- sys-libs/pam: Make /sbin/unix_chkpwd suid
This is to avoid importing fcaps eclass which adds a dependency on
sys-libs/libcap, which in turn depends on sys-libs/pam. To get out of
this conundrum, we could specify a "-filecaps" use flag for
sys-libs/pam. Problem with this solution would be no capability
override for the binary making it unable to read /etc/shadow. Thus we
make the binary suid. This is strictly less secure than overriding its
capabilities, but I have no idea how to solve it in a less hacky way.
- sys-libs/pam: Install configuration into /usr
Also provide a tmpfiles fragment to bring it back.
- sys-libs/pam: Locked accounts functionality
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
As sys-apps/shadow has its own su binary, sys-apps/util-linux should
not have its own su binary. Otherwise, build will simply fail.
Disable su USE flag for util-linux.
Sync meson and keep only the current stable ebuild (0.60.3).
Upstream commit 83cf9e2749be378ca4bb12096c2a33093a0af998
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
The lib64/systemd location only happened to work through the used
symlink on Flatcar. The standard location is lib/systemd.
Use the standard location as we now want to split the libs folders.
The split of /usr/lib64 into /usr/lib and /usr/lib64 means that paths
to /usr/lib64/X that worked before now wouldn't.
Therefore, create compatibility symlinks.
The profile Flatcar is on had SYMLINK_LIB set for amd64 which set up
(/usr)/lib as symlink to (/usr)/lib64. This is not the case for arm64
nor common in other recent distributions and causes systemd-sysext
loading to fail.
Disable SYMLINK_LIB for the amd64 board for now, leaving the SDK as is
but we could also set it for the SDK, too. A future profile update will
also bring this change.
The /lib symlink does not point to /usr/lib but instead points to
/usr/lib64 on current releases which have a single /usr/lib64 folder
and a symlink from /usr/lib to it. This means that when they update to
a release with a split lib vs. lib64 setup, the kernel modules are not
found because /lib/modules does not exist (because /lib still points
to /usr/lib64 instead of /usr/lib).
Force link recreation to match the new layout. The system will still be
able to rollback because the link to /usr/lib is still valid because
/usr/lib is itself a link that forwards to /usr/lib64.
The os-release file was not only accessible through /usr/lib/ but
also through /usr/lib64 because "lib" was just a symlink.
Now that we split them up into two directories, add a compatibility
symlink in case /usr/lib64 was used to access os-release. A check
is added to also work without the split which is useful if the split
is not done for the SDK at the same time.
The standard location is /usr/lib/modules but on Flatcar "lib" was a
symlink to "lib64". Now this is going to be split up in separate
directories but with compatibility symlinks.
Add the new location to the ignore list.
In our CI most uses of run_sdk_container pass the '-C image' flag, which broke
with the last change, due to unbound docker_sdk_vernum variable. Skip fetching
the image when custom_image is passed.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
