Add support for using filesystem caps instead of setuid w/unix_chkpwd; fix by Samuel Tan via Chromium OS.

Package-Manager: portage-2.2.20/cvs/Linux x86_64
Manifest-Sign-Key: 0xD2E96200

3 files changed, 224 insertions, 15 deletions

diff --git a/sys-libs/pam/ChangeLog b/sys-libs/pam/ChangeLog
index ed7501a5262b..9c7495ec02d5 100644
--- a/sys-libs/pam/ChangeLog
+++ b/sys-libs/pam/ChangeLog
@@ -1,6 +1,12 @@
 # ChangeLog for sys-libs/pam
 # Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-libs/pam/ChangeLog,v 1.353 2015/07/07 07:38:18 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-libs/pam/ChangeLog,v 1.354 2015/07/13 05:03:16 vapier Exp $
+
+*pam-1.2.1-r1 (13 Jul 2015)
+
+  13 Jul 2015; Mike Frysinger <vapier@gentoo.org> +pam-1.2.1-r1.ebuild:
+  Add support for using filesystem caps instead of setuid w/unix_chkpwd; fix by
+  Samuel Tan via Chromium OS.
 
 *pam-1.2.1 (07 Jul 2015)
 
diff --git a/sys-libs/pam/Manifest b/sys-libs/pam/Manifest
index 242152ac8ca3..007cdd8b76c6 100644
--- a/sys-libs/pam/Manifest
+++ b/sys-libs/pam/Manifest
@@ -23,23 +23,24 @@ EBUILD pam-1.1.8-r2.ebuild 6095 SHA256 f5f145b929656d0015c9882a6666393b227dd27c3
 EBUILD pam-1.1.8-r3.ebuild 6085 SHA256 9955ba3b4829628f47bd15e9283531977136f736d3bc9e64199434d84ac23c73 SHA512 c46935f611d4dffef13ba3ad93117816c96c9e208209c4900d4615ab04ec6b3b3da2ba4c517daf4dafe266a11ba69ad5b7f7f0320f6f8c2176e890d46e1523b1 WHIRLPOOL 0147bb5d218ae619a8268410a6416c98fb4ec41388e03835db41d0222c2991f47521280f3e0128d400709677e479303d82f9da81c219f57d0b046ff9596054ba
 EBUILD pam-1.1.8.ebuild 5539 SHA256 ecdf9732665c07a34df1c3ac87d396eb2e7082220af131ac3947a424280739b7 SHA512 ac45550b530443c529f6ce3d247779c3519b14097cb747e2096e1e359d859ab5279ea5d27f030fff136c91d1821abadec9d3e0e7a6226b2957e661fcda4237bb WHIRLPOOL 26a7d83d5e1621c5912d7715eaaceaf8d6a96f77eeede157edd482456022fa9f238294083ee6004a6fb8e6bf0aabcd81a81c4baf4e5e795644bc72fa59512705
 EBUILD pam-1.2.0.ebuild 5970 SHA256 b0a27f4e527d50e244e48d000d79b6b894743516f2e40fb79a88f61f2073d0b3 SHA512 e17d9652abc79fcc370e10a9baf5970373115e7133ecd023e7bad89ef54fa0b37ecfb51a9f256a7c1515a6cc64be9af76c8af68d5584a47115ba70f3fcb52321 WHIRLPOOL 9209cde603999d8f91e96a0ae0c0ba803e4fee1520a0c61a87933fd884ecc594a178f2e2271b4c8c544817d82a1a24305d564bd3a45f58abf03fd300373f4f59
+EBUILD pam-1.2.1-r1.ebuild 6297 SHA256 2617f2dca45007af5feba8d42bf4e3b11b69fb016d9f878ab7dee2788024dc22 SHA512 a0631d1caec6e05d19d6a10b330540b2ac05a9b113b0110877a7e6b602795626789e3f51279a8163025c2fa33105adad7ee30aca7f4d94cfb12b4aff9cb5da36 WHIRLPOOL 402714497806d4933b032125478327065b7f6f75691a2476b64300f97097b131844978c5d26b77c4ade238a23adf6ed5b0539fac035bda84d6aa9d4815008b34
 EBUILD pam-1.2.1.ebuild 6183 SHA256 ae7e55982b279ac42ce6fb145db7c60b88cbd7471ae0903a182e6d7820feffd2 SHA512 481c657756b73bcc57c5272e66afaf03e51f96e438e800eadaa73d84f3a8caaafcc4e37a7f3d419e1c1a6c16d468546bde726dd95b93e76dec18cbfb4a1d1d1c WHIRLPOOL cbfeb92a9fa2245e953acf2a912fed582685052f7fcf4a17adcefa79d72826951c1c23b8806f512fc76695bf3854ce0362ae11c3e3bfdab153650867763ec131
