diff options
Diffstat (limited to 'poky/meta/recipes-extended/shadow/files')
23 files changed, 1785 insertions, 0 deletions
diff --git a/poky/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch b/poky/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch new file mode 100644 index 000000000..a6f604b65 --- /dev/null +++ b/poky/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch @@ -0,0 +1,124 @@ +From 8cf3454d567f77233023be49a39a33e9f0836f89 Mon Sep 17 00:00:00 2001 +From: Scott Garman <scott.a.garman@intel.com> +Date: Thu, 14 Apr 2016 12:28:57 +0200 +Subject: [PATCH] Disable use of syslog for sysroot + +Disable use of syslog to prevent sysroot user and group additions from +writing entries to the host's syslog. This patch should only be used +with the shadow-native recipe. + +Upstream-Status: Inappropriate [disable feature] + +Signed-off-by: Scott Garman <scott.a.garman@intel.com> +Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> +--- + src/groupadd.c | 3 +++ + src/groupdel.c | 3 +++ + src/groupmems.c | 3 +++ + src/groupmod.c | 3 +++ + src/useradd.c | 3 +++ + src/userdel.c | 3 +++ + src/usermod.c | 3 +++ + 7 files changed, 21 insertions(+) + +diff --git a/src/groupadd.c b/src/groupadd.c +index 39b4ec0..f716f57 100644 +--- a/src/groupadd.c ++++ b/src/groupadd.c +@@ -34,6 +34,9 @@ + + #ident "$Id$" + ++/* Disable use of syslog since we're running this command against a sysroot */ ++#undef USE_SYSLOG ++ + #include <ctype.h> + #include <fcntl.h> + #include <getopt.h> +diff --git a/src/groupdel.c b/src/groupdel.c +index da99347..46a679c 100644 +--- a/src/groupdel.c ++++ b/src/groupdel.c +@@ -34,6 +34,9 @@ + + #ident "$Id$" + ++/* Disable use of syslog since we're running this command against a sysroot */ ++#undef USE_SYSLOG ++ + #include <ctype.h> + #include <fcntl.h> + #include <grp.h> +diff --git a/src/groupmems.c b/src/groupmems.c +index e4f107f..95cb073 100644 +--- a/src/groupmems.c ++++ b/src/groupmems.c +@@ -32,6 +32,9 @@ + + #include <config.h> + ++/* Disable use of syslog since we're running this command against a sysroot */ ++#undef USE_SYSLOG ++ + #include <fcntl.h> + #include <getopt.h> + #include <grp.h> +diff --git a/src/groupmod.c b/src/groupmod.c +index d9d3807..6229737 100644 +--- a/src/groupmod.c ++++ b/src/groupmod.c +@@ -34,6 +34,9 @@ + + #ident "$Id$" + ++/* Disable use of syslog since we're running this command against a sysroot */ ++#undef USE_SYSLOG ++ + #include <ctype.h> + #include <fcntl.h> + #include <getopt.h> +diff --git a/src/useradd.c b/src/useradd.c +index e1ebf50..25679d8 100644 +--- a/src/useradd.c ++++ b/src/useradd.c +@@ -34,6 +34,9 @@ + + #ident "$Id$" + ++/* Disable use of syslog since we're running this command against a sysroot */ ++#undef USE_SYSLOG ++ + #include <assert.h> + #include <ctype.h> + #include <errno.h> +diff --git a/src/userdel.c b/src/userdel.c +index 19b12bc..a083929 100644 +--- a/src/userdel.c ++++ b/src/userdel.c +@@ -34,6 +34,9 @@ + + #ident "$Id$" + ++/* Disable use of syslog since we're running this command against a sysroot */ ++#undef USE_SYSLOG ++ + #include <errno.h> + #include <fcntl.h> + #include <getopt.h> +diff --git a/src/usermod.c b/src/usermod.c +index 685b50a..28e5cfc 100644 +--- a/src/usermod.c ++++ b/src/usermod.c +@@ -34,6 +34,9 @@ + + #ident "$Id$" + ++/* Disable use of syslog since we're running this command against a sysroot */ ++#undef USE_SYSLOG ++ + #include <ctype.h> + #include <errno.h> + #include <fcntl.h> +-- +2.1.0 + diff --git a/poky/meta/recipes-extended/shadow/files/0001-Do-not-read-login.defs-before-doing-chroot.patch b/poky/meta/recipes-extended/shadow/files/0001-Do-not-read-login.defs-before-doing-chroot.patch new file mode 100644 index 000000000..828b95a57 --- /dev/null +++ b/poky/meta/recipes-extended/shadow/files/0001-Do-not-read-login.defs-before-doing-chroot.patch @@ -0,0 +1,46 @@ +From 170c25c8e0b5c3dc2615d1db94c8d24a13ff99bf Mon Sep 17 00:00:00 2001 +From: Peter Kjellerstedt <pkj@axis.com> +Date: Thu, 11 Sep 2014 15:11:23 +0200 +Subject: [PATCH] Do not read login.defs before doing chroot() + +If "useradd --root <root> ..." was used, the login.defs file would still +be read from /etc/login.defs instead of <root>/etc/login.defs. This was +due to getdef_ulong() being called before process_root_flag(). + +Upstream-Status: Submitted [http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/2014-September/010446.html] + +Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> +--- + src/useradd.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/useradd.c b/src/useradd.c +index a8a1f76..e1ebf50 100644 +--- a/src/useradd.c ++++ b/src/useradd.c +@@ -1993,9 +1993,11 @@ int main (int argc, char **argv) + #endif /* USE_PAM */ + #endif /* ACCT_TOOLS_SETUID */ + ++#ifdef ENABLE_SUBIDS + /* Needed for userns check */ +- uid_t uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); +- uid_t uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); ++ uid_t uid_min; ++ uid_t uid_max; ++#endif + + /* + * Get my name so that I can use it to report errors. +@@ -2026,6 +2028,8 @@ int main (int argc, char **argv) + is_shadow_grp = sgr_file_present (); + #endif + #ifdef ENABLE_SUBIDS ++ uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); ++ uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); + is_sub_uid = sub_uid_file_present () && !rflg && + (!user_id || (user_id <= uid_max && user_id >= uid_min)); + is_sub_gid = sub_gid_file_present () && !rflg && +-- +1.9.0 + diff --git a/poky/meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424 b/poky/meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424 new file mode 100644 index 000000000..4d3e1e016 --- /dev/null +++ b/poky/meta/recipes-extended/shadow/files/0001-shadow-CVE-2017-12424 @@ -0,0 +1,46 @@ +From 954e3d2e7113e9ac06632aee3c69b8d818cc8952 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz <tmraz@fedoraproject.org> +Date: Fri, 31 Mar 2017 16:25:06 +0200 +Subject: [PATCH] Fix buffer overflow if NULL line is present in db. + +If ptr->line == NULL for an entry, the first cycle will exit, +but the second one will happily write past entries buffer. +We actually do not want to exit the first cycle prematurely +on ptr->line == NULL. +Signed-off-by: Tomas Mraz <tmraz@fedoraproject.org> + +CVE: CVE-2017-12424 +Upstream-Status: Backport +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + lib/commonio.