flatcar-scripts

mirror of https://github.com/flatcar/scripts.git synced 2025-08-15 08:56:58 +02:00

History

Sayan Chowdhury bcf2bb0b77 sys-libs/pam: Apply Flatcar patches - sys-libs/pam: Make /sbin/unix_chkpwd suid This is to avoid importing fcaps eclass which adds a dependency on sys-libs/libcap, which in turn depends on sys-libs/pam. To get out of this conundrum, we could specify a "-filecaps" use flag for sys-libs/pam. Problem with this solution would be no capability override for the binary making it unable to read /etc/shadow. Thus we make the binary suid. This is strictly less secure than overriding its capabilities, but I have no idea how to solve it in a less hacky way. - sys-libs/pam: Install configuration into /usr Also provide a tmpfiles fragment to bring it back. - sys-libs/pam: Locked accounts functionality Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>	2022-12-06 15:06:47 +01:00
..
src/third_party/coreos-overlay	sys-libs/pam: Apply Flatcar patches	2022-12-06 15:06:47 +01:00

Sayan Chowdhury bcf2bb0b77 sys-libs/pam: Apply Flatcar patches

-  sys-libs/pam: Make /sbin/unix_chkpwd suid

This is to avoid importing fcaps eclass which adds a dependency on
sys-libs/libcap, which in turn depends on sys-libs/pam. To get out of
this conundrum, we could specify a "-filecaps" use flag for
sys-libs/pam. Problem with this solution would be no capability
override for the binary making it unable to read /etc/shadow. Thus we
make the binary suid. This is strictly less secure than overriding its
capabilities, but I have no idea how to solve it in a less hacky way.

-  sys-libs/pam: Install configuration into /usr

Also provide a tmpfiles fragment to bring it back.

- sys-libs/pam: Locked accounts functionality

Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>

2022-12-06 15:06:47 +01:00

src/third_party/coreos-overlay

sys-libs/pam: Apply Flatcar patches

2022-12-06 15:06:47 +01:00