diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list index 8b1b330ba4..d74f49d833 100644 --- a/.github/workflows/portage-stable-packages-list +++ b/.github/workflows/portage-stable-packages-list @@ -179,6 +179,7 @@ app-shells/gentoo-bashcomp app-text/asciidoc app-text/build-docbook-catalog app-text/docbook-xml-dtd +app-text/docbook-xsl-ns-stylesheets app-text/docbook-xsl-stylesheets app-text/mandoc app-text/manpager @@ -318,8 +319,8 @@ dev-python/fastjsonschema dev-python/flit-core dev-python/gentoo-common dev-python/gpep517 -dev-python/hatchling dev-python/hatch-vcs +dev-python/hatchling dev-python/idna dev-python/installer dev-python/jaraco-collections @@ -504,8 +505,8 @@ licenses media-libs/libpng -net-analyzer/openbsd-netcat net-analyzer/netperf +net-analyzer/openbsd-netcat net-analyzer/tcpdump net-analyzer/traceroute @@ -633,6 +634,7 @@ sys-apps/util-linux sys-apps/which sys-apps/zram-generator +sys-auth/pambase sys-auth/polkit sys-auth/sssd @@ -705,6 +707,7 @@ sys-libs/libunwind sys-libs/liburing sys-libs/libxcrypt sys-libs/ncurses +sys-libs/pam sys-libs/readline sys-libs/talloc sys-libs/tdb diff --git a/build_library/prod_image_util.sh b/build_library/prod_image_util.sh index 9beaf7f433..7463f26d40 100755 --- a/build_library/prod_image_util.sh +++ b/build_library/prod_image_util.sh 
@@ -158,10 +158,14 @@ create_prod_image() {
 L+ /etc/ld.so.conf - - - - ../usr/lib/ld.so.conf
 EOF
 
- # Move the PAM configuration into /usr
- sudo mkdir -p ${root_fs_dir}/usr/lib/pam.d
- sudo mv -n ${root_fs_dir}/etc/pam.d/* ${root_fs_dir}/usr/lib/pam.d/
- sudo rmdir ${root_fs_dir}/etc/pam.d
+ local -a bad_pam_files
+ mapfile -t -d '' bad_pam_files < <(find "${root_fs_dir}"/etc/security "${root_fs_dir}"/etc/pam.d ! -type d ! -name '.keep*' -print0)
+ if [[ ${#bad_pam_files[@]} -gt 0 ]]; then
+ error "Found following PAM config files: ${bad_pam_files[@]#"${root_fs_dir}"}"
+ error "Expected them to be either removed or, better, vendored (/etc/pam.d files should be in /usr/lib/pam, /etc/security files should be in /usr/lib/pam/security)."
+ error "Vendoring can be done with vendorize_pam_files inside a post_src_install hook for the package that installed the config file."
+ die "PAM config errors spotted"
+ fi
 
 # Remove source locale data, only need to ship the compiled archive.
 sudo rm -rf ${root_fs_dir}/usr/share/i18n/
diff --git a/build_packages b/build_packages
index 99f5543afd..d300edff82 100755
--- a/build_packages
+++ b/build_packages
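Review bot: The `find` feeding `mapfile` runs without `sudo`, although every other command touching `${root_fs_dir}` in this function uses it; if either `/etc/security` or `/etc/pam.d` is not readable by the build user, find's error goes to stderr, `mapfile` receives an empty list, and the check passes vacuously because the exit status of a process substitution is never examined. Since this check is what enforces that no PAM policy remains in `/etc` on the production image, it should fail closed: run it as `sudo find ...` (matching the surrounding commands) and, if you want to keep the process substitution, capture find's stderr into the same array or guard the two directories with `[[ -d ... ]]` so a traversal failure is distinguishable from "nothing found". The `! -name '.keep*'` exclusion depends on the exact names `keepdir` produces; a one-line comment saying so would help the next person who touches either side. create_prod_image's body continues outside the hunk.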
@@ -266,13 +266,18 @@ if [[ "${FLAGS_usepkgonly}" -eq "${FLAGS_FALSE}" ]]; then
 # lvm2[udev] -> virtual/udev -> systemd[cryptsetup] -> cryptsetup -> lvm2
 # lvm2[systemd] -> systemd[cryptsetup] -> cryptsetup -> lvm2
 # systemd[cryptsetup] -> cryptsetup[udev] -> virtual/udev -> systemd
+ # systemd[tpm] -> tpm2-tss -> util-linux[udev] -> virtual/udev -> systemd
 # curl[http2] -> nghttp2[systemd] -> systemd[curl] -> curl
+ # sys-libs/pam[systemd] -> sys-apps/system[pam] -> sys-libs/pam
+ # not dropping pam from sys-apps/systemd, otherwise we would need
+ # to drop pam from sys-auth/pambase
 break_dep_loop sys-apps/util-linux udev,systemd,cryptsetup \
 sys-fs/cryptsetup udev \
 sys-fs/lvm2 udev,systemd \
 sys-apps/systemd cryptsetup,tpm \
 net-misc/curl http2 \
- net-libs/nghttp2 systemd
+ net-libs/nghttp2 systemd \
+ sys-libs/pam systemd
 fi
 
 if [[ "${FLAGS_only_resolve_circular_deps}" -eq "${FLAGS_TRUE}" ]]; then
diff --git a/changelog/security/2025-10-29-pam.md b/changelog/security/2025-10-29-pam.md
new file mode 100644
index 0000000000..7dd7a6e606
--- /dev/null
+++ b/changelog/security/2025-10-29-pam.md
@@ -0,0 +1 @@
+- pam ([CVE-2024-22365](https://nvd.nist.gov/vuln/detail/CVE-2024-22365), [CVE-2024-10041](https://nvd.nist.gov/vuln/detail/CVE-2024-10041), [CVE-2024-10963](https://nvd.nist.gov/vuln/detail/CVE-2024-10963), [CVE-2025-6020](https://nvd.nist.gov/vuln/detail/CVE-2025-6020))
diff --git a/changelog/updates/2025-10-29-pam.md b/changelog/updates/2025-10-29-pam.md
new file mode 100644
index 0000000000..f167f253a3
--- /dev/null
+++ b/changelog/updates/2025-10-29-pam.md
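Review bot: The new comment line `# sys-libs/pam[systemd] -> sys-apps/system[pam] -> sys-libs/pam` names a package that does not exist; the cycle the next two lines talk about goes through systemd, so it should read `# sys-libs/pam[systemd] -> sys-apps/systemd[pam] -> sys-libs/pam`. The `break_dep_loop` argument `sys-libs/pam systemd` matches the comment's stated intent of dropping `systemd` from pam rather than `pam` from systemd, so only the comment needs the fix.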
@@ -0,0 +1,2 @@ +- base, dev: pam ([1.7.1](https://github.com/linux-pam/linux-pam/releases/tag/v1.7.1) (includes [1.7.0](https://github.com/linux-pam/linux-pam/releases/tag/v1.7.0), [1.6.1](https://github.com/linux-pam/linux-pam/releases/tag/v1.6.1), [1.6.0](https://github.com/linux-pam/linux-pam/releases/tag/v1.6.0))) +- base, dev: pambase ([20251013](https://gitweb.gentoo.org/proj/pambase.git/log/?h=pambase-20251013)) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-vmware/files/manglefs.sh b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-vmware/files/manglefs.sh index a0e17ca6ec..71b3db54e1 100755 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-vmware/files/manglefs.sh +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-vmware/files/manglefs.sh @@ -8,8 +8,6 @@ cd "${rootfs}" # Move stuff out of /etc. The systemd unit files are patched to create # symlinks from /etc to those directories. -mkdir -p usr/lib/pam.d -mv etc/pam.d/vmtoolsd usr/lib/pam.d/vmtoolsd mkdir -p usr/share/flatcar/oem-vmware mv etc/vmware-tools usr/share/flatcar/oem-vmware/vmware-tools diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-admin/sudo b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-admin/sudo index 89bd428736..3bd9e65f86 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-admin/sudo +++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-admin/sudo 
@@ -1,9 +1,12 @@
-cros_post_src_install_keep_etc_sudoers_d() {
- # Flatcar: Build system installs /etc/sudoers.d, let's make
- # sure we keep having it.
+cros_post_src_install_flatcar_modifications() {
+ # Build system installs /etc/sudoers.d, let's make sure we keep
+ # having it.
 #
 # Upstream PR: https://github.com/gentoo/gentoo/pull/37397
 keepdir /etc/sudoers.d
+
+ # Move pam files to /usr.
+ vendorize_pam_files
 }
 
 # We don't ship OpenLDAP schemas (why?) and we provide sudo.conf
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-emulation/open-vm-tools b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-emulation/open-vm-tools
new file mode 100644
index 0000000000..36c7a9887d
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-emulation/open-vm-tools
@@ -0,0 +1,3 @@
+cros_post_src_install_vendorize_pam() {
+ vendorize_pam_files
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/dev-libs/cyrus-sasl b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/dev-libs/cyrus-sasl
index f730ae0878..ca25efa7fb 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/dev-libs/cyrus-sasl
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/dev-libs/cyrus-sasl
@@ -3,3 +3,7 @@
 # obviously won't work in case of cross-compilation, so we state up
 # front that SPNEGO is supported.
 export ac_cv_gssapi_supports_spnego=yes
+
+cros_post_src_install_vendorize_pam() {
+ vendorize_pam_files
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/dev-libs/libpwquality b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/dev-libs/libpwquality
new file mode 100644
index 0000000000..36c7a9887d
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/dev-libs/libpwquality
@@ -0,0 +1,3 @@
+cros_post_src_install_vendorize_pam() {
+ vendorize_pam_files
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-fs/samba b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-fs/samba
index dda472eea0..96510ff3dc 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-fs/samba
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-fs/samba
@@ -31,4 +31,7 @@ cros_post_src_install_samba_flatcar_modifications() {
 rm -rf "${ED}/usr/$(get_libdir)/perl"*
 rm -rf "${ED}/usr/$(get_libdir)/python"*
 rm -rf "${ED}/var"
+
+ # Move pam files to /usr.
+ vendorize_pam_files
 }
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-misc/openssh b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-misc/openssh
index 3a8ef725d0..77a32cfa39 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-misc/openssh
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-misc/openssh
@@ -8,3 +8,7 @@ if [[ $(flatcar_target) != 'sdk' ]] ; then
 INSTALL_MASK+="${openssh_mask}"
 unset openssh_mask
 fi
+
+cros_post_src_install_vendorize_pam() {
+ vendorize_pam_files
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/kbd b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/kbd
new file mode 100644
index 0000000000..36c7a9887d
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/kbd
@@ -0,0 +1,3 @@
+cros_post_src_install_vendorize_pam() {
+ vendorize_pam_files
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/policycoreutils b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/policycoreutils
index 756358188e..8b6c1ef2cd 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/policycoreutils
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/policycoreutils
@@ -14,3 +14,7 @@ cros_post_src_install_set_up_var_lib_selinux() { mv "${ED}/var/lib/selinux" "${ED}/usr/lib/selinux/policy" dosym -r /usr/lib/selinux/policy /var/lib/selinux } + +cros_post_src_install_vendorize_pam() { + vendorize_pam_files +} diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/shadow b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/shadow index f3da0f6627..4d362da703 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/shadow +++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/shadow @@ -72,4 +72,7 @@ ttyS0 ${devs} EOF + + # Move pam files to /usr. + vendorize_pam_files } diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd index 11b7f0ce0d..defe7e8d0b 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd +++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd @@ -9,9 +9,6 @@ flatcar_systemd_meson_args_array=( -Dsystem-gid-max=999 -Dsystem-uid-max=999 - # PAM config directory. - -Dpamconfdir="${EPREFIX}/usr/share/pam.d" - # The CoreOS epoch, Mon Jul 1 00:00:00 UTC 2013. Used by timesyncd # as a sanity check for the minimum acceptable time. Explicitly # set to avoid using the current build time. 
@@ -85,16 +82,24 @@ flatcar_systemctl_preset() {
 }
 
 cros_post_src_install_flatcar_stuff() {
- # We provide our own systemd-user config file in baselayout.
- #
- # This one is installed by systemd build system regardless of
- # USE=pam (the ebuild ought to pass -Dpamconfdir=no to disable the
- # installation).
- rm "${ED}/usr/share/pam.d/systemd-user" || die
- # This one is installed by Gentoo's systemd ebuild only if USE=pam
- # is enabled.
+ # Drop systemd PAM config files installed by systemd build
+ # system. We will replace them below with our own configs if we
+ # have pam enabled.
+ rm "${ED}"/usr/lib/pam.d/systemd-{user,run0} || die
 if use pam; then
- rm "${ED}/etc/pam.d/systemd-user" || die
+ # Clobber systemd-user config file installed by the ebuild
+ # with our own.
+ newpamd - "systemd-user" <<'EOF'
+account include system-auth
+session include system-login
+EOF
+ newpamd - "systemd-run0" <<'EOF'
+account include system-auth
+session include system-login
+EOF
+
+ # And move them to /usr.
+ vendorize_pam_files
 fi
 
 # Ensure journal directory has correct ownership/mode in inital
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/util-linux b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/util-linux
index d7da140d7a..4afa621f87 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/util-linux
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/util-linux
@@ -1,3 +1,7 @@
 # New mount API does not work very well for mounting overlayfs when we
 # are building sysexts.
 export EXTRA_ECONF="--disable-libmount-mountfd-support"
+
+cros_post_src_install_vendorize_pam() {
+ vendorize_pam_files
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-auth/pambase b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-auth/pambase
new file mode 100644
index 0000000000..36c7a9887d
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-auth/pambase
@@ -0,0 +1,3 @@
+cros_post_src_install_vendorize_pam() {
+ vendorize_pam_files
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-auth/sssd b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-auth/sssd
index 6477bc4921..c2b8bd82df 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-auth/sssd
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-auth/sssd
@@ -2,14 +2,10 @@
 # plugin, even if sssd is not running.
 export EXTRA_ECONF="--enable-sss-default-nss-plugin"
 
-# We haven't switched to having pam config in /etc, so move the files
-# to /usr.
-cros_post_src_install_move_pamd() {
- mkdir -p "${ED}/usr/share/"
- mv "${ED}/etc/pam.d" "${ED}/usr/share/pam.d"
-}
+cros_post_src_install_flatcar_modifications() {
+ # This is to make sure that some sssd config is always in place.
+ cp -a "${ED}"/etc/sssd/sssd{-example,}.conf
 
-# This is to make sure that some sssd config is always in place.
-cros_post_src_set_initial_config() {
- cp -a "${ED}"/etc/sssd/sssd{-example,}.conf
+ # Move pam files to /usr.
+ vendorize_pam_files
 }
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-libs/libcap b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-libs/libcap
new file mode 100644
index 0000000000..36c7a9887d
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-libs/libcap
@@ -0,0 +1,3 @@
+cros_post_src_install_vendorize_pam() {
+ vendorize_pam_files
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-libs/pam b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-libs/pam
new file mode 100644
index 0000000000..83d7f0bf60
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-libs/pam
@@ -0,0 +1,16 @@
+flatcar_pam_meson_args_array=(
+ '-Dvendordir=/usr/lib/pam'
+)
+export MYMESONARGS=${flatcar_pam_meson_args_array[*]@Q}
+unset 'flatcar_pam_meson_args_array'
+
+cros_post_src_install_stuff_in_etc() {
+ # Keep empty pam.d and security directories in /etc. In theory we
+ # could omit creating them, but 1. some kola tests rely on them to
+ # exist and 2. empty directories are probably less confusing to
+ # users then no directories at all. For the latter reason, create
+ # also the symlink to the environment file.
+ keepdir /etc/pam.d
+ keepdir /etc/security
+ dosym /usr/lib/pam/environment /etc/environment
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0001-Reorganize-the-login-sessions.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0001-Reorganize-the-login-sessions.patch
new file mode 100644
index 0000000000..8a8a7f8f49
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0001-Reorganize-the-login-sessions.patch
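Review bot: Typo in the comment block of `cros_post_src_install_stuff_in_etc`: `# users then no directories at all.` should be `# users than no directories at all.`. The same comment is also the right place to record the contract these two `keepdir` calls have with the production-image check, which only tolerates files matching `.keep*` under `/etc/pam.d` and `/etc/security`; something like `# The .keep_* files keepdir leaves here are whitelisted by the PAM check in create_prod_image.` would stop a future rename on either side from turning into an unexplained image-build failure.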
@@ -0,0 +1,167 @@ +From 3eb1fea6104cd4bbc978e11974f337549edaf2e4 Mon Sep 17 00:00:00 2001 +From: Krzesimir Nowak +Date: Thu, 9 Oct 2025 17:32:38 +0200 +Subject: [PATCH 1/2] Reorganize the login sessions + +- Move selinux parts from system-login to separate a system-selinux + file. It is conditionally included by system-local-login and + system-remote-login if selinux is enabled. This makes + "pam_selinux.so close" and "pam_selinux.so open" as first rules to + be called in the session. This more or less follows what systemd and + Fedora is doing in its systemd-user PAM config (Fedora seems to be + sandwiching loginuid between the pam_selinux rules, but it should + not matter, since pam_selinux actions affects the process after + execve). This also drops the "multiple" option from "pam_selinux.so + open" rule, because this flag was dropped from the module in 2007. + +- Move the "not minimal" parts from system-login to + system-postlogin. This file gets included by system-remote-login and + system-local-login conditionally, like it used to be in + system-login. + +- Add pam_namespace.so and pam_keyinit.so to system-login. + +- Add pam_umask.so to system-session. + +With these changes, the session part of the systemd-user PAM config in +sys-apps/systemd FILESDIR can be simplified to something like +(assuming that pambase was installed with USE=systemd): + +session pam_selinux.so close +session pam_selinux.so open nottys +session include system-login + +In the selinux-disabled variant of the systemd-user PAM config, the +pam_selinux.so lines would be absent. 
+ +Signed-off-by: Krzesimir Nowak +--- + pambase.py | 2 ++ + templates/system-local-login.tpl | 9 +++++++++ + templates/system-login.tpl | 17 +++-------------- + templates/system-postlogin.tpl | 3 +++ + templates/system-remote-login.tpl | 7 +++++++ + templates/system-selinux.tpl | 2 ++ + templates/system-session.tpl | 1 + + 7 files changed, 27 insertions(+), 14 deletions(-) + create mode 100644 templates/system-postlogin.tpl + create mode 100644 templates/system-selinux.tpl + +diff --git a/pambase.py b/pambase.py +index 4180cbb..0c7450d 100755 +--- a/pambase.py ++++ b/pambase.py +@@ -105,6 +105,8 @@ def parse_templates(processed_args): + "su", + "system-auth", + "system-login", ++ "system-postlogin", ++ "system-selinux", + "system-services", + ] + +diff --git a/templates/system-local-login.tpl b/templates/system-local-login.tpl +index 5e01090..34d8459 100644 +--- a/templates/system-local-login.tpl ++++ b/templates/system-local-login.tpl +@@ -2,12 +2,21 @@ auth include system-login + {% if gnome_keyring %} + auth optional pam_gnome_keyring.so + {% endif %} ++ + account include system-login ++ + password include system-login + {% if gnome_keyring %} + password optional pam_gnome_keyring.so use_authtok + {% endif %} ++ ++{% if selinux %} ++session include system-selinux ++{% endif %} + {% if gnome_keyring %} + session optional pam_gnome_keyring.so auto_start + {% endif %} + session include system-login ++{% if not minimal %} ++session include system-postlogin ++{% endif %} +diff --git a/templates/system-login.tpl b/templates/system-login.tpl +index 77926b7..58018f7 100644 +--- a/templates/system-login.tpl ++++ b/templates/system-login.tpl +@@ -10,23 +10,12 @@ account required pam_time.so + account include system-auth + + password include system-auth +-session optional pam_loginuid.so +-{% if selinux %} +-session required pam_selinux.so close +-{% endif %} + ++session optional pam_loginuid.so + session required pam_env.so envfile=/etc/profile.env {{ debug }} ++session 
required pam_namespace.so ++session optional pam_keyinit.so force revoke + session include system-auth +-{% if selinux %} +-# Note: modules that run in the user's context must come after this line. +-session required pam_selinux.so multiple open +-{% endif %} +- +-{% if not minimal %} +-session optional pam_motd.so motd=/etc/motd +-session optional pam_lastlog.so never showfailed {{ debug }} +-session optional pam_mail.so +-{% endif %} + + {% if systemd %} + -session optional pam_systemd.so +diff --git a/templates/system-postlogin.tpl b/templates/system-postlogin.tpl +new file mode 100644 +index 0000000..06e30cd +--- /dev/null ++++ b/templates/system-postlogin.tpl +@@ -0,0 +1,3 @@ ++session optional pam_motd.so motd=/etc/motd ++session optional pam_lastlog.so never showfailed {{ debug }} ++session optional pam_mail.so +diff --git a/templates/system-remote-login.tpl b/templates/system-remote-login.tpl +index 2f415ed..7a06341 100644 +--- a/templates/system-remote-login.tpl ++++ b/templates/system-remote-login.tpl +@@ -1,4 +1,11 @@ + auth include system-login + account include system-login + password include system-login ++ ++{% if selinux %} ++session include system-selinux ++{% endif %} + session include system-login ++{% if not minimal %} ++session include system-postlogin ++{% endif %} +diff --git a/templates/system-selinux.tpl b/templates/system-selinux.tpl +new file mode 100644 +index 0000000..c094c88 +--- /dev/null ++++ b/templates/system-selinux.tpl +@@ -0,0 +1,2 @@ ++session required pam_selinux.so close ++session required pam_selinux.so open +diff --git a/templates/system-session.tpl b/templates/system-session.tpl +index 150061f..690396f 100644 +--- a/templates/system-session.tpl ++++ b/templates/system-session.tpl +@@ -12,6 +12,7 @@ session [success=1 default=ignore] pam_krb5.so {{ debug }} ignore_root try_firs + session [success=1 default=ignore] pam_systemd_home.so + {% endif %} + ++session optional pam_umask.so {% if debug %}debug{% else %}silent{% endif 
+%} + session required pam_unix.so {{ debug }} + + {% if sssd %} +-- +2.51.0 + diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0002-Flatcar-modifications.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0002-Flatcar-modifications.patch new file mode 100644 index 0000000000..7776e58d0a --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0002-Flatcar-modifications.patch 
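Review bot: `session required pam_namespace.so` is added to system-login.tpl with no arguments, which means the module will look for namespace.conf in the PAM security configuration directory; this page does not show whether Linux-PAM as built with `-Dvendordir=/usr/lib/pam` installs that file under `/usr/lib/pam/security`, and `/etc/security` is now deliberately kept empty. If the file is absent the module cannot parse its configuration and, being `required`, would make every session that includes system-login fail, so please confirm the file is present on a built image, or use `optional` until that is verified. The patch description covers the pam_selinux reordering well; a sentence on why pam_namespace and pam_keyinit are introduced here (what they are expected to do on Flatcar) would make the intent reviewable without reading Fedora's configs.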
@@ -0,0 +1,52 @@ +From 55c811bb55334a9c5ba19e5c7ec61a9ede365a37 Mon Sep 17 00:00:00 2001 +From: Krzesimir Nowak +Date: Fri, 10 Oct 2025 11:47:43 +0200 +Subject: [PATCH 2/2] Flatcar modifications + +--- + templates/system-auth.tpl | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl +index 905d04f..c78f9d6 100644 +--- a/templates/system-auth.tpl ++++ b/templates/system-auth.tpl +@@ -9,11 +9,15 @@ auth [default={{ 3 + homed + (sssd * 3) }}] pam_permit.so + {% endif %} + + {% if sssd %} +-auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular +-auth [default=3 ignore=ignore success=ok] pam_localuser.so ++# FLATCAR: Removed. We aren't limiting login to regular users. ++# auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular ++# FLATCAR: Removed. We have some users and groups in ++# /usr/share/baselayout/passwd, not only in /etc/passwd. ++# auth [default=3 ignore=ignore success=ok] pam_localuser.so + {% endif %} + +-auth requisite pam_faillock.so preauth ++# FLATCAR: Added deny, unlock_time and fail_interval to override defaults. ++auth requisite pam_faillock.so preauth preauth deny=5 unlock_time=60 fail_interval=120 + + {% if homed %} + auth [success=2 default=ignore] pam_systemd_home.so +@@ -45,9 +49,13 @@ account [success={{ 2 if sssd else 1 }} default=ignore] pam_systemd_home.so + account required pam_unix.so {{ debug }} + account required pam_faillock.so + {% if sssd %} +-account sufficient pam_localuser.so +-account sufficient pam_usertype.so issystem +-account [default=bad success=ok user_unknown=ignore] pam_sss.so {{ debug }} ++# FLATCAR: Removed. We have some users and groups in ++# /usr/share/baselayout/passwd, not only in /etc/passwd. ++# account sufficient pam_localuser.so ++# FLATCAR: Removed. Maybe we could keep it? 
++# account sufficient pam_usertype.so issystem ++# FLATCAR: Added ignore when sssd is not running ++account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so {{ debug }} + account required pam_permit.so + {% endif %} + +-- +2.51.0 + diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/README.md b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/README.md new file mode 100644 index 0000000000..b36dac0439 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/README.md @@ -0,0 +1,6 @@ +The `0001-Reorganize-the-login-sessions.patch` is something we could +try to upstream if it is proven to work. + +The `0002-Flatcar-modifications.patch` is just some Flatcar-specific +changes. Not sure if all them are necessary, but it is trying to +more-or-less match the config files from old baselayout. diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/pam/0001-Add-account-locking.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/pam/0001-Add-account-locking.patch new file mode 100644 index 0000000000..ccb4e8280f --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/pam/0001-Add-account-locking.patch 
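Review bot: The rewritten faillock line in system-auth.tpl repeats the action keyword: `auth requisite pam_faillock.so preauth preauth deny=5 unlock_time=60 fail_interval=120` should be `auth requisite pam_faillock.so preauth deny=5 unlock_time=60 fail_interval=120`. The duplicate is probably harmless with the current option parser but is clearly unintended, and the `authfail`/`authsucc` lines that live outside this hunk presumably need the same `deny`/`unlock_time` values to keep lockout and unlock behaviour consistent. Since this series now vendors `/etc/security` into `/usr/lib/pam/security`, the FLATCAR comment could also mention that newer Linux-PAM prefers these settings in `faillock.conf`, so a later move there does not need to rediscover why the values were put on the module line.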
@@ -0,0 +1,28 @@ +From 15730679e629a4f70b98e11accfcaa43e769bbef Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Tue, 5 Apr 2016 22:15:56 -0700 +Subject: [PATCH] Add account locking + +A leading exclamation mark in the password field in /etc/shadow +indicates a locked account. +--- + modules/pam_unix/support.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c +index b95f95e6..947525ce 100644 +--- a/modules/pam_unix/support.c ++++ b/modules/pam_unix/support.c +@@ -877,6 +877,9 @@ _unix_verify_user(pam_handle_t *pamh, + return retval; + } + ++ if (pwent->pw_passwd != NULL && pwent->pw_passwd[0] == '!') ++ return PAM_PERM_DENIED; ++ + if (retval == PAM_SUCCESS && spent == NULL) + return PAM_SUCCESS; + +-- +2.51.0 + diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/pam/README.md b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/pam/README.md new file mode 100644 index 0000000000..c220fff8e2 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/pam/README.md @@ -0,0 +1,5 @@ +The patch adds some locking behavior. Upstream didn't want it: +https://github.com/linux-pam/linux-pam/issues/261. + +Possibly it should be dropped in favor of `chage -E 0`, as mentioned +in the issue. diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use index 037ffd9faf..54e103e8f2 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use 
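Review bot: The patch description says a leading `!` in the /etc/shadow password field marks a locked account, but the inserted check reads `pwent->pw_passwd`, the passwd-database field, and returns `PAM_PERM_DENIED` before the `spent == NULL` handling; with shadow passwords that field is normally `x`, so as written the check only matches a `!` placed directly in the passwd entry, whereas the shadow value would be in `spent->sp_pwdp`. Either the description or the condition should be aligned, and a comment above the `if` stating which database the check is meant to read and why upstream's behaviour is insufficient for Flatcar would let the `chage -E 0` alternative mentioned in the accompanying README be evaluated properly. The rest of `_unix_verify_user` is outside the hunk, so whether a later shadow-based check already covers the `!` prefix is not visible here.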
@@ -194,3 +194,7 @@ dev-lang/rust -system-llvm
 # disable mpfr in gawk, this ends up being pulled into initrd, making
 # it grow by another 2mb
 sys-apps/gawk -mpfr
+
+# We never had passwdqc stuff in old pam sys configs, so disable it
+# for now. Maybe this is something to enable later.
+sys-auth/pambase securetty -passwdqc
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc
index 3e89f0fb61..6165f45d05 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc
@@ -134,6 +134,23 @@ cros_pre_pkg_postinst_no_modifications_of_users() {
 export ACCT_USER_NO_MODIFY=x
 }
 
+# Move pam files from /etc to /usr. It is a no-op for SDK builds.
+#
+# Invoke this in post_src_install hook.
+vendorize_pam_files() {
+ if [[ ${FLATCAR_TYPE} = 'sdk' ]]; then
+ # We don't care about PAM inside SDK.
+ return 0
+ fi
+
+ mkdir -p "${ED}/usr/lib/pam/security"
+
+ tar --create --remove-files --directory "${ED}/etc/security" . | \
+ tar --extract --directory "${ED}/usr/lib/pam/security"
+ tar --create --remove-files --directory "${ED}/etc/pam.d" . | \
+ tar --extract --directory "${ED}/usr/lib/pam"
+}
+
 
 # Source hooks for SLSA build provenance report generation
 source "${BASH_SOURCE[0]}.slsa-provenance"
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/Manifest
index 92c4fa4eae..c5b9971807 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/Manifest
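Review bot: `vendorize_pam_files` in profile.bashrc has no error handling: neither `mkdir -p` nor the two tar pipelines are checked, and most packages wired to it in this series (sudo, openssh, kbd, util-linux, libcap …) install only into `/etc/pam.d`, so `${ED}/etc/security` does not exist for them and the first `tar --create` fails on every such build with its error swallowed by the pipeline. A tar failure mid-way through the `pam.d` move would likewise leave PAM policy files missing from `/usr/lib/pam` while the ebuild still succeeds, and the only backstop is the later `find` check in `create_prod_image`, which does not see files that were lost rather than left behind. Skip directories that are absent and fail the ebuild when tar fails; `assert` checks every element of `PIPESTATUS`, which a plain `|| die` after a pipeline does not. If the empty `/usr/lib/pam/security` directory is wanted even for packages that ship nothing there, keep the unconditional `mkdir -p` in front of the loop.
```shell
vendorize_pam_files() {
    if [[ ${FLATCAR_TYPE} = 'sdk' ]]; then
        # We don't care about PAM inside SDK.
        return 0
    fi

    local -A dest_of=(
        [security]="${ED}/usr/lib/pam/security"
        [pam.d]="${ED}/usr/lib/pam"
    )
    local subdir
    for subdir in security pam.d; do
        # Most packages ship only /etc/pam.d (or nothing at all);
        # a missing source directory is not an error.
        [[ -d "${ED}/etc/${subdir}" ]] || continue
        mkdir -p "${dest_of[${subdir}]}" || die "mkdir ${dest_of[${subdir}]} failed"
        tar --create --remove-files --directory "${ED}/etc/${subdir}" . | \
            tar --extract --directory "${dest_of[${subdir}]}"
        # assert inspects PIPESTATUS, so a failure of either tar dies here.
        assert "vendorizing ${ED}/etc/${subdir} into ${dest_of[${subdir}]} failed"
    done
}
```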
@@ -1 +1 @@ -DIST flatcar-baselayout-79d3a0c3595dbbea207592dbd9fc2156349764f2.tar.gz 38379 BLAKE2B 74bc041d68c8681c01ce3214f1e18aa67b3ca4d138948a9427dc0c74253c82c8abb9c34f921588f0f8118b5d78a1e2a6cf6f2a75f1e861c2a6fc4a9cbb850b3b SHA512 777512acad0d91f2d4ee575809b1a730f06f7380650dc08c11f4dd4d4f53ce0289868016623a03442f2f1b38f8110751fff0900df74c9d1806d0f6fb7c9e5882 +DIST flatcar-baselayout-ffce3a727a152a5f627063325acda62ba3c9463f.tar.gz 37648 BLAKE2B 7b81bc17305698cb5c4d07452dd92c6a6eeb44c1e93b7b946c30d3dc4b26927c4f0699cca9b3b603ea2081b4b335b7dadcb397cfccd3ab9d84237038c1c8d36c SHA512 a995bcf4936c9d9b3c2e3fbb12dbad29b31e15bb2b2c9d7af73e0ccd94904710bcda7af25d16c10aed41218b83d54c3910baeba58e6ff55fa47ff5f611df2685 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-3.6.8-r18.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-3.6.8-r19.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-3.6.8-r18.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-3.6.8-r19.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild index f24bb40075..854e191335 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild @@ -8,7 +8,7 @@ if [[ "${PV}" == 9999 ]]; then inherit git-r3 KEYWORDS="~amd64 ~arm64" else - EGIT_COMMIT="79d3a0c3595dbbea207592dbd9fc2156349764f2" # flatcar-master + EGIT_COMMIT="ffce3a727a152a5f627063325acda62ba3c9463f" # flatcar-master SRC_URI="https://github.com/flatcar/baselayout/archive/${EGIT_COMMIT}.tar.gz -> flatcar-${PN}-${EGIT_COMMIT}.tar.gz" S="${WORKDIR}/${PN}-${EGIT_COMMIT}" KEYWORDS="amd64 arm64" 
@@ -49,12 +49,6 @@ src_prepare() {
 rm -f lib/tmpfiles.d/baselayout-etc-issue.conf || die
 fi
 
- # sssd not yet building on arm64
- if use arm64; then
- sed -i -e 's/ sss//' share/baselayout/nsswitch.conf || die
- sed -i -e '/pam_sss.so/d' lib/pam.d/* || die
- fi
-
 # handle multilib paths. do it here because we want this behavior
 # regardless of the C library that you're using. we do explicitly
 # list paths which the native ldconfig searches, but this isn't
@@ -126,6 +120,11 @@ pkg_postinst() {
 # Also create the directory to avoid having dangling
 # symlinks.
 mkdir -p "${ROOT}/oem"
+
+ # pam situation was messed up big time, create some
+ # symlinks to point to just a single place
+ ln -snfT "pam" "${ROOT}/usr/lib/pam.d"
+ ln -snfT "../lib/pam" "${ROOT}/usr/share/pam.d"
 fi
 
 # The default passwd/group files must exist for some ebuilds
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/README.md b/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/README.md
deleted file mode 100644
index 4b3cb979e1..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/README.md
+++ /dev/null
@@ -1,10 +0,0 @@
-This is a not-really-a-fork of gentoo's `sys-auth/pambase`
-package. The main reasons for having it in `coreos-overlay` are:
-
-1. The `sys-apps/baselayout` package replaced it, so this package
- became a stub.
-
-2. The stub is needed for compatibility with gentoo packages that
- depend on pambase. When updating some package that depends on a
- greater version of pambase than this stub provides, simply bump the
- version of the the stub, so the dependency can be satisfied.
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/metadata.xml b/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/metadata.xml
deleted file mode 100644
index db98702ec2..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/metadata.xml
+++ /dev/null
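Review bot: The two new `ln -snfT` calls in `pkg_postinst` are not followed by `|| die`; with `-T`, `ln` refuses to replace an existing real directory, so if `${ROOT}/usr/lib/pam.d` or `${ROOT}/usr/share/pam.d` already exists as a directory (a package merged before baselayout's postinst that still installs there is exactly the situation the comment calls messed up) the symlink is silently not created and PAM config lookups through that path no longer land in `/usr/lib/pam`. Suggest `ln -snfT "pam" "${ROOT}/usr/lib/pam.d" || die` and the same for the `../lib/pam` link, optionally after removing a pre-existing empty directory with `rmdir`. The comment would also benefit from naming the target layout (`/usr/lib/pam` is pam's vendordir) instead of only describing the history. pkg_postinst starts before this hunk.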
@@ -1,7 +0,0 @@
-
-
-
-
- flatcar/baselayout
-
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/pambase-20220214.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/pambase-20220214.ebuild
deleted file mode 100644
index 86c3cef520..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/pambase-20220214.ebuild
+++ /dev/null
@@ -1,14 +0,0 @@
-# Copyright 1999-2014 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-DESCRIPTION="Compatibility ebuild stub for Flatcar"
-HOMEPAGE="https://github.com/flatcar/baselayout"
-
-LICENSE="metapackage"
-SLOT="0"
-KEYWORDS="amd64 arm arm64 x86"
-
-RDEPEND=">=sys-apps/baselayout-3.6
- >=sys-libs/pam-1.4"
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/Manifest
deleted file mode 100644
index 626b381141..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/Manifest
+++ /dev/null
@@ -1,4 +0,0 @@
-DIST Linux-PAM-1.5.3-docs.tar.xz 466340 BLAKE2B 6bade3c63ebe6b6ca7a86d7385850bb87bf1d6526add3ac5aad140533516c1d27b594a17d09c4127ff985c42e6c571618785d6b2a2913e6575678c4dcf947dc0 SHA512 a9082823da88e0054d74e13aef872519ced5fbef25c8cc1a7e3a99160f835aa09c9ef701b6ec507acd3b540da0019288424bb4c8ebd828181ea90450db1494a9
-DIST Linux-PAM-1.5.3.tar.xz 1020076 BLAKE2B 362c939f3afc343e6f4e78e7f6ba6f7a9c6ee0a9948bb5a4fc34cecfd29e9fa974082534d4ceedd04d8d3e34c7b3ef43d2a07ba5f41d26da04ec8330fc3790fb SHA512 af88e8c1b6a9b737ffaffff7dd9ed8eec996d1fbb5804fb76f590bed66d8a1c2c6024a534d7a7b6d18496b300f3d6571a08874cf406cd2e8cea1d5eff49c136a
-DIST Linux-PAM-1.6.1-docs.tar.xz 465516 BLAKE2B c39dfba2e327120edc1f30be6ea7f8e6cf20d1f4dd17752cc34e0ae1c0bd22b3d19b94ab665bf3df5bd6ecc7fc358dbbedd8a3069df95ff6189580e538aa3547 SHA512 c6054ec6832f604c0654cf074e4e241c44037fd41cd37cca7da94abe008ff72adc4466d31bd254517eda083c7ec3f6aefd37785b3ee3d0d4553250bd29963855
-DIST Linux-PAM-1.6.1.tar.xz 1054152 BLAKE2B 649b4ff892fbd3eb90adcbd9ccc5b3f5df51bf1c79b9084c7a1613c432587b13b81761d1eb4f31ef12d58843d16af24a3c441d0b6f5d2f2a1db9c8da15a61e2f SHA512 ddb5a5f296f564b76925324550d29f15d342841a97815336789c7bb922a8663e831edeb54f3dcd1eaf297e3325c9e2e6c14b8740def5c43cf3f160a8a14fa2ea
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md
deleted file mode 100644
index 9500945b40..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md
+++ /dev/null
@@ -1,21 +0,0 @@ -This is a fork of gentoo's sys-libs/pam package. The main reasons -for having our fork seem to be: - -1. We add a locked account functionality. If the account in - `/etc/shadow` has an exclamation mark (`!`) as a first character in - the password field, then the account is blocked. - -2. We install configuration in `/usr/lib/pam`, so the configuration in - `/etc` provided by administration can override the config we - install. - -3. For an unknown reason we drop `gen_usr_ldscript -a pam pam_misc - pamc` from the recipe. - -4. We make the `/sbin/unix_chkpwd` binary a suid one instead of - overriding giving it a CAP_DAC_OVERRIDE to avoid a dependency loop - between pam and libcap. The binary needs to be able to read - /etc/shadow, so either suid or CAP_DAC_OVERRIDE capability should - work. A suid binary is strictly less secure than capability - override, so in long-term we would prefer to avoid having this - hack. On the other hand - this is what we had so far. diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch deleted file mode 100644 index a58d3eb28c..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch +++ /dev/null 
@@ -1,13 +0,0 @@ -diff -ur linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16.orig/modules/pam_unix/support.c linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16/modules/pam_unix/support.c ---- linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16.orig/modules/pam_unix/support.c 2020-08-18 20:50:27.226355628 +0200 -+++ linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16/modules/pam_unix/support.c 2020-08-18 20:51:20.456212931 +0200 -@@ -847,6 +847,9 @@ - return retval; - } - -+ if (pwent->pw_passwd != NULL && pwent->pw_passwd[0] == '!') -+ return PAM_PERM_DENIED; -+ - if (retval == PAM_SUCCESS && spent == NULL) - return PAM_SUCCESS; - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.3-termios.patch b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.3-termios.patch deleted file mode 100644 index 8f7baf76fe..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.3-termios.patch +++ /dev/null @@ -1,34 +0,0 @@ -Replace System V termio.h with POSIX termios.h for musl -Upstream: https://github.com/linux-pam/linux-pam/pull/576 -Bug: https://bugs.gentoo.org/906137 - -From 5658105b04ad4df212baf302898ee2cca99516a6 Mon Sep 17 00:00:00 2001 -From: Violet Purcell -Date: Thu, 11 May 2023 10:27:53 -0400 -Subject: [PATCH] fix build on musl - ---- a/examples/tty_conv.c -+++ b/examples/tty_conv.c -@@ -6,8 +6,9 @@ - #include - #include - #include --#include -+#include - #include -+#include - - /*************************************** - * @brief echo off/on -@@ -16,7 +17,7 @@ - ***************************************/ - static void echoOff(int fd, int off) - { -- struct termio tty; -+ struct termios tty; - if (ioctl(fd, TCGETA, &tty) < 0) - { - fprintf(stderr, "TCGETA failed: %s\n", strerror(errno)); --- -2.40.1 - 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf
deleted file mode 100644
index 3880b4cbda..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-d /etc/pam.d 0755 root root - -
-d /etc/security 0755 root root - -
-d /etc/security/limits.d 0755 root root - -
-d /etc/security/namespace.d 0755 root root - -
-f /etc/environment 0755 root root - -
-L /etc/security/access.conf - - - - ../../usr/lib/pam/security/access.conf
-L /etc/security/group.conf - - - - ../../usr/lib/pam/security/group.conf
-L /etc/security/limits.conf - - - - ../../usr/lib/pam/security/limits.conf
-L /etc/security/namespace.conf - - - - ../../usr/lib/pam/security/namespace.conf
-L /etc/security/pam_env.conf - - - - ../../usr/lib/pam/security/pam_env.conf
-L /etc/security/time.conf - - - - ../../usr/lib/pam/security/time.conf
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.3-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.3-r1.ebuild
deleted file mode 100644
index d53050dfc1..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.3-r1.ebuild
+++ /dev/null
@@ -1,159 +0,0 @@ -# Copyright 1999-2024 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -MY_P="Linux-${PN^^}-${PV}" - -# Avoid QA warnings -# Can reconsider w/ EAPI 8 and IDEPEND, bug #810979 -TMPFILES_OPTIONAL=1 - -inherit db-use fcaps flag-o-matic toolchain-funcs multilib-minimal - -DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)" -HOMEPAGE="https://github.com/linux-pam/linux-pam" -SRC_URI=" - https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz - https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}-docs.tar.xz -" -S="${WORKDIR}/${MY_P}" - -LICENSE="|| ( BSD GPL-2 )" -SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux" -IUSE="audit berkdb debug nis selinux" - -BDEPEND=" - app-alternatives/yacc - dev-libs/libxslt - app-alternatives/lex - sys-devel/gettext - virtual/pkgconfig -" -DEPEND=" - virtual/libcrypt:=[${MULTILIB_USEDEP}] - >=virtual/libintl-0-r1[${MULTILIB_USEDEP}] - audit? ( >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] ) - berkdb? ( >=sys-libs/db-4.8.30-r1:=[${MULTILIB_USEDEP}] ) - selinux? ( >=sys-libs/libselinux-2.2.2-r4[${MULTILIB_USEDEP}] ) - nis? ( - net-libs/libnsl:=[${MULTILIB_USEDEP}] - >=net-libs/libtirpc-0.2.4-r2:=[${MULTILIB_USEDEP}] - ) -" -RDEPEND="${DEPEND}" -PDEPEND=">=sys-auth/pambase-20200616" - -PATCHES=( - "${FILESDIR}"/${PN}-1.5.0-locked-accounts.patch - "${FILESDIR}/${P}-termios.patch" -) - -src_prepare() { - default - touch ChangeLog || die -} - -multilib_src_configure() { - # Do not let user's BROWSER setting mess us up, bug #549684 - unset BROWSER - - # This whole weird has_version libxcrypt block can go once - # musl systems have libxcrypt[system] if we ever make - # that mandatory. See bug #867991. - if use elibc_musl && ! 
has_version sys-libs/libxcrypt[system] ; then - # Avoid picking up symbol-versioned compat symbol on musl systems - export ac_cv_search_crypt_gensalt_rn=no - - # Need to avoid picking up the libxcrypt headers which define - # CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY. - cp "${ESYSROOT}"/usr/include/crypt.h "${T}"/crypt.h || die - append-cppflags -I"${T}" - fi - - local myconf=( - CC_FOR_BUILD="$(tc-getBUILD_CC)" - --with-db-uniquename=-$(db_findver sys-libs/db) - --with-xml-catalog="${EPREFIX}"/etc/xml/catalog - --enable-securedir="${EPREFIX}"/$(get_libdir)/security - --includedir="${EPREFIX}"/usr/include/security - --libdir="${EPREFIX}"/usr/$(get_libdir) - --enable-pie - --enable-unix - --disable-prelude - --disable-doc - --disable-regenerate-docu - --disable-static - --disable-Werror - # TODO: wire this up now it's more useful as of 1.5.3 (bug #931117) - --disable-econf - - # TODO: add elogind support (bug #931115) - # lastlog is enabled again for now by us until logind support - # is handled. Even then, disabling lastlog will probably need - # a news item. - --disable-logind - --enable-lastlog - - $(use_enable audit) - $(use_enable berkdb db) - $(use_enable debug) - $(use_enable nis) - $(use_enable selinux) - --enable-isadir='.' # bug #464016 - --enable-vendordir="/usr/lib/pam/" - ) - ECONF_SOURCE="${S}" econf "${myconf[@]}" -} - -multilib_src_compile() { - emake sepermitlockdir="/run/sepermit" -} - -multilib_src_install() { - emake DESTDIR="${D}" install \ - sepermitlockdir="/run/sepermit" -} - -multilib_src_install_all() { - find "${ED}" -type f -name '*.la' -delete || die - - # Flatcar: The pam_unix module needs to check the password of - # the user which requires read access to /etc/shadow - # only. Make it suid instead of using CAP_DAC_OVERRIDE to - # avoid a pam -> libcap -> pam dependency loop. 
- fperms 4711 /sbin/unix_chkpwd - - # tmpfiles.eclass is impossible to use because - # there is the pam -> tmpfiles -> systemd -> pam dependency loop - dodir /usr/lib/tmpfiles.d - - rm "${D}/etc/environment" - cp "${FILESDIR}/tmpfiles.d/pam.conf" "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-config.conf - cat ->> "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_ - d /run/faillock 0755 root root - _EOF_ - use selinux && cat ->> "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-selinux.conf <<-_EOF_ - d /run/sepermit 0755 root root - _EOF_ - - local page - - for page in doc/man/*.{3,5,8} modules/*/*.{5,8} ; do - doman ${page} - done -} - -pkg_postinst() { - ewarn "Some software with pre-loaded PAM libraries might experience" - ewarn "warnings or failures related to missing symbols and/or versions" - ewarn "after any update. While unfortunate this is a limit of the" - ewarn "implementation of PAM and the software, and it requires you to" - ewarn "restart the software manually after the update." - ewarn "" - ewarn "You can get a list of such software running a command like" - ewarn " lsof / | grep -E -i 'del.*libpam\\.so'" - ewarn "" - ewarn "Alternatively, simply reboot your system." -} diff --git a/sdk_container/src/third_party/portage-stable/app-text/docbook-xsl-ns-stylesheets/Manifest b/sdk_container/src/third_party/portage-stable/app-text/docbook-xsl-ns-stylesheets/Manifest new file mode 100644 index 0000000000..bb3c6b9bdb --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/app-text/docbook-xsl-ns-stylesheets/Manifest @@ -0,0 +1 @@ +DIST docbook-xsl-ns-1.79.1.tar.bz2 21962317 BLAKE2B a68cc31ea8cb98fc07e198fe55f242c6438284d6fa75d4920a9ca7b5038732f966cc6653e058d7fafb26c0ff49f2039025a48a0f8c0392ee892951723703bce3 SHA512 23fd06870bd5afe4efcd08c8ad679821c202a62442b50657c093cbe9cd71b585a3c56a5534a0d41119f58bf98b1f9014a53ff2e48ab59075ec1827e7363980e9 
diff --git a/sdk_container/src/third_party/portage-stable/app-text/docbook-xsl-ns-stylesheets/docbook-xsl-ns-stylesheets-1.79.1.ebuild b/sdk_container/src/third_party/portage-stable/app-text/docbook-xsl-ns-stylesheets/docbook-xsl-ns-stylesheets-1.79.1.ebuild new file mode 100644 index 0000000000..39ee587c37 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/app-text/docbook-xsl-ns-stylesheets/docbook-xsl-ns-stylesheets-1.79.1.ebuild 
@@ -0,0 +1,82 @@ +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +DOCBOOKDIR="/usr/share/sgml/${PN/-//}" +MY_PN="${PN%-stylesheets}" +MY_P="${MY_PN}-${PV}" + +DESCRIPTION="XSL Stylesheets for Docbook" +HOMEPAGE="https://github.com/docbook/wiki/wiki" +SRC_URI="https://downloads.sourceforge.net/docbook/${MY_P}.tar.bz2" + +LICENSE="BSD" +SLOT="0" +KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86" +IUSE="ruby" + +RDEPEND=">=app-text/build-docbook-catalog-1.4 + ruby? ( dev-lang/ruby )" +DEPEND="" + +S="${WORKDIR}/${MY_P}" + +# Makefile is broken since 1.76.0 +RESTRICT=test + +# The makefile runs tests, not builds. +src_compile() { :; } + +src_test() { + emake check +} + +src_install() { + # The changelog is now zipped, and copied as the RELEASE-NOTES, so we + # don't need to install it + dodoc AUTHORS BUGS NEWS README RELEASE-NOTES.txt TODO + + insinto ${DOCBOOKDIR} + doins VERSION VERSION.xsl + + local i + for i in $(find . -maxdepth 1 -mindepth 1 -type d -exec basename {} \;); do + [[ "${i}" == "epub" ]] && ! use ruby && continue + + cd "${S}"/${i} + for doc in ChangeLog README; do + if [[ -e "${doc}" ]] ; then + mv ${doc} ${doc}.${i} || die + dodoc ${doc}.${i} + rm ${doc}.${i} || die + fi + done + + doins -r "${S}"/${i} + done + + if use ruby; then + local cmd="dbtoepub${MY_PN#docbook-xsl}" + + # we can't use a symlink or it'll look for the library in the + # wrong path. + dodir /usr/bin + cat - > "${ED}"/usr/bin/${cmd} < + + + + + + Install the Ruby-based dbtoepub script; requires an interpreter + compatible with app-eselect/eselect-ruby. + + + + + docbook + docbook/wiki + + diff --git a/sdk_container/src/third_party/portage-stable/sys-auth/pambase/Manifest b/sdk_container/src/third_party/portage-stable/sys-auth/pambase/Manifest new file mode 100644 index 0000000000..6d0c6d611d --- /dev/null 
+++ b/sdk_container/src/third_party/portage-stable/sys-auth/pambase/Manifest
@@ -0,0 +1,3 @@
+DIST pambase-20250826.tar.bz2 4925 BLAKE2B c6929aa506b94b9215bd2c686fd9965d6c3a77f36c7a2d114ca5b2c39a30e2209a84408ee855559837d54161e359723889b89bb9c048bb36b00c7156495968fc SHA512 c9bc07ac617891ddab6f2a8358b10899462d9b54fcc3642d222dd2402914f24225854103b6c581aa2041fb0feb0f94688e07aad10ab94c3a629b4cd2937bd785
+DIST pambase-20250906.tar.bz2 4972 BLAKE2B b65da13a265d5a3df1e84546a8f6e1447d7ea5a40fe4a44488691c4a182cf4b3d13d20ce85778f549d217ebf4b4511e71f5f285b34edf9e9e18bab50b0d22c82 SHA512 639d87169fafb0e44401104ade7dfaa7a5d6bd473d9e4e3c35a0fb87aaf73a383d406ee05944a3190750e55e59decd867ab3f773664f9fb787f40acc05826d1c
+DIST pambase-20251013.tar.bz2 4963 BLAKE2B c2eb355819c28a6b41e8aea843c176769fa53519cb357239712165f0bf507bc21132d732fd2600d9354e2031e55da30beb676f1da854ce4bda687b8de006641a SHA512 968d82e817b209d66ea1719493539ff363a844795efd8584690a4ca9b5f932f5f5a9e8352747b590ae6ffba332a9a7d8e2a224af26bc3a6bdf012736daca9e6c
diff --git a/sdk_container/src/third_party/portage-stable/sys-auth/pambase/metadata.xml b/sdk_container/src/third_party/portage-stable/sys-auth/pambase/metadata.xml
new file mode 100644
index 0000000000..526e8b5c34
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-auth/pambase/metadata.xml
@@ -0,0 +1,105 @@ + + + + + base-system@gentoo.org + + + sam@gentoo.org + Sam James + + + + Use pam_elogind module to register user sessions with elogind. + + + Use pam_systemd module to register user sessions in the systemd + control group hierarchy. + + + Use pam_systemd_home module to manage home directories with + the systemd-homed service + + + Enable debug information logging on syslog(3) for all the + modules supporting this in the system authentication and system + login stacks. + + + Enable pam_passwdqc module on system auth stack for password + quality validation. This module produces warnings, rejecting + or providing example passwords when changing your system password. + It is used by default by OpenWall GNU/*/Linux and by FreeBSD. + + + Enable pam_pwhistory module on system auth stack to save + the last passwords for each user in order to force password + change history and keep the user from alternating between + the same password too frequently. + + + Enable pam_pwquality module on system auth stack for passwd + quality validation. It is used by default by Fedora GNU/*/Linux. + + + Enable pam_mktemp module on system auth stack for session + handling. This module creates a private temporary directory for + the user, and sets TMP and TMPDIR accordingly. + + + Enable pam_ssh module on system auth stack for authentication + and session handling. This module will accept as password the + passphrase of a private SSH key (one of ~/.ssh/id_rsa, + ~/.ssh/id_dsa or ~/.ssh/identity), and will spawn an ssh-agent + instance to cache the open key. + + + Switch Linux-PAM's pam_unix module to use sha512 for passwords + hashes rather than MD5. This option requires + sys-libs/pam version 1.0.1 built against + sys-libs/glibc version 2.7, if it's built against an + earlier version, it will silently be ignored, and MD5 hashes + will be used. All the passwords changed after this USE flag is + enabled will be saved to the shadow file hashed using SHA512 + function. 
The password previously saved will be left + untouched. Please note that while SHA512-hashed passwords will + still be recognised if the USE flag is removed, the shadow file + will not be compatible with systems using an earlier glibc + version. + + + Add System Security Services Daemon (sys-auth/sssd) support + via pam_sss. + + + Switch Linux-PAM's pam_unix module to use yescrypt for passwords hashes rather than MD5 + + + Enable pam_krb5 module on system auth stack, as an alternative + to pam_unix. If Kerberos authentication succeeds, only pam_unix + will be ignorde, and all the other modules will proceed as usual, + including Gnome Keyring and other session modules. It requires + sys-libs/pam as PAM implementation. + + + Disables the standard PAM modules that provide extra information + to users on login; this includes pam_lastlog, pam_motd, pam_mail + and other similar modules. This might not be a good idea on + a multi-user system but could reduce slightly the overhead on + single-user non-networked systems. + + + Enable the nullok option with the pam_unix module. This allows + people to login with blank passwords. + + + Enable pam_securetty module in the login stack. Not generally + relevant anymore as the login stack only refers to local logins + and local terminals imply secure access in the first place. + + + + proj/pambase + gentoo/pambase + + diff --git a/sdk_container/src/third_party/portage-stable/sys-auth/pambase/pambase-20250826.ebuild b/sdk_container/src/third_party/portage-stable/sys-auth/pambase/pambase-20250826.ebuild new file mode 100644 index 0000000000..a56107d0f7 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-auth/pambase/pambase-20250826.ebuild 
@@ -0,0 +1,129 @@ +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +PYTHON_COMPAT=( python3_{11..13} ) + +inherit edo pam python-any-r1 readme.gentoo-r1 + +DESCRIPTION="PAM base configuration files" +HOMEPAGE="https://github.com/gentoo/pambase" + +if [[ ${PV} == *9999 ]]; then + inherit git-r3 + EGIT_REPO_URI=" + https://anongit.gentoo.org/git/proj/pambase.git + https://github.com/gentoo/pambase.git + " +else + SRC_URI="https://gitweb.gentoo.org/proj/pambase.git/snapshot/${P}.tar.bz2" + + KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86" +fi + +LICENSE="MIT" +SLOT="0" +IUSE="caps debug elogind gnome-keyring homed minimal mktemp +nullok pam_krb5 pam_ssh +passwdqc pwhistory pwquality securetty selinux +sha512 sssd systemd yescrypt" + +RESTRICT="binchecks" + +REQUIRED_USE=" + ?? ( elogind systemd ) + ?? ( passwdqc pwquality ) + ?? ( sha512 yescrypt ) + pwhistory? ( || ( passwdqc pwquality ) ) + homed? ( !pam_krb5 ) + pam_krb5? ( !homed ) +" + +MIN_PAM_REQ=1.4.0 + +RDEPEND=" + >=sys-libs/pam-${MIN_PAM_REQ} + elogind? ( sys-auth/elogind[pam] ) + gnome-keyring? ( gnome-base/gnome-keyring[pam] ) + mktemp? ( sys-auth/pam_mktemp ) + pam_krb5? ( + >=sys-libs/pam-${MIN_PAM_REQ} + sys-auth/pam_krb5 + ) + caps? ( sys-libs/libcap[pam] ) + pam_ssh? ( sys-auth/pam_ssh ) + passwdqc? ( >=sys-auth/passwdqc-1.4.0-r1 ) + pwquality? ( dev-libs/libpwquality[pam] ) + selinux? ( sys-libs/pam[selinux] ) + sha512? ( >=sys-libs/pam-${MIN_PAM_REQ} ) + homed? ( sys-apps/systemd[homed] ) + systemd? ( sys-apps/systemd[pam] ) + yescrypt? ( sys-libs/libxcrypt[system] ) + sssd? 
( sys-auth/sssd ) +" +BDEPEND=" + $(python_gen_any_dep ' + dev-python/jinja2[${PYTHON_USEDEP}] + ') +" + +python_check_deps() { + python_has_version "dev-python/jinja2[${PYTHON_USEDEP}]" +} + +src_configure() { + local crypt=md5 + # TODO: sha256, blowfish, gost_yescrypt + use sha512 && crypt=sha512 + use yescrypt && crypt=yescrypt + + local pamargs=( + # Not all 'upstream' options are (currently) wired up + # in the ebuild. + # + # TODO: pam_shells + $(usev caps '--caps') + $(usev debug '--debug') + $(usev elogind '--elogind') + $(usev gnome-keyring '--gnome-keyring') + $(usev homed '--homed') + $(usev minimal '--minimal') + $(usev mktemp '--mktemp') + $(usev nullok '--nullok') + $(usev pam_krb5 '--krb5') + $(usev pam_ssh '--pam-ssh') + $(usev passwdqc '--passwdqc') + $(usev pwhistory '--pwhistory') + $(usev pwquality '--pwquality') + $(usev securetty '--securetty') + $(usev selinux '--selinux') + $(usex systemd '--systemd' '--openrc') + $(usev sssd '--sssd') + + --encrypt=${crypt} + ) + + edo ${EPYTHON} ./${PN}.py "${pamargs[@]}" +} + +src_test() { :; } + +src_install() { + local DOC_CONTENTS + + if use passwdqc; then + DOC_CONTENTS="To amend the existing password policy please see the man 5 passwdqc.conf + page and then edit the /etc/security/passwdqc.conf file" + fi + + if use pwquality; then + DOC_CONTENTS="To amend the existing password policy please see the man 5 pwquality.conf + page and then edit the /etc/security/pwquality.conf file" + fi + + { use passwdqc || use pwquality; } && readme.gentoo_create_doc + + dopamd -r stack/. +} + +pkg_postinst() { + { use passwdqc || use pwquality; } && readme.gentoo_print_elog +} diff --git a/sdk_container/src/third_party/portage-stable/sys-auth/pambase/pambase-20250906.ebuild b/sdk_container/src/third_party/portage-stable/sys-auth/pambase/pambase-20250906.ebuild new file mode 100644 index 0000000000..2d64418812 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-auth/pambase/pambase-20250906.ebuild 
@@ -0,0 +1,129 @@ +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +PYTHON_COMPAT=( python3_{11..14} ) + +inherit edo pam python-any-r1 readme.gentoo-r1 + +DESCRIPTION="PAM base configuration files" +HOMEPAGE="https://github.com/gentoo/pambase" + +if [[ ${PV} == *9999 ]]; then + inherit git-r3 + EGIT_REPO_URI=" + https://anongit.gentoo.org/git/proj/pambase.git + https://github.com/gentoo/pambase.git + " +else + SRC_URI="https://gitweb.gentoo.org/proj/pambase.git/snapshot/${P}.tar.bz2" + + KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86" +fi + +LICENSE="MIT" +SLOT="0" +IUSE="caps debug elogind gnome-keyring homed minimal mktemp +nullok pam_krb5 pam_ssh +passwdqc pwhistory pwquality securetty selinux +sha512 sssd systemd yescrypt" + +RESTRICT="binchecks" + +REQUIRED_USE=" + ?? ( elogind systemd ) + ?? ( passwdqc pwquality ) + ?? ( sha512 yescrypt ) + pwhistory? ( || ( passwdqc pwquality ) ) + homed? ( !pam_krb5 ) + pam_krb5? ( !homed ) +" + +MIN_PAM_REQ=1.4.0 + +RDEPEND=" + >=sys-libs/pam-${MIN_PAM_REQ} + elogind? ( sys-auth/elogind[pam] ) + gnome-keyring? ( gnome-base/gnome-keyring[pam] ) + mktemp? ( sys-auth/pam_mktemp ) + pam_krb5? ( + >=sys-libs/pam-${MIN_PAM_REQ} + sys-auth/pam_krb5 + ) + caps? ( sys-libs/libcap[pam] ) + pam_ssh? ( sys-auth/pam_ssh ) + passwdqc? ( >=sys-auth/passwdqc-1.4.0-r1 ) + pwquality? ( dev-libs/libpwquality[pam] ) + selinux? ( sys-libs/pam[selinux] ) + sha512? ( >=sys-libs/pam-${MIN_PAM_REQ} ) + homed? ( sys-apps/systemd[homed] ) + systemd? ( sys-apps/systemd[pam] ) + yescrypt? ( sys-libs/libxcrypt[system] ) + sssd? 
( sys-auth/sssd ) +" +BDEPEND=" + $(python_gen_any_dep ' + dev-python/jinja2[${PYTHON_USEDEP}] + ') +" + +python_check_deps() { + python_has_version "dev-python/jinja2[${PYTHON_USEDEP}]" +} + +src_configure() { + local crypt=md5 + # TODO: sha256, blowfish, gost_yescrypt + use sha512 && crypt=sha512 + use yescrypt && crypt=yescrypt + + local pamargs=( + # Not all 'upstream' options are (currently) wired up + # in the ebuild. + # + # TODO: pam_shells + $(usev caps '--caps') + $(usev debug '--debug') + $(usev elogind '--elogind') + $(usev gnome-keyring '--gnome-keyring') + $(usev homed '--homed') + $(usev minimal '--minimal') + $(usev mktemp '--mktemp') + $(usev nullok '--nullok') + $(usev pam_krb5 '--krb5') + $(usev pam_ssh '--pam-ssh') + $(usev passwdqc '--passwdqc') + $(usev pwhistory '--pwhistory') + $(usev pwquality '--pwquality') + $(usev securetty '--securetty') + $(usev selinux '--selinux') + $(usex systemd '--systemd' '--openrc') + $(usev sssd '--sssd') + + --encrypt=${crypt} + ) + + edo ${EPYTHON} ./${PN}.py "${pamargs[@]}" +} + +src_test() { :; } + +src_install() { + local DOC_CONTENTS + + if use passwdqc; then + DOC_CONTENTS="To amend the existing password policy please see the man 5 passwdqc.conf + page and then edit the /etc/security/passwdqc.conf file" + fi + + if use pwquality; then + DOC_CONTENTS="To amend the existing password policy please see the man 5 pwquality.conf + page and then edit the /etc/security/pwquality.conf file" + fi + + { use passwdqc || use pwquality; } && readme.gentoo_create_doc + + dopamd -r stack/. +} + +pkg_postinst() { + { use passwdqc || use pwquality; } && readme.gentoo_print_elog +} diff --git a/sdk_container/src/third_party/portage-stable/sys-auth/pambase/pambase-20251013.ebuild b/sdk_container/src/third_party/portage-stable/sys-auth/pambase/pambase-20251013.ebuild new file mode 100644 index 0000000000..2d64418812 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-auth/pambase/pambase-20251013.ebuild 
@@ -0,0 +1,129 @@ +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +PYTHON_COMPAT=( python3_{11..14} ) + +inherit edo pam python-any-r1 readme.gentoo-r1 + +DESCRIPTION="PAM base configuration files" +HOMEPAGE="https://github.com/gentoo/pambase" + +if [[ ${PV} == *9999 ]]; then + inherit git-r3 + EGIT_REPO_URI=" + https://anongit.gentoo.org/git/proj/pambase.git + https://github.com/gentoo/pambase.git + " +else + SRC_URI="https://gitweb.gentoo.org/proj/pambase.git/snapshot/${P}.tar.bz2" + + KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86" +fi + +LICENSE="MIT" +SLOT="0" +IUSE="caps debug elogind gnome-keyring homed minimal mktemp +nullok pam_krb5 pam_ssh +passwdqc pwhistory pwquality securetty selinux +sha512 sssd systemd yescrypt" + +RESTRICT="binchecks" + +REQUIRED_USE=" + ?? ( elogind systemd ) + ?? ( passwdqc pwquality ) + ?? ( sha512 yescrypt ) + pwhistory? ( || ( passwdqc pwquality ) ) + homed? ( !pam_krb5 ) + pam_krb5? ( !homed ) +" + +MIN_PAM_REQ=1.4.0 + +RDEPEND=" + >=sys-libs/pam-${MIN_PAM_REQ} + elogind? ( sys-auth/elogind[pam] ) + gnome-keyring? ( gnome-base/gnome-keyring[pam] ) + mktemp? ( sys-auth/pam_mktemp ) + pam_krb5? ( + >=sys-libs/pam-${MIN_PAM_REQ} + sys-auth/pam_krb5 + ) + caps? ( sys-libs/libcap[pam] ) + pam_ssh? ( sys-auth/pam_ssh ) + passwdqc? ( >=sys-auth/passwdqc-1.4.0-r1 ) + pwquality? ( dev-libs/libpwquality[pam] ) + selinux? ( sys-libs/pam[selinux] ) + sha512? ( >=sys-libs/pam-${MIN_PAM_REQ} ) + homed? ( sys-apps/systemd[homed] ) + systemd? ( sys-apps/systemd[pam] ) + yescrypt? ( sys-libs/libxcrypt[system] ) + sssd? 
( sys-auth/sssd ) +" +BDEPEND=" + $(python_gen_any_dep ' + dev-python/jinja2[${PYTHON_USEDEP}] + ') +" + +python_check_deps() { + python_has_version "dev-python/jinja2[${PYTHON_USEDEP}]" +} + +src_configure() { + local crypt=md5 + # TODO: sha256, blowfish, gost_yescrypt + use sha512 && crypt=sha512 + use yescrypt && crypt=yescrypt + + local pamargs=( + # Not all 'upstream' options are (currently) wired up + # in the ebuild. + # + # TODO: pam_shells + $(usev caps '--caps') + $(usev debug '--debug') + $(usev elogind '--elogind') + $(usev gnome-keyring '--gnome-keyring') + $(usev homed '--homed') + $(usev minimal '--minimal') + $(usev mktemp '--mktemp') + $(usev nullok '--nullok') + $(usev pam_krb5 '--krb5') + $(usev pam_ssh '--pam-ssh') + $(usev passwdqc '--passwdqc') + $(usev pwhistory '--pwhistory') + $(usev pwquality '--pwquality') + $(usev securetty '--securetty') + $(usev selinux '--selinux') + $(usex systemd '--systemd' '--openrc') + $(usev sssd '--sssd') + + --encrypt=${crypt} + ) + + edo ${EPYTHON} ./${PN}.py "${pamargs[@]}" +} + +src_test() { :; } + +src_install() { + local DOC_CONTENTS + + if use passwdqc; then + DOC_CONTENTS="To amend the existing password policy please see the man 5 passwdqc.conf + page and then edit the /etc/security/passwdqc.conf file" + fi + + if use pwquality; then + DOC_CONTENTS="To amend the existing password policy please see the man 5 pwquality.conf + page and then edit the /etc/security/pwquality.conf file" + fi + + { use passwdqc || use pwquality; } && readme.gentoo_create_doc + + dopamd -r stack/. +} + +pkg_postinst() { + { use passwdqc || use pwquality; } && readme.gentoo_print_elog +} diff --git a/sdk_container/src/third_party/portage-stable/sys-auth/pambase/pambase-999999999.ebuild b/sdk_container/src/third_party/portage-stable/sys-auth/pambase/pambase-999999999.ebuild new file mode 100644 index 0000000000..8b358020ca --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-auth/pambase/pambase-999999999.ebuild 
@@ -0,0 +1,129 @@ +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +PYTHON_COMPAT=( python3_{11..14} ) + +inherit edo pam python-any-r1 readme.gentoo-r1 + +DESCRIPTION="PAM base configuration files" +HOMEPAGE="https://github.com/gentoo/pambase" + +if [[ ${PV} == *9999 ]]; then + inherit git-r3 + EGIT_REPO_URI=" + https://anongit.gentoo.org/git/proj/pambase.git + https://github.com/gentoo/pambase.git + " +else + SRC_URI="https://gitweb.gentoo.org/proj/pambase.git/snapshot/${P}.tar.bz2" + + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" +fi + +LICENSE="MIT" +SLOT="0" +IUSE="caps debug elogind gnome-keyring homed minimal mktemp +nullok pam_krb5 pam_ssh +passwdqc pwhistory pwquality securetty selinux +sha512 sssd systemd yescrypt" + +RESTRICT="binchecks" + +REQUIRED_USE=" + ?? ( elogind systemd ) + ?? ( passwdqc pwquality ) + ?? ( sha512 yescrypt ) + pwhistory? ( || ( passwdqc pwquality ) ) + homed? ( !pam_krb5 ) + pam_krb5? ( !homed ) +" + +MIN_PAM_REQ=1.4.0 + +RDEPEND=" + >=sys-libs/pam-${MIN_PAM_REQ} + elogind? ( sys-auth/elogind[pam] ) + gnome-keyring? ( gnome-base/gnome-keyring[pam] ) + mktemp? ( sys-auth/pam_mktemp ) + pam_krb5? ( + >=sys-libs/pam-${MIN_PAM_REQ} + sys-auth/pam_krb5 + ) + caps? ( sys-libs/libcap[pam] ) + pam_ssh? ( sys-auth/pam_ssh ) + passwdqc? ( >=sys-auth/passwdqc-1.4.0-r1 ) + pwquality? ( dev-libs/libpwquality[pam] ) + selinux? ( sys-libs/pam[selinux] ) + sha512? ( >=sys-libs/pam-${MIN_PAM_REQ} ) + homed? ( sys-apps/systemd[homed] ) + systemd? ( sys-apps/systemd[pam] ) + yescrypt? ( sys-libs/libxcrypt[system] ) + sssd? 
( sys-auth/sssd ) +" +BDEPEND=" + $(python_gen_any_dep ' + dev-python/jinja2[${PYTHON_USEDEP}] + ') +" + +python_check_deps() { + python_has_version "dev-python/jinja2[${PYTHON_USEDEP}]" +} + +src_configure() { + local crypt=md5 + # TODO: sha256, blowfish, gost_yescrypt + use sha512 && crypt=sha512 + use yescrypt && crypt=yescrypt + + local pamargs=( + # Not all 'upstream' options are (currently) wired up + # in the ebuild. + # + # TODO: pam_shells + $(usev caps '--caps') + $(usev debug '--debug') + $(usev elogind '--elogind') + $(usev gnome-keyring '--gnome-keyring') + $(usev homed '--homed') + $(usev minimal '--minimal') + $(usev mktemp '--mktemp') + $(usev nullok '--nullok') + $(usev pam_krb5 '--krb5') + $(usev pam_ssh '--pam-ssh') + $(usev passwdqc '--passwdqc') + $(usev pwhistory '--pwhistory') + $(usev pwquality '--pwquality') + $(usev securetty '--securetty') + $(usev selinux '--selinux') + $(usex systemd '--systemd' '--openrc') + $(usev sssd '--sssd') + + --encrypt=${crypt} + ) + + edo ${EPYTHON} ./${PN}.py "${pamargs[@]}" +} + +src_test() { :; } + +src_install() { + local DOC_CONTENTS + + if use passwdqc; then + DOC_CONTENTS="To amend the existing password policy please see the man 5 passwdqc.conf + page and then edit the /etc/security/passwdqc.conf file" + fi + + if use pwquality; then + DOC_CONTENTS="To amend the existing password policy please see the man 5 pwquality.conf + page and then edit the /etc/security/pwquality.conf file" + fi + + { use passwdqc || use pwquality; } && readme.gentoo_create_doc + + dopamd -r stack/. +} + +pkg_postinst() { + { use passwdqc || use pwquality; } && readme.gentoo_print_elog +} diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/pam/Manifest b/sdk_container/src/third_party/portage-stable/sys-libs/pam/Manifest new file mode 100644 index 0000000000..3f78818310 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-libs/pam/Manifest 
@@ -0,0 +1,3 @@
+DIST Linux-PAM-1.7.1.tar.xz 510828 BLAKE2B 0a64d7dbf6bb7e3d2c36ea1f29c3217d3e43a1cc0ba8adf2ee8a117946a53bd26634ebd70ff3b99a72f7373df6694ee054dc7eddab04e43bbc8f5b0e9e56b3bc SHA512 0724c3636c10e2c7d98c9325bb9c20eb3e59b7cbc2f8fa7636b77af497524afe595b895386d7e6723fdb89247b94f6db6f179d552015ac78469beaa33e0413f0
+DIST Linux-PAM-1.7.1.tar.xz.asc 801 BLAKE2B 566123f49e26862ffc2261db38e35914dd91175c9f66a4756b9a473808dfeda2a4dad25337afa5121ca68a2411a26249b0d40556a22385f4494d355d6c3b4047 SHA512 7d559895e7988ea815955a4788925597073f1a66204dc9f437de306e1b7a77f2f2a9f1bdb2827aba03444500c790fa03e4bba2c94a2089b23bdd6505f9c3601f
+DIST pam-1.7.0_p20241230.gh.tar.gz 719108 BLAKE2B c37daabae380ce75c630a0af1b9960676bc973c773025bc7f65ae87aebff4ca3b667e16ec9635c7677e8a00e6b26eb590f84b798529c3340cdc2c262e7e5649e SHA512 d9d53ddd420fe754c76303b99c37e5cc2eca3d4af9f64043f3f9e69c3abfc3c05d5a1efdbbdfb39ad46a301a0df7a18425d0e8c110c1d76bad3e62dfa97b61ef
diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/pam/files/pam-1.7.1-32-bit-lastlog.patch b/sdk_container/src/third_party/portage-stable/sys-libs/pam/files/pam-1.7.1-32-bit-lastlog.patch
new file mode 100644
index 0000000000..c27f9a6459
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/pam/files/pam-1.7.1-32-bit-lastlog.patch
@@ -0,0 +1,37 @@ +https://github.com/linux-pam/linux-pam/commit/4176cf25a3ae8b5fd2956b41b068221b39932c3a + +From 4176cf25a3ae8b5fd2956b41b068221b39932c3a Mon Sep 17 00:00:00 2001 +From: "Dmitry V. Levin" +Date: Tue, 17 Jun 2025 13:00:00 +0000 +Subject: [PATCH] pam_lastlog: fix compilation warning on some of 32-bit + architectures + +On those of 32-bit architectures where glibc defines +__WORDSIZE_TIME64_COMPAT32, struct utmp.ut_tv.tv_sec is unsigned, +while time_t is signed, causing the following compiler diagnostics: + + pam_lastlog.c: In function 'last_login_failed': + pam_lastlog.c:572:29: warning: comparison of integer expressions of different signedness: '__uint32_t' {aka 'unsigned int'} and 'time_t' {aka 'long int'} [-Wsign-compare] + 572 | if (ut.ut_tv.tv_sec >= lltime && strncmp(ut.ut_user, user, UT_NAMESIZE) == 0) { + +Given that by its nature these values are treated as unsigned, fix this +by zero-extending both values to unsigned long long before the comparison. +--- + modules/pam_lastlog/pam_lastlog.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c +index 01545a696..c68b5fb04 100644 +--- a/modules/pam_lastlog/pam_lastlog.c ++++ b/modules/pam_lastlog/pam_lastlog.c +@@ -569,7 +569,8 @@ last_login_failed(pam_handle_t *pamh, int announce, const char *user, time_t llt + + while ((retval=pam_modutil_read(fd, (void *)&ut, + sizeof(ut))) == sizeof(ut)) { +- if (ut.ut_tv.tv_sec >= lltime && strncmp(ut.ut_user, user, UT_NAMESIZE) == 0) { ++ if (zero_extend_signed_to_ull(ut.ut_tv.tv_sec) >= zero_extend_signed_to_ull(lltime) ++ && strncmp(ut.ut_user, user, UT_NAMESIZE) == 0) { + memcpy(&utuser, &ut, sizeof(utuser)); + failed++; + } + 
diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/pam/files/pam-1.7.1-32-bit-timestamp.patch b/sdk_container/src/third_party/portage-stable/sys-libs/pam/files/pam-1.7.1-32-bit-timestamp.patch
new file mode 100644
index 0000000000..e0e12cc313
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/pam/files/pam-1.7.1-32-bit-timestamp.patch
@@ -0,0 +1,37 @@ +https://github.com/linux-pam/linux-pam/commit/e3b66a60e4209e019cf6a45f521858cec2dbefa1 + +From e3b66a60e4209e019cf6a45f521858cec2dbefa1 Mon Sep 17 00:00:00 2001 +From: "Dmitry V. Levin" +Date: Tue, 17 Jun 2025 13:00:00 +0000 +Subject: [PATCH] pam_timestamp: fix compilation warning on some of 32-bit + architectures + +On those of 32-bit architectures where glibc defines +__WORDSIZE_TIME64_COMPAT32, struct utmp.ut_tv.tv_sec is unsigned, +while time_t is signed, causing the following compiler diagnostics: + + pam_timestamp.c: In function 'check_login_time': + pam_timestamp.c:247:55: warning: comparison of integer expressions of different signedness: 'time_t' {aka 'long int'} and '__uint32_t' {aka 'unsigned int'} [-Wsign-compare] + 247 | if (oldest_login == 0 || oldest_login > ut->ut_tv.tv_sec) { + +Given that by its nature these values are treated as unsigned, fix this +by zero-extending both values to unsigned long long before the comparison. +--- + modules/pam_timestamp/pam_timestamp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c +index 0172d1ef9..030fa2b8f 100644 +--- a/modules/pam_timestamp/pam_timestamp.c ++++ b/modules/pam_timestamp/pam_timestamp.c +@@ -244,7 +244,9 @@ check_login_time( + if (strncmp(ruser, ut->ut_user, sizeof(ut->ut_user)) != 0) { + continue; + } +- if (oldest_login == 0 || oldest_login > ut->ut_tv.tv_sec) { ++ if (oldest_login == 0 || ++ zero_extend_signed_to_ull(oldest_login) ++ > zero_extend_signed_to_ull(ut->ut_tv.tv_sec)) { + oldest_login = ut->ut_tv.tv_sec; + } + } diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/metadata.xml b/sdk_container/src/third_party/portage-stable/sys-libs/pam/metadata.xml similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-libs/pam/metadata.xml rename to sdk_container/src/third_party/portage-stable/sys-libs/pam/metadata.xml 
diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/pam/pam-1.7.0_p20241230-r3.ebuild b/sdk_container/src/third_party/portage-stable/sys-libs/pam/pam-1.7.0_p20241230-r3.ebuild
new file mode 100644
index 0000000000..9ebdadc2a4
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/pam/pam-1.7.0_p20241230-r3.ebuild
@@ -0,0 +1,192 @@ +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +MY_P="Linux-${PN^^}-${PV}" + +# Avoid QA warnings +# Can reconsider w/ EAPI 8 and IDEPEND, bug #810979 +TMPFILES_OPTIONAL=1 + +inherit db-use fcaps flag-o-matic meson-multilib toolchain-funcs + +DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)" +HOMEPAGE="https://github.com/linux-pam/linux-pam" + +if [[ ${PV} == *_p* ]] ; then + PAM_COMMIT="e634a3a9be9484ada6e93970dfaf0f055ca17332" + SRC_URI=" + https://github.com/linux-pam/linux-pam/archive/${PAM_COMMIT}.tar.gz -> ${P}.gh.tar.gz + " + S="${WORKDIR}"/linux-${PN}-${PAM_COMMIT} +else + VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/strace.asc + inherit verify-sig + + SRC_URI=" + https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz + verify-sig? ( https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz.asc ) + " + S="${WORKDIR}/${MY_P}" + + BDEPEND="verify-sig? ( sec-keys/openpgp-keys-strace )" +fi + +LICENSE="|| ( BSD GPL-2 )" +SLOT="0" +KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux" +IUSE="audit berkdb elogind examples debug nis nls selinux systemd" +REQUIRED_USE="?? ( elogind systemd )" + +# meson.build specifically checks for bison and then byacc +# also requires xsltproc +BDEPEND+=" + || ( sys-devel/bison dev-util/byacc ) + app-text/docbook-xsl-ns-stylesheets + dev-libs/libxslt + sys-devel/flex + virtual/pkgconfig + nls? ( sys-devel/gettext ) +" +DEPEND=" + virtual/libcrypt:=[${MULTILIB_USEDEP}] + >=virtual/libintl-0-r1[${MULTILIB_USEDEP}] + audit? ( >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] ) + berkdb? ( >=sys-libs/db-4.8.30-r1:=[${MULTILIB_USEDEP}] ) + !berkdb? ( sys-libs/gdbm:=[${MULTILIB_USEDEP}] ) + elogind? ( >=sys-auth/elogind-254 ) + selinux? ( >=sys-libs/libselinux-2.2.2-r4[${MULTILIB_USEDEP}] ) + systemd? 
( >=sys-apps/systemd-254:= ) + nis? ( + net-libs/libnsl:=[${MULTILIB_USEDEP}] + >=net-libs/libtirpc-0.2.4-r2:=[${MULTILIB_USEDEP}] + ) +" +RDEPEND="${DEPEND}" +PDEPEND=">=sys-auth/pambase-20200616" + +src_configure() { + # meson.build sets -Wl,--fatal-warnings and with e.g. mold, we get: + # cannot assign version `global` to symbol `pam_sm_open_session`: symbol not found + append-ldflags $(test-flags-CCLD -Wl,--undefined-version) + + # Do not let user's BROWSER setting mess us up, bug #549684 + unset BROWSER + + meson-multilib_src_configure +} + +multilib_src_configure() { + local machine_file="${T}/meson.${CHOST}.${ABI}.ini.local" + # Workaround for docbook5 not being packaged (bug #913087#c4) + # It's only used for validation of output, so stub it out. + # Also, stub out elinks+w3m which are only used for an index. + cat >> "${machine_file}" <<-EOF || die + [binaries] + xmlcatalog='true' + xmllint='true' + elinks='true' + w3m='true' + EOF + + local emesonargs=() + + if tc-is-cross-compiler; then + emesonargs+=( --cross-file "${machine_file}" ) + else + emesonargs+=( --native-file "${machine_file}" ) + fi + + emesonargs+=( + $(meson_feature audit) + $(meson_native_use_bool examples) + $(meson_use debug pam-debug) + $(meson_feature nis) + $(meson_feature nls i18n) + $(meson_feature selinux) + + -Disadir='.' + -Dxml-catalog="${BROOT}"/etc/xml/catalog + -Dsbindir="${EPREFIX}"/sbin + -Dsecuredir="${EPREFIX}"/$(get_libdir)/security + -Ddocdir="${EPREFIX}"/usr/share/doc/${PF} + -Dhtmldir="${EPREFIX}"/usr/share/doc/${PF}/html + -Dpdfdir="${EPREFIX}"/usr/share/doc/${PF}/pdf + + $(meson_native_enabled docs) + + -Dpam_unix=enabled + + # TODO: wire this up now it's more useful as of 1.5.3 (bug #931117) + -Deconf=disabled + + # TODO: lastlog is enabled again for now by us as elogind support + # wasn't available at first. Even then, disabling lastlog will + # probably need a news item. 
+ $(meson_native_use_feature systemd logind) + $(meson_native_use_feature elogind) + $(meson_feature !elibc_musl pam_lastlog) + ) + + if use berkdb; then + local dbver + dbver="$(db_findver sys-libs/db)" || die "could not find db version" + local -x CPPFLAGS="${CPPFLAGS} -I$(db_includedir "${dbver}")" + emesonargs+=( + -Ddb=db + -Ddb-uniquename="-${dbver}" + ) + else + emesonargs+=( + -Ddb=gdbm + ) + fi + + # This whole weird has_version libxcrypt block can go once + # musl systems have libxcrypt[system] if we ever make + # that mandatory. See bug #867991. + #if use elibc_musl && ! has_version sys-libs/libxcrypt[system] ; then + # # Avoid picking up symbol-versioned compat symbol on musl systems + # export ac_cv_search_crypt_gensalt_rn=no + # + # # Need to avoid picking up the libxcrypt headers which define + # # CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY. + # cp "${ESYSROOT}"/usr/include/crypt.h "${T}"/crypt.h || die + # append-cppflags -I"${T}" + #fi + + meson_src_configure +} + +multilib_src_install_all() { + find "${ED}" -type f -name '*.la' -delete || die + + # tmpfiles.eclass is impossible to use because + # there is the pam -> tmpfiles -> systemd -> pam dependency loop + dodir /usr/lib/tmpfiles.d + + cat ->> "${ED}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_ + d /run/faillock 0755 root root + _EOF_ + use selinux && cat ->> "${ED}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-selinux.conf <<-_EOF_ + d /run/sepermit 0755 root root + _EOF_ +} + +pkg_postinst() { + ewarn "Some software with pre-loaded PAM libraries might experience" + ewarn "warnings or failures related to missing symbols and/or versions" + ewarn "after any update. While unfortunate this is a limit of the" + ewarn "implementation of PAM and the software, and it requires you to" + ewarn "restart the software manually after the update." 
+ ewarn "" + ewarn "You can get a list of such software running a command like" + ewarn " lsof / | grep -E -i 'del.*libpam\\.so'" + ewarn "" + ewarn "Alternatively, simply reboot your system." + + # The pam_unix module needs to check the password of the user which requires + # read access to /etc/shadow only. + fcaps -m u+s cap_dac_override sbin/unix_chkpwd +} diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/pam/pam-1.7.1-r1.ebuild b/sdk_container/src/third_party/portage-stable/sys-libs/pam/pam-1.7.1-r1.ebuild new file mode 100644 index 0000000000..d580d7da9d --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-libs/pam/pam-1.7.1-r1.ebuild 
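Review bot: `fcaps -m u+s cap_dac_override sbin/unix_chkpwd` in `pkg_postinst` grants more than the comment directly above it says is needed: CAP_DAC_OVERRIDE bypasses read, write and execute permission checks on every file, whereas reading /etc/shadow only requires CAP_DAC_READ_SEARCH. The pam-1.7.1-r1 ebuild later in this commit already uses `fcaps -m u+s cap_dac_read_search sbin/unix_chkpwd`, so this older revision is the outlier; if it has to remain in the tree, narrowing it to match is a one-word change, otherwise the comment should state why the wider capability is required. Independently of which capability is chosen, `-m u+s` is, as far as I read fcaps.eclass, the mode used when file capabilities cannot be applied, so on a filesystem or install path without xattr support the binary silently becomes setuid root; this applies to the r1 ebuild as well and is worth one line of comment next to the call, e.g. `# -m u+s: fallback to setuid root only if file caps cannot be set`.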
@@ -0,0 +1,191 @@ +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +MY_P="Linux-${PN^^}-${PV}" + +# Avoid QA warnings +# Can reconsider w/ EAPI 8 and IDEPEND, bug #810979 +TMPFILES_OPTIONAL=1 + +inherit db-use fcaps flag-o-matic meson-multilib + +DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)" +HOMEPAGE="https://github.com/linux-pam/linux-pam" + +if [[ ${PV} == *_p* ]] ; then + PAM_COMMIT="e634a3a9be9484ada6e93970dfaf0f055ca17332" + SRC_URI=" + https://github.com/linux-pam/linux-pam/archive/${PAM_COMMIT}.tar.gz -> ${P}.gh.tar.gz + " + S="${WORKDIR}"/linux-${PN}-${PAM_COMMIT} +else + VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/strace.asc + inherit verify-sig + + SRC_URI=" + https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz + verify-sig? ( https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz.asc ) + " + S="${WORKDIR}/${MY_P}" + + BDEPEND="verify-sig? ( sec-keys/openpgp-keys-strace )" +fi + +LICENSE="|| ( BSD GPL-2 )" +SLOT="0" +KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux" +IUSE="audit berkdb elogind examples debug nis nls selinux systemd" +REQUIRED_USE="?? ( elogind systemd )" + +# meson.build specifically checks for bison and then byacc +# also requires xsltproc +BDEPEND+=" + || ( sys-devel/bison dev-util/byacc ) + app-text/docbook-xsl-ns-stylesheets + dev-libs/libxslt + sys-devel/flex + virtual/pkgconfig + nls? ( sys-devel/gettext ) +" +DEPEND=" + virtual/libcrypt:=[${MULTILIB_USEDEP}] + >=virtual/libintl-0-r1[${MULTILIB_USEDEP}] + audit? ( >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] ) + berkdb? ( >=sys-libs/db-4.8.30-r1:=[${MULTILIB_USEDEP}] ) + !berkdb? ( sys-libs/gdbm:=[${MULTILIB_USEDEP}] ) + elogind? ( >=sys-auth/elogind-254 ) + selinux? ( >=sys-libs/libselinux-2.2.2-r4[${MULTILIB_USEDEP}] ) + systemd? ( >=sys-apps/systemd-254:= ) + nis? 
( + net-libs/libnsl:=[${MULTILIB_USEDEP}] + >=net-libs/libtirpc-0.2.4-r2:=[${MULTILIB_USEDEP}] + ) +" +RDEPEND="${DEPEND}" +PDEPEND=">=sys-auth/pambase-20200616" + +PATCHES=( + "${FILESDIR}"/${P}-32-bit-lastlog.patch + "${FILESDIR}"/${P}-32-bit-timestamp.patch +) + +src_configure() { + # meson.build sets -Wl,--fatal-warnings and with e.g. mold, we get: + # cannot assign version `global` to symbol `pam_sm_open_session`: symbol not found + append-ldflags $(test-flags-CCLD -Wl,--undefined-version) + + # Do not let user's BROWSER setting mess us up, bug #549684 + unset BROWSER + + meson-multilib_src_configure +} + +multilib_src_configure() { + local machine_file="${T}/meson.${CHOST}.${ABI}.ini.local" + # Workaround for docbook5 not being packaged (bug #913087#c4) + # It's only used for validation of output, so stub it out. + # Also, stub out elinks+w3m which are only used for an index. + cat >> "${machine_file}" <<-EOF || die + [binaries] + xmlcatalog='true' + xmllint='true' + elinks='true' + w3m='true' + EOF + + local emesonargs=( + --native-file "${machine_file}" + + $(meson_feature audit) + $(meson_native_use_bool examples) + $(meson_use debug pam-debug) + $(meson_feature nis) + $(meson_feature nls i18n) + $(meson_feature selinux) + + -Disadir='.' + -Dxml-catalog="${BROOT}"/etc/xml/catalog + -Dsbindir="${EPREFIX}"/sbin + -Dsecuredir="${EPREFIX}"/$(get_libdir)/security + -Ddocdir="${EPREFIX}"/usr/share/doc/${PF} + -Dhtmldir="${EPREFIX}"/usr/share/doc/${PF}/html + -Dpdfdir="${EPREFIX}"/usr/share/doc/${PF}/pdf + + $(meson_native_enabled docs) + + -Dpam_unix=enabled + + # TODO: wire this up now it's more useful as of 1.5.3 (bug #931117) + -Deconf=disabled + + # TODO: lastlog is enabled again for now by us as elogind support + # wasn't available at first. Even then, disabling lastlog will + # probably need a news item. 
+ $(meson_native_use_feature systemd logind) + $(meson_native_use_feature elogind) + $(meson_feature !elibc_musl pam_lastlog) + ) + + if use berkdb; then + local dbver + dbver="$(db_findver sys-libs/db)" || die "could not find db version" + local -x CPPFLAGS="${CPPFLAGS} -I$(db_includedir "${dbver}")" + emesonargs+=( + -Ddb=db + -Ddb-uniquename="-${dbver}" + ) + else + emesonargs+=( + -Ddb=gdbm + ) + fi + + # This whole weird has_version libxcrypt block can go once + # musl systems have libxcrypt[system] if we ever make + # that mandatory. See bug #867991. + #if use elibc_musl && ! has_version sys-libs/libxcrypt[system] ; then + # # Avoid picking up symbol-versioned compat symbol on musl systems + # export ac_cv_search_crypt_gensalt_rn=no + # + # # Need to avoid picking up the libxcrypt headers which define + # # CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY. + # cp "${ESYSROOT}"/usr/include/crypt.h "${T}"/crypt.h || die + # append-cppflags -I"${T}" + #fi + + meson_src_configure +} + +multilib_src_install_all() { + find "${ED}" -type f -name '*.la' -delete || die + + # tmpfiles.eclass is impossible to use because + # there is the pam -> tmpfiles -> systemd -> pam dependency loop + dodir /usr/lib/tmpfiles.d + + cat ->> "${ED}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_ + d /run/faillock 0755 root root + _EOF_ + use selinux && cat ->> "${ED}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-selinux.conf <<-_EOF_ + d /run/sepermit 0755 root root + _EOF_ +} + +pkg_postinst() { + ewarn "Some software with pre-loaded PAM libraries might experience" + ewarn "warnings or failures related to missing symbols and/or versions" + ewarn "after any update. While unfortunate this is a limit of the" + ewarn "implementation of PAM and the software, and it requires you to" + ewarn "restart the software manually after the update." 
+ ewarn "" + ewarn "You can get a list of such software running a command like" + ewarn " lsof / | grep -E -i 'del.*libpam\\.so'" + ewarn "" + ewarn "Alternatively, simply reboot your system." + + # The pam_unix module needs to check the password of the user which requires + # read access to /etc/shadow only. + fcaps -m u+s cap_dac_read_search sbin/unix_chkpwd +} diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/pam/pam-1.7.1-r2.ebuild b/sdk_container/src/third_party/portage-stable/sys-libs/pam/pam-1.7.1-r2.ebuild new file mode 100644 index 0000000000..fe66631ff3 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-libs/pam/pam-1.7.1-r2.ebuild 
@@ -0,0 +1,202 @@ +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +MY_P="Linux-${PN^^}-${PV}" + +# Avoid QA warnings +# Can reconsider w/ EAPI 8 and IDEPEND, bug #810979 +TMPFILES_OPTIONAL=1 + +inherit db-use flag-o-matic meson-multilib user-info + +DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)" +HOMEPAGE="https://github.com/linux-pam/linux-pam" + +if [[ ${PV} == *_p* ]] ; then + PAM_COMMIT="e634a3a9be9484ada6e93970dfaf0f055ca17332" + SRC_URI=" + https://github.com/linux-pam/linux-pam/archive/${PAM_COMMIT}.tar.gz -> ${P}.gh.tar.gz + " + S="${WORKDIR}"/linux-${PN}-${PAM_COMMIT} +else + VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/strace.asc + inherit verify-sig + + SRC_URI=" + https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz + verify-sig? ( https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz.asc ) + " + S="${WORKDIR}/${MY_P}" + + BDEPEND="verify-sig? ( sec-keys/openpgp-keys-strace )" +fi + +LICENSE="|| ( BSD GPL-2 )" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux" +IUSE="audit berkdb elogind examples debug nis nls selinux systemd" +REQUIRED_USE="?? ( elogind systemd )" + +# meson.build specifically checks for bison and then byacc +# also requires xsltproc +BDEPEND+=" + acct-group/shadow + || ( sys-devel/bison dev-util/byacc ) + app-text/docbook-xsl-ns-stylesheets + dev-libs/libxslt + sys-devel/flex + virtual/pkgconfig + nls? ( sys-devel/gettext ) +" +DEPEND=" + virtual/libcrypt:=[${MULTILIB_USEDEP}] + >=virtual/libintl-0-r1[${MULTILIB_USEDEP}] + audit? ( >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] ) + berkdb? ( >=sys-libs/db-4.8.30-r1:=[${MULTILIB_USEDEP}] ) + !berkdb? ( sys-libs/gdbm:=[${MULTILIB_USEDEP}] ) + elogind? ( >=sys-auth/elogind-254 ) + selinux? ( >=sys-libs/libselinux-2.2.2-r4[${MULTILIB_USEDEP}] ) + systemd? 
( >=sys-apps/systemd-254:= ) + nis? ( + net-libs/libnsl:=[${MULTILIB_USEDEP}] + >=net-libs/libtirpc-0.2.4-r2:=[${MULTILIB_USEDEP}] + ) +" +RDEPEND="${DEPEND} + acct-group/shadow +" +PDEPEND=">=sys-auth/pambase-20200616" + +PATCHES=( + "${FILESDIR}"/${P}-32-bit-lastlog.patch + "${FILESDIR}"/${P}-32-bit-timestamp.patch +) + +src_configure() { + # meson.build sets -Wl,--fatal-warnings and with e.g. mold, we get: + # cannot assign version `global` to symbol `pam_sm_open_session`: symbol not found + append-ldflags $(test-flags-CCLD -Wl,--undefined-version) + + # Do not let user's BROWSER setting mess us up, bug #549684 + unset BROWSER + + meson-multilib_src_configure +} + +multilib_src_configure() { + local machine_file="${T}/meson.${CHOST}.${ABI}.ini.local" + # Workaround for docbook5 not being packaged (bug #913087#c4) + # It's only used for validation of output, so stub it out. + # Also, stub out elinks+w3m which are only used for an index. + cat >> "${machine_file}" <<-EOF || die + [binaries] + xmlcatalog='true' + xmllint='true' + elinks='true' + w3m='true' + EOF + + local emesonargs=( + --native-file "${machine_file}" + + $(meson_feature audit) + $(meson_native_use_bool examples) + $(meson_use debug pam-debug) + $(meson_feature nis) + $(meson_feature nls i18n) + $(meson_feature selinux) + + -Disadir='.' + -Dxml-catalog="${BROOT}"/etc/xml/catalog + -Dsbindir="${EPREFIX}"/sbin + -Dsecuredir="${EPREFIX}"/$(get_libdir)/security + -Ddocdir="${EPREFIX}"/usr/share/doc/${PF} + -Dhtmldir="${EPREFIX}"/usr/share/doc/${PF}/html + -Dpdfdir="${EPREFIX}"/usr/share/doc/${PF}/pdf + + $(meson_native_enabled docs) + + -Dpam_unix=enabled + + # TODO: wire this up now it's more useful as of 1.5.3 (bug #931117) + -Deconf=disabled + + # TODO: lastlog is enabled again for now by us as elogind support + # wasn't available at first. Even then, disabling lastlog will + # probably need a news item. 
+ $(meson_native_use_feature systemd logind) + $(meson_native_use_feature elogind) + $(meson_feature !elibc_musl pam_lastlog) + ) + + if use berkdb; then + local dbver + dbver="$(db_findver sys-libs/db)" || die "could not find db version" + local -x CPPFLAGS="${CPPFLAGS} -I$(db_includedir "${dbver}")" + emesonargs+=( + -Ddb=db + -Ddb-uniquename="-${dbver}" + ) + else + emesonargs+=( + -Ddb=gdbm + ) + fi + + # This whole weird has_version libxcrypt block can go once + # musl systems have libxcrypt[system] if we ever make + # that mandatory. See bug #867991. + #if use elibc_musl && ! has_version sys-libs/libxcrypt[system] ; then + # # Avoid picking up symbol-versioned compat symbol on musl systems + # export ac_cv_search_crypt_gensalt_rn=no + # + # # Need to avoid picking up the libxcrypt headers which define + # # CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY. + # cp "${ESYSROOT}"/usr/include/crypt.h "${T}"/crypt.h || die + # append-cppflags -I"${T}" + #fi + + meson_src_configure +} + +multilib_src_install_all() { + find "${ED}" -type f -name '*.la' -delete || die + + fowners :shadow /sbin/unix_chkpwd + fperms g+s /sbin/unix_chkpwd + + # tmpfiles.eclass is impossible to use because + # there is the pam -> tmpfiles -> systemd -> pam dependency loop + dodir /usr/lib/tmpfiles.d + + cat ->> "${ED}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_ + d /run/faillock 0755 root root + _EOF_ + use selinux && cat ->> "${ED}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-selinux.conf <<-_EOF_ + d /run/sepermit 0755 root root + _EOF_ +} + +pkg_postinst() { + if [[ -n ${ROOT} ]]; then + # Portage does not currently update the gid on installed files + # based on ${EROOT}/etc/group. 
+ local gid=$(egetent group shadow | cut -d: -f3) + if [[ -n ${gid} ]]; then + chgrp "${gid}" "${EROOT}/sbin/unix_chkpwd" && + chmod g+s "${EROOT}/sbin/unix_chkpwd" + fi + fi + ewarn "Some software with pre-loaded PAM libraries might experience" + ewarn "warnings or failures related to missing symbols and/or versions" + ewarn "after any update. While unfortunate this is a limit of the" + ewarn "implementation of PAM and the software, and it requires you to" + ewarn "restart the software manually after the update." + ewarn "" + ewarn "You can get a list of such software running a command like" + ewarn " lsof / | grep -E -i 'del.*libpam\\.so'" + ewarn "" + ewarn "Alternatively, simply reboot your system." +}
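Review bot: The ROOT fix-up in `pkg_postinst` fails silently: `local gid=$(egetent group shadow | cut -d: -f3)` discards egetent's exit status, and `chgrp "${gid}" "${EROOT}/sbin/unix_chkpwd" && chmod g+s "${EROOT}/sbin/unix_chkpwd"` reports nothing when either step fails. In this revision unix_chkpwd relies solely on setgid shadow (the `fowners :shadow` / `fperms g+s` pair in `multilib_src_install_all` replaced the earlier fcaps call), so a failed fix-up leaves a binary that cannot read /etc/shadow and password checks from unprivileged callers break with no trace in the merge log. Appending `|| ewarn "Could not apply group shadow and setgid to ${EROOT}/sbin/unix_chkpwd"` to the `chmod` line and adding `else ewarn "group shadow not found in ${EROOT}/etc/group; unix_chkpwd will not be setgid"` to the inner `if` makes the failure visible without turning postinst into a hard error.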