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/lib/commonio.c b/lib/commonio.c +index b10da06..31edbaa 100644 +--- a/lib/commonio.c ++++ b/lib/commonio.c +@@ -751,16 +751,16 @@ commonio_sort (struct commonio_db *db, int (*cmp) (const void *, const void *)) + for (ptr = db->head; + (NULL != ptr) + #if KEEP_NIS_AT_END +- && (NULL != ptr->line) +- && ( ('+' != ptr->line[0]) +- && ('-' != ptr->line[0])) ++ && ((NULL == ptr->line) ++ || (('+' != ptr->line[0]) ++ && ('-' != ptr->line[0]))) + #endif + ; + ptr = ptr->next) { + n++; + } + #if KEEP_NIS_AT_END +- if ((NULL != ptr) && (NULL != ptr->line)) { ++ if (NULL != ptr) { + nis = ptr; + } + #endif +-- +2.1.0 + diff --git a/poky/meta/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch b/poky/meta/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch new file mode 100644 index 000000000..60a46e125 --- /dev/null +++ b/poky/meta/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch @@ -0,0 +1,47 @@ +From acec93540eba6899661c607408498ac72ab07a47 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Tue, 7 Mar 2017 16:03:03 +0100 +Subject: [PATCH] useradd: copy extended attributes of home +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The Home directory wasn't getting the extended attributes +of /etc/skel. This patch fixes that issue and adds the copy +of the extended attributes of the root of the home directory. + +Upstream-Status: Submitted [http://lists.alioth.debian.org/pipermail/pkg-shadow-commits/2017-March/003804.html] + +Change-Id: Icd633f7c6c494efd2a30cb8f04c306f749ad0c3b +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +--- + src/useradd.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/useradd.c b/src/useradd.c +index a8a1f76..8aefb9c 100644 +--- a/src/useradd.c ++++ b/src/useradd.c +@@ -52,6 +52,9 @@ + #include <sys/stat.h> + #include <sys/types.h> + #include <time.h> ++#ifdef WITH_ATTR ++#include <attr/libattr.h> ++#endif + #include "chkname.h" + #include "defines.h" + #include "faillog.h" +@@ -1915,6 +1918,9 @@ static void create_home (void) + chown (user_home, user_id, user_gid); + chmod (user_home, + 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); ++#ifdef WITH_ATTR ++ attr_copy_file (def_template, user_home, NULL, NULL); ++#endif + home_added = true; + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, +-- +2.9.3 + diff --git a/poky/meta/recipes-extended/shadow/files/0001-useradd.c-create-parent-directories-when-necessary.patch b/poky/meta/recipes-extended/shadow/files/0001-useradd.c-create-parent-directories-when-necessary.patch new file mode 100644 index 000000000..2f084b4e9 --- /dev/null +++ b/poky/meta/recipes-extended/shadow/files/0001-useradd.c-create-parent-directories-when-necessary.patch @@ -0,0 +1,115 @@ +Upstream-Status: Inappropriate [OE specific] + +Subject: useradd.c: create parent directories when necessary + +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + src/useradd.c | 72 +++++++++++++++++++++++++++++++++++++++------------------ + 1 file changed, 49 insertions(+), 23 deletions(-) + +diff --git a/src/useradd.c b/src/useradd.c +index 4bd969d..cb5dd6c 100644 +--- a/src/useradd.c ++++ b/src/useradd.c +@@ -1896,6 +1896,35 @@ static void usr_update (void) + } + + /* ++ * mkdir_p - create directories, including parent directories when needed ++ * ++ * similar to `mkdir -p' ++ */ ++void mkdir_p(const char *path) { ++ int len = strlen(path); ++ char newdir[len + 1]; ++ mode_t mode = 0755; ++ int i = 0; ++ ++ if (path[i] == '\0') { ++ return; ++ } ++ ++ /* skip the leading '/' */ ++ i++; ++ ++ while(path[i] != '\0') { ++ if (path[i] == '/') { ++ strncpy(newdir, path, i); ++ newdir[i] = '\0'; ++ mkdir(newdir, mode); ++ } ++ i++; ++ } ++ mkdir(path, mode); ++} ++ ++/* + * create_home - create the user's home directory + * + * create_home() creates the user's home directory if it does not +@@ -1910,39 +1939,36 @@ static void create_home (void) + fail_exit (E_HOMEDIR); + } + #endif +- /* XXX - create missing parent directories. --marekm */ +- if (mkdir (user_home, 0) != 0) { +- fprintf (stderr, +- _("%s: cannot create directory %s\n"), +- Prog, user_home); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding home directory", +- user_name, (unsigned int) user_id, +- SHADOW_AUDIT_FAILURE); +-#endif +- fail_exit (E_HOMEDIR); +- } +- chown (user_home, user_id, user_gid); +- chmod (user_home, +- 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); +-#ifdef WITH_ATTR +- attr_copy_file (def_template, user_home, NULL, NULL); +-#endif +- home_added = true; ++ mkdir_p(user_home); ++ } ++ if (access (user_home, F_OK) != 0) { + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, + "adding home directory", + user_name, (unsigned int) user_id, +- SHADOW_AUDIT_SUCCESS); ++ SHADOW_AUDIT_FAILURE); + #endif +-#ifdef WITH_SELINUX +- /* Reset SELinux to create files with default contexts */ +- if (reset_selinux_file_context () != 0) { +- fail_exit (E_HOMEDIR); +- } ++ fail_exit (E_HOMEDIR); ++ } ++ chown (user_home, user_id, user_gid); ++ chmod (user_home, ++ 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); ++#ifdef WITH_ATTR ++ attr_copy_file (def_template, user_home, NULL, NULL); ++#endif ++ home_added = true; ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_ADD_USER, Prog, ++ "adding home directory", ++ user_name, (unsigned int) user_id, ++ SHADOW_AUDIT_SUCCESS); + #endif ++#ifdef WITH_SELINUX ++ /* Reset SELinux to create files with default contexts */ ++ if (reset_selinux_file_context () != 0) { ++ fail_exit (E_HOMEDIR); + } ++#endif + } + + /* +-- +1.7.9.5 + diff --git a/poky/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch b/poky/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch new file mode 100644 index 000000000..615c6e002 --- /dev/null +++ b/poky/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch @@ -0,0 +1,201 @@ +Upstream-Status: Inappropriate [OE specific] + +Allow for setting password in clear text. + +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + src/Makefile.am | 8 ++++---- + src/groupadd.c | 8 +++++++- + src/groupmod.c | 8 +++++++- + src/useradd.c | 9 +++++++-- + src/usermod.c | 