diff options
Diffstat (limited to 'nixpkgs/pkgs/os-specific/linux/pam')
-rw-r--r-- | nixpkgs/pkgs/os-specific/linux/pam/default.nix | 72 | ||||
-rw-r--r-- | nixpkgs/pkgs/os-specific/linux/pam/musl-fix-pam_exec.patch | 33 |
2 files changed, 105 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/os-specific/linux/pam/default.nix b/nixpkgs/pkgs/os-specific/linux/pam/default.nix new file mode 100644 index 000000000000..e4429cc3bd7c --- /dev/null +++ b/nixpkgs/pkgs/os-specific/linux/pam/default.nix @@ -0,0 +1,72 @@ +{ stdenv, buildPackages, fetchurl, fetchpatch, flex, cracklib, db4 }: + +stdenv.mkDerivation rec { + pname = "linux-pam"; + version = "1.3.1"; + + src = fetchurl { + url = "https://github.com/linux-pam/linux-pam/releases/download/v1.3.1/Linux-PAM-${version}.tar.xz"; + sha256 = "1nyh9kdi3knhxcbv5v4snya0g3gff0m671lnvqcbygw3rm77mx7g"; + }; + + patches = stdenv.lib.optionals (stdenv.hostPlatform.libc == "musl") [ + (fetchpatch { + url = "https://git.alpinelinux.org/cgit/aports/plain/main/linux-pam/fix-compat.patch?id=05a62bda8ec255d7049a2bd4cf0fdc4b32bdb2cc"; + sha256 = "1h5yp5h2mqp1fcwiwwklyfpa69a3i03ya32pivs60fd7g5bqa7sf"; + }) + (fetchpatch { + url = "https://git.alpinelinux.org/cgit/aports/plain/main/linux-pam/libpam-fix-build-with-eglibc-2.16.patch?id=05a62bda8ec255d7049a2bd4cf0fdc4b32bdb2cc"; + sha256 = "1ib6shhvgzinjsc603k2x1lxh9dic6qq449fnk110gc359m23j81"; + }) + # From adelie's package repo, using local copy since it seems to be currently offline. + # (we previously used similar patch from void, but stopped working with update to 1.3.1) + ./musl-fix-pam_exec.patch + ]; + + outputs = [ "out" "doc" "man" /* "modules" */ ]; + + depsBuildBuild = [ buildPackages.stdenv.cc ]; + nativeBuildInputs = [ flex ]; + + buildInputs = [ cracklib db4 ]; + + enableParallelBuilding = true; + + postInstall = '' + mv -v $out/sbin/unix_chkpwd{,.orig} + ln -sv /run/wrappers/bin/unix_chkpwd $out/sbin/unix_chkpwd + ''; /* + rm -rf $out/etc + mkdir -p $modules/lib + mv $out/lib/security $modules/lib/ + '';*/ + # don't move modules, because libpam needs to (be able to) find them, + # which is done by dlopening $out/lib/security/pam_foo.so + # $out/etc was also missed: pam_env(login:session): Unable to open config file + + preConfigure = stdenv.lib.optionalString (stdenv.hostPlatform.libc == "musl") '' + # export ac_cv_search_crypt=no + # (taken from Alpine linux, apparently insecure but also doesn't build O:)) + # disable insecure modules + # sed -e 's/pam_rhosts//g' -i modules/Makefile.am + sed -e 's/pam_rhosts//g' -i modules/Makefile.in + ''; + + configureFlags = [ + "--includedir=${placeholder "out"}/include/security" + "--enable-sconfigdir=/etc/security" + ]; + + installFlags = [ + "SCONFIGDIR=${placeholder "out"}/etc/security" + ]; + + doCheck = false; # fails + + meta = with stdenv.lib; { + homepage = http://www.linux-pam.org/; + description = "Pluggable Authentication Modules, a flexible mechanism for authenticating user"; + platforms = platforms.linux; + license = licenses.bsd3; + }; +} diff --git a/nixpkgs/pkgs/os-specific/linux/pam/musl-fix-pam_exec.patch b/nixpkgs/pkgs/os-specific/linux/pam/musl-fix-pam_exec.patch new file mode 100644 index 000000000000..194e47b9e5b0 --- /dev/null +++ b/nixpkgs/pkgs/os-specific/linux/pam/musl-fix-pam_exec.patch @@ -0,0 +1,33 @@ +--- ./modules/pam_exec/pam_exec.c.orig ++++ ./modules/pam_exec/pam_exec.c +@@ -103,11 +103,14 @@ + int optargc; + const char *logfile = NULL; + const char *authtok = NULL; ++ char authtok_buf[PAM_MAX_RESP_SIZE+1]; ++ + pid_t pid; + int fds[2]; + int stdout_fds[2]; + FILE *stdout_file = NULL; + ++ memset(authtok_buf, 0, sizeof(authtok_buf)); + if (argc < 1) { + pam_syslog (pamh, LOG_ERR, + "This module needs at least one argument"); +@@ -180,12 +183,12 @@ + if (resp) + { + pam_set_item (pamh, PAM_AUTHTOK, resp); +- authtok = strndupa (resp, PAM_MAX_RESP_SIZE); ++ authtok = strncpy(authtok_buf, resp, sizeof(authtok_buf)); + _pam_drop (resp); + } + } + else +- authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE); ++ authtok = strncpy(authtok_buf, void_pass, sizeof(authtok_buf)); + + if (pipe(fds) != 0) + { + |