[shadow] 4.18.0-1: init package

0003-Add-Arch-Linux-defaults-for-login.defs.patch

@@ -0,0 +1,73 @@
+From 23800dc9ac32da588f516371caf026dd67e1597f Mon Sep 17 00:00:00 2001
+From: David Runge <[email protected]>
+Date: Mon, 31 Oct 2022 10:10:22 +0100
+Subject: [PATCH 3/3] Add Arch Linux defaults for login.defs
+
+etc/login.defs:
+- Change `ENV_PATH` and `ENV_SUPATH` to only use
+  /usr/local/sbin:/usr/local/bin:/usr/bin as Arch Linux is a /usr and
+  bin merge distribution.
+- Set `HOME_MODE` to `0700` to be able to rely on a `UMASK` of `022`
+  while creating home directories in a privacy conserving manner.
+- Change SYS_UID_MIN and SYS_GID_MIN to 500 which gives more space for
+  distribution added UIDs and GIDs of system users.
+- Change ENCRYPT_METHOD to YESCRYPT as it is a safer hashing algorithm
+  than DES.
+---
+ etc/login.defs | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/etc/login.defs b/etc/login.defs
+index 797ca6b3..c4accbf8 100644
+--- a/etc/login.defs
++++ b/etc/login.defs
+@@ -55,8 +55,8 @@ HUSHLOGIN_FILE	.hushlogin
+ # *REQUIRED*  The default PATH settings, for superuser and normal users.
+ #
+ # (they are minimal, add the rest in the shell startup files)
+-ENV_SUPATH	PATH=/sbin:/bin:/usr/sbin:/usr/bin
+-ENV_PATH	PATH=/bin:/usr/bin
++ENV_SUPATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
++ENV_PATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
+
+ #
+ # Terminal permissions
+@@ -84,7 +84,7 @@ UMASK		022
+ # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+ # home directories.
+ # If HOME_MODE is not set, the value of UMASK is used to create the mode.
+-#HOME_MODE	0700
++HOME_MODE	0700
+
+ #
+ # Password aging controls:
+@@ -103,7 +103,7 @@ PASS_WARN_AGE	7
+ UID_MIN			 1000
+ UID_MAX			60000
+ # System accounts
+-SYS_UID_MIN		  101
++SYS_UID_MIN		  500
+ SYS_UID_MAX		  999
+ # Extra per user uids
+ SUB_UID_MIN		   100000
+@@ -116,7 +116,7 @@ SUB_UID_COUNT		    65536
+ GID_MIN			 1000
+ GID_MAX			60000
+ # System accounts
+-SYS_GID_MIN		  101
++SYS_GID_MIN		  500
+ SYS_GID_MAX		  999
+ # Extra per user group ids
+ SUB_GID_MIN		   100000
+@@ -152,7 +152,7 @@ CHFN_RESTRICT		rwh
+ # Note: If you use PAM, it is recommended to use a value consistent with
+ # the PAM modules configuration.
+ #
+-#ENCRYPT_METHOD DES
++ENCRYPT_METHOD YESCRYPT
+
+ #
+ # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
+-- 
+2.50.0
+

LICENSE

@@ -0,0 +1,12 @@
+Copyright Arch Linux Contributors
+
+Permission to use, copy, modify, and/or distribute this software for
+any purpose with or without fee is hereby granted.
+
+THE SOFTWARE IS PROVIDED “AS IS” AND THE AUTHOR DISCLAIMS ALL
+WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE
+FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY
+DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
+AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

