Patchwork [1/1] base-passwd: disable problematic login.defs options

login
register
mail settings
Submitter Scott Garman
Date June 16, 2011, 6:50 p.m.
Message ID <3a0dd72238fb6dbdbfc9ff1f0230f310fde0fff9.1308249837.git.scott.a.garman@intel.com>
Download mbox | patch
Permalink /patch/6029/
State New, archived
Headers show

Comments

Scott Garman - June 16, 2011, 6:50 p.m.
This resolves the following runtime errors when various shadow-utils
binaries are run:

configuration error - unknown item 'FAILLOG_ENAB' (notify administrator)
configuration error - unknown item 'LASTLOG_ENAB' (notify administrator)
configuration error - unknown item 'OBSCURE_CHECKS_ENAB' (notify administrator)
configuration error - unknown item 'PORTTIME_CHECKS_ENAB' (notify administrator)
configuration error - unknown item 'QUOTAS_ENAB' (notify administrator)
configuration error - unknown item 'MOTD_FILE' (notify administrator)
configuration error - unknown item 'FTMP_FILE' (notify administrator)
configuration error - unknown item 'NOLOGINS_FILE' (notify administrator)
configuration error - unknown item 'ENV_HZ' (notify administrator)
configuration error - unknown item 'PASS_MIN_LEN' (notify administrator)
configuration error - unknown item 'SU_WHEEL_ONLY' (notify administrator)
configuration error - unknown item 'CRACKLIB_DICTPATH' (notify administrator)
configuration error - unknown item 'PASS_CHANGE_TRIES' (notify administrator)
configuration error - unknown item 'PASS_ALWAYS_WARN' (notify administrator)
configuration error - unknown item 'CHFN_AUTH' (notify administrator)
configuration error - unknown item 'ENVIRON_FILE' (notify administrator)

This fixes bug [YOCTO #1170]

Signed-off-by: Scott Garman <scott.a.garman@intel.com>
---
 .../base-passwd/base-passwd-3.5.22/login.defs      |   32 ++++++++++----------
 .../recipes-core/base-passwd/base-passwd_3.5.22.bb |    2 +-
 2 files changed, 17 insertions(+), 17 deletions(-)
Khem Raj - June 16, 2011, 11:54 p.m.
On 06/16/2011 11:50 AM, Scott Garman wrote:
> This resolves the following runtime errors when various shadow-utils
> binaries are run:
>
> configuration error - unknown item 'FAILLOG_ENAB' (notify administrator)
> configuration error - unknown item 'LASTLOG_ENAB' (notify administrator)
> configuration error - unknown item 'OBSCURE_CHECKS_ENAB' (notify administrator)
> configuration error - unknown item 'PORTTIME_CHECKS_ENAB' (notify administrator)
> configuration error - unknown item 'QUOTAS_ENAB' (notify administrator)
> configuration error - unknown item 'MOTD_FILE' (notify administrator)
> configuration error - unknown item 'FTMP_FILE' (notify administrator)
> configuration error - unknown item 'NOLOGINS_FILE' (notify administrator)
> configuration error - unknown item 'ENV_HZ' (notify administrator)
> configuration error - unknown item 'PASS_MIN_LEN' (notify administrator)
> configuration error - unknown item 'SU_WHEEL_ONLY' (notify administrator)
> configuration error - unknown item 'CRACKLIB_DICTPATH' (notify administrator)
> configuration error - unknown item 'PASS_CHANGE_TRIES' (notify administrator)
> configuration error - unknown item 'PASS_ALWAYS_WARN' (notify administrator)
> configuration error - unknown item 'CHFN_AUTH' (notify administrator)
> configuration error - unknown item 'ENVIRON_FILE' (notify administrator)
>
> This fixes bug [YOCTO #1170]
>
> Signed-off-by: Scott Garman<scott.a.garman@intel.com>
> ---
>   .../base-passwd/base-passwd-3.5.22/login.defs      |   32 ++++++++++----------
>   .../recipes-core/base-passwd/base-passwd_3.5.22.bb |    2 +-
>   2 files changed, 17 insertions(+), 17 deletions(-)
>
> diff --git a/meta/recipes-core/base-passwd/base-passwd-3.5.22/login.defs b/meta/recipes-core/base-passwd/base-passwd-3.5.22/login.defs
> index 1d392ac..2708eb6 100644
> --- a/meta/recipes-core/base-passwd/base-passwd-3.5.22/login.defs
> +++ b/meta/recipes-core/base-passwd/base-passwd-3.5.22/login.defs