8 +++++++- + 5 files changed, 32 insertions(+), 9 deletions(-) + +diff --git a/src/Makefile.am b/src/Makefile.am +index 25e288d..856b087 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -88,10 +88,10 @@ chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT) + chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) + chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) + gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) +-groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) ++groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) + groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) + groupmems_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) +-groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) ++groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) + grpck_LDADD = $(LDADD) $(LIBSELINUX) + grpconv_LDADD = $(LDADD) $(LIBSELINUX) + grpunconv_LDADD = $(LDADD) $(LIBSELINUX) +@@ -111,9 +111,9 @@ su_SOURCES = \ + suauth.c + su_LDADD = $(LDADD) $(LIBPAM) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) + sulogin_LDADD = $(LDADD) $(LIBCRYPT) +-useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) ++useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBCRYPT) + userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) +-usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) ++usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBCRYPT) + vipw_LDADD = $(LDADD) $(LIBSELINUX) + + install-am: all-am +diff --git a/src/groupadd.c b/src/groupadd.c +index f716f57..4e28c26 100644 +--- a/src/groupadd.c ++++ b/src/groupadd.c +@@ -124,6 +124,7 @@ static /*@noreturn@*/void usage (int status) + (void) fputs (_(" -o, --non-unique allow to create groups with duplicate\n" + " (non-unique) GID\n"), usageout); + (void) fputs (_(" -p, --password PASSWORD use this encrypted password for the new group\n"), usageout); ++ (void) fputs (_(" -P, --clear-password PASSWORD use this clear password for the new group\n"), usageout); + (void) fputs (_(" -r, --system create a system account\n"), usageout); + (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); + (void) fputs ("\n", usageout); +@@ -387,12 +388,13 @@ static void process_flags (int argc, char **argv) + {"key", required_argument, NULL, 'K'}, + {"non-unique", no_argument, NULL, 'o'}, + {"password", required_argument, NULL, 'p'}, ++ {"clear-password", required_argument, NULL, 'P'}, + {"system", no_argument, NULL, 'r'}, + {"root", required_argument, NULL, 'R'}, + {NULL, 0, NULL, '\0'} + }; + +- while ((c = getopt_long (argc, argv, "fg:hK:op:rR:", ++ while ((c = getopt_long (argc, argv, "fg:hK:op:P:rR:", + long_options, NULL)) != -1) { + switch (c) { + case 'f': +@@ -444,6 +446,10 @@ static void process_flags (int argc, char **argv) + pflg = true; + group_passwd = optarg; + break; ++ case 'P': ++ pflg = true; ++ group_passwd = pw_encrypt (optarg, crypt_make_salt (NULL, NULL)); ++ break; + case 'r': + rflg = true; + break; +diff --git a/src/groupmod.c b/src/groupmod.c +index d9d3807..68f49d1 100644 +--- a/src/groupmod.c ++++ b/src/groupmod.c +@@ -127,6 +127,7 @@ static void usage (int status) + (void) fputs (_(" -o, --non-unique allow to use a duplicate (non-unique) GID\n"), usageout); + (void) fputs (_(" -p, --password PASSWORD change the password to this (encrypted)\n" + " PASSWORD\n"), usageout); ++ (void) fputs (_(" -P, --clear-password PASSWORD change the password to this clear PASSWORD\n"), usageout); + (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); + (void) fputs ("\n", usageout); + exit (status); +@@ -375,10 +376,11 @@ static void process_flags (int argc, char **argv) + {"new-name", required_argument, NULL, 'n'}, + {"non-unique", no_argument, NULL, 'o'}, + {"password", required_argument, NULL, 'p'}, ++ {"clear-password", required_argument, NULL, 'P'}, + {"root", required_argument, NULL, 'R'}, + {NULL, 0, NULL, '\0'} + }; +- while ((c = getopt_long (argc, argv, "g:hn:op:R:", ++ while ((c = getopt_long (argc, argv, "g:hn:op:P:R:", + long_options, NULL)) != -1) { + switch (c) { + case 'g': +@@ -405,6 +407,10 @@ static void process_flags (int argc, char **argv) + group_passwd = optarg; + pflg = true; + break; ++ case 'P': ++ group_passwd = pw_encrypt (optarg, crypt_make_salt (NULL, NULL)); ++ pflg = true; ++ break; + case 'R': /* no-op, handled in process_root_flag () */ + break; + default: +diff --git a/src/useradd.c b/src/useradd.c +index b3bd451..4416f90 100644 +--- a/src/useradd.c ++++ b/src/useradd.c +@@ -776,6 +776,7 @@ static void usage (int status) + (void) fputs (_(" -o, --non-unique allow to create users with duplicate\n" + " (non-unique) UID\n"), usageout); + (void) fputs (_(" -p, --password PASSWORD encrypted password of the new account\n"), usageout); ++ (void) fputs (_(" -P, --clear-password PASSWORD clear password of the new account\n"), usageout); + (void) fputs (_(" -r, --system create a system account\n"), usageout); + (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); + (void) fputs (_(" -s, --shell SHELL login shell of the new account\n"), usageout); +@@ -1050,6 +1051,7 @@ static void process_flags (int argc, char **argv) + {"no-user-group", no_argument, NULL, 'N'}, + {"non-unique", no_argument, NULL, 'o'}, + {"password", required_argument, NULL, 'p'}, ++ {"clear-password", required_argument, NULL, 'P'}, + {"system", no_argument, NULL, 'r'}, + {"root", required_argument, NULL, 'R'}, + {"shell", required_argument, NULL, 's'}, +@@ -1062,9 +1064,9 @@ static void process_flags (int argc, char **argv) + }; + while ((c = getopt_long (argc, argv, + #ifdef WITH_SELINUX +- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:UZ:", ++ "b:c:d:De:f:g:G:hk:K:lmMNop:P:rR:s:u:UZ:", + #else /* !WITH_SELINUX */ +- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:U", ++ "b:c:d:De:f:g:G:hk:K:lmMNop:P:rR:s:u:U", + #endif /* !WITH_SELINUX */ + long_options, NULL)) != -1) { + switch (c) { +@@ -1230,6 +1232,9 @@ static void process_flags (int argc, char **argv) + } + user_pass = optarg; + break; ++ case 'P': /* set clear text password */ ++ user_pass = pw_encrypt (optarg, crypt_make_salt (NULL, NULL)); ++ break; + case 'r': + rflg = true; + break; +diff --git a/src/usermod.c b/src/usermod.c +index e7d4351..b79f7a3 100644 +--- a/src/usermod.c ++++ b/src/usermod.c +@@ -419,6 +419,7 @@ static /*@noreturn@*/void usage (int status) + " new location (use only with -d)\n"), usageout); + (void) fputs (_(" -o, --non-unique allow using duplicate (non-unique) UID\n"), usageout); + (void) fputs (_(" -p, --password PASSWORD use encrypted password for the new password\n"), usageout); ++ (void) fputs (_(" -P, --clear-password PASSWORD use clear password for the new password\n"), usageout); + (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); + (void) fputs (_(" -s, --shell SHELL new login shell for the user account\n"), usageout); + (void) fputs (_(" -u, --uid UID new UID for the user account\n"), usageout); +@@ -996,6 +997,7 @@ static void process_flags (int argc, char **argv) + {"move-home", no_argument, NULL, 'm'}, + {"non-unique", no_argument, NULL, 'o'}, + {"password", required_argument, NULL, 'p'}, ++ {"clear-password", required_argument, NULL, 'P'}, + {"root", required_argument, NULL, 'R'}, + {"shell", required_argument, NULL, 's'}, + {"uid", required_argument, NULL, 'u'}, +@@ -1012,7 +1014,7 @@ static void process_flags (int argc, char **argv) + {NULL, 0, NULL, '\0'} + }; + while ((c = getopt_long (argc, argv, +- "ac:d:e:f:g:G:hl:Lmop:R:s:u:U" ++ "ac:d:e:f:g:G:hl:Lmop:P:R:s:u:U" + #ifdef ENABLE_SUBIDS + "v:w:V:W:" + #endif /* ENABLE_SUBIDS */ +@@ -1112,6 +1114,10 @@ static void process_flags (int argc, char **argv) + user_pass = optarg; + pflg = true; + break; ++ case 'P': ++ user_pass = pw_encrypt (optarg, crypt_make_salt (NULL, NULL)); ++ pflg = true; ++ break; + case 'R': /* no-op, handled in process_root_flag () */ + break; + case 's': +-- +1.7.9.5 + diff --git a/poky/meta/recipes-extended/shadow/files/check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch b/poky/meta/recipes-extended/shadow/files/check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch new file mode 100644 index 000000000..185590cab --- /dev/null +++ b/poky/meta/recipes-extended/shadow/files/check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch @@ -0,0 +1,41 @@ +From 2cb54158b80cdbd97ca3b36df83f9255e923ae3f Mon Sep 17 00:00:00 2001 +From: James Le Cuirot <chewi@aura-online.co.uk> +Date: Sat, 23 Aug 2014 09:46:39 +0100 +Subject: [PATCH] Check size of uid_t and gid_t using AC_CHECK_SIZEOF + +This built-in check is simpler than the previous method and, most +importantly, works when cross-compiling. + +Upstream-Status: Accepted +[https://github.com/shadow-maint/shadow/commit/2cb54158b80cdbd97ca3b36df83f9255e923ae3f] + +Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> +--- + configure.in | 14 ++++---------- + 1 file changed, 4 insertions(+), 10 deletions(-) + +diff --git a/configure.in b/configure.in +index 1a3f841..4a4d6d0 100644 +--- a/configure.in ++++ b/configure.in +@@ -335,16 +335,10 @@ if test "$enable_subids" != "no"; then + dnl + dnl FIXME: check if 32 bit UIDs/GIDs are supported by libc + dnl +- AC_RUN_IFELSE([AC_LANG_SOURCE([ +-#include <sys/types.h> +-int main(void) { +- uid_t u; +- gid_t g; +- return (sizeof u < 4) || (sizeof g < 4); +-} +- ])], [id32bit="yes"], [id32bit="no"]) +- +- if test "x$id32bit" = "xyes"; then ++ AC_CHECK_SIZEOF([uid_t],, [#include "sys/types.h"]) ++ AC_CHECK_SIZEOF([gid_t],, [#include "sys/types.h"]) ++ ++ if test "$ac_cv_sizeof_uid_t" -ge 4 && test "$ac_cv_sizeof_gid_t" -ge 4; then + AC_DEFINE(ENABLE_SUBIDS, 1, [Define to support the subordinate IDs.]) + enable_subids="yes" + else diff --git a/poky/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch b/poky/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch new file mode 100644 index 000000000..4fa3d184e --- /dev/null +++ b/poky/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch @@ -0,0 +1,46 @@ +Upstream-Status: Inappropriate [OE specific] + +commonio.c: fix unexpected open failure in chroot environment + +When using commands with '-R <newroot>' option in our pseudo environment, +we would usually get the 'Pemission Denied' error. This patch serves as +a workaround to this problem. + +Note that this patch doesn't change the logic in the code, it just expands +the codes. + +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + lib/commonio.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/lib/commonio.c b/lib/commonio.c +index cc536bf..51cafd9 100644 +--- a/lib/commonio.c ++++ b/lib/commonio.c +@@ -613,10 +613,18 @@ int commonio_open (struct commonio_db *db, int mode) + db->cursor = NULL; + db->changed = false; + +- fd = open (db->filename, +- (db->readonly ? O_RDONLY : O_RDWR) +- | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW); +- saved_errno = errno; ++ if (db->readonly) { ++ fd = open (db->filename, ++ (true ? O_RDONLY : O_RDWR) ++ | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW); ++ saved_errno = errno; ++ } else { ++ fd = open (db->filename, ++ (false ? O_RDONLY : O_RDWR) ++ | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW); ++ saved_errno = errno; ++ } ++ + db->fp = NULL; + if (fd >= 0) { + #ifdef WITH_TCB +-- +1.7.9.5 + diff --git a/poky/meta/recipes-extended/shadow/files/fix-installation-failure-with-subids-disabled.patch b/poky/meta/recipes-extended/shadow/files/fix-installation-failure-with-subids-disabled.patch new file mode 100644 index 000000000..02cb91aaf --- /dev/null +++ b/poky/meta/recipes-extended/shadow/files/fix-installation-failure-with-subids-disabled.patch @@ -0,0 +1,28 @@ +Upstream-Status: Pending + +Subject: fix installation failure with subids disabled + +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + src/Makefile.am | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/Makefile.am b/src/Makefile.am +index 25e288d..076f8ef 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -52,7 +52,10 @@ usbin_PROGRAMS = \ + noinst_PROGRAMS = id sulogin + + suidbins = su +-suidubins = chage chfn chsh expiry gpasswd newgrp passwd newuidmap newgidmap ++suidubins = chage chfn chsh expiry gpasswd newgrp passwd ++if ENABLE_SUBIDS ++suidubins += newgidmap newuidmap ++endif + if ACCT_TOOLS_SETUID + suidubins += chage chgpasswd chpasswd groupadd groupdel groupmod newusers useradd userdel usermod + endif +-- +1.7.9.5 + diff --git a/poky/meta/recipes-extended/shadow/files/login.defs_shadow-sysroot b/poky/meta/recipes-extended/shadow/files/login.defs_shadow-sysroot