I have a number of near-identical machines that are updated from binary packages built on a single "master". The latest update bricked the machine I tested on - all the emerge steps went through fine but PAM was broken. I found that the PAM libraries are linked against libnsl.so.2 - which exists on the master as a dependency of a dependency of something, but is not declared as a dependency of PAM so wasn't installed. Admittedly I'm probably triggering an obscure corner case but, as I understand it, if package A links against package B, ever, then it should have some declared (possibly conditional) dependency.

Reproducible: Always

Steps to Reproduce:
1. Build PAM on a machine with libnsl
2. Remove libnsl
3. emerge --emptytree from the prebuilt packages that worked absolutely fine before

Actual Results:
System bricked - cannot log in - PAM fails every time

Expected Results:
It ought to work fine!

$ equery uses pam
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for sys-libs/pam-1.3.0-r2:
 U I
 - - audit      : Enable support for Linux audit subsystem using sys-process/audit
 + + berkdb     : Build the pam_userdb module, that allows to authenticate users against a Berkeley DB file. Please note that enabling this USE flag will create a PAM module that links to the Berkeley DB (as provided by sys-libs/db) installed in /usr/lib and will thus not work for boot-critical services authentication.
 + + cracklib   : Build the pam_cracklib module, that allows to verify the chosen passwords' strength through the use of sys-libs/cracklib. Please note that simply enabling the USE flag on this package will not make use of pam_cracklib by default, you should also enable it in sys-auth/pambase as well as update your configuration files.
 - - debug      : Enable extra debug codepaths, like asserts and extra output. If you want to get meaningful backtraces see https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Backtraces
 + + filecaps   : Use Linux file capabilities to control privilege rather than set*id (this is orthogonal to USE=caps which uses capabilities at runtime e.g. libcap)
 + + nis        : Support for NIS/YP services
 + + nls        : Add Native Language Support (using gettext - GNU locale utilities)
 + + pie        : Build programs as Position Independent Executables (a security hardening technique)
 - - test       : Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
 - - vim-syntax : Pulls in related vim syntax scripts
Please post the "emerge --info sys-libs/pam" output from your "master" machine.
This cannot be done for a number of reasons:
1.) libnsl installed by glibc and net-libs/libnsl are different; they cannot replace each other.
2.) Both have different installation PATHs: glibc's one is /lib64 while net-libs/libnsl's one is /usr/lib64. Taking into account the linker's search order, once you are on a glibc-based system you are going to use glibc's implementation.
3.) pam upstream does not recommend a libc other than glibc, as even musl is not supported officially.
That said, I fail to see where this change could be applied.
Created attachment 603440: Output of emerge --info sys-libs/pam
With USE="-nis", /lib64/security/pam_unix.so is linked against:
libpam.so.0, libcrypt.so.1, libc.so.6

With USE="nis" and net-libs/libnsl installed, /lib64/security/pam_unix.so is linked against:
libpam.so.0, libcrypt.so.1, libnsl.so.2, libtirpc.so.3, libc.so.6

configure.ac contains:
https://github.com/linux-pam/linux-pam/blob/v1.3.1/configure.ac#L452-L483
『
AS_IF([test "x$enable_nis" != "xno"], [
  ...
  PKG_CHECK_MODULES([NSL], [libnsl], [], [AC_CHECK_LIB([nsl],[yp_match],[NSL_LIBS="-lnsl"],[NSL_LIBS=""])])
  CFLAGS="$CFLAGS $NSL_CFLAGS"
  CPPFLAGS="$CPPFLAGS $NSL_CFLAGS"
  LIBS="$LIBS $NSL_LIBS"
  AC_CHECK_FUNCS([yp_get_default_domain yperr_string yp_master yp_bind yp_match yp_unbind])
  AC_CHECK_FUNCS([getrpcport rpcb_getaddr])
  AC_CHECK_HEADERS([rpc/rpc.h rpcsvc/ypclnt.h rpcsvc/yp_prot.h])
  AC_CHECK_DECLS([getrpcport], , , [
#if HAVE_RPC_RPC_H
# include <rpc/rpc.h>
#endif
  ])
』

yp_get_default_domain, yperr_string, yp_master, yp_bind, yp_match, yp_unbind are functions from net-libs/libnsl.
rpcsvc/ypclnt.h and rpcsvc/yp_prot.h are headers from net-libs/libnsl.

modules/pam_unix/Makefile.am contains:
https://github.com/linux-pam/linux-pam/blob/v1.3.1/modules/pam_unix/Makefile.am#L19-L33
『
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
	-DCHKPWD_HELPER=\"$(sbindir)/unix_chkpwd\" \
	-DUPDATE_HELPER=\"$(sbindir)/unix_update\" \
	@TIRPC_CFLAGS@ @NSL_CFLAGS@
...
pam_unix_la_LIBADD = $(top_builddir)/libpam/libpam.la \
	@LIBCRYPT@ @LIBSELINUX@ @TIRPC_LIBS@ @NSL_LIBS@
』

modules/pam_unix/pam_unix_passwd.c contains:
https://github.com/linux-pam/linux-pam/blob/v1.3.1/modules/pam_unix/pam_unix_passwd.c#L160-L165
『
#ifdef HAVE_YP_GET_DEFAULT_DOMAIN
	if ((err = yp_get_default_domain(&domainname)) != 0) {
		pam_syslog(pamh, LOG_WARNING, "can't get local yp domain: %s",
			 yperr_string(err));
		return NULL;
	}
』
https://github.com/linux-pam/linux-pam/blob/v1.3.1/modules/pam_unix/pam_unix_passwd.c#L181
『
	if ((err = yp_master(domainname, "passwd.byname", &master)) != 0) {
』

modules/pam_unix/support.c contains:
https://github.com/linux-pam/linux-pam/blob/v1.3.1/modules/pam_unix/support.c#L399-L421
『
#if defined(HAVE_YP_GET_DEFAULT_DOMAIN) && defined (HAVE_YP_BIND) && defined (HAVE_YP_MATCH) && defined (HAVE_YP_UNBIND)
	if (!matched && nis) {
		char *userinfo = NULL, *domain = NULL;
		int len = 0, i;

		len = yp_get_default_domain(&domain);
		if (len == YPERR_SUCCESS) {
			len = yp_bind(domain);
		}
		if (len == YPERR_SUCCESS) {
			i = yp_match(domain, "passwd.byname", name,
				     strlen(name), &userinfo, &len);
			yp_unbind(domain);
			if ((i == YPERR_SUCCESS) && ((size_t)len < sizeof(buf))) {
				strncpy(buf, userinfo, sizeof(buf) - 1);
				buf[sizeof(buf) - 1] = '\0';
				matched = 1;
			}
		}
	}
#else
	/* we don't have NIS support, make compiler happy. */
	nis = 0;
#endif
』

Solution is to make sys-libs/pam[nis] depend on both net-libs/libnsl[${MULTILIB_USEDEP}] and net-libs/libtirpc[${MULTILIB_USEDEP}].
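The failure described in this report (a binary package whose module has a NEEDED entry for a soname the target never installed) is cheap to detect before deployment: read the dynamic section of each shipped object and check that every NEEDED soname resolves on the target. The script below is an added example written for this discussion, not code from the bug report, from Linux-PAM or from the Gentoo ebuild. The `readelf -d` output it parses is constructed to match the USE="nis" link shown above, and the target's library list is likewise constructed; `check_file` is the same check run against a real object and assumes that `readelf` (binutils) and `ldconfig` are available on the host.

```shell
#!/bin/sh
# Added example: find NEEDED sonames of an ELF object that a target system
# cannot satisfy. Parses `readelf -d` output; needs only sed/tr from POSIX.

# needed_sonames: read `readelf -d` output on stdin, print one NEEDED soname per line.
needed_sonames() {
    sed -n 's/.*(NEEDED)[^[]*\[\([^]]*\)].*/\1/p'
}

# missing_sonames NEEDED AVAILABLE: print each soname in $1 that is not in $2.
# Both arguments are whitespace-separated lists of sonames.
missing_sonames() {
    needed=$1
    available=$2
    for so in $needed; do
        found=0
        for have in $available; do
            [ "$so" = "$have" ] && { found=1; break; }
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$so"
    done
    return 0
}

# Constructed sample: the relevant lines of `readelf -d /lib64/security/pam_unix.so`
# for a USE="nis" build linked against libnsl and libtirpc (not captured output).
SAMPLE_READELF='Dynamic section at offset 0x1bd30 contains 28 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libpam.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypt.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libnsl.so.2]
 0x0000000000000001 (NEEDED)             Shared library: [libtirpc.so.3]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [pam_unix.so]
 0x000000000000000c (INIT)               0x5000'

# Constructed: sonames present on a target that never had net-libs/libnsl installed.
TARGET_LIBS='libpam.so.0 libcrypt.so.1 libtirpc.so.3 libc.so.6'

# check_sample: run the check over the constructed data; prints the sonames
# the target lacks (here: libnsl.so.2, the one that broke login).
check_sample() {
    needed=$(printf '%s\n' "$SAMPLE_READELF" | needed_sonames | tr '\n' ' ')
    missing_sonames "$needed" "$TARGET_LIBS"
}

# check_file PATH: the same check against a real object, comparing its NEEDED
# entries with the sonames the dynamic loader knows from `ldconfig -p`.
# Assumes readelf and ldconfig exist on the host; run it on the target
# (or against the target's ld.so.cache) before an --emptytree rebuild.
check_file() {
    available=$(ldconfig -p | sed -n 's/^[[:space:]]*\([^ ]*\) (.*/\1/p' | tr '\n' ' ')
    needed=$(readelf -d "$1" | needed_sonames | tr '\n' ' ')
    missing_sonames "$needed" "$available"
}

# Usage: `check_sample` prints libnsl.so.2; `check_file /lib64/security/pam_unix.so`
# prints nothing on a correctly provisioned target.
```

Looping `check_file` over every `*.so` in a binary package's file list on a staging copy of the target turns the linker-level fact Arfrever established above (pam_unix.so needs both libnsl.so.2 and libtirpc.so.3) into a pre-deployment gate, independent of whether the ebuild's RDEPEND happens to be correct.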
Thanks, Arfrever, that's what I suspected. For now, I will patch locally as you propose, and await a proper fix in due course.
Created attachment 603444: Patch
Comment on attachment 603444: Patch

This way libtirpc dependency is pointless.
(In reply to Mikle Kolyada from comment #7)
> Comment on attachment 603444
> Patch
>
> This way libtirpc dependency is pointless.

What do you mean?
pam_unix.so is linked against both libnsl.so.2 and libtirpc.so.3 libraries, and uses functions from both of them.

https://github.com/linux-pam/linux-pam/blob/v1.3.1/modules/pam_unix/pam_unix_passwd.c#L186-L217 uses rpcb_getaddr from libtirpc.

So the getNISserver() function first uses yp_get_default_domain(&domainname) (from libnsl) to fill the domainname variable (char *), next uses yp_master(domainname, "passwd.byname", &master) (from libnsl) to fill the master variable (char *), next uses rpcb_getaddr(YPPASSWDPROG, YPPASSWDPROC_UPDATE, nconf, &svcaddr, master) (from libtirpc) to fill the svcaddr variable (struct netbuf).

Clearly both libnsl and libtirpc are needed for full functionality.
(In reply to Arfrever Frehtes Taifersar Arahesis from comment #8)
> (In reply to Mikle Kolyada from comment #7)
> > Comment on attachment 603444
> > Patch
> >
> > This way libtirpc dependency is pointless.
>
> What do you mean?

I'm guessing he means that the explicit dependency on libtirpc could be dropped "without effect", since libnsl also depends on it. However, that's not a good argument. As you rightly say, pam links to both and therefore should depend on both. The only question is whether it's correct to drop the minimum version for libtirpc?
I talked to upstream recently in person; not a bug as per their consideration.
I beg your pardon, Mikle? How do you make that out? And how do you figure "upstream" even give a damn about the Gentoo ebuild? This is a REAL BUG and it's a BUG IN THE EBUILD - it's not appropriate to reject it just because "upstream" don't understand or care about that. I reject your rejection.
There is no bug in the ebuild. What you suggest is incorrect anyway.
Automagic dependency is clearly a bug.
https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Automagic_dependencies

sys-libs/pam-1.3.1_p20200128[nis] is still affected.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dc0acfdf76a4be94e175bf683674f1af13551631

commit dc0acfdf76a4be94e175bf683674f1af13551631
Author:     Mikle Kolyada <zlogene@gentoo.org>
AuthorDate: 2020-08-29 12:45:24 +0000
Commit:     Mikle Kolyada <zlogene@gentoo.org>
CommitDate: 2020-08-29 12:47:04 +0000

    sys-libs/pam: take new snapshot

    Now pam_unix.so can be made optional

    Closes: https://bugs.gentoo.org/705532
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>

 sys-libs/pam/Manifest                   |   1 +
 sys-libs/pam/pam-1.4.0_p20200829.ebuild | 132 ++++++++++++++++++++++++++++++++
 2 files changed, 133 insertions(+)