clifford & fake:

20 years ago · 3780dd42a8
8 changed files with 24 additions and 736 deletions
--- a/package/base/pam/cvs-fixes.patch
+++ b/package/base/pam/cvs-fixes.patch
@ -1,527 +0,0 @@
 # --- ROCK-COPYRIGHT-NOTE-BEGIN ---
 # 
 # This copyright note is auto-generated by ./scripts/Create-CopyPatch.
 # Please add additional copyright information _after_ the line containing
 # the ROCK-COPYRIGHT-NOTE-END tag. Otherwise it might get removed by
 # the ./scripts/Create-CopyPatch script. Do not edit this copyright text!
 # 
 # ROCK Linux: rock-src/package/base/pam/cvs-fixes.patch
 # ROCK Linux is Copyright (C) 1998 - 2004 Clifford Wolf
 # 
 # This patch file is dual-licensed. It is available under the license the
 # patched project is licensed under, as long as it is an OpenSource license
 # as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
 # of the GNU General Public License as published by the Free Software
 # Foundation; either version 2 of the License, or (at your option) any later
 # version.
 # 
 # --- ROCK-COPYRIGHT-NOTE-END ---


 Some fixes from PAM cvs (checked out at 2003-05-03).

 diff -x CVS -x '*cvs*' -ruN Linux-PAM-0.77/modules/pam_unix/Makefile Linux-PAM/modules/pam_unix/Makefile
 --- Linux-PAM-0.77/modules/pam_unix/Makefile	2001-02-11 07:33:53.000000000 +0100
 +++ Linux-PAM/modules/pam_unix/Makefile	2003-01-14 06:43:07.000000000 +0100
@@ -41,8 +41,10 @@
 
 ########################################################################
 
 -CFLAGS += $(USE_CRACKLIB) $(USE_LCKPWDF) $(NEED_LCKPWDF) $(EXTRAS)
 -LDLIBS = $(EXTRALS)
 +CFLAGS += $(USE_CRACKLIB) $(USE_LCKPWDF) $(NEED_LCKPWDF) $(EXTRAS) \
 +	 -I../pammodutil/include
 +
 +LDLIBS = $(EXTRALS) -L../pammodutil -lpammodutil
 
 ifdef USE_CRACKLIB
 CRACKLIB = -lcrack
 diff -x CVS -x '*cvs*' -ruN Linux-PAM-0.77/modules/pam_unix/pam_unix_passwd.c Linux-PAM/modules/pam_unix/pam_unix_passwd.c
 --- Linux-PAM-0.77/modules/pam_unix/pam_unix_passwd.c	2002-07-09 06:44:18.000000000 +0200
 +++ Linux-PAM/modules/pam_unix/pam_unix_passwd.c	2003-01-14 06:43:07.000000000 +0100
@@ -88,7 +88,7 @@
  */
 
 #ifdef NEED_LCKPWDF
 -#include "./lckpwdf.-c"
 +# include "./lckpwdf.-c"
 #endif
 
 extern char *bigcrypt(const char *key, const char *salt);
@@ -471,10 +471,7 @@
 
 	D(("called"));
 
 -	setpwent();
 	pwd = getpwnam(forwho);
 -	endpwent();
 -
 	if (pwd == NULL)
 		return PAM_AUTHTOK_ERR;
 
@@ -544,6 +541,24 @@
 	if (save_old_password(forwho, fromwhat, remember)) {
 		return PAM_AUTHTOK_ERR;
 	}
 +
 +#ifdef USE_LCKPWDF
 +	/*
 +	 * These values for the number of attempts and the sleep time
 +	 * are, of course, completely arbitrary.
 +	 *
 +	 * My reading of the PAM docs is that, once pam_chauthtok()
 +	 * has been called with PAM_UPDATE_AUTHTOK, we are obliged to
 +	 * take any reasonable steps to make sure the token is
 +	 * updated; so retrying for 1/10 sec. isn't overdoing it.
 +	 */
 +
 +	retval = lckpwdf();
 +	if (retval != 0) {
 +	    return PAM_AUTHTOK_LOCK_BUSY;
 +	}
 +#endif /* def USE_LCKPWDF */
 +	
 	if (on(UNIX_SHADOW, ctrl) || (strcmp(pwd->pw_passwd, "x") == 0)) {
 		retval = _update_shadow(forwho, towhat);
 		if (retval == PAM_SUCCESS)
@@ -552,6 +567,10 @@
 		retval = _update_passwd(pamh, forwho, towhat);
 	}
 
