sys-libs/pam: Sync with Gentoo

It's from Gentoo commit 197e3931b76a596e0df99bd22809d1db04ec5131. Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-03-06 14:01:07 +01:00 · 2025-10-16 16:59:08 +02:00 · 2025-10-16 16:59:08 +02:00 · 5e7e0957bf
commit 5e7e0957bf
parent 1973743a18
11 changed files with 662 additions and 242 deletions
--- a/sdk_container/src/third_party/portage-stable/sys-libs/pam/Manifest
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/pam/Manifest
@ -1,4 +1,3 @@
-DIST Linux-PAM-1.5.3-docs.tar.xz 466340 BLAKE2B 6bade3c63ebe6b6ca7a86d7385850bb87bf1d6526add3ac5aad140533516c1d27b594a17d09c4127ff985c42e6c571618785d6b2a2913e6575678c4dcf947dc0 SHA512 a9082823da88e0054d74e13aef872519ced5fbef25c8cc1a7e3a99160f835aa09c9ef701b6ec507acd3b540da0019288424bb4c8ebd828181ea90450db1494a9
-DIST Linux-PAM-1.5.3.tar.xz 1020076 BLAKE2B 362c939f3afc343e6f4e78e7f6ba6f7a9c6ee0a9948bb5a4fc34cecfd29e9fa974082534d4ceedd04d8d3e34c7b3ef43d2a07ba5f41d26da04ec8330fc3790fb SHA512 af88e8c1b6a9b737ffaffff7dd9ed8eec996d1fbb5804fb76f590bed66d8a1c2c6024a534d7a7b6d18496b300f3d6571a08874cf406cd2e8cea1d5eff49c136a
-DIST Linux-PAM-1.6.1-docs.tar.xz 465516 BLAKE2B c39dfba2e327120edc1f30be6ea7f8e6cf20d1f4dd17752cc34e0ae1c0bd22b3d19b94ab665bf3df5bd6ecc7fc358dbbedd8a3069df95ff6189580e538aa3547 SHA512 c6054ec6832f604c0654cf074e4e241c44037fd41cd37cca7da94abe008ff72adc4466d31bd254517eda083c7ec3f6aefd37785b3ee3d0d4553250bd29963855
-DIST Linux-PAM-1.6.1.tar.xz 1054152 BLAKE2B 649b4ff892fbd3eb90adcbd9ccc5b3f5df51bf1c79b9084c7a1613c432587b13b81761d1eb4f31ef12d58843d16af24a3c441d0b6f5d2f2a1db9c8da15a61e2f SHA512 ddb5a5f296f564b76925324550d29f15d342841a97815336789c7bb922a8663e831edeb54f3dcd1eaf297e3325c9e2e6c14b8740def5c43cf3f160a8a14fa2ea
+DIST Linux-PAM-1.7.1.tar.xz 510828 BLAKE2B 0a64d7dbf6bb7e3d2c36ea1f29c3217d3e43a1cc0ba8adf2ee8a117946a53bd26634ebd70ff3b99a72f7373df6694ee054dc7eddab04e43bbc8f5b0e9e56b3bc SHA512 0724c3636c10e2c7d98c9325bb9c20eb3e59b7cbc2f8fa7636b77af497524afe595b895386d7e6723fdb89247b94f6db6f179d552015ac78469beaa33e0413f0
+DIST Linux-PAM-1.7.1.tar.xz.asc 801 BLAKE2B 566123f49e26862ffc2261db38e35914dd91175c9f66a4756b9a473808dfeda2a4dad25337afa5121ca68a2411a26249b0d40556a22385f4494d355d6c3b4047 SHA512 7d559895e7988ea815955a4788925597073f1a66204dc9f437de306e1b7a77f2f2a9f1bdb2827aba03444500c790fa03e4bba2c94a2089b23bdd6505f9c3601f
+DIST pam-1.7.0_p20241230.gh.tar.gz 719108 BLAKE2B c37daabae380ce75c630a0af1b9960676bc973c773025bc7f65ae87aebff4ca3b667e16ec9635c7677e8a00e6b26eb590f84b798529c3340cdc2c262e7e5649e SHA512 d9d53ddd420fe754c76303b99c37e5cc2eca3d4af9f64043f3f9e69c3abfc3c05d5a1efdbbdfb39ad46a301a0df7a18425d0e8c110c1d76bad3e62dfa97b61ef
--- a/sdk_container/src/third_party/portage-stable/sys-libs/pam/README.md
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/pam/README.md
@ -1,21 +0,0 @@
-This is a fork of gentoo's sys-libs/pam package. The main reasons
-for having our fork seem to be:
-
-1. We add a locked account functionality. If the account in
-   `/etc/shadow` has an exclamation mark (`!`) as a first character in
-   the password field, then the account is blocked.
-
-2. We install configuration in `/usr/lib/pam`, so the configuration in
-   `/etc` provided by administration can override the config we
-   install.
-
-3. For an unknown reason we drop `gen_usr_ldscript -a pam pam_misc
-   pamc` from the recipe.
-
-4. We make the `/sbin/unix_chkpwd` binary a suid one instead of
-   overriding giving it a CAP_DAC_OVERRIDE to avoid a dependency loop
-   between pam and libcap. The binary needs to be able to read
-   /etc/shadow, so either suid or CAP_DAC_OVERRIDE capability should
-   work. A suid binary is strictly less secure than capability
-   override, so in long-term we would prefer to avoid having this
-   hack. On the other hand - this is what we had so far.
