linux-pam: 1.6.1 -> 1.7.1 (#418255)

authored by K900 and committed by GitHub 48a82c85 801b363a

+111 -76
+8 -3
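--- a/pkgs/by-name/kb/kbd/package.nix
+++ b/pkgs/by-name/kb/kbd/package.nix
@@ -15,6 +15,7 @@
   xz,
   zstd,
   gitUpdater,
+  withVlock ? true,
 }:
 
 stdenv.mkDerivation rec {
@@ -30,16 +31,19 @@
   # reduces closure size for most use cases.
   outputs = [
     "out"
-    "vlock"
     "dev"
     "scripts"
     "man"
+  ]
+  ++ lib.optionals withVlock [
+    "vlock"
   ];
 
   configureFlags = [
     "--enable-optional-progs"
     "--enable-libkeymap"
     "--disable-nls"
+    (lib.enableFeature withVlock "vlock")
   ]
   ++ lib.optionals (!lib.systems.equals stdenv.buildPlatform stdenv.hostPlatform) [
     "ac_cv_func_malloc_0_nonnull=yes"
@@ -89,9 +93,10 @@
 
   buildInputs = [
     check
-    pam
     bash
-  ];
+  ]
+  ++ lib.optionals withVlock [ pam ];
+
   NIX_LDFLAGS = lib.optional stdenv.hostPlatform.isStatic "-laudit";
   nativeBuildInputs = [
     autoreconfHook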
+72 -57
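--- a/pkgs/by-name/li/linux-pam/package.nix
+++ b/pkgs/by-name/li/linux-pam/package.nix
@@ -2,98 +2,113 @@
   lib,
   stdenv,
   buildPackages,
-  fetchurl,
-  fetchpatch,
+  fetchFromGitHub,
   flex,
   db4,
   gettext,
+  ninja,
   audit,
   libxcrypt,
   nixosTests,
-  autoreconfHook269,
-  pkg-config-unwrapped,
+  meson,
+  pkg-config,
+  systemdLibs,
+  docbook5,
+  libxslt,
+  libxml2,
+  w3m-batch,
+  findXMLCatalogs,
+  docbook_xsl_ns,
+  nix-update-script,
 }:
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation (finalAttrs: {
   pname = "linux-pam";
-  version = "1.6.1";
+  version = "1.7.1";
 
-  src = fetchurl {
-    url = "https://github.com/linux-pam/linux-pam/releases/download/v${version}/Linux-PAM-${version}.tar.xz";
-    hash = "sha256-+JI8dAFZBS1xnb/CovgZQtaN00/K9hxwagLJuA/u744=";
+  src = fetchFromGitHub {
+    owner = "linux-pam";
+    repo = "linux-pam";
+    tag = "v${finalAttrs.version}";
+    hash = "sha256-kANcwxifQz2tYPSrSBSFiYNTm51Gr10L/zroCqm8ZHQ=";
   };
 
-  patches = [
-    ./suid-wrapper-path.patch
-    # required for fixing CVE-2025-6020
-    (fetchpatch {
-      url = "https://github.com/linux-pam/linux-pam/commit/10b80543807e3fc5af5f8bcfd8bb6e219bb3cecc.patch";
-      hash = "sha256-VS3D3wUbDxDXRriIuEvvgeZixzDA58EfiLygfFeisGg=";
-    })
-    # Manually cherry-picked from 475bd60c552b98c7eddb3270b0b4196847c0072e
-    ./CVE-2025-6020.patch
-  ];
-
-  # Case-insensitivity workaround for https://github.com/linux-pam/linux-pam/issues/569
-  postPatch =
-    lib.optionalString (stdenv.buildPlatform.isDarwin && stdenv.buildPlatform != stdenv.hostPlatform)
-      ''
-        rm CHANGELOG
-        touch ChangeLog
-      '';
+  # patching unix_chkpwd is required as the nix store entry does not have the necessary bits
+  postPatch = ''
+    substituteInPlace modules/module-meson.build \
+      --replace-fail "sbindir / 'unix_chkpwd'" "'/run/wrappers/bin/unix_chkpwd'"
+  '';
 
   outputs = [
     "out"
     "doc"
-    "man" # "modules"
+    "man"
+    # "modules"
   ];
 
   depsBuildBuild = [ buildPackages.stdenv.cc ];
-  # autoreconfHook269 is needed for `suid-wrapper-path.patch` above.
-  # pkg-config-unwrapped is needed for `AC_CHECK_LIB` and `AC_SEARCH_LIBS`
   nativeBuildInputs = [
     flex
-    autoreconfHook269
-    pkg-config-unwrapped
-  ]
-  ++ lib.optional stdenv.buildPlatform.isDarwin gettext;
+    meson
+    ninja
+    pkg-config
+    gettext
+
+    libxslt
+    libxml2
+    w3m-batch
+    findXMLCatalogs
+    docbook_xsl_ns
+    docbook5
+  ];
 
   buildInputs = [
     db4
     libxcrypt
   ]
-  ++ lib.optional stdenv.buildPlatform.isLinux audit;
+  ++ lib.optionals stdenv.buildPlatform.isLinux [
+    audit
+    systemdLibs
+  ];
 
   enableParallelBuilding = true;
 
-  configureFlags = [
-    "--includedir=${placeholder "out"}/include/security"
-    "--enable-sconfigdir=/etc/security"
-    # The module is deprecated. We re-enable it explicitly until NixOS
-    # module stops using it.
-    "--enable-lastlog"
-  ];
-
-  installFlags = [
-    "SCONFIGDIR=${placeholder "out"}/etc/security"
+  mesonAutoFeatures = "auto";
+  mesonFlags = [
+    (lib.mesonEnable "logind" stdenv.buildPlatform.isLinux)
+    (lib.mesonEnable "audit" stdenv.buildPlatform.isLinux)
+    (lib.mesonEnable "pam_lastlog" (!stdenv.hostPlatform.isMusl)) # TODO: switch to pam_lastlog2, pam_lastlog is deprecated and broken on musl
+    (lib.mesonEnable "pam_unix" true)
+    # (lib.mesonBool "pam-debug" true) # warning: slower execution due to debug makes VM tests fail!
+    (lib.mesonOption "sysconfdir" "etc") # relative to meson prefix, which is $out
+    (lib.mesonEnable "elogind" false)
+    (lib.mesonEnable "econf" false)
+    (lib.mesonEnable "selinux" false)
+    (lib.mesonEnable "nis" false)
+    (lib.mesonBool "xtests" false)
+    (lib.mesonBool "examples" false)
   ];
 
   doCheck = false; # fails
 
-  passthru.tests = {
-    inherit (nixosTests)
-      pam-oath-login
-      pam-u2f
-      pam-lastlog
-      shadow
-      sssd-ldap
-      ;
+  passthru = {
+    tests = {
+      inherit (nixosTests)
+        pam-oath-login
+        pam-u2f
+        pam-lastlog
+        shadow
+        sssd-ldap
+        ;
+    };
+    updateScript = nix-update-script { };
   };
 
-  meta = with lib; {
+  meta = {
+    changelog = "https://github.com/linux-pam/linux-pam/releases/tag/${finalAttrs.src.tag}";
     homepage = "https://github.com/linux-pam/linux-pam";
     description = "Pluggable Authentication Modules, a flexible mechanism for authenticating user";
-    platforms = platforms.linux;
-    license = licenses.bsd3;
+    platforms = lib.platforms.linux;
+    license = lib.licenses.bsd3;
   };
-}
+})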
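Review bot: The old configure flags kept the runtime module-config directory (`--enable-sconfigdir=/etc/security`) separate from the install location (`SCONFIGDIR=${placeholder "out"}/etc/security`), but the new mesonFlags only set `(lib.mesonOption "sysconfdir" "etc")` relative to `$out`, so if the meson build derives the modules' config search path from sysconfdir, modules that are not handed an explicit config path (pam_limits, pam_access and the like) would now read their files from the store path rather than from `/etc/security`. If the meson build exposes an equivalent of the old sconfigdir setting it should point at `/etc/security` with the install location kept separate; if not, the changed default deserves a comment beside the sysconfdir flag so the NixOS module side is checked. Separately, dropping the two CVE-2025-6020 patches is only correct if the 1.7.1 release carries the upstream fix, which the commit does not state; a one-line comment on the `version` line such as `# 1.7.1 includes the upstream fix for CVE-2025-6020, so the backported patches were dropped` would save the next reviewer that check. The audit/logind/systemdLibs conditions also key on `stdenv.buildPlatform.isLinux` rather than the host platform, which the old code did as well but is the wrong platform when cross-compiling.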
-6
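--- a/pkgs/by-name/li/linux-pam/suid-wrapper-path.patch
+++ /dev/null
@@ -1,6 +0,0 @@
-It needs the SUID version during runtime, and that can't be in /nix/store/**
---- a/modules/pam_unix/Makefile.am
-+++ b/modules/pam_unix/Makefile.am
-@@ -21 +21 @@
-- -DCHKPWD_HELPER=\"$(sbindir)/unix_chkpwd\" \
-+ -DCHKPWD_HELPER=\"/run/wrappers/bin/unix_chkpwd\" \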
+31 -10
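--- a/pkgs/os-specific/linux/systemd/default.nix
+++ b/pkgs/os-specific/linux/systemd/default.nix
@@ -138,6 +138,7 @@
   withLogind ? true,
   withMachined ? true,
   withNetworkd ? true,
+  withNspawn ? !buildLibsOnly,
   withNss ? !stdenv.hostPlatform.isMusl,
   withOomd ? true,
   withOpenSSL ? true,
@@ -203,6 +204,8 @@
   # $ curl -s https://api.github.com/repos/systemd/systemd/releases/latest | \
   # jq '.created_at|strptime("%Y-%m-%dT%H:%M:%SZ")|mktime'
   releaseTimestamp = "1734643670";
+
+  kbd' = if withPam then kbd else kbd.override { withVlock = false; };
 in
 stdenv.mkDerivation (finalAttrs: {
   inherit pname version;
@@ -253,6 +256,21 @@
     ./0019-meson-Don-t-link-ssh-dropins.patch
 
     ./0020-install-unit_file_exists_full-follow-symlinks.patch
+
+    # add nspawn build option flag
+    # required to disable nspawn for systemdLibs to avoid dependency on getent
+    # https://github.com/systemd/systemd/pull/36876, remove for systemd 258
+    (fetchpatch {
+      # required for the actual patch to apply
+      url = "https://github.com/systemd/systemd/commit/b1fb2d971c810e0bdf9ff0ae567a1c6c230e4e5d.patch";
+      hash = "sha256-JBheazg1OFkx8vUl2l8+34BoEPVURBQJHxqntOBYB60=";
+      includes = [ "src/nspawn/meson.build" ];
+    })
+    (fetchpatch {
+      url = "https://github.com/systemd/systemd/commit/d95818f5221d9b9b19648cffa0cb2407f023b27e.patch";
+      hash = "sha256-FTpWGec5ivlkyEEDMCPaLE+BH91e7JI0kH8pS88bBDY=";
+      excludes = [ "test/fuzz/meson.build" ];
+    })
   ]
   ++ lib.optionals (stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isGnu) [
     ./0021-timesyncd-disable-NSCD-when-DNSSEC-validation-is-dis.patch
@@ -364,7 +382,6 @@
     ninja
     meson
     glibcLocales
-    getent
     m4
     autoPatchelfHook
 
@@ -396,7 +413,7 @@
 
   buildInputs = [
     libxcrypt
-    libcap
+    (if withPam then libcap else libcap.override { usePam = false; })
     libuuid
     linuxHeaders
     bashInteractive # for patch shebangs
@@ -485,8 +502,8 @@
     (lib.mesonOption "pkgconfigdatadir" "${placeholder "dev"}/share/pkgconfig")
 
     # Keyboard
-    (lib.mesonOption "loadkeys-path" "${kbd}/bin/loadkeys")
-    (lib.mesonOption "setfont-path" "${kbd}/bin/setfont")
+    (lib.mesonOption "loadkeys-path" "${kbd'}/bin/loadkeys")
+    (lib.mesonOption "setfont-path" "${kbd'}/bin/setfont")
 
     # SBAT
     (lib.mesonOption "sbat-distro" "nixos")
@@ -583,6 +600,7 @@
     (lib.mesonEnable "gnutls" false)
     (lib.mesonEnable "xkbcommon" false)
     (lib.mesonEnable "man" true)
+    (lib.mesonEnable "nspawn" withNspawn)
 
     (lib.mesonBool "analyze" withAnalyze)
     (lib.mesonBool "logind" withLogind)
@@ -631,11 +649,6 @@
   # build fails with an error message.
   binaryReplacements = [
     {
-      search = "/usr/bin/getent";
-      replacement = "${getent}/bin/getent";
-      where = [ "src/nspawn/nspawn-setuid.c" ];
-    }
-    {
       search = "/sbin/mkswap";
       replacement = "${lib.getBin util-linux}/sbin/mkswap";
       where = [
@@ -680,6 +693,13 @@
       search = "/usr/lib/systemd/systemd-fsck";
       replacement = "$out/lib/systemd/systemd-fsck";
       where = [ "man/systemd-fsck@.service.xml" ];
+    }
+  ]
+  ++ lib.optionals withNspawn [
+    {
+      search = "/usr/bin/getent";
+      replacement = "${getent}/bin/getent";
+      where = [ "src/nspawn/nspawn-setuid.c" ];
     }
   ]
   ++ lib.optionals withImportd [
@@ -923,8 +943,9 @@
       withUtmp
       util-linux
       kmod
-      kbd
       ;
 
+    kbd = kbd';
+
   # Many TPM2-related units are only installed if this trio of features are
   # enabled. See https://github.com/systemd/systemd/blob/876ee10e0eb4bbb0920bdab7817a9f06cc34910f/units/meson.build#L521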
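Review bot: The `kbd'` binding and the `libcap.override { usePam = false; }` build input are both keyed on `withPam`, but nothing in the hunk says why, and the reader has to infer it from the nspawn patch comment; presumably this is what lets a PAM-less `systemdLibs` be a build input of linux-pam without kbd or libcap dragging pam back into a dependency cycle, and that should be stated beside the `kbd'` binding, e.g. `# when PAM is off (systemdLibs), keep pam out of kbd and libcap too so linux-pam can depend on systemdLibs without a cycle`. The `let` block that holds `kbd'` and the `mesonFlags`/`binaryReplacements` lists all begin and end outside the hunks shown. The two fetchpatch entries are pinned by hash and narrowed with `includes`/`excludes`, which is the right shape; the "remove for systemd 258" reminder would be easier to act on if it also sat next to the `(lib.mesonEnable "nspawn" withNspawn)` flag, since that flag stops being valid when the patches go.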