This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via 80bc60228b53635aa3e742467195b63adff30c59 (commit)
via 46d8d50f459be1cc2220b8b0a0de9c6943e9ab1f (commit)
via da314725051fe0ebf56fd9d28dae78ab7406c6f4 (commit)
from 60fc489b045bc35ff50b15c9b263ca9a3b7d4247 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 80bc60228b53635aa3e742467195b63adff30c59
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Sat Oct 1 18:55:23 2016 +0100
unbound: Print nicer error message when already running
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 46d8d50f459be1cc2220b8b0a0de9c6943e9ab1f
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Sat Oct 1 18:52:07 2016 +0100
unbound: Start unbound when invoked by DHCP scripts
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit da314725051fe0ebf56fd9d28dae78ab7406c6f4
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Sat Oct 1 18:37:28 2016 +0100
shadow-utils: Create standard set of configuration files
Previously we copied the default configuration from the upstream
package and modified that. Unfortunately a patch and a sed command
changed the file which resulted in unwanted changes.
This patch removes the patch and sed command and adds a new set
of configuration files that just need to be copied to the system.
Fixes #11195
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/shadow/limits | 30 ++
config/shadow/login.access | 54 ++++
config/shadow/login.defs | 316 +++++++++++++++++++++
lfs/shadow | 12 +-
.../networking/red.up/05-update-dns-forwarders | 12 +-
src/initscripts/init.d/unbound | 6 +
.../shadow-4.2.1-SHA512_password_hashing.patch | 38 ---
7 files changed, 423 insertions(+), 45 deletions(-)
create mode 100644 config/shadow/limits
create mode 100644 config/shadow/login.access
create mode 100644 config/shadow/login.defs
delete mode 100644 src/patches/shadow-4.2.1-SHA512_password_hashing.patch
Difference in files:
diff --git a/config/shadow/limits b/config/shadow/limits
new file mode 100644
index 0000000..d39f2d5
--- /dev/null
+++ b/config/shadow/limits
@@ -0,0 +1,30 @@
+# /etc/limits contains user resource limits.
+# See limits(5).
+#
+# Format:
+# <username> <limits-string>
+#
+# default entry is '*' for username
+#
+# Valid flags are:
+# A: max address space (KB)
+# C: max core file size (KB)
+# D: max data size (KB)
+# F: maximum filesize (KB)
+# M: max locked-in-memory address space (KB) [only for root on Linux 2.0.x]
+# N: max number of open files
+# R: max resident set size (KB) [no effect on Linux 2.0.x]
+# S: max stack size (KB)
+# T: max CPU time (MIN)
+# U: max number of processes
+# L: max number of logins for this user
+# I: max nice value (0..39 translates to 20..-19)
+# O: max real time priority (0..MAX_RT_PRIO)
+#
+# Examples:
+# the default entry
+#* L2 D6144 R2048 S2048 U32 N32 F16384 T5 C0 I20 O0
+# another way of suspending a user login
+#guest L0
+# this account has no limits
+#sysadm -
diff --git a/config/shadow/login.access b/config/shadow/login.access
new file mode 100644
index 0000000..3ed3688
--- /dev/null
+++ b/config/shadow/login.access
@@ -0,0 +1,54 @@
+# $Id$
+#
+# Login access control table.
+#
+# When someone logs in, the table is scanned for the first entry that
+# matches the (user, host) combination, or, in case of non-networked
+# logins, the first entry that matches the (user, tty) combination. The
+# permissions field of that table entry determines whether the login will
+# be accepted or refused.
+#
+# Format of the login access control table is three fields separated by a
+# ":" character:
+#
+# permission : users : origins
+#
+# The first field should be a "+" (access granted) or "-" (access denied)
+# character.
+#
+# The second field should be a list of one or more login names, group
+# names, or ALL (always matches). A pattern of the form user@host is
+# matched when the login name matches the "user" part, and when the
+# "host" part matches the local machine name.
+#
+# The third field should be a list of one or more tty names (for
+# non-networked logins), host names, domain names (begin with "."), host
+# addresses, internet network numbers (end with "."), ALL (always
+# matches) or LOCAL (matches any string that does not contain a "."
+# character).
+#
+# If you run NIS you can use @netgroupname in host or user patterns; this
+# even works for @usergroup@@hostgroup patterns. Weird.
+#
+# The EXCEPT operator makes it possible to write very compact rules.
+#
+# The group file is searched only when a name does not match that of the
+# logged-in user. Only groups are matched in which users are explicitly
+# listed: the program does not look at a user's primary group id value.
