libpam: Update to 1.3.0

Removed upstreamed patches. Signed-off-by: Rosen Penev <rosenp@gmail.com>
6 years ago · eed77a988b
--- a/libs/libpam/Makefile
+++ b/libs/libpam/Makefile
@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=libpam
 PKG_VERSION:=1.2.0
 PKG_RELEASE:=2
 PKG_VERSION:=1.3.0
 PKG_RELEASE:=1

 PKG_SOURCE:=Linux-PAM-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=http://www.linux-pam.org/library/
 PKG_HASH:=cd8beac5961e942e9c73b32a3cd1a3457755f8fb35d07c9ec64511e19e135ea4
 PKG_HASH:=241aed1ef522f66ed672719ecf2205ec513fd0075ed80cda8e086a5b1a01d1bb
 PKG_INSTALL:=1
 PKG_FIXUP:=autoreconf
 PKG_MAINTAINER:=Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
--- a/libs/libpam/patches/0001-build-always-use-lib-instead-of-lib64.patch
+++ b/libs/libpam/patches/0001-build-always-use-lib-instead-of-lib64.patch
@ -20,7 +20,7 @@ index fd0e310..306b6e2 100644
         fi
 -	if test ${libdir} = '${exec_prefix}/lib'
 -	then
 -		case "`uname -m`" in
 -		case "$host_cpu" in
 -		    x86_64|ppc64|s390x|sparc64)
 -			libdir="/lib64" ;;
 -		    *)
--- a/libs/libpam/patches/0002-build-ignore-pam_rhosts-if-neither-ruserok-nor-ruser.patch
+++ b/libs/libpam/patches/0002-build-ignore-pam_rhosts-if-neither-ruserok-nor-ruser.patch
@ -19,7 +19,7 @@ diff --git a/configure.ac b/configure.ac
 index 306b6e2..084071a 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -534,7 +534,10 @@ AC_CHECK_FUNCS(fseeko getdomainname gethostname gettimeofday lckpwdf mkdir selec
@@ -524,7 +524,10 @@ AC_CHECK_FUNCS(fseeko getdomainname gethostname gettimeofday lckpwdf mkdir selec
 AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname)
 AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r)
 AC_CHECK_FUNCS(getgrouplist getline getdelim)
--- a/libs/libpam/patches/0003-build-ignore-pam_lastlog-when-logwtmp-is-not-availab.patch
+++ b/libs/libpam/patches/0003-build-ignore-pam_lastlog-when-logwtmp-is-not-availab.patch
@ -16,7 +16,7 @@ diff --git a/configure.ac b/configure.ac
 index 084071a..ca4bf5b 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -536,8 +536,10 @@ AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r
@@ -526,8 +526,10 @@ AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r
 AC_CHECK_FUNCS(getgrouplist getline getdelim)
 AC_CHECK_FUNCS(inet_ntop inet_pton innetgr)
 AC_CHECK_FUNCS([ruserok_af ruserok], [break])
--- a/libs/libpam/patches/0004-build-fix-build-when-crypt-is-not-part-of-crypt_libs.patch
+++ b/libs/libpam/patches/0004-build-fix-build-when-crypt-is-not-part-of-crypt_libs.patch
@ -1,28 +0,0 @@
 From a35daea1b8be768d1b0be6eae157fbf3e5380f92 Mon Sep 17 00:00:00 2001
 From: Yousong Zhou <yszhou4tech@gmail.com>
 Date: Wed, 17 Jun 2015 18:22:31 +0800
 Subject: [PATCH 4/7] build: fix build when crypt() is not part of crypt_libs.

 * configure.ac: ditto.

 Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
 ---
 configure.ac |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/configure.ac b/configure.ac
 index ca4bf5b..6553c78 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -408,7 +408,7 @@ AS_IF([test "x$ac_cv_header_xcrypt_h" = "xyes"],
   [crypt_libs="crypt"])
 
 BACKUP_LIBS=$LIBS
 -AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="-l$ac_lib", LIBCRYPT="")
 +AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="${ac_lib:+-l$ac_lib}", LIBCRYPT="")
 AC_CHECK_FUNCS(crypt_r crypt_gensalt_r)
 LIBS=$BACKUP_LIBS
 AC_SUBST(LIBCRYPT)
 -- 
 1.7.10.4

