Package init

0001-Disable-pylint-tests.patch

@@ -0,0 +1,31 @@
+From 5e4ef70a1fda792d7ca32311ecc29302c7b13ca5 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jakub.hrozek@posteo.se>
+Date: Sun, 1 Apr 2018 10:40:13 +0200
+Subject: [PATCH 1/2] Disable pylint tests
+
+---
+ tests/Makefile.am | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 0a7854eec62520014919ad3983db70c78be483e2..8c742a78e3ce8e822fbd7bd9d5735a010e2f0f80 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -22,9 +22,11 @@ TESTS = test_dict test_set test_tio test_expr test_getpeercred test_cfg \
+         test_attmap test_myldap.sh test_common test_nsscmds.sh \
+         test_pamcmds.sh test_manpages.sh test_clock \
+         test_tio_timeout
+-if HAVE_PYTHON
+-  TESTS += test_pycompile.sh test_pylint.sh
+-endif
++
++#if HAVE_PYTHON
++#  TESTS += test_pycompile.sh test_pylint.sh
++#endif
++
+ if ENABLE_PYNSLCD
+   TESTS += test_pynslcd_cache.py test_doctest.sh
+ endif
+-- 
+2.14.3
+

0002-Watch-for-uint32_t-overflows.patch

@@ -0,0 +1,96 @@
+From ae0a9312c562985838fdd9845ef95fe61e8aa3de Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jakub.hrozek@posteo.se>
+Date: Sun, 1 Apr 2018 10:57:22 +0200
+Subject: [PATCH 2/2] Watch for uint32_t overflows
+
+Always use a function that we know will catch out-of-range values for UIDs and
+GIDs, which are currently unsigned 32-bit numbers everywhere, and which won't
+produce a result that'll silently be truncated if we store the result in a
+uid_t or gid_t.
+---
+ nslcd/common.c | 28 ++++++++++++++++------------
+ nslcd/common.h | 27 +++------------------------
+ 2 files changed, 19 insertions(+), 36 deletions(-)
+
+diff --git a/nslcd/common.c b/nslcd/common.c
+index 60be7773d2c809f3177744ced0dd0ba90c86e820..de640b47806757e0bb2e704b3b79f1ecb18bbc45 100644
+--- a/nslcd/common.c
++++ b/nslcd/common.c
+@@ -338,19 +338,23 @@ unsigned long int binsid2id(const char *binsid)
+          ((((unsigned long int)binsid[i + 3]) & 0xff) << 24);
+ }
+ 
+-#ifdef WANT_STRTOUI
+-/* provide a strtoui() implementation, similar to strtoul() but returning
+-   an range-checked unsigned int instead */
+-unsigned int strtoui(const char *nptr, char **endptr, int base)
++/* provide a strtoid() implementation, similar to strtoul() but returning
++   an range-checked uint32_t instead */
++unsigned int strtoid(const char *nptr,char **endptr,int base)
+ {
+-  unsigned long val;
+-  val = strtoul(nptr, endptr, base);
+-  if (val > UINT_MAX)
++  long long val;
++  /* use the fact that long long is 64-bit, even on 32-bit systems */
++  val=strtoll(nptr,endptr,base);
++  if (val>UINT32_MAX)
+   {
+-    errno = ERANGE;
+-    return UINT_MAX;
++    errno=ERANGE;
++    return UINT32_MAX;
+   }
+-  /* If errno was set by strtoul, we'll pass it back as-is */
+-  return (unsigned int)val;
++  else if (val < 0)
++  {
++    errno=EINVAL;
++    return UINT32_MAX;
++  }
++  /* If errno was set, we'll pass it back as-is */
++  return (uint32_t)val;
+ }
+-#endif /* WANT_STRTOUI */
+diff --git a/nslcd/common.h b/nslcd/common.h
+index 26fcf48ae2a6dc50bc97fab238ecc9a1879342ce..97d386eaf1f6881182729c5d8e46ce30d2d28eba 100644
+--- a/nslcd/common.h
++++ b/nslcd/common.h
+@@ -161,31 +161,10 @@ void invalidator_do(enum ldap_map_selector map);
+ #define BUFLEN_HOSTNAME     256  /* host names or FQDN (and safe version) */
+ #define BUFLEN_MESSAGE     1024  /* message strings */
+ 
+-/* provide strtouid() function alias */
+-#if SIZEOF_UID_T == SIZEOF_UNSIGNED_LONG_INT
+-#define strtouid (uid_t)strtoul
+-#elif SIZEOF_UID_T == SIZEOF_UNSIGNED_LONG_LONG_INT
+-#define strtouid (uid_t)strtoull
+-#elif SIZEOF_UID_T == SIZEOF_UNSIGNED_INT
+-#define WANT_STRTOUI 1
+-#define strtouid (uid_t)strtoui
+-#else
+-#error unable to find implementation for strtouid()
+-#endif
+ 
+-/* provide strtogid() function alias */
+-#if SIZEOF_GID_T == SIZEOF_UNSIGNED_LONG_INT
+-#define strtogid (gid_t)strtoul
+-#elif SIZEOF_GID_T == SIZEOF_UNSIGNED_LONG_LONG_INT
+-#define strtogid (gid_t)strtoull
+-#elif SIZEOF_GID_T == SIZEOF_UNSIGNED_INT
+-#ifndef WANT_STRTOUI
+-#define WANT_STRTOUI 1
+-#endif
+-#define strtogid (gid_t)strtoui
+-#else
+-#error unable to find implementation for strtogid()
+-#endif
++uint32_t strtoid(const char *nptr,char **endptr,int base);
++#define strtouid (uid_t)strtoid
++#define strtogid (gid_t)strtoid
+ 
+ #ifdef WANT_STRTOUI
+ /* provide a strtoui() if it is needed */
+-- 
+2.14.3
+

