sys-libs/pam: Apply Flatcar patches

2025-08-07 21:16:57 +02:00 · 2024-06-27 09:01:09 +10:00 · 2024-06-27 09:01:09 +10:00 · d5833e210f
commit d5833e210f
parent cc8dd25640
5 changed files with 55 additions and 154 deletions
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md
@ -0,0 +1,21 @@
+This is a fork of gentoo's sys-libs/pam package. The main reasons
+for having our fork seem to be:
+
+1. We add a locked account functionality. If the account in
+   `/etc/shadow` has an exclamation mark (`!`) as a first character in
+   the password field, then the account is blocked.
+
+2. We install configuration in `/usr/lib/pam`, so the configuration in
+   `/etc` provided by administration can override the config we
+   install.
+
+3. For an unknown reason we drop `gen_usr_ldscript -a pam pam_misc
+   pamc` from the recipe.
+
+4. We make the `/sbin/unix_chkpwd` binary a suid one instead of
+   overriding giving it a CAP_DAC_OVERRIDE to avoid a dependency loop
+   between pam and libcap. The binary needs to be able to read
+   /etc/shadow, so either suid or CAP_DAC_OVERRIDE capability should
+   work. A suid binary is strictly less secure than capability
+   override, so in long-term we would prefer to avoid having this
+   hack. On the other hand - this is what we had so far.
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch
@ -0,0 +1,13 @@
+diff -ur linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16.orig/modules/pam_unix/support.c linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16/modules/pam_unix/support.c
+--- linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16.orig/modules/pam_unix/support.c	2020-08-18 20:50:27.226355628 +0200
+++ linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16/modules/pam_unix/support.c	2020-08-18 20:51:20.456212931 +0200
+@@ -847,6 +847,9 @@
+         return retval;
+     }
+ 
+    if (pwent->pw_passwd != NULL && pwent->pw_passwd[0] == '!')
+        return PAM_PERM_DENIED;
+
+     if (retval == PAM_SUCCESS && spent == NULL)
+         return PAM_SUCCESS;
+ 
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf
@ -0,0 +1,11 @@
+d /etc/pam.d			0755 root root	-	-
+d /etc/security			0755 root root	-	-
+d /etc/security/limits.d	0755 root root	-	-
+d /etc/security/namespace.d	0755 root root	-	-
+f /etc/environment		0755 root root	-	-
+L /etc/security/access.conf	-    -	  -	-	../../usr/lib/pam/security/access.conf
+L /etc/security/group.conf	-    - 	  - 	-	../../usr/lib/pam/security/group.conf
+L /etc/security/limits.conf	-    -	  -	-	../../usr/lib/pam/security/limits.conf
+L /etc/security/namespace.conf	-    -	  -	-	../../usr/lib/pam/security/namespace.conf
+L /etc/security/pam_env.conf	-    -	  -	-	../../usr/lib/pam/security/pam_env.conf
+L /etc/security/time.conf	-    -	  -	-	../../usr/lib/pam/security/time.conf
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.3-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.3-r1.ebuild
@ -46,6 +46,7 @@ RDEPEND="${DEPEND}"
 PDEPEND=">=sys-auth/pambase-20200616"

 PATCHES=(
+	"${FILESDIR}"/${PN}-1.5.0-locked-accounts.patch
 	"${FILESDIR}/${P}-termios.patch"
 )

@ -101,6 +102,7 @@ multilib_src_configure() {
 		$(use_enable nis)
 		$(use_enable selinux)
 		--enable-isadir='.' # bug #464016
+		--enable-vendordir="/usr/lib/pam/"
 	)
 	ECONF_SOURCE="${S}" econf "${myconf[@]}"
 }
@ -117,10 +119,18 @@ multilib_src_install() {
 multilib_src_install_all() {
 	find "${ED}" -type f -name '*.la' -delete || die

+	# Flatcar: The pam_unix module needs to check the password of
+	# the user which requires read access to /etc/shadow
+	# only. Make it suid instead of using CAP_DAC_OVERRIDE to
+	# avoid a pam -> libcap -> pam dependency loop.
+	fperms 4711 /sbin/unix_chkpwd
+
 	# tmpfiles.eclass is impossible to use because
 	# there is the pam -> tmpfiles -> systemd -> pam dependency loop
 	dodir /usr/lib/tmpfiles.d

