summaryrefslogtreecommitdiff
path: root/source/a
diff options
context:
space:
mode:
authorPatrick J Volkerding <volkerdi@slackware.com>2020-02-07 22:32:38 +0000
committerEric Hameleers <alien@slackware.com>2020-02-08 08:59:48 +0100
commit080300e1e7dec7bb1a6297b5a4406e2c0be46048 (patch)
tree4ca397920d9a177af9eb3ca6781e2c8498b3672d /source/a
parent194ec853e8f20fd32d5a91eec74ff77383093f4e (diff)
downloadcurrent-080300e1e7dec7bb1a6297b5a4406e2c0be46048.tar.gz
Fri Feb 7 22:32:38 UTC 202020200207223238
a/kernel-firmware-20200206_5351afe-noarch-1.txz: Upgraded. ap/ghostscript-9.50-x86_64-2.txz: Rebuilt. Recompiled against krb5-1.17.1. ap/gutenprint-5.3.3-x86_64-2.txz: Rebuilt. Recompiled against krb5-1.17.1. ap/nano-4.8-x86_64-1.txz: Upgraded. ap/screen-4.8.0-x86_64-1.txz: Upgraded. ap/vim-8.2.0224-x86_64-1.txz: Upgraded. d/cvs-1.11.23-x86_64-4.txz: Rebuilt. Recompiled against krb5-1.17.1. d/strace-5.5-x86_64-1.txz: Upgraded. kde/kdelibs-4.14.38-x86_64-6.txz: Rebuilt. Recompiled against krb5-1.17.1. l/gtk+2-2.24.32-x86_64-3.txz: Rebuilt. Recompiled against krb5-1.17.1. l/gtk+3-3.24.13-x86_64-2.txz: Rebuilt. Recompiled against krb5-1.17.1. l/libsoup-2.68.3-x86_64-2.txz: Rebuilt. Recompiled against krb5-1.17.1. l/libssh-0.9.3-x86_64-2.txz: Rebuilt. Recompiled against krb5-1.17.1. l/loudmouth-1.5.3-x86_64-4.txz: Rebuilt. Recompiled against krb5-1.17.1. l/neon-0.30.2-x86_64-2.txz: Rebuilt. Recompiled against krb5-1.17.1. n/cifs-utils-6.10-x86_64-2.txz: Rebuilt. Recompiled to build cifs.upcall. n/curl-7.68.0-x86_64-2.txz: Rebuilt. Recompiled against krb5-1.17.1. n/cyrus-sasl-2.1.27-x86_64-2.txz: Rebuilt. Recompiled against krb5-1.17.1. xap/vim-gvim-8.2.0224-x86_64-1.txz: Upgraded.
Diffstat (limited to 'source/a')
-rwxr-xr-xsource/a/libcgroup/libcgroup.SlackBuild12
-rw-r--r--source/a/shadow/doinst.sh23
-rw-r--r--source/a/shadow/login.defs.pam287
-rw-r--r--source/a/shadow/login.defs.shadow (renamed from source/a/shadow/login.defs)0
-rw-r--r--source/a/shadow/pam.d/chage4
-rw-r--r--source/a/shadow/pam.d/chfn4
-rw-r--r--source/a/shadow/pam.d/chgpasswd4
-rw-r--r--source/a/shadow/pam.d/chpasswd4
-rw-r--r--source/a/shadow/pam.d/chsh4
-rw-r--r--source/a/shadow/pam.d/groupadd4
-rw-r--r--source/a/shadow/pam.d/groupdel4
-rw-r--r--source/a/shadow/pam.d/groupmems4
-rw-r--r--source/a/shadow/pam.d/groupmod4
-rw-r--r--source/a/shadow/pam.d/login11
-rw-r--r--source/a/shadow/pam.d/newusers4
-rw-r--r--source/a/shadow/pam.d/other6
-rw-r--r--source/a/shadow/pam.d/passwd5
-rw-r--r--source/a/shadow/pam.d/postlogin4
-rw-r--r--source/a/shadow/pam.d/su11
-rw-r--r--source/a/shadow/pam.d/su-l6
-rw-r--r--source/a/shadow/pam.d/system-auth96
-rw-r--r--source/a/shadow/pam.d/useradd4
-rw-r--r--source/a/shadow/pam.d/userdel4
-rw-r--r--source/a/shadow/pam.d/usermod4
-rwxr-xr-xsource/a/shadow/shadow.SlackBuild55
-rw-r--r--source/a/shadow/shadow.login.display.short.hostname.diff24
-rw-r--r--source/a/shadow/slack-desc12
-rwxr-xr-xsource/a/util-linux/util-linux.SlackBuild13
28 files changed, 596 insertions, 21 deletions
diff --git a/source/a/libcgroup/libcgroup.SlackBuild b/source/a/libcgroup/libcgroup.SlackBuild
index 00fc2be8..e5ff9b4c 100755
--- a/source/a/libcgroup/libcgroup.SlackBuild
+++ b/source/a/libcgroup/libcgroup.SlackBuild
@@ -80,6 +80,15 @@ zcat $CWD/libcgroup.conf.diff.gz | patch -p1 --verbose || exit 1
# Apply combined patches from git, including for an infinate loop bug:
zcat $CWD/libcgroup.loop.diff.gz | patch -p1 --verbose || exit 1
+# Choose correct options depending on whether PAM is installed:
+if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then
+ PAM_OPTIONS="--enable-pam --enable-pam-module-dir=/lib/security"
+ unset SHADOW_OPTIONS
+else
+ unset PAM_OPTIONS
+ SHADOW_OPTIONS="--disable-pam"
+fi
+
chown -R root:root .
