[OpenAFS-devel] Current pthread PAM patch for Debian
Russ Allbery
rra@stanford.edu
Fri, 26 Aug 2005 15:17:41 -0700
For any who might be interested, this is the patch I'm currently using
(against 1.4rc1) for building pthread PAM modules on Debian. Yes, I know
the build hackery is ugly; I'm avoiding linking directly with the shared
libraries due to worries about stable ABIs. I'm not proposing this for
inclusion in the mainline source, and note that these PAM modules will
leak threads if you use the nofork option with a long-running daemon.
Note that this should work on other platforms besides Linux, but you'll
need to copy the Linux changes into the case sections for your local
platform.
--- openafs-1.3.87.orig/src/pam/Makefile.in
+++ openafs-1.3.87/src/pam/Makefile.in
@@ -25,7 +25,17 @@
afs_pam_msg.o afs_message.o AFS_component_version_number.o
OBJS = $(SHOBJS) test_pam.o
INCLUDES=-I${TOP_OBJDIR}/src/config -I${TOP_INCDIR}
-CFLAGS = ${DEBUG} ${INCLUDES} ${PAM_CFLAGS}
+CFLAGS = ${DEBUG} ${INCLUDES} ${PAM_CFLAGS} ${MT_CFLAGS}
+
+# For Debian, we link directly with the object files that would have gone
+# into the libafsrpc and libafsauthent shared libraries. The shared libraries
+# themselves cannot be used because the interface isn't stable and they have
+# no SONAME, but this is the easiest way of getting PIC objects built with the
+# pthread API.
+SHLIB_OBJS := `ls ../shlibafsauthent/*.o | grep -v version_num` \
+ `ls ../shlibafsrpc/*.o | grep -v version_num`
+KRB_SHLIB_OBJS := `ls ../shlibafsauthent/*.o | egrep -v 'version_num|ktc.o'` \
+ `ls ../shlibafsrpc/*.o | grep -v version_num`
all: test_pam ${TOP_LIBDIR}/pam_afs.so.1 ${TOP_LIBDIR}/pam_afs.krb.so.1
@@ -39,14 +49,18 @@
${CC} ${CFLAGS} -c ${srcdir}/afs_auth.c -o afs_auth.o
afs_auth_krb.o: afs_auth.c afs_pam_msg.h afs_message.h afs_util.h
- ${CC} ${CFLAGS} -DAFS_KERBEROS_ENV -c ${srcdir}/afs_auth.c -o afs_auth_krb.o
+ ${CC} ${CFLAGS} -DAFS_KERBEROS_ENV -c ${srcdir}/afs_auth.c -o afs_auth_krb.o
afs_util.o: afs_util.c afs_pam_msg.h afs_message.h afs_util.h
${CC} ${CFLAGS} -c ${srcdir}/afs_util.c -o afs_util.o
+
afs_util_krb.o: afs_util.c afs_pam_msg.h afs_message.h afs_util.h
${CC} ${CFLAGS} -DAFS_KERBEROS_ENV -c ${srcdir}/afs_util.c -o afs_util_krb.o
+ktc.o: ${srcdir}/../auth/ktc.c
+ ${CC} ${CFLAGS} -DAFS_KERBEROS_ENV -c ${srcdir}/../auth/ktc.c
+
pam_afs.so.1: $(SHOBJS) afs_setcred.o afs_auth.o afs_util.o
set -x; \
case "$(SYS_NAME)" in \
@@ -59,8 +73,9 @@
afs_setcred.o afs_auth.o afs_util.o \
$(SHOBJS) $(LIBS) ;; \
*linux*) \
- $(CC) $(LDFLAGS) -o $@ afs_setcred.o \
- afs_auth.o afs_util.o $(SHOBJS) $(LIBS) ;;\
+ $(CC) $(LDFLAGS) $(PAM_CFLAGS) -o $@ afs_setcred.o \
+ afs_auth.o afs_util.o $(SHOBJS) $(SHLIB_OBJS) \
+ $(MT_LIBS) -lpam -lresolv;;\
*fbsd*| *nbsd*) \
$(CC) $(LDFLAGS) -o $@ afs_setcred.o \
