commit: c7da130a443ab9811b242ae2cbf8259cb85d43b1 |
Author: Michael Weiser <michael.weiser <AT> gmx <DOT> de> |
AuthorDate: Tue Dec 17 19:02:40 2019 +0000 |
Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org> |
CommitDate: Sun Jan 19 01:00:17 2020 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7da130a |
|
sys-apps/shadow: Revbump to fix up PAM configuration |
|
shadow includes a number of administrative account management binaries |
like useradd, chage and chpasswd, traditionally only usable by root. |
In shadow they can be compiled with PAM support and installed setuid. |
PAM configuration can then be used to delegate account management to |
users other than root. |
|
The previous config contained the pam_rootok module to provide default |
behaviour of allowing account management when called as root. But it |
also contained pam_permit which would allow everyone else to also do |
account management without any authentication. |
|
To close this loophole we remove pam_permit from the config. Also, |
chpasswd, chgpasswd and newusers are batch-mode mass-change tools meant |
for scripting. They only contain PAM support if configure flag |
--enable-account-tools-setuid is in effect and are then installed setuid |
root. They should use the same restrictive PAM configuration as their |
siblings. But with setuid user management tools and PAM support within |
them disabled by commit f569e607 we can stop installing the |
configuration files as well. |
|
chfn and chsh are intended to be called by the user as self-service |
tools. For this reason they're always installed setuid root and contain |
PAM support. They should be allowed to work but maybe not without some |
prior authentication to avoid attacks such as someone finding an |
unlocked session and using chfn to redirect phone calls intended for the |
user to himself. The existing passwd config seems perfect for that and |
is aptly named in that both tools change user information normally |
stored in /etc/passwd. |
|
groupmems is another user self-service tool. It allows the user to add |
people to their user-private group, allowing them trusted access to |
normally private files. It is not installed setuid like chfn and chsh |
but always contains PAM support. Upstream installs a locked down PAM |
config by default. |
|
Since default shell profiles on Gentoo do not change umask to 0002 when |
a private user group is in use, impact will only be to allow read access |
to those additional users by default. |
|
Since the idea of adding more users to the user *private* group is |
questionable, go with upstream's default of locking the PAM config down |
so that an admin not only needs to make the binary suid but also adjust |
the PAM config, in the process hopefully considering what they're doing. |
|
Bug: https://bugs.gentoo.org/702252 |
Closes: https://github.com/gentoo/gentoo/pull/14032 |
Reviewed-by: Mikle Kolyada <zlogene <AT> gentoo.org> |
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org> |
|
sys-apps/shadow/files/pam.d-include/shadow-r1 | 7 + |
sys-apps/shadow/shadow-4.8-r3.ebuild | 233 ++++++++++++++++++++++++++ |
2 files changed, 240 insertions(+) |
|
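diff --git a/sys-apps/shadow/files/pam.d-include/shadow-r1 b/sys-apps/shadow/files/pam.d-include/shadow-r1
new file mode 100644
index 00000000000..e42e8493ffe
--- /dev/null
+++ b/sys-apps/shadow/files/pam.d-include/shadow-r1
@@ -0,0 +1,7 @@
+#%PAM-1.0
+
+auth sufficient pam_rootok.so
+
+account include system-auth
+
+password required pam_permit.so
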
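Review bot: The new groupmems stack carries no comment saying that `auth sufficient pam_rootok.so` being the only auth module is deliberate, which is the "locked down" default the commit message argues for, so a later editor comparing it with the passwd stack installed for chfn/chsh may well "fix" it by adding an include. I'd add a header right after `#%PAM-1.0` such as `# groupmems: only root passes auth (pam_rootok); no non-root path is provided on purpose - revisit this before making the binary setuid.` The password stack is an unconditional `pam_permit`; presumably harmless because groupmems never changes authentication tokens, but that assumption deserves its own one-line comment so it is not copied into a stack where it matters.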
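diff --git a/sys-apps/shadow/shadow-4.8-r3.ebuild b/sys-apps/shadow/shadow-4.8-r3.ebuild
new file mode 100644
index 00000000000..ce51a62e4d9
--- /dev/null
+++ b/sys-apps/shadow/shadow-4.8-r3.ebuild
@@ -0,0 +1,233 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit autotools libtool pam
+
+DESCRIPTION="Utilities to deal with user accounts"
+HOMEPAGE="https://github.com/shadow-maint/shadow"
+SRC_URI="https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar.xz"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sh ~sparc ~x86"
+IUSE="acl audit bcrypt +cracklib nls pam selinux skey split-usr +su xattr"
+# Taken from the man/Makefile.am file.
+LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW )
+
+DEPEND="
+ acl? ( sys-apps/acl:0= )
+ audit? ( >=sys-process/audit-2.6:0= )
+ cracklib? ( >=sys-libs/cracklib-2.7-r3:0= )
+ nls? ( virtual/libintl )
+ pam? ( sys-libs/pam:0= )
+ skey? ( sys-auth/skey:0= )
+ selinux? (
+ >=sys-libs/libselinux-1.28:0=
+ sys-libs/libsemanage:0=
+ )
+ su? ( !sys-apps/util-linux[su] )
+ xattr? ( sys-apps/attr:0= )
+"
+BDEPEND="
+ app-arch/xz-utils
+ sys-devel/gettext
+"
+RDEPEND="
+ ${DEPEND}
+ pam? ( >=sys-auth/pambase-20150213 )
+"
+
+PATCHES=(
+ "${FILESDIR}/${PN}-4.1.3-dots-in-usernames.patch"
+ "${FILESDIR}/${P}-revert-bin-merge.patch"
+)
+
+src_prepare() {
+ default
+ eautoreconf
+ #elibtoolize
+}
+
+src_configure() {
+ local myeconfargs=(
+ --disable-account-tools-setuid
+ --enable-shared=no
+ --enable-static=yes
+ --with-btrfs
+ --without-group-name-max-length
+ --without-tcb
+ $(use_enable nls)
+ $(use_with acl)
+ $(use_with audit)
+ $(use_with bcrypt)
+ $(use_with cracklib libcrack)
+ $(use_with elibc_glibc nscd)
+ $(use_with pam libpam)
+ $(use_with selinux)
+ $(use_with skey)
+ $(use_with su)
+ $(use_with xattr attr)
+ )
+ econf "${myeconfargs[@]}"
+
+ has_version 'sys-libs/uclibc[-rpc]' && sed -i '/RLOGIN/d' config.h #425052
+
+ if use nls ; then
+ local l langs="po" # These are the pot files.
+ for l in ${LANGS[*]} ; do
+ has ${l} ${LINGUAS-${l}} && langs+=" ${l}"
+ done
+ sed -i "/^SUBDIRS = /s:=.*:= ${langs}:" man/Makefile || die
+ fi
+}
+
+set_login_opt() {
+ local comment="" opt=$1 val=$2
+ if [[ -z ${val} ]]; then
+ comment="#"
+ sed -i \
+ -e "/^${opt}\>/s:^:#:" \
+ "${ED}"/etc/login.defs || die
+ else
+ sed -i -r \
+ -e "/^#?${opt}\>/s:.*:${opt} ${val}:" \
+ "${ED}"/etc/login.defs
+ fi
+ local res=$(grep "^${comment}${opt}\>" "${ED}"/etc/login.defs)
+ einfo "${res:-Unable to find ${opt} in /etc/login.defs}"
+}
+
+src_install() {
+ emake DESTDIR="${D}" suidperms=4711 install
+
+ # Remove libshadow and libmisc; see bug 37725 and the following
+ # comment from shadow's README.linux:
+ # Currently, libshadow.a is for internal use only, so if you see
+ # -lshadow in a Makefile of some other package, it is safe to
+ # remove it.
+ rm -f "${ED}"/{,usr/}$(get_libdir)/lib{misc,shadow}.{a,la}
+
+ insinto /etc
+ if ! use pam ; then
+ insopts -m0600
+ doins etc/login.access etc/limits
+ fi
+
+ # needed for 'useradd -D'
+ insinto /etc/default
+ insopts -m0600
+ doins "${FILESDIR}"/default/useradd
+
+ if use split-usr ; then
+ # move passwd to / to help recover broke systems #64441
+ # We cannot simply remove this or else net-misc/scponly
+ # and other tools will break because of hardcoded passwd
+ # location
+ dodir /bin
+ mv "${ED}"/usr/bin/passwd "${ED}"/bin/ || die
+ dosym ../../bin/passwd /usr/bin/passwd
+ fi
+
+ cd "${S}" || die
+ insinto /etc
+ insopts -m0644
+ newins etc/login.defs login.defs
+
+ set_login_opt CREATE_HOME yes
+ if ! use pam ; then
+ set_login_opt MAIL_CHECK_ENAB no
+ set_login_opt SU_WHEEL_ONLY yes
+ set_login_opt CRACKLIB_DICTPATH /usr/$(get_libdir)/cracklib_dict
+ set_login_opt LOGIN_RETRIES 3
+ set_login_opt ENCRYPT_METHOD SHA512
+ set_login_opt CONSOLE
+ else
+ dopamd "${FILESDIR}"/pam.d-include/shadow
+
+ for x in chsh shfn ; do
+ newpamd "${FILESDIR}"/pam.d-include/passwd ${x}
+ done
+
+ newpamd "${FILESDIR}"/pam.d-include/shadow-r1 groupmems
+
+ # comment out login.defs options that pam hates
+ local opt sed_args=()
+ for opt in \
+ CHFN_AUTH \
+ CONSOLE \
+ CRACKLIB_DICTPATH \
+ ENV_HZ \
+ ENVIRON_FILE \
+ FAILLOG_ENAB \
+ FTMP_FILE \
+ LASTLOG_ENAB \
+ MAIL_CHECK_ENAB \
+ MOTD_FILE \
+ NOLOGINS_FILE \
+ OBSCURE_CHECKS_ENAB \
+ PASS_ALWAYS_WARN \
+ PASS_CHANGE_TRIES \
+ PASS_MIN_LEN \
+ PORTTIME_CHECKS_ENAB \
+ QUOTAS_ENAB \
+ SU_WHEEL_ONLY
+ do
+ set_login_opt ${opt}
+ sed_args+=( -e "/^#${opt}\>/b pamnote" )
+ done
+ sed -i "${sed_args[@]}" \
+ -e 'b exit' \
+ -e ': pamnote; i# NOTE: This setting should be configured via /etc/pam.d/ and not in this file.' \
+ -e ': exit' \
+ "${ED}"/etc/login.defs || die
+
+ # remove manpages that pam will install for us
+ # and/or don't apply when using pam
+ find "${ED}"/usr/share/man -type f \
+ '(' -name 'limits.5*' -o -name 'suauth.5*' ')' \
+ -delete
+
+ # Remove pam.d files provided by pambase.
+ rm "${ED}"/etc/pam.d/{login,passwd} || die
+ if use su ; then
+ rm "${ED}"/etc/pam.d/su || die
+ fi
+ fi
+
+ # Remove manpages that are handled by other packages
+ find "${ED}"/usr/share/man \
+ '(' -name id.1 -o -name passwd.5 -o -name getspnam.3 ')' \
+ -delete
+
+ cd "${S}" || die
+ dodoc ChangeLog NEWS TODO
+ newdoc README README.download
+ cd doc || die
+ dodoc HOWTO README* WISHLIST *.txt
+}
+
+pkg_preinst() {
+ rm -f "${EROOT}"/etc/pam.d/system-auth.new \
+ "${EROOT}/etc/login.defs.new"
+}
+
+pkg_postinst() {
+ # Enable shadow groups.
+ if [ ! -f "${EROOT}"/etc/gshadow ] ; then
+ if grpck -r -R "${EROOT}" 2>/dev/null ; then
+ grpconv -R "${EROOT}"
+ else
+ ewarn "Running 'grpck' returned errors. Please run it by hand, and then"
+ ewarn "run 'grpconv' afterwards!"
+ fi
+ fi
+
+ [[ ! -f "${EROOT}"/etc/subgid ]] &&
+ touch "${EROOT}"/etc/subgid
+ [[ ! -f "${EROOT}"/etc/subuid ]] &&
+ touch "${EROOT}"/etc/subuid
+
+ einfo "The 'adduser' symlink to 'useradd' has been dropped."
+}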
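Review bot: The chfn PAM stack the commit message describes is never installed, because the loop in src_install spells the tool name wrong: `for x in chsh shfn ; do` makes `newpamd` write /etc/pam.d/shfn, while chfn - installed setuid root per the description - is left without a stack of its own and falls through to whatever /etc/pam.d/other provides on the target system. The fix is `for x in chsh chfn ; do`, and the loop variable should be declared with `local x` since src_install otherwise leaks it into the ebuild's global scope. Separately, the `else` branch of set_login_opt runs `sed -i -r ... "${ED}"/etc/login.defs` without the `|| die` that the `if` branch has, so a failed rewrite surfaces only as the "Unable to find" einfo text rather than as a build failure; add `|| die` there for consistency.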