nixpkgs mirror (for testing)
github.com/NixOS/nixpkgs
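# Package expression for the shadow suite (passwd, su and related
# authentication tools, per meta.description below).
#
# Arguments of note:
#   glibc, pam   - optional; both default to null.
#   withLibbsd   - defaults to whether libbsd is available on the host platform.
#   withTcb      - defaults to whether tcb is available on the host platform.
{
  lib,
  stdenv,
  fetchFromGitHub,
  nixosTests,
  autoreconfHook,
  bison,
  flex,
  docbook_xml_dtd_45,
  docbook_xsl,
  itstool,
  libxml2,
  libxslt,
  libxcrypt,
  pkg-config,
  glibc ? null,
  pam ? null,
  withLibbsd ? lib.meta.availableOn stdenv.hostPlatform libbsd,
  libbsd,
  withTcb ? lib.meta.availableOn stdenv.hostPlatform tcb,
  tcb,
  cmocka,
}:
let
  # glibc whose nscd binary gets patched into lib/nscd.c (see preBuild).
  # When cross-compiling, the explicitly passed `glibc` is used; otherwise the
  # stdenv's libc is used, after asserting that it really is glibc.
  glibc' =
    if stdenv.hostPlatform != stdenv.buildPlatform then
      glibc
    else
      assert stdenv.hostPlatform.libc == "glibc";
      stdenv.cc.libc;

in

stdenv.mkDerivation (finalAttrs: {
  pname = "shadow";
  version = "4.19.2";

  # The upstream tag is derived from `version`, and `hash` pins the fetched
  # content, so the two must be updated together on a version bump.
  src = fetchFromGitHub {
    owner = "shadow-maint";
    repo = "shadow";
    tag = finalAttrs.version;
    hash = "sha256-MtZq5+4CilIpCwJs1a5ZCnPclQgkYSOeYXG2XSUmkJE=";
  };

  # `su` gets its own output; postInstall moves the binary there.
  outputs = [
    "out"
    "su"
    "dev"
    "man"
  ];

  nativeBuildInputs = [
    autoreconfHook
    bison
    flex
    docbook_xml_dtd_45
    docbook_xsl
    itstool
    libxml2
    libxslt
    pkg-config
  ];

  # pam is linked only when it was passed and is available on the host
  # platform; libbsd and tcb follow their with* switches.
  buildInputs = [
    libxcrypt
  ]
  ++ lib.optional (pam != null && (lib.meta.availableOn stdenv.hostPlatform pam)) pam
  ++ lib.optional withLibbsd libbsd
  ++ lib.optional withTcb tcb;

  patches = [
    # Don't set $PATH to /bin:/usr/bin but inherit the $PATH of the caller.
    # NOTE(review): the patch body is not visible here. With an inherited
    # $PATH, PATH hygiene for these tools depends on whatever invokes them;
    # confirm that is the intended trust boundary.
    ./keep-path.patch
    # Obtain XML resources from XML catalog (patch adapted from gtk-doc)
    ./respect-xml-catalog-files-var.patch
    # Avoid a chown during install to fix installation with tcb enabled
    # Would have to be done as part of the NixOS modules,
    # see https://github.com/NixOS/nixpkgs/issues/109457
    ./fix-install-with-tcb.patch
  ];

  # The sed below rewrites suidperms/sgidperms in src/Makefile.am to 0755, so
  # nothing installed by this derivation carries a setuid or setgid bit.
  # Any privilege the tools need has to be granted outside this package
  # (presumably by NixOS-level wrappers; verify against the consuming module).
  postPatch = ''
    # The nix daemon often forbids even creating set[ug]id files
    sed 's/^\(s[ug]idperms\) = [0-9]755/\1 = 0755/' -i src/Makefile.am

    # The default shell is not defined at build time of the package. It is
    # decided at build time of the NixOS configuration. Thus, don't decide this
    # here but just point to the location of the shell on the system.
    substituteInPlace configure.ac --replace-fail '$SHELL' /bin/sh
  '';

  # `AC_FUNC_SETPGRP' is not cross-compilation capable.
  # The result is therefore preseeded (yes unless the host is a BSD), and the
  # log directory is preseeded to /var/log.
  preConfigure = ''
    export ac_cv_func_setpgrp_void=${lib.boolToYesNo (!stdenv.hostPlatform.isBSD)}
    export shadow_cv_logdir=/var/log
  '';

  # bcrypt and yescrypt support are compiled in here.
  # NOTE(review): which hashing method is used by default at runtime is not
  # decided in this file; confirm in the system's login configuration.
  configureFlags = [
    "--enable-man"
    "--with-group-name-max-length=32"
    "--with-bcrypt"
    "--with-yescrypt"
    "--disable-logind" # needs systemd, which causes infinite recursion
    (lib.withFeature withLibbsd "libbsd")
  ]
  ++ lib.optional (stdenv.hostPlatform.libc != "glibc") "--disable-nscd"
  ++ lib.optional withTcb "--with-tcb";

  # Point the nscd path in lib/nscd.c at the store path of glibc's nscd.
  # --replace-fail (as already used in postPatch) aborts the build if the
  # hard-coded /usr/sbin/nscd string is no longer present, instead of silently
  # shipping a binary that still refers to a path outside the store.
  preBuild = lib.optionalString (stdenv.hostPlatform.libc == "glibc") ''
    substituteInPlace lib/nscd.c --replace-fail /usr/sbin/nscd ${glibc'.bin}/bin/nscd
  '';

  doCheck = true;
  nativeCheckInputs = [
    cmocka
  ];

  postInstall = ''
    # Move the su binary into the su package
    mkdir -p $su/bin
    mv $out/bin/su $su/bin
  '';

  enableParallelBuilding = true;

  # When cross-compiling, the outputs must not reference stdenv.shellPackage
  # (presumably the build-platform shell, which must not leak into host
  # outputs; confirm).
  disallowedReferences = lib.optional (
    stdenv.buildPlatform != stdenv.hostPlatform
  ) stdenv.shellPackage;

  meta = {
    homepage = "https://github.com/shadow-maint/shadow";
    description = "Suite containing authentication-related tools such as passwd and su";
    license = lib.licenses.bsd3;
    maintainers = with lib.maintainers; [ mdaniels5757 ];
    platforms = lib.platforms.linux;
  };

  passthru = {
    shellPath = "/bin/nologin";
    # TODO: Run system tests: https://github.com/shadow-maint/shadow/blob/master/doc/contributions/tests.md#system-tests
    tests = { inherit (nixosTests) shadow; };
  };
})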