find . \
\( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
@@ -97,7 +106,8 @@ CFLAGS="$SLKCFLAGS" \
--libdir=/usr/lib${LIBDIRSUFFIX} \
--mandir=/usr/man \
--infodir=/usr/info \
- --disable-pam \
+ $PAM_OPTIONS \
+ $SHADOW_OPTIONS \
--disable-static \
--build=$ARCH-slackware-linux || exit 1
diff --git a/source/a/shadow/doinst.sh b/source/a/shadow/doinst.sh
index a7bf2ee4..ce3e8116 100644
--- a/source/a/shadow/doinst.sh
+++ b/source/a/shadow/doinst.sh
@@ -10,8 +10,29 @@ config() {
# Otherwise, we leave the .new copy for the admin to consider...
}
+# First, check for PAM:
+if [ -r etc/pam.d/login.new ]; then
+ # If there's an existing /etc/login.defs that contains an obsolete option
+ # intended for a non-pam system, rename it to back it up and allow the
+ # pam-enabled login.defs to be installed automatically:
+ if grep -q "^LASTLOG_ENAB" etc/login.defs 1> /dev/null 2> /dev/null ; then
+ mv etc/login.defs etc/login.defs.non-pam.backup
+ fi
+else # Same thing, but in reverse for a non-pam system:
+ if ! grep -q "^LASTLOG_ENAB" etc/login.defs 1> /dev/null 2> /dev/null ; then
+ mv etc/login.defs etc/login.defs.pam.backup
+ fi
+fi
+
config etc/default/useradd.new
-config etc/login.access.new
config etc/login.defs.new
config var/log/faillog.new
rm -f var/log/faillog.new
+if [ -r etc/login.access.new ]; then
+ config etc/login.access.new
+fi
+for configfile in chage.new chfn.new chgpasswd.new chpasswd.new chsh.new groupadd.new groupdel.new groupmems.new groupmod.new login.new newusers.new other.new passwd.new postlogin.new su-l.new su.new system-auth.new useradd.new userdel.new usermod.new ; do
+ if [ -r etc/pam.d/$configfile ]; then
+ config etc/pam.d/$configfile
+ fi
+done
diff --git a/source/a/shadow/login.defs.pam b/source/a/shadow/login.defs.pam
new file mode 100644
index 00000000..cc15db6a
--- /dev/null
+++ b/source/a/shadow/login.defs.pam
@@ -0,0 +1,287 @@
+#
+# /etc/login.defs - Configuration control definitions for the shadow package.
+#
+# $Id: login.defs 3038 2009-07-23 20:41:35Z nekral-guest $
+#
+
+#
+# Delay in seconds before being allowed another attempt after a login failure
+#
+FAIL_DELAY 3
+
+#
+# Enable display of unknown usernames when login failures are recorded.
+#
+LOG_UNKFAIL_ENAB no
+
+#
+# Enable logging of successful logins
+#
+LOG_OK_LOGINS no
+
+#
+# Enable "syslog" logging of su activity - in addition to sulog file logging.
+# SYSLOG_SG_ENAB does the same for newgrp and sg.
+#
+SYSLOG_SU_ENAB yes
+SYSLOG_SG_ENAB yes
+
+#
+# If defined, either full pathname of a file containing device names or
+# a ":" delimited list of device names. Root logins will be allowed only
+# upon these devices.
