authorV3n3RiX <venerix@redcorelinux.org>2018-05-25 15:22:17 +0100
committerV3n3RiX <venerix@redcorelinux.org>2018-05-25 15:22:17 +0100
commit22910f5d14da606bd7f06e19a2f61c5d1a8fc94b (patch)
tree808b5701901fb54b53ec3ecf6f33272e933f3ea6 /sys-apps/shadow
parent91c0ec2d7067f6ab1ef578bd9967b32ca07eb502 (diff)
gentoo resync : 25.05.2018
Diffstat (limited to 'sys-apps/shadow')
-rw-r--r--sys-apps/shadow/Manifest6
-rw-r--r--sys-apps/shadow/files/shadow-4.5-CVE-2018-7169.patch180
-rw-r--r--sys-apps/shadow/shadow-4.5-r1.ebuild212
-rw-r--r--sys-apps/shadow/shadow-4.5.ebuild209
-rw-r--r--sys-apps/shadow/shadow-4.6.ebuild2
5 files changed, 2 insertions, 607 deletions
diff --git a/sys-apps/shadow/Manifest b/sys-apps/shadow/Manifest
index 41b272e8a1ca..6628ec50e66d 100644
--- a/sys-apps/shadow/Manifest
+++ b/sys-apps/shadow/Manifest
@@ -2,10 +2,6 @@ AUX default/useradd 96 BLAKE2B 64b694bdff7f901e19ac21695e3b2eebeb5a03683be5a01e3
AUX pam.d-include/passwd 144 BLAKE2B 95e159c70416218950ad5cdc41c83b52f8d2ec042d35c9908ca400bd57dcb234fb7691aa2a5a7646a379553aa6dee0dd96ee569aa492d7f20774e991a90f8602 SHA512 31611a08d97cd2c129f18d451a555ff6c781f91603c77fc0c66ff406b5fa4a97db19ae4ce104816a6324529d10e131de0d5329646bdab2abc8dc3ee5b82b057f
AUX pam.d-include/shadow 152 BLAKE2B 82d1f678abc60586ea873da7e2f4907349d77a64085cc475fa09c47cb008b41a7a00a7de2816b2c5cb2f48452d1b07523be35f8dd29026736ba8fbd3ae3d7c56 SHA512 d07611c350d0d6f3386db5080c80a84e4135cf33e44fd3a390cb1092e034f9bd2a69495fadd4bda6ede9962e9658e77f2c8e12d3189cdcda6c7b3c607336f0c3
AUX shadow-4.1.3-dots-in-usernames.patch 302 BLAKE2B a83f463be9267c3a704997b98d67cd0daddf8ee05debf447d091530517a855078bd53ce28c87045643b2b8c467dd09caad06a4eb0a6568c271e6a42b49a54dcc SHA512 ad20fb3f4f0292f39b5da796e41df71e9e8b1b81dd11a99b2d988440c1b435b0061333a0a5a37a909598d5a840a75946e8c59c74426bae7452de88cf673a5f7d
-AUX shadow-4.5-CVE-2018-7169.patch 5778 BLAKE2B 59e06cda2d3b48d77548c22073f9c4ce018c16bdd128089ce6ae6d8eebe1ad9b73438530fb32b628bc5e72201852b7c452264a13707bcbfa826777b778a7b90b SHA512 fef082516e47ee4e3d9627916c47ffb8e1987580586639374d461b7b9d041370abe5b80dbbfacd4fd256a1bc2f9d23e0e71497298dd60ccd96d795811a13cd58
-DIST shadow-4.5.tar.gz 3804933 BLAKE2B c4714b7fe9a1af5a5751d4274e70e7fb31994cc40058b44c401bbbdf83c238fcf48e6e6e663d8a61f614b6291ea524862d9d2425d7d839340a10f8fb7c8eaa85 SHA512 02d6482a1159689e404dd49a68b4e2db85e9ffdcdfbacc8efcbd9043f14a1ec3fc4d749700df915d375df67d589219b6b0f57a6cfd9fb5b197012888a608913b
DIST shadow-4.6.tar.gz 3804282 BLAKE2B 268c90e7daba138827aec6039f428f52cdcf7929743fa1f49f801cc669de7456ec5a69531194cdb29f051ce7d0b2f1e966fdf2513a9fc8f7fbdeb29d786a509f SHA512 36358333e7f03ef558772f3361bc5851a7d7fd3d85c993a6b732e37304b8068b2893d55607b9bfe8b8eed616a687264f947ff66cefc74ea1a48ba9396d464714
