diff mbox series

[v1] util-linux: backport pam_lastlog2 libpam linking fix

Message ID 20260625090231.2575081-1-sivakumar.bs@gmail.com
State Under Review
Headers show
Series [v1] util-linux: backport pam_lastlog2 libpam linking fix | expand

Commit Message

Siva Balasubramanian June 25, 2026, 9:02 a.m. UTC 
pam_lastlog2.so uses pam_syslog() and other libpam symbols but the
autotools build did not link the module against libpam. With the
linker default of --as-needed, libpam was discarded and did not end
up in the module's ELF NEEDED entries. The module then fails to load
via dlopen() in processes that do not themselves link libpam (e.g.
systemd on recent Fedora, or weston on journald-based systems without
syslog):

  PAM unable to dlopen(/usr/lib/security/pam_lastlog2.so): undefined symbol: pam_syslog
  PAM adding faulty module: /usr/lib/security/pam_lastlog2.so

Backport the upstream fix (in 2.41.5) that moves -lpam into LIBADD so
it is placed after the object files and retained as a NEEDED entry.
Against 2.41.3 only the LIBADD line needs changing.

[YOCTO #16320]

Signed-off-by: Siva Balasubramanian <sivakumar.bs@gmail.com>
---
Verified by building util-linux with pam in DISTRO_FEATURES (qemux86-64):
without the patch the resulting pam_lastlog2.so has no libpam in its ELF
NEEDED entries; with the patch readelf -d reports libpam.so.0, matching
the upstream fix and resolving the dlopen() failure from the bug report.

This is also a candidate for the stable 6.0.x branch (per the bug
report), which also ships util-linux 2.41.3; the same single-hunk
backport applies.

 meta/recipes-core/util-linux/util-linux.inc   |  1 +
 ...ix-libpam-linking-in-autotools-build.patch | 51 +++++++++++++++++++
 2 files changed, 52 insertions(+)
 create mode 100644 meta/recipes-core/util-linux/util-linux/0001-pam_lastlog2-fix-libpam-linking-in-autotools-build.patch

Comments

Mathieu Dubois-Briand June 25, 2026, 12:55 p.m. UTC | #1 
On Thu Jun 25, 2026 at 11:02 AM CEST, Siva Balasubramanian via lists.openembedded.org wrote:
> pam_lastlog2.so uses pam_syslog() and other libpam symbols but the
> autotools build did not link the module against libpam. With the
> linker default of --as-needed, libpam was discarded and did not end
> up in the module's ELF NEEDED entries. The module then fails to load
> via dlopen() in processes that do not themselves link libpam (e.g.
> systemd on recent Fedora, or weston on journald-based systems without
> syslog):
>
>   PAM unable to dlopen(/usr/lib/security/pam_lastlog2.so): undefined symbol: pam_syslog
>   PAM adding faulty module: /usr/lib/security/pam_lastlog2.so
>
> Backport the upstream fix (in 2.41.5) that moves -lpam into LIBADD so
> it is placed after the object files and retained as a NEEDED entry.
> Against 2.41.3 only the LIBADD line needs changing.
>
> [YOCTO #16320]
>
> Signed-off-by: Siva Balasubramanian <sivakumar.bs@gmail.com>
> ---
> Verified by building util-linux with pam in DISTRO_FEATURES (qemux86-64):
> without the patch the resulting pam_lastlog2.so has no libpam in its ELF
> NEEDED entries; with the patch readelf -d reports libpam.so.0, matching
> the upstream fix and resolving the dlopen() failure from the bug report.
>
> This is also a candidate for the stable 6.0.x branch (per the bug
> report), which also ships util-linux 2.41.3; the same single-hunk
> backport applies.

Hi Siva,

Thanks for the patch.

We already have a pending patch for master, upgrading to 2.42.2 [1]. So
I believe this patch won't be needed for master. It probably still makes
sense for stable branches.

