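# When bootstrapping, we omit the verification of the source
# tarball with GnuPG, and the fipscheck stage.
%bcond_with bootstrap

# Do we want to replace UNIX shadow file with the
# tcb password shadowing scheme?
%bcond_with replace_shadow

# Do we want to replace the pam_unix module with pam_tcb?
# Defaults to "yes" only when the shadow file itself is replaced.
%if %{with replace_shadow}
%bcond_without replace_pam_unix
%else
%bcond_with replace_pam_unix
%endif

# Build with -Werror enabled?
%bcond_without werror

# Explicit SONAME version to avoid accidental bumps.
%global tcb_sover 0
%global tcb_sover_full %{tcb_sover}.9.8
%global tcbnss_sover 2

# Macros for shorthand.
%global _fipsdir %{_libdir}/fipscheck
%global git_url https://github.com/openwall/%{name}

# Additional CFLAGS for build.
%global tcb_cflags -DENABLE_NLS -DNLS_PACKAGE=\\\\\\"Linux-PAM\\\\\\"

# Fail linking if there are undefined symbols.
%global _ld_strict_symbol_defs 1

%if %{without bootstrap}
# Add generation of HMAC checksums of the final stripped binaries.
# %%define with lazy expansion is used here intentionally, as some
# of the macros needed in here are only defined when this macro will
# be expanded by rpm after the %%install stage in the spec file.
# The checksums are written to %%{_fipsdir} and packaged in %%files below.
%define __spec_install_post \
  %{?__debug_package:%{__debug_install_post}} \
  %{__arch_install_post} \
  %{__os_install_post} \
  libdir="%{buildroot}%{_libdir}" \
  fipsdir="%{buildroot}%{_fipsdir}" \
  chkpwddir="%{buildroot}%{_libexecdir}/chkpwd" \
  sbindir="%{buildroot}%{_sbindir}" \
  mkdir -p -m 0755 $fipsdir \
  fipshmac -d $fipsdir \\\
    $libdir/lib%{name}.so.%{tcb_sover_full} \\\
    $chkpwddir/* $sbindir/* \
%{nil}
%endif

Name:           tcb
Version:        1.2
Release:        0.6%{?dist}
Summary:        The alternative scheme to /etc/shadow
License:        BSD-3-Clause OR GPL-1.0-or-later
URL:            https://www.openwall.com/%{name}
Source0:        https://download.openwall.net/pub/projects/%{name}/%{name}-%{version}.tar.gz
# Detached GnuPG signature for Source0 and the Openwall offline keyring
# used to verify it in %%prep (unless bootstrapping).
Source1:        https://download.openwall.net/pub/projects/%{name}/%{name}-%{version}.tar.gz.sign
Source2:        https://www.openwall.com/signatures/openwall-offline-signatures.asc

# Patch 0000: Changes committed on main branch since last release.
# NOTE(review): this compare URL follows the moving head of the "main"
# branch, so the patch content is neither pinned nor signature-verified;
# pin it to a specific commit if reproducible rebuilds are required.
Patch0000:      %{git_url}/compare/tcb-1.2...main.patch#/%{name}-1.2-main_commits.patch

# Patches 0001 - 2000: Cherry-picked commits from upstream.

# Patches 2001 - 3000: Submitted for review.
Patch2001:      %{git_url}/pull/10.patch#/%{name}-1.2-SELinux.patch
Patch2002:      %{git_url}/pull/31.patch#/%{name}-1.2-NSS_interfaces.patch

# Patches 3001 - 4000: Downstream patches (upstreamable).

# Patches 4001 - 5000: Downstream patches (vendor specific).

BuildRequires:  gcc, make
BuildRequires:  pkgconfig(libxcrypt)
%if %{without bootstrap}
# fipscheck provides fipshmac for __spec_install_post; gnupg2 backs %%{gpgverify}.
BuildRequires:  fipscheck, gnupg2
BuildRequires:  pkgconfig(pam)
%endif

# Virtual provides for the NSS module, which ships in the main package.
Provides:       nss_%{name} = %{version}-%{release}
Provides:       nss_%{name}%{?_isa} = %{version}-%{release}
Provides:       nss-%{name} = %{version}-%{release}
Provides:       nss-%{name}%{?_isa} = %{version}-%{release}

# For keeping the system-groups and filesystem locations available.
Requires(pre):  group(auth), group(shadow)

%description
The %{name} package consists of three components: pam_%{name}, libnss_%{name},
and lib%{name}.

pam_%{name} is a PAM module which supersedes pam_unix and pam_pwdb.
It also implements the %{name} password shadowing scheme (see %{name}(5) for
details). The %{name} scheme allows many core system utilities (passwd(1)
being the primary example) to operate with little privilege.

libnss_%{name} is the accompanying NSS module.

lib%{name} contains code shared by the PAM and NSS modules, and is also used
by programs from the shadow-utils package.

%package devel
Summary:        Development files for %{name}
Requires:       %{name}%{?_isa} = %{version}-%{release}

%description devel
This package contains the development files needed for building
%{name}-aware applications.

%package utils
Summary:        Utility programs for %{name}
Requires:       %{name}%{?_isa} = %{version}-%{release}
# For keeping the system-groups and filesystem locations available.
Requires(pre):  group(chkpwd), group(shadow)
# Needed for rm and mv.
Requires(post): coreutils
Requires(post): shadow-utils

%description utils
This package contains the utility programs for %{name}. They are needed for
conversions from UNIX shadow file to the %{name} password shadowing scheme,
and vice-versa.

%if %{without bootstrap}
%package -n pam-%{name}
Summary:        PAM module for authentication with the %{name} password shadowing scheme
Requires:       %{name}%{?_isa} = %{version}-%{release}
Requires:       %{name}-utils = %{version}-%{release}
%if %{with replace_pam_unix}
# NOTE(review): this version bound matches almost no pam build, so it will
# not prevent co-installation with a pam package that also ships pam_unix.so;
# confirm the intended conflict range.
Conflicts:      pam < 0.0.1-0
%endif
Provides:       pam_%{name} = %{version}-%{release}
Provides:       pam_%{name}%{?_isa} = %{version}-%{release}

%description -n pam-%{name}
The pam_%{name} Pluggable Authentication Module supersedes pam_unix and
pam_pwdb. It is needed for authentication of local system users with the
%{name} password shadowing scheme (see %{name}(5) for details).
%endif

%prep
%if %{without bootstrap}
# Verify the upstream tarball against its detached signature and the
# Openwall offline keyring before unpacking. Omitted during bootstrap.
%{gpgverify} --keyring=%{SOURCE2} --signature=%{SOURCE1} --data=%{SOURCE0}
%endif
%autosetup -p 1

%build
export CFLAGS="%{?build_cflags} %{tcb_cflags}"
export LDFLAGS="%{?build_ldflags}"
# The trailing ';' terminates the continuation left open by the last
# conditional argument line.
%make_build \
%if %{with bootstrap}
  OMIT_PAM_MODULE=1 \
%endif
%if %{with werror}
  WERROR=1 \
%endif
;

%install
# %% make_install does not work here.
make \
  install-non-root \
%if %{without bootstrap}
%if %{with replace_pam_unix}
  install-pam_pwdb \
  install-pam_unix \
%endif
%else
  OMIT_PAM_MODULE=1 \
%endif
  DESTDIR=%{buildroot} \
  INCLUDEDIR=%{_includedir} \
  MANDIR=%{_mandir} \
  LIBDIR=%{_libdir} \
  LIBEXECDIR=%{_libexecdir} \
  PKGCONFIGDIR=%{_libdir}/pkgconfig \
  PREFIX=%{_prefix} \
  SBINDIR=%{_sbindir} \
  SLIBDIR=%{_libdir} \
  SYSUSERSDIR=%{_sysusersdir} \
  INSTALL="install -p" \
  MKDIR="mkdir"

# Documentation files.
mkdir -p %{buildroot}%{_pkgdocdir}
install -pm 0644 README ChangeLog %{buildroot}%{_pkgdocdir}

%pre -p <lua>
-- This scriptlet was written in lua, intentionally, to avoid the requirement
-- on the bash shell interpreter to be already present, as this package should
-- be installable as early as possible within the transaction.
--
-- Ensure the auth, chkpwd, and shadow groups are really existing on the system
-- before the installation of this package starts, as we have special %%attr.
-- This should have been done by the setup package itself already, but just in
-- case to play it safe.
--
-- rpm.spawn is used when the running rpm provides it; older rpm falls back
-- to fork/exec with the child's stderr silenced.
if posix.access('/usr/bin/systemd-sysusers', 'x') then
  if rpm.spawn ~= nil then
    rpm.spawn({'/usr/bin/systemd-sysusers'}, {stderr='/dev/null'})
  else
    local pid = posix.fork()
    if pid == 0 then
      posix.redirect2null(2)
      posix.exec('/usr/bin/systemd-sysusers')
    elseif pid > 0 then
      posix.wait(pid)
    end
  end
end

%pre utils -p <lua>
-- Same as above, but for tcb-utils.
if posix.access('/usr/bin/systemd-sysusers', 'x') then
  if rpm.spawn ~= nil then
    rpm.spawn({'/usr/bin/systemd-sysusers'}, {stderr='/dev/null'})
  else
    local pid = posix.fork()
    if pid == 0 then
      posix.redirect2null(2)
      posix.exec('/usr/bin/systemd-sysusers')
    elseif pid > 0 then
      posix.wait(pid)
    end
  end
end

%if %{with replace_shadow}
%post utils
# Convert shadow to tcb on first installation / system-upgrade.
# $1 is the install count: 1 means a fresh install of this package.
if [ "$1" -eq 1 ] && [ ! -e %{_sysconfdir}/%{name} ] && [ -e %{_sysconfdir}/shadow ]
then
  # Only discard the UNIX shadow file once the conversion has succeeded;
  # a failed conversion must leave the original credentials in place.
  if %{_sbindir}/%{name}_convert
  then
    # Move the unused UNIX shadow file and its backup / temporary files
    # out of the way.
    rm -f %{_sysconfdir}/shadow %{_sysconfdir}/shadow- %{_sysconfdir}/shadow~
  else
    echo "%{name}_convert failed; keeping %{_sysconfdir}/shadow" >&2
  fi
fi
exit 0
%endif

%files
%doc %{_pkgdocdir}/README
%license LICENSE
%dir %{_pkgdocdir}
# The static library is built but intentionally not shipped.
%exclude %{_libdir}/lib%{name}.a
%if %{without bootstrap}
# HMAC checksums generated by __spec_install_post.
%dir %{_fipsdir}
%{_fipsdir}/lib%{name}.so.%{tcb_sover_full}.hmac
%endif
%{_libdir}/libnss_%{name}.so.%{tcbnss_sover}
%{_libdir}/lib%{name}.so.%{tcb_sover_full}
%{_libdir}/lib%{name}.so.%{tcb_sover}
%{_mandir}/man5/%{name}.5*

%files devel
%doc %{_pkgdocdir}/ChangeLog
%{_includedir}/%{name}.h
%{_libdir}/lib%{name}.so
%{_libdir}/pkgconfig/%{name}.pc

%files utils
# Mode 0710: only root and members of the chkpwd group may traverse
# the helper directory.
%attr(0710,root,chkpwd) %dir %{_libexecdir}/chkpwd
%if %{without bootstrap}
%{_fipsdir}/%{name}_chkpwd.hmac
%{_fipsdir}/%{name}_convert.hmac
%{_fipsdir}/%{name}_unconvert.hmac
%endif
# Mode 2711: setgid shadow helper, executable by group and others but
# readable only by root.
%attr(2711,root,shadow) %{_libexecdir}/chkpwd/%{name}_chkpwd
%{_mandir}/man8/%{name}_convert.8*
%{_mandir}/man8/%{name}_unconvert.8*
%{_sbindir}/%{name}_convert
%{_sbindir}/%{name}_unconvert

%if %{without bootstrap}
%files -n pam-%{name}
%{_mandir}/man8/pam_%{name}.8*
%{_pam_moduledir}/pam_%{name}.so
%if %{with replace_pam_unix}
%{_mandir}/man8/pam_pwdb.8*
%{_mandir}/man8/pam_unix.8*
%{_pam_moduledir}/pam_pwdb.so
%{_pam_moduledir}/pam_unix.so
%{_pam_moduledir}/pam_unix_acct.so
%{_pam_moduledir}/pam_unix_auth.so
%{_pam_moduledir}/pam_unix_passwd.so
%{_pam_moduledir}/pam_unix_session.so
%endif
%endif

%changelog
* Sun Dec 22 2024 Björn Esser - 1.2-0.6
- Drop hard requires on group dependencies

* Sat Dec 21 2024 Björn Esser - 1.2-0.5
- Consolidate all upstream commits into one patch
- Move tcb_chkpwd to utils package

* Wed Dec 18 2024 Björn Esser - 1.2-0.4
- Drop the common package, the nss-tcb package, and the static library
- Minimize dependencies for bootstrap builds
- Update Summary and License fields
- Add needed group dependencies
- Rewrite %%pre scripts in lua to omit bash dependency
- Do not %%ghost-own /etc/tcb/*

* Tue Oct 05 2021 Björn Esser - 1.2-0.3
- Add soft-static group allocation preferring the gids as assigned by FPC
- Merge the filesystem and sysusers sub-packages into common sub-package

* Mon Oct 04 2021 Björn Esser - 1.2-0.2
- Remove archful requirements in noarch packages

* Mon Oct 04 2021 Björn Esser - 1.2-0.1
- Initial package (rhbz#2010528)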