./0000775000175000017500000000000012511411357011435 5ustar nielsenrnielsenr./usermod-fix-compilation-failure-with-subids-disabled.patch0000664000175000017500000000133612511411357024671 0ustar nielsenrnielsenrUpstream-Status: Pending usermod: fix compilation failure with subids disabled Signed-off-by: Chen Qi --- src/usermod.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/usermod.c b/src/usermod.c index e7d4351..685b50a 100644 --- a/src/usermod.c +++ b/src/usermod.c @@ -1360,7 +1360,7 @@ static void process_flags (int argc, char **argv) Prog, (unsigned long) user_newid); exit (E_UID_IN_USE); } - +#ifdef ENABLE_SUBIDS if ( (vflg || Vflg) && !is_sub_uid) { fprintf (stderr, @@ -1376,6 +1376,7 @@ static void process_flags (int argc, char **argv) Prog, sub_gid_dbname (), "-w", "-W"); exit (E_USAGE); } +#endif } /* -- 1.7.9.5 ./check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch0000664000175000017500000000250312511411357024151 0ustar nielsenrnielsenrFrom 2cb54158b80cdbd97ca3b36df83f9255e923ae3f Mon Sep 17 00:00:00 2001 From: James Le Cuirot Date: Sat, 23 Aug 2014 09:46:39 +0100 Subject: [PATCH] Check size of uid_t and gid_t using AC_CHECK_SIZEOF This built-in check is simpler than the previous method and, most importantly, works when cross-compiling. Upstream-Status: Accepted [https://github.com/shadow-maint/shadow/commit/2cb54158b80cdbd97ca3b36df83f9255e923ae3f] Signed-off-by: Serge Hallyn --- configure.in | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/configure.in b/configure.in index 1a3f841..4a4d6d0 100644 --- a/configure.in +++ b/configure.in @@ -335,16 +335,10 @@ if test "$enable_subids" != "no"; then dnl dnl FIXME: check if 32 bit UIDs/GIDs are supported by libc dnl - AC_RUN_IFELSE([AC_LANG_SOURCE([ -#include -int main(void) { - uid_t u; - gid_t g; - return (sizeof u < 4) || (sizeof g < 4); -} - ])], [id32bit="yes"], [id32bit="no"]) - - if test "x$id32bit" = "xyes"; then + AC_CHECK_SIZEOF([uid_t],, [#include "sys/types.h"]) + AC_CHECK_SIZEOF([gid_t],, [#include "sys/types.h"]) + + if test "$ac_cv_sizeof_uid_t" -ge 4 && test "$ac_cv_sizeof_gid_t" -ge 4; then AC_DEFINE(ENABLE_SUBIDS, 1, [Define to support the subordinate IDs.]) enable_subids="yes" else ./0001-Do-not-read-login.defs-before-doing-chroot.patch0000664000175000017500000000310312511411357022762 0ustar nielsenrnielsenrFrom 170c25c8e0b5c3dc2615d1db94c8d24a13ff99bf Mon Sep 17 00:00:00 2001 From: Peter Kjellerstedt Date: Thu, 11 Sep 2014 15:11:23 +0200 Subject: [PATCH] Do not read login.defs before doing chroot() If "useradd --root ..." was used, the login.defs file would still be read from /etc/login.defs instead of /etc/login.defs. This was due to getdef_ulong() being called before process_root_flag(). Upstream-Status: Submitted [http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/2014-September/010446.html] Signed-off-by: Peter Kjellerstedt --- src/useradd.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/useradd.c b/src/useradd.c index a8a1f76..e1ebf50 100644 --- a/src/useradd.c +++ b/src/useradd.c @@ -1993,9 +1993,11 @@ int main (int argc, char **argv) #endif /* USE_PAM */ #endif /* ACCT_TOOLS_SETUID */ +#ifdef ENABLE_SUBIDS /* Needed for userns check */ - uid_t uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); - uid_t uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); + uid_t uid_min; + uid_t uid_max; +#endif /* * Get my name so that I can use it to report errors. @@ -2026,6 +2028,8 @@ int main (int argc, char **argv) is_shadow_grp = sgr_file_present (); #endif #ifdef ENABLE_SUBIDS + uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL); + uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL); is_sub_uid = sub_uid_file_present () && !rflg && (!user_id || (user_id <= uid_max && user_id >= uid_min)); is_sub_gid = sub_gid_file_present () && !rflg && -- 1.9.0 ./0001-useradd.c-create-parent-directories-when-necessary.patch0000664000175000017500000000527712511411357024712 0ustar nielsenrnielsenrUpstream-Status: Inappropriate [OE specific] Subject: useradd.c: create parent directories when necessary Signed-off-by: Chen Qi --- src/useradd.c | 72 +++++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 49 insertions(+), 23 deletions(-) diff --git a/src/useradd.c b/src/useradd.c index 4bd969d..cb5dd6c 100644 --- a/src/useradd.c +++ b/src/useradd.c @@ -1893,6 +1893,35 @@ static void usr_update (void) } /* + * mkdir_p - create directories, including parent directories when needed + * + * similar to `mkdir -p' + */ +void mkdir_p(const char *path) { + int len = strlen(path); + char newdir[len + 1]; + mode_t mode = 0755; + int i = 0; + + if (path[i] == '\0') { + return; + } + + /* skip the leading '/' */ + i++; + + while(path[i] != '\0') { + if (path[i] == '/') { + strncpy(newdir, path, i); + newdir[i] = '\0'; + mkdir(newdir, mode); + } + i++; + } + mkdir(path, mode); +} + +/* * create_home - create the user's home directory * * create_home() creates the user's home directory if it does not @@ -1907,36 +1936,33 @@ static void create_home (void) fail_exit (E_HOMEDIR); } #endif - /* XXX - create missing parent directories. --marekm */ - if (mkdir (user_home, 0) != 0) { - fprintf (stderr, - _("%s: cannot create directory %s\n"), - Prog, user_home); -#ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_USER, Prog, - "adding home directory", - user_name, (unsigned int) user_id, - SHADOW_AUDIT_FAILURE); -#endif - fail_exit (E_HOMEDIR); - } - chown (user_home, user_id, user_gid); - chmod (user_home, - 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); - home_added = true; + mkdir_p(user_home); + } + if (access (user_home, F_OK) != 0) { #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_USER, Prog, "adding home directory", user_name, (unsigned int) user_id, - SHADOW_AUDIT_SUCCESS); + SHADOW_AUDIT_FAILURE); #endif -#ifdef WITH_SELINUX - /* Reset SELinux to create files with default contexts */ - if (reset_selinux_file_context () != 0) { - fail_exit (E_HOMEDIR); - } + fail_exit (E_HOMEDIR); + } + chown (user_home, user_id, user_gid); + chmod (user_home, + 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); + home_added = true; +#ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, + "adding home directory", + user_name, (unsigned int) user_id, + SHADOW_AUDIT_SUCCESS); #endif +#ifdef WITH_SELINUX + /* Reset SELinux to create files with default contexts */ + if (reset_selinux_file_context () != 0) { + fail_exit (E_HOMEDIR); } +#endif } /* -- 1.7.9.5 ./securetty0000664000175000017500000000342712511411357013415 0ustar nielsenrnielsenr# /etc/securetty: list of terminals on which root is allowed to login. # See securetty(5) and login(1). console # Standard serial ports ttyS0 ttyS1 ttyS2 ttyS3 # ARM AMBA SoCs ttyAM0 ttyAM1 ttyAM2 ttyAM3 ttyAMA0 ttyAMA1 ttyAMA2 ttyAMA3 # QCOM Socs ttyHSL0 ttyHSL1 ttyHSL2 ttyHSL3 ttyMSM0 ttyMSM1 ttyMSM2 # Samsung ARM SoCs ttySAC0 ttySAC1 ttySAC2 ttySAC3 # STM SoCs ttyAS0 ttyAS1 ttyAS2 ttyAS3 # TI OMAP SoCs ttyO0 ttyO1 ttyO2 ttyO3 # USB dongles ttyUSB0 ttyUSB1 ttyUSB2 # USB serial gadget ttyGS0 # PowerMac ttyPZ0 ttyPZ1 ttyPZ2 ttyPZ3 # Embedded MPC platforms ttyPSC0 ttyPSC1 ttyPSC2 ttyPSC3 ttyPSC4 ttyPSC5 # PA-RISC mux ports ttyB0 ttyB1 # Standard hypervisor virtual console hvc0 # Oldstyle Xen console xvc0 # Standard consoles tty1 tty2 tty3 tty4 tty5 tty6 tty7 tty8 tty9 tty10 tty11 tty12 tty13 tty14 tty15 tty16 tty17 tty18 tty19 tty20 tty21 tty22 tty23 tty24 tty25 tty26 tty27 tty28 tty29 tty30 tty31 tty32 tty33 tty34 tty35 tty36 tty37 tty38 tty39 tty40 tty41 tty42 tty43 tty44 tty45 tty46 tty47 tty48 tty49 tty50 tty51 tty52 tty53 tty54 tty55 tty56 tty57 tty58 tty59 tty60 tty61 tty62 tty63 # Local X displays (allows empty passwords with pam_unix's nullok_secure) pts/0 pts/1 pts/2 pts/3 # Embedded Freescale i.MX ports ttymxc0 ttymxc1 ttymxc2 ttymxc3 ttymxc4 ttymxc5 # Freescale lpuart ports ttyLP0 ttyLP1 ttyLP2 ttyLP3 ttyLP4 ttyLP5 # Standard serial ports, with devfs tts/0 tts/1 # Standard consoles, with devfs vc/1 vc/2 vc/3 vc/4 vc/5 vc/6 vc/7 vc/8 vc/9 vc/10 vc/11 vc/12 vc/13 vc/14 vc/15 vc/16 vc/17 vc/18 vc/19 vc/20 vc/21 vc/22 vc/23 vc/24 vc/25 vc/26 vc/27 vc/28 vc/29 vc/30 vc/31 vc/32 vc/33 vc/34 vc/35 vc/36 vc/37 vc/38 vc/39 vc/40 vc/41 vc/42 vc/43 vc/44 vc/45 vc/46 vc/47 vc/48 vc/49 vc/50 vc/51 vc/52 vc/53 vc/54 vc/55 vc/56 vc/57 vc/58 vc/59 vc/60 vc/61 vc/62 vc/63 ./fix-installation-failure-with-subids-disabled.patch0000664000175000017500000000140312511411357023373 0ustar nielsenrnielsenrUpstream-Status: Pending Subject: fix installation failure with subids disabled Signed-off-by: Chen Qi --- src/Makefile.am | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/Makefile.am b/src/Makefile.am index 25e288d..076f8ef 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -52,7 +52,10 @@ usbin_PROGRAMS = \ noinst_PROGRAMS = id sulogin suidbins = su -suidubins = chage chfn chsh expiry gpasswd newgrp passwd newuidmap newgidmap +suidubins = chage chfn chsh expiry gpasswd newgrp passwd +if ENABLE_SUBIDS +suidubins += newgidmap newuidmap +endif if ACCT_TOOLS_SETUID suidubins += chage chgpasswd chpasswd groupadd groupdel groupmod newusers useradd userdel usermod endif -- 1.7.9.5 ./0001-su.c-fix-to-exec-command-correctly.patch0000664000175000017500000000110512511411357021447 0ustar nielsenrnielsenrUpstream-Status: Pending Subject: su.c: fix to exec command correctly Signed-off-by: Chen Qi --- src/su.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/su.c b/src/su.c index 3704217..bc4f2ac 100644 --- a/src/su.c +++ b/src/su.c @@ -1156,7 +1156,7 @@ int main (int argc, char **argv) * Use the shell and create an argv * with the rest of the command line included. */ - argv[-1] = cp; + argv[-1] = shellstr; execve_shell (shellstr, &argv[-1], environ); err = errno; (void) fprintf (stderr, -- 1.7.9.5 ./commonio.c-fix-unexpected-open-failure-in-chroot-env.patch0000664000175000017500000000237112511411357024522 0ustar nielsenrnielsenrUpstream-Status: Inappropriate [OE specific] commonio.c: fix unexpected open failure in chroot environment When using commands with '-R ' option in our pseudo environment, we would usually get the 'Pemission Denied' error. This patch serves as a workaround to this problem. Note that this patch doesn't change the logic in the code, it just expands the codes. Signed-off-by: Chen Qi --- lib/commonio.