File shadow-login_defs.patch of Package shadow.8622

Index: etc/login.defs
===================================================================
--- etc/login.defs.orig
+++ etc/login.defs
@@ -1,8 +1,5 @@
 #
 # /etc/login.defs - Configuration control definitions for the shadow package.
-#
-#	$Id$
-#
 
 #
 # Delay in seconds before being allowed another attempt after a login failure
@@ -12,11 +9,6 @@
 FAIL_DELAY		3
 
 #
-# Enable logging and display of /var/log/faillog login(1) failure info.
-#
-FAILLOG_ENAB		yes
-
-#
 # Enable display of unknown usernames when login(1) failures are recorded.
 #
 LOG_UNKFAIL_ENAB	no
@@ -27,34 +19,6 @@ LOG_UNKFAIL_ENAB	no
 LOG_OK_LOGINS		no
 
 #
-# Enable logging and display of /var/log/lastlog login(1) time info.
-#
-LASTLOG_ENAB		yes
-
-#
-# Enable checking and display of mailbox status upon login.
-#
-# Disable if the shell startup files already check for mail
-# ("mailx -e" or equivalent).
-#
-MAIL_CHECK_ENAB		yes
-
-#
-# Enable additional checks upon password changes.
-#
-OBSCURE_CHECKS_ENAB	yes
-
-#
-# Enable checking of time restrictions specified in /etc/porttime.
-#
-PORTTIME_CHECKS_ENAB	yes
-
-#
-# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field.
-#
-QUOTAS_ENAB		yes
-
-#
 # Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
 # SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
 #
@@ -82,75 +46,31 @@ MOTD_FILE	/etc/motd
 #MOTD_FILE	/etc/motd:/usr/lib/news/news-motd
 
 #
-# If defined, this file will be output before each login(1) prompt.
-#
-#ISSUE_FILE	/etc/issue
-
-#
 # If defined, file which maps tty line to TERM environment parameter.
 # Each line of the file is in a format similar to "vt100  tty01".
 #
 #TTYTYPE_FILE	/etc/ttytype
 
 #
-# If defined, login(1) failures will be logged here in a utmp format.
-# last(1), when invoked as lastb(1), will read /var/log/btmp, so...
-#
-FTMP_FILE	/var/log/btmp
-
-#
-# If defined, name of file whose presence will inhibit non-root
-# logins.  The content of this file should be a message indicating
-# why logins are inhibited.
-#
-NOLOGINS_FILE	/etc/nologin
-
-#
-# If defined, the command name to display when running "su -".  For
-# example, if this is defined as "su" then ps(1) will display the
-# command as "-su".  If not defined, then ps(1) will display the
-# name of the shell actually being run, e.g. something like "-sh".
-#
-SU_NAME		su
-
-#
-# *REQUIRED*
-#   Directory where mailboxes reside, _or_ name of file, relative to the
-#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
-#
-MAIL_DIR	/var/spool/mail
-#MAIL_FILE	.mail
-
-#
 # If defined, file which inhibits all the usual chatter during the login
 # sequence.  If a full pathname, then hushed mode will be enabled if the
 # user's name or shell are found in the file.  If not a full pathname, then
 # hushed mode will be enabled if the file exists in the user's home directory.
 #
-HUSHLOGIN_FILE	.hushlogin
-#HUSHLOGIN_FILE	/etc/hushlogins
-
-#
-# If defined, either a TZ environment parameter spec or the
-# fully-rooted pathname of a file containing such a spec.
-#
-#ENV_TZ		TZ=CST6CDT
-#ENV_TZ		/etc/tzname
-
-#
-# If defined, an HZ environment parameter spec.
-#
-# for Linux/x86
-ENV_HZ		HZ=100
-# For Linux/Alpha...
-#ENV_HZ		HZ=1024
+# HUSHLOGIN_FILE	.hushlogin
+HUSHLOGIN_FILE	/etc/hushlogins
 
 #
 # *REQUIRED*  The default PATH settings, for superuser and normal users.
 #
 # (they are minimal, add the rest in the shell startup files)
 ENV_SUPATH	PATH=/sbin:/bin:/usr/sbin:/usr/bin
-ENV_PATH	PATH=/bin:/usr/bin
+ENV_PATH	PATH=/usr/local/bin:/usr/bin:/bin
+
+#
+# The default PATH settings for root (used by login):
+#
+ENV_ROOTPATH            /sbin:/bin:/usr/sbin:/usr/bin
 
 #
 # Terminal permissions
@@ -164,24 +84,20 @@ ENV_PATH	PATH=/bin:/usr/bin
 # set TTYPERM to either 622 or 600.
 #
 TTYGROUP	tty
-TTYPERM		0600
+TTYPERM		0620
 
 #
 # Login configuration initializations:
 #
 #	ERASECHAR	Terminal ERASE character ('\010' = backspace).
 #	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
-#	ULIMIT		Default "ulimit" value.
 #
 # The ERASECHAR and KILLCHAR are used only on System V machines.
-# The ULIMIT is used only if the system supports it.
-# (now it works with setrlimit too; ulimit is in 512-byte units)
 #
 # Prefix these values with "0" to get octal, "0x" to get hexadecimal.
 #
 ERASECHAR	0177
 KILLCHAR	025
-#ULIMIT		2097152
 
 # Default initial "umask" value used by login(1) on non-PAM enabled systems.
 # Default "umask" value for pam_umask(8) on PAM enabled systems.
@@ -197,35 +113,25 @@ UMASK		022
 #
 #	PASS_MAX_DAYS	Maximum number of days a password may be used.
 #	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
-#	PASS_MIN_LEN	Minimum acceptable password length.
 #	PASS_WARN_AGE	Number of days warning given before a password expires.
 #
 PASS_MAX_DAYS	99999
 PASS_MIN_DAYS	0
-PASS_MIN_LEN	5
 PASS_WARN_AGE	7
 
 #
-# If "yes", the user must be listed as a member of the first gid 0 group
-# in /etc/group (called "root" on most Linux systems) to be able to "su"
-# to uid 0 accounts.  If the group doesn't exist or is empty, no one
-# will be able to "su" to uid 0.
-#
-SU_WHEEL_ONLY	no
-
-#
-# If compiled with cracklib support, sets the path to the dictionaries
-#
-CRACKLIB_DICTPATH	/var/cache/cracklib/cracklib_dict
-
-#
 # Min/max values for automatic uid selection in useradd(8)
 #
+# SYS_UID_MIN to SYS_UID_MAX inclusive is the range for
+# UIDs for dynamically allocated administrative and system accounts.
+# UID_MIN to UID_MAX inclusive is the range of UIDs of dynamically
+# allocated user accounts.
+#
 UID_MIN			 1000
 UID_MAX			60000
 # System accounts
-SYS_UID_MIN		  101
-SYS_UID_MAX		  999
+SYS_UID_MIN		  100
+SYS_UID_MAX		  499
 # Extra per user uids
 SUB_UID_MIN		   100000
 SUB_UID_MAX		600100000
@@ -234,11 +140,16 @@ SUB_UID_COUNT		    65536
 #
 # Min/max values for automatic gid selection in groupadd(8)
 #
+# SYS_GID_MIN to SYS_GID_MAX inclusive is the range for
+# GIDs for dynamically allocated administrative and system groups.
+# GID_MIN to GID_MAX inclusive is the range of GIDs of dynamically
+# allocated groups.
+#
 GID_MIN			 1000
 GID_MAX			60000
 # System accounts
-SYS_GID_MIN		  101
-SYS_GID_MAX		  999
+SYS_GID_MIN		  100
+SYS_GID_MAX		  499
 # Extra per user group ids
 SUB_GID_MIN		   100000
 SUB_GID_MAX		600100000
@@ -247,7 +158,7 @@ SUB_GID_COUNT		    65536
 #
 # Max number of login(1) retries if password is bad
 #
-LOGIN_RETRIES		5
+LOGIN_RETRIES		3
 
