summaryrefslogtreecommitdiffstats
path: root/meta/recipes-extended/pam
diff options
context:
space:
mode:
authorAlexander Kanavin <alex.kanavin@gmail.com>2020-12-28 21:04:25 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-12-31 11:53:26 +0000
commitb0384720a46fb25c4ad180e3f256ffdeb53dc8a6 (patch)
treecdd8ae2541d6492d07d833cd9c27472b44741a98 /meta/recipes-extended/pam
parent8df315fcf67270572891dec9c4aa94fbacdf58bd (diff)
downloadpoky-b0384720a46fb25c4ad180e3f256ffdeb53dc8a6.tar.gz
libpam: update 1.3.1 -> 1.5.1
Remove crypt_configure.patch, issue fixed upstream. Remove pam-security-abstract-securetty-handling.patch and pam-unix-nullok-secure.patch, patches coming from debian, difficult to rebase, and their purpose is unclear. Disable doc generation, as libpam messes up native and target compiler options. Adjust dependencies and packaging. (From OE-Core rev: 43e3d014748b1ccff25c232b1e6d9345859c0f29) Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/pam')
-rw-r--r--meta/recipes-extended/pam/libpam/0001-modules-pam_namespace-Makefile.am-correctly-install-.patch28
-rw-r--r--meta/recipes-extended/pam/libpam/crypt_configure.patch40
-rw-r--r--meta/recipes-extended/pam/libpam/pam-security-abstract-securetty-handling.patch203
-rw-r--r--meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch195
-rw-r--r--meta/recipes-extended/pam/libpam_1.5.1.bb (renamed from meta/recipes-extended/pam/libpam_1.3.1.bb)17
5 files changed, 35 insertions, 448 deletions
diff --git a/meta/recipes-extended/pam/libpam/0001-modules-pam_namespace-Makefile.am-correctly-install-.patch b/meta/recipes-extended/pam/libpam/0001-modules-pam_namespace-Makefile.am-correctly-install-.patch
new file mode 100644
index 0000000000..b41d1e5962
--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/0001-modules-pam_namespace-Makefile.am-correctly-install-.patch
@@ -0,0 +1,28 @@
1From e2db4082f6b988f1d5803028e9e47aee5f3519ac Mon Sep 17 00:00:00 2001
2From: Alexander Kanavin <alex.kanavin@gmail.com>
3Date: Sun, 27 Dec 2020 00:30:45 +0100
4Subject: [PATCH] modules/pam_namespace/Makefile.am: correctly install systemd
5 unit file
6
7Upstream-Status: Pending
8Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
9---
10 modules/pam_namespace/Makefile.am | 2 +-
11 1 file changed, 1 insertion(+), 1 deletion(-)
12
13diff --git a/modules/pam_namespace/Makefile.am b/modules/pam_namespace/Makefile.am
14index 21e1b33..ddd5fc0 100644
15--- a/modules/pam_namespace/Makefile.am
16+++ b/modules/pam_namespace/Makefile.am
17@@ -18,7 +18,7 @@ TESTS = $(dist_check_SCRIPTS)
18 securelibdir = $(SECUREDIR)
19 secureconfdir = $(SCONFIGDIR)
20 namespaceddir = $(SCONFIGDIR)/namespace.d
21-servicedir = $(prefix)/lib/systemd/system
22+servicedir = /lib/systemd/system
23
24 AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
25 -DSECURECONF_DIR=\"$(SCONFIGDIR)/\" $(WARN_CFLAGS)
26--
272.24.0
28
diff --git a/meta/recipes-extended/pam/libpam/crypt_configure.patch b/meta/recipes-extended/pam/libpam/crypt_configure.patch
deleted file mode 100644
index 917a8af64d..0000000000
--- a/meta/recipes-extended/pam/libpam/crypt_configure.patch
+++ /dev/null
@@ -1,40 +0,0 @@
1From b86575ab4a0df07da160283459da270e1c0372a0 Mon Sep 17 00:00:00 2001
2From: "Maxin B. John" <maxin.john@intel.com>
3Date: Tue, 24 May 2016 14:11:09 +0300
4Subject: [PATCH] crypt_configure
5
6This patch fixes a case where it find crypt defined in libc (musl) but
7not in specified libraries then it ends up assigning
8LIBCRYPT="-l" which then goes into makefile cause all sort of problems
9e.g.
