From 080300e1e7dec7bb1a6297b5a4406e2c0be46048 Mon Sep 17 00:00:00 2001 From: Patrick J Volkerding Date: Fri, 7 Feb 2020 22:32:38 +0000 Subject: Fri Feb 7 22:32:38 UTC 2020 a/kernel-firmware-20200206_5351afe-noarch-1.txz: Upgraded. ap/ghostscript-9.50-x86_64-2.txz: Rebuilt. Recompiled against krb5-1.17.1. ap/gutenprint-5.3.3-x86_64-2.txz: Rebuilt. Recompiled against krb5-1.17.1. ap/nano-4.8-x86_64-1.txz: Upgraded. ap/screen-4.8.0-x86_64-1.txz: Upgraded. ap/vim-8.2.0224-x86_64-1.txz: Upgraded. d/cvs-1.11.23-x86_64-4.txz: Rebuilt. Recompiled against krb5-1.17.1. d/strace-5.5-x86_64-1.txz: Upgraded. kde/kdelibs-4.14.38-x86_64-6.txz: Rebuilt. Recompiled against krb5-1.17.1. l/gtk+2-2.24.32-x86_64-3.txz: Rebuilt. Recompiled against krb5-1.17.1. l/gtk+3-3.24.13-x86_64-2.txz: Rebuilt. Recompiled against krb5-1.17.1. l/libsoup-2.68.3-x86_64-2.txz: Rebuilt. Recompiled against krb5-1.17.1. l/libssh-0.9.3-x86_64-2.txz: Rebuilt. Recompiled against krb5-1.17.1. l/loudmouth-1.5.3-x86_64-4.txz: Rebuilt. Recompiled against krb5-1.17.1. l/neon-0.30.2-x86_64-2.txz: Rebuilt. Recompiled against krb5-1.17.1. n/cifs-utils-6.10-x86_64-2.txz: Rebuilt. Recompiled to build cifs.upcall. n/curl-7.68.0-x86_64-2.txz: Rebuilt. Recompiled against krb5-1.17.1. n/cyrus-sasl-2.1.27-x86_64-2.txz: Rebuilt. Recompiled against krb5-1.17.1. xap/vim-gvim-8.2.0224-x86_64-1.txz: Upgraded. --- source/a/libcgroup/libcgroup.SlackBuild | 12 +- source/a/shadow/doinst.sh | 23 +- source/a/shadow/login.defs | 422 --------------------- source/a/shadow/login.defs.pam | 287 ++++++++++++++ source/a/shadow/login.defs.shadow | 422 +++++++++++++++++++++ source/a/shadow/pam.d/chage | 4 + source/a/shadow/pam.d/chfn | 4 + source/a/shadow/pam.d/chgpasswd | 4 + source/a/shadow/pam.d/chpasswd | 4 + source/a/shadow/pam.d/chsh | 4 + source/a/shadow/pam.d/groupadd | 4 + source/a/shadow/pam.d/groupdel | 4 + source/a/shadow/pam.d/groupmems | 4 + source/a/shadow/pam.d/groupmod | 4 + source/a/shadow/pam.d/login | 11 + source/a/shadow/pam.d/newusers | 4 + source/a/shadow/pam.d/other | 6 + source/a/shadow/pam.d/passwd | 5 + source/a/shadow/pam.d/postlogin | 4 + source/a/shadow/pam.d/su | 11 + source/a/shadow/pam.d/su-l | 6 + source/a/shadow/pam.d/system-auth | 96 +++++ source/a/shadow/pam.d/useradd | 4 + source/a/shadow/pam.d/userdel | 4 + source/a/shadow/pam.d/usermod | 4 + source/a/shadow/shadow.SlackBuild | 55 ++- .../shadow.login.display.short.hostname.diff | 24 +- source/a/shadow/slack-desc | 12 +- source/a/util-linux/util-linux.SlackBuild | 13 +- 29 files changed, 1018 insertions(+), 443 deletions(-) delete mode 100644 source/a/shadow/login.defs create mode 100644 source/a/shadow/login.defs.pam create mode 100644 source/a/shadow/login.defs.shadow create mode 100644 source/a/shadow/pam.d/chage create mode 100644 source/a/shadow/pam.d/chfn create mode 100644 source/a/shadow/pam.d/chgpasswd create mode 100644 source/a/shadow/pam.d/chpasswd create mode 100644 source/a/shadow/pam.d/chsh create mode 100644 source/a/shadow/pam.d/groupadd create mode 100644 source/a/shadow/pam.d/groupdel create mode 100644 source/a/shadow/pam.d/groupmems create mode 100644 source/a/shadow/pam.d/groupmod create mode 100644 source/a/shadow/pam.d/login create mode 100644 source/a/shadow/pam.d/newusers create mode 100644 source/a/shadow/pam.d/other create mode 100644 source/a/shadow/pam.d/passwd create mode 100644 source/a/shadow/pam.d/postlogin create mode 100644 source/a/shadow/pam.d/su create mode 100644 source/a/shadow/pam.d/su-l create mode 100644 source/a/shadow/pam.d/system-auth create mode 100644 source/a/shadow/pam.d/useradd create mode 100644 source/a/shadow/pam.d/userdel create mode 100644 source/a/shadow/pam.d/usermod (limited to 'source/a') diff --git a/source/a/libcgroup/libcgroup.SlackBuild b/source/a/libcgroup/libcgroup.SlackBuild index 00fc2be8..e5ff9b4c 100755 --- a/source/a/libcgroup/libcgroup.SlackBuild +++ b/source/a/libcgroup/libcgroup.SlackBuild @@ -80,6 +80,15 @@ zcat $CWD/libcgroup.conf.diff.gz | patch -p1 --verbose || exit 1 # Apply combined patches from git, including for an infinate loop bug: zcat $CWD/libcgroup.loop.diff.gz | patch -p1 --verbose || exit 1 +# Choose correct options depending on whether PAM is installed: +if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then + PAM_OPTIONS="--enable-pam --enable-pam-module-dir=/lib/security" + unset SHADOW_OPTIONS +else + unset PAM_OPTIONS + SHADOW_OPTIONS="--disable-pam" +fi + chown -R root:root . find . \ \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \ @@ -97,7 +106,8 @@ CFLAGS="$SLKCFLAGS" \ --libdir=/usr/lib${LIBDIRSUFFIX} \ --mandir=/usr/man \ --infodir=/usr/info \ - --disable-pam \ + $PAM_OPTIONS \ + $SHADOW_OPTIONS \ --disable-static \ --build=$ARCH-slackware-linux || exit 1 diff --git a/source/a/shadow/doinst.sh b/source/a/shadow/doinst.sh index a7bf2ee4..ce3e8116 100644 --- a/source/a/shadow/doinst.sh +++ b/source/a/shadow/doinst.sh @@ -10,8 +10,29 @@ config() { # Otherwise, we leave the .new copy for the admin to consider... } +# First, check for PAM: +if [ -r etc/pam.d/login.new ]; then + # If there's an existing /etc/login.defs that contains an obsolete option + # intended for a non-pam system, rename it to back it up and allow the + # pam-enabled login.defs to be installed automatically: + if grep -q "^LASTLOG_ENAB" etc/login.defs 1> /dev/null 2> /dev/null ; then + mv etc/login.defs etc/login.defs.non-pam.backup + fi +else # Same thing, but in reverse for a non-pam system: + if ! grep -q "^LASTLOG_ENAB" etc/login.defs 1> /dev/null 2> /dev/null ; then + mv etc/login.defs etc/login.defs.pam.backup + fi +fi + config etc/default/useradd.new -config etc/login.access.new config etc/login.defs.new config var/log/faillog.new rm -f var/log/faillog.new +if [ -r etc/login.access.new ]; then + config etc/login.access.new +fi +for configfile in chage.new chfn.new chgpasswd.new chpasswd.new chsh.new