authorChris PeBenito <pebenito@gentoo.org>2005-10-26 14:05:31 +0000
committerChris PeBenito <pebenito@gentoo.org>2005-10-26 14:05:31 +0000
commit54cb1ea7c6f11ed19e0d10e364e54d061fa171ae (patch)
treea1f0555cce036705a98192e9c0623706de472a90
parentremoved --enable-visualize b/c of too much trouble with it. (diff)
Add fix for CAN-2005-2977. See bug #109485.
(Portage version: 2.0.53_rc6)
-rw-r--r--sys-libs/pam/ChangeLog8
-rw-r--r--sys-libs/pam/files/digest-pam-0.78-r34
-rw-r--r--sys-libs/pam/pam-0.78-r3.ebuild388
3 files changed, 399 insertions, 1 deletions
diff --git a/sys-libs/pam/ChangeLog b/sys-libs/pam/ChangeLog
index a16db149fc47..9891c669f37f 100644
--- a/sys-libs/pam/ChangeLog
+++ b/sys-libs/pam/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for sys-libs/pam
# Copyright 2002-2005 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-libs/pam/ChangeLog,v 1.94 2005/10/09 23:11:41 flameeyes Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-libs/pam/ChangeLog,v 1.95 2005/10/26 14:05:31 pebenito Exp $
+
+*pam-0.78-r3 (26 Oct 2005)
+
+ 26 Oct 2005; Chris PeBenito <pebenito@gentoo.org> +pam-0.78-r3.ebuild:
+ Add fix for CAN-2005-2977. This is specific to the SELinux users. See bug
+ #109485.
09 Oct 2005; Diego Pettenò <flameeyes@gentoo.org> metadata.xml:
Add pam-bugs email address as maintainer.
diff --git a/sys-libs/pam/files/digest-pam-0.78-r3 b/sys-libs/pam/files/digest-pam-0.78-r3
new file mode 100644
index 000000000000..be3a66827628
--- /dev/null
+++ b/sys-libs/pam/files/digest-pam-0.78-r3
@@ -0,0 +1,4 @@
+MD5 58cd055892e97648651d5a318888f3a0 Linux-PAM-0.78.tar.gz 488936
+MD5 fcc481d52c3b80e20a328f8c0cb042bd db-4.3.27.tar.gz 5921872
+MD5 777d2e34a60edad28319207b576cda91 glib-2.6.5.tar.bz2 2357089
+MD5 c7b9d6d52902ead5f4c10c277e441f30 pam-0.78-patches-1.3.tar.bz2 87223
diff --git a/sys-libs/pam/pam-0.78-r3.ebuild b/sys-libs/pam/pam-0.78-r3.ebuild
new file mode 100644
index 000000000000..f22861f5a825
--- /dev/null
+++ b/sys-libs/pam/pam-0.78-r3.ebuild
@@ -0,0 +1,388 @@
+# Copyright 1999-2005 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-libs/pam/pam-0.78-r3.ebuild,v 1.1 2005/10/26 14:05:31 pebenito Exp $
+
+FORCE_SYSTEMAUTH_UPDATE="no"
+
+# BDB is internalized to get a non-threaded lib for pam_userdb.so to
+# be built with. The runtime-only dependency on BDB suggests the user
+# will use the system-installed db_load to create pam_userdb databases.
+# PWDB is internalized because it is specifically designed to work
+# with Linux-PAM. I'm not really certain how pervasive the Radius
+# and NIS services of PWDB are at this point.
+
+PATCH_LEVEL="1.3"
+BDB_VER="4.3.27"
+BDB_VER2="4.1.25"
+GLIB_VER="2.6.5"
+PAM_REDHAT_VER="0.78-3"
+
+HOMEPAGE="http://www.kernel.org/pub/linux/libs/pam/"
+DESCRIPTION="Pluggable Authentication Modules"
+
+S="${WORKDIR}/Linux-PAM-${PV}"
+S2="${WORKDIR}/pam-${PV}-patches"
+SRC_URI="http://www.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-${PV}.tar.gz
+ mirror://gentoo/pam-${PV}-patches-${PATCH_LEVEL}.tar.bz2
+ berkdb? ( http://downloads.sleepycat.com/db-${BDB_VER}.tar.gz )
+ pam_console? ( ftp://ftp.gtk.org/pub/gtk/v2.6/glib-${GLIB_VER}.tar.bz2 )"
+
+LICENSE="PAM"
+SLOT="0"
+KEYWORDS="alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86"
+IUSE="berkdb pwdb selinux pam_chroot pam_console pam_timestamp nis"
+
+RDEPEND=">=sys-libs/cracklib-2.8.3
+ selinux? ( sys-libs/libselinux )
+ berkdb? ( >=sys-libs/db-${BDB_VER2} )
+ pwdb? ( >=sys-libs/pwdb-0.62 )"
+
+# Note that we link to static versions of glib (pam_console.so)
+# and pwdb (pam_pwdb.so), so we need glib-2.6.2-r1 or later ...
+DEPEND="${RDEPEND}
+ dev-lang/perl
+ dev-util/pkgconfig
+ >=sys-devel/autoconf-2.59
+ >=sys-devel/automake-1.6
+ >=sys-devel/flex-2.5.4a-r5
+ pwdb? ( >=sys-libs/pwdb-0.62 )"
+
+# Have python sandbox issues currently ...
+# doc? ( app-text/sgmltools-lite )
+
+PROVIDE="virtual/pam"
+
+#inherit needs to be after DEPEND definition to protect RDEPEND
+inherit toolchain-funcs eutils flag-o-matic gnuconfig pam
+
+apply_pam_patches() {
+ local x=
+ local y=
+ local patches="${T}/patches.$$"
+
+ for x in redhat gentoo; do
+ rm -f "${patches}"
+
+ # Need to be a '| while read x', as some lines may have spaces ...
+ grep -v '^#' "${S2}/list.${x}-patches" | grep -v '^$' | while read y; do
+ # Remove the 'Patch[0-9]*: ' from the redhat list
+ echo "${y}" | sed -e 's|^Patch.*: \(.*\)|\1|' >> "${patches}"
+ done
+ for y in $(cat "${patches}"); do
+ epatch "${S2}/${x}-patches/${y}"
+ done
+ done
+}
+
+pkg_setup() {
+ local x=
+
+ #if use pwdb; then
+ # for x in libpwdb.a libcrack.a; do
+ # if [ ! -f "${ROOT}/usr/$(get_libdir)/${x}" ]; then
+ # eerror "Could not find /usr/$(get_libdir)/${x} needed to build Linux-PAM!"
+ # die "Could not find /usr/$(get_libdir)/${x} needed to build Linux-PAM!"
+ # fi
+ # done
+ #fi
+ #if use pam_console; then
+ # x="libglib-2.0.a"
+ # if [ ! -f "${ROOT}/usr/$(get_libdir)/${x}" ]; then
+ # eerror "Could not find /usr/$(get_libdir)/${x} needed to build Linux-PAM!"
+ # eerror "Please remerge glib-2.6.* to make sure you have static changes."
+ # die "Could not find /usr/$(get_libdir)/${x} needed to build Linux-PAM!"
+ # fi
+ #fi
+
+ return 0
+}
+
+src_unpack() {
+ local x=
+
+ unpack ${A} || die "Couldn't unpack ${A}"
+
+ cd ${S} || die
+ tar --no-same-owner -zxf ${S2}/pam-redhat-${PAM_REDHAT_VER}.tar.gz \
+ || die "Couldn't unpack pam-redhat-${PAM_REDHAT_VER}.tar.gz"
+ # These ones we do not want, or do not work with non RH
+ rm -rf ${S}/modules/{pam_rps,pam_postgresok}
+
+ apply_pam_patches
+
+ if use selinux; then
+ epatch ${S2}/gentoo-patches/pam-0.78-selinux.patch
+ epatch ${S2}/gentoo-patches/pam-0.77-selinux-CAN-2005-2977.patch
+ fi
+
+ # Check which extra modules should be built
+ # (Do this after apply_pam_patches(), else some may fail)
+ for x in pam_chroot pam_console pam_timestamp; do
+ use "${x}" || rm -rf "${S}/modules/${x}"
+ done
+ use berkdb || rm -rf "${S}/modules/pam_userdb"
+ use pwdb || rm -rf "${S}/modules/pam_pwdb"
+ use pwdb || rm -rf "${S}/modules/pam_radius"
+
+ for x in $(find ${S} -type f -name 'Makefile*'); do
+ use nis || sed -i -e 's: -DNIS::g' "${x}"
+ done
+ # NIS patch is broken for now
+ use nis && echo 'NIS=yes' >> "${S}/Make.Rules.in"
+
+ # Fixup libdir for 64bit arches
+ sed -ie "s:@get_libdir:$(get_libdir):" ${S}/configure.in
+
+ for readme in modules/pam_*/README; do
+ cp -f "${readme}" doc/txts/README.$(dirname "${readme}" | \
+ sed -e 's|^modules/||')
+ done
+
+ # Bug #80604 (If install-sh do not exist, touch it)
+ cp /usr/share/automake/install-sh ${S}/ 2>/dev/null || touch install-sh
+ export WANT_AUTOCONF=2.5
+ autoconf || die
+}
+
+src_compile() {
+ local BDB_DIR="${WORKDIR}/db-${BDB_VER}"
+ local GLIB_DIR="${WORKDIR}/glib-${GLIB_VER}"
+
+ # Bug #70471 (Compile issues with other locales)
+ export LANG=C LC_ALL=C
+
+ if use berkdb ; then
+ einfo "Building Berkley DB ${BDB_VER}..."
+ cd "${BDB_DIR}/build_unix" || die
+
+ # Pam uses berkdb, which db-4.1.x series can't detect mips64, so we fix it
+ if use mips ; then
+ einfo "Updating BDB config.{guess,sub} for mips"
+ S="${BDB_DIR}/dist" \
+ gnuconfig_update
+ fi
+
+ #echo db_cv_mutex=UNIX/fcntl > config.cache
+ #./s_config
+ CFLAGS="${CFLAGS} -fPIC" \
+ ../dist/configure \
+ --host=${CHOST} \
+ --cache-file=config.cache \
+ --disable-compat185 \
+ --disable-cxx \
+ --disable-diagnostic \
+ --disable-dump185 \
+ --disable-java \
+ --disable-rpc \
+ --disable-tcl \
+ --disable-shared \
+ --disable-o_direct \
+ --with-pic \
+ --with-uniquename=_pam \
+ --with-mutex="UNIX/fcntl" \
+ --prefix="${S}" \
+ --includedir="${S}/include" \
+ --libdir="${S}/lib" || die "Bad BDB ./configure"
+
+ # XXX: hack out O_DIRECT support in db4 for now.
+ # (Done above now with --disable-o_direct now)
+
+ make CC="$(tc-getCC)" || die "BDB build failed"
+ make install || die
+ fi
+
+ if use pam_console ; then
+ einfo "Building GLIB ${GLIB_VER}..."
+ cd "${GLIB_DIR}" || die
+
+ # The __attribute__((visibility("hidden"))) causes TEXTREL issues
+ sed -i -s 's:G_GNUC_INTERNAL::g' "${GLIB_DIR}/glib"/*.c
+
+ CFLAGS="${CFLAGS} -fPIC" \
+ ./configure \
+ --host=${CHOST} \
+ --enable-static \
+ --disable-shared \
+ --with-pic \
+ --disable-threads \
+ --with-threads=none \
+ --prefix="${S}" \
+ --includedir="${S}/include" \
+ --libdir="${S}/lib" || die "Bad GLIB ./configure"
+
+ # Do not need to build the whole shebang
+ cd "${GLIB_DIR}/glib" || die
+ make CC="$(tc-getCC)" || die "GLIB build failed"
+ make install || die
+ # Install pkg-config stuff and needed headers
+ cd "${GLIB_DIR}" || die
+ make install-pkgconfigDATA install-exec-local || die
+ fi
+
+ if use berkdb || use pam_console ; then
+ # Make sure out static libs are used
+ export CFLAGS="-I${S}/include -Wl,-L${S}/lib ${CFLAGS}"
+ export LDFLAGS="-L${S}/lib ${LDFLAGS}"
+ export LIBNAME="lib"
+ # Make sure pkg-config can find glib even if not installed in system
+ export PKG_CONFIG_PATH="${S}/lib/pkgconfig:${PKG_CONFIG_PATH}"
+ fi
+
+ einfo "Building Linux-PAM ${PV}..."
+ cd ${S}
+ econf --enable-static-libpam \
+ --enable-fakeroot="${D}" \
+ --libdir="/$(get_libdir)" \
+ --enable-isadir="../../$(get_libdir)/security" \
+ || die
+
+ # Python stuff in docs gives sandbox problems
+ sed -i -e 's|modules doc examples|modules|' Makefile
+
+ # Fix warnings for gcc-2.95.3
+ if [[ $(gcc-version) = "2.95" ]] ; then
+ sed -i -e "s:-Wpointer-arith::" Make.Rules
+ fi
+
+ if ! use berkdb ; then
+ # Do not build pam_userdb.so ...
+ sed -i -e "s:^HAVE_NDBM_H=yes:HAVE_NDBM_H=no:" \
+ -e "s:^HAVE_LIBNDBM=yes:HAVE_LIBNDBM=no:" \
+ -e "s:^HAVE_LIBDB=yes:HAVE_LIBDB=no:" \
+ Make.Rules
+
+ # Also edit the configuration file else the wrong include files
+ # get used
+ sed -i -e "s:^#define HAVE_NDBM_H.*$:/* #undef HAVE_NDBM_H */:" \
+ -e "s:^#define HAVE_DB_H.*$:/* #undef HAVE_DB_H */:" \
+ _pam_aconf.h
+
+ else
+ # Do not link pam_userdb.so to db-1.85 ...
+ sed -i -e "s:^HAVE_NDBM_H=yes:HAVE_NDBM_H=no:" \
+ -e "s:^HAVE_LIBNDBM=yes:HAVE_LIBNDBM=no:" \
+ Make.Rules
+
+ # Also edit the configuration file else the wrong include files
+ # get used
+ sed -i -e "s:^#define HAVE_NDBM_H.*$:/* #undef HAVE_NDBM_H */:" \
+ _pam_aconf.h
+ fi
+
+ make CC="$(tc-getCC)" || die "PAM build failed"
+}
+
+src_install() {
+ local x=
+
+ einfo "Installing Linux-PAM ${PV}..."
+ make FAKEROOT=${D} \
+ LDCONFIG="" \
+ install || die
+
+ # Make sure every module built.
+ # Do not remove this, as some module can fail to build
+ # and effectively lock the user out of his system.
+ einfo "Checking if all modules were built..."
+ for x in ${S}/modules/pam_*; do
+ if [[ -d ${x} ]] ; then
+ local mod_name=$(basename "${x}")
+ local sec_dir="${D}/$(get_libdir)/security"
+
+ if ! ls -1 "${sec_dir}/${mod_name}"*.so &> /dev/null ; then
+ echo
+ eerror "ERROR: ${mod_name} module did not build."
+ echo
+ die "${mod_name} module did not build."
+ fi
+ if [[ -n $(ldd "${sec_dir}/${mod_name}"*.so 2>&1 | \
+ grep "/usr/lib/" | \
+ grep "/usr/$(get_libdir)/" | \
+ grep -v "/usr/lib/gcc" | \
+ grep -v "/usr/$(get_libdir)/gcc" | \
+ grep -v "libsandbox") ]] ; then
+ echo
+ eerror "ERROR: ${mod_name} have dependencies in /usr."
+ echo
+ die "${mod_name} have dependencies in /usr."
+ fi
+ fi
+ done
+
+ dodir /usr/$(get_libdir)
+ cd ${D}/$(get_libdir)
+ for x in pam pamc pam_misc; do
+ rm lib${x}.so
+ ln -s lib${x}.so.${PV} lib${x}.so
+ ln -s lib${x}.so.${PV} lib${x}.so.0
+ mv lib${x}.a ${D}/usr/$(get_libdir)
+ # See bug #4411
+ gen_usr_ldscript lib${x}.so
+ done
+
+ cd ${S}
+
+ # need this for pam_console
+ keepdir /var/run/console
+
+ for x in ${FILESDIR}/pam.d/*; do
+ [[ -f ${x} ]] && dopamd ${x}
+ done
+
+ # Only add this one if needed.
+ if [[ ${FORCE_SYSTEMAUTH_UPDATE} = "yes" ]] ; then
+ newpamd ${FILESDIR}/pam.d/system-auth system-auth.new || \
+ die "Failed to install system-auth.new!"
+ fi
+
+ insinto /etc/security
+ doins ${FILESDIR}/pam_env.conf
+ doman doc/man/*.[0-9]
+
+ dodoc CHANGELOG Copyright README
+ docinto modules ; dodoc modules/README ; dodoc doc/txts/README.*
+ # Install our own README.pam_console
+ docinto ; dodoc ${FILESDIR}/README.pam_console
+ docinto txt ; dodoc doc/specs/*.txt #doc/txts/*.txt
+# docinto print ; dodoc doc/ps/*.ps
+
+# docinto html
+# dohtml -r doc/html/
+}
+
+pkg_postinst() {
+ echo
+ einfo "If you have sshd running, please restart it to avoid possible login issues."
+ echo
+ ebeep
+ sleep 3
+
+ if [[ ${FORCE_SYSTEMAUTH_UPDATE} = "yes" ]] ; then
+ local CHECK1=$(md5sum ${ROOT}/etc/pam.d/system-auth | cut -d ' ' -f 1)
+ local CHECK2=$(md5sum ${ROOT}/etc/pam.d/system-auth.new | cut -d ' ' -f 1)
+
+ if [[ ${CHECK1} != "${CHECK2}" ]] ; then
+ ewarn "Due to a security issue, ${ROOT}etc/pam.d/system-auth "
+ ewarn "is being updated automatically. Your old "
+ ewarn "system-auth will be backed up as:"
+ ewarn
+ ewarn " ${ROOT}etc/pam.d/system-auth.bak"
+ echo
+
+ cp -pPR ${ROOT}/etc/pam.d/system-auth \
+ ${ROOT}/etc/pam.d/system-auth.bak;
+ mv -f ${ROOT}/etc/pam.d/system-auth.new \
+ ${ROOT}/etc/pam.d/system-auth
+ rm -f ${ROOT}/etc/pam.d/._cfg????_system-auth
+ else
+ rm -f ${ROOT}/etc/pam.d/system-auth.new
+ fi
+ fi
+
+ if use pam_console; then
+ echo
+ einfo "If you want to enable the pam_console module, please follow"
+ einfo "the instructions in /usr/share/doc/${PF}/README.pam_console."
+ echo
+ fi
+}
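Review bot: In src_install the /usr-dependency guard pipes `grep "/usr/lib/"` into `grep "/usr/$(get_libdir)/"`, so an ldd line must contain both strings to be reported. Whenever get_libdir returns something other than `lib` (the "Fixup libdir for 64bit arches" comment in src_unpack suggests it does on some arches; the helper itself is not shown here), no line can satisfy both filters and the check never fires. A module linked against a library under /usr would then be installed without the `die`, which is the kind of login breakage the "Make sure every module built" comment just above is trying to prevent. The two positive filters should be a single alternation, `grep -E "/usr/(lib|$(get_libdir))/"`, with the gcc and libsandbox exclusions left as they are. It would also help to add a comment such as `# PAM modules must not link against /usr: it may not be available when they are loaded` so the intent of the guard is recorded.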