Debian Bug report logs -
#21357
login: New upstream version of shadow suite available.
Reported by: Joel Klecker <jk@espy.org>
Date: Sat, 18 Apr 1998 17:18:01 UTC
Severity: fixed
Found in version 970616-1
Done: Ben Collins <bcollins@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Guy Maor <maor@debian.org>
:
Bug#21357
; Package login
.
(full text, mbox, link).
Acknowledgement sent to Joel Klecker <jk@espy.org>
:
New bug report received and forwarded. Copy sent to Guy Maor <maor@debian.org>
.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: login
Version: 970616-1
A newer version of the shadow suite is available from: <ftp://ftp.ists.pwr.wroc.pl/pub/linux/shadow/shadow-980403.tar.gz>.
It has a large number of bug fixes over the current version and fixes at least one critical bug,
therefore I suggest it be made a part of hamm.
Here is a report on various bugs filed against login and passwd
(two of secure-su's normal bugs are in the debian-specific parts, and the other isn't fixed)
along with my recommendations:
13485: fixed
13753: has patch
14655: wishlist
15705: easy to implement
16587: add patch, and forward upstream
16793: close, duplicates 17894
16958: wishlist
17529: easily fixed
17532: fixed
17894: forward upstream
17911: easily fixed
18132: fixed
For your convenience; here is the changelog:
shadow-980130 => shadow-980403
- security: su now creates the sulog file (if enabled and doesn't
already exist) with umask 077
- hopefully removed arbitrary group size limits (not yet for
shadow groups though - sgetsgent() still needs a rewrite,
but I don't want to delay this release any longer...)
- fixed NULL dereference in groupmod -n
shadow-971215 => shadow-980130
- Debian binary packages can be built without root privileges
(tar wrapper - debian/tar.c)
- new subdir "redhat" (needs more work, see redhat/README)
- in several places, exit(127) if exec fails with ENOENT, and
exit(126) on other errors (as in ksh and bash)
- renamed getpass() and md5_crypt() to libshadow_* to avoid name
conflicts with libc functions - md5_crypt() is also in libcrypt.a
on Linux/PPC, thanks to Anton Gluck <gluc@midway.uchicago.edu>
- handle crypt() returning NULL (possible according to Single Unix
Spec) more gracefully (exit instead of SIGSEGV)
- fixed bug in putgrent() that showed up when realloc() moved the
buffer while expanding it, thanks to Floody <flood@evcom.net>
- fixed bug in login session limits (with a limit set to N logins,
only N-1 logins were allowed), thanks to Floody <flood@evcom.net>
- upgraded to libtool-1.0h (now recognizes GNU ld on Debian 1.3.1)
- newer config.guess and config.sub (should work on x86 for x > 5)
- removed doc/automake-1.0.diff (obsoleted by automake-1.2)
- added doc/cracklib26.diff (some patches for cracklib-2.6)
- documented more (not all yet) login.defs(5) settings
- replaced more exit status numeric values with #defines
- shadow-utils.spec now generated from shadow-utils.spec.in
(so I don't have to edit version numbers for every new release)
- groupadd -f option, based on RedHat's shadow-utils-970616-9 patch
("force" - exit(0) if the group already exists); other RedHat-
specific options not added yet (best done in a perl script that
runs useradd/usermod/groupadd - see Debian's adduser-3.x)
- added -O option (override login.defs values) to useradd and groupadd
- if usermod can't update the group file(s), exit(10) but update the
password file(s) anyway (as documented by Solaris man page)
- useradd should no longer set sp_expire to the current date (oops)
- configure.in: added --enable-desrpc, check for gethostbyname in libc
before trying libnsl (necessary for Solaris; not for Linux or Irix,
even though libnsl may be present), fixed pw_age/pw_comment/pw_quota
detection, setpgrp vs. setpgid, other minor tweaks
- various */Makefile.am tweaks
- login.defs: added FAKE_SHELL - program to run instead of the login
shell, with the real shell in argv[0] (Frank Denis)
- login.defs: ignore case in yes/no settings
- more E_* defines instead of hardcoded numbers for exit()
- added sanitize_env() for setuid programs
- login_desrpc() checks for getnetname() errors
- new password is not "too similar" if it is long enough
- replacement strstr() was static, no one noticed :-)
- {pw,spw}_lock() and {pw,spw}_unlock() track the lock count and call
lckpwdf() and ulckpwdf() as needed, *_lock_first() hack removed
- login sets $REMOTEHOST for remote logins
- added newgrp -l option (Single Unix Spec, same as "-")
- EXPERIMENTAL shared lib support using libtool (libshadow.so saves about
200K of disk space on Linux/x86), enabled by default if supported by
the system, use ./configure --disable-shared if it causes any problems.