Create-var-run-nslcd-socket-after-dropping-privilege.patch

@@ -0,0 +1,50 @@
+From 3760b43241b579406242961c551b9fb25b0c673b Mon Sep 17 00:00:00 2001
+From: Arthur de Jong <arthur@arthurdejong.org>
+Date: Sat, 21 Jul 2018 11:14:08 +0200
+Subject: [PATCH 01/10] Create /var/run/nslcd/socket after dropping privileges
+
+This is needed to avoid a problem where a call to initgroups() can
+result in NSS lookups. If nscd is configured the mechanism to avoid
+loopback lookups using nss_ldap_enablelookups will not work and cause
+for delays on start-up.
+
+Note that this changes ownership of the socket to the user running
+nslcd.
+---
+ nslcd/nslcd.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/nslcd/nslcd.c b/nslcd/nslcd.c
+index 82c09ab..be14ac9 100644
+--- a/nslcd/nslcd.c
++++ b/nslcd/nslcd.c
+@@ -2,7 +2,7 @@
+    nslcd.c - ldap local connection daemon
+ 
+    Copyright (C) 2006 West Consulting
+-   Copyright (C) 2006-2017 Arthur de Jong
++   Copyright (C) 2006-2018 Arthur de Jong
+ 
+    This library is free software; you can redistribute it and/or
+    modify it under the terms of the GNU Lesser General Public
+@@ -769,8 +769,6 @@ int main(int argc, char *argv[])
+     exit(EXIT_FAILURE);
+   }
+   adjust_oom_score();
+-  /* create socket */
+-  nslcd_serversocket = create_socket(NSLCD_SOCKET);
+   /* start subprocess to do invalidating if reconnect_invalidate is set */
+   for (i = 0; i < LM_NONE; i++)
+     if (nslcd_cfg->reconnect_invalidate[i])
+@@ -825,6 +823,8 @@ int main(int argc, char *argv[])
+     }
+     log_log(LOG_DEBUG, "setuid(%lu) done", (unsigned long int)nslcd_cfg->uid);
+   }
++  /* create socket */
++  nslcd_serversocket = create_socket(NSLCD_SOCKET);
+   /* start worker threads */
+   log_log(LOG_INFO, "accepting connections");
+   nslcd_threads = (pthread_t *)malloc(nslcd_cfg->threads * sizeof(pthread_t));
+-- 
+2.19.1
+

Fix-crash-in-chsh.ldap.patch

@@ -0,0 +1,32 @@
+From bfcf0025b6ba264e6c0c1899d9de2bad8f39ee1a Mon Sep 17 00:00:00 2001
+From: Mizunashi Mana <mizunashi-mana@noreply.git>
+Date: Wed, 5 Sep 2018 20:06:31 +0900
+Subject: [PATCH 09/10] Fix crash in chsh.ldap
+
+Specify result type of getusershell.
+
+Closes https://github.com/arthurdejong/nss-pam-ldapd/pull/31
+---
+ utils/shells.py | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/utils/shells.py b/utils/shells.py
+index dcabfaf..92dba2f 100644
+--- a/utils/shells.py
++++ b/utils/shells.py
+@@ -28,9 +28,11 @@ import sys
+ def list_shells():
+     """List the shells from /etc/shells."""
+     libc = ctypes.CDLL(ctypes.util.find_library("c"))
++    getusershell = libc.getusershell
++    getusershell.restype = ctypes.c_char_p
+     libc.setusershell()
+     while True:
+-        shell = ctypes.c_char_p(libc.getusershell()).value
++        shell = getusershell()
+         if not shell:
+             break
+         yield shell
+-- 
+2.19.1
+

nslcd.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Naming services LDAP client daemon.
+After=syslog.target network.target named.service dirsrv.target slapd.service
+Documentation=man:nslcd(8) man:nslcd.conf(5)
+
+[Service]
+Type=forking
+PIDFile=/var/run/nslcd/nslcd.pid
+ExecStart=/usr/sbin/nslcd
+RestartSec=10s
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

nslcd.tmpfiles

@@ -0,0 +1,2 @@
+# nslcd needs a directory in /var/run to store its pid file and socket
+d /var/run/nslcd 0775 nslcd root

