M7350v1_en_gpl

This commit is contained in:
T
2024-09-09 08:52:07 +00:00
commit f9cc65cfda
65988 changed files with 26357421 additions and 0 deletions
@@ -0,0 +1 @@
d root root 0755 /var/run/sepermit none
@@ -0,0 +1,35 @@
This patch is used to create a new sub package libpam-xtests to do more checks.
Upstream-Status: Pending
Signed-off-by: Kang Kai <kai.kang@windriver.com>
--- Linux-PAM-1.1.4/xtests/Makefile.am.orig 2011-07-19 17:00:09.619980001 +0800
+++ Linux-PAM-1.1.4/xtests/Makefile.am 2011-07-19 16:54:00.229979998 +0800
@@ -7,7 +7,7 @@
AM_LDFLAGS = -L$(top_builddir)/libpam -lpam \
-L$(top_builddir)/libpam_misc -lpam_misc
-CLEANFILES = *~ $(XTESTS)
+CLEANFILES = *~
EXTRA_DIST = run-xtests.sh tst-pam_dispatch1.pamd tst-pam_dispatch2.pamd \
tst-pam_dispatch3.pamd tst-pam_dispatch4.pamd \
@@ -51,3 +51,18 @@
xtests: $(XTESTS) run-xtests.sh
"$(srcdir)"/run-xtests.sh "$(srcdir)" ${XTESTS} ${NOSRCTESTS}
+
+all: $(XTESTS)
+
+install: install_xtests
+
+install_xtests:
+ $(INSTALL) -d $(DESTDIR)$(pkgdatadir)/xtests
+ for file in $(EXTRA_DIST) ; do \
+ $(INSTALL) $$file $(DESTDIR)$(pkgdatadir)/xtests ; \
+ done
+ for file in $(XTESTS); do \
+ $(INSTALL) .libs/$$file $(DESTDIR)$(pkgdatadir)/xtests ; \
+ done
+
+.PHONY: all install_xtests
@@ -0,0 +1,97 @@
innetgr may not be there so make sure that when innetgr is not present
then we inform about it and not use it.
-Khem
Upstream-Status: Pending
Signed-off-by: Scott Garman <scott.a.garman@intel.com>
Index: Linux-PAM-1.1.3/modules/pam_group/pam_group.c
===================================================================
--- Linux-PAM-1.1.3.orig/modules/pam_group/pam_group.c
+++ Linux-PAM-1.1.3/modules/pam_group/pam_group.c
@@ -659,7 +659,11 @@ static int check_account(pam_handle_t *p
}
/* If buffer starts with @, we are using netgroups */
if (buffer[0] == '@')
- good &= innetgr (&buffer[1], NULL, user, NULL);
+#ifdef HAVE_INNETGR
+ good &= innetgr (&buffer[1], NULL, user, NULL);
+#else
+ pam_syslog (pamh, LOG_ERR, "pam_group does not have netgroup support");
+#endif
/* otherwise, if the buffer starts with %, it's a UNIX group */
else if (buffer[0] == '%')
good &= pam_modutil_user_in_group_nam_nam(pamh, user, &buffer[1]);
Index: Linux-PAM-1.1.3/modules/pam_time/pam_time.c
===================================================================
--- Linux-PAM-1.1.3.orig/modules/pam_time/pam_time.c
+++ Linux-PAM-1.1.3/modules/pam_time/pam_time.c
@@ -555,9 +555,13 @@ check_account(pam_handle_t *pamh, const
}
/* If buffer starts with @, we are using netgroups */
if (buffer[0] == '@')
- good &= innetgr (&buffer[1], NULL, user, NULL);
+#ifdef HAVE_INNETGR
+ good &= innetgr (&buffer[1], NULL, user, NULL);
+#else
+ pam_syslog (pamh, LOG_ERR, "pam_time does not have netgroup support");
+#endif
else
- good &= logic_field(pamh, user, buffer, count, is_same);
+ good &= logic_field(pamh, user, buffer, count, is_same);
D(("with user: %s", good ? "passes":"fails" ));
/* here we get the time field */
Index: Linux-PAM-1.1.3/modules/pam_succeed_if/pam_succeed_if.c
===================================================================
--- Linux-PAM-1.1.3.orig/modules/pam_succeed_if/pam_succeed_if.c
+++ Linux-PAM-1.1.3/modules/pam_succeed_if/pam_succeed_if.c
@@ -231,18 +231,27 @@ evaluate_notingroup(pam_handle_t *pamh,
}
/* Return PAM_SUCCESS if the (host,user) is in the netgroup. */
static int
-evaluate_innetgr(const char *host, const char *user, const char *group)
