#!/bin/sh
#
# Copyright 2005 Paul Blazejowski and Zach Borgerding <zborgerd@gmail.com>
# Copyright 2007 Dagmar d'Surreal
# Available under the terms of the GNU GPL.
#

# Package identity.  VERSION is also used further down to name the staged
# documentation directory.
NAME="pam"
VERSION="1.1.1"
REVISION="1"

# Upstream tarball location.  The single quotes keep $VERSION literal here, so
# it is presumably expanded later by the build framework -- confirm.
# NOTE(review): the URL is plain http:// and no checksum or signature check is
# visible in this script; confirm that the framework verifies the tarball
# before unpacking it, since the result sits in the authentication path.
PKG_SOURCEURL='http://www.kernel.org/pub/linux/libs/pam/library/Linux-PAM-$VERSION.tar.bz2'

# Extra files shipped alongside this script, addressed by index further down.
# NOTE(review): indexed assignment is array syntax that POSIX sh does not have,
# so the #!/bin/sh shebang only works where /bin/sh is bash.
# Entry 0 is listed here, but its applypatch call is commented out below.
PKG_PATCH[0]="pam-1.1.0-cracklib-authtok.patch"
PKG_PATCH[1]="pam-1.0.90-redhat-modules.patch"
PKG_PATCH[2]="pam-1.0.1-dropline-50-default.perms.patch"
# Not really "patches" here.  Just keeping the extra build stuff in the package.
PKG_PATCH[3]="config-util.5"
PKG_PATCH[4]="config-util.pamd"
PKG_PATCH[5]="dlopen.sh"
PKG_PATCH[6]="other.pamd"
PKG_PATCH[7]="pam-redhat-0.99.10-1.tar.bz2"
PKG_PATCH[8]="system-auth.5"
PKG_PATCH[9]="system-auth.pamd"
PKG_PATCH[10]='rc.removestalelocks'

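# Bootstrap a fail-closed PAM policy on the build host itself (this writes to
# the live /etc, not to the staging root).  "other" is the policy PAM falls
# back to for services that have no file of their own, so every facility is
# wired to pam_deny.so.  An existing file is never overwritten.
#
# mkdir -p succeeds quietly when the directory already exists, and still
# reports any other failure instead of hiding it behind 2>/dev/null.
mkdir -p /etc/pam.d
if [ ! -e /etc/pam.d/other ]; then
    # Quoted delimiter: the policy text is written verbatim, never expanded.
    cat << 'EOF' > /etc/pam.d/other
#%PAM-1.0
auth     required       pam_deny.so
account  required       pam_deny.so
password required       pam_deny.so
session  required       pam_deny.so
EOF
fi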

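# Load the build framework: site configuration first, then the helper
# functions used throughout the rest of this script.
# ${DLG_ROOT:?} stops the script when DLG_ROOT is unset or empty, rather than
# sourcing /config and /SCRIPTS/dropline-functions.sh from the filesystem root.
. "${DLG_ROOT:?DLG_ROOT must point at the build framework}/config"
. "${DLG_ROOT:?DLG_ROOT must point at the build framework}/SCRIPTS/dropline-functions.sh"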

# Both switches carry a free-text reason as their value; presumably the
# framework treats any non-empty value as "enabled" -- confirm.
PKG_DISABLESMP="This is yet another package with questionable makefiles."
PKG_NEEDSTATIC="It goes without saying since we are building static binaries."

# Append -fstack-protector-all to whatever optimisation flags are already set.
# The :+ form adds the separating space only when PKG_OPTLEVEL is non-empty.
PKG_OPTLEVEL="${PKG_OPTLEVEL:+$PKG_OPTLEVEL }-fstack-protector-all"

# These three are not defined in this file, so they are presumably helpers
# from the framework files sourced above; their exact effect is not visible here.
cflags
cxxflags
prepare

# This adds the extra modules that RedHat created, particularly pam_console
spewdo "cd $PKG_SRCROOT"
# findpatch appears to store the resolved path of the tarball in $filename
# (it is read on the next line) -- confirm against dropline-functions.sh.
findpatch filename ${PKG_PATCH[7]}
spewdo "tar xjf $filename"
# The directory name is hard-coded and has to track the version in PKG_PATCH[7].
spewdo "mv pam-redhat-0.99.10-1/* modules/"

# Patch 0 (pam-1.1.0-cracklib-authtok.patch) is commented out, so only
# patches 1 and 2 are applied.  The second argument is presumably the strip
# level handed to patch -- confirm.
#applypatch 0 1
applypatch 1 1
applypatch 2 1

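# Copy each module's README into the staged doc directory
# ($PKG_PREFIX/doc/pam-$VERSION/) as README.<module directory name>.
mkdir -p "$PKG_STAGEROOT$PKG_PREFIX/doc/pam-$VERSION/"
for readme in modules/pam_*/README ; do
        # An unmatched glob stays literal; skip it instead of letting cp fail.
        [ -f "${readme}" ] || continue
        # modules/pam_foo/README -> modules/pam_foo, without spawning dirname
        # and sed; the leading modules/ is stripped in the cp line below.
        readme_module="${readme%/README}"
        cp -f "${readme}" "$PKG_STAGEROOT$PKG_PREFIX/doc/pam-$VERSION/README.${readme_module#modules/}"
done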

# Framework helper (not defined in this file); what it inspects is not
# visible here.
analyzesource

# Private prefix under the work root.  The Berkeley DB build below installs
# into it, the PAM build points CPPFLAGS/LDFLAGS at it, and it is removed
# again at the end of the script.
PKG_TMPLIBS=$PKG_WORKROOT/tmplibs
# Non threaded build of BDB just to get the static libdb.a for PAM linkage
# Everything runs in a subshell, so the NAME/VERSION/PKG_* overrides below do
# not carry over into the PAM build that follows.
(

createdir $PKG_TMPLIBS/lib$LIBSUFFIX
PKG_BUILDDIR="build_unix"
PKG_SRCREL="../dist"

# This is subtly wrong but I don't have time to fix it now. --Dagmar
NAME="db"
VERSION="4.7.25"
# NOTE(review): plain http:// again, and no integrity check is visible in this
# script -- confirm that the framework verifies the download.
PKG_SOURCEURL='http://download.oracle.com/berkeley-db/db-$VERSION.NC.tar.gz'

# Sourced a second time, presumably so the framework recomputes its derived
# settings from the NAME/VERSION just assigned -- confirm.
. $DLG_ROOT/config
. $DLG_ROOT/SCRIPTS/dropline-functions.sh

cflags
cxxflags
prepare
analyzesource
# Static-only (--disable-shared), PIC (--with-pic) library installed under
# $PKG_TMPLIBS, with the language bindings, RPC, the 1.85 compatibility
# pieces and BDB's own cryptography support switched off.
configure -C \
	--disable-cryptography \
	--disable-compat185 \
        --disable-cxx \
        --disable-diagnostic \
        --disable-dump185 \
        --disable-java \
        --disable-tcl \
        --disable-rpc \
        --disable-shared \
        --with-pic \
        --with-mutex="UNIX/fcntl" \
        --prefix=$PKG_TMPLIBS \
        --includedir=$PKG_TMPLIBS/include \
        --libdir=$PKG_TMPLIBS/lib$LIBSUFFIX	
make
makecheck
PKG_DESTDIRVAR=$PKG_TMPLIBS
makeinstall
# If we weren't already doing something else incorrectly, this would really
# screw some things up for us.
cleanup
# NOTE(review): no `set -e` is visible in this file, so the subshell's status
# is that of its last command (cleanup).  Unless the helpers above exit on
# their own when they fail, a broken libdb build would not trigger this exit.
) || exit 1

# And finally we're building PAM, yay!
# Point the preprocessor and linker at the private static libdb built above.
# These assignments replace any CPPFLAGS/LDFLAGS already in the environment.
export CPPFLAGS=-I$PKG_TMPLIBS/include
export LDFLAGS=-L$PKG_TMPLIBS/lib$LIBSUFFIX
export LIBNAME="lib$LIBSUFFIX"
# The build system has to be regenerated because of the patches applied earlier.
autoreconf
# NOTE(review): --disable-selinux, --disable-prelude and --disable-audit build
# PAM without SELinux, Prelude IDS and Linux audit integration, so
# authentication events will not reach the audit subsystem from these
# modules -- confirm that is intended for the target system.
# --enable-static-libpam asks for a static libpam; --enable-fakeroot is given
# the staging root, presumably so install-time paths land there -- confirm.
configure --libdir=/lib$LIBSUFFIX \
	  --disable-selinux \
	  --disable-prelude \
	  --disable-audit \
	  --enable-static-libpam \
	  --enable-fakeroot=$PKG_STAGEROOT \
	  --enable-isadir=../../lib$LIBSUFFIX/security
        
# Python stuff in docs gives sandbox problems
# Rewrites "modules doc examples" to "modules" in the generated Makefile, so
# the doc and examples directories drop out of that list.
sed -i -e 's|modules doc examples|modules|' Makefile
	
# Flip the NDBM detection results in Make.Rules from yes to no; presumably so
# the database-backed module uses the static libdb built above instead of a
# system ndbm -- confirm.
sed -i -e "s:^HAVE_NDBM_H=yes:HAVE_NDBM_H=no:" \
	-e "s:^HAVE_LIBNDBM=yes:HAVE_LIBNDBM=no:" \
	Make.Rules
make

# On the first time build you need to disable makecheck as it will fail to do the tests.
# Install those libraries and then rebuild the package with makecheck step enabled.
# If it passes all tests the pam should be ok.
# NOTE(review): while this stays commented out, PAM's own test suite never
# runs in this script; the dlopen loop further down is the only load test.
#makecheck

# Install into the staging root.  LDCONFIG is set to the empty string,
# presumably so the install rules do not run ldconfig on the build host.
make install DESTDIR=$PKG_STAGEROOT LDCONFIG=""

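# Throw away the modules that we're simply not interested in.
# NOTE(review): this deletes the module *source* directories under
# $PKG_SRCROOT, and it runs after `make install`.  What is visible in this
# script is that the later man-page install and the "every directory built a
# module" check then skip these names; any .so that was already staged for
# them is not removed here -- confirm whether a later step drops them.
# ${PKG_SRCROOT:?} aborts rather than letting rm -rf act on /modules/... when
# the variable is empty.
for filename in chroot tally2 postgresok rps selinux sepermit tty_audit; do
  rm -rf -- "${PKG_SRCROOT:?PKG_SRCROOT is empty}/modules/pam_$filename"
done
# ...which means we no longer need this
# The :? guard is expanded here, before spewdo sees the command string, so an
# empty staging root stops the script instead of pointing rm at /var.
spewdo "rm -rf ${PKG_STAGEROOT:?PKG_STAGEROOT is empty}/var/lib/run/sepermit/"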

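# Forcibly strip binaries.
# Every path below is guarded with ${PKG_STAGEROOT:?}: with an empty staging
# root these commands would strip and re-own the build host's own /sbin.
spewdo "strip -g ${PKG_STAGEROOT:?PKG_STAGEROOT is empty}/sbin/*"

# /sbin/unix_chkpwd has to be set setgid shadow, or else apps that use
# it, like xscreensaver, cannot auth when checking the password.
# Ownership is set before the mode because chown can clear set-id bits.
# owner:group uses the POSIX colon separator; the dotted form is a legacy
# spelling that is ambiguous when a user name contains a dot.
spewdo "chown root:shadow ${PKG_STAGEROOT:?PKG_STAGEROOT is empty}/sbin/unix_chkpwd"
spewdo "chmod 2755 ${PKG_STAGEROOT:?PKG_STAGEROOT is empty}/sbin/unix_chkpwd"

# /sbin/pam_timestamp_check needs to be setuid root, or it throws errors.
# NOTE(review): these are the only two set-id binaries this script creates;
# re-check both when the PAM version changes.
spewdo "chown root:root ${PKG_STAGEROOT:?PKG_STAGEROOT is empty}/sbin/pam_timestamp_check"
spewdo "chmod 4755 ${PKG_STAGEROOT:?PKG_STAGEROOT is empty}/sbin/pam_timestamp_check"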

# Stage the two pam.d policies that ship with the package.
createdir $PKG_STAGEROOT/etc/pam.d
# "other" is the fallback policy for services without a file of their own.
# NOTE(review): the contents of other.pamd are not visible here; confirm it is
# fail-closed (pam_deny) like the bootstrap copy this script writes to the
# build host's /etc/pam.d/other.
findpatch filename other.pamd
spewdo "cp $filename $PKG_STAGEROOT/etc/pam.d/other"

# NOTE(review): config-util.pamd is listed in PKG_PATCH[4] but no line in this
# script installs it -- confirm whether that is intended.
findpatch filename system-auth.pamd
spewdo "cp $filename $PKG_STAGEROOT/etc/pam.d/system-auth"

# Install man pages.
# NOTE(review): man{3,5,8} relies on brace expansion, which bash provides but
# POSIX sh does not; under a strict /bin/sh this would create one directory
# literally named "man{3,5,8}".
install -d -m 755 $PKG_STAGEROOT$PKG_PREFIX/man/man{3,5,8}
# Pages are installed mode 644.
install -m 644 doc/man/*.3 $PKG_STAGEROOT$PKG_PREFIX/man/man3
install -m 644 doc/man/*.5 $PKG_STAGEROOT$PKG_PREFIX/man/man5
install -m 644 doc/man/*.8 $PKG_STAGEROOT$PKG_PREFIX/man/man8

# We'll make all of this prettier later on...  Copying over the module
# manfiles as well... There are no module man3's, so we won't bother.
install -m 644 modules/pam_*/*.5 $PKG_STAGEROOT$PKG_PREFIX/man/man5
install -m 644 modules/pam_*/*.8 $PKG_STAGEROOT$PKG_PREFIX/man/man8

# And a few we use for pam.d configs.
# These come from the package's own directory under $DLG_COREREPOS rather
# than from the PAM source tree.
install -m 644 $DLG_COREREPOS/$NAME/*.5 $PKG_STAGEROOT$PKG_PREFIX/man/man5

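# Make sure every module subdirectory gave us a module.  Yes, this is hackish.
# For each remaining modules/pam_* source directory, at least one staged
# <directory name>*.so must exist; ls prints the matches into the build log
# and its exit status drives the check.
# NOTE(review): this is a prefix match, so (constructed example) a directory
# pam_foo would also be satisfied by pam_foobar.so.
for dir in modules/pam_* ; do
  if [ -d "${dir}" ] ; then
    # ${dir##*/} is the directory's base name, without forking basename.
    if ! ls -1 "$PKG_STAGEROOT/lib$LIBSUFFIX/security/${dir##*/}"*.so ; then
      printf '%s\n' "ERROR ${dir##*/} did not build a module."
      die "Module missing"
    fi
  fi
done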

# Kill duplicate doc file sets.
spewdo "rm -fr $PKG_STAGEROOT$PKG_PREFIX/doc/Linux-PAM $PKG_STAGEROOT$PKG_PREFIX/share/doc/pam"
                                                                                
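# NOTE: PAM's own make check performs this same dlopen() test for the same
# reason, but the makecheck step is commented out earlier in this script, so
# this loop is the load test that actually runs.

# Check for module problems.  Specifically, check that every module we just
# installed can actually be loaded by a minimal PAM-aware application.
for module in "$PKG_STAGEROOT/lib$LIBSUFFIX/security"/pam*.so ; do
  # dlopen.sh ships with the package (PKG_PATCH[5]); it is handed the staged
  # libpam through -L/-lpam and LD_LIBRARY_PATH, plus the module to load.
  if ! LD_LIBRARY_PATH="$PKG_STAGEROOT/lib$LIBSUFFIX" \
      "$DLG_COREREPOS/$NAME/dlopen.sh" "-L$PKG_STAGEROOT/lib$LIBSUFFIX/" -lpam -ldl "${module}" ; then
    die "Could not load module"
  fi
  # And for good measure, make sure that none of the modules pull in threading
  # libraries, which if loaded in a non-threaded application, can cause Very
  # Bad Things to happen.
  # grep -F replaces the obsolescent fgrep spelling.
  # NOTE(review): the pipeline's status is grep's, so if ldd itself fails this
  # check passes silently.
  if env LD_PRELOAD="$PKG_STAGEROOT/lib$LIBSUFFIX/libpam.so" ldd -r "${module}" | grep -F -q libpthread ; then
    die "Module pulled in threading lib"
  fi
done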
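# Drop in the sysvinit script that will erase any stale lock files.
# findpatch appears to leave the resolved path in $initscript -- confirm.
findpatch initscript rc.removestalelocks
sysvinitsetup "$initscript" 345 00
# ${PKG_STAGEROOT:?} keeps chmod and rm inside the staging tree: with an empty
# value they would act on the build host's own rc.d directories.
chmod 755 "${PKG_STAGEROOT:?PKG_STAGEROOT is empty}$PKG_SYSCONFDIR/rc.d/rc.removestalelocks"
# Remove the resulting kill links, since they're pointless.
# The glob stays outside the quotes so rc?.d/K* still expands.
rm -f -- "${PKG_STAGEROOT:?PKG_STAGEROOT is empty}$PKG_SYSCONFDIR"/rc.d/rc?.d/K*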

# Framework packaging steps; none of them is defined in this file, so what
# each one checks or produces is not visible here.
tidydocumentation
analyzebinaries
finalizepackage
packagize
# Discard the temporary Berkeley DB install prefix set up earlier.
removedir $PKG_TMPLIBS
cleanup

