Merge pull request #1706 from flatcar/krnowak/pam

Move sys-libs/pam to portage-stable
Krzesimir Nowak 2025-11-12 18:07:23 +01:00 committed by GitHub
commit 5d493904b6
56 changed files with 1774 additions and 314 deletions


@ -179,6 +179,7 @@ app-shells/gentoo-bashcomp
app-text/asciidoc
app-text/build-docbook-catalog
app-text/docbook-xml-dtd
app-text/docbook-xsl-ns-stylesheets
app-text/docbook-xsl-stylesheets
app-text/mandoc
app-text/manpager
@ -318,8 +319,8 @@ dev-python/fastjsonschema
dev-python/flit-core
dev-python/gentoo-common
dev-python/gpep517
dev-python/hatchling
dev-python/hatch-vcs
dev-python/hatchling
dev-python/idna
dev-python/installer
dev-python/jaraco-collections
@ -504,8 +505,8 @@ licenses
media-libs/libpng
net-analyzer/openbsd-netcat
net-analyzer/netperf
net-analyzer/openbsd-netcat
net-analyzer/tcpdump
net-analyzer/traceroute
@ -633,6 +634,7 @@ sys-apps/util-linux
sys-apps/which
sys-apps/zram-generator
sys-auth/pambase
sys-auth/polkit
sys-auth/sssd
@ -705,6 +707,7 @@ sys-libs/libunwind
sys-libs/liburing
sys-libs/libxcrypt
sys-libs/ncurses
sys-libs/pam
sys-libs/readline
sys-libs/talloc
sys-libs/tdb


@ -158,10 +158,14 @@ create_prod_image() {
L+ /etc/ld.so.conf - - - - ../usr/lib/ld.so.conf
EOF
# Move the PAM configuration into /usr
sudo mkdir -p ${root_fs_dir}/usr/lib/pam.d
sudo mv -n ${root_fs_dir}/etc/pam.d/* ${root_fs_dir}/usr/lib/pam.d/
sudo rmdir ${root_fs_dir}/etc/pam.d
local -a bad_pam_files
mapfile -t -d '' bad_pam_files < <(find "${root_fs_dir}"/etc/security "${root_fs_dir}"/etc/pam.d ! -type d ! -name '.keep*' -print0)
if [[ ${#bad_pam_files[@]} -gt 0 ]]; then
error "Found following PAM config files: ${bad_pam_files[@]#"${root_fs_dir}"}"
error "Expected them to be either removed or, better, vendored (/etc/pam.d files should be in /usr/lib/pam, /etc/security files should be in /usr/lib/pam/security)."
error "Vendoring can be done with vendorize_pam_files inside a post_src_install hook for the package that installed the config file."
die "PAM config errors spotted"
fi
# Remove source locale data, only need to ship the compiled archive.
sudo rm -rf ${root_fs_dir}/usr/share/i18n/
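Review bot: `error "Found following PAM config files: ${bad_pam_files[@]#"${root_fs_dir}"}"` uses `[@]` inside a double-quoted string, so the array expands into several words and `error` receives the message split across arguments (first path glued to the prefix, the rest as separate args); whether that prints as one line depends on how `error` joins what it gets. `"${bad_pam_files[*]#"${root_fs_dir}"}"` yields a single string and states the intent, e.g. `error "Found following PAM config files: ${bad_pam_files[*]#"${root_fs_dir}"}"`. A short comment above the `find` saying why directories and `.keep*` files are excluded (pambase keeps empty `/etc/pam.d` and `/etc/security` on purpose) would also help the next reader. `create_prod_image` starts and ends outside the hunk.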


@ -266,13 +266,18 @@ if [[ "${FLAGS_usepkgonly}" -eq "${FLAGS_FALSE}" ]]; then
# lvm2[udev] -> virtual/udev -> systemd[cryptsetup] -> cryptsetup -> lvm2
# lvm2[systemd] -> systemd[cryptsetup] -> cryptsetup -> lvm2
# systemd[cryptsetup] -> cryptsetup[udev] -> virtual/udev -> systemd
# systemd[tpm] -> tpm2-tss -> util-linux[udev] -> virtual/udev -> systemd
# curl[http2] -> nghttp2[systemd] -> systemd[curl] -> curl
# sys-libs/pam[systemd] -> sys-apps/system[pam] -> sys-libs/pam
# not dropping pam from sys-apps/systemd, otherwise we would need
# to drop pam from sys-auth/pambase
break_dep_loop sys-apps/util-linux udev,systemd,cryptsetup \
sys-fs/cryptsetup udev \
sys-fs/lvm2 udev,systemd \
sys-apps/systemd cryptsetup,tpm \
net-misc/curl http2 \
net-libs/nghttp2 systemd
net-libs/nghttp2 systemd \
sys-libs/pam systemd
fi
if [[ "${FLAGS_only_resolve_circular_deps}" -eq "${FLAGS_TRUE}" ]]; then
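Review bot: The new comment line reads `# sys-libs/pam[systemd] -> sys-apps/system[pam] -> sys-libs/pam`; the middle package is presumably `sys-apps/systemd[pam]`, matching the `sys-apps/systemd` argument passed to `break_dep_loop` a few lines below. Fixing the typo keeps this loop description consistent with the other entries above it, which all name real packages.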


@ -0,0 +1 @@
- pam ([CVE-2024-22365](https://nvd.nist.gov/vuln/detail/CVE-2024-22365), [CVE-2024-10041](https://nvd.nist.gov/vuln/detail/CVE-2024-10041), [CVE-2024-10963](https://nvd.nist.gov/vuln/detail/CVE-2024-10963), [CVE-2025-6020](https://nvd.nist.gov/vuln/detail/CVE-2025-6020))


@ -0,0 +1,2 @@
- base, dev: pam ([1.7.1](https://github.com/linux-pam/linux-pam/releases/tag/v1.7.1) (includes [1.7.0](https://github.com/linux-pam/linux-pam/releases/tag/v1.7.0), [1.6.1](https://github.com/linux-pam/linux-pam/releases/tag/v1.6.1), [1.6.0](https://github.com/linux-pam/linux-pam/releases/tag/v1.6.0)))
- base, dev: pambase ([20251013](https://gitweb.gentoo.org/proj/pambase.git/log/?h=pambase-20251013))


@ -8,8 +8,6 @@ cd "${rootfs}"
# Move stuff out of /etc. The systemd unit files are patched to create
# symlinks from /etc to those directories.
mkdir -p usr/lib/pam.d
mv etc/pam.d/vmtoolsd usr/lib/pam.d/vmtoolsd
mkdir -p usr/share/flatcar/oem-vmware
mv etc/vmware-tools usr/share/flatcar/oem-vmware/vmware-tools


@ -1,9 +1,12 @@
cros_post_src_install_keep_etc_sudoers_d() {
# Flatcar: Build system installs /etc/sudoers.d, let's make
# sure we keep having it.
cros_post_src_install_flatcar_modifications() {
# Build system installs /etc/sudoers.d, let's make sure we keep
# having it.
#
# Upstream PR: https://github.com/gentoo/gentoo/pull/37397
keepdir /etc/sudoers.d
# Move pam files to /usr.
vendorize_pam_files
}
# We don't ship OpenLDAP schemas (why?) and we provide sudo.conf


@ -0,0 +1,3 @@
cros_post_src_install_vendorize_pam() {
vendorize_pam_files
}


@ -3,3 +3,7 @@
# obviously won't work in case of cross-compilation, so we state up
# front that SPNEGO is supported.
export ac_cv_gssapi_supports_spnego=yes
cros_post_src_install_vendorize_pam() {
vendorize_pam_files
}


@ -0,0 +1,3 @@
cros_post_src_install_vendorize_pam() {
vendorize_pam_files
}


@ -31,4 +31,7 @@ cros_post_src_install_samba_flatcar_modifications() {
rm -rf "${ED}/usr/$(get_libdir)/perl"*
rm -rf "${ED}/usr/$(get_libdir)/python"*
rm -rf "${ED}/var"
# Move pam files to /usr.
vendorize_pam_files
}


@ -8,3 +8,7 @@ if [[ $(flatcar_target) != 'sdk' ]] ; then
INSTALL_MASK+="${openssh_mask}"
unset openssh_mask
fi
cros_post_src_install_vendorize_pam() {
vendorize_pam_files
}


@ -0,0 +1,3 @@
cros_post_src_install_vendorize_pam() {
vendorize_pam_files
}


@ -14,3 +14,7 @@ cros_post_src_install_set_up_var_lib_selinux() {
mv "${ED}/var/lib/selinux" "${ED}/usr/lib/selinux/policy"
dosym -r /usr/lib/selinux/policy /var/lib/selinux
}
cros_post_src_install_vendorize_pam() {
vendorize_pam_files
}


@ -72,4 +72,7 @@ ttyS0
${devs}
EOF
# Move pam files to /usr.
vendorize_pam_files
}


@ -9,9 +9,6 @@ flatcar_systemd_meson_args_array=(
-Dsystem-gid-max=999
-Dsystem-uid-max=999
# PAM config directory.
-Dpamconfdir="${EPREFIX}/usr/share/pam.d"
# The CoreOS epoch, Mon Jul 1 00:00:00 UTC 2013. Used by timesyncd
# as a sanity check for the minimum acceptable time. Explicitly
# set to avoid using the current build time.
@ -85,16 +82,24 @@ flatcar_systemctl_preset() {
}
cros_post_src_install_flatcar_stuff() {
# We provide our own systemd-user config file in baselayout.
#
# This one is installed by systemd build system regardless of
# USE=pam (the ebuild ought to pass -Dpamconfdir=no to disable the
# installation).
rm "${ED}/usr/share/pam.d/systemd-user" || die
# This one is installed by Gentoo's systemd ebuild only if USE=pam
# is enabled.
# Drop systemd PAM config files installed by systemd build
# system. We will replace them below with our own configs if we
# have pam enabled.
rm "${ED}"/usr/lib/pam.d/systemd-{user,run0} || die
if use pam; then
rm "${ED}/etc/pam.d/systemd-user" || die
# Clobber systemd-user config file installed by the ebuild
# with our own.
newpamd - "systemd-user" <<'EOF'
account include system-auth
session include system-login
EOF
newpamd - "systemd-run0" <<'EOF'
account include system-auth
session include system-login
EOF
# And move them to /usr.
vendorize_pam_files
fi
# Ensure journal directory has correct ownership/mode in inital
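Review bot: The new `systemd-user` and `systemd-run0` stacks contain only `account include system-auth` and `session include system-login`, with nothing selinux-specific, while the pambase patch added in this same PR moves `pam_selinux.so close`/`open` out of system-login into a separate system-selinux file and, in its description, says the systemd-user config should gain `session pam_selinux.so close` and `session pam_selinux.so open nottys` when selinux is enabled. If I read both hunks correctly, a USE=selinux build therefore loses the pam_selinux pair that the old shared system-login supplied to these stacks. If that is intended, a comment in the here-doc block saying so would help; otherwise emit the two pam_selinux lines before `session include system-login` when `use selinux`. `cros_post_src_install_flatcar_stuff` continues outside the hunk.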


@ -1,3 +1,7 @@
# New mount API does not work very well for mounting overlayfs when we
# are building sysexts.
export EXTRA_ECONF="--disable-libmount-mountfd-support"
cros_post_src_install_vendorize_pam() {
vendorize_pam_files
}


@ -0,0 +1,3 @@
cros_post_src_install_vendorize_pam() {
vendorize_pam_files
}


@ -2,14 +2,10 @@
# plugin, even if sssd is not running.
export EXTRA_ECONF="--enable-sss-default-nss-plugin"
# We haven't switched to having pam config in /etc, so move the files
# to /usr.
cros_post_src_install_move_pamd() {
mkdir -p "${ED}/usr/share/"
mv "${ED}/etc/pam.d" "${ED}/usr/share/pam.d"
}
cros_post_src_install_flatcar_modifications() {
# This is to make sure that some sssd config is always in place.
cp -a "${ED}"/etc/sssd/sssd{-example,}.conf
# This is to make sure that some sssd config is always in place.
cros_post_src_set_initial_config() {
cp -a "${ED}"/etc/sssd/sssd{-example,}.conf
# Move pam files to /usr.
vendorize_pam_files
}
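Review bot: On the new side the hook appears to be named `cros_post_src_set_initial_config` (reading the rendered hunk as old-then-new, which the header counts are consistent with), and that name does not follow the `cros_post_src_install_<name>` pattern used by every other hook in this PR and relied on by the `vendorize_pam_files` header comment ("Invoke this in post_src_install hook"). If the hook dispatcher matches on the phase name, this function is never called, sssd's pam files stay under `/etc`, and the new check in `create_prod_image` reports them much later. Renaming it `cros_post_src_install_set_initial_config` (or keeping the existing `cros_post_src_install_flatcar_modifications`) avoids that; a quick build of sys-auth/sssd would confirm which side of the rename is the new one.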


@ -0,0 +1,3 @@
cros_post_src_install_vendorize_pam() {
vendorize_pam_files
}


@ -0,0 +1,16 @@
flatcar_pam_meson_args_array=(
'-Dvendordir=/usr/lib/pam'
)
export MYMESONARGS=${flatcar_pam_meson_args_array[*]@Q}
unset 'flatcar_pam_meson_args_array'
cros_post_src_install_stuff_in_etc() {
# Keep empty pam.d and security directories in /etc. In theory we
# could omit creating them, but 1. some kola tests rely on them to
# exist and 2. empty directories are probably less confusing to
# users then no directories at all. For the latter reason, create
# also the symlink to the environment file.
keepdir /etc/pam.d
keepdir /etc/security
dosym /usr/lib/pam/environment /etc/environment
}
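Review bot: `dosym /usr/lib/pam/environment /etc/environment` creates an absolute link, whereas the tmpfiles rules this PR removes used relative targets (`../../usr/lib/pam/security/…`); `dosym -r /usr/lib/pam/environment /etc/environment` (EAPI 8) gives the relative form, which keeps resolving when the image is mounted under a prefix. The removed tmpfiles file also created `/etc/security/limits.d` and `/etc/security/namespace.d`, which this hook does not keep — if those drop-in directories are still wanted for administrator overrides, add `keepdir /etc/security/limits.d /etc/security/namespace.d`; if they are intentionally dropped, say so in the comment. Finally, the removed fork README explained that `unix_chkpwd` was made suid to avoid a pam→libcap→pam dependency loop; nothing visible in this PR shows how the portage-stable ebuild handles that now, so a sentence here or in the changelog on how `unix_chkpwd` obtains its privilege would answer the obvious question.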


@ -0,0 +1,167 @@
From 3eb1fea6104cd4bbc978e11974f337549edaf2e4 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Thu, 9 Oct 2025 17:32:38 +0200
Subject: [PATCH 1/2] Reorganize the login sessions
- Move selinux parts from system-login to separate a system-selinux
file. It is conditionally included by system-local-login and
system-remote-login if selinux is enabled. This makes
"pam_selinux.so close" and "pam_selinux.so open" as first rules to
be called in the session. This more or less follows what systemd and
Fedora is doing in its systemd-user PAM config (Fedora seems to be
sandwiching loginuid between the pam_selinux rules, but it should
not matter, since pam_selinux actions affects the process after
execve). This also drops the "multiple" option from "pam_selinux.so
open" rule, because this flag was dropped from the module in 2007.
- Move the "not minimal" parts from system-login to
system-postlogin. This file gets included by system-remote-login and
system-local-login conditionally, like it used to be in
system-login.
- Add pam_namespace.so and pam_keyinit.so to system-login.
- Add pam_umask.so to system-session.
With these changes, the session part of the systemd-user PAM config in
sys-apps/systemd FILESDIR can be simplified to something like
(assuming that pambase was installed with USE=systemd):
session pam_selinux.so close
session pam_selinux.so open nottys
session include system-login
In the selinux-disabled variant of the systemd-user PAM config, the
pam_selinux.so lines would be absent.
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
---
pambase.py | 2 ++
templates/system-local-login.tpl | 9 +++++++++
templates/system-login.tpl | 17 +++--------------
templates/system-postlogin.tpl | 3 +++
templates/system-remote-login.tpl | 7 +++++++
templates/system-selinux.tpl | 2 ++
templates/system-session.tpl | 1 +
7 files changed, 27 insertions(+), 14 deletions(-)
create mode 100644 templates/system-postlogin.tpl
create mode 100644 templates/system-selinux.tpl
diff --git a/pambase.py b/pambase.py
index 4180cbb..0c7450d 100755
--- a/pambase.py
+++ b/pambase.py
@@ -105,6 +105,8 @@ def parse_templates(processed_args):
"su",
"system-auth",
"system-login",
+ "system-postlogin",
+ "system-selinux",
"system-services",
]
diff --git a/templates/system-local-login.tpl b/templates/system-local-login.tpl
index 5e01090..34d8459 100644
--- a/templates/system-local-login.tpl
+++ b/templates/system-local-login.tpl
@@ -2,12 +2,21 @@ auth include system-login
{% if gnome_keyring %}
auth optional pam_gnome_keyring.so
{% endif %}
+
account include system-login
+
password include system-login
{% if gnome_keyring %}
password optional pam_gnome_keyring.so use_authtok
{% endif %}
+
+{% if selinux %}
+session include system-selinux
+{% endif %}
{% if gnome_keyring %}
session optional pam_gnome_keyring.so auto_start
{% endif %}
session include system-login
+{% if not minimal %}
+session include system-postlogin
+{% endif %}
diff --git a/templates/system-login.tpl b/templates/system-login.tpl
index 77926b7..58018f7 100644
--- a/templates/system-login.tpl
+++ b/templates/system-login.tpl
@@ -10,23 +10,12 @@ account required pam_time.so
account include system-auth
password include system-auth
-session optional pam_loginuid.so
-{% if selinux %}
-session required pam_selinux.so close
-{% endif %}
+session optional pam_loginuid.so
session required pam_env.so envfile=/etc/profile.env {{ debug }}
+session required pam_namespace.so
+session optional pam_keyinit.so force revoke
session include system-auth
-{% if selinux %}
-# Note: modules that run in the user's context must come after this line.
-session required pam_selinux.so multiple open
-{% endif %}
-
-{% if not minimal %}
-session optional pam_motd.so motd=/etc/motd
-session optional pam_lastlog.so never showfailed {{ debug }}
-session optional pam_mail.so
-{% endif %}
{% if systemd %}
-session optional pam_systemd.so
diff --git a/templates/system-postlogin.tpl b/templates/system-postlogin.tpl
new file mode 100644
index 0000000..06e30cd
--- /dev/null
+++ b/templates/system-postlogin.tpl
@@ -0,0 +1,3 @@
+session optional pam_motd.so motd=/etc/motd
+session optional pam_lastlog.so never showfailed {{ debug }}
+session optional pam_mail.so
diff --git a/templates/system-remote-login.tpl b/templates/system-remote-login.tpl
index 2f415ed..7a06341 100644
--- a/templates/system-remote-login.tpl
+++ b/templates/system-remote-login.tpl
@@ -1,4 +1,11 @@
auth include system-login
account include system-login
password include system-login
+
+{% if selinux %}
+session include system-selinux
+{% endif %}
session include system-login
+{% if not minimal %}
+session include system-postlogin
+{% endif %}
diff --git a/templates/system-selinux.tpl b/templates/system-selinux.tpl
new file mode 100644
index 0000000..c094c88
--- /dev/null
+++ b/templates/system-selinux.tpl
@@ -0,0 +1,2 @@
+session required pam_selinux.so close
+session required pam_selinux.so open
diff --git a/templates/system-session.tpl b/templates/system-session.tpl
index 150061f..690396f 100644
--- a/templates/system-session.tpl
+++ b/templates/system-session.tpl
@@ -12,6 +12,7 @@ session [success=1 default=ignore] pam_krb5.so {{ debug }} ignore_root try_firs
session [success=1 default=ignore] pam_systemd_home.so
{% endif %}
+session optional pam_umask.so {% if debug %}debug{% else %}silent{% endif +%}
session required pam_unix.so {{ debug }}
{% if sssd %}
--
2.51.0
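Review bot: The removed line `# Note: modules that run in the user's context must come after this line.` was the only documentation of the ordering constraint around `pam_selinux.so open`, and the new layout still depends on it — system-local-login and system-remote-login include system-selinux before system-login precisely so that pam_env, pam_namespace, pam_keyinit and pam_systemd run after the context switch. Carry that note into templates/system-selinux.tpl, e.g. `# Must be included before system-login: modules that run in the user's context have to come after "pam_selinux.so open".`, so a later reorder of the includes does not silently break it. The description mentions a `nottys` variant for systemd-user; that is not in this template, so whichever config provides it needs to say so.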


@ -0,0 +1,52 @@
From 55c811bb55334a9c5ba19e5c7ec61a9ede365a37 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Fri, 10 Oct 2025 11:47:43 +0200
Subject: [PATCH 2/2] Flatcar modifications
---
templates/system-auth.tpl | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 905d04f..c78f9d6 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -9,11 +9,15 @@ auth [default={{ 3 + homed + (sssd * 3) }}] pam_permit.so
{% endif %}
{% if sssd %}
-auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
-auth [default=3 ignore=ignore success=ok] pam_localuser.so
+# FLATCAR: Removed. We aren't limiting login to regular users.
+# auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
+# FLATCAR: Removed. We have some users and groups in
+# /usr/share/baselayout/passwd, not only in /etc/passwd.
+# auth [default=3 ignore=ignore success=ok] pam_localuser.so
{% endif %}
-auth requisite pam_faillock.so preauth
+# FLATCAR: Added deny, unlock_time and fail_interval to override defaults.
+auth requisite pam_faillock.so preauth preauth deny=5 unlock_time=60 fail_interval=120
{% if homed %}
auth [success=2 default=ignore] pam_systemd_home.so
@@ -45,9 +49,13 @@ account [success={{ 2 if sssd else 1 }} default=ignore] pam_systemd_home.so
account required pam_unix.so {{ debug }}
account required pam_faillock.so
{% if sssd %}
-account sufficient pam_localuser.so
-account sufficient pam_usertype.so issystem
-account [default=bad success=ok user_unknown=ignore] pam_sss.so {{ debug }}
+# FLATCAR: Removed. We have some users and groups in
+# /usr/share/baselayout/passwd, not only in /etc/passwd.
+# account sufficient pam_localuser.so
+# FLATCAR: Removed. Maybe we could keep it?
+# account sufficient pam_usertype.so issystem
+# FLATCAR: Added ignore when sssd is not running
+account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so {{ debug }}
account required pam_permit.so
{% endif %}
--
2.51.0
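Review bot: The `deny=5 unlock_time=60 fail_interval=120` options are added only to the `preauth` call of pam_faillock (note also the duplicated `preauth` word on that line); the `authfail` and `authsucc` calls are outside this hunk, and the patch's own diffstat (14 insertions, 6 deletions, all accounted for by these two hunks) shows they were not touched, so they keep pam_faillock's built-in defaults (deny=3, unlock_time=600, fail_interval=900). pam_faillock(8) expects the same options on all three calls — otherwise the lock decision made at `authfail` and the check made at `preauth` disagree, and the effective policy is neither of the two. Either repeat the options on the `authfail`/`authsucc` lines or move them to `/etc/security/faillock.conf` and drop them from the stack; at minimum change the line to `auth requisite pam_faillock.so preauth deny=5 unlock_time=60 fail_interval=120`.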


@ -0,0 +1,6 @@
The `0001-Reorganize-the-login-sessions.patch` is something we could
try to upstream if it is proven to work.
The `0002-Flatcar-modifications.patch` is just some Flatcar-specific
changes. Not sure if all them are necessary, but it is trying to
more-or-less match the config files from old baselayout.


@ -0,0 +1,28 @@
From 15730679e629a4f70b98e11accfcaa43e769bbef Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg59@coreos.com>
Date: Tue, 5 Apr 2016 22:15:56 -0700
Subject: [PATCH] Add account locking
A leading exclamation mark in the password field in /etc/shadow
indicates a locked account.
---
modules/pam_unix/support.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index b95f95e6..947525ce 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -877,6 +877,9 @@ _unix_verify_user(pam_handle_t *pamh,
return retval;
}
+ if (pwent->pw_passwd != NULL && pwent->pw_passwd[0] == '!')
+ return PAM_PERM_DENIED;
+
if (retval == PAM_SUCCESS && spent == NULL)
return PAM_SUCCESS;
--
2.51.0
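Review bot: The new check reads `pwent->pw_passwd`, the password field of the passwd(5) entry, while the patch description and the fork README removed in this PR both say the `!` marker is looked for in /etc/shadow. On a shadowed system that field is normally `x` and the hash lives in `spent->sp_pwdp`, so — unless Flatcar keeps hashes in /etc/passwd — the check is unlikely to fire for an account locked with `passwd -l`/`usermod -L`, which matters most for logins that never run password verification and rely on the account stack alone. If the shadow field is the intended one, move the check after the `spent == NULL` early return as `if (spent->sp_pwdp != NULL && spent->sp_pwdp[0] == '!') return PAM_PERM_DENIED;` and add a test with a locked user; if `pw_passwd` is deliberate, a comment saying why would spare the next reader the same question. `_unix_verify_user` starts and ends outside the hunk.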


@ -0,0 +1,5 @@
The patch adds some locking behavior. Upstream didn't want it:
https://github.com/linux-pam/linux-pam/issues/261.
Possibly it should be dropped in favor of `chage -E 0`, as mentioned
in the issue.


@ -194,3 +194,7 @@ dev-lang/rust -system-llvm
# disable mpfr in gawk, this ends up being pulled into initrd, making
# it grow by another 2mb
sys-apps/gawk -mpfr
# We never had passwdqc stuff in old pam sys configs, so disable it
# for now. Maybe this is something to enable later.
sys-auth/pambase securetty -passwdqc


@ -134,6 +134,23 @@ cros_pre_pkg_postinst_no_modifications_of_users() {
export ACCT_USER_NO_MODIFY=x
}
# Move pam files from /etc to /usr. It is a no-op for SDK builds.
#
# Invoke this in post_src_install hook.
vendorize_pam_files() {
if [[ ${FLATCAR_TYPE} = 'sdk' ]]; then
# We don't care about PAM inside SDK.
return 0
fi
mkdir -p "${ED}/usr/lib/pam/security"
tar --create --remove-files --directory "${ED}/etc/security" . | \
tar --extract --directory "${ED}/usr/lib/pam/security"
tar --create --remove-files --directory "${ED}/etc/pam.d" . | \
tar --extract --directory "${ED}/usr/lib/pam"
}
# Source hooks for SLSA build provenance report generation
source "${BASH_SOURCE[0]}.slsa-provenance"
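Review bot: Both `tar` pipelines run without any failure check, so a package whose image has no `/etc/security` (most hooks added in this PR call this from packages that ship only `/etc/pam.d` files) makes the first `tar --create` fail on its `--directory`, the pipeline status is dropped, and the merge continues with the files left in `/etc`, to be reported only by the `create_prod_image` check at the end of the image build. Skip directories that do not exist and check each pipeline with portage's `assert` (which inspects every `PIPESTATUS` entry) so the failure is reported at the package that caused it. The header comment should also state that `--remove-files` presumably leaves the now-empty `/etc/pam.d` and `/etc/security` directories behind (the image check ignores directories and `.keep` files), rather than leaving the reader to infer it.
```shell
vendorize_pam_files() {
	# … unchanged: sdk early return …
	local src dst
	for src in security pam.d; do
		# Packages that install nothing under /etc/security or
		# /etc/pam.d would otherwise make tar fail on --directory.
		[[ -d ${ED}/etc/${src} ]] || continue
		dst="${ED}/usr/lib/pam"
		[[ ${src} = security ]] && dst+="/security"
		mkdir -p "${dst}" || die
		tar --create --remove-files --directory "${ED}/etc/${src}" . | \
			tar --extract --directory "${dst}"
		assert "failed to vendorize /etc/${src}"
	done
}
```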


@ -1 +1 @@
DIST flatcar-baselayout-79d3a0c3595dbbea207592dbd9fc2156349764f2.tar.gz 38379 BLAKE2B 74bc041d68c8681c01ce3214f1e18aa67b3ca4d138948a9427dc0c74253c82c8abb9c34f921588f0f8118b5d78a1e2a6cf6f2a75f1e861c2a6fc4a9cbb850b3b SHA512 777512acad0d91f2d4ee575809b1a730f06f7380650dc08c11f4dd4d4f53ce0289868016623a03442f2f1b38f8110751fff0900df74c9d1806d0f6fb7c9e5882
DIST flatcar-baselayout-ffce3a727a152a5f627063325acda62ba3c9463f.tar.gz 37648 BLAKE2B 7b81bc17305698cb5c4d07452dd92c6a6eeb44c1e93b7b946c30d3dc4b26927c4f0699cca9b3b603ea2081b4b335b7dadcb397cfccd3ab9d84237038c1c8d36c SHA512 a995bcf4936c9d9b3c2e3fbb12dbad29b31e15bb2b2c9d7af73e0ccd94904710bcda7af25d16c10aed41218b83d54c3910baeba58e6ff55fa47ff5f611df2685


@ -8,7 +8,7 @@ if [[ "${PV}" == 9999 ]]; then
inherit git-r3
KEYWORDS="~amd64 ~arm64"
else
EGIT_COMMIT="79d3a0c3595dbbea207592dbd9fc2156349764f2" # flatcar-master
EGIT_COMMIT="ffce3a727a152a5f627063325acda62ba3c9463f" # flatcar-master
SRC_URI="https://github.com/flatcar/baselayout/archive/${EGIT_COMMIT}.tar.gz -> flatcar-${PN}-${EGIT_COMMIT}.tar.gz"
S="${WORKDIR}/${PN}-${EGIT_COMMIT}"
KEYWORDS="amd64 arm64"
@ -49,12 +49,6 @@ src_prepare() {
rm -f lib/tmpfiles.d/baselayout-etc-issue.conf || die
fi
# sssd not yet building on arm64
if use arm64; then
sed -i -e 's/ sss//' share/baselayout/nsswitch.conf || die
sed -i -e '/pam_sss.so/d' lib/pam.d/* || die
fi
# handle multilib paths. do it here because we want this behavior
# regardless of the C library that you're using. we do explicitly
# list paths which the native ldconfig searches, but this isn't
@ -126,6 +120,11 @@ pkg_postinst() {
# Also create the directory to avoid having dangling
# symlinks.
mkdir -p "${ROOT}/oem"
# pam situation was messed up big time, create some
# symlinks to point to just a single place
ln -snfT "pam" "${ROOT}/usr/lib/pam.d"
ln -snfT "../lib/pam" "${ROOT}/usr/share/pam.d"
fi
# The default passwd/group files must exist for some ebuilds
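Review bot: The two `ln -snfT` calls added to `pkg_postinst` have no `|| die`, unlike the `rm -f … || die` and `sed … || die` elsewhere in this ebuild, so a failure — e.g. `/usr/lib/pam.d` already present as a real directory, which `-T` refuses to replace — goes unnoticed; append `|| die` to both. The comment "pam situation was messed up big time" also does not say what the links are for; something like `# Compatibility: anything still looking in /usr/lib/pam.d or /usr/share/pam.d finds the vendored config in /usr/lib/pam.` would, and a sentence on why they are made here rather than with `dosym` at install time (links created in postinst are not in the package's CONTENTS and are not removed on unmerge) would complete it. The enclosing `if` starts outside the hunk.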


@ -1,10 +0,0 @@
This is a not-really-a-fork of gentoo's `sys-auth/pambase`
package. The main reasons for having it in `coreos-overlay` are:
1. The `sys-apps/baselayout` package replaced it, so this package
became a stub.
2. The stub is needed for compatibility with gentoo packages that
depend on pambase. When updating some package that depends on a
greater version of pambase than this stub provides, simply bump the
version of the the stub, so the dependency can be satisfied.


@ -1,7 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<upstream>
<remote-id type="github">flatcar/baselayout</remote-id>
</upstream>
</pkgmetadata>


@ -1,14 +0,0 @@
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI=8
DESCRIPTION="Compatibility ebuild stub for Flatcar"
HOMEPAGE="https://github.com/flatcar/baselayout"
LICENSE="metapackage"
SLOT="0"
KEYWORDS="amd64 arm arm64 x86"
RDEPEND=">=sys-apps/baselayout-3.6
>=sys-libs/pam-1.4"


@ -1,4 +0,0 @@
DIST Linux-PAM-1.5.3-docs.tar.xz 466340 BLAKE2B 6bade3c63ebe6b6ca7a86d7385850bb87bf1d6526add3ac5aad140533516c1d27b594a17d09c4127ff985c42e6c571618785d6b2a2913e6575678c4dcf947dc0 SHA512 a9082823da88e0054d74e13aef872519ced5fbef25c8cc1a7e3a99160f835aa09c9ef701b6ec507acd3b540da0019288424bb4c8ebd828181ea90450db1494a9
DIST Linux-PAM-1.5.3.tar.xz 1020076 BLAKE2B 362c939f3afc343e6f4e78e7f6ba6f7a9c6ee0a9948bb5a4fc34cecfd29e9fa974082534d4ceedd04d8d3e34c7b3ef43d2a07ba5f41d26da04ec8330fc3790fb SHA512 af88e8c1b6a9b737ffaffff7dd9ed8eec996d1fbb5804fb76f590bed66d8a1c2c6024a534d7a7b6d18496b300f3d6571a08874cf406cd2e8cea1d5eff49c136a
DIST Linux-PAM-1.6.1-docs.tar.xz 465516 BLAKE2B c39dfba2e327120edc1f30be6ea7f8e6cf20d1f4dd17752cc34e0ae1c0bd22b3d19b94ab665bf3df5bd6ecc7fc358dbbedd8a3069df95ff6189580e538aa3547 SHA512 c6054ec6832f604c0654cf074e4e241c44037fd41cd37cca7da94abe008ff72adc4466d31bd254517eda083c7ec3f6aefd37785b3ee3d0d4553250bd29963855
DIST Linux-PAM-1.6.1.tar.xz 1054152 BLAKE2B 649b4ff892fbd3eb90adcbd9ccc5b3f5df51bf1c79b9084c7a1613c432587b13b81761d1eb4f31ef12d58843d16af24a3c441d0b6f5d2f2a1db9c8da15a61e2f SHA512 ddb5a5f296f564b76925324550d29f15d342841a97815336789c7bb922a8663e831edeb54f3dcd1eaf297e3325c9e2e6c14b8740def5c43cf3f160a8a14fa2ea


@ -1,21 +0,0 @@
This is a fork of gentoo's sys-libs/pam package. The main reasons
for having our fork seem to be:
1. We add a locked account functionality. If the account in
`/etc/shadow` has an exclamation mark (`!`) as a first character in
the password field, then the account is blocked.
2. We install configuration in `/usr/lib/pam`, so the configuration in
`/etc` provided by administration can override the config we
install.
3. For an unknown reason we drop `gen_usr_ldscript -a pam pam_misc
pamc` from the recipe.
4. We make the `/sbin/unix_chkpwd` binary a suid one instead of
overriding giving it a CAP_DAC_OVERRIDE to avoid a dependency loop
between pam and libcap. The binary needs to be able to read
/etc/shadow, so either suid or CAP_DAC_OVERRIDE capability should
work. A suid binary is strictly less secure than capability
override, so in long-term we would prefer to avoid having this
hack. On the other hand - this is what we had so far.


@ -1,13 +0,0 @@
diff -ur linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16.orig/modules/pam_unix/support.c linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16/modules/pam_unix/support.c
--- linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16.orig/modules/pam_unix/support.c 2020-08-18 20:50:27.226355628 +0200
+++ linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16/modules/pam_unix/support.c 2020-08-18 20:51:20.456212931 +0200
@@ -847,6 +847,9 @@
return retval;
}
+ if (pwent->pw_passwd != NULL && pwent->pw_passwd[0] == '!')
+ return PAM_PERM_DENIED;
+
if (retval == PAM_SUCCESS && spent == NULL)
return PAM_SUCCESS;


@ -1,34 +0,0 @@
Replace System V termio.h with POSIX termios.h for musl
Upstream: https://github.com/linux-pam/linux-pam/pull/576
Bug: https://bugs.gentoo.org/906137
From 5658105b04ad4df212baf302898ee2cca99516a6 Mon Sep 17 00:00:00 2001
From: Violet Purcell <vimproved@inventati.org>
Date: Thu, 11 May 2023 10:27:53 -0400
Subject: [PATCH] fix build on musl
--- a/examples/tty_conv.c
+++ b/examples/tty_conv.c
@@ -6,8 +6,9 @@
#include <string.h>
#include <errno.h>
#include <unistd.h>
-#include <termio.h>
+#include <termios.h>
#include <security/pam_appl.h>
+#include <sys/ioctl.h>
/***************************************
* @brief echo off/on
@@ -16,7 +17,7 @@
***************************************/
static void echoOff(int fd, int off)
{
- struct termio tty;
+ struct termios tty;
if (ioctl(fd, TCGETA, &tty) < 0)
{
fprintf(stderr, "TCGETA failed: %s\n", strerror(errno));
--
2.40.1


@ -1,11 +0,0 @@
d /etc/pam.d 0755 root root - -
d /etc/security 0755 root root - -
d /etc/security/limits.d 0755 root root - -
d /etc/security/namespace.d 0755 root root - -
f /etc/environment 0755 root root - -
L /etc/security/access.conf - - - - ../../usr/lib/pam/security/access.conf
L /etc/security/group.conf - - - - ../../usr/lib/pam/security/group.conf
L /etc/security/limits.conf - - - - ../../usr/lib/pam/security/limits.conf
L /etc/security/namespace.conf - - - - ../../usr/lib/pam/security/namespace.conf
L /etc/security/pam_env.conf - - - - ../../usr/lib/pam/security/pam_env.conf
L /etc/security/time.conf - - - - ../../usr/lib/pam/security/time.conf


@ -1,159 +0,0 @@
# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
MY_P="Linux-${PN^^}-${PV}"
# Avoid QA warnings
# Can reconsider w/ EAPI 8 and IDEPEND, bug #810979
TMPFILES_OPTIONAL=1
inherit db-use fcaps flag-o-matic toolchain-funcs multilib-minimal
DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)"
HOMEPAGE="https://github.com/linux-pam/linux-pam"
SRC_URI="
https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz
https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}-docs.tar.xz
"
S="${WORKDIR}/${MY_P}"
LICENSE="|| ( BSD GPL-2 )"
SLOT="0"
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux"
IUSE="audit berkdb debug nis selinux"
BDEPEND="
app-alternatives/yacc
dev-libs/libxslt
app-alternatives/lex
sys-devel/gettext
virtual/pkgconfig
"
DEPEND="
virtual/libcrypt:=[${MULTILIB_USEDEP}]
>=virtual/libintl-0-r1[${MULTILIB_USEDEP}]
audit? ( >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] )
berkdb? ( >=sys-libs/db-4.8.30-r1:=[${MULTILIB_USEDEP}] )
selinux? ( >=sys-libs/libselinux-2.2.2-r4[${MULTILIB_USEDEP}] )
nis? (
net-libs/libnsl:=[${MULTILIB_USEDEP}]
>=net-libs/libtirpc-0.2.4-r2:=[${MULTILIB_USEDEP}]
)
"
RDEPEND="${DEPEND}"
PDEPEND=">=sys-auth/pambase-20200616"
PATCHES=(
"${FILESDIR}"/${PN}-1.5.0-locked-accounts.patch
"${FILESDIR}/${P}-termios.patch"
)
src_prepare() {
default
touch ChangeLog || die
}
multilib_src_configure() {
# Do not let user's BROWSER setting mess us up, bug #549684
unset BROWSER
# This whole weird has_version libxcrypt block can go once
# musl systems have libxcrypt[system] if we ever make
# that mandatory. See bug #867991.
if use elibc_musl && ! has_version sys-libs/libxcrypt[system] ; then
# Avoid picking up symbol-versioned compat symbol on musl systems
export ac_cv_search_crypt_gensalt_rn=no
# Need to avoid picking up the libxcrypt headers which define
# CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY.
cp "${ESYSROOT}"/usr/include/crypt.h "${T}"/crypt.h || die
append-cppflags -I"${T}"
fi
local myconf=(
CC_FOR_BUILD="$(tc-getBUILD_CC)"
--with-db-uniquename=-$(db_findver sys-libs/db)
--with-xml-catalog="${EPREFIX}"/etc/xml/catalog
--enable-securedir="${EPREFIX}"/$(get_libdir)/security
--includedir="${EPREFIX}"/usr/include/security
--libdir="${EPREFIX}"/usr/$(get_libdir)
--enable-pie
--enable-unix
--disable-prelude
--disable-doc
--disable-regenerate-docu
--disable-static
--disable-Werror
# TODO: wire this up now it's more useful as of 1.5.3 (bug #931117)
--disable-econf
# TODO: add elogind support (bug #931115)
# lastlog is enabled again for now by us until logind support
# is handled. Even then, disabling lastlog will probably need
# a news item.
--disable-logind
--enable-lastlog
$(use_enable audit)
$(use_enable berkdb db)
$(use_enable debug)
$(use_enable nis)
$(use_enable selinux)
--enable-isadir='.' # bug #464016
--enable-vendordir="/usr/lib/pam/"
)
ECONF_SOURCE="${S}" econf "${myconf[@]}"
}
multilib_src_compile() {
emake sepermitlockdir="/run/sepermit"
}
multilib_src_install() {
emake DESTDIR="${D}" install \
sepermitlockdir="/run/sepermit"
}
multilib_src_install_all() {
find "${ED}" -type f -name '*.la' -delete || die
# Flatcar: The pam_unix module needs to check the password of
# the user which requires read access to /etc/shadow
# only. Make it suid instead of using CAP_DAC_OVERRIDE to
# avoid a pam -> libcap -> pam dependency loop.
fperms 4711 /sbin/unix_chkpwd
# tmpfiles.eclass is impossible to use because
# there is the pam -> tmpfiles -> systemd -> pam dependency loop
dodir /usr/lib/tmpfiles.d
rm "${D}/etc/environment"
cp "${FILESDIR}/tmpfiles.d/pam.conf" "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-config.conf
cat ->> "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_
d /run/faillock 0755 root root
_EOF_
use selinux && cat ->> "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-selinux.conf <<-_EOF_
d /run/sepermit 0755 root root
_EOF_
local page
for page in doc/man/*.{3,5,8} modules/*/*.{5,8} ; do
doman ${page}
done
}
pkg_postinst() {
ewarn "Some software with pre-loaded PAM libraries might experience"
ewarn "warnings or failures related to missing symbols and/or versions"
ewarn "after any update. While unfortunate this is a limit of the"
ewarn "implementation of PAM and the software, and it requires you to"
ewarn "restart the software manually after the update."
ewarn ""
ewarn "You can get a list of such software running a command like"
ewarn " lsof / | grep -E -i 'del.*libpam\\.so'"
ewarn ""
ewarn "Alternatively, simply reboot your system."
}


@ -0,0 +1 @@
DIST docbook-xsl-ns-1.79.1.tar.bz2 21962317 BLAKE2B a68cc31ea8cb98fc07e198fe55f242c6438284d6fa75d4920a9ca7b5038732f966cc6653e058d7fafb26c0ff49f2039025a48a0f8c0392ee892951723703bce3 SHA512 23fd06870bd5afe4efcd08c8ad679821c202a62442b50657c093cbe9cd71b585a3c56a5534a0d41119f58bf98b1f9014a53ff2e48ab59075ec1827e7363980e9


@ -0,0 +1,82 @@
# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
DOCBOOKDIR="/usr/share/sgml/${PN/-//}"
MY_PN="${PN%-stylesheets}"
MY_P="${MY_PN}-${PV}"
DESCRIPTION="XSL Stylesheets for Docbook"
HOMEPAGE="https://github.com/docbook/wiki/wiki"
SRC_URI="https://downloads.sourceforge.net/docbook/${MY_P}.tar.bz2"
LICENSE="BSD"
SLOT="0"
KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86"
IUSE="ruby"
RDEPEND=">=app-text/build-docbook-catalog-1.4
ruby? ( dev-lang/ruby )"
DEPEND=""
S="${WORKDIR}/${MY_P}"
# Makefile is broken since 1.76.0
RESTRICT=test
# The makefile runs tests, not builds.
src_compile() { :; }
src_test() {
emake check
}
src_install() {
# The changelog is now zipped, and copied as the RELEASE-NOTES, so we
# don't need to install it
dodoc AUTHORS BUGS NEWS README RELEASE-NOTES.txt TODO
insinto ${DOCBOOKDIR}
doins VERSION VERSION.xsl
local i
for i in $(find . -maxdepth 1 -mindepth 1 -type d -exec basename {} \;); do
[[ "${i}" == "epub" ]] && ! use ruby && continue
cd "${S}"/${i}
for doc in ChangeLog README; do
if [[ -e "${doc}" ]] ; then
mv ${doc} ${doc}.${i} || die
dodoc ${doc}.${i}
rm ${doc}.${i} || die
fi
done
doins -r "${S}"/${i}
done
if use ruby; then
local cmd="dbtoepub${MY_PN#docbook-xsl}"
# we can't use a symlink or it'll look for the library in the
# wrong path.
dodir /usr/bin
cat - > "${ED}"/usr/bin/${cmd} <<EOF
#!/usr/bin/env ruby
load "${DOCBOOKDIR}/epub/bin/dbtoepub"
EOF
fperms 0755 /usr/bin/${cmd}
fi
}
pkg_postinst() {
# See bug #816303 for rationale behind die
build-docbook-catalog || die "Failed to regenerate docbook catalog. Is /run mounted?"
}
pkg_postrm() {
# See bug #816303 for rationale behind die
build-docbook-catalog || die "Failed to regenerate docbook catalog. Is /run mounted?"
}
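Review bot: `cd "${S}"/${i}` inside the src_install loop has no `|| die`, and `cd` is not a die-on-failure helper in EAPI 7, so if the directory change fails the following `mv ${doc} ${doc}.${i}` and `rm ${doc}.${i}` run in whatever directory the previous iteration left; change it to `cd "${S}/${i}" || die`. The ruby branch's `cat - > "${ED}"/usr/bin/${cmd} <<EOF` heredoc likewise ignores a failed write of the wrapper script and should carry `|| die`. As a point of style, the loop drives `find … -exec basename` output through an unquoted `$(…)` and uses unquoted `${i}`/`${doc}` expansions; that works because the tarball's directory names are fixed, but quoting them costs nothing.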


@ -0,0 +1,16 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<!--maintainer-needed-->
<use>
<flag name="ruby">
Install the Ruby-based dbtoepub script; requires an interpreter
compatible with <pkg>app-eselect/eselect-ruby</pkg>.
</flag>
</use>
<stabilize-allarches/>
<upstream>
<remote-id type="sourceforge">docbook</remote-id>
<remote-id type="github">docbook/wiki</remote-id>
</upstream>
</pkgmetadata>


@ -0,0 +1,3 @@
DIST pambase-20250826.tar.bz2 4925 BLAKE2B c6929aa506b94b9215bd2c686fd9965d6c3a77f36c7a2d114ca5b2c39a30e2209a84408ee855559837d54161e359723889b89bb9c048bb36b00c7156495968fc SHA512 c9bc07ac617891ddab6f2a8358b10899462d9b54fcc3642d222dd2402914f24225854103b6c581aa2041fb0feb0f94688e07aad10ab94c3a629b4cd2937bd785
DIST pambase-20250906.tar.bz2 4972 BLAKE2B b65da13a265d5a3df1e84546a8f6e1447d7ea5a40fe4a44488691c4a182cf4b3d13d20ce85778f549d217ebf4b4511e71f5f285b34edf9e9e18bab50b0d22c82 SHA512 639d87169fafb0e44401104ade7dfaa7a5d6bd473d9e4e3c35a0fb87aaf73a383d406ee05944a3190750e55e59decd867ab3f773664f9fb787f40acc05826d1c
DIST pambase-20251013.tar.bz2 4963 BLAKE2B c2eb355819c28a6b41e8aea843c176769fa53519cb357239712165f0bf507bc21132d732fd2600d9354e2031e55da30beb676f1da854ce4bda687b8de006641a SHA512 968d82e817b209d66ea1719493539ff363a844795efd8584690a4ca9b5f932f5f5a9e8352747b590ae6ffba332a9a7d8e2a224af26bc3a6bdf012736daca9e6c


@ -0,0 +1,105 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="project">
<email>base-system@gentoo.org</email>
</maintainer>
<maintainer type="person">
<email>sam@gentoo.org</email>
<name>Sam James</name>
</maintainer>
<use>
<flag name="elogind">
Use pam_elogind module to register user sessions with elogind.
</flag>
<flag name="systemd">
Use pam_systemd module to register user sessions in the systemd
control group hierarchy.
</flag>
<flag name="homed">
Use pam_systemd_home module to manage home directories with
the systemd-homed service
</flag>
<flag name="debug">
Enable debug information logging on syslog(3) for all the
modules supporting this in the system authentication and system
login stacks.
</flag>
<flag name="passwdqc">
Enable pam_passwdqc module on system auth stack for password
quality validation. This module produces warnings, rejecting
or providing example passwords when changing your system password.
It is used by default by OpenWall GNU/*/Linux and by FreeBSD.
</flag>
<flag name="pwhistory">
Enable pam_pwhistory module on system auth stack to save
the last passwords for each user in order to force password
change history and keep the user from alternating between
the same password too frequently.
</flag>
<flag name="pwquality">
Enable pam_pwquality module on system auth stack for passwd
quality validation. It is used by default by Fedora GNU/*/Linux.
</flag>
<flag name="mktemp">
Enable pam_mktemp module on system auth stack for session
handling. This module creates a private temporary directory for
the user, and sets TMP and TMPDIR accordingly.
</flag>
<flag name="pam_ssh">
Enable pam_ssh module on system auth stack for authentication
and session handling. This module will accept as password the
passphrase of a private SSH key (one of ~/.ssh/id_rsa,
~/.ssh/id_dsa or ~/.ssh/identity), and will spawn an ssh-agent
instance to cache the open key.
</flag>
<flag name="sha512">
Switch Linux-PAM's pam_unix module to use sha512 for passwords
hashes rather than MD5. This option requires
<pkg>sys-libs/pam</pkg> version 1.0.1 built against
<pkg>sys-libs/glibc</pkg> version 2.7, if it's built against an
earlier version, it will silently be ignored, and MD5 hashes
will be used. All the passwords changed after this USE flag is
enabled will be saved to the shadow file hashed using SHA512
function. The password previously saved will be left
untouched. Please note that while SHA512-hashed passwords will
still be recognised if the USE flag is removed, the shadow file
will not be compatible with systems using an earlier glibc
version.
</flag>
<flag name="sssd">
Add System Security Services Daemon (<pkg>sys-auth/sssd</pkg>) support
via pam_sss.
</flag>
<flag name="yescrypt">
Switch Linux-PAM's pam_unix module to use yescrypt for passwords hashes rather than MD5
</flag>
<flag name="pam_krb5">
Enable pam_krb5 module on system auth stack, as an alternative
to pam_unix. If Kerberos authentication succeeds, only pam_unix
will be ignorde, and all the other modules will proceed as usual,
including Gnome Keyring and other session modules. It requires
<pkg>sys-libs/pam</pkg> as PAM implementation.
</flag>
<flag name="minimal">
Disables the standard PAM modules that provide extra information
to users on login; this includes pam_lastlog, pam_motd, pam_mail
and other similar modules. This might not be a good idea on
a multi-user system but could reduce slightly the overhead on
single-user non-networked systems.
</flag>
<flag name="nullok">
Enable the nullok option with the pam_unix module. This allows
people to login with blank passwords.
</flag>
<flag name="securetty">
Enable pam_securetty module in the login stack. Not generally
relevant anymore as the login stack only refers to local logins
and local terminals imply secure access in the first place.
</flag>
</use>
<upstream>
<remote-id type="gentoo">proj/pambase</remote-id>
<remote-id type="github">gentoo/pambase</remote-id>
</upstream>
</pkgmetadata>


@ -0,0 +1,129 @@
# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
PYTHON_COMPAT=( python3_{11..13} )
inherit edo pam python-any-r1 readme.gentoo-r1
DESCRIPTION="PAM base configuration files"
HOMEPAGE="https://github.com/gentoo/pambase"
if [[ ${PV} == *9999 ]]; then
inherit git-r3
EGIT_REPO_URI="
https://anongit.gentoo.org/git/proj/pambase.git
https://github.com/gentoo/pambase.git
"
else
SRC_URI="https://gitweb.gentoo.org/proj/pambase.git/snapshot/${P}.tar.bz2"
KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86"
fi
LICENSE="MIT"
SLOT="0"
IUSE="caps debug elogind gnome-keyring homed minimal mktemp +nullok pam_krb5 pam_ssh +passwdqc pwhistory pwquality securetty selinux +sha512 sssd systemd yescrypt"
RESTRICT="binchecks"
REQUIRED_USE="
?? ( elogind systemd )
?? ( passwdqc pwquality )
?? ( sha512 yescrypt )
pwhistory? ( || ( passwdqc pwquality ) )
homed? ( !pam_krb5 )
pam_krb5? ( !homed )
"
MIN_PAM_REQ=1.4.0
RDEPEND="
>=sys-libs/pam-${MIN_PAM_REQ}
elogind? ( sys-auth/elogind[pam] )
gnome-keyring? ( gnome-base/gnome-keyring[pam] )
mktemp? ( sys-auth/pam_mktemp )
pam_krb5? (
>=sys-libs/pam-${MIN_PAM_REQ}
sys-auth/pam_krb5
)
caps? ( sys-libs/libcap[pam] )
pam_ssh? ( sys-auth/pam_ssh )
passwdqc? ( >=sys-auth/passwdqc-1.4.0-r1 )
pwquality? ( dev-libs/libpwquality[pam] )
selinux? ( sys-libs/pam[selinux] )
sha512? ( >=sys-libs/pam-${MIN_PAM_REQ} )
homed? ( sys-apps/systemd[homed] )
systemd? ( sys-apps/systemd[pam] )
yescrypt? ( sys-libs/libxcrypt[system] )
sssd? ( sys-auth/sssd )
"
BDEPEND="
$(python_gen_any_dep '
dev-python/jinja2[${PYTHON_USEDEP}]
')
"
python_check_deps() {
python_has_version "dev-python/jinja2[${PYTHON_USEDEP}]"
}
src_configure() {
local crypt=md5
# TODO: sha256, blowfish, gost_yescrypt
use sha512 && crypt=sha512
use yescrypt && crypt=yescrypt
local pamargs=(
# Not all 'upstream' options are (currently) wired up
# in the ebuild.
#
# TODO: pam_shells
$(usev caps '--caps')
$(usev debug '--debug')
$(usev elogind '--elogind')
$(usev gnome-keyring '--gnome-keyring')
$(usev homed '--homed')
$(usev minimal '--minimal')
$(usev mktemp '--mktemp')
$(usev nullok '--nullok')
$(usev pam_krb5 '--krb5')
$(usev pam_ssh '--pam-ssh')
$(usev passwdqc '--passwdqc')
$(usev pwhistory '--pwhistory')
$(usev pwquality '--pwquality')
$(usev securetty '--securetty')
$(usev selinux '--selinux')
$(usex systemd '--systemd' '--openrc')
$(usev sssd '--sssd')
--encrypt=${crypt}
)
edo ${EPYTHON} ./${PN}.py "${pamargs[@]}"
}
src_test() { :; }
src_install() {
local DOC_CONTENTS
if use passwdqc; then
DOC_CONTENTS="To amend the existing password policy please see the man 5 passwdqc.conf
page and then edit the /etc/security/passwdqc.conf file"
fi
if use pwquality; then
DOC_CONTENTS="To amend the existing password policy please see the man 5 pwquality.conf
page and then edit the /etc/security/pwquality.conf file"
fi
{ use passwdqc || use pwquality; } && readme.gentoo_create_doc
dopamd -r stack/.
}
pkg_postinst() {
{ use passwdqc || use pwquality; } && readme.gentoo_print_elog
}
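Review bot: IUSE defaults `+nullok`, and the metadata.xml added in this commit describes that flag as letting pam_unix accept logins with blank passwords, so unless the Flatcar profile sets USE=-nullok the generated system-auth stack will authenticate any account whose password field is empty; the overlay pambase this replaces is not visible here, so worth confirming the profile before this lands. The same applies to the other three pambase ebuilds added by this commit. A smaller point in src_configure: `local crypt=md5` is the fallback when neither sha512 nor yescrypt is enabled, which with `?? ( sha512 yescrypt )` and `+sha512` only happens under USE=-sha512; a comment such as `# md5 is reached only with USE=-sha512 -yescrypt; kept for legacy shadow files` next to it would make that explicit.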


@ -0,0 +1,129 @@
# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
PYTHON_COMPAT=( python3_{11..14} )
inherit edo pam python-any-r1 readme.gentoo-r1
DESCRIPTION="PAM base configuration files"
HOMEPAGE="https://github.com/gentoo/pambase"
if [[ ${PV} == *9999 ]]; then
inherit git-r3
EGIT_REPO_URI="
https://anongit.gentoo.org/git/proj/pambase.git
https://github.com/gentoo/pambase.git
"
else
SRC_URI="https://gitweb.gentoo.org/proj/pambase.git/snapshot/${P}.tar.bz2"
KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86"
fi
LICENSE="MIT"
SLOT="0"
IUSE="caps debug elogind gnome-keyring homed minimal mktemp +nullok pam_krb5 pam_ssh +passwdqc pwhistory pwquality securetty selinux +sha512 sssd systemd yescrypt"
RESTRICT="binchecks"
REQUIRED_USE="
?? ( elogind systemd )
?? ( passwdqc pwquality )
?? ( sha512 yescrypt )
pwhistory? ( || ( passwdqc pwquality ) )
homed? ( !pam_krb5 )
pam_krb5? ( !homed )
"
MIN_PAM_REQ=1.4.0
RDEPEND="
>=sys-libs/pam-${MIN_PAM_REQ}
elogind? ( sys-auth/elogind[pam] )
gnome-keyring? ( gnome-base/gnome-keyring[pam] )
mktemp? ( sys-auth/pam_mktemp )
pam_krb5? (
>=sys-libs/pam-${MIN_PAM_REQ}
sys-auth/pam_krb5
)
caps? ( sys-libs/libcap[pam] )
pam_ssh? ( sys-auth/pam_ssh )
passwdqc? ( >=sys-auth/passwdqc-1.4.0-r1 )
pwquality? ( dev-libs/libpwquality[pam] )
selinux? ( sys-libs/pam[selinux] )
sha512? ( >=sys-libs/pam-${MIN_PAM_REQ} )
homed? ( sys-apps/systemd[homed] )
systemd? ( sys-apps/systemd[pam] )
yescrypt? ( sys-libs/libxcrypt[system] )
sssd? ( sys-auth/sssd )
"
BDEPEND="
$(python_gen_any_dep '
dev-python/jinja2[${PYTHON_USEDEP}]
')
"
python_check_deps() {
python_has_version "dev-python/jinja2[${PYTHON_USEDEP}]"
}
src_configure() {
local crypt=md5
# TODO: sha256, blowfish, gost_yescrypt
use sha512 && crypt=sha512
use yescrypt && crypt=yescrypt
local pamargs=(
# Not all 'upstream' options are (currently) wired up
# in the ebuild.
#
# TODO: pam_shells
$(usev caps '--caps')
$(usev debug '--debug')
$(usev elogind '--elogind')
$(usev gnome-keyring '--gnome-keyring')
$(usev homed '--homed')
$(usev minimal '--minimal')
$(usev mktemp '--mktemp')
$(usev nullok '--nullok')
$(usev pam_krb5 '--krb5')
$(usev pam_ssh '--pam-ssh')
$(usev passwdqc '--passwdqc')
$(usev pwhistory '--pwhistory')
$(usev pwquality '--pwquality')
$(usev securetty '--securetty')
$(usev selinux '--selinux')
$(usex systemd '--systemd' '--openrc')
$(usev sssd '--sssd')
--encrypt=${crypt}
)
edo ${EPYTHON} ./${PN}.py "${pamargs[@]}"
}
src_test() { :; }
src_install() {
local DOC_CONTENTS
if use passwdqc; then
DOC_CONTENTS="To amend the existing password policy please see the man 5 passwdqc.conf
page and then edit the /etc/security/passwdqc.conf file"
fi
if use pwquality; then
DOC_CONTENTS="To amend the existing password policy please see the man 5 pwquality.conf
page and then edit the /etc/security/pwquality.conf file"
fi
{ use passwdqc || use pwquality; } && readme.gentoo_create_doc
dopamd -r stack/.
}
pkg_postinst() {
{ use passwdqc || use pwquality; } && readme.gentoo_print_elog
}


@ -0,0 +1,129 @@
# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
PYTHON_COMPAT=( python3_{11..14} )
inherit edo pam python-any-r1 readme.gentoo-r1
DESCRIPTION="PAM base configuration files"
HOMEPAGE="https://github.com/gentoo/pambase"
if [[ ${PV} == *9999 ]]; then
inherit git-r3
EGIT_REPO_URI="
https://anongit.gentoo.org/git/proj/pambase.git
https://github.com/gentoo/pambase.git
"
else
SRC_URI="https://gitweb.gentoo.org/proj/pambase.git/snapshot/${P}.tar.bz2"
KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86"
fi
LICENSE="MIT"
SLOT="0"
IUSE="caps debug elogind gnome-keyring homed minimal mktemp +nullok pam_krb5 pam_ssh +passwdqc pwhistory pwquality securetty selinux +sha512 sssd systemd yescrypt"
RESTRICT="binchecks"
REQUIRED_USE="
?? ( elogind systemd )
?? ( passwdqc pwquality )
?? ( sha512 yescrypt )
pwhistory? ( || ( passwdqc pwquality ) )
homed? ( !pam_krb5 )
pam_krb5? ( !homed )
"
MIN_PAM_REQ=1.4.0
RDEPEND="
>=sys-libs/pam-${MIN_PAM_REQ}
elogind? ( sys-auth/elogind[pam] )
gnome-keyring? ( gnome-base/gnome-keyring[pam] )
mktemp? ( sys-auth/pam_mktemp )
pam_krb5? (
>=sys-libs/pam-${MIN_PAM_REQ}
sys-auth/pam_krb5
)
caps? ( sys-libs/libcap[pam] )
pam_ssh? ( sys-auth/pam_ssh )
passwdqc? ( >=sys-auth/passwdqc-1.4.0-r1 )
pwquality? ( dev-libs/libpwquality[pam] )
selinux? ( sys-libs/pam[selinux] )
sha512? ( >=sys-libs/pam-${MIN_PAM_REQ} )
homed? ( sys-apps/systemd[homed] )
systemd? ( sys-apps/systemd[pam] )
yescrypt? ( sys-libs/libxcrypt[system] )
sssd? ( sys-auth/sssd )
"
BDEPEND="
$(python_gen_any_dep '
dev-python/jinja2[${PYTHON_USEDEP}]
')
"
python_check_deps() {
python_has_version "dev-python/jinja2[${PYTHON_USEDEP}]"
}
src_configure() {
local crypt=md5
# TODO: sha256, blowfish, gost_yescrypt
use sha512 && crypt=sha512
use yescrypt && crypt=yescrypt
local pamargs=(
# Not all 'upstream' options are (currently) wired up
# in the ebuild.
#
# TODO: pam_shells
$(usev caps '--caps')
$(usev debug '--debug')
$(usev elogind '--elogind')
$(usev gnome-keyring '--gnome-keyring')
$(usev homed '--homed')
$(usev minimal '--minimal')
$(usev mktemp '--mktemp')
$(usev nullok '--nullok')
$(usev pam_krb5 '--krb5')
$(usev pam_ssh '--pam-ssh')
$(usev passwdqc '--passwdqc')
$(usev pwhistory '--pwhistory')
$(usev pwquality '--pwquality')
$(usev securetty '--securetty')
$(usev selinux '--selinux')
$(usex systemd '--systemd' '--openrc')
$(usev sssd '--sssd')
--encrypt=${crypt}
)
edo ${EPYTHON} ./${PN}.py "${pamargs[@]}"
}
src_test() { :; }
src_install() {
local DOC_CONTENTS
if use passwdqc; then
DOC_CONTENTS="To amend the existing password policy please see the man 5 passwdqc.conf
page and then edit the /etc/security/passwdqc.conf file"
fi
if use pwquality; then
DOC_CONTENTS="To amend the existing password policy please see the man 5 pwquality.conf
page and then edit the /etc/security/pwquality.conf file"
fi
{ use passwdqc || use pwquality; } && readme.gentoo_create_doc
dopamd -r stack/.
}
pkg_postinst() {
{ use passwdqc || use pwquality; } && readme.gentoo_print_elog
}


@ -0,0 +1,129 @@
# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
PYTHON_COMPAT=( python3_{11..14} )
inherit edo pam python-any-r1 readme.gentoo-r1
DESCRIPTION="PAM base configuration files"
HOMEPAGE="https://github.com/gentoo/pambase"
if [[ ${PV} == *9999 ]]; then
inherit git-r3
EGIT_REPO_URI="
https://anongit.gentoo.org/git/proj/pambase.git
https://github.com/gentoo/pambase.git
"
else
SRC_URI="https://gitweb.gentoo.org/proj/pambase.git/snapshot/${P}.tar.bz2"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
fi
LICENSE="MIT"
SLOT="0"
IUSE="caps debug elogind gnome-keyring homed minimal mktemp +nullok pam_krb5 pam_ssh +passwdqc pwhistory pwquality securetty selinux +sha512 sssd systemd yescrypt"
RESTRICT="binchecks"
REQUIRED_USE="
?? ( elogind systemd )
?? ( passwdqc pwquality )
?? ( sha512 yescrypt )
pwhistory? ( || ( passwdqc pwquality ) )
homed? ( !pam_krb5 )
pam_krb5? ( !homed )
"
MIN_PAM_REQ=1.4.0
RDEPEND="
>=sys-libs/pam-${MIN_PAM_REQ}
elogind? ( sys-auth/elogind[pam] )
gnome-keyring? ( gnome-base/gnome-keyring[pam] )
mktemp? ( sys-auth/pam_mktemp )
pam_krb5? (
>=sys-libs/pam-${MIN_PAM_REQ}
sys-auth/pam_krb5
)
caps? ( sys-libs/libcap[pam] )
pam_ssh? ( sys-auth/pam_ssh )
passwdqc? ( >=sys-auth/passwdqc-1.4.0-r1 )
pwquality? ( dev-libs/libpwquality[pam] )
selinux? ( sys-libs/pam[selinux] )
sha512? ( >=sys-libs/pam-${MIN_PAM_REQ} )
homed? ( sys-apps/systemd[homed] )
systemd? ( sys-apps/systemd[pam] )
yescrypt? ( sys-libs/libxcrypt[system] )
sssd? ( sys-auth/sssd )
"
BDEPEND="
$(python_gen_any_dep '
dev-python/jinja2[${PYTHON_USEDEP}]
')
"
python_check_deps() {
python_has_version "dev-python/jinja2[${PYTHON_USEDEP}]"
}
src_configure() {
local crypt=md5
# TODO: sha256, blowfish, gost_yescrypt
use sha512 && crypt=sha512
use yescrypt && crypt=yescrypt
local pamargs=(
# Not all 'upstream' options are (currently) wired up
# in the ebuild.
#
# TODO: pam_shells
$(usev caps '--caps')
$(usev debug '--debug')
$(usev elogind '--elogind')
$(usev gnome-keyring '--gnome-keyring')
$(usev homed '--homed')
$(usev minimal '--minimal')
$(usev mktemp '--mktemp')
$(usev nullok '--nullok')
$(usev pam_krb5 '--krb5')
$(usev pam_ssh '--pam-ssh')
$(usev passwdqc '--passwdqc')
$(usev pwhistory '--pwhistory')
$(usev pwquality '--pwquality')
$(usev securetty '--securetty')
$(usev selinux '--selinux')
$(usex systemd '--systemd' '--openrc')
$(usev sssd '--sssd')
--encrypt=${crypt}
)
edo ${EPYTHON} ./${PN}.py "${pamargs[@]}"
}
src_test() { :; }
src_install() {
local DOC_CONTENTS
if use passwdqc; then
DOC_CONTENTS="To amend the existing password policy please see the man 5 passwdqc.conf
page and then edit the /etc/security/passwdqc.conf file"
fi
if use pwquality; then
DOC_CONTENTS="To amend the existing password policy please see the man 5 pwquality.conf
page and then edit the /etc/security/pwquality.conf file"
fi
{ use passwdqc || use pwquality; } && readme.gentoo_create_doc
dopamd -r stack/.
}
pkg_postinst() {
{ use passwdqc || use pwquality; } && readme.gentoo_print_elog
}


@ -0,0 +1,3 @@
DIST Linux-PAM-1.7.1.tar.xz 510828 BLAKE2B 0a64d7dbf6bb7e3d2c36ea1f29c3217d3e43a1cc0ba8adf2ee8a117946a53bd26634ebd70ff3b99a72f7373df6694ee054dc7eddab04e43bbc8f5b0e9e56b3bc SHA512 0724c3636c10e2c7d98c9325bb9c20eb3e59b7cbc2f8fa7636b77af497524afe595b895386d7e6723fdb89247b94f6db6f179d552015ac78469beaa33e0413f0
DIST Linux-PAM-1.7.1.tar.xz.asc 801 BLAKE2B 566123f49e26862ffc2261db38e35914dd91175c9f66a4756b9a473808dfeda2a4dad25337afa5121ca68a2411a26249b0d40556a22385f4494d355d6c3b4047 SHA512 7d559895e7988ea815955a4788925597073f1a66204dc9f437de306e1b7a77f2f2a9f1bdb2827aba03444500c790fa03e4bba2c94a2089b23bdd6505f9c3601f
DIST pam-1.7.0_p20241230.gh.tar.gz 719108 BLAKE2B c37daabae380ce75c630a0af1b9960676bc973c773025bc7f65ae87aebff4ca3b667e16ec9635c7677e8a00e6b26eb590f84b798529c3340cdc2c262e7e5649e SHA512 d9d53ddd420fe754c76303b99c37e5cc2eca3d4af9f64043f3f9e69c3abfc3c05d5a1efdbbdfb39ad46a301a0df7a18425d0e8c110c1d76bad3e62dfa97b61ef


@ -0,0 +1,37 @@
https://github.com/linux-pam/linux-pam/commit/4176cf25a3ae8b5fd2956b41b068221b39932c3a
From 4176cf25a3ae8b5fd2956b41b068221b39932c3a Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin" <ldv@strace.io>
Date: Tue, 17 Jun 2025 13:00:00 +0000
Subject: [PATCH] pam_lastlog: fix compilation warning on some of 32-bit
architectures
On those of 32-bit architectures where glibc defines
__WORDSIZE_TIME64_COMPAT32, struct utmp.ut_tv.tv_sec is unsigned,
while time_t is signed, causing the following compiler diagnostics:
pam_lastlog.c: In function 'last_login_failed':
pam_lastlog.c:572:29: warning: comparison of integer expressions of different signedness: '__uint32_t' {aka 'unsigned int'} and 'time_t' {aka 'long int'} [-Wsign-compare]
572 | if (ut.ut_tv.tv_sec >= lltime && strncmp(ut.ut_user, user, UT_NAMESIZE) == 0) {
Given that by its nature these values are treated as unsigned, fix this
by zero-extending both values to unsigned long long before the comparison.
---
modules/pam_lastlog/pam_lastlog.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
index 01545a696..c68b5fb04 100644
--- a/modules/pam_lastlog/pam_lastlog.c
+++ b/modules/pam_lastlog/pam_lastlog.c
@@ -569,7 +569,8 @@ last_login_failed(pam_handle_t *pamh, int announce, const char *user, time_t llt
while ((retval=pam_modutil_read(fd, (void *)&ut,
sizeof(ut))) == sizeof(ut)) {
- if (ut.ut_tv.tv_sec >= lltime && strncmp(ut.ut_user, user, UT_NAMESIZE) == 0) {
+ if (zero_extend_signed_to_ull(ut.ut_tv.tv_sec) >= zero_extend_signed_to_ull(lltime)
+ && strncmp(ut.ut_user, user, UT_NAMESIZE) == 0) {
memcpy(&utuser, &ut, sizeof(utuser));
failed++;
}


@ -0,0 +1,37 @@
https://github.com/linux-pam/linux-pam/commit/e3b66a60e4209e019cf6a45f521858cec2dbefa1
From e3b66a60e4209e019cf6a45f521858cec2dbefa1 Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin" <ldv@strace.io>
Date: Tue, 17 Jun 2025 13:00:00 +0000
Subject: [PATCH] pam_timestamp: fix compilation warning on some of 32-bit
architectures
On those of 32-bit architectures where glibc defines
__WORDSIZE_TIME64_COMPAT32, struct utmp.ut_tv.tv_sec is unsigned,
while time_t is signed, causing the following compiler diagnostics:
pam_timestamp.c: In function 'check_login_time':
pam_timestamp.c:247:55: warning: comparison of integer expressions of different signedness: 'time_t' {aka 'long int'} and '__uint32_t' {aka 'unsigned int'} [-Wsign-compare]
247 | if (oldest_login == 0 || oldest_login > ut->ut_tv.tv_sec) {
Given that by its nature these values are treated as unsigned, fix this
by zero-extending both values to unsigned long long before the comparison.
---
modules/pam_timestamp/pam_timestamp.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
index 0172d1ef9..030fa2b8f 100644
--- a/modules/pam_timestamp/pam_timestamp.c
+++ b/modules/pam_timestamp/pam_timestamp.c
@@ -244,7 +244,9 @@ check_login_time(
if (strncmp(ruser, ut->ut_user, sizeof(ut->ut_user)) != 0) {
continue;
}
- if (oldest_login == 0 || oldest_login > ut->ut_tv.tv_sec) {
+ if (oldest_login == 0 ||
+ zero_extend_signed_to_ull(oldest_login)
+ > zero_extend_signed_to_ull(ut->ut_tv.tv_sec)) {
oldest_login = ut->ut_tv.tv_sec;
}
}


@ -0,0 +1,192 @@
# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
MY_P="Linux-${PN^^}-${PV}"
# Avoid QA warnings
# Can reconsider w/ EAPI 8 and IDEPEND, bug #810979
TMPFILES_OPTIONAL=1
inherit db-use fcaps flag-o-matic meson-multilib toolchain-funcs
DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)"
HOMEPAGE="https://github.com/linux-pam/linux-pam"
if [[ ${PV} == *_p* ]] ; then
PAM_COMMIT="e634a3a9be9484ada6e93970dfaf0f055ca17332"
SRC_URI="
https://github.com/linux-pam/linux-pam/archive/${PAM_COMMIT}.tar.gz -> ${P}.gh.tar.gz
"
S="${WORKDIR}"/linux-${PN}-${PAM_COMMIT}
else
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/strace.asc
inherit verify-sig
SRC_URI="
https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz
verify-sig? ( https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz.asc )
"
S="${WORKDIR}/${MY_P}"
BDEPEND="verify-sig? ( sec-keys/openpgp-keys-strace )"
fi
LICENSE="|| ( BSD GPL-2 )"
SLOT="0"
KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux"
IUSE="audit berkdb elogind examples debug nis nls selinux systemd"
REQUIRED_USE="?? ( elogind systemd )"
# meson.build specifically checks for bison and then byacc
# also requires xsltproc
BDEPEND+="
|| ( sys-devel/bison dev-util/byacc )
app-text/docbook-xsl-ns-stylesheets
dev-libs/libxslt
sys-devel/flex
virtual/pkgconfig
nls? ( sys-devel/gettext )
"
DEPEND="
virtual/libcrypt:=[${MULTILIB_USEDEP}]
>=virtual/libintl-0-r1[${MULTILIB_USEDEP}]
audit? ( >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] )
berkdb? ( >=sys-libs/db-4.8.30-r1:=[${MULTILIB_USEDEP}] )
!berkdb? ( sys-libs/gdbm:=[${MULTILIB_USEDEP}] )
elogind? ( >=sys-auth/elogind-254 )
selinux? ( >=sys-libs/libselinux-2.2.2-r4[${MULTILIB_USEDEP}] )
systemd? ( >=sys-apps/systemd-254:= )
nis? (
net-libs/libnsl:=[${MULTILIB_USEDEP}]
>=net-libs/libtirpc-0.2.4-r2:=[${MULTILIB_USEDEP}]
)
"
RDEPEND="${DEPEND}"
PDEPEND=">=sys-auth/pambase-20200616"
src_configure() {
# meson.build sets -Wl,--fatal-warnings and with e.g. mold, we get:
# cannot assign version `global` to symbol `pam_sm_open_session`: symbol not found
append-ldflags $(test-flags-CCLD -Wl,--undefined-version)
# Do not let user's BROWSER setting mess us up, bug #549684
unset BROWSER
meson-multilib_src_configure
}
multilib_src_configure() {
local machine_file="${T}/meson.${CHOST}.${ABI}.ini.local"
# Workaround for docbook5 not being packaged (bug #913087#c4)
# It's only used for validation of output, so stub it out.
# Also, stub out elinks+w3m which are only used for an index.
cat >> "${machine_file}" <<-EOF || die
[binaries]
xmlcatalog='true'
xmllint='true'
elinks='true'
w3m='true'
EOF
local emesonargs=()
if tc-is-cross-compiler; then
emesonargs+=( --cross-file "${machine_file}" )
else
emesonargs+=( --native-file "${machine_file}" )
fi
emesonargs+=(
$(meson_feature audit)
$(meson_native_use_bool examples)
$(meson_use debug pam-debug)
$(meson_feature nis)
$(meson_feature nls i18n)
$(meson_feature selinux)
-Disadir='.'
-Dxml-catalog="${BROOT}"/etc/xml/catalog
-Dsbindir="${EPREFIX}"/sbin
-Dsecuredir="${EPREFIX}"/$(get_libdir)/security
-Ddocdir="${EPREFIX}"/usr/share/doc/${PF}
-Dhtmldir="${EPREFIX}"/usr/share/doc/${PF}/html
-Dpdfdir="${EPREFIX}"/usr/share/doc/${PF}/pdf
$(meson_native_enabled docs)
-Dpam_unix=enabled
# TODO: wire this up now it's more useful as of 1.5.3 (bug #931117)
-Deconf=disabled
# TODO: lastlog is enabled again for now by us as elogind support
# wasn't available at first. Even then, disabling lastlog will
# probably need a news item.
$(meson_native_use_feature systemd logind)
$(meson_native_use_feature elogind)
$(meson_feature !elibc_musl pam_lastlog)
)
if use berkdb; then
local dbver
dbver="$(db_findver sys-libs/db)" || die "could not find db version"
local -x CPPFLAGS="${CPPFLAGS} -I$(db_includedir "${dbver}")"
emesonargs+=(
-Ddb=db
-Ddb-uniquename="-${dbver}"
)
else
emesonargs+=(
-Ddb=gdbm
)
fi
# This whole weird has_version libxcrypt block can go once
# musl systems have libxcrypt[system] if we ever make
# that mandatory. See bug #867991.
#if use elibc_musl && ! has_version sys-libs/libxcrypt[system] ; then
# # Avoid picking up symbol-versioned compat symbol on musl systems
# export ac_cv_search_crypt_gensalt_rn=no
#
# # Need to avoid picking up the libxcrypt headers which define
# # CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY.
# cp "${ESYSROOT}"/usr/include/crypt.h "${T}"/crypt.h || die
# append-cppflags -I"${T}"
#fi
meson_src_configure
}
multilib_src_install_all() {
find "${ED}" -type f -name '*.la' -delete || die
# tmpfiles.eclass is impossible to use because
# there is the pam -> tmpfiles -> systemd -> pam dependency loop
dodir /usr/lib/tmpfiles.d
cat ->> "${ED}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_
d /run/faillock 0755 root root
_EOF_
use selinux && cat ->> "${ED}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-selinux.conf <<-_EOF_
d /run/sepermit 0755 root root
_EOF_
}
pkg_postinst() {
ewarn "Some software with pre-loaded PAM libraries might experience"
ewarn "warnings or failures related to missing symbols and/or versions"
ewarn "after any update. While unfortunate this is a limit of the"
ewarn "implementation of PAM and the software, and it requires you to"
ewarn "restart the software manually after the update."
ewarn ""
ewarn "You can get a list of such software running a command like"
ewarn " lsof / | grep -E -i 'del.*libpam\\.so'"
ewarn ""
ewarn "Alternatively, simply reboot your system."
# The pam_unix module needs to check the password of the user which requires
# read access to /etc/shadow only.
fcaps -m u+s cap_dac_override sbin/unix_chkpwd
}
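Review bot: The two tmpfiles.d heredocs in multilib_src_install_all run `cat` without `|| die`, so a failed write leaves the image without the /run/faillock (or /run/sepermit) entry while the build still succeeds; the machine-file heredoc in multilib_src_configure already uses `|| die`, so this is inconsistent within the same file. Change the first to `cat >> "${ED}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_ || die` and put the selinux one inside `if use selinux; then … fi` rather than appending `|| die` to the `use selinux && cat …` chain, which would die whenever selinux is disabled. Separately, pkg_postinst now relies on `fcaps -m u+s cap_dac_override sbin/unix_chkpwd` where the overlay ebuild being replaced used a plain `fperms 4711` precisely to avoid a pam -> libcap -> pam dependency loop; confirm that loop is handled for Flatcar (presumably through the profile's USE for fcaps) and that the installed binary ends up either setuid root or carrying cap_dac_override, since pam_unix cannot verify non-root passwords otherwise. The old ebuild also removed `${D}/etc/environment` and installed a Flatcar tmpfiles pam.conf from FILESDIR; neither happens here, so presumably a post_src_install hook now covers both — worth confirming against the new create_prod_image check.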


@ -0,0 +1,191 @@
# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
MY_P="Linux-${PN^^}-${PV}"
# Avoid QA warnings
# Can reconsider w/ EAPI 8 and IDEPEND, bug #810979
TMPFILES_OPTIONAL=1
inherit db-use fcaps flag-o-matic meson-multilib
DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)"
HOMEPAGE="https://github.com/linux-pam/linux-pam"
if [[ ${PV} == *_p* ]] ; then
PAM_COMMIT="e634a3a9be9484ada6e93970dfaf0f055ca17332"
SRC_URI="
https://github.com/linux-pam/linux-pam/archive/${PAM_COMMIT}.tar.gz -> ${P}.gh.tar.gz
"
S="${WORKDIR}"/linux-${PN}-${PAM_COMMIT}
else
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/strace.asc
inherit verify-sig
SRC_URI="
https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz
verify-sig? ( https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz.asc )
"
S="${WORKDIR}/${MY_P}"
BDEPEND="verify-sig? ( sec-keys/openpgp-keys-strace )"
fi
LICENSE="|| ( BSD GPL-2 )"
SLOT="0"
KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux"
IUSE="audit berkdb elogind examples debug nis nls selinux systemd"
REQUIRED_USE="?? ( elogind systemd )"
# meson.build specifically checks for bison and then byacc
# also requires xsltproc
BDEPEND+="
|| ( sys-devel/bison dev-util/byacc )
app-text/docbook-xsl-ns-stylesheets
dev-libs/libxslt
sys-devel/flex
virtual/pkgconfig
nls? ( sys-devel/gettext )
"
DEPEND="
virtual/libcrypt:=[${MULTILIB_USEDEP}]
>=virtual/libintl-0-r1[${MULTILIB_USEDEP}]
audit? ( >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] )
berkdb? ( >=sys-libs/db-4.8.30-r1:=[${MULTILIB_USEDEP}] )
!berkdb? ( sys-libs/gdbm:=[${MULTILIB_USEDEP}] )
elogind? ( >=sys-auth/elogind-254 )
selinux? ( >=sys-libs/libselinux-2.2.2-r4[${MULTILIB_USEDEP}] )
systemd? ( >=sys-apps/systemd-254:= )
nis? (
net-libs/libnsl:=[${MULTILIB_USEDEP}]
>=net-libs/libtirpc-0.2.4-r2:=[${MULTILIB_USEDEP}]
)
"
RDEPEND="${DEPEND}"
PDEPEND=">=sys-auth/pambase-20200616"
PATCHES=(
"${FILESDIR}"/${P}-32-bit-lastlog.patch
"${FILESDIR}"/${P}-32-bit-timestamp.patch
)
src_configure() {
# meson.build sets -Wl,--fatal-warnings and with e.g. mold, we get:
# cannot assign version `global` to symbol `pam_sm_open_session`: symbol not found
append-ldflags $(test-flags-CCLD -Wl,--undefined-version)
# Do not let user's BROWSER setting mess us up, bug #549684
unset BROWSER
meson-multilib_src_configure
}
multilib_src_configure() {
local machine_file="${T}/meson.${CHOST}.${ABI}.ini.local"
# Workaround for docbook5 not being packaged (bug #913087#c4)
# It's only used for validation of output, so stub it out.
# Also, stub out elinks+w3m which are only used for an index.
cat >> "${machine_file}" <<-EOF || die
[binaries]
xmlcatalog='true'
xmllint='true'
elinks='true'
w3m='true'
EOF
local emesonargs=(
--native-file "${machine_file}"
$(meson_feature audit)
$(meson_native_use_bool examples)
$(meson_use debug pam-debug)
$(meson_feature nis)
$(meson_feature nls i18n)
$(meson_feature selinux)
-Disadir='.'
-Dxml-catalog="${BROOT}"/etc/xml/catalog
-Dsbindir="${EPREFIX}"/sbin
-Dsecuredir="${EPREFIX}"/$(get_libdir)/security
-Ddocdir="${EPREFIX}"/usr/share/doc/${PF}
-Dhtmldir="${EPREFIX}"/usr/share/doc/${PF}/html
-Dpdfdir="${EPREFIX}"/usr/share/doc/${PF}/pdf
$(meson_native_enabled docs)
-Dpam_unix=enabled
# TODO: wire this up now it's more useful as of 1.5.3 (bug #931117)
-Deconf=disabled
# TODO: lastlog is enabled again for now by us as elogind support
# wasn't available at first. Even then, disabling lastlog will
# probably need a news item.
$(meson_native_use_feature systemd logind)
$(meson_native_use_feature elogind)
$(meson_feature !elibc_musl pam_lastlog)
)
if use berkdb; then
local dbver
dbver="$(db_findver sys-libs/db)" || die "could not find db version"
local -x CPPFLAGS="${CPPFLAGS} -I$(db_includedir "${dbver}")"
emesonargs+=(
-Ddb=db
-Ddb-uniquename="-${dbver}"
)
else
emesonargs+=(
-Ddb=gdbm
)
fi
# This whole weird has_version libxcrypt block can go once
# musl systems have libxcrypt[system] if we ever make
# that mandatory. See bug #867991.
#if use elibc_musl && ! has_version sys-libs/libxcrypt[system] ; then
# # Avoid picking up symbol-versioned compat symbol on musl systems
# export ac_cv_search_crypt_gensalt_rn=no
#
# # Need to avoid picking up the libxcrypt headers which define
# # CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY.
# cp "${ESYSROOT}"/usr/include/crypt.h "${T}"/crypt.h || die
# append-cppflags -I"${T}"
#fi
meson_src_configure
}
multilib_src_install_all() {
find "${ED}" -type f -name '*.la' -delete || die
# tmpfiles.eclass is impossible to use because
# there is the pam -> tmpfiles -> systemd -> pam dependency loop
dodir /usr/lib/tmpfiles.d
cat ->> "${ED}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_
d /run/faillock 0755 root root
_EOF_
use selinux && cat ->> "${ED}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-selinux.conf <<-_EOF_
d /run/sepermit 0755 root root
_EOF_
}
pkg_postinst() {
ewarn "Some software with pre-loaded PAM libraries might experience"
ewarn "warnings or failures related to missing symbols and/or versions"
ewarn "after any update. While unfortunate this is a limit of the"
ewarn "implementation of PAM and the software, and it requires you to"
ewarn "restart the software manually after the update."
ewarn ""
ewarn "You can get a list of such software running a command like"
ewarn " lsof / | grep -E -i 'del.*libpam\\.so'"
ewarn ""
ewarn "Alternatively, simply reboot your system."
# The pam_unix module needs to check the password of the user which requires
# read access to /etc/shadow only.
fcaps -m u+s cap_dac_read_search sbin/unix_chkpwd
}
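Review bot: The `-m u+s` argument on the `fcaps` call in pkg_postinst selects a fallback that makes unix_chkpwd setuid root whenever file capabilities cannot be applied (for example a target filesystem without xattr support), which is a far broader privilege than the `cap_dac_read_search` the preceding comment justifies as "read access to /etc/shadow only". Whether the eclass prints a warning when it takes that fallback I cannot confirm from this page, so the trade-off should at least be documented at the call site, e.g. `# -m u+s: fall back to setuid root only if file caps cannot be set; strictly broader than cap_dac_read_search`. For Flatcar images built into ROOT it is worth confirming in the build log which of the two paths actually applies.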


@ -0,0 +1,202 @@
# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
MY_P="Linux-${PN^^}-${PV}"
# Avoid QA warnings
# Can reconsider w/ EAPI 8 and IDEPEND, bug #810979
TMPFILES_OPTIONAL=1
inherit db-use flag-o-matic meson-multilib user-info
DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)"
HOMEPAGE="https://github.com/linux-pam/linux-pam"
if [[ ${PV} == *_p* ]] ; then
PAM_COMMIT="e634a3a9be9484ada6e93970dfaf0f055ca17332"
SRC_URI="
https://github.com/linux-pam/linux-pam/archive/${PAM_COMMIT}.tar.gz -> ${P}.gh.tar.gz
"
S="${WORKDIR}"/linux-${PN}-${PAM_COMMIT}
else
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/strace.asc
inherit verify-sig
SRC_URI="
https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz
verify-sig? ( https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz.asc )
"
S="${WORKDIR}/${MY_P}"
BDEPEND="verify-sig? ( sec-keys/openpgp-keys-strace )"
fi
LICENSE="|| ( BSD GPL-2 )"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux"
IUSE="audit berkdb elogind examples debug nis nls selinux systemd"
REQUIRED_USE="?? ( elogind systemd )"
# meson.build specifically checks for bison and then byacc
# also requires xsltproc
BDEPEND+="
acct-group/shadow
|| ( sys-devel/bison dev-util/byacc )
app-text/docbook-xsl-ns-stylesheets
dev-libs/libxslt
sys-devel/flex
virtual/pkgconfig
nls? ( sys-devel/gettext )
"
DEPEND="
virtual/libcrypt:=[${MULTILIB_USEDEP}]
>=virtual/libintl-0-r1[${MULTILIB_USEDEP}]
audit? ( >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] )
berkdb? ( >=sys-libs/db-4.8.30-r1:=[${MULTILIB_USEDEP}] )
!berkdb? ( sys-libs/gdbm:=[${MULTILIB_USEDEP}] )
elogind? ( >=sys-auth/elogind-254 )
selinux? ( >=sys-libs/libselinux-2.2.2-r4[${MULTILIB_USEDEP}] )
systemd? ( >=sys-apps/systemd-254:= )
nis? (
net-libs/libnsl:=[${MULTILIB_USEDEP}]
>=net-libs/libtirpc-0.2.4-r2:=[${MULTILIB_USEDEP}]
)
"
RDEPEND="${DEPEND}
acct-group/shadow
"
PDEPEND=">=sys-auth/pambase-20200616"
PATCHES=(
"${FILESDIR}"/${P}-32-bit-lastlog.patch
"${FILESDIR}"/${P}-32-bit-timestamp.patch
)
src_configure() {
# meson.build sets -Wl,--fatal-warnings and with e.g. mold, we get:
# cannot assign version `global` to symbol `pam_sm_open_session`: symbol not found
append-ldflags $(test-flags-CCLD -Wl,--undefined-version)
# Do not let user's BROWSER setting mess us up, bug #549684
unset BROWSER
meson-multilib_src_configure
}
multilib_src_configure() {
local machine_file="${T}/meson.${CHOST}.${ABI}.ini.local"
# Workaround for docbook5 not being packaged (bug #913087#c4)
# It's only used for validation of output, so stub it out.
# Also, stub out elinks+w3m which are only used for an index.
cat >> "${machine_file}" <<-EOF || die
[binaries]
xmlcatalog='true'
xmllint='true'
elinks='true'
w3m='true'
EOF
local emesonargs=(
--native-file "${machine_file}"
$(meson_feature audit)
$(meson_native_use_bool examples)
$(meson_use debug pam-debug)
$(meson_feature nis)
$(meson_feature nls i18n)
$(meson_feature selinux)
-Disadir='.'
-Dxml-catalog="${BROOT}"/etc/xml/catalog
-Dsbindir="${EPREFIX}"/sbin
-Dsecuredir="${EPREFIX}"/$(get_libdir)/security
-Ddocdir="${EPREFIX}"/usr/share/doc/${PF}
-Dhtmldir="${EPREFIX}"/usr/share/doc/${PF}/html
-Dpdfdir="${EPREFIX}"/usr/share/doc/${PF}/pdf
$(meson_native_enabled docs)
-Dpam_unix=enabled
# TODO: wire this up now it's more useful as of 1.5.3 (bug #931117)
-Deconf=disabled
# TODO: lastlog is enabled again for now by us as elogind support
# wasn't available at first. Even then, disabling lastlog will
# probably need a news item.
$(meson_native_use_feature systemd logind)
$(meson_native_use_feature elogind)
$(meson_feature !elibc_musl pam_lastlog)
)
if use berkdb; then
local dbver
dbver="$(db_findver sys-libs/db)" || die "could not find db version"
local -x CPPFLAGS="${CPPFLAGS} -I$(db_includedir "${dbver}")"
emesonargs+=(
-Ddb=db
-Ddb-uniquename="-${dbver}"
)
else
emesonargs+=(
-Ddb=gdbm
)
fi
# This whole weird has_version libxcrypt block can go once
# musl systems have libxcrypt[system] if we ever make
# that mandatory. See bug #867991.
#if use elibc_musl && ! has_version sys-libs/libxcrypt[system] ; then
# # Avoid picking up symbol-versioned compat symbol on musl systems
# export ac_cv_search_crypt_gensalt_rn=no
#
# # Need to avoid picking up the libxcrypt headers which define
# # CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY.
# cp "${ESYSROOT}"/usr/include/crypt.h "${T}"/crypt.h || die
# append-cppflags -I"${T}"
#fi
meson_src_configure
}
multilib_src_install_all() {
find "${ED}" -type f -name '*.la' -delete || die
fowners :shadow /sbin/unix_chkpwd
fperms g+s /sbin/unix_chkpwd
# tmpfiles.eclass is impossible to use because
# there is the pam -> tmpfiles -> systemd -> pam dependency loop
dodir /usr/lib/tmpfiles.d
cat ->> "${ED}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_
d /run/faillock 0755 root root
_EOF_
use selinux && cat ->> "${ED}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-selinux.conf <<-_EOF_
d /run/sepermit 0755 root root
_EOF_
}
pkg_postinst() {
if [[ -n ${ROOT} ]]; then
# Portage does not currently update the gid on installed files
# based on ${EROOT}/etc/group.
local gid=$(egetent group shadow | cut -d: -f3)
if [[ -n ${gid} ]]; then
chgrp "${gid}" "${EROOT}/sbin/unix_chkpwd" &&
chmod g+s "${EROOT}/sbin/unix_chkpwd"
fi
fi
ewarn "Some software with pre-loaded PAM libraries might experience"
ewarn "warnings or failures related to missing symbols and/or versions"
ewarn "after any update. While unfortunate this is a limit of the"
ewarn "implementation of PAM and the software, and it requires you to"
ewarn "restart the software manually after the update."
ewarn ""
ewarn "You can get a list of such software running a command like"
ewarn " lsof / | grep -E -i 'del.*libpam\\.so'"
ewarn ""
ewarn "Alternatively, simply reboot your system."
}
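Review bot: The ROOT branch of pkg_postinst fails silently: `local gid=$(egetent group shadow | cut -d: -f3)` masks the exit status of the lookup, an empty `gid` skips the fix-up without any message, and a failing `chgrp`/`chmod` pair is not reported either, so a target image can end up with `${EROOT}/sbin/unix_chkpwd` lacking the setgid-shadow bit that the install-time `fowners :shadow` / `fperms g+s` in multilib_src_install_all intended. Since this helper is presumably how pam_unix reads /etc/shadow for non-root callers, that outcome should be loud rather than silent; I would split the declaration from the assignment and add an eerror on both failure paths, as sketched below. Separately, the setgid-shadow approach relies on /etc/shadow being group-readable by shadow on the target, which nothing in this ebuild establishes — worth confirming that the package owning /etc/shadow in Flatcar sets that mode.

```shell
pkg_postinst() {
	if [[ -n ${ROOT} ]]; then
		# Portage does not currently update the gid on installed files
		# based on ${EROOT}/etc/group.
		local gid
		gid=$(egetent group shadow | cut -d: -f3)
		if [[ -n ${gid} ]]; then
			chgrp "${gid}" "${EROOT}/sbin/unix_chkpwd" &&
			chmod g+s "${EROOT}/sbin/unix_chkpwd" ||
			eerror "Failed to make ${EROOT}/sbin/unix_chkpwd setgid shadow"
		else
			eerror "Group 'shadow' not found in ${EROOT}/etc/group; ${EROOT}/sbin/unix_chkpwd is not setgid shadow"
		fi
	fi
	# … unchanged: ewarn block about restarting software with pre-loaded libpam …
}
```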