commit 3768ad3640ee7fd859f7d8571b4b69520f6c5c05 Author: overweight <5324761+overweight@user.noreply.gitee.com> Date: Mon Sep 30 11:10:14 2019 -0400 Package init
diff --git a/0001-Disable-pylint-tests.patch b/0001-Disable-pylint-tests.patch
new file mode 100644
index 0000000..dd1c390
--- /dev/null
+++ b/0001-Disable-pylint-tests.patch
@@ -0,0 +1,31 @@
+From 5e4ef70a1fda792d7ca32311ecc29302c7b13ca5 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Sun, 1 Apr 2018 10:40:13 +0200
+Subject: [PATCH 1/2] Disable pylint tests
+
+---
+ tests/Makefile.am | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 0a7854eec62520014919ad3983db70c78be483e2..8c742a78e3ce8e822fbd7bd9d5735a010e2f0f80 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -22,9 +22,11 @@ TESTS = test_dict test_set test_tio test_expr test_getpeercred test_cfg \
+ test_attmap test_myldap.sh test_common test_nsscmds.sh \
+ test_pamcmds.sh test_manpages.sh test_clock \
+ test_tio_timeout
+-if HAVE_PYTHON
+- TESTS += test_pycompile.sh test_pylint.sh
+-endif
++
++#if HAVE_PYTHON
++# TESTS += test_pycompile.sh test_pylint.sh
++#endif
++
+ if ENABLE_PYNSLCD
+ TESTS += test_pynslcd_cache.py test_doctest.sh
+ endif
+--
+2.14.3
+
diff --git a/0002-Watch-for-uint32_t-overflows.patch b/0002-Watch-for-uint32_t-overflows.patch
new file mode 100644
index 0000000..8ae83a1
--- /dev/null
+++ b/0002-Watch-for-uint32_t-overflows.patch
@@ -0,0 +1,96 @@
+From ae0a9312c562985838fdd9845ef95fe61e8aa3de Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Sun, 1 Apr 2018 10:57:22 +0200
+Subject: [PATCH 2/2] Watch for uint32_t overflows
+
+Always use a function that we know will catch out-of-range values for UIDs and
+GIDs, which are currently unsigned 32-bit numbers everywhere, and which won't
+produce a result that'll silently be truncated if we store the result in a
+uid_t or gid_t.
+---
+ nslcd/common.c | 28 ++++++++++++++++------------
+ nslcd/common.h | 27 +++------------------------
+ 2 files changed, 19 insertions(+), 36 deletions(-)
+
+diff --git a/nslcd/common.c b/nslcd/common.c
+index 60be7773d2c809f3177744ced0dd0ba90c86e820..de640b47806757e0bb2e704b3b79f1ecb18bbc45 100644
+--- a/nslcd/common.c
++++ b/nslcd/common.c
+@@ -338,19 +338,23 @@ unsigned long int binsid2id(const char *binsid)
+ ((((unsigned long int)binsid[i + 3]) & 0xff) << 24);
+ }
+
+-#ifdef WANT_STRTOUI
+-/* provide a strtoui() implementation, similar to strtoul() but returning
+- an range-checked unsigned int instead */
+-unsigned int strtoui(const char *nptr, char **endptr, int base)
++/* provide a strtoid() implementation, similar to strtoul() but returning
++ an range-checked uint32_t instead */
++unsigned int strtoid(const char *nptr,char **endptr,int base)
+ {
+- unsigned long val;
+- val = strtoul(nptr, endptr, base);
+- if (val > UINT_MAX)
++ long long val;
++ /* use the fact that long long is 64-bit, even on 32-bit systems */
++ val=strtoll(nptr,endptr,base);
++ if (val>UINT32_MAX)
+ {
+- errno = ERANGE;
+- return UINT_MAX;
++ errno=ERANGE;
++ return UINT32_MAX;
+ }
+- /* If errno was set by strtoul, we'll pass it back as-is */
+- return (unsigned int)val;
++ else if (val < 0)
++ {
++ errno=EINVAL;
++ return UINT32_MAX;
++ }
++ /* If errno was set, we'll pass it back as-is */
++ return (uint32_t)val;
+ }
+-#endif /* WANT_STRTOUI */
+diff --git a/nslcd/common.h b/nslcd/common.h
+index
26fcf48ae2a6dc50bc97fab238ecc9a1879342ce..97d386eaf1f6881182729c5d8e46ce30d2d28eba 100644
+--- a/nslcd/common.h
++++ b/nslcd/common.h
+@@ -161,31 +161,10 @@ void invalidator_do(enum ldap_map_selector map);
+ #define BUFLEN_HOSTNAME 256 /* host names or FQDN (and safe version) */
+ #define BUFLEN_MESSAGE 1024 /* message strings */
+
+-/* provide strtouid() function alias */
+-#if SIZEOF_UID_T == SIZEOF_UNSIGNED_LONG_INT
+-#define strtouid (uid_t)strtoul
+-#elif SIZEOF_UID_T == SIZEOF_UNSIGNED_LONG_LONG_INT
+-#define strtouid (uid_t)strtoull
+-#elif SIZEOF_UID_T == SIZEOF_UNSIGNED_INT
+-#define WANT_STRTOUI 1
+-#define strtouid (uid_t)strtoui
+-#else
+-#error unable to find implementation for strtouid()
+-#endif
+
+-/* provide strtogid() function alias */
+-#if SIZEOF_GID_T == SIZEOF_UNSIGNED_LONG_INT
+-#define strtogid (gid_t)strtoul
+-#elif SIZEOF_GID_T == SIZEOF_UNSIGNED_LONG_LONG_INT
+-#define strtogid (gid_t)strtoull
+-#elif SIZEOF_GID_T == SIZEOF_UNSIGNED_INT
+-#ifndef WANT_STRTOUI
+-#define WANT_STRTOUI 1
+-#endif
+-#define strtogid (gid_t)strtoui
+-#else
+-#error unable to find implementation for strtogid()
+-#endif
++uint32_t strtoid(const char *nptr,char **endptr,int base);
++#define strtouid (uid_t)strtoid
++#define strtogid (gid_t)strtoid
+
+ #ifdef WANT_STRTOUI
+ /* provide a strtoui() if it is needed */
+--
+2.14.3
+
diff --git a/Create-var-run-nslcd-socket-after-dropping-privilege.patch b/Create-var-run-nslcd-socket-after-dropping-privilege.patch
new file mode 100644
index 0000000..0873ccb
--- /dev/null
+++ b/Create-var-run-nslcd-socket-after-dropping-privilege.patch
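Review bot: The range check in the new `strtoid()` still accepts 4294967295 itself, because `if (val>UINT32_MAX)` rejects only larger values, so a directory-supplied ID equal to `UINT32_MAX` comes back as `(uid_t)-1`, which is both the value this function returns on error and the value POSIX reserves as the "no change" ID for calls such as chown(). Whether the callers already refuse that value is not visible in this patch, so I would either tighten the test to `if (val>=UINT32_MAX)` or document above the function that callers must clear `errno` before the call and reject `(uid_t)-1`. The definition in common.c is written `unsigned int strtoid(...)` while the prototype added to common.h is `uint32_t strtoid(...)`; the two should agree, `uint32_t strtoid(const char *nptr,char **endptr,int base)`. The `#ifdef WANT_STRTOUI` block left as context at the end of the common.h hunk looks dead now that nothing visible defines the macro.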
@@ -0,0 +1,50 @@
+From 3760b43241b579406242961c551b9fb25b0c673b Mon Sep 17 00:00:00 2001
+From: Arthur de Jong
+Date: Sat, 21 Jul 2018 11:14:08 +0200
+Subject: [PATCH 01/10] Create /var/run/nslcd/socket after dropping privileges
+
+This is needed to avoid a problem where a call to initgroups() can
+result in NSS lookups. If nscd is configured the mechanism to avoid
+loopback lookups using nss_ldap_enablelookups will not work and cause
+for delays on start-up.
+
+Note that this changes ownership of the socket to the user running
+nslcd.
+---
+ nslcd/nslcd.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/nslcd/nslcd.c b/nslcd/nslcd.c
+index 82c09ab..be14ac9 100644
+--- a/nslcd/nslcd.c
++++ b/nslcd/nslcd.c
+@@ -2,7 +2,7 @@
+ nslcd.c - ldap local connection daemon
+
+ Copyright (C) 2006 West Consulting
+- Copyright (C) 2006-2017 Arthur de Jong
++ Copyright (C) 2006-2018 Arthur de Jong
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+@@ -769,8 +769,6 @@ int main(int argc, char *argv[])
+ exit(EXIT_FAILURE);
+ }
+ adjust_oom_score();
+- /* create socket */
+- nslcd_serversocket = create_socket(NSLCD_SOCKET);
+ /* start subprocess to do invalidating if reconnect_invalidate is set */
+ for (i = 0; i < LM_NONE; i++)
+ if (nslcd_cfg->reconnect_invalidate[i])
+@@ -825,6 +823,8 @@ int main(int argc, char *argv[])
+ }
+ log_log(LOG_DEBUG, "setuid(%lu) done", (unsigned long int)nslcd_cfg->uid);
+ }
++ /* create socket */
++ nslcd_serversocket = create_socket(NSLCD_SOCKET);
+ /* start worker threads */
+ log_log(LOG_INFO, "accepting connections");
+ nslcd_threads = (pthread_t *)malloc(nslcd_cfg->threads * sizeof(pthread_t));
+--
+2.19.1
+
diff --git a/Fix-crash-in-chsh.ldap.patch b/Fix-crash-in-chsh.ldap.patch
new file mode 100644
index 0000000..efe4156
--- /dev/null
+++ b/Fix-crash-in-chsh.ldap.patch
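Review bot: The relocated `/* create socket */` comment in the last nslcd.c hunk does not record why the call now has to follow the setuid() block, so a later cleanup could move it back above the privilege drop; I would write `/* create socket only after dropping privileges so start-up NSS lookups from initgroups() cannot loop back to it */`, which is the reason the commit message gives. Because create_socket() now runs as the configured user, that user needs write access to the socket directory and ends up owning the socket, so anything else kept in that directory becomes replaceable by the same account and the packaging has to be reviewed with that in mind. main() starts and ends outside these hunks, so how a create_socket() failure is reported at this later point in start-up cannot be judged from here.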
@@ -0,0 +1,32 @@
+From bfcf0025b6ba264e6c0c1899d9de2bad8f39ee1a Mon Sep 17 00:00:00 2001
+From: Mizunashi Mana
+Date: Wed, 5 Sep 2018 20:06:31 +0900
+Subject: [PATCH 09/10] Fix crash in chsh.ldap
+
+Specify result type of getusershell.
+
+Closes https://github.com/arthurdejong/nss-pam-ldapd/pull/31
+---
+ utils/shells.py | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/utils/shells.py b/utils/shells.py
+index dcabfaf..92dba2f 100644
+--- a/utils/shells.py
++++ b/utils/shells.py
+@@ -28,9 +28,11 @@ import sys
+ def list_shells():
+ """List the shells from /etc/shells."""
+ libc = ctypes.CDLL(ctypes.util.find_library("c"))
++ getusershell = libc.getusershell
++ getusershell.restype = ctypes.c_char_p
+ libc.setusershell()
+ while True:
+- shell = ctypes.c_char_p(libc.getusershell()).value
++ shell = getusershell()
+ if not shell:
+ break
+ yield shell
+--
+2.19.1
+
diff --git a/nslcd.service b/nslcd.service
new file mode 100644
index 0000000..61ae1fd
--- /dev/null
+++ b/nslcd.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Naming services LDAP client daemon.
+After=syslog.target network.target named.service dirsrv.target slapd.service
+Documentation=man:nslcd(8) man:nslcd.conf(5)
+
+[Service]
+Type=forking
+PIDFile=/var/run/nslcd/nslcd.pid
+ExecStart=/usr/sbin/nslcd
+RestartSec=10s
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
diff --git a/nslcd.tmpfiles b/nslcd.tmpfiles
new file mode 100644
index 0000000..9e48805
--- /dev/null
+++ b/nslcd.tmpfiles
@@ -0,0 +1,2 @@
+# nslcd needs a directory in /var/run to store its pid file and socket
+d /var/run/nslcd 0775 nslcd root
diff --git a/nss-pam-ldapd-0.9.9.tar.gz b/nss-pam-ldapd-0.9.9.tar.gz
new file mode 100644
index 0000000..b63b26c
Binary files /dev/null and b/nss-pam-ldapd-0.9.9.tar.gz differ
diff --git a/nss-pam-ldapd-0.9.9.tar.gz.sig b/nss-pam-ldapd-0.9.9.tar.gz.sig
new file mode 100644
index 0000000..0113179
Binary files /dev/null and b/nss-pam-ldapd-0.9.9.tar.gz.sig differ
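Review bot: With `getusershell.restype = ctypes.c_char_p` the value yielded by `list_shells()` is still a `bytes` object under Python 3, so a caller comparing it with a `str` shell path would never match; if the utilities are meant to run on Python 3, `yield shell.decode('utf-8')` keeps the result a string. The hunk also shows `libc.setusershell()` without a matching `endusershell()`, but the function may continue past the last context line, so that needs checking in the full file. The spec added in this same commit configures with `--disable-utils`, so this patch may not reach the shipped package at all.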
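Review bot: `d /var/run/nslcd 0775 nslcd root` in nslcd.tmpfiles makes the runtime directory writable by both the nslcd user and group root, and its comment says the same directory holds the pid file that the unit's `PIDFile=/var/run/nslcd/nslcd.pid` hands to systemd. The socket patch in this commit does need the daemon user to create the socket there, but the same permission lets the unprivileged account remove or replace the pid file, so I would check whether group write is needed at all (`0755`) and whether the pid file can live in a root-owned location. The path should probably be `/run/nslcd`, since `/var/run` is a legacy alias on systemd systems.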
diff --git a/nss-pam-ldapd.spec b/nss-pam-ldapd.spec
new file mode 100644
index 0000000..7f48d4b
--- /dev/null
+++ b/nss-pam-ldapd.spec
@@ -0,0 +1,115 @@
+%define _hardened_build 1
+
+Name: nss-pam-ldapd
+Version: 0.9.9
+Release: 5
+Summary: NSS and PAM libraries for name lookups and authentication using LDAP
+License: LGPLv2+
+URL: http://arthurdejong.org/nss-pam-ldapd/
+Source0: http://arthurdejong.org/nss-pam-ldapd/nss-pam-ldapd-%{version}.tar.gz
+Source1: http://arthurdejong.org/nss-pam-ldapd/nss-pam-ldapd-%{version}.tar.gz.sig
+Source3: nslcd.tmpfiles
+Source4: nslcd.service
+
+Patch0001: 0001-Disable-pylint-tests.patch
+Patch0002: 0002-Watch-for-uint32_t-overflows.patch
+
+Patch9001: Create-var-run-nslcd-socket-after-dropping-privilege.patch
+Patch9002: Fix-crash-in-chsh.ldap.patch
+
+BuildRequires: gcc, openldap-devel, krb5-devel, autoconf, automake, pam-devel, systemd-units
+%{?systemd_requires}
+
+Recommends: nscd
+
+Provides: nss-ldapd = %{version}-%{release}
+Provides: nss_ldap = 265-12
+Provides: pam_ldap = 185-15
+
+Obsoletes: nss-ldapd < 0.7
+Obsoletes: nss_ldap < 265-11
+Obsoletes: pam_ldap < 185-15
+
+%description
+The nss-pam-ldapd package provides a Name Service Switch (NSS, nsswitch) module
+that allows your LDAP server to provide user account, group, host name, alias,
+netgroup, and basically any other information that you would normally get from
+/etc flat files or NIS. It also provides a Pluggable Authentication Module (PAM)
+to do identity and authentication management with an LDAP server on unix systems.
+
+%package help
+Summary: The help package for nss-pam-ldapd
+
+%description help
+This is the help package of nss-pam-ldapd which includes the man docs.
+
+%prep
+%autosetup -p1
+autoreconf -f -i
+
+%build
+%configure --libdir=/%{_lib} \
+ --disable-utils \
+ --with-pam-seclib-dir=/%{_lib}/security
+%make_build
+
+%check
+make check
+
+%install
+rm -rf $RPM_BUILD_ROOT
+%make_install
+mkdir -p $RPM_BUILD_ROOT/{%{_libdir},%{_unitdir}}
+install -p -m644 %{SOURCE4} $RPM_BUILD_ROOT/%{_unitdir}/
+
+ln -s libnss_ldap.so.2 $RPM_BUILD_ROOT/%{_lib}/libnss_ldap.so
+
+sed -i -e 's,^uid.*,uid nslcd,g' -e 's,^gid.*,gid ldap,g' \
+$RPM_BUILD_ROOT/%{_sysconfdir}/nslcd.conf
+touch -r nslcd.conf $RPM_BUILD_ROOT/%{_sysconfdir}/nslcd.conf
+mkdir -p -m 0755 $RPM_BUILD_ROOT/var/run/nslcd
+mkdir -p -m 0755 $RPM_BUILD_ROOT/%{_tmpfilesdir}
+install -p -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/%{_tmpfilesdir}/%{name}.conf
+
+%pre
+getent group ldap > /dev/null || \
+/usr/sbin/groupadd -r -g 55 ldap
+getent passwd nslcd > /dev/null || \
+/usr/sbin/useradd -r -g ldap -c 'LDAP Client User' \
+ -u 65 -d / -s /sbin/nologin nslcd 2> /dev/null || :
+
+%post
+/sbin/ldconfig
+%systemd_post nslcd.service
+
+%preun
+%systemd_preun nslcd.service
+
+%postun
+/sbin/ldconfig
+%systemd_postun_with_restart nslcd.service
+
+%files
+%doc AUTHORS ChangeLog COPYING HACKING NEWS README TODO
+%{_sbindir}/*
+/%{_lib}/*.so*
+/%{_lib}/security/pam_ldap.so
+%attr(0600,root,root) %config(noreplace) %verify(not md5 size mtime) /etc/nslcd.conf
+%attr(0644,root,root) %config(noreplace) %{_tmpfilesdir}/%{name}.conf
+%{_unitdir}/nslcd.service
+%attr(0775,nslcd,root) /var/run/nslcd
+
+%files help
+%{_mandir}/*/*
+
+%changelog
+* Mon Apr 08 2019 yanghua - 0.9.9-5
+- Type:bugfix
+- ID:NA
+- SUG:restart
+- DESC:Create /var/run/nslcd/socket after dropping privileges
+ Fix crash in chsh.ldap
+
+* Fri Mar 01 2019 openEuler Buildteam - 0.9.9-4
+- Package init
+
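Review bot: `Source1` ships the upstream detached signature, but nothing in `%prep` checks it, so the tarball is trusted on the strength of the committed copy alone, and `URL` and `Source0` both use plain `http://`. I would add the upstream signing key as a further `Source` and verify the tarball before `%autosetup` (for example with the `%{gpgverify}` macro where the distribution provides it), and switch the URLs to `https://` if the upstream site serves them. Separately, `--disable-utils` in `%build` means `Patch9002` (utils/shells.py) is applied but its code is presumably never built or installed, and in `%pre` the `2> /dev/null || :` after `useradd` hides a failed account creation that `%attr(0775,nslcd,root)` later depends on.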