rpms
/
authselect
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import authselect-1.0-13.el8

This commit is contained in:
CentOS Sources 2019-05-07 06:06:39 -04:00 committed by Andrew Lukoshko
commit 5ba59e8849
43 changed files with 4068 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.authselect.metadata Normal file
View File

@ -0,0 +1,2 @@
816e7213fea7653c5b4a7dde804287b310e9df9a SOURCES/authselect-1.0.tar.gz
c858c61f42ad793d0fe8f619429866c6df23511b SOURCES/translations-1.0-12.tar.gz

2
.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
SOURCES/authselect-1.0.tar.gz
SOURCES/translations-1.0-12.tar.gz

30
SOURCES/0001-lib-fix-profile-origin-debug-message.patch Normal file
View File

@ -0,0 +1,30 @@
From 607235797f0503178f81b5a2074803fdddd84071 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 4 Sep 2018 12:33:21 +0200
Subject: [PATCH 01/16] lib: fix profile origin debug message
Previously, we failed to match the location and always print that
the selected profile is a default profile.
---
src/lib/profiles/read.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/lib/profiles/read.c b/src/lib/profiles/read.c
index 002329090cec29eee7969a5f04634ba1bb214a4c..a3a3e62788a3b3ae493a22a8b8e10170d572fc6f 100644
--- a/src/lib/profiles/read.c
+++ b/src/lib/profiles/read.c
@@ -125,9 +125,9 @@ authselect_profile_open(const char *id,
return ret;
}
- if (strcmp(location, DIR_CUSTOM_PROFILES) == 0) {
+ if (strcmp(locations[i], DIR_CUSTOM_PROFILES) == 0) {
INFO("Profile [%s] is a custom profile", id);
- } else if (strcmp(location, DIR_VENDOR_PROFILES) == 0) {
+ } else if (strcmp(locations[i], DIR_VENDOR_PROFILES) == 0) {
INFO("Profile [%s] is a vendor profile", id);
} else {
INFO("Profile [%s] is a default profile", id);
--
2.17.1

24
SOURCES/0002-man-remove-duplicate-of-with-pamaccess.patch Normal file
View File

@ -0,0 +1,24 @@
From 3b6ba3c895dfc7a3c6b3fa43d2c76070e45b0d94 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 4 Sep 2018 12:39:16 +0200
Subject: [PATCH 02/16] man: remove duplicate of with-pamaccess
---
src/man/authselect-migration.7.adoc | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc
index 47544a53efd70b55a75d68d5bcbf3c89f875d7e7..35ba484d576ab8a3d923a124f6b1577085deedd4 100644
--- a/src/man/authselect-migration.7.adoc
+++ b/src/man/authselect-migration.7.adoc
@@ -85,7 +85,6 @@ configuration file for required services.
|--enablefaillock |with-faillock
|--enablepamaccess |with-pamaccess
|--enablewinbindkrb5 |with-krb5
-|--enablepamaccess |with-pamaccess
|==================================================
.Examples
--
2.17.1

49
SOURCES/0003-Don-t-write-options-without-value-to-pwquality-conf-.patch Normal file
View File

@ -0,0 +1,49 @@
From bf05c4a72237eacf649b09888bdf536e0b7721a5 Mon Sep 17 00:00:00 2001
From: Adam Williamson <awilliam@redhat.com>
Date: Tue, 28 Aug 2018 11:49:35 -0700
Subject: [PATCH 03/16] Don't write options without value to pwquality conf
(#1618865)
Per https://bugzilla.redhat.com/show_bug.cgi?id=1618865 , it is
incorrect to write lines like this in a pwquality config file:
minlen=
minclass=
maxrepeat=
maxclassrepeat=
There should either be an actual integer value, or the line
should be omitted entirely. Including the option with no value
is wrong and breaks pwquality. This should fix the problem by
only writing the lines if the option is actually set.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
---
src/compat/authcompat.py.in.in | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
index abe1e585954ccd5ac555339f23c175e941c76ea3..1b4f531b021c1e2e8fd99bd081094da365c0c64e 100755
--- a/src/compat/authcompat.py.in.in
+++ b/src/compat/authcompat.py.in.in
@@ -319,10 +319,13 @@ class Configuration:
def write(self):
config = EnvironmentFile(Path.System('pwquality.conf'))
- config.set("minlen", self.get("passminlen"))
- config.set("minclass", self.get("passminclass"))
- config.set("maxrepeat", self.get("passmaxrepeat"))
- config.set("maxclassrepeat", self.get("passmaxclassrepeat"))
+ # for each if these options, we want to write a line to the config
+ # *only if* it is set to an actual value, see
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1618865
+ for pwval in ["minlen", "minclass", "maxrepeat", "maxclassrepeat"]:
+ if self.isset("pass{0}".format(pwval)):
+ config.set(pwval, self.get("pass{0}".format(pwval)))
+
config.set("lcredit", self.getBoolAsValue("reqlower", -1, 0))
config.set("ucredit", self.getBoolAsValue("requpper", -1, 0))
config.set("dcredit", self.getBoolAsValue("reqdigit", -1, 0))
--
2.17.1

72
SOURCES/0004-compat-write-only-options-set-on-command-line-to-pwq.patch Normal file
View File

@ -0,0 +1,72 @@
From 474404051fe461a1be5d175b3f13da54ddbe0a37 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 4 Sep 2018 11:36:43 +0200
Subject: [PATCH 04/16] compat: write only options set on command line to
pwquality.conf
This will not overwrite pwquality.conf if for exapmle "authconfig --update"
is called. Without this patch the values would get overriden with empty
values.
---
src/compat/authcompat.py.in.in | 36 ++++++++++++++++++++++------------
1 file changed, 24 insertions(+), 12 deletions(-)
diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
index 1b4f531b021c1e2e8fd99bd081094da365c0c64e..4fa9a6afc1d62aa9dde41b525d473168e6dc2901 100755
--- a/src/compat/authcompat.py.in.in
+++ b/src/compat/authcompat.py.in.in
@@ -166,7 +166,10 @@ class Configuration:
def getBool(self, name):
return self.options.getBool(name)
- def getBoolAsValue(self, name, if_true, if_false):
+ def getBoolAsValue(self, name, if_true, if_false, AllowNone=False):
+ if AllowNone and not self.isset(name):
+ return None
+
value = self.getBool(name)
if value:
return if_true
@@ -318,19 +321,28 @@ class Configuration:
def write(self):
config = EnvironmentFile(Path.System('pwquality.conf'))
+ value_set = False
- # for each if these options, we want to write a line to the config
- # *only if* it is set to an actual value, see
- # https://bugzilla.redhat.com/show_bug.cgi?id=1618865
- for pwval in ["minlen", "minclass", "maxrepeat", "maxclassrepeat"]:
- if self.isset("pass{0}".format(pwval)):
- config.set(pwval, self.get("pass{0}".format(pwval)))
+ pwopts = {
+ "minlen" : self.get("passminlen"),
+ "minclass" : self.get("passminclass"),
+ "maxrepeat" : self.get("passmaxrepeat"),
+ "maxclassrepeat" : self.get("passmaxclassrepeat"),
+ "lcredit" : self.getBoolAsValue("reqlower", -1, 0, AllowNone=True),
+ "ucredit" : self.getBoolAsValue("requpper", -1, 0, AllowNone=True),
+ "dcredit" : self.getBoolAsValue("reqdigit", -1, 0, AllowNone=True),
+ "ocredit" : self.getBoolAsValue("reqother", -1, 0, AllowNone=True)
+ }
- config.set("lcredit", self.getBoolAsValue("reqlower", -1, 0))
- config.set("ucredit", self.getBoolAsValue("requpper", -1, 0))
- config.set("dcredit", self.getBoolAsValue("reqdigit", -1, 0))
- config.set("ocredit", self.getBoolAsValue("reqother", -1, 0))
- config.write()
+ # Write options only if their are actually set
+ for opt, value in pwopts.items():
+ if value is not None:
+ print(opt + "=" + str(value))
+ config.set(opt, value)
+ value_set = True
+
+ if value_set:
+ config.write()
class MakeHomedir(Base):
def __init__(self, options):
--
2.17.1

31
SOURCES/0005-compat-fix-regular-expression-for-environment-files.patch Normal file
View File

@ -0,0 +1,31 @@
From 8e735cff141bb080409f71b15f31f2aea2ef182e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 4 Sep 2018 11:38:38 +0200
Subject: [PATCH 05/16] compat: fix regular expression for environment files
Any word character (\w) was not enough as it does not accept e.g. '-'.
Therefore line like 'ocredit=-1' was incorrectly parse returning only
'1' as value instead of '-1'.
---
src/compat/authcompat_EnvironmentFile.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/compat/authcompat_EnvironmentFile.py b/src/compat/authcompat_EnvironmentFile.py
index 529497e61903b3fb89f560b8e0ac0bb38111b46a..5738c6cafaf75109a5c1dbb9d3f040686a4945e1 100644
--- a/src/compat/authcompat_EnvironmentFile.py
+++ b/src/compat/authcompat_EnvironmentFile.py
@@ -34,9 +34,9 @@ class EnvironmentFile:
self.environment = []
delimiter_re = delimiter_re if delimiter_re is not None else delimiter
- self.pattern = re.compile('^(\s*)(\S*)([^\n\w]*)(' +
+ self.pattern = re.compile('^(\s*)(\S*)([^\n\S]*)(' +
delimiter_re +
- ')([^\n\w]*)(.*)$',
+ ')([^\n\S]*)(.*)$',
re.MULTILINE)
self.read()
--
2.17.1

28
SOURCES/0006-compat-fix-typo-in-compat-tool-that-produces-TypeErr.patch Normal file
View File

@ -0,0 +1,28 @@
From b2c1f2874b08a0002bbdfac71b7631da1c3f3322 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 24 Sep 2018 12:10:42 +0200
Subject: [PATCH 06/16] compat: fix typo in compat tool that produces
"TypeError: 'int' object is not callable"
Resolves:
https://github.com/pbrezina/authselect/issues/92
---
src/compat/authcompat_EnvironmentFile.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/compat/authcompat_EnvironmentFile.py b/src/compat/authcompat_EnvironmentFile.py
index 5738c6cafaf75109a5c1dbb9d3f040686a4945e1..9c12f7c675fe29a76161f83e7fcaa06b3a3fab35 100644
--- a/src/compat/authcompat_EnvironmentFile.py
+++ b/src/compat/authcompat_EnvironmentFile.py
@@ -204,7 +204,7 @@ class EnvironmentFile:
i = value.find("\\", i)
if i < 0:
break
- if i + 1 >= length(value):
+ if i + 1 >= len(value):
value = value[0:i]
break
--
2.17.1

119
SOURCES/0007-compat-use-current-configuration-unless-other-profil.patch Normal file
View File

@ -0,0 +1,119 @@
From 313ccd75397ae3a1801e1532f460519c657adae6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 11 Sep 2018 11:03:36 +0200
Subject: [PATCH 07/16] compat: use current configuration unless other profile
is selected
This makes sure that 'authconfig --updateall' or 'authconfig --enablexyz --updateall'
will not override current authselect profile if /etc/authconfig/sysconfig does not
exist.
Resolves:
https://github.com/pbrezina/authselect/issues/82
---
src/compat/authcompat.py.in.in | 61 ++++++++++++++++++++++++++++------
1 file changed, 50 insertions(+), 11 deletions(-)
diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
index 4fa9a6afc1d62aa9dde41b525d473168e6dc2901..96b2c69ce2c10afe6b689a8c4b64aa1e83245b34 100755
--- a/src/compat/authcompat.py.in.in
+++ b/src/compat/authcompat.py.in.in
@@ -39,9 +39,11 @@ def eprint(*args, **kwargs):
class Command:
TEST = False
- def __init__(self, command, args, input=None):
+ def __init__(self, command, args, input=None, check=True):
self.args = [command] + args
self.input = input.encode() if input is not None else None
+ self.check = check
+ self.result = None
def run(self):
print(_("Executing: %s") % ' '.join(self.args))
@@ -49,10 +51,10 @@ class Command:
if self.TEST:
return
- subprocess.run(self.args, check=True,
- input=self.input,
- stdout=subprocess.PIPE,
- stderr=subprocess.PIPE)
+ self.result = subprocess.run(self.args, check=self.check,
+ input=self.input,
+ stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE)
class Service:
def __init__(self, name):
@@ -506,24 +508,61 @@ class AuthCompat:
'winbindkrb5' : 'with-krb5'
}
- profile = "sssd"
- if self.options.getBool("nis"):
+ # Read current configuration first.
+ (profile, features) = self.getCurrentAuthselectConfig()
+
+ # Change profile if requested.
+ if (self.options.getBool("ldap") or self.options.getBool("ldapauth") or
+ self.options.getBool("sssd") or self.options.getBool("sssdauth")):
+ profile = "sssd"
+ elif self.options.getBool("nis"):
profile = "nis"
elif self.options.getBool("winbind"):
profile = "winbind"
+ # Default to sssd
+ if profile is None:
+ profile = "sssd"
+
+ # Add enabled and remove disabled features.
+ for option, feature in map.items():
+ if not self.options.isset(option):
+ continue
+
+ enabled = self.options.getBool(option)
+ if enabled:
+ features.append(feature)
+ else:
+ while feature in features:
+ features.remove(feature)
+
+ # Remove duplicates. The order is not kept but that does not matter.
+ features = list(set(features))
+
# Always run with --force. This is either first call of authconfig
# in installation script or it is run on already configured system.
# We want to use authselect in both cases anyway, since authconfig
# would change the configuration either way.
- args = ["select", profile, "--force"]
- for option, feature in map.items():
- if self.options.getBool(option):
- args.append(feature)
+ args = ["select", profile]
+ args.extend(features)
+ args.append("--force")
cmd = Command(Path.System('cmd-authselect'), args)
cmd.run()
+ def getCurrentAuthselectConfig(self):
+ cmd = Command(Path.System('cmd-authselect'), ['check'], check=False)
+ cmd.run()
+
+ if cmd.result.returncode != 0:
+ return (None, [])
+
+ cmd = Command(Path.System('cmd-authselect'), ['current', '--raw'])
+ cmd.run()
+
+ current = cmd.result.stdout.decode("utf-8").split()
+ return (current[0], current[1:])
+
def writeConfiguration(self):
configs = [
Configuration.LDAP(self.options),
--
2.17.1

115
SOURCES/0008-compat-do-not-disable-service-if-its-option-is-not-s.patch Normal file
View File

@ -0,0 +1,115 @@
From 0f4fec2cf1f4a2430e97a44209de27dd18332c1a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 13 Sep 2018 11:15:05 +0200
Subject: [PATCH 08/16] compat: do not disable service if its option is not set
If we run 'authconfig --updateall' with empty /etc/sysconfig/authconfig
file we may actually end up disabling services that were started by user.
This patch makes sure that if a service was not explicitly disabled on
command line or in sysconfig file we do not touch its state.
Resolves:
https://github.com/pbrezina/authselect/issues/82
---
src/compat/authcompat.py.in.in | 33 +++++++++++++++++++++++++++++----
1 file changed, 29 insertions(+), 4 deletions(-)
diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
index 96b2c69ce2c10afe6b689a8c4b64aa1e83245b34..532227b69f3bb3d124078915bd846009bee7df7a 100755
--- a/src/compat/authcompat.py.in.in
+++ b/src/compat/authcompat.py.in.in
@@ -208,9 +208,16 @@ class Configuration:
super(Configuration.Kerberos, self).__init__(options)
def isEnabled(self):
- return self.isset("krb5realm") or self.isset("krb5realmdns")
+ if not self.isset("krb5realm") and not self.isset("krb5realmdns"):
+ return None
+
+ return self.get("krb5realm") != "" or self.getBool("krb5realmdns")
def cleanup(self):
+ # Do not remove the file if these options are not set
+ if not self.isset("krb5realm") and not self.isset("krb5realmdns"):
+ return
+
self.removeFile(Path.System('krb5.conf'))
def write(self):
@@ -240,7 +247,7 @@ class Configuration:
nisdomain = self.get("nisdomain")
config = EnvironmentFile(Path.System('network'))
- if nisdomain is None and config.get("NISDOMAIN") is None:
+ if nisdomain is None:
return
config.set("NISDOMAIN", nisdomain)
@@ -251,6 +258,9 @@ class Configuration:
super(Configuration.SSSD, self).__init__(options, ServiceName="sssd")
def isEnabled(self):
+ if not self.isset("ldap") and not self.isset("sssd"):
+ return None
+
return self.getBool("ldap") or self.getBool("sssd")
def cleanup(self):
@@ -288,6 +298,9 @@ class Configuration:
super(Configuration.Winbind, self).__init__(options, ServiceName="winbind")
def isEnabled(self):
+ if not self.isset("winbind") and not self.isset("winbindauth"):
+ return None
+
return self.getBool("winbind") or self.getBool("winbindauth")
def write(self):
@@ -351,6 +364,9 @@ class Configuration:
super(Configuration.MakeHomedir, self).__init__(options, ServiceName="oddjobd")
def isEnabled(self):
+ if not self.isset("mkhomedir"):
+ return None
+
return self.getBool("mkhomedir")
def disableService(self, nostop):
@@ -365,6 +381,9 @@ class Configuration:
self.ypbind = Service("ypbind")
def isEnabled(self):
+ if not self.isset("nis"):
+ return None
+
return self.getBool("nis")
def enableService(self, nostart):
@@ -554,7 +573,7 @@ class AuthCompat:
cmd = Command(Path.System('cmd-authselect'), ['check'], check=False)
cmd.run()
- if cmd.result.returncode != 0:
+ if cmd.result is None or cmd.result.returncode != 0:
return (None, [])
cmd = Command(Path.System('cmd-authselect'), ['current', '--raw'])
@@ -582,7 +601,13 @@ class AuthCompat:
# Enable or disable service if needed
nostart = self.options.getBool("nostart")
try:
- if config.isEnabled():
+ enabled = config.isEnabled()
+
+ # Skip service management if it can not be decided
+ if enabled is None:
+ continue
+
+ if enabled:
config.enableService(nostart)
else:
config.disableService(nostart)
--
2.17.1

