From 56a482517c2d35355cad22bb4cdcdb27cc11e198 Mon Sep 17 00:00:00 2001 From: Kevin Mihelich Date: Sat, 23 Sep 2023 01:16:48 +0000 Subject: [PATCH] added core/shadow --- ...-tools-and-their-man-pages-and-PAM-i.patch | 727 ++++++++++++++++++ ...pt-login.defs-for-PAM-and-util-linux.patch | 721 +++++++++++++++++ ...d-Arch-Linux-defaults-for-login.defs.patch | 73 ++ core/shadow/PKGBUILD | 136 ++++ ...D0387DB85D320F8408166DB175CFA98F192AF2.asc | 80 ++ core/shadow/shadow.service | 37 + core/shadow/shadow.sysusers | 1 + core/shadow/shadow.timer | 7 + core/shadow/shadow.tmpfiles | 1 + core/shadow/useradd.defaults | 27 + 10 files changed, 1810 insertions(+) create mode 100644 core/shadow/0001-Disable-replaced-tools-and-their-man-pages-and-PAM-i.patch create mode 100644 core/shadow/0002-Adapt-login.defs-for-PAM-and-util-linux.patch create mode 100644 core/shadow/0003-Add-Arch-Linux-defaults-for-login.defs.patch create mode 100644 core/shadow/PKGBUILD create mode 100644 core/shadow/keys/pgp/66D0387DB85D320F8408166DB175CFA98F192AF2.asc create mode 100644 core/shadow/shadow.service create mode 100644 core/shadow/shadow.sysusers create mode 100644 core/shadow/shadow.timer create mode 100644 core/shadow/shadow.tmpfiles create mode 100644 core/shadow/useradd.defaults diff --git a/core/shadow/0001-Disable-replaced-tools-and-their-man-pages-and-PAM-i.patch b/core/shadow/0001-Disable-replaced-tools-and-their-man-pages-and-PAM-i.patch new file mode 100644 index 000000000..98d36b674 --- /dev/null +++ b/core/shadow/0001-Disable-replaced-tools-and-their-man-pages-and-PAM-i.patch @@ -0,0 +1,727 @@ +From c6fe55f198b1e3bd3087f9213193d94f5c1c3d31 Mon Sep 17 00:00:00 2001 +From: David Runge +Date: Sat, 5 Nov 2022 23:40:18 +0100 +Subject: [PATCH 1/3] Disable replaced tools and their man pages and PAM + integration + +etc/pam.d/Makefile.am: +Disable installation of PAM integration for chfn, chsh and login tools +as they are provided by util-linux. + +man/Makefile.am, man/*/Makefile.am: +Disable man pages for chfn, chsh, login, logoutd, newgrp, nologin, vigr, +vipw and su as they are either no longer used or replaced by util-linux. + +src/Makefile.am: +Set usbindir to use bin instead of sbin, as Arch Linux is a /usr and bin +merge distribution. +Remove the use of login, nologin, chfn, chsh, logoutd, vipw and vigr, as +they are either not used or replaced by util-linux. +Move newgrp to replace sg (instead of it being a symlink). +--- + etc/pam.d/Makefile.am | 3 --- + man/Makefile.am | 20 +++----------------- + man/cs/Makefile.am | 8 ++------ + man/da/Makefile.am | 8 +------- + man/de/Makefile.am | 11 +---------- + man/fi/Makefile.am | 5 +---- + man/fr/Makefile.am | 11 +---------- + man/hu/Makefile.am | 6 +----- + man/id/Makefile.am | 2 -- + man/it/Makefile.am | 11 +---------- + man/ja/Makefile.am | 10 +--------- + man/ko/Makefile.am | 8 +------- + man/pl/Makefile.am | 7 +------ + man/ru/Makefile.am | 11 +---------- + man/sv/Makefile.am | 8 +------- + man/tr/Makefile.am | 3 --- + man/uk/Makefile.am | 11 +---------- + man/zh_CN/Makefile.am | 11 +---------- + man/zh_TW/Makefile.am | 4 ---- + src/Makefile.am | 18 +++++++----------- + 20 files changed, 25 insertions(+), 151 deletions(-) + +diff --git a/etc/pam.d/Makefile.am b/etc/pam.d/Makefile.am +index 38ff26ae..a19ad431 100644 +--- a/etc/pam.d/Makefile.am ++++ b/etc/pam.d/Makefile.am +@@ -2,10 +2,7 @@ + # and also cooperate to make a distribution for `make dist' + + pamd_files = \ +- chfn \ +- chsh \ + groupmems \ +- login \ + passwd + + pamd_acct_tools_files = \ +diff --git a/man/Makefile.am b/man/Makefile.am +index 89d97937..d2741036 100644 +--- a/man/Makefile.am ++++ b/man/Makefile.am +@@ -8,10 +8,8 @@ endif + + man_MANS = \ + man1/chage.1 \ +- man1/chfn.1 \ + man8/chgpasswd.8 \ + man8/chpasswd.8 \ +- man1/chsh.1 \ + man1/expiry.1 \ + man5/faillog.5 \ + man8/faillog.8 \ +@@ -26,12 +24,9 @@ man_MANS = \ + man8/grpconv.8 \ + man8/grpunconv.8 \ + man5/gshadow.5 \ +- man1/login.1 \ ++ man8/lastlog.8 \ + man5/login.defs.5 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ + man8/newusers.8 \ +- man8/nologin.8 \ + man1/passwd.1 \ + man5/passwd.5 \ + man8/pwck.8 \ +@@ -43,9 +38,7 @@ man_MANS = \ + man5/suauth.5 \ + man8/useradd.8 \ + man8/userdel.8 \ +- man8/usermod.8 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man8/usermod.8 + + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 +@@ -77,10 +70,8 @@ endif + + man_XMANS = \ + chage.1.xml \ +- chfn.1.xml \ + chgpasswd.8.xml \ + chpasswd.8.xml \ +- chsh.1.xml \ + expiry.1.xml \ + faillog.5.xml \ + faillog.8.xml \ +@@ -94,12 +85,9 @@ man_XMANS = \ + grpck.8.xml \ + gshadow.5.xml \ + limits.5.xml \ +- login.1.xml \ + login.access.5.xml \ + login.defs.5.xml \ +- logoutd.8.xml \ + newgidmap.1.xml \ +- newgrp.1.xml \ + newuidmap.1.xml \ + newusers.8.xml \ + nologin.8.xml \ +@@ -111,14 +99,12 @@ man_XMANS = \ + shadow.3.xml \ + shadow.5.xml \ + sg.1.xml \ +- su.1.xml \ + suauth.5.xml \ + subgid.5.xml \ + subuid.5.xml \ + useradd.8.xml \ + userdel.8.xml \ +- usermod.8.xml \ +- vipw.8.xml ++ usermod.8.xml + + if ENABLE_LASTLOG + man_XMANS += lastlog.8.xml +diff --git a/man/cs/Makefile.am b/man/cs/Makefile.am +index 84407d71..c5ef7cf5 100644 +--- a/man/cs/Makefile.am ++++ b/man/cs/Makefile.am +@@ -12,11 +12,8 @@ man_MANS = \ + man1/groups.1 \ + man8/grpck.8 \ + man5/gshadow.5 \ +- man8/nologin.8 \ + man5/passwd.5 \ +- man5/shadow.5 \ +- man1/su.1 \ +- man8/vipw.8 ++ man5/shadow.5 + + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 +@@ -24,6 +21,5 @@ endif + + EXTRA_DIST = $(man_MANS) \ + man1/id.1 \ +- man8/groupmems.8 \ +- man8/logoutd.8 ++ man8/groupmems.8 + +diff --git a/man/da/Makefile.am b/man/da/Makefile.am +index a3b09224..e45bef66 100644 +--- a/man/da/Makefile.am ++++ b/man/da/Makefile.am +@@ -3,16 +3,10 @@ mandir = @mandir@/da + + # 2012.01.28 - activate manpages with more than 50% translated messages + man_MANS = \ +- man1/chfn.1 \ + man8/groupdel.8 \ + man1/groups.1 \ + man5/gshadow.5 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ +- man8/nologin.8 \ +- man1/sg.1 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man1/sg.1 + + man_nopam = + +diff --git a/man/de/Makefile.am b/man/de/Makefile.am +index 671432d3..333d5524 100644 +--- a/man/de/Makefile.am ++++ b/man/de/Makefile.am +@@ -3,10 +3,8 @@ mandir = @mandir@/de + + man_MANS = \ + man1/chage.1 \ +- man1/chfn.1 \ + man8/chgpasswd.8 \ + man8/chpasswd.8 \ +- man1/chsh.1 \ + man1/expiry.1 \ + man5/faillog.5 \ + man8/faillog.8 \ +@@ -21,12 +19,8 @@ man_MANS = \ + man8/grpconv.8 \ + man8/grpunconv.8 \ + man5/gshadow.5 \ +- man1/login.1 \ + man5/login.defs.5 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ + man8/newusers.8 \ +- man8/nologin.8 \ + man1/passwd.1 \ + man5/passwd.5 \ + man8/pwck.8 \ +@@ -35,13 +29,10 @@ man_MANS = \ + man1/sg.1 \ + man3/shadow.3 \ + man5/shadow.5 \ +- man1/su.1 \ + man5/suauth.5 \ + man8/useradd.8 \ + man8/userdel.8 \ +- man8/usermod.8 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man8/usermod.8 + + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 +diff --git a/man/fi/Makefile.am b/man/fi/Makefile.am +index 26a1a848..f02b92f3 100644 +--- a/man/fi/Makefile.am ++++ b/man/fi/Makefile.am +@@ -1,10 +1,7 @@ + + mandir = @mandir@/fi + +-man_MANS = \ +- man1/chfn.1 \ +- man1/chsh.1 \ +- man1/su.1 ++man_MANS = + + # Outdated manpages + # passwd.1 (https://bugs.launchpad.net/ubuntu/+bug/384024) +diff --git a/man/fr/Makefile.am b/man/fr/Makefile.am +index 335e0298..9962c038 100644 +--- a/man/fr/Makefile.am ++++ b/man/fr/Makefile.am +@@ -3,10 +3,8 @@ mandir = @mandir@/fr + + man_MANS = \ + man1/chage.1 \ +- man1/chfn.1 \ + man8/chgpasswd.8 \ + man8/chpasswd.8 \ +- man1/chsh.1 \ + man1/expiry.1 \ + man5/faillog.5 \ + man8/faillog.8 \ +@@ -21,12 +19,8 @@ man_MANS = \ + man8/grpconv.8 \ + man8/grpunconv.8 \ + man5/gshadow.5 \ +- man1/login.1 \ + man5/login.defs.5 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ + man8/newusers.8 \ +- man8/nologin.8 \ + man1/passwd.1 \ + man5/passwd.5 \ + man8/pwck.8 \ +@@ -35,13 +29,10 @@ man_MANS = \ + man1/sg.1 \ + man3/shadow.3 \ + man5/shadow.5 \ +- man1/su.1 \ + man5/suauth.5 \ + man8/useradd.8 \ + man8/userdel.8 \ +- man8/usermod.8 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man8/usermod.8 + + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 +diff --git a/man/hu/Makefile.am b/man/hu/Makefile.am +index 205bb0a8..3d813179 100644 +--- a/man/hu/Makefile.am ++++ b/man/hu/Makefile.am +@@ -2,15 +2,11 @@ + mandir = @mandir@/hu + + man_MANS = \ +- man1/chsh.1 \ + man1/gpasswd.1 \ + man1/groups.1 \ +- man1/login.1 \ +- man1/newgrp.1 \ + man1/passwd.1 \ + man5/passwd.5 \ +- man1/sg.1 \ +- man1/su.1 ++ man1/sg.1 + + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 +diff --git a/man/id/Makefile.am b/man/id/Makefile.am +index 21f3dbe9..6d10b930 100644 +--- a/man/id/Makefile.am ++++ b/man/id/Makefile.am +@@ -2,8 +2,6 @@ + mandir = @mandir@/id + + man_MANS = \ +- man1/chsh.1 \ +- man1/login.1 \ + man8/useradd.8 + + EXTRA_DIST = $(man_MANS) +diff --git a/man/it/Makefile.am b/man/it/Makefile.am +index b76187fa..1f62e20e 100644 +--- a/man/it/Makefile.am ++++ b/man/it/Makefile.am +@@ -3,10 +3,8 @@ mandir = @mandir@/it + + man_MANS = \ + man1/chage.1 \ +- man1/chfn.1 \ + man8/chgpasswd.8 \ + man8/chpasswd.8 \ +- man1/chsh.1 \ + man1/expiry.1 \ + man5/faillog.5 \ + man8/faillog.8 \ +@@ -21,12 +19,8 @@ man_MANS = \ + man8/grpconv.8 \ + man8/grpunconv.8 \ + man5/gshadow.5 \ +- man1/login.1 \ + man5/login.defs.5 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ + man8/newusers.8 \ +- man8/nologin.8 \ + man1/passwd.1 \ + man5/passwd.5 \ + man8/pwck.8 \ +@@ -35,13 +29,10 @@ man_MANS = \ + man1/sg.1 \ + man3/shadow.3 \ + man5/shadow.5 \ +- man1/su.1 \ + man5/suauth.5 \ + man8/useradd.8 \ + man8/userdel.8 \ +- man8/usermod.8 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man8/usermod.8 + + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 +diff --git a/man/ja/Makefile.am b/man/ja/Makefile.am +index 13f18da1..3401a085 100644 +--- a/man/ja/Makefile.am ++++ b/man/ja/Makefile.am +@@ -3,9 +3,7 @@ mandir = @mandir@/ja + + man_MANS = \ + man1/chage.1 \ +- man1/chfn.1 \ + man8/chpasswd.8 \ +- man1/chsh.1 \ + man1/expiry.1 \ + man5/faillog.5 \ + man8/faillog.8 \ +@@ -17,10 +15,7 @@ man_MANS = \ + man8/grpck.8 \ + man8/grpconv.8 \ + man8/grpunconv.8 \ +- man1/login.1 \ + man5/login.defs.5 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ + man8/newusers.8 \ + man1/passwd.1 \ + man5/passwd.5 \ +@@ -29,13 +24,10 @@ man_MANS = \ + man8/pwunconv.8 \ + man1/sg.1 \ + man5/shadow.5 \ +- man1/su.1 \ + man5/suauth.5 \ + man8/useradd.8 \ + man8/userdel.8 \ +- man8/usermod.8 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man8/usermod.8 + + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 +diff --git a/man/ko/Makefile.am b/man/ko/Makefile.am +index c269f0bb..9616cb3e 100644 +--- a/man/ko/Makefile.am ++++ b/man/ko/Makefile.am +@@ -2,14 +2,8 @@ + mandir = @mandir@/ko + + man_MANS = \ +- man1/chfn.1 \ +- man1/chsh.1 \ + man1/groups.1 \ +- man1/login.1 \ +- man5/passwd.5 \ +- man1/su.1 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man5/passwd.5 + # newgrp.1 must be updated + # newgrp.1 + +diff --git a/man/pl/Makefile.am b/man/pl/Makefile.am +index b2f096f7..00817d37 100644 +--- a/man/pl/Makefile.am ++++ b/man/pl/Makefile.am +@@ -4,7 +4,6 @@ mandir = @mandir@/pl + # 2012.01.28 - activate manpages with more than 50% translated messages + man_MANS = \ + man1/chage.1 \ +- man1/chsh.1 \ + man1/expiry.1 \ + man5/faillog.5 \ + man8/faillog.8 \ +@@ -15,14 +14,10 @@ man_MANS = \ + man8/groupmod.8 \ + man1/groups.1 \ + man8/grpck.8 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ + man1/sg.1 \ + man3/shadow.3 \ + man8/userdel.8 \ +- man8/usermod.8 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man8/usermod.8 + + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 +diff --git a/man/ru/Makefile.am b/man/ru/Makefile.am +index 84d55d9e..b65f4881 100644 +--- a/man/ru/Makefile.am ++++ b/man/ru/Makefile.am +@@ -3,10 +3,8 @@ mandir = @mandir@/ru + + man_MANS = \ + man1/chage.1 \ +- man1/chfn.1 \ + man8/chgpasswd.8 \ + man8/chpasswd.8 \ +- man1/chsh.1 \ + man1/expiry.1 \ + man5/faillog.5 \ + man8/faillog.8 \ +@@ -21,12 +19,8 @@ man_MANS = \ + man8/grpconv.8 \ + man8/grpunconv.8 \ + man5/gshadow.5 \ +- man1/login.1 \ + man5/login.defs.5 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ + man8/newusers.8 \ +- man8/nologin.8 \ + man1/passwd.1 \ + man5/passwd.5 \ + man8/pwck.8 \ +@@ -35,13 +29,10 @@ man_MANS = \ + man1/sg.1 \ + man3/shadow.3 \ + man5/shadow.5 \ +- man1/su.1 \ + man5/suauth.5 \ + man8/useradd.8 \ + man8/userdel.8 \ +- man8/usermod.8 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man8/usermod.8 + + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 +diff --git a/man/sv/Makefile.am b/man/sv/Makefile.am +index 70329edf..58fa80e5 100644 +--- a/man/sv/Makefile.am ++++ b/man/sv/Makefile.am +@@ -3,7 +3,6 @@ mandir = @mandir@/sv + # 2012.01.28 - activate manpages with more than 50% translated messages + man_MANS = \ + man1/chage.1 \ +- man1/chsh.1 \ + man1/expiry.1 \ + man5/faillog.5 \ + man8/faillog.8 \ +@@ -15,18 +14,13 @@ man_MANS = \ + man1/groups.1 \ + man8/grpck.8 \ + man5/gshadow.5 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ +- man8/nologin.8 \ + man1/passwd.1 \ + man5/passwd.5 \ + man8/pwck.8 \ + man1/sg.1 \ + man3/shadow.3 \ + man5/suauth.5 \ +- man8/userdel.8 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man8/userdel.8 + + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 +diff --git a/man/tr/Makefile.am b/man/tr/Makefile.am +index 8d8b9166..4fe3632a 100644 +--- a/man/tr/Makefile.am ++++ b/man/tr/Makefile.am +@@ -2,15 +2,12 @@ mandir = @mandir@/tr + + man_MANS = \ + man1/chage.1 \ +- man1/chfn.1 \ + man8/groupadd.8 \ + man8/groupdel.8 \ + man8/groupmod.8 \ +- man1/login.1 \ + man1/passwd.1 \ + man5/passwd.5 \ + man5/shadow.5 \ +- man1/su.1 \ + man8/useradd.8 \ + man8/userdel.8 \ + man8/usermod.8 +diff --git a/man/uk/Makefile.am b/man/uk/Makefile.am +index 3fb5ffb3..e13c8fee 100644 +--- a/man/uk/Makefile.am ++++ b/man/uk/Makefile.am +@@ -3,10 +3,8 @@ mandir = @mandir@/uk + + man_MANS = \ + man1/chage.1 \ +- man1/chfn.1 \ + man8/chgpasswd.8 \ + man8/chpasswd.8 \ +- man1/chsh.1 \ + man1/expiry.1 \ + man5/faillog.5 \ + man8/faillog.8 \ +@@ -21,12 +19,8 @@ man_MANS = \ + man8/grpconv.8 \ + man8/grpunconv.8 \ + man5/gshadow.5 \ +- man1/login.1 \ + man5/login.defs.5 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ + man8/newusers.8 \ +- man8/nologin.8 \ + man1/passwd.1 \ + man5/passwd.5 \ + man8/pwck.8 \ +@@ -35,13 +29,10 @@ man_MANS = \ + man1/sg.1 \ + man3/shadow.3 \ + man5/shadow.5 \ +- man1/su.1 \ + man5/suauth.5 \ + man8/useradd.8 \ + man8/userdel.8 \ +- man8/usermod.8 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man8/usermod.8 + + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 +diff --git a/man/zh_CN/Makefile.am b/man/zh_CN/Makefile.am +index a8b93a56..42ad764d 100644 +--- a/man/zh_CN/Makefile.am ++++ b/man/zh_CN/Makefile.am +@@ -3,10 +3,8 @@ mandir = @mandir@/zh_CN + + man_MANS = \ + man1/chage.1 \ +- man1/chfn.1 \ + man8/chgpasswd.8 \ + man8/chpasswd.8 \ +- man1/chsh.1 \ + man1/expiry.1 \ + man5/faillog.5 \ + man8/faillog.8 \ +@@ -21,12 +19,8 @@ man_MANS = \ + man8/grpconv.8 \ + man8/grpunconv.8 \ + man5/gshadow.5 \ +- man1/login.1 \ + man5/login.defs.5 \ +- man8/logoutd.8 \ +- man1/newgrp.1 \ + man8/newusers.8 \ +- man8/nologin.8 \ + man1/passwd.1 \ + man5/passwd.5 \ + man8/pwck.8 \ +@@ -35,13 +29,10 @@ man_MANS = \ + man1/sg.1 \ + man3/shadow.3 \ + man5/shadow.5 \ +- man1/su.1 \ + man5/suauth.5 \ + man8/useradd.8 \ + man8/userdel.8 \ +- man8/usermod.8 \ +- man8/vigr.8 \ +- man8/vipw.8 ++ man8/usermod.8 + + if ENABLE_LASTLOG + man_MANS += man8/lastlog.8 +diff --git a/man/zh_TW/Makefile.am b/man/zh_TW/Makefile.am +index c36ed2c7..26696b67 100644 +--- a/man/zh_TW/Makefile.am ++++ b/man/zh_TW/Makefile.am +@@ -2,15 +2,11 @@ + mandir = @mandir@/zh_TW + + man_MANS = \ +- man1/chfn.1 \ +- man1/chsh.1 \ + man8/chpasswd.8 \ +- man1/newgrp.1 \ + man8/groupadd.8 \ + man8/groupdel.8 \ + man8/groupmod.8 \ + man5/passwd.5 \ +- man1/su.1 \ + man8/useradd.8 \ + man8/userdel.8 \ + man8/usermod.8 +diff --git a/src/Makefile.am b/src/Makefile.am +index 585a0b7e..69ec939a 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -3,7 +3,7 @@ EXTRA_DIST = \ + .indent.pro + + ubindir = ${prefix}/bin +-usbindir = ${prefix}/sbin ++usbindir = ${prefix}/bin + suidperms = 4755 + sgidperms = 2755 + +@@ -27,9 +27,9 @@ AM_CFLAGS = $(LIBBSD_CFLAGS) + # and installation would be much simpler (just two directories, + # $prefix/bin and $prefix/sbin, no install-data hacks...) + +-bin_PROGRAMS = groups login +-sbin_PROGRAMS = nologin +-ubin_PROGRAMS = faillog chage chfn chsh expiry gpasswd newgrp passwd ++bin_PROGRAMS = groups ++sbin_PROGRAMS = ++ubin_PROGRAMS = faillog lastlog chage expiry gpasswd newgrp passwd + if ENABLE_SUBIDS + ubin_PROGRAMS += newgidmap newuidmap + endif +@@ -49,22 +49,20 @@ usbin_PROGRAMS = \ + grpck \ + grpconv \ + grpunconv \ +- logoutd \ + newusers \ + pwck \ + pwconv \ + pwunconv \ + useradd \ + userdel \ +- usermod \ +- vipw ++ usermod + + # id and groups are from gnu, sulogin from sysvinit + noinst_PROGRAMS = id sulogin + + suidusbins = + suidbins = +-suidubins = chage chfn chsh expiry gpasswd newgrp ++suidubins = chage expiry gpasswd newgrp + if WITH_SU + suidbins += su + endif +@@ -137,18 +135,16 @@ sulogin_LDADD = $(LDADD) $(LIBCRYPT) $(LIBECONF) + useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBECONF) -ldl + userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBECONF) -ldl + usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBECONF) -ldl +-vipw_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) + + install-am: all-am + $(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am +- ln -sf newgrp $(DESTDIR)$(ubindir)/sg +- ln -sf vipw $(DESTDIR)$(usbindir)/vigr + set -e; for i in $(suidbins); do \ + chmod $(suidperms) $(DESTDIR)$(bindir)/$$i; \ + done + set -e; for i in $(suidubins); do \ + chmod $(suidperms) $(DESTDIR)$(ubindir)/$$i; \ + done ++ mv -v $(DESTDIR)$(ubindir)/newgrp $(DESTDIR)$(ubindir)/sg + set -e; for i in $(suidusbins); do \ + chmod $(suidperms) $(DESTDIR)$(usbindir)/$$i; \ + done +-- +2.42.0 + diff --git a/core/shadow/0002-Adapt-login.defs-for-PAM-and-util-linux.patch b/core/shadow/0002-Adapt-login.defs-for-PAM-and-util-linux.patch new file mode 100644 index 000000000..2c8d026e8 --- /dev/null +++ b/core/shadow/0002-Adapt-login.defs-for-PAM-and-util-linux.patch @@ -0,0 +1,721 @@ +From 04208ea372acef47175b48ad85959b43b8042831 Mon Sep 17 00:00:00 2001 +From: David Runge +Date: Mon, 31 Oct 2022 09:45:13 +0100 +Subject: [PATCH 2/3] Adapt login.defs for PAM and util-linux + +etc/login.defs: +Remove unused login.defs options, that are either irrelevant due to the +use of PAM or because the util-linux version of a binary does not +support them. +Modify all options that are ignored when using PAM, but are supported by +util-linux. + +Removed options because they are part of PAMDEFS (options in PAMDEFS are +options silently ignored by shadow when