10
11ld: cannot find -l-m32
12| collect2: error: ld returned 1 exit status
13The reason is that -l appears on commandline with
14out any library and compiler treats the next argument as library name
15whatever it is.
16
17Upstream-Status: Pending
18
19Signed-off-by: Khem Raj <raj.khem@gmail.com>
20Signed-off-by: Maxin B. John <maxin.john@intel.com>
21---
22 configure.ac | 2 +-
23 1 file changed, 1 insertion(+), 1 deletion(-)
24
25diff --git a/configure.ac b/configure.ac
26index df39d07..e68d856 100644
27--- a/configure.ac
28+++ b/configure.ac
29@@ -401,7 +401,7 @@ AS_IF([test "x$ac_cv_header_xcrypt_h" = "xyes"],
30 [crypt_libs="crypt"])
31
32 BACKUP_LIBS=$LIBS
33-AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="${ac_lib:+-l$ac_lib}", LIBCRYPT="")
34+AC_SEARCH_LIBS([crypt],[$crypt_libs], [test "$ac_cv_search_crypt" = "none required" || LIBCRYPT="$ac_cv_search_crypt"])
35 AC_CHECK_FUNCS(crypt_r crypt_gensalt_r)
36 LIBS=$BACKUP_LIBS
37 AC_SUBST(LIBCRYPT)
38--
392.4.0
40
diff --git a/meta/recipes-extended/pam/libpam/pam-security-abstract-securetty-handling.patch b/meta/recipes-extended/pam/libpam/pam-security-abstract-securetty-handling.patch
deleted file mode 100644
index 9b8d4c2975..0000000000
--- a/meta/recipes-extended/pam/libpam/pam-security-abstract-securetty-handling.patch
+++ /dev/null
@@ -1,203 +0,0 @@
1Description: extract the securetty logic for use with the "nullok_secure" option
2 introduced in the "055_pam_unix_nullok_secure" patch.
3
4Upstream-Status: Pending
5
6Signed-off-by: Ming Liu <ming.liu@windriver.com>
7===================================================================
8Index: Linux-PAM-1.3.0/modules/pam_securetty/Makefile.am
9===================================================================
10--- Linux-PAM-1.3.0.orig/modules/pam_securetty/Makefile.am
11+++ Linux-PAM-1.3.0/modules/pam_securetty/Makefile.am
12@@ -24,6 +24,10 @@ endif
13 securelib_LTLIBRARIES = pam_securetty.la
14 pam_securetty_la_LIBADD = $(top_builddir)/libpam/libpam.la
15
16+pam_securetty_la_SOURCES = \
17+ pam_securetty.c \
18+ tty_secure.c
19+
20 if ENABLE_REGENERATE_MAN
21 noinst_DATA = README
22 README: pam_securetty.8.xml
23Index: Linux-PAM-1.3.0/modules/pam_securetty/pam_securetty.c
24===================================================================
25--- Linux-PAM-1.3.0.orig/modules/pam_securetty/pam_securetty.c
26+++ Linux-PAM-1.3.0/modules/pam_securetty/pam_securetty.c
27@@ -1,7 +1,5 @@
28 /* pam_securetty module */
29
30-#define SECURETTY_FILE "/etc/securetty"
31-#define TTY_PREFIX "/dev/"
32 #define CMDLINE_FILE "/proc/cmdline"
33 #define CONSOLEACTIVE_FILE "/sys/class/tty/console/active"
34
35@@ -40,6 +38,9 @@
36 #include <security/pam_modutil.h>
37 #include <security/pam_ext.h>
38