+	rm "${D}/etc/environment"
+	cp "${FILESDIR}/tmpfiles.d/pam.conf" "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-config.conf
 	cat ->>  "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_
 		d /run/faillock 0755 root root
 	_EOF_
@ -146,8 +156,4 @@ pkg_postinst() {
 	ewarn "  lsof / | grep -E -i 'del.*libpam\\.so'"
 	ewarn ""
 	ewarn "Alternatively, simply reboot your system."
-
-	# The pam_unix module needs to check the password of the user which requires
-	# read access to /etc/shadow only.
-	fcaps cap_dac_override sbin/unix_chkpwd
 }
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.6.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.6.1.ebuild
@ -1,150 +0,0 @@
-# Copyright 1999-2024 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-MY_P="Linux-${PN^^}-${PV}"
-
-# Avoid QA warnings
-# Can reconsider w/ EAPI 8 and IDEPEND, bug #810979
-TMPFILES_OPTIONAL=1
-
-inherit db-use fcaps flag-o-matic toolchain-funcs multilib-minimal
-
-DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)"
-HOMEPAGE="https://github.com/linux-pam/linux-pam"
-SRC_URI="
-	https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz
-	https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}-docs.tar.xz
-"
-S="${WORKDIR}/${MY_P}"
-
-LICENSE="|| ( BSD GPL-2 )"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux"
-IUSE="audit berkdb examples debug nis selinux"
-
-BDEPEND="
-	app-alternatives/yacc
-	dev-libs/libxslt
-	app-alternatives/lex
-	sys-devel/gettext
-	virtual/pkgconfig
-"
-DEPEND="
-	virtual/libcrypt:=[${MULTILIB_USEDEP}]
-	>=virtual/libintl-0-r1[${MULTILIB_USEDEP}]
-	audit? ( >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] )
-	berkdb? ( >=sys-libs/db-4.8.30-r1:=[${MULTILIB_USEDEP}] )
-	selinux? ( >=sys-libs/libselinux-2.2.2-r4[${MULTILIB_USEDEP}] )
-	nis? (
-		net-libs/libnsl:=[${MULTILIB_USEDEP}]
-		>=net-libs/libtirpc-0.2.4-r2:=[${MULTILIB_USEDEP}]
-	)
-"
-RDEPEND="${DEPEND}"
-PDEPEND=">=sys-auth/pambase-20200616"
-
-src_prepare() {
-	default
-	touch ChangeLog || die
-}
-
-multilib_src_configure() {
-	# Do not let user's BROWSER setting mess us up, bug #549684
-	unset BROWSER
-
-	# This whole weird has_version libxcrypt block can go once
-	# musl systems have libxcrypt[system] if we ever make
-	# that mandatory. See bug #867991.
-	if use elibc_musl && ! has_version sys-libs/libxcrypt[system] ; then
-		# Avoid picking up symbol-versioned compat symbol on musl systems
-		export ac_cv_search_crypt_gensalt_rn=no
-
-		# Need to avoid picking up the libxcrypt headers which define
-		# CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY.
-		cp "${ESYSROOT}"/usr/include/crypt.h "${T}"/crypt.h || die
-		append-cppflags -I"${T}"
-	fi
-
-	local myconf=(
-		CC_FOR_BUILD="$(tc-getBUILD_CC)"
-		--with-db-uniquename=-$(db_findver sys-libs/db)
-		--with-xml-catalog="${EPREFIX}"/etc/xml/catalog
-		--enable-securedir="${EPREFIX}"/$(get_libdir)/security
-		--includedir="${EPREFIX}"/usr/include/security
-		--libdir="${EPREFIX}"/usr/$(get_libdir)
-		--enable-pie
-		--enable-unix
-		--disable-prelude
-		--disable-doc
-		--disable-regenerate-docu
-		--disable-static
-		--disable-Werror
-		# TODO: wire this up now it's more useful as of 1.5.3 (bug #931117)
-		--disable-econf
-
-		# TODO: add elogind support (bug #931115)
-		# lastlog is enabled again for now by us until logind support
-		# is handled. Even then, disabling lastlog will probably need
-		# a news item.
-		--disable-logind
-		--enable-lastlog
-
-		$(use_enable audit)
-		$(multilib_native_use_enable examples)
-		$(use_enable berkdb db)
-		$(use_enable debug)
-		$(use_enable nis)
-		$(use_enable selinux)
-		--enable-isadir='.' # bug #464016
-	)
-	ECONF_SOURCE="${S}" econf "${myconf[@]}"
-}
-
-multilib_src_compile() {
-	emake sepermitlockdir="/run/sepermit"
-}
-
-multilib_src_install() {
-	emake DESTDIR="${D}" install \
-		sepermitlockdir="/run/sepermit"
-}
-
-multilib_src_install_all() {
-	find "${ED}" -type f -name '*.la' -delete || die
-
-	# tmpfiles.eclass is impossible to use because
-	# there is the pam -> tmpfiles -> systemd -> pam dependency loop
-	dodir /usr/lib/tmpfiles.d
-
-	cat ->>  "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_
-		d /run/faillock 0755 root root
-	_EOF_
-	use selinux && cat ->>  "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-selinux.conf <<-_EOF_
-		d /run/sepermit 0755 root root
-	_EOF_
-
-	local page
-
-	for page in doc/man/*.{3,5,8} modules/*/*.{5,8} ; do
-		doman ${page}
-	done
-}
-
-pkg_postinst() {
-	ewarn "Some software with pre-loaded PAM libraries might experience"
-	ewarn "warnings or failures related to missing symbols and/or versions"
-	ewarn "after any update. While unfortunate this is a limit of the"
-	ewarn "implementation of PAM and the software, and it requires you to"
-	ewarn "restart the software manually after the update."
-	ewarn ""
-	ewarn "You can get a list of such software running a command like"
-	ewarn "  lsof / | grep -E -i 'del.*libpam\\.so'"
-	ewarn ""
-	ewarn "Alternatively, simply reboot your system."
-
-	# The pam_unix module needs to check the password of the user which requires
-	# read access to /etc/shadow only.
-	fcaps cap_dac_override sbin/unix_chkpwd
-}