community/shadow: move from testing

5 files changed, 230 insertions, 0 deletions

diff --git a/community/shadow/APKBUILD b/community/shadow/APKBUILD
new file mode 100644
index 0000000000..c5ac99edb4
--- /dev/null
+++ b/community/shadow/APKBUILD
@@ -0,0 +1,96 @@
+# Contributor: William Pitcock <nenolod@dereferenced.org>
+# Contributor: Jakub Jirutka <jakub@jirutka.cz>
+# Maintainer: Stuart Cardall <developer@it-offshore.co.uk>
+pkgname=shadow
+pkgver=4.2.1
+pkgrel=6
+pkgdesc="PAM-using login and passwd utilities (usermod, useradd, ...)"
+url="http://pkg-shadow.alioth.debian.org/"
+arch="all"
+license="GPL"
+depends=""
+makedepends="linux-pam-dev"
+subpackages="$pkgname-doc $pkgname-dbg $pkgname-uidmap"
+source="http://pkg-shadow.alioth.debian.org/releases/shadow-$pkgver.tar.xz
+	login.pamd
+	dots-in-usernames.patch
+	cross-size-checks.patch
+	verbose-error-when-uid-doesnt-match.patch
+	"
+options="suid"
+builddir="$srcdir/shadow-$pkgver"
+
+build() {
+	cd "$builddir"
+
+	./configure --prefix=/usr \
+		--sysconfdir=/etc \
+		--mandir=/usr/share/man \
+		--infodir=/usr/share/info \
+		--localstatedir=/var \
+		--disable-nls \
+		--with-libpam \
+		--without-audit \
+		--without-selinux \
+		--without-acl \
+		--without-attr \
+		--without-tcb \
+		--without-nscd \
+		--without-group-name-max-length \
+		|| return 1
+	make || return 1
+}
+
+package() {
+	cd "$builddir"
+
+	make DESTDIR="$pkgdir" install || return 1
+
+	# Do not install these pam.d files they are broken and outdated.
+	# nologin is provided by util-linux.
+	rm "$pkgdir"/etc/pam.d/* \
+		"$pkgdir"/sbin/nologin \
+		|| return 1
+
+	# However, install our own for login.
+	cp "$srcdir"/login.pamd "$pkgdir"/etc/pam.d/login || return 1
+
+	# /etc/login.defs is not very useful - replace it with a blank file.
+	rm "$pkgdir"/etc/login.defs
+	touch "$pkgdir"/etc/login.defs
+
+	# Avoid conflict with man-pages.
+	rm "$pkgdir"/usr/share/man/man3/getspnam.3* \
+		"$pkgdir"/usr/share/man/man5/passwd.5* || return 1
+}
+
+uidmap() {
+	pkgdesc="Utilities for using subordinate UIDs and GIDs"
+
+	mkdir -p "$subpkgdir"
+	cd "$subpkgdir"
+
+	mkdir -p usr/bin
+	mv "$pkgdir"/usr/bin/new*idmap usr/bin/ || return 1
+	chmod 4711 usr/bin/new*idmap || return 1
+
+	# Used e.g. for unprivileged LXC containers.