--- a/sdk_container/src/third_party/portage-stable/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch
@ -1,13 +0,0 @@
-diff -ur linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16.orig/modules/pam_unix/support.c linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16/modules/pam_unix/support.c
--- linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16.orig/modules/pam_unix/support.c	2020-08-18 20:50:27.226355628 +0200
-+++ linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16/modules/pam_unix/support.c	2020-08-18 20:51:20.456212931 +0200
-@@ -847,6 +847,9 @@
-         return retval;
-     }
- 
-+    if (pwent->pw_passwd != NULL && pwent->pw_passwd[0] == '!')
-+        return PAM_PERM_DENIED;
-+
-     if (retval == PAM_SUCCESS && spent == NULL)
-         return PAM_SUCCESS;
- 
--- a/sdk_container/src/third_party/portage-stable/sys-libs/pam/files/pam-1.5.3-termios.patch
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/pam/files/pam-1.5.3-termios.patch
@ -1,34 +0,0 @@
-Replace System V termio.h with POSIX termios.h for musl
-Upstream: https://github.com/linux-pam/linux-pam/pull/576
-Bug: https://bugs.gentoo.org/906137
-
-From 5658105b04ad4df212baf302898ee2cca99516a6 Mon Sep 17 00:00:00 2001
-From: Violet Purcell <vimproved@inventati.org>
-Date: Thu, 11 May 2023 10:27:53 -0400
-Subject: [PATCH] fix build on musl
-
--- a/examples/tty_conv.c
-+++ b/examples/tty_conv.c
-@@ -6,8 +6,9 @@
- #include <string.h>
- #include <errno.h>
- #include <unistd.h>
-#include <termio.h>
-+#include <termios.h>
- #include <security/pam_appl.h>
-+#include <sys/ioctl.h>
- 
- /***************************************
-  * @brief echo off/on
-@@ -16,7 +17,7 @@
-  ***************************************/
- static void echoOff(int fd, int off)
- {
-    struct termio tty;
-+    struct termios tty;
-     if (ioctl(fd, TCGETA, &tty) < 0)
-     {
-         fprintf(stderr, "TCGETA failed: %s\n", strerror(errno));
-- 
-2.40.1
-
--- a/sdk_container/src/third_party/portage-stable/sys-libs/pam/files/pam-1.7.1-32-bit-lastlog.patch
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/pam/files/pam-1.7.1-32-bit-lastlog.patch
@ -0,0 +1,37 @@
+https://github.com/linux-pam/linux-pam/commit/4176cf25a3ae8b5fd2956b41b068221b39932c3a
+
+From 4176cf25a3ae8b5fd2956b41b068221b39932c3a Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin" <ldv@strace.io>
+Date: Tue, 17 Jun 2025 13:00:00 +0000
+Subject: [PATCH] pam_lastlog: fix compilation warning on some of 32-bit
+ architectures
+
+On those of 32-bit architectures where glibc defines
+__WORDSIZE_TIME64_COMPAT32, struct utmp.ut_tv.tv_sec is unsigned,
+while time_t is signed, causing the following compiler diagnostics:
+
+  pam_lastlog.c: In function 'last_login_failed':
+  pam_lastlog.c:572:29: warning: comparison of integer expressions of different signedness: '__uint32_t' {aka 'unsigned int'} and 'time_t' {aka 'long int'} [-Wsign-compare]
+  572 |         if (ut.ut_tv.tv_sec >= lltime && strncmp(ut.ut_user, user, UT_NAMESIZE) == 0) {
+
+Given that by its nature these values are treated as unsigned, fix this
+by zero-extending both values to unsigned long long before the comparison.
+---
+ modules/pam_lastlog/pam_lastlog.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
+index 01545a696..c68b5fb04 100644
+--- a/modules/pam_lastlog/pam_lastlog.c
+++ b/modules/pam_lastlog/pam_lastlog.c
+@@ -569,7 +569,8 @@ last_login_failed(pam_handle_t *pamh, int announce, const char *user, time_t llt
+ 
+     while ((retval=pam_modutil_read(fd, (void *)&ut,
+ 			 sizeof(ut))) == sizeof(ut)) {
+-	if (ut.ut_tv.tv_sec >= lltime && strncmp(ut.ut_user, user, UT_NAMESIZE) == 0) {
+	if (zero_extend_signed_to_ull(ut.ut_tv.tv_sec) >= zero_extend_signed_to_ull(lltime)
+	    && strncmp(ut.ut_user, user, UT_NAMESIZE) == 0) {
+ 	    memcpy(&utuser, &ut, sizeof(utuser));
+ 	    failed++;
+ 	}
+
--- a/sdk_container/src/third_party/portage-stable/sys-libs/pam/files/pam-1.7.1-32-bit-timestamp.patch
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/pam/files/pam-1.7.1-32-bit-timestamp.patch
@ -0,0 +1,37 @@
+https://github.com/linux-pam/linux-pam/commit/e3b66a60e4209e019cf6a45f521858cec2dbefa1
+
+From e3b66a60e4209e019cf6a45f521858cec2dbefa1 Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin" <ldv@strace.io>
+Date: Tue, 17 Jun 2025 13:00:00 +0000
+Subject: [PATCH] pam_timestamp: fix compilation warning on some of 32-bit
+ architectures
+
+On those of 32-bit architectures where glibc defines
+__WORDSIZE_TIME64_COMPAT32, struct utmp.ut_tv.tv_sec is unsigned,
+while time_t is signed, causing the following compiler diagnostics:
+
+  pam_timestamp.c: In function 'check_login_time':
+  pam_timestamp.c:247:55: warning: comparison of integer expressions of different signedness: 'time_t' {aka 'long int'} and '__uint32_t' {aka 'unsigned int'} [-Wsign-compare]
+  247 |                 if (oldest_login == 0 || oldest_login > ut->ut_tv.tv_sec) {
+
+Given that by its nature these values are treated as unsigned, fix this
+by zero-extending both values to unsigned long long before the comparison.
