# Contributor: William Pitcock # Contributor: Jakub Jirutka # Maintainer: Stuart Cardall global pkgname := 'shadow' global pkgver := '4.2.1' global pkgrel := '11' global pkgdesc := '"PAM-using login and passwd utilities (usermod, useradd, ...)'" global url := '"http://pkg-shadow.alioth.debian.org/'" global arch := '"all'" global license := '"GPL'" global depends := ''"" global makedepends := '"linux-pam-dev'" global subpackages := ""$pkgname-doc $pkgname-dbg $pkgname-uidmap"" global source := ""http://pkg-shadow.alioth.debian.org/releases/shadow-$pkgver.tar.xz login.pamd dots-in-usernames.patch cross-size-checks.patch verbose-error-when-uid-doesnt-match.patch 301-CVE-2017-2616-su-properly-clear-child-PID.patch 302-CVE-2016-6252-fix-integer-overflow.patch 303-Reset-pid_child-only-if-waitpid-was-successful.patch useradd-usergroups.patch pam-useradd.patch "" # secfixes: # - CVE-2016-6252 # - CVE-2017-2616 (+ regression fix) global options := '"suid'" global builddir := ""$srcdir/shadow-$pkgver"" proc build { cd $builddir ./configure \ --build=$CBUILD \ --host=$CHOST \ --target=$CTARGET \ --prefix=/usr \ --sysconfdir=/etc \ --mandir=/usr/share/man \ --infodir=/usr/share/info \ --localstatedir=/var \ --disable-nls \ --with-libpam \ --without-audit \ --without-selinux \ --without-acl \ --without-attr \ --without-tcb \ --without-nscd \ --without-group-name-max-length \ || return 1 make || return 1 } proc check { cd $builddir make check } proc package { cd $builddir make DESTDIR="$pkgdir" install || return 1 # Do not install these pam.d files they are broken and outdated. rm "$pkgdir"/etc/pam.d/* || return 1 # install some pam.d files based on a patched useradd for pamf in [groupadd groupdel groupmems groupmod \ useradd userdel usermod] { install -m0644 etc/pam.d/useradd \ "$pkgdir/etc/pam.d/$pamf" || return 1 } # nologin is provided by util-linux. rm "$pkgdir"/sbin/nologin || return 1 # However, install our own for login. cp "$srcdir"/login.pamd "$pkgdir"/etc/pam.d/login || return 1 # /etc/login.defs is not very useful - replace it with an *almost* blank file. rm "$pkgdir"/etc/login.defs echo "USERGROUPS_ENAB yes" > "$pkgdir"/etc/login.defs # Avoid conflict with man-pages. rm "$pkgdir"/usr/share/man/man3/getspnam.3* \ "$pkgdir"/usr/share/man/man5/passwd.5* || return 1 } proc uidmap { global pkgdesc := '"Utilities for using subordinate UIDs and GIDs'" mkdir -p $subpkgdir cd $subpkgdir mkdir -p usr/bin mv "$pkgdir"/usr/bin/new*idmap usr/bin/ || return 1 chmod 4711 usr/bin/new*idmap || return 1 # Used e.g. for unprivileged LXC containers. mkdir etc touch etc/subuid etc/subgid } global sha512sums := '"7a14bf8e08126f0402e37b6e4c559615ced7cf829e39156d929ed05cd8813de48a77ff1f7f6fe707da04cf662a2e9e84c22d63d88dd1ed13f935fde594db95f0 shadow-4.2.1.tar.xz 46a6f83f3698e101b58b8682852da749619412f75dfa85cecad03d0847f6c3dc452d984510db7094220e4570a0565b83b0556e16198ad894a3ec84b3e513d58d login.pamd 