sys-libs/pam: Apply Flatcar patches

flatcar · Jun 26, 2024 · d5833e2 · d5833e2
1 parent cc8dd25
commit d5833e2
Show file tree

Hide file tree

Showing 5 changed files with 55 additions and 154 deletions.
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/README.md
@@ -0,0 +1,21 @@
+This is a fork of gentoo's sys-libs/pam package. The main reasons
+for having our fork seem to be:
+
+1. We add a locked account functionality. If the account in
+   `/etc/shadow` has an exclamation mark (`!`) as a first character in
+   the password field, then the account is blocked.
+
+2. We install configuration in `/usr/lib/pam`, so the configuration in
+   `/etc` provided by administration can override the config we
+   install.
+
+3. For an unknown reason we drop `gen_usr_ldscript -a pam pam_misc
+   pamc` from the recipe.
+
+4. We make the `/sbin/unix_chkpwd` binary a suid one instead of
+   overriding giving it a CAP_DAC_OVERRIDE to avoid a dependency loop
+   between pam and libcap. The binary needs to be able to read
+   /etc/shadow, so either suid or CAP_DAC_OVERRIDE capability should
+   work. A suid binary is strictly less secure than capability
+   override, so in long-term we would prefer to avoid having this
+   hack. On the other hand - this is what we had so far.
diff --git a/...ntainer/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch b/...ntainer/src/third_party/coreos-overlay/sys-libs/pam/files/pam-1.5.0-locked-accounts.patch
@@ -0,0 +1,13 @@
+diff -ur linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16.orig/modules/pam_unix/support.c linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16/modules/pam_unix/support.c
+--- linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16.orig/modules/pam_unix/support.c	2020-08-18 20:50:27.226355628 +0200
++++ linux-pam-d5cb4409ab6b04a6ed7c00245e2c9a430f352b16/modules/pam_unix/support.c	2020-08-18 20:51:20.456212931 +0200
+@@ -847,6 +847,9 @@
+         return retval;
+     }
+
++    if (pwent->pw_passwd != NULL && pwent->pw_passwd[0] == '!')
++        return PAM_PERM_DENIED;
++
+     if (retval == PAM_SUCCESS && spent == NULL)
+         return PAM_SUCCESS;
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf
@@ -0,0 +1,11 @@
+d /etc/pam.d			0755 root root	-	-
+d /etc/security			0755 root root	-	-
+d /etc/security/limits.d	0755 root root	-	-
+d /etc/security/namespace.d	0755 root root	-	-
+f /etc/environment		0755 root root	-	-
+L /etc/security/access.conf	-    -	  -	-	../../usr/lib/pam/security/access.conf
+L /etc/security/group.conf	-    - 	  - 	-	../../usr/lib/pam/security/group.conf
+L /etc/security/limits.conf	-    -	  -	-	../../usr/lib/pam/security/limits.conf
+L /etc/security/namespace.conf	-    -	  -	-	../../usr/lib/pam/security/namespace.conf
+L /etc/security/pam_env.conf	-    -	  -	-	../../usr/lib/pam/security/pam_env.conf
+L /etc/security/time.conf	-    -	  -	-	../../usr/lib/pam/security/time.conf
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.3-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.3-r1.ebuild
@@ -46,6 +46,7 @@ RDEPEND="${DEPEND}"
 PDEPEND=">=sys-auth/pambase-20200616"
 
 PATCHES=(
+	"${FILESDIR}"/${PN}-1.5.0-locked-accounts.patch
 	"${FILESDIR}/${P}-termios.patch"
 )
 
@@ -101,6 +102,7 @@ multilib_src_configure() {
 		$(use_enable nis)
 		$(use_enable selinux)
 		--enable-isadir='.' # bug #464016
+		--enable-vendordir="/usr/lib/pam/"
 	)
 	ECONF_SOURCE="${S}" econf "${myconf[@]}"
 }
@@ -117,10 +119,18 @@ multilib_src_install() {
 multilib_src_install_all() {
 	find "${ED}" -type f -name '*.la' -delete || die
 
+	# Flatcar: The pam_unix module needs to check the password of
+	# the user which requires read access to /etc/shadow
+	# only. Make it suid instead of using CAP_DAC_OVERRIDE to
+	# avoid a pam -> libcap -> pam dependency loop.
+	fperms 4711 /sbin/unix_chkpwd
+
 	# tmpfiles.eclass is impossible to use because
 	# there is the pam -> tmpfiles -> systemd -> pam dependency loop
 	dodir /usr/lib/tmpfiles.d
 
+	rm "${D}/etc/environment"
+	cp "${FILESDIR}/tmpfiles.d/pam.conf" "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-config.conf
 	cat ->>  "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_
 		d /run/faillock 0755 root root
 	_EOF_
@@ -146,8 +156,4 @@ pkg_postinst() {
 	ewarn "  lsof / | grep -E -i 'del.*libpam\\.so'"
 	ewarn ""
 	ewarn "Alternatively, simply reboot your system."
-
-	# The pam_unix module needs to check the password of the user which requires
-	# read access to /etc/shadow only.
-	fcaps cap_dac_override sbin/unix_chkpwd
 }
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.6.1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.6.1.ebuild