+---
+ modules/pam_timestamp/pam_timestamp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
+index 0172d1ef9..030fa2b8f 100644
+--- a/modules/pam_timestamp/pam_timestamp.c
+++ b/modules/pam_timestamp/pam_timestamp.c
+@@ -244,7 +244,9 @@ check_login_time(
+ 		if (strncmp(ruser, ut->ut_user, sizeof(ut->ut_user)) != 0) {
+ 			continue;
+ 		}
+-		if (oldest_login == 0 || oldest_login > ut->ut_tv.tv_sec) {
+		if (oldest_login == 0 ||
+		    zero_extend_signed_to_ull(oldest_login)
+		    > zero_extend_signed_to_ull(ut->ut_tv.tv_sec)) {
+ 			oldest_login = ut->ut_tv.tv_sec;
+ 		}
+ 	}
--- a/sdk_container/src/third_party/portage-stable/sys-libs/pam/files/tmpfiles.d/pam.conf
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/pam/files/tmpfiles.d/pam.conf
@ -1,11 +0,0 @@
-d /etc/pam.d			0755 root root	-	-
-d /etc/security			0755 root root	-	-
-d /etc/security/limits.d	0755 root root	-	-
-d /etc/security/namespace.d	0755 root root	-	-
-f /etc/environment		0755 root root	-	-
-L /etc/security/access.conf	-    -	  -	-	../../usr/lib/pam/security/access.conf
-L /etc/security/group.conf	-    - 	  - 	-	../../usr/lib/pam/security/group.conf
-L /etc/security/limits.conf	-    -	  -	-	../../usr/lib/pam/security/limits.conf
-L /etc/security/namespace.conf	-    -	  -	-	../../usr/lib/pam/security/namespace.conf
-L /etc/security/pam_env.conf	-    -	  -	-	../../usr/lib/pam/security/pam_env.conf
-L /etc/security/time.conf	-    -	  -	-	../../usr/lib/pam/security/time.conf
--- a/sdk_container/src/third_party/portage-stable/sys-libs/pam/pam-1.5.3-r1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/pam/pam-1.5.3-r1.ebuild
@ -1,159 +0,0 @@
-# Copyright 1999-2024 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-MY_P="Linux-${PN^^}-${PV}"
-
-# Avoid QA warnings
-# Can reconsider w/ EAPI 8 and IDEPEND, bug #810979
-TMPFILES_OPTIONAL=1
-
-inherit db-use fcaps flag-o-matic toolchain-funcs multilib-minimal
-
-DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)"
-HOMEPAGE="https://github.com/linux-pam/linux-pam"
-SRC_URI="
-	https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz
-	https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}-docs.tar.xz
-"
-S="${WORKDIR}/${MY_P}"
-
-LICENSE="|| ( BSD GPL-2 )"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux"
-IUSE="audit berkdb debug nis selinux"
-
-BDEPEND="
-	app-alternatives/yacc
-	dev-libs/libxslt
-	app-alternatives/lex
-	sys-devel/gettext
-	virtual/pkgconfig
-"
-DEPEND="
-	virtual/libcrypt:=[${MULTILIB_USEDEP}]
-	>=virtual/libintl-0-r1[${MULTILIB_USEDEP}]
-	audit? ( >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] )
-	berkdb? ( >=sys-libs/db-4.8.30-r1:=[${MULTILIB_USEDEP}] )
-	selinux? ( >=sys-libs/libselinux-2.2.2-r4[${MULTILIB_USEDEP}] )
-	nis? (
-		net-libs/libnsl:=[${MULTILIB_USEDEP}]
-		>=net-libs/libtirpc-0.2.4-r2:=[${MULTILIB_USEDEP}]
-	)
-"
-RDEPEND="${DEPEND}"
-PDEPEND=">=sys-auth/pambase-20200616"
-
-PATCHES=(
-	"${FILESDIR}"/${PN}-1.5.0-locked-accounts.patch
-	"${FILESDIR}/${P}-termios.patch"
-)
-
-src_prepare() {
-	default
-	touch ChangeLog || die
-}
-
-multilib_src_configure() {
-	# Do not let user's BROWSER setting mess us up, bug #549684
-	unset BROWSER
-
-	# This whole weird has_version libxcrypt block can go once
-	# musl systems have libxcrypt[system] if we ever make
-	# that mandatory. See bug #867991.
-	if use elibc_musl && ! has_version sys-libs/libxcrypt[system] ; then
-		# Avoid picking up symbol-versioned compat symbol on musl systems
-		export ac_cv_search_crypt_gensalt_rn=no
-
-		# Need to avoid picking up the libxcrypt headers which define
-		# CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY.
