pam/pam.spec
2024-05-28 04:43:18 +03:00


# Shared-library subpackage names are derived from the soname major (mklibname helper).
%define major 0
%define libname %mklibname %{name} %{major}
%define libnamec %mklibname %{name}c %{major}
%define libname_misc %mklibname %{name}_misc %{major}
%define devname %mklibname %{name} -d
# Build switches: prelude and bootstrap are off unless requested with --with;
# selinux is on unless the build is run with --without selinux.
%bcond_with prelude
%bcond_with bootstrap
%bcond_without selinux
# Version of the pam-redhat module bundle that is unpacked next to the main tarball (Source2).
%define pam_redhat_version 1.1.4
Summary: A security tool which provides authentication for applications
Name: pam
Version: 1.5.1
Release: 6
Epoch: 1
# The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
# as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
License: BSD and GPLv2+
Group: System/Libraries
# NOTE(review): plain-http project URL; it is informational metadata only, but an
# https link would be preferable if the site serves one.
Url: http://www.kernel.org/pub/linux/libs/pam/index.html
# Upstream tarballs are referenced by https URL. Nothing in this spec verifies a
# checksum or signature for them, so the integrity of the sources depends on how the
# build system stores and pins the files - TODO confirm.
Source0: https://github.com/linux-pam/linux-pam/releases/download/v%{version}/Linux-PAM-%{version}.tar.xz
Source2: https://releases.pagure.org/pam-redhat/pam-redhat-%{pam_redhat_version}.tar.bz2
# Default PAM stacks and helper files shipped by the distribution. These define the
# system authentication policy; their content is not part of this spec.
Source5: other.pamd
Source6: system-auth.pamd
Source7: config-util.pamd
# Script used in the check section to test that each built module can be loaded.
Source8: dlopen.sh
Source9: system-auth.5
Source10: config-util.5
Source11: postlogin.pamd
Source12: postlogin.5
Source13: pamtmp.conf
Source14: 90-nproc.conf
Source15: password-auth.pamd
Source16: smartcard-auth.pamd
#add missing documentation
Source501: pam_tty_audit.8
Source502: README
# RedHat patches
# NOTE(review): these URLs point at the moving master branch of the Fedora dist-git,
# so the content behind them can change over time. Confirm that the copies stored
# with this package are the reviewed ones.
Patch1: https://src.fedoraproject.org/rpms/pam/raw/master/f/pam-1.5.0-redhat-modules.patch
Patch9: https://src.fedoraproject.org/rpms/pam/raw/master/f/pam-1.5.0-noflex.patch
# Upstreamed partially
Patch33: https://src.fedoraproject.org/rpms/pam/raw/master/f/pam-1.3.0-unix-nomsg.patch
# OpenMandriva specific sources/patches
# https://github.com/linux-pam/linux-pam/pull/597
# The four patches below are named after commit ids, presumably the commits of the
# pull request above - verify against upstream.
Patch41: 9facab2134a9e1142ab3c614e72eb25aaafd0dec.patch
Patch42: cee08b7a6ea5d48f8527e3497735466e44445b66.patch
Patch43: 4fbed4be20377e5b1a6e71f572eb28ed049ed3fe.patch
Patch44: 4e8af9027dab25ebff3fa1b6e5542640611778c9.patch
# (fl) fix infinite loop
Patch507: pam-0.74-loop.patch
# (fc) 0.75-29mdk don't complain when / is owned by root.adm
Patch508: Linux-PAM-0.99.3.0-pamtimestampadm.patch
Patch509: Linux-PAM-0.99.3.0-pbuild-rh.patch
# (fl) pam_xauth: set extra groups because in high security levels
# access to /usr/X11R6/bin dir is controlled by a group
Patch512: Linux-PAM-1.1.3-xauth-groups.patch
Patch700: pam_fix_static_pam_console.patch
# (proyvind): add missing constant that went with rpc removal from glibc 2.14
Patch702: Linux-PAM-1.1.4-add-now-missing-nis-constant.patch
# (akdengi> add user to default group users which need for Samba
# NOTE(review): this patch changes default group membership, which is a policy
# decision with access-control impact; its content is not visible in this spec.
Patch801: Linux-PAM-1.1.4-group_add_users.patch
# Backported security fix, identified here only by its file name. As far as I know,
# upstream describes CVE-2024-22365 as a denial of service in pam_namespace; verify
# that this backport matches the upstream fix.
Patch1000: CVE-2024-22365.patch
# SELinux development files are only needed when the selinux switch is on (the default).
%if %{with selinux}
BuildRequires: selinux-devel >= 2.1.6-7
%endif
BuildRequires: bison
BuildRequires: flex
%if %{without bootstrap}
# this pulls in the mega texlive load
BuildRequires: linuxdoc-tools
%endif
BuildRequires: cracklib-devel
BuildRequires: libaudit-devel
BuildRequires: db_nss-devel
BuildRequires: gettext-devel
BuildRequires: pkgconfig(libtirpc)
BuildRequires: db-devel
BuildRequires: html2text
BuildRequires: docbook-dtd412-xml
BuildRequires: docbook-dtd43-xml
BuildRequires: docbook-dtd44-xml
BuildRequires: docbook-style-xsl
BuildRequires: docbook-dtds
BuildRequires: xsltproc
# With prelude disabled, the build conflict keeps libprelude out of the build root.
%if %{with prelude}
BuildRequires: prelude-devel >= 0.9.0
%else
BuildConflicts: pkgconfig(libprelude)
%endif
# Runtime dependencies. cracklib-dicts and libpwquality are presumably needed by the
# password-quality modules referenced from the shipped pam.d stacks - TODO confirm.
Requires: cracklib-dicts
Requires: setup >= 2.7.12-2
# NOTE(review): the scriptlet visible in this spec is posttrans and calls grep and
# install; confirm that the scriptlet dependencies cover both tools.
Requires(post): coreutils >= 8.12-7.2
Conflicts: %{_lib}pam0 < 1.1.4-5
Requires: libpwquality >= 0.9.9
%description
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policy without
having to recompile programs that handle authentication.
%files -f Linux-PAM.lang
# File list of the main package. Entries marked config(noreplace) keep a locally
# modified file on update; entries marked plain config are replaced by the packaged
# version on update (rpm saves the local copy with an .rpmsave suffix).
%doc NEWS
%docdir %{_docdir}/%{name}
%dir %{_sysconfdir}/pam.d
%config(noreplace) %{_sysconfdir}/environment
# NOTE(review): plain config - local changes to this stack do not survive an update.
# The same applies to config-util, postlogin, password-auth and smartcard-auth below.
%config %{_sysconfdir}/pam.d/other
# system-auth and its pristine copy: mode 0644, owner root, group shadow, kept on update.
%attr(0644,root,shadow) %config(noreplace) %{_sysconfdir}/pam.d/system-auth
%attr(0644,root,shadow) %config(noreplace) %{_sysconfdir}/pam.d/system-auth-default
%config %{_sysconfdir}/pam.d/config-util
%config %{_sysconfdir}/pam.d/postlogin
%config %{_sysconfdir}/pam.d/password-auth
%config %{_sysconfdir}/pam.d/smartcard-auth
/sbin/pam_console_apply
/sbin/faillock
# Setuid-root helpers (mode 4755): pam_timestamp_check and unix_chkpwd run with root
# privileges for any caller, so they are the binaries most worth re-auditing whenever
# the patch set changes.
%attr(4755,root,root) /sbin/pam_timestamp_check
%attr(0755,root,root) /sbin/pwhistory_helper
%attr(4755,root,root) /sbin/unix_chkpwd
# unix_update is restricted to root (mode 0700).
%attr(0700,root,root) /sbin/unix_update
%attr(0755,root,root) /sbin/mkhomedir_helper
%attr(0755,root,root) /sbin/pam_namespace_helper
%config(noreplace) %{_sysconfdir}/security/access.conf
%config(noreplace) %{_sysconfdir}/security/chroot.conf
%config(noreplace) %{_sysconfdir}/security/console.perms
%config(noreplace) %{_sysconfdir}/security/console.handlers
%config(noreplace) %{_sysconfdir}/security/faillock.conf
%config(noreplace) %{_sysconfdir}/security/group.conf
%config(noreplace) %{_sysconfdir}/security/limits.conf
%config(noreplace) %{_sysconfdir}/security/namespace.conf
# Executable script (mode 755) shipped as a config file; presumably run by
# pam_namespace, so write access to it must stay limited to root - TODO confirm.
%attr(755,root,root) %config(noreplace) %{_sysconfdir}/security/namespace.init
%config(noreplace) %{_sysconfdir}/security/pam_env.conf
%config(noreplace) %{_sysconfdir}/security/time.conf
# opasswd has no attr entry here; its mode comes from the install section, which
# creates it empty with mode 600.
%config(noreplace) %{_sysconfdir}/security/opasswd
%config(noreplace) %{_sysconfdir}/security/limits.d/90-nproc.conf
%if %{with selinux}
%config(noreplace) %{_sysconfdir}/security/sepermit.conf
%endif
%dir %{_sysconfdir}/security/console.apps
%dir %{_sysconfdir}/security/console.perms.d
%dir /%{_lib}/security
/%{_lib}/security/*.so
/%{_lib}/security/pam_filter
/usr/lib/tmpfiles.d/pam.conf
%{_unitdir}/pam_namespace.service
# Ghost entries: owned by the package but not shipped in the payload.
# NOTE(review): the prep section rewrites /var/run to /run in the sources, while this
# entry still names /var/run/console - confirm the two agree on the target system.
%ghost %dir /var/run/console
%ghost /var/log/tallylog
%{_mandir}/man5/*
%{_mandir}/man8/*
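%posttrans
# (cg) Ensure that the pam_systemd.so is included for user ACLs under systemd
# Note: Only affects upgrades, but does no harm so always update if needed.
# This appends to system-auth, which is packaged as config(noreplace), so the
# administrator's own copy is edited in place. Any line mentioning pam_systemd.so,
# including a commented-out one, counts as present and is left alone.
if ! grep -q "pam_systemd\.so" /etc/pam.d/system-auth; then
  echo "-session optional pam_systemd.so" >>/etc/pam.d/system-auth
fi
# Create the tally log (mode 600) only when it does not exist yet.
# The test must use -e: "[ ! -a FILE ]" has three arguments, so the shell reads -a
# as the binary AND operator, the test is always true, and an existing log would be
# replaced by an empty file on every transaction.
if [ ! -e /var/log/tallylog ] ; then
  install -m 600 /dev/null /var/log/tallylog
fi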
#----------------------------------------------------------------------------
%package doc
# Documentation-only subpackage, tied to the exact build of the main package.
Summary: Additional documentation for %{name}
Group: Documentation
Requires: %{name} = %{EVRD}
%description doc
This is the documentation package of %{name}.
%files doc
%doc doc/txts doc/specs/rfc86.0.txt Copyright
%doc %{_docdir}/%{name}/*
#----------------------------------------------------------------------------
%package -n %{libname}
# Runtime library libpam, packaged on its own so that it follows the soname major.
Summary: Library for %{name}
Group: System/Libraries
Conflicts: pam < 1.1.4-5
%description -n %{libname}
This package contains the library libpam for %{name}.
%files -n %{libname}
/%{_lib}/libpam.so.%{major}*
#----------------------------------------------------------------------------
%package -n %{libnamec}
# Runtime library libpamc.
Summary: Library for %{name}
Group: System/Libraries
Conflicts: %{_lib}pam0 < 1.1.4-5
%description -n %{libnamec}
This package contains the library libpamc for %{name}.
%files -n %{libnamec}
/%{_lib}/libpamc.so.%{major}*
#----------------------------------------------------------------------------
%package -n %{libname_misc}
# Runtime library libpam_misc.
Summary: Library for %{name}
Group: System/Libraries
Conflicts: %{_lib}pam0 < 1.1.4-5
%description -n %{libname_misc}
This package contains the library libpam_misc for %{name}.
%files -n %{libname_misc}
/%{_lib}/libpam_misc.so.%{major}*
#----------------------------------------------------------------------------
%package -n %{devname}
# Development subpackage. The exact-version requirements keep headers, unversioned
# library links and the three runtime libraries on the same build.
Summary: Development headers and libraries for %{name}
Group: Development/Other
Requires: %{libname} = %{EVRD}
Requires: %{libnamec} = %{EVRD}
Requires: %{libname_misc} = %{EVRD}
Provides: %{name}-devel = %{EVRD}
%description -n %{devname}
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policy without
having to recompile programs that handle authentication.
This package contains the development libraries for %{name}.
%files -n %{devname}
%doc Copyright
/%{_lib}/libpam.so
/%{_lib}/libpam_misc.so
/%{_lib}/libpamc.so
%{_includedir}/security/*.h
%{_mandir}/man3/*
#----------------------------------------------------------------------------
%prep
# Unpack the main tarball and, inside it, the pam-redhat bundle (source number 2).
%setup -q -n Linux-PAM-%{version} -a 2
# Add custom modules.
mv pam-redhat-%{pam_redhat_version}/* modules
# Apply every Patch entry of this spec with strip level 1.
%autopatch -p1
# Point the pam_namespace unit install path at the distribution's unit directory.
sed -i 's!$(prefix)/lib/systemd/system!%{_unitdir}!g' modules/pam_namespace/Makefile.*
# replace /var/run with /run
# NOTE(review): this rewrites every regular file in the tree, documentation and
# already-patched sources included; a narrower file selection would make the effect
# on security-relevant paths easier to review.
find . -type f -exec sed -i 's!/var/run!/run!g' {} \;
install -m644 %{SOURCE501} %{SOURCE502} modules/pam_tty_audit/
# Historical note: this package used to carry a non-upstream translation for
# version 1.3.0 and replaced po/ru.po with its fork. No command in this section
# does that any more; the change was ported to upstream git master:
# https://github.com/linux-pam/linux-pam/pull/152
# Drop leftover pam_tally documentation.
rm -rf doc/txts/README.pam_tally*
rm -rf doc/sag/html/*pam_tally*
touch ChangeLog # to make autoreconf happy
# Regenerate the build system because the patches touch autotools inputs
# (presumably - the patch contents are not visible here).
autoreconf -fi -I m4
%build
# The build system is regenerated again here; the prep section already ran
# autoreconf with the m4 include path.
autoreconf -fi
# Empty BROWSER, presumably so the documentation build cannot start a browser - TODO confirm.
export BROWSER=""
# Configure: helpers go to /sbin and libraries to the root library directory;
# cracklib, audit and documentation are always enabled, prelude and selinux follow
# the build switches. No comment may be placed inside the continued command below.
%configure \
--sbindir=/sbin \
--libdir=/%{_lib} \
--includedir=%{_includedir}/security \
--with-db-uniquename=_nss \
--docdir=%{_docdir}/%{name} \
--disable-static \
--enable-cracklib \
--enable-docu --enable-regenerate-docu \
%if %{with prelude}
--enable-prelude \
%else
--disable-prelude \
%endif
%if %{with selinux}
--enable-selinux \
%else
--disable-selinux \
%endif
--enable-audit
%make_build
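%install
# Collect each module's README under doc/txts, named README.<module directory>.
mkdir -p doc/txts
for readme in modules/pam_*/README ; do
  cp -f "${readme}" "doc/txts/README.$(basename "$(dirname "${readme}")")"
done
mkdir -p %{buildroot}%{_includedir}/security
mkdir -p %{buildroot}/%{_lib}/security
%make_install LDCONFIG=:
# Distribution PAM stacks, installed world-readable (644).
install -d -m 755 %{buildroot}/etc/pam.d
install -m 644 %{SOURCE5} %{buildroot}/etc/pam.d/other
install -m 644 %{SOURCE6} %{buildroot}/etc/pam.d/system-auth
install -m 644 %{SOURCE7} %{buildroot}/etc/pam.d/config-util
install -m 644 %{SOURCE11} %{buildroot}/etc/pam.d/postlogin
install -m 644 %{SOURCE15} %{buildroot}/etc/pam.d/password-auth
install -m 644 %{SOURCE16} %{buildroot}/etc/pam.d/smartcard-auth
# opasswd and tallylog start as empty files readable by their owner only (600).
install -m 600 /dev/null %{buildroot}%{_sysconfdir}/security/opasswd
install -d -m 755 %{buildroot}/var/log
install -m 600 /dev/null %{buildroot}/var/log/tallylog
install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/security/limits.d/90-nproc.conf
# Install man pages.
install -m 644 %{SOURCE9} %{SOURCE10} %{SOURCE12} %{buildroot}%{_mandir}/man5/
# Legacy note kept from an earlier revision: a step that used to be here is
# no longer needed, handled by ACL in udev
# Per-phase names pam_unix_auth/acct/passwd/session.so as symlinks to pam_unix.so.
for phase in auth acct passwd session ; do
  ln -sf pam_unix.so %{buildroot}/%{_lib}/security/pam_unix_${phase}.so
done
# cleanup
rm -f %{buildroot}/%{_lib}/security/*.la
rm -f %{buildroot}/%{_lib}/*.la
#Set suid bit for /sbin/unix_chkpwd (bug #3169)
# The file list of the main package also sets mode 4755 on this helper.
chmod u+s %{buildroot}/sbin/unix_chkpwd
# Install the file for autocreation of /var/run subdirectories on boot
# (directory name spelled tmpfiles.d; a misspelled name only leaves a stray
# empty directory in the build root)
mkdir -p %{buildroot}%{_prefix}/lib/tmpfiles.d/
install -m644 -D %{SOURCE13} %{buildroot}%{_prefix}/lib/tmpfiles.d/pam.conf
# For drakauth copy system-auth to system-auth-default
cp -f %{buildroot}/etc/pam.d/system-auth %{buildroot}/etc/pam.d/system-auth-default
# Localize format of last login time (shown by pam_lastlog in e.g. gdm)
# These are arguments of strftime(). Here "Пт дек 9 11:31:43 MSK 2022"
# (Fri Dec 9 11:31:43 MSK 2022) is changed to "Пт, 9 декабря 11:32"
# (Fri, 9 December 11:32) (ask Survolog@, I (mikhailnov@) do not understand)
# https://bugzilla.rosalinux.ru/show_bug.cgi?id=13004
# The compiled Russian catalogue is decompiled, edited with sed and compiled again.
pushd %{buildroot}%{_datadir}/locale/ru/LC_MESSAGES
msgunfmt Linux-PAM.mo -o Linux-PAM.po
rm -f Linux-PAM.mo
# \x25 - symbol %%, info about %%a, %%e, %%B etc. in man date.
sed -i "/msgstr/ s/ \x25a \x25b \x25e \x25H:\x25M:\x25S \x25Z \x25Y/ \x25a, \x25e \x25B \x25H:\x25M/" Linux-PAM.po
sed -i "/msgstr/ s/Последний вход в систему:/Последний вход:/" Linux-PAM.po
msgfmt Linux-PAM.po -o Linux-PAM.mo
rm -f Linux-PAM.po
popd
%find_lang Linux-PAM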
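%check
# Make sure every module source directory produced an installed module.
# EXCEPT names the one module directory that is allowed to be missing.
EXCEPT=''
%if %{without selinux}
EXCEPT='pam_selinux'
%endif
# NOTE(review): sepermit.conf is also selinux-conditional in the file list; confirm
# whether pam_sepermit has to be excluded as well when selinux is off.
# This loop is effective only if the skip test is valid shell, reads the variable
# under the name it was assigned (EXCEPT), and treats an empty EXCEPT as "skip
# nothing". Otherwise the build passes without checking any module. Enabling the
# check can surface modules that silently failed to build.
for dir in modules/pam_* ; do
  [ -d "${dir}" ] || continue
  if [ -n "${EXCEPT}" ]; then
    case "${dir}" in
      *"${EXCEPT}"*) continue ;;
    esac
  fi
  module_name=$(basename "${dir}")
  if ! ls -1 %{buildroot}/%{_lib}/security/"${module_name}"*.so ; then
    echo "ERROR ${module_name} did not build a module."
    exit 1
  fi
done
# Check for module problems. Specifically, check that every module we just
# installed can actually be loaded by a minimal PAM-aware application.
/sbin/ldconfig -n %{buildroot}/%{_lib}
for module in %{buildroot}/%{_lib}/security/pam*.so ; do
  if ! env LD_LIBRARY_PATH=%{buildroot}/%{_lib} \
       sh %{SOURCE8} -ldb -ldl -lpam -L%{buildroot}/%{_lib} "${module}" ; then
    echo "ERROR module: ${module} cannot be loaded."
    exit 1
  fi
done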