diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md new file mode 100644 index 0000000000..9500945b40 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md @@ -0,0 +1,21 @@ +This is a fork of gentoo's sys-libs/pam package. The main reasons +for having our fork seem to be: + +1. We add a locked account functionality. If the account in + `/etc/shadow` has an exclamation mark (`!`) as a first character in + the password field, then the account is blocked. + +2. We install configuration in `/usr/lib/pam`, so the configuration in + `/etc` provided by administration can override the config we + install. + +3. For an unknown reason we drop `gen_usr_ldscript -a pam pam_misc + pamc` from the recipe. + +4. We make the `/sbin/unix_chkpwd` binary a suid one instead of + overriding giving it a CAP_DAC_OVERRIDE to avoid a dependency loop + between pam and libcap. The binary needs to be able to read + /etc/shadow, so either suid or CAP_DAC_OVERRIDE capability should + work. A suid binary is strictly less secure than capability + override, so in long-term we would prefer to avoid having this + hack. On the other hand - this is what we had so far. diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch new file mode 100644 index 0000000000..a58d3eb28c --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch @@ -0,0 +1,13 @@ +diff -ur linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16.orig/modules/pam_unix/support.c linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16/modules/pam_unix/support.c +--- linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16.orig/modules/pam_unix/support.c 2020-08-18 20:50:27.226355628 +0200 ++++ linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16/modules/pam_unix/support.c 2020-08-18 20:51:20.456212931 +0200 +@@ -847,6 +847,9 @@ + return retval; + } + ++ if (pwent->pw_passwd != NULL && pwent->pw_passwd[0] == '!') ++ return PAM_PERM_DENIED; ++ + if (retval == PAM_SUCCESS && spent == NULL) + return PAM_SUCCESS; + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf new file mode 100644 index 0000000000..3880b4cbda --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf @@ -0,0 +1,11 @@ +d /etc/pam.d 0755 root root - - +d /etc/security 0755 root root - - +d /etc/security/limits.d 0755 root root - - +d /etc/security/namespace.d 0755 root root - - +f /etc/environment 0755 root root - - +L /etc/security/access.conf - - - - ../../usr/lib/pam/security/access.conf +L /etc/security/group.conf - - - - ../../usr/lib/pam/security/group.conf +L /etc/security/limits.conf - - - - ../../usr/lib/pam/security/limits.conf +L /etc/security/namespace.conf - - - - ../../usr/lib/pam/security/namespace.conf +L /etc/security/pam_env.conf - - - - ../../usr/lib/pam/security/pam_env.conf +L /etc/security/time.conf - - - - ../../usr/lib/pam/security/time.conf diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.3-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.3-r1.ebuild index db88b6e802..d53050dfc1 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.3-r1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.3-r1.ebuild @@ -46,6 +46,7 @@ RDEPEND="${DEPEND}" PDEPEND=">=sys-auth/pambase-20200616" PATCHES=( + "${FILESDIR}"/${PN}-1.5.0-locked-accounts.patch "${FILESDIR}/${P}-termios.patch" ) @@ -101,6 +102,7 @@ multilib_src_configure() { $(use_enable nis) $(use_enable selinux) --enable-isadir='.' # bug #464016 + --enable-vendordir="/usr/lib/pam/" ) ECONF_SOURCE="${S}" econf "${myconf[@]}" } @@ -117,10 +119,18 @@ multilib_src_install() { multilib_src_install_all() { find "${ED}" -type f -name '*.la' -delete || die + # Flatcar: The pam_unix module needs to check the password of + # the user which requires read access to /etc/shadow + # only. Make it suid instead of using CAP_DAC_OVERRIDE to + # avoid a pam -> libcap -> pam dependency loop. + fperms 4711 /sbin/unix_chkpwd + # tmpfiles.eclass is impossible to use because # there is the pam -> tmpfiles -> systemd -> pam dependency loop dodir /usr/lib/tmpfiles.d + rm "${D}/etc/environment" + cp "${FILESDIR}/tmpfiles.d/pam.conf" "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-config.conf cat ->> "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_ d /run/faillock 0755 root root _EOF_ @@ -146,8 +156,4 @@ pkg_postinst() { ewarn " lsof / | grep -E -i 'del.*libpam\\.so'" ewarn "" ewarn "Alternatively, simply reboot your system." - - # The pam_unix module needs to check the password of the user which requires - # read access to /etc/shadow only. - fcaps cap_dac_override sbin/unix_chkpwd } diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.6.1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.6.1.ebuild deleted file mode 100644 index 06b8b9406e..