Accepting request 725009 from home:kukuk:etc

Add /usr/etc/pam.d directory and read from it. OBS-URL: https://build.opensuse.org/request/show/725009 OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=192
2019-08-21 11:20:26 +00:00 · 2019-08-21 11:20:26 +00:00 · 8952f5370e
commit 8952f5370e
parent 78441ed37b
3 changed files with 172 additions and 94 deletions
--- a/pam.changes
+++ b/pam.changes
@ -1,3 +1,8 @@
 -------------------------------------------------------------------
 Mon Aug 19 14:45:43 CEST 2019 - kukuk@suse.de
 - usr-etc-support.patch: Add support for /usr/etc/pam.d
 -------------------------------------------------------------------
 Mon Aug 19 13:33:49 CEST 2019 - kukuk@suse.de
--- a/pam.spec
+++ b/pam.spec
@ -18,43 +18,17 @@
 #
 %define enable_selinux 1
 Name:           pam
 Url:            http://www.linux-pam.org/
 BuildRequires:  audit-devel
 BuildRequires:  bison
 BuildRequires:  cracklib-devel
 BuildRequires:  flex
 %if 0%{?suse_version} > 1320
 BuildRequires:  libdb-4_8-devel
 BuildRequires:  xz
 BuildRequires:  pkgconfig(libnsl)
 BuildRequires:  pkgconfig(libtirpc)
 %endif
 %if %{enable_selinux}
 BuildRequires:  libselinux-devel
 %endif
 %define libpam_so_version 0.84.2
 %define libpam_misc_so_version 0.82.1
 %define libpamc_so_version 0.82.1
 Name:           pam
 #
 Version:        1.3.1+git20190807.e31dd6c
 Release:        0
 Summary:        A Security Tool that Provides Authentication for Applications
 License:        GPL-2.0-or-later OR BSD-3-Clause
 Group:          System/Libraries
-PreReq:         permissions
+URL:            http://www.linux-pam.org/
 %if 0%{?suse_version} >= 1330
 Requires(pre):  group(shadow)
 Requires(pre):  user(root)
 %endif
 # All login.defs variables require support from shadow side.
 # Upgrade this symbol version only if new variables appear!
 # Verify by shadow-login_defs-check.sh from shadow source package.
 # Recent symbol includes variable from encryption_method_nis.diff.
 Requires:       login_defs-support-for-pam >= 1.3.1
 #DL-URL:	https://fedorahosted.org/releases/l/i/linux-pam/
 Source:         linux-pam-%{version}.tar.xz
 Source1:        Linux-PAM-1.3.1-docs.tar.xz
 Source2:        linux-pam-man-pages-1.3.1+git20190807.e31dd6c.tar.xz
@ -72,20 +46,40 @@ Patch0:         fix-man-links.dif
 Patch2:         pam-limit-nproc.patch
 Patch4:         pam-hostnames-in-access_conf.patch
 Patch5:         use-correct-IP-address.patch
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+Patch6:         usr-etc-support.patch
-BuildRequires:  libdb-4_8-devel
+BuildRequires:  audit-devel
 # Remove with next version update:
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  bison
 BuildRequires:  cracklib-devel
 BuildRequires:  flex
 BuildRequires:  libdb-4_8-devel
 BuildRequires:  libtool
 # All login.defs variables require support from shadow side.
 # Upgrade this symbol version only if new variables appear!
 # Verify by shadow-login_defs-check.sh from shadow source package.
 Requires:       login_defs-support-for-pam >= 1.3.1
 Requires(post): permissions
 %if 0%{?suse_version} > 1320
 BuildRequires:  libdb-4_8-devel
 BuildRequires:  xz
 BuildRequires:  pkgconfig(libnsl)
 BuildRequires:  pkgconfig(libtirpc)
 %endif
 %if %{enable_selinux}
 BuildRequires:  libselinux-devel
 %endif
 %if 0%{?suse_version} >= 1330
 Requires(pre):  group(shadow)
 Requires(pre):  user(root)
 %endif
 %description
 PAM (Pluggable Authentication Modules) is a system security tool that
 allows system administrators to set authentication policies without
 having to recompile programs that do authentication.
