summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMike Frysinger <vapier@gentoo.org>2006-07-06 01:31:15 +0000
committerMike Frysinger <vapier@gentoo.org>2006-07-06 01:31:15 +0000
commit5fdd47b327a880b1c6ddedaede0491df3b2421ef (patch)
treee9096cf27fb3a65fc621b75304f1bd4a8333442c /sys-apps
parentStable on amd64. See security bug #137622. (diff)
downloadgentoo-2-5fdd47b327a880b1c6ddedaede0491df3b2421ef.tar.gz
gentoo-2-5fdd47b327a880b1c6ddedaede0491df3b2421ef.tar.bz2
gentoo-2-5fdd47b327a880b1c6ddedaede0491df3b2421ef.zip
Backport fix from upstream for mail spool creation #139346 by Wolfram Schlich.
(Portage version: 2.1.1_pre2-r2)
Diffstat (limited to 'sys-apps')
-rw-r--r--sys-apps/shadow/ChangeLog8
-rw-r--r--sys-apps/shadow/files/digest-shadow-4.0.16-r23
-rw-r--r--sys-apps/shadow/files/shadow-4.0.16-mail-creation.patch64
-rw-r--r--sys-apps/shadow/shadow-4.0.16-r2.ebuild270
4 files changed, 344 insertions, 1 deletions
diff --git a/sys-apps/shadow/ChangeLog b/sys-apps/shadow/ChangeLog
index a1479a63f845..b8212f204104 100644
--- a/sys-apps/shadow/ChangeLog
+++ b/sys-apps/shadow/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for sys-apps/shadow
# Copyright 1999-2006 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/shadow/ChangeLog,v 1.152 2006/07/04 19:55:18 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/shadow/ChangeLog,v 1.153 2006/07/06 01:31:15 vapier Exp $
+
+*shadow-4.0.16-r2 (06 Jul 2006)
+
+ 06 Jul 2006; Mike Frysinger <vapier@gentoo.org>
+ +files/shadow-4.0.16-mail-creation.patch, +shadow-4.0.16-r2.ebuild:
+ Backport fix from upstream for mail spool creation #139346 by Wolfram Schlich.
*shadow-4.0.16-r1 (04 Jul 2006)
diff --git a/sys-apps/shadow/files/digest-shadow-4.0.16-r2 b/sys-apps/shadow/files/digest-shadow-4.0.16-r2
new file mode 100644
index 000000000000..e6b69a954530
--- /dev/null
+++ b/sys-apps/shadow/files/digest-shadow-4.0.16-r2
@@ -0,0 +1,3 @@
+MD5 1d91f7479143d1d705b94180c0d4874b shadow-4.0.16.tar.bz2 1438030
+RMD160 9ac436d89913441b448da90ece25b77e818f3bd4 shadow-4.0.16.tar.bz2 1438030
+SHA256 2cbd0af0b4682d91282d2d0ad3110e6dfcad4e365d25a3b6beaf7048dd477bdd shadow-4.0.16.tar.bz2 1438030
diff --git a/sys-apps/shadow/files/shadow-4.0.16-mail-creation.patch b/sys-apps/shadow/files/shadow-4.0.16-mail-creation.patch
new file mode 100644
index 000000000000..f4772a0ffec1
--- /dev/null
+++ b/sys-apps/shadow/files/shadow-4.0.16-mail-creation.patch
@@ -0,0 +1,64 @@
+rip out fixes from upstream for mail creation bug
+
+http://bugs.gentoo.org/139346
+
+Index: useradd.c
+===================================================================
+RCS file: /cvsroot/shadow/src/useradd.c,v
+retrieving revision 1.96
+retrieving revision 1.99
+diff -u -p -r1.96 -r1.99
+--- shadow/src/useradd.c 30 May 2006 18:28:45 -0000 1.96
++++ shadow/src/useradd.c 22 Jun 2006 11:30:32 -0000 1.99
+@@ -1246,6 +1247,11 @@ static void process_flags (int argc, cha
+
+ if (!sflg)
+ user_shell = def_shell;
++
++ /* TODO: add handle change default spool mail creation by
++ -K CREATE_MAIL_SPOOL={yes,no}. It need rewrite internal API for handle
++ shadow tools configuration */
++ create_mail_spool = def_create_mail_spool;
+ }
+
+ /*
+@@ -1599,24 +1605,24 @@ static void create_mail (void)
+ if (fd < 0) {
+ perror (_("Creating mailbox file"));
+ return;
++ }
+
+- gr = getgrnam ("mail");
+- if (!gr) {
+- fprintf (stderr,
+- _
+- ("Group 'mail' not found. Creating the user mailbox file with 0600 mode.\n"));
+- gid = user_gid;
+- mode = 0600;
+- } else {
+- gid = gr->gr_gid;
+- mode = 0660;
+- }
++ gr = getgrnam ("mail");
++ if (!gr) {
++ fprintf (stderr,
++ _