+#
+CONSOLE /etc/securetty
+#CONSOLE console:tty01:tty02:tty03:tty04
+
+#
+# If defined, all su activity is logged to this file.
+#
+#SULOG_FILE /var/log/sulog
+
+#
+# If defined, file which maps tty line to TERM environment parameter.
+# Each line of the file is in a format something like "vt100 tty01".
+#
+#TTYTYPE_FILE /etc/ttytype
+
+#
+# If defined, the command name to display when running "su -". For
+# example, if this is defined as "su" then a "ps" will display the
+# command is "-su". If not defined, then "ps" would display the
+# name of the shell actually being run, e.g. something like "-sh".
+#
+SU_NAME su
+
+#
+# *REQUIRED*
+# Directory where mailboxes reside, _or_ name of file, relative to the
+# home directory. If you _do_ define both, MAIL_DIR takes precedence.
+#
+MAIL_DIR /var/spool/mail
+#MAIL_FILE .mail
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence. If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file. If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+HUSHLOGIN_FILE .hushlogin
+#HUSHLOGIN_FILE /etc/hushlogins
+
+#
+# *REQUIRED* The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ENV_PATH PATH=/usr/local/bin:/bin:/usr/bin
+
+#
+# Terminal permissions
+#
+# TTYGROUP Login tty will be assigned this group ownership.
+# TTYPERM Login tty will be set to this permission.
+#
+# If you have a "write" program which is "setgid" to a special group
+# which owns the terminals, define TTYGROUP to the group number and
+# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
+# TTYPERM to either 622 or 600.
+#
+TTYGROUP tty
+TTYPERM 0620
+
+#
+# Login configuration initializations:
+#
+# ERASECHAR Terminal ERASE character ('\010' = backspace).
+# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
+#
+# The ERASECHAR and KILLCHAR are used only on System V machines.
+# (now it works with setrlimit too; ulimit is in 512-byte units)
+#
+# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
+#
+ERASECHAR 0177
+KILLCHAR 025
+
+#
+# Default initial "umask" value used by login(1) on non-PAM enabled systems.
+# Default "umask" value for pam_umask(8) on PAM enabled systems.
+# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
+# home directories if HOME_MODE is not set.
+# 022 is the default value, but 027, or even 077, could be considered
+# for increased privacy. There is no One True Answer here: each sysadmin
+# must make up their mind.
+UMASK 022
+
+#
+# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+# home directories.
+# If HOME_MODE is not set, the value of UMASK is used to create the mode.
+#HOME_MODE 0700
+
+#
+# Password aging controls:
+#
+# PASS_MAX_DAYS Maximum number of days a password may be used.
+# PASS_MIN_DAYS Minimum number of days allowed between password changes.
+# PASS_WARN_AGE Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS 99999
+PASS_MIN_DAYS 0
+PASS_WARN_AGE 7
+
+#
+# Min/max values for automatic uid selection in useradd
+#
+UID_MIN 1000
+UID_MAX 60000
+# System accounts
+SYS_UID_MIN 101
+SYS_UID_MAX 999
+
+#
+# Min/max values for automatic gid selection in groupadd
+#
+GID_MIN 1000
+GID_MAX 60000
+# System accounts
+SYS_GID_MIN 101
+SYS_GID_MAX 999
+
+#
+# Max number of login retries if password is bad
+#
+LOGIN_RETRIES 5
+
+#
+# Max time in seconds for login
+#
+LOGIN_TIMEOUT 60
+
+#
+# Which fields may be changed by regular users using chfn - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone). If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+#
+CHFN_RESTRICT frwh
+
+#
+# Only works if compiled with MD5_CRYPT defined:
+# If set to "yes", new passwords will be encrypted using the MD5-based
+# algorithm compatible with the one used by recent releases of FreeBSD.
+# It supports passwords of unlimited length and longer salt strings.
+# Set to "no" if you need to copy encrypted passwords to other systems
+# which don't understand the new algorithm. Default is "no".
+#
+# This variable is deprecated. You should use ENCRYPT_METHOD.
+#
+#MD5_CRYPT_ENAB no
+
+#
+# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
+# If set to MD5 , MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+# Overrides the MD5_CRYPT_ENAB option
+#
+ENCRYPT_METHOD SHA256
+
+#
+# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
+#
+# Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute forcing the password.
+# But note also that it more CPU resources will be needed to authenticate
+# users.