+#
+##############################################################################
+#
+# Disallow console logins to all but a few accounts.
+#
+#-:ALL EXCEPT wheel shutdown sync:console
+#
+# Disallow non-local logins to privileged accounts (group wheel).
+#
+#-:wheel:ALL EXCEPT LOCAL .win.tue.nl
+#
+# Some accounts are not allowed to login from anywhere:
+#
+#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
+#
+# All other accounts are allowed to login from anywhere.
+#
diff --git a/config/shadow/login.defs b/config/shadow/login.defs
new file mode 100644
index 0000000..d99597a
--- /dev/null
+++ b/config/shadow/login.defs
@@ -0,0 +1,316 @@
+#
+# /etc/login.defs - Configuration control definitions for the shadow package.
+#
+# $Id$
+#
+
+#
+# Delay in seconds before being allowed another attempt after a login failure
+# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
+# pam_unix(8) enforces a 2s delay)
+#
+FAIL_DELAY 3
+
+#
+# Enable logging and display of /var/log/faillog login(1) failure info.
+#
+FAILLOG_ENAB yes
+
+#
+# Enable display of unknown usernames when login(1) failures are recorded.
+#
+LOG_UNKFAIL_ENAB no
+
+#
+# Enable logging of successful logins
+#
+LOG_OK_LOGINS no
+
+#
+# Enable logging and display of /var/log/lastlog login(1) time info.
+#
+LASTLOG_ENAB yes
+
+#
+# Enable checking and display of mailbox status upon login.
+#
+# Disable if the shell startup files already check for mail
+# ("mailx -e" or equivalent).
+#
+MAIL_CHECK_ENAB yes
+
+#
+# Enable additional checks upon password changes.
+#
+OBSCURE_CHECKS_ENAB yes
+
+#
+# Enable checking of time restrictions specified in /etc/porttime.
+#
+PORTTIME_CHECKS_ENAB yes
+
+#
+# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field.
+#
+QUOTAS_ENAB yes
+
+#
+# Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
+# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
+#
+SYSLOG_SU_ENAB yes
+SYSLOG_SG_ENAB yes
+
+#
+# If defined, either full pathname of a file containing device names or
+# a ":" delimited list of device names. Root logins will be allowed only
+# from these devices.
+#
+CONSOLE /etc/securetty
+
+#
+# If defined, all su(1) activity is logged to this file.
+#
+#SULOG_FILE /var/log/sulog
+
+#
+# If defined, ":" delimited list of "message of the day" files to
+# be displayed upon login.
+#
+MOTD_FILE /etc/motd
+
+#
+# If defined, login(1) failures will be logged here in a utmp format.
+# last(1), when invoked as lastb(1), will read /var/log/btmp, so...
+#
+FTMP_FILE /var/log/btmp
+
+#
+# If defined, name of file whose presence will inhibit non-root
+# logins. The content of this file should be a message indicating
+# why logins are inhibited.
+#
+NOLOGINS_FILE /etc/nologin
+
+#
+# If defined, the command name to display when running "su -". For
+# example, if this is defined as "su" then ps(1) will display the
+# command as "-su". If not defined, then ps(1) will display the
+# name of the shell actually being run, e.g. something like "-sh".
+#
+SU_NAME su
+
+#
+# *REQUIRED*
+# Directory where mailboxes reside, _or_ name of file, relative to the
+# home directory. If you _do_ define both, MAIL_DIR takes precedence.
+#
+MAIL_DIR /var/mail
+
+#
+# *REQUIRED* The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
+ENV_PATH PATH=/bin:/usr/bin
+
+#
+# Terminal permissions
+#
+# TTYGROUP Login tty will be assigned this group ownership.
+# TTYPERM Login tty will be set to this permission.
+#
+# If you have a write(1) program which is "setgid" to a special group
+# which owns the terminals, define TTYGROUP as the number of such group
+# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
+# set TTYPERM to either 622 or 600.
+#
+TTYGROUP tty
+TTYPERM 0600
+
+#
+# Login configuration initializations:
+#
+# ERASECHAR Terminal ERASE character ('\010' = backspace).
+# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
+# ULIMIT Default "ulimit" value.
+#
+# The ERASECHAR and KILLCHAR are used only on System V machines.
+# The ULIMIT is used only if the system supports it.
+# (now it works with setrlimit too; ulimit is in 512-byte units)
+#
+# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
+#
+ERASECHAR 0177
+KILLCHAR 025
+#ULIMIT 2097152
+
+# Default initial "umask" value used by login(1) on non-PAM enabled systems.
