slackware-current/source/a/pam/pam.SlackBuild
Patrick J Volkerding aaa6bb3264 Fri May 19 18:59:24 UTC 2023
a/pam-1.5.3-x86_64-1.txz:  Upgraded.
ap/cups-filters-1.28.17-x86_64-2.txz:  Rebuilt.
  [PATCH] Merge pull request from GHSA-gpxc-v2m8-fr3x.
  With execv() command line arguments are passed as separate strings and
  not the full command line in a single string. This prevents arbitrary
  command execution by escaping the quoting of the arguments in a job
  with forged job title.
  Thanks to marav.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-24805
  (* Security fix *)
ap/vim-9.0.1569-x86_64-1.txz:  Upgraded.
xap/vim-gvim-9.0.1569-x86_64-1.txz:  Upgraded.
2023-05-19 21:40:53 +02:00

231 lines
8.4 KiB
Bash
Executable file

#!/bin/sh
# Copyright 2010 Vincent Batts, vbatts@hashbangbash.com
# Copyright 2010, 2011 Patrick J. Volkerding, Sebeka, Minnesota, USA
# All rights reserved.
#
# Redistribution and use of this script, with or without modification, is
# permitted provided that the following conditions are met:
#
# 1. Redistributions of this script must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
cd $(dirname $0) ; CWD=$(pwd)
SRCNAM=Linux-PAM
PKGNAM=pam
PAMRHVER=${PAMRHVER:-$(echo pam-redhat-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
VERSION=${VERSION:-$(echo $SRCNAM-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
BUILD=${BUILD:-1}
# Automatically determine the architecture we're building on:
if [ -z "$ARCH" ]; then
case "$( uname -m )" in
i?86) export ARCH=i586 ;;
arm*) export ARCH=arm ;;
# Unless $ARCH is already set, use uname -m for all other archs:
*) export ARCH=$( uname -m ) ;;
esac
fi
# If the variable PRINT_PACKAGE_NAME is set, then this script will report what
# the name of the created package would be, and then exit. This information
# could be useful to other scripts.
if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
echo "$PKGNAM-$VERSION-$ARCH-$BUILD.txz"
exit 0
fi
NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "}
if [ "$ARCH" = "i586" ]; then
SLKCFLAGS="-O2 -march=i586 -mtune=i686"
LIBDIRSUFFIX=""
elif [ "$ARCH" = "s390" ]; then
SLKCFLAGS="-O2"
LIBDIRSUFFIX=""
elif [ "$ARCH" = "x86_64" ]; then
SLKCFLAGS="-O2 -fPIC"
LIBDIRSUFFIX="64"
else
SLKCFLAGS="-O2"
LIBDIRSUFFIX=""
fi
TMP=${TMP:-/tmp}
PKG=$TMP/package-$PKGNAM
rm -rf $PKG
mkdir -p $TMP $PKG
cd $TMP
rm -rf $SRCNAM-$VERSION
tar xvf $CWD/$SRCNAM-$VERSION.tar.?z || exit 1
cd $SRCNAM-$VERSION || exit 1
chown -R root:root .
find . \
\( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
-exec chmod 755 {} \+ -o \
\( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
-exec chmod 644 {} \+
# Better take the Red Hat added modules and patches, because that's very
# likely to be the most standard as far as PAM goes:
tar xvf $CWD/pam-redhat-$PAMRHVER.tar.?z || exit 1
for file in CHANGELOG COPYING README ; do
mv pam-redhat-$PAMRHVER/${file}* ./${file}.pam-redhat
done
# Add additional PAM modules from Red Hat:
for file in pam-redhat-$PAMRHVER/* ; do
if [ ! -d modules/$(basename $file) ]; then
echo "Moving module directory $(basename $file)."
mv $file modules
else
echo "$(basename $file) already exists in modules/, not moving!"
fi
done
# NOTE: Linux-PAM-1.4.0 already ships with most of these applied:
#zcat $CWD/fedora-patches/pam-1.3.1-redhat-modules.patch.gz | patch -p1 --verbose || exit 1
#zcat $CWD/fedora-patches/pam-1.4.0-redhat-modules.patch.gz | patch -p1 --verbose || exit 1
zcat $CWD/fedora-patches/pam-1.5.0-redhat-modules.patch.gz | patch -p1 --verbose || exit 1
#zcat $CWD/fedora-patches/pam-1.3.1-noflex.patch.gz | patch -p1 --verbose || exit 1
#zcat $CWD/fedora-patches/pam-1.1.3-nouserenv.patch.gz | patch -p1 --verbose || exit 1
zcat $CWD/fedora-patches/pam-1.1.6-limits-user.patch.gz | patch -p1 --verbose || exit 1
#zcat $CWD/fedora-patches/pam-1.1.8-full-relro.patch.gz | patch -p1 --verbose || exit 1
#zcat $CWD/fedora-patches/pam-1.3.0-pwhistory-helper.patch.gz | patch -p1 --verbose || exit 1
#zcat $CWD/fedora-patches/pam-1.1.8-audit-user-mgmt.patch.gz | patch -p1 --verbose || exit 1
zcat $CWD/fedora-patches/pam-1.3.0-unix-nomsg.patch.gz | patch -p1 --verbose || exit 1
