Diffstat (limited to 'meta/recipes-extended/shadow')
15 files changed, 123 insertions, 544 deletions
diff --git a/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch b/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch deleted file mode 100644 index 95728bcd3f..0000000000 --- a/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch +++ /dev/null 
@@ -1,124 +0,0 @@ -From 30a3906a0a21120fa6bbc918b6258ab9303fbeaa Mon Sep 17 00:00:00 2001 -From: Scott Garman <scott.a.garman@intel.com> -Date: Thu, 14 Apr 2016 12:28:57 +0200 -Subject: [PATCH] Disable use of syslog for sysroot - -Disable use of syslog to prevent sysroot user and group additions from -writing entries to the host's syslog. This patch should only be used -with the shadow-native recipe. - -Upstream-Status: Inappropriate [disable feature] - -Signed-off-by: Scott Garman <scott.a.garman@intel.com> -Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> -Signed-off-by: Chen Qi <Qi.Chen@windriver.com> - ---- - src/groupadd.c | 3 +++ - src/groupdel.c | 3 +++ - src/groupmems.c | 3 +++ - src/groupmod.c | 3 +++ - src/useradd.c | 3 +++ - src/userdel.c | 4 ++++ - src/usermod.c | 3 +++ - 7 files changed, 22 insertions(+) - -diff --git a/src/groupadd.c b/src/groupadd.c -index d7f68b1..5fe5f43 100644 ---- a/src/groupadd.c -+++ b/src/groupadd.c -@@ -34,6 +34,9 @@ - - #ident "$Id$" - -+/* Disable use of syslog since we're running this command against a sysroot */ -+#undef USE_SYSLOG -+ - #include <ctype.h> - #include <fcntl.h> - #include <getopt.h> -diff --git a/src/groupdel.c b/src/groupdel.c -index 5c89312..2aefc5a 100644 ---- a/src/groupdel.c -+++ b/src/groupdel.c -@@ -34,6 +34,9 @@ - - #ident "$Id$" - -+/* Disable use of syslog since we're running this command against a sysroot */ -+#undef USE_SYSLOG -+ - #include <ctype.h> - #include <fcntl.h> - #include <grp.h> -diff --git a/src/groupmems.c b/src/groupmems.c -index 654a8f3..6b2026b 100644 ---- a/src/groupmems.c -+++ b/src/groupmems.c -@@ -32,6 +32,9 @@ - - #include <config.h> - -+/* Disable use of syslog since we're running this command against a sysroot */ -+#undef USE_SYSLOG -+ - #include <fcntl.h> - #include <getopt.h> - #include <grp.h> -diff --git a/src/groupmod.c b/src/groupmod.c -index acd6f35..a2c5247 100644 ---- a/src/groupmod.c -+++ b/src/groupmod.c -@@ -34,6 +34,9 @@ - - #ident "$Id$" - -+/* 
Disable use of syslog since we're running this command against a sysroot */ -+#undef USE_SYSLOG -+ - #include <ctype.h> - #include <fcntl.h> - #include <getopt.h> -diff --git a/src/useradd.c b/src/useradd.c -index 127177e..b80e505 100644 ---- a/src/useradd.c -+++ b/src/useradd.c -@@ -34,6 +34,9 @@ - - #ident "$Id$" - -+/* Disable use of syslog since we're running this command against a sysroot */ -+#undef USE_SYSLOG -+ - #include <assert.h> - #include <ctype.h> - #include <errno.h> -diff --git a/src/userdel.c b/src/userdel.c -index 79a7c89..c1e010a 100644 ---- a/src/userdel.c -+++ b/src/userdel.c -@@ -31,6 +31,10 @@ - */ - - #include <config.h> -+ -+/* Disable use of syslog since we're running this command against a sysroot */ -+#undef USE_SYSLOG -+ - #include <assert.h> - #include <dirent.h> - #include <errno.h> -diff --git a/src/usermod.c b/src/usermod.c -index 03bb9b9..e15fdd4 100644 ---- a/src/usermod.c -+++ b/src/usermod.c -@@ -34,6 +34,9 @@ - - #ident "$Id$" - -+/* Disable use of syslog since we're running this command against a sysroot */ -+#undef USE_SYSLOG -+ - #include <assert.h> - #include <ctype.h> - #include <errno.h> diff --git a/meta/recipes-extended/shadow/files/0001-Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch b/meta/recipes-extended/shadow/files/0001-Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch deleted file mode 100644 index c577be6505..0000000000 --- a/meta/recipes-extended/shadow/files/0001-Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch +++ /dev/null 
@@ -1,114 +0,0 @@ -From eced8077b57946fe0b723e7c6c510e8f344ce89b Mon Sep 17 00:00:00 2001 -From: Serge Hallyn <serge@hallyn.com> -Date: Fri, 23 Jul 2021 17:51:13 -0500 -Subject: [PATCH] Fix out of tree builds with respect to libsubid includes - -There's a better way to do this, and I hope to clean that up, -but this fixes out of tree builds for me right now. - -Closes #386 - -Signed-off-by: Serge Hallyn <serge@hallyn.com> -Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/537b8cd90be7b47b45c45cfd27765ef85eb0ebf1] -Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> ---- - lib/Makefile.am | 2 ++ - libmisc/Makefile.am | 2 +- - libsubid/Makefile.am | 4 ++-- - src/Makefile.am | 6 ++++++ - 4 files changed, 11 insertions(+), 3 deletions(-) - -diff --git a/lib/Makefile.am b/lib/Makefile.am -index ecf3ee25..5ac2e111 100644 ---- a/lib/Makefile.am -+++ b/lib/Makefile.am -@@ -10,6 +10,8 @@ if HAVE_VENDORDIR - libshadow_la_CPPFLAGS += -DVENDORDIR=\"$(VENDORDIR)\" - endif - -+libshadow_la_CPPFLAGS += -I$(top_srcdir) -+ - libshadow_la_SOURCES = \ - commonio.c \ - commonio.h \ -diff --git a/libmisc/Makefile.am b/libmisc/Makefile.am -index 9766a7ec..9f237e0d 100644 ---- a/libmisc/Makefile.am -+++ b/libmisc/Makefile.am -@@ -1,7 +1,7 @@ - - EXTRA_DIST = .indent.pro xgetXXbyYY.c - --AM_CPPFLAGS = -I$(top_srcdir)/lib $(ECONF_CPPFLAGS) -+AM_CPPFLAGS = -I$(top_srcdir)/lib -I$(top_srcdir) $(ECONF_CPPFLAGS) - - noinst_LTLIBRARIES = libmisc.la - -diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am -index 189165b0..cdc41fe6 100644 ---- a/libsubid/Makefile.am -+++ b/libsubid/Makefile.am -@@ -19,8 +19,8 @@ MISCLIBS = \ - $(LIBTCB) - - libsubid_la_LIBADD = \ -- $(top_srcdir)/lib/libshadow.la \ -- $(top_srcdir)/libmisc/libmisc.la \ -+ $(top_builddir)/lib/libshadow.la \ -+ $(top_builddir)/libmisc/libmisc.la \ - $(MISCLIBS) -ldl - - AM_CPPFLAGS = \ -diff --git a/src/Makefile.am b/src/Makefile.am -index 35027013..7c1a3491 100644 ---- a/src/Makefile.am -+++ 
b/src/Makefile.am -@@ -10,6 +10,7 @@ sgidperms = 2755 - AM_CPPFLAGS = \ - -I${top_srcdir}/lib \ - -I$(top_srcdir)/libmisc \ -+ -I$(top_srcdir) \ - -DLOCALEDIR=\"$(datadir)/locale\" - - # XXX why are login and su in /bin anyway (other than for -@@ -183,6 +184,7 @@ list_subid_ranges_LDADD = \ - list_subid_ranges_CPPFLAGS = \ - -I$(top_srcdir)/lib \ - -I$(top_srcdir)/libmisc \ -+ -I$(top_srcdir) \ - -I$(top_srcdir)/libsubid - - get_subid_owners_LDADD = \ -@@ -194,11 +196,13 @@ get_subid_owners_LDADD = \ - get_subid_owners_CPPFLAGS = \ - -I$(top_srcdir)/lib \ - -I$(top_srcdir)/libmisc \ -+ -I$(top_srcdir) \ - -I$(top_srcdir)/libsubid - - new_subid_range_CPPFLAGS = \ - -I$(top_srcdir)/lib \ - -I$(top_srcdir)/libmisc \ -+ -I$(top_srcdir) \ - -I$(top_srcdir)/libsubid - - new_subid_range_LDADD = \ -@@ -210,6 +214,7 @@ new_subid_range_LDADD = \ - free_subid_range_CPPFLAGS = \ - -I$(top_srcdir)/lib \ - -I$(top_srcdir)/libmisc \ -+ -I$(top_srcdir) \ - -I$(top_srcdir)/libsubid - - free_subid_range_LDADD = \ -@@ -220,6 +225,7 @@ free_subid_range_LDADD = \ - - check_subid_range_CPPFLAGS = \ - -I$(top_srcdir)/lib \ -+ -I$(top_srcdir) \ - -I$(top_srcdir)/libmisc - - check_subid_range_LDADD = \ --- -2.31.1 - diff --git a/meta/recipes-extended/shadow/files/0001-libmisc-fix-default-value-in-SHA_get_salt_rounds.patch b/meta/recipes-extended/shadow/files/0001-libmisc-fix-default-value-in-SHA_get_salt_rounds.patch deleted file mode 100644 index 2c9b1d06cd..0000000000 --- a/meta/recipes-extended/shadow/files/0001-libmisc-fix-default-value-in-SHA_get_salt_rounds.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From 234e8fa7b134d1ebabfdad980a3ae5b63c046c62 Mon Sep 17 00:00:00 2001 -From: Mike Gilbert <floppym@gentoo.org> -Date: Sat, 14 Aug 2021 13:24:34 -0400 -Subject: [PATCH] libmisc: fix default value in SHA_get_salt_rounds() - -If SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS are both unspecified, -use SHA_ROUNDS_DEFAULT. - -Previously, the code fell through, calling shadow_random(-1, -1). This -ultimately set rounds = (unsigned long) -1, which ends up being a very -large number! This then got capped to SHA_ROUNDS_MAX later in the -function. - -The new behavior matches BCRYPT_get_salt_rounds(). - -Bug: https://bugs.gentoo.org/808195 -Fixes: https://github.com/shadow-maint/shadow/issues/393 - -Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/234e8fa7b134d1ebabfdad980a3ae5b63c046c62] - -Signed-off-by: Mingli Yu <mingli.yu@windriver.com> ---- - libmisc/salt.c | 21 +++++++++++---------- - 1 file changed, 11 insertions(+), 10 deletions(-) - -diff --git a/libmisc/salt.c b/libmisc/salt.c -index 91d528fd..30eefb9c 100644 ---- a/libmisc/salt.c -+++ b/libmisc/salt.c -@@ -223,20 +223,21 @@ static /*@observer@*/const unsigned long SHA_get_salt_rounds (/*@null@*/int *pre - if ((-1 == min_rounds) && (-1 == max_rounds)) { - rounds = SHA_ROUNDS_DEFAULT; - } -+ else { -+ if (-1 == min_rounds) { -+ min_rounds = max_rounds; -+ } - -- if (-1 == min_rounds) { -- min_rounds = max_rounds; -- } -+ if (-1 == max_rounds) { -+ max_rounds = min_rounds; -+ } - -- if (-1 == max_rounds) { -- max_rounds = min_rounds; -- } -+ if (min_rounds > max_rounds) { -+ max_rounds = min_rounds; -+ } - -- if (min_rounds > max_rounds) { -- max_rounds = min_rounds; -+ rounds = (unsigned long) shadow_random (min_rounds, max_rounds); - } -- -- rounds = (unsigned long) shadow_random (min_rounds, max_rounds); - } else if (0 == *prefered_rounds) { - rounds = SHA_ROUNDS_DEFAULT; - } else { --- -2.17.1 - 
diff --git a/meta/recipes-extended/shadow/files/0001-libsubid-link-to-PAM-libraries.patch b/meta/recipes-extended/shadow/files/0001-libsubid-link-to-PAM-libraries.patch deleted file mode 100644 index ea7a99dbf7..0000000000 --- a/meta/recipes-extended/shadow/files/0001-libsubid-link-to-PAM-libraries.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 4f44617af3a0c59be267ac5fcc33586e3783f5e6 Mon Sep 17 00:00:00 2001 -From: Xi Ruoyao <xry111@mengyan1223.wang> -Date: Fri, 23 Jul 2021 14:38:08 +0800 -Subject: [PATCH] libsubid: link to PAM libraries - -libsubid.so links to libmisc.a, which contains several routines referring to -PAM functions. - -Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/f4a84efb468b8be21be124700ce35159c444e9d6] -Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> ---- - libsubid/Makefile.am | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am -index cdc41fe6..99308c1f 100644 ---- a/libsubid/Makefile.am -+++ b/libsubid/Makefile.am -@@ -16,7 +16,8 @@ MISCLIBS = \ - $(LIBCRYPT) \ - $(LIBACL) \ - $(LIBATTR) \ -- $(LIBTCB) -+ $(LIBTCB) \ -+ $(LIBPAM) - - libsubid_la_LIBADD = \ - $(top_builddir)/lib/libshadow.la \ --- -2.31.1 - diff --git a/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch b/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch index bd24626a26..cd99aad135 100644 --- a/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch +++ b/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch @@ -1,4 +1,4 @@ -From 1422c24f7266b553c82100e3d18a10c55cd91063 Mon Sep 17 00:00:00 2001 +From f512071dd3a4c29d4bf048c5a89c4ba9160e37b1 Mon Sep 17 00:00:00 2001 From: Chen Qi <Qi.Chen@windriver.com> Date: Thu, 17 Jul 2014 15:53:34 +0800 Subject: [PATCH] commonio.c-fix-unexpected-open-failure-in-chroot-env 
@@ -15,32 +15,31 @@ Note that this patch doesn't change the logic in the code, it just expands the codes. Signed-off-by: Chen Qi <Qi.Chen@windriver.com> - --- lib/commonio.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/lib/commonio.c b/lib/commonio.c -index cef404b..66908fb 100644 +index 01a26c9..82b2868 100644 --- a/lib/commonio.c +++ b/lib/commonio.c -@@ -646,10 +646,18 @@ int commonio_open (struct commonio_db *db, int mode) +@@ -601,10 +601,18 @@ int commonio_open (struct commonio_db *db, int mode) db->cursor = NULL; db->changed = false; - fd = open (db->filename, - (db->readonly ? O_RDONLY : O_RDWR) -- | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW); +- | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW | O_CLOEXEC); - saved_errno = errno; + if (db->readonly) { + fd = open (db->filename, + (true ? O_RDONLY : O_RDWR) -+ | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW); ++ | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW | O_CLOEXEC); + saved_errno = errno; + } else { + fd = open (db->filename, + (false ? O_RDONLY : O_RDWR) -+ | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW); ++ | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW| O_CLOEXEC); + saved_errno = errno; + } + diff --git a/meta/recipes-extended/shadow/files/login.defs_shadow-sysroot b/meta/recipes-extended/shadow/files/login.defs_shadow-sysroot index 8a68dd341a..09df77d2e7 100644 --- a/meta/recipes-extended/shadow/files/login.defs_shadow-sysroot +++ b/meta/recipes-extended/shadow/files/login.defs_shadow-sysroot @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: BSD-3-Clause OR Artistic-1.0 # # /etc/login.defs - Configuration control definitions for the shadow package. # diff --git a/meta/recipes-extended/shadow/files/pam.d/login b/meta/recipes-extended/shadow/files/pam.d/login index b340058539..d39e09b1ea 100644 --- a/meta/recipes-extended/shadow/files/pam.d/login +++ b/meta/recipes-extended/shadow/files/pam.d/login 
@@ -57,10 +57,6 @@ auth optional pam_group.so # (Replaces the use of /etc/limits in old login) session required pam_limits.so -# Prints the last login info upon succesful login -# (Replaces the `LASTLOG_ENAB' option from login.defs) -session optional pam_lastlog.so - # Prints the motd upon succesful login # (Replaces the `MOTD_FILE' option in login.defs) session optional pam_motd.so diff --git a/meta/recipes-extended/shadow/files/securetty b/meta/recipes-extended/shadow/files/securetty index 2be341a216..820728faa6 100644 --- a/meta/recipes-extended/shadow/files/securetty +++ b/meta/recipes-extended/shadow/files/securetty @@ -7,6 +7,7 @@ ttyS0 ttyS1 ttyS2 ttyS3 +ttyS4 # ARM AMBA SoCs ttyAM0 diff --git a/meta/recipes-extended/shadow/files/shadow-4.1.3-dots-in-usernames.patch b/meta/recipes-extended/shadow/files/shadow-4.1.3-dots-in-usernames.patch deleted file mode 100644 index a7bb0a9290..0000000000 --- a/meta/recipes-extended/shadow/files/shadow-4.1.3-dots-in-usernames.patch +++ /dev/null @@ -1,27 +0,0 @@ -# commit message copied from openembedded: -# commit 246c80637b135f3a113d319b163422f98174ee6c -# Author: Khem Raj <raj.khem@gmail.com> -# Date: Wed Jun 9 13:37:03 2010 -0700 -# -# shadow-4.1.4.2: Add patches to support dots in login id. -# -# Signed-off-by: Khem Raj <raj.khem@gmail.com> -# -# comment added by Kevin Tian <kevin.tian@intel.com>, 2010-08-11 - -Upstream-Status: Pending - -Signed-off-by: Scott Garman <scott.a.garman@intel.com> - -Index: shadow-4.1.4.2/libmisc/chkname.c -=================================================================== ---- shadow-4.1.4.2.orig/libmisc/chkname.c 2009-04-28 12:14:04.000000000 -0700 -+++ shadow-4.1.4.2/libmisc/chkname.c 2010-06-03 17:43:20.638973857 -0700 -@@ -61,6 +61,7 @@ static bool is_valid_name (const char *n - ( ('0' <= *name) && ('9' >= *name) ) || - ('_' == *name) || - ('-' == *name) || -+ ('.' == *name) || - ( ('$' == *name) && ('\0' == *(name + 1)) ) - )) { - return false; 
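Review bot: The new `ttyS4` entry permits root login on a fifth serial line for every machine that installs this securetty file, and nothing in the hunk says which platform needs it. The shadow-securetty recipe's do_install (only partly visible further down this page) already processes `SERIAL_CONSOLES`, so a board whose console is ttyS4 may receive the entry without a static one; that is worth confirming before widening the default list. If the static entry stays, a comment such as `# ttyS4: required by <machine>, not covered by SERIAL_CONSOLES` would record why it was added.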
diff --git a/meta/recipes-extended/shadow/files/shadow-relaxed-usernames.patch b/meta/recipes-extended/shadow/files/shadow-relaxed-usernames.patch deleted file mode 100644 index cc833362e9..0000000000 --- a/meta/recipes-extended/shadow/files/shadow-relaxed-usernames.patch +++ /dev/null 
@@ -1,111 +0,0 @@ -From ca472d6866e545aaa70a70020e3226f236a8aafc Mon Sep 17 00:00:00 2001 -From: Shan Hai <shan.hai@windriver.com> -Date: Tue, 13 Sep 2016 13:45:46 +0800 -Subject: [PATCH] shadow: use relaxed usernames - -The groupadd from shadow does not allow upper case group names, the -same is true for the upstream shadow. But distributions like -Debian/Ubuntu/CentOS has their own way to cope with this problem, -this patch is picked up from CentOS release 7.0 to relax the usernames -restrictions to allow the upper case group names, and the relaxation is -POSIX compliant because POSIX indicate that usernames are composed of -characters from the portable filename character set [A-Za-z0-9._-]. - -Upstream-Status: Pending - -Signed-off-by: Shan Hai <shan.hai@windriver.com> - ---- - libmisc/chkname.c | 30 ++++++++++++++++++------------ - man/groupadd.8.xml | 6 ------ - man/useradd.8.xml | 8 +------- - 3 files changed, 19 insertions(+), 25 deletions(-) - -diff --git a/libmisc/chkname.c b/libmisc/chkname.c -index 90f185c..65762b4 100644 ---- a/libmisc/chkname.c -+++ b/libmisc/chkname.c -@@ -55,22 +55,28 @@ static bool is_valid_name (const char *name) - } - - /* -- * User/group names must match [a-z_][a-z0-9_-]*[$] -- */ -- -- if (('\0' == *name) || -- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) { -+ * User/group names must match gnu e-regex: -+ * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]? -+ * -+ * as a non-POSIX, extension, allow "$" as the last char for -+ * sake of Samba 3.x "add machine script" -+ */ -+ if ( ('\0' == *name) || -+ !((*name >= 'a' && *name <= 'z') || -+ (*name >= 'A' && *name <= 'Z') || -+ (*name >= '0' && *name <= '9') || -+ (*name == '_') || (*name == '.') -+ )) { - return false; - } - - while ('\0' != *++name) { -- if (!(( ('a' <= *name) && ('z' >= *name) ) || -- ( ('0' <= *name) && ('9' >= *name) ) || -- ('_' == *name) || -- ('-' == *name) || -- ('.' 
== *name) || -- ( ('$' == *name) && ('\0' == *(name + 1)) ) -- )) { -+ if (!( (*name >= 'a' && *name <= 'z') || -+ (*name >= 'A' && *name <= 'Z') || -+ (*name >= '0' && *name <= '9') || -+ (*name == '_') || (*name == '.') || (*name == '-') || -+ (*name == '$' && *(name + 1) == '\0') -+ )) { - return false; - } - } -diff --git a/man/groupadd.8.xml b/man/groupadd.8.xml -index 1e58f09..d804b61 100644 ---- a/man/groupadd.8.xml -+++ b/man/groupadd.8.xml -@@ -272,12 +272,6 @@ - - <refsect1 id='caveats'> - <title>CAVEATS</title> -- <para> -- Groupnames must start with a lower case letter or an underscore, -- followed by lower case letters, digits, underscores, or dashes. -- They can end with a dollar sign. -- In regular expression terms: [a-z_][a-z0-9_-]*[$]? -- </para> - <para> - Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long. - </para> -diff --git a/man/useradd.8.xml b/man/useradd.8.xml -index a16d730..c0bd777 100644 ---- a/man/useradd.8.xml -+++ b/man/useradd.8.xml -@@ -366,7 +366,7 @@ - </term> - <listitem> - <para> -- Do no create the user's home directory, even if the system -+ Do not create the user's home directory, even if the system - wide setting from <filename>/etc/login.defs</filename> - (<option>CREATE_HOME</option>) is set to - <replaceable>yes</replaceable>. -@@ -660,12 +660,6 @@ - the user account creation request. - </para> - -- <para> -- Usernames must start with a lower case letter or an underscore, -- followed by lower case letters, digits, underscores, or dashes. -- They can end with a dollar sign. -- In regular expression terms: [a-z_][a-z0-9_-]*[$]? -- </para> - <para> - Usernames may only be up to 32 characters long. - </para> diff --git a/meta/recipes-extended/shadow/files/shadow-update-pam-conf.patch b/meta/recipes-extended/shadow/files/shadow-update-pam-conf.patch index 15f8044fa2..1eacb8a53f 100644 --- a/meta/recipes-extended/shadow/files/shadow-update-pam-conf.patch 
+++ b/meta/recipes-extended/shadow/files/shadow-update-pam-conf.patch @@ -1,88 +1,115 @@ +From 38882ab288fd4d2cc2e45dff222ae3412c8fe357 Mon Sep 17 00:00:00 2001 +From: Kang Kai <kai.kang@windriver.com> +Date: Wed, 20 Jul 2011 19:18:14 +0800 +Subject: [PATCH] shadow: update pam related configure files + The system-auth in the configure files is from Fedora which put all the 4 pam type rules in one file. In yocto it obey the way with Debian/Ubuntu, and the names are common-auth, common-account, common-password and common-session. So update them with oe way. -Upstream-Status: Pending +See meta/recipes-extended/pam/libpam/pam.d/common-password + +Upstream-Status: Inappropriate [oe-core specific] Signed-off-by: Kang Kai <kai.kang@windriver.com> +--- + etc/pam.d/chage | 2 +- + etc/pam.d/chgpasswd | 2 +- + etc/pam.d/groupadd | 2 +- + etc/pam.d/groupdel | 2 +- + etc/pam.d/groupmems | 2 +- + etc/pam.d/groupmod | 2 +- + etc/pam.d/useradd | 2 +- + etc/pam.d/userdel | 2 +- + etc/pam.d/usermod | 2 +- + 9 files changed, 9 insertions(+), 9 deletions(-) -diff -Nur shadow-4.1.4.3/etc/pam.d.orig/chage shadow-4.1.4.3/etc/pam.d/chage ---- shadow-4.1.4.3/etc/pam.d.orig/chage 2011-07-20 19:02:27.384844958 +0800 -+++ shadow-4.1.4.3/etc/pam.d/chage 2011-07-20 19:03:08.964844958 +0800 +diff --git a/etc/pam.d/chage b/etc/pam.d/chage +index 8f49f5c..b1f365d 100644 +--- a/etc/pam.d/chage ++++ b/etc/pam.d/chage @@ -1,4 +1,4 @@ #%PAM-1.0 auth sufficient pam_rootok.so account required pam_permit.so -password include system-auth +password include common-password -diff -Nur shadow-4.1.4.3/etc/pam.d.orig/chgpasswd shadow-4.1.4.3/etc/pam.d/chgpasswd ---- shadow-4.1.4.3/etc/pam.d.orig/chgpasswd 2011-07-20 19:02:27.384844958 +0800 -+++ shadow-4.1.4.3/etc/pam.d/chgpasswd 2011-07-20 19:03:26.544844958 +0800 +diff --git a/etc/pam.d/chgpasswd b/etc/pam.d/chgpasswd +index 8f49f5c..b1f365d 100644 +--- a/etc/pam.d/chgpasswd ++++ b/etc/pam.d/chgpasswd 
@@ -1,4 +1,4 @@ #%PAM-1.0 auth sufficient pam_rootok.so account required pam_permit.so -password include system-auth +password include common-password -diff -Nur shadow-4.1.4.3/etc/pam.d.orig/groupadd shadow-4.1.4.3/etc/pam.d/groupadd ---- shadow-4.1.4.3/etc/pam.d.orig/groupadd 2011-07-20 19:02:27.384844958 +0800 -+++ shadow-4.1.4.3/etc/pam.d/groupadd 2011-07-20 19:04:08.124844958 +0800 +diff --git a/etc/pam.d/groupadd b/etc/pam.d/groupadd +index 8f49f5c..b1f365d 100644 +--- a/etc/pam.d/groupadd ++++ b/etc/pam.d/groupadd @@ -1,4 +1,4 @@ #%PAM-1.0 auth sufficient pam_rootok.so account required pam_permit.so -password include system-auth +password include common-password -diff -Nur shadow-4.1.4.3/etc/pam.d.orig/groupdel shadow-4.1.4.3/etc/pam.d/groupdel ---- shadow-4.1.4.3/etc/pam.d.orig/groupdel 2011-07-20 19:02:27.384844958 +0800 -+++ shadow-4.1.4.3/etc/pam.d/groupdel 2011-07-20 19:04:26.114844958 +0800 +diff --git a/etc/pam.d/groupdel b/etc/pam.d/groupdel +index 8f49f5c..b1f365d 100644 +--- a/etc/pam.d/groupdel ++++ b/etc/pam.d/groupdel @@ -1,4 +1,4 @@ #%PAM-1.0 auth sufficient pam_rootok.so account required pam_permit.so -password include system-auth +password include common-password -diff -Nur shadow-4.1.4.3/etc/pam.d.orig/groupmems shadow-4.1.4.3/etc/pam.d/groupmems ---- shadow-4.1.4.3/etc/pam.d.orig/groupmems 2011-07-20 19:02:27.384844958 +0800 -+++ shadow-4.1.4.3/etc/pam.d/groupmems 2011-07-20 19:04:35.074844958 +0800 +diff --git a/etc/pam.d/groupmems b/etc/pam.d/groupmems +index 8f49f5c..b1f365d 100644 +--- a/etc/pam.d/groupmems ++++ b/etc/pam.d/groupmems 
@@ -1,4 +1,4 @@ #%PAM-1.0 auth sufficient pam_rootok.so account required pam_permit.so -password include system-auth +password include common-password -diff -Nur shadow-4.1.4.3/etc/pam.d.orig/groupmod shadow-4.1.4.3/etc/pam.d/groupmod ---- shadow-4.1.4.3/etc/pam.d.orig/groupmod 2011-07-20 19:02:27.384844958 +0800 -+++ shadow-4.1.4.3/etc/pam.d/groupmod 2011-07-20 19:04:44.864844958 +0800 +diff --git a/etc/pam.d/groupmod b/etc/pam.d/groupmod +index 8f49f5c..b1f365d 100644 +--- a/etc/pam.d/groupmod ++++ b/etc/pam.d/groupmod @@ -1,4 +1,4 @@ #%PAM-1.0 auth sufficient pam_rootok.so account required pam_permit.so -password include system-auth +password include common-password -diff -Nur shadow-4.1.4.3/etc/pam.d.orig/useradd shadow-4.1.4.3/etc/pam.d/useradd ---- shadow-4.1.4.3/etc/pam.d.orig/useradd 2011-07-20 19:02:27.384844958 +0800 -+++ shadow-4.1.4.3/etc/pam.d/useradd 2011-07-20 19:07:26.244844958 +0800 +diff --git a/etc/pam.d/useradd b/etc/pam.d/useradd +index 8f49f5c..b1f365d 100644 +--- a/etc/pam.d/useradd ++++ b/etc/pam.d/useradd @@ -1,4 +1,4 @@ #%PAM-1.0 auth sufficient pam_rootok.so account required pam_permit.so -password include system-auth +password include common-password -diff -Nur shadow-4.1.4.3/etc/pam.d.orig/userdel shadow-4.1.4.3/etc/pam.d/userdel ---- shadow-4.1.4.3/etc/pam.d.orig/userdel 2011-07-20 19:02:27.384844958 +0800 -+++ shadow-4.1.4.3/etc/pam.d/userdel 2011-07-20 19:07:35.734844958 +0800 +diff --git a/etc/pam.d/userdel b/etc/pam.d/userdel +index 8f49f5c..b1f365d 100644 +--- a/etc/pam.d/userdel ++++ b/etc/pam.d/userdel 
@@ -1,4 +1,4 @@ #%PAM-1.0 auth sufficient pam_rootok.so account required pam_permit.so -password include system-auth +password include common-password -diff -Nur shadow-4.1.4.3/etc/pam.d.orig/usermod shadow-4.1.4.3/etc/pam.d/usermod ---- shadow-4.1.4.3/etc/pam.d.orig/usermod 2011-07-20 19:02:27.384844958 +0800 -+++ shadow-4.1.4.3/etc/pam.d/usermod 2011-07-20 19:07:42.024844958 +0800 +diff --git a/etc/pam.d/usermod b/etc/pam.d/usermod +index 8f49f5c..b1f365d 100644 +--- a/etc/pam.d/usermod ++++ b/etc/pam.d/usermod @@ -1,4 +1,4 @@ #%PAM-1.0 auth sufficient pam_rootok.so diff --git a/meta/recipes-extended/shadow/shadow-securetty_4.6.bb b/meta/recipes-extended/shadow/shadow-securetty_4.6.bb index c78f888cf4..913c159c81 100644 --- a/meta/recipes-extended/shadow/shadow-securetty_4.6.bb +++ b/meta/recipes-extended/shadow/shadow-securetty_4.6.bb @@ -5,11 +5,11 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384 INHIBIT_DEFAULT_DEPS = "1" -PR = "r3" SRC_URI = "file://securetty" -S = "${WORKDIR}" +S = "${WORKDIR}/sources" +UNPACKDIR = "${S}" # Since SERIAL_CONSOLES is likely to be set from the machine configuration PACKAGE_ARCH = "${MACHINE_ARCH}" @@ -18,7 +18,7 @@ do_install () { # Ensure we add a suitable securetty file to the package that has # most common embedded TTYs defined. install -d ${D}${sysconfdir} - install -m 0400 ${WORKDIR}/securetty ${D}${sysconfdir}/securetty + install -m 0400 ${S}/securetty ${D}${sysconfdir}/securetty if [ ! -z "${SERIAL_CONSOLES}" ]; then # Our SERIAL_CONSOLES contains a baud rate and sometimes extra # options as well. The following pearl :) takes that and converts diff --git a/meta/recipes-extended/shadow/shadow-sysroot_4.6.bb b/meta/recipes-extended/shadow/shadow-sysroot_4.6.bb index e05fa237a2..13cfab6aab 100644 --- a/meta/recipes-extended/shadow/shadow-sysroot_4.6.bb +++ b/meta/recipes-extended/shadow/shadow-sysroot_4.6.bb 
@@ -3,18 +3,18 @@ HOMEPAGE = "http://github.com/shadow-maint/shadow" BUGTRACKER = "http://github.com/shadow-maint/shadow/issues" SECTION = "base utils" LICENSE = "BSD-3-Clause | Artistic-1.0" -LIC_FILES_CHKSUM = "file://login.defs_shadow-sysroot;md5=25e2f2de4dfc8f966ac5cdfce45cd7d5" +LIC_FILES_CHKSUM = "file://login.defs_shadow-sysroot;endline=1;md5=ceddfb61608e4db87012499555184aed" DEPENDS = "base-passwd" -PR = "r3" # The sole purpose of this recipe is to provide the /etc/login.defs # file for the target sysroot - needed so the shadow-native utilities # can add custom users/groups for recipes that use inherit useradd. SRC_URI = "file://login.defs_shadow-sysroot" -S = "${WORKDIR}" +S = "${WORKDIR}/sources" +UNPACKDIR = "${S}" do_install() { install -d ${D}${sysconfdir} diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index c91f2739cf..171d6e27c3 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc 
@@ -3,20 +3,16 @@ HOMEPAGE = "http://github.com/shadow-maint/shadow" DESCRIPTION = "${SUMMARY}" BUGTRACKER = "http://github.com/shadow-maint/shadow/issues" SECTION = "base/utils" -LICENSE = "BSD-3-Clause | Artistic-1.0" -LIC_FILES_CHKSUM = "file://COPYING;md5=ed80ff1c2b40843cf5768e5229cf16e5 \ - file://src/passwd.c;beginline=2;endline=30;md5=5720ff729a6ff39ecc9f64555d75f4af" +LICENSE = "BSD-3-Clause" +LIC_FILES_CHKSUM = "file://COPYING;md5=c9a450b7be84eac23e6353efecb60b5b \ + file://src/passwd.c;beginline=2;endline=7;md5=67bcf314687820b2f010d4863fce3fc5 \ + " DEPENDS = "virtual/crypt" -UPSTREAM_CHECK_URI = "https://github.com/shadow-maint/shadow/releases" -SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/v${PV}/${BP}.tar.gz \ - file://shadow-4.1.3-dots-in-usernames.patch \ +GITHUB_BASE_URI = "https://github.com/shadow-maint/shadow/releases" +SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.gz \ ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \ - file://shadow-relaxed-usernames.patch \ - file://0001-Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch \ - file://0001-libsubid-link-to-PAM-libraries.patch \ - file://0001-libmisc-fix-default-value-in-SHA_get_salt_rounds.patch \ file://useradd \ " @@ -26,14 +22,9 @@ SRC_URI:append:class-target = " \ " SRC_URI:append:class-native = " \ - file://0001-Disable-use-of-syslog-for-sysroot.patch \ file://commonio.c-fix-unexpected-open-failure-in-chroot-env.patch \ " -SRC_URI:append:class-nativesdk = " \ - file://0001-Disable-use-of-syslog-for-sysroot.patch \ - " - -SRC_URI[sha256sum] = "6c4627ff9c9422b96664517ae753c944f2902e92809d0698b65f5fef11985212" +SRC_URI[sha256sum] = "1744f339e07a2b41056347ddd612839762ff565d7e9494fb049428002fa2e7e0" # Additional Policy files for PAM PAM_SRC_URI = "file://pam.d/chfn \ 
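Review bot: Dropping `shadow-4.1.3-dots-in-usernames.patch` and `shadow-relaxed-usernames.patch` from `SRC_URI` changes which user and group names the tools accept, and nothing in the recipe records that. By the deleted patch's own description, upstream rejects upper-case names, and these two patches were what admitted them and dots. A recipe that creates such a name through the useradd class would presumably start failing after this upgrade. A comment next to `SRC_URI`, for example `# Name validation follows upstream from here on; upper-case or dotted names are not accepted by default` (worded to match what 4.16.0 actually does), would make the behaviour change discoverable.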
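Review bot: With `0001-Disable-use-of-syslog-for-sysroot.patch` removed from `SRC_URI:append:class-native` and the whole `SRC_URI:append:class-nativesdk` block deleted, nothing visible in this diff stops the native user/group tools from writing to the build host's syslog. Preventing that was the patch's stated purpose. If 4.16.0 suppresses logging itself when run against a sysroot, a short comment here saying so (with the upstream reference) would close the question. If it does not, the native and nativesdk variants still need an equivalent.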
@@ -44,16 +35,18 @@ PAM_SRC_URI = "file://pam.d/chfn \ file://pam.d/passwd \ file://pam.d/su" -inherit autotools gettext +inherit autotools gettext github-releases pkgconfig export CONFIG_SHELL="/bin/sh" -EXTRA_OECONF += "--without-libcrack \ +EXTRA_OECONF += " \ --with-group-name-max-length=24 \ --enable-subordinate-ids=yes \ --without-sssd \ ${NSCDOPT}" +CFLAGS:append:libc-musl = " -DLIBBSD_OVERLAY" + NSCDOPT = "" NSCDOPT:class-native = "--without-nscd" NSCDOPT:class-nativesdk = "--without-nscd" @@ -66,23 +59,22 @@ PAM_PLUGINS = "libpam-runtime \ pam-plugin-env \ pam-plugin-group \ pam-plugin-limits \ - pam-plugin-lastlog \ pam-plugin-motd \ pam-plugin-mail \ pam-plugin-shells \ pam-plugin-rootok" -PAM_PLUGINS:remove:libc-musl = "pam-plugin-lastlog" - PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} \ ${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'attr', '', d)}" -PACKAGECONFIG:class-native ??= "${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'attr', '', d)}" +PACKAGECONFIG:class-native ??= "${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'attr', '', d)} libbsd" PACKAGECONFIG:class-nativesdk = "" PACKAGECONFIG[pam] = "--with-libpam,--without-libpam,libpam,${PAM_PLUGINS}" PACKAGECONFIG[attr] = "--with-attr,--without-attr,attr" PACKAGECONFIG[acl] = "--with-acl,--without-acl,acl" PACKAGECONFIG[audit] = "--with-audit,--without-audit,audit" PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux libsemanage" +PACKAGECONFIG[libbsd] = "--with-libbsd,--without-libbsd,libbsd" +PACKAGECONFIG[logind] = "--enable-logind,--disable-logind,systemd" RDEPENDS:${PN} = "shadow-securetty \ base-passwd \ @@ -118,7 +110,7 @@ do_install() { sed -i 's/^#ENCRYPT_METHOD.*$/ENCRYPT_METHOD SHA512/' ${D}${sysconfdir}/login.defs install -d ${D}${sysconfdir}/default - install -m 0644 ${WORKDIR}/useradd ${D}${sysconfdir}/default + install -m 0644 ${UNPACKDIR}/useradd ${D}${sysconfdir}/default } do_install:append() { 
@@ -128,11 +120,11 @@ do_install:append() { install -m 0775 -d ${D}${localstatedir}/spool/mail chown root:mail ${D}${localstatedir}/spool/mail - if [ -e ${WORKDIR}/pam.d ]; then + if [ -e ${UNPACKDIR}/pam.d ]; then install -d ${D}${sysconfdir}/pam.d/ - install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/ + install -m 0644 ${UNPACKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/ # Remove defaults that are not used when supporting PAM. - sed -i -f ${WORKDIR}/login_defs_pam.sed ${D}${sysconfdir}/login.defs + sed -i -f ${UNPACKDIR}/login_defs_pam.sed ${D}${sysconfdir}/login.defs fi install -d ${D}${sbindir} ${D}${base_sbindir} ${D}${base_bindir} 
@@ -151,6 +143,36 @@ do_install:append() { # Handle link properly after rename, otherwise missing files would # lead rpm failed dependencies. ln -sf newgrp.${BPN} ${D}${bindir}/sg + + # usermod requires the subuid/subgid files to be in place before being + # able to use the -v/-V flags otherwise it fails: + # usermod: /etc/subuid does not exist, you cannot use the flags -v or -V + install -d ${D}${sysconfdir} + touch ${D}${sysconfdir}/subuid + touch ${D}${sysconfdir}/subgid +} + +# Make executables look for dynamically linked libraries in a custom location, and install +# the needed libraries there. That way we can use them from sstate +# in setscene tasks without worrying about the dependency libraries being available. +do_install:append:class-native() { + binaries=$(find ${D}${base_bindir}/ ${D}${base_sbindir}/ ${D}${bindir}/ ${D}${sbindir}/ -executable -type f) + chrpath -k -r ${STAGING_DIR_NATIVE}/lib-shadow-deps $binaries + mkdir -p ${D}${STAGING_DIR_NATIVE}/lib-shadow-deps/ + libattr=${@bb.utils.contains('DISTRO_FEATURES', 'xattr', "${STAGING_LIBDIR_NATIVE}/libattr.so.*", '', d)} + install $libattr ${STAGING_LIBDIR_NATIVE}/libbsd.so.* ${STAGING_LIBDIR_NATIVE}/libmd.so.* ${D}${STAGING_DIR_NATIVE}/lib-shadow-deps/ + install ${D}${libdir}/*.so.* ${D}${STAGING_DIR_NATIVE}/lib-shadow-deps/ +} + +SYSROOT_DIRS:append:class-native = " ${STAGING_DIR_NATIVE}/lib-shadow-deps/" +INSANE_SKIP:${PN}:class-native = "already-stripped" + +do_install:append:class-nativesdk() { + oe_runmake -C ${B}/man DESTDIR="${D}" sbindir="${base_sbindir}" usbindir="${sbindir}" install-man +} + +do_install:append:class-target() { + oe_runmake -C ${B}/man DESTDIR="${D}" sbindir="${base_sbindir}" usbindir="${sbindir}" install-man } PACKAGES =+ "${PN}-base" 
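Review bot: `do_install:append:class-native` copies `libbsd.so.*` and `libmd.so.*` unconditionally, while libbsd only enters the native build through the weak default `PACKAGECONFIG:class-native ??= "... libbsd"` set earlier in this file. A configuration that overrides that PACKAGECONFIG leaves the globs unmatched and `install` fails. The `libattr` line has a related mismatch, since it keys on `DISTRO_FEATURES` rather than on the `attr` PACKAGECONFIG. Guarding the copy the same way would keep the two in step: `libbsd=${@bb.utils.contains('PACKAGECONFIG', 'libbsd', "${STAGING_LIBDIR_NATIVE}/libbsd.so.* ${STAGING_LIBDIR_NATIVE}/libmd.so.*", '', d)}` followed by `install $libattr $libbsd ${D}${STAGING_DIR_NATIVE}/lib-shadow-deps/`. Separately, `$binaries` is expanded unquoted from `find` output, so a staging path containing whitespace would be split before it reaches `chrpath`.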
@@ -178,6 +200,11 @@ ALTERNATIVE_LINK_NAME[vipw] = "${base_sbindir}/vipw" ALTERNATIVE_LINK_NAME[vigr] = "${base_sbindir}/vigr" ALTERNATIVE_LINK_NAME[nologin] = "${base_sbindir}/nologin" +ALTERNATIVE:${PN}-doc = "chfn.1 chsh.1 groups.1" +ALTERNATIVE_LINK_NAME[chfn.1] = "${mandir}/man1/chfn.1" +ALTERNATIVE_LINK_NAME[chsh.1] = "${mandir}/man1/chsh.1" +ALTERNATIVE_LINK_NAME[groups.1] = "${mandir}/man1/groups.1" + ALTERNATIVE:${PN}-base = "newgrp groups login su" ALTERNATIVE_LINK_NAME[login] = "${base_bindir}/login" ALTERNATIVE_LINK_NAME[su] = "${base_bindir}/su" diff --git a/meta/recipes-extended/shadow/shadow_4.9.bb b/meta/recipes-extended/shadow/shadow_4.16.0.bb index 2fbd81bf72..e57676c1da 100644 --- a/meta/recipes-extended/shadow/shadow_4.9.bb +++ b/meta/recipes-extended/shadow/shadow_4.16.0.bb @@ -6,6 +6,5 @@ BUILD_LDFLAGS:append:class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'p BBCLASSEXTEND = "native nativesdk" -# Severity is low and marked as closed and won't fix. # https://bugzilla.redhat.com/show_bug.cgi?id=884658 -CVE_CHECK_WHITELIST += "CVE-2013-4235" +CVE_STATUS[CVE-2013-4235] = "upstream-wontfix: Severity is low and marked as closed and won't fix." |
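Review bot: The `CVE_STATUS[CVE-2013-4235]` line in shadow_4.16.0.bb carries the old won't-fix waiver across the jump from 4.9 to 4.16.0 with no sign that it was re-checked against the new release. If upstream has since changed the affected code, the entry would keep suppressing a CVE whose status is now different, so it is worth confirming before merging. The surviving `# https://bugzilla.redhat.com/show_bug.cgi?id=884658` comment also lost its explanatory line. A comment such as `# Status re-checked for 4.16.0 on <date>: <result>` directly above the `CVE_STATUS` line would document the decision.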