745eea04c054226feba165b635dbb8570b8a04537d41e914400a4c54633c3a9cf350da0aabfec754fb8cf3e58fc1c8cf597b895506312f19469071760c11f31d dots-in-usernames.patch c46760254439176babeef24d93900914092655af3a48f54385adf6ef5a3af76799fb7e96083acd27853d6ab6d7392543dbaf70bb26f164519e92f677da7851a4 cross-size-checks.patch 1b3513772a7a0294b587723213e4464cc5a1a42ae6a79e9b9f9ea20083684a21d81e362f44d87ce2e6de2daf396d8422b39019923c0b0cbb44fa4c4c24613c0c verbose-error-when-uid-doesnt-match.patch 0954920ce9307948848d8f9ca5ea5bba4db8394793ef314ab5c6770948e96071748192b52ba8c31d543fe71ce0e6e2a7f3a2a92862966a940639a19df1048634 301-CVE-2017-2616-su-properly-clear-child-PID.patch 36f494347cb980d85ea82331ec620a949be45f5f2c400a3b13f409a8d9c932c0f822cb0baa2ee78c6f356e7bf93de51c1b0f20730e8f3af36a746a5632d19bbe 302-CVE-2016-6252-fix-integer-overflow.patch e36d54759b71d48c62aefc4032e63deccafa69d22f8bae772b4c0ca135b431db9cd35a1a2a2adf5c76996e76e13ab82e1cf19bba70c6ca4414b3979a43c292c2 303-Reset-pid_child-only-if-waitpid-was-successful.patch 49f1d5ded82d2d479805c77d7cc6274c30233596e375b28306b31a33f8fbfc3611dbc77d606081b8300247908c267297dbb6c5d1a30d56095dda53c6a636fb56 useradd-usergroups.patch 0b4587e263cb6be12fa5ae6bc3b3fc4d3696dae355bc67d085dc58c52ff96edb4d163b95db2092b8c2f3310839430cac03c7af356641b42e24ee4aa6410f5cf1 pam-useradd.patch'" (CommandList children: [ (Assignment keyword: Assign_None pairs: [(assign_pair lhs:(LhsName name:pkgname) op:Equal rhs:{(shadow)} spids:[9])] spids: [9] ) (Assignment keyword: Assign_None pairs: [(assign_pair lhs:(LhsName name:pkgver) op:Equal rhs:{(4.2.1)} spids:[12])] spids: [12] ) (Assignment keyword: Assign_None pairs: [(assign_pair lhs:(LhsName name:pkgrel) op:Equal rhs:{(11)} spids:[15])] spids: [15] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:pkgdesc) op: Equal rhs: {(DQ ("PAM-using login and passwd utilities (usermod, useradd, ...)"))} spids: [18] ) ] spids: [18] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:url) op: Equal rhs: {(DQ ("http://pkg-shadow.alioth.debian.org/"))} spids: [23] ) ] spids: [23] ) (Assignment keyword: Assign_None pairs: [(assign_pair lhs:(LhsName name:arch) op:Equal rhs:{(DQ (all))} spids:[28])] spids: [28] ) (Assignment keyword: Assign_None pairs: [(assign_pair lhs:(LhsName name:license) op:Equal rhs:{(DQ (GPL))} spids:[33])] spids: [33] ) (Assignment keyword: Assign_None pairs: [(assign_pair lhs:(LhsName name:depends) op:Equal rhs:{(DQ )} spids:[38])] spids: [38] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:makedepends) op: Equal rhs: {(DQ (linux-pam-dev))} spids: [42] ) ] spids: [42] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:subpackages) op: Equal rhs: { (DQ ($ VSub_Name "$pkgname") ("-doc ") ($ VSub_Name "$pkgname") ("-dbg ") ($ VSub_Name "$pkgname") (-uidmap) ) } spids: [47] ) ] spids: [47] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:source) op: Equal rhs: { (DQ ("http://pkg-shadow.alioth.debian.org/releases/shadow-") ($ VSub_Name "$pkgver") (".tar.xz\n") ("\tlogin.pamd\n") ("\tdots-in-usernames.patch\n") ("\tcross-size-checks.patch\n") ("\tverbose-error-when-uid-doesnt-match.patch\n") ("\t301-CVE-2017-2616-su-properly-clear-child-PID.patch\n") ("\t302-CVE-2016-6252-fix-integer-overflow.patch\n") ("\t303-Reset-pid_child-only-if-waitpid-was-successful.patch\n") ("\tuseradd-usergroups.patch\n") ("\tpam-useradd.patch\n") ("\t") ) } spids: [57] ) ] spids: [57] ) (Assignment keyword: Assign_None pairs: [(assign_pair lhs:(LhsName name:options) op:Equal rhs:{(DQ (suid))} spids:[84])] spids: [84] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:builddir) op: Equal rhs: {(DQ ($ VSub_Name "$srcdir") (/shadow-) ($ VSub_Name "$pkgver"))} spids: [89] ) ] spids: [89] ) (FuncDef name: build body: (BraceGroup children: [ (C {(cd)} {(DQ ($ VSub_Name "$builddir"))}) (AndOr children: [ (C {(./configure)} {(--build) (Lit_Other "=") ($ VSub_Name "$CBUILD")} {(--host) (Lit_Other "=") ($ VSub_Name "$CHOST")} {(--target) (Lit_Other "=") ($ VSub_Name "$CTARGET")} {(--prefix) (Lit_Other "=") (/usr)} {(--sysconfdir) (Lit_Other "=") (/etc)} {(--mandir) (Lit_Other "=") (/usr/share/man)} {(--infodir) (Lit_Other "=") (/usr/share/info)} {(--localstatedir) (Lit_Other "=") (/var)} {(--disable-nls)} {(--with-libpam)} {(--without-audit)} {(--without-selinux)} {(--without-acl)} {(--without-attr)} {(--without-tcb)} {(--without-nscd)} {(--without-group-name-max-length)} ) (ControlFlow token: arg_word:{(1)}) ] op_id: Op_DPipe ) (AndOr children: [(C {(make)}) (ControlFlow token: arg_word:{(1)})] op_id: Op_DPipe ) ] spids: [101] ) spids: [97 100] ) (FuncDef name: check body: (BraceGroup children: [(C {(cd)} {(DQ ($ VSub_Name "$builddir"))}) (C {(make)} {(check)})] spids: [222] ) spids: [218 221] ) (FuncDef name: package body: (BraceGroup children: [ (C {(cd)} {(DQ ($ VSub_Name "$builddir"))}) (AndOr children: [ (C {(make)} {(Lit_VarLike "DESTDIR=") (DQ ($ VSub_Name "$pkgdir"))} {(install)}) (ControlFlow token: arg_word:{(1)}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(rm)} {(DQ ($ VSub_Name "$pkgdir")) (/etc/pam.d/) (Lit_Other "*")}) (ControlFlow token: arg_word:{(1)}) ] op_id: Op_DPipe ) (ForEach iter_name: pamf iter_words: [ {(groupadd)} {(groupdel)} {(groupmems)} {(groupmod)} {(useradd)} {(userdel)} {(usermod)} ] do_arg_iter: False body: (DoGroup children: [ (AndOr children: [ (C {(install)} {(-m0644)} {(etc/pam.d/useradd)} {(DQ ($ VSub_Name "$pkgdir") (/etc/pam.d/) ($ VSub_Name "$pamf"))} ) (ControlFlow token: arg_word: {(1)} ) ] op_id: Op_DPipe ) ] spids: [318 342] ) spids: [300 -1] ) (AndOr children: [ (C {(rm)} {(DQ ($ VSub_Name "$pkgdir")) (/sbin/nologin)}) (ControlFlow token: arg_word:{(1)}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(cp)} {(DQ ($ VSub_Name "$srcdir")) (/login.pamd)} {(DQ ($ VSub_Name "$pkgdir")) (/etc/pam.d/login)} ) (ControlFlow token: arg_word:{(1)}) ] op_id: Op_DPipe ) (C {(rm)} {(DQ ($ VSub_Name "$pkgdir")) (/etc/login.defs)}) (SimpleCommand words: [{(echo)} {(DQ ("USERGROUPS_ENAB