+#
+# If not specified, the libc will choose the default number of rounds (5000).
+# The values must be inside the 1000-999999999 range.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+#SHA_CRYPT_MIN_ROUNDS 5000
+#SHA_CRYPT_MAX_ROUNDS 5000
+
+#
+# Only works if ENCRYPT_METHOD is set to BCRYPT.
+#
+# Define the number of BCRYPT rounds.
+# With a lot of rounds, it is more difficult to brute-force the password.
+# However, more CPU resources will be needed to authenticate users if
+# this value is increased.
+#
+# If not specified, 13 rounds will be attempted.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+#BCRYPT_MIN_ROUNDS 13
+#BCRYPT_MAX_ROUNDS 13
+
+#
+# List of groups to add to the user's supplementary group set
+# when logging in on the console (as determined by the CONSOLE
+# setting). Default is none.
+#
+# Use with caution - it is possible for users to gain permanent
+# access to these groups, even when not logged in on the console.
+# How to do it is left as an exercise for the reader...
+#
+# Most of these groups are self-explanatory, but in the case of
+# "lp", it is because group lp is needed to use a scanner that
+# is part of a multifunction printer.
+#
+# Note that users are added to these default groups only when
+# logging into a shell with /bin/login, not when using a login
+# manager such as kdm. In that case, users who should have
+# hardware access must be added to the appropriate groups
+# when the user is added with adduser or useradd, or by editing
+# /etc/group directly, preferably using "vigr"
+#
+CONSOLE_GROUPS floppy:audio:cdrom:video:lp:scanner
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default in no.
+#
+DEFAULT_HOME yes
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD /usr/sbin/userdel_local
+
+#
+# Enable setting of the umask group bits to be the same as owner bits
+# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
+# the same as gid, and username is the same as the primary group name.
+#
+# This also enables userdel to remove user groups if no members exist.
+#
+USERGROUPS_ENAB yes
+
+#
+# If set to a non-nul number, the shadow utilities will make sure that
+# groups never have more than this number of users on one line.
+# This permit to support split groups (groups split into multiple lines,
+# with the same group ID, to avoid limitation of the line length in the
+# group file).
+#
+# 0 is the default value and disables this feature.
+#
+#MAX_MEMBERS_PER_GROUP 0
+
+#
+# If useradd should create home directories for users by default (non
+# system users only)
+# This option is overridden with the -M or -m flags on the useradd command
+# line.
+#
+#CREATE_HOME yes
+
diff --git a/source/a/shadow/login.defs b/source/a/shadow/login.defs.shadow
index 022dd36f..022dd36f 100644
--- a/source/a/shadow/login.defs
+++ b/source/a/shadow/login.defs.shadow
diff --git a/source/a/shadow/pam.d/chage b/source/a/shadow/pam.d/chage
new file mode 100644
index 00000000..8f49f5cc
--- /dev/null
+++ b/source/a/shadow/pam.d/chage
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth sufficient pam_rootok.so
+account required pam_permit.so
+password include system-auth
diff --git a/source/a/shadow/pam.d/chfn b/source/a/shadow/pam.d/chfn
new file mode 100644
index 00000000..8f49f5cc
--- /dev/null
+++ b/source/a/shadow/pam.d/chfn
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth sufficient pam_rootok.so
+account required pam_permit.so
+password include system-auth
diff --git a/source/a/shadow/pam.d/chgpasswd b/source/a/shadow/pam.d/chgpasswd
new file mode 100644
index 00000000..8f49f5cc
--- /dev/null
+++ b/source/a/shadow/pam.d/chgpasswd
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth sufficient pam_rootok.so
+account required pam_permit.so
+password include system-auth
diff --git a/source/a/shadow/pam.d/chpasswd b/source/a/shadow/pam.d/chpasswd
new file mode 100644
index 00000000..8f49f5cc
--- /dev/null
+++ b/source/a/shadow/pam.d/chpasswd
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth sufficient pam_rootok.so
+account required pam_permit.so
+password include system-auth
diff --git a/source/a/shadow/pam.d/chsh b/source/a/shadow/pam.d/chsh
new file mode 100644
index 00000000..8f49f5cc
--- /dev/null
+++ b/source/a/shadow/pam.d/chsh
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth sufficient pam_rootok.so
+account required pam_permit.so
