Source: pam Version: 1.5.2-9.1 Severity: normal Tags: patch User: helm...@debian.org Usertags: dep17m2 X-Debbugs-CC: helm...@debian.org
Please find a patch attached to have PAM install its files into /usr/{lib,sbin}, instead of /{lib,sbin}, for the currently ongoing Debian UsrMerge effort [1]. src:pam is relevant now because it's part of the "bootstrap set", and needs to be converted before base-files can be modified, which we'd like to do soon. The patch also adds two simple, superficial autopkgtests to compile and link a PAM module and a PAM client. They seemed helpful in validating the change. Please upload to experimental at your earliest convenience, to give this a wider audience. Additional reviews and tests are obviously also welcome. If during the trixie cycle your package will undergo structural changes or any other file moves, please also see the wiki and upload to experimental first when these changes are done. Chris [1] https://wiki.debian.org/UsrMerge
diff -Nru pam-1.5.2/debian/changelog pam-1.5.2/debian/changelog --- pam-1.5.2/debian/changelog 2023-10-24 19:38:53.000000000 +0200 +++ pam-1.5.2/debian/changelog 2024-01-06 12:57:21.000000000 +0100 @@ -1,3 +1,14 @@ +pam (1.5.2-9.2) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * Install into /usr/{lib,sbin} instead of /{lib,sbin}. Assumes + usrmerge aliasing symlinks are in place since bookworm to keep + compatibility with PAM modules still installing into /lib. + (DEP17 M2) (Closes: #-1). + * Update lintian override for setgid binary. + + -- Chris Hofstaedtler <z...@debian.org> Sat, 06 Jan 2024 12:57:21 +0100 + pam (1.5.2-9.1) unstable; urgency=medium * Non-maintainer upload acked by Sam Hartman. diff -Nru pam-1.5.2/debian/libpam0g-dev.install pam-1.5.2/debian/libpam0g-dev.install --- pam-1.5.2/debian/libpam0g-dev.install 2023-10-24 17:19:43.000000000 +0200 +++ pam-1.5.2/debian/libpam0g-dev.install 2024-01-06 12:57:21.000000000 +0100 @@ -1,4 +1,4 @@ #!/usr/bin/dh-exec usr/include/security/* -lib/${DEB_HOST_MULTIARCH}/*.a usr/lib/${DEB_HOST_MULTIARCH} -lib/${DEB_HOST_MULTIARCH}/pkgconfig/*.pc usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig +usr/lib/${DEB_HOST_MULTIARCH}/*.a usr/lib/${DEB_HOST_MULTIARCH} +usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig/*.pc usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig diff -Nru pam-1.5.2/debian/libpam0g-dev.links pam-1.5.2/debian/libpam0g-dev.links --- pam-1.5.2/debian/libpam0g-dev.links 2023-10-24 17:19:43.000000000 +0200 +++ pam-1.5.2/debian/libpam0g-dev.links 2024-01-06 12:57:21.000000000 +0100 
@@ -1,4 +1,4 @@
 #!/usr/bin/dh-exec
-/lib/${DEB_HOST_MULTIARCH}/libpam.so.0 usr/lib/${DEB_HOST_MULTIARCH}/libpam.so
-/lib/${DEB_HOST_MULTIARCH}/libpamc.so.0 usr/lib/${DEB_HOST_MULTIARCH}/libpamc.so
-/lib/${DEB_HOST_MULTIARCH}/libpam_misc.so.0 usr/lib/${DEB_HOST_MULTIARCH}/libpam_misc.so
+/usr/lib/${DEB_HOST_MULTIARCH}/libpam.so.0 usr/lib/${DEB_HOST_MULTIARCH}/libpam.so
+/usr/lib/${DEB_HOST_MULTIARCH}/libpamc.so.0 usr/lib/${DEB_HOST_MULTIARCH}/libpamc.so
+/usr/lib/${DEB_HOST_MULTIARCH}/libpam_misc.so.0 usr/lib/${DEB_HOST_MULTIARCH}/libpam_misc.so
diff -Nru pam-1.5.2/debian/libpam0g.install pam-1.5.2/debian/libpam0g.install
--- pam-1.5.2/debian/libpam0g.install 2023-10-24 17:19:43.000000000 +0200
+++ pam-1.5.2/debian/libpam0g.install 2024-01-06 12:57:21.000000000 +0100
@@ -1 +1 @@
-lib/*/lib*.so.*
+usr/lib/*/lib*.so.*
diff -Nru pam-1.5.2/debian/libpam-modules-bin.install pam-1.5.2/debian/libpam-modules-bin.install
--- pam-1.5.2/debian/libpam-modules-bin.install 2023-10-24 17:19:43.000000000 +0200
+++ pam-1.5.2/debian/libpam-modules-bin.install 2024-01-06 12:57:21.000000000 +0100
@@ -1,9 +1,9 @@
-sbin/unix_chkpwd sbin
-sbin/unix_update sbin
-sbin/mkhomedir_helper sbin
-sbin/pam_namespace_helper
-sbin/pwhistory_helper
-sbin/pam_timestamp_check usr/sbin
-sbin/faillock usr/sbin
+usr/sbin/unix_chkpwd
+usr/sbin/unix_update
+usr/sbin/mkhomedir_helper
+usr/sbin/pam_namespace_helper
+usr/sbin/pwhistory_helper
+usr/sbin/pam_timestamp_check
+usr/sbin/faillock
 modules/pam_faillock/faillock.8 usr/share/man/man8
 usr/lib/systemd/system/pam_namespace.service
diff -Nru pam-1.5.2/debian/libpam-modules-bin.lintian-overrides pam-1.5.2/debian/libpam-modules-bin.lintian-overrides
--- pam-1.5.2/debian/libpam-modules-bin.lintian-overrides 2023-10-24 17:19:43.000000000 +0200
+++ pam-1.5.2/debian/libpam-modules-bin.lintian-overrides 2024-01-06 12:57:21.000000000 +0100
@@ -1,2 +1,2 @@
 # yes, we know it's sgid, that's the whole point...
-libpam-modules-bin: setgid-binary *sbin/unix_chkpwd* 2755 root/shadow
+libpam-modules-bin: elevated-privileges 2755 root/shadow [usr/sbin/unix_chkpwd]
diff -Nru pam-1.5.2/debian/libpam-modules.install pam-1.5.2/debian/libpam-modules.install
--- pam-1.5.2/debian/libpam-modules.install 2023-10-24 17:19:43.000000000 +0200
+++ pam-1.5.2/debian/libpam-modules.install 2024-01-06 12:57:21.000000000 +0100
@@ -1,3 +1,3 @@
 etc/security/* etc/security
-lib/*/security/*.so
+usr/lib/*/security/*.so
 debian/pam-configs/mkhomedir usr/share/pam-configs/
diff -Nru pam-1.5.2/debian/libpam-modules.lintian-overrides pam-1.5.2/debian/libpam-modules.lintian-overrides
--- pam-1.5.2/debian/libpam-modules.lintian-overrides 2023-10-24 17:19:43.000000000 +0200
+++ pam-1.5.2/debian/libpam-modules.lintian-overrides 2024-01-06 12:57:21.000000000 +0100
@@ -2,13 +2,13 @@
 # fortifying. Since we know we have hardening turned on globally, suppress
 # them. If we ever see this warning again for *other* modules, then we know
 # there's a real problem.
-libpam-modules: hardening-no-fortify-functions *lib/*/security/pam_echo.so*
-libpam-modules: hardening-no-fortify-functions *lib/*/security/pam_filter.so*
-libpam-modules: hardening-no-fortify-functions *lib/*/security/pam_group.so*
-libpam-modules: hardening-no-fortify-functions *lib/*/security/pam_localuser.so*
-libpam-modules: hardening-no-fortify-functions *lib/*/security/pam_shells.so*
-libpam-modules: hardening-no-fortify-functions *lib/*/security/pam_wheel.so*
+libpam-modules: hardening-no-fortify-functions *usr/lib/*/security/pam_echo.so*
+libpam-modules: hardening-no-fortify-functions *usr/lib/*/security/pam_filter.so*
+libpam-modules: hardening-no-fortify-functions *usr/lib/*/security/pam_group.so*
+libpam-modules: hardening-no-fortify-functions *usr/lib/*/security/pam_localuser.so*
+libpam-modules: hardening-no-fortify-functions *usr/lib/*/security/pam_shells.so*
+libpam-modules: hardening-no-fortify-functions *usr/lib/*/security/pam_wheel.so*
 # pam_deny.so does not use any symbol from libc.
-libpam-modules: shared-lib-without-dependency-information *lib/*/security/pam_deny.so*
+libpam-modules: shared-lib-without-dependency-information *usr/lib/*/security/pam_deny.so*
 # lintian doesn't know what to do with manpages for pam modules
 libpam-modules: spare-manual-page *
diff -Nru pam-1.5.2/debian/not-installed pam-1.5.2/debian/not-installed
--- pam-1.5.2/debian/not-installed 2023-10-24 17:19:43.000000000 +0200
+++ pam-1.5.2/debian/not-installed 2024-01-06 12:57:21.000000000 +0100
@@ -1,8 +1,8 @@ -lib/*/security/*.a -lib/*/security/*.la -lib/*/*.la -lib/*/*.so +usr/lib/*/security/*.a +usr/lib/*/security/*.la +usr/lib/*/*.la +usr/lib/*/*.so usr/share/man/man8/pam.8 etc/environment # sample filter, do not install -lib/*/security/pam_filter/upperLOWER +usr/lib/*/security/pam_filter/upperLOWER diff -Nru pam-1.5.2/debian/rules pam-1.5.2/debian/rules --- pam-1.5.2/debian/rules 2023-10-24 19:38:53.000000000 +0200 +++ pam-1.5.2/debian/rules 2024-01-06 12:57:21.000000000 +0100 @@ -33,9 +33,11 @@ endif override_dh_auto_configure: + # Explicitly set libdir, sbindir to avoid upstream's override logic. dh_auto_configure -- --enable-static --enable-shared \ - --libdir=/lib/$(DEB_HOST_MULTIARCH) \ - --enable-isadir=/lib/security \ + --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \ + --sbindir=/usr/sbin \ + --enable-isadir=/usr/lib/security \ --with-systemdunitdir=/usr/lib/systemd/system \ --disable-nis \ $(CONFIGURE_OPTS) @@ -72,8 +74,8 @@ override_dh_fixperms: dh_fixperms ifneq (,$(findstring libpam-modules, $(shell dh_listpackages))) - chgrp shadow $(d)/libpam-modules-bin/sbin/unix_chkpwd - chmod 02755 $(d)/libpam-modules-bin/sbin/unix_chkpwd + chgrp shadow $(d)/libpam-modules-bin/usr/sbin/unix_chkpwd + chmod 02755 $(d)/libpam-modules-bin/usr/sbin/unix_chkpwd endif override_dh_installchangelogs:
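Review bot: The comment added in override_dh_auto_configure explains why libdir and sbindir are passed explicitly, but not the compatibility assumption that the new `--libdir=/usr/lib/$(DEB_HOST_MULTIARCH)` and `--enable-isadir=/usr/lib/security` values bring with them. Per the changelog entry, PAM modules that other packages still install under /lib stay reachable only through the merged-/usr aliasing symlinks. On a tree where /lib is not an alias of /usr/lib (an unmerged chroot or image, say), a module named in /etc/pam.d by bare filename would presumably no longer be found, which breaks that authentication stack, so the dependency deserves a line where the paths are set. I would extend the comment with something like `# Modules still shipped under /lib/*/security are found only via the /lib -> /usr/lib alias (DEP17 M2).` The rule may continue past the end of this hunk.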
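Review bot: Nothing visible in this patch verifies that unix_chkpwd is still setgid shadow at its new location; the `chgrp shadow` / `chmod 02755` pair in override_dh_fixperms and the lintian override are the only places the mode is recorded. The description says the new autopkgtests only compile and link a module and a client, so if that is all they do, one of them could also assert the installed mode, for example `test "$(stat -c '%a %G' /usr/sbin/unix_chkpwd)" = "2755 shadow"`. That would catch a later drift between the .install entry, the fixperms path and the override. Site policy keyed on the old /sbin/unix_chkpwd path (MAC profiles, audit watches) may need the /usr/sbin spelling as well, which could be worth a sentence in the changelog entry.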