diff options
author | Michael Weiser <michael.weiser@gmx.de> | 2019-12-17 20:02:40 +0100 |
---|---|---|
committer | Lars Wendler <polynomial-c@gentoo.org> | 2020-01-19 02:00:17 +0100 |
commit | c7da130a443ab9811b242ae2cbf8259cb85d43b1 (patch) | |
tree | 42f09954ad7d19f4e8111b01e0388645f8602559 /sys-apps/shadow | |
parent | net-p2p/cpuminer-opt: Cleanup old versions (diff) | |
download | gentoo-c7da130a443ab9811b242ae2cbf8259cb85d43b1.tar.gz gentoo-c7da130a443ab9811b242ae2cbf8259cb85d43b1.tar.bz2 gentoo-c7da130a443ab9811b242ae2cbf8259cb85d43b1.zip |
sys-apps/shadow: Revbump to fix up PAM configuration
shadow includes a number of administrative account management binaries
like useradd, chage and chpasswd, traditionally only useable by root.
In shadow they can be compiled with PAM support and installed setuid.
PAM configuration can then be used to delegate account management to
users other than root.
The previous config contained the pam_rootok module to provide default
behaviour of allowing account management when called as root. But it
also contained pam_permit which would allow everyone else to also do
account management without any authentication.
To close this loophole we remove pam_permit from the config. Also,
chpasswd, chgpasswd and newusers are batch-mode mass-change tools meant
for scripting. They only contain PAM support if configure flag
--enable-account-tools-setuid is in effect and are then installed setuid
root. They should use the same restrictive PAM configuration as their
siblings. But with setuid user management tools and PAM support within
them disabled by commit f569e607 we can stop installing the
configuration files as well.
chfn and chsh are intended to be called by the user as self-service
tools. For this reason they're always installed setuid root and contain
PAM support. They should be allowed to work but maybe not without some
prior authentication to avoid attacks such as someone finding an
unlocked session and using chfn to redirect phone calls intended for the
user to himself. The existing passwd config seems perfect for that and
is aptly named in that both tools change user information normally
stored in /etc/passwd.
groupmems is another user self-service tool. It allows the user to add
people to their user-private group, allowing them trusted access to
normally private files. It is not installed setuid like chfn and chsh
but always contains PAM support. Upstream installs a locked down PAM
config by default.
Since default shell profiles on Gentoo do not change umask to 0002 when
a private user group is in use, impact will only be to allow read access
to those additional users by default.
Since the idea of adding more users to the user *private* group is
questionable, go with upstream's default of locking the PAM config down
so that an admin not only needs to make the binary suid but also adjust
the PAM config, in the process hopefully considering what they're doing.
Bug: https://bugs.gentoo.org/702252
Closes: https://github.com/gentoo/gentoo/pull/14032
Reviewed-by: Mikle Kolyada <zlogene@gentoo.org>
Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Diffstat (limited to 'sys-apps/shadow')
-rw-r--r-- | sys-apps/shadow/files/pam.d-include/shadow-r1 | 7 | ||||
-rw-r--r-- | sys-apps/shadow/shadow-4.8-r3.ebuild | 233 |
2 files changed, 240 insertions, 0 deletions
diff --git a/sys-apps/shadow/files/pam.d-include/shadow-r1 b/sys-apps/shadow/files/pam.d-include/shadow-r1 new file mode 100644 index 000000000000..e42e8493ffe3 --- /dev/null +++ b/sys-apps/shadow/files/pam.d-include/shadow-r1 @@ -0,0 +1,7 @@ +#%PAM-1.0 + +auth sufficient pam_rootok.so + +account include system-auth + +password required pam_permit.so diff --git a/sys-apps/shadow/shadow-4.8-r3.ebuild b/sys-apps/shadow/shadow-4.8-r3.ebuild new file mode 100644 index 000000000000..ce51a62e4d92 --- /dev/null +++ b/sys-apps/shadow/shadow-4.8-r3.ebuild @@ -0,0 +1,233 @@ +# Copyright 1999-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit autotools libtool pam + +DESCRIPTION="Utilities to deal with user accounts" +HOMEPAGE="https://github.com/shadow-maint/shadow" +SRC_URI="https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar.xz" + +LICENSE="BSD GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sh ~sparc ~x86" +IUSE="acl audit bcrypt +cracklib nls pam selinux skey split-usr +su xattr" +# Taken from the man/Makefile.am file. +LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW ) + +DEPEND=" + acl? ( sys-apps/acl:0= ) + audit? ( >=sys-process/audit-2.6:0= ) + cracklib? ( >=sys-libs/cracklib-2.7-r3:0= ) + nls? ( virtual/libintl ) + pam? ( sys-libs/pam:0= ) + skey? ( sys-auth/skey:0= ) + selinux? ( + >=sys-libs/libselinux-1.28:0= + sys-libs/libsemanage:0= + ) + su? ( !sys-apps/util-linux[su] ) + xattr? ( sys-apps/attr:0= ) +" +BDEPEND=" + app-arch/xz-utils + sys-devel/gettext +" +RDEPEND=" + ${DEPEND} + pam? ( >=sys-auth/pambase-20150213 ) +" + +PATCHES=( + "${FILESDIR}/${PN}-4.1.3-dots-in-usernames.patch" + "${FILESDIR}/${P}-revert-bin-merge.patch" +) + +src_prepare() { + default + eautoreconf + #elibtoolize +} + +src_configure() { + local myeconfargs=( + --disable-account-tools-setuid + --enable-shared=no + --enable-static=yes + --with-btrfs + --without-group-name-max-length + --without-tcb + $(use_enable nls) + $(use_with acl) + $(use_with audit) + $(use_with bcrypt) + $(use_with cracklib libcrack) + $(use_with elibc_glibc nscd) + $(use_with pam libpam) + $(use_with selinux) + $(use_with skey) + $(use_with su) + $(use_with xattr attr) + ) + econf "${myeconfargs[@]}" + + has_version 'sys-libs/uclibc[-rpc]' && sed -i '/RLOGIN/d' config.h #425052 + + if use nls ; then + local l langs="po" # These are the pot files. + for l in ${LANGS[*]} ; do + has ${l} ${LINGUAS-${l}} && langs+=" ${l}" + done + sed -i "/^SUBDIRS = /s:=.*:= ${langs}:" man/Makefile || die + fi +} + +set_login_opt() { + local comment="" opt=$1 val=$2 + if [[ -z ${val} ]]; then + comment="#" + sed -i \ + -e "/^${opt}\>/s:^:#:" \ + "${ED}"/etc/login.defs || die + else + sed -i -r \ + -e "/^#?${opt}\>/s:.*:${opt} ${val}:" \ + "${ED}"/etc/login.defs + fi + local res=$(grep "^${comment}${opt}\>" "${ED}"/etc/login.defs) + einfo "${res:-Unable to find ${opt} in /etc/login.defs}" +} + +src_install() { + emake DESTDIR="${D}" suidperms=4711 install + + # Remove libshadow and libmisc; see bug 37725 and the following + # comment from shadow's README.linux: + # Currently, libshadow.a is for internal use only, so if you see + # -lshadow in a Makefile of some other package, it is safe to + # remove it. + rm -f "${ED}"/{,usr/}$(get_libdir)/lib{misc,shadow}.{a,la} + + insinto /etc + if ! use pam ; then + insopts -m0600 + doins etc/login.access etc/limits + fi + + # needed for 'useradd -D' + insinto /etc/default + insopts -m0600 + doins "${FILESDIR}"/default/useradd + + if use split-usr ; then + # move passwd to / to help recover broke systems #64441 + # We cannot simply remove this or else net-misc/scponly + # and other tools will break because of hardcoded passwd + # location + dodir /bin + mv "${ED}"/usr/bin/passwd "${ED}"/bin/ || die + dosym ../../bin/passwd /usr/bin/passwd + fi + + cd "${S}" || die + insinto /etc + insopts -m0644 + newins etc/login.defs login.defs + + set_login_opt CREATE_HOME yes + if ! use pam ; then + set_login_opt MAIL_CHECK_ENAB no + set_login_opt SU_WHEEL_ONLY yes + set_login_opt CRACKLIB_DICTPATH /usr/$(get_libdir)/cracklib_dict + set_login_opt LOGIN_RETRIES 3 + set_login_opt ENCRYPT_METHOD SHA512 + set_login_opt CONSOLE + else + dopamd "${FILESDIR}"/pam.d-include/shadow + + for x in chsh shfn ; do + newpamd "${FILESDIR}"/pam.d-include/passwd ${x} + done + + newpamd "${FILESDIR}"/pam.d-include/shadow-r1 groupmems + + # comment out login.defs options that pam hates + local opt sed_args=() + for opt in \ + CHFN_AUTH \ + CONSOLE \ + CRACKLIB_DICTPATH \ + ENV_HZ \ + ENVIRON_FILE \ + FAILLOG_ENAB \ + FTMP_FILE \ + LASTLOG_ENAB \ + MAIL_CHECK_ENAB \ + MOTD_FILE \ + NOLOGINS_FILE \ + OBSCURE_CHECKS_ENAB \ + PASS_ALWAYS_WARN \ + PASS_CHANGE_TRIES \ + PASS_MIN_LEN \ + PORTTIME_CHECKS_ENAB \ + QUOTAS_ENAB \ + SU_WHEEL_ONLY + do + set_login_opt ${opt} + sed_args+=( -e "/^#${opt}\>/b pamnote" ) + done + sed -i "${sed_args[@]}" \ + -e 'b exit' \ + -e ': pamnote; i# NOTE: This setting should be configured via /etc/pam.d/ and not in this file.' \ + -e ': exit' \ + "${ED}"/etc/login.defs || die + + # remove manpages that pam will install for us + # and/or don't apply when using pam + find "${ED}"/usr/share/man -type f \ + '(' -name 'limits.5*' -o -name 'suauth.5*' ')' \ + -delete + + # Remove pam.d files provided by pambase. + rm "${ED}"/etc/pam.d/{login,passwd} || die + if use su ; then + rm "${ED}"/etc/pam.d/su || die + fi + fi + + # Remove manpages that are handled by other packages + find "${ED}"/usr/share/man \ + '(' -name id.1 -o -name passwd.5 -o -name getspnam.3 ')' \ + -delete + + cd "${S}" || die + dodoc ChangeLog NEWS TODO + newdoc README README.download + cd doc || die + dodoc HOWTO README* WISHLIST *.txt +} + +pkg_preinst() { + rm -f "${EROOT}"/etc/pam.d/system-auth.new \ + "${EROOT}/etc/login.defs.new" +} + +pkg_postinst() { + # Enable shadow groups. + if [ ! -f "${EROOT}"/etc/gshadow ] ; then + if grpck -r -R "${EROOT}" 2>/dev/null ; then + grpconv -R "${EROOT}" + else + ewarn "Running 'grpck' returned errors. Please run it by hand, and then" + ewarn "run 'grpconv' afterwards!" + fi + fi + + [[ ! -f "${EROOT}"/etc/subgid ]] && + touch "${EROOT}"/etc/subgid + [[ ! -f "${EROOT}"/etc/subuid ]] && + touch "${EROOT}"/etc/subuid + + einfo "The 'adduser' symlink to 'useradd' has been dropped." +} |