Diffstat (limited to 'import-layers/yocto-poky/meta/recipes-extended/pam')
18 files changed, 1516 insertions, 0 deletions
diff --git a/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/0001-Add-support-for-defining-missing-funcitonality.patch b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/0001-Add-support-for-defining-missing-funcitonality.patch new file mode 100644 index 000000000..c55b64813 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/0001-Add-support-for-defining-missing-funcitonality.patch 
@@ -0,0 +1,68 @@ +From 45d1ed58927593968faead7dbb295f3922f41a2f Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Sat, 8 Aug 2015 14:16:43 -0700 +Subject: [PATCH] Add support for defining missing funcitonality + +In order to support alternative libc on linux ( musl, bioninc ) etc we +need to check for glibc-only features and provide alternatives, in this +list strndupa is first one, when configure detects that its not included +in system C library then the altrnative implementation from missing.h is +used + +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- +Upstream-Status: Pending + + configure.ac | 3 +++ + libpam/include/missing.h | 12 ++++++++++++ + modules/pam_exec/pam_exec.c | 1 + + 3 files changed, 16 insertions(+) + create mode 100644 libpam/include/missing.h + +diff --git a/configure.ac b/configure.ac +index 9e1257f..cbed979 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -599,6 +599,9 @@ dnl + AC_CHECK_DECL(__NR_keyctl, [have_key_syscalls=1],[have_key_syscalls=0],[#include <sys/syscall.h>]) + AC_CHECK_DECL(ENOKEY, [have_key_errors=1],[have_key_errors=0],[#include <errno.h>]) + ++# musl and bionic don't have strndupa ++AC_CHECK_DECLS_ONCE([strndupa]) ++ + HAVE_KEY_MANAGEMENT=0 + if test $have_key_syscalls$have_key_errors = 11 + then +diff --git a/libpam/include/missing.h b/libpam/include/missing.h +new file mode 100644 +index 0000000..3cf011c +--- /dev/null ++++ b/libpam/include/missing.h +@@ -0,0 +1,12 @@ ++#pragma once ++ ++#if !HAVE_DECL_STRNDUPA ++#define strndupa(s, n) \ ++ ({ \ ++ const char *__old = (s); \ ++ size_t __len = strnlen(__old, (n)); \ ++ char *__new = alloca(__len + 1); \ ++ __new[__len] = '\0'; \ ++ memcpy(__new, __old, __len); \ ++ }) ++#endif +diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c +index 17ba6ca..3aa2694 100644 +--- a/modules/pam_exec/pam_exec.c ++++ b/modules/pam_exec/pam_exec.c +@@ -59,6 +59,7 @@ + #include <security/pam_modutil.h> + #include <security/pam_ext.h> + #include 
<security/_pam_macros.h> ++#include <missing.h> + + #define ENV_ITEM(n) { (n), #n } + static struct { +-- +2.1.4 + diff --git a/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/99_pam b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/99_pam new file mode 100644 index 000000000..97e990d10 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/99_pam @@ -0,0 +1 @@ +d root root 0755 /var/run/sepermit none diff --git a/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/crypt_configure.patch b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/crypt_configure.patch new file mode 100644 index 000000000..bec82a5f1 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/crypt_configure.patch @@ -0,0 +1,31 @@ +This patch fixes a case where it find crypt defined in libc (musl) but +not in specified libraries then it ends up assigning + +LIBCRYPT="-l" which then goes into makefile cause all sort of problems +e.g. + +ld: cannot find -l-m32 +| collect2: error: ld returned 1 exit status + +The reason is that -l appears on commandline with out any library and +compiler treats the next argument as library name whatever it is. + + +Upstream-Status: Pending +Signed-off-by: Khem Raj <raj.khem@gmail.com> + +Index: Linux-PAM-1.1.6/configure.in +=================================================================== +--- Linux-PAM-1.1.6.org/configure.ac ++++ Linux-PAM-1.1.6/configure.ac +@@ -400,7 +400,9 @@ AS_IF([test "x$ac_cv_header_xcrypt_h" = + [crypt_libs="crypt"]) + + BACKUP_LIBS=$LIBS +-AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="-l$ac_lib", LIBCRYPT="") ++AC_SEARCH_LIBS([crypt],[$crypt_libs], ++ [test "$ac_cv_search_crypt" = "none required" || ++ LIBCRYPT="$ac_cv_search_crypt"]) + AC_CHECK_FUNCS(crypt_r crypt_gensalt_r) + LIBS=$BACKUP_LIBS + AC_SUBST(LIBCRYPT) 
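Review bot: The new libpam/include/missing.h defines strndupa in terms of strnlen, alloca, memcpy and size_t but includes none of <string.h>, <alloca.h> or <stddef.h>, so it only compiles when the including file has already pulled those in; adding those includes under the `#if !HAVE_DECL_STRNDUPA` would make the header self-contained. The guard also depends on HAVE_DECL_STRNDUPA, which AC_CHECK_DECLS_ONCE writes to config.h, so missing.h has to be included after config.h — the pam_exec.c hunk places `#include <missing.h>` after the security/ headers, which presumably works only because config.h is already included earlier in that file (not visible here). The `__old`, `__len` and `__new` locals are in the namespace reserved for the implementation; a non-reserved prefix such as `pam_old_`/`pam_len_`/`pam_new_` avoids that, even though the glibc original uses the same names.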
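Review bot: In crypt_configure.patch the header reads `Index: Linux-PAM-1.1.6/configure.in` while the `---`/`+++` lines name configure.ac, which is the file the hunk actually modifies; the Index line should say configure.ac so readers and tools that go by it find the right file. The configure change itself matches the description.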
diff --git a/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/fixsepbuild.patch b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/fixsepbuild.patch new file mode 100644 index 000000000..8a9c3b2fa --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/fixsepbuild.patch 
@@ -0,0 +1,24 @@ +Fix the build error when a separate build directory is used: + +Making install in xtestsmake[1]: Entering directory `/media/build1/poky/build1/tmp/work/i586-poky-linux/libpam/1.1.6-r2/build/xtests'/usr/bin/install -c -d /media/build1/poky/build1/tmp/work/i586-poky-linux/libpam/1.1.6-r2/image/usr/share/Linux-PAM/xtestsfor file in run-xtests.sh tst-pam_dispatch1.pamd tst-pam_dispatch2.pamd tst-pam_dispatch3.pamd tst-pam_dispatch4.pamd tst-pam_dispatch5.pamd tst-pam_cracklib1.pamd tst-pam_cracklib2.pamd tst-pam_unix1.pamd tst-pam_unix2.pamd tst-pam_unix3.pamd tst-pam_unix4.pamd tst-pam_unix1.sh tst-pam_unix2.sh tst-pam_unix3.sh tst-pam_unix4.sh access.conf tst-pam_access1.pamd tst-pam_access1.sh tst-pam_access2.pamd tst-pam_access2.sh tst-pam_access3.pamd tst-pam_access3.sh tst-pam_access4.pamd tst-pam_access4.sh limits.conf tst-pam_limits1.pamd tst-pam_limits1.sh tst-pam_succeed_if1.pamd tst-pam_succeed_if1.sh group.conf tst-pam_group1.pamd tst-pam_group1.sh tst-pam_authfail.pamd tst-pam_authsucceed.pamd tst-pam_substack1.pamd tst-pam_substack1a.pamd tst-pam_substack1.sh tst-pam_substack2.pamd tst-pam_substack2a.pamd tst-pam_substack2.sh tst-pam_substack3.pamd tst-pam_substack3a.pamd tst-pam_substack3.sh tst-pam_substack4.pamd tst-pam_substack4a.pamd tst-pam_substack4.sh tst-pam_substack5.pamd tst-pam_substack5a.pamd tst-pam_substack5.sh tst-pam_assemble_line1.pamd tst-pam_assemble_line1.sh tst-pam_pwhistory1.pamd tst-pam_pwhistory1.sh tst-pam_time1.pamd time.conf ; do \/usr/bin/install -c $file /media/build1/poky/build1/tmp/work/i586-poky-linux/libpam/1.1.6-r2/image/usr/share/Linux-PAM/xtests ; \ done +/usr/bin/install: cannot stat `run-xtests.sh': No such file or directory +/usr/bin/install: cannot stat `tst-pam_dispatch1.pamd': No such file or directory +/usr/bin/install: cannot stat `tst-pam_dispatch2.pamd': No such file or directory + +Upstream-Status: Pending + +RP 2013/03/21 + +Index: Linux-PAM-1.1.6/xtests/Makefile.am 
+=================================================================== +--- Linux-PAM-1.1.6.orig/xtests/Makefile.am 2013-03-08 12:26:30.360266000 +0000 ++++ Linux-PAM-1.1.6/xtests/Makefile.am 2013-03-21 11:39:58.557166650 +0000 +@@ -59,7 +59,7 @@ + install_xtests: + $(INSTALL) -d $(DESTDIR)$(pkgdatadir)/xtests + for file in $(EXTRA_DIST) ; do \ +- $(INSTALL) $$file $(DESTDIR)$(pkgdatadir)/xtests ; \ ++ $(INSTALL) $(srcdir)/$$file $(DESTDIR)$(pkgdatadir)/xtests ; \ + done + for file in $(XTESTS); do \ + $(INSTALL) .libs/$$file $(DESTDIR)$(pkgdatadir)/xtests ; \ diff --git a/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/include_paths_header.patch b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/include_paths_header.patch new file mode 100644 index 000000000..e4eb95669 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/include_paths_header.patch 
@@ -0,0 +1,59 @@ +This patch adds missing include for paths.h which should provide +_PATH_LASTLOG definition + +Upstream-Status: Pending + +Signed-off-by: Khem Raj <raj.khem@gmail.com> +Index: Linux-PAM-1.1.6/modules/pam_lastlog/pam_lastlog.c +=================================================================== +--- Linux-PAM-1.1.6.orig/modules/pam_lastlog/pam_lastlog.c ++++ Linux-PAM-1.1.6/modules/pam_lastlog/pam_lastlog.c +@@ -23,9 +23,11 @@ + #include <stdarg.h> + #include <stdio.h> + #include <string.h> ++#include <sys/file.h> + #include <sys/types.h> + #include <syslog.h> + #include <unistd.h> ++#include <paths.h> + + #if defined(hpux) || defined(sunos) || defined(solaris) + # ifndef _PATH_LASTLOG +@@ -332,6 +334,23 @@ last_login_read(pam_handle_t *pamh, int + return retval; + } + ++#ifndef __GLIBC__ ++static void logwtmp(const char * line, const char * name, const char * host) ++{ ++ struct utmp u; ++ memset(&u, 0, sizeof(u)); ++ ++ u.ut_pid = getpid(); ++ u.ut_type = name[0] ? USER_PROCESS : DEAD_PROCESS; ++ strncpy(u.ut_line, line, sizeof(u.ut_line)); ++ strncpy(u.ut_name, name, sizeof(u.ut_name)); ++ strncpy(u.ut_host, host, sizeof(u.ut_host)); ++ gettimeofday(&(u.ut_tv), NULL); ++ ++ updwtmp(_PATH_WTMP, &u); ++} ++#endif /* __GLIBC__ */ ++ + static int + last_login_write(pam_handle_t *pamh, int announce, int last_fd, + uid_t uid, const char *user) +Index: Linux-PAM-1.1.6/modules/Makefile.am +=================================================================== +--- Linux-PAM-1.1.6.orig/modules/Makefile.am ++++ Linux-PAM-1.1.6/modules/Makefile.am +@@ -7,7 +7,7 @@ SUBDIRS = pam_access pam_cracklib pam_de + pam_group pam_issue pam_keyinit pam_lastlog pam_limits \ + pam_listfile pam_localuser pam_loginuid pam_mail \ + pam_mkhomedir pam_motd pam_namespace pam_nologin \ +- pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \ ++ pam_permit pam_pwhistory pam_rootok pam_securetty \ + pam_selinux pam_sepermit pam_shells pam_stress \ + pam_succeed_if 
pam_tally pam_tally2 pam_time pam_timestamp \ + pam_tty_audit pam_umask \ diff --git a/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/libpam-xtests-remove-bash-dependency.patch b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/libpam-xtests-remove-bash-dependency.patch new file mode 100644 index 000000000..680029ae0 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/libpam-xtests-remove-bash-dependency.patch 
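Review bot: The non-glibc logwtmp() fallback added to pam_lastlog.c uses struct utmp, updwtmp, _PATH_WTMP and gettimeofday, but the hunk only adds `#include <sys/file.h>` and `#include <paths.h>`; it compiles only if pam_lastlog.c already includes <utmp.h> and <sys/time.h> above the visible context, which cannot be confirmed from this hunk, so those includes should be added next to the new ones or the dependency noted in the patch description. The fallback also dereferences `name[0]` and passes `host` straight to strncpy with no NULL check; glibc's own logwtmp behaves the same, so this is only worth a guard such as `host ? host : ""` if a caller in this module can pass a NULL rhost. Separately, the modules/Makefile.am hunk drops pam_rhosts from SUBDIRS, which the description ("adds missing include for paths.h") does not mention; the reason belongs in the description so the change is not lost on the next rebase.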
@@ -0,0 +1,226 @@ +From 555407ff6e2f742df64ae93859f14a0fc1397829 Mon Sep 17 00:00:00 2001 +From: Wenzong Fan <wenzong.fan@windriver.com> +Date: Fri, 12 Sep 2014 05:35:05 -0400 +Subject: [PATCH] libpam/xtests: remove bash dependency + +There's not bash specific syntax in the xtest scripts: + + # after below patches applied: + $ cd Linux-PAM-1.1.6/xtests + $ checkbashisms *.sh + No output + +Just remove the runtime dependency to bash. + +Upstream-Status: Pending + +Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> +--- + xtests/run-xtests.sh | 2 +- + xtests/tst-pam_access1.sh | 2 +- + xtests/tst-pam_access2.sh | 2 +- + xtests/tst-pam_access3.sh | 2 +- + xtests/tst-pam_access4.sh | 2 +- + xtests/tst-pam_assemble_line1.sh | 2 +- + xtests/tst-pam_group1.sh | 2 +- + xtests/tst-pam_limits1.sh | 2 +- + xtests/tst-pam_pwhistory1.sh | 2 +- + xtests/tst-pam_substack1.sh | 2 +- + xtests/tst-pam_substack2.sh | 2 +- + xtests/tst-pam_substack3.sh | 2 +- + xtests/tst-pam_substack4.sh | 2 +- + xtests/tst-pam_substack5.sh | 2 +- + xtests/tst-pam_succeed_if1.sh | 2 +- + xtests/tst-pam_unix1.sh | 2 +- + xtests/tst-pam_unix2.sh | 2 +- + xtests/tst-pam_unix3.sh | 2 +- + xtests/tst-pam_unix4.sh | 2 +- + 19 files changed, 19 insertions(+), 19 deletions(-) + +diff --git a/xtests/run-xtests.sh b/xtests/run-xtests.sh +index 3a89057..1cf8684 100755 +--- a/xtests/run-xtests.sh ++++ b/xtests/run-xtests.sh +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + SRCDIR=$1 + shift 1 +diff --git a/xtests/tst-pam_access1.sh b/xtests/tst-pam_access1.sh +index 180d256..70521d2 100755 +--- a/xtests/tst-pam_access1.sh ++++ b/xtests/tst-pam_access1.sh +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + /usr/sbin/groupadd tstpamaccess + /usr/sbin/useradd -G tstpamaccess -p '!!' 
tstpamaccess1 +diff --git a/xtests/tst-pam_access2.sh b/xtests/tst-pam_access2.sh +index 0a30275..7e3e60f 100755 +--- a/xtests/tst-pam_access2.sh ++++ b/xtests/tst-pam_access2.sh +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + /usr/sbin/groupadd tstpamaccess + /usr/sbin/useradd -p '!!' tstpamaccess2 +diff --git a/xtests/tst-pam_access3.sh b/xtests/tst-pam_access3.sh +index 348e0c3..3630e2e 100755 +--- a/xtests/tst-pam_access3.sh ++++ b/xtests/tst-pam_access3.sh +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + /usr/sbin/useradd -p '!!' tstpamaccess3 + ./tst-pam_access3 +diff --git a/xtests/tst-pam_access4.sh b/xtests/tst-pam_access4.sh +index 61e7b44..4538df4 100755 +--- a/xtests/tst-pam_access4.sh ++++ b/xtests/tst-pam_access4.sh +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + /usr/sbin/useradd -p '!!' tstpamaccess4 + ./tst-pam_access4 +diff --git a/xtests/tst-pam_assemble_line1.sh b/xtests/tst-pam_assemble_line1.sh +index 248d47e..dc2a675 100755 +--- a/xtests/tst-pam_assemble_line1.sh ++++ b/xtests/tst-pam_assemble_line1.sh +@@ -1,3 +1,3 @@ +-#!/bin/bash ++#!/bin/sh + + exec ./tst-pam_authfail tst-pam_assemble_line1 +diff --git a/xtests/tst-pam_group1.sh b/xtests/tst-pam_group1.sh +index b76377f..44faca9 100755 +--- a/xtests/tst-pam_group1.sh ++++ b/xtests/tst-pam_group1.sh +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + /usr/sbin/groupadd tstpamgrpg + /usr/sbin/useradd -p '!!' tstpamgrp +diff --git a/xtests/tst-pam_limits1.sh b/xtests/tst-pam_limits1.sh +index 4faa822..32c021d 100755 +--- a/xtests/tst-pam_limits1.sh ++++ b/xtests/tst-pam_limits1.sh +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + /usr/sbin/useradd -p '!!' 
tstpamlimits + ./tst-pam_limits1 +diff --git a/xtests/tst-pam_pwhistory1.sh b/xtests/tst-pam_pwhistory1.sh +index ddb3b8b..0f212e2 100644 +--- a/xtests/tst-pam_pwhistory1.sh ++++ b/xtests/tst-pam_pwhistory1.sh +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + /usr/sbin/useradd tstpampwhistory + ./tst-pam_pwhistory1 +diff --git a/xtests/tst-pam_substack1.sh b/xtests/tst-pam_substack1.sh +index 5260175..f1b72a7 100755 +--- a/xtests/tst-pam_substack1.sh ++++ b/xtests/tst-pam_substack1.sh +@@ -1,3 +1,3 @@ +-#!/bin/bash ++#!/bin/sh + + exec ./tst-pam_authfail tst-pam_substack1 +diff --git a/xtests/tst-pam_substack2.sh b/xtests/tst-pam_substack2.sh +index c02f597..3804fa7 100755 +--- a/xtests/tst-pam_substack2.sh ++++ b/xtests/tst-pam_substack2.sh +@@ -1,3 +1,3 @@ +-#!/bin/bash ++#!/bin/sh + + exec ./tst-pam_authsucceed tst-pam_substack2 +diff --git a/xtests/tst-pam_substack3.sh b/xtests/tst-pam_substack3.sh +index 0e572aa..aa48e8e 100755 +--- a/xtests/tst-pam_substack3.sh ++++ b/xtests/tst-pam_substack3.sh +@@ -1,3 +1,3 @@ +-#!/bin/bash ++#!/bin/sh + + exec ./tst-pam_authsucceed tst-pam_substack3 +diff --git a/xtests/tst-pam_substack4.sh b/xtests/tst-pam_substack4.sh +index a3ef08a..958a07a 100755 +--- a/xtests/tst-pam_substack4.sh ++++ b/xtests/tst-pam_substack4.sh +@@ -1,3 +1,3 @@ +-#!/bin/bash ++#!/bin/sh + + exec ./tst-pam_authsucceed tst-pam_substack4 +diff --git a/xtests/tst-pam_substack5.sh b/xtests/tst-pam_substack5.sh +index e2714fd..7e0da74 100755 +--- a/xtests/tst-pam_substack5.sh ++++ b/xtests/tst-pam_substack5.sh +@@ -1,3 +1,3 @@ +-#!/bin/bash ++#!/bin/sh + + exec ./tst-pam_authfail tst-pam_substack5 +diff --git a/xtests/tst-pam_succeed_if1.sh b/xtests/tst-pam_succeed_if1.sh +index a643b2e..58e57b4 100755 +--- a/xtests/tst-pam_succeed_if1.sh ++++ b/xtests/tst-pam_succeed_if1.sh +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + /usr/sbin/useradd -p '!!' tstpamtest + /usr/sbin/useradd -p '!!' 
pamtest +diff --git a/xtests/tst-pam_unix1.sh b/xtests/tst-pam_unix1.sh +index f75bd84..72deac0 100755 +--- a/xtests/tst-pam_unix1.sh ++++ b/xtests/tst-pam_unix1.sh +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + /usr/sbin/useradd -p '!!' tstpamunix + ./tst-pam_unix1 +diff --git a/xtests/tst-pam_unix2.sh b/xtests/tst-pam_unix2.sh +index 7093155..c04d6e6 100755 +--- a/xtests/tst-pam_unix2.sh ++++ b/xtests/tst-pam_unix2.sh +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + # pamunix0 = 0aXKZztA.d1KY + /usr/sbin/useradd -p 0aXKZztA.d1KY tstpamunix +diff --git a/xtests/tst-pam_unix3.sh b/xtests/tst-pam_unix3.sh +index ef4a07c..b52db2b 100755 +--- a/xtests/tst-pam_unix3.sh ++++ b/xtests/tst-pam_unix3.sh +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + # pamunix01 = 0aXKZztA.d1KYIuFXArmd2jU + /usr/sbin/useradd -p 0aXKZztA.d1KYIuFXArmd2jU tstpamunix +diff --git a/xtests/tst-pam_unix4.sh b/xtests/tst-pam_unix4.sh +index 787c2f9..e7976fd 100755 +--- a/xtests/tst-pam_unix4.sh ++++ b/xtests/tst-pam_unix4.sh +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + # pamunix01 = 0aXKZztA.d1KYIuFXArmd2jU + /usr/sbin/useradd -p 0aXKZztA.d1KYIuFXArmd2jU tstpamunix +-- +1.7.9.5 + diff --git a/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/libpam-xtests.patch b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/libpam-xtests.patch new file mode 100644 index 000000000..be687457f --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/libpam-xtests.patch 
@@ -0,0 +1,35 @@ +This patch is used to create a new sub package libpam-xtests to do more checks. + +Upstream-Status: Pending + +Signed-off-by: Kang Kai <kai.kang@windriver.com> +--- Linux-PAM-1.1.4/xtests/Makefile.am.orig 2011-07-19 17:00:09.619980001 +0800 ++++ Linux-PAM-1.1.4/xtests/Makefile.am 2011-07-19 16:54:00.229979998 +0800 +@@ -7,7 +7,7 @@ + AM_LDFLAGS = -L$(top_builddir)/libpam -lpam \ + -L$(top_builddir)/libpam_misc -lpam_misc + +-CLEANFILES = *~ $(XTESTS) ++CLEANFILES = *~ + + EXTRA_DIST = run-xtests.sh tst-pam_dispatch1.pamd tst-pam_dispatch2.pamd \ + tst-pam_dispatch3.pamd tst-pam_dispatch4.pamd \ +@@ -51,3 +51,18 @@ + + xtests: $(XTESTS) run-xtests.sh + "$(srcdir)"/run-xtests.sh "$(srcdir)" ${XTESTS} ${NOSRCTESTS} ++ ++all: $(XTESTS) ++ ++install: install_xtests ++ ++install_xtests: ++ $(INSTALL) -d $(DESTDIR)$(pkgdatadir)/xtests ++ for file in $(EXTRA_DIST) ; do \ ++ $(INSTALL) $$file $(DESTDIR)$(pkgdatadir)/xtests ; \ ++ done ++ for file in $(XTESTS); do \ ++ $(INSTALL) .libs/$$file $(DESTDIR)$(pkgdatadir)/xtests ; \ ++ done ++ ++.PHONY: all install_xtests diff --git a/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam-no-innetgr.patch b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam-no-innetgr.patch new file mode 100644 index 000000000..5e551ac48 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam-no-innetgr.patch 
@@ -0,0 +1,97 @@ +innetgr may not be there so make sure that when innetgr is not present +then we inform about it and not use it. + +-Khem + +Upstream-Status: Pending + +Signed-off-by: Scott Garman <scott.a.garman@intel.com> + +Index: Linux-PAM-1.1.3/modules/pam_group/pam_group.c +=================================================================== +--- Linux-PAM-1.1.3.orig/modules/pam_group/pam_group.c ++++ Linux-PAM-1.1.3/modules/pam_group/pam_group.c +@@ -659,7 +659,11 @@ static int check_account(pam_handle_t *p + } + /* If buffer starts with @, we are using netgroups */ + if (buffer[0] == '@') +- good &= innetgr (&buffer[1], NULL, user, NULL); ++#ifdef HAVE_INNETGR ++ good &= innetgr (&buffer[1], NULL, user, NULL); ++#else ++ pam_syslog (pamh, LOG_ERR, "pam_group does not have netgroup support"); ++#endif + /* otherwise, if the buffer starts with %, it's a UNIX group */ + else if (buffer[0] == '%') + good &= pam_modutil_user_in_group_nam_nam(pamh, user, &buffer[1]); +Index: Linux-PAM-1.1.3/modules/pam_time/pam_time.c +=================================================================== +--- Linux-PAM-1.1.3.orig/modules/pam_time/pam_time.c ++++ Linux-PAM-1.1.3/modules/pam_time/pam_time.c +@@ -555,9 +555,13 @@ check_account(pam_handle_t *pamh, const + } + /* If buffer starts with @, we are using netgroups */ + if (buffer[0] == '@') +- good &= innetgr (&buffer[1], NULL, user, NULL); ++#ifdef HAVE_INNETGR ++ good &= innetgr (&buffer[1], NULL, user, NULL); ++#else ++ pam_syslog (pamh, LOG_ERR, "pam_time does not have netgroup support"); ++#endif + else +- good &= logic_field(pamh, user, buffer, count, is_same); ++ good &= logic_field(pamh, user, buffer, count, is_same); + D(("with user: %s", good ? 
"passes":"fails" )); + + /* here we get the time field */ +Index: Linux-PAM-1.1.3/modules/pam_succeed_if/pam_succeed_if.c +=================================================================== +--- Linux-PAM-1.1.3.orig/modules/pam_succeed_if/pam_succeed_if.c ++++ Linux-PAM-1.1.3/modules/pam_succeed_if/pam_succeed_if.c +@@ -231,18 +231,27 @@ evaluate_notingroup(pam_handle_t *pamh, + } + /* Return PAM_SUCCESS if the (host,user) is in the netgroup. */ + static int +-evaluate_innetgr(const char *host, const char *user, const char *group) ++evaluate_innetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group) + { ++#ifdef HAVE_INNETGR + if (innetgr(group, host, user, NULL) == 1) + return PAM_SUCCESS; ++#else ++ pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support"); ++#endif ++ + return PAM_AUTH_ERR; + } + /* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */ + static int +-evaluate_notinnetgr(const char *host, const char *user, const char *group) ++evaluate_notinnetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group) + { ++#ifdef HAVE_INNETGR + if (innetgr(group, host, user, NULL) == 0) + return PAM_SUCCESS; ++#else ++ pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support"); ++#endif + return PAM_AUTH_ERR; + } + +@@ -361,14 +370,14 @@ evaluate(pam_handle_t *pamh, int debug, + const void *rhost; + if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS) + rhost = NULL; +- return evaluate_innetgr(rhost, user, right); ++ return evaluate_innetgr(pamh, rhost, user, right); + } + /* (Rhost, user) is not in this group. */ + if (strcasecmp(qual, "notinnetgr") == 0) { + const void *rhost; + if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS) + rhost = NULL; +- return evaluate_notinnetgr(rhost, user, right); ++ return evaluate_notinnetgr(pamh, rhost, user, right); + } + /* Fail closed. */ + return PAM_SERVICE_ERR; 
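Review bot: In the pam_group and pam_time hunks the `#else` branch only calls pam_syslog and leaves `good` untouched, so on a libc without innetgr an `@netgroup` term neither matches nor fails — it silently inherits whatever `good` already was — whereas the pam_succeed_if hunks in the same patch resolve the same situation explicitly with PAM_AUTH_ERR. The intended outcome should be made explicit in both modules, for example `good = 0;` after the pam_syslog call so an unverifiable netgroup term never matches, with a comment stating that choice, since the two modules apply `good` differently (a matched pam_time line restricts, a matched pam_group line grants). The pam_time hunk also re-indents the unrelated `good &= logic_field(...)` line, which makes the functional change harder to spot. Under HAVE_INNETGR the new `pamh` parameter of evaluate_innetgr and evaluate_notinnetgr is unused and will warn with -Wunused-parameter; a `(void)pamh;` in the #ifdef branch keeps the build quiet.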
diff --git a/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam-security-abstract-securetty-handling.patch b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam-security-abstract-securetty-handling.patch new file mode 100644 index 000000000..f1834f6ce --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam-security-abstract-securetty-handling.patch 
@@ -0,0 +1,200 @@ +Description: extract the securetty logic for use with the "nullok_secure" option + introduced in the "055_pam_unix_nullok_secure" patch. + +Upstream-Status: Pending + +Signed-off-by: Ming Liu <ming.liu@windriver.com> +=================================================================== +diff -urpN a/modules/pam_securetty/Makefile.am b/modules/pam_securetty/Makefile.am +--- a/modules/pam_securetty/Makefile.am 2013-07-05 11:08:23.224483237 +0800 ++++ b/modules/pam_securetty/Makefile.am 2013-07-05 11:15:21.304486456 +0800 +@@ -24,6 +24,10 @@ endif + securelib_LTLIBRARIES = pam_securetty.la + pam_securetty_la_LIBADD = -L$(top_builddir)/libpam -lpam + ++pam_securetty_la_SOURCES = \ ++ pam_securetty.c \ ++ tty_secure.c ++ + if ENABLE_REGENERATE_MAN + noinst_DATA = README + README: pam_securetty.8.xml +diff -urpN a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c +--- a/modules/pam_securetty/pam_securetty.c 2013-07-05 11:07:50.064483568 +0800 ++++ b/modules/pam_securetty/pam_securetty.c 2013-07-05 11:12:23.994483344 +0800 +@@ -1,7 +1,5 @@ + /* pam_securetty module */ + +-#define SECURETTY_FILE "/etc/securetty" +-#define TTY_PREFIX "/dev/" + #define CMDLINE_FILE "/proc/cmdline" + #define CONSOLEACTIVE_FILE "/sys/class/tty/console/active" + +@@ -40,6 +38,9 @@ + #include <security/pam_modutil.h> + #include <security/pam_ext.h> + ++extern int _pammodutil_tty_secure(const pam_handle_t *pamh, ++ const char *uttyname); ++ + #define PAM_DEBUG_ARG 0x0001 + #define PAM_NOCONSOLE_ARG 0x0002 + +@@ -73,11 +74,7 @@ securetty_perform_check (pam_handle_t *p + const char *username; + const char *uttyname; + const void *void_uttyname; +- char ttyfileline[256]; +- char ptname[256]; +- struct stat ttyfileinfo; + struct passwd *user_pwd; +- FILE *ttyfile; + + /* log a trail for debugging */ + if (ctrl & PAM_DEBUG_ARG) { +@@ -105,50 +102,7 @@ securetty_perform_check (pam_handle_t *p + return PAM_SERVICE_ERR; + } + +- /* The PAM_TTY item may be 
prefixed with "/dev/" - skip that */ +- if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) { +- uttyname += sizeof(TTY_PREFIX)-1; +- } +- +- if (stat(SECURETTY_FILE, &ttyfileinfo)) { +- pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE); +- return PAM_SUCCESS; /* for compatibility with old securetty handling, +- this needs to succeed. But we still log the +- error. */ +- } +- +- if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) { +- /* If the file is world writable or is not a +- normal file, return error */ +- pam_syslog(pamh, LOG_ERR, +- "%s is either world writable or not a normal file", +- SECURETTY_FILE); +- return PAM_AUTH_ERR; +- } +- +- ttyfile = fopen(SECURETTY_FILE,"r"); +- if (ttyfile == NULL) { /* Check that we opened it successfully */ +- pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE); +- return PAM_SERVICE_ERR; +- } +- +- if (isdigit(uttyname[0])) { +- snprintf(ptname, sizeof(ptname), "pts/%s", uttyname); +- } else { +- ptname[0] = '\0'; +- } +- +- retval = 1; +- +- while ((fgets(ttyfileline, sizeof(ttyfileline)-1, ttyfile) != NULL) +- && retval) { +- if (ttyfileline[strlen(ttyfileline) - 1] == '\n') +- ttyfileline[strlen(ttyfileline) - 1] = '\0'; +- +- retval = ( strcmp(ttyfileline, uttyname) +- && (!ptname[0] || strcmp(ptname, uttyname)) ); +- } +- fclose(ttyfile); ++ retval = _pammodutil_tty_secure(pamh, uttyname); + + if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) { + FILE *cmdlinefile; +diff -urpN a/modules/pam_securetty/tty_secure.c b/modules/pam_securetty/tty_secure.c +--- a/modules/pam_securetty/tty_secure.c 1970-01-01 08:30:00.000000000 +0830 ++++ b/modules/pam_securetty/tty_secure.c 2013-07-05 11:14:21.534482900 +0800 +@@ -0,0 +1,90 @@ ++/* ++ * A function to determine if a particular line is in /etc/securetty ++ */ ++ ++ ++#define SECURETTY_FILE "/etc/securetty" ++#define TTY_PREFIX "/dev/" ++ ++/* This function taken out of pam_securetty by Sam Hartman ++ * 
<hartmans@debian.org>*/ ++/* ++ * by Elliot Lee <sopwith@redhat.com>, Red Hat Software. ++ * July 25, 1996. ++ * Slight modifications AGM. 1996/12/3 ++ */ ++ ++#include <unistd.h> ++#include <sys/types.h> ++#include <sys/stat.h> ++#include <security/pam_modules.h> ++#include <stdarg.h> ++#include <syslog.h> ++#include <sys/syslog.h> ++#include <stdio.h> ++#include <string.h> ++#include <stdlib.h> ++#include <ctype.h> ++#include <security/pam_modutil.h> ++#include <security/pam_ext.h> ++ ++extern int _pammodutil_tty_secure(const pam_handle_t *pamh, ++ const char *uttyname); ++ ++int _pammodutil_tty_secure(const pam_handle_t *pamh, const char *uttyname) ++{ ++ int retval = PAM_AUTH_ERR; ++ char ttyfileline[256]; ++ char ptname[256]; ++ struct stat ttyfileinfo; ++ FILE *ttyfile; ++ /* The PAM_TTY item may be prefixed with "/dev/" - skip that */ ++ if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) ++ uttyname += sizeof(TTY_PREFIX)-1; ++ ++ if (stat(SECURETTY_FILE, &ttyfileinfo)) { ++ pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", ++ SECURETTY_FILE); ++ return PAM_SUCCESS; /* for compatibility with old securetty handling, ++ this needs to succeed. But we still log the ++ error. 
*/ ++ } ++ ++ if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) { ++ /* If the file is world writable or is not a ++ normal file, return error */ ++ pam_syslog(pamh, LOG_ERR, ++ "%s is either world writable or not a normal file", ++ SECURETTY_FILE); ++ return PAM_AUTH_ERR; ++ } ++ ++ ttyfile = fopen(SECURETTY_FILE,"r"); ++ if(ttyfile == NULL) { /* Check that we opened it successfully */ ++ pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE); ++ return PAM_SERVICE_ERR; ++ } ++ ++ if (isdigit(uttyname[0])) { ++ snprintf(ptname, sizeof(ptname), "pts/%s", uttyname); ++ } else { ++ ptname[0] = '\0'; ++ } ++ ++ retval = 1; ++ ++ while ((fgets(ttyfileline,sizeof(ttyfileline)-1, ttyfile) != NULL) ++ && retval) { ++ if(ttyfileline[strlen(ttyfileline) - 1] == '\n') ++ ttyfileline[strlen(ttyfileline) - 1] = '\0'; ++ retval = ( strcmp(ttyfileline,uttyname) ++ && (!ptname[0] || strcmp(ptname, uttyname)) ); ++ } ++ fclose(ttyfile); ++ ++ if(retval) { ++ retval = PAM_AUTH_ERR; ++ } ++ ++ return retval; ++} diff --git a/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch new file mode 100644 index 000000000..3241e8295 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch 
@@ -0,0 +1,240 @@ +From 9bdc197474795f2d000c2bc04f58f7cef8898f21 Mon Sep 17 00:00:00 2001 +From: Amarnath Valluri <amarnath.valluri@intel.com> +Date: Wed, 15 Jul 2015 13:07:20 +0300 +Subject: [PATCH] Debian patch to add a new 'nullok_secure' option to pam_unix, + which accepts users with null passwords only when the applicant is connected + from a tty listed in /etc/securetty. + +Authors: Sam Hartman <hartmans@debian.org>, + Steve Langasek <vorlon@debian.org> + +Upstream-Status: Pending + +Signed-off-by: Ming Liu <ming.liu@windriver.com> + +v2: + - Forward ported from v1.1.6 to v1.2.1 + +Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com> +--- + modules/pam_unix/Makefile.am | 3 ++- + modules/pam_unix/README | 11 ++++++++++- + modules/pam_unix/pam_unix.8 | 9 ++++++++- + modules/pam_unix/pam_unix.8.xml | 19 ++++++++++++++++++- + modules/pam_unix/support.c | 40 +++++++++++++++++++++++++++++++++++----- + modules/pam_unix/support.h | 8 ++++++-- + 6 files changed, 79 insertions(+), 11 deletions(-) + +diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am +index 56ed591..9a372ac 100644 +--- a/modules/pam_unix/Makefile.am ++++ b/modules/pam_unix/Makefile.am +@@ -30,7 +30,8 @@ if HAVE_VERSIONING + pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map + endif + pam_unix_la_LIBADD = $(top_builddir)/libpam/libpam.la \ +- @LIBCRYPT@ @LIBSELINUX@ $(NIS_LIBS) ++ @LIBCRYPT@ @LIBSELINUX@ $(NIS_LIBS) \ ++ ../pam_securetty/tty_secure.lo + + securelib_LTLIBRARIES = pam_unix.la + +diff --git a/modules/pam_unix/README b/modules/pam_unix/README +index 3935dba..7880d91 100644 +--- a/modules/pam_unix/README ++++ b/modules/pam_unix/README +@@ -67,7 +67,16 @@ nullok + + The default action of this module is to not permit the user access to a + service if their official password is blank. The nullok argument overrides +- this default. ++ this default and allows any user with a blank password to access the ++ service. 
++ ++nullok_secure ++ ++ The default action of this module is to not permit the user access to a ++ service if their official password is blank. The nullok_secure argument ++ overrides this default and allows any user with a blank password to access ++ the service as long as the value of PAM_TTY is set to one of the values ++ found in /etc/securetty. + + try_first_pass + +diff --git a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8 +index 339178b..a4bd906 100644 +--- a/modules/pam_unix/pam_unix.8 ++++ b/modules/pam_unix/pam_unix.8 +@@ -92,7 +92,14 @@ Turns off informational messages namely messages about session open and close vi + .RS 4 + The default action of this module is to not permit the user access to a service if their official password is blank\&. The + \fBnullok\fR +-argument overrides this default\&. ++argument overrides this default and allows any user with a blank password to access the service\&. ++.RE ++.PP ++\fBnullok_secure\fR ++.RS 4 ++The default action of this module is to not permit the user access to a service if their official password is blank\&. The ++\fBnullok_secure\fR ++argument overrides this default and allows any user with a blank password to access the service as long as the value of PAM_TTY is set to one of the values found in /etc/securetty\&. + .RE + .PP + \fBtry_first_pass\fR +diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml +index a8b64bb..1ced6f4 100644 +--- a/modules/pam_unix/pam_unix.8.xml ++++ b/modules/pam_unix/pam_unix.8.xml +@@ -159,7 +159,24 @@ + <para> + The default action of this module is to not permit the + user access to a service if their official password is blank. +- The <option>nullok</option> argument overrides this default. ++ The <option>nullok</option> argument overrides this default ++ and allows any user with a blank password to access the ++ service. 
++ </para> ++ </listitem> ++ </varlistentry> ++ <varlistentry> ++ <term> ++ <option>nullok_secure</option> ++ </term> ++ <listitem> ++ <para> ++ The default action of this module is to not permit the ++ user access to a service if their official password is blank. ++ The <option>nullok_secure</option> argument overrides this ++ default and allows any user with a blank password to access ++ the service as long as the value of PAM_TTY is set to one of ++ the values found in /etc/securetty. + </para> + </listitem> + </varlistentry> +diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c +index abccd82..2361957 100644 +--- a/modules/pam_unix/support.c ++++ b/modules/pam_unix/support.c +@@ -189,13 +189,22 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, + /* now parse the arguments to this module */ + + for (; argc-- > 0; ++argv) { ++ int sl; + + D(("pam_unix arg: %s", *argv)); + + for (j = 0; j < UNIX_CTRLS_; ++j) { +- if (unix_args[j].token +- && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) { +- break; ++ if (unix_args[j].token) { ++ sl = strlen(unix_args[j].token); ++ if (unix_args[j].token[sl-1] == '=') { ++ /* exclude argument from comparison */ ++ if (!strncmp(*argv, unix_args[j].token, sl)) ++ break; ++ } else { ++ /* compare full strings */ ++ if (!strcmp(*argv, unix_args[j].token)) ++ break; ++ } + } + } + +@@ -566,6 +575,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, + if (child == 0) { + static char *envp[] = { NULL }; + const char *args[] = { NULL, NULL, NULL, NULL }; ++ int nullok = off(UNIX__NONULL, ctrl); + + /* XXX - should really tidy up PAM here too */ + +@@ -593,7 +603,16 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, + /* exec binary helper */ + args[0] = CHKPWD_HELPER; + args[1] = user; +- if (off(UNIX__NONULL, ctrl)) { /* this means we've succeeded */ ++ if (on(UNIX_NULLOK_SECURE, ctrl)) { ++ const void *uttyname; ++ retval = 
pam_get_item(pamh, PAM_TTY, &uttyname); ++ if (retval != PAM_SUCCESS || uttyname == NULL ++ || _pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS) { ++ nullok = 0; ++ } ++ } ++ ++ if (nullok) { + args[2]="nullok"; + } else { + args[2]="nonull"; +@@ -678,6 +697,17 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name) + if (on(UNIX__NONULL, ctrl)) + return 0; /* will fail but don't let on yet */ + ++ if (on(UNIX_NULLOK_SECURE, ctrl)) { ++ int retval2; ++ const void *uttyname; ++ retval2 = pam_get_item(pamh, PAM_TTY, &uttyname); ++ if (retval2 != PAM_SUCCESS || uttyname == NULL) ++ return 0; ++ ++ if (_pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS) ++ return 0; ++ } ++ + /* UNIX passwords area */ + + retval = get_pwd_hash(pamh, name, &pwd, &salt); +@@ -764,7 +794,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name + } + } + } else { +- retval = verify_pwd_hash(p, salt, off(UNIX__NONULL, ctrl)); ++ retval = verify_pwd_hash(p, salt, _unix_blankpasswd(pamh, ctrl, name)); + } + + if (retval == PAM_SUCCESS) { +diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h +index 3729ce0..43cdbea 100644 +--- a/modules/pam_unix/support.h ++++ b/modules/pam_unix/support.h +@@ -99,8 +99,9 @@ typedef struct { + #define UNIX_MIN_PASS_LEN 27 /* min length for password */ + #define UNIX_QUIET 28 /* Don't print informational messages */ + #define UNIX_DES 29 /* DES, default */ ++#define UNIX_NULLOK_SECURE 30 /* NULL passwords allowed only on secure ttys */ + /* -------------- */ +-#define UNIX_CTRLS_ 30 /* number of ctrl arguments defined */ ++#define UNIX_CTRLS_ 31 /* number of ctrl arguments defined */ + + #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)) + +@@ -118,7 +119,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = + /* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 
0100, 0}, + /* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200, 0}, + /* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400, 0}, +-/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0}, ++/* UNIX__NONULL */ {NULL, _ALL_ON_^(02000000000), 01000, 0}, + /* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0}, + /* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0}, + /* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0}, +@@ -139,6 +140,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = + /* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0}, + /* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0}, + /* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1}, ++/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(01000), 02000000000, 0}, + }; + + #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) +@@ -171,6 +173,8 @@ extern int _unix_read_password(pam_handle_t * pamh + ,const char *prompt2 + ,const char *data_name + ,const void **pass); ++extern int _pammodutil_tty_secure(const pam_handle_t *pamh, ++ const char *uttyname); + + extern int _unix_run_verify_binary(pam_handle_t *pamh, + unsigned int ctrl, const char *user, int *daysleft); +-- +2.1.4 + diff --git a/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam.d/common-account b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam.d/common-account new file mode 100644 index 000000000..316b17337 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam.d/common-account 
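Review bot: The README, pam_unix.8 and pam_unix.8.xml text added here says nullok_secure accepts a blank password only when PAM_TTY is one of the values in /etc/securetty, but `_pammodutil_tty_secure`, which the new `on(UNIX_NULLOK_SECURE, ctrl)` branches call, returns PAM_SUCCESS when /etc/securetty cannot be stat'ed (see the securetty patch earlier on this page), so on a system that does not ship the file the option behaves like plain nullok. The documentation should state that, e.g. `Note: if /etc/securetty does not exist the tty check passes and nullok_secure is equivalent to nullok.` In `_set_ctrl`, `sl` is an `int` holding a `strlen` result and `unix_args[j].token[sl-1]` would index before the string for an empty token; declaring `size_t sl` and guarding with `sl > 0 &&` keeps the new comparison safe for any table entry. `_set_ctrl`, `_unix_run_helper_binary`, `_unix_blankpasswd` and `_unix_verify_password` each start and end outside the quoted hunks.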
@@ -0,0 +1,25 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system. The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+#
+
+# here are the per-package modules (the "Primary" block)
+account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
+# here's the fallback if no module succeeds
+account requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
diff --git a/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam.d/common-auth b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam.d/common-auth
new file mode 100644
index 000000000..460b69f19
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam.d/common-auth
@@ -0,0 +1,18 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+
+# here are the per-package modules (the "Primary" block)
+auth [success=1 default=ignore] pam_unix.so nullok_secure
+# here's the fallback if no module succeeds
+auth requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
diff --git a/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam.d/common-password b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam.d/common-password
new file mode 100644
index 000000000..389605732
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam.d/common-password
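Review bot: The `auth [success=1 default=ignore] pam_unix.so nullok_secure` line depends on the non-upstream pam-unix-nullok-secure.patch this commit adds to SRC_URI, and on /etc/securetty actually being present on the image: the patched `_pammodutil_tty_secure` returns success when the file is missing, so without it accounts whose password field is empty authenticate from any tty. A comment above the line would make that visible to whoever later tailors the config, e.g. `# nullok_secure (Debian patch): blank passwords accepted only from ttys listed in /etc/securetty; if that file is absent the check passes`. Whether this recipe or another one installs /etc/securetty is not visible on this page.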
@@ -0,0 +1,26 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords. The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords. Without this option,
+# the default is Unix crypt. Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+
+# here are the per-package modules (the "Primary" block)
+password [success=1 default=ignore] pam_unix.so obscure sha512
+# here's the fallback if no module succeeds
+password requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
diff --git a/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam.d/common-session b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam.d/common-session
new file mode 100644
index 000000000..a4a551f71
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam.d/common-session
@@ -0,0 +1,19 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
diff --git a/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam.d/common-session-noninteractive b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam.d/common-session-noninteractive
new file mode 100644
index 000000000..b110bb2b4
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam.d/common-session-noninteractive
@@ -0,0 +1,19 @@
+#
+# /etc/pam.d/common-session-noninteractive - session-related modules
+# common to all non-interactive services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of all non-interactive sessions.
+#
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
diff --git a/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam.d/other b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam.d/other
new file mode 100644
index 000000000..ec970ecbe
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam.d/other
@@ -0,0 +1,24 @@
+#
+# /etc/pam.d/other - specify the PAM fallback behaviour
+#
+# Note that this file is used for any unspecified service; for example
+#if /etc/pam.d/cron specifies no session modules but cron calls
+#pam_open_session, the session module out of /etc/pam.d/other is
+#used.
+
+# We use pam_warn.so to generate syslog notes that the 'other'
+#fallback rules are being used (as a hint to suggest you should setup
+#specific PAM rules for the service and aid to debugging). Then to be
+#secure, deny access to all services by default.
+
+auth required pam_warn.so
+auth required pam_deny.so
+
+account required pam_warn.so
+account required pam_deny.so
+
+password required pam_warn.so
+password required pam_deny.so
+
+session required pam_warn.so
+session required pam_deny.so
diff --git a/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/use-utmpx.patch b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/use-utmpx.patch
new file mode 100644
index 000000000..dd04bbb84
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/use-utmpx.patch
@@ -0,0 +1,233 @@ +utmp() may not be configured in and use posix compliant utmpx always +UTMP is SVID legacy, UTMPX is mandated by POSIX + +Upstream-Status: Pending +Signed-off-by: Khem Raj <raj.khem@gmail.com> +Index: Linux-PAM-1.2.1/libpam/pam_modutil_getlogin.c +=================================================================== +--- Linux-PAM-1.2.1.orig/libpam/pam_modutil_getlogin.c ++++ Linux-PAM-1.2.1/libpam/pam_modutil_getlogin.c +@@ -10,8 +10,7 @@ + + #include <stdlib.h> + #include <unistd.h> +-#include <utmp.h> +- ++#include <utmpx.h> + #define _PAMMODUTIL_GETLOGIN "_pammodutil_getlogin" + + const char * +@@ -22,7 +21,7 @@ pam_modutil_getlogin(pam_handle_t *pamh) + const void *void_curr_tty; + const char *curr_tty; + char *curr_user; +- struct utmp *ut, line; ++ struct utmpx *ut, line; + + status = pam_get_data(pamh, _PAMMODUTIL_GETLOGIN, &logname); + if (status == PAM_SUCCESS) { +@@ -48,10 +47,10 @@ pam_modutil_getlogin(pam_handle_t *pamh) + } + logname = NULL; + +- setutent(); ++ setutxent(); + strncpy(line.ut_line, curr_tty, sizeof(line.ut_line)); + +- if ((ut = getutline(&line)) == NULL) { ++ if ((ut = getutxline(&line)) == NULL) { + goto clean_up_and_go_home; + } + +@@ -74,7 +73,7 @@ pam_modutil_getlogin(pam_handle_t *pamh) + + clean_up_and_go_home: + +- endutent(); ++ endutxent(); + + return logname; + } +Index: Linux-PAM-1.2.1/modules/pam_issue/pam_issue.c +=================================================================== +--- Linux-PAM-1.2.1.orig/modules/pam_issue/pam_issue.c ++++ Linux-PAM-1.2.1/modules/pam_issue/pam_issue.c +@@ -25,7 +25,7 @@ + #include <string.h> + #include <unistd.h> + #include <sys/utsname.h> +-#include <utmp.h> ++#include <utmpx.h> + #include <time.h> + #include <syslog.h> + +@@ -246,13 +246,13 @@ read_issue_quoted(pam_handle_t *pamh, FI + case 'U': + { + unsigned int users = 0; +- struct utmp *ut; +- setutent(); +- while ((ut = getutent())) { ++ struct utmpx *ut; ++ setutxent(); ++ while ((ut = getutxent())) { + if 
(ut->ut_type == USER_PROCESS) + ++users; + } +- endutent(); ++ endutxent(); + if (c == 'U') + snprintf (buf, sizeof buf, "%u %s", users, + (users == 1) ? "user" : "users"); +Index: Linux-PAM-1.2.1/modules/pam_lastlog/pam_lastlog.c +=================================================================== +--- Linux-PAM-1.2.1.orig/modules/pam_lastlog/pam_lastlog.c ++++ Linux-PAM-1.2.1/modules/pam_lastlog/pam_lastlog.c +@@ -15,8 +15,9 @@ + #include <errno.h> + #ifdef HAVE_UTMP_H + # include <utmp.h> +-#else +-# include <lastlog.h> ++#endif ++#ifdef HAVE_UTMPX_H ++# include <utmpx.h> + #endif + #include <pwd.h> + #include <stdlib.h> +@@ -27,6 +28,12 @@ + #include <syslog.h> + #include <unistd.h> + ++#ifndef HAVE_UTMP_H ++#define UT_LINESIZE 32 ++#define UT_HOSTSIZE 32 ++#define UT_NAMESIZE 256 ++#endif ++ + #if defined(hpux) || defined(sunos) || defined(solaris) + # ifndef _PATH_LASTLOG + # define _PATH_LASTLOG "/usr/adm/lastlog" +@@ -38,7 +45,7 @@ + # define UT_LINESIZE 12 + # endif /* UT_LINESIZE */ + #endif +-#if defined(hpux) ++#if defined(hpux) || !defined HAVE_UTMP_H + struct lastlog { + time_t ll_time; + char ll_line[UT_LINESIZE]; +@@ -447,8 +454,8 @@ last_login_failed(pam_handle_t *pamh, in + { + int retval; + int fd; +- struct utmp ut; +- struct utmp utuser; ++ struct utmpx ut; ++ struct utmpx utuser; + int failed = 0; + char the_time[256]; + char *date = NULL; +Index: Linux-PAM-1.2.1/modules/pam_limits/pam_limits.c +=================================================================== +--- Linux-PAM-1.2.1.orig/modules/pam_limits/pam_limits.c ++++ Linux-PAM-1.2.1/modules/pam_limits/pam_limits.c +@@ -33,7 +33,7 @@ + #include <sys/resource.h> + #include <limits.h> + #include <glob.h> +-#include <utmp.h> ++#include <utmpx.h> + #ifndef UT_USER /* some systems have ut_name instead of ut_user */ + #define UT_USER ut_user + #endif +@@ -227,7 +227,7 @@ static int + check_logins (pam_handle_t *pamh, const char *name, int limit, int ctrl, + struct pam_limit_s *pl) + { +- 
struct utmp *ut; ++ struct utmpx *ut; + int count; + + if (ctrl & PAM_DEBUG_ARG) { +@@ -242,7 +242,7 @@ check_logins (pam_handle_t *pamh, const + return LOGIN_ERR; + } + +- setutent(); ++ setutxent(); + + /* Because there is no definition about when an application + actually adds a utmp entry, some applications bizarrely do the +@@ -260,7 +260,7 @@ check_logins (pam_handle_t *pamh, const + count = 1; + } + +- while((ut = getutent())) { ++ while((ut = getutxent())) { + #ifdef USER_PROCESS + if (ut->ut_type != USER_PROCESS) { + continue; +@@ -296,7 +296,7 @@ check_logins (pam_handle_t *pamh, const + break; + } + } +- endutent(); ++ endutxent(); + if (count > limit) { + if (name) { + pam_syslog(pamh, LOG_WARNING, +Index: Linux-PAM-1.2.1/modules/pam_timestamp/pam_timestamp.c +=================================================================== +--- Linux-PAM-1.2.1.orig/modules/pam_timestamp/pam_timestamp.c ++++ Linux-PAM-1.2.1/modules/pam_timestamp/pam_timestamp.c +@@ -56,7 +56,7 @@ + #include <time.h> + #include <sys/time.h> + #include <unistd.h> +-#include <utmp.h> ++#include <utmpx.h> + #include <syslog.h> + #include <paths.h> + #include "hmacsha1.h" +@@ -197,15 +197,15 @@ timestamp_good(time_t then, time_t now, + static int + check_login_time(const char *ruser, time_t timestamp) + { +- struct utmp utbuf, *ut; ++ struct utmpx utbuf, *ut; + time_t oldest_login = 0; + +- setutent(); ++ setutxent(); + while( + #ifdef HAVE_GETUTENT_R +- !getutent_r(&utbuf, &ut) ++ !getutxent_r(&utbuf, &ut) + #else +- (ut = getutent()) != NULL ++ (ut = getutxent()) != NULL + #endif + ) { + if (ut->ut_type != USER_PROCESS) { +@@ -218,7 +218,7 @@ check_login_time(const char *ruser, time + oldest_login = ut->ut_tv.tv_sec; + } + } +- endutent(); ++ endutxent(); + if(oldest_login == 0 || timestamp < oldest_login) { + return PAM_AUTH_ERR; + } +Index: Linux-PAM-1.2.1/modules/pam_unix/support.c +=================================================================== +--- 
Linux-PAM-1.2.1.orig/modules/pam_unix/support.c ++++ Linux-PAM-1.2.1/modules/pam_unix/support.c +@@ -13,7 +13,6 @@ + #include <pwd.h> + #include <shadow.h> + #include <limits.h> +-#include <utmp.h> + #include <errno.h> + #include <signal.h> + #include <ctype.h> diff --git a/import-layers/yocto-poky/meta/recipes-extended/pam/libpam_1.2.1.bb b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam_1.2.1.bb new file mode 100644 index 000000000..341ea2411 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam_1.2.1.bb 
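Review bot: The fallback sizes added to pam_lastlog.c under `#ifndef HAVE_UTMP_H` look swapped: glibc's utmp.h defines UT_HOSTSIZE as 256 and UT_NAMESIZE as 32, whereas this block defines `UT_HOSTSIZE 32` and `UT_NAMESIZE 256`, so the locally declared `struct lastlog` (whose host field is just past the quoted lines) would presumably not match the on-disk layout produced by a glibc build; `#define UT_HOSTSIZE 256` and `#define UT_NAMESIZE 32` is likely what was intended, or a comment should say why the layout differs deliberately. In pam_timestamp.c the preprocessor guard still tests `HAVE_GETUTENT_R` while the call became `getutxent_r`, so the reentrant branch is selected by the presence of a different function; a libc with one but not the other either fails to compile or silently takes the non-reentrant path, and a configure check for getutxent_r (or a comment justifying the proxy) would make that explicit. The edited functions pam_modutil_getlogin, read_issue_quoted, last_login_failed, check_logins and check_login_time each start and end outside the quoted hunks.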
@@ -0,0 +1,171 @@ +SUMMARY = "Linux-PAM (Pluggable Authentication Modules)" +DESCRIPTION = "Linux-PAM (Pluggable Authentication Modules for Linux), a flexible mechanism for authenticating users" +HOMEPAGE = "https://fedorahosted.org/linux-pam/" +BUGTRACKER = "https://fedorahosted.org/linux-pam/newticket" +SECTION = "base" +# PAM is dual licensed under GPL and BSD. +# /etc/pam.d comes from Debian libpam-runtime in 2009-11 (at that time +# libpam-runtime-1.0.1 is GPLv2+), by openembedded +LICENSE = "GPLv2+ | BSD" +LIC_FILES_CHKSUM = "file://COPYING;md5=7eb5c1bf854e8881005d673599ee74d3" + +SRC_URI = "http://linux-pam.org/library/Linux-PAM-${PV}.tar.bz2 \ + file://99_pam \ + file://pam.d/common-account \ + file://pam.d/common-auth \ + file://pam.d/common-password \ + file://pam.d/common-session \ + file://pam.d/common-session-noninteractive \ + file://pam.d/other \ + file://libpam-xtests.patch \ + file://fixsepbuild.patch \ + file://pam-security-abstract-securetty-handling.patch \ + file://pam-unix-nullok-secure.patch \ + file://libpam-xtests-remove-bash-dependency.patch \ + file://crypt_configure.patch \ + " + +SRC_URI[md5sum] = "9dc53067556d2dd567808fd509519dd6" +SRC_URI[sha256sum] = "342b1211c0d3b203a7df2540a5b03a428a087bd8a48c17e49ae268f992b334d9" + +SRC_URI_append_libc-uclibc = " file://pam-no-innetgr.patch \ + file://use-utmpx.patch" + +SRC_URI_append_libc-musl = " file://pam-no-innetgr.patch \ + file://0001-Add-support-for-defining-missing-funcitonality.patch \ + file://include_paths_header.patch \ + " + +DEPENDS = "bison flex flex-native cracklib" + +EXTRA_OECONF = "--with-db-uniquename=_pam \ + --includedir=${includedir}/security \ + --libdir=${base_libdir} \ + --disable-nis \ + --disable-regenerate-docu \ + --disable-prelude" + +CFLAGS_append = " -fPIC " + +PR = "r5" + +S = "${WORKDIR}/Linux-PAM-${PV}" + +inherit autotools gettext pkgconfig + +PACKAGECONFIG[audit] = "--enable-audit,--disable-audit,audit," + +PACKAGES += "${PN}-runtime ${PN}-xtests" 
+FILES_${PN} = "${base_libdir}/lib*${SOLIBS}" +FILES_${PN}-dev += "${base_libdir}/security/*.la ${base_libdir}/*.la ${base_libdir}/lib*${SOLIBSDEV}" +FILES_${PN}-runtime = "${sysconfdir}" +FILES_${PN}-xtests = "${datadir}/Linux-PAM/xtests" + +PACKAGES_DYNAMIC += "^${MLPREFIX}pam-plugin-.*" + +def get_multilib_bit(d): + baselib = d.getVar('baselib', True) or '' + return baselib.replace('lib', '') + +libpam_suffix = "suffix${@get_multilib_bit(d)}" + +RPROVIDES_${PN} += "${PN}-${libpam_suffix}" +RPROVIDES_${PN}-runtime += "${PN}-runtime-${libpam_suffix}" + +RDEPENDS_${PN}-runtime = "${PN}-${libpam_suffix} \ + ${MLPREFIX}pam-plugin-deny-${libpam_suffix} \ + ${MLPREFIX}pam-plugin-permit-${libpam_suffix} \ + ${MLPREFIX}pam-plugin-warn-${libpam_suffix} \ + ${MLPREFIX}pam-plugin-unix-${libpam_suffix} \ + " +RDEPENDS_${PN}-xtests = "${PN}-${libpam_suffix} \ + ${MLPREFIX}pam-plugin-access-${libpam_suffix} \ + ${MLPREFIX}pam-plugin-debug-${libpam_suffix} \ + ${MLPREFIX}pam-plugin-cracklib-${libpam_suffix} \ + ${MLPREFIX}pam-plugin-pwhistory-${libpam_suffix} \ + ${MLPREFIX}pam-plugin-succeed-if-${libpam_suffix} \ + ${MLPREFIX}pam-plugin-time-${libpam_suffix} \ + coreutils" + +# FIXME: Native suffix breaks here, disable it for now +RRECOMMENDS_${PN} = "${PN}-runtime-${libpam_suffix}" +RRECOMMENDS_${PN}_class-native = "" + +python populate_packages_prepend () { + def pam_plugin_append_file(pn, dir, file): + nf = os.path.join(dir, file) + of = d.getVar('FILES_' + pn, True) + if of: + nf = of + " " + nf + d.setVar('FILES_' + pn, nf) + + def pam_plugin_hook(file, pkg, pattern, format, basename): + pn = d.getVar('PN', True) + libpam_suffix = d.getVar('libpam_suffix', True) + + rdeps = d.getVar('RDEPENDS_' + pkg, True) + if rdeps: + rdeps = rdeps + " " + pn + "-" + libpam_suffix + else: + rdeps = pn + "-" + libpam_suffix + d.setVar('RDEPENDS_' + pkg, rdeps) + + provides = d.getVar('RPROVIDES_' + pkg, True) + if provides: + provides = provides + " " + pkg + "-" + libpam_suffix + else: 
+ provides = pkg + "-" + libpam_suffix + d.setVar('RPROVIDES_' + pkg, provides) + + mlprefix = d.getVar('MLPREFIX', True) or '' + dvar = bb.data.expand('${WORKDIR}/package', d, True) + pam_libdir = d.expand('${base_libdir}/security') + pam_sbindir = d.expand('${sbindir}') + pam_filterdir = d.expand('${base_libdir}/security/pam_filter') + pam_pkgname = mlprefix + 'pam-plugin%s' + + do_split_packages(d, pam_libdir, '^pam(.*)\.so$', pam_pkgname, + 'PAM plugin for %s', hook=pam_plugin_hook, extra_depends='') + pam_plugin_append_file('%spam-plugin-unix' % mlprefix, pam_sbindir, 'unix_chkpwd') + pam_plugin_append_file('%spam-plugin-unix' % mlprefix, pam_sbindir, 'unix_update') + pam_plugin_append_file('%spam-plugin-tally' % mlprefix, pam_sbindir, 'pam_tally') + pam_plugin_append_file('%spam-plugin-tally2' % mlprefix, pam_sbindir, 'pam_tally2') + pam_plugin_append_file('%spam-plugin-timestamp' % mlprefix, pam_sbindir, 'pam_timestamp_check') + pam_plugin_append_file('%spam-plugin-mkhomedir' % mlprefix, pam_sbindir, 'mkhomedir_helper') + pam_plugin_append_file('%spam-plugin-console' % mlprefix, pam_sbindir, 'pam_console_apply') + do_split_packages(d, pam_filterdir, '^(.*)$', 'pam-filter-%s', 'PAM filter for %s', extra_depends='') +} + +do_install() { + autotools_do_install + + # don't install /var/run when populating rootfs. 
Do it through volatile + rm -rf ${D}${localstatedir} + install -d ${D}${sysconfdir}/default/volatiles + install -m 0644 ${WORKDIR}/99_pam ${D}${sysconfdir}/default/volatiles + + install -d ${D}${sysconfdir}/pam.d/ + install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/ + + # The lsb requires unix_chkpwd has setuid permission + chmod 4755 ${D}${sbindir}/unix_chkpwd + + if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then + echo "session optional pam_systemd.so" >> ${D}${sysconfdir}/pam.d/common-session + fi +} + +python do_pam_sanity () { + if not bb.utils.contains('DISTRO_FEATURES', 'pam', True, False, d): + bb.warn("Building libpam but 'pam' isn't in DISTRO_FEATURES, PAM won't work correctly") +} +addtask pam_sanity before do_configure + +BBCLASSEXTEND = "nativesdk native" + +CONFFILES_${PN}-runtime += "${sysconfdir}/pam.d/common-session" +CONFFILES_${PN}-runtime += "${sysconfdir}/pam.d/common-auth" +CONFFILES_${PN}-runtime += "${sysconfdir}/pam.d/common-password" +CONFFILES_${PN}-runtime += "${sysconfdir}/pam.d/common-session-noninteractive" +CONFFILES_${PN}-runtime += "${sysconfdir}/pam.d/common-account" +CONFFILES_${PN}-runtime += "${sysconfdir}/security/limits.conf" |
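Review bot: In populate_packages_prepend the filter split uses a bare `'pam-filter-%s'` package name while the plugin split builds `pam_pkgname = mlprefix + 'pam-plugin%s'`, and PACKAGES_DYNAMIC only declares `^${MLPREFIX}pam-plugin-.*`, so in a multilib build the pam-filter-* packages would lack the MLPREFIX the rest of the recipe assumes and are not declared dynamic at all; `mlprefix + 'pam-filter-%s'` plus a matching PACKAGES_DYNAMIC entry would keep them consistent. The plugin pattern `'^pam(.*)\.so$'` is a normal string containing a `\.` escape and should be the raw string `r'^pam(.*)\.so$'` to avoid the invalid-escape warning on newer Python. The `chmod 4755 ${D}${sbindir}/unix_chkpwd` comment cites only the LSB requirement; adding that this is the CHKPWD_HELPER executed by pam_unix's `_unix_run_helper_binary` (see support.c in the nullok_secure patch above) would tell a reader why the setuid bit is functionally needed and that the helper's argument handling is therefore a privileged boundary.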