+# Default "umask" value for pam_umask(8) on PAM enabled systems.
+# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
+# home directories.
+# 022 is the default value, but 027, or even 077, could be considered
+# for increased privacy. There is no One True Answer here: each sysadmin
+# must make up his/her mind.
+UMASK 022
+
+#
+# Password aging controls:
+#
+# PASS_MAX_DAYS Maximum number of days a password may be used.
+# PASS_MIN_DAYS Minimum number of days allowed between password changes.
+# PASS_MIN_LEN Minimum acceptable password length.
+# PASS_WARN_AGE Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS 99999
+PASS_MIN_DAYS 0
+PASS_MIN_LEN 5
+PASS_WARN_AGE 7
+
+#
+# If "yes", the user must be listed as a member of the first gid 0 group
+# in /etc/group (called "root" on most Linux systems) to be able to "su"
+# to uid 0 accounts. If the group doesn't exist or is empty, no one
+# will be able to "su" to uid 0.
+#
+SU_WHEEL_ONLY no
+
+#
+# If compiled with cracklib support, sets the path to the dictionaries
+#
+CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
+
+#
+# Min/max values for automatic uid selection in useradd(8)
+#
+UID_MIN 1000
+UID_MAX 60000
+# System accounts
+SYS_UID_MIN 101
+SYS_UID_MAX 999
+# Extra per user uids
+SUB_UID_MIN 100000
+SUB_UID_MAX 600100000
+SUB_UID_COUNT 65536
+
+#
+# Min/max values for automatic gid selection in groupadd(8)
+#
+GID_MIN 1000
+GID_MAX 60000
+# System accounts
+SYS_GID_MIN 101
+SYS_GID_MAX 999
+# Extra per user group ids
+SUB_GID_MIN 100000
+SUB_GID_MAX 600100000
+SUB_GID_COUNT 65536
+
+#
+# Max number of login(1) retries if password is bad
+#
+LOGIN_RETRIES 5
+
+#
+# Max time in seconds for login(1)
+#
+LOGIN_TIMEOUT 60
+
+#
+# Maximum number of attempts to change password if rejected (too easy)
+#
+PASS_CHANGE_TRIES 5
+
+#
+# Warn about weak passwords (but still allow them) if you are root.
+#
+PASS_ALWAYS_WARN yes
+
+#
+# Require password before chfn(1)/chsh(1) can make any changes.
+#
+CHFN_AUTH yes
+
+#
+# Which fields may be changed by regular users using chfn(1) - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone). If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+#
+CHFN_RESTRICT rwh
+
+#
+# Password prompt (%s will be replaced by user name).
+#
+# XXX - it doesn't work correctly yet, for now leave it commented out
+# to use the default which is just "Password: ".
+#LOGIN_STRING "%s's Password: "
+
+#
+# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
+# If set to MD5, MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+# Overrides the MD5_CRYPT_ENAB option
+#
+# Note: If you use PAM, it is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+ENCRYPT_METHOD SHA512
+
+#
+# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
+#
+# Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute-force the password.
+# However, more CPU resources will be needed to authenticate users if
+# this value is increased.
+#
+# If not specified, the libc will choose the default number of rounds (5000).
+# The values must be within the 1000-999999999 range.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+# SHA_CRYPT_MIN_ROUNDS 5000
+# SHA_CRYPT_MAX_ROUNDS 5000
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default is no.
+#
+DEFAULT_HOME yes
+
+#
+# If this file exists and is readable, login environment will be
+# read from it. Every line should be in the form name=value.
+#
+ENVIRON_FILE /etc/environment
+
+#
+# Enable setting of the umask group bits to be the same as owner bits
+# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
+# the same as gid, and username is the same as the primary group name.
+#
+# This also enables userdel(8) to remove user groups if no members exist.
+#
+USERGROUPS_ENAB yes
+
+#
+# If set to a non-zero number, the shadow utilities will make sure that
+# groups never have more than this number of users on one line.
+# This permits to support split groups (groups split into multiple lines,
+# with the same group ID, to avoid limitation of the line length in the
+# group file).
+#
+# 0 is the default value and disables this feature.
+#
+#MAX_MEMBERS_PER_GROUP 0
+
+#
+# If useradd(8) should create home directories for users by default (non
+# system users only).
+# This option is overridden with the -M or -m flags on the useradd(8)
+# command-line.
