From: "Mark Hatle" <mark.hatle@kernel.crashing.org>
To: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH 6/9] shadow: update 4.8.1 -> 4.9
Date: Wed, 4 Aug 2021 13:28:30 -0500 [thread overview]
Message-ID: <deab9df2-17a5-7589-6e25-a49c4aee7e08@kernel.crashing.org> (raw)
In-Reply-To: <fa019e92-7e26-a422-6603-eb103f4e9633@gmail.com>
On 8/4/21 1:13 PM, Khem Raj wrote:
>
>
> On 8/4/21 3:12 AM, Alexander Kanavin wrote:
>> Yes, plaintext passwords can no longer be there, which is a good thing
>> I'd say? The hashed/salted passwords can still be provided through the
>> same class, but this needs to be documented, and perhaps tested too.
>>
>
> Its perhaps fine to discourage plaintext password setting, but it is a
> user visible feature as it seems. So the documentation should change for
> sure to not use it and it should also go into migration guide since it
> has a potential of tripping a lot of folks. I think documenting the
> intent to move away from plaintext is urgent, then the question is if
> we want to fist deprecate it or delete this option all in one go.
We SHOULD discourage users from any hardcoded passwords! But, there is little
to no functional difference between specifying a plain text or salted password,
but there is a HUGE developer/user difference in behavior.
So, if we have a way to set a default password for any account, then we really
do need a way to have a plaintext password specified.
From a security perspective, there is no advantage between a salted or plain
text password. (Salted passwords can always be reversed through tables, etc!)
If the current implementation of the plain text passwords is not "secure" due to
bad salts, hash types, etc. Then lets fix that and move to a more secure style.
If it is decided to remove the -P option for plain text passwords, then we need
to document for the user HOW to generate password hashes. And if we're showing
them how to do it, it SHOULD be trivial to find a way to do the same thing
_using the build system_.
For example
useradd -P 'foobar' user
to
hash=$(echo 'foobar' | openssl passwd -1 -salt mysalt -stdin)
useradd -p $hash user
or
hash=$(python -c "import crypt; print crypt.crypt('foobar')")
useradd -p $hash user
or
....
but the point is, we SHOULD discourage _ANY_ hard coded passwords, not just
plain text. However if a user wants to do this, the system should assist the
user in setting a password into their environment.
--Mark
>> Alex
>>
>> On Wed, 4 Aug 2021 at 10:39, Yi Zhao <yi.zhao@windriver.com
>> <mailto:yi.zhao@windriver.com>> wrote:
>>
>>
>> On 7/30/21 7:45 PM, Alexander Kanavin wrote:
>>> Add a couple backports to fix builds.
>>>
>>> Drop 0002-Allow-for-setting-password-in-clear-text.patch;
>>> what it adds is horribly insecure and AB testing didn't reveal any
>>> regressions or use cases for it.
>>
>> Dropping this patch makes the password setting function in
>> extrausers.bbclass unavailable:
>> https://docs.yoctoproject.org/singleindex.html#extrausers-bbclass
>> <https://docs.yoctoproject.org/singleindex.html#extrausers-bbclass>
>>
>>
>> //Yi
>>
>>
>>> Drop /etc/default/ tweaks as files are no longer installed there.
>>>
>>> Drop manpage alternatives as manpages are no longer installed.
>>>
>>> Signed-off-by: Alexander Kanavin<alex.kanavin@gmail.com> <mailto:alex.kanavin@gmail.com>
>>> ---
>>> ...01-Disable-use-of-syslog-for-sysroot.patch | 29 +-
>>> ...builds-with-respect-to-libsubid-incl.patch | 114 +++++++
>>> .../0001-libsubid-link-to-PAM-libraries.patch | 31 ++
>>> ...w-for-setting-password-in-clear-text.patch | 301 ------------------
>>> ...nexpected-open-failure-in-chroot-env.patch | 6 +-
>>> meta/recipes-extended/shadow/shadow.inc | 21 +-
>>> .../shadow/{shadow_4.8.1.bb <http://shadow_4.8.1.bb> =>shadow_4.9.bb <http://shadow_4.9.bb>} | 0
>>> 7 files changed, 167 insertions(+), 335 deletions(-)
>>> create mode 100644 meta/recipes-extended/shadow/files/0001-Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch
>>> create mode 100644 meta/recipes-extended/shadow/files/0001-libsubid-link-to-PAM-libraries.patch
>>> delete mode 100644 meta/recipes-extended/shadow/files/0002-Allow-for-setting-password-in-clear-text.patch