39+extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
40+ const char *uttyname);
41+
42 #define PAM_DEBUG_ARG 0x0001
43 #define PAM_NOCONSOLE_ARG 0x0002
44
45@@ -73,11 +74,7 @@ securetty_perform_check (pam_handle_t *p
46 const char *username;
47 const char *uttyname;
48 const void *void_uttyname;
49- char ttyfileline[256];
50- char ptname[256];
51- struct stat ttyfileinfo;
52 struct passwd *user_pwd;
53- FILE *ttyfile;
54
55 /* log a trail for debugging */
56 if (ctrl & PAM_DEBUG_ARG) {
57@@ -105,50 +102,7 @@ securetty_perform_check (pam_handle_t *p
58 return PAM_SERVICE_ERR;
59 }
60
61- /* The PAM_TTY item may be prefixed with "/dev/" - skip that */
62- if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) {
63- uttyname += sizeof(TTY_PREFIX)-1;
64- }
65-
66- if (stat(SECURETTY_FILE, &ttyfileinfo)) {
67- pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE);
68- return PAM_SUCCESS; /* for compatibility with old securetty handling,
69- this needs to succeed. But we still log the
70- error. */
71- }
72-
73- if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) {
74- /* If the file is world writable or is not a
75- normal file, return error */
76- pam_syslog(pamh, LOG_ERR,
77- "%s is either world writable or not a normal file",
78- SECURETTY_FILE);
79- return PAM_AUTH_ERR;
80- }
81-
82- ttyfile = fopen(SECURETTY_FILE,"r");
83- if (ttyfile == NULL) { /* Check that we opened it successfully */
84- pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE);
85- return PAM_SERVICE_ERR;
86- }
87-
88- if (isdigit(uttyname[0])) {
89- snprintf(ptname, sizeof(ptname), "pts/%s", uttyname);
90- } else {
91- ptname[0] = '\0';
92- }
93-
94- retval = 1;
95-
96- while ((fgets(ttyfileline, sizeof(ttyfileline)-1, ttyfile) != NULL)
97- && retval) {
98- if (ttyfileline[strlen(ttyfileline) - 1] == '\n')
99- ttyfileline[strlen(ttyfileline) - 1] = '\0';
100-
101- retval = ( strcmp(ttyfileline, uttyname)
102- && (!ptname[0] || strcmp(ptname, uttyname)) );
103- }
104- fclose(ttyfile);
105+ retval = _pammodutil_tty_secure(pamh, uttyname);
106
107 if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) {
108 FILE *cmdlinefile;
109Index: Linux-PAM-1.3.0/modules/pam_securetty/tty_secure.c
110===================================================================
111--- /dev/null
112+++ Linux-PAM-1.3.0/modules/pam_securetty/tty_secure.c
113@@ -0,0 +1,90 @@
114+/*
115+ * A function to determine if a particular line is in /etc/securetty
116+ */
117+
118+
119+#define SECURETTY_FILE "/etc/securetty"
120+#define TTY_PREFIX "/dev/"
121+
122+/* This function taken out of pam_securetty by Sam Hartman
123+ * <hartmans@debian.org>*/
124+/*
125+ * by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
126+ * July 25, 1996.
