# Shared-library soname major and the derived sub-package names.
%define major 0
%define libname %mklibname %{name} %{major}
%define libnamec %mklibname %{name}c %{major}
%define libname_misc %mklibname %{name}_misc %{major}
%define devname %mklibname %{name} -d

# Build switches: prelude and bootstrap are off by default, selinux is on.
%bcond_with prelude
%bcond_with bootstrap
%bcond_without selinux

%define pam_redhat_version 1.1.4

Summary:	A security tool which provides authentication for applications
Name:		pam
Version:	1.6.0
Release:	1
Epoch:		1
# The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
# as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+.
License:	BSD and GPLv2+
Group:		System/Libraries
Url:		http://www.kernel.org/pub/linux/libs/pam/index.html
# NOTE(review): nothing in this spec records a checksum or signature for the
# two remote tarballs below; integrity of the authentication stack's sources
# then depends on whatever the build system or source repository enforces.
# Confirm that such a check exists.
Source0:	https://github.com/linux-pam/linux-pam/releases/download/v%{version}/Linux-PAM-%{version}.tar.xz
Source2:	https://releases.pagure.org/pam-redhat/pam-redhat-%{pam_redhat_version}.tar.bz2
Source5:	other.pamd
Source6:	system-auth.pamd
Source7:	config-util.pamd
Source8:	dlopen.sh
Source9:	system-auth.5
Source10:	config-util.5
Source11:	postlogin.pamd
Source12:	postlogin.5
Source13:	pamtmp.conf
Source14:	90-nproc.conf
Source15:	password-auth.pamd
Source16:	smartcard-auth.pamd
# Add missing documentation
Source501:	pam_tty_audit.8
Source502:	README

# RedHat patches
Patch1:		pam-1.6.0-redhat-modules.patch
Patch9:		pam-1.6.0-noflex.patch
# Upstreamed partially
# NOTE(review): this URL points at the "master" branch of Fedora dist-git,
# a moving ref, so the patch behind it can change without this spec changing.
# A commit-pinned URL or a locally stored copy keeps the build reproducible.
Patch33:	https://src.fedoraproject.org/rpms/pam/raw/master/f/pam-1.3.0-unix-nomsg.patch

# OpenMandriva specific sources/patches
# (fl) fix infinite loop
Patch507:	pam-0.74-loop.patch
# (fc) 0.75-29mdk don't complain when / is owned by root.adm
Patch508:	Linux-PAM-0.99.3.0-pamtimestampadm.patch
Patch509:	Linux-PAM-0.99.3.0-pbuild-rh.patch
# (fl) pam_xauth: set extra groups because in high security levels
#      access to /usr/X11R6/bin dir is controlled by a group
Patch512:	Linux-PAM-1.6.0-xauth-groups.patch
Patch700:	pam_fix_static_pam_console.patch
# (proyvind): add missing constant that went with rpc removal from glibc 2.14
Patch702:	Linux-PAM-1.6.0-add-now-missing-nis-constant.patch
# (akdengi) add user to the default group "users", which is needed for Samba
Patch801:	Linux-PAM-1.1.4-group_add_users.patch

%if %{with selinux}
BuildRequires:	selinux-devel >= 2.1.6-7
%endif
BuildRequires:	bison
BuildRequires:	flex
%if %{without bootstrap}
# this pulls in the mega texlive load
BuildRequires:	linuxdoc-tools
%endif
BuildRequires:	cracklib-devel
BuildRequires:	libaudit-devel
BuildRequires:	db_nss-devel
BuildRequires:	gettext-devel
BuildRequires:	pkgconfig(libtirpc)
BuildRequires:	db-devel
BuildRequires:	html2text
BuildRequires:	docbook-dtd412-xml
BuildRequires:	docbook-dtd43-xml
BuildRequires:	docbook-dtd44-xml
BuildRequires:	docbook-style-xsl
BuildRequires:	docbook-dtds
BuildRequires:	xsltproc
%if %{with prelude}
BuildRequires:	prelude-devel >= 0.9.0
%else
BuildConflicts:	pkgconfig(libprelude)
%endif
Requires:	cracklib-dicts
Requires:	setup >= 2.7.12-2
Requires(post):	coreutils >= 8.12-7.2
Requires:	libpwquality >= 0.9.9

%description
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policy without
having to recompile programs that handle authentication.

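%files -f Linux-PAM.lang
%doc NEWS
%docdir %{_docdir}/%{name}
# Main stack definition: world-readable, group shadow, never overwritten on upgrade.
%attr(0644,root,shadow) %config(noreplace) %{_sysconfdir}/pam.d/system-auth
%attr(0644,root,shadow) %config(noreplace) %{_sysconfdir}/pam.d/system-auth-default
# Helper binaries. unix_update is root-only; pam_timestamp_check and
# unix_chkpwd are the only setuid-root files shipped by this package, so any
# addition to the 4755 list deserves a review of its own.
%attr(0700,root,root) %{_sbindir}/unix_update
%attr(0755,root,root) %{_sbindir}/mkhomedir_helper
%attr(0755,root,root) %{_sbindir}/pam_namespace_helper
%attr(0755,root,root) %{_sbindir}/pwhistory_helper
%attr(4755,root,root) %{_sbindir}/pam_timestamp_check
%attr(4755,root,root) %{_sbindir}/unix_chkpwd
%attr(755,root,root) %config(noreplace) %{_sysconfdir}/security/namespace.init
# Administrator-editable policy files: local edits survive upgrades.
%config(noreplace) %{_sysconfdir}/environment
%config(noreplace) %{_sysconfdir}/security/access.conf
%config(noreplace) %{_sysconfdir}/security/chroot.conf
%config(noreplace) %{_sysconfdir}/security/console.handlers
%config(noreplace) %{_sysconfdir}/security/console.perms
%config(noreplace) %{_sysconfdir}/security/faillock.conf
%config(noreplace) %{_sysconfdir}/security/group.conf
%config(noreplace) %{_sysconfdir}/security/limits.conf
%config(noreplace) %{_sysconfdir}/security/limits.d/90-nproc.conf
%config(noreplace) %{_sysconfdir}/security/namespace.conf
# opasswd has no explicit attr here, so it keeps the mode it gets in the
# install stage of this spec (600).
%config(noreplace) %{_sysconfdir}/security/opasswd
%config(noreplace) %{_sysconfdir}/security/pam_env.conf
%if %{with selinux}
%config(noreplace) %{_sysconfdir}/security/sepermit.conf
%endif
%config(noreplace) %{_sysconfdir}/security/time.conf
# Plain config (no noreplace): the packaged version wins on upgrade and a
# locally modified copy is kept aside as .rpmsave.
%config %{_sysconfdir}/pam.d/config-util
%config %{_sysconfdir}/pam.d/other
%config %{_sysconfdir}/pam.d/password-auth
%config %{_sysconfdir}/pam.d/postlogin
%config %{_sysconfdir}/pam.d/smartcard-auth
%dir %{_libdir}/security
%dir %{_sysconfdir}/pam.d
%dir %{_sysconfdir}/security/console.apps
%dir %{_sysconfdir}/security/console.perms.d
%dir %{_sysconfdir}/security/limits.d
# NOTE(review): the prep stage rewrites /var/run to /run throughout the
# sources; confirm this ghost path still matches what the modules use.
%ghost %dir /var/run/console
%ghost /var/log/tallylog
%{_libdir}/security/pam_filter
%{_libdir}/security/*.so
%{_mandir}/man5/*
%{_mandir}/man8/*
%{_prefix}/lib/systemd/system/pam_namespace.service
%{_prefix}/lib/tmpfiles.d/pam.conf
%{_sbindir}/faillock
%{_sbindir}/pam_console_apply

%posttrans
# (cg) Ensure that the pam_systemd.so is included for user ACLs under systemd
# Note: Only affects upgrades, but does no harm so always update if needed.
if ! grep -q "pam_systemd\.so" /etc/pam.d/system-auth; then
    echo "-session optional pam_systemd.so" >>/etc/pam.d/system-auth
fi
# Create the counter file only when it does not exist yet.
# The test uses -e on purpose: with three arguments, "[ ! -a FILE ]" is parsed
# as the binary AND of two non-empty strings and is therefore always true,
# which replaced an existing tallylog with an empty file on every transaction.
if [ ! -e /var/log/tallylog ] ; then
    install -m 600 /dev/null /var/log/tallylog
fi

#----------------------------------------------------------------------------

%package doc
Summary:	Additional documentation for %{name}
Group:		Documentation
Requires:	%{name} = %{EVRD}

%description doc
This is the documentation package of %{name}.

%files doc
%doc doc/txts doc/specs/rfc86.0.txt Copyright
%doc %{_docdir}/%{name}/*

#----------------------------------------------------------------------------

%package -n %{libname}
Summary:	Library for %{name}
Group:		System/Libraries
Conflicts:	pam < 1.1.4-5

%description -n %{libname}
This package contains the library libpam for %{name}.

%files -n %{libname}
%{_libdir}/libpam.so.%{major}*

#----------------------------------------------------------------------------

%package -n %{libnamec}
Summary:	Library for %{name}
Group:		System/Libraries
Conflicts:	%{_lib}pam0 < 1.1.4-5

%description -n %{libnamec}
This package contains the library libpamc for %{name}.

%files -n %{libnamec}
%{_libdir}/libpamc.so.%{major}*

#----------------------------------------------------------------------------

%package -n %{libname_misc}
Summary:	Library for %{name}
Group:		System/Libraries
Conflicts:	%{_lib}pam0 < 1.1.4-5

%description -n %{libname_misc}
This package contains the library libpam_misc for %{name}.
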
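%files -n %{libname_misc}
%{_libdir}/libpam_misc.so.%{major}*

#----------------------------------------------------------------------------

%package -n %{devname}
Summary:	Development headers and libraries for %{name}
Group:		Development/Other
Requires:	%{libname} = %{EVRD}
Requires:	%{libnamec} = %{EVRD}
Requires:	%{libname_misc} = %{EVRD}
Provides:	%{name}-devel = %{EVRD}

%description -n %{devname}
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policy without
having to recompile programs that handle authentication.

This package contains the development libraries for %{name}.

%files -n %{devname}
%doc Copyright
%{_libdir}/libpam.so
%{_libdir}/libpam_misc.so
%{_libdir}/libpamc.so
%{_includedir}/security/*.h
%{_mandir}/man3/*

#----------------------------------------------------------------------------

%prep
# Unpack Linux-PAM and, next to it, the pam-redhat tarball (source 2).
%setup -q -n Linux-PAM-%{version} -a 2

# Add custom modules.
mv pam-redhat-%{pam_redhat_version}/* modules

%autopatch -p1

# Install the pam_namespace unit under the distribution's systemd unit directory.
sed -i 's!$(prefix)/lib/systemd/system!%{_prefix}/lib/systemd/system!g' modules/pam_namespace/Makefile.*

# replace /var/run with /run
find . -type f -exec sed -i 's!/var/run!/run!g' {} \;

install -m644 %{SOURCE501} %{SOURCE502} modules/pam_tty_audit/

# We have non upstream translation for version 1.3.0
# Replace original po/ru.po with our fork.
# Ported to upstream git master:
# https://github.com/linux-pam/linux-pam/pull/152

rm -rf doc/txts/README.pam_tally*
rm -rf doc/sag/html/*pam_tally*

touch ChangeLog # to make autoreconf happy
autoreconf -fi -I m4

%build
autoreconf -fi
# An empty BROWSER is exported for the documentation build.
export BROWSER=""
%configure \
	--disable-static \
	--docdir=%{_docdir}/%{name} \
	--enable-audit \
	--enable-cracklib \
	--enable-docu --enable-regenerate-docu \
%if %{with prelude}
	--enable-prelude \
%else
	--disable-prelude \
%endif
%if %{with selinux}
	--enable-selinux \
%else
	--disable-selinux \
%endif
	--includedir=%{_includedir}/security \
	--libdir=%{_libdir} \
	--sbindir=%{_sbindir} \
	--with-db-uniquename=_nss

%make_build

%install
# Collect every module README as doc/txts/README.<module directory name>.
mkdir -p doc/txts
for readme in modules/pam_*/README ; do
	module_dir=$(dirname "${readme}")
	cp -f "${readme}" "doc/txts/README.${module_dir#modules/}"
done

mkdir -p %{buildroot}%{_includedir}/security
mkdir -p %{buildroot}%{_libdir}/security
%make_install LDCONFIG=:

# Distribution-provided service stacks.
install -d -m 755 %{buildroot}/etc/pam.d
install -m 644 %{SOURCE5} %{buildroot}/etc/pam.d/other
install -m 644 %{SOURCE6} %{buildroot}/etc/pam.d/system-auth
install -m 644 %{SOURCE7} %{buildroot}/etc/pam.d/config-util
install -m 644 %{SOURCE11} %{buildroot}/etc/pam.d/postlogin
install -m 644 %{SOURCE15} %{buildroot}/etc/pam.d/password-auth
install -m 644 %{SOURCE16} %{buildroot}/etc/pam.d/smartcard-auth
# Empty state files, created owner-only (600) from the start.
install -m 600 /dev/null %{buildroot}%{_sysconfdir}/security/opasswd
install -d -m 755 %{buildroot}/var/log
install -m 600 /dev/null %{buildroot}/var/log/tallylog
install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/security/limits.d/90-nproc.conf

# Install man pages.
install -m 644 %{SOURCE9} %{SOURCE10} %{SOURCE12} %{buildroot}%{_mandir}/man5/

# no longer needed, handled by ACL in udev

# Per-phase names for pam_unix.so, all pointing at the single module.
for phase in auth acct passwd session ; do
	ln -sf pam_unix.so %{buildroot}%{_libdir}/security/pam_unix_${phase}.so
done

# cleanup
rm -f %{buildroot}%{_libdir}/security/*.la
rm -f %{buildroot}%{_libdir}/*.la

# Set suid bit for /usr/sbin/unix_chkpwd (bug #3169)
chmod u+s %{buildroot}%{_sbindir}/unix_chkpwd

# Install the file for autocreation of /var/run subdirectories on boot
# (the directory name was previously misspelled "tmfiles.d", which left a
# stray empty directory in the buildroot).
mkdir -p %{buildroot}%{_prefix}/lib/tmpfiles.d/
install -m644 -D %{SOURCE13} %{buildroot}%{_prefix}/lib/tmpfiles.d/pam.conf

# For drakauth copy system-auth to system-auth-default
cp -f %{buildroot}/etc/pam.d/system-auth %{buildroot}/etc/pam.d/system-auth-default

# Localize format of last login time (shown by pam_lastlog in e.g. gdm)
# These are arguments of strftime(). Here "Пт дек 9 11:31:43 MSK 2022"
# is changed to "Пт, 9 декабря 11:32" (ask Survolog@, I (mikhailnov@) do not understand)
# https://bugzilla.rosalinux.ru/show_bug.cgi?id=13004
pushd %{buildroot}%{_datadir}/locale/ru/LC_MESSAGES
msgunfmt Linux-PAM.mo -o Linux-PAM.po
rm -f Linux-PAM.mo
# \x25 - symbol %%, info about %%a, %%e, %%B etc. in man date.
sed -i "/msgstr/ s/ \x25a \x25b \x25e \x25H:\x25M:\x25S \x25Z \x25Y/ \x25a, \x25e \x25B \x25H:\x25M/" Linux-PAM.po
sed -i "/msgstr/ s/Последний вход в систему:/Последний вход:/" Linux-PAM.po
msgfmt Linux-PAM.po -o Linux-PAM.mo
rm -f Linux-PAM.po
popd

%find_lang Linux-PAM

%check
# Verify that every module directory produced a loadable object.
# EXCEPT is a space-separated list of module directory names that are allowed
# to build nothing in the current configuration.
#
# NOTE(review): this loop used to be inert. The list was assigned to EXCEPT but
# read back as the unset lower-case "except", and an empty pattern on the right
# of =~ matches every directory, so the negated test never passed and no module
# was ever checked. Now that it runs, any directory that legitimately builds no
# module (other selinux-dependent modules in a build without selinux, or
# modules the configure step leaves out) has to be added to EXCEPT.
EXCEPT=''
%if %{without selinux}
EXCEPT='pam_selinux'
%endif
for dir in modules/pam_* ; do
	name=$(basename "${dir}")
	case " ${EXCEPT} " in
		*" ${name} "*) continue ;;
	esac
	if ! ls -1 %{buildroot}%{_libdir}/security/"${name}"*.so ; then
		echo ERROR "${name}" did not build a module.
		exit 1
	fi
done

# Check for module problems. Specifically, check that every module we just
# installed can actually be loaded by a minimal PAM-aware application.
%{_sbindir}/ldconfig -n %{buildroot}%{_libdir}
for module in %{buildroot}%{_libdir}/security/pam*.so ; do
	if ! env LD_LIBRARY_PATH=%{buildroot}%{_libdir} \
		sh %{SOURCE8} -ldb -ldl -lpam -L%{buildroot}%{_libdir} "${module}" ; then
		echo ERROR module: "${module}" cannot be loaded.
		exit 1
	fi
done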