 %package doc
 Summary:        Documentation for Pluggable Authentication Modules
 Group:          Documentation/HTML
@ -100,8 +94,6 @@ having to recompile programs that do authentication.
 This package contains the documentation.
 %package devel
 Summary:        Include Files and Libraries for PAM-Development
 Group:          Development/Libraries/C and C++
@ -116,24 +108,23 @@ having to recompile programs which do authentication.
 This package contains header files and static libraries used for
 building both PAM-aware applications and modules for use with PAM.
 %prep
 %setup -q -n linux-pam-%{version} -b 1 -a 2
 cp -av ../Linux-PAM-1.3.1/* .
-cp -a %{S:12} .
+cp -a %{SOURCE12} .
 %patch0 -p1
 %patch2 -p1
-%patch4 -p0
+%patch4
 %patch5 -p1
 %patch6
 %build
 bash ./pam-login_defs-check.sh
 ./autogen.sh
-export CFLAGS="%optflags -DNDEBUG"
+export CFLAGS="%{optflags} -DNDEBUG"
 %configure \
 	--sbindir=/sbin \
-	--includedir=%_includedir/security \
+	--includedir=%{_includedir}/security \
 	--docdir=%{_docdir}/pam \
 	--htmldir=%{_docdir}/pam/html \
 	--pdfdir=%{_docdir}/pam/pdf \
@ -141,62 +132,63 @@ export CFLAGS="%optflags -DNDEBUG"
 	--enable-isadir=../../%{_lib}/security \
        --enable-securedir=/%{_lib}/security
 make %{?_smp_mflags}
-%__cc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I$RPM_BUILD_DIR/linux-pam-%{version}/libpam/include %{SOURCE10} -o $RPM_BUILD_DIR/unix2_chkpwd -L$RPM_BUILD_DIR/linux-pam-%{version}/libpam/.libs/ -lpam
+gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I$RPM_BUILD_DIR/linux-pam-%{version}/libpam/include %{SOURCE10} -o $RPM_BUILD_DIR/unix2_chkpwd -L$RPM_BUILD_DIR/linux-pam-%{version}/libpam/.libs/ -lpam
 %check
 make %{?_smp_mflags} check
 %install
-mkdir -p $RPM_BUILD_ROOT/etc/pam.d
+mkdir -p %{buildroot}%{_sysconfdir}/pam.d
-mkdir -p $RPM_BUILD_ROOT/usr/include/security
+mkdir -p %{buildroot}%{_prefix}%{_sysconfdir}/pam.d
-mkdir -p $RPM_BUILD_ROOT/%{_lib}/security
+mkdir -p %{buildroot}%{_includedir}/security
-mkdir -p $RPM_BUILD_ROOT/sbin
+mkdir -p %{buildroot}/%{_lib}/security
-mkdir -p -m 755 $RPM_BUILD_ROOT%{_libdir}
+mkdir -p %{buildroot}/sbin
-make DESTDIR=$RPM_BUILD_ROOT install
+mkdir -p -m 755 %{buildroot}%{_libdir}
-/sbin/ldconfig -n $RPM_BUILD_ROOT/%{_lib}
+%make_install
 /sbin/ldconfig -n %{buildroot}/%{_lib}
 # Install documentation
-make -C doc install DESTDIR=$RPM_BUILD_ROOT
+make -C doc install DESTDIR=%{buildroot}
 # install securetty
-install -m 644 %{SOURCE8} $RPM_BUILD_ROOT/etc
+install -m 644 %{SOURCE8} %{buildroot}%{_sysconfdir}
 %ifarch s390 s390x
-echo "ttyS0" >> $RPM_BUILD_ROOT/etc/securetty
+echo "ttyS0" >> %{buildroot}%{_sysconfdir}/securetty
-echo "ttyS1" >> $RPM_BUILD_ROOT/etc/securetty
+echo "ttyS1" >> %{buildroot}%{_sysconfdir}/securetty
-echo "hvc0" >> $RPM_BUILD_ROOT/etc/securetty
+echo "hvc0" >> %{buildroot}%{_sysconfdir}/securetty
-echo "hvc1" >> $RPM_BUILD_ROOT/etc/securetty
+echo "hvc1" >> %{buildroot}%{_sysconfdir}/securetty
