Bug#1060160: pam: install into /usr (DEP17 M2)

Sat, 06 Jan 2024 08:57:16 -0800 

Source: pam
Version: 1.5.2-9.1
Severity: normal
Tags: patch
User: helm...@debian.org
Usertags: dep17m2
X-Debbugs-CC: helm...@debian.org

Please find a patch attached to have PAM install its files into
/usr/{lib,sbin}, instead of /{lib,sbin}, for the currently ongoing
Debian UsrMerge effort [1].
src:pam is relevant now because its part of the "bootstrap set", and
needs to be converted before base-files can be modified, which we'd
like to do soon.

The patch also adds two simple, superficial autopkgtests to compile
and link a PAM module and a PAM client. They seemed helpful in
validating the change.

Please upload to experimental at your earliest convenience, to give
this a wider audience. Additional reviews and tests are obviously
also welcome.

If during the trixie cycle your package will undergo structural
changes or any other file moves, please also see the wiki and upload
to experimental first when these changes are done.

Chris

[1] https://wiki.debian.org/UsrMerge

diff -Nru pam-1.5.2/debian/changelog pam-1.5.2/debian/changelog
--- pam-1.5.2/debian/changelog	2023-10-24 19:38:53.000000000 +0200
+++ pam-1.5.2/debian/changelog	2024-01-06 12:57:21.000000000 +0100
@@ -1,3 +1,14 @@
+pam (1.5.2-9.2) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Install into /usr/{lib,sbin} instead of /{lib,sbin}. Assumes
+    usrmerge aliasing symlinks are in place since bookworm to keep
+    compatibility with PAM modules still installing into /lib.
+    (DEP17 M2) (Closes: #-1).
+  * Update lintian override for setgid binary.
+
+ -- Chris Hofstaedtler <z...@debian.org>  Sat, 06 Jan 2024 12:57:21 +0100
+
 pam (1.5.2-9.1) unstable; urgency=medium
 