built with PAM enabled): +* CHFN_AUTH +* CRACKLIB_DICTPATH +* ENV_HZ +* ENVIRON_FILE +* ENV_TZ +* FAILLOG_ENAB +* FTMP_FILE +* ISSUE_FILE +* LASTLOG_ENAB +* LOGIN_STRING +* MAIL_CHECK_ENAB +* NOLOGINS_FILE +* OBSCURE_CHECKS_ENAB +* PASS_ALWAYS_WARN +* PASS_CHANGE_TRIES +* PASS_MAX_LEN +* PASS_MIN_LEN +* PORTTIME_CHECKS_ENAB +* QUOTAS_ENAB +* SU_WHEEL_ONLY +* SYSLOG_SU_ENAB +* ULIMIT + +Removed options because they are not availablbe with PAM enabled: +* BCRYPT_MIN_ROUNDS +* BCRYPT_MAX_ROUNDS +* CONSOLE_GROUPS +* CONSOLE +* MD5_CRYPT_ENAB +* PREVENT_NO_AUTH + +Removed encryption methods (`ENCRYPT_METHOD`), because they are unsafe +or not available with PAM: +* BCRYPT +* MD5 + +Removed options because they are not supported by login from util-linux: +* ERASECHAR +* KILLCHAR +* LOG_OK_LOGINS +* TTYTYPE_FILE + +Removed options because they are not supported by su from util-linux: +* SULOG_FILE +* SU_NAME + +Adapted options because they are in PAMDEFS but are supported by login +from util-linux: +* MOTD_FILE + +man/login.defs.5.xml: +Remove unavailable options from man 5 login.defs. +--- + etc/login.defs | 228 +------------------------------------------ + man/login.defs.5.xml | 150 +--------------------------- + 2 files changed, 8 insertions(+), 370 deletions(-) + +diff --git a/etc/login.defs b/etc/login.defs +index 114dbcd9..797ca6b3 100644 +--- a/etc/login.defs ++++ b/etc/login.defs +@@ -3,6 +3,8 @@ + # + # $Id$ + # ++# NOTE: This file is adapted for the use on Arch Linux! ++# Unsupported options due to the use of util-linux or PAM are removed. + + # + # Delay in seconds before being allowed another attempt after a login failure +@@ -11,26 +13,11 @@ + # + FAIL_DELAY 3 + +-# +-# Enable logging and display of /var/log/faillog login(1) failure info. +-# +-FAILLOG_ENAB yes +- + # + # Enable display of unknown usernames when login(1) failures are recorded. + # + LOG_UNKFAIL_ENAB no + +-# +-# Enable logging of successful logins +-# +-LOG_OK_LOGINS no +- +-# +-# Enable logging and display of /var/log/lastlog login(1) time info. +-# +-LASTLOG_ENAB yes +- + # + # Limit the highest user ID number for which the lastlog entries should + # be updated. +@@ -40,88 +27,13 @@ LASTLOG_ENAB yes + # + #LASTLOG_UID_MAX + +-# +-# Enable checking and display of mailbox status upon login. +-# +-# Disable if the shell startup files already check for mail +-# ("mailx -e" or equivalent). +-# +-MAIL_CHECK_ENAB yes +- +-# +-# Enable additional checks upon password changes. +-# +-OBSCURE_CHECKS_ENAB yes +- +-# +-# Enable checking of time restrictions specified in /etc/porttime. +-# +-PORTTIME_CHECKS_ENAB yes +- +-# +-# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field. +-# +-QUOTAS_ENAB yes +- +-# +-# Enable "syslog" logging of su(1) activity - in addition to sulog file logging. +-# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1). +-# +-SYSLOG_SU_ENAB yes +-SYSLOG_SG_ENAB yes +- +-# +-# If defined, either full pathname of a file containing device names or +-# a ":" delimited list of device names. Root logins will be allowed only +-# from these devices. +-# +-CONSOLE /etc/securetty +-#CONSOLE console:tty01:tty02:tty03:tty04 +- +-# +-# If defined, all su(1) activity is logged to this file. +-# +-#SULOG_FILE /var/log/sulog +- + # + # If defined, ":" delimited list of "message of the day" files to + # be displayed upon login. + # +-MOTD_FILE /etc/motd ++MOTD_FILE + #MOTD_FILE /etc/motd:/usr/lib/news/news-motd + +-# +-# If defined, this file will be output before each login(1) prompt. +-# +-#ISSUE_FILE /etc/issue +- +-# +-# If defined, file which maps tty line to TERM environment parameter. +-# Each line of the file is in a format similar to "vt100 tty01". +-# +-#TTYTYPE_FILE /etc/ttytype +- +-# +-# If defined, login(1) failures will be logged here in a utmp format. +-# last(1), when invoked as lastb(1), will read /var/log/btmp, so... +-# +-FTMP_FILE /var/log/btmp +- +-# +-# If defined, name of file whose presence will inhibit non-root +-# logins. The content of this file should be a message indicating +-# why logins are inhibited. +-# +-NOLOGINS_FILE /etc/nologin +- +-# +-# If defined, the command name to display when running "su -". For +-# example, if this is defined as "su" then ps(1) will display the +-# command as "-su". If not defined, then ps(1) will display the +-# name of the shell actually being run, e.g. something like "-sh". +-# +-SU_NAME su +- + # + # *REQUIRED* + # Directory where mailboxes reside, _or_ name of file, relative to the +@@ -139,21 +51,6 @@ MAIL_DIR /var/spool/mail + HUSHLOGIN_FILE .hushlogin + #HUSHLOGIN_FILE /etc/hushlogins + +-# +-# If defined, either a TZ environment parameter spec or the +-# fully-rooted pathname of a file containing such a spec. +-# +-#ENV_TZ TZ=CST6CDT +-#ENV_TZ /etc/tzname +- +-# +-# If defined, an HZ environment parameter spec. +-# +-# for Linux/x86 +-ENV_HZ HZ=100 +-# For Linux/Alpha... +-#ENV_HZ HZ=1024 +- + # + # *REQUIRED* The default PATH settings, for superuser and normal users. + # +@@ -175,23 +72,6 @@ ENV_PATH PATH=/bin:/usr/bin + TTYGROUP tty + TTYPERM 0600 + +-# +-# Login configuration initializations: +-# +-# ERASECHAR Terminal ERASE character ('\010' = backspace). +-# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +-# ULIMIT Default "ulimit" value. +-# +-# The ERASECHAR and KILLCHAR are used only on System V machines. +-# The ULIMIT is used only if the system supports it. +-# (now it works with setrlimit too; ulimit is in 512-byte units) +-# +-# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +-# +-ERASECHAR 0177 +-KILLCHAR 025 +-#ULIMIT 2097152 +- + # Default initial "umask" value used by login(1) on non-PAM enabled systems. + # Default "umask" value for pam_umask(8) on PAM enabled systems. + # UMASK is also used by useradd(8) and newusers(8) to set the mode for new +@@ -211,27 +91,12 @@ UMASK 022 + # + # PASS_MAX_DAYS Maximum number of days a password may be used. + # PASS_MIN_DAYS Minimum number of days allowed between password changes. +-# PASS_MIN_LEN Minimum acceptable password length. + # PASS_WARN_AGE Number of days warning given before a password expires. + # + PASS_MAX_DAYS 99999 + PASS_MIN_DAYS 0 +-PASS_MIN_LEN 5 + PASS_WARN_AGE 7 + +-# +-# If "yes", the user must be listed as a member of the first gid 0 group +-# in /etc/group (called "root" on most Linux systems) to be able to "su" +-# to uid 0 accounts. If the