[oe] [meta-oe][PATCH] pam-plugin-ccreds: add recipe

Khem Raj raj.khem at gmail.com
Fri Jun 1 17:40:13 UTC 2018 

On 6/1/18 4:41 AM, Richard Leitner wrote:
> Add version 11 of the pam-plugin-ccreds with the debian patches applied.
> 

I see QA errors like below

ERROR: pam-plugin-ccreds-11-r0 do_package_qa: QA Issue: non
-dev/-dbg/nativesdk- package contains symlink .so: pam-plugin-ccreds
path
'/work/core2-64-bec-linux-musl/pam-plugin-ccreds/11-r0/packages-split/pam-plugin-ccreds/lib/security/pam_ccreds.so'
[dev-so]


> Signed-off-by: Richard Leitner <richard.leitner at skidata.com>
> ---
>  ...ke-sure-we-don-t-overflow-the-data-buffer.patch | 29 +++++++
>  .../0002-add-minimum_uid-option.patch              | 97 ++++++++++++++++++++++
>  ...TENSION_SO-also-for-linux-gnueabi-targets.patch | 29 +++++++
>  .../recipes-extended/pam/pam-plugin-ccreds_11.bb   | 27 ++++++
>  4 files changed, 182 insertions(+)
>  create mode 100644 meta-oe/recipes-extended/pam/pam-plugin-ccreds/0001-make-sure-we-don-t-overflow-the-data-buffer.patch
>  create mode 100644 meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch
>  create mode 100644 meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-also-for-linux-gnueabi-targets.patch
>  create mode 100644 meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb
> 
> diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0001-make-sure-we-don-t-overflow-the-data-buffer.patch b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0001-make-sure-we-don-t-overflow-the-data-buffer.patch
> new file mode 100644
> index 000000000..d7f8f5a96
> --- /dev/null
> +++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0001-make-sure-we-don-t-overflow-the-data-buffer.patch
> @@ -0,0 +1,29 @@
> +From 59a95494002ce57ace17d676544101e88a55265d Mon Sep 17 00:00:00 2001
> +From: Nicolas Boullis <nicolas.boullis at ecp.fr>
> +Date: Mon, 23 Mar 2009 10:46:44 +0100
> +Subject: [PATCH 1/3] make sure we don't overflow the data buffer
> +
> +This patch was taken from Debian's libpam-ccreds v10-6 source:
> +	0001-make-sure-we-don-t-overflow-the-data-buffer.patch
> +
> +Reviewed-by: Richard Leitner <richard.leitner at skidata.com>
> +---
> + cc_db.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/cc_db.c b/cc_db.c
> +index c0e0488..9371c4d 100644
> +--- a/cc_db.c
> ++++ b/cc_db.c
> +@@ -199,7 +199,7 @@ int pam_cc_db_get(void *_db, const char *keyname, size_t keylength,
> + 		return (rc == DB_NOTFOUND) ? PAM_AUTHINFO_UNAVAIL : PAM_SERVICE_ERR;
> + 	}
> + 
> +-	if (val.size < *size) {
> ++	if (val.size > *size) {
> + 		return PAM_BUF_ERR;
> + 	}
> + 
> +-- 
> +2.11.0
> +
> diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch
> new file mode 100644
> index 000000000..adc464924
> --- /dev/null
> +++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch
> @@ -0,0 +1,97 @@
> +From 21e3ab24836c5087f3531d2d3270242cea857a79 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx at sigxcpu.org>
> +Date: Thu, 13 May 2010 12:36:26 +0200
> +Subject: [PATCH 2/3] add minimum_uid option
> +
> +Closes: #580037
> +
> +This patch was taken from Debian's libpam-ccreds v10-6 source:
> +	0002-add-minimum_uid-option.patch
> +
> +Reviewed-by: Richard Leitner <richard.leitner at skidata.com>
> +---
> + cc_pam.c | 39 +++++++++++++++++++++++++++++++++++++++
> + 1 file changed, 39 insertions(+)
> +
> +diff --git a/cc_pam.c b/cc_pam.c
> +index d096117..56776aa 100644
> +--- a/cc_pam.c
> ++++ b/cc_pam.c
> +@@ -20,6 +20,7 @@
> + #include <errno.h>
> + #include <limits.h>
> + #include <syslog.h>
> ++#include <pwd.h>
> + 
> + #include "cc_private.h"
> + 
> +@@ -45,6 +46,30 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,
> + 				int flags, int argc, const char **argv);
> + #endif
> + 
> ++
> ++/*
> ++ * Given the PAM arguments and the user we're authenticating, see if we should
> ++ * ignore that user because they're root or have a low-numbered UID and we
> ++ * were configured to ignore such users.  Returns true if we should ignore
> ++ * them, false otherwise.
> ++ */
> ++static int
> ++_pamcc_should_ignore(const char *username, int minimum_uid)
> ++{
> ++	struct passwd *pwd;
> ++
> ++	if (minimum_uid > 0) {
> ++		pwd = getpwnam(username);
> ++		if (pwd != NULL && pwd->pw_uid < (unsigned long) minimum_uid) {
> ++			syslog(LOG_DEBUG, "ignoring low-UID user (%lu < %d)",
> ++				(unsigned long) pwd->pw_uid, minimum_uid);
> ++			return 1;
> ++		}
> ++	}
> ++	return 0;