-EBUILD shadow-4.5-r1.ebuild 5405 BLAKE2B 7518b3700adf543a619413066415f64959a50efbbe669b28622e8d2d4cd749705b256c62e3ba73a88e6f3c0d6c195c87c377e7541e165ccbf4328ec5f4b1b0df SHA512 a50352c9b189d5265e921e977acff5c96dedef2634b046f66b376e6d6e2fdab40b629e453695a3153dd1edb13740e94d6d205daed544b3bba885fd35dbb7251e
-EBUILD shadow-4.5.ebuild 5321 BLAKE2B fa760284cc0e44d1adb2735b90bdf8e191af67bfb51501551b0626a9646bbf3f3df2f34555c848d6ca6fb377d363621b8b8a2e52370313e0026fc94674257ca6 SHA512 33f57cbb2f8aef136deea2f4ded91a68a1358edec538ca2e4ddcb4d9ef55d477ca1c8e6424054e5e7cca21502dc4888a73af9661916a9eb3f2d328ff2ce49c60
-EBUILD shadow-4.6.ebuild 5351 BLAKE2B 231e53bb1d28b4b6afb1e440f0b481353669a2b5b34e9f659df985d671edcc8e9f5423b8613302fc4925807c72b14630ecee28d238ba84214860f5a735b0666d SHA512 489c9c84d1c75d07be162698387195be245ac1b4d37343b0a61efe173113eb190fd89757ee5f3cab42f5179388b4fee67932797450b1dafc0c45c32d1620eaf9
+EBUILD shadow-4.6.ebuild 5349 BLAKE2B 06f7ef54c7e2f34a679364b51c0447ad9b4c221225e3d47489132da7ddf3b0c2d9483f0ae2a338f83242fc9969d57b5ce56a5ddc562b5ef481b7ae64c4b9d582 SHA512 2d6b2f974c4540ddc0ef987416636e3ce8e52feac028eaa29a6d86570c1b16d2b50c8613a7dff27a4132a0a3f2b554ae7cb000aed333e99b7883a3a10d26d479
MISC metadata.xml 565 BLAKE2B bdd91116c16f590eabb6f18f05a4f72b55651383431c78fb07c27b23e7152b25816895e2ae3e2afd1ecd6e2b9fa9dd0005d198f2ab7ee2061583b586e4c44b01 SHA512 be29faf2eb981bdb0d643ca691d48b10ee702c3a32ca7fca1d00365aa1c4beb5b1b4bec8104be4352fed32f3fabc3108061b8eb8f0054e612c268b5c6f4b1469
diff --git a/sys-apps/shadow/files/shadow-4.5-CVE-2018-7169.patch b/sys-apps/shadow/files/shadow-4.5-CVE-2018-7169.patch
deleted file mode 100644
index 30ad9e614067..000000000000
--- a/sys-apps/shadow/files/shadow-4.5-CVE-2018-7169.patch
+++ /dev/null
@@ -1,180 +0,0 @@
-From fb28c99b8a66ff2605c5cb96abc0a4d975f92de0 Mon Sep 17 00:00:00 2001
-From: Aleksa Sarai <asarai@suse.de>
-Date: Thu, 15 Feb 2018 23:49:40 +1100
-Subject: [PATCH] newgidmap: enforce setgroups=deny if self-mapping a group
-
-This is necessary to match the kernel-side policy of "self-mapping in a
-user namespace is fine, but you cannot drop groups" -- a policy that was
-created in order to stop user namespaces from allowing trivial privilege
-escalation by dropping supplementary groups that were "blacklisted" from
-certain paths.
-
-This is the simplest fix for the underlying issue, and effectively makes
-it so that unless a user has a valid mapping set in /etc/subgid (which
-only administrators can modify) -- and they are currently trying to use
-that mapping -- then /proc/$pid/setgroups will be set to deny. This
-workaround is only partial, because ideally it should be possible to set
-an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow
-administrators to further restrict newgidmap(1).
-
-We also don't write anything in the "allow" case because "allow" is the
-default, and users may have already written "deny" even if they
-technically are allowed to use setgroups. And we don't write anything if
-the setgroups policy is already "deny".