>>> rename meta/recipes-extended/shadow/{shadow_4.8.1.bb <http://shadow_4.8.1.bb> =>shadow_4.9.bb <http://shadow_4.9.bb>} (100%)
>>>
>>> diff --git a/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch b/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch
>>> index ab317b9aa0..95728bcd3f 100644
>>> --- a/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch
>>> +++ b/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch
>>> @@ -1,4 +1,4 @@
>>> -From fa2d9453656641002802d8165e80adb9e6a729d2 Mon Sep 17 00:00:00 2001
>>> +From 30a3906a0a21120fa6bbc918b6258ab9303fbeaa Mon Sep 17 00:00:00 2001
>>> From: Scott Garman<scott.a.garman@intel.com> <mailto:scott.a.garman@intel.com>
>>> Date: Thu, 14 Apr 2016 12:28:57 +0200
>>> Subject: [PATCH] Disable use of syslog for sysroot
>>> @@ -19,12 +19,12 @@ Signed-off-by: Chen Qi<Qi.Chen@windriver.com> <mailto:Qi.Chen@windriver.com>
>>> src/groupmems.c | 3 +++
>>> src/groupmod.c | 3 +++
>>> src/useradd.c | 3 +++
>>> - src/userdel.c | 3 +++
>>> + src/userdel.c | 4 ++++
>>> src/usermod.c | 3 +++
>>> - 7 files changed, 21 insertions(+)
>>> + 7 files changed, 22 insertions(+)
>>>
>>> diff --git a/src/groupadd.c b/src/groupadd.c
>>> -index 2dd8eec..e9c4bb7 100644
>>> +index d7f68b1..5fe5f43 100644
>>> --- a/src/groupadd.c
>>> +++ b/src/groupadd.c
>>> @@ -34,6 +34,9 @@
>>> @@ -38,7 +38,7 @@ index 2dd8eec..e9c4bb7 100644
>>> #include <fcntl.h>
>>> #include <getopt.h>
>>> diff --git a/src/groupdel.c b/src/groupdel.c
>>> -index f941a84..5a70056 100644
>>> +index 5c89312..2aefc5a 100644
>>> --- a/src/groupdel.c
>>> +++ b/src/groupdel.c
>>> @@ -34,6 +34,9 @@
>>> @@ -52,7 +52,7 @@ index f941a84..5a70056 100644
>>> #include <fcntl.h>
>>> #include <grp.h>
>>> diff --git a/src/groupmems.c b/src/groupmems.c
>>> -index fc91c8b..2842514 100644
>>> +index 654a8f3..6b2026b 100644
>>> --- a/src/groupmems.c
>>> +++ b/src/groupmems.c
>>> @@ -32,6 +32,9 @@
>>> @@ -66,7 +66,7 @@ index fc91c8b..2842514 100644
>>> #include <getopt.h>
>>> #include <grp.h>
>>> diff --git a/src/groupmod.c b/src/groupmod.c
>>> -index 1dca5fc..bc14438 100644
>>> +index acd6f35..a2c5247 100644
>>> --- a/src/groupmod.c
>>> +++ b/src/groupmod.c
>>> @@ -34,6 +34,9 @@
>>> @@ -80,7 +80,7 @@ index 1dca5fc..bc14438 100644
>>> #include <fcntl.h>
>>> #include <getopt.h>
>>> diff --git a/src/useradd.c b/src/useradd.c
>>> -index 4af0f7c..1b7bf06 100644
>>> +index 127177e..b80e505 100644
>>> --- a/src/useradd.c
>>> +++ b/src/useradd.c
>>> @@ -34,6 +34,9 @@
>>> @@ -94,21 +94,22 @@ index 4af0f7c..1b7bf06 100644
>>> #include <ctype.h>
>>> #include <errno.h>
>>> diff --git a/src/userdel.c b/src/userdel.c
>>> -index cc951e5..153e0be 100644
>>> +index 79a7c89..c1e010a 100644
>>> --- a/src/userdel.c
>>> +++ b/src/userdel.c
>>> -@@ -34,6 +34,9 @@
>>> -
>>> - #ident "$Id$"
>>> +@@ -31,6 +31,10 @@
>>> + */
>>>
>>> + #include <config.h>
>>> ++
>>> +/* Disable use of syslog since we're running this command against a sysroot */
>>> +#undef USE_SYSLOG
>>> +
>>> #include <assert.h>
>>> + #include <dirent.h>
>>> #include <errno.h>
>>> - #include <fcntl.h>
>>> diff --git a/src/usermod.c b/src/usermod.c
>>> -index 05b9871..21c6da9 100644
>>> +index 03bb9b9..e15fdd4 100644
>>> --- a/src/usermod.c
>>> +++ b/src/usermod.c
>>> @@ -34,6 +34,9 @@
>>> diff --git a/meta/recipes-extended/shadow/files/0001-Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch b/meta/recipes-extended/shadow/files/0001-Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch
>>> new file mode 100644
>>> index 0000000000..c577be6505
>>> --- /dev/null
>>> +++ b/meta/recipes-extended/shadow/files/0001-Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch
>>> @@ -0,0 +1,114 @@
>>> +From eced8077b57946fe0b723e7c6c510e8f344ce89b Mon Sep 17 00:00:00 2001
>>> +From: Serge Hallyn<serge@hallyn.com> <mailto:serge@hallyn.com>
>>> +Date: Fri, 23 Jul 2021 17:51:13 -0500
>>> +Subject: [PATCH] Fix out of tree builds with respect to libsubid includes
>>> +
>>> +There's a better way to do this, and I hope to clean that up,
>>> +but this fixes out of tree builds for me right now.
