
From: Lars Wendler <polynomial-c@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: sys-apps/shadow/files/pam.d-include/, sys-apps/shadow/
Date: Sun, 19 Jan 2020 01:01:41
Message-Id: 1579395617.c7da130a443ab9811b242ae2cbf8259cb85d43b1.polynomial-c@gentoo
1 commit: c7da130a443ab9811b242ae2cbf8259cb85d43b1
2 Author: Michael Weiser <michael.weiser <AT> gmx <DOT> de>
3 AuthorDate: Tue Dec 17 19:02:40 2019 +0000
4 Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
5 CommitDate: Sun Jan 19 01:00:17 2020 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7da130a
7
8 sys-apps/shadow: Revbump to fix up PAM configuration
9
10 shadow includes a number of administrative account management binaries
11 like useradd, chage and chpasswd, traditionally only usable by root.
12 In shadow they can be compiled with PAM support and installed setuid.
13 PAM configuration can then be used to delegate account management to
14 users other than root.
15
16 The previous config contained the pam_rootok module to provide default
17 behaviour of allowing account management when called as root. But it
18 also contained pam_permit which would allow everyone else to also do
19 account management without any authentication.
20
21 To close this loophole we remove pam_permit from the config. Also,
22 chpasswd, chgpasswd and newusers are batch-mode mass-change tools meant
23 for scripting. They only contain PAM support if configure flag
24 --enable-account-tools-setuid is in effect and are then installed setuid
25 root. They should use the same restrictive PAM configuration as their
26 siblings. But with setuid user management tools and PAM support within
27 them disabled by commit f569e607 we can stop installing the
28 configuration files as well.
29
30 chfn and chsh are intended to be called by the user as self-service
31 tools. For this reason they're always installed setuid root and contain
32 PAM support. They should be allowed to work but maybe not without some
33 prior authentication to avoid attacks such as someone finding an
34 unlocked session and using chfn to redirect phone calls intended for the
35 user to himself. The existing passwd config seems perfect for that and
36 is aptly named in that both tools change user information normally
37 stored in /etc/passwd.
38
39 groupmems is another user self-service tool. It allows the user to add
40 people to their user-private group, allowing them trusted access to
41 normally private files. It is not installed setuid like chfn and chsh
42 but always contains PAM support. Upstream installs a locked down PAM
43 config by default.
44
45 Since default shell profiles on Gentoo do not change umask to 0002 when
46 a private user group is in use, impact will only be to allow read access
47 to those additional users by default.
48
49 Since the idea of adding more users to the user *private* group is
50 questionable, go with upstream's default of locking the PAM config down
51 so that an admin not only needs to make the binary suid but also adjust
52 the PAM config, in the process hopefully considering what they're doing.
53
54 Bug: https://bugs.gentoo.org/702252
55 Closes: https://github.com/gentoo/gentoo/pull/14032
56 Reviewed-by: Mikle Kolyada <zlogene <AT> gentoo.org>
57 Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>
58
59 sys-apps/shadow/files/pam.d-include/shadow-r1 | 7 +
60 sys-apps/shadow/shadow-4.8-r3.ebuild | 233 ++++++++++++++++++++++++++
61 2 files changed, 240 insertions(+)
62
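diff --git a/sys-apps/shadow/files/pam.d-include/shadow-r1 b/sys-apps/shadow/files/pam.d-include/shadow-r1
new file mode 100644
index 00000000000..e42e8493ffe
--- /dev/null
+++ b/sys-apps/shadow/files/pam.d-include/shadow-r1
@@ -0,0 +1,7 @@
+#%PAM-1.0
+
+auth sufficient pam_rootok.so
+
+account include system-auth
+
+password required pam_permit.so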
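Review bot: Non-root callers of groupmems are refused only because the auth stack ends after the single `auth sufficient pam_rootok.so` line and Linux-PAM treats a stack in which every module was ignored as a denial; nothing in the file states that intent. Adding `auth required pam_deny.so` directly below the pam_rootok line makes the lockdown the commit description promises explicit rather than a property of the PAM library's fallback. The `password required pam_permit.so` line looks harmless here since groupmems never updates an authentication token, but a comment such as `# groupmems has no password phase; permit keeps pam_start happy` would stop the next reader from mistaking it for the pam_permit loophole this commit closes.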
77 diff --git a/sys-apps/shadow/shadow-4.8-r3.ebuild b/sys-apps/shadow/shadow-4.8-r3.ebuild
78 new file mode 100644
79 index 00000000000..ce51a62e4d9
80 --- /dev/null
81 +++ b/sys-apps/shadow/shadow-4.8-r3.ebuild
82 @@ -0,0 +1,233 @@
83 +# Copyright 1999-2019 Gentoo Authors
84 +# Distributed under the terms of the GNU General Public License v2
85 +
86 +EAPI=7
87 +
88 +inherit autotools libtool pam
89 +
90 +DESCRIPTION="Utilities to deal with user accounts"
91 +HOMEPAGE="https://github.com/shadow-maint/shadow"
92 +SRC_URI="https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar.xz"
93 +
94 +LICENSE="BSD GPL-2"
95 +SLOT="0"
96 +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sh ~sparc ~x86"
97 +IUSE="acl audit bcrypt +cracklib nls pam selinux skey split-usr +su xattr"
98 +# Taken from the man/Makefile.am file.
99 +LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW )
100 +
101 +DEPEND="
102 + acl? ( sys-apps/acl:0= )
103 + audit? ( >=sys-process/audit-2.6:0= )
104 + cracklib? ( >=sys-libs/cracklib-2.7-r3:0= )
105 + nls? ( virtual/libintl )
106 + pam? ( sys-libs/pam:0= )
107 + skey? ( sys-auth/skey:0= )
108 + selinux? (
109 + >=sys-libs/libselinux-1.28:0=
110 + sys-libs/libsemanage:0=
111 + )
112 + su? ( !sys-apps/util-linux[su] )
113 + xattr? ( sys-apps/attr:0= )
114 +"
115 +BDEPEND="
116 + app-arch/xz-utils
117 + sys-devel/gettext
118 +"
119 +RDEPEND="
120 + ${DEPEND}
121 + pam? ( >=sys-auth/pambase-20150213 )
122 +"
123 +
124 +PATCHES=(
125 + "${FILESDIR}/${PN}-4.1.3-dots-in-usernames.patch"
126 + "${FILESDIR}/${P}-revert-bin-merge.patch"
127 +)
128 +
129 +src_prepare() {
130 + default
131 + eautoreconf
132 + #elibtoolize
133 +}
134 +
135 +src_configure() {
136 + local myeconfargs=(
137 + --disable-account-tools-setuid
138 + --enable-shared=no
139 + --enable-static=yes
140 + --with-btrfs
141 + --without-group-name-max-length
142 + --without-tcb
143 + $(use_enable nls)
144 + $(use_with acl)
145 + $(use_with audit)
146 + $(use_with bcrypt)
147 + $(use_with cracklib libcrack)
148 + $(use_with elibc_glibc nscd)
149 + $(use_with pam libpam)
150 + $(use_with selinux)
151 + $(use_with skey)
152 + $(use_with su)
153 + $(use_with xattr attr)
154 + )
155 + econf "${myeconfargs[@]}"
156 +
157 + has_version 'sys-libs/uclibc[-rpc]' && sed -i '/RLOGIN/d' config.h #425052
158 +
159 + if use nls ; then
160 + local l langs="po" # These are the pot files.
161 + for l in ${LANGS[*]} ; do
162 + has ${l} ${LINGUAS-${l}} && langs+=" ${l}"
163 + done
164 + sed -i "/^SUBDIRS = /s:=.*:= ${langs}:" man/Makefile || die
165 + fi
166 +}
167 +
168 +set_login_opt() {
169 + local comment="" opt=$1 val=$2
170 + if [[ -z ${val} ]]; then
171 + comment="#"
172 + sed -i \
173 + -e "/^${opt}\>/s:^:#:" \
174 + "${ED}"/etc/login.defs || die
175 + else
176 + sed -i -r \
177 + -e "/^#?${opt}\>/s:.*:${opt} ${val}:" \
178 + "${ED}"/etc/login.defs
179 + fi
180 + local res=$(grep "^${comment}${opt}\>" "${ED}"/etc/login.defs)
181 + einfo "${res:-Unable to find ${opt} in /etc/login.defs}"
182 +}
183 +
184 +src_install() {
185 + emake DESTDIR="${D}" suidperms=4711 install
186 +
187 + # Remove libshadow and libmisc; see bug 37725 and the following
188 + # comment from shadow's README.linux:
189 + # Currently, libshadow.a is for internal use only, so if you see
190 + # -lshadow in a Makefile of some other package, it is safe to
191 + # remove it.
192 + rm -f "${ED}"/{,usr/}$(get_libdir)/lib{misc,shadow}.{a,la}
193 +
194 + insinto /etc
195 + if ! use pam ; then
196 + insopts -m0600
197 + doins etc/login.access etc/limits
198 + fi
199 +
200 + # needed for 'useradd -D'
201 + insinto /etc/default
202 + insopts -m0600
203 + doins "${FILESDIR}"/default/useradd
204 +
205 + if use split-usr ; then
206 + # move passwd to / to help recover broke systems #64441
207 + # We cannot simply remove this or else net-misc/scponly
208 + # and other tools will break because of hardcoded passwd
209 + # location
210 + dodir /bin
211 + mv "${ED}"/usr/bin/passwd "${ED}"/bin/ || die
212 + dosym ../../bin/passwd /usr/bin/passwd
213 + fi
214 +
215 + cd "${S}" || die
216 + insinto /etc
217 + insopts -m0644
218 + newins etc/login.defs login.defs
219 +
220 + set_login_opt CREATE_HOME yes
221 + if ! use pam ; then
222 + set_login_opt MAIL_CHECK_ENAB no
223 + set_login_opt SU_WHEEL_ONLY yes
224 + set_login_opt CRACKLIB_DICTPATH /usr/$(get_libdir)/cracklib_dict
225 + set_login_opt LOGIN_RETRIES 3
226 + set_login_opt ENCRYPT_METHOD SHA512
227 + set_login_opt CONSOLE
228 + else
229 + dopamd "${FILESDIR}"/pam.d-include/shadow
230 +
231 + for x in chsh shfn ; do
232 + newpamd "${FILESDIR}"/pam.d-include/passwd ${x}
233 + done
234 +
235 + newpamd "${FILESDIR}"/pam.d-include/shadow-r1 groupmems
236 +
237 + # comment out login.defs options that pam hates
238 + local opt sed_args=()
239 + for opt in \
240 + CHFN_AUTH \
241 + CONSOLE \
242 + CRACKLIB_DICTPATH \
243 + ENV_HZ \
244 + ENVIRON_FILE \
245 + FAILLOG_ENAB \
246 + FTMP_FILE \
247 + LASTLOG_ENAB \
248 + MAIL_CHECK_ENAB \
249 + MOTD_FILE \
250 + NOLOGINS_FILE \
251 + OBSCURE_CHECKS_ENAB \
252 + PASS_ALWAYS_WARN \
253 + PASS_CHANGE_TRIES \
254 + PASS_MIN_LEN \
255 + PORTTIME_CHECKS_ENAB \
256 + QUOTAS_ENAB \
257 + SU_WHEEL_ONLY
258 + do
259 + set_login_opt ${opt}
260 + sed_args+=( -e "/^#${opt}\>/b pamnote" )
261 + done
262 + sed -i "${sed_args[@]}" \
263 + -e 'b exit' \
264 + -e ': pamnote; i# NOTE: This setting should be configured via /etc/pam.d/ and not in this file.' \
265 + -e ': exit' \
266 + "${ED}"/etc/login.defs || die
267 +
268 + # remove manpages that pam will install for us
269 + # and/or don't apply when using pam
270 + find "${ED}"/usr/share/man -type f \
271 + '(' -name 'limits.5*' -o -name 'suauth.5*' ')' \
272 + -delete
273 +
274 + # Remove pam.d files provided by pambase.
275 + rm "${ED}"/etc/pam.d/{login,passwd} || die
276 + if use su ; then
277 + rm "${ED}"/etc/pam.d/su || die
278 + fi
279 + fi
280 +
281 + # Remove manpages that are handled by other packages
282 + find "${ED}"/usr/share/man \
283 + '(' -name id.1 -o -name passwd.5 -o -name getspnam.3 ')' \
284 + -delete
285 +
286 + cd "${S}" || die
287 + dodoc ChangeLog NEWS TODO
288 + newdoc README README.download
289 + cd doc || die
290 + dodoc HOWTO README* WISHLIST *.txt
291 +}
292 +
293 +pkg_preinst() {
294 + rm -f "${EROOT}"/etc/pam.d/system-auth.new \
295 + "${EROOT}/etc/login.defs.new"
296 +}
297 +
298 +pkg_postinst() {
299 + # Enable shadow groups.
300 + if [ ! -f "${EROOT}"/etc/gshadow ] ; then
301 + if grpck -r -R "${EROOT}" 2>/dev/null ; then
302 + grpconv -R "${EROOT}"
303 + else
304 + ewarn "Running 'grpck' returned errors. Please run it by hand, and then"
305 + ewarn "run 'grpconv' afterwards!"
306 + fi
307 + fi
308 +
309 + [[ ! -f "${EROOT}"/etc/subgid ]] &&
310 + touch "${EROOT}"/etc/subgid
311 + [[ ! -f "${EROOT}"/etc/subuid ]] &&
312 + touch "${EROOT}"/etc/subuid
313 +
314 + einfo "The 'adduser' symlink to 'useradd' has been dropped."
315 +}