37
SOURCES/0009-nis-add-all-maps-supported-by-nss_nis.patch Normal file
View File

@ -0,0 +1,37 @@
From 65fb0c895d2e3f19c8a080407813cf67231340e9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 13 Sep 2018 12:25:05 +0200
Subject: [PATCH 09/16] nis: add all maps supported by nss_nis
Resolves:
https://github.com/pbrezina/authselect/issues/86
---
profiles/nis/nsswitch.conf | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
index decf6204090c0cc60679d8760de8fbe6fb3ba3b7..20bcea11342b23b2eef7f2c93a912046dc00ec3d 100644
--- a/profiles/nis/nsswitch.conf
+++ b/profiles/nis/nsswitch.conf
@@ -1,6 +1,14 @@
-passwd: files nis
-group: files nis
-shadow: files nis
-netgroup: files nis
+aliases: files nis
automount: files nis
+ethers: files nis
+group: files nis
hosts: files nis dns myhostname
+initgroups: files nis
+netgroup: files nis
+networks: files nis
+passwd: files nis
+protocols: files nis
+publickey: files nis
+rpc: files nis
+services: files nis
+shadow: files nis
--
2.17.1

33
SOURCES/0010-nis-add-systemd-module-to-nsswitch.conf.patch Normal file
View File

@ -0,0 +1,33 @@
From 03635249198389f51417dfc89de37487b25a4171 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 13 Sep 2018 12:25:46 +0200
Subject: [PATCH 10/16] nis: add systemd module to nsswitch.conf
Resolves:
https://github.com/pbrezina/authselect/issues/89
---
profiles/nis/nsswitch.conf | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
index 20bcea11342b23b2eef7f2c93a912046dc00ec3d..4397deb1ef347d5cb8798926f553c373f8c15649 100644
--- a/profiles/nis/nsswitch.conf
+++ b/profiles/nis/nsswitch.conf
@@ -1,12 +1,12 @@
aliases: files nis
automount: files nis
ethers: files nis
-group: files nis
+group: files nis systemd
hosts: files nis dns myhostname
initgroups: files nis
netgroup: files nis
networks: files nis
-passwd: files nis
+passwd: files nis systemd
protocols: files nis
publickey: files nis
rpc: files nis
--
2.17.1

43
SOURCES/0011-nis-add-nis-option-to-pam_unix-in-password-phase.patch Normal file
View File

@ -0,0 +1,43 @@
From 9764ce2873a05ec9e81c6979177122f9846a9ee2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 13 Sep 2018 14:30:55 +0200
Subject: [PATCH 11/16] nis: add nis option to pam_unix in password phase
This option will allow nis users to change their passwords with 'passwd'.
Resolves:
https://github.com/pbrezina/authselect/issues/87
---
profiles/nis/password-auth | 2 +-
profiles/nis/system-auth | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
index 8f18616eb2d2c228880989ea4cce86b6588b2190..78028e19bbad3965f5232c6b6177d8780d7e1c04 100644
--- a/profiles/nis/password-auth
+++ b/profiles/nis/password-auth
@@ -14,7 +14,7 @@ account sufficient pam_succeed_if.so uid <
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok nis
password required pam_deny.so
session optional pam_keyinit.so revoke
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
index e0bc4ef2fb4efc825927d13c0ff4b0083e5134ea..2909a546a49f991128c48285fa90a1937fa03513 100644
--- a/profiles/nis/system-auth
+++ b/profiles/nis/system-auth
@@ -15,7 +15,7 @@ account sufficient pam_succeed_if.so uid <
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok nis
password required pam_deny.so
session optional pam_keyinit.so revoke
--
2.17.1

59
SOURCES/0012-nis-with-nispwquality-will-enable-pwquality-for-nis-.patch Normal file
View File

@ -0,0 +1,59 @@
From 9f3ec1c3a6aa0670479668355c11fd9e7cb4bb7d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 13 Sep 2018 14:37:57 +0200
Subject: [PATCH 12/16] nis: with-nispwquality will enable pwquality for nis
users
Resolves:
https://github.com/pbrezina/authselect/issues/88
---
profiles/nis/README | 5 +++++
profiles/nis/password-auth | 2 +-
profiles/nis/system-auth | 2 +-
3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/profiles/nis/README b/profiles/nis/README
index 6335fcfb051f01b7acdd4fde689de0d77c0d43a1..b4ffb8b56d8f9930ee5b70f34d0ba7a2dc35dae0 100644
--- a/profiles/nis/README
+++ b/profiles/nis/README
@@ -33,6 +33,11 @@ with-silent-lastlog::
with-pamaccess::
Check access.conf during account authorization.
+with-nispwquality::
+ If this option is set pam_pwquality module will check password quality
+ for NIS users as well as local users during password change. Without this
+ option only local users passwords are checked.
+
EXAMPLES
--------
* Enable NIS with no additional modules
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
index 78028e19bbad3965f5232c6b6177d8780d7e1c04..159da35740cfdf1396a8bc8a97c397919f056797 100644
--- a/profiles/nis/password-auth
+++ b/profiles/nis/password-auth
@@ -13,7 +13,7 @@ account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
-password requisite pam_pwquality.so try_first_pass local_users_only
+password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok nis
password required pam_deny.so
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
index 2909a546a49f991128c48285fa90a1937fa03513..5f941f264b6adf2ca5cdc67685ed227ecc180ac7 100644
--- a/profiles/nis/system-auth
+++ b/profiles/nis/system-auth
@@ -14,7 +14,7 @@ account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
-password requisite pam_pwquality.so try_first_pass local_users_only
+password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok nis
password required pam_deny.so
--
2.17.1

196
SOURCES/0013-profiles-add-without-nullok.patch Normal file
View File

@ -0,0 +1,196 @@
From 325b2f075e57c8495aa040542265fbcbf0f6ff64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 18 Sep 2018 14:04:46 +0200
Subject: [PATCH 13/16] profiles: add without-nullok
Resolves:
https://github.com/pbrezina/authselect/issues/94
---
profiles/nis/README | 3 +++
profiles/nis/password-auth | 4 ++--
profiles/nis/system-auth | 4 ++--
profiles/sssd/README | 3 +++
profiles/sssd/password-auth | 4 ++--
profiles/sssd/system-auth | 4 ++--
profiles/winbind/README | 3 +++
profiles/winbind/password-auth | 4 ++--
profiles/winbind/system-auth | 4 ++--
9 files changed, 21 insertions(+), 12 deletions(-)
diff --git a/profiles/nis/README b/profiles/nis/README
index b4ffb8b56d8f9930ee5b70f34d0ba7a2dc35dae0..34789b1e7643f0df082d40e0e87cb3d0823bba56 100644
--- a/profiles/nis/README
+++ b/profiles/nis/README
@@ -38,6 +38,9 @@ with-nispwquality::
for NIS users as well as local users during password change. Without this
option only local users passwords are checked.
+without-nullok::
+ Do not add nullok parameter to pam_unix.
+
EXAMPLES
--------
* Enable NIS with no additional modules
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
index 159da35740cfdf1396a8bc8a97c397919f056797..615544d16f7fc8551cb06a221825526f12cbfc64 100644
--- a/profiles/nis/password-auth
+++ b/profiles/nis/password-auth
@@ -1,7 +1,7 @@
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
-auth sufficient pam_unix.so nullok try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
auth required pam_deny.so
@@ -14,7 +14,7 @@ account sufficient pam_succeed_if.so uid <
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
-password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok nis
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
password required pam_deny.so
session optional pam_keyinit.so revoke
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
index 5f941f264b6adf2ca5cdc67685ed227ecc180ac7..a41828d8972537b1b24d0ff21cd52976fba6646d 100644
--- a/profiles/nis/system-auth
+++ b/profiles/nis/system-auth
@@ -2,7 +2,7 @@ auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
-auth sufficient pam_unix.so nullok try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
auth required pam_deny.so
@@ -15,7 +15,7 @@ account sufficient pam_succeed_if.so uid <
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
-password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok nis
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
password required pam_deny.so
session optional pam_keyinit.so revoke
diff --git a/profiles/sssd/README b/profiles/sssd/README
index 34693ba3c02b1005c5cca889316ccc0958c94eef..a2fbf66323f4893391474de49f323c06123a2ebf 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -56,6 +56,9 @@ with-sudo::
with-pamaccess::
Check access.conf during account authorization.
+without-nullok::
+ Do not add nullok parameter to pam_unix.
+
EXAMPLES
--------
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index 82082b03e3223010b5d3f3eff348b2e3882fcfc4..e35c8d6943b8289d8b65d7a47b2dad8143b6132b 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -3,7 +3,7 @@ auth required pam_faildelay.so delay=
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
-auth sufficient pam_unix.so nullok try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
@@ -18,7 +18,7 @@ account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 00a360d034a363f9d29f1281a502e11939f00836..02922b16903372598052e36f3713ca5c3f4c8418 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -4,7 +4,7 @@ auth required pam_faillock.so preauth
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
-auth sufficient pam_unix.so nullok try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
@@ -19,7 +19,7 @@ account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
diff --git a/profiles/winbind/README b/profiles/winbind/README
index fe3f879f4e76ecc877053c63ed9b0da93a12afa8..a824c7e78954bafffa6500e45a6e826835fd2b58 100644
--- a/profiles/winbind/README
+++ b/profiles/winbind/README
@@ -48,6 +48,9 @@ with-silent-lastlog::
with-pamaccess::
Check access.conf during account authorization.
+without-nullok::
+ Do not add nullok parameter to pam_unix.
+
EXAMPLES
--------
* Enable winbind with no additional modules
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
index c7498f06f0ddaab4804444a213454b0ef56886e4..c984d817c537c48a358c644083a4f8979181dd1d 100644
--- a/profiles/winbind/password-auth
+++ b/profiles/winbind/password-auth
@@ -1,7 +1,7 @@
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
-auth sufficient pam_unix.so nullok try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
@@ -16,7 +16,7 @@ account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "wit
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
password required pam_deny.so
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
index 4d433ae6ec7782203f240ce66c6e6a7551bb42d6..33dc491c2125c7fe06d6475369f1654a900c7050 100644
--- a/profiles/winbind/system-auth
+++ b/profiles/winbind/system-auth
@@ -2,7 +2,7 @@ auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
-auth sufficient pam_unix.so nullok try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
@@ -17,7 +17,7 @@ account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "wit
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
password required pam_deny.so
--
2.17.1

210
SOURCES/0014-profiles-add-options-to-exclude-lines-from-nsswitch..patch Normal file
View File

@ -0,0 +1,210 @@
From be3cea05e06cbfcfbd684b46c49fcdc8f8f5b880 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 18 Sep 2018 14:28:18 +0200
Subject: [PATCH 14/16] profiles: add options to exclude lines from
nsswitch.conf
There is a common use case that users want to change lines in nsswitch.conf
but do not want to create a whole custom profile. This applies especially
to nis profile as it sets all nsswitch databases and thus renders recently
added user-nsswitch.conf useless.
For distributing company wide configuration, custom profiles should be used though.
Resolves:
https://github.com/pbrezina/authselect/issues/95
---
profiles/nis/README | 50 ++++++++++++++++++++++++++++++++++
profiles/nis/nsswitch.conf | 28 +++++++++----------
profiles/sssd/README | 26 ++++++++++++++++++
profiles/sssd/nsswitch.conf | 12 ++++----
profiles/winbind/README | 14 ++++++++++
profiles/winbind/nsswitch.conf | 4 +--
6 files changed, 112 insertions(+), 22 deletions(-)
diff --git a/profiles/nis/README b/profiles/nis/README
index 34789b1e7643f0df082d40e0e87cb3d0823bba56..3911959c59287d2d5425ef304f744ff4cd5b408d 100644
--- a/profiles/nis/README
+++ b/profiles/nis/README
@@ -41,6 +41,56 @@ with-nispwquality::
without-nullok::
Do not add nullok parameter to pam_unix.
+DISABLE SPECIFIC NSSWITCH DATABASES
+-----------------------------------
+
+Normally, nsswitch databases set by the profile overwrites values set in
+user-nsswitch.conf. The following options can force authselect to
+ignore value set by the profile and use the one set in user-nsswitch.conf
+instead.
+
+with-custom-aliases::
+Ignore "aliases" map set by the profile.
+
+with-custom-automount::
+Ignore "automount" map set by the profile.
+
+with-custom-ethers::
+Ignore "ethers" map set by the profile.
+
+with-custom-group::
+Ignore "group" map set by the profile.
+
+with-custom-hosts::
+Ignore "hosts" map set by the profile.
+
+with-custom-initgroups::
+Ignore "initgroups" map set by the profile.
+
+with-custom-netgroup::
+Ignore "netgroup" map set by the profile.
+
+with-custom-networks::
+Ignore "networks" map set by the profile.
+
+with-custom-passwd::
+Ignore "passwd" map set by the profile.
+
+with-custom-protocols::
+Ignore "protocols" map set by the profile.
+
+with-custom-publickey::
+Ignore "publickey" map set by the profile.
+
+with-custom-rpc::
+Ignore "rpc" map set by the profile.
+
+with-custom-services::
+Ignore "services" map set by the profile.
+
+with-custom-shadow::
+Ignore "shadow" map set by the profile.
+
EXAMPLES
--------
* Enable NIS with no additional modules
diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
index 4397deb1ef347d5cb8798926f553c373f8c15649..f5451657f3d8b988b633304d549a3242257715d3 100644
--- a/profiles/nis/nsswitch.conf
+++ b/profiles/nis/nsswitch.conf
@@ -1,14 +1,14 @@
-aliases: files nis
-automount: files nis
-ethers: files nis
-group: files nis systemd
-hosts: files nis dns myhostname
-initgroups: files nis
-netgroup: files nis
-networks: files nis
-passwd: files nis systemd
-protocols: files nis
-publickey: files nis
-rpc: files nis
-services: files nis
-shadow: files nis
+aliases: files nis {exclude if "with-custom-aliases"}
+automount: files nis {exclude if "with-custom-automount"}
+ethers: files nis {exclude if "with-custom-ethers"}
+group: files nis systemd {exclude if "with-custom-group"}
+hosts: files nis dns myhostname {exclude if "with-custom-hosts"}
+initgroups: files nis {exclude if "with-custom-initgroups"}
+netgroup: files nis {exclude if "with-custom-netgroup"}
+networks: files nis {exclude if "with-custom-networks"}
+passwd: files nis systemd {exclude if "with-custom-passwd"}
+protocols: files nis {exclude if "with-custom-protocols"}
+publickey: files nis {exclude if "with-custom-publickey"}
+rpc: files nis {exclude if "with-custom-rpc"}
+services: files nis {exclude if "with-custom-services"}
+shadow: files nis {exclude if "with-custom-shadow"}
\ No newline at end of file
diff --git a/profiles/sssd/README b/profiles/sssd/README
index a2fbf66323f4893391474de49f323c06123a2ebf..42293ab39c628c285921b8b47c4a763fd0215472 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -59,6 +59,32 @@ with-pamaccess::
without-nullok::
Do not add nullok parameter to pam_unix.
+DISABLE SPECIFIC NSSWITCH DATABASES
+-----------------------------------
+
+Normally, nsswitch databases set by the profile overwrites values set in
+user-nsswitch.conf. The following options can force authselect to
+ignore value set by the profile and use the one set in user-nsswitch.conf
+instead.
+
+with-custom-passwd::
+Ignore "passwd" database set by the profile.
+
+with-custom-group::
+Ignore "group" database set by the profile.
+
+with-custom-netgroup::
+Ignore "netgroup" database set by the profile.
+
+with-custom-automount::
+Ignore "automount" database set by the profile.
+
+with-custom-services::
+Ignore "services" database set by the profile.
+
+with-custom-sudoers::
+Ignore "sudoers" database set by the profile.
+
EXAMPLES
--------
diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
index 5d05102ee8836f5bbce5f0527b87b1559fbe664e..9734bbbe68e7cf73a4a560e3573162d353e551e8 100644
--- a/profiles/sssd/nsswitch.conf
+++ b/profiles/sssd/nsswitch.conf
@@ -1,6 +1,6 @@
-passwd: sss files systemd
-group: sss files systemd
-netgroup: sss files
-automount: sss files
-services: sss files
-sudoers: files sss {include if "with-sudo"}
+passwd: sss files systemd {exclude if "with-custom-passwd"}
+group: sss files systemd {exclude if "with-custom-group"}
+netgroup: sss files {exclude if "with-custom-netgroup"}
+automount: sss files {exclude if "with-custom-automount"}
+services: sss files {exclude if "with-custom-services"}
+sudoers: files sss {include if "with-sudo"}
diff --git a/profiles/winbind/README b/profiles/winbind/README
index a824c7e78954bafffa6500e45a6e826835fd2b58..cd1606800d77eeb93be918f17fe47c2586b2519d 100644
--- a/profiles/winbind/README
+++ b/profiles/winbind/README
@@ -51,6 +51,20 @@ with-pamaccess::
without-nullok::
Do not add nullok parameter to pam_unix.
+DISABLE SPECIFIC NSSWITCH DATABASES
+-----------------------------------
+
+Normally, nsswitch databases set by the profile overwrites values set in
+user-nsswitch.conf. The following options can force authselect to
+ignore value set by the profile and use the one set in user-nsswitch.conf
+instead.
+
+with-custom-passwd::
+Ignore "passwd" database set by the profile.
+
+with-custom-group::
+Ignore "group" database set by the profile.
+
EXAMPLES
--------
* Enable winbind with no additional modules
diff --git a/profiles/winbind/nsswitch.conf b/profiles/winbind/nsswitch.conf
index 3018a7526ece30236969ce69dce729998c9a57de..8a23bd71935eb26c5093e4b2080b1d91b6de5582 100644
--- a/profiles/winbind/nsswitch.conf
+++ b/profiles/winbind/nsswitch.conf
@@ -1,2 +1,2 @@
-passwd: files winbind systemd
-group: files winbind systemd
+passwd: files winbind systemd {exclude if "with-custom-passwd"}
+group: files winbind systemd {exclude if "with-custom-group"}
--
2.17.1

