This package includes the necessary programs for converting plain
password files to the shadow password format and to manage user and
group accounts.
Provides
Requires
License
BSD-3-Clause AND GPL-2.0-or-later
Changelog
* Sun Mar 24 2024 mvetter@suse.com
- Update to 4.15.1:
* Fix a bug that caused spurious error messages about unknown
login.defs configuration options #967
* Adding checks for fd omission #964
* Use temporary stat buffer #974
* Fix wrong french translation #975
- Drop shadow-4.15.0-fix-definition.patch
* Thu Mar 21 2024 mvetter@suse.com
- Add shadow-4.15.0-fix-definition.patch:
Fix error messages about config options.
See gh/shadow-maint/shadow#967
* Sun Mar 10 2024 mvetter@suse.com
- Update to 4.15.0
* libshadow:
+ Use utmpx instead of utmp. This fixes a regression introduced
in 4.14.0.
+ Fix build error (parameter name omitted).
* Build system:
+ Link correctly with libdl.
+ Install pam configs for chpasswd(8) and newusers(8) when using
./configure --with-libpam --disable-account-tools-setuid.
+ Merge libshadow and libmisc into a single libshadow. This fixes
problems in the linker, which were reported at least in Gentoo.
+ Fix build with musl libc.
+ Support out of tree builds
* useradd(8):
+ Set proper SELinux labels for def_usrtemplate
- Update Serge Hallyns GPG key
- Update shadow-login_defs-unused-by-pam.patch
* Sun Mar 03 2024 mvetter@suse.com
- Update to 4.14.6:
* login(1):
+ Fix off-by-one bugs.
* passwd(1):
+ Don't silently truncate passwords of length >= 200 characters.
Instead, accept a length of PASS_MAX, and reject longer ones.
* libshadow:
+ Fix calculation in strtoday(), which caused a wrong half-day
offset in some cases (bsc#1176006)
+ Fix parsing of dates in get_date() (bsc#1176006)
+ Use utmpx instead of utmp. This fixes a regression introduced in
4.14.0.
* Tue Feb 13 2024 mvetter@suse.com
- Update to 4.14.5:
* Build system:
+ Fix regression introduced in 4.14.4, due to a typo. chgpasswd had
been deleted from a Makefile variable, but it should have been
chpasswd.
- Remove shadow-4.14.4-chgpasswd-typo.patch
* Mon Feb 12 2024 mvetter@suse.com
- Update to 4.14.4:
* Build system:
+ Link correctly with libdl.
+ Install pam configs for chpasswd(8) and newusers(8) when using
./configure --with-libpam --disable-account-tools-setuid.
* libshadow:
+ Fix build error (parameter name omitted).
+ Fix off-by-one bug.
+ Remove warning.
- Add shadow-4.14.4-chgpasswd-typo.patch: to fix build. See #926
- Update patch macro `patchN` -> `patch -P N`
* Tue Jan 16 2024 mvetter@suse.com
- Update to 4.14.3:
* libshadow:
+ Avoid null pointer dereference (#904)
* Tue Jan 09 2024 mvetter@suse.com
- bsc#1199026 bsc#1203823:
Remove pam_keyinit from PAM configuration.
This was introduced for bsc#1144060.
* Mon Oct 30 2023 mvetter@suse.com
- Update to 4.14.2:
* libshadow:
+ Fix build with musl libc.
+ Avoid NULL dereference.
+ Update utmp at an initial login
* useradd(8):
+ Set proper SELinux labels for def_usrtemplate
* Manual:
+ Document --prefix in chage(1), chpasswd(8), and passwd(1)
- Drop upstreamed shadow-4.14.0-selinux-labels.patch
* Fri Oct 06 2023 mvetter@suse.com
- Update to 4.14.1:
Build system: Merge libshadow and libmisc into a single libshadow.
This fixes problems in the linker, which were reported at least
in Gentoo. #791
- Add Alejandro Colomar (new stable branch maintainer) to shadow.keyring
* Tue Sep 26 2023 jsegitz@suse.com
- Add shadow-4.14.0-selinux-labels.patch:
Set proper SELinux labels for new homedirs.
See gh/shadow-maint/shadow#812.
* Thu Aug 17 2023 mvetter@suse.com
- Remove dependency on libbsd:
On Tumbleweed we have glibc 2.38 already thus string functions
like strlcpy will be present and won't be needed from libbsd.
`readpassphrase()` is then the only function from libbsd not present.
Upstream shadow has an in tree copy of it, that is used when the
`--without-libbsd` flag is passed along.
By relying on glibc 2.38 we don't need to add libbsd and libmd
to our ring0 but can't easily upgrade on SLE.