+password include system-auth
diff --git a/source/a/shadow/pam.d/groupadd b/source/a/shadow/pam.d/groupadd
new file mode 100644
index 00000000..8f49f5cc
--- /dev/null
+++ b/source/a/shadow/pam.d/groupadd
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth sufficient pam_rootok.so
+account required pam_permit.so
+password include system-auth
diff --git a/source/a/shadow/pam.d/groupdel b/source/a/shadow/pam.d/groupdel
new file mode 100644
index 00000000..8f49f5cc
--- /dev/null
+++ b/source/a/shadow/pam.d/groupdel
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth sufficient pam_rootok.so
+account required pam_permit.so
+password include system-auth
diff --git a/source/a/shadow/pam.d/groupmems b/source/a/shadow/pam.d/groupmems
new file mode 100644
index 00000000..8f49f5cc
--- /dev/null
+++ b/source/a/shadow/pam.d/groupmems
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth sufficient pam_rootok.so
+account required pam_permit.so
+password include system-auth
diff --git a/source/a/shadow/pam.d/groupmod b/source/a/shadow/pam.d/groupmod
new file mode 100644
index 00000000..8f49f5cc
--- /dev/null
+++ b/source/a/shadow/pam.d/groupmod
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth sufficient pam_rootok.so
+account required pam_permit.so
+password include system-auth
diff --git a/source/a/shadow/pam.d/login b/source/a/shadow/pam.d/login
new file mode 100644
index 00000000..eb312199
--- /dev/null
+++ b/source/a/shadow/pam.d/login
@@ -0,0 +1,11 @@
+#%PAM-1.0
+auth required pam_securetty.so
+auth include system-auth
+auth include postlogin
+account required pam_nologin.so
+account include system-auth
+password include system-auth
+session include system-auth
+session include postlogin
+session required pam_loginuid.so
+session optional pam_ck_connector.so nox11
diff --git a/source/a/shadow/pam.d/newusers b/source/a/shadow/pam.d/newusers
new file mode 100644
index 00000000..8f49f5cc
--- /dev/null
+++ b/source/a/shadow/pam.d/newusers
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth sufficient pam_rootok.so
+account required pam_permit.so
+password include system-auth
diff --git a/source/a/shadow/pam.d/other b/source/a/shadow/pam.d/other
new file mode 100644
index 00000000..57282493
--- /dev/null
+++ b/source/a/shadow/pam.d/other
@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth include system-auth
+account include system-auth
+password include system-auth
+session include system-auth
diff --git a/source/a/shadow/pam.d/passwd b/source/a/shadow/pam.d/passwd
new file mode 100644
index 00000000..67f8ff54
--- /dev/null
+++ b/source/a/shadow/pam.d/passwd
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth include system-auth
+account include system-auth
+password include system-auth
+session include system-auth
diff --git a/source/a/shadow/pam.d/postlogin b/source/a/shadow/pam.d/postlogin
new file mode 100644
index 00000000..9777b897
--- /dev/null
+++ b/source/a/shadow/pam.d/postlogin
@@ -0,0 +1,4 @@
+#%PAM-1.0
+session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+session [default=1] pam_lastlog.so nowtmp showfailed
+session optional pam_lastlog.so silent noupdate showfailed
diff --git a/source/a/shadow/pam.d/su b/source/a/shadow/pam.d/su
new file mode 100644
index 00000000..c7c81487
--- /dev/null
+++ b/source/a/shadow/pam.d/su
@@ -0,0 +1,11 @@
+#%PAM-1.0
+auth sufficient pam_rootok.so
+# Uncomment the following line to implicitly trust users in the "wheel" group.
+#auth sufficient pam_wheel.so trust use_uid
+# Uncomment the following line to require a user to be in the "wheel" group.
+#auth required pam_wheel.so use_uid
+auth include system-auth
+account include system-auth
+password include system-auth
+session include system-auth
+session optional pam_xauth.so
diff --git a/source/a/shadow/pam.d/su-l b/source/a/shadow/pam.d/su-l
new file mode 100644
index 00000000..656a139a
--- /dev/null
+++ b/source/a/shadow/pam.d/su-l
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth include su
+account include su
+password include su
+session optional pam_keyinit.so force revoke
+session include su
diff --git a/source/a/shadow/pam.d/system-auth b/source/a/shadow/pam.d/system-auth
new file mode 100644
index 00000000..5fa10c80
--- /dev/null
+++ b/source/a/shadow/pam.d/system-auth
@@ -0,0 +1,96 @@
+#%PAM-1.0
+#
+# Most of these PAM modules have man pages included, like
+# PAM_UNIX(8) for example.
