[meta-oe][PATCH] pam-plugin-ccreds: add recipe

[meta-oe][PATCH] pam-plugin-ccreds: add recipe

[Richard Leitner]

Add version 11 of the pam-plugin-ccreds with the debian patches applied.

Signed-off-by: Richard Leitner <richard.leitner@skidata.com>
---
 ...ke-sure-we-don-t-overflow-the-data-buffer.patch | 29 +++++++
 .../0002-add-minimum_uid-option.patch              | 97 ++++++++++++++++++++++
 ...TENSION_SO-also-for-linux-gnueabi-targets.patch | 29 +++++++
 .../recipes-extended/pam/pam-plugin-ccreds_11.bb   | 27 ++++++
 4 files changed, 182 insertions(+)
 create mode 100644 meta-oe/recipes-extended/pam/pam-plugin-ccreds/0001-make-sure-we-don-t-overflow-the-data-buffer.patch
 create mode 100644 meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch
 create mode 100644 meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-also-for-linux-gnueabi-targets.patch
 create mode 100644 meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb

diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0001-make-sure-we-don-t-overflow-the-data-buffer.patch b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0001-make-sure-we-don-t-overflow-the-data-buffer.patch
new file mode 100644
index 000000000..d7f8f5a96
--- /dev/null
+++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0001-make-sure-we-don-t-overflow-the-data-buffer.patch
@@ -0,0 +1,29 @@
+From 59a95494002ce57ace17d676544101e88a55265d Mon Sep 17 00:00:00 2001
+From: Nicolas Boullis <nicolas.boullis@ecp.fr>
+Date: Mon, 23 Mar 2009 10:46:44 +0100
+Subject: [PATCH 1/3] make sure we don't overflow the data buffer
+
+This patch was taken from Debian's libpam-ccreds v10-6 source:
+	0001-make-sure-we-don-t-overflow-the-data-buffer.patch
+
+Reviewed-by: Richard Leitner <richard.leitner@skidata.com>
+---
+ cc_db.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cc_db.c b/cc_db.c
+index c0e0488..9371c4d 100644
+--- a/cc_db.c
++++ b/cc_db.c
+@@ -199,7 +199,7 @@ int pam_cc_db_get(void *_db, const char *keyname, size_t keylength,
+ 		return (rc == DB_NOTFOUND) ? PAM_AUTHINFO_UNAVAIL : PAM_SERVICE_ERR;
+ 	}
+ 
+-	if (val.size < *size) {
++	if (val.size > *size) {
+ 		return PAM_BUF_ERR;
+ 	}
+ 
+-- 
+2.11.0
+
diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch
new file mode 100644
index 000000000..adc464924
--- /dev/null
+++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch
@@ -0,0 +1,97 @@
+From 21e3ab24836c5087f3531d2d3270242cea857a79 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Thu, 13 May 2010 12:36:26 +0200
+Subject: [PATCH 2/3] add minimum_uid option
+
+Closes: #580037
+
+This patch was taken from Debian's libpam-ccreds v10-6 source:
+	0002-add-minimum_uid-option.patch
+
+Reviewed-by: Richard Leitner <richard.leitner@skidata.com>
+---
+ cc_pam.c | 39 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+
+diff --git a/cc_pam.c b/cc_pam.c
+index d096117..56776aa 100644
+--- a/cc_pam.c
++++ b/cc_pam.c
+@@ -20,6 +20,7 @@
+ #include <errno.h>
+ #include <limits.h>
+ #include <syslog.h>
++#include <pwd.h>
+ 
+ #include "cc_private.h"
+ 
+@@ -45,6 +46,30 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,
+ 				int flags, int argc, const char **argv);
+ #endif
+ 
++
++/*
++ * Given the PAM arguments and the user we're authenticating, see if we should
++ * ignore that user because they're root or have a low-numbered UID and we
++ * were configured to ignore such users.  Returns true if we should ignore
++ * them, false otherwise.
++ */
++static int
++_pamcc_should_ignore(const char *username, int minimum_uid)
++{
++	struct passwd *pwd;
++
++	if (minimum_uid > 0) {
++		pwd = getpwnam(username);
++		if (pwd != NULL && pwd->pw_uid < (unsigned long) minimum_uid) {
++			syslog(LOG_DEBUG, "ignoring low-UID user (%lu < %d)",
++				(unsigned long) pwd->pw_uid, minimum_uid);
++			return 1;
++		}
++	}
++	return 0;
++}
++
++
+ static int _pam_sm_interact(pam_handle_t *pamh,