nss-pam-ldapd.spec

@@ -0,0 +1,115 @@
+%define _hardened_build 1
+
+Name:           nss-pam-ldapd
+Version:        0.9.9
+Release:        5
+Summary:        NSS and PAM libraries for name lookups and authentication using LDAP
+License:        LGPLv2+
+URL:            http://arthurdejong.org/nss-pam-ldapd/
+Source0:        http://arthurdejong.org/nss-pam-ldapd/nss-pam-ldapd-%{version}.tar.gz
+Source1:        http://arthurdejong.org/nss-pam-ldapd/nss-pam-ldapd-%{version}.tar.gz.sig
+Source3:        nslcd.tmpfiles
+Source4:        nslcd.service
+
+Patch0001:      0001-Disable-pylint-tests.patch
+Patch0002:      0002-Watch-for-uint32_t-overflows.patch
+
+Patch9001:      Create-var-run-nslcd-socket-after-dropping-privilege.patch
+Patch9002:      Fix-crash-in-chsh.ldap.patch
+
+BuildRequires:  gcc, openldap-devel, krb5-devel, autoconf, automake, pam-devel, systemd-units
+%{?systemd_requires}
+
+Recommends:     nscd
+
+Provides:       nss-ldapd = %{version}-%{release}
+Provides:       nss_ldap = 265-12
+Provides:       pam_ldap = 185-15
+
+Obsoletes:      nss-ldapd < 0.7
+Obsoletes:      nss_ldap < 265-11
+Obsoletes:      pam_ldap < 185-15
+
+%description
+The nss-pam-ldapd package provides a Name Service Switch (NSS, nsswitch) module
+that allows your LDAP server to provide user account, group, host name, alias,
+netgroup, and basically any other information that you would normally get from
+/etc flat files or NIS. It also provides a Pluggable Authentication Module (PAM)
+to do identity and authentication management with an LDAP server on unix systems.
+
+%package help
+Summary: The help package for nss-pam-ldapd
+
+%description help
+This is the help package of nss-pam-ldapd which includes the man docs.
+
+%prep
+%autosetup -p1
+autoreconf -f -i
+
+%build
+%configure --libdir=/%{_lib} \
+           --disable-utils \
+           --with-pam-seclib-dir=/%{_lib}/security
+%make_build
+
+%check
+make check
+
+%install
+rm -rf $RPM_BUILD_ROOT
+%make_install
+mkdir -p $RPM_BUILD_ROOT/{%{_libdir},%{_unitdir}}
+install -p -m644 %{SOURCE4} $RPM_BUILD_ROOT/%{_unitdir}/
+
+ln -s libnss_ldap.so.2 $RPM_BUILD_ROOT/%{_lib}/libnss_ldap.so
+
+sed -i -e 's,^uid.*,uid nslcd,g' -e 's,^gid.*,gid ldap,g' \
+$RPM_BUILD_ROOT/%{_sysconfdir}/nslcd.conf
+touch -r nslcd.conf $RPM_BUILD_ROOT/%{_sysconfdir}/nslcd.conf
+mkdir -p -m 0755 $RPM_BUILD_ROOT/var/run/nslcd
+mkdir -p -m 0755 $RPM_BUILD_ROOT/%{_tmpfilesdir}
+install -p -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/%{_tmpfilesdir}/%{name}.conf
+
+%pre
+getent group  ldap  > /dev/null || \
+/usr/sbin/groupadd -r -g 55 ldap
+getent passwd nslcd > /dev/null || \
+/usr/sbin/useradd -r -g ldap -c 'LDAP Client User' \
+    -u 65 -d / -s /sbin/nologin nslcd 2> /dev/null || :
+
+%post
+/sbin/ldconfig
+%systemd_post nslcd.service
+
+%preun
+%systemd_preun nslcd.service
+
+%postun
+/sbin/ldconfig
+%systemd_postun_with_restart nslcd.service
+
+%files
+%doc AUTHORS ChangeLog COPYING HACKING NEWS README TODO
+%{_sbindir}/*
+/%{_lib}/*.so*
+/%{_lib}/security/pam_ldap.so
+%attr(0600,root,root) %config(noreplace) %verify(not md5 size mtime) /etc/nslcd.conf
+%attr(0644,root,root) %config(noreplace) %{_tmpfilesdir}/%{name}.conf
+%{_unitdir}/nslcd.service
+%attr(0775,nslcd,root) /var/run/nslcd
+
+%files help
+%{_mandir}/*/*
+
+%changelog
+* Mon Apr 08 2019 yanghua<yanghua21@huawei.com> - 0.9.9-5
+- Type:bugfix
+- ID:NA
+- SUG:restart
+- DESC:Create /var/run/nslcd/socket after dropping privileges
+       Fix crash in chsh.ldap
+
+* Fri Mar 01 2019 openEuler Buildteam<buildteam@openeuler.org> - 0.9.9-4
+- Package init
+