#
# spec file for package shadow
#
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#

Summary:        Utilities to Manage User and Group Accounts
License:        BSD-3-Clause and GPL-2.0+
Group:          System/Base
Name:           shadow
Version:        4.2.1
Release:        13.1
Url:            http://pkg-shadow.alioth.debian.org/
Source:         http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz
Source1:        pamd.tar.bz2
Source2:        README.changes-pwdutils
Source3:        useradd.local
Source4:        userdel-pre.local
Source5:        userdel-post.local
Source6:        shadow.service
Source7:        shadow.timer
Patch:          shadow-login_defs.patch
Patch1:         userdel-script.patch
Patch2:         useradd-script.patch
Patch3:         chkname-regex.patch
Patch4:         useradd-default.patch
Patch5:         getdef-new-defs.patch
Patch6:         shadow-4.1.5.1-manfix.patch
Patch7:         shadow-4.1.5.1-logmsg.patch
Patch8:         shadow-4.1.5.1-errmsg.patch
Patch9:         shadow-4.1.5.1-backup-mode.patch
Patch10:        encryption_method_nis.patch
Patch11:        useradd-mkdirs.patch
Patch12:        shadow-4.1.5.1-audit-owner.patch
Patch13:        shadow-4.1.5.1-userdel-helpfix.patch
Patch14:        shadow-4.2.1-defs-chroot.patch
Patch15:        shadow-4.2.1-merge-group.patch
Patch16:        Fix-user-busy-errors-at-userdel.patch
Patch17:        shadow-4.1.5.1-id-alloc.patch
Patch18:        shadow-4.1.5.1-pam_group.patch
Patch19:        shadow-4.2.1-reset-tallylog.patch
Patch20:        shadow-4.2.1-unknown-settings-if-pam.patch
Patch21:        shadow-4.2.1-CVE-2017-12424.patch
Patch22:        CVE-2018-7169.patch
Requires:       aaa_base
BuildRequires:  audit-devel
BuildRequires:  docbook-xsl-stylesheets
BuildRequires:  docbook_4
BuildRequires:  libacl-devel
BuildRequires:  libattr-devel
BuildRequires:  libselinux-devel
BuildRequires:  libsemanage-devel
BuildRequires:  pam-devel
BuildRequires:  xml2po
BuildRequires:  xsltproc
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
PreReq:         permissions
Provides:       pwdutils = 3.2.20
Obsoletes:      pwdutils <= 3.2.19

%description
This package includes the necessary programs for converting plain
password files to the shadow password format and to manage user and
group accounts.

%prep
%setup -q -a 1
%patch -p0
%patch1 -p0
%patch2 -p0
%patch3 -p0
%patch4 -p0
%patch5 -p0
%patch6 -p0
%patch7 -p0
%patch8 -p0
%patch9 -p0
%patch10 -p0
%patch11 -p0
%patch12 -p0
%patch13 -p0
%patch14 -p0
%patch15 -p0
%patch16 -p0
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p0
%patch21 -p1
%patch22

iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
mv -v doc/HOWTO.utf8 doc/HOWTO

%build
export CFLAGS="$RPM_OPT_FLAGS -fpie"
export LDFLAGS="-pie"
%configure \
  --disable-shadowgrp \
  --enable-account-tools-setuid \
  --with-audit \
  --with-libpam \
  --with-sha-crypt \
  --with-acl \
  --with-attr \
  --with-nscd \
  --without-selinux \
  --without-libcrack \
  --disable-shared \
  --with-group-name-max-length=32 \
  --enable-man
make

%install
cp %SOURCE2 .
make install DESTDIR=$RPM_BUILD_ROOT gnulocaledir=$RPM_BUILD_ROOT/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs

# install useradd.local, userdel.local, ...
install -m 0755 %SOURCE3 $RPM_BUILD_ROOT/%{_sbindir}/
install -m 0755 %SOURCE4 $RPM_BUILD_ROOT/%{_sbindir}/
install -m 0755 %SOURCE5 $RPM_BUILD_ROOT/%{_sbindir}/
install -Dm644 %{S:6} %{buildroot}%{_unitdir}/shadow.service
install -Dm644 %{S:7} %{buildroot}%{_unitdir}/shadow.timer