new file mode 100644 index 000000000..8a68dd341 --- /dev/null +++ b/poky/meta/recipes-extended/shadow/files/login.defs_shadow-sysroot @@ -0,0 +1,386 @@ +# +# /etc/login.defs - Configuration control definitions for the shadow package. +# +# $Id: login.defs 3038 2009-07-23 20:41:35Z nekral-guest $ +# + +# +# Delay in seconds before being allowed another attempt after a login failure +# Note: When PAM is used, some modules may enfore a minimal delay (e.g. +# pam_unix enforces a 2s delay) +# +FAIL_DELAY 3 + +# +# Enable logging and display of /var/log/faillog login failure info. +# +#FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable logging and display of /var/log/lastlog login time info. +# +#LASTLOG_ENAB yes + +# +# Enable checking and display of mailbox status upon login. +# +# Disable if the shell startup files already check for mail +# ("mailx -e" or equivalent). +# +##MAIL_CHECK_ENAB yes + +# +# Enable additional checks upon password changes. +# +#OBSCURE_CHECKS_ENAB yes + +# +# Enable checking of time restrictions specified in /etc/porttime. +# +#PORTTIME_CHECKS_ENAB yes + +# +# Enable setting of ulimit, umask, and niceness from passwd gecos field. +# +#QUOTAS_ENAB yes + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +CONSOLE /etc/securetty +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, ":" delimited list of "message of the day" files to +# be displayed upon login. +# +#MOTD_FILE /etc/motd +#MOTD_FILE /etc/motd:/usr/lib/news/news-motd + +# +# If defined, this file will be output before each login prompt. +# +#ISSUE_FILE /etc/issue + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format. +# last, when invoked as lastb, will read /var/log/btmp, so... +# +#FTMP_FILE /var/log/btmp + +# +# If defined, name of file whose presence which will inhibit non-root +# logins. The contents of this file should be a message indicating +# why logins are inhibited. +# +#NOLOGINS_FILE /etc/nologin + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# *REQUIRED* +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define both, #MAIL_DIR takes precedence. +# +#MAIL_DIR /var/spool/mail +MAIL_FILE .mail + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# If defined, either a TZ environment parameter spec or the +# fully-rooted pathname of a file containing such a spec. +# +#ENV_TZ TZ=CST6CDT +#ENV_TZ /etc/tzname + +# +# If defined, an HZ environment parameter spec. +# +# for Linux/x86 +#ENV_HZ HZ=100 +# For Linux/Alpha... +#ENV_HZ HZ=1024 + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin +ENV_PATH PATH=/bin:/usr/bin + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# ULIMIT Default "ulimit" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# The ULIMIT is used only if the system supports it. +# (now it works with setrlimit too; ulimit is in 512-byte units) +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +#ULIMIT 2097152 + +# Default initial "umask" value for non-PAM enabled systems. +# UMASK is also used by useradd and newusers to set the mode of new home +# directories. +# 022 is the default value, but 027, or even 077, could be considered +# better for privacy. There is no One True Answer here: each sysadmin +# must make up her mind. +UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_MIN_LEN Minimum acceptable password length. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +#PASS_MIN_LEN 5 +PASS_WARN_AGE 7 + +# +# If "yes", the user must be listed as a member of the first gid 0 group +# in /etc/group (called "root" on most Linux systems) to be able to "su" +# to uid 0 accounts. If the group doesn't exist or is empty, no one +# will be able to "su" to uid 0. +# +#SU_WHEEL_ONLY no + +# +# If compiled with cracklib support, where are the dictionaries +# +#CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +SYS_UID_MIN 101 +SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +SYS_GID_MIN 101 +SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Maximum number of attempts to change password if rejected (too easy) +# +#PASS_CHANGE_TRIES 5 + +# +# Warn about weak passwords (but still allow them) if you are root. +# +#PASS_ALWAYS_WARN yes + +# +# Number of significant characters in the password for crypt(). +# Default is 8, don't change unless your crypt() is better. +# Ignored if MD5_CRYPT_ENAB set to "yes". +# +#PASS_MAX_LEN 8 + +# +# Require password before chfn/chsh can make any changes. +# +#CHFN_AUTH yes + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Password prompt (%s will be replaced by user name). +# +# XXX - it doesn't work correctly yet, for now leave it commented out +# to use the default which is just "Password: ". +#LOGIN_STRING "%s's Password: " + +# +# Only works if compiled with MD5_CRYPT defined: +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# Note: If you use PAM, it is recommended to use a value consistent with +# the PAM modules configuration. +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# Only works if compiled with ENCRYPTMETHOD_SELECT defined: +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: If you use PAM, it is recommended to use a value consistent with +# the PAM modules configuration. +# +#ENCRYPT_METHOD DES + +# +# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If this file exists and is readable, login environment will be +# read from it. Every line should be in the form name=value. +# +#ENVIRON_FILE /etc/environment + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# Enable setting of the umask group bits to be the same as owner bits +# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is +# the same as gid, and username is the same as the primary group name. +# +# This also enables userdel to remove user groups if no members exist. +# +USERGROUPS_ENAB yes + +# +# If set to a non-nul number, the shadow utilities will make sure that +# groups never have more than this number of users on one line. +# This permit to support split groups (groups split into multiple lines, +# with the same group ID, to avoid limitation of the line length in the +# group file). +# +# 0 is the default value and disables this feature. +# +#MAX_MEMBERS_PER_GROUP 0 + +# +# If useradd should create home directories for users by default (non +# system users only) +# This option is overridden with the -M or -m flags on the useradd command +# line. +# +CREATE_HOME yes + diff --git a/poky/meta/recipes-extended/shadow/files/login_defs_pam.sed b/poky/meta/recipes-extended/shadow/files/login_defs_pam.sed new file mode 100644 index 000000000..0a1f3be4a --- /dev/null +++ b/poky/meta/recipes-extended/shadow/files/login_defs_pam.sed @@ -0,0 +1,32 @@ +/^FAILLOG_ENAB/b comment +/^LASTLOG_ENAB/b comment +/^MAIL_CHECK_ENAB/b comment +/^OBSCURE_CHECKS_ENAB/b comment +/^PORTTIME_CHECKS_ENAB/b comment +/^QUOTAS_ENAB/b comment +/^MOTD_FILE/b comment +/^FTMP_FILE/b comment +/^NOLOGINS_FILE/b comment +/^ENV_HZ/b comment +/^ENV_TZ/b comment +/^PASS_MIN_LEN/b comment +/^SU_WHEEL_ONLY/b comment +/^CRACKLIB_DICTPATH/b comment +/^PASS_CHANGE_TRIES/b comment +/^PASS_ALWAYS_WARN/b comment +/^PASS_MAX_LEN/b comment +/^PASS_MIN_LEN/b comment +/^CHFN_AUTH/b comment +/^CHSH_AUTH/b comment +/^ISSUE_FILE/b comment +/^LOGIN_STRING/b comment +/^ULIMIT/b comment +/^ENVIRON_FILE/b comment + +b exit + +: comment + s:^:#: + +: exit + diff --git a/poky/meta/recipes-extended/shadow/files/pam.d/chfn b/poky/meta/recipes-extended/shadow/files/pam.d/chfn new file mode 100644 index 000000000..baf7698bb --- /dev/null +++ b/poky/meta/recipes-extended/shadow/files/pam.d/chfn @@ -0,0 +1,14 @@ +# +# The PAM configuration file for the Shadow `chfn' service +# + +# This allows root to change user infomation without being +# prompted for a password +auth sufficient pam_rootok.so + +# The standard Unix authentication modules, used with +# NIS (man nsswitch) as well as normal /etc/passwd and +# /etc/shadow entries. +auth include common-auth +account include common-account +session include common-session diff --git a/poky/meta/recipes-extended/shadow/files/pam.d/chpasswd b/poky/meta/recipes-extended/shadow/files/pam.d/chpasswd new file mode 100644 index 000000000..9e3efa68b --- /dev/null +++ b/poky/meta/recipes-extended/shadow/files/pam.d/chpasswd @@ -0,0 +1,4 @@ +# The PAM configuration file for the Shadow 'chpasswd' service +# + +password include common-password diff --git a/poky/meta/recipes-extended/shadow/files/pam.d/chsh b/poky/meta/recipes-extended/shadow/files/pam.d/chsh new file mode 100644 index 000000000..8fb169f64 --- /dev/null +++ b/poky/meta/recipes-extended/shadow/files/pam.d/chsh @@ -0,0 +1,19 @@ +# +# The PAM configuration file for the Shadow `chsh' service +# + +# This will not allow a user to change their shell unless +# their current one is listed in /etc/shells. This keeps +# accounts with special shells from changing them. +auth required pam_shells.so + +# This allows root to change user shell without being +# prompted for a password +auth sufficient pam_rootok.so + +# The standard Unix authentication modules, used with +# NIS (man nsswitch) as well as normal /etc/passwd and +# /etc/shadow entries. +auth include common-auth +account include common-account +session include common-session diff --git a/poky/meta/recipes-extended/shadow/files/pam.d/login b/poky/meta/recipes-extended/shadow/files/pam.d/login new file mode 100644 index 000000000..b34005853 --- /dev/null +++ b/poky/meta/recipes-extended/shadow/files/pam.d/login @@ -0,0 +1,81 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# Note that it is included as a "requisite" module. No password prompts will +# be displayed if this module fails to avoid having the root password +# transmitted on unsecure ttys. +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root). +auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 + +# Standard Un*x authentication. +auth include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +account include common-account +password include common-password +session include common-session diff --git a/poky/meta/recipes-extended/shadow/files/pam.d/newusers b/poky/meta/recipes-extended/shadow/files/pam.d/newusers new file mode 100644 index 000000000..4aa3dde48 --- /dev/null +++ b/poky/meta/recipes-extended/shadow/files/pam.d/newusers @@ -0,0 +1,4 @@ +# The PAM configuration file for the Shadow 'newusers' service +# + +password include common-password diff --git a/poky/meta/recipes-extended/shadow/files/pam.d/passwd b/poky/meta/recipes-extended/shadow/files/pam.d/passwd new file mode 100644 index 000000000..f53499243 --- /dev/null +++ b/poky/meta/recipes-extended/shadow/files/pam.d/passwd @@ -0,0 +1,5 @@ +# +# The PAM configuration file for the Shadow `passwd' service +# + +password include common-password diff --git a/poky/meta/recipes-extended/shadow/files/pam.d/su b/poky/meta/recipes-extended/shadow/files/pam.d/su new file mode 100644 index 000000000..8d590a32e --- /dev/null +++ b/poky/meta/recipes-extended/shadow/files/pam.d/su @@ -0,0 +1,57 @@ +# +# The PAM configuration file for the Shadow `su' service +# + +# This allows root to su without passwords (normal operation) +auth sufficient pam_rootok.so + +# Uncomment this to force users to be a member of group root +# before they can use `su'. You can also add "group=foo" +# to the end of this line if you want to use a group other +# than the default "root" (but this may have side effect of +# denying "root" user, unless she's a member of "foo" or explicitly +# permitted earlier by e.g. "sufficient pam_rootok.so"). +# (Replaces the `SU_WHEEL_ONLY' option from login.defs) +# auth required pam_wheel.so + +# Uncomment this if you want wheel members to be able to +# su without a password. +# auth sufficient pam_wheel.so trust + +# Uncomment this if you want members of a specific group to not +# be allowed to use su at all. +# auth required pam_wheel.so deny group=nosu + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on su usage. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 + +# Defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +# +# "nopen" stands to avoid reporting new mail when su'ing to another user +session optional pam_mail.so nopen + +# Sets up user limits, please uncomment and read /etc/security/limits.conf +# to enable this functionality. +# (Replaces the use of /etc/limits in old login) +# session required pam_limits.so + +# The standard Unix authentication modules, used with +# NIS (man nsswitch) as well as normal /etc/passwd and +# /etc/shadow entries. +auth include common-auth +account include common-account +session include common-session diff --git a/poky/meta/recipes-extended/shadow/files/securetty b/poky/meta/recipes-extended/shadow/files/securetty new file mode 100644 index 000000000..2be341a21 --- /dev/null +++ b/poky/meta/recipes-extended/shadow/files/securetty @@ -0,0 +1,238 @@ +# /etc/securetty: list of terminals on which root is allowed to login. +# See securetty(5) and login(1). +console + +# Standard serial ports +ttyS0 +ttyS1 +ttyS2 +ttyS3 + +# ARM AMBA SoCs +ttyAM0 +ttyAM1 +ttyAM2 +ttyAM3 +ttyAMA0 +ttyAMA1 +ttyAMA2 +ttyAMA3 + +# QCOM Socs +ttyHSL0 +ttyHSL1 +ttyHSL2 +ttyHSL3 +ttyMSM0 +ttyMSM1 +ttyMSM2 + +# Samsung ARM SoCs +ttySAC0 +ttySAC1 +ttySAC2 +ttySAC3 + +# STM SoCs +ttyAS0 +ttyAS1 +ttyAS2 +ttyAS3 + +# TI OMAP SoCs +ttyO0 +ttyO1 +ttyO2 +ttyO3 + +# Xilinx Zynq SoC +ttyPS0 +ttyPS1 + +# USB dongles +ttyUSB0 +ttyUSB1 +ttyUSB2 + +# USB serial gadget +ttyGS0 + +# PowerMac +ttyPZ0 +ttyPZ1 +ttyPZ2 +ttyPZ3 + +# Embedded MPC platforms +ttyPSC0 +ttyPSC1 +ttyPSC2 +ttyPSC3 +ttyPSC4 +ttyPSC5 + +# PA-RISC mux ports +ttyB0 +ttyB1 + +# Standard hypervisor virtual console +hvc0 + +# Oldstyle Xen console +xvc0 + +# Standard consoles +tty1 +tty2 +tty3 +tty4 +tty5 +tty6 +tty7 +tty8 +tty9 +tty10 +tty11 +tty12 +tty13 +tty14 +tty15 +tty16 +tty17 +tty18 +tty19 +tty20 +tty21 +tty22 +tty23 +tty24 +tty25 +tty26 +tty27 +tty28 +tty29 +tty30 +tty31 +tty32 +tty33 +tty34 +tty35 +tty36 +tty37 +tty38 +tty39 +tty40 +tty41 +tty42 +tty43 +tty44 +tty45 +tty46 +tty47 +tty48 +tty49 +tty50 +tty51 +tty52 +tty53 +tty54 +tty55 +tty56 +tty57 +tty58 +tty59 +tty60 +tty61 +tty62 +tty63 + +# Local X displays (allows empty passwords with pam_unix's nullok_secure) +pts/0 +pts/1 +pts/2 +pts/3 + +# Embedded Freescale i.MX ports +ttymxc0 +ttymxc1 +ttymxc2 +ttymxc3 +ttymxc4 +ttymxc5 + +# Freescale lpuart ports +ttyLP0 +ttyLP1 +ttyLP2 +ttyLP3 +ttyLP4 +ttyLP5 + +# Standard serial ports, with devfs +tts/0 +tts/1 + +# Standard consoles, with devfs +vc/1 +vc/2 +vc/3 +vc/4 +vc/5 +vc/6 +vc/7 +vc/8 +vc/9 +vc/10 +vc/11 +vc/12 +vc/13 +vc/14 +vc/15 +vc/16 +vc/17 +vc/18 +vc/19 +vc/20 +vc/21 +vc/22 +vc/23 +vc/24 +vc/25 +vc/26 +vc/27 +vc/28 +vc/29 +vc/30 +vc/31 +vc/32 +vc/33 +vc/34 +vc/35 +vc/36 +vc/37 +vc/38 +vc/39 +vc/40 +vc/41 +vc/42 +vc/43 +vc/44 +vc/45 +vc/46 +vc/47 +vc/48 +vc/49 +vc/50 +vc/51 +vc/52 +vc/53 +vc/54 +vc/55 +vc/56 +vc/57 +vc/58 +vc/59 +vc/60 +vc/61 +vc/62 +vc/63 diff --git a/poky/meta/recipes-extended/shadow/files/shadow-4.1.3-dots-in-usernames.patch b/poky/meta/recipes-extended/shadow/files/shadow-4.1.3-dots-in-usernames.patch new file mode 100644 index 000000000..a7bb0a929 --- /dev/null +++ b/poky/meta/recipes-extended/shadow/files/shadow-4.1.3-dots-in-usernames.patch @@ -0,0 +1,27 @@ +# commit message copied from openembedded: +# commit 246c80637b135f3a113d319b163422f98174ee6c +# Author: Khem Raj <raj.khem@gmail.com> +# Date: Wed Jun 9 13:37:03 2010 -0700 +# +# shadow-4.1.4.2: Add patches to support dots in login id. +# +# Signed-off-by: Khem Raj <raj.khem@gmail.com> +# +# comment added by Kevin Tian <kevin.tian@intel.com>, 2010-08-11 + +Upstream-Status: Pending + +Signed-off-by: Scott Garman <scott.a.garman@intel.com> + +Index: shadow-4.1.4.2/libmisc/chkname.c +=================================================================== +--- shadow-4.1.4.2.orig/libmisc/chkname.c 2009-04-28 12:14:04.000000000 -0700 ++++ shadow-4.1.4.2/libmisc/chkname.c 2010-06-03 17:43:20.638973857 -0700 +@@ -61,6 +61,7 @@ static bool is_valid_name (const char *n + ( ('0' <= *name) && ('9' >= *name) ) || + ('_' == *name) || + ('-' == *name) || ++ ('.' == *name) || + ( ('$' == *name) && ('\0' == *(name + 1)) ) + )) { + return false; diff --git a/poky/meta/recipes-extended/shadow/files/shadow-relaxed-usernames.patch b/poky/meta/recipes-extended/shadow/files/shadow-relaxed-usernames.patch new file mode 100644 index 000000000..1af04d5fe --- /dev/null +++ b/poky/meta/recipes-extended/shadow/files/shadow-relaxed-usernames.patch @@ -0,0 +1,100 @@ + +The groupadd from shadow does not allow upper case group names, the +same is true for the upstream shadow. But distributions like +Debian/Ubuntu/CentOS has their own way to cope with this problem, +this patch is picked up from CentOS release 7.0 to relax the usernames +restrictions to allow the upper case group names, and the relaxation is +POSIX compliant because POSIX indicate that usernames are composed of +characters from the portable filename character set [A-Za-z0-9._-]. + +Upstream-Status: Pending + +Signed-off-by: Shan Hai <shan.hai@windriver.com> + +diff -urpN a/libmisc/chkname.c b/libmisc/chkname.c +index 5089112..f40a0da 100644 +--- a/libmisc/chkname.c ++++ b/libmisc/chkname.c +@@ -49,21 +49,28 @@ + static bool is_valid_name (const char *name) + { + /* +- * User/group names must match [a-z_][a-z0-9_-]*[$] +- */ +- if (('\0' == *name) || +- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) { ++ * User/group names must match gnu e-regex: ++ * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]? ++ * ++ * as a non-POSIX, extension, allow "$" as the last char for ++ * sake of Samba 3.x "add machine script" ++ */ ++ if ( ('\0' == *name) || ++ !((*name >= 'a' && *name <= 'z') || ++ (*name >= 'A' && *name <= 'Z') || ++ (*name >= '0' && *name <= '9') || ++ (*name == '_') || (*name == '.') ++ )) { + return false; + } + + while ('\0' != *++name) { +- if (!(( ('a' <= *name) && ('z' >= *name) ) || +- ( ('0' <= *name) && ('9' >= *name) ) || +- ('_' == *name) || +- ('-' == *name) || +- ('.' == *name) || +- ( ('$' == *name) && ('\0' == *(name + 1)) ) +- )) { ++ if (!