NetBSD-Bugs archive


lib/45877: openpam modules are not installed root but are required to be at runtime



>Number:         45877
>Category:       lib
>Synopsis:       openpam modules are not installed root but are required to be at runtime
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Jan 27 07:00:00 +0000 2012
>Originator:     Geoff C. Wing
>Release:        NetBSD 5.99.60
>Organization:
>Environment:
System: NetBSD g.primenet.com.au 5.99.60 NetBSD 5.99.60 (G) #0: Thu Jan 19 17:36:04 EST 2012 gcw%g.primenet.com.au@localhost:/usr/netbsd/src/sys/arch/i386/compile/G i386
Architecture: i386
Machine: i386
>Description:
        Files in /usr/lib/security are required by
        openpam_check_path_owner_perms() to be owned by root and
        not writable by group/other.  If this is not true, then
        pam will fail (and you can't log in).

        (See external/bsd/openpam/dist/lib/openpam_check_owner_perms.c)

        They are not explicitly installed as root, which can give an
        installation which won't allow any authentication, etc.

>How-To-Repeat:
        Use "BINOWN?=somethingelse" in your /etc/mk.conf (or set otherwise)
>Fix:
        
Index: lib/libpam/Makefile.inc
===================================================================
RCS file: /cvsroot/src/lib/libpam/Makefile.inc,v
retrieving revision 1.14
diff -u -r1.14 Makefile.inc
--- lib/libpam/Makefile.inc     27 Dec 2011 16:53:24 -0000      1.14
+++ lib/libpam/Makefile.inc     27 Jan 2012 01:59:21 -0000
@@ -50,3 +50,6 @@
 # version, and we need these variables early for module install rules.
 SHLIB_MAJOR=   3
 SHLIB_MINOR=   0
+
+# openpam requires the files to be owned by root
+BINOWN=        root
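
Review bot: the added "BINOWN= root" line only pins the owner, while the check quoted in the description also rejects files that are writable by group or other, so a non-default install mode from mk.conf would still break logins; pin the mode next to it or extend the comment to say why that is not needed. The plain "=" sits in lib/libpam/Makefile.inc, so it overrides the builder's setting for everything that includes this file, not only the modules under /usr/lib/security, and the comment should say that the override is deliberate. It is also worth confirming that the module install rules take their owner from BINOWN rather than from a separate library owner variable, otherwise this line does not change what gets installed.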



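A post-install check for the condition this report describes, as an added example (not part of the original report and not OpenPAM or NetBSD code): it lists regular files in a module directory that are not owned by the expected owner or are writable by group or other. The function names are hypothetical, and the optional owner argument is an assumption added so the check can be tried on a scratch directory.

```shell
#!/bin/sh
# Added example: audit a PAM module directory against the rule quoted in the
# report (files owned by root, not writable by group or other).
# Usage after sourcing: audit_pam_modules /usr/lib/security

# list_bad_pam_modules DIR [OWNER]
#   Print every regular file under DIR that is not owned by OWNER
#   (default: root; a name or a numeric uid) or that has the group-write
#   or other-write bit set.
list_bad_pam_modules() {
    dir=$1
    owner=${2:-root}
    find "$dir" -type f \
        \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print
}

# count_bad_pam_modules DIR [OWNER]
#   Print the number of files that list_bad_pam_modules reports.
count_bad_pam_modules() {
    list_bad_pam_modules "$@" | wc -l | tr -d ' '
}

# audit_pam_modules DIR [OWNER]
#   Show owner and mode of each offending file on stderr and return 1,
#   or print "ok" and return 0 when nothing is wrong.
audit_pam_modules() {
    bad=$(list_bad_pam_modules "$@")
    if [ -n "$bad" ]; then
        echo "files that would fail the owner/permission check:" >&2
        echo "$bad" | while IFS= read -r f; do
            ls -ld "$f" >&2
        done
        return 1
    fi
    echo "ok: $1"
    return 0
}
```

Running the audit right after an install with a non-default BINOWN shows the affected modules before the next login attempt does.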