+#
+#CREATE_HOME yes
diff --git a/lfs/shadow b/lfs/shadow
index b4777b9..c445dd3 100644
--- a/lfs/shadow
+++ b/lfs/shadow
@@ -71,7 +71,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/shadow-4.2.1-suppress_installation_of_groups.patch
- cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/shadow-4.2.1-SHA512_password_hashing.patch
cd $(DIR_APP) && ./configure --libdir=/lib \
--sysconfdir=/etc \
--enable-shared \
@@ -80,12 +79,15 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
--with-group-name-max-length=32
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
- cd $(DIR_APP) && cp -v etc/{limits,login.access} /etc
- cd $(DIR_APP) && sed -e's@#MD5_CRYPT_ENAB.no@MD5_CRYPT_ENAB yes@' \
- -e 's@/var/spool/mail@/var/mail@' \
- etc/login.defs > /etc/login.defs
+
mv -v /usr/bin/passwd /bin
ln -sfv ../../lib/libshadow.so.0 /usr/lib/libshadow.so
+
+ # Install configuration
+ install -m 644 $(DIR_SRC)/config/shadow/limits /etc/limits
+ install -m 644 $(DIR_SRC)/config/shadow/login.access /etc/login.access
+ install -m 644 $(DIR_SRC)/config/shadow/login.defs /etc/login.defs
+
touch /etc/shadow
chmod 600 /etc/shadow
pwconv
diff --git a/src/initscripts/init.d/networking/red.up/05-update-dns-forwarders b/src/initscripts/init.d/networking/red.up/05-update-dns-forwarders
index 7f35696..be8879c 100644
--- a/src/initscripts/init.d/networking/red.up/05-update-dns-forwarders
+++ b/src/initscripts/init.d/networking/red.up/05-update-dns-forwarders
@@ -1,4 +1,12 @@
#!/bin/bash
-# Update DNS forwarders for unbound
-exec /etc/init.d/unbound update-forwarders
+# If network has not fully been brought up here, we start unbound
+# so that all following scripts can rely on DNS resolution
+
+# Update DNS forwarders if unbound is running
+if pgrep -q unbound; then
+ exec /etc/init.d/unbound update-forwarders
+fi
+
+# Start unbound if it is not running, yet
+exec /etc/init.d/unbound start
diff --git a/src/initscripts/init.d/unbound b/src/initscripts/init.d/unbound
index 6496265..1b2649f 100644
--- a/src/initscripts/init.d/unbound
+++ b/src/initscripts/init.d/unbound
@@ -181,6 +181,12 @@ get_memory_amount() {
case "$1" in
start)
+ # Print a nicer messagen when unbound is already running
+ if pidofproc -s unbound; then
+ statusproc /usr/sbin/unbound
+ exit 0
+ fi
+
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
# Create control keys at first run
diff --git a/src/patches/shadow-4.2.1-SHA512_password_hashing.patch b/src/patches/shadow-4.2.1-SHA512_password_hashing.patch
deleted file mode 100644
index 7fc5bc9..0000000
--- a/src/patches/shadow-4.2.1-SHA512_password_hashing.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-diff -crB shadow-4.2.1-a/etc/login.defs shadow-4.2.1-b/etc/login.defs
-*** shadow-4.2.1-a/etc/login.defs 2014-05-09 10:20:28.000000000 +0000
---- shadow-4.2.1-b/etc/login.defs 2016-03-13 10:51:09.680171239 +0000
-***************
-*** 118,124 ****
- # Directory where mailboxes reside, _or_ name of file, relative to the
- # home directory. If you _do_ define both, MAIL_DIR takes precedence.
- #
-! MAIL_DIR /var/spool/mail
- #MAIL_FILE .mail
-
- #
---- 118,124 ----
- # Directory where mailboxes reside, _or_ name of file, relative to the
- # home directory. If you _do_ define both, MAIL_DIR takes precedence.
- #
-! MAIL_DIR /var/mail
- #MAIL_FILE .mail
-
- #
-***************
-*** 317,323 ****
- # Note: If you use PAM, it is recommended to use a value consistent with
- # the PAM modules configuration.
- #
-! #ENCRYPT_METHOD DES
-
- #
- # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
---- 317,323 ----
- # Note: If you use PAM, it is recommended to use a value consistent with
- # the PAM modules configuration.
- #
-! ENCRYPT_METHOD SHA512
-
- #
- # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
-Only in shadow-4.2.1-b: SHA512_password_hashing.patch
hooks/post-receive
--
IPFire 2.x development tree