From 0af09206acbf3b9cde581088e4430f1e8dc3bf2e Mon Sep 17 00:00:00 2001 From: Yu Ke Date: Mon, 28 Feb 2011 19:34:45 +0800 Subject: shadow: upgrade to 4.1.4.3 to fix security vulnerability For CVE-2011-0721: http://lists.debian.org/debian-security-announce/2011/msg00030.html Signed-off-by: Yu Ke --- .../shadow/shadow-4.1.4.2/pam.d/chfn | 14 ---- .../shadow/shadow-4.1.4.2/pam.d/chpasswd | 4 - .../shadow/shadow-4.1.4.2/pam.d/chsh | 19 ----- .../shadow/shadow-4.1.4.2/pam.d/login | 91 ---------------------- .../shadow/shadow-4.1.4.2/pam.d/newusers | 4 - .../shadow/shadow-4.1.4.2/pam.d/passwd | 5 -- .../shadow/shadow-4.1.4.2/pam.d/su | 60 -------------- 7 files changed, 197 deletions(-) delete mode 100644 meta/recipes-extended/shadow/shadow-4.1.4.2/pam.d/chfn delete mode 100644 meta/recipes-extended/shadow/shadow-4.1.4.2/pam.d/chpasswd delete mode 100644 meta/recipes-extended/shadow/shadow-4.1.4.2/pam.d/chsh delete mode 100644 meta/recipes-extended/shadow/shadow-4.1.4.2/pam.d/login delete mode 100644 meta/recipes-extended/shadow/shadow-4.1.4.2/pam.d/newusers delete mode 100644 meta/recipes-extended/shadow/shadow-4.1.4.2/pam.d/passwd delete mode 100644 meta/recipes-extended/shadow/shadow-4.1.4.2/pam.d/su (limited to 'meta/recipes-extended/shadow/shadow-4.1.4.2/pam.d') diff --git a/meta/recipes-extended/shadow/shadow-4.1.4.2/pam.d/chfn b/meta/recipes-extended/shadow/shadow-4.1.4.2/pam.d/chfn deleted file mode 100644 index baf7698bb..000000000 --- a/meta/recipes-extended/shadow/shadow-4.1.4.2/pam.d/chfn +++ /dev/null @@ -1,14 +0,0 @@ -# -# The PAM configuration file for the Shadow `chfn' service -# - -# This allows root to change user infomation without being -# prompted for a password -auth sufficient pam_rootok.so - -# The standard Unix authentication modules, used with -# NIS (man nsswitch) as well as normal /etc/passwd and -# /etc/shadow entries. -auth include common-auth -account include common-account -session include common-session diff --git a/meta/recipes-extended/shadow/shadow-4.1.4.2/pam.d/chpasswd b/meta/recipes-extended/shadow/shadow-4.1.4.2/pam.d/chpasswd deleted file mode 100644 index 9e3efa68b..000000000 --- a/meta/recipes-extended/shadow/shadow-4.1.4.2/pam.d/chpasswd +++ /dev/null @@ -1,4 +0,0 @@ -# The PAM configuration file for the Shadow 'chpasswd' service -# - -password include common-password diff --git a/meta/recipes-extended/shadow/shadow-4.1.4.2/pam.d/chsh b/meta/recipes-extended/shadow/shadow-4.1.4.2/pam.d/chsh deleted file mode 100644 index 8fb169f64..000000000 --- a/meta/recipes-extended/shadow/shadow-4.1.4.2/pam.d/chsh +++ /dev/null @@ -1,19 +0,0 @@ -# -# The PAM configuration file for the Shadow `chsh' service -# - -# This will not allow a user to change their shell unless -# their current one is listed in /etc/shells. This keeps -# accounts with special shells from changing them. -auth required pam_shells.so - -# This allows root to change user shell without being -# prompted for a password -auth sufficient pam_rootok.so - -# The standard Unix authentication modules, used with -# NIS (man nsswitch) as well as normal /etc/passwd and -# /etc/shadow entries. -auth include common-auth -account include common-account -session include common-session diff --git a/meta/recipes-extended/shadow/shadow-4.1.4.2/pam.d/login b/meta/recipes-extended/shadow/shadow-4.1.4.2/pam.d/login deleted file mode 100644 index e41eb04ec..000000000 --- a/meta/recipes-extended/shadow/shadow-4.1.4.2/pam.d/login +++ /dev/null @@ -1,91 +0,0 @@ -# -# The PAM configuration file for the Shadow `login' service -# - -# Enforce a minimal delay in case of failure (in microseconds). -# (Replaces the `FAIL_DELAY' setting from login.defs) -# Note that other modules may require another minimal delay. (for example, -# to disable any delay, you should add the nodelay option to pam_unix) -auth optional pam_faildelay.so delay=3000000 - -# Outputs an issue file prior to each login prompt (Replaces the -# ISSUE_FILE option from login.defs). Uncomment for use -# auth required pam_issue.so issue=/etc/issue - -# Disallows root logins except on tty's listed in /etc/securetty -# (Replaces the `CONSOLE' setting from login.defs) -# Note that it is included as a "requisite" module. No password prompts will -# be displayed if this module fails to avoid having the root password -# transmitted on unsecure ttys. -# You can change it to a "required" module if you think it permits to -# guess valid user names of your system (invalid user names are considered -# as possibly being root). -auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so - -# Disallows other than root logins when /etc/nologin exists -# (Replaces the `NOLOGINS_FILE' option from login.defs) -auth requisite pam_nologin.so - -# SELinux needs to be the first session rule. This ensures that any -# lingering context has been cleared. Without out this it is possible -# that a module could execute code in the wrong domain. -# When the module is present, "required" would be sufficient (When SELinux -# is disabled, this returns success.) -session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close - -# This module parses environment configuration file(s) -# and also allows you to use an extended config -# file /etc/security/pam_env.conf. -# -# parsing /etc/environment