From bcf69ee55070470a8872fe01794837b163adb331 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
Date: Wed, 4 Mar 2020 12:22:40 +0100
Subject: [PATCH] authselect-1.2-1: rebase to 1.2
---
 .gitignore | 1 +
 ...li-fix-auto-backup-when-force-is-set.patch | 31 -----
 ...n-existing-files-when-restoring-non-.patch | 49 --------
 ...thselect.conf-when-restoring-non-aut.patch | 27 -----
 ...o-not-unlink-dangerous-missing-files.patch | 108 ------------------
 ...rn-empty-array-if-directory-does-not.patch | 29 -----
 authselect.spec | 23 ++--
 sources | 2 +-
 8 files changed, 16 insertions(+), 254 deletions(-)
 delete mode 100644 0001-cli-fix-auto-backup-when-force-is-set.patch
 delete mode 100644 0002-backup-remove-non-existing-files-when-restoring-non-.patch
 delete mode 100644 0003-backup-remove-authselect.conf-when-restoring-non-aut.patch
 delete mode 100644 0004-backup-do-not-unlink-dangerous-missing-files.patch
 delete mode 100644 0005-backup-list-return-empty-array-if-directory-does-not.patch
diff --git a/.gitignore b/.gitignore
index 34c8866..06f9e51 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,3 +10,4 @@
 /authselect-1.0.2.tar.gz
 /authselect-1.0.3.tar.gz
 /authselect-1.1.tar.gz
+/authselect-1.2.tar.gz
diff --git a/0001-cli-fix-auto-backup-when-force-is-set.patch b/0001-cli-fix-auto-backup-when-force-is-set.patch
deleted file mode 100644
index 781689b..0000000
--- a/0001-cli-fix-auto-backup-when-force-is-set.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From fbbe095c15233f0411fdd7218e9021125c93a807 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
-Date: Wed, 15 Jan 2020 14:00:20 +0100
-Subject: [PATCH] cli: fix auto backup when --force is set
-
-3e2e51df4d145daed2ed9b57ebec468cde2ddd52 adds backup ability to
-multiple functions, unfortunately it introduced a regression
-that backup is not performed automatically when --force is set.
-
-Resolves:
-https://github.com/pbrezina/authselect/issues/192
----
- src/cli/main.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/cli/main.c b/src/cli/main.c
-index 6caa0435de5dd1b61284dc973042bddc77d82d64..a5e9c877755763285c53570c8f540255c3c82489 100644
---- a/src/cli/main.c
-+++ b/src/cli/main.c
-@@ -189,7 +189,7 @@ static errno_t activate(struct cli_cmdline *cmdline)
- }
-
- if (backup || backup_name != NULL || (enforce && !nobackup)) {
-- ret = perform_backup(quiet, backup, backup_name);
-+ ret = perform_backup(quiet, 1, backup_name);
- if (ret != EOK) {
- goto done;
- }
---
-2.20.1
-
diff --git a/0002-backup-remove-non-existing-files-when-restoring-non-.patch b/0002-backup-remove-non-existing-files-when-restoring-non-.patch
deleted file mode 100644
index 9859284..0000000
--- a/0002-backup-remove-non-existing-files-when-restoring-non-.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 348dda6eb3da39748c43d89caf5e7bb4eb284b70 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
-Date: Wed, 12 Feb 2020 12:35:30 +0100
-Subject: [PATCH 1/4] backup: remove non-existing files when restoring
- non-authselect configuration
-
-Configuration that was not previously generated by authselect may not contain all
-the files (usually dconf configuration). This should not be treated as error
-but rather the files should be unlinked from the file system.
-
-Resolves:
-https://github.com/pbrezina/authselect/issues/197
----
- src/lib/util/selinux.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/src/lib/util/selinux.c b/src/lib/util/selinux.c
-index aed0b475703959447cb37da3711e5f412d80dc50..468634dcc8993dca1cd715a5c39a2d91659c0f6b 100644
---- a/src/lib/util/selinux.c
-+++ b/src/lib/util/selinux.c
-@@ -369,6 +369,12 @@ selinux_copy_files_safely(struct selinux_safe_copy *table,
- /* First, write content into temporary files, so we can safely fail
- * on error without overwriting destination files. */
- for (i = 0; table[i].source != NULL; i++) {
-+ if (file_exists(table[i].source) == ENOENT) {
-+ INFO("File [%s] does not exist", table[i].source);
-+ tmpfiles[i] = NULL;
-+ continue;
-+ }
-+
- INFO("Writing temporary file for [%s]", table[i].destination);
- ret = selinux_mkstemp_copy(table[i].source, dirs[i], names[i],
- dir_mode, &tmpfiles[i]);
-@@ -385,6 +391,12 @@ selinux_copy_files_safely(struct selinux_safe_copy *table,
- * even recover from it.
- */
- for (i = 0; table[i].source != NULL; i++) {
-+ if (tmpfiles[i] == NULL) {
-+ INFO("Removing [%s]", table[i].destination);
-+ unlink(table[i].destination);
-+ continue;
-+ }
-+
- INFO("Renaming [%s] to [%s]", tmpfiles[i], table[i].destination);
- ret = rename(tmpfiles[i], table[i].destination);
- if (ret != 0) {
---
-2.24.1
-
diff --git a/0003-backup-remove-authselect.conf-when-restoring-non-aut.patch b/0003-backup-remove-authselect.conf-when-restoring-non-aut.patch
deleted file mode 100644
index 307ead3..0000000
--- a/0003-backup-remove-authselect.conf-when-restoring-non-aut.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 3327fb6346f076c67897e51598b7576e1be4110a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
-Date: Wed, 12 Feb 2020 12:36:11 +0100
-Subject: [PATCH 2/4] backup: remove authselect.conf when restoring
- non-authselect configuration
-
-Non-authselect configuration does not contain authselect.conf so this file
-should be of course removed.
----
- src/lib/authselect_backup.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/lib/authselect_backup.c b/src/lib/authselect_backup.c
-index 68fca2721c64f7bbb3f04d69800b2d29f49ad1f6..58529626da9adb112a64a662c6bcc60b036a9a2d 100644
---- a/src/lib/authselect_backup.c
-+++ b/src/lib/authselect_backup.c
-@@ -236,6 +236,7 @@ static errno_t
- authselect_restore_system_configuration(const char *path)
- {
- struct selinux_safe_copy table[] = {
-+ {FILE_CONFIG, PATH_CONFIG_FILE},
- {FILE_SYSTEM, PATH_SYMLINK_SYSTEM},
- {FILE_PASSWORD, PATH_SYMLINK_PASSWORD},
- {FILE_FINGERPRINT, PATH_SYMLINK_FINGERPRINT},
---
-2.24.1
-
diff --git a/0004-backup-do-not-unlink-dangerous-missing-files.patch b/0004-backup-do-not-unlink-dangerous-missing-files.patch
deleted file mode 100644
index c86f754..0000000
--- a/0004-backup-do-not-unlink-dangerous-missing-files.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-From 3b4ad2849ba29c80f83cad9c0224bd8a744a7089 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
-Date: Wed, 12 Feb 2020 12:42:28 +0100
-Subject: [PATCH 3/4] backup: do not unlink dangerous missing files
-
-/etc/pam.d/system-auth and /etc/pam.d/postlogin should always exist
-so the user is able to login at least through terminal. If by any
-chance the backup files are missing, we must not remove these two,
-otherwise we would effectively lock out the system.
----
- src/lib/authselect_backup.c | 40 ++++++++++++++++++-------------------
- src/lib/util/selinux.c | 7 +++++++
- src/lib/util/selinux.h | 3 +++
- 3 files changed, 30 insertions(+), 20 deletions(-)
-
-diff --git a/src/lib/authselect_backup.c b/src/lib/authselect_backup.c
-index 58529626da9adb112a64a662c6bcc60b036a9a2d..e9bb9af35d70e058010acb7b469b8c03b9d7a049 100644
---- a/src/lib/authselect_backup.c
-+++ b/src/lib/authselect_backup.c
-@@ -236,16 +236,16 @@ static errno_t
- authselect_restore_system_configuration(const char *path)
- {
- struct selinux_safe_copy table[] = {
-- {FILE_CONFIG, PATH_CONFIG_FILE},
-- {FILE_SYSTEM, PATH_SYMLINK_SYSTEM},
-- {FILE_PASSWORD, PATH_SYMLINK_PASSWORD},
-- {FILE_FINGERPRINT, PATH_SYMLINK_FINGERPRINT},
-- {FILE_SMARTCARD, PATH_SYMLINK_SMARTCARD},
-- {FILE_POSTLOGIN, PATH_SYMLINK_POSTLOGIN},
-- {FILE_NSSWITCH, PATH_SYMLINK_NSSWITCH},
-- {FILE_DCONF_DB, PATH_SYMLINK_DCONF_DB},
-- {FILE_DCONF_LOCK, PATH_SYMLINK_DCONF_LOCK},
-- {NULL, NULL},
-+ {FILE_CONFIG, PATH_CONFIG_FILE, true},
-+ {FILE_SYSTEM, PATH_SYMLINK_SYSTEM, false},
-+ {FILE_PASSWORD, PATH_SYMLINK_PASSWORD, true},
-+ {FILE_FINGERPRINT, PATH_SYMLINK_FINGERPRINT, true},
-+ {FILE_SMARTCARD, PATH_SYMLINK_SMARTCARD, true},
-+ {FILE_POSTLOGIN, PATH_SYMLINK_POSTLOGIN, false},
-+ {FILE_NSSWITCH, PATH_SYMLINK_NSSWITCH, true},
-+ {FILE_DCONF_DB, PATH_SYMLINK_DCONF_DB, true},
-+ {FILE_DCONF_LOCK, PATH_SYMLINK_DCONF_LOCK, true},
-+ {NULL, NULL, false},
- };
- errno_t ret;
- int i;
-@@ -274,16 +274,16 @@ static errno_t
- authselect_restore_authselect_configuration(const char *path)
- {
- struct selinux_safe_copy table[] = {
-- {FILE_CONFIG, PATH_CONFIG_FILE},
-- {FILE_SYSTEM, PATH_SYSTEM},
-- {FILE_PASSWORD, PATH_PASSWORD},
-- {FILE_FINGERPRINT, PATH_FINGERPRINT},
-- {FILE_SMARTCARD, PATH_SMARTCARD},
-- {FILE_POSTLOGIN, PATH_POSTLOGIN},
-- {FILE_NSSWITCH, PATH_NSSWITCH},
-- {FILE_DCONF_DB, PATH_DCONF_DB},
-- {FILE_DCONF_LOCK, PATH_DCONF_LOCK},
-- {NULL, NULL},
-+ {FILE_CONFIG, PATH_CONFIG_FILE, false},
-+ {FILE_SYSTEM, PATH_SYSTEM, false},
-+ {FILE_PASSWORD, PATH_PASSWORD, false},
-+ {FILE_FINGERPRINT, PATH_FINGERPRINT, false},
-+ {FILE_SMARTCARD, PATH_SMARTCARD, false},
-+ {FILE_POSTLOGIN, PATH_POSTLOGIN, false},
-+ {FILE_NSSWITCH, PATH_NSSWITCH, false},
-+ {FILE_DCONF_DB, PATH_DCONF_DB, false},
-+ {FILE_DCONF_LOCK, PATH_DCONF_LOCK, false},
-+ {NULL, NULL, false},
- };
- errno_t ret;
- int i;
-diff --git a/src/lib/util/selinux.c b/src/lib/util/selinux.c
-index 468634dcc8993dca1cd715a5c39a2d91659c0f6b..899512710a71b3b111e17623e35a4dd2fe3d992c 100644
---- a/src/lib/util/selinux.c
-+++ b/src/lib/util/selinux.c
-@@ -370,6 +370,13 @@ selinux_copy_files_safely(struct selinux_safe_copy *table,
- * on error without overwriting destination files. */
- for (i = 0; table[i].source != NULL; i++) {
- if (file_exists(table[i].source) == ENOENT) {
-+ if (!table[i].can_unlink) {
-+ ERROR("File [%s] should exist but is missing. It is not safe to "
-+ "delete [%s]. Aborting.", table[i].source,
-+ table[i].destination);
-+ ret = EPERM;
-+ goto done;
-+ }
- INFO("File [%s] does not exist", table[i].source);
- tmpfiles[i] = NULL;
- continue;
-diff --git a/src/lib/util/selinux.h b/src/lib/util/selinux.h
-index f9cf070d05675f181f33eb5ac718ef9378954e14..76fcce7e3d71e036108ff6cd7f1d47e9c54e3fb9 100644
---- a/src/lib/util/selinux.h
-+++ b/src/lib/util/selinux.h
-@@ -82,6 +82,9 @@ struct selinux_safe_copy {
-
- /* Destination file name. */
- const char *destination;
-+
-+ /* Unlink destination if source file does not exist. */
-+ bool can_unlink;
- };
-
- /**
---
-2.24.1
-
diff --git a/0005-backup-list-return-empty-array-if-directory-does-not.patch b/0005-backup-list-return-empty-array-if-directory-does-not.patch
deleted file mode 100644
index 05bb63d..0000000
--- a/0005-backup-list-return-empty-array-if-directory-does-not.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From be2c69f4a47bd754299c2b4212fcd796b94098a9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
-Date: Wed, 12 Feb 2020 13:44:28 +0100
-Subject: [PATCH 4/4] backup-list: return empty array if directory does not
- exist
-
----
- src/lib/authselect_backup.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/src/lib/authselect_backup.c b/src/lib/authselect_backup.c
-index e9bb9af35d70e058010acb7b469b8c03b9d7a049..07c609861b0ef97e8041dd82c96feb6bec527e6a 100644
---- a/src/lib/authselect_backup.c
-+++ b/src/lib/authselect_backup.c
-@@ -201,7 +201,10 @@ authselect_backup_list(void)
- ret = dir_list(AUTHSELECT_BACKUP_DIR,
- DIR_LIST_DIRS | DIR_LIST_SORT_BY_CTIME,
- &names, NULL);
-- if (ret != EOK) {
-+ if (ret == ENOENT) {
-+ INFO(AUTHSELECT_BACKUP_DIR " does not exist.");
-+ return string_array_create(0);
-+ } else if (ret != EOK) {
- ERROR("Unable to list directory [%s] [%d]: %s",
- AUTHSELECT_BACKUP_DIR, ret, strerror(ret));
- return NULL;
---
-2.24.1
-
diff --git a/authselect.spec b/authselect.spec
index 3984fa0..39d8d4f 100644
--- a/authselect.spec
+++ b/authselect.spec
@@ -2,10 +2,10 @@
 %define _empty_manifest_terminate_build 0
 Name: authselect
-Version: 1.1
-Release: 7%{?dist}
+Version: 1.2
+Release: 1%{?dist}
 Summary: Configures authentication and identity sources from supported profiles
-URL: https://github.com/pbrezina/authselect
+URL: https://github.com/authselect/authselect
 License: GPLv3+
 Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
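Review bot: The `URL:` change in this hunk also moves where the release tarball is fetched from, because `Source0` is built from `%{url}`, and neither the commit message nor the new `%changelog` entry records that. The SHA512 in `sources` pins the new tarball's content but says nothing about its origin, so I would add a changelog line such as `- Upstream moved to https://github.com/authselect/authselect`. The same entry could state that the five dropped downstream patches are contained in 1.2, in particular the one that refuses to unlink system-auth and postlogin when a backup is restored; that cannot be checked from this diff.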
@@ -13,12 +13,6 @@ Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
 Source1: translations.tar.gz
 %endif
-Patch0001: 0001-cli-fix-auto-backup-when-force-is-set.patch
-Patch0002: 0002-backup-remove-non-existing-files-when-restoring-non-.patch
-Patch0003: 0003-backup-remove-authselect.conf-when-restoring-non-aut.patch
-Patch0004: 0004-backup-do-not-unlink-dangerous-missing-files.patch
-Patch0005: 0005-backup-list-return-empty-array-if-directory-does-not.patch
-
 %global makedir %{_builddir}/%{name}-%{version}
 BuildRequires: autoconf
@@ -58,6 +52,7 @@ Requires: gawk
 Requires: grep
 Requires: sed
 Requires: systemd
+Requires: pam >= 1.3.1-23
 %description libs
 Common library files for authselect. This package is used by the authselect
@@ -149,9 +144,16 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
 %dir %{_datadir}/authselect
 %dir %{_datadir}/authselect/vendor
 %dir %{_datadir}/authselect/default
+%dir %{_datadir}/authselect/default/minimal/
 %dir %{_datadir}/authselect/default/nis/
 %dir %{_datadir}/authselect/default/sssd/
 %dir %{_datadir}/authselect/default/winbind/
+%{_datadir}/authselect/default/minimal/nsswitch.conf
+%{_datadir}/authselect/default/minimal/password-auth
+%{_datadir}/authselect/default/minimal/postlogin
+%{_datadir}/authselect/default/minimal/README
+%{_datadir}/authselect/default/minimal/REQUIREMENTS
+%{_datadir}/authselect/default/minimal/system-auth
 %{_datadir}/authselect/default/nis/dconf-db
 %{_datadir}/authselect/default/nis/dconf-locks
 %{_datadir}/authselect/default/nis/fingerprint-auth
@@ -271,6 +273,9 @@ exit 0
 exit 0
 %changelog
+* Wed Mar 4 2020 Pavel Březina - 1.2-1
+- Rebase to 1.2
+
 * Mon Feb 17 2020 Pavel Březina - 1.1-7
 - fix restoring non-authselect configuration from backup
diff --git a/sources b/sources
index f2bdea2..08d901c 100644
--- a/sources
+++ b/sources
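Review bot: The `Requires: pam >= 1.3.1-23` added in the `@@ -58,6 +52,7 @@` hunk of authselect.spec has no comment saying which pam change it depends on, and the new `%changelog` entry (`- Rebase to 1.2`) does not mention it either. The bound includes a release number, which follows one distribution branch's build numbering, so a later packager cannot tell whether it may be relaxed or has to be raised on another branch. A comment directly above it, e.g. `# <reason: pam feature or fix first shipped in 1.3.1-23>`, would settle that. The line appears to belong to the package section that ends at `%description libs`; that section's header is outside the hunk.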
@@ -1 +1 @@
-SHA512 (authselect-1.1.tar.gz) = 118b308a7a72e56915ca758070174ef47a909ac4609275250ad837d2af8e3c38e7ecab561bcfd955814efcd17bf5bd761c915b6f57f03a78bde2c1040a2a75e4
+SHA512 (authselect-1.2.tar.gz) = 07a7ba4a5b660098aa40f3fd3191ba5f66ac9c3a52e84905b9eb02d56e5dcd589eec8b7d2816e987565f5a1b51eaed53fa04a3e6db061b6e5bd125c5bd5d4415