I wonder if login.defs should be provided at all by base-passwd package.
It should come from shadow isnt it ?
Koen Kooi - June 17, 2011, 10:11 a.m.
Op 16 jun 2011, om 20:50 heeft Scott Garman het volgende geschreven:

> This resolves the following runtime errors when various shadow-utils
> binaries are run:
> 
> configuration error - unknown item 'FAILLOG_ENAB' (notify administrator)
> configuration error - unknown item 'LASTLOG_ENAB' (notify administrator)
> configuration error - unknown item 'OBSCURE_CHECKS_ENAB' (notify administrator)
> configuration error - unknown item 'PORTTIME_CHECKS_ENAB' (notify administrator)
> configuration error - unknown item 'QUOTAS_ENAB' (notify administrator)
> configuration error - unknown item 'MOTD_FILE' (notify administrator)
> configuration error - unknown item 'FTMP_FILE' (notify administrator)
> configuration error - unknown item 'NOLOGINS_FILE' (notify administrator)
> configuration error - unknown item 'ENV_HZ' (notify administrator)
> configuration error - unknown item 'PASS_MIN_LEN' (notify administrator)
> configuration error - unknown item 'SU_WHEEL_ONLY' (notify administrator)
> configuration error - unknown item 'CRACKLIB_DICTPATH' (notify administrator)
> configuration error - unknown item 'PASS_CHANGE_TRIES' (notify administrator)
> configuration error - unknown item 'PASS_ALWAYS_WARN' (notify administrator)
> configuration error - unknown item 'CHFN_AUTH' (notify administrator)
> configuration error - unknown item 'ENVIRON_FILE' (notify administrator)
> 
> This fixes bug [YOCTO #1170]
> 
> Signed-off-by: Scott Garman <scott.a.garman@intel.com>

Fix confirmed:

Acked-by: Koen Kooi <koen@dominion.thruhere.net>
Scott Garman - June 17, 2011, 4:34 p.m.
On 06/16/2011 04:54 PM, Khem Raj wrote:
> On 06/16/2011 11:50 AM, Scott Garman wrote:
>> This resolves the following runtime errors when various shadow-utils
>> binaries are run:
>>
>> configuration error - unknown item 'FAILLOG_ENAB' (notify administrator)
>> configuration error - unknown item 'LASTLOG_ENAB' (notify administrator)
>> configuration error - unknown item 'OBSCURE_CHECKS_ENAB' (notify
>> administrator)
>> configuration error - unknown item 'PORTTIME_CHECKS_ENAB' (notify
>> administrator)
>> configuration error - unknown item 'QUOTAS_ENAB' (notify administrator)
>> configuration error - unknown item 'MOTD_FILE' (notify administrator)
>> configuration error - unknown item 'FTMP_FILE' (notify administrator)
>> configuration error - unknown item 'NOLOGINS_FILE' (notify administrator)
>> configuration error - unknown item 'ENV_HZ' (notify administrator)
>> configuration error - unknown item 'PASS_MIN_LEN' (notify administrator)
>> configuration error - unknown item 'SU_WHEEL_ONLY' (notify administrator)
>> configuration error - unknown item 'CRACKLIB_DICTPATH' (notify
>> administrator)
>> configuration error - unknown item 'PASS_CHANGE_TRIES' (notify
>> administrator)
>> configuration error - unknown item 'PASS_ALWAYS_WARN' (notify
>> administrator)
>> configuration error - unknown item 'CHFN_AUTH' (notify administrator)
>> configuration error - unknown item 'ENVIRON_FILE' (notify administrator)
>>
>> This fixes bug [YOCTO #1170]
>>
>> Signed-off-by: Scott Garman<scott.a.garman@intel.com>
>> ---
>> .../base-passwd/base-passwd-3.5.22/login.defs | 32 ++++++++++----------
>> .../recipes-core/base-passwd/base-passwd_3.5.22.bb | 2 +-
>> 2 files changed, 17 insertions(+), 17 deletions(-)
>>
>> diff --git
>> a/meta/recipes-core/base-passwd/base-passwd-3.5.22/login.defs
>> b/meta/recipes-core/base-passwd/base-passwd-3.5.22/login.defs
>> index 1d392ac..2708eb6 100644
>> --- a/meta/recipes-core/base-passwd/base-passwd-3.5.22/login.defs
>> +++ b/meta/recipes-core/base-passwd/base-passwd-3.5.22/login.defs
>
> I wonder if login.defs should be provided at all by base-passwd package.
> It should come from shadow isnt it ?

