From 77518afb47f8371268bbf0b3b7ec889b3b65ca4b Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 17 May 2022 06:36:20 -0400 Subject: [PATCH] import authselect-1.2.3-7.el9 --- .authselect.metadata | 1 + .gitignore | 1 + ...g-uninitialized-variable-in-authsele.patch | 31 ++ ...tion-of-Fedora-Change-page-in-compat.patch | 25 + .../9002-rhel9-remove-ecryptfs-support.patch | 283 +++++++++++ ...lt-to-files-first-for-users-and-grou.patch | 58 +++ ...hel9-remove-support-for-for-resolved.patch | 44 ++ SOURCES/9005-rhel9-remove-nis-support.patch | 435 +++++++++++++++++ SPECS/authselect.spec | 451 ++++++++++++++++++ 9 files changed, 1329 insertions(+) create mode 100644 .authselect.metadata create mode 100644 .gitignore create mode 100644 SOURCES/0001-lib-avoid-freeing-uninitialized-variable-in-authsele.patch create mode 100644 SOURCES/9001-rhel9-remove-mention-of-Fedora-Change-page-in-compat.patch create mode 100644 SOURCES/9002-rhel9-remove-ecryptfs-support.patch create mode 100644 SOURCES/9003-rhel9-sssd-default-to-files-first-for-users-and-grou.patch create mode 100644 SOURCES/9004-rhel9-remove-support-for-for-resolved.patch create mode 100644 SOURCES/9005-rhel9-remove-nis-support.patch create mode 100644 SPECS/authselect.spec diff --git a/.authselect.metadata b/.authselect.metadata new file mode 100644 index 0000000..d08bc58 --- /dev/null +++ b/.authselect.metadata @@ -0,0 +1 @@ +3f004c30e9f07c0dd259403f1cd9f13c5ec297ce SOURCES/authselect-1.2.3.tar.gz diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..00d9be7 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/authselect-1.2.3.tar.gz diff --git a/SOURCES/0001-lib-avoid-freeing-uninitialized-variable-in-authsele.patch b/SOURCES/0001-lib-avoid-freeing-uninitialized-variable-in-authsele.patch new file mode 100644 index 0000000..091d8f7 --- /dev/null +++ b/SOURCES/0001-lib-avoid-freeing-uninitialized-variable-in-authsele.patch @@ -0,0 +1,31 @@ +From 6924b8f8d82ecd32e897cf5f441e5c87f8816859 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Thu, 22 Jul 2021 11:29:20 +0200 +Subject: [PATCH] lib: avoid freeing uninitialized variable in + authselect_apply_changes() + +If authselect_profile() fails, we goto done and try to free uninitialized +variable. + +Resolves: +https://github.com/authselect/authselect/issues/265 +--- + src/lib/authselect.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/lib/authselect.c b/src/lib/authselect.c +index 0f43e12202c16769dfc6ac7dee41812159cc1d3a..a901e02719713bd13d5a4fab606ee713b3d6ddca 100644 +--- a/src/lib/authselect.c ++++ b/src/lib/authselect.c +@@ -163,7 +163,7 @@ authselect_uninstall(void) + _PUBLIC_ int + authselect_apply_changes(void) + { +- struct authselect_profile *profile; ++ struct authselect_profile *profile = NULL; + char **supported = NULL; + char *profile_id; + char **features; +-- +2.31.1 + diff --git a/SOURCES/9001-rhel9-remove-mention-of-Fedora-Change-page-in-compat.patch b/SOURCES/9001-rhel9-remove-mention-of-Fedora-Change-page-in-compat.patch new file mode 100644 index 0000000..007679c --- /dev/null +++ b/SOURCES/9001-rhel9-remove-mention-of-Fedora-Change-page-in-compat.patch @@ -0,0 +1,25 @@ +From 2e2a7143cbfa719905cb130a5e67313c65bf3b65 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 30 Oct 2018 14:08:12 +0100 +Subject: [PATCH 1/3] rhel9: remove mention of Fedora Change page in compat + tool + +--- + src/compat/authcompat.py.in.in | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in +index f879e08eb94e9620dfc28f245b0ea5815df7e4f2..e4b8c05c6a11a215529ba66f8b36b72a6ac18448 100755 +--- a/src/compat/authcompat.py.in.in ++++ b/src/compat/authcompat.py.in.in +@@ -468,7 +468,6 @@ class AuthCompat: + "It does not provide all capabilities of authconfig.\n")) + print(_("IMPORTANT: authconfig is replaced by authselect, " + "please update your scripts.")) +- print(_("See Fedora 28 Change Page: https://fedoraproject.org/wiki/Changes/AuthselectAsDefault")) + print(_("See man authselect-migration(7) to help you with migration to authselect")) + + options = self.options.getSetButUnsupported() +-- +2.29.2 + diff --git a/SOURCES/9002-rhel9-remove-ecryptfs-support.patch b/SOURCES/9002-rhel9-remove-ecryptfs-support.patch new file mode 100644 index 0000000..9a43bca --- /dev/null +++ b/SOURCES/9002-rhel9-remove-ecryptfs-support.patch @@ -0,0 +1,283 @@ +From 6de7d2e033d67f23b33620a2b80f5a6c106bd6f5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Mon, 10 Jun 2019 10:53:15 +0200 +Subject: [PATCH 2/3] rhel9: remove ecryptfs support + +--- + profiles/nis/README | 3 --- + profiles/nis/fingerprint-auth | 1 - + profiles/nis/password-auth | 1 - + profiles/nis/postlogin | 4 ---- + profiles/nis/system-auth | 1 - + profiles/sssd/README | 3 --- + profiles/sssd/fingerprint-auth | 1 - + profiles/sssd/password-auth | 1 - + profiles/sssd/postlogin | 4 ---- + profiles/sssd/smartcard-auth | 1 - + profiles/sssd/system-auth | 1 - + profiles/winbind/README | 3 --- + profiles/winbind/fingerprint-auth | 1 - + profiles/winbind/password-auth | 1 - + profiles/winbind/postlogin | 4 ---- + profiles/winbind/system-auth | 1 - + src/compat/authcompat.py.in.in | 1 - + src/compat/authcompat_Options.py | 2 +- + src/man/authselect-migration.7.adoc | 5 ++--- + 19 files changed, 3 insertions(+), 36 deletions(-) + +diff --git a/profiles/nis/README b/profiles/nis/README +index 5dbb9b49fb7708ef3b073aff7e1883e3f9a0bd06..cac3428bf844b0a9d251015988583f4c1b15c3c9 100644 +--- a/profiles/nis/README ++++ b/profiles/nis/README +@@ -21,9 +21,6 @@ with-mkhomedir:: + Enable automatic creation of home directories for users on their + first login. + +-with-ecryptfs:: +- Enable automatic per-user ecryptfs. +- + with-fingerprint:: + Enable authentication with fingerprint reader through *pam_fprintd*. + +diff --git a/profiles/nis/fingerprint-auth b/profiles/nis/fingerprint-auth +index 756993cf1b2095f505208df19dd739dcaed1af31..eebec6d0d6edeae6a3eb224f0ff284016b0fc642 100644 +--- a/profiles/nis/fingerprint-auth ++++ b/profiles/nis/fingerprint-auth +@@ -13,7 +13,6 @@ password required pam_deny.so + + session optional pam_keyinit.so revoke + session required pam_limits.so +-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} + -session optional pam_systemd.so + session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} + session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth +index 7997ea8de61ad6392ed01c39727f70253b5cc0ca..9a8ae9cde644a4ac981f4b9553af2f0f428bfebb 100644 +--- a/profiles/nis/password-auth ++++ b/profiles/nis/password-auth +@@ -17,7 +17,6 @@ password required pam_deny.so + + session optional pam_keyinit.so revoke + session required pam_limits.so +-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} + -session optional pam_systemd.so + session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} + session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +diff --git a/profiles/nis/postlogin b/profiles/nis/postlogin +index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644 +--- a/profiles/nis/postlogin ++++ b/profiles/nis/postlogin +@@ -1,7 +1,3 @@ +-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} +- +-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} +- + session optional pam_umask.so silent + session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet + session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed} +diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth +index 057b31e074f29c46b492fa310a954e281631800e..2e7462983d35e4a2f5cef8151ed53baaf7e5c790 100644 +--- a/profiles/nis/system-auth ++++ b/profiles/nis/system-auth +@@ -18,7 +18,6 @@ password required pam_deny.so + + session optional pam_keyinit.so revoke + session required pam_limits.so +-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} + -session optional pam_systemd.so + session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} + session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +diff --git a/profiles/sssd/README b/profiles/sssd/README +index 95ef5dc785ed0530122837b5e08d03590ed1ada5..ac063e8d065d0488279dc2381bdd7f8ac361bfcb 100644 +--- a/profiles/sssd/README ++++ b/profiles/sssd/README +@@ -40,9 +40,6 @@ with-mkhomedir:: + Enable automatic creation of home directories for users on their + first login. + +-with-ecryptfs:: +- Enable automatic per-user ecryptfs. +- + with-smartcard:: + Enable authentication with smartcards through SSSD. Please note that + smartcard support must be also explicitly enabled within +diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth +index fe3cac7a976845017d034ac1158a38f889926ce8..ad0a95440ebd006ff88264177598c77afc472dda 100644 +--- a/profiles/sssd/fingerprint-auth ++++ b/profiles/sssd/fingerprint-auth +@@ -18,7 +18,6 @@ password required pam_deny.so + + session optional pam_keyinit.so revoke + session required pam_limits.so +-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} + -session optional pam_systemd.so + session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} + session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth +index d6953428cca7d6518f63c3fdbaabc4746c35f91b..6d87cbe0a805bf5d3ab2a6192d570b9e5c6dc143 100644 +--- a/profiles/sssd/password-auth ++++ b/profiles/sssd/password-auth +@@ -27,7 +27,6 @@ password required pam_deny.so + + session optional pam_keyinit.so revoke + session required pam_limits.so +-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} + -session optional pam_systemd.so + session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} + session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +diff --git a/profiles/sssd/postlogin b/profiles/sssd/postlogin +index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644 +--- a/profiles/sssd/postlogin ++++ b/profiles/sssd/postlogin +@@ -1,7 +1,3 @@ +-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} +- +-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} +- + session optional pam_umask.so silent + session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet + session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed} +diff --git a/profiles/sssd/smartcard-auth b/profiles/sssd/smartcard-auth +index 230269c42508a50ad5b4677ab6514b9afe4d5fbf..874ffaca1b2c15c81adc4ca130c15834154bdc0e 100644 +--- a/profiles/sssd/smartcard-auth ++++ b/profiles/sssd/smartcard-auth +@@ -16,7 +16,6 @@ account required pam_permit.so + + session optional pam_keyinit.so revoke + session required pam_limits.so +-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} + -session optional pam_systemd.so + session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} + session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth +index 6f914ea91eb7782d60959ced56112f9cc1365347..dfc53b4ce55a0d575dc4fe68004a846f43360ccc 100644 +--- a/profiles/sssd/system-auth ++++ b/profiles/sssd/system-auth +@@ -32,7 +32,6 @@ password required pam_deny.so + + session optional pam_keyinit.so revoke + session required pam_limits.so +-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} + -session optional pam_systemd.so + session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} + session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +diff --git a/profiles/winbind/README b/profiles/winbind/README +index 40a1a459355d2ee8ab98e31d2868cb24261e2c17..0e80bb697f8050ac8eb3c78d4f41945b9bcbba29 100644 +--- a/profiles/winbind/README ++++ b/profiles/winbind/README +@@ -33,9 +33,6 @@ with-mkhomedir:: + Enable automatic creation of home directories for users on their + first login. + +-with-ecryptfs:: +- Enable automatic per-user ecryptfs. +- + with-fingerprint:: + Enable authentication with fingerprint reader through *pam_fprintd*. + +diff --git a/profiles/winbind/fingerprint-auth b/profiles/winbind/fingerprint-auth +index c4b8261ca45d4f6b9eda03ea96850bb32d605d30..6262549af2ca8aed540e7a7e1d97e0ba3b2ef088 100644 +--- a/profiles/winbind/fingerprint-auth ++++ b/profiles/winbind/fingerprint-auth +@@ -17,7 +17,6 @@ password required pam_deny.so + + session optional pam_keyinit.so revoke + session required pam_limits.so +-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} + -session optional pam_systemd.so + session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} + session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth +index bbeca057d49102889e3eeee040ea256dbd751eef..aef4d5ce6a6ec9496deabc1010cde0370a3ecba7 100644 +--- a/profiles/winbind/password-auth ++++ b/profiles/winbind/password-auth +@@ -24,7 +24,6 @@ password required pam_deny.so + + session optional pam_keyinit.so revoke + session required pam_limits.so +-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} + -session optional pam_systemd.so + session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} + session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +diff --git a/profiles/winbind/postlogin b/profiles/winbind/postlogin +index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644 +--- a/profiles/winbind/postlogin ++++ b/profiles/winbind/postlogin +@@ -1,7 +1,3 @@ +-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} +- +-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} +- + session optional pam_umask.so silent + session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet + session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed} +diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth +index 8e6026b782f8bd7e64632a9acedf304bd95f29e1..e4bdd0bf1c315c86cc8064625b80161baa5c455f 100644 +--- a/profiles/winbind/system-auth ++++ b/profiles/winbind/system-auth +@@ -25,7 +25,6 @@ password required pam_deny.so + + session optional pam_keyinit.so revoke + session required pam_limits.so +-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} + -session optional pam_systemd.so + session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} + session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in +index e4b8c05c6a11a215529ba66f8b36b72a6ac18448..4e39b7ec66d0e2ba911c7280467ba78fd29c196c 100755 +--- a/src/compat/authcompat.py.in.in ++++ b/src/compat/authcompat.py.in.in +@@ -520,7 +520,6 @@ class AuthCompat: + 'smartcard' : 'with-smartcard', + 'requiresmartcard' : 'with-smartcard-required', + 'fingerprint' : 'with-fingerprint', +- 'ecryptfs' : 'with-ecryptfs', + 'mkhomedir' : 'with-mkhomedir', + 'faillock' : 'with-faillock', + 'pamaccess' : 'with-pamaccess', +diff --git a/src/compat/authcompat_Options.py b/src/compat/authcompat_Options.py +index c8f52ab6773c4cd5371f32121dba8053f3443261..433a3340bac29739174e78928701214c08ec6f3c 100644 +--- a/src/compat/authcompat_Options.py ++++ b/src/compat/authcompat_Options.py +@@ -93,7 +93,6 @@ class Options: + Option.Valued ("smartcardaction", _("<0=Lock|1=Ignore>"), _("action to be taken on smart card removal")), + Option.Feature("requiresmartcard",_("require smart card for authentication by default")), + Option.Feature("fingerprint", _("authentication with fingerprint readers by default")), +- Option.Feature("ecryptfs", _("automatic per-user ecryptfs")), + Option.Feature("krb5", _("Kerberos authentication by default")), + Option.Valued ("krb5kdc", _(""), _("default Kerberos KDC")), + Option.Valued ("krb5adminserver", _(""), _("default Kerberos admin server")), +@@ -141,6 +140,7 @@ class Options: + # layers and will produce warning when used. They will not affect + # the system. + Option.UnsupportedFeature("cache"), ++ Option.UnsupportedFeature("ecryptfs"), + Option.UnsupportedFeature("shadow"), + Option.UnsupportedSwitch ("useshadow"), + Option.UnsupportedFeature("md5"), +diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc +index 35ba484d576ab8a3d923a124f6b1577085deedd4..a27af036738274d8d392f7fe1f7d59c89e9c4ffb 100644 +--- a/src/man/authselect-migration.7.adoc ++++ b/src/man/authselect-migration.7.adoc +@@ -80,7 +80,6 @@ configuration file for required services. + |*Authconfig options* |*Authselect profile feature* + |--enablesmartcard |with-smartcard + |--enablefingerprint |with-fingerprint +-|--enableecryptfs |with-ecryptfs + |--enablemkhomedir |with-mkhomedir + |--enablefaillock |with-faillock + |--enablepamaccess |with-pamaccess +@@ -95,8 +94,8 @@ authselect select sssd with-faillock + authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --updateall + authselect select sssd with-smartcard + +-authconfig --enableecryptfs --enablepamaccess --updateall +-authselect select sssd with-ecryptfs with-pamaccess ++authconfig --enablepamaccess --updateall ++authselect select sssd with-pamaccess + + authconfig --enablewinbind --enablewinbindauth --winbindjoin=Administrator --updateall + realm join -U Administrator --client-software=winbind WINBINDDOMAIN +-- +2.29.2 + diff --git a/SOURCES/9003-rhel9-sssd-default-to-files-first-for-users-and-grou.patch b/SOURCES/9003-rhel9-sssd-default-to-files-first-for-users-and-grou.patch new file mode 100644 index 0000000..1d8c8fa --- /dev/null +++ b/SOURCES/9003-rhel9-sssd-default-to-files-first-for-users-and-grou.patch @@ -0,0 +1,58 @@ +From 9fc2d8061c811c4522484f4cb62a2025fe9282b2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Thu, 18 Feb 2021 13:38:53 +0100 +Subject: [PATCH 3/3] rhel9: sssd: default to files first for users and groups + +The passwd and group databases will now default to files first. +The order "sss files" can be enabled with "with-files-provider" +feature. +--- + profiles/sssd/README | 5 +++++ + profiles/sssd/REQUIREMENTS | 4 ++++ + profiles/sssd/nsswitch.conf | 4 ++-- + 3 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/profiles/sssd/README b/profiles/sssd/README +index ac063e8d065d0488279dc2381bdd7f8ac361bfcb..699d490b90710a53c3959f196b9ef435149a4bd0 100644 +--- a/profiles/sssd/README ++++ b/profiles/sssd/README +@@ -76,6 +76,11 @@ with-sudo:: + with-pamaccess:: + Check access.conf during account authorization. + ++with-files-domain:: ++ If set, SSSD will be contacted before "files" when resolving users and ++ groups. The order in nsswitch.conf will be set to "sss files" instead of ++ "files sss" for passwd and group maps. ++ + with-files-access-provider:: + If set, account management for local users is handled also by pam_sss. This + is needed if there is an explicitly configured domain with id_provider=files +diff --git a/profiles/sssd/REQUIREMENTS b/profiles/sssd/REQUIREMENTS +index cbffac54bbd2598c2a53cd3014ebeb271dad9c57..ba3b3bd0fa143c3cc74d00faaf6ff94a2b4aaf84 100644 +--- a/profiles/sssd/REQUIREMENTS ++++ b/profiles/sssd/REQUIREMENTS +@@ -14,3 +14,7 @@ Make sure that SSSD service is configured and enabled. See SSSD documentation fo + - with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module {include if "with-mkhomedir"} + is present and oddjobd service is enabled and active {include if "with-mkhomedir"} + - systemctl enable --now oddjobd.service {include if "with-mkhomedir"} ++ {include if "with-files-domain"} ++- with-files-domain is selected, make sure the files provider is enabled in SSSD {include if "with-files-domain"} ++ - set enable_files_domain=true in [sssd] section of /etc/sssd/sssd.conf {include if "with-files-domain"} ++ - or create a custom domain with id_provider=files {include if "with-files-domain"} +\ No newline at end of file +diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf +index 9734bbbe68e7cf73a4a560e3573162d353e551e8..91c9fe9ef60fde07d55269247c885db0f738c776 100644 +--- a/profiles/sssd/nsswitch.conf ++++ b/profiles/sssd/nsswitch.conf +@@ -1,5 +1,5 @@ +-passwd: sss files systemd {exclude if "with-custom-passwd"} +-group: sss files systemd {exclude if "with-custom-group"} ++passwd: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-passwd"} ++group: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-group"} + netgroup: sss files {exclude if "with-custom-netgroup"} + automount: sss files {exclude if "with-custom-automount"} + services: sss files {exclude if "with-custom-services"} +-- +2.29.2 + diff --git a/SOURCES/9004-rhel9-remove-support-for-for-resolved.patch b/SOURCES/9004-rhel9-remove-support-for-for-resolved.patch new file mode 100644 index 0000000..a009f8d --- /dev/null +++ b/SOURCES/9004-rhel9-remove-support-for-for-resolved.patch @@ -0,0 +1,44 @@ +From 259e4e50a97a5196436e3d7ed42d2ecf0be3203f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Mon, 31 May 2021 15:42:49 +0200 +Subject: [PATCH] rhel9: remove support for for resolved + +systemd-resolved is an experimental feature at this point and it +should not be enabled by default. Steps to switch this feature on +will be documented in RHEL guide. + +This reverts commit c5294c508a940291440eb32d5d750f33baf1ae54. +--- + profiles/minimal/nsswitch.conf | 2 +- + profiles/nis/nsswitch.conf | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/profiles/minimal/nsswitch.conf b/profiles/minimal/nsswitch.conf +index a9e4bc79a1090304542ccd8b43d1107eeb5304df..a39e4d32ebf79e8bf05f2db5753b01596222dc35 100644 +--- a/profiles/minimal/nsswitch.conf ++++ b/profiles/minimal/nsswitch.conf +@@ -2,7 +2,7 @@ aliases: files {exclude if "with-custom + automount: files {exclude if "with-custom-automount"} + ethers: files {exclude if "with-custom-ethers"} + group: files {if "with-altfiles":altfiles }systemd {exclude if "with-custom-group"} +-hosts: resolve [!UNAVAIL=return] files myhostname dns {exclude if "with-custom-hosts"} ++hosts: files dns myhostname {exclude if "with-custom-hosts"} + initgroups: files {exclude if "with-custom-initgroups"} + netgroup: files {exclude if "with-custom-netgroup"} + networks: files {exclude if "with-custom-networks"} +diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf +index 50a3ffb7431a91b88b4bfef4c09df19310fac7e7..9bee7d839f84ff39d54cb6ead9dea38e51736b4d 100644 +--- a/profiles/nis/nsswitch.conf ++++ b/profiles/nis/nsswitch.conf +@@ -2,7 +2,7 @@ aliases: files nis {exclude if "with-custom-aliases"} + automount: files nis {exclude if "with-custom-automount"} + ethers: files nis {exclude if "with-custom-ethers"} + group: files nis systemd {exclude if "with-custom-group"} +-hosts: resolve [!UNAVAIL=return] files nis myhostname dns {exclude if "with-custom-hosts"} ++hosts: files nis dns myhostname {exclude if "with-custom-hosts"} + initgroups: files nis {exclude if "with-custom-initgroups"} + netgroup: files nis {exclude if "with-custom-netgroup"} + networks: files nis {exclude if "with-custom-networks"} +-- +2.31.1 + diff --git a/SOURCES/9005-rhel9-remove-nis-support.patch b/SOURCES/9005-rhel9-remove-nis-support.patch new file mode 100644 index 0000000..6fe3cdb --- /dev/null +++ b/SOURCES/9005-rhel9-remove-nis-support.patch @@ -0,0 +1,435 @@ +From 7236f7a303215805de7195a8fdef7567543e8b0b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Wed, 9 Jun 2021 13:59:01 +0200 +Subject: [PATCH] rhel9: remove nis support + +NIS is no longer supported in RHEL9. +--- + profiles/Makefile.am | 13 ---- + profiles/nis/README | 111 ---------------------------- + profiles/nis/REQUIREMENTS | 13 ---- + profiles/nis/dconf-db | 3 - + profiles/nis/dconf-locks | 2 - + profiles/nis/nsswitch.conf | 14 ---- + profiles/nis/postlogin | 4 - + rpm/authselect.spec.in | 10 --- + src/compat/authcompat.py.in.in | 95 ------------------------ + src/compat/authcompat_Options.py | 8 +- + src/man/authselect-migration.7.adoc | 2 +- + 11 files changed, 6 insertions(+), 269 deletions(-) + delete mode 100644 profiles/nis/README + delete mode 100644 profiles/nis/REQUIREMENTS + delete mode 100644 profiles/nis/dconf-db + delete mode 100644 profiles/nis/dconf-locks + delete mode 100644 profiles/nis/nsswitch.conf + delete mode 100644 profiles/nis/postlogin + +diff --git a/profiles/Makefile.am b/profiles/Makefile.am +index 95e27147b2b0a229a76a293884d605484d3fa841..c658521de01130f19f669fe0a6cb86c11043a406 100644 +--- a/profiles/Makefile.am ++++ b/profiles/Makefile.am +@@ -13,19 +13,6 @@ dist_profile_minimal_DATA = \ + $(top_srcdir)/profiles/minimal/dconf-locks \ + $(NULL) + +-profile_nisdir = $(authselect_profile_dir)/nis +-dist_profile_nis_DATA = \ +- $(top_srcdir)/profiles/nis/nsswitch.conf \ +- $(top_srcdir)/profiles/nis/password-auth \ +- $(top_srcdir)/profiles/nis/postlogin \ +- $(top_srcdir)/profiles/nis/README \ +- $(top_srcdir)/profiles/nis/REQUIREMENTS \ +- $(top_srcdir)/profiles/nis/system-auth \ +- $(top_srcdir)/profiles/nis/fingerprint-auth \ +- $(top_srcdir)/profiles/nis/dconf-db \ +- $(top_srcdir)/profiles/nis/dconf-locks \ +- $(NULL) +- + profile_sssddir = $(authselect_profile_dir)/sssd + dist_profile_sssd_DATA = \ + $(top_srcdir)/profiles/sssd/nsswitch.conf \ +diff --git a/profiles/nis/README b/profiles/nis/README +deleted file mode 100644 +index cac3428bf844b0a9d251015988583f4c1b15c3c9..0000000000000000000000000000000000000000 +--- a/profiles/nis/README ++++ /dev/null +@@ -1,111 +0,0 @@ +-Enable NIS for system authentication +-==================================== +- +-Selecting this profile will enable Network Information Services as the source +-of identity and authentication providers. +- +-NIS CONFIGURATION +------------------ +- +-Authselect does not touch NIS configuration. Please, read NIS' documentation +-to see how to configure it manually. +- +-AVAILABLE OPTIONAL FEATURES +---------------------------- +- +-with-faillock:: +- Enable account locking in case of too many consecutive +- authentication failures. +- +-with-mkhomedir:: +- Enable automatic creation of home directories for users on their +- first login. +- +-with-fingerprint:: +- Enable authentication with fingerprint reader through *pam_fprintd*. +- +-with-pam-u2f:: +- Enable authentication via u2f dongle through *pam_u2f*. +- +-with-pam-u2f-2fa:: +- Enable 2nd factor authentication via u2f dongle through *pam_u2f*. +- +-without-pam-u2f-nouserok:: +- Module argument nouserok is omitted if also with-pam-u2f-2fa is used. +- *WARNING*: Omitting nouserok argument means that users without pam-u2f +- authentication configured will not be able to log in *INCLUDING* root. +- Make sure you are able to log in before losing root privileges. +- +-with-silent-lastlog:: +- Do not produce pam_lastlog message during login. +- +-with-pamaccess:: +- Check access.conf during account authorization. +- +-with-nispwquality:: +- If this option is set pam_pwquality module will check password quality +- for NIS users as well as local users during password change. Without this +- option only local users passwords are checked. +- +-without-nullok:: +- Do not add nullok parameter to pam_unix. +- +-DISABLE SPECIFIC NSSWITCH DATABASES +------------------------------------ +- +-Normally, nsswitch databases set by the profile overwrites values set in +-user-nsswitch.conf. The following options can force authselect to +-ignore value set by the profile and use the one set in user-nsswitch.conf +-instead. +- +-with-custom-aliases:: +-Ignore "aliases" map set by the profile. +- +-with-custom-automount:: +-Ignore "automount" map set by the profile. +- +-with-custom-ethers:: +-Ignore "ethers" map set by the profile. +- +-with-custom-group:: +-Ignore "group" map set by the profile. +- +-with-custom-hosts:: +-Ignore "hosts" map set by the