needs "readenv=1" -session required pam_env.so readenv=1 -# locale variables are also kept into /etc/default/locale in etch -# reading this file *in addition to /etc/environment* does not hurt -session required pam_env.so readenv=1 envfile=/etc/default/locale - -# Standard Un*x authentication. -auth include common-auth - -# This allows certain extra groups to be granted to a user -# based on things like time of day, tty, service, and user. -# Please edit /etc/security/group.conf to fit your needs -# (Replaces the `CONSOLE_GROUPS' option in login.defs) -auth optional pam_group.so - -# Uncomment and edit /etc/security/time.conf if you need to set -# time restrainst on logins. -# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs -# as well as /etc/porttime) -# account requisite pam_time.so - -# Uncomment and edit /etc/security/access.conf if you need to -# set access limits. -# (Replaces /etc/login.access file) -# account required pam_access.so - -# Sets up user limits according to /etc/security/limits.conf -# (Replaces the use of /etc/limits in old login) -session required pam_limits.so - -# Prints the last login info upon succesful login -# (Replaces the `LASTLOG_ENAB' option from login.defs) -session optional pam_lastlog.so - -# Prints the motd upon succesful login -# (Replaces the `MOTD_FILE' option in login.defs) -session optional pam_motd.so - -# Prints the status of the user's mailbox upon succesful login -# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). -# -# This also defines the MAIL environment variable -# However, userdel also needs MAIL_DIR and MAIL_FILE variables -# in /etc/login.defs to make sure that removing a user -# also removes the user's mail spool file. -# See comments in /etc/login.defs -session optional pam_mail.so standard - -# Standard Un*x account and session -account include common-account -password include common-password -session include common-session diff --git a/meta/recipes-extended/shadow/shadow-4.1.4.2/pam.d/newusers b/meta/recipes-extended/shadow/shadow-4.1.4.2/pam.d/newusers deleted file mode 100644 index 4aa3dde48..000000000 --- a/meta/recipes-extended/shadow/shadow-4.1.4.2/pam.d/newusers +++ /dev/null @@ -1,4 +0,0 @@ -# The PAM configuration file for the Shadow 'newusers' service -# - -password include common-password diff --git a/meta/recipes-extended/shadow/shadow-4.1.4.2/pam.d/passwd b/meta/recipes-extended/shadow/shadow-4.1.4.2/pam.d/passwd deleted file mode 100644 index f53499243..000000000 --- a/meta/recipes-extended/shadow/shadow-4.1.4.2/pam.d/passwd +++ /dev/null @@ -1,5 +0,0 @@ -# -# The PAM configuration file for the Shadow `passwd' service -# - -password include common-password diff --git a/meta/recipes-extended/shadow/shadow-4.1.4.2/pam.d/su b/meta/recipes-extended/shadow/shadow-4.1.4.2/pam.d/su deleted file mode 100644 index 8e35137f3..000000000 --- a/meta/recipes-extended/shadow/shadow-4.1.4.2/pam.d/su +++ /dev/null @@ -1,60 +0,0 @@ -# -# The PAM configuration file for the Shadow `su' service -# - -# This allows root to su without passwords (normal operation) -auth sufficient pam_rootok.so - -# Uncomment this to force users to be a member of group root -# before they can use `su'. You can also add "group=foo" -# to the end of this line if you want to use a group other -# than the default "root" (but this may have side effect of -# denying "root" user, unless she's a member of "foo" or explicitly -# permitted earlier by e.g. "sufficient pam_rootok.so"). -# (Replaces the `SU_WHEEL_ONLY' option from login.defs) -# auth required pam_wheel.so - -# Uncomment this if you want wheel members to be able to -# su without a password. -# auth sufficient pam_wheel.so trust - -# Uncomment this if you want members of a specific group to not -# be allowed to use su at all. -# auth required pam_wheel.so deny group=nosu - -# Uncomment and edit /etc/security/time.conf if you need to set -# time restrainst on su usage. -# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs -# as well as /etc/porttime) -# account requisite pam_time.so - -# This module parses environment configuration file(s) -# and also allows you to use an extended config -# file /etc/security/pam_env.conf. -# -# parsing /etc/environment needs "readenv=1" -session required pam_env.so readenv=1 -# locale variables are also kept into /etc/default/locale in etch -# reading this file *in addition to /etc/environment* does not hurt -session required pam_env.so readenv=1 envfile=/etc/default/locale - -# Defines the MAIL environment variable -# However, userdel also needs MAIL_DIR and MAIL_FILE variables -# in /etc/login.defs to make sure that removing a user -# also removes the user's mail spool file. -# See comments in /etc/login.defs -# -# "nopen" stands to avoid reporting new mail when su'ing to another user -session optional pam_mail.so nopen - -# Sets up user limits, please uncomment and read /etc/security/limits.conf -# to enable this functionality. -# (Replaces the use of /etc/limits in old login) -# session required pam_limits.so - -# The standard Unix authentication modules, used with -# NIS (man nsswitch) as well as normal /etc/passwd and -# /etc/shadow entries. -auth include common-auth -account include common-account -session include common-session -- cgit v1.2.3