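# When bootstrapping, we omit the verification of the source
# tarball with GnuPG.
%bcond_with bootstrap

# Do we want to replace UNIX shadow file with the
# tcb password shadowing scheme?
%bcond_with replace_shadow

# Do we want to replace the pam_unix module with pam_tcb?
# Defaults to "yes" whenever the shadow file itself is replaced.
%if %{with replace_shadow}
%bcond_without replace_pam_unix
%else
%bcond_with replace_pam_unix
%endif

# Build with -Werror enabled?
%bcond_without werror

# Explicit SONAME version to avoid accidental bumps.
%global tcb_sover 0
%global tcb_sover_full %{tcb_sover}.9.8
%global tcbnss_sover 2

# Macros for shorthand.
%global _fipsdir %{_libdir}/fipscheck
%global git_url https://github.com/openwall/%{name}

# Additional CFLAGS for build.
%global tcb_cflags -DENABLE_SETFSUGID -DENABLE_NLS -DNLS_PACKAGE=\\\\\\"Linux-PAM\\\\\\"

# Fail linking if there are undefined symbols.
%global _ld_strict_symbol_defs 1

# Add generation of HMAC checksums of the final stripped binaries.
# %%define with lazy expansion is used here intentionally, as some
# of the macros needed in here are only defined when this macro will
# be expanded by rpm after the %%install stage in the spec file.
# The HMACs are written next to the (already stripped) binaries into
# %%{_fipsdir}, so they must be generated after debuginfo extraction.
%define __spec_install_post \
  %{?__debug_package:%{__debug_install_post}} \
  %{__arch_install_post} \
  %{__os_install_post} \
  libdir="%{buildroot}%{_libdir}" \
  fipsdir="%{buildroot}%{_fipsdir}" \
  pamdir="%{buildroot}%{_pam_moduledir}" \
  chkpwddir="%{buildroot}%{_libexecdir}/chkpwd" \
  sbindir="%{buildroot}%{_sbindir}" \
  mkdir -p -m 0755 $fipsdir \
  fipshmac -d $fipsdir \\\
    $libdir/lib%{name}.{a,so.%{tcb_sover_full}} \\\
    $libdir/libnss_%{name}.so.%{tcbnss_sover} \\\
    $pamdir/pam_%{name}.so \\\
    $chkpwddir/%{name}_chkpwd \\\
    $sbindir/%{name}_{,un}convert \
  ln -s lib%{name}.so.%{tcb_sover_full}.hmac \\\
    $fipsdir/lib%{name}.so.%{tcb_sover}.hmac \
  if [ %{with replace_pam_unix} -eq 1 ]; then \
    for pammod in pwdb unix unix_acct unix_auth \\\
                  unix_passwd unix_session; do \
      ln -s pam_%{name}.so.hmac \\\
        $fipsdir/pam_$pammod.so.hmac \
    done \
  fi \
%{nil}

Name:           tcb
Version:        1.2
Release:        0.4%{?dist}
Summary:        Implementation of the %{name} password shadowing scheme

License:        BSD or GPL+
URL:            https://www.openwall.com/%{name}
Source0:        https://download.openwall.net/pub/projects/%{name}/%{name}-%{version}.tar.gz
Source1:        https://download.openwall.net/pub/projects/%{name}/%{name}-%{version}.tar.gz.sign
# Upstream signing keyring, used by %%{gpgverify} in %%prep unless bootstrapping.
Source2:        https://www.openwall.com/signatures/openwall-offline-signatures.asc

# From upstream.
Patch0:         %{git_url}/commit/0991c9c74d29.patch#/%{name}-1.2-README_libxcrypt.patch
Patch1:         %{git_url}/commit/893946eeb309.patch#/%{name}-1.2-whitespace.patch
Patch2:         %{git_url}/commit/0d364a4223c6.patch#/%{name}-1.2-gitignore_new_file.patch
Patch3:         %{git_url}/commit/713b2268a97d.patch#/%{name}-1.2-CI.patch
Patch4:         %{git_url}/commit/67df835063c9.patch#/%{name}-1.2-pam_tcb_fix_autoprefix.patch
Patch5:         %{git_url}/commit/31680980473a.patch#/%{name}-1.2-libnss_tcb_soname.patch
Patch6:         %{git_url}/commit/78e5db1de7b2.patch#/%{name}-1.2-libnss_tcb_no_LIBNSL.patch
Patch7:         %{git_url}/commit/10ab0c566b75.patch#/%{name}-1.2-Makefile_mkdir_install.patch
Patch8:         %{git_url}/commit/72ef702a886c.patch#/%{name}-1.2-libnss_tcb_readdir.patch
Patch9:         %{git_url}/commit/9ca829209098.patch#/%{name}-1.2-fix_email.patch
Patch10:        %{git_url}/commit/6b4fdb4dab18.patch#/%{name}-1.2-pam_tcb_PAM_SO_SUFFIX.patch
Patch11:        %{git_url}/commit/8d1ae6f3ecd8.patch#/%{name}-1.2-pam_tcb_SONAME.patch
Patch12:        %{git_url}/commit/85d29f483205.patch#/%{name}-1.2-gitignore_PAM_SO_SUFFIX.patch
Patch13:        %{git_url}/commit/f46ca812c6cf.patch#/%{name}-1.2-pam_tcb_Wpedantic.patch
Patch14:        %{git_url}/commit/f74cc9dab2f7.patch#/%{name}-1.2-Make_defs_Wextra_Werror.patch
Patch15:        %{git_url}/commit/13fa8a45069a.patch#/%{name}-1.2-CI_Werror.patch
Patch16:        %{git_url}/commit/70d37e2956be.patch#/%{name}-1.2-misc_sysusers.patch
Patch17:        %{git_url}/commit/acccd4165147.patch#/%{name}-1.2-misc_pkgconfig.patch
Patch18:        %{git_url}/commit/070cf4aa784d.patch#/%{name}-1.2-Make_defs_MANDIR.patch
Patch19:        %{git_url}/pull/10.patch#/%{name}-1.2-pam_tcb_SELinux_userauth.patch

BuildRequires:  fipscheck
BuildRequires:  gcc
%if %{without bootstrap}
BuildRequires:  gnupg2
%endif
BuildRequires:  make
BuildRequires:  libxcrypt-devel
BuildRequires:  pam-devel
BuildRequires:  systemd-rpm-macros

# For keeping the system-groups and filesystem locations available.
Requires:       %{name}-common = %{version}-%{release}

%description
The %{name} package consists of three components: pam_%{name}, libnss_%{name},
and lib%{name}.

pam_%{name} is a PAM module which supersedes pam_unix and pam_pwdb. It also
implements the %{name} password shadowing scheme (see %{name}(5) for details).
The %{name} scheme allows many core system utilities (passwd(1) being the
primary example) to operate with little privilege.

libnss_%{name} is the accompanying NSS module.

lib%{name} contains code shared by the PAM and NSS modules and is also used by
programs from the shadow-utils package.


%package        common
Summary:        Common files needed for %{name}
BuildArch:      noarch
Requires:       %{name} = %{version}-%{release}
# Needed to run groupadd during %%pre.
Requires(pre):  shadow-utils

%description    common
This package owns the directories used by the %{name} password shadowing
scheme, and also contains the presets used by systemd-sysusers.


%package        devel
Summary:        Development files for %{name}
Requires:       %{name}%{?_isa} = %{version}-%{release}

%description    devel
This package contains the development files needed for building
%{name}-aware applications.


%package        static
Summary:        Static library for -static linking with %{name}
Requires:       %{name}%{?_isa} = %{version}-%{release}
Requires:       %{name}-devel%{?_isa} = %{version}-%{release}

%description    static
This package contains the lib%{name} static library for -static linking.
You don't need this package, unless you want to link statically, which is
highly discouraged.


%package        utils
Summary:        Utility programs for %{name}
Requires:       %{name}%{?_isa} = %{version}-%{release}
# To have the needed system groups created before
# a possible conversion is performed during %%post.
Requires(post): %{name}-common = %{version}-%{release}
# For recent /etc/login.defs file.
Requires(post): shadow-utils
# Needed for rm and mv.
Requires(post): coreutils

%description    utils
This package contains the utility programs for %{name}.  They are needed for
conversions from UNIX shadow file to the %{name} password shadowing scheme,
and vice-versa.


%package -n     nss-%{name}
Summary:        NSS module for interfacing with the %{name} password shadowing scheme
Requires:       %{name}%{?_isa} = %{version}-%{release}
%if %{with replace_shadow} && !(0%{?fedora} > 40 || 0%{?rhel} > 13)
# No need to keep this forever as the utility programs are just needed
# to convert existing installations of the operating system using a UNIX
# shadow file to tcb password shadowing scheme during system-upgrade.
# Also intentionally no archful dependency here, so the (already present)
# package with the native system architecture will be enough to satisfy
# the requirement on multi-arch installations of the pam_tcb module.
Requires:       %{name}-utils = %{version}-%{release}
%endif
Provides:       nss_%{name} = %{version}-%{release}
Provides:       nss_%{name}%{?_isa} = %{version}-%{release}

%description -n nss-%{name}
The nss_%{name} Name Service Switch module is needed to obtain data of local
system users and to authenticate them, when the %{name} password shadowing
scheme (see %{name}(5) for details) is used on the system.


%package -n     pam-%{name}
Summary:        PAM module for authentication with the %{name} password shadowing scheme
Requires:       %{name}%{?_isa} = %{version}-%{release}
Requires:       nss-%{name}%{?_isa} = %{version}-%{release}
# To create the needed system groups before the packaged files
# are being installed.
Requires(pre):  %{name}-common = %{version}-%{release}
%if %{with replace_shadow} && !(0%{?fedora} > 40 || 0%{?rhel} > 13)
# No need to keep this forever as the utility programs are just needed
# to convert existing installations of the operating system using a UNIX
# shadow file to tcb password shadowing scheme during system-upgrade.
# Also intentionally no archful dependency here, so the (already present)
# package with the native system architecture will be enough to satisfy
# the requirement on multi-arch installations of the pam_tcb module.
Requires:       %{name}-utils = %{version}-%{release}
%endif
%if %{with replace_pam_unix}
# The pam_unix*/pam_pwdb modules packaged in %%files below would collide
# with the ones shipped by the pam package.
Conflicts:      pam < 0.0.1-0
%endif
Provides:       pam_%{name} = %{version}-%{release}
Provides:       pam_%{name}%{?_isa} = %{version}-%{release}

%description -n pam-%{name}
The pam_%{name} Pluggable Authentication Module supersedes pam_unix and
pam_pwdb. It is needed for authentication of local system users with the
%{name} password shadowing scheme (see %{name}(5) for details).


%prep
%if %{without bootstrap}
# Omitted during bootstrap.
%{gpgverify} --keyring=%{SOURCE2} --signature=%{SOURCE1} --data=%{SOURCE0}
%endif
%autosetup -p 1


%build
CFLAGS="%{?build_cflags} %{tcb_cflags}" \
LDFLAGS="%{?build_ldflags}" \
%make_build \
%if %{with werror}
  WERROR=1 \
%endif
  ;


%install
# %%make_install does not work here.
make \
  install-non-root \
%if %{with replace_pam_unix}
  install-pam_pwdb \
  install-pam_unix \
%endif
  install-sysusers \
  install-sysusers-auth \
  DESTDIR=%{buildroot} \
  INCLUDEDIR=%{_includedir} \
  MANDIR=%{_mandir} \
  LIBDIR=%{_libdir} \
  LIBEXECDIR=%{_libexecdir} \
  PKGCONFIGDIR=%{_libdir}/pkgconfig \
  PREFIX=%{_prefix} \
  SBINDIR=%{_sbindir} \
  SLIBDIR=%{_libdir} \
  SYSUSERSDIR=%{_sysusersdir} \
  INSTALL="install -p" \
  MKDIR="mkdir"

# Directory holding the tcb password shadowing scheme.
mkdir -p -m 0710 %{buildroot}%{_sysconfdir}/%{name}

# Documentation files.
mkdir -p -m 0755 %{buildroot}%{_pkgdocdir}
install -pm 0644 README ChangeLog %{buildroot}%{_pkgdocdir}


%pre common
# Try to create the needed groups, if not existing already, in an
# old-fashioned best-effort way, as we need them to be present instantly
# within the same transaction, and the sysusers preset files would get
# evaluated during %%posttrans, which is by far too late.  Also invoking
# sysusers directly here would result in a too heavy dependency chain for
# having these groups available as early as possible during e.g. running
# a system-upgrade.
# Try to create the group with its FPC-assigned soft-static preallocated
# gid first, if that fails, create the group with the next dynamic gid
# available.  See: https://pagure.io/packaging-committee/issue/1107.
getent group shadow >/dev/null || \
  groupadd -g 101 -r shadow || \
  groupadd -r shadow
getent group chkpwd >/dev/null || \
  groupadd -g 121 -r chkpwd || \
  groupadd -r chkpwd
getent group auth >/dev/null || \
  groupadd -g 197 -r auth || \
  groupadd -r auth
# Never fail %%pre; a non-zero exit here would abort installation of the package.
exit 0


%if %{with replace_shadow}
%post utils
# Convert shadow to tcb on first installation / system-upgrade.
if [ "$1" -eq 1 ] && [ ! -e %{_sysconfdir}/%{name} ] && [ -e %{_sysconfdir}/shadow ]
then
  # Only retire the UNIX shadow file once the conversion has actually
  # succeeded; removing it after a failed or partial conversion would leave
  # the system without a usable credential store.
  if %{_sbindir}/%{name}_convert
  then
%if %{with replace_pam_unix}
    # Move the unused UNIX shadow file and its tempfile out of the way.
    rm -f %{_sysconfdir}/shadow{,~}
%else
    :
%endif
  else
    echo "%{name}_convert failed; leaving %{_sysconfdir}/shadow in place." >&2
  fi
fi
exit 0
%endif


%files
%dir %{_fipsdir}
%dir %{_pkgdocdir}
%doc %{_pkgdocdir}/README
%license LICENSE
%{_fipsdir}/lib%{name}.so.%{tcb_sover_full}.hmac
%{_fipsdir}/lib%{name}.so.%{tcb_sover}.hmac
%{_libdir}/lib%{name}.so.%{tcb_sover_full}
%{_libdir}/lib%{name}.so.%{tcb_sover}
%{_mandir}/man5/%{name}.5*

%files common
# Only root and the chkpwd group may enter the helper directory.
%attr(0710,root,chkpwd) %dir %{_libexecdir}/chkpwd
# The shadow directory is traversable by group shadow only.
%attr(0710,root,shadow) %ghost %{_sysconfdir}/%{name}
%{_sysusersdir}/%{name}-auth.conf
%{_sysusersdir}/%{name}.conf

%files devel
%doc %{_pkgdocdir}/ChangeLog
%{_includedir}/%{name}.h
%{_libdir}/lib%{name}.so
%{_libdir}/pkgconfig/%{name}.pc

%files static
%{_fipsdir}/lib%{name}.a.hmac
%{_libdir}/lib%{name}.a

%files utils
%{_fipsdir}/%{name}_convert.hmac
%{_fipsdir}/%{name}_unconvert.hmac
%{_mandir}/man8/%{name}_convert.8*
%{_mandir}/man8/%{name}_unconvert.8*
%{_sbindir}/%{name}_convert
%{_sbindir}/%{name}_unconvert

%files -n nss-%{name}
%{_fipsdir}/libnss_%{name}.so.%{tcbnss_sover}.hmac
%{_libdir}/libnss_%{name}.so.%{tcbnss_sover}

%files -n pam-%{name}
%{_fipsdir}/%{name}_chkpwd.hmac
%{_fipsdir}/pam_%{name}.so.hmac
# setgid shadow, so the helper can reach the root:shadow 0710 shadow
# directory owned by -common; it is only executable from the chkpwd-only
# directory above.
%attr(2711,root,shadow) %{_libexecdir}/chkpwd/%{name}_chkpwd
%{_mandir}/man8/pam_%{name}.8*
%{_pam_moduledir}/pam_%{name}.so
%if %{with replace_pam_unix}
%{_fipsdir}/pam_pwdb.so.hmac
%{_fipsdir}/pam_unix.so.hmac
%{_fipsdir}/pam_unix_acct.so.hmac
%{_fipsdir}/pam_unix_auth.so.hmac
%{_fipsdir}/pam_unix_passwd.so.hmac
%{_fipsdir}/pam_unix_session.so.hmac
%{_mandir}/man8/pam_pwdb.8*
%{_mandir}/man8/pam_unix.8*
%{_pam_moduledir}/pam_pwdb.so
%{_pam_moduledir}/pam_unix.so
%{_pam_moduledir}/pam_unix_acct.so
%{_pam_moduledir}/pam_unix_auth.so
%{_pam_moduledir}/pam_unix_passwd.so
%{_pam_moduledir}/pam_unix_session.so
%endif


%changelog
* Tue Oct 12 2021 Björn Esser - 1.2-0.4
- Add patch for user authentication with SELinux in enforcing mode

* Tue Oct 05 2021 Björn Esser - 1.2-0.3
- Add soft-static group allocation preferring the gids as assigned by FPC
- Merge the filesystem and sysusers sub-packages into common sub-package

* Mon Oct 04 2021 Björn Esser - 1.2-0.2
- Remove archful requirements in noarch packages

* Mon Oct 04 2021 Björn Esser - 1.2-0.1
- Initial package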