Upgrade to linux-pam-1.5.3-r1 #2049
Conversation
|
To help you, here are our relevant changes. --- /dev/fd/63 2024-06-24 12:13:12.434175945 +0100
+++ /home/chewi/Projects/flatcar/scripts/repos/flatcar-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild 2024-06-23 19:14:56.550235722 +0100
@@ -7,7 +7,7 @@
# Can reconsider w/ EAPI 8 and IDEPEND, bug #810979
TMPFILES_OPTIONAL=1
-inherit autotools db-use fcaps toolchain-funcs usr-ldscript multilib-minimal
+inherit autotools db-use toolchain-funcs usr-ldscript multilib-minimal
GIT_COMMIT="fe1307512fb8892b5ceb3d884c793af8dbd4c16a"
DOC_SNAPSHOT="20210610"
@@ -47,6 +47,7 @@
S="${WORKDIR}/linux-${PN}-${GIT_COMMIT}"
PATCHES=(
+ "${FILESDIR}"/${PN}-1.5.0-locked-accounts.patch
"${FILESDIR}"/${PN}-1.5.1-musl.patch
)
@@ -91,18 +93,24 @@
multilib_src_install() {
emake DESTDIR="${D}" install \
sepermitlockdir="/run/sepermit"
-
- gen_usr_ldscript -a pam pam_misc pamc
}
multilib_src_install_all() {
find "${ED}" -type f -name '*.la' -delete || die
+ # Flatcar: The pam_unix module needs to check the password of
+ # the user which requires read access to /etc/shadow
+ # only. Make it suid instead of using CAP_DAC_OVERRIDE to
+ # avoid a pam -> libcap -> pam dependency loop.
+ fperms 4711 /sbin/unix_chkpwd
+
# tmpfiles.eclass is impossible to use because
# there is the pam -> tmpfiles -> systemd -> pam dependency loop
dodir /usr/lib/tmpfiles.d
+ rm "${D}/etc/environment"
+ cp "${FILESDIR}/tmpfiles.d/pam.conf" "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-config.conf
cat ->> "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_
d /run/faillock 0755 root root
_EOF_
@@ -128,8 +136,4 @@
ewarn " lsof / | grep -E -i 'del.*libpam\\.so'"
ewarn ""
ewarn "Alternatively, simply reboot your system."
-
- # The pam_unix module needs to check the password of the user which requires
- # read access to /etc/shadow only.
- fcaps cap_dac_override sbin/unix_chkpwd
} |
|
Build action triggered: https://github.com/flatcar/scripts/actions/runs/9709243417 |
|
@chewi I noticed there is an issue for upgrading linux pam to It looks like upstream that it is still masked though. https://github.com/gentoo/gentoo/blob/master/sys-libs/pam/pam-1.6.1.ebuild Not sure how we want to handle this? Should we upgrade to 1.6.1 in this PR or wait until upstream unmasks it? |
markafarrell
force-pushed
the
feature/update-linux-pam-1.5.3
branch
3 times, most recently
from
3a484bd
to
a4a4c60
Compare
Fixed |
|
musl patch is no longer required as it was fixed by linux-pam/linux-pam#433 The fix is present in |
markafarrell
force-pushed
the
feature/update-linux-pam-1.5.3
branch
from
a4a4c60
to
6e3dd16
Compare
markafarrell
force-pushed
the
feature/update-linux-pam-1.5.3
branch
from
6e3dd16
to
6737ee8
Compare
markafarrell
force-pushed
the
feature/update-linux-pam-1.5.3
branch
2 times, most recently
from
af54101
to
8d029df
Compare
markafarrell
force-pushed
the
feature/update-linux-pam-1.5.3
branch
from
8d029df
to
01e9516
Compare
markafarrell
force-pushed
the
feature/update-linux-pam-1.5.3
branch
from
4b64796
to
d5833e2
Compare
|
CI is failing on multiple tests for |
|
Ok that git-hash appears to correspond to b79b816 I think this (https://github.com/flatcar/flatcar-dev-util/blob/flatcar-master/emerge-gitclone#L14) is trying to checkout https://github.com/flatcar/scripts.git at that commit (b79b816) but is failing because that commit is on my fork not in a branch. Is it possible for CI to run successfully for a PR from a fork? Or am I missing something here? |
|
@markafarrell thanks again for your contribution! I already seen this CI failure in the past, I think it's not related to these changes. |
Update linux-pam to version 1.5.3-r1
Fixes: flatcar/Flatcar#1474
Update linux-pam to version 1.5.3-r1 and enable the use of
vendordirVendor dir allows us to install config into
/usr/lib/pam/security.pam modules will first look for configuration in
/etc/securityand if they are not found there will fallback to/usr/lib/pam/securityPreviously we had
sconfigdirset to/usr/lib/pamwhich resulted in configuration being installed to/usr/lib/pambut left us unable to configure pam modules (as the pam modules used this path as their only source of configuration)How to use
Confirm that ulimit is has changed to 515
Testing done
[Describe the testing you have done before submitting this PR. Please include both the commands you issued as well as the output you got.]
changelog/directory (user-facing change, bug fix, security fix, update)/bootand/usrsize, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.