Hi Khem,

The reason for including the login.defs file with base-passwd has to do 
with the new useradd.bbclass that I developed (Richard is still holding 
it for code review, but we should see it here soon). The way it works is 
custom users/groups get added to the passwd/group files in the target 
machine's sysroot. The shadow utils require a login.defs in order to 
work. Thus, a default login.defs needs to be shipped with base-passwd now.

As a side note, my first iteration on this design used a 
base-passwd-cross recipe instead. Richard suggested that maintaining a 
separate -cross recipe was not necessary, and to integrate the target 
sysroot changes into the base-passwd recipe (given that otherwise there 
were no meaningful differences).

If anyone feels strongly about this, now would be the time to make your 
case.

Scott
Khem Raj - June 17, 2011, 4:43 p.m.
On Fri, Jun 17, 2011 at 9:34 AM, Scott Garman <scott.a.garman@intel.com> wrote:
> On 06/16/2011 04:54 PM, Khem Raj wrote:
>>
>> On 06/16/2011 11:50 AM, Scott Garman wrote:
>>>
>>> This resolves the following runtime errors when various shadow-utils
>>> binaries are run:
>>>
>>> configuration error - unknown item 'FAILLOG_ENAB' (notify administrator)
>>> configuration error - unknown item 'LASTLOG_ENAB' (notify administrator)
>>> configuration error - unknown item 'OBSCURE_CHECKS_ENAB' (notify
>>> administrator)
>>> configuration error - unknown item 'PORTTIME_CHECKS_ENAB' (notify
>>> administrator)
>>> configuration error - unknown item 'QUOTAS_ENAB' (notify administrator)
>>> configuration error - unknown item 'MOTD_FILE' (notify administrator)
>>> configuration error - unknown item 'FTMP_FILE' (notify administrator)
>>> configuration error - unknown item 'NOLOGINS_FILE' (notify administrator)
>>> configuration error - unknown item 'ENV_HZ' (notify administrator)
>>> configuration error - unknown item 'PASS_MIN_LEN' (notify administrator)
>>> configuration error - unknown item 'SU_WHEEL_ONLY' (notify administrator)
>>> configuration error - unknown item 'CRACKLIB_DICTPATH' (notify
>>> administrator)
>>> configuration error - unknown item 'PASS_CHANGE_TRIES' (notify
>>> administrator)
>>> configuration error - unknown item 'PASS_ALWAYS_WARN' (notify
>>> administrator)
>>> configuration error - unknown item 'CHFN_AUTH' (notify administrator)
>>> configuration error - unknown item 'ENVIRON_FILE' (notify administrator)
>>>
>>> This fixes bug [YOCTO #1170]
>>>
>>> Signed-off-by: Scott Garman<scott.a.garman@intel.com>
>>> ---
>>> .../base-passwd/base-passwd-3.5.22/login.defs | 32 ++++++++++----------
>>> .../recipes-core/base-passwd/base-passwd_3.5.22.bb | 2 +-
>>> 2 files changed, 17 insertions(+), 17 deletions(-)
>>>
>>> diff --git
>>> a/meta/recipes-core/base-passwd/base-passwd-3.5.22/login.defs
>>> b/meta/recipes-core/base-passwd/base-passwd-3.5.22/login.defs
>>> index 1d392ac..2708eb6 100644
>>> --- a/meta/recipes-core/base-passwd/base-passwd-3.5.22/login.defs
>>> +++ b/meta/recipes-core/base-passwd/base-passwd-3.5.22/login.defs
>>
>> I wonder if login.defs should be provided at all by base-passwd package.
>> It should come from shadow isnt it ?
>
> Hi Khem,
>
> The reason for including the login.defs file with base-passwd has to do with
> the new useradd.bbclass that I developed (Richard is still holding it for
> code review, but we should see it here soon). The way it works is custom
> users/groups get added to the passwd/group files in the target machine's
> sysroot. The shadow utils require a login.defs in order to work.

