added core/shadow

Kevin Mihelich 2023-09-23 01:16:48 +00:00
parent 98f8c8950c
commit 56a482517c
10 changed files with 1810 additions and 0 deletions


@ -0,0 +1,727 @@
From c6fe55f198b1e3bd3087f9213193d94f5c1c3d31 Mon Sep 17 00:00:00 2001
From: David Runge <dvzrv@archlinux.org>
Date: Sat, 5 Nov 2022 23:40:18 +0100
Subject: [PATCH 1/3] Disable replaced tools and their man pages and PAM
integration
etc/pam.d/Makefile.am:
Disable installation of PAM integration for chfn, chsh and login tools
as they are provided by util-linux.
man/Makefile.am, man/*/Makefile.am:
Disable man pages for chfn, chsh, login, logoutd, newgrp, nologin, vigr,
vipw and su as they are either no longer used or replaced by util-linux.
src/Makefile.am:
Set usbindir to use bin instead of sbin, as Arch Linux is a /usr and bin
merge distribution.
Remove the use of login, nologin, chfn, chsh, logoutd, vipw and vigr, as
they are either not used or replaced by util-linux.
Move newgrp to replace sg (instead of it being a symlink).
---
etc/pam.d/Makefile.am | 3 ---
man/Makefile.am | 20 +++-----------------
man/cs/Makefile.am | 8 ++------
man/da/Makefile.am | 8 +-------
man/de/Makefile.am | 11 +----------
man/fi/Makefile.am | 5 +----
man/fr/Makefile.am | 11 +----------
man/hu/Makefile.am | 6 +-----
man/id/Makefile.am | 2 --
man/it/Makefile.am | 11 +----------
man/ja/Makefile.am | 10 +---------
man/ko/Makefile.am | 8 +-------
man/pl/Makefile.am | 7 +------
man/ru/Makefile.am | 11 +----------
man/sv/Makefile.am | 8 +-------
man/tr/Makefile.am | 3 ---
man/uk/Makefile.am | 11 +----------
man/zh_CN/Makefile.am | 11 +----------
man/zh_TW/Makefile.am | 4 ----
src/Makefile.am | 18 +++++++-----------
20 files changed, 25 insertions(+), 151 deletions(-)
diff --git a/etc/pam.d/Makefile.am b/etc/pam.d/Makefile.am
index 38ff26ae..a19ad431 100644
--- a/etc/pam.d/Makefile.am
+++ b/etc/pam.d/Makefile.am
@@ -2,10 +2,7 @@
# and also cooperate to make a distribution for `make dist'
pamd_files = \
- chfn \
- chsh \
groupmems \
- login \
passwd
pamd_acct_tools_files = \
diff --git a/man/Makefile.am b/man/Makefile.am
index 89d97937..d2741036 100644
--- a/man/Makefile.am
+++ b/man/Makefile.am
@@ -8,10 +8,8 @@ endif
man_MANS = \
man1/chage.1 \
- man1/chfn.1 \
man8/chgpasswd.8 \
man8/chpasswd.8 \
- man1/chsh.1 \
man1/expiry.1 \
man5/faillog.5 \
man8/faillog.8 \
@@ -26,12 +24,9 @@ man_MANS = \
man8/grpconv.8 \
man8/grpunconv.8 \
man5/gshadow.5 \
- man1/login.1 \
+ man8/lastlog.8 \
man5/login.defs.5 \
- man8/logoutd.8 \
- man1/newgrp.1 \
man8/newusers.8 \
- man8/nologin.8 \
man1/passwd.1 \
man5/passwd.5 \
man8/pwck.8 \
@@ -43,9 +38,7 @@ man_MANS = \
man5/suauth.5 \
man8/useradd.8 \
man8/userdel.8 \
- man8/usermod.8 \
- man8/vigr.8 \
- man8/vipw.8
+ man8/usermod.8
if ENABLE_LASTLOG
man_MANS += man8/lastlog.8
@@ -77,10 +70,8 @@ endif
man_XMANS = \
chage.1.xml \
- chfn.1.xml \
chgpasswd.8.xml \
chpasswd.8.xml \
- chsh.1.xml \
expiry.1.xml \
faillog.5.xml \
faillog.8.xml \
@@ -94,12 +85,9 @@ man_XMANS = \
grpck.8.xml \
gshadow.5.xml \
limits.5.xml \
- login.1.xml \
login.access.5.xml \
login.defs.5.xml \
- logoutd.8.xml \
newgidmap.1.xml \
- newgrp.1.xml \
newuidmap.1.xml \
newusers.8.xml \
nologin.8.xml \
@@ -111,14 +99,12 @@ man_XMANS = \
shadow.3.xml \
shadow.5.xml \
sg.1.xml \
- su.1.xml \
suauth.5.xml \
subgid.5.xml \
subuid.5.xml \
useradd.8.xml \
userdel.8.xml \
- usermod.8.xml \
- vipw.8.xml
+ usermod.8.xml
if ENABLE_LASTLOG
man_XMANS += lastlog.8.xml
diff --git a/man/cs/Makefile.am b/man/cs/Makefile.am
index 84407d71..c5ef7cf5 100644
--- a/man/cs/Makefile.am
+++ b/man/cs/Makefile.am
@@ -12,11 +12,8 @@ man_MANS = \
man1/groups.1 \
man8/grpck.8 \
man5/gshadow.5 \
- man8/nologin.8 \
man5/passwd.5 \
- man5/shadow.5 \
- man1/su.1 \
- man8/vipw.8
+ man5/shadow.5
if ENABLE_LASTLOG
man_MANS += man8/lastlog.8
@@ -24,6 +21,5 @@ endif
EXTRA_DIST = $(man_MANS) \
man1/id.1 \
- man8/groupmems.8 \
- man8/logoutd.8
+ man8/groupmems.8
diff --git a/man/da/Makefile.am b/man/da/Makefile.am
index a3b09224..e45bef66 100644
--- a/man/da/Makefile.am
+++ b/man/da/Makefile.am
@@ -3,16 +3,10 @@ mandir = @mandir@/da
# 2012.01.28 - activate manpages with more than 50% translated messages
man_MANS = \
- man1/chfn.1 \
man8/groupdel.8 \
man1/groups.1 \
man5/gshadow.5 \
- man8/logoutd.8 \
- man1/newgrp.1 \
- man8/nologin.8 \
- man1/sg.1 \
- man8/vigr.8 \
- man8/vipw.8
+ man1/sg.1
man_nopam =
diff --git a/man/de/Makefile.am b/man/de/Makefile.am
index 671432d3..333d5524 100644
--- a/man/de/Makefile.am
+++ b/man/de/Makefile.am
@@ -3,10 +3,8 @@ mandir = @mandir@/de
man_MANS = \
man1/chage.1 \
- man1/chfn.1 \
man8/chgpasswd.8 \
man8/chpasswd.8 \
- man1/chsh.1 \
man1/expiry.1 \
man5/faillog.5 \
man8/faillog.8 \
@@ -21,12 +19,8 @@ man_MANS = \
man8/grpconv.8 \
man8/grpunconv.8 \
man5/gshadow.5 \
- man1/login.1 \
man5/login.defs.5 \
- man8/logoutd.8 \
- man1/newgrp.1 \
man8/newusers.8 \
- man8/nologin.8 \
man1/passwd.1 \
man5/passwd.5 \
man8/pwck.8 \
@@ -35,13 +29,10 @@ man_MANS = \
man1/sg.1 \
man3/shadow.3 \
man5/shadow.5 \
- man1/su.1 \
man5/suauth.5 \
man8/useradd.8 \
man8/userdel.8 \
- man8/usermod.8 \
- man8/vigr.8 \
- man8/vipw.8
+ man8/usermod.8
if ENABLE_LASTLOG
man_MANS += man8/lastlog.8
diff --git a/man/fi/Makefile.am b/man/fi/Makefile.am
index 26a1a848..f02b92f3 100644
--- a/man/fi/Makefile.am
+++ b/man/fi/Makefile.am
@@ -1,10 +1,7 @@
mandir = @mandir@/fi
-man_MANS = \
- man1/chfn.1 \
- man1/chsh.1 \
- man1/su.1
+man_MANS =
# Outdated manpages
# passwd.1 (https://bugs.launchpad.net/ubuntu/+bug/384024)
diff --git a/man/fr/Makefile.am b/man/fr/Makefile.am
index 335e0298..9962c038 100644
--- a/man/fr/Makefile.am
+++ b/man/fr/Makefile.am
@@ -3,10 +3,8 @@ mandir = @mandir@/fr
man_MANS = \
man1/chage.1 \
- man1/chfn.1 \
man8/chgpasswd.8 \
man8/chpasswd.8 \
- man1/chsh.1 \
man1/expiry.1 \
man5/faillog.5 \
man8/faillog.8 \
@@ -21,12 +19,8 @@ man_MANS = \
man8/grpconv.8 \
man8/grpunconv.8 \
man5/gshadow.5 \
- man1/login.1 \
man5/login.defs.5 \
- man8/logoutd.8 \
- man1/newgrp.1 \
man8/newusers.8 \
- man8/nologin.8 \
man1/passwd.1 \
man5/passwd.5 \
man8/pwck.8 \
@@ -35,13 +29,10 @@ man_MANS = \
man1/sg.1 \
man3/shadow.3 \
man5/shadow.5 \
- man1/su.1 \
man5/suauth.5 \
man8/useradd.8 \
man8/userdel.8 \
- man8/usermod.8 \
- man8/vigr.8 \
- man8/vipw.8
+ man8/usermod.8
if ENABLE_LASTLOG
man_MANS += man8/lastlog.8
diff --git a/man/hu/Makefile.am b/man/hu/Makefile.am
index 205bb0a8..3d813179 100644
--- a/man/hu/Makefile.am
+++ b/man/hu/Makefile.am
@@ -2,15 +2,11 @@
mandir = @mandir@/hu
man_MANS = \
- man1/chsh.1 \
man1/gpasswd.1 \
man1/groups.1 \
- man1/login.1 \
- man1/newgrp.1 \
man1/passwd.1 \
man5/passwd.5 \
- man1/sg.1 \
- man1/su.1
+ man1/sg.1
if ENABLE_LASTLOG
man_MANS += man8/lastlog.8
diff --git a/man/id/Makefile.am b/man/id/Makefile.am
index 21f3dbe9..6d10b930 100644
--- a/man/id/Makefile.am
+++ b/man/id/Makefile.am
@@ -2,8 +2,6 @@
mandir = @mandir@/id
man_MANS = \
- man1/chsh.1 \
- man1/login.1 \
man8/useradd.8
EXTRA_DIST = $(man_MANS)
diff --git a/man/it/Makefile.am b/man/it/Makefile.am
index b76187fa..1f62e20e 100644
--- a/man/it/Makefile.am
+++ b/man/it/Makefile.am
@@ -3,10 +3,8 @@ mandir = @mandir@/it
man_MANS = \
man1/chage.1 \
- man1/chfn.1 \
man8/chgpasswd.8 \
man8/chpasswd.8 \
- man1/chsh.1 \
man1/expiry.1 \
man5/faillog.5 \
man8/faillog.8 \
@@ -21,12 +19,8 @@ man_MANS = \
man8/grpconv.8 \
man8/grpunconv.8 \
man5/gshadow.5 \
- man1/login.1 \
man5/login.defs.5 \
- man8/logoutd.8 \
- man1/newgrp.1 \
man8/newusers.8 \
- man8/nologin.8 \
man1/passwd.1 \
man5/passwd.5 \
man8/pwck.8 \
@@ -35,13 +29,10 @@ man_MANS = \
man1/sg.1 \
man3/shadow.3 \
man5/shadow.5 \
- man1/su.1 \
man5/suauth.5 \
man8/useradd.8 \
man8/userdel.8 \
- man8/usermod.8 \
- man8/vigr.8 \
- man8/vipw.8
+ man8/usermod.8
if ENABLE_LASTLOG
man_MANS += man8/lastlog.8
diff --git a/man/ja/Makefile.am b/man/ja/Makefile.am
index 13f18da1..3401a085 100644
--- a/man/ja/Makefile.am
+++ b/man/ja/Makefile.am
@@ -3,9 +3,7 @@ mandir = @mandir@/ja
man_MANS = \
man1/chage.1 \
- man1/chfn.1 \
man8/chpasswd.8 \
- man1/chsh.1 \
man1/expiry.1 \
man5/faillog.5 \
man8/faillog.8 \
@@ -17,10 +15,7 @@ man_MANS = \
man8/grpck.8 \
man8/grpconv.8 \
man8/grpunconv.8 \
- man1/login.1 \
man5/login.defs.5 \
- man8/logoutd.8 \
- man1/newgrp.1 \
man8/newusers.8 \
man1/passwd.1 \
man5/passwd.5 \
@@ -29,13 +24,10 @@ man_MANS = \
man8/pwunconv.8 \
man1/sg.1 \
man5/shadow.5 \
- man1/su.1 \
man5/suauth.5 \
man8/useradd.8 \
man8/userdel.8 \
- man8/usermod.8 \
- man8/vigr.8 \
- man8/vipw.8
+ man8/usermod.8
if ENABLE_LASTLOG
man_MANS += man8/lastlog.8
diff --git a/man/ko/Makefile.am b/man/ko/Makefile.am
index c269f0bb..9616cb3e 100644
--- a/man/ko/Makefile.am
+++ b/man/ko/Makefile.am
@@ -2,14 +2,8 @@
mandir = @mandir@/ko
man_MANS = \
- man1/chfn.1 \
- man1/chsh.1 \
man1/groups.1 \
- man1/login.1 \
- man5/passwd.5 \
- man1/su.1 \
- man8/vigr.8 \
- man8/vipw.8
+ man5/passwd.5
# newgrp.1 must be updated
# newgrp.1
diff --git a/man/pl/Makefile.am b/man/pl/Makefile.am
index b2f096f7..00817d37 100644
--- a/man/pl/Makefile.am
+++ b/man/pl/Makefile.am
@@ -4,7 +4,6 @@ mandir = @mandir@/pl
# 2012.01.28 - activate manpages with more than 50% translated messages
man_MANS = \
man1/chage.1 \
- man1/chsh.1 \
man1/expiry.1 \
man5/faillog.5 \
man8/faillog.8 \
@@ -15,14 +14,10 @@ man_MANS = \
man8/groupmod.8 \
man1/groups.1 \
man8/grpck.8 \
- man8/logoutd.8 \
- man1/newgrp.1 \
man1/sg.1 \
man3/shadow.3 \
man8/userdel.8 \
- man8/usermod.8 \
- man8/vigr.8 \
- man8/vipw.8
+ man8/usermod.8
if ENABLE_LASTLOG
man_MANS += man8/lastlog.8
diff --git a/man/ru/Makefile.am b/man/ru/Makefile.am
index 84d55d9e..b65f4881 100644
--- a/man/ru/Makefile.am
+++ b/man/ru/Makefile.am
@@ -3,10 +3,8 @@ mandir = @mandir@/ru
man_MANS = \
man1/chage.1 \
- man1/chfn.1 \
man8/chgpasswd.8 \
man8/chpasswd.8 \
- man1/chsh.1 \
man1/expiry.1 \
man5/faillog.5 \
man8/faillog.8 \
@@ -21,12 +19,8 @@ man_MANS = \
man8/grpconv.8 \
man8/grpunconv.8 \
man5/gshadow.5 \
- man1/login.1 \
man5/login.defs.5 \
- man8/logoutd.8 \
- man1/newgrp.1 \
man8/newusers.8 \
- man8/nologin.8 \
man1/passwd.1 \
man5/passwd.5 \
man8/pwck.8 \
@@ -35,13 +29,10 @@ man_MANS = \
man1/sg.1 \
man3/shadow.3 \
man5/shadow.5 \
- man1/su.1 \
man5/suauth.5 \
man8/useradd.8 \
man8/userdel.8 \
- man8/usermod.8 \
- man8/vigr.8 \
- man8/vipw.8
+ man8/usermod.8
if ENABLE_LASTLOG
man_MANS += man8/lastlog.8
diff --git a/man/sv/Makefile.am b/man/sv/Makefile.am
index 70329edf..58fa80e5 100644
--- a/man/sv/Makefile.am
+++ b/man/sv/Makefile.am
@@ -3,7 +3,6 @@ mandir = @mandir@/sv
# 2012.01.28 - activate manpages with more than 50% translated messages
man_MANS = \
man1/chage.1 \
- man1/chsh.1 \
man1/expiry.1 \
man5/faillog.5 \
man8/faillog.8 \
@@ -15,18 +14,13 @@ man_MANS = \
man1/groups.1 \
man8/grpck.8 \
man5/gshadow.5 \
- man8/logoutd.8 \
- man1/newgrp.1 \
- man8/nologin.8 \
man1/passwd.1 \
man5/passwd.5 \
man8/pwck.8 \
man1/sg.1 \
man3/shadow.3 \
man5/suauth.5 \
- man8/userdel.8 \
- man8/vigr.8 \
- man8/vipw.8
+ man8/userdel.8
if ENABLE_LASTLOG
man_MANS += man8/lastlog.8
diff --git a/man/tr/Makefile.am b/man/tr/Makefile.am
index 8d8b9166..4fe3632a 100644
--- a/man/tr/Makefile.am
+++ b/man/tr/Makefile.am
@@ -2,15 +2,12 @@ mandir = @mandir@/tr
man_MANS = \
man1/chage.1 \
- man1/chfn.1 \
man8/groupadd.8 \
man8/groupdel.8 \
man8/groupmod.8 \
- man1/login.1 \
man1/passwd.1 \
man5/passwd.5 \
man5/shadow.5 \
- man1/su.1 \
man8/useradd.8 \
man8/userdel.8 \
man8/usermod.8
diff --git a/man/uk/Makefile.am b/man/uk/Makefile.am
index 3fb5ffb3..e13c8fee 100644
--- a/man/uk/Makefile.am
+++ b/man/uk/Makefile.am
@@ -3,10 +3,8 @@ mandir = @mandir@/uk
man_MANS = \
man1/chage.1 \
- man1/chfn.1 \
man8/chgpasswd.8 \
man8/chpasswd.8 \
- man1/chsh.1 \
man1/expiry.1 \
man5/faillog.5 \
man8/faillog.8 \
@@ -21,12 +19,8 @@ man_MANS = \
man8/grpconv.8 \
man8/grpunconv.8 \
man5/gshadow.5 \
- man1/login.1 \
man5/login.defs.5 \
- man8/logoutd.8 \
- man1/newgrp.1 \
man8/newusers.8 \
- man8/nologin.8 \
man1/passwd.1 \
man5/passwd.5 \
man8/pwck.8 \
@@ -35,13 +29,10 @@ man_MANS = \
man1/sg.1 \
man3/shadow.3 \
man5/shadow.5 \
- man1/su.1 \
man5/suauth.5 \
man8/useradd.8 \
man8/userdel.8 \
- man8/usermod.8 \
- man8/vigr.8 \
- man8/vipw.8
+ man8/usermod.8
if ENABLE_LASTLOG
man_MANS += man8/lastlog.8
diff --git a/man/zh_CN/Makefile.am b/man/zh_CN/Makefile.am
index a8b93a56..42ad764d 100644
--- a/man/zh_CN/Makefile.am
+++ b/man/zh_CN/Makefile.am
@@ -3,10 +3,8 @@ mandir = @mandir@/zh_CN
man_MANS = \
man1/chage.1 \
- man1/chfn.1 \
man8/chgpasswd.8 \
man8/chpasswd.8 \
- man1/chsh.1 \
man1/expiry.1 \
man5/faillog.5 \
man8/faillog.8 \
@@ -21,12 +19,8 @@ man_MANS = \
man8/grpconv.8 \
man8/grpunconv.8 \
man5/gshadow.5 \
- man1/login.1 \
man5/login.defs.5 \
- man8/logoutd.8 \
- man1/newgrp.1 \
man8/newusers.8 \
- man8/nologin.8 \
man1/passwd.1 \
man5/passwd.5 \
man8/pwck.8 \
@@ -35,13 +29,10 @@ man_MANS = \
man1/sg.1 \
man3/shadow.3 \
man5/shadow.5 \
- man1/su.1 \
man5/suauth.5 \
man8/useradd.8 \
man8/userdel.8 \
- man8/usermod.8 \
- man8/vigr.8 \
- man8/vipw.8
+ man8/usermod.8
if ENABLE_LASTLOG
man_MANS += man8/lastlog.8
diff --git a/man/zh_TW/Makefile.am b/man/zh_TW/Makefile.am
index c36ed2c7..26696b67 100644
--- a/man/zh_TW/Makefile.am
+++ b/man/zh_TW/Makefile.am
@@ -2,15 +2,11 @@
mandir = @mandir@/zh_TW
man_MANS = \
- man1/chfn.1 \
- man1/chsh.1 \
man8/chpasswd.8 \
- man1/newgrp.1 \
man8/groupadd.8 \
man8/groupdel.8 \
man8/groupmod.8 \
man5/passwd.5 \
- man1/su.1 \
man8/useradd.8 \
man8/userdel.8 \
man8/usermod.8
diff --git a/src/Makefile.am b/src/Makefile.am
index 585a0b7e..69ec939a 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -3,7 +3,7 @@ EXTRA_DIST = \
.indent.pro
ubindir = ${prefix}/bin
-usbindir = ${prefix}/sbin
+usbindir = ${prefix}/bin
suidperms = 4755
sgidperms = 2755
@@ -27,9 +27,9 @@ AM_CFLAGS = $(LIBBSD_CFLAGS)
# and installation would be much simpler (just two directories,
# $prefix/bin and $prefix/sbin, no install-data hacks...)
-bin_PROGRAMS = groups login
-sbin_PROGRAMS = nologin
-ubin_PROGRAMS = faillog chage chfn chsh expiry gpasswd newgrp passwd
+bin_PROGRAMS = groups
+sbin_PROGRAMS =
+ubin_PROGRAMS = faillog lastlog chage expiry gpasswd newgrp passwd
if ENABLE_SUBIDS
ubin_PROGRAMS += newgidmap newuidmap
endif
@@ -49,22 +49,20 @@ usbin_PROGRAMS = \
grpck \
grpconv \
grpunconv \
- logoutd \
newusers \
pwck \
pwconv \
pwunconv \
useradd \
userdel \
- usermod \
- vipw
+ usermod
# id and groups are from gnu, sulogin from sysvinit
noinst_PROGRAMS = id sulogin
suidusbins =
suidbins =
-suidubins = chage chfn chsh expiry gpasswd newgrp
+suidubins = chage expiry gpasswd newgrp
if WITH_SU
suidbins += su
endif
@@ -137,18 +135,16 @@ sulogin_LDADD = $(LDADD) $(LIBCRYPT) $(LIBECONF)
useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBECONF) -ldl
userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBECONF) -ldl
usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBECONF) -ldl
-vipw_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
install-am: all-am
$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
- ln -sf newgrp $(DESTDIR)$(ubindir)/sg
- ln -sf vipw $(DESTDIR)$(usbindir)/vigr
set -e; for i in $(suidbins); do \
chmod $(suidperms) $(DESTDIR)$(bindir)/$$i; \
done
set -e; for i in $(suidubins); do \
chmod $(suidperms) $(DESTDIR)$(ubindir)/$$i; \
done
+ mv -v $(DESTDIR)$(ubindir)/newgrp $(DESTDIR)$(ubindir)/sg
set -e; for i in $(suidusbins); do \
chmod $(suidperms) $(DESTDIR)$(usbindir)/$$i; \
done
--
2.42.0
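Review bot: The man/Makefile.am hunk adds `man8/lastlog.8 \` to the unconditional `man_MANS` list, but the context lines just below it still show `if ENABLE_LASTLOG` / `man_MANS += man8/lastlog.8`, so the page is listed twice when the option is on and is installed regardless when it is off. The src/Makefile.am hunk likewise puts `lastlog` into `ubin_PROGRAMS` unconditionally; if a conditional lastlog entry survives outside that hunk, the program would be declared twice for the same directory now that `usbindir` equals `ubindir`. I would keep lastlog behind `ENABLE_LASTLOG` in both files, or drop the conditional blocks in the same patch. Separately, in `install-am` the `mv -v $(DESTDIR)$(ubindir)/newgrp $(DESTDIR)$(ubindir)/sg` line only produces a setuid `sg` because it runs after the `suidubins` chmod loop; a comment next to it such as `# keep after the suidubins chmod: sg inherits mode $(suidperms) from newgrp` would make that ordering and the resulting setuid binary explicit for whoever audits the package's file modes.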


@ -0,0 +1,721 @@
From 04208ea372acef47175b48ad85959b43b8042831 Mon Sep 17 00:00:00 2001
From: David Runge <dvzrv@archlinux.org>
Date: Mon, 31 Oct 2022 09:45:13 +0100
Subject: [PATCH 2/3] Adapt login.defs for PAM and util-linux
etc/login.defs:
Remove unused login.defs options, that are either irrelevant due to the
use of PAM or because the util-linux version of a binary does not
support them.
Modify all options that are ignored when using PAM, but are supported by
util-linux.
Removed options because they are part of PAMDEFS (options in PAMDEFS are
options silently ignored by shadow when built with PAM enabled):
* CHFN_AUTH
* CRACKLIB_DICTPATH
* ENV_HZ
* ENVIRON_FILE
* ENV_TZ
* FAILLOG_ENAB
* FTMP_FILE
* ISSUE_FILE
* LASTLOG_ENAB
* LOGIN_STRING
* MAIL_CHECK_ENAB
* NOLOGINS_FILE
* OBSCURE_CHECKS_ENAB
* PASS_ALWAYS_WARN
* PASS_CHANGE_TRIES
* PASS_MAX_LEN
* PASS_MIN_LEN
* PORTTIME_CHECKS_ENAB
* QUOTAS_ENAB
* SU_WHEEL_ONLY
* SYSLOG_SU_ENAB
* ULIMIT
Removed options because they are not availablbe with PAM enabled:
* BCRYPT_MIN_ROUNDS
* BCRYPT_MAX_ROUNDS
* CONSOLE_GROUPS
* CONSOLE
* MD5_CRYPT_ENAB
* PREVENT_NO_AUTH
Removed encryption methods (`ENCRYPT_METHOD`), because they are unsafe
or not available with PAM:
* BCRYPT
* MD5
Removed options because they are not supported by login from util-linux:
* ERASECHAR
* KILLCHAR
* LOG_OK_LOGINS
* TTYTYPE_FILE
Removed options because they are not supported by su from util-linux:
* SULOG_FILE
* SU_NAME
Adapted options because they are in PAMDEFS but are supported by login
from util-linux:
* MOTD_FILE
man/login.defs.5.xml:
Remove unavailable options from man 5 login.defs.
---
etc/login.defs | 228 +------------------------------------------
man/login.defs.5.xml | 150 +---------------------------
2 files changed, 8 insertions(+), 370 deletions(-)
diff --git a/etc/login.defs b/etc/login.defs
index 114dbcd9..797ca6b3 100644
--- a/etc/login.defs
+++ b/etc/login.defs
@@ -3,6 +3,8 @@
#
# $Id$
#
+# NOTE: This file is adapted for the use on Arch Linux!
+# Unsupported options due to the use of util-linux or PAM are removed.
#
# Delay in seconds before being allowed another attempt after a login failure
@@ -11,26 +13,11 @@
#
FAIL_DELAY 3
-#
-# Enable logging and display of /var/log/faillog login(1) failure info.
-#
-FAILLOG_ENAB yes
-
#
# Enable display of unknown usernames when login(1) failures are recorded.
#
LOG_UNKFAIL_ENAB no
-#
-# Enable logging of successful logins
-#
-LOG_OK_LOGINS no
-
-#
-# Enable logging and display of /var/log/lastlog login(1) time info.
-#
-LASTLOG_ENAB yes
-
#
# Limit the highest user ID number for which the lastlog entries should
# be updated.
@@ -40,88 +27,13 @@ LASTLOG_ENAB yes
#
#LASTLOG_UID_MAX
-#
-# Enable checking and display of mailbox status upon login.
-#
-# Disable if the shell startup files already check for mail
-# ("mailx -e" or equivalent).
-#
-MAIL_CHECK_ENAB yes
-
-#
-# Enable additional checks upon password changes.
-#
-OBSCURE_CHECKS_ENAB yes
-
-#
-# Enable checking of time restrictions specified in /etc/porttime.
-#
-PORTTIME_CHECKS_ENAB yes
-
-#
-# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field.
-#
-QUOTAS_ENAB yes
-
-#
-# Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
-# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
-#
-SYSLOG_SU_ENAB yes
-SYSLOG_SG_ENAB yes
-
-#
-# If defined, either full pathname of a file containing device names or
-# a ":" delimited list of device names. Root logins will be allowed only
-# from these devices.
-#
-CONSOLE /etc/securetty
-#CONSOLE console:tty01:tty02:tty03:tty04
-
-#
-# If defined, all su(1) activity is logged to this file.
-#
-#SULOG_FILE /var/log/sulog
-
#
# If defined, ":" delimited list of "message of the day" files to
# be displayed upon login.
#
-MOTD_FILE /etc/motd
+MOTD_FILE
#MOTD_FILE /etc/motd:/usr/lib/news/news-motd
-#
-# If defined, this file will be output before each login(1) prompt.
-#
-#ISSUE_FILE /etc/issue
-
-#
-# If defined, file which maps tty line to TERM environment parameter.
-# Each line of the file is in a format similar to "vt100 tty01".
-#
-#TTYTYPE_FILE /etc/ttytype
-
-#
-# If defined, login(1) failures will be logged here in a utmp format.
-# last(1), when invoked as lastb(1), will read /var/log/btmp, so...
-#
-FTMP_FILE /var/log/btmp
-
-#
-# If defined, name of file whose presence will inhibit non-root
-# logins. The content of this file should be a message indicating
-# why logins are inhibited.
-#
-NOLOGINS_FILE /etc/nologin
-
-#
-# If defined, the command name to display when running "su -". For
-# example, if this is defined as "su" then ps(1) will display the
-# command as "-su". If not defined, then ps(1) will display the
-# name of the shell actually being run, e.g. something like "-sh".
-#
-SU_NAME su
-
#
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
@@ -139,21 +51,6 @@ MAIL_DIR /var/spool/mail
HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
-#
-# If defined, either a TZ environment parameter spec or the
-# fully-rooted pathname of a file containing such a spec.
-#
-#ENV_TZ TZ=CST6CDT
-#ENV_TZ /etc/tzname
-
-#
-# If defined, an HZ environment parameter spec.
-#
-# for Linux/x86
-ENV_HZ HZ=100
-# For Linux/Alpha...
-#ENV_HZ HZ=1024
-
#
# *REQUIRED* The default PATH settings, for superuser and normal users.
#
@@ -175,23 +72,6 @@ ENV_PATH PATH=/bin:/usr/bin
TTYGROUP tty
TTYPERM 0600
-#
-# Login configuration initializations:
-#
-# ERASECHAR Terminal ERASE character ('\010' = backspace).
-# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
-# ULIMIT Default "ulimit" value.
-#
-# The ERASECHAR and KILLCHAR are used only on System V machines.
-# The ULIMIT is used only if the system supports it.
-# (now it works with setrlimit too; ulimit is in 512-byte units)
-#
-# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
-#
-ERASECHAR 0177
-KILLCHAR 025
-#ULIMIT 2097152
-
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
@@ -211,27 +91,12 @@ UMASK 022
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
-# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
-PASS_MIN_LEN 5
PASS_WARN_AGE 7
-#
-# If "yes", the user must be listed as a member of the first gid 0 group
-# in /etc/group (called "root" on most Linux systems) to be able to "su"
-# to uid 0 accounts. If the group doesn't exist or is empty, no one
-# will be able to "su" to uid 0.
-#
-SU_WHEEL_ONLY no
-
-#
-# If compiled with cracklib support, sets the path to the dictionaries
-#
-CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
-
#
# Min/max values for automatic uid selection in useradd(8)
#
@@ -268,28 +133,6 @@ LOGIN_RETRIES 5
#
LOGIN_TIMEOUT 60
-#
-# Maximum number of attempts to change password if rejected (too easy)
-#
-PASS_CHANGE_TRIES 5
-
-#
-# Warn about weak passwords (but still allow them) if you are root.
-#
-PASS_ALWAYS_WARN yes
-
-#
-# Number of significant characters in the password for crypt().
-# Default is 8, don't change unless your crypt() is better.
-# Ignored if MD5_CRYPT_ENAB set to "yes".
-#
-#PASS_MAX_LEN 8
-
-#
-# Require password before chfn(1)/chsh(1) can make any changes.
-#
-CHFN_AUTH yes
-
#
# Which fields may be changed by regular users using chfn(1) - use
# any combination of letters "frwh" (full name, room number, work
@@ -298,38 +141,13 @@ CHFN_AUTH yes
#
CHFN_RESTRICT rwh
-#
-# Password prompt (%s will be replaced by user name).
-#
-# XXX - it doesn't work correctly yet, for now leave it commented out
-# to use the default which is just "Password: ".
-#LOGIN_STRING "%s's Password: "
-
-#
-# Only works if compiled with MD5_CRYPT defined:
-# If set to "yes", new passwords will be encrypted using the MD5-based
-# algorithm compatible with the one used by recent releases of FreeBSD.
-# It supports passwords of unlimited length and longer salt strings.
-# Set to "no" if you need to copy encrypted passwords to other systems
-# which don't understand the new algorithm. Default is "no".
-#
-# Note: If you use PAM, it is recommended to use a value consistent with
-# the PAM modules configuration.
-#
-# This variable is deprecated. You should use ENCRYPT_METHOD instead.
-#
-#MD5_CRYPT_ENAB no
-
#
# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
-# If set to MD5, MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
-# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
# If set to DES, DES-based algorithm will be used for encrypting password (default)
# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
-# Overrides the MD5_CRYPT_ENAB option
#
# Note: If you use PAM, it is recommended to use a value consistent with
# the PAM modules configuration.
@@ -353,21 +171,6 @@ CHFN_RESTRICT rwh
#SHA_CRYPT_MIN_ROUNDS 5000
#SHA_CRYPT_MAX_ROUNDS 5000
-#
-# Only works if ENCRYPT_METHOD is set to BCRYPT.
-#
-# Define the number of BCRYPT rounds.
-# With a lot of rounds, it is more difficult to brute-force the password.
-# However, more CPU resources will be needed to authenticate users if
-# this value is increased.
-#
-# If not specified, 13 rounds will be attempted.
-# If only one of the MIN or MAX values is set, then this value will be used.
-# If MIN > MAX, the highest value will be used.
-#
-#BCRYPT_MIN_ROUNDS 13
-#BCRYPT_MAX_ROUNDS 13
-
#
# Only works if ENCRYPT_METHOD is set to YESCRYPT.
#
@@ -381,17 +184,6 @@ CHFN_RESTRICT rwh
#
#YESCRYPT_COST_FACTOR 5
-#
-# List of groups to add to the user's supplementary group set
-# when logging in from the console (as determined by the CONSOLE
-# setting). Default is none.
-#
-# Use with caution - it is possible for users to gain permanent
-# access to these groups, even when not logged in from the console.
-# How to do it is left as an exercise for the reader...
-#
-#CONSOLE_GROUPS floppy:audio:cdrom
-
#
# Should login be allowed if we can't cd to the home directory?
# Default is no.
@@ -406,12 +198,6 @@ DEFAULT_HOME yes
#
NONEXISTENT /nonexistent
-#
-# If this file exists and is readable, login environment will be
-# read from it. Every line should be in the form name=value.
-#
-ENVIRON_FILE /etc/environment
-
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
@@ -459,14 +245,6 @@ USERGROUPS_ENAB yes
#
#GRANT_AUX_GROUP_SUBIDS yes
-#
-# Prevents an empty password field to be interpreted as "no authentication
-# required".
-# Set to "yes" to prevent for all accounts
-# Set to "superuser" to prevent for UID 0 / root (default)
-# Set to "no" to not prevent for any account (dangerous, historical default)
-PREVENT_NO_AUTH superuser
-
#
# Select the HMAC cryptography algorithm.
# Used in pam_timestamp module to calculate the keyed-hash message
diff --git a/man/login.defs.5.xml b/man/login.defs.5.xml
index ab62fa86..d82c47f1 100644
--- a/man/login.defs.5.xml
+++ b/man/login.defs.5.xml
@@ -7,69 +7,38 @@
-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
-<!ENTITY CHFN_AUTH SYSTEM "login.defs.d/CHFN_AUTH.xml">
<!ENTITY CHFN_RESTRICT SYSTEM "login.defs.d/CHFN_RESTRICT.xml">
-<!ENTITY CHSH_AUTH SYSTEM "login.defs.d/CHSH_AUTH.xml">
-<!ENTITY CONSOLE SYSTEM "login.defs.d/CONSOLE.xml">
-<!ENTITY CONSOLE_GROUPS SYSTEM "login.defs.d/CONSOLE_GROUPS.xml">
<!ENTITY CREATE_HOME SYSTEM "login.defs.d/CREATE_HOME.xml">
<!ENTITY DEFAULT_HOME SYSTEM "login.defs.d/DEFAULT_HOME.xml">
<!ENTITY ENCRYPT_METHOD SYSTEM "login.defs.d/ENCRYPT_METHOD.xml">
-<!ENTITY ENV_HZ SYSTEM "login.defs.d/ENV_HZ.xml">
<!ENTITY ENV_PATH SYSTEM "login.defs.d/ENV_PATH.xml">
<!ENTITY ENV_SUPATH SYSTEM "login.defs.d/ENV_SUPATH.xml">
-<!ENTITY ENV_TZ SYSTEM "login.defs.d/ENV_TZ.xml">
-<!ENTITY ENVIRON_FILE SYSTEM "login.defs.d/ENVIRON_FILE.xml">
-<!ENTITY ERASECHAR SYSTEM "login.defs.d/ERASECHAR.xml">
<!ENTITY FAIL_DELAY SYSTEM "login.defs.d/FAIL_DELAY.xml">
-<!ENTITY FAILLOG_ENAB SYSTEM "login.defs.d/FAILLOG_ENAB.xml">
-<!ENTITY FAKE_SHELL SYSTEM "login.defs.d/FAKE_SHELL.xml">
-<!ENTITY FTMP_FILE SYSTEM "login.defs.d/FTMP_FILE.xml">
<!ENTITY GID_MAX SYSTEM "login.defs.d/GID_MAX.xml">
<!ENTITY HMAC_CRYPTO_ALGO SYSTEM "login.defs.d/HMAC_CRYPTO_ALGO.xml">
<!ENTITY HOME_MODE SYSTEM "login.defs.d/HOME_MODE.xml">
<!ENTITY HUSHLOGIN_FILE SYSTEM "login.defs.d/HUSHLOGIN_FILE.xml">
-<!ENTITY ISSUE_FILE SYSTEM "login.defs.d/ISSUE_FILE.xml">
-<!ENTITY KILLCHAR SYSTEM "login.defs.d/KILLCHAR.xml">
-<!ENTITY LASTLOG_ENAB SYSTEM "login.defs.d/LASTLOG_ENAB.xml">
<!ENTITY LASTLOG_UID_MAX SYSTEM "login.defs.d/LASTLOG_UID_MAX.xml">
-<!ENTITY LOG_OK_LOGINS SYSTEM "login.defs.d/LOG_OK_LOGINS.xml">
<!ENTITY LOG_UNKFAIL_ENAB SYSTEM "login.defs.d/LOG_UNKFAIL_ENAB.xml">
<!ENTITY LOGIN_RETRIES SYSTEM "login.defs.d/LOGIN_RETRIES.xml">
-<!ENTITY LOGIN_STRING SYSTEM "login.defs.d/LOGIN_STRING.xml">
<!ENTITY LOGIN_TIMEOUT SYSTEM "login.defs.d/LOGIN_TIMEOUT.xml">
-<!ENTITY MAIL_CHECK_ENAB SYSTEM "login.defs.d/MAIL_CHECK_ENAB.xml">
<!ENTITY MAIL_DIR SYSTEM "login.defs.d/MAIL_DIR.xml">
<!ENTITY MAX_MEMBERS_PER_GROUP SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml">
-<!ENTITY MD5_CRYPT_ENAB SYSTEM "login.defs.d/MD5_CRYPT_ENAB.xml">
<!ENTITY MOTD_FILE SYSTEM "login.defs.d/MOTD_FILE.xml">
-<!ENTITY NOLOGINS_FILE SYSTEM "login.defs.d/NOLOGINS_FILE.xml">
<!ENTITY NONEXISTENT SYSTEM "login.defs.d/NONEXISTENT.xml">
-<!ENTITY OBSCURE_CHECKS_ENAB SYSTEM "login.defs.d/OBSCURE_CHECKS_ENAB.xml">
-<!ENTITY PASS_ALWAYS_WARN SYSTEM "login.defs.d/PASS_ALWAYS_WARN.xml">
-<!ENTITY PASS_CHANGE_TRIES SYSTEM "login.defs.d/PASS_CHANGE_TRIES.xml">
-<!ENTITY PASS_MAX_LEN SYSTEM "login.defs.d/PASS_MAX_LEN.xml">
<!ENTITY PASS_MAX_DAYS SYSTEM "login.defs.d/PASS_MAX_DAYS.xml">
<!ENTITY PASS_MIN_DAYS SYSTEM "login.defs.d/PASS_MIN_DAYS.xml">
<!ENTITY PASS_WARN_AGE SYSTEM "login.defs.d/PASS_WARN_AGE.xml">
-<!ENTITY PORTTIME_CHECKS_ENAB SYSTEM "login.defs.d/PORTTIME_CHECKS_ENAB.xml">
-<!ENTITY QUOTAS_ENAB SYSTEM "login.defs.d/QUOTAS_ENAB.xml">
<!ENTITY SHA_CRYPT_MIN_ROUNDS SYSTEM "login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml">
-<!ENTITY SULOG_FILE SYSTEM "login.defs.d/SULOG_FILE.xml">
-<!ENTITY SU_NAME SYSTEM "login.defs.d/SU_NAME.xml">
-<!ENTITY SU_WHEEL_ONLY SYSTEM "login.defs.d/SU_WHEEL_ONLY.xml">
<!ENTITY SUB_GID_COUNT SYSTEM "login.defs.d/SUB_GID_COUNT.xml">
<!ENTITY SUB_UID_COUNT SYSTEM "login.defs.d/SUB_UID_COUNT.xml">
<!ENTITY SYS_GID_MAX SYSTEM "login.defs.d/SYS_GID_MAX.xml">
<!ENTITY SYSLOG_SG_ENAB SYSTEM "login.defs.d/SYSLOG_SG_ENAB.xml">
-<!ENTITY SYSLOG_SU_ENAB SYSTEM "login.defs.d/SYSLOG_SU_ENAB.xml">
<!ENTITY SYS_UID_MAX SYSTEM "login.defs.d/SYS_UID_MAX.xml">
<!ENTITY TCB_AUTH_GROUP SYSTEM "login.defs.d/TCB_AUTH_GROUP.xml">
<!ENTITY TCB_SYMLINKS SYSTEM "login.defs.d/TCB_SYMLINKS.xml">
<!ENTITY TTYGROUP SYSTEM "login.defs.d/TTYGROUP.xml">
-<!ENTITY TTYTYPE_FILE SYSTEM "login.defs.d/TTYTYPE_FILE.xml">
<!ENTITY UID_MAX SYSTEM "login.defs.d/UID_MAX.xml">
-<!ENTITY ULIMIT SYSTEM "login.defs.d/ULIMIT.xml">
<!ENTITY UMASK SYSTEM "login.defs.d/UMASK.xml">
<!ENTITY USERDEL_CMD SYSTEM "login.defs.d/USERDEL_CMD.xml">
<!ENTITY USERGROUPS_ENAB SYSTEM "login.defs.d/USERGROUPS_ENAB.xml">
@@ -145,47 +114,25 @@
<para>The following configuration items are provided:</para>
<variablelist remap='IP'>
- &CHFN_AUTH;
&CHFN_RESTRICT;
- &CHSH_AUTH;
- &CONSOLE;
- &CONSOLE_GROUPS;
&CREATE_HOME;
&DEFAULT_HOME;
&ENCRYPT_METHOD;
- &ENV_HZ;
&ENV_PATH;
&ENV_SUPATH;
- &ENV_TZ;
- &ENVIRON_FILE;
- &ERASECHAR;
&FAIL_DELAY;
- &FAILLOG_ENAB;
- &FAKE_SHELL;
- &FTMP_FILE;
&GID_MAX; <!-- documents also GID_MIN -->
&HMAC_CRYPTO_ALGO;
&HOME_MODE;
&HUSHLOGIN_FILE;
- &ISSUE_FILE;
- &KILLCHAR;
- &LASTLOG_ENAB;
&LASTLOG_UID_MAX;
- &LOG_OK_LOGINS;
&LOG_UNKFAIL_ENAB;
&LOGIN_RETRIES;
- &LOGIN_STRING;
&LOGIN_TIMEOUT;
- &MAIL_CHECK_ENAB;
&MAIL_DIR;
&MAX_MEMBERS_PER_GROUP;
- &MD5_CRYPT_ENAB;
&MOTD_FILE;
- &NOLOGINS_FILE;
&NONEXISTENT;
- &OBSCURE_CHECKS_ENAB;
- &PASS_ALWAYS_WARN;
- &PASS_CHANGE_TRIES;
&PASS_MAX_DAYS;
&PASS_MIN_DAYS;
&PASS_WARN_AGE;
@@ -195,25 +142,16 @@
time of account creation. Any changes to these settings won't affect
existing accounts.
</para>
- &PASS_MAX_LEN; <!-- documents also PASS_MIN_LEN -->
- &PORTTIME_CHECKS_ENAB;
- &QUOTAS_ENAB;
&SHA_CRYPT_MIN_ROUNDS; <!-- documents also SHA_CRYPT_MAX_ROUNDS -->
- &SULOG_FILE;
- &SU_NAME;
- &SU_WHEEL_ONLY;
&SUB_GID_COUNT; <!-- documents also SUB_GID_MIN SUB_GID_MAX -->
&SUB_UID_COUNT; <!-- documents also SUB_UID_MIN SUB_UID_MAX -->
&SYS_GID_MAX; <!-- documents also SYS_GID_MIN -->
&SYS_UID_MAX; <!-- documents also SYS_UID_MIN -->
&SYSLOG_SG_ENAB;
- &SYSLOG_SU_ENAB;
&TCB_AUTH_GROUP;
&TCB_SYMLINKS;
&TTYGROUP;
- &TTYTYPE_FILE;
&UID_MAX; <!-- documents also UID_MIN -->
- &ULIMIT;
&UMASK;
&USERDEL_CMD;
&USERGROUPS_ENAB;
@@ -239,9 +177,7 @@
<term>chfn</term>
<listitem>
<para>
- <phrase condition="no_pam">CHFN_AUTH</phrase>
CHFN_RESTRICT
- <phrase condition="no_pam">LOGIN_STRING</phrase>
</para>
</listitem>
</varlistentry>
@@ -249,7 +185,7 @@
<term>chgpasswd</term>
<listitem>
<para>
- ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
+ ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP
<phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
SHA_CRYPT_MIN_ROUNDS</phrase>
</para>
@@ -259,8 +195,6 @@
<term>chpasswd</term>
<listitem>
<para>
- <phrase condition="no_pam">ENCRYPT_METHOD
- MD5_CRYPT_ENAB </phrase>
<phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
SHA_CRYPT_MIN_ROUNDS</phrase>
</para>
@@ -270,7 +204,7 @@
<term>chsh</term>
<listitem>
<para>
- CHSH_AUTH LOGIN_STRING
+ CHSH_AUTH
</para>
</listitem>
</varlistentry>
@@ -280,7 +214,7 @@
<term>gpasswd</term>
<listitem>
<para>
- ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
+ ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP
<phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
SHA_CRYPT_MIN_ROUNDS</phrase>
</para>
@@ -339,35 +273,6 @@
<para>LASTLOG_UID_MAX</para>
</listitem>
</varlistentry>
- <varlistentry>
- <term>login</term>
- <listitem>
- <para>
- <phrase condition="no_pam">CONSOLE</phrase>
- CONSOLE_GROUPS DEFAULT_HOME
- <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
- ENV_TZ ENVIRON_FILE</phrase>
- ERASECHAR FAIL_DELAY
- <phrase condition="no_pam">FAILLOG_ENAB</phrase>
- FAKE_SHELL
- <phrase condition="no_pam">FTMP_FILE</phrase>
- HUSHLOGIN_FILE
- <phrase condition="no_pam">ISSUE_FILE</phrase>
- KILLCHAR
- <phrase condition="no_pam">LASTLOG_ENAB LASTLOG_UID_MAX</phrase>
- LOGIN_RETRIES
- <phrase condition="no_pam">LOGIN_STRING</phrase>
- LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
- <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
- MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
- QUOTAS_ENAB</phrase>
- TTYGROUP TTYPERM TTYTYPE_FILE
- <phrase condition="no_pam">ULIMIT UMASK</phrase>
- USERGROUPS_ENAB
- </para>
- </listitem>
- </varlistentry>
- <!-- logoutd: no variables -->
<varlistentry>
<term>newgrp / sg</term>
<listitem>
@@ -382,7 +287,7 @@
<para>
ENCRYPT_METHOD
GID_MAX GID_MIN
- MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
+ MAX_MEMBERS_PER_GROUP
HOME_MODE
PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
<phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
@@ -399,8 +304,7 @@
<term>passwd</term>
<listitem>
<para>
- ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB
- PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
+ ENCRYPT_METHOD
<phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
SHA_CRYPT_MIN_ROUNDS</phrase>
</para>
@@ -432,32 +336,6 @@
</para>
</listitem>
</varlistentry>
- <varlistentry>
- <term>su</term>
- <listitem>
- <para>
- <phrase condition="no_pam">CONSOLE</phrase>
- CONSOLE_GROUPS DEFAULT_HOME
- <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
- ENV_PATH ENV_SUPATH
- <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
- MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
- SULOG_FILE SU_NAME
- <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
- SYSLOG_SU_ENAB
- <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>sulogin</term>
- <listitem>
- <para>
- ENV_HZ
- <phrase condition="no_pam">ENV_TZ</phrase>
- </para>
- </listitem>
- </varlistentry>
<varlistentry>
<term>useradd</term>
<listitem>
@@ -486,24 +364,6 @@
</para>
</listitem>
</varlistentry>
- <varlistentry>
- <term>usermod</term>
- <listitem>
- <para>
- LASTLOG_UID_MAX
- MAIL_DIR MAIL_FILE MAX_MEMBERS_PER_GROUP
- <phrase condition="tcb">TCB_SYMLINKS USE_TCB</phrase>
- </para>
- </listitem>
- </varlistentry>
- <varlistentry condition="tcb">
- <term>vipw</term>
- <listitem>
- <para>
- <phrase condition="tcb">USE_TCB</phrase>
- </para>
- </listitem>
- </varlistentry>
</variablelist>
</refsect1>
--
2.42.0


@ -0,0 +1,73 @@
From 2642dcf11171a701f1997dcd19a769bb5baec410 Mon Sep 17 00:00:00 2001
From: David Runge <dvzrv@archlinux.org>
Date: Mon, 31 Oct 2022 10:10:22 +0100
Subject: [PATCH 3/3] Add Arch Linux defaults for login.defs
etc/login.defs:
- Change `ENV_SUPATH` and `ENV_SUPATH` to only use
/usr/local/sbin:/usr/local/bin:/usr/bin as Arch Linux is a /usr and
bin merge distribution.
- Set `HOME_MODE` to `0700` to be able to rely on a `UMASK` of `022`
while creating home directories in a privacy conserving manner.
- Change SYS_UID_MIN and SYS_GID_MIN to 500 which gives more space for
distribution added UIDs and GIDs of system users.
- Change ENCRYPT_METHOD to YESCRYPT as it is a safer hashing algorithm
than DES.
---
etc/login.defs | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/etc/login.defs b/etc/login.defs
index 797ca6b3..c4accbf8 100644
--- a/etc/login.defs
+++ b/etc/login.defs
@@ -55,8 +55,8 @@ HUSHLOGIN_FILE .hushlogin
# *REQUIRED* The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
-ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
-ENV_PATH PATH=/bin:/usr/bin
+ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
+ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
#
# Terminal permissions
@@ -84,7 +84,7 @@ UMASK 022
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
# home directories.
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
-#HOME_MODE 0700
+HOME_MODE 0700
#
# Password aging controls:
@@ -103,7 +103,7 @@ PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
# System accounts
-SYS_UID_MIN 101
+SYS_UID_MIN 500
SYS_UID_MAX 999
# Extra per user uids
SUB_UID_MIN 100000
@@ -116,7 +116,7 @@ SUB_UID_COUNT 65536
GID_MIN 1000
GID_MAX 60000
# System accounts
-SYS_GID_MIN 101
+SYS_GID_MIN 500
SYS_GID_MAX 999
# Extra per user group ids
SUB_GID_MIN 100000
@@ -152,7 +152,7 @@ CHFN_RESTRICT rwh
# Note: If you use PAM, it is recommended to use a value consistent with
# the PAM modules configuration.
#
-#ENCRYPT_METHOD DES
+ENCRYPT_METHOD YESCRYPT
#
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
--
2.42.0
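Review bot: Making `ENCRYPT_METHOD YESCRYPT` the default in the last hunk leaves the hash cost undocumented. The context line just below it says the rounds settings only work with SHA256 or SHA512, so they have no effect under this default. A comment next to the new line would help, for example `# Cost is set by YESCRYPT_COST_FACTOR; keep the PAM password stack on yescrypt too`. The context comment above it already recommends a value consistent with the PAM configuration, which is not visible on this page. Separately, the patch description names `ENV_SUPATH` twice where the hunk changes `ENV_PATH` and `ENV_SUPATH`. login.defs continues outside these hunks.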

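--- a/core/shadow/PKGBUILD
+++ b/core/shadow/PKGBUILD
@@ -0,0 +1,136 @@
+# Maintainer: David Runge <dvzrv@archlinux.org>
+# Contributor: Dave Reisner <dreisner@archlinux.org>
+# Contributor: Aaron Griffin <aaron@archlinux.org>
+# ALARM: Kevin Mihelich <kevin@archlinuxarm.org>
+# - build with libbsd until toolchain is updated
+pkgname=shadow
+pkgver=4.14.0
+pkgrel=3
+pkgdesc="Password and account management tool suite with support for shadow files and PAM"
+arch=(x86_64)
+url="https://github.com/shadow-maint/shadow"
+license=(BSD-3-Clause)
+depends=(
+acl libacl.so
+attr libattr.so
+audit libaudit.so
+glibc libbsd
+libxcrypt libcrypt.so
+pam libpam.so libpam_misc.so
+)
+makedepends=(
+docbook-xsl
+itstool
+libcap
+libxslt
+)
+backup=(
+etc/default/useradd
+etc/login.defs
+etc/pam.d/chpasswd
+etc/pam.d/groupmems
+etc/pam.d/newusers
+etc/pam.d/passwd
+)
+options=(!emptydirs)
+# NOTE: distribution patches are taken from https://gitlab.archlinux.org/archlinux/packaging/upstream/shadow/-/commits/v4.14.0.arch2
+source=(
+$url/releases/download/$pkgver/$pkgname-$pkgver.tar.xz{,.asc}
+0001-Disable-replaced-tools-and-their-man-pages-and-PAM-i.patch
+0002-Adapt-login.defs-for-PAM-and-util-linux.patch
+0003-Add-Arch-Linux-defaults-for-login.defs.patch
+shadow.{timer,service}
+shadow.{sysusers,tmpfiles}
+useradd.defaults
+)
+sha512sums=('ff960481d576f9db5a9f10becc4e1a74c03de484ecfdcd7f1ea735fded683d7ba0f9cd895dc6a431b77e5a633752273178b1bcda4cefaa5adbf0f143c9a0c86f'
+'SKIP'
+'ac119fd4a7867021923c54d54612499313686bb2faa957133f63c77700b8777dd87628fd4f36d4e4c1160700624a776510bc5d450ef5be1adc128552edfcb062'
+'57166e14262df3ddcf03008a34ef603a624a31b6d40b18b9fc4d8be50fb857540dea2ffc9dab81c91bcd87bbb3b0dee381219ebd3e68f71864c64a33d5ec7b15'
+'16c00e8ae1e4f86c9075e08b420ddd5e948345db5611390167ce08d7e3e4ec469954b255b3384d855484803ce3fa5d78c88ff8ae722c0215b692b9dece2ed6f6'
+'e4edf705dd04e088c6b561713eaa1afeb92f42ac13722bff037aede6ac5ad7d4d00828cfb677f7b1ff048db8b6788238c1ab6a71dfcfd3e02ef6cb78ae09a621'
+'2c8689b52029f6aa27d75b8b05b0b36e2fc322cab40fdfbb50cdbe331f61bc84e8db20f012cf9af3de8c4e7fdb10c2d5a4925ca1ba3b70eb5627772b94da84b3'
+'5afac4a96b599b0b8ed7be751e7160037c3beb191629928c6520bfd3f2adcd1c55c31029c92c2ff8543e6cd9e37e2cd515ba4e1789c6d66f9c93b4e7f209ee7a'
+'08a56b16673f282404f3ee026236f3d361045b4448bad7d3cc5d7cbeaf06a1d66a3a3e0848accaebde206741a7998699b9f18bd56a44d93422370567fe8cb180'
+'e9ffea021ee4031b9ad3a534bfb94dbf9d0dfd45a55ecac5dedb2453ea0c17fb80bbb9ad039686bc1f3349dc371977eb548e3a665c56531469c22f29fc4eced8')
+b2sums=('6e9a6108f856953ec91c597e46ad4f912101a829c7b3ff3389510be43f56f0a70425bd562119282d73df269df45af354e626741ad748f9c1e6f27b74a462a62c'
+'SKIP'
+'77b6e4bc6dc070b992728440fc29a8ed04e8f51cc7e58628f294c68bec7f102c8a80af6a41cf9a3c37d33e7a40ead4f4729f2e68412ab5606e6ecbd3008f5048'
+'e6359de24e563564979fd0b7915a3227239a84f175cb188392097394d4d41c782100655cbd0a779b6dfde7eddcf8b314ab15eb15ca891287a820547551d54c04'
+'fe88e173ea5531c083c1f3fb640cad1de463ce5446cb097bd30bc54e9082ba0540a57a9effd11c0779196583cf58bfc7066ab10ef4088f78c7d74928a73889b2'
+'5cfc936555aa2b2e15f8830ff83764dad6e11a80e2a102c5f2bd3b7c83db22a5457a3afdd182e3648c9d7d5bca90fa550f59576d0ac47a11a31dfb636cb18f2b'
+'a69191ab966f146c35e7e911e7e57c29fffd54436ea014aa8ffe0dd46aaf57c635d0a652b35916745c75d82b3fca7234366ea5f810b622e94730b45ec86f122c'
+'511c4ad9f3be530dc17dd68f2a3387d748dcdb84192d35f296b88f82442224477e2a74b1841ec3f107b39a5c41c2d961480e396a48d0578f8fd5f65dbe8d9f04'
+'b425e7b3d48de694114dfdf378e66175b1ef32cb773be2506813ace8a6dfd1035e7d10c30efb6791df2ae920bdec3aa7cb862ed93bac4cde713c549bd896d1b2'
+'d5bea0cfc2e6d3d1749c65440ca911533d41b6f8117fe09e9efec23524637cfa823d230303a7fbb45d3cd251bf8036d48b9b21049ced208f7ed191fcbd75e879')
+validpgpkeys=(66D0387DB85D320F8408166DB175CFA98F192AF2) # Serge Hallyn <sergeh@kernel.org>
+prepare() {
+local filename
+cd $pkgname-$pkgver
+for filename in "${source[@]}"; do
+if [[ "$filename" =~ \.patch$ ]]; then
+printf "Applying patch %s\n" "${filename##*/}"
+patch -Np1 -i "$srcdir/${filename##*/}"
+fi
+done
+autoreconf -fiv
+}
+build() {
+local configure_options=(
+--bindir=/usr/bin
+--disable-account-tools-setuid # no setuid for chgpasswd, chpasswd, groupadd, groupdel, groupmod, newusers, useradd, userdel, usermod
+--enable-man
+--libdir=/usr/lib
+--mandir=/usr/share/man
+--prefix=/usr
+--sbindir=/usr/bin
+--sysconfdir=/etc
+--with-audit
+--with-fcaps # use capabilities instead of setuid for setuidmap and setgidmap
+--with-group-name-max-length=32
+--with-libpam # PAM integration for chpasswd, groupmems, newusers, passwd
+#--without-libbsd # shadow can use internal implementation for getting passphrase
+--without-selinux
+--without-su # su is provided by util-linux
+)
+cd $pkgname-$pkgver
+# add extra check, preventing accidental deletion of other user's home dirs when using `userdel -r <user with home in />`
+export CFLAGS="$CFLAGS -DEXTRA_CHECK_HOME_DIR"
+./configure "${configure_options[@]}"
+# prevent excessive overlinking due to libtool
+sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool
+make
+}
+package() {
+cd $pkgname-$pkgver
+make DESTDIR="$pkgdir" install
+make DESTDIR="$pkgdir" -C man install
+# license
+install -vDm 644 COPYING -t "$pkgdir/usr/share/licenses/$pkgname/"
+# custom useradd(8) defaults (not provided by upstream)
+install -vDm 600 ../useradd.defaults "$pkgdir/etc/default/useradd"
+# systemd units
+install -vDm 644 ../shadow.timer -t "$pkgdir/usr/lib/systemd/system/"
+install -vDm 644 ../shadow.service -t "$pkgdir/usr/lib/systemd/system/"
+install -vdm 755 "$pkgdir/usr/lib/systemd/system/timers.target.wants"
+ln -s ../shadow.timer "$pkgdir/usr/lib/systemd/system/timers.target.wants/shadow.timer"
+install -vDm 644 ../$pkgname.sysusers "$pkgdir/usr/lib/sysusers.d/$pkgname.conf"
+install -vDm 644 ../$pkgname.tmpfiles "$pkgdir/usr/lib/tmpfiles.d/$pkgname.conf"
+# manually add PAM config for chpasswd and newusers: https://github.com/shadow-maint/shadow/issues/810
+install -vDm 644 etc/pam.d/{chpasswd,newusers} -t "$pkgdir/etc/pam.d/"
+}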
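Review bot: package() reaches the packaged sources through `../` relative to the unpacked tree, whereas prepare() addresses them as `"$srcdir/..."`. Using one form throughout makes it clearer which files come from the checksummed `source` array, for example `install -vDm 600 "$srcdir/useradd.defaults" "$pkgdir/etc/default/useradd"`, and likewise for the unit, sysusers and tmpfiles lines. The three `cd $pkgname-$pkgver` calls are also unquoted, so `cd "$pkgname-$pkgver"` would match the quoting used for `$pkgdir`.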


@ -0,0 +1,80 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=YnIc
-----END PGP PUBLIC KEY BLOCK-----


@ -0,0 +1,37 @@
[Unit]
Description=Verify integrity of password and group files
After=systemd-sysusers.service
[Service]
CapabilityBoundingSet=CAP_DAC_READ_SEARCH
# Always run both checks, but fail the service if either fails
ExecStart=/bin/sh -c '/usr/bin/pwck -qr || r=1; /usr/bin/grpck -r && exit $r'
Nice=19
IOSchedulingClass=best-effort
IOSchedulingPriority=7
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
ProcSubset=pid
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=read-only
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictSUIDSGID=yes
RestrictRealtime=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@resources
SystemCallFilter=~@privileged
UMask=0077
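Review bot: `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` is wider than the rest of the sandbox implies. The unit already sets `PrivateNetwork=yes` and `IPAddressDeny=any`, so the two IP families look unused. If pwck and grpck need only a local socket (presumably for logging or name lookups, which is not verifiable from this page), `RestrictAddressFamilies=AF_UNIX` would state that intent. A one-line comment above `CapabilityBoundingSet=CAP_DAC_READ_SEARCH` explaining that the capability is kept so the checks can read the shadow files would also help the next maintainer.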


@ -0,0 +1 @@
g groups - -

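--- a/core/shadow/shadow.timer
+++ b/core/shadow/shadow.timer
@@ -0,0 +1,7 @@
+[Unit]
+Description=Daily verification of password and group files
+[Timer]
+OnCalendar=daily
+AccuracySec=12h
+Persistent=true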


@ -0,0 +1 @@
z /usr/bin/groupmems 2710 root groups - -
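Review bot: This entry has no comment, although mode `2710` makes groupmems setgid to the `groups` group and executable only by root and members of that group. A line above it such as `# groupmems: setgid "groups", runnable by root and members of that group only` would record the intent. The mode is applied when systemd-tmpfiles processes this file, so the binary presumably keeps its install-time mode until then. It is worth confirming that the installed mode is not looser than this one.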


@ -0,0 +1,27 @@
# Default values for useradd(8)
#
# The SHELL variable specifies the default login shell on your
# system.
SHELL=/bin/bash
# The default group for users
GROUP=users
# The default home directory.
HOME=/home
# The number of days after a password expires until the account is permanently
# disabled
INACTIVE=-1
# The default expire date
EXPIRE=
# The SKEL variable specifies the directory containing "skeletal" user files;
# in other words, files such as a sample .profile that will be copied to the
# new user's home directory when it is created.
SKEL=/etc/skel
# Defines whether the mail spool should be created while
# creating the account
CREATE_MAIL_SPOOL=no