diff --git a/.gitignore b/.gitignore
index 2454293..87b4cda 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,4 @@
 /authselect-0.3.1.tar.gz
 /authselect-0.3.2.tar.gz
 /authselect-0.4.tar.gz
+/authselect-1.0.tar.gz
diff --git a/0001-Don-t-disable-oddjobd.service.patch b/0001-Don-t-disable-oddjobd.service.patch
deleted file mode 100644
index 00b9402..0000000
--- a/0001-Don-t-disable-oddjobd.service.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From fb7477d0a9e5077adf328163fb83bb8aad8242ca Mon Sep 17 00:00:00 2001
-From: Christian Heimes
-Date: Wed, 25 Apr 2018 15:59:22 +0200
-Subject: [PATCH] Don't disable oddjobd.service
-
-authselect disables oddjobd.service unless the mkhomedir option is
-supplied. This breaks other services that depend on oddjobd, e.g.
-FreeIPA.
-
-Enable oddjobd.service with mkhomedir. Don't touch oddjobd.service
-otherwise.
-
-See: https://pagure.io/freeipa/issue/7465
-Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1571844
-Signed-off-by: Christian Heimes
----
- src/compat/authcompat.py.in.in | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
-index e83c36e..95fd07f 100755
---- a/src/compat/authcompat.py.in.in
-+++ b/src/compat/authcompat.py.in.in
-@@ -437,10 +437,10 @@ class AuthCompat:
- config.cleanup()
- self.disableService(config.service)
-
-+ # Enable oddjobd for mkhomedir, but don't disable the service in
-+ # case it's already running.
- if self.options.getBool("mkhomedir"):
- self.enableService("oddjobd")
-- else:
-- self.disableService("oddjobd")
-
-
- def main():
--- 
-2.14.3
diff --git a/0002-sssd-disable-sudo-by-default.patch b/0002-sssd-disable-sudo-by-default.patch
deleted file mode 100644
index 861da2c..0000000
--- a/0002-sssd-disable-sudo-by-default.patch
+++ /dev/null
@@ -1,43 +0,0 @@ -From 4b1981a67216f56e67cff3887fe38ee8063ee0b2 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Wed, 9 May 2018 14:27:56 +0200 -Subject: [PATCH] sssd: disable sudo by default - -SSSD's sudo responder is not enabled by default on Fedora systems, -therefore having it enabled in nsswitch.conf produced warnings in -logs or sudo mails. ---- - profiles/sssd/README | 3 +++ - profiles/sssd/nsswitch.conf | 2 +- - 2 files changed, 4 insertions(+), 1 deletion(-) - -diff --git a/profiles/sssd/README b/profiles/sssd/README -index d2e104f80ce1c1993c683f5c5331f09e8afa1ee9..a7e6e640eefa1268586169b7349e8ed6d062066f 100644 ---- a/profiles/sssd/README -+++ b/profiles/sssd/README -@@ -50,6 +50,9 @@ with-fingerprint:: - with-silent-lastlog:: - Do not produce pam_lastlog message during login. - -+with-sudo:: -+ Allow sudo to use SSSD as a source for sudo rules in addition of /etc/sudoers. -+ - EXAMPLES - -------- - -diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf -index fa5d76a9594dca9b9e192af7774600451557e5c5..cde7964a8531ae2b5e28ed6bf5428731b80b6ece 100644 ---- a/profiles/sssd/nsswitch.conf -+++ b/profiles/sssd/nsswitch.conf -@@ -3,7 +3,7 @@ group: sss files - netgroup: sss files - automount: sss files - services: sss files --sudoers: files sss -+sudoers: files {if "with-sudo":sss} - - shadow: files - ethers: files --- -2.14.3 - diff --git a/authselect.spec b/authselect.spec index 37b8c68..39856d1 100644 --- a/authselect.spec +++ b/authselect.spec @@ -1,15 +1,12 @@ Name: authselect -Version: 0.4 -Release: 5%{?dist} +Version: 1.0 +Release: 1%{?dist} Summary: Configures authentication and identity sources from supported profiles URL: https://github.com/pbrezina/authselect License: GPLv3+ Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz -Patch1: 0001-Don-t-disable-oddjobd.service.patch -Patch2: 0002-sssd-disable-sudo-by-default.patch - BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool 
@@ -18,6 +15,7 @@ BuildRequires: gcc BuildRequires: pkgconfig BuildRequires: pkgconfig(popt) BuildRequires: gettext-devel +BuildRequires: po4a BuildRequires: %{_bindir}/a2x BuildRequires: libcmocka-devel >= 1.0.0 Requires: authselect-libs%{?_isa} = %{version}-%{release} @@ -74,8 +72,6 @@ you develop a front-end for the authselect library. %prep %setup -q -%patch1 -p1 -%patch2 -p1 %build @@ -89,20 +85,40 @@ autoreconf -if %install %make_install +# Find translations +%find_lang %{name} +%find_lang %{name} %{name}.8.lang --with-man +%find_lang %{name}-migration %{name}-migration.7.lang --with-man +%find_lang %{name}-profiles %{name}-profiles.5.lang --with-man + +# We want this file to contain only manual page translations +sed -i '/LC_MESSAGES/d' %{name}.8.lang + # Remove .la and .a files created by libtool find $RPM_BUILD_ROOT -name "*.la" -exec rm -f {} \; find $RPM_BUILD_ROOT -name "*.a" -exec rm -f {} \; %ldconfig_scriptlets libs -%files libs +%files libs -f %{name}.lang -f %{name}-profiles.5.lang %dir %{_sysconfdir}/authselect %dir %{_sysconfdir}/authselect/custom +%dir %{_localstatedir}/lib/authselect %dir %{_datadir}/authselect %dir %{_datadir}/authselect/vendor %dir %{_datadir}/authselect/default +%dir %{_datadir}/authselect/default/nis/ %dir %{_datadir}/authselect/default/sssd/ %dir %{_datadir}/authselect/default/winbind/ +%{_datadir}/authselect/default/nis/dconf-db +%{_datadir}/authselect/default/nis/dconf-locks +%{_datadir}/authselect/default/nis/fingerprint-auth +%{_datadir}/authselect/default/nis/nsswitch.conf +%{_datadir}/authselect/default/nis/password-auth +%{_datadir}/authselect/default/nis/postlogin +%{_datadir}/authselect/default/nis/README +%{_datadir}/authselect/default/nis/REQUIREMENTS +%{_datadir}/authselect/default/nis/system-auth %{_datadir}/authselect/default/sssd/dconf-db %{_datadir}/authselect/default/sssd/dconf-locks %{_datadir}/authselect/default/sssd/fingerprint-auth 
@@ -110,6 +126,7 @@ find $RPM_BUILD_ROOT -name "*.a" -exec rm -f {} \; %{_datadir}/authselect/default/sssd/password-auth %{_datadir}/authselect/default/sssd/postlogin %{_datadir}/authselect/default/sssd/README +%{_datadir}/authselect/default/sssd/REQUIREMENTS %{_datadir}/authselect/default/sssd/smartcard-auth %{_datadir}/authselect/default/sssd/system-auth %{_datadir}/authselect/default/winbind/dconf-db @@ -119,6 +136,7 @@ find $RPM_BUILD_ROOT -name "*.a" -exec rm -f {} \; %{_datadir}/authselect/default/winbind/password-auth %{_datadir}/authselect/default/winbind/postlogin %{_datadir}/authselect/default/winbind/README +%{_datadir}/authselect/default/winbind/REQUIREMENTS %{_datadir}/authselect/default/winbind/system-auth %{_libdir}/libauthselect.so.* %{_mandir}/man5/authselect-profiles.5* 
@@ -136,47 +154,75 @@ find $RPM_BUILD_ROOT -name "*.a" -exec rm -f {} \; %{_libdir}/libauthselect.so %{_libdir}/pkgconfig/authselect.pc -%files +%files -f %{name}.8.lang -f %{name}-migration.7.lang %{_bindir}/authselect %{_mandir}/man8/authselect.8* %{_mandir}/man7/authselect-migration.7* -%global updatefile %{_localstatedir}/lib/rpm-state/%{name}.update-profile +%global validfile %{_localstatedir}/lib/rpm-state/%{name}.config-valid %pre libs -rm -f "%{updatefile}" +rm -f %{validfile} if [ $1 -gt 1 ] ; then - # Check that authselect cli is installed, otherwise there is nothing to do. - rpm -q %{name} &> /dev/null - if [ $? -ne 0 ] ; then - exit 0 - fi - - # This is an upgrade. Check that the current configuration is valid - # and store the information for later use in posttrans. The check must - # be done here (before profiles are updated), otherwise it would return - # an error if the new profile is different from the old one but selected. + # Remember if the current configuration is valid %{_bindir}/authselect check &> /dev/null if [ $? -eq 0 ]; then - touch "%{updatefile}" + touch %{validfile} fi fi exit 0 %posttrans libs -if [ -f "%{updatefile}" ]; then - # This is an upgrade. Update current profile if possible. - PROFILE=`%{_bindir}/authselect current --raw` - if [ $? -eq 0 ]; then - %{_bindir}/authselect select $PROFILE --force &> /dev/null +# Copy nsswitch.conf to user-nsswitch.conf if it was not yet created +if [ ! -f %{_localstatedir}/lib/authselect/user-nsswitch-created ]; then + cp -n %{_sysconfdir}/nsswitch.conf %{_sysconfdir}/authselect/user-nsswitch.conf &> /dev/null + touch %{_localstatedir}/lib/authselect/user-nsswitch-created &> /dev/null + + # If we are upgrading from older version, we want to remove these comments. 
+ sed -i '/^# Generated by authselect on .*$/{$!{ + N;N # Read also next two lines + /# Generated by authselect on .*\n# Do not modify this file manually.\n/d + }}' %{_sysconfdir}/authselect/user-nsswitch.conf &> /dev/null +fi + +# If the configuration is valid and we are upgrading from older version +# we need to create these files since they were added in 1.0. +if [ -f %{validfile} ]; then + FILES="nsswitch.conf system-auth password-auth fingerprint-auth \ + smartcard-auth postlogin dconf-db dconf-locks" + + for FILE in $FILES ; do + cp -n %{_sysconfdir}/authselect/$FILE \ + %{_localstatedir}/lib/authselect/$FILE &> /dev/null + done + + rm -f %{validfile} +fi + +# Apply any changes to profiles (validates configuration first internally) +%{_bindir}/authselect apply-changes &> /dev/null + +# Enable with-sudo feature if sssd-sudo responder is enabled. RHBZ#1582111 +CURRENT=`%{_bindir}/authselect current --raw` +if [ $? -eq 0 ]; then + PROFILE=`echo $CURRENT | awk '{print $1;}'` + + if [ $PROFILE == "sssd" ] ; then + if grep -E "services[[:blank:]]*=[[:blank:]]*.*sudo" /etc/sssd/sssd.conf &> /dev/null ; then + %{_bindir}/authselect enable-feature with-sudo + elif systemctl is-active sssd-sudo.service sssd-sudo.socket --quiet || systemctl is-enabled sssd-sudo.socket --quiet ; then + %{_bindir}/authselect enable-feature with-sudo + fi fi - rm -f "%{updatefile}" fi exit 0 %changelog +* Mon Aug 13 2018 Pavel Březina - 1.0-1 +- Rebase to 1.0 + * Thu Jul 12 2018 Fedora Release Engineering - 0.4-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild diff --git a/sources b/sources index b336ef7..da2bf8c 100644 --- a/sources +++ b/sources 
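Review bot: The `grep -E "services[[:blank:]]*=[[:blank:]]*.*sudo"` test in `%posttrans libs` is unanchored, so a commented-out `#services = nss, pam, sudo` line, or any `services` value that merely contains the string `sudo`, would switch on `with-sudo` during an upgrade. That feature makes SSSD a source of sudo rules in nsswitch.conf, so the match should be restricted to an active key and a whole word, for example `grep -E "^[[:blank:]]*services[[:blank:]]*=.*\<sudo\>" /etc/sssd/sssd.conf`. In the same block, `[ $PROFILE == "sssd" ]` should be `[ "$PROFILE" = "sssd" ]`, so that an empty result from the awk step is a clean false rather than a test syntax error.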
@@ -1 +1 @@
-SHA512 (authselect-0.4.tar.gz) = 5d2ed1080943f270dcfe9825f3d81bf471860648846729ca2b0847f659fbc84558abaab0570a600a9dc8d896832404da94058085237c8ee9be1fcf5a6e4fd212
+SHA512 (authselect-1.0.tar.gz) = d5463a1b854d9c18bd687a43d3c2822302f872d4b35c16b671d22aec78131f99ab08c96184e50778cea322bb04a1991b59f845dba55bb408634cb333bfb2d2fc