+#
+
+##################
+# Authentication #
+##################
+#
+# To set a limit on failed authentications, the tallying modules
+# can be enabled.
+#
+auth required pam_env.so
+auth required pam_tally2.so
+#
+auth sufficient pam_unix.so likeauth nullok
+auth required pam_deny.so
+auth optional pam_gnome_keyring.so
+
+##################
+# Account checks #
+##################
+#
+# Only root can login if file /etc/nologin exists.
+# This is equivalent to NOLOGINS_FILE on login.defs
+#
+account required pam_nologin.so
+#
+# Enable restrictions by time, specified in /etc/security/time.conf
+# This is equivalent to PORTTIME_CHECKS_ENAB on login.defs
+#
+account required pam_time.so
+account required pam_unix.so
+account sufficient pam_succeed_if.so uid < 100 quiet
+account required pam_permit.so
+
+#####################
+# Password handling #
+#####################
+#
+# If you have CrackLib installed and enabled
+#
+# Passwords will be checked against a huge dictionary and need to
+# have at least 6 characters (cracklib can't use 5). Some options
+# of cracklib modules are:
+#
+# difok Number of characters that needs to be different
+# between old and new characters
+# minlen Password minimal length
+# retry How many times the user can try bad new passwords
+# dcredit,ocredit,ucredit,lcredit
+# Digiti, Others, Uppercase, Lowercase characters
+# Positive numbers marks the max number of credits given
+# by one character class. With dcredit=5 and minlen=6, you
+# can't use a full numeric password because more than 5
+# digit characters doesn't count credits to achieve the
+# minimal length
+# Negative numbers determine that a password needs to have
+# at least N characters
+#
+# You can see many other pam_cracklib options at pam_cracklib(8) manpage
+#
+# Also, the "use_authtok" option for pam_unix is for working with pam_cracklib
+# in sharing the password stack. See pam_unix(8) for more details.
+#
+# If you need to use CrackLib to enforce your passwords, uncomment
+# two statements:
+#password requisite pam_cracklib.so retry=3 minlen=6 \
+# difok=1 dcredit=5 ocredit=5 ucredit=5 lcredit=5
+#password sufficient pam_unix.so nullok sha512 shadow minlen=6 try_first_pass use_authtok
+#
+# --
+# A less intense option for cracklib, is:
+#password requisite pam_cracklib.so retry=3
+#password sufficient pam_unix.so nullok sha512 shadow minlen=6 try_first_pass use_authtok
+# --
+# The default is the "traditional" way without CrackLib.
+# Passwords need to have at least 8 characters. If you are using Cracklib,
+# please comment the next statement.
+password sufficient pam_unix.so nullok sha512 shadow minlen=8
+
+# ATTENTION: keep the line for pam_deny.so
+password required pam_deny.so
+
+#########################
+# Session Configuration #
+#########################
+#
+# This applies the limits specified in /etc/security/limits.conf
+#
+session required pam_limits.so
+session required pam_unix.so
+#session required pam_lastlog.so showfailed
+#session optional pam_mail.so standard
+session optional pam_gnome_keyring.so auto_start
diff --git a/source/a/shadow/pam.d/useradd b/source/a/shadow/pam.d/useradd
new file mode 100644
index 00000000..8f49f5cc
--- /dev/null
+++ b/source/a/shadow/pam.d/useradd
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth sufficient pam_rootok.so
+account required pam_permit.so
+password include system-auth
diff --git a/source/a/shadow/pam.d/userdel b/source/a/shadow/pam.d/userdel