 +#ifdef USE_LCKPWDF
 +	ulckpwdf();
 +#endif /* def USE_LCKPWDF */
 +
 	return retval;
 }
 
@@ -563,9 +582,7 @@
 	int retval = PAM_SUCCESS;
 
 	/* UNIX passwords area */
 -	setpwent();
 	pwd = getpwnam(user);	/* Get password file entry... */
 -	endpwent();
 	if (pwd == NULL)
 		return PAM_AUTHINFO_UNAVAIL;	/* We don't need to do the rest... */
 
@@ -679,7 +696,7 @@
 				int argc, const char **argv)
 {
 	unsigned int ctrl, lctrl;
 -	int retval, i;
 +	int retval;
 	int remember = -1;
 
 	/* <DO NOT free() THESE> */
@@ -689,33 +706,12 @@
 
 	D(("called."));
 
 -#ifdef USE_LCKPWDF
 -	/* our current locking system requires that we lock the
 -	   entire password database.  This avoids both livelock
 -	   and deadlock. */
 -	/* These values for the number of attempts and the sleep time
 -	   are, of course, completely arbitrary.
 -	   My reading of the PAM docs is that, once pam_chauthtok() has been
 -	   called with PAM_UPDATE_AUTHTOK, we are obliged to take any
 -	   reasonable steps to make sure the token is updated; so retrying
 -	   for 1/10 sec. isn't overdoing it.
 -	   The other possibility is to call lckpwdf() on the first
 -	   pam_chauthtok() pass, and hold the lock until released in the
 -	   second pass--but is this guaranteed to work? -SRL */
 -	i=0;
 -	while((retval = lckpwdf()) != 0 && i < 100) {
 -		usleep(1000);
 -	}
 -	if(retval != 0) {
 -		return PAM_AUTHTOK_LOCK_BUSY;
 -	}
 -#endif
 	ctrl = _set_ctrl(pamh, flags, &remember, argc, argv);
 
 	/*
 	 * First get the name of a user
 	 */
 -	retval = pam_get_user(pamh, &user, "Username: ");
 +	retval = pam_get_user(pamh, &user, NULL);
 	if (retval == PAM_SUCCESS) {
 		/*
 		 * Various libraries at various times have had bugs related to
@@ -725,9 +721,6 @@
 		 */
 		if (user == NULL || !isalnum(*user)) {
 			_log_err(LOG_ERR, pamh, "bad username [%s]", user);
 -#ifdef USE_LCKPWDF
 -			ulckpwdf();
 -#endif
 			return PAM_USER_UNKNOWN;
 		}
 		if (retval == PAM_SUCCESS && on(UNIX_DEBUG, ctrl))
@@ -737,9 +730,6 @@
 		if (on(UNIX_DEBUG, ctrl))
 			_log_err(LOG_DEBUG, pamh,
 			         "password - could not identify user");
 -#ifdef USE_LCKPWDF
 -		ulckpwdf();
 -#endif
 		return retval;
 	}
 
@@ -761,9 +751,6 @@
 		D(("prelim check"));
 
 		if (_unix_blankpasswd(ctrl, user)) {
 -#ifdef USE_LCKPWDF
 -			ulckpwdf();
 -#endif
 			return PAM_SUCCESS;
 		} else if (off(UNIX__IAMROOT, ctrl)) {
 
@@ -773,9 +760,6 @@
 			if (Announce == NULL) {
 				_log_err(LOG_CRIT, pamh,
 				         "password - out of memory");
 -#ifdef USE_LCKPWDF
 -				ulckpwdf();
 -#endif
 				return PAM_BUF_ERR;
 			}
 			(void) strcpy(Announce, greeting);
@@ -795,9 +779,6 @@
 			if (retval != PAM_SUCCESS) {
 				_log_err(LOG_NOTICE, pamh
 				 ,"password - (old) token not obtained");
 -#ifdef USE_LCKPWDF
 -				ulckpwdf();
 -#endif
 				return retval;
 			}
 			/* verify that this is the password for this user */
@@ -812,9 +793,6 @@
 		if (retval != PAM_SUCCESS) {
 			D(("Authentication failed"));
 			pass_old = NULL;
 -#ifdef USE_LCKPWDF
 -			ulckpwdf();
 -#endif
 			return retval;
 		}
 		retval = pam_set_item(pamh, PAM_OLDAUTHTOK, (const void *) pass_old);
@@ -867,17 +845,11 @@
 