--- a/libs/libpam/patches/0006-pam_unix-fix-compilation-in-case-rpc-rpc.h-is-missin.patch
+++ b/libs/libpam/patches/0006-pam_unix-fix-compilation-in-case-rpc-rpc.h-is-missin.patch
@ -15,7 +15,7 @@ diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_pass
 index 2d330e5..970724a 100644
 --- a/modules/pam_unix/pam_unix_passwd.c
 +++ b/modules/pam_unix/pam_unix_passwd.c
@@ -336,7 +336,7 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho,
@@ -410,7 +410,7 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho,
 	}
 
 	if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, forwho, 0, 1)) {
--- a/libs/libpam/patches/0007-Check-if-innetgr-is-available-at-compile-time.patch
+++ b/libs/libpam/patches/0007-Check-if-innetgr-is-available-at-compile-time.patch
@ -1,106 +0,0 @@
 From c681bd104627139eac2f40fe303e1f67676233e8 Mon Sep 17 00:00:00 2001
 From: Yousong Zhou <yszhou4tech@gmail.com>
 Date: Wed, 17 Jun 2015 15:33:43 +0800
 Subject: [PATCH 7/7] Check if innetgr is available at compile time.

 innetgr may not be there so make sure that when innetgr is not present
 then we inform about it and not use it.

 * modules/pam_group/pam_group.c: ditto
 * modules/pam_succeed_if/pam_succeed_if.c: ditto
 * modules/pam_time/pam_time.c: ditto

 Signed-off-by: Khem Raj <raj.khem at gmail.com>
 Signed-off-by: Yousong Zhou <yszhou4tech at gmail.com>
 ---
 modules/pam_group/pam_group.c           |    4 ++++
 modules/pam_succeed_if/pam_succeed_if.c |   17 +++++++++++++----
 modules/pam_time/pam_time.c             |    4 ++++
 3 files changed, 21 insertions(+), 4 deletions(-)

 diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c
 index be5f20f..6a065ca 100644
 --- a/modules/pam_group/pam_group.c
 +++ b/modules/pam_group/pam_group.c
@@ -656,7 +656,11 @@ static int check_account(pam_handle_t *pamh, const char *service,
 	}
 	/* If buffer starts with @, we are using netgroups */
 	if (buffer[0] == '@')
 +#ifdef HAVE_INNETGR
 	  good &= innetgr (&buffer[1], NULL, user, NULL);
 +#else
 +	  pam_syslog (pamh, LOG_ERR, "pam_group does not have netgroup support");
 +#endif
 	/* otherwise, if the buffer starts with %, it's a UNIX group */
 	else if (buffer[0] == '%')
           good &= pam_modutil_user_in_group_nam_nam(pamh, user, &buffer[1]);
 diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c
 index aa828fc..c0c68a0 100644
 --- a/modules/pam_succeed_if/pam_succeed_if.c
 +++ b/modules/pam_succeed_if/pam_succeed_if.c
@@ -231,18 +231,27 @@ evaluate_notingroup(pam_handle_t *pamh, const char *user, const char *group)
 }
 /* Return PAM_SUCCESS if the (host,user) is in the netgroup. */
 static int
 -evaluate_innetgr(const char *host, const char *user, const char *group)
 +evaluate_innetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group)
 {
 +#ifdef HAVE_INNETGR
 	if (innetgr(group, host, user, NULL) == 1)
 		return PAM_SUCCESS;
 +#else
 +	pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support");
 +#endif
 +
 	return PAM_AUTH_ERR;
 }
 /* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */
 static int
 -evaluate_notinnetgr(const char *host, const char *user, const char *group)
 +evaluate_notinnetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group)
 {
 +#ifdef HAVE_INNETGR
 	if (innetgr(group, host, user, NULL) == 0)
 		return PAM_SUCCESS;
 +#else
 +	pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support");
 +#endif
 	return PAM_AUTH_ERR;
 }
 
