sys-libs/pam: Import pam 1.5.1 from gentoo

Import sys-libs/pam 1.5.1 from upstream Gentoo, mainly to address
CVE-2020-27780, a flaw in the way it handles empty passwords for
non-existing users. When the user doesn't exist, PAM tries to authenticate
with root, and in the case of an empty password it successfully
authenticates.

https://github.com/linux-pam/linux-pam/issues/284
https://github.com/linux-pam/linux-pam/pull/300
Krzesimir Nowak 2020-08-18 20:23:24 +02:00 committed by Kai Lüke
parent f940214eff
commit 8a585bd57a
8 changed files with 160 additions and 1856 deletions


@ -1,126 +0,0 @@
# ChangeLog for sys-libs/pam
# Copyright 1999-2016 Gentoo Foundation; Distributed under the GPL v2
# (auto-generated from git log)
*pam-1.2.1-r1 (09 Aug 2015)
*pam-1.2.1 (09 Aug 2015)
*pam-1.2.0 (09 Aug 2015)
*pam-1.1.8-r3 (09 Aug 2015)
*pam-1.1.8-r2 (09 Aug 2015)
*pam-1.1.8-r1 (09 Aug 2015)
*pam-1.1.8 (09 Aug 2015)
*pam-1.1.6-r2 (09 Aug 2015)
*pam-1.1.5 (09 Aug 2015)
09 Aug 2015; Robin H. Johnson <robbat2@gentoo.org>
+files/Linux-PAM-1.1.5+glibc-2.16.patch,
+files/Linux-PAM-1.1.6+glibc-2.16.patch,
+files/Linux-PAM-1.1.6-destdir.patch, +files/pam-1.1.8-CVE-2013-7041.patch,
+files/pam-1.1.8-CVE-2014-2583.patch, +files/pam-1.1.8-doc-install.patch,
+metadata.xml, +pam-1.1.5.ebuild, +pam-1.1.6-r2.ebuild, +pam-1.1.8.ebuild,
+pam-1.1.8-r1.ebuild, +pam-1.1.8-r2.ebuild, +pam-1.1.8-r3.ebuild,
+pam-1.2.0.ebuild, +pam-1.2.1.ebuild, +pam-1.2.1-r1.ebuild:
proj/gentoo: Initial commit
This commit represents a new era for Gentoo:
Storing the gentoo-x86 tree in Git, as converted from CVS.
This commit is the start of the NEW history.
Any historical data is intended to be grafted onto this point.
Creation process:
1. Take final CVS checkout snapshot
2. Remove ALL ChangeLog* files
3. Transform all Manifests to thin
4. Remove empty Manifests
5. Convert all stale $Header$/$Id$ CVS keywords to non-expanded Git $Id$
5.1. Do not touch files with -kb/-ko keyword flags.
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
X-Thanks: Alec Warner <antarus@gentoo.org> - did the GSoC 2006 migration
tests
X-Thanks: Robin H. Johnson <robbat2@gentoo.org> - infra guy, herding this
project
X-Thanks: Nguyen Thai Ngoc Duy <pclouds@gentoo.org> - Former Gentoo
developer, wrote Git features for the migration
X-Thanks: Brian Harring <ferringb@gentoo.org> - wrote much python to improve
cvs2svn
X-Thanks: Rich Freeman <rich0@gentoo.org> - validation scripts
X-Thanks: Patrick Lauer <patrick@gentoo.org> - Gentoo dev, running new 2014
work in migration
X-Thanks: Michał Górny <mgorny@gentoo.org> - scripts, QA, nagging
X-Thanks: All of other Gentoo developers - many ideas and lots of paint on
the bikeshed
19 Aug 2015; Mike Frysinger <vapier@gentoo.org> pam-1.2.1.ebuild:
mark 1.2.1 stable for arm64/m68k/s390/sh
19 Aug 2015; Mike Frysinger <vapier@gentoo.org> pam-1.2.1.ebuild,
pam-1.2.1-r1.ebuild:
require pkgconfig only when USE=nis
The only library pam uses pkg-config to look up is libtirpc, and we
use that only when USE=nis. Depend on pkg-config only when that is
enabled to avoid circular dependencies (especially when bootstrapping).
24 Aug 2015; Justin Lecher <jlec@gentoo.org> metadata.xml, pam-1.1.5.ebuild,
pam-1.1.6-r2.ebuild, pam-1.1.8.ebuild, pam-1.1.8-r1.ebuild,
pam-1.1.8-r2.ebuild, pam-1.1.8-r3.ebuild, pam-1.2.0.ebuild,
pam-1.2.1.ebuild, pam-1.2.1-r1.ebuild:
Use https by default
Convert all URLs for sites supporting encrypted connections from http to
https
Signed-off-by: Justin Lecher <jlec@gentoo.org>
24 Aug 2015; Justin Lecher <jlec@gentoo.org> pam-1.1.5.ebuild,
pam-1.1.6-r2.ebuild, pam-1.1.8.ebuild, pam-1.1.8-r1.ebuild,
pam-1.1.8-r2.ebuild, pam-1.1.8-r3.ebuild, pam-1.2.0.ebuild,
pam-1.2.1.ebuild, pam-1.2.1-r1.ebuild:
Use https by default
Convert all URLs for sites supporting encrypted connections from http to
https
Signed-off-by: Justin Lecher <jlec@gentoo.org>
24 Aug 2015; Mike Gilbert <floppym@gentoo.org> metadata.xml:
Revert DOCTYPE SYSTEM https changes in metadata.xml
repoman does not yet accept the https version.
This partially reverts eaaface92ee81f30a6ac66fe7acbcc42c00dc450.
Bug: https://bugs.gentoo.org/552720
08 Oct 2015; Markos Chandras <hwoarang@gentoo.org> metadata.xml:
audit: Switch to global 'audit' use flag where appropriate
Link: https://archives.gentoo.org/gentoo-
dev/message/32b1e333faa627491baa3c7492d64956
23 Dec 2015; Mike Frysinger <vapier@gentoo.org> pam-1.2.1-r1.ebuild:
avoid regenerating docs #569338
Since we're using the old doc tarball, the timestamps are older than
the new source tarball, so the code tries to rebuild everything.
24 Jan 2016; Michał Górny <mgorny@gentoo.org> metadata.xml:
Replace all herds with appropriate projects (GLEP 67)
Replace all uses of herd with appropriate project maintainers, or no
maintainers in case of herds requested to be disbanded.
24 Jan 2016; Michał Górny <mgorny@gentoo.org> metadata.xml:
Set appropriate maintainer types in metadata.xml (GLEP 67)
30 Mar 2016; Mike Frysinger <vapier@gentoo.org>
-files/Linux-PAM-1.1.5+glibc-2.16.patch,
-files/Linux-PAM-1.1.6+glibc-2.16.patch,
-files/Linux-PAM-1.1.6-destdir.patch, -files/pam-1.1.8-CVE-2013-7041.patch,
-files/pam-1.1.8-CVE-2014-2583.patch, -files/pam-1.1.8-doc-install.patch,
-pam-1.1.5.ebuild, -pam-1.1.6-r2.ebuild, -pam-1.1.8.ebuild,
-pam-1.1.8-r1.ebuild, -pam-1.1.8-r2.ebuild, -pam-1.1.8-r3.ebuild,
-pam-1.2.0.ebuild:
drop old <1.2.1 versions

File diff suppressed because it is too large


@ -1,7 +1,2 @@
DIST Linux-PAM-1.2.0-docs.tar.bz2 490586 SHA256 3bc9ae398f759e372dbf4065ceed2df8b1ac5ab62c6688cb5f7849ce773df2c3 SHA512 028b7f9d6b0a5cf38f063e0f82ac3d0955e1e41d77c9f3fc803363d9ea710d71366e0a91f31b418cac397bb6639442de908fa00f02cd94cf612496d1b43c7e4c WHIRLPOOL 9a329b610d840c904050b2261e5ce34ac54232b0c7d51c12ee45c9e758ab6659ea8562e032fa9815c2beab0cfa1ea455dbfbf3cdef39d30d299a8bc5286f7a14
DIST Linux-PAM-1.2.1.tar.bz2 1279523 SHA256 342b1211c0d3b203a7df2540a5b03a428a087bd8a48c17e49ae268f992b334d9 SHA512 4572aa1eaf5a1312410c74b5ed055b2592c5efe2bb82f59981da4e9e93555ad40aee3a89f446d9dc6c6af79efc04c33f739f66db9edc07e02479475a14e426da WHIRLPOOL 562917945b3b3a407955cc5bf5cd251ff7e257a94055d7cfbf06d5c2619b58d61624f16848de3512ddf61636ad8618315de3f7bd8e4e51b3b7d109adfa212c8a
EBUILD pam-1.2.1-r1.ebuild 6323 SHA256 65bba979d3e102c5ca299c5aa5fff77a4a3f6a2cef282672f0cd82a8e7d3da6f SHA512 aa78e3401a56c4441034e4126ac5499fb49453db8eaa95c4ad34b10f10f22ba524379490e2b3a78cc3b04295d423badb39049f7bdfc3d6d8f6f5b0ea7d24ecda WHIRLPOOL 71cfc86112ea6edc53486ceebd951122f6b3b9e0312c7aa671e48500e1dbf21bf9a4618ee75ed6f3b50281b76adee7bf7837130a0e183800a0be77a9764bf4c0
EBUILD pam-1.2.1.ebuild 6085 SHA256 cc149ab1519f76c03ada1b5dd183b6dfc1391ac1da3e3c07274e7f8c80371c0a SHA512 e9014ef4a54949c8fa1d744e4385fefd55a15bae24a6fa470fc8da830733068e681982adc779da55e39cef78bff34660834c228ac9cde51ceddae7bd7ecc3177 WHIRLPOOL 93b1096e752eb8687afd5b236d4c03d4de9d65f3f4aab5657ea126d18845ac13f128ab39074118ab1a3a70b96394e025f909831d15a66a77d02ba679a65f599e
MISC ChangeLog 5004 SHA256 775004eeff9257c2a4e3a01f73b5ba6234b9cbcde581dc4857c55fe32274a7fd SHA512 d277eba55a22629e7a6d678c0a32cf77d1ab266477f156685c8c9dbd1a40a8863038cd5c814b45bb145e84a95c3d6c9521c66b1ab2c12369d2959fb3e091cf2a WHIRLPOOL 77c44285398cda118dbcbbbe9b97ee12e262423141dd22a36ab9acbf6c0dafb54aa810c748d0adfea22d70f6712b3cb2fee392804d32b8be271c1c0f206f70e2
MISC ChangeLog-2015 56879 SHA256 1d6672e1e44f22c74a18b024729d90402209f412b7f24e5e87511bd720cb4073 SHA512 01b442a6401e1992ef563b52745ba90724a1d291e3572497d3b5dbf8fa756dc6d220ad61e55c9fe6139e7e4e64ee3b380e457153725fa9d0516113b3ee3914d7 WHIRLPOOL 88ef69921a8811210393f045f61742b7cf3c3fec051d83d28d9dcc0eb60373c488a31c44d9d216e06b5c890cdf357c83cb17df0ed395f5372c5a8e3904ad7bdb
MISC metadata.xml 1135 SHA256 19e87cb2aa29dcd1b12d3fd5a001a7fe08fcb9153cc80045d0b95a88c4cad3d7 SHA512 de2a617918085c4e6a7a1976447ed2c0bcdb8eb257d28351e095b29ea219382ce8964206ba0fcdefe9b69db9ab17a52556371cfbee3ed4d5c5293c8d21738d55 WHIRLPOOL abf1d986d9fb8a6654db2ecb982ef50a4aea376c5386f3b68baec1faa19811a6b58f1a08e617711737879f173db729e34d92c8be29ee4acb47f2a0deec5241fc
DIST Linux-PAM-1.5.1-docs.tar.xz 441632 BLAKE2B 1b3ad1b5167936b8c38977b5328ee11c7d280eb905a0f444e555d24f9d5332583f7e0ce0a758242292ff1244bc082b73d661935647e583e2ebcd8d5058df413e SHA512 95f0b0225e96386f06f5f869203163a201af3ac5c1a4fa8bd30779b9f55290e1a5b63fa49e2efafa1a51476bad1acf258b1f37f56a4bdc3935f9fe5928cbc1f7
DIST Linux-PAM-1.5.1.tar.xz 972964 BLAKE2B a1714569587a383fa8211b23765c66b08b18dc2808c1521a904171dc2886cced56e9afa27408e8a9d5eec6226b31390dc8f14434071370f4e1147c77ce8b36ac SHA512 1db091fc43b934dde220f1b85f35937fbaa0a3feec699b2e597e2cdf0c3ce11c17d36d2286d479c9eed24e8ca3ca6233214e4dff256db47249e358c01d424837


@ -1,13 +0,0 @@
diff -ur Linux-PAM-1.2.1.orig/modules/pam_unix/pam_unix_acct.c Linux-PAM-1.2.1/modules/pam_unix/pam_unix_acct.c
--- Linux-PAM-1.2.1.orig/modules/pam_unix/pam_unix_acct.c 2015-03-24 05:02:32.000000000 -0700
+++ Linux-PAM-1.2.1/modules/pam_unix/pam_unix_acct.c 2016-04-05 12:48:08.344913637 -0700
@@ -219,6 +219,9 @@
return retval;
}
+ if (pwent->pw_passwd != NULL && pwent->pw_passwd[0] == '!')
+ return PAM_PERM_DENIED;
+
if (retval == PAM_SUCCESS && spent == NULL)
return PAM_SUCCESS;
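
Review bot: Deleting this patch removes the downstream check in pam_unix_acct.c that returned PAM_PERM_DENIED when pwent->pw_passwd begins with '!', and the new ebuild's src_prepare runs only `default`, `touch ChangeLog` and `eautoreconf`, so nothing visible here carries that check forward. Please confirm whether 1.5.1 rejects such locked accounts in the account phase on its own, or keep the patch, and record the answer in the commit message, which currently mentions only CVE-2020-27780.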


@ -1,11 +0,0 @@
d /etc/pam.d 0755 root root - -
d /etc/security 0755 root root - -
d /etc/security/limits.d 0755 root root - -
d /etc/security/namespace.d 0755 root root - -
f /etc/environment 0755 root root - -
L /etc/security/access.conf - - - - ../../usr/lib/pam/access.conf
L /etc/security/group.conf - - - - ../../usr/lib/pam/group.conf
L /etc/security/limits.conf - - - - ../../usr/lib/pam/limits.conf
L /etc/security/namespace.conf - - - - ../../usr/lib/pam/namespace.conf
L /etc/security/pam_env.conf - - - - ../../usr/lib/pam/pam_env.conf
L /etc/security/time.conf - - - - ../../usr/lib/pam/time.conf
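
Review bot: With these tmpfiles.d entries gone, nothing in the commit creates /etc/pam.d, /etc/security or the /etc/security/*.conf symlinks into ../../usr/lib/pam/, and the new ebuild also drops SCONFIGDIR="/usr/lib/pam/" from `emake install`, so access.conf, group.conf, limits.conf, namespace.conf, pam_env.conf and time.conf will be installed to the upstream default location instead. Please state where those files end up after this change and whether a system that already has the old symlinks is left with dangling links under /etc/security.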


@ -1,29 +1,30 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="project">
<email>pam-bugs@gentoo.org</email>
</maintainer>
<use>
<flag name="berkdb">
Build the pam_userdb module, that allows to authenticate users
against a Berkeley DB file. Please note that enabling this USE
flag will create a PAM module that links to the Berkeley DB (as
provided by <pkg>sys-libs/db</pkg>) installed in /usr/lib and
will thus not work for boot-critical services authentication.
</flag>
<maintainer type="person">
<email>zlogene@gentoo.org</email>
<name>Mikle Kolyada</name>
</maintainer>
<use>
<flag name="berkdb">
Build the pam_userdb module, that allows to authenticate users
against a Berkeley DB file. Please note that enabling this USE
flag will create a PAM module that links to the Berkeley DB (as
provided by <pkg>sys-libs/db</pkg>) installed in /usr/lib and
will thus not work for boot-critical services authentication.
</flag>
<flag name="cracklib">
Build the pam_cracklib module, that allows to verify the chosen
passwords' strength through the use of
<pkg>sys-libs/cracklib</pkg>. Please note that simply enabling
the USE flag on this package will not make use of pam_cracklib
by default, you should also enable it in
<pkg>sys-auth/pambase</pkg> as well as update your configuration
files.
</flag>
</use>
<upstream>
<remote-id type="cpe">cpe:/a:kernel:linux-pam</remote-id>
</upstream>
<flag name="cracklib">
Build the pam_cracklib module, that allows to verify the chosen
passwords' strength through the use of
<pkg>sys-libs/cracklib</pkg>. Please note that simply enabling
the USE flag on this package will not make use of pam_cracklib
by default, you should also enable it in
<pkg>sys-auth/pambase</pkg> as well as update your configuration
files.
</flag>
</use>
<upstream>
<remote-id type="cpe">cpe:/a:kernel:linux-pam</remote-id>
</upstream>
</pkgmetadata>
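
Review bot: The `<flag name="cracklib">` description is still present in `<use>`, but the pam-1.5.1 ebuild added in this commit declares IUSE="audit berkdb debug nis +pie selinux" with no cracklib, so metadata.xml documents a flag the package no longer offers. Drop the cracklib block, or note in the commit message that the file is kept identical to Gentoo's on purpose.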


@ -1,188 +0,0 @@
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$
EAPI=5
inherit libtool multilib multilib-minimal eutils pam toolchain-funcs flag-o-matic db-use systemd
MY_PN="Linux-PAM"
MY_P="${MY_PN}-${PV}"
DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)"
HOMEPAGE="http://www.linux-pam.org/ https://fedorahosted.org/linux-pam/"
SRC_URI="http://www.linux-pam.org/library/${MY_P}.tar.bz2
http://www.linux-pam.org/documentation/${MY_PN}-1.2.0-docs.tar.bz2"
LICENSE="|| ( BSD GPL-2 )"
SLOT="0"
KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-linux ~ia64-linux ~x86-linux"
IUSE="audit berkdb cracklib debug nis nls +pie selinux test vim-syntax"
RDEPEND="nls? ( >=virtual/libintl-0-r1[${MULTILIB_USEDEP}] )
cracklib? ( >=sys-libs/cracklib-2.9.1-r1[${MULTILIB_USEDEP}] )
audit? ( >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] )
selinux? ( >=sys-libs/libselinux-2.2.2-r4[${MULTILIB_USEDEP}] )
berkdb? ( >=sys-libs/db-4.8.30-r1[${MULTILIB_USEDEP}] )
nis? ( >=net-libs/libtirpc-0.2.4-r2[${MULTILIB_USEDEP}] )"
DEPEND="${RDEPEND}
>=sys-devel/libtool-2
>=sys-devel/flex-2.5.39-r1[${MULTILIB_USEDEP}]
nls? ( sys-devel/gettext )
nis? ( >=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}] )"
PDEPEND="sys-auth/pambase
vim-syntax? ( app-vim/pam-syntax )"
RDEPEND="${RDEPEND}
!<sys-apps/openrc-0.11.8
!sys-auth/openpam
!sys-auth/pam_userdb
abi_x86_32? (
!<=app-emulation/emul-linux-x86-baselibs-20140508-r7
!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
)"
S="${WORKDIR}/${MY_P}"
check_old_modules() {
local retval="0"
if sed -e 's:#.*::' "${EROOT}"/etc/pam.d/* 2>/dev/null | fgrep -q pam_stack.so; then
eerror ""
eerror "Your current setup is using the pam_stack module."
eerror "This module is deprecated and no longer supported, and since version"
eerror "0.99 is no longer installed, nor provided by any other package."
eerror "The package will be built (to allow binary package builds), but will"
eerror "not be installed."
eerror "Please replace pam_stack usage with proper include directive usage,"
eerror "following the PAM Upgrade guide at the following URL"
eerror " https://www.gentoo.org/proj/en/base/pam/upgrade-0.99.xml"
eerror ""
retval=1
fi
if sed -e 's:#.*::' "${EROOT}"/etc/pam.d/* 2>/dev/null | egrep -q 'pam_(pwdb|console)'; then
eerror ""
eerror "Your current setup is using one or more of the following modules,"
eerror "that are not built or supported anymore:"
eerror "pam_pwdb, pam_console"
eerror "If you are in real need for these modules, please contact the maintainers"
eerror "of PAM through https://bugs.gentoo.org/ providing information about its"
eerror "use cases."
eerror "Please also make sure to read the PAM Upgrade guide at the following URL:"
eerror " https://www.gentoo.org/proj/en/base/pam/upgrade-0.99.xml"
eerror ""
retval=1
fi
return ${retval}
}
pkg_pretend() {
# do not error out, this is just a warning, one could build a binpkg
# with old modules enabled.
check_old_modules
}
src_unpack() {
# Upstream didn't release a new doc tarball (since nothing changed?).
unpack ${MY_PN}-1.2.0-docs.tar.bz2
mv Linux-PAM-1.2.{0,1} || die
unpack ${MY_P}.tar.bz2
}
src_prepare() {
epatch "${FILESDIR}"/pam-1.2.1-locked-accounts.patch
elibtoolize
}
multilib_src_configure() {
# Do not let user's BROWSER setting mess us up. #549684
unset BROWSER
# Disable automatic detection of libxcrypt; we _don't_ want the
# user to link libxcrypt in by default, since we won't track the
# dependency and allow to break PAM this way.
export ac_cv_header_xcrypt_h=no
local myconf=(
--docdir='$(datarootdir)'/doc/${PF}
--htmldir='$(docdir)/html'
--libdir='$(prefix)'/$(get_libdir)
--enable-securedir="${EPREFIX}"/$(get_libdir)/security
--enable-isadir='.' #464016
$(use_enable nls)
$(use_enable selinux)
$(use_enable cracklib)
$(use_enable audit)
$(use_enable debug)
$(use_enable berkdb db)
$(use_enable nis)
$(use_enable pie)
--with-db-uniquename=-$(db_findver sys-libs/db)
--disable-prelude
)
ECONF_SOURCE=${S} \
econf "${myconf[@]}"
}
multilib_src_compile() {
emake sepermitlockdir="${EPREFIX}/run/sepermit"
}
multilib_src_install() {
emake SCONFIGDIR="/usr/lib/pam/" DESTDIR="${D}" install \
sepermitlockdir="${EPREFIX}/run/sepermit"
rm "${D}/etc/environment"
systemd_dotmpfilesd "${FILESDIR}/tmpfiles.d/pam.conf"
}
DOCS=( CHANGELOG ChangeLog README AUTHORS Copyright NEWS )
multilib_src_install_all() {
einstalldocs
prune_libtool_files --all
# Need to be suid
fperms 4711 /sbin/unix_chkpwd
docinto modules
local dir
for dir in modules/pam_*; do
newdoc "${dir}"/README README."$(basename "${dir}")"
done
if use selinux; then
dodir /usr/lib/tmpfiles.d
cat - > "${D}"/usr/lib/tmpfiles.d/${CATEGORY}:${PN}:${SLOT}.conf <<EOF
d /run/sepermit 0755 root root
EOF
fi
}
pkg_preinst() {
check_old_modules || die "deprecated PAM modules still used"
}
pkg_postinst() {
ewarn "Some software with pre-loaded PAM libraries might experience"
ewarn "warnings or failures related to missing symbols and/or versions"
ewarn "after any update. While unfortunate this is a limit of the"
ewarn "implementation of PAM and the software, and it requires you to"
ewarn "restart the software manually after the update."
ewarn ""
ewarn "You can get a list of such software running a command like"
ewarn " lsof / | egrep -i 'del.*libpam\\.so'"
ewarn ""
ewarn "Alternatively, simply reboot your system."
if [[ -x "${EROOT}"/var/log/tallylog ]] ; then
elog ""
elog "Because of a bug present up to version 1.1.1-r2, you have"
elog "an executable /var/log/tallylog file. You can safely"
elog "correct it by running the command"
elog " chmod -x /var/log/tallylog"
elog ""
fi
}


@ -0,0 +1,133 @@
# Copyright 1999-2020 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
MY_P="Linux-${PN^^}-${PV}"
inherit autotools db-use fcaps toolchain-funcs usr-ldscript multilib-minimal
DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)"
HOMEPAGE="https://github.com/linux-pam/linux-pam"
SRC_URI="https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz
https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}-docs.tar.xz"
LICENSE="|| ( BSD GPL-2 )"
SLOT="0"
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86 ~amd64-linux ~x86-linux"
IUSE="audit berkdb debug nis +pie selinux"
BDEPEND="
dev-libs/libxslt
sys-devel/flex
sys-devel/gettext
virtual/pkgconfig
virtual/yacc
"
DEPEND="
virtual/libcrypt:=[${MULTILIB_USEDEP}]
>=virtual/libintl-0-r1[${MULTILIB_USEDEP}]
audit? ( >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] )
berkdb? ( >=sys-libs/db-4.8.30-r1:=[${MULTILIB_USEDEP}] )
selinux? ( >=sys-libs/libselinux-2.2.2-r4[${MULTILIB_USEDEP}] )
nis? ( net-libs/libnsl[${MULTILIB_USEDEP}]
>=net-libs/libtirpc-0.2.4-r2[${MULTILIB_USEDEP}] )"
RDEPEND="${DEPEND}"
PDEPEND=">=sys-auth/pambase-20200616"
S="${WORKDIR}/${MY_P}"
src_prepare() {
default
touch ChangeLog || die
eautoreconf
}
multilib_src_configure() {
# Do not let user's BROWSER setting mess us up. #549684
unset BROWSER
# Disable automatic detection of libxcrypt; we _don't_ want the
# user to link libxcrypt in by default, since we won't track the
# dependency and allow to break PAM this way.
export ac_cv_header_xcrypt_h=no
local myconf=(
CC_FOR_BUILD="$(tc-getBUILD_CC)"
--with-db-uniquename=-$(db_findver sys-libs/db)
--with-xml-catalog="${EPREFIX}"/etc/xml/catalog
--enable-securedir="${EPREFIX}"/$(get_libdir)/security
--includedir="${EPREFIX}"/usr/include/security
--libdir="${EPREFIX}"/usr/$(get_libdir)
--exec-prefix="${EPREFIX}"
--enable-unix
--disable-prelude
--disable-doc
--disable-regenerate-docu
--disable-static
--disable-Werror
$(use_enable audit)
$(use_enable berkdb db)
$(use_enable debug)
$(use_enable nis)
$(use_enable pie)
$(use_enable selinux)
--enable-isadir='.' #464016
)
ECONF_SOURCE="${S}" econf "${myconf[@]}"
}
multilib_src_compile() {
emake sepermitlockdir="${EPREFIX}/run/sepermit"
}
multilib_src_install() {
emake DESTDIR="${D}" install \
sepermitlockdir="${EPREFIX}/run/sepermit"
gen_usr_ldscript -a pam pam_misc pamc
}
multilib_src_install_all() {
find "${ED}" -type f -name '*.la' -delete || die
# tmpfiles.eclass is impossible to use because
# there is the pam -> tmpfiles -> systemd -> pam dependency loop
dodir /usr/lib/tmpfiles.d
cat ->> "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_
d /run/faillock 0755 root root
_EOF_
use selinux && cat ->> "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-selinux.conf <<-_EOF_
d /run/sepermit 0755 root root
_EOF_
local page
for page in doc/man/*.{3,5,8} modules/*/*.{5,8} ; do
doman ${page}
done
}
pkg_postinst() {
ewarn "Some software with pre-loaded PAM libraries might experience"
ewarn "warnings or failures related to missing symbols and/or versions"
ewarn "after any update. While unfortunate this is a limit of the"
ewarn "implementation of PAM and the software, and it requires you to"
ewarn "restart the software manually after the update."
ewarn ""
ewarn "You can get a list of such software running a command like"
ewarn " lsof / | egrep -i 'del.*libpam\\.so'"
ewarn ""
ewarn "Alternatively, simply reboot your system."
# The pam_unix module needs to check the password of the user which requires
# read access to /etc/shadow only.
fcaps cap_dac_override sbin/unix_chkpwd
}