This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 3.x development tree".
The branch, master has been updated via 04234719e1568717577e73bcc4399d00282d9ca9 (commit) via 6679571b01afe178deaf72e5623639cbcae1e95c (commit) via 6a5dfeb8f1647fece9f9e2fe6db99856326303e5 (commit) from 9ec1bac1b89043e19d8c07d66507616147919533 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 04234719e1568717577e73bcc4399d00282d9ca9 Merge: 6679571 6a5dfeb Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Jun 19 13:55:05 2011 +0200
Merge remote-tracking branch 'stevee/systemd'
commit 6679571b01afe178deaf72e5623639cbcae1e95c Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Jun 19 13:53:59 2011 +0200
nss_ldap: Update to 265.
commit 6a5dfeb8f1647fece9f9e2fe6db99856326303e5 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Jun 19 13:40:54 2011 +0200
systemd: Move pam file to /lib/security.
-----------------------------------------------------------------------
Summary of changes: pkgs/nss_ldap/nss_ldap.nm | 57 ++++- pkgs/nss_ldap/patches/nss_ldap-254-soname.patch | 12 + pkgs/nss_ldap/patches/nss_ldap-257-mozldap.patch | 287 ++++++++++++++++++++ pkgs/nss_ldap/patches/nss_ldap-259-res_init.patch | 146 ++++++++++ pkgs/nss_ldap/patches/nss_ldap-264-checkcase.patch | 192 +++++++++++++ pkgs/nss_ldap/patches/nss_ldap-264-cloexec.patch | 11 + pkgs/nss_ldap/patches/nss_ldap-265-depth.patch | 186 +++++++++++++ .../patches/nss_ldap-265-ent_internal.patch | 102 +++++++ pkgs/nss_ldap/patches/nss_ldap-265-erange.patch | 17 ++ .../nss_ldap/patches/nss_ldap-265-fix-uninit.patch | 10 + .../nss_ldap-265-initgroups-minimum_uid.patch | 190 +++++++++++++ .../patches/nss_ldap-265-local_users.patch | 17 ++ .../patches/nss_ldap-265-padl-bug-418.patch | 36 +++ .../patches/nss_ldap-265-setnetgrent.patch | 11 + pkgs/systemd/systemd.nm | 4 +- 15 files changed, 1268 insertions(+), 10 deletions(-) create mode 100644 pkgs/nss_ldap/patches/nss_ldap-254-soname.patch create mode 100644 pkgs/nss_ldap/patches/nss_ldap-257-mozldap.patch create mode 100644 pkgs/nss_ldap/patches/nss_ldap-259-res_init.patch create mode 100644 pkgs/nss_ldap/patches/nss_ldap-264-checkcase.patch create mode 100644 pkgs/nss_ldap/patches/nss_ldap-264-cloexec.patch create mode 100644 pkgs/nss_ldap/patches/nss_ldap-265-depth.patch create mode 100644 pkgs/nss_ldap/patches/nss_ldap-265-ent_internal.patch create mode 100644 pkgs/nss_ldap/patches/nss_ldap-265-erange.patch create mode 100644 pkgs/nss_ldap/patches/nss_ldap-265-fix-uninit.patch create mode 100644 pkgs/nss_ldap/patches/nss_ldap-265-initgroups-minimum_uid.patch create mode 100644 pkgs/nss_ldap/patches/nss_ldap-265-local_users.patch create mode 100644 pkgs/nss_ldap/patches/nss_ldap-265-padl-bug-418.patch create mode 100644 pkgs/nss_ldap/patches/nss_ldap-265-setnetgrent.patch
Difference in files: diff --git a/pkgs/nss_ldap/nss_ldap.nm b/pkgs/nss_ldap/nss_ldap.nm index 53a0160..d859997 100644 --- a/pkgs/nss_ldap/nss_ldap.nm +++ b/pkgs/nss_ldap/nss_ldap.nm @@ -25,7 +25,7 @@ include $(PKGROOT)/Include
PKG_NAME = nss_ldap -PKG_VER = 262 +PKG_VER = 265 PKG_REL = 1
PKG_MAINTAINER = @@ -34,7 +34,7 @@ PKG_URL = http://www.padl.com/ PKG_LICENSE = LGPLv2+ PKG_SUMMARY = NSS library and PAM module for LDAP.
-PKG_BUILD_DEPS+= cyrus-sasl-devel openldap-devel +PKG_BUILD_DEPS+= autoconf automake cyrus-sasl-devel openldap-devel
define PKG_DESCRIPTION This package includes two LDAP access clients: nss_ldap and \ @@ -46,17 +46,58 @@ endef
PKG_TARBALL = $(THISAPP).tar.gz
-CONFIGURE_OPTIONS = \ - --prefix=/ \ - --libdir=/usr/lib \ +PKG_PATCHES = \ + nss_ldap-265-depth.patch \ + nss_ldap-254-soname.patch \ + nss_ldap-257-mozldap.patch \ + nss_ldap-259-res_init.patch \ + nss_ldap-264-checkcase.patch \ + nss_ldap-265-ent_internal.patch \ + nss_ldap-264-cloexec.patch \ + nss_ldap-265-local_users.patch \ + nss_ldap-265-erange.patch \ + nss_ldap-265-initgroups-minimum_uid.patch \ + nss_ldap-265-fix-uninit.patch \ + nss_ldap-265-padl-bug-418.patch \ + nss_ldap-265-setnetgrent.patch + +CONFIGURE_OPTIONS += \ --sysconfdir=/etc \ - --mandir=/usr/share/man \ - --with-ldap=openldap \ - --enable-schema-mapping + --libdir=/lib \ + --with-ldap-lib=openldap \ + --enable-rfc2307bis \ + --with-ldap-conf-file=/etc/nss_ldap.conf \ + --with-ldap-secret-file=/etc/nss_ldap.secret + +define STAGE_PREPARE_CMDS + cd $(DIR_APP) && sed -i -e 's,^ldap.conf$$,nss_ldap.conf,g' *.5 + cd $(DIR_APP) && sed -i -e 's,^/etc/ldap.,/etc/nss_ldap.,g' *.5 + cd $(DIR_APP) && sed -i -e 's,ldap.secret,nss_ldap.secret,g' *.5 + cd $(DIR_APP) && sed -i -e 's,(ldap.conf),(nss_ldap.conf),g' *.5 + + # Fix call for vers_string. + cd $(DIR_APP) && sed -e "s/vers_string/./&/g" -i Makefile* + + cd $(DIR_APP) && autoreconf -vfi +endef + +STAGE_BUILD_TARGETS += LDFLAGS="-Wl,-z,nodelete" + +STAGE_INSTALL_TARGETS += LIBC_VERS=$(PKG_VER)
define STAGE_INSTALL_CMDS # Remove awkward directory rm -rvf $(BUILDROOT)/usr/usr
+ mv -v $(BUILDROOT)/lib/* $(BUILDROOT)/usr/lib + rm -rvf $(BUILDROOT)/lib + ln -svf libnss_ldap-$(PKG_VER).so $(BUILDROOT)/usr/lib/libnss_ldap.so + + rm -vf $(BUILDROOT)/etc/nsswitch.ldap + + cd $(DIR_APP) && sed 's|dc=padl|dc=example|g' ldap.conf > \ + $(BUILDROOT)/etc/nss_ldap.conf + touch $(BUILDROOT)/etc/nss_ldap.secret + ln -svf libnss_ldap.so.2 $(BUILDROOT)/usr/lib/libnss_ldap.so endef diff --git a/pkgs/nss_ldap/patches/nss_ldap-254-soname.patch b/pkgs/nss_ldap/patches/nss_ldap-254-soname.patch new file mode 100644 index 0000000..e832c2f --- /dev/null +++ b/pkgs/nss_ldap/patches/nss_ldap-254-soname.patch @@ -0,0 +1,12 @@ +Set the soname which glibc expects us to have. +--- nss_ldap-254/configure.in 2007-02-26 16:40:53.000000000 -0500 ++++ nss_ldap-254/configure.in 2007-02-26 16:40:47.000000000 -0500 +@@ -92,7 +92,7 @@ + nss_ldap_so_LDFLAGS="-b -dynamic -G `cat exports.hpux`" + CPPFLAGS="$CPPFLAGS -I. -DHPUX" + TARGET_OS=HPUX ;; +-linux*) nss_ldap_so_LDFLAGS="-shared -Wl,-Bdynamic -Wl,--version-script,$(srcdir)/exports.linux" ;; ++linux*) nss_ldap_so_LDFLAGS="-shared -Wl,-Bdynamic -Wl,--version-script,$(srcdir)/exports.linux -Wl,-soname=libnss_ldap.so.2" ;; + *) nss_ldap_so_LDFLAGS="-shared -Wl,-Bdynamic" ;; + esac + diff --git