-		cp "${ESYSROOT}"/usr/include/crypt.h "${T}"/crypt.h || die
-		append-cppflags -I"${T}"
-	fi
-
-	local myconf=(
-		CC_FOR_BUILD="$(tc-getBUILD_CC)"
-		--with-db-uniquename=-$(db_findver sys-libs/db)
-		--with-xml-catalog="${EPREFIX}"/etc/xml/catalog
-		--enable-securedir="${EPREFIX}"/$(get_libdir)/security
-		--includedir="${EPREFIX}"/usr/include/security
-		--libdir="${EPREFIX}"/usr/$(get_libdir)
-		--enable-pie
-		--enable-unix
-		--disable-prelude
-		--disable-doc
-		--disable-regenerate-docu
-		--disable-static
-		--disable-Werror
-		# TODO: wire this up now it's more useful as of 1.5.3 (bug #931117)
-		--disable-econf
-
-		# TODO: add elogind support (bug #931115)
-		# lastlog is enabled again for now by us until logind support
-		# is handled. Even then, disabling lastlog will probably need
-		# a news item.
-		--disable-logind
-		--enable-lastlog
-
-		$(use_enable audit)
-		$(use_enable berkdb db)
-		$(use_enable debug)
-		$(use_enable nis)
-		$(use_enable selinux)
-		--enable-isadir='.' # bug #464016
-		--enable-vendordir="/usr/lib/pam/"
-	)
-	ECONF_SOURCE="${S}" econf "${myconf[@]}"
-}
-
-multilib_src_compile() {
-	emake sepermitlockdir="/run/sepermit"
-}
-
-multilib_src_install() {
-	emake DESTDIR="${D}" install \
-		sepermitlockdir="/run/sepermit"
-}
-
-multilib_src_install_all() {
-	find "${ED}" -type f -name '*.la' -delete || die
-
-	# Flatcar: The pam_unix module needs to check the password of
-	# the user which requires read access to /etc/shadow
-	# only. Make it suid instead of using CAP_DAC_OVERRIDE to
-	# avoid a pam -> libcap -> pam dependency loop.
-	fperms 4711 /sbin/unix_chkpwd
-
-	# tmpfiles.eclass is impossible to use because
-	# there is the pam -> tmpfiles -> systemd -> pam dependency loop
-	dodir /usr/lib/tmpfiles.d
-
-	rm "${D}/etc/environment"
-	cp "${FILESDIR}/tmpfiles.d/pam.conf" "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-config.conf
-	cat ->>  "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_
-		d /run/faillock 0755 root root
-	_EOF_
-	use selinux && cat ->>  "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-selinux.conf <<-_EOF_
-		d /run/sepermit 0755 root root
-	_EOF_
-
-	local page
-
-	for page in doc/man/*.{3,5,8} modules/*/*.{5,8} ; do
-		doman ${page}
-	done
-}
-
-pkg_postinst() {
-	ewarn "Some software with pre-loaded PAM libraries might experience"
-	ewarn "warnings or failures related to missing symbols and/or versions"
-	ewarn "after any update. While unfortunate this is a limit of the"
-	ewarn "implementation of PAM and the software, and it requires you to"
-	ewarn "restart the software manually after the update."
-	ewarn ""
-	ewarn "You can get a list of such software running a command like"
-	ewarn "  lsof / | grep -E -i 'del.*libpam\\.so'"
-	ewarn ""
-	ewarn "Alternatively, simply reboot your system."
-}
--- a/sdk_container/src/third_party/portage-stable/sys-libs/pam/pam-1.7.0_p20241230-r3.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/pam/pam-1.7.0_p20241230-r3.ebuild
@ -0,0 +1,192 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+MY_P="Linux-${PN^^}-${PV}"
+
+# Avoid QA warnings
+# Can reconsider w/ EAPI 8 and IDEPEND, bug #810979
+TMPFILES_OPTIONAL=1
+
+inherit db-use fcaps flag-o-matic meson-multilib toolchain-funcs
+
+DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)"
+HOMEPAGE="https://github.com/linux-pam/linux-pam"
+
+if [[ ${PV} == *_p* ]] ; then
+	PAM_COMMIT="e634a3a9be9484ada6e93970dfaf0f055ca17332"
+	SRC_URI="
+		https://github.com/linux-pam/linux-pam/archive/${PAM_COMMIT}.tar.gz -> ${P}.gh.tar.gz
+	"
+	S="${WORKDIR}"/linux-${PN}-${PAM_COMMIT}
+else
+	VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/strace.asc
+	inherit verify-sig
+
+	SRC_URI="
+		https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz
+		verify-sig? ( https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz.asc )
+	"
+	S="${WORKDIR}/${MY_P}"
+
+	BDEPEND="verify-sig? ( sec-keys/openpgp-keys-strace )"
+fi
+
+LICENSE="|| ( BSD GPL-2 )"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux"
+IUSE="audit berkdb elogind examples debug nis nls selinux systemd"
+REQUIRED_USE="?? ( elogind systemd )"
+
+# meson.build specifically checks for bison and then byacc
+# also requires xsltproc
+BDEPEND+="
+	|| ( sys-devel/bison dev-util/byacc )
+	app-text/docbook-xsl-ns-stylesheets
+	dev-libs/libxslt
+	sys-devel/flex
+	virtual/pkgconfig
+	nls? ( sys-devel/gettext )
+"
+DEPEND="
+	virtual/libcrypt:=[${MULTILIB_USEDEP}]
+	>=virtual/libintl-0-r1[${MULTILIB_USEDEP}]
+	audit? ( >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] )
+	berkdb? ( >=sys-libs/db-4.8.30-r1:=[${MULTILIB_USEDEP}] )
+	!berkdb? ( sys-libs/gdbm:=[${MULTILIB_USEDEP}] )
+	elogind? ( >=sys-auth/elogind-254 )
+	selinux? ( >=sys-libs/libselinux-2.2.2-r4[${MULTILIB_USEDEP}] )
+	systemd? ( >=sys-apps/systemd-254:= )
+	nis? (
+		net-libs/libnsl:=[${MULTILIB_USEDEP}]
+		>=net-libs/libtirpc-0.2.4-r2:=[${MULTILIB_USEDEP}]
+	)
+"
+RDEPEND="${DEPEND}"
+PDEPEND=">=sys-auth/pambase-20200616"
+
+src_configure() {
+	# meson.build sets -Wl,--fatal-warnings and with e.g. mold, we get:
+	#  cannot assign version `global` to symbol `pam_sm_open_session`: symbol not found
+	append-ldflags $(test-flags-CCLD -Wl,--undefined-version)
+
+	# Do not let user's BROWSER setting mess us up, bug #549684
+	unset BROWSER
+
+	meson-multilib_src_configure
+}
+
+multilib_src_configure() {
+	local machine_file="${T}/meson.${CHOST}.${ABI}.ini.local"
+	# Workaround for docbook5 not being packaged (bug #913087#c4)
+	# It's only used for validation of output, so stub it out.