profile. +- +-with-custom-initgroups:: +-Ignore "initgroups" map set by the profile. +- +-with-custom-netgroup:: +-Ignore "netgroup" map set by the profile. +- +-with-custom-networks:: +-Ignore "networks" map set by the profile. +- +-with-custom-passwd:: +-Ignore "passwd" map set by the profile. +- +-with-custom-protocols:: +-Ignore "protocols" map set by the profile. +- +-with-custom-publickey:: +-Ignore "publickey" map set by the profile. +- +-with-custom-rpc:: +-Ignore "rpc" map set by the profile. +- +-with-custom-services:: +-Ignore "services" map set by the profile. +- +-with-custom-shadow:: +-Ignore "shadow" map set by the profile. +- +-EXAMPLES +--------- +-* Enable NIS with no additional modules +- +- authselect select nis +- +-* Enable NIS and create home directories for users on their first login +- +- authselect select nis with-mkhomedir +diff --git a/profiles/nis/REQUIREMENTS b/profiles/nis/REQUIREMENTS +deleted file mode 100644 +index c58aa2789f4ef064b7904cacf4fc3158dce7ad41..0000000000000000000000000000000000000000 +--- a/profiles/nis/REQUIREMENTS ++++ /dev/null +@@ -1,13 +0,0 @@ +-Make sure that NIS service is configured and enabled. See NIS documentation for more information. +- {include if "with-fingerprint"} +-- with-fingerprint is selected, make sure fprintd service is configured and enabled {include if "with-fingerprint"} +- {include if "with-pam-u2f"} +-- with-pam-u2f is selected, make sure that the pam u2f module is installed {include if "with-pam-u2f"} +- - users can then configure keys using the pamu2fcfg tool {include if "with-pam-u2f"} +- {include if "with-pam-u2f-2fa"} +-- with-pam-u2f-2fa is selected, make sure that the pam u2f module is installed {include if "with-pam-u2f-2fa"} +- - users can then configure keys using the pamu2fcfg tool {include if "with-pam-u2f-2fa"} +- {include if "with-mkhomedir"} +-- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module {include if "with-mkhomedir"} +- is present and oddjobd service is enabled and active {include if "with-mkhomedir"} +- - systemctl enable --now oddjobd.service {include if "with-mkhomedir"} +diff --git a/profiles/nis/dconf-db b/profiles/nis/dconf-db +deleted file mode 100644 +index bd32b2819f66acdc75ab0fc522ec85673d10ed72..0000000000000000000000000000000000000000 +--- a/profiles/nis/dconf-db ++++ /dev/null +@@ -1,3 +0,0 @@ +-[org/gnome/login-screen] +-enable-smartcard-authentication=false +-enable-fingerprint-authentication={if "with-fingerprint":true|false} +diff --git a/profiles/nis/dconf-locks b/profiles/nis/dconf-locks +deleted file mode 100644 +index 8a36fa9568344338272786394aece872185d0ab3..0000000000000000000000000000000000000000 +--- a/profiles/nis/dconf-locks ++++ /dev/null +@@ -1,2 +0,0 @@ +-/org/gnome/login-screen/enable-smartcard-authentication +-/org/gnome/login-screen/enable-fingerprint-authentication +diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf +deleted file mode 100644 +index 9bee7d839f84ff39d54cb6ead9dea38e51736b4d..0000000000000000000000000000000000000000 +--- a/profiles/nis/nsswitch.conf ++++ /dev/null +@@ -1,14 +0,0 @@ +-aliases: files nis {exclude if "with-custom-aliases"} +-automount: files nis {exclude if "with-custom-automount"} +-ethers: files nis {exclude if "with-custom-ethers"} +-group: files nis systemd {exclude if "with-custom-group"} +-hosts: files nis dns myhostname {exclude if "with-custom-hosts"} +-initgroups: files nis {exclude if "with-custom-initgroups"} +-netgroup: files nis {exclude if "with-custom-netgroup"} +-networks: files nis {exclude if "with-custom-networks"} +-passwd: files nis systemd {exclude if "with-custom-passwd"} +-protocols: files nis {exclude if "with-custom-protocols"} +-publickey: files nis {exclude if "with-custom-publickey"} +-rpc: files nis {exclude if "with-custom-rpc"} +-services: files nis {exclude if "with-custom-services"} +-shadow: files nis {exclude if "with-custom-shadow"} +diff --git a/profiles/nis/postlogin b/profiles/nis/postlogin +deleted file mode 100644 +index 04a11f049bc1e220c9064fba7b46eb243ddd4996..0000000000000000000000000000000000000000 +--- a/profiles/nis/postlogin ++++ /dev/null +@@ -1,4 +0,0 @@ +-session optional pam_umask.so silent +-session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet +-session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed} +-session optional pam_lastlog.so silent noupdate showfailed +diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in +index 628d6c91e9b3b4448787915fc1f9ac42f445bfc6..a0d508a716603771878781a62168fe0a71207f66 100644 +--- a/rpm/authselect.spec.in ++++ b/rpm/authselect.spec.in +@@ -155,7 +155,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \; + %dir %{_datadir}/authselect/vendor + %dir %{_datadir}/authselect/default + %dir %{_datadir}/authselect/default/minimal/ +-%dir %{_datadir}/authselect/default/nis/ + %dir %{_datadir}/authselect/default/sssd/ + %dir %{_datadir}/authselect/default/winbind/ + %{_datadir}/authselect/default/minimal/nsswitch.conf +@@ -164,15 +163,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \; + %{_datadir}/authselect/default/minimal/README + %{_datadir}/authselect/default/minimal/REQUIREMENTS + %{_datadir}/authselect/default/minimal/system-auth +-%{_datadir}/authselect/default/nis/dconf-db +-%{_datadir}/authselect/default/nis/dconf-locks +-%{_datadir}/authselect/default/nis/fingerprint-auth +-%{_datadir}/authselect/default/nis/nsswitch.conf +-%{_datadir}/authselect/default/nis/password-auth +-%{_datadir}/authselect/default/nis/postlogin +-%{_datadir}/authselect/default/nis/README +-%{_datadir}/authselect/default/nis/REQUIREMENTS +-%{_datadir}/authselect/default/nis/system-auth + %{_datadir}/authselect/default/sssd/dconf-db + %{_datadir}/authselect/default/sssd/dconf-locks + %{_datadir}/authselect/default/sssd/fingerprint-auth +diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in +index 4e39b7ec66d0e2ba911c7280467ba78fd29c196c..7c0fdf341212250f03dc14ddf6680e90da8e217e 100755 +--- a/src/compat/authcompat.py.in.in ++++ b/src/compat/authcompat.py.in.in +@@ -240,20 +240,6 @@ class Configuration: + + config.write(keys) + +- class Network(Base): +- def __init__(self, options): +- super(Configuration.Network, self).__init__(options) +- +- def write(self): +- nisdomain = self.get("nisdomain") +- config = EnvironmentFile(Path.System('network')) +- +- if nisdomain is None: +- return +- +- config.set("NISDOMAIN", nisdomain) +- config.write() +- + class SSSD(Base): + def __init__(self, options): + super(Configuration.SSSD, self).__init__(options, ServiceName="sssd") +@@ -375,83 +361,6 @@ class Configuration: + # other applications may depend on it. + return + +- class NIS(Base): +- def __init__(self, options): +- super(Configuration.NIS, self).