#!/bin/sh # Copyright 2005-2012 Patrick J. Volkerding, Sebeka, Minnesota, USA # Copyright 2013 Bart van der Hall, Istanbul, TR # All rights reserved. # # Redistribution and use of this script, with or without modification, is # permitted provided that the following conditions are met: # # 1. Redistributions of this script must retain the above copyright # notice, this list of conditions and the following disclaimer. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED # WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF # MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO # EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, # PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; # OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR # OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF # ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. PKGNAM=shadow VERSION=${VERSION:-4.5} BUILD=${BUILD:-1} TAG=${TAG:-_dlack} # Set to NO to disable pam support SBO_PAM=${SBO_PAM:-YES} # Set to YES to add /etc/limits file with max processes from SB_LIMITSMAX (shellbomb protection) SBO_LIMITS=${SB_LIMITS:-YES} SBO_LIMITSMAX=${SB_LIMITSMAX:-400} # Set to YES to enable SHA512 encrypt method (more CPU intensive) SBO_SHA512=${SB_SHA512:-YES} # Automatically determine the architecture we're building on: if [ -z "$ARCH" ]; then case "$( uname -m )" in i?86) export ARCH=i586 ;; arm*) export ARCH=arm ;; # Unless $ARCH is already set, use uname -m for all other archs: *) export ARCH=$( uname -m ) ;; esac fi NUMJOBS=${NUMJOBS:--j6} CWD=$(pwd) TMP=${TMP:-/tmp/dlackware} PKG=$TMP/package-$PKGNAM OUTPUT=${OUTPUT:-/var/cache/dlackware} if [ "$ARCH" = "i586" ]; then SLKCFLAGS="-O2 -march=i586 -mtune=i686" elif [ "$ARCH" = "i686" ]; then SLKCFLAGS="-O2 -march=i686 -mtune=i686" elif [ "$ARCH" = "x86_64" ]; then SLKCFLAGS="-O2 -fPIC" else SLKCFLAGS="-O2" fi rm -rf $PKG mkdir -p $TMP $PKG $OUTPUT cd $TMP rm -rf shadow-$VERSION tar xvf $CWD/shadow-$VERSION.tar.?z* || exit 1 cd shadow-$VERSION SBO_PAMD_DIR=${CWD}/pamd # Relax the restrictions on "su -c" when it is used to become root. # It's not likely that root is going to try to inject commands back into # the user's shell to hack it, and the unnecessary restriction is causing # breakage: cat $CWD/shadow.CVE-2005-4890.relax.diff | patch -p1 --verbose || exit 1 chown -R root:root . find . \ \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \ -exec chmod 755 {} \; -o \ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \ -exec chmod 644 {} \; # add the pam_ck_connector # and not requiring users to be in the 'wheel' group, in order to use `su` cat $CWD/pamd_settings.patch | patch -p2 unset SBO_AUTOGEN if [ -r ${CWD}/apply-patches.sh ]; then . ${CWD}/apply-patches.sh fi sed -i -e '/^GROUP=/s|=.*$|=100|g' etc/useradd || exit 1 sed -i -e '//a#include ' libmisc/copydir.c || exit 1 if [ "${SBO_LIMITS}" = "YES" ] && [ "${SBO_PAM}" != "YES" ] ; then echo >> etc/limits || exit 1 echo '# Limit user process number to prevent shellbomb' >> etc/limits || exit 1 echo "* U ${SBO_LIMITSMAX}" >> etc/limits || exit 1 fi rm -f etc/login.defs cp -f ${CWD}/login.defs etc/login.defs || exit 1 if [ "${SBO_SHA512}" = "YES" ] || [ "${SBO_PAM}" = "YES" ] ;then sed -i -e '/^ENCRYPT_METHOD /s|^.