new file mode 100644
index 00000000..8f49f5cc
--- /dev/null
+++ b/source/a/shadow/pam.d/userdel
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth sufficient pam_rootok.so
+account required pam_permit.so
+password include system-auth
diff --git a/source/a/shadow/pam.d/usermod b/source/a/shadow/pam.d/usermod
new file mode 100644
index 00000000..8f49f5cc
--- /dev/null
+++ b/source/a/shadow/pam.d/usermod
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth sufficient pam_rootok.so
+account required pam_permit.so
+password include system-auth
diff --git a/source/a/shadow/shadow.SlackBuild b/source/a/shadow/shadow.SlackBuild
index 4264a24d..360da370 100755
--- a/source/a/shadow/shadow.SlackBuild
+++ b/source/a/shadow/shadow.SlackBuild
@@ -51,12 +51,16 @@ PKG=$TMP/package-shadow
if [ "$ARCH" = "i586" ]; then
SLKCFLAGS="-O2 -march=i586 -mtune=i686"
+ LIBDIRSUFFIX=""
elif [ "$ARCH" = "s390" ]; then
SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
elif [ "$ARCH" = "x86_64" ]; then
SLKCFLAGS="-O2 -fPIC"
+ LIBDIRSUFFIX="64"
else
SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
fi
rm -rf $PKG
@@ -66,6 +70,15 @@ rm -rf shadow-$VERSION
tar xvf $CWD/shadow-$VERSION.tar.xz || exit 1
cd shadow-$VERSION
+# Choose correct options depending on whether PAM is installed:
+if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then
+ PAM_OPTIONS="--with-libpam"
+ unset SHADOW_OPTIONS
+else
+ unset PAM_OPTIONS
+ SHADOW_OPTIONS="--enable-shadowgrp --without-libcrack"
+fi
+
# Apply some patches taken from the svn trunk that
# fix some of the more serious bugs in 4.1.4.3:
for patch in $CWD/patches/*.diff.gz ; do
@@ -109,7 +122,8 @@ CFLAGS="$SLKCFLAGS" \
--enable-man \
--enable-subordinate-ids \
--disable-shared \
- --without-libcrack \
+ $SHADOW_OPTIONS \
+ $PAM_OPTIONS \
--build=$ARCH-slackware-linux
# --enable-utmpx # defaults to 'no'
@@ -134,16 +148,42 @@ mkdir -p $PKG/bin $PKG/sbin
)
mv $PKG/usr/sbin/nologin $PKG/sbin/nologin
+if [ ! -z "$PAM_OPTIONS" ]; then
+ # Don't ship the login utilities. We'll be using the ones from util-linux:
+ for file in /bin/login /bin/su /sbin/runuser /usr/bin/chfn /usr/bin/chsh \
+ /usr/man/man1/chfn.1.gz /usr/man/man1/chsh.1.gz /usr/man/man1/login.1.gz \
+ /usr/man/man1/runuser.1.gz /usr/man/man1/su.1.gz \
+ /usr/share/bash-completion/completions/chfn \
+ /usr/share/bash-completion/completions/chsh \
+ /usr/share/bash-completion/completions/su ; do
+ rm -f $PKG${file}
+ done
+ # Install config files in /etc/pam.d/. We'll use our own copies... I'm not
+ # sure that I trust upstream enough to let them handle this stuff.
+ rm -rf $PKG/etc/pam.d
+ mkdir -p $PKG/etc/pam.d
+ for file in $CWD/pam.d/* ; do
+ cp -a ${file} $PKG/etc/pam.d/
+ done
+ # Ensure correct perms/ownership on files in /etc/pam.d/:
+ chown root:root $PKG/etc/pam.d/*
+ chmod 644 $PKG/etc/pam.d/*
+ # Don't clobber existing config files:
+ find $PKG/etc/pam.d -type f -exec mv {} {}.new \;
+ # Install a login.defs with unsurprising defaults:
+ rm -f $PKG/etc/login.defs
+ zcat $CWD/login.defs.pam.gz > $PKG/etc/login.defs.new
+else # not using PAM
+ mv $PKG/etc/login.access $PKG/etc/login.access.new
+ # Install a login.defs with unsurprising defaults:
+ rm -f $PKG/etc/login.defs
+ zcat $CWD/login.defs.shadow.gz > $PKG/etc/login.defs.new
+fi
+
# /bin/groups is provided by coreutils.
rm -f $PKG/bin/groups
find $PKG -name groups.1 -exec rm {} \+
-# Install a login.defs with unsurprising defaults:
