Changeset 4f406ea for postlfs/security/shadow.xml

Timestamp:

11/17/2022 07:58:32 AM (18 months ago)

Author:

Pierre Labastie <pierre.labastie@…>

Branches:

11.3, 12.0, 12.1, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, xry111/llvm18, xry111/xf86-video-removal

Children:

11c62aa

Parents:

41f908a (diff), 84f972c1 (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.

Message:

Merge branch 'trunk' into plabs/python-mods

File:

• postlfs/security/shadow.xml (modified) (5 diffs)

postlfs/security/shadow.xml

@@ -7 +7 @@
   <!ENTITY shadow-download-http "https://github.com/shadow-maint/shadow/releases/download/&shadow-version;/shadow-&shadow-version;.tar.xz">
   <!ENTITY shadow-download-ftp  " ">
-  <!ENTITY shadow-md5sum        "710bcc89c39683609aacfef9f08bd854">
+  <!ENTITY shadow-md5sum        "b1ab01b5462ddcf43588374d57bec123">
   <!ENTITY shadow-size          "1.7 MB">
-  <!ENTITY shadow-buildsize     "36 MB">
+  <!ENTITY shadow-buildsize     "45 MB">
   <!ENTITY shadow-time          "0.2 SBU">
 ]>
@@ -139 +139 @@
 
 sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
+    -e 's@#\(SHA_CRYPT_..._ROUNDS 5000\)@\1000@'      \
     -e 's@/var/spool/mail@/var/mail@'                 \
     -e '/PATH=/{s@/sbin:@@;s@/bin:@@}'                \
@@ -188 +189 @@
     <para>
       <command>sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' -e
-      's@/var/spool/mail@/var/mail@' -e '/PATH=/{s@/sbin:@@;s@/bin:@@}'
-      -i etc/login.defs</command>: Instead of using
-      the default 'DES' method, this command modifies the installation to use
-      the more secure 'SHA512' method of hashing passwords, which also allows
-      passwords longer than eight characters. It also changes the obsolete
-      <filename class="directory">/var/spool/mail</filename> location for user
-      mailboxes that <application>Shadow</application> uses by default to the
-      <filename class="directory">/var/mail</filename> location. It also
-      changes the default path to be consistent with that set in LFS.
+        's@#SHA_CRYPT_..._ROUNDS 5000@&amp;000@' -e
+        's@/var/spool/mail@/var/mail@' -e '/PATH=/{s@/sbin:@@;s@/bin:@@}'
+        -i etc/login.defs</command>: Instead of using the default 'DES'
+      method, this command modifies the installation to use the more secure
+      'SHA512' method of hashing passwords, which also allows passwords
+      longer than eight characters. The number of rounds is also increased
+      to prevent brute force pasword attacks. The command also changes the
+      obsolete <filename class="directory">/var/spool/mail</filename> location
+      for user mailboxes that <application>Shadow</application> uses by
+      default to the <filename class="directory">/var/mail</filename>
+      location. It also changes the default path to be consistent with that
+      set in LFS.
     </para>
 <!--
@@ -554 +558 @@
           <primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
         </indexterm>
-
-<screen role="root"><userinput>[ -f /etc/login.access ] &amp;&amp; mv -v /etc/login.access{,.NOUSE}</userinput></screen>
+<!-- to editors: it is a common belief that:
+        if <condition>; then <command>; fi
+     is equivalent to:
+        <condition> && <command>
+     This is not true in bash; try:
+        ([ 0 = 1 ] && echo not reachable); echo $? # echoes 1
+     vs
+        (if [ 0 = 1 ]; then echo not reachable; fi); echo $? # echoes 0
+     So in scripts that may call subshells (for example through sudo) and
+     that need error reporting, the outcome _is_ different. In all
+     cases, for bash, the "if" form should be preferred.-->
+<screen role="root"><userinput>if [ -f /etc/login.access ]; then mv -v /etc/login.access{,.NOUSE}; fi</userinput></screen>
       </sect4>
 
@@ -574 +588 @@
         </indexterm>
 
-<screen role="root"><userinput>[ -f /etc/limits ] &amp;&amp; mv -v /etc/limits{,.NOUSE}</userinput></screen>
+<screen role="root"><userinput>if [ -f /etc/limits ]; then mv -v /etc/limits{,.NOUSE}; fi</userinput></screen>
 
         <caution>