[gentoo-dev] [PATCH 2/4] sys-libs/pam: wire up shadow group

Sat, 18 Oct 2025 10:24:56 -0700 

Signed-off-by: Mike Gilbert <[email protected]>
---
 ...am-1.7.1-r1.ebuild => pam-1.7.1-r2.ebuild} | 23 ++++++++++++++-----
 1 file changed, 17 insertions(+), 6 deletions(-)
 rename sys-libs/pam/{pam-1.7.1-r1.ebuild => pam-1.7.1-r2.ebuild} (92%)

diff --git a/sys-libs/pam/pam-1.7.1-r1.ebuild b/sys-libs/pam/pam-1.7.1-r2.ebuild
similarity index 92%
rename from sys-libs/pam/pam-1.7.1-r1.ebuild
rename to sys-libs/pam/pam-1.7.1-r2.ebuild
index d580d7da9dff..9f36e29ce99b 100644
--- a/sys-libs/pam/pam-1.7.1-r1.ebuild
+++ b/sys-libs/pam/pam-1.7.1-r2.ebuild
@@ -9,7 +9,7 @@ MY_P="Linux-${PN^^}-${PV}"
 # Can reconsider w/ EAPI 8 and IDEPEND, bug #810979
 TMPFILES_OPTIONAL=1
 
-inherit db-use fcaps flag-o-matic meson-multilib
+inherit db-use flag-o-matic meson-multilib user-info
 
 DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)"
 HOMEPAGE="https://github.com/linux-pam/linux-pam";
@@ -42,6 +42,7 @@ REQUIRED_USE="?? ( elogind systemd )"
 # meson.build specifically checks for bison and then byacc
 # also requires xsltproc
 BDEPEND+="
+       acct-group/shadow
        || ( sys-devel/bison dev-util/byacc )
        app-text/docbook-xsl-ns-stylesheets
        dev-libs/libxslt
@@ -63,7 +64,9 @@ DEPEND="
                >=net-libs/libtirpc-0.2.4-r2:=[${MULTILIB_USEDEP}]
        )
 "
-RDEPEND="${DEPEND}"
+RDEPEND="${DEPEND}
+       acct-group/shadow
+"
 PDEPEND=">=sys-auth/pambase-20200616"
 
 PATCHES=(
@@ -161,6 +164,9 @@ multilib_src_configure() {
 multilib_src_install_all() {
        find "${ED}" -type f -name '*.la' -delete || die
 
+       fowners :shadow /sbin/unix_chkpwd
+       fperms g+s /sbin/unix_chkpwd
+
        # tmpfiles.eclass is impossible to use because
        # there is the pam -> tmpfiles -> systemd -> pam dependency loop
        dodir /usr/lib/tmpfiles.d
@@ -174,6 +180,15 @@ multilib_src_install_all() {
 }
 
 pkg_postinst() {
+       if [[ -n ${ROOT} ]]; then
+               # Portage does not currently update the gid on installed files
+               # based on ${EROOT}/etc/group.
+               local gid=$(egetent group shadow | cut -d: -f3)
+               if [[ -n ${gid} ]]; then
+                       chgrp "${gid}" "${EROOT}/sbin/unix_chkpwd" &&
+                       chmod g+s "${EROOT}/sbin/unix_chkpwd"
+               fi
+       fi
        ewarn "Some software with pre-loaded PAM libraries might experience"
        ewarn "warnings or failures related to missing symbols and/or versions"
        ewarn "after any update. While unfortunate this is a limit of the"
@@ -184,8 +199,4 @@ pkg_postinst() {
        ewarn "  lsof / | grep -E -i 'del.*libpam\\.so'"
        ewarn ""
        ewarn "Alternatively, simply reboot your system."
-
-       # The pam_unix module needs to check the password of the user which 
requires
-       # read access to /etc/shadow only.
-       fcaps -m u+s cap_dac_read_search sbin/unix_chkpwd
 }
-- 
2.51.0

Reply via email to