summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDiego Elio Pettenò <flameeyes@gentoo.org>2011-06-13 23:40:02 +0000
committerDiego Elio Pettenò <flameeyes@gentoo.org>2011-06-13 23:40:02 +0000
commite33984f659e0ee691c2820492d314c0bc93ceb61 (patch)
tree2309c6cdde145c46524c2fce55f3d41afd4a8fe7 /sys-libs
parentVersion bump (diff)
downloadgentoo-2-e33984f659e0ee691c2820492d314c0bc93ceb61.tar.gz
gentoo-2-e33984f659e0ee691c2820492d314c0bc93ceb61.tar.bz2
gentoo-2-e33984f659e0ee691c2820492d314c0bc93ceb61.zip
Patch Linux-PAM to implement --disable-nis; wire it to the nis USE flag (disabled by default), and make sure that if using glibc, either libtirpc (preferred) or an older glibc is used with that USE flag; note that selinux support seems to require rpc support as well (needs to be tested, forcing the requirement to avoid breaking setup for now).
(Portage version: 2.2.0_alpha40/cvs/Linux x86_64)
Diffstat (limited to 'sys-libs')
-rw-r--r--sys-libs/pam/ChangeLog12
-rw-r--r--sys-libs/pam/files/Linux-PAM-1.1.3-nis.patch254
-rw-r--r--sys-libs/pam/pam-1.1.3-r1.ebuild191
3 files changed, 456 insertions, 1 deletions
diff --git a/sys-libs/pam/ChangeLog b/sys-libs/pam/ChangeLog
index 6d1dce81e2d1..c2fb0fc4f0aa 100644
--- a/sys-libs/pam/ChangeLog
+++ b/sys-libs/pam/ChangeLog
@@ -1,6 +1,16 @@
# ChangeLog for sys-libs/pam
# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-libs/pam/ChangeLog,v 1.291 2011/04/07 05:50:56 ulm Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-libs/pam/ChangeLog,v 1.292 2011/06/13 23:40:01 flameeyes Exp $
+
+*pam-1.1.3-r1 (13 Jun 2011)
+
+ 13 Jun 2011; Diego E. Pettenò <flameeyes@gentoo.org> +pam-1.1.3-r1.ebuild,
+ +files/Linux-PAM-1.1.3-nis.patch:
+ Patch Linux-PAM to implement --disable-nis; wire it to the nis USE flag
+ (disabled by default), and make sure that if using glibc, either libtirpc
+ (preferred) or an older glibc is used with that USE flag; note that selinux
+ support seems to require rpc support as well (needs to be tested, forcing the
+ requirement to avoid breaking setup for now).
07 Apr 2011; Ulrich Mueller <ulm@gentoo.org> pam-1.1.3.ebuild:
Don't PROVIDE virtual/pam and add blocker against openpam, bug 358903.
diff --git a/sys-libs/pam/files/Linux-PAM-1.1.3-nis.patch b/sys-libs/pam/files/Linux-PAM-1.1.3-nis.patch
new file mode 100644
index 000000000000..f063204eb36f
--- /dev/null
+++ b/sys-libs/pam/files/Linux-PAM-1.1.3-nis.patch
@@ -0,0 +1,254 @@
+Index: Linux-PAM-1.1.3/configure.in
+===================================================================
+--- Linux-PAM-1.1.3.orig/configure.in
++++ Linux-PAM-1.1.3/configure.in
+@@ -441,12 +441,39 @@ fi
+ AC_SUBST(LIBDB)
+ AM_CONDITIONAL([HAVE_LIBDB], [test ! -z "$LIBDB"])
+
+-AC_CHECK_LIB([nsl],[yp_get_default_domain], LIBNSL="-lnsl", LIBNSL="")
+-BACKUP_LIBS=$LIBS
+-LIBS="$LIBS $LIBNSL"
+-AC_CHECK_FUNCS(yp_get_default_domain getdomainname innetgr yperr_string yp_master yp_bind yp_match yp_unbind)
+-LIBS=$BACKUP_LIBS
+-AC_SUBST(LIBNSL)
++AC_ARG_ENABLE([nis],
++ AS_HELP_STRING([-disable-nis], [Disable building NIS/YP support in pam_unix and pam_access]))
++
++AS_IF([test "x$enable_nis" != "xno"], [
++ CFLAGS=$old_CFLAGS
++ LIBS=$old_LIBS
++
++ dnl if there's libtirpc available, prefer that over the system
++ dnl implementation.
