changeset 385:3b0114bc7438

security/linux-pam: initial import, closes #1483
author David Demelier <markand@malikania.fr>
date Mon, 01 Apr 2019 20:10:00 +0200
parents df76922c2bf0
children 30c785bd1da0
files security/linux-pam/linux-pam.sh security/linux-pam/musl.patch
diffstat 2 files changed, 144 insertions(+), 0 deletions(-) [+]
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/security/linux-pam/linux-pam.sh	Mon Apr 01 20:10:00 2019 +0200
@@ -0,0 +1,91 @@
+#!/bin/sh
+#
+# Copyright (c) 2019 David Demelier <markand@malikania.fr>
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+#
+
+PKGNAME=linux-pam
+PKGVERSION=1.3.1
+PKGREVISION=1
+PKGLICENSE="BSD"
+PKGSUMMARY="pluggable authentication modules"
+PKGDOWNLOAD="https://github.com/linux-pam/linux-pam/releases/download/v$PKGVERSION/Linux-PAM-$PKGVERSION.tar.xz"
+PKGOPTIONS="NLS SELINUX"
+PKGPROTECT="etc/environment
+            etc/security/access.conf
+            etc/security/group.conf
+            etc/security/limits.conf
+            etc/security/namespace.conf
+            etc/security/namespace.init
+            etc/security/pam_env.conf
+            etc/security/time.conf"
+
+: ${CHOST:=$(uname -m)-linux-musl}
+: ${CBUILD:=$(uname -m)-linux-musl}
+: ${CC:=clang}
+: ${CFLAGS:=-O2}
+: ${LDFLAGS:=}
+: ${LIBS:=}
+: ${NLS:=yes}
+: ${SELINUX:=no}
+
+if [ "$NLS" = "yes" ]; then
+	PKGDEPENDS="core/gettext $PKGDEPENDS"
+	with_nls="--enable-nls"
+else
+	with_nls="--disable-nls"
+fi
+
+if [ "$SELINUX" = "yes" ]; then
+	with_selinux="--enable-selinux"
+else
+	with_selinux="--disable-selinux"
+fi
+
+build()
+{
+	rm -rf Linux-PAM-$PKGVERSION
+	tar xvaf Linux-PAM-$PKGVERSION.tar.xz
+	pushd Linux-PAM-$PKGVERSION
+
+	# https://git.alpinelinux.org/aports/tree/main/linux-pam/APKBUILD#n32
+	sed -i -e 's/pam_rhosts//g' modules/Makefile.am
+
+	# https://git.alpinelinux.org/aports/plain/main/linux-pam/musl-fix-pam_exec.patch
+	# https://git.alpinelinux.org/aports/plain/main/linux-pam/fix-compat.patch
+	patch -p0 < ../musl.patch
+
+	autoreconf -vif
+	CC="$CC" \
+	CFLAGS="$CFLAGS" \
+	LDFLAGS="$LDFLAGS" \
+	LIBS="$LIBS" \
+	./configure \
+		--build=$CBUILD \
+		--host=$CHOST \
+		--prefix=/usr \
+		--sbindir=/usr/sbin \
+		--disable-db \
+		--libdir=/usr/lib \
+		--docdir=/usr/share/doc/linux-pam \
+		$with_nls \
+		$with_selinux
+	make
+	make install DESTDIR=$DESTDIR
+	rm -f $DESTDIR/usr/lib/libpam{,c,_misc}.la
+	rm -f $DESTDIR/usr/lib/security/pam*.la
+
+	popd
+	rm -rf Linux-PAM-$PKGVERSION
+}
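Review bot: build() never checks an exit status, so if `pushd` or `patch -p0 < ../musl.patch` fails, the remaining steps still run and can build in the wrong directory or install an unpatched PAM. The shebang is `#!/bin/sh`, but `pushd`/`popd` and the `libpam{,c,_misc}.la` brace expansion are not POSIX sh, which makes that failure likely under a non-bash shell. Unless the framework that runs this script already enables `set -e`, use `cd Linux-PAM-$PKGVERSION || return 1` and `patch -p0 < ../musl.patch || return 1`, and chain `make` and `make install` the same way. `$DESTDIR` is also unquoted and unchecked: if it is empty, `make install DESTDIR=$DESTDIR` and the two `rm -f` lines act on the live `/usr/lib`, which `: "${DESTDIR:?}"` before the install would prevent. No checksum for the `PKGDOWNLOAD` tarball is visible here; if the package framework does not pin one elsewhere, an authentication library is a good place to add it.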
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/security/linux-pam/musl.patch	Mon Apr 01 20:10:00 2019 +0200
@@ -0,0 +1,53 @@
+--- modules/pam_exec/pam_exec.c.orig
++++ modules/pam_exec/pam_exec.c
+@@ -103,11 +103,14 @@
+   int optargc;
+   const char *logfile = NULL;
+   const char *authtok = NULL;
++  char authtok_buf[PAM_MAX_RESP_SIZE+1];
++
+   pid_t pid;
+   int fds[2];
+   int stdout_fds[2];
+   FILE *stdout_file = NULL;
+ 
++  memset(authtok_buf, 0, sizeof(authtok_buf));
+   if (argc < 1) {
+     pam_syslog (pamh, LOG_ERR,
+ 		"This module needs at least one argument");
+@@ -180,12 +183,12 @@
+ 	      if (resp)
+ 		{
+ 		  pam_set_item (pamh, PAM_AUTHTOK, resp);
+-		  authtok = strndupa (resp, PAM_MAX_RESP_SIZE);
++		  authtok = strncpy (authtok_buf, resp, sizeof (authtok_buf));
+ 		  _pam_drop (resp);
+ 		}
+ 	    }
+ 	  else
+-	    authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE);
++	    authtok = strncpy (authtok_buf, void_pass, sizeof (authtok_buf));
+ 
+ 	  if (pipe(fds) != 0)
+ 	    {
+--- modules/pam_lastlog/pam_lastlog.c.orig
++++ modules/pam_lastlog/pam_lastlog.c
+@@ -10,6 +10,7 @@
+ 
+ #include "config.h"
+ 
++#include <paths.h>
+ #include <fcntl.h>
+ #include <time.h>
+ #include <errno.h>
+@@ -48,6 +49,10 @@
+ 
+ #ifndef _PATH_BTMP
+ # define _PATH_BTMP "/var/log/btmp"
++#endif
++
++#ifndef __GLIBC__
++#define logwtmp(args...)
+ #endif
+ 
+ /* XXX - time before ignoring lock. Is 1 sec enough? */
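Review bot: Both `strncpy (authtok_buf, ..., sizeof (authtok_buf))` calls in the pam_exec.c part can leave `authtok_buf` without a terminating NUL. The buffer is `PAM_MAX_RESP_SIZE+1` bytes and strncpy writes no terminator when the source is at least that long, whereas the replaced `strndupa (..., PAM_MAX_RESP_SIZE)` always terminated. Bounding the copy to `sizeof (authtok_buf) - 1` keeps the last byte zeroed by the earlier `memset` as the terminator, e.g. `authtok = strncpy (authtok_buf, resp, sizeof (authtok_buf) - 1);` and likewise for `void_pass`. The patched function starts and ends outside these inner hunks, so how `authtok` is consumed is not visible here, but any later string operation on it would read past the buffer in that case. Separately, `#define logwtmp(args...)` compiles every `logwtmp` call in pam_lastlog.c to nothing on non-glibc builds; a comment such as `/* musl: logwtmp() calls expand to nothing, so no record is written through them */` would make that visible to anyone auditing login records.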