43
SOURCES/0015-compat-do-not-stop-rpcbind-only-start-it.patch Normal file
View File

@ -0,0 +1,43 @@
From c8456ad275ce96648927e9146de23ee73e334f09 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 25 Sep 2018 10:58:50 +0200
Subject: [PATCH 15/16] compat: do not stop rpcbind, only start it
Stopping rpcbind on a nis server will also stop ypserv as it depends
on rpcbind. There is no need to actually restart this service so we
only make sure that it is up and running.
Resolves:
https://github.com/pbrezina/authselect/issues/100
---
src/compat/authcompat.py.in.in | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
index 532227b69f3bb3d124078915bd846009bee7df7a..0be644222a44185cb08ff696afad5adf05995093 100755
--- a/src/compat/authcompat.py.in.in
+++ b/src/compat/authcompat.py.in.in
@@ -80,8 +80,9 @@ class Service:
cmd = Command(Path.System("cmd-systemctl"), ["disable", self.name])
self.runsystemd(cmd, False, 1)
- def start(self):
- self.stop()
+ def start(self, Restart=True):
+ if Restart:
+ self.stop()
cmd = Command(Path.System("cmd-systemctl"), ["start", self.name])
self.runsystemd(cmd, True, 5)
@@ -404,7 +405,7 @@ class Configuration:
self.ypbind.enable()
if not nostart:
- self.rpcbind.start()
+ self.rpcbind.start(Restart=False)
self.ypbind.start()
def disableService(self, nostop):
--
2.17.1

43
SOURCES/0016-sssd-document-that-this-profile-can-be-used-also-wit.patch Normal file
View File

@ -0,0 +1,43 @@
From 766fb1c67f0b0cef0734756704d603df7d322a4c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 26 Sep 2018 13:32:31 +0200
Subject: [PATCH 16/16] sssd: document that this profile can be used also with
sssd disabled
https://github.com/pbrezina/authselect/issues/99
---
profiles/sssd/README | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/profiles/sssd/README b/profiles/sssd/README
index 42293ab39c628c285921b8b47c4a763fd0215472..c597afecff112e8af7905de9b6a8db77d5c3227c 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -1,5 +1,5 @@
-Enable SSSD for system authentication
-=====================================
+Enable SSSD for system authentication (also for local users only)
+=================================================================
Selecting this profile will enable SSSD as the source of identity
and authentication providers.
@@ -12,6 +12,16 @@ to connect to multiple different account sources.
More information about SSSD can be found on its project page:
https://pagure.io/SSSD/sssd
+By default, local users are served from SSSD rather then local files if SSSD
+is enabled (however they authenticate via pam_unix). This have a performance
+benefit since SSSD caches the files content in fast in-memory cache and thus
+reduces number of disk operations.
+
+However, if you do not want to keep SSSD running on your machine, you can
+keep this profile selected and just disable SSSD service. The resulting
+configuration will still work correctly even with SSSD disabled and local users
+and groups will be read from local files directly.
+
SSSD CONFIGURATION
------------------
--
2.17.1

30
SOURCES/0017-sssd-add-support-for-local-users-authentication-via-.patch Normal file
View File

@ -0,0 +1,30 @@
From 088a2b92742cab5e1d8f71452c2ae0c0f183a6fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 8 Oct 2018 12:34:09 +0200
Subject: [PATCH 1/2] sssd: add support for local users authentication via
smart card
Resolves:
https://github.com/pbrezina/authselect/issues/23
---
profiles/sssd/system-auth | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 02922b16903372598052e36f3713ca5c3f4c8418..a3d351cd5c37fb065892a0b71ec5323fd13a957d 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -3,7 +3,9 @@ auth required pam_faildelay.so delay=
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
-auth [default=1 ignore=ignore success=ok] pam_localuser.so
+auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
+auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
+auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
--
2.17.1

81
SOURCES/0018-sssd-add-with-smartcard-required-feature.patch Normal file
View File

@ -0,0 +1,81 @@
From 396089c2acc76bef59040d22c4170673ac4009bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 8 Oct 2018 12:58:41 +0200
Subject: [PATCH 2/2] sssd: add with-smartcard-required feature
Resolves:
https://github.com/pbrezina/authselect/issues/104
---
profiles/sssd/README | 6 ++++++
profiles/sssd/dconf-db | 1 +
profiles/sssd/fingerprint-auth | 1 +
profiles/sssd/password-auth | 1 +
profiles/sssd/system-auth | 1 +
5 files changed, 10 insertions(+)
diff --git a/profiles/sssd/README b/profiles/sssd/README
index c597afecff112e8af7905de9b6a8db77d5c3227c..acbb635729c2b4a69a91cafe4bec76b030967967 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -53,6 +53,12 @@ with-smartcard::
with-smartcard-lock-on-removal::
Lock screen when a smartcard is removed.
+ Note: "with-smartcard" must be set as well.
+
+with-smartcard-required::
+ Smartcard authentication is required. No other means of authentication
+ (including password) will be enabled.
+ Note: "with-smartcard" must be set as well.
with-fingerprint::
Enable authentication with fingerprint reader through *pam_fprintd*.
diff --git a/profiles/sssd/dconf-db b/profiles/sssd/dconf-db
index cf22698fcc8a292c1bf68466f943595ca54c7b27..b24f783eb700713386d66857de2532482d15ce7c 100644
--- a/profiles/sssd/dconf-db
+++ b/profiles/sssd/dconf-db
@@ -1,6 +1,7 @@
[org/gnome/login-screen]
enable-smartcard-authentication={if "with-smartcard":true|false}
enable-fingerprint-authentication={if "with-fingerprint":true|false}
+enable-password-authentication={if "with-smartcard-required":false|true}
[org/gnome/settings-daemon/peripherals/smartcard] {include if "with-smartcard-lock-on-removal"}
removal-action='lock-screen' {include if "with-smartcard-lock-on-removal"}
diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
index 01a5d21748f8e84acde23a0926782cf817fefc79..01b70f3533149d00700859f3e0a1c3f2abb33a8a 100644
--- a/profiles/sssd/fingerprint-auth
+++ b/profiles/sssd/fingerprint-auth
@@ -1,5 +1,6 @@
{continue if "with-fingerprint"}
auth required pam_env.so
+auth required pam_deny.so # Smartcard authentication is required {include if "with-smartcard-required"}
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
auth sufficient pam_fprintd.so
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index e35c8d6943b8289d8b65d7a47b2dad8143b6132b..3205f261dd8c898baf292c252ebdb346fcb779bb 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -1,5 +1,6 @@
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
+auth required pam_deny.so # Smartcard authentication is required {include if "with-smartcard-required"}
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index a3d351cd5c37fb065892a0b71ec5323fd13a957d..982cada1f774e6d53dd75c9f5dbc0603337cd70b 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -1,6 +1,7 @@
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
+auth [success=done ignore=ignore default=die] pam_sss.so require_cert_auth ignore_authinfo_unavail {include if "with-smartcard-required"}
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
--
2.17.1

28
SOURCES/0019-sssd-remove-with-sudo-duplicate-from-readme.patch Normal file
View File

@ -0,0 +1,28 @@
From ea730381abb2bd5e7a33ed5e3a71e19ce939b32f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 12 Nov 2018 12:10:21 +0100
Subject: [PATCH 01/15] sssd: remove with-sudo duplicate from readme
Resolves:
https://github.com/pbrezina/authselect/issues/108
---
profiles/sssd/README | 3 ---
1 file changed, 3 deletions(-)
diff --git a/profiles/sssd/README b/profiles/sssd/README
index acbb635729c2b4a69a91cafe4bec76b030967967..016f2019cd60aef1194a1cfa740955b51cfe0b24 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -43,9 +43,6 @@ with-mkhomedir::
with-ecryptfs::
Enable automatic per-user ecryptfs.
-with-sudo::
- Use SSSD as a source of sudo rules.
-
with-smartcard::
Enable authentication with smartcards through SSSD. Please note that
smartcard support must be also explicitly enabled within
--
2.17.2

45
SOURCES/0020-profiles-end-all-files-with-new-line.patch Normal file
View File

@ -0,0 +1,45 @@
From 9cb658e150fc3fc55187ad0487d16963473547ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 12 Nov 2018 12:17:39 +0100
Subject: [PATCH 02/15] profiles: end all files with new line
Resolves:
https://github.com/pbrezina/authselect/issues/103
---
profiles/nis/dconf-locks | 2 +-
profiles/nis/nsswitch.conf | 2 +-
profiles/winbind/dconf-locks | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/profiles/nis/dconf-locks b/profiles/nis/dconf-locks
index 7a03033ec33e99ce86e7520103c3da9db570edd6..8a36fa9568344338272786394aece872185d0ab3 100644
--- a/profiles/nis/dconf-locks
+++ b/profiles/nis/dconf-locks
@@ -1,2 +1,2 @@
/org/gnome/login-screen/enable-smartcard-authentication
-/org/gnome/login-screen/enable-fingerprint-authentication
\ No newline at end of file
+/org/gnome/login-screen/enable-fingerprint-authentication
diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
index f5451657f3d8b988b633304d549a3242257715d3..9bee7d839f84ff39d54cb6ead9dea38e51736b4d 100644
--- a/profiles/nis/nsswitch.conf
+++ b/profiles/nis/nsswitch.conf
@@ -11,4 +11,4 @@ protocols: files nis {exclude if "with-custom-protocols"}
publickey: files nis {exclude if "with-custom-publickey"}
rpc: files nis {exclude if "with-custom-rpc"}
services: files nis {exclude if "with-custom-services"}
-shadow: files nis {exclude if "with-custom-shadow"}
\ No newline at end of file
+shadow: files nis {exclude if "with-custom-shadow"}
diff --git a/profiles/winbind/dconf-locks b/profiles/winbind/dconf-locks
index 7a03033ec33e99ce86e7520103c3da9db570edd6..8a36fa9568344338272786394aece872185d0ab3 100644
--- a/profiles/winbind/dconf-locks
+++ b/profiles/winbind/dconf-locks
@@ -1,2 +1,2 @@
/org/gnome/login-screen/enable-smartcard-authentication
-/org/gnome/login-screen/enable-fingerprint-authentication
\ No newline at end of file
+/org/gnome/login-screen/enable-fingerprint-authentication
--
2.17.2

71
SOURCES/0021-compat-add-support-for-with-smartcard-required-enabl.patch Normal file
View File

@ -0,0 +1,71 @@
From c939585dc440e2b2ccaeea82ce3cf42c990dbe23 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 12 Nov 2018 12:49:39 +0100
Subject: [PATCH 03/15] compat: add support for with-smartcard-required
(--enablerequiresmartcard)
Resolves:
https://github.com/pbrezina/authselect/issues/109
---
src/compat/authcompat.py.in.in | 15 ++++++++-------
src/compat/authcompat_Options.py | 4 ++--
2 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
index 42cc6f3c0e38d8e14d62bd5acdc171176a6cb51f..accb3385ade908c07451ee4824d6b62b012ea317 100755
--- a/src/compat/authcompat.py.in.in
+++ b/src/compat/authcompat.py.in.in
@@ -518,13 +518,14 @@ class AuthCompat:
def runAuthselect(self):
map = {
- 'smartcard' : 'with-smartcard',
- 'fingerprint' : 'with-fingerprint',
- 'ecryptfs' : 'with-ecryptfs',
- 'mkhomedir' : 'with-mkhomedir',
- 'faillock' : 'with-faillock',
- 'pamaccess' : 'with-pamaccess',
- 'winbindkrb5' : 'with-krb5'
+ 'smartcard' : 'with-smartcard',
+ 'requiresmartcard' : 'with-smartcard-required',
+ 'fingerprint' : 'with-fingerprint',
+ 'ecryptfs' : 'with-ecryptfs',
+ 'mkhomedir' : 'with-mkhomedir',
+ 'faillock' : 'with-faillock',
+ 'pamaccess' : 'with-pamaccess',
+ 'winbindkrb5' : 'with-krb5'
}
# Read current configuration first.
diff --git a/src/compat/authcompat_Options.py b/src/compat/authcompat_Options.py
index e77b4407c7cd385b66a8a97795cece7f33571ff6..c8f52ab6773c4cd5371f32121dba8053f3443261 100644
--- a/src/compat/authcompat_Options.py
+++ b/src/compat/authcompat_Options.py
@@ -13,7 +13,7 @@
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU General Public License for morerequi details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
@@ -91,6 +91,7 @@ class Options:
Option.Feature("rfc2307bis", _("use of RFC-2307bis schema for LDAP user information lookups")),
Option.Feature("smartcard", _("authentication with smart card by default")),
Option.Valued ("smartcardaction", _("<0=Lock|1=Ignore>"), _("action to be taken on smart card removal")),
+ Option.Feature("requiresmartcard",_("require smart card for authentication by default")),
Option.Feature("fingerprint", _("authentication with fingerprint readers by default")),
Option.Feature("ecryptfs", _("automatic per-user ecryptfs")),
Option.Feature("krb5", _("Kerberos authentication by default")),
@@ -146,7 +147,6 @@ class Options:
Option.UnsupportedSwitch ("usemd5"),
Option.UnsupportedValued ("passalgo", _("<descrypt|bigcrypt|md5|sha256|sha512>")),
Option.UnsupportedValued ("ldaploadcacert", _("<URL>")),
- Option.UnsupportedFeature("requiresmartcard"),
Option.UnsupportedValued ("smartcardmodule", _("<module>")),
Option.UnsupportedValued ("smbsecurity", _("<user|server|domain|ads>")),
Option.UnsupportedValued ("smbrealm", _("<realm>")),
--
2.17.2

33
SOURCES/0022-compat-support-with-smartcard-lock-on-removal-smartc.patch Normal file
View File

@ -0,0 +1,33 @@
From 0556b44eabdc9be59eb4fb4a72fc4e644b657ea1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 12 Nov 2018 12:51:55 +0100
Subject: [PATCH 04/15] compat: support with-smartcard-lock-on-removal
(--smartcardaction=0)
Resolves:
https://github.com/pbrezina/authselect/issues/110
---
src/compat/authcompat.py.in.in | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
index accb3385ade908c07451ee4824d6b62b012ea317..666dcd0df57962a789a8882c26535d95d3e75cf2 100755
--- a/src/compat/authcompat.py.in.in
+++ b/src/compat/authcompat.py.in.in
@@ -556,6 +556,13 @@ class AuthCompat:
while feature in features:
features.remove(feature)
+ # Add lock-on-smartcard-removal if requested
+ if self.options.isset("smartcardaction"):
+ if int(self.options.get("smartcardaction")) == 0:
+ features.append("with-smartcard-lock-on-removal")
+ else:
+ features.remove("with-smartcard-lock-on-removal")
+
# Remove duplicates. The order is not kept but that does not matter.
features = list(set(features))
--
2.17.2