-MISC ChangeLog 55772 SHA256 f31913c5d5e90ff20964e480bdeb020a372e04eeafeb0e2daf121af9a21c8107 SHA512 fb70df37287b993a8448df5df29c9566f14370988dcad27f061179bc1722aa445495b5348d546ff164c67cf5f01ebb7e6010797d89edc5bf308e6475252a91bf WHIRLPOOL 1ae05e8c6609f286a735fef888012b3c999cfeb5c155d8c4ed0965a58cdbf346556578852d0e5df10d33f3b1add12e0039a4113c0e7cd42b68f5ad3ae6aceab5
+MISC ChangeLog 55984 SHA256 d98c23c5d4963951ab4af93581c2883d8ceb85309b8d59579ff76be613a9793e SHA512 b81786c09a7d3e0f5849383cb1c9ba42f9805428592ac8e78484ee7c0062304bc71cca2cfdbcc87cebd29b451dd0ebef815ce8ac64cb259b01ddec29dae48011 WHIRLPOOL f03879269fa8c32b5a05b7425c908c2a83b4d6edaf39c6869e2fa399bb4e2939d3cabb01027d58c7550cc1c16551954c465fe83bdd27d18535cc1487a5107216
 MISC metadata.xml 1218 SHA256 9ea95e669c343b7e7184d3fb3b1bbad013493bfdca0e8f184ddf4728e6b5e884 SHA512 60ae70d605f654867e4c444c7489ecd76083c286039febd71ffd18a9e120b151a47488df925ec97e6768c62e5e48068abb864a6b978abd67623fb0b6c414f248 WHIRLPOOL a96d70fd81604dd265f15672183b793d0c3f48508b317f973481c460d56ea05d917a446fd60998536f7a3d811407ca3573554f9dcdc8f45ab88dbbf7875985ab
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
-iQIcBAEBCAAGBQJVm4HqAAoJEPGu1DbS6WIAChoP/i3GchaN6olYMo5GgZvulN+j
-9EZflpJQyV94ombLdsWk5/SWWB+fI2tCeqPJJKPFpXn+PNpNkXoRR8JLSSHnI7FR
-nWnhnxoOj/vgCu7YwFXtTPp3zKkJRjd86hZxtcq3jTuTTkS9lwTPN8rGq8fL9b/D
-3KOVVuT61DcuSyWlrVR7zUlZZvwk8Kv/Ln12xJTpzjYZysjVUqHGHS4rBpcq1QZn
-cL5zYCIyEj43gMngBUentvZjq7rQw0J+umHVSP27D2W6hSqZPYE0bhjYifIJBP8M
-vMuK7089VLKg++MBxwaAtkUsuL7bl3Wx3FSVJhoKmL7hRMWtbSA+/eGLss3rS7vK
-WB94+9McbR31tRe4j+j9C/UrqeJ8pM34f1en44G5L7PXliaO/UumLKh7jaqz2BL6
-svVdZMnco2VnyjWSGIN/UY+PJwqjancbMilB5YFbCqsOX6agnTsNOsnx32s0PFkf
-Ie90sKdCsJ9mH/hJcAHt9Fdk+NSlF7KBgaNwQR18aM51LYQNNJtCUUCAqginwzbC
-fejQgTU2kGFhZ5WvLk20ToDpBXMxCCxKFGzccQ0dwNBwkwjSU53Om4Ph+yIG0ag8
-9n2J86vDJfuB81VQwjsNZ5EvNRDnTXbX4Lp8C0WisNXMzpm8eeMPSQAQ6TiI4OWM
-IDAmT12rAIz3jyJ6k5op
-=9kVe
+iQIcBAEBCAAGBQJVo0aVAAoJEPGu1DbS6WIAzUgP/2xF+mKrzeYcZAad7RM+ctoi
++0c//5FjVzwi9oxakcLxdN0leg2W9IduhNFWJZFI0/pf2KbSXeKa5lbP78r4mDqV
+i//fhQcX9pfrluX8hrOHlGYOFm4OwFCz3gczzA3AXdU5fKu7H1JRVm7PIw6yepEp
+kry9wr9w+NmYk9XuqV9czCgOW2HmXW3W/inppz8JwVsRKbHDdeeaXEn/0PvJ2uCU
+430zCAKOHtzLjvVPwsKmO19QTNV2nwaJj/Rlz7mOkmkXJxmkD4ZaZeZEK/lshef2
+K4ODlGJ3VoPMZbz7LlcHNWQyCTSaLCXBA72xZ5cbbymIri7taDCACx07+WU8kp/E
+N7IP9F7jo2nOmJyKQxV9cjBEe6tlghgu1DrBm0BJKEpX4Qt6uGE4/hlmSrUoFLxg
+3Pjfab71XxdL1FhZ2XRwkHhvyWkh8iDO4Z1JomDAsfETWuTprByF8F2+hWOWw3AE
+ASVyq/9aya0PplnBeSvCOWARcPPbN4USoxVtM1teQtRblx/Iz5Iek7JWooh/1z4b
+9GFI3JH5g49PWhpXXHG2pGO4+vy+jSCwYFALpHgadbNpSw7YO/cenWWWmSXCs9Kl
+f6b/COXtnEjpkV4D8mNrXdiE9OOvUu9Av6FAcpZh1Aw4IG/nWQpVyfEHpNXZCzvG
+4spXloYKXaJqHJq/iz2X
+=6nIb
 -----END PGP SIGNATURE-----
diff --git a/sys-libs/pam/pam-1.2.1-r1.ebuild b/sys-libs/pam/pam-1.2.1-r1.ebuild