__init__(options) +- self.rpcbind = Service("rpcbind") +- self.ypbind = Service("ypbind") +- +- def isEnabled(self): +- if not self.isset("nis"): +- return None +- +- return self.getBool("nis") +- +- def enableService(self, nostart): +- if not self.isset("nisdomain"): +- return +- +- nisdom = self.get("nisdomain") +- +- if not nostart: +- cmd = Command(Path.System('cmd-domainname'), [nisdom]) +- cmd.run() +- +- cmd = Command(Path.System('cmd-setsebool'), +- ['-P', 'allow_ypbind', '1']) +- cmd.run() +- +- self.rpcbind.enable() +- self.ypbind.enable() +- +- if not nostart: +- self.rpcbind.start(Restart=False) +- self.ypbind.start() +- +- def disableService(self, nostop): +- if not nostop: +- cmd = Command(Path.System('cmd-domainname'), ["(none)"]) +- cmd.run() +- +- cmd = Command(Path.System('cmd-setsebool'), +- ['-P', 'allow_ypbind', '0']) +- cmd.run() +- +- self.rpcbind.disable() +- self.ypbind.disable() +- +- if not nostop: +- self.rpcbind.stop() +- self.ypbind.stop() +- +- def write(self): +- if not self.isset("nisdomain"): +- return +- +- output = "domain " + self.get("nisdomain") +- +- additional_servers = [] +- if self.isset("nisserver"): +- servers = self.get("nisserver").split(",") +- additional_servers = servers[1:] +- output += " server " + servers[0] + "\n" +- else: +- output += " broadcast\n" +- +- for server in additional_servers: +- output += "ypserver " + server + "\n" +- +- filename = Path.System('yp.conf') +- if self.getBool("test-call"): +- print("========== BEGIN Content of [%s] ==========" % filename) +- print(output) +- print("========== END Content of [%s] ==========\n" % filename) +- return +- +- with open(filename, "w") as f: +- f.write(output) +- +- + class AuthCompat: + def __init__(self): + self.sysconfig = EnvironmentFile(Path.System('authconfig')) +@@ -533,8 +442,6 @@ class AuthCompat: + if (self.options.getBool("ldap") or self.options.getBool("ldapauth") or + self.options.getBool("sssd") or self.options.getBool("sssdauth")): + profile = "sssd" +- elif self.options.getBool("nis"): +- profile = "nis" + elif self.options.getBool("winbind"): + profile = "winbind" + +@@ -591,13 +498,11 @@ class AuthCompat: + def writeConfiguration(self): + configs = [ + Configuration.LDAP(self.options), +- Configuration.Network(self.options), + Configuration.Kerberos(self.options), + Configuration.SSSD(self.options), + Configuration.Winbind(self.options), + Configuration.PWQuality(self.options), + Configuration.MakeHomedir(self.options), +- Configuration.NIS(self.options) + ] + + for config in configs: +diff --git a/src/compat/authcompat_Options.py b/src/compat/authcompat_Options.py +index 433a3340bac29739174e78928701214c08ec6f3c..2712d85a377ee92c7816e3d2284302307084b0c4 100644 +--- a/src/compat/authcompat_Options.py ++++ b/src/compat/authcompat_Options.py +@@ -79,9 +79,6 @@ class Options: + # However, they will just make sure that an authentication against + # expected service is working. They may not result in the exact same + # configuration as authconfig would generate. +- Option.Feature("nis", _("NIS for user information by default")), +- Option.Valued ("nisdomain", _(""), _("default NIS domain")), +- Option.Valued ("nisserver", _(""), _("default NIS server")), + Option.Feature("ldap", _("LDAP for user information by default")), + Option.Feature("ldapauth", _("LDAP for authentication by default")), + Option.Valued ("ldapserver", _(""), _("default LDAP server hostname or URI")), +@@ -164,6 +161,11 @@ class Options: + Option.UnsupportedFeature("locauthorize"), + Option.UnsupportedFeature("sysnetauth"), + Option.UnsupportedValued ("faillockargs", _("")), ++ ++ # NIS is no longer supported ++ Option.UnsupportedFeature("nis"), ++ Option.UnsupportedValued ("nisdomain", _("")), ++ Option.UnsupportedValued ("nisserver", _("")), + ] + + Map = { +diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc +index a27af036738274d8d392f7fe1f7d59c89e9c4ffb..515104b160d956d04b9ec8cacd25d166983e02d5 100644 +--- a/src/man/authselect-migration.7.adoc ++++ b/src/man/authselect-migration.7.adoc +@@ -72,7 +72,7 @@ configuration file for required services. + |--enablesssd --enablesssdauth |sssd + |--enablekrb5 |sssd + |--enablewinbind --enablewinbindauth |winbind +-|--enablenis |nis ++|--enablenis |none + |========================================================= + + .Relation of authconfig options to authselect profile features +-- +2.20.1 + diff --git a/SPECS/authselect.spec b/SPECS/authselect.spec new file mode 100644 index 0000000..9c7ecbb --- /dev/null +++ b/SPECS/authselect.spec @@ -0,0 +1,451 @@ +# Do not terminate build if language files are empty. +%define _empty_manifest_terminate_build 0 + +Name: authselect +Version: 1.2.3 +Release: 7%{?dist} +Summary: Configures authentication and identity sources from supported profiles +URL: https://github.com/authselect/authselect + +License: GPLv3+ +Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz + +Patch0001: 0001-lib-avoid-freeing-uninitialized-variable-in-authsele.patch + +### Downstream Patches ### +%if 0%{?rhel} +Patch9001: 9001-rhel9-remove-mention-of-Fedora-Change-page-in-compat.patch +Patch9002: 9002-rhel9-remove-ecryptfs-support.patch +Patch9003: 9003-rhel9-sssd-default-to-files-first-for-users-and-grou.patch +Patch9004: 9004-rhel9-remove-support-for-for-resolved.patch +Patch0005: 9005-rhel9-remove-nis-support.patch +%endif + +%global makedir %{_builddir}/%{name}-%{version} + +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: findutils +BuildRequires: libtool +BuildRequires: m4 +BuildRequires: gcc +BuildRequires: pkgconfig +BuildRequires: pkgconfig(popt) +BuildRequires: gettext-devel +BuildRequires: po4a +BuildRequires: %{_bindir}/a2x +BuildRequires: libcmocka-devel >= 1.0.0 +BuildRequires: libselinux-devel +Requires: authselect-libs%{?_isa} = %{version}-%{release} +Suggests: sssd +Suggests: samba-winbind +Suggests: fprintd-pam +Suggests: oddjob-mkhomedir + +%description +Authselect is designed to be a replacement for authconfig but it takes +a different approach to configure the system. Instead of letting +the administrator build the PAM stack with a tool (which may potentially +end up with a broken configuration), it would ship several tested stacks +(profiles) that solve a use-case and are well tested and supported. +At the same time, some obsolete features of authconfig are not +supported by authselect. + +%package libs +Summary: Utility library used by the authselect tool +# Required by scriptlets +Requires: coreutils +Requires: findutils +Requires: gawk +Requires: grep +Requires: sed +Requires: systemd +Requires: pam >= 1.3.1-23 + +%description libs +Common library files for authselect. This package is used by the authselect +command line tool and any other potential front-ends. + +%package compat +Summary: Tool to provide minimum backwards compatibility with authconfig +Obsoletes: authconfig < 7.0.1-6 +Provides: authconfig +BuildRequires: python3-devel +BuildRequires: make +Requires: authselect%{?