hence it should come from shadow isnt it ? why from base-passwd ?
if someone is not using using shadow this file will be useless for
him/her isnt it ?

-Khem
Scott Garman - June 17, 2011, 5:19 p.m.
On 06/17/2011 09:43 AM, Khem Raj wrote:
> On Fri, Jun 17, 2011 at 9:34 AM, Scott Garman<scott.a.garman@intel.com>  wrote:
>> On 06/16/2011 04:54 PM, Khem Raj wrote:
>>>
>>> On 06/16/2011 11:50 AM, Scott Garman wrote:
>>>>
>>>> This resolves the following runtime errors when various shadow-utils
>>>> binaries are run:
>>>>
>>>> configuration error - unknown item 'FAILLOG_ENAB' (notify administrator)
>>>> configuration error - unknown item 'LASTLOG_ENAB' (notify administrator)
>>>> configuration error - unknown item 'OBSCURE_CHECKS_ENAB' (notify
>>>> administrator)
>>>> configuration error - unknown item 'PORTTIME_CHECKS_ENAB' (notify
>>>> administrator)
>>>> configuration error - unknown item 'QUOTAS_ENAB' (notify administrator)
>>>> configuration error - unknown item 'MOTD_FILE' (notify administrator)
>>>> configuration error - unknown item 'FTMP_FILE' (notify administrator)
>>>> configuration error - unknown item 'NOLOGINS_FILE' (notify administrator)
>>>> configuration error - unknown item 'ENV_HZ' (notify administrator)
>>>> configuration error - unknown item 'PASS_MIN_LEN' (notify administrator)
>>>> configuration error - unknown item 'SU_WHEEL_ONLY' (notify administrator)
>>>> configuration error - unknown item 'CRACKLIB_DICTPATH' (notify
>>>> administrator)
>>>> configuration error - unknown item 'PASS_CHANGE_TRIES' (notify
>>>> administrator)
>>>> configuration error - unknown item 'PASS_ALWAYS_WARN' (notify
>>>> administrator)
>>>> configuration error - unknown item 'CHFN_AUTH' (notify administrator)
>>>> configuration error - unknown item 'ENVIRON_FILE' (notify administrator)
>>>>
>>>> This fixes bug [YOCTO #1170]
>>>>
>>>> Signed-off-by: Scott Garman<scott.a.garman@intel.com>
>>>> ---
>>>> .../base-passwd/base-passwd-3.5.22/login.defs | 32 ++++++++++----------
>>>> .../recipes-core/base-passwd/base-passwd_3.5.22.bb | 2 +-
>>>> 2 files changed, 17 insertions(+), 17 deletions(-)
>>>>
>>>> diff --git
>>>> a/meta/recipes-core/base-passwd/base-passwd-3.5.22/login.defs
>>>> b/meta/recipes-core/base-passwd/base-passwd-3.5.22/login.defs
>>>> index 1d392ac..2708eb6 100644
>>>> --- a/meta/recipes-core/base-passwd/base-passwd-3.5.22/login.defs
>>>> +++ b/meta/recipes-core/base-passwd/base-passwd-3.5.22/login.defs
>>>
>>> I wonder if login.defs should be provided at all by base-passwd package.
>>> It should come from shadow isnt it ?
>>
>> Hi Khem,
>>
>> The reason for including the login.defs file with base-passwd has to do with
>> the new useradd.bbclass that I developed (Richard is still holding it for
>> code review, but we should see it here soon). The way it works is custom
>> users/groups get added to the passwd/group files in the target machine's
>> sysroot. The shadow utils require a login.defs in order to work.
>
> hence it should come from shadow isnt it ? why from base-passwd ?
> if someone is not using using shadow this file will be useless for
> him/her isnt it ?

