From patchwork Sat Sep 8 11:28:19 2012
X-Patchwork-Submitter: Stefan Fröberg
X-Patchwork-Id: 182537
Message-ID: <504B2BD3.5080205@petroprogram.com>
Date: Sat, 08 Sep 2012 14:28:19 +0300
From: Stefan Fröberg
To: Dmitry Golubovsky
Cc: buildroot@busybox.net
Subject: Re: [Buildroot] Fixing linux-pam build failures

Hi Dmitry!

Your work on this pam support looks good.

I have attached to this message my very quick, unpolished & very very very dirty pam (version 1.1.5) hack (it doesn't even bother to check whether pam is enabled in busybox, and it assumes that the pam.d stuff is already in fs/skeleton/etc). I can't even remember when I did this ugly hack.

Got it somehow working with the help of:

http://www.linuxfromscratch.org/blfs/view/svn/postlfs/linux-pam.html
http://www.linuxfromscratch.org/blfs/view/svn/postlfs/shadow.html
and
http://www.linuxfromscratch.org/blfs/view/svn/postlfs/cracklib.html

Those Linux From Scratch pages are really great starting templates for any new buildroot package! :)

Also, those three patches mentioned in this attached file are from the openwrt project, which also uses buildroot stuff (???).
https://dev.openwrt.org/browser/packages/libs/libpam

If you find something useful for your work then by all means salvage what you need from it. I just want to get quickly rid of my dirty pam hack as soon as official support lands in buildroot.

Stefan

P.S: Your work for v86d ( http://patchwork.ozlabs.org/patch/157286/ ) is working wonderfully in my distro! Thanks!

8.9.2012 7:32, Dmitry Golubovsky wrote:
> Hi,
>
> My initial assumption about the failures of linux-pam building in
> autobuilder was not correct: the problem was in BerkeleyDB
> configuration.
>
> When BerkeleyDB is not built, the pam_userdb module is not built
> either (via linux-pam configure). In this failed autobuilder
> configuration Berkeley DB was selected. But dbm functionality was not
> enabled in BerkeleyDB configure options. Thus the pam_userdb module
> was attempted to build, but it failed due to the absence of dbm
> functions in Berkeley DB, and this showed up in the build log.
>
> I have submitted a series of patches which address the problem:
>
> * if linux-pam is built, --enable-dbm is added to BerkeleyDB configure options
> * BerkeleyDB is autoselected when linux-pam is selected, and
>   BerkeleyDB is now a dependency of linux-pam
>
> I also included my two other patches (since linux-pam is being patched anyway):
>
> * Provide dummy PAM config files to allow password-less logons via busybox login
> * New configuration option for PAM support has been added to the
>   Busybox configuration menu.
>
> Any suggestions are welcome.
>
> Thanks.
>

From 768273cb86e195280da74f1ac471871b9ba3036f Mon Sep 17 00:00:00 2001
From: Stefan Fröberg
Date: Sat, 8 Sep 2012 14:04:40 +0300
Subject: [PATCH 10/10] pam: quick & dirty Linux-PAM support
Signed-off-by: Stefan Fröberg --- fs/skeleton/etc/pam.d/chage | 15 ++++++ fs/skeleton/etc/pam.d/login | 47 ++++++++++++++++++ fs/skeleton/etc/pam.d/passwd | 6 ++ fs/skeleton/etc/pam.d/su | 17 +++++++ fs/skeleton/etc/pam.d/system-account | 6 ++ fs/skeleton/etc/pam.d/system-auth | 6 ++ fs/skeleton/etc/pam.d/system-password | 8 +++ fs/skeleton/etc/pam.d/system-session | 6 ++ package/pam/Config.in | 6 ++ package/pam/pam.000-no-innetgr.patch | 85 +++++++++++++++++++++++++++++++++ package/pam/pam.002-no_yywrap.patch | 26 ++++++++++ package/pam/pam.003-no_doc.patch | 36 ++++++++++++++ package/pam/pam.mk | 30 ++++++++++++ 13 files changed, 294 insertions(+), 0 deletions(-) create mode 100644 fs/skeleton/etc/pam.d/chage create mode 100644 fs/skeleton/etc/pam.d/login create mode 100644 fs/skeleton/etc/pam.d/passwd create mode 100644 fs/skeleton/etc/pam.d/su create mode 100644 fs/skeleton/etc/pam.d/system-account create mode 100644 fs/skeleton/etc/pam.d/system-auth create mode 100644 fs/skeleton/etc/pam.d/system-password create mode 100644 fs/skeleton/etc/pam.d/system-session create mode 100644 package/pam/Config.in create mode 100644 package/pam/pam.000-no-innetgr.patch create mode 100644 package/pam/pam.002-no_yywrap.patch create mode 100644 package/pam/pam.003-no_doc.patch create mode 100644 package/pam/pam.mk diff --git a/fs/skeleton/etc/pam.d/chage b/fs/skeleton/etc/pam.d/chage new file mode 100644 index 0000000..a740151 --- /dev/null +++ b/fs/skeleton/etc/pam.d/chage @@ -0,0 +1,15 @@ +# Begin /etc/pam.d/chage + +# always allow root +auth sufficient pam_rootok.so + +# include system defaults for auth account and session +auth include system-auth +account include system-account +session include system-session + +# Always permit for authentication updates +password required pam-permit.so + +# End /etc/pam.d/chage + diff --git a/fs/skeleton/etc/pam.d/login b/fs/skeleton/etc/pam.d/login new file mode 100644 index 0000000..61eec97 --- /dev/null 
+++ b/fs/skeleton/etc/pam.d/login @@ -0,0 +1,47 @@ +# Begin /etc/pam.d/login + +# Set failure delay before next prompt to 3 seconds +auth optional pam_faildelay.so delay=3000000 + +# Check to make sure that the user is allowed to login +auth requisite pam_nologin.so + +# Check to make sure that root is allowed to login +# Disabled by default. You will need to create /etc/securetty +# file for this module to function. See man 5 securetty +auth required pam_securetty.so + +# Additional group memberships - disaled by default +# auth optional pam_group.so + +# include the default auth settings +auth include system-auth + +# check access for the user +account required pam_access.so + +# include the default account settings +account include system-account + +# Set default environment variables for the user +session required pam_env.so + +# Set resource limits for the user +session required pam_limits.so + +# Display date of last login +session optional pam_lastlog.so + +# Display the message of the day - Disabled by default +# session optional pam_motd.so + +# Check user's mail - Disabled by default +# session optional pam_mail.so standard quiet + +# include the default session and password settings +session include system-session +password include system-password + +# End /etc/pam.d/login + + diff --git a/fs/skeleton/etc/pam.d/passwd b/fs/skeleton/etc/pam.d/passwd new file mode 100644 index 0000000..7d5d6ea --- /dev/null +++ b/fs/skeleton/etc/pam.d/passwd @@ -0,0 +1,6 @@ +# Begin /etc/pam.d/passwd + +password include system-password + +# End /etc/pam.d/passwd + diff --git a/fs/skeleton/etc/pam.d/su b/fs/skeleton/etc/pam.d/su new file mode 100644 index 0000000..1368159 --- /dev/null +++ b/fs/skeleton/etc/pam.d/su 
@@ -0,0 +1,17 @@ +# Begin /etc/pam.d/su + +# always allow root +auth sufficient pam_rootok.so +auth include system-auth + +# include the default account settings +account include system-account + +# Set default environment variables for the service user +session required pam_env.so + +# include system session defaults +session include system-session + +# End /etc/pam.d/su + diff --git a/fs/skeleton/etc/pam.d/system-account b/fs/skeleton/etc/pam.d/system-account new file mode 100644 index 0000000..91fb0cb --- /dev/null +++ b/fs/skeleton/etc/pam.d/system-account @@ -0,0 +1,6 @@ +# Begin /etc/pam.d/system-account + +account required pam_unix.so + +# End /etc/pam.d/system-account + diff --git a/fs/skeleton/etc/pam.d/system-auth b/fs/skeleton/etc/pam.d/system-auth new file mode 100644 index 0000000..14a174f --- /dev/null +++ b/fs/skeleton/etc/pam.d/system-auth @@ -0,0 +1,6 @@ +# Begin /etc/pam.d/system-auth + +auth required pam_unix.so + +# End /etc/pam.d/system-auth + diff --git a/fs/skeleton/etc/pam.d/system-password b/fs/skeleton/etc/pam.d/system-password new file mode 100644 index 0000000..6de3c98 --- /dev/null +++ b/fs/skeleton/etc/pam.d/system-password @@ -0,0 +1,8 @@ +# Begin /etc/pam.d/system-password + +# use sha512 hash for encryption, use shadow, and try to use any previously +# defined authentication token (chosen password) set by any prior module +password required pam_unix.so sha512 shadow try_first_pass + +# End /etc/pam.d/system-password + diff --git a/fs/skeleton/etc/pam.d/system-session b/fs/skeleton/etc/pam.d/system-session new file mode 100644 index 0000000..c51de85 --- /dev/null +++ b/fs/skeleton/etc/pam.d/system-session @@ -0,0 +1,6 @@ +# Begin /etc/pam.d/system-session + +session required pam_unix.so + +# End /etc/pam.d/system-session + diff --git a/package/pam/Config.in b/package/pam/Config.in new file mode 100644 index 0000000..cd3fb2a --- /dev/null +++ b/package/pam/Config.in 
@@ -0,0 +1,6 @@ +config BR2_PACKAGE_PAM + bool "pam" + help + Linux-PAM. + + diff --git a/package/pam/pam.000-no-innetgr.patch b/package/pam/pam.000-no-innetgr.patch new file mode 100644 index 0000000..45babfc --- /dev/null +++ b/package/pam/pam.000-no-innetgr.patch 
@@ -0,0 +1,85 @@ +innetgr may not be there so make sure that when innetgr is not present +then we inform about it and not use it. + +-Khem +--- a/modules/pam_group/pam_group.c ++++ b/modules/pam_group/pam_group.c +@@ -659,7 +659,11 @@ static int check_account(pam_handle_t *p + } + /* If buffer starts with @, we are using netgroups */ + if (buffer[0] == '@') ++#ifdef HAVE_INNETGR + good &= innetgr (&buffer[1], NULL, user, NULL); ++#else ++ pam_syslog (pamh, LOG_ERR, "pam_group does not have netgroup support"); ++#endif + /* otherwise, if the buffer starts with %, it's a UNIX group */ + else if (buffer[0] == '%') + good &= pam_modutil_user_in_group_nam_nam(pamh, user, &buffer[1]); +--- a/modules/pam_time/pam_time.c ++++ b/modules/pam_time/pam_time.c +@@ -555,9 +555,13 @@ check_account(pam_handle_t *pamh, const + } + /* If buffer starts with @, we are using netgroups */ + if (buffer[0] == '@') +- good &= innetgr (&buffer[1], NULL, user, NULL); ++#ifdef HAVE_INNETGR ++ good &= innetgr (&buffer[1], NULL, user, NULL); ++#else ++ pam_syslog (pamh, LOG_ERR, "pam_time does not have netgroup support"); ++#endif + else +- good &= logic_field(pamh, user, buffer, count, is_same); ++ good &= logic_field(pamh, user, buffer, count, is_same); + D(("with user: %s", good ? "passes":"fails" )); + + /* here we get the time field */ +--- a/modules/pam_succeed_if/pam_succeed_if.c ++++ b/modules/pam_succeed_if/pam_succeed_if.c +@@ -231,18 +231,27 @@ evaluate_notingroup(pam_handle_t *pamh, + } + /* Return PAM_SUCCESS if the (host,user) is in the netgroup. 
*/ + static int +-evaluate_innetgr(const char *host, const char *user, const char *group) ++evaluate_innetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group) + { ++#ifdef HAVE_INNETGR + if (innetgr(group, host, user, NULL) == 1) + return PAM_SUCCESS; ++#else ++ pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support"); ++#endif ++ + return PAM_AUTH_ERR; + } + /* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */ + static int +-evaluate_notinnetgr(const char *host, const char *user, const char *group) ++evaluate_notinnetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group) + { ++#ifdef HAVE_INNETGR + if (innetgr(group, host, user, NULL) == 0) + return PAM_SUCCESS; ++#else ++ pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support"); ++#endif + return PAM_AUTH_ERR; + } + +@@ -361,14 +370,14 @@ evaluate(pam_handle_t *pamh, int debug, + const void *rhost; + if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS) + rhost = NULL; +- return evaluate_innetgr(rhost, user, right); ++ return evaluate_innetgr(pamh, rhost, user, right); + } + /* (Rhost, user) is not in this group. */ + if (strcasecmp(qual, "notinnetgr") == 0) { + const void *rhost; + if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS) + rhost = NULL; +- return evaluate_notinnetgr(rhost, user, right); ++ return evaluate_notinnetgr(pamh, rhost, user, right); + } + /* Fail closed. */ + return PAM_SERVICE_ERR; diff --git a/package/pam/pam.002-no_yywrap.patch b/package/pam/pam.002-no_yywrap.patch new file mode 100644 index 0000000..0d73e4b --- /dev/null +++ b/package/pam/pam.002-no_yywrap.patch 
@@ -0,0 +1,26 @@ +--- a/conf/pam_conv1/pam_conv_l.c ++++ b/conf/pam_conv1/pam_conv_l.c +@@ -534,7 +534,9 @@ void yyset_lineno (int line_number ); + #ifdef __cplusplus + extern "C" int yywrap (void ); + #else +-extern int yywrap (void ); ++int yywrap (void ) { ++ return 1; ++} + #endif + #endif + +--- a/doc/specs/parse_l.c ++++ b/doc/specs/parse_l.c +@@ -520,7 +520,9 @@ void yyset_lineno (int line_number ); + #ifdef __cplusplus + extern "C" int yywrap (void ); + #else +-extern int yywrap (void ); ++int yywrap (void ) { ++ return 1; ++} + #endif + #endif + diff --git a/package/pam/pam.003-no_doc.patch b/package/pam/pam.003-no_doc.patch new file mode 100644 index 0000000..020f74d --- /dev/null +++ b/package/pam/pam.003-no_doc.patch 
@@ -0,0 +1,36 @@ +--- a/Makefile.am ++++ b/Makefile.am +@@ -5,9 +5,9 @@ + AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news + + if STATIC_MODULES +-SUBDIRS = modules libpam libpamc libpam_misc tests po conf doc examples xtests ++SUBDIRS = modules libpam libpamc libpam_misc tests po conf examples xtests + else +-SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests ++SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests + endif + + CLEANFILES = *~ +--- a/Makefile.in ++++ b/Makefile.in +@@ -74,7 +74,7 @@ RECURSIVE_CLEAN_TARGETS = mostlyclean-re + distclean-recursive maintainer-clean-recursive + ETAGS = etags + CTAGS = ctags +-DIST_SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc \ ++DIST_SUBDIRS = libpam tests libpamc libpam_misc modules po conf \ + examples xtests + DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) + distdir = $(PACKAGE)-$(VERSION) +@@ -253,8 +253,8 @@ top_build_prefix = @top_build_prefix@ + top_builddir = @top_builddir@ + top_srcdir = @top_srcdir@ + AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news +-@STATIC_MODULES_FALSE@SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests +-@STATIC_MODULES_TRUE@SUBDIRS = modules libpam libpamc libpam_misc tests po conf doc examples xtests ++@STATIC_MODULES_FALSE@SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests ++@STATIC_MODULES_TRUE@SUBDIRS = modules libpam libpamc libpam_misc tests po conf examples xtests + CLEANFILES = *~ + M4_FILES = m4/gettext.m4 m4/iconv.m4 m4/intlmacosx.m4 \ + m4/japhar_grep_cflags.m4 m4/jh_path_xml_catalog.m4 \ diff --git a/package/pam/pam.mk b/package/pam/pam.mk new file mode 100644 index 0000000..1924594 --- /dev/null +++ b/package/pam/pam.mk 
@@ -0,0 +1,30 @@ +############################################################# +# +# Linux-PAM +# +############################################################# +PAM_VERSION = 1.1.5 +PAM_SOURCE = Linux-PAM-$(PAM_VERSION).tar.bz2 +PAM_SITE = https://fedorahosted.org/releases/l/i/linux-pam/ +PAM_INSTALL_STAGING = YES +PAM_INSTALL_TARGET = YES +#PAM_DEPENDENCIES = $(if $(BR2_NEEDS_GETTEXT_IF_LOCALE),gettext) +PAM_CONF_OPT = --disable-nls --enable-shared --sbindir=/lib/security --docdir=/usr/share/doc/Linux-PAM-1.1.5 --disable-nis --enable-read-both-confs + +define PAM_POST_INSTALL_TARGET_FIXUP + +# The unix_chkpwd password-helper program must be setuid +# so that non-root processes can access the shadow-password file. + + chmod -v 4755 $(TARGET_DIR)/lib/security/unix_chkpwd + +# The pam_tally program is designed to be run by the system administrator, +# possibly in single-user mode, so it is moved to the appropriate directory. + + mv -v $(TARGET_DIR)/lib/security/pam_tally $(TARGET_DIR)/sbin + +endef + +PAM_POST_INSTALL_TARGET_HOOKS += PAM_POST_INSTALL_TARGET_FIXUP + +$(eval $(call AUTOTARGETS,package,pam))
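Review bot: in the fs/skeleton/etc/pam.d/chage hunk, `password required pam-permit.so` names a module that does not exist; the Linux-PAM module is `pam_permit.so` (underscore, as every other module name in these files). With the hyphen libpam cannot load the module, so chage's password stack returns an error rather than the "always permit" the comment above it promises. Fix the spelling, and state in the comment why an unconditional permit is acceptable for this service (chage only edits ageing fields, not the password itself), so a later reader does not copy the line into passwd or login.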
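Review bot: in the fs/skeleton/etc/pam.d/login hunk the comment and the directive for pam_securetty disagree: the comment says "Disabled by default. You will need to create /etc/securetty file for this module to function", yet `auth required pam_securetty.so` is active, and the diffstat shows no /etc/securetty being added to the skeleton. Either comment the line out as the text implies or ship a securetty file. The same hunk enables `account required pam_access.so`, `session required pam_env.so` and `session required pam_limits.so`, whose /etc/security/*.conf files are likewise not part of this patch; document where they are expected to come from (the Linux-PAM install or the skeleton) and verify on a target what each module does when its file is absent before relying on the stack. Also "disaled" in the pam_group comment should be "disabled".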
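Review bot: in package/pam/pam.000-no-innetgr.patch the `#else` branches added to pam_group.c and pam_time.c only log "does not have netgroup support" and leave `good` untouched, so when `buffer[0] == '@'` the user field is treated as matched and an `@netgroup` rule applies to every user; the pam_succeed_if.c hunks in the same patch return `PAM_AUTH_ERR` in their fallback, which is the fail-closed behaviour the other two should match. Suggest adding `good = FALSE;` (or `good &= 0;`) after each `pam_syslog(...)` in pam_group.c and pam_time.c. Separately, nothing in this series defines `HAVE_INNETGR` (the diffstat has no configure.in or configure.ac hunk), so as submitted the `#ifdef HAVE_INNETGR` blocks are compiled out unconditionally, even on a glibc toolchain that provides innetgr; an `AC_CHECK_FUNCS([innetgr])` in Linux-PAM's configure input is needed for the conditional to mean anything.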
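Review bot: package/pam/pam.002-no_yywrap.patch edits the flex-generated sources conf/pam_conv1/pam_conv_l.c and doc/specs/parse_l.c, replacing `extern int yywrap (void );` with a local definition returning 1. That change is lost as soon as flex regenerates those files from the .l inputs; the durable form is `%option noyywrap` in pam_conv_l.l and parse_l.l (or a host flex dependency in pam.mk so the generated files are rebuilt consistently). Worth a one-line comment at the top of the patch saying why the generated files are patched, as the other two patches carry.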
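Review bot: in the package/pam/Config.in hunk the option declares no dependencies and its help text is just `Linux-PAM.`; Buildroot help texts normally give a one-line description plus the upstream URL (the same one PAM_SITE in pam.mk points at), and, as the cover mail itself says, nothing ties this option to the BusyBox PAM setting, so a user can enable either one without the other. Suggest adding the URL now and, once Dmitry's BusyBox PAM option is in, a `select` or `depends on` relation between the two so an image does not end up with PAM config files and no PAM-aware login.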
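Review bot: in the package/pam/pam.mk hunk, `--docdir=/usr/share/doc/Linux-PAM-1.1.5` hardcodes the version already held in `PAM_VERSION`; use `$(PAM_VERSION)` so a bump cannot silently leave a stale path (and since pam.003-no_doc.patch drops the doc subdirectory, check whether the option is still needed at all). In `PAM_POST_INSTALL_TARGET_FIXUP`, the `chmod -v 4755 $(TARGET_DIR)/lib/security/unix_chkpwd` is the one security-sensitive step of the package: say in the comment that it is required because Buildroot installs as a non-root user, so the setuid bit `make install` would normally set is not applied, and that the file lands under /lib/security only because of `--sbindir=/lib/security`. Both the chmod and the `mv` of pam_tally abort the build if the file is missing, so either guard them with a test or keep the paths in lockstep with the configure options.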