Debian Bug report logs - #21357
login: New upstream version of shadow suite available.

Package: login; Maintainer for login is Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>; Source for login is src:shadow.

Reported by: Joel Klecker <jk@espy.org>

Date: Sat, 18 Apr 1998 17:18:01 UTC

Severity: fixed

Found in version 970616-1

Done: Ben Collins <bcollins@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Guy Maor <maor@debian.org>:
Bug#21357; Package login.


Acknowledgement sent to Joel Klecker <jk@espy.org>:
New bug report received and forwarded. Copy sent to Guy Maor <maor@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Joel Klecker <jk@espy.org>
To: submit@bugs.debian.org
Subject: login: New upstream version of shadow suite available.
Date: Sat, 18 Apr 1998 09:43:18 -0700
Package: login
Version: 970616-1

A newer version of the shadow suite is available from: <ftp://ftp.ists.pwr.wroc.pl/pub/linux/shadow/shadow-980403.tar.gz>.

It has a large number of bug fixes over the current version and fixes at least one critical bug;
therefore I suggest it be made a part of hamm.

Here is a report on various bugs filed against login and passwd
(two of secure-su's normal bugs are in the debian-specific parts, and the other isn't fixed)
along with my recommendations:

13485: fixed
13753: has patch
14655: wishlist
15705: easy to implement
16587: add patch, and forward upstream
16793: close, duplicates 17894
16958: wishlist
17529: easily fixed
17532: fixed
17894: forward upstream
17911: easily fixed
18132: fixed


For your convenience, here is the changelog:

shadow-980130 => shadow-980403

- security: su now creates the sulog file (if enabled and doesn't
  already exist) with umask 077
- hopefully removed arbitrary group size limits (not yet for
  shadow groups though - sgetsgent() still needs a rewrite,
  but I don't want to delay this release any longer...)
- fixed NULL dereference in groupmod -n

shadow-971215 => shadow-980130

- Debian binary packages can be built without root privileges
  (tar wrapper - debian/tar.c)
- new subdir "redhat" (needs more work, see redhat/README)
- in several places, exit(127) if exec fails with ENOENT, and
  exit(126) on other errors (as in ksh and bash)
- renamed getpass() and md5_crypt() to libshadow_* to avoid name
  conflicts with libc functions - md5_crypt() is also in libcrypt.a
  on Linux/PPC, thanks to Anton Gluck <gluc@midway.uchicago.edu>
- handle crypt() returning NULL (possible according to Single Unix
  Spec) more gracefully (exit instead of SIGSEGV)
- fixed bug in putgrent() that showed up when realloc() moved the
  buffer while expanding it, thanks to Floody <flood@evcom.net>
- fixed bug in login session limits (with a limit set to N logins,
  only N-1 logins were allowed), thanks to Floody <flood@evcom.net>
- upgraded to libtool-1.0h (now recognizes GNU ld on Debian 1.3.1)
- newer config.guess and config.sub (should work on x86 for x > 5)
- removed doc/automake-1.0.diff (obsoleted by automake-1.2)
- added doc/cracklib26.diff (some patches for cracklib-2.6)
- documented more (not all yet) login.defs(5) settings
- replaced more exit status numeric values with #defines
- shadow-utils.spec now generated from shadow-utils.spec.in
  (so I don't have to edit version numbers for every new release)
- groupadd -f option, based on RedHat's shadow-utils-970616-9 patch
  ("force" - exit(0) if the group already exists); other RedHat-
  specific options not added yet (best done in a perl script that
  runs useradd/usermod/groupadd - see Debian's adduser-3.x)
- added -O option (override login.defs values) to useradd and groupadd
- if usermod can't update the group file(s), exit(10) but update the
  password file(s) anyway (as documented by Solaris man page)
- useradd should no longer set sp_expire to the current date (oops)
- configure.in: added --enable-desrpc, check for gethostbyname in libc
  before trying libnsl (necessary for Solaris; not for Linux or Irix,
  even though libnsl may be present), fixed pw_age/pw_comment/pw_quota
  detection, setpgrp vs. setpgid, other minor tweaks
- various */Makefile.am tweaks
- login.defs: added FAKE_SHELL - program to run instead of the login
  shell, with the real shell in argv[0] (Frank Denis)
- login.defs: ignore case in yes/no settings
- more E_* defines instead of hardcoded numbers for exit()
- added sanitize_env() for setuid programs
- login_desrpc() checks for getnetname() errors
- new password is not "too similar" if it is long enough
- replacement strstr() was static, no one noticed :-)
- {pw,spw}_lock() and {pw,spw}_unlock() track the lock count and call
  lckpwdf() and ulckpwdf() as needed, *_lock_first() hack removed
- login sets $REMOTEHOST for remote logins
- added newgrp -l option (Single Unix Spec, same as "-")
- EXPERIMENTAL shared lib support using libtool (libshadow.so saves about
  200K of disk space on Linux/x86), enabled by default if supported by
  the system, use ./configure --disable-shared if it causes any problems.
  Warning: libshadow.so is intended for internal use by this package
  only - binary compatibility with future releases is not guaranteed.
  There should be no need to link any other programs with libshadow.so -
  the libshadow.so -> libshadow.so.x.x symlink is unnecessary.
- pam_strerror() takes one or two arguments, depending on the Linux-PAM
  version (!) - added check to configure; fixed do_pam_passwd prototype
- libmisc/login_access.c should compile on Linux/PPC and Solaris
- added information about the new ftp site to doc/README.mirrors

shadow-971001 => shadow-971215

- added workaround for NYS libc 5.3.12 (RedHat 4.2) bug to grpck
- updated the RPM .spec file
- renamed rlogin() to do_rlogin() to avoid Linux/PPC build problem
  (glibc defines something else named "rlogin" in utmpbits.h ?)
- added MD5 checksums in Debian packages
- added -p and -g options to vipw (edit the password or group file
  respectively, regardless of the command name in argv[0])
- removed old DBM support (NDBM code is still there)
- fixed a bug in gpasswd: current username was incorrectly identified as
  "root" because of setuid(0) done too early.  It may be a security hole
  when using shadow groups - if "root" is listed as a group administrator,
  any user can add/remove members in that group.  Thanks to Jesse Thilo.
- gpasswd now logs which user (root or group admin) made the changes
- passwd now uses $PATH to search for the chfn, chsh, gpasswd commands
- newgrp and add_groups() allocate supplementary group lists dynamically
- moved check_shell() from src/chsh.c to libmisc/chkshell.c
- CHFN_RESTRICT in login.defs can now specify exactly which fields may be
  changed by regular users (any combination of letters "frwh")
- fixed contrib/pwdauth.c segfault with non-existent usernames
- minor change in lib/getdef.c to handle quotes better (Juergen Heinzl)
- new date parsing code (from GNU date) used by useradd, usermod, chage
- upgraded to automake-1.2, added libtool-0.7 (no libshadow.so yet)
- converted code to ANSI C, added ansi2knr (untested - use gcc!)
- fixed useradd -G segfault (one '*' that shouldn't be there)
- allow 8-bit characters in chfn
- added support for RLIMIT_AS (max address space) in libmisc/limits.c
- changed the handling of NIS plus entries in password files
- some more tweaking in various debian/* files
- logoutd uses getutent() instead of reading utmp file directly
- fixed lckpwdf() called twice (and failing) when changing password
  if the user is not listed in /etc/shadow (Mike Pakovic)
- erase and kill characters left unchanged if not defined in login.defs

shadow-970616 => shadow-971001

- Debian: mkpasswd no longer installed (dbm files not supported)
- chpasswd checks for shadow/non-shadow at run time, too
- added chpasswd -e (input file with encrypted passwords) - Jay Soffian
- changed libmisc/login_access.c as suggested by Dave Hagewood
- replaced sprintf() with snprintf() in several places
- added lib/snprintf.[ch] (from XFree86) for systems without snprintf()
- minor tweaks in contrib/adduser.c (/usr/local -> /usr)
- non-root users can only run su with a terminal on stdin
- temporarily disabled DES_RPC because getsecretkey() causes login to hang
  for 5 minutes on at least one RH 4.0 system.  Not sure if this is a bug
  in libc, or system misconfiguration.  Needs further investigation.
- check for strerror() and -lrpcsvc (should compile on SunOS again)
- fixed free() called twice in libmisc/mail.c
- added information about mirror sites (doc/README.mirrors)
- updated pwconv.8 and pwunconv.8 man pages
- "make install" now installs pwconv, pwunconv, grpconv, grpunconv
- pwauth.8 no longer installed (AUTH_METHODS not supported by default)
- corrected su.1 man page ($SHELL not used)
- no need for --with-md5crypt if the MD5-based crypt() is already in libc
  (or another library specified in /etc/ld.so.preload - Linux ld.so 1.8.0+)
- cleaned up PASS_MAX in getpass() (127 always assumed)
- default editor for vipw changed from /bin/ae to a real editor :)

Please let me know if it would be helpful to you if I do a non-maintainer release, because I am willing to do so.
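
The first shadow-980403 changelog entry quoted above (su creating the sulog file with umask 077), as an added example that is not shadow's source code and not part of the original report: a log file created under an inherited umask of 022 beside the same creation done under umask 077. The function names, the scratch path under /tmp and the log line are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Before: the new file's mode is 0666 masked by whatever umask was inherited. */
static int append_inherited(const char *path, const char *line) {
    FILE *fp = fopen(path, "a");
    if (fp == NULL) return -1;
    fputs(line, fp);
    return fclose(fp);
}

/* After: force umask 077 around the creating open, then restore the old mask. */
static int append_private(const char *path, const char *line) {
    mode_t old = umask(077);
    FILE *fp = fopen(path, "a");
    umask(old);
    if (fp == NULL) return -1;
    fputs(line, fp);
    return fclose(fp);
}

/* Create a fresh log in a scratch directory while the process umask is 022
   and return the permission bits the file ends up with (-1 on error). */
int demo_mode(int hardened) {
    char dir[] = "/tmp/sulog-demo-XXXXXX";
    char path[64];
    struct stat st;
    const char *line = "SU 04/18 09:43 + tty1 alice-root\n"; /* constructed */
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(path, sizeof path, "%s/sulog", dir);
    mode_t old = umask(022);
    int rc = hardened ? append_private(path, line) : append_inherited(path, line);
    umask(old);
    int mode = (rc == 0 && stat(path, &st) == 0) ? (int)(st.st_mode & 0777) : -1;
    unlink(path);
    rmdir(dir);
    return mode;
}

int main(void) {
    printf("inherited umask: %04o, umask 077: %04o\n", demo_mode(0), demo_mode(1));
    return 0;
}
```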


Severity set to `fixed'. Request was from Christian Kurz <shorty@debian.org> to control@bugs.debian.org.


Bug closed, ack sent to submitter - they'd better know why ! Request was from Ben Collins <bcollins@debian.org> to control@bugs.debian.org.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue May 7 10:47:48 2024; Machine Name: bembo