58
SOURCES/0023-profiles-mention-pam_oddjob_mkhomedir-in-requirement.patch Normal file
View File

@ -0,0 +1,58 @@
From 5f1615d85c038b98b631d808c70e3557264b8a56 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 12 Nov 2018 13:05:50 +0100
Subject: [PATCH 05/15] profiles: mention pam_oddjob_mkhomedir in requirements
Resolves:
https://github.com/pbrezina/authselect/issues/111
---
profiles/nis/REQUIREMENTS | 3 ++-
profiles/sssd/REQUIREMENTS | 3 ++-
profiles/winbind/REQUIREMENTS | 3 ++-
3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/profiles/nis/REQUIREMENTS b/profiles/nis/REQUIREMENTS
index 920d57eb1374633776c379eea75d8a9632abe4b3..12b5879e8530a8c0bc3dfb4dc3c29dc38c4dcc07 100644
--- a/profiles/nis/REQUIREMENTS
+++ b/profiles/nis/REQUIREMENTS
@@ -2,6 +2,7 @@ Make sure that NIS service is configured and enabled. See NIS documentation for
{include if "with-fingerprint"}
- with-fingerprint is selected, make sure fprintd service is configured and enabled {include if "with-fingerprint"}
{include if "with-mkhomedir"}
-- with-mkhomedir is selected, make sure oddjobd service is enabled {include if "with-mkhomedir"}
+- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module {include if "with-mkhomedir"}
+ is present and oddjobd service is enabled {include if "with-mkhomedir"}
- systemctl enable oddjobd.service {include if "with-mkhomedir"}
- systemctl start oddjobd.service {include if "with-mkhomedir"}
\ No newline at end of file
diff --git a/profiles/sssd/REQUIREMENTS b/profiles/sssd/REQUIREMENTS
index 2516ac35796cd4b38842b2269938b37aea7a845c..7fcfed9cccae346faa0f4dace1873a772453ddc0 100644
--- a/profiles/sssd/REQUIREMENTS
+++ b/profiles/sssd/REQUIREMENTS
@@ -5,6 +5,7 @@ Make sure that SSSD service is configured and enabled. See SSSD documentation fo
{include if "with-fingerprint"}
- with-fingerprint is selected, make sure fprintd service is configured and enabled {include if "with-fingerprint"}
{include if "with-mkhomedir"}
-- with-mkhomedir is selected, make sure oddjobd service is enabled {include if "with-mkhomedir"}
+- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module {include if "with-mkhomedir"}
+ is present and oddjobd service is enabled {include if "with-mkhomedir"}
- systemctl enable oddjobd.service {include if "with-mkhomedir"}
- systemctl start oddjobd.service {include if "with-mkhomedir"}
\ No newline at end of file
diff --git a/profiles/winbind/REQUIREMENTS b/profiles/winbind/REQUIREMENTS
index f3bad76114c6ae996e62d4088dc7d70113d12fe6..786538caf83104d114820f56516bf3e68dce86fe 100644
--- a/profiles/winbind/REQUIREMENTS
+++ b/profiles/winbind/REQUIREMENTS
@@ -2,6 +2,7 @@ Make sure that winbind service is configured and enabled. See winbind documentat
{include if "with-fingerprint"}
- with-fingerprint is selected, make sure fprintd service is configured and enabled {include if "with-fingerprint"}
{include if "with-mkhomedir"}
-- with-mkhomedir is selected, make sure oddjobd service is enabled {include if "with-mkhomedir"}
+- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module {include if "with-mkhomedir"}
+ is present and oddjobd service is enabled {include if "with-mkhomedir"}
- systemctl enable oddjobd.service {include if "with-mkhomedir"}
- systemctl start oddjobd.service {include if "with-mkhomedir"}
\ No newline at end of file
--
2.17.2

29
SOURCES/0024-lib-fix-memory-leak-in-authselect_profile_free.patch Normal file
View File

@ -0,0 +1,29 @@
From 6445037ae9ba55abd1bd7ca2f0028081c26c0b16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 20 Nov 2018 12:18:49 +0100
Subject: [PATCH 06/15] lib: fix memory leak in authselect_profile_free
Resolves:
https://github.com/pbrezina/authselect/issues/116
---
src/lib/authselect_profile.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/lib/authselect_profile.c b/src/lib/authselect_profile.c
index 6f949a4ef6fb4159f89038a9cd705de475b5cf22..8a12a082802fbc4f3c8cb3af7379ad26372dcc0c 100644
--- a/src/lib/authselect_profile.c
+++ b/src/lib/authselect_profile.c
@@ -130,6 +130,10 @@ authselect_profile_free(struct authselect_profile *profile)
free(profile->path);
}
+ if (profile->name != NULL) {
+ free(profile->name);
+ }
+
if (profile->description != NULL) {
free(profile->description);
}
--
2.17.2

28
SOURCES/0025-lib-fix-memory-leak-in-authselect_config_validate_ex.patch Normal file
View File

@ -0,0 +1,28 @@
From 91f35e84a9051b709fb7cf1b0ec02a8434258dd9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 20 Nov 2018 12:25:01 +0100
Subject: [PATCH 07/15] lib: fix memory leak in
authselect_config_validate_existing
Resolves:
https://github.com/pbrezina/authselect/issues/115
---
src/lib/files/config.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/lib/files/config.c b/src/lib/files/config.c
index 14434a819acc0bf3246c51be7090133d868a9571..e2859b04d3aeb40d510c0e87dc251adb1ff38b47 100644
--- a/src/lib/files/config.c
+++ b/src/lib/files/config.c
@@ -201,6 +201,8 @@ authselect_config_validate_existing(const char *profile_id,
/* Check that symlinks exist and point to generated files. */
result &= authselect_symlinks_validate();
+ authselect_files_free(files);
+
return result;
}
--
2.17.2

157
SOURCES/0026-profiles-make-session-pam_systemd-required.patch Normal file
View File

@ -0,0 +1,157 @@
From de0168f1ebb871b80c2552f1ef8dd8f145dacf29 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 20 Nov 2018 13:07:19 +0100
Subject: [PATCH 08/15] profiles: make session pam_systemd required
There was a time when pam_systemd was optional but today
if pam_systemd fails to register a session it's catastrophic
and we should just fail the whole pam conversation.
Resolves:
https://github.com/pbrezina/authselect/issues/118
---
profiles/nis/fingerprint-auth | 2 +-
profiles/nis/password-auth | 2 +-
profiles/nis/system-auth | 2 +-
profiles/sssd/fingerprint-auth | 2 +-
profiles/sssd/password-auth | 2 +-
profiles/sssd/smartcard-auth | 2 +-
profiles/sssd/system-auth | 2 +-
profiles/winbind/fingerprint-auth | 2 +-
profiles/winbind/password-auth | 2 +-
profiles/winbind/system-auth | 2 +-
10 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/profiles/nis/fingerprint-auth b/profiles/nis/fingerprint-auth
index 278487b2a0f9ce103afebb0809ffffa2cfbbba7e..dc9e53ba28974eb75828220d9b80d626106b9652 100644
--- a/profiles/nis/fingerprint-auth
+++ b/profiles/nis/fingerprint-auth
@@ -17,7 +17,7 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
--session optional pam_systemd.so
+session required pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
index 615544d16f7fc8551cb06a221825526f12cbfc64..d22dcef9529ca51a1812ae0733b543d13f6ae235 100644
--- a/profiles/nis/password-auth
+++ b/profiles/nis/password-auth
@@ -20,7 +20,7 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
--session optional pam_systemd.so
+session required pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
index a41828d8972537b1b24d0ff21cd52976fba6646d..d394d3e1200755d2233d4f86e3866620539fc18d 100644
--- a/profiles/nis/system-auth
+++ b/profiles/nis/system-auth
@@ -21,7 +21,7 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
--session optional pam_systemd.so
+session required pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
index 01b70f3533149d00700859f3e0a1c3f2abb33a8a..3bdaf3e71ba7afc66864f9c2acbf584c0b77a82d 100644
--- a/profiles/sssd/fingerprint-auth
+++ b/profiles/sssd/fingerprint-auth
@@ -19,7 +19,7 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
--session optional pam_systemd.so
+session required pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index 3205f261dd8c898baf292c252ebdb346fcb779bb..1e529184cdc04a94fb4f2b52f733cf6df73b7fda 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -26,7 +26,7 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
--session optional pam_systemd.so
+session required pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
diff --git a/profiles/sssd/smartcard-auth b/profiles/sssd/smartcard-auth
index b16ba0f44ca4c896c1980a292cf78f12d7f2f06d..b89a23a111560877785c9d17fd65c0bfd3f3ae22 100644
--- a/profiles/sssd/smartcard-auth
+++ b/profiles/sssd/smartcard-auth
@@ -16,7 +16,7 @@ account required pam_permit.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
--session optional pam_systemd.so
+session required pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 982cada1f774e6d53dd75c9f5dbc0603337cd70b..22dba5b2d3db23855724ddb05528e5013c63c5af 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -29,7 +29,7 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
--session optional pam_systemd.so
+session required pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
diff --git a/profiles/winbind/fingerprint-auth b/profiles/winbind/fingerprint-auth
index 0beff74eba83f12c4ad5a6147a6194608cd047e3..92649461564dd4e6f78f467dc1be455f29edfe08 100644
--- a/profiles/winbind/fingerprint-auth
+++ b/profiles/winbind/fingerprint-auth
@@ -18,7 +18,7 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
--session optional pam_systemd.so
+session required pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
index c984d817c537c48a358c644083a4f8979181dd1d..fb59e295c3a220acfdf633f69a0204328150a5c3 100644
--- a/profiles/winbind/password-auth
+++ b/profiles/winbind/password-auth
@@ -23,7 +23,7 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
--session optional pam_systemd.so
+session required pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
index 33dc491c2125c7fe06d6475369f1654a900c7050..bb75c327db3315c22a22f375a5cc633e33c30c19 100644
--- a/profiles/winbind/system-auth
+++ b/profiles/winbind/system-auth
@@ -24,7 +24,7 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
--session optional pam_systemd.so
+session required pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
--
2.17.2

305
SOURCES/0027-lib-add-authselect_profile_features-to-list-supporte.patch Normal file
View File

@ -0,0 +1,305 @@
From 3935dd9f2ac3aab9027783e45f499401476f52cd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 19 Nov 2018 15:04:42 +0100
Subject: [PATCH 09/15] lib: add authselect_profile_features to list supported
features
The feature list is automatically obtained from profile's template files.
Related to:
https://github.com/pbrezina/authselect/issues/107
---
include/authselect.h | 12 +++++
src/lib/authselect_profile.c | 51 ++++++++++++++++++++++
src/lib/util/string_array.c | 36 +++++++++++++++
src/lib/util/string_array.h | 20 +++++++++
src/lib/util/template.c | 85 ++++++++++++++++++++++++++++++++++--
src/lib/util/template.h | 11 +++++
6 files changed, 211 insertions(+), 4 deletions(-)
diff --git a/include/authselect.h b/include/authselect.h
index d52d460e38132cf81e8a03b88a530c634a2c8937..462f54291e8283d5778005ac1747dd03258584be 100644
--- a/include/authselect.h
+++ b/include/authselect.h
@@ -273,6 +273,18 @@ char **
authselect_profile_nsswitch_maps(const struct authselect_profile *profile,
const char **features);
+/**
+ * List features supported by the profile.
+ *
+ * It is necessary to free the returned pointer with @authselect_array_free.
+ *
+ * @param profile Pointer to structure obtained by @authselect_profile.
+ *
+ * @return NULL-terminated array of supported features, NULL on error.
+ */
+char **
+authselect_profile_features(const struct authselect_profile *profile);
+
/**
* Free authconfig_profile structure obtained by @authselect_profile.
*
diff --git a/src/lib/authselect_profile.c b/src/lib/authselect_profile.c
index 8a12a082802fbc4f3c8cb3af7379ad26372dcc0c..d0cf17b8b7a414a41427c88039687725dcf1a560 100644
--- a/src/lib/authselect_profile.c
+++ b/src/lib/authselect_profile.c
@@ -115,6 +115,57 @@ authselect_profile_nsswitch_maps(const struct authselect_profile *profile,
return maps;
}
+_PUBLIC_ char **
+authselect_profile_features(const struct authselect_profile *profile)
+{
+ char **features;
+ char **array;
+ errno_t ret;
+ int i;
+
+ if (profile == NULL) {
+ return NULL;
+ }
+
+ features = string_array_create(10);
+ if (features == NULL) {
+ ERROR("Unable to create array (out of memory)");
+ return NULL;
+ }
+
+ struct authselect_generated files[] = PROFILE_FILES(profile->files);
+
+ for (i = 0; files[i].path != NULL; i++) {
+ array = template_list_features(files[i].content);
+ if (array == NULL) {
+ ERROR("Unable to obtain feature list (out of memory)");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ features = string_array_concat(features, array, true);
+ string_array_free(array);
+
+ if (features == NULL) {
+ ERROR("Unable to obtain feature list (out of memory)");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ string_array_sort(features);
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ string_array_free(features);
+ return NULL;
+ }
+
+ return features;
+}
+
_PUBLIC_ void
authselect_profile_free(struct authselect_profile *profile)
{
diff --git a/src/lib/util/string_array.c b/src/lib/util/string_array.c
index a074e23ee504792da7f1a9262e15c549de5747d3..43e30d0008b5709f97da9c43f8f2c28ef2475df5 100644
--- a/src/lib/util/string_array.c
+++ b/src/lib/util/string_array.c
@@ -159,3 +159,39 @@ string_array_del_value(char **array, const char *value)
return array;
}
+
+char **
+string_array_concat(char **to, char **items, bool unique)
+{
+ int i;
+
+ if (items == NULL) {
+ return to;
+ }
+
+ for (i = 0; items[i] != NULL; i++) {
+ to = string_array_add_value(to, items[i], unique);
+ if (to == NULL) {
+ return NULL;
+ }
+ }
+
+ return to;
+}
+
+static int
+string_array_sort_callback(const void *a, const void *b)
+{
+ return strcmp(*(char* const*)a, *(char* const*)b);
+}
+
+void
+string_array_sort(char **array)
+{
+ if (array == NULL) {
+ return;
+ }
+
+ qsort(array, string_array_count(array), sizeof(char *),
+ string_array_sort_callback);
+}
diff --git a/src/lib/util/string_array.h b/src/lib/util/string_array.h
index 9545685b2553228a109ab51e7c6a0fd16698fa3e..06aa46c008058163e5557d51e18258fa4e9a1523 100644
--- a/src/lib/util/string_array.h
+++ b/src/lib/util/string_array.h
@@ -118,4 +118,24 @@ string_array_add_value(char **array, const char *value, bool unique);
char **
string_array_del_value(char **array, const char *value);
+/**
+ * Concatenate two array. Array @items values will be appended to arra @to.
+ *
+ * @param to NULL-terminated destination array.
+ * @param items NULL-terminated array to be appended into @to.
+ * @param unique If true, value will not be added if it is already present.
+ *
+ * @return Array or NULL if reallocation fails.
+ */
+char **
+string_array_concat(char **to, char **items, bool unique);
+
+/**
+ * Alphabetically sort a NULL-terminated string array.
+ *
+ * @param array NULL-terminated string array.
+ */
+void
+string_array_sort(char **array);
+
#endif /* _STRING_ARRAY_H_ */
diff --git a/src/lib/util/template.c b/src/lib/util/template.c
index e38d1d7f1db2c90f1281e97f3ebbdd9d9d1a935d..fb373c0fd83e04c6c78d5f57d3d8e50e54c0377b 100644
--- a/src/lib/util/template.c
+++ b/src/lib/util/template.c
@@ -325,10 +325,27 @@ template_process_matches(const char *match_string,
return ret;
}
- *_op = op;
- *_feature = feature;
- *_if_true = if_true;
- *_if_false = if_false;
+ if (_op != NULL) {
+ *_op = op;
+ }
+
+ if (_feature != NULL) {
+ *_feature = feature;
+ } else {
+ free(feature);
+ }
+
+ if (_if_true != NULL) {
+ *_if_true = if_true;
+ } else {
+ free(if_true);
+ }
+
+ if (_if_false != NULL) {
+ *_if_false = if_false;
+ } else {
+ free(if_false);
+ }
return EOK;
}
@@ -478,6 +495,66 @@ template_generate_preamble()
return preamble;
}
+char **
+template_list_features(const char *template)
+{
+ regmatch_t m[RE_MATCHES];
+ const char *match_string;
+ char **features;
+ char *feature;
+ regex_t regex;
+ errno_t ret;
+ int reret;
+
+ features = string_array_create(10);
+ if (features == NULL) {
+ return NULL;
+ }
+
+ if (template == NULL) {
+ return features;
+ }
+
+ reret = regcomp(&regex, OP_RE, REG_EXTENDED | REG_NEWLINE);
+ if (reret != REG_NOERROR) {
+ ERROR("Unable to compile regular expression: regex error %d", reret);
+ ret = EFAULT;
+ goto done;
+ }
+
+ match_string = template;
+ while ((reret = regexec(&regex, match_string, RE_MATCHES, m, 0)) == REG_NOERROR) {
+ ret = template_process_matches(match_string, m, NULL, &feature,
+ NULL, NULL);
+ if (ret != EOK) {
+ ERROR("Unable to process match [%d]: %s", ret, strerror(ret));
+ goto done;
+ }
+
+ features = string_array_add_value(features, feature, true);
+ free(feature);
+
+ match_string += m[0].rm_eo;
+ }
+
+ if (reret != REG_NOMATCH) {
+ ERROR("Unable to search string: regex error %d", reret);
+ ret = EFAULT;
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ string_array_free(features);
+ return NULL;
+ }
+
+ regfree(&regex);
+ return features;
+}
+
errno_t
template_write(const char *filepath,
const char *content,
diff --git a/src/lib/util/template.h b/src/lib/util/template.h
index 57e076c257a8cdcbc9c2c8f4f5266b4c21f27941..1c412dcf15a7f0d5a5897b78b8b52ff67b7c3f95 100644
--- a/src/lib/util/template.h
+++ b/src/lib/util/template.h
@@ -37,6 +37,17 @@ char *
template_generate(const char *template,
const char **features);
+/**
+ * Find all features available withint the @template and return them in
+ * NULL-terminated array.
+ *
+ * @param template Template.
+ *
+ * @return List of features in NULL-terminated array or NULL on error.
+ */
+char **
+template_list_features(const char *template);
+
/**
* Write generated file preamble together with its content to a file.
* If the file does not exist, it is created, otherwise its content
--
2.17.2

