Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230

 

 

 

[Solved] Question about building shadow package on Debian

Programming languages, Coding, Executables, Package Creation, and Scripting.
Post Reply
Message
Author
p_linux
Posts: 9
Joined: 2020-12-31 12:52

[Solved] Question about building shadow package on Debian

#1 Post by p_linux »

Hi debian team,

I am on a Debian 10.4 system. I am trying to compile the shadow-4.5 package due to changes in the source code.
Here is my procedure:

Code: Select all

$ apt-get source shadow/stable
$ apt-get build-dep shadow
$ export QUILT_PATCHES=debian/patches
$ export QUILT_REFRESH_ARGS="-p ab --no-timestamps --no-index"
$ quilt push -a
$ quilt new xxx_test_patch
$ quilt add <file_changed>
$ < here my source code modifications ... >
$ quilt refresh
$ quilt pop -a
And, finally change version number and build my package :

Code: Select all

$ dch --local test
$ debuild -b -us -uc 
My package is built without problem but the binaries contained in the generated .deb files do not contain my modifications.
However, when I manually compile the binaries (with configure and make), the binaries generated in the src directory of my source tree do contain my changes.
I have the impression that the package is not recompiled with "debuild".
I would like to generate the exact debian package (.deb) with just my modifications in addition using the tool recommended by debian "debuild".

I don't know if I forgot or did something wrong.

Thanks in advance for your answers.
P.
Last edited by p_linux on 2021-01-06 21:04, edited 2 times in total.

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Question about building shadow package on Debian

#2 Post by Head_on_a_Stick »

Did you change into the package directory? I can't see it in your command list but I suppose you must have if dch & debuild worked. I also can't find a "shadow" package in Debian, can you elaborate?

Anyway, here's a simpler method:

Code: Select all

apt-get source shadow/stable
apt-get build-dep shadow
cd shadow*
< edit source code >
dpkg-source --commit
< edit patch name & description >
dch --local test
debuild -us -uc
I just use dpkg-source these days so I can't really remember how to use quilt properly but have you seen https://www.debian.org/doc/manuals/debm ... uilt-setup?

And finally:
p_linux wrote:I am on a Debian 10.4
You really should update your system:

Code: Select all

$ cat /etc/debian_version                                                    
10.7
$
deadbang

p_linux
Posts: 9
Joined: 2020-12-31 12:52

Re: Question about building shadow package on Debian

#3 Post by p_linux »

Thanks for your answer.

I have changed directory because otherwise the "debuild" command would not work.
Detail about shadow : https://packages.debian.org/source/buster/shadow

I try with dpkg-source but it's the same result.
I use this link for quilt procedure : https://wiki.debian.org/UsingQuilt

It's for a 10.4 version but I think that the functional procedure will be portable on 10.7.

I can put my exact changes in source code if you want to try.

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Question about building shadow package on Debian

#4 Post by Head_on_a_Stick »

p_linux wrote:It's for a 10.4 version but I think that the functional procedure will be portable on 10.7
Yes, of course, my observation was incidental to the problem in hand.
p_linux wrote:I can put my exact changes in source code if you want to try.
Yes please.
deadbang

p_linux
Posts: 9
Joined: 2020-12-31 12:52

Re: Question about building shadow package on Debian

#5 Post by p_linux »

First of all, happy new year.

I'm particularly interested for the passwd binary from the shadow package :

Code: Select all

$ ls -al /usr/bin/passwd
-rwsr-xr-x 1 root root 63736 Jul 27  2018 /usr/bin/passwd
Here is my exhaustive edit / recompile procedure :

