Diffstat (limited to 'repo/shadow')
-rw-r--r--repo/shadow/chage.pamd11
-rw-r--r--repo/shadow/chpasswd.pamd12
-rw-r--r--repo/shadow/login.pamd46
-rw-r--r--repo/shadow/newusers.pamd12
-rw-r--r--repo/shadow/passwd.pamd6
-rw-r--r--repo/shadow/shadow.xibuild136
-rw-r--r--repo/shadow/su.pamd27
7 files changed, 250 insertions, 0 deletions
diff --git a/repo/shadow/chage.pamd b/repo/shadow/chage.pamd
new file mode 100644
index 0000000..3f277f8
--- /dev/null
+++ b/repo/shadow/chage.pamd
@@ -0,0 +1,11 @@
+# Begin /etc/pam.d/chage
+
+# always allow root
+auth sufficient pam_rootok.so
+
+# include system auth and account settings
+auth include system-auth
+account include system-account
+
+# End /etc/pam.d/chage
+
diff --git a/repo/shadow/chpasswd.pamd b/repo/shadow/chpasswd.pamd
new file mode 100644
index 0000000..81afbee
--- /dev/null
+++ b/repo/shadow/chpasswd.pamd
@@ -0,0 +1,12 @@
+# Begin /etc/pam.d/newusers
+
+# always allow root
+auth sufficient pam_rootok.so
+
+# include system auth and account settings
+auth include system-auth
+account include system-account
+password include system-password
+
+# End /etc/pam.d/newusers
+
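Review bot: The header and footer comments in chpasswd.pamd read `# Begin /etc/pam.d/newusers` and `# End /etc/pam.d/newusers`, while newusers.pamd carries the chpasswd ones, so the labels look swapped between the two files. The rule lines are identical, so behaviour is unaffected. However, package() in shadow.xibuild installs each file under the name taken from its file name, so /etc/pam.d/chpasswd ends up labelled as newusers and vice versa. Use `# Begin /etc/pam.d/chpasswd` and `# End /etc/pam.d/chpasswd` here, and the newusers equivalents in newusers.pamd.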
diff --git a/repo/shadow/login.pamd b/repo/shadow/login.pamd
new file mode 100644
index 0000000..c6410c1
--- /dev/null
+++ b/repo/shadow/login.pamd
@@ -0,0 +1,46 @@
+# Begin /etc/pam.d/login
+
+# Set failure delay before next prompt to 3 seconds
+auth optional pam_faildelay.so delay=3000000
+
+# Check to make sure that the user is allowed to login
+auth requisite pam_nologin.so
+
+# Check to make sure that root is allowed to login
+# Disabled by default. You will need to create /etc/securetty
+# file for this module to function. See man 5 securetty.
+#auth required pam_securetty.so
+
+# Additional group memberships - disabled by default
+#auth optional pam_group.so
+
+# include system auth settings
+auth include system-auth
+
+# check access for the user
+account required pam_access.so
+
+# include system account settings
+account include system-account
+
+# Set default environment variables for the user
+session required pam_env.so
+
+# Set resource limits for the user
+session required pam_limits.so
+
+# Display date of last login - Disabled by default
+#session optional pam_lastlog.so
+
+# Display the message of the day - Disabled by default
+#session optional pam_motd.so
+
+# Check user's mail - Disabled by default
+#session optional pam_mail.so standard quiet
+
+# include system session and password settings
+session include system-session
+password include system-password
+
+# End /etc/pam.d/login
+
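Review bot: The comment above `auth requisite pam_nologin.so` says it checks that the user is allowed to log in, which overstates what the module does: it only refuses non-root logins while /etc/nologin exists. A comment such as `# Refuse non-root logins while /etc/nologin exists` would be accurate. Because `pam_securetty.so` stays commented out, the block above it could also state that root may log in on any terminal that runs login until /etc/securetty is created and the line is enabled.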
diff --git a/repo/shadow/newusers.pamd b/repo/shadow/newusers.pamd
new file mode 100644
index 0000000..57f5cfa
--- /dev/null
+++ b/repo/shadow/newusers.pamd
@@ -0,0 +1,12 @@
+# Begin /etc/pam.d/chpasswd
+
+# always allow root
+auth sufficient pam_rootok.so
+
+# include system auth and account settings
+auth include system-auth
+account include system-account
+password include system-password
+
+# End /etc/pam.d/chpasswd
+
diff --git a/repo/shadow/passwd.pamd b/repo/shadow/passwd.pamd
new file mode 100644
index 0000000..83459e3
--- /dev/null
+++ b/repo/shadow/passwd.pamd
@@ -0,0 +1,6 @@
+# Begin /etc/pam.d/passwd
+
+password include system-password
+
+# End /etc/pam.d/passwd
+
diff --git a/repo/shadow/shadow.xibuild b/repo/shadow/shadow.xibuild
new file mode 100644
index 0000000..22bd2f1
--- /dev/null
+++ b/repo/shadow/shadow.xibuild
@@ -0,0 +1,136 @@
+#!/bin/sh
+
+MAKEDEPS="make "
+DEPS="acl libcap libxcrypt"
+
+PKG_VER=4.11.1
+
+SOURCE=https://github.com/shadow-maint/shadow/releases/download/v$PKG_VER/shadow-$PKG_VER.tar.xz
+DESC="Password and account management tool suite with support for shadow files and PAM"
+ADDITIONAL="
+ chage.pamd
+ chpasswd.pamd
+ login.pamd
+ newusers.pamd
+ passwd.pamd
+ su.pamd
+"
+
+prepare () {
+
+ sed -i 's/groups$(EXEEXT) //' src/Makefile.in
+ find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \;
+ find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \;
+ find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \;
+
+ sed -e 's:#ENCRYPT_METHOD DES:ENCRYPT_METHOD SHA512:' \
+ -e 's:/var/spool/mail:/var/mail:' \
+ -e '/PATH=/{s@/sbin:@@;s@/bin:@@}' \
+ -i etc/login.defs
+
+ mkdir -p $PKG_DEST/usr/bin
+ touch $PKG_DEST/usr/bin/passwd
+
+}
+
+build () {
+ ./configure \
+ --prefix=/usr \
+ --sysconfdir=/etc \
+ --mandir=/usr/share/man \
+ --localstatedir=/var \
+ --disable-account-tools-setuid \
+ --disable-nls \
+ --without-audit \
+ --with-libpam \
+ --without-selinux \
+ --without-acl \
+ --without-attr \
+ --without-tcb \
+ --with-yescrypt \
+ --without-nscd \
+ --without-group-name-max-length \
+ --with-fcaps
+
+ make
+}
+
+package () {
+ make exec_prefix=/usr DESTDIR=$PKG_DEST install
+ make DESTDIR=$PKG_DEST -C man install-man
+ mkdir -p $PKG_DEST/etc/default
+
+ [ -d $PKG_DEST/etc/pam.d ] && rm -rf $PKG_DEST/etc/pam.d/*
+
+
+ install -m644 $PKG_DEST/etc/login.defs $PKG_DEST/etc/login.defs.orig &&
+ echo "USERGROUPS_ENAB yes"> $PKG_DEST/etc/login.defs
+
+ for f in $ADDITIONAL; do
+ case $f in
+ *.pamd)
+ cp $f $PKG_DEST/etc/pam.d/${f%.pamd}
+ ;;
+ esac
+ done
+ cp $PKG_DEST/etc/pam.d/su $PKG_DEST/etc/pam.d/su-l
+
+ for PROGRAM in chfn chgpasswd chsh groupadd groupdel \
+ groupmems groupmod useradd userdel usermod
+ do
+ install -m644 chage.pamd $PKG_DEST/etc/pam.d/${PROGRAM}
+ sed -i "s/chage/$PROGRAM/" $PKG_DEST/etc/pam.d/${PROGRAM}
+ done
+
+ [ -f $PKG_DEST/etc/login.access ] && mv $PKG_DEST/etc/login.access $PKG_DEST/etc/login.access.NOUSE || true
+ [ -f $PKG_DEST/etc/limits ] && mv $PKG_DEST/etc/limits $PKG_DEST/etc/limits.NOUSE || true
+
+ rm $PKG_DEST/usr/bin/su
+}
+
+postinstall () {
+
+ [ ! -f /etc/passwd ] &&
+ cat > /etc/passwd << "EOF"
+root:x:0:0:root:/root:/bin/bash
+bin:x:1:1:bin:/dev/null:/usr/bin/false
+daemon:x:6:6:Daemon User:/dev/null:/usr/bin/false
+messagebus:x:18:18:D-Bus Message Daemon User:/run/dbus:/usr/bin/false
+uuidd:x:80:80:UUID Generation Daemon User:/dev/null:/usr/bin/false
+nobody:x:99:99:Unprivileged User:/dev/null:/usr/bin/false
+EOF
+
+ [ ! -f /etc/group ] &&
+ cat > /etc/group << "EOF"
+root:x:0:root
+bin:x:1:daemon
+sys:x:2:
+kmem:x:3:
+tape:x:4:
+tty:x:5:
+daemon:x:6:
+floppy:x:7:
+disk:x:8:
+lp:x:9:
+dialout:x:10:
+audio:x:11:
+video:x:12:
+utmp:x:13:
+usb:x:14:
+cdrom:x:15:
+adm:x:16:
+messagebus:x:18:
+input:x:24:
+mail:x:34:
+kvm:x:61:
+uuidd:x:80:
+wheel:x:97:
+nogroup:x:99:
+users:x:999:
+EOF
+ /usr/sbin/pwconv
+ /usr/sbin/grpconv
+ chmod 0640 /etc/shadow
+ mkdir -p /etc/default
+ /usr/sbin/useradd -D --gid 999
+}
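Review bot: In package(), `echo "USERGROUPS_ENAB yes"> $PKG_DEST/etc/login.defs` truncates the installed login.defs to that single line, so the `ENCRYPT_METHOD SHA512`, mail-path and PATH edits from prepare() survive only in login.defs.orig; if the intent was to add the setting, use `>>`. Any shadow tool that reads ENCRYPT_METHOD from login.defs instead of going through PAM would then use its built-in default, so it is worth confirming which hash that yields. Separately, `[ -d $PKG_DEST/etc/pam.d ] && rm -rf $PKG_DEST/etc/pam.d/*` would act on the build host's /etc/pam.d if PKG_DEST were ever empty; `rm -rf "${PKG_DEST:?}"/etc/pam.d/*` aborts instead, and the other `$PKG_DEST` expansions should be quoted as well. The SOURCE tarball has no checksum or signature check visible in this file; if the build tool does not verify it elsewhere, that check belongs alongside SOURCE.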
diff --git a/repo/shadow/su.pamd b/repo/shadow/su.pamd
new file mode 100644
index 0000000..ca6ab90
--- /dev/null
+++ b/repo/shadow/su.pamd
@@ -0,0 +1,27 @@
+# Begin /etc/pam.d/su
+
+# always allow root
+auth sufficient pam_rootok.so
+
+# Allow users in the wheel group to execute su without a password
+# disabled by default
+#auth sufficient pam_wheel.so trust use_uid
+
+# include system auth settings
+auth include system-auth
+
+# limit su to users in the wheel group
+# disabled by default
+#auth required pam_wheel.so use_uid
+
+# include system account settings
+account include system-account
+
+# Set default environment variables for the service user
+session required pam_env.so
+
+# include system session settings
+session include system-session
+
+# End /etc/pam.d/su
+