Before the change the login into users without passwords was failing:
https://github.com/NixOS/nixpkgs/issues/297920
It used to work when `linux-pam` used direct `shadow` access when run as
root. The switch to external helper has broken that use case.
Let's pull accepted upstream fix to restore empty password handling.
Without the change login fails at least in VM tests as:
$ nix build --no-link -f. gjs.tests -L
...
vm-test-run-gjs> machine # [ 6.331514] lightdm[1069]: PAM unable to dlopen(/nix/store/9p9ya5n7zi0smc3fb95ck2yvjma26dn5-linux-pam-1.5.3/lib/security/pam_lastlog.so): /nix/store/9p9ya5n7zi0smc3fb95ck2yvjma26dn5-linux-pam-1.5.3/lib/security/pam_lastlog.so: cannot open shared object file: No such file or directory
vm-test-run-gjs> machine # [ 6.332529] lightdm[1069]: PAM adding faulty module: /nix/store/9p9ya5n7zi0smc3fb95ck2yvjma26dn5-linux-pam-1.5.3/lib/security/pam_lastlog.so
Commit d0c42dfa "pam: bind Linux-PAM locales from pam-specific folder
(upstream patch)" added autoreconfHook269 into one of the postPatch
phases.
This clobbered the change applied by `suid-wrapper-path.patch` as it was
patching Makefile.in.
As a result `nixosTests.sway` test started failing as:
check pass; user unknown
Running `swaylock` on real system exhibited the same result.
As `suid-wrapper-path.patch` is clobbered we were running non-suid
version of `unix_chkpwd`:
/nix/store/...-linux-pam-1.5.2/sbin/unix_chkpwd
instead of SUID-wrapped
/run/wrappers/bin/unix_chkpw
The fix is trivial: move the patch from auto-generated file to
`Makefile.am`.
Discovered-by: Yureka
Without the change `pam` package looks up locales already registered via
`bindtextdomain()`:
- shadow: /nix/store/ymcln55n92xm25sk2pipqbcp5xghwc3j-shadow-4.13/share/locale/
- glibc: /nix/store/ibp4camsx1mlllwzh32yyqcq2r2xsy1a-glibc-2.37-8/share/locale
Note that there is no `pam` one in the list.
The change adds extra lookup location:
- linux-pam: /nix/store/k1lvsb3vyw2ijk9naamnay5nwc4mibda-linux-pam-1.5.2/share/locale
Before the change:
$ LANGUAGE=fi su
Password:
su: Authentication failure
After the change:
$ LANGUAGE=fi ./result-su/bin/su
Salasana:
su: Tunnistautumisvirhe
audit requires running linux-specific code during the build,
so it cannot be cross-compiled from darwin hosts. So we can only
enable audit support in pam when the buildPlatform is linux.
it looks like this build wasn't tested with musl-libc after upgrading to
1.5.1, and has been broken in this configuration since, as the removed
patch does not apply cleanly. the good news is it's been fixed upstream,
rendering it unnecessary.
So users don’t need to override the $out/etc/security files, we need
to manually set this to /etc. Override it in the install phase so that
we still get the example $out/etc/security files.
Fixes #76713
It turns out none of this stuff is needed. The docs aren't even built
properly anyways so the build trivially succeeds either way, due to what
looks like upstream misunderstanding automake. If I try to build the
docs manually in a cross shell (before and after this change), there's a
make rule error such that some HTML files aren't even attempted to be
built and then a copy fails.
Even if this was all fixed, there's been a good number of cross fixes
upstream getting them to use CC_FOR_BUILD and other good stuff, so I
doubt such hacks would be needed.
Progress towards #40531 and #33302.