* Thu Aug 17 2023 mvetter@suse.com
- Update to 4.14.0:
* configure: add with-libbsd option
* Code cleanup
* Replace utmp interface #757
* new option enable-logind #674
* shadow userdel: add the adaptation to the busybox ps in 01-kill_user_procs.sh
* chsh: warn if root sets a shell not listed in /etc/shells #535
* newgrp: fix potential string injection
* lastlog: fix alignment of Latest header
* Fix yescrypt support #748
* chgpasswd: Fix segfault in command-line options
* gpasswd: Fix password leak
* Add --prefix to passwd, chpasswd and chage #714 (bsc#1206627)
* usermod: fix off-by-one issues #701
* ch(g)passwd: Check selinux permissions upon startup #675
* sub_[ug]id_{add,remove}: fix return values
* chsh: Verify that login shell path is absolute #730
* process_prefix_flag: Drop privileges
* run_parts for groupadd and groupdel #706
* newgrp/useradd: always set SIGCHLD to default
* useradd/usermod: add --selinux-range argument #698
* sssd: skip flushing if executable does not exist #699
* semanage: Do not set default SELinux range #676
* Add control character check #687
* usermod: respect --prefix for --gid option
* Fix null dereference in basename
* newuidmap and newgidmap: support passing pid as fd
* Prevent out of boundary access #633
* Explicitly override only newlines #633
* Correctly handle illegal system file in tz #633
* Supporting vendor given -shells- configuration file #599
* Warn if failed to read existing /etc/nsswitch.conf
* chfn: new_fields: fix wrong fields printed
* Allow supplementary groups to be added via config file #586
* useradd: check if subid range exists for user #592 (rh#2012929)
- Refresh useradd-default.patch
- Remove upstreamed patches:
* useradd-userkeleton.patch
* shadow-audit-no-id.patch
* shadow-fix-print-login-timeout.patch
* shadow-CVE-2023-29383.patch
- Dont build lastlog (lastlog.legacy) anymore since we
use lastlog2 by default now.
- This release depends either on libbsd or on glibc >= 2.38
which only recently got released. libbsd (and libmd) would be
new packages in our ring0
* Tue Apr 18 2023 mvetter@suse.com
- bsc#1210507 (CVE-2023-29383):
Check for control characters
- Add shadow-CVE-2023-29383.patch
* Wed Apr 12 2023 kukuk@suse.com
- Rename lastlog to lastlog.legacy to be able to switch to
Y2038 safe lastlog2 as default [jsc#PED-3144]
* Thu Feb 16 2023 mvetter@suse.com
- Update shadow-fix-print-login-timeout.patch
- Reorder source files and patches
* Wed Feb 15 2023 lnussel@suse.de
- Remove scripts that claim to be config but are in /usr (boo#1191578)
* userdel-script.patch
* useradd-script.patch
* useradd.local
* userdel-post.local
* userdel-pre.local
* Fri Jan 13 2023 mvetter@suse.com
- Add shadow-fix-print-login-timeout.patch:
Fix printing full login timeout message
See gh/shadow-maint/shadow#621
* Fri Dec 16 2022 mvetter@suse.com
- bsc#1205502: Fix useradd audit event logging of ID field
* Add shadow-audit-no-id.patch
See gh/shadow-maint/shadow#606
* Tue Nov 08 2022 mvetter@suse.com
- Update to 4.13:
* useradd.8: fix default group ID
* Revert drop of subid_init()
* Georgian translation
* useradd: Avoid taking unneeded space: do not reset non-existent data
in lastlog
* relax username restrictions
* selinux: check MLS enabled before setting serange
* copy_tree: use fchmodat instead of chmod
* copy_tree: don't block on FIFOs
* add shell linter
* copy_tree: carefully treat permissions
* lib/commonio: make lock failures more detailed
* lib: use strzero and memzero where applicable
* Update Dutch translation
* Don't test for NULL before calling free
* Use libc MAX() and MIN()
* chage: Fix regression in print_date
* usermod: report error if homedir does not exist
* libmisc: minimum id check for system accounts
* fix usermod -rG x y wrongly adding a group
* man: add missing space in useradd.8.xml
* lastlog: check for localtime() return value
* Raise limit for passwd and shadow entry length
* Remove adduser-old.c
* useradd: Fix buffer overflow when using a prefix
* Don't warn when failed to open /etc/nsswitch.conf
- Remove patches we took from upstream pre-release:
* shadow-copytree-usermod-fifo.patch
* shadow-chage-format.patch
* shadow-prefix-overflow.patch
- Remove chkname-regex.patch:
Upstream now also relaxed the use