new file mode 100644
index 000000000000..cfaff3b51bb3
--- /dev/null
+++ b/sys-libs/pam/pam-1.2.1-r1.ebuild
@@ -0,0 +1,202 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-libs/pam/pam-1.2.1-r1.ebuild,v 1.1 2015/07/13 05:03:16 vapier Exp $
+
+EAPI=5
+
+inherit libtool multilib multilib-minimal eutils pam toolchain-funcs flag-o-matic db-use fcaps
+
+MY_PN="Linux-PAM"
+MY_P="${MY_PN}-${PV}"
+
+DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)"
+HOMEPAGE="http://www.linux-pam.org/ https://fedorahosted.org/linux-pam/"
+SRC_URI="http://www.linux-pam.org/library/${MY_P}.tar.bz2
+	http://www.linux-pam.org/documentation/${MY_PN}-1.2.0-docs.tar.bz2"
+
+LICENSE="|| ( BSD GPL-2 )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~ia64-linux ~x86-linux"
+IUSE="audit berkdb cracklib debug nis nls +pie selinux test vim-syntax"
+
+RDEPEND="nls? ( >=virtual/libintl-0-r1[${MULTILIB_USEDEP}] )
+	cracklib? ( >=sys-libs/cracklib-2.9.1-r1[${MULTILIB_USEDEP}] )
+	audit? ( >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] )
+	selinux? ( >=sys-libs/libselinux-2.2.2-r4[${MULTILIB_USEDEP}] )
+	berkdb? ( >=sys-libs/db-4.8.30-r1[${MULTILIB_USEDEP}] )
+	nis? ( >=net-libs/libtirpc-0.2.4-r2[${MULTILIB_USEDEP}] )"
+DEPEND="${RDEPEND}
+	>=sys-devel/libtool-2
+	>=sys-devel/flex-2.5.39-r1[${MULTILIB_USEDEP}]
+	nls? ( sys-devel/gettext )
+	>=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]"
+PDEPEND="sys-auth/pambase
+	vim-syntax? ( app-vim/pam-syntax )"
+RDEPEND="${RDEPEND}
+	!<sys-apps/openrc-0.11.8
+	!sys-auth/openpam
+	!sys-auth/pam_userdb
+	abi_x86_32? (
+		!<=app-emulation/emul-linux-x86-baselibs-20140508-r7
+		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+	)"
+
+S="${WORKDIR}/${MY_P}"
+
+check_old_modules() {
+	local retval="0"
+
+	if sed -e 's:#.*::' "${EROOT}"/etc/pam.d/* 2>/dev/null | fgrep -q pam_stack.so; then
+		eerror ""
+		eerror "Your current setup is using the pam_stack module."
+		eerror "This module is deprecated and no longer supported, and since version"
+		eerror "0.99 is no longer installed, nor provided by any other package."
+		eerror "The package will be built (to allow binary package builds), but will"
+		eerror "not be installed."
+		eerror "Please replace pam_stack usage with proper include directive usage,"
+		eerror "following the PAM Upgrade guide at the following URL"
+		eerror "  http://www.gentoo.org/proj/en/base/pam/upgrade-0.99.xml"
+		eerror ""
+
+		retval=1
+	fi
+
+	if sed -e 's:#.*::' "${EROOT}"/etc/pam.d/* 2>/dev/null | egrep -q 'pam_(pwdb|console)'; then
+		eerror ""
+		eerror "Your current setup is using one or more of the following modules,"
+		eerror "that are not built or supported anymore:"
+		eerror "pam_pwdb, pam_console"
+		eerror "If you are in real need for these modules, please contact the maintainers"
+		eerror "of PAM through http://bugs.gentoo.org/ providing information about its"
+		eerror "use cases."
