sys-apps/shadow: Security cleanup (bug #610804).

Package-Manager: Portage-2.3.4, Repoman-2.3.2

4 files changed, 0 insertions, 332 deletions

diff --git a/sys-apps/shadow/Manifest b/sys-apps/shadow/Manifest
index 251f1ce80a1c..df4f7606de48 100644
--- a/sys-apps/shadow/Manifest
+++ b/sys-apps/shadow/Manifest
@@ -1,2 +1 @@
-DIST shadow-4.2.1.tar.xz 1594536 SHA256 3b0893d1476766868cd88920f4f1231c4795652aa407569faff802bcda0f3d41 SHA512 7a14bf8e08126f0402e37b6e4c559615ced7cf829e39156d929ed05cd8813de48a77ff1f7f6fe707da04cf662a2e9e84c22d63d88dd1ed13f935fde594db95f0 WHIRLPOOL 032857f5fae8486cc3dd11303bfa7da55019000ce8ad7bac2f398f9f9764c8659e20a1547d05c5e4f366db749a52afb3083017faf14f6a72ee48345dcd1f86aa
 DIST shadow-4.4.tar.gz 3706812 SHA256 2398fe436e548786c17ec387b4c41f5339f72ec9ee2f3f7a6e0cc2cb240bb482 SHA512 c1e0f65a4fbd0f9d8de38e488b4a374cac5c476180e233269fc666988d9201c0dcc694605c5e54d54f81039c2e30c95b14c12f10adef749a45cc31f0b4b5d5a6 WHIRLPOOL a22fc0f90ec0623cbbcef253378a16ad605cf71345074880e3fd12fb5914058d3e721f378730c9684497cc597595b7defc7e710206268ae320a090c8c35fd41e
diff --git a/sys-apps/shadow/files/shadow-4.2.1-cross-size-checks.patch b/sys-apps/shadow/files/shadow-4.2.1-cross-size-checks.patch
deleted file mode 100644
index f067caab204d..000000000000
--- a/sys-apps/shadow/files/shadow-4.2.1-cross-size-checks.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 2cb54158b80cdbd97ca3b36df83f9255e923ae3f Mon Sep 17 00:00:00 2001
-From: James Le Cuirot <chewi@aura-online.co.uk>
-Date: Sat, 23 Aug 2014 09:46:39 +0100
-Subject: [PATCH] Check size of uid_t and gid_t using AC_CHECK_SIZEOF
-
-This built-in check is simpler than the previous method and, most
-importantly, works when cross-compiling.
-
-Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
----
- configure.in | 14 ++++----------
- 1 file changed, 4 insertions(+), 10 deletions(-)
-
-diff --git a/configure.in b/configure.in
-index 1a3f841..4a4d6d0 100644
---- a/configure.in
-+++ b/configure.in
-@@ -335,16 +335,10 @@ if test "$enable_subids" != "no"; then
- 	dnl
- 	dnl FIXME: check if 32 bit UIDs/GIDs are supported by libc
- 	dnl
--	AC_RUN_IFELSE([AC_LANG_SOURCE([
--#include <sys/types.h>
--int main(void) {
--	uid_t u;
--	gid_t g;
--	return (sizeof u < 4) || (sizeof g < 4);
--}
--	])], [id32bit="yes"], [id32bit="no"])
--
--	if test "x$id32bit" = "xyes"; then
-+	AC_CHECK_SIZEOF([uid_t],, [#include "sys/types.h"])
-+	AC_CHECK_SIZEOF([gid_t],, [#include "sys/types.h"])
-+
-+	if test "$ac_cv_sizeof_uid_t" -ge 4 && test "$ac_cv_sizeof_gid_t" -ge 4; then
- 		AC_DEFINE(ENABLE_SUBIDS, 1, [Define to support the subordinate IDs.])
