sys-libs/pam: Update to 1.5.1__p20210622

gentoo sync ref: a9be6b639c Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
2025-08-17 09:56:59 +02:00 · 2022-03-17 13:29:55 +05:30 · 2022-03-17 13:29:55 +05:30 · e1dfbe9862
commit e1dfbe9862
parent 6e4062fe24
7 changed files with 51 additions and 99 deletions
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/Manifest
@ -1,2 +1,2 @@
-DIST Linux-PAM-1.5.1-docs.tar.xz 441632 BLAKE2B 1b3ad1b5167936b8c38977b5328ee11c7d280eb905a0f444e555d24f9d5332583f7e0ce0a758242292ff1244bc082b73d661935647e583e2ebcd8d5058df413e SHA512 95f0b0225e96386f06f5f869203163a201af3ac5c1a4fa8bd30779b9f55290e1a5b63fa49e2efafa1a51476bad1acf258b1f37f56a4bdc3935f9fe5928cbc1f7
-DIST Linux-PAM-1.5.1.tar.xz 972964 BLAKE2B a1714569587a383fa8211b23765c66b08b18dc2808c1521a904171dc2886cced56e9afa27408e8a9d5eec6226b31390dc8f14434071370f4e1147c77ce8b36ac SHA512 1db091fc43b934dde220f1b85f35937fbaa0a3feec699b2e597e2cdf0c3ce11c17d36d2286d479c9eed24e8ca3ca6233214e4dff256db47249e358c01d424837
+DIST pam-1.5.1_p20210622.tar.gz 783068 BLAKE2B c8f13c2ccef73ad367d4fac9a7d1d0d3f3d0e4f1c8eea877d2ab467411cf17cc32c6c9c89e98d94090481d7d7746723175031ba8713a8fb0c3e1976e2854e58b SHA512 5b7a84b9de2d0b0c39cb33e9b8d24aeedca670b998536d74dc497eb7af31cb1f3157f196a01712c4ae273634b51ddad2062f207534b35b1d1a1e790816c8dc1b
+DIST pam-doc-1.5.1_p20210610.tar.xz 62308 BLAKE2B b3311e704ddc840b7fd28ea7764e8a0d3fdf508e2e37405acbfa26462a188c480859b3b21bd4a4b4acea70928e68650c216e8fb2d2b6f11ba33f54c6692cf3a2 SHA512 89b88f8ebf0c46f6b25dc0c5f39383ecbef0b12d6ffab388d92026066ee986f9068819cdbf38baaa1e341cd6cc84b1e8d3ad02db121aaf0ddad27e4e6efe26e7
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md
@ -1,21 +0,0 @@
-This is a fork of gentoo's sys-libs/pam package. The main reasons
-for having our fork seem to be:
-
-1. We add a locked account functionality. If the account in
-   `/etc/shadow` has an exclamation mark (`!`) as a first character in
-   the password field, then the account is blocked.
-
-2. We install configuration in `/usr/lib/pam`, so the configuration in
-   `/etc` provided by administration can override the config we
-   install.
-
-3. For an unknown reason we drop `gen_usr_ldscript -a pam pam_misc
-   pamc` from the recipe.
-
-4. We make the `/sbin/unix_chkpwd` binary a suid one instead of
-   overriding giving it a CAP_DAC_OVERRIDE to avoid a dependency loop
-   between pam and libcap. The binary needs to be able to read
-   /etc/shadow, so either suid or CAP_DAC_OVERRIDE capability should
-   work. A suid binary is strictly less secure than capability
-   override, so in long-term we would prefer to avoid having this
-   hack. On the other hand - this is what we had so far.
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch
@ -1,13 +0,0 @@
-diff -ur linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16.orig/modules/pam_unix/support.c linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16/modules/pam_unix/support.c
--- linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16.orig/modules/pam_unix/support.c	2020-08-18 20:50:27.226355628 +0200
-+++ linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16/modules/pam_unix/support.c	2020-08-18 20:51:20.456212931 +0200
-@@ -847,6 +847,9 @@
-         return retval;
-     }
- 
-+    if (pwent->pw_passwd != NULL && pwent->pw_passwd[0] == '!')
-+        return PAM_PERM_DENIED;
-+
-     if (retval == PAM_SUCCESS && spent == NULL)
-         return PAM_SUCCESS;
- 
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.1-musl.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.1-musl.patch
@ -0,0 +1,15 @@
+Fix undefined reference to `libintl_dgettext` on musl
+Bug: https://bugs.gentoo.org/832573
+Upstream: https://github.com/linux-pam/linux-pam/pull/433
+
+--- a/libpam/Makefile.am
+++ b/libpam/Makefile.am
+@@ -21,7 +21,7 @@ noinst_HEADERS = pam_prelude.h pam_private.h pam_tokens.h \
+ 		include/pam_inline.h include/test_assert.h
+ 
+ libpam_la_LDFLAGS = -no-undefined -version-info 85:1:85
+-libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) $(ECONF_LIBS) @LIBDL@
+libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) $(ECONF_LIBS) @LIBDL@ @LTLIBINTL@
+ 
+ if HAVE_VERSIONING
+   libpam_la_LDFLAGS += -Wl,--version-script=$(srcdir)/libpam.map
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf
@ -1,11 +0,0 @@
-d /etc/pam.d			0755 root root	-	-
-d /etc/security			0755 root root	-	-
-d /etc/security/limits.d	0755 root root	-	-
-d /etc/security/namespace.d	0755 root root	-	-
-f /etc/environment		0755 root root	-	-	
-L /etc/security/access.conf	-    -	  -	-	../../usr/lib/pam/access.conf
-L /etc/security/group.conf	-    - 	  - 	-	../../usr/lib/pam/group.conf
-L /etc/security/limits.conf	-    -	  -	-	../../usr/lib/pam/limits.conf
-L /etc/security/namespace.conf	-    -	  -	-	../../usr/lib/pam/namespace.conf
-L /etc/security/pam_env.conf	-    -	  -	-	../../usr/lib/pam/pam_env.conf
-L /etc/security/time.conf	-    -	  -	-	../../usr/lib/pam/time.conf
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/metadata.xml
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/metadata.xml
@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
 <maintainer type="person">
 	<email>zlogene@gentoo.org</email>
@ -13,18 +13,9 @@
 		provided by <pkg>sys-libs/db</pkg>) installed in /usr/lib and
 		will thus not work for boot-critical services authentication.
 	</flag>
-
-	<flag name="cracklib">
-		Build the pam_cracklib module, that allows to verify the chosen
-		passwords' strength through the use of
-		<pkg>sys-libs/cracklib</pkg>. Please note that simply enabling
-		the USE flag on this package will not make use of pam_cracklib
-		by default, you should also enable it in
-		<pkg>sys-auth/pambase</pkg> as well as update your configuration
-		files.
-		</flag>
 		</use>
 <upstream>
+	<remote-id type="github">linux-pam/linux-pam</remote-id>
 	<remote-id type="cpe">cpe:/a:kernel:linux-pam</remote-id>
 </upstream>
 </pkgmetadata>
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild
@ -1,26 +1,27 @@
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2022 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2

