From 5a947a7afb4595c8c1c8806bc6e34b41e7c33972 Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Wed, 18 Jan 2023 14:43:08 +0000 Subject: [PATCH 1/3] sys-apps/shadow: Sync with Gentoo Upstream commit a0436405ad053f94ac5f28111452bb9ba301bea5 --- .../coreos-overlay/sys-apps/shadow/Manifest | 4 +- .../files/shadow-4.13-configure-clang16.patch | 38 +++++++++++ ...ow-4.12.3.ebuild => shadow-4.13-r1.ebuild} | 63 ++++++++----------- 3 files changed, 67 insertions(+), 38 deletions(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/shadow-4.13-configure-clang16.patch rename sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/{shadow-4.12.3.ebuild => shadow-4.13-r1.ebuild} (79%)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/Manifest
index 55f12ced77..ca3ab73585 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/Manifest
@@ -1,2 +1,2 @@
-DIST shadow-4.12.3.tar.xz 1747620 BLAKE2B 63b10d75a11d419156a996b8acf1bebbfab28999c2ab796e6625c028882073d4021806d8b56224190886c076a1205955e7797cb6f797ef73af3a8a33ac34bf2f SHA512 0529889258f54e7634762dc154aa680d55f8c5f1654afadd1b7431cfbb890a3b1ba27c7ff4b7c45986e4ee2289946db2e420b23ed13e4e5b15800a1fb3a013bc
-DIST shadow-4.12.3.tar.xz.asc 488 BLAKE2B b23525c3303f78df9d046c0225ed3ee1715cb000650630daae8b41fb71413daa45b5fe39a98fc640aaafa0f219fbaf9e065afa6b44f051373fb1967358ccc43d SHA512 d3f294d86c0e2174c88809810a801737c01cd01f9cadbe7b1ae382b2745d86e2e30c0718fa6489c2abb65500ed94c8ac1961d05243b5a1800c966384c69281c9
+DIST shadow-4.13.tar.xz 1762908 BLAKE2B 315ab8a7e598aeefb50c11293e20cfa0982c3c3ae21c35ae243d09a4facf97a13c1d672990876e74ef94f5284402acf14997663743e2aaefa6cfc4369b7d24dc SHA512 2949a728c3312bef13d23138d6b79caf402781b1cb179e33b5be546c1790971ec20778d0e9cd3dbe09691d928ffcbe88e60da42fab58c69a90d5ebe5e3e2ab8e
+DIST shadow-4.13.tar.xz.asc 488 BLAKE2B de1f8285c5713a772343a2a7c638d1d13429dd4fa867d4f91d4922aa0d083b4a3110d38e8a8ab82137fdf4fecb12ba3677f3fb235401fc6438ae663fbd9bfbd2 SHA512 f8549c4e699c65721d53946d61b6127712572f7ad9ee13018ef3a25307002992aa727471c948d1bb22dcddf112715bed387d28f436123f30e153ae6bc0cd3648
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/shadow-4.13-configure-clang16.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/shadow-4.13-configure-clang16.patch
new file mode 100644
index 0000000000..4e703db93a
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/shadow-4.13-configure-clang16.patch
@@ -0,0 +1,38 @@
+https://github.com/shadow-maint/shadow/commit/a281f241b592aec636d1b93a99e764499d68c7ef
+https://github.com/shadow-maint/shadow/pull/595
+
+From a281f241b592aec636d1b93a99e764499d68c7ef Mon Sep 17 00:00:00 2001
+From: Florian Weimer
+Date: Mon, 21 Nov 2022 11:52:45 +0100
+Subject: [PATCH] Fix HAVE_SHADOWGRP configure check
+
+The missing #include causes the configure check to fail
+spuriously, resulting in HAVE_SHADOWGRP not being defined even
+on systems that actually have sgetsgent (such as current glibc).
+--- a/configure.ac
++++ b/configure.ac
+@@ -116,6 +116,10 @@ if test "$ac_cv_header_shadow_h" = "yes"; then
+ ac_cv_libc_shadowgrp,
+ AC_RUN_IFELSE([AC_LANG_SOURCE([
+ #include
++ #ifdef HAVE_GSHADOW_H
++ #include
++ #endif
++ int
+ main()
+ {
+ struct sgrp *sg = sgetsgent("test:x::");
+
+--- a/configure
++++ b/configure
+@@ -15684,6 +15684,10 @@ else $as_nop
+ /* end confdefs.h. */
+
+ #include
++ #ifdef HAVE_GSHADOW_H
++ #include
++ #endif
++ int
+ main()
+ {
+ struct sgrp *sg = sgetsgent("test:x::");
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.12.3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.13-r1.ebuild
similarity index 79%
rename from sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.12.3.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.13-r1.ebuild
index fc15f6f3df..720470a1b8 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.12.3.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.13-r1.ebuild
@@ -1,11 +1,14 @@ -# Copyright 1999-2022 Gentoo Authors +# Copyright 1999-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 -TMPFILES_OPTIONAL=1 +# Upstream sometimes pushes releases as pre-releases before marking them +# official. Don't keyword the pre-releases! +# Check https://github.com/shadow-maint/shadow/releases. + VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/sergehallyn.asc -inherit libtool pam verify-sig systemd tmpfiles +inherit libtool pam verify-sig DESCRIPTION="Utilities to deal with user accounts" HOMEPAGE="https://github.com/shadow-maint/shadow" @@ -15,7 +18,7 @@ SRC_URI+=" verify-sig? ( https://github.com/shadow-maint/shadow/releases/downloa LICENSE="BSD GPL-2" # Subslot is for libsubid's SONAME. SLOT="0/4" -KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" +KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86" IUSE="acl audit bcrypt cracklib nls pam selinux skey split-usr su xattr" # Taken from the man/Makefile.am file. LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW ) @@ -58,7 +61,7 @@ BDEPEND=" " PATCHES=( - "${FILESDIR}/${PN}-4.1.3-dots-in-usernames.patch" + "${FILESDIR}"/${P}-configure-clang16.patch ) src_prepare() { @@ -104,14 +107,14 @@ set_login_opt() { comment="#" sed -i \ -e "/^${opt}\>/s:^:#:" \ - "${ED}"/usr/share/shadow/login.defs || die + "${ED}"/etc/login.defs || die else sed -i -r \ -e "/^#?${opt}\>/s:.*:${opt} ${val}:" \ - "${ED}"/usr/share/shadow/login.defs + "${ED}"/etc/login.defs fi - local res=$(grep "^${comment}${opt}\>" "${ED}"/usr/share/shadow/login.defs) - einfo "${res:-Unable to find ${opt} in /usr/share/shadow/login.defs}" + local res=$(grep "^${comment}${opt}\>" "${ED}"/etc/login.defs) + einfo "${res:-Unable to find ${opt} in /etc/login.defs}" } src_install() { 
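Review bot: The PATCHES hunk drops `${PN}-4.1.3-dots-in-usernames.patch` without any record of it: no hunk in patch 2/3 restores it, and its commit message does not list it among the carried-over or dropped Flatcar modifications. Going by the file name alone (the patch body is not shown here), it relaxed the account-name check, so images built from this series may reject user names that earlier releases accepted. Please state whether the removal is intended by adding a line such as `- Drop dots-in-usernames patch (<reason>)` to the 2/3 description, and mention it in the changelog entry of patch 3/3.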
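Review bot: In the set_login_opt hunk the `sed -i -r` in the else branch still has no `|| die`, unlike the sed in the first branch, so a failed edit of login.defs goes unnoticed. An option that is absent from the file is only reported through `einfo "${res:-Unable to find ...}"`, because the `local res=$(grep ...)` assignment hides grep's exit status, and the build then continues with whatever default the shipped login.defs carries. Add `|| die` after the second sed, and consider making the lookup fatal with `grep -q "^${comment}${opt}\>" "${ED}"/etc/login.defs || die "${opt} not found in login.defs"`. The set_login_opt hunk of patch 2/3 repeats the same code with the /usr/share/shadow path and needs the same change. set_login_opt begins above this hunk.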
@@ -122,41 +125,29 @@ src_install() { find "${ED}" -name '*.la' -type f -delete || die - # Remove files from /etc, they will be symlinks to /usr instead. - rm -f "${ED}"/etc/{limits,login.access,login.defs,securetty,default/useradd} - - # CoreOS: break shadow.conf into two files so that we only have to apply - # etc-shadow.conf in the initrd. - dotmpfiles "${FILESDIR}"/tmpfiles.d/etc-shadow.conf - dotmpfiles "${FILESDIR}"/tmpfiles.d/var-shadow.conf - # Package the symlinks for the SDK and containers. - systemd-tmpfiles --create --root="${ED}" "${FILESDIR}"/tmpfiles.d/* - - insinto /usr/share/shadow + insinto /etc if ! use pam ; then insopts -m0600 doins etc/login.access etc/limits fi - # Using a securetty with devfs device names added - # (compat names kept for non-devfs compatibility) - insopts -m0600 ; doins "${FILESDIR}"/securetty - # Output arch-specific cruft - local devs - case $(tc-arch) in - ppc*) devs="hvc0 hvsi0 ttyPSC0";; - hppa) devs="ttyB0";; - arm) devs="ttyFB0 ttySAC0 ttySAC1 ttySAC2 ttySAC3 ttymxc0 ttymxc1 ttymxc2 ttymxc3 ttyO0 ttyO1 ttyO2";; - sh) devs="ttySC0 ttySC1";; - amd64|x86) devs="hvc0";; - esac - if [[ -n ${devs} ]]; then - printf '%s\n' ${devs} >> "${ED}"/usr/share/shadow/securetty - fi # needed for 'useradd -D' + insinto /etc/default insopts -m0600 doins "${FILESDIR}"/default/useradd + if use split-usr ; then + # move passwd to / to help recover broke systems #64441 + # We cannot simply remove this or else net-misc/scponly + # and other tools will break because of hardcoded passwd + # location + dodir /bin + mv "${ED}"/usr/bin/passwd "${ED}"/bin/ || die + dosym ../../bin/passwd /usr/bin/passwd + fi + + cd "${S}" || die + insinto /etc insopts -m0644 newins etc/login.defs login.defs 
@@ -210,7 +201,7 @@ src_install() { -e 'b exit' \ -e ': pamnote; i# NOTE: This setting should be configured via /etc/pam.d/ and not in this file.' \ -e ': exit' \ - "${ED}"/usr/share/shadow/login.defs || die + "${ED}"/etc/login.defs || die # Remove manpages that pam will install for us # and/or don't apply when using pam From 87dca7c2fd03176c09b2585907e5a40252f19ff9 Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Wed, 18 Jan 2023 14:43:08 +0000 Subject: [PATCH 2/3] sys-apps/shadow: Apply Flatcar modifications to shadow-4.13 - Carry over our custom tmpfiles and securetty files - Remove /etc files and install them to /usr, use tmpfiles - Switch /etc/login.defs edits to /usr/share/shadow/login.defs - Drop moving passwd out of /usr since we don't have split-usr - Drop pkg_postinst --- .../sys-apps/shadow/shadow-4.13-r1.ebuild | 58 ++++++++++++------- 1 file changed, 38 insertions(+), 20 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.13-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.13-r1.ebuild index 720470a1b8..682625ab58 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.13-r1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.13-r1.ebuild @@ -7,8 +7,11 @@ EAPI=8 # official. Don't keyword the pre-releases! # Check https://github.com/shadow-maint/shadow/releases. +# Flatcar: +TMPFILES_OPTIONAL=1 VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/sergehallyn.asc -inherit libtool pam verify-sig +# Flatcar: install systemd units and tmpfiles +inherit libtool pam verify-sig systemd tmpfiles DESCRIPTION="Utilities to deal with user accounts" HOMEPAGE="https://github.com/shadow-maint/shadow" 
@@ -102,19 +105,20 @@ src_configure() { } set_login_opt() { + # Flatcar: /etc/login.defs becomes /usr/share/shadow/login.defs local comment="" opt=${1} val=${2} if [[ -z ${val} ]]; then comment="#" sed -i \ -e "/^${opt}\>/s:^:#:" \ - "${ED}"/etc/login.defs || die + "${ED}"/usr/share/shadow/login.defs || die else sed -i -r \ -e "/^#?${opt}\>/s:.*:${opt} ${val}:" \ - "${ED}"/etc/login.defs + "${ED}"/usr/share/shadow/login.defs fi - local res=$(grep "^${comment}${opt}\>" "${ED}"/etc/login.defs) - einfo "${res:-Unable to find ${opt} in /etc/login.defs}" + local res=$(grep "^${comment}${opt}\>" "${ED}"/usr/share/shadow/login.defs) + einfo "${res:-Unable to find ${opt} in /usr/share/shadow/login.defs}" } src_install() { 
@@ -125,29 +129,43 @@ src_install() { find "${ED}" -name '*.la' -type f -delete || die - insinto /etc + # Flatcar: + # Remove files from /etc, they will be symlinks to /usr instead. + rm -f "${ED}"/etc/{limits,login.access,login.defs,securetty,default/useradd} + + # CoreOS: break shadow.conf into two files so that we only have to apply + # etc-shadow.conf in the initrd. + dotmpfiles "${FILESDIR}"/tmpfiles.d/etc-shadow.conf + dotmpfiles "${FILESDIR}"/tmpfiles.d/var-shadow.conf + # Package the symlinks for the SDK and containers. + systemd-tmpfiles --create --root="${ED}" "${FILESDIR}"/tmpfiles.d/* + + insinto /usr/share/shadow if ! use pam ; then insopts -m0600 doins etc/login.access etc/limits fi + # Flatcar: + # Using a securetty with devfs device names added + # (compat names kept for non-devfs compatibility) + insopts -m0600 ; doins "${FILESDIR}"/securetty + # Output arch-specific cruft + local devs + case $(tc-arch) in + ppc*) devs="hvc0 hvsi0 ttyPSC0";; + hppa) devs="ttyB0";; + arm) devs="ttyFB0 ttySAC0 ttySAC1 ttySAC2 ttySAC3 ttymxc0 ttymxc1 ttymxc2 ttymxc3 ttyO0 ttyO1 ttyO2";; + sh) devs="ttySC0 ttySC1";; + amd64|x86) devs="hvc0";; + esac + if [[ -n ${devs} ]]; then + printf '%s\n' ${devs} >> "${ED}"/usr/share/shadow/securetty + fi # needed for 'useradd -D' - insinto /etc/default insopts -m0600 doins "${FILESDIR}"/default/useradd - if use split-usr ; then - # move passwd to / to help recover broke systems #64441 - # We cannot simply remove this or else net-misc/scponly - # and other tools will break because of hardcoded passwd - # location - dodir /bin - mv "${ED}"/usr/bin/passwd "${ED}"/bin/ || die - dosym ../../bin/passwd /usr/bin/passwd - fi - - cd "${S}" || die - insinto /etc insopts -m0644 newins etc/login.defs login.defs 
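Review bot: The `systemd-tmpfiles --create --root="${ED}" "${FILESDIR}"/tmpfiles.d/*` call added to src_install is not followed by `|| die`, although the `rm -f` just above it has already deleted the /etc copies of limits, login.access, login.defs, securetty and default/useradd. If the command fails or is not available on the build host, the package is still merged, but without the symlinks that the comment says are packaged for the SDK and containers, so those environments would presumably end up with no login.defs or securetty under /etc. Append `|| die "systemd-tmpfiles failed"` to that line, and add `|| die` after the `printf '%s\n' ${devs} >> "${ED}"/usr/share/shadow/securetty` append as well. src_install begins above this hunk and continues below it.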
@@ -201,7 +219,7 @@ src_install() { -e 'b exit' \ -e ': pamnote; i# NOTE: This setting should be configured via /etc/pam.d/ and not in this file.' \ -e ': exit' \ - "${ED}"/etc/login.defs || die + "${ED}"/usr/share/shadow/login.defs || die # Remove manpages that pam will install for us # and/or don't apply when using pam From 35e3a0f19e8f8ea92d826f9e9a0a72bb5bd5c702 Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Wed, 18 Jan 2023 15:07:56 +0000 Subject: [PATCH 3/3] changelog: add entry for shadow-4.13 --- .../coreos-overlay/changelog/updates/2023-01-18-shadow-4.13.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/changelog/updates/2023-01-18-shadow-4.13.md diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/updates/2023-01-18-shadow-4.13.md b/sdk_container/src/third_party/coreos-overlay/changelog/updates/2023-01-18-shadow-4.13.md new file mode 100644 index 0000000000..f2df123b59 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/changelog/updates/2023-01-18-shadow-4.13.md @@ -0,0 +1 @@ +- shadow ([4.13](https://github.com/shadow-maint/shadow/releases/tag/4.13))