127+ * Slight modifications AGM. 1996/12/3
128+ */
129+
130+#include <unistd.h>
131+#include <sys/types.h>
132+#include <sys/stat.h>
133+#include <security/pam_modules.h>
134+#include <stdarg.h>
135+#include <syslog.h>
136+#include <sys/syslog.h>
137+#include <stdio.h>
138+#include <string.h>
139+#include <stdlib.h>
140+#include <ctype.h>
141+#include <security/pam_modutil.h>
142+#include <security/pam_ext.h>
143+
144+extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
145+ const char *uttyname);
146+
147+int _pammodutil_tty_secure(const pam_handle_t *pamh, const char *uttyname)
148+{
149+ int retval = PAM_AUTH_ERR;
150+ char ttyfileline[256];
151+ char ptname[256];
152+ struct stat ttyfileinfo;
153+ FILE *ttyfile;
154+ /* The PAM_TTY item may be prefixed with "/dev/" - skip that */
155+ if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0)
156+ uttyname += sizeof(TTY_PREFIX)-1;
157+
158+ if (stat(SECURETTY_FILE, &ttyfileinfo)) {
159+ pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m",
160+ SECURETTY_FILE);
161+ return PAM_SUCCESS; /* for compatibility with old securetty handling,
162+ this needs to succeed. But we still log the
163+ error. */
164+ }
165+
166+ if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) {
167+ /* If the file is world writable or is not a
168+ normal file, return error */
169+ pam_syslog(pamh, LOG_ERR,
170+ "%s is either world writable or not a normal file",
171+ SECURETTY_FILE);
172+ return PAM_AUTH_ERR;
173+ }
174+
175+ ttyfile = fopen(SECURETTY_FILE,"r");
176+ if(ttyfile == NULL) { /* Check that we opened it successfully */
177+ pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE);
178+ return PAM_SERVICE_ERR;
179+ }
180+
181+ if (isdigit(uttyname[0])) {
182+ snprintf(ptname, sizeof(ptname), "pts/%s", uttyname);
183+ } else {
184+ ptname[0] = '\0';
185+ }
186+
187+ retval = 1;
188+
189+ while ((fgets(ttyfileline,sizeof(ttyfileline)-1, ttyfile) != NULL)
190+ && retval) {
191+ if(ttyfileline[strlen(ttyfileline) - 1] == '\n')
192+ ttyfileline[strlen(ttyfileline) - 1] = '\0';
193+ retval = ( strcmp(ttyfileline,uttyname)
194+ && (!ptname[0] || strcmp(ptname, uttyname)) );
195+ }
196+ fclose(ttyfile);
197+
198+ if(retval) {
199+ retval = PAM_AUTH_ERR;
200+ }
201+
202+ return retval;
203+}
diff --git a/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch b/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch
deleted file mode 100644
index d2cc66882e..0000000000
--- a/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch
+++ /dev/null
@@ -1,195 +0,0 @@
1From b6545b83f94c5fb7aec1478b8d458a1393f479c8 Mon Sep 17 00:00:00 2001
2From: "Maxin B. John" <maxin.john@intel.com>
3Date: Wed, 25 May 2016 14:12:25 +0300
4Subject: [PATCH] pam_unix: support 'nullok_secure' option
5
6Debian patch to add a new 'nullok_secure' option to pam_unix,
7which accepts users with null passwords only when the applicant is
8connected from a tty listed in /etc/securetty.
9
10Authors: Sam Hartman <hartmans@debian.org>,
11 Steve Langasek <vorlon@debian.org>
12
13Upstream-Status: Pending
14
15Signed-off-by: Ming Liu <ming.liu@windriver.com>
16Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
17Signed-off-by: Maxin B. John <maxin.john@intel.com>
18---
19 modules/pam_unix/Makefile.am | 3 ++-
20 modules/pam_unix/pam_unix.8.xml | 19 ++++++++++++++++++-
21 modules/pam_unix/support.c | 40 +++++++++++++++++++++++++++++++++++-----
22 modules/pam_unix/support.h | 8 ++++++--
23 4 files changed, 61 insertions(+), 9 deletions(-)
24
25diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
26index 56df178..2bba460 100644
27--- a/modules/pam_unix/Makefile.am
28+++ b/modules/pam_unix/Makefile.am
29@@ -30,7 +30,8 @@ if HAVE_VERSIONING
30 pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
31 endif
32 pam_unix_la_LIBADD = $(top_builddir)/libpam/libpam.la \
33- @LIBCRYPT@ @LIBSELINUX@ @TIRPC_LIBS@ @NSL_LIBS@
34+ @LIBCRYPT@ @LIBSELINUX@ @TIRPC_LIBS@ @NSL_LIBS@ \
35+ ../pam_securetty/tty_secure.lo
36
37 securelib_LTLIBRARIES = pam_unix.la
38
39diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
40index 1b318f1..be0330e 100644
41--- a/modules/pam_unix/pam_unix.8.xml
42+++ b/modules/pam_unix/pam_unix.8.xml
43@@ -159,7 +159,24 @@
44 <para>
45 The default action of this module is to not permit the
46 user access to a service if their official password is blank.