 		if (retval != PAM_SUCCESS) {
 			_log_err(LOG_NOTICE, pamh, "user not authenticated");
 -#ifdef USE_LCKPWDF
 -			ulckpwdf();
 -#endif
 			return retval;
 		}
 		retval = _unix_verify_shadow(user, ctrl);
 		if (retval != PAM_SUCCESS) {
 			_log_err(LOG_NOTICE, pamh, "user not authenticated 2");
 -#ifdef USE_LCKPWDF
 -			ulckpwdf();
 -#endif
 			return retval;
 		}
 		D(("get new password now"));
@@ -908,9 +880,6 @@
 						 ,"password - new password not obtained");
 				}
 				pass_old = NULL;	/* tidy up */
 -#ifdef USE_LCKPWDF
 -				ulckpwdf();
 -#endif
 				return retval;
 			}
 			D(("returned to _unix_chauthtok"));
@@ -931,9 +900,6 @@
 			_log_err(LOG_NOTICE, pamh,
 			         "new password not acceptable");
 			pass_new = pass_old = NULL;	/* tidy up */
 -#ifdef USE_LCKPWDF
 -			ulckpwdf();
 -#endif
 			return retval;
 		}
 		/*
@@ -974,9 +940,6 @@
 					_log_err(LOG_CRIT, pamh,
 					         "out of memory for password");
 					pass_new = pass_old = NULL;	/* tidy up */
 -#ifdef USE_LCKPWDF
 -					ulckpwdf();
 -#endif
 					return PAM_BUF_ERR;
 				}
 				/* copy first 8 bytes of password */
@@ -998,6 +961,7 @@
 
 		retval = _do_setpass(pamh, user, pass_old, tpass, ctrl,
 		                     remember);
 +
 		_pam_delete(tpass);
 		pass_old = pass_new = NULL;
 	} else {		/* something has broken with the module */
@@ -1008,9 +972,6 @@
 
 	D(("retval was %d", retval));
 
 -#ifdef USE_LCKPWDF
 -	ulckpwdf();
 -#endif
 	return retval;
 }
 
 diff -x CVS -x '*cvs*' -ruN Linux-PAM-0.77/modules/pam_unix/pam_unix_sess.c Linux-PAM/modules/pam_unix/pam_unix_sess.c
 --- Linux-PAM-0.77/modules/pam_unix/pam_unix_sess.c	2000-12-20 06:15:05.000000000 +0100
 +++ Linux-PAM/modules/pam_unix/pam_unix_sess.c	2003-01-14 06:43:07.000000000 +0100
@@ -53,6 +53,7 @@
 
 #include <security/_pam_macros.h>
 #include <security/pam_modules.h>
 +#include <security/_pam_modutil.h>
 
 #ifndef LINUX_PAM
 #include <security/pam_appl.h>
@@ -71,6 +72,7 @@
 	char *user_name, *service;
 	unsigned int ctrl;
 	int retval;
 +    const char *login_name;
 
 	D(("called."));
 
@@ -89,9 +91,12 @@
 		         "open_session - error recovering service");
 		return PAM_SESSION_ERR;
 	}
 -	_log_err(LOG_INFO, pamh, "session opened for user %s by %s(uid=%d)"
 -		 ,user_name
 -		 ,PAM_getlogin() == NULL ? "" : PAM_getlogin(), getuid());
 +	login_name = _pammodutil_getlogin(pamh);
 +	if (login_name == NULL) {
 +	    login_name = "";
 +	}
 +	_log_err(LOG_INFO, pamh, "session opened for user %s by %s(uid=%d)",
 +		 user_name, login_name, getuid());
 
 	return PAM_SUCCESS;
 }
 diff -x CVS -x '*cvs*' -ruN Linux-PAM-0.77/modules/pam_unix/support.c Linux-PAM/modules/pam_unix/support.c
 --- Linux-PAM-0.77/modules/pam_unix/support.c	2002-09-23 19:33:22.000000000 +0200
 +++ Linux-PAM/modules/pam_unix/support.c	2003-01-14 06:43:07.000000000 +0100
@@ -20,6 +20,7 @@
 
 #include <security/_pam_macros.h>
 #include <security/pam_modules.h>
 +#include <security/_pam_modutil.h>
 