239
SOURCES/0028-lib-refuse-to-activate-profile-if-unsupported-featur.patch Normal file
View File

@ -0,0 +1,239 @@
From 85bbc387c3f7bcfd094b78e2fc2779e27aca348f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 20 Nov 2018 11:56:09 +0100
Subject: [PATCH 10/15] lib: refuse to activate profile if unsupported feature
was selected
Resolves:
https://github.com/pbrezina/authselect/issues/107
---
include/authselect.h | 1 +
src/lib/authselect.c | 44 +++++++++++++++++++++++++++++++++++++
src/lib/util/string.c | 40 +++++++++++++++++++++++++++++++++
src/lib/util/string.h | 6 +++++
src/lib/util/string_array.c | 30 +++++++++++++++++++++++++
src/lib/util/string_array.h | 15 +++++++++++++
src/tests/Makefile.am | 1 +
7 files changed, 137 insertions(+)
diff --git a/include/authselect.h b/include/authselect.h
index 462f54291e8283d5778005ac1747dd03258584be..110f22a864157f898541be573e800ed7d6c38e0a 100644
--- a/include/authselect.h
+++ b/include/authselect.h
@@ -70,6 +70,7 @@ enum authselect_profile_type {
* authselect and @force_overwrite must be set to true to force
* overwrite the existing files.
* - ENOENT if the profile was not found.
+ * - EINVAL if unsupported feature was provided.
* - Other errno code on generic error.
*/
int
diff --git a/src/lib/authselect.c b/src/lib/authselect.c
index 3148f63b60534480b05b1ddb5587e4ed09aaa84a..1b4337e2e0eae4f298e59f90cc9c8659891e23f3 100644
--- a/src/lib/authselect.c
+++ b/src/lib/authselect.c
@@ -29,6 +29,45 @@
#include "lib/files/files.h"
#include "lib/profiles/profiles.h"
+static bool
+authselect_check_features(const struct authselect_profile *profile,
+ const char **features)
+{
+ const char *similar;
+ bool result = true;
+ char **supported;
+ int i;
+
+ if (features == NULL) {
+ return true;
+ }
+
+ supported = authselect_profile_features(profile);
+ if (supported == NULL) {
+ ERROR("Unable to obtain supported features");
+ return false;
+ }
+
+ for (i = 0; features[i] != NULL; i++) {
+ if (string_array_has_value(supported, features[i])) {
+ continue;
+ }
+
+ result = false;
+ similar = string_array_find_similar(features[i], supported, 5);
+ if (similar != NULL) {
+ ERROR("Unknown profile feature [%s], did you mean [%s]?",
+ features[i], similar);
+ } else {
+ ERROR("Unknown profile feature [%s]", features[i]);
+ }
+ }
+
+ string_array_free(supported);
+
+ return result;
+}
+
_PUBLIC_ void
authselect_set_debug_fn(authselect_debug_fn fn, void *pvt)
{
@@ -53,6 +92,11 @@ authselect_activate(const char *profile_id,
return ret;
}
+ if (!authselect_check_features(profile, features)) {
+ ret = EINVAL;
+ goto done;
+ }
+
if (force_overwrite) {
INFO("Enforcing activation!");
ret = authselect_profile_activate(profile, features);
diff --git a/src/lib/util/string.c b/src/lib/util/string.c
index 73ae778663bd8db024620a58987833ede60307d1..e6803bcd4e41adc05eaa623089009b17ccd4f49b 100644
--- a/src/lib/util/string.c
+++ b/src/lib/util/string.c
@@ -329,3 +329,43 @@ string_replace_shake(char *str, size_t original_length)
str[pos] = '\0';
}
}
+
+static int
+min3(unsigned int a, unsigned int b, unsigned int c)
+{
+ if (a < b && a < c) {
+ return a;
+ } else if (b < a && b < c) {
+ return b;
+ }
+
+ return c;
+}
+
+int
+string_levenshtein(const char *a, const char *b)
+{
+ unsigned int len_a = strlen(a);
+ unsigned int len_b = strlen(b);
+ unsigned int x;
+ unsigned int y;
+ unsigned int last_diag;
+ unsigned int old_diag;
+ unsigned int column[len_a + 1];
+
+ for (y = 1; y <= len_a; y++) {
+ column[y] = y;
+ }
+
+ for (x = 1; x <= len_b; x++) {
+ column[0] = x;
+ for (y = 1, last_diag = x - 1; y <= len_a; y++) {
+ old_diag = column[y];
+ column[y] = min3(column[y] + 1, column[y - 1] + 1,
+ last_diag + (a[y - 1] == b[x - 1] ? 0 : 1));
+ last_diag = old_diag;
+ }
+ }
+
+ return column[len_a];
+}
diff --git a/src/lib/util/string.h b/src/lib/util/string.h
index d7ca04491e5ceff20bd1d6e136ea151166156546..e550d853d3fa0699909b84cc9febdae9d5884b9f 100644
--- a/src/lib/util/string.h
+++ b/src/lib/util/string.h
@@ -179,4 +179,10 @@ string_remove_remainder(char *str, size_t from);
void
string_replace_shake(char *str, size_t original_length);
+/**
+ * Compute Levenshtein distance of two strings.
+ */
+int
+string_levenshtein(const char *a, const char *b);
+
#endif /* _STRING_H_ */
diff --git a/src/lib/util/string_array.c b/src/lib/util/string_array.c
index 43e30d0008b5709f97da9c43f8f2c28ef2475df5..e56d66bdcce7c8a1cf99f9b91068614c4b8d3d81 100644
--- a/src/lib/util/string_array.c
+++ b/src/lib/util/string_array.c
@@ -25,6 +25,7 @@
#include "common/common.h"
#include "lib/util/string_array.h"
+#include "lib/util/string.h"
char **
string_array_create(size_t num_items)
@@ -195,3 +196,32 @@ string_array_sort(char **array)
qsort(array, string_array_count(array), sizeof(char *),
string_array_sort_callback);
}
+
+const char *
+string_array_find_similar(const char *value, char **array, int max_distance)
+{
+ const char *word = NULL;
+ int current;
+ int best;
+ int i;
+
+ for (i = 0; array[i] != NULL; i++) {
+ current = string_levenshtein(value, array[i]);
+ if (word == NULL) {
+ best = current;
+ word = array[i];
+ continue;
+ }
+
+ if (current < best) {
+ best = current;
+ word = array[i];
+ }
+ }
+
+ if (best > max_distance) {
+ return NULL;
+ }
+
+ return word;
+}
diff --git a/src/lib/util/string_array.h b/src/lib/util/string_array.h
index 06aa46c008058163e5557d51e18258fa4e9a1523..ba9760b5d66a9619ca8edea5e3418c5cfbbec929 100644
--- a/src/lib/util/string_array.h
+++ b/src/lib/util/string_array.h
@@ -138,4 +138,19 @@ string_array_concat(char **to, char **items, bool unique);
void
string_array_sort(char **array);
+/**
+ * Find similar word inside a NULL-terminated array, based on Levenshtein
+ * distance algorithm.
+ *
+ * @param value Value to search in @array.
+ * @param array NULL-terminated string array.
+ * @param max_distance Maximum distance between two strings. If the real
+ * distance is greater then this value, those string
+ * are not considered as similar.
+ *
+ * @return Most similar word that was found or NULL if non was found.
+ */
+const char *
+string_array_find_similar(const char *value, char **array, int max_distance);
+
#endif /* _STRING_ARRAY_H_ */
diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am
index 1cfebeab6bf3b36e760372b05482fd9f322feab1..e1505e6b5787a669065e5ea3c7acf55ea110c4da 100644
--- a/src/tests/Makefile.am
+++ b/src/tests/Makefile.am
@@ -23,6 +23,7 @@ check_PROGRAMS = $(TESTS)
test_util_string_array_SOURCES = \
test_util_string_array.c \
../lib/util/string_array.c \
+ ../lib/util/string.c \
$(NULL)
test_util_string_array_CFLAGS = \
$(AM_CFLAGS)
--
2.17.2

69
SOURCES/0029-lib-remove-no-longer-supported-features-in-apply-cha.patch Normal file
View File

@ -0,0 +1,69 @@
From 62746460cce0620a8f2150971019f0c535caa360 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 20 Nov 2018 12:07:22 +0100
Subject: [PATCH 11/15] lib: remove no longer supported features in
apply-changes
Resolves:
https://github.com/pbrezina/authselect/issues/107
---
src/lib/authselect.c | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/src/lib/authselect.c b/src/lib/authselect.c
index 1b4337e2e0eae4f298e59f90cc9c8659891e23f3..e0b8b1246b0e7139494d90cca4e0ebed3eb66376 100644
--- a/src/lib/authselect.c
+++ b/src/lib/authselect.c
@@ -145,17 +145,49 @@ done:
_PUBLIC_ int
authselect_apply_changes(void)
{
+ struct authselect_profile *profile;
char *profile_id;
char **features;
+ char **supported;
errno_t ret;
+ int i;
ret = authselect_current_configuration(&profile_id, &features);
if (ret != EOK) {
return ret;
}
+ ret = authselect_profile(profile_id, &profile);
+ if (ret != EOK) {
+ ERROR("Unable to find profile [%s] [%d]: %s",
+ profile_id, ret, strerror(ret));
+ goto done;
+ }
+
+ supported = authselect_profile_features(profile);
+ if (supported == NULL) {
+ ERROR("Unable to obtain supported features");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (i = 0; features[i] != NULL; i++) {
+ if (string_array_has_value(supported, features[i])) {
+ continue;
+ }
+
+ WARN("Profile feature [%s] is no longer supported, removing it...",
+ features[i]);
+
+ features = string_array_del_value(features, features[i]);
+ i--;
+ }
+
ret = authselect_activate(profile_id, (const char **)features, false);
+done:
+ authselect_profile_free(profile);
+ string_array_free(supported);
string_array_free(features);
free(profile_id);
--
2.17.2

53
SOURCES/0030-compat-write-to-sysconfig-after-all-changes-are-done.patch Normal file
View File

@ -0,0 +1,53 @@
From 644b46d3f301ac1b237818b8dc59f178c8fe14fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Sat, 24 Nov 2018 13:01:28 +0100
Subject: [PATCH 12/15] compat: write to sysconfig after all changes are done
Before this patch we were writing to sysconfig before we check that
authconfig is run as root. This produce following traceback:
Truncated backtrace:
authcompat_EnvironmentFile.py:77:write:PermissionError: [Errno 13] Permission denied: '/etc/sysconfig/authconfig'
Traceback (most recent call last):
File "/usr/sbin/authconfig", line 650, in <module>
main()
File "/usr/sbin/authconfig", line 629, in main
authcompat = AuthCompat()
File "/usr/sbin/authconfig", line 463, in __init__
self.sysconfig.write()
File "/usr/lib/python3.7/site-packages/authselect/authcompat_EnvironmentFile.py", line 77, in write
with open(self.filename, "w") as f:
PermissionError: [Errno 13] Permission denied: '/etc/sysconfig/authconfig'
Now we write to sysconfig after writing all changes.
Resolves:
https://github.com/pbrezina/authselect/issues/119
---
src/compat/authcompat.py.in.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
index 666dcd0df57962a789a8882c26535d95d3e75cf2..e4b8c05c6a11a215529ba66f8b36b72a6ac18448 100755
--- a/src/compat/authcompat.py.in.in
+++ b/src/compat/authcompat.py.in.in
@@ -460,7 +460,6 @@ class AuthCompat:
self.options.parse()
self.options.applysysconfig(self.sysconfig)
self.options.updatesysconfig(self.sysconfig)
- self.sysconfig.write()
def printWarning(self):
print(_("Running authconfig compatibility tool."))
@@ -646,6 +645,7 @@ def main():
try:
authcompat.runAuthselect()
authcompat.writeConfiguration()
+ authcompat.sysconfig.write()
except subprocess.CalledProcessError as result:
eprint(_("Command [%s] failed with %d, stderr:")
% (' '.join(result.cmd), result.returncode))
--
2.17.2

222
SOURCES/0031-util-remove-duplicate-values-correctly-in-string_arr.patch Normal file
View File

@ -0,0 +1,222 @@
From 85933ccfa7a1068f16fde557fe825c750899659a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 28 Nov 2018 13:45:33 +0100
Subject: [PATCH 13/15] util: remove duplicate values correctly in
string_array_del_value
---
src/lib/util/string_array.c | 27 ++++--
src/tests/test_util_string_array.c | 146 ++++++++++++++++++++++++++++-
2 files changed, 163 insertions(+), 10 deletions(-)
diff --git a/src/lib/util/string_array.c b/src/lib/util/string_array.c
index e56d66bdcce7c8a1cf99f9b91068614c4b8d3d81..a8afa5ab8edbb26d6f946619f9ce0b83c511bb8c 100644
--- a/src/lib/util/string_array.c
+++ b/src/lib/util/string_array.c
@@ -140,24 +140,33 @@ string_array_add_value(char **array, const char *value, bool unique)
char **
string_array_del_value(char **array, const char *value)
{
- bool found = false;
- int i;
+ size_t count;
+ size_t pos;
+ size_t i;
- if (!string_array_has_value(array, value)) {
- return array;
+ if (array == NULL) {
+ return NULL;
}
- for (i = 0; array[i] != NULL; i++) {
- if (strcmp(value, array[i]) == 0) {
+ count = string_array_count(array);
+ for (i = 0; i < count; i++) {
+ if (strcmp(array[i], value) == 0) {
free(array[i]);
- found = true;
+ array[i] = NULL;
}
+ }
- if (found) {
- array[i] = array[i + 1];
+ for (i = 0, pos = 0; i < count; i++) {
+ if (array[i] != NULL) {
+ array[pos] = array[i];
+ pos++;
}
}
+ for (; pos < count; pos++) {
+ array[pos] = NULL;
+ }
+
return array;
}
diff --git a/src/tests/test_util_string_array.c b/src/tests/test_util_string_array.c
index 4f6812e9396f04bbbfb72bda8a9022501f074faf..249cb96acea3c4feac910702572cafb1025d9496 100644
--- a/src/tests/test_util_string_array.c
+++ b/src/tests/test_util_string_array.c
@@ -32,11 +32,155 @@ void test_string_array_create(void **state)
string_array_free(array);
}
+void test_string_array_del_value__single(void **state)
+{
+ char **array;
+ const char *values[] = {"1", "2", "3", "4", "5", NULL};
+ const char *expected[] = {"1", "3", "4", "5", NULL};
+ int i;
+
+ array = string_array_create(10);
+ assert_non_null(array);
+
+ /* Fill array. */
+ for (i = 0; values[i] != NULL; i++) {
+ array = string_array_add_value(array, values[i], false);
+ assert_non_null(array);
+ assert_non_null(array[i]);
+ }
+ assert_null(array[i]);
+
+ /* Delete value. */
+ array = string_array_del_value(array, "2");
+ assert_non_null(array);
+
+ /* Test values. */
+ for (i = 0; expected[i] != NULL; i++) {
+ assert_non_null(array[i]);
+ assert_string_equal(array[i], expected[i]);
+ }
+ assert_null(array[i]);
+
+ string_array_free(array);
+}
+
+void test_string_array_del_value__single_repeated(void **state)
+{
+ char **array;
+ const char *values[] = {"1", "2", "2", "3", "2", "4", "2", "5", NULL};
+ const char *expected[] = {"1", "3", "4", "5", NULL};
+ int i;
+
+ array = string_array_create(10);
+ assert_non_null(array);
+
+ /* Fill array. */
+ for (i = 0; values[i] != NULL; i++) {
+ array = string_array_add_value(array, values[i], false);
+ assert_non_null(array);
+ assert_non_null(array[i]);
+ }
+ assert_null(array[i]);
+
+ /* Delete value. */
+ array = string_array_del_value(array, "2");
+ assert_non_null(array);
+
+ /* Test values. */
+ for (i = 0; expected[i] != NULL; i++) {
+ assert_non_null(array[i]);
+ assert_string_equal(array[i], expected[i]);
+ }
+ assert_null(array[i]);
+
+ string_array_free(array);
+}
+
+void test_string_array_del_value__multiple(void **state)
+{
+ char **array;
+ const char *values[] = {"1", "2", "3", "4", "5", NULL};
+ const char *expected[] = {"1", "4", NULL};
+ int i;
+
+ array = string_array_create(10);
+ assert_non_null(array);
+
+ /* Fill array. */
+ for (i = 0; values[i] != NULL; i++) {
+ array = string_array_add_value(array, values[i], false);
+ assert_non_null(array);
+ assert_non_null(array[i]);
+ }
+ assert_null(array[i]);
+
+ /* Delete value. */
+ array = string_array_del_value(array, "2");
+ assert_non_null(array);
+
+ array = string_array_del_value(array, "3");
+ assert_non_null(array);
+
+ array = string_array_del_value(array, "5");
+ assert_non_null(array);
+
+ /* Test values. */
+ for (i = 0; expected[i] != NULL; i++) {
+ assert_non_null(array[i]);
+ assert_string_equal(array[i], expected[i]);
+ }
+ assert_null(array[i]);
+
+ string_array_free(array);
+}
+
+void test_string_array_del_value__multiple_repeated(void **state)
+{
+ char **array;
+ const char *values[] = {"1", "2", "2", "3", "3", "2", "4", "2", "5", "5", NULL};
+ const char *expected[] = {"1", "4", NULL};
+ int i;
+
+ array = string_array_create(10);
+ assert_non_null(array);
+
+ /* Fill array. */
+ for (i = 0; values[i] != NULL; i++) {
+ array = string_array_add_value(array, values[i], false);
+ assert_non_null(array);
+ assert_non_null(array[i]);
+ }
+ assert_null(array[i]);
+
+ /* Delete value. */
+ array = string_array_del_value(array, "2");
+ assert_non_null(array);
+
+ array = string_array_del_value(array, "3");
+ assert_non_null(array);
+
+ array = string_array_del_value(array, "5");
+ assert_non_null(array);
+
+ /* Test values. */
+ for (i = 0; expected[i] != NULL; i++) {
+ assert_non_null(array[i]);
+ assert_string_equal(array[i], expected[i]);
+ }
+ assert_null(array[i]);
+
+ string_array_free(array);
+}
+
int main(int argc, const char *argv[])
{
const struct CMUnitTest tests[] = {
- cmocka_unit_test(test_string_array_create)
+ cmocka_unit_test(test_string_array_create),
+ cmocka_unit_test(test_string_array_del_value__single),
+ cmocka_unit_test(test_string_array_del_value__single_repeated),
+ cmocka_unit_test(test_string_array_del_value__multiple),
+ cmocka_unit_test(test_string_array_del_value__multiple_repeated)
};
return cmocka_run_group_tests(tests, NULL, NULL);
--
2.17.2