+ 			    int flags,
+ 			    const char **authtok)
+@@ -291,7 +316,9 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
+ 	unsigned int sm_flags = 0, sm_action = 0;
+ 	const char *ccredsfile = NULL;
+ 	const char *action = NULL;
++	const char *name = NULL;
+ 	int (*selector)(pam_handle_t *, int, unsigned int, const char *);
++	int minimum_uid = 0;
+ 
+ 	for (i = 0; i < argc; i++) {
+ 		if (strcmp(argv[i], "use_first_pass") == 0)
+@@ -300,6 +327,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
+ 			sm_flags |= SM_FLAGS_TRY_FIRST_PASS;
+ 		else if (strcmp(argv[i], "service_specific") == 0)
+ 			sm_flags |= SM_FLAGS_SERVICE_SPECIFIC;
++		else if (strncmp(argv[i], "minimum_uid=", sizeof("minimum_uid=") - 1) == 0)
++			minimum_uid = atoi(argv[i] + sizeof("minimum_uid=") - 1);
+ 		else if (strncmp(argv[i], "ccredsfile=", sizeof("ccredsfile=") - 1) == 0)
+ 			ccredsfile = argv[i] + sizeof("ccredsfile=") - 1;
+ 		else if (strncmp(argv[i], "action=", sizeof("action=") - 1) == 0)
+@@ -321,6 +350,16 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
+ 		syslog(LOG_ERR, "pam_ccreds: invalid action \"%s\"", action);
+ 	}
+ 
++	rc = pam_get_user(pamh, &name, NULL);
++	if (rc != PAM_SUCCESS || name == NULL) {
++		if (rc == PAM_CONV_AGAIN)
++			return PAM_INCOMPLETE;
++		else
++			return PAM_SERVICE_ERR;
++	}
++	if (_pamcc_should_ignore(name, minimum_uid))
++		return PAM_USER_UNKNOWN;
++
+ 	switch (sm_action) {
+ 	case SM_ACTION_VALIDATE_CCREDS:
+ 		selector = _pam_sm_validate_cached_credentials;
+-- 
+2.11.0
+
diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-also-for-linux-gnueabi-targets.patch b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-also-for-linux-gnueabi-targets.patch
new file mode 100644
index 000000000..4f203f1a3
--- /dev/null
+++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-also-for-linux-gnueabi-targets.patch
@@ -0,0 +1,29 @@
+From 12d9bb59284bd01a9fcc3b9280698ffc23ef2ddc Mon Sep 17 00:00:00 2001
+From: Richard Leitner <richard.leitner@skidata.com>
+Date: Fri, 1 Jun 2018 13:24:15 +0200
+Subject: [PATCH 3/3] Set EXTENSION_SO also for linux-gnueabi targets
+
+As EXTENSION_SO gets already set for linux and linux-gnu targets we
+should set it also for linux-gnueabi targets.
+
+Signed-off-by: Richard Leitner <richard.leitner@skidata.com>
+---
+ configure.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.in b/configure.in
+index 0dbdf79..a434208 100644
+--- a/configure.in
++++ b/configure.in
+@@ -43,7 +43,7 @@ AC_SUBST(pam_ccreds_so_LD)
+ AC_SUBST(pam_ccreds_so_LDFLAGS)
+ 
+ AM_CONDITIONAL(USE_NATIVE_LINKER, test -n "$pam_ccreds_so_LD")
+-AM_CONDITIONAL(EXTENSION_SO, test "$target_os" = "linux" -o "$target_os" = "linux-gnu")
++AM_CONDITIONAL(EXTENSION_SO, test "$target_os" = "linux" -o "$target_os" = "linux-gnu" -o "$target_os" = "linux-gnueabi")
+ AM_CONDITIONAL(EXTENSION_1, test "$TARGET_OS" = "HPUX")
+ 
+ if test -z "$use_gcrypt"; then
+-- 
+2.11.0
+
diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb b/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb
new file mode 100644
index 000000000..ded51e3a0
--- /dev/null
+++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb
@@ -0,0 +1,27 @@
+SUMMARY = "PAM cached credentials module"
+HOMEPAGE = "https://www.padl.com/OSS/pam_ccreds.html"
+SECTION = "libs"
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
+
+DEPENDS = "libpam openssl db"
+
+inherit distro_features_check
+REQUIRED_DISTRO_FEATURES = "pam"
+
+SRCREV = "376bb189ceb3a113954f1012c45be7ff09e148ba"
+
+SRC_URI = " \
+    git://github.com/PADL/pam_ccreds \
+    file://0001-make-sure-we-don-t-overflow-the-data-buffer.patch \
+    file://0002-add-minimum_uid-option.patch \
+    file://0003-Set-EXTENSION_SO-also-for-linux-gnueabi-targets.patch \
+"
+
+S = "${WORKDIR}/git"
+
+inherit autotools
+
+EXTRA_OECONF += "--libdir=${base_libdir} "
+
+FILES_${PN} += "${base_libdir}/security/pam*"
-- 
2.11.0

