Diffstat (limited to 'nixpkgs/pkgs/os-specific/linux/pam')
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pam/default.nix72
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pam/musl-fix-pam_exec.patch33
2 files changed, 105 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/os-specific/linux/pam/default.nix b/nixpkgs/pkgs/os-specific/linux/pam/default.nix
new file mode 100644
index 000000000000..e4429cc3bd7c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam/default.nix
@@ -0,0 +1,72 @@
+{ stdenv, buildPackages, fetchurl, fetchpatch, flex, cracklib, db4 }:
+
+stdenv.mkDerivation rec {
+  pname = "linux-pam";
+  version = "1.3.1";
+
+  src = fetchurl {
+    url    = "https://github.com/linux-pam/linux-pam/releases/download/v1.3.1/Linux-PAM-${version}.tar.xz";
+    sha256 = "1nyh9kdi3knhxcbv5v4snya0g3gff0m671lnvqcbygw3rm77mx7g";
+  };
+
+  patches = stdenv.lib.optionals (stdenv.hostPlatform.libc == "musl") [
+    (fetchpatch {
+      url = "https://git.alpinelinux.org/cgit/aports/plain/main/linux-pam/fix-compat.patch?id=05a62bda8ec255d7049a2bd4cf0fdc4b32bdb2cc";
+      sha256 = "1h5yp5h2mqp1fcwiwwklyfpa69a3i03ya32pivs60fd7g5bqa7sf";
+    })
+    (fetchpatch {
+      url = "https://git.alpinelinux.org/cgit/aports/plain/main/linux-pam/libpam-fix-build-with-eglibc-2.16.patch?id=05a62bda8ec255d7049a2bd4cf0fdc4b32bdb2cc";
+      sha256 = "1ib6shhvgzinjsc603k2x1lxh9dic6qq449fnk110gc359m23j81";
+    })
+    # From adelie's package repo, using local copy since it seems to be currently offline.
+    # (we previously used similar patch from void, but stopped working with update to 1.3.1)
+    ./musl-fix-pam_exec.patch
+  ];
+
+  outputs = [ "out" "doc" "man" /* "modules" */ ];
+
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
+  nativeBuildInputs = [ flex ];
+
+  buildInputs = [ cracklib db4 ];
+
+  enableParallelBuilding = true;
+
+  postInstall = ''
+    mv -v $out/sbin/unix_chkpwd{,.orig}
+    ln -sv /run/wrappers/bin/unix_chkpwd $out/sbin/unix_chkpwd
+  ''; /*
+    rm -rf $out/etc
+    mkdir -p $modules/lib
+    mv $out/lib/security $modules/lib/
+  '';*/
+  # don't move modules, because libpam needs to (be able to) find them,
+  # which is done by dlopening $out/lib/security/pam_foo.so
+  # $out/etc was also missed: pam_env(login:session): Unable to open config file
+
+  preConfigure = stdenv.lib.optionalString (stdenv.hostPlatform.libc == "musl") ''
+      # export ac_cv_search_crypt=no
+      # (taken from Alpine linux, apparently insecure but also doesn't build O:))
+      # disable insecure modules
+      # sed -e 's/pam_rhosts//g' -i modules/Makefile.am
+      sed -e 's/pam_rhosts//g' -i modules/Makefile.in
+  '';
+
+  configureFlags = [
+    "--includedir=${placeholder "out"}/include/security"
+    "--enable-sconfigdir=/etc/security"
+  ];
+
+  installFlags = [
+    "SCONFIGDIR=${placeholder "out"}/etc/security"
+  ];
+
+  doCheck = false; # fails
+
+  meta = with stdenv.lib; {
+    homepage = http://www.linux-pam.org/;
+    description = "Pluggable Authentication Modules, a flexible mechanism for authenticating user";
+    platforms = platforms.linux;
+    license = licenses.bsd3;
+  };
+}
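Review bot: The `postInstall` step that replaces `$out/sbin/unix_chkpwd` with a symlink to `/run/wrappers/bin/unix_chkpwd` has no comment, and it is the one line in this file that makes the package depend on a path outside its own output. Presumably this is because the helper needs setuid privileges that a store path cannot carry, so the link only resolves on a system that installs that wrapper; elsewhere it dangles and non-root password checks through `unix_chkpwd` would fail. I would add a comment above the `mv`, e.g. `# unix_chkpwd must run setuid; the store cannot hold setuid files, so defer to the system's wrapper (the original is kept as unix_chkpwd.orig)`.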
diff --git a/nixpkgs/pkgs/os-specific/linux/pam/musl-fix-pam_exec.patch b/nixpkgs/pkgs/os-specific/linux/pam/musl-fix-pam_exec.patch
new file mode 100644
index 000000000000..194e47b9e5b0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam/musl-fix-pam_exec.patch
@@ -0,0 +1,33 @@
+--- ./modules/pam_exec/pam_exec.c.orig
++++ ./modules/pam_exec/pam_exec.c
+@@ -103,11 +103,14 @@
+   int optargc;
+   const char *logfile = NULL;
+   const char *authtok = NULL;
++  char authtok_buf[PAM_MAX_RESP_SIZE+1];
++
+   pid_t pid;
+   int fds[2];
+   int stdout_fds[2];
+   FILE *stdout_file = NULL;
+ 
++  memset(authtok_buf, 0, sizeof(authtok_buf));
+   if (argc < 1) {
+     pam_syslog (pamh, LOG_ERR,
+ 		"This module needs at least one argument");
+@@ -180,12 +183,12 @@
+ 	      if (resp)
+ 		{
+ 		  pam_set_item (pamh, PAM_AUTHTOK, resp);
+-		  authtok = strndupa (resp, PAM_MAX_RESP_SIZE);
++		  authtok = strncpy(authtok_buf, resp, sizeof(authtok_buf));
+ 		  _pam_drop (resp);
+ 		}
+ 	    }
+ 	  else
+-	    authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE);
++	    authtok = strncpy(authtok_buf, void_pass, sizeof(authtok_buf));
+ 
+ 	  if (pipe(fds) != 0)
+ 	    {
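Review bot: Both `strncpy(authtok_buf, ..., sizeof(authtok_buf))` calls can leave `authtok_buf` without a terminating NUL: the buffer is `PAM_MAX_RESP_SIZE+1` bytes and the bound is the full size, so a source string of that length or longer overwrites the last zero byte that the `memset` provided. The `strndupa (..., PAM_MAX_RESP_SIZE)` calls being replaced always terminated the copy, so this is a behaviour change for over-long tokens, and any later string read of `authtok` (outside this hunk) could run past the buffer. Bounding the copy one byte short keeps the terminator: `authtok = strncpy(authtok_buf, resp, sizeof(authtok_buf) - 1);`, and the same for `void_pass`. The enclosing function starts and ends outside the hunk.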
+