>>> +
>>> +Closes #386
>>> +
>>> +Signed-off-by: Serge Hallyn<serge@hallyn.com> <mailto:serge@hallyn.com>
>>> +Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/537b8cd90be7b47b45c45cfd27765ef85eb0ebf1 <https://github.com/shadow-maint/shadow/commit/537b8cd90be7b47b45c45cfd27765ef85eb0ebf1>]
>>> +Signed-off-by: Alexander Kanavin<alex.kanavin@gmail.com> <mailto:alex.kanavin@gmail.com>
>>> +---
>>> + lib/Makefile.am | 2 ++
>>> + libmisc/Makefile.am | 2 +-
>>> + libsubid/Makefile.am | 4 ++--
>>> + src/Makefile.am | 6 ++++++
>>> + 4 files changed, 11 insertions(+), 3 deletions(-)
>>> +
>>> +diff --git a/lib/Makefile.am b/lib/Makefile.am
>>> +index ecf3ee25..5ac2e111 100644
>>> +--- a/lib/Makefile.am
>>> ++++ b/lib/Makefile.am
>>> +@@ -10,6 +10,8 @@ if HAVE_VENDORDIR
>>> + libshadow_la_CPPFLAGS += -DVENDORDIR=\"$(VENDORDIR)\"
>>> + endif
>>> +
>>> ++libshadow_la_CPPFLAGS += -I$(top_srcdir)
>>> ++
>>> + libshadow_la_SOURCES = \
>>> + commonio.c \
>>> + commonio.h \
>>> +diff --git a/libmisc/Makefile.am b/libmisc/Makefile.am
>>> +index 9766a7ec..9f237e0d 100644
>>> +--- a/libmisc/Makefile.am
>>> ++++ b/libmisc/Makefile.am
>>> +@@ -1,7 +1,7 @@
>>> +
>>> + EXTRA_DIST = .indent.pro <http://indent.pro> xgetXXbyYY.c
>>> +
>>> +-AM_CPPFLAGS = -I$(top_srcdir)/lib $(ECONF_CPPFLAGS)
>>> ++AM_CPPFLAGS = -I$(top_srcdir)/lib -I$(top_srcdir) $(ECONF_CPPFLAGS)
>>> +
>>> + noinst_LTLIBRARIES =libmisc.la <http://libmisc.la>
>>> +
>>> +diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am
>>> +index 189165b0..cdc41fe6 100644
>>> +--- a/libsubid/Makefile.am
>>> ++++ b/libsubid/Makefile.am
>>> +@@ -19,8 +19,8 @@ MISCLIBS = \
>>> + $(LIBTCB)
>>> +
>>> + libsubid_la_LIBADD = \
>>> +- $(top_srcdir)/lib/libshadow.la <http://libshadow.la> \
>>> +- $(top_srcdir)/libmisc/libmisc.la <http://libmisc.la> \
>>> ++ $(top_builddir)/lib/libshadow.la <http://libshadow.la> \
>>> ++ $(top_builddir)/libmisc/libmisc.la <http://libmisc.la> \
>>> + $(MISCLIBS) -ldl
>>> +
>>> + AM_CPPFLAGS = \
>>> +diff --git a/src/Makefile.am b/src/Makefile.am
>>> +index 35027013..7c1a3491 100644
>>> +--- a/src/Makefile.am
>>> ++++ b/src/Makefile.am
>>> +@@ -10,6 +10,7 @@ sgidperms = 2755
>>> + AM_CPPFLAGS = \
>>> + -I${top_srcdir}/lib \
>>> + -I$(top_srcdir)/libmisc \
>>> ++ -I$(top_srcdir) \
>>> + -DLOCALEDIR=\"$(datadir)/locale\"
>>> +
>>> + # XXX why are login and su in /bin anyway (other than for
>>> +@@ -183,6 +184,7 @@ list_subid_ranges_LDADD = \
>>> + list_subid_ranges_CPPFLAGS = \
>>> + -I$(top_srcdir)/lib \
>>> + -I$(top_srcdir)/libmisc \
>>> ++ -I$(top_srcdir) \
>>> + -I$(top_srcdir)/libsubid
>>> +
>>> + get_subid_owners_LDADD = \
>>> +@@ -194,11 +196,13 @@ get_subid_owners_LDADD = \
>>> + get_subid_owners_CPPFLAGS = \
>>> + -I$(top_srcdir)/lib \
>>> + -I$(top_srcdir)/libmisc \
>>> ++ -I$(top_srcdir) \
>>> + -I$(top_srcdir)/libsubid
>>> +
>>> + new_subid_range_CPPFLAGS = \
>>> + -I$(top_srcdir)/lib \
>>> + -I$(top_srcdir)/libmisc \
>>> ++ -I$(top_srcdir) \
>>> + -I$(top_srcdir)/libsubid
>>> +
>>> + new_subid_range_LDADD = \
>>> +@@ -210,6 +214,7 @@ new_subid_range_LDADD = \
>>> + free_subid_range_CPPFLAGS = \
>>> + -I$(top_srcdir)/lib \
>>> + -I$(top_srcdir)/libmisc \
>>> ++ -I$(top_srcdir) \
>>> + -I$(top_srcdir)/libsubid
>>> +
>>> + free_subid_range_LDADD = \
>>> +@@ -220,6 +225,7 @@ free_subid_range_LDADD = \
>>> +
>>> + check_subid_range_CPPFLAGS = \
>>> + -I$(top_srcdir)/lib \
>>> ++ -I$(top_srcdir) \
>>> + -I$(top_srcdir)/libmisc
>>> +
>>> + check_subid_range_LDADD = \
>>> +--
>>> +2.31.1
>>> +
>>> diff --git a/meta/recipes-extended/shadow/files/0001-libsubid-link-to-PAM-libraries.patch b/meta/recipes-extended/shadow/files/0001-libsubid-link-to-PAM-libraries.patch
>>> new file mode 100644
>>> index 0000000000..ea7a99dbf7
>>> --- /dev/null
>>> +++ b/meta/recipes-extended/shadow/files/0001-libsubid-link-to-PAM-libraries.patch
>>> @@ -0,0 +1,31 @@
>>> +From 4f44617af3a0c59be267ac5fcc33586e3783f5e6 Mon Sep 17 00:00:00 2001
>>> +From: Xi Ruoyao<xry111@mengyan1223.wang> <mailto:xry111@mengyan1223.wang>
>>> +Date: Fri, 23 Jul 2021 14:38:08 +0800
>>> +Subject: [PATCH] libsubid: link to PAM libraries
>>> +
>>> +libsubid.so links to libmisc.a, which contains several routines referring to
>>> +PAM functions.