( (*name >= 'a' && *name <= 'z') || ++ (*name >= 'A' && *name <= 'Z') || ++ (*name >= '0' && *name <= '9') || ++ (*name == '_') || (*name == '.') || (*name == '-') || ++ (*name == '$' && *(name + 1) == '\0') ++ )) { + return false; + } + } +diff -urpN a/man/groupadd.8.xml b/man/groupadd.8.xml +index 230fd0c..94f7807 100644 +--- a/man/groupadd.8.xml ++++ b/man/groupadd.8.xml +@@ -222,12 +222,6 @@ + <refsect1 id='caveats'> + <title>CAVEATS</title> + <para> +- Groupnames must start with a lower case letter or an underscore, +- followed by lower case letters, digits, underscores, or dashes. +- They can end with a dollar sign. +- In regular expression terms: [a-z_][a-z0-9_-]*[$]? +- </para> +- <para> + Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long. + </para> + <para> +diff -urpN a/man/useradd.8.xml b/man/useradd.8.xml +index 5dec989..fe623b9 100644 +--- a/man/useradd.8.xml ++++ b/man/useradd.8.xml +@@ -336,7 +336,7 @@ + </term> + <listitem> + <para> +- Do no create the user's home directory, even if the system ++ Do not create the user's home directory, even if the system + wide setting from <filename>/etc/login.defs</filename> + (<option>CREATE_HOME</option>) is set to + <replaceable>yes</replaceable>. +@@ -607,12 +607,6 @@ + </para> + + <para> +- Usernames must start with a lower case letter or an underscore, +- followed by lower case letters, digits, underscores, or dashes. +- They can end with a dollar sign. +- In regular expression terms: [a-z_][a-z0-9_-]*[$]? +- </para> +- <para> + Usernames may only be up to 32 characters long. + </para> + </refsect1> diff --git a/poky/meta/recipes-extended/shadow/files/shadow-update-pam-conf.patch b/poky/meta/recipes-extended/shadow/files/shadow-update-pam-conf.patch new file mode 100644 index 000000000..15f8044fa --- /dev/null +++ b/poky/meta/recipes-extended/shadow/files/shadow-update-pam-conf.patch @@ -0,0 +1,91 @@ +The system-auth in the configure files is from Fedora which put all the 4 pam type rules +in one file. +In yocto it obey the way with Debian/Ubuntu, and the names are common-auth, common-account, +common-password and common-session. +So update them with oe way. + +Upstream-Status: Pending + +Signed-off-by: Kang Kai <kai.kang@windriver.com> + +diff -Nur shadow-4.1.4.3/etc/pam.d.orig/chage shadow-4.1.4.3/etc/pam.d/chage +--- shadow-4.1.4.3/etc/pam.d.orig/chage 2011-07-20 19:02:27.384844958 +0800 ++++ shadow-4.1.4.3/etc/pam.d/chage 2011-07-20 19:03:08.964844958 +0800 +@@ -1,4 +1,4 @@ + #%PAM-1.0 + auth sufficient pam_rootok.so + account required pam_permit.so +-password include system-auth ++password include common-password +diff -Nur shadow-4.1.4.3/etc/pam.d.orig/chgpasswd shadow-4.1.4.3/etc/pam.d/chgpasswd +--- shadow-4.1.4.3/etc/pam.d.orig/chgpasswd 2011-07-20 19:02:27.384844958 +0800 ++++ shadow-4.1.4.3/etc/pam.d/chgpasswd 2011-07-20 19:03:26.544844958 +0800 +@@ -1,4 +1,4 @@ + #%PAM-1.0 + auth sufficient pam_rootok.so + account required pam_permit.so +-password include system-auth ++password include common-password +diff -Nur shadow-4.1.4.3/etc/pam.d.orig/groupadd shadow-4.1.4.3/etc/pam.d/groupadd +--- shadow-4.1.4.3/etc/pam.d.orig/groupadd 2011-07-20 19:02:27.384844958 +0800 ++++ shadow-4.1.4.3/etc/pam.d/groupadd 2011-07-20 19:04:08.124844958 +0800 +@@ -1,4 +1,4 @@ + #%PAM-1.0 + auth sufficient pam_rootok.so + account required pam_permit.so +-password include system-auth ++password include common-password +diff -Nur shadow-4.1.4.3/etc/pam.d.orig/groupdel shadow-4.1.4.3/etc/pam.d/groupdel +--- shadow-4.1.4.3/etc/pam.d.orig/groupdel 2011-07-20 19:02:27.384844958 +0800 ++++ shadow-4.1.4.3/etc/pam.d/groupdel 2011-07-20 19:04:26.114844958 +0800 +@@ -1,4 +1,4 @@ + #%PAM-1.0 + auth sufficient pam_rootok.so + account required pam_permit.so +-password include system-auth ++password include common-password +diff -Nur shadow-4.1.4.3/etc/pam.d.orig/groupmems shadow-4.1.4.3/etc/pam.d/groupmems +--- shadow-4.1.4.3/etc/pam.d.orig/groupmems 2011-07-20 19:02:27.384844958 +0800 ++++ shadow-4.1.4.3/etc/pam.d/groupmems 2011-07-20 19:04:35.074844958 +0800 +@@ -1,4 +1,4 @@ + #%PAM-1.0 + auth sufficient pam_rootok.so + account required pam_permit.so +-password include system-auth ++password include common-password +diff -Nur shadow-4.1.4.3/etc/pam.d.orig/groupmod shadow-4.1.4.3/etc/pam.d/groupmod +--- shadow-4.1.4.3/etc/pam.d.orig/groupmod 2011-07-20 19:02:27.384844958 +0800 ++++ shadow-4.1.4.3/etc/pam.d/groupmod 2011-07-20 19:04:44.864844958 +0800 +@@ -1,4 +1,4 @@ + #%PAM-1.0 + auth sufficient pam_rootok.so + account required pam_permit.so +-password include system-auth ++password include common-password +diff -Nur shadow-4.1.4.3/etc/pam.d.orig/useradd shadow-4.1.4.3/etc/pam.d/useradd +--- shadow-4.1.4.3/etc/pam.d.orig/useradd 2011-07-20 19:02:27.384844958 +0800 ++++ shadow-4.1.4.3/etc/pam.d/useradd 2011-07-20 19:07:26.244844958 +0800 +@@ -1,4 +1,4 @@ + #%PAM-1.0 + auth sufficient pam_rootok.so + account required pam_permit.so +-password include system-auth ++password include common-password +diff -Nur shadow-4.1.4.3/etc/pam.d.orig/userdel shadow-4.1.4.3/etc/pam.d/userdel +--- shadow-4.1.4.3/etc/pam.d.orig/userdel 2011-07-20 19:02:27.384844958 +0800 ++++ shadow-4.1.4.3/etc/pam.d/userdel 2011-07-20 19:07:35.734844958 +0800 +@@ -1,4 +1,4 @@ + #%PAM-1.0 + auth sufficient pam_rootok.so + account required pam_permit.so +-password include system-auth ++password include common-password +diff -Nur shadow-4.1.4.3/etc/pam.d.orig/usermod shadow-4.1.4.3/etc/pam.d/usermod +--- shadow-4.1.4.3/etc/pam.d.orig/usermod 2011-07-20 19:02:27.384844958 +0800 ++++ shadow-4.1.4.3/etc/pam.d/usermod 2011-07-20 19:07:42.024844958 +0800 +@@ -1,4 +1,4 @@ + #%PAM-1.0 + auth sufficient pam_rootok.so + account required pam_permit.so +-password include system-auth ++password include common-password diff --git a/poky/meta/recipes-extended/shadow/files/usermod-fix-compilation-failure-with-subids-disabled.patch b/poky/meta/recipes-extended/shadow/files/usermod-fix-compilation-failure-with-subids-disabled.patch new file mode 100644 index 000000000..37dc153fc --- /dev/null +++ b/poky/meta/recipes-extended/shadow/files/usermod-fix-compilation-failure-with-subids-disabled.patch @@ -0,0 +1,33 @@ +Upstream-Status: Pending + +usermod: fix compilation failure with subids disabled + +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + src/usermod.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/usermod.c b/src/usermod.c +index e7d4351..685b50a 100644 +--- a/src/usermod.c ++++ b/src/usermod.c +@@ -1360,7 +1360,7 @@ static void process_flags (int argc, char **argv) + Prog, (unsigned long) user_newid); + exit (E_UID_IN_USE); + } +- ++#ifdef ENABLE_SUBIDS + if ( (vflg || Vflg) + && !is_sub_uid) { + fprintf (stderr, +@@ -1376,6 +1376,7 @@ static void process_flags (int argc, char **argv) + Prog, sub_gid_dbname (), "-w", "-W"); + exit (E_USAGE); + } ++#endif + } + + /* +-- +1.7.9.5 + |