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/lib/commonio.c b/lib/commonio.c index cc536bf..51cafd9 100644 --- a/lib/commonio.c +++ b/lib/commonio.c @@ -613,10 +613,18 @@ int commonio_open (struct commonio_db *db, int mode) db->cursor = NULL; db->changed = false; - fd = open (db->filename, - (db->readonly ? O_RDONLY : O_RDWR) - | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW); - saved_errno = errno; + if (db->readonly) { + fd = open (db->filename, + (true ? O_RDONLY : O_RDWR) + | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW); + saved_errno = errno; + } else { + fd = open (db->filename, + (false ? O_RDONLY : O_RDWR) + | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW); + saved_errno = errno; + } + db->fp = NULL; if (fd >= 0) { #ifdef WITH_TCB -- 1.7.9.5 ./login.defs_shadow-sysroot0000664000175000017500000002456412511411357016510 0ustar nielsenrnielsenr# # /etc/login.defs - Configuration control definitions for the shadow package. # # $Id: login.defs 3038 2009-07-23 20:41:35Z nekral-guest $ # # # Delay in seconds before being allowed another attempt after a login failure # Note: When PAM is used, some modules may enfore a minimal delay (e.g. # pam_unix enforces a 2s delay) # FAIL_DELAY 3 # # Enable logging and display of /var/log/faillog login failure info. # #FAILLOG_ENAB yes # # Enable display of unknown usernames when login failures are recorded. # LOG_UNKFAIL_ENAB no # # Enable logging of successful logins # LOG_OK_LOGINS no # # Enable logging and display of /var/log/lastlog login time info. # #LASTLOG_ENAB yes # # Enable checking and display of mailbox status upon login. # # Disable if the shell startup files already check for mail # ("mailx -e" or equivalent). # ##MAIL_CHECK_ENAB yes # # Enable additional checks upon password changes. # #OBSCURE_CHECKS_ENAB yes # # Enable checking of time restrictions specified in /etc/porttime. # #PORTTIME_CHECKS_ENAB yes # # Enable setting of ulimit, umask, and niceness from passwd gecos field. # #QUOTAS_ENAB yes # # Enable "syslog" logging of su activity - in addition to sulog file logging. # SYSLOG_SG_ENAB does the same for newgrp and sg. # SYSLOG_SU_ENAB yes SYSLOG_SG_ENAB yes # # If defined, either full pathname of a file containing device names or # a ":" delimited list of device names. Root logins will be allowed only # upon these devices. # CONSOLE /etc/securetty #CONSOLE console:tty01:tty02:tty03:tty04 # # If defined, all su activity is logged to this file. # #SULOG_FILE /var/log/sulog # # If defined, ":" delimited list of "message of the day" files to # be displayed upon login. # #MOTD_FILE /etc/motd #MOTD_FILE /etc/motd:/usr/lib/news/news-motd # # If defined, this file will be output before each login prompt. # #ISSUE_FILE /etc/issue # # If defined, file which maps tty line to TERM environment parameter. # Each line of the file is in a format something like "vt100 tty01". # #TTYTYPE_FILE /etc/ttytype # # If defined, login failures will be logged here in a utmp format. # last, when invoked as lastb, will read /var/log/btmp, so... # #FTMP_FILE /var/log/btmp # # If defined, name of file whose presence which will inhibit non-root # logins. The contents of this file should be a message indicating # why logins are inhibited. # #NOLOGINS_FILE /etc/nologin # # If defined, the command name to display when running "su -". For # example, if this is defined as "su" then a "ps" will display the # command is "-su". If not defined, then "ps" would display the # name of the shell actually being run, e.g. something like "-sh". # SU_NAME su # # *REQUIRED* # Directory where mailboxes reside, _or_ name of file, relative to the # home directory. If you _do_ define both, #MAIL_DIR takes precedence. # #MAIL_DIR /var/spool/mail MAIL_FILE .mail # # If defined, file which inhibits all the usual chatter during the login # sequence. If a full pathname, then hushed mode will be enabled if the # user's name or shell are found in the file. If not a full pathname, then # hushed mode will be enabled if the file exists in the user's home directory. # HUSHLOGIN_FILE .hushlogin #HUSHLOGIN_FILE /etc/hushlogins # # If defined, either a TZ environment parameter spec or the # fully-rooted pathname of a file containing such a spec. # #ENV_TZ TZ=CST6CDT #ENV_TZ /etc/tzname # # If defined, an HZ environment parameter spec. # # for Linux/x86 #ENV_HZ HZ=100 # For Linux/Alpha... #ENV_HZ HZ=1024 # # *REQUIRED* The default PATH settings, for superuser and normal users. # # (they are minimal, add the rest in the shell startup files) ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin ENV_PATH PATH=/bin:/usr/bin # # Terminal permissions # # TTYGROUP Login tty will be assigned this group ownership. # TTYPERM Login tty will be set to this permission. # # If you have a "write" program which is "setgid" to a special group # which owns the terminals, define TTYGROUP to the group number and # TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign # TTYPERM to either 622 or 600. # TTYGROUP tty TTYPERM 0600 # # Login configuration initializations: # # ERASECHAR Terminal ERASE character ('\010' = backspace). # KILLCHAR Terminal KILL character ('\025' = CTRL/U). # ULIMIT Default "ulimit" value. # # The ERASECHAR and KILLCHAR are used only on System V machines. # The ULIMIT is used only if the system supports it. # (now it works with setrlimit too; ulimit is in 512-byte units) # # Prefix these values with "0" to get octal, "0x" to get hexadecimal. # ERASECHAR 0177 KILLCHAR 025 #ULIMIT 2097152 # Default initial "umask" value for non-PAM enabled systems. # UMASK is also used by useradd and newusers to set the mode of new home # directories. # 022 is the default value, but 027, or even 077, could be considered # better for privacy. There is no One True Answer here: each sysadmin # must make up her mind. UMASK 022 # # Password aging controls: # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. # PASS_MIN_LEN Minimum acceptable password length. # PASS_WARN_AGE Number of days warning given before a password expires. # PASS_MAX_DAYS 99999 PASS_MIN_DAYS 0 #PASS_MIN_LEN 5 PASS_WARN_AGE 7 # # If "yes", the user must be listed as a member of the first gid 0 group # in /etc/group (called "root" on most Linux systems) to be able to "su" # to uid 0 accounts. If the group doesn't exist or is empty, no one # will be able to "su" to uid 0. # #SU_WHEEL_ONLY no # # If compiled with cracklib support, where are the dictionaries # #CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict # # Min/max values for automatic uid selection in useradd # UID_MIN 1000 UID_MAX 60000 # System accounts SYS_UID_MIN 101 SYS_UID_MAX 999 # # Min/max values for automatic gid selection in groupadd # GID_MIN 1000 GID_MAX 60000 # System accounts SYS_GID_MIN 101 SYS_GID_MAX 999 # # Max number of login retries if password is bad # LOGIN_RETRIES 5 # # Max time in seconds for login # LOGIN_TIMEOUT 60 # # Maximum number of attempts to change password if rejected (too easy) # #PASS_CHANGE_TRIES 5 # # Warn about weak passwords (but still allow them) if you are root. # #PASS_ALWAYS_WARN yes # # Number of significant characters in the password for crypt(). # Default is 8, don't change unless your crypt() is better. # Ignored if MD5_CRYPT_ENAB set to "yes". # #PASS_MAX_LEN 8 # # Require password before chfn/chsh can make any changes. # #CHFN_AUTH yes # # Which fields may be changed by regular users using chfn - use # any combination of letters "frwh" (full name, room number, work # phone, home phone). If not defined, no changes are allowed. # For backward compatibility, "yes" = "rwh" and "no" = "frwh". # CHFN_RESTRICT rwh # # Password prompt (%s will be replaced by user name). # # XXX - it doesn't work correctly yet, for now leave it commented out # to use the default which is just "Password: ". #LOGIN_STRING "%s's Password: " # # Only works if compiled with MD5_CRYPT defined: # If set to "yes", new passwords will be encrypted using the MD5-based # algorithm compatible with the one used by recent releases of FreeBSD. # It supports passwords of unlimited length and longer salt strings. # Set to "no" if you need to copy encrypted passwords to other systems # which don't understand the new algorithm. Default is "no". # # Note: If you use PAM, it is recommended to use a value consistent with # the PAM modules configuration. # # This variable is deprecated. You should use ENCRYPT_METHOD. # #MD5_CRYPT_ENAB no # # Only works if compiled with ENCRYPTMETHOD_SELECT defined: # If set to MD5 , MD5-based algorithm will be used for encrypting password # If set to SHA256, SHA256-based algorithm will be used for encrypting password # If set to SHA512, SHA512-based algorithm will be used for encrypting password # If set to DES, DES-based algorithm will be used for encrypting password (default) # Overrides the MD5_CRYPT_ENAB option # # Note: If you use PAM, it is recommended to use a value consistent with # the PAM modules configuration. # #ENCRYPT_METHOD DES # # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. # # Define the number of SHA rounds. # With a lot of rounds, it is more difficult to brute forcing the password. # But note also that it more CPU resources will be needed to authenticate # users. # # If not specified, the libc will choose the default number of rounds (5000). # The values must be inside the 1000-999999999 range. # If only one of the MIN or MAX values is set, then this value will be used. # If MIN > MAX, the highest value will be used. # # SHA_CRYPT_MIN_ROUNDS 5000 # SHA_CRYPT_MAX_ROUNDS 5000 # # List of groups to add to the user's supplementary group set # when logging in on the console (as determined by the CONSOLE # setting). Default is none. # # Use with caution - it is possible for users to gain permanent # access to these groups, even when not logged in on the console. # How to do it is left as an exercise for the reader... # #CONSOLE_GROUPS floppy:audio:cdrom # # Should login be allowed if we can't cd to the home directory? # Default in no. # DEFAULT_HOME yes # # If this file exists and is readable, login environment will be # read from it. Every line should be in the form name=value. # #ENVIRON_FILE /etc/environment # # If defined, this command is run when removing a user. # It should remove any at/cron/print jobs etc. owned by # the user to be removed (passed as the first argument). # #USERDEL_CMD /usr/sbin/userdel_local # # Enable setting of the umask group bits to be the same as owner bits # (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is # the same as gid, and username is the same as the primary group name. # # This also enables userdel to remove user groups if no members exist. # USERGROUPS_ENAB yes # # If set to a non-nul number, the shadow utilities will make sure that # groups never have more than this number of users on one line. # This permit to support split groups (groups split into multiple lines, # with the same group ID, to avoid limitation of the line length in the # group file). # # 0 is the default value and disables this feature. # #MAX_MEMBERS_PER_GROUP 0 # # If useradd should create home directories for users by default (non # system users only) # This option is overridden with the -M or -m flags on the useradd command # line. # CREATE_HOME