+evaluate_innetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group)
{
+#ifdef HAVE_INNETGR
if (innetgr(group, host, user, NULL) == 1)
return PAM_SUCCESS;
+#else
+ pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support");
+#endif
+
return PAM_AUTH_ERR;
}
/* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */
static int
-evaluate_notinnetgr(const char *host, const char *user, const char *group)
+evaluate_notinnetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group)
{
+#ifdef HAVE_INNETGR
if (innetgr(group, host, user, NULL) == 0)
return PAM_SUCCESS;
+#else
+ pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support");
+#endif
return PAM_AUTH_ERR;
}
@@ -361,14 +370,14 @@ evaluate(pam_handle_t *pamh, int debug,
const void *rhost;
if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS)
rhost = NULL;
- return evaluate_innetgr(rhost, user, right);
+ return evaluate_innetgr(pamh, rhost, user, right);
}
/* (Rhost, user) is not in this group. */
if (strcasecmp(qual, "notinnetgr") == 0) {
const void *rhost;
if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS)
rhost = NULL;
- return evaluate_notinnetgr(rhost, user, right);
+ return evaluate_notinnetgr(pamh, rhost, user, right);
}
/* Fail closed. */
return PAM_SERVICE_ERR;
@@ -0,0 +1,25 @@
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#
# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
@@ -0,0 +1,18 @@
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
@@ -0,0 +1,26 @@
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords. The default is pam_unix.
# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords. Without this option,
# the default is Unix crypt. Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.
# here are the per-package modules (the "Primary" block)
password [success=1 default=ignore] pam_unix.so obscure sha512
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
@@ -0,0 +1,19 @@
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
@@ -0,0 +1,19 @@
#
# /etc/pam.d/common-session-noninteractive - session-related modules
# common to all non-interactive services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of all non-interactive sessions.
#
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
@@ -0,0 +1,27 @@
#
# /etc/pam.d/other - specify the PAM fallback behaviour
#
# Note that this file is used for any unspecified service; for example
#if /etc/pam.d/cron specifies no session modules but cron calls
#pam_open_session, the session module out of /etc/pam.d/other is
#used.
#If you really want nothing to happen then use pam_permit.so or
#pam_deny.so as appropriate.
# We use pam_warn.so to generate syslog notes that the 'other'
#fallback rules are being used (as a hint to suggest you should setup
#specific PAM rules for the service and aid to debugging). We then
#fall back to the system default in /etc/pam.d/common-*
auth required pam_warn.so
auth include common-auth
account required pam_warn.so
account include common-account
password required pam_warn.so
password include common-password
session required pam_warn.so
session include common-session
@@ -0,0 +1,94 @@
SUMMARY = "Linux-PAM (Pluggable Authentication Modules)"
DESCRIPTION = "Linux-PAM (Pluggable Authentication Modules for Linux), a flexible mechanism for authenticating users"
HOMEPAGE = "https://fedorahosted.org/linux-pam/"
BUGTRACKER = "https://fedorahosted.org/linux-pam/newticket"
SECTION = "base"