*$|ENCRYPT_METHOD SHA512|g' etc/login.defs || exit 1 fi unset SBO_PAMOPTS if [ "${SBO_PAM}" = "YES" ] ;then SBO_PAMOPTS='--with-libpam --with-libcrack' else SBO_PAMOPTS='--without-libpam --without-libcrack' fi #rm -f po/*.gmo #rm -f po/stamp-po if [ "${SBO_AUTOGEN}" = "YES" ] ;then autoreconf -ivf || exit $? fi CFLAGS="${SLKCFLAGS} -fpie" \ CXXFLAGS="${SLKCFLAGS}" \ LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now ${LDFLAGS}" \ ./configure \ --prefix=/usr \ --sysconfdir=/etc \ --mandir=/usr/man \ --docdir=/usr/doc/shadow-$VERSION \ --disable-shared \ ${SBO_PAMOPTS} \ --without-selinux \ --without-audit \ --with-group-name-max-length=32 \ --build=$ARCH-slackware-linux make $NUMJOBS || make || exit 1 make install DESTDIR=$PKG || exit 1 # Fix user group = 100: cat $CWD/useradd > $PKG/etc/default/useradd # /bin/groups is provided by coreutils. rm -f $PKG/bin/groups find $PKG -name groups.1 -exec rm {} \; chmod 0750 ${PKG}/usr/sbin/{user,group}* ( cd ${PKG}/etc || exit 1 for file in login.defs default/useradd ; do mv ${file} ${file}.new || exit 1 done if [ "${SBO_PAM}" != "YES" ] ;then for file in limits login.access ; do mv ${file} ${file}.new || exit 1 done fi ) || exit 1 chmod 0600 ${PKG}/etc/default/useradd* # Add the friendly 'adduser' script: cat $CWD/adduser > $PKG/usr/sbin/adduser chmod 0755 $PKG/usr/sbin/adduser # Add sulogin to the package: cp -a src/sulogin $PKG/sbin ( cd $PKG/bin ; ln -s ../sbin/sulogin ) # Add the empty faillog log file: mkdir -p $PKG/var/log touch $PKG/var/log/faillog.new # Put some stuff back in "old" locations and make symlinks for compat ( cd $PKG/usr/bin mv faillog ../sbin mv lastlog ../sbin ln -s ../sbin/faillog ln -s ../sbin/lastlog ) # Use 4711 rather than 4755 permissions where setuid root is required: find $PKG -type f -perm 4755 -exec chmod 4711 "{}" \; mkdir -p $PKG/etc/pam.d/ if [ "${SBO_PAM}" = "YES" ] ; then for pamd in login passwd remote su su-l system-auth other; do cp -f ${SBO_PAMD_DIR}/${pamd}.pamd \ ${PKG}/etc/pam.d/${pamd} || exit 1 done for pamd in chfn chsh ; do cp -f ${SBO_PAMD_DIR}/chsh-chfn.pamd \ ${PKG}/etc/pam.d/${pamd} || exit 1 done for opt in \ CHFN_AUTH \ CRACKLIB_DICTPATH \ ENV_HZ \ ENVIRON_FILE \ FAILLOG_ENAB \ FTMP_FILE \ LASTLOG_ENAB \ MAIL_CHECK_ENAB \ MOTD_FILE \ NOLOGINS_FILE \ OBSCURE_CHECKS_ENAB \ PASS_ALWAYS_WARN \ PASS_CHANGE_TRIES \ PASS_MIN_LEN \ PORTTIME_CHECKS_ENAB \ QUOTAS_ENAB \ SU_WHEEL_ONLY do sed -i -r -e "/^#?${opt}/s|^|#|g" ${PKG}/etc/login.defs.new || exit 1 done fi # Compress and if needed symlink the man pages: if [ -d $PKG/usr/man ]; then ( cd $PKG/usr/man for manpagedir in $(find . -type d -name "man*") ; do ( cd $manpagedir for eachpage in $( find . -type l -maxdepth 1) ; do ln -s $( readlink $eachpage ).gz $eachpage.gz rm $eachpage done gzip -9 *.? ) done ) fi mkdir -p $PKG/usr/doc/shadow-$VERSION cp -a \ COPYING* NEWS README* TODO doc/{README*,HOWTO,WISHLIST,*.txt} \ $PKG/usr/doc/shadow-$VERSION # If there's a ChangeLog, installing at least part of the recent history # is useful, but don't let it get totally out of control: if [ -r ChangeLog ]; then DOCSDIR=$(echo $PKG/usr/doc/${PKGNAM}-$VERSION) cat ChangeLog | head -n 1000 > $DOCSDIR/ChangeLog touch -r ChangeLog $DOCSDIR/ChangeLog fi mkdir -p $PKG/install cat $CWD/slack-desc > $PKG/install/slack-desc cat $CWD/doinst.sh > $PKG/install/doinst.sh cd $PKG /sbin/makepkg -l y -c n $OUTPUT/$PKGNAM-$VERSION-$ARCH-$BUILD$TAG.txz