47- The <option>nullok</option> argument overrides this default.
48+ The <option>nullok</option> argument overrides this default
49+ and allows any user with a blank password to access the
50+ service.
51+ </para>
52+ </listitem>
53+ </varlistentry>
54+ <varlistentry>
55+ <term>
56+ <option>nullok_secure</option>
57+ </term>
58+ <listitem>
59+ <para>
60+ The default action of this module is to not permit the
61+ user access to a service if their official password is blank.
62+ The <option>nullok_secure</option> argument overrides this
63+ default and allows any user with a blank password to access
64+ the service as long as the value of PAM_TTY is set to one of
65+ the values found in /etc/securetty.
66 </para>
67 </listitem>
68 </varlistentry>
69diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
70index fc8595e..29e3341 100644
71--- a/modules/pam_unix/support.c
72+++ b/modules/pam_unix/support.c
73@@ -183,13 +183,22 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
74 /* now parse the arguments to this module */
75
76 for (; argc-- > 0; ++argv) {
77+ int sl;
78
79 D(("pam_unix arg: %s", *argv));
80
81 for (j = 0; j < UNIX_CTRLS_; ++j) {
82- if (unix_args[j].token
83- && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) {
84- break;
85+ if (unix_args[j].token) {
86+ sl = strlen(unix_args[j].token);
87+ if (unix_args[j].token[sl-1] == '=') {
88+ /* exclude argument from comparison */
89+ if (!strncmp(*argv, unix_args[j].token, sl))
90+ break;
91+ } else {
92+ /* compare full strings */
93+ if (!strcmp(*argv, unix_args[j].token))
94+ break;
95+ }
96 }
97 }
98
99@@ -560,6 +569,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
100 if (child == 0) {
101 static char *envp[] = { NULL };
102 const char *args[] = { NULL, NULL, NULL, NULL };
103+ int nullok = off(UNIX__NONULL, ctrl);
104
105 /* XXX - should really tidy up PAM here too */
106
107@@ -587,7 +597,16 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
108 /* exec binary helper */
109 args[0] = CHKPWD_HELPER;
110 args[1] = user;
111- if (off(UNIX__NONULL, ctrl)) { /* this means we've succeeded */
112+ if (on(UNIX_NULLOK_SECURE, ctrl)) {
113+ const void *uttyname;
114+ retval = pam_get_item(pamh, PAM_TTY, &uttyname);
115+ if (retval != PAM_SUCCESS || uttyname == NULL
116+ || _pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS) {
117+ nullok = 0;
118+ }
119+ }
120+
121+ if (nullok) {
122 args[2]="nullok";
123 } else {
124 args[2]="nonull";
125@@ -672,6 +691,17 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name)
126 if (on(UNIX__NONULL, ctrl))
127 return 0; /* will fail but don't let on yet */
128
129+ if (on(UNIX_NULLOK_SECURE, ctrl)) {
130+ int retval2;
131+ const void *uttyname;
132+ retval2 = pam_get_item(pamh, PAM_TTY, &uttyname);
133+ if (retval2 != PAM_SUCCESS || uttyname == NULL)
134+ return 0;
135+
136+ if (_pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS)
137+ return 0;
138+ }
139+
140 /* UNIX passwords area */
141
142 retval = get_pwd_hash(pamh, name, &pwd, &salt);
143@@ -758,7 +788,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name