   * Non-maintainer upload acked by Sam Hartman.
diff -Nru pam-1.5.2/debian/libpam0g-dev.install pam-1.5.2/debian/libpam0g-dev.install
--- pam-1.5.2/debian/libpam0g-dev.install	2023-10-24 17:19:43.000000000 +0200
+++ pam-1.5.2/debian/libpam0g-dev.install	2024-01-06 12:57:21.000000000 +0100
@@ -1,4 +1,4 @@
 #!/usr/bin/dh-exec
 usr/include/security/*
-lib/${DEB_HOST_MULTIARCH}/*.a		usr/lib/${DEB_HOST_MULTIARCH}
-lib/${DEB_HOST_MULTIARCH}/pkgconfig/*.pc usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig
+usr/lib/${DEB_HOST_MULTIARCH}/*.a		usr/lib/${DEB_HOST_MULTIARCH}
+usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig/*.pc usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig
diff -Nru pam-1.5.2/debian/libpam0g-dev.links pam-1.5.2/debian/libpam0g-dev.links
--- pam-1.5.2/debian/libpam0g-dev.links	2023-10-24 17:19:43.000000000 +0200
+++ pam-1.5.2/debian/libpam0g-dev.links	2024-01-06 12:57:21.000000000 +0100
@@ -1,4 +1,4 @@
 #!/usr/bin/dh-exec
-/lib/${DEB_HOST_MULTIARCH}/libpam.so.0 usr/lib/${DEB_HOST_MULTIARCH}/libpam.so
-/lib/${DEB_HOST_MULTIARCH}/libpamc.so.0 usr/lib/${DEB_HOST_MULTIARCH}/libpamc.so
-/lib/${DEB_HOST_MULTIARCH}/libpam_misc.so.0 usr/lib/${DEB_HOST_MULTIARCH}/libpam_misc.so
+/usr/lib/${DEB_HOST_MULTIARCH}/libpam.so.0 usr/lib/${DEB_HOST_MULTIARCH}/libpam.so
+/usr/lib/${DEB_HOST_MULTIARCH}/libpamc.so.0 usr/lib/${DEB_HOST_MULTIARCH}/libpamc.so
+/usr/lib/${DEB_HOST_MULTIARCH}/libpam_misc.so.0 usr/lib/${DEB_HOST_MULTIARCH}/libpam_misc.so
diff -Nru pam-1.5.2/debian/libpam0g.install pam-1.5.2/debian/libpam0g.install
--- pam-1.5.2/debian/libpam0g.install	2023-10-24 17:19:43.000000000 +0200
+++ pam-1.5.2/debian/libpam0g.install	2024-01-06 12:57:21.000000000 +0100
@@ -1 +1 @@
-lib/*/lib*.so.*
+usr/lib/*/lib*.so.*
diff -Nru pam-1.5.2/debian/libpam-modules-bin.install pam-1.5.2/debian/libpam-modules-bin.install
--- pam-1.5.2/debian/libpam-modules-bin.install	2023-10-24 17:19:43.000000000 +0200
+++ pam-1.5.2/debian/libpam-modules-bin.install	2024-01-06 12:57:21.000000000 +0100
@@ -1,9 +1,9 @@
-sbin/unix_chkpwd	sbin
-sbin/unix_update	sbin
-sbin/mkhomedir_helper	sbin
-sbin/pam_namespace_helper
-sbin/pwhistory_helper
-sbin/pam_timestamp_check	usr/sbin
-sbin/faillock usr/sbin
+usr/sbin/unix_chkpwd
+usr/sbin/unix_update
+usr/sbin/mkhomedir_helper
+usr/sbin/pam_namespace_helper
+usr/sbin/pwhistory_helper
+usr/sbin/pam_timestamp_check
+usr/sbin/faillock
 modules/pam_faillock/faillock.8 usr/share/man/man8
 usr/lib/systemd/system/pam_namespace.service
diff -Nru pam-1.5.2/debian/libpam-modules-bin.lintian-overrides pam-1.5.2/debian/libpam-modules-bin.lintian-overrides
--- pam-1.5.2/debian/libpam-modules-bin.lintian-overrides	2023-10-24 17:19:43.000000000 +0200
+++ pam-1.5.2/debian/libpam-modules-bin.lintian-overrides	2024-01-06 12:57:21.000000000 +0100
@@ -1,2 +1,2 @@
 # yes, we know it's sgid, that's the whole point...
-libpam-modules-bin: setgid-binary *sbin/unix_chkpwd* 2755 root/shadow
+libpam-modules-bin: elevated-privileges 2755 root/shadow [usr/sbin/unix_chkpwd]
diff -Nru pam-1.5.2/debian/libpam-modules.install pam-1.5.2/debian/libpam-modules.install
--- pam-1.5.2/debian/libpam-modules.install	2023-10-24 17:19:43.000000000 +0200
+++ pam-1.5.2/debian/libpam-modules.install	2024-01-06 12:57:21.000000000 +0100
@@ -1,3 +1,3 @@
 etc/security/*		etc/security
-lib/*/security/*.so
+usr/lib/*/security/*.so
 debian/pam-configs/mkhomedir	usr/share/pam-configs/
diff -Nru pam-1.5.2/debian/libpam-modules.lintian-overrides pam-1.5.2/debian/libpam-modules.lintian-overrides
--- pam-1.5.2/debian/libpam-modules.lintian-overrides	2023-10-24 17:19:43.000000000 +0200
+++ pam-1.5.2/debian/libpam-modules.lintian-overrides	2024-01-06 12:57:21.000000000 +0100
@@ -2,13 +2,13 @@
 # fortifying.  Since we know we have hardening turned on globally, suppress
 # them.  If we ever see this warning again for *other* modules, then we know
 # there's a real problem.
-libpam-modules: hardening-no-fortify-functions *lib/*/security/pam_echo.so*
-libpam-modules: hardening-no-fortify-functions *lib/*/security/pam_filter.so*
-libpam-modules: hardening-no-fortify-functions *lib/*/security/pam_group.so*
-libpam-modules: hardening-no-fortify-functions *lib/*/security/pam_localuser.so*
-libpam-modules: hardening-no-fortify-functions *lib/*/security/pam_shells.so*
-libpam-modules: hardening-no-fortify-functions *lib/*/security/pam_wheel.so*
+libpam-modules: hardening-no-fortify-functions *usr/lib/*/security/pam_echo.so*
+libpam-modules: hardening-no-fortify-functions *usr/lib/*/security/pam_filter.so*
+libpam-modules: hardening-no-fortify-functions *usr/lib/*/security/pam_group.so*
+libpam-modules: hardening-no-fortify-functions *usr/lib/*/security/pam_localuser.so*
+libpam-modules: hardening-no-fortify-functions *usr/lib/*/security/pam_shells.so*
+libpam-modules: hardening-no-fortify-functions *usr/lib/*/security/pam_wheel.so*
 # pam_deny.so does not use any symbol from libc.
-libpam-modules: shared-lib-without-dependency-information *lib/*/security/pam_deny.so*
+libpam-modules: shared-lib-without-dependency-information *usr/lib/*/security/pam_deny.so*
 # lintian doesn't know what to do with manpages for pam modules
 libpam-modules: spare-manual-page *
diff -Nru pam-1.5.2/debian/not-installed pam-1.5.2/debian/not-installed
--- pam-1.5.2/debian/not-installed	2023-10-24 17:19:43.000000000 +0200
+++ pam-1.5.2/debian/not-installed	2024-01-06 12:57:21.000000000 +0100
@@ -1,8 +1,8 @@
-lib/*/security/*.a
-lib/*/security/*.la
-lib/*/*.la
-lib/*/*.so
+usr/lib/*/security/*.a
+usr/lib/*/security/*.la
+usr/lib/*/*.la
+usr/lib/*/*.so
 usr/share/man/man8/pam.8
 etc/environment
 # sample filter, do not install
-lib/*/security/pam_filter/upperLOWER
+usr/lib/*/security/pam_filter/upperLOWER
diff -Nru pam-1.5.2/debian/rules pam-1.5.2/debian/rules
--- pam-1.5.2/debian/rules	2023-10-24 19:38:53.000000000 +0200
+++ pam-1.5.2/debian/rules	2024-01-06 12:57:21.000000000 +0100
@@ -33,9 +33,11 @@
 endif  
 
 override_dh_auto_configure:
+	# Explicitly set libdir, sbindir to avoid upstream's override logic.
 	dh_auto_configure -- --enable-static --enable-shared \
-		--libdir=/lib/$(DEB_HOST_MULTIARCH) \
-		--enable-isadir=/lib/security \
+		--libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
+		--sbindir=/usr/sbin \
+		--enable-isadir=/usr/lib/security \
 		--with-systemdunitdir=/usr/lib/systemd/system \
 		--disable-nis \
 		$(CONFIGURE_OPTS)
@@ -72,8 +74,8 @@
 override_dh_fixperms:
 	dh_fixperms
 ifneq (,$(findstring libpam-modules, $(shell dh_listpackages)))
-	chgrp shadow $(d)/libpam-modules-bin/sbin/unix_chkpwd
-	chmod 02755 $(d)/libpam-modules-bin/sbin/unix_chkpwd
+	chgrp shadow $(d)/libpam-modules-bin/usr/sbin/unix_chkpwd
+	chmod 02755 $(d)/libpam-modules-bin/usr/sbin/unix_chkpwd
 endif
 
 override_dh_installchangelogs:

Reply via email to