-
Notifications
You must be signed in to change notification settings - Fork 52
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upgrade to linux-pam-1.5.3-r1 #2049
Upgrade to linux-pam-1.5.3-r1 #2049
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've checked the upstream Gentoo diff between the old and new PAM versions and this lines up. I would prefer to see this vendor change upstream, but we already have our own custom changes. I'll look at upstreaming those another time.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually cancel that, this undoes the Flatcar-specific permissions adjustment on /sbin/unix_chkpwd
. Please restore that.
To help you, here are our relevant changes. --- /dev/fd/63 2024-06-24 12:13:12.434175945 +0100
+++ /home/chewi/Projects/flatcar/scripts/repos/flatcar-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild 2024-06-23 19:14:56.550235722 +0100
@@ -7,7 +7,7 @@
# Can reconsider w/ EAPI 8 and IDEPEND, bug #810979
TMPFILES_OPTIONAL=1
-inherit autotools db-use fcaps toolchain-funcs usr-ldscript multilib-minimal
+inherit autotools db-use toolchain-funcs usr-ldscript multilib-minimal
GIT_COMMIT="fe1307512fb8892b5ceb3d884c793af8dbd4c16a"
DOC_SNAPSHOT="20210610"
@@ -47,6 +47,7 @@
S="${WORKDIR}/linux-${PN}-${GIT_COMMIT}"
PATCHES=(
+ "${FILESDIR}"/${PN}-1.5.0-locked-accounts.patch
"${FILESDIR}"/${PN}-1.5.1-musl.patch
)
@@ -91,18 +93,24 @@
multilib_src_install() {
emake DESTDIR="${D}" install \
sepermitlockdir="/run/sepermit"
-
- gen_usr_ldscript -a pam pam_misc pamc
}
multilib_src_install_all() {
find "${ED}" -type f -name '*.la' -delete || die
+ # Flatcar: The pam_unix module needs to check the password of
+ # the user which requires read access to /etc/shadow
+ # only. Make it suid instead of using CAP_DAC_OVERRIDE to
+ # avoid a pam -> libcap -> pam dependency loop.
+ fperms 4711 /sbin/unix_chkpwd
+
# tmpfiles.eclass is impossible to use because
# there is the pam -> tmpfiles -> systemd -> pam dependency loop
dodir /usr/lib/tmpfiles.d
+ rm "${D}/etc/environment"
+ cp "${FILESDIR}/tmpfiles.d/pam.conf" "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}-config.conf
cat ->> "${D}"/usr/lib/tmpfiles.d/${CATEGORY}-${PN}.conf <<-_EOF_
d /run/faillock 0755 root root
_EOF_
@@ -128,8 +136,4 @@
ewarn " lsof / | grep -E -i 'del.*libpam\\.so'"
ewarn ""
ewarn "Alternatively, simply reboot your system."
-
- # The pam_unix module needs to check the password of the user which requires
- # read access to /etc/shadow only.
- fcaps cap_dac_override sbin/unix_chkpwd
} |
Build action triggered: https://github.com/flatcar/scripts/actions/runs/9709243417 |
@chewi I noticed there is an issue for upgrading linux pam to It looks like upstream that it is still masked though. https://github.com/gentoo/gentoo/blob/master/sys-libs/pam/pam-1.6.1.ebuild Not sure how we want to handle this? Should we upgrade to 1.6.1 in this PR or wait until upstream unmasks it? |
3a484bd
to
a4a4c60
Compare
Fixed |
musl patch is no longer required as it was fixed by linux-pam/linux-pam#433 The fix is present in |
a4a4c60
to
6e3dd16
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's better, thank you. There's little difference between the 1.5.3 and 1.6.1 ebuilds, so let's just take this for now.
6e3dd16
to
6737ee8
Compare
af54101
to
8d029df
Compare
8d029df
to
01e9516
Compare
4b64796
to
d5833e2
Compare
CI is failing on multiple tests for
|
Ok that git-hash appears to correspond to b79b816 I think this (https://github.com/flatcar/flatcar-dev-util/blob/flatcar-master/emerge-gitclone#L14) is trying to checkout https://github.com/flatcar/scripts.git at that commit (b79b816) but is failing because that commit is on my fork not in a branch. Is it possible for CI to run successfully for a PR from a fork? Or am I missing something here? |
@markafarrell thanks again for your contribution! I already seen this CI failure in the past, I think it's not related to these changes. |
Update linux-pam to version 1.5.3-r1
Fixes: flatcar/Flatcar#1474
Update linux-pam to version 1.5.3-r1 and enable the use of
vendordir
Vendor dir allows us to install config into
/usr/lib/pam/security
.pam modules will first look for configuration in
/etc/security
and if they are not found there will fallback to/usr/lib/pam/security
Previously we had
sconfigdir
set to/usr/lib/pam
which resulted in configuration being installed to/usr/lib/pam
but left us unable to configure pam modules (as the pam modules used this path as their only source of configuration)How to use
Confirm that ulimit is has changed to 515
Testing done
[Describe the testing you have done before submitting this PR. Please include both the commands you issued as well as the output you got.]
changelog/
directory (user-facing change, bug fix, security fix, update)/boot
and/usr
size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.