++ PKG_CHECK_MODULES([libtirpc], [libtirpc], [
++ CFLAGS="$CFLAGS $libtirpc_CFLAGS"
++ LIBS="$LIBS $libtirpc_LIBS"
++ ], [:;])
++
++ AC_SEARCH_LIBS([yp_get_default_domain], [nsl])
++
++ AC_CHECK_FUNCS([yp_get_default_domain yperr_string yp_master yp_bind yp_match yp_unbind])
++ AC_CHECK_HEADERS([rpc/rpc.h rpcsvc/ypclnt.h rpcsvc/yp_prot.h])
++ AC_CHECK_DECLS([getrpcport], , , [
++ #if HAVE_RPC_RPC_H
++ # include <rpc/rpc.h>
++ #endif
++ ])
++
++ NIS_CFLAGS="${CFLAGS%${old_CFLAGS}}"
++ NIS_LIBS="${LIBS%${old_LIBS}}"
++
++ CFLAGS="$old_CFLAGS"
++ LIBS="$old_LIBS"
++])
++
++AC_SUBST([NIS_CFLAGS])
++AC_SUBST([NIS_LIBS])
+
+ AC_ARG_ENABLE([selinux],
+ AS_HELP_STRING([--disable-selinux],[do not use SELinux]),
+@@ -471,7 +498,7 @@ dnl Checks for header files.
+ AC_HEADER_DIRENT
+ AC_HEADER_STDC
+ AC_HEADER_SYS_WAIT
+-AC_CHECK_HEADERS(fcntl.h limits.h malloc.h sys/file.h sys/ioctl.h sys/time.h syslog.h net/if.h termio.h unistd.h sys/fsuid.h inittypes.h rpcsvc/ypclnt.h rpcsvc/yp_prot.h)
++AC_CHECK_HEADERS(fcntl.h limits.h malloc.h sys/file.h sys/ioctl.h sys/time.h syslog.h net/if.h termio.h unistd.h sys/fsuid.h inittypes.h)
+
+ dnl For module/pam_lastlog
+ AC_CHECK_HEADERS(lastlog.h utmp.h utmpx.h)
+@@ -491,11 +518,11 @@ AC_TYPE_GETGROUPS
+ AC_PROG_GCC_TRADITIONAL
+ AC_FUNC_MEMCMP
+ AC_FUNC_VPRINTF
+-AC_CHECK_FUNCS(fseeko gethostname gettimeofday lckpwdf mkdir select)
++AC_CHECK_FUNCS(fseeko getdomainname gethostname gettimeofday lckpwdf mkdir select)
+ AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname)
+ AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r)
+ AC_CHECK_FUNCS(getgrouplist getline getdelim)
+-AC_CHECK_FUNCS(inet_ntop inet_pton ruserok_af)
++AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af)
+
+ AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no])
+ AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes])
+Index: Linux-PAM-1.1.3/modules/pam_unix/pam_unix_passwd.c
+===================================================================
+--- Linux-PAM-1.1.3.orig/modules/pam_unix/pam_unix_passwd.c
++++ Linux-PAM-1.1.3/modules/pam_unix/pam_unix_passwd.c
+@@ -54,13 +54,6 @@
+ #include <ctype.h>
+ #include <sys/time.h>
+ #include <sys/stat.h>
+-#include <rpc/rpc.h>
+-#ifdef HAVE_RPCSVC_YP_PROT_H
+-#include <rpcsvc/yp_prot.h>
+-#endif
+-#ifdef HAVE_RPCSVC_YPCLNT_H
+-#include <rpcsvc/ypclnt.h>
+-#endif
+
+ #include <signal.h>
+ #include <errno.h>
+@@ -76,16 +69,33 @@
+ #include <security/pam_ext.h>
+ #include <security/pam_modutil.h>
+
+-#include "yppasswd.h"
+ #include "md5.h"
+ #include "support.h"
+ #include "passverify.h"
+ #include "bigcrypt.h"
+
+-#if !((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 1))
++#if (HAVE_YP_GET_DEFAULT_DOMAIN || HAVE_GETDOMAINNAME) && HAVE_YP_MASTER
++# define HAVE_NIS
++#endif
++
++#ifdef HAVE_NIS
++# include "yppasswd.h"
++
++# include <rpc/rpc.h>
++
++# if HAVE_RPCSVC_YP_PROT_H
++# include <rpcsvc/yp_prot.h>
++# endif
++
++# if HAVE_RPCSVC_YPCLNT_H
++# include <rpcsvc/ypclnt.h>
++# endif
++
++# if !HAVE_DECL_GETRPCPORT
+ extern int getrpcport(const char *host, unsigned long prognum,
+ unsigned long versnum, unsigned int proto);
+-#endif /* GNU libc 2.1 */
++# endif /* GNU libc 2.1 */
++#endif
+
+ /*
+ How it works:
+@@ -102,9 +112,9 @@ extern int getrpcport(const char *host,
+
+ #define MAX_PASSWD_TRIES 3