+	# Also, stub out elinks+w3m which are only used for an index.
+	cat >> "${machine_file}" <<-EOF || die
+	[binaries]
+	xmlcatalog='true'
+	xmllint='true'
+	elinks='true'
+	w3m='true'
+	EOF
+
+	local emesonargs=()
+
+	if tc-is-cross-compiler; then
+		emesonargs+=( --cross-file "${machine_file}" )
+	else
+		emesonargs+=( --native-file "${machine_file}" )
+	fi
+
+	emesonargs+=(
+		$(meson_feature audit)
+		$(meson_native_use_bool examples)
+		$(meson_use debug pam-debug)
+		$(meson_feature nis)
+		$(meson_feature nls i18n)
+		$(meson_feature selinux)
+
+		-Disadir='.'
+		-Dxml-catalog="${BROOT}"/etc/xml/catalog
+		-Dsbindir="${EPREFIX}"/sbin
+		-Dsecuredir="${EPREFIX}"/$(get_libdir)/security
+		-Ddocdir="${EPREFIX}"/usr/share/doc/${PF}
+		-Dhtmldir="${EPREFIX}"/usr/share/doc/${PF}/html
+		-Dpdfdir="${EPREFIX}"/usr/share/doc/${PF}/pdf
+
+		$(meson_native_enabled docs)
+
+		-Dpam_unix=enabled
+
+		# TODO: wire this up now it's more useful as of 1.5.3 (bug #931117)
+		-Deconf=disabled
+
+		# TODO: lastlog is enabled again for now by us as elogind support
+		# wasn't available at first. Even then, disabling lastlog will
+		# probably need a news item.
+		$(meson_native_use_feature systemd logind)
+		$(meson_native_use_feature elogind)
+		$(meson_feature !elibc_musl pam_lastlog)
+	)
+
+	if use berkdb; then
+		local dbver
+		dbver="$(db_findver sys-libs/db)" || die "could not find db version"
+		local -x CPPFLAGS="${CPPFLAGS} -I$(db_includedir "${dbver}")"
+		emesonargs+=(
+			-Ddb=db
+			-Ddb-uniquename="-${dbver}"
+		)
+	else
+		emesonargs+=(
+			-Ddb=gdbm
+		)
+	fi
+
+	# This whole weird has_version libxcrypt block can go once
+	# musl systems have libxcrypt[system] if we ever make
+	# that mandatory. See bug #867991.
+	#if use elibc_musl && ! has_version sys-libs/libxcrypt[system] ; then
+	#	# Avoid picking up symbol-versioned compat symbol on musl systems
+	#	export ac_cv_search_crypt_gensalt_rn=no
+	#
+	#	# Need to avoid picking up the libxcrypt headers which define
+	#	# CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY.
+	#	cp "${ESYSROOT}"/usr/include/crypt.h "${T}"/crypt.h || die
+	#	append-cppflags -I"${T}"
+	#fi
+
+	meson_src_configure
+}
+
+multilib_src_install_all() {
+	find "${ED}" -type f -name '*.la' -delete || die
+
+	# tmpfiles.eclass is impossible to use because
+	# there is the pam -> tmpfiles -> systemd -> pam dependency loop
+	dodir /usr/lib/tmpfiles.d
+
+	cat ->> "${ED}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_
+		d /run/faillock 0755 root root
+	_EOF_
+	use selinux && cat ->> "${ED}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-selinux.conf <<-_EOF_
+		d /run/sepermit 0755 root root
+	_EOF_
+}
+
+pkg_postinst() {
+	ewarn "Some software with pre-loaded PAM libraries might experience"
+	ewarn "warnings or failures related to missing symbols and/or versions"
+	ewarn "after any update. While unfortunate this is a limit of the"
+	ewarn "implementation of PAM and the software, and it requires you to"
+	ewarn "restart the software manually after the update."
+	ewarn ""
+	ewarn "You can get a list of such software running a command like"
+	ewarn "  lsof / | grep -E -i 'del.*libpam\\.so'"
+	ewarn ""
+	ewarn "Alternatively, simply reboot your system."