# Remove binaries we don't use.
rm $RPM_BUILD_ROOT/%{_bindir}/groups
rm $RPM_BUILD_ROOT/%{_mandir}/man1/groups.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/groups.*
rm $RPM_BUILD_ROOT/%{_sbindir}/grpconv
rm $RPM_BUILD_ROOT/%{_mandir}/man8/grpconv.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/grpconv.*
rm $RPM_BUILD_ROOT/%{_sbindir}/grpunconv
rm $RPM_BUILD_ROOT/%{_mandir}/man8/grpunconv.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/grpunconv.*
rm $RPM_BUILD_ROOT/%{_sbindir}/groupmems
rm $RPM_BUILD_ROOT/%{_mandir}/man8/groupmems.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/groupmems.*
rm $RPM_BUILD_ROOT/etc/pam.d/groupmems
rm $RPM_BUILD_ROOT/%{_bindir}/login
rm $RPM_BUILD_ROOT/%{_mandir}/man1/login.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/login.*
rm $RPM_BUILD_ROOT/etc/pam.d/login
rm $RPM_BUILD_ROOT/%{_bindir}/su
rm $RPM_BUILD_ROOT/%{_mandir}/man1/su.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/su.*
rm $RPM_BUILD_ROOT/%{_mandir}/man5/suauth.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/suauth.*
rm $RPM_BUILD_ROOT/etc/pam.d/su
rm $RPM_BUILD_ROOT/%{_bindir}/faillog
rm $RPM_BUILD_ROOT/%{_mandir}/man5/faillog.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/faillog.*
rm $RPM_BUILD_ROOT/%{_mandir}/man8/faillog.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/faillog.*
rm $RPM_BUILD_ROOT/%{_sbindir}/logoutd
rm $RPM_BUILD_ROOT/%{_mandir}/man8/logoutd.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/logoutd.*
rm $RPM_BUILD_ROOT/%{_sbindir}/nologin
rm $RPM_BUILD_ROOT/%{_mandir}/man8/nologin.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/nologin.*
rm $RPM_BUILD_ROOT/%{_sbindir}/chgpasswd
rm $RPM_BUILD_ROOT/%{_mandir}/man8/chgpasswd.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/chgpasswd.*
rm $RPM_BUILD_ROOT/etc/pam.d/chgpasswd
rm $RPM_BUILD_ROOT/%{_mandir}/man3/getspnam.*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man3/getspnam.*
rm $RPM_BUILD_ROOT/%{_mandir}/man5/gshadow.5*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/gshadow.5*
rm $RPM_BUILD_ROOT/%{_mandir}/man5/passwd.5*
rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/passwd.5*
rm -rf $RPM_BUILD_ROOT%{_mandir}/{??,??_??}

%find_lang shadow

%clean
rm -rf $RPM_BUILD_ROOT

%pre
%service_add_pre shadow.service shadow.timer

%post
%set_permissions /usr/bin/chage
%set_permissions /usr/bin/chfn
%set_permissions /usr/bin/chsh
%set_permissions /usr/bin/expiry
%set_permissions /usr/bin/gpasswd
%set_permissions /usr/bin/newgrp
%set_permissions /usr/bin/passwd
%set_permissions /usr/bin/newgidmap
%set_permissions /usr/bin/newuidmap
%service_add_post shadow.service shadow.timer

%verifyscript
%verify_permissions /usr/bin/chage
%verify_permissions /usr/bin/chfn
%verify_permissions /usr/bin/chsh
%verify_permissions /usr/bin/expiry
%verify_permissions /usr/bin/gpasswd
%verify_permissions /usr/bin/newgrp
%verify_permissions /usr/bin/passwd
%verify_permissions /usr/bin/newgidmap
%verify_permissions /usr/bin/newuidmap

