When building freeradius I ran into the following problem: when building the rlm_unix dynamic module (trace follows) it tries to link with -lshadow, there is no libshadow.so (i'll get into that a bit later.) so libtool will make that a "-Wl,--whole-archive /usr/lib/libshadow.a -Wl,--no-whole-archive" sequence. rlm_unix is dynamic, but libshadow.a IS NOT compiled with -fPIC therefore the following errors are logged: ---8<--- /usr/lib/gcc-lib/alphaev56-unknown-linux-gnu/3.3.2/../../../../alphaev56-unknown-linux-gnu/bin/ld: /usr/lib/libshadow.a(pwauth.o): gp-relative relocation against dynamic symbol wipe_clear_pass /usr/lib/gcc-lib/alphaev56-unknown-linux-gnu/3.3.2/../../../../alphaev56-unknown-linux-gnu/bin/ld: /usr/lib/libshadow.a(pwauth.o): gp-relative relocation against dynamic symbol clear_pass /usr/lib/gcc-lib/alphaev56-unknown-linux-gnu/3.3.2/../../../../alphaev56-unknown-linux-gnu/bin/ld: /usr/lib/libshadow.a(pwauth.o): gp-relative relocation against dynamic symbol wipe_clear_pass /usr/lib/gcc-lib/alphaev56-unknown-linux-gnu/3.3.2/../../../../alphaev56-unknown-linux-gnu/bin/ld: /usr/lib/libshadow.a(pwauth.o): gp-relative relocation against dynamic symbol clear_pass ---8<--- hinting that libshadow.a should be compiled with -fPIC. If a libshadow.so were existent all would have gone well, as -dynamic modeles get built with -fPIC. Trying to build shadow-4.0.3-r9 it shows it DOES NOT BUILD .so libraries it even says in the release notes they are deleted. Building it will show that dynamic building fails because of a missing -lpam -lpam_misc library during linking. The problem seems to be related to the makefile, the LIBS= assignment is empty if that assignment is LIB="-lpam -lpam_misc" then linking works. This does prevent freeradius from being built.
Nico, what do you mean by "it even says in the release notes they are deleted"?
Thanks Nico, this is fixed in shadow-4.0.3-r10
I found some references to it in the NEWS file within the package... shadow-980626 => shadow-980724 - security: login no longer gives you a root shell if setgid() or initgroups() or setuid() fails for any reason, discovered by Ted Hickman <thickman@sy.net> - remove libshadow.so -> libshadow.so.x.x symlink after install - a few int -> uid_t type cleanups - fail immediately (don't retry) in *_lock() if euid != 0 - added sample PAM config files etc/pam.d/{passwd,su} - preliminary PAM support in su (untested - use at your own risk, comments and patches welcome!) - cleanup and more comments in OPIE code (Algis Rudys) - added support for TCFS (Transparent Cryptographic File System) (use ./configure --with-libtcfs, see http://tcfs.dia.unisa.it/ for more info), thanks to Aniello Del Sorbo ... I'll test the package when it arrives...
It compiled without troubles for me now, i'll use parts of it in the coming week to verify it still works... ;-)
reviewing the shado build the following struck me.... everything except /bin/su & /bin/groups are in /usr/bin or /usr/sbin... the libraries are in /usr/lib this means that su & groups won't work when /usr isn't mounted! (they also use libcrypt & libcrack ) maybe the libshadow.so and libmisc.so need to be on the /lib directory..? or su and groups can move to /usr/bin? groups is in the /usr/bin directory on redhat. su is in /bin there. Redhat doesn't use the crypt & crack libraries in the shadow-utils. Also pam isn't used there....
