From: Koen Kooi <k.kooi@student.utwente.nl>
To: openembedded-devel@lists.openembedded.org
Subject: Re: [PATCH][STABLE] shadow: Add version 4.1.4.2 and checksum.
Date: Mon, 22 Mar 2010 13:35:43 +0100
Message-ID: <ho7o6u$nb2$10@dough.gmane.org>
In-Reply-To: <1269256016-13155-3-git-send-email-marcin@juszkiewicz.com.pl>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Acked-by: Koen Kooi <koen@openembedded.org>
On 22-03-10 12:06, Marcin Juszkiewicz wrote:
> From: David-John Willis <John.Willis@Distant-earth.com>
>
> * This version now has Linux-PAM support enabled in OE so will need some testing and maybe a little tweaking.
> * Add pam.d config files for common shadow utils in addition to the default ones.
> * Cleanup shadow defaults and make shadow 'play nice' with PAM.
> * Update pam.d service files to suggested upstream Linux-PAM layout.
> * TODO: Some Shadow default session files still use the older layout (include system-auth for everything). These will need newer files to be added to the pam.d folder in the recipe as they are found.
> ---
> conf/checksums.ini | 8 +++
> recipes/shadow/files/login_defs_pam.sed | 25 +++++++++
> recipes/shadow/files/pam.d/chfn | 14 +++++
> recipes/shadow/files/pam.d/chpasswd | 4 ++
> recipes/shadow/files/pam.d/chsh | 19 +++++++
> recipes/shadow/files/pam.d/login | 91 +++++++++++++++++++++++++++++++
> recipes/shadow/files/pam.d/newusers | 4 ++
> recipes/shadow/files/pam.d/passwd | 5 ++
> recipes/shadow/files/pam.d/su | 60 ++++++++++++++++++++
> recipes/shadow/shadow_4.1.4.2.bb | 52 ++++++++++++++++++
> 10 files changed, 282 insertions(+), 0 deletions(-)
> create mode 100644 recipes/shadow/files/login_defs_pam.sed
> create mode 100644 recipes/shadow/files/pam.d/chfn
> create mode 100644 recipes/shadow/files/pam.d/chpasswd
> create mode 100644 recipes/shadow/files/pam.d/chsh
> create mode 100644 recipes/shadow/files/pam.d/login
> create mode 100644 recipes/shadow/files/pam.d/newusers
> create mode 100644 recipes/shadow/files/pam.d/passwd
> create mode 100644 recipes/shadow/files/pam.d/su
> create mode 100644 recipes/shadow/shadow_4.1.4.2.bb
>
> diff --git a/conf/checksums.ini b/conf/checksums.ini
> index 08166db..fa8d4b9 100644
> --- a/conf/checksums.ini
> +++ b/conf/checksums.ini
> @@ -24126,6 +24126,10 @@ sha256=7dc418c1d361123ffc5e45d61f1b97257940a8eb35d0bfbbc493381cc5b1f959
> md5=45f77f33a6b2a5c09c28511ebb733b87
> sha256=7fd6495d6c3e8dac7ba086c68abed4930c958a94afc15359223074614559e462
>
> +[ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-4.1.4.2.tar.bz2]
> +md5=d593a9cab93c48ee0a6ba056db8c1997
> +sha256=97987f6a7967a85e6aa0dba2a1d52db8bd69af5a717391de5693db768fb78990
> +
> [ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-4.1.4.tar.gz]
> md5=e1072df927bfb4410ee4dfe26dd81a17
> sha256=7e38a7826f6e71e89b55669e8343af05ae33ecfba99aad178cad45845d950a93
> @@ -29906,6 +29910,10 @@ sha256=86b176b6efc52557b1c7631bfdd5c17e7060a438e1e85ce15ec9657be356c50b
> md5=11080456822146ebc0118b15f4b911d9
> sha256=6b5b3ef58e6646f004a5f1cbc6be8f32b824cfbf78a30bf242e4f07083668770
>
> +[ftp://ftp.x.org/R5contrib/xloadimage.4.1.tar.gz]
> +md5=7331850fc04056ab8ae6b5725d1fb3d2
> +sha256=400bc7d84dcfb3265a7a1ce51819679dc3adaeda231514bd89b0f932b78ff5c4
> +
> [http://xorg.freedesktop.org/releases/individual/app/xlogo-1.0.1.tar.bz2]
> md5=4c5482552f38a7d42398a694cc9b2ee6
> sha256=de59f9be3d45fe93f445f39bec3cea09753a671e56863ce77e3a797d2df526b2
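Review bot: the second conf/checksums.ini hunk adds an entry for xloadimage.4.1.tar.gz, which is unrelated to shadow and is not mentioned in the commit message. Move it to the commit that touches the xloadimage recipe so this patch carries only the shadow-4.1.4.2 checksum.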
> diff --git a/recipes/shadow/files/login_defs_pam.sed b/recipes/shadow/files/login_defs_pam.sed
> new file mode 100644
> index 0000000..655f115
> --- /dev/null
> +++ b/recipes/shadow/files/login_defs_pam.sed
> @@ -0,0 +1,25 @@
> +/^FAILLOG_ENAB/b comment
> +/^LASTLOG_ENAB/b comment
> +/^MAIL_CHECK_ENAB/b comment
> +/^OBSCURE_CHECKS_ENAB/b comment
> +/^PORTTIME_CHECKS_ENAB/b comment
> +/^QUOTAS_ENAB/b comment
> +/^MOTD_FILE/b comment
> +/^FTMP_FILE/b comment
> +/^NOLOGINS_FILE/b comment
> +/^ENV_HZ/b comment
> +/^PASS_MIN_LEN/b comment
> +/^SU_WHEEL_ONLY/b comment
> +/^CRACKLIB_DICTPATH/b comment
> +/^PASS_CHANGE_TRIES/b comment
> +/^PASS_ALWAYS_WARN/b comment
> +/^CHFN_AUTH/b comment
> +/^ENVIRON_FILE/b comment
> +
> +b exit
> +
> +: comment
> + s:^:#:
> +
> +: exit
> +
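Review bot: PASS_MIN_LEN and OBSCURE_CHECKS_ENAB are commented out of login.defs by this script, yet the recipe configures with --without-libcrack and common-password is not among the files this patch creates, so nothing in the patch shows where password-quality rules are enforced afterwards. Please note in the script (sed accepts # comments) or in the commit message which PAM module takes over each disabled key, as pam.d/login does with its "Replaces the ... option" remarks. The patterns are also prefix matches: /^MOTD_FILE/ hits any key that merely starts with that string, so a trailing [[:space:]] would make each one exact.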
> diff --git a/recipes/shadow/files/pam.d/chfn b/recipes/shadow/files/pam.d/chfn
> new file mode 100644
> index 0000000..baf7698
> --- /dev/null
> +++ b/recipes/shadow/files/pam.d/chfn
> @@ -0,0 +1,14 @@
> +#
> +# The PAM configuration file for the Shadow `chfn' service
> +#
> +
> +# This allows root to change user infomation without being
> +# prompted for a password
> +auth sufficient pam_rootok.so
> +
> +# The standard Unix authentication modules, used with
> +# NIS (man nsswitch) as well as normal /etc/passwd and
> +# /etc/shadow entries.
> +auth include common-auth
> +account include common-account
> +session include common-session
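Review bot: the comments in pam.d/chfn do not mention that this file now stands in for CHFN_AUTH, which login_defs_pam.sed comments out of login.defs; a "(Replaces the CHFN_AUTH option from login.defs)" line above the pam_rootok rule would match the convention used in pam.d/login. The word "infomation" in the same comment should read "information".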
> diff --git a/recipes/shadow/files/pam.d/chpasswd b/recipes/shadow/files/pam.d/chpasswd
> new file mode 100644
> index 0000000..9e3efa6
> --- /dev/null
> +++ b/recipes/shadow/files/pam.d/chpasswd
> @@ -0,0 +1,4 @@
> +# The PAM configuration file for the Shadow 'chpasswd' service
> +#
> +
> +password include common-password
> diff --git a/recipes/shadow/files/pam.d/chsh b/recipes/shadow/files/pam.d/chsh
> new file mode 100644
> index 0000000..8fb169f
> --- /dev/null
> +++ b/recipes/shadow/files/pam.d/chsh
> @@ -0,0 +1,19 @@
> +#
> +# The PAM configuration file for the Shadow `chsh' service
> +#
> +
> +# This will not allow a user to change their shell unless
> +# their current one is listed in /etc/shells. This keeps
> +# accounts with special shells from changing them.
> +auth required pam_shells.so
> +
> +# This allows root to change user shell without being
> +# prompted for a password
> +auth sufficient pam_rootok.so
> +
> +# The standard Unix authentication modules, used with
> +# NIS (man nsswitch) as well as normal /etc/passwd and
> +# /etc/shadow entries.
> +auth include common-auth
> +account include common-account
> +session include common-session
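Review bot: in pam.d/chsh, "auth required pam_shells.so" is evaluated before "auth sufficient pam_rootok.so", so a pam_shells failure stands even when root runs chsh. pam_shells depends on /etc/shells, and do_install_append in this patch does not install that file. Please confirm another package ships /etc/shells on the target, or add one here, and say in the comment that the ordering is deliberate.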
> diff --git a/recipes/shadow/files/pam.d/login b/recipes/shadow/files/pam.d/login
> new file mode 100644
> index 0000000..2186d3e
> --- /dev/null
> +++ b/recipes/shadow/files/pam.d/login
> @@ -0,0 +1,91 @@
> +#
> +# The PAM configuration file for the Shadow `login' service
> +#
> +
> +# Enforce a minimal delay in case of failure (in microseconds).
> +# (Replaces the `FAIL_DELAY' setting from login.defs)
> +# Note that other modules may require another minimal delay. (for example,
> +# to disable any delay, you should add the nodelay option to pam_unix)
> +auth optional pam_faildelay.so delay=3000000
> +
> +# Outputs an issue file prior to each login prompt (Replaces the
> +# ISSUE_FILE option from login.defs). Uncomment for use
> +# auth required pam_issue.so issue=/etc/issue
> +
> +# Disallows root logins except on tty's listed in /etc/securetty
> +# (Replaces the `CONSOLE' setting from login.defs)
> +# Note that it is included as a "requisite" module. No password prompts will
> +# be displayed if this module fails to avoid having the root password
> +# transmitted on unsecure ttys.
> +# You can change it to a "required" module if you think it permits to
> +# guess valid user names of your system (invalid user names are considered
> +# as possibly being root).
> +auth requisite pam_securetty.so
> +
> +# Disallows other than root logins when /etc/nologin exists
> +# (Replaces the `NOLOGINS_FILE' option from login.defs)
> +auth requisite pam_nologin.so
> +
> +# SELinux needs to be the first session rule. This ensures that any
> +# lingering context has been cleared. Without out this it is possible
> +# that a module could execute code in the wrong domain.
> +# When the module is present, "required" would be sufficient (When SELinux
> +# is disabled, this returns success.)
> +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
> +
> +# This module parses environment configuration file(s)
> +# and also allows you to use an extended config
> +# file /etc/security/pam_env.conf.
> +#
> +# parsing /etc/environment needs "readenv=1"
> +session required pam_env.so readenv=1
> +# locale variables are also kept into /etc/default/locale in etch
> +# reading this file *in addition to /etc/environment* does not hurt
> +session required pam_env.so readenv=1 envfile=/etc/default/locale
> +
> +# Standard Un*x authentication.
> +@include common-auth
> +
> +# This allows certain extra groups to be granted to a user
> +# based on things like time of day, tty, service, and user.
> +# Please edit /etc/security/group.conf to fit your needs
> +# (Replaces the `CONSOLE_GROUPS' option in login.defs)
> +auth optional pam_group.so
> +
> +# Uncomment and edit /etc/security/time.conf if you need to set
> +# time restrainst on logins.
> +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
> +# as well as /etc/porttime)
> +# account requisite pam_time.so
> +
> +# Uncomment and edit /etc/security/access.conf if you need to
> +# set access limits.
> +# (Replaces /etc/login.access file)
> +# account required pam_access.so
> +
> +# Sets up user limits according to /etc/security/limits.conf
> +# (Replaces the use of /etc/limits in old login)
> +session required pam_limits.so
> +
> +# Prints the last login info upon succesful login
> +# (Replaces the `LASTLOG_ENAB' option from login.defs)
> +session optional pam_lastlog.so
> +
> +# Prints the motd upon succesful login
> +# (Replaces the `MOTD_FILE' option in login.defs)
> +session optional pam_motd.so
> +
> +# Prints the status of the user's mailbox upon succesful login
> +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
> +#
> +# This also defines the MAIL environment variable
> +# However, userdel also needs MAIL_DIR and MAIL_FILE variables
> +# in /etc/login.defs to make sure that removing a user
> +# also removes the user's mail spool file.
> +# See comments in /etc/login.defs
> +session optional pam_mail.so standard
> +
> +# Standard Un*x account and session
> +account include common-account
> +password include common-password
> +session include common-session
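Review bot: pam.d/login pulls in the auth stack with "@include common-auth" while every other file in this patch, and the account/password/session lines at the end of this one, use the "include" control form ("auth include common-auth"). The "@include" directive is a Debian addition to Linux-PAM as far as I know, so please check that the libpam built by OE parses it; if it does not, login ends up without the common auth rules. Using the "include" form throughout avoids the question. Also, the pam_selinux rule is "close" only with no matching "open" rule later in the session stack, and the comments carry a few typos ("Without out", "restrainst", "succesful").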
> diff --git a/recipes/shadow/files/pam.d/newusers b/recipes/shadow/files/pam.d/newusers
> new file mode 100644
> index 0000000..4aa3dde
> --- /dev/null
> +++ b/recipes/shadow/files/pam.d/newusers
> @@ -0,0 +1,4 @@
> +# The PAM configuration file for the Shadow 'newusers' service
> +#
> +
> +password include common-password
> diff --git a/recipes/shadow/files/pam.d/passwd b/recipes/shadow/files/pam.d/passwd
> new file mode 100644
> index 0000000..f534992
> --- /dev/null
> +++ b/recipes/shadow/files/pam.d/passwd
> @@ -0,0 +1,5 @@
> +#
> +# The PAM configuration file for the Shadow `passwd' service
> +#
> +
> +password include common-password
> diff --git a/recipes/shadow/files/pam.d/su b/recipes/shadow/files/pam.d/su
> new file mode 100644
> index 0000000..8e35137
> --- /dev/null
> +++ b/recipes/shadow/files/pam.d/su
> @@ -0,0 +1,60 @@
> +#
> +# The PAM configuration file for the Shadow `su' service
> +#
> +
> +# This allows root to su without passwords (normal operation)
> +auth sufficient pam_rootok.so
> +
> +# Uncomment this to force users to be a member of group root
> +# before they can use `su'. You can also add "group=foo"
> +# to the end of this line if you want to use a group other
> +# than the default "root" (but this may have side effect of
> +# denying "root" user, unless she's a member of "foo" or explicitly
> +# permitted earlier by e.g. "sufficient pam_rootok.so").
> +# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
> +# auth required pam_wheel.so
> +
> +# Uncomment this if you want wheel members to be able to
> +# su without a password.
> +# auth sufficient pam_wheel.so trust
> +
> +# Uncomment this if you want members of a specific group to not
> +# be allowed to use su at all.
> +# auth required pam_wheel.so deny group=nosu
> +
> +# Uncomment and edit /etc/security/time.conf if you need to set
> +# time restrainst on su usage.
> +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
> +# as well as /etc/porttime)
> +# account requisite pam_time.so
> +
> +# This module parses environment configuration file(s)
> +# and also allows you to use an extended config
> +# file /etc/security/pam_env.conf.
> +#
> +# parsing /etc/environment needs "readenv=1"
> +session required pam_env.so readenv=1
> +# locale variables are also kept into /etc/default/locale in etch
> +# reading this file *in addition to /etc/environment* does not hurt
> +session required pam_env.so readenv=1 envfile=/etc/default/locale
> +
> +# Defines the MAIL environment variable
> +# However, userdel also needs MAIL_DIR and MAIL_FILE variables
> +# in /etc/login.defs to make sure that removing a user
> +# also removes the user's mail spool file.
> +# See comments in /etc/login.defs
> +#
> +# "nopen" stands to avoid reporting new mail when su'ing to another user
> +session optional pam_mail.so nopen
> +
> +# Sets up user limits, please uncomment and read /etc/security/limits.conf
> +# to enable this functionality.
> +# (Replaces the use of /etc/limits in old login)
> +# session required pam_limits.so
> +
> +# The standard Unix authentication modules, used with
> +# NIS (man nsswitch) as well as normal /etc/passwd and
> +# /etc/shadow entries.
> +auth include common-auth
> +account include common-account
> +session include common-session
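Review bot: pam.d/su leaves "session required pam_limits.so" commented out while pam.d/login enables it, so a session entered through su does not get the limits from /etc/security/limits.conf that a login session gets. If that is intended for embedded targets, say so in the comment; otherwise enable it in both files. The comment above the pam_time rule also has the "restrainst" typo.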
> diff --git a/recipes/shadow/shadow_4.1.4.2.bb b/recipes/shadow/shadow_4.1.4.2.bb
> new file mode 100644
> index 0000000..04887a0
> --- /dev/null
> +++ b/recipes/shadow/shadow_4.1.4.2.bb
> @@ -0,0 +1,52 @@
> +DESCRIPTION = "login/password and account utilities"
> +LICENSE = "GPL"
> +
> +DEPEND = "libpam"
> +RDEPEND = "${DEPEND}"
> +
> +PR = "r5"
> +
> +EXTRA_OECONF += " --enable-shared --enable-static --with-libpam --without-libcrack"
> +
> +inherit autotools
> +
> +HOMEPAGE = "http://pkg-shadow.alioth.debian.org/"
> +SRC_URI = "ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-${PV}.tar.bz2 \
> + file://login_defs_pam.sed \
> +"
> +
> +# Additional Policy files for PAM
> +SRC_URI_append = " \
> + file://pam.d/chfn \
> + file://pam.d/chpasswd \
> + file://pam.d/chsh \
> + file://pam.d/login \
> + file://pam.d/newusers \
> + file://pam.d/passwd \
> + file://pam.d/su \
> +"
> +
> +S = "${WORKDIR}/shadow-${PV}"
> +
> +CFLAGS_append = " -I../include"
> +
> +do_install_append() {
> + # Ensure that the image has as /var/spool/mail dir so shadow can put mailboxes there if the user
> + # reconfigures Shadow to default (see sed below).
> + install -d ${D}${localstatedir}/spool/mail/
> +
> + install -d ${D}${sysconfdir}/pam.d/
> + install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/
> +
> + # Remove defaults that are not used when supporting PAM
> + sed -i -f ${WORKDIR}/login_defs_pam.sed ${D}${sysconfdir}/login.defs
> +
> + # Enable CREATE_HOME by default.
> + sed -i 's/#CREATE_HOME/CREATE_HOME/g' ${D}${sysconfdir}/login.defs
> +
> + # As we are on an embedded system ensure the users mailbox is in ~/ not
> + # /var/spool/mail by default as who knows where or how big /var is.
> + # The system MDA will set this later anyway.
> + sed -i 's/MAIL_DIR/#MAIL_DIR/g' ${D}${sysconfdir}/login.defs
> + sed -i 's/#MAIL_FILE/MAIL_FILE/g' ${D}${sysconfdir}/login.defs
> +}
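Review bot: "DEPEND" and "RDEPEND" at the top of shadow_4.1.4.2.bb are not the variable names BitBake reads; they should be DEPENDS and RDEPENDS, otherwise libpam is not pulled in at build or run time even though EXTRA_OECONF passes --with-libpam. In do_install_append, the sed expressions 's/MAIL_DIR/#MAIL_DIR/g' and 's/#MAIL_FILE/MAIL_FILE/g' are unanchored and global, so they also rewrite matches inside comment text and add a second # to a line that is already commented; anchoring them ('s/^MAIL_DIR/#MAIL_DIR/', 's/^#MAIL_FILE/MAIL_FILE/') limits the edit to the setting lines. The same applies to the CREATE_HOME expression.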
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
iD8DBQFLp2QeMkyGM64RGpERAqTOAJ9Szo3Jx9CU3Zlgz7oeTz2bRcainACfXfCk
R+fn76SabKh/Q2u6741adJY=
=/lJz
-----END PGP SIGNATURE-----