_isa} = %{version}-%{release} +Recommends: oddjob-mkhomedir +Suggests: sssd +Suggests: realmd +Suggests: samba-winbind +# Required by scriptlets +Requires: sed + +%description compat +This package will replace %{_sbindir}/authconfig with a tool that will +translate some of the authconfig calls into authselect calls. It provides +only minimum backward compatibility and users are encouraged to migrate +to authselect completely. + +%package devel +Summary: Development libraries and headers for authselect +Requires: authselect-libs%{?_isa} = %{version}-%{release} + +%description devel +System header files and development libraries for authselect. Useful if +you develop a front-end for the authselect library. + + +%prep +%setup -q + +for p in %patches ; do + %__patch -p1 -i $p +done + +%build +autoreconf -if +%configure --with-pythonbin="%{__python3}" +%make_build + +%check +%make_build check + +%install +%make_install + +# Find translations +%find_lang %{name} +%find_lang %{name} %{name}.8.lang --with-man +%find_lang %{name}-migration %{name}-migration.7.lang --with-man +%find_lang %{name}-profiles %{name}-profiles.5.lang --with-man + +# We want this file to contain only manual page translations +%__sed -i '/LC_MESSAGES/d' %{name}.8.lang + +# Remove .la and .a files created by libtool +find $RPM_BUILD_ROOT -name "*.la" -exec %__rm -f {} \; +find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \; + +%ldconfig_scriptlets libs + +%files libs -f %{name}.lang -f %{name}-profiles.5.lang +%dir %{_sysconfdir}/authselect +%dir %{_sysconfdir}/authselect/custom +%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/authselect.conf +%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/dconf-db +%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/dconf-locks +%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/fingerprint-auth +%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/nsswitch.conf +%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/password-auth +%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/postlogin +%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/smartcard-auth +%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/system-auth +%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/user-nsswitch.conf +%dir %{_localstatedir}/lib/authselect +%ghost %attr(0755,root,root) %{_localstatedir}/lib/authselect/backups/ +%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/dconf-db +%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/dconf-locks +%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/fingerprint-auth +%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/nsswitch.conf +%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/password-auth +%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/postlogin +%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/smartcard-auth +%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/system-auth +%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/user-nsswitch-created +%dir %{_datadir}/authselect +%dir %{_datadir}/authselect/vendor +%dir %{_datadir}/authselect/default +%dir %{_datadir}/authselect/default/minimal/ +%dir %{_datadir}/authselect/default/sssd/ +%dir %{_datadir}/authselect/default/winbind/ +%{_datadir}/authselect/default/minimal/dconf-db +%{_datadir}/authselect/default/minimal/dconf-locks +%{_datadir}/authselect/default/minimal/nsswitch.conf +%{_datadir}/authselect/default/minimal/password-auth +%{_datadir}/authselect/default/minimal/postlogin +%{_datadir}/authselect/default/minimal/README +%{_datadir}/authselect/default/minimal/REQUIREMENTS +%{_datadir}/authselect/default/minimal/system-auth +%{_datadir}/authselect/default/sssd/dconf-db +%{_datadir}/authselect/default/sssd/dconf-locks +%{_datadir}/authselect/default/sssd/fingerprint-auth +%{_datadir}/authselect/default/sssd/nsswitch.conf +%{_datadir}/authselect/default/sssd/password-auth +%{_datadir}/authselect/default/sssd/postlogin +%{_datadir}/authselect/default/sssd/README +%{_datadir}/authselect/default/sssd/REQUIREMENTS +%{_datadir}/authselect/default/sssd/smartcard-auth +%{_datadir}/authselect/default/sssd/system-auth +%{_datadir}/authselect/default/winbind/dconf-db +%{_datadir}/authselect/default/winbind/dconf-locks +%{_datadir}/authselect/default/winbind/fingerprint-auth +%{_datadir}/authselect/default/winbind/nsswitch.conf +%{_datadir}/authselect/default/winbind/password-auth +%{_datadir}/authselect/default/winbind/postlogin +%{_datadir}/authselect/default/winbind/README +%{_datadir}/authselect/default/winbind/REQUIREMENTS +%{_datadir}/authselect/default/winbind/system-auth +%{_libdir}/libauthselect.so.* +%{_mandir}/man5/authselect-profiles.5* +%{_datadir}/doc/authselect/COPYING +%{_datadir}/doc/authselect/README.md +%license COPYING +%doc README.md + +%files compat +%{_sbindir}/authconfig +%{python3_sitelib}/authselect/ + +%files devel +%{_includedir}/authselect.h +%{_libdir}/libauthselect.so +%{_libdir}/pkgconfig/authselect.pc + +%files -f %{name}.8.lang -f %{name}-migration.7.lang +%{_bindir}/authselect +%{_mandir}/man8/authselect.8* +%{_mandir}/man7/authselect-migration.7* +%{_sysconfdir}/bash_completion.d/authselect-completion.sh + +%global validfile %{_localstatedir}/lib/rpm-state/%{name}.config-valid + +%preun +if [ $1 == 0 ] ; then + # Remove authselect symbolic links so all authselect files can be + # deleted safely. If this fail, the uninstallation must fail to avoid + # breaking the system by removing PAM files. However, the command can + # only fail if it can not write to the file system. + %{_bindir}/authselect uninstall +fi + +%pre libs +%__rm -f %{validfile} +if [ $1 -gt 1 ] ; then + # Remember if the current configuration is valid + %{_bindir}/authselect check &> /dev/null + if [ $? -eq 0 ]; then + touch %{validfile} + fi +fi + +exit 0 + +%posttrans libs +# Copy nsswitch.conf to user-nsswitch.conf if it was not yet created +if [ ! -f %{_localstatedir}/lib/authselect/user-nsswitch-created ]; then + %__cp -n %{_sysconfdir}/nsswitch.conf %{_sysconfdir}/authselect/user-nsswitch.conf &> /dev/null + touch %{_localstatedir}/lib/authselect/user-nsswitch-created &> /dev/null + + # If we are upgrading from older version, we want to remove these comments. + %__sed -i '/^# Generated by authselect on .*$/{$!{ + N;N # Read also next two lines + /# Generated by authselect on .*\n# Do not modify this file manually.