> ++}
> ++
> ++
> + static int _pam_sm_interact(pam_handle_t *pamh,
> + 			    int flags,
> + 			    const char **authtok)
> +@@ -291,7 +316,9 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
> + 	unsigned int sm_flags = 0, sm_action = 0;
> + 	const char *ccredsfile = NULL;
> + 	const char *action = NULL;
> ++	const char *name = NULL;
> + 	int (*selector)(pam_handle_t *, int, unsigned int, const char *);
> ++	int minimum_uid = 0;
> + 
> + 	for (i = 0; i < argc; i++) {
> + 		if (strcmp(argv[i], "use_first_pass") == 0)
> +@@ -300,6 +327,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
> + 			sm_flags |= SM_FLAGS_TRY_FIRST_PASS;
> + 		else if (strcmp(argv[i], "service_specific") == 0)
> + 			sm_flags |= SM_FLAGS_SERVICE_SPECIFIC;
> ++		else if (strncmp(argv[i], "minimum_uid=", sizeof("minimum_uid=") - 1) == 0)
> ++			minimum_uid = atoi(argv[i] + sizeof("minimum_uid=") - 1);
> + 		else if (strncmp(argv[i], "ccredsfile=", sizeof("ccredsfile=") - 1) == 0)
> + 			ccredsfile = argv[i] + sizeof("ccredsfile=") - 1;
> + 		else if (strncmp(argv[i], "action=", sizeof("action=") - 1) == 0)
> +@@ -321,6 +350,16 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
> + 		syslog(LOG_ERR, "pam_ccreds: invalid action \"%s\"", action);
> + 	}
> + 
> ++	rc = pam_get_user(pamh, &name, NULL);
> ++	if (rc != PAM_SUCCESS || name == NULL) {
> ++		if (rc == PAM_CONV_AGAIN)
> ++			return PAM_INCOMPLETE;
> ++		else
> ++			return PAM_SERVICE_ERR;
> ++	}
> ++	if (_pamcc_should_ignore(name, minimum_uid))
> ++		return PAM_USER_UNKNOWN;
> ++
> + 	switch (sm_action) {
> + 	case SM_ACTION_VALIDATE_CCREDS:
> + 		selector = _pam_sm_validate_cached_credentials;
> +-- 
> +2.11.0
> +
> diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-also-for-linux-gnueabi-targets.patch b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-also-for-linux-gnueabi-targets.patch
> new file mode 100644
> index 000000000..4f203f1a3
> --- /dev/null
> +++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-also-for-linux-gnueabi-targets.patch
> @@ -0,0 +1,29 @@
> +From 12d9bb59284bd01a9fcc3b9280698ffc23ef2ddc Mon Sep 17 00:00:00 2001
> +From: Richard Leitner <richard.leitner at skidata.com>
> +Date: Fri, 1 Jun 2018 13:24:15 +0200
> +Subject: [PATCH 3/3] Set EXTENSION_SO also for linux-gnueabi targets
> +
> +As EXTENSION_SO gets already set for linux and linux-gnu targets we
> +should set it also for linux-gnueabi targets.
> +
> +Signed-off-by: Richard Leitner <richard.leitner at skidata.com>
> +---
> + configure.in | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/configure.in b/configure.in
> +index 0dbdf79..a434208 100644
> +--- a/configure.in
> ++++ b/configure.in
> +@@ -43,7 +43,7 @@ AC_SUBST(pam_ccreds_so_LD)
> + AC_SUBST(pam_ccreds_so_LDFLAGS)
> + 
> + AM_CONDITIONAL(USE_NATIVE_LINKER, test -n "$pam_ccreds_so_LD")
> +-AM_CONDITIONAL(EXTENSION_SO, test "$target_os" = "linux" -o "$target_os" = "linux-gnu")
> ++AM_CONDITIONAL(EXTENSION_SO, test "$target_os" = "linux" -o "$target_os" = "linux-gnu" -o "$target_os" = "linux-gnueabi")
> + AM_CONDITIONAL(EXTENSION_1, test "$TARGET_OS" = "HPUX")
> + 
> + if test -z "$use_gcrypt"; then
> +-- 
> +2.11.0
> +
> diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb b/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb
> new file mode 100644
> index 000000000..ded51e3a0
> --- /dev/null
> +++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb
> @@ -0,0 +1,27 @@
> +SUMMARY = "PAM cached credentials module"
> +HOMEPAGE = "https://www.padl.com/OSS/pam_ccreds.html"
> +SECTION = "libs"
> +LICENSE = "GPLv2"
> +LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
> +
> +DEPENDS = "libpam openssl db"
> +
> +inherit distro_features_check
> +REQUIRED_DISTRO_FEATURES = "pam"
> +
> +SRCREV = "376bb189ceb3a113954f1012c45be7ff09e148ba"
> +
> +SRC_URI = " \
> +    git://github.com/PADL/pam_ccreds \
> +    file://0001-make-sure-we-don-t-overflow-the-data-buffer.patch \
> +    file://0002-add-minimum_uid-option.patch \
> +    file://0003-Set-EXTENSION_SO-also-for-linux-gnueabi-targets.patch \
> +"
> +
> +S = "${WORKDIR}/git"
> +
> +inherit autotools
> +
> +EXTRA_OECONF += "--libdir=${base_libdir} "
> +
> +FILES_${PN} += "${base_libdir}/security/pam*"
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openembedded.org/pipermail/openembedded-devel/attachments/20180601/4f452ab8/attachment-0002.sig>

More information about the Openembedded-devel mailing list