>>> +
>>> +Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/f4a84efb468b8be21be124700ce35159c444e9d6 <https://github.com/shadow-maint/shadow/commit/f4a84efb468b8be21be124700ce35159c444e9d6>]
>>> +Signed-off-by: Alexander Kanavin<alex.kanavin@gmail.com> <mailto:alex.kanavin@gmail.com>
>>> +---
>>> + libsubid/Makefile.am | 3 ++-
>>> + 1 file changed, 2 insertions(+), 1 deletion(-)
>>> +
>>> +diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am
>>> +index cdc41fe6..99308c1f 100644
>>> +--- a/libsubid/Makefile.am
>>> ++++ b/libsubid/Makefile.am
>>> +@@ -16,7 +16,8 @@ MISCLIBS = \
>>> + $(LIBCRYPT) \
>>> + $(LIBACL) \
>>> + $(LIBATTR) \
>>> +- $(LIBTCB)
>>> ++ $(LIBTCB) \
>>> ++ $(LIBPAM)
>>> +
>>> + libsubid_la_LIBADD = \
>>> + $(top_builddir)/lib/libshadow.la <http://libshadow.la> \
>>> +--
>>> +2.31.1
>>> +
>>> diff --git a/meta/recipes-extended/shadow/files/0002-Allow-for-setting-password-in-clear-text.patch b/meta/recipes-extended/shadow/files/0002-Allow-for-setting-password-in-clear-text.patch
>>> deleted file mode 100644
>>> index c6332e4f76..0000000000
>>> --- a/meta/recipes-extended/shadow/files/0002-Allow-for-setting-password-in-clear-text.patch
>>> +++ /dev/null
>>> @@ -1,301 +0,0 @@
>>> -From a7d995228491ad5255ad86c1f04ba071f6880897 Mon Sep 17 00:00:00 2001
>>> -From: Chen Qi<Qi.Chen@windriver.com> <mailto:Qi.Chen@windriver.com>
>>> -Date: Sat, 16 Nov 2013 15:27:47 +0800
>>> -Subject: [PATCH] Allow for setting password in clear text
>>> -
>>> -Upstream-Status: Inappropriate [OE specific]
>>> -
>>> -Signed-off-by: Chen Qi<Qi.Chen@windriver.com> <mailto:Qi.Chen@windriver.com>
>>> -
>>> ----
>>> - src/Makefile.am | 8 ++++----
>>> - src/groupadd.c | 20 +++++++++++++++-----
>>> - src/groupmod.c | 20 +++++++++++++++-----
>>> - src/useradd.c | 21 +++++++++++++++------
>>> - src/usermod.c | 20 +++++++++++++++-----
>>> - 5 files changed, 64 insertions(+), 25 deletions(-)
>>> -
>>> -diff --git a/src/Makefile.am b/src/Makefile.am
>>> -index f31fd7a..4a317a3 100644
>>> ---- a/src/Makefile.am
>>> -+++ b/src/Makefile.am
>>> -@@ -103,10 +103,10 @@ chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM)
>>> - chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF)
>>> - expiry_LDADD = $(LDADD) $(LIBECONF)
>>> - gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF)
>>> --groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
>>> -+groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) $(LIBCRYPT)
>>> - groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
>>> - groupmems_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
>>> --groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
>>> -+groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) $(LIBCRYPT)
>>> - grpck_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
>>> - grpconv_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
>>> - grpunconv_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
>>> -@@ -127,9 +127,9 @@ su_SOURCES = \
>>> - suauth.c
>>> - su_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)
>>> - sulogin_LDADD = $(LDADD) $(LIBCRYPT) $(LIBECONF)
>>> --useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBECONF)
>>> -+useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBECONF) $(LIBCRYPT)
>>> - userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBECONF)
>>> --usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBECONF)
>>> -+usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBECONF) $(LIBCRYPT)
>>> - vipw_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
>>> -
>>> - install-am: all-am
>>> -diff --git a/src/groupadd.c b/src/groupadd.c
>>> -index e9c4bb7..d572c00 100644
>>> ---- a/src/groupadd.c
>>> -+++ b/src/groupadd.c
>>> -@@ -127,9 +127,10 @@ static /*@noreturn@*/void usage (int status)
>>> - (void) fputs (_(" -o, --non-unique allow to create groups with duplicate\n"
>>> - " (non-unique) GID\n"), usageout);
>>> - (void) fputs (_(" -p, --password PASSWORD use this encrypted password for the new group\n"), usageout);
>>> -+ (void) fputs (_(" -P, --clear-password PASSWORD use this clear password for the new group\n"), usageout);
>>> - (void) fputs (_(" -r, --system create a system account\n"), usageout);
>>> - (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
>>> -- (void) fputs (_(" -P, --prefix PREFIX_DIR directory prefix\n"), usageout);
>>> -+ (void) fputs (_(" -A, --prefix PREFIX_DIR directory prefix\n"), usageout);
>>> - (void) fputs ("\n", usageout);
>>> - exit (status);
>>> - }