144 }
145 }
146 } else {
147- retval = verify_pwd_hash(p, salt, off(UNIX__NONULL, ctrl));
148+ retval = verify_pwd_hash(p, salt, _unix_blankpasswd(pamh, ctrl, name));
149 }
150
151 if (retval == PAM_SUCCESS) {
152diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
153index b4c279c..8da4a8e 100644
154--- a/modules/pam_unix/support.h
155+++ b/modules/pam_unix/support.h
156@@ -98,8 +98,9 @@ typedef struct {
157 #define UNIX_QUIET 28 /* Don't print informational messages */
158 #define UNIX_NO_PASS_EXPIRY 29 /* Don't check for password expiration if not used for authentication */
159 #define UNIX_DES 30 /* DES, default */
160+#define UNIX_NULLOK_SECURE 31 /* NULL passwords allowed only on secure ttys */
161 /* -------------- */
162-#define UNIX_CTRLS_ 31 /* number of ctrl arguments defined */
163+#define UNIX_CTRLS_ 32 /* number of ctrl arguments defined */
164
165 #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
166
167@@ -117,7 +118,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
168 /* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0100, 0},
169 /* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200, 0},
170 /* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400, 0},
171-/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0},
172+/* UNIX__NONULL */ {NULL, _ALL_ON_^(02000000000), 01000, 0},
173 /* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0},
174 /* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0},
175 /* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0},
176@@ -139,6 +140,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
177 /* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0},
178 /* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0},
179 /* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1},
180+/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(01000), 02000000000, 0},
181 };
182
183 #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
184@@ -172,6 +174,8 @@ extern int _unix_read_password(pam_handle_t * pamh
185 ,const char *data_name
186 ,const void **pass);
187
188+extern int _pammodutil_tty_secure(const pam_handle_t *pamh, const char *uttyname);
189+
190 extern int _unix_run_verify_binary(pam_handle_t *pamh,
191 unsigned int ctrl, const char *user, int *daysleft);
192 #endif /* _PAM_UNIX_SUPPORT_H */
193--
1942.4.0
195
diff --git a/meta/recipes-extended/pam/libpam_1.3.1.bb b/meta/recipes-extended/pam/libpam_1.5.1.bb
index bc72afe6ad..6af1d43c60 100644
--- a/meta/recipes-extended/pam/libpam_1.3.1.bb
+++ b/meta/recipes-extended/pam/libpam_1.5.1.bb
@@ -21,13 +21,10 @@ SRC_URI = "https://github.com/linux-pam/linux-pam/releases/download/v${PV}/Linux
21 file://pam.d/common-session-noninteractive \ 21 file://pam.d/common-session-noninteractive \
22 file://pam.d/other \ 22 file://pam.d/other \
23 file://libpam-xtests.patch \ 23 file://libpam-xtests.patch \
24 file://pam-security-abstract-securetty-handling.patch \ 24 file://0001-modules-pam_namespace-Makefile.am-correctly-install-.patch \
25 file://pam-unix-nullok-secure.patch \ 25 "