 #
 # Max time in seconds for login(1)
@@ -255,28 +166,6 @@ LOGIN_RETRIES		5
 LOGIN_TIMEOUT		60
 
 #
-# Maximum number of attempts to change password if rejected (too easy)
-#
-PASS_CHANGE_TRIES	5
-
-#
-# Warn about weak passwords (but still allow them) if you are root.
-#
-PASS_ALWAYS_WARN	yes
-
-#
-# Number of significant characters in the password for crypt().
-# Default is 8, don't change unless your crypt() is better.
-# Ignored if MD5_CRYPT_ENAB set to "yes".
-#
-#PASS_MAX_LEN		8
-
-#
-# Require password before chfn(1)/chsh(1) can make any changes.
-#
-CHFN_AUTH		yes
-
-#
 # Which fields may be changed by regular users using chfn(1) - use
 # any combination of letters "frwh" (full name, room number, work
 # phone, home phone).  If not defined, no changes are allowed.
@@ -285,28 +174,6 @@ CHFN_AUTH		yes
 CHFN_RESTRICT		rwh
 
 #
-# Password prompt (%s will be replaced by user name).
-#
-# XXX - it doesn't work correctly yet, for now leave it commented out
-# to use the default which is just "Password: ".
-#LOGIN_STRING		"%s's Password: "
-
-#
-# Only works if compiled with MD5_CRYPT defined:
-# If set to "yes", new passwords will be encrypted using the MD5-based
-# algorithm compatible with the one used by recent releases of FreeBSD.
-# It supports passwords of unlimited length and longer salt strings.
-# Set to "no" if you need to copy encrypted passwords to other systems
-# which don't understand the new algorithm.  Default is "no".
-#
-# Note: If you use PAM, it is recommended to use a value consistent with
-# the PAM modules configuration.
-#
-# This variable is deprecated. You should use ENCRYPT_METHOD instead.
-#
-#MD5_CRYPT_ENAB	no
-
-#
 # Only works if compiled with ENCRYPTMETHOD_SELECT defined:
 # If set to MD5, MD5-based algorithm will be used for encrypting password
 # If set to SHA256, SHA256-based algorithm will be used for encrypting password
@@ -317,7 +184,8 @@ CHFN_RESTRICT		rwh
 # Note: If you use PAM, it is recommended to use a value consistent with
 # the PAM modules configuration.
 #
-#ENCRYPT_METHOD DES
+ENCRYPT_METHOD SHA512
+ENCRYPT_METHOD_NIS DES
 
 #
 # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
@@ -353,16 +221,12 @@ CHFN_RESTRICT		rwh
 DEFAULT_HOME	yes
 
 #
-# If this file exists and is readable, login environment will be
-# read from it.  Every line should be in the form name=value.
-#
-ENVIRON_FILE	/etc/environment
-
-#
 # If defined, this command is run when removing a user.
 # It should remove any at/cron/print jobs etc. owned by
 # the user to be removed (passed as the first argument).
 #
+# See USERDEL_PRECMD/POSTCMD below.
+#
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
@@ -372,7 +236,7 @@ ENVIRON_FILE	/etc/environment
 #
 # This also enables userdel(8) to remove user groups if no members exist.
 #
-USERGROUPS_ENAB yes
+USERGROUPS_ENAB no
 
 #
 # If set to a non-zero number, the shadow utilities will make sure that
@@ -391,10 +255,47 @@ USERGROUPS_ENAB yes
 # This option is overridden with the -M or -m flags on the useradd(8)
 # command-line.
 #
-#CREATE_HOME     yes
+CREATE_HOME     no
 
 #
 # Force use shadow, even if shadow passwd & shadow group files are
 # missing.
 #
-#FORCE_SHADOW    yes
+FORCE_SHADOW    no
+
+#
+# User/group names must match the following regex expression.
+# The default is [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?,
+# but be aware that the result could depend on the locale settings.
+#
+#CHARACTER_CLASS                [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?
+CHARACTER_CLASS         [ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_][ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-]*[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$-]\?
+
+#
+# If defined, this command is run when adding a group.
+# It should rebuild any NIS database etc. to add the
+# new created group.
+#
+GROUPADD_CMD             /usr/sbin/groupadd.local
+
+#
+# If defined, this command is run when adding a user.
+# It should rebuild any NIS database etc. to add the
+# new created account.
+#
+USERADD_CMD             /usr/sbin/useradd.local
+
+#
+# If defined, this command is run before removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed.
+#
+USERDEL_PRECMD          /usr/sbin/userdel-pre.local
+
+#
+# If defined, this command is run after removing a user.
+# It should rebuild any NIS database etc. to remove the
+# account from it.
+#
+USERDEL_POSTCMD         /usr/sbin/userdel-post.local
+