+libnss-mysql-bg (1.5-3) unstable; urgency=low
+
+ * Add patch from Harald Weidner to follow the Debian policy in the way shadow
+ passwords are handled (make use of group shadow) (closes: #641404)
+
+ -- Emmanuel Lacour <elacour@home-dn.net> Tue, 08 Nov 2011 17:13:42 +0100
+
libnss-mysql-bg (1.5-2) unstable; urgency=low
* debian/rules: add binary-indep target (closes: #395712)
case "$1" in
configure)
- # Make sur /etc/libnss-mysql-root.cfg isn't world/group readable
- [ -f /etc/libnss-mysql-root.cfg ] && chmod 0600 /etc/libnss-mysql-root.cfg
+ # Make sur /etc/libnss-mysql-root.cfg is only root:shadow readable
+ if [ -f /etc/libnss-mysql-root.cfg ]
+ then
+ chmod 0640 /etc/libnss-mysql-root.cfg
+ chown root:shadow /etc/libnss-mysql-root.cfg
+ fi
;;
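Review bot: In the new `configure` branch, `chmod 0640` runs before `chown root:shadow`, so for a moment the file is group-readable by whatever group owned it before the upgrade. This file presumably holds the privileged database credentials. Swapping the two lines grants the group bit only once the group is known to be `shadow`: `chown root:shadow /etc/libnss-mysql-root.cfg` then `chmod 0640 /etc/libnss-mysql-root.cfg`. If the script runs under `set -e` (not visible here), a failing `chown` aborts configuration, which is the safer outcome, but only with that ordering does it abort before the mode is loosened. The comment typo could be fixed in the same change: `# Make sure /etc/libnss-mysql-root.cfg is only readable by root:shadow`. The `case` block continues outside the hunk.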
--- /dev/null
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 04_shadow.dpatch by <elacour@home-dn.net>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Add check for egid to properly works like "shadow" enabled authentications
+
+@DPATCH@
+--- libnss-mysql-bg-1.5/src/lookup.c 2011-09-13 09:28:30.000000000 +0200
++++ libnss-mysql-bg-1.5/src/lookup.c 2011-09-13 09:47:16.000000000 +0200
+@@ -21,6 +21,8 @@
+ #include "nss_mysql.h"
+ #include <stdio.h> /* snprintf () */
+ #include <string.h> /* strcpy () */
++#include <sys/types.h>
++#include <grp.h>
+
+ extern conf_t conf;
+
+@@ -131,12 +133,22 @@
+ int attempts = MAX_QUERY_ATTEMPTS; /* Attempt # (countdown) */
+ static uid_t euid = -1; /* Last known euid for change detect */
+ uid_t cur_euid; /* CURRENT euid */
++ gid_t cur_egid; /* CURRENT egid */
++ gid_t shadow_gid; /* gid for group shadow (usually 42 on Debian) */
+
+ DENTER
+
+ cur_euid = geteuid ();
++
++ /* Get shadow gid, if needed */
++ if(cur_euid != 0) {
++ cur_egid = getegid ();
++ struct group *grp = getgrnam("shadow");
++ shadow_gid = (grp ? grp->gr_gid : -1);
++ }
++
+ D ("%s: restricted = %d, cur_euid = %u", FUNCNAME, restricted, cur_euid);
+- if (restricted == ntrue && cur_euid != 0)
++ if (restricted == ntrue && cur_euid != 0 && (shadow_gid == -1 || cur_egid != shadow_gid))
+ DSRETURN (NSS_NOTFOUND)
+
+ /* Make sure euid hasn't changed, thus changing our access abilities */
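Review bot: The added `getgrnam("shadow")` call runs for every non-root lookup, before the `restricted` test, and it is the non-reentrant variant. Inside an NSS module it re-enters the NSS group database (which may route back into this module, depending on nsswitch.conf) and overwrites the static `struct group` the calling application may still hold from its own `getgrnam`/`getgrent`. Resolving the gid only when `restricted == ntrue && cur_euid != 0`, with `getgrnam_r` and a local buffer, avoids both problems. It also makes `cur_egid` and `shadow_gid` unnecessary; as written they are uninitialised for root and compared against a bare `-1` instead of `(gid_t) -1`. Any resolution failure should keep failing closed with `NSS_NOTFOUND`, as sketched below; the enclosing function starts and continues outside the hunk.

```c
  cur_euid = geteuid ();
  D ("%s: restricted = %d, cur_euid = %u", FUNCNAME, restricted, cur_euid);
  /* Restricted data: allow root, or a caller whose egid is group shadow */
  if (restricted == ntrue && cur_euid != 0)
    {
      struct group grbuf;
      struct group *grp = NULL;
      char grstr[1024];   /* scratch space for getgrnam_r (); size is a constructed example */

      /* Fail closed: lookup error, missing group and gid mismatch all deny */
      if (getgrnam_r ("shadow", &grbuf, grstr, sizeof grstr, &grp) != 0
          || grp == NULL || getegid () != grp->gr_gid)
        DSRETURN (NSS_NOTFOUND)
    }
  /* … unchanged: euid change detection … */
```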