Code: Select all

$ apt-get source shadow/stable
$ apt-get build-dep shadow
$ cd shadow-4.5
$ export QUILT_PATCHES=debian/patches
$ export QUILT_REFRESH_ARGS="-p ab --no-timestamps --no-index"
$ quilt push -a
$ quilt new xxx_test_patch
$ quilt add lib/commonio.c
$ quilt add lib/defines.h
$ sed -i 's/\/etc\/passwd/\/etc\/test\/passwd/g' lib/defines.h
$ sed -i 's/\/etc\/group/\/etc\/test\/group/g' lib/defines.h
$ sed -i 's/\/etc\/shadow/\/etc\/test\/shadow/g' lib/defines.h
$ sed -i 's/\/etc\/gshadow/\/etc\/test\/gshadow/g' lib/defines.h
$ quilt refresh
$ quilt pop -a
$ dch --local test
$ debuild -b -uc -us
I have my patch which appears in the shadow-4.5/debian/patches/ directory as well as in the shadow-4.5/debian/patches/series file.
However, when I extract the binaries from the .deb I get the same binary as the original :

Code: Select all

$ cd ..
$ dpkg --extract passwd_4.5-1.1test1_amd64.deb .
$ ls -al ./usr/bin/passwd
-rwsr-xr-x 1 debian debian 63736 Jan  1 10:20 ./usr/bin/passwd
Normally, the password change should be done in the /etc/test directory and not /etc/ (confirming the path via strace).

Code: Select all

$ sudo chown root: ./usr/bin/passwd
$ sudo ./usr/bin/passwd user_test
New password:
Retype new password:
passwd: password updated successfully
It works perfectly when it shouldn't.

Whereas, if I don't go through quilt and compile without debuild, it works :

Code: Select all

$ apt-get source shadow/stable
$ apt-get build-dep shadow
$ cd shadow-4.5
$ sed -i 's/\/etc\/passwd/\/etc\/test\/passwd/g' lib/defines.h
$ sed -i 's/\/etc\/group/\/etc\/test\/group/g' lib/defines.h
$ sed -i 's/\/etc\/shadow/\/etc\/test\/shadow/g' lib/defines.h
$ sed -i 's/\/etc\/gshadow/\/etc\/test\/gshadow/g' lib/defines.h
$ autogen.sh
$ make
$ sudo ./src/passwd user_test
Changing password for user_test
Enter the new password (minimum of 5 characters)
Please use a combination of upper and lower case letters and numbers.
New password:
Re-enter new password:
passwd: /etc/test/passwd.1276: No such file or directory
passwd: cannot lock /etc/test/passwd; try again later.
But I don't think it compiles with the same build options, I really need the exact debian package with just my changes.

I'm sorry for the length of the post but I had to be as descriptive as possible.

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Question about building shadow package on Debian

#6 Post by Head_on_a_Stick »

At a guess the problem arises because debian/rules is over-riding the autogen.sh settings and so rendering your patch irrelevant.

I would investigate more but this is actually an XY problem: https://packages.debian.org/buster/libpam-pwquality ← install that package and edit /etc/pam.d/common-password

See also https://www.linuxtechi.com/enforce-pass ... tu-centos/
deadbang

p_linux
Posts: 9
Joined: 2020-12-31 12:52

Re: Question about building shadow package on Debian

#7 Post by p_linux »

I don't want to make passwords more complex, for that the libpam-cracklib module does the trick very well :)

This is to change the directory to access the shadow password files that the passwd binary uses the /etc/test/shadow file rather than /etc/shadow.

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Question about building shadow package on Debian

#8 Post by Head_on_a_Stick »

Why do you want to do that?
deadbang

p_linux
Posts: 9
Joined: 2020-12-31 12:52

Re: Question about building shadow package on Debian

#9 Post by p_linux »

I need this workaround because it is a read-only filesystem and I can't do an overlay on /etc/.

I really want to fix this problem with recompiling the shadow package (with debuild).
I know very well that this is not necessarily the right solution but this is the one I need.

User avatar
stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Question about building shadow package on Debian

#10 Post by stevepusser »

Your build output should show what patches are being applied and unapplied during the build. If you use debuild from devscripts, you should get that in a .build text file. That's usually easier to search than in a terminal.
MX Linux packager and developer

p_linux
Posts: 9
Joined: 2020-12-31 12:52

Re: Question about building shadow package on Debian

#11 Post by p_linux »

When i use the "quilt pop -a" command at the end, I have lines that say "unapplied patches" and so the patches are ignored.
And when i use the "quilt push -a" command at the end, I don't have specific indications in the .build ... but the binaries in producted .deb do not contain my modification.