++ ("Group 'mail' not found. Creating the user mailbox file with 0600 mode.\n"));
++ gid = user_gid;
++ mode = 0600;
++ } else {
++ gid = gr->gr_gid;
++ mode = 0660;
++ }
+
+- if (fchown (fd, user_id, gid) || fchmod (fd, mode))
+- perror (_("Setting mailbox file permissions"));
++ if (fchown (fd, user_id, gid) || fchmod (fd, mode))
++ perror (_("Setting mailbox file permissions"));
+
+- close (fd);
+- }
++ close (fd);
+ }
+ }
+
diff --git a/sys-apps/shadow/shadow-4.0.16-r2.ebuild b/sys-apps/shadow/shadow-4.0.16-r2.ebuild
new file mode 100644
index 000000000000..5bbc44700cf2
--- /dev/null
+++ b/sys-apps/shadow/shadow-4.0.16-r2.ebuild
@@ -0,0 +1,270 @@
+# Copyright 1999-2006 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/shadow/shadow-4.0.16-r2.ebuild,v 1.1 2006/07/06 01:31:15 vapier Exp $
+
+inherit eutils libtool toolchain-funcs flag-o-matic autotools pam
+
+# We should remove this login after pam-0.78 goes stable.
+FORCE_SYSTEMAUTH_UPDATE="no"
+
+DESCRIPTION="Utilities to deal with user accounts"
+HOMEPAGE="http://shadow.pld.org.pl/"
+SRC_URI="ftp://ftp.pld.org.pl/software/${PN}/${P}.tar.bz2"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="nls pam selinux skey nousuid"
+
+RDEPEND=">=sys-libs/cracklib-2.7-r3
+ pam? ( virtual/pam )
+ !sys-apps/pam-login
+ skey? ( app-admin/skey )
+ selinux? ( >=sys-libs/libselinux-1.28 )
+ nls? ( virtual/libintl )"
+DEPEND="${RDEPEND}
+ >=sys-apps/portage-2.0.51-r2
+ nls? ( sys-devel/gettext )"
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+
+ # uclibc support, corrects NIS usage
+ epatch "${FILESDIR}"/${PN}-4.0.13-nonis.patch
+
+ # If su should not simulate a login shell, use '/bin/sh' as shell to enable
+ # running of commands as user with /bin/false as shell, closing bug #15015.
+ # *** This one could be a security hole; disable for now ***
+ #epatch "${FILESDIR}"/${P}-nologin-run-sh.patch
+
+ # tweak the default login.defs
+ epatch "${FILESDIR}"/${PN}-4.0.13-login.defs.patch
+
+ # Make user/group names more flexible #3485 / #22920
+ epatch "${FILESDIR}"/${PN}-4.0.13-dots-in-usernames.patch
+ epatch "${FILESDIR}"/${PN}-4.0.13-long-groupnames.patch
+
+ # Fix compiling with gcc-2.95.x
+ epatch "${FILESDIR}"/${PN}-4.0.12-gcc2.patch
+
+ # Patch from upstream enables the new environment too early for PAM
+ epatch "${FILESDIR}"/${PN}-4.0.14-su-fix-environment.patch
+
+ # lock down setuid perms #47208
+ epatch "${FILESDIR}"/${PN}-4.0.11.1-perms.patch
+
+ epatch "${FILESDIR}"/${PN}-4.0.15-uclibc-missing-l64a.patch
+
+ epatch "${FILESDIR}"/${PN}-4.0.16-check-opendir.patch #139148
+ epatch "${FILESDIR}"/${PN}-4.0.16-fix-useradd-usergroups.patch #128715
+ epatch "${FILESDIR}"/${PN}-4.0.16-mail-creation.patch #139346
+
+ # Needed by the UCLIBC patches
+ eautoconf || die
+
+ elibtoolize
+ epunt_cxx
+}
+
+src_compile() {
+ append-ldflags $(bindnow-flags)
+ tc-is-cross-compiler && export ac_cv_func_setpgrp_void=yes
+ econf \
+ --disable-desrpc \
+ --with-libcrypt \
+ --with-libcrack \
+ --enable-shared=no \
+ --enable-static=yes \
+ $(use_with pam libpam) \
+ $(use_with skey) \
+ $(use_with selinux) \
+ $(use_enable nls) \
+ || die "bad configure"
+ emake || die "compile problem"
+}
+
+src_install() {
+ local perms=4711
+ use nousuid && perms=711
+ make DESTDIR="${D}" suiduperms=${perms} install || die "install problem"
+ dosym useradd /usr/sbin/adduser
+
+ # Remove libshadow and libmisc; see bug 37725 and the following
+ # comment from shadow's README.linux:
+ # Currently, libshadow.a is for internal use only, so if you see
+ # -lshadow in a Makefile of some other package, it is safe to
+ # remove it.