+	mkdir etc
+	touch etc/subuid etc/subgid
+}
+
+md5sums="2bfafe7d4962682d31b5eba65dba4fc8  shadow-4.2.1.tar.xz
+72dfc077a61ab7163e312640cc98bba8  login.pamd
+f5fe3d7351d5e4046588b652c482c170  dots-in-usernames.patch
+75bc0cafb44aa86075d2ec056816cc3e  cross-size-checks.patch
+6d938a758cba620dde3b9e4ce6e87703  verbose-error-when-uid-doesnt-match.patch"
+sha256sums="3b0893d1476766868cd88920f4f1231c4795652aa407569faff802bcda0f3d41  shadow-4.2.1.tar.xz
+c0d0f2f77133b0663c5a578afeba45d5a9c703ff6f3f6aba3727dfe01877dac0  login.pamd
+ee58c622d1e8283dc4b17e93cc5e68f4ea4336654ebcfb48e46e0efaa864b77f  dots-in-usernames.patch
+fc3e32ddfc8eeb284412e8df7ad045ad27b742f5ee733db1a0bc14c97480e013  cross-size-checks.patch
+7d9156d39afa3a937fc64130b1bfe0ddc1dd593caa629f29410ebbf84c258568  verbose-error-when-uid-doesnt-match.patch"
+sha512sums="7a14bf8e08126f0402e37b6e4c559615ced7cf829e39156d929ed05cd8813de48a77ff1f7f6fe707da04cf662a2e9e84c22d63d88dd1ed13f935fde594db95f0  shadow-4.2.1.tar.xz
+46a6f83f3698e101b58b8682852da749619412f75dfa85cecad03d0847f6c3dc452d984510db7094220e4570a0565b83b0556e16198ad894a3ec84b3e513d58d  login.pamd
+745eea04c054226feba165b635dbb8570b8a04537d41e914400a4c54633c3a9cf350da0aabfec754fb8cf3e58fc1c8cf597b895506312f19469071760c11f31d  dots-in-usernames.patch
+c46760254439176babeef24d93900914092655af3a48f54385adf6ef5a3af76799fb7e96083acd27853d6ab6d7392543dbaf70bb26f164519e92f677da7851a4  cross-size-checks.patch
+1b3513772a7a0294b587723213e4464cc5a1a42ae6a79e9b9f9ea20083684a21d81e362f44d87ce2e6de2daf396d8422b39019923c0b0cbb44fa4c4c24613c0c  verbose-error-when-uid-doesnt-match.patch"
diff --git a/community/shadow/cross-size-checks.patch b/community/shadow/cross-size-checks.patch
new file mode 100644
index 0000000000..bd451ba1bb
--- /dev/null
+++ b/community/shadow/cross-size-checks.patch
@@ -0,0 +1,42 @@
+From 2cb54158b80cdbd97ca3b36df83f9255e923ae3f Mon Sep 17 00:00:00 2001
+From: James Le Cuirot <chewi@aura-online.co.uk>
+Date: Sat, 23 Aug 2014 09:46:39 +0100
+Subject: [PATCH] Check size of uid_t and gid_t using AC_CHECK_SIZEOF
+
+This built-in check is simpler than the previous method and, most
+importantly, works when cross-compiling.
+
+Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
+---
+ configure.in | 14 ++++----------
+ 1 file changed, 4 insertions(+), 10 deletions(-)
+
+diff --git a/configure.in b/configure.in
+index 1a3f841..4a4d6d0 100644
+--- a/configure.in
++++ b/configure.in
+@@ -335,16 +335,10 @@ if test "$enable_subids" != "no"; then
+ 	dnl
+ 	dnl FIXME: check if 32 bit UIDs/GIDs are supported by libc
+ 	dnl
+-	AC_RUN_IFELSE([AC_LANG_SOURCE([
+-#include <sys/types.h>
+-int main(void) {
+-	uid_t u;
+-	gid_t g;
+-	return (sizeof u < 4) || (sizeof g < 4);
+-}
+-	])], [id32bit="yes"], [id32bit="no"])
+-
+-	if test "x$id32bit" = "xyes"; then
++	AC_CHECK_SIZEOF([uid_t],, [#include "sys/types.h"])
++	AC_CHECK_SIZEOF([gid_t],, [#include "sys/types.h"])
++
++	if test "$ac_cv_sizeof_uid_t" -ge 4 && test "$ac_cv_sizeof_gid_t" -ge 4; then
+ 		AC_DEFINE(ENABLE_SUBIDS, 1, [Define to support the subordinate IDs.])
+ 		enable_subids="yes"
+ 	else
+-- 
+2.3.6
+
+
diff --git a/community/shadow/dots-in-usernames.patch b/community/shadow/dots-in-usernames.patch
new file mode 100644
index 0000000000..b684c9d02f
--- /dev/null
+++ b/community/shadow/dots-in-usernames.patch
@@ -0,0 +1,11 @@
+--- shadow-4.1.3/libmisc/chkname.c
++++ shadow-4.1.3/libmisc/chkname.c
+@@ -66,6 +66,7 @@
+ 		      ( ('0' <= *name) && ('9' >= *name) ) ||
+ 		      ('_' == *name) ||
+ 		      ('-' == *name) ||
++		      ('.' == *name) ||
+ 		      ( ('$' == *name) && ('\0' == *(name + 1)) )
+ 		     )) {
+ 			return false;
+
diff --git a/community/shadow/login.pamd b/community/shadow/login.pamd
new file mode 100644
index 0000000000..ad45558094
--- /dev/null
+++ b/community/shadow/login.pamd
@@ -0,0 +1,6 @@
+# /bin/login opens an interactive session.