%preun
%service_del_preun shadow.service shadow.timer

%postun
%service_del_postun shadow.service shadow.timer

%files -f shadow.lang
%defattr(-,root,root)
%doc NEWS doc/HOWTO README README.changes-pwdutils
%attr(0644,root,root) %config %{_sysconfdir}/login.defs
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/default/useradd
%config /etc/pam.d/chage
%config /etc/pam.d/chfn
%config /etc/pam.d/chsh
%config /etc/pam.d/passwd
%config /etc/pam.d/useradd
%config /etc/pam.d/chpasswd
%config /etc/pam.d/groupadd
%config /etc/pam.d/groupdel
%config /etc/pam.d/groupmod
%config /etc/pam.d/newusers
%config /etc/pam.d/userdel
%config /etc/pam.d/usermod
%verify(not mode) %attr(2755,root,shadow) %{_bindir}/chage
%verify(not mode) %attr(4755,root,shadow) %{_bindir}/chfn
%verify(not mode) %attr(4755,root,shadow) %{_bindir}/chsh
%verify(not mode) %attr(4755,root,shadow) %{_bindir}/expiry
%verify(not mode) %attr(4755,root,shadow) %{_bindir}/gpasswd
%verify(not mode) %attr(4755,root,root) %{_bindir}/newgrp
%verify(not mode) %attr(4755,root,shadow) %{_bindir}/passwd
%verify(not mode) %attr(0755,root,shadow) %{_bindir}/newgidmap
%verify(not mode) %attr(0755,root,shadow) %{_bindir}/newuidmap
%{_bindir}/lastlog
%{_bindir}/sg
%{_sbindir}/groupadd
%{_sbindir}/groupdel
%{_sbindir}/groupmod
%{_sbindir}/grpck
%{_sbindir}/pwck
%{_sbindir}/useradd
%{_sbindir}/userdel
%{_sbindir}/usermod
%{_sbindir}/pwconv
%{_sbindir}/pwunconv
%{_sbindir}/chpasswd
%{_sbindir}/newusers
%{_sbindir}/vipw
%{_sbindir}/vigr
%verify(not md5 size mtime) %config(noreplace) %{_sbindir}/useradd.local
%verify(not md5 size mtime) %config(noreplace) %{_sbindir}/userdel-pre.local
%verify(not md5 size mtime) %config(noreplace) %{_sbindir}/userdel-post.local
%{_mandir}/man1/chage.1*
%{_mandir}/man1/chfn.1*
%{_mandir}/man1/chsh.1*
%{_mandir}/man1/expiry.1*
%{_mandir}/man1/gpasswd.1*
%{_mandir}/man1/newgrp.1*
%{_mandir}/man1/passwd.1*
%{_mandir}/man1/sg.1*
%{_mandir}/man3/shadow.3*
%{_mandir}/man5/login.defs.5*
%{_mandir}/man5/shadow.5*
%{_mandir}/man8/chpasswd.8*
%{_mandir}/man8/groupadd.8*
%{_mandir}/man8/groupdel.8*
%{_mandir}/man8/groupmod.8*
%{_mandir}/man8/grpck.8*
%{_mandir}/man8/lastlog.8*
%{_mandir}/man8/newusers.8*
%{_mandir}/man8/pwck.8*
%{_mandir}/man8/pwconv.8*
%{_mandir}/man8/pwunconv.8*
%{_mandir}/man8/useradd.8*
%{_mandir}/man8/userdel.8*
%{_mandir}/man8/usermod.8*
%{_mandir}/man8/vigr.8*
%{_mandir}/man8/vipw.8*
%{_mandir}/man5/subuid.5*
%{_mandir}/man5/subgid.5*
%{_mandir}/man1/newgidmap.1*
%{_mandir}/man1/newuidmap.1*
%{_unitdir}/*

