authorThomas Orgis2007-02-06 20:01:19 +0100
committerJeremy Blosser2007-02-07 15:11:17 -0600
commit36af02e07ff80b93e887c9033653cb1129fff2aa (patch)
tree36bb44a9cc07c087de1e6cd6a6ed36539fd1359b
parente7edf05898322c67df7fea3e79dcc764b7851157 (diff)
shadow: fixing the unpleasant result of saying n to the account files conversion but still having pwunconv in PRE_REMOVE
(cherry picked from commit fe545c4b24abdeb7177efbab4a650469f4d6a284)
-rwxr-xr-xsecurity/shadow/CONFIGURE22
-rwxr-xr-xsecurity/shadow/DETAILS2
-rwxr-xr-xsecurity/shadow/FINAL2
-rw-r--r--security/shadow/HISTORY12
-rwxr-xr-xsecurity/shadow/PRE_REMOVE9
-rwxr-xr-xsecurity/shadow/REPAIR^acad95bdda57e3a157ee57a47035a0d5^PRE_REMOVE8
6 files changed, 47 insertions, 8 deletions
diff --git a/security/shadow/CONFIGURE b/security/shadow/CONFIGURE
index 6c97b30251..b5e0ef1a33 100755
--- a/security/shadow/CONFIGURE
+++ b/security/shadow/CONFIGURE
@@ -1,5 +1,23 @@
-config_query SHADOW_CONV "Attempt to convert/fix accounts (with installed shadow utils)" n &&
-if [[ "$SHADOW_CONV" == y ]]; then
+# There's a bug introduced by the solution of bug 8834:
+# if you said "n" to $SHADOW_CONV, you ended up with the state pw/grpunconv
+# left on dispelling old shadow.
+# Introducing a new var $SHADOW_NEWCONV for the query to be able to re-ask
+# the question.
+
+conv_default=n &&
+if [[ "$SHADOW_CONV" == "y" ]]; then conv_default=y; fi &&
+# if we haven't yet an answer on the new question and the old answer was not y
+if [[ -z "$SHADOW_NEWCONV" ]] && [[ $conv_default == n ]]; then
+ message "Checking passwd for shadowness (there could have been an unwanted run of pwunconv/grpunconv)." &&
+ if ! grep -q '^root:x:' "$INSTALL_ROOT/etc/passwd"; then
+ message "Your passwd file contains password hashes, suggesting (re)conversion to shadow." &&
+ message "You can still say n to the upcoming query but make sure then to run pwconv / grpconv yourself if you want existing passwords shadowed." &&
+ conv_default=y
+ fi
+fi &&
+
+config_query SHADOW_NEWCONV "Attempt to convert/fix accounts (with installed shadow utils)" $conv_default &&
+if [[ "$SHADOW_NEWCONV" == y ]]; then
message "OK, checking your user and group accounts" &&
grpck -r "$INSTALL_ROOT/etc/group" "$INSTALL_ROOT/etc/gshadow" ||
{
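Review bot: The shadowness test `grep -q '^root:x:' "$INSTALL_ROOT/etc/passwd"` inspects only root's entry, so a passwd file where root is already `x` but other accounts still carry hashes gets no warning and the default stays at n. The same branch is taken when passwd is missing or unreadable, or when root's field is a lock marker such as `*` or `!`, so the "contains password hashes" message can be wrong in those cases. A test over every entry would cover the first case, for example `if awk -F: '$2 != "x" { bad = 1 } END { exit !bad }' "$INSTALL_ROOT/etc/passwd"; then`, with the message reworded to "entries not marked as shadowed". `$conv_default` is also passed unquoted to `config_query`. The body of `if [[ "$SHADOW_NEWCONV" == y ]]` continues outside the hunk.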
diff --git a/security/shadow/DETAILS b/security/shadow/DETAILS
index 223eace661..797de76055 100755
--- a/security/shadow/DETAILS
+++ b/security/shadow/DETAILS
@@ -7,7 +7,7 @@ SOURCE_DIRECTORY=$BUILD_DIRECTORY/$SPELL-$VERSION
WEB_SITE=http://shadow.pld.org.pl/
ENTERED=20050303
PATCHLEVEL=3
- SECURITY_PATCH=1
+ SECURITY_PATCH=2
KEYWORDS="security password"
SHORT="Shadow password file utilities"
diff --git a/security/shadow/FINAL b/security/shadow/FINAL
index eca5bd2d18..05402f7095 100755
--- a/security/shadow/FINAL
+++ b/security/shadow/FINAL
@@ -1,4 +1,4 @@
-if [ "$SHADOW_CONV" == y ]; then
+if [ "$SHADOW_NEWCONV" == y ]; then
#Create or update necessary files for shadow
message "running pwconv and grpconv" &&
${INSTALL_ROOT}/usr/sbin/pwconv &&
diff --git a/security/shadow/HISTORY b/security/shadow/HISTORY
index 1e09e8e8a0..54989a3daf 100644
--- a/security/shadow/HISTORY
+++ b/security/shadow/HISTORY
@@ -1,3 +1,11 @@
+2007-02-06 Thomas Orgis <sobukus@sourcemage.org>
+ * CONFIGURE,PRE_REMOVE, REPAIR^...^PRE_REMOVE, FINAL: I made the pwconv
+ optional, but there still was unconditional pwunconv in
+ PRE_REMOVE - now the mess had to be cleaned up: no pwunconv, ever!
+ (see bug 8834)
+ * DETAILS: SECURITY_PATCH++ as there can be a state of password hashes
+ in passwd files
+
2007-01-22 Thomas Orgis <sobukus@sourcemage.org>
* CONFIGURE: default the answer to "n" by default, making the account
modification opt-in as it should be
@@ -9,8 +17,8 @@
2007-01-20 Thomas Orgis <sobukus@sourcemage.org>
* pam.d/su: move that to coreutils as the su binary comes from
there now
- * DETAILS: a patchlevel can't hurt for having changed install
- footprint
+ * DETAILS: a patchlevel can't hurt for having changed install
+ footprint
2006-07-15 Flavien Bridault <vlaaad@sourcemage.org>
* BUILD: do not install default /etc/pam.d/* files from the tarball
diff --git a/security/shadow/PRE_REMOVE b/security/shadow/PRE_REMOVE
index 58e91bd693..580de53c77 100755
--- a/security/shadow/PRE_REMOVE
+++ b/security/shadow/PRE_REMOVE
@@ -1,3 +1,8 @@
+message "I will NOT put your passwords back into passwd/group!" &&
+message "You'd need to run pwunconv/grpunconv before dispel for having a workable system without shadow."
+# do not do this unasked and on every upgrade cast
+# you normally never dispel shadow for good unless you are
+# curious to see what happens...
#Restore /etc/passwd when dispelling shadow
-${INSTALL_ROOT}/usr/sbin/pwunconv &&
-${INSTALL_ROOT}/usr/sbin/grpunconv
+#${INSTALL_ROOT}/usr/sbin/pwunconv &&
+#${INSTALL_ROOT}/usr/sbin/grpunconv
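Review bot: The retained comment `#Restore /etc/passwd when dispelling shadow` now contradicts what the script does, and the commented-out `pwunconv`/`grpunconv` lines under it read as code waiting to be re-enabled. I would delete the dead lines and replace the comment with the reason, e.g. `# Deliberately no pwunconv/grpunconv: they would move password hashes back into passwd/group, and PRE_REMOVE also runs on every upgrade cast.` The same applies to the identical new file `REPAIR^acad95bdda57e3a157ee57a47035a0d5^PRE_REMOVE`.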
diff --git a/security/shadow/REPAIR^acad95bdda57e3a157ee57a47035a0d5^PRE_REMOVE b/security/shadow/REPAIR^acad95bdda57e3a157ee57a47035a0d5^PRE_REMOVE
new file mode 100755
index 0000000000..580de53c77
--- /dev/null
+++ b/security/shadow/REPAIR^acad95bdda57e3a157ee57a47035a0d5^PRE_REMOVE
@@ -0,0 +1,8 @@
+message "I will NOT put your passwords back into passwd/group!" &&
+message "You'd need to run pwunconv/grpunconv before dispel for having a workable system without shadow."
+# do not do this unasked and on every upgrade cast
+# you normally never dispel shadow for good unless you are
+# curious to see what happens...
+#Restore /etc/passwd when dispelling shadow
+#${INSTALL_ROOT}/usr/sbin/pwunconv &&
+#${INSTALL_ROOT}/usr/sbin/grpunconv