+
+auth		include		base-auth
+account		include		base-account
+password	include		base-password
+session		include		base-session
diff --git a/community/shadow/verbose-error-when-uid-doesnt-match.patch b/community/shadow/verbose-error-when-uid-doesnt-match.patch
new file mode 100644
index 0000000000..6f104b438c
--- /dev/null
+++ b/community/shadow/verbose-error-when-uid-doesnt-match.patch
@@ -0,0 +1,75 @@
+From: Hank Leininger <hlein@korelogic.com>
+Date: Mon, 6 Apr 2015 08:22:48 -0500
+Subject: [PATCH] Expand the error message when newuidmap / newgidmap do not
+ like the user/group ownership of their target process.
+
+Currently the error is just:
+
+newuidmap: Target [pid] is owned by a different user
+
+With this patch it will be like:
+
+newuidmap: Target [pid] is owned by a different user: uid:0 pw_uid:0 st_uid:0, gid:0 pw_gid:0 st_gid:99
+
+Why is this useful?  Well, in my case...
+
+The grsecurity kernel-hardening patch includes an option to make parts
+of /proc unreadable, such as /proc/pid/ dirs for processes not owned by
+the current uid.  This comes with an option to make /proc/pid/
+directories readable by a specific gid; sysadmins and the like are then
+put into that group so they can see a full 'ps'.
+
+This means that the check in new[ug]idmap fails, as in the above quoted
+error - /proc/[targetpid] is owned by root, but the group is 99 so that
+users in group 99 can see the process.
+
+Some Googling finds dozens of people hitting this problem, but not
+*knowing* that they have hit this problem, because the errors and
+circumstances are non-obvious.
+
+Some graceful way of handling this and not failing, will be next ;)  But
+in the meantime it'd be nice to have new[ug]idmap emit a more useful
+error, so that it's easier to troubleshoot.
+
+Thanks!
+
+Signed-off-by: Hank Leininger <hlein@korelogic.com>
+Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
+---
+ src/newgidmap.c | 6 ++++--
+ src/newuidmap.c | 6 ++++--
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/src/newgidmap.c b/src/newgidmap.c
+index a532b45..451c6a6 100644
+--- a/src/newgidmap.c
++++ b/src/newgidmap.c
+@@ -161,8 +161,10 @@ int main(int argc, char **argv)
+ 	    (getgid() != pw->pw_gid) ||
+ 	    (pw->pw_uid != st.st_uid) ||
+ 	    (pw->pw_gid != st.st_gid)) {
+-		fprintf(stderr, _( "%s: Target %u is owned by a different user\n" ),
+-			Prog, target);
++		fprintf(stderr, _( "%s: Target %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
++			Prog, target,
++			(unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid,
++			(unsigned long int)getgid(), (unsigned long int)pw->pw_gid, (unsigned long int)st.st_gid);
+ 		return EXIT_FAILURE;
+ 	}
+ 
+diff --git a/src/newuidmap.c b/src/newuidmap.c
+index 5150078..9c8bc1b 100644
+--- a/src/newuidmap.c
++++ b/src/newuidmap.c
+@@ -161,8 +161,10 @@ int main(int argc, char **argv)
+ 	    (getgid() != pw->pw_gid) ||
+ 	    (pw->pw_uid != st.st_uid) ||
+ 	    (pw->pw_gid != st.st_gid)) {
+-		fprintf(stderr, _( "%s: Target %u is owned by a different user\n" ),
+-			Prog, target);
++		fprintf(stderr, _( "%s: Target process %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
++			Prog, target,
++			(unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid,
++			(unsigned long int)getgid(), (unsigned long int)pw->pw_gid, (unsigned long int)st.st_gid);
+ 		return EXIT_FAILURE;
+ 	}
\ No newline at end of file