- 		enable_subids="yes"
- 	else
--- 
-2.3.6
-
diff --git a/sys-apps/shadow/files/shadow-4.2.1-verbose-error-when-uid-doesnt-match.patch b/sys-apps/shadow/files/shadow-4.2.1-verbose-error-when-uid-doesnt-match.patch
deleted file mode 100644
index 340424eb12e3..000000000000
--- a/sys-apps/shadow/files/shadow-4.2.1-verbose-error-when-uid-doesnt-match.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From: Hank Leininger <hlein@korelogic.com>
-Date: Mon, 6 Apr 2015 08:22:48 -0500
-Subject: [PATCH] Expand the error message when newuidmap / newgidmap do not
- like the user/group ownership of their target process.
-
-Currently the error is just:
-
-newuidmap: Target [pid] is owned by a different user
-
-With this patch it will be like:
-
-newuidmap: Target [pid] is owned by a different user: uid:0 pw_uid:0 st_uid:0, gid:0 pw_gid:0 st_gid:99
-
-Why is this useful?  Well, in my case...
-
-The grsecurity kernel-hardening patch includes an option to make parts
-of /proc unreadable, such as /proc/pid/ dirs for processes not owned by
-the current uid.  This comes with an option to make /proc/pid/
-directories readable by a specific gid; sysadmins and the like are then
-put into that group so they can see a full 'ps'.
-
-This means that the check in new[ug]idmap fails, as in the above quoted
-error - /proc/[targetpid] is owned by root, but the group is 99 so that
-users in group 99 can see the process.
-
-Some Googling finds dozens of people hitting this problem, but not
-*knowing* that they have hit this problem, because the errors and
-circumstances are non-obvious.
-
-Some graceful way of handling this and not failing, will be next ;)  But
-in the meantime it'd be nice to have new[ug]idmap emit a more useful
-error, so that it's easier to troubleshoot.
-
-Thanks!
-
-Signed-off-by: Hank Leininger <hlein@korelogic.com>
-Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
----
- src/newgidmap.c | 6 ++++--
- src/newuidmap.c | 6 ++++--
- 2 files changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/src/newgidmap.c b/src/newgidmap.c
-index a532b45..451c6a6 100644
---- a/src/newgidmap.c
-+++ b/src/newgidmap.c
-@@ -161,8 +161,10 @@ int main(int argc, char **argv)
- 	    (getgid() != pw->pw_gid) ||
- 	    (pw->pw_uid != st.st_uid) ||
- 	    (pw->pw_gid != st.st_gid)) {
--		fprintf(stderr, _( "%s: Target %u is owned by a different user\n" ),
--			Prog, target);
-+		fprintf(stderr, _( "%s: Target %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
-+			Prog, target,
-+			(unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid,
-+			(unsigned long int)getgid(), (unsigned long int)pw->pw_gid, (unsigned long int)st.st_gid);
- 		return EXIT_FAILURE;
- 	}
- 
-diff --git a/src/newuidmap.c b/src/newuidmap.c
-index 5150078..9c8bc1b 100644
---- a/src/newuidmap.c
-+++ b/src/newuidmap.c
-@@ -161,8 +161,10 @@ int main(int argc, char **argv)
- 	    (getgid() != pw->pw_gid) ||
- 	    (pw->pw_uid != st.st_uid) ||
- 	    (pw->pw_gid != st.st_gid)) {
--		fprintf(stderr, _( "%s: Target %u is owned by a different user\n" ),
--			Prog, target);
-+		fprintf(stderr, _( "%s: Target process %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
-+			Prog, target,
-+			(unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid,
-+			(unsigned long int)getgid(), (unsigned long int)pw->pw_gid, (unsigned long int)st.st_gid);
- 		return EXIT_FAILURE;
- 	}
- 
diff --git a/sys-apps/shadow/shadow-4.2.1-r2.ebuild b/sys-apps/shadow/shadow-4.2.1-r2.ebuild
deleted file mode 100644
index 0e9e3a4d4e52..000000000000
--- a/sys-apps/shadow/shadow-4.2.1-r2.ebuild
+++ /dev/null
@@ -1,214 +0,0 @@
-# Copyright 1999-2017 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-
-inherit eutils libtool pam multilib autotools
-
-DESCRIPTION="Utilities to deal with user accounts"
-HOMEPAGE="http://shadow.pld.org.pl/ http://pkg-shadow.alioth.debian.org/"
-SRC_URI="http://pkg-shadow.alioth.debian.org/releases/${P}.tar.xz"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86"
-IUSE="acl audit cracklib nls pam selinux skey xattr"
-# Taken from the man/Makefile.am file.
-LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW )
-IUSE+=" $(printf 'linguas_%s ' ${LANGS[*]})"
-
-RDEPEND="acl? ( sys-apps/acl )
-	audit? ( sys-process/audit )
-	cracklib? ( >=sys-libs/cracklib-2.7-r3 )
-	pam? ( virtual/pam )
-	skey? ( sys-auth/skey )
-	selinux? (
-		>=sys-libs/libselinux-1.28
-		sys-libs/libsemanage
-	)
-	nls? ( virtual/libintl )
-	xattr? ( sys-apps/attr )"
-DEPEND="${RDEPEND}
-	app-arch/xz-utils
-	sys-devel/gettext"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20150213 )"
-
-PATCHES=(
-	"${FILESDIR}"/${PN}-4.1.3-dots-in-usernames.patch
-	"${FILESDIR}"/${P}-cross-size-checks.patch
-	"${FILESDIR}"/${P}-verbose-error-when-uid-doesnt-match.patch
-)
-
-src_prepare() {
-	epatch "${PATCHES[@]}"
-	epatch_user
-	# https://github.com/shadow-maint/shadow/pull/5
-	mv configure.{in,ac} || die
-	eautoreconf
-	#elibtoolize
-}
-
-src_configure() {
-	econf \
-		--without-group-name-max-length \
-		--without-tcb \
-		--enable-shared=no \
-		--enable-static=yes \
-		$(use_with acl) \
-		$(use_with audit) \
-		$(use_with cracklib libcrack) \
-		$(use_with pam libpam) \
-		$(use_with skey) \
-		$(use_with selinux) \
-		$(use_enable nls) \
-		$(use_with elibc_glibc nscd) \
-		$(use_with xattr attr)
-	has_version 'sys-libs/uclibc[-rpc]' && sed -i '/RLOGIN/d' config.h #425052
-
-	if use nls ; then
-		local l langs="po" # These are the pot files.
-		for l in ${LANGS[*]} ; do
-			use linguas_${l} && langs+=" ${l}"
-		done
-		sed -i "/^SUBDIRS = /s:=.*:= ${langs}:" man/Makefile || die
-	fi
-}
-
-set_login_opt() {
-	local comment="" opt=$1 val=$2
-	if [[ -z ${val} ]]; then
-		comment="#"
-		sed -i \
-			-e "/^${opt}\>/s:^:#:" \
-			"${ED}"/etc/login.defs || die
-	else
-		sed -i -r \
-			-e "/^#?${opt}\>/s:.*:${opt} ${val}:" \
-			"${ED}"/etc/login.defs
-	fi
-	local res=$(grep "^${comment}${opt}\>" "${ED}"/etc/login.defs)
-	einfo "${res:-Unable to find ${opt} in /etc/login.defs}"
-}
-
-src_install() {
-	emake DESTDIR="${D}" suidperms=4711 install
-
-	# Remove libshadow and libmisc; see bug 37725 and the following
-	# comment from shadow's README.linux:
-	#   Currently, libshadow.a is for internal use only, so if you see
-	#   -lshadow in a Makefile of some other package, it is safe to
-	#   remove it.