groupadd.new groupdel.new groupmems.new groupmod.new login.new newusers.new other.new passwd.new postlogin.new su-l.new su.new system-auth.new useradd.new userdel.new usermod.new ; do + if [ -r etc/pam.d/$configfile ]; then + config etc/pam.d/$configfile + fi +done diff --git a/source/a/shadow/login.defs b/source/a/shadow/login.defs deleted file mode 100644 index 022dd36f..00000000 --- a/source/a/shadow/login.defs +++ /dev/null @@ -1,422 +0,0 @@ -# -# /etc/login.defs - Configuration control definitions for the shadow package. -# -# $Id: login.defs 3038 2009-07-23 20:41:35Z nekral-guest $ -# - -# -# Delay in seconds before being allowed another attempt after a login failure -# -FAIL_DELAY 3 - -# -# Enable logging and display of /var/log/faillog login failure info. -# -FAILLOG_ENAB yes - -# -# Enable display of unknown usernames when login failures are recorded. -# -LOG_UNKFAIL_ENAB no - -# -# Enable logging of successful logins -# -LOG_OK_LOGINS no - -# -# Enable logging and display of /var/log/lastlog login time info. -# -LASTLOG_ENAB yes - -# -# Limit the highest user ID number for which the lastlog entries should -# be updated. -# -# No LASTLOG_UID_MAX means that there is no user ID limit for writing -# lastlog entries. -# -#LASTLOG_UID_MAX - -# -# Enable checking and display of mailbox status upon login. -# -# Disable if the shell startup files already check for mail -# ("mailx -e" or equivalent). -# -MAIL_CHECK_ENAB yes - -# -# Enable additional checks upon password changes. -# -OBSCURE_CHECKS_ENAB yes - -# -# Enable checking of time restrictions specified in /etc/porttime. -# -PORTTIME_CHECKS_ENAB yes - -# -# Enable setting of ulimit, umask, and niceness from passwd gecos field. -# -QUOTAS_ENAB yes - -# -# Enable "syslog" logging of su activity - in addition to sulog file logging. -# SYSLOG_SG_ENAB does the same for newgrp and sg. -# -SYSLOG_SU_ENAB yes -SYSLOG_SG_ENAB yes - -# -# If defined, either full pathname of a file containing device names or -# a ":" delimited list of device names. Root logins will be allowed only -# upon these devices. -# -CONSOLE /etc/securetty -#CONSOLE console:tty01:tty02:tty03:tty04 - -# -# If defined, all su activity is logged to this file. -# -#SULOG_FILE /var/log/sulog - -# -# If defined, ":" delimited list of "message of the day" files to -# be displayed upon login. -# -MOTD_FILE /etc/motd -#MOTD_FILE /etc/motd:/usr/lib/news/news-motd - -# -# If defined, this file will be output before each login prompt. -# -#ISSUE_FILE /etc/issue - -# -# If defined, file which maps tty line to TERM environment parameter. -# Each line of the file is in a format something like "vt100 tty01". -# -#TTYTYPE_FILE /etc/ttytype - -# -# If defined, login failures will be logged here in a utmp format. -# last, when invoked as lastb, will read /var/log/btmp, so... -# -FTMP_FILE /var/log/btmp - -# -# If defined, name of file whose presence which will inhibit non-root -# logins. The contents of this file should be a message indicating -# why logins are inhibited. -# -NOLOGINS_FILE /etc/nologin - -# -# If defined, the command name to display when running "su -". For -# example, if this is defined as "su" then a "ps" will display the -# command is "-su". If not defined, then "ps" would display the -# name of the shell actually being run, e.g. something like "-sh". -# -SU_NAME su - -# -# *REQUIRED* -# Directory where mailboxes reside, _or_ name of file, relative to the -# home directory. If you _do_ define both, MAIL_DIR takes precedence. -# -MAIL_DIR /var/spool/mail -#MAIL_FILE .mail - -# -# If defined, file which inhibits all the usual chatter during the login -# sequence. If a full pathname, then hushed mode will be enabled if the -# user's name or shell are found in the file. If not a full pathname, then -# hushed mode will be enabled if the file exists in the user's home directory. -# -HUSHLOGIN_FILE .hushlogin -#HUSHLOGIN_FILE /etc/hushlogins - -# -# If defined, either a TZ environment parameter spec or the -# fully-rooted pathname of a file containing such a spec. -# -#ENV_TZ TZ=CST6CDT -#ENV_TZ /etc/tzname - -# -# If defined, an HZ environment parameter spec. -# -# for Linux/x86 -ENV_HZ HZ=100 -# For Linux/Alpha... -#ENV_HZ HZ=1024 - -# -# *REQUIRED* The default PATH settings, for superuser and normal users. -# -# (they are minimal, add the rest in the shell startup files) -ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin -ENV_PATH PATH=/usr/local/bin:/bin:/usr/bin - -# -# Terminal permissions -# -# TTYGROUP Login tty will be assigned this group ownership. -# TTYPERM Login tty will be set to this permission. -# -# If you have a "write" program which is "setgid" to a special group -# which owns the terminals, define TTYGROUP to the group number and -# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign -# TTYPERM to either 622 or 600. -# -TTYGROUP tty -TTYPERM 0620 - -# -# Login configuration initializations: -# -# ERASECHAR Terminal ERASE character ('\010' = backspace). -# KILLCHAR Terminal KILL character ('\025' = CTRL/U). -# ULIMIT Default "ulimit" value. -# -# The ERASECHAR and KILLCHAR are used only on System V machines. -# The ULIMIT is used only if the system supports it. -# (now it works with setrlimit too; ulimit is in 512-byte units) -# -# Prefix these values with "0" to get octal, "0x" to get hexadecimal. -# -ERASECHAR 0177 -KILLCHAR 025 -#ULIMIT 2097152 - -# -# Default initial "umask" value used by login(1) on non-PAM enabled systems. -# Default "umask" value for pam_umask(8) on PAM enabled systems. -# UMASK is also used by useradd(8) and newusers(8) to set the mode for new -# home directories if HOME_MODE is not set. -# 022 is the default value, but 027, or even 077, could be considered -# for increased privacy. There is no One True Answer here: each sysadmin -# must make up their mind. -UMASK 022 - -# -# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new -# home directories. -# If HOME_MODE is not set, the value of UMASK is used to create the mode. -#HOME_MODE 0700 - -# -# Password aging controls: -# -# PASS_MAX_DAYS Maximum number of days a password may be used. -# PASS_MIN_DAYS Minimum number of days allowed between password changes. -# PASS_MIN_LEN Minimum acceptable password length. -# PASS_WARN_AGE Number of days warning given before a password expires. -# -PASS_MAX_DAYS 99999 -PASS_MIN_DAYS 0 -PASS_MIN_LEN 5 -PASS_WARN_AGE 7 - -# -# If "yes", the user must be listed as a member of the first gid 0 group -# in /etc/group (called "root" on most Linux systems) to be able to "su" -# to uid 0 accounts. If the group doesn't exist or is empty, no one -# will be able to "su" to uid 0. -# -SU_WHEEL_ONLY no - -# -# If compiled with cracklib support, where are the dictionaries -# -#CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict - -# -# Min/max values for automatic uid selection in useradd -# -UID_MIN 1000 -UID_MAX 60000 -# System accounts -SYS_UID_MIN 101 -SYS_UID_MAX 999 - -# -# Min/max values for automatic gid selection in groupadd -# -GID_MIN 1000 -GID_MAX 60000 -# System accounts -SYS_GID_MIN 101 -SYS_GID_MAX 999 - -# -# Max number of login retries if password is bad -# -LOGIN_RETRIES 5 - -# -# Max time in seconds for login -# -LOGIN_TIMEOUT 60 - -# -# Maximum number of attempts to change password if rejected (too easy) -# -PASS_CHANGE_TRIES 5 - -# -# Warn about weak passwords (but still allow them) if you are root. -# -PASS_ALWAYS_WARN yes - -# -# Number of significant characters in the password for crypt(). -# Default is 8, don't change unless your crypt() is better. -# Ignored if MD5_CRYPT_ENAB set to "yes". -# -#PASS_MAX_LEN 8 - -# -# Require password before chfn/chsh can make any changes. -# -CHFN_AUTH yes - -# -# Which fields may be changed by regular users using chfn - use -# any combination of letters "frwh" (full name, room number, work -# phone, home phone). If not defined, no changes are allowed. -# For backward compatibility, "yes" = "rwh" and "no" = "frwh". -# -CHFN_RESTRICT frwh - -# -# Password prompt (%s will be replaced by user name). -# -# XXX - it doesn't work correctly yet, for now leave it commented out -# to use the default which is just "Password: ". -#LOGIN_STRING "%s's Password: " - -# -# Only works if compiled with MD5_CRYPT defined: -# If set to "yes", new passwords will be encrypted using the MD5-based -# algorithm compatible with the one used by recent releases of FreeBSD. -# It supports passwords of unlimited length and longer salt strings. -# Set to "no" if you need to copy encrypted passwords to other systems -# which don't understand the new algorithm. Default is "no". -# -# This variable is deprecated. You should use ENCRYPT_METHOD. -# -#MD5_CRYPT_ENAB no - -# -# Only works if compiled with ENCRYPTMETHOD_SELECT defined: -# If set to MD5 , MD5-based algorithm will be used for encrypting password -# If set to SHA256, SHA256-based algorithm will be used for encrypting password -# If set to SHA512, SHA512-based algorithm will be used for encrypting password -# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password -# If set to DES, DES-based algorithm will be used for encrypting password (default) -# Overrides the MD5_CRYPT_ENAB option -# -ENCRYPT_METHOD SHA256 - -# -# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. -# -# Define the number of SHA rounds. -# With a lot of rounds, it is more difficult to brute forcing the password. -# But note also that it more CPU resources will be needed to authenticate -# users. -# -# If not specified, the libc will choose the default number of rounds (5000). -# The values must be inside the 1000-999999999 range. -# If only one of the MIN or MAX values is set, then this value will be used. -# If MIN > MAX, the highest value will be used. -# -#SHA_CRYPT_MIN_ROUNDS 5000 -#SHA_CRYPT_MAX_ROUNDS 5000 - -# -# Only works if ENCRYPT_METHOD is set to BCRYPT. -# -# Define the number of BCRYPT rounds. -# With a lot of rounds, it is more difficult to brute-force the password. -# However, more CPU resources will be needed to authenticate users if -# this value is increased. -# -# If not specified, 13 rounds will be attempted. -# If only one of the MIN or MAX values is set, then this value will be used. -# If MIN > MAX, the highest value will be used. -# -#BCRYPT_MIN_ROUNDS 13 -#BCRYPT_MAX_ROUNDS 13 - -# -# List of groups to add to the user's supplementary group set -# when logging in on the console (as determined by the CONSOLE -# setting). Default is none. -# -# Use with caution - it is possible for users to gain permanent -# access to these groups, even when not logged in on the console. -# How to do it is left as an exercise for the reader... -# -# Most of these groups are self-explanatory, but in the case of -# "lp", it is because group lp is needed to use a scanner that -# is part of a multifunction printer. -# -# Note that users are added to these default groups only when -# logging into a shell with /bin/login, not when using a login -# manager such as kdm. In that case, users who should have -# hardware access must be added to the appropriate groups -# when the user is added with adduser or useradd, or by editing -# /etc/group directly, preferably using "vigr" -# -CONSOLE_GROUPS floppy:audio:cdrom:video:lp:scanner - -# -# Should login be allowed if we can't cd to the home directory? -# Default in no. -# -DEFAULT_HOME yes - -# -# If this file exists and is readable, login environment will be -# read from it. Every line should be in the form name=value. -# -ENVIRON_FILE /etc/environment - -# -# If defined, this command is run when removing a user. -# It should remove any at/cron/print jobs etc. owned by -# the user to be removed (passed as the first argument). -# -#USERDEL_CMD /usr/sbin/userdel_local - -# -# Enable setting of the umask group bits to be the same as owner