-# Flatcar: Based on pam-1.5.1.ebuild from commit
-# 6acd106320ca6adf73a4a6607e4daa2b5cea8e30 in gentoo repo (see
-# https://gitweb.gentoo.org/repo/gentoo.git/plain/sys-libs/pam/pam-1.5.1.ebuild?id=6acd106320ca6adf73a4a6607e4daa2b5cea8e30).
-
 EAPI=7

-MY_P="Linux-${PN^^}-${PV}"
+# Avoid QA warnings
+# Can reconsider w/ EAPI 8 and IDEPEND, bug #810979
+TMPFILES_OPTIONAL=1

-inherit autotools db-use toolchain-funcs multilib-minimal
+inherit autotools db-use fcaps toolchain-funcs usr-ldscript multilib-minimal
+
+GIT_COMMIT="fe1307512fb8892b5ceb3d884c793af8dbd4c16a"
+DOC_SNAPSHOT="20210610"

 DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)"
 HOMEPAGE="https://github.com/linux-pam/linux-pam"

-SRC_URI="https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz
-	https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}-docs.tar.xz"
+SRC_URI="https://github.com/linux-pam/linux-pam/archive/${GIT_COMMIT}.tar.gz -> ${P}.tar.gz
+	https://dev.gentoo.org/~zlogene/distfiles/${CATEGORY}/${PN}/${PN}-doc-${PV%_p*}_p${DOC_SNAPSHOT}.tar.xz"

 LICENSE="|| ( BSD GPL-2 )"
 SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86 ~amd64-linux ~x86-linux"
-IUSE="audit berkdb debug nis +pie selinux"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
+IUSE="audit berkdb debug nis selinux"