afs_auth.o afs_util.o $(SHOBJS) $(LIBS) ;;\
@@ -68,7 +83,7 @@
echo No link line for system $(SYS_NAME). ;; \
esac
-pam_afs.krb.so.1: $(SHOBJS) afs_setcred_krb.o afs_auth_krb.o afs_util_krb.o
+pam_afs.krb.so.1: $(SHOBJS) afs_setcred_krb.o afs_auth_krb.o afs_util_krb.o ktc.o
set -x; \
case "$(SYS_NAME)" in \
hp_ux* | ia64_hpux*) \
@@ -81,7 +96,8 @@
$(SHOBJS) $(LDFLAGS) $(KLIBS) ;; \
*linux*) \
$(CC) $(LDFLAGS) -o $@ afs_setcred_krb.o \
- afs_auth_krb.o afs_util_krb.o $(SHOBJS) $(KLIBS) ;;\
+ afs_auth_krb.o afs_util_krb.o ktc.o $(SHOBJS) \
+ $(KRB_SHLIB_OBJS) $(MT_LIBS) -lpam -lresolv;;\
*fbsd*| *nbsd*) \
$(CC) $(LDFLAGS) -o $@ afs_setcred_krb.o \
afs_auth_krb.o afs_util_krb.o $(SHOBJS) $(KLIBS) ;;\
--- openafs-1.3.87.orig/src/pam/afs_setcred.c
+++ openafs-1.3.87/src/pam/afs_setcred.c
@@ -52,7 +52,7 @@
int refresh_token = 0;
int set_expires = 0; /* the default is to not to set the env variable */
int use_klog = 0;
- int i;
+ int i, code;
struct pam_conv *pam_convp = NULL;
char my_password_buf[256];
char *cell_ptr = NULL;
@@ -281,6 +281,11 @@
#endif
}
+ if ((code = rx_Init(0)) != 0) {
+ pam_afs_syslog(LOG_ERR, PAMAFS_KAERROR, code);
+ RET(PAM_AUTH_ERR);
+ }
+
if (flags & PAM_REFRESH_CRED) {
if (use_klog) {
auth_ok = !do_klog(user, password, "00:00:01", cell_ptr);
--- openafs-1.3.87.orig/src/pam/afs_auth.c
+++ openafs-1.3.87/src/pam/afs_auth.c
@@ -314,6 +314,10 @@
if (cpid <= 0) { /* The child process */
if (logmask && LOG_MASK(LOG_DEBUG))
syslog(LOG_DEBUG, "in child");
+ if ((code = rx_Init(0)) != 0) {
+ pam_afs_syslog(LOG_ERR, PAMAFS_KAERROR, code);
+ exit(0);
+ }
if (refresh_token || set_token)
code = ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION, user, /* kerberos name */
NULL, /* instance */
@@ -363,6 +367,10 @@
pam_afs_syslog(LOG_ERR, PAMAFS_PAMERROR, errno);
}
} else { /* dont_fork, used by httpd */
+ if ((code = rx_Init(0)) != 0) {
+ pam_afs_syslog(LOG_ERR, PAMAFS_KAERROR, code);
+ RET(PAM_AUTH_ERR);
+ }
if (logmask && LOG_MASK(LOG_DEBUG))
syslog(LOG_DEBUG, "dont_fork");
if (refresh_token || set_token)
--- openafs-1.3.87.orig/Makefile.in
+++ openafs-1.3.87/Makefile.in
@@ -507,8 +507,6 @@
# pthread based user space RX library
shlibafsrpc: rx rxkad des
case ${SYS_NAME} in \
- amd64_linux24) \
- echo Skipping shlibafsrpc for amd64_linux24 ;; \
alpha_dux*|sgi_*|sun4x_*|sunx86_*|rs_aix*|*linux*|hp_ux11*|ia64_hpux*) \
${COMPILE_PART1} shlibafsrpc ${COMPILE_PART2} ;; \
*) \
@@ -517,8 +515,6 @@
shlibafsauthent: ubik auth kauth shlibafsrpc
case ${SYS_NAME} in \
- amd64_linux24) \
- echo Skipping shlibafsauthent for amd64_linux24 ;; \
alpha_dux*|sgi_*|sun4x_*|sunx86_*|rs_aix*|*linux*|hp_ux11*|ia64_hpux*) \
${COMPILE_PART1} shlibafsauthent ${COMPILE_PART2} ;; \
*) \
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>