+ rm -f "${D}"/{,usr/}$(get_libdir)/lib{misc,shadow}.{a,la}
+
+ insinto /etc
+ # Using a securetty with devfs device names added
+ # (compat names kept for non-devfs compatibility)
+ insopts -m0600 ; doins "${FILESDIR}"/securetty
+ if ! use pam ; then
+ insopts -m0600
+ doins etc/login.access etc/limits
+ else
+ newpamd "${FILESDIR}/login.pamd" login
+ use selinux || sed -i -e '/@selinux@/d' "${D}"/etc/pam.d/login
+ use selinux && sed -i -e 's:@selinux@::g' "${D}"/etc/pam.d/login
+
+ insinto /etc
+ insopts -m0644
+ newins "${FILESDIR}/login.defs" login.defs
+
+ # Also install another one that we can use to check if
+ # we need to update it if FORCE_LOGIN_DEFS = "yes"
+ [ "${FORCE_LOGIN_DEFS}" = "yes" ] \
+ && newins "${FILESDIR}/login.defs" login.defs.new
+ fi
+ # Output arch-specific cruft
+ case $(tc-arch) in
+ ppc*) echo "hvc0" >> "${D}"/etc/securetty
+ echo "hvsi0" >> "${D}"/etc/securetty;;
+ hppa) echo "ttyB0" >> "${D}"/etc/securetty;;
+ arm) echo "ttyFB0" >> "${D}"/etc/securetty;;
+ esac
+
+ # needed for 'adduser -D'
+ insinto /etc/default
+ insopts -m0600
+ doins "${FILESDIR}"/default/useradd
+
+ # move passwd to / to help recover broke systems #64441
+ mv "${D}"/usr/bin/passwd "${D}"/bin/
+ dosym /bin/passwd /usr/bin/passwd
+
+ if use pam ; then
+ local INSTALL_SYSTEM_PAMD="yes"
+
+ # Do not install below pam.d files if we have pam-0.78 or later
+ has_version '>=sys-libs/pam-0.78' && \
+ INSTALL_SYSTEM_PAMD="no"
+
+ for x in "${FILESDIR}"/pam.d-include/*; do
+ case "${x##*/}" in
+ "login")
+ # We do no longer install this one, as its from
+ # pam-login now.
+ ;;
+ "system-auth"|"system-auth-1.1"|"other")
+ # These we only install if we do not have pam-0.78
+ # or later.
+ [ "${INSTALL_SYSTEM_PAMD}" = "yes" ] && [ -f ${x} ] && \
+ dopamd ${x}
+ ;;
+ "su")
+ # Disable support for pam_env and pam_wheel on openpam
+ has_version sys-libs/pam && dopamd ${x}
+ ;;
+ "su-openpam")
+ has_version sys-libs/openpam && newpamd ${x} su
+ ;;
+ *)
+ [ -f ${x} ] && dopamd ${x}
+ ;;
+ esac
+ done
+ for x in chage chsh chfn chpasswd newusers \
+ user{add,del,mod} group{add,del,mod} ; do
+ newpamd "${FILESDIR}"/pam.d-include/shadow ${x}
+ done
+
+ # Only add this one if needed.
