[Pkg-shadow-devel] Announce: shadow 4.1.0

Nicolas François nicolas.francois at centraliens.net
Tue Dec 11 00:26:33 UTC 2007


The shadow tool suite 4.1.0 has been released and new tarballs are
available on:


Here are the changes since
shadow- -> shadow-4.1.0                                 09-12-2008

*** security:
- chgpasswd
  When compiled with PAM support, it used the chpasswd policy file instead
  of the chgpasswd policy file. If an administrator added some restriction
  to the chgpasswd policy file, they were not taken into account.

*** general:
- Add support for SHA256 and SHA512 encrypt methods (supported by new
- useradd: Allow a non-numerical group identifier to be specified with
  useradd's -g option.
- chgpasswd, chpasswd: Fix chpasswd and chgpasswd stack overflow.
- newgrp: Do not give an indication that the group has no password. Ask
  for the password, as if there were a password.
- The permissions of the suid binaries are now configurable in
  src/Makefile.am. Note that changing the permissions is not recommended.
- newgrp.c: Declare the child and pid variable at the beginning of a block.
  This fixes a compilation issue with gcc 2.95.
- login_nopam: Add support for systems with no innetgr(). On those
  systems, usernames with an @ will be treated like any other username
  (i.e. lookup in the local database for a user with an @). Thanks to
  Mike Frysinger for the patch.
- Add support for uClibc with no l64a().
- userdel, usermod: Fix infinite loop caused by erroneous group file
  containing two entries with the same name. (The fix strategy differs
- userdel: Abort if an error is detected while updating the passwd or group
  databases. The passwd or group files will not be written.
- usermod: Update the group database before flushing the nscd caches.
- usermod: Make sure the group modifications will be allowed before
  writing the passwd files.
- Flush the nscd tables using nscd -i instead of the private glibc socket.
- usermod: Make usermod options independent of the argument order.
- newgrp: Do not request a password when a user uses newgrp to switch to
  her primary group.
- passwd: -l/-u options: edit the shadow account expiry field *in
  addition* to editing the password field.
- pwck: Remove the SHADOWPWD preprocessor check. Some checks for /etc/shadow
  were always missing.
- su: Avoid terminating the PAM library in the forked child. This is done
  later in the parent after closing the PAM session.
- userdel: Fix the homedir prefix checking.
- passwd, usermod: Refuse to unlock an account when it would result in a
  passwordless account.
- Full review of the usage of getpwnam(), getpwuid(), getgrnam(),
  getgrgid(), and getspnam(). There should be no functional changes.
- gpasswd: Only read information from the local file group database. It
  writes the changes in /etc/group and/or /etc/gshadow, but used to read
  information from getgrnam (hence possibly from another group database).
- New login.defs variable: MAX_MEMBERS_PER_GROUP. It should provide
  better support for split groups. Be careful when using this variable:
  not all tools support split groups well (in or out of the shadow
  tool suite). It fixes gpasswd and chgpasswd when split groups are used.
  SHA_CRYPT_MAX_ROUNDS to define the default encryption algorithm for the
- chpasswd, chgpasswd, newusers: New options -c/--crypt-method and
  -s/--sha-rounds to supersede the system default encryption algorithm.
- chpasswd, chgpasswd, newusers: DES is no longer the default algorithm. They
  will respect the system default configured in /etc/login.defs.

*** documentation:
- Generate the translated manpages from PO at build time.
- The generated manpages will change depending on the configure options.
  If you use different options than the ones used for the distributed
  archive, you should re-generate the manpages.
- login.defs should now describe all the variables.
- The tools' documentation details the login.defs variables they use.

Best Regards,
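
An added example (not part of the original announcement, nor code from the shadow project): with SHA256/SHA512 available and DES no longer the default for chpasswd, chgpasswd and newusers, this script reports which crypt(3) scheme each shadow-format entry uses and lists the accounts still holding DES, MD5 or empty password fields. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify shadow-format entries by hashing scheme.
# crypt(3) prefixes: $1$ = MD5, $5$ = SHA256, $6$ = SHA512;
# a 13-character field with no prefix is traditional DES.

classify_shadow() {
    # stdin: shadow-format lines. stdout: "name scheme rounds state".
    awk -F: '
    /^#/ || NF == 0 { next }
    {
        name = $1; h = $2; state = "active"; rounds = "-"
        # passwd -l prefixes the hash with "!": strip it, remember the lock.
        if (h ~ /^!/) { state = "locked"; sub(/^!+/, "", h) }
        if (h == "")               scheme = (state == "locked") ? "none" : "EMPTY"
        else if (h == "*")       { scheme = "none"; state = "nologin" }
        else if (h ~ /^\$1\$/)     scheme = "MD5"
        else if (h ~ /^\$5\$/)     scheme = "SHA256"
        else if (h ~ /^\$6\$/)     scheme = "SHA512"
        else if (length(h) == 13)  scheme = "DES"
        else                       scheme = "unknown"
        if (scheme ~ /^SHA/) {
            rounds = "default"
            # Explicit cost is encoded as $6$rounds=N$salt$hash
            if (h ~ /^\$[56]\$rounds=[0-9]+\$/) {
                r = h; sub(/^\$[56]\$rounds=/, "", r); sub(/\$.*/, "", r)
                rounds = r
            }
        }
        print name, scheme, rounds, state
    }'
}

weak_accounts() {
    # Names whose stored field is DES, MD5 or empty (locked ones included,
    # since unlocking restores the old hash).
    classify_shadow | awk '$2 ~ /^(DES|MD5|EMPTY)$/ { print $1 }'
}

sample_shadow() {
    cat <<'EOF'
# constructed entries; salts and hashes are placeholders, not real digests
alice:$6$rounds=20000$SALTSALT$HASHPLACEHOLDER:13858:0:99999:7:::
bob:$1$SALTSALT$HASHPLACEHOLDER:13858:0:99999:7:::
carol:AbCdEfGhIjKlM:13858:0:99999:7:::
dave:!$5$SALTSALT$HASHPLACEHOLDER:13858:0:99999:7:::
daemon:*:13858:0:99999:7:::
erin::13858:0:99999:7:::
EOF
}

sample_shadow | weak_accounts
```

To audit a real system, feed the shadow file to `weak_accounts` on stdin as root instead of the sample data.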
