From 60e01874711bcb65a81d21b4647cb160645e3920 Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Sat, 11 Nov 2023 09:36:12 +0000 Subject: pam: fix pam_unix autohentication failures when ran as user Commit d0c42dfa "pam: bind Linux-PAM locales from pam-specific folder (upstream patch)" added autoreconfHook269 into one of the postPatch phases. This clobbered the change applied by `suid-wrapper-path.patch` as it was patching Makefile.in. As a result `nixosTests.sway` test started failing as: check pass; user unknown Running `swaylock` on real system exhibited the same result. As `suid-wrapper-path.patch` is clobbered we were running non-suid version of `unix_chkpwd`: /nix/store/...-linux-pam-1.5.2/sbin/unix_chkpwd instead of SUID-wrapped /run/wrappers/bin/unix_chkpw The fix is trivial: move the patch from auto-generated file to `Makefile.am`. Discovered-by: Yureka --- pkgs/os-specific/linux/pam/default.nix | 3 ++- pkgs/os-specific/linux/pam/suid-wrapper-path.patch | 6 +++--- 2 files changed, 5 insertions(+), 4 deletions(-) (limited to 'pkgs/os-specific/linux/pam') diff --git a/pkgs/os-specific/linux/pam/default.nix b/pkgs/os-specific/linux/pam/default.nix index 9a0b2161ce4..a35f40be595 100644 --- a/pkgs/os-specific/linux/pam/default.nix +++ b/pkgs/os-specific/linux/pam/default.nix @@ -29,7 +29,8 @@ stdenv.mkDerivation rec { outputs = [ "out" "doc" "man" /* "modules" */ ]; depsBuildBuild = [ buildPackages.stdenv.cc ]; - # autoreconfHook269 is needed for `bind-locales.patch` above + # autoreconfHook269 is needed for `suid-wrapper-path.patch` and + # `bind-locales.patch` above. # pkg-config-unwrapped is needed for `AC_CHECK_LIB` and `AC_SEARCH_LIBS` nativeBuildInputs = [ flex autoreconfHook269 pkg-config-unwrapped ] ++ lib.optional stdenv.buildPlatform.isDarwin gettext; diff --git a/pkgs/os-specific/linux/pam/suid-wrapper-path.patch b/pkgs/os-specific/linux/pam/suid-wrapper-path.patch index 71533c51a19..a427ccf3881 100644 
--- a/pkgs/os-specific/linux/pam/suid-wrapper-path.patch +++ b/pkgs/os-specific/linux/pam/suid-wrapper-path.patch @@ -1,6 +1,6 @@ It needs the SUID version during runtime, and that can't be in /nix/store/** ---- a/modules/pam_unix/Makefile.in -+++ b/modules/pam_unix/Makefile.in -@@ -651 +651 @@ +--- a/modules/pam_unix/Makefile.am ++++ b/modules/pam_unix/Makefile.am +@@ -21 +21 @@ - -DCHKPWD_HELPER=\"$(sbindir)/unix_chkpwd\" \ + -DCHKPWD_HELPER=\"/run/wrappers/bin/unix_chkpwd\" \ -- cgit 1.4.1
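Review bot: Nothing here makes the build fail if the `CHKPWD_HELPER` rewrite in `suid-wrapper-path.patch` is lost again, so a repeat of the clobbering the commit message describes would again only show up at login time or in `nixosTests.sway`. Retargeting the patch to `Makefile.am` fixes the current case, but any later change to the autoreconf or patch ordering could reintroduce the non-SUID `$(sbindir)/unix_chkpwd` path without a build error. Consider a post-build assertion in `default.nix`, for example `grep -q /run/wrappers/bin/unix_chkpwd <PATH_TO_BUILT_PAM_UNIX_MODULE>` (placeholder path), so the derivation fails when the wrapper path is missing from the module. The patch file's one-line header could also record the reason for the target, e.g. `Patch Makefile.am, not Makefile.in: autoreconf regenerates Makefile.in.`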