-echo "hvc2" >> $RPM_BUILD_ROOT/etc/securetty
+echo "hvc2" >> %{buildroot}%{_sysconfdir}/securetty
-echo "hvc3" >> $RPM_BUILD_ROOT/etc/securetty
+echo "hvc3" >> %{buildroot}%{_sysconfdir}/securetty
-echo "hvc4" >> $RPM_BUILD_ROOT/etc/securetty
+echo "hvc4" >> %{buildroot}%{_sysconfdir}/securetty
-echo "hvc5" >> $RPM_BUILD_ROOT/etc/securetty
+echo "hvc5" >> %{buildroot}%{_sysconfdir}/securetty
-echo "hvc6" >> $RPM_BUILD_ROOT/etc/securetty
+echo "hvc6" >> %{buildroot}%{_sysconfdir}/securetty
-echo "hvc7" >> $RPM_BUILD_ROOT/etc/securetty
+echo "hvc7" >> %{buildroot}%{_sysconfdir}/securetty
-echo "sclp_line0" >> $RPM_BUILD_ROOT/etc/securetty
+echo "sclp_line0" >> %{buildroot}%{_sysconfdir}/securetty
-echo "ttysclp0" >> $RPM_BUILD_ROOT/etc/securetty
+echo "ttysclp0" >> %{buildroot}%{_sysconfdir}/securetty
 %endif
 # install /etc/security/namespace.d used by pam_namespace.so for namespace.conf iscript
-install -d $RPM_BUILD_ROOT%{_sysconfdir}/security/namespace.d
+install -d %{buildroot}%{_sysconfdir}/security/namespace.d
 # install other.pamd and common-*.pamd
-install -m 644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/other
+install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/pam.d/other
-install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/etc/pam.d/common-auth
+install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/common-auth
-install -m 644 %{SOURCE5} $RPM_BUILD_ROOT/etc/pam.d/common-account
+install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/pam.d/common-account
-install -m 644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/common-password
+install -m 644 %{SOURCE6} %{buildroot}%{_sysconfdir}/pam.d/common-password
-install -m 644 %{SOURCE7} $RPM_BUILD_ROOT/etc/pam.d/common-session
+install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/pam.d/common-session
-rm $RPM_BUILD_ROOT/%{_lib}/libpam.so
+rm %{buildroot}/%{_lib}/libpam.so
-ln -sf ../../%{_lib}/libpam.so.%{libpam_so_version} $RPM_BUILD_ROOT%{_libdir}/libpam.so
+ln -sf ../../%{_lib}/libpam.so.%{libpam_so_version} %{buildroot}%{_libdir}/libpam.so
-rm $RPM_BUILD_ROOT/%{_lib}/libpamc.so
+rm %{buildroot}/%{_lib}/libpamc.so
-ln -sf ../../%{_lib}/libpamc.so.%{libpamc_so_version} $RPM_BUILD_ROOT%{_libdir}/libpamc.so
+ln -sf ../../%{_lib}/libpamc.so.%{libpamc_so_version} %{buildroot}%{_libdir}/libpamc.so
-rm $RPM_BUILD_ROOT/%{_lib}/libpam_misc.so
+rm %{buildroot}/%{_lib}/libpam_misc.so
-ln -sf ../../%{_lib}/libpam_misc.so.%{libpam_misc_so_version} $RPM_BUILD_ROOT%{_libdir}/libpam_misc.so
+ln -sf ../../%{_lib}/libpam_misc.so.%{libpam_misc_so_version} %{buildroot}%{_libdir}/libpam_misc.so
 #
 # Remove crap
 #
-rm -rf $RPM_BUILD_ROOT/%{_lib}/*.la $RPM_BUILD_ROOT/%{_lib}/security/*.la
+find %{buildroot} -type f -name "*.la" -delete -print
 for x in pam_unix_auth pam_unix_acct pam_unix_passwd pam_unix_session; do
-  ln -f $RPM_BUILD_ROOT/%{_lib}/security/pam_unix.so $RPM_BUILD_ROOT/%{_lib}/security/$x.so
