From 4d35ef82992ff93452a42b69ffbbaf0d50a1369c Mon Sep 17 00:00:00 2001
From: Matthew Garrett
Date: Tue, 5 Apr 2016 22:15:56 -0700
Subject: [PATCH] Modify PAM build

Include a patch that incorporates our existing account locking behaviour - a leading exclamation mark in the password field in /etc/shadow indicates a locked account. Also install configuration into /usr and provide a tmpfiles fragment to bring it back.
---
 .../pam/files/pam-1.2.1-locked-accounts.patch | 13 +++++++++++
 .../sys-libs/pam/files/tmpfiles.d/pam.conf | 10 ++++++++
 .../sys-libs/pam/pam-1.2.1.ebuild | 23 ++++---------------
 3 files changed, 28 insertions(+), 18 deletions(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.2.1-locked-accounts.patch
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.2.1-locked-accounts.patch b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.2.1-locked-accounts.patch
new file mode 100644
index 0000000000..455b7bfb85
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.2.1-locked-accounts.patch
@@ -0,0 +1,13 @@
+diff -ur Linux-PAM-1.2.1.orig/modules/pam_unix/pam_unix_acct.c Linux-PAM-1.2.1/modules/pam_unix/pam_unix_acct.c
+--- Linux-PAM-1.2.1.orig/modules/pam_unix/pam_unix_acct.c 2015-03-24 05:02:32.000000000 -0700
++++ Linux-PAM-1.2.1/modules/pam_unix/pam_unix_acct.c 2016-04-05 12:48:08.344913637 -0700
+@@ -219,6 +219,9 @@
+ return retval;
+ }
++ if (pwent->pw_passwd != NULL && pwent->pw_passwd[0] == '!')
++ return PAM_PERM_DENIED;
++
+ if (retval == PAM_SUCCESS && spent == NULL)
+ return PAM_SUCCESS;
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf
new file mode 100644
index 0000000000..8c2657390b
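Review bot: The added check reads `pwent->pw_passwd`, which is the /etc/passwd password field, whereas the commit message says the `!` marker is kept in /etc/shadow; for a shadowed account that field normally carries only a placeholder and the hash (with any `!` prefix) is in the shadow entry, so as written the lock would presumably only be honoured when the marker is in /etc/passwd itself. If /etc/shadow is the intended source, the test should look at the shadow record, e.g. `if (spent != NULL && spent->sp_pwdp != NULL && spent->sp_pwdp[0] == '!') return PAM_PERM_DENIED;`, placed after the point where `spent` is known to be populated, and the case where the module cannot read the shadow file itself and defers to the helper (the `retval == PAM_SUCCESS && spent == NULL` line right below hints at that path) needs the same treatment or it will silently not lock. The denial is also unlogged; if this module reports other account-state failures through `pam_syslog` as I would expect, a `LOG_NOTICE` line naming the user here would make lockout-driven denials visible in the audit trail. The enclosing function starts and ends outside the hunk, so where `spent` is filled in cannot be confirmed from this view.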
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf
@@ -0,0 +1,10 @@
+d /etc/security 0755 root root - -
+d /etc/security/limits.d 0755 root root - -
+d /etc/security/namespace.d 0755 root root - -
+f /etc/environment 0755 root root - -
+L /etc/security/access.conf - - - - ../../usr/lib/pam/access.conf
+L /etc/security/group.conf - - - - ../../usr/lib/pam/group.conf
+L /etc/security/limits.conf - - - - ../../usr/lib/pam/limits.conf
+L /etc/security/namespace.conf - - - - ../../usr/lib/pam/namespace.conf
+L /etc/security/pam_env.conf - - - - ../../usr/lib/pam/pam_env.conf
+L /etc/security/time.conf - - - - ../../usr/lib/pam/time.conf
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.2.1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.2.1.ebuild
index 8309dda36a..dfc9a84d29 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.2.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.2.1.ebuild
@@ -4,7 +4,7 @@
 EAPI=5
-inherit libtool multilib multilib-minimal eutils pam toolchain-funcs flag-o-matic db-use
+inherit libtool multilib multilib-minimal eutils pam toolchain-funcs flag-o-matic db-use systemd
 MY_PN="Linux-PAM"
 MY_P="${MY_PN}-${PV}"
@@ -93,6 +93,7 @@ src_unpack() {
 }
 src_prepare() {
+ epatch "${FILESDIR}"/pam-1.2.1-locked-accounts.patch
 elibtoolize
 }
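Review bot: `f /etc/environment 0755 root root - -` creates the file with the execute bits set, but /etc/environment is only read (by pam_env), never executed, so the conventional least-privilege mode is `f /etc/environment 0644 root root - -`. The 0755 on the three directory entries is fine. The `L` lines use relative targets (`../../usr/lib/pam/...`), which resolve correctly from /etc/security/ and match the `SCONFIGDIR="/usr/lib/pam/"` the ebuild now passes to emake, so the link set is consistent with where the files are installed.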
@@ -132,24 +133,10 @@ multilib_src_compile() {
 }
 multilib_src_install() {
- emake DESTDIR="${D}" install \
+ emake SCONFIGDIR="/usr/lib/pam/" DESTDIR="${D}" install \
 sepermitlockdir="${EPREFIX}/run/sepermit"
-
- local prefix
- if multilib_is_native_abi; then
- prefix=
- gen_usr_ldscript -a pam pamc pam_misc
- else
- prefix=/usr
- fi
-
- # create extra symlinks just in case something depends on them...
- local lib
- for lib in pam pamc pam_misc; do
- if ! [[ -f "${ED}"${prefix}/$(get_libdir)/lib${lib}$(get_libname) ]]; then
- dosym lib${lib}$(get_libname 0) ${prefix}/$(get_libdir)/lib${lib}$(get_libname)
- fi
- done
+ rm "${D}/etc/environment"
+ systemd_dotmpfilesd "${FILESDIR}/tmpfiles.d/pam.conf"
 }
 DOCS=( CHANGELOG ChangeLog README AUTHORS Copyright NEWS )
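Review bot: The new `rm "${D}/etc/environment"` is unchecked and uses `${D}` where the neighbouring install code is prefix-aware (`sepermitlockdir="${EPREFIX}/run/sepermit"` on the line above, `${ED}` in the removed symlink loop); ebuild convention is `rm "${ED}/etc/environment" || die`, so an upstream layout change surfaces at build time instead of leaving a stale packaged /etc/environment in the image alongside the tmpfiles-managed one. For the same reason `SCONFIGDIR="/usr/lib/pam/"` should probably be `SCONFIGDIR="${EPREFIX}/usr/lib/pam/"`, although with an empty EPREFIX the two are identical. Since multilib_src_install runs once per ABI and each `emake install` reinstalls the file, the checked rm stays valid on every pass. A one-line comment above the rm, such as `# /etc/environment is recreated at boot by the tmpfiles.d fragment installed below`, would record why a packaged file is deliberately deleted.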