mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-16 01:16:59 +02:00
Code Issues Packages Projects Releases Wiki Activity

sys-libs/pam: Reset to vanilla ebuild

Browse Source
This commit is contained in:
Krzesimir Nowak 2022-12-06 15:03:29 +01:00
parent eec5d85328
commit ef09c88d70
4 changed files with 7 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md vendored
View File

@ -1,21 +0,0 @@
This is a fork of gentoo's sys-libs/pam package. The main reasons
for having our fork seem to be:
1. We add a locked account functionality. If the account in
`/etc/shadow` has an exclamation mark (`!`) as a first character in
the password field, then the account is blocked.
2. We install configuration in `/usr/lib/pam`, so the configuration in
`/etc` provided by administration can override the config we
install.
3. For an unknown reason we drop `gen_usr_ldscript -a pam pam_misc
pamc` from the recipe.
4. We make the `/sbin/unix_chkpwd` binary a suid one instead of
overriding giving it a CAP_DAC_OVERRIDE to avoid a dependency loop
between pam and libcap. The binary needs to be able to read
/etc/shadow, so either suid or CAP_DAC_OVERRIDE capability should
work. A suid binary is strictly less secure than capability
override, so in long-term we would prefer to avoid having this
hack. On the other hand - this is what we had so far.

13
sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch vendored
View File

@ -1,13 +0,0 @@
diff -ur linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16.orig/modules/pam_unix/support.c linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16/modules/pam_unix/support.c
--- linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16.orig/modules/pam_unix/support.c 2020-08-18 20:50:27.226355628 +0200
+++ linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16/modules/pam_unix/support.c 2020-08-18 20:51:20.456212931 +0200
@@ -847,6 +847,9 @@
return retval;
}
+ if (pwent->pw_passwd != NULL && pwent->pw_passwd[0] == '!')
+ return PAM_PERM_DENIED;
+
if (retval == PAM_SUCCESS && spent == NULL)
return PAM_SUCCESS;

11
sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf vendored
View File

@ -1,11 +0,0 @@
d /etc/pam.d 0755 root root - -
d /etc/security 0755 root root - -
d /etc/security/limits.d 0755 root root - -
d /etc/security/namespace.d 0755 root root - -
f /etc/environment 0755 root root - -
L /etc/security/access.conf - - - - ../../usr/lib/pam/access.conf
L /etc/security/group.conf - - - - ../../usr/lib/pam/group.conf
L /etc/security/limits.conf - - - - ../../usr/lib/pam/limits.conf
L /etc/security/namespace.conf - - - - ../../usr/lib/pam/namespace.conf
L /etc/security/pam_env.conf - - - - ../../usr/lib/pam/pam_env.conf
L /etc/security/time.conf - - - - ../../usr/lib/pam/time.conf

18
sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild vendored
View File

@ -7,7 +7,7 @@ EAPI=7
# Can reconsider w/ EAPI 8 and IDEPEND, bug #810979 # Can reconsider w/ EAPI 8 and IDEPEND, bug #810979
TMPFILES_OPTIONAL=1 TMPFILES_OPTIONAL=1
inherit autotools db-use toolchain-funcs usr-ldscript multilib-minimal inherit autotools db-use fcaps toolchain-funcs usr-ldscript multilib-minimal
GIT_COMMIT="fe1307512fb8892b5ceb3d884c793af8dbd4c16a" GIT_COMMIT="fe1307512fb8892b5ceb3d884c793af8dbd4c16a"
DOC_SNAPSHOT="20210610" DOC_SNAPSHOT="20210610"
@ -47,7 +47,6 @@ PDEPEND=">=sys-auth/pambase-20200616"
S="${WORKDIR}/linux-${PN}-${GIT_COMMIT}" S="${WORKDIR}/linux-${PN}-${GIT_COMMIT}"
PATCHES=( PATCHES=(
"${FILESDIR}"/${PN}-1.5.0-locked-accounts.patch
"${FILESDIR}"/${PN}-1.5.1-musl.patch "${FILESDIR}"/${PN}-1.5.1-musl.patch
) )
@ -81,7 +80,6 @@ multilib_src_configure() {
$(use_enable nis) $(use_enable nis)
$(use_enable selinux) $(use_enable selinux)
--enable-isadir='.' #464016 --enable-isadir='.' #464016
--enable-sconfigdir="/usr/lib/pam/"
) )
ECONF_SOURCE="${S}" econf "${myconf[@]}" ECONF_SOURCE="${S}" econf "${myconf[@]}"
} }
@ -93,24 +91,18 @@ multilib_src_compile() {
multilib_src_install() { multilib_src_install() {
emake DESTDIR="${D}" install \ emake DESTDIR="${D}" install \
sepermitlockdir="/run/sepermit" sepermitlockdir="/run/sepermit"
gen_usr_ldscript -a pam pam_misc pamc
} }
multilib_src_install_all() { multilib_src_install_all() {
find "${ED}" -type f -name '*.la' -delete || die find "${ED}" -type f -name '*.la' -delete || die
# Flatcar: The pam_unix module needs to check the password of
# the user which requires read access to /etc/shadow
# only. Make it suid instead of using CAP_DAC_OVERRIDE to
# avoid a pam -> libcap -> pam dependency loop.
fperms 4711 /sbin/unix_chkpwd
# tmpfiles.eclass is impossible to use because # tmpfiles.eclass is impossible to use because
# there is the pam -> tmpfiles -> systemd -> pam dependency loop # there is the pam -> tmpfiles -> systemd -> pam dependency loop
dodir /usr/lib/tmpfiles.d dodir /usr/lib/tmpfiles.d
rm "${D}/etc/environment"
cp "${FILESDIR}/tmpfiles.d/pam.conf" "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-config.conf
cat ->> "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_ cat ->> "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_
d /run/faillock 0755 root root d /run/faillock 0755 root root
_EOF_ _EOF_
@ -136,4 +128,8 @@ pkg_postinst() {
ewarn " lsof / | egrep -i 'del.*libpam\\.so'" ewarn " lsof / | egrep -i 'del.*libpam\\.so'"
ewarn "" ewarn ""
ewarn "Alternatively, simply reboot your system." ewarn "Alternatively, simply reboot your system."
# The pam_unix module needs to check the password of the user which requires
# read access to /etc/shadow only.
fcaps cap_dac_override sbin/unix_chkpwd
} }