--- debian/libpam-modules-bin.install | 3 - debian/patches/hurd-fix.patch | 276 ++++++++++++++++++++++++++++++ debian/patches/hurd_no_setfsuid | 84 --------- debian/patches/series | 3 +- 4 files changed, 277 insertions(+), 89 deletions(-) create mode 100644 debian/patches/hurd-fix.patch delete mode 100644 debian/patches/hurd_no_setfsuid
diff --git a/debian/libpam-modules-bin.install b/debian/libpam-modules-bin.install
index 3c70ef6f..2e6001b8 100644
--- a/debian/libpam-modules-bin.install
+++ b/debian/libpam-modules-bin.install
@@ -1,8 +1,5 @@
 usr/sbin/unix_chkpwd
-usr/sbin/unix_update
 usr/sbin/mkhomedir_helper
-usr/sbin/pam_namespace_helper
 usr/sbin/pwhistory_helper
 usr/sbin/pam_timestamp_check
 usr/sbin/faillock
-usr/lib/systemd/system/pam_namespace.service
diff --git a/debian/patches/hurd-fix.patch b/debian/patches/hurd-fix.patch
new file mode 100644
index 00000000..bab0717c
--- /dev/null
+++ b/debian/patches/hurd-fix.patch
@@ -0,0 +1,276 @@
+diff --git a/examples/tty_conv.c b/examples/tty_conv.c
+index 59bbb3b3..0a7af97c 100644
+--- a/examples/tty_conv.c
++++ b/examples/tty_conv.c
+@@ -8,7 +8,6 @@
+ #include <unistd.h>
+ #include <termios.h>
+ #include <security/pam_appl.h>
+-#include <sys/ioctl.h>
+ 
+ /***************************************
+ * @brief echo off/on
+@@ -18,7 +17,7 @@
+ static void echoOff(int fd, int off)
+ {
+ struct termios tty;
+- if (ioctl(fd, TCGETA, &tty) < 0)
++ if (tcgetattr(fd, &tty) < 0)
+ {
+ fprintf(stderr, "TCGETA failed: %s\n", strerror(errno));
+ return;
+@@ -27,7 +26,7 @@ static void echoOff(int fd, int off)
+ if (off)
+ {
+ tty.c_lflag &= ~(ECHO | ECHOE | ECHOK | ECHONL);
+- if (ioctl(fd, TCSETAF, &tty) < 0)
++ if (tcsetattr(fd, TCSAFLUSH, &tty) < 0)
+ {
+ fprintf(stderr, "TCSETAF failed: %s\n", strerror(errno));
+ }
+@@ -35,7 +34,7 @@ static void echoOff(int fd, int off)
+ else
+ {
+ tty.c_lflag |= (ECHO | ECHOE | ECHOK | ECHONL);
+- if (ioctl(fd, TCSETAW, &tty) < 0)
++ if (tcsetattr(fd, TCSADRAIN, &tty) < 0)
+ {
+ fprintf(stderr, "TCSETAW failed: %s\n", strerror(errno));
+ }
+diff --git a/libpam/include/pam_hurd_max_stub.h b/libpam/include/pam_hurd_max_stub.h
+new file mode 100644
+index 00000000..c3c9b510
+--- /dev/null
++++ b/libpam/include/pam_hurd_max_stub.h
+@@ -0,0 +1,11 @@
++#ifndef PAM_HURD_MAX_STUB_H
++#define PAM_HURD_MAX_STUB_H
++
++/*
++ * Define PATH_MAX if not available
++ */
++#ifndef PATH_MAX
++#define PATH_MAX 4096
++#endif
++
++#endif
+diff --git a/libpam/pam_modutil_priv.c b/libpam/pam_modutil_priv.c
+index a463e06a..7df6e6b1 100644
+--- a/libpam/pam_modutil_priv.c
++++ b/libpam/pam_modutil_priv.c
+@@ -14,7 +14,9 @@
+ #include <syslog.h>
+ #include <pwd.h>
+ #include <grp.h>
++#ifdef HAVE_SYS_FSUID_H
+ #include <sys/fsuid.h>
++#endif /* HAVE_SYS_FSUID_H */
+ 
+ /*
+ * Two setfsuid() calls in a row are necessary to check
+@@ -22,17 +24,55 @@
+ */
+ static int change_uid(uid_t uid, uid_t *save)
+ {
++#ifdef HAVE_SYS_FSUID_H
+ uid_t 
tmp = setfsuid(uid);
+ if (save)
+ *save = tmp;
+ return (uid_t) setfsuid(uid) == uid ? 0 : -1;
++#else
++ uid_t euid = geteuid();
++ uid_t ruid = getuid();
++ if (save)
++ *save = ruid;
++ if (ruid == uid && uid != 0)
++ if (setreuid(euid, uid))
++ return -1;
++ else {
++ setreuid(0, -1);
++ if (setreuid(-1, uid)) {
++ setreuid(-1, 0);
++ setreuid(0, -1);
++ if (setreuid(-1, uid))
++ return -1;
++ }
++ }
++#endif
+ }
+ static int change_gid(gid_t gid, gid_t *save)
+ {
++#ifdef HAVE_SYS_FSUID_H
+ gid_t tmp = setfsgid(gid);
+ if (save)
+ *save = tmp;
+ return (gid_t) setfsgid(gid) == gid ? 0 : -1;
++#else
++ gid_t egid = getegid();
++ gid_t rgid = getgid();
++ if (save)
++ *save = rgid;
++ if (rgid == gid)
++ if (setregid(egid, gid))
++ return -1;
++ else {
++ setregid(0, -1);
++ if (setregid(-1, gid)) {
++ setregid(-1, 0);
++ setregid(0, -1);
++ if (setregid(-1, gid))
++ return -1;
++ }
++ }
++#endif
+ }
+ 
+ static int cleanup(struct pam_modutil_privs *p)
+diff --git a/modules/pam_debug/tst-pam_debug-retval.c b/modules/pam_debug/tst-pam_debug-retval.c
+index e83c89d5..ae5772a3 100644
+--- a/modules/pam_debug/tst-pam_debug-retval.c
++++ b/modules/pam_debug/tst-pam_debug-retval.c
+@@ -11,6 +11,7 @@
+ #include <string.h>
+ #include <unistd.h>
+ #include <security/pam_appl.h>
++#include <pam_hurd_max_stub.h>
+ 
+ #define MODULE_NAME "pam_debug"
+ #define TEST_NAME "tst-" MODULE_NAME "-retval"
+diff --git a/modules/pam_deny/tst-pam_deny-retval.c b/modules/pam_deny/tst-pam_deny-retval.c
+index 665fcef4..3fa29591 100644
+--- a/modules/pam_deny/tst-pam_deny-retval.c
++++ b/modules/pam_deny/tst-pam_deny-retval.c
+@@ -11,6 +11,7 @@
+ #include <string.h>
+ #include <unistd.h>
+ #include <security/pam_appl.h>
++#include <pam_hurd_max_stub.h>
+ 
+ #define MODULE_NAME "pam_deny"
+ #define TEST_NAME "tst-" MODULE_NAME "-retval"
+diff --git a/modules/pam_echo/tst-pam_echo-retval.c b/modules/pam_echo/tst-pam_echo-retval.c
+index 8264cb0e..acceffd0 100644
+--- 
a/modules/pam_echo/tst-pam_echo-retval.c
++++ b/modules/pam_echo/tst-pam_echo-retval.c
+@@ -11,6 +11,7 @@
+ #include <string.h>
+ #include <unistd.h>
+ #include <security/pam_appl.h>
++#include <pam_hurd_max_stub.h>
+ 
+ #define MODULE_NAME "pam_echo"
+ #define TEST_NAME "tst-" MODULE_NAME "-retval"
+diff --git a/modules/pam_faildelay/tst-pam_faildelay-retval.c b/modules/pam_faildelay/tst-pam_faildelay-retval.c
+index 72b16ef9..a73876ad 100644
+--- a/modules/pam_faildelay/tst-pam_faildelay-retval.c
++++ b/modules/pam_faildelay/tst-pam_faildelay-retval.c
+@@ -11,6 +11,7 @@
+ #include <string.h>
+ #include <unistd.h>
+ #include <security/pam_appl.h>
++#include <pam_hurd_max_stub.h>
+ 
+ #define MODULE_NAME "pam_faildelay"
+ #define TEST_NAME "tst-" MODULE_NAME "-retval"
+diff --git a/modules/pam_localuser/tst-pam_localuser-retval.c b/modules/pam_localuser/tst-pam_localuser-retval.c
+index f6c22f97..1f576ab4 100644
+--- a/modules/pam_localuser/tst-pam_localuser-retval.c
++++ b/modules/pam_localuser/tst-pam_localuser-retval.c
+@@ -12,6 +12,7 @@
+ #include <string.h>
+ #include <unistd.h>
+ #include <security/pam_appl.h>
++#include <pam_hurd_max_stub.h>
+ 
+ #define MODULE_NAME "pam_localuser"
+ #define TEST_NAME "tst-" MODULE_NAME "-retval"
+diff --git a/modules/pam_mkhomedir/tst-pam_mkhomedir-retval.c b/modules/pam_mkhomedir/tst-pam_mkhomedir-retval.c
+index 282c5cd0..ada30f9b 100644
+--- a/modules/pam_mkhomedir/tst-pam_mkhomedir-retval.c
++++ b/modules/pam_mkhomedir/tst-pam_mkhomedir-retval.c
+@@ -14,6 +14,7 @@
+ #include <pwd.h>
+ #include <sys/stat.h>
+ #include <security/pam_appl.h>
++#include <pam_hurd_max_stub.h>
+ 
+ #define MODULE_NAME "pam_mkhomedir"
+ #define TEST_NAME "tst-" MODULE_NAME "-retval"
+diff --git a/modules/pam_nologin/tst-pam_nologin-retval.c b/modules/pam_nologin/tst-pam_nologin-retval.c
+index 4d44a380..47e3f2d1 100644
+--- a/modules/pam_nologin/tst-pam_nologin-retval.c
++++ b/modules/pam_nologin/tst-pam_nologin-retval.c
+@@ -12,6 +12,7 @@
+ 
#include <unistd.h>
+ #include <pwd.h>
+ #include <security/pam_appl.h>
++#include <pam_hurd_max_stub.h>
+ 
+ #define MODULE_NAME "pam_nologin"
+ #define TEST_NAME "tst-" MODULE_NAME "-retval"
+diff --git a/modules/pam_permit/tst-pam_permit-retval.c b/modules/pam_permit/tst-pam_permit-retval.c
+index aacdedba..a129bb82 100644
+--- a/modules/pam_permit/tst-pam_permit-retval.c
++++ b/modules/pam_permit/tst-pam_permit-retval.c
+@@ -11,6 +11,7 @@
+ #include <string.h>
+ #include <unistd.h>
+ #include <security/pam_appl.h>
++#include <pam_hurd_max_stub.h>
+ 
+ #define MODULE_NAME "pam_permit"
+ #define TEST_NAME "tst-" MODULE_NAME "-retval"
+diff --git a/modules/pam_rootok/tst-pam_rootok-retval.c b/modules/pam_rootok/tst-pam_rootok-retval.c
+index 990ee126..bb05a195 100644
+--- a/modules/pam_rootok/tst-pam_rootok-retval.c
++++ b/modules/pam_rootok/tst-pam_rootok-retval.c
+@@ -11,6 +11,7 @@
+ #include <string.h>
+ #include <unistd.h>
+ #include <security/pam_appl.h>
++#include <pam_hurd_max_stub.h>
+ 
+ #define MODULE_NAME "pam_rootok"
+ #define TEST_NAME "tst-" MODULE_NAME "-retval"
+diff --git a/modules/pam_warn/tst-pam_warn-retval.c b/modules/pam_warn/tst-pam_warn-retval.c
+index 48b1f311..83bf2aad 100644
+--- a/modules/pam_warn/tst-pam_warn-retval.c
++++ b/modules/pam_warn/tst-pam_warn-retval.c
+@@ -11,6 +11,7 @@
+ #include <string.h>
+ #include <unistd.h>
+ #include <security/pam_appl.h>
++#include <pam_hurd_max_stub.h>
+ 
+ #define MODULE_NAME "pam_warn"
+ #define TEST_NAME "tst-" MODULE_NAME "-retval"
+diff --git a/modules/pam_xauth/pam_xauth.c b/modules/pam_xauth/pam_xauth.c
+index 5e80b312..6c70b3f7 100644
+--- a/modules/pam_xauth/pam_xauth.c
++++ b/modules/pam_xauth/pam_xauth.c
+@@ -67,6 +67,10 @@
+ #include "pam_cc_compat.h"
+ #include "pam_inline.h"
+ 
++#ifndef HOST_NAME_MAX
++#define HOST_NAME_MAX 255
++#endif
++
+ #define DATANAME "pam_xauth_cookie_file"
+ #define XAUTHENV "XAUTHORITY"
+ #define HOMEENV "HOME"
+diff --git a/tests/tst-dlopen.c 
b/tests/tst-dlopen.c
+index cba3e9a8..118091ad 100644
+--- a/tests/tst-dlopen.c
++++ b/tests/tst-dlopen.c
+@@ -14,9 +14,7 @@
+ #include <limits.h>
+ #include <sys/stat.h>
+ 
+-#ifndef PATH_MAX
+-# define PATH_MAX 4096
+-#endif
++#include <pam_hurd_max_stub.h>
+ 
+ /* Simple program to see if dlopen() would succeed. */
+ int main(int argc, char **argv)
diff --git a/debian/patches/hurd_no_setfsuid b/debian/patches/hurd_no_setfsuid
deleted file mode 100644
index 16d8ba54..00000000
--- a/debian/patches/hurd_no_setfsuid
+++ /dev/null
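Review bot: In the `#else` fallback added to change_uid() and change_gid() in libpam/pam_modutil_priv.c, the `else` binds to the inner `if (setreuid(euid, uid))` rather than the outer `if (ruid == uid && uid != 0)`, so in the common cases (dropping from root to a user, or regaining root with uid 0) no id switch is attempted at all, and every path that does not reach `return -1` then falls off the end of a non-void function, which is undefined behaviour and hands the drop/regain caller an unspecified status; the setreuid()/setregid() results in the fallback sequence are also unchecked. This pam_modutil_priv.c portion is byte-identical to the hurd_no_setfsuid patch deleted below, so the problem is carried over rather than fixed. Bracing the conditionals, checking each call and finishing with an explicit status check like the setfsuid() branch is sketched below for change_uid(); change_gid() needs the mirror change. Two points I cannot verify from the diff: whether the meson configuration defines HAVE_SYS_FSUID_H on Linux (otherwise this fallback, not setfsuid(), is what gets built there), and whether storing the real id in `*save` while the switch changes the effective id matches what the regain path expects.
```c
static int change_uid(uid_t uid, uid_t *save)
{
#ifdef HAVE_SYS_FSUID_H
	/* … unchanged: setfsuid() path … */
#else
	uid_t euid = geteuid();
	uid_t ruid = getuid();
	if (save)
		*save = ruid;
	if (ruid == uid && uid != 0) {
		if (setreuid(euid, uid))
			return -1;
	} else {
		/* Raise the effective id to root first; fall back to the longer sequence. */
		if (setreuid(0, -1) || setreuid(-1, uid)) {
			if (setreuid(-1, 0) || setreuid(0, -1) || setreuid(-1, uid))
				return -1;
		}
	}
	/* Mirror the setfsuid() branch: report success only once the switch took. */
	return geteuid() == uid ? 0 : -1;
#endif
}
```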
@@ -1,84 +0,0 @@
-From: Sam Hartman <hartm...@debian.org>
-Date: Mon, 11 Sep 2023 14:00:42 -0600
-Subject: hurd_no_setfsuid
-
-On systems without setfsuid(), use setreuid() instead.
-
-Authors: Steve Langasek <vor...@debian.org>
-
-Upstream status: to be forwarded, now that pam_modutil_{drop,regain}_priv
- are implemented
----
- libpam/pam_modutil_priv.c | 40 ++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 40 insertions(+)
-
-diff --git a/libpam/pam_modutil_priv.c b/libpam/pam_modutil_priv.c
-index a463e06..7df6e6b 100644
---- a/libpam/pam_modutil_priv.c
-+++ b/libpam/pam_modutil_priv.c
-@@ -14,7 +14,9 @@
- #include <syslog.h>
- #include <pwd.h>
- #include <grp.h>
-+#ifdef HAVE_SYS_FSUID_H
- #include <sys/fsuid.h>
-+#endif /* HAVE_SYS_FSUID_H */
- 
- /*
- * Two setfsuid() calls in a row are necessary to check
-@@ -22,17 +24,55 @@
- */
- static int change_uid(uid_t uid, uid_t *save)
- {
-+#ifdef HAVE_SYS_FSUID_H
- uid_t tmp = setfsuid(uid);
- if (save)
- *save = tmp;
- return (uid_t) setfsuid(uid) == uid ? 0 : -1;
-+#else
-+ uid_t euid = geteuid();
-+ uid_t ruid = getuid();
-+ if (save)
-+ *save = ruid;
-+ if (ruid == uid && uid != 0)
-+ if (setreuid(euid, uid))
-+ return -1;
-+ else {
-+ setreuid(0, -1);
-+ if (setreuid(-1, uid)) {
-+ setreuid(-1, 0);
-+ setreuid(0, -1);
-+ if (setreuid(-1, uid))
-+ return -1;
-+ }
-+ }
-+#endif
- }
- static int change_gid(gid_t gid, gid_t *save)
- {
-+#ifdef HAVE_SYS_FSUID_H
- gid_t tmp = setfsgid(gid);
- if (save)
- *save = tmp;
- return (gid_t) setfsgid(gid) == gid ? 0 : -1;
-+#else
-+ gid_t egid = getegid();
-+ gid_t rgid = getgid();
-+ if (save)
-+ *save = rgid;
-+ if (rgid == gid)
-+ if (setregid(egid, gid))
-+ return -1;
-+ else {
-+ setregid(0, -1);
-+ if (setregid(-1, gid)) {
-+ setregid(-1, 0);
-+ setregid(0, -1);
-+ if (setregid(-1, gid))
-+ return -1;
-+ }
-+ }
-+#endif
- }
- 
- static int cleanup(struct pam_modutil_privs *p)
diff --git a/debian/patches/series b/debian/patches/series
index 1745a718..bc06b462 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,11 +10,10 @@ pam-limits-nofile-fd-setsize-cap
 008_modules_pam_limits_chroot
 040_pam_limits_log_failure
 045_pam_dispatch_jump_is_ignore
-# Broken after meson.build ; see #1095194
-# hurd_no_setfsuid
 PAM-manpage-section
 update-motd
 lib_security_multiarch_compat
 nullok_secure-compat.patch
 pam_mkhomedir_stat_before_opendir
 0018-Libpam-is-both-shared-and-static.patch
+hurd-fix.patch
-- Yuqian Yang <crup...@crupest.life>