-
-Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357
-Fixes: CVE-2018-7169
-Reported-by: Craig Furman <craig.furman89@gmail.com>
-Signed-off-by: Aleksa Sarai <asarai@suse.de>
----
- src/newgidmap.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++------
- 1 file changed, 80 insertions(+), 9 deletions(-)
-
-diff --git a/src/newgidmap.c b/src/newgidmap.c
-index b1e33513..59a2e75c 100644
---- a/src/newgidmap.c
-+++ b/src/newgidmap.c
-@@ -46,32 +46,37 @@
- */
- const char *Prog;
-
--static bool verify_range(struct passwd *pw, struct map_range *range)
-+
-+static bool verify_range(struct passwd *pw, struct map_range *range, bool *allow_setgroups)
- {
- /* An empty range is invalid */
- if (range->count == 0)
- return false;
-
-- /* Test /etc/subgid */
-- if (have_sub_gids(pw->pw_name, range->lower, range->count))
-+ /* Test /etc/subgid. If the mapping is valid then we allow setgroups. */
-+ if (have_sub_gids(pw->pw_name, range->lower, range->count)) {
-+ *allow_setgroups = true;
- return true;
-+ }
-
-- /* Allow a process to map its own gid */
-- if ((range->count == 1) && (pw->pw_gid == range->lower))
-+ /* Allow a process to map its own gid. */
-+ if ((range->count == 1) && (pw->pw_gid == range->lower)) {
-+ /* noop -- if setgroups is enabled already we won't disable it. */
- return true;
-+ }
-
- return false;
- }
-
- static void verify_ranges(struct passwd *pw, int ranges,
-- struct map_range *mappings)
-+ struct map_range *mappings, bool *allow_setgroups)
- {
- struct map_range *mapping;
- int idx;
-
- mapping = mappings;
- for (idx = 0; idx < ranges; idx++, mapping++) {
-- if (!verify_range(pw, mapping)) {
-+ if (!verify_range(pw, mapping, allow_setgroups)) {
- fprintf(stderr, _( "%s: gid range [%lu-%lu) -> [%lu-%lu) not allowed\n"),
- Prog,
- mapping->upper,
-@@ -89,6 +94,70 @@ static void usage(void)
- exit(EXIT_FAILURE);
- }
-
-+void write_setgroups(int proc_dir_fd, bool allow_setgroups)
-+{
-+ int setgroups_fd;
-+ char *policy, policy_buffer[4096];
-+
-+ /*
-+ * Default is "deny", and any "allow" will out-rank a "deny". We don't
-+ * forcefully write an "allow" here because the process we are writing
-+ * mappings for may have already set themselves to "deny" (and "allow"
-+ * is the default anyway). So allow_setgroups == true is a noop.
-+ */
-+ policy = "deny\n";
-+ if (allow_setgroups)
-+ return;
-+
-+ setgroups_fd = openat(proc_dir_fd, "setgroups", O_RDWR|O_CLOEXEC);
-+ if (setgroups_fd < 0) {
-+ /*
-+ * If it's an ENOENT then we are on too old a kernel for the setgroups
-+ * code to exist. Emit a warning and bail on this.
-+ */
-+ if (ENOENT == errno) {
-+ fprintf(stderr, _("%s: kernel doesn't support setgroups restrictions\n"), Prog);
-+ goto out;
-+ }
-+ fprintf(stderr, _("%s: couldn't open process setgroups: %s\n"),
-+ Prog,
-+ strerror(errno));
-+ exit(EXIT_FAILURE);
-+ }
-+
-+ /*
-+ * Check whether the policy is already what we want. /proc/self/setgroups
-+ * is write-once, so attempting to write after it's already written to will
-+ * fail.