-	rm -f "${ED}"/{,usr/}$(get_libdir)/lib{misc,shadow}.{a,la}
-
-	insinto /etc
-	if ! use pam ; then
-		insopts -m0600
-		doins etc/login.access etc/limits
-	fi
-
-	# needed for 'useradd -D'
-	insinto /etc/default
-	insopts -m0600
-	doins "${FILESDIR}"/default/useradd
-
-	# move passwd to / to help recover broke systems #64441
-	mv "${ED}"/usr/bin/passwd "${ED}"/bin/ || die
-	dosym /bin/passwd /usr/bin/passwd
-
-	cd "${S}"
-	insinto /etc
-	insopts -m0644
-	newins etc/login.defs login.defs
-
-	set_login_opt CREATE_HOME yes
-	if ! use pam ; then
-		set_login_opt MAIL_CHECK_ENAB no
-		set_login_opt SU_WHEEL_ONLY yes
-		set_login_opt CRACKLIB_DICTPATH /usr/$(get_libdir)/cracklib_dict
-		set_login_opt LOGIN_RETRIES 3
-		set_login_opt ENCRYPT_METHOD SHA512
-		set_login_opt CONSOLE
-	else
-		dopamd "${FILESDIR}"/pam.d-include/shadow
-
-		for x in chpasswd chgpasswd newusers; do
-			newpamd "${FILESDIR}"/pam.d-include/passwd ${x}
-		done
-
-		for x in chage chsh chfn \
-				 user{add,del,mod} group{add,del,mod} ; do
-			newpamd "${FILESDIR}"/pam.d-include/shadow ${x}
-		done
-
-		# comment out login.defs options that pam hates
-		local opt sed_args=()
-		for opt in \
-			CHFN_AUTH \
-			CONSOLE \
-			CRACKLIB_DICTPATH \
-			ENV_HZ \
-			ENVIRON_FILE \
-			FAILLOG_ENAB \
-			FTMP_FILE \
-			LASTLOG_ENAB \
-			MAIL_CHECK_ENAB \
-			MOTD_FILE \
-			NOLOGINS_FILE \
-			OBSCURE_CHECKS_ENAB \
-			PASS_ALWAYS_WARN \
-			PASS_CHANGE_TRIES \
-			PASS_MIN_LEN \
-			PORTTIME_CHECKS_ENAB \
-			QUOTAS_ENAB \
-			SU_WHEEL_ONLY
-		do
-			set_login_opt ${opt}
-			sed_args+=( -e "/^#${opt}\>/b pamnote" )
-		done
-		sed -i "${sed_args[@]}" \
-			-e 'b exit' \
-			-e ': pamnote; i# NOTE: This setting should be configured via /etc/pam.d/ and not in this file.' \
-			-e ': exit' \
-			"${ED}"/etc/login.defs || die
-
-		# remove manpages that pam will install for us
-		# and/or don't apply when using pam
-		find "${ED}"/usr/share/man \
-			'(' -name 'limits.5*' -o -name 'suauth.5*' ')' \
-			-delete
-
-		# Remove pam.d files provided by pambase.
-		rm "${ED}"/etc/pam.d/{login,passwd,su} || die
-	fi
-
-	# Remove manpages that are handled by other packages
-	find "${ED}"/usr/share/man \
-		'(' -name id.1 -o -name passwd.5 -o -name getspnam.3 ')' \
-		-delete
-
-	cd "${S}"
-	dodoc ChangeLog NEWS TODO
-	newdoc README README.download
-	cd doc
-	dodoc HOWTO README* WISHLIST *.txt
-}
-
-pkg_preinst() {
-	rm -f "${EROOT}"/etc/pam.d/system-auth.new \
-		"${EROOT}/etc/login.defs.new"
-}
-
-pkg_postinst() {
-	# Enable shadow groups.
-	if [ ! -f "${EROOT}"/etc/gshadow ] ; then
-		if grpck -r -R "${EROOT}" 2>/dev/null ; then
-			grpconv -R "${EROOT}"
-		else
-			ewarn "Running 'grpck' returned errors.  Please run it by hand, and then"
-			ewarn "run 'grpconv' afterwards!"
-		fi
-	fi
-
-	einfo "The 'adduser' symlink to 'useradd' has been dropped."
-}