Merge pull request #2049 from markafarrell/feature/update-linux-pam-1…

….5.3

Upgrade to linux-pam-1.5.3-r1

changelog/updates/2024-06-27-linux-pam-1.5.3-update.md

@@ -0,0 +1 @@
+- linux-pam ([1.5.3](https://github.com/linux-pam/linux-pam/releases/tag/v1.5.3))

sdk_container/src/third_party/coreos-overlay/sys-libs/pam/Manifest

@@ -1,2 +1,4 @@
-DIST pam-1.5.1_p20210622.tar.gz 783068 BLAKE2B c8f13c2ccef73ad367d4fac9a7d1d0d3f3d0e4f1c8eea877d2ab467411cf17cc32c6c9c89e98d94090481d7d7746723175031ba8713a8fb0c3e1976e2854e58b SHA512 5b7a84b9de2d0b0c39cb33e9b8d24aeedca670b998536d74dc497eb7af31cb1f3157f196a01712c4ae273634b51ddad2062f207534b35b1d1a1e790816c8dc1b
-DIST pam-doc-1.5.1_p20210610.tar.xz 62308 BLAKE2B b3311e704ddc840b7fd28ea7764e8a0d3fdf508e2e37405acbfa26462a188c480859b3b21bd4a4b4acea70928e68650c216e8fb2d2b6f11ba33f54c6692cf3a2 SHA512 89b88f8ebf0c46f6b25dc0c5f39383ecbef0b12d6ffab388d92026066ee986f9068819cdbf38baaa1e341cd6cc84b1e8d3ad02db121aaf0ddad27e4e6efe26e7
+DIST Linux-PAM-1.5.3-docs.tar.xz 466340 BLAKE2B 6bade3c63ebe6b6ca7a86d7385850bb87bf1d6526add3ac5aad140533516c1d27b594a17d09c4127ff985c42e6c571618785d6b2a2913e6575678c4dcf947dc0 SHA512 a9082823da88e0054d74e13aef872519ced5fbef25c8cc1a7e3a99160f835aa09c9ef701b6ec507acd3b540da0019288424bb4c8ebd828181ea90450db1494a9
+DIST Linux-PAM-1.5.3.tar.xz 1020076 BLAKE2B 362c939f3afc343e6f4e78e7f6ba6f7a9c6ee0a9948bb5a4fc34cecfd29e9fa974082534d4ceedd04d8d3e34c7b3ef43d2a07ba5f41d26da04ec8330fc3790fb SHA512 af88e8c1b6a9b737ffaffff7dd9ed8eec996d1fbb5804fb76f590bed66d8a1c2c6024a534d7a7b6d18496b300f3d6571a08874cf406cd2e8cea1d5eff49c136a
+DIST Linux-PAM-1.6.1-docs.tar.xz 465516 BLAKE2B c39dfba2e327120edc1f30be6ea7f8e6cf20d1f4dd17752cc34e0ae1c0bd22b3d19b94ab665bf3df5bd6ecc7fc358dbbedd8a3069df95ff6189580e538aa3547 SHA512 c6054ec6832f604c0654cf074e4e241c44037fd41cd37cca7da94abe008ff72adc4466d31bd254517eda083c7ec3f6aefd37785b3ee3d0d4553250bd29963855
+DIST Linux-PAM-1.6.1.tar.xz 1054152 BLAKE2B 649b4ff892fbd3eb90adcbd9ccc5b3f5df51bf1c79b9084c7a1613c432587b13b81761d1eb4f31ef12d58843d16af24a3c441d0b6f5d2f2a1db9c8da15a61e2f SHA512 ddb5a5f296f564b76925324550d29f15d342841a97815336789c7bb922a8663e831edeb54f3dcd1eaf297e3325c9e2e6c14b8740def5c43cf3f160a8a14fa2ea

sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md

@@ -19,8 +19,3 @@ for having our fork seem to be:
    work. A suid binary is strictly less secure than capability
    override, so in long-term we would prefer to avoid having this
    hack. On the other hand - this is what we had so far.
-
-5. We replace the dependency on `virtual/yacc` with
-   `app-alternatives/yacc`. The former was renamed to the latter in
-   Gentoo, so this modification will be gone next time we update this
-   package.

sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.3-termios.patch

@@ -0,0 +1,34 @@
+Replace System V termio.h with POSIX termios.h for musl
+Upstream: https://github.com/linux-pam/linux-pam/pull/576
+Bug: https://bugs.gentoo.org/906137
+
+From 5658105b04ad4df212baf302898ee2cca99516a6 Mon Sep 17 00:00:00 2001
+From: Violet Purcell <[email protected]>
+Date: Thu, 11 May 2023 10:27:53 -0400
+Subject: [PATCH] fix build on musl
+
+--- a/examples/tty_conv.c
++++ b/examples/tty_conv.c
+@@ -6,8 +6,9 @@
+ #include <string.h>
+ #include <errno.h>
+ #include <unistd.h>
+-#include <termio.h>
++#include <termios.h>
+ #include <security/pam_appl.h>
++#include <sys/ioctl.h>
+
+ /***************************************
+  * @brief echo off/on
+@@ -16,7 +17,7 @@
+  ***************************************/
+ static void echoOff(int fd, int off)
+ {
+-    struct termio tty;
++    struct termios tty;
+     if (ioctl(fd, TCGETA, &tty) < 0)
+     {
+         fprintf(stderr, "TCGETA failed: %s\n", strerror(errno));
+-- 
+2.40.1
+

sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf

@@ -3,9 +3,9 @@ d /etc/security			0755 root root	-	-
 d /etc/security/limits.d	0755 root root	-	-
 d /etc/security/namespace.d	0755 root root	-	-
 f /etc/environment		0755 root root	-	-
-L /etc/security/access.conf	-    -	  -	-	../../usr/lib/pam/access.conf
-L /etc/security/group.conf	-    - 	  - 	-	../../usr/lib/pam/group.conf
-L /etc/security/limits.conf	-    -	  -	-	../../usr/lib/pam/limits.conf
-L /etc/security/namespace.conf	-    -	  -	-	../../usr/lib/pam/namespace.conf
-L /etc/security/pam_env.conf	-    -	  -	-	../../usr/lib/pam/pam_env.conf
-L /etc/security/time.conf	-    -	  -	-	../../usr/lib/pam/time.conf
+L /etc/security/access.conf	-    -	  -	-	../../usr/lib/pam/security/access.conf
+L /etc/security/group.conf	-    - 	  - 	-	../../usr/lib/pam/security/group.conf
+L /etc/security/limits.conf	-    -	  -	-	../../usr/lib/pam/security/limits.conf
+L /etc/security/namespace.conf	-    -	  -	-	../../usr/lib/pam/security/namespace.conf
+L /etc/security/pam_env.conf	-    -	  -	-	../../usr/lib/pam/security/pam_env.conf
+L /etc/security/time.conf	-    -	  -	-	../../usr/lib/pam/security/time.conf

sdk_container/src/third_party/coreos-overlay/sys-libs/pam/metadata.xml

@@ -1,21 +1,24 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
-<maintainer type="person">
-	<email>[email protected]</email>
-	<name>Mikle Kolyada</name>
-</maintainer>
-<use>
-	<flag name="berkdb">
-		Build the pam_userdb module, that allows to authenticate users
-		against a Berkeley DB file. Please note that enabling this USE
-		flag will create a PAM module that links to the Berkeley DB (as
-		provided by <pkg>sys-libs/db</pkg>) installed in /usr/lib and
-		will thus not work for boot-critical services authentication.
-	</flag>
+	<maintainer type="project">
+		<email>[email protected]</email>
+	</maintainer>
+	<maintainer type="person">
+		<email>[email protected]</email>
+		<name>Sam James</name>
+	</maintainer>
+	<use>
+		<flag name="berkdb">
+			Build the pam_userdb module, that allows to authenticate users
+			against a Berkeley DB file. Please note that enabling this USE
+			flag will create a PAM module that links to the Berkeley DB (as
+			provided by <pkg>sys-libs/db</pkg>) installed in /usr/lib and
+			will thus not work for boot-critical services authentication.
+		</flag>
 		</use>
-<upstream>
-	<remote-id type="github">linux-pam/linux-pam</remote-id>
-	<remote-id type="cpe">cpe:/a:kernel:linux-pam</remote-id>
-</upstream>
+	<upstream>
+		<remote-id type="github">linux-pam/linux-pam</remote-id>
+		<remote-id type="cpe">cpe:/a:kernel:linux-pam</remote-id>
+	</upstream>
 </pkgmetadata>

sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild → sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.3-r1.ebuild

@@ -1,88 +1,109 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=7
+EAPI=8
+
+MY_P="Linux-${PN^^}-${PV}"
 
 # Avoid QA warnings
 # Can reconsider w/ EAPI 8 and IDEPEND, bug #810979
 TMPFILES_OPTIONAL=1
 
-inherit autotools db-use toolchain-funcs usr-ldscript multilib-minimal
-
-GIT_COMMIT="fe1307512fb8892b5ceb3d884c793af8dbd4c16a"
-DOC_SNAPSHOT="20210610"
+inherit db-use fcaps flag-o-matic toolchain-funcs multilib-minimal
 
 DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)"
 HOMEPAGE="https://github.com/linux-pam/linux-pam"
-
-SRC_URI="https://github.com/linux-pam/linux-pam/archive/${GIT_COMMIT}.tar.gz -> ${P}.tar.gz
-	https://dev.gentoo.org/~zlogene/distfiles/${CATEGORY}/${PN}/${PN}-doc-${PV%_p*}_p${DOC_SNAPSHOT}.tar.xz"
+SRC_URI="
+	https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz
+	https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}-docs.tar.xz
+"
+S="${WORKDIR}/${MY_P}"
 
 LICENSE="|| ( BSD GPL-2 )"
 SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux"
 IUSE="audit berkdb debug nis selinux"
 
