nekral-guest [Sun, 25 Nov 2007 21:02:32 +0000 (21:02 +0000)]
* configure.in, man/po/Makefile.in.in, man/po/Makevars,
man/po/POTFILES.in, man/Makefile.am: Generate the PO files for the
manpages in the man/po directory (instead of man/<lang>). Use a
Makefile.in.in based on gettext's one. This ensure that the PO are
generated before being used in the <lang> directories.
* man/generate_mans.mak, man/generate_translations.mak,
man/Makefile.am: New makefile for the generation of manpages from
XML (generate_mans.mak). This avoid duplicate chunks in
generate_translations.mak and Makefile.am
* man/de/de.po, man/fr/fr.po, man/it/it.po, man/pl/pl.po,
man/ru/ru.po, man/sv/sv.po: Moved to...
* man/po/de.po, man/po/fr.po, man/po/it.po, man/po/pl.po,
man/po/ru.po, man/po/sv.po: ... here.
nekral-guest [Sat, 24 Nov 2007 13:08:08 +0000 (13:08 +0000)]
* configure.in: New configure option: --with-sha-crypt enabled by
default. Keeping the feature enabled is safe. Disabling it permits
to disable the references to the SHA256 and SHA512 password
encryption algorithms from the usage help and manuals (in addition
to the support for these algorithms in the code).
* libmisc/obscure.c, libmisc/salt.c, src/newusers.c,
src/chpasswd.c, src/chgpasswd.c, src/passwd.c: ENCRYPT_METHOD is
always supported in login.defs. Remove the ENCRYPTMETHOD_SELECT
preprocessor condition.
* libmisc/obscure.c, libmisc/salt.c, src/newusers.c,
src/chpasswd.c, src/chgpasswd.c, src/passwd.c: Disable SHA256 and
SHA512 if USE_SHA_CRYPT is not defined (this corresponds to a
subset of the ENCRYPTMETHOD_SELECT sections).
nekral-guest [Sat, 24 Nov 2007 00:37:37 +0000 (00:37 +0000)]
If we requested a non DES encryption, make sure crypt returned a encrypted
password longer than 13 chars. This protects against the GNU crypt() which
does not return NULL if the algorithm is not supported, and return a DES
encrypted password.
nekral-guest [Sat, 24 Nov 2007 00:16:41 +0000 (00:16 +0000)]
* libmisc/salt.c: Make sure method is not NULL, defaulting to DES.
Thanks to Dan Kopecek <dkopecek@redhat.com>.
* src/chpasswd.c, src/chgpasswd.c: Do not use DES by default, but
the system default define in /Etc/login.defs. Thanks to Dan
Kopecek <dkopecek@redhat.com>.
* NEWS, man/chpasswd.8.xml, man/chgpasswd.8.xml: Do not mention
DES as the default algorithm.
* src/chpasswd.c, src/chgpasswd.c: Tag the ENCRYPTMETHOD_SELECT
dependent code accordingly.
nekral-guest [Fri, 23 Nov 2007 19:55:47 +0000 (19:55 +0000)]
* Use <replaceable> for the values set by
users. (was sometimes <emphasis remap='I'>)
* Use <option> vor the variable names. This
makes the manpage much more readable.
* (ENCRYPT_METHOD, MD5_CRYPT_ENAB,
SHA_CRYPT_MIN_ROUNDS, SHA_CRYPT_MAX_ROUNDS): Mention that command
line option may supersede the system setting.
* Document the variables used by chpasswd
and chgpasswd.
nekral-guest [Fri, 23 Nov 2007 00:07:59 +0000 (00:07 +0000)]
* NEWS, lib/getdef.c, man/login.defs.5.xml: New login.defs
variable: MAX_MEMBERS_PER_GROUP. Used for the split groups support.
* lib/commonio.c, lib/commonio.h: Add an open_hook and close_hook
operation. They are called after the database is actually opened
and parse, or before it is closed.
* lib/groupio.c: Add an open_hook to merge split groups, and an
close group to split groups if MAX_MEMBERS_PER_GROUP is set.
This fixes gpasswd and chgpasswd when split groups are used.