a/pkgs/nss_ldap/patches/nss_ldap-257-mozldap.patch b/pkgs/nss_ldap/patches/nss_ldap-257-mozldap.patch new file mode 100644 index 0000000..acb16df --- /dev/null +++ b/pkgs/nss_ldap/patches/nss_ldap-257-mozldap.patch @@ -0,0 +1,287 @@ +Go back to using AC_TRY_COMPILE to detect <ldap_ssl.h>, which requires +that <ldap.h> be included before it. + +Use the draft-specified value "0" instead of a preprocessor define which +mozldap doesn't provide (LDAP_OPT_SUCCESS). + +Don't fail to compile if libldap doesn't provide ldap_create_control(), +just fail at run-time if we try to use it. + +Only try to set non-portable options that the libldap which is being used +supports. + +Don't depend on ldap_alloc_ber_with_options() being there; fall back to +either ber_alloc_t() or the deprecated der_alloc(). + +Learn about Mozilla LDAP 6. + +Prefer </usr/include/nss.h> to <nss.h>, because <nss.h> can also be the +security toolkit used by Mozilla's LDAP SDK rather than libc's nsswitch +header, and if we've set the include path, we could be screwed. + +Strip off any '/' which appears in our hostname before passing it to +ldap_init(). + +diff -up nss_ldap/configure.in nss_ldap/configure.in +--- nss_ldap/configure.in 2007-11-14 14:21:54.000000000 -0500 ++++ nss_ldap/configure.in 2007-11-14 15:01:32.000000000 -0500 +@@ -41,7 +41,7 @@ dnl + AC_ARG_ENABLE(configurable-krb5-ccname-env, [ --enable-configurable-krb5-ccname-env enable configurable Kerberos V credentials cache name (putenv method)], [AC_DEFINE(CONFIGURE_KRB5_CCNAME) AC_DEFINE(CONFIGURE_KRB5_CCNAME_ENV)]) + AC_ARG_ENABLE(configurable-krb5-ccname-gssapi, [ --enable-configurable-krb5-ccname-gssapi enable configurable Kerberos V credentials cache name (gssapi method)], [AC_DEFINE(CONFIGURE_KRB5_CCNAME) AC_DEFINE(CONFIGURE_KRB5_CCNAME_GSSAPI)]) + +-AC_ARG_WITH(ldap-lib, [ --with-ldap-lib=type select ldap library [auto|netscape5|netscape4|netscape3|umich|openldap]]) ++AC_ARG_WITH(ldap-lib, [ --with-ldap-lib=type select ldap library [auto|mozilla|netscape5|netscape4|netscape3|umich|openldap]]) + AC_ARG_WITH(ldap-dir, [ --with-ldap-dir=DIR base directory of LDAP SDK]) + AC_ARG_WITH(ldap-conf-file, [ --with-ldap-conf-file path to LDAP configuration file], + [ NSS_LDAP_PATH_CONF="$with_ldap_conf_file" ], +@@ -132,17 +132,18 @@ AC_SUBST(NSS_LDAP_LDFLAGS) + + AC_CHECK_HEADERS(lber.h) + AC_CHECK_HEADERS(ldap.h, , AC_MSG_ERROR(could not locate <ldap.h>)) +-AC_CHECK_HEADERS(ldap_ssl.h) ++dnl AC_CHECK_HEADERS(ldap_ssl.h) + +-dnl AC_MSG_CHECKING(for ldap_ssl.h) +-dnl AC_TRY_COMPILE([#include <sys/types.h> +-dnl #include <ldap.h> +-dnl #include <ldap_ssl.h>], , +-dnl [ +-dnl AC_MSG_RESULT(yes), +-dnl AC_DEFINE(HAVE_LDAP_SSL_H, 1) +-dnl ], +-dnl AC_MSG_RESULT(no)) ++AC_MSG_CHECKING(for ldap_ssl.h) ++AC_TRY_COMPILE([ ++ #include <sys/types.h> ++ #include <ldap.h> ++ #include <ldap_ssl.h>],[], ++ [ ++ AC_MSG_RESULT(yes) ++ AC_DEFINE(HAVE_LDAP_SSL_H,1,[Define if you have <ldap_ssl.h>.]) ++ ], ++ AC_MSG_RESULT(no)) + + # For HP-UX and AIX we use private API, the headers for which + # are included locally. We need to do something to stop both +@@ -150,7 +151,8 @@ dnl AC_MSG_RESULT(no)) + case "$target_os" in + aix*) AC_CHECK_HEADERS(irs.h usersec.h) ;; + hpux*) AC_CHECK_HEADERS(nsswitch.h) ;; +- *) AC_CHECK_HEADERS(nss.h) ++ *) AC_CHECK_HEADERS(/usr/include/nss.h) ++ AC_CHECK_HEADERS(nss.h) + AC_CHECK_HEADERS(nsswitch.h) + AC_CHECK_HEADERS(irs.h) ;; + esac +@@ -297,6 +299,9 @@ if test -z "$found_ldap_lib" -a ( $with + AC_CHECK_LIB(lber, main) + AC_CHECK_LIB(ldap, main, [LIBS="-lldap $LIBS" found_ldap_lib=yes],,$LIBS) + fi ++if test -z "$found_ldap_lib" -a ( $with_ldap_lib = auto -o $with_ldap_lib = mozilla ); then ++AC_CHECK_LIB(ldap60, main, LIBS="-lssldap60 -lprldap60 -lldap60 -lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4 $LIBS" found_ldap_lib=yes need_pthread=yes,, -lpthread) ++fi + if test -z "$found_ldap_lib" -a ( $with_ldap_lib = auto -o $with_ldap_lib = netscape5 ); then + AC_CHECK_LIB(ldap50, main, LIBS="-lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 $LIBS" found_ldap_lib=yes need_pthread=yes,, -lpthread) + fi +@@ -331,6 +336,7 @@ AC_CHECK_FUNCS(ldap_init ldap_get_lderrn + AC_CHECK_FUNCS(ldap_ld_free ldap_explode_rdn ldap_set_option ldap_get_option) + AC_CHECK_FUNCS(ldap_sasl_interactive_bind_s ldap_initialize ldap_search_ext) + AC_CHECK_FUNCS(ldap_create_control ldap_create_page_control ldap_parse_page_control) ++AC_CHECK_FUNCS(ldap_alloc_ber_with_options ber_alloc_t der_alloc) + if test "$enable_ssl" != "no"; then + AC_CHECK_FUNCS(ldapssl_client_init ldap_start_tls_s ldap_pvt_tls_set_option ldap_start_tls) + fi +diff -up nss_ldap/ldap-nss.h nss_ldap/ldap-nss.h +--- nss_ldap/ldap-nss.h 2007-11-14 14:21:54.000000000 -0500 ++++ nss_ldap/ldap-nss.h 2007-11-14 15:05:57.000000000 -0500 +@@ -58,6 +58,8 @@ + #include <nss_common.h> + #include <nss_dbdefs.h> + #include <nsswitch.h> ++#elif defined(HAVE__USR_INCLUDE_NSS_H) ++#include </usr/include/nss.h> + #elif defined(HAVE_NSS_H) + #include <nss.h> + #elif defined(HAVE_IRS_H) +diff -up nss_ldap/ldap-nss.c nss_ldap/ldap-nss.c +--- nss_ldap/ldap-nss.c 2007-11-14 14:21:54.000000000 -0500 ++++ nss_ldap/ldap-nss.c 2007-11-14 14:21:54.000000000 -0500 +@@ -1069,6 +1069,23 @@ do_init_session (LDAP ** ld, const char + defport = atoi (p + 1); + uri = uribuf; + } ++ else ++ { ++ size_t urilen = strlen(uri); ++ ++ if (urilen >= sizeof (uribuf)) ++ { ++ return NSS_UNAVAIL; ++ } ++ ++ memcpy (uribuf, uri, urilen); ++ uribuf[urilen] = '\0'; ++ ++ if ((urilen > 0) && (uribuf[urilen - 1] == '/')) ++ uribuf[urilen - 1] = '\0'; ++ ++ uri = uribuf; ++ } + + # ifdef HAVE_LDAP_INIT + *ld = ldap_init (uri, defport); +@@ -1537,7 +1554,7 @@ do_open (void) + + if (ldap_get_option + (__session.ls_conn, LDAP_OPT_PROTOCOL_VERSION, +- &version) == LDAP_OPT_SUCCESS) ++ &version) == 0) + { + if (version < LDAP_VERSION3) + { +@@ -1697,6 +1714,7 @@ do_ssl_options (ldap_config_t * cfg) + } + #endif /* LDAP_OPT_X_TLS_RANDOM_FILE */ + ++#ifdef LDAP_OPT_X_TLS_CACERTFILE + if (cfg->ldc_tls_cacertfile != NULL) + { + /* ca cert file */ +@@ -1709,7 +1727,9 @@ do_ssl_options (ldap_config_t * cfg) + return LDAP_OPERATIONS_ERROR; + } + } ++#endif + ++#ifdef LDAP_OPT_X_TLS_CACERTDIR + if (cfg->ldc_tls_cacertdir != NULL) + { + /* ca cert directory */ +@@ -1722,7 +1742,9 @@ do_ssl_options (ldap_config_t * cfg) + return LDAP_OPERATIONS_ERROR; + } + } ++#endif + ++#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT + /* require cert? */ + if (cfg->ldc_tls_checkpeer > -1) + { +@@ -1735,7 +1757,9 @@ do_ssl_options (ldap_config_t * cfg) + return LDAP_OPERATIONS_ERROR; + } + } ++#endif + ++#ifdef LDAP_OPT_X_TLS_CIPHER_SUITE + if (cfg->ldc_tls_ciphers != NULL) + { + /* set cipher suite, certificate and private key: */ +@@ -1748,7 +1772,9 @@ do_ssl_options (ldap_config_t * cfg) + return LDAP_OPERATIONS_ERROR; + } + } ++#endif + ++#ifdef LDAP_OPT_X_TLS_CERTFILE + if (cfg->ldc_tls_cert != NULL) + { + rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE, cfg->ldc_tls_cert); +@@ -1759,7 +1785,9 @@ do_ssl_options (ldap_config_t * cfg) + return LDAP_OPERATIONS_ERROR; + } + } ++#endif + ++#ifdef LDAP_OPT_X_TLS_CERTFILE + if (cfg->ldc_tls_key != NULL) + { + rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_KEYFILE, cfg->ldc_tls_key); +@@ -1770,6 +1798,7 @@ do_ssl_options (ldap_config_t * cfg) + return LDAP_OPERATIONS_ERROR; + } + } ++#endif + + debug ("<== do_ssl_options"); + +diff -up nss_ldap/pagectrl.c nss_ldap/pagectrl.c +--- nss_ldap/pagectrl.c 2007-08-03 00:51:09.000000000 -0400 ++++ nss_ldap/pagectrl.c 2007-11-14 14:21:54.000000000 -0500 +@@ -38,6 +38,17 @@ static char rcsId[] = "$Id: pagectrl.c,v + #define LDAP_CONTROL_PAGE_OID "1.2.840.113556.1.4.319" + #endif + ++#ifndef HAVE_LDAP_CREATE_CONTROL ++#define ldap_create_control _nss_ldap_fail_to_create_control ++static int ++ldap_create_control(const char *oid, BerElement *value, ++ int iscritical, LDAPControl ** ctrlp) ++{ ++ *ctrlp = NULL; ++ return LDAP_ENCODING_ERROR; ++} ++#endif ++ + #ifndef HAVE_LDAP_CREATE_PAGE_CONTROL + /*--- + ldap_create_page_control +@@ -78,9 +89,6 @@ static char rcsId[] = "$Id: pagectrl.c,v + + ---*/ + +-#ifndef HAVE_LDAP_CREATE_CONTROL +-#error LDAP client library does not support ldap_create_control() +-#else + int + ldap_create_page_control (LDAP * ld, + unsigned long pagesize, +@@ -97,10 +105,24 @@ ldap_create_page_control (LDAP * ld, + return (LDAP_PARAM_ERROR); + } + ++#ifdef HAVE_LDAP_ALLOC_BER_WITH_OPTIONS + if ((ber = ldap_alloc_ber_with_options (ld)) == NULL) + { + return (LDAP_NO_MEMORY); + } ++#elif defined(HAVE_BER_ALLOC_T) && defined(LBER_USE_DER) ++ if ((ber = ber_alloc_t(LBER_USE_DER)) == NULL) ++ { ++ return (LDAP_NO_MEMORY); ++ } ++#elif defined(HAVE_DER_ALLOC) ++ if ((ber = der_alloc()) == NULL) ++ { ++ return (LDAP_NO_MEMORY); ++ } ++#else ++ return (LDAP_NO_MEMORY); ++#endif + + tag = ber_printf (ber, "{i", pagesize); + if (tag == LBER_ERROR) +@@ -126,7 +148,6 @@ exit: + ber_free (ber, 1); + return (LDAP_ENCODING_ERROR); + } +-#endif /* HAVE_LDAP_CREATE_CONTROL */ + #endif /* HAVE_LDAP_CREATE_PAGE_CONTROL */ + + #ifndef HAVE_LDAP_PARSE_PAGE_CONTROL +@@ -154,9 +175,6 @@ exit: + + ---*/ + +-#ifndef HAVE_LDAP_CREATE_CONTROL +-#error LDAP client library does not support ldap_create_control() +-#else + int + ldap_parse_page_control (LDAP * ld, + LDAPControl ** ctrls, +@@ -222,5 +240,4 @@ foundPageControl: + + return (LDAP_SUCCESS); + } +-#endif /* HAVE_LDAP_CREATE_CONTROL */ + #endif /* HAVE_LDAP_PARSE_PAGE_CONTROL */ diff --git a/pkgs/nss_ldap/patches/nss_ldap-259-res_init.patch b/pkgs/nss_ldap/patches/nss_ldap-259-res_init.patch new file mode 100644 index 0000000..aed010d --- /dev/null +++ b/pkgs/nss_ldap/patches/nss_ldap-259-res_init.patch @@ -0,0 +1,146 @@ +Workaround for a NetworkManager/Upstart combination making things +interesting. When an application starts before the network is up, +/etc/resolv.conf is empty, causing the application to attempt to use a +local resolver. When the network comes up later, /etc/resolv.conf gets +populated with nameserver addresses, but the application doesn't re-read +it. This screws nss_ldap later on, because the LDAP client library +needs to be able to resolve the directory server's address, but it can't +without a local resolver which is probably not started. + +diff -up nss_ldap-259/configure.in nss_ldap-259/configure.in +--- nss_ldap-259/configure.in 2008-04-16 10:42:15.000000000 -0400 ++++ nss_ldap-259/configure.in 2008-04-16 10:42:15.000000000 -0400 +@@ -176,6 +176,7 @@ AC_CHECK_HEADERS(alignof.h) + AC_CHECK_HEADERS(rpc/rpcent.h) + AC_CHECK_HEADERS(sys/byteorder.h) + AC_CHECK_HEADERS(sys/un.h) ++AC_CHECK_HEADERS(sys/stat.h) + AC_CHECK_HEADERS(libc-lock.h) + AC_CHECK_HEADERS(bits/libc-lock.h) + AC_CHECK_HEADERS(sasl.h sasl/sasl.h) +diff -up nss_ldap-259/ldap-nss.c nss_ldap-259/ldap-nss.c +--- nss_ldap-259/ldap-nss.c 2008-04-16 10:42:15.000000000 -0400 ++++ nss_ldap-259/ldap-nss.c 2008-04-16 10:48:02.000000000 -0400 +@@ -44,10 +44,16 @@ static char rcsId[] = + #include <syslog.h> + #include <signal.h> + #include <fcntl.h> ++#ifdef HAVE_SYS_STAT_H ++#include <sys/stat.h> ++#endif + #include <sys/time.h> + #include <sys/socket.h> + #include <sys/param.h> + #include <errno.h> ++#ifdef HAVE_RESOLV_H ++#include <resolv.h> ++#endif + #ifdef HAVE_SYS_UN_H + #include <sys/un.h> + #endif +@@ -1021,8 +1027,31 @@ _nss_ldap_close (void) + do_close (); + } + ++static void ++_nss_ldap_res_init (const char *uri) ++{ ++ if (strncmp(uri, "ldapi://", 8) != 0) ++ { ++ struct stat st; ++ static time_t last_mtime = (time_t) -1; ++#if defined(HAVE_RESOLV_H) && defined(_PATH_RESCONF) ++ NSS_LDAP_DEFINE_LOCK (_nss_ldap_res_init_lock); ++ NSS_LDAP_LOCK (_nss_ldap_res_init_lock); ++ if (stat(_PATH_RESCONF, &st) == 0) ++ { ++ if (last_mtime != st.st_mtime) ++ { ++ last_mtime = st.st_mtime; ++ res_init(); ++ } ++ } ++ NSS_LDAP_UNLOCK (_nss_ldap_res_init_lock); ++#endif ++ } ++} ++ + static NSS_STATUS +-do_init_session (LDAP ** ld, const char *uri, int defport) ++do_init_session (LDAP ** ld, const char *uri, int defport, int res_init_hack) + { + int rc; + int ldaps; +@@ -1050,6 +1079,8 @@ do_init_session (LDAP ** ld, const char + uri = uribuf; + } + ++ if (res_init_hack) ++ _nss_ldap_res_init(uri); + rc = ldap_initialize (ld, uri); + #else + if (strncasecmp (uri, "ldap://", sizeof ("ldap://") - 1) != 0) +@@ -1075,6 +1106,8 @@ do_init_session (LDAP ** ld, const char + defport = atoi (p + 1); + uri = uribuf; + } ++ if (res_init_hack) ++ _nss_ldap_res_init(NULL); + # ifdef HAVE_LDAP_INIT + *ld = ldap_init (uri, defport); + # else +@@ -1346,7 +1379,8 @@ do_init (void) + + stat = do_init_session (&__session.ls_conn, + cfg->ldc_uris[__session.ls_current_uri], +- cfg->ldc_port); ++ cfg->ldc_port, ++ cfg->ldc_resolv_conf_res_init_hack); + if (stat != NSS_SUCCESS) + { + debug ("<== do_init (failed to initialize LDAP session)"); +diff -up nss_ldap-259/ldap-nss.h nss_ldap-259/ldap-nss.h +--- nss_ldap-259/ldap-nss.h 2008-04-16 10:45:49.000000000 -0400 ++++ nss_ldap-259/ldap-nss.h 2008-04-16 10:45:52.000000000 -0400 +@@ -400,6 +400,9 @@ struct ldap_config + time_t ldc_mtime; + + char **ldc_initgroups_ignoreusers; ++ ++ /* disable the do-res_init()-on-resolv.conf-changes hack */ ++ unsigned int ldc_resolv_conf_res_init_hack; + }; + + typedef struct ldap_config ldap_config_t; +diff -up nss_ldap-259/util.c nss_ldap-259/util.c +--- nss_ldap-259/util.c 2008-04-16 10:48:08.000000000 -0400 ++++ nss_ldap-259/util.c 2008-04-16 10:50:14.000000000 -0400 +@@ -680,6 +680,8 @@ NSS_STATUS _nss_ldap_init_config (ldap_c + } + } + ++ result->ldc_resolv_conf_res_init_hack = 1; ++ + return NSS_SUCCESS; + } + +@@ -1204,6 +1206,19 @@ _nss_ldap_readconfig (ldap_config_t ** p + { + t = &result->ldc_srv_domain; + } ++ else if (!strcasecmp (k, "nss_resolv_conf_res_init_hack")) ++ { ++ if (!strcasecmp (v, "on") || !strcasecmp (v, "yes") ++ || !strcasecmp (v, "true")) ++ { ++ result->ldc_resolv_conf_res_init_hack = 1; ++ } ++ else if (!strcasecmp (v, "off") || !strcasecmp (v, "no") ++ || !strcasecmp (v, "false")) ++ { ++ result->ldc_resolv_conf_res_init_hack = 0; ++ } ++ } + else + { + /* diff --git a/pkgs/nss_ldap/patches/nss_ldap-264-checkcase.patch b/pkgs/nss_ldap/patches/nss_ldap-264-checkcase.patch new file mode 100644 index 0000000..3a09db8 --- /dev/null +++ b/pkgs/nss_ldap/patches/nss_ldap-264-checkcase.patch @@ -0,0 +1,192 @@ +Search attribute which are not case-sensitive in a directory, but which +are in local files on a glibc-based system: + + posixAccount.uid: struct passwd.pw_name + shadowAccount.uid: struct shadow.sp_namp + posixGroup.cn: struct group.gr_name + ipService.cn,ipServiceProtocol: struct servent.s_name,s_proto + ipProtocol.cn: struct protoent.p_name + ipHost.cn: OK, actually not case-sensitive in local files + ipNetwork.cn: OK, actually not case-sensitive in local files + rfc822MailAlias.cn: OK, actually not case-sensitive in local files + oncRpc.cn: struct rpcent.r_name + nisNetgroup.cn: N/A + nisMap.nisMapName: N/A + nisObject.nisMapName: N/A + nisObject.cn: N/A + ieee802Device: N/A + bootableDevice: N/A + automount.automountKey: no defined structure + +This patch adds additional logic to reject the result of a search if the +field in the result which corresponds to the original request differs +by case from the actual request (for example, when a search for a group +named "bob" turns up a group named "Bob"), but currently only covers +glibc-style systems. Upstream #399. + +diff -ur nss_ldap-264/ldap-grp.c nss_ldap-264/ldap-grp.c +--- nss_ldap-264/ldap-grp.c 2009-07-02 11:01:03.000000000 -0400 ++++ nss_ldap-264/ldap-grp.c 2009-07-02 10:57:37.000000000 -0400 +@@ -1201,7 +1201,8 @@ + char *buffer, size_t buflen, int *errnop) + { + LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getgrnam, +- LM_GROUP, _nss_ldap_parse_gr, LDAP_NSS_BUFLEN_GROUP); ++ LM_GROUP, _nss_ldap_parse_gr, LDAP_NSS_BUFLEN_GROUP) ++ AND_REQUIRE_MATCH(name, result->gr_name); + } + #elif defined(HAVE_NSSWITCH_H) + static NSS_STATUS +diff -ur nss_ldap-264/ldap-nss.c nss_ldap-264/ldap-nss.c +--- nss_ldap-264/ldap-nss.c 2009-07-02 11:01:03.000000000 -0400 ++++ nss_ldap-264/ldap-nss.c 2009-07-02 10:46:39.000000000 -0400 +@@ -4300,4 +4300,17 @@ + return lderrno; + } + ++NSS_STATUS _nss_ldap_expect_name(NSS_STATUS result, ++ const char *requested_name, ++ const char *actual_name) ++{ ++ if ((result == NSS_SUCCESS) && ++ (requested_name != NULL) && ++ (actual_name != NULL) && ++ (strcasecmp(requested_name, actual_name) == 0) && ++ (strcmp(requested_name, actual_name) != 0)) { ++ return NSS_NOTFOUND; ++ } ++ return result; ++} + +diff -ur nss_ldap-264/ldap-nss.h nss_ldap-264/ldap-nss.h +--- nss_ldap-264/ldap-nss.h 2009-07-02 11:01:03.000000000 -0400 ++++ nss_ldap-264/ldap-nss.h 2009-07-02 10:28:59.000000000 -0400 +@@ -911,4 +911,8 @@ + #ifdef CONFIGURE_KRB5_KEYTAB + int do_init_krb5_cache(ldap_config_t *config); + #endif /* CONFIGURE_KRB5_KEYTAB */ ++NSS_STATUS _nss_ldap_expect_name(NSS_STATUS result, ++ const char *requested_name, ++ const char *actual_name); ++ + #endif /* _LDAP_NSS_LDAP_LDAP_NSS_H */ +diff -ur nss_ldap-264/ldap-parse.h nss_ldap-264/ldap-parse.h +--- nss_ldap-264/ldap-parse.h 2006-09-13 02:42:08.000000000 -0400 ++++ nss_ldap-264/ldap-parse.h 2009-07-02 10:56:54.000000000 -0400 +@@ -94,6 +94,7 @@ + + #define LOOKUP_NAME(name, result, buffer, buflen, errnop, filter, selector, parser, req_buflen) \ + ldap_args_t a; \ ++ NSS_STATUS s; \ + if (buflen < req_buflen) { \ + *errnop = ERANGE; \ + return NSS_TRYAGAIN; \ +@@ -101,7 +102,8 @@ + LA_INIT(a); \ + LA_STRING(a) = name; \ + LA_TYPE(a) = LA_TYPE_STRING; \ +- return _nss_ldap_getbyname(&a, result, buffer, buflen, errnop, filter, selector, parser); ++ s = _nss_ldap_getbyname(&a, result, buffer, buflen, errnop, filter, selector, parser); \ ++ return s + #define LOOKUP_NUMBER(number, result, buffer, buflen, errnop, filter, selector, parser, req_buflen) \ + ldap_args_t a; \ + if (buflen < req_buflen) { \ +@@ -199,4 +201,7 @@ + + #endif /* HAVE_NSSWITCH_H */ + ++#define AND_REQUIRE_MATCH(name,field) \ ++ == NSS_SUCCESS ? _nss_ldap_expect_name(s,name,field) : s ++ + #endif /* _LDAP_NSS_LDAP_LDAP_PARSE_H */ +diff -ur nss_ldap-264/ldap-proto.c nss_ldap-264/ldap-proto.c +--- nss_ldap-264/ldap-proto.c 2006-09-13 02:42:08.000000000 -0400 ++++ nss_ldap-264/ldap-proto.c 2009-07-02 10:58:25.000000000 -0400 +@@ -113,7 +113,8 @@ + { + LOOKUP_NAME (name, result, buffer, buflen, errnop, + _nss_ldap_filt_getprotobyname, LM_PROTOCOLS, +- _nss_ldap_parse_proto, LDAP_NSS_BUFLEN_DEFAULT); ++ _nss_ldap_parse_proto, LDAP_NSS_BUFLEN_DEFAULT) ++ AND_REQUIRE_MATCH(name, result->p_name); + } + #endif + +diff -ur nss_ldap-264/ldap-pwd.c nss_ldap-264/ldap-pwd.c +--- nss_ldap-264/ldap-pwd.c 2009-07-02 11:01:03.000000000 -0400 ++++ nss_ldap-264/ldap-pwd.c 2009-07-02 10:57:15.000000000 -0400 +@@ -243,7 +243,8 @@ + char *buffer, size_t buflen, int *errnop) + { + LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getpwnam, +- LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT); ++ LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT) ++ AND_REQUIRE_MATCH(name, result->pw_name); + } + #elif defined(HAVE_NSSWITCH_H) + static NSS_STATUS +diff -ur nss_ldap-264/ldap-rpc.c nss_ldap-264/ldap-rpc.c +--- nss_ldap-264/ldap-rpc.c 2009-07-02 11:01:03.000000000 -0400 ++++ nss_ldap-264/ldap-rpc.c 2009-07-02 10:58:01.000000000 -0400 +@@ -123,7 +123,8 @@ + { + LOOKUP_NAME (name, result, buffer, buflen, errnop, + _nss_ldap_filt_getrpcbyname, LM_RPC, _nss_ldap_parse_rpc, +- LDAP_NSS_BUFLEN_DEFAULT); ++ LDAP_NSS_BUFLEN_DEFAULT) ++ AND_REQUIRE_MATCH(name, result->r_name); + } + #endif + +diff -ur nss_ldap-264/ldap-service.c nss_ldap-264/ldap-service.c +--- nss_ldap-264/ldap-service.c 2009-07-02 15:44:14.000000000 -0400 ++++ nss_ldap-264/ldap-service.c 2009-07-02 15:45:07.000000000 -0400 +@@ -230,16 +230,20 @@ + char *buffer, size_t buflen, int *errnop) + { + ldap_args_t a; ++ NSS_STATUS s; + + LA_INIT (a); + LA_STRING (a) = name; + LA_TYPE (a) = (proto == NULL) ? LA_TYPE_STRING : LA_TYPE_STRING_AND_STRING; + LA_STRING2 (a) = proto; + +- return _nss_ldap_getbyname (&a, result, buffer, buflen, errnop, +- ((proto == NULL) ? _nss_ldap_filt_getservbyname +- : _nss_ldap_filt_getservbynameproto), +- LM_SERVICES, _nss_ldap_parse_serv); ++ s = _nss_ldap_getbyname (&a, result, buffer, buflen, errnop, ++ ((proto == NULL) ? _nss_ldap_filt_getservbyname ++ : _nss_ldap_filt_getservbynameproto), ++ LM_SERVICES, _nss_ldap_parse_serv); ++ s = _nss_ldap_expect_name(s, name, result->s_name); ++ s = _nss_ldap_expect_name(s, proto, result->s_proto); ++ return s; + } + #endif + +diff -ur nss_ldap-264/ldap-spwd.c nss_ldap-264/ldap-spwd.c +--- nss_ldap-264/ldap-spwd.c 2009-07-02 11:01:03.000000000 -0400 ++++ nss_ldap-264/ldap-spwd.c 2009-07-02 10:58:50.000000000 -0400 +@@ -149,7 +149,8 @@ + char *buffer, size_t buflen, int *errnop) + { + LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getspnam, +- LM_SHADOW, _nss_ldap_parse_sp, LDAP_NSS_BUFLEN_DEFAULT); ++ LM_SHADOW, _nss_ldap_parse_sp, LDAP_NSS_BUFLEN_DEFAULT) ++ AND_REQUIRE_MATCH (name, result->sp_namp); + } + #elif defined(HAVE_NSSWITCH_H) + static NSS_STATUS +--- nss_ldap-264/ldap-automount.c 2009-07-02 16:03:30.000000000 -0400 ++++ nss_ldap-264/ldap-automount.c 2009-07-02 16:03:48.000000000 -0400 +@@ -384,7 +384,7 @@ + _nss_ldap_filt_getautomntbyname, + LM_AUTOMOUNT, + _nss_ldap_parse_automount); +- ++ stat = _nss_ldap_expect_name(stat, key, canon_key ? *canon_key : NULL); + if (stat != NSS_NOTFOUND) + { + break; /* on success or error other than not found */ diff --git a/pkgs/nss_ldap/patches/nss_ldap-264-cloexec.patch b/pkgs/nss_ldap/patches/nss_ldap-264-cloexec.patch new file mode 100644 index 0000000..acdbea0 --- /dev/null +++ b/pkgs/nss_ldap/patches/nss_ldap-264-cloexec.patch @@ -0,0 +1,11 @@ +diff -up nss_ldap-264/ldap-nss.c nss_ldap-264/ldap-nss.c +--- nss_ldap-264/ldap-nss.c 2009-07-23 18:55:15.290388484 -0400 ++++ nss_ldap-264/ldap-nss.c 2009-07-23 19:01:33.328398737 -0400 +@@ -896,6 +896,7 @@ do_drop_connection(int sd, int closeSd) + /* we must let dup2 close sd for us to avoid race conditions + * in multithreaded code. + */ ++ fcntl (dummyfd, F_SETFD, 1L); + do_dupfd (dummyfd, sd); + do_closefd (dummyfd); + } diff --git a/pkgs/nss_ldap/patches/nss_ldap-265-depth.patch b/pkgs/nss_ldap/patches/nss_ldap-265-depth.patch new file mode 100644 index 0000000..a1bd07f --- /dev/null +++ b/pkgs/nss_ldap/patches/nss_ldap-265-depth.patch @@ -0,0 +1,186 @@ +Check if we can use thread-local storage, and if we can, use one to avoid a +self-deadlock if we recurse into our own host resolution routines from inside +of another lookup attempt. Revised from patch originally submitted for #340. + +diff -up nss_ldap-265/config.h.in nss_ldap-265/config.h.in +--- nss_ldap-265/config.h.in 2009-11-06 05:28:08.000000000 -0500 ++++ nss_ldap-265/config.h.in 2010-01-08 17:29:49.000000000 -0500 +@@ -304,6 +304,11 @@ + /* Define to 1 if you have the <thread.h> header file. */ + #undef HAVE_THREAD_H + ++/* Define if your toolchain supports thread-local storage, which can be used ++ for detecting self- and mutual-recursion problems when performing ++ host/address lookups. */ ++#undef HAVE_THREAD_LOCAL_STORAGE ++ + /* Define to 1 if you have the <unistd.h> header file. */ + #undef HAVE_UNISTD_H + +diff -up nss_ldap-265/configure.in nss_ldap-265/configure.in +--- nss_ldap-265/configure.in 2009-11-06 05:28:08.000000000 -0500 ++++ nss_ldap-265/configure.in 2010-01-08 17:29:49.000000000 -0500 +@@ -27,6 +27,14 @@ dnl + + AC_ARG_ENABLE(debugging, [ --enable-debugging enable debug code ], [AC_DEFINE(DEBUG)]) + ++AC_MSG_CHECKING(for thread-local storage) ++AC_TRY_COMPILE([],[static __thread int _nss_ldap_recursion_count;], ++ [ ++ AC_MSG_RESULT(yes) ++ AC_DEFINE(HAVE_THREAD_LOCAL_STORAGE,1,[Define if your toolchain supports thread-local storage, which can be used for detecting self- and mutual-recursion problems when performing host/address lookups.]) ++ ], ++ AC_MSG_RESULT(no)) ++ + dnl + dnl --enable-paged-results is now deprecated; if this option is set, + dnl then paged results will be enabled by default. However, it can +diff -up nss_ldap-265/depth.c nss_ldap-265/depth.c +--- nss_ldap-265/depth.c 2010-01-08 17:29:49.000000000 -0500 ++++ nss_ldap-265/depth.c 2010-01-08 17:29:49.000000000 -0500 +@@ -0,0 +1,24 @@ ++#include "config.h" ++#include "depth.h" ++ ++#ifdef HAVE_THREAD_LOCAL_STORAGE ++static __thread int depth = 0; ++ ++int ++_nss_ldap_get_depth (void) ++{ ++ return depth; ++} ++ ++int ++_nss_ldap_inc_depth (void) ++{ ++ return ++depth; ++} ++ ++int ++_nss_ldap_dec_depth (void) ++{ ++ return --depth; ++} ++#endif +diff -up nss_ldap-265/depth.h