Azarah, would you mind commenting on this? I see the following comment in the Makefile.am: # XXX why are login and su in /bin anyway (other than for # historical reasons)? # # if the system is screwed so badly that it can't mount /usr, # you can (hopefully) boot single user, and then you're root # so you don't need these programs for recovery. # # also /lib/libshadow.so.x.xx (if any) could be moved to /usr/lib # and installation would be much simpler (just two directories, # $prefix/bin and $prefix/sbin, no install-data hacks...) It seems to me that we have three options, and I would like you to tell me which one would be best in your opinion (Az): 1. Move /bin/su, /bin/login and /bin/groups to /usr/bin based on the Makefile.am comment above. This means that libshadow.so and libmisc.so could stay in /usr/lib 2. Move /usr/lib/libshadow.so and /usr/lib/libmisc.so to /lib 3. Revert the ebuild to --disable-shared so that only libmisc.a and libshadow.a are built, but add -fPIC to the ebuild so that shared objects can link against these archives. Do you see any other options? What is your opinion? Presently -r9 builds only the static libs, and that is the stable version. -r10 builds the shared objs and installs them in /usr/lib, and is the ~arch version.
Either way I do not have an issue. I think there was issues with shared libshadow (anyone tried a bootstrap && emerge system with -r10 yet?), but I wont swear by it. You might run into issues with / bloat fanatics if you move the libs to /lib. If you however decide on .so's in /lib, please look at gen_usr_ldscript() in eutils.eclass ... BTW, does both pam 0.76 and 0.77 build with the shared libs?
Btw, /bin/login is hardcoded into agetty, so either we need another symlink, or the /lib/*.so is the best bet.
Or -fPIC I guess. It will be the smallest one (no extra files/libs/symlinks) ...
Az, I think the first thing I'll try is option 1 in comment 6. That's moving the binaries to /usr/bin. It's the most likely option to have problems, but on the other hand, if it works then we have removed three binaries from the root partition. I'll look into fixing agetty to use /usr/bin/login (and search for other programs/scripts that would need to be fixed). In order for this to happen, I'll package.mask -r10 for now and I'll test a bootstrap.
Re comment #10 login belongs in /bin please don't try to move it to /usr/bin
I go for -fPIC then. Aron, is it Ok to just add 'add-flags -fPIC' to the ebuild, or do you guys do it another way?
AFAICT, /bin/login doesn't use libshadow.so so that is not an issue for this one...
It will if you remerge pam with the shared libshadow around ...
fixed in shadow-4.0.4.1-r1 by adding -fPIC
Okay, I'll bite. But just because noone else does (even though they were going to more than a year ago..) <extra_quiet> THAT'S WRONG WRONG WRONG! </extra_quiet> libshadow, as well as libmisc, are internal to the shadow package and are not supposed to be in /usr/lib. In linux, shadow support is in libc5, well, ever since there are shadow passwords in linux, and in glibc2 forever. Just look what other distributions are doing. Why do you want to punish all the innocent shadow binaries with -fPIC? Way too cruel for my taste! BAM!
on 64 bit (risk-)architectures a lot of the code/data is only reached when base pointers to datastructures are used. That is because there is no place to store 64bit pointers inside an instruction (for risk at most 32bits wide) For static programs of fairly small sizes this is an academic issue. On 32 bit architectures that can reference memory directly from an struction the same... In my case freeradius is dynamicaly linked and it uses the shadow libraries to verify passwords. Because the shadow libraries were not -fPIC compiled they were preventing freeradius from building on 64bit architectures. Thats why sometimes -fPIC IS needed... As far as I'm concerned freeradius now build with the current options. Thanks.
Yes, that'd all be correct if freeradius really needed to link to libshadow; in that case it would be wrong to link non-pic objects into a shared lib on ALL arches. And it's still wrong to link pic objects into executables on ALL arches. BUT; what gentoo maintainers seem to forget is: (1) freeradius does NOT NEED libshadow. (2) libshadow and libmisc are internal libs to the shadow suite and should NOT EXIST in /usr/lib. It's just another example of 'If something unrelated breaks, -fPIC will cure it.' So let's start a little quiz: 1. What header file declares types and functions exported from libshadow? The shadow ebuild certainly does not install any headers. 2. Name the .deb, .tgz, or .rpm that provides libshadow.a in Deb/Slac/SuSE. 3. What function(s) does freeradius (really) need from libshadow? (4. I'll ask this Q later because it would give away the answers to 1.-3.)
