directory already exists.\n" - "Not copying any file from skel directory into it.\n"), - Prog); -- -- } else if (getdef_str ("CREATE_HOME")) { -- /* -- * RedHat added the CREATE_HOME option in login.defs in their -- * version of shadow-utils (which makes -m the default, with -- * new -M option to turn it off). Unfortunately, this -- * changes the way useradd works (it can be run by scripts -- * expecting some standard behaviour), compared to other -- * Unices and other Linux distributions, and also adds a lot -- * of confusion :-(. -- * So we now recognize CREATE_HOME and give a warning here -- * (better than "configuration error ... notify administrator" -- * errors in every program that reads /etc/login.defs). -MM -- */ -- fprintf (stderr, -- _ -- ("%s: warning: CREATE_HOME not supported, please use -m instead.\n"), -- Prog); - } -- -- create_mail (); -+ /* Warning removed to protect the innocent. */ -+ /* -+ * The whole idea about breaking some stupid scripts by creating a new -+ * variable is crap - I could care less about the scripts. Historically -+ * adduser type programs have always created the home directories and -+ * I don't like the idea of providing a script when we can fix the -+ * binary itself. And if the scripts are using the right options to the -+ * useradd then they will not break. 
If not, they depend on unspecified -+ * behavior and they will break, but they were broken anyway to begin -+ * with --gafton -+ */ -+ -+ /* Do not create mail directory for system accounts */ -+ if( !rflg ) -+ create_mail (); - - close_files (); - -diff -up shadow-4.1.1/src/groupadd.c.redhat shadow-4.1.1/src/groupadd.c -diff -up shadow-4.1.1/man/useradd.8.redhat shadow-4.1.1/man/useradd.8 ---- shadow-4.1.1/man/useradd.8.redhat 2008-04-03 00:43:14.000000000 +0200 -+++ shadow-4.1.1/man/useradd.8 2008-04-03 14:20:23.000000000 +0200 -@@ -25,9 +25,9 @@ When invoked without the - \fB\-D\fR - option, the - \fBuseradd\fR --command creates a new user account using the values specified on the command line plus the default values from the system\. Depending on command line options, the -+command creates a new user account using the values specified on the command line and the default values from the system. Depending on command line options, the - \fBuseradd\fR --command will update system files and may also create the new user\'s home directory and copy initial files\. -+command will update system files and may also create the new user's home directory and copy initial files. The version provided with Red Hat Linux will create a group for each user added to the system by default. - .SH "OPTIONS" - .PP - The options which apply to the -@@ -84,7 +84,7 @@ The number of days after a password expi - .PP - \fB\-g\fR, \fB\-\-gid\fR \fIGROUP\fR - .RS 4 --The group name or number of the user\'s initial login group\. The group name must exist\. A group number must refer to an already existing group\. The default group number is 1 or whatever is specified in -+The group name or number of the user\'s initial login group\. The group name must exist\. A group number must refer to an already existing group\. - \fI/etc/default/useradd\fR\. - .RE - .PP -@@ -100,6 +100,13 @@ option\. The default is for the user to - Display help message and exit\. 
- .RE - .PP -+\fB-M\fR -+.RS 4 -+The user\'s home directory will not be created, even if the system wide settings from -+\fI/etc/login.defs\fR -+is to create home dirs\. -+.RE -+.PP - \fB\-m\fR, \fB\-\-create\-home\fR - .RS 4 - The user\'s home directory will be created if it does not exist\. The files contained in -@@ -174,6 +181,19 @@ The encrypted password, as returned by - \fBcrypt\fR(3)\. The default is to disable the account\. - .RE - .PP -+\fB-r\fR -+.RS 4 -+This flag is used to create a system account\. That is, a user with a UID lower than the value of UID_MIN defined in -+\fI/etc/login.defs\fR -+and whose password does not expire\. Note that -+\fBuseradd\fR -+will not create a home directory for such an user, regardless of the default setting in -+\fI/etc/login.defs\fR\. -+You have to specify -+\fB-m\fR -+option if you want a home directory for a system account to be created\. This is an option added by Red Hat\. -+.RE -+.PP - \fB\-s\fR, \fB\-\-shell\fR \fISHELL\fR - .RS 4 - The name of the user\'s login shell\. The default is to leave this field blank, which causes the system to select the default login shell\. -@@ -244,6 +264,8 @@ The name of a new user\'s login shell\. - The system administrator is responsible for placing the default user files in the - \fI/etc/skel/\fR - directory\. -+.br -+This version of useradd was modified by Red Hat to suit Red Hat user/group conventions\. - .SH "CAVEATS" - .PP - You may not add a user to a NIS or LDAP group\. This must be performed on the corresponding server\. -@@ -381,6 +403,11 @@ Secure user account information\. - Group account information\. - .RE - .PP -+\fI/etc/gshadow\fR -+.RS 4 -+Secure group account information\. -+.RE -+.PP - \fI/etc/default/useradd\fR - .RS 4 - Default values for account creation\. 
-diff -up shadow-4.1.1/man/groupadd.8.redhat shadow-4.1.1/man/groupadd.8 ---- shadow-4.1.1/man/groupadd.8.redhat 2008-04-03 00:42:54.000000000 +0200 -+++ shadow-4.1.1/man/groupadd.8 2008-04-03 14:27:04.000000000 +0200 -@@ -14,7 +14,7 @@ - groupadd \- create a new group - .SH "SYNOPSIS" - .HP 9 --\fBgroupadd\fR [\-g\ \fIGID\fR\ [\-o]] [\-f] [\-K\ \fIKEY\fR=\fIVALUE\fR] \fIgroup\fR -+\fBgroupadd\fR [\-g\ \fIgid\fR\ [\-o]] [\-r] [\-f] [\-K\ \fIKEY\fR=\fIVALUE\fR] \fIgroup\fR - .SH "DESCRIPTION" - .PP - The -@@ -34,11 +34,22 @@ This option causes the command to simply - is turned off)\. - .RE - .PP -+\fB-r\fR -+.RS 4 -+This flag instructs -+\fBgroupadd\fR -+to add a system account\. The first available -+\fIgid\fR -+lower than 499 will be automatically selected unless the -+\fB-g\fR -+option is also given on the command line\. This is an option added by Red Hat\. -+.RE -+.PP - \fB\-g\fR, \fB\-\-gid\fR \fIGID\fR - .RS 4 - The numerical value of the group\'s ID\. This value must be unique, unless the - \fB\-o\fR --option is used\. The value must be non\-negative\. The default is to use the smallest ID value greater than 999 and greater than every other group\. Values between 0 and 999 are typically reserved for system accounts\. -+option is used\. The value must be non\-negative\. The default is to use the smallest ID value greater than 499 and greater than every other group\. Values between 0 and 500 are typically reserved for system accounts\. - .RE - .PP - \fB\-h\fR, \fB\-\-help\fR diff --git a/shadow-4.1.1-saltSize.patch b/shadow-4.1.1-saltSize.patch deleted file mode 100644 index aaf1dec..0000000 --- a/shadow-4.1.1-saltSize.patch +++ /dev/null 
@@ -1,17 +0,0 @@
-diff -up shadow-4.1.1/libmisc/salt.c.saltSize shadow-4.1.1/libmisc/salt.c
---- shadow-4.1.1/libmisc/salt.c.saltSize 2008-05-20 13:36:06.000000000 +0200
-+++ shadow-4.1.1/libmisc/salt.c 2008-05-20 13:39:30.000000000 +0200
-@@ -90,9 +90,10 @@ static void seedRNG (void)
- */
- static unsigned int SHA_salt_size (void)
- {
-- double rand_rounds = 9 * random ();
-- rand_rounds /= RAND_MAX;
-- return 8 + rand_rounds;
-+ unsigned int rand_rounds;
-+ seedRNG ();
-+ rand_rounds = random () % 9;
-+ return 8 + rand_rounds;
- }
-
- /* ! Arguments evaluated twice ! */
diff --git a/shadow-4.1.1-sysAccountDownhill.patch b/shadow-4.1.1-sysAccountDownhill.patch
deleted file mode 100644
index 63f6911..0000000
--- a/shadow-4.1.1-sysAccountDownhill.patch
+++ /dev/null
@@ -1,94 +0,0 @@ -diff -up shadow-4.1.1/libmisc/find_new_ids.c.sysAccountDownhill shadow-4.1.1/libmisc/find_new_ids.c ---- shadow-4.1.1/libmisc/find_new_ids.c.sysAccountDownhill 2008-04-04 21:46:08.000000000 +0200 -+++ shadow-4.1.1/libmisc/find_new_ids.c 2008-04-04 21:50:04.000000000 +0200 -@@ -22,6 +22,7 @@ int find_new_uid (int sys_user, uid_t *u - { - const struct passwd *pwd; - uid_t uid_min, uid_max, user_id; -+ char * index; - - assert (uid != NULL); - -@@ -32,6 +33,8 @@ int find_new_uid (int sys_user, uid_t *u - uid_min = getdef_unum ("SYS_UID_MIN", 1); - uid_max = getdef_unum ("UID_MIN", 500) - 1; - uid_max = getdef_unum ("SYS_UID_MAX", uid_max); -+ index = alloca (sizeof (char) * uid_max +1); -+ memset (index, 0, sizeof (char) * uid_max + 1); - } - - if ( (NULL != preferred_uid) -@@ -61,8 +64,24 @@ int find_new_uid (int sys_user, uid_t *u - pw_rewind (); - while ( ((pwd = getpwent ()) != NULL) - || ((pwd = pw_next ()) != NULL)) { -- if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { -- user_id = pwd->pw_uid + 1; -+ if (sys_user == 0) { -+ if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) { -+ user_id = pwd->pw_uid + 1; -+ } -+ } -+ else { -+ /* create index of occupied system accounts UIDs */ -+ if (pwd->pw_uid <= uid_max) -+ index[pwd->pw_uid] = 1; -+ } -+ } -+ -+ /* find free system account */ -+ if(sys_user) { -+ for( user_id = uid_max; (user_id >= uid_min) && index[user_id]; user_id--); -+ if ( user_id < uid_min ) { -+ fputs (_("Can't get unique UID (no more available UIDs)\n"), stderr); -+ return -1; - } - } - -@@ -104,6 +123,7 @@ int find_new_gid (int sys_group, gid_t * - { - const struct group *grp; - gid_t gid_min, gid_max, group_id; -+ char * index; - - assert (gid != NULL); - -@@ -114,6 +134,8 @@ int find_new_gid (int sys_group, gid_t * - gid_min = getdef_unum ("SYS_GID_MIN", 1); - gid_max = getdef_unum ("GID_MIN", 500) - 1; - gid_max = getdef_unum ("SYS_GID_MAX", gid_max); -+ index = alloca (sizeof (char) * gid_max +1); -+ 
memset (index, 0, sizeof (char) * gid_max + 1); - } - - if ( (NULL != preferred_gid) -@@ -142,11 +164,27 @@ int find_new_gid (int sys_group, gid_t * - gr_rewind (); - while ( ((grp = getgrent ()) != NULL) - || ((grp = gr_next ()) != NULL)) { -- if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { -- group_id = grp->gr_gid + 1; -+ if (sys_group == 0) { -+ if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) { -+ group_id = grp->gr_gid + 1; -+ } -+ } -+ else { -+ /* create index of occupied system accounts GIDs */ -+ if (grp->gr_gid <= gid_max) -+ index[grp->gr_gid] = 1; - } - } - -+ /* find free system account */ -+ if(sys_group) { -+ for( group_id = gid_max; (group_id >= gid_min) && index[group_id]; group_id--); -+ if ( group_id < gid_min ) { -+ fputs (_("Can't get unique GID (no more available GIDs)\n"), stderr); -+ return -1; -+ } -+ } -+ - /* - * If a group with GID equal to GID_MAX exists, the above algorithm - * will give us GID_MAX+1 even if not unique. Search for the first diff --git a/shadow-4.1.2-goodname.patch b/shadow-4.1.2-goodname.patch new file mode 100644 index 0000000..273ad2b --- /dev/null +++ b/shadow-4.1.2-goodname.patch 
@@ -0,0 +1,93 @@
+diff -up shadow-4.1.2/libmisc/chkname.c.goodname shadow-4.1.2/libmisc/chkname.c
+--- shadow-4.1.2/libmisc/chkname.c.goodname 2008-04-27 02:40:13.000000000 +0200
++++ shadow-4.1.2/libmisc/chkname.c 2008-05-26 14:37:09.000000000 +0200
+@@ -50,16 +50,24 @@
+ static int good_name (const char *name)
+ {
+ /*
+- * User/group names must match [a-z_][a-z0-9_-]*[$]
+- */
+- if (!*name || !((*name >= 'a' && *name <= 'z') || *name == '_'))
++ * User/group names must match gnu e-regex:
++ * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?
++ *
++ * as a non-POSIX, extension, allow "$" as the last char for
++ * sake of Samba 3.x "add machine script"
++ */
++ if (!*name || !((*name >= 'a' && *name <= 'z')
++ || (*name >= 'A' && *name <= 'Z')
++ || (*name >= '0' && *name <= '9')
++ || *name == '_' || *name == '.'))
+ return 0;
+
+ while (*++name) {
+- if (!((*name >= 'a' && *name <= 'z') ||
+- (*name >= '0' && *name <= '9') ||
+- *name == '_' || *name == '-' ||
+- (*name == '$' && *(name + 1) == '\0')))
++ if (!( (*name >= 'a' && *name <= 'z')
++ || (*name >= 'A' && *name <= 'Z')
++ || (*name >= '0' && *name <= '9')
++ || *name == '_' || *name == '.' || *name == '-'
++ || (*name == '$' && *(name + 1) == '\0')))
+ return 0;
+ }
+
+@@ -75,10 +83,9 @@ int check_user_name (const char *name)
+ #endif
+
+ /*
+- * User names are limited by whatever utmp can
+- * handle (usually max 8 characters).
++ * User names are limited by whatever utmp can handle.
+ */
+- if (strlen (name) > sizeof (ut.ut_user))
++ if (strlen(name) + 1 > sizeof(ut.ut_user))
+ return 0;
+
+ return good_name (name);
+@@ -86,11 +93,13 @@ int check_user_name (const char *name)
+
+ int check_group_name (const char *name)
+ {
+- /*
+- * Arbitrary limit for group names - max 16
+- * characters (same as on HP-UX 10).
+- */
+- if (strlen (name) > 16)
++#if HAVE_UTMPX_H
++ struct utmpx ut;
++#else
++ struct utmp ut;
++#endif
++
++ if (strlen(name) + 1 > sizeof(ut.ut_user))
+ return 0;
+
+ return good_name (name);
+diff -up shadow-4.1.2/man/groupadd.8.goodname shadow-4.1.2/man/groupadd.8
+--- shadow-4.1.2/man/groupadd.8.goodname 2008-05-26 14:37:09.000000000 +0200
++++ shadow-4.1.2/man/groupadd.8 2008-05-26 14:40:51.000000000 +0200
+@@ -150,9 +150,7 @@ Shadow password suite configuration\&.
+ .RE
+ .SH "CAVEATS"
+ .PP
+-Groupnames must begin with a lower case letter or an underscore, and only lower case letters, underscores, dashes, and dollar signs may follow\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]
+-.PP
+-Groupnames may only be up to 16 characters long\&.
++Groupnames may only be up to 32 characters long\&.
+ .PP
+ You may not add a NIS or LDAP group\&. This must be performed on the corresponding server\&.
+ .PP
+diff -up shadow-4.1.2/man/useradd.8.goodname shadow-4.1.2/man/useradd.8
+--- shadow-4.1.2/man/useradd.8.goodname 2008-05-26 14:37:09.000000000 +0200
++++ shadow-4.1.2/man/useradd.8 2008-05-26 14:41:48.000000000 +0200
+@@ -293,8 +293,6 @@ You may not add a user to a NIS or LDAP
+ Similarly, if the username already exists in an external user database such as NIS or LDAP,
+ \fBuseradd\fR
+ will deny the user account creation request\&.
+-.PP
+-Usernames must begin with a lower case letter or an underscore, and only lower case letters, underscores, dashes, and dollar signs may follow\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]
+ .SH "CONFIGURATION"
+ .PP
+ The following configuration variables in
diff --git a/shadow-4.1.2-redhat.patch b/shadow-4.1.2-redhat.patch
new file mode 100644
index 0000000..75c84a8
--- /dev/null
+++ b/shadow-4.1.2-redhat.patch
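Review bot: good_name in the new chkname.c hunk accepts the names `.` and `..`, because the first character may now be `.` and `.` may repeat in later positions, so a user or group name that is a directory self-reference passes validation; wherever the name is later joined into a path (useradd's home-directory handling is the obvious caller, outside this hunk) that is a correctness and safety hazard, and `if (strcmp (name, ".") == 0 || strcmp (name, "..") == 0) return 0;` at the top of good_name closes it. The length bound in the new comment (`{0,30}` plus the first character and an optional last one, i.e. 32) does not match what the callers enforce: `strlen(name) + 1 > sizeof(ut.ut_user)` allows at most 31 characters with a 32-byte ut_user, while the groupadd.8 hunk in the same file now states 32, so the comment, the check and the man page should be aligned on one number. Purely numeric names such as `123` also pass the relaxed first-character rule; whether callers that accept either a name or a numeric id can still tell them apart is not visible here, so at least a comment recording that decision belongs next to the new first-character test.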
@@ -0,0 +1,269 @@ +diff -up shadow-4.1.2/libmisc/find_new_ids.c.redhat shadow-4.1.2/libmisc/find_new_ids.c +--- shadow-4.1.2/libmisc/find_new_ids.c.redhat 2008-04-22 00:00:19.000000000 +0200 ++++ shadow-4.1.2/libmisc/find_new_ids.c 2008-05-26 14:18:43.000000000 +0200 +@@ -56,11 +56,11 @@ int find_new_uid (int sys_user, uid_t *u + assert (uid != NULL); + + if (sys_user == 0) { +- uid_min = getdef_unum ("UID_MIN", 1000); ++ uid_min = getdef_unum ("UID_MIN", 500); + uid_max = getdef_unum ("UID_MAX", 60000); + } else { + uid_min = getdef_unum ("SYS_UID_MIN", 1); +- uid_max = getdef_unum ("UID_MIN", 1000) - 1; ++ uid_max = getdef_unum ("UID_MIN", 500) - 1; + uid_max = getdef_unum ("SYS_UID_MAX", uid_max); + } + +@@ -139,11 +139,11 @@ int find_new_gid (int sys_group, gid_t * + assert (gid != NULL); + + if (sys_group == 0) { +- gid_min = getdef_unum ("GID_MIN", 1000); ++ gid_min = getdef_unum ("GID_MIN", 500); + gid_max = getdef_unum ("GID_MAX", 60000); + } else { + gid_min = getdef_unum ("SYS_GID_MIN", 1); +- gid_max = getdef_unum ("GID_MIN", 1000) - 1; ++ gid_max = getdef_unum ("GID_MIN", 500) - 1; + gid_max = getdef_unum ("SYS_GID_MAX", gid_max); + } + +diff -up shadow-4.1.2/src/useradd.c.redhat shadow-4.1.2/src/useradd.c +--- shadow-4.1.2/src/useradd.c.redhat 2008-05-19 22:31:52.000000000 +0200 ++++ shadow-4.1.2/src/useradd.c 2008-05-26 14:18:43.000000000 +0200 +@@ -85,7 +85,7 @@ + static gid_t def_group = 100; + static const char *def_gname = "other"; + static const char *def_home = "/home"; +-static const char *def_shell = ""; ++static const char *def_shell = "/sbin/nologin"; + static const char *def_template = SKEL_DIR; + static const char *def_create_mail_spool = "no"; + +@@ -97,7 +97,7 @@ static char def_file[] = USER_DEFAULTS_F + #define VALID(s) (strcspn (s, ":\n") == strlen (s)) + + static const char *user_name = ""; +-static const char *user_pass = "!"; ++static const char *user_pass = "!!"; + static uid_t user_id; + static gid_t user_gid; + static const char 
*user_comment = ""; +@@ -133,6 +133,7 @@ static int + kflg = 0, /* specify a directory to fill new user directory */ + lflg = 0, /* do not add user to lastlog database file */ + mflg = 0, /* create user's home directory if it doesn't exist */ ++ Mflg = 0, /* do NOT create user's home directory no matter what */ + Nflg = 0, /* do not create a group having the same name as the user, but add the user to def_group (or the group specified with -g) */ + oflg = 0, /* permit non-unique user ID to be specified with -u */ + rflg = 0, /* create a system account */ +@@ -656,6 +657,7 @@ static void usage (void) + " faillog databases\n" + " -m, --create-home create home directory for the new user\n" + " account\n" ++ " -M, do not create user's home directory(overrides /etc/login.defs)\n" + " -N, --no-user-group do not create a group with the same name as\n" + " the user\n" + " -o, --non-unique allow create user with duplicate\n" +@@ -886,7 +888,7 @@ static void process_flags (int argc, cha + {NULL, 0, NULL, '\0'} + }; + while ((c = +- getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:lmMNop:rs:u:U", ++ getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:U", + long_options, NULL)) != -1) { + switch (c) { + case 'b': +@@ -1026,6 +1028,10 @@ static void process_flags (int argc, cha + case 'm': + mflg++; + break; ++ case 'M': ++ Mflg++; ++ break; ++ case 'n': + case 'N': + Nflg++; + break; +@@ -1079,6 +1085,9 @@ static void process_flags (int argc, cha + Uflg = getdef_bool ("USERGROUPS_ENAB"); + } + ++ if (mflg && Mflg) /* the admin is not decided .. create or not ? */ ++ usage(); ++ + /* + * Certain options are only valid in combination with others. + * Check it here so that they can be specified in any order. 
+@@ -1628,6 +1637,14 @@ int main (int argc, char **argv) + } + #endif /* USE_PAM */ + ++ if (!rflg) /* for system accounts defaults are ignored and we ++ * do not create a home dir -- gafton */ ++ if (getdef_bool("CREATE_HOME")) ++ mflg = 1; ++ ++ if (Mflg) /* absolutely sure that we do not create home dirs */ ++ mflg = 0; ++ + /* + * See if we are messing with the defaults file, or creating + * a new user. +@@ -1727,27 +1744,22 @@ int main (int argc, char **argv) + ("%s: warning: the home directory already exists.\n" + "Not copying any file from skel directory into it.\n"), + Prog); +- +- } else if (getdef_str ("CREATE_HOME")) { +- /* +- * RedHat added the CREATE_HOME option in login.defs in their +- * version of shadow-utils (which makes -m the default, with +- * new -M option to turn it off). Unfortunately, this +- * changes the way useradd works (it can be run by scripts +- * expecting some standard behaviour), compared to other +- * Unices and other Linux distributions, and also adds a lot +- * of confusion :-(. +- * So we now recognize CREATE_HOME and give a warning here +- * (better than "configuration error ... notify administrator" +- * errors in every program that reads /etc/login.defs). -MM +- */ +- fprintf (stderr, +- _ +- ("%s: warning: CREATE_HOME not supported, please use -m instead.\n"), +- Prog); + } +- +- create_mail (); ++ /* Warning removed to protect the innocent. */ ++ /* ++ * The whole idea about breaking some stupid scripts by creating a new ++ * variable is crap - I could care less about the scripts. Historically ++ * adduser type programs have always created the home directories and ++ * I don't like the idea of providing a script when we can fix the ++ * binary itself. And if the scripts are using the right options to the ++ * useradd then they will not break. 
If not, they depend on unspecified ++ * behavior and they will break, but they were broken anyway to begin ++ * with --gafton ++ */ ++ ++ /* Do not create mail directory for system accounts */ ++ if( !rflg ) ++ create_mail (); + + close_files (); + +diff -up shadow-4.1.2/man/useradd.8.redhat shadow-4.1.2/man/useradd.8 +--- shadow-4.1.2/man/useradd.8.redhat 2008-05-25 01:20:26.000000000 +0200 ++++ shadow-4.1.2/man/useradd.8 2008-05-26 14:26:14.000000000 +0200 +@@ -27,7 +27,7 @@ option, the + \fBuseradd\fR + command creates a new user account using the values specified on the command line plus the default values from the system\&. Depending on command line options, the + \fBuseradd\fR +-command will update system files and may also create the new user\'s home directory and copy initial files\&. ++command will update system files and may also create the new user\'s home directory and copy initial files\&. The version provided with Red Hat Linux will create a group for each user added to the system by default\&. + .SH "OPTIONS" + .PP + The options which apply to the +@@ -84,8 +84,7 @@ The number of days after a password expi + .PP + \fB\-g\fR, \fB\-\-gid\fR \fIGROUP\fR + .RS 4 +-The group name or number of the user\'s initial login group\&. The group name must exist\&. A group number must refer to an already existing group\&. The default group number is 1 or whatever is specified in +-\fI/etc/default/useradd\fR\&. ++The group name or number of the user\'s initial login group\&. The group name must exist\&. A group number must refer to an already existing group\&. + .RE + .PP + \fB\-G\fR, \fB\-\-groups\fR \fIGROUP1\fR[\fI,GROUP2,\&.\&.\&.\fR[\fI,GROUPN\fR]]] +@@ -143,6 +142,13 @@ Do not add the user to the lastlog and f + By default, the user\'s entries in the lastlog and faillog databases are resetted to avoid reusing the entry from a previously deleted user\&. 
+ .RE + .PP ++\fB-M\fR ++.RS 4 ++The user\'s home directory will not be created, even if the system wide settings from ++\fI/etc/login.defs\fR ++is to create home dirs\. ++.RE ++.PP + \fB\-m\fR, \fB\-\-create\-home\fR + .RS 4 + Create the user\'s home directory if it does not exist\&. The files and directories contained in the skeleton directory (which can be defined with the +@@ -195,6 +201,19 @@ range, defined in + counterparts for the creation of groups)\&. + .RE + .PP ++\fB-r\fR ++.RS 4 ++This flag is used to create a system account\. That is, a user with a UID lower than the value of UID_MIN defined in ++\fI/etc/login.defs\fR ++and whose password does not expire\. Note that ++\fBuseradd\fR ++will not create a home directory for such an user, regardless of the default setting in ++\fI/etc/login.defs\fR\. ++You have to specify ++\fB-m\fR ++option if you want a home directory for a system account to be created\. This is an option added by Red Hat\. ++.RE ++.PP + \fB\-s\fR, \fB\-\-shell\fR \fISHELL\fR + .RS 4 + The name of the user\'s login shell\&. The default is to leave this field blank, which causes the system to select the default login shell\&. +@@ -265,6 +284,8 @@ The name of a new user\'s login shell\&. + The system administrator is responsible for placing the default user files in the + \fI/etc/skel/\fR + directory\&. ++.br ++This version of useradd was modified by Red Hat to suit Red Hat user/group conventions\&. + .SH "CAVEATS" + .PP + You may not add a user to a NIS or LDAP group\&. This must be performed on the corresponding server\&. +@@ -407,6 +428,11 @@ Group account information\&. + Secure group account information\&. + .RE + .PP ++\fI/etc/gshadow\fR ++.RS 4 ++Secure group account information\. ++.RE ++.PP + \fI/etc/default/useradd\fR + .RS 4 + Default values for account creation\&. 
+diff -up shadow-4.1.2/man/groupadd.8.redhat shadow-4.1.2/man/groupadd.8 +--- shadow-4.1.2/man/groupadd.8.redhat 2008-05-25 01:20:05.000000000 +0200 ++++ shadow-4.1.2/man/groupadd.8 2008-05-26 14:35:49.000000000 +0200 +@@ -14,7 +14,7 @@ + groupadd \- create a new group + .SH "SYNOPSIS" + .HP 9 +-\fBgroupadd\fR [\-g\ \fIGID\fR\ [\-o]] [\-f] [\-K\ \fIKEY\fR=\fIVALUE\fR] \fIgroup\fR ++\fBgroupadd\fR [\-g\ \fIgid\fR\ [\-o]] [\-r] [\-f] [\-K\ \fIKEY\fR=\fIVALUE\fR] \fIgroup\fR + .SH "DESCRIPTION" + .PP + The +@@ -34,11 +34,22 @@ This option causes the command to simply + is turned off)\&. + .RE + .PP ++\fB-r\fR ++.RS 4 ++This flag instructs ++\fBgroupadd\fR ++to add a system account\. The first available ++\fIgid\fR ++lower than 500 will be automatically selected unless the ++\fB-g\fR ++option is also given on the command line\. This is an option added by Red Hat\. ++.RE ++.PP + \fB\-g\fR, \fB\-\-gid\fR \fIGID\fR + .RS 4 + The numerical value of the group\'s ID\&. This value must be unique, unless the + \fB\-o\fR +-option is used\&. The value must be non\-negative\&. The default is to use the smallest ID value greater than 999 and greater than every other group\&. Values between 0 and 999 are typically reserved for system accounts\&. ++option is used\&. The value must be non\-negative\&. The default is to use the smallest ID value greater than 499 and greater than every other group\&. Values between 0 and 500 are typically reserved for system accounts\&. + .RE + .PP + \fB\-h\fR, \fB\-\-help\fR diff --git a/shadow-4.1.2-sysAccountDownhill.patch b/shadow-4.1.2-sysAccountDownhill.patch new file mode 100644 index 0000000..2071190 --- /dev/null +++ b/shadow-4.1.2-sysAccountDownhill.patch 
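Review bot: The useradd.c hunk changes the compiled-in default shell to `/sbin/nologin` (`static const char *def_shell = "/sbin/nologin";`), but the useradd.8 hunk in the same patch leaves the `-s` description as an unchanged context line saying the default is a blank field that makes the system select the default login shell; the man page should follow the code, e.g. `The default is /sbin/nologin unless SHELL is set in /etc/default/useradd\&.`, assuming that file overrides def_shell as the `-D` option suggests. The home-directory logic added to main, `if (!rflg) if (getdef_bool("CREATE_HOME")) mflg = 1;`, is two unbraced nested ifs, the dangling-else shape the rest of the file avoids; brace both levels, and `if( !rflg ) create_mail ();` should follow the file's `if (` spacing. The `-M` usage line `" -M, do not create user's home directory(overrides /etc/login.defs)\n"` is formatted unlike its neighbours (no long-option column, no space before the parenthesis), so `--help` output will misalign. main and process_flags both extend beyond this hunk.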
@@ -0,0 +1,99 @@
+diff -up shadow-4.1.2/libmisc/find_new_ids.c.sysAccountDownhill shadow-4.1.2/libmisc/find_new_ids.c
+--- shadow-4.1.2/libmisc/find_new_ids.c.sysAccountDownhill 2008-05-26 14:52:49.000000000 +0200
++++ shadow-4.1.2/libmisc/find_new_ids.c 2008-05-26 14:58:55.000000000 +0200
+@@ -52,6 +52,7 @@ int find_new_uid (int sys_user, uid_t *u
+ {
+ const struct passwd *pwd;
+ uid_t uid_min, uid_max, user_id;
++ char * index;
+
+ assert (uid != NULL);
+
+@@ -62,6 +63,8 @@ int find_new_uid (int sys_user, uid_t *u
+ uid_min = getdef_unum ("SYS_UID_MIN", 1);
+ uid_max = getdef_unum ("UID_MIN", 500) - 1;
+ uid_max = getdef_unum ("SYS_UID_MAX", uid_max);
++ index = alloca (sizeof (char) * uid_max +1);
++ memset (index, 0, sizeof (char) * uid_max + 1);
+ }
+
+ if ( (NULL != preferred_uid)
+@@ -91,12 +94,28 @@ int find_new_uid (int sys_user, uid_t *u
+ pw_rewind ();
+ while ( ((pwd = getpwent ()) != NULL)
+ || ((pwd = pw_next ()) != NULL)) {
+- if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) {
+- user_id = pwd->pw_uid + 1;
++ if (sys_user == 0) {
++ if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) {
++ user_id = pwd->pw_uid + 1;
++ }
++ }
++ else {
++ /* create index of occupied system accounts UIDs */
++ if (pwd->pw_uid <= uid_max)
++ index[pwd->pw_uid] = 1;
+ }
+ }
+ endpwent ();
+
++ /* find free system account */
++ if(sys_user) {
++ for( user_id = uid_max; (user_id >= uid_min) && index[user_id]; user_id--);
++ if ( user_id < uid_min ) {
++ fputs (_("Can't get unique UID (no more available UIDs)\n"), stderr);
++ return -1;
++ }
++ }
++
+ /*
+ * If a user with UID equal to UID_MAX exists, the above algorithm
+ * will give us UID_MAX+1 even if not unique.
Search for the first
+@@ -135,6 +154,7 @@ int find_new_gid (int sys_group, gid_t *
+ {
+ const struct group *grp;
+ gid_t gid_min, gid_max, group_id;
++ char * index;
+
+ assert (gid != NULL);
+
+@@ -145,6 +165,8 @@ int find_new_gid (int sys_group, gid_t *
+ gid_min = getdef_unum ("SYS_GID_MIN", 1);
+ gid_max = getdef_unum ("GID_MIN", 500) - 1;
+ gid_max = getdef_unum ("SYS_GID_MAX", gid_max);
++ index = alloca (sizeof (char) * gid_max +1);
++ memset (index, 0, sizeof (char) * gid_max + 1);
+ }
+
+ if ( (NULL != preferred_gid)
+@@ -173,12 +195,28 @@ int find_new_gid (int sys_group, gid_t *
+ gr_rewind ();
+ while ( ((grp = getgrent ()) != NULL)
+ || ((grp = gr_next ()) != NULL)) {
+- if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) {
+- group_id = grp->gr_gid + 1;
++ if (sys_group == 0) {
++ if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) {
++ group_id = grp->gr_gid + 1;
++ }
++ }
++ else {
++ /* create index of occupied system accounts GIDs */
++ if (grp->gr_gid <= gid_max)
++ index[grp->gr_gid] = 1;
+ }
+ }
+ endgrent ();
+
++ /* find free system account */
++ if(sys_group) {
++ for( group_id = gid_max; (group_id >= gid_min) && index[group_id]; group_id--);
++ if ( group_id < gid_min ) {
++ fputs (_("Can't get unique GID (no more available GIDs)\n"), stderr);
++ return -1;
++ }
++ }
++
+ /*
+ * If a group with GID equal to GID_MAX exists, the above algorithm
+ * will give us GID_MAX+1 even if not unique. Search for the first
diff --git a/shadow-utils.spec b/shadow-utils.spec
index e99796b..200f07e 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
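Review bot: `index = alloca (sizeof (char) * uid_max +1);` in find_new_uid sizes a stack buffer directly from the administrator-configurable SYS_UID_MAX with no upper bound and no failure path, so a large value in login.defs (or a misconfigured SYS_UID_MAX below SYS_UID_MIN) crashes useradd instead of reporting an error; find_new_gid has the identical construction with gid_max. The downhill scan `for( user_id = uid_max; (user_id >= uid_min) && index[user_id]; user_id--);` is also unsafe on its own: user_id is an unsigned uid_t, so if SYS_UID_MIN is configured as 0 and UID 0 is occupied (it always is) the `user_id >= uid_min` test never fails, the counter wraps at 0, and the next read is index[UINT_MAX]. I would allocate the index on the heap with an explicit check, reject uid_max < uid_min up front, stop the scan at uid_min and test the slot rather than the counter, and free the index on every return, including any early returns in the preferred_uid branch that lie outside this hunk; the same rewrite applies to the GID hunks. The name `index` also shadows the libc index() declared in string.h, so a name such as `used` avoids -Wshadow noise. The bodies of both functions, including the final uniqueness search after the comment, continue outside the hunk.
```c
	/* heap index of occupied system UIDs, sized by SYS_UID_MAX; freed on every return */
	if (uid_max < uid_min) {
		fputs (_("Can't get unique UID (no more available UIDs)\n"), stderr);
		return -1;
	}
	used = calloc ((size_t) uid_max + 1, sizeof *used);
	if (NULL == used) {
		return -1; /* allocation failure reported like the other -1 paths */
	}
	/* … unchanged: preferred_uid handling (free (used) before any return there) … */
	/* … unchanged: getpwent () scan filling used[pw_uid] … */
	/* find free system account, scanning downhill from SYS_UID_MAX towards SYS_UID_MIN */
	if (sys_user) {
		for (user_id = uid_max; (user_id > uid_min) && used[user_id]; user_id--) {
			/* empty: the loop condition does the search */
		}
		if (used[user_id]) {
			free (used);
			fputs (_("Can't get unique UID (no more available UIDs)\n"), stderr);
			return -1;
		}
		free (used);
	}
```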
@@ -4,20 +4,18 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils -Version: 4.1.1 -Release: 2%{?dist} +Version: 4.1.2 +Release: 1%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 Source1: shadow-4.0.17-login.defs Source2: shadow-4.0.18.1-useradd -Patch0: shadow-4.1.1-redhat.patch -Patch1: shadow-4.1.1-audit.patch -Patch3: shadow-4.1.0-goodname.patch -Patch4: shadow-4.1.1-selinux.patch -Patch5: shadow-4.1.1-sysAccountDownhill.patch -Patch6: shadow-4.1.1-saltSize.patch +Patch0: shadow-4.1.2-redhat.patch +Patch1: shadow-4.1.2-goodname.patch +Patch2: shadow-4.1.1-selinux.patch +Patch3: shadow-4.1.2-sysAccountDownhill.patch License: BSD Group: System Environment/Base @@ -43,11 +41,9 @@ are used for managing group accounts. %prep %setup -q -n shadow-%{version} %patch0 -p1 -b .redhat -%patch1 -p1 -b .audit -%patch3 -p1 -b .goodname -%patch4 -p1 -b .selinux -%patch5 -p1 -b .sysAccountDownhill -%patch6 -p1 -b .saltSize +%patch1 -p1 -b .goodname +%patch2 -p1 -b .selinux +%patch3 -p1 -b .sysAccountDownhill rm po/*.gmo @@ -188,6 +184,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Mon May 26 2008 Peter Vrabec 2:4.1.2-1 +- upgrade + * Tue May 20 2008 Peter Vrabec 2:4.1.1-2 - fix salt size problem (#447136) diff --git a/sources b/sources index a48c6ec..0c72fb3 100644 --- a/sources +++ b/sources @@ -1,3 +1,4 @@ e91727c55dbafc9915250e31535f13bb shadow-4.0.17-login.defs ebdf46b79f9b414353c9ae8aba4d55cc shadow-4.0.18.1-useradd b1aa30abb3cce16a37b53e45e1ec70a4 shadow-4.1.1.tar.bz2 +ce90cbe9cba7f6673cb10cad49083c1c shadow-4.1.2.tar.bz2
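Review bot: The changelog entry `- upgrade` does not record what happened to the two patches this hunk drops, shadow-4.1.1-audit.patch and shadow-4.1.1-saltSize.patch, the latter being the fix for #447136 that the previous 2:4.1.1-2 entry introduced. A reader of the spec cannot tell whether 4.1.2 carries those fixes upstream or whether the audit integration and the salt-size fix were lost in the rebase. If they are indeed upstream, say so, e.g. `- upgrade to 4.1.2 (audit and salt-size patches merged upstream)`; if not, the patches need to be rebased rather than removed.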