authordrochner <drochner>2007-09-05 20:29:05 +0000
committerdrochner <drochner>2007-09-05 20:29:05 +0000
commit8d7162029624814924ade5934fa7b75002d1ffcd (patch)
treeaa462c866cbaf9b20686b3937feb43f1518f03c6 /security/pam-pwauth_suid
parent157a65a8f93ef87f26ed32d7f57b136633588c8f (diff)
downloadpkgsrc-8d7162029624814924ade5934fa7b75002d1ffcd.tar.gz
-add DESTDIR support, from Blair Sadewitz
(I didn't adopt the libtool change for now because it is not clear to me whether that PAM module is useful for non-NetBSD.) -block SIGCHLD while the forked helper process is running, so that a calling process with a SIGCHLD handler won't steal the exit status which is used to report success of the authentication. This makes the "dropbear" ssh server usable if started with user privileges. bump revision to 1.1
Diffstat (limited to 'security/pam-pwauth_suid')
-rw-r--r--security/pam-pwauth_suid/Makefile22
-rw-r--r--security/pam-pwauth_suid/files/pam_pwauth_suid.c26
2 files changed, 36 insertions, 12 deletions
diff --git a/security/pam-pwauth_suid/Makefile b/security/pam-pwauth_suid/Makefile
index 82aac71fc73..947e07fd54d 100644
--- a/security/pam-pwauth_suid/Makefile
+++ b/security/pam-pwauth_suid/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.2 2007/03/24 19:21:31 joerg Exp $
+# $NetBSD: Makefile,v 1.3 2007/09/05 20:29:05 drochner Exp $
-DISTNAME= pam-pwauth_suid-1.0
+DISTNAME= pam-pwauth_suid-1.1
CATEGORIES= security
DISTFILES= # empty
@@ -9,7 +9,10 @@ COMMENT= PAM authentication module for unprivileged users
NO_CHECKSUM= yes
WRKSRC= ${WRKDIR}
-CFLAGS+= -DPATH_HELPER=\"${PREFIX}/libexec/pwauth_suid_helper\"
+
+HLPDEF+= -DPATH_HELPER=\"${DESTDIR}${PREFIX}/libexec/pwauth_suid_helper\"
+
+PKG_DESTDIR_SUPPORT= user-destdir
INSTALLATION_DIRS= lib/security libexec
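Review bot: `HLPDEF` bakes `${DESTDIR}` into `PATH_HELPER`, so with a non-empty DESTDIR the module is compiled to exec the helper from the staging directory rather than from the installed `${PREFIX}/libexec`. Once the package is installed, that path either no longer exists, so every authentication fails, or it points into a build work area that is likely less protected than `${PREFIX}`. The program found at that path is fed the user's password on stdin and its exit status is taken as the authentication verdict, so the compiled-in path must be the final, root-controlled one. Keep `${DESTDIR}` to the do-install target only and define `HLPDEF+= -DPATH_HELPER=\"${PREFIX}/libexec/pwauth_suid_helper\"`.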
@@ -19,13 +22,18 @@ do-extract:
do-build:
(cd ${WRKSRC} && \
- ${CC} ${CFLAGS} -shared pam_pwauth_suid.c -o pam_pwauth_suid.so.0 && \
+ ${CC} ${CFLAGS} -c -fPIC ${HLPDEF} pam_pwauth_suid.c && \
+ ${LD} -shared pam_pwauth_suid.o -o pam_pwauth_suid.so.0 && \
${CC} ${CFLAGS} pwauth_suid_helper.c -o pwauth_suid_helper -lcrypt)
do-install:
- ${INSTALL_DATA} ${WRKSRC}/pam_pwauth_suid.so.0 ${PREFIX}/lib/security
- ${INSTALL_PROGRAM} ${WRKSRC}/pwauth_suid_helper ${PREFIX}/libexec
- ${CHMOD} 04555 ${PREFIX}/libexec/pwauth_suid_helper
+ ${INSTALL_DATA_DIR} ${DESTDIR}${PREFIX}/lib/security
+ ${INSTALL_DATA} ${WRKSRC}/pam_pwauth_suid.so.0 \
+ ${DESTDIR}${PREFIX}/lib/security
+ ${INSTALL_PROGRAM_DIR} ${DESTDIR}${PREFIX}/libexec
+ ${INSTALL_PROGRAM} ${WRKSRC}/pwauth_suid_helper \
+ ${DESTDIR}${PREFIX}/libexec
+ ${CHMOD} 04555 ${DESTDIR}${PREFIX}/libexec/pwauth_suid_helper
.include "../../mk/pam.buildlink3.mk"
.include "../../mk/bsd.pkg.mk"
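Review bot: The `${CHMOD} 04555` on `${DESTDIR}${PREFIX}/libexec/pwauth_suid_helper` now acts on a staged file, and under `PKG_DESTDIR_SUPPORT= user-destdir` the install step presumably runs as the unprivileged building user, so the setuid bit lands on a file that is not owned by root. Whether the helper ends up setuid-root then depends on how ownership is recorded when the package is created, which this Makefile does not state. Declaring the ownership and mode in the package metadata, something like `SPECIAL_PERMS+= libexec/pwauth_suid_helper ${REAL_ROOT_USER} ${REAL_ROOT_GROUP} 4555`, makes that explicit and lets the manual chmod go.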
diff --git a/security/pam-pwauth_suid/files/pam_pwauth_suid.c b/security/pam-pwauth_suid/files/pam_pwauth_suid.c
index 0cd0643e140..4144a263a78 100644
--- a/security/pam-pwauth_suid/files/pam_pwauth_suid.c
+++ b/security/pam-pwauth_suid/files/pam_pwauth_suid.c
@@ -1,4 +1,4 @@
-/* $NetBSD: pam_pwauth_suid.c,v 1.1.1.1 2007/01/08 18:39:44 drochner Exp $ */
+/* $NetBSD: pam_pwauth_suid.c,v 1.2 2007/09/05 20:29:05 drochner Exp $ */
#include <sys/types.h>
#include <security/pam_appl.h>
@@ -8,23 +8,32 @@
#include <string.h>
#include <sys/wait.h>
#include <errno.h>
+#include <signal.h>
static int
askhelper(const char *user, const char *pass)
{
int fd[2];
+ sigset_t chldsig, omask;
pid_t pid, rpid;
ssize_t res;
size_t pwlen;
- int s;
+ int err, s;
if (pipe(fd) < 0)
return errno;
+ /* make sure only we get the exit status of the helper */
+ sigemptyset(&chldsig);
+ sigaddset(&chldsig, SIGCHLD);
+ if (sigprocmask(SIG_BLOCK, &chldsig, &omask) < 0)
+ return errno;
+
pid = vfork();
switch (pid) {
case -1:
- return errno;
+ err = errno;
+ goto error;
case 0: /* child, feed it through its stdin */
(void)dup2(fd[0], STDIN_FILENO);
(void)close(fd[0]);
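Review bot: The new early `return errno` after a failed `sigprocmask()` leaves both ends of the pipe created just above open, so each failure in a long-running PAM consumer leaks two descriptors. Save errno and close them before returning: `err = errno; (void)close(fd[0]); (void)close(fd[1]); return err;`. The `case -1` path has the same leak, since the `error` label it jumps to (outside this hunk) only restores the signal mask. Also worth a comment here: the helper inherits the blocked SIGCHLD mask across the exec, which looks harmless but is not obvious to a reader. askhelper's body continues outside the hunk.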
@@ -38,18 +47,25 @@ askhelper(const char *user, const char *pass)
pwlen = strlen(pass);
res = write(fd[1], pass, pwlen);
- if (res != pwlen)
- return (res == -1 ? errno : EIO);
+ if (res != pwlen) {
+ err = (res == -1 ? errno : EIO);
+ goto error;
+ }
(void)close(fd[1]); /* now child gets an EOF */
rpid = waitpid(pid, &s, 0);
+ sigprocmask(SIG_SETMASK, &omask, 0);
if (rpid != pid)
return errno;
if (!WIFEXITED(s) || WEXITSTATUS(s))
return EAUTH;
return 0;
+
+error:
+ sigprocmask(SIG_SETMASK, &omask, 0);
+ return err;
}
PAM_EXTERN int
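Review bot: `sigprocmask(SIG_SETMASK, &omask, 0)` runs before `if (rpid != pid) return errno;`, so the caller's pending SIGCHLD handler is delivered at that point, and it (or sigprocmask itself) can overwrite errno before it is read. This return value decides the authentication outcome, so capture the failure code first: `err = (rpid == pid) ? 0 : errno;` ahead of the restore, then `if (rpid != pid) return err;`. Separately, the `error:` label restores the mask but, on the write-failure path, leaves `fd[1]` open and the helper unreaped; because the write end stays open the helper never sees EOF. Closing `fd[1]` and calling `waitpid(pid, &s, 0)` before the restore would clean that up. The start of askhelper is outside this hunk.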