pam/pam.spec

%define major 0
%define libname %mklibname %{name} %{major}
%define libnamec %mklibname %{name}c %{major}
%define libname_misc %mklibname %{name}_misc %{major}
%define devname %mklibname %{name} -d

%bcond_with prelude

%bcond_with bootstrap

%bcond_without selinux

%define pam_redhat_version 0.99.10-1

Epoch:      1

Summary:    A security tool which provides authentication for applications
Name:       pam
Version:    1.1.8
Release:    26
# The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
# as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
License:    BSD and GPLv2+
Group:      System/Libraries
Url:        http://www.kernel.org/pub/linux/libs/pam/index.html
Source0:    ftp://ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2
Source2:    pam-redhat-%{pam_redhat_version}.tar.bz2
Source5:    other.pamd
Source6:    system-auth.pamd
Source7:    config-util.pamd
Source8:    dlopen.sh
Source9:    system-auth.5
Source10:   config-util.5
Source11:   postlogin.pamd
Source12:   postlogin.5
Source13:   pamtmp.conf
Source14:   90-nproc.conf
Source15:   password-auth.pamd
Source16:   smartcard-auth.pamd
#add missing documentation
Source501:  pam_tty_audit.8
Source502:  README

# RedHat patches
Patch1:  pam-1.0.90-redhat-modules.patch
Patch2:  pam-1.1.6-std-noclose.patch
Patch4:  pam-1.1.0-console-nochmod.patch
Patch5:  pam-1.1.0-notally.patch
Patch7:  pam-1.1.0-console-fixes.patch
Patch9:  pam-1.1.6-noflex.patch
Patch10: pam-1.1.3-nouserenv.patch
Patch11: pam-1.1.3-console-abstract.patch
Patch13: pam-1.1.5-limits-user.patch
Patch14: pam-1.1.1-faillock.patch
Patch22: pam-1.1.7-unix-build.patch
Patch32: pam-1.1.7-tty-audit-init.patch
Patch33: pam-1.1.8-audit-grantor.patch
Patch34: pam-1.1.8-audit-user-mgmt.patch
Patch35: pam-1.1.8-canonicalize-username.patch
Patch36: pam-1.1.8-full-relro.patch
Patch37: pam-1.1.8-lastlog-uninitialized.patch
Patch38: pam-1.1.8-limits-check-process.patch
Patch39: pam-1.1.8-limits-docfix.patch
Patch40: pam-1.1.8-loginuid-container.patch
Patch41: pam-1.1.8-man-dbsuffix.patch
Patch42: pam-1.1.8-opasswd-tolerant.patch
Patch43: pam-1.1.8-pwhistory-helper.patch

# ROSA specific sources/patches
# (fl) fix infinite loop
Patch507:   pam-0.74-loop.patch
# (fc) 0.75-29mdk don't complain when / is owned by root.adm
Patch508:   Linux-PAM-0.99.3.0-pamtimestampadm.patch
# (fl) pam_xauth: set extra groups because in high security levels
#      access to /usr/X11R6/bin dir is controlled by a group
##Patch512: Linux-PAM-1.1.1-xauth-groups.patch
# (tv/blino) add defaults for nice/rtprio in /etc/security/limits.conf
Patch517:   Linux-PAM-0.99.3.0-enable_rt.patch

Patch700:   pam_fix_static_pam_console.patch
# (fc) do not output error when no file is in /etc/security/console.perms.d/
Patch701:   pam-1.1.0-console-nopermsd.patch
# (proyvind): add missing constant that went with rpc removal from glibc 2.14
Patch702:   Linux-PAM-1.1.4-add-now-missing-nis-constant.patch

# (akdengi) add user to default group users which need for Samba
Patch801:   Linux-PAM-1.1.4-group_add_users.patch
Patch802:   pam-CVE-2014-2583.patch
Patch803:   pam-CVE-2013-7041.patch

Patch804:   pam-1.1.8-pbuild.patch 
# (din) use html2text instead of w3m
Patch805:   pam-1.1.8-browser.patch

%if %{with selinux}
BuildRequires:  selinux-devel >= 2.1.6-7
%endif
BuildRequires:  bison
BuildRequires:  flex
%if %{without bootstrap}
# this pulls in the mega texlive load
BuildRequires:  linuxdoc-tools
%endif
BuildRequires:  cracklib-devel
BuildRequires:  libaudit-devel
BuildRequires:  db_nss-devel
BuildRequires:  gettext-devel
BuildRequires:  pkgconfig(libtirpc)
BuildRequires:  db-devel
BuildRequires:  html2text
BuildRequires:  docbook-dtd412-xml
BuildRequires:  docbook-dtd43-xml
BuildRequires:  docbook-dtd44-xml
BuildRequires:  docbook-style-xsl
BuildRequires:  xsltproc
%if %{with prelude}
BuildRequires:  prelude-devel >= 0.9.0
%else
BuildConflicts: pkgconfig(libprelude)
%endif
Requires:       cracklib-dicts
Requires:       setup >= 2.7.12-2
Requires(pre):  rpm-helper
Requires(post): coreutils >= 8.12-7.2
Conflicts:      %{_lib}pam0 < 1.1.4-5
Requires:       libpwquality >= 0.9.9


%description
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policy without
having to recompile programs that handle authentication.