Sorry, I forgot to mention that shadow-utils-native is what is used to 
modify the passwd/group files in the target sysroot. It seems that 
having a -native recipe install files into a target sysroot would be 
worse than including an optional file with base-passwd that may or may 
not be used in target systems.

Scott
Otavio Salvador - June 17, 2011, 5:22 p.m.
On Fri, Jun 17, 2011 at 17:19, Scott Garman <scott.a.garman@intel.com> wrote:
> Sorry, I forgot to mention that shadow-utils-native is what is used to
> modify the passwd/group files in the target sysroot. It seems that having a
> -native recipe install files into a target sysroot would be worse than
> including an optional file with base-passwd that may or may not be used in
> target systems.

Why not make an shadow-target package with this?
Scott Garman - June 17, 2011, 6:10 p.m.
On 06/17/2011 10:22 AM, Otavio Salvador wrote:
> On Fri, Jun 17, 2011 at 17:19, Scott Garman<scott.a.garman@intel.com>  wrote:
>> Sorry, I forgot to mention that shadow-utils-native is what is used to
>> modify the passwd/group files in the target sysroot. It seems that having a
>> -native recipe install files into a target sysroot would be worse than
>> including an optional file with base-passwd that may or may not be used in
>> target systems.
>
> Why not make an shadow-target package with this?

To just install a login.defs file? I'm open to it if a few more people 
think this is a better idea.

Scott
Mark Hatle - June 20, 2011, 2:13 a.m.
On 6/17/11 1:10 PM, Scott Garman wrote:
> On 06/17/2011 10:22 AM, Otavio Salvador wrote:
>> On Fri, Jun 17, 2011 at 17:19, Scott Garman<scott.a.garman@intel.com>  wrote:
>>> Sorry, I forgot to mention that shadow-utils-native is what is used to
>>> modify the passwd/group files in the target sysroot. It seems that having a
>>> -native recipe install files into a target sysroot would be worse than
>>> including an optional file with base-passwd that may or may not be used in
>>> target systems.
>>
>> Why not make an shadow-target package with this?
> 
> To just install a login.defs file? I'm open to it if a few more people 
> think this is a better idea.

The file is needed in order for the utilities that add, remove and modify
users/groups to function properly.  The full version from shadow utils is used
so we are sure we can dead with both shadow-less and shadowed filesystem images.
 (It's also more full featured then busybox, yet busybox is still compatible
with it.)

As for the separate package, that should be fine.. but remember this is a very
small file, so is it worth "another" package?  (If so, then base-files likely
should depend on it for build-time, but not run-time.)

--Mark

> Scott
>
Khem Raj - June 20, 2011, 2:41 a.m.
On Sun, Jun 19, 2011 at 7:13 PM, Mark Hatle <mark.hatle@windriver.com> wrote:
> On 6/17/11 1:10 PM, Scott Garman wrote:
>> On 06/17/2011 10:22 AM, Otavio Salvador wrote:
>>> On Fri, Jun 17, 2011 at 17:19, Scott Garman<scott.a.garman@intel.com>  wrote:
>>>> Sorry, I forgot to mention that shadow-utils-native is what is used to
>>>> modify the passwd/group files in the target sysroot. It seems that having a
>>>> -native recipe install files into a target sysroot would be worse than
>>>> including an optional file with base-passwd that may or may not be used in
>>>> target systems.
>>>
>>> Why not make an shadow-target package with this?
>>
>> To just install a login.defs file? I'm open to it if a few more people
>> think this is a better idea.
>
> The file is needed in order for the utilities that add, remove and modify
> users/groups to function properly.  The full version from shadow utils is used
> so we are sure we can dead with both shadow-less and shadowed filesystem images.
>  (It's also more full featured then busybox, yet busybox is still compatible
> with it.)
>
Will shadow be able to override this file ?
one thing I see is that it wont get any updates that shadow might
do to this file in future.

