Large version jump from 4.8.1 to 4.19.4 (latest upstream LTS).
Build changes:
- Refresh patches/004-fix-su-controoling-term.patch: su.c moved the
  ioctl() call from line 1122 to 1169 and changed (char *) 0 to
  (char *) NULL; update patch context and re-canonicalise through
  quilt (blank context line spacing).
- New CONFIGURE_ARGS:
  * --disable-logind: 4.19.4 added an optional libsystemd-based
    logind integration which OpenWrt doesn't ship.
  * --without-libbsd: shadow's configure now hard-fails on missing
    readpassphrase() unless libbsd is found; the in-tree
    lib/readpassphrase.c fallback is enabled by --without-libbsd.
  * --without-sssd: avoid dragging in an sssd build dep.
  * --disable-subordinate-ids: 4.19.4 builds libsubid (subuid/subgid
    runtime API) unconditionally when subids are enabled, and its
    libtool -export-symbols-regex generates a version script that
    binutils 2.40+ rejects against libxcrypt's versioned
    crypt_checksalt@@XCRYPT_4.3 symbol. Disabling subordinate-ids
    skips libsubid entirely; OpenWrt doesn't ship libsubid.
- Drop newgidmap, newuidmap, lastlog and groups from SHADOW_APPLETS:
  newgidmap/newuidmap are only built when subordinate-ids are
  enabled, lastlog defaults to disabled in 4.19.4, and the groups
  binary was removed from shadow upstream (use coreutils).

Test coverage:
- Replace the per-applet --version check in test.sh with per-applet
  functional tests:
    pwck          -> 'pwck -r' read-only consistency check; accept
                     non-zero exit since the CI container's /etc/passwd
                     trips minor warnings.
    grpck         -> 'grpck -r' read-only consistency check.
    chage         -> 'chage -l root' lists password aging info.
    useradd       -> 'useradd -D' dumps defaults without modifying state.
    passwd        -> 'passwd -S root' prints the password status line.
    faillog       -> create empty /var/log/faillog then 'faillog -a'
                     must emit a header line.
    login/su      -> PAM-interactive; presence covered by generic tests.
    Other applets -> verify binary presence (CI's generic tests
                     already check stripped, no build paths, linked-libs).
- Add test-version.sh as a generic-version-check override: shadow
  tools don't honour --version (only --help), so the framework's
  probe finds no PKG_VERSION match in any binary and would otherwise
  fail Generic tests for every sub-package.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Seems a lot of packages are just getting abandoned by people.
Will pick these up and see them through.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
This reverts commit f18594a00f.
The whole libxcrypt package was reworked in the base repo to fix
libcrypto-compat and the name was restored to libxcrypt.
Signed-off-by: Robert Marko <robimarko@gmail.com>
Since size is not a problem here, use libxcrypt to avoid algorithm
availability. Changed default to bcrypt as that's the strongest
supported by shadow-utils.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
If musl has no bcrypt:
passwd: failed to crypt password with salt '$2a$13$w8EJ0Yfz5bGsG4U/0m7bk/': Function not implemented
The password for root is unchanged.
glibc output as it has no bcrypt:
passwd: failed to crypt password with salt '$2a$13$xbpmAYmq6Q/rZN5jOlNxJZ': Invalid argument
The password for root is unchanged.
--without-bcrypt output:
Invalid ENCRYPT_METHOD value: 'BCRYPT'.
Defaulting to DES.
passwd: password changed.
The solution was tested on glibc despite using a musl-specific variable.
Still works.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Fixed license information.
Removed patch requiring autoreconf and replaced with a configure variable.
Removed faulty patch that broke systems without a disabled crypt size hack.
Replaced with using a SED command as well as bcrypt, which works in musl.
Removed su patch and converted it to a SED command in the Makefile.
Added new shadow utilities.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Busybox by default uses SHA512 as well.
On big distributions this default is sourced from PAM. That means that
shadow reads PAM settings and uses that. OpenWrt in most cases does not
have PAM installed and in such a case shadow falls back to its own default,
which is DES. This just changes that default to SHA512, which is
consistent with the rest of the system.
Signed-off-by: Karel Kočí <karel.koci@nic.cz>
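
Added example, not part of these commit messages or of the OpenWrt/shadow sources: the two changes above (the "Defaulting to DES" output and the DES-to-SHA512 default) are about ENCRYPT_METHOD falling back to DES, so this check classifies each entry of a shadow-format file by its crypt(3) prefix and reports accounts that carry DES, MD5 or empty passwords. The function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not OpenWrt or shadow code): flag weak crypt(3) schemes in a
# shadow-format file, e.g. entries written after ENCRYPT_METHOD fell back to DES.

# classify_hash FIELD -> prints the scheme implied by the hash prefix.
classify_hash() {
    h=$1
    [ -z "$h" ] && { echo empty; return 0; }
    # A leading '!' only locks the account; classify the hash behind it.
    while [ "${h#\!}" != "$h" ]; do h=${h#\!}; done
    case "$h" in
        ''|'*')           echo locked ;;
        '$y$'*)           echo yescrypt ;;
        '$2'[abxy]'$'*)   echo bcrypt ;;
        '$6$'*)           echo sha512 ;;
        '$5$'*)           echo sha256 ;;
        '$1$'*)           echo md5 ;;
        *[!./0-9A-Za-z]*) echo unknown ;;
        # Traditional DES crypt: exactly 13 characters from [./0-9A-Za-z].
        *) if [ "${#h}" -eq 13 ]; then echo des; else echo unknown; fi ;;
    esac
}

# audit_shadow FILE -> prints "user:scheme" per weak entry; returns 1 if any.
audit_shadow() {
    weak=0
    while IFS=: read -r user hash _rest; do
        case "$user" in ''|'#'*) continue ;; esac
        scheme=$(classify_hash "$hash")
        case "$scheme" in
            des|md5|empty) echo "$user:$scheme"; weak=1 ;;
        esac
    done < "$1"
    return "$weak"
}

# Constructed sample entries (hash bodies are placeholders, not real hashes).
sample_shadow() {
    cat <<'EOF'
root:$2a$13$constructedsaltconstructedhash:19000:0:99999:7:::
admin:ab0123456789.:19000:0:99999:7:::
daemon:*:0:0:99999:7:::
legacy:$1$constructed$placeholder:19000:0:99999:7:::
svc:!$6$constructed$placeholder:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF
}

# Usage: sh audit.sh /etc/shadow   (needs read access to the file)
if [ "$#" -gt 0 ]; then audit_shadow "$1"; fi
```

Entries reported as `des` predate or bypassed the stronger default and need a password reset to be re-hashed; changing ENCRYPT_METHOD alone does not rewrite existing hashes.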
During the 4.2.1 version update, support for subordinate IDs has been
disabled. It was handled by:
1) Adding --disable-subordinate-ids to avoid:
configure: error: cannot run test program while cross compiling
2) Adding patch 003-fix-disabling-subids.patch to avoid:
usermod.c: In function 'process_flags':
usermod.c:1364:10: error: 'vflg' undeclared (first use in this function)
if ( (vflg || Vflg)
^
This commit adds a patch with a proper configure.in fix. We don't need
to disable subordinate IDs anymore.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
fix Makefile chmod (644)
replace MD5SUM with HASH
add PKG_MIRROR_HASH when PKG_SOURCE_PROTO:=git
(PKG_SOURCE_PROTO:=svn tarballs are not reproducible for now)
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
If you have a firstboot script which seeds a passwd based on
run-time information (like MAC addresses, hostname, etc) then
you need to be able to pass in a cleartext string via chpasswd.
Other applets are similarly potentially useful in other corner
cases.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
The "+ALL:shadow" dependency causes conflict with passwd utility
as it is provided by busybox in the default configuration.
Signed-off-by: Gergely Kiss <mail.gery@gmail.com>
Include nls.mk rather than explicitly using the stub versions.
This allows making the packages depend on the full versions
of libiconv & libintl and thus to have full language support.
Signed-off-by: Gergely Kiss <mail.gery@gmail.com>