From fd8f6de4b8415fe4dcea3a9cbb9ab9eebd37b53a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= <v@cunat.cz>
Date: Thu, 27 Jan 2022 10:10:23 +0100
Subject: [PATCH] linux-pam: make it use SUID wrapped version of unix_ckpwd

---
 pkgs/os-specific/linux/pam/default.nix             | 2 ++
 pkgs/os-specific/linux/pam/suid-wrapper-path.patch | 6 ++++++
 2 files changed, 8 insertions(+)
 create mode 100644 pkgs/os-specific/linux/pam/suid-wrapper-path.patch

diff --git a/pkgs/os-specific/linux/pam/default.nix b/pkgs/os-specific/linux/pam/default.nix
index 33ab4f784fcb..65bf01aa4cfc 100644
--- a/pkgs/os-specific/linux/pam/default.nix
+++ b/pkgs/os-specific/linux/pam/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
     sha256 = "sha256-IB1AcwsRNbGzzeoJ8sKKxjTXMYHM0Bcs7d7jZJxXkvw=";
   };
 
+  patches = [ ./suid-wrapper-path.patch ];
+
   outputs = [ "out" "doc" "man" /* "modules" */ ];
 
   depsBuildBuild = [ buildPackages.stdenv.cc ];
diff --git a/pkgs/os-specific/linux/pam/suid-wrapper-path.patch b/pkgs/os-specific/linux/pam/suid-wrapper-path.patch
new file mode 100644
index 000000000000..71533c51a190
--- /dev/null
+++ b/pkgs/os-specific/linux/pam/suid-wrapper-path.patch
@@ -0,0 +1,6 @@
+It needs the SUID version during runtime, and that can't be in /nix/store/**
+--- a/modules/pam_unix/Makefile.in
++++ b/modules/pam_unix/Makefile.in
+@@ -651 +651 @@
+-	-DCHKPWD_HELPER=\"$(sbindir)/unix_chkpwd\" \
++	-DCHKPWD_HELPER=\"/run/wrappers/bin/unix_chkpwd\" \