\n/d + }}' %{_sysconfdir}/authselect/user-nsswitch.conf &> /dev/null +fi + +# If the configuration is valid and we are upgrading from older version +# we need to create these files since they were added in 1.0. +if [ -f %{validfile} ]; then + FILES="nsswitch.conf system-auth password-auth fingerprint-auth \ + smartcard-auth postlogin dconf-db dconf-locks" + + for FILE in $FILES ; do + %__cp -n %{_sysconfdir}/authselect/$FILE \ + %{_localstatedir}/lib/authselect/$FILE &> /dev/null + done + + %__rm -f %{validfile} +fi + +# Add nss-altfiles if we are on Silverblue +if %__grep -i silverblue /etc/os-release &> /dev/null; then + for PROFILE in `ls %{_datadir}/authselect/default`; do + %{_bindir}/authselect create-profile $PROFILE --vendor --base-on $PROFILE --symlink-pam --symlink-dconf --symlink=REQUIREMENTS --symlink=README &> /dev/null + %__sed -ie "s/^\(passwd\|group\):\(.*\)systemd\(.*\)/\1:\2systemd altfiles\3/g" %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null + done +fi + +# Apply any changes to profiles (validates configuration first internally) +%{_bindir}/authselect apply-changes &> /dev/null + +# Enable with-sudo feature if sssd-sudo responder is enabled. RHBZ#1582111 +CURRENT=`%{_bindir}/authselect current --raw 2> /dev/null` +if [ $? -eq 0 ]; then + PROFILE=`echo $CURRENT | %__awk '{print $1;}'` + + if [ $PROFILE == "sssd" ] ; then + if %__grep -E "services[[:blank:]]*=[[:blank:]]*.*sudo" /etc/sssd/sssd.conf &> /dev/null ; then + %{_bindir}/authselect enable-feature with-sudo &> /dev/null + elif systemctl is-active sssd-sudo.service sssd-sudo.socket --quiet || systemctl is-enabled sssd-sudo.socket --quiet ; then + %{_bindir}/authselect enable-feature with-sudo &> /dev/null + fi + fi +fi + +exit 0 + +%posttrans compat +# Fix for RHBZ#1618865 +# Remove invalid lines from pwquality.conf generated by authconfig compat tool +# - previous version could write some options without value, which is invalid +# - we delete all options without value from existing file +%__sed -i -E '/^\w+=$/d' %{_sysconfdir}/security/pwquality.conf.d/10-authconfig-pwquality.conf &> /dev/null +exit 0 + +%changelog +* Thu Aug 26 2021 Pavel Březina - 1.2.3-7 +- Avoid freeing uninitialized variable in authselect_apply_changes (rhbz#1970871) + +* Mon Aug 09 2021 Mohan Boddu - 1.2.3-6 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Wed Jun 9 2021 Pavel Březina - 1.2.3-5 +- Remove nis support (rhbz#1968396) + +* Wed Jun 9 2021 Pavel Březina - 1.2.3-4 +- Remove nis support (rhbz#1968396) + +* Tue Jun 1 2021 Pavel Březina - 1.2.3-3 +- Remove systemd-resolved support (rhbz#1966484) + +* Thu Apr 15 2021 Mohan Boddu - 1.2.3-2 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Wed Mar 31 2021 Pavel Březina - 1.2.3-1 +- Rebase to 1.2.3 + +* Mon Mar 29 2021 Benjamin Berg - 1.2.2-7 +- Fix fingerprint-auth success result + The previous patch had an issue breaking fingerprint login + +* Tue Mar 09 2021 Benjamin Berg - 1.2.2-6 +- Add patch to make fingerprint-auth return non-failing pam_fprintd.so errors + Resolves: #1935331 + +* Thu Mar 4 2021 Pavel Březina - 1.2.2-5 +- minimal: add dconf settings to explicitly disable fingerprint and smartcard authentication + +* Wed Feb 24 2021 Pavel Březina - 1.2.2-4 +- Prepare authselect for RHEL-9, add downstream-only patches that will be synced + +* Fri Feb 19 2021 Pavel Březina - 1.2.2-3 +- Add RHEL9 only patch + +* Tue Jan 26 2021 Fedora Release Engineering - 1.2.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Wed Nov 25 2020 Pavel Březina - 1.2.2-1 +- Rebase to 1.2.2 +- Add nss-altfiles to profiles on Fedora Silverblue + +* Mon Jul 27 2020 Fedora Release Engineering - 1.2.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Wed Jul 22 2020 Pavel Březina - 1.2.1-3 +- Add resolved by default to nis and minimal profiles +- Fix parsing of multiple conditionals on the same line + +* Tue May 26 2020 Miro Hrončok - 1.2.1-2 +- Rebuilt for Python 3.9 + +* Mon May 11 2020 Pavel Březina - 1.2.1-1 +- Rebase to 1.2.1 + +* Wed Mar 4 2020 Pavel Březina - 1.2-1 +- Rebase to 1.2 + +* Mon Feb 17 2020 Pavel Březina - 1.1-7 +- fix restoring non-authselect configuration from backup + +* Wed Jan 29 2020 Pavel Březina - 1.1-6 +- cli: fix auto backup when --force is set + +* Tue Jan 28 2020 Fedora Release Engineering - 1.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Thu Oct 03 2019 Miro Hrončok - 1.1-4 +- Rebuilt for Python 3.8.0rc1 (#1748018) + +* Mon Aug 19 2019 Miro Hrončok - 1.1-3 +- Rebuilt for Python 3.8 + +* Wed Jul 24 2019 Fedora Release Engineering - 1.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Thu Jun 13 2019 Pavel Březina - 1.1-1 +- Rebase to 1.1 + +* Tue Feb 26 2019 Pavel Březina - 1.0.3-1 +- Rebase to 1.0.3 + +* Tue Feb 26 2019 Igor Gnatenko - 1.0.2-4 +- Use %ghost for files owned by authselect + +* Thu Jan 31 2019 Fedora Release Engineering - 1.0.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Mon Dec 3 2018 Pavel Březina - 1.0.2-2 +- Resolves rhbz#1655025 (invalid backup). + +* Fri Nov 23 2018 Pavel Březina - 1.0.2-1 +- Rebase to 1.0.2 + +* Thu Sep 27 2018 Pavel Březina - 1.0.1-2 +- Require systemd instead of systemctl + +* Thu Sep 27 2018 Pavel Březina - 1.0.1-1 +- Rebase to 1.0.1 + +* Fri Sep 14 2018 Pavel Březina - 1.0-3 +- Scriptlets should no produce any error messages (RHBZ #1622272) +- Provide fix for pwquality configuration (RHBZ #1618865) + +* Thu Aug 30 2018 Adam Williamson - 1.0-2 +- Backport PR #78 to fix broken pwquality config (RHBZ #1618865) + +* Mon Aug 13 2018 Pavel Březina - 1.0-1 +- Rebase to 1.0 + +* Thu Jul 12 2018 Fedora Release Engineering - 0.4-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Tue Jun 19 2018 Miro Hrončok - 0.4-4 +- Rebuilt for Python 3.7 + +* Mon May 14 2018 Pavel Březina - 0.4-3 +- Disable sssd as sudo rules source with sssd profile by default (RHBZ #1573403) + +* Wed Apr 25 2018 Christian Heimes - 0.4-2 +- Don't disable oddjobd.service (RHBZ #1571844) + +* Mon Apr 9 2018 Pavel Březina - 0.4-1 +- rebasing to 0.4 + +* Tue Mar 6 2018 Pavel Březina - 0.3.2-1 +- rebasing to 0.3.2 +- authselect-compat now only suggests packages, not recommends + +* Mon Mar 5 2018 Pavel Březina - 0.3.1-1 +- rebasing to 0.3.1 + +* Tue Feb 20 2018 Igor Gnatenko - 0.3-3 +- Provide authconfig + +* Tue Feb 20 2018 Igor Gnatenko - 0.3-2 +- Properly own all appropriate directories +- Remove unneeded %%defattr +- Remove deprecated Group tag +- Make Obsoletes versioned +- Remove unneeded ldconfig scriptlets + +* Tue Feb 20 2018 Pavel Březina - 0.3-1 +- rebasing to 0.3 +* Wed Feb 07 2018 Fedora Release Engineering - 0.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild +* Wed Jan 10 2018 Pavel Březina - 0.2-2 +- fix rpmlint errors +* Wed Jan 10 2018 Pavel Březina - 0.2-1 +- rebasing to 0.2 +* Mon Jul 31 2017 Jakub Hrozek - 0.1-1 +- initial packaging