diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/Manifest index 72cc79c6af..5ab7f61b2a 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/Manifest @@ -1,2 +1,2 @@ -DIST Linux-PAM-1.5.1-docs.tar.xz 441632 BLAKE2B 1b3ad1b5167936b8c38977b5328ee11c7d280eb905a0f444e555d24f9d5332583f7e0ce0a758242292ff1244bc082b73d661935647e583e2ebcd8d5058df413e SHA512 95f0b0225e96386f06f5f869203163a201af3ac5c1a4fa8bd30779b9f55290e1a5b63fa49e2efafa1a51476bad1acf258b1f37f56a4bdc3935f9fe5928cbc1f7 -DIST Linux-PAM-1.5.1.tar.xz 972964 BLAKE2B a1714569587a383fa8211b23765c66b08b18dc2808c1521a904171dc2886cced56e9afa27408e8a9d5eec6226b31390dc8f14434071370f4e1147c77ce8b36ac SHA512 1db091fc43b934dde220f1b85f35937fbaa0a3feec699b2e597e2cdf0c3ce11c17d36d2286d479c9eed24e8ca3ca6233214e4dff256db47249e358c01d424837 +DIST pam-1.5.1_p20210622.tar.gz 783068 BLAKE2B c8f13c2ccef73ad367d4fac9a7d1d0d3f3d0e4f1c8eea877d2ab467411cf17cc32c6c9c89e98d94090481d7d7746723175031ba8713a8fb0c3e1976e2854e58b SHA512 5b7a84b9de2d0b0c39cb33e9b8d24aeedca670b998536d74dc497eb7af31cb1f3157f196a01712c4ae273634b51ddad2062f207534b35b1d1a1e790816c8dc1b +DIST pam-doc-1.5.1_p20210610.tar.xz 62308 BLAKE2B b3311e704ddc840b7fd28ea7764e8a0d3fdf508e2e37405acbfa26462a188c480859b3b21bd4a4b4acea70928e68650c216e8fb2d2b6f11ba33f54c6692cf3a2 SHA512 89b88f8ebf0c46f6b25dc0c5f39383ecbef0b12d6ffab388d92026066ee986f9068819cdbf38baaa1e341cd6cc84b1e8d3ad02db121aaf0ddad27e4e6efe26e7 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md deleted file mode 100644 index 9500945b40..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md +++ /dev/null @@ -1,21 +0,0 @@ -This is a fork of gentoo's sys-libs/pam package. The main reasons -for having our fork seem to be: - -1. We add a locked account functionality. If the account in - `/etc/shadow` has an exclamation mark (`!`) as a first character in - the password field, then the account is blocked. - -2. We install configuration in `/usr/lib/pam`, so the configuration in - `/etc` provided by administration can override the config we - install. - -3. For an unknown reason we drop `gen_usr_ldscript -a pam pam_misc - pamc` from the recipe. - -4. We make the `/sbin/unix_chkpwd` binary a suid one instead of - overriding giving it a CAP_DAC_OVERRIDE to avoid a dependency loop - between pam and libcap. The binary needs to be able to read - /etc/shadow, so either suid or CAP_DAC_OVERRIDE capability should - work. A suid binary is strictly less secure than capability - override, so in long-term we would prefer to avoid having this - hack. On the other hand - this is what we had so far. diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch deleted file mode 100644 index a58d3eb28c..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff -ur linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16.orig/modules/pam_unix/support.c linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16/modules/pam_unix/support.c ---- linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16.orig/modules/pam_unix/support.c 2020-08-18 20:50:27.226355628 +0200 -+++ linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16/modules/pam_unix/support.c 2020-08-18 20:51:20.456212931 +0200 -@@ -847,6 +847,9 @@ - return retval; - } - -+ if (pwent->pw_passwd != NULL && pwent->pw_passwd[0] == '!') -+ return PAM_PERM_DENIED; -+ - if (retval == PAM_SUCCESS && spent == NULL) - return PAM_SUCCESS; - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.1-musl.patch b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.1-musl.patch new file mode 100644 index 0000000000..a1d5b1543d --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.1-musl.patch @@ -0,0 +1,15 @@ +Fix undefined reference to `libintl_dgettext` on musl +Bug: https://bugs.gentoo.org/832573 +Upstream: https://github.com/linux-pam/linux-pam/pull/433 + +--- a/libpam/Makefile.am ++++ b/libpam/Makefile.am +@@ -21,7 +21,7 @@ noinst_HEADERS = pam_prelude.h pam_private.h pam_tokens.h \ + include/pam_inline.h include/test_assert.h + + libpam_la_LDFLAGS = -no-undefined -version-info 85:1:85 +-libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) $(ECONF_LIBS) @LIBDL@ ++libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) $(ECONF_LIBS) @LIBDL@ @LTLIBINTL@ + + if HAVE_VERSIONING + libpam_la_LDFLAGS += -Wl,--version-script=$(srcdir)/libpam.map diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf deleted file mode 100644 index d37448107c..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf +++ /dev/null @@ -1,11 +0,0 @@ -d /etc/pam.d 0755 root root - - -d /etc/security 0755 root root - - -d /etc/security/limits.d 0755 root root - - -d /etc/security/namespace.d 0755 root root - - -f /etc/environment 0755 root root - - -L /etc/security/access.conf - - - - ../../usr/lib/pam/access.conf -L /etc/security/group.conf - - - - ../../usr/lib/pam/group.conf -L /etc/security/limits.conf - - - - ../../usr/lib/pam/limits.conf -L /etc/security/namespace.conf - - - - ../../usr/lib/pam/namespace.conf -L /etc/security/pam_env.conf - - - - ../../usr/lib/pam/pam_env.conf -L /etc/security/time.conf - - - - ../../usr/lib/pam/time.conf diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/metadata.xml b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/metadata.xml index c172b5d303..3b9be27ff8 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/metadata.xml +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/metadata.xml @@ -1,5 +1,5 @@ - + zlogene@gentoo.org @@ -13,18 +13,9 @@ provided by sys-libs/db) installed in /usr/lib and will thus not work for boot-critical services authentication. - - - Build the pam_cracklib module, that allows to verify the chosen - passwords' strength through the use of - sys-libs/cracklib. Please note that simply enabling - the USE flag on this package will not make use of pam_cracklib - by default, you should also enable it in - sys-auth/pambase as well as update your configuration - files. - + linux-pam/linux-pam cpe:/a:kernel:linux-pam diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild similarity index 57% rename from sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild index 94e79afec1..98f33edbb6 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild @@ -1,26 +1,27 @@ -# Copyright 1999-2020 Gentoo Authors +# Copyright 1999-2022 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -# Flatcar: Based on pam-1.5.1.ebuild from commit -# 6acd106320ca6adf73a4a6607e4daa2b5cea8e30 in gentoo repo (see -# https://gitweb.gentoo.org/repo/gentoo.git/plain/sys-libs/pam/pam-1.5.1.ebuild?id=6acd106320ca6adf73a4a6607e4daa2b5cea8e30). - EAPI=7 -MY_P="Linux-${PN^^}-${PV}" +# Avoid QA warnings +# Can reconsider w/ EAPI 8 and IDEPEND, bug #810979 +TMPFILES_OPTIONAL=1 -inherit autotools db-use toolchain-funcs multilib-minimal +inherit autotools db-use fcaps toolchain-funcs usr-ldscript multilib-minimal + +GIT_COMMIT="fe1307512fb8892b5ceb3d884c793af8dbd4c16a" +DOC_SNAPSHOT="20210610" DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)" HOMEPAGE="https://github.com/linux-pam/linux-pam" -SRC_URI="https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz - https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}-docs.tar.xz" +SRC_URI="https://github.com/linux-pam/linux-pam/archive/${GIT_COMMIT}.tar.gz -> ${P}.tar.gz + https://dev.gentoo.org/~zlogene/distfiles/${CATEGORY}/${PN}/${PN}-doc-${PV%_p*}_p${DOC_SNAPSHOT}.tar.xz" LICENSE="|| ( BSD GPL-2 )" SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86 ~amd64-linux ~x86-linux" -IUSE="audit berkdb debug nis +pie selinux" +KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86" +IUSE="audit berkdb debug nis selinux" BDEPEND=" dev-libs/libxslt @@ -36,18 +37,18 @@ DEPEND=" audit? ( >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] ) berkdb? ( >=sys-libs/db-4.8.30-r1:=[${MULTILIB_USEDEP}] ) selinux? ( >=sys-libs/libselinux-2.2.2-r4[${MULTILIB_USEDEP}] ) - nis? ( net-libs/libnsl[${MULTILIB_USEDEP}] - >=net-libs/libtirpc-0.2.4-r2[${MULTILIB_USEDEP}] )" + nis? ( net-libs/libnsl:=[${MULTILIB_USEDEP}] + >=net-libs/libtirpc-0.2.4-r2:=[${MULTILIB_USEDEP}] )" RDEPEND="${DEPEND}" PDEPEND=">=sys-auth/pambase-20200616" -PATCHES=( - "${FILESDIR}"/pam-1.5.0-locked-accounts.patch -) +S="${WORKDIR}/linux-${PN}-${GIT_COMMIT}" -S="${WORKDIR}/${MY_P}" +PATCHES=( + "${FILESDIR}"/${PN}-1.5.1-musl.patch +) src_prepare() { default @@ -59,20 +60,14 @@ multilib_src_configure() { # Do not let user's BROWSER setting mess us up. #549684 unset BROWSER - # Disable automatic detection of libxcrypt; we _don't_ want the - # user to link libxcrypt in by default, since we won't track the - # dependency and allow to break PAM this way. - - export ac_cv_header_xcrypt_h=no - local myconf=( CC_FOR_BUILD="$(tc-getBUILD_CC)" --with-db-uniquename=-$(db_findver sys-libs/db) - --with-xml-catalog="${EPREFIX}"/etc/xml/catalog - --enable-securedir="${EPREFIX}"/$(get_libdir)/security - --includedir="${EPREFIX}"/usr/include/security - --libdir="${EPREFIX}"/usr/$(get_libdir) - --exec-prefix="${EPREFIX}" + --with-xml-catalog=/etc/xml/catalog + --enable-securedir=/$(get_libdir)/security + --includedir=/usr/include/security + --libdir=/usr/$(get_libdir) + --enable-pie --enable-unix --disable-prelude --disable-doc @@ -83,39 +78,31 @@ multilib_src_configure() { $(use_enable berkdb db) $(use_enable debug) $(use_enable nis) - $(use_enable pie) $(use_enable selinux) --enable-isadir='.' #464016 - --enable-sconfigdir="/usr/lib/pam/" ) ECONF_SOURCE="${S}" econf "${myconf[@]}" } multilib_src_compile() { - emake sepermitlockdir="${EPREFIX}/run/sepermit" + emake sepermitlockdir="/run/sepermit" } multilib_src_install() { emake DESTDIR="${D}" install \ - sepermitlockdir="${EPREFIX}/run/sepermit" + sepermitlockdir="/run/sepermit" + + gen_usr_ldscript -a pam pam_misc pamc } multilib_src_install_all() { find "${ED}" -type f -name '*.la' -delete || die - # Flatcar: The pam_unix module needs to check the password of - # the user which requires read access to /etc/shadow - # only. Make it suid instead of using CAP_DAC_OVERRIDE to - # avoid a pam -> libcap -> pam dependency loop. - fperms 4711 /sbin/unix_chkpwd - # tmpfiles.eclass is impossible to use because # there is the pam -> tmpfiles -> systemd -> pam dependency loop dodir /usr/lib/tmpfiles.d - rm "${D}/etc/environment" - cp "${FILESDIR}/tmpfiles.d/pam.conf" "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-config.conf cat ->> "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_ d /run/faillock 0755 root root _EOF_ @@ -125,7 +112,7 @@ multilib_src_install_all() { local page - for page in doc/man/*.{3,5,8} modules/*/*.{5,8} ; do + for page in "${WORKDIR}"/man/*.{3,5,8} ; do doman ${page} done } @@ -141,4 +128,8 @@ pkg_postinst() { ewarn " lsof / | egrep -i 'del.*libpam\\.so'" ewarn "" ewarn "Alternatively, simply reboot your system." + + # The pam_unix module needs to check the password of the user which requires + # read access to /etc/shadow only. + fcaps cap_dac_override sbin/unix_chkpwd }