Re: [meta-oe][PATCH] pam-plugin-ccreds: add recipe

[Khem Raj]

[-- Attachment #1.1: Type: text/plain, Size: 9102 bytes --]

On 6/1/18 4:41 AM, Richard Leitner wrote:
> Add version 11 of the pam-plugin-ccreds with the debian patches applied.
> 

I see QA errors like below

ERROR: pam-plugin-ccreds-11-r0 do_package_qa: QA Issue: non
-dev/-dbg/nativesdk- package contains symlink .so: pam-plugin-ccreds
path
'/work/core2-64-bec-linux-musl/pam-plugin-ccreds/11-r0/packages-split/pam-plugin-ccreds/lib/security/pam_ccreds.so'
[dev-so]


> Signed-off-by: Richard Leitner <richard.leitner@skidata.com>
> ---
>  ...ke-sure-we-don-t-overflow-the-data-buffer.patch | 29 +++++++
>  .../0002-add-minimum_uid-option.patch              | 97 ++++++++++++++++++++++
>  ...TENSION_SO-also-for-linux-gnueabi-targets.patch | 29 +++++++
>  .../recipes-extended/pam/pam-plugin-ccreds_11.bb   | 27 ++++++
>  4 files changed, 182 insertions(+)
>  create mode 100644 meta-oe/recipes-extended/pam/pam-plugin-ccreds/0001-make-sure-we-don-t-overflow-the-data-buffer.patch
>  create mode 100644 meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch
>  create mode 100644 meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-also-for-linux-gnueabi-targets.patch
>  create mode 100644 meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb
> 
> diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0001-make-sure-we-don-t-overflow-the-data-buffer.patch b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0001-make-sure-we-don-t-overflow-the-data-buffer.patch
> new file mode 100644
> index 000000000..d7f8f5a96
> --- /dev/null
> +++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0001-make-sure-we-don-t-overflow-the-data-buffer.patch
> @@ -0,0 +1,29 @@
> +From 59a95494002ce57ace17d676544101e88a55265d Mon Sep 17 00:00:00 2001
> +From: Nicolas Boullis <nicolas.boullis@ecp.fr>
> +Date: Mon, 23 Mar 2009 10:46:44 +0100
> +Subject: [PATCH 1/3] make sure we don't overflow the data buffer
> +
> +This patch was taken from Debian's libpam-ccreds v10-6 source:
> +	0001-make-sure-we-don-t-overflow-the-data-buffer.patch
> +
> +Reviewed-by: Richard Leitner <richard.leitner@skidata.com>
> +---
> + cc_db.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/cc_db.c b/cc_db.c
> +index c0e0488..9371c4d 100644
> +--- a/cc_db.c
> ++++ b/cc_db.c
> +@@ -199,7 +199,7 @@ int pam_cc_db_get(void *_db, const char *keyname, size_t keylength,
> + 		return (rc == DB_NOTFOUND) ? PAM_AUTHINFO_UNAVAIL : PAM_SERVICE_ERR;
> + 	}
> + 
> +-	if (val.size < *size) {
> ++	if (val.size > *size) {
> + 		return PAM_BUF_ERR;
> + 	}
> + 
> +-- 
> +2.11.0
> +
> diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch
> new file mode 100644
> index 000000000..adc464924
> --- /dev/null
> +++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch
> @@ -0,0 +1,97 @@
> +From 21e3ab24836c5087f3531d2d3270242cea857a79 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
> +Date: Thu, 13 May 2010 12:36:26 +0200
> +Subject: [PATCH 2/3] add minimum_uid option
> +
> +Closes: #580037
> +
> +This patch was taken from Debian's libpam-ccreds v10-6 source:
> +	0002-add-minimum_uid-option.patch
> +
> +Reviewed-by: Richard Leitner <richard.leitner@skidata.com>
> +---
> + cc_pam.c | 39 +++++++++++++++++++++++++++++++++++++++
> + 1 file changed, 39 insertions(+)
> +
> +diff --git a/cc_pam.c b/cc_pam.c
> +index d096117..56776aa 100644
> +--- a/cc_pam.c
> ++++ b/cc_pam.c
> +@@ -20,6 +20,7 @@
> + #include <errno.h>
> + #include <limits.h>
> + #include <syslog.h>
> ++#include <pwd.h>
> + 
> + #include "cc_private.h"
> + 
> +@@ -45,6 +46,30 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,
> + 				int flags, int argc, const char **argv);
> + #endif
> + 
> ++
> ++/*
> ++ * Given the PAM arguments and the user we're authenticating, see if we should
> ++ * ignore that user because they're root or have a low-numbered UID and we
> ++ * were configured to ignore such users.  Returns true if we should ignore
> ++ * them, false otherwise.
> ++ */
> ++static int
> ++_pamcc_should_ignore(const char *username, int minimum_uid)
> ++{
> ++	struct passwd *pwd;
> ++
> ++	if (minimum_uid > 0) {
> ++		pwd = getpwnam(username);
> ++		if (pwd != NULL && pwd->pw_uid < (unsigned long) minimum_uid) {
> ++			syslog(LOG_DEBUG, "ignoring low-UID user (%lu < %d)",