>>> -@@ -391,13 +392,14 @@ static void process_flags (int argc, char **argv)
>>> - {"key", required_argument, NULL, 'K'},
>>> - {"non-unique", no_argument, NULL, 'o'},
>>> - {"password", required_argument, NULL, 'p'},
>>> -+ {"clear-password", required_argument, NULL, 'P'},
>>> - {"system", no_argument, NULL, 'r'},
>>> - {"root", required_argument, NULL, 'R'},
>>> -- {"prefix", required_argument, NULL, 'P'},
>>> -+ {"prefix", required_argument, NULL, 'A'},
>>> - {NULL, 0, NULL, '\0'}
>>> - };
>>> -
>>> -- while ((c = getopt_long (argc, argv, "fg:hK:op:rR:P:",
>>> -+ while ((c = getopt_long (argc, argv, "fg:hK:op:P:rR:A:",
>>> - long_options, NULL)) != -1) {
>>> - switch (c) {
>>> - case 'f':
>>> -@@ -449,12 +451,20 @@ static void process_flags (int argc, char **argv)
>>> - pflg = true;
>>> - group_passwd = optarg;
>>> - break;
>>> -+ case 'P':
>>> -+ pflg = true;
>>> -+ group_passwd = pw_encrypt (optarg, crypt_make_salt (NULL, NULL));
>>> -+ break;
>>> - case 'r':
>>> - rflg = true;
>>> - break;
>>> - case 'R': /* no-op, handled in process_root_flag () */
>>> - break;
>>> -- case 'P': /* no-op, handled in process_prefix_flag () */
>>> -+ case 'A': /* no-op, handled in process_prefix_flag () */
>>> -+ fprintf (stderr,
>>> -+ _("%s: -A is deliberately not supported \n"),
>>> -+ Prog);
>>> -+ exit (E_BAD_ARG);
>>> - break;
>>> - default:
>>> - usage (E_USAGE);
>>> -@@ -588,7 +598,7 @@ int main (int argc, char **argv)
>>> - (void) textdomain (PACKAGE);
>>> -
>>> - process_root_flag ("-R", argc, argv);
>>> -- prefix = process_prefix_flag ("-P", argc, argv);
>>> -+ prefix = process_prefix_flag ("-A", argc, argv);
>>> -
>>> - OPENLOG ("groupadd");
>>> - #ifdef WITH_AUDIT
>>> -diff --git a/src/groupmod.c b/src/groupmod.c
>>> -index bc14438..25ccb44 100644
>>> ---- a/src/groupmod.c
>>> -+++ b/src/groupmod.c
>>> -@@ -138,8 +138,9 @@ static void usage (int status)
>>> - (void) fputs (_(" -o, --non-unique allow to use a duplicate (non-unique) GID\n"), usageout);
>>> - (void) fputs (_(" -p, --password PASSWORD change the password to this (encrypted)\n"
>>> - " PASSWORD\n"), usageout);
>>> -+ (void) fputs (_(" -P, --clear-password PASSWORD change the password to this clear PASSWORD\n"), usageout);
>>> - (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
>>> -- (void) fputs (_(" -P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout);
>>> -+ (void) fputs (_(" -A, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout);
>>> - (void) fputs ("\n", usageout);
>>> - exit (status);
>>> - }
>>> -@@ -387,11 +388,12 @@ static void process_flags (int argc, char **argv)
>>> - {"new-name", required_argument, NULL, 'n'},
>>> - {"non-unique", no_argument, NULL, 'o'},
>>> - {"password", required_argument, NULL, 'p'},
>>> -+ {"clear-password", required_argument, NULL, 'P'},
>>> - {"root", required_argument, NULL, 'R'},
>>> -- {"prefix", required_argument, NULL, 'P'},
>>> -+ {"prefix", required_argument, NULL, 'A'},
>>> - {NULL, 0, NULL, '\0'}
>>> - };
>>> -- while ((c = getopt_long (argc, argv, "g:hn:op:R:P:",
>>> -+ while ((c = getopt_long (argc, argv, "g:hn:op:P:R:A:",
>>> - long_options, NULL)) != -1) {
>>> - switch (c) {
>>> - case 'g':
>>> -@@ -418,9 +420,17 @@ static void process_flags (int argc, char **argv)
>>> - group_passwd = optarg;
>>> - pflg = true;
>>> - break;
>>> -+ case 'P':
>>> -+ group_passwd = pw_encrypt (optarg, crypt_make_salt (NULL, NULL));
>>> -+ pflg = true;
>>> -+ break;
>>> - case 'R': /* no-op, handled in process_root_flag () */
>>> - break;
>>> -- case 'P': /* no-op, handled in process_prefix_flag () */
>>> -+ case 'A': /* no-op, handled in process_prefix_flag () */
>>> -+ fprintf (stderr,
>>> -+ _("%s: -A is deliberately not supported \n"),
>>> -+ Prog);
>>> -+ exit (E_BAD_ARG);
>>> - break;
>>> - default:
>>> - usage (E_USAGE);
>>> -@@ -761,7 +771,7 @@ int main (int argc, char **argv)
>>> - (void) textdomain (PACKAGE);
>>> -
>>> - process_root_flag ("-R", argc, argv);
>>> -- prefix = process_prefix_flag ("-P", argc, argv);
>>> -+ prefix = process_prefix_flag ("-A", argc, argv);
>>> -
>>> - OPENLOG ("groupmod");
>>> - #ifdef WITH_AUDIT
>>> -diff --git a/src/useradd.c b/src/useradd.c
>>> -index 1b7bf06..44f09e2 100644
>>> ---- a/src/useradd.c
>>> -+++ b/src/useradd.c
>>> -@@ -853,9 +853,10 @@ static void usage (int status)
>>> - (void) fputs (_(" -o, --non-unique allow to create users with duplicate\n"
>>> - " (non-unique) UID\n"), usageout);
>>> - (void) fputs (_(" -p, --password PASSWORD encrypted password of the new account\n"), usageout);