User avatar
stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Question about building shadow package on Debian

#12 Post by stevepusser »

I specifically said the build command, not "quilt".

Look, I mean something like the output I just got from building obs-studio 26.1.0 on MX 17 testing (Stretch with a load of backports) using pbuilder:

Code: Select all

dpkg-checkbuilddeps: error: Unmet build dependencies: cmake libasound2-dev libavcodec-dev libavdevice-dev libavfilter-dev libavformat-dev libavutil-dev libcurl4-gnutls-dev | libcurl-dev libdbus-1-dev libfontconfig-dev libfreetype6-dev libjack-jackd2-dev libjansson-dev (>= 2.5) libluajit-5.1-dev libmbedtls-dev libpulse-dev libqt5svg5-dev libqt5x11extras5-dev libsimde-dev libspeexdsp-dev libswresample-dev libswscale-dev libudev-dev libv4l-dev libvlc-dev libx11-xcb-dev libx264-dev libxcb-randr0-dev libxcb-shm0-dev libxcb-xfixes0-dev libxcb-xinerama0-dev libxcb-xinput-dev libxcomposite-dev libxinerama-dev python3-dev swig
[1;33mW: Unmet build-dependency in source[0m
dpkg-source: info: using patch list from debian/patches/series
dpkg-source: info: applying 0001-Use-common-license.patch
dpkg-source: info: applying 0002-Hide-internal-symbols.patch
dpkg-source: info: applying 0003-Use-path-in-usr-lib.patch
dpkg-source: info: applying 0004-Link-with-libm-and-libdl-to-fix-underlinking.patch
dpkg-source: info: applying 0005-Link-with-xcb-and-X-libraries-to-fix-underlinking.patch
dpkg-source: info: applying 0006-Add-SONAME.patch
dpkg-source: info: applying 0007-Do-not-build-with-SSE2-enabled-on-i386.patch
dpkg-source: info: applying 0008-Use-the-simd-everywhere-headers-from-libsimde-dev.patch
...
debuild should provide you something similar.
MX Linux packager and developer

p_linux
Posts: 9
Joined: 2020-12-31 12:52

Re: Question about building shadow package on Debian

#13 Post by p_linux »

Yes, debuild command returns something like that.
But the output is different in if the patches are unloaded (quilt pop -a) :

Code: Select all

dpkg-deb: building package 'passwd-dbgsym' in '../passwd-dbgsym_4.5-5_amd64.deb'.
dpkg-deb: building package 'passwd' in '../passwd_4.5-5_amd64.deb'.
dh_gencontrol -plogin
dh_md5sums -plogin
dh_builddeb -plogin
dpkg-deb: building package 'login-dbgsym' in '../login-dbgsym_4.5-5_amd64.deb'.
dpkg-deb: building package 'login' in '../login_4.5-5_amd64.deb'.
dh_gencontrol -puidmap
dh_md5sums -puidmap
dh_builddeb -puidmap
dpkg-deb: building package 'uidmap-dbgsym' in '../uidmap-dbgsym_4.5-5_amd64.deb'.
dpkg-deb: building package 'uidmap' in '../uidmap_4.5-5_amd64.deb'.
dpkg-genbuildinfo
dpkg-genchanges  >../shadow_4.5-5_amd64.changes
dpkg-genchanges: info: pas d'inclusion du code source original dans l'envoi (« upload »)
dpkg-source --after-build .
dpkg-source: info: retrait de 600_test_patch
dpkg-source: info: retrait de 501_commonio_group_shadow
dpkg-source: info: retrait de 505_useradd_recommend_adduser
dpkg-source: info: retrait de 508_nologin_in_usr_sbin
dpkg-source: info: retrait de 463_login_delay_obeys_to_PAM
dpkg-source: info: retrait de 542_useradd-O_option
dpkg-source: info: retrait de 506_relaxed_usernames
dpkg-source: info: retrait de 402_cppw_selinux
dpkg-source: info: retrait de 401_cppw_src.dpatch
dpkg-source: info: retrait de 429_login_FAILLOG_ENAB
dpkg-source: info: retrait de 008_login_log_failure_in_FTMP
dpkg-source: info: retrait de 503_shadowconfig.8
dpkg-buildpackage: info: envoi d'un binaire et du fichier de différences (aucune inclusion du code source d'origine)
Or, if the patches are loaded (quilt push -a) :