PKGBUILD

@@ -0,0 +1,113 @@
+# Maintainer: Yukari Chiba <[email protected]>
+
+pkgname=shadow
+pkgver=4.18.0
+pkgrel=1
+pkgdesc="Password and account management tool suite with support for shadow files and PAM"
+arch=(x86_64 aarch64 riscv64 loongarch64)
+url="https://github.com/shadow-maint/shadow"
+license=(
+  0BSD
+  BSD-3-Clause
+)
+depends=(
+  musl
+)
+makedepends=(
+  acl
+  attr
+  docbook-xsl
+  git
+  itstool
+  libcap
+  libxcrypt
+  libxslt
+  linux-headers
+  pam
+)
+backup=(
+  etc/default/useradd
+  etc/login.defs
+  etc/pam.d/chpasswd
+  etc/pam.d/groupmems
+  etc/pam.d/newusers
+  etc/pam.d/passwd
+)
+options=(!emptydirs)
+# NOTE: distribution patches are taken from https://gitlab.archlinux.org/archlinux/packaging/upstream/shadow/-/commits/4.18.0.arch1
+source=(
+  git+$url.git#tag=$pkgver
+  0001-Disable-replaced-tools-their-man-pages-and-PAM-integ.patch
+  0002-Adapt-login.defs-for-PAM-and-util-linux.patch
+  0003-Add-Arch-Linux-defaults-for-login.defs.patch
+  shadow.{sysusers,tmpfiles}
+  useradd.defaults
+  LICENSE
+)
+sha512sums=('14275673ac2a7eecf13079cb8896eb49293d5bc5504f7900f359e0f21a107848d207aaf5c43d39cf96c0ee9e289929d1e53d2ecfbb39cfcc8175a86d85337eb8'
+            '127948d66a3be0874d7118e674afc7a15eb9047ea943f7feca81922376ca9bdf52000ad48dca7cb4c32b8f9bd4558eeff4f0701e4944aedc1b1779c35ef26c47'
+            '5e47fef33ccd0cf5ce92a049f8cedc7c8d720740f0407e3f281b294d9538edf17714769c990698320a8c27efc63dce56682d2857b8d7f2108909d66fd314974a'
+            '90f46612970f324f60ab5d997ec202b53a829f1c802ea10c16b8ebd075529f5193eee3aca842a03504a9a492d23e763208ad82904c05e274a02be1b5edd2bd12'
+            '5afac4a96b599b0b8ed7be751e7160037c3beb191629928c6520bfd3f2adcd1c55c31029c92c2ff8543e6cd9e37e2cd515ba4e1789c6d66f9c93b4e7f209ee7a'
+            '97a6a57c07502e02669dc1a91bffc447dba7d98d208b798d80e07de0d2fdf9d23264453978d2d3d1ba6652ca1f2e22cdadc4309c7b311e83fa71b00ad144f877'
+            '706ba6e7fa8298475f2605a28daffef421c9fa8d269cbd5cbcf7f7cb795b40a24d52c20e8d0b73e29e6cd35cd7226b3e9738dc513703e87dde04c1d24087a69c'
+            'a33658d9271e5c537ccd41bf540b463ad2a5eca4a060c80486ff42a736f0aa042d10436e7177c34d792177cb11285243dee1f31c4df54fb0bfaabbc306406930')
+
+prepare() {
+  _patch_ $pkgname
+  cd $pkgname
+  autoreconf -fiv
+}
+
+build() {
+  local configure_options=(
+    --bindir=/usr/bin
+    --disable-account-tools-setuid  # no setuid for chgpasswd, chpasswd, groupadd, groupdel, groupmod, newusers, useradd, userdel, usermod
+    --enable-man
+    --libdir=/usr/lib
+    --mandir=/usr/share/man
+    --prefix=/usr
+    --sbindir=/usr/bin
+    --sysconfdir=/etc
+    --without-audit
+    --with-fcaps  # use capabilities instead of setuid for setuidmap and setgidmap
+    --with-group-name-max-length=32
+    --with-libpam  # PAM integration for chpasswd, groupmems, newusers, passwd
+    --with-yescrypt
+    --without-bcrypt
+    --without-libbsd  # shadow can use internal implementation for getting passphrase
+    --without-nscd  # we do not ship nscd anymore
+    --without-selinux
+    --without-su  # su is provided by util-linux
+  )
+
+  cd $pkgname
+  # add extra check, preventing accidental deletion of other user's home dirs when using `userdel -r <user with home in />`
+  export CFLAGS="$CFLAGS -DEXTRA_CHECK_HOME_DIR"
+  ./configure "${configure_options[@]}"
+  make
+}
+
+package() {
+  depends+=(
+    acl attr libxcrypt pam
+  )
+
+  cd $pkgname
+
+  make DESTDIR="$pkgdir" install
+  make DESTDIR="$pkgdir" -C man install
+
+  # license
+  install -vDm 644 COPYING -t "$pkgdir/usr/share/licenses/$pkgname/"
+  install -vDm 644 ../LICENSE "$pkgdir/usr/share/licenses/$pkgname/0BSD.txt"
+
+  # custom useradd(8) defaults (not provided by upstream)
+  install -vDm 600 ../useradd.defaults "$pkgdir/etc/default/useradd"
+
+  install -vDm 644 ../$pkgname.sysusers "$pkgdir/usr/lib/sysusers.d/$pkgname.conf"
+  install -vDm 644 ../$pkgname.tmpfiles "$pkgdir/usr/lib/tmpfiles.d/$pkgname.conf"
+
+  # adapt executables to match the modes used by tmpfiles.d, so that pacman does not complain:
+  chmod 750 "$pkgdir/usr/bin/groupmems"
+}

shadow.sysusers

@@ -0,0 +1 @@
+g groups - -

shadow.tmpfiles

@@ -0,0 +1 @@
+z /usr/bin/groupmems 2750 root groups - -

useradd.defaults

@@ -0,0 +1,27 @@
+# Default values for useradd(8)
+#
+# The SHELL variable specifies the default login shell on your
+# system.
+SHELL=/usr/bin/bash
+
+# The default group for users
+GROUP=users
+
+# The default home directory.
+HOME=/home
+
+# The number of days after a password expires until the account is permanently
+# disabled
+INACTIVE=-1
+
+# The default expire date
+EXPIRE=
+
+# The SKEL variable specifies the directory containing "skeletal" user files;
+# in other words, files such as a sample .profile that will be copied to the
+# new user's home directory when it is created.
+SKEL=/etc/skel
+
+# Defines whether the mail spool should be created while
+# creating the account
+CREATE_MAIL_SPOOL=no