>>> -+ (void) fputs (_(" -P, --clear-password PASSWORD clear password of the new account\n"), usageout);
>>> - (void) fputs (_(" -r, --system create a system account\n"), usageout);
>>> - (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
>>> -- (void) fputs (_(" -P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout);
>>> -+ (void) fputs (_(" -A, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout);
>>> - (void) fputs (_(" -s, --shell SHELL login shell of the new account\n"), usageout);
>>> - (void) fputs (_(" -u, --uid UID user ID of the new account\n"), usageout);
>>> - (void) fputs (_(" -U, --user-group create a group with the same name as the user\n"), usageout);
>>> -@@ -1133,9 +1134,10 @@ static void process_flags (int argc, char **argv)
>>> - {"no-user-group", no_argument, NULL, 'N'},
>>> - {"non-unique", no_argument, NULL, 'o'},
>>> - {"password", required_argument, NULL, 'p'},
>>> -+ {"clear-password", required_argument, NULL, 'P'},
>>> - {"system", no_argument, NULL, 'r'},
>>> - {"root", required_argument, NULL, 'R'},
>>> -- {"prefix", required_argument, NULL, 'P'},
>>> -+ {"prefix", required_argument, NULL, 'A'},
>>> - {"shell", required_argument, NULL, 's'},
>>> - {"uid", required_argument, NULL, 'u'},
>>> - {"user-group", no_argument, NULL, 'U'},
>>> -@@ -1146,9 +1148,9 @@ static void process_flags (int argc, char **argv)
>>> - };
>>> - while ((c = getopt_long (argc, argv,
>>> - #ifdef WITH_SELINUX
>>> -- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:UZ:",
>>> -+ "b:c:d:De:f:g:G:hk:K:lmMNop:P:rR:A:s:u:UZ:",
>>> - #else /* !WITH_SELINUX */
>>> -- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:U",
>>> -+ "b:c:d:De:f:g:G:hk:K:lmMNop:P:rR:A:s:u:U",
>>> - #endif /* !WITH_SELINUX */
>>> - long_options, NULL)) != -1) {
>>> - switch (c) {
>>> -@@ -1320,12 +1322,19 @@ static void process_flags (int argc, char **argv)
>>> - }
>>> - user_pass = optarg;
>>> - break;
>>> -+ case 'P': /* set clear text password */
>>> -+ user_pass = pw_encrypt (optarg, crypt_make_salt (NULL, NULL));
>>> -+ break;
>>> - case 'r':
>>> - rflg = true;
>>> - break;
>>> - case 'R': /* no-op, handled in process_root_flag () */
>>> - break;
>>> -- case 'P': /* no-op, handled in process_prefix_flag () */
>>> -+ case 'A': /* no-op, handled in process_prefix_flag () */
>>> -+ fprintf (stderr,
>>> -+ _("%s: -A is deliberately not supported \n"),
>>> -+ Prog);
>>> -+ exit (E_BAD_ARG);
>>> - break;
>>> - case 's':
>>> - if ( ( !VALID (optarg) )
>>> -@@ -2257,7 +2266,7 @@ int main (int argc, char **argv)
>>> -
>>> - process_root_flag ("-R", argc, argv);
>>> -
>>> -- prefix = process_prefix_flag("-P", argc, argv);
>>> -+ prefix = process_prefix_flag("-A", argc, argv);
>>> -
>>> - OPENLOG ("useradd");
>>> - #ifdef WITH_AUDIT
>>> -diff --git a/src/usermod.c b/src/usermod.c
>>> -index 21c6da9..cffdb3e 100644
>>> ---- a/src/usermod.c
>>> -+++ b/src/usermod.c
>>> -@@ -431,8 +431,9 @@ static /*@noreturn@*/void usage (int status)
>>> - " new location (use only with -d)\n"), usageout);
>>> - (void) fputs (_(" -o, --non-unique allow using duplicate (non-unique) UID\n"), usageout);
>>> - (void) fputs (_(" -p, --password PASSWORD use encrypted password for the new password\n"), usageout);
>>> -+ (void) fputs (_(" -P, --clear-password PASSWORD use clear password for the new password\n"), usageout);
>>> - (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
>>> -- (void) fputs (_(" -P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout);
>>> -+ (void) fputs (_(" -A, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout);
>>> - (void) fputs (_(" -s, --shell SHELL new login shell for the user account\n"), usageout);
>>> - (void) fputs (_(" -u, --uid UID new UID for the user account\n"), usageout);
>>> - (void) fputs (_(" -U, --unlock unlock the user account\n"), usageout);
>>> -@@ -1010,8 +1011,9 @@ static void process_flags (int argc, char **argv)
>>> - {"move-home", no_argument, NULL, 'm'},
>>> - {"non-unique", no_argument, NULL, 'o'},
>>> - {"password", required_argument, NULL, 'p'},
>>> -+ {"clear-password", required_argument, NULL, 'P'},
>>> - {"root", required_argument, NULL, 'R'},
>>> -- {"prefix", required_argument, NULL, 'P'},
>>> -+ {"prefix", required_argument, NULL, 'A'},
>>> - {"shell", required_argument, NULL, 's'},
>>> - {"uid", required_argument, NULL, 'u'},
>>> - {"unlock", no_argument, NULL, 'U'},
>>> -@@ -1027,7 +1029,7 @@ static void process_flags (int argc, char **argv)