* lib/sgroupio.c, lib/shadowio.c, lib/pwio.c: No open or close
hooks for these databases. (unsure about what should be the gshadow
behavior for split groups)
nekral-guest [Thu, 22 Nov 2007 21:55:12 +0000 (21:55 +0000)]
* NEWS, src/gpasswd.c: Read the group and shadow groups using
gr_locate and sgr_locate. gpasswd write in the file database. Thus
it should read information from the file database, not using
getgrnam. The change to sgr_locate is just for consistency. This
requires opening the group databases (read only) using
gr_open/sgr_open.
* NEWS: Indicate that manpages should be re-generated if configure
option are changed, due to conditions.
nekral-guest [Thu, 22 Nov 2007 21:36:38 +0000 (21:36 +0000)]
* configure.in: SHADOWGRP added to AM_CONDITIONAL for the
generation of manpages.
* man/generate_translations.mak: Added pam/no_pam condition (like
in man/Makefile.am).
* man/Makefile.am, man/generate_translations.mak: Added
gshadow/no_gshadow condition.
* man/gpasswd.1.xml: Use the gshadow/no_gshadow condition to
change the manpage depending on the shadow group support.
nekral-guest [Wed, 21 Nov 2007 22:12:14 +0000 (22:12 +0000)]
* man/newusers.8.xml: Added /etc/gshadow, /etc/group, /etc/shadow,
and /etc/passwd to section FILES.
* man/newusers.8.xml: Mentions that PAM is not used to set the
passwords.
* man/chpasswd.8.xml: Added section FILES (/etc/passwd,
/etc/shadow, /etc/login.defs).
* man/chpasswd.8.xml: Use the same paragraph as in newusers.8.xml
to indicate that PAM is not used.
* man/chgpasswd.8.xml: Added section FILES (/etc/group,
/etc/gshadow, /etc/login.defs).
nekral-guest [Wed, 21 Nov 2007 21:27:44 +0000 (21:27 +0000)]
* Try harder to get the GID equal to the UID.
This was not the case when the GID is not specified, and a GID
exist with an ID higher than the all the UIDs.
* Typo in comment: contrained -> constrained.
nekral-guest [Tue, 20 Nov 2007 20:00:16 +0000 (20:00 +0000)]
* libmisc/obscure.c, libmisc/salt.c, src/passwd.c: Match DES, MD5,
SHA256, and SHA512 exactly (not only the first 3/6 chars).
* libmisc/salt.c (SHA_salt_rounds): Set rounds to the specified
prefered_rounds value, if specified.
* src/gpasswd.c, libmisc/salt.c: Fix compilation warnings (use
size_t for lengths).
* src/chpasswd.c, src/chgpasswd.c: Add missing parenthesis.
nekral-guest [Tue, 20 Nov 2007 12:59:20 +0000 (12:59 +0000)]
* man/chpasswd.8.xml, man/chgpasswd.8.xml: Document how the
encryption algorithm is chosen for the passwords. Document the new
-c and -s options. Add a reference to login.defs(5).
* man/login.defs.5.xml: Document the ENCRYPT_METHOD,
MD5_CRYPT_ENAB, SHA_CRYPT_MIN_ROUNDS, and SHA_CRYPT_MAX_ROUNDS
variables.
* etc/login.defs: Indicate that MD5_CRYPT_ENAB is deprecated.
Document the relationship with PAM for MD5_CRYPT_ENAB and
ENCRYPT_METHOD.
nekral-guest [Tue, 20 Nov 2007 09:33:52 +0000 (09:33 +0000)]
* lib/prototypes.h, libmisc/salt.c: Add parameters to
crypt_make_salt to force the crypt method and number of rounds.
* libmisc/salt.c: Add parameter to SHA_salt_rounds to force the
number of rounds.
* libmisc/salt.c, lib/getdef.c: ENCRYPT_METHOD and MD5_CRYPT_ENAB
are needed also when USE_PAM (e.g. for chpasswd).
* src/newusers.c, src/gpasswd.c: Use the new crypt_make_salt prototype.
* src/chpasswd.c, src/chgpasswd.c: Add option -c, --crypt-method
and -s, --sha-rounds to specify the crypt method and number of
rounds in case of one of the SHA methods. The new prototype of
crypt_make_salt simplifies the handling of -m, --md5.
nekral-guest [Tue, 20 Nov 2007 00:05:54 +0000 (00:05 +0000)]
* libmisc/salt.c: The salt has a random size (between 8 and 16
bytes).