+  ln -f %{buildroot}/%{_lib}/security/pam_unix.so %{buildroot}/%{_lib}/security/$x.so
 done
 #
 # Install READMEs of PAM modules
 #
-DOC=$RPM_BUILD_ROOT%{_defaultdocdir}/pam
+DOC=%{buildroot}%{_defaultdocdir}/pam
 mkdir -p $DOC/modules
 (
  cd modules;
@ -207,15 +199,15 @@ mkdir -p $DOC/modules
 #
 # pam_tally is deprecated since ages
 #
-rm -f $RPM_BUILD_ROOT/%{_lib}/security/pam_tally.so
+rm -f %{buildroot}/%{_lib}/security/pam_tally.so
-rm -f $RPM_BUILD_ROOT/sbin/pam_tally
+rm -f %{buildroot}/sbin/pam_tally
-rm -f $RPM_BUILD_ROOT%{_mandir}/man8/pam_tally.8*
+rm -f %{buildroot}%{_mandir}/man8/pam_tally.8*
-rm -f $RPM_BUILD_ROOT%{_defaultdocdir}/pam/modules/README.pam_tally
+rm -f %{buildroot}%{_defaultdocdir}/pam/modules/README.pam_tally
 # Install unix2_chkpwd
-install -m 755 $RPM_BUILD_DIR/unix2_chkpwd $RPM_BUILD_ROOT/sbin/
+install -m 755 $RPM_BUILD_DIR/unix2_chkpwd %{buildroot}/sbin/
-install -m 644 $RPM_SOURCE_DIR/unix2_chkpwd.8 $RPM_BUILD_ROOT%{_mandir}/man8/
+install -m 644 $RPM_SOURCE_DIR/unix2_chkpwd.8 %{buildroot}%{_mandir}/man8/
 # Create filelist with translatins
-%{find_lang} Linux-PAM
+%find_lang Linux-PAM
 %verifyscript
 %verify_permissions -e /sbin/unix_chkpwd
@ -229,8 +221,8 @@ install -m 644 $RPM_SOURCE_DIR/unix2_chkpwd.8 $RPM_BUILD_ROOT%{_mandir}/man8/
 %postun -p /sbin/ldconfig
 %files -f Linux-PAM.lang
 %defattr(-,root,root)
 %dir %{_sysconfdir}/pam.d
 %dir %{_prefix}%{_sysconfdir}/pam.d
 %dir %{_sysconfdir}/security
 %dir %{_sysconfdir}/security/limits.d
 %dir %{_defaultdocdir}/pam
@ -251,10 +243,10 @@ install -m 644 $RPM_SOURCE_DIR/unix2_chkpwd.8 $RPM_BUILD_ROOT%{_mandir}/man8/
 %dir %{_sysconfdir}/security/namespace.d
 %doc NEWS
 %license COPYING
-%doc %{_mandir}/man5/environment.5*
+%{_mandir}/man5/environment.5%{?ext_man}
-%doc %{_mandir}/man5/*.conf.5*
+%{_mandir}/man5/*.conf.5%{?ext_man}
-%doc %{_mandir}/man5/pam.d.5*
+%{_mandir}/man5/pam.d.5%{?ext_man}
-%doc %{_mandir}/man8/*
+%{_mandir}/man8/*
 /%{_lib}/libpam.so.0
 /%{_lib}/libpam.so.%{libpam_so_version}
 /%{_lib}/libpamc.so.0
@ -330,9 +322,9 @@ install -m 644 $RPM_SOURCE_DIR/unix2_chkpwd.8 $RPM_BUILD_ROOT%{_mandir}/man8/
 %files devel
 %defattr(644,root,root,755)
-%dir /usr/include/security
+%dir %{_includedir}/security
-%doc %{_mandir}/man3/pam*
+%{_mandir}/man3/pam*
-%doc %{_mandir}/man3/misc_conv.3*
+%{_mandir}/man3/misc_conv.3%{?ext_man}
 %{_includedir}/security/*.h
 %{_libdir}/libpam.so
 %{_libdir}/libpamc.so
--- a/usr-etc-support.patch
+++ b/usr-etc-support.patch
@ -0,0 +1,81 @@
 --- doc/man/pam.8.xml
 +++ doc/man/pam.8.xml	2019/08/16 13:37:44
@@ -53,11 +53,13 @@
     <para>
       Vendor-supplied PAM configuration files might be installed in
 -      the system directory <filename>/usr/lib/pam.d/</filename> instead
 +      the system directory <filename>/usr/lib/pam.d/</filename> or
 +      <filename>/usr/etc/pam.d/</filename> instead
       of the machine configuration directory <filename>/etc/pam.d/</filename>.