> As for the separate package, that should be fine.. but remember this is a very
> small file, so is it worth "another" package?  (If so, then base-files likely
> should depend on it for build-time, but not run-time.)
>
> --Mark
>
>> Scott
>>
>
>
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-core
>
Scott Garman - June 20, 2011, 3:33 a.m.
On 06/19/2011 07:41 PM, Khem Raj wrote:
> On Sun, Jun 19, 2011 at 7:13 PM, Mark Hatle<mark.hatle@windriver.com>  wrote:
>> On 6/17/11 1:10 PM, Scott Garman wrote:
>>> On 06/17/2011 10:22 AM, Otavio Salvador wrote:
>>>> On Fri, Jun 17, 2011 at 17:19, Scott Garman<scott.a.garman@intel.com>    wrote:
>>>>> Sorry, I forgot to mention that shadow-utils-native is what is used to
>>>>> modify the passwd/group files in the target sysroot. It seems that having a
>>>>> -native recipe install files into a target sysroot would be worse than
>>>>> including an optional file with base-passwd that may or may not be used in
>>>>> target systems.
>>>>
>>>> Why not make an shadow-target package with this?
>>>
>>> To just install a login.defs file? I'm open to it if a few more people
>>> think this is a better idea.
>>
>> The file is needed in order for the utilities that add, remove and modify
>> users/groups to function properly.  The full version from shadow utils is used
>> so we are sure we can dead with both shadow-less and shadowed filesystem images.
>>   (It's also more full featured then busybox, yet busybox is still compatible
>> with it.)
>>
> Will shadow be able to override this file ?
> one thing I see is that it wont get any updates that shadow might
> do to this file in future.

Now that I think of it, the reason Koen ran into the error messages was 
that the login.defs I shipped with base-passwd had various variables 
uncommented that the shadow recipe comments out (there's a sed script 
included with shadow which does this). Which means that his image, which 
had shadow installed, was *not* overriding the login.defs from base-passwd.

I'm now convinced that creating a shadow-cross package which just ships 
a login.defs file is the right thing to do, and to remove it from 
base-passwd. Thanks everyone for the feedback thus far.

I will be away at a conference for most of this coming week, but will 
try to squeeze this in on Monday.

Scott

Patch

diff --git a/meta/recipes-core/base-passwd/base-passwd-3.5.22/login.defs b/meta/recipes-core/base-passwd/base-passwd-3.5.22/login.defs
index 1d392ac..2708eb6 100644
--- a/meta/recipes-core/base-passwd/base-passwd-3.5.22/login.defs
+++ b/meta/recipes-core/base-passwd/base-passwd-3.5.22/login.defs
@@ -14,7 +14,7 @@  FAIL_DELAY		3
 #
 # Enable logging and display of /var/log/faillog login failure info.
 #
-FAILLOG_ENAB		yes
+#FAILLOG_ENAB		yes
 
 #
 # Enable display of unknown usernames when login failures are recorded.
@@ -29,7 +29,7 @@  LOG_OK_LOGINS		no
 #
 # Enable logging and display of /var/log/lastlog login time info.
 #
-LASTLOG_ENAB		yes
+#LASTLOG_ENAB		yes
 
 #
 # Enable checking and display of mailbox status upon login.
@@ -42,17 +42,17 @@  LASTLOG_ENAB		yes
 #
 # Enable additional checks upon password changes.
 #
-OBSCURE_CHECKS_ENAB	yes
+#OBSCURE_CHECKS_ENAB	yes
 
 #
 # Enable checking of time restrictions specified in /etc/porttime.
 #
-PORTTIME_CHECKS_ENAB	yes
+#PORTTIME_CHECKS_ENAB	yes
 