#zcat $CWD/fedora-patches/pam-1.3.1-coverity.patch.gz | patch -p1 --verbose || exit 1
#zcat $CWD/fedora-patches/pam-1.3.1-unix-remove-obsolete-_unix_read_password-prototype.patch.gz | patch -p1 --verbose || exit 1
#zcat $CWD/fedora-patches/pam-1.3.1-unix-bcrypt_b.patch.gz | patch -p1 --verbose || exit 1
#zcat $CWD/fedora-patches/pam-1.3.1-unix-gensalt-autoentropy.patch.gz | patch -p1 --verbose || exit 1
#zcat $CWD/fedora-patches/pam-1.3.1-unix-crypt_checksalt.patch.gz | patch -p1 --verbose || exit 1
#zcat $CWD/fedora-patches/pam-1.3.1-unix-yescrypt.patch.gz | patch -p1 --verbose || exit 1
#zcat $CWD/fedora-patches/pam-1.3.1-unix-no-fallback.patch.gz | patch -p1 --verbose || exit 1
#zcat $CWD/fedora-patches/pam-1.3.1-motd-multiple-paths.patch.gz | patch -p1 --verbose || exit 1
#zcat $CWD/fedora-patches/pam-1.3.1-unix-checksalt_syslog.patch.gz | patch -p1 --verbose || exit 1
#zcat $CWD/fedora-patches/pam-1.3.1-unix-fix_checksalt_syslog.patch.gz | patch -p1 --verbose || exit 1
# Improve the comments in /etc/environment:
zcat $CWD/patches/pam.etc.environment.better.comments.diff.gz | patch -p1 --verbose || exit 1
autoreconf -ivf || exit 1
CFLAGS="$SLKCFLAGS" \
CXXFLAGS="$SLKCFLAGS" \
./configure \
--prefix=/ \
--libdir=/lib${LIBDIRSUFFIX} \
--sysconfdir=/etc \
--includedir=/usr/include/security \
--enable-securedir=/lib${LIBDIRSUFFIX}/security \
--datarootdir=/usr/share \
--localstatedir=/var \
--mandir=/usr/man \
--docdir=/usr/doc/$PKGNAM-$VERSION \
--disable-regenerate-docu \
--disable-audit \
--disable-prelude \
--disable-rpath \
--disable-selinux \
--disable-static \
--enable-lastlog \
--build=$ARCH-slackware-linux || exit 1
# Make these man pages or the build falls over later
xmlto man modules/pam_faillock/faillock.8.xml -o modules/pam_faillock/
xmlto man modules/pam_faillock/pam_faillock.8.xml -o modules/pam_faillock/
xmlto man modules/pam_pwhistory/pwhistory_helper.8.xml -o modules/pam_pwhistory/
make -C po update-gmo
make $NUMJOBS || make || exit 1
make install DESTDIR=$PKG || exit 1
# Don't ship .la files:
rm -f $PKG/{,usr/}lib${LIBDIRSUFFIX}/*.la
# The ones in /lib${LIBDIRSUFFIX}/security can also go:
rm -f $PKG/lib${LIBDIRSUFFIX}/security/*.la
# Add extra symlinks added by pam.spec:
( cd $PKG/lib${LIBDIRSUFFIX}/security
for type in acct auth passwd session ; do
ln -sf pam_unix.so pam_unix_${type}.so
done
)
# This is a pam helper that can only be called from pam
chown root:root $PKG/sbin/unix_chkpwd
chmod 6755 $PKG/sbin/unix_chkpwd
# This package can own the /etc/pam.d/ directory
mkdir -p $PKG/etc/pam.d
# Strip binaries:
( cd $PKG
find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
find . | xargs file | grep "shared object" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
)
# Don't clobber config files:
find $PKG/etc -type f -exec mv {} {}.new \;
# Compress and if needed symlink the man pages:
if [ -d $PKG/usr/man ]; then
( cd $PKG/usr/man
for manpagedir in $(find . -type d -name "man*") ; do
( cd $manpagedir
for eachpage in $( find . -type l -maxdepth 1) ; do
ln -s $( readlink $eachpage ).gz $eachpage.gz
rm $eachpage
done
gzip -9 *.?
)
done
)
fi
mkdir -p $PKG/usr/doc/$PKGNAM-$VERSION
cp -a \
AUTHORS COPYING* Copyright NEWS README* \
$PKG/usr/doc/$PKGNAM-$VERSION
# If there's a ChangeLog, installing at least part of the recent history
# is useful, but don't let it get totally out of control:
if [ -r ChangeLog ]; then
DOCSDIR=$(echo $PKG/usr/doc/${PKGNAM}-$VERSION)
cat ChangeLog | head -n 1000 > $DOCSDIR/ChangeLog
touch -r ChangeLog $DOCSDIR/ChangeLog
fi
if [ -r CHANGELOG ]; then
DOCSDIR=$(echo $PKG/usr/doc/${PKGNAM}-$VERSION)
cat CHANGELOG | head -n 1000 > $DOCSDIR/CHANGELOG
touch -r CHANGELOG $DOCSDIR/CHANGELOG
fi
rm -f $PKG/usr/doc/$PKGNAM-$VERSION/index.html
mkdir -p $PKG/install
cat $CWD/slack-desc > $PKG/install/slack-desc
zcat $CWD/doinst.sh.gz > $PKG/install/doinst.sh
# Append config statements to the install/doinst.sh:
( cd $PKG
for i in $(find etc -type f -name "*.new") ; do
echo "config $i" >> $PKG/install/doinst.sh ;
done
)
cd $PKG
/sbin/makepkg -p -l y -c n $TMP/$PKGNAM-$VERSION-$ARCH-$BUILD.txz