 BDEPEND="
 	dev-libs/libxslt
@ -36,18 +37,18 @@ DEPEND="
 	audit? ( >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] )
 	berkdb? ( >=sys-libs/db-4.8.30-r1:=[${MULTILIB_USEDEP}] )
 	selinux? ( >=sys-libs/libselinux-2.2.2-r4[${MULTILIB_USEDEP}] )
-	nis? ( net-libs/libnsl[${MULTILIB_USEDEP}]
-	>=net-libs/libtirpc-0.2.4-r2[${MULTILIB_USEDEP}] )"
+	nis? ( net-libs/libnsl:=[${MULTILIB_USEDEP}]
+	>=net-libs/libtirpc-0.2.4-r2:=[${MULTILIB_USEDEP}] )"

 RDEPEND="${DEPEND}"

 PDEPEND=">=sys-auth/pambase-20200616"

-PATCHES=(
-	"${FILESDIR}"/pam-1.5.0-locked-accounts.patch
-)
+S="${WORKDIR}/linux-${PN}-${GIT_COMMIT}"

-S="${WORKDIR}/${MY_P}"
+PATCHES=(
+	"${FILESDIR}"/${PN}-1.5.1-musl.patch
+)

 src_prepare() {
 	default
@ -59,20 +60,14 @@ multilib_src_configure() {
 	# Do not let user's BROWSER setting mess us up. #549684
 	unset BROWSER

-	# Disable automatic detection of libxcrypt; we _don't_ want the
-	# user to link libxcrypt in by default, since we won't track the
-	# dependency and allow to break PAM this way.
-
-	export ac_cv_header_xcrypt_h=no
-
 	local myconf=(
 		CC_FOR_BUILD="$(tc-getBUILD_CC)"
 		--with-db-uniquename=-$(db_findver sys-libs/db)
-		--with-xml-catalog="${EPREFIX}"/etc/xml/catalog
-		--enable-securedir="${EPREFIX}"/$(get_libdir)/security
-		--includedir="${EPREFIX}"/usr/include/security
-		--libdir="${EPREFIX}"/usr/$(get_libdir)
-		--exec-prefix="${EPREFIX}"
+		--with-xml-catalog=/etc/xml/catalog
+		--enable-securedir=/$(get_libdir)/security
+		--includedir=/usr/include/security
+		--libdir=/usr/$(get_libdir)
+		--enable-pie
 		--enable-unix
 		--disable-prelude
 		--disable-doc
@ -83,39 +78,31 @@ multilib_src_configure() {
 		$(use_enable berkdb db)
 		$(use_enable debug)
 		$(use_enable nis)
-		$(use_enable pie)
 		$(use_enable selinux)
 		--enable-isadir='.' #464016
-		--enable-sconfigdir="/usr/lib/pam/"
 		)
 	ECONF_SOURCE="${S}" econf "${myconf[@]}"
 }

 multilib_src_compile() {
-	emake sepermitlockdir="${EPREFIX}/run/sepermit"
+	emake sepermitlockdir="/run/sepermit"
 }

 multilib_src_install() {
 	emake DESTDIR="${D}" install \
-		sepermitlockdir="${EPREFIX}/run/sepermit"
+		sepermitlockdir="/run/sepermit"
+
+	gen_usr_ldscript -a pam pam_misc pamc
 }

 multilib_src_install_all() {
 	find "${ED}" -type f -name '*.la' -delete || die

-	# Flatcar: The pam_unix module needs to check the password of
-	# the user which requires read access to /etc/shadow
-	# only. Make it suid instead of using CAP_DAC_OVERRIDE to
-	# avoid a pam -> libcap -> pam dependency loop.
-	fperms 4711 /sbin/unix_chkpwd
-
 	# tmpfiles.eclass is impossible to use because
 	# there is the pam -> tmpfiles -> systemd -> pam dependency loop

 	dodir /usr/lib/tmpfiles.d

-	rm "${D}/etc/environment"
-	cp "${FILESDIR}/tmpfiles.d/pam.conf" "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-config.conf
 	cat ->>  "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_
 		d /run/faillock 0755 root root
 	_EOF_
@ -125,7 +112,7 @@ multilib_src_install_all() {

 	local page

-	for page in doc/man/*.{3,5,8} modules/*/*.{5,8} ; do
+	for page in "${WORKDIR}"/man/*.{3,5,8} ; do
 		doman ${page}
 	done
 }
@ -141,4 +128,8 @@ pkg_postinst() {
 	ewarn "  lsof / | egrep -i 'del.*libpam\\.so'"
 	ewarn ""
 	ewarn "Alternatively, simply reboot your system."
+
+	# The pam_unix module needs to check the password of the user which requires
+	# read access to /etc/shadow only.
+	fcaps cap_dac_override sbin/unix_chkpwd
 }