diff --git a/changelog/updates/2024-06-27-linux-pam-1.5.3-update.md b/changelog/updates/2024-06-27-linux-pam-1.5.3-update.md
new file mode 100644
index 00000000000..b2751de7289
--- /dev/null
+++ b/changelog/updates/2024-06-27-linux-pam-1.5.3-update.md
@@ -0,0 +1 @@
+- linux-pam ([1.5.3](https://github.com/linux-pam/linux-pam/releases/tag/v1.5.3))
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/Manifest
index 5ab7f61b2a7..626b3811412 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/Manifest
@@ -1,2 +1,4 @@
-DIST pam-1.5.1_p20210622.tar.gz 783068 BLAKE2B c8f13c2ccef73ad367d4fac9a7d1d0d3f3d0e4f1c8eea877d2ab467411cf17cc32c6c9c89e98d94090481d7d7746723175031ba8713a8fb0c3e1976e2854e58b SHA512 5b7a84b9de2d0b0c39cb33e9b8d24aeedca670b998536d74dc497eb7af31cb1f3157f196a01712c4ae273634b51ddad2062f207534b35b1d1a1e790816c8dc1b
-DIST pam-doc-1.5.1_p20210610.tar.xz 62308 BLAKE2B b3311e704ddc840b7fd28ea7764e8a0d3fdf508e2e37405acbfa26462a188c480859b3b21bd4a4b4acea70928e68650c216e8fb2d2b6f11ba33f54c6692cf3a2 SHA512 89b88f8ebf0c46f6b25dc0c5f39383ecbef0b12d6ffab388d92026066ee986f9068819cdbf38baaa1e341cd6cc84b1e8d3ad02db121aaf0ddad27e4e6efe26e7
+DIST Linux-PAM-1.5.3-docs.tar.xz 466340 BLAKE2B 6bade3c63ebe6b6ca7a86d7385850bb87bf1d6526add3ac5aad140533516c1d27b594a17d09c4127ff985c42e6c571618785d6b2a2913e6575678c4dcf947dc0 SHA512 a9082823da88e0054d74e13aef872519ced5fbef25c8cc1a7e3a99160f835aa09c9ef701b6ec507acd3b540da0019288424bb4c8ebd828181ea90450db1494a9
+DIST Linux-PAM-1.5.3.tar.xz 1020076 BLAKE2B 362c939f3afc343e6f4e78e7f6ba6f7a9c6ee0a9948bb5a4fc34cecfd29e9fa974082534d4ceedd04d8d3e34c7b3ef43d2a07ba5f41d26da04ec8330fc3790fb SHA512 af88e8c1b6a9b737ffaffff7dd9ed8eec996d1fbb5804fb76f590bed66d8a1c2c6024a534d7a7b6d18496b300f3d6571a08874cf406cd2e8cea1d5eff49c136a
+DIST Linux-PAM-1.6.1-docs.tar.xz 465516 BLAKE2B c39dfba2e327120edc1f30be6ea7f8e6cf20d1f4dd17752cc34e0ae1c0bd22b3d19b94ab665bf3df5bd6ecc7fc358dbbedd8a3069df95ff6189580e538aa3547 SHA512 c6054ec6832f604c0654cf074e4e241c44037fd41cd37cca7da94abe008ff72adc4466d31bd254517eda083c7ec3f6aefd37785b3ee3d0d4553250bd29963855
+DIST Linux-PAM-1.6.1.tar.xz 1054152 BLAKE2B 649b4ff892fbd3eb90adcbd9ccc5b3f5df51bf1c79b9084c7a1613c432587b13b81761d1eb4f31ef12d58843d16af24a3c441d0b6f5d2f2a1db9c8da15a61e2f SHA512 ddb5a5f296f564b76925324550d29f15d342841a97815336789c7bb922a8663e831edeb54f3dcd1eaf297e3325c9e2e6c14b8740def5c43cf3f160a8a14fa2ea
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md index d4e1d3a149c..9500945b402 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md @@ -19,8 +19,3 @@ for having our fork seem to be: work. A suid binary is strictly less secure than capability override, so in long-term we would prefer to avoid having this hack. On the other hand - this is what we had so far. - -5. We replace the dependency on `virtual/yacc` with - `app-alternatives/yacc`. The former was renamed to the latter in - Gentoo, so this modification will be gone next time we update this - package. diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.1-musl.patch b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.1-musl.patch deleted file mode 100644 index a1d5b1543da..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.1-musl.patch +++ /dev/null @@ -1,15 +0,0 @@ -Fix undefined reference to `libintl_dgettext` on musl -Bug: https://bugs.gentoo.org/832573 -Upstream: https://github.com/linux-pam/linux-pam/pull/433 - ---- a/libpam/Makefile.am -+++ b/libpam/Makefile.am -@@ -21,7 +21,7 @@ noinst_HEADERS = pam_prelude.h pam_private.h pam_tokens.h \ - include/pam_inline.h include/test_assert.h - - libpam_la_LDFLAGS = -no-undefined -version-info 85:1:85 --libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) $(ECONF_LIBS) @LIBDL@ -+libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) $(ECONF_LIBS) @LIBDL@ @LTLIBINTL@ - - if HAVE_VERSIONING - libpam_la_LDFLAGS += -Wl,--version-script=$(srcdir)/libpam.map 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.3-termios.patch b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.3-termios.patch
new file mode 100644
index 00000000000..8f7baf76fee
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.3-termios.patch
@@ -0,0 +1,34 @@
+Replace System V termio.h with POSIX termios.h for musl
+Upstream: https://github.com/linux-pam/linux-pam/pull/576
+Bug: https://bugs.gentoo.org/906137
+
+From 5658105b04ad4df212baf302898ee2cca99516a6 Mon Sep 17 00:00:00 2001
+From: Violet Purcell
+Date: Thu, 11 May 2023 10:27:53 -0400
+Subject: [PATCH] fix build on musl
+
+--- a/examples/tty_conv.c
++++ b/examples/tty_conv.c
+@@ -6,8 +6,9 @@
+ #include
+ #include
+ #include
+-#include
++#include
+ #include
++#include
+
+ /***************************************
+ * @brief echo off/on
+@@ -16,7 +17,7 @@
+ ***************************************/
+ static void echoOff(int fd, int off)
+ {
+- struct termio tty;
++ struct termios tty;
+ if (ioctl(fd, TCGETA, &tty) < 0)
+ {
+ fprintf(stderr, "TCGETA failed: %s\n", strerror(errno));
+--
+2.40.1
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf
index 6b8ebb43777..3880b4cbda9 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf
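Review bot: The second inner hunk changes the local to `struct termios tty;`, but the context line right after it still calls `ioctl(fd, TCGETA, &tty)`, and TCGETA is the request defined for the System V `struct termio`, whose layout differs from `struct termios` on Linux. If the rest of echoOff (outside this hunk) edits `c_lflag` and writes it back with the matching TCSETA, the flag may land in the wrong field, so the example's echo-off helper could leave terminal echo enabled while a secret is typed. With the POSIX header in place, `if (tcgetattr(fd, &tty) < 0)` paired with `tcsetattr(fd, TCSANOW, &tty)` keeps the structure and the call consistent. The file is an example and the patch mirrors the upstream pull request, so this is probably best raised upstream as well.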
@@ -3,9 +3,9 @@ d /etc/security 0755 root root - - d /etc/security/limits.d 0755 root root - - d /etc/security/namespace.d 0755 root root - - f /etc/environment 0755 root root - - -L /etc/security/access.conf - - - - ../../usr/lib/pam/access.conf -L /etc/security/group.conf - - - - ../../usr/lib/pam/group.conf -L /etc/security/limits.conf - - - - ../../usr/lib/pam/limits.conf -L /etc/security/namespace.conf - - - - ../../usr/lib/pam/namespace.conf -L /etc/security/pam_env.conf - - - - ../../usr/lib/pam/pam_env.conf -L /etc/security/time.conf - - - - ../../usr/lib/pam/time.conf +L /etc/security/access.conf - - - - ../../usr/lib/pam/security/access.conf +L /etc/security/group.conf - - - - ../../usr/lib/pam/security/group.conf +L /etc/security/limits.conf - - - - ../../usr/lib/pam/security/limits.conf +L /etc/security/namespace.conf - - - - ../../usr/lib/pam/security/namespace.conf +L /etc/security/pam_env.conf - - - - ../../usr/lib/pam/security/pam_env.conf +L /etc/security/time.conf - - - - ../../usr/lib/pam/security/time.conf diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/metadata.xml b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/metadata.xml index 3b9be27ff8f..1abda7583cd 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/metadata.xml +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/metadata.xml 
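Review bot: The six rewritten `L` lines only create a link when the path is absent, so a host that already has `/etc/security/access.conf` and its siblings linked to the old `../../usr/lib/pam/*.conf` targets would keep those links, and they may dangle once the files move under `security/`. Whether the PAM modules then fall back to the vendor directory or run without the intended access and limits policy is not visible here, so it is worth verifying on an updated (not freshly provisioned) system. If a migration turns out to be needed, it should be an explicit step rather than `L+`, which would also replace administrator-edited files.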
@@ -1,21 +1,24 @@ - - zlogene@gentoo.org - Mikle Kolyada - - - - Build the pam_userdb module, that allows to authenticate users - against a Berkeley DB file. Please note that enabling this USE - flag will create a PAM module that links to the Berkeley DB (as - provided by sys-libs/db) installed in /usr/lib and - will thus not work for boot-critical services authentication. - + + base-system@gentoo.org + + + sam@gentoo.org + Sam James + + + + Build the pam_userdb module, that allows to authenticate users + against a Berkeley DB file. Please note that enabling this USE + flag will create a PAM module that links to the Berkeley DB (as + provided by sys-libs/db) installed in /usr/lib and + will thus not work for boot-critical services authentication. + - - linux-pam/linux-pam - cpe:/a:kernel:linux-pam - + + linux-pam/linux-pam + cpe:/a:kernel:linux-pam + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.3-r1.ebuild similarity index 60% rename from sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.3-r1.ebuild index d91874ac486..d53050dfc1b 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.3-r1.ebuild 
@@ -1,73 +1,84 @@ -# Copyright 1999-2022 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -EAPI=7 +EAPI=8 + +MY_P="Linux-${PN^^}-${PV}" # Avoid QA warnings # Can reconsider w/ EAPI 8 and IDEPEND, bug #810979 TMPFILES_OPTIONAL=1 -inherit autotools db-use toolchain-funcs usr-ldscript multilib-minimal - -GIT_COMMIT="fe1307512fb8892b5ceb3d884c793af8dbd4c16a" -DOC_SNAPSHOT="20210610" +inherit db-use fcaps flag-o-matic toolchain-funcs multilib-minimal DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)" HOMEPAGE="https://github.com/linux-pam/linux-pam" - -SRC_URI="https://github.com/linux-pam/linux-pam/archive/${GIT_COMMIT}.tar.gz -> ${P}.tar.gz - https://dev.gentoo.org/~zlogene/distfiles/${CATEGORY}/${PN}/${PN}-doc-${PV%_p*}_p${DOC_SNAPSHOT}.tar.xz" +SRC_URI=" + https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz + https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}-docs.tar.xz +" +S="${WORKDIR}/${MY_P}" LICENSE="|| ( BSD GPL-2 )" SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86" +KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux" IUSE="audit berkdb debug nis selinux" BDEPEND=" app-alternatives/yacc dev-libs/libxslt - sys-devel/flex + app-alternatives/lex sys-devel/gettext virtual/pkgconfig " - DEPEND=" virtual/libcrypt:=[${MULTILIB_USEDEP}] >=virtual/libintl-0-r1[${MULTILIB_USEDEP}] audit? ( >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] ) berkdb? ( >=sys-libs/db-4.8.30-r1:=[${MULTILIB_USEDEP}] ) selinux? ( >=sys-libs/libselinux-2.2.2-r4[${MULTILIB_USEDEP}] ) - nis? ( net-libs/libnsl:=[${MULTILIB_USEDEP}] - >=net-libs/libtirpc-0.2.4-r2:=[${MULTILIB_USEDEP}] )" - + nis? 
( + net-libs/libnsl:=[${MULTILIB_USEDEP}] + >=net-libs/libtirpc-0.2.4-r2:=[${MULTILIB_USEDEP}] + ) +" RDEPEND="${DEPEND}" - PDEPEND=">=sys-auth/pambase-20200616" -S="${WORKDIR}/linux-${PN}-${GIT_COMMIT}" - PATCHES=( "${FILESDIR}"/${PN}-1.5.0-locked-accounts.patch - "${FILESDIR}"/${PN}-1.5.1-musl.patch + "${FILESDIR}/${P}-termios.patch" ) src_prepare() { default touch ChangeLog || die - eautoreconf } multilib_src_configure() { - # Do not let user's BROWSER setting mess us up. #549684 + # Do not let user's BROWSER setting mess us up, bug #549684 unset BROWSER + # This whole weird has_version libxcrypt block can go once + # musl systems have libxcrypt[system] if we ever make + # that mandatory. See bug #867991. + if use elibc_musl && ! has_version sys-libs/libxcrypt[system] ; then + # Avoid picking up symbol-versioned compat symbol on musl systems + export ac_cv_search_crypt_gensalt_rn=no + + # Need to avoid picking up the libxcrypt headers which define + # CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY. + cp "${ESYSROOT}"/usr/include/crypt.h "${T}"/crypt.h || die + append-cppflags -I"${T}" + fi + local myconf=( CC_FOR_BUILD="$(tc-getBUILD_CC)" --with-db-uniquename=-$(db_findver sys-libs/db) - --with-xml-catalog=/etc/xml/catalog - --enable-securedir=/$(get_libdir)/security - --includedir=/usr/include/security - --libdir=/usr/$(get_libdir) + --with-xml-catalog="${EPREFIX}"/etc/xml/catalog + --enable-securedir="${EPREFIX}"/$(get_libdir)/security + --includedir="${EPREFIX}"/usr/include/security + --libdir="${EPREFIX}"/usr/$(get_libdir) --enable-pie --enable-unix --disable-prelude 
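Review bot: The comment above `TMPFILES_OPTIONAL=1` still reads `Can reconsider w/ EAPI 8 and IDEPEND, bug #810979`, but this hunk sets `EAPI=8`, so it now looks like an open to-do that was skipped. The new `inherit` line does not pull in tmpfiles either, so the variable has no visible consumer in this hunk. Either drop the two lines or reword the comment, for example `# Kept for parity with Gentoo; tmpfiles.eclass is not inherited here`.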
@@ -75,14 +86,24 @@ multilib_src_configure() { --disable-regenerate-docu --disable-static --disable-Werror + # TODO: wire this up now it's more useful as of 1.5.3 (bug #931117) + --disable-econf + + # TODO: add elogind support (bug #931115) + # lastlog is enabled again for now by us until logind support + # is handled. Even then, disabling lastlog will probably need + # a news item. + --disable-logind + --enable-lastlog + $(use_enable audit) $(use_enable berkdb db) $(use_enable debug) $(use_enable nis) $(use_enable selinux) - --enable-isadir='.' #464016 - --enable-sconfigdir="/usr/lib/pam/" - ) + --enable-isadir='.' # bug #464016 + --enable-vendordir="/usr/lib/pam/" + ) ECONF_SOURCE="${S}" econf "${myconf[@]}" } @@ -106,7 +127,6 @@ multilib_src_install_all() { # tmpfiles.eclass is impossible to use because # there is the pam -> tmpfiles -> systemd -> pam dependency loop - dodir /usr/lib/tmpfiles.d rm "${D}/etc/environment" @@ -120,7 +140,7 @@ multilib_src_install_all() { local page - for page in "${WORKDIR}"/man/*.{3,5,8} ; do + for page in doc/man/*.{3,5,8} modules/*/*.{5,8} ; do doman ${page} done } @@ -133,7 +153,7 @@ pkg_postinst() { ewarn "restart the software manually after the update." ewarn "" ewarn "You can get a list of such software running a command like" - ewarn " lsof / | egrep -i 'del.*libpam\\.so'" + ewarn " lsof / | grep -E -i 'del.*libpam\\.so'" ewarn "" ewarn "Alternatively, simply reboot your system." }
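Review bot: In the configure-flags hunk, `--enable-vendordir="/usr/lib/pam/"` is the one path this commit leaves without `"${EPREFIX}"`, while `--with-xml-catalog`, `--enable-securedir`, `--includedir` and `--libdir` were all prefixed in the preceding hunk. If the omission is deliberate (the tmpfiles links point at `../../usr/lib/pam/security/`), a short comment next to the flag would say so; otherwise `--enable-vendordir="${EPREFIX}"/usr/lib/pam` keeps the flags consistent. multilib_src_configure starts outside this hunk.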