 #include "md5.h"
 #include "support.h"
@@ -107,36 +108,6 @@
 	return retval;
 }
 
 -  /*
 -   * Beacause getlogin() is braindead and sometimes it just
 -   * doesn't work, we reimplement it here.
 -   */
 -char *PAM_getlogin(void)
 -{
 -	struct utmp *ut, line;
 -	char *curr_tty, *retval;
 -	static char curr_user[sizeof(ut->ut_user) + 4];
 -
 -	retval = NULL;
 -
 -	curr_tty = ttyname(0);
 -	if (curr_tty != NULL) {
 -		D(("PAM_getlogin ttyname: %s", curr_tty));
 -		curr_tty += 5;
 -		setutent();
 -		strncpy(line.ut_line, curr_tty, sizeof(line.ut_line));
 -		if ((ut = getutline(&line)) != NULL) {
 -			strncpy(curr_user, ut->ut_user, sizeof(ut->ut_user));
 -			curr_user[sizeof(curr_user) - 1] = '\0';
 -			retval = curr_user;
 -		}
 -		endutent();
 -	}
 -	D(("PAM_getlogin retval: %s", retval));
 -
 -	return retval;
 -}
 -
 /*
  * set the control flags for the UNIX module.
  */
@@ -668,10 +639,17 @@
 
 			if (new != NULL) {
 
 -				new->user = x_strdup(name ? name : "");
 +			    const char *login_name;
 +
 +			    login_name = _pammodutil_getlogin(pamh);
 +			    if (login_name == NULL) {
 +				login_name = "";
 +			    }
 +
 +			        new->user = x_strdup(name ? name : "");
 				new->uid = getuid();
 				new->euid = geteuid();
 -				new->name = x_strdup(PAM_getlogin()? PAM_getlogin() : "");
 +				new->name = x_strdup(login_name);
 
 				/* any previous failures for this user ? */
 				pam_get_data(pamh, data_name, (const void **) &old);
 diff -x CVS -x '*cvs*' -ruN Linux-PAM-0.77/modules/pam_unix/support.h Linux-PAM/modules/pam_unix/support.h
 --- Linux-PAM-0.77/modules/pam_unix/support.h	2002-07-11 07:43:51.000000000 +0200
 +++ Linux-PAM/modules/pam_unix/support.h	2003-01-14 06:43:07.000000000 +0100
@@ -125,7 +125,6 @@
 	_pam_drop(xx);		\
 }
 
 -extern char *PAM_getlogin(void);
 extern void _log_err(int err, pam_handle_t *pamh, const char *format,...);
 extern int _make_remark(pam_handle_t * pamh, unsigned int ctrl
 		       ,int type, const char *text);
 diff -x CVS -x '*cvs*' -ruN Linux-PAM-0.77/modules/pam_wheel/pam_wheel.c Linux-PAM/modules/pam_wheel/pam_wheel.c
 --- Linux-PAM-0.77/modules/pam_wheel/pam_wheel.c	2002-07-13 07:48:19.000000000 +0200
 +++ Linux-PAM/modules/pam_wheel/pam_wheel.c	2003-01-14 06:43:07.000000000 +0100
@@ -43,6 +43,7 @@
 #define PAM_SM_ACCOUNT
 
 #include <security/pam_modules.h>
 +#include <security/_pam_modutil.h>
 
 /* some syslogging */
 
@@ -110,7 +111,7 @@
 			 const char *use_group)
 {
     const char *username = NULL;
 -    char *fromsu;
 +    const char *fromsu;
     struct passwd *pwd, *tpwd;
     struct group *grp;
     int retval = PAM_AUTH_ERR;
@@ -142,7 +143,7 @@
 	}
 	fromsu = tpwd->pw_name;
     } else {
 -	fromsu = getlogin();
 +	fromsu = _pammodutil_getlogin(pamh);
 	if (fromsu) {
 	    tpwd = getpwnam(fromsu);
 	}
 diff -x CVS -x '*cvs*' -ruN Linux-PAM-0.77/modules/pammodutil/Makefile Linux-PAM/modules/pammodutil/Makefile
 --- Linux-PAM-0.77/modules/pammodutil/Makefile	2001-12-09 23:15:12.000000000 +0100
 +++ Linux-PAM/modules/pammodutil/Makefile	2003-01-14 06:43:07.000000000 +0100
@@ -18,7 +18,8 @@
   -DLIBPAM_VERSION_MINOR=$(MINOR_REL)
 
 # all the object files we care about
 -LIBOBJECTS = modutil_cleanup.o modutil_getpwnam.o modutil_getpwuid.o
 +LIBOBJECTS = modutil_cleanup.o modutil_getpwnam.o modutil_getpwuid.o \
 +	modutil_getlogin.o
 