150
SOURCES/0032-util-do-not-return-value-from-string_array_del_value.patch Normal file
View File

@ -0,0 +1,150 @@
From 67b5d7778cad682bf8046973900caf2fa3353d0e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 28 Nov 2018 13:59:51 +0100
Subject: [PATCH 14/15] util: do not return value from string_array_del_value
It is not needed.
---
src/lib/authselect.c | 9 ++-------
src/lib/util/string_array.c | 6 +++---
src/lib/util/string_array.h | 2 +-
src/tests/test_util_string_array.c | 28 ++++++++--------------------
4 files changed, 14 insertions(+), 31 deletions(-)
diff --git a/src/lib/authselect.c b/src/lib/authselect.c
index e0b8b1246b0e7139494d90cca4e0ebed3eb66376..0f8d4a8b6d0b0faef81daf176486108ed0ea74db 100644
--- a/src/lib/authselect.c
+++ b/src/lib/authselect.c
@@ -179,7 +179,7 @@ authselect_apply_changes(void)
WARN("Profile feature [%s] is no longer supported, removing it...",
features[i]);
- features = string_array_del_value(features, features[i]);
+ string_array_del_value(features, features[i]);
i--;
}
@@ -247,15 +247,10 @@ authselect_feature_disable(const char *feature)
return ret;
}
- features = string_array_del_value(features, feature);
- if (features == NULL) {
- ret = ENOMEM;
- goto done;
- }
+ string_array_del_value(features, feature);
ret = authselect_activate(profile_id, (const char **)features, false);
-done:
string_array_free(features);
free(profile_id);
diff --git a/src/lib/util/string_array.c b/src/lib/util/string_array.c
index a8afa5ab8edbb26d6f946619f9ce0b83c511bb8c..e8871dc067fbf3d461d1ee9579813ddc81eef676 100644
--- a/src/lib/util/string_array.c
+++ b/src/lib/util/string_array.c
@@ -137,7 +137,7 @@ string_array_add_value(char **array, const char *value, bool unique)
return string_array_add_value_safe(array, value, strlen(value), unique);
}
-char **
+void
string_array_del_value(char **array, const char *value)
{
size_t count;
@@ -145,7 +145,7 @@ string_array_del_value(char **array, const char *value)
size_t i;
if (array == NULL) {
- return NULL;
+ return;
}
count = string_array_count(array);
@@ -167,7 +167,7 @@ string_array_del_value(char **array, const char *value)
array[pos] = NULL;
}
- return array;
+ return;
}
char **
diff --git a/src/lib/util/string_array.h b/src/lib/util/string_array.h
index ba9760b5d66a9619ca8edea5e3418c5cfbbec929..5842db174563982528e20354138ef5792346fb37 100644
--- a/src/lib/util/string_array.h
+++ b/src/lib/util/string_array.h
@@ -115,7 +115,7 @@ string_array_add_value(char **array, const char *value, bool unique);
*
* @return Array without the value.
*/
-char **
+void
string_array_del_value(char **array, const char *value);
/**
diff --git a/src/tests/test_util_string_array.c b/src/tests/test_util_string_array.c
index 249cb96acea3c4feac910702572cafb1025d9496..ad76f8b190b823210b5e30ae828dce6518596e3b 100644
--- a/src/tests/test_util_string_array.c
+++ b/src/tests/test_util_string_array.c
@@ -51,8 +51,7 @@ void test_string_array_del_value__single(void **state)
assert_null(array[i]);
/* Delete value. */
- array = string_array_del_value(array, "2");
- assert_non_null(array);
+ string_array_del_value(array, "2");
/* Test values. */
for (i = 0; expected[i] != NULL; i++) {
@@ -83,8 +82,7 @@ void test_string_array_del_value__single_repeated(void **state)
assert_null(array[i]);
/* Delete value. */
- array = string_array_del_value(array, "2");
- assert_non_null(array);
+ string_array_del_value(array, "2");
/* Test values. */
for (i = 0; expected[i] != NULL; i++) {
@@ -115,14 +113,9 @@ void test_string_array_del_value__multiple(void **state)
assert_null(array[i]);
/* Delete value. */
- array = string_array_del_value(array, "2");
- assert_non_null(array);
-
- array = string_array_del_value(array, "3");
- assert_non_null(array);
-
- array = string_array_del_value(array, "5");
- assert_non_null(array);
+ string_array_del_value(array, "2");
+ string_array_del_value(array, "3");
+ string_array_del_value(array, "5");
/* Test values. */
for (i = 0; expected[i] != NULL; i++) {
@@ -153,14 +146,9 @@ void test_string_array_del_value__multiple_repeated(void **state)
assert_null(array[i]);
/* Delete value. */
- array = string_array_del_value(array, "2");
- assert_non_null(array);
-
- array = string_array_del_value(array, "3");
- assert_non_null(array);
-
- array = string_array_del_value(array, "5");
- assert_non_null(array);
+ string_array_del_value(array, "2");
+ string_array_del_value(array, "3");
+ string_array_del_value(array, "5");
/* Test values. */
for (i = 0; expected[i] != NULL; i++) {
--
2.17.2

27
SOURCES/0033-util-fix-buffer-error-in-textfile_copy.patch Normal file
View File

@ -0,0 +1,27 @@
From b2c0ab76560757296ce387f6ff2c43c983e8961d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 30 Nov 2018 11:51:38 +0100
Subject: [PATCH 15/15] util: fix buffer error in textfile_copy()
Resolves:
https://github.com/pbrezina/authselect/issues/123
---
src/lib/util/textfile.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib/util/textfile.c b/src/lib/util/textfile.c
index 7ee5df677b519f2433d9dfa235ad72551f7ded67..3394042eaf0db9508675cbd0aedc0cc13ea6546c 100644
--- a/src/lib/util/textfile.c
+++ b/src/lib/util/textfile.c
@@ -249,7 +249,7 @@ textfile_copy(const char *source,
/* eof not error */
}
- bytes_written = fwrite(buf, sizeof(char), sizeof(buf), fdest);
+ bytes_written = fwrite(buf, sizeof(char), bytes_read, fdest);
if (bytes_written != bytes_read) {
if (ferror(fdest) != 0) {
ret = EIO;
--
2.17.2

73
SOURCES/0034-lib-fix-coverity-warnings.patch Normal file
View File

@ -0,0 +1,73 @@
From d770acde179d2cb2a9318f36405433737065169a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 4 Dec 2018 11:09:04 +0100
Subject: [PATCH] lib: fix coverity warnings
Resolves:
https://github.com/pbrezina/authselect/issues/126
---
src/lib/authselect.c | 2 +-
src/lib/util/string.c | 2 ++
src/lib/util/string_array.c | 2 +-
src/lib/util/template.c | 4 ++--
4 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/lib/authselect.c b/src/lib/authselect.c
index 0f8d4a8b6d0b0faef81daf176486108ed0ea74db..ce34d2a44d1a59cb574331733929d551c5aec075 100644
--- a/src/lib/authselect.c
+++ b/src/lib/authselect.c
@@ -146,9 +146,9 @@ _PUBLIC_ int
authselect_apply_changes(void)
{
struct authselect_profile *profile;
+ char **supported = NULL;
char *profile_id;
char **features;
- char **supported;
errno_t ret;
int i;
diff --git a/src/lib/util/string.c b/src/lib/util/string.c
index e6803bcd4e41adc05eaa623089009b17ccd4f49b..0f3936681c6c8af1be940f92a21dfc15dafe4e42 100644
--- a/src/lib/util/string.c
+++ b/src/lib/util/string.c
@@ -353,6 +353,8 @@ string_levenshtein(const char *a, const char *b)
unsigned int old_diag;
unsigned int column[len_a + 1];
+ memset(column, 0, (len_a + 1) * sizeof(unsigned int));
+
for (y = 1; y <= len_a; y++) {
column[y] = y;
}
diff --git a/src/lib/util/string_array.c b/src/lib/util/string_array.c
index e8871dc067fbf3d461d1ee9579813ddc81eef676..dcf667e2e6e0c918a0c4eacad2486fdc182d8cf6 100644
--- a/src/lib/util/string_array.c
+++ b/src/lib/util/string_array.c
@@ -228,7 +228,7 @@ string_array_find_similar(const char *value, char **array, int max_distance)
}
}
- if (best > max_distance) {
+ if (word == NULL || best > max_distance) {
return NULL;
}
diff --git a/src/lib/util/template.c b/src/lib/util/template.c
index fb373c0fd83e04c6c78d5f57d3d8e50e54c0377b..0eedd2b04146f201a5c37f45c1d08f01c079d61f 100644
--- a/src/lib/util/template.c
+++ b/src/lib/util/template.c
@@ -130,8 +130,8 @@ template_match_get_values(const char *match_string,
char **_if_true,
char **_if_false)
{
- regmatch_t *m_true;
- regmatch_t *m_false;
+ regmatch_t *m_true = NULL;
+ regmatch_t *m_false = NULL;
char *if_true;
char *if_false;
--
2.17.2

350
SOURCES/0035-lib-label-temporary-files-with-correct-selinux-conte.patch Normal file
View File

@ -0,0 +1,350 @@
From 721aa7e45ba56530c571743de4762605560f90cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 10 Jan 2019 13:26:49 +0100
Subject: [PATCH] lib: label temporary files with correct selinux context
Resolves:
https://github.com/pbrezina/authselect/issues/128
---
configure.ac | 1 +
rpm/authselect.spec.in | 1 +
src/build_macros.m4 | 13 +++
src/lib/Makefile.am | 3 +
src/lib/util/selinux.c | 143 +++++++++++++++++++++++++++++
src/lib/util/{util.h => selinux.h} | 37 +++++---
src/lib/util/template.c | 16 +---
src/lib/util/util.h | 1 +
8 files changed, 192 insertions(+), 23 deletions(-)
create mode 100644 src/lib/util/selinux.c
copy src/lib/util/{util.h => selinux.h} (50%)
diff --git a/configure.ac b/configure.ac
index 0ddb875439133d10a9ece8b92a2df1719065d349..667d41c1f67264850fd9e175598214d751078a7e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -37,6 +37,7 @@ m4_include(external/po4a.m4)
dnl Required libraries
REQUIRE_POPT
REQUIRE_CMOCKA
+REQUIRE_SELINUX
dnl Optional build dependencies - man pages generation
CHECK_ASCIIDOC_TOOLS
diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in
index c56ad4e2e0e23c902471fbacdb8bc3742bd8fa2d..f47c77ac3768ccf9c049c9ba512209fad059e418 100644
--- a/rpm/authselect.spec.in
+++ b/rpm/authselect.spec.in
@@ -24,6 +24,7 @@ BuildRequires: gettext-devel
BuildRequires: po4a
BuildRequires: %{_bindir}/a2x
BuildRequires: libcmocka-devel >= 1.0.0
+BuildRequires: libselinux-devel
Requires: authselect-libs%{?_isa} = %{version}-%{release}
Suggests: sssd
Suggests: samba-winbind
diff --git a/src/build_macros.m4 b/src/build_macros.m4
index 5da871ec8cadfa200630420b5fe932d8af0473a3..dfedd47fd84c7201cfad30621761a3c1c564bc18 100644
--- a/src/build_macros.m4
+++ b/src/build_macros.m4
@@ -28,3 +28,16 @@ AC_DEFUN([REQUIRE_CMOCKA],
)
AM_CONDITIONAL([HAVE_CMOCKA], [test x$have_cmocka = xyes])
])
+
+AC_DEFUN([REQUIRE_SELINUX],
+[
+ AC_CHECK_HEADERS(selinux/selinux.h,
+ [AC_CHECK_LIB(selinux, is_selinux_enabled,
+ [SELINUX_LIBS="-lselinux"],
+ [AC_MSG_ERROR([SELinux library is missing])]
+ )],
+ [AC_MSG_ERROR([SELinux headers are missing])]
+ )
+ AC_SUBST(SELINUX_LIBS)
+])
+
diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am
index 2726062c421f7836ebc69fbbc0f5410cf3d19803..6c1191c702efbf52d45c7204311e4e9d1e64de3b 100644
--- a/src/lib/Makefile.am
+++ b/src/lib/Makefile.am
@@ -15,6 +15,7 @@ noinst_HEADERS = \
files/files.h \
profiles/profiles.h \
util/file.h \
+ util/selinux.h \
util/string_array.h \
util/string.h \
util/template.h \
@@ -55,6 +56,7 @@ libauthselect_la_SOURCES = \
profiles/list.c \
profiles/read.c \
util/file.c \
+ util/selinux.c \
util/string_array.c \
util/string.c \
util/template.c \
@@ -62,6 +64,7 @@ libauthselect_la_SOURCES = \
$(NULL)
libauthselect_la_LIBADD = \
$(top_builddir)/src/common/libcommon.la \
+ $(SELINUX_LIBS) \
$(NULL)
libauthselect_la_CFLAGS = \
$(AM_CFLAGS) \
diff --git a/src/lib/util/selinux.c b/src/lib/util/selinux.c
new file mode 100644
index 0000000000000000000000000000000000000000..05c8d7b19b13e1eff6086faa58657c3e41a44cc0
--- /dev/null
+++ b/src/lib/util/selinux.c
@@ -0,0 +1,143 @@
+/*
+ Authors:
+ Pavel Březina <pbrezina@redhat.com>
+
+ Copyright (C) 2018 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <errno.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <selinux/selinux.h>
+#include <selinux/label.h>
+
+#include "common/common.h"
+
+errno_t
+selinux_get_default_context(const char *path,
+ char **_context)
+{
+ struct selabel_handle *handle;
+ char *context;
+ errno_t ret;
+
+ handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+ if (handle == NULL) {
+ ret = errno;
+ ERROR("Unable to create selable context [%d]: %s", ret, strerror(ret));
+ return ret;
+ }
+
+ ret = selabel_lookup(handle, &context, path, 0);
+ if (ret != 0) {
+ ret = errno;
+ if (ret == ENOENT) {
+ return ENOENT;
+ }
+
+ ERROR("Unable to lookup selinux context [%d]: %s", ret, strerror(ret));
+ } else {
+ *_context = context;
+ ret = EOK;
+ }
+
+ selabel_close(handle);
+
+ return ret;
+}
+
+errno_t
+selinux_mkstemp_of(const char *filepath,
+ char **_tmpfile)
+{
+ char *original_context = NULL;
+ char *default_context = NULL;
+ char *tmpfile = NULL;
+ errno_t ret;
+ int seret;
+ int fd;
+
+ seret = getfscreatecon(&original_context);
+ if (seret != 0) {
+ ERROR("Unable to get current fscreate selinux context!");
+ return EIO;
+ }
+
+ tmpfile = format("%s.XXXXXX", filepath);
+ if (tmpfile == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = selinux_get_default_context(filepath, &default_context);
+ if (ret == ENOENT) {
+ default_context = NULL;
+ } else if (ret != EOK) {
+ ERROR("Unable to get default selinux context for [%s] [%d]: %s!",
+ filepath, ret, strerror(ret));
+ goto done;
+ }
+
+ seret = setfscreatecon(default_context);
+ if (seret != 0) {
+ ERROR("Unable to set fscreate selinux context!");
+ ret = EIO;
+ goto done;
+ }
+
+ fd = mkstemp(tmpfile);
+ if (fd == -1) {
+ ret = errno;
+
+ seret = setfscreatecon(original_context);
+ if (seret != 0) {
+ ERROR("Unable to restore fscreate selinux context!");
+ ret = EIO;
+ goto done;
+ }
+
+ goto done;
+ }
+
+ close(fd);
+
+ seret = setfscreatecon(original_context);
+ if (seret != 0) {
+ ERROR("Unable to restore fscreate selinux context!");
+ ret = EIO;
+ goto done;
+ }
+
+ *_tmpfile = tmpfile;
+
+ ret = EOK;
+
+done:
+ if (original_context != NULL) {
+ freecon(original_context);
+ }
+
+ if (default_context != NULL) {
+ freecon(default_context);
+ }
+
+ if (ret != EOK) {
+ free(tmpfile);
+ }
+
+ return ret;
+}
diff --git a/src/lib/util/util.h b/src/lib/util/selinux.h
similarity index 50%
copy from src/lib/util/util.h
copy to src/lib/util/selinux.h
index b81990722d62ccf466c0687454c82ea3ee171436..26f2374140562dd085145845ed3092a0ddcf924e 100644
--- a/src/lib/util/util.h
+++ b/src/lib/util/selinux.h
@@ -18,20 +18,33 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-#ifndef _UTIL_H_
-#define _UTIL_H_
+#ifndef _SELINUX_H_
+#define _SELINUX_H_
+
+#include "common/errno_t.h"
/**
- * Many of the utility functions are not as effective as they can be but
- * this is OK since authselect works only with small configuration files
- * therefore we can prefer clean and simple code over performance.
+ * Get default security context for @path.
+ *
+ * @param path Path to the file.
+ *
+ * @return EOK on success, ENOENT if context was not found, other errno code
+ * is returned on failure.
*/
+errno_t
+selinux_get_default_context(const char *path);
-#include "common/common.h"
-#include "lib/util/file.h"
-#include "lib/util/string.h"
-#include "lib/util/string_array.h"
-#include "lib/util/template.h"
-#include "lib/util/textfile.h"
+/**
+ * Create temporary file created on @filepath.XXXXXX with security context
+ * set to default security context of @filepath.
+ *
+ * @param filepath File for which a temporary file should be created.
+ * @param _tmpfile Create temporary file.
+ *
+ * @return EOK on success, other errno code on failure.
+ */
+errno_t
+selinux_mkstemp_of(const char *filepath,
+ char **_tmpfile);
-#endif /* _UTIL_H_ */
+#endif /* _SELINUX_H_ */
diff --git a/src/lib/util/template.c b/src/lib/util/template.c
index 0eedd2b04146f201a5c37f45c1d08f01c079d61f..9773dcbf1ecbde4fe2408f1b816dce129747806f 100644
--- a/src/lib/util/template.c
+++ b/src/lib/util/template.c
@@ -27,6 +27,7 @@
#include "common/common.h"
#include "lib/util/template.h"
#include "lib/util/textfile.h"
+#include "lib/util/selinux.h"
#include "lib/util/string.h"
#include "lib/util/string_array.h"
@@ -594,23 +595,16 @@ template_write_temporary(const char *filepath,
mode_t oldmask;
char *tmpfile;
errno_t ret;
- int fd;
-
- tmpfile = format("%s.XXXXXX", filepath);
- if (tmpfile == NULL) {
- return ENOMEM;
- }
oldmask = umask(mode);
- fd = mkstemp(tmpfile);;
- if (fd == -1) {
- ret = errno;
+ ret = selinux_mkstemp_of(filepath, &tmpfile);
+ if (ret != EOK) {
+ ERROR("Unable to create temporary file for [%s] [%d]: %s",
+ filepath, ret, strerror(ret));
goto done;
}
- close(fd);
-
ret = template_write(tmpfile, content, mode);
if (ret != EOK) {
goto done;
diff --git a/src/lib/util/util.h b/src/lib/util/util.h
index b81990722d62ccf466c0687454c82ea3ee171436..e75afaef316fc8f8fd4d2aabbab7be1aa24e9ac7 100644
--- a/src/lib/util/util.h
+++ b/src/lib/util/util.h
@@ -29,6 +29,7 @@
#include "common/common.h"
#include "lib/util/file.h"
+#include "lib/util/selinux.h"
#include "lib/util/string.h"
#include "lib/util/string_array.h"
#include "lib/util/template.h"
--
2.17.2