+
+	# The pam_unix module needs to check the password of the user which requires
+	# read access to /etc/shadow only.
+	fcaps -m u+s cap_dac_override sbin/unix_chkpwd
+}
--- a/sdk_container/src/third_party/portage-stable/sys-libs/pam/pam-1.7.1-r1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/pam/pam-1.7.1-r1.ebuild
@ -0,0 +1,191 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+MY_P="Linux-${PN^^}-${PV}"
+
+# Avoid QA warnings
+# Can reconsider w/ EAPI 8 and IDEPEND, bug #810979
+TMPFILES_OPTIONAL=1
+
+inherit db-use fcaps flag-o-matic meson-multilib
+
+DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)"
+HOMEPAGE="https://github.com/linux-pam/linux-pam"
+
+if [[ ${PV} == *_p* ]] ; then
+	PAM_COMMIT="e634a3a9be9484ada6e93970dfaf0f055ca17332"
+	SRC_URI="
+		https://github.com/linux-pam/linux-pam/archive/${PAM_COMMIT}.tar.gz -> ${P}.gh.tar.gz
+	"
+	S="${WORKDIR}"/linux-${PN}-${PAM_COMMIT}
+else
+	VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/strace.asc
+	inherit verify-sig
+
+	SRC_URI="
+		https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz
+		verify-sig? ( https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz.asc )
+	"
+	S="${WORKDIR}/${MY_P}"
+
+	BDEPEND="verify-sig? ( sec-keys/openpgp-keys-strace )"
+fi
+
+LICENSE="|| ( BSD GPL-2 )"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux"
+IUSE="audit berkdb elogind examples debug nis nls selinux systemd"
+REQUIRED_USE="?? ( elogind systemd )"
+
+# meson.build specifically checks for bison and then byacc
+# also requires xsltproc
+BDEPEND+="
+	|| ( sys-devel/bison dev-util/byacc )
+	app-text/docbook-xsl-ns-stylesheets
+	dev-libs/libxslt
+	sys-devel/flex
+	virtual/pkgconfig
+	nls? ( sys-devel/gettext )
+"
+DEPEND="
+	virtual/libcrypt:=[${MULTILIB_USEDEP}]
+	>=virtual/libintl-0-r1[${MULTILIB_USEDEP}]
+	audit? ( >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] )
+	berkdb? ( >=sys-libs/db-4.8.30-r1:=[${MULTILIB_USEDEP}] )
+	!berkdb? ( sys-libs/gdbm:=[${MULTILIB_USEDEP}] )
+	elogind? ( >=sys-auth/elogind-254 )
+	selinux? ( >=sys-libs/libselinux-2.2.2-r4[${MULTILIB_USEDEP}] )
+	systemd? ( >=sys-apps/systemd-254:= )
+	nis? (
+		net-libs/libnsl:=[${MULTILIB_USEDEP}]
+		>=net-libs/libtirpc-0.2.4-r2:=[${MULTILIB_USEDEP}]
+	)
+"
+RDEPEND="${DEPEND}"
+PDEPEND=">=sys-auth/pambase-20200616"
+
+PATCHES=(
+	"${FILESDIR}"/${P}-32-bit-lastlog.patch
+	"${FILESDIR}"/${P}-32-bit-timestamp.patch
+)
+
+src_configure() {
+	# meson.build sets -Wl,--fatal-warnings and with e.g. mold, we get:
+	#  cannot assign version `global` to symbol `pam_sm_open_session`: symbol not found
+	append-ldflags $(test-flags-CCLD -Wl,--undefined-version)
+
+	# Do not let user's BROWSER setting mess us up, bug #549684
+	unset BROWSER
+
+	meson-multilib_src_configure
+}
+
+multilib_src_configure() {
+	local machine_file="${T}/meson.${CHOST}.${ABI}.ini.local"
+	# Workaround for docbook5 not being packaged (bug #913087#c4)
+	# It's only used for validation of output, so stub it out.
+	# Also, stub out elinks+w3m which are only used for an index.
+	cat >> "${machine_file}" <<-EOF || die
+	[binaries]
+	xmlcatalog='true'
+	xmllint='true'
+	elinks='true'
+	w3m='true'
+	EOF
+
+	local emesonargs=(
+		--native-file "${machine_file}"
+
+		$(meson_feature audit)
+		$(meson_native_use_bool examples)
+		$(meson_use debug pam-debug)
+		$(meson_feature nis)
+		$(meson_feature nls i18n)
+		$(meson_feature selinux)
+
+		-Disadir='.'
+		-Dxml-catalog="${BROOT}"/etc/xml/catalog
+		-Dsbindir="${EPREFIX}"/sbin
+		-Dsecuredir="${EPREFIX}"/$(get_libdir)/security
+		-Ddocdir="${EPREFIX}"/usr/share/doc/${PF}
+		-Dhtmldir="${EPREFIX}"/usr/share/doc/${PF}/html
+		-Dpdfdir="${EPREFIX}"/usr/share/doc/${PF}/pdf
+
+		$(meson_native_enabled docs)
+
+		-Dpam_unix=enabled
+
+		# TODO: wire this up now it's more useful as of 1.5.3 (bug #931117)
+		-Deconf=disabled
+
+		# TODO: lastlog is enabled again for now by us as elogind support
+		# wasn't available at first. Even then, disabling lastlog will
+		# probably need a news item.