-rm -f $PKG/etc/login.defs
-zcat $CWD/login.defs.gz > $PKG/etc/login.defs.new
-
-mv $PKG/etc/login.access $PKG/etc/login.access.new
-
# I don't think this works well enough to recommend it.
#mv $PKG/etc/limits $PKG/etc/limits.new
rm -f $PKG/etc/limits
@@ -197,4 +237,3 @@ zcat $CWD/doinst.sh.gz > $PKG/install/doinst.sh
cd $PKG
/sbin/makepkg -l y -c n $TMP/shadow-$VERSION-$ARCH-$BUILD.txz
-
diff --git a/source/a/shadow/shadow.login.display.short.hostname.diff b/source/a/shadow/shadow.login.display.short.hostname.diff
index ad5c3eba..53a22f8b 100644
--- a/source/a/shadow/shadow.login.display.short.hostname.diff
+++ b/source/a/shadow/shadow.login.display.short.hostname.diff
@@ -1,5 +1,6 @@
---- ./libmisc/loginprompt.c.orig 2014-03-01 12:59:51.000000000 -0600
-+++ ./libmisc/loginprompt.c 2017-11-21 18:17:27.492000123 -0600
+diff -u -r --new-file shadow-4.8.1.orig/libmisc/loginprompt.c shadow-4.8.1/libmisc/loginprompt.c
+--- shadow-4.8.1.orig/libmisc/loginprompt.c 2019-07-23 10:26:08.000000000 -0500
++++ shadow-4.8.1/libmisc/loginprompt.c 2020-02-06 17:29:43.386954096 -0600
@@ -99,6 +99,15 @@
}
}
@@ -16,3 +17,22 @@
printf (prompt, buf);
(void) fflush (stdout);
}
+diff -u -r --new-file shadow-4.8.1.orig/src/login.c shadow-4.8.1/src/login.c
+--- shadow-4.8.1.orig/src/login.c 2020-01-12 07:58:49.000000000 -0600
++++ shadow-4.8.1/src/login.c 2020-02-06 17:29:33.191954722 -0600
+@@ -761,6 +761,15 @@
+
+ /* Make the login prompt look like we want it */
+ if (gethostname (hostn, sizeof (hostn)) == 0) {
++ /* Trim away everything after the first '.': */
++ int i = 0;
++ while (hostn[i] != '\0' && i < sizeof(hostn) - 1) {
++ if (hostn[i] == '.') {
++ hostn[i] = '\0';
++ break;
++ }
++ i++;
++ }
+ snprintf (loginprompt,
+ sizeof (loginprompt),
+ _("%s login: "), hostn);
diff --git a/source/a/shadow/slack-desc b/source/a/shadow/slack-desc
index 7263ee77..cb249741 100644
--- a/source/a/shadow/slack-desc
+++ b/source/a/shadow/slack-desc
@@ -8,12 +8,12 @@
|-----handy-ruler------------------------------------------------------|
shadow: shadow (shadow password suite)
shadow:
-shadow: This set of login related programs utilizes an alternate, non-readable
-shadow: file to contain the actual encrypted passwords. This is presumed to
-shadow: increase system security by increasing the difficulty with which
-shadow: system crackers obtain encrypted passwords. It was written by
-shadow: Julianne Frances Haugh and the Linux port is maintained by Tomasz
-shadow: Kloczko.
+shadow: This package includes the necessary programs for handling account
+shadow: information in the shadow password format, plus programs for managing
+shadow: user and group accounts. It was written by Julianne Frances Haugh and
+shadow: the Linux port is maintained by Tomasz Kloczko.
shadow:
shadow: Homepage: https://github.com/shadow-maint/shadow
shadow:
+shadow:
+shadow:
diff --git a/source/a/util-linux/util-linux.SlackBuild b/source/a/util-linux/util-linux.SlackBuild
index 8d6ff21c..662eb75c 100755
--- a/source/a/util-linux/util-linux.SlackBuild
+++ b/source/a/util-linux/util-linux.SlackBuild
@@ -82,6 +82,13 @@ find . \
\( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
-exec chmod 644 {} \+
+# Choose correct options depending on whether PAM is installed:
+if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then
+ LOGIN_OPTIONS=""
+else
+ LOGIN_OPTIONS="--disable-login"
+fi
+
# Changing the fdisk -l output (this was done prior to util-linux-ng) broke
# our installation scripts, so we have changed the name of partition type
# 83 back to "Linux swap":
@@ -119,7 +126,7 @@ configure_with_python(){
--enable-pg \
--enable-raw \
--enable-rename \
- --disable-login \
+ $LOGIN_OPTIONS \
--enable-schedutils \
--enable-wall \
--enable-write \
@@ -136,13 +143,13 @@ CFLAGS="$SLKCFLAGS" \
configure_with_python 2 || exit 1
make $NUMJOBS || make || exit 1
-make install DESTDIR=$PKG || exit 1
+make install $NUMJOBS DESTDIR=$PKG || exit 1
# Build python3 bindings for libmount:
make clean
CFLAGS="$SLKCFLAGS" \
configure_with_python 3 || exit 1
-make \
+make $NUMJOBS \
install-pylibmountexecLTLIBRARIES \
install-pylibmountexecPYTHON \
DESTDIR=$PKG || exit 1