* lib/getdef.c, etc/login.defs: Add definitions for
SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS.
* libmisc/salt.c: Use SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS
to add a random number of rounds if needed.
nekral-guest [Mon, 19 Nov 2007 22:34:48 +0000 (22:34 +0000)]
* libmisc/salt.c (MAGNUM): Terminate the array with nul (the array
is then used with strcat).
* libmisc/salt.c (crypt_make_salt): Initialize result[0] to nul at
the beginning (was not initialized when USE_PAM).
* libmisc/salt.c (crypt_make_salt): Check that ENCRYPT_METHOD is a
valid crypt method.
nekral-guest [Mon, 19 Nov 2007 22:14:19 +0000 (22:14 +0000)]
Add support for SHA256 and SHA512 encrypt methods. Apply RedHat's patch
shadow-4.0.18.1-sha256.patch. Thanks to Peter Vrabec. Hardly no changes
except re-indent and changes related to recent modifications (max_salt_len
in crypt_make_salt). Changes in lib/defines.h not applied (definition of
ENCRYPTMETHOD_SELECT). I will add a configure check or flag.
nekral-guest [Mon, 19 Nov 2007 20:25:36 +0000 (20:25 +0000)]
Fix some compilation warnings:
* src/login.c: "dereferencing type-punned pointer will break
strict-aliasing rules", add a variable indirection: ptr_pam_user.
* lib/commonio.c: do not initialize the sb stat structure.
* lib/pwio.c, lib/shadowio.c, lib/sgroupio.c, lib/groupio.c:
initialize the security context if WITH_SELINUX.
* lib/nscd.c: The service argument is not const (used in the exec*
parameters). This matches with the prototype definition.
* src/groupmems.c: Avoid ++i when i is also used in the same line.
* src/newusers.c: i is positive every time it is compared. Add
cast to unsigned int.
* src/nologin.c: Use a main() prototype with no arguments.
* libmisc/getdate.y: Initialize the type and value fields of the
terminating entry for each TABLE.
* libmisc/tz.c: Use "TZ=CST6CDT" as the default timezone.
nekral-guest [Mon, 19 Nov 2007 01:16:42 +0000 (01:16 +0000)]
* man/pl/Makefile.am: Add getspnam.3 to EXTRA_DIST since it is
generated with shadow.3.
* man/generate_translations.mak: Clean all the manpages, based on
$(EXTRA_DIST), not $(man_MANS).
nekral-guest [Sun, 18 Nov 2007 23:15:26 +0000 (23:15 +0000)]
* lib/prototypes.h, configure.in, libmisc/Makefile.am,
libmisc/xgetXXbyYY.c, libmisc/xgetpwnam.c, libmisc/xgetpwuid.c,
libmisc/xgetgrnam.c, libmisc/xgetgrgid.c, libmisc/xgetspnam.c:
Added functions xgetpwnam(), xgetpwuid(), xgetgrnam(),
xgetgrgid(), and xgetspnam(). They allocate memory for the
returned structure and are more robust to successive calls. They
are implemented with the libc's getxxyyy_r() functions if
available.
* libmisc/limits.c, libmisc/entry.c, libmisc/chowntty.c,
libmisc/addgrps.c, libmisc/myname.c, libmisc/rlogin.c,
libmisc/pwdcheck.c, src/newgrp.c, src/login_nopam.c,
src/userdel.c, src/lastlog.c, src/grpck.c, src/gpasswd.c,
src/newusers.c, src/chpasswd.c, src/chfn.c, src/groupmems.c,
src/usermod.c, src/expiry.c, src/groupdel.c, src/chgpasswd.c,
src/su.c, src/useradd.c, src/groupmod.c, src/passwd.c, src/pwck.c,
src/groupadd.c, src/chage.c, src/login.c, src/suauth.c,
src/faillog.c, src/groups.c, src/chsh.c, src/id.c: Review all the
usage of one of the getpwnam(), getpwuid(), getgrnam(),
getgrgid(), and getspnam() functions. It was noticed on
http://bugs.debian.org/341230 that chfn and chsh use a passwd
structure after calling a pam function, which result in using
information from the passwd structure requested by pam, not the
original one. It is much easier to use the new xget... functions
to avoid these issues. I've checked which call to the original
get... functions could be left (reducing the scope of the
structure if possible), and I've left comments to ease future
reviews (e.g. /* local, no need for xgetpwnam */).
