Re: Freeze exception for shadow
Hello,
Here is the patch I would like to get accepted:
debian/patches/300_SHA_crypt_method | 36 +
debian/patches/301_manpages_missing_options | 197 ++++++++++
shadow-4.1.1/debian/changelog | 26 +
shadow-4.1.1/debian/login.defs | 36 +
shadow-4.1.1/debian/patches/008_su_get_PAM_username | 23 -
shadow-4.1.1/debian/patches/406_vipw_resume_properly | 2
shadow-4.1.1/debian/patches/414_remove-unwise-advices | 10
shadow-4.1.1/debian/patches/434_login_stop_checking_args_after-- | 4
shadow-4.1.1/debian/patches/487_passwd_chauthtok_failed_message | 2
shadow-4.1.1/debian/patches/491_configure.in_friendly_selinux_detection | 2
shadow-4.1.1/debian/patches/series | 2
11 files changed, 325 insertions(+), 15 deletions(-)
Compared to my previous mail, I added some comments in /etc/login.defs.
300_SHA_crypt_method is the only code change. Other changes are
documentation.
Can I upload it?
The full diff is attached.
Thanks in advance,
--
Nekral
diff -u shadow-4.1.1/debian/login.defs shadow-4.1.1/debian/login.defs
--- shadow-4.1.1/debian/login.defs
+++ shadow-4.1.1/debian/login.defs
@@ -176,12 +176,18 @@
#
UID_MIN 1000
UID_MAX 60000
+# System accounts
+#SYS_UID_MIN 100
+#SYS_UID_MAX 999
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 100
GID_MAX 60000
+# System accounts
+#SYS_GID_MIN 100
+#SYS_GID_MAX 999
#
# Max number of login retries if password is bad. This will most likely be
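Review bot: The commented defaults "#SYS_GID_MIN 100" / "#SYS_GID_MAX 999" overlap the regular group range, which starts at "GID_MIN 100" two lines above, so an administrator who uncomments them as shown gets system and ordinary groups sharing GIDs 100-999, whereas the UID side is disjoint ("UID_MIN 1000" versus "#SYS_UID_MAX 999"). Either state in the comment that this overlap is intended for Debian and how groupadd resolves it, or show a non-overlapping example value so the two sections read consistently.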
@@ -266,8 +272,38 @@
#
# This variable is used by chpasswd, gpasswd and newusers.
#
+# This variable is deprecated. You should use ENCRYPT_METHOD.
+#
#MD5_CRYPT_ENAB no
+#
+# If set to MD5 , MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+# Overrides the MD5_CRYPT_ENAB option
+#
+# Note: It is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+#ENCRYPT_METHOD DES
+
+#
+# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512.
+#
+# Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute forcing the password.
+# But note also that it more CPU resources will be needed to authenticate
+# users.
+#
+# If not specified, the libc will choose the default number of rounds (5000).
+# The values must be inside the 1000-999999999 range.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+# SHA_CRYPT_MIN_ROUNDS 5000
+# SHA_CRYPT_MAX_ROUNDS 5000
+
################# OBSOLETED BY PAM ##############
# #
# These options are now handled by PAM. Please #
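Review bot: Several of the new comment lines ship verbatim into /etc/login.defs and need a grammar pass before upload: "If set to MD5 , MD5-based algorithm will be used" has a stray space before the comma and is missing "the" ("the MD5-based algorithm"), "it is more difficult to brute forcing the password" should read "to brute force the password", and "But note also that it more CPU resources will be needed" should drop the "it". Also, the sample lines "# SHA_CRYPT_MIN_ROUNDS 5000" / "# SHA_CRYPT_MAX_ROUNDS 5000" use a "# NAME" form while "#ENCRYPT_METHOD DES" above uses "#NAME"; use one convention so that uncommenting any of them works the same way.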
diff -u shadow-4.1.1/debian/changelog shadow-4.1.1/debian/changelog
--- shadow-4.1.1/debian/changelog
+++ shadow-4.1.1/debian/changelog
@@ -1,3 +1,29 @@
+shadow (1:4.1.1-2) UNRELEASED; urgency=low
+
+ * The "Brie de Meaux" and "Brie de Melun" double cheese release.
+ * Backported patches from upstream
+ - debian/patches/300_SHA_crypt_method:
+ This fixes bugs in the SHA encryption method that force the salt to have
+ 8 bytes (instead of a random length between 8 and 16 bytes), and force
+ the number of SHA rounds to be equal to the lowest limit (at least 1000
+ SHA rounds).
+ - debian/patches/301_manpages_missing_options:
+ This add the missing documentation of options in useradd, groupadd, and
+ newusers.
+ * Tag patches already applied upstream
+ - debian/patches/487_passwd_chauthtok_failed_message
+ - debian/patches/406_vipw_resume_properly
+ - debian/patches/008_su_get_PAM_username
+ - debian/patches/491_configure.in_friendly_selinux_detection
+ - debian/patches/434_login_stop_checking_args_after--
+ - debian/patches/414_remove-unwise-advices
+ * Added description of new variables in /etc/login.defs:
+ - SYS_UID_MIN, SYS_UID_MAX, SYS_GID_MIN, SYS_GID_MAX
+ - ENCRYPT_METHOD
+ - SHA_CRYPT_MIN_ROUNDS, SHA_CRYPT_MAX_ROUNDS
+
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> Wed, 21 May 2008 22:13:49 +0200
+
shadow (1:4.1.1-1) unstable; urgency=low
* New upstream release. This closes the following bugs:
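Review bot: The distribution field still reads "shadow (1:4.1.1-2) UNRELEASED; urgency=low" and has to become unstable at upload time, otherwise the package will be rejected. Minor wording in the same entry: "This add the missing documentation of options" should be "This adds".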
diff -u shadow-4.1.1/debian/patches/487_passwd_chauthtok_failed_message shadow-4.1.1/debian/patches/487_passwd_chauthtok_failed_message
--- shadow-4.1.1/debian/patches/487_passwd_chauthtok_failed_message
+++ shadow-4.1.1/debian/patches/487_passwd_chauthtok_failed_message
@@ -4,7 +4,7 @@
Fixes: #352137
-Status wrt upstream: not forwarded yet
+Status wrt upstream: Applied upstream.
Index: shadow-4.1.0/libmisc/pam_pass.c
===================================================================
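Review bot: The retagged status lines are spelled differently from patch to patch ("Applied upstream.", "Fixed upstream", "Applied upstream", "Already applied upstream."); pick one wording for all six headers so they can be found with a single grep when the next upstream release is imported, and preferably name the upstream version that contains the fix so it is clear when each patch can be dropped.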
diff -u shadow-4.1.1/debian/patches/series shadow-4.1.1/debian/patches/series
--- shadow-4.1.1/debian/patches/series
+++ shadow-4.1.1/debian/patches/series
@@ -30,0 +31,2 @@
+300_SHA_crypt_method
+301_manpages_missing_options
diff -u shadow-4.1.1/debian/patches/406_vipw_resume_properly shadow-4.1.1/debian/patches/406_vipw_resume_properly
--- shadow-4.1.1/debian/patches/406_vipw_resume_properly
+++ shadow-4.1.1/debian/patches/406_vipw_resume_properly
@@ -4,7 +4,7 @@
Author: dean gaudet <dean@arctic.org>
-Status wrt upstream: should be forwarded
+Status wrt upstream: Fixed upstream
Index: shadow-4.1.0/src/vipw.c
===================================================================
diff -u shadow-4.1.1/debian/patches/008_su_get_PAM_username shadow-4.1.1/debian/patches/008_su_get_PAM_username
--- shadow-4.1.1/debian/patches/008_su_get_PAM_username
+++ shadow-4.1.1/debian/patches/008_su_get_PAM_username
@@ -1,9 +1,22 @@
-Goal: ???
+Goal: Retrieve the PAM username in case a module changed the PAM_USER
+ item.
-Notes:
- * It still needs more investigation.
- I don't know what this patch is used for. IMO, the user name is
- already known before calling pam_get_item(pamh, PAM_USER, ...)
+According to Linux-PAM_ADG:
+ * Note, modules can change the values of PAM_USER and PAM_RUSER during
+ any of the pam_*() library calls. For this reason, the application
+ should take care to use the pam_get_item() every time it wishes to
+ establish who the authenticated user is (or will currently be).
+
+PAM_USER description:
+
+ The username of the entity under whose identity service will be given. That
+ is, following authentication, PAM_USER identifies the local entity that
+ gets to use the service. Note, this value can be mapped from something
+ (eg., "anonymous") to something else (eg. "guest119") by any module in the
+ PAM stack. As such an application should consult the value of PAM_USER
+ after each call to a PAM function.
+
+See also: https://www.redhat.com/archives/pam-list/2008-May/msg00009.html
Index: shadow-4.1.0/src/su.c
===================================================================
diff -u shadow-4.1.1/debian/patches/491_configure.in_friendly_selinux_detection shadow-4.1.1/debian/patches/491_configure.in_friendly_selinux_detection
--- shadow-4.1.1/debian/patches/491_configure.in_friendly_selinux_detection
+++ shadow-4.1.1/debian/patches/491_configure.in_friendly_selinux_detection
@@ -5,7 +5,7 @@
Author: Mike Frysinger <vapier@gentoo.org>
-Status wrt upstream: reported by Mike, not applied yet
+Status wrt upstream: Fixed upstream.
Index: shadow-4.1.0/configure.in
===================================================================
diff -u shadow-4.1.1/debian/patches/434_login_stop_checking_args_after-- shadow-4.1.1/debian/patches/434_login_stop_checking_args_after--
--- shadow-4.1.1/debian/patches/434_login_stop_checking_args_after--
+++ shadow-4.1.1/debian/patches/434_login_stop_checking_args_after--
@@ -1,9 +1,7 @@
Goal: terminate argument validation in login when it hits a '--'.
Fixes: #66368
-Status wrt upstream: It could certainly be submitted to upstream.
- Upstream comment: "Better will be rewrite login
- for use getopt_long()."
+Status wrt upstream: Applied upstream.
Index: shadow-4.1.0/src/login.c
===================================================================
diff -u shadow-4.1.1/debian/patches/414_remove-unwise-advices shadow-4.1.1/debian/patches/414_remove-unwise-advices
--- shadow-4.1.1/debian/patches/414_remove-unwise-advices
+++ shadow-4.1.1/debian/patches/414_remove-unwise-advices
@@ -1,7 +1,7 @@
Goal: Remove quite unwise password choice advices in passwd manpage
Fixes: #386818
-Status wrt upstream: Forwarded without patch but ignored up to now
+Status wrt upstream: Applied upstream
Note:
@@ -9,14 +9,16 @@
===================================================================
--- shadow-4.1.0.orig/man/passwd.1.xml
+++ shadow-4.1.0/man/passwd.1.xml
-@@ -114,35 +114,9 @@
+@@ -113,36 +113,10 @@
+ </para>
<para>
- Your password must be easily remembered so that you will not be forced
+- Your password must be easily remembered so that you will not be forced
- to write it on a piece of paper. This can be accomplished by
- appending two small words together and separating each with a
- special character or digit. For example, Pass%word.
-+ to write it on a piece of paper.
++ You can find advices on how to choose a strong password on
++ http://en.wikipedia.org/wiki/Password_strength
</para>
- <para>
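Review bot: The replacement sentence "You can find advices on how to choose a strong password on" should use "advice" (uncountable in English). The URL on the following line is inserted as bare text into the DocBook source; if the other man page sources wrap links in a ulink element, do the same here so the HTML output gets a proper hyperlink. The refreshed hunk header ("-113,36 +113,10") is fine, just confirm the patch still applies cleanly with quilt after the context change.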
only in patch2:
unchanged:
--- shadow-4.1.1.orig/debian/patches/300_SHA_crypt_method
+++ shadow-4.1.1/debian/patches/300_SHA_crypt_method
@@ -0,0 +1,36 @@
+Goal: Fix bugs in the SHA encryption method that force the salt to have 8
+ bytes (instead of a random length between 8 and 16 bytes), and force
+ the number of SHA rounds to be equal to the lowest limit (at least
+ 1000 SHA rounds).
+
+Status wrt upstream: Already applied upstream.
+
+Index: shadow-4.1.1/libmisc/salt.c
+===================================================================
+--- shadow-4.1.1.orig/libmisc/salt.c 2008-02-03 18:23:31.000000000 +0100
++++ shadow-4.1.1/libmisc/salt.c 2008-05-21 22:24:32.734281067 +0200
+@@ -90,9 +90,10 @@
+ */
+ static unsigned int SHA_salt_size (void)
+ {
+- double rand_rounds = 9 * random ();
+- rand_rounds /= RAND_MAX;
+- return 8 + rand_rounds;
++ double rand_size;
++ seedRNG ();
++ rand_size = (double) 9.0 * random () / RAND_MAX;
++ return 8 + rand_size;
+ }
+
+ /* ! Arguments evaluated twice ! */
+@@ -131,8 +132,8 @@
+ if (min_rounds > max_rounds)
+ max_rounds = min_rounds;
+
+- srand (time (NULL));
+- rand_rounds = (max_rounds-min_rounds+1) * random ();
++ seedRNG ();
++ rand_rounds = (double) (max_rounds-min_rounds+1.0) * random ();
+ rand_rounds /= RAND_MAX;
+ rounds = min_rounds + rand_rounds;
+ } else if (0 == *prefered_rounds)
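Review bot: In the new SHA_salt_size, "rand_size = (double) 9.0 * random () / RAND_MAX;" evaluates to exactly 9.0 when random () returns RAND_MAX, so "return 8 + rand_size;" can produce a 17-byte salt although the goal text promises 8 to 16 bytes; the rounds hunk has the same edge, where "(max_rounds-min_rounds+1.0) * random ()" divided by RAND_MAX reaches max_rounds + 1. Dividing by (RAND_MAX + 1.0) instead keeps both results inside the intended range (the "(double)" cast on the literal 9.0 is also redundant). Separately, the backport drops "srand (time (NULL))" in favour of seedRNG (), which this patch does not define; confirm that seedRNG is already present in libmisc/salt.c of 4.1.1 so the build links and the generator is still seeded before the first random () call.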
only in patch2:
unchanged:
--- shadow-4.1.1.orig/debian/patches/301_manpages_missing_options
+++ shadow-4.1.1/debian/patches/301_manpages_missing_options
@@ -0,0 +1,197 @@
+Goal: Add missing documentation of options in useradd, groupadd and
+ newusers
+
+Status wrt upstream: Already applied.
+
+Index: shadow-4.1.1/man/useradd.8.xml
+===================================================================
+--- shadow-4.1.1.orig/man/useradd.8.xml 2008-05-21 22:44:47.654281023 +0200
++++ shadow-4.1.1/man/useradd.8.xml 2008-05-21 23:04:47.679903645 +0200
+@@ -189,23 +189,25 @@
+ </varlistentry>
+ <varlistentry>
+ <term>
+- <option>-m</option>, <option>--create-home</option>
++ <option>-k</option>, <option>--skel</option>
++ <replaceable>SKEL_DIR</replaceable>
+ </term>
+ <listitem>
+ <para>
+- The user's home directory will be created if it does not exist.
+- The files contained in <replaceable>SKEL_DIR</replaceable> will
+- be copied to the home directory if the <option>-k</option>
+- option is used, otherwise the files contained in
+- <filename>/etc/skel</filename> will be used instead. Any
+- directories contained in <replaceable>SKEL_DIR</replaceable> or
+- <filename>/etc/skel</filename> will be created in the user's
+- home directory as well. The <option>-k</option> option is only
+- valid in conjunction with the <option>-m</option> option. The
+- default is to not create the directory and to not copy any
+- files.
+- This option may not function correctly if the username has a / in it.
++ The skeleton directory, which contains files and directories
++ to be copied in the user's home directory, when the home
++ directory is created by <command>useradd</command>.
++ </para>
++ <para>
++ This option is only valid if the <option>-m</option> (or
++ <option>--create-home</option>) option is specified.
+ </para>
++ <para>
++ If this option is not set, the skeleton directory is defined
++ in <filename>/etc/default/useradd</filename> or, by default,
++ <filename>/etc/skel</filename>.
++ </para>
++ <para>This option may not function correctly if the username has a / in it.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+@@ -255,6 +257,22 @@
+ </varlistentry>
+ <varlistentry>
+ <term>
++ <option>-m</option>, <option>--create-home</option>
++ </term>
++ <listitem>
++ <para>
++ Create the user's home directory if it does not exist.
++ The files and directories contained in the skeleton directory
++ (which can be defined with the <option>-k</option> option)
++ will be copied to the home directory.
++ </para>
++ <para>
++ By default, no home directories are created.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
+ <option>-N</option>, <option>--no-user-group</option>
+ </term>
+ <listitem>
+@@ -295,6 +313,25 @@
+ </varlistentry>
+ <varlistentry>
+ <term>
++ <option>-r</option>, <option>--system</option>
++ </term>
++ <listitem>
++ <para>
++ Create a system account.
++ </para>
++ <para>
++ System users will be created with no aging information in
++ <filename>/etc/shadow</filename>, and their numeric
++ identifiers are choosen in the
++ <option>SYS_UID_MIN</option>-<option>SYS_UID_MAX</option>
++ range, defined in <filename>login.defs</filename>, instead of
++ <option>UID_MIN</option>-<option>UID_MAX</option> (and their
++ <option>GID</option> counterparts for the creation of groups).
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
+ <option>-s</option>, <option>--shell</option>
+ <replaceable>SHELL</replaceable>
+ </term>
+Index: shadow-4.1.1/man/groupadd.8.xml
+===================================================================
+--- shadow-4.1.1.orig/man/groupadd.8.xml 2008-02-25 22:14:56.000000000 +0100
++++ shadow-4.1.1/man/groupadd.8.xml 2008-05-21 22:44:47.702280863 +0200
+@@ -126,6 +126,22 @@
+ </para>
+ </listitem>
+ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>-r</option>, <option>--system</option>
++ </term>
++ <listitem>
++ <para>
++ Create a system group.
++ </para>
++ <para>
++ The numeric identifiers of new system groups are choosen in
++ the <option>SYS_GID_MIN</option>-<option>SYS_GID_MAX</option>
++ range, defined in <filename>login.defs</filename>, instead of
++ <option>GID_MIN</option>-<option>GID_MAX</option>.
++ </para>
++ </listitem>
++ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+Index: shadow-4.1.1/man/newusers.8.xml
+===================================================================
+--- shadow-4.1.1.orig/man/newusers.8.xml 2008-02-25 22:14:56.000000000 +0100
++++ shadow-4.1.1/man/newusers.8.xml 2008-05-21 22:44:47.702280863 +0200
+@@ -94,6 +94,68 @@
+ </para>
+ </refsect1>
+
++ <refsect1 id='options'>
++ <title>OPTIONS</title>
++ <para>The options which apply to the <command>newusers</command> command are:
++ </para>
++ <variablelist remap='IP'>
++ <varlistentry>
++ <term><option>-c</option>, <option>--crypt-method</option></term>
++ <listitem>
++ <para>Use the specified method to encrypt the passwords.</para>
++ <para>
++ The available methods are DES, MD5, NONE, and SHA256 or SHA512
++ if your libc support these methods.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>-r</option>, <option>--system</option>
++ </term>
++ <listitem>
++ <para>
++ Create a system account.
++ </para>
++ <para>
++ System users will be created with no aging information in
++ <filename>/etc/shadow</filename>, and their numeric
++ identifiers are choosen in the
++ <option>SYS_UID_MIN</option>-<option>SYS_UID_MAX</option>
++ range, defined in <filename>login.defs</filename>, instead of
++ <option>UID_MIN</option>-<option>UID_MAX</option> (and their
++ <option>GID</option> counterparts for the creation of groups).
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry condition="sha_crypt">
++ <term><option>-s</option>, <option>--sha-rounds</option></term>
++ <listitem>
++ <para>
++ Use the specified number of rounds to encrypt the passwords.
++ </para>
++ <para>
++ The value 0 means that the system will choose the default
++ number of rounds for the crypt method (5000).
++ </para>
++ <para>
++ A minimal value of 1000 and a maximal value of 999,999,999
++ will be enforced.
++ </para>
++ <para>
++ You can only use this option with the SHA256 or SHA512
++ crypt method.
++ </para>
++ <para>
++ By default, the number of rounds is defined by the
++ SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in
++ <filename>/etc/login.defs</filename>.
++ </para>
++ </listitem>
++ </varlistentry>
++ </variablelist>
++ </refsect1>
++
+ <refsect1 id='caveats'>
+ <title>CAVEATS</title>
+ <para>
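Review bot: "choosen" should be "chosen" in all three new -r/--system entries (useradd, groupadd and newusers: "identifiers are choosen in the"), and in the newusers -c entry "if your libc support these methods" should read "supports". In the reworked useradd -k text, "to be copied in the user's home directory" reads better as "copied into". The numeric limits in the newusers -s entry (default 5000, range 1000 to 999,999,999) match the new login.defs comments, which is good; keep them in sync if either side changes.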