+
++#if HAVE_NIS
+ static char *getNISserver(pam_handle_t *pamh, unsigned int ctrl)
+ {
+-#if (defined(HAVE_YP_GET_DEFAULT_DOMAIN) || defined(HAVE_GETDOMAINNAME)) && defined(HAVE_YP_MASTER)
+ char *master;
+ char *domainname;
+ int port, err;
+@@ -151,14 +161,8 @@ static char *getNISserver(pam_handle_t *
+ master, port);
+ }
+ return master;
+-#else
+- if (on(UNIX_DEBUG, ctrl)) {
+- pam_syslog(pamh, LOG_DEBUG, "getNISserver: No NIS support available");
+- }
+-
+- return NULL;
+-#endif
+ }
++#endif
+
+ #ifdef WITH_SELINUX
+
+@@ -326,6 +330,7 @@ static int _do_setpass(pam_handle_t* pam
+ }
+
+ if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, forwho, 0, 1)) {
++#if HAVE_NIS
+ if ((master=getNISserver(pamh, ctrl)) != NULL) {
+ struct timeval timeout;
+ struct yppasswd yppwd;
+@@ -391,6 +396,13 @@ static int _do_setpass(pam_handle_t* pam
+ } else {
+ retval = PAM_TRY_AGAIN;
+ }
++#else
++ if (on(UNIX_DEBUG, ctrl)) {
++ pam_syslog(pamh, LOG_DEBUG, "No NIS support available");
++ }
++
++ retval = PAM_TRY_AGAIN;
++#endif
+ }
+
+ if (_unix_comesfromsource(pamh, forwho, 1, 0)) {
+Index: Linux-PAM-1.1.3/modules/pam_unix/yppasswd_xdr.c
+===================================================================
+--- Linux-PAM-1.1.3.orig/modules/pam_unix/yppasswd_xdr.c
++++ Linux-PAM-1.1.3/modules/pam_unix/yppasswd_xdr.c
+@@ -12,6 +12,8 @@
+
+ #include "config.h"
+
++#ifdef HAVE_RPC_RPC_H
++
+ #include <rpc/rpc.h>
+ #include "yppasswd.h"
+
+@@ -34,3 +36,5 @@ xdr_yppasswd(XDR * xdrs, yppasswd * objp
+ return xdr_string(xdrs, &objp->oldpass, ~0)
+ && xdr_xpasswd(xdrs, &objp->newpw);
+ }
++
++#endif
+Index: Linux-PAM-1.1.3/libpam/Makefile.am
+===================================================================
+--- Linux-PAM-1.1.3.orig/libpam/Makefile.am
++++ Linux-PAM-1.1.3/libpam/Makefile.am
+@@ -25,7 +25,8 @@ libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELU
+
+ if STATIC_MODULES
+ libpam_la_LIBADD += $(shell ls ../modules/pam_*/*.lo) \
+- @LIBDB@ @LIBCRYPT@ @LIBNSL@ @LIBCRACK@ -lutil
++ @LIBDB@ @LIBCRYPT@ $(NIS_LIBS) @LIBCRACK@ -lutil
++ AM_CFLAGS += $(NIS_CFLAGS)
+ endif
+ if HAVE_VERSIONING
+ libpam_la_LDFLAGS += -Wl,--version-script=$(srcdir)/libpam.map
+Index: Linux-PAM-1.1.3/modules/pam_access/Makefile.am
+===================================================================
+--- Linux-PAM-1.1.3.orig/modules/pam_access/Makefile.am
++++ Linux-PAM-1.1.3/modules/pam_access/Makefile.am
+@@ -15,14 +15,14 @@ securelibdir = $(SECUREDIR)
+ secureconfdir = $(SCONFIGDIR)
+
+ AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
+- -DPAM_ACCESS_CONFIG=\"$(SCONFIGDIR)/access.conf\"
++ -DPAM_ACCESS_CONFIG=\"$(SCONFIGDIR)/access.conf\" $(NIS_CFLAGS)
+ AM_LDFLAGS = -no-undefined -avoid-version -module
+ if HAVE_VERSIONING
+ AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+ endif
+
+ securelib_LTLIBRARIES = pam_access.la
+-pam_access_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBNSL@
++pam_access_la_LIBADD = -L$(top_builddir)/libpam -lpam $(NIS_LIBS)
+
+ secureconf_DATA = access.conf
+
+Index: Linux-PAM-1.1.3/modules/pam_unix/Makefile.am
+===================================================================
+--- Linux-PAM-1.1.3.orig/modules/pam_unix/Makefile.am
++++ Linux-PAM-1.1.3/modules/pam_unix/Makefile.am
+@@ -18,7 +18,8 @@ secureconfdir = $(SCONFIGDIR)