Code: Select all

dpkg-deb: building package 'passwd-dbgsym' in '../passwd-dbgsym_4.5-1.1_amd64.deb'.
dpkg-deb: building package 'passwd' in '../passwd_4.5-1.1_amd64.deb'.
dh_gencontrol -plogin
dh_md5sums -plogin
dh_builddeb -plogin
dpkg-deb: building package 'login-dbgsym' in '../login-dbgsym_4.5-1.1_amd64.deb'.
dpkg-deb: building package 'login' in '../login_4.5-1.1_amd64.deb'.
dh_gencontrol -puidmap
dh_md5sums -puidmap
dh_builddeb -puidmap
dpkg-deb: building package 'uidmap-dbgsym' in '../uidmap-dbgsym_4.5-1.1_amd64.deb'.
dpkg-deb: building package 'uidmap' in '../uidmap_4.5-1.1_amd64.deb'.
dpkg-genbuildinfo
dpkg-genchanges  >../shadow_4.5-1.1_amd64.changes
dpkg-genchanges: info: pas d'inclusion du code source original dans l'envoi (« upload »)
dpkg-source --after-build .
dpkg-buildpackage: info: envoi d'un binaire et du fichier de différences (aucune inclusion du code source d'origine)
In the first case, the patches are not applied, and in the second, there is no mention of the application of the patches as in your example.
[*]Sorry for the french returns of terminal command

User avatar
stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Question about building shadow package on Debian

#14 Post by stevepusser »

You have no reason to use quilt any longer, it's been built into dpkg since version 7.0.50. Please use "dpkg-source --commit" to convert your source code changes to a patch as HOAS said. You're making this a lot more difficult than it needs to be with your insistence on using quilt.
MX Linux packager and developer

p_linux
Posts: 9
Joined: 2020-12-31 12:52

Re: Question about building shadow package on Debian

#15 Post by p_linux »

I have tried with dpkg --commit and get the same result.
However, after modifying the version (with dch command), we can see that the package has been recompiled because the date of binary is up to date :

Code: Select all

$ dpkg --contents passwd_4.5-1.2_amd64.deb | grep bin/passwd
-rwsr-xr-x root/root     63736 2021-01-05 11:16 ./usr/bin/passwd
At each recompilation, I get the same binary which is the same size (63736) and which does not contain any modifications

User avatar
stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Question about building shadow package on Debian

#16 Post by stevepusser »

Why can't you paste the build output showing what's going with the patches, then? Like I can?
MX Linux packager and developer

p_linux
Posts: 9
Joined: 2020-12-31 12:52

Re: Question about building shadow package on Debian

#17 Post by p_linux »

Hi,

I think I found the solution.

I didn't think of using "strings" to check the contents of the binary, I validated or not the good functioning of my binary with "strace".
This allowed me to see that my modified string (/etc/test/passwd) was present in the binary compiled.

I also noticed that the binary compiled "by hand" didn't load the PAM module during the build unlike the build done with "debuild".
After some research, I saw that these same absolute paths (/etc/{passwd, shadow}) are also present in the shared libraries of the libpam-modules package :

Code: Select all

$ strings /lib/x86_64-linux-gnu/security/pam_* | grep "shadow\|passwd"
I think that's why the hand-compiled binary works, because it doesn't use the paths present in the shared libraries.
The "strace" of the binary made with debuild always returns the old paths (/etc/{passwd, shadow}) because they are overloaded by the PAM module.

The solution is to also recompile the libpam-modules package, but it's a complex solution because the modifications are not easiest (code + dependencies).

Thanks for your help.
P.

Post Reply