Patchwork Fixing linux-pam build failures

Submitter Stefan Fröberg
Date Sept. 8, 2012, 11:28 a.m.
Message ID <504B2BD3.5080205@petroprogram.com>
Permalink /patch/182537/
State Rejected

Comments

Stefan Fröberg - Sept. 8, 2012, 11:28 a.m.
Hi Dmitry!

Your work on this pam support looks good.

I have attached in this message my very quick, unpolished & very very
very dirty pam (version 1.1.5) hack
(it doesn't bother to even check for if pam is enabled in busybox and it
assumes that pam.d stuff is already in fs/skeleton/etc )

I can't even remember when I did this ugly hack.

Got it somehow working with the help of :
http://www.linuxfromscratch.org/blfs/view/svn/postlfs/linux-pam.html
http://www.linuxfromscratch.org/blfs/view/svn/postlfs/shadow.html
and
http://www.linuxfromscratch.org/blfs/view/svn/postlfs/cracklib.html

Those Linux From Scratch pages are really great starting templates for
any new buildroot package!
:)

Also, those three patches mentioned in this attached file are from
openwrt project which also
uses buildroot stuff (???).

https://dev.openwrt.org/browser/packages/libs/libpam

If you find something useful for your work then by all means salvage
what you need from it.

I just want to get quickly rid of my dirty pam hack as soon as official
support lands on buildroot.

Stefan

P.S:

Your work for v86d ( http://patchwork.ozlabs.org/patch/157286/ )
is working wonderfully in my distro !
Thanks!


8.9.2012 7:32, Dmitry Golubovsky wrote:
> Hi,
>
> My initial assumption about the failures of linux-pam building in
> autobuilder was not correct: the problem was in BerkeleyDB
> configuration.
>
> When BerkeleyDB is not built, the pam_userdb module is not built
> either (via linux-pam configure). In this failed autobuilder
> configuration Berkeley DB was selected. But dbm functionality was not
> enabled in BerkeleyDB configure options. Thus the pam_userdb module
> was attempted to build, but it failed due to the absence of dbm
> functions in Berkeley DB, and this showed up in the build log.
>
> I have submitted a series of patches which address the problem:
>
> * if linux-pam is built, --enable-dbm is added to BerkeleyDB configure options
> * BerkeleyDB is autoselected when linux-pam is selected, and
> BerkeleyDB is now a dependency of linux-pam
>
> I also included my two other patches (since linux-pam is being patched anyway):
>
> * Provide dummy PAM config files to allow password-less logons via busybox login
> * New configuration option for PAM support has been added to the
> Busybox configuration menu.
>
> Any suggestions are welcome.
>
> Thanks.
>
From 768273cb86e195280da74f1ac471871b9ba3036f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stefan=20Fr=C3=B6berg?= <stefan.froberg@petroprogram.com>
Date: Sat, 8 Sep 2012 14:04:40 +0300
Subject: [PATCH 10/10] pam: quick & dirty Linux-PAM support
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit


Signed-off-by: Stefan Fröberg <stefan.froberg@petroprogram.com>
---
 fs/skeleton/etc/pam.d/chage           |   15 ++++++
 fs/skeleton/etc/pam.d/login           |   47 ++++++++++++++++++
 fs/skeleton/etc/pam.d/passwd          |    6 ++
 fs/skeleton/etc/pam.d/su              |   17 +++++++
 fs/skeleton/etc/pam.d/system-account  |    6 ++
 fs/skeleton/etc/pam.d/system-auth     |    6 ++
 fs/skeleton/etc/pam.d/system-password |    8 +++
 fs/skeleton/etc/pam.d/system-session  |    6 ++
 package/pam/Config.in                 |    6 ++
 package/pam/pam.000-no-innetgr.patch  |   85 +++++++++++++++++++++++++++++++++
 package/pam/pam.002-no_yywrap.patch   |   26 ++++++++++
 package/pam/pam.003-no_doc.patch      |   36 ++++++++++++++
 package/pam/pam.mk                    |   30 ++++++++++++
 13 files changed, 294 insertions(+), 0 deletions(-)
 create mode 100644 fs/skeleton/etc/pam.d/chage
 create mode 100644 fs/skeleton/etc/pam.d/login
 create mode 100644 fs/skeleton/etc/pam.d/passwd
 create mode 100644 fs/skeleton/etc/pam.d/su
 create mode 100644 fs/skeleton/etc/pam.d/system-account
 create mode 100644 fs/skeleton/etc/pam.d/system-auth
 create mode 100644 fs/skeleton/etc/pam.d/system-password
 create mode 100644 fs/skeleton/etc/pam.d/system-session
 create mode 100644 package/pam/Config.in
 create mode 100644 package/pam/pam.000-no-innetgr.patch
 create mode 100644 package/pam/pam.002-no_yywrap.patch
 create mode 100644 package/pam/pam.003-no_doc.patch
 create mode 100644 package/pam/pam.mk
Dimitry Golubovsky - Sept. 8, 2012, 12:54 p.m.
Stefan,

On Sat, Sep 8, 2012 at 7:28 AM, Stefan Fröberg
<stefan.froberg@petroprogram.com> wrote:
> Hi Dmitry!
>
> Your work on this pam support looks good.
>
> I have attached in this message my very quick, unpolished & very very
> very dirty pam (version 1.1.5) hack
> (it doesn't bother to even check for if pam is enabled in busybox and it
> assumes that pam.d stuff is already in fs/skeleton/etc )

Thanks. However I'd rather let finalize the 1.1.4 integration (the
patches I just submitted will do) and then to upgrade to 1.1.5.

Another thing in your patch, and I was asked not to do so, is PAM
configs in the fs skeleton. I moved them to the Buildroot package
area, and honestly I would not provide any more configs with Buildroot
itself. For example, in my project PAM config for login does not
resemble the standard one at all, etc. these configs are just for
compatibility with PAM-less setup.

>
> If you find something useful for your work then by all means salvage
> what you need from it.

Sure, once 1.1.4 is done.

> Your work for v86d ( http://patchwork.ozlabs.org/patch/157286/ )
> is working wonderfully in my distro !

Thanks for testing. The patchwork entry you mentioned also captures
the discussion we had regarding non-standard use of C flags: the way
Makefile is written in v86d does not capture them from the build
environment, and they have to be pushed harder down via redefinition
of $(CC) rather than via an environment variable.

I think eventually I'll try to reintroduce the v86d patch: may I take
your e-mail as a supporting vote? ;)

Thanks.
Stefan Fröberg - Sept. 8, 2012, 2:40 p.m.
Hi Dmitry

8.9.2012 15:54, Dmitry Golubovsky wrote:
>
>> Your work for v86d ( http://patchwork.ozlabs.org/patch/157286/ )
>> is working wonderfully in my distro !
> Thanks for testing. The patchwork entry you mentioned also captures
> the discussion we had regarding non-standard use of C flags: the way
> Makefile is written in v86d does not capture them from the build
> environment, and they have to be pushed harder down via redefinition
> of $(CC) rather than via an environment variable.
>
> I think eventually I'll try to reintroduce the v86d patch: may I take
> your e-mail as a supporting vote? ;)
>
> Thanks.
>
Of course.
I will be glad to :)

Stefan

Patch

diff --git a/fs/skeleton/etc/pam.d/chage b/fs/skeleton/etc/pam.d/chage
new file mode 100644
index 0000000..a740151
--- /dev/null
+++ b/fs/skeleton/etc/pam.d/chage
@@ -0,0 +1,15 @@ 
+# Begin /etc/pam.d/chage
+
+# always allow root
+auth	sufficient	pam_rootok.so
+
+# include system defaults for auth account and session
+auth		include		system-auth
+account		include		system-account
+session		include		system-session
+
+# Always permit for authentication updates
+password	required	pam-permit.so
+
+# End /etc/pam.d/chage
+
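Review bot: The password line names `pam-permit.so`, with a hyphen, while every other module in these files uses the `pam_` prefix. The module is `pam_permit.so`, so as written this `required` entry cannot be loaded and the password stack for chage fails. Change the line to `password required pam_permit.so`.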
diff --git a/fs/skeleton/etc/pam.d/login b/fs/skeleton/etc/pam.d/login
new file mode 100644
index 0000000..61eec97
--- /dev/null
+++ b/fs/skeleton/etc/pam.d/login
@@ -0,0 +1,47 @@ 
+# Begin /etc/pam.d/login
+
+# Set failure delay before next prompt to 3 seconds
+auth	optional	pam_faildelay.so	delay=3000000
+
+# Check to make sure that the user is allowed to login
+auth	requisite	pam_nologin.so
+
+# Check to make sure that root is allowed to login
+# Disabled by default. You will need to create /etc/securetty
+# file for this module to function. See man 5 securetty
+auth	required	pam_securetty.so
+
+# Additional group memberships - disaled by default
+# auth	optional	pam_group.so
+
+# include the default auth settings
+auth	include		system-auth
+
+# check access for the user
+account	required	pam_access.so
+
+# include the default account settings
+account	include		system-account
+
+# Set default environment variables for the user
+session	required	pam_env.so
+
+# Set resource limits for the user
+session	required	pam_limits.so
+
+# Display date of last login
+session	optional	pam_lastlog.so
+
+# Display the message of the day - Disabled by default
+# session	optional	pam_motd.so
+
+# Check user's mail - Disabled by default
+# session	optional	pam_mail.so	standard quiet
+
+# include the default session and password settings
+session		include		system-session
+password	include		system-password
+
+# End /etc/pam.d/login
+
+
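Review bot: The comment above `auth required pam_securetty.so` says the check is "Disabled by default", but the line is not commented out, unlike the pam_group, pam_motd and pam_mail entries in the same file, so the module is active. Either comment the line out to match the text, or reword the comment and provide the /etc/securetty file it says is needed.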
diff --git a/fs/skeleton/etc/pam.d/passwd b/fs/skeleton/etc/pam.d/passwd
new file mode 100644
index 0000000..7d5d6ea
--- /dev/null
+++ b/fs/skeleton/etc/pam.d/passwd
@@ -0,0 +1,6 @@ 
+# Begin /etc/pam.d/passwd
+
+password	include		system-password
+
+# End /etc/pam.d/passwd
+
diff --git a/fs/skeleton/etc/pam.d/su b/fs/skeleton/etc/pam.d/su
new file mode 100644
index 0000000..1368159
--- /dev/null
+++ b/fs/skeleton/etc/pam.d/su
@@ -0,0 +1,17 @@ 
+# Begin /etc/pam.d/su
+
+# always allow root
+auth	sufficient	pam_rootok.so
+auth	include		system-auth
+
+# include the default account settings
+account	include		system-account
+
+# Set default environment variables for the service user
+session	required	pam_env.so
+
+# include system session defaults
+session	include		system-session
+
+# End /etc/pam.d/su
+
diff --git a/fs/skeleton/etc/pam.d/system-account b/fs/skeleton/etc/pam.d/system-account
new file mode 100644
index 0000000..91fb0cb
--- /dev/null
+++ b/fs/skeleton/etc/pam.d/system-account
@@ -0,0 +1,6 @@ 
+# Begin /etc/pam.d/system-account
+
+account		required	pam_unix.so
+
+# End /etc/pam.d/system-account
+
diff --git a/fs/skeleton/etc/pam.d/system-auth b/fs/skeleton/etc/pam.d/system-auth
new file mode 100644
index 0000000..14a174f
--- /dev/null
+++ b/fs/skeleton/etc/pam.d/system-auth
@@ -0,0 +1,6 @@ 
+# Begin /etc/pam.d/system-auth
+
+auth	required	pam_unix.so
+
+# End /etc/pam.d/system-auth
+
diff --git a/fs/skeleton/etc/pam.d/system-password b/fs/skeleton/etc/pam.d/system-password
new file mode 100644
index 0000000..6de3c98
--- /dev/null
+++ b/fs/skeleton/etc/pam.d/system-password
@@ -0,0 +1,8 @@ 
+# Begin /etc/pam.d/system-password
+
+# use sha512 hash for encryption, use shadow, and try to use any previously
+# defined authentication token (chosen password) set by any prior module
+password	required	pam_unix.so	sha512 shadow try_first_pass
+
+# End /etc/pam.d/system-password
+
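Review bot: The comment calls sha512 a "hash for encryption"; pam_unix hashes the password here and does not encrypt it, so the comment should say hashing. The comment also explains `try_first_pass` as reusing a token "set by any prior module", yet pam_unix is the only module in this stack, so either drop the option or add the intended password-strength module ahead of it.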
diff --git a/fs/skeleton/etc/pam.d/system-session b/fs/skeleton/etc/pam.d/system-session
new file mode 100644
index 0000000..c51de85
--- /dev/null
+++ b/fs/skeleton/etc/pam.d/system-session
@@ -0,0 +1,6 @@ 
+# Begin /etc/pam.d/system-session
+
+session	required	pam_unix.so
+
+# End /etc/pam.d/system-session
+
diff --git a/package/pam/Config.in b/package/pam/Config.in
new file mode 100644
index 0000000..cd3fb2a
--- /dev/null
+++ b/package/pam/Config.in
@@ -0,0 +1,6 @@ 
+config BR2_PACKAGE_PAM
+	bool "pam"
+	help
+	  Linux-PAM.
+
+
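Review bot: The help text is only "Linux-PAM." and the symbol has no `depends on` or `select` lines. Describe what the package provides, add the upstream URL, and state the toolchain or package requirements so the option cannot be enabled in a configuration that will not build.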
diff --git a/package/pam/pam.000-no-innetgr.patch b/package/pam/pam.000-no-innetgr.patch
new file mode 100644
index 0000000..45babfc
--- /dev/null
+++ b/package/pam/pam.000-no-innetgr.patch
@@ -0,0 +1,85 @@ 
+innetgr may not be there so make sure that when innetgr is not present
+then we inform about it and not use it.
+
+-Khem
+--- a/modules/pam_group/pam_group.c
++++ b/modules/pam_group/pam_group.c
+@@ -659,7 +659,11 @@ static int check_account(pam_handle_t *p
+ 	}
+ 	/* If buffer starts with @, we are using netgroups */
+ 	if (buffer[0] == '@')
++#ifdef HAVE_INNETGR
+ 	  good &= innetgr (&buffer[1], NULL, user, NULL);
++#else
++	pam_syslog (pamh, LOG_ERR, "pam_group does not have netgroup support");
++#endif
+ 	/* otherwise, if the buffer starts with %, it's a UNIX group */
+ 	else if (buffer[0] == '%')
+           good &= pam_modutil_user_in_group_nam_nam(pamh, user, &buffer[1]);
+--- a/modules/pam_time/pam_time.c
++++ b/modules/pam_time/pam_time.c
+@@ -555,9 +555,13 @@ check_account(pam_handle_t *pamh, const
+ 	  }
+ 	  /* If buffer starts with @, we are using netgroups */
+ 	  if (buffer[0] == '@')
+-	    good &= innetgr (&buffer[1], NULL, user, NULL);
++#ifdef HAVE_INNETGR
++	       good &= innetgr (&buffer[1], NULL, user, NULL);
++#else
++	       pam_syslog (pamh, LOG_ERR, "pam_time does not have netgroup support");
++#endif
+ 	  else
+-	    good &= logic_field(pamh, user, buffer, count, is_same);
++	       good &= logic_field(pamh, user, buffer, count, is_same);
+ 	  D(("with user: %s", good ? "passes":"fails" ));
+ 
+ 	  /* here we get the time field */
+--- a/modules/pam_succeed_if/pam_succeed_if.c
++++ b/modules/pam_succeed_if/pam_succeed_if.c
+@@ -231,18 +231,27 @@ evaluate_notingroup(pam_handle_t *pamh,
+ }
+ /* Return PAM_SUCCESS if the (host,user) is in the netgroup. */
+ static int
+-evaluate_innetgr(const char *host, const char *user, const char *group)
++evaluate_innetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group)
+ {
++#ifdef HAVE_INNETGR
+ 	if (innetgr(group, host, user, NULL) == 1)
+ 		return PAM_SUCCESS;
++#else
++        pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support");
++#endif
++
+ 	return PAM_AUTH_ERR;
+ }
+ /* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */
+ static int
+-evaluate_notinnetgr(const char *host, const char *user, const char *group)
++evaluate_notinnetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group)
+ {
++#ifdef HAVE_INNETGR
+ 	if (innetgr(group, host, user, NULL) == 0)
+ 		return PAM_SUCCESS;
++#else
++	pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support");
++#endif
+ 	return PAM_AUTH_ERR;
+ }
+ 
+@@ -361,14 +370,14 @@ evaluate(pam_handle_t *pamh, int debug,
+ 		const void *rhost;
+ 		if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS)
+ 			rhost = NULL;
+-		return evaluate_innetgr(rhost, user, right);
++		return evaluate_innetgr(pamh, rhost, user, right);
+ 	}
+ 	/* (Rhost, user) is not in this group. */
+ 	if (strcasecmp(qual, "notinnetgr") == 0) {
+ 		const void *rhost;
+ 		if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS)
+ 			rhost = NULL;
+-		return evaluate_notinnetgr(rhost, user, right);
++		return evaluate_notinnetgr(pamh, rhost, user, right);
+ 	}
+ 	/* Fail closed. */
+ 	return PAM_SERVICE_ERR;
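Review bot: In the pam_group.c and pam_time.c hunks the `#else` branch only logs and leaves `good` unchanged, so on a libc without innetgr an `@netgroup` user field no longer restricts the rule and it can apply to every user. Clear the flag as well as logging, for example `{ pam_syslog (...); good = 0; }`, which matches the fail-closed `PAM_AUTH_ERR` that the pam_succeed_if.c hunk returns. The pam_time.c hunk also re-indents the otherwise untouched `logic_field` line, which should be dropped, and the embedded patch is signed only "-Khem" where a Signed-off-by and an origin note are expected.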
diff --git a/package/pam/pam.002-no_yywrap.patch b/package/pam/pam.002-no_yywrap.patch
new file mode 100644
index 0000000..0d73e4b
--- /dev/null
+++ b/package/pam/pam.002-no_yywrap.patch
@@ -0,0 +1,26 @@ 
+--- a/conf/pam_conv1/pam_conv_l.c
++++ b/conf/pam_conv1/pam_conv_l.c
+@@ -534,7 +534,9 @@ void yyset_lineno (int line_number  );
+ #ifdef __cplusplus
+ extern "C" int yywrap (void );
+ #else
+-extern int yywrap (void );
++int yywrap (void ) {
++	return 1;
++}
+ #endif
+ #endif
+ 
+--- a/doc/specs/parse_l.c
++++ b/doc/specs/parse_l.c
+@@ -520,7 +520,9 @@ void yyset_lineno (int line_number  );
+ #ifdef __cplusplus
+ extern "C" int yywrap (void );
+ #else
+-extern int yywrap (void );
++int yywrap (void ) {
++	return 1;
++}
+ #endif
+ #endif
+ 
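Review bot: Both hunks edit `pam_conv_l.c` and `parse_l.c`, which look like generated lexer output (note the `yyset_lineno` prototypes), so the added `yywrap` definition is lost whenever the scanners are regenerated. Put the fix in the `.l` sources, for example with `%option noyywrap`, or link the lex library instead. The embedded patch also has no description and no Signed-off-by.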
diff --git a/package/pam/pam.003-no_doc.patch b/package/pam/pam.003-no_doc.patch
new file mode 100644
index 0000000..020f74d
--- /dev/null
+++ b/package/pam/pam.003-no_doc.patch
@@ -0,0 +1,36 @@ 
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -5,9 +5,9 @@
+ AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news
+ 
+ if STATIC_MODULES
+-SUBDIRS = modules libpam libpamc libpam_misc tests po conf doc examples xtests
++SUBDIRS = modules libpam libpamc libpam_misc tests po conf examples xtests
+ else
+-SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests
++SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests
+ endif
+ 
+ CLEANFILES = *~
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -74,7 +74,7 @@ RECURSIVE_CLEAN_TARGETS = mostlyclean-re
+   distclean-recursive maintainer-clean-recursive
+ ETAGS = etags
+ CTAGS = ctags
+-DIST_SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc \
++DIST_SUBDIRS = libpam tests libpamc libpam_misc modules po conf \
+ 	examples xtests
+ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ distdir = $(PACKAGE)-$(VERSION)
+@@ -253,8 +253,8 @@ top_build_prefix = @top_build_prefix@
+ top_builddir = @top_builddir@
+ top_srcdir = @top_srcdir@
+ AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news
+-@STATIC_MODULES_FALSE@SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests
+-@STATIC_MODULES_TRUE@SUBDIRS = modules libpam libpamc libpam_misc tests po conf doc examples xtests
++@STATIC_MODULES_FALSE@SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests
++@STATIC_MODULES_TRUE@SUBDIRS = modules libpam libpamc libpam_misc tests po conf examples xtests
+ CLEANFILES = *~
+ M4_FILES = m4/gettext.m4 m4/iconv.m4 m4/intlmacosx.m4 \
+ 	m4/japhar_grep_cflags.m4 m4/jh_path_xml_catalog.m4 \
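Review bot: The `doc` removal is applied by hand to both `Makefile.am` and the generated `Makefile.in`, and the two copies have to be kept in step at every version bump. Patch only `Makefile.am` and set `PAM_AUTORECONF = YES` in pam.mk so that `Makefile.in` is regenerated. The embedded patch also needs a short description and a Signed-off-by.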
diff --git a/package/pam/pam.mk b/package/pam/pam.mk
new file mode 100644
index 0000000..1924594
--- /dev/null
+++ b/package/pam/pam.mk
@@ -0,0 +1,30 @@ 
+#############################################################
+#
+# Linux-PAM
+#
+#############################################################
+PAM_VERSION = 1.1.5
+PAM_SOURCE = Linux-PAM-$(PAM_VERSION).tar.bz2
+PAM_SITE = https://fedorahosted.org/releases/l/i/linux-pam/
+PAM_INSTALL_STAGING = YES
+PAM_INSTALL_TARGET = YES
+#PAM_DEPENDENCIES = $(if $(BR2_NEEDS_GETTEXT_IF_LOCALE),gettext)
+PAM_CONF_OPT = --disable-nls --enable-shared --sbindir=/lib/security --docdir=/usr/share/doc/Linux-PAM-1.1.5 --disable-nis --enable-read-both-confs
+
+define PAM_POST_INSTALL_TARGET_FIXUP
+
+# The unix_chkpwd password-helper program must be setuid
+#  so that non-root processes can access the shadow-password file. 
+
+	chmod -v 4755 $(TARGET_DIR)/lib/security/unix_chkpwd
+
+# The pam_tally program is designed to be run by the system administrator, 
+# possibly in single-user mode, so it is moved to the appropriate directory. 
+
+	mv -v $(TARGET_DIR)/lib/security/pam_tally $(TARGET_DIR)/sbin
+
+endef
+
+PAM_POST_INSTALL_TARGET_HOOKS += PAM_POST_INSTALL_TARGET_FIXUP
+
+$(eval $(call AUTOTARGETS,package,pam))
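Review bot: `PAM_CONF_OPT` hard-codes the version in `--docdir=/usr/share/doc/Linux-PAM-1.1.5`; use `$(PAM_VERSION)` so the next bump does not leave a stale path. `--sbindir=/lib/security` places the helper programs, including the `unix_chkpwd` binary that the hook makes setuid with `chmod -v 4755`, in the same directory as the PAM modules; installing them to /sbin would make the `mv` of pam_tally unnecessary and keep the setuid helper apart from the modules. The commented-out `PAM_DEPENDENCIES` line should be either enabled or removed.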