From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 192EB158064 for ; Fri, 3 May 2024 08:21:59 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 4E38FE2A32; Fri, 3 May 2024 08:21:58 +0000 (UTC) Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 3148EE2A32 for ; Fri, 3 May 2024 08:21:58 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 60A2D343088 for ; Fri, 3 May 2024 08:21:57 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id CA72993E for ; Fri, 3 May 2024 08:21:55 +0000 (UTC) From: "Sam James" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sam James" Message-ID: <1714723972.d95186284e3334576810a06047ffc4922c98e838.sam@gentoo> Subject: [gentoo-commits] repo/gentoo:master commit in: sys-libs/pam/ X-VCS-Repository: repo/gentoo X-VCS-Files: sys-libs/pam/Manifest sys-libs/pam/pam-1.6.1.ebuild X-VCS-Directories: sys-libs/pam/ X-VCS-Committer: sam X-VCS-Committer-Name: Sam James X-VCS-Revision: d95186284e3334576810a06047ffc4922c98e838 X-VCS-Branch: master Date: Fri, 3 May 2024 08:21:55 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: 806f4d58-0c9a-41ba-9406-b713967e0979 X-Archives-Hash: 469b787f9e626e5c8e64236bd7067fea commit: d95186284e3334576810a06047ffc4922c98e838 Author: Christopher Fore posteo net> AuthorDate: Mon Apr 22 21:27:03 2024 +0000 Commit: Sam James gentoo org> CommitDate: Fri May 3 08:12:52 2024 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d9518628 sys-libs/pam: add 1.6.1, security bump - Remove patch that is now included in 1.6.1 - Tests pass [sam: Add USE=examples.] Bug: https://bugs.gentoo.org/922397 Signed-off-by: Christopher Fore posteo.net> Closes: https://github.com/gentoo/gentoo/pull/36365 Signed-off-by: Sam James gentoo.org> sys-libs/pam/Manifest | 2 + sys-libs/pam/pam-1.6.1.ebuild | 150 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 152 insertions(+) diff --git a/sys-libs/pam/Manifest b/sys-libs/pam/Manifest index 8ff63cd068f0..626b3811412f 100644 --- a/sys-libs/pam/Manifest +++ b/sys-libs/pam/Manifest @@ -1,2 +1,4 @@ DIST Linux-PAM-1.5.3-docs.tar.xz 466340 BLAKE2B 6bade3c63ebe6b6ca7a86d7385850bb87bf1d6526add3ac5aad140533516c1d27b594a17d09c4127ff985c42e6c571618785d6b2a2913e6575678c4dcf947dc0 SHA512 a9082823da88e0054d74e13aef872519ced5fbef25c8cc1a7e3a99160f835aa09c9ef701b6ec507acd3b540da0019288424bb4c8ebd828181ea90450db1494a9 DIST Linux-PAM-1.5.3.tar.xz 1020076 BLAKE2B 362c939f3afc343e6f4e78e7f6ba6f7a9c6ee0a9948bb5a4fc34cecfd29e9fa974082534d4ceedd04d8d3e34c7b3ef43d2a07ba5f41d26da04ec8330fc3790fb SHA512 af88e8c1b6a9b737ffaffff7dd9ed8eec996d1fbb5804fb76f590bed66d8a1c2c6024a534d7a7b6d18496b300f3d6571a08874cf406cd2e8cea1d5eff49c136a +DIST Linux-PAM-1.6.1-docs.tar.xz 465516 BLAKE2B c39dfba2e327120edc1f30be6ea7f8e6cf20d1f4dd17752cc34e0ae1c0bd22b3d19b94ab665bf3df5bd6ecc7fc358dbbedd8a3069df95ff6189580e538aa3547 SHA512 c6054ec6832f604c0654cf074e4e241c44037fd41cd37cca7da94abe008ff72adc4466d31bd254517eda083c7ec3f6aefd37785b3ee3d0d4553250bd29963855 +DIST Linux-PAM-1.6.1.tar.xz 1054152 BLAKE2B 649b4ff892fbd3eb90adcbd9ccc5b3f5df51bf1c79b9084c7a1613c432587b13b81761d1eb4f31ef12d58843d16af24a3c441d0b6f5d2f2a1db9c8da15a61e2f SHA512 ddb5a5f296f564b76925324550d29f15d342841a97815336789c7bb922a8663e831edeb54f3dcd1eaf297e3325c9e2e6c14b8740def5c43cf3f160a8a14fa2ea diff --git a/sys-libs/pam/pam-1.6.1.ebuild b/sys-libs/pam/pam-1.6.1.ebuild new file mode 100644 index 000000000000..846b63350901 --- /dev/null +++ b/sys-libs/pam/pam-1.6.1.ebuild @@ -0,0 +1,150 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +MY_P="Linux-${PN^^}-${PV}" + +# Avoid QA warnings +# Can reconsider w/ EAPI 8 and IDEPEND, bug #810979 +TMPFILES_OPTIONAL=1 + +inherit db-use fcaps flag-o-matic toolchain-funcs multilib-minimal + +DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)" +HOMEPAGE="https://github.com/linux-pam/linux-pam" +SRC_URI=" + https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}.tar.xz + https://github.com/linux-pam/linux-pam/releases/download/v${PV}/${MY_P}-docs.tar.xz +" +S="${WORKDIR}/${MY_P}" + +LICENSE="|| ( BSD GPL-2 )" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux" +IUSE="audit berkdb examples debug nis selinux" + +BDEPEND=" + app-alternatives/yacc + dev-libs/libxslt + app-alternatives/lex + sys-devel/gettext + virtual/pkgconfig +" +DEPEND=" + virtual/libcrypt:=[${MULTILIB_USEDEP}] + >=virtual/libintl-0-r1[${MULTILIB_USEDEP}] + audit? ( >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] ) + berkdb? ( >=sys-libs/db-4.8.30-r1:=[${MULTILIB_USEDEP}] ) + selinux? ( >=sys-libs/libselinux-2.2.2-r4[${MULTILIB_USEDEP}] ) + nis? ( + net-libs/libnsl:=[${MULTILIB_USEDEP}] + >=net-libs/libtirpc-0.2.4-r2:=[${MULTILIB_USEDEP}] + ) +" +RDEPEND="${DEPEND}" +PDEPEND=">=sys-auth/pambase-20200616" + +src_prepare() { + default + touch ChangeLog || die +} + +multilib_src_configure() { + # Do not let user's BROWSER setting mess us up, bug #549684 + unset BROWSER + + # This whole weird has_version libxcrypt block can go once + # musl systems have libxcrypt[system] if we ever make + # that mandatory. See bug #867991. + if use elibc_musl && ! has_version sys-libs/libxcrypt[system] ; then + # Avoid picking up symbol-versioned compat symbol on musl systems + export ac_cv_search_crypt_gensalt_rn=no + + # Need to avoid picking up the libxcrypt headers which define + # CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY. + cp "${ESYSROOT}"/usr/include/crypt.h "${T}"/crypt.h || die + append-cppflags -I"${T}" + fi + + local myconf=( + CC_FOR_BUILD="$(tc-getBUILD_CC)" + --with-db-uniquename=-$(db_findver sys-libs/db) + --with-xml-catalog="${EPREFIX}"/etc/xml/catalog + --enable-securedir="${EPREFIX}"/$(get_libdir)/security + --includedir="${EPREFIX}"/usr/include/security + --libdir="${EPREFIX}"/usr/$(get_libdir) + --enable-pie + --enable-unix + --disable-prelude + --disable-doc + --disable-regenerate-docu + --disable-static + --disable-Werror + # TODO: wire this up now it's more useful as of 1.5.3 + --disable-econf + + # TODO: add elogind support + # lastlog is enabled again for now by us until logind support + # is handled. Even then, disabling lastlog will probably need + # a news item. + --disable-logind + --enable-lastlog + + $(use_enable audit) + $(multilib_native_use_enable examples) + $(use_enable berkdb db) + $(use_enable debug) + $(use_enable nis) + $(use_enable selinux) + --enable-isadir='.' # bug #464016 + ) + ECONF_SOURCE="${S}" econf "${myconf[@]}" +} + +multilib_src_compile() { + emake sepermitlockdir="/run/sepermit" +} + +multilib_src_install() { + emake DESTDIR="${D}" install \ + sepermitlockdir="/run/sepermit" +} + +multilib_src_install_all() { + find "${ED}" -type f -name '*.la' -delete || die + + # tmpfiles.eclass is impossible to use because + # there is the pam -> tmpfiles -> systemd -> pam dependency loop + dodir /usr/lib/tmpfiles.d + + cat ->> "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_ + d /run/faillock 0755 root root + _EOF_ + use selinux && cat ->> "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-selinux.conf <<-_EOF_ + d /run/sepermit 0755 root root + _EOF_ + + local page + + for page in doc/man/*.{3,5,8} modules/*/*.{5,8} ; do + doman ${page} + done +} + +pkg_postinst() { + ewarn "Some software with pre-loaded PAM libraries might experience" + ewarn "warnings or failures related to missing symbols and/or versions" + ewarn "after any update. While unfortunate this is a limit of the" + ewarn "implementation of PAM and the software, and it requires you to" + ewarn "restart the software manually after the update." + ewarn "" + ewarn "You can get a list of such software running a command like" + ewarn " lsof / | grep -E -i 'del.*libpam\\.so'" + ewarn "" + ewarn "Alternatively, simply reboot your system." + + # The pam_unix module needs to check the password of the user which requires + # read access to /etc/shadow only. + fcaps cap_dac_override sbin/unix_chkpwd +}