%changelog
* Fri Feb 16 2018 kbabioch@suse.com
- Added CVE-2018-7169.patch: Fixed a privilege escalation in newgidmap,
  which allowed an unprivileged user to be placed in a user namespace where
  setgroups(2) is allowed. (CVE-2018-7169 bsc#1081294)
* Fri Sep 8 2017 mvetter@suse.com
- bsc#1052261: shadow-4.2.1-CVE-2017-12424.patch
  Fix buffer overflow if NULL line is present in db
* Fri Sep 1 2017 mvetter@suse.com
- bsc#1023895
  * man page contained invalid options because they depend on
    compile flags and we shipped pre built ones.
    New BuildRequires: docbook-xsl-stylesheets docbook_4 xml2po xsltproc
  * shadow-4.2.1-unknown-settings-if-pam.patch
    Additionally we need this patch, which is included from 4.3.0 onward,
    so the tools don't complain about these options.
* Thu Aug 31 2017 mvetter@suse.com
- bsc#980486: shadow-4.2.1-reset-tallylog.patch
  Reset user in /var/log/tallylog because we use pam_tally2 and not
  faillog anymore.
* Thu Apr 6 2017 adam.majer@suse.de
- bsc#1031643: shadow-4.1.5.1-pam_group.patch
  dynamically added users via pam_group are not listed in groups
  databases but are still valid.
* Wed Nov 30 2016 adam.majer@suse.de
- bsc#1003978: shadow-4.1.5.1-id-alloc.patch
  useradd and groupadd performance fix when using SSSD
  Previously the entire possible UID/GID is iterated to find an
  available UID/GID. This can take a long time over a network device.
  Instead, find available UID/GID locally, and then check only those
  values over network.
* Wed Oct 19 2016 mvetter@suse.com
- bsc#1002975: Use permissions according to permissions package
  and don't try to manipulate them in %%files section.
* Wed Sep 14 2016 mvetter@suse.com
- boo#994486: Include shadow.5 manpage
  Previously this was provided by man-pages package in the
  man-pages-addons tarball which got removed later on.
* Tue May 31 2016 mvetter@suse.com
- Add package dependency for aaa_base, fixing bnc#899409
  (was done by tbehrens@suse.com but not submitted to Factory)
* Mon May 30 2016 mvetter@suse.com
- shadow 4.2.1 requested by fate#320422
- bsc#979069: Don't include shadow-4.1.5.1-bug935203-manpage.patch
- Don't set SUID bit yet. Once bsc#979282 is through, which will
  adapt the permissions package, we can enable the SUID bits.
  Remove the files used to circumvent the check.
- Remove:
  * shadow-rpmlintrc
  * shadow-subids
  * shadow-subids.easy
  * shadow-subids.secure
  * shadow-subids.paranoid
* Thu May 19 2016 christian.brauner@mailbox.org
- Update to shadow-4.2.1:
  - add support for subuids/subgids via newuidmap/newgidmap
- Rename chkname-regex.diff to chkname-regex.patch
- Rename encryption_method_nis.diff to encryption_method_nis.patch
- Rename getdef-new-defs.diff to getdef-new-defs.patch
- Rename shadow-login_defs.diff to shadow-login_defs.patch
- Rename userdel-scripts.diff to userdel-script.patch
- Rename useradd-script.diff to useradd-script.patch
- Rename useradd-default.diff to useradd-default.patch
- Rename useradd-mkdirs.diff to useradd-mkdirs.patch
- Add fixes from Red Hat/Fedora:
  - shadow-4.1.5.1-audit-owner.patch.patch:
    - log owner changes for home directory
  - shadow-4.1.5.1-userdel-helpfix.patch.patch:
    - give a hint about what happens when you force the removal of a user
  - shadow-4.2.1-defs-chroot.patch.patch:
    - initialize uid_t uid_min and uid_t uid_max not before we need them
  - shadow-4.2.1-merge-group.patch.patch:
    - simplify by using a single call to snprintf()
- Add upstream fix
  - Fix-user-busy-errors-at-userdel.patch:
    - call sub_uid_close()
* Fri Jan 15 2016 fvogt@suse.com
- Moved call from %%verifyscript into %%post:
  * Caused call to %%service_add_post shadow.service shadow.timer
    during rpm -qV shadow
* Wed Jul 15 2015 jkeil@suse.de
- Add systemd unit files to continuously check password & groupfile integrity
  * Idea from Arch Linux
  * pending request to systemd-presets-branding-openSUSE to enable by default
* Mon Mar 31 2014 tbehrens@suse.com
- Add patch useradd-mkdirs.diff: fix for bnc#865563, create all
  parts of the path
* Fri Nov 22 2013 werner@suse.de
- Stop any systemd user manager instance in case a user entry
  will be deleted (bnc#849870). Nevertheless a running process
  requires the option --force for the userdel command.
* Tue Nov 12 2013 kukuk@suse.de
- Add ENCRYPT_METHOD_NIS for pam_unix.so (encryption_method_nis.diff)
* Tue Sep 17 2013 kukuk@suse.de
- Add some fixes from Fedora:
  - shadow-4.1.5.1-backup-mode.patch: open backup file with correct
    permissions.
  - shadow-4.1.5.1-logmsg.patch: fix error message
  - shadow-4.1.5.1-errmsg.patch: print error reason
  - shadow-4.1.5.1-manfix.patch: fix manual page
* Tue Feb 5 2013 kukuk@suse.de
- Cleanup login.defs and enable ENCRYPT_METHOD [bnc#802006]
* Tue Nov 13 2012 kukuk@suse.de
- Fix getdef default variables (getdef-new-defs.diff)
* Tue Nov 13 2012 kukuk@suse.de
- Fix default group value in /etc/default/useradd (useradd-default.diff)
* Thu Sep 27 2012 kukuk@suse.de
- Implement CHARACTER_CLASS support (chkname-regex.diff)
* Wed Sep 26 2012 kukuk@suse.de
- Add support for useradd.local (useradd-script.diff)
* Tue Sep 25 2012 kukuk@suse.de
- Fix spec file
- Adjust login.defs (shadow-login_defs.diff)
- Add userdel*.local script support and scripts (userdel-scripts.diff)
* Mon Sep 24 2012 kukuk@suse.de
- Initial package [FATE#314473]