Merge pull request #1706 from flatcar/krnowak/pam

Move sys-libs/pam to portage-stable

Author: krnowak

.github/workflows/portage-stable-packages-list

@@ -179,6 +179,7 @@ app-shells/gentoo-bashcomp
 app-text/asciidoc
 app-text/build-docbook-catalog
 app-text/docbook-xml-dtd
+app-text/docbook-xsl-ns-stylesheets
 app-text/docbook-xsl-stylesheets
 app-text/mandoc
 app-text/manpager
@@ -318,8 +319,8 @@ dev-python/fastjsonschema
 dev-python/flit-core
 dev-python/gentoo-common
 dev-python/gpep517
-dev-python/hatchling
 dev-python/hatch-vcs
+dev-python/hatchling
 dev-python/idna
 dev-python/installer
 dev-python/jaraco-collections
@@ -504,8 +505,8 @@ licenses
 
 media-libs/libpng
 
-net-analyzer/openbsd-netcat
 net-analyzer/netperf
+net-analyzer/openbsd-netcat
 net-analyzer/tcpdump
 net-analyzer/traceroute
 
@@ -633,6 +634,7 @@ sys-apps/util-linux
 sys-apps/which
 sys-apps/zram-generator
 
+sys-auth/pambase
 sys-auth/polkit
 sys-auth/sssd
 
@@ -705,6 +707,7 @@ sys-libs/libunwind
 sys-libs/liburing
 sys-libs/libxcrypt
 sys-libs/ncurses
+sys-libs/pam
 sys-libs/readline
 sys-libs/talloc
 sys-libs/tdb

build_library/prod_image_util.sh

@@ -158,10 +158,14 @@ create_prod_image() {
 L+  /etc/ld.so.conf     -   -   -   -   ../usr/lib/ld.so.conf
 EOF
 
-  # Move the PAM configuration into /usr
-  sudo mkdir -p ${root_fs_dir}/usr/lib/pam.d
-  sudo mv -n ${root_fs_dir}/etc/pam.d/* ${root_fs_dir}/usr/lib/pam.d/
-  sudo rmdir ${root_fs_dir}/etc/pam.d
+  local -a bad_pam_files
+  mapfile -t -d '' bad_pam_files < <(find "${root_fs_dir}"/etc/security "${root_fs_dir}"/etc/pam.d ! -type d ! -name '.keep*' -print0)
+  if [[ ${#bad_pam_files[@]} -gt 0 ]]; then
+    error "Found following PAM config files: ${bad_pam_files[@]#"${root_fs_dir}"}"
+    error "Expected them to be either removed or, better, vendored (/etc/pam.d files should be in /usr/lib/pam, /etc/security files should be in /usr/lib/pam/security)."
+    error "Vendoring can be done with vendorize_pam_files inside a post_src_install hook for the package that installed the config file."
+    die "PAM config errors spotted"
+  fi
 
   # Remove source locale data, only need to ship the compiled archive.
   sudo rm -rf ${root_fs_dir}/usr/share/i18n/

build_packages

@@ -266,13 +266,18 @@ if [[ "${FLAGS_usepkgonly}" -eq "${FLAGS_FALSE}" ]]; then
   # lvm2[udev] -> virtual/udev -> systemd[cryptsetup] -> cryptsetup -> lvm2
   # lvm2[systemd] -> systemd[cryptsetup] -> cryptsetup -> lvm2
   # systemd[cryptsetup] -> cryptsetup[udev] -> virtual/udev -> systemd
+  # systemd[tpm] -> tpm2-tss -> util-linux[udev] -> virtual/udev -> systemd
   # curl[http2] -> nghttp2[systemd] -> systemd[curl] -> curl
+  # sys-libs/pam[systemd] -> sys-apps/system[pam] -> sys-libs/pam
+  #   not dropping pam from sys-apps/systemd, otherwise we would need
+  #   to drop pam from sys-auth/pambase
   break_dep_loop sys-apps/util-linux udev,systemd,cryptsetup \
                  sys-fs/cryptsetup udev \
                  sys-fs/lvm2 udev,systemd \
                  sys-apps/systemd cryptsetup,tpm \
                  net-misc/curl http2 \
-                 net-libs/nghttp2 systemd
+                 net-libs/nghttp2 systemd \
+                 sys-libs/pam systemd
 fi
 
 if [[ "${FLAGS_only_resolve_circular_deps}" -eq "${FLAGS_TRUE}" ]]; then

changelog/security/2025-10-29-pam.md

@@ -0,0 +1 @@
+- pam ([CVE-2024-22365](https://nvd.nist.gov/vuln/detail/CVE-2024-22365), [CVE-2024-10041](https://nvd.nist.gov/vuln/detail/CVE-2024-10041), [CVE-2024-10963](https://nvd.nist.gov/vuln/detail/CVE-2024-10963), [CVE-2025-6020](https://nvd.nist.gov/vuln/detail/CVE-2025-6020))

changelog/updates/2025-10-29-pam.md

@@ -0,0 +1,2 @@
+- base, dev: pam ([1.7.1](https://github.com/linux-pam/linux-pam/releases/tag/v1.7.1) (includes [1.7.0](https://github.com/linux-pam/linux-pam/releases/tag/v1.7.0), [1.6.1](https://github.com/linux-pam/linux-pam/releases/tag/v1.6.1), [1.6.0](https://github.com/linux-pam/linux-pam/releases/tag/v1.6.0)))
+- base, dev: pambase ([20251013](https://gitweb.gentoo.org/proj/pambase.git/log/?h=pambase-20251013))

sdk_container/src/third_party/coreos-overlay/coreos-base/oem-vmware/files/manglefs.sh

@@ -8,8 +8,6 @@ cd "${rootfs}"
 
 # Move stuff out of /etc. The systemd unit files are patched to create
 # symlinks from /etc to those directories.
-mkdir -p usr/lib/pam.d
-mv etc/pam.d/vmtoolsd usr/lib/pam.d/vmtoolsd
 mkdir -p usr/share/flatcar/oem-vmware
 mv etc/vmware-tools usr/share/flatcar/oem-vmware/vmware-tools
 

sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-admin/sudo

@@ -1,9 +1,12 @@
-cros_post_src_install_keep_etc_sudoers_d() {
-    # Flatcar: Build system installs /etc/sudoers.d, let's make
-    # sure we keep having it.
+cros_post_src_install_flatcar_modifications() {
+    # Build system installs /etc/sudoers.d, let's make sure we keep
+    # having it.
     #
     # Upstream PR: https://github.com/gentoo/gentoo/pull/37397
     keepdir /etc/sudoers.d
+
+    # Move pam files to /usr.
+    vendorize_pam_files
 }
 
 # We don't ship OpenLDAP schemas (why?) and we provide sudo.conf

sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-emulation/open-vm-tools

@@ -0,0 +1,3 @@
+cros_post_src_install_vendorize_pam() {
+    vendorize_pam_files
+}

sdk_container/src/third_party/coreos-overlay/coreos/config/env/dev-libs/cyrus-sasl

@@ -3,3 +3,7 @@
 # obviously won't work in case of cross-compilation, so we state up
 # front that SPNEGO is supported.
 export ac_cv_gssapi_supports_spnego=yes
+
+cros_post_src_install_vendorize_pam() {
+    vendorize_pam_files
+}

sdk_container/src/third_party/coreos-overlay/coreos/config/env/dev-libs/libpwquality

@@ -0,0 +1,3 @@
+cros_post_src_install_vendorize_pam() {
+    vendorize_pam_files
+}