%files -f Linux-PAM.lang
%doc NEWS
%docdir %{_docdir}/%{name}
%dir %{_sysconfdir}/pam.d
%config(noreplace) %{_sysconfdir}/environment
%config %{_sysconfdir}/pam.d/other
%attr(0644,root,shadow) %config(noreplace) %{_sysconfdir}/pam.d/system-auth
%attr(0644,root,shadow) %config(noreplace) %{_sysconfdir}/pam.d/system-auth-default
%config %{_sysconfdir}/pam.d/config-util
%config %{_sysconfdir}/pam.d/postlogin
%config %{_sysconfdir}/pam.d/password-auth
%config %{_sysconfdir}/pam.d/smartcard-auth
/sbin/pam_console_apply
/sbin/pam_tally2
/sbin/faillock
%attr(4755,root,root) /sbin/pam_timestamp_check
%attr(0755,root,root) /sbin/pwhistory_helper
%attr(4755,root,root) /sbin/unix_chkpwd
%attr(0700,root,root) /sbin/unix_update
%attr(0755,root,root) /sbin/mkhomedir_helper
%config(noreplace) %{_sysconfdir}/security/access.conf
%config(noreplace) %{_sysconfdir}/security/chroot.conf
%config(noreplace) %{_sysconfdir}/security/console.perms
%config(noreplace) %{_sysconfdir}/security/console.handlers
%config(noreplace) %{_sysconfdir}/security/group.conf
%config(noreplace) %{_sysconfdir}/security/limits.conf
%config(noreplace) %{_sysconfdir}/security/namespace.conf
%attr(755,root,root) %config(noreplace) %{_sysconfdir}/security/namespace.init
%config(noreplace) %{_sysconfdir}/security/pam_env.conf
%config(noreplace) %{_sysconfdir}/security/time.conf
%config(noreplace) %{_sysconfdir}/security/opasswd
%config(noreplace) %{_sysconfdir}/security/limits.d/90-nproc.conf
%if %{with selinux}
%config(noreplace) %{_sysconfdir}/security/sepermit.conf
%endif
%dir %{_sysconfdir}/security/console.apps
%dir %{_sysconfdir}/security/console.perms.d
%dir /%{_lib}/security
/%{_lib}/security/*.so
/%{_lib}/security/pam_filter
/usr/lib/tmpfiles.d/pam.conf
%ghost %dir /var/run/console
%ghost /var/log/tallylog
%{_mandir}/man5/*
%{_mandir}/man8/*

%posttrans
# (cg) Ensure that the pam_systemd.so is included for user ACLs under systemd
# Note: Only affects upgrades, but does no harm so always update if needed.
if ! grep -q "pam_systemd\.so" /etc/pam.d/system-auth; then
        echo "-session    optional      pam_systemd.so" >>/etc/pam.d/system-auth
fi

if [ ! -a /var/log/tallylog ] ; then
       install -m 600 /dev/null /var/log/tallylog
fi

#----------------------------------------------------------------------------

%package doc
Summary:    Additional documentation for %{name}
Group:      Documentation
Requires:   %{name} = %{EVRD}

%description doc
This is the documentation package of %{name}.

%files doc
%doc doc/txts doc/specs/rfc86.0.txt Copyright

#----------------------------------------------------------------------------

%package -n %{libname}
Summary:    Library for %{name}
Group:      System/Libraries
Conflicts:  pam < 1.1.4-5

%description -n %{libname}
This package contains the library libpam for %{name}.

%files -n %{libname}
/%{_lib}/libpam.so.%{major}*

#----------------------------------------------------------------------------

%package -n %{libnamec}
Summary:    Library for %{name}
Group:      System/Libraries
Conflicts:  %{_lib}pam0 < 1.1.4-5

%description -n %{libnamec}
This package contains the library libpamc for %{name}.

%files -n %{libnamec}
/%{_lib}/libpamc.so.%{major}*

#----------------------------------------------------------------------------

%package -n %{libname_misc}
Summary:    Library for %{name}
Group:      System/Libraries
Conflicts:  %{_lib}pam0 < 1.1.4-5

%description -n %{libname_misc}
This package contains the library libpam_misc for %{name}.

