sys-libs/pam: Reset to vanilla ebuild

2025-08-15 08:56:58 +02:00 · 2022-12-06 15:03:29 +01:00 · 2022-12-06 15:03:29 +01:00 · ef09c88d70
commit ef09c88d70
parent eec5d85328
4 changed files with 7 additions and 56 deletions
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md
@ -1,21 +0,0 @@
-This is a fork of gentoo's sys-libs/pam package. The main reasons
-for having our fork seem to be:
-
-1. We add a locked account functionality. If the account in
-   `/etc/shadow` has an exclamation mark (`!`) as a first character in
-   the password field, then the account is blocked.
-
-2. We install configuration in `/usr/lib/pam`, so the configuration in
-   `/etc` provided by administration can override the config we
-   install.
-
-3. For an unknown reason we drop `gen_usr_ldscript -a pam pam_misc
-   pamc` from the recipe.
-
-4. We make the `/sbin/unix_chkpwd` binary a suid one instead of
-   overriding giving it a CAP_DAC_OVERRIDE to avoid a dependency loop
-   between pam and libcap. The binary needs to be able to read
-   /etc/shadow, so either suid or CAP_DAC_OVERRIDE capability should
-   work. A suid binary is strictly less secure than capability
-   override, so in long-term we would prefer to avoid having this
-   hack. On the other hand - this is what we had so far.
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch
@ -1,13 +0,0 @@
-diff -ur linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16.orig/modules/pam_unix/support.c linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16/modules/pam_unix/support.c
--- linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16.orig/modules/pam_unix/support.c	2020-08-18 20:50:27.226355628 +0200
-+++ linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16/modules/pam_unix/support.c	2020-08-18 20:51:20.456212931 +0200
-@@ -847,6 +847,9 @@
-         return retval;
-     }
- 
-+    if (pwent->pw_passwd != NULL && pwent->pw_passwd[0] == '!')
-+        return PAM_PERM_DENIED;
-+
-     if (retval == PAM_SUCCESS && spent == NULL)
-         return PAM_SUCCESS;
- 
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf
@ -1,11 +0,0 @@
-d /etc/pam.d			0755 root root	-	-
-d /etc/security			0755 root root	-	-
-d /etc/security/limits.d	0755 root root	-	-
-d /etc/security/namespace.d	0755 root root	-	-
-f /etc/environment		0755 root root	-	-
-L /etc/security/access.conf	-    -	  -	-	../../usr/lib/pam/access.conf
-L /etc/security/group.conf	-    - 	  - 	-	../../usr/lib/pam/group.conf
-L /etc/security/limits.conf	-    -	  -	-	../../usr/lib/pam/limits.conf
-L /etc/security/namespace.conf	-    -	  -	-	../../usr/lib/pam/namespace.conf
-L /etc/security/pam_env.conf	-    -	  -	-	../../usr/lib/pam/pam_env.conf
-L /etc/security/time.conf	-    -	  -	-	../../usr/lib/pam/time.conf
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild
@ -7,7 +7,7 @@ EAPI=7
 # Can reconsider w/ EAPI 8 and IDEPEND, bug #810979
 TMPFILES_OPTIONAL=1

-inherit autotools db-use toolchain-funcs usr-ldscript multilib-minimal
+inherit autotools db-use fcaps toolchain-funcs usr-ldscript multilib-minimal

 GIT_COMMIT="fe1307512fb8892b5ceb3d884c793af8dbd4c16a"
 DOC_SNAPSHOT="20210610"
@ -47,7 +47,6 @@ PDEPEND=">=sys-auth/pambase-20200616"
 S="${WORKDIR}/linux-${PN}-${GIT_COMMIT}"

 PATCHES=(
-	"${FILESDIR}"/${PN}-1.5.0-locked-accounts.patch
 	"${FILESDIR}"/${PN}-1.5.1-musl.patch
 )

@ -81,7 +80,6 @@ multilib_src_configure() {
 		$(use_enable nis)
 		$(use_enable selinux)
 		--enable-isadir='.' #464016
-		--enable-sconfigdir="/usr/lib/pam/"
 		)
 	ECONF_SOURCE="${S}" econf "${myconf[@]}"
 }
@ -93,24 +91,18 @@ multilib_src_compile() {
 multilib_src_install() {
 	emake DESTDIR="${D}" install \
 		sepermitlockdir="/run/sepermit"
+
+	gen_usr_ldscript -a pam pam_misc pamc
 }

 multilib_src_install_all() {
 	find "${ED}" -type f -name '*.la' -delete || die

-	# Flatcar: The pam_unix module needs to check the password of
-	# the user which requires read access to /etc/shadow
-	# only. Make it suid instead of using CAP_DAC_OVERRIDE to
-	# avoid a pam -> libcap -> pam dependency loop.
-	fperms 4711 /sbin/unix_chkpwd
-
 	# tmpfiles.eclass is impossible to use because
 	# there is the pam -> tmpfiles -> systemd -> pam dependency loop

 	dodir /usr/lib/tmpfiles.d

-	rm "${D}/etc/environment"
-	cp "${FILESDIR}/tmpfiles.d/pam.conf" "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-config.conf
 	cat ->>  "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_
 		d /run/faillock 0755 root root
 	_EOF_
@ -136,4 +128,8 @@ pkg_postinst() {
 	ewarn "  lsof / | egrep -i 'del.*libpam\\.so'"
 	ewarn ""
 	ewarn "Alternatively, simply reboot your system."
+
+	# The pam_unix module needs to check the password of the user which requires
+	# read access to /etc/shadow only.
+	fcaps cap_dac_override sbin/unix_chkpwd
 }