+ if [ "${FORCE_SYSTEMAUTH_UPDATE}" = "yes" ]; then
+ newpamd "${FILESDIR}"/pam.d-include/system-auth-1.1 system-auth.new || \
+ die "Failed to install system-auth.new!"
+ fi
+
+ # remove manpages that pam will install for us
+ # and/or don't apply when using pam
+
+ find "${D}"/usr/share/man \
+ '(' -name 'limits.5*' -o -name 'suauth.5*' ')' \
+ -exec rm {} \;
+ else
+ insinto /etc
+ insopts -m0644
+ newins etc/login.defs login.defs
+ fi
+
+ # libshadow_getpass() is only used sometimes now which means
+ # GETPASS_ASTERISKS may not always be applicable
+ use skey || sed -i -e '/^GETPASS_ASTERISKS/s:^:#:' "${D}"/etc/login.defs
+
+ # Remove manpages that are handled by other packages
+ find "${D}"/usr/share/man \
+ '(' -name id.1 -o -name passwd.5 -o -name getspnam.3 ')' \
+ -exec rm {} \;
+
+ cd "${S}"
+ dodoc ChangeLog NEWS TODO
+ newdoc README README.download
+ cd doc
+ dodoc HOWTO LSM README* WISHLIST *.txt
+}
+
+pkg_preinst() {
+ rm -f "${ROOT}"/etc/pam.d/system-auth.new \
+ "${ROOT}/etc/login.defs.new"
+}
+
+pkg_postinst() {
+ # Enable shadow groups (we need ROOT=/ here, as grpconv only
+ # operate on / ...).
+ if [[ ${ROOT} == / && ! -f /etc/gshadow ]] ; then
+ if grpck -r &>/dev/null; then
+ grpconv
+ else
+ ewarn "Running 'grpck' returned errors. Please run it by hand, and then"
+ ewarn "run 'grpconv' afterwards!"
+ fi
+ fi
+
+ use pam || return 0
+
+ if [ "${FORCE_SYSTEMAUTH_UPDATE}" = "yes" ]; then
+ local CHECK1=$(md5sum "${ROOT}"/etc/pam.d/system-auth | cut -d ' ' -f 1)
+ local CHECK2=$(md5sum "${ROOT}"/etc/pam.d/system-auth.new | cut -d ' ' -f 1)
+
+ if [ "${CHECK1}" != "${CHECK2}" ]; then
+ ewarn "Due to a security issue, ${ROOT}etc/pam.d/system-auth "
+ ewarn "is being updated automatically. Your old "
+ ewarn "system-auth will be backed up as:"
+ ewarn
+ ewarn " ${ROOT}etc/pam.d/system-auth.bak"
+ echo
+
+ cp -pPR "${ROOT}"/etc/pam.d/system-auth \
+ "${ROOT}"/etc/pam.d/system-auth.bak;
+ mv -f "${ROOT}"/etc/pam.d/system-auth.new \
+ "${ROOT}"/etc/pam.d/system-auth
+ rm -f "${ROOT}"/etc/pam.d/._cfg????_system-auth
+ else
+ rm -f "${ROOT}"/etc/pam.d/system-auth.new
+ fi
+ fi
+
+ [ "${FORCE_LOGIN_DEFS}" != "yes" ] && return 0
+
+ ewarn "Due to a compatibility issue, ${ROOT}etc/login.defs "
+ ewarn "is being updated automatically. Your old login.defs"
+ ewarn "will be backed up as: ${ROOT}etc/login.defs.bak"
+ echo
+
+ local CHECK1="`md5sum ${ROOT}/etc/login.defs | cut -d ' ' -f 1`"
+ local CHECK2="`md5sum ${ROOT}/etc/login.defs.new | cut -d ' ' -f 1`"
+
+ if [ "${CHECK1}" != "${CHECK2}" ]
+ then
+ cp -pPR ${ROOT}/etc/login.defs ${ROOT}/etc/login.defs.bak
+ mv -f ${ROOT}/etc/login.defs.new ${ROOT}/etc/login.defs
+ elif [ ! -f ${ROOT}/etc/login.defs ]
+ then
+ mv -f ${ROOT}/etc/login.defs.new ${ROOT}/etc/login.defs
+ else
+ rm -f ${ROOT}/etc/login.defs.new
+ fi
+}
+