bpfire/config/shadow/login.defs
Adolf Belka 5b28df47a5 shadow: Update to version 4.11.1 and fix bug 12762
- Update from 4.2.1 (2015) to 4.11.1 (2021)
- Update rootfile
- Update patch for suppression of groups installation
- Change default hash from sha512 to yescrypt in lfs and login.defs
- Changelog
   * Release 4.11.1
     * build: include lib/shadowlog_internal.h in dist tarballs (Sam James)
   * Release 4.11
     * Handle possible TOCTTOU issues in usermod/userdel (edneville)
       * (CVE-2013-4235)
       * Use O_NOFOLLOW when copying file
       * Kill all user tasks in userdel
     * Fix useradd -D segfault (Xi Ruoyao)
     * Clean up obsolete libc feature-check ifdefs (Alejandro Colomar)
     * Fix -fno-common build breaks due to duplicate Prog declarations
       (Adam Sampson)
     * Have single date_to_str definition (Alejandro Colomar)
     * Fix libsubid SONAME version (Sam James)
     * Clarify licensing info, use SPDX.
   * Release 4.10
      Note: From this release forward, su from this package should be
             considered deprecated. Please replace any users of it with su from
             util-linux. Please open an issue if there is a problem with that.
            We intend to remove it in an upcoming release.
             This release features many fixes especially to the building of
             libsubid, some SELinux labeling issues, and a few signaling
             issues.
     * libsubid fixes (Xi Ruoyao, Serge Hallyn, Iker Pedrosa, Mike Gilbert,
       GalaxyMaster, and Luís Ferreira)
     * Rename the test program list_subid_ranges to getsubids, write
       a manpage, so distros can ship it. (Iker Pedrosa)
     * Add libeconf dep for new*idmap (Iker Pedrosa)
     * Allow all group types with usermod -G (Iker Pedrosa)
     * Avoid useradd generating empty subid range (Iker Pedrosa)
     * Handle NULL pw_passwd (Jaroslav Jindrak)
     * Fix default value SHA_get_salt_rounds (Mike Gilbert)
     * Use https where possible in README (Paul Menzel)
     * Update content and format of README (Iker Pedrosa)
     * Translation updates (Balint Reczey, Frans Spiesschaert)
     * Switch from xml2po to itstool in 'make dist' (Serge Hallyn)
     * Fix double frees (Michael Vetter)
     * Add LOG_INIT configurable to useradd (Andy Zaugg)
     * Add CREATE_MAIL_SPOOL documentation (Andy Zaugg)
     * Create a security.md
     * Fix su never being SIGKILLd when trapping TERM (Ruihan li)
     * Fix wrong SELinux labels in several possible cases (Iker Pedrosa)
     * Fix missing chmod in chadowtb_move (GalaxyMaster)
     * Handle malformed hushlogins entries (Tobias Stoeckmann)
     * Fix groupdel segv when passwd does not exist (François Rigault)
     * Fix covscan-found newgrp segfault (Iker Pedrosa)
     * Remove trailing slash on homedir (Ed Neville)
     * Fix passwd -l message - it does not change expiry (Ed Neville)
     * Fix SIGCHLD handling bugs in su and vipw (Tobias Stoeckmann)
     * Remove special case for "" in usermod (Alejandro Colomar)
     * Implement usermod -rG to remove a specific group
       (Andy Zaugg)
     * call pam_end() after fork in child path for su and login
       (Björn Fischer)
     * useradd: In absence of /etc/passwd, assume 0 == root
       (Ludwig Nussel)
     * lib: check NULL before freeing data (Iker Pedrosa)
     * Fix pwck segfault (Iker Pedrosa)
     * Release 4.9
        2021-07-22  Serge Hallyn <serge@hallyn.com>
	 * Updated translations (Björn Esser, Juergen Hoetzel)
     * Major salt updates (Björn Esser)
     * Various coverity and cleanup fixes (Iker Pedrosa)
     * Consistently use 0 to disable PASS_MIN_DAYS in man (tzccinct)
     * Implement NSS support for subids and a libsubid (Serge Hallyn)
     * setfcap: retain setfcap when mapping uid 0 (Christian Brauner)
     * login.defs: include HMAC_CRYPTO_ALGO key (Iker Pedrosa)
     * selinux fixes (Christian Göttsche)
     * Fix path prefix path handling (Lucas Servén Marín)
     * Manpage updates (tzccinct, Sevan Janiyan, Iker Pedrosa, Geert Ijewski,
		谭九鼎, Jamin W. Collins, towerpark, andydna, Frans Spiesschaert)
     * Treat an empty passwd field as invalid (Haelwenn Monnier)
     * newxidmap: allow running under alternative gid (Martijn de Gouw)
     * usermod: check that shell is executable (Geert Ijewski)
     * Add yescrypt support (Rodolphe Bréard)
     * useradd memleak fixes (whzhe)
     * useradd: use built-in settings by default (Ludwig Nussel)
     * getdefs: add foreign (non-shadow-utils) items (Karel Zak)
     * buffer overflow fixes (Tobias Stoeckmann)
     * Adding run-parts style for pre and post useradd/del (ed@s5h.net)
       2020-01-23  Serge Hallyn <serge@hallyn.com>
	* selinux: include stdio (Michael Vetter)
	* man: don't suggest making groupmems user-writeable (Michael Weiser)
	* Makefile: bail out on error in for loops (Wolfgang Bumiller)
	* Adding logging of SSH_ORIGINAL_COMMAND to nologin. (ed@s5h.net)
	* add new HOME_MODE login.defs option (Duncan Overbruck)
	* Add tty logging to useradd (ed@s5h.net)
	* Useradd: make non-executable shell check only a warning (Tomas Mraz)
	* Update Dutch translation (Frans-Spiesschaert)
	* user_busy: Do not mistake a regular user process for a namespaced one (Tomas Mraz)
	* Revert "Honor --sbindir and --bindir for binary installation" (Patrick McLean)
       2019-12-20  Dave Reisner <dreisner@archlinux.org>
	* Do not auto-enable acct_tools_setuid just because
	  pam is enabled.  NOTE - any distros which are relying
	  on this behavior will need to switch to configure
	  --enable-account-tools-setuid
   * Release 4.8
       2019-12-01  Serge Hallyn <serge@hallyn.com>
	* Initial optional bcrypt support.
	* Make build/install of 'su' optional.
	* Fix for vipw not resuming correctly when suspended
	* Sync password field descriptions in manpages
	* Check for valid shell argument in useradd
	* Allow translation of new strings through POTFILES.in
	* Migrate to itstool for translations
	* Migrate to new SELinux api
	* Support --enable-vendordir
	* pwck: Only check homedir if set and not a system user
	* Support nonstandard usernames
	* sget{pw,gr}ent: check for data at EOL
	* Add YYY-MM-DD support in chage
	* Fix failing chmod calls for suidubins
	* Fix --sbindir and --bindir for binary installations
	* Fix LASTLOG_UID_MAX in login.defs
	* Fix configure error with dash
    * Release 4.7
       2019-06-13  Serge Hallyn <serge@hallyn.com>
	* Spawn: don't loop forever on ECHILD
	* Do not fail locking if there is a stale lockfile (Tomas Mraz)
	* Use lckpwdf if prefix not set (Tomas Mraz)
	* Build: check correct DocBook version (Jan Tojnar)
	* Usermod: Print 'no changes' to stdout, not stderr (Serge Hallyn)
	* Add support for btrfs subvolumes for home (Adam Majer)
	* Fix chpasswd long line handling (Nathan Ruiz)
	* Use secure_getenv for gettime (Chris Lamb)
	* Make sp_lstchg reproducible (Chris Lamb)
	* Do not crash commonio_close if db file is not open (Tomas Mraz)
	* Don't flush nscd and sssd cache in read-only mode (Charlie Vuillemez)
	* French manpage update (Alban VIDAL)
	* Fix manpage defaults for SUB_UID/GID_COUNT (Tomas Mraz)
	* Sync po files from shadow.pot (Alban VIDAL)
	* Usermod: guard against unsafe chown of homedir contents (Tomas Mraz)
	* Add LASTLOG_UID_MAX to login.defs (Tomas Mraz)
	* new[ug]idmap file capabilities support (Giuseppe Scrivano and Christian Brauner)
	* Fix segfault in useradd (Tomas Mraz)
	* Coverity issues (Tomas Mraz)
	* Flush sssd caches (Jakub Hrozek)
	* Log UID in nologin (Vladimir Ivanov)
	* run pam_getenvlist after setup_env in su.c (Michael Vogt)
	* Support systems with only utmpx (A. Wilcox)
	* Fix unguarded ENABLE_SUBIDS code (Jan Chren (rindeal))
	* Update po/zh_CN translation (Lion Yang)
	* Create parent dirs for useradd -m (Michael Vetter)
	* Prevent usermod segv
	* Fix usermod crash (fariouche)
    * Release 4.6
       2018-04-29  Serge Hallyn <serge@hallyn.com>
	* Newgrp: avoid unnecessary lookups
	* Make language less binary
	* Add error when turning off man switch
	* Spelling fixes
	* Make userdel work with -R
	* newgidmap: enforce setgroups=deny if self-mapping a group
	* Norwegian bokmål translation
	* pwck: prevent crash by not passing O_CREAT
	* WITH_TCB fixes from Mandriva
	* Fix pwconv and grpconv entry skips
	* Fix -- slurping in su
	* add --prefix option
       2017-07-16  Serge Hallyn <serge@hallyn.com>
	* Import new Dutch translations.
       2017-07-10  Serge Hallyn <serge@hallyn.com>
	* Expand error codes for groupmod.
       2017-05-17  Serge Hallyn <serge@hallyn.com>
    * Release 4.5
       2017-05-17  Serge Hallyn <serge@hallyn.com>
	* Patch from Tobias Stoeckmann fixing regression in previous CVE fix
	  preventing SIGTERM to su from being propagated to the job.
	* Patch from Chris Lamb making sp_lstchg shadow field reproducible.
	* Merge Russian translation updates from Yuri Kozlov
	* Fix missing close of subuid file on error
       2017-02-23  Serge Hallyn <serge@hallyn.com>
	* Merge patch by Tobias Stoeckmann <tobias@stoeckmann.org> to fix
	  the equivalent of util-linux CVE-2017-2616.
       2017-02-08  Serge Hallyn <serge@hallyn.com>
	* Update Kazakh translations
	* Consult configuration before calculating subuids
	* Remove misplaced semicolon
       2017-01-29  Serge Hallyn <serge@hallyn.com>
	* Patch from Fedora to improve performance with SSSD, Winbind,
	  or nss_ldap. (Tomas Mraz)
	* Make sure knowndef_table is NULL-terminated.  (Bernhard Rosenkränzer)
       2016-12-21  Serge Hallyn <serge@hallyn.com>
	* Drop leading underscore from _COMMONIO_H and _SHADOWIO_H
	* Fix readability in usermod error messages.
	* Reset user in tallylog
	* Add audit support to su
    * Changes since 4.4
       2016-12-02  Serge Hallyn <serge@hallyn.com>
	  - Use sizeof rather than hardcoding snprintf args
	  - Fix useradd improper default loading
	  - Update Vietnamese translations
	  - Update Polish translations
	  - Remove non-POSIX chmod option in Makefile
	  - Fix suidubins assignments
	  - Fix --add-subuids etc spelling in manpages
	  - Audit homedir ownership change.
	  - Print error on selinux file context update failure
	  - Keep original file perms when creating a backup
    * Changes since 4.2.1:
       2016-12-02  Serge Hallyn <serge@hallyn.com>
	  - Documentation, error report and translations updates
	  - Replace path_max with 32
	  - User namespace support fixes/updates including:
	    - Correct sanity checks in newXidmap
	    - Fix building without subuid support
	    - Add /etc/subuid support for UID matching
	    - Support subuid for nonlocal users
	    - Default to 65536 subuid allocations
	    - Respect -r
	    - Check for range overflows
	  - Add tests from svn tree
	  - Use AC_CHECK_SIZEOF for uid_t size checks
	  - Accommodate missing /etc and login.defs
	  - Support FORCE_SHADOW
	  - Be more robust in hostile environment
	  - Allow removing a primary group
	  - Clear passwords on __pw_dup errors
	  - Memory leak fix in commonio_update and get_map_ranges
	  - Fix resource leak in syslog_sg
	  - Fix user busy error at userdel
	  - Support set/clear lastlog record via lastlog command
	  - Add --no-create-home as longopt for -M
	  - Fix signal races
	  - Reduce syslog priority of common usage events

Fixes: Bug 12762
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
2022-01-18 21:23:42 +00:00


#
# /etc/login.defs - Configuration control definitions for the shadow package.
#
# $Id$
#
#
# Delay in seconds before being allowed another attempt after a login failure
# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
# pam_unix(8) enforces a 2s delay)
#
FAIL_DELAY 3
#
# Enable logging and display of /var/log/faillog login(1) failure info.
#
FAILLOG_ENAB yes
#
# Enable display of unknown usernames when login(1) failures are recorded.
#
LOG_UNKFAIL_ENAB no
#
# Enable logging of successful logins
#
LOG_OK_LOGINS no
#
# Enable logging and display of /var/log/lastlog login(1) time info.
#
LASTLOG_ENAB yes
#
# Enable checking and display of mailbox status upon login.
#
# Disable if the shell startup files already check for mail
# ("mailx -e" or equivalent).
#
MAIL_CHECK_ENAB yes
#
# Enable additional checks upon password changes.
#
OBSCURE_CHECKS_ENAB yes
#
# Enable checking of time restrictions specified in /etc/porttime.
#
PORTTIME_CHECKS_ENAB yes
#
# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field.
#
QUOTAS_ENAB yes
#
# Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
#
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
#
# If defined, either full pathname of a file containing device names or
# a ":" delimited list of device names. Root logins will be allowed only
# from these devices.
#
CONSOLE /etc/securetty
#
# If defined, all su(1) activity is logged to this file.
#
#SULOG_FILE /var/log/sulog
#
# If defined, ":" delimited list of "message of the day" files to
# be displayed upon login.
#
MOTD_FILE /etc/motd
#
# If defined, login(1) failures will be logged here in a utmp format.
# last(1), when invoked as lastb(1), will read /var/log/btmp, so...
#
FTMP_FILE /var/log/btmp
#
# If defined, name of file whose presence will inhibit non-root
# logins. The content of this file should be a message indicating
# why logins are inhibited.
#
NOLOGINS_FILE /etc/nologin
#
# If defined, the command name to display when running "su -". For
# example, if this is defined as "su" then ps(1) will display the
# command as "-su". If not defined, then ps(1) will display the
# name of the shell actually being run, e.g. something like "-sh".
#
SU_NAME su
#
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
#
MAIL_DIR /var/mail
#
# *REQUIRED* The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
ENV_PATH PATH=/bin:/usr/bin
#
# Terminal permissions
#
# TTYGROUP Login tty will be assigned this group ownership.
# TTYPERM Login tty will be set to this permission.
#
# If you have a write(1) program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP as the number of such group
# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
# set TTYPERM to either 622 or 600.
#
TTYGROUP tty
TTYPERM 0600
#
# Login configuration initializations:
#
# ERASECHAR Terminal ERASE character ('\010' = backspace).
# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
# ULIMIT Default "ulimit" value.
#
# The ERASECHAR and KILLCHAR are used only on System V machines.
# The ULIMIT is used only if the system supports it.
# (now it works with setrlimit too; ulimit is in 512-byte units)
#
# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
#
ERASECHAR 0177
KILLCHAR 025
#ULIMIT 2097152
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
# home directories.
# 022 is the default value, but 027, or even 077, could be considered
# for increased privacy. There is no One True Answer here: each sysadmin
# must make up his/her mind.
UMASK 022
#
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
#
# If "yes", the user must be listed as a member of the first gid 0 group
# in /etc/group (called "root" on most Linux systems) to be able to "su"
# to uid 0 accounts. If the group doesn't exist or is empty, no one
# will be able to "su" to uid 0.
#
SU_WHEEL_ONLY no
#
# If compiled with cracklib support, sets the path to the dictionaries
#
CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
#
# Min/max values for automatic uid selection in useradd(8)
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 101
SYS_UID_MAX 999
# Extra per user uids
SUB_UID_MIN 100000
SUB_UID_MAX 600100000
SUB_UID_COUNT 65536
#
# Min/max values for automatic gid selection in groupadd(8)
#
GID_MIN 1000
GID_MAX 60000
# System accounts
SYS_GID_MIN 101
SYS_GID_MAX 999
# Extra per user group ids
SUB_GID_MIN 100000
SUB_GID_MAX 600100000
SUB_GID_COUNT 65536
#
# Max number of login(1) retries if password is bad
#
LOGIN_RETRIES 5
#
# Max time in seconds for login(1)
#
LOGIN_TIMEOUT 60
#
# Maximum number of attempts to change password if rejected (too easy)
#
PASS_CHANGE_TRIES 5
#
# Warn about weak passwords (but still allow them) if you are root.
#
PASS_ALWAYS_WARN yes
#
# Require password before chfn(1)/chsh(1) can make any changes.
#
CHFN_AUTH yes
#
# Which fields may be changed by regular users using chfn(1) - use
# any combination of letters "frwh" (full name, room number, work
# phone, home phone). If not defined, no changes are allowed.
# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
#
CHFN_RESTRICT rwh
#
# Password prompt (%s will be replaced by user name).
#
# XXX - it doesn't work correctly yet, for now leave it commented out
# to use the default which is just "Password: ".
#LOGIN_STRING "%s's Password: "
#
# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
# If set to MD5, MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
# If set to DES, DES-based algorithm will be used for encrypting password (default)
# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
# Overrides the MD5_CRYPT_ENAB option
#
# Note: If you use PAM, it is recommended to use a value consistent with
# the PAM modules configuration.
#
ENCRYPT_METHOD YESCRYPT
#
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
#
# Define the number of SHA rounds.
# With a lot of rounds, it is more difficult to brute-force the password.
# However, more CPU resources will be needed to authenticate users if
# this value is increased.
#
# If not specified, the libc will choose the default number of rounds (5000).
# The values must be within the 1000-999999999 range.
# If only one of the MIN or MAX values is set, then this value will be used.
# If MIN > MAX, the highest value will be used.
#
# SHA_CRYPT_MIN_ROUNDS 5000
# SHA_CRYPT_MAX_ROUNDS 5000
#
# Should login be allowed if we can't cd to the home directory?
# Default is no.
#
DEFAULT_HOME yes
#
# If this file exists and is readable, login environment will be
# read from it. Every line should be in the form name=value.
#
ENVIRON_FILE /etc/environment
#
# Enable setting of the umask group bits to be the same as owner bits
# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
# the same as gid, and username is the same as the primary group name.
#
# This also enables userdel(8) to remove user groups if no members exist.
#
USERGROUPS_ENAB yes
#
# If set to a non-zero number, the shadow utilities will make sure that
# groups never have more than this number of users on one line.
# This makes it possible to support split groups (groups split into
# multiple lines, with the same group ID, to avoid the line-length
# limitation of the group file).
#
# 0 is the default value and disables this feature.
#
#MAX_MEMBERS_PER_GROUP 0
#
# If useradd(8) should create home directories for users by default (non
# system users only).
# This option is overridden with the -M or -m flags on the useradd(8)
# command-line.
#
#CREATE_HOME yes
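The rules the comments in this file describe for SHA_CRYPT_MIN_ROUNDS/SHA_CRYPT_MAX_ROUNDS, ENCRYPT_METHOD and the USERGROUPS_ENAB umask adjustment, as an added Python example that is not part of this page or of the shadow project. It parses the key-whitespace-value format of login.defs over a constructed fragment; clamping out-of-range round counts (rather than rejecting them) is an assumption.

```python
"""Model of the login.defs rules documented in the file's comments.
Added illustration, not shadow's own code."""

# Constructed sample fragment in login.defs format.
SAMPLE = """\
# comment line
ENCRYPT_METHOD YESCRYPT
UMASK 022
USERGROUPS_ENAB yes
SHA_CRYPT_MIN_ROUNDS 500000
# SHA_CRYPT_MAX_ROUNDS 5000   (commented out, so not set)
PASS_MAX_DAYS 99999
"""

ROUNDS_MIN, ROUNDS_MAX, ROUNDS_DEFAULT = 1000, 999999999, 5000
WEAK_METHODS = {"DES", "MD5"}  # "should not be used for new hashes"


def parse_login_defs(text):
    """Return {KEY: value}. '#' comments and blank lines are skipped;
    the value is everything after the first run of whitespace."""
    defs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        defs[parts[0]] = parts[1] if len(parts) > 1 else ""
    return defs


def resolve_sha_rounds(defs):
    """Effective (min, max) rounds: 5000 when neither key is set, the
    single value when only one is set, the highest value when MIN > MAX.
    Clamping into 1000..999999999 is an assumption of this model."""
    lo, hi = defs.get("SHA_CRYPT_MIN_ROUNDS"), defs.get("SHA_CRYPT_MAX_ROUNDS")
    if lo is None and hi is None:
        return (ROUNDS_DEFAULT, ROUNDS_DEFAULT)
    lo = int(lo if lo is not None else hi)
    hi = int(hi if hi is not None else lo)
    if lo > hi:
        lo = hi = max(lo, hi)
    clamp = lambda v: min(max(v, ROUNDS_MIN), ROUNDS_MAX)
    return (clamp(lo), clamp(hi))


def hash_method_ok(defs):
    """False for DES (the documented default when unset) and MD5."""
    return defs.get("ENCRYPT_METHOD", "DES").upper() not in WEAK_METHODS


def effective_umask(defs, uid, gid, username, groupname):
    """USERGROUPS_ENAB rule: for a non-root user whose uid == gid and whose
    name equals the primary group name, group bits copy the owner bits
    (022 -> 002, 077 -> 007)."""
    umask = int(defs.get("UMASK", "022"), 8)
    if (defs.get("USERGROUPS_ENAB", "no").lower() == "yes"
            and uid != 0 and uid == gid and username == groupname):
        owner = (umask >> 6) & 7
        umask = (umask & 0o707) | (owner << 3)
    return umask
```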