>>> - {NULL, 0, NULL, '\0'}
>>> - };
>>> - while ((c = getopt_long (argc, argv,
>>> -- "abc:d:e:f:g:G:hl:Lmop:R:s:u:UP:"
>>> -+ "abc:d:e:f:g:G:hl:Lmop:P:R:s:u:UA:"
>>> - #ifdef ENABLE_SUBIDS
>>> - "v:w:V:W:"
>>> - #endif /* ENABLE_SUBIDS */
>>> -@@ -1130,9 +1132,17 @@ static void process_flags (int argc, char **argv)
>>> - user_pass = optarg;
>>> - pflg = true;
>>> - break;
>>> -+ case 'P':
>>> -+ user_pass = pw_encrypt (optarg, crypt_make_salt (NULL, NULL));
>>> -+ pflg = true;
>>> -+ break;
>>> - case 'R': /* no-op, handled in process_root_flag () */
>>> - break;
>>> -- case 'P': /* no-op, handled in process_prefix_flag () */
>>> -+ case 'A': /* no-op, handled in process_prefix_flag () */
>>> -+ fprintf (stderr,
>>> -+ _("%s: -A is deliberately not supported \n"),
>>> -+ Prog);
>>> -+ exit (E_BAD_ARG);
>>> - break;
>>> - case 's':
>>> - if (!VALID (optarg)) {
>>> -@@ -2127,7 +2137,7 @@ int main (int argc, char **argv)
>>> - (void) textdomain (PACKAGE);
>>> -
>>> - process_root_flag ("-R", argc, argv);
>>> -- prefix = process_prefix_flag ("-P", argc, argv);
>>> -+ prefix = process_prefix_flag ("-A", argc, argv);
>>> -
>>> - OPENLOG ("usermod");
>>> - #ifdef WITH_AUDIT
>>> diff --git a/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch b/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch
>>> index 9825216369..bd24626a26 100644
>>> --- a/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch
>>> +++ b/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch
>>> @@ -1,4 +1,4 @@
>>> -From 66533c7c6f347d257020675a1ed6e0c59cbbc3f0 Mon Sep 17 00:00:00 2001
>>> +From 1422c24f7266b553c82100e3d18a10c55cd91063 Mon Sep 17 00:00:00 2001
>>> From: Chen Qi<Qi.Chen@windriver.com> <mailto:Qi.Chen@windriver.com>
>>> Date: Thu, 17 Jul 2014 15:53:34 +0800
>>> Subject: [PATCH] commonio.c-fix-unexpected-open-failure-in-chroot-env
>>> @@ -21,10 +21,10 @@ Signed-off-by: Chen Qi<Qi.Chen@windriver.com> <mailto:Qi.Chen@windriver.com>
>>> 1 file changed, 12 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/lib/commonio.c b/lib/commonio.c
>>> -index 16fa7e7..d6bc297 100644
>>> +index cef404b..66908fb 100644
>>> --- a/lib/commonio.c
>>> +++ b/lib/commonio.c
>>> -@@ -632,10 +632,18 @@ int commonio_open (struct commonio_db *db, int mode)
>>> +@@ -646,10 +646,18 @@ int commonio_open (struct commonio_db *db, int mode)
>>> db->cursor = NULL;
>>> db->changed = false;
>>>
>>> diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
>>> index 2cbdfbc1cf..51d2ca5f16 100644
>>> --- a/meta/recipes-extended/shadow/shadow.inc
>>> +++ b/meta/recipes-extended/shadow/shadow.inc
>>> @@ -10,10 +10,12 @@ LIC_FILES_CHKSUM ="file://COPYING;md5=ed80ff1c2b40843cf5768e5229cf16e5 \ DEPENDS = "virtual/crypt"
>>>
>>> UPSTREAM_CHECK_URI ="https://github.com/shadow-maint/shadow/releases" <https://github.com/shadow-maint/shadow/releases>
>>> -SRC_URI ="https://github.com/shadow-maint/shadow/releases/download/${PV}/${BP}.tar.gz
>>> \ +SRC_URI = " <https://github.com/shadow-maint/shadow/releases/download/$%7BPV%7D/$%7BBP%7D.tar.gz%5C+SRC_URI=>https://github.com/shadow-maint/shadow/releases/download/v${PV}/${BP}.tar.gz <https://github.com/shadow-maint/shadow/releases/download/v$%7BPV%7D/$%7BBP%7D.tar.gz> \
>>> file://shadow-4.1.3-dots-in-usernames.patch \
>>> ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
>>> file://shadow-relaxed-usernames.patch \
>>> + file://0001-Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch \
>>> + file://0001-libsubid-link-to-PAM-libraries.patch \
>>> "
>>>
>>> SRC_URI_append_class-target = " \
>>> @@ -23,15 +25,13 @@ SRC_URI_append_class-target = " \
>>>
>>> SRC_URI_append_class-native = " \
>>> file://0001-Disable-use-of-syslog-for-sysroot.patch \
>>> -file://0002-Allow-for-setting-password-in-clear-text.patch \
>>> file://commonio.c-fix-unexpected-open-failure-in-chroot-env.patch \
>>> "
>>> SRC_URI_append_class-nativesdk = " \
>>> file://0001-Disable-use-of-syslog-for-sysroot.patch \
>>> "
>>>
>>> -SRC_URI[md5sum] = "3d97f11e66bfb0b14702b115fa8be480"
>>> -SRC_URI[sha256sum] = "3ee3081fbbcbcfea5c8916419e46bc724807bab271072104f23e7a29e9668f3a"
>>> +SRC_URI[sha256sum] = "6c4627ff9c9422b96664517ae753c944f2902e92809d0698b65f5fef11985212"
>>>
>>> # Additional Policy files for PAM
>>> PAM_SRC_URI ="file://pam.d/chfn \ @@ -115,12 +115,6 @@ do_install() { # Use
>>> proper encryption for passwords sed -i
>>> 's/^#ENCRYPT_METHOD.*$/ENCRYPT_METHOD SHA512/'
>>> ${D}${sysconfdir}/login.defs - # Now we don't have a mail system.