 BDEPEND="
 	app-alternatives/yacc
 	dev-libs/libxslt
-	sys-devel/flex
+	app-alternatives/lex
 	sys-devel/gettext
 	virtual/pkgconfig
 "
-
 DEPEND="
 	virtual/libcrypt:=[${MULTILIB_USEDEP}]
 	>=virtual/libintl-0-r1[${MULTILIB_USEDEP}]
 	audit? ( >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] )
 	berkdb? ( >=sys-libs/db-4.8.30-r1:=[${MULTILIB_USEDEP}] )
 	selinux? ( >=sys-libs/libselinux-2.2.2-r4[${MULTILIB_USEDEP}] )
-	nis? ( net-libs/libnsl:=[${MULTILIB_USEDEP}]
-	>=net-libs/libtirpc-0.2.4-r2:=[${MULTILIB_USEDEP}] )"
-
+	nis? (
+		net-libs/libnsl:=[${MULTILIB_USEDEP}]
+		>=net-libs/libtirpc-0.2.4-r2:=[${MULTILIB_USEDEP}]
+	)
+"
 RDEPEND="${DEPEND}"
-
 PDEPEND=">=sys-auth/pambase-20200616"
 
-S="${WORKDIR}/linux-${PN}-${GIT_COMMIT}"
-
 PATCHES=(
 	"${FILESDIR}"/${PN}-1.5.0-locked-accounts.patch
-	"${FILESDIR}"/${PN}-1.5.1-musl.patch
+	"${FILESDIR}/${P}-termios.patch"
 )
 
 src_prepare() {
 	default
 	touch ChangeLog || die
-	eautoreconf
 }
 
 multilib_src_configure() {
-	# Do not let user's BROWSER setting mess us up. #549684
+	# Do not let user's BROWSER setting mess us up, bug #549684
 	unset BROWSER
 
+	# This whole weird has_version libxcrypt block can go once
+	# musl systems have libxcrypt[system] if we ever make
+	# that mandatory. See bug #867991.
+	if use elibc_musl && ! has_version sys-libs/libxcrypt[system] ; then
+		# Avoid picking up symbol-versioned compat symbol on musl systems
+		export ac_cv_search_crypt_gensalt_rn=no
+
+		# Need to avoid picking up the libxcrypt headers which define
+		# CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY.
+		cp "${ESYSROOT}"/usr/include/crypt.h "${T}"/crypt.h || die
+		append-cppflags -I"${T}"
+	fi
+
 	local myconf=(
 		CC_FOR_BUILD="$(tc-getBUILD_CC)"
 		--with-db-uniquename=-$(db_findver sys-libs/db)
-		--with-xml-catalog=/etc/xml/catalog
-		--enable-securedir=/$(get_libdir)/security
-		--includedir=/usr/include/security
-		--libdir=/usr/$(get_libdir)
+		--with-xml-catalog="${EPREFIX}"/etc/xml/catalog
+		--enable-securedir="${EPREFIX}"/$(get_libdir)/security
+		--includedir="${EPREFIX}"/usr/include/security
+		--libdir="${EPREFIX}"/usr/$(get_libdir)
 		--enable-pie
 		--enable-unix
 		--disable-prelude
 		--disable-doc
 		--disable-regenerate-docu
 		--disable-static
 		--disable-Werror
+		# TODO: wire this up now it's more useful as of 1.5.3 (bug #931117)
+		--disable-econf
+
+		# TODO: add elogind support (bug #931115)
+		# lastlog is enabled again for now by us until logind support
+		# is handled. Even then, disabling lastlog will probably need
+		# a news item.
+		--disable-logind
+		--enable-lastlog
+
 		$(use_enable audit)
 		$(use_enable berkdb db)
 		$(use_enable debug)
 		$(use_enable nis)
 		$(use_enable selinux)
-		--enable-isadir='.' #464016
-		--enable-sconfigdir="/usr/lib/pam/"
-		)
+		--enable-isadir='.' # bug #464016
+		--enable-vendordir="/usr/lib/pam/"
+	)
 	ECONF_SOURCE="${S}" econf "${myconf[@]}"
 }
 
@@ -106,7 +127,6 @@ multilib_src_install_all() {
 
 	# tmpfiles.eclass is impossible to use because
 	# there is the pam -> tmpfiles -> systemd -> pam dependency loop
-
 	dodir /usr/lib/tmpfiles.d
 
 	rm "${D}/etc/environment"
@@ -120,7 +140,7 @@ multilib_src_install_all() {
 
 	local page
 
-	for page in "${WORKDIR}"/man/*.{3,5,8} ; do
+	for page in doc/man/*.{3,5,8} modules/*/*.{5,8} ; do
 		doman ${page}
 	done
 }
@@ -133,7 +153,7 @@ pkg_postinst() {
 	ewarn "restart the software manually after the update."
 	ewarn ""
 	ewarn "You can get a list of such software running a command like"
-	ewarn "  lsof / | egrep -i 'del.*libpam\\.so'"
+	ewarn "  lsof / | grep -E -i 'del.*libpam\\.so'"
 	ewarn ""
 	ewarn "Alternatively, simply reboot your system."
 }