mailarchive of the ptxdist mailing list
* [ptxdist] [RFC 0/2] PAM
@ 2019-11-26 22:44 Ladislav Michl
  2019-11-26 22:45 ` [ptxdist] [RFC 1/2] pam: new package Ladislav Michl
  2019-11-26 22:47 ` [ptxdist] [RFC 2/2] util-linux: enable login Ladislav Michl
  0 siblings, 2 replies; 7+ messages in thread
From: Ladislav Michl @ 2019-11-26 22:44 UTC (permalink / raw)
  To: ptxdist

Hi there!

Recently I found that for some projects the only remaining utility
I'm using from busybox is login. And that there is no alternative.
Until now...

But as util-linux' login needs PAM and PAM is pretty complex compared
to busybox login, I suggest an incremental approach. You can find basic
support in two patches (well, RFCs) sent as a reply to this mail.
Later we can introduce GLOBAL_PAM_OPTION (similar to
GLOBAL_SELINUX_OPTION) and make packages use it - a brief list is:
cifs-utils, cups, ecryptfs-utils, inetutils, libcgroup, lighttpd,
lxc, monit, openssh, openvpn, policycoreutils, postgresql, proftpd,
pureftpd, samba, strongswan, sudo, systemd, weston and xorg-app-xdm.

Comments welcome.

Ladislav Michl (2):
  pam: new package
  util-linux: enable login

 rules/libuuid.in         |  4 +-
 rules/pam.in             | 11 ++++++
 rules/pam.make           | 85 ++++++++++++++++++++++++++++++++++++++++
 rules/util-linux-ng.in   | 11 ++++++
 rules/util-linux-ng.make |  5 ++-
 5 files changed, 113 insertions(+), 3 deletions(-)
 create mode 100644 rules/pam.in
 create mode 100644 rules/pam.make

-- 
2.24.0

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de


* [ptxdist] [RFC 1/2] pam: new package
  2019-11-26 22:44 [ptxdist] [RFC 0/2] PAM Ladislav Michl
@ 2019-11-26 22:45 ` Ladislav Michl
  2020-01-06 10:24   ` Michael Olbrich
  2019-11-26 22:47 ` [ptxdist] [RFC 2/2] util-linux: enable login Ladislav Michl
  1 sibling, 1 reply; 7+ messages in thread
From: Ladislav Michl @ 2019-11-26 22:45 UTC (permalink / raw)
  To: ptxdist

---
 rules/pam.in   | 11 +++++++
 rules/pam.make | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 96 insertions(+)
 create mode 100644 rules/pam.in
 create mode 100644 rules/pam.make

diff --git a/rules/pam.in b/rules/pam.in
new file mode 100644
index 000000000..4af292030
--- /dev/null
+++ b/rules/pam.in
@@ -0,0 +1,11 @@
+## SECTION=security
+
+config PAM
+	tristate
+	prompt "pam"
+	select LIBC_CRYPT
+	select LIBSELINUX	if GLOBAL_SELINUX
+	help
+	  Linux-PAM (Pluggable Authentication Modules for Linux) is a suite
+	  of shared libraries that enable the local system administrator to
+	  choose how applications authenticate users.
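
Review bot: the help text under "config PAM" describes upstream Linux-PAM in general, not what this package builds. rules/pam.make in the same patch hard-codes --disable-cracklib, --disable-audit, --enable-db=no and --disable-nis, so someone enabling PAM from the menu cannot tell that password-quality checking and audit logging are compiled out. Add a sentence to the help listing the disabled features, or expose them as sub-options here.
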
diff --git a/rules/pam.make b/rules/pam.make
new file mode 100644
index 000000000..3b3eafc19
--- /dev/null
+++ b/rules/pam.make
@@ -0,0 +1,85 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2019 by Ladislav Michl <ladis@linux-mips.org>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+PACKAGES-$(PTXCONF_PAM) += pam
+
+#
+# Paths and names
+#
+PAM_VERSION	:= 1.3.1
+PAM_MD5		:= 558ff53b0fc0563ca97f79e911822165
+PAM		:= Linux-PAM-$(PAM_VERSION)
+PAM_SUFFIX	:= tar.xz
+PAM_URL		:= https://github.com/linux-pam/linux-pam/releases/download/v$(PAM_VERSION)/$(PAM).$(PAM_SUFFIX)
+PAM_SOURCE	:= $(SRCDIR)/$(PAM).$(PAM_SUFFIX)
+PAM_DIR		:= $(BUILDDIR)/$(PAM)
+PAM_LICENSE	:= unknown
+
+# ----------------------------------------------------------------------------
+# Prepare
+# ----------------------------------------------------------------------------
+
+#
+# autoconf
+#
+PAM_CONF_TOOL	:= autoconf
+PAM_CONF_OPT	:= \
+	$(CROSS_AUTOCONF_USR) \
+	$(GLOBAL_LARGE_FILE_OPTION) \
+	--disable-lckpwdf \
+	--disable-cracklib \
+	--disable-audit \
+	--enable-db=no \
+	--disable-nis \
+	$(GLOBAL_SELINUX_OPTION) \
+	--disable-regenerate-docu \
+	--disable-nls \
+	--disable-rpath
+
+# ----------------------------------------------------------------------------
+# Install
+# ----------------------------------------------------------------------------
+
+$(STATEDIR)/pam.install:
+	@$(call targetinfo)
+	@$(call world/install, PAM)
+	@install -vD -m 0644 $(PAM_DIR)/conf/pam.conf \
+		$(PAM_PKGDIR)/etc/pam.conf
+	@$(call touch)
+
+# ----------------------------------------------------------------------------
+# Target-Install
+# ----------------------------------------------------------------------------
+
+$(STATEDIR)/pam.targetinstall:
+	@$(call targetinfo)
+
+	@$(call install_init, pam)
+	@$(call install_fixup, pam,PRIORITY,optional)
+	@$(call install_fixup, pam,SECTION,base)
+	@$(call install_fixup, pam,AUTHOR,"Ladislav Michl <ladis@linux-mips.org>")
+	@$(call install_fixup, pam,DESCRIPTION,missing)
+
+	@$(call install_lib, pam, 0, 0, 0644, libpamc)
+	@$(call install_lib, pam, 0, 0, 0644, libpam_misc)
+	@$(call install_lib, pam, 0, 0, 0644, libpam)
+
+	@$(call install_tree, pam, 0, 0, -, /usr/lib/security)
+
+	@$(call install_alternative, pam, 0, 0, 0644, /etc/pam.conf)
+	@$(call install_alternative, pam, 0, 0, 0644, /etc/environment)
+	@$(call install_alternative_tree, pam, 0, 0, /etc/security)
+
+	@$(call install_finish, pam)
+
+	@$(call touch)
+
+# vim: syntax=make
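
Review bot: in the pam.install stage, the upstream sample $(PAM_DIR)/conf/pam.conf is copied into $(PAM_PKGDIR)/etc/pam.conf and then installed by install_alternative as /etc/pam.conf, so unless a project overrides it the authentication policy on the target is whatever the upstream tarball carries, and it can change with a PAM_VERSION bump without review. Ship a policy file maintained in PTXdist instead, listing only the services the image actually provides and denying everything else, and drop the copy from the source tree. The hard-coded --disable-audit in PAM_CONF_OPT also deserves a comment or a config option, since it removes audit records for authentication events on every target.
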
-- 
2.24.0



* [ptxdist] [RFC 2/2] util-linux: enable login
  2019-11-26 22:44 [ptxdist] [RFC 0/2] PAM Ladislav Michl
  2019-11-26 22:45 ` [ptxdist] [RFC 1/2] pam: new package Ladislav Michl
@ 2019-11-26 22:47 ` Ladislav Michl
  2020-01-06 10:34   ` Michael Olbrich
  1 sibling, 1 reply; 7+ messages in thread
From: Ladislav Michl @ 2019-11-26 22:47 UTC (permalink / raw)
  To: ptxdist

...that circular UTIL_LINUX_NG dependency needs to be yet solved...

---
 rules/libuuid.in         |  4 ++--
 rules/util-linux-ng.in   | 11 +++++++++++
 rules/util-linux-ng.make |  5 ++++-
 3 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/rules/libuuid.in b/rules/libuuid.in
index f14106044..022e4b39e 100644
--- a/rules/libuuid.in
+++ b/rules/libuuid.in
@@ -3,8 +3,8 @@
 config LIBUUID
 	tristate
 	select VIRTUAL
-	select UTIL_LINUX_NG
-	select UTIL_LINUX_NG_LIBUUID
+#	select UTIL_LINUX_NG
+#	select UTIL_LINUX_NG_LIBUUID
 	help
 	  Helper to select the target packet containing a recent libuuid.so
 	  library and its header.
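
Review bot: commenting out both "select" lines leaves LIBUUID as a VIRTUAL symbol that pulls in nothing, which contradicts its own help text ("Helper to select the target packet containing a recent libuuid.so") and means a package relying on "select LIBUUID" no longer gets libuuid built. This works around the circular dependency mentioned in the message rather than fixing it, and it should not be merged as commented-out code. Keep the selects and break the cycle where it is introduced, for example by dropping the conditional SELinux select in rules/pam.in as suggested in the replies.
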
diff --git a/rules/util-linux-ng.in b/rules/util-linux-ng.in
index 4f230bc60..81e11b287 100644
--- a/rules/util-linux-ng.in
+++ b/rules/util-linux-ng.in
@@ -7,6 +7,7 @@ menuconfig UTIL_LINUX_NG
 	select UTIL_LINUX_NG_LIBBLKID
 	select UTIL_LINUX_NG_LIBUUID		if UTIL_LINUX_NG_MKSWAP_UUID
 	select NCURSES				if UTIL_LINUX_NG_USES_NCURSES
+	select PAM				if UTIL_LINUX_NG_LOGIN
 
 if UTIL_LINUX_NG
 
@@ -441,4 +442,14 @@ config UTIL_LINUX_NG_LSCPU
 	help
 	  lscpu shows information about the CPU architecture
 
+config UTIL_LINUX_NG_LOGIN
+	bool
+	depends on !BUSYBOX_LOGIN || ALLYES
+	prompt "login"
+	help
+	  ...
+
+comment "BusyBox' login is selected!"
+	depends on BUSYBOX_LOGIN
+
 endif
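
Review bot: the help text of the new UTIL_LINUX_NG_LOGIN option is a literal "..." placeholder. Enabling the option replaces BusyBox login with a PAM-based one (the first hunk adds "select PAM if UTIL_LINUX_NG_LOGIN"), so the help should say that it pulls in PAM and that the target needs a PAM policy covering the login service, because that policy decides who can log in.
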
diff --git a/rules/util-linux-ng.make b/rules/util-linux-ng.make
index cda06a4a6..cc09e13d3 100644
--- a/rules/util-linux-ng.make
+++ b/rules/util-linux-ng.make
@@ -115,7 +115,7 @@ UTIL_LINUX_NG_CONF_OPT	:= \
 	--disable-chfn-chsh-password \
 	--disable-chfn-chsh \
 	--disable-chsh-only-listed \
-	--disable-login \
+	--$(call ptx/endis, PTXCONF_UTIL_LINUX_NG_LOGIN)-login \
 	--disable-login-chown-vcs \
 	--disable-login-stat-mail \
 	--disable-nologin \
@@ -312,6 +312,9 @@ endif
 ifdef PTXCONF_UTIL_LINUX_NG_LSCPU
 	@$(call install_copy, util-linux-ng, 0, 0, 0755, -, /usr/bin/lscpu)
 endif
+ifdef PTXCONF_UTIL_LINUX_NG_LOGIN
+	@$(call install_copy, util-linux-ng, 0, 0, 0755, -, /usr/bin/login)
+endif
 
 	@$(call install_finish, util-linux-ng)
 
-- 
2.24.0



* Re: [ptxdist] [RFC 1/2] pam: new package
  2019-11-26 22:45 ` [ptxdist] [RFC 1/2] pam: new package Ladislav Michl
@ 2020-01-06 10:24   ` Michael Olbrich
  0 siblings, 0 replies; 7+ messages in thread
From: Michael Olbrich @ 2020-01-06 10:24 UTC (permalink / raw)
  To: ptxdist

On Tue, Nov 26, 2019 at 11:45:30PM +0100, Ladislav Michl wrote:
> ---
>  rules/pam.in   | 11 +++++++
>  rules/pam.make | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 96 insertions(+)
>  create mode 100644 rules/pam.in
>  create mode 100644 rules/pam.make
> 
> diff --git a/rules/pam.in b/rules/pam.in
> new file mode 100644
> index 000000000..4af292030
> --- /dev/null
> +++ b/rules/pam.in
> @@ -0,0 +1,11 @@
> +## SECTION=security
> +
> +config PAM
> +	tristate
> +	prompt "pam"
> +	select LIBC_CRYPT
> +	select LIBSELINUX	if GLOBAL_SELINUX
> +	help
> +	  Linux-PAM (Pluggable Authentication Modules for Linux) is a suite
> +	  of shared libraries that enable the local system administrator to
> +	  choose how applications authenticate users.
> diff --git a/rules/pam.make b/rules/pam.make
> new file mode 100644
> index 000000000..3b3eafc19
> --- /dev/null
> +++ b/rules/pam.make
> @@ -0,0 +1,85 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2019 by Ladislav Michl <ladis@linux-mips.org>
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +#
> +# We provide this package
> +#
> +PACKAGES-$(PTXCONF_PAM) += pam
> +
> +#
> +# Paths and names
> +#
> +PAM_VERSION	:= 1.3.1
> +PAM_MD5		:= 558ff53b0fc0563ca97f79e911822165
> +PAM		:= Linux-PAM-$(PAM_VERSION)
> +PAM_SUFFIX	:= tar.xz
> +PAM_URL		:= https://github.com/linux-pam/linux-pam/releases/download/v$(PAM_VERSION)/$(PAM).$(PAM_SUFFIX)
> +PAM_SOURCE	:= $(SRCDIR)/$(PAM).$(PAM_SUFFIX)
> +PAM_DIR		:= $(BUILDDIR)/$(PAM)
> +PAM_LICENSE	:= unknown

Real license?

> +
> +# ----------------------------------------------------------------------------
> +# Prepare
> +# ----------------------------------------------------------------------------
> +
> +#
> +# autoconf
> +#
> +PAM_CONF_TOOL	:= autoconf
> +PAM_CONF_OPT	:= \
> +	$(CROSS_AUTOCONF_USR) \
> +	$(GLOBAL_LARGE_FILE_OPTION) \
> +	--disable-lckpwdf \
> +	--disable-cracklib \
> +	--disable-audit \
> +	--enable-db=no \

	--disable-db ?

> +	--disable-nis \
> +	$(GLOBAL_SELINUX_OPTION) \
> +	--disable-regenerate-docu \
> +	--disable-nls \
> +	--disable-rpath
> +
> +# ----------------------------------------------------------------------------
> +# Install
> +# ----------------------------------------------------------------------------
> +
> +$(STATEDIR)/pam.install:
> +	@$(call targetinfo)
> +	@$(call world/install, PAM)
> +	@install -vD -m 0644 $(PAM_DIR)/conf/pam.conf \
> +		$(PAM_PKGDIR)/etc/pam.conf
> +	@$(call touch)
> +
> +# ----------------------------------------------------------------------------
> +# Target-Install
> +# ----------------------------------------------------------------------------
> +
> +$(STATEDIR)/pam.targetinstall:
> +	@$(call targetinfo)
> +
> +	@$(call install_init, pam)
> +	@$(call install_fixup, pam,PRIORITY,optional)
> +	@$(call install_fixup, pam,SECTION,base)
> +	@$(call install_fixup, pam,AUTHOR,"Ladislav Michl <ladis@linux-mips.org>")
> +	@$(call install_fixup, pam,DESCRIPTION,missing)
> +
> +	@$(call install_lib, pam, 0, 0, 0644, libpamc)
> +	@$(call install_lib, pam, 0, 0, 0644, libpam_misc)
> +	@$(call install_lib, pam, 0, 0, 0644, libpam)
> +
> +	@$(call install_tree, pam, 0, 0, -, /usr/lib/security)
> +
> +	@$(call install_alternative, pam, 0, 0, 0644, /etc/pam.conf)
> +	@$(call install_alternative, pam, 0, 0, 0644, /etc/environment)
> +	@$(call install_alternative_tree, pam, 0, 0, /etc/security)

Hmmm, I'm not sure if install_alternative_tree is a good idea. I think it
would be useful, if the files there can be replaced individually.
So I think they should be installed individually.

Michael

> +
> +	@$(call install_finish, pam)
> +
> +	@$(call touch)
> +
> +# vim: syntax=make
> -- 
> 2.24.0
> 
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


* Re: [ptxdist] [RFC 2/2] util-linux: enable login
  2019-11-26 22:47 ` [ptxdist] [RFC 2/2] util-linux: enable login Ladislav Michl
@ 2020-01-06 10:34   ` Michael Olbrich
  2020-01-06 10:57     ` Ladislav Michl
  0 siblings, 1 reply; 7+ messages in thread
From: Michael Olbrich @ 2020-01-06 10:34 UTC (permalink / raw)
  To: ptxdist

On Tue, Nov 26, 2019 at 11:47:30PM +0100, Ladislav Michl wrote:
> ...that circular UTIL_LINUX_NG dependency needs to be yet solved...

Maybe drop the selinux support in PAM for now? That should help. All
selinux stuff is in staging anyways right now and horribly outdated.

Michael

> 
> ---
>  rules/libuuid.in         |  4 ++--
>  rules/util-linux-ng.in   | 11 +++++++++++
>  rules/util-linux-ng.make |  5 ++++-
>  3 files changed, 17 insertions(+), 3 deletions(-)
> 
> diff --git a/rules/libuuid.in b/rules/libuuid.in
> index f14106044..022e4b39e 100644
> --- a/rules/libuuid.in
> +++ b/rules/libuuid.in
> @@ -3,8 +3,8 @@
>  config LIBUUID
>  	tristate
>  	select VIRTUAL
> -	select UTIL_LINUX_NG
> -	select UTIL_LINUX_NG_LIBUUID
> +#	select UTIL_LINUX_NG
> +#	select UTIL_LINUX_NG_LIBUUID
>  	help
>  	  Helper to select the target packet containing a recent libuuid.so
>  	  library and its header.
> diff --git a/rules/util-linux-ng.in b/rules/util-linux-ng.in
> index 4f230bc60..81e11b287 100644
> --- a/rules/util-linux-ng.in
> +++ b/rules/util-linux-ng.in
> @@ -7,6 +7,7 @@ menuconfig UTIL_LINUX_NG
>  	select UTIL_LINUX_NG_LIBBLKID
>  	select UTIL_LINUX_NG_LIBUUID		if UTIL_LINUX_NG_MKSWAP_UUID
>  	select NCURSES				if UTIL_LINUX_NG_USES_NCURSES
> +	select PAM				if UTIL_LINUX_NG_LOGIN
>  
>  if UTIL_LINUX_NG
>  
> @@ -441,4 +442,14 @@ config UTIL_LINUX_NG_LSCPU
>  	help
>  	  lscpu shows information about the CPU architecture
>  
> +config UTIL_LINUX_NG_LOGIN
> +	bool
> +	depends on !BUSYBOX_LOGIN || ALLYES
> +	prompt "login"
> +	help
> +	  ...
> +
> +comment "BusyBox' login is selected!"
> +	depends on BUSYBOX_LOGIN
> +
>  endif
> diff --git a/rules/util-linux-ng.make b/rules/util-linux-ng.make
> index cda06a4a6..cc09e13d3 100644
> --- a/rules/util-linux-ng.make
> +++ b/rules/util-linux-ng.make
> @@ -115,7 +115,7 @@ UTIL_LINUX_NG_CONF_OPT	:= \
>  	--disable-chfn-chsh-password \
>  	--disable-chfn-chsh \
>  	--disable-chsh-only-listed \
> -	--disable-login \
> +	--$(call ptx/endis, PTXCONF_UTIL_LINUX_NG_LOGIN)-login \
>  	--disable-login-chown-vcs \
>  	--disable-login-stat-mail \
>  	--disable-nologin \
> @@ -312,6 +312,9 @@ endif
>  ifdef PTXCONF_UTIL_LINUX_NG_LSCPU
>  	@$(call install_copy, util-linux-ng, 0, 0, 0755, -, /usr/bin/lscpu)
>  endif
> +ifdef PTXCONF_UTIL_LINUX_NG_LOGIN
> +	@$(call install_copy, util-linux-ng, 0, 0, 0755, -, /usr/bin/login)
> +endif
>  
>  	@$(call install_finish, util-linux-ng)
>  
> -- 
> 2.24.0
> 
> 


* Re: [ptxdist] [RFC 2/2] util-linux: enable login
  2020-01-06 10:34   ` Michael Olbrich
@ 2020-01-06 10:57     ` Ladislav Michl
  2020-01-06 11:08       ` Michael Olbrich
  0 siblings, 1 reply; 7+ messages in thread
From: Ladislav Michl @ 2020-01-06 10:57 UTC (permalink / raw)
  To: ptxdist

On Mon, Jan 06, 2020 at 11:34:08AM +0100, Michael Olbrich wrote:
> On Tue, Nov 26, 2019 at 11:47:30PM +0100, Ladislav Michl wrote:
> > ...that circular UTIL_LINUX_NG dependency needs to be yet solved...
> 
> Maybe drop the selinux support in PAM for now? That should help. All
> selinux stuff is in staging anyways right now and horribly outdated.

Well, I actually did that in a later revision. But as I also updated
selinux to a recent version, this question bumped up again :)

Also note that all those patches - even their later versions sent
to the list are still experimental - unfinished and released to
get more feedback. Consider them as an ask for a use case.

	ladis


* Re: [ptxdist] [RFC 2/2] util-linux: enable login
  2020-01-06 10:57     ` Ladislav Michl
@ 2020-01-06 11:08       ` Michael Olbrich
  0 siblings, 0 replies; 7+ messages in thread
From: Michael Olbrich @ 2020-01-06 11:08 UTC (permalink / raw)
  To: ptxdist

On Mon, Jan 06, 2020 at 11:57:42AM +0100, Ladislav Michl wrote:
> On Mon, Jan 06, 2020 at 11:34:08AM +0100, Michael Olbrich wrote:
> > On Tue, Nov 26, 2019 at 11:47:30PM +0100, Ladislav Michl wrote:
> > > ...that circular UTIL_LINUX_NG dependency needs to be yet solved...
> > 
> > Maybe drop the selinux support in PAM for now? That should help. All
> > selinux stuff is in staging anyways right now and horribly outdated.
> 
> Well, I actually did that in a later revision. But as I also updated
> selinux to a recent version, this question bumped up again :)

I just noticed that myself. I'm still catching up with my mail backlog...

> Also note that all those patches - even their later versions sent
> to the list are still experimental - unfinished and released to
> get more feedback. Consider them as an ask for a use case.

ok.

Michael
