Diffstat (limited to 'sys-apps/shadow')
17 files changed, 801 insertions, 413 deletions
diff --git a/sys-apps/shadow/Manifest b/sys-apps/shadow/Manifest
index 19bec0338d02..072a4174ec3d 100644
--- a/sys-apps/shadow/Manifest
+++ b/sys-apps/shadow/Manifest
@@ -1,2 +1,8 @@ -DIST shadow-4.8.1.tar.xz 1611196 BLAKE2B 952707cdd55dc6c00dcbc60dbc3bf84ac618dbe916b36d993802b3ce42594de332a9bc22933a28881af3d317a340eab017ada55511b4e4fbc3ca6b422c4bc254 SHA512 780a983483d847ed3c91c82064a0fa902b6f4185225978241bc3bc03fcc3aa143975b46aee43151c6ba43efcfdb1819516b76ba7ad3d1d3c34fcc38ea42e917b -DIST shadow-4.9.tar.xz 1627008 BLAKE2B 7a9a6a489115c7a20520cfec61f008fc0f70f7f50aaf539e94dfdcb20035d2de88ab3198e76812a4e3eb944b92c76c0ca2e85e35f4342537711c2c033248a72b SHA512 254cda49bb14505a7604821e7fa898bf4bf317d648e9ddc881ab80a6860d52053dfffacad6feab87c7d16608c35ed6b6cee99e7757eac930da3a7b31cdcd4b95 +DIST shadow-4.13.tar.xz 1762908 BLAKE2B 315ab8a7e598aeefb50c11293e20cfa0982c3c3ae21c35ae243d09a4facf97a13c1d672990876e74ef94f5284402acf14997663743e2aaefa6cfc4369b7d24dc SHA512 2949a728c3312bef13d23138d6b79caf402781b1cb179e33b5be546c1790971ec20778d0e9cd3dbe09691d928ffcbe88e60da42fab58c69a90d5ebe5e3e2ab8e +DIST shadow-4.13.tar.xz.asc 488 BLAKE2B de1f8285c5713a772343a2a7c638d1d13429dd4fa867d4f91d4922aa0d083b4a3110d38e8a8ab82137fdf4fecb12ba3677f3fb235401fc6438ae663fbd9bfbd2 SHA512 f8549c4e699c65721d53946d61b6127712572f7ad9ee13018ef3a25307002992aa727471c948d1bb22dcddf112715bed387d28f436123f30e153ae6bc0cd3648 +DIST shadow-4.14.2.tar.xz 1799548 BLAKE2B 419f0a516753616ef691f71ec9002eef6fd7568c013ac71900d7481eff1bd9165c69d9587b7ca25800543a2eac58cfb7ce4224063e8af7b278f589640485c28f SHA512 b417dbe0fbbeced1022e64efe9dcd8b41d14779c45163e6de63891ac63f837d43f3e559f99f884099aa45282299ceb4dcb9fd29d21c9925687ff8462fe6ead2f +DIST shadow-4.14.2.tar.xz.asc 833 BLAKE2B 9e085c79ccd3aa77489eb92e947dd4875dea84be2dbcbd2b8443e70b3dc065d288171ee024f81c6c3bf44d0ebfcabbb69937a906fdb26b6622d5a369aa415e8e SHA512 47a2607fa782a48b0333e353343a32f358115bb40225ea962fab86d4a8dbed1df976eb6231baf5b95f34a13139b99d6b719521626e5d3e9c80fc4c685767d9b7 +DIST shadow-4.14.6.tar.xz 1805900 BLAKE2B 
e910131eab6527c1222afadf02ebd7bd6a3460baf95c23cc9eefa7aa21ddb70c02e58e4f58db2cb24fa8e2996c82b11664420545a8b1af573e4e6a25ceb3f921 SHA512 994a81afbafb19622a1d0f84527f96a84b0955c4ffa5e826682ead82af7940b8e3a091514bd2075622ebdf7638643c9c6b6b7ac3e48d985278db896249d70ae6 +DIST shadow-4.14.6.tar.xz.asc 833 BLAKE2B 2fdcbd073687de829006ed9eb3ffd0b5f1312a94fe81b9c6840b25807e1268c58136d378da87f481c3cb53dc262d7afb6d97c77528e14dfbf5d54212fa7f84f2 SHA512 41f8fa92379392d4caa83987f9ea513ec18103dacfc01461f7bfb67ee6738a67e097fe76e7aa1f6004dfe14d5c55973667037c683fdd8ebb082264cb62222d27 +DIST shadow-4.14.7.tar.xz 1805860 BLAKE2B 5cc525292b9ba8fb85ec476a866be0b07a0b113539ad9f11d33eb87a87b95315485900a497c24465ad3b1d40b8f3273b6044a82829444024cc06d656427f3932 SHA512 ec64210b96ca0633683825df076e048ecba8f4794e9ad60125965d1490078c86ad26030bbec2e2ec7b53992d3ca68e4e659d6c460509fc6debb07bb686678885 +DIST shadow-4.14.7.tar.xz.asc 833 BLAKE2B 05c75a1de641cb766860959f1c1ed4788be40a6b0533d73a701b138c1aaf3b70f1e2807b7dafb74e35369091c40edf402abd96c9a5526c18ee644c12c48cd320 SHA512 6d13ddc810f27efd1bb2c9ef61d260b84ba9ce4e5721d844bd1f910fba072ae424360f6d3672b69dfa88c9a0905d93b6de415909791515f8da00d6c17ca79f9a diff --git a/sys-apps/shadow/files/shadow-4.1.3-dots-in-usernames.patch b/sys-apps/shadow/files/shadow-4.1.3-dots-in-usernames.patch deleted file mode 100644 index efcb33dbd9ef..000000000000 --- a/sys-apps/shadow/files/shadow-4.1.3-dots-in-usernames.patch +++ /dev/null @@ -1,10 +0,0 @@ ---- shadow-4.1.3/libmisc/chkname.c -+++ shadow-4.1.3/libmisc/chkname.c -@@ -66,6 +66,7 @@ - ( ('0' <= *name) && ('9' >= *name) ) || - ('_' == *name) || - ('-' == *name) || -+ ('.' == *name) || - ( ('$' == *name) && ('\0' == *(name + 1)) ) - )) { - return false; diff --git a/sys-apps/shadow/files/shadow-4.13-CVE-2023-29383.patch b/sys-apps/shadow/files/shadow-4.13-CVE-2023-29383.patch new file mode 100644 index 000000000000..49868ba67c96 --- /dev/null +++ b/sys-apps/shadow/files/shadow-4.13-CVE-2023-29383.patch 
@@ -0,0 +1,100 @@ +From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001 +From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com> +Date: Thu, 23 Mar 2023 23:39:38 +0000 +Subject: [PATCH] Added control character check + +Added control character check, returning -1 (to "err") if control characters are present. +--- + lib/fields.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/lib/fields.c b/lib/fields.c +index 640be931f..fb51b5829 100644 +--- a/lib/fields.c ++++ b/lib/fields.c +@@ -21,9 +21,9 @@ + * + * The supplied field is scanned for non-printable and other illegal + * characters. +- * + -1 is returned if an illegal character is present. +- * + 1 is returned if no illegal characters are present, but the field +- * contains a non-printable character. ++ * + -1 is returned if an illegal or control character is present. ++ * + 1 is returned if no illegal or control characters are present, ++ * but the field contains a non-printable character. + * + 0 is returned otherwise. + */ + int valid_field (const char *field, const char *illegal) +@@ -45,10 +45,13 @@ int valid_field (const char *field, const char *illegal) + } + + if (0 == err) { +- /* Search if there are some non-printable characters */ ++ /* Search if there are non-printable or control characters */ + for (cp = field; '\0' != *cp; cp++) { + if (!isprint (*cp)) { + err = 1; ++ } ++ if (!iscntrl (*cp)) { ++ err = -1; + break; + } + } +From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com> +Date: Fri, 31 Mar 2023 14:46:50 +0200 +Subject: [PATCH] Overhaul valid_field() + +e5905c4b ("Added control character check") introduced checking for +control characters but had the logic inverted, so it rejects all +characters that are not control ones. + +Cast the character to `unsigned char` before passing to the character +checking functions to avoid UB. 
+ +Use strpbrk(3) for the illegal character test and return early. +--- + lib/fields.c | 24 ++++++++++-------------- + 1 file changed, 10 insertions(+), 14 deletions(-) + +diff --git a/lib/fields.c b/lib/fields.c +index fb51b5829..539292485 100644 +--- a/lib/fields.c ++++ b/lib/fields.c +@@ -37,26 +37,22 @@ int valid_field (const char *field, const char *illegal) + + /* For each character of field, search if it appears in the list + * of illegal characters. */ ++ if (illegal && NULL != strpbrk (field, illegal)) { ++ return -1; ++ } ++ ++ /* Search if there are non-printable or control characters */ + for (cp = field; '\0' != *cp; cp++) { +- if (strchr (illegal, *cp) != NULL) { ++ unsigned char c = *cp; ++ if (!isprint (c)) { ++ err = 1; ++ } ++ if (iscntrl (c)) { + err = -1; + break; + } + } + +- if (0 == err) { +- /* Search if there are non-printable or control characters */ +- for (cp = field; '\0' != *cp; cp++) { +- if (!isprint (*cp)) { +- err = 1; +- } +- if (!iscntrl (*cp)) { +- err = -1; +- break; +- } +- } +- } +- + return err; + } + diff --git a/sys-apps/shadow/files/shadow-4.13-configure-clang16.patch b/sys-apps/shadow/files/shadow-4.13-configure-clang16.patch new file mode 100644 index 000000000000..4e703db93a6c --- /dev/null +++ b/sys-apps/shadow/files/shadow-4.13-configure-clang16.patch 
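Review bot: This patch file carries no upstream reference header, unlike the other new patches in this commit, which makes the CVE-2023-29383 backport harder to audit against what upstream shipped. Both commit ids are already in the embedded From lines, so the top of the file should read `https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d` and `https://github.com/shadow-maint/shadow/commit/2eaea70111f65b16d55998386e4ceb4273c19eb4`, with a one-line note that both are applied together so the inverted `!iscntrl` test from the first commit never reaches a built tree. In the final form of the loop a non-printable byte only sets `err = 1` and scanning continues until a control character forces `err = -1` and the break, so a field containing both is rejected rather than merely flagged, which matches the updated comment. valid_field's opening, including any NULL handling of `field`, lies outside the hunk.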
@@ -0,0 +1,38 @@
+https://github.com/shadow-maint/shadow/commit/a281f241b592aec636d1b93a99e764499d68c7ef
+https://github.com/shadow-maint/shadow/pull/595
+
+From a281f241b592aec636d1b93a99e764499d68c7ef Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 21 Nov 2022 11:52:45 +0100
+Subject: [PATCH] Fix HAVE_SHADOWGRP configure check
+
+The missing #include <gshadow.h> causes the configure check to fail
+spuriously, resulting in HAVE_SHADOWGRP not being defined even
+on systems that actually have sgetsgent (such as current glibc).
+--- a/configure.ac
++++ b/configure.ac
+@@ -116,6 +116,10 @@ if test "$ac_cv_header_shadow_h" = "yes"; then
+ ac_cv_libc_shadowgrp,
+ AC_RUN_IFELSE([AC_LANG_SOURCE([
+ #include <shadow.h>
++ #ifdef HAVE_GSHADOW_H
++ #include <gshadow.h>
++ #endif
++ int
+ main()
+ {
+ struct sgrp *sg = sgetsgent("test:x::");
+
+--- a/configure
++++ b/configure
+@@ -15684,6 +15684,10 @@ else $as_nop
+ /* end confdefs.h. */
+ 
+ #include <shadow.h>
++ #ifdef HAVE_GSHADOW_H
++ #include <gshadow.h>
++ #endif
++ int
+ main()
+ {
+ struct sgrp *sg = sgetsgent("test:x::");
diff --git a/sys-apps/shadow/files/shadow-4.13-password-leak.patch b/sys-apps/shadow/files/shadow-4.13-password-leak.patch
new file mode 100644
index 000000000000..25b5ec39c5f8
--- /dev/null
+++ b/sys-apps/shadow/files/shadow-4.13-password-leak.patch
@@ -0,0 +1,135 @@ +https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904 + +From 65c88a43a23c2391dcc90c0abda3e839e9c57904 Mon Sep 17 00:00:00 2001 +From: Alejandro Colomar <alx@kernel.org> +Date: Sat, 10 Jun 2023 16:20:05 +0200 +Subject: [PATCH] gpasswd(1): Fix password leak + +How to trigger this password leak? +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +When gpasswd(1) asks for the new password, it asks twice (as is usual +for confirming the new password). Each of those 2 password prompts +uses agetpass() to get the password. If the second agetpass() fails, +the first password, which has been copied into the 'static' buffer +'pass' via STRFCPY(), wasn't being zeroed. + +agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and +can fail for any of the following reasons: + +- malloc(3) or readpassphrase(3) failure. + + These are going to be difficult to trigger. Maybe getting the system + to the limits of memory utilization at that exact point, so that the + next malloc(3) gets ENOMEM, and possibly even the OOM is triggered. + About readpassphrase(3), ENFILE and EINTR seem the only plausible + ones, and EINTR probably requires privilege or being the same user; + but I wouldn't discard ENFILE so easily, if a process starts opening + files. + +- The password is longer than PASS_MAX. + + The is plausible with physical access. However, at that point, a + keylogger will be a much simpler attack. + +And, the attacker must be able to know when the second password is being +introduced, which is not going to be easy. + +How to read the password after the leak? +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Provoking the leak yourself at the right point by entering a very long +password is easy, and inspecting the process stack at that point should +be doable. Try to find some consistent patterns. + +Then, search for those patterns in free memory, right after the victim +leaks their password. 
+ +Once you get the leak, a program should read all the free memory +searching for patterns that gpasswd(1) leaves nearby the leaked +password. + +On 6/10/23 03:14, Seth Arnold wrote: +> An attacker process wouldn't be able to use malloc(3) for this task. +> There's a handful of tools available for userspace to allocate memory: +> +> - brk / sbrk +> - mmap MAP_ANONYMOUS +> - mmap /dev/zero +> - mmap some other file +> - shm_open +> - shmget +> +> Most of these return only pages of zeros to a process. Using mmap of an +> existing file, you can get some of the contents of the file demand-loaded +> into the memory space on the first use. +> +> The MAP_UNINITIALIZED flag only works if the kernel was compiled with +> CONFIG_MMAP_ALLOW_UNINITIALIZED. This is rare. +> +> malloc(3) doesn't zero memory, to our collective frustration, but all the +> garbage in the allocations is from previous allocations in the current +> process. It isn't leftover from other processes. +> +> The avenues available for reading the memory: +> - /dev/mem and /dev/kmem (requires root, not available with Secure Boot) +> - /proc/pid/mem (requires ptrace privileges, mediated by YAMA) +> - ptrace (requires ptrace privileges, mediated by YAMA) +> - causing memory to be swapped to disk, and then inspecting the swap +> +> These all require a certain amount of privileges. + +How to fix it? +~~~~~~~~~~~~~ + +memzero(), which internally calls explicit_bzero(3), or whatever +alternative the system provides with a slightly different name, will +make sure that the buffer is zeroed in memory, and optimizations are not +allowed to impede this zeroing. + +This is not really 100% effective, since compilers may place copies of +the string somewhere hidden in the stack. Those copies won't get zeroed +by explicit_bzero(3). However, that's arguably a compiler bug, since +compilers should make everything possible to avoid optimizing strings +that are later passed to explicit_bzero(3). 
But we all know that +sometimes it's impossible to have perfect knowledge in the compiler, so +this is plausible. Nevertheless, there's nothing we can do against such +issues, except minimizing the time such passwords are stored in plain +text. + +Security concerns +~~~~~~~~~~~~~~~~ + +We believe this isn't easy to exploit. Nevertheless, and since the fix +is trivial, this fix should probably be applied soon, and backported to +all supported distributions, to prevent someone else having more +imagination than us to find a way. + +Affected versions +~~~~~~~~~~~~~~~~ + +All. Bug introduced in shadow 19990709. That's the second commit in +the git history. + +Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)") +Reported-by: Alejandro Colomar <alx@kernel.org> +Cc: Serge Hallyn <serge@hallyn.com> +Cc: Iker Pedrosa <ipedrosa@redhat.com> +Cc: Seth Arnold <seth.arnold@canonical.com> +Cc: Christian Brauner <christian@brauner.io> +Cc: Balint Reczey <rbalint@debian.org> +Cc: Sam James <sam@gentoo.org> +Cc: David Runge <dvzrv@archlinux.org> +Cc: Andreas Jaeger <aj@suse.de> +Cc: <~hallyn/shadow@lists.sr.ht> +Signed-off-by: Alejandro Colomar <alx@kernel.org> +--- a/src/gpasswd.c ++++ b/src/gpasswd.c +@@ -898,6 +898,7 @@ static void change_passwd (struct group *gr) + erase_pass (cp); + cp = agetpass (_("Re-enter new password: ")); + if (NULL == cp) { ++ memzero (pass, sizeof pass); + exit (1); + } + diff --git a/sys-apps/shadow/files/shadow-4.13-usermod-prefix-gid.patch b/sys-apps/shadow/files/shadow-4.13-usermod-prefix-gid.patch new file mode 100644 index 000000000000..50cbe699d15e --- /dev/null +++ b/sys-apps/shadow/files/shadow-4.13-usermod-prefix-gid.patch 
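Review bot: The added `memzero (pass, sizeof pass);` clears the first password only on the `NULL == cp` failure of the re-enter prompt; change_passwd's other paths (the mismatch/retry branch and the normal return after `pass` has been consumed) lie outside this hunk, so whether the buffer is zeroed there as well cannot be confirmed from the patch and should be checked before treating this as the complete fix the description discusses. The description states that memzero() resolves to explicit_bzero(3) or a platform alternative, presumably chosen at configure time; since the ebuild has a dedicated musl branch, confirming that the 4.13 build on that libc picks a non-elidable variant rather than plain memset would close the loop. change_passwd begins and ends outside the hunk.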
@@ -0,0 +1,33 @@
+https://bugs.gentoo.org/903083
+https://github.com/shadow-maint/shadow/pull/691
+https://github.com/shadow-maint/shadow/commit/bd2d0079c90241f24671a7946a3ad175dc1a3aeb
+
+From fcb04de38a0ddc263288a1c450b35bfb1503d523 Mon Sep 17 00:00:00 2001
+From: Mike Gilbert <floppym@gentoo.org>
+Date: Sat, 25 Mar 2023 21:16:55 -0400
+Subject: [PATCH] usermod: respect --prefix for --gid option
+
+The --gid option accepts a group name or id. When a name is provided, it
+is resolved to an id by looking up the name in the group database
+(/etc/group).
+
+The --prefix option overides the location of the passwd and group
+databases. I suspect the --gid option was overlooked when wiring up the
+--prefix option.
+
+useradd --gid already respects --prefix; this change makes usermod
+behave the same way.
+
+Fixes: b6b2c756c91806b1c3e150ea0ee4721c6cdaf9d0
+Signed-off-by: Mike Gilbert <floppym@gentoo.org>
+--- a/src/usermod.c
++++ b/src/usermod.c
+@@ -1072,7 +1072,7 @@ static void process_flags (int argc, char **argv)
+ fflg = true;
+ break;
+ case 'g':
+- grp = getgr_nam_gid (optarg);
++ grp = prefix_getgr_nam_gid (optarg);
+ if (NULL == grp) {
+ fprintf (stderr,
+ _("%s: group '%s' does not exist\n"),
diff --git a/sys-apps/shadow/files/shadow-4.9-SHA-rounds.patch b/sys-apps/shadow/files/shadow-4.9-SHA-rounds.patch
deleted file mode 100644
index 05be7adc1b19..000000000000
--- a/sys-apps/shadow/files/shadow-4.9-SHA-rounds.patch
+++ /dev/null
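Review bot: The header of this patch file cites commit `bd2d0079c90241f24671a7946a3ad175dc1a3aeb` while the embedded From line carries `fcb04de38a0ddc263288a1c450b35bfb1503d523`, and nothing says which is which; presumably one is the PR-branch commit and the other the id it was merged under, but a reader verifying the backport against upstream has to guess. A one-line note after the URLs, e.g. `# fcb04de3 is the PR commit as submitted; see the commit URL above for the merged id`, or simply dropping the stale id, would remove the ambiguity. The code change itself is the single swap to `prefix_getgr_nam_gid (optarg)` so that `--gid` with a group name is resolved in the `--prefix` group database rather than the host's; process_flags starts and ends outside the hunk and the `NULL == grp` error path below the change is unchanged.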
@@ -1,57 +0,0 @@ -From 234e8fa7b134d1ebabfdad980a3ae5b63c046c62 Mon Sep 17 00:00:00 2001 -From: Mike Gilbert <floppym@gentoo.org> -Date: Sat, 14 Aug 2021 13:24:34 -0400 -Subject: [PATCH] libmisc: fix default value in SHA_get_salt_rounds() - -If SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS are both unspecified, -use SHA_ROUNDS_DEFAULT. - -Previously, the code fell through, calling shadow_random(-1, -1). This -ultimately set rounds = (unsigned long) -1, which ends up being a very -large number! This then got capped to SHA_ROUNDS_MAX later in the -function. - -The new behavior matches BCRYPT_get_salt_rounds(). - -Bug: https://bugs.gentoo.org/808195 -Fixes: https://github.com/shadow-maint/shadow/issues/393 ---- - libmisc/salt.c | 21 +++++++++++---------- - 1 file changed, 11 insertions(+), 10 deletions(-) - -diff --git a/libmisc/salt.c b/libmisc/salt.c -index 91d528fd..30eefb9c 100644 ---- a/libmisc/salt.c -+++ b/libmisc/salt.c -@@ -223,20 +223,21 @@ static /*@observer@*/const unsigned long SHA_get_salt_rounds (/*@null@*/int *pre - if ((-1 == min_rounds) && (-1 == max_rounds)) { - rounds = SHA_ROUNDS_DEFAULT; - } -+ else { -+ if (-1 == min_rounds) { -+ min_rounds = max_rounds; -+ } - -- if (-1 == min_rounds) { -- min_rounds = max_rounds; -- } -+ if (-1 == max_rounds) { -+ max_rounds = min_rounds; -+ } - -- if (-1 == max_rounds) { -- max_rounds = min_rounds; -- } -+ if (min_rounds > max_rounds) { -+ max_rounds = min_rounds; -+ } - -- if (min_rounds > max_rounds) { -- max_rounds = min_rounds; -+ rounds = (unsigned long) shadow_random (min_rounds, max_rounds); - } -- -- rounds = (unsigned long) shadow_random (min_rounds, max_rounds); - } else if (0 == *prefered_rounds) { - rounds = SHA_ROUNDS_DEFAULT; - } else { diff --git a/sys-apps/shadow/files/shadow-4.9-configure-typo.patch b/sys-apps/shadow/files/shadow-4.9-configure-typo.patch deleted file mode 100644 index 1a6db304a013..000000000000 --- a/sys-apps/shadow/files/shadow-4.9-configure-typo.patch +++ /dev/null 
@@ -1,19 +0,0 @@ -https://github.com/shadow-maint/shadow/commit/049f9a7f6b320c728a6274299041e360381d7cd5 - -From 049f9a7f6b320c728a6274299041e360381d7cd5 Mon Sep 17 00:00:00 2001 -From: Andy Zaugg <andy.zaugg@gmail.com> -Date: Tue, 21 Sep 2021 21:51:10 -0700 -Subject: [PATCH] Fix parentheses in configure.ac - -Resolving issue https://github.com/shadow-maint/shadow/issues/419 ---- a/configure.ac -+++ b/configure.ac -@@ -345,7 +345,7 @@ if test "$with_sssd" = "yes"; then - [AC_MSG_ERROR([posix_spawn is needed for sssd support])]) - fi - --AS_IF([test "$with_su" != "no"], AC_DEFINE(WITH_SU, 1, [Build with su])]) -+AS_IF([test "$with_su" != "no"], AC_DEFINE(WITH_SU, 1, [Build with su])) - AM_CONDITIONAL([WITH_SU], [test "x$with_su" != "xno"]) - - dnl Check for some functions in libc first, only if not found check for diff --git a/sys-apps/shadow/files/shadow-4.9-gpasswd-double-free.patch b/sys-apps/shadow/files/shadow-4.9-gpasswd-double-free.patch deleted file mode 100644 index d7102ce03c32..000000000000 --- a/sys-apps/shadow/files/shadow-4.9-gpasswd-double-free.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -https://github.com/shadow-maint/shadow/commit/117bc66c6f95fa85ca75ecfdb8fbd3615deca0b6 - -From 117bc66c6f95fa85ca75ecfdb8fbd3615deca0b6 Mon Sep 17 00:00:00 2001 -From: Michael Vetter <jubalh@iodoru.org> -Date: Mon, 20 Sep 2021 11:04:50 +0200 -Subject: [PATCH] Only free sgent if it was initialized - -`sgent` is only initialized in `get_group()` if `is_shadowgrp` is true. -So we should also only attempt to free it if this is actually the case. - -Can otherwise lead to: -``` -free() double free detected in tcache 2 (gpasswd) -``` ---- a/src/gpasswd.c -+++ b/src/gpasswd.c -@@ -1207,11 +1207,13 @@ int main (int argc, char **argv) - sssd_flush_cache (SSSD_DB_GROUP); - - #ifdef SHADOWGRP -- if (sgent.sg_adm) { -- xfree(sgent.sg_adm); -- } -- if (sgent.sg_mem) { -- xfree(sgent.sg_mem); -+ if (is_shadowgrp) { -+ if (sgent.sg_adm) { -+ xfree(sgent.sg_adm); -+ } -+ if (sgent.sg_mem) { -+ xfree(sgent.sg_mem); -+ } - } - #endif - if (grent.gr_mem) { diff --git a/sys-apps/shadow/files/shadow-4.9-libcrack.patch b/sys-apps/shadow/files/shadow-4.9-libcrack.patch deleted file mode 100644 index 5c954feac1ae..000000000000 --- a/sys-apps/shadow/files/shadow-4.9-libcrack.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 6becc82e262205f8a23bf9fe1127af57286826ee Mon Sep 17 00:00:00 2001 -From: Mike Gilbert <floppym@gentoo.org> -Date: Mon, 2 Aug 2021 11:51:44 -0400 -Subject: [PATCH] libsubid: fix build with libcrack - -Fixes a link failure: - - ../libsubid/.libs/libsubid.so: undefined reference to `FascistCheck' - -Bug: https://bugs.gentoo.org/806124 -Signed-off-by: Mike Gilbert <floppym@gentoo.org> ---- - libsubid/Makefile.am | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am -index 8bba02ab..bfc982ef 100644 ---- a/libsubid/Makefile.am -+++ b/libsubid/Makefile.am -@@ -11,6 +11,7 @@ MISCLIBS = \ - $(LIBAUDIT) \ - $(LIBSELINUX) \ - $(LIBSEMANAGE) \ -+ $(LIBCRACK) \ - $(LIBCRYPT_NOPAM) \ - $(LIBSKEY) \ - $(LIBMD) \ 
diff --git a/sys-apps/shadow/files/shadow-4.9-libsubid_oot_build.patch b/sys-apps/shadow/files/shadow-4.9-libsubid_oot_build.patch
deleted file mode 100644
index 6609ccd6d3a5..000000000000
--- a/sys-apps/shadow/files/shadow-4.9-libsubid_oot_build.patch
+++ /dev/null
@@ -1,109 +0,0 @@ -From 537b8cd90be7b47b45c45cfd27765ef85eb0ebf1 Mon Sep 17 00:00:00 2001 -From: Serge Hallyn <serge@hallyn.com> -Date: Fri, 23 Jul 2021 17:51:13 -0500 -Subject: [PATCH] Fix out of tree builds with respect to libsubid includes - -There's a better way to do this, and I hope to clean that up, -but this fixes out of tree builds for me right now. - -Closes #386 - -Signed-off-by: Serge Hallyn <serge@hallyn.com> ---- - lib/Makefile.am | 2 ++ - libmisc/Makefile.am | 2 +- - libsubid/Makefile.am | 4 ++-- - src/Makefile.am | 6 ++++++ - 4 files changed, 11 insertions(+), 3 deletions(-) - -diff --git a/lib/Makefile.am b/lib/Makefile.am -index ecf3ee25..5ac2e111 100644 ---- a/lib/Makefile.am -+++ b/lib/Makefile.am -@@ -10,6 +10,8 @@ if HAVE_VENDORDIR - libshadow_la_CPPFLAGS += -DVENDORDIR=\"$(VENDORDIR)\" - endif - -+libshadow_la_CPPFLAGS += -I$(top_srcdir) -+ - libshadow_la_SOURCES = \ - commonio.c \ - commonio.h \ -diff --git a/libmisc/Makefile.am b/libmisc/Makefile.am -index 9766a7ec..9f237e0d 100644 ---- a/libmisc/Makefile.am -+++ b/libmisc/Makefile.am -@@ -1,7 +1,7 @@ - - EXTRA_DIST = .indent.pro xgetXXbyYY.c - --AM_CPPFLAGS = -I$(top_srcdir)/lib $(ECONF_CPPFLAGS) -+AM_CPPFLAGS = -I$(top_srcdir)/lib -I$(top_srcdir) $(ECONF_CPPFLAGS) - - noinst_LTLIBRARIES = libmisc.la - -diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am -index 83051560..99308c1f 100644 ---- a/libsubid/Makefile.am -+++ b/libsubid/Makefile.am -@@ -20,8 +20,8 @@ MISCLIBS = \ - $(LIBPAM) - - libsubid_la_LIBADD = \ -- $(top_srcdir)/lib/libshadow.la \ -- $(top_srcdir)/libmisc/libmisc.la \ -+ $(top_builddir)/lib/libshadow.la \ -+ $(top_builddir)/libmisc/libmisc.la \ - $(MISCLIBS) -ldl - - AM_CPPFLAGS = \ -diff --git a/src/Makefile.am b/src/Makefile.am -index 35027013..7c1a3491 100644 ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -10,6 +10,7 @@ sgidperms = 2755 - AM_CPPFLAGS = \ - -I${top_srcdir}/lib \ - -I$(top_srcdir)/libmisc \ -+ -I$(top_srcdir) \ - -DLOCALEDIR=\"$(datadir)/locale\" - 
- # XXX why are login and su in /bin anyway (other than for -@@ -183,6 +184,7 @@ list_subid_ranges_LDADD = \ - list_subid_ranges_CPPFLAGS = \ - -I$(top_srcdir)/lib \ - -I$(top_srcdir)/libmisc \ -+ -I$(top_srcdir) \ - -I$(top_srcdir)/libsubid - - get_subid_owners_LDADD = \ -@@ -194,11 +196,13 @@ get_subid_owners_LDADD = \ - get_subid_owners_CPPFLAGS = \ - -I$(top_srcdir)/lib \ - -I$(top_srcdir)/libmisc \ -+ -I$(top_srcdir) \ - -I$(top_srcdir)/libsubid - - new_subid_range_CPPFLAGS = \ - -I$(top_srcdir)/lib \ - -I$(top_srcdir)/libmisc \ -+ -I$(top_srcdir) \ - -I$(top_srcdir)/libsubid - - new_subid_range_LDADD = \ -@@ -210,6 +214,7 @@ new_subid_range_LDADD = \ - free_subid_range_CPPFLAGS = \ - -I$(top_srcdir)/lib \ - -I$(top_srcdir)/libmisc \ -+ -I$(top_srcdir) \ - -I$(top_srcdir)/libsubid - - free_subid_range_LDADD = \ -@@ -220,6 +225,7 @@ free_subid_range_LDADD = \ - - check_subid_range_CPPFLAGS = \ - -I$(top_srcdir)/lib \ -+ -I$(top_srcdir) \ - -I$(top_srcdir)/libmisc - - check_subid_range_LDADD = \ diff --git a/sys-apps/shadow/files/shadow-4.9-libsubid_pam_linking.patch b/sys-apps/shadow/files/shadow-4.9-libsubid_pam_linking.patch deleted file mode 100644 index 7fb03f6ff429..000000000000 --- a/sys-apps/shadow/files/shadow-4.9-libsubid_pam_linking.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -From f4a84efb468b8be21be124700ce35159c444e9d6 Mon Sep 17 00:00:00 2001 -From: Xi Ruoyao <xry111@mengyan1223.wang> -Date: Fri, 23 Jul 2021 14:38:08 +0800 -Subject: [PATCH] libsubid: link to PAM libraries - -libsubid.so links to libmisc.a, which contains several routines referring to -PAM functions. ---- - libsubid/Makefile.am | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am -index 189165b0..83051560 100644 ---- a/libsubid/Makefile.am -+++ b/libsubid/Makefile.am -@@ -16,7 +16,8 @@ MISCLIBS = \ - $(LIBCRYPT) \ - $(LIBACL) \ - $(LIBATTR) \ -- $(LIBTCB) -+ $(LIBTCB) \ -+ $(LIBPAM) - - libsubid_la_LIBADD = \ - $(top_srcdir)/lib/libshadow.la \ --- -2.32.0 - diff --git a/sys-apps/shadow/metadata.xml b/sys-apps/shadow/metadata.xml index 980dcbed0ddb..732ee860c25d 100644 --- a/sys-apps/shadow/metadata.xml +++ b/sys-apps/shadow/metadata.xml @@ -9,7 +9,9 @@ <flag name="bcrypt">build the bcrypt password encryption algorithm</flag> <flag name="su">build the su program</flag> </use> - <!-- only for USE=pam --> + <slots> + <subslots>Reflect ABI of libsubids.so</subslots> + </slots> <upstream> <remote-id type="cpe">cpe:/a:debian:shadow</remote-id> <remote-id type="github">shadow-maint/shadow</remote-id> diff --git a/sys-apps/shadow/shadow-4.9-r3.ebuild b/sys-apps/shadow/shadow-4.13-r4.ebuild index 69a16bb519be..b2cbba68a664 100644 --- a/sys-apps/shadow/shadow-4.9-r3.ebuild +++ b/sys-apps/shadow/shadow-4.13-r4.ebuild 
@@ -1,45 +1,50 @@ -# Copyright 1999-2021 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -EAPI=7 +EAPI=8 -inherit autotools pam +# Upstream sometimes pushes releases as pre-releases before marking them +# official. Don't keyword the pre-releases! +# Check https://github.com/shadow-maint/shadow/releases. + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/sergehallyn.asc +inherit libtool pam verify-sig DESCRIPTION="Utilities to deal with user accounts" HOMEPAGE="https://github.com/shadow-maint/shadow" -SRC_URI="https://github.com/shadow-maint/shadow/releases/download/v${PV}/${P}.tar.xz" +SRC_URI="https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar.xz" +SRC_URI+=" verify-sig? ( https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar.xz.asc )" LICENSE="BSD GPL-2" -SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86" -IUSE="acl audit bcrypt cracklib nls pam selinux skey split-usr +su xattr" +# Subslot is for libsubid's SONAME. +SLOT="0/4" +KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86" +IUSE="acl audit bcrypt cracklib nls pam selinux skey split-usr su xattr" # Taken from the man/Makefile.am file. LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW ) REQUIRED_USE="?? ( cracklib pam )" -BDEPEND=" - app-arch/xz-utils - sys-devel/gettext -" COMMON_DEPEND=" virtual/libcrypt:= - acl? ( sys-apps/acl:0= ) - audit? ( >=sys-process/audit-2.6:0= ) - cracklib? ( >=sys-libs/cracklib-2.7-r3:0= ) + acl? ( sys-apps/acl:= ) + audit? ( >=sys-process/audit-2.6:= ) + cracklib? ( >=sys-libs/cracklib-2.7-r3:= ) nls? ( virtual/libintl ) - pam? ( sys-libs/pam:0= ) - skey? ( sys-auth/skey:0= ) + pam? ( sys-libs/pam:= ) + skey? ( sys-auth/skey:= ) selinux? 
( - >=sys-libs/libselinux-1.28:0= - sys-libs/libsemanage:0= + >=sys-libs/libselinux-1.28:= + sys-libs/libsemanage:= ) - xattr? ( sys-apps/attr:0= ) + xattr? ( sys-apps/attr:= ) " -DEPEND="${COMMON_DEPEND} +DEPEND=" + ${COMMON_DEPEND} >=sys-kernel/linux-headers-4.14 " -RDEPEND="${COMMON_DEPEND} +RDEPEND=" + ${COMMON_DEPEND} !<sys-apps/man-pages-5.11-r1 !=sys-apps/man-pages-5.12-r0 !=sys-apps/man-pages-5.12-r1 @@ -51,24 +56,29 @@ RDEPEND="${COMMON_DEPEND} pam? ( >=sys-auth/pambase-20150213 ) su? ( !sys-apps/util-linux[su(-)] ) " +BDEPEND=" + app-arch/xz-utils + sys-devel/gettext + verify-sig? ( sec-keys/openpgp-keys-sergehallyn ) +" PATCHES=( - "${FILESDIR}/${PN}-4.1.3-dots-in-usernames.patch" - "${FILESDIR}/${P}-libsubid_pam_linking.patch" - "${FILESDIR}/${P}-libsubid_oot_build.patch" - "${FILESDIR}/shadow-4.9-libcrack.patch" - "${FILESDIR}/shadow-4.9-SHA-rounds.patch" + "${FILESDIR}"/${P}-configure-clang16.patch + "${FILESDIR}"/${P}-CVE-2023-29383.patch + "${FILESDIR}"/${P}-usermod-prefix-gid.patch + "${FILESDIR}"/${P}-password-leak.patch ) src_prepare() { default - eautoreconf - #elibtoolize + + elibtoolize } src_configure() { local myeconfargs=( --disable-account-tools-setuid + --disable-static --with-btrfs --without-group-name-max-length --without-tcb @@ -84,9 +94,8 @@ src_configure() { $(use_with su) $(use_with xattr attr) ) - econf "${myeconfargs[@]}" - has_version 'sys-libs/uclibc[-rpc]' && sed -i '/RLOGIN/d' config.h #425052 + econf "${myeconfargs[@]}" if use nls ; then local l langs="po" # These are the pot files. @@ -158,7 +167,7 @@ src_install() { else dopamd "${FILESDIR}"/pam.d-include/shadow - for x in chsh shfn ; do + for x in chsh chfn ; do newpamd "${FILESDIR}"/pam.d-include/passwd ${x} done @@ -168,7 +177,7 @@ src_install() { newpamd "${FILESDIR}"/pam.d-include/shadow-r1 groupmems - # comment out login.defs options that pam hates + # Comment out login.defs options that pam hates local opt sed_args=() for opt in \ CHFN_AUTH \ 
@@ -199,7 +208,7 @@ src_install() { -e ': exit' \ "${ED}"/etc/login.defs || die - # remove manpages that pam will install for us + # Remove manpages that pam will install for us # and/or don't apply when using pam find "${ED}"/usr/share/man -type f \ '(' -name 'limits.5*' -o -name 'suauth.5*' ')' \ @@ -215,13 +224,21 @@ src_install() { # Remove manpages that are handled by other packages find "${ED}"/usr/share/man -type f \ '(' -name id.1 -o -name getspnam.3 ')' \ - -delete + -delete || die + + if ! use su ; then + find "${ED}"/usr/share/man -type f -name su.1 -delete || die + fi cd "${S}" || die dodoc ChangeLog NEWS TODO newdoc README README.download cd doc || die dodoc HOWTO README* WISHLIST *.txt + + if use elibc_musl; then + QA_CONFIG_IMPL_DECL_SKIP+=( sgetsgent ) + fi } pkg_preinst() { @@ -230,12 +247,18 @@ pkg_preinst() { } pkg_postinst() { + # Missing entries from /etc/passwd can cause odd system blips. + # See bug #829872. + if ! pwck -r -q -R "${EROOT:-/}" &>/dev/null ; then + ewarn "Running 'pwck' returned errors. Please run it manually to fix any errors." + fi + # Enable shadow groups. - if [ ! -f "${EROOT}"/etc/gshadow ] ; then - if grpck -r -R "${EROOT}" 2>/dev/null ; then - grpconv -R "${EROOT}" + if [[ ! -f "${EROOT}"/etc/gshadow ]] ; then + if grpck -r -R "${EROOT:-/}" 2>/dev/null ; then + grpconv -R "${EROOT:-/}" else - ewarn "Running 'grpck' returned errors. Please run it by hand, and then" + ewarn "Running 'grpck' returned errors. Please run it by hand, and then" ewarn "run 'grpconv' afterwards!" fi fi diff --git a/sys-apps/shadow/shadow-4.14.2.ebuild b/sys-apps/shadow/shadow-4.14.2.ebuild new file mode 100644 index 000000000000..25b40053cf39 --- /dev/null +++ b/sys-apps/shadow/shadow-4.14.2.ebuild 
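Review bot: The new pwck check in pkg_postinst discards everything pwck prints (`&>/dev/null`), so on failure the user only sees a generic ewarn and must rerun the tool to learn which /etc/passwd entry is broken. Since `-q` already limits pwck to error reports, capturing its output into the warning, e.g. `local out; if ! out=$(pwck -r -q -R "${EROOT:-/}" 2>&1); then ewarn "pwck reported: ${out}"; fi`, would put the actual problem in the merge log; the existing grpck branch just below uses the same `2>/dev/null` shape and could follow the same pattern. Whether the pkg_postinst output-volume conventions permit echoing pwck's lines verbatim is a judgement call, but even a truncated first line is more actionable than the current message. pkg_postinst's closing brace lies outside the hunk.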
@@ -0,0 +1,280 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +# Upstream sometimes pushes releases as pre-releases before marking them +# official. Don't keyword the pre-releases! +# Check https://github.com/shadow-maint/shadow/releases. + +inherit libtool pam verify-sig + +DESCRIPTION="Utilities to deal with user accounts" +HOMEPAGE="https://github.com/shadow-maint/shadow" +SRC_URI="https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar.xz" +SRC_URI+=" verify-sig? ( https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar.xz.asc )" + +LICENSE="BSD GPL-2" +# Subslot is for libsubid's SONAME. +SLOT="0/4" +KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86" +IUSE="acl audit cracklib nls pam selinux skey split-usr su systemd xattr" +# Taken from the man/Makefile.am file. +LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW ) + +REQUIRED_USE="?? ( cracklib pam )" + +# TODO: Revisit libbsd dep once glibc-2.28 is stable as it provides strlcpy. +COMMON_DEPEND=" + dev-libs/libbsd + virtual/libcrypt:= + acl? ( sys-apps/acl:= ) + audit? ( >=sys-process/audit-2.6:= ) + cracklib? ( >=sys-libs/cracklib-2.7-r3:= ) + nls? ( virtual/libintl ) + pam? ( sys-libs/pam:= ) + skey? ( sys-auth/skey:= ) + selinux? ( + >=sys-libs/libselinux-1.28:= + sys-libs/libsemanage:= + ) + systemd? ( sys-apps/systemd:= ) + xattr? ( sys-apps/attr:= ) +" +DEPEND=" + ${COMMON_DEPEND} + >=sys-kernel/linux-headers-4.14 +" +RDEPEND=" + ${COMMON_DEPEND} + !<sys-apps/man-pages-5.11-r1 + !=sys-apps/man-pages-5.12-r0 + !=sys-apps/man-pages-5.12-r1 + nls? ( + !<app-i18n/man-pages-it-5.06-r1 + !<app-i18n/man-pages-ja-20180315-r1 + !<app-i18n/man-pages-ru-5.03.2390.2390.20191017-r1 + ) + pam? ( >=sys-auth/pambase-20150213 ) + su? 
( !sys-apps/util-linux[su(-)] ) +" +BDEPEND=" + app-arch/xz-utils + sys-devel/gettext +" + +if [[ ${PV} == *.0 ]]; then + BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-sergehallyn )" + VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/sergehallyn.asc +else + BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-alejandro-colomar )" + VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/alejandro-colomar.asc +fi + +src_prepare() { + default + elibtoolize +} + +src_configure() { + local myeconfargs=( + # Negate new upstream default of disabling for now + --enable-lastlog + --disable-account-tools-setuid + --disable-static + --with-btrfs + # shadow uses a bundled copy of readpassphrase if --without-libbsd + --with-libbsd + --without-group-name-max-length + --without-tcb + --with-bcrypt + --with-yescrypt + $(use_enable nls) + # TODO: wire up upstream for elogind too (bug #931119) + $(use_enable systemd logind) + $(use_with acl) + $(use_with audit) + $(use_with cracklib libcrack) + $(use_with elibc_glibc nscd) + $(use_with pam libpam) + $(use_with selinux) + $(use_with skey) + $(use_with su) + $(use_with xattr attr) + ) + + econf "${myeconfargs[@]}" + + if use nls ; then + local l langs="po" # These are the pot files. 
+ for l in ${LANGS[*]} ; do + has ${l} ${LINGUAS-${l}} && langs+=" ${l}" + done + sed -i "/^SUBDIRS = /s:=.*:= ${langs}:" man/Makefile || die + fi +} + +set_login_opt() { + local comment="" opt=${1} val=${2} + if [[ -z ${val} ]]; then + comment="#" + sed -i \ + -e "/^${opt}\>/s:^:#:" \ + "${ED}"/etc/login.defs || die + else + sed -i -r \ + -e "/^#?${opt}\>/s:.*:${opt} ${val}:" \ + "${ED}"/etc/login.defs + fi + local res=$(grep "^${comment}${opt}\>" "${ED}"/etc/login.defs) + einfo "${res:-Unable to find ${opt} in /etc/login.defs}" +} + +src_install() { + emake DESTDIR="${D}" suidperms=4711 install + + # 4.9 regression: https://github.com/shadow-maint/shadow/issues/389 + emake DESTDIR="${D}" -C man install + + find "${ED}" -name '*.la' -type f -delete || die + + insinto /etc + if ! use pam ; then + insopts -m0600 + doins etc/login.access etc/limits + fi + + # needed for 'useradd -D' + insinto /etc/default + insopts -m0600 + doins "${FILESDIR}"/default/useradd + + if use split-usr ; then + # move passwd to / to help recover broke systems #64441 + # We cannot simply remove this or else net-misc/scponly + # and other tools will break because of hardcoded passwd + # location + dodir /bin + mv "${ED}"/usr/bin/passwd "${ED}"/bin/ || die + dosym ../../bin/passwd /usr/bin/passwd + fi + + cd "${S}" || die + insinto /etc + insopts -m0644 + newins etc/login.defs login.defs + + set_login_opt CREATE_HOME yes + if ! 
use pam ; then + set_login_opt MAIL_CHECK_ENAB no + set_login_opt SU_WHEEL_ONLY yes + set_login_opt CRACKLIB_DICTPATH /usr/lib/cracklib_dict + set_login_opt LOGIN_RETRIES 3 + set_login_opt ENCRYPT_METHOD SHA512 + set_login_opt CONSOLE + else + dopamd "${FILESDIR}"/pam.d-include/shadow + + for x in chsh chfn ; do + newpamd "${FILESDIR}"/pam.d-include/passwd ${x} + done + + for x in chpasswd newusers ; do + newpamd "${FILESDIR}"/pam.d-include/chpasswd ${x} + done + + newpamd "${FILESDIR}"/pam.d-include/shadow-r1 groupmems + + # Comment out login.defs options that pam hates + local opt sed_args=() + for opt in \ + CHFN_AUTH \ + CONSOLE \ + CRACKLIB_DICTPATH \ + ENV_HZ \ + ENVIRON_FILE \ + FAILLOG_ENAB \ + FTMP_FILE \ + LASTLOG_ENAB \ + MAIL_CHECK_ENAB \ + MOTD_FILE \ + NOLOGINS_FILE \ + OBSCURE_CHECKS_ENAB \ + PASS_ALWAYS_WARN \ + PASS_CHANGE_TRIES \ + PASS_MIN_LEN \ + PORTTIME_CHECKS_ENAB \ + QUOTAS_ENAB \ + SU_WHEEL_ONLY + do + set_login_opt ${opt} + sed_args+=( -e "/^#${opt}\>/b pamnote" ) + done + sed -i "${sed_args[@]}" \ + -e 'b exit' \ + -e ': pamnote; i# NOTE: This setting should be configured via /etc/pam.d/ and not in this file.' \ + -e ': exit' \ + "${ED}"/etc/login.defs || die + + # Remove manpages that pam will install for us + # and/or don't apply when using pam + find "${ED}"/usr/share/man -type f \ + '(' -name 'limits.5*' -o -name 'suauth.5*' ')' \ + -delete + + # Remove pam.d files provided by pambase. + rm "${ED}"/etc/pam.d/{login,passwd} || die + if use su ; then + rm "${ED}"/etc/pam.d/su || die + fi + fi + + # Remove manpages that are handled by other packages + find "${ED}"/usr/share/man -type f \ + '(' -name id.1 -o -name getspnam.3 ')' \ + -delete || die + + if ! 
use su ; then + find "${ED}"/usr/share/man -type f -name su.1 -delete || die + fi + + cd "${S}" || die + dodoc ChangeLog NEWS TODO + newdoc README README.download + cd doc || die + dodoc HOWTO README* WISHLIST *.txt + + if use elibc_musl; then + QA_CONFIG_IMPL_DECL_SKIP+=( sgetsgent ) + fi +} + +pkg_preinst() { + rm -f "${EROOT}"/etc/pam.d/system-auth.new \ + "${EROOT}/etc/login.defs.new" +} + +pkg_postinst() { + # Missing entries from /etc/passwd can cause odd system blips. + # See bug #829872. + if ! pwck -r -q -R "${EROOT:-/}" &>/dev/null ; then + ewarn "Running 'pwck' returned errors. Please run it manually to fix any errors." + fi + + # Enable shadow groups. + if [[ ! -f "${EROOT}"/etc/gshadow ]] ; then + if grpck -r -R "${EROOT:-/}" 2>/dev/null ; then + grpconv -R "${EROOT:-/}" + else + ewarn "Running 'grpck' returned errors. Please run it by hand, and then" + ewarn "run 'grpconv' afterwards!" + fi + fi + + [[ ! -f "${EROOT}"/etc/subgid ]] && + touch "${EROOT}"/etc/subgid + [[ ! -f "${EROOT}"/etc/subuid ]] && + touch "${EROOT}"/etc/subuid + + einfo "The 'adduser' symlink to 'useradd' has been dropped." +} diff --git a/sys-apps/shadow/shadow-4.9-r4.ebuild b/sys-apps/shadow/shadow-4.14.6-r1.ebuild index 044718eed4c1..2cfb43e405bd 100644 --- a/sys-apps/shadow/shadow-4.9-r4.ebuild +++ b/sys-apps/shadow/shadow-4.14.6-r1.ebuild 
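Review bot: In `set_login_opt`, the branch that writes a value, `sed -i -r -e "/^#?${opt}\>/s:.*:${opt} ${val}:" "${ED}"/etc/login.defs`, has no `|| die`, while the commenting-out branch above it does; the only fallback is the `einfo` of whatever grep finds afterwards. That matters on the !pam path, where this function writes `ENCRYPT_METHOD SHA512`, `LOGIN_RETRIES 3` and `SU_WHEEL_ONLY yes` — a failed sed would silently leave upstream's shipped defaults in login.defs with only an einfo line to show for it. Changing that line to `"${ED}"/etc/login.defs || die` matches the first branch. Two smaller points in src_install: the `limits.5*`/`suauth.5*` find lacks the `|| die` its `id.1`/`getspnam.3` sibling has, and the `for x in chsh chfn` and `for x in chpasswd newusers` loops use an undeclared `x` that leaks into global scope, which a `local x` at the top of the else branch would fix.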
@@ -1,45 +1,50 @@ -# Copyright 1999-2021 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -EAPI=7 +EAPI=8 -inherit autotools pam +# Upstream sometimes pushes releases as pre-releases before marking them +# official. Don't keyword the pre-releases! +# Check https://github.com/shadow-maint/shadow/releases. + +inherit libtool pam verify-sig DESCRIPTION="Utilities to deal with user accounts" HOMEPAGE="https://github.com/shadow-maint/shadow" -SRC_URI="https://github.com/shadow-maint/shadow/releases/download/v${PV}/${P}.tar.xz" +SRC_URI="https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar.xz" +SRC_URI+=" verify-sig? ( https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar.xz.asc )" LICENSE="BSD GPL-2" -SLOT="0" -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" -IUSE="acl audit bcrypt cracklib nls pam selinux skey split-usr +su xattr" +# Subslot is for libsubid's SONAME. +SLOT="0/4" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" +IUSE="acl audit cracklib nls pam selinux skey split-usr su systemd xattr" # Taken from the man/Makefile.am file. LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW ) REQUIRED_USE="?? ( cracklib pam )" -BDEPEND=" - app-arch/xz-utils - sys-devel/gettext -" COMMON_DEPEND=" virtual/libcrypt:= - acl? ( sys-apps/acl:0= ) - audit? ( >=sys-process/audit-2.6:0= ) - cracklib? ( >=sys-libs/cracklib-2.7-r3:0= ) + acl? ( sys-apps/acl:= ) + audit? ( >=sys-process/audit-2.6:= ) + cracklib? ( >=sys-libs/cracklib-2.7-r3:= ) nls? ( virtual/libintl ) - pam? ( sys-libs/pam:0= ) - skey? ( sys-auth/skey:0= ) + pam? ( sys-libs/pam:= ) + skey? ( sys-auth/skey:= ) selinux? ( - >=sys-libs/libselinux-1.28:0= - sys-libs/libsemanage:0= + >=sys-libs/libselinux-1.28:= + sys-libs/libsemanage:= ) - xattr? ( sys-apps/attr:0= ) + systemd? 
( sys-apps/systemd:= ) + xattr? ( sys-apps/attr:= ) " -DEPEND="${COMMON_DEPEND} +DEPEND=" + ${COMMON_DEPEND} >=sys-kernel/linux-headers-4.14 " -RDEPEND="${COMMON_DEPEND} +RDEPEND=" + ${COMMON_DEPEND} !<sys-apps/man-pages-5.11-r1 !=sys-apps/man-pages-5.12-r0 !=sys-apps/man-pages-5.12-r1 @@ -51,33 +56,42 @@ RDEPEND="${COMMON_DEPEND} pam? ( >=sys-auth/pambase-20150213 ) su? ( !sys-apps/util-linux[su(-)] ) " +BDEPEND=" + app-arch/xz-utils + sys-devel/gettext +" -PATCHES=( - "${FILESDIR}/${PN}-4.1.3-dots-in-usernames.patch" - "${FILESDIR}/${P}-libsubid_pam_linking.patch" - "${FILESDIR}/${P}-libsubid_oot_build.patch" - "${FILESDIR}/shadow-4.9-libcrack.patch" - "${FILESDIR}/shadow-4.9-SHA-rounds.patch" - "${FILESDIR}/${P}-gpasswd-double-free.patch" - "${FILESDIR}/${P}-configure-typo.patch" -) +if [[ ${PV} == *.0 ]]; then + BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-sergehallyn )" + VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/sergehallyn.asc +else + BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-alejandro-colomar )" + VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/alejandro-colomar.asc +fi src_prepare() { default - eautoreconf - #elibtoolize + elibtoolize } src_configure() { local myeconfargs=( + # Negate new upstream default of disabling for now + --enable-lastlog --disable-account-tools-setuid + --disable-static --with-btrfs + # Use bundled replacements for readpassphrase and freezero + --without-libbsd --without-group-name-max-length --without-tcb + --with-bcrypt + --with-yescrypt $(use_enable nls) + # TODO: wire up upstream for elogind too (bug #931119) + $(use_enable systemd logind) $(use_with acl) $(use_with audit) - $(use_with bcrypt) $(use_with cracklib libcrack) $(use_with elibc_glibc nscd) $(use_with pam libpam) 
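Review bot: The `if [[ ${PV} == *.0 ]]` block that picks between the sergehallyn and alejandro-colomar keys has no comment saying why the signing key depends on the release number, so the next maintainer bumping to a `.0` release has to rediscover it; a one-liner such as `# x.y.0 releases are signed by Serge Hallyn's key, point releases by Alejandro Colomar's (check upstream's release page)` would do. If upstream ever signs with the other key the fetch fails closed under USE=verify-sig, which is the right failure mode, and is worth stating in that comment too. Separately, `--without-libbsd` now relies on shadow's bundled `readpassphrase`/`freezero` where shadow-4.14.2.ebuild links `dev-libs/libbsd`; a bundled copy will not receive fixes shipped through libbsd, so the comment should cite the bug or reason for the switch. The same hunk appears in shadow-4.14.7.ebuild.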
@@ -86,9 +100,8 @@ src_configure() { $(use_with su) $(use_with xattr attr) ) - econf "${myeconfargs[@]}" - has_version 'sys-libs/uclibc[-rpc]' && sed -i '/RLOGIN/d' config.h #425052 + econf "${myeconfargs[@]}" if use nls ; then local l langs="po" # These are the pot files. @@ -160,7 +173,7 @@ src_install() { else dopamd "${FILESDIR}"/pam.d-include/shadow - for x in chsh shfn ; do + for x in chsh chfn ; do newpamd "${FILESDIR}"/pam.d-include/passwd ${x} done @@ -170,7 +183,7 @@ src_install() { newpamd "${FILESDIR}"/pam.d-include/shadow-r1 groupmems - # comment out login.defs options that pam hates + # Comment out login.defs options that pam hates local opt sed_args=() for opt in \ CHFN_AUTH \ @@ -201,7 +214,7 @@ src_install() { -e ': exit' \ "${ED}"/etc/login.defs || die - # remove manpages that pam will install for us + # Remove manpages that pam will install for us # and/or don't apply when using pam find "${ED}"/usr/share/man -type f \ '(' -name 'limits.5*' -o -name 'suauth.5*' ')' \ @@ -217,13 +230,21 @@ src_install() { # Remove manpages that are handled by other packages find "${ED}"/usr/share/man -type f \ '(' -name id.1 -o -name getspnam.3 ')' \ - -delete + -delete || die + + if ! use su ; then + find "${ED}"/usr/share/man -type f -name su.1 -delete || die + fi cd "${S}" || die dodoc ChangeLog NEWS TODO newdoc README README.download cd doc || die dodoc HOWTO README* WISHLIST *.txt + + if use elibc_musl; then + QA_CONFIG_IMPL_DECL_SKIP+=( sgetsgent ) + fi } pkg_preinst() { 
@@ -232,12 +253,18 @@ pkg_preinst() { } pkg_postinst() { + # Missing entries from /etc/passwd can cause odd system blips. + # See bug #829872. + if ! pwck -r -q -R "${EROOT:-/}" &>/dev/null ; then + ewarn "Running 'pwck' returned errors. Please run it manually to fix any errors." + fi + # Enable shadow groups. - if [ ! -f "${EROOT}"/etc/gshadow ] ; then - if grpck -r -R "${EROOT}" 2>/dev/null ; then - grpconv -R "${EROOT}" + if [[ ! -f "${EROOT}"/etc/gshadow ]] ; then + if grpck -r -R "${EROOT:-/}" 2>/dev/null ; then + grpconv -R "${EROOT:-/}" else - ewarn "Running 'grpck' returned errors. Please run it by hand, and then" + ewarn "Running 'grpck' returned errors. Please run it by hand, and then" ewarn "run 'grpconv' afterwards!" fi fi diff --git a/sys-apps/shadow/shadow-4.8.1-r4.ebuild b/sys-apps/shadow/shadow-4.14.7.ebuild index 0f0c0c206359..2cfb43e405bd 100644 --- a/sys-apps/shadow/shadow-4.8.1-r4.ebuild +++ b/sys-apps/shadow/shadow-4.14.7.ebuild 
@@ -1,45 +1,50 @@ -# Copyright 1999-2021 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -EAPI=7 +EAPI=8 -inherit autotools pam +# Upstream sometimes pushes releases as pre-releases before marking them +# official. Don't keyword the pre-releases! +# Check https://github.com/shadow-maint/shadow/releases. + +inherit libtool pam verify-sig DESCRIPTION="Utilities to deal with user accounts" HOMEPAGE="https://github.com/shadow-maint/shadow" SRC_URI="https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar.xz" +SRC_URI+=" verify-sig? ( https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar.xz.asc )" LICENSE="BSD GPL-2" -SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86" -IUSE="acl audit bcrypt cracklib nls pam selinux skey split-usr +su xattr" +# Subslot is for libsubid's SONAME. +SLOT="0/4" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" +IUSE="acl audit cracklib nls pam selinux skey split-usr su systemd xattr" # Taken from the man/Makefile.am file. LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW ) REQUIRED_USE="?? ( cracklib pam )" -BDEPEND=" - app-arch/xz-utils - sys-devel/gettext -" COMMON_DEPEND=" virtual/libcrypt:= - acl? ( sys-apps/acl:0= ) - audit? ( >=sys-process/audit-2.6:0= ) - cracklib? ( >=sys-libs/cracklib-2.7-r3:0= ) + acl? ( sys-apps/acl:= ) + audit? ( >=sys-process/audit-2.6:= ) + cracklib? ( >=sys-libs/cracklib-2.7-r3:= ) nls? ( virtual/libintl ) - pam? ( sys-libs/pam:0= ) - skey? ( sys-auth/skey:0= ) + pam? ( sys-libs/pam:= ) + skey? ( sys-auth/skey:= ) selinux? ( - >=sys-libs/libselinux-1.28:0= - sys-libs/libsemanage:0= + >=sys-libs/libselinux-1.28:= + sys-libs/libsemanage:= ) - xattr? ( sys-apps/attr:0= ) + systemd? ( sys-apps/systemd:= ) + xattr? 
( sys-apps/attr:= ) " -DEPEND="${COMMON_DEPEND} +DEPEND=" + ${COMMON_DEPEND} >=sys-kernel/linux-headers-4.14 " -RDEPEND="${COMMON_DEPEND} +RDEPEND=" + ${COMMON_DEPEND} !<sys-apps/man-pages-5.11-r1 !=sys-apps/man-pages-5.12-r0 !=sys-apps/man-pages-5.12-r1 @@ -51,29 +56,42 @@ RDEPEND="${COMMON_DEPEND} pam? ( >=sys-auth/pambase-20150213 ) su? ( !sys-apps/util-linux[su(-)] ) " +BDEPEND=" + app-arch/xz-utils + sys-devel/gettext +" -PATCHES=( - "${FILESDIR}/${PN}-4.1.3-dots-in-usernames.patch" -) +if [[ ${PV} == *.0 ]]; then + BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-sergehallyn )" + VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/sergehallyn.asc +else + BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-alejandro-colomar )" + VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/alejandro-colomar.asc +fi src_prepare() { default - eautoreconf - #elibtoolize + elibtoolize } src_configure() { local myeconfargs=( + # Negate new upstream default of disabling for now + --enable-lastlog --disable-account-tools-setuid - --enable-shared=no - --enable-static=yes + --disable-static --with-btrfs + # Use bundled replacements for readpassphrase and freezero + --without-libbsd --without-group-name-max-length --without-tcb + --with-bcrypt + --with-yescrypt $(use_enable nls) + # TODO: wire up upstream for elogind too (bug #931119) + $(use_enable systemd logind) $(use_with acl) $(use_with audit) - $(use_with bcrypt) $(use_with cracklib libcrack) $(use_with elibc_glibc nscd) $(use_with pam libpam) @@ -82,9 +100,8 @@ src_configure() { $(use_with su) $(use_with xattr attr) ) - econf "${myeconfargs[@]}" - has_version 'sys-libs/uclibc[-rpc]' && sed -i '/RLOGIN/d' config.h #425052 + econf "${myeconfargs[@]}" if use nls ; then local l langs="po" # These are the pot files. 
@@ -114,12 +131,10 @@ set_login_opt() { src_install() { emake DESTDIR="${D}" suidperms=4711 install - # Remove libshadow and libmisc; see bug 37725 and the following - # comment from shadow's README.linux: - # Currently, libshadow.a is for internal use only, so if you see - # -lshadow in a Makefile of some other package, it is safe to - # remove it. - rm -f "${ED}"/{,usr/}$(get_libdir)/lib{misc,shadow}.{a,la} + # 4.9 regression: https://github.com/shadow-maint/shadow/issues/389 + emake DESTDIR="${D}" -C man install + + find "${ED}" -name '*.la' -type f -delete || die insinto /etc if ! use pam ; then @@ -158,7 +173,7 @@ src_install() { else dopamd "${FILESDIR}"/pam.d-include/shadow - for x in chsh shfn ; do + for x in chsh chfn ; do newpamd "${FILESDIR}"/pam.d-include/passwd ${x} done @@ -168,7 +183,7 @@ src_install() { newpamd "${FILESDIR}"/pam.d-include/shadow-r1 groupmems - # comment out login.defs options that pam hates + # Comment out login.defs options that pam hates local opt sed_args=() for opt in \ CHFN_AUTH \ @@ -199,7 +214,7 @@ src_install() { -e ': exit' \ "${ED}"/etc/login.defs || die - # remove manpages that pam will install for us + # Remove manpages that pam will install for us # and/or don't apply when using pam find "${ED}"/usr/share/man -type f \ '(' -name 'limits.5*' -o -name 'suauth.5*' ')' \ @@ -215,13 +230,21 @@ src_install() { # Remove manpages that are handled by other packages find "${ED}"/usr/share/man -type f \ '(' -name id.1 -o -name getspnam.3 ')' \ - -delete + -delete || die + + if ! use su ; then + find "${ED}"/usr/share/man -type f -name su.1 -delete || die + fi cd "${S}" || die dodoc ChangeLog NEWS TODO newdoc README README.download cd doc || die dodoc HOWTO README* WISHLIST *.txt + + if use elibc_musl; then + QA_CONFIG_IMPL_DECL_SKIP+=( sgetsgent ) + fi } pkg_preinst() { 
@@ -230,12 +253,18 @@ pkg_preinst() { } pkg_postinst() { + # Missing entries from /etc/passwd can cause odd system blips. + # See bug #829872. + if ! pwck -r -q -R "${EROOT:-/}" &>/dev/null ; then + ewarn "Running 'pwck' returned errors. Please run it manually to fix any errors." + fi + # Enable shadow groups. - if [ ! -f "${EROOT}"/etc/gshadow ] ; then - if grpck -r -R "${EROOT}" 2>/dev/null ; then - grpconv -R "${EROOT}" + if [[ ! -f "${EROOT}"/etc/gshadow ]] ; then + if grpck -r -R "${EROOT:-/}" 2>/dev/null ; then + grpconv -R "${EROOT:-/}" else - ewarn "Running 'grpck' returned errors. Please run it by hand, and then" + ewarn "Running 'grpck' returned errors. Please run it by hand, and then" ewarn "run 'grpconv' afterwards!" fi fi |