> ++				(unsigned long) pwd->pw_uid, minimum_uid);
> ++			return 1;
> ++		}
> ++	}
> ++	return 0;
> ++}
> ++
> ++
> + static int _pam_sm_interact(pam_handle_t *pamh,
> + 			    int flags,
> + 			    const char **authtok)
> +@@ -291,7 +316,9 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
> + 	unsigned int sm_flags = 0, sm_action = 0;
> + 	const char *ccredsfile = NULL;
> + 	const char *action = NULL;
> ++	const char *name = NULL;
> + 	int (*selector)(pam_handle_t *, int, unsigned int, const char *);
> ++	int minimum_uid = 0;
> + 
> + 	for (i = 0; i < argc; i++) {
> + 		if (strcmp(argv[i], "use_first_pass") == 0)
> +@@ -300,6 +327,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
> + 			sm_flags |= SM_FLAGS_TRY_FIRST_PASS;
> + 		else if (strcmp(argv[i], "service_specific") == 0)
> + 			sm_flags |= SM_FLAGS_SERVICE_SPECIFIC;
> ++		else if (strncmp(argv[i], "minimum_uid=", sizeof("minimum_uid=") - 1) == 0)
> ++			minimum_uid = atoi(argv[i] + sizeof("minimum_uid=") - 1);
> + 		else if (strncmp(argv[i], "ccredsfile=", sizeof("ccredsfile=") - 1) == 0)
> + 			ccredsfile = argv[i] + sizeof("ccredsfile=") - 1;
> + 		else if (strncmp(argv[i], "action=", sizeof("action=") - 1) == 0)
> +@@ -321,6 +350,16 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
> + 		syslog(LOG_ERR, "pam_ccreds: invalid action \"%s\"", action);
> + 	}
> + 
> ++	rc = pam_get_user(pamh, &name, NULL);
> ++	if (rc != PAM_SUCCESS || name == NULL) {
> ++		if (rc == PAM_CONV_AGAIN)
> ++			return PAM_INCOMPLETE;
> ++		else
> ++			return PAM_SERVICE_ERR;
> ++	}
> ++	if (_pamcc_should_ignore(name, minimum_uid))
> ++		return PAM_USER_UNKNOWN;
> ++
> + 	switch (sm_action) {
> + 	case SM_ACTION_VALIDATE_CCREDS:
> + 		selector = _pam_sm_validate_cached_credentials;
> +-- 
> +2.11.0
> +
> diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-also-for-linux-gnueabi-targets.patch b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-also-for-linux-gnueabi-targets.patch
> new file mode 100644
> index 000000000..4f203f1a3
> --- /dev/null
> +++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-also-for-linux-gnueabi-targets.patch
> @@ -0,0 +1,29 @@
> +From 12d9bb59284bd01a9fcc3b9280698ffc23ef2ddc Mon Sep 17 00:00:00 2001
> +From: Richard Leitner <richard.leitner@skidata.com>
> +Date: Fri, 1 Jun 2018 13:24:15 +0200
> +Subject: [PATCH 3/3] Set EXTENSION_SO also for linux-gnueabi targets
> +
> +As EXTENSION_SO gets already set for linux and linux-gnu targets we
> +should set it also for linux-gnueabi targets.
> +
> +Signed-off-by: Richard Leitner <richard.leitner@skidata.com>
> +---
> + configure.in | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/configure.in b/configure.in
> +index 0dbdf79..a434208 100644
> +--- a/configure.in
> ++++ b/configure.in
> +@@ -43,7 +43,7 @@ AC_SUBST(pam_ccreds_so_LD)
> + AC_SUBST(pam_ccreds_so_LDFLAGS)
> + 
> + AM_CONDITIONAL(USE_NATIVE_LINKER, test -n "$pam_ccreds_so_LD")
> +-AM_CONDITIONAL(EXTENSION_SO, test "$target_os" = "linux" -o "$target_os" = "linux-gnu")
> ++AM_CONDITIONAL(EXTENSION_SO, test "$target_os" = "linux" -o "$target_os" = "linux-gnu" -o "$target_os" = "linux-gnueabi")
> + AM_CONDITIONAL(EXTENSION_1, test "$TARGET_OS" = "HPUX")
> + 
> + if test -z "$use_gcrypt"; then
> +-- 
> +2.11.0
> +
> diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb b/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb
> new file mode 100644
> index 000000000..ded51e3a0
> --- /dev/null
> +++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb
> @@ -0,0 +1,27 @@
> +SUMMARY = "PAM cached credentials module"
> +HOMEPAGE = "https://www.padl.com/OSS/pam_ccreds.html"
> +SECTION = "libs"
> +LICENSE = "GPLv2"
> +LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
> +
> +DEPENDS = "libpam openssl db"
> +
> +inherit distro_features_check
> +REQUIRED_DISTRO_FEATURES = "pam"
> +
> +SRCREV = "376bb189ceb3a113954f1012c45be7ff09e148ba"
> +
> +SRC_URI = " \
> +    git://github.com/PADL/pam_ccreds \
> +    file://0001-make-sure-we-don-t-overflow-the-data-buffer.patch \
> +    file://0002-add-minimum_uid-option.patch \
> +    file://0003-Set-EXTENSION_SO-also-for-linux-gnueabi-targets.patch \
> +"
> +
> +S = "${WORKDIR}/git"
> +
> +inherit autotools
> +
> +EXTRA_OECONF += "--libdir=${base_libdir} "
> +
> +FILES_${PN} += "${base_libdir}/security/pam*"
> 



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 201 bytes --]

Re: [meta-oe][PATCH] pam-plugin-ccreds: add recipe

[Andre McCurdy]

On Fri, Jun 1, 2018 at 10:40 AM, Khem Raj <raj.khem@gmail.com> wrote:
> On 6/1/18 4:41 AM, Richard Leitner wrote:
>> Add version 11 of the pam-plugin-ccreds with the debian patches applied.
>
> I see QA errors like below
>
> ERROR: pam-plugin-ccreds-11-r0 do_package_qa: QA Issue: non
> -dev/-dbg/nativesdk- package contains symlink .so: pam-plugin-ccreds
> path
> '/work/core2-64-bec-linux-musl/pam-plugin-ccreds/11-r0/packages-split/pam-plugin-ccreds/lib/security/pam_ccreds.so'
> [dev-so]

According to OE's sanity checks, a .so plug-in should not be a symlink.

See the do_install_append() in the libcgroup recipe in oe-core for an
example of how to fix the issue.

>> Signed-off-by: Richard Leitner <richard.leitner@skidata.com>
>> ---
>>  ...ke-sure-we-don-t-overflow-the-data-buffer.patch | 29 +++++++
>>  .../0002-add-minimum_uid-option.patch              | 97 ++++++++++++++++++++++
>>  ...TENSION_SO-also-for-linux-gnueabi-targets.patch | 29 +++++++
>>  .../recipes-extended/pam/pam-plugin-ccreds_11.bb   | 27 ++++++
>>  4 files changed, 182 insertions(+)
>>  create mode 100644 meta-oe/recipes-extended/pam/pam-plugin-ccreds/0001-make-sure-we-don-t-overflow-the-data-buffer.patch
>>  create mode 100644 meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch
>>  create mode 100644 meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-also-for-linux-gnueabi-targets.patch
>>  create mode 100644 meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb
>>
>> diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0001-make-sure-we-don-t-overflow-the-data-buffer.patch b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0001-make-sure-we-don-t-overflow-the-data-buffer.patch
>> new file mode 100644
>> index 000000000..d7f8f5a96
>> --- /dev/null
>> +++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0001-make-sure-we-don-t-overflow-the-data-buffer.patch
>> @@ -0,0 +1,29 @@
>> +From 59a95494002ce57ace17d676544101e88a55265d Mon Sep 17 00:00:00 2001
>> +From: Nicolas Boullis <nicolas.boullis@ecp.fr>
>> +Date: Mon, 23 Mar 2009 10:46:44 +0100
>> +Subject: [PATCH 1/3] make sure we don't overflow the data buffer
>> +
>> +This patch was taken from Debian's libpam-ccreds v10-6 source:
>> +     0001-make-sure-we-don-t-overflow-the-data-buffer.patch
>> +
>> +Reviewed-by: Richard Leitner <richard.leitner@skidata.com>
>> +---
>> + cc_db.c | 2 +-
>> + 1 file changed, 1 insertion(+), 1 deletion(-)
>> +
>> +diff --git a/cc_db.c b/cc_db.c
>> +index c0e0488..9371c4d 100644
>> +--- a/cc_db.c
>> ++++ b/cc_db.c
>> +@@ -199,7 +199,7 @@ int pam_cc_db_get(void *_db, const char *keyname, size_t keylength,
>> +             return (rc == DB_NOTFOUND) ? PAM_AUTHINFO_UNAVAIL : PAM_SERVICE_ERR;
>> +     }
>> +
>> +-    if (val.size < *size) {
>> ++    if (val.size > *size) {
>> +             return PAM_BUF_ERR;
>> +     }
>> +
>> +--
>> +2.11.0
>> +
>> diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch
>> new file mode 100644
>> index 000000000..adc464924
>> --- /dev/null
>> +++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch
>> @@ -0,0 +1,97 @@
>> +From 21e3ab24836c5087f3531d2d3270242cea857a79 Mon Sep 17 00:00:00 2001
>> +From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
>> +Date: Thu, 13 May 2010 12:36:26 +0200
>> +Subject: [PATCH 2/3] add minimum_uid option
>> +
>> +Closes: #580037
>> +
>> +This patch was taken from Debian's libpam-ccreds v10-6 source:
>> +     0002-add-minimum_uid-option.patch
>> +
>> +Reviewed-by: Richard Leitner <richard.leitner@skidata.com>
>> +---
>> + cc_pam.c | 39 +++++++++++++++++++++++++++++++++++++++
>> + 1 file changed, 39 insertions(+)
>> +
>> +diff --git a/cc_pam.c b/cc_pam.c
>> +index d096117..56776aa 100644
>> +--- a/cc_pam.c
>> ++++ b/cc_pam.c
>> +@@ -20,6 +20,7 @@
>> + #include <errno.h>
>> + #include <limits.h>
>> + #include <syslog.h>
>> ++#include <pwd.h>
>> +
>> + #include "cc_private.h"
>> +
>> +@@ -45,6 +46,30 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,
>> +                             int flags, int argc, const char **argv);
>> + #endif
>> +
>> ++
>> ++/*
>> ++ * Given the PAM arguments and the user we're authenticating, see if we should
>> ++ * ignore that user because they're root or have a low-numbered UID and we
>> ++ * were configured to ignore such users.  Returns true if we should ignore
>> ++ * them, false otherwise.
>> ++ */
>> ++static int
>> ++_pamcc_should_ignore(const char *username, int minimum_uid)
>> ++{
>> ++    struct passwd *pwd;
>> ++
>> ++    if (minimum_uid > 0) {
>> ++            pwd = getpwnam(username);
>> ++            if (pwd != NULL && pwd->pw_uid < (unsigned long) minimum_uid) {
>> ++                    syslog(LOG_DEBUG, "ignoring low-UID user (%lu < %d)",
>> ++                            (unsigned long) pwd->pw_uid, minimum_uid);
>> ++                    return 1;
>> ++            }
>> ++    }
>> ++    return 0;
>> ++}
>> ++
>> ++
>> + static int _pam_sm_interact(pam_handle_t *pamh,
>> +                         int flags,
>> +                         const char **authtok)
>> +@@ -291,7 +316,9 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
>> +     unsigned int sm_flags = 0, sm_action = 0;
>> +     const char *ccredsfile = NULL;
>> +     const char *action = NULL;
>> ++    const char *name = NULL;
>> +     int (*selector)(pam_handle_t *, int, unsigned int, const char *);
>> ++    int minimum_uid = 0;
>> +
>> +     for (i = 0; i < argc; i++) {
>> +             if (strcmp(argv[i], "use_first_pass") == 0)
>> +@@ -300,6 +327,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
>> +                     sm_flags |= SM_FLAGS_TRY_FIRST_PASS;
>> +             else if (strcmp(argv[i], "service_specific") == 0)
>> +                     sm_flags |= SM_FLAGS_SERVICE_SPECIFIC;
>> ++            else if (strncmp(argv[i], "minimum_uid=", sizeof("minimum_uid=") - 1) == 0)
>> ++                    minimum_uid = atoi(argv[i] + sizeof("minimum_uid=") - 1);
>> +             else if (strncmp(argv[i], "ccredsfile=", sizeof("ccredsfile=") - 1) == 0)
>> +                     ccredsfile = argv[i] + sizeof("ccredsfile=") - 1;
>> +             else if (strncmp(argv[i], "action=", sizeof("action=") - 1) == 0)
>> +@@ -321,6 +350,16 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
>> +             syslog(LOG_ERR, "pam_ccreds: invalid action \"%s\"", action);
>> +     }
>> +
>> ++    rc = pam_get_user(pamh, &name, NULL);
>> ++    if (rc != PAM_SUCCESS || name == NULL) {
>> ++            if (rc == PAM_CONV_AGAIN)
>> ++                    return PAM_INCOMPLETE;
>> ++            else
>> ++                    return PAM_SERVICE_ERR;
>> ++    }
>> ++    if (_pamcc_should_ignore(name, minimum_uid))
>> ++            return PAM_USER_UNKNOWN;
>> ++
>> +     switch (sm_action) {
>> +     case SM_ACTION_VALIDATE_CCREDS:
>> +             selector = _pam_sm_validate_cached_credentials;
>> +--
>> +2.11.0
>> +
>> diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-also-for-linux-gnueabi-targets.patch b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-also-for-linux-gnueabi-targets.patch
>> new file mode 100644
>> index 000000000..4f203f1a3
>> --- /dev/null
>> +++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-also-for-linux-gnueabi-targets.patch
>> @@ -0,0 +1,29 @@
>> +From 12d9bb59284bd01a9fcc3b9280698ffc23ef2ddc Mon Sep 17 00:00:00 2001
>> +From: Richard Leitner <richard.leitner@skidata.com>
>> +Date: Fri, 1 Jun 2018 13:24:15 +0200
>> +Subject: [PATCH 3/3] Set EXTENSION_SO also for linux-gnueabi targets
>> +
>> +As EXTENSION_SO gets already set for linux and linux-gnu targets we
>> +should set it also for linux-gnueabi targets.
>> +
>> +Signed-off-by: Richard Leitner <richard.leitner@skidata.com>
>> +---
>> + configure.in | 2 +-
>> + 1 file changed, 1 insertion(+), 1 deletion(-)
>> +
>> +diff --git a/configure.in b/configure.in
>> +index 0dbdf79..a434208 100644
>> +--- a/configure.in
>> ++++ b/configure.in
>> +@@ -43,7 +43,7 @@ AC_SUBST(pam_ccreds_so_LD)
>> + AC_SUBST(pam_ccreds_so_LDFLAGS)
>> +
>> + AM_CONDITIONAL(USE_NATIVE_LINKER, test -n "$pam_ccreds_so_LD")
>> +-AM_CONDITIONAL(EXTENSION_SO, test "$target_os" = "linux" -o "$target_os" = "linux-gnu")
>> ++AM_CONDITIONAL(EXTENSION_SO, test "$target_os" = "linux" -o "$target_os" = "linux-gnu" -o "$target_os" = "linux-gnueabi")
>> + AM_CONDITIONAL(EXTENSION_1, test "$TARGET_OS" = "HPUX")
>> +
>> + if test -z "$use_gcrypt"; then
>> +--
>> +2.11.0
>> +
>> diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb b/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb
>> new file mode 100644
>> index 000000000..ded51e3a0
>> --- /dev/null
>> +++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb
>> @@ -0,0 +1,27 @@
>> +SUMMARY = "PAM cached credentials module"
>> +HOMEPAGE = "https://www.padl.com/OSS/pam_ccreds.html"
>> +SECTION = "libs"
>> +LICENSE = "GPLv2"
>> +LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
>> +
>> +DEPENDS = "libpam openssl db"
>> +
>> +inherit distro_features_check
>> +REQUIRED_DISTRO_FEATURES = "pam"
>> +
>> +SRCREV = "376bb189ceb3a113954f1012c45be7ff09e148ba"
>> +
>> +SRC_URI = " \
>> +    git://github.com/PADL/pam_ccreds \
>> +    file://0001-make-sure-we-don-t-overflow-the-data-buffer.patch \
>> +    file://0002-add-minimum_uid-option.patch \
>> +    file://0003-Set-EXTENSION_SO-also-for-linux-gnueabi-targets.patch \
>> +"
>> +
>> +S = "${WORKDIR}/git"
>> +
>> +inherit autotools
>> +
>> +EXTRA_OECONF += "--libdir=${base_libdir} "
>> +
>> +FILES_${PN} += "${base_libdir}/security/pam*"
>>
>
>
>
> --
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
>

Re: [meta-oe][PATCH] pam-plugin-ccreds: add recipe

[Richard Leitner]

On 06/01/2018 08:01 PM, Andre McCurdy wrote:
> On Fri, Jun 1, 2018 at 10:40 AM, Khem Raj <raj.khem@gmail.com> wrote:
>> On 6/1/18 4:41 AM, Richard Leitner wrote:
>>> Add version 11 of the pam-plugin-ccreds with the debian patches applied.
>>
>> I see QA errors like below
>>
>> ERROR: pam-plugin-ccreds-11-r0 do_package_qa: QA Issue: non
>> -dev/-dbg/nativesdk- package contains symlink .so: pam-plugin-ccreds
>> path
>> '/work/core2-64-bec-linux-musl/pam-plugin-ccreds/11-r0/packages-split/pam-plugin-ccreds/lib/security/pam_ccreds.so'
>> [dev-so]

Thanks for that information.
Are other targets than "linux-musl" affected?

> 
> According to OE's sanity checks, a .so plug-in should not be a symlink.
> 
> See the do_install_append() in the libcgroup recipe in oe-core for an
> example of how to fix the issue.

IMHO in this case the better solution is to add the missing targets to
the following patch... Or does anybody know how to pass a wildcard like
linux* to AM_CONDITIONAL? Google wasn't very helpful here :-(


>>> diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-also-for-linux-gnueabi-targets.patch b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-also-for-linux-gnueabi-targets.patch
>>> new file mode 100644
>>> index 000000000..4f203f1a3
>>> --- /dev/null
>>> +++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-also-for-linux-gnueabi-targets.patch
>>> @@ -0,0 +1,29 @@
>>> +From 12d9bb59284bd01a9fcc3b9280698ffc23ef2ddc Mon Sep 17 00:00:00 2001
>>> +From: Richard Leitner <richard.leitner@skidata.com>
>>> +Date: Fri, 1 Jun 2018 13:24:15 +0200
>>> +Subject: [PATCH 3/3] Set EXTENSION_SO also for linux-gnueabi targets
>>> +
>>> +As EXTENSION_SO gets already set for linux and linux-gnu targets we
>>> +should set it also for linux-gnueabi targets.
>>> +
>>> +Signed-off-by: Richard Leitner <richard.leitner@skidata.com>
>>> +---
>>> + configure.in | 2 +-
>>> + 1 file changed, 1 insertion(+), 1 deletion(-)
>>> +
>>> +diff --git a/configure.in b/configure.in
>>> +index 0dbdf79..a434208 100644
>>> +--- a/configure.in
>>> ++++ b/configure.in
>>> +@@ -43,7 +43,7 @@ AC_SUBST(pam_ccreds_so_LD)
>>> + AC_SUBST(pam_ccreds_so_LDFLAGS)
>>> +
>>> + AM_CONDITIONAL(USE_NATIVE_LINKER, test -n "$pam_ccreds_so_LD")
>>> +-AM_CONDITIONAL(EXTENSION_SO, test "$target_os" = "linux" -o "$target_os" = "linux-gnu")
>>> ++AM_CONDITIONAL(EXTENSION_SO, test "$target_os" = "linux" -o "$target_os" = "linux-gnu" -o "$target_os" = "linux-gnueabi")
>>> + AM_CONDITIONAL(EXTENSION_1, test "$TARGET_OS" = "HPUX")
>>> +
>>> + if test -z "$use_gcrypt"; then
>>> +--
>>> +2.11.0

regards;Richard.L

[meta-oe][PATCH] pam-plugin-ccreds: add recipe

[Richard Leitner]

On 06/01/2018 08:01 PM, Andre McCurdy wrote:
> On Fri, Jun 1, 2018 at 10:40 AM, Khem Raj <raj.khem@gmail.com> wrote:
>> On 6/1/18 4:41 AM, Richard Leitner wrote:
>>> Add version 11 of the pam-plugin-ccreds with the debian patches applied.
>>
>> I see QA errors like below
>>
>> ERROR: pam-plugin-ccreds-11-r0 do_package_qa: QA Issue: non
>> -dev/-dbg/nativesdk- package contains symlink .so: pam-plugin-ccreds
>> path
>> '/work/core2-64-bec-linux-musl/pam-plugin-ccreds/11-r0/packages-split/pam-plugin-ccreds/lib/security/pam_ccreds.so'
>> [dev-so]

Thanks for that information.
Do you know if other targets than "linux-musl" are affected?

> 
> According to OE's sanity checks, a .so plug-in should not be a symlink.
> 
> See the do_install_append() in the libcgroup recipe in oe-core for an
> example of how to fix the issue.

IMHO in this case the better solution is to add the missing targets
to the following patch... Or does anybody know how to pass wildcards to
string comparisons in AM_CONDITIONAL? Google wasn't very helpful here...

>>> diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-also-for-linux-gnueabi-targets.patch b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-also-for-linux-gnueabi-targets.patch
>>> new file mode 100644
>>> index 000000000..4f203f1a3
>>> --- /dev/null
>>> +++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-also-for-linux-gnueabi-targets.patch
>>> @@ -0,0 +1,29 @@
>>> +From 12d9bb59284bd01a9fcc3b9280698ffc23ef2ddc Mon Sep 17 00:00:00 2001
>>> +From: Richard Leitner <richard.leitner@skidata.com>
>>> +Date: Fri, 1 Jun 2018 13:24:15 +0200
>>> +Subject: [PATCH 3/3] Set EXTENSION_SO also for linux-gnueabi targets
>>> +
>>> +As EXTENSION_SO gets already set for linux and linux-gnu targets we
>>> +should set it also for linux-gnueabi targets.
>>> +
>>> +Signed-off-by: Richard Leitner <richard.leitner@skidata.com>
>>> +---
>>> + configure.in | 2 +-
>>> + 1 file changed, 1 insertion(+), 1 deletion(-)
>>> +
>>> +diff --git a/configure.in b/configure.in
>>> +index 0dbdf79..a434208 100644
>>> +--- a/configure.in
>>> ++++ b/configure.in
>>> +@@ -43,7 +43,7 @@ AC_SUBST(pam_ccreds_so_LD)
>>> + AC_SUBST(pam_ccreds_so_LDFLAGS)
>>> +
>>> + AM_CONDITIONAL(USE_NATIVE_LINKER, test -n "$pam_ccreds_so_LD")
>>> +-AM_CONDITIONAL(EXTENSION_SO, test "$target_os" = "linux" -o "$target_os" = "linux-gnu")
>>> ++AM_CONDITIONAL(EXTENSION_SO, test "$target_os" = "linux" -o "$target_os" = "linux-gnu" -o "$target_os" = "linux-gnueabi")
>>> + AM_CONDITIONAL(EXTENSION_1, test "$TARGET_OS" = "HPUX")
>>> +
>>> + if test -z "$use_gcrypt"; then
>>> +--
>>> +2.11.0
>>> +

regards;Richard.L

Re: [meta-oe][PATCH] pam-plugin-ccreds: add recipe

[Andre McCurdy]

On Sun, Jun 3, 2018 at 11:24 PM, Richard Leitner
<richard.leitner@skidata.com> wrote:
> On 06/01/2018 08:01 PM, Andre McCurdy wrote:
>> On Fri, Jun 1, 2018 at 10:40 AM, Khem Raj <raj.khem@gmail.com> wrote:
>>> On 6/1/18 4:41 AM, Richard Leitner wrote:
>>>> Add version 11 of the pam-plugin-ccreds with the debian patches applied.
>>>
>>> I see QA errors like below
>>>
>>> ERROR: pam-plugin-ccreds-11-r0 do_package_qa: QA Issue: non
>>> -dev/-dbg/nativesdk- package contains symlink .so: pam-plugin-ccreds
>>> path
>>> '/work/core2-64-bec-linux-musl/pam-plugin-ccreds/11-r0/packages-split/pam-plugin-ccreds/lib/security/pam_ccreds.so'
>>> [dev-so]
>
> Thanks for that information.
> Do you know if other targets than "linux-musl" are affected?
>
>>
>> According to OE's sanity checks, a .so plug-in should not be a symlink.
>>
>> See the do_install_append() in the libcgroup recipe in oe-core for an
>> example of how to fix the issue.
>
> IMHO in this case the better solution is to add the missing targets
> to the following patch... Or does anybody know how to pass wildcards to
> string comparisons in AM_CONDITIONAL? Google wasn't very helpful here...

Untested, but I guess something like this would work:

  AM_CONDITIONAL(EXTENSION_SO, case "$target_os" in linux*) true;; *)
false;; esac)

The approach in your patch also looks OK.

Re: [meta-oe][PATCH] pam-plugin-ccreds: add recipe

[Richard Leitner]

On 06/04/2018 09:34 PM, Andre McCurdy wrote:
> On Sun, Jun 3, 2018 at 11:24 PM, Richard Leitner
> <richard.leitner@skidata.com> wrote:
>> On 06/01/2018 08:01 PM, Andre McCurdy wrote:
>>> On Fri, Jun 1, 2018 at 10:40 AM, Khem Raj <raj.khem@gmail.com> wrote:
>>>> On 6/1/18 4:41 AM, Richard Leitner wrote:
>>>>> Add version 11 of the pam-plugin-ccreds with the debian patches applied.
>>>>
>>>> I see QA errors like below
>>>>
>>>> ERROR: pam-plugin-ccreds-11-r0 do_package_qa: QA Issue: non
>>>> -dev/-dbg/nativesdk- package contains symlink .so: pam-plugin-ccreds
>>>> path
>>>> '/work/core2-64-bec-linux-musl/pam-plugin-ccreds/11-r0/packages-split/pam-plugin-ccreds/lib/security/pam_ccreds.so'
>>>> [dev-so]
>>
>> Thanks for that information.
>> Do you know if other targets than "linux-musl" are affected?
>>
>>>
>>> According to OE's sanity checks, a .so plug-in should not be a symlink.
>>>
>>> See the do_install_append() in the libcgroup recipe in oe-core for an
>>> example of how to fix the issue.
>>
>> IMHO in this case the better solution is to add the missing targets
>> to the following patch... Or does anybody know how to pass wildcards to
>> string comparisons in AM_CONDITIONAL? Google wasn't very helpful here...
> 
> Untested, but I guess something like this would work:
> 
>   AM_CONDITIONAL(EXTENSION_SO, case "$target_os" in linux*) true;; *)
> false;; esac)

Thank you :-)

> 
> The approach in your patch also looks OK.
> 

Ok. Then I won't send a v3 for that and stay with v2.