+		$(meson_native_use_feature systemd logind)
+		$(meson_native_use_feature elogind)
+		$(meson_feature !elibc_musl pam_lastlog)
+	)
+
+	if use berkdb; then
+		local dbver
+		dbver="$(db_findver sys-libs/db)" || die "could not find db version"
+		local -x CPPFLAGS="${CPPFLAGS} -I$(db_includedir "${dbver}")"
+		emesonargs+=(
+			-Ddb=db
+			-Ddb-uniquename="-${dbver}"
+		)
+	else
+		emesonargs+=(
+			-Ddb=gdbm
+		)
+	fi
+
+	# This whole weird has_version libxcrypt block can go once
+	# musl systems have libxcrypt[system] if we ever make
+	# that mandatory. See bug #867991.
+	#if use elibc_musl && ! has_version sys-libs/libxcrypt[system] ; then
+	#	# Avoid picking up symbol-versioned compat symbol on musl systems
+	#	export ac_cv_search_crypt_gensalt_rn=no
+	#
+	#	# Need to avoid picking up the libxcrypt headers which define
+	#	# CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY.
+	#	cp "${ESYSROOT}"/usr/include/crypt.h "${T}"/crypt.h || die
+	#	append-cppflags -I"${T}"
+	#fi
+
+	meson_src_configure
+}
+
+multilib_src_install_all() {
+	find "${ED}" -type f -name '*.la' -delete || die
+
+	# tmpfiles.eclass is impossible to use because
+	# there is the pam -> tmpfiles -> systemd -> pam dependency loop
+	dodir /usr/lib/tmpfiles.d
+
+	cat ->> "${ED}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_
+		d /run/faillock 0755 root root
+	_EOF_
+	use selinux && cat ->> "${ED}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-selinux.conf <<-_EOF_
+		d /run/sepermit 0755 root root
+	_EOF_
+}
+
+pkg_postinst() {
+	ewarn "Some software with pre-loaded PAM libraries might experience"
+	ewarn "warnings or failures related to missing symbols and/or versions"
+	ewarn "after any update. While unfortunate this is a limit of the"
+	ewarn "implementation of PAM and the software, and it requires you to"
+	ewarn "restart the software manually after the update."
+	ewarn ""
+	ewarn "You can get a list of such software running a command like"
+	ewarn "  lsof / | grep -E -i 'del.*libpam\\.so'"
+	ewarn ""
+	ewarn "Alternatively, simply reboot your system."
+
+	# The pam_unix module needs to check the password of the user which requires
+	# read access to /etc/shadow only.
+	fcaps -m u+s cap_dac_read_search sbin/unix_chkpwd
+}
--- a/sdk_container/src/third_party/portage-stable/sys-libs/pam/pam-1.7.1-r2.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/pam/pam-1.7.1-r2.ebuild
@ -0,0 +1,202 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+MY_P="Linux-${PN^^}-${PV}"
+
+# Avoid QA warnings
+# Can reconsider w/ EAPI 8 and IDEPEND, bug #810979
+TMPFILES_OPTIONAL=1
+
+inherit db-use flag-o-matic meson-multilib user-info
+
+DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)"
+HOMEPAGE="https://github.com/linux-pam/linux-pam"
+
+if [[ ${PV} == *_p* ]] ; then
+	PAM_COMMIT="e634a3a9be9484ada6e93970dfaf0f055ca17332"
+	SRC_URI="
+		https://github.com/linux-pam/linux-pam/archive/${PAM_COMMIT}.tar.gz -> ${P}.gh.tar.gz
+	"
+	S="${WORKDIR}"/linux-${PN}-${PAM_COMMIT}
+else
+	VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/strace.asc
+	inherit verify-sig
+
+	SRC_URI="
+		https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz
+		verify-sig? ( https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz.asc )
+	"
+	S="${WORKDIR}/${MY_P}"
+
+	BDEPEND="verify-sig? ( sec-keys/openpgp-keys-strace )"
+fi
+
+LICENSE="|| ( BSD GPL-2 )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux"
+IUSE="audit berkdb elogind examples debug nis nls selinux systemd"
+REQUIRED_USE="?? ( elogind systemd )"
+
+# meson.build specifically checks for bison and then byacc
+# also requires xsltproc
+BDEPEND+="
+	acct-group/shadow
+	|| ( sys-devel/bison dev-util/byacc )
+	app-text/docbook-xsl-ns-stylesheets
+	dev-libs/libxslt
+	sys-devel/flex
+	virtual/pkgconfig
+	nls? ( sys-devel/gettext )
+"
+DEPEND="
+	virtual/libcrypt:=[${MULTILIB_USEDEP}]
+	>=virtual/libintl-0-r1[${MULTILIB_USEDEP}]
+	audit? ( >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] )
+	berkdb? ( >=sys-libs/db-4.8.30-r1:=[${MULTILIB_USEDEP}] )
+	!berkdb? ( sys-libs/gdbm:=[${MULTILIB_USEDEP}] )
+	elogind? ( >=sys-auth/elogind-254 )
+	selinux? ( >=sys-libs/libselinux-2.2.2-r4[${MULTILIB_USEDEP}] )
+	systemd? ( >=sys-apps/systemd-254:= )
+	nis? (
+		net-libs/libnsl:=[${MULTILIB_USEDEP}]
+		>=net-libs/libtirpc-0.2.4-r2:=[${MULTILIB_USEDEP}]
+	)
+"
+RDEPEND="${DEPEND}
+	acct-group/shadow
+"
+PDEPEND=">=sys-auth/pambase-20200616"
+
+PATCHES=(
+	"${FILESDIR}"/${P}-32-bit-lastlog.patch
+	"${FILESDIR}"/${P}-32-bit-timestamp.patch
+)
+
+src_configure() {
+	# meson.build sets -Wl,--fatal-warnings and with e.g. mold, we get:
+	#  cannot assign version `global` to symbol `pam_sm_open_session`: symbol not found
+	append-ldflags $(test-flags-CCLD -Wl,--undefined-version)
+
+	# Do not let user's BROWSER setting mess us up, bug #549684
+	unset BROWSER
+
+	meson-multilib_src_configure
+}
+
+multilib_src_configure() {
+	local machine_file="${T}/meson.${CHOST}.${ABI}.ini.local"
+	# Workaround for docbook5 not being packaged (bug #913087#c4)
+	# It's only used for validation of output, so stub it out.