Hans, I appreciate the expertise you bring to the table. Regarding shadow and freeradius, neither one is my area of expertise, I'm just helping out in an area that needs the help. If you want to provide some help, that's quite appreciated, but you might consider offering patches instead of quizzes. I'll re-open this bug in anticipation of your follow-up.
functions reference in the link errors are: 1) I didn't study libshadow and it's surroundings, just tried to get freeradius working. (a mail is underway on freeradius about this...) 2) No idea, don't use debian,Suse,Slacware I used to run Redhat 9 but that was announce to be scrapped about now, so I converted to something else..... here comes Gentoo 3) And the nominees are: - wipe_clear_pass - clear_pass as used in the rlm_unix module. Couldn't find a reference to those in glibc
appearantly the whole discussion is moot now, the rlm_unix module can link without -lshadow.... The make file still names the library though
easy to explain: src/modules/rlm_unix first checks for getspnam in libc: AC_CHECK_FUNCS(getspnam getusershell) checking for getspnam... yes checking for getusershell... yes next test is getspnam in libshadow: AC_CHECK_LIB(shadow, getspnam, [ unix_ldflags="${unix_ldflags} -lshadow" AC_DEFINE(HAVE_GETSPNAM) ] ) checking for getspnam in -lshadow... (result doesn't matter at this pt.) whether the test succeeds or not; doesn't matter; the first test already has found getspnam in libc and add HAVE_GETSPNAM in config.h; no effect on the generated code; only difference is: libshadow !found: nothing libshadow found: append -lshadow to ldflags probably because whoever wrote these tests did not expect shadow functions in more than one place. ^L Best fix that does not need modifications to other packages is simply to not install libshadow. Quoting from shadow-4.0.3/doc/README.linux: "Currently, libshadow.a is for internal use only, so if you see -lshadow in a Makefile of some other package, it is safe to remove it." But such Makefiles are rare, most configure scripts never put -lshadow in Makefiles if there is no libshadow. ___Debian___ simply skips libshadow and libmisc when moving files to their individual sub-packages. ___SuSE___ does this: ./configure [...] --disable-shared [...] make install DESTDIR=$RPM_BUILD_ROOT rm $RPM_BUILD_ROOT/lib/lib{misc,shadow}.{a,la} Slackware and RedHat may be doing the same or something completely different, but with the same result. so how about this::: --------8<--------8<--------8<--------8<--------8<--------8<--------8<-------- --- shadow-4.0.3/lib/Makefile.am~ Sat Oct 6 21:53:20 2001 +++ shadow-4.0.3/lib/Makefile.am Wed May 12 19:33:52 2004 @@ -4,7 +4,7 @@ DEFS = INCLUDES = -I$(top_srcdir) -lib_LTLIBRARIES = libshadow.la +noinst_LTLIBRARIES = libshadow.la libshadow_la_LDFLAGS = -version-info 0:0:0 libshadow_la_LIBADD = $(INTLLIBS) $(LIBCRYPT) $(LIBTCFS) $(LIBSKEY) $(LIBMD) \ --- shadow-4.0.3/libmisc/Makefile.am~ Sun Mar 10 08:11:55 2002 +++ shadow-4.0.3/libmisc/Makefile.am Wed May 12 19:34:43 2004 @@ -5,7 +5,7 @@ INCLUDES = -I$(top_srcdir) -I$(top_srcdir)/lib -lib_LTLIBRARIES = libmisc.la +noinst_LTLIBRARIES = libmisc.la libmisc_la_SOURCES = \ addgrps.c \ -------->8-------->8-------->8-------->8-------->8-------->8-------->8-------- ???
Hans, I still haven't forgotten this... just back from vacation and digging into bugs :-)
Thanks Hans! I used the Suse approach and removed the libraries instead of patching Makefile.am. That way I don't need to add an autoconf dep to the shadow package for now. Finally fixed. Please let me know if you spot something I did wrong.