+
+ AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
+ -DCHKPWD_HELPER=\"$(sbindir)/unix_chkpwd\" \
+- -DUPDATE_HELPER=\"$(sbindir)/unix_update\"
++ -DUPDATE_HELPER=\"$(sbindir)/unix_update\" \
++ $(NIS_CFLAGS)
+
+ if HAVE_LIBSELINUX
+ AM_CFLAGS += -D"WITH_SELINUX"
+@@ -28,7 +29,7 @@ pam_unix_la_LDFLAGS = -no-undefined -avo
+ if HAVE_VERSIONING
+ pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+ endif
+-pam_unix_la_LIBADD = @LIBNSL@ -L$(top_builddir)/libpam -lpam \
++pam_unix_la_LIBADD = $(NIS_LIBS) -L$(top_builddir)/libpam -lpam \
+ @LIBCRYPT@ @LIBSELINUX@
+
+ securelib_LTLIBRARIES = pam_unix.la
diff --git a/sys-libs/pam/pam-1.1.3-r1.ebuild b/sys-libs/pam/pam-1.1.3-r1.ebuild
new file mode 100644
index 000000000000..9bc53ab33f20
--- /dev/null
+++ b/sys-libs/pam/pam-1.1.3-r1.ebuild
@@ -0,0 +1,191 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-libs/pam/pam-1.1.3-r1.ebuild,v 1.1 2011/06/13 23:40:01 flameeyes Exp $
+
+EAPI="4"
+
+inherit libtool multilib eutils pam toolchain-funcs flag-o-matic db-use autotools
+
+MY_PN="Linux-PAM"
+MY_P="${MY_PN}-${PV}"
+
+HOMEPAGE="http://www.kernel.org/pub/linux/libs/pam/"
+DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)"
+
+SRC_URI="mirror://kernel/linux/libs/pam/library/${MY_P}.tar.bz2
+ mirror://kernel/linux/libs/pam/documentation/${MY_P}-docs.tar.bz2"
+
+LICENSE="|| ( BSD GPL-2 )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~ia64-linux ~x86-linux"
+IUSE="cracklib nls elibc_FreeBSD selinux vim-syntax audit test elibc_glibc debug berkdb nis"
+
+REQUIRED_USE="selinux? ( nis )"
+
+RDEPEND="nls? ( virtual/libintl )
+ cracklib? ( >=sys-libs/cracklib-2.8.3 )
+ audit? ( sys-process/audit )
+ selinux? ( >=sys-libs/libselinux-1.28 )
+ berkdb? ( sys-libs/db )
+ elibc_glibc? (
+ >=sys-libs/glibc-2.7
+ nis? ( || ( >=net-libs/libtirpc-0.2.2-r1 <sys-libs/glibc-2.14 ) )
+ )"
+DEPEND="${RDEPEND}
+ >=sys-devel/libtool-2
+ sys-devel/flex
+ nls? ( sys-devel/gettext )
+ dev-util/pkgconfig"
+PDEPEND="sys-auth/pambase
+ vim-syntax? ( app-vim/pam-syntax )"
+RDEPEND="${RDEPEND}
+ !sys-auth/openpam
+ !sys-auth/pam_userdb"
+
+S="${WORKDIR}/${MY_P}"
+
+check_old_modules() {
+ local retval="0"
+
+ if sed -e 's:#.*::' "${EROOT}"/etc/pam.d/* 2>/dev/null | fgrep -q pam_stack.so; then
+ eerror ""
+ eerror "Your current setup is using the pam_stack module."
+ eerror "This module is deprecated and no longer supported, and since version"
+ eerror "0.99 is no longer installed, nor provided by any other package."
+ eerror "The package will be built (to allow binary package builds), but will"
+ eerror "not be installed."
+ eerror "Please replace pam_stack usage with proper include directive usage,"
+ eerror "following the PAM Upgrade guide at the following URL"
+ eerror " http://www.gentoo.org/proj/en/base/pam/upgrade-0.99.xml"
+ eerror ""
+
+ retval=1
+ fi
+
+ if sed -e 's:#.*::' "${EROOT}"/etc/pam.d/* 2>/dev/null | egrep -q 'pam_(pwdb|console)'; then
+ eerror ""
+ eerror "Your current setup is using one or more of the following modules,"
+ eerror "that are not built or supported anymore:"
+ eerror "pam_pwdb, pam_console"
+ eerror "If you are in real need for these modules, please contact the maintainers"
+ eerror "of PAM through http://bugs.gentoo.org/ providing information about its"
+ eerror "use cases."