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.6.1.ebuild +++ /dev/null @@ -1,150 +0,0 @@ -# Copyright 1999-2024 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -MY_P="Linux-${PN^^}-${PV}" - -# Avoid QA warnings -# Can reconsider w/ EAPI 8 and IDEPEND, bug #810979 -TMPFILES_OPTIONAL=1 - -inherit db-use fcaps flag-o-matic toolchain-funcs multilib-minimal - -DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)" -HOMEPAGE="https://github.com/linux-pam/linux-pam" -SRC_URI=" - https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz - https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}-docs.tar.xz -" -S="${WORKDIR}/${MY_P}" - -LICENSE="|| ( BSD GPL-2 )" -SLOT="0" -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux" -IUSE="audit berkdb examples debug nis selinux" - -BDEPEND=" - app-alternatives/yacc - dev-libs/libxslt - app-alternatives/lex - sys-devel/gettext - virtual/pkgconfig -" -DEPEND=" - virtual/libcrypt:=[${MULTILIB_USEDEP}] - >=virtual/libintl-0-r1[${MULTILIB_USEDEP}] - audit? ( >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] ) - berkdb? ( >=sys-libs/db-4.8.30-r1:=[${MULTILIB_USEDEP}] ) - selinux? ( >=sys-libs/libselinux-2.2.2-r4[${MULTILIB_USEDEP}] ) - nis? ( - net-libs/libnsl:=[${MULTILIB_USEDEP}] - >=net-libs/libtirpc-0.2.4-r2:=[${MULTILIB_USEDEP}] - ) -" -RDEPEND="${DEPEND}" -PDEPEND=">=sys-auth/pambase-20200616" - -src_prepare() { - default - touch ChangeLog || die -} - -multilib_src_configure() { - # Do not let user's BROWSER setting mess us up, bug #549684 - unset BROWSER - - # This whole weird has_version libxcrypt block can go once - # musl systems have libxcrypt[system] if we ever make - # that mandatory. See bug #867991. - if use elibc_musl && ! has_version sys-libs/libxcrypt[system] ; then - # Avoid picking up symbol-versioned compat symbol on musl systems - export ac_cv_search_crypt_gensalt_rn=no - - # Need to avoid picking up the libxcrypt headers which define - # CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY. - cp "${ESYSROOT}"/usr/include/crypt.h "${T}"/crypt.h || die - append-cppflags -I"${T}" - fi - - local myconf=( - CC_FOR_BUILD="$(tc-getBUILD_CC)" - --with-db-uniquename=-$(db_findver sys-libs/db) - --with-xml-catalog="${EPREFIX}"/etc/xml/catalog - --enable-securedir="${EPREFIX}"/$(get_libdir)/security - --includedir="${EPREFIX}"/usr/include/security - --libdir="${EPREFIX}"/usr/$(get_libdir) - --enable-pie - --enable-unix - --disable-prelude - --disable-doc - --disable-regenerate-docu - --disable-static - --disable-Werror - # TODO: wire this up now it's more useful as of 1.5.3 (bug #931117) - --disable-econf - - # TODO: add elogind support (bug #931115) - # lastlog is enabled again for now by us until logind support - # is handled. Even then, disabling lastlog will probably need - # a news item. - --disable-logind - --enable-lastlog - - $(use_enable audit) - $(multilib_native_use_enable examples) - $(use_enable berkdb db) - $(use_enable debug) - $(use_enable nis) - $(use_enable selinux) - --enable-isadir='.' # bug #464016 - ) - ECONF_SOURCE="${S}" econf "${myconf[@]}" -} - -multilib_src_compile() { - emake sepermitlockdir="/run/sepermit" -} - -multilib_src_install() { - emake DESTDIR="${D}" install \ - sepermitlockdir="/run/sepermit" -} - -multilib_src_install_all() { - find "${ED}" -type f -name '*.la' -delete || die - - # tmpfiles.eclass is impossible to use because - # there is the pam -> tmpfiles -> systemd -> pam dependency loop - dodir /usr/lib/tmpfiles.d - - cat ->> "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_ - d /run/faillock 0755 root root - _EOF_ - use selinux && cat ->> "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-selinux.conf <<-_EOF_ - d /run/sepermit 0755 root root - _EOF_ - - local page - - for page in doc/man/*.{3,5,8} modules/*/*.{5,8} ; do - doman ${page} - done -} - -pkg_postinst() { - ewarn "Some software with pre-loaded PAM libraries might experience" - ewarn "warnings or failures related to missing symbols and/or versions" - ewarn "after any update. While unfortunate this is a limit of the" - ewarn "implementation of PAM and the software, and it requires you to" - ewarn "restart the software manually after the update." - ewarn "" - ewarn "You can get a list of such software running a command like" - ewarn " lsof / | grep -E -i 'del.*libpam\\.so'" - ewarn "" - ewarn "Alternatively, simply reboot your system." - - # The pam_unix module needs to check the password of the user which requires - # read access to /etc/shadow only. - fcaps cap_dac_override sbin/unix_chkpwd -}