[1]: https://lore.kernel.org/openembedded-core/20260619083305.3505156-2-alex.kanavin@gmail.com/

Thanks,
Mathieu
diff mbox series

Patch

diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc
index 0235862666..3cdc1e2c0f 100644
--- a/meta/recipes-core/util-linux/util-linux.inc
+++ b/meta/recipes-core/util-linux/util-linux.inc
@@ -21,6 +21,7 @@  SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin
            file://0001-ts-kill-decode-use-RTMIN-from-kill-L-instead-of-hard.patch \
            file://0001-tests-script-Disable-size-option-test.patch \
            file://0001-loopdev-add-LOOPDEV_FL_NOFOLLOW-to-prevent-symlink-a.patch \
+           file://0001-pam_lastlog2-fix-libpam-linking-in-autotools-build.patch \
            "
 
 SRC_URI[sha256sum] = "3330d873f0fceb5560b89a7dc14e4f3288bbd880e96903ed9b50ec2b5799e58b"
diff --git a/meta/recipes-core/util-linux/util-linux/0001-pam_lastlog2-fix-libpam-linking-in-autotools-build.patch b/meta/recipes-core/util-linux/util-linux/0001-pam_lastlog2-fix-libpam-linking-in-autotools-build.patch
new file mode 100644
index 0000000000..9aaa56e7b4
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/0001-pam_lastlog2-fix-libpam-linking-in-autotools-build.patch
@@ -0,0 +1,51 @@ 
+From c8d0af0421f6491ab1cb2301d2e197315289d34c Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Tue, 19 May 2026 10:54:57 +0200
+Subject: [PATCH] pam_lastlog2: fix libpam linking in autotools build
+
+The pam_lastlog2 module uses pam_syslog() and other libpam symbols but
+the autotools build did not link the module against libpam. With the
+linker default of --as-needed (and -lpam previously only in LDFLAGS,
+before the object files), libpam was discarded and did not appear in the
+module's ELF NEEDED entries.
+
+The module then fails to load with dlopen() if the calling process does
+not itself link against libpam (e.g. systemd on recent Fedora, or weston
+on journald-based systems without syslog):
+
+  PAM unable to dlopen(/usr/lib/security/pam_lastlog2.so): undefined symbol: pam_syslog
+  PAM adding faulty module: /usr/lib/security/pam_lastlog2.so
+
+Move -lpam into pam_lastlog2_la_LIBADD so it is placed after the object
+files on the link line and is retained in the NEEDED entries. The meson
+build already links libpam correctly via cc.find_library('pam').
+
+Note for this backport: against 2.41.3 only the LIBADD line needs to
+change. The upstream commit also removes -lpam from LDFLAGS, but that
+LDFLAGS reference was added after 2.41.3 and is not present here, so the
+net change is the single LIBADD hunk below.
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2453457
+
+Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/c8d0af0421f6491ab1cb2301d2e197315289d34c]
+Signed-off-by: Karel Zak <kzak@redhat.com>
+Signed-off-by: Siva Balasubramanian <sivakumar.bs@gmail.com>
+---
+ pam_lastlog2/src/Makemodule.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pam_lastlog2/src/Makemodule.am b/pam_lastlog2/src/Makemodule.am
+index 40d597c58..876171e9f 100644
+--- a/pam_lastlog2/src/Makemodule.am
++++ b/pam_lastlog2/src/Makemodule.am
+@@ -11,7 +11,7 @@ pam_lastlog2_la_CFLAGS = \
+ 	 $(SOLIB_CFLAGS) \
+ 	 -I$(ul_liblastlog2_incdir)
+
+-pam_lastlog2_la_LIBADD = liblastlog2.la
++pam_lastlog2_la_LIBADD = liblastlog2.la -lpam
+
+ pam_lastlog2_la_LDFLAGS = $(SOLIB_LDFLAGS) -module -avoid-version -shared
+ if HAVE_VSCRIPT
+--
+2.43.0