-+ */
-+ if (read(setgroups_fd, policy_buffer, sizeof(policy_buffer)) < 0) {
-+ fprintf(stderr, _("%s: failed to read setgroups: %s\n"),
-+ Prog,
-+ strerror(errno));
-+ exit(EXIT_FAILURE);
-+ }
-+ if (!strncmp(policy_buffer, policy, strlen(policy)))
-+ goto out;
-+
-+ /* Write the policy. */
-+ if (lseek(setgroups_fd, 0, SEEK_SET) < 0) {
-+ fprintf(stderr, _("%s: failed to seek setgroups: %s\n"),
-+ Prog,
-+ strerror(errno));
-+ exit(EXIT_FAILURE);
-+ }
-+ if (dprintf(setgroups_fd, "%s", policy) < 0) {
-+ fprintf(stderr, _("%s: failed to setgroups %s policy: %s\n"),
-+ Prog,
-+ policy,
-+ strerror(errno));
-+ exit(EXIT_FAILURE);
-+ }
-+
-+out:
-+ close(setgroups_fd);
-+}
-+
- /*
- * newgidmap - Set the gid_map for the specified process
- */
-@@ -103,6 +172,7 @@ int main(int argc, char **argv)
- struct stat st;
- struct passwd *pw;
- int written;
-+ bool allow_setgroups = false;
-
- Prog = Basename (argv[0]);
-
-@@ -145,7 +215,7 @@ int main(int argc, char **argv)
- (unsigned long) getuid ()));
- return EXIT_FAILURE;
- }
--
-+
- /* Get the effective uid and effective gid of the target process */
- if (fstat(proc_dir_fd, &st) < 0) {
- fprintf(stderr, _("%s: Could not stat directory for target %u\n"),
-@@ -177,8 +247,9 @@ int main(int argc, char **argv)
- if (!mappings)
- usage();
-
-- verify_ranges(pw, ranges, mappings);
-+ verify_ranges(pw, ranges, mappings, &allow_setgroups);
-
-+ write_setgroups(proc_dir_fd, allow_setgroups);
- write_mapping(proc_dir_fd, ranges, mappings, "gid_map");
- sub_gid_close();
-
diff --git a/sys-apps/shadow/shadow-4.5-r1.ebuild b/sys-apps/shadow/shadow-4.5-r1.ebuild
deleted file mode 100644
index 1e3d98f2593e..000000000000
--- a/sys-apps/shadow/shadow-4.5-r1.ebuild
+++ /dev/null
@@ -1,212 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-inherit libtool pam multilib
-
-DESCRIPTION="Utilities to deal with user accounts"
-HOMEPAGE="https://github.com/shadow-maint/shadow http://pkg-shadow.alioth.debian.org/"
-SRC_URI="https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar.gz"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
-IUSE="acl audit +cracklib nls pam selinux skey xattr"
-# Taken from the man/Makefile.am file.
-LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW )
-
-RDEPEND="acl? ( sys-apps/acl:0= )
- audit? ( >=sys-process/audit-2.6:0= )
- cracklib? ( >=sys-libs/cracklib-2.7-r3:0= )
- pam? ( virtual/pam:0= )
- skey? ( sys-auth/skey:0= )
- selinux? (
- >=sys-libs/libselinux-1.28:0=
- sys-libs/libsemanage:0=
- )
- nls? ( virtual/libintl )
- xattr? ( sys-apps/attr:0= )"
-DEPEND="${RDEPEND}
- app-arch/xz-utils
- nls? ( sys-devel/gettext )"
-RDEPEND="${RDEPEND}
- pam? ( >=sys-auth/pambase-20150213 )"
-
-PATCHES=(
- "${FILESDIR}/${PN}-4.1.3-dots-in-usernames.patch"
- "${FILESDIR}/${P}-CVE-2018-7169.patch" #647790
-)
-
-src_prepare() {
- default
- #eautoreconf
- elibtoolize
-}
-
-src_configure() {
- local myeconfargs=(
- --without-group-name-max-length
- --without-tcb
- --enable-shared=no
- --enable-static=yes
- $(use_with acl)
- $(use_with audit)
- $(use_with cracklib libcrack)
- $(use_with pam libpam)
- $(use_with skey)
- $(use_with selinux)
- $(use_enable nls)
- $(use_with elibc_glibc nscd)
- $(use_with xattr attr)
- )
- econf "${myeconfargs[@]}"
-
- has_version 'sys-libs/uclibc[-rpc]' && sed -i '/RLOGIN/d' config.h #425052
-
- if use nls ; then
- local l langs="po" # These are the pot files.