yes ./disable-syslog.patch0000664000175000017500000000230312511411357015375 0ustar nielsenrnielsenrDisable use of syslog to prevent sysroot user and group additions from writing entries to the host's syslog. This patch should only be used with the shadow-native recipe. Upstream-Status: Inappropriate [disable feature] Signed-off-by: Scott Garman diff -urN shadow-4.1.4.3.orig//src/groupadd.c shadow-4.1.4.3/src/groupadd.c --- shadow-4.1.4.3.orig//src/groupadd.c 2011-02-13 09:58:16.000000000 -0800 +++ shadow-4.1.4.3/src/groupadd.c 2012-04-05 10:05:59.440001758 -0700 @@ -34,6 +34,9 @@ #ident "$Id: groupadd.c 3015 2009-06-05 22:16:56Z nekral-guest $" +/* Disable use of syslog since we're running this command against a sysroot */ +#undef USE_SYSLOG + #include #include #include diff -urN shadow-4.1.4.3.orig//src/useradd.c shadow-4.1.4.3/src/useradd.c --- shadow-4.1.4.3.orig//src/useradd.c 2011-02-13 09:58:16.000000000 -0800 +++ shadow-4.1.4.3/src/useradd.c 2012-04-05 10:06:25.076001315 -0700 @@ -34,6 +34,9 @@ #ident "$Id: useradd.c 3015 2009-06-05 22:16:56Z nekral-guest $" +/* Disable use of syslog since we're running this command against a sysroot */ +#undef USE_SYSLOG + #include #include #include ./shadow-4.1.3-dots-in-usernames.patch0000664000175000017500000000173012511411357017760 0ustar nielsenrnielsenr# commit message copied from openembedded: # commit 246c80637b135f3a113d319b163422f98174ee6c # Author: Khem Raj # Date: Wed Jun 9 13:37:03 2010 -0700 # # shadow-4.1.4.2: Add patches to support dots in login id. # # Signed-off-by: Khem Raj # # comment added by Kevin Tian , 2010-08-11 Upstream-Status: Pending Signed-off-by: Scott Garman Index: shadow-4.1.4.2/libmisc/chkname.c =================================================================== --- shadow-4.1.4.2.orig/libmisc/chkname.c 2009-04-28 12:14:04.000000000 -0700 +++ shadow-4.1.4.2/libmisc/chkname.c 2010-06-03 17:43:20.638973857 -0700 @@ -61,6 +61,7 @@ static bool is_valid_name (const char *n ( ('0' <= *name) && ('9' >= *name) ) || ('_' == *name) || ('-' == *name) || + ('.' == *name) || ( ('$' == *name) && ('\0' == *(name + 1)) ) )) { return false; ./shadow-update-pam-conf.patch0000664000175000017500000000743112511411357016726 0ustar nielsenrnielsenrThe system-auth in the configure files is from Fedora which put all the 4 pam type rules in one file. In yocto it obey the way with Debian/Ubuntu, and the names are common-auth, common-account, common-password and common-session. So update them with oe way. Upstream-Status: Pending Signed-off-by: Kang Kai diff -Nur shadow-4.1.4.3/etc/pam.d.orig/chage shadow-4.1.4.3/etc/pam.d/chage --- shadow-4.1.4.3/etc/pam.d.orig/chage 2011-07-20 19:02:27.384844958 +0800 +++ shadow-4.1.4.3/etc/pam.d/chage 2011-07-20 19:03:08.964844958 +0800 @@ -1,4 +1,4 @@ #%PAM-1.0 auth sufficient pam_rootok.so account required pam_permit.so -password include system-auth +password include common-password diff -Nur shadow-4.1.4.3/etc/pam.d.orig/chgpasswd shadow-4.1.4.3/etc/pam.d/chgpasswd --- shadow-4.1.4.3/etc/pam.d.orig/chgpasswd 2011-07-20 19:02:27.384844958 +0800 +++ shadow-4.1.4.3/etc/pam.d/chgpasswd 2011-07-20 19:03:26.544844958 +0800 @@ -1,4 +1,4 @@ #%PAM-1.0 auth sufficient pam_rootok.so account required pam_permit.so -password include system-auth +password include common-password diff -Nur shadow-4.1.4.3/etc/pam.d.orig/groupadd shadow-4.1.4.3/etc/pam.d/groupadd --- shadow-4.1.4.3/etc/pam.d.orig/groupadd 2011-07-20 19:02:27.384844958 +0800 +++ shadow-4.1.4.3/etc/pam.d/groupadd 2011-07-20 19:04:08.124844958 +0800 @@ -1,4 +1,4 @@ #%PAM-1.0 auth sufficient pam_rootok.so account required pam_permit.so -password include system-auth +password include common-password diff -Nur shadow-4.1.4.3/etc/pam.d.orig/groupdel shadow-4.1.4.3/etc/pam.d/groupdel --- shadow-4.1.4.3/etc/pam.d.orig/groupdel 2011-07-20 19:02:27.384844958 +0800 +++ shadow-4.1.4.3/etc/pam.d/groupdel 2011-07-20 19:04:26.114844958 +0800 @@ -1,4 +1,4 @@ #%PAM-1.0 auth sufficient pam_rootok.so account required pam_permit.so -password include system-auth +password include common-password diff -Nur shadow-4.1.4.3/etc/pam.d.orig/groupmems shadow-4.1.4.3/etc/pam.d/groupmems --- shadow-4.1.4.3/etc/pam.d.orig/groupmems 2011-07-20 19:02:27.384844958 +0800 +++ shadow-4.1.4.3/etc/pam.d/groupmems 2011-07-20 19:04:35.074844958 +0800 @@ -1,4 +1,4 @@ #%PAM-1.0 auth sufficient pam_rootok.so account required pam_permit.so -password include system-auth +password include common-password diff -Nur shadow-4.1.4.3/etc/pam.d.orig/groupmod shadow-4.1.4.3/etc/pam.d/groupmod --- shadow-4.1.4.3/etc/pam.d.orig/groupmod 2011-07-20 19:02:27.384844958 +0800 +++ shadow-4.1.4.3/etc/pam.d/groupmod 2011-07-20 19:04:44.864844958 +0800 @@ -1,4 +1,4 @@ #%PAM-1.0 auth sufficient pam_rootok.so account required pam_permit.so -password include system-auth +password include common-password diff -Nur shadow-4.1.4.3/etc/pam.d.orig/useradd shadow-4.1.4.3/etc/pam.d/useradd --- shadow-4.1.4.3/etc/pam.d.orig/useradd 2011-07-20 19:02:27.384844958 +0800 +++ shadow-4.1.4.3/etc/pam.d/useradd 2011-07-20 19:07:26.244844958 +0800 @@ -1,4 +1,4 @@ #%PAM-1.0 auth sufficient pam_rootok.so account required pam_permit.so -password include system-auth +password include common-password diff -Nur shadow-4.1.4.3/etc/pam.d.orig/userdel shadow-4.1.4.3/etc/pam.d/userdel --- shadow-4.1.4.3/etc/pam.d.orig/userdel 2011-07-20 19:02:27.384844958 +0800 +++ shadow-4.1.4.3/etc/pam.d/userdel 2011-07-20 19:07:35.734844958 +0800 @@ -1,4 +1,4 @@ #%PAM-1.0 auth sufficient pam_rootok.so account required pam_permit.so -password include system-auth +password include common-password diff -Nur shadow-4.1.4.3/etc/pam.d.orig/usermod shadow-4.1.4.3/etc/pam.d/usermod --- shadow-4.1.4.3/etc/pam.d.orig/usermod 2011-07-20 19:02:27.384844958 +0800 +++ shadow-4.1.4.3/etc/pam.d/usermod 2011-07-20 19:07:42.024844958 +0800 @@ -1,4 +1,4 @@ #%PAM-1.0 auth sufficient pam_rootok.so account required pam_permit.so -password include system-auth +password include common-password ./allow-for-setting-password-in-clear-text.patch0000664000175000017500000002232612511411357022352 0ustar nielsenrnielsenrUpstream-Status: Inappropriate [OE specific] Allow for setting password in clear text. Signed-off-by: Chen Qi --- src/Makefile.am | 8 ++++---- src/groupadd.c | 8 +++++++- src/groupmod.c | 8 +++++++- src/useradd.c | 9 +++++++-- src/usermod.c | 8 +++++++- 5 files changed, 32 insertions(+), 9 deletions(-) diff --git a/src/Makefile.am b/src/Makefile.am index 25e288d..856b087 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -88,10 +88,10 @@ chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT) chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) -groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) +groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) groupmems_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) -groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) +groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) grpck_LDADD = $(LDADD) $(LIBSELINUX) grpconv_LDADD = $(LDADD) $(LIBSELINUX) grpunconv_LDADD = $(LDADD) $(LIBSELINUX) @@ -111,9 +111,9 @@ su_SOURCES = \ suauth.c su_LDADD = $(LDADD) $(LIBPAM) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) sulogin_LDADD = $(LDADD) $(LIBCRYPT) -useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) +useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBCRYPT) userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) -usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) +usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBCRYPT) vipw_LDADD = $(LDADD) $(LIBSELINUX) install-am: all-am diff --git a/src/groupadd.c b/src/groupadd.c index f716f57..4e28c26 100644 --- a/src/groupadd.c +++ b/src/groupadd.c @@ -124,6 +124,7 @@ static /*@noreturn@*/void usage (int status) (void) fputs (_(" -o, --non-unique allow to create groups with duplicate\n" " (non-unique) GID\n"), usageout); (void) fputs (_(" -p, --password PASSWORD use this encrypted password for the new group\n"), usageout); + (void) fputs (_(" -P, --clear-password PASSWORD use this clear password for the new group\n"), usageout); (void) fputs (_(" -r, --system create a system account\n"), usageout); (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); (void) fputs ("\n", usageout); @@ -387,12 +388,13 @@ static void process_flags (int argc, char **argv) {"key", required_argument, NULL, 'K'}, {"non-unique", no_argument, NULL, 'o'}, {"password", required_argument, NULL, 'p'}, + {"clear-password", required_argument, NULL, 'P'}, {"system", no_argument, NULL, 'r'}, {"root", required_argument, NULL, 'R'}, {NULL, 0, NULL, '\0'} }; - while ((c = getopt_long (argc, argv, "fg:hK:op:rR:", + while ((c = getopt_long (argc, argv, "fg:hK:op:P:rR:", long_options, NULL)) != -1) { switch (c) { case 'f': @@ -444,6 +446,10 @@ static void process_flags (int argc, char **argv) pflg = true; group_passwd = optarg; break; + case 'P': + pflg = true; + group_passwd = pw_encrypt (optarg, crypt_make_salt (NULL, NULL)); + break; case 'r': rflg = true; break; diff --git a/src/groupmod.c b/src/groupmod.c index d9d3807..68f49d1 100644 --- a/src/groupmod.c +++ b/src/groupmod.c @@ -127,6 +127,7 @@ static void usage (int status) (void) fputs (_(" -o, --non-unique allow to use a duplicate (non-unique) GID\n"), usageout); (void) fputs (_(" -p, --password PASSWORD change the password to this (encrypted)\n" " PASSWORD\n"), usageout); + (void) fputs (_(" -P, --clear-password PASSWORD change the password to this clear PASSWORD\n"), usageout); (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); (void) fputs ("\n", usageout); exit (status); @@ -375,10 +376,11 @@ static void process_flags (int argc, char **argv) {"new-name", required_argument, NULL, 'n'}, {"non-unique", no_argument, NULL, 'o'}, {"password", required_argument, NULL, 'p'}, + {"clear-password", required_argument, NULL, 'P'}, {"root", required_argument, NULL, 'R'}, {NULL, 0, NULL, '\0'} }; - while ((c = getopt_long (argc, argv, "g:hn:op:R:", + while ((c = getopt_long (argc, argv, "g:hn:op:P:R:", long_options, NULL)) != -1) { switch (c) { case 'g': @@ -405,6 +407,10 @@ static void process_flags (int argc, char **argv) group_passwd = optarg; pflg = true; break; + case 'P': + group_passwd = pw_encrypt (optarg, crypt_make_salt (NULL, NULL)); + pflg = true; + break; case 'R': /* no-op, handled in process_root_flag () */ break; default: diff --git a/src/useradd.c b/src/useradd.c index b3bd451..4416f90 100644 --- a/src/useradd.c +++ b/src/useradd.c @@ -773,6 +773,7 @@ static void usage (int status) (void) fputs (_(" -o, --non-unique allow to create users with duplicate\n" " (non-unique) UID\n"), usageout); (void) fputs (_(" -p, --password PASSWORD encrypted password of the new account\n"), usageout); + (void) fputs (_(" -P, --clear-password PASSWORD clear password of the new account\n"), usageout); (void) fputs (_(" -r, --system create a system account\n"), usageout); (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); (void) fputs (_(" -s, --shell SHELL login shell of the new account\n"), usageout); @@ -1047,6 +1048,7 @@ static void process_flags (int argc, char **argv) {"no-user-group", no_argument, NULL, 'N'}, {"non-unique", no_argument, NULL, 'o'}, {"password", required_argument, NULL, 'p'}, + {"clear-password", required_argument, NULL, 'P'}, {"system", no_argument, NULL, 'r'}, {"root", required_argument, NULL, 'R'}, {"shell", required_argument, NULL, 's'}, @@ -1059,9 +1061,9 @@ static void process_flags (int argc, char **argv) }; while ((c = getopt_long (argc, argv, #ifdef WITH_SELINUX - "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:UZ:", + "b:c:d:De:f:g:G:hk:K:lmMNop:P:rR:s:u:UZ:", #else /* !WITH_SELINUX */ - "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:U", + "b:c:d:De:f:g:G:hk:K:lmMNop:P:rR:s:u:U", #endif /* !WITH_SELINUX */ long_options, NULL)) != -1) { switch (c) { @@ -1227,6 +1229,9 @@ static void process_flags (int argc, char **argv) } user_pass = optarg; break; + case 'P': /* set clear text password */ + user_pass = pw_encrypt (optarg, crypt_make_salt (NULL, NULL)); + break; case 'r': rflg = true; break; diff --git a/src/usermod.c b/src/usermod.c index e7d4351..b79f7a3 100644 --- a/src/usermod.c +++ b/src/usermod.c @@ -419,6 +419,7 @@ static /*@noreturn@*/void usage (int status) " new location (use only with -d)\n"), usageout); (void) fputs (_(" -o, --non-unique allow using duplicate (non-unique) UID\n"), usageout); (void) fputs (_(" -p, --password PASSWORD use encrypted password for the new password\n"), usageout); + (void) fputs (_(" -P, --clear-password PASSWORD use clear password for the new password\n"), usageout); (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); (void) fputs (_(" -s, --shell SHELL new login shell for the user account\n"), usageout); (void) fputs (_(" -u, --uid UID new UID for the user account\n"), usageout); @@ -996,6 +997,7 @@ static void process_flags (int argc, char **argv) {"move-home", no_argument, NULL, 'm'}, {"non-unique", no_argument, NULL, 'o'}, {"password", required_argument, NULL, 'p'}, + {"clear-password", required_argument, NULL, 'P'}, {"root", required_argument, NULL, 'R'}, {"shell", required_argument, NULL, 's'}, {"uid", required_argument, NULL, 'u'}, @@ -1012,7 +1014,7 @@ static void process_flags (int argc, char **argv) {NULL, 0, NULL, '\0'} }; while ((c = getopt_long (argc, argv, - "ac:d:e:f:g:G:hl:Lmop:R:s:u:U" + "ac:d:e:f:g:G:hl:Lmop:P:R:s:u:U" #ifdef ENABLE_SUBIDS "v:w:V:W:" #endif /* ENABLE_SUBIDS */ @@ -1112,6 +1114,10 @@ static void process_flags (int argc, char **argv) user_pass = optarg; pflg = true; break; + case 'P': + user_pass = pw_encrypt (optarg, crypt_make_salt (NULL, NULL)); + pflg = true; + break; case 'R': /* no-op, handled in process_root_flag () */ break; case 's': -- 1.7.9.5 ./login_defs_pam.sed0000664000175000017500000000117612511411357015105 0ustar nielsenrnielsenr/^FAILLOG_ENAB/b comment /^LASTLOG_ENAB/b comment /^MAIL_CHECK_ENAB/b comment /^OBSCURE_CHECKS_ENAB/b comment /^PORTTIME_CHECKS_ENAB/b comment /^QUOTAS_ENAB/b comment /^MOTD_FILE/b comment /^FTMP_FILE/b comment /^NOLOGINS_FILE/b comment /^ENV_HZ/b comment /^ENV_TZ/b comment /^PASS_MIN_LEN/b comment /^SU_WHEEL_ONLY/b comment /^CRACKLIB_DICTPATH/b comment /^PASS_CHANGE_TRIES/b comment /^PASS_ALWAYS_WARN/b comment /^PASS_MAX_LEN/b comment /^PASS_MIN_LEN/b comment /^CHFN_AUTH/b comment /^CHSH_AUTH/b comment /^ISSUE_FILE/b comment /^LOGIN_STRING/b comment /^ULIMIT/b comment /^ENVIRON_FILE/b comment b exit : comment s:^:#: : exit ./pam.d/0000775000175000017500000000000012511411357012434 5ustar nielsenrnielsenr./pam.d/login0000664000175000017500000000620212511411357013467 0ustar nielsenrnielsenr# # The PAM configuration file for the Shadow `login' service # # Enforce a minimal delay in case of failure (in microseconds). # (Replaces the `FAIL_DELAY' setting from login.defs) # Note that other modules may require another minimal delay. (for example, # to disable any delay, you should add the nodelay option to pam_unix) auth optional pam_faildelay.so delay=3000000 # Outputs an issue file prior to each login prompt (Replaces the # ISSUE_FILE option from login.defs). Uncomment for use # auth required pam_issue.so issue=/etc/issue # Disallows root logins except on tty's listed in /etc/securetty # (Replaces the `CONSOLE' setting from login.defs) # Note that it is included as a "requisite" module. No password prompts will # be displayed if this module fails to avoid having the root password # transmitted on unsecure ttys. # You can change it to a "required" module if you think it permits to # guess valid user names of your system (invalid user names are considered # as possibly being root). auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so # Disallows other than root logins when /etc/nologin exists # (Replaces the `NOLOGINS_FILE' option from login.defs) auth requisite pam_nologin.so # This module parses environment configuration file(s) # and also allows you to use an extended config # file /etc/security/pam_env.conf. # # parsing /etc/environment needs "readenv=1" session required pam_env.so readenv=1 # Standard Un*x authentication. auth include common-auth # This allows certain extra groups to be granted to a user # based on things like time of day, tty, service, and user. # Please edit /etc/security/group.conf to fit your needs # (Replaces the `CONSOLE_GROUPS' option in login.defs) auth optional pam_group.so # Uncomment and edit /etc/security/time.conf if you need to set # time restrainst on logins. # (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs # as well as /etc/porttime) # account requisite pam_time.so # Uncomment and edit /etc/security/access.conf if you need to # set access limits. # (Replaces /etc/login.access file) # account required pam_access.so # Sets up user limits according to /etc/security/limits.conf # (Replaces the use of /etc/limits in old login) session required pam_limits.so # Prints the last login info upon succesful login # (Replaces the `LASTLOG_ENAB' option from login.defs) session optional pam_lastlog.so # Prints the motd upon succesful login # (Replaces the `MOTD_FILE' option in login.defs) session optional pam_motd.so # Prints the status of the user's mailbox upon succesful login # (Replaces the `MAIL_CHECK_ENAB' option from login.defs). # # This also defines the MAIL environment variable # However, userdel also needs MAIL_DIR and MAIL_FILE variables # in /etc/login.defs to make sure that removing a user # also removes the user's mail spool file. # See comments in /etc/login.defs session optional pam_mail.so standard # Standard Un*x account and session account include common-account password include common-password session include common-session ./pam.d/chpasswd0000664000175000017500000000015212511411357014171 0ustar nielsenrnielsenr# The PAM configuration file for the Shadow 'chpasswd' service # password include common-password ./pam.d/passwd0000664000175000017500000000015212511411357013656 0ustar nielsenrnielsenr# # The PAM configuration file for the Shadow `passwd' service # password include common-password ./pam.d/chsh0000664000175000017500000000116112511411357013303 0ustar nielsenrnielsenr# # The PAM configuration file for the Shadow `chsh' service # # This will not allow a user to change their shell unless # their current one is listed in /etc/shells. This keeps # accounts with special shells from changing them. auth required pam_shells.so # This allows root to change user shell without being # prompted for a password auth sufficient pam_rootok.so # The standard Unix authentication modules, used with # NIS (man nsswitch) as well as normal /etc/passwd and # /etc/shadow entries. auth include common-auth account include common-account session include common-session ./pam.d/newusers0000664000175000017500000000015212511411357014230 0ustar nielsenrnielsenr# The PAM configuration file for the Shadow 'newusers' service # password include common-password ./pam.d/su0000664000175000017500000000413412511411357013010 0ustar nielsenrnielsenr# # The PAM configuration file for the Shadow `su' service # # This allows root to su without passwords (normal operation) auth sufficient pam_rootok.so # Uncomment this to force users to be a member of group root # before they can use `su'. You can also add "group=foo" # to the end of this line if you want to use a group other # than the default "root" (but this may have side effect of # denying "root" user, unless she's a member of "foo" or explicitly # permitted earlier by e.g. "sufficient pam_rootok.so"). # (Replaces the `SU_WHEEL_ONLY' option from login.defs) # auth required pam_wheel.so # Uncomment this if you want wheel members to be able to # su without a password. # auth sufficient pam_wheel.so trust # Uncomment this if you want members of a specific group to not # be allowed to use su at all. # auth required pam_wheel.so deny group=nosu # Uncomment and edit /etc/security/time.conf if you need to set # time restrainst on su usage. # (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs # as well as /etc/porttime) # account requisite pam_time.so # This module parses environment configuration file(s) # and also allows you to use an extended config # file /etc/security/pam_env.conf. # # parsing /etc/environment needs "readenv=1" session required pam_env.so readenv=1 # Defines the MAIL environment variable # However, userdel also needs MAIL_DIR and MAIL_FILE variables # in /etc/login.defs to make sure that removing a user # also removes the user's mail spool file. # See comments in /etc/login.defs # # "nopen" stands to avoid reporting new mail when su'ing to another user session optional pam_mail.so nopen # Sets up user limits, please uncomment and read /etc/security/limits.conf # to enable this functionality. # (Replaces the use of /etc/limits in old login) # session required pam_limits.so # The standard Unix authentication modules, used with # NIS (man nsswitch) as well as normal /etc/passwd and # /etc/shadow entries. auth include common-auth account include common-account session include common-session ./pam.d/chfn0000664000175000017500000000065312511411357013301 0ustar nielsenrnielsenr# # The PAM configuration file for the Shadow `chfn' service # # This allows root to change user infomation without being # prompted for a password auth sufficient pam_rootok.so # The standard Unix authentication modules, used with # NIS (man nsswitch) as well as normal /etc/passwd and # /etc/shadow entries. auth include common-auth account include common-account session include common-session