group doesn't exist or is empty, no one +-# will be able to "su" to uid 0. +-# +-SU_WHEEL_ONLY no +- +-# +-# If compiled with cracklib support, sets the path to the dictionaries +-# +-CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict +- + # + # Min/max values for automatic uid selection in useradd(8) + # +@@ -268,28 +133,6 @@ LOGIN_RETRIES 5 + # + LOGIN_TIMEOUT 60 + +-# +-# Maximum number of attempts to change password if rejected (too easy) +-# +-PASS_CHANGE_TRIES 5 +- +-# +-# Warn about weak passwords (but still allow them) if you are root. +-# +-PASS_ALWAYS_WARN yes +- +-# +-# Number of significant characters in the password for crypt(). +-# Default is 8, don't change unless your crypt() is better. +-# Ignored if MD5_CRYPT_ENAB set to "yes". +-# +-#PASS_MAX_LEN 8 +- +-# +-# Require password before chfn(1)/chsh(1) can make any changes. +-# +-CHFN_AUTH yes +- + # + # Which fields may be changed by regular users using chfn(1) - use + # any combination of letters "frwh" (full name, room number, work +@@ -298,38 +141,13 @@ CHFN_AUTH yes + # + CHFN_RESTRICT rwh + +-# +-# Password prompt (%s will be replaced by user name). +-# +-# XXX - it doesn't work correctly yet, for now leave it commented out +-# to use the default which is just "Password: ". +-#LOGIN_STRING "%s's Password: " +- +-# +-# Only works if compiled with MD5_CRYPT defined: +-# If set to "yes", new passwords will be encrypted using the MD5-based +-# algorithm compatible with the one used by recent releases of FreeBSD. +-# It supports passwords of unlimited length and longer salt strings. +-# Set to "no" if you need to copy encrypted passwords to other systems +-# which don't understand the new algorithm. Default is "no". +-# +-# Note: If you use PAM, it is recommended to use a value consistent with +-# the PAM modules configuration. +-# +-# This variable is deprecated. You should use ENCRYPT_METHOD instead. +-# +-#MD5_CRYPT_ENAB no +- + # + # Only works if compiled with ENCRYPTMETHOD_SELECT defined: +-# If set to MD5, MD5-based algorithm will be used for encrypting password + # If set to SHA256, SHA256-based algorithm will be used for encrypting password + # If set to SHA512, SHA512-based algorithm will be used for encrypting password +-# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password + # If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password + # If set to DES, DES-based algorithm will be used for encrypting password (default) + # MD5 and DES should not be used for new hashes, see crypt(5) for recommendations. +-# Overrides the MD5_CRYPT_ENAB option + # + # Note: If you use PAM, it is recommended to use a value consistent with + # the PAM modules configuration. +@@ -353,21 +171,6 @@ CHFN_RESTRICT rwh + #SHA_CRYPT_MIN_ROUNDS 5000 + #SHA_CRYPT_MAX_ROUNDS 5000 + +-# +-# Only works if ENCRYPT_METHOD is set to BCRYPT. +-# +-# Define the number of BCRYPT rounds. +-# With a lot of rounds, it is more difficult to brute-force the password. +-# However, more CPU resources will be needed to authenticate users if +-# this value is increased. +-# +-# If not specified, 13 rounds will be attempted. +-# If only one of the MIN or MAX values is set, then this value will be used. +-# If MIN > MAX, the highest value will be used. +-# +-#BCRYPT_MIN_ROUNDS 13 +-#BCRYPT_MAX_ROUNDS 13 +- + # + # Only works if ENCRYPT_METHOD is set to YESCRYPT. + # +@@ -381,17 +184,6 @@ CHFN_RESTRICT rwh + # + #YESCRYPT_COST_FACTOR 5 + +-# +-# List of groups to add to the user's supplementary group set +-# when logging in from the console (as determined by the CONSOLE +-# setting). Default is none. +-# +-# Use with caution - it is possible for users to gain permanent +-# access to these groups, even when not logged in from the console. +-# How to do it is left as an exercise for the reader... +-# +-#CONSOLE_GROUPS floppy:audio:cdrom +- + # + # Should login be allowed if we can't cd to the home directory? + # Default is no. +@@ -406,12 +198,6 @@ DEFAULT_HOME yes + # + NONEXISTENT /nonexistent + +-# +-# If this file exists and is readable, login environment will be +-# read from it. Every line should be in the form name=value. +-# +-ENVIRON_FILE /etc/environment +- + # + # If defined, this command is run when removing a user. + # It should remove any at/cron/print jobs etc. owned by +@@ -459,14 +245,6 @@ USERGROUPS_ENAB yes + # + #GRANT_AUX_GROUP_SUBIDS yes + +-# +-# Prevents an empty password field to be interpreted as "no authentication +-# required". +-# Set to "yes" to prevent for all accounts +-# Set to "superuser" to prevent for UID 0 / root (default) +-# Set to "no" to not prevent for any account (dangerous, historical default) +-PREVENT_NO_AUTH superuser +- + # + # Select the HMAC cryptography algorithm. + # Used in pam_timestamp module to calculate the keyed-hash message +diff --git a/man/login.defs.5.xml b/man/login.defs.5.xml +index ab62fa86..d82c47f1 100644 +--- a/man/login.defs.5.xml ++++ b/man/login.defs.5.xml +@@ -7,69 +7,38 @@ + --> + + +- +- +- + + + +- + + +- +- +- + +- +- +- + + + + +- +- +- + +- + + +- + +- + + +- + +- + +- +- +- +- + + + +- +- + +- +- +- + + + + +- + + + + +- + +- + + + +@@ -145,47 +114,25 @@ + The following configuration items are provided: + + +- &CHFN_AUTH; + &CHFN_RESTRICT; +- &CHSH_AUTH; +- &CONSOLE; +- &CONSOLE_GROUPS; + &CREATE_HOME; + &DEFAULT_HOME; + &ENCRYPT_METHOD; +- &ENV_HZ; + &ENV_PATH; + &ENV_SUPATH; +- &ENV_TZ; +- &ENVIRON_FILE; +- &ERASECHAR; + &FAIL_DELAY; +- &FAILLOG_ENAB; +- &FAKE_SHELL; +- &FTMP_FILE; + &GID_MAX; + &HMAC_CRYPTO_ALGO; + &HOME_MODE; + &HUSHLOGIN_FILE; +- &ISSUE_FILE; +- &KILLCHAR; +- &LASTLOG_ENAB; + &LASTLOG_UID_MAX; +- &LOG_OK_LOGINS; + &LOG_UNKFAIL_ENAB; + &LOGIN_RETRIES; +- &LOGIN_STRING; + &LOGIN_TIMEOUT; +- &MAIL_CHECK_ENAB; + &MAIL_DIR; + &MAX_MEMBERS_PER_GROUP; +- &MD5_CRYPT_ENAB; + &MOTD_FILE; +- &NOLOGINS_FILE; + &NONEXISTENT; +- &OBSCURE_CHECKS_ENAB; +- &PASS_ALWAYS_WARN; +- &PASS_CHANGE_TRIES; + &PASS_MAX_DAYS; + &PASS_MIN_DAYS; + &PASS_WARN_AGE; +@@ -195,25 +142,16 @@ + time of account creation. Any changes to these settings won't affect + existing accounts. + +- &PASS_MAX_LEN; +- &PORTTIME_CHECKS_ENAB; +- "AS_ENAB; + &SHA_CRYPT_MIN_ROUNDS; +- &SULOG_FILE; +- &SU_NAME; +- &SU_WHEEL_ONLY; + &SUB_GID_COUNT; + &SUB_UID_COUNT; + &SYS_GID_MAX; + &SYS_UID_MAX; + &SYSLOG_SG_ENAB; +- &SYSLOG_SU_ENAB; + &TCB_AUTH_GROUP; + &TCB_SYMLINKS; + &TTYGROUP; +- &TTYTYPE_FILE; + &UID_MAX; +- &ULIMIT; + &UMASK; + &USERDEL_CMD; + &USERGROUPS_ENAB; +@@ -239,9 +177,7 @@ + chfn + + +- CHFN_AUTH + CHFN_RESTRICT +- LOGIN_STRING + + + +@@ -249,7 +185,7 @@ + chgpasswd + + +- ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB ++ ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP + SHA_CRYPT_MAX_ROUNDS + SHA_CRYPT_MIN_ROUNDS + +@@ -259,8 +195,6 @@ + chpasswd + + +- ENCRYPT_METHOD +- MD5_CRYPT_ENAB + SHA_CRYPT_MAX_ROUNDS + SHA_CRYPT_MIN_ROUNDS + +@@ -270,7 +204,7 @@ + chsh + + +- CHSH_AUTH LOGIN_STRING ++ CHSH_AUTH + + + +@@ -280,7 +214,7 @@ + gpasswd + + +- ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB ++ ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP + SHA_CRYPT_MAX_ROUNDS + SHA_CRYPT_MIN_ROUNDS + +@@ -339,35 +273,6 @@ + LASTLOG_UID_MAX + + +- +- login +- +- +- CONSOLE +- CONSOLE_GROUPS DEFAULT_HOME +- ENV_HZ ENV_PATH ENV_SUPATH +- ENV_TZ ENVIRON_FILE +- ERASECHAR FAIL_DELAY +- FAILLOG_ENAB +- FAKE_SHELL +- FTMP_FILE +- HUSHLOGIN_FILE +- ISSUE_FILE +- KILLCHAR +- LASTLOG_ENAB LASTLOG_UID_MAX +- LOGIN_RETRIES +- LOGIN_STRING +- LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB +- MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE +- MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB +- QUOTAS_ENAB +- TTYGROUP TTYPERM TTYTYPE_FILE +- ULIMIT UMASK +- USERGROUPS_ENAB +- +- +- +- + + newgrp / sg + +@@ -382,7 +287,7 @@ + + ENCRYPT_METHOD + GID_MAX GID_MIN +- MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB ++ MAX_MEMBERS_PER_GROUP + HOME_MODE + PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE + SHA_CRYPT_MAX_ROUNDS +@@ -399,8 +304,7 @@ + passwd + + +- ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB +- PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN ++ ENCRYPT_METHOD + SHA_CRYPT_MAX_ROUNDS + SHA_CRYPT_MIN_ROUNDS + +@@ -432,32 +336,6 @@ + + + +- +- su +- +- +- CONSOLE +- CONSOLE_GROUPS DEFAULT_HOME +- ENV_HZ ENVIRON_FILE +- ENV_PATH ENV_SUPATH +- ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB +- MAIL_DIR MAIL_FILE QUOTAS_ENAB +- SULOG_FILE SU_NAME +- SU_WHEEL_ONLY +- SYSLOG_SU_ENAB +- USERGROUPS_ENAB +- +- +- +- +- sulogin +- +- +- ENV_HZ +- ENV_TZ +- +- +- + + useradd + +@@ -486,24 +364,6 @@ + + + +- +- usermod +- +- +- LASTLOG_UID_MAX +- MAIL_DIR MAIL_FILE MAX_MEMBERS_PER_GROUP +- TCB_SYMLINKS USE_TCB +- +- +- +- +- vipw +- +- +- USE_TCB +- +- +- + + + +-- +2.42.0 + diff --git a/core/shadow/0003-Add-Arch-Linux-defaults-for-login.defs.patch b/core/shadow/0003-Add-Arch-Linux-defaults-for-login.defs.patch new file mode 100644 index 000000000..5e687b02a --- /dev/null +++ b/core/shadow/0003-Add-Arch-Linux-defaults-for-login.defs.patch @@ -0,0 +1,73 @@ +From 2642dcf11171a701f1997dcd19a769bb5baec410 Mon Sep 17 00:00:00 2001 +From: David Runge +Date: Mon, 31 Oct 2022 10:10:22 +0100 +Subject: [PATCH 3/3] Add Arch Linux defaults for login.defs + +etc/login.defs: +- Change `ENV_SUPATH` and `ENV_SUPATH` to only use + /usr/local/sbin:/usr/local/bin:/usr/bin as Arch Linux is a /usr and + bin merge distribution. +- Set `HOME_MODE` to `0700` to be able to rely on a `UMASK` of `022` + while creating home directories in a privacy conserving manner. +- Change SYS_UID_MIN and SYS_GID_MIN to 500 which gives more space for + distribution added UIDs and GIDs of system users. +- Change ENCRYPT_METHOD to YESCRYPT as it is a safer hashing algorithm + than DES. +--- + etc/login.defs | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/etc/login.defs b/etc/login.defs +index 797ca6b3..c4accbf8 100644 +--- a/etc/login.defs ++++ b/etc/login.defs +@@ -55,8 +55,8 @@ HUSHLOGIN_FILE .hushlogin + # *REQUIRED* The default PATH settings, for superuser and normal users. + # + # (they are minimal, add the rest in the shell startup files) +-ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin +-ENV_PATH PATH=/bin:/usr/bin ++ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin ++ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin + + # + # Terminal permissions +@@ -84,7 +84,7 @@ UMASK 022 + # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new + # home directories. + # If HOME_MODE is not set, the value of UMASK is used to create the mode. +-#HOME_MODE 0700 ++HOME_MODE 0700 + + # + # Password aging controls: +@@ -103,7 +103,7 @@ PASS_WARN_AGE 7 + UID_MIN 1000 + UID_MAX 60000 + # System accounts +-SYS_UID_MIN 101 ++SYS_UID_MIN 500 + SYS_UID_MAX 999 + # Extra per user uids + SUB_UID_MIN 100000 +@@ -116,7 +116,7 @@ SUB_UID_COUNT 65536 + GID_MIN 1000 + GID_MAX 60000 + # System accounts +-SYS_GID_MIN 101 ++SYS_GID_MIN 500 + SYS_GID_MAX 999 + # Extra per user group ids + SUB_GID_MIN 100000 +@@ -152,7 +152,7 @@ CHFN_RESTRICT rwh + # Note: If you use PAM, it is recommended to use a value consistent with + # the PAM modules configuration. + # +-#ENCRYPT_METHOD DES ++ENCRYPT_METHOD YESCRYPT + + # + # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. +-- +2.42.0 + diff --git a/core/shadow/PKGBUILD b/core/shadow/PKGBUILD new file mode 100644 index 000000000..950e916b5 --- /dev/null +++ b/core/shadow/PKGBUILD @@ -0,0 +1,136 @@ +# Maintainer: David Runge +# Contributor: Dave Reisner +# Contributor: Aaron Griffin + +# ALARM: Kevin Mihelich +# - build with libbsd until toolchain is updated + +pkgname=shadow +pkgver=4.14.0 +pkgrel=3 +pkgdesc="Password and account management tool suite with support for shadow files and PAM" +arch=(x86_64) +url="https://github.com/shadow-maint/shadow" +license=(BSD-3-Clause) +depends=( + acl libacl.so + attr libattr.so + audit libaudit.so + glibc libbsd + libxcrypt libcrypt.so + pam libpam.so libpam_misc.so +) +makedepends=( + docbook-xsl + itstool + libcap + libxslt +) +backup=( + etc/default/useradd + etc/login.defs + etc/pam.d/chpasswd + etc/pam.d/groupmems + etc/pam.d/newusers + etc/pam.d/passwd +) +options=(!emptydirs) +# NOTE: distribution patches are taken from https://gitlab.archlinux.org/archlinux/packaging/upstream/shadow/-/commits/v4.14.0.arch2 +source=( + $url/releases/download/$pkgver/$pkgname-$pkgver.tar.xz{,.asc} + 0001-Disable-replaced-tools-and-their-man-pages-and-PAM-i.patch + 0002-Adapt-login.defs-for-PAM-and-util-linux.patch + 0003-Add-Arch-Linux-defaults-for-login.defs.patch + shadow.{timer,service} + shadow.