- for l in ${LANGS[*]} ; do
- has ${l} ${LINGUAS-${l}} && langs+=" ${l}"
- done
- sed -i "/^SUBDIRS = /s:=.*:= ${langs}:" man/Makefile || die
- fi
-}
-
-set_login_opt() {
- local comment="" opt=$1 val=$2
- if [[ -z ${val} ]]; then
- comment="#"
- sed -i \
- -e "/^${opt}\>/s:^:#:" \
- "${ED%/}"/etc/login.defs || die
- else
- sed -i -r \
- -e "/^#?${opt}\>/s:.*:${opt} ${val}:" \
- "${ED%/}"/etc/login.defs
- fi
- local res=$(grep "^${comment}${opt}\>" "${ED%/}"/etc/login.defs)
- einfo "${res:-Unable to find ${opt} in /etc/login.defs}"
-}
-
-src_install() {
- emake DESTDIR="${D}" suidperms=4711 install
-
- # Remove libshadow and libmisc; see bug 37725 and the following
- # comment from shadow's README.linux:
- # Currently, libshadow.a is for internal use only, so if you see
- # -lshadow in a Makefile of some other package, it is safe to
- # remove it.
- rm -f "${ED%/}"/{,usr/}$(get_libdir)/lib{misc,shadow}.{a,la}
-
- insinto /etc
- if ! use pam ; then
- insopts -m0600
- doins etc/login.access etc/limits
- fi
-
- # needed for 'useradd -D'
- insinto /etc/default
- insopts -m0600
- doins "${FILESDIR}"/default/useradd
-
- # move passwd to / to help recover broke systems #64441
- mv "${ED%/}"/usr/bin/passwd "${ED%/}"/bin/ || die
- dosym /bin/passwd /usr/bin/passwd
-
- cd "${S}" || die
- insinto /etc
- insopts -m0644
- newins etc/login.defs login.defs
-
- set_login_opt CREATE_HOME yes
- if ! use pam ; then
- set_login_opt MAIL_CHECK_ENAB no
- set_login_opt SU_WHEEL_ONLY yes
- set_login_opt CRACKLIB_DICTPATH /usr/$(get_libdir)/cracklib_dict
- set_login_opt LOGIN_RETRIES 3
- set_login_opt ENCRYPT_METHOD SHA512
- set_login_opt CONSOLE
- else
- dopamd "${FILESDIR}"/pam.d-include/shadow
-
- for x in chpasswd chgpasswd newusers; do
- newpamd "${FILESDIR}"/pam.d-include/passwd ${x}
- done
-
- for x in chage chsh chfn \
- user{add,del,mod} group{add,del,mod} ; do
- newpamd "${FILESDIR}"/pam.d-include/shadow ${x}
- done
-
- # comment out login.defs options that pam hates
- local opt sed_args=()
- for opt in \
- CHFN_AUTH \
- CONSOLE \
- CRACKLIB_DICTPATH \
- ENV_HZ \
- ENVIRON_FILE \
- FAILLOG_ENAB \
- FTMP_FILE \
- LASTLOG_ENAB \
- MAIL_CHECK_ENAB \
- MOTD_FILE \
- NOLOGINS_FILE \
- OBSCURE_CHECKS_ENAB \
- PASS_ALWAYS_WARN \
- PASS_CHANGE_TRIES \
- PASS_MIN_LEN \
- PORTTIME_CHECKS_ENAB \
- QUOTAS_ENAB \
- SU_WHEEL_ONLY
- do
- set_login_opt ${opt}
- sed_args+=( -e "/^#${opt}\>/b pamnote" )
- done
- sed -i "${sed_args[@]}" \
- -e 'b exit' \
- -e ': pamnote; i# NOTE: This setting should be configured via /etc/pam.d/ and not in this file.' \
- -e ': exit' \
- "${ED%/}"/etc/login.defs || die
-
- # remove manpages that pam will install for us
- # and/or don't apply when using pam
- find "${ED%/}"/usr/share/man \
- '(' -name 'limits.5*' -o -name 'suauth.5*' ')' \
- -delete
-
- # Remove pam.d files provided by pambase.
- rm "${ED%/}"/etc/pam.d/{login,passwd,su} || die
- fi
-
- # Remove manpages that are handled by other packages
- find "${ED%/}"/usr/share/man \
- '(' -name id.1 -o -name passwd.5 -o -name getspnam.3 ')' \
- -delete
-
- cd "${S}" || die
- dodoc ChangeLog NEWS TODO
- newdoc README README.download
- cd doc || die
- dodoc HOWTO README* WISHLIST *.txt
-}
-
-pkg_preinst() {
- rm -f "${EROOT}"/etc/pam.d/system-auth.new \
- "${EROOT}/etc/login.defs.new"
-}
-
-pkg_postinst() {
- # Enable shadow groups.