nss_ldap-265/depth.h +--- nss_ldap-265/depth.h 2010-01-08 17:29:49.000000000 -0500 ++++ nss_ldap-265/depth.h 2010-01-08 17:29:49.000000000 -0500 +@@ -0,0 +1,3 @@ ++int _nss_ldap_get_depth (void); ++int _nss_ldap_inc_depth (void); ++int _nss_ldap_dec_depth (void); +diff -up nss_ldap-265/ldap-hosts.c nss_ldap-265/ldap-hosts.c +--- nss_ldap-265/ldap-hosts.c 2009-11-06 05:28:08.000000000 -0500 ++++ nss_ldap-265/ldap-hosts.c 2010-01-08 17:33:38.000000000 -0500 +@@ -66,6 +66,7 @@ static char rcsId[] = + #include "ldap-nss.h" + #include "ldap-hosts.h" + #include "util.h" ++#include "depth.h" + + #ifdef HAVE_PORT_AFTER_H + #include <port_after.h> +@@ -280,6 +281,11 @@ _nss_ldap_gethostbyname2_r (const char * + } + #endif + ++#ifdef HAVE_THREAD_LOCAL_STORAGE ++ if (_nss_ldap_get_depth() > 0) ++ return NSS_STATUS_UNAVAIL; ++#endif ++ + LA_INIT (a); + LA_STRING (a) = name; + LA_TYPE (a) = LA_TYPE_STRING; +@@ -355,6 +361,11 @@ _nss_ldap_gethostbyaddr_r (struct in_add + NSS_STATUS status; + ldap_args_t a; + ++#ifdef HAVE_THREAD_LOCAL_STORAGE ++ if (_nss_ldap_get_depth() > 0) ++ return NSS_STATUS_UNAVAIL; ++#endif ++ + /* if querying by IPv6 address, make sure the address is "normalized" -- + * it should contain no leading zeros and all components of the address. + * still we can't fit an IPv6 address in an int, so who cares for now. +@@ -391,6 +402,11 @@ _nss_ldap_sethostent_r (nss_backend_t * + #endif + #if defined(HAVE_NSS_H) || defined(HAVE_NSSWITCH_H) + { ++#ifdef HAVE_THREAD_LOCAL_STORAGE ++ if (_nss_ldap_get_depth() > 0) ++ return NSS_STATUS_UNAVAIL; ++#endif ++ + LOOKUP_SETENT (hosts_context); + } + #endif +@@ -403,6 +419,11 @@ _nss_ldap_endhostent_r (nss_backend_t * + #endif + #if defined(HAVE_NSS_H) || defined(HAVE_NSSWITCH_H) + { ++#ifdef HAVE_THREAD_LOCAL_STORAGE ++ if (_nss_ldap_get_depth() > 0) ++ return NSS_STATUS_UNAVAIL; ++#endif ++ + LOOKUP_ENDENT (hosts_context); + } + #endif +@@ -435,6 +456,11 @@ _nss_ldap_gethostent_r (struct hostent * + { + NSS_STATUS status; + ++#ifdef HAVE_THREAD_LOCAL_STORAGE ++ if (_nss_ldap_get_depth() > 0) ++ return NSS_STATUS_UNAVAIL; ++#endif ++ + status = _nss_ldap_getent (&hosts_context, + result, + buffer, +diff -up nss_ldap-265/ldap-nss.c nss_ldap-265/ldap-nss.c +--- nss_ldap-265/ldap-nss.c 2009-11-06 05:28:08.000000000 -0500 ++++ nss_ldap-265/ldap-nss.c 2010-01-08 17:29:49.000000000 -0500 +@@ -93,6 +93,7 @@ static char rcsId[] = + #include "util.h" + #include "dnsconfig.h" + #include "pagectrl.h" ++#include "depth.h" + + #if defined(HAVE_THREAD_H) && !defined(_AIX) + #ifdef HAVE_PTHREAD_ATFORK +@@ -578,6 +579,9 @@ _nss_ldap_enter (void) + debug ("==> _nss_ldap_enter"); + + NSS_LDAP_LOCK (__lock); ++#ifdef HAVE_THREAD_LOCAL_STORAGE ++ _nss_ldap_inc_depth(); ++#endif + + /* + * Patch for Debian Bug 130006: +@@ -623,6 +627,9 @@ _nss_ldap_leave (void) + } + #endif /* HAVE_SIGACTION */ + ++#ifdef HAVE_THREAD_LOCAL_STORAGE ++ _nss_ldap_dec_depth(); ++#endif + NSS_LDAP_UNLOCK (__lock); + + debug ("<== _nss_ldap_leave"); +diff -up nss_ldap-265/Makefile.am nss_ldap-265/Makefile.am +--- nss_ldap-265/Makefile.am 2009-11-06 05:28:08.000000000 -0500 ++++ nss_ldap-265/Makefile.am 2010-01-08 17:31:45.000000000 -0500 +@@ -23,7 +23,7 @@ nss_ldap_so_SOURCES = ldap-nss.c ldap-pw + ldap-alias.c ldap-service.c ldap-schema.c ldap-ethers.c \ + ldap-bp.c ldap-automount.c util.c ltf.c snprintf.c resolve.c \ + dnsconfig.c irs-nss.c pagectrl.c ldap-sldap.c ldap-init-krb5-cache.c \ +- vers.c ++ vers.c depth.c + + nss_ldap_so_LDFLAGS = @nss_ldap_so_LDFLAGS@ + diff --git a/pkgs/nss_ldap/patches/nss_ldap-265-ent_internal.patch b/pkgs/nss_ldap/patches/nss_ldap-265-ent_internal.patch new file mode 100644 index 0000000..c4592da --- /dev/null +++ b/pkgs/nss_ldap/patches/nss_ldap-265-ent_internal.patch @@ -0,0 +1,102 @@ +Distinguish between contexts that are somewhat persistent and one-offs +which are used to fulfill part of a larger request. Proposed for #322. + +diff -up nss_ldap-265/ldap-grp.c nss_ldap-265/ldap-grp.c +--- nss_ldap-265/ldap-grp.c 2010-01-08 17:38:38.000000000 -0500 ++++ nss_ldap-265/ldap-grp.c 2010-01-08 17:38:38.000000000 -0500 +@@ -859,7 +859,7 @@ ng_chase (const char *dn, ldap_initgroup + LA_STRING (a) = dn; + LA_TYPE (a) = LA_TYPE_STRING; + +- if (_nss_ldap_ent_context_init_locked (&ctx) == NULL) ++ if (_nss_ldap_ent_context_init_internal_locked (&ctx) == NULL) + { + return NSS_UNAVAIL; + } +@@ -931,7 +931,7 @@ ng_chase_backlink (const char ** members + LA_STRING_LIST (a) = filteredMembersOf; + LA_TYPE (a) = LA_TYPE_STRING_LIST_OR; + +- if (_nss_ldap_ent_context_init_locked (&ctx) == NULL) ++ if (_nss_ldap_ent_context_init_internal_locked (&ctx) == NULL) + { + free (filteredMembersOf); + return NSS_UNAVAIL; +diff -up nss_ldap-265/ldap-netgrp.c nss_ldap-265/ldap-netgrp.c +--- nss_ldap-265/ldap-netgrp.c 2009-11-06 05:28:08.000000000 -0500 ++++ nss_ldap-265/ldap-netgrp.c 2010-01-08 17:38:38.000000000 -0500 +@@ -691,7 +691,7 @@ do_innetgr_nested (ldap_innetgr_args_t * + LA_TYPE (a) = LA_TYPE_STRING; + LA_STRING (a) = nested; /* memberNisNetgroup */ + +- if (_nss_ldap_ent_context_init_locked (&ctx) == NULL) ++ if (_nss_ldap_ent_context_init_internal_locked (&ctx) == NULL) + { + debug ("<== do_innetgr_nested: failed to initialize context"); + return NSS_UNAVAIL; +diff -up nss_ldap-265/ldap-nss.c nss_ldap-265/ldap-nss.c +--- nss_ldap-265/ldap-nss.c 2010-01-08 17:38:38.000000000 -0500 ++++ nss_ldap-265/ldap-nss.c 2010-01-08 17:40:37.000000000 -0500 +@@ -2043,6 +2043,7 @@ _nss_ldap_ent_context_init_locked (ent_c + debug ("<== _nss_ldap_ent_context_init_locked"); + return NULL; + } ++ ctx->ec_internal = 0; + *pctx = ctx; + } + else +@@ -2104,7 +2105,8 @@ do_context_release (ent_context_t * ctx, + + LS_INIT (ctx->ec_state); + +- if (_nss_ldap_test_config_flag (NSS_LDAP_FLAGS_CONNECT_POLICY_ONESHOT)) ++ if (!ctx->ec_internal && ++ _nss_ldap_test_config_flag (NSS_LDAP_FLAGS_CONNECT_POLICY_ONESHOT)) + { + do_close (); + } +@@ -2113,6 +2115,16 @@ do_context_release (ent_context_t * ctx, + free (ctx); + } + ++ent_context_t * ++_nss_ldap_ent_context_init_internal_locked (ent_context_t ** pctx) ++{ ++ ent_context_t *ctx; ++ ctx = _nss_ldap_ent_context_init_locked (pctx); ++ if (ctx != NULL) ++ ctx->ec_internal = 1; ++ return ctx; ++} ++ + /* + * Clears a given context; we require the caller + * to acquire the lock. +diff -up nss_ldap-265/ldap-nss.h nss_ldap-265/ldap-nss.h +--- nss_ldap-265/ldap-nss.h 2010-01-08 17:38:38.000000000 -0500 ++++ nss_ldap-265/ldap-nss.h 2010-01-08 17:42:34.000000000 -0500 +@@ -574,6 +574,8 @@ struct ent_context + ldap_state_t ec_state; /* eg. for services */ + int ec_msgid; /* message ID */ + LDAPMessage *ec_res; /* result chain */ ++ int ec_internal; /* this context is just a part of a larger ++ * query for information */ + ldap_service_search_descriptor_t *ec_sd; /* current sd */ + struct berval *ec_cookie; /* cookie for paged searches */ + int ec_eof; /* reached notional end of file */ +@@ -769,6 +771,15 @@ ent_context_t *_nss_ldap_ent_context_ini + ent_context_t *_nss_ldap_ent_context_init_locked (ent_context_t **); + + /* ++ * _nss_ldap_ent_context_init_internal_locked() has the same ++ * behaviour, except it marks the context as one that's being ++ * used to fetch additional data used in answering a request, i.e. ++ * that this isn't the "main" context ++ */ ++ ++ent_context_t *_nss_ldap_ent_context_init_internal_locked (ent_context_t **); ++ ++/* + * _nss_ldap_ent_context_release() is used to manually free a context + */ + void _nss_ldap_ent_context_release (ent_context_t **); diff --git a/pkgs/nss_ldap/patches/nss_ldap-265-erange.patch b/pkgs/nss_ldap/patches/nss_ldap-265-erange.patch new file mode 100644 index 0000000..0bdfe5a --- /dev/null +++ b/pkgs/nss_ldap/patches/nss_ldap-265-erange.patch @@ -0,0 +1,17 @@ +If we were supposed to set ERANGE, do so again, in case do_close() or +_nss_ldap_leave() overwrote errno with some other value. Upstream #421. + +diff -up nss_ldap-265/ldap-nss.ce nss_ldap-265/ldap-nss.c +--- nss_ldap-265/ldap-nss.ce 2010-07-08 16:17:07.000000000 -0400 ++++ nss_ldap-265/ldap-nss.c 2010-07-08 16:17:03.000000000 -0400 +@@ -3572,6 +3572,10 @@ _nss_ldap_getbyname (ldap_args_t * args, + + debug ("<== _nss_ldap_getbyname"); + ++ /* at least for the cases where we know we have to return ERANGE */ ++ if (stat == NSS_TRYAGAIN) ++ do_map_errno(stat, errnop); ++ + return stat; + } + diff --git a/pkgs/nss_ldap/patches/nss_ldap-265-fix-uninit.patch b/pkgs/nss_ldap/patches/nss_ldap-265-fix-uninit.patch new file mode 100644 index 0000000..f0f8793 --- /dev/null +++ b/pkgs/nss_ldap/patches/nss_ldap-265-fix-uninit.patch @@ -0,0 +1,10 @@ +--- nss_ldap-265/ldap-nss.c.orig 2010-10-18 22:11:18.112108167 +1100 ++++ nss_ldap-265/ldap-nss.c 2010-10-18 22:13:20.030169868 +1100 +@@ -3449,6 +3449,7 @@ + + debug ("==> _nss_ldap_getbyname"); + ++ memset(&ctx, 0, sizeof(ent_context_t)); + ctx.ec_msgid = -1; + ctx.ec_cookie = NULL; + ctx.ec_eof = 0; diff --git a/pkgs/nss_ldap/patches/nss_ldap-265-initgroups-minimum_uid.patch b/pkgs/nss_ldap/patches/nss_ldap-265-initgroups-minimum_uid.patch new file mode 100644 index 0000000..44f454c --- /dev/null +++ b/pkgs/nss_ldap/patches/nss_ldap-265-initgroups-minimum_uid.patch @@ -0,0 +1,190 @@ +This builds off of the recursion checking introduced by -depth to avoid +a deadlock if/when we recurse into ourselves while looking up the user's +UID to compare it to the configured value. Revision for upstream #341. + +diff -ur nss_ldap-265/ldap-nss.c nss_ldap-265-2/ldap-nss.c +--- nss_ldap-265/ldap-nss.c 2010-08-19 17:16:51.000000000 -0400 ++++ nss_ldap-265-2/ldap-nss.c 2010-08-19 17:25:09.000000000 -0400 +@@ -34,6 +34,7 @@ + #endif + + #include <assert.h> ++#include <pwd.h> + #include <stdlib.h> + #include <unistd.h> + #include <string.h> +@@ -4356,20 +4357,55 @@ + int + _nss_ldap_test_initgroups_ignoreuser (const char *user) + { +- char **p; ++ char **p, *buf; ++ size_t buflen; ++ struct passwd pwd, *passwd; + +- if (__config == NULL) +- return 0; +- +- if (__config->ldc_initgroups_ignoreusers == NULL) +- return 0; +- +- for (p = __config->ldc_initgroups_ignoreusers; *p != NULL; p++) ++ if (__config != NULL) + { +- if (strcmp (*p, user) == 0) +- return 1; ++ if (__config->ldc_initgroups_ignoreusers != NULL) ++ for (p = __config->ldc_initgroups_ignoreusers; *p != NULL; p++) ++ { ++ if (strcmp (*p, user) == 0) ++ return 1; ++ } ++ if (__config->ldc_initgroups_minimum_uid >= 0) ++ { ++ memset (&pwd, 0, sizeof(pwd)); ++ buflen = 0x100; ++ buf = malloc(buflen); ++ if (buf != NULL) ++ { ++ passwd = NULL; ++ while ((getpwnam_r(user, &pwd, buf, buflen, &passwd) != 0) && ++ (passwd != &pwd)) ++ { ++ switch (errno) ++ { ++ case ERANGE: ++ buflen *= 2; ++ free(buf); ++ if (buflen > 0x100000) ++ buf = NULL; ++ else ++ buf = malloc(buflen); ++ break; ++ case EINTR: ++ continue; ++ break; ++ default: ++ free(buf); ++ buf = NULL; ++ break; ++ } ++ if (buf == NULL) ++ break; ++ } ++ } ++ if ((passwd == &pwd) && (passwd->pw_uid < 1000)) ++ return 1; ++ } + } +- + return 0; + } + +diff -ur nss_ldap-265/ldap-nss.h nss_ldap-265-2/ldap-nss.h +--- nss_ldap-265/ldap-nss.h 2010-08-19 17:16:51.000000000 -0400 ++++ nss_ldap-265-2/ldap-nss.h 2010-08-19 17:18:47.000000000 -0400 +@@ -400,6 +400,7 @@ + time_t ldc_mtime; + + char **ldc_initgroups_ignoreusers; ++ int ldc_initgroups_minimum_uid; + + /* disable the do-res_init()-on-resolv.conf-changes hack */ + unsigned int ldc_resolv_conf_res_init_hack; +diff -ur nss_ldap-265/ldap-pwd.c nss_ldap-265-2/ldap-pwd.c +--- nss_ldap-265/ldap-pwd.c 2010-08-19 17:16:51.000000000 -0400 ++++ nss_ldap-265-2/ldap-pwd.c 2010-08-19 16:40:43.000000000 -0400 +@@ -49,6 +49,7 @@ + #include "ldap-nss.h" + #include "ldap-pwd.h" + #include "util.h" ++#include "depth.h" + + #ifdef HAVE_PORT_AFTER_H + #include <port_after.h> +@@ -242,6 +243,10 @@ + struct passwd * result, + char *buffer, size_t buflen, int *errnop) + { ++#ifdef HAVE_THREAD_LOCAL_STORAGE ++ if (_nss_ldap_get_depth() > 0) ++ return NSS_STATUS_UNAVAIL; ++#endif + LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getpwnam, + LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT) + AND_REQUIRE_MATCH(name, result->pw_name); +@@ -261,6 +266,10 @@ + struct passwd *result, + char *buffer, size_t buflen, int *errnop) + { ++#ifdef HAVE_THREAD_LOCAL_STORAGE ++ if (_nss_ldap_get_depth() > 0) ++ return NSS_STATUS_UNAVAIL; ++#endif + LOOKUP_NUMBER (uid, result, buffer, buflen, errnop, _nss_ldap_filt_getpwuid, + LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT); + } +diff -ur nss_ldap-265/nss_ldap.5 nss_ldap-265-2/nss_ldap.5 +--- nss_ldap-265/nss_ldap.5 2010-08-19 17:16:51.000000000 -0400 ++++ nss_ldap-265-2/nss_ldap.5 2010-08-19 17:19:23.000000000 -0400 +@@ -445,6 +445,14 @@ + to return NSS_STATUS_NOTFOUND if called with a listed users as + its argument. + .TP ++.B nss_initgroups_minimum_uid <uid> ++This option directs the ++.B nss_ldap ++implementation of ++.BR initgroups(3) ++to return NSS_STATUS_NOTFOUND if called with a user whose UID is ++below the value given as the argument. ++.TP + .B nss_getgrent_skipmembers <yes|no> + Specifies whether or not to populate the members list in + the group structure for group lookups. If very large groups +diff -ur nss_ldap-265/util.c nss_ldap-265-2/util.c +--- nss_ldap-265/util.c 2010-08-19 17:16:51.000000000 -0400 ++++ nss_ldap-265-2/util.c 2010-08-19 17:18:33.000000000 -0400 +@@ -669,6 +669,7 @@ + result->ldc_reconnect_maxsleeptime = LDAP_NSS_MAXSLEEPTIME; + result->ldc_reconnect_maxconntries = LDAP_NSS_MAXCONNTRIES; + result->ldc_initgroups_ignoreusers = NULL; ++ result->ldc_initgroups_minimum_uid = -1; + + for (i = 0; i <= LM_NONE; i++) + { +@@ -1180,6 +1181,10 @@ + break; + } + } ++ else if (!strcasecmp (k, NSS_LDAP_KEY_INITGROUPS_MINIMUM_UID)) ++ { ++ result->ldc_initgroups_minimum_uid = atoi(v); ++ } + else if (!strcasecmp (k, NSS_LDAP_KEY_GETGRENT_SKIPMEMBERS)) + { + if (!strcasecmp (v, "on") || !strcasecmp (v, "yes") +diff -ur nss_ldap-265/util.h nss_ldap-265-2/util.h +--- nss_ldap-265/util.h 2009-11-06 05:28:08.000000000 -0500 ++++ nss_ldap-265-2/util.h 2010-08-19 17:19:46.000000000 -0400 +@@ -92,6 +92,7 @@ + #define NSS_LDAP_KEY_PAGESIZE "pagesize" + #define NSS_LDAP_KEY_INITGROUPS "nss_initgroups" + #define NSS_LDAP_KEY_INITGROUPS_IGNOREUSERS "nss_initgroups_ignoreusers" ++#define NSS_LDAP_KEY_INITGROUPS_MINIMUM_UID "nss_initgroups_minimum_uid" + #define NSS_LDAP_KEY_GETGRENT_SKIPMEMBERS "nss_getgrent_skipmembers" + + /* more reconnect policy fine-tuning */ +--- nss_ldap-265/ldap.conf 2005-08-17 18:35:13.000000000 -0400 ++++ nss_ldap-265/ldap.conf 2006-02-09 14:14:05.000000000 -0500 +@@ -177,8 +177,8 @@ + #nss_base_aliases ou=Aliases,dc=padl,dc=com?one + #nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one + +-# Just assume that there are no supplemental groups for these named users +-nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,rtkit,pulse,rpc,rpcuser,nobody ++# Just assume that there are no supplemental groups for system users. ++nss_initgroups_minimum_uid 500 + + # attribute/objectclass mapping + # Syntax: diff --git a/pkgs/nss_ldap/patches/nss_ldap-265-local_users.patch b/pkgs/nss_ldap/patches/nss_ldap-265-local_users.patch new file mode 100644 index 0000000..2978ce1 --- /dev/null +++ b/pkgs/nss_ldap/patches/nss_ldap-265-local_users.patch @@ -0,0 +1,17 @@ +Configure by default to fail, quickly, requests for supplemental group +information for "root", "ldap", and assorted other users as whom services +run or who are mentioned by the DBus configuration. This patch will never +be pretty. + +--- pam_ldap-180/ldap.conf 2005-08-17 18:35:13.000000000 -0400 ++++ pam_ldap-180/ldap.conf 2006-02-09 14:14:05.000000000 -0500 +@@ -177,6 +177,9 @@ + #nss_base_aliases ou=Aliases,dc=padl,dc=com?one + #nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one + ++# Just assume that there are no supplemental groups for these named users ++nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,rtkit,pulse,rpc,rpcuser,nobody ++ + # attribute/objectclass mapping + # Syntax: + #nss_map_attribute rfc2307attribute mapped_attribute diff --git a/pkgs/nss_ldap/patches/nss_ldap-265-padl-bug-418.patch b/pkgs/nss_ldap/patches/nss_ldap-265-padl-bug-418.patch new file mode 100644 index 0000000..120377d --- /dev/null +++ b/pkgs/nss_ldap/patches/nss_ldap-265-padl-bug-418.patch @@ -0,0 +1,36 @@ +diff -up nss_ldap-253/ldap-nss.c.padl418 nss_ldap-253/ldap-nss.c +--- nss_ldap-253/ldap-nss.c.padl418 2010-11-17 14:08:24.000000000 +0000 ++++ nss_ldap-253/ldap-nss.c 2010-11-18 00:34:22.000000000 +0000 +@@ -1272,9 +1272,14 @@ do_init (void) + } + } + +- __session.ls_conn = NULL; ++ /* looks like a problem. could be initialized, but not connected */ ++ if (__session.ls_state != LS_UNINITIALIZED) ++ { ++ debug ("<== do_init (already initialized)"); ++ goto initialized; ++ } ++ + __session.ls_timestamp = 0; +- __session.ls_state = LS_UNINITIALIZED; + + #if defined(HAVE_PTHREAD_ONCE) && defined(HAVE_PTHREAD_ATFORK) + if (pthread_once (&__once, do_atfork_setup) != 0) +@@ -1394,6 +1399,7 @@ do_init (void) + + debug ("<== do_init (initialized session)"); + ++initialized: + return NSS_SUCCESS; + } + +@@ -1614,6 +1620,7 @@ do_open (void) + } + else + { ++ syslog(LOG_ERR, "nss-ldap: do_open: do_start_tls failed:stat=%d", stat); + do_close (); + debug ("<== do_open (TLS startup failed)"); + return stat; diff --git a/pkgs/nss_ldap/patches/nss_ldap-265-setnetgrent.patch b/pkgs/nss_ldap/patches/nss_ldap-265-setnetgrent.patch new file mode 100644 index 0000000..e17345a --- /dev/null +++ b/pkgs/nss_ldap/patches/nss_ldap-265-setnetgrent.patch @@ -0,0 +1,11 @@ +--- nss_ldap/ldap-netgrp.c ++++ nss_ldap/ldap-netgrp.c +@@ -372,7 +372,7 @@ _nss_ldap_setnetgrent (char *group, stru + _nss_ldap_filt_getnetgrent, LM_NETGROUP, + _nss_ldap_load_netgr); + +- if (stat == NSS_NOTFOUND) ++ if (stat != NSS_SUCCESS) + return stat; + + LOOKUP_SETENT (_ngbe); diff --git a/pkgs/systemd/systemd.nm b/pkgs/systemd/systemd.nm index 13001ba..843845d 100644 --- a/pkgs/systemd/systemd.nm +++ b/pkgs/systemd/systemd.nm @@ -26,7 +26,7 @@ include $(PKGROOT)/Include
PKG_NAME = systemd PKG_VER = 28 -PKG_REL = 2 +PKG_REL = 3
PKG_MAINTAINER = Stefan Schantl stefan.schantl@ipfire.org PKG_GROUPS = System/Base @@ -72,7 +72,7 @@ CONFIGURE_OPTIONS += \ --with-sysvinit-path= \ --with-sysvrcd-path= \ --with-udevrulesdir=/lib/udev/rules.d/ \ - --with-pamlibdir=/etc/pam.d + --with-pamlibdir=/lib/security
define STAGE_PREPARE_CMDS cd $(DIR_APP) && ./autogen.sh ac
hooks/post-receive -- IPFire 3.x development tree