+		eerror "Please also make sure to read the PAM Upgrade guide at the following URL:"
+		eerror "  http://www.gentoo.org/proj/en/base/pam/upgrade-0.99.xml"
+		eerror ""
+
+		retval=1
+	fi
+
+	return ${retval}
+}
+
+pkg_pretend() {
+	# do not error out, this is just a warning, one could build a binpkg
+	# with old modules enabled.
+	check_old_modules
+}
+
+src_unpack() {
+	# Upstream didn't release a new doc tarball (since nothing changed?).
+	unpack ${MY_PN}-1.2.0-docs.tar.bz2
+	mv Linux-PAM-1.2.{0,1} || die
+	unpack ${MY_P}.tar.bz2
+}
+
+src_prepare() {
+	elibtoolize
+}
+
+multilib_src_configure() {
+	# Do not let user's BROWSER setting mess us up. #549684
+	unset BROWSER
+
+	# Disable automatic detection of libxcrypt; we _don't_ want the
+	# user to link libxcrypt in by default, since we won't track the
+	# dependency and allow to break PAM this way.
+	export ac_cv_header_xcrypt_h=no
+
+	local myconf=(
+		--docdir='$(datarootdir)'/doc/${PF}
+		--htmldir='$(docdir)/html'
+		--libdir='$(prefix)'/$(get_libdir)
+		--enable-securedir="${EPREFIX}"/$(get_libdir)/security
+		--enable-isadir='.' #464016
+		$(use_enable nls)
+		$(use_enable selinux)
+		$(use_enable cracklib)
+		$(use_enable audit)
+		$(use_enable debug)
+		$(use_enable berkdb db)
+		$(use_enable nis)
+		$(use_enable pie)
+		--with-db-uniquename=-$(db_findver sys-libs/db)
+		--disable-prelude
+	)
+
+	ECONF_SOURCE=${S} \
+	econf "${myconf[@]}"
+}
+
+multilib_src_compile() {
+	emake sepermitlockdir="${EPREFIX}/run/sepermit"
+}
+
+multilib_src_install() {
+	emake DESTDIR="${D}" install \
+		sepermitlockdir="${EPREFIX}/run/sepermit"
+
+	local prefix
+	if multilib_is_native_abi; then
+		prefix=
+		gen_usr_ldscript -a pam pamc pam_misc
+	else
+		prefix=/usr
+	fi
+
+	# create extra symlinks just in case something depends on them...
+	local lib
+	for lib in pam pamc pam_misc; do
+		if ! [[ -f "${ED}"${prefix}/$(get_libdir)/lib${lib}$(get_libname) ]]; then
+			dosym lib${lib}$(get_libname 0) ${prefix}/$(get_libdir)/lib${lib}$(get_libname)
+		fi
+	done
+}
+
+DOCS=( CHANGELOG ChangeLog README AUTHORS Copyright NEWS )
+
+multilib_src_install_all() {
+	einstalldocs
+	prune_libtool_files --all
+
+	docinto modules
+	local dir
+	for dir in modules/pam_*; do
+		newdoc "${dir}"/README README."$(basename "${dir}")"
+	done
+
+	if use selinux; then
+		dodir /usr/lib/tmpfiles.d
+		cat - > "${D}"/usr/lib/tmpfiles.d/${CATEGORY}:${PN}:${SLOT}.conf <<EOF
+d /run/sepermit 0755 root root
+EOF
+	fi
+}
+
+pkg_preinst() {
+	check_old_modules || die "deprecated PAM modules still used"
+}
+
+pkg_postinst() {
+	ewarn "Some software with pre-loaded PAM libraries might experience"
+	ewarn "warnings or failures related to missing symbols and/or versions"
+	ewarn "after any update. While unfortunate this is a limit of the"
+	ewarn "implementation of PAM and the software, and it requires you to"
+	ewarn "restart the software manually after the update."
+	ewarn ""
+	ewarn "You can get a list of such software running a command like"
+	ewarn "  lsof / | egrep -i 'del.*libpam\\.so'"
+	ewarn ""
+	ewarn "Alternatively, simply reboot your system."
+	if [[ -x "${EROOT}"/var/log/tallylog ]] ; then
+		elog ""
+		elog "Because of a bug present up to version 1.1.1-r2, you have"
+		elog "an executable /var/log/tallylog file. You can safely"
+		elog "correct it by running the command"
+		elog "  chmod -x /var/log/tallylog"
+		elog ""
+	fi
+
+	# The pam_unix module needs to check the password of the user which requires
+	# read access to /etc/shadow only.
+	fcaps cap_dac_override sbin/unix_chkpwd
+}