 # static library name
 LIBSTATIC = $(LIBNAME).a
 diff -x CVS -x '*cvs*' -ruN Linux-PAM-0.77/modules/pammodutil/include/security/_pam_modutil.h Linux-PAM/modules/pammodutil/include/security/_pam_modutil.h
 --- Linux-PAM-0.77/modules/pammodutil/include/security/_pam_modutil.h	2001-12-09 23:15:12.000000000 +0100
 +++ Linux-PAM/modules/pammodutil/include/security/_pam_modutil.h	2003-01-14 06:43:08.000000000 +0100
@@ -15,7 +15,7 @@
  * On systems that simply can't support thread safe programming, these
  * functions don't support it either - sorry.
  *
 - * Copyright (c) 2001 Andrew Morgan <morgan@kernel.org>
 + * Copyright (c) 2001-2002 Andrew Morgan <morgan@kernel.org>
  */
 
 #include <pwd.h>
@@ -30,4 +30,6 @@
 extern void _pammodutil_cleanup(pam_handle_t *pamh, void *data,
 				int error_status);
 
 +extern const char *_pammodutil_getlogin(pam_handle_t *pamh);
 +
 #endif /* _PAM_MODUTIL_H */
 diff -x CVS -x '*cvs*' -ruN Linux-PAM-0.77/modules/pammodutil/modutil_getlogin.c Linux-PAM/modules/pammodutil/modutil_getlogin.c
 --- Linux-PAM-0.77/modules/pammodutil/modutil_getlogin.c	1970-01-01 01:00:00.000000000 +0100
 +++ Linux-PAM/modules/pammodutil/modutil_getlogin.c	2003-01-14 06:43:08.000000000 +0100
@@ -0,0 +1,71 @@
 +/*
 + * $Id: cvs-fixes.patch,v 1.3 2003/05/18 06:06:14 clifford Exp $
 + *
 + * A central point for invoking getlogin(). Hopefully, this is a
 + * little harder to spoof than all the other versions that are out
 + * there.
 + */
 +
 +#include <stdlib.h>
 +#include <unistd.h>
 +#include <utmp.h>
 +
 +#include "pammodutil.h"
 +
 +#define _PAMMODUTIL_GETLOGIN "_pammodutil_getlogin"
 +
 +const char *_pammodutil_getlogin(pam_handle_t *pamh)
 +{
 +    int status;
 +    const char *logname, *curr_tty;
 +    char *curr_user;
 +    struct utmp *ut, line;
 +
 +    status = pam_get_data(pamh, _PAMMODUTIL_GETLOGIN,
 +			  (const void **) &logname);
 +    if (status == PAM_SUCCESS) {
 +	return logname;
 +    }
 +
 +    status = pam_get_item(pamh, PAM_TTY, (const void **) &curr_tty);
 +    if ((status != PAM_SUCCESS) || (curr_tty == NULL)) {
 +	curr_tty = ttyname(0);
 +    }
 +
 +    if ((curr_tty == NULL) || memcmp(curr_tty, "/dev/", 5)) {
 +	return NULL;
 +    }
 +
 +    curr_tty += 5;  /* strlen("/dev/") */
 +    logname = NULL;
 +
 +    setutent();
 +    strncpy(line.ut_line, curr_tty, sizeof(line.ut_line));
 +
 +    if ((ut = getutline(&line)) == NULL) {
 +	goto clean_up_and_go_home;
 +    }
 +
 +    curr_user = calloc(sizeof(line.ut_user)+1, 1);
 +    if (curr_user == NULL) {
 +	goto clean_up_and_go_home;
 +    }
 +
 +    strncpy(curr_user, ut->ut_user, sizeof(ut->ut_user));
 +    curr_user[sizeof(line.ut_user)] = '\0';
 +
 +    status = pam_set_data(pamh, _PAMMODUTIL_GETLOGIN, logname,
 +			  _pammodutil_cleanup);
 +    if (status != PAM_SUCCESS) {
 +	free(curr_user);
 +	goto clean_up_and_go_home;
 +    }
 +
 +    logname = curr_user;
 +
 +clean_up_and_go_home:
 +
 +    endutent();
 +
 +    return logname;
 +}
--- a/package/base/pam/etc_pamd_shadow.txt
+++ b/package/base/pam/etc_pamd_shadow.txt
@ -1,11 +0,0 @@
 #
 # PAM Configuration for all shadow utils like:
 # chpasswd, groupadd, groupdel, groupmod, newusers, useradd, userdel, usermod.
 #
 # Some documentation on this file format can be found at:
 # http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html
 #