 #
 # Enable setting of ulimit, umask, and niceness from passwd gecos field.
 #
-QUOTAS_ENAB		yes
+#QUOTAS_ENAB		yes
 
 #
 # Enable "syslog" logging of su activity - in addition to sulog file logging.
@@ -78,7 +78,7 @@  CONSOLE		/etc/securetty
 # If defined, ":" delimited list of "message of the day" files to
 # be displayed upon login.
 #
-MOTD_FILE	/etc/motd
+#MOTD_FILE	/etc/motd
 #MOTD_FILE	/etc/motd:/usr/lib/news/news-motd
 
 #
@@ -96,14 +96,14 @@  MOTD_FILE	/etc/motd
 # If defined, login failures will be logged here in a utmp format.
 # last, when invoked as lastb, will read /var/log/btmp, so...
 #
-FTMP_FILE	/var/log/btmp
+#FTMP_FILE	/var/log/btmp
 
 #
 # If defined, name of file whose presence which will inhibit non-root
 # logins.  The contents of this file should be a message indicating
 # why logins are inhibited.
 #
-NOLOGINS_FILE	/etc/nologin
+#NOLOGINS_FILE	/etc/nologin
 
 #
 # If defined, the command name to display when running "su -".  For
@@ -141,7 +141,7 @@  HUSHLOGIN_FILE	.hushlogin
 # If defined, an HZ environment parameter spec.
 #
 # for Linux/x86
-ENV_HZ		HZ=100
+#ENV_HZ		HZ=100
 # For Linux/Alpha...
 #ENV_HZ		HZ=1024
 
@@ -201,7 +201,7 @@  UMASK		022
 #
 PASS_MAX_DAYS	99999
 PASS_MIN_DAYS	0
-PASS_MIN_LEN	5
+#PASS_MIN_LEN	5
 PASS_WARN_AGE	7
 
 #
@@ -210,12 +210,12 @@  PASS_WARN_AGE	7
 # to uid 0 accounts.  If the group doesn't exist or is empty, no one
 # will be able to "su" to uid 0.
 #
-SU_WHEEL_ONLY	no
+#SU_WHEEL_ONLY	no
 
 #
 # If compiled with cracklib support, where are the dictionaries
 #
-CRACKLIB_DICTPATH	/var/cache/cracklib/cracklib_dict
+#CRACKLIB_DICTPATH	/var/cache/cracklib/cracklib_dict
 
 #
 # Min/max values for automatic uid selection in useradd
@@ -248,12 +248,12 @@  LOGIN_TIMEOUT		60
 #
 # Maximum number of attempts to change password if rejected (too easy)
 #
-PASS_CHANGE_TRIES	5
+#PASS_CHANGE_TRIES	5
 
 #
 # Warn about weak passwords (but still allow them) if you are root.
 #
-PASS_ALWAYS_WARN	yes
+#PASS_ALWAYS_WARN	yes
 
 #
 # Number of significant characters in the password for crypt().
@@ -265,7 +265,7 @@  PASS_ALWAYS_WARN	yes
 #
 # Require password before chfn/chsh can make any changes.
 #
-CHFN_AUTH		yes
+#CHFN_AUTH		yes
 
 #
 # Which fields may be changed by regular users using chfn - use
@@ -347,7 +347,7 @@  DEFAULT_HOME	yes
 # If this file exists and is readable, login environment will be
 # read from it.  Every line should be in the form name=value.
 #
-ENVIRON_FILE	/etc/environment
+#ENVIRON_FILE	/etc/environment
 
 #
 # If defined, this command is run when removing a user.
diff --git a/meta/recipes-core/base-passwd/base-passwd_3.5.22.bb b/meta/recipes-core/base-passwd/base-passwd_3.5.22.bb
index 3315c68..614c431 100644
--- a/meta/recipes-core/base-passwd/base-passwd_3.5.22.bb
+++ b/meta/recipes-core/base-passwd/base-passwd_3.5.22.bb
@@ -1,7 +1,7 @@ 
 SUMMARY = "Base system master password/group files."
 DESCRIPTION = "The master copies of the user database files (/etc/passwd and /etc/group).  The update-passwd tool is also provided to keep the system databases synchronized with these master files."
 SECTION = "base"
-PR = "r2"
+PR = "r3"
 LICENSE = "GPLv2+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a"