24
SOURCES/0036-authselect-fix-memory-leak-of-maps.patch Normal file
View File

@ -0,0 +1,24 @@
From 196b795ec659da30e6f59446227886062d29fe1a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 10 Oct 2018 14:38:24 +0200
Subject: [PATCH 01/21] authselect: fix memory leak of maps
---
src/cli/main.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/cli/main.c b/src/cli/main.c
index 6179af6af5d727328c2dd452363035130ac82dd4..9d60db3da6f483bc42233341a1a01d0013a6a809 100644
--- a/src/cli/main.c
+++ b/src/cli/main.c
@@ -186,6 +186,7 @@ static errno_t activate(struct cli_cmdline *cmdline)
done:
free(requirements);
+ authselect_array_free(maps);
authselect_profile_free(profile);
if (features != NULL) {
free(features);
--
2.17.2

267
SOURCES/0037-lib-make-selinux-functions-work-with-selinux-disable.patch Normal file
View File

@ -0,0 +1,267 @@
From 29add823913b66e0637d27d962ad5c5f9c85de70 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 28 Jan 2019 12:13:54 +0100
Subject: [PATCH] lib: make selinux functions work with selinux disabled
Resolves:
https://github.com/pbrezina/authselect/issues/133
---
src/lib/util/file.c | 38 +++++++++++++++++++++++++++++++++
src/lib/util/file.h | 13 +++++++++++-
src/lib/util/selinux.c | 47 ++++++++++++++++-------------------------
src/lib/util/selinux.h | 8 ++++---
src/lib/util/template.c | 23 ++++++--------------
5 files changed, 79 insertions(+), 50 deletions(-)
diff --git a/src/lib/util/file.c b/src/lib/util/file.c
index fa231f771a7d0cdd449b69c4bf7b00d93aefc375..2e23ce39ec04e6aaf79f16410f9ac08dc3f9d54c 100644
--- a/src/lib/util/file.c
+++ b/src/lib/util/file.c
@@ -329,3 +329,41 @@ file_make_path(const char *path, mode_t mode)
return EOK;
}
+
+errno_t
+file_mktmp_for(const char *path, mode_t mode, char **_tmpfile)
+{
+ mode_t oldmask;
+ char *tmpfile;
+ errno_t ret;
+ int fd;
+
+ oldmask = umask(mode);
+
+ tmpfile = format("%s.XXXXXX", path);
+ if (tmpfile == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ fd = mkstemp(tmpfile);
+ if (fd == -1) {
+ ret = errno;
+ goto done;
+ }
+
+ close(fd);
+
+ *_tmpfile = tmpfile;
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ free(tmpfile);
+ }
+
+ umask(oldmask);
+
+ return ret;
+}
diff --git a/src/lib/util/file.h b/src/lib/util/file.h
index 49ebef37443bf137439bad27fd75283c25c9c3e5..6d5823791bfcc581304200d0c2d37b41c3d7b95d 100644
--- a/src/lib/util/file.h
+++ b/src/lib/util/file.h
@@ -133,7 +133,7 @@ file_get_parent_directory(const char *filepath);
/**
* Create all directories in a path. Path must end with a directory not a file.
*
- * @param filename Path to the file whose directories should be created.
+ * @param path Path to the file whose directories should be created.
* @param mode Directory mode.
*
* @return EOK on success, other errno code on error.
@@ -141,4 +141,15 @@ file_get_parent_directory(const char *filepath);
errno_t
file_make_path(const char *path, mode_t mode);
+/**
+ * Make temporary file for @path so it can be first written and then safelly
+ * renamed to @path.
+ *
+ * @param path Path to the file whose directories should be created.
+ * @param mode Temporary file mode.
+ * @param _tmpfile Path to created temporary file.
+ */
+errno_t
+file_mktmp_for(const char *path, mode_t mode, char **_tmpfile);
+
#endif /* _FILE_H_ */
diff --git a/src/lib/util/selinux.c b/src/lib/util/selinux.c
index 9b0e0ff26b768d88f67a42985c5d5bafb8aa58ec..01b68087b265c0ef1c1087f626df8e20de086338 100644
--- a/src/lib/util/selinux.c
+++ b/src/lib/util/selinux.c
@@ -26,6 +26,7 @@
#include <selinux/label.h>
#include "common/common.h"
+#include "lib/util/file.h"
errno_t
selinux_get_default_context(const char *path,
@@ -61,15 +62,19 @@ selinux_get_default_context(const char *path,
}
errno_t
-selinux_mkstemp_of(const char *filepath,
- char **_tmpfile)
+selinux_mkstemp_for(const char *filepath,
+ mode_t mode,
+ char **_tmpfile)
{
char *original_context = NULL;
char *default_context = NULL;
- char *tmpfile = NULL;
+ char *tmpfile;
errno_t ret;
int seret;
- int fd;
+
+ if (is_selinux_enabled() != 1) {
+ return file_mktmp_for(filepath, mode, _tmpfile);
+ }
seret = getfscreatecon(&original_context);
if (seret != 0) {
@@ -77,12 +82,6 @@ selinux_mkstemp_of(const char *filepath,
return EIO;
}
- tmpfile = format("%s.XXXXXX", filepath);
- if (tmpfile == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
ret = selinux_get_default_context(filepath, &default_context);
if (ret == ENOENT) {
default_context = NULL;
@@ -92,6 +91,7 @@ selinux_mkstemp_of(const char *filepath,
goto done;
}
+ /* Set desired fs create context. */
seret = setfscreatecon(default_context);
if (seret != 0) {
ERROR("Unable to set fscreate selinux context!");
@@ -99,22 +99,9 @@ selinux_mkstemp_of(const char *filepath,
goto done;
}
- fd = mkstemp(tmpfile);
- if (fd == -1) {
- ret = errno;
-
- seret = setfscreatecon(original_context);
- if (seret != 0) {
- ERROR("Unable to restore fscreate selinux context!");
- ret = EIO;
- goto done;
- }
-
- goto done;
- }
-
- close(fd);
+ ret = file_mktmp_for(filepath, mode, &tmpfile);
+ /* Restore original fs create context. */
seret = setfscreatecon(original_context);
if (seret != 0) {
ERROR("Unable to restore fscreate selinux context!");
@@ -122,6 +109,12 @@ selinux_mkstemp_of(const char *filepath,
goto done;
}
+ /* Check result of file_mktmp_for() */
+ if (ret != EOK) {
+ free(tmpfile);
+ goto done;
+ }
+
*_tmpfile = tmpfile;
ret = EOK;
@@ -135,9 +128,5 @@ done:
freecon(default_context);
}
- if (ret != EOK) {
- free(tmpfile);
- }
-
return ret;
}
diff --git a/src/lib/util/selinux.h b/src/lib/util/selinux.h
index 26f2374140562dd085145845ed3092a0ddcf924e..8abfb3fb5d244b32570cc9e573b2e12df14177e1 100644
--- a/src/lib/util/selinux.h
+++ b/src/lib/util/selinux.h
@@ -39,12 +39,14 @@ selinux_get_default_context(const char *path);
* set to default security context of @filepath.
*
* @param filepath File for which a temporary file should be created.
- * @param _tmpfile Create temporary file.
+ * @param mode Temporary file mode.
+ * @param _tmpfile Created temporary file.
*
* @return EOK on success, other errno code on failure.
*/
errno_t
-selinux_mkstemp_of(const char *filepath,
- char **_tmpfile);
+selinux_mkstemp_for(const char *filepath,
+ mode_t mode,
+ char **_tmpfile);
#endif /* _SELINUX_H_ */
diff --git a/src/lib/util/template.c b/src/lib/util/template.c
index 9773dcbf1ecbde4fe2408f1b816dce129747806f..1f3464912d8fe7afe8a7f0920fe31eb5c2dfaba5 100644
--- a/src/lib/util/template.c
+++ b/src/lib/util/template.c
@@ -592,36 +592,25 @@ template_write_temporary(const char *filepath,
mode_t mode,
char **_tmpfile)
{
- mode_t oldmask;
char *tmpfile;
errno_t ret;
- oldmask = umask(mode);
-
- ret = selinux_mkstemp_of(filepath, &tmpfile);
+ ret = selinux_mkstemp_for(filepath, mode, &tmpfile);
if (ret != EOK) {
ERROR("Unable to create temporary file for [%s] [%d]: %s",
filepath, ret, strerror(ret));
- goto done;
+ return ret;
}
ret = template_write(tmpfile, content, mode);
- if (ret != EOK) {
- goto done;
- }
-
- *_tmpfile = tmpfile;
-
- ret = EOK;
-
-done:
- umask(oldmask);
-
if (ret != EOK) {
free(tmpfile);
+ return ret;
}
- return ret;
+ *_tmpfile = tmpfile;
+
+ return EOK;
}
bool
--
2.17.2

29
SOURCES/0038-sssd-require-smartcard-only-for-specific-services.patch Normal file
View File

@ -0,0 +1,29 @@
From c7f20a9d79ef8e9a681994b27554dcd5df1d36c7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 4 Feb 2019 12:38:39 +0100
Subject: [PATCH 2/3] sssd: require smartcard only for specific services
Otherwise even services like su or sudo can not perform password authentication
which is not desired.
Resolves:
https://github.com/pbrezina/authselect/issues/134
---
profiles/sssd/system-auth | 1 +
1 file changed, 1 insertion(+)
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 22dba5b2d3db23855724ddb05528e5013c63c5af..c21d18ec855978d4f10abc3f1f95ac1cfb563d58 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -1,6 +1,7 @@
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
+auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"}
auth [success=done ignore=ignore default=die] pam_sss.so require_cert_auth ignore_authinfo_unavail {include if "with-smartcard-required"}
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
--
2.17.2

152
SOURCES/0039-Revert-profiles-make-session-pam_systemd-required.patch Normal file
View File

@ -0,0 +1,152 @@
From a21f75d8194df780f83aff0f36d270f56af7f182 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jakub.hrozek@posteo.se>
Date: Mon, 25 Feb 2019 21:48:18 +0100
Subject: [PATCH] Revert "profiles: make session pam_systemd required"
This reverts commit 297f48d60dd9fe4ba3fd2bdd1bdd5276ffa557d6.
---
profiles/nis/fingerprint-auth | 2 +-
profiles/nis/password-auth | 2 +-
profiles/nis/system-auth | 2 +-
profiles/sssd/fingerprint-auth | 2 +-
profiles/sssd/password-auth | 2 +-
profiles/sssd/smartcard-auth | 2 +-
profiles/sssd/system-auth | 2 +-
profiles/winbind/fingerprint-auth | 2 +-
profiles/winbind/password-auth | 2 +-
profiles/winbind/system-auth | 2 +-
10 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/profiles/nis/fingerprint-auth b/profiles/nis/fingerprint-auth
index dc9e53b..278487b 100644
--- a/profiles/nis/fingerprint-auth
+++ b/profiles/nis/fingerprint-auth
@@ -17,7 +17,7 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session required pam_systemd.so
+-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
index 60781bb..2ce77fd 100644
--- a/profiles/nis/password-auth
+++ b/profiles/nis/password-auth
@@ -22,7 +22,7 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session required pam_systemd.so
+-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
index 3edbf34..d1f270a 100644
--- a/profiles/nis/system-auth
+++ b/profiles/nis/system-auth
@@ -23,7 +23,7 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session required pam_systemd.so
+-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
index 3bdaf3e..01b70f3 100644
--- a/profiles/sssd/fingerprint-auth
+++ b/profiles/sssd/fingerprint-auth
@@ -19,7 +19,7 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session required pam_systemd.so
+-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index fbd6647..c61630d 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -28,7 +28,7 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session required pam_systemd.so
+-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
diff --git a/profiles/sssd/smartcard-auth b/profiles/sssd/smartcard-auth
index 5ec5e1d..82e82cc 100644
--- a/profiles/sssd/smartcard-auth
+++ b/profiles/sssd/smartcard-auth
@@ -16,7 +16,7 @@ account required pam_permit.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session required pam_systemd.so
+-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 2879592..d70c7da 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -32,7 +32,7 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session required pam_systemd.so
+-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
diff --git a/profiles/winbind/fingerprint-auth b/profiles/winbind/fingerprint-auth
index 9264946..0beff74 100644
--- a/profiles/winbind/fingerprint-auth
+++ b/profiles/winbind/fingerprint-auth
@@ -18,7 +18,7 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session required pam_systemd.so
+-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
index b694bed..455add4 100644
--- a/profiles/winbind/password-auth
+++ b/profiles/winbind/password-auth
@@ -25,7 +25,7 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session required pam_systemd.so
+-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
index 88e1c07..5b383f7 100644
--- a/profiles/winbind/system-auth
+++ b/profiles/winbind/system-auth
@@ -26,7 +26,7 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session required pam_systemd.so
+-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
--
2.19.2