 auth		sufficient	pam_rootok.so
 account		required	pam_permit.so
 password	required	pam_permit.so
--- a/package/base/pam/etc_pamd_su.txt
+++ b/package/base/pam/etc_pamd_su.txt
@ -1,18 +0,0 @@
 #
 # PAM Configuration for 'su'. The only difference to the 'other' config
 # ist the 'pam_rootok.so' entry for 'auth'.
 #
 # Some documentation on this file format can be found at:
 # http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html
 #

 auth		sufficient	pam_rootok.so
 auth		required	pam_unix.so	nullok

 account		required	pam_unix.so

 session		required	pam_unix.so

 password	required	pam_cracklib.so
 password	required	pam_unix.so	use_authtok md5

--- a/package/base/pam/pam.conf
+++ b/package/base/pam/pam.conf
@ -28,18 +28,11 @@ libdir="$root/lib"

 install_pam_configs() {
 	mkdir -p $root/etc/pam.d
 	for x in other su shadow; do
 		if [ ! -f $root/etc/pam.d/$x ]; then
 			cp -v $confdir/etc_pamd_$x.txt $root/etc/pam.d/$x
 		else
 			touch $root/etc/pam.d/$x
 		fi
 	done
 	for x in useradd chage; do
 		if [ ! -f $root/etc/pam.d/$x ]; then
 			ln -s shadow $root/etc/pam.d/$x
 		fi
 	done
 	if [ ! -f $root/etc/pam.d/other ]; then
 		cp -v $confdir/etc_pamd_other.txt $root/etc/pam.d/other
 	else
 		touch $root/etc/pam.d/other
 	fi
 }

 # Install default pam.d/* files (without them,
--- a/package/base/pam/pam.desc
+++ b/package/base/pam/pam.desc
@ -33,15 +33,14 @@

 [A] Andrew Morgan <morgan@kernel.org>
 [M] Clifford Wolf <clifford@clifford.at>
 [M] Chris Hamilton <chris@ambigc.com>

 [C] base/library
 [F] CORE

 [L] GPL
 [S] Stable
 [V] 0.77
 [V] 0.78
 [P] X -?-3-----9 178.700

 [D] 1107552607 Linux-PAM-0.77.tar.bz2 http://www.kernel.org/pub/linux/libs/pam/pre/library/
 [D] 2736585773 Linux-PAM-0.78.tar.bz2 http://www.kernel.org/pub/linux/libs/pam/pre/library/

--- a/package/base/pam/pic-and-linker.patch
+++ b/package/base/pam/pic-and-linker.patch
@ -1,165 +0,0 @@
 # --- ROCK-COPYRIGHT-NOTE-BEGIN ---
 # 
 # This copyright note is auto-generated by ./scripts/Create-CopyPatch.
 # Please add additional copyright information _after_ the line containing
 # the ROCK-COPYRIGHT-NOTE-END tag. Otherwise it might get removed by
 # the ./scripts/Create-CopyPatch script. Do not edit this copyright text!
 # 
 # ROCK Linux: rock-src/package/base/pam/pic-and-linker.patch
 # ROCK Linux is Copyright (C) 1998 - 2004 Clifford Wolf
 # 
 # This patch file is dual-licensed. It is available under the license the
 # patched project is licensed under, as long as it is an OpenSource license
 # as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
 # of the GNU General Public License as published by the Free Software
 # Foundation; either version 2 of the License, or (at your option) any later
 # version.
 # 
 # --- ROCK-COPYRIGHT-NOTE-END ---

 diff -durN Linux-PAM-0.77-orig/configure.in Linux-PAM-0.77/configure.in
 --- Linux-PAM-0.77-orig/configure.in	2002-07-09 08:17:13.000000000 +0200
 +++ Linux-PAM-0.77/configure.in	2004-11-19 11:22:20.614688504 +0100
@@ -309,8 +309,9 @@
 		WARNINGS="$GCC_WARNINGS"
 		PIC="-fPIC"
 		DYNTYPE=so
 -		LD=ld				
 -		LD_L="$LD -x -shared"
 +		LD=gcc
 +		LD_L="$LD -shared -Xlinker -x"
 +		SOSWITCH="-Xlinker -soname -Xlinker"
 		RANLIB=ranlib
 		STRIP=strip
 		CC_STATIC="-Xlinker -export-dynamic"
 diff -durN Linux-PAM-0.77-orig/configure Linux-PAM-0.77/configure
 --- Linux-PAM-0.77-orig/configure	2002-07-09 08:17:13.000000000 +0200
 +++ Linux-PAM-0.77/configure	2004-11-19 11:22:20.616688200 +0100
@@ -2479,8 +2479,9 @@
 		WARNINGS="$GCC_WARNINGS"
 		PIC="-fPIC"
 		DYNTYPE=so
 -		LD=ld				
 -		LD_L="$LD -x -shared"
 +		LD=gcc
 +		LD_L="$LD -shared -Xlinker -x"
 +		SOSWITCH="-Xlinker -soname -Xlinker"
 		RANLIB=ranlib
 		STRIP=strip
 		CC_STATIC="-Xlinker -export-dynamic"
 diff -durN Linux-PAM-0.77-orig/libpam/Makefile Linux-PAM-0.77/libpam/Makefile
 --- Linux-PAM-0.77-orig/libpam/Makefile	2001-12-09 22:44:58.000000000 +0100
 +++ Linux-PAM-0.77/libpam/Makefile	2004-11-19 11:22:20.616688200 +0100
@@ -84,7 +84,7 @@
 endif
 