@@ -387,14 +396,14 @@ evaluate(pam_handle_t *pamh, int debug,
 		const void *rhost;
 		if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS)
 			rhost = NULL;
 -		return evaluate_innetgr(rhost, user, right);
 +		return evaluate_innetgr(pamh, rhost, user, right);
 	}
 	/* (Rhost, user) is not in this group. */
 	if (strcasecmp(qual, "notinnetgr") == 0) {
 		const void *rhost;
 		if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS)
 			rhost = NULL;
 -		return evaluate_notinnetgr(rhost, user, right);
 +		return evaluate_notinnetgr(pamh, rhost, user, right);
 	}
 	/* Fail closed. */
 	return PAM_SERVICE_ERR;
 diff --git a/modules/pam_time/pam_time.c b/modules/pam_time/pam_time.c
 index c94737c..0b34a14 100644
 --- a/modules/pam_time/pam_time.c
 +++ b/modules/pam_time/pam_time.c
@@ -555,7 +555,11 @@ check_account(pam_handle_t *pamh, const char *service,
 	  }
 	  /* If buffer starts with @, we are using netgroups */
 	  if (buffer[0] == '@')
 +#ifdef HAVE_INNETGR
 	    good &= innetgr (&buffer[1], NULL, user, NULL);
 +#else
 +	    pam_syslog (pamh, LOG_ERR, "pam_time does not have netgroup support");
 +#endif
 	  else
 	    good &= logic_field(pamh, user, buffer, count, is_same);
 	  D(("with user: %s", good ? "passes":"fails" ));
 -- 
 1.7.10.4

--- a/libs/libpam/patches/0007-Replace-strndupa-with-strcpy.patch
+++ b/libs/libpam/patches/0007-Replace-strndupa-with-strcpy.patch
@ -0,0 +1,74 @@
 From 9f23ba5a40b42acf4463b593bffd73caee8b527c Mon Sep 17 00:00:00 2001
 From: Rosen Penev <rosenp@gmail.com>
 Date: Sun, 15 Jul 2018 20:43:44 -0700
 Subject: [PATCH] Replace strndupa with strcpy

 glibc only. A static string is better.

 Signed-off-by: Rosen Penev <rosenp@gmail.com>
 ---
 modules/pam_exec/pam_exec.c | 31 +++++++++++--------------------
 1 file changed, 11 insertions(+), 20 deletions(-)

 diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c
 index 0ab6548..2fbab4f 100644
 --- a/modules/pam_exec/pam_exec.c
 +++ b/modules/pam_exec/pam_exec.c
@@ -102,7 +102,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
   int use_stdout = 0;
   int optargc;
   const char *logfile = NULL;
 -  const char *authtok = NULL;
 +  char authtok[PAM_MAX_RESP_SIZE];
   pid_t pid;
   int fds[2];
   int stdout_fds[2];
@@ -178,11 +178,11 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
 		}
 
 	      pam_set_item (pamh, PAM_AUTHTOK, resp);
 -	      authtok = strndupa (resp, PAM_MAX_RESP_SIZE);
 +	      strcpy (authtok, resp);
 	      _pam_drop (resp);
 	    }
 	  else
 -	    authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE);
 +	    strcpy (authtok, void_pass);
 
 	  if (pipe(fds) != 0)
 	    {
@@ -222,23 +222,14 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
 
       if (expose_authtok) /* send the password to the child */
 	{
 -	  if (authtok != NULL)
 -	    {            /* send the password to the child */
 -	      if (debug)
 -		pam_syslog (pamh, LOG_DEBUG, "send password to child");
 -	      if (write(fds[1], authtok, strlen(authtok)+1) == -1)
 -		pam_syslog (pamh, LOG_ERR,
 -			    "sending password to child failed: %m");
 -	      authtok = NULL;
 -	    }
 -	  else
 -	    {
 -	      if (write(fds[1], "", 1) == -1)   /* blank password */
 -		pam_syslog (pamh, LOG_ERR,
 -			    "sending password to child failed: %m");
 -	    }
 -        close(fds[0]);       /* close here to avoid possible SIGPIPE above */
 -        close(fds[1]);
 +	  if (debug)
 +	    pam_syslog (pamh, LOG_DEBUG, "send password to child");
 +	  if (write(fds[1], authtok, strlen(authtok)) == -1)
 +	    pam_syslog (pamh, LOG_ERR,
 +			      "sending password to child failed: %m");
 +
 +          close(fds[0]);       /* close here to avoid possible SIGPIPE above */
 +          close(fds[1]);
 	}
 
       if (use_stdout)
 -- 
 2.19.1