On 6/1/18 4:41 AM, Richard Leitner wrote: > Add version 11 of the pam-plugin-ccreds with the debian patches applied. >
I see QA errors like below ERROR: pam-plugin-ccreds-11-r0 do_package_qa: QA Issue: non -dev/-dbg/nativesdk- package contains symlink .so: pam-plugin-ccreds path '/work/core2-64-bec-linux-musl/pam-plugin-ccreds/11-r0/packages-split/pam-plugin-ccreds/lib/security/pam_ccreds.so' [dev-so] > Signed-off-by: Richard Leitner <[email protected]> > --- > ...ke-sure-we-don-t-overflow-the-data-buffer.patch | 29 +++++++ > .../0002-add-minimum_uid-option.patch | 97 > ++++++++++++++++++++++ > ...TENSION_SO-also-for-linux-gnueabi-targets.patch | 29 +++++++ > .../recipes-extended/pam/pam-plugin-ccreds_11.bb | 27 ++++++ > 4 files changed, 182 insertions(+) > create mode 100644 > meta-oe/recipes-extended/pam/pam-plugin-ccreds/0001-make-sure-we-don-t-overflow-the-data-buffer.patch > create mode 100644 > meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch > create mode 100644 > meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-also-for-linux-gnueabi-targets.patch > create mode 100644 meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb > > diff --git > a/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0001-make-sure-we-don-t-overflow-the-data-buffer.patch > > b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0001-make-sure-we-don-t-overflow-the-data-buffer.patch > new file mode 100644 > index 000000000..d7f8f5a96 > --- /dev/null > +++ > b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0001-make-sure-we-don-t-overflow-the-data-buffer.patch > @@ -0,0 +1,29 @@ > +From 59a95494002ce57ace17d676544101e88a55265d Mon Sep 17 00:00:00 2001 > +From: Nicolas Boullis <[email protected]> > +Date: Mon, 23 Mar 2009 10:46:44 +0100 > +Subject: [PATCH 1/3] make sure we don't overflow the data buffer > + > +This patch was taken from Debian's libpam-ccreds v10-6 source: > + 0001-make-sure-we-don-t-overflow-the-data-buffer.patch > + > +Reviewed-by: Richard Leitner <[email protected]> > +--- > + cc_db.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/cc_db.c b/cc_db.c > +index c0e0488..9371c4d 100644 > +--- a/cc_db.c > ++++ b/cc_db.c > +@@ -199,7 +199,7 @@ int pam_cc_db_get(void *_db, const char *keyname, size_t > keylength, > + return (rc == DB_NOTFOUND) ? PAM_AUTHINFO_UNAVAIL : > PAM_SERVICE_ERR; > + } > + > +- if (val.size < *size) { > ++ if (val.size > *size) { > + return PAM_BUF_ERR; > + } > + > +-- > +2.11.0 > + > diff --git > a/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch > > b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch > new file mode 100644 > index 000000000..adc464924 > --- /dev/null > +++ > b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch > @@ -0,0 +1,97 @@ > +From 21e3ab24836c5087f3531d2d3270242cea857a79 Mon Sep 17 00:00:00 2001 > +From: =?UTF-8?q?Guido=20G=C3=BCnther?= <[email protected]> > +Date: Thu, 13 May 2010 12:36:26 +0200 > +Subject: [PATCH 2/3] add minimum_uid option > + > +Closes: #580037 > + > +This patch was taken from Debian's libpam-ccreds v10-6 source: > + 0002-add-minimum_uid-option.patch > + > +Reviewed-by: Richard Leitner <[email protected]> > +--- > + cc_pam.c | 39 +++++++++++++++++++++++++++++++++++++++ > + 1 file changed, 39 insertions(+) > + > +diff --git a/cc_pam.c b/cc_pam.c > +index d096117..56776aa 100644 > +--- a/cc_pam.c > ++++ b/cc_pam.c > +@@ -20,6 +20,7 @@ > + #include <errno.h> > + #include <limits.h> > + #include <syslog.h> > ++#include <pwd.h> > + > + #include "cc_private.h" > + > +@@ -45,6 +46,30 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, > + int flags, int argc, const char **argv); > + #endif > + > ++ > ++/* > ++ * Given the PAM arguments and the user we're authenticating, see if we > should > ++ * ignore that user because they're root or have a low-numbered UID and we > ++ * were configured to ignore such users. Returns true if we should ignore > ++ * them, false otherwise. > ++ */ > ++static int > ++_pamcc_should_ignore(const char *username, int minimum_uid) > ++{ > ++ struct passwd *pwd; > ++ > ++ if (minimum_uid > 0) { > ++ pwd = getpwnam(username); > ++ if (pwd != NULL && pwd->pw_uid < (unsigned long) minimum_uid) { > ++ syslog(LOG_DEBUG, "ignoring low-UID user (%lu < %d)", > ++ (unsigned long) pwd->pw_uid, minimum_uid); > ++ return 1; > ++ } > ++ } > ++ return 