 dynamic/%.o : %.c
 -	$(CC) $(CFLAGS) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
 +	$(CC) $(CFLAGS) $(CPPFLAGS) $(TARGET_ARCH) $(PIC) -c $< -o $@
 
 static/%.o : %.c
 	$(CC) $(CFLAGS) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
 diff -durN Linux-PAM-0.77-orig/libpamc/Makefile Linux-PAM-0.77/libpamc/Makefile
 --- Linux-PAM-0.77-orig/libpamc/Makefile	2001-02-10 08:17:53.000000000 +0100
 +++ Linux-PAM-0.77/libpamc/Makefile	2004-11-19 11:22:20.617688048 +0100
@@ -51,7 +51,7 @@
 endif
 
 dynamic/%.o : %.c
 -	$(CC) $(CFLAGS) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
 +	$(CC) $(CFLAGS) $(CPPFLAGS) $(TARGET_ARCH) $(PIC) -c $< -o $@
 
 static/%.o : %.c
 	$(CC) $(CFLAGS) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
 diff -durN Linux-PAM-0.77-orig/libpam_misc/Makefile Linux-PAM-0.77/libpam_misc/Makefile
 --- Linux-PAM-0.77-orig/libpam_misc/Makefile	2002-06-27 06:04:54.000000000 +0200
 +++ Linux-PAM-0.77/libpam_misc/Makefile	2004-11-19 11:22:20.617688048 +0100
@@ -52,7 +52,7 @@
 endif
 
 dynamic/%.o : %.c
 -	$(CC) $(CFLAGS) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
 +	$(CC) $(CFLAGS) $(CPPFLAGS) $(TARGET_ARCH) $(PIC) -c $< -o $@
 
 static/%.o : %.c
 	$(CC) $(CFLAGS) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
 diff -durN Linux-PAM-0.77-orig/modules/pam_filter/Makefile Linux-PAM-0.77/modules/pam_filter/Makefile
 --- Linux-PAM-0.77-orig/modules/pam_filter/Makefile	2001-11-11 08:43:54.000000000 +0100
 +++ Linux-PAM-0.77/modules/pam_filter/Makefile	2004-11-19 11:22:39.087880152 +0100
@@ -29,7 +29,7 @@
 LIBOBJS = $(addprefix static/,$(LIBOBJ))
 
 dynamic/%.o : %.c
 -	$(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
 +	$(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) $(PIC) -c $< -o $@
 
 static/%.o : %.c
 	$(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
 diff -durN Linux-PAM-0.77-orig/modules/pam_tally/Makefile Linux-PAM-0.77/modules/pam_tally/Makefile
 --- Linux-PAM-0.77-orig/modules/pam_tally/Makefile	2001-06-27 08:20:43.000000000 +0200
 +++ Linux-PAM-0.77/modules/pam_tally/Makefile	2004-11-19 11:22:39.087880152 +0100
@@ -27,7 +27,7 @@
 APPOBJS = $(addprefix static/,$(APPOBJ))
     
 dynamic/%.o : %.c
 -	$(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
 +	$(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) $(PIC) -c $< -o $@
 
 static/%.o : %.c
 	$(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
 diff -durN Linux-PAM-0.77-orig/modules/pam_unix/Makefile Linux-PAM-0.77/modules/pam_unix/Makefile
 --- Linux-PAM-0.77-orig/modules/pam_unix/Makefile	2001-02-11 07:33:53.000000000 +0100
 +++ Linux-PAM-0.77/modules/pam_unix/Makefile	2004-11-19 11:22:39.087880152 +0100
@@ -72,7 +72,7 @@
 all: dirs info $(PLUS) $(LIBSHARED) $(LIBSTATIC) $(CHKPWD) register
 
 dynamic/%.o : %.c
 -	$(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
 +	$(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) $(PIC) -c $< -o $@
 
 static/%.o: %.c
 	$(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
@@ -125,21 +125,27 @@
 unix_chkpwd.o: unix_chkpwd.c
 	$(CC) $(CFLAGS) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
 