Note: the getpwent/getgrent calls should probably be checked also.
* src/groupdel.c, src/expiry.c: Fix typos in comments.
* src/groupmod.c: Re-indent.
* libmisc/Makefile.am, lib/groupmem.c, lib/groupio.c, lib/pwmem.c,
lib/pwio.c, lib/shadowmem.c, lib/shadowio.c: Move the __<xx>_dup
functions (used by the xget... functions) from the <xx>io.c files
to the new <xx>mem.c files. This avoid linking some utils against
the SELinux library.
nekral-guest [Sun, 18 Nov 2007 22:58:31 +0000 (22:58 +0000)]
Some fixes for the manpages:
* man/pl/pl.po: Fix typo: chgpassw -> chgpasswd.
* man/pl/Makefile.am: Fix typo: chgpassw -> chgpasswd.
* man/de/de.po: groups shall not be translated (for command,
refname, or refentrytitle).
nekral-guest [Sat, 17 Nov 2007 21:24:06 +0000 (21:24 +0000)]
Make sure that the prefix is the name of a directory (not only the
beginning of a directory).
Openwall patch shadow-4.0.4.1-owl-userdel-path_prefix.diff.
nekral-guest [Sat, 17 Nov 2007 21:03:33 +0000 (21:03 +0000)]
* src/newgrp.c: Do not give an indication that the group has no
password.
* src/newgrp.c: Do not only bail on syslog if the password is not
valid. Also give an indication to the user on stderr.
nekral-guest [Sat, 17 Nov 2007 20:28:32 +0000 (20:28 +0000)]
Last parts of the Openwall patch shadow-4.0.4.1-owl-chage-drop-priv.diff:
* src/chage.c: Make chage -l also drop the saved GID.
* src/chage.c: Prefer setregid/setreuid to setgid/setuid.
nekral-guest [Sat, 17 Nov 2007 20:09:54 +0000 (20:09 +0000)]
* src/chage.c: Remove cleanup(). pw_lock is never called. Replace
cleanup(2) by spw_unlock and remove the calls to cleanup(1).
* src/chage.c: Remove variable pwrw. It is always set to 0. The
password database is always read only.
nekral-guest [Sat, 17 Nov 2007 18:45:22 +0000 (18:45 +0000)]
* man/generate_translations.mak: Generic rules for all the
generated translated manpages (if ENABLE_REGENERATE_MAN).
* man/Makefile.am: Removed rules for all the generated translated
manpages.
* man/sv/Makefile.am, man/de/Makefile.am, man/fr/Makefile.am,
man/pl/Makefile.am, man/ru/Makefile.am, man/it/Makefile.am:
Include generate_translations.mak to handle the generated
translations (XML and roff files).
* man/Makefile.am: Translated XML files moved from the CLEANFILES
variable of man/Makefile.am to the various languages Makefiles.
nekral-guest [Sat, 17 Nov 2007 18:13:17 +0000 (18:13 +0000)]
Fixes from Openwall patch shadow-4.0.4.1-alt-man.diff:
* man/useradd.8.xml: Indicate that the NIS caveats is also valid
for any external database as LDAP.
* man/groupadd.8.xml: Likewise.
* man/groupadd.8.xml: Reorder and reformat the caveats bullets.
nekral-guest [Sat, 17 Nov 2007 17:47:02 +0000 (17:47 +0000)]
Start applying Debian patch 409_man_generate_from_PO:
* NEWS: Applied Debian patch 409_man_generate_from_PO to
automatically generate the translated manpages from the POs.
* man/Makefile.am: Replace the individual rules for the generation
of the manpages (from XML) by a generic Makefile rule an
dependencies for the linked manpages.
nekral-guest [Sat, 17 Nov 2007 17:19:44 +0000 (17:19 +0000)]
Avoid terminating the PAM library in the forked child. This is done later
in the parent after closing the PAM session.
This fixes http://bugs.debian.org/412061.
Debian patch 405_su_no_pam_end_before_exec.
projects / shadow / log