Diffstat (limited to 'system/linux-pam')
-rw-r--r--system/linux-pam/APKBUILD91
-rw-r--r--system/linux-pam/base-account.pamd3
-rw-r--r--system/linux-pam/base-auth.pamd5
-rw-r--r--system/linux-pam/base-password.pamd3
-rw-r--r--system/linux-pam/base-session-noninteractive.pamd4
-rw-r--r--system/linux-pam/base-session.pamd4
-rw-r--r--system/linux-pam/fix-compat.patch21
-rw-r--r--system/linux-pam/libpam-fix-build-with-eglibc-2.16.patch10
-rw-r--r--system/linux-pam/musl-fix-pam_exec.patch31
-rw-r--r--system/linux-pam/other.pamd6
-rw-r--r--system/linux-pam/su.pamd6
11 files changed, 184 insertions, 0 deletions
diff --git a/system/linux-pam/APKBUILD b/system/linux-pam/APKBUILD
new file mode 100644
index 000000000..f55963c5c
--- /dev/null
+++ b/system/linux-pam/APKBUILD
@@ -0,0 +1,91 @@
+# Contributor: William Pitcock <nenolod@dereferenced.org>
+# Maintainer: William Pitcock <nenolod@dereferenced.org>
+pkgname=linux-pam
+pkgver=1.3.0
+pkgrel=1
+pkgdesc="pluggable authentication modules for linux"
+url="http://www.kernel.org/pub/linux/libs/pam"
+arch="all"
+license="BSD"
+depends_dev="gettext-dev"
+makedepends_host="$depends_dev"
+makedepends_build="$depends_dev bison flex-dev autoconf automake libtool"
+makedepends="$makedepends_host $makedepends_build"
+options="suid !check"
+subpackages="$pkgname-dev $pkgname-doc"
+source="http://linux-pam.org/library/Linux-PAM-$pkgver.tar.bz2
+ fix-compat.patch
+ libpam-fix-build-with-eglibc-2.16.patch
+ musl-fix-pam_exec.patch
+
+ base-auth.pamd
+ base-account.pamd
+ base-password.pamd
+ base-session.pamd
+ base-session-noninteractive.pamd
+ other.pamd
+ su.pamd
+ "
+
+builddir="$srcdir"/Linux-PAM-$pkgver
+prepare() {
+ cd "$builddir"
+ default_prepare
+ # disable insecure modules
+ sed -e 's/pam_rhosts//g' -i modules/Makefile.am
+}
+
+build() {
+ cd "$builddir"
+ autoreconf -vif
+ [ "$CLIBC" = "musl" ] && export ac_cv_search_crypt=no
+ ./configure \
+ --build=$CBUILD \
+ --host=$CHOST \
+ --prefix=/usr \
+ --libdir=/lib \
+ --sysconfdir=/etc \
+ --mandir=/usr/share/man \
+ --infodir=/usr/share/info \
+ --localstatedir=/var \
+ --disable-nls \
+ --disable-db
+ make
+}
+
+package() {
+ cd "$builddir"
+ make DESTDIR="$pkgdir" install
+
+ # do not install pam.d files bundled with the source, they could be broken
+ rm -rf "$pkgdir"/etc/pam.d
+
+ # install our pam.d files
+ mkdir "$pkgdir"/etc/pam.d
+ for i in $source; do
+ case $i in
+ *.pamd)
+ basename=$(echo $i | cut -d. -f1)
+ cp "$srcdir"/$i "$pkgdir"/etc/pam.d/"$basename"
+ # ensure users can use PAM services without SUID
+ chmod 644 "$pkgdir"/etc/pam.d/"$basename"
+ ;;
+ esac
+ done
+
+ # delete pointless libtool archives.
+ chgrp shadow "$pkgdir"/sbin/unix_chkpwd \
+ && chmod g+s "$pkgdir"/sbin/unix_chkpwd
+}
+
+sha512sums="4a89ca4b6f4676107aca4018f7c11addf03495266b209cb11c913f8b5d191d9a1f72197715dcf2a69216b4036de88780bcbbb5a8652e386910d71ba1b6282e42 Linux-PAM-1.3.0.tar.bz2
+52b97e23084f7b835ce1fa441663f91a50ea797cb38ba2c6662bcdaf0d25ba487118442674ac347fb17353af126dd6b3b696612faa56cac428dd842d14e1c90d fix-compat.patch
+f49edf3876cc6bcb87bbea4e7beaeb0a382d596898c755f5fbaf6c2ed4e0c8f082b2cd16dde8a74af82bb09a1334f463e07a4bb5b8a48f023ff90a67ad2fdd44 libpam-fix-build-with-eglibc-2.16.patch
+bc443d2a9b1d90b81959ce6fa154042365d5e7840f8696f847a145bbaaeffcbe1e9cd2b8ba76131a7b48737929e281f4fe864582fa4fc40315f2d10c650e0cd9 musl-fix-pam_exec.patch
+0672ab21adb969af2a0082e2559f1196d8a4f8b1cff2836f97e5f24edb03b6aed156c61cf335a4df978e423dcd9934ffee8cb5784ed5dde704d7e5ddec4ba9f6 base-auth.pamd
+85462201a4044c7e170e617d39b0eceb4790abc6c0504999117548030a16d80a9d2078d1ad97690d7d346e6374201f0c52e792ccb08ce2b1c4bbf0cc2be96f5b base-account.pamd
+8223b815148c3b9b874d2c283840f6428c266e56c7cf49ce8fc508c4945ae31c837bef96dab17f64a60812d1c9cd0055cf0a50d7951d23070b69bd2e5bb9666d base-password.pamd
+b0138f662715974bd865d755c5e7d403faf5b9ad1b7e2b1d1598ad7eb5764a9ff407f1a5e6ce7f16db9fc10f8d643323b494563416fd6a654032529b52213c5b base-session.pamd
+444e20046843057b17c0aac14d2b71a68923b989b3d8b478bbf684698673683186e928e5ca2e6cb9a1c76abc4248044a0e10ef6b06b3f51857106796ecce250d base-session-noninteractive.pamd
+d103ba06b2c4929171e09c845f9866539220cd20d8d56a03d25850342ef5eabe281e958dfe1eaefd550c00f9440e8700c1d74c88c3001f933134ca6fd7cb9b7b other.pamd
+b512d691f2a6b11fc329bf91dd05ca9c589bbd444308b27d3c87c75262dedf6afc68a9739229249a4bd3d0c43cb1f871eecbb93c4fe559e0f38bdabbffd06ad7 su.pamd"
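Review bot: The comment `# delete pointless libtool archives.` near the end of package() sits directly above the `chgrp shadow` / `chmod g+s` on `sbin/unix_chkpwd`, so the one privilege-granting step in the package is mislabelled, and no `.la` files are removed anywhere in the function. I would replace it with `# unix_chkpwd is setgid shadow, presumably so it can read the shadow file for unprivileged callers`, and add the libtool-archive deletion as its own step if it is still wanted. Separately, `options="suid !check"` turns the test suite off for an authentication library; a one-line comment giving the reason would help the next maintainer.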
diff --git a/system/linux-pam/base-account.pamd b/system/linux-pam/base-account.pamd
new file mode 100644
index 000000000..591092944
--- /dev/null
+++ b/system/linux-pam/base-account.pamd
@@ -0,0 +1,3 @@
+# basic PAM configuration for Alpine.
+
+account required pam_unix.so
diff --git a/system/linux-pam/base-auth.pamd b/system/linux-pam/base-auth.pamd
new file mode 100644
index 000000000..012445aa3
--- /dev/null
+++ b/system/linux-pam/base-auth.pamd
@@ -0,0 +1,5 @@
+# basic PAM configuration for Alpine.
+
+auth required pam_env.so
+auth required pam_unix.so nullok_secure
+auth required pam_nologin.so successok
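Review bot: `nullok_secure` on the `pam_unix.so` line is, as far as I know, an option added by a Debian patch rather than by upstream Linux-PAM, and none of the three patches listed in this commit's APKBUILD adds it. If that holds for this 1.3.0 build, pam_unix will treat it as an unrecognised option and ignore it, so the empty-password policy is whatever the module default is rather than what the line says. State the policy explicitly, `auth required pam_unix.so` to refuse empty passwords or `auth required pam_unix.so nullok` to allow them, and add a comment saying which was intended.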
diff --git a/system/linux-pam/base-password.pamd b/system/linux-pam/base-password.pamd
new file mode 100644
index 000000000..a146a93fe
--- /dev/null
+++ b/system/linux-pam/base-password.pamd
@@ -0,0 +1,3 @@
+# basic PAM configuration for Alpine.
+
+password required pam_unix.so nullok obscure md5 sha512
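Review bot: The `pam_unix.so` line names two hash algorithms, `md5` and `sha512`, so which one new passwords get depends on how pam_unix resolves conflicting options. I believe the later one wins, but the file should not rely on that. Dropping `md5` makes it unambiguous: `password required pam_unix.so nullok sha512`. `obscure` looks like another Debian-only option and is probably ignored by this upstream build, so the password-strength check it implies may not be running; that is worth confirming and documenting in a comment.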
diff --git a/system/linux-pam/base-session-noninteractive.pamd b/system/linux-pam/base-session-noninteractive.pamd
new file mode 100644
index 000000000..85e07d594
--- /dev/null
+++ b/system/linux-pam/base-session-noninteractive.pamd
@@ -0,0 +1,4 @@
+# basic PAM configuration for Alpine.
+
+session required pam_limits.so
+session required pam_unix.so
diff --git a/system/linux-pam/base-session.pamd b/system/linux-pam/base-session.pamd
new file mode 100644
index 000000000..bf5bcb734
--- /dev/null
+++ b/system/linux-pam/base-session.pamd
@@ -0,0 +1,4 @@
+# basic PAM configuration for Alpine.
+
+session include base-session-noninteractive
+session required pam_motd.so
diff --git a/system/linux-pam/fix-compat.patch b/system/linux-pam/fix-compat.patch
new file mode 100644
index 000000000..4096c3a47
--- /dev/null
+++ b/system/linux-pam/fix-compat.patch
@@ -0,0 +1,21 @@
+--- Linux-PAM-1.1.6.orig/modules/pam_lastlog/pam_lastlog.c
++++ Linux-PAM-1.1.6/modules/pam_lastlog/pam_lastlog.c
+@@ -10,6 +10,7 @@
+
+ #include "config.h"
+
++#include <paths.h>
+ #include <fcntl.h>
+ #include <time.h>
+ #include <errno.h>
+@@ -48,6 +49,10 @@
+
+ #ifndef _PATH_BTMP
+ # define _PATH_BTMP "/var/log/btmp"
++#endif
++
++#ifndef __GLIBC__
++#define logwtmp(args...)
+ #endif
+
+ /* XXX - time before ignoring lock. Is 1 sec enough? */
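Review bot: `#define logwtmp(args...)` in the second nested hunk turns every logwtmp() call in pam_lastlog.c into a no-op on any non-glibc libc, so the login record the module would write through that call is silently never written on such builds. That is a loss of audit data for anyone who relies on those records, and nothing in the patch or the APKBUILD says so. A comment above the define, such as `/* no logwtmp() outside glibc: login records are NOT written */`, would make the trade-off deliberate. The named-variadic form `args...` is a GNU extension, and `#define logwtmp(...)` is the standard spelling. The nested headers also name Linux-PAM-1.1.6 while the package is 1.3.0, so it is worth confirming the patch still applies without fuzz.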
diff --git a/system/linux-pam/libpam-fix-build-with-eglibc-2.16.patch b/system/linux-pam/libpam-fix-build-with-eglibc-2.16.patch
new file mode 100644
index 000000000..1a0716598
--- /dev/null
+++ b/system/linux-pam/libpam-fix-build-with-eglibc-2.16.patch
@@ -0,0 +1,10 @@
+--- Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c.orig
++++ Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c
+@@ -47,6 +47,7 @@
+ #include <time.h> /* for time() */
+ #include <errno.h>
+ #include <sys/wait.h>
++#include <sys/resource.h>
+
+ #include <security/_pam_macros.h>
+
diff --git a/system/linux-pam/musl-fix-pam_exec.patch b/system/linux-pam/musl-fix-pam_exec.patch
new file mode 100644
index 000000000..b6b999fae
--- /dev/null
+++ b/system/linux-pam/musl-fix-pam_exec.patch
@@ -0,0 +1,31 @@
+--- ./modules/pam_exec/pam_exec.c.orig
++++ ./modules/pam_exec/pam_exec.c
+@@ -103,11 +103,14 @@
+ int optargc;
+ const char *logfile = NULL;
+ const char *authtok = NULL;
++ char authtok_buf[PAM_MAX_RESP_SIZE+1];
++
+ pid_t pid;
+ int fds[2];
+ int stdout_fds[2];
+ FILE *stdout_file = NULL;
+
++ memset(authtok_buf, 0, sizeof(authtok_buf));
+ if (argc < 1) {
+ pam_syslog (pamh, LOG_ERR,
+ "This module needs at least one argument");
+@@ -178,11 +181,11 @@
+ }
+
+ pam_set_item (pamh, PAM_AUTHTOK, resp);
+- authtok = strndupa (resp, PAM_MAX_RESP_SIZE);
++ authtok = strncpy(authtok_buf, resp, sizeof(authtok_buf));
+ _pam_drop (resp);
+ }
+ else
+- authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE);
++ authtok = strncpy(authtok_buf, void_pass, sizeof(authtok_buf));
+
+ if (pipe(fds) != 0)
+ {
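Review bot: Both new `strncpy(authtok_buf, ..., sizeof(authtok_buf))` calls can leave `authtok_buf` without a terminating NUL. The buffer is `PAM_MAX_RESP_SIZE+1` bytes and strncpy does not terminate when the source is at least that long, whereas the removed `strndupa(..., PAM_MAX_RESP_SIZE)` always did. Any later string operation on `authtok` (the rest of the function is outside the hunk) would then read past the buffer. Since the buffer is already zeroed by the added memset, bounding the copy to one byte less restores the old guarantee: `authtok = strncpy(authtok_buf, resp, sizeof(authtok_buf) - 1);` and the same for `void_pass`. The buffer holds the user's password, so clearing it before the function returns would also be worthwhile if the surrounding code does not already do so.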
diff --git a/system/linux-pam/other.pamd b/system/linux-pam/other.pamd
new file mode 100644
index 000000000..8c9797e71
--- /dev/null
+++ b/system/linux-pam/other.pamd
@@ -0,0 +1,6 @@
+# basic PAM configuration for Alpine.
+
+auth include base-auth
+account include base-account
+password include base-password
+session include base-session-noninteractive
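Review bot: The `other` fallback applies to every PAM-aware service that ships no file of its own, and here it includes the normal `base-*` stacks, so it grants such services full pam_unix authentication. An unknown or misconfigured service therefore fails open to password login instead of failing closed. The usual hardening is to make the fallback deny, for example `auth required pam_deny.so` and the same for `account`, `password` and `session`, optionally preceded by `pam_warn.so` so the attempt is logged. If the permissive default is intentional for this distribution, a comment in the file saying so would prevent it from being mistaken for an oversight.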
diff --git a/system/linux-pam/su.pamd b/system/linux-pam/su.pamd
new file mode 100644
index 000000000..84f2ae7ea
--- /dev/null
+++ b/system/linux-pam/su.pamd
@@ -0,0 +1,6 @@
+# basic PAM configuration for Alpine.
+auth sufficient pam_rootok.so
+auth include base-auth
+account include base-account
+password include base-password
+session include base-session-noninteractive