 +yppasswd_xdr.o: yppasswd_xdr.c
 +	$(CC) $(CFLAGS) $(CPPFLAGS) $(TARGET_ARCH) $(PIC) -c $< -o $@
 +
 +bigcrypt.o: bigcrypt.c
 +	$(CC) $(CFLAGS) $(CPPFLAGS) $(TARGET_ARCH) $(PIC) -c $< -o $@
 +
 md5_good.o: md5.c
 	$(CC) $(CFLAGS) $(CPPFLAGS) -DHIGHFIRST -D'MD5Name(x)=Good##x' \
 -		$(TARGET_ARCH) -c $< -o $@
 +		$(TARGET_ARCH) $(PIC) -c $< -o $@
 
 md5_broken.o: md5.c
 	$(CC) $(CFLAGS) $(CPPFLAGS) -D'MD5Name(x)=Broken##x' \
 -		$(TARGET_ARCH) -c $< -o $@
 +		$(TARGET_ARCH) $(PIC) -c $< -o $@
 
 md5_crypt_good.o: md5_crypt.c
 	$(CC) $(CFLAGS) $(CPPFLAGS) -D'MD5Name(x)=Good##x' \
 -		$(TARGET_ARCH) -c $< -o $@
 +		$(TARGET_ARCH) $(PIC) -c $< -o $@
 
 md5_crypt_broken.o: md5_crypt.c
 	$(CC) $(CFLAGS) $(CPPFLAGS) -D'MD5Name(x)=Broken##x' \
 -		$(TARGET_ARCH) -c $< -o $@
 +		$(TARGET_ARCH) $(PIC) -c $< -o $@
 
 install: all
 	mkdir -p $(FAKEROOT)$(SECUREDIR)
 diff -durN Linux-PAM-0.77-orig/modules/Simple.Rules Linux-PAM-0.77/modules/Simple.Rules
 --- Linux-PAM-0.77-orig/modules/Simple.Rules	2001-12-09 23:15:11.000000000 +0100
 +++ Linux-PAM-0.77/modules/Simple.Rules	2004-11-19 11:22:20.617688048 +0100
@@ -35,7 +35,7 @@
 all: dirs $(LIBSHARED) $(LIBSTATIC) register
 
 dynamic/%.o : %.c
 -	$(CC) $(CFLAGS) $(INCLUDE_PAMMODUTILS) $(DYNAMIC) $(TARGET_ARCH) -c $< -o $@
 +	$(CC) $(CFLAGS) $(INCLUDE_PAMMODUTILS) $(DYNAMIC) $(TARGET_ARCH) $(PIC) -c $< -o $@
 
 static/%.o : %.c
 	$(CC) $(CFLAGS) $(INCLUDE_PAMMODUTILS) $(STATIC) $(TARGET_ARCH) -c $< -o $@
--- a/package/base/shadow/pamd-userdel.patch
+++ b/package/base/shadow/pamd-userdel.patch
@ -0,0 +1,8 @@
 --- ./etc/pam.d/userdel.orig	2004-12-22 20:15:47.894472968 +0100
 +++ ./etc/pam.d/userdel	2004-12-22 20:15:23.889122336 +0100
@@ -0,0 +1,5 @@
 +#%PAM-1.0 
 +# /etc/pam.d/userdel
 +auth		sufficient	pam_rootok.so
 +auth		required	pam_unix.so
 +account		required	pam_permit.so
--- a/package/base/shadow/shadow.conf
+++ b/package/base/shadow/shadow.conf
@ -28,6 +28,15 @@ pc_shadow() {
 pm_shadow() {
 	cp etc/limits etc/login.access $root/etc/
 	cp etc/login.defs.linux $root/etc/login.defs
 	if [ -d $root/etc/pam.d ]; then
 		for x in etc/pam.d/[a-z]*; do
 			if [ -f $root/$x ]; then
 				touch $root/$x
 			else
 				cp $x $root/$x
 			fi
 		done
 	fi
 	touch $root/var/log/lastlog $root/var/log/faillog
 	[ -f $root/usr/bin/login ] && mv $root/usr/bin/login  $root/bin/
 	[ -f $root/usr/bin/su    ] && mv $root/usr/bin/su     $root/bin/