Diffstat (limited to 'pkgs/os-specific/linux/pam/default.nix')
-rw-r--r--pkgs/os-specific/linux/pam/default.nix45
1 files changed, 25 insertions, 20 deletions
diff --git a/pkgs/os-specific/linux/pam/default.nix b/pkgs/os-specific/linux/pam/default.nix
index fb993699494..a35f40be595 100644
--- a/pkgs/os-specific/linux/pam/default.nix
+++ b/pkgs/os-specific/linux/pam/default.nix
@@ -1,40 +1,45 @@
-{ lib, stdenv, buildPackages, fetchurl, flex, cracklib, db4, gettext
+{ lib, stdenv, buildPackages, fetchurl
+, fetchpatch
+, flex, cracklib, db4, gettext, audit, libxcrypt
 , nixosTests
-, withLibxcrypt ? false, libxcrypt
+, autoreconfHook269, pkg-config-unwrapped
 }:
 
 stdenv.mkDerivation rec {
   pname = "linux-pam";
-  version = "1.5.1";
+  version = "1.5.2";
 
   src = fetchurl {
     url    = "https://github.com/linux-pam/linux-pam/releases/download/v${version}/Linux-PAM-${version}.tar.xz";
-    sha256 = "sha256-IB1AcwsRNbGzzeoJ8sKKxjTXMYHM0Bcs7d7jZJxXkvw=";
+    sha256 = "sha256-5OxxMakdpEUSV0Jo9JPG2MoQXIcJFpG46bVspoXU+U0=";
   };
 
+  patches = [
+    ./suid-wrapper-path.patch
+    # Pull support for localization on non-default --prefix:
+    #   https://github.com/NixOS/nixpkgs/issues/249010
+    #   https://github.com/linux-pam/linux-pam/pull/604
+    (fetchpatch {
+      name = "bind-locales.patch";
+      url = "https://github.com/linux-pam/linux-pam/commit/77bd338125cde583ecdfb9fd69619bcd2baf15c2.patch";
+      hash = "sha256-tlc9RcLZpEH315NFD4sdN9yOco8qhC6+bszl4OHm+AI=";
+    })
+  ];
+
   outputs = [ "out" "doc" "man" /* "modules" */ ];
 
   depsBuildBuild = [ buildPackages.stdenv.cc ];
-  nativeBuildInputs = [ flex ]
+  # autoreconfHook269 is needed for `suid-wrapper-path.patch` and
+  # `bind-locales.patch` above.
+  # pkg-config-unwrapped is needed for `AC_CHECK_LIB` and `AC_SEARCH_LIBS`
+  nativeBuildInputs = [ flex autoreconfHook269 pkg-config-unwrapped ]
     ++ lib.optional stdenv.buildPlatform.isDarwin gettext;
 
-  buildInputs = [ cracklib db4 ]
-    ++ lib.optional withLibxcrypt libxcrypt;
+  buildInputs = [ cracklib db4 libxcrypt ]
+    ++ lib.optional stdenv.buildPlatform.isLinux audit;
 
   enableParallelBuilding = true;
 
-  postInstall = ''
-    mv -v $out/sbin/unix_chkpwd{,.orig}
-    ln -sv /run/wrappers/bin/unix_chkpwd $out/sbin/unix_chkpwd
-  ''; /*
-    rm -rf $out/etc
-    mkdir -p $modules/lib
-    mv $out/lib/security $modules/lib/
-  '';*/
-  # don't move modules, because libpam needs to (be able to) find them,
-  # which is done by dlopening $out/lib/security/pam_foo.so
-  # $out/etc was also missed: pam_env(login:session): Unable to open config file
-
   preConfigure = lib.optionalString (stdenv.hostPlatform.libc == "musl") ''
       # export ac_cv_search_crypt=no
       # (taken from Alpine linux, apparently insecure but also doesn't build O:))
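Review bot: The `audit` entry added to `buildInputs` is gated on `stdenv.buildPlatform.isLinux`, but `buildInputs` are resolved for the host platform, so the condition should read `++ lib.optional stdenv.hostPlatform.isLinux audit;`. As written, a cross build from a non-Linux builder would drop libaudit and presumably yield a PAM without audit logging, with no build failure to flag it. Separately, `./suid-wrapper-path.patch` has no comment, while the `postInstall` it appears to replace made the `/run/wrappers/bin/unix_chkpwd` redirection explicit. A line such as `# Resolve unix_chkpwd via the setuid wrapper in /run/wrappers/bin` above the patch entry would keep that security-relevant detail visible, assuming that is what the patch does (its contents are not shown here).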
@@ -55,7 +60,7 @@ stdenv.mkDerivation rec {
   doCheck = false; # fails
 
   passthru.tests = {
-    inherit (nixosTests) pam-oath-login pam-u2f shadow;
+    inherit (nixosTests) pam-oath-login pam-u2f shadow sssd-ldap;
   };
 
   meta = with lib; {