{sysusers,tmpfiles} + useradd.defaults +) +sha512sums=('ff960481d576f9db5a9f10becc4e1a74c03de484ecfdcd7f1ea735fded683d7ba0f9cd895dc6a431b77e5a633752273178b1bcda4cefaa5adbf0f143c9a0c86f' + 'SKIP' + 'ac119fd4a7867021923c54d54612499313686bb2faa957133f63c77700b8777dd87628fd4f36d4e4c1160700624a776510bc5d450ef5be1adc128552edfcb062' + '57166e14262df3ddcf03008a34ef603a624a31b6d40b18b9fc4d8be50fb857540dea2ffc9dab81c91bcd87bbb3b0dee381219ebd3e68f71864c64a33d5ec7b15' + '16c00e8ae1e4f86c9075e08b420ddd5e948345db5611390167ce08d7e3e4ec469954b255b3384d855484803ce3fa5d78c88ff8ae722c0215b692b9dece2ed6f6' + 'e4edf705dd04e088c6b561713eaa1afeb92f42ac13722bff037aede6ac5ad7d4d00828cfb677f7b1ff048db8b6788238c1ab6a71dfcfd3e02ef6cb78ae09a621' + '2c8689b52029f6aa27d75b8b05b0b36e2fc322cab40fdfbb50cdbe331f61bc84e8db20f012cf9af3de8c4e7fdb10c2d5a4925ca1ba3b70eb5627772b94da84b3' + '5afac4a96b599b0b8ed7be751e7160037c3beb191629928c6520bfd3f2adcd1c55c31029c92c2ff8543e6cd9e37e2cd515ba4e1789c6d66f9c93b4e7f209ee7a' + '08a56b16673f282404f3ee026236f3d361045b4448bad7d3cc5d7cbeaf06a1d66a3a3e0848accaebde206741a7998699b9f18bd56a44d93422370567fe8cb180' + 'e9ffea021ee4031b9ad3a534bfb94dbf9d0dfd45a55ecac5dedb2453ea0c17fb80bbb9ad039686bc1f3349dc371977eb548e3a665c56531469c22f29fc4eced8') +b2sums=('6e9a6108f856953ec91c597e46ad4f912101a829c7b3ff3389510be43f56f0a70425bd562119282d73df269df45af354e626741ad748f9c1e6f27b74a462a62c' + 'SKIP' + '77b6e4bc6dc070b992728440fc29a8ed04e8f51cc7e58628f294c68bec7f102c8a80af6a41cf9a3c37d33e7a40ead4f4729f2e68412ab5606e6ecbd3008f5048' + 'e6359de24e563564979fd0b7915a3227239a84f175cb188392097394d4d41c782100655cbd0a779b6dfde7eddcf8b314ab15eb15ca891287a820547551d54c04' + 'fe88e173ea5531c083c1f3fb640cad1de463ce5446cb097bd30bc54e9082ba0540a57a9effd11c0779196583cf58bfc7066ab10ef4088f78c7d74928a73889b2' + '5cfc936555aa2b2e15f8830ff83764dad6e11a80e2a102c5f2bd3b7c83db22a5457a3afdd182e3648c9d7d5bca90fa550f59576d0ac47a11a31dfb636cb18f2b' + 'a69191ab966f146c35e7e911e7e57c29fffd54436ea014aa8ffe0dd46aaf57c635d0a652b35916745c75d82b3fca7234366ea5f810b622e94730b45ec86f122c' + '511c4ad9f3be530dc17dd68f2a3387d748dcdb84192d35f296b88f82442224477e2a74b1841ec3f107b39a5c41c2d961480e396a48d0578f8fd5f65dbe8d9f04' + 'b425e7b3d48de694114dfdf378e66175b1ef32cb773be2506813ace8a6dfd1035e7d10c30efb6791df2ae920bdec3aa7cb862ed93bac4cde713c549bd896d1b2' + 'd5bea0cfc2e6d3d1749c65440ca911533d41b6f8117fe09e9efec23524637cfa823d230303a7fbb45d3cd251bf8036d48b9b21049ced208f7ed191fcbd75e879') +validpgpkeys=(66D0387DB85D320F8408166DB175CFA98F192AF2) # Serge Hallyn + +prepare() { + local filename + + cd $pkgname-$pkgver + for filename in "${source[@]}"; do + if [[ "$filename" =~ \.patch$ ]]; then + printf "Applying patch %s\n" "${filename##*/}" + patch -Np1 -i "$srcdir/${filename##*/}" + fi + done + + autoreconf -fiv +} + +build() { + local configure_options=( + --bindir=/usr/bin + --disable-account-tools-setuid # no setuid for chgpasswd, chpasswd, groupadd, groupdel, groupmod, newusers, useradd, userdel, usermod + --enable-man + --libdir=/usr/lib + --mandir=/usr/share/man + --prefix=/usr + --sbindir=/usr/bin + --sysconfdir=/etc + --with-audit + --with-fcaps # use capabilities instead of setuid for setuidmap and setgidmap + --with-group-name-max-length=32 + --with-libpam # PAM integration for chpasswd, groupmems, newusers, passwd + #--without-libbsd # shadow can use internal implementation for getting passphrase + --without-selinux + --without-su # su is provided by util-linux + ) + + cd $pkgname-$pkgver + # add extra check, preventing accidental deletion of other user's home dirs when using `userdel -r ` + export CFLAGS="$CFLAGS -DEXTRA_CHECK_HOME_DIR" + ./configure "${configure_options[@]}" + + # prevent excessive overlinking due to libtool + sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool + make +} + +package() { + cd $pkgname-$pkgver + + make DESTDIR="$pkgdir" install + make DESTDIR="$pkgdir" -C man install + + # license + install -vDm 644 COPYING -t "$pkgdir/usr/share/licenses/$pkgname/" + + # custom useradd(8) defaults (not provided by upstream) + install -vDm 600 ../useradd.defaults "$pkgdir/etc/default/useradd" + + # systemd units + install -vDm 644 ../shadow.timer -t "$pkgdir/usr/lib/systemd/system/" + install -vDm 644 ../shadow.service -t "$pkgdir/usr/lib/systemd/system/" + install -vdm 755 "$pkgdir/usr/lib/systemd/system/timers.target.wants" + ln -s ../shadow.timer "$pkgdir/usr/lib/systemd/system/timers.target.wants/shadow.timer" + + install -vDm 644 ../$pkgname.sysusers "$pkgdir/usr/lib/sysusers.d/$pkgname.conf" + install -vDm 644 ../$pkgname.tmpfiles "$pkgdir/usr/lib/tmpfiles.d/$pkgname.conf" + + # manually add PAM config for chpasswd and newusers: https://github.com/shadow-maint/shadow/issues/810 + install -vDm 644 etc/pam.d/{chpasswd,newusers} -t "$pkgdir/etc/pam.d/" +} diff --git a/core/shadow/keys/pgp/66D0387DB85D320F8408166DB175CFA98F192AF2.asc b/core/shadow/keys/pgp/66D0387DB85D320F8408166DB175CFA98F192AF2.asc new file mode 100644 index 000000000..f5d36a1a8 --- /dev/null +++ b/core/shadow/keys/pgp/66D0387DB85D320F8408166DB175CFA98F192AF2.asc @@ -0,0 +1,80 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBE+oKZQBCACz5WylGAr+eitZjuSigzR+y30W3E+gkU0DSNlBB3WlorOtmzMX +9F2d+z+ozJuez4NPqwfQ5y2ExKSbL8i1rwYmExZIzTDpm1Q6N3hG+vLbxwbrbsKT +qW9rPiXriU5yRwuvVJl4NOU6T/Pau3/VD8iFN7U4mVpNFVPlB8vCvDJ+07Z0xIH9 +MXe8uaERG3v2EL7Mv8L5w05XEeuTT/CJiw6NdzwjZc1FymVoFjntetl8HaJ+5JCB +2ylAbnw/wZJHORgsLxZhOL6/zrJRG8GvjgB+1l8izgl4n0DOqjyyoQIZJ+mfuHR0 +6wDqwvP5F9RZqCh8Md4hYujop5a0BKfAzLfdABEBAAG0IFNlcmdlIEhhbGx5biA8 +c2VyZ2VoQGtlcm5lbC5vcmc+iQFOBBMBCgA4FiEEZtA4fbhdMg+ECBZtsXXPqY8Z +KvIFAl2r0d0CGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQsXXPqY8ZKvIM +nAgAiTpLlXuzyD4C+9I/yCA9N/BqK43jnMfJOl/Ky56vgJ/WbrFJLuO3wubMlRLD +3jurC6SK2g0TpygyoX2MjwZVT60Sq3ZcgIh71yyWHhtZ29NuUiKsKnajb9IlP+AM +1V0g9py41YdDUmAuC/5crqyK+8u1CVrB/is7Eym598gIl9nyGvaZrzgjG1cRCjzf +ZU8pRG+VPMr5Xla8rDKBZl+LcusV90eAUa0E/KVFS5N1dQ6HKckYXPSBN3DKHZy+ +qKa1k7Dq0CnkTjQmjaMu3j5sdOXg4QUfhCHeLDFAtadNdP04I6g5KZRvC44XdQ1A +bxFMLyObhCsq/QxSh/nYrKsw0rQsU2VyZ2UgSGFsbHluIChrZXJuZWwub3JnKSA8 +c2VyZ2VAaGFsbHluLmNvbT6JATgEEwECACIFAk+oKZQCGwMGCwkIBwMCBhUIAgkK +CwQWAgMBAh4BAheAAAoJELF1z6mPGSryYfEIAJviOHYwzXjnHWrsbQQ75rJq2wQ4 +NlM5FRljskufCXtIz/DUpKKT3aqG3y7ywtEwl4ePofJmLbC0O5bZF9blgSSCV02z +zGdeUosAJsxumYHVi9CRHWsiAaNMX8gif9vePqz/iY/caPS4w4gBXJK8vLwvxToI +4CZDwIlMkMov//3HQ5v5OKfeqbA1rnsGI74vUw9Zt/Sqgudz5bY65693OqeRRWU6 +tOH8zo4HkFew26Ydh80qAn1R7ALnk68zwfXj8vdyR9f05dEqbg/4thZWcjWC/Frn +QOjcTwKu5DnUCE937a1MPzt4t1FCYUHrqcLN99uzGuOD42o9/S+JAa2HWhe5AQ0E +XavhqwEIAMKECc/f8f0/CenKkz3wXGEtlG46YLjtTt2tWYXdt9Z04ihVaYePanFt +vuujyO3I3jUQNv2foU1CtOuVyfZqX+TXqs0BUPXWwTCkMOyc/fEQ5u0BFJjWYtmr +2sZY4Ag1juJsmzI7g3cnMLL9LbjpbHRruFIT5rnv9NwG7PURn1XnCt9tdZ/d0h7v +EaNkD37j67rjy8UElVVcwVGhsCR8CkqwZ6ZwpQxE9wyq/Txb+v8qEJcohc5SWbYl +70AtzHObokkW6cvRjNz+BcEpnPfu10lbPO/8a16B96VDdjDGPj2shfNsFLaT8MtF +fDAdjZRGlrfv3Wp4qFRlSUGrjInvOLMAEQEAAYkBNgQYAQoAIBYhBGbQOH24XTIP +hAgWbbF1z6mPGSryBQJdq+GrAhsgAAoJELF1z6mPGSryW4wH/3Xk9x+WUxeJNtm+ +5hOfe/KBsXQUbBz+JHGFjd9YQw98jUvPNN1RfgtKf31b+FDKbk/cu+9bNLSfhKDz +2AEREViogKRcVjJDy9XmmWQd1oo+M4GHNYhpIt5ZK1d3CROIiqisLQsih64/gl9g +boMcsUuHRkc3hVKUb2umCZPG37hUdAvOmOMS7/0KCGS5pXnfsX+zegSKjps12siE +xYXiRpkxbF9MW7er6/6ukvHLx4jHpgiZ5Sjt/9OqUiAOgUSQfhpAUJlaLxe9E3nj ++ABs7LV+FOjtI64skqgqbYo5VXobFSJhqFTog1+KmMznfsdKaOZQuZh3v3TtGUzk +xoMUHPe5AQ0EXavhYgEIAMd+iVOTx6FC3Ghv2PASeXsnxtb9Af+aBjNf0m8WKTLg +IS9xQbxgNJctG6AEptkBfAStRLIA5qOa0iYIpkJynEPbonJ12qvtlJ6b6g1h3ATh +YXQBjTQ89X+rlFzVGQsieqanjI+fiSNbDarOLQUbeJOrkfFukr34o5xloKENL/kw +u1lDG/Y2GMxZRLe1aVJUXQg4FiEiaE+LNFbrUHxdNR2PE4XuJHetneHEiT/zXpvE +F4MCisjJTGAHEC43rl7OqHU/GDdcW0udyf9v33LCFWTRLlgKKHVyUrHVhVzbB2z1 ++xnxxh/bQXjgttIP3Zqn8LXiLnUNU5+ejJiuAwdwcn8AEQEAAYkBNgQYAQoAIBYh +BGbQOH24XTIPhAgWbbF1z6mPGSryBQJdq+FiAhsMAAoJELF1z6mPGSry9/UH/0vO +oYu6b57UxsJNR5dCMhsPYV7FFIX9uj5XIDo/bQt2RTMa2PuKMbcDGINsDqHXqOFp +Zq5WDHhq0cEoIqhlkgj1uC77LLGw7mWyiaMbITQDlRzP9c9Qj3NkGNKW6FTwR7LP +h43kgXygO1StVADIdHapiw9hI52rF8FrNYy4oNRXhUcDPfn03akuIbF75saCHaYO +/xoQeEqE+0qV82V/FT5tISMygkzgq+9zUhiA4XQjxiVhSK2cAi0iUTXZecyEueLk +6zZ9vkD8JZagSirTFgxtLrnhVpUBJMOgffv5jmO/Sun4s+3JbAdicmsFqw90hWmG +Nwa0F5HZ20rEVAwkdt25AQ0EXavgpgEIAOk8dMgYu4Q7hU461EC/MtxIiwSD8i7l +izUB8SzxFPnyWgkvG2Fik5lUiDJmEstLdCm3dpapiJudzcTgl9Abo4xgoq+VbKRC +Pk0017JE2bNSbF3TmxhaHAHiBvhU/U+kRz+lDnUE1SmhzGd1yn1kCvmG9MmWjiQP +kG9vLx3d46DBnqHO6wn1AFeKiKuyCs1igvtT2qz+2+izY9tyd+s2O95+1CDQslqQ +8IQNP00cFTJljsk3dmZXQb6SkxxTNG+E/2vMdUZhUbb7UIFUOmFekZvGZMIf9sNM +JGCVIN+vyMMhE1MA17iJGxtAFVqeMN4wA9+MA4z5udkegdbxnWxLtg0AEQEAAYkC +bAQYAQoAIBYhBGbQOH24XTIPhAgWbbF1z6mPGSryBQJdq+CmAhsCAUAJELF1z6mP +GSrywHQgBBkBCgAdFiEEqb0/8XByttt4D8+UNXDaFycKziQFAl2r4KYACgkQNXDa +FycKziT2fAf+PgS08m9Uiks9LWAp9BpaiVn0SXx/XYhTJmRr78UrCHogZstAET2h +aLqWwMIoyOpie5Vutxi2WXQtzsJ1BHV9LB/NP3nFT/P9asZXzFtBBRQsDwxW5ii2 +0hkHKG10M2+QGiC0ssfi1zjQFKbaOpxvou5Pi+zBQuT1RQ65NQrFYQI4zdyLbnni +X2EZpDipLFJeGs881HQt7RjwSUtAjXW9M/pQQDp/JWEjp6D3R4ys0/Y4cJblCci5 +rM8Un/aVvXYGBqEpsddhH9xGpk0JTWtGAfw1a0ovRv39D1uwG8uXTQiUDTGGlllX +hzpLkcJBtT8VeogiAGZC99pbNW5BU8cbFyOHB/9Q/HBmIqmj5MYvQZCQ//cf9Af9 +gc+o2YA4/Kg2pSf9GKZizd3J8NO05O6YSsXqIsBr2lIGjw4klkE7GyRd/KVMQOxr +FY9vFcdSxQuklnFUeiH73RFP3nsdzw+MRr4Hcpbm9F0fCnB6aU1gqf74e/6Qiv6d +2pq7Dzyzx7ZCm8BRLT2HZbFeYQ6GsdOIYgWzWXqurk/68rlE1D7Fo9KK9lmrLOwr +r7ez1pOLHA8pPDhZhxI5D3ZhDsLUux3caCUfFdP/VpaJijGNc1HYt8mk4U1Qb6Zl +afTYb75F9d61v8/M/HATZ5KpT9gr0aGkfwptzCwlBJ8ypcRI9AuUUDCTAXIGuQEN +BE+oKZQBCADc9sYSnWAj3y6QE9sGNDUFaKpAFUsprpQ8LeA05nh3RUxYDd75qc0e +wtGR1+SlgpehKQfSXVQT254jM5lJanNDPYffk9k9lMwgSVoTP2QaszfDgir7WKKQ +uj3dBwnmYHdIY2mq+eaAh/1cCU//ggdaATo4ENQhKTAIiuviGKBpYX/zHAlPIvyF +jERsBmq0woQKvDGsoQEObx1zu1GaTWeTSIEnHyRhajMQrKUAxSCh9Th2Vj6xOhvx +9TK6li+ecxYuuBVP0Xllg1GdoQBC8KWITDOrU18suj1vEGK4YOzQQPxANs6I81Sv +Vddd2bh71cyAjhHr1kugw3PWQvLe4yHHABEBAAGJAR8EGAECAAkFAk+oKZQCGwwA +CgkQsXXPqY8ZKvJrVAgAi7CVXJt8mZiN+yzwiZVlzrkRQduB2cgvGZD6Hm3MJc1a +VA3Gh0tJcLo+SdutCOzKSmPRSsnWT19EKxpDMrc9j97Pi9SDrGyUOx7Bz8gKjTI6 +BcfPNAhAyIr5Gr9SDyTx6tUduSmmErrvjYWP1/Jz7spInN2wQd5ZVRSvS/rNZGh1 +NU31oeWlbpkU0JpGbZkMXv4JIy+1caH5zzrcRMC9JFxfm/bYdaq+jHhMufnSy0Qa +3QgJkKvzxzvlIG9BaUmuNeR+XoA9ISEMQzAYXqxJQSL28Er9IVaNgtz5mqCMf8vu +DTPGpkYyqGnOjtQNF695wiA7CAr3/WTeiEl6kKsBFg== +=YnIc +-----END PGP PUBLIC KEY BLOCK----- diff --git a/core/shadow/shadow.service b/core/shadow/shadow.service new file mode 100644 index 000000000..1810ef21d --- /dev/null +++ b/core/shadow/shadow.service @@ -0,0 +1,37 @@ +[Unit] +Description=Verify integrity of password and group files +After=systemd-sysusers.service + +[Service] +CapabilityBoundingSet=CAP_DAC_READ_SEARCH +# Always run both checks, but fail the service if either fails +ExecStart=/bin/sh -c '/usr/bin/pwck -qr || r=1; /usr/bin/grpck -r && exit $r' +Nice=19 +IOSchedulingClass=best-effort +IOSchedulingPriority=7 +IPAddressDeny=any +LockPersonality=yes +MemoryDenyWriteExecute=yes +NoNewPrivileges=yes +PrivateDevices=yes +PrivateNetwork=yes +PrivateTmp=yes +ProcSubset=pid +ProtectClock=yes +ProtectControlGroups=yes +ProtectHome=read-only +ProtectHostname=yes +ProtectKernelLogs=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +ProtectProc=invisible +ProtectSystem=strict +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictSUIDSGID=yes +RestrictRealtime=yes +SystemCallArchitectures=native +SystemCallFilter=@system-service +SystemCallFilter=~@resources +SystemCallFilter=~@privileged +UMask=0077 diff --git a/core/shadow/shadow.sysusers b/core/shadow/shadow.sysusers new file mode 100644 index 000000000..fc536aa20 --- /dev/null +++ b/core/shadow/shadow.sysusers @@ -0,0 +1 @@ +g groups - - diff --git a/core/shadow/shadow.timer b/core/shadow/shadow.timer new file mode 100644 index 000000000..9cc6baaa9 --- /dev/null +++ b/core/shadow/shadow.timer @@ -0,0 +1,7 @@ +[Unit] +Description=Daily verification of password and group files + +[Timer] +OnCalendar=daily +AccuracySec=12h +Persistent=true diff --git a/core/shadow/shadow.tmpfiles b/core/shadow/shadow.tmpfiles new file mode 100644 index 000000000..837b763b9 --- /dev/null +++ b/core/shadow/shadow.tmpfiles @@ -0,0 +1 @@ +z /usr/bin/groupmems 2710 root groups - - diff --git a/core/shadow/useradd.defaults b/core/shadow/useradd.defaults new file mode 100644 index 000000000..a2808876b --- /dev/null +++ b/core/shadow/useradd.defaults @@ -0,0 +1,27 @@ +# Default values for useradd(8) +# +# The SHELL variable specifies the default login shell on your +# system. +SHELL=/bin/bash + +# The default group for users +GROUP=users + +# The default home directory. +HOME=/home + +# The number of days after a password expires until the account is permanently +# disabled +INACTIVE=-1 + +# The default expire date +EXPIRE= + +# The SKEL variable specifies the directory containing "skeletal" user files; +# in other words, files such as a sample .profile that will be copied to the +# new user's home directory when it is created. +SKEL=/etc/skel + +# Defines whether the mail spool should be created while +# creating the account +CREATE_MAIL_SPOOL=no