bits -# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is -# the same as gid, and username is the same as the primary group name. -# -# This also enables userdel to remove user groups if no members exist. -# -USERGROUPS_ENAB yes - -# -# If set to a non-nul number, the shadow utilities will make sure that -# groups never have more than this number of users on one line. -# This permit to support split groups (groups split into multiple lines, -# with the same group ID, to avoid limitation of the line length in the -# group file). -# -# 0 is the default value and disables this feature. -# -#MAX_MEMBERS_PER_GROUP 0 - -# -# If useradd should create home directories for users by default (non -# system users only) -# This option is overridden with the -M or -m flags on the useradd command -# line. -# -#CREATE_HOME yes - diff --git a/source/a/shadow/login.defs.pam b/source/a/shadow/login.defs.pam new file mode 100644 index 00000000..cc15db6a --- /dev/null +++ b/source/a/shadow/login.defs.pam @@ -0,0 +1,287 @@ +# +# /etc/login.defs - Configuration control definitions for the shadow package. +# +# $Id: login.defs 3038 2009-07-23 20:41:35Z nekral-guest $ +# + +# +# Delay in seconds before being allowed another attempt after a login failure +# +FAIL_DELAY 3 + +# +# Enable display of unknown usernames when login failures are recorded. +# +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +CONSOLE /etc/securetty +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# *REQUIRED* +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define both, MAIL_DIR takes precedence. +# +MAIL_DIR /var/spool/mail +#MAIL_FILE .mail + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin +ENV_PATH PATH=/usr/local/bin:/bin:/usr/bin + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +TTYGROUP tty +TTYPERM 0620 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# (now it works with setrlimit too; ulimit is in 512-byte units) +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 + +# +# Default initial "umask" value used by login(1) on non-PAM enabled systems. +# Default "umask" value for pam_umask(8) on PAM enabled systems. +# UMASK is also used by useradd(8) and newusers(8) to set the mode for new +# home directories if HOME_MODE is not set. +# 022 is the default value, but 027, or even 077, could be considered +# for increased privacy. There is no One True Answer here: each sysadmin +# must make up their mind. +UMASK 022 + +# +# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new +# home directories. +# If HOME_MODE is not set, the value of UMASK is used to create the mode. +#HOME_MODE 0700 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +SYS_UID_MIN 101 +SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +SYS_GID_MIN 101 +SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT frwh + +# +# Only works if compiled with MD5_CRYPT defined: +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# Only works if compiled with ENCRYPTMETHOD_SELECT defined: +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +ENCRYPT_METHOD SHA256 + +# +# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +#SHA_CRYPT_MIN_ROUNDS 5000 +#SHA_CRYPT_MAX_ROUNDS 5000 + +# +# Only works if ENCRYPT_METHOD is set to BCRYPT. +# +# Define the number of BCRYPT rounds. +# With a lot of rounds, it is more difficult to brute-force the password. +# However, more CPU resources will be needed to authenticate users if +# this value is increased. +# +# If not specified, 13 rounds will be attempted. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +#BCRYPT_MIN_ROUNDS 13 +#BCRYPT_MAX_ROUNDS 13 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# Most of these groups are self-explanatory, but in the case of +# "lp", it is because group lp is needed to use a scanner that +# is part of a multifunction printer. +# +# Note that users are added to these default groups only when +# logging into a shell with /bin/login, not when using a login +# manager such as kdm. In that case, users who should have +# hardware access must be added to the appropriate groups +# when the user is added with adduser or useradd, or by editing +# /etc/group directly, preferably using "vigr" +# +CONSOLE_GROUPS floppy:audio:cdrom:video:lp:scanner + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# Enable setting of the umask group bits to be the same as owner bits +# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is +# the same as gid, and username is the same as the primary group name. +# +# This also enables userdel to remove user groups if no members exist. +# +USERGROUPS_ENAB yes + +# +# If set to a non-nul number, the shadow utilities will make sure that +# groups never have more than this number of users on one line. +# This permit to support split groups (groups split into multiple lines, +# with the same group ID, to avoid limitation of the line length in the +# group file). +# +# 0 is the default value and disables this feature. +# +#MAX_MEMBERS_PER_GROUP 0 + +# +# If useradd should create home directories for users by default (non +# system users only) +# This option is overridden with the -M or -m flags on the useradd command +# line. +# +#CREATE_HOME yes + diff --git a/source/a/shadow/login.defs.shadow b/source/a/shadow/login.defs.shadow new file mode 100644 index 00000000..022dd36f --- /dev/null +++ b/source/a/shadow/login.defs.shadow @@ -0,0 +1,422 @@ +# +# /etc/login.defs - Configuration control definitions for the shadow package. +# +# $Id: login.defs 3038 2009-07-23 20:41:35Z nekral-guest $ +# + +# +# Delay in seconds before being allowed another attempt after a login failure +# +FAIL_DELAY 3 + +# +# Enable logging and display of /var/log/faillog login failure info. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable logging and display of /var/log/lastlog login time info. +# +LASTLOG_ENAB yes + +# +# Limit the highest user ID number for which the lastlog entries should +# be updated. +# +# No LASTLOG_UID_MAX means that there is no user ID limit for writing +# lastlog entries. +# +#LASTLOG_UID_MAX + +# +# Enable checking and display of mailbox status upon login. +# +# Disable if the shell startup files already check for mail +# ("mailx -e" or equivalent). +# +MAIL_CHECK_ENAB yes + +# +# Enable additional checks upon password changes. +# +OBSCURE_CHECKS_ENAB yes + +# +# Enable checking of time restrictions specified in /etc/porttime. +# +PORTTIME_CHECKS_ENAB yes + +# +# Enable setting of ulimit, umask, and niceness from passwd gecos field. +# +QUOTAS_ENAB yes + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +CONSOLE /etc/securetty +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, ":" delimited list of "message of the day" files to +# be displayed upon login. +# +MOTD_FILE /etc/motd +#MOTD_FILE /etc/motd:/usr/lib/news/news-motd + +# +# If defined, this file will be output before each login prompt. +# +#ISSUE_FILE /etc/issue + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format. +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, name of file whose presence which will inhibit non-root +# logins. The contents of this file should be a message indicating +# why logins are inhibited. +# +NOLOGINS_FILE /etc/nologin + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# *REQUIRED* +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define both, MAIL_DIR takes precedence. +# +MAIL_DIR /var/spool/mail +#MAIL_FILE .mail + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# If defined, either a TZ environment parameter spec or the +# fully-rooted pathname of a file containing such a spec. +# +#ENV_TZ TZ=CST6CDT +#ENV_TZ /etc/tzname + +# +# If defined, an HZ environment parameter spec. +# +# for Linux/x86 +ENV_HZ HZ=100 +# For Linux/Alpha... +#ENV_HZ HZ=1024 + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin +ENV_PATH PATH=/usr/local/bin:/bin:/usr/bin + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +TTYGROUP tty +TTYPERM 0620 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# ULIMIT Default "ulimit" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# The ULIMIT is used only if the system supports it. +# (now it works with setrlimit too; ulimit is in 512-byte units) +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +#ULIMIT 2097152 + +# +# Default initial "umask" value used by login(1) on non-PAM enabled systems. +# Default "umask" value for pam_umask(8) on PAM enabled systems. +# UMASK is also used by useradd(8) and newusers(8) to set the mode for new +# home directories if HOME_MODE is not set. +# 022 is the default value, but 027, or even 077, could be considered +# for increased privacy. There is no One True Answer here: each sysadmin +# must make up their mind. +UMASK 022 + +# +# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new +# home directories. +# If HOME_MODE is not set, the value of UMASK is used to create the mode. +#HOME_MODE 0700 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_MIN_LEN Minimum acceptable password length. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_MIN_LEN 5 +PASS_WARN_AGE 7 + +# +# If "yes", the user must be listed as a member of the first gid 0 group +# in /etc/group (called "root" on most Linux systems) to be able to "su" +# to uid 0 accounts. If the group doesn't exist or is empty, no one +# will be able to "su" to uid 0. +# +SU_WHEEL_ONLY no + +# +# If compiled with cracklib support, where are the dictionaries +# +#CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +SYS_UID_MIN 101 +SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +SYS_GID_MIN 101 +SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Maximum number of attempts to change password if rejected (too easy) +# +PASS_CHANGE_TRIES 5 + +# +# Warn about weak passwords (but still allow them) if you are root. +# +PASS_ALWAYS_WARN yes + +# +# Number of significant characters in the password for crypt(). +# Default is 8, don't change unless your crypt() is better. +# Ignored if MD5_CRYPT_ENAB set to "yes". +# +#PASS_MAX_LEN 8 + +# +# Require password before chfn/chsh can make any changes. +# +CHFN_AUTH yes + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT frwh + +# +# Password prompt (%s will be replaced by user name). +# +# XXX - it doesn't work correctly yet, for now leave it commented out +# to use the default which is just "Password: ". +#LOGIN_STRING "%s's Password: " + +# +# Only works if compiled with MD5_CRYPT defined: +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# Only works if compiled with ENCRYPTMETHOD_SELECT defined: +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +ENCRYPT_METHOD SHA256 + +# +# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +#SHA_CRYPT_MIN_ROUNDS 5000 +#SHA_CRYPT_MAX_ROUNDS 5000 + +# +# Only works if ENCRYPT_METHOD is set to BCRYPT. +# +# Define the number of BCRYPT rounds. +# With a lot of rounds, it is more difficult to brute-force the password. +# However, more CPU resources will be needed to authenticate users if +# this value is increased. +# +# If not specified, 13 rounds will be attempted. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +#BCRYPT_MIN_ROUNDS 13 +#BCRYPT_MAX_ROUNDS 13 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# Most of these groups are self-explanatory, but in the case of +# "lp", it is because group lp is needed to use a scanner that +# is part of a multifunction printer. +# +# Note that users are added to these default groups only when +# logging into a shell with /bin/login, not when using a login +# manager such as kdm. In that case, users who should have +# hardware access must be added to the appropriate groups +# when the user is added with adduser or useradd, or by editing +# /etc/group directly, preferably using "vigr" +# +CONSOLE_GROUPS floppy:audio:cdrom:video:lp:scanner + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If this file exists and is readable, login environment will be +# read from it. Every line should be in the form name=value. +# +ENVIRON_FILE /etc/environment + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# Enable setting of the umask group bits to be the same as owner bits +# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is +# the same as gid, and username is the same as the primary group name. +# +# This also enables userdel to remove user groups if no members exist. +# +USERGROUPS_ENAB yes + +# +# If set to a non-nul number, the shadow utilities will make sure that +# groups never have more than this number of users on one line. +# This permit to support split groups (groups split into multiple lines, +# with the same group ID, to avoid limitation of the line length in the +# group file). +# +# 0 is the default value and disables this feature. +# +#MAX_MEMBERS_PER_GROUP 0 + +# +# If useradd should create home directories for users by default (non +# system users only) +# This option is overridden with the -M or -m flags on the useradd command +# line. +# +#CREATE_HOME yes + diff --git a/source/a/shadow/pam.d/chage b/source/a/shadow/pam.d/chage new file mode 100644 index 00000000..8f49f5cc --- /dev/null +++ b/source/a/shadow/pam.d/chage @@ -0,0 +1,4 @@ +#%PAM-1.0 +auth sufficient pam_rootok.so +account required pam_permit.so +password include system-auth diff --git a/source/a/shadow/pam.d/chfn b/source/a/shadow/pam.d/chfn new file mode 100644 index 00000000..8f49f5cc --- /dev/null +++ b/source/a/shadow/pam.d/chfn @@ -0,0 +1,4 @@ +#%PAM-1.0 +auth sufficient pam_rootok.so +account required pam_permit.so +password include system-auth diff --git a/source/a/shadow/pam.d/chgpasswd b/source/a/shadow/pam.d/chgpasswd new file mode 100644 index 00000000..8f49f5cc --- /dev/null +++ b/source/a/shadow/pam.d/chgpasswd @@ -0,0 +1,4 @@ +#%PAM-1.0 +auth sufficient pam_rootok.so +account required pam_permit.so +password include system-auth diff --git a/source/a/shadow/pam.d/chpasswd b/source/a/shadow/pam.d/chpasswd new file mode 100644 index 00000000..8f49f5cc --- /dev/null +++ b/source/a/shadow/pam.d/chpasswd @@ -0,0 +1,4 @@ +#%PAM-1.0 +auth sufficient pam_rootok.so +account required pam_permit.so +password include system-auth diff --git a/source/a/shadow/pam.d/chsh b/source/a/shadow/pam.d/chsh new file mode 100644 index 00000000..8f49f5cc --- /dev/null +++ b/source/a/shadow/pam.d/chsh @@ -0,0 +1,4 @@ +#%PAM-1.0 +auth sufficient pam_rootok.so +account required pam_permit.so +password include system-auth diff --git a/source/a/shadow/pam.d/groupadd b/source/a/shadow/pam.d/groupadd new file mode 100644 index 00000000..8f49f5cc --- /dev/null +++ b/source/a/shadow/pam.d/groupadd @@ -0,0 +1,4 @@ +#%PAM-1.0 +auth sufficient pam_rootok.so +account required pam_permit.so +password include system-auth diff --git a/source/a/shadow/pam.d/groupdel b/source/a/shadow/pam.d/groupdel new file mode 100644 index 00000000..8f49f5cc --- /dev/null +++ b/source/a/shadow/pam.d/groupdel @@ -0,0 +1,4 @@ +#%PAM-1.0 +auth sufficient pam_rootok.so +account required pam_permit.so +password include system-auth diff --git a/source/a/shadow/pam.d/groupmems b/source/a/shadow/pam.d/groupmems new file mode 100644 index 00000000..8f49f5cc --- /dev/null +++ b/source/a/shadow/pam.d/groupmems @@ -0,0 +1,4 @@ +#%PAM-1.0 +auth sufficient pam_rootok.so +account required pam_permit.so +password include system-auth diff --git a/source/a/shadow/pam.d/groupmod b/source/a/shadow/pam.d/groupmod new file mode 100644 index 00000000..8f49f5cc --- /dev/null +++ b/source/a/shadow/pam.d/groupmod @@ -0,0 +1,4 @@ +#%PAM-1.0 +auth sufficient pam_rootok.so +account required pam_permit.so +password include system-auth diff --git a/source/a/shadow/pam.d/login b/source/a/shadow/pam.d/login new file mode 100644 index 00000000..eb312199 --- /dev/null +++ b/source/a/shadow/pam.d/login @@ -0,0 +1,11 @@ +#%PAM-1.0 +auth required pam_securetty.so +auth include system-auth +auth include postlogin +account required pam_nologin.so +account include system-auth +password include system-auth +session include system-auth +session include postlogin +session required pam_loginuid.so +session optional pam_ck_connector.so nox11 diff --git a/source/a/shadow/pam.d/newusers b/source/a/shadow/pam.d/newusers new file mode 100644 index 00000000..8f49f5cc --- /dev/null +++ b/source/a/shadow/pam.d/newusers @@ -0,0 +1,4 @@ +#%PAM-1.0 +auth sufficient pam_rootok.so +account required pam_permit.so +password include system-auth diff --git a/source/a/shadow/pam.d/other b/source/a/shadow/pam.d/other new file mode 100644 index 00000000..57282493 --- /dev/null +++ b/source/a/shadow/pam.d/other @@ -0,0 +1,6 @@ +#%PAM-1.0 + +auth include system-auth +account include system-auth +password include system-auth +session include system-auth diff --git a/source/a/shadow/pam.d/passwd b/source/a/shadow/pam.d/passwd new file mode 100644 index 00000000..67f8ff54 --- /dev/null +++ b/source/a/shadow/pam.d/passwd @@ -0,0 +1,5 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session include system-auth diff --git a/source/a/shadow/pam.d/postlogin b/source/a/shadow/pam.d/postlogin new file mode 100644 index 00000000..9777b897 --- /dev/null +++ b/source/a/shadow/pam.d/postlogin @@ -0,0 +1,4 @@ +#%PAM-1.0 +session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet +session [default=1] pam_lastlog.so nowtmp showfailed +session optional pam_lastlog.so silent noupdate showfailed diff --git a/source/a/shadow/pam.d/su b/source/a/shadow/pam.d/su new file mode 100644 index 00000000..c7c81487 --- /dev/null +++ b/source/a/shadow/pam.d/su @@ -0,0 +1,11 @@ +#%PAM-1.0 +auth sufficient pam_rootok.so +# Uncomment the following line to implicitly trust users in the "wheel" group. +#auth sufficient pam_wheel.so trust use_uid +# Uncomment the following line to require a user to be