linux-pam: 1.6.1 -> 1.7.1 (#418255)

authored by K900 and committed by GitHub 48a82c85 801b363a

+111 -76
+8 -3
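--- a/pkgs/by-name/kb/kbd/package.nix
+++ b/pkgs/by-name/kb/kbd/package.nix
@@ -15,6 +15,7 @@
   xz,
   zstd,
   gitUpdater,
+  withVlock ? true,
 }:
 
 stdenv.mkDerivation rec {
@@ -30,16 +31,19 @@
   # reduces closure size for most use cases.
   outputs = [
     "out"
-    "vlock"
     "dev"
     "scripts"
     "man"
+  ]
+  ++ lib.optionals withVlock [
+    "vlock"
   ];
 
   configureFlags = [
     "--enable-optional-progs"
     "--enable-libkeymap"
     "--disable-nls"
+    (lib.enableFeature withVlock "vlock")
   ]
   ++ lib.optionals (!lib.systems.equals stdenv.buildPlatform stdenv.hostPlatform) [
     "ac_cv_func_malloc_0_nonnull=yes"
@@ -89,9 +93,10 @@
 
   buildInputs = [
     check
-    pam
     bash
-  ];
+  ]
+  ++ lib.optionals withVlock [ pam ];
+
   NIX_LDFLAGS = lib.optional stdenv.hostPlatform.isStatic "-laudit";
   nativeBuildInputs = [
     autoreconfHook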
+72 -57
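--- a/pkgs/by-name/li/linux-pam/package.nix
+++ b/pkgs/by-name/li/linux-pam/package.nix
@@ -2,98 +2,113 @@
   lib,
   stdenv,
   buildPackages,
-  fetchurl,
-  fetchpatch,
+  fetchFromGitHub,
   flex,
   db4,
   gettext,
+  ninja,
   audit,
   libxcrypt,
   nixosTests,
-  autoreconfHook269,
-  pkg-config-unwrapped,
+  meson,
+  pkg-config,
+  systemdLibs,
+  docbook5,
+  libxslt,
+  libxml2,
+  w3m-batch,
+  findXMLCatalogs,
+  docbook_xsl_ns,
+  nix-update-script,
 }:
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation (finalAttrs: {
   pname = "linux-pam";
-  version = "1.6.1";
+  version = "1.7.1";
 
-  src = fetchurl {
-    url = "https://github.com/linux-pam/linux-pam/releases/download/v${version}/Linux-PAM-${version}.tar.xz";
-    hash = "sha256-+JI8dAFZBS1xnb/CovgZQtaN00/K9hxwagLJuA/u744=";
+  src = fetchFromGitHub {
+    owner = "linux-pam";
+    repo = "linux-pam";
+    tag = "v${finalAttrs.version}";
+    hash = "sha256-kANcwxifQz2tYPSrSBSFiYNTm51Gr10L/zroCqm8ZHQ=";
   };
 
-  patches = [
-    ./suid-wrapper-path.patch
-    # required for fixing CVE-2025-6020
-    (fetchpatch {
-      url = "https://github.com/linux-pam/linux-pam/commit/10b80543807e3fc5af5f8bcfd8bb6e219bb3cecc.patch";
-      hash = "sha256-VS3D3wUbDxDXRriIuEvvgeZixzDA58EfiLygfFeisGg=";
-    })
-    # Manually cherry-picked from 475bd60c552b98c7eddb3270b0b4196847c0072e
-    ./CVE-2025-6020.patch
-  ];
-
-  # Case-insensitivity workaround for https://github.com/linux-pam/linux-pam/issues/569
-  postPatch =
-    lib.optionalString (stdenv.buildPlatform.isDarwin && stdenv.buildPlatform != stdenv.hostPlatform)
-      ''
-        rm CHANGELOG
-        touch ChangeLog
-      '';
+  # patching unix_chkpwd is required as the nix store entry does not have the necessary bits
+  postPatch = ''
+    substituteInPlace modules/module-meson.build \
+      --replace-fail "sbindir / 'unix_chkpwd'" "'/run/wrappers/bin/unix_chkpwd'"
+  '';
 
   outputs = [
     "out"
     "doc"
-    "man" # "modules"
+    "man"
+    # "modules"
   ];
 
   depsBuildBuild = [ buildPackages.stdenv.cc ];
-  # autoreconfHook269 is needed for `suid-wrapper-path.patch` above.
-  # pkg-config-unwrapped is needed for `AC_CHECK_LIB` and `AC_SEARCH_LIBS`
   nativeBuildInputs = [
     flex
-    autoreconfHook269
-    pkg-config-unwrapped
-  ]
-  ++ lib.optional stdenv.buildPlatform.isDarwin gettext;
+    meson
+    ninja
+    pkg-config
+    gettext
+
+    libxslt
+    libxml2
+    w3m-batch
+    findXMLCatalogs
+    docbook_xsl_ns
+    docbook5
+  ];
 
   buildInputs = [
     db4
     libxcrypt
   ]
-  ++ lib.optional stdenv.buildPlatform.isLinux audit;
+  ++ lib.optionals stdenv.buildPlatform.isLinux [
+    audit
+    systemdLibs
+  ];
 
   enableParallelBuilding = true;
 
-  configureFlags = [
-    "--includedir=${placeholder "out"}/include/security"
-    "--enable-sconfigdir=/etc/security"
-    # The module is deprecated. We re-enable it explicitly until NixOS
-    # module stops using it.
-    "--enable-lastlog"
-  ];
-
-  installFlags = [
-    "SCONFIGDIR=${placeholder "out"}/etc/security"
+  mesonAutoFeatures = "auto";
+  mesonFlags = [
+    (lib.mesonEnable "logind" stdenv.buildPlatform.isLinux)
+    (lib.mesonEnable "audit" stdenv.buildPlatform.isLinux)
+    (lib.mesonEnable "pam_lastlog" (!stdenv.hostPlatform.isMusl)) # TODO: switch to pam_lastlog2, pam_lastlog is deprecated and broken on musl
+    (lib.mesonEnable "pam_unix" true)
+    # (lib.mesonBool "pam-debug" true) # warning: slower execution due to debug makes VM tests fail!
+    (lib.mesonOption "sysconfdir" "etc") # relative to meson prefix, which is $out
+    (lib.mesonEnable "elogind" false)
+    (lib.mesonEnable "econf" false)
+    (lib.mesonEnable "selinux" false)
+    (lib.mesonEnable "nis" false)
+    (lib.mesonBool "xtests" false)
+    (lib.mesonBool "examples" false)
   ];
 
   doCheck = false; # fails
 
-  passthru.tests = {
-    inherit (nixosTests)
-      pam-oath-login
-      pam-u2f
-      pam-lastlog
-      shadow
-      sssd-ldap
-      ;
+  passthru = {
+    tests = {
+      inherit (nixosTests)
+        pam-oath-login
+        pam-u2f
+        pam-lastlog
+        shadow
+        sssd-ldap
+        ;
+    };
+    updateScript = nix-update-script { };
   };
 
-  meta = with lib; {
+  meta = {
+    changelog = "https://github.com/linux-pam/linux-pam/releases/tag/${finalAttrs.src.tag}";
     homepage = "https://github.com/linux-pam/linux-pam";
     description = "Pluggable Authentication Modules, a flexible mechanism for authenticating user";
-    platforms = platforms.linux;
-    license = licenses.bsd3;
+    platforms = lib.platforms.linux;
+    license = lib.licenses.bsd3;
   };
-}
+})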
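Review bot: The runtime configuration directory of the PAM modules may have silently moved with the switch to meson, at `(lib.mesonOption "sysconfdir" "etc") # relative to meson prefix, which is $out`: the removed autotools flags kept the runtime lookup directory (`--enable-sconfigdir=/etc/security`) separate from the install location (`SCONFIGDIR=${placeholder "out"}/etc/security`), whereas the new flags only place sysconfdir under $out. If the 1.7.1 meson build derives the modules' config directory from sysconfdir, modules such as pam_limits or pam_access would read their policy from an immutable store path instead of /etc/security, so this should be confirmed and either the corresponding meson option set or the intended behaviour written next to the flag, e.g. `# modules still read /etc/security at runtime because <reason>; only the install location is $out/etc`. The commit also drops the backported CVE-2025-6020 patches without saying where that fix now comes from; a one-line comment or description sentence stating that the fix is assumed to be included in the 1.7.1 release would help anyone auditing the derivation. Finally, `mesonAutoFeatures = "auto";` lets the set of built modules depend on which optional dependencies meson happens to find in the build environment; for an authentication stack it is safer to pin the remaining security-relevant features explicitly, as is already done for selinux, nis and econf.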
-6
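--- a/pkgs/by-name/li/linux-pam/suid-wrapper-path.patch
+++ b/pkgs/by-name/li/linux-pam/suid-wrapper-path.patch
@@ -1,6 +0,0 @@
-It needs the SUID version during runtime, and that can't be in /nix/store/**
---- a/modules/pam_unix/Makefile.am
-+++ b/modules/pam_unix/Makefile.am
-@@ -21 +21 @@
-- -DCHKPWD_HELPER=\"$(sbindir)/unix_chkpwd\" \
-+ -DCHKPWD_HELPER=\"/run/wrappers/bin/unix_chkpwd\" \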
+31 -10
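--- a/pkgs/os-specific/linux/systemd/default.nix
+++ b/pkgs/os-specific/linux/systemd/default.nix
@@ -138,6 +138,7 @@
   withLogind ? true,
   withMachined ? true,
   withNetworkd ? true,
+  withNspawn ? !buildLibsOnly,
   withNss ? !stdenv.hostPlatform.isMusl,
   withOomd ? true,
   withOpenSSL ? true,
@@ -203,6 +204,8 @@
   # $ curl -s https://api.github.com/repos/systemd/systemd/releases/latest | \
   # jq '.created_at|strptime("%Y-%m-%dT%H:%M:%SZ")|mktime'
   releaseTimestamp = "1734643670";
+
+  kbd' = if withPam then kbd else kbd.override { withVlock = false; };
 in
 stdenv.mkDerivation (finalAttrs: {
   inherit pname version;
@@ -253,6 +256,21 @@
     ./0019-meson-Don-t-link-ssh-dropins.patch
 
     ./0020-install-unit_file_exists_full-follow-symlinks.patch
+
+    # add nspawn build option flag
+    # required to disable nspawn for systemdLibs to avoid dependency on getent
+    # https://github.com/systemd/systemd/pull/36876, remove for systemd 258
+    (fetchpatch {
+      # required for the actual patch to apply
+      url = "https://github.com/systemd/systemd/commit/b1fb2d971c810e0bdf9ff0ae567a1c6c230e4e5d.patch";
+      hash = "sha256-JBheazg1OFkx8vUl2l8+34BoEPVURBQJHxqntOBYB60=";
+      includes = [ "src/nspawn/meson.build" ];
+    })
+    (fetchpatch {
+      url = "https://github.com/systemd/systemd/commit/d95818f5221d9b9b19648cffa0cb2407f023b27e.patch";
+      hash = "sha256-FTpWGec5ivlkyEEDMCPaLE+BH91e7JI0kH8pS88bBDY=";
+      excludes = [ "test/fuzz/meson.build" ];
+    })
   ]
   ++ lib.optionals (stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isGnu) [
     ./0021-timesyncd-disable-NSCD-when-DNSSEC-validation-is-dis.patch
@@ -364,7 +382,6 @@
     ninja
     meson
     glibcLocales
-    getent
     m4
     autoPatchelfHook
 
@@ -396,7 +413,7 @@
 
   buildInputs = [
     libxcrypt
-    libcap
+    (if withPam then libcap else libcap.override { usePam = false; })
     libuuid
     linuxHeaders
     bashInteractive # for patch shebangs
@@ -485,8 +502,8 @@
     (lib.mesonOption "pkgconfigdatadir" "${placeholder "dev"}/share/pkgconfig")
 
     # Keyboard
-    (lib.mesonOption "loadkeys-path" "${kbd}/bin/loadkeys")
-    (lib.mesonOption "setfont-path" "${kbd}/bin/setfont")
+    (lib.mesonOption "loadkeys-path" "${kbd'}/bin/loadkeys")
+    (lib.mesonOption "setfont-path" "${kbd'}/bin/setfont")
 
     # SBAT
     (lib.mesonOption "sbat-distro" "nixos")
@@ -583,6 +600,7 @@
     (lib.mesonEnable "gnutls" false)
     (lib.mesonEnable "xkbcommon" false)
     (lib.mesonEnable "man" true)
+    (lib.mesonEnable "nspawn" withNspawn)
 
     (lib.mesonBool "analyze" withAnalyze)
     (lib.mesonBool "logind" withLogind)
@@ -631,11 +649,6 @@
   # build fails with an error message.
   binaryReplacements = [
     {
-      search = "/usr/bin/getent";
-      replacement = "${getent}/bin/getent";
-      where = [ "src/nspawn/nspawn-setuid.c" ];
-    }
-    {
       search = "/sbin/mkswap";
       replacement = "${lib.getBin util-linux}/sbin/mkswap";
       where = [
@@ -680,6 +693,13 @@
       search = "/usr/lib/systemd/systemd-fsck";
       replacement = "$out/lib/systemd/systemd-fsck";
       where = [ "man/systemd-fsck@.service.xml" ];
+    }
+  ]
+  ++ lib.optionals withNspawn [
+    {
+      search = "/usr/bin/getent";
+      replacement = "${getent}/bin/getent";
+      where = [ "src/nspawn/nspawn-setuid.c" ];
     }
   ]
   ++ lib.optionals withImportd [
@@ -923,8 +943,9 @@
       withUtmp
       util-linux
       kmod
-      kbd
       ;
+
+    kbd = kbd';
 
     # Many TPM2-related units are only installed if this trio of features are
     # enabled. See https://github.com/systemd/systemd/blob/876ee10e0eb4bbb0920bdab7817a9f06cc34910f/units/meson.build#L521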