Warning: libshadow.so is intended for internal use by this package
only - binary compatibility with future releases is not guaranteed.
There should be no need to link any other programs with libshadow.so -
the libshadow.so -> libshadow.so.x.x symlink is unnecessary.
- pam_strerror() takes one or two arguments, depending on the Linux-PAM
version (!) - added check to configure; fixed do_pam_passwd prototype
- libmisc/login_access.c should compile on Linux/PPC and Solaris
- added information about the new ftp site to doc/README.mirrors
shadow-971001 => shadow-971215
- added workaround for NYS libc 5.3.12 (RedHat 4.2) bug to grpck
- updated the RPM .spec file
- renamed rlogin() to do_rlogin() to avoid Linux/PPC build problem
(glibc defines something else named "rlogin" in utmpbits.h ?)
- added MD5 checksums in Debian packages
- added -p and -g options to vipw (edit the password or group file
respectively, regardless of the command name in argv[0])
- removed old DBM support (NDBM code is still there)
- fixed a bug in gpasswd: current username was incorrectly identified as
"root" because of setuid(0) done too early. It may be a security hole
when using shadow groups - if "root" is listed as a group administrator,
any user can add/remove members in that group. Thanks to Jesse Thilo.
- gpasswd now logs which user (root or group admin) made the changes
- passwd now uses $PATH to search for the chfn, chsh, gpasswd commands
- newgrp and add_groups() allocate supplementary group lists dynamically
- moved check_shell() from src/chsh.c to libmisc/chkshell.c
- CHFN_RESTRICT in login.defs can now specify exactly which fields may be
changed by regular users (any combination of letters "frwh")
- fixed contrib/pwdauth.c segfault with non-existent usernames
- minor change in lib/getdef.c to handle quotes better (Juergen Heinzl)
- new date parsing code (from GNU date) used by useradd, usermod, chage
- upgraded to automake-1.2, added libtool-0.7 (no libshadow.so yet)
- converted code to ANSI C, added ansi2knr (untested - use gcc!)
- fixed useradd -G segfault (one '*' that shouldn't be there)
- allow 8-bit characters in chfn
- added support for RLIMIT_AS (max address space) in libmisc/limits.c
- changed the handling of NIS plus entries in password files
- some more tweaking in various debian/* files
- logoutd uses getutent() instead of reading utmp file directly
- fixed lckpwdf() called twice (and failing) when changing password
if the user is not listed in /etc/shadow (Mike Pakovic)
- erase and kill characters left unchanged if not defined in login.defs
shadow-970616 => shadow-971001
- Debian: mkpasswd no longer installed (dbm files not supported)
- chpasswd checks for shadow/non-shadow at run time, too
- added chpasswd -e (input file with encrypted passwords) - Jay Soffian
- changed libmisc/login_access.c as suggested by Dave Hagewood
- replaced sprintf() with snprintf() in several places
- added lib/snprintf.[ch] (from XFree86) for systems without snprintf()
- minor tweaks in contrib/adduser.c (/usr/local -> /usr)
- non-root users can only run su with a terminal on stdin
- temporarily disabled DES_RPC because getsecretkey() causes login to hang
for 5 minutes on at least one RH 4.0 system. Not sure if this is a bug
in libc, or system misconfiguration. Needs further investigation.
- check for strerror() and -lrpcsvc (should compile on SunOS again)
- fixed free() called twice in libmisc/mail.c
- added information about mirror sites (doc/README.mirrors)
- updated pwconv.8 and pwunconv.8 man pages
- "make install" now installs pwconv, pwunconv, grpconv, grpunconv
- pwauth.8 no longer installed (AUTH_METHODS not supported by default)
- corrected su.1 man page ($SHELL not used)
- no need for --with-md5crypt if the MD5-based crypt() is already in libc
(or another library specified in /etc/ld.so.preload - Linux ld.so 1.8.0+)
- cleaned up PASS_MAX in getpass() (127 always assumed)
- default editor for vipw changed from /bin/ae to a real editor :)
Please let me know if it would be helpful to you if I do a non-maintainer release, because I am willing to do so.
Severity set to `fixed'.
Request was from Christian Kurz <shorty@debian.org>
to control@bugs.debian.org
.
(full text, mbox, link).
Bug closed, ack sent to submitter - they'd better know why !
Request was from Ben Collins <bcollins@debian.org>
to control@bugs.debian.org
.
(full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Tue May 7 10:47:48 2024;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.