+	# Also, stub out elinks+w3m which are only used for an index.
+	cat >> "${machine_file}" <<-EOF || die
+	[binaries]
+	xmlcatalog='true'
+	xmllint='true'
+	elinks='true'
+	w3m='true'
+	EOF
+
+	local emesonargs=(
+		--native-file "${machine_file}"
+
+		$(meson_feature audit)
+		$(meson_native_use_bool examples)
+		$(meson_use debug pam-debug)
+		$(meson_feature nis)
+		$(meson_feature nls i18n)
+		$(meson_feature selinux)
+
+		-Disadir='.'
+		-Dxml-catalog="${BROOT}"/etc/xml/catalog
+		-Dsbindir="${EPREFIX}"/sbin
+		-Dsecuredir="${EPREFIX}"/$(get_libdir)/security
+		-Ddocdir="${EPREFIX}"/usr/share/doc/${PF}
+		-Dhtmldir="${EPREFIX}"/usr/share/doc/${PF}/html
+		-Dpdfdir="${EPREFIX}"/usr/share/doc/${PF}/pdf
+
+		$(meson_native_enabled docs)
+
+		-Dpam_unix=enabled
+
+		# TODO: wire this up now it's more useful as of 1.5.3 (bug #931117)
+		-Deconf=disabled
+
+		# TODO: lastlog is enabled again for now by us as elogind support
+		# wasn't available at first. Even then, disabling lastlog will
+		# probably need a news item.
+		$(meson_native_use_feature systemd logind)
+		$(meson_native_use_feature elogind)
+		$(meson_feature !elibc_musl pam_lastlog)
+	)
+
+	if use berkdb; then
+		local dbver
+		dbver="$(db_findver sys-libs/db)" || die "could not find db version"
+		local -x CPPFLAGS="${CPPFLAGS} -I$(db_includedir "${dbver}")"
+		emesonargs+=(
+			-Ddb=db
+			-Ddb-uniquename="-${dbver}"
+		)
+	else
+		emesonargs+=(
+			-Ddb=gdbm
+		)
+	fi
+
+	# This whole weird has_version libxcrypt block can go once
+	# musl systems have libxcrypt[system] if we ever make
+	# that mandatory. See bug #867991.
+	#if use elibc_musl && ! has_version sys-libs/libxcrypt[system] ; then
+	#	# Avoid picking up symbol-versioned compat symbol on musl systems
+	#	export ac_cv_search_crypt_gensalt_rn=no
+	#
+	#	# Need to avoid picking up the libxcrypt headers which define
+	#	# CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY.
+	#	cp "${ESYSROOT}"/usr/include/crypt.h "${T}"/crypt.h || die
+	#	append-cppflags -I"${T}"
+	#fi
+
+	meson_src_configure
+}
+
+multilib_src_install_all() {
+	find "${ED}" -type f -name '*.la' -delete || die
+
+	fowners :shadow /sbin/unix_chkpwd
+	fperms g+s /sbin/unix_chkpwd
+
+	# tmpfiles.eclass is impossible to use because
+	# there is the pam -> tmpfiles -> systemd -> pam dependency loop
+	dodir /usr/lib/tmpfiles.d
+
+	cat ->> "${ED}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_
+		d /run/faillock 0755 root root
+	_EOF_
+	use selinux && cat ->> "${ED}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-selinux.conf <<-_EOF_
+		d /run/sepermit 0755 root root
+	_EOF_
+}
+
+pkg_postinst() {
+	if [[ -n ${ROOT} ]]; then
+		# Portage does not currently update the gid on installed files
+		# based on ${EROOT}/etc/group.
+		local gid=$(egetent group shadow | cut -d: -f3)
+		if [[ -n ${gid} ]]; then
+			chgrp "${gid}" "${EROOT}/sbin/unix_chkpwd" &&
+			chmod g+s "${EROOT}/sbin/unix_chkpwd"
+		fi
+	fi
+	ewarn "Some software with pre-loaded PAM libraries might experience"
+	ewarn "warnings or failures related to missing symbols and/or versions"
+	ewarn "after any update. While unfortunate this is a limit of the"
+	ewarn "implementation of PAM and the software, and it requires you to"
+	ewarn "restart the software manually after the update."
+	ewarn ""
+	ewarn "You can get a list of such software running a command like"
+	ewarn "  lsof / | grep -E -i 'del.*libpam\\.so'"
+	ewarn ""
+	ewarn "Alternatively, simply reboot your system."
+}