- if [ ! -f "${EROOT}"/etc/gshadow ] ; then
- if grpck -r -R "${EROOT}" 2>/dev/null ; then
- grpconv -R "${EROOT}"
- else
- ewarn "Running 'grpck' returned errors. Please run it by hand, and then"
- ewarn "run 'grpconv' afterwards!"
- fi
- fi
-
- einfo "The 'adduser' symlink to 'useradd' has been dropped."
-}
diff --git a/sys-apps/shadow/shadow-4.5.ebuild b/sys-apps/shadow/shadow-4.5.ebuild
deleted file mode 100644
index 0b67db2fe8aa..000000000000
--- a/sys-apps/shadow/shadow-4.5.ebuild
+++ /dev/null
@@ -1,209 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-
-inherit eutils libtool pam multilib
-
-DESCRIPTION="Utilities to deal with user accounts"
-HOMEPAGE="https://github.com/shadow-maint/shadow http://pkg-shadow.alioth.debian.org/"
-SRC_URI="https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar.gz"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86"
-IUSE="acl audit +cracklib nls pam selinux skey xattr"
-# Taken from the man/Makefile.am file.
-LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW )
-
-RDEPEND="acl? ( sys-apps/acl:0= )
- audit? ( >=sys-process/audit-2.6:0= )
- cracklib? ( >=sys-libs/cracklib-2.7-r3:0= )
- pam? ( virtual/pam:0= )
- skey? ( sys-auth/skey:0= )
- selinux? (
- >=sys-libs/libselinux-1.28:0=
- sys-libs/libsemanage:0=
- )
- nls? ( virtual/libintl )
- xattr? ( sys-apps/attr:0= )"
-DEPEND="${RDEPEND}
- app-arch/xz-utils
- nls? ( sys-devel/gettext )"
-RDEPEND="${RDEPEND}
- pam? ( >=sys-auth/pambase-20150213 )"
-
-PATCHES=(
- "${FILESDIR}"/${PN}-4.1.3-dots-in-usernames.patch
-)
-
-src_prepare() {
- epatch "${PATCHES[@]}"
- epatch_user
- #eautoreconf
- elibtoolize
-}
-
-src_configure() {
- econf \
- --without-group-name-max-length \
- --without-tcb \
- --enable-shared=no \
- --enable-static=yes \
- $(use_with acl) \
- $(use_with audit) \
- $(use_with cracklib libcrack) \
- $(use_with pam libpam) \
- $(use_with skey) \
- $(use_with selinux) \
- $(use_enable nls) \
- $(use_with elibc_glibc nscd) \
- $(use_with xattr attr)
- has_version 'sys-libs/uclibc[-rpc]' && sed -i '/RLOGIN/d' config.h #425052
-
- if use nls ; then
- local l langs="po" # These are the pot files.
- for l in ${LANGS[*]} ; do
- has ${l} ${LINGUAS-${l}} && langs+=" ${l}"
- done
- sed -i "/^SUBDIRS = /s:=.*:= ${langs}:" man/Makefile || die
- fi
-}
-
-set_login_opt() {
- local comment="" opt=$1 val=$2
- if [[ -z ${val} ]]; then
- comment="#"
- sed -i \
- -e "/^${opt}\>/s:^:#:" \
- "${ED}"/etc/login.defs || die
- else
- sed -i -r \
- -e "/^#?${opt}\>/s:.*:${opt} ${val}:" \
- "${ED}"/etc/login.defs
- fi
- local res=$(grep "^${comment}${opt}\>" "${ED}"/etc/login.defs)
- einfo "${res:-Unable to find ${opt} in /etc/login.defs}"
-}
-
-src_install() {
- emake DESTDIR="${D}" suidperms=4711 install
-
- # Remove libshadow and libmisc; see bug 37725 and the following
- # comment from shadow's README.linux:
- # Currently, libshadow.a is for internal use only, so if you see
- # -lshadow in a Makefile of some other package, it is safe to
- # remove it.
