From 5ebef531ea10dc271eafa683962399af9669fac3 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Mon, 26 Feb 2024 16:30:36 +0100
Subject: [PATCH 1/8] overlay coreos/user-patches: Add a user patch for sys-libs/pam

It's a patch for adding the account locking functionality.
---
 .../pam/0001-Add-account-locking.patch | 28 +++++++++++++++++++
 .../user-patches/sys-libs/pam/README.md | 5 ++++
 2 files changed, 33 insertions(+)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/pam/0001-Add-account-locking.patch
 create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/pam/README.md

diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/pam/0001-Add-account-locking.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/pam/0001-Add-account-locking.patch
new file mode 100644
index 00000000000..702497a0bb6
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/pam/0001-Add-account-locking.patch
@@ -0,0 +1,28 @@
+From a2f4387b53591c666a6364cafe7cfa2d8907e0f5 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett
+Date: Tue, 5 Apr 2016 22:15:56 -0700
+Subject: [PATCH] Add account locking
+
+A leading exclamation mark in the password field in /etc/shadow
+indicates a locked account.
+---
+ modules/pam_unix/support.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+index 043273d2..37091020 100644
+--- a/modules/pam_unix/support.c
++++ b/modules/pam_unix/support.c
+@@ -834,6 +834,9 @@ _unix_verify_user(pam_handle_t *pamh,
+ return retval;
+ }
+ 
++ if (pwent->pw_passwd != NULL && pwent->pw_passwd[0] == '!')
++ return PAM_PERM_DENIED;
++ 
+ if (retval == PAM_SUCCESS && spent == NULL)
+ return PAM_SUCCESS;
+ 
+-- 
+2.34.1
+ 
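Review bot: The new guard in `_unix_verify_user` reads `pwent->pw_passwd`, the password field of the passwd entry, while the patch description says the lock marker is a leading `!` in the password field of /etc/shadow; on a system where passwords are shadowed that passwd field is normally `x`, and the `!` written by the usual account-locking tools lands in the shadow entry (`spent->sp_pwdp`), which this check never consults. Either the description should state that it is the passwd field that is inspected, or the check has to look at the shadow entry too, which here is only possible after the `spent == NULL` early return that follows the new lines — so this is a design question rather than a one-line fix. Whichever is intended, a comment above the new `if`, e.g. `/* Flatcar: a leading '!' in the passwd entry's password field marks the account as locked */`, would stop the next reader from assuming shadow semantics. `_unix_verify_user` starts and ends outside the hunk.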
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/pam/README.md b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/pam/README.md new file mode 100644 index 00000000000..c220fff8e21 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/pam/README.md @@ -0,0 +1,5 @@ +The patch adds some locking behavior. Upstream didn't want it: +https://github.com/linux-pam/linux-pam/issues/261. + +Possibly it should be dropped in favor of `chage -E 0`, as mentioned +in the issue. From c9886ab9cd2f047b3fc5d9c2b93a9b464fe8cf7c Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 26 Feb 2024 16:44:08 +0100 Subject: [PATCH 2/8] coreos-base/misc-files: Install pam compatibility symlinks --- ...isc-files-0-r4.ebuild => misc-files-0-r5.ebuild} | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) rename sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/{misc-files-0-r4.ebuild => misc-files-0-r5.ebuild} (92%) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r5.ebuild similarity index 92% rename from sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r5.ebuild index e0688455e71..49184a89f8b 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r5.ebuild @@ -12,7 +12,7 @@ HOMEPAGE='https://www.flatcar.org/' LICENSE='Apache-2.0' SLOT='0' KEYWORDS='amd64 arm64' -IUSE="audit ntp openssh policycoreutils" +IUSE="audit ntp openssh pam policycoreutils" # No source directory. S="${WORKDIR}" 
@@ -33,6 +33,7 @@ RDEPEND=" >=app-shells/bash-5.2_p15-r2 ntp? ( >=net-misc/ntp-4.2.8_p17 ) policycoreutils? ( >=sys-apps/policycoreutils-3.6 ) + pam? ( >=sys-libs/pam-1.5.3-r1 ) audit? ( >=sys-process/audit-3.1.1 ) " @@ -119,6 +120,16 @@ src_install() { ['/usr/share/ssh/sshd_config']='/usr/share/flatcar/etc/ssh/sshd_config.d/50-flatcar-sshd.conf' ) fi + if use pam; then + compat_symlinks+=( + ['/usr/lib/pam/access.conf']='/usr/share/flatcar/etc/security/access.conf' + ['/usr/lib/pam/group.conf']='/usr/share/flatcar/etc/security/group.conf' + ['/usr/lib/pam/limits.conf']='/usr/share/flatcar/etc/security/limits.conf' + ['/usr/lib/pam/namespace.conf']='/usr/share/flatcar/etc/security/namespace.conf' + ['/usr/lib/pam/pam_env.conf']='/usr/share/flatcar/etc/security/pam_env.conf' + ['/usr/lib/pam/time.conf']='/usr/share/flatcar/etc/security/time.conf' + ) + fi local link target for link in "${!compat_symlinks[@]}"; do From f1b5efe7df9cdcf45cff5cfef863f9170e2d7081 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Tue, 27 Feb 2024 10:34:45 +0100 Subject: [PATCH 3/8] overlay profiles: Enable pam modifications in coreos-base/misc-files --- .../profiles/coreos/targets/generic/package.use | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use index 44fb7c95888..940e3838330 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use 
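Review bot: The `pam` block added to `src_install` maps six `/usr/lib/pam/*.conf` links to `/usr/share/flatcar/etc/security/*.conf` but does not say what is being kept compatible; `/usr/lib/pam` was the sconfigdir of the previous Flatcar pam ebuild (`--enable-sconfigdir="/usr/lib/pam/"`, dropped later in this series), so without a note a reader cannot tell that these links exist for consumers of the old location rather than for pam itself. Suggest a comment above `if use pam; then`: `# Older Flatcar pam builds read their config from /usr/lib/pam (sconfigdir); keep those paths resolving to the copies under /usr/share/flatcar/etc/security.` The loop that creates the links runs after the hunk ends, so whether it creates the now-absent `/usr/lib/pam` directory cannot be checked here. The `pam? ( >=sys-libs/pam-1.5.3-r1 )` RDEPEND in the earlier hunk on this line matches the keyword added for that revision later in the series.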
@@ -7,10 +7,11 @@ app-editors/vim minimal -crypt # minimal: Don't pull app-vim/gentoo-syntax app-editors/vim-core minimal -# Install our modifications and compatibility symlinks for ssh and ntp +# Install our modifications and compatibility symlinks for audit, ntp, +# pam and ssh. # # Install a SELinux policy directory symlink -coreos-base/misc-files audit ntp openssh policycoreutils +coreos-base/misc-files audit ntp openssh pam policycoreutils dev-lang/python gdbm dev-libs/dbus-glib tools From c2466d3cfd46d2f5c9707b57021c854e955ea23c Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Tue, 27 Feb 2024 10:01:30 +0100 Subject: [PATCH 4/8] overlay profiles: Add accept keywords for sys-libs/pam --- .../profiles/coreos/base/package.accept_keywords | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index 9d0d5c2c06b..f4cc288da98 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -96,6 +96,9 @@ # Needed to fix CVE-2023-29491. =sys-libs/ncurses-6.4_p20230527 ~amd64 ~arm64 +# Drops the use of usr-ldscript eclass. +=sys-libs/pam-1.5.3-r1 ~amd64 ~arm64 + # A dependency of app-shells/bash version that we need for security # fixes. =sys-libs/readline-8.2_p7-r1 ~amd64 ~arm64 From fe98ce102bca57c587f1bec2c7e34d86fc9a4a4b Mon Sep 17 00:00:00 2001 
From: Krzesimir Nowak
Date: Tue, 27 Feb 2024 10:04:47 +0100
Subject: [PATCH 5/8] overlay sys-libs/pam: Move to portage-stable

---
 .../{coreos-overlay => portage-stable}/sys-libs/pam/Manifest | 0
 .../{coreos-overlay => portage-stable}/sys-libs/pam/README.md | 0
 .../sys-libs/pam/files/pam-1.5.0-locked-accounts.patch | 0
 .../sys-libs/pam/files/pam-1.5.1-musl.patch | 0
 .../sys-libs/pam/files/tmpfiles.d/pam.conf | 0
 .../{coreos-overlay => portage-stable}/sys-libs/pam/metadata.xml | 0
 .../sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild | 0
 7 files changed, 0 insertions(+), 0 deletions(-)
 rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sys-libs/pam/Manifest (100%)
 rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sys-libs/pam/README.md (100%)
 rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch (100%)
 rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sys-libs/pam/files/pam-1.5.1-musl.patch (100%)
 rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sys-libs/pam/files/tmpfiles.d/pam.conf (100%)
 rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sys-libs/pam/metadata.xml (100%)
 rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild (100%)

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/Manifest b/sdk_container/src/third_party/portage-stable/sys-libs/pam/Manifest
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-libs/pam/Manifest
rename to sdk_container/src/third_party/portage-stable/sys-libs/pam/Manifest
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md b/sdk_container/src/third_party/portage-stable/sys-libs/pam/README.md
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md
rename to sdk_container/src/third_party/portage-stable/sys-libs/pam/README.md
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch b/sdk_container/src/third_party/portage-stable/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch
rename to sdk_container/src/third_party/portage-stable/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.1-musl.patch b/sdk_container/src/third_party/portage-stable/sys-libs/pam/files/pam-1.5.1-musl.patch
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.1-musl.patch
rename to sdk_container/src/third_party/portage-stable/sys-libs/pam/files/pam-1.5.1-musl.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf b/sdk_container/src/third_party/portage-stable/sys-libs/pam/files/tmpfiles.d/pam.conf
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf
rename to sdk_container/src/third_party/portage-stable/sys-libs/pam/files/tmpfiles.d/pam.conf
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/metadata.xml b/sdk_container/src/third_party/portage-stable/sys-libs/pam/metadata.xml
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-libs/pam/metadata.xml
rename to sdk_container/src/third_party/portage-stable/sys-libs/pam/metadata.xml
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild b/sdk_container/src/third_party/portage-stable/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild
rename to sdk_container/src/third_party/portage-stable/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild

From 243bd2e2006ac260772345d891e51f3e7b37ed35 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Tue, 27 Feb 2024 10:04:52 +0100
Subject: [PATCH 6/8] sys-libs/pam: Sync with Gentoo

It's from Gentoo commit 72d0c560a13563ebd6e7b010cc5ab169fb2efc8b.
---
 .../portage-stable/sys-libs/pam/Manifest | 4 +-
 .../portage-stable/sys-libs/pam/README.md | 26 ---
 .../pam/files/pam-1.5.0-locked-accounts.patch | 13 --
 .../sys-libs/pam/files/pam-1.5.1-musl.patch | 15 --
 .../pam/files/pam-1.5.3-termios.patch | 34 ++++
 .../sys-libs/pam/files/tmpfiles.d/pam.conf | 11 --
 .../portage-stable/sys-libs/pam/metadata.xml | 35 ++--
 ...20210622-r1.ebuild => pam-1.5.3-r1.ebuild} | 94 ++++++-----
 .../sys-libs/pam/pam-1.5.3.ebuild | 155 ++++++++++++++++++
 9 files changed, 264 insertions(+), 123 deletions(-)
 delete mode 100644 sdk_container/src/third_party/portage-stable/sys-libs/pam/README.md
 delete mode 100644 sdk_container/src/third_party/portage-stable/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch
 delete mode 100644 sdk_container/src/third_party/portage-stable/sys-libs/pam/files/pam-1.5.1-musl.patch
 create mode 100644 sdk_container/src/third_party/portage-stable/sys-libs/pam/files/pam-1.5.3-termios.patch
 delete mode 100644 sdk_container/src/third_party/portage-stable/sys-libs/pam/files/tmpfiles.d/pam.conf
 rename sdk_container/src/third_party/portage-stable/sys-libs/pam/{pam-1.5.1_p20210622-r1.ebuild => pam-1.5.3-r1.ebuild} (54%)
 create mode 100644 sdk_container/src/third_party/portage-stable/sys-libs/pam/pam-1.5.3.ebuild
diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/pam/Manifest b/sdk_container/src/third_party/portage-stable/sys-libs/pam/Manifest
index 5ab7f61b2a7..8ff63cd068f 100644
--- a/sdk_container/src/third_party/portage-stable/sys-libs/pam/Manifest
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/pam/Manifest
@@ -1,2 +1,2 @@
-DIST pam-1.5.1_p20210622.tar.gz 783068 BLAKE2B c8f13c2ccef73ad367d4fac9a7d1d0d3f3d0e4f1c8eea877d2ab467411cf17cc32c6c9c89e98d94090481d7d7746723175031ba8713a8fb0c3e1976e2854e58b SHA512 5b7a84b9de2d0b0c39cb33e9b8d24aeedca670b998536d74dc497eb7af31cb1f3157f196a01712c4ae273634b51ddad2062f207534b35b1d1a1e790816c8dc1b
-DIST pam-doc-1.5.1_p20210610.tar.xz 62308 BLAKE2B b3311e704ddc840b7fd28ea7764e8a0d3fdf508e2e37405acbfa26462a188c480859b3b21bd4a4b4acea70928e68650c216e8fb2d2b6f11ba33f54c6692cf3a2 SHA512 89b88f8ebf0c46f6b25dc0c5f39383ecbef0b12d6ffab388d92026066ee986f9068819cdbf38baaa1e341cd6cc84b1e8d3ad02db121aaf0ddad27e4e6efe26e7
+DIST Linux-PAM-1.5.3-docs.tar.xz 466340 BLAKE2B 6bade3c63ebe6b6ca7a86d7385850bb87bf1d6526add3ac5aad140533516c1d27b594a17d09c4127ff985c42e6c571618785d6b2a2913e6575678c4dcf947dc0 SHA512 a9082823da88e0054d74e13aef872519ced5fbef25c8cc1a7e3a99160f835aa09c9ef701b6ec507acd3b540da0019288424bb4c8ebd828181ea90450db1494a9
+DIST Linux-PAM-1.5.3.tar.xz 1020076 BLAKE2B 362c939f3afc343e6f4e78e7f6ba6f7a9c6ee0a9948bb5a4fc34cecfd29e9fa974082534d4ceedd04d8d3e34c7b3ef43d2a07ba5f41d26da04ec8330fc3790fb SHA512 af88e8c1b6a9b737ffaffff7dd9ed8eec996d1fbb5804fb76f590bed66d8a1c2c6024a534d7a7b6d18496b300f3d6571a08874cf406cd2e8cea1d5eff49c136a
diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/pam/README.md b/sdk_container/src/third_party/portage-stable/sys-libs/pam/README.md
deleted file mode 100644
index d4e1d3a149c..00000000000
--- a/sdk_container/src/third_party/portage-stable/sys-libs/pam/README.md
+++ /dev/null
@@ -1,26 +0,0 @@
-This is a fork of gentoo's sys-libs/pam package. The main reasons
-for having our fork seem to be:
-
-1. We add a locked account functionality. If the account in
- `/etc/shadow` has an exclamation mark (`!`) as a first character in
- the password field, then the account is blocked.
-
-2. We install configuration in `/usr/lib/pam`, so the configuration in
- `/etc` provided by administration can override the config we
- install.
-
-3. For an unknown reason we drop `gen_usr_ldscript -a pam pam_misc
- pamc` from the recipe.
-
-4. We make the `/sbin/unix_chkpwd` binary a suid one instead of
- overriding giving it a CAP_DAC_OVERRIDE to avoid a dependency loop
- between pam and libcap. The binary needs to be able to read
- /etc/shadow, so either suid or CAP_DAC_OVERRIDE capability should
- work. A suid binary is strictly less secure than capability
- override, so in long-term we would prefer to avoid having this
- hack. On the other hand - this is what we had so far.
-
-5. We replace the dependency on `virtual/yacc` with
- `app-alternatives/yacc`. The former was renamed to the latter in
- Gentoo, so this modification will be gone next time we update this
- package.
diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch b/sdk_container/src/third_party/portage-stable/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch
deleted file mode 100644
index a58d3eb28c0..00000000000
--- a/sdk_container/src/third_party/portage-stable/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -ur linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16.orig/modules/pam_unix/support.c linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16/modules/pam_unix/support.c
---- linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16.orig/modules/pam_unix/support.c 2020-08-18 20:50:27.226355628 +0200
-+++ linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16/modules/pam_unix/support.c 2020-08-18 20:51:20.456212931 +0200
-@@ -847,6 +847,9 @@
- return retval;
- }
- 
-+ if (pwent->pw_passwd != NULL && pwent->pw_passwd[0] == '!')
-+ return PAM_PERM_DENIED;
-+
- if (retval == PAM_SUCCESS && spent == NULL)
- return PAM_SUCCESS;
- 
diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/pam/files/pam-1.5.1-musl.patch b/sdk_container/src/third_party/portage-stable/sys-libs/pam/files/pam-1.5.1-musl.patch
deleted file mode 100644
index a1d5b1543da..00000000000
--- a/sdk_container/src/third_party/portage-stable/sys-libs/pam/files/pam-1.5.1-musl.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Fix undefined reference to `libintl_dgettext` on musl
-Bug: https://bugs.gentoo.org/832573
-Upstream: https://github.com/linux-pam/linux-pam/pull/433
-
---- a/libpam/Makefile.am
-+++ b/libpam/Makefile.am
-@@ -21,7 +21,7 @@ noinst_HEADERS = pam_prelude.h pam_private.h pam_tokens.h \
- include/pam_inline.h include/test_assert.h
- 
- libpam_la_LDFLAGS = -no-undefined -version-info 85:1:85
--libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) $(ECONF_LIBS) @LIBDL@
-+libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) $(ECONF_LIBS) @LIBDL@ @LTLIBINTL@
- 
- if HAVE_VERSIONING
- libpam_la_LDFLAGS += -Wl,--version-script=$(srcdir)/libpam.map
diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/pam/files/pam-1.5.3-termios.patch b/sdk_container/src/third_party/portage-stable/sys-libs/pam/files/pam-1.5.3-termios.patch
new file mode 100644
index 00000000000..8f7baf76fee
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/pam/files/pam-1.5.3-termios.patch
@@ -0,0 +1,34 @@
+Replace System V termio.h with POSIX termios.h for musl
+Upstream: https://github.com/linux-pam/linux-pam/pull/576
+Bug: https://bugs.gentoo.org/906137
+
+From 5658105b04ad4df212baf302898ee2cca99516a6 Mon Sep 17 00:00:00 2001
+From: Violet Purcell
+Date: Thu, 11 May 2023 10:27:53 -0400
+Subject: [PATCH] fix build on musl
+
+--- a/examples/tty_conv.c
++++ b/examples/tty_conv.c
+@@ -6,8 +6,9 @@
+ #include
+ #include
+ #include
+-#include
++#include
+ #include
++#include
+ 
+ /***************************************
+ * @brief echo off/on
+@@ -16,7 +17,7 @@
+ ***************************************/
+ static void echoOff(int fd, int off)
+ {
+- struct termio tty;
++ struct termios tty;
+ if (ioctl(fd, TCGETA, &tty) < 0)
+ {
+ fprintf(stderr, "TCGETA failed: %s\n", strerror(errno));
+-- 
+2.40.1
+ 
diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/pam/files/tmpfiles.d/pam.conf b/sdk_container/src/third_party/portage-stable/sys-libs/pam/files/tmpfiles.d/pam.conf
deleted file mode 100644
index 6b8ebb43777..00000000000
--- a/sdk_container/src/third_party/portage-stable/sys-libs/pam/files/tmpfiles.d/pam.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-d /etc/pam.d 0755 root root - -
-d /etc/security 0755 root root - -
-d /etc/security/limits.d 0755 root root - -
-d /etc/security/namespace.d 0755 root root - -
-f /etc/environment 0755 root root - -
-L /etc/security/access.conf - - - - ../../usr/lib/pam/access.conf
-L /etc/security/group.conf - - - - ../../usr/lib/pam/group.conf
-L /etc/security/limits.conf - - - - ../../usr/lib/pam/limits.conf
-L /etc/security/namespace.conf - - - - ../../usr/lib/pam/namespace.conf
-L /etc/security/pam_env.conf - - - - ../../usr/lib/pam/pam_env.conf
-L /etc/security/time.conf - - - - ../../usr/lib/pam/time.conf
diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/pam/metadata.xml b/sdk_container/src/third_party/portage-stable/sys-libs/pam/metadata.xml
index 3b9be27ff8f..1abda7583cd 100644
--- a/sdk_container/src/third_party/portage-stable/sys-libs/pam/metadata.xml +++ b/sdk_container/src/third_party/portage-stable/sys-libs/pam/metadata.xml @@ -1,21 +1,24 @@ - - zlogene@gentoo.org - Mikle Kolyada - - - - Build the pam_userdb module, that allows to authenticate users - against a Berkeley DB file. Please note that enabling this USE - flag will create a PAM module that links to the Berkeley DB (as - provided by sys-libs/db) installed in /usr/lib and - will thus not work for boot-critical services authentication. - + + base-system@gentoo.org + + + sam@gentoo.org + Sam James + + + + Build the pam_userdb module, that allows to authenticate users + against a Berkeley DB file. Please note that enabling this USE + flag will create a PAM module that links to the Berkeley DB (as + provided by sys-libs/db) installed in /usr/lib and + will thus not work for boot-critical services authentication. + - - linux-pam/linux-pam - cpe:/a:kernel:linux-pam - + + linux-pam/linux-pam + cpe:/a:kernel:linux-pam + diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild b/sdk_container/src/third_party/portage-stable/sys-libs/pam/pam-1.5.3-r1.ebuild similarity index 54% rename from sdk_container/src/third_party/portage-stable/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild rename to sdk_container/src/third_party/portage-stable/sys-libs/pam/pam-1.5.3-r1.ebuild index d91874ac486..8f176361a93 100644 --- a/sdk_container/src/third_party/portage-stable/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild +++ b/sdk_container/src/third_party/portage-stable/sys-libs/pam/pam-1.5.3-r1.ebuild 
@@ -1,73 +1,83 @@ -# Copyright 1999-2022 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -EAPI=7 +EAPI=8 + +MY_P="Linux-${PN^^}-${PV}" # Avoid QA warnings # Can reconsider w/ EAPI 8 and IDEPEND, bug #810979 TMPFILES_OPTIONAL=1 -inherit autotools db-use toolchain-funcs usr-ldscript multilib-minimal - -GIT_COMMIT="fe1307512fb8892b5ceb3d884c793af8dbd4c16a" -DOC_SNAPSHOT="20210610" +inherit db-use fcaps flag-o-matic toolchain-funcs multilib-minimal DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)" HOMEPAGE="https://github.com/linux-pam/linux-pam" - -SRC_URI="https://github.com/linux-pam/linux-pam/archive/${GIT_COMMIT}.tar.gz -> ${P}.tar.gz - https://dev.gentoo.org/~zlogene/distfiles/${CATEGORY}/${PN}/${PN}-doc-${PV%_p*}_p${DOC_SNAPSHOT}.tar.xz" +SRC_URI=" + https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz + https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}-docs.tar.xz +" +S="${WORKDIR}/${MY_P}" LICENSE="|| ( BSD GPL-2 )" SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux" IUSE="audit berkdb debug nis selinux" BDEPEND=" app-alternatives/yacc dev-libs/libxslt - sys-devel/flex + app-alternatives/lex sys-devel/gettext virtual/pkgconfig " - DEPEND=" virtual/libcrypt:=[${MULTILIB_USEDEP}] >=virtual/libintl-0-r1[${MULTILIB_USEDEP}] audit? ( >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] ) berkdb? ( >=sys-libs/db-4.8.30-r1:=[${MULTILIB_USEDEP}] ) selinux? ( >=sys-libs/libselinux-2.2.2-r4[${MULTILIB_USEDEP}] ) - nis? ( net-libs/libnsl:=[${MULTILIB_USEDEP}] - >=net-libs/libtirpc-0.2.4-r2:=[${MULTILIB_USEDEP}] )" - + nis? 
( + net-libs/libnsl:=[${MULTILIB_USEDEP}] + >=net-libs/libtirpc-0.2.4-r2:=[${MULTILIB_USEDEP}] + ) +" RDEPEND="${DEPEND}" - PDEPEND=">=sys-auth/pambase-20200616" -S="${WORKDIR}/linux-${PN}-${GIT_COMMIT}" - PATCHES=( - "${FILESDIR}"/${PN}-1.5.0-locked-accounts.patch - "${FILESDIR}"/${PN}-1.5.1-musl.patch + "${FILESDIR}/${P}-termios.patch" ) src_prepare() { default touch ChangeLog || die - eautoreconf } multilib_src_configure() { - # Do not let user's BROWSER setting mess us up. #549684 + # Do not let user's BROWSER setting mess us up, bug #549684 unset BROWSER + # This whole weird has_version libxcrypt block can go once + # musl systems have libxcrypt[system] if we ever make + # that mandatory. See bug #867991. + if use elibc_musl && ! has_version sys-libs/libxcrypt[system] ; then + # Avoid picking up symbol-versioned compat symbol on musl systems + export ac_cv_search_crypt_gensalt_rn=no + + # Need to avoid picking up the libxcrypt headers which define + # CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY. + cp "${ESYSROOT}"/usr/include/crypt.h "${T}"/crypt.h || die + append-cppflags -I"${T}" + fi + local myconf=( CC_FOR_BUILD="$(tc-getBUILD_CC)" --with-db-uniquename=-$(db_findver sys-libs/db) - --with-xml-catalog=/etc/xml/catalog - --enable-securedir=/$(get_libdir)/security - --includedir=/usr/include/security - --libdir=/usr/$(get_libdir) + --with-xml-catalog="${EPREFIX}"/etc/xml/catalog + --enable-securedir="${EPREFIX}"/$(get_libdir)/security + --includedir="${EPREFIX}"/usr/include/security + --libdir="${EPREFIX}"/usr/$(get_libdir) --enable-pie --enable-unix --disable-prelude 
@@ -75,14 +85,23 @@ multilib_src_configure() { --disable-regenerate-docu --disable-static --disable-Werror + # TODO: wire this up now it's more useful as of 1.5.3 + --disable-econf + + # TODO: add elogind support + # lastlog is enabled again for now by us until logind support + # is handled. Even then, disabling lastlog will probably need + # a news item. + --disable-logind + --enable-lastlog + $(use_enable audit) $(use_enable berkdb db) $(use_enable debug) $(use_enable nis) $(use_enable selinux) - --enable-isadir='.' #464016 - --enable-sconfigdir="/usr/lib/pam/" - ) + --enable-isadir='.' # bug #464016 + ) ECONF_SOURCE="${S}" econf "${myconf[@]}" } @@ -98,19 +117,10 @@ multilib_src_install() { multilib_src_install_all() { find "${ED}" -type f -name '*.la' -delete || die - # Flatcar: The pam_unix module needs to check the password of - # the user which requires read access to /etc/shadow - # only. Make it suid instead of using CAP_DAC_OVERRIDE to - # avoid a pam -> libcap -> pam dependency loop. - fperms 4711 /sbin/unix_chkpwd - # tmpfiles.eclass is impossible to use because # there is the pam -> tmpfiles -> systemd -> pam dependency loop - dodir /usr/lib/tmpfiles.d - rm "${D}/etc/environment" - cp "${FILESDIR}/tmpfiles.d/pam.conf" "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-config.conf cat ->> "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_ d /run/faillock 0755 root root _EOF_ @@ -120,7 +130,7 @@ multilib_src_install_all() { local page - for page in "${WORKDIR}"/man/*.{3,5,8} ; do + for page in doc/man/*.{3,5,8} modules/*/*.{5,8} ; do doman ${page} done } 
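Review bot: Removing `cp "${FILESDIR}/tmpfiles.d/pam.conf" "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-config.conf` from `multilib_src_install_all` (the `@@ -98,19 +117,10 @@` hunk) also drops the tmpfiles entries, deleted earlier in this commit, that created `/etc/security/limits.d`, `/etc/security/namespace.d` and `/etc/environment` at boot, and nothing in the hunk takes that over. With `--enable-sconfigdir="/usr/lib/pam/"` gone in the preceding hunk pam's own install now populates `/etc/security` directly, but whether it also creates those two drop-in directories is not visible here; if it does not, pam_limits and pam_namespace would presumably run without any drop-ins rather than fail. Suggest confirming and recording the answer in the comment above `dodir /usr/lib/tmpfiles.d`, e.g. `# limits.d/namespace.d used to come from our tmpfiles snippet; now expected from pam's own install`. `multilib_src_install_all` continues past the hunk.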
@@ -133,7 +143,11 @@ pkg_postinst() { ewarn "restart the software manually after the update." ewarn "" ewarn "You can get a list of such software running a command like" - ewarn " lsof / | egrep -i 'del.*libpam\\.so'" + ewarn " lsof / | grep -E -i 'del.*libpam\\.so'" ewarn "" ewarn "Alternatively, simply reboot your system." + + # The pam_unix module needs to check the password of the user which requires + # read access to /etc/shadow only. + fcaps cap_dac_override sbin/unix_chkpwd } diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/pam/pam-1.5.3.ebuild b/sdk_container/src/third_party/portage-stable/sys-libs/pam/pam-1.5.3.ebuild new file mode 100644 index 00000000000..2ddcf24b4f3 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-libs/pam/pam-1.5.3.ebuild 
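Review bot: `fcaps cap_dac_override sbin/unix_chkpwd` in `pkg_postinst` replaces the `fperms 4711 /sbin/unix_chkpwd` removed from `multilib_src_install_all` in the `@@ -98,19 +117,10 @@` hunk, and the README deleted in this same commit explains that the suid mode was chosen to avoid a pam → libcap → pam dependency loop; the commit message ("Sync with Gentoo") does not say how that loop is resolved now that the ebuild inherits fcaps. The change also moves the privilege grant from install time to a postinst step, so the file capability has to survive whatever assembles the Flatcar image; if it is lost, unix_chkpwd has neither the capability nor the suid bit and pam_unix checks from non-root callers fail closed (as far as I recall the fcaps eclass only falls back to a setuid mode when setcap itself fails, not when the xattr is dropped later — worth confirming). Suggest extending the comment above the call: `# Flatcar: relies on file capabilities being preserved by the image build; without them (and without the old 4711 mode) pam_unix cannot read /etc/shadow for unprivileged callers.` The same `pkg_postinst` body appears in the new pam-1.5.3.ebuild added by this commit.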
@@ -0,0 +1,155 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+MY_P="Linux-${PN^^}-${PV}"
+
+# Avoid QA warnings
+# Can reconsider w/ EAPI 8 and IDEPEND, bug #810979
+TMPFILES_OPTIONAL=1
+
+inherit db-use fcaps flag-o-matic toolchain-funcs usr-ldscript multilib-minimal
+
+DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)"
+HOMEPAGE="https://github.com/linux-pam/linux-pam"
+SRC_URI="
+ https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz
+ https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}-docs.tar.xz
+"
+S="${WORKDIR}/${MY_P}"
+
+LICENSE="|| ( BSD GPL-2 )"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux"
+IUSE="audit berkdb debug nis selinux"
+
+BDEPEND="
+ app-alternatives/yacc
+ dev-libs/libxslt
+ app-alternatives/lex
+ sys-devel/gettext
+ virtual/pkgconfig
+"
+DEPEND="
+ virtual/libcrypt:=[${MULTILIB_USEDEP}]
+ >=virtual/libintl-0-r1[${MULTILIB_USEDEP}]
+ audit? ( >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] )
+ berkdb? ( >=sys-libs/db-4.8.30-r1:=[${MULTILIB_USEDEP}] )
+ selinux? ( >=sys-libs/libselinux-2.2.2-r4[${MULTILIB_USEDEP}] )
+ nis? (
+ net-libs/libnsl:=[${MULTILIB_USEDEP}]
+ >=net-libs/libtirpc-0.2.4-r2:=[${MULTILIB_USEDEP}]
+ )
+"
+RDEPEND="${DEPEND}"
+PDEPEND=">=sys-auth/pambase-20200616"
+
+PATCHES=(
+ "${FILESDIR}/${P}-termios.patch"
+)
+
+src_prepare() {
+ default
+ touch ChangeLog || die
+}
+
+multilib_src_configure() {
+ # Do not let user's BROWSER setting mess us up, bug #549684
+ unset BROWSER
+
+ # This whole weird has_version libxcrypt block can go once
+ # musl systems have libxcrypt[system] if we ever make
+ # that mandatory. See bug #867991.
+ if use elibc_musl && ! has_version sys-libs/libxcrypt[system] ; then
+ # Avoid picking up symbol-versioned compat symbol on musl systems
+ export ac_cv_search_crypt_gensalt_rn=no
+
+ # Need to avoid picking up the libxcrypt headers which define
+ # CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY.
+ cp "${ESYSROOT}"/usr/include/crypt.h "${T}"/crypt.h || die
+ append-cppflags -I"${T}"
+ fi
+
+ local myconf=(
+ CC_FOR_BUILD="$(tc-getBUILD_CC)"
+ --with-db-uniquename=-$(db_findver sys-libs/db)
+ --with-xml-catalog="${EPREFIX}"/etc/xml/catalog
+ --enable-securedir="${EPREFIX}"/$(get_libdir)/security
+ --includedir="${EPREFIX}"/usr/include/security
+ --libdir="${EPREFIX}"/usr/$(get_libdir)
+ --enable-pie
+ --enable-unix
+ --disable-prelude
+ --disable-doc
+ --disable-regenerate-docu
+ --disable-static
+ --disable-Werror
+ # TODO: wire this up now it's more useful as of 1.5.3
+ --disable-econf
+
+ # TODO: add elogind support
+ # lastlog is enabled again for now by us until logind support
+ # is handled. Even then, disabling lastlog will probably need
+ # a news item.
+ --disable-logind
+ --enable-lastlog
+
+ $(use_enable audit)
+ $(use_enable berkdb db)
+ $(use_enable debug)
+ $(use_enable nis)
+ $(use_enable selinux)
+ --enable-isadir='.' # bug #464016
+ )
+ ECONF_SOURCE="${S}" econf "${myconf[@]}"
+}
+
+multilib_src_compile() {
+ emake sepermitlockdir="/run/sepermit"
+}
+
+multilib_src_install() {
+ emake DESTDIR="${D}" install \
+ sepermitlockdir="/run/sepermit"
+
+ gen_usr_ldscript -a pam pam_misc pamc
+}
+
+multilib_src_install_all() {
+ find "${ED}" -type f -name '*.la' -delete || die
+
+ # tmpfiles.eclass is impossible to use because
+ # there is the pam -> tmpfiles -> systemd -> pam dependency loop
+ dodir /usr/lib/tmpfiles.d
+
+ cat ->> "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_
+ d /run/faillock 0755 root root
+ _EOF_
+ use selinux && cat ->> "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-selinux.conf <<-_EOF_
+ d /run/sepermit 0755 root root
+ _EOF_
+
+ local page
+
+ for page in doc/man/*.{3,5,8} modules/*/*.{5,8} ; do
+ doman ${page}
+ done
+}
+
+pkg_postinst() {
+ ewarn "Some software with pre-loaded PAM libraries might experience"
+ ewarn "warnings or failures related to missing symbols and/or versions"
+ ewarn "after any update. While unfortunate this is a limit of the"
+ ewarn "implementation of PAM and the software, and it requires you to"
+ ewarn "restart the software manually after the update."
+ ewarn ""
+ ewarn "You can get a list of such software running a command like"
+ ewarn " lsof / | grep -E -i 'del.*libpam\\.so'"
+ ewarn ""
+ ewarn "Alternatively, simply reboot your system."
+
+ # The pam_unix module needs to check the password of the user which requires
+ # read access to /etc/shadow only.
+ fcaps cap_dac_override sbin/unix_chkpwd
+}

From efcb0308bd0e32c1912bb4410ecceaadefe226ee Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Tue, 27 Feb 2024 10:08:04 +0100
Subject: [PATCH 7/8] .github: Add sys-libs/pam to automation

---
 .github/workflows/portage-stable-packages-list | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list
index 1e521d54ff5..ce754ba6de7 100644
--- a/.github/workflows/portage-stable-packages-list
+++ b/.github/workflows/portage-stable-packages-list
@@ -558,6 +558,7 @@ sys-libs/libsepol
 sys-libs/libunwind
 sys-libs/liburing
 sys-libs/ncurses
+sys-libs/pam
 sys-libs/readline
 sys-libs/talloc
 sys-libs/tdb

From 385560e4ac514b6a69352c8ec78c0854cacf2b91 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Mon, 4 Mar 2024 11:03:40 +0100
Subject: [PATCH 8/8] changelog: Add an entry

---
 changelog/updates/2024-03-04-pam.md | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog/updates/2024-03-04-pam.md

diff --git a/changelog/updates/2024-03-04-pam.md b/changelog/updates/2024-03-04-pam.md
new file mode 100644
index 00000000000..3f39063be04
--- /dev/null
+++ b/changelog/updates/2024-03-04-pam.md
@@ -0,0 +1 @@
+- pam ([1.5.3](https://github.com/linux-pam/linux-pam/releases/tag/v1.5.3))