public inbox for util-linux@vger.kernel.org
* login-utils: Enable building util-linux against OpenPAM
@ 2014-12-10  2:40 Will Johansson
  2014-12-10  2:40 ` [PATCH] " Will Johansson
  2014-12-15  9:19 ` Karel Zak
  0 siblings, 2 replies; 6+ messages in thread
From: Will Johansson @ 2014-12-10  2:40 UTC (permalink / raw)
  To: util-linux

Hello,

I recently experimented with cross-compiling for embedded devices, and
sought to try out util-linux with OpenPAM instead of Linux-PAM because
OpenPAM was simpler to cross-compile. Unfortunately for me, it did not
work out of the box, so I decided to try to patch util-linux to support
compiling against OpenPAM. Turned out to be a fairly simple exercise.

This is the fruit of my efforts. There is a caveat, which I will
be happy to address if it's a problem. The patch's configuration does
not support building if you happen to have both Linux-PAM and OpenPAM
in your build paths. I could update it to prefer Linux-PAM by default.
I'm not sure how it would work if OpenPAM libraries are also in the
search path, as -lpam is used by both Linux-PAM and OpenPAM (probably
undefined behavior).

Either way, it should compile fine against Linux-PAM and OpenPAM.
There are some unused variables in login.c, but that seems to have to do
with _HAVE_UT_TV, which is not the case in my configuration. I'm
more than happy to provide a separate patch to wrap the unused
variables with an #ifdef _HAVE_UT_TV.

Warm regards,

Will Johansson



* [PATCH] login-utils: Enable building util-linux against OpenPAM
  2014-12-10  2:40 login-utils: Enable building util-linux against OpenPAM Will Johansson
@ 2014-12-10  2:40 ` Will Johansson
  2014-12-15  9:19 ` Karel Zak
  1 sibling, 0 replies; 6+ messages in thread
From: Will Johansson @ 2014-12-10  2:40 UTC (permalink / raw)
  To: util-linux; +Cc: Will Johansson

OpenPAM is compatible with util-linux, with a few changes, namely
using OpenPAM's conversation function, openpam_ttyconv.

We check for Linux-PAM by querying for security/pam_misc.h, and OpenPAM
by querying for security/openpam.h.

Signed-off-by: Will Johansson <will.johansson@gmail.com>
---
 configure.ac              | 29 ++++++++++++++++++++++-------
 include/pamfail.h         |  6 +++++-
 login-utils/Makemodule.am | 22 +++++++++++++++++-----
 login-utils/auth.c        |  5 ++++-
 login-utils/login.c       | 17 +++++++++++++----
 login-utils/su-common.c   | 11 +++++++++--
 6 files changed, 70 insertions(+), 20 deletions(-)

diff --git a/configure.ac b/configure.ac
index b3b6b9f..8eaa0ec 100644
--- a/configure.ac
+++ b/configure.ac
@@ -206,7 +206,7 @@ AC_CHECK_HEADERS([ \
 	netinet/in.h \
 	paths.h \
 	pty.h \
-	security/pam_misc.h \
+	security/pam_appl.h \
 	stdint.h \
 	stdio_ext.h \
 	stdlib.h \
@@ -235,6 +235,20 @@ AC_CHECK_HEADERS([ \
 	unistd.h \
 ])
 
+AC_CHECK_HEADERS([security/pam_misc.h],
+		[AM_CONDITIONAL([HAVE_LINUXPAM], [true])],
+		[AM_CONDITIONAL([HAVE_LINUXPAM], [false])], [
+#ifdef HAVE_SECURITY_PAM_APPL_H
+#include <security/pam_appl.h>
+#endif
+])
+
+AC_CHECK_HEADERS([security/openpam.h], [], [], [
+#ifdef HAVE_SECURITY_PAM_APPL_H
+#include <security/pam_appl.h>
+#endif
+])
+
 AC_CHECK_HEADERS([langinfo.h],
 		[AM_CONDITIONAL([HAVE_LANGINFO], [true])],
 		[AM_CONDITIONAL([HAVE_LANGINFO], [false])])
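Review bot: The two new AC_CHECK_HEADERS calls do not handle the cases where both security/pam_misc.h and security/openpam.h are found, or where neither is. With both present, the C sources in this patch take the HAVE_SECURITY_PAM_MISC_H branch and HAVE_LINUXPAM adds -lpam_misc, while -lpam resolves to whichever library the linker finds first, so headers and library can come from different PAM implementations. Suggest making the choice explicit at configure time, for example an AC_MSG_ERROR or a documented preference when both headers are detected.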
@@ -244,8 +258,9 @@ dnl
 have_linux_raw_h=$ac_cv_header_linux_raw_h
 have_linux_securebits_h=$ac_cv_header_linux_securebits_h
 have_linux_watchdog_h=$ac_cv_header_linux_watchdog_h
+have_security_pam_appl_h=$ac_cv_header_security_pam_appl_h
 have_security_pam_misc_h=$ac_cv_header_security_pam_misc_h
-
+have_security_openpam_h=$ac_cv_header_security_openpam_h
 
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
 #include <time.h>
@@ -659,7 +674,6 @@ AC_ARG_WITH([ncurses],
   [], [with_ncurses=auto]
 )
 AM_CONDITIONAL([HAVE_NCURSES], [false])
-
 AS_IF([test "x$with_ncurses" != xno], [
   have_ncurses=no
 
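Review bot: The only change in this hunk, after AM_CONDITIONAL([HAVE_NCURSES], [false]), is the removal of a blank line in the ncurses block, which is unrelated to PAM. Please drop it so the diff stays limited to the OpenPAM work.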
@@ -1472,7 +1486,7 @@ AC_ARG_ENABLE([chfn-chsh],
 UL_BUILD_INIT([chfn_chsh])
 
 AS_IF([test "x$enable_chfn_chsh_password" = xyes -o "x$have_user" = xyes], [
-  UL_REQUIRES_HAVE([chfn_chsh], [security_pam_misc_h], [PAM header file])
+  UL_REQUIRES_HAVE([chfn_chsh], [security_pam_appl_h], [PAM header file])
   AC_DEFINE([CHFN_CHSH_PASSWORD], [1], [Should chfn and chsh require the user to enter the password?])
 ])
 AM_CONDITIONAL([BUILD_CHFN_CHSH], [test "x$build_chfn_chsh" = xyes])
@@ -1493,7 +1507,8 @@ AC_ARG_ENABLE([login],
   [], [UL_DEFAULT_ENABLE([login], [check])]
 )
 UL_BUILD_INIT([login])
-UL_REQUIRES_HAVE([login], [security_pam_misc_h], [PAM header file])
+UL_REQUIRES_HAVE([login], [security_pam_appl_h], [PAM header file])
+UL_REQUIRES_HAVE([login], [security_pam_misc_h, security_openpam_h], [PAM conversation functions])
 AM_CONDITIONAL([BUILD_LOGIN], [test "x$build_login" = xyes])
 
 AC_ARG_ENABLE([login-chown-vcs],
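Review bot: The "PAM conversation functions" requirement (security_pam_misc_h or security_openpam_h) is added for login only, but login-utils/auth.c and login-utils/su-common.c in this same patch also call misc_conv or openpam_ttyconv. chfn_chsh, su and runuser remain gated on security_pam_appl_h alone, so configure can enable them on a system that has neither conversation header, and the C code then has no conversation function to use. Suggest adding the same second UL_REQUIRES_HAVE line to those three blocks.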
@@ -1536,7 +1551,7 @@ AC_ARG_ENABLE([su],
   [], [UL_DEFAULT_ENABLE([su], [check])]
 )
 UL_BUILD_INIT([su])
-UL_REQUIRES_HAVE([su], [security_pam_misc_h], [PAM header file])
+UL_REQUIRES_HAVE([su], [security_pam_appl_h], [PAM header file])
 AM_CONDITIONAL([BUILD_SU], [test "x$build_su" = xyes])
 
 
@@ -1545,7 +1560,7 @@ AC_ARG_ENABLE([runuser],
   [], [UL_DEFAULT_ENABLE([runuser], [check])]
 )
 UL_BUILD_INIT([runuser])
-UL_REQUIRES_HAVE([runuser], [security_pam_misc_h], [PAM header file])
+UL_REQUIRES_HAVE([runuser], [security_pam_appl_h], [PAM header file])
 AM_CONDITIONAL([BUILD_RUNUSER], [test "x$build_runuser" = xyes])
 
 
diff --git a/include/pamfail.h b/include/pamfail.h
index e102df2..bb83b94 100644
--- a/include/pamfail.h
+++ b/include/pamfail.h
@@ -6,7 +6,11 @@
  */
 #ifndef UTIL_LINUX_PAMFAIL_H
 #include <security/pam_appl.h>
-#include <security/pam_misc.h>
+#ifdef HAVE_SECURITY_PAM_MISC_H
+# include <security/pam_misc.h>
+#elif defined(HAVE_SECURITY_OPENPAM_H)
+# include <security/openpam.h>
+#endif
 #include "c.h"
 
 static inline int
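Review bot: This #ifdef HAVE_SECURITY_PAM_MISC_H / #elif defined(HAVE_SECURITY_OPENPAM_H) include block is repeated verbatim in login.c and su-common.c later in the patch. pamfail.h is already included by auth.c, so consider keeping the header selection here only, together with one macro that names the conversation function, so that callers do not each carry their own #ifdef.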
diff --git a/login-utils/Makemodule.am b/login-utils/Makemodule.am
index 34c5fb4..47291af 100644
--- a/login-utils/Makemodule.am
+++ b/login-utils/Makemodule.am
@@ -50,7 +50,10 @@ login_SOURCES = \
 	login-utils/login.c \
 	login-utils/logindefs.c \
 	login-utils/logindefs.h
-login_LDADD = $(LDADD) libcommon.la -lpam -lpam_misc
+login_LDADD = $(LDADD) libcommon.la -lpam
+if HAVE_LINUXPAM
+login_LDADD += -lpam_misc
+endif
 if HAVE_AUDIT
 login_LDADD += -laudit
 endif
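Review bot: The "-lpam" plus conditional "-lpam_misc" pattern introduced here for login_LDADD is repeated for chfn_chsh_ldadd, su_LDADD and runuser_LDADD below. A single variable set once (for example a PAM_LIBS substituted from configure.ac) would keep the four link lines in sync and leave one place to change if the two PAM implementations ever need different flags.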
@@ -86,11 +89,14 @@ chfn_chsh_ldflags = $(SUID_LDFLAGS) $(AM_LDFLAGS)
 chfn_chsh_ldadd = libcommon.la
 
 if CHFN_CHSH_PASSWORD
-chfn_chsh_ldadd += -lpam -lpam_misc
+chfn_chsh_ldadd += -lpam
+if HAVE_LINUXPAM
+chfn_chsh_ldadd += -lpam_misc
+endif
 chfn_chsh_sources += \
 	login-utils/auth.c \
 	login-utils/auth.h
-endif
+endif # CHFN_CHSH_PASSWORD
 
 if HAVE_USER
 chfn_chsh_ldflags += $(LIBUSER_LIBS)
@@ -136,8 +142,11 @@ su_SOURCES = \
 	login-utils/logindefs.h
 su_CFLAGS = $(SUID_CFLAGS) $(AM_CFLAGS)
 su_LDFLAGS = $(SUID_LDFLAGS) $(AM_LDFLAGS)
-su_LDADD = $(LDADD) libcommon.la -lpam -lpam_misc
+su_LDADD = $(LDADD) libcommon.la -lpam
+if HAVE_LINUXPAM
+su_LDADD += -lpam_misc
 endif
+endif # BUILD_SU
 
 
 if BUILD_RUNUSER
@@ -149,8 +158,11 @@ runuser_SOURCES = \
 	login-utils/su-common.h \
 	login-utils/logindefs.c \
 	login-utils/logindefs.h
-runuser_LDADD = $(LDADD) libcommon.la -lpam -lpam_misc
+runuser_LDADD = $(LDADD) libcommon.la -lpam
+if HAVE_LINUXPAM
+runuser_LDADD += -lpam_misc
 endif
+endif # BUILD_RUNUSER
 
 
 if BUILD_NEWGRP
diff --git a/login-utils/auth.c b/login-utils/auth.c
index 18312d4..aaf6c53 100644
--- a/login-utils/auth.c
+++ b/login-utils/auth.c
@@ -7,7 +7,6 @@
  *   there is no warranty.
  *
  */
-
 #include "auth.h"
 #include "pamfail.h"
 
@@ -15,7 +14,11 @@ int auth_pam(const char *service_name, uid_t uid, const char *username)
 {
 	if (uid != 0) {
 		pam_handle_t *pamh = NULL;
+#ifdef HAVE_SECURITY_PAM_MISC_H
 		struct pam_conv conv = { misc_conv, NULL };
+#elif defined(HAVE_SECURITY_OPENPAM_H)
+		struct pam_conv conv = { openpam_ttyconv, NULL };
+#endif
 		int retcode;
 
 		retcode = pam_start(service_name, username, &conv, &pamh);
diff --git a/login-utils/login.c b/login-utils/login.c
index 5546435..540554e 100644
--- a/login-utils/login.c
+++ b/login-utils/login.c
@@ -55,7 +55,11 @@
 #include <netdb.h>
 #include <lastlog.h>
 #include <security/pam_appl.h>
-#include <security/pam_misc.h>
+#ifdef HAVE_SECURITY_PAM_MISC_H
+# include <security/pam_misc.h>
+#elif defined(HAVE_SECURITY_OPENPAM_H)
+# include <security/openpam.h>
+#endif
 #include <sys/sendfile.h>
 
 #ifdef HAVE_LIBAUDIT
@@ -1124,9 +1128,14 @@ int main(int argc, char **argv)
 	struct passwd *pwd = NULL, _pwd;
 
 	struct login_context cxt = {
-		.tty_mode = TTY_MODE,		/* tty chmod() */
-		.pid = getpid(),		/* PID */
-		.conv = { misc_conv, NULL }	/* PAM conversation function */
+		.tty_mode = TTY_MODE,		  /* tty chmod() */
+		.pid = getpid(),		  /* PID */
+#ifdef HAVE_SECURITY_PAM_MISC_H
+		.conv = { misc_conv, NULL }	  /* Linux-PAM conversation function */
+#elif defined(HAVE_SECURITY_OPENPAM_H)
+		.conv = { openpam_ttyconv, NULL } /* OpenPAM conversation function */
+#endif
+
 	};
 
 	timeout = (unsigned int)getlogindefs_num("LOGIN_TIMEOUT", LOGIN_TIMEOUT);
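Review bot: The login_context initializer has no #else branch, so when neither HAVE_SECURITY_PAM_MISC_H nor HAVE_SECURITY_OPENPAM_H is defined the .conv member is simply omitted and left zero-initialized: the file still compiles, with a NULL conversation function. Add an #else with #error so that case fails at build time. The re-indented comments on .tty_mode and .pid and the blank line added before the closing brace are whitespace noise and can be dropped.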
diff --git a/login-utils/su-common.c b/login-utils/su-common.c
index eb3b844..57038ce 100644
--- a/login-utils/su-common.c
+++ b/login-utils/su-common.c
@@ -50,7 +50,11 @@ enum
 #include <pwd.h>
 #include <grp.h>
 #include <security/pam_appl.h>
-#include <security/pam_misc.h>
+#ifdef HAVE_SECURITY_PAM_MISC_H
+# include <security/pam_misc.h>
+#elif defined(HAVE_SECURITY_OPENPAM_H)
+# include <security/openpam.h>
+#endif
 #include <signal.h>
 #include <sys/wait.h>
 #include <syslog.h>
@@ -220,8 +224,11 @@ static int su_pam_conv(int num_msg, const struct pam_message **msg,
 	    && msg
 	    && msg[0]->msg_style == PAM_TEXT_INFO)
 		return PAM_SUCCESS;
-
+#ifdef HAVE_SECURITY_PAM_MISC_H
 	return misc_conv(num_msg, msg, resp, appdata_ptr);
+#elif defined(HAVE_SECURITY_OPENPAM_H)
+	return openpam_ttyconv(num_msg, msg, resp, appdata_ptr);
+#endif
 }
 
 static struct pam_conv conv =
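Review bot: su_pam_conv() has no #else branch around its final return, so with neither HAVE_SECURITY_PAM_MISC_H nor HAVE_SECURITY_OPENPAM_H defined the function reaches its closing brace without returning a value. configure.ac in this patch gates su and runuser on security_pam_appl_h only, so that configuration is not ruled out. Add an #else with #error (or a return of PAM_CONV_ERR) to make the failure explicit.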
-- 
1.8.3.1



* Re: login-utils: Enable building util-linux against OpenPAM
  2014-12-10  2:40 login-utils: Enable building util-linux against OpenPAM Will Johansson
  2014-12-10  2:40 ` [PATCH] " Will Johansson
@ 2014-12-15  9:19 ` Karel Zak
  2014-12-15 11:45   ` Will Johansson
  2014-12-15 11:46   ` Will Johansson
  1 sibling, 2 replies; 6+ messages in thread
From: Karel Zak @ 2014-12-15  9:19 UTC (permalink / raw)
  To: Will Johansson; +Cc: util-linux

On Tue, Dec 09, 2014 at 06:40:30PM -0800, Will Johansson wrote:
> I recently experimented with cross-compiling for embedded devices, and
> sought to try out util-linux with OpenPAM instead of Linux-PAM because
> OpenPAM was simpler to cross-compile. Unfortunately for me, it did not
> work out of the box, so I decided to try to patch util-linux to support
> compiling against OpenPAM. Turned out to be a fairly simple exercise.
> 
> This is the fruit of my efforts. There is a caveat, which I will

 Applied, thanks.

> be happy to address if it's a problem. The patch's configuration does
> not support building if you happen to have both Linux-PAM and OpenPAM
> in your build paths. I could update it to prefer Linux-PAM by default.
> I'm not sure how it would work if OpenPAM libraries are also in the
> search path, as -lpam is used by both Linux-PAM and OpenPAM (probably
> undefined behavior).
> 
> Either way, it should compile fine against Linux-PAM and OpenPAM.
> There are some unused variables in login.c, but that seems to have to do
> with _HAVE_UT_TV, which is not the case in my configuration. I'm
> more than happy to provide a separate patch to wrap the unused
> variables with an #ifdef _HAVE_UT_TV.

 I don't have OpenPAM, so I'm not able to verify usability, but it
 would be nice to have a build without warnings.

    Karel


-- 
 Karel Zak  <kzak@redhat.com>
 http://karelzak.blogspot.com


* Re: login-utils: Enable building util-linux against OpenPAM
  2014-12-15  9:19 ` Karel Zak
@ 2014-12-15 11:45   ` Will Johansson
  2014-12-15 11:46   ` Will Johansson
  1 sibling, 0 replies; 6+ messages in thread
From: Will Johansson @ 2014-12-15 11:45 UTC (permalink / raw)
  To: Karel Zak; +Cc: util-linux


Hi Karel,

Thanks for applying. I have a small patch for _HAVE_UT_TV incoming in a few
minutes.

Turns out it was because musl-libc doesn't define _HAVE_UT_TV, even though
musl-libc's utmp struct does have a ut_tv field. There are two options: 1.)
I could patch upstream musl-libc to define _HAVE_UT_TV or 2.) detect
musl-libc somehow. I think I prefer the first option.

Thanks again,

Will

On Mon, Dec 15, 2014 at 1:19 AM, Karel Zak <kzak@redhat.com> wrote:
>
> On Tue, Dec 09, 2014 at 06:40:30PM -0800, Will Johansson wrote:
> > I recently experimented with cross-compiling for embedded devices, and
> > sought to try out util-linux with OpenPAM instead of Linux-PAM because
> > OpenPAM was simpler to cross-compile. Unfortunately for me, it did not
> > work out of the box, so I decided to try to patch util-linux to support
> > compiling against OpenPAM. Turned out to be a fairly simple exercise.
> >
> > This is the fruit of my efforts. There is a caveat, which I will
>
>  Applied, thanks.
>
> > be happy to address if it's a problem. The patch's configuration does
> > not support building if you happen to have both Linux-PAM and OpenPAM
> > in your build paths. I could update it to prefer Linux-PAM by default.
> > I'm not sure how it would work if OpenPAM libraries are also in the
> > search path, as -lpam is used by both Linux-PAM and OpenPAM (probably
> > undefined behavior).
> >
> > Either way, it should compile fine against Linux-PAM and OpenPAM.
> > There are some unused variables in login.c, but that seems to have to do
> > with _HAVE_UT_TV, which is not the case in my configuration. I'm
> > more than happy to provide a separate patch to wrap the unused
> > variables with an #ifdef _HAVE_UT_TV.
>
>  I don't have OpenPAM, so I'm not able to verify usability, but it
>  would be nice to have a build without warnings.
>
>     Karel
>
>
> --
>  Karel Zak  <kzak@redhat.com>
>  http://karelzak.blogspot.com
>


-- 
Will Johansson


* Re: login-utils: Enable building util-linux against OpenPAM
  2014-12-15  9:19 ` Karel Zak
  2014-12-15 11:45   ` Will Johansson
@ 2014-12-15 11:46   ` Will Johansson
  2014-12-15 12:47     ` Karel Zak
  1 sibling, 1 reply; 6+ messages in thread
From: Will Johansson @ 2014-12-15 11:46 UTC (permalink / raw)
  To: Karel Zak; +Cc: util-linux

Hi Karel,

Thanks for applying. I have a small patch for _HAVE_UT_TV incoming in
a few minutes.

Turns out it was because musl-libc doesn't define _HAVE_UT_TV, even
though musl-libc's utmp struct does have a ut_tv field. There are two
options: 1.) I could patch upstream musl-libc to define _HAVE_UT_TV or
2.) detect musl-libc somehow. I think I prefer the first option.

Thanks again,

Will

On Mon, Dec 15, 2014 at 1:19 AM, Karel Zak <kzak@redhat.com> wrote:
> On Tue, Dec 09, 2014 at 06:40:30PM -0800, Will Johansson wrote:
>> I recently experimented with cross-compiling for embedded devices, and
>> sought to try out util-linux with OpenPAM instead of Linux-PAM because
>> OpenPAM was simpler to cross-compile. Unfortunately for me, it did not
>> work out of the box, so I decided to try to patch util-linux to support
>> compiling against OpenPAM. Turned out to be a fairly simple exercise.
>>
>> This is the fruit of my efforts. There is a caveat, which I will
>
>  Applied, thanks.
>
>> be happy to address if it's a problem. The patch's configuration does
>> not support building if you happen to have both Linux-PAM and OpenPAM
>> in your build paths. I could update it to prefer Linux-PAM by default.
>> I'm not sure how it would work if OpenPAM libraries are also in the
>> search path, as -lpam is used by both Linux-PAM and OpenPAM (probably
>> undefined behavior).
>>
>> Either way, it should compile fine against Linux-PAM and OpenPAM.
>> There are some unused variables in login.c, but that seems to have to do
>> with _HAVE_UT_TV, which is not the case in my configuration. I'm
>> more than happy to provide a separate patch to wrap the unused
>> variables with an #ifdef _HAVE_UT_TV.
>
>  I don't have OpenPAM, so I'm not able to verify usability, but it
>  would be nice to have a build without warnings.
>
>     Karel
>
>
> --
>  Karel Zak  <kzak@redhat.com>
>  http://karelzak.blogspot.com



-- 
Will Johansson


* Re: login-utils: Enable building util-linux against OpenPAM
  2014-12-15 11:46   ` Will Johansson
@ 2014-12-15 12:47     ` Karel Zak
  0 siblings, 0 replies; 6+ messages in thread
From: Karel Zak @ 2014-12-15 12:47 UTC (permalink / raw)
  To: Will Johansson; +Cc: util-linux

On Mon, Dec 15, 2014 at 03:46:55AM -0800, Will Johansson wrote:
> Hi Karel,
> 
> Thanks for applying. I have a small patch for _HAVE_UT_TV incoming in
> a few minutes.
> 
> Turns out it was because musl-libc doesn't define _HAVE_UT_TV, even
> though musl-libc's utmp struct does have a ut_tv field. There are two
> options: 1.) I could patch upstream musl-libc to define _HAVE_UT_TV or
> 2.) detect musl-libc somehow. I think I prefer the first option.

Well, you have to care about already released musl-libc -- it's easy to detect
that by AC_CHECK_MEMBERS() in configure.ac. It would be nice to fix
the problem in util-linux code independently of your item 1).

    Karel

-- 
 Karel Zak  <kzak@redhat.com>
 http://karelzak.blogspot.com
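
The AC_CHECK_MEMBERS() approach suggested in the reply above, as an added configure.ac sketch that is not part of this thread or of util-linux: it probes for the ut_tv member itself instead of relying on the libc defining _HAVE_UT_TV. Where it would sit in configure.ac, and the use of the generated HAVE_STRUCT_UTMP_UT_TV macro in login.c, are assumptions.

```m4
dnl Added example (not util-linux code): detect struct utmp.ut_tv by
dnl compiling a probe, so a libc that has the field but does not define
dnl _HAVE_UT_TV (the musl-libc case described in this thread) is still
dnl recognised, including already released versions.
dnl
dnl The fourth argument matters: <utmp.h> is not among autoconf's
dnl default includes, so without it struct utmp is an incomplete type
dnl in the probe and the check reports "no" on every libc.
AC_CHECK_MEMBERS([struct utmp.ut_tv], [], [], [[
#include <sys/types.h>
#include <utmp.h>
]])

dnl When the member exists, config.h gains:
dnl   #define HAVE_STRUCT_UTMP_UT_TV 1
dnl
dnl Assumed use on the C side: test the generated macro wherever the
dnl code currently keys on _HAVE_UT_TV, for example
dnl   #if defined(HAVE_STRUCT_UTMP_UT_TV) || defined(_HAVE_UT_TV)
dnl so the timeval variables are declared and used on the same branch
dnl and the unused-variable warnings go away.
```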