- rm -f "${ED}"/{,usr/}$(get_libdir)/lib{misc,shadow}.{a,la}
-
- insinto /etc
- if ! use pam ; then
- insopts -m0600
- doins etc/login.access etc/limits
- fi
-
- # needed for 'useradd -D'
- insinto /etc/default
- insopts -m0600
- doins "${FILESDIR}"/default/useradd
-
- # move passwd to / to help recover broke systems #64441
- mv "${ED}"/usr/bin/passwd "${ED}"/bin/ || die
- dosym /bin/passwd /usr/bin/passwd
-
- cd "${S}"
- insinto /etc
- insopts -m0644
- newins etc/login.defs login.defs
-
- set_login_opt CREATE_HOME yes
- if ! use pam ; then
- set_login_opt MAIL_CHECK_ENAB no
- set_login_opt SU_WHEEL_ONLY yes
- set_login_opt CRACKLIB_DICTPATH /usr/$(get_libdir)/cracklib_dict
- set_login_opt LOGIN_RETRIES 3
- set_login_opt ENCRYPT_METHOD SHA512
- set_login_opt CONSOLE
- else
- dopamd "${FILESDIR}"/pam.d-include/shadow
-
- for x in chpasswd chgpasswd newusers; do
- newpamd "${FILESDIR}"/pam.d-include/passwd ${x}
- done
-
- for x in chage chsh chfn \
- user{add,del,mod} group{add,del,mod} ; do
- newpamd "${FILESDIR}"/pam.d-include/shadow ${x}
- done
-
- # comment out login.defs options that pam hates
- local opt sed_args=()
- for opt in \
- CHFN_AUTH \
- CONSOLE \
- CRACKLIB_DICTPATH \
- ENV_HZ \
- ENVIRON_FILE \
- FAILLOG_ENAB \
- FTMP_FILE \
- LASTLOG_ENAB \
- MAIL_CHECK_ENAB \
- MOTD_FILE \
- NOLOGINS_FILE \
- OBSCURE_CHECKS_ENAB \
- PASS_ALWAYS_WARN \
- PASS_CHANGE_TRIES \
- PASS_MIN_LEN \
- PORTTIME_CHECKS_ENAB \
- QUOTAS_ENAB \
- SU_WHEEL_ONLY
- do
- set_login_opt ${opt}
- sed_args+=( -e "/^#${opt}\>/b pamnote" )
- done
- sed -i "${sed_args[@]}" \
- -e 'b exit' \
- -e ': pamnote; i# NOTE: This setting should be configured via /etc/pam.d/ and not in this file.' \
- -e ': exit' \
- "${ED}"/etc/login.defs || die
-
- # remove manpages that pam will install for us
- # and/or don't apply when using pam
- find "${ED}"/usr/share/man \
- '(' -name 'limits.5*' -o -name 'suauth.5*' ')' \
- -delete
-
- # Remove pam.d files provided by pambase.
- rm "${ED}"/etc/pam.d/{login,passwd,su} || die
- fi
-
- # Remove manpages that are handled by other packages
- find "${ED}"/usr/share/man \
- '(' -name id.1 -o -name passwd.5 -o -name getspnam.3 ')' \
- -delete
-
- cd "${S}"
- dodoc ChangeLog NEWS TODO
- newdoc README README.download
- cd doc
- dodoc HOWTO README* WISHLIST *.txt
-}
-
-pkg_preinst() {
- rm -f "${EROOT}"/etc/pam.d/system-auth.new \
- "${EROOT}/etc/login.defs.new"
-}
-
-pkg_postinst() {
- # Enable shadow groups.
- if [ ! -f "${EROOT}"/etc/gshadow ] ; then
- if grpck -r -R "${EROOT}" 2>/dev/null ; then
- grpconv -R "${EROOT}"
- else
- ewarn "Running 'grpck' returned errors. Please run it by hand, and then"
- ewarn "run 'grpconv' afterwards!"
- fi
- fi
-
- einfo "The 'adduser' symlink to 'useradd' has been dropped."
-}
diff --git a/sys-apps/shadow/shadow-4.6.ebuild b/sys-apps/shadow/shadow-4.6.ebuild
index fd1e15e8a1ff..2c4f91f2ecd8 100644
--- a/sys-apps/shadow/shadow-4.6.ebuild
+++ b/sys-apps/shadow/shadow-4.6.ebuild
@@ -11,7 +11,7 @@ SRC_URI="https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar
LICENSE="BSD GPL-2"
SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 ~hppa ia64 m68k ~mips ppc ~ppc64 s390 sh sparc x86"
+KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86"
IUSE="acl audit +cracklib nls pam selinux skey xattr"
# Taken from the man/Makefile.am file.
LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW )