# Copyright 1999-2004 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 # $Header: /var/cvsroot/gentoo-x86/sys-apps/shadow/shadow-4.0.4.1-r1.ebuild,v 1.5 2004/09/03 21:03:24 pvdabeel Exp $ inherit eutils libtool gnuconfig 64-bit flag-o-matic FORCE_SYSTEMAUTH_UPDATE="no" SELINUX_PATCH="shadow-4.0.4.1-selinux.diff" HOMEPAGE="http://shadow.pld.org.pl/" DESCRIPTION="Utilities to deal with user accounts" SRC_URI="ftp://ftp.pld.org.pl/software/shadow/${P}.tar.bz2" LICENSE="BSD" SLOT="0" KEYWORDS="~x86 ppc ~sparc ~mips alpha arm ~mips ~hppa ~amd64 ~ia64 ~ppc64 s390" IUSE="pam selinux nls" DEPEND=">=sys-libs/cracklib-2.7-r3 pam? ( >=sys-libs/pam-0.75-r4 ) nls? ( sys-devel/gettext ) selinux? ( sys-libs/libselinux )" RDEPEND=">=sys-libs/cracklib-2.7-r3 pam? ( >=sys-libs/pam-0.75-r4 ) selinux? ( sys-libs/libselinux )" pkg_preinst() { rm -f ${ROOT}/etc/pam.d/system-auth.new } src_unpack() { unpack ${A} cd ${S} use selinux && epatch ${FILESDIR}/${SELINUX_PATCH} # Get su to call pam_open_session(), and also set DISPLAY and XAUTHORITY, # else the session entries in /etc/pam.d/su never get executed, and # pam_xauth for one, is then never used. This should close bug #8831. # # (19 Oct 2002) use pam && epatch ${FILESDIR}/${P}-su-pam_open_session.patch # If su should not simulate a login shell, use '/bin/sh' as shell to enable # running of commands as user with /bin/false as shell, closing bug #15015. # # (23 Feb 2003) # This one could be a security hole ... # cd ${S}; epatch ${FILESDIR}/${P}-nologin-run-sh.patch # Patch the useradd manpage to be a bit more clear, closing bug #13203. # Thanks to Guy . epatch ${FILESDIR}/${P}-useradd-manpage-update.patch # Patch to correct the definition if malloc, so that shadow can compile # using gcc 3.4. see bug #47455 for more information epatch ${FILESDIR}/${P}-gcc34-xmalloc.patch } src_compile() { # Allows shadow configure detect mips systems properly gnuconfig_update elibtoolize # Fix this library for 64-bit systems that need -fPIC to link the # libshadow.a into freeradius shared objects. Normally we'd # just fix it for everybody but don't want to hurt performance for # other arches. See bug 35736 (06 May 2004 agriffis) 64-bit && append-flags -fPIC local myconf use pam \ && myconf="${myconf} --with-libpam --with-libcrack" \ || myconf="${myconf} --without-libpam" ./configure --disable-desrpc \ --with-libcrypt \ --with-libcrack \ --enable-shared=no \ --enable-static=yes \ --host=${CHOST} \ `use_enable nls` \ ${myconf} || die "bad configure" # Parallel make fails sometimes emake -j1 || die "compile problem" } src_install() { dodir /etc/default /etc/skel make prefix=${D}/usr \ exec_prefix=${D} \ mandir=${D}/usr/share/man \ install || die "install problem" # Do not install this login, but rather the one from # pam-login, as this one have a serious root exploit # with pam_limits in use. use pam && rm ${D}/bin/login mv ${D}/lib ${D}/usr dosed "s:/lib':/usr/lib':g" /usr/lib/libshadow.la dosed "s:/lib/:/usr/lib/:g" /usr/lib/libshadow.la dosed "s:/lib':/usr/lib':g" /usr/lib/libmisc.la dosed "s:/lib/:/usr/lib/:g" /usr/lib/libmisc.la dosym newgrp /usr/bin/sg dosym useradd /usr/sbin/adduser dosym vipw /usr/sbin/vigr # Remove dead links rm -f ${D}/bin/{sg,vipw,vigr} insinto /etc # Using a securetty with devfs device names added # (compat names kept for non-devfs compatibility) insopts -m0600 ; doins ${FILESDIR}/securetty insopts -m0600 ; doins ${S}/etc/login.access insopts -m0644 ; doins ${S}/etc/limits # needed for 'adduser -D' insinto /etc/default insopts -m0600 doins ${FILESDIR}/default/useradd # From sys-apps/pam-login now # insopts -m0644 ; doins ${FILESDIR}/login.defs if use pam ; then insinto /etc/pam.d ; insopts -m0644 for x in ${FILESDIR}/pam.d/* do [ -f ${x} ] && doins ${x} done cd ${FILESDIR}/pam.d # Make sure /etc/pam.d/system-auth is the new version .. mv ${D}/etc/pam.d/system-auth-1.1 ${D}/etc/pam.d/system-auth newins system-auth-1.1 system-auth.new || die newins shadow chage newins shadow chsh newins shadow chfn newins shadow useradd newins shadow groupadd fi cd ${S} # The manpage install is beyond my comprehension, and # also broken. Just do it over. rm -rf ${D}/usr/share/man/* rm -f man/id.1 man/getspnam.3 man/passwd.5 for x in man/*.[0-9] do [ -f ${x} ] && doman ${x} done if ! use pam ; then # Dont install the manpage, since we dont use # login with shadow rm -f ${D}/usr/share/man/man1/login.* # We use pam, so this is not applicable. rm -f ${D}/usr/share/man/man5/suauth.* fi cd ${S}/doc dodoc ANNOUNCE INSTALL LICENSE README WISHLIST docinto txt dodoc HOWTO LSM README.* *.txt # Fix sparc serial console if [ "${ARCH}" = "sparc" ] then # ttyS0 and its devfsd counterpart (Sparc serial port "A") dosed 's:\(vc/1\)$:tts/0\n\1:' /etc/securetty dosed 's:\(tty1\)$:ttyS0\n\1:' /etc/securetty fi # fix hppa serial console if [ "${ARCH}" = "hppa" ] then # ttyB0 is the PDC software console dosed 's:\(vc/1\)$:tts/0\n\1:' /etc/securetty dosed 's:\(tty1\)$:ttyS0\n\1:' /etc/securetty dosed 's:\(tty1\)$:ttyB0\n\1:' /etc/securetty fi } pkg_postinst() { use pam || return 0; local CHECK1="$(md5sum ${ROOT}/etc/pam.d/system-auth | cut -d ' ' -f 1)" local CHECK2="$(md5sum ${ROOT}/etc/pam.d/system-auth.new | cut -d ' ' -f 1)" if [ "${CHECK1}" != "${CHECK2}" -a "${FORCE_SYSTEMAUTH_UPDATE}" = "yes" ] then ewarn "Due to a security issue, ${ROOT}etc/pam.d/system-auth " ewarn "is being updated automatically. Your old " ewarn "system-auth will be backed up as:" ewarn ewarn " ${ROOT}etc/pam.d/system-auth.bak" echo cp -a ${ROOT}/etc/pam.d/system-auth \ ${ROOT}/etc/pam.d/system-auth.bak; mv -f ${ROOT}/etc/pam.d/system-auth.new \ ${ROOT}/etc/pam.d/system-auth rm -f ${ROOT}/etc/pam.d/._cfg????_system-auth else rm -f ${ROOT}/etc/pam.d/system-auth.new fi }