yes"))}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {(DQ ($ VSub_Name "$pkgdir")) (/etc/login.defs)} spids: [406] ) ] ) (AndOr children: [ (C {(rm)} {(DQ ($ VSub_Name "$pkgdir")) (/usr/share/man/man3/getspnam.3) (Lit_Other "*")} {(DQ ($ VSub_Name "$pkgdir")) (/usr/share/man/man5/passwd.5) (Lit_Other "*")} ) (ControlFlow token: arg_word:{(1)}) ] op_id: Op_DPipe ) ] spids: [243] ) spids: [239 242] ) (FuncDef name: uidmap body: (BraceGroup children: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:pkgdesc) op: Equal rhs: {(DQ ("Utilities for using subordinate UIDs and GIDs"))} spids: [451] ) ] spids: [451] ) (C {(mkdir)} {(-p)} {(DQ ($ VSub_Name "$subpkgdir"))}) (C {(cd)} {(DQ ($ VSub_Name "$subpkgdir"))}) (C {(mkdir)} {(-p)} {(usr/bin)}) (AndOr children: [ (C {(mv)} {(DQ ($ VSub_Name "$pkgdir")) (/usr/bin/new) (Lit_Other "*") (idmap)} {(usr/bin/)} ) (ControlFlow token: arg_word:{(1)}) ] op_id: Op_DPipe ) (AndOr children: [ (C {(chmod)} {(4711)} {(usr/bin/new) (Lit_Other "*") (idmap)}) (ControlFlow token: arg_word:{(1)}) ] op_id: Op_DPipe ) (C {(mkdir)} {(etc)}) (C {(touch)} {(etc/subuid)} {(etc/subgid)}) ] spids: [448] ) spids: [444 447] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:sha512sums) op: Equal rhs: { (DQ ( "7a14bf8e08126f0402e37b6e4c559615ced7cf829e39156d929ed05cd8813de48a77ff1f7f6fe707da04cf662a2e9e84c22d63d88dd1ed13f935fde594db95f0 shadow-4.2.1.tar.xz\n" ) ( "46a6f83f3698e101b58b8682852da749619412f75dfa85cecad03d0847f6c3dc452d984510db7094220e4570a0565b83b0556e16198ad894a3ec84b3e513d58d login.pamd\n" ) ( "745eea04c054226feba165b635dbb8570b8a04537d41e914400a4c54633c3a9cf350da0aabfec754fb8cf3e58fc1c8cf597b895506312f19469071760c11f31d dots-in-usernames.patch\n" ) ( "c46760254439176babeef24d93900914092655af3a48f54385adf6ef5a3af76799fb7e96083acd27853d6ab6d7392543dbaf70bb26f164519e92f677da7851a4 cross-size-checks.patch\n" ) ( "1b3513772a7a0294b587723213e4464cc5a1a42ae6a79e9b9f9ea20083684a21d81e362f44d87ce2e6de2daf396d8422b39019923c0b0cbb44fa4c4c24613c0c verbose-error-when-uid-doesnt-match.patch\n" ) ( "0954920ce9307948848d8f9ca5ea5bba4db8394793ef314ab5c6770948e96071748192b52ba8c31d543fe71ce0e6e2a7f3a2a92862966a940639a19df1048634 301-CVE-2017-2616-su-properly-clear-child-PID.patch\n" ) ( "36f494347cb980d85ea82331ec620a949be45f5f2c400a3b13f409a8d9c932c0f822cb0baa2ee78c6f356e7bf93de51c1b0f20730e8f3af36a746a5632d19bbe 302-CVE-2016-6252-fix-integer-overflow.patch\n" ) ( "e36d54759b71d48c62aefc4032e63deccafa69d22f8bae772b4c0ca135b431db9cd35a1a2a2adf5c76996e76e13ab82e1cf19bba70c6ca4414b3979a43c292c2 303-Reset-pid_child-only-if-waitpid-was-successful.patch\n" ) ( "49f1d5ded82d2d479805c77d7cc6274c30233596e375b28306b31a33f8fbfc3611dbc77d606081b8300247908c267297dbb6c5d1a30d56095dda53c6a636fb56 useradd-usergroups.patch\n" ) ( "0b4587e263cb6be12fa5ae6bc3b3fc4d3696dae355bc67d085dc58c52ff96edb4d163b95db2092b8c2f3310839430cac03c7af356641b42e24ee4aa6410f5cf1 pam-useradd.patch" ) ) } spids: [534] ) ] spids: [534] ) ] )