0; > ++} > ++ > ++ > + static int _pam_sm_interact(pam_handle_t *pamh, > + int flags, > + const char **authtok) > +@@ -291,7 +316,9 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, > + unsigned int sm_flags = 0, sm_action = 0; > + const char *ccredsfile = NULL; > + const char *action = NULL; > ++ const char *name = NULL; > + int (*selector)(pam_handle_t *, int, unsigned int, const char *); > ++ int minimum_uid = 0; > + > + for (i = 0; i < argc; i++) { > + if (strcmp(argv[i], "use_first_pass") == 0) > +@@ -300,6 +327,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, > + sm_flags |= SM_FLAGS_TRY_FIRST_PASS; > + else if (strcmp(argv[i], "service_specific") == 0) > + sm_flags |= SM_FLAGS_SERVICE_SPECIFIC; > ++ else if (strncmp(argv[i], "minimum_uid=", > sizeof("minimum_uid=") - 1) == 0) > ++ minimum_uid = atoi(argv[i] + sizeof("minimum_uid=") - > 1); > + else if (strncmp(argv[i], "ccredsfile=", sizeof("ccredsfile=") > - 1) == 0) > + ccredsfile = argv[i] + sizeof("ccredsfile=") - 1; > + else if (strncmp(argv[i], "action=", sizeof("action=") - 1) == > 0) > +@@ -321,6 +350,16 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, > + syslog(LOG_ERR, "pam_ccreds: invalid action \"%s\"", action); > + } > + > ++ rc = pam_get_user(pamh, &name, NULL); > ++ if (rc != PAM_SUCCESS || name == NULL) { > ++ if (rc == PAM_CONV_AGAIN) > ++ return PAM_INCOMPLETE; > ++ else > ++ return PAM_SERVICE_ERR; > ++ } > ++ if (_pamcc_should_ignore(name, minimum_uid)) > ++ return PAM_USER_UNKNOWN; > ++ > + switch (sm_action) { > + case SM_ACTION_VALIDATE_CCREDS: > + selector = _pam_sm_validate_cached_credentials; > +-- > +2.11.0 > + > diff --git > a/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-also-for-linux-gnueabi-targets.patch > > b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-also-for-linux-gnueabi-targets.patch > new file mode 100644 > index 000000000..4f203f1a3 > --- /dev/null > +++ > b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-also-for-linux-gnueabi-targets.patch > @@ -0,0 +1,29 @@ > +From 12d9bb59284bd01a9fcc3b9280698ffc23ef2ddc Mon Sep 17 00:00:00 2001 > +From: Richard Leitner <[email protected]> > +Date: Fri, 1 Jun 2018 13:24:15 +0200 > +Subject: [PATCH 3/3] Set EXTENSION_SO also for linux-gnueabi targets > + > +As EXTENSION_SO gets already set for linux and linux-gnu targets we > +should set it also for linux-gnueabi targets. > + > +Signed-off-by: Richard Leitner <[email protected]> > +--- > + configure.in | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/configure.in b/configure.in > +index 0dbdf79..a434208 100644 > +--- a/configure.in > ++++ b/configure.in > +@@ -43,7 +43,7 @@ AC_SUBST(pam_ccreds_so_LD) > + AC_SUBST(pam_ccreds_so_LDFLAGS) > + > + AM_CONDITIONAL(USE_NATIVE_LINKER, test -n "$pam_ccreds_so_LD") > +-AM_CONDITIONAL(EXTENSION_SO, test "$target_os" = "linux" -o "$target_os" = > "linux-gnu") > ++AM_CONDITIONAL(EXTENSION_SO, test "$target_os" = "linux" -o "$target_os" = > "linux-gnu" -o "$target_os" = "linux-gnueabi") > + AM_CONDITIONAL(EXTENSION_1, test "$TARGET_OS" = "HPUX") > + > + if test -z "$use_gcrypt"; then > +-- > +2.11.0 > + > diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb > b/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb > new file mode 100644 > index 000000000..ded51e3a0 > --- /dev/null > +++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb > @@ -0,0 +1,27 @@ > +SUMMARY = "PAM cached credentials module" > +HOMEPAGE = "https://www.padl.com/OSS/pam_ccreds.html"; > +SECTION = "libs" > +LICENSE = "GPLv2" > +LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" > + > +DEPENDS = "libpam openssl db" > + > +inherit distro_features_check > +REQUIRED_DISTRO_FEATURES = "pam" > + > +SRCREV = "376bb189ceb3a113954f1012c45be7ff09e148ba" > + > +SRC_URI = " \ > + git://github.com/PADL/pam_ccreds \ > + file://0001-make-sure-we-don-t-overflow-the-data-buffer.patch \ > + file://0002-add-minimum_uid-option.patch \ > + file://0003-Set-EXTENSION_SO-also-for-linux-gnueabi-targets.patch \ > +" > + > +S = "${WORKDIR}/git" > + > +inherit autotools > + > +EXTRA_OECONF += "--libdir=${base_libdir} " > + > +FILES_${PN} += "${base_libdir}/security/pam*" >
signature.asc
Description: OpenPGP digital signature
-- _______________________________________________ Openembedded-devel mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-devel