in the "wheel" group. +#auth required pam_wheel.so use_uid +auth include system-auth +account include system-auth +password include system-auth +session include system-auth +session optional pam_xauth.so diff --git a/source/a/shadow/pam.d/su-l b/source/a/shadow/pam.d/su-l new file mode 100644 index 00000000..656a139a --- /dev/null +++ b/source/a/shadow/pam.d/su-l @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include su +account include su +password include su +session optional pam_keyinit.so force revoke +session include su diff --git a/source/a/shadow/pam.d/system-auth b/source/a/shadow/pam.d/system-auth new file mode 100644 index 00000000..5fa10c80 --- /dev/null +++ b/source/a/shadow/pam.d/system-auth @@ -0,0 +1,96 @@ +#%PAM-1.0 +# +# Most of these PAM modules have man pages included, like +# PAM_UNIX(8) for example. +# + +################## +# Authentication # +################## +# +# To set a limit on failed authentications, the tallying modules +# can be enabled. +# +auth required pam_env.so +auth required pam_tally2.so +# +auth sufficient pam_unix.so likeauth nullok +auth required pam_deny.so +auth optional pam_gnome_keyring.so + +################## +# Account checks # +################## +# +# Only root can login if file /etc/nologin exists. +# This is equivalent to NOLOGINS_FILE on login.defs +# +account required pam_nologin.so +# +# Enable restrictions by time, specified in /etc/security/time.conf +# This is equivalent to PORTTIME_CHECKS_ENAB on login.defs +# +account required pam_time.so +account required pam_unix.so +account sufficient pam_succeed_if.so uid < 100 quiet +account required pam_permit.so + +##################### +# Password handling # +##################### +# +# If you have CrackLib installed and enabled +# +# Passwords will be checked against a huge dictionary and need to +# have at least 6 characters (cracklib can't use 5). Some options +# of cracklib modules are: +# +# difok Number of characters that needs to be different +# between old and new characters +# minlen Password minimal length +# retry How many times the user can try bad new passwords +# dcredit,ocredit,ucredit,lcredit +# Digiti, Others, Uppercase, Lowercase characters +# Positive numbers marks the max number of credits given +# by one character class. With dcredit=5 and minlen=6, you +# can't use a full numeric password because more than 5 +# digit characters doesn't count credits to achieve the +# minimal length +# Negative numbers determine that a password needs to have +# at least N characters +# +# You can see many other pam_cracklib options at pam_cracklib(8) manpage +# +# Also, the "use_authtok" option for pam_unix is for working with pam_cracklib +# in sharing the password stack. See pam_unix(8) for more details. +# +# If you need to use CrackLib to enforce your passwords, uncomment +# two statements: +#password requisite pam_cracklib.so retry=3 minlen=6 \ +# difok=1 dcredit=5 ocredit=5 ucredit=5 lcredit=5 +#password sufficient pam_unix.so nullok sha512 shadow minlen=6 try_first_pass use_authtok +# +# -- +# A less intense option for cracklib, is: +#password requisite pam_cracklib.so retry=3 +#password sufficient pam_unix.so nullok sha512 shadow minlen=6 try_first_pass use_authtok +# -- +# The default is the "traditional" way without CrackLib. +# Passwords need to have at least 8 characters. If you are using Cracklib, +# please comment the next statement. +password sufficient pam_unix.so nullok sha512 shadow minlen=8 + +# ATTENTION: keep the line for pam_deny.so +password required pam_deny.so + +######################### +# Session Configuration # +######################### +# +# This applies the limits specified in /etc/security/limits.conf +# +session required pam_limits.so +session required pam_unix.so +#session required pam_lastlog.so showfailed +#session optional pam_mail.so standard +session optional pam_gnome_keyring.so auto_start diff --git a/source/a/shadow/pam.d/useradd b/source/a/shadow/pam.d/useradd new file mode 100644 index 00000000..8f49f5cc --- /dev/null +++ b/source/a/shadow/pam.d/useradd @@ -0,0 +1,4 @@ +#%PAM-1.0 +auth sufficient pam_rootok.so +account required pam_permit.so +password include system-auth diff --git a/source/a/shadow/pam.d/userdel b/source/a/shadow/pam.d/userdel new file mode 100644 index 00000000..8f49f5cc --- /dev/null +++ b/source/a/shadow/pam.d/userdel @@ -0,0 +1,4 @@ +#%PAM-1.0 +auth sufficient pam_rootok.so +account required pam_permit.so +password include system-auth diff --git a/source/a/shadow/pam.d/usermod b/source/a/shadow/pam.d/usermod new file mode 100644 index 00000000..8f49f5cc --- /dev/null +++ b/source/a/shadow/pam.d/usermod @@ -0,0 +1,4 @@ +#%PAM-1.0 +auth sufficient pam_rootok.so +account required pam_permit.so +password include system-auth diff --git a/source/a/shadow/shadow.SlackBuild b/source/a/shadow/shadow.SlackBuild index 4264a24d..360da370 100755 --- a/source/a/shadow/shadow.SlackBuild +++ b/source/a/shadow/shadow.SlackBuild @@ -51,12 +51,16 @@ PKG=$TMP/package-shadow if [ "$ARCH" = "i586" ]; then SLKCFLAGS="-O2 -march=i586 -mtune=i686" + LIBDIRSUFFIX="" elif [ "$ARCH" = "s390" ]; then SLKCFLAGS="-O2" + LIBDIRSUFFIX="" elif [ "$ARCH" = "x86_64" ]; then SLKCFLAGS="-O2 -fPIC" + LIBDIRSUFFIX="64" else SLKCFLAGS="-O2" + LIBDIRSUFFIX="" fi rm -rf $PKG @@ -66,6 +70,15 @@ rm -rf shadow-$VERSION tar xvf $CWD/shadow-$VERSION.tar.xz || exit 1 cd shadow-$VERSION +# Choose correct options depending on whether PAM is installed: +if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then + PAM_OPTIONS="--with-libpam" + unset SHADOW_OPTIONS +else + unset PAM_OPTIONS + SHADOW_OPTIONS="--enable-shadowgrp --without-libcrack" +fi + # Apply some patches taken from the svn trunk that # fix some of the more serious bugs in 4.1.4.3: for patch in $CWD/patches/*.diff.gz ; do @@ -109,7 +122,8 @@ CFLAGS="$SLKCFLAGS" \ --enable-man \ --enable-subordinate-ids \ --disable-shared \ - --without-libcrack \ + $SHADOW_OPTIONS \ + $PAM_OPTIONS \ --build=$ARCH-slackware-linux # --enable-utmpx # defaults to 'no' @@ -134,16 +148,42 @@ mkdir -p $PKG/bin $PKG/sbin ) mv $PKG/usr/sbin/nologin $PKG/sbin/nologin +if [ ! -z "$PAM_OPTIONS" ]; then + # Don't ship the login utilities. We'll be using the ones from util-linux: + for file in /bin/login /bin/su /sbin/runuser /usr/bin/chfn /usr/bin/chsh \ + /usr/man/man1/chfn.1.gz /usr/man/man1/chsh.1.gz /usr/man/man1/login.1.gz \ + /usr/man/man1/runuser.1.gz /usr/man/man1/su.1.gz \ + /usr/share/bash-completion/completions/chfn \ + /usr/share/bash-completion/completions/chsh \ + /usr/share/bash-completion/completions/su ; do + rm -f $PKG${file} + done + # Install config files in /etc/pam.d/. We'll use our own copies... I'm not + # sure that I trust upstream enough to let them handle this stuff. + rm -rf $PKG/etc/pam.d + mkdir -p $PKG/etc/pam.d + for file in $CWD/pam.d/* ; do + cp -a ${file} $PKG/etc/pam.d/ + done + # Ensure correct perms/ownership on files in /etc/pam.d/: + chown root:root $PKG/etc/pam.d/* + chmod 644 $PKG/etc/pam.d/* + # Don't clobber existing config files: + find $PKG/etc/pam.d -type f -exec mv {} {}.new \; + # Install a login.defs with unsurprising defaults: + rm -f $PKG/etc/login.defs + zcat $CWD/login.defs.pam.gz > $PKG/etc/login.defs.new +else # not using PAM + mv $PKG/etc/login.access $PKG/etc/login.access.new + # Install a login.defs with unsurprising defaults: + rm -f $PKG/etc/login.defs + zcat $CWD/login.defs.shadow.gz > $PKG/etc/login.defs.new +fi + # /bin/groups is provided by coreutils. rm -f $PKG/bin/groups find $PKG -name groups.1 -exec rm {} \+ -# Install a login.defs with unsurprising defaults: -rm -f $PKG/etc/login.defs -zcat $CWD/login.defs.gz > $PKG/etc/login.defs.new - -mv $PKG/etc/login.access $PKG/etc/login.access.new - # I don't think this works well enough to recommend it. #mv $PKG/etc/limits $PKG/etc/limits.new rm -f $PKG/etc/limits @@ -197,4 +237,3 @@ zcat $CWD/doinst.sh.gz > $PKG/install/doinst.sh cd $PKG /sbin/makepkg -l y -c n $TMP/shadow-$VERSION-$ARCH-$BUILD.txz - diff --git a/source/a/shadow/shadow.login.display.short.hostname.diff b/source/a/shadow/shadow.login.display.short.hostname.diff index ad5c3eba..53a22f8b 100644 --- a/source/a/shadow/shadow.login.display.short.hostname.diff +++ b/source/a/shadow/shadow.login.display.short.hostname.diff @@ -1,5 +1,6 @@ ---- ./libmisc/loginprompt.c.orig 2014-03-01 12:59:51.000000000 -0600 -+++ ./libmisc/loginprompt.c 2017-11-21 18:17:27.492000123 -0600 +diff -u -r --new-file shadow-4.8.1.orig/libmisc/loginprompt.c shadow-4.8.1/libmisc/loginprompt.c +--- shadow-4.8.1.orig/libmisc/loginprompt.c 2019-07-23 10:26:08.000000000 -0500 ++++ shadow-4.8.1/libmisc/loginprompt.c 2020-02-06 17:29:43.386954096 -0600 @@ -99,6 +99,15 @@ } } @@ -16,3 +17,22 @@ printf (prompt, buf); (void) fflush (stdout); } +diff -u -r --new-file shadow-4.8.1.orig/src/login.c shadow-4.8.1/src/login.c +--- shadow-4.8.1.orig/src/login.c 2020-01-12 07:58:49.000000000 -0600 ++++ shadow-4.8.1/src/login.c 2020-02-06 17:29:33.191954722 -0600 +@@ -761,6 +761,15 @@ + + /* Make the login prompt look like we want it */ + if (gethostname (hostn, sizeof (hostn)) == 0) { ++ /* Trim away everything after the first '.': */ ++ int i = 0; ++ while (hostn[i] != '\0' && i < sizeof(hostn) - 1) { ++ if (hostn[i] == '.') { ++ hostn[i] = '\0'; ++ break; ++ } ++ i++; ++ } + snprintf (loginprompt, + sizeof (loginprompt), + _("%s login: "), hostn); diff --git a/source/a/shadow/slack-desc b/source/a/shadow/slack-desc index 7263ee77..cb249741 100644 --- a/source/a/shadow/slack-desc +++ b/source/a/shadow/slack-desc @@ -8,12 +8,12 @@ |-----handy-ruler------------------------------------------------------| shadow: shadow (shadow password suite) shadow: -shadow: This set of login related programs utilizes an alternate, non-readable -shadow: file to contain the actual encrypted passwords. This is presumed to -shadow: increase system security by increasing the difficulty with which -shadow: system crackers obtain encrypted passwords. It was written by -shadow: Julianne Frances Haugh and the Linux port is maintained by Tomasz -shadow: Kloczko. +shadow: This package includes the necessary programs for handling account +shadow: information in the shadow password format, plus programs for managing +shadow: user and group accounts. It was written by Julianne Frances Haugh and +shadow: the Linux port is maintained by Tomasz Kloczko. shadow: shadow: Homepage: https://github.com/shadow-maint/shadow shadow: +shadow: +shadow: diff --git a/source/a/util-linux/util-linux.SlackBuild b/source/a/util-linux/util-linux.SlackBuild index 8d6ff21c..662eb75c 100755 --- a/source/a/util-linux/util-linux.SlackBuild +++ b/source/a/util-linux/util-linux.SlackBuild @@ -82,6 +82,13 @@ find . \ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \ -exec chmod 644 {} \+ +# Choose correct options depending on whether PAM is installed: +if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then + LOGIN_OPTIONS="" +else + LOGIN_OPTIONS="--disable-login" +fi + # Changing the fdisk -l output (this was done prior to util-linux-ng) broke # our installation scripts, so we have changed the name of partition type # 83 back to "Linux swap": @@ -119,7 +126,7 @@ configure_with_python(){ --enable-pg \ --enable-raw \ --enable-rename \ - --disable-login \ + $LOGIN_OPTIONS \ --enable-schedutils \ --enable-wall \ --enable-write \ @@ -136,13 +143,13 @@ CFLAGS="$SLKCFLAGS" \ configure_with_python 2 || exit 1 make $NUMJOBS || make || exit 1 -make install DESTDIR=$PKG || exit 1 +make install $NUMJOBS DESTDIR=$PKG || exit 1 # Build python3 bindings for libmount: make clean CFLAGS="$SLKCFLAGS" \ configure_with_python 3 || exit 1 -make \ +make $NUMJOBS \ install-pylibmountexecLTLIBRARIES \ install-pylibmountexecPYTHON \ DESTDIR=$PKG || exit 1 -- cgit v1.2.3