26 file://crypt_configure.patch \
27 "
28 26
29SRC_URI[md5sum] = "558ff53b0fc0563ca97f79e911822165" 27SRC_URI[sha256sum] = "201d40730b1135b1b3cdea09f2c28ac634d73181ccd0172ceddee3649c5792fc"
30SRC_URI[sha256sum] = "eff47a4ecd833fbf18de9686632a70ee8d0794b79aecb217ebd0ce11db4cd0db"
31 28
32SRC_URI_append_libc-musl = " file://0001-Add-support-for-defining-missing-funcitonality.patch \ 29SRC_URI_append_libc-musl = " file://0001-Add-support-for-defining-missing-funcitonality.patch \
33 file://include_paths_header.patch \ 30 file://include_paths_header.patch \
@@ -39,13 +36,14 @@ EXTRA_OECONF = "--includedir=${includedir}/security \
39 --libdir=${base_libdir} \ 36 --libdir=${base_libdir} \
40 --disable-nis \ 37 --disable-nis \
41 --disable-regenerate-docu \ 38 --disable-regenerate-docu \
39 --disable-doc \
42 --disable-prelude" 40 --disable-prelude"
43 41
44CFLAGS_append = " -fPIC " 42CFLAGS_append = " -fPIC "
45 43
46S = "${WORKDIR}/Linux-PAM-${PV}" 44S = "${WORKDIR}/Linux-PAM-${PV}"
47 45
48inherit autotools gettext pkgconfig 46inherit autotools gettext pkgconfig systemd
49 47
50PACKAGECONFIG ??= "" 48PACKAGECONFIG ??= ""
51PACKAGECONFIG[audit] = "--enable-audit,--disable-audit,audit," 49PACKAGECONFIG[audit] = "--enable-audit,--disable-audit,audit,"
@@ -54,7 +52,7 @@ PACKAGECONFIG[userdb] = "--enable-db=db,--enable-db=no,db,"
54PACKAGES += "${PN}-runtime ${PN}-xtests" 52PACKAGES += "${PN}-runtime ${PN}-xtests"
55FILES_${PN} = "${base_libdir}/lib*${SOLIBS}" 53FILES_${PN} = "${base_libdir}/lib*${SOLIBS}"
56FILES_${PN}-dev += "${base_libdir}/security/*.la ${base_libdir}/*.la ${base_libdir}/lib*${SOLIBSDEV}" 54FILES_${PN}-dev += "${base_libdir}/security/*.la ${base_libdir}/*.la ${base_libdir}/lib*${SOLIBSDEV}"
57FILES_${PN}-runtime = "${sysconfdir}" 55FILES_${PN}-runtime = "${sysconfdir} ${sbindir} ${systemd_system_unitdir}"
58FILES_${PN}-xtests = "${datadir}/Linux-PAM/xtests" 56FILES_${PN}-xtests = "${datadir}/Linux-PAM/xtests"
59 57
60PACKAGES_DYNAMIC += "^${MLPREFIX}pam-plugin-.*" 58PACKAGES_DYNAMIC += "^${MLPREFIX}pam-plugin-.*"
@@ -77,11 +75,10 @@ RDEPENDS_${PN}-runtime = "${PN}-${libpam_suffix} \
77RDEPENDS_${PN}-xtests = "${PN}-${libpam_suffix} \ 75RDEPENDS_${PN}-xtests = "${PN}-${libpam_suffix} \
78 ${MLPREFIX}pam-plugin-access-${libpam_suffix} \ 76 ${MLPREFIX}pam-plugin-access-${libpam_suffix} \
79 ${MLPREFIX}pam-plugin-debug-${libpam_suffix} \ 77 ${MLPREFIX}pam-plugin-debug-${libpam_suffix} \
80 ${MLPREFIX}pam-plugin-cracklib-${libpam_suffix} \
81 ${MLPREFIX}pam-plugin-pwhistory-${libpam_suffix} \ 78 ${MLPREFIX}pam-plugin-pwhistory-${libpam_suffix} \
82 ${MLPREFIX}pam-plugin-succeed-if-${libpam_suffix} \ 79 ${MLPREFIX}pam-plugin-succeed-if-${libpam_suffix} \
83 ${MLPREFIX}pam-plugin-time-${libpam_suffix} \ 80 ${MLPREFIX}pam-plugin-time-${libpam_suffix} \
84 coreutils" 81 bash coreutils"
85 82
86# FIXME: Native suffix breaks here, disable it for now 83# FIXME: Native suffix breaks here, disable it for now
87RRECOMMENDS_${PN} = "${PN}-runtime-${libpam_suffix}" 84RRECOMMENDS_${PN} = "${PN}-runtime-${libpam_suffix}"