Radix cross Linux

The main Radix cross Linux repository contains the build scripts of packages, which have the most complete and common functionality for desktop machines

Index: 4.8.1/Makefile
===================================================================
--- 4.8.1/Makefile	(nonexistent)
+++ 4.8.1/Makefile	(revision 5)
@@ -0,0 +1,298 @@
+
+COMPONENT_TARGETS  = $(HARDWARE_INTEL_PC32)
+COMPONENT_TARGETS += $(HARDWARE_INTEL_PC64)
+COMPONENT_TARGETS += $(HARDWARE_EBOX_3350DX2)
+COMPONENT_TARGETS += $(HARDWARE_CB1X)
+COMPONENT_TARGETS += $(HARDWARE_CB2X)
+COMPONENT_TARGETS += $(HARDWARE_CB3X)
+COMPONENT_TARGETS += $(HARDWARE_ORANGE_PP2E)
+COMPONENT_TARGETS += $(HARDWARE_NANOPI_NEO)
+COMPONENT_TARGETS += $(HARDWARE_ORANGE_PP)
+COMPONENT_TARGETS += $(HARDWARE_ORANGE_PL2)
+COMPONENT_TARGETS += $(HARDWARE_WECHIP_TX6)
+COMPONENT_TARGETS += $(HARDWARE_FFRK3288)
+COMPONENT_TARGETS += $(HARDWARE_POIN2)
+COMPONENT_TARGETS += $(HARDWARE_RK3328_CC)
+COMPONENT_TARGETS += $(HARDWARE_KHADAS_EDGE)
+COMPONENT_TARGETS += $(HARDWARE_LEEZ_P710)
+COMPONENT_TARGETS += $(HARDWARE_M201)
+COMPONENT_TARGETS += $(HARDWARE_MXV)
+COMPONENT_TARGETS += $(HARDWARE_P201)
+COMPONENT_TARGETS += $(HARDWARE_NEXBOX_A95X)
+COMPONENT_TARGETS += $(HARDWARE_ODROID_C2)
+COMPONENT_TARGETS += $(HARDWARE_P212)
+COMPONENT_TARGETS += $(HARDWARE_KHADAS_VIM)
+COMPONENT_TARGETS += $(HARDWARE_Q201)
+COMPONENT_TARGETS += $(HARDWARE_ENYBOX_X2)
+COMPONENT_TARGETS += $(HARDWARE_KHADAS_VIM2)
+COMPONENT_TARGETS += $(HARDWARE_NIT6Q)
+COMPONENT_TARGETS += $(HARDWARE_OKMX6DL_C)
+COMPONENT_TARGETS += $(HARDWARE_OKMX6Q_C)
+COMPONENT_TARGETS += $(HARDWARE_BONE_BLACK)
+COMPONENT_TARGETS += $(HARDWARE_OMAP5UEVM)
+COMPONENT_TARGETS += $(HARDWARE_DRA7XXEVM)
+COMPONENT_TARGETS += $(HARDWARE_CI20)
+COMPONENT_TARGETS += $(HARDWARE_BAIKAL_T1)
+COMPONENT_TARGETS += $(HARDWARE_BAIKAL_M1)
+COMPONENT_TARGETS += $(HARDWARE_S824L)
+COMPONENT_TARGETS += $(HARDWARE_VESNIN)
+COMPONENT_TARGETS += $(HARDWARE_S824L_LSB)
+COMPONENT_TARGETS += $(HARDWARE_VESNIN_LSB)
+COMPONENT_TARGETS += $(HARDWARE_TL2WK2)
+COMPONENT_TARGETS += $(HARDWARE_TL2SV2)
+COMPONENT_TARGETS += $(HARDWARE_TL2WK2_LSB)
+COMPONENT_TARGETS += $(HARDWARE_TL2SV2_LSB)
+COMPONENT_TARGETS += $(HARDWARE_SIFIVE_U740)
+
+
+NEED_ABS_PATH      = true
+COMPONENT_IS_3PP   = true
+
+
+include ../../../build-system/constants.mk
+
+
+SOURCE_REQUIRES    = sources/packages/s/shadow
+
+REQUIRES           = secure/pam/1.5.1
+REQUIRES          += app/acl/2.2.53
+
+# ======= __END_OF_REQUIRES__ =======
+
+
+version            = 4.8.1
+tar_xz_archive     = $(SRC_PACKAGE_PATH)/packages/s/shadow/shadow-$(version).tar.xz
+SRC_ARCHIVE        = $(tar_xz_archive)
+SRC_DIR            = $(TARGET_BUILD_DIR)/shadow-$(version)
+src_dir_name       = shadow-$(version)
+src_done           = $(TARGET_BUILD_DIR)/.source_done
+
+PATCHES = PATCHES
+
+build_target       = $(TARGET_BUILD_DIR)/.build_done
+install_target     = $(TARGET_BUILD_DIR)/.install_done
+
+
+####### Targets
+
+PKG_GROUP = app
+
+#
+# *PKG_NAME & *PKG_VERSION shouldn't be a reference to value.
+#
+SHADOW_PKG_NAME                = shadow
+SHADOW_PKG_VERSION             = 4.8.1
+SHADOW_PKG_ARCH                = $(PKGARCH)
+SHADOW_PKG_DISTRO_NAME         = $(DISTRO_NAME)
+SHADOW_PKG_DISTRO_VERSION      = $(DISTRO_VERSION)
+SHADOW_PKG_GROUP               = $(PKG_GROUP)
+###                             |---handy-ruler-------------------------------|
+SHADOW_PKG_SHORT_DESCRIPTION   = shadow password suite
+SHADOW_PKG_URL                 = $(BUG_URL)
+SHADOW_PKG_LICENSE             = BSD
+SHADOW_PKG_DESCRIPTION_FILE    = $(TARGET_BUILD_DIR)/$(SHADOW_PKG_NAME)-pkg-description
+SHADOW_PKG_DESCRIPTION_FILE_IN = $(SHADOW_PKG_NAME)-pkg-description.in
+SHADOW_PKG_INSTALL_SCRIPT      = $(SHADOW_PKG_NAME)-pkg-install.sh
+
+SHADOW_PKG       = $(CURDIR)/$(TARGET_BUILD_DIR)/$(SHADOW_PKG_NAME)-package
+
+pkg_basename     = $(SHADOW_PKG_NAME)-$(SHADOW_PKG_VERSION)-$(SHADOW_PKG_ARCH)-$(SHADOW_PKG_DISTRO_NAME)-$(SHADOW_PKG_DISTRO_VERSION)
+
+pkg_archive      = $(TARGET_BUILD_DIR)/$(PKG_GROUP)/$(pkg_basename).$(pkg_arch_suffix)
+pkg_certificate  = $(call cert-name,$(pkg_archive))
+pkg_signature    = $(call sign-name,$(pkg_archive))
+pkg_description  = $(call desc-name,$(pkg_archive))
+products         = $(call pkg-files,$(pkg_archive))
+
+BUILD_TARGETS    = $(build_target)
+BUILD_TARGETS   += $(install_target)
+
+PRODUCT_TARGETS  = $(products)
+
+ROOTFS_TARGETS   = $(pkg_archive)
+
+
+include ../../../build-system/core.mk
+
+
+env_sysroot = DESTDIR=$(SHADOW_PKG)
+
+
+extra_configure_switches  = --libdir=/usr/lib$(LIBSUFFIX)
+extra_configure_switches += --mandir=/usr/share/man
+extra_configure_switches += --docdir=/usr/share/doc/$(src_dir_name)
+extra_configure_switches += --disable-dependency-tracking
+extra_configure_switches += --bindir=/usr/bin
+extra_configure_switches += --sbindir=/usr/sbin
+extra_configure_switches += --sysconfdir=/etc
+extra_configure_switches += --with-libpam
+extra_configure_switches += --with-acl
+extra_configure_switches += --with-attr
+extra_configure_switches += --with-group-name-max-length=32
+extra_configure_switches += --enable-subordinate-ids
+extra_configure_switches += --enable-man
+extra_configure_switches += --disable-shared
+
+
+TARGET_RPATH = /lib$(LIBSUFFIX):/usr/lib$(LIBSUFFIX)
+
+
+####### Dependencies
+
+$(src_done): $(SRC_ARCHIVE) $(PATCHES_DEP)
+	$(UNPACK_SRC_ARCHIVE)
+	$(APPLY_PATCHES)
+	@( cd $(SRC_DIR) ; autoreconf -v -f --install )
+	@touch $@
+
+$(build_target): $(src_done)
+	@cd $(SRC_DIR) && \
+	  $(BUILD_ENVIRONMENT) ../$(src_dir_name)/configure \
+	  --prefix=/usr               \
+	  --build=$(BUILD)            \
+	  --host=$(TARGET)            \
+	  $(extra_configure_switches)
+	@cd $(SRC_DIR) && $(BUILD_ENVIRONMENT) $(MAKE)
+	@touch $@
+
+$(install_target): $(build_target)
+	@mkdir -p $(SHADOW_PKG)
+	@cd $(SRC_DIR) && $(BUILD_ENVIRONMENT) $(MAKE) -j1 install $(env_sysroot)
+	# ======= Don't ship the login utilities provided by util-linux and coreutils =======
+	@( cd $(SHADOW_PKG) ; \
+	   for file in login chfn chsh groups ; do \
+	     rm -f usr/bin/$$file ; \
+	     find ./usr/share/man -type f -name "$${file}.*" -exec rm -f {} \; ; \
+	   done ; \
+	 )
+	# ======= Put some stuff back in FHS locations =======
+	@mkdir -p $(SHADOW_PKG)/bin $(SHADOW_PKG)/sbin
+	@( cd $(SHADOW_PKG)/usr/bin ; \
+	   mv groups  ../../bin  ; \
+	   mv su      ../../bin  ; \
+	   mv faillog ../sbin ; \
+	   mv lastlog ../sbin ; \
+	   ln -sf ../sbin/faillog . ; \
+	   ln -sf ../sbin/lastlog . ; \
+	 )
+	# ======= Set default GID = 100 =======
+	@sed -i 's,^GROUP=.*,GROUP=100,' $(SHADOW_PKG)/etc/default/useradd
+	@mv $(SHADOW_PKG)/etc/default/useradd $(SHADOW_PKG)/etc/default/useradd.new
+	# ======= Install config files in /etc/pam.d/ =======
+	@rm -rf $(SHADOW_PKG)/etc/pam.d
+	@mkdir -p $(SHADOW_PKG)/etc/pam.d
+	@for file in $(CURDIR)/etc/pam.d/* ; do \
+	   cp -a $$file $(SHADOW_PKG)/etc/pam.d/ ; \
+	 done
+	@chmod 644 $(SHADOW_PKG)/etc/pam.d/*
+	@find $(SHADOW_PKG)/etc/pam.d -type f -exec mv {} {}.new \;
+	@rm -f $(SHADOW_PKG)/etc/login.defs
+	@cat $(CURDIR)/scripts/login.defs.pam > $(SHADOW_PKG)/etc/login.defs.new
+	# ======= Add the friendly 'adduser' script: =======
+	@cat $(CURDIR)/scripts/adduser > $(SHADOW_PKG)/usr/sbin/adduser
+	@chmod 0755 $(SHADOW_PKG)/usr/sbin/adduser
+	# ======= /etc/suauth doesn't work with PAM: =======
+	@find $(SHADOW_PKG)/usr/share/man -type f -name "suauth.5" -exec rm -f {} \;
+	# ======= Add sulogin to the package: =======
+	@cp -a $(SRC_DIR)/src/sulogin $(SHADOW_PKG)/sbin
+	@( cd $(SHADOW_PKG)/bin ; ln -s ../sbin/sulogin )
+	# ======= Add the empty faillog log file: =======
+	@mkdir -p $(SHADOW_PKG)/var/log
+	@touch $(SHADOW_PKG)/var/log/faillog.new
+	# ======= Use 4711 rather than 4755 permissions where setuid root is required: =======
+	@find $(SHADOW_PKG) -type f -perm 4755 -exec chmod 4711 "{}" \;
+	# ======= Install Documentation =======
+	@( cd $(SHADOW_PKG)/usr/share/man ; \
+	   for page in `find . -type f -exec echo {} \;` ; do        \
+	     if [ -n "`cat $$page | grep '^\.so '`" ] ; then         \
+	       dir=`dirname $$page | sed 's,^\./,,'` ;               \
+	       ( cd $$dir ;                                          \
+	         for file in * ; do                                  \
+	           ln=`head -n 1 $$file` ;                           \
+	           if [ "`echo $$ln | grep '^\.so '`" != "" ] ; then \
+	             origin=`echo $$ln | cut -f 2 -d ' '` ;          \
+	             origin=`basename $$origin` ;                    \
+	             rm -f $$file ;                                  \
+	             ln -sf $$origin $$file ;                        \
+	           fi ;                                              \
+	         done ;                                              \
+	       ) ;                                                   \
+	     fi ;                                                    \
+	   done ;                                                    \
+	 )
+	@if [ -d $(SHADOW_PKG)/usr/share/man ]; then \
+	  ( cd $(SHADOW_PKG)/usr/share/man ; \
+	    for manpagedir in `find . -type d -name "man*"` ; do \
+	      ( cd $$manpagedir ; \
+	        for eachpage in `find . -type l -maxdepth 1` ; do \
+	          ln -s `readlink $$eachpage`.gz $$eachpage.gz ; \
+	          rm $$eachpage ; \
+	        done ; \
+	        gzip -9 *.?  ; \
+	      ) \
+	    done \
+	  ) \
+	 fi
+	@mkdir -p $(SHADOW_PKG)/usr/doc/$(src_dir_name)
+	@cp -a $(CURDIR)/license/* $(SHADOW_PKG)/usr/doc/$(src_dir_name)
+	@cp -a $(SRC_DIR)/COPYING* \
+	       $(SHADOW_PKG)/usr/doc/$(src_dir_name)
+	@mkdir -p $(SHADOW_PKG)/usr/share/doc/$(src_dir_name)/{PAM,html}
+	@( cd $(SRC_DIR) ; \
+	   cp -a COPYING NEWS README TODO doc/{README.limits,HOWTO,WISHLIST} \
+	         $(SHADOW_PKG)/usr/share/doc/$(src_dir_name) \
+	 )
+	@cp -a $(SRC_DIR)/docs/*.html $(SHADOW_PKG)/usr/share/doc/$(src_dir_name)/html
+	@cp -a $(CURDIR)/doc/* $(SHADOW_PKG)/usr/share/doc/$(src_dir_name)/PAM
+	# ======= Install ChangeLog into docdir =======
+	@( cd $(SRC_DIR) ; \
+	   if [ -r ChangeLog ]; then \
+	     DOCSDIR=`echo $(SHADOW_PKG)/usr/share/doc/$(src_dir_name)` ; \
+	     cat ChangeLog | head -n 1000 > $$DOCSDIR/ChangeLog ; \
+	     touch -r ChangeLog $$DOCSDIR/ChangeLog ; \
+	   fi ; \
+	 )
+	# ======= Install the same to $(TARGET_DEST_DIR) =======
+	$(call install-into-devenv, $(SHADOW_PKG))
+	# ======= Strip binaries =======
+	@( cd $(SHADOW_PKG) ; \
+	   find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | xargs $(STRIP) --strip-unneeded 2> /dev/null \
+	 )
+ifneq ($(PATCHELF),)
+	# ======= Set RPATH/RUNPATH for target binaries =======
+	@( cd $(SHADOW_PKG) ; \
+	   for file in `find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | xargs echo` ; do \
+	     rpath=`$(PATCHELF) --print-rpath $$file 2> /dev/null` ; \
+	     if echo "$$rpath" | grep -q "$(TARGET_DEST_DIR)" ; then \
+	       $(PATCHELF) --set-rpath $(TARGET_RPATH) $$file 1> /dev/null 2> /dev/null ; \
+	     fi ; \
+	   done ; \
+	 )
+endif
+	@touch $@
+
+$(SHADOW_PKG_DESCRIPTION_FILE): $(SHADOW_PKG_DESCRIPTION_FILE_IN)
+	@cat $< | $(SED) -e "s/@VERSION@/$(version)/g" > $@
+
+$(pkg_certificate) : $(pkg_archive) ;
+$(pkg_signature)   : $(pkg_archive) ;
+$(pkg_description) : $(pkg_archive) ;
+
+$(pkg_archive): $(install_target) $(SHADOW_PKG_DESCRIPTION_FILE) $(SHADOW_PKG_INSTALL_SCRIPT)
+	@cp $(SHADOW_PKG_DESCRIPTION_FILE) $(SHADOW_PKG)/.DESCRIPTION
+	@cp $(SHADOW_PKG_INSTALL_SCRIPT) $(SHADOW_PKG)/.INSTALL
+	@$(BUILD_PKG_REQUIRES) $(SHADOW_PKG)/.REQUIRES
+	@echo "pkgname=$(SHADOW_PKG_NAME)"                            >  $(SHADOW_PKG)/.PKGINFO ; \
+	 echo "pkgver=$(SHADOW_PKG_VERSION)"                          >> $(SHADOW_PKG)/.PKGINFO ; \
+	 echo "arch=$(SHADOW_PKG_ARCH)"                               >> $(SHADOW_PKG)/.PKGINFO ; \
+	 echo "distroname=$(SHADOW_PKG_DISTRO_NAME)"                  >> $(SHADOW_PKG)/.PKGINFO ; \
+	 echo "distrover=$(SHADOW_PKG_DISTRO_VERSION)"                >> $(SHADOW_PKG)/.PKGINFO ; \
+	 echo "group=$(SHADOW_PKG_GROUP)"                             >> $(SHADOW_PKG)/.PKGINFO ; \
+	 echo "short_description=\"$(SHADOW_PKG_SHORT_DESCRIPTION)\"" >> $(SHADOW_PKG)/.PKGINFO ; \
+	 echo "url=$(SHADOW_PKG_URL)"                                 >> $(SHADOW_PKG)/.PKGINFO ; \
+	 echo "license=$(SHADOW_PKG_LICENSE)"                         >> $(SHADOW_PKG)/.PKGINFO
+	@$(PSEUDO) sh -c "cd $(SHADOW_PKG) && \
+	                  chown -R root:root . && \
+	                  chmod 4711 bin/su    && \
+	                  chmod 4711 usr/bin/passwd  && \
+	                  $(MAKE_PACKAGE) -J --linkadd=yes $(GNUPG_OPTIONS) -m -d .. ."
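Review bot: The `$(install_target)` recipe never states which binaries are meant to stay setuid root: `find $(SHADOW_PKG) -type f -perm 4755 -exec chmod 4711 "{}" \;` matches only files whose mode is exactly 4755 and keeps the bit on every one of them, so the shipped set is whatever upstream's `make install` chose. With `--with-libpam` and `--enable-subordinate-ids` that set may be wider than `su` and `passwd`, the only two that the `$(pkg_archive)` recipe re-asserts with `chmod 4711`. This depends on the configure defaults of this shadow version, which the hunk does not show; if the account-management tools are not wanted setuid, passing `--disable-account-tools-setuid` in `extra_configure_switches` would make that explicit. I would add a comment above the `find` line listing the binaries expected to carry the bit, and match with `-perm -4000` so that setuid files installed with any other mode are surfaced as well. Separately, the "Put some stuff back in FHS locations" block chains its commands with `;`, so `mv groups  ../../bin` fails silently after `usr/bin/groups` was removed a few lines earlier; chaining with `&&` and dropping that `mv` would let real failures stop the build.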
Index: 4.8.1/PATCHES
===================================================================
--- 4.8.1/PATCHES	(nonexistent)
+++ 4.8.1/PATCHES	(revision 5)
@@ -0,0 +1,4 @@
+
+../../../sources/packages/s/shadow/patches/shadow-4.8.1-CVE-2005-4890.patch  -p0
+../../../sources/packages/s/shadow/patches/shadow-4.8.1-short-hostname.patch -p0
+../../../sources/packages/s/shadow/patches/shadow-4.8.1-sulogin-man.patch    -p0
Index: 4.8.1/doc/pam.html
===================================================================
--- 4.8.1/doc/pam.html	(nonexistent)
+++ 4.8.1/doc/pam.html	(revision 5)
@@ -0,0 +1,631 @@
+<html>
+<head>
+<meta http-equiv="content-type" content="text/html; charset=UTF-8">
+</head>
+<body>
+
+<div style="padding: 0 1.5em; text-align: justify;">
+<h3>PAM Explanation</h3>
+</div>
+
+<div style="padding: 0 1.5em; text-align: justify;">
+<p>The Pluggable Authentication Modules system allows an administrator 
+to fully control how authentication is done on a system, and releaves a 
+developer from implementing all kinds of authentication mechanisms.</p>
+</div>
+
+<div style="padding: 0 1.5em; text-align: justify;">
+<p>The "old" way of doing authentication is through /etc/passwd, which 
+contained the username, uid and password. As long as everybody used 
+/etc/passwd there was nog problem, but when different schemes came into 
+play, like NIS, Kerberos, LDAP, and even the shadow system, it meant 
+that developers needed to support all these different ways in their 
+product, which created a enormous amount of duplicated code and a lot of
+ overhead for the developers. To overcome this issue PAM was created. 
+PAM provides a single interface for the developer to talk to. It just 
+tells an application if a user is allowed or not. Meaning that the 
+developer only has to support PAM.</p>
+</div>
+
+<div style="padding: 0 1.5em; text-align: justify;">
+<p>By means of modules the administrator can on the fly change the e.g. 
+the login policy for a certain system from /etc/passwd to kerberos 
+without the users or applications noticing the change. And as long as 
+all programs on a certain system, responsible for user authentication, 
+work with PAM all should be fine.</p>
+</div>
+
+<div style="padding: 0 1.5em; text-align: justify;">
+<p><table border="0">
+<tbody><tr><td align="center" bgcolor="#ffeedd">login</td>
+    <td align="center" bgcolor="#ddccbb">ftp</td>
+    <td align="center" bgcolor="#bbaa99">telnet</td>
+    <td align="center" bgcolor="#998877">ssh</td></tr>
+<tr><td colspan="4" align="center" bgcolor="#fedcba">PAM API</td></tr>
+<tr><td colspan="2" align="center" bgcolor="#fedcba">PAM library</td>
+    <td colspan="2" align="center" bgcolor="#fedcba">PAM configuration</td></tr>
+<tr><td colspan="4" align="center" bgcolor="#fedcba">PAM SPI</td></tr>
+<tr><td bgcolor="#dcba98">account checks</td>
+    <td bgcolor="#ba9876">authentication</td>
+    <td bgcolor="#987654">session management</td>
+    <td bgcolor="#765432">password management</td></tr>
+</tbody></table>
+</div>
+
+</p>
+<div style="padding: 0 1.5em; text-align: justify;">
+<p>As said PAM is a modular system, hence the name. The 
+configuration of PAM can be done in two different ways. You could have 
+one long configuration file, or you could have a /etc/pam.d directory 
+which contains several files for the configuration. This document will 
+only discuss the /etc/pam.d variant.</p>
+</div>
+
+<div style="padding: 0 1.5em; text-align: justify;">
+<p>Within the /etc/pam.d directory there are files for every program 
+that needs authentication. In each file there are rules for that 
+specific service. Of course there would be a lot of duplication if your 
+created rules specific for every service, since most services will use 
+the same way of authentication. To solve this issue there is an include 
+statement that you can use in the configuration files.</p>
+<pre>auth include file
+</pre>
+which includes the auth sections from the mentioned file.<p></p>
+</div>
+
+<div style="padding: 0 1.5em; text-align: justify;">
+<p>On Red Hat based systems the included file is often system-auth, 
+while for Debian based system you have a common-* file per "type" in the
+ configuration file.</p>
+</div>
+
+<div style="padding: 0 1.5em; text-align: justify;">
+<p>The "type" mentioned is the first colomn in the configuration file. The complete syntax for the file is:
+</p>
+<pre>type  control  module-path  module-arguments</pre>
+</div>
+
+<div style="padding: 0 1.5em; text-align: justify;">
+The type can be:
+<table border="1">
+<tbody><tr>
+    <th>Type</th>
+    <th>Function</th>
+    <th>Description</th>
+    </tr>
+<tr>
+    <td>account</td>
+    <td>pam_acct_mgmt</td>
+    <td>Tests if the user is allowed to access the service, meaning if 
+the password is not expired, if the user is allowed during this time of 
+day, if the load is not too high, etc.</td>
+    </tr>
+<tr>
+    <td rowspan="2">auth</td>
+    <td>pam_authenticate</td>
+    <td>This is the actual authentication. In the good old fashioned way
+ it means that the password is checked to see if the user is who he or 
+she claims to be.</td>
+    </tr>
+<tr>
+    <td>pam_setcred</td>
+    <td>Sets UID, GID and limits</td>
+    </tr>
+<tr>
+    <td rowspan="2">session</td>
+    <td>pam_open_session</td>
+    <td>Things that should be done when the user is authenticated, and thus logs in.</td>
+    </tr>
+<tr>
+    <td>pam_close_session</td>
+    <td>Things that should be done when the user logs off.</td>
+    </tr>
+<tr>
+    <td>password</td>
+    <td>pam_chauthtok</td>
+    <td>Used when the user wants to change the authentication credentials (password). Check password length, strength, etc.</td>
+    </tr>
+</tbody></table><p></p>
+</div>
+
+<div style="padding: 0 1.5em; text-align: justify;">
+<p>Per type you can have multiple lines. So you can have "stacked" 
+modules that describe what should be done, or to what rules the username
+ and credentials should comply, before a user is authenticated to the 
+system.</p>
+</div>
+
+<div style="padding: 0 1.5em; text-align: justify;">
+<p>The second column in our configuration file is the "control" column. 
+The field tells PAM what it should do when the module reports a failure.
+ This field can be:
+</p>
+</div>
+<div style="padding: 0 1.5em; text-align: justify;">
+<dl>
+<dt>[value1=action1 value2=action2 ...]</dt>
+    <dd><p>PAM started with some predefined actions, which are described
+ below. The use of [...] in the control field is a later addition that 
+gives you full control of PAMs actions. The list below is split in two 
+parts, those that are relevant for system administrators and those that 
+are needed for debugging modules. Within the remainder of this document 
+we are only concerned about the administrators part.</p>
+	<p>For system administrators:
+	</p><dl>
+	    <dt>abort</dt>
+		<dd>Critical error (?module fail now request)</dd>
+	    <dt>acct_expired</dt>
+		<dd>User account has expired</dd>
+	    <dt>auth_err</dt>
+		<dd>Authentication failure</dd>
+	    <dt>authinfo_unavail</dt>
+		<dd>Underlying authentication service can not retrieve authentication information</dd>
+	    <dt>authtok_err</dt>
+		<dd>Authentication token manipulation error</dd>
+	    <dt>authtok_expired</dt>
+		<dd>user's authentication token has expired</dd>
+	    <dt>authtok_disable_aging</dt>
+		<dd>Authentication token aging disabled</dd>
+	    <dt>authtok_recover_err</dt>
+		<dd>Authentication information cannot be recovered</dd>
+	    <dt>cred_err</dt>
+		<dd>Failure setting user credentials</dd>
+	    <dt>cred_expired</dt>
+		<dd>User credentials expired</dd>
+	    <dt>cred_insufficient</dt>
+		<dd>Can not access authentication data due to insufficient credentials</dd>
+	    <dt>cred_unavail</dt>
+		<dd>Underlying authentication service can not retrieve user credentials unavailable</dd>
+	    <dt>default</dt>
+		<dd>all not explicitly mentioned values</dd>
+	    <dt>ignore</dt>
+		<dd>Ignore underlying account module regardless of whether the control flag is required, optional, or sufficient</dd>
+	    <dt>maxtries</dt>
+		<dd>An authentication service has maintained a retry count which has been reached.  No further retries should be attempted</dd>
+	    <dt>module_unknown</dt>
+		<dd>module is not known</dd>
+	    <dt>new_authtok_reqd</dt>
+		<dd>New authentication token required. This is normally returned if 
+the machine security policies require that the password should be 
+changed beccause the password is NULL or it has aged</dd>
+	    <dt>perm_denied</dt>
+		<dd>Permission denied</dd>
+	    <dt>session_err</dt>
+		<dd>Can not make/remove an entry for the specified session</dd>
+	    <dt>success</dt>
+		<dd>Successful function return</dd>
+	    <dt>try_again</dt>
+		<dd>Preliminary check by password service</dd>
+	    <dt>user_unknown</dt>
+		<dd>User not known to the underlying authenticaiton module</dd>
+	</dl><p></p>
+
+	<p>Debugging modules:
+	</p><dl>
+	    <dt>authtok_lock_busy</dt>
+		<dd>Authentication token lock busy</dd>
+	    <dt>bad_item</dt>
+		<dd>Bad item passed to pam_*_item()</dd>
+	    <dt>buf_err</dt>
+		<dd>Memory buffer error</dd>
+	    <dt>conv_again</dt>
+		<dd>conversation function is event driven and data is not available yet</dd>
+	    <dt>conv_err</dt>
+		<dd>Conversation error</dd>
+	    <dt>incomplete</dt>
+		<dd>please call this function again to complete authentication stack. Before calling again, verify that conversation is completed</dd>
+	    <dt>no_module_data</dt>
+		<dd>No module specific data is present</dd>
+	    <dt>open_err</dt>
+		<dd>The module could not be loaded</dd>
+	    <dt>service_err</dt>
+		<dd>Error in service module</dd>
+	    <dt>symbol_err</dt>
+		<dd>Symbol not found</dd>
+	    <dt>system_err</dt>
+		<dd>System error</dd>
+	</dl>
+	<p></p>
+	<p>The action part can be any of:
+	</p><dl>
+	<dt>ignore</dt>
+	    <dd>The return status will not contribute to the return code.</dd>
+	<dt>bad</dt>
+	    <dd>The return status is set to fail.</dd>
+	<dt>die</dt>
+	    <dd>The return status is set to fail and the stack is terminated immediately and the return status reported to the application</dd>
+	<dt>ok</dt>
+	    <dd>If the modules fails, the total stack state will be fail, if 
+the stack was already fail, the return code of this module will do 
+nothing.</dd>
+	<dt>done</dt>
+	    <dd>Some as ok, but with direct termination of the stack</dd>
+	<dt>reset</dt>
+	    <dd>Clear all memory of the state of the module stack and start again with the next module.</dd>
+	</dl>
+   </dd>
+<p></p>
+<dt><span style="font-weight:bold; color:black">requisite</span> ([success=ok new_authtok_reqd=ok ignore=ignore default=die])</dt>
+    <dd>When the module reports failure, the user gets denied 
+immediately. Meaning that e.g. a non-existend username can immediately 
+be denied. The downside is that an attacker knows that the username is 
+invalid.</dd>
+<dt><span style="font-weight:bold; color:black">required</span> ([success=ok new_authtok_reqd=ok ignore=ignore default=bad])</dt><dt>
+    </dt><dd>When the module reports failure, the user gets denied after
+ all other lines in the type-section are checked. The reason that even 
+when the user is denied access all other lines are checked has to do 
+with system reponse. By checking all other lines a possible attacked has
+ no clue which module created the denial state, and thus makes it harder
+ for the attacker to create an alternative attack method.</dd>
+<dt><span style="font-weight:bold; color:black">sufficient</span> ([success=done new_authtok_reqd=done default=ignore])</dt>
+    <dd>If no status is set by a previous required module and this 
+module reports success, the PAM framework returns success to the 
+application immediately without trying any other modules. A failure 
+means that the remaining lines are checked.</dd><dd>
+</dd><dt><span style="font-weight:bold; color:black">optional</span> ([success=ok new_authtok_reqd=ok default=ignore])</dt>
+    <dd>According to the pam(8) manpage, will only cause an operation to fail if it's the only module in the stack for that facility</dd>
+</dl>
+</div>
+
+<div style="padding: 0 1.5em; text-align: justify;">
+<p>The third field in the configuration is the "module-path". This tells
+ PAM the modules to use and most the times the path to find the module. 
+According to the LFS, the modules should be located in /lib/security. 
+However the PAM default is /usr/lib/security.</p>
+</div>
+
+<div style="padding: 0 1.5em; text-align: justify;">
+<p>The last field is the "module-arguments" which varies per module.</p>
+</div>
+
+<div style="padding: 0 1.5em; text-align: justify;">
+<h3>PAM examples</h3>
+<p>The examples below are a mix of Debian, Red Hat and CentOS system configurations mixed with additional features.</p>
+
+<p>The following examples are tested with login and with sshd. Do know 
+if you should replace system-auth (RHEL) or common-* (Debian) files with
+ it.</p>
+</div>
+
+<div style="padding: 0 1.5em; text-align: justify;">
+<h4>Example: Be a minimal plain old Unix replacement</h4>
+<p>To act as a normal unix machine using /etc/passwd, /etc/shadow and 
+/etc/group we use the pam_unix.so. We need this anyway to support the 
+system accounts of our system like root.</p>
+</div>
+
+<div style="padding: 0 1.5em; text-align: left;">
+<pre>
+# Per default the pam_unix.so module treats empty password fields as
+# disabled accounts. The "nullok" option overrides this behaviour.
+# To disable an account according to CERT policies, change the
+# password field to * and set the login shell to /bin/false.
+#
+# The "md5" option enables MD5 passwords.  Without this option, the
+# default is Unix crypt.
+auth		sufficient	pam_unix.so nullok
+auth		required	pam_deny.so
+
+account		required	pam_unix.so
+account		required	pam_permit.so
+
+session		required	pam_unix.so
+
+# NOT tested
+password	sufficient	pam_unix.so shadow nullok md5
+password	required	pam_deny.so
+</pre>
+</div>
+
+<div style="padding: 0 1.5em; text-align: justify;">
+<h4>Example: plain old unix towards pam only control</h4>
+<p>Especially for the login functionality, there are a couple of 
+"native" files that give a system administrator control of who is 
+allowed to do what from where with which restrictions. The first ones 
+that you will probably know are the hosts.allow and hosts.deny files. 
+But also /etc/securetty, /etc/login.defs, and a couple more. If we want 
+to control everything through pam we have to adjust our stack a little 
+bit.</p>
+
+<p>Let's start with the auth section:</p>
+</div>
+
+<div style="padding: 0 1.5em; text-align: left;">
+<pre>
+# Load the /etc/security/pam_env.conf file. Just to be sure
+auth		required	pam_env.so
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth		optional	pam_faildelay.so delay=3000000
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth		requisite	pam_nologin.so
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+auth       [success=ok ignore=ignore user_unknown=ignore default=die]  pam_securetty.so
+
+# Check if the users shell exists
+# (Uses /etc/shells)
+auth		required	pam_shells.so
+
+# Outputs an issue file prior to each login prompt
+# (Replaces the ISSUE_FILE option from login.defs).
+auth		optional	pam_issue.so issue=/etc/issue
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth		optional	pam_group.so
+
+auth            sufficient      pam_unix.so nullok
+auth            required        pam_deny.so
+
+</pre><p></p>
+</div>
+
+<div style="padding: 0 1.5em; text-align: justify;">
+<p>Next we adjust the account section:</p>
+</div>
+
+<div style="padding: 0 1.5em; text-align: left;">
+<pre>
+# Edit /etc/security/time.conf if you need to set time
+# restrainst on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+account		requisite	pam_time.so
+
+# Edit /etc/security/access.conf if you need to set
+# access limits.
+# (Replaces /etc/login.access file)
+account		required	pam_access.so
+
+account         required        pam_unix.so
+account         required        pam_permit.so
+</pre><p></p>
+</div>
+
+<div style="padding: 0 1.5em; text-align: justify;">
+<p>Then the session section:</p>
+</div>
+
+<div style="padding: 0 1.5em; text-align: left;">
+<pre>
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+
+# Backwards compatibility for /etc/environment
+session		required	pam_env.so readenv=1 envfile=/etc/environment
+
+# Setting the locale or i18n settings
+# Debian: locale variables are also kept into /etc/default/locale in etch
+#         reading this file *in addition to /etc/environment* does not hurt
+# RHEL:   locale variables are kept in /etc/sysconfig/i18n
+#
+# Debian: session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+# RHEL: session       required   pam_env.so readenv=1 envfile=/etc/sysconfig/i18n
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session		required	pam_limits.so
+
+# Sets the umask
+# (Replaces UMASK setting in login.defs)
+# Does not seem to have any influence on the umask...
+# needs more testing
+session		optional	pam_umask.so umask=0077
+
+# The following two options report some additional
+# information when a user logs in. sshd also reports
+# this information, so to prevent duplicate messages
+# set in sshd_config:
+# PrintLastLog no
+# PrintMotd no
+# (Replaces the `LASTLOG_ENAB' and `MOTD_FILE' options
+# from login.defs)
+session		optional	pam_lastlog.so
+session		optional	pam_motd.so
+
+# Prints the status of the user's mailbox upon succesful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session		optional	pam_mail.so standard
+
+# Create home dir if it does not exist on login
+session		required	pam_mkhomedir.so skel=/etc/skel/ umask=0022
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context.
+# Uncomment the following line to enable SELinux
+# session required pam_selinux.so select_context
+# Did NOT test this:
+# session         required        pam_unix.so
+
+session		required	pam_unix.so
+</pre><p></p>
+</div>
+
+<div style="padding: 0 1.5em; text-align: justify;">
+<p>And last the password section:</p>
+</div>
+
+<div style="padding: 0 1.5em; text-align: left;">
+<pre>
+# Alternate strength checking for password. Note that this
+# requires the libpam-cracklib package to be installed.
+# You will need to comment out the password line above and
+# uncomment the next two in order to use this.
+# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
+#
+
+# This is NOT tested
+
+password	required	pam_cracklib.so retry=3 minlen=6 difok=3
+password	required	pam_unix.so use_authtok nullok md5
+password        required        pam_deny.so
+</pre><p></p>
+</div>
+
+<div style="padding: 0 1.5em; text-align: justify;">
+<h4>Example: migrate to ldap</h4>
+<p>This section builds on the previous one, but adds LDAP  support. We 
+assume that users having a UID above 500 are in LDAP and all others are 
+in the default files (passwd, shadow, group). The password for the users
+ in LDAP is also placed in LDAP.</p>
+
+<p>One extra feature supported is the fact that we need to be able to 
+login to our servers with a normal unix account (root) when there is 
+trouble with LDAP.</p>
+
+<p>Let's start with the auth section:</p>
+</div>
+
+<div style="padding: 0 1.5em; text-align: left;">
+<pre>
+auth		required	pam_env.so
+auth		optional	pam_faildelay.so delay=3000000
+auth		requisite	pam_nologin.so
+auth       [success=ok ignore=ignore user_unknown=ignore default=die]  pam_securetty.so
+auth		required	pam_shells.so
+auth		optional	pam_issue.so issue=/etc/issue
+auth		optional	pam_group.so
+
+# We assume that UIDs above 500 are in LDAP
+# If LDAP fails we want to still be able to login through local accounts
+auth            sufficient      pam_unix.so nullok
+auth		requisite	pam_succeed_if.so uid &gt;= 500 quiet
+auth		sufficient	pam_ldap.so use_first_pass
+auth            required        pam_deny.so
+
+</pre><p></p>
+</div>
+
+<div style="padding: 0 1.5em; text-align: justify;">
+<p>Next we adjust the account section:</p>
+</div>
+
+<div style="padding: 0 1.5em; text-align: left;">
+<pre>
+account		requisite	pam_time.so
+account		required	pam_access.so
+
+# If the user id is below 500 end the account section, if LDAP failes
+# we can still login with a local account
+account         required        pam_unix.so
+account		sufficient	pam_succeed_if.so uid &lt; 500 quit
+account	[default=bad success=ok user_unknown=ignore] pam_ldap.so
+account         required        pam_permit.so
+</pre><p></p>
+</div>
+
+<div style="padding: 0 1.5em; text-align: justify;">
+<p>Then the session section:</p>
+</div>
+
+<div style="padding: 0 1.5em; text-align: left;">
+<pre>
+session		required	pam_env.so readenv=1 envfile=/etc/environment
+session		required	pam_env.so readenv=1 envfile=/etc/sysconfig/i18n
+session		required	pam_limits.so
+session		optional	pam_umask.so umask=0077
+session		optional	pam_lastlog.so
+session		optional	pam_motd.so
+session		optional	pam_mail.so standard
+session		required	pam_mkhomedir.so skel=/etc/skel/ umask=0022
+
+session		required	pam_unix.so
+</pre><p></p>
+</div>
+
+<div style="padding: 0 1.5em; text-align: justify;">
+<p>And last the password section:</p>
+</div>
+
+<div style="padding: 0 1.5em; text-align: left;">
+<pre>
+# This is NOT tested
+# We need pam_ldap.so to set the password in LDAP
+# Additional rules we might need:
+# password    sufficient    pam_unix.so md5 obscure min=4 max=8 nullok try_first_pass
+# password    sufficient    pam_ldap.so
+
+password	required	pam_cracklib.so retry=3 minlen=6 difok=3
+password	sufficient	pam_unix.so use_authtok md5
+password	required	pam_ldap.so use_authtok
+password        required        pam_deny.so
+</pre><p></p>
+</div>
+
+<div style="padding: 0 1.5em; text-align: justify;">
+<h4>Example: add kerberos support</h4>
+<p>Only tested with LDAP, kerberos still needs testing.</p>
+
+<p>This example expands the above one, with kerberos. The users above 
+UID 500 are still in LDAP, but their password is stored in kerberos.</p>
+
+<p>NOTE: Debian supplies: <a href="http://www.eyrie.org/%7Eeagle/software/pam-krb5/">http://www.eyrie.org/~eagle/software/pam-krb5/</a><br>
+RHEL supplies: <a href="http://people.redhat.com/nalin/pam_krb5/">http://people.redhat.com/nalin/pam_krb5/</a></p>
+</div>
+
+<div style="padding: 0 1.5em; text-align: left;">
+<pre>
+auth		required	pam_env.so
+auth		optional	pam_faildelay.so delay=3000000
+auth		requisite	pam_nologin.so
+auth [success=ok ignore=ignore user_unknown=ignore default=die]  pam_securetty.so
+auth		required	pam_shells.so
+auth		optional	pam_issue.so issue=/etc/issue
+auth		optional	pam_group.so
+
+# pam_ldap.so is in here for migration purposes, when all your
+# users are kerberized you can remove the pam_ldap.so line
+auth		sufficient	pam_unix.so nullok try_first_pass
+auth		requisite	pam_succeed_if.so uid &gt;= 500 quiet
+auth            sufficient      pam_ldap.so use_first_pass
+auth		sufficient	pam_krb5.so use_first_pass
+auth		required	pam_deny.so
+
+account		requisite	pam_time.so
+account		required	pam_access.so
+
+account		sufficient	pam_unix.so broken_shadow
+account		sufficient	pam_succeed_if.so uid &lt; 500 quiet
+account		required	pam_ldap.so
+account	[default=bad success=ok user_unknown=ignore] pam_krb5.so
+account		required	pam_permit.so
+
+session		required	pam_env.so readenv=1 envfile=/etc/environment
+session		required	pam_env.so readenv=1 envfile=/etc/sysconfig/i18n
+session		required	pam_limits.so
+session		optional	pam_umask.so umask=0077
+session		optional	pam_lastlog.so
+session		optional	pam_motd.so
+session		optional	pam_mail.so standard
+session		required	pam_mkhomedir.so skel=/etc/skel/ umask=0022
+
+# pam_ldap.so for session?
+session		optional	pam_keyinit.so revoke
+session		required	pam_unix.so
+session		optional	pam_krb5.so minimum_uid=500
+
+# Set password in krb database
+password	requisite	pam_cracklib.so try_first_pass retry=3
+password	sufficient	pam_unix.so md5 shadow nullok use_authtok
+password	required	pam_krb5.so use_authtok clear_on_fail
+password	required	pam_deny.so
+</pre>
+</div>
+</body>
+</html>
Index: 4.8.1/doc/pam_wheel.txt
===================================================================
--- 4.8.1/doc/pam_wheel.txt	(nonexistent)
+++ 4.8.1/doc/pam_wheel.txt	(revision 5)
@@ -0,0 +1,27 @@
+
+Protect su with pam_wheel:
+=========================
+
+You need to add a new group "wheel" to your system.
+
+   # addgroup --system wheel
+
+Add users that should be able to su to this group.
+
+   # usermod -a -G wheel user1
+
+Then add the following line to /etc/pam.d/su:
+
+   auth requisite pam_wheel.so group=wheel
+
+Other users will not be able to become root, they
+ willget a denied message if they try to become root.
+
+test1@deby:~$ su -
+su: Permission denied
+
+If you want wheel members to be able to su without
+a password add the following.
+
+   auth sufficient pam_wheel.so group=wheel trust use_uid
+.
Index: 4.8.1/doc
===================================================================
--- 4.8.1/doc	(nonexistent)
+++ 4.8.1/doc	(revision 5)

Property changes on: 4.8.1/doc
___________________________________________________________________
Added: svn:ignore
## -0,0 +1,73 ##
+
+# install dir
+dist
+
+# Target build dirs
+.a1x-newlib
+.a2x-newlib
+.at91sam7s-newlib
+
+.build-machine
+
+.a1x-glibc
+.a2x-glibc
+.h3-glibc
+.h5-glibc
+.i586-glibc
+.i686-glibc
+.imx6-glibc
+.jz47xx-glibc
+.makefile
+.am335x-glibc
+.omap543x-glibc
+.p5600-glibc
+.power8-glibc
+.power8le-glibc
+.power9-glibc
+.power9le-glibc
+.m1000-glibc
+.riscv64-glibc
+.rk328x-glibc
+.rk33xx-glibc
+.rk339x-glibc
+.s8xx-glibc
+.s9xx-glibc
+.x86_64-glibc
+
+# Hidden files (each file)
+.makefile
+.dist
+.rootfs
+
+# src & hw requires
+.src_requires
+.src_requires_depend
+.requires
+.requires_depend
+
+# Tarballs
+*.gz
+*.bz2
+*.lz
+*.xz
+*.tgz
+*.txz
+
+# Signatures
+*.asc
+*.sig
+*.sign
+*.sha1sum
+
+# Patches
+*.patch
+
+# Descriptions
+*.dsc
+*.txt
+
+# Default linux config files
+*.defconfig
+
+# backup copies
+*~
Index: 4.8.1/etc/pam.d/chage
===================================================================
--- 4.8.1/etc/pam.d/chage	(nonexistent)
+++ 4.8.1/etc/pam.d/chage	(revision 5)
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth            sufficient      pam_rootok.so
+account         required        pam_permit.so
+password        include         system-auth
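Review bot: The auth stack here is a single `sufficient` rule, so refusing a non-root caller depends on how the PAM library resolves a stack in which no rule returned success, not on anything written in the file. Ending the auth section with `auth            required        pam_deny.so` would make the root-only intent explicit; a successful `pam_rootok.so` still short-circuits before it. The same four lines are added for chgpasswd, chpasswd, groupadd, groupdel, groupmems, groupmod, newusers, useradd, userdel and usermod, so the point applies to each of them. `account required pam_permit.so` also means no account restriction is checked for these tools, which looks deliberate but deserves a one-line comment.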
Index: 4.8.1/etc/pam.d/chgpasswd
===================================================================
--- 4.8.1/etc/pam.d/chgpasswd	(nonexistent)
+++ 4.8.1/etc/pam.d/chgpasswd	(revision 5)
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth            sufficient      pam_rootok.so
+account         required        pam_permit.so
+password        include         system-auth
Index: 4.8.1/etc/pam.d/chpasswd
===================================================================
--- 4.8.1/etc/pam.d/chpasswd	(nonexistent)
+++ 4.8.1/etc/pam.d/chpasswd	(revision 5)
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth            sufficient      pam_rootok.so
+account         required        pam_permit.so
+password        include         system-auth
Index: 4.8.1/etc/pam.d/groupadd
===================================================================
--- 4.8.1/etc/pam.d/groupadd	(nonexistent)
+++ 4.8.1/etc/pam.d/groupadd	(revision 5)
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth            sufficient      pam_rootok.so
+account         required        pam_permit.so
+password        include         system-auth
Index: 4.8.1/etc/pam.d/groupdel
===================================================================
--- 4.8.1/etc/pam.d/groupdel	(nonexistent)
+++ 4.8.1/etc/pam.d/groupdel	(revision 5)
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth            sufficient      pam_rootok.so
+account         required        pam_permit.so
+password        include         system-auth
Index: 4.8.1/etc/pam.d/groupmems
===================================================================
--- 4.8.1/etc/pam.d/groupmems	(nonexistent)
+++ 4.8.1/etc/pam.d/groupmems	(revision 5)
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth            sufficient      pam_rootok.so
+account         required        pam_permit.so
+password        include         system-auth
Index: 4.8.1/etc/pam.d/groupmod
===================================================================
--- 4.8.1/etc/pam.d/groupmod	(nonexistent)
+++ 4.8.1/etc/pam.d/groupmod	(revision 5)
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth            sufficient      pam_rootok.so
+account         required        pam_permit.so
+password        include         system-auth
Index: 4.8.1/etc/pam.d/newusers
===================================================================
--- 4.8.1/etc/pam.d/newusers	(nonexistent)
+++ 4.8.1/etc/pam.d/newusers	(revision 5)
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth            sufficient      pam_rootok.so
+account         required        pam_permit.so
+password        include         system-auth
Index: 4.8.1/etc/pam.d/other
===================================================================
--- 4.8.1/etc/pam.d/other	(nonexistent)
+++ 4.8.1/etc/pam.d/other	(revision 5)
@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth       include      system-auth
+account    include      system-auth
+password   include      system-auth
+session    include      system-auth
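Review bot: `other` is the fallback PAM consults for any service that has no file of its own under /etc/pam.d, and these four `include system-auth` lines hand every such service the full password-login stack. The usual hardening is a deny-by-default fallback: `auth required pam_deny.so`, optionally preceded by `auth required pam_warn.so` so the attempt is logged, with the same pair repeated for account, password and session. Services that need authentication then have to ship their own file, so a missing or misnamed config fails closed instead of silently accepting logins.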
Index: 4.8.1/etc/pam.d/passwd
===================================================================
--- 4.8.1/etc/pam.d/passwd	(nonexistent)
+++ 4.8.1/etc/pam.d/passwd	(revision 5)
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth            include         system-auth
+account         include         system-auth
+password        include         system-auth
+session         include         system-auth
Index: 4.8.1/etc/pam.d/postlogin
===================================================================
--- 4.8.1/etc/pam.d/postlogin	(nonexistent)
+++ 4.8.1/etc/pam.d/postlogin	(revision 5)
@@ -0,0 +1,4 @@
+#%PAM-1.0
+session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+session     [default=1]   pam_lastlog.so nowtmp showfailed
+session     optional      pam_lastlog.so silent noupdate showfailed
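Review bot: The two bracketed controls rely on jump counts (`success=1`, `default=1`) that are only correct while these three rules stay adjacent and in this order, and the file has no comment saying so. As written, services other than gdm*/su* skip the second rule and run the `silent noupdate showfailed` variant, while gdm*/su* run the `nowtmp showfailed` rule and then skip the third. A header comment such as `# NOTE: the first two rules use skip counts; do not insert or reorder lines here` would protect against an edit that silently changes which pam_lastlog rule runs.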
Index: 4.8.1/etc/pam.d/su
===================================================================
--- 4.8.1/etc/pam.d/su	(nonexistent)
+++ 4.8.1/etc/pam.d/su	(revision 5)
@@ -0,0 +1,11 @@
+#%PAM-1.0
+auth            sufficient      pam_rootok.so
+# Uncomment the following line to implicitly trust users in the "wheel" group.
+#auth           sufficient      pam_wheel.so trust use_uid
+# Uncomment the following line to require a user to be in the "wheel" group.
+#auth           required        pam_wheel.so use_uid
+auth            include         system-auth
+account         include         system-auth
+password        include         system-auth
+session         include         system-auth
+session         optional        pam_xauth.so
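Review bot: Both pam_wheel rules ship commented out, so any local account may attempt su and only the password check in system-auth stands in the way; system-auth as added in this commit has no delay or lockout module. The commented examples also disagree with doc/pam_wheel.txt from the same commit, which recommends `auth requisite pam_wheel.so group=wheel`, whereas here the rule is `required pam_wheel.so use_uid` with no `group=`. Aligning the two, and saying in the comment that the wheel restriction is disabled by default, would make the shipped policy clear to whoever installs the package. The comment on the `trust` line could also state plainly that it lets wheel members become root without a password.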
Index: 4.8.1/etc/pam.d/su-l
===================================================================
--- 4.8.1/etc/pam.d/su-l	(nonexistent)
+++ 4.8.1/etc/pam.d/su-l	(revision 5)
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth            include         su
+account         include         su
+password        include         su
+session         optional        pam_keyinit.so force revoke
+session         include         su
Index: 4.8.1/etc/pam.d/system-auth
===================================================================
--- 4.8.1/etc/pam.d/system-auth	(nonexistent)
+++ 4.8.1/etc/pam.d/system-auth	(revision 5)
@@ -0,0 +1,69 @@
+#%PAM-1.0
+#
+# Most of these PAM modules have man pages included, like 
+# pam_unix(8) for example.
+#
+
+##################
+# Authentication #
+##################
+#
+auth        required      pam_env.so
+auth        optional      pam_group.so
+auth        required      pam_unix.so likeauth nullok
+-auth       optional      pam_gnome_keyring.so
+
+##################
+# Account checks #
+##################
+#
+# Only root can login if file /etc/nologin exists.
+# This is equivalent to NOLOGINS_FILE on login.defs
+#
+account     required      pam_nologin.so
+#
+# Enable restrictions by time, specified in /etc/security/time.conf
+# This is equivalent to PORTTIME_CHECKS_ENAB on login.defs
+#
+account     required      pam_time.so           
+account     required      pam_unix.so
+account     sufficient    pam_succeed_if.so uid < 100 quiet
+account     required      pam_permit.so
+
+#############################
+# Password quality checking #
+#############################
+#
+# Please note that unless cracklib and libpwquality are installed, setting
+# passwords will not work unless the lines for the pam_pwquality module are
+# commented out and the line for the traditional no-quality-check password
+# changing is uncommented.
+#
+# The pam_pwquality module will check the quality of a user-supplied password
+# against the dictionary installed for cracklib. Other tests are (or may be)
+# done as well - see: man pam_pwquality
+#
+# Default password quality checking with pam_pwquality. If you don't want
+# password quality checking, comment out these two lines and uncomment the
+# traditional password handling line below.
+password    requisite     pam_pwquality.so minlen=6 retry=3
+password    sufficient    pam_unix.so nullok sha512 shadow minlen=6 try_first_pass use_authtok
+
+# Traditional password handling without pam_pwquality password checking.
+# Commented out by default to use the two pam_pwquality lines above.
+#password    sufficient    pam_unix.so nullok sha512 shadow minlen=6
+
+# ATTENTION: always keep this line for pam_deny.so:
+password    required      pam_deny.so
+
+#########################
+# Session Configuration #
+#########################
+#
+# This applies the limits specified in /etc/security/limits.conf
+#
+session     required      pam_limits.so
+session     required      pam_unix.so
+#session     required      pam_lastlog.so showfailed
+#session     optional      pam_mail.so standard
+-session     optional      pam_gnome_keyring.so auto_start
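Review bot: `nullok` on the auth rule (`auth required pam_unix.so likeauth nullok`) lets an account with an empty password field authenticate, and because `other`, `passwd` and `su` in this commit all include system-auth, that applies to every service falling back to those stacks. Unless passwordless accounts are intended, the rule could be `auth        required      pam_unix.so likeauth`, with `nullok` likewise dropped from the password rule. `minlen=6` on both pam_pwquality and pam_unix is a weak floor for a system-wide default and deserves a comment or a higher value. Separately, `account sufficient pam_succeed_if.so uid < 100 quiet` is followed directly by `account required pam_permit.so`, so it appears to have no effect on the result and could be removed or explained.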
Index: 4.8.1/etc/pam.d/useradd
===================================================================
--- 4.8.1/etc/pam.d/useradd	(nonexistent)
+++ 4.8.1/etc/pam.d/useradd	(revision 5)
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth            sufficient      pam_rootok.so
+account         required        pam_permit.so
+password        include         system-auth
Index: 4.8.1/etc/pam.d/userdel
===================================================================
--- 4.8.1/etc/pam.d/userdel	(nonexistent)
+++ 4.8.1/etc/pam.d/userdel	(revision 5)
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth            sufficient      pam_rootok.so
+account         required        pam_permit.so
+password        include         system-auth
Index: 4.8.1/etc/pam.d/usermod
===================================================================
--- 4.8.1/etc/pam.d/usermod	(nonexistent)
+++ 4.8.1/etc/pam.d/usermod	(revision 5)
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth            sufficient      pam_rootok.so
+account         required        pam_permit.so
+password        include         system-auth
Index: 4.8.1/etc/pam.d
===================================================================
--- 4.8.1/etc/pam.d	(nonexistent)
+++ 4.8.1/etc/pam.d	(revision 5)

Property changes on: 4.8.1/etc/pam.d
___________________________________________________________________
Added: svn:ignore
## -0,0 +1,73 ##
+
+# install dir
+dist
+
+# Target build dirs
+.a1x-newlib
+.a2x-newlib
+.at91sam7s-newlib
+
+.build-machine
+
+.a1x-glibc
+.a2x-glibc
+.h3-glibc
+.h5-glibc
+.i586-glibc
+.i686-glibc
+.imx6-glibc
+.jz47xx-glibc
+.makefile
+.am335x-glibc
+.omap543x-glibc
+.p5600-glibc
+.power8-glibc
+.power8le-glibc
+.power9-glibc
+.power9le-glibc
+.m1000-glibc
+.riscv64-glibc
+.rk328x-glibc
+.rk33xx-glibc
+.rk339x-glibc
+.s8xx-glibc
+.s9xx-glibc
+.x86_64-glibc
+
+# Hidden files (each file)
+.makefile
+.dist
+.rootfs
+
+# src & hw requires
+.src_requires
+.src_requires_depend
+.requires
+.requires_depend
+
+# Tarballs
+*.gz
+*.bz2
+*.lz
+*.xz
+*.tgz
+*.txz
+
+# Signatures
+*.asc
+*.sig
+*.sign
+*.sha1sum
+
+# Patches
+*.patch
+
+# Descriptions
+*.dsc
+*.txt
+
+# Default linux config files
+*.defconfig
+
+# backup copies
+*~
Index: 4.8.1/etc
===================================================================
--- 4.8.1/etc	(nonexistent)
+++ 4.8.1/etc	(revision 5)

Property changes on: 4.8.1/etc
___________________________________________________________________
Added: svn:ignore
## -0,0 +1,73 ##
+
+# install dir
+dist
+
+# Target build dirs
+.a1x-newlib
+.a2x-newlib
+.at91sam7s-newlib
+
+.build-machine
+
+.a1x-glibc
+.a2x-glibc
+.h3-glibc
+.h5-glibc
+.i586-glibc
+.i686-glibc
+.imx6-glibc
+.jz47xx-glibc
+.makefile
+.am335x-glibc
+.omap543x-glibc
+.p5600-glibc
+.power8-glibc
+.power8le-glibc
+.power9-glibc
+.power9le-glibc
+.m1000-glibc
+.riscv64-glibc
+.rk328x-glibc
+.rk33xx-glibc
+.rk339x-glibc
+.s8xx-glibc
+.s9xx-glibc
+.x86_64-glibc
+
+# Hidden files (each file)
+.makefile
+.dist
+.rootfs
+
+# src & hw requires
+.src_requires
+.src_requires_depend
+.requires
+.requires_depend
+
+# Tarballs
+*.gz
+*.bz2
+*.lz
+*.xz
+*.tgz
+*.txz
+
+# Signatures
+*.asc
+*.sig
+*.sign
+*.sha1sum
+
+# Patches
+*.patch
+
+# Descriptions
+*.dsc
+*.txt
+
+# Default linux config files
+*.defconfig
+
+# backup copies
+*~
Index: 4.8.1/license/LICENSE
===================================================================
--- 4.8.1/license/LICENSE	(nonexistent)
+++ 4.8.1/license/LICENSE	(revision 5)
@@ -0,0 +1,31 @@
+/*
+ * Copyright (c) 1990 - 1994, Julianne Frances Haugh
+ * Copyright (c) 1996 - 2000, Marek Michałkiewicz
+ * Copyright (c) 2001 - 2006, Tomasz Kłoczko
+ * Copyright (c) 2007 - 2009, Nicolas François
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the copyright holders or contributors may not be used to
+ *    endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
Index: 4.8.1/license
===================================================================
--- 4.8.1/license	(nonexistent)
+++ 4.8.1/license	(revision 5)

Property changes on: 4.8.1/license
___________________________________________________________________
Added: svn:ignore
## -0,0 +1,73 ##
+
+# install dir
+dist
+
+# Target build dirs
+.a1x-newlib
+.a2x-newlib
+.at91sam7s-newlib
+
+.build-machine
+
+.a1x-glibc
+.a2x-glibc
+.h3-glibc
+.h5-glibc
+.i586-glibc
+.i686-glibc
+.imx6-glibc
+.jz47xx-glibc
+.makefile
+.am335x-glibc
+.omap543x-glibc
+.p5600-glibc
+.power8-glibc
+.power8le-glibc
+.power9-glibc
+.power9le-glibc
+.m1000-glibc
+.riscv64-glibc
+.rk328x-glibc
+.rk33xx-glibc
+.rk339x-glibc
+.s8xx-glibc
+.s9xx-glibc
+.x86_64-glibc
+
+# Hidden files (each file)
+.makefile
+.dist
+.rootfs
+
+# src & hw requires
+.src_requires
+.src_requires_depend
+.requires
+.requires_depend
+
+# Tarballs
+*.gz
+*.bz2
+*.lz
+*.xz
+*.tgz
+*.txz
+
+# Signatures
+*.asc
+*.sig
+*.sign
+*.sha1sum
+
+# Patches
+*.patch
+
+# Descriptions
+*.dsc
+*.txt
+
+# Default linux config files
+*.defconfig
+
+# backup copies
+*~
Index: 4.8.1/scripts/adduser
===================================================================
--- 4.8.1/scripts/adduser	(nonexistent)
+++ 4.8.1/scripts/adduser	(revision 5)
@@ -0,0 +1,454 @@
+#!/bin/bash
+#
+# Copyright 1995  Hrvoje Dogan, Croatia.
+# Copyright 2002-2004, 2008, 2009, 2010  Stuart Winter, Surrey, England, UK.
+# Copyright 2004, 2008-2010  Slackware Linux, Inc., Concord, CA, USA
+# Copyright 2012  Patrick J. Volkerding, Sebeka, MN, USA
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+#  THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
+#  WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+#  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO
+#  EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+#  PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+#  OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+#  OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+#  ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+#
+##########################################################################
+# Program: /usr/sbin/adduser
+# Purpose: Interactive front end to /usr/sbin/useradd for Slackware Linux
+# Author : Stuart Winter <mozes@slackware.com>
+#          Based on the original Slackware adduser by Hrvoje Dogan
+#          with modifications by Patrick Volkerding
+# Version: 1.16
+##########################################################################
+# Usage..: adduser [<new_user_name>]
+##########################################################################
+# History #
+###########
+# v1.17 - 2019-04-01
+#       * Re-invoking input requests when human error causes failure. <ttk>
+#         qv: https://www.linuxquestions.org/questions/slackware-14/adduser-shell-script-error-4175650984/
+# v1.16 - 2018-07-22
+#       * Added input group. <pjv>
+# v1.15 - 2012-09-13
+#       * Added scanner group, which may be required by third party drivers.
+# v1.14 - 2012-08-24
+#       * Added lp group, which is now required for scanning. <pjv>
+# v1.13 - 13/01/10
+#       * Fixed bug that removed underscore characters from UNIX group names.
+#         Thanks to mRgOBLIN for the report and Jim Hawkins for the fix. <sw>
+# v1.12 - 21/07/09
+#       * Adjusted the search of /etc/passwd to exclude the NIS inclusion
+#        string.  Thanks to Dominik L. Borkowski.
+# v1.11 - 04/06/09
+#       * Add power and netdev to the suggested group list
+# v1.10 - 24/03/08
+#       * To facilitate use of the automatic mounting features of HAL,
+#         allow the admin to easily add users to the default groups:
+#         audio,cdrom,video,plugdev,floppy.
+#         The default is not to add new users to these groups.
+#         And by the way, this script is "useradd from Slackware" not
+#         "superadduser from Gentoo" ;-)
+# v1.09 - 07/06/04 
+#       * Added standard Slackware script licence to the head of this file.
+# v1.08 - 25/04/04
+#       * Disallow user names that begin with a numeric because useradd 
+#         (from shadow v4.03) does not allow them. <sw>
+# v1.07 - 07/03/03
+#       * When supplying a null string for the uid (meaning 'Choose next available'), 
+#         if there were file names in the range 'a-z' in the pwd then the 
+#         egrep command considered these files rather than the null string. 
+#         The egrep expression is now in quotes.  
+#         Reported & fixed by Vadim O. Ustiansky <sw>
+# v1.06 - 31/03/03
+#       * Ask to chown user.group the home directory if it already exists.
+#         This helps reduce later confusion when adding users whose home dir
+#         already exists (mounted partition for example) and is owned
+#         by a user other than the user to which the directory is being
+#         assigned as home.  Default is not to chown.
+#         Brought to my attention by mRgOBLIN. <sw>
+# v1.05 - 04/01/03
+#       * Advise & prevent users from creating logins with '.' characters
+#         in the user name. <sw>
+#       * Made pending account creation info look neater <sw>
+# v1.04 - 09/06/02
+#       * Catered for shadow-4.0.3's 'useradd' binary that no longer
+#         will let you create a user that has any uppercase chars in it
+#         This was reported on the userlocal.org forums
+#         by 'xcp' - thanks. <sw,pjv>
+# v1.03 - 20/05/02
+#       * Support 'broken' (null lines in) /etc/passwd and 
+#         /etc/group files <sw>       
+#       * For recycling UIDs (default still 'off'), we now look in 
+#         /etc/login.defs for the UID_MIN value and use it
+#         If not found then default to 1000 <sw>
+# v1.02 - 10/04/02
+#       * Fix user-specified UID bug. <pjv>
+# v1.01 - 23/03/02
+#       * Match Slackware indenting style, simplify. <pjv>
+# v1.00 - 22/03/02
+#       * Created
+#######################################################################
+
+# Path to files
+pfile=/etc/passwd
+gfile=/etc/group
+sfile=/etc/shells
+
+# Paths to binaries
+useradd=/usr/sbin/useradd
+chfn=/usr/bin/chfn
+passwd=/usr/bin/passwd
+chmod=/bin/chmod
+
+# Defaults
+defhome=/home
+defshell=/bin/bash
+defchmod=711 # home dir permissions - may be preferable to use 701, however.
+defgroup=users 
+AGID="audio cdrom floppy input lp netdev plugdev power scanner video" # additional groups for desktop users
+
+# Determine what the minimum UID is (for UID recycling)
+# (we ignore it if it's not at the beginning of the line (i.e. commented out with #))
+export recycleUIDMIN="$(grep ^UID_MIN /etc/login.defs | awk '{print $2}' 2>/dev/null)"
+# If we couldn't find it, set it to the default of 1000
+if [ -z "$recycleUIDMIN" ]; then
+   export recycleUIDMIN=1000  # this is the default from Slackware's /etc/login.defs
+fi
+
+
+# This setting enables the 'recycling' of older unused UIDs.
+# When you userdel a user, it removes it from passwd and shadow but it will
+# never get used again unless you specify it expliticly -- useradd (appears to) just
+# look at the last line in passwd and increment the uid. I like the idea of 
+# recycling uids but you may have very good reasons not to (old forgotten
+# confidential files still on the system could then be owned by this new user).
+# We'll set this to no because this is what the original adduser shell script
+# did and it's what users expect.
+recycleuids=no
+
+# Function to read keyboard input.
+# bash1 is broken (even ash will take read -ep!), so we work around
+# it (even though bash1 is no longer supported on Slackware).
+function get_input() { 
+  local output
+  if [ "`echo $BASH_VERSION | cut -b1`" = "1" ]; then
+    echo -n "${1} " >&2 # fudge for use with bash v1
+    read output
+  else # this should work with any other /bin/sh
+    read -ep "${1} " output
+  fi
+  echo $output
+}
+
+# Function to display the account info
+function display () {
+  local goose
+  goose="$(echo $2 | cut -d ' ' -f 2-)"  # lop off the prefixed argument useradd needs
+  echo -n "$1 "
+  # If it's null then display the 'other' information
+  if [ -z "$goose" -a ! -z "$3" ]; then 
+    echo "$3" 
+  else 
+    echo "$goose" 
+  fi
+}
+
+# Function to check whether groups exist in the /etc/group file
+function check_group () {
+  local got_error group
+  if [ ! -z "$@" ]; then  
+  for group in $@ ; do
+    local uid_not_named="" uid_not_num=""
+    grep -v "$^" $gfile | awk -F: '{print $1}' | grep "^${group}$" >/dev/null 2>&1 || uid_not_named=yes  
+    grep -v "$^" $gfile | awk -F: '{print $3}' | grep "^${group}$" >/dev/null 2>&1 || uid_not_num=yes
+    if [ ! -z "$uid_not_named" -a ! -z "$uid_not_num" ]; then
+      echo "- Group '$group' does not exist"
+      got_error=yes
+    fi
+  done
+  fi
+  # Return exit code of 1 if at least one of the groups didn't exist
+  if [ ! -z "$got_error" ]; then
+    return 1
+  fi
+}   
+
+#: Read the login name for the new user :#
+#
+# Remember that most Mail Transfer Agents are case independant, so having
+# 'uSer' and 'user' may cause confusion/things to break. Because of this,
+# useradd from shadow-4.0.3 no longer accepts usernames containing uppercase,
+# and we must reject them, too.
+
+# Set the login variable to the command line param
+echo
+LOGIN="$1"
+needinput=yes
+while [ ! -z $needinput ]; do
+  if [ -z "$LOGIN" ]; then 
+    while [ -z "$LOGIN" ]; do
+      LOGIN="$(get_input "Login name for new user []:")"
+    done
+  fi
+  grep "^${LOGIN}:" $pfile >/dev/null 2>&1  # ensure it's not already used
+  if [ $? -eq 0 ]; then
+    echo "- User '$LOGIN' already exists; please choose another"
+    unset LOGIN
+  elif [ ! -z "$( echo $LOGIN | grep "^[0-9]" )" ]; then
+    echo "- User names cannot begin with a number; please choose another"
+    unset LOGIN
+  elif [ ! "$LOGIN" = "`echo $LOGIN | tr A-Z a-z`" ]; then # useradd does not allow uppercase
+    echo "- User '$LOGIN' contains illegal characters (uppercase); please choose another"
+    unset LOGIN
+  elif [ ! -z "$( echo $LOGIN | grep '\.' )" ]; then
+    echo "- User '$LOGIN' contains illegal characters (period/dot); please choose another"
+    unset LOGIN
+  else
+    unset needinput
+  fi
+done
+
+# Display the user name passed from the shell if it hasn't changed
+if [ "$1" = "$LOGIN" ]; then
+  echo "Login name for new user: $LOGIN"
+fi
+
+#: Get the UID for the user & ensure it's not already in use :#
+#
+# Whilst we _can_ allow users with identical UIDs, it's not a 'good thing' because
+# when you change password for the uid, it finds the first match in /etc/passwd 
+# which isn't necessarily the correct user
+#
+echo
+needinput=yes
+while [ ! -z "$needinput" ]; do
+  _UID="$(get_input "User ID ('UID') [ defaults to next available ]:")"
+  egrep -v "^$|^\+" $pfile | awk -F: '{print $3}' | grep "^${_UID}$" >/dev/null 2>&1
+  if [ $? -eq 0 ]; then
+    echo "- That UID is already in use; please choose another"
+  elif [ ! -z "$(echo $_UID | egrep '[A-Za-z]')" ]; then
+    echo "- UIDs are numerics only"         
+  else
+    unset needinput
+  fi
+done
+# If we were given a UID, then syntax up the variable to pass to useradd
+if [ ! -z "$_UID" ]; then 
+  U_ID="-u ${_UID}"
+else
+  # Will we be recycling UIDs?
+  if [ "$recycleuids" = "yes" ]; then
+    U_ID="-u $(awk -F: '{uid[$3]=1} END { for (i=ENVIRON["recycleUIDMIN"];i in uid;i++);print i}' $pfile)"
+  fi   
+fi
+
+#: Get the initial group for the user & ensure it exists :#
+#
+# We check /etc/group for both the text version and the group ID number 
+echo
+needinput=yes
+while [ ! -z "$needinput" ]; do
+  GID="$(get_input "Initial group [ ${defgroup} ]:")"
+  check_group "$GID"
+  if [ $? -gt 0 ]; then
+    echo "- Please choose another"
+  else
+    unset needinput 
+  fi
+done
+# Syntax the variable ready for useradd
+if [ -z "$GID" ]; then
+  GID="-g ${defgroup}"
+else
+  GID="-g ${GID}"
+fi
+
+#: Get additional groups for the user :#
+#
+echo "Additional UNIX groups:"
+echo
+echo "Users can belong to additional UNIX groups on the system."
+echo "For local users using graphical desktop login managers such"
+echo "as XDM/KDM, users may need to be members of additional groups"
+echo "to access the full functionality of removable media devices."
+echo
+echo "* Security implications *"
+echo "Please be aware that by adding users to additional groups may"
+echo "potentially give access to the removable media of other users."
+echo
+echo "If you are creating a new user for remote shell access only,"
+echo "users do not need to belong to any additional groups as standard,"
+echo "so you may press ENTER at the next prompt."
+echo
+needinput=yes
+while [ ! -z "$needinput" ]; do
+  history -c
+  history -s "$AGID"
+  echo "Press ENTER to continue without adding any additional groups"
+  echo "Or press the UP arrow key to add/select/edit additional groups"
+  AGID="$(get_input ": " | sed 's/[^A-Za-z0-9 _]//g;s/  */ /g;s/^ $//g' )"
+  if [ ! -z "$AGID" ]; then
+    check_group "$AGID" # check all groups at once (treated as N # of params)
+    if [ $? -gt 0 ]; then
+      echo "- Please re-enter the group(s)"
+      echo
+    else
+      unset needinput # we found all groups specified
+      AGID="-G $(echo $AGID | tr ' ' ,)" # useradd takes comma delimited groups
+    fi
+  else
+    unset needinput # we don't *have* to have additional groups
+  fi
+done
+
+#: Get the new user's home dir :#
+#       
+echo
+needinput=yes
+while [ ! -z "$needinput" ]; do
+  HME="$(get_input "Home directory [ ${defhome}/${LOGIN} ]")"
+  if [ -z "$HME" ]; then
+    HME="${defhome}/${LOGIN}"
+  fi 
+  # Warn the user if the home dir already exists
+  if [ -d "$HME" ]; then
+    echo "- Warning: '$HME' already exists !"
+    getyn="$(get_input "  Do you wish to change the home directory path ? (Y/n) ")"
+    if [ "$(echo $getyn | grep -i "n")" ]; then
+      unset needinput
+      # You're most likely going to only do this if you have the dir *mounted* for this user's $HOME
+      getyn="$(get_input "  Do you want to chown $LOGIN.$( echo $GID | awk '{print $2}') $HME ? (y/N) ")"
+      if [ "$(echo $getyn | grep -i "y")" ]; then
+         CHOWNHOMEDIR=$HME # set this to the home directory
+      fi
+    fi
+  else
+    unset needinput
+  fi
+done           
+HME="-d ${HME}"  
+    
+#: Get the new user's shell :#
+echo
+needinput=yes
+while [ ! -z "$needinput" ]; do
+  unset got_error
+  SHL="$(get_input "Shell [ ${defshell} ]")"
+  if [ -z "$SHL" ]; then
+    SHL="${defshell}"
+  fi 
+  # Warn the user if the shell doesn't exist in /etc/shells or as a file
+  if [ -z "$(grep "^${SHL}$" $sfile)" ]; then
+    echo "- Warning: ${SHL} is not in ${sfile} (potential problem using FTP)"
+    got_error=yes
+  fi
+  if [ ! -f "$SHL" ]; then
+    echo "- Warning: ${SHL} does not exist as a file"
+    got_error=yes
+  fi
+  if [ ! -z "$got_error" ]; then
+    getyn="$(get_input "  Do you wish to change the shell ? (Y/n) ")"
+    if [ "$(echo $getyn | grep -i "n")" ]; then
+      unset needinput
+    fi
+  else
+    unset needinput
+  fi
+done           
+SHL="-s ${SHL}"
+
+#: Get the expiry date :#
+echo
+needinput=yes
+while [ ! -z "$needinput" ]; do
+  EXP="$(get_input "Expiry date (YYYY-MM-DD) []:")"
+  if [ ! -z "$EXP" ]; then
+    # Check to see whether the expiry date is in the valid format
+    if [ -z "$(echo "$EXP" | grep "^[[:digit:]]\{4\}[-]\?[[:digit:]]\{2\}[-]\?[[:digit:]]\{2\}$")" ]; then
+      echo "- That is not a valid expiration date"
+    else
+      unset needinput 
+      EXP="-e ${EXP}" 
+    fi
+  else
+    unset needinput
+  fi
+done
+
+# Display the info about the new impending account
+echo
+echo "New account will be created as follows:"
+echo
+echo "---------------------------------------"
+display "Login name.......: " "$LOGIN"
+display "UID..............: " "$_UID" "[ Next available ]"
+display "Initial group....: " "$GID"
+display "Additional groups: " "$AGID" "[ None ]"
+display "Home directory...: " "$HME"
+display "Shell............: " "$SHL"
+display "Expiry date......: " "$EXP" "[ Never ]"
+echo
+
+echo "This is it... if you want to bail out, hit Control-C.  Otherwise, press"
+echo "ENTER to go ahead and make the account."
+read junk
+
+echo
+echo "Creating new account..."
+echo
+echo
+
+# Add the account to the system
+CMD="$useradd "$HME" -m "$EXP" "$U_ID" "$GID" "$AGID" "$SHL" "$LOGIN""
+$CMD
+
+if [ $? -gt 0 ]; then
+  echo "- Error running useradd command -- account not created!"
+  echo "(cmd: $CMD)"
+  exit 1
+fi
+
+# chown the home dir? We can only do this once the useradd has
+# completed otherwise the user name doesn't exist.
+if [ ! -z "${CHOWNHOMEDIR}" ]; then
+  chown "$LOGIN"."$( echo $GID | awk '{print $2}')" "${CHOWNHOMEDIR}"
+fi
+
+# Set the finger information
+$chfn "$LOGIN"
+while [ $? -gt 0 ]; do
+  echo "- Warning: an error occurred while setting finger information."
+  echo "           Please try again."
+  $chfn "$LOGIN"
+done
+
+# Set a password
+$passwd "$LOGIN"
+while [ $? -gt 0 ]; do
+  echo "- Warning: An error occured while setting the password for"
+  echo "           this account. Please try again."
+  $passwd "$LOGIN"
+done
+
+# If it was created (it should have been!), set the permissions for that user's dir 
+HME="$(echo "$HME" | awk '{print $2}')"  # We have to remove the -g prefix
+if [ -d "$HME" ]; then
+  $chmod $defchmod "$HME"
+fi
+
+echo
+echo
+echo "Account setup complete."
+exit 0
Index: 4.8.1/scripts/login.defs.pam
===================================================================
--- 4.8.1/scripts/login.defs.pam	(nonexistent)
+++ 4.8.1/scripts/login.defs.pam	(revision 5)
@@ -0,0 +1,287 @@
+#
+# /etc/login.defs - Configuration control definitions for the shadow package.
+#
+#	$Id: login.defs 3038 2009-07-23 20:41:35Z nekral-guest $
+#
+
+#
+# Delay in seconds before being allowed another attempt after a login failure
+#
+FAIL_DELAY		3
+
+#
+# Enable display of unknown usernames when login failures are recorded.
+#
+LOG_UNKFAIL_ENAB	no
+
+#
+# Enable logging of successful logins
+#
+LOG_OK_LOGINS		no
+
+#
+# Enable "syslog" logging of su activity - in addition to sulog file logging.
+# SYSLOG_SG_ENAB does the same for newgrp and sg.
+#
+SYSLOG_SU_ENAB		yes
+SYSLOG_SG_ENAB		yes
+
+#
+# If defined, either full pathname of a file containing device names or
+# a ":" delimited list of device names.  Root logins will be allowed only
+# upon these devices.
+#
+CONSOLE		/etc/securetty
+#CONSOLE	console:tty01:tty02:tty03:tty04
+
+#
+# If defined, all su activity is logged to this file.
+#
+#SULOG_FILE	/var/log/sulog
+
+#
+# If defined, file which maps tty line to TERM environment parameter.
+# Each line of the file is in a format something like "vt100  tty01".
+#
+#TTYTYPE_FILE	/etc/ttytype
+
+#
+# If defined, the command name to display when running "su -".  For
+# example, if this is defined as "su" then a "ps" will display the
+# command is "-su".  If not defined, then "ps" would display the
+# name of the shell actually being run, e.g. something like "-sh".
+#
+SU_NAME		su
+
+#
+# *REQUIRED*
+#   Directory where mailboxes reside, _or_ name of file, relative to the
+#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
+#
+MAIL_DIR	/var/spool/mail
+#MAIL_FILE	.mail
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence.  If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file.  If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+HUSHLOGIN_FILE	.hushlogin
+#HUSHLOGIN_FILE	/etc/hushlogins
+
+#
+# *REQUIRED*  The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+ENV_SUPATH     PATH=/usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ENV_PATH       PATH=/usr/local/bin:/bin:/usr/bin
+
+#
+# Terminal permissions
+#
+#	TTYGROUP	Login tty will be assigned this group ownership.
+#	TTYPERM		Login tty will be set to this permission.
+#
+# If you have a "write" program which is "setgid" to a special group
+# which owns the terminals, define TTYGROUP to the group number and
+# TTYPERM to 0620.  Otherwise leave TTYGROUP commented out and assign
+# TTYPERM to either 622 or 600.
+#
+TTYGROUP	tty
+TTYPERM		0620
+
+#
+# Login configuration initializations:
+#
+#	ERASECHAR	Terminal ERASE character ('\010' = backspace).
+#	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
+#
+# The ERASECHAR and KILLCHAR are used only on System V machines.
+# (now it works with setrlimit too; ulimit is in 512-byte units)
+#
+# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
+#
+ERASECHAR	0177
+KILLCHAR	025
+
+#
+# Default initial "umask" value used by login(1) on non-PAM enabled systems.
+# Default "umask" value for pam_umask(8) on PAM enabled systems.
+# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
+# home directories if HOME_MODE is not set.
+# 022 is the default value, but 027, or even 077, could be considered
+# for increased privacy. There is no One True Answer here: each sysadmin
+# must make up their mind.
+UMASK           022
+
+#
+# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+# home directories.
+# If HOME_MODE is not set, the value of UMASK is used to create the mode.
+#HOME_MODE      0700
+
+#
+# Password aging controls:
+#
+#	PASS_MAX_DAYS	Maximum number of days a password may be used.
+#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
+#	PASS_WARN_AGE	Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS	99999
+PASS_MIN_DAYS	0
+PASS_WARN_AGE	7
+
+#
+# Min/max values for automatic uid selection in useradd
+#
+UID_MIN			 1000
+UID_MAX			60000
+# System accounts
+SYS_UID_MIN		  101
+SYS_UID_MAX		  999
+
+#
+# Min/max values for automatic gid selection in groupadd
+#
+GID_MIN			 1000
+GID_MAX			60000
+# System accounts
+SYS_GID_MIN		  101
+SYS_GID_MAX		  999
+
+#
+# Max number of login retries if password is bad
+#
+LOGIN_RETRIES		5
+
+#
+# Max time in seconds for login
+#
+LOGIN_TIMEOUT		60
+
+#
+# Which fields may be changed by regular users using chfn - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone).  If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+# 
+CHFN_RESTRICT		frwh
+
+#
+# Only works if compiled with MD5_CRYPT defined:
+# If set to "yes", new passwords will be encrypted using the MD5-based
+# algorithm compatible with the one used by recent releases of FreeBSD.
+# It supports passwords of unlimited length and longer salt strings.
+# Set to "no" if you need to copy encrypted passwords to other systems
+# which don't understand the new algorithm.  Default is "no".
+#
+# This variable is deprecated. You should use ENCRYPT_METHOD.
+#
+#MD5_CRYPT_ENAB	no
+
+#
+# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
+# If set to MD5 , MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+# Overrides the MD5_CRYPT_ENAB option
+#
+ENCRYPT_METHOD SHA256
+
+#
+# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
+#
+# Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute forcing the password.
+# But note also that it more CPU resources will be needed to authenticate
+# users.
+#
+# If not specified, the libc will choose the default number of rounds (5000).
+# The values must be inside the 1000-999999999 range.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+#SHA_CRYPT_MIN_ROUNDS 5000
+#SHA_CRYPT_MAX_ROUNDS 5000
+
+#
+# Only works if ENCRYPT_METHOD is set to BCRYPT.
+#
+# Define the number of BCRYPT rounds.
+# With a lot of rounds, it is more difficult to brute-force the password.
+# However, more CPU resources will be needed to authenticate users if
+# this value is increased.
+#
+# If not specified, 13 rounds will be attempted.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+#BCRYPT_MIN_ROUNDS 13
+#BCRYPT_MAX_ROUNDS 13
+
+#
+# List of groups to add to the user's supplementary group set
+# when logging in on the console (as determined by the CONSOLE
+# setting).  Default is none.
+#
+# Use with caution - it is possible for users to gain permanent
+# access to these groups, even when not logged in on the console.
+# How to do it is left as an exercise for the reader...
+#
+# Most of these groups are self-explanatory, but in the case of
+# "lp", it is because group lp is needed to use a scanner that
+# is part of a multifunction printer.
+#
+# Note that users are added to these default groups only when
+# logging into a shell with /bin/login, not when using a login
+# manager such as kdm.  In that case, users who should have
+# hardware access must be added to the appropriate groups
+# when the user is added with adduser or useradd, or by editing
+# /etc/group directly, preferably using "vigr"
+#
+CONSOLE_GROUPS         floppy:audio:cdrom:video:lp:scanner
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default in no.
+#
+DEFAULT_HOME	yes
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD	/usr/sbin/userdel_local
+
+#
+# Enable setting of the umask group bits to be the same as owner bits
+# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
+# the same as gid, and username is the same as the primary group name.
+#
+# This also enables userdel to remove user groups if no members exist.
+#
+USERGROUPS_ENAB yes
+
+#
+# If set to a non-nul number, the shadow utilities will make sure that
+# groups never have more than this number of users on one line.
+# This permit to support split groups (groups split into multiple lines,
+# with the same group ID, to avoid limitation of the line length in the
+# group file).
+#
+# 0 is the default value and disables this feature.
+#
+#MAX_MEMBERS_PER_GROUP	0
+
+#
+# If useradd should create home directories for users by default (non
+# system users only)
+# This option is overridden with the -M or -m flags on the useradd command
+# line.
+#
+#CREATE_HOME     yes
+
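Review bot: `ENCRYPT_METHOD SHA256` is set while `SHA_CRYPT_MIN_ROUNDS` and `SHA_CRYPT_MAX_ROUNDS` stay commented out, so new hashes get the libc default of 5000 rounds that the comment above them describes. Since the file lists SHA512 as supported, I would use `ENCRYPT_METHOD SHA512` and uncomment the two rounds settings with a value above the default, sized to the slowest board this package targets. On a PAM build the hash actually used by passwd may come from the pam_unix options in the pam.d files, which are not in this hunk, so those should be checked to agree. The same setting appears in login.defs.shadow in this commit and the same change applies there.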
Index: 4.8.1/scripts/login.defs.shadow
===================================================================
--- 4.8.1/scripts/login.defs.shadow	(nonexistent)
+++ 4.8.1/scripts/login.defs.shadow	(revision 5)
@@ -0,0 +1,422 @@
+#
+# /etc/login.defs - Configuration control definitions for the shadow package.
+#
+#	$Id: login.defs 3038 2009-07-23 20:41:35Z nekral-guest $
+#
+
+#
+# Delay in seconds before being allowed another attempt after a login failure
+#
+FAIL_DELAY		3
+
+#
+# Enable logging and display of /var/log/faillog login failure info.
+#
+FAILLOG_ENAB		yes
+
+#
+# Enable display of unknown usernames when login failures are recorded.
+#
+LOG_UNKFAIL_ENAB	no
+
+#
+# Enable logging of successful logins
+#
+LOG_OK_LOGINS		no
+
+#
+# Enable logging and display of /var/log/lastlog login time info.
+#
+LASTLOG_ENAB		yes
+
+#
+# Limit the highest user ID number for which the lastlog entries should
+# be updated.
+#
+# No LASTLOG_UID_MAX means that there is no user ID limit for writing
+# lastlog entries.
+#
+#LASTLOG_UID_MAX
+
+#
+# Enable checking and display of mailbox status upon login.
+#
+# Disable if the shell startup files already check for mail
+# ("mailx -e" or equivalent).
+#
+MAIL_CHECK_ENAB		yes
+
+#
+# Enable additional checks upon password changes.
+#
+OBSCURE_CHECKS_ENAB	yes
+
+#
+# Enable checking of time restrictions specified in /etc/porttime.
+#
+PORTTIME_CHECKS_ENAB	yes
+
+#
+# Enable setting of ulimit, umask, and niceness from passwd gecos field.
+#
+QUOTAS_ENAB		yes
+
+#
+# Enable "syslog" logging of su activity - in addition to sulog file logging.
+# SYSLOG_SG_ENAB does the same for newgrp and sg.
+#
+SYSLOG_SU_ENAB		yes
+SYSLOG_SG_ENAB		yes
+
+#
+# If defined, either full pathname of a file containing device names or
+# a ":" delimited list of device names.  Root logins will be allowed only
+# upon these devices.
+#
+CONSOLE		/etc/securetty
+#CONSOLE	console:tty01:tty02:tty03:tty04
+
+#
+# If defined, all su activity is logged to this file.
+#
+#SULOG_FILE	/var/log/sulog
+
+#
+# If defined, ":" delimited list of "message of the day" files to
+# be displayed upon login.
+#
+MOTD_FILE	/etc/motd
+#MOTD_FILE	/etc/motd:/usr/lib/news/news-motd
+
+#
+# If defined, this file will be output before each login prompt.
+#
+#ISSUE_FILE	/etc/issue
+
+#
+# If defined, file which maps tty line to TERM environment parameter.
+# Each line of the file is in a format something like "vt100  tty01".
+#
+#TTYTYPE_FILE	/etc/ttytype
+
+#
+# If defined, login failures will be logged here in a utmp format.
+# last, when invoked as lastb, will read /var/log/btmp, so...
+#
+FTMP_FILE	/var/log/btmp
+
+#
+# If defined, name of file whose presence which will inhibit non-root
+# logins.  The contents of this file should be a message indicating
+# why logins are inhibited.
+#
+NOLOGINS_FILE	/etc/nologin
+
+#
+# If defined, the command name to display when running "su -".  For
+# example, if this is defined as "su" then a "ps" will display the
+# command is "-su".  If not defined, then "ps" would display the
+# name of the shell actually being run, e.g. something like "-sh".
+#
+SU_NAME		su
+
+#
+# *REQUIRED*
+#   Directory where mailboxes reside, _or_ name of file, relative to the
+#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
+#
+MAIL_DIR	/var/spool/mail
+#MAIL_FILE	.mail
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence.  If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file.  If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+HUSHLOGIN_FILE	.hushlogin
+#HUSHLOGIN_FILE	/etc/hushlogins
+
+#
+# If defined, either a TZ environment parameter spec or the
+# fully-rooted pathname of a file containing such a spec.
+#
+#ENV_TZ		TZ=CST6CDT
+#ENV_TZ		/etc/tzname
+
+#
+# If defined, an HZ environment parameter spec.
+#
+# for Linux/x86
+ENV_HZ		HZ=100
+# For Linux/Alpha...
+#ENV_HZ		HZ=1024
+
+#
+# *REQUIRED*  The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+ENV_SUPATH     PATH=/usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ENV_PATH       PATH=/usr/local/bin:/bin:/usr/bin
+
+#
+# Terminal permissions
+#
+#	TTYGROUP	Login tty will be assigned this group ownership.
+#	TTYPERM		Login tty will be set to this permission.
+#
+# If you have a "write" program which is "setgid" to a special group
+# which owns the terminals, define TTYGROUP to the group number and
+# TTYPERM to 0620.  Otherwise leave TTYGROUP commented out and assign
+# TTYPERM to either 622 or 600.
+#
+TTYGROUP	tty
+TTYPERM		0620
+
+#
+# Login configuration initializations:
+#
+#	ERASECHAR	Terminal ERASE character ('\010' = backspace).
+#	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
+#	ULIMIT		Default "ulimit" value.
+#
+# The ERASECHAR and KILLCHAR are used only on System V machines.
+# The ULIMIT is used only if the system supports it.
+# (now it works with setrlimit too; ulimit is in 512-byte units)
+#
+# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
+#
+ERASECHAR	0177
+KILLCHAR	025
+#ULIMIT		2097152
+
+#
+# Default initial "umask" value used by login(1) on non-PAM enabled systems.
+# Default "umask" value for pam_umask(8) on PAM enabled systems.
+# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
+# home directories if HOME_MODE is not set.
+# 022 is the default value, but 027, or even 077, could be considered
+# for increased privacy. There is no One True Answer here: each sysadmin
+# must make up their mind.
+UMASK		022
+
+#
+# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+# home directories.
+# If HOME_MODE is not set, the value of UMASK is used to create the mode.
+#HOME_MODE      0700
+
+#
+# Password aging controls:
+#
+#	PASS_MAX_DAYS	Maximum number of days a password may be used.
+#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
+#	PASS_MIN_LEN	Minimum acceptable password length.
+#	PASS_WARN_AGE	Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS	99999
+PASS_MIN_DAYS	0
+PASS_MIN_LEN	5
+PASS_WARN_AGE	7
+
+#
+# If "yes", the user must be listed as a member of the first gid 0 group
+# in /etc/group (called "root" on most Linux systems) to be able to "su"
+# to uid 0 accounts.  If the group doesn't exist or is empty, no one
+# will be able to "su" to uid 0.
+#
+SU_WHEEL_ONLY	no
+
+#
+# If compiled with cracklib support, where are the dictionaries
+#
+#CRACKLIB_DICTPATH	/var/cache/cracklib/cracklib_dict
+
+#
+# Min/max values for automatic uid selection in useradd
+#
+UID_MIN			 1000
+UID_MAX			60000
+# System accounts
+SYS_UID_MIN		  101
+SYS_UID_MAX		  999
+
+#
+# Min/max values for automatic gid selection in groupadd
+#
+GID_MIN			 1000
+GID_MAX			60000
+# System accounts
+SYS_GID_MIN		  101
+SYS_GID_MAX		  999
+
+#
+# Max number of login retries if password is bad
+#
+LOGIN_RETRIES		5
+
+#
+# Max time in seconds for login
+#
+LOGIN_TIMEOUT		60
+
+#
+# Maximum number of attempts to change password if rejected (too easy)
+#
+PASS_CHANGE_TRIES	5
+
+#
+# Warn about weak passwords (but still allow them) if you are root.
+#
+PASS_ALWAYS_WARN	yes
+
+#
+# Number of significant characters in the password for crypt().
+# Default is 8, don't change unless your crypt() is better.
+# Ignored if MD5_CRYPT_ENAB set to "yes".
+#
+#PASS_MAX_LEN		8
+
+#
+# Require password before chfn/chsh can make any changes.
+#
+CHFN_AUTH		yes
+
+#
+# Which fields may be changed by regular users using chfn - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone).  If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+# 
+CHFN_RESTRICT		frwh
+
+#
+# Password prompt (%s will be replaced by user name).
+#
+# XXX - it doesn't work correctly yet, for now leave it commented out
+# to use the default which is just "Password: ".
+#LOGIN_STRING		"%s's Password: "
+
+#
+# Only works if compiled with MD5_CRYPT defined:
+# If set to "yes", new passwords will be encrypted using the MD5-based
+# algorithm compatible with the one used by recent releases of FreeBSD.
+# It supports passwords of unlimited length and longer salt strings.
+# Set to "no" if you need to copy encrypted passwords to other systems
+# which don't understand the new algorithm.  Default is "no".
+#
+# This variable is deprecated. You should use ENCRYPT_METHOD.
+#
+#MD5_CRYPT_ENAB	no
+
+#
+# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
+# If set to MD5 , MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+# Overrides the MD5_CRYPT_ENAB option
+#
+ENCRYPT_METHOD SHA256
+
+#
+# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
+#
+# Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute forcing the password.
+# But note also that it more CPU resources will be needed to authenticate
+# users.
+#
+# If not specified, the libc will choose the default number of rounds (5000).
+# The values must be inside the 1000-999999999 range.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+#SHA_CRYPT_MIN_ROUNDS 5000
+#SHA_CRYPT_MAX_ROUNDS 5000
+
+#
+# Only works if ENCRYPT_METHOD is set to BCRYPT.
+#
+# Define the number of BCRYPT rounds.
+# With a lot of rounds, it is more difficult to brute-force the password.
+# However, more CPU resources will be needed to authenticate users if
+# this value is increased.
+#
+# If not specified, 13 rounds will be attempted.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+#BCRYPT_MIN_ROUNDS 13
+#BCRYPT_MAX_ROUNDS 13
+
+#
+# List of groups to add to the user's supplementary group set
+# when logging in on the console (as determined by the CONSOLE
+# setting).  Default is none.
+#
+# Use with caution - it is possible for users to gain permanent
+# access to these groups, even when not logged in on the console.
+# How to do it is left as an exercise for the reader...
+#
+# Most of these groups are self-explanatory, but in the case of
+# "lp", it is because group lp is needed to use a scanner that
+# is part of a multifunction printer.
+#
+# Note that users are added to these default groups only when
+# logging into a shell with /bin/login, not when using a login
+# manager such as kdm.  In that case, users who should have
+# hardware access must be added to the appropriate groups
+# when the user is added with adduser or useradd, or by editing
+# /etc/group directly, preferably using "vigr"
+#
+CONSOLE_GROUPS         floppy:audio:cdrom:video:lp:scanner
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default in no.
+#
+DEFAULT_HOME	yes
+
+#
+# If this file exists and is readable, login environment will be
+# read from it.  Every line should be in the form name=value.
+#
+ENVIRON_FILE	/etc/environment
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD	/usr/sbin/userdel_local
+
+#
+# Enable setting of the umask group bits to be the same as owner bits
+# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
+# the same as gid, and username is the same as the primary group name.
+#
+# This also enables userdel to remove user groups if no members exist.
+#
+USERGROUPS_ENAB yes
+
+#
+# If set to a non-nul number, the shadow utilities will make sure that
+# groups never have more than this number of users on one line.
+# This permit to support split groups (groups split into multiple lines,
+# with the same group ID, to avoid limitation of the line length in the
+# group file).
+#
+# 0 is the default value and disables this feature.
+#
+#MAX_MEMBERS_PER_GROUP	0
+
+#
+# If useradd should create home directories for users by default (non
+# system users only)
+# This option is overridden with the -M or -m flags on the useradd command
+# line.
+#
+#CREATE_HOME     yes
+
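Review bot: `PASS_MIN_LEN 5` in the password aging block accepts five-character passwords, and `PASS_ALWAYS_WARN yes` further down only warns root about a weak password instead of refusing it. The adduser script added in this commit sets the initial password by calling `$passwd "$LOGIN"`, presumably as root, so a new account can start with a password that the quality checks flagged but did not block. I would raise the minimum, for example `PASS_MIN_LEN 8`, and add a comment next to `PASS_ALWAYS_WARN` stating that root-set passwords bypass enforcement.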
Index: 4.8.1/scripts
===================================================================
--- 4.8.1/scripts	(nonexistent)
+++ 4.8.1/scripts	(revision 5)

Property changes on: 4.8.1/scripts
___________________________________________________________________
Added: svn:ignore
## -0,0 +1,73 ##
+
+# install dir
+dist
+
+# Target build dirs
+.a1x-newlib
+.a2x-newlib
+.at91sam7s-newlib
+
+.build-machine
+
+.a1x-glibc
+.a2x-glibc
+.h3-glibc
+.h5-glibc
+.i586-glibc
+.i686-glibc
+.imx6-glibc
+.jz47xx-glibc
+.makefile
+.am335x-glibc
+.omap543x-glibc
+.p5600-glibc
+.power8-glibc
+.power8le-glibc
+.power9-glibc
+.power9le-glibc
+.m1000-glibc
+.riscv64-glibc
+.rk328x-glibc
+.rk33xx-glibc
+.rk339x-glibc
+.s8xx-glibc
+.s9xx-glibc
+.x86_64-glibc
+
+# Hidden files (each file)
+.makefile
+.dist
+.rootfs
+
+# src & hw requires
+.src_requires
+.src_requires_depend
+.requires
+.requires_depend
+
+# Tarballs
+*.gz
+*.bz2
+*.lz
+*.xz
+*.tgz
+*.txz
+
+# Signatures
+*.asc
+*.sig
+*.sign
+*.sha1sum
+
+# Patches
+*.patch
+
+# Descriptions
+*.dsc
+*.txt
+
+# Default linux config files
+*.defconfig
+
+# backup copies
+*~
Index: 4.8.1/shadow-pkg-description.in
===================================================================
--- 4.8.1/shadow-pkg-description.in	(nonexistent)
+++ 4.8.1/shadow-pkg-description.in	(revision 5)
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description.  Line
+# up the first '|' above the ':' following the base package name, and the '|'
+# on the right side marks the last column you can put a character in.  You must
+# make exactly 11 lines for the formatting to be correct.  It's also
+# customary to leave one space after the ':'.
+
+      |-----handy-ruler------------------------------------------------------|
+shadow: shadow @VERSION@ (shadow password suite)
+shadow:
+shadow: This package includes the necessary programs for handling
+shadow: account information in the shadow password format, plus programs
+shadow: for managing user and group accounts. It was written by Julianne
+shadow: Frances Haugh and the Linux port is maintained by Tomasz Kloczko.
+shadow:
+shadow: Homepage: https://github.com/shadow-maint/shadow
+shadow:
+shadow:
+shadow:
Index: 4.8.1/shadow-pkg-install.sh
===================================================================
--- 4.8.1/shadow-pkg-install.sh	(nonexistent)
+++ 4.8.1/shadow-pkg-install.sh	(revision 5)
@@ -0,0 +1,67 @@
+#!/bin/sh
+
+# Preserve new files
+install_file() {
+  NEW="$1"
+  OLD="`dirname $NEW`/`basename $NEW .new`"
+  # If there's no file by that name, mv it over:
+  if [ ! -r $OLD ]; then
+    mv $NEW $OLD
+  elif [ "`cat $OLD | md5sum`" = "`cat $NEW | md5sum`" ]; then # toss the redundant copy
+    rm $NEW
+  fi
+  # Otherwise, we leave the .new copy for the admin to consider...
+}
+
+
+# arg 1:  the new package version
+pre_install() {
+  /bin/true
+}
+
+# arg 1:  the new package version
+post_install() {
+  for cfgfile in chage.new chgpasswd.new chpasswd.new groupadd.new groupdel.new groupmems.new groupmod.new newusers.new other.new passwd.new postlogin.new su.new su-l.new system-auth.new useradd.new userdel.new usermod.new ; do
+    if [ -r etc/pam.d/$cfgfile ]; then
+      install_file etc/pam.d/$cfgfile
+    fi
+  done
+
+  install_file etc/default/useradd.new
+  install_file etc/login.defs.new
+
+  install_file var/log/faillog.new
+  rm -f var/log/faillog.new
+
+  if [ -r etc/login.access.new ]; then
+    install_file etc/login.access.new
+  fi
+}
+
+# arg 1:  the new package version
+# arg 2:  the old package version
+pre_update() {
+  /bin/true
+}
+
+# arg 1:  the new package version
+# arg 2:  the old package version
+post_update() {
+  post_install
+}
+
+# arg 1:  the old package version
+pre_remove() {
+  /bin/true
+}
+
+# arg 1:  the old package version
+post_remove() {
+  /bin/true
+}
+
+
+operation=$1
+shift
+
+$operation $*
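Review bot: The dispatcher at the end of the script (`operation=$1` … `$operation $*`) runs whatever its first argument names as a command, and `$*` re-splits the remaining arguments on whitespace. The script writes under etc/pam.d and etc/login.defs, so it presumably runs as root and should only dispatch to the six hooks it defines, passing the rest as `"$@"`. If the package tool calls other hook names, add them to the list rather than falling back to the open form. Separately, `install_file` expands `$NEW` and `$OLD` unquoted in `dirname`, `basename`, `[ ! -r $OLD ]`, `mv` and `rm`. Quoting them, and comparing with `cmp -s "$OLD" "$NEW"` instead of two `cat | md5sum` pipelines, would make the PAM config handling robust against unusual paths.

```shell
operation="$1"
shift

# Only the hooks defined in this script may be dispatched.
case "$operation" in
  pre_install|post_install|pre_update|post_update|pre_remove|post_remove)
    "$operation" "$@"
    ;;
  *)
    echo "shadow-pkg-install.sh: unknown operation: $operation" >&2
    exit 1
    ;;
esac
```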

Property changes on: 4.8.1/shadow-pkg-install.sh
___________________________________________________________________
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Index: 4.8.1
===================================================================
--- 4.8.1	(nonexistent)
+++ 4.8.1	(revision 5)

Property changes on: 4.8.1
___________________________________________________________________
Added: svn:ignore
## -0,0 +1,73 ##
+
+# install dir
+dist
+
+# Target build dirs
+.a1x-newlib
+.a2x-newlib
+.at91sam7s-newlib
+
+.build-machine
+
+.a1x-glibc
+.a2x-glibc
+.h3-glibc
+.h5-glibc
+.i586-glibc
+.i686-glibc
+.imx6-glibc
+.jz47xx-glibc
+.makefile
+.am335x-glibc
+.omap543x-glibc
+.p5600-glibc
+.power8-glibc
+.power8le-glibc
+.power9-glibc
+.power9le-glibc
+.m1000-glibc
+.riscv64-glibc
+.rk328x-glibc
+.rk33xx-glibc
+.rk339x-glibc
+.s8xx-glibc
+.s9xx-glibc
+.x86_64-glibc
+
+# Hidden files (each file)
+.makefile
+.dist
+.rootfs
+
+# src & hw requires
+.src_requires
+.src_requires_depend
+.requires
+.requires_depend
+
+# Tarballs
+*.gz
+*.bz2
+*.lz
+*.xz
+*.tgz
+*.txz
+
+# Signatures
+*.asc
+*.sig
+*.sign
+*.sha1sum
+
+# Patches
+*.patch
+
+# Descriptions
+*.dsc
+*.txt
+
+# Default linux config files
+*.defconfig
+
+# backup copies
+*~
Index: .
===================================================================
--- .	(nonexistent)
+++ .	(revision 5)

Property changes on: .
___________________________________________________________________
Added: svn:ignore
## -0,0 +1,73 ##
+
+# install dir
+dist
+
+# Target build dirs
+.a1x-newlib
+.a2x-newlib
+.at91sam7s-newlib
+
+.build-machine
+
+.a1x-glibc
+.a2x-glibc
+.h3-glibc
+.h5-glibc
+.i586-glibc
+.i686-glibc
+.imx6-glibc
+.jz47xx-glibc
+.makefile
+.am335x-glibc
+.omap543x-glibc
+.p5600-glibc
+.power8-glibc
+.power8le-glibc
+.power9-glibc
+.power9le-glibc
+.m1000-glibc
+.riscv64-glibc
+.rk328x-glibc
+.rk33xx-glibc
+.rk339x-glibc
+.s8xx-glibc
+.s9xx-glibc
+.x86_64-glibc
+
+# Hidden files (each file)
+.makefile
+.dist
+.rootfs
+
+# src & hw requires
+.src_requires
+.src_requires_depend
+.requires
+.requires_depend
+
+# Tarballs
+*.gz
+*.bz2
+*.lz
+*.xz
+*.tgz
+*.txz
+
+# Signatures
+*.asc
+*.sig
+*.sign
+*.sha1sum
+
+# Patches
+*.patch
+
+# Descriptions
+*.dsc
+*.txt
+
+# Default linux config files
+*.defconfig
+
+# backup copies
+*~