       If no machine configuration file is found, the vendor-supplied file
       is used. All files in <filename>/etc/pam.d/</filename> override
 -      files with the same name in <filename>/usr/lib/pam.d/</filename>.
 +      files with the same name in <filename>/usr/lib/pam.d/</filename>,
 +      which override files with the same name in <filename>/usr/etc/pam.d/</filename>.
     </para>
 <para>From the point of view of the system administrator, for whom this
@@ -157,6 +159,16 @@
           </para>
         </listitem>
       </varlistentry>
 +      <term><filename>/usr/etc/pam.d</filename></term>
 +        <listitem>
 +          <para>
 +            the <emphasis remap='B'>Linux-PAM</emphasis> vendor configuration
 +	    directory. Files in <filename>/etc/pam.d</filename> and
 +	    <filename>/usr/lib/pam.d</filename> override files with the same
 +	    name in this directory.
 +          </para>
 +        </listitem>
 +      </varlistentry>
     </variablelist>
   </refsect1>
 --- libpam/pam_handlers.c
 +++ libpam/pam_handlers.c	2019/08/16 13:35:31
@@ -329,6 +329,21 @@
 	    *file = f;
 	    return PAM_SUCCESS;
     }
 +
 +    /* System Configuration /usr/etc/pam.d/ */
 +    _pam_drop(p);
 +    if (asprintf (&p, PAM_CONFIG_DIST2_DF, service) < 0) {
 +        pam_syslog(pamh, LOG_CRIT, "asprintf failed");
 +        return PAM_BUF_ERR;
 +    }
 +    D(("opening %s", p));
 +    f = fopen(p, "r");
 +    if (f != NULL) {
 +            *path = p;
 +            *file = f;
 +            return PAM_SUCCESS;
 +    }
 +
     _pam_drop(p);
     return PAM_ABORT;
@@ -447,7 +462,8 @@
 	/* Is there a PAM_CONFIG_D directory? */
 	if ((stat(PAM_CONFIG_D, &test_d) == 0 && S_ISDIR(test_d.st_mode)) ||
 -	    (stat(PAM_CONFIG_DIST_D, &test_d) == 0 && S_ISDIR(test_d.st_mode))) {
 +	    (stat(PAM_CONFIG_DIST_D, &test_d) == 0 && S_ISDIR(test_d.st_mode)) ||
 +	    (stat(PAM_CONFIG_DIST2_D, &test_d) == 0 && S_ISDIR(test_d.st_mode))) {
 	    char *path = NULL;
 	    int read_something=0;
 --- libpam/pam_private.h
 +++ libpam/pam_private.h	2019/08/16 13:33:04
@@ -29,6 +29,9 @@
 #define PAM_CONFIG_DF      "/etc/pam.d/%s"
 #define PAM_CONFIG_DIST_D  "/usr/lib/pam.d"
 #define PAM_CONFIG_DIST_DF "/usr/lib/pam.d/%s"
 +#define PAM_CONFIG_DIST2_D  "/usr/etc/pam.d"
 +#define PAM_CONFIG_DIST2_DF "/usr/etc/pam.d/%s"
 +
 #define PAM_DEFAULT_SERVICE        "other"     /* lower case */