# PAM is dual licensed under GPL and BSD.
# /etc/pam.d comes from Debian libpam-runtime in 2009-11 (at that time
# libpam-runtime-1.0.1 is GPLv2+), by openembedded
LICENSE = "GPLv2+ | BSD"
LIC_FILES_CHKSUM = "file://COPYING;md5=ca0395de9a86191a078b8b79302e3083"
PR = "r0"
SRC_URI = "https://fedorahosted.org/releases/l/i/linux-pam/Linux-PAM-${PV}.tar.bz2 \
file://99_pam \
file://pam.d/* \
file://libpam-xtests.patch"
SRC_URI_append_libc-uclibc = " file://pam-no-innetgr.patch"
SRC_URI[md5sum] = "927ee5585bdec5256c75117e9348aa47"
SRC_URI[sha256sum] = "65def4df04254dc4c5156859d36c34ad6d7afbcf3adbf2780530ebc4dbf2a116"
DEPENDS = "bison flex flex-native cracklib"
EXTRA_OECONF = "--with-db-uniquename=_pam \
--includedir=${includedir}/security \
--libdir=${base_libdir} \
--disable-regenerate-docu"
CFLAGS_append = " -fPIC "
S = "${WORKDIR}/Linux-PAM-${PV}"
inherit autotools gettext
PACKAGES += "${PN}-runtime ${PN}-xtests"
FILES_${PN} = "${base_libdir}/lib*${SOLIBS}"
FILES_${PN}-dbg += "${base_libdir}/security/.debug \
${base_libdir}/security/pam_filter/.debug \
${datadir}/Linux-PAM/xtests/.debug"
FILES_${PN}-dev += "${base_libdir}/security/*.la ${base_libdir}/*.la ${base_libdir}/lib*${SOLIBSDEV}"
FILES_${PN}-runtime = "${sysconfdir}"
FILES_${PN}-xtests = "${datadir}/Linux-PAM/xtests"
PACKAGES_DYNAMIC += " pam-plugin-*"
RDEPENDS_${PN}-runtime = "libpam pam-plugin-deny pam-plugin-permit pam-plugin-warn pam-plugin-unix"
RDEPENDS_${PN}-xtests = "libpam pam-plugin-access pam-plugin-debug pam-plugin-cracklib pam-plugin-pwhistory pam-plugin-succeed-if pam-plugin-time coreutils"
RRECOMMENDS_${PN} = "libpam-runtime"
python populate_packages_prepend () {
import os.path
def pam_plugin_append_file(pn, dir, file):
nf = os.path.join(dir, file)
of = d.getVar('FILES_' + pn, True)
if of:
nf = of + " " + nf
d.setVar('FILES_' + pn, nf)
dvar = bb.data.expand('${WORKDIR}/package', d, True)
pam_libdir = bb.data.expand('${base_libdir}/security', d)
pam_sbindir = bb.data.expand('${sbindir}', d)
pam_filterdir = bb.data.expand('${base_libdir}/security/pam_filter', d)
do_split_packages(d, pam_libdir, '^pam(.*)\.so$', 'pam-plugin%s', 'PAM plugin for %s', extra_depends='')
pam_plugin_append_file('pam-plugin-unix', pam_sbindir, 'unix_chkpwd')
pam_plugin_append_file('pam-plugin-unix', pam_sbindir, 'unix_update')
pam_plugin_append_file('pam-plugin-tally', pam_sbindir, 'pam_tally')
pam_plugin_append_file('pam-plugin-tally2', pam_sbindir, 'pam_tally2')
pam_plugin_append_file('pam-plugin-timestamp', pam_sbindir, 'pam_timestamp_check')
pam_plugin_append_file('pam-plugin-mkhomedir', pam_sbindir, 'mkhomedir_helper')
do_split_packages(d, pam_filterdir, '^(.*)$', 'pam-filter-%s', 'PAM filter for %s', extra_depends='')
}
do_install() {
autotools_do_install
# don't install /var/run when populating rootfs. Do it through volatile
rm -rf ${D}/var
install -d ${D}${sysconfdir}/default/volatiles
install -m 0644 ${WORKDIR}/99_pam ${D}/etc/default/volatiles
install -d ${D}${sysconfdir}/pam.d/
install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/
}
pkg_postinst_pam-plugin-unix () {
# below is necessary to allow unix_chkpwd get user info from shadow file
# on lsb images
chmod 4755 ${sbindir}/unix_chkpwd
}