From bcf2bb0b772cf03eab872f956782f80b72b17900 Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury <schowdhury@microsoft.com>
Date: Thu, 17 Mar 2022 16:33:30 +0530
Subject: [PATCH] sys-libs/pam: Apply Flatcar patches

-  sys-libs/pam: Make /sbin/unix_chkpwd suid

This is to avoid importing fcaps eclass which adds a dependency on
sys-libs/libcap, which in turn depends on sys-libs/pam. To get out of
this conundrum, we could specify a "-filecaps" use flag for
sys-libs/pam. Problem with this solution would be no capability
override for the binary making it unable to read /etc/shadow. Thus we
make the binary suid. This is strictly less secure than overriding its
capabilities, but I have no idea how to solve it in a less hacky way.

-  sys-libs/pam: Install configuration into /usr

Also provide a tmpfiles fragment to bring it back.

- sys-libs/pam: Locked accounts functionality

Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
---
 .../coreos-overlay/sys-libs/pam/README.md     | 26 +++++++++++++++++++
 .../pam/files/pam-1.5.0-locked-accounts.patch | 13 ++++++++++
 .../sys-libs/pam/files/tmpfiles.d/pam.conf    | 11 ++++++++
 .../pam/pam-1.5.1_p20210622-r1.ebuild         | 20 ++++++++------
 4 files changed, 62 insertions(+), 8 deletions(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md
new file mode 100644
index 0000000000..d4e1d3a149
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md
@@ -0,0 +1,26 @@
+This is a fork of gentoo's sys-libs/pam package. The main reasons
+for having our fork seem to be:
+
+1. We add a locked account functionality. If the account in
+   `/etc/shadow` has an exclamation mark (`!`) as a first character in
+   the password field, then the account is blocked.
+
+2. We install configuration in `/usr/lib/pam`, so the configuration in
+   `/etc` provided by administration can override the config we
+   install.
+
+3. For an unknown reason we drop `gen_usr_ldscript -a pam pam_misc
+   pamc` from the recipe.
+
+4. We make the `/sbin/unix_chkpwd` binary a suid one instead of
+   overriding giving it a CAP_DAC_OVERRIDE to avoid a dependency loop
+   between pam and libcap. The binary needs to be able to read
+   /etc/shadow, so either suid or CAP_DAC_OVERRIDE capability should
+   work. A suid binary is strictly less secure than capability
+   override, so in long-term we would prefer to avoid having this
+   hack. On the other hand - this is what we had so far.
+
+5. We replace the dependency on `virtual/yacc` with
+   `app-alternatives/yacc`. The former was renamed to the latter in
+   Gentoo, so this modification will be gone next time we update this
+   package.
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch
new file mode 100644
index 0000000000..a58d3eb28c
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch
@@ -0,0 +1,13 @@
+diff -ur linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16.orig/modules/pam_unix/support.c linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16/modules/pam_unix/support.c
+--- linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16.orig/modules/pam_unix/support.c	2020-08-18 20:50:27.226355628 +0200
++++ linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16/modules/pam_unix/support.c	2020-08-18 20:51:20.456212931 +0200
+@@ -847,6 +847,9 @@
+         return retval;
+     }
+ 
++    if (pwent->pw_passwd != NULL && pwent->pw_passwd[0] == '!')
++        return PAM_PERM_DENIED;
++
+     if (retval == PAM_SUCCESS && spent == NULL)
+         return PAM_SUCCESS;
+ 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf
new file mode 100644
index 0000000000..6b8ebb4377
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf
@@ -0,0 +1,11 @@
+d /etc/pam.d			0755 root root	-	-
+d /etc/security			0755 root root	-	-
+d /etc/security/limits.d	0755 root root	-	-
+d /etc/security/namespace.d	0755 root root	-	-
+f /etc/environment		0755 root root	-	-
+L /etc/security/access.conf	-    -	  -	-	../../usr/lib/pam/access.conf
+L /etc/security/group.conf	-    - 	  - 	-	../../usr/lib/pam/group.conf
+L /etc/security/limits.conf	-    -	  -	-	../../usr/lib/pam/limits.conf
+L /etc/security/namespace.conf	-    -	  -	-	../../usr/lib/pam/namespace.conf
+L /etc/security/pam_env.conf	-    -	  -	-	../../usr/lib/pam/pam_env.conf
+L /etc/security/time.conf	-    -	  -	-	../../usr/lib/pam/time.conf
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild
index 98f33edbb6..d91874ac48 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild
@@ -7,7 +7,7 @@ EAPI=7
 # Can reconsider w/ EAPI 8 and IDEPEND, bug #810979
 TMPFILES_OPTIONAL=1
 
-inherit autotools db-use fcaps toolchain-funcs usr-ldscript multilib-minimal
+inherit autotools db-use toolchain-funcs usr-ldscript multilib-minimal
 
 GIT_COMMIT="fe1307512fb8892b5ceb3d884c793af8dbd4c16a"
 DOC_SNAPSHOT="20210610"
@@ -24,11 +24,11 @@ KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 s
 IUSE="audit berkdb debug nis selinux"
 
 BDEPEND="
+	app-alternatives/yacc
 	dev-libs/libxslt
 	sys-devel/flex
 	sys-devel/gettext
 	virtual/pkgconfig
-	virtual/yacc
 "
 
 DEPEND="
@@ -47,6 +47,7 @@ PDEPEND=">=sys-auth/pambase-20200616"
 S="${WORKDIR}/linux-${PN}-${GIT_COMMIT}"
 
 PATCHES=(
+	"${FILESDIR}"/${PN}-1.5.0-locked-accounts.patch
 	"${FILESDIR}"/${PN}-1.5.1-musl.patch
 )
 
@@ -80,6 +81,7 @@ multilib_src_configure() {
 		$(use_enable nis)
 		$(use_enable selinux)
 		--enable-isadir='.' #464016
+		--enable-sconfigdir="/usr/lib/pam/"
 		)
 	ECONF_SOURCE="${S}" econf "${myconf[@]}"
 }
@@ -91,18 +93,24 @@ multilib_src_compile() {
 multilib_src_install() {
 	emake DESTDIR="${D}" install \
 		sepermitlockdir="/run/sepermit"
-
-	gen_usr_ldscript -a pam pam_misc pamc
 }
 
 multilib_src_install_all() {
 	find "${ED}" -type f -name '*.la' -delete || die
 
+	# Flatcar: The pam_unix module needs to check the password of
+	# the user which requires read access to /etc/shadow
+	# only. Make it suid instead of using CAP_DAC_OVERRIDE to
+	# avoid a pam -> libcap -> pam dependency loop.
+	fperms 4711 /sbin/unix_chkpwd
+
 	# tmpfiles.eclass is impossible to use because
 	# there is the pam -> tmpfiles -> systemd -> pam dependency loop
 
 	dodir /usr/lib/tmpfiles.d
 
+	rm "${D}/etc/environment"
+	cp "${FILESDIR}/tmpfiles.d/pam.conf" "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-config.conf
 	cat ->>  "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_
 		d /run/faillock 0755 root root
 	_EOF_
@@ -128,8 +136,4 @@ pkg_postinst() {
 	ewarn "  lsof / | egrep -i 'del.*libpam\\.so'"
 	ewarn ""
 	ewarn "Alternatively, simply reboot your system."
-
-	# The pam_unix module needs to check the password of the user which requires
-	# read access to /etc/shadow only.
-	fcaps cap_dac_override sbin/unix_chkpwd
 }