>>> Disable mail creation for now. - sed -i 's:/bin/bash:/bin/sh:g'
>>> ${D}${sysconfdir}/default/useradd - sed -i '/^CREATE_MAIL_SPOOL/
>>> s:^:#:' ${D}${sysconfdir}/default/useradd - - # Use users group by
>>> default - sed -i 's,^GROUP=1000,GROUP=100,g'
>>> ${D}${sysconfdir}/default/useradd } do_install_append() { @@
>>> -184,13 +178,6 @@ ALTERNATIVE_${PN}-base = "newgrp groups login su"
>>> ALTERNATIVE_LINK_NAME[login] = "${base_bindir}/login"
>>> ALTERNATIVE_LINK_NAME[su] = "${base_bindir}/su"
>>>
>>> -ALTERNATIVE_${PN}-doc = "passwd.5 getspnam.3 groups.1 su.1 nologin.8"
>>> -ALTERNATIVE_LINK_NAME[passwd.5] = "${mandir}/man5/passwd.5"
>>> -ALTERNATIVE_LINK_NAME[getspnam.3] = "${mandir}/man3/getspnam.3"
>>> -ALTERNATIVE_LINK_NAME[groups.1] = "${mandir}/man1/groups.1"
>>> -ALTERNATIVE_LINK_NAME[su.1] = "${mandir}/man1/su.1"
>>> -ALTERNATIVE_LINK_NAME[nologin.8] = "${mandir}/man8/nologin.8"
>>> -
>>> PACKAGE_WRITE_DEPS += "shadow-native"
>>> pkg_postinst_${PN}_class-target () {
>>> if [ "x$D" != "x" ]; then
>>> diff --git a/meta/recipes-extended/shadow/shadow_4.8.1.bb <http://shadow_4.8.1.bb> b/meta/recipes-extended/shadow/shadow_4.9.bb <http://shadow_4.9.bb>
>>> similarity index 100%
>>> rename from meta/recipes-extended/shadow/shadow_4.8.1.bb <http://shadow_4.8.1.bb>
>>> rename to meta/recipes-extended/shadow/shadow_4.9.bb <http://shadow_4.9.bb>
>>>
>>
>>
>>
>>
>>
>>
>>
>>
next prev parent reply other threads:[~2021-08-04 18:28 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-30 11:44 [PATCH 1/9] cmake: update 3.21.0 -> 3.21.1 Alexander Kanavin
2021-07-30 11:45 ` [PATCH 2/9] mtools: update 4.0.32 -> 4.0.34 Alexander Kanavin
2021-07-30 11:45 ` [PATCH 3/9] util-linux: update 2.37 -> 2.37.1 Alexander Kanavin
2021-07-30 11:45 ` [PATCH 4/9] iputils: update 20210202 -> 20210722 Alexander Kanavin
2021-08-03 22:04 ` [OE-core] " Martin Jansa
2021-07-30 11:45 ` [PATCH 5/9] freetype: update 2.10.4 -> 2.11.0 Alexander Kanavin
2021-07-30 11:45 ` [PATCH 6/9] shadow: update 4.8.1 -> 4.9 Alexander Kanavin
2021-08-04 8:39 ` [OE-core] " Yi Zhao
2021-08-04 10:12 ` Alexander Kanavin
2021-08-04 18:13 ` Khem Raj
2021-08-04 18:28 ` Mark Hatle [this message]
2021-07-30 11:45 ` [PATCH 7/9] devtool: print a warning on upgrades if PREFERRED_VERSION is set Alexander Kanavin
2021-07-30 11:45 ` [PATCH 8/9] rpm: do not RRECOMMEND rpm-build Alexander Kanavin
2021-07-30 11:45 ` [PATCH 9/9] selftest: add core-image-weston to no-gpl3-no-meta-gpl2 image test Alexander Kanavin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=deab9df2-17a5-7589-6e25-a49c4aee7e08@kernel.crashing.org \
--to=mark.hatle@kernel.crashing.org \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.