Merge pull request #203916 from Izorkin/init-tcb

tcb: init at 1.2

pkgs/tools/security/tcb/default.nix

@@ -0,0 +1,51 @@
+{ lib, stdenv, fetchFromGitHub, pkg-config
+, linux-pam, libxcrypt
+}:
+
+stdenv.mkDerivation rec {
+  pname = "tcb";
+  version = "1.2";
+
+  src = fetchFromGitHub {
+    owner = "openwall";
+    repo = pname;
+    rev = "070cf4aa784de13c52788ac22ff611d7cbca0854";
+    sha256 = "sha256-Sp5u7iTEZZnAqKQXoPO8eWpSkZeBzQqZI82wRQmgU9A=";
+  };
+
+  outputs = [ "out" "bin" "dev" "man" ];
+
+  nativeBuildInputs = [ pkg-config ];
+
+  buildInputs = [ linux-pam libxcrypt ];
+
+  patches = [ ./fix-makefiles.patch ];
+
+  postPatch = ''
+    substituteInPlace Make.defs \
+      --replace "PREFIX = /usr" "PREFIX = $out" \
+      --replace "SBINDIR = /sbin" "SBINDIR = $bin/bin" \
+      --replace "INCLUDEDIR = \$(PREFIX)/include" "INCLUDEDIR = $dev/include"
+  '';
+
+  meta = with lib; {
+    description = "Alternative password shadowing scheme";
+    longDescription = ''
+      The tcb package contains core components of our tcb suite implementing the alternative
+      password shadowing scheme on Openwall GNU Linux (Owl). It is being made available
+      separately from Owl primarily for use by other distributions.
+
+      The package consists of three components: pam_tcb, libnss_tcb, and libtcb.
+
+      pam_tcb is a PAM module which supersedes pam_unix. It also implements the tcb password
+      shadowing scheme. The tcb scheme allows many core system utilities (passwd(1) being
+      the primary example) to operate with little privilege. libnss_tcb is the accompanying
+      NSS module. libtcb contains code shared by the PAM and NSS modules and is also used
+      by user management tools on Owl due to our shadow suite patches.
+    '';
+    homepage = "https://www.openwall.com/tcb/";
+    license = licenses.bsd3;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ izorkin ];
+  };
+}

pkgs/tools/security/tcb/fix-makefiles.patch

@@ -0,0 +1,52 @@
+diff --git a/Make.defs b/Make.defs
+index a961f7d..9e8d59b 100644
+--- a/Make.defs
++++ b/Make.defs
+@@ -19,7 +19,7 @@ LDFLAGS += $(DBGFLAG) -L../libs
+
+ PREFIX = /usr
+ SBINDIR = /sbin
+-SLIBDIR = /lib
++SLIBDIR = $(PREFIX)/lib
+ INCLUDEDIR = $(PREFIX)/include
+ LIBDIR = $(PREFIX)/lib
+ LIBEXECDIR = $(PREFIX)/libexec
+diff --git a/libs/Makefile b/libs/Makefile
+index 0083b13..27238f6 100644
+--- a/libs/Makefile
++++ b/libs/Makefile
+@@ -7,7 +7,7 @@ LIBTCB_A = libtcb.a
+ LIB_MAP = libtcb.map
+ NSS_MAP = libnss_tcb.map
+
+-all: $(LIBTCB_LONG) $(LIBNSS) $(LIBTCB_A)
++all: $(LIBTCB_LONG) $(LIBNSS)
+
+ $(LIBTCB_A): libtcb_a.o
+ 	ar -cr $@ $<
+@@ -36,9 +36,8 @@ install:
+ 	$(MKDIR) -p -m 755 $(DESTDIR)$(LIBDIR)
+ 	$(INSTALL) -m $(SHLIBMODE) $(LIBTCB_LONG) $(DESTDIR)$(SLIBDIR)/
+ 	ln -sf $(LIBTCB_LONG) $(DESTDIR)$(SLIBDIR)/$(LIBTCB)
+-	ln -sf ../..$(SLIBDIR)/$(LIBTCB) $(DESTDIR)$(LIBDIR)/libtcb.so
++	ln -sf $(LIBTCB) $(DESTDIR)$(LIBDIR)/libtcb.so
+ 	$(INSTALL) -m $(SHLIBMODE) $(LIBNSS) $(DESTDIR)$(SLIBDIR)/
+-	$(INSTALL) -m 644 $(LIBTCB_A) $(DESTDIR)$(LIBDIR)/
+
+ clean:
+ 	rm -f *.o *~ $(LIBTCB)* libtcb.so $(LIBNSS) *.a
+diff --git a/progs/Makefile b/progs/Makefile
+index c3a6879..e24f74b 100644
+--- a/progs/Makefile
++++ b/progs/Makefile
+@@ -23,8 +23,8 @@ install-non-root: install-common
+ 	$(INSTALL) -m 700 $(CHKPWD) $(DESTDIR)$(LIBEXECDIR)/chkpwd/
+
+ install: install-common
+-	$(INSTALL) -d -o root -g chkpwd -m 710 $(DESTDIR)$(LIBEXECDIR)/chkpwd
+-	$(INSTALL) -m 2711 -o root -g shadow $(CHKPWD) \
++	$(INSTALL) -d $(DESTDIR)$(LIBEXECDIR)/chkpwd
++	$(INSTALL) $(CHKPWD) \
+ 		$(DESTDIR)$(LIBEXECDIR)/chkpwd/
+
+ install-common:

pkgs/top-level/all-packages.nix

@@ -12057,6 +12057,8 @@ with pkgs;
 
   tayga = callPackage ../tools/networking/tayga { };
 
+  tcb = callPackage ../tools/security/tcb { };
+
   tcpcrypt = callPackage ../tools/security/tcpcrypt { };
 
   tcptraceroute = callPackage ../tools/networking/tcptraceroute { };