91360f25a8
Provide binary from this package. Enable libpam and disable account-tools-setuid. Provide passwd PAM service file. Finally, provide --stdin option in passwd. Resolves: #2233275 Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
From 43b4e5a6c41f5c43cad18810f9229e40e8c4a57e Mon Sep 17 00:00:00 2001
|
|
From: Alejandro Colomar <alx@kernel.org>
|
|
Date: Mon, 30 Oct 2023 12:53:37 +0100
|
|
Subject: [PATCH 1/2] Remove FascistHistory() and FascistHistoryPw() calls
|
|
|
|
These functions don't seem to exist anymore. I can't find them in
|
|
Debian, nor in a web search. They probably were functions from an
|
|
ancient implementation of cracklib that doesn't exist anymore.
|
|
|
|
$ git remote -v
|
|
origin git@github.com:cracklib/cracklib.git (fetch)
|
|
origin git@github.com:cracklib/cracklib.git (push)
|
|
$ grep -rni fascisthistory
|
|
$ git log --grep FascistHistory
|
|
$ git log -S FascistHistory
|
|
|
|
Closes: <https://codesearch.debian.net/search?q=FascistHistory&literal=1>
|
|
Cc: Mike Frysinger <vapier@gentoo.org>
|
|
Acked-by: Michael Vetter <jubalh@iodoru.org>
|
|
Signed-off-by: Alejandro Colomar <alx@kernel.org>
|
|
---
|
|
configure.ac | 4 ----
|
|
libmisc/obscure.c | 8 --------
|
|
src/passwd.c | 33 ++-------------------------------
|
|
3 files changed, 2 insertions(+), 43 deletions(-)
|
|
|
|
diff --git a/configure.ac b/configure.ac
|
|
index 2c8cca3f..5c8c7764 100644
|
|
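--- a/configure.ac
+++ b/configure.ac
@@ -526,10 +526,6 @@ if test "$with_libcrack" = "yes"; then
 echo "checking cracklib flavour, don't be surprised by the results"
 AC_CHECK_LIB(crack, FascistCheck,
 [LIBCRACK=-lcrack AC_DEFINE(HAVE_LIBCRACK, 1, [Defined if you have libcrack.])])
- AC_CHECK_LIB(crack, FascistHistory,
- AC_DEFINE(HAVE_LIBCRACK_HIST, 1, [Defined if you have the ts&szs cracklib.]))
- AC_CHECK_LIB(crack, FascistHistoryPw,
- AC_DEFINE(HAVE_LIBCRACK_PW, 1, [Defined if it includes *Pw functions.]))
 fi
 
 if test "$with_btrfs" != "no"; then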
diff --git a/libmisc/obscure.c b/libmisc/obscure.c
|
|
index ccffb71d..4070d4e4 100644
|
|
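--- a/libmisc/obscure.c
+++ b/libmisc/obscure.c
@@ -100,11 +100,7 @@ static /*@observer@*//*@null@*/const char *password_check (
 #ifdef HAVE_LIBCRACK
 char *dictpath;
 
-#ifdef HAVE_LIBCRACK_PW
- char *FascistCheckPw ();
-#else
 char *FascistCheck ();
-#endif
 #endif
 
 if (strcmp (new, old) == 0) {
@@ -133,11 +129,7 @@ static /*@observer@*//*@null@*/const char *password_check (
 
 dictpath = getdef_str ("CRACKLIB_DICTPATH");
 if (NULL != dictpath) {
-#ifdef HAVE_LIBCRACK_PW
- msg = FascistCheckPw (new, dictpath, pwdp);
-#else
 msg = FascistCheck (new, dictpath);
-#endif
 }
 #endif
 }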
diff --git a/src/passwd.c b/src/passwd.c
|
|
index 67608619..a4f49320 100644
|
|
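--- a/src/passwd.c
+++ b/src/passwd.c
@@ -114,7 +114,6 @@ static bool do_update_pwd = false;
 /* local function prototypes */
 NORETURN static void usage (int);
 
-static bool reuse (const char *, const struct passwd *);
 static int new_password (const struct passwd *);
 
 static void check_password (const struct passwd *, const struct spwd *);
@@ -163,27 +162,6 @@ usage (int status)
 exit (status);
 }
 
-static bool reuse (const char *pass, const struct passwd *pw)
-{
-#ifdef HAVE_LIBCRACK_HIST
- const char *reason;
-
-#ifdef HAVE_LIBCRACK_PW
- const char *FascistHistoryPw (const char *, const struct passwd *);
-
- reason = FascistHistory (pass, pw);
-#else /* !HAVE_LIBCRACK_PW */
- const char *FascistHistory (const char *, int);
-
- reason = FascistHistory (pass, pw->pw_uid);
-#endif /* !HAVE_LIBCRACK_PW */
- if (NULL != reason) {
- (void) printf (_("Bad password: %s. "), reason);
- return true;
- }
-#endif /* HAVE_LIBCRACK_HIST */
- return false;
-}
 
 /*
 * new_password - validate old password and replace with new (both old and
@@ -202,10 +180,6 @@ static int new_password (const struct passwd *pw)
 int pass_max_len = -1;
 const char *method;
 
-#ifdef HAVE_LIBCRACK_HIST
- int HistUpdate (const char *, const char *);
-#endif /* HAVE_LIBCRACK_HIST */
-
 /*
 * Authenticate the user. The user will be prompted for their own
 * password.
@@ -306,7 +280,7 @@ static int new_password (const struct passwd *pw)
 STRFCPY (pass, cp);
 erase_pass (cp);
 
- if (!amroot && (!obscure (orig, pass, pw) || reuse (pass, pw))) {
+ if (!amroot && !obscure(orig, pass, pw)) {
 (void) puts (_("Try again."));
 continue;
 }
@@ -317,7 +291,7 @@ static int new_password (const struct passwd *pw)
 * --marekm
 */
 if (amroot && !warned && getdef_bool ("PASS_ALWAYS_WARN")
- && (!obscure (orig, pass, pw) || reuse (pass, pw))) {
+ && !obscure(orig, pass, pw)) {
 (void) puts (_("\nWarning: weak password (enter it again to use it anyway)."));
 warned = true;
 continue;
@@ -357,9 +331,6 @@ static int new_password (const struct passwd *pw)
 return -1;
 }
 
-#ifdef HAVE_LIBCRACK_HIST
- HistUpdate (pw->pw_name, crypt_passwd);
-#endif /* HAVE_LIBCRACK_HIST */
 STRFCPY (crypt_passwd, cp);
 return 0;
 }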
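Review bot: new_password() is left with no password-reuse check and no comment saying so: both rewritten conditions now gate only on `obscure()`, and the `HistUpdate()` call that recorded history is gone as well. The removed code ran only under HAVE_LIBCRACK_HIST, so this may never have been live, but a maintainer reading the loop cannot tell that history enforcement is expected elsewhere. I would add a comment above the first condition such as `/* No password-history check here; reuse has to be enforced by the PAM stack or site policy. */`. As a style point, the two new calls are written `obscure(orig, pass, pw)` while every neighbouring call keeps a space before the parenthesis (`puts (`, `getdef_bool (`); `!obscure (orig, pass, pw)` would match the file. The body of new_password() extends beyond these hunks.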
--
|
|
2.43.0
|
|
|
|
|
|
From 45f34ee8c196a98397504cb7ed8576b6f1825cf9 Mon Sep 17 00:00:00 2001
|
|
From: Alejandro Colomar <alx@kernel.org>
|
|
Date: Mon, 30 Oct 2023 13:31:42 +0100
|
|
Subject: [PATCH 2/2] Remove libcrack support
|
|
|
|
Signed-off-by: Alejandro Colomar <alx@kernel.org>
|
|
---
|
|
configure.ac | 11 -----------
|
|
etc/login.defs | 5 -----
|
|
lib/getdef.c | 1 -
|
|
libmisc/obscure.c | 22 ----------------------
|
|
libsubid/Makefile.am | 1 -
|
|
src/Makefile.am | 2 +-
|
|
7 files changed, 2 insertions(+), 42 deletions(-)
|
|
|
|
diff --git a/configure.ac b/configure.ac
|
|
index 5c8c7764..c2b0a1a5 100644
|
|
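--- a/configure.ac
+++ b/configure.ac
@@ -243,9 +243,6 @@ AC_ARG_WITH(skey,
 AC_ARG_WITH(tcb,
 [AS_HELP_STRING([--with-tcb], [use tcb support (incomplete) @<:@default=yes if found@:>@])],
 [with_tcb=$withval], [with_tcb=maybe])
-AC_ARG_WITH(libcrack,
- [AS_HELP_STRING([--with-libcrack], [use libcrack @<:@default=no@:>@])],
- [with_libcrack=$withval], [with_libcrack=no])
 AC_ARG_WITH(sha-crypt,
 [AS_HELP_STRING([--with-sha-crypt], [allow the SHA256 and SHA512 password encryption algorithms @<:@default=yes@:>@])],
 [with_sha_crypt=$withval], [with_sha_crypt=yes])
@@ -521,13 +518,6 @@ if test "$with_audit" != "no"; then
 fi
 fi
 
-AC_SUBST(LIBCRACK)
-if test "$with_libcrack" = "yes"; then
- echo "checking cracklib flavour, don't be surprised by the results"
- AC_CHECK_LIB(crack, FascistCheck,
- [LIBCRACK=-lcrack AC_DEFINE(HAVE_LIBCRACK, 1, [Defined if you have libcrack.])])
-fi
-
 if test "$with_btrfs" != "no"; then
 AC_CHECK_HEADERS([sys/statfs.h linux/magic.h linux/btrfs_tree.h], \
 [btrfs_headers="yes"], [btrfs_headers="no"])
@@ -768,7 +758,6 @@ echo
 echo "shadow will be compiled with the following features:"
 echo
 echo " auditing support: $with_audit"
-echo " CrackLib support: $with_libcrack"
 echo " PAM support: $with_libpam"
 if test "$with_libpam" = "yes"; then
 echo " suid account management tools: $enable_acct_tools_setuid"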
diff --git a/etc/login.defs b/etc/login.defs
|
|
index 114dbcd9..33622c29 100644
|
|
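--- a/etc/login.defs
+++ b/etc/login.defs
@@ -227,11 +227,6 @@ PASS_WARN_AGE 7
 #
 SU_WHEEL_ONLY no
 
-#
-# If compiled with cracklib support, sets the path to the dictionaries
-#
-CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
-
 #
 # Min/max values for automatic uid selection in useradd(8)
 #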
diff --git a/lib/getdef.c b/lib/getdef.c
|
|
index 977660c2..d64e6343 100644
|
|
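--- a/lib/getdef.c
+++ b/lib/getdef.c
@@ -39,7 +39,6 @@ struct itemdef {
 #define PAMDEFS \
 {"CHFN_AUTH", NULL}, \
 {"CHSH_AUTH", NULL}, \
- {"CRACKLIB_DICTPATH", NULL}, \
 {"ENV_HZ", NULL}, \
 {"ENVIRON_FILE", NULL}, \
 {"ENV_TZ", NULL}, \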
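Review bot: Dropping `{"CRACKLIB_DICTPATH", NULL}` from PAMDEFS leaves no table entry for a key that installed login.defs files may still set, since the shipped etc/login.defs carried it until this same patch. How getdef treats an item it does not recognise is outside this hunk; if it reports a configuration error, every tool that reads login.defs would start warning after the upgrade until the line is deleted. Consider keeping the name in a known-but-ignored list for a release, or calling out the removal in the upgrade notes so administrators drop the setting. The macro and the tables that expand it continue beyond the hunk.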
diff --git a/libmisc/obscure.c b/libmisc/obscure.c
|
|
index 4070d4e4..2aece68b 100644
|
|
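--- a/libmisc/obscure.c
+++ b/libmisc/obscure.c
@@ -12,11 +12,6 @@
 #ident "$Id$"
 
 
-/*
- * This version of obscure.c contains modifications to support "cracklib"
- * by Alec Muffet (alec.muffett@uk.sun.com). You must obtain the Cracklib
- * library source code for this function to operate.
- */
 #include <ctype.h>
 #include <stdio.h>
 
@@ -97,12 +92,6 @@ static /*@observer@*//*@null@*/const char *password_check (
 const char *msg = NULL;
 char *oldmono, *newmono, *wrapped;
 
-#ifdef HAVE_LIBCRACK
- char *dictpath;
-
- char *FascistCheck ();
-#endif
-
 if (strcmp (new, old) == 0) {
 return _("no change");
 }
@@ -121,17 +110,6 @@ static /*@observer@*//*@null@*/const char *password_check (
 msg = _("too similar");
 } else if (strstr (wrapped, newmono) != NULL) {
 msg = _("rotated");
- } else {
-#ifdef HAVE_LIBCRACK
- /*
- * Invoke Alec Muffett's cracklib routines.
- */
-
- dictpath = getdef_str ("CRACKLIB_DICTPATH");
- if (NULL != dictpath) {
- msg = FascistCheck (new, dictpath);
- }
-#endif
 }
 strzero (newmono);
 strzero (oldmono);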
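Review bot: password_check() loses its only dictionary lookup with the removed `else` branch, and nothing left in the function says where that check is now expected to happen. The checks visible in these hunks ("no change", "too similar", "rotated") appear to compare the new password against the old one, so a common dictionary word would not be caught by them. A comment above the if/else chain, for example `/* No dictionary check is done here; password quality beyond these comparisons is left to PAM or site policy. */`, would keep that assumption in front of whoever builds without PAM. The function begins and ends outside these hunks, so other checks may exist that are not shown.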
diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am
|
|
index 5ba0ab35..b6488e77 100644
|
|
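--- a/libsubid/Makefile.am
+++ b/libsubid/Makefile.am
@@ -8,7 +8,6 @@ MISCLIBS = \
 $(LIBAUDIT) \
 $(LIBSELINUX) \
 $(LIBSEMANAGE) \
- $(LIBCRACK) \
 $(LIBCRYPT_NOPAM) \
 $(LIBSKEY) \
 $(LIBMD) \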
diff --git a/src/Makefile.am b/src/Makefile.am
|
|
index fcfee9d2..b6cb09ef 100644
|
|
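--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -123,7 +123,7 @@ login_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(L
 newgrp_LDADD = $(LDADD) $(LIBAUDIT) $(LIBCRYPT) $(LIBECONF)
 newusers_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF) -ldl
 nologin_LDADD =
-passwd_LDADD = $(LDADD) $(LIBPAM) $(LIBCRACK) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBECONF) -ldl
+passwd_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBECONF) -ldl
 pwck_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
 pwconv_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
 pwunconv_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)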
--
|
|
2.43.0
|
|
|