24
SOURCES/0901-rhel8-remove-mention-of-Fedora-Change-page-in-compat.patch Normal file
View File

@ -0,0 +1,24 @@
From 009be0fc33866a590de8720cb0f3dab811e10059 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 30 Oct 2018 14:08:12 +0100
Subject: [PATCH] rhel8: remove mention of Fedora Change page in compat tool
---
src/compat/authcompat.py.in.in | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
index 0be644222a44185cb08ff696afad5adf05995093..42cc6f3c0e38d8e14d62bd5acdc171176a6cb51f 100755
--- a/src/compat/authcompat.py.in.in
+++ b/src/compat/authcompat.py.in.in
@@ -469,7 +469,6 @@ class AuthCompat:
"It does not provide all capabilities of authconfig.\n"))
print(_("IMPORTANT: authconfig is replaced by authselect, "
"please update your scripts."))
- print(_("See Fedora 28 Change Page: https://fedoraproject.org/wiki/Changes/AuthselectAsDefault"))
print(_("See man authselect-migration(7) to help you with migration to authselect"))
options = self.options.getSetButUnsupported()
--
2.17.2

388
SPECS/authselect.spec Normal file
View File

@ -0,0 +1,388 @@
Name: authselect
Version: 1.0
Release: 13%{?dist}
Summary: Configures authentication and identity sources from supported profiles
URL: https://github.com/pbrezina/authselect
License: GPLv3+
Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
%if 0%{?rhel}
Source1: translations-1.0-12.tar.gz
%endif
%global makedir %{_builddir}/%{name}-%{version}
Patch0001: 0001-lib-fix-profile-origin-debug-message.patch
Patch0002: 0002-man-remove-duplicate-of-with-pamaccess.patch
Patch0003: 0003-Don-t-write-options-without-value-to-pwquality-conf-.patch
Patch0004: 0004-compat-write-only-options-set-on-command-line-to-pwq.patch
Patch0005: 0005-compat-fix-regular-expression-for-environment-files.patch
Patch0006: 0006-compat-fix-typo-in-compat-tool-that-produces-TypeErr.patch
Patch0007: 0007-compat-use-current-configuration-unless-other-profil.patch
Patch0008: 0008-compat-do-not-disable-service-if-its-option-is-not-s.patch
Patch0009: 0009-nis-add-all-maps-supported-by-nss_nis.patch
Patch0010: 0010-nis-add-systemd-module-to-nsswitch.conf.patch
Patch0011: 0011-nis-add-nis-option-to-pam_unix-in-password-phase.patch
Patch0012: 0012-nis-with-nispwquality-will-enable-pwquality-for-nis-.patch
Patch0013: 0013-profiles-add-without-nullok.patch
Patch0014: 0014-profiles-add-options-to-exclude-lines-from-nsswitch..patch
Patch0015: 0015-compat-do-not-stop-rpcbind-only-start-it.patch
Patch0016: 0016-sssd-document-that-this-profile-can-be-used-also-wit.patch
Patch0017: 0017-sssd-add-support-for-local-users-authentication-via-.patch
Patch0018: 0018-sssd-add-with-smartcard-required-feature.patch
Patch0019: 0019-sssd-remove-with-sudo-duplicate-from-readme.patch
Patch0020: 0020-profiles-end-all-files-with-new-line.patch
Patch0021: 0021-compat-add-support-for-with-smartcard-required-enabl.patch
Patch0022: 0022-compat-support-with-smartcard-lock-on-removal-smartc.patch
Patch0023: 0023-profiles-mention-pam_oddjob_mkhomedir-in-requirement.patch
Patch0024: 0024-lib-fix-memory-leak-in-authselect_profile_free.patch
Patch0025: 0025-lib-fix-memory-leak-in-authselect_config_validate_ex.patch
Patch0026: 0026-profiles-make-session-pam_systemd-required.patch
Patch0027: 0027-lib-add-authselect_profile_features-to-list-supporte.patch
Patch0028: 0028-lib-refuse-to-activate-profile-if-unsupported-featur.patch
Patch0029: 0029-lib-remove-no-longer-supported-features-in-apply-cha.patch
Patch0030: 0030-compat-write-to-sysconfig-after-all-changes-are-done.patch
Patch0031: 0031-util-remove-duplicate-values-correctly-in-string_arr.patch
Patch0032: 0032-util-do-not-return-value-from-string_array_del_value.patch
Patch0033: 0033-util-fix-buffer-error-in-textfile_copy.patch
Patch0034: 0034-lib-fix-coverity-warnings.patch
Patch0035: 0035-lib-label-temporary-files-with-correct-selinux-conte.patch
Patch0036: 0036-authselect-fix-memory-leak-of-maps.patch
Patch0037: 0037-lib-make-selinux-functions-work-with-selinux-disable.patch
Patch0038: 0038-sssd-require-smartcard-only-for-specific-services.patch
Patch0039: 0039-Revert-profiles-make-session-pam_systemd-required.patch
# Downstream only
Patch0901: 0901-rhel8-remove-mention-of-Fedora-Change-page-in-compat.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: findutils
BuildRequires: libtool
BuildRequires: m4
BuildRequires: gcc
BuildRequires: pkgconfig
BuildRequires: pkgconfig(popt)
BuildRequires: gettext-devel
BuildRequires: po4a
BuildRequires: %{_bindir}/a2x
BuildRequires: libcmocka-devel >= 1.0.0
BuildRequires: libselinux-devel
Requires: authselect-libs%{?_isa} = %{version}-%{release}
Suggests: sssd
Suggests: samba-winbind
Suggests: fprintd-pam
Suggests: oddjob-mkhomedir
%description
Authselect is designed to be a replacement for authconfig but it takes
a different approach to configure the system. Instead of letting
the administrator build the PAM stack with a tool (which may potentially
end up with a broken configuration), it would ship several tested stacks
(profiles) that solve a use-case and are well tested and supported.
At the same time, some obsolete features of authconfig are not
supported by authselect.
%package libs
Summary: Utility library used by the authselect tool
Requires: libselinux
# Required by scriptlets
Requires: coreutils
Requires: findutils
Requires: gawk
Requires: grep
Requires: sed
Requires: systemd
%description libs
Common library files for authselect. This package is used by the authselect
command line tool and any other potential front-ends.
%package compat
Summary: Tool to provide minimum backwards compatibility with authconfig
Obsoletes: authconfig < 7.0.1-6
Provides: authconfig
BuildRequires: python3-devel
Requires: authselect%{?_isa} = %{version}-%{release}
Suggests: sssd
Suggests: realmd
Suggests: samba-winbind
Suggests: oddjob-mkhomedir
# Required by scriptlets
Requires: sed
%description compat
This package will replace %{_sbindir}/authconfig with a tool that will
translate some of the authconfig calls into authselect calls. It provides
only minimum backward compatibility and users are encouraged to migrate
to authselect completely.
%package devel
Summary: Development libraries and headers for authselect
Requires: authselect-libs%{?_isa} = %{version}-%{release}
%description devel
System header files and development libraries for authselect. Useful if
you develop a front-end for the authselect library.
%prep
%setup -q
for p in %patches ; do
%__patch -p1 -i $p
done
# Install RHEL translations
# It is not possible to use wildcards here so we need to use 'find'
%if 0%{?rhel}
find "%{makedir}/po" "%{makedir}/src/man/po" -name "*.po" -delete
%__rm "%{makedir}/po/LINGUAS"
%setup -T -D -a 1
%endif
%build
autoreconf -if
%configure --with-pythonbin="%{__python3}"
%make_build
%check
%make_build check
%install
%make_install
# Find translations
%find_lang %{name}
%find_lang %{name} %{name}.8.lang --with-man
%find_lang %{name}-migration %{name}-migration.7.lang --with-man
%find_lang %{name}-profiles %{name}-profiles.5.lang --with-man
# We want this file to contain only manual page translations
sed -i '/LC_MESSAGES/d' %{name}.8.lang
# Remove .la and .a files created by libtool
find $RPM_BUILD_ROOT -name "*.la" -exec rm -f {} \;
find $RPM_BUILD_ROOT -name "*.a" -exec rm -f {} \;
%ldconfig_scriptlets libs
%files libs -f %{name}.lang -f %{name}-profiles.5.lang
%dir %{_sysconfdir}/authselect
%dir %{_sysconfdir}/authselect/custom
%dir %{_localstatedir}/lib/authselect
%dir %{_datadir}/authselect
%dir %{_datadir}/authselect/vendor
%dir %{_datadir}/authselect/default
%dir %{_datadir}/authselect/default/nis/
%dir %{_datadir}/authselect/default/sssd/
%dir %{_datadir}/authselect/default/winbind/
%{_datadir}/authselect/default/nis/dconf-db
%{_datadir}/authselect/default/nis/dconf-locks
%{_datadir}/authselect/default/nis/fingerprint-auth
%{_datadir}/authselect/default/nis/nsswitch.conf
%{_datadir}/authselect/default/nis/password-auth
%{_datadir}/authselect/default/nis/postlogin
%{_datadir}/authselect/default/nis/README
%{_datadir}/authselect/default/nis/REQUIREMENTS
%{_datadir}/authselect/default/nis/system-auth
%{_datadir}/authselect/default/sssd/dconf-db
%{_datadir}/authselect/default/sssd/dconf-locks
%{_datadir}/authselect/default/sssd/fingerprint-auth
%{_datadir}/authselect/default/sssd/nsswitch.conf
%{_datadir}/authselect/default/sssd/password-auth
%{_datadir}/authselect/default/sssd/postlogin
%{_datadir}/authselect/default/sssd/README
%{_datadir}/authselect/default/sssd/REQUIREMENTS
%{_datadir}/authselect/default/sssd/smartcard-auth
%{_datadir}/authselect/default/sssd/system-auth
%{_datadir}/authselect/default/winbind/dconf-db
%{_datadir}/authselect/default/winbind/dconf-locks
%{_datadir}/authselect/default/winbind/fingerprint-auth
%{_datadir}/authselect/default/winbind/nsswitch.conf
%{_datadir}/authselect/default/winbind/password-auth
%{_datadir}/authselect/default/winbind/postlogin
%{_datadir}/authselect/default/winbind/README
%{_datadir}/authselect/default/winbind/REQUIREMENTS
%{_datadir}/authselect/default/winbind/system-auth
%{_libdir}/libauthselect.so.*
%{_mandir}/man5/authselect-profiles.5*
%{_datadir}/doc/authselect/COPYING
%{_datadir}/doc/authselect/README.md
%license COPYING
%doc README.md
%files compat
%{_sbindir}/authconfig
%{python3_sitelib}/authselect/
%files devel
%{_includedir}/authselect.h
%{_libdir}/libauthselect.so
%{_libdir}/pkgconfig/authselect.pc
%files -f %{name}.8.lang -f %{name}-migration.7.lang
%{_bindir}/authselect
%{_mandir}/man8/authselect.8*
%{_mandir}/man7/authselect-migration.7*
%global validfile %{_localstatedir}/lib/rpm-state/%{name}.config-valid
%pre libs
rm -f %{validfile}
if [ $1 -gt 1 ] ; then
# Remember if the current configuration is valid
%{_bindir}/authselect check &> /dev/null
if [ $? -eq 0 ]; then
touch %{validfile}
fi
fi
exit 0
%posttrans libs
# Copy nsswitch.conf to user-nsswitch.conf if it was not yet created
if [ ! -f %{_localstatedir}/lib/authselect/user-nsswitch-created ]; then
cp -n %{_sysconfdir}/nsswitch.conf %{_sysconfdir}/authselect/user-nsswitch.conf &> /dev/null
touch %{_localstatedir}/lib/authselect/user-nsswitch-created &> /dev/null
# If we are upgrading from older version, we want to remove these comments.
sed -i '/^# Generated by authselect on .*$/{$!{
N;N # Read also next two lines
/# Generated by authselect on .*\n# Do not modify this file manually.\n/d
}}' %{_sysconfdir}/authselect/user-nsswitch.conf &> /dev/null
fi
# If the configuration is valid and we are upgrading from older version
# we need to create these files since they were added in 1.0.
if [ -f %{validfile} ]; then
FILES="nsswitch.conf system-auth password-auth fingerprint-auth \
smartcard-auth postlogin dconf-db dconf-locks"
for FILE in $FILES ; do
cp -n %{_sysconfdir}/authselect/$FILE \
%{_localstatedir}/lib/authselect/$FILE &> /dev/null
done
rm -f %{validfile}
fi
# Apply any changes to profiles (validates configuration first internally)
%{_bindir}/authselect apply-changes &> /dev/null
# Enable with-sudo feature if sssd-sudo responder is enabled. RHBZ#1582111
CURRENT=`%{_bindir}/authselect current --raw 2> /dev/null`
if [ $? -eq 0 ]; then
PROFILE=`echo $CURRENT | awk '{print $1;}'`
if [ $PROFILE == "sssd" ] ; then
if grep -E "services[[:blank:]]*=[[:blank:]]*.*sudo" /etc/sssd/sssd.conf &> /dev/null ; then
%{_bindir}/authselect enable-feature with-sudo &> /dev/null
elif systemctl is-active sssd-sudo.service sssd-sudo.socket --quiet || systemctl is-enabled sssd-sudo.socket --quiet ; then
%{_bindir}/authselect enable-feature with-sudo &> /dev/null
fi
fi
fi
exit 0
%posttrans compat
# Fix for RHBZ#1618865
# Remove invalid lines from pwquality.conf generated by authconfig compat tool
# - previous version could write some options without value, which is invalid
# - we delete all options without value from existing file
sed -i -E '/^\w+=$/d' %{_sysconfdir}/security/pwquality.conf.d/10-authconfig-pwquality.conf &> /dev/null
exit 0
%changelog
* Mon Feb 25 2019 Jakub Hrozek <jhrozek@redhat.com> - 1.0-13
- Revert pam_systemd.so to be optional
- Resolves: #rhbz1643928 - pam_systemd shouldn't be optional in system-auth
* Mon Feb 4 2019 Pavel Březina <pbrezina@redhat.com> - 1.0-12
- make authselect work with selinux disabled (RHBZ #1668025)
- require smartcard authentication only for specific services (RHBZ #1665058)
- update translations (RHBZ #1608286)
* Fri Jan 11 2019 Pavel Březina <pbrezina@redhat.com> - 1.0-11
- require libselinux needed by (RHBZ #1664650)
* Fri Jan 11 2019 Pavel Březina <pbrezina@redhat.com> - 1.0-10
- invalid selinux context for files under /etc/authselect (RHBZ #1664650)
* Tue Dec 4 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-9
- fix sources for official rhel translations (RHBZ #1608286)
- fix coverity warnings for authselect enable-features should error on unknown features (RHBZ #1651637)
* Mon Dec 3 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-8
- add official rhel translations (RHBZ #1608286)
* Mon Dec 3 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-7
- pam_systemd shouldn't be optional in system-auth (RHBZ #1643928)
- compat tool: support --enablerequiresmartcard (RHBZ #1649277)
- compat tool: support --smartcardaction=0 (RHBZ #1649279)
- remove ecryptfs from authselect since it is not present in rhel8 (RHBZ #1649282)
- authselect enable-features should error on unknown features (RHBZ #1651637)
* Wed Oct 31 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-6
- Remove mention of Fedora Change page from compat tool (RHBZ #1644309)
* Wed Oct 10 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-5
- Support for "require smartcard for login option" (RHBZ #1611012)
* Mon Oct 1 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-4
- add official rhel translations (RHBZ #1608286)
* Fri Sep 28 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-3
- scriptlet can fail if coreutils is not installed (RHBZ #1630896)
- fix typo (require systemd instead of systemctl)
* Thu Sep 27 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-2
- authconfig --update overwrites current profile (RHBZ #1628492)
- authselect profile nis enhancements (RHBZ #1628493)
- scriptlet can fail if coreutils is not installed (RHBZ #1630896)
- authconfig --update --enablenis stops ypserv (RHBZ #1632567)
- compat tool generates invalid pwquality configuration (RHBZ #1628491)
* Mon Aug 13 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-1
- Rebase to 1.0 (RHBZ #1614235)
* Wed Aug 01 2018 Charalampos Stratakis <cstratak@redhat.com> - 0.4-4
- Rebuild for platform-python
* Mon May 14 2018 Pavel Březina <pbrezina@redhat.com> - 0.4-3
- Disable sssd as sudo rules source with sssd profile by default (RHBZ #1573403)
* Wed Apr 25 2018 Christian Heimes <cheimes@redhat.com> - 0.4-2
- Don't disable oddjobd.service (RHBZ #1571844)
* Mon Apr 9 2018 Pavel Březina <pbrezina@redhat.com> - 0.4-1
- rebasing to 0.4
* Tue Mar 6 2018 Pavel Březina <pbrezina@redhat.com> - 0.3.2-1
- rebasing to 0.3.2
- authselect-compat now only suggests packages, not recommends
* Mon Mar 5 2018 Pavel Březina <pbrezina@redhat.com> - 0.3.1-1
- rebasing to 0.3.1
* Tue Feb 20 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.3-3
- Provide authconfig
* Tue Feb 20 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.3-2
- Properly own all appropriate directories
- Remove unneeded %%defattr
- Remove deprecated Group tag
- Make Obsoletes versioned
- Remove unneeded ldconfig scriptlets
* Tue Feb 20 2018 Pavel Březina <pbrezina@redhat.com> - 0.3-1
- rebasing to 0.3
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Wed Jan 10 2018 Pavel Březina <pbrezina@redhat.com> - 0.2-2
- fix rpmlint errors
* Wed Jan 10 2018 Pavel Březina <pbrezina@redhat.com> - 0.2-1
- rebasing to 0.2
* Mon Jul 31 2017 Jakub Hrozek <jakub.hrozek@posteo.se> - 0.1-1
- initial packaging