+ eerror "Please also make sure to read the PAM Upgrade guide at the following URL:"
+ eerror " http://www.gentoo.org/proj/en/base/pam/upgrade-0.99.xml"
+ eerror ""
+
+ retval=1
+ fi
+
+ return $retval
+}
+
+pkg_setup() {
+ check_old_modules
+}
+
+src_prepare() {
+ epatch "${FILESDIR}"/Linux-PAM-1.1.3-nis.patch
+
+ rm -rf m4/libtool.m4 # old libtool-1
+
+ eautoreconf
+ elibtoolize
+}
+
+src_configure() {
+ local myconf
+
+ if use hppa || use elibc_FreeBSD; then
+ myconf="${myconf} --disable-pie"
+ fi
+
+ # Disable automatic detection of libxcrypt; we _don't_ want the
+ # user to link libxcrypt in by default, since we won't track the
+ # dependency and allow to break PAM this way.
+ export ac_cv_header_xcrypt_h=no
+
+ econf \
+ --disable-dependency-tracking \
+ --enable-fast-install \
+ --libdir="${EPREFIX}"/usr/$(get_libdir) \
+ --docdir="${EPREFIX}"/usr/share/doc/${PF} \
+ --htmldir="${EPREFIX}"/usr/share/doc/${PF}/html \
+ --enable-securedir="${EPREFIX}"/$(get_libdir)/security \
+ --enable-isadir="${EPREFIX}"/$(get_libdir)/security \
+ $(use_enable nls) \
+ $(use_enable selinux) \
+ $(use_enable cracklib) \
+ $(use_enable audit) \
+ $(use_enable debug) \
+ $(use_enable berkdb db) \
+ $(use_enable nis) \
+ --with-db-uniquename=-$(db_findver sys-libs/db) \
+ --disable-prelude \
+ ${myconf}
+}
+
+src_compile() {
+ emake sepermitlockdir="${EPREFIX}/var/run/sepermit" || die "emake failed"
+}
+
+src_test() {
+ # explicitly allow parallel-build during testing
+ emake sepermitlockdir="${EPREFIX}/var/run/sepermit" check || die "emake check failed"
+}
+
+src_install() {
+ local lib
+
+ emake DESTDIR="${D}" install \
+ sepermitlockdir="${EPREFIX}/var/run/sepermit" || die "make install failed"
+
+ # Need to be suid
+ fperms u+s /sbin/unix_chkpwd
+
+ gen_usr_ldscript -a pam pamc pam_misc
+
+ # create extra symlinks just in case something depends on them...
+ for lib in pam pamc pam_misc; do
+ if ! [[ -f "${ED}"/$(get_libdir)/lib${lib}$(get_libname) ]]; then
+ dosym lib${lib}$(get_libname 0) /$(get_libdir)/lib${lib}$(get_libname)
+ fi
+ done
+
+ dodoc CHANGELOG ChangeLog README AUTHORS Copyright NEWS
+
+ docinto modules
+ for dir in modules/pam_*; do
+ newdoc "${dir}"/README README."$(basename "${dir}")"
+ done
+
+ # Get rid of the .la files. We certainly don't need them for PAM
+ # modules, and libpam is installed as a shared object only, so we
+ # don't need them for static linking either.
+ find "${D}" -name '*.la' -delete
+}
+
+pkg_preinst() {
+ check_old_modules || die "deprecated PAM modules still used"
+}
+
+pkg_postinst() {
+ ewarn "Some software with pre-loaded PAM libraries might experience"
+ ewarn "warnings or failures related to missing symbols and/or versions"
+ ewarn "after any update. While unfortunate this is a limit of the"
+ ewarn "implementation of PAM and the software, and it requires you to"
+ ewarn "restart the software manually after the update."
+ ewarn ""
+ ewarn "You can get a list of such software running a command like"
+ ewarn " lsof / | egrep -i 'del.*libpam\\.so'"
+ ewarn ""
+ ewarn "Alternatively, simply reboot your system."
+ if [ -x "${ROOT}"/var/log/tallylog ] ; then
+ elog ""
+ elog "Because of a bug present up to version 1.1.1-r2, you have"
+ elog "an executable /var/log/tallylog file. You can safely"
+ elog "correct it by running the command"
+ elog " chmod -x /var/log/tallylog"
+ elog ""
+ fi
+}