%files -n %{libname_misc}
/%{_lib}/libpam_misc.so.%{major}*

#----------------------------------------------------------------------------

%package -n %{devname}
Summary:    Development headers and libraries for %{name}
Group:      Development/Other
Requires:   %{libname} = %{EVRD}
Requires:   %{libnamec} = %{EVRD}
Requires:   %{libname_misc} = %{EVRD}
Provides:   %{name}-devel = %{EVRD}

%description -n %{devname}
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policy without
having to recompile programs that handle authentication.

This package contains the development libraries for %{name}.

%files -n %{devname}
%doc Copyright
/%{_lib}/libpam.so
/%{_lib}/libpam_misc.so
/%{_lib}/libpamc.so
%{_includedir}/security/*.h
%{_mandir}/man3/*

#----------------------------------------------------------------------------

%prep
%setup -q -n Linux-PAM-%{version} -a 2

# Add custom modules.
mv pam-redhat-%{pam_redhat_version}/* modules

%apply_patches

install -m644 %{SOURCE501} %{SOURCE502} modules/pam_tty_audit/

%build
autoreconf -i
%configure2_5x \
        --sbindir=/sbin \
        --libdir=/%{_lib} \
        --includedir=%{_includedir}/security \
        --with-db-uniquename=_nss \
        --docdir=%{_docdir}/%{name} \
        --disable-static \
        --enable-cracklib \
%if %{with prelude}
        --enable-prelude \
%else
        --disable-prelude \
%endif
%if %{with selinux}
        --enable-selinux \
%else
        --disable-selinux \
%endif
        --enable-audit 
%make

%install
mkdir -p doc/txts
for readme in modules/pam_*/README ; do
        cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'`
done

mkdir -p %{buildroot}%{_includedir}/security
mkdir -p %{buildroot}/%{_lib}/security
%makeinstall_std LDCONFIG=:
install -d -m 755 %{buildroot}/etc/pam.d
install -m 644 %{SOURCE5} %{buildroot}/etc/pam.d/other
install -m 644 %{SOURCE6} %{buildroot}/etc/pam.d/system-auth
install -m 644 %{SOURCE7} %{buildroot}/etc/pam.d/config-util
install -m 644 %{SOURCE11} %{buildroot}/etc/pam.d/postlogin
install -m 644 %{SOURCE15} %{buildroot}/etc/pam.d/password-auth
install -m 644 %{SOURCE16} %{buildroot}/etc/pam.d/smartcard-auth
install -m 600 /dev/null %{buildroot}%{_sysconfdir}/security/opasswd
install -d -m 755 %{buildroot}/var/log
install -m 600 /dev/null %{buildroot}/var/log/tallylog
install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/security/limits.d/90-nproc.conf

# Install man pages.
install -m 644 %{SOURCE9} %{SOURCE10} %{SOURCE12} %{buildroot}%{_mandir}/man5/

# no longer needed, handled by ACL in udev
for phase in auth acct passwd session ; do
        ln -sf pam_unix.so %{buildroot}/%{_lib}/security/pam_unix_${phase}.so
done

# cleanup
rm -f %{buildroot}/%{_lib}/security/*.la
rm -f %{buildroot}/%{_lib}/*.la

#Set suid bit for /sbin/unix_chkpwd (bug #3169)
chmod u+s %{buildroot}/sbin/unix_chkpwd

# Install the file for autocreation of /var/run subdirectories on boot
mkdir -p %{buildroot}%{_prefix}/lib/tmfiles.d/
install -m644 -D %{SOURCE13} %{buildroot}%{_prefix}/lib/tmpfiles.d/pam.conf

# For drakauth copy system-auth to system-auth-default
cp -f %{buildroot}/etc/pam.d/system-auth %{buildroot}/etc/pam.d/system-auth-default

%find_lang Linux-PAM

%check
EXCEPT=''
%if %{without selinux}
    EXCEPT='pam_selinux'
%endif
for dir in modules/pam_* ; do
    if ![[ ${dir} =~ "${except}" ]]; then
        if ! ls -1 %{buildroot}/%{_lib}/security/`basename ${dir}`*.so ; then
            echo ERROR `basename ${dir}` did not build a module.
            exit 1
        fi
    fi
done

# Check for module problems.  Specifically, check that every module we just
# installed can actually be loaded by a minimal PAM-aware application.
/sbin/ldconfig -n %{buildroot}/%{_lib}
for module in %{buildroot}/%{_lib}/security/pam*.so ; do
    if ! env LD_LIBRARY_PATH=%{buildroot}/%{_lib} \
        sh %{SOURCE8} -ldb -ldl -lpam -L%{buildroot}/%{_lib} ${module} ; then
        echo ERROR module: ${module} cannot be loaded.
        exit 1
    fi
done

%changelog