diff --git a/0001-main-Drop-an-unnecessary-NULL-check-before-free.patch b/0001-main-Drop-an-unnecessary-NULL-check-before-free.patch
new file mode 100644
index 0000000..276cf38
--- /dev/null
+++ b/0001-main-Drop-an-unnecessary-NULL-check-before-free.patch
@@ -0,0 +1,36 @@
+From 46386b75fb90ce91ede80093ce73e99fde53ba3b Mon Sep 17 00:00:00 2001
+From: Colin Walters
+Date: Tue, 4 Jan 2022 18:33:30 -0500
+Subject: [PATCH 01/11] main: Drop an unnecessary `NULL` check before `free()`
+
+From `man free()`:
+
+```
+The free() function frees the memory space pointed to by ptr ... If ptr is NULL, no operation is performed.
+```
+
+Obviously there are *tons* of these in the codebase; just doing
+this one as a preliminary PR; if accepted I may do some more, or
+others can. Or we could try a coccinelle semantic patch.
+---
+ src/cli/main.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/src/cli/main.c b/src/cli/main.c
+index 4b8ab8573470c55891d35f50fc9c20d7459776ba..575e56f00edfc35ab4b5368ee40a497016d68cc3 100644
+--- a/src/cli/main.c
++++ b/src/cli/main.c
+@@ -231,9 +231,7 @@ done:
+ free(requirements);
+ authselect_array_free(maps);
+ authselect_profile_free(profile);
+- if (features != NULL) {
+- free(features);
+- }
++ free(features);
+
+ return ret;
+ }
+--
+2.34.1
+
diff --git a/0002-lib-drop-strict-change-detection.patch b/0002-lib-drop-strict-change-detection.patch
new file mode 100644
index 0000000..ac24217
--- /dev/null
+++ b/0002-lib-drop-strict-change-detection.patch
@@ -0,0 +1,376 @@
+From 4c4730ea760ddfed94de55769682356c7f95fd21 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Mon, 31 Jan 2022 11:30:23 +0100
+Subject: [PATCH 02/11] lib: drop strict change detection
+
+One of the main authselect features is to refuse to overwrite user
+changes to the configuration. To do so, it used to validate files and
+directory structure and also files contents.
+
+This however allowed to have a mixed configuration on the system, that
+was created by authselect but then modified by user. This is no longer
+possible and the behavior has changed in a way that any user changes
+made to configuration created by authselect are overwritten without
+requiring the *--force* parameter (files contents are no longer
+validated).
+
+This will make the configuration consistent - users either use
+authselect or not, nothing in between. It also makes authselect work
+on ostree server side, where it is not possible to write to /var.
+---
+ Makefile.am | 2 --
+ rpm/authselect.spec.in | 8 -----
+ src/conf_macros.m4 | 4 ---
+ src/lib/Makefile.am | 2 --
+ src/lib/authselect.c | 27 ++++-----------
+ src/lib/files/config.c | 1 -
+ src/lib/files/system.c | 62 ++-------------------------------
+ src/lib/paths.h | 78 ++++++++++++++++++------------------------
+ 8 files changed, 41 insertions(+), 143 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 0277c6ef6d43e60ea330c465535a88ae405c8630..1c9b88d47f809cb218d19887734769f12b944bb4 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -35,7 +35,6 @@ authselect_custom_dir=@AUTHSELECT_CUSTOM_DIR@
+ authselect_dconf_dir=@AUTHSELECT_DCONF_DIR@
+ authselect_pam_dir=@AUTHSELECT_PAM_DIR@
+ authselect_backup_dir=@AUTHSELECT_BACKUP_DIR@
+-authselect_state_dir=@AUTHSELECT_STATE_DIR@
+
+ install-exec-hook:
+ $(MKDIR_P) $(DESTDIR)$/$(authselect_config_dir)
+@@ -45,7 +44,6 @@ install-exec-hook:
+ $(MKDIR_P) $(DESTDIR)$/$(authselect_dconf_dir)/locks
+ $(MKDIR_P) $(DESTDIR)$/$(authselect_pam_dir)
+ $(MKDIR_P) $(DESTDIR)$/$(authselect_backup_dir)
+- $(MKDIR_P) $(DESTDIR)$/$(authselect_state_dir)
+
+ # Build RPMs
+ RPMBUILD ?= $(PWD)/rpmbuild
+diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in
+index c05c010c916ac095ba021adf87dd6b985c9661a6..9f36d0dcf001f953b8384d54f60af25d71ef0321 100644
+--- a/rpm/authselect.spec.in
++++ b/rpm/authselect.spec.in
+@@ -184,14 +184,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
+ %endif
+ %dir %{_localstatedir}/lib/authselect
+ %ghost %attr(0755,root,root) %{_localstatedir}/lib/authselect/backups/
+-%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/dconf-db
+-%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/dconf-locks
+-%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/fingerprint-auth
+-%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/nsswitch.conf
+-%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/password-auth
+-%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/postlogin
+-%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/smartcard-auth
+-%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/system-auth
+ %ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/user-nsswitch-created
+ %dir %{_datadir}/authselect
+ %dir %{_datadir}/authselect/vendor
+diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
+index 68d8885c0c2d637ae8aaa02e4bd15fab70af5841..17c1629723066b0c4e354051366ce209428af6c1 100644
+--- a/src/conf_macros.m4
++++ b/src/conf_macros.m4
+@@ -58,10 +58,6 @@ CONFIGURABLE_VALUE(backup-dir, backup_dir, AUTHSELECT_BACKUP_DIR, DIR,
+ [Directory where configuration backups should be stored],
+ $localstatedir/lib/authselect/backups)
+
+-CONFIGURABLE_VALUE(state-dir, state_dir, AUTHSELECT_STATE_DIR, DIR,
+- [Directory where authselect state should be stored],
+- $localstatedir/lib/authselect)
+-
+ CONFIGURABLE_VALUE(pythonbin, pythonbin, PYTHON_BIN, PATH,
+ [Path to the python interpreter],
+ $bindir/python3)
+diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am
+index c0bc1cc1439c64c2e096e03020f4464496992878..88411ac51bd8d7c219c3097542e16fa99e0a38a2 100644
+--- a/src/lib/Makefile.am
++++ b/src/lib/Makefile.am
+@@ -43,7 +43,6 @@ authselect_dconf_dir=@AUTHSELECT_DCONF_DIR@
+ authselect_dconf_file=@AUTHSELECT_DCONF_FILE@
+ authselect_dconf_bin=@AUTHSELECT_DCONF_BIN@
+ authselect_backup_dir=@AUTHSELECT_BACKUP_DIR@
+-authselect_state_dir=@AUTHSELECT_STATE_DIR@
+
+ libauthselect_la_SOURCES = \
+ authselect.c \
+@@ -84,7 +83,6 @@ libauthselect_la_CFLAGS = \
+ -DAUTHSELECT_DCONF_FILE=\"$(authselect_dconf_file)\" \
+ -DAUTHSELECT_DCONF_BIN=\"$(authselect_dconf_bin)\" \
+ -DAUTHSELECT_BACKUP_DIR=\"$(authselect_backup_dir)\" \
+- -DAUTHSELECT_STATE_DIR=\"$(authselect_state_dir)\" \
+ $(NULL)
+ libauthselect_la_LDFLAGS = \
+ -Wl,--version-script=$(srcdir)/authselect.exports \
+diff --git a/src/lib/authselect.c b/src/lib/authselect.c
+index a901e02719713bd13d5a4fab606ee713b3d6ddca..b84aa73351448dc5caf802ae7282ebd9aa1c27d7 100644
+--- a/src/lib/authselect.c
++++ b/src/lib/authselect.c
+@@ -103,32 +103,17 @@ authselect_activate(const char *profile_id,
+ goto done;
+ }
+
+- /* First, check that current configuration is valid. */
++ /* Require force if authselect.conf is missing or invalid but otherwise
++ * ignore user changes. */
+ ret = authselect_validate_configuration(&is_valid);
+- if (ret != EOK && ret != ENOENT) {
+- ERROR("Unable to check configuration [%d]: %s", ret, strerror(ret));
+- goto done;
+- }
+-
+- if (!is_valid) {
+- ERROR("Unexpected changes to the configuration were detected.");
+- ERROR("Refusing to activate profile unless those changes are removed "
+- "or overwrite is requested.");
++ if (ret != EOK) {
++ ERROR("%s is missing or unreadable, system was not properly configured "
++ "by authselect.", PATH_CONFIG_FILE);
++ ERROR("Refusing to activate profile unless overwrite is requested.");
+ ret = EEXIST;
+ goto done;
+ }
+
+- /* If no configuration is present, check for existing files. */
+- if (ret == ENOENT) {
+- if (!authselect_symlinks_location_available()) {
+- ERROR("File that needs to be overwritten was found");
+- ERROR("Refusing to activate profile unless this file is removed "
+- "or overwrite is requested.");
+- ret = EEXIST;
+- goto done;
+- }
+- }
+-
+ ret = authselect_profile_activate(profile, features);
+
+ done:
+diff --git a/src/lib/files/config.c b/src/lib/files/config.c
+index 2d95a1223220888a71e103fa0face84fd1c89dbb..8a10ef8c4c4ccd1a047b39b3ff6399fe31d17c73 100644
+--- a/src/lib/files/config.c
++++ b/src/lib/files/config.c
+@@ -142,7 +142,6 @@ authselect_config_locations_writable()
+ {
+ struct authselect_symlink files[] = {
+ {PATH_CONFIG_FILE, NULL, false},
+- {PATH_COPY_SYSTEM, NULL, false},
+ SYMLINK_FILES
+ };
+ bool result = true;
+diff --git a/src/lib/files/system.c b/src/lib/files/system.c
+index b121fc4aa5f0e1482bbbb46055274298c0d6447e..e830942c629f462b3b187a7591a1b9b2c248d9da 100644
+--- a/src/lib/files/system.c
++++ b/src/lib/files/system.c
+@@ -213,19 +213,11 @@ authselect_system_write(const char **features,
+
+ struct authselect_generated generated[] = GENERATED_FILES(files);
+ char *tmp_files[sizeof(generated)/sizeof(struct authselect_generated)] = {NULL};
+- char *tmp_copies[sizeof(generated)/sizeof(struct authselect_generated)] = {NULL};
+
+ /* First, write content into temporary files, so we can safely fail
+ * on error. */
+ now = time(NULL);
+ for (i = 0; generated[i].path != NULL; i++) {
+- ret = authselect_system_write_temp(generated[i].copy_path,
+- generated[i].content,
+- now, &tmp_copies[i]);
+- if (ret != EOK) {
+- goto done;
+- }
+-
+ ret = authselect_system_write_temp(generated[i].path,
+ generated[i].content,
+ now, &tmp_files[i]);
+@@ -241,14 +233,6 @@ authselect_system_write(const char **features,
+ * can fail is EIO which we can not do anything about and we can not
+ * even recover from it.
+ */
+- for (i = 0; generated[i].copy_path != NULL; i++) {
+- ret = authselect_system_rename_temp(&tmp_copies[i],
+- generated[i].copy_path);
+- if (ret != EOK) {
+- goto done;
+- }
+- }
+-
+ for (i = 0; generated[i].path != NULL; i++) {
+ ret = authselect_system_rename_temp(&tmp_files[i], generated[i].path);
+ if (ret != EOK) {
+@@ -261,12 +245,6 @@ authselect_system_write(const char **features,
+ done:
+ if (ret != EOK) {
+ for (i = 0; generated[i].path != NULL; i++) {
+- if (tmp_copies[i] != NULL) {
+- unlink(tmp_copies[i]);
+- free(tmp_copies[i]);
+- tmp_copies[i] = NULL;
+- }
+-
+ if (tmp_files[i] != NULL) {
+ unlink(tmp_files[i]);
+ free(tmp_files[i]);
+@@ -280,46 +258,12 @@ done:
+ }
+
+ static bool
+-authselect_system_validate_file(const char *path,
+- const char *copy_path,
+- const char *expected)
++authselect_system_validate_file(const char *path)
+ {
+- char *content;
+- char *copy_content;
+ errno_t ret;
+ bool bret;
+
+ INFO("Validating file [%s]", path);
+- expected = expected == NULL ? "" : expected;
+-
+- ret = textfile_read(path, AUTHSELECT_FILE_SIZE_LIMIT, &content);
+- if (ret == ENOENT) {
+- ERROR("[%s] does not exist!", path);
+- return false;
+- } else if (ret == EACCES) {
+- ERROR("Unable to read [%s] [%d]: %s", path, ret, strerror(ret));
+- return false;
+- } else if (ret != EOK) {
+- ERROR("Unable to validate file [%s] [%d]: %s", path, ret, strerror(ret));
+- return false;
+- }
+-
+- ret = textfile_read(copy_path, AUTHSELECT_FILE_SIZE_LIMIT, ©_content);
+- if (ret == EOK) {
+- /* Compare against copy of the originally generated files. */
+- INFO("Comparing content against [%s]", copy_path);
+- bret = strcmp(content, copy_content) == 0;
+- free(copy_content);
+- } else {
+- INFO("Comparing content against current profile");
+- bret = template_validate_written_content(content, expected);
+- }
+-
+- free(content);
+- if (!bret) {
+- ERROR("[%s] has unexpected content!", path);
+- return false;
+- }
+
+ ret = file_is_regular(path, AUTHSELECT_UID, AUTHSELECT_GID,
+ S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH, &bret);
+@@ -341,9 +285,7 @@ authselect_system_validate(struct authselect_files *files)
+ int i;
+
+ for (i = 0; generated[i].path != NULL; i++) {
+- bret = authselect_system_validate_file(generated[i].path,
+- generated[i].copy_path,
+- generated[i].content);
++ bret = authselect_system_validate_file(generated[i].path);
+ result &= bret;
+ if (!bret) {
+ WARN("File [%s] was modified outside authselect!",
+diff --git a/src/lib/paths.h b/src/lib/paths.h
+index e6f7b32013a901d35d9d385a3a50dc4868b80d70..ca30b784f8bc63150f46ef08a26ec2bc5bcb3d67 100644
+--- a/src/lib/paths.h
++++ b/src/lib/paths.h
+@@ -56,17 +56,6 @@
+ /* Path to files that can be modified by user. */
+ #define PATH_USER_NSSWITCH AUTHSELECT_CONFIG_DIR "/user-nsswitch.conf"
+
+-/* Paths to copy generated system files. Used to check changes
+- * in configuration. */
+-#define PATH_COPY_SYSTEM AUTHSELECT_STATE_DIR "/" FILE_SYSTEM
+-#define PATH_COPY_PASSWORD AUTHSELECT_STATE_DIR "/" FILE_PASSWORD
+-#define PATH_COPY_FINGERPRINT AUTHSELECT_STATE_DIR "/" FILE_FINGERPRINT
+-#define PATH_COPY_SMARTCARD AUTHSELECT_STATE_DIR "/" FILE_SMARTCARD
+-#define PATH_COPY_POSTLOGIN AUTHSELECT_STATE_DIR "/" FILE_POSTLOGIN
+-#define PATH_COPY_NSSWITCH AUTHSELECT_STATE_DIR "/" FILE_NSSWITCH
+-#define PATH_COPY_DCONF_DB AUTHSELECT_STATE_DIR "/" FILE_DCONF_DB
+-#define PATH_COPY_DCONF_LOCK AUTHSELECT_STATE_DIR "/" FILE_DCONF_LOCK
+-
+ /* Names of symbolic links that points to generated files. */
+ #define PATH_SYMLINK_SYSTEM AUTHSELECT_PAM_DIR "/" FILE_SYSTEM
+ #define PATH_SYMLINK_PASSWORD AUTHSELECT_PAM_DIR "/" FILE_PASSWORD
+@@ -86,47 +75,46 @@
+ * @see GENERATED_FILES, GENERATED_FILES_PATHS */
+ struct authselect_generated {
+ const char *path;
+- const char *copy_path;
+ const char *content;
+ };
+
+-#define GENERATED_FILES(files) \
+-{ \
+- {PATH_SYSTEM, PATH_COPY_SYSTEM, (files)->systemauth}, \
+- {PATH_PASSWORD, PATH_COPY_PASSWORD, (files)->passwordauth}, \
+- {PATH_FINGERPRINT, PATH_COPY_FINGERPRINT, (files)->fingerprintauth}, \
+- {PATH_SMARTCARD, PATH_COPY_SMARTCARD, (files)->smartcardauth}, \
+- {PATH_POSTLOGIN, PATH_COPY_POSTLOGIN, (files)->postlogin}, \
+- {PATH_NSSWITCH, PATH_COPY_NSSWITCH, (files)->nsswitch}, \
+- {PATH_DCONF_DB, PATH_COPY_DCONF_DB, (files)->dconfdb}, \
+- {PATH_DCONF_LOCK, PATH_COPY_DCONF_LOCK, (files)->dconflock}, \
+- {NULL, NULL, NULL} \
++#define GENERATED_FILES(files) \
++{ \
++ {PATH_SYSTEM, (files)->systemauth}, \
++ {PATH_PASSWORD, (files)->passwordauth}, \
++ {PATH_FINGERPRINT, (files)->fingerprintauth}, \
++ {PATH_SMARTCARD, (files)->smartcardauth}, \
++ {PATH_POSTLOGIN, (files)->postlogin}, \
++ {PATH_NSSWITCH, (files)->nsswitch}, \
++ {PATH_DCONF_DB, (files)->dconfdb}, \
++ {PATH_DCONF_LOCK, (files)->dconflock}, \
++ {NULL, NULL} \
+ }
+
+-#define GENERATED_FILES_PATHS \
+-{ \
+- {PATH_SYSTEM, NULL, NULL}, \
+- {PATH_PASSWORD, NULL, NULL}, \
+- {PATH_FINGERPRINT, NULL, NULL}, \
+- {PATH_SMARTCARD, NULL, NULL}, \
+- {PATH_POSTLOGIN, NULL, NULL}, \
+- {PATH_NSSWITCH, NULL, NULL}, \
+- {PATH_DCONF_DB, NULL, NULL}, \
+- {PATH_DCONF_LOCK, NULL, NULL}, \
+- {NULL, NULL, NULL} \
++#define GENERATED_FILES_PATHS \
++{ \
++ {PATH_SYSTEM, NULL}, \
++ {PATH_PASSWORD, NULL}, \
++ {PATH_FINGERPRINT, NULL}, \
++ {PATH_SMARTCARD, NULL}, \
++ {PATH_POSTLOGIN, NULL}, \
++ {PATH_NSSWITCH, NULL}, \
++ {PATH_DCONF_DB, NULL}, \
++ {PATH_DCONF_LOCK, NULL}, \
++ {NULL, NULL} \
+ }
+
+-#define PROFILE_FILES(files) \
+-{ \
+- {FILE_SYSTEM, NULL, (files)->systemauth}, \
+- {FILE_PASSWORD, NULL, (files)->passwordauth}, \
+- {FILE_FINGERPRINT, NULL, (files)->fingerprintauth}, \
+- {FILE_SMARTCARD, NULL, (files)->smartcardauth}, \
+- {FILE_POSTLOGIN, NULL, (files)->postlogin}, \
+- {FILE_NSSWITCH, NULL, (files)->nsswitch}, \
+- {FILE_DCONF_DB, NULL, (files)->dconfdb}, \
+- {FILE_DCONF_LOCK, NULL, (files)->dconflock}, \
+- {NULL, NULL, NULL} \
++#define PROFILE_FILES(files) \
++{ \
++ {FILE_SYSTEM, (files)->systemauth}, \
++ {FILE_PASSWORD, (files)->passwordauth}, \
++ {FILE_FINGERPRINT, (files)->fingerprintauth}, \
++ {FILE_SMARTCARD, (files)->smartcardauth}, \
++ {FILE_POSTLOGIN, (files)->postlogin}, \
++ {FILE_NSSWITCH, (files)->nsswitch}, \
++ {FILE_DCONF_DB, (files)->dconfdb}, \
++ {FILE_DCONF_LOCK, (files)->dconflock}, \
++ {NULL, NULL} \
+ }
+
+ /* Structure to hold information about symbolic link names and destinations.
+--
+2.34.1
+
diff --git a/0003-lib-let-authselect_uninstall-delete-files-from-etc-a.patch b/0003-lib-let-authselect_uninstall-delete-files-from-etc-a.patch
new file mode 100644
index 0000000..43b5b30
--- /dev/null
+++ b/0003-lib-let-authselect_uninstall-delete-files-from-etc-a.patch
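Review bot: In `authselect_activate()` (src/lib/authselect.c hunk) the new `if (ret != EOK)` branch turns every failure of `authselect_validate_configuration()` into `EEXIST` with a "missing or unreadable" message, although the patch 07 context on this page shows that function passing through other codes from `authselect_config_read()`. Callers then see "rerun with overwrite" for an unrelated error; keeping `if (ret != EOK && ret != ENOENT) { ERROR("Unable to check configuration [%d]: %s", ret, strerror(ret)); goto done; }` ahead of the new block would preserve the real code. Separately, `authselect_system_validate_file()` now checks only file type, owner and mode, yet the unchanged `WARN("File [%s] was modified outside authselect!"` in `authselect_system_validate()` still reads like a content check. A comment such as `/* Content is no longer compared; only type, owner and mode are checked. */` above the `file_is_regular()` call would make clear that edits to generated PAM and nsswitch files are not detected here. Both functions continue outside their hunks.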
@@ -0,0 +1,92 @@
+From 87a19680be527ebc8035afc850078ca10000ba7b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Mon, 31 Jan 2022 11:58:57 +0100
+Subject: [PATCH 03/11] lib: let authselect_uninstall delete files from
+ /etc/authselect
+
+This is to ensure that there are no left overs.
+---
+ src/lib/authselect.c | 10 ++++++++++
+ src/lib/files/files.h | 6 ++++++
+ src/lib/files/system.c | 30 ++++++++++++++++++++++++++++++
+ 3 files changed, 46 insertions(+)
+
+diff --git a/src/lib/authselect.c b/src/lib/authselect.c
+index b84aa73351448dc5caf802ae7282ebd9aa1c27d7..62a0fde47d122cea21f3738e7badc2fdb6a7c78b 100644
+--- a/src/lib/authselect.c
++++ b/src/lib/authselect.c
+@@ -142,6 +142,16 @@ authselect_uninstall(void)
+
+ INFO("Symbolic links were successfully removed");
+
++ /* Remove files from /etc/authselect */
++ ret = authselect_files_uninstall();
++ if (ret != EOK) {
++ ERROR("Unable to remove authselect configuration [%d]: %s",
++ ret, strerror(ret));
++ return ret;
++ }
++
++ INFO("Authselect configuration was successfully removed");
++
+ return EOK;
+ }
+
+diff --git a/src/lib/files/files.h b/src/lib/files/files.h
+index d91e80e176ebead21fa24acea5eccc97838bb2a5..9a551b3c0c3da3b241cdd9bd88ed550e1e60c72a 100644
+--- a/src/lib/files/files.h
++++ b/src/lib/files/files.h
+@@ -229,6 +229,12 @@ authselect_symlinks_location_available(void);
+ errno_t
+ authselect_symlinks_uninstall();
+
++/**
++ * Remove files from authselect directory.
++ */
++errno_t
++authselect_files_uninstall(void);
++
+ /**
+ * List all profile directories in a sorted NULL-terminated string array.
+ *
+diff --git a/src/lib/files/system.c b/src/lib/files/system.c
+index e830942c629f462b3b187a7591a1b9b2c248d9da..0cbe2d0a495a98ec24f822b0bd64b7538887f047 100644
+--- a/src/lib/files/system.c
++++ b/src/lib/files/system.c
+@@ -319,3 +319,33 @@ authselect_system_validate_missing()
+
+ return result;
+ }
++
++errno_t
++authselect_files_uninstall()
++{
++ struct authselect_generated generated[] = GENERATED_FILES_PATHS;
++ errno_t ret;
++ int iret;
++ int i;
++
++ errno = 0;
++ iret = unlink(PATH_CONFIG_FILE);
++ if (iret != 0 && errno != ENOENT) {
++ ret = errno;
++ ERROR("Unable to delete [%s] [%d]: %s", PATH_CONFIG_FILE,
++ ret, strerror(ret));
++ return ret;
++ }
++
++ for (i = 0; generated[i].path != NULL; i++) {
++ /* We can ignore errors here. */
++ iret = unlink(generated[i].path);
++ if (iret != 0 && errno != ENOENT) {
++ ret = errno;
++ WARN("Unable to delete [%s] [%d]: %s", generated[i].path,
++ ret, strerror(ret));
++ }
++ }
++
++ return EOK;
++}
+--
+2.34.1
+
diff --git a/0004-cli-add-opt-out-command.patch b/0004-cli-add-opt-out-command.patch
new file mode 100644
index 0000000..f669987
--- /dev/null
+++ b/0004-cli-add-opt-out-command.patch
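Review bot: `authselect_files_uninstall()` always returns `EOK` once authselect.conf is gone, even when `unlink()` of a generated file fails, so `authselect_uninstall()` goes on to log "Authselect configuration was successfully removed" with generated PAM or nsswitch files possibly still on disk. Because `PATH_CONFIG_FILE` is deleted first, a later run presumably has no authselect.conf left to identify those leftovers as authselect's. If best-effort is intended, say so in the files.h doc comment (`Failures to remove generated files are logged and ignored.`); otherwise remember the first failure in the loop with `if (first == EOK) first = ret;` and finish with `return first;`. The leading `errno = 0;` is not needed, since `errno` is only read after `unlink()` has returned non-zero.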
@@ -0,0 +1,107 @@
+From f337c17c359c7264395804e6d15e1c294e458dbe Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Mon, 31 Jan 2022 12:00:00 +0100
+Subject: [PATCH 04/11] cli: add opt-out command
+
+To opt-out from authselect managed configuration.
+---
+ rpm/authselect.spec.in | 2 +-
+ src/cli/authselect-completion.sh | 2 +-
+ src/cli/main.c | 4 +++-
+ src/lib/authselect.c | 6 ++++++
+ src/man/authselect.8.adoc | 14 ++++++++++++++
+ 5 files changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in
+index 9f36d0dcf001f953b8384d54f60af25d71ef0321..6e178b88bc2f19cb17692b029430e3eca13dfbef 100644
+--- a/rpm/authselect.spec.in
++++ b/rpm/authselect.spec.in
+@@ -264,7 +264,7 @@ if [ $1 == 0 ] ; then
+ # deleted safely. If this fail, the uninstallation must fail to avoid
+ # breaking the system by removing PAM files. However, the command can
+ # only fail if it can not write to the file system.
+- %{_bindir}/authselect uninstall
++ %{_bindir}/authselect opt-out
+ fi
+
+ %pre libs
+diff --git a/src/cli/authselect-completion.sh b/src/cli/authselect-completion.sh
+index 84a63c9ec9278417720f6bde270c498a700ca48d..8f03aee850a088cdf77bf3dda3a2cf017e257709 100644
+--- a/src/cli/authselect-completion.sh
++++ b/src/cli/authselect-completion.sh
+@@ -191,7 +191,7 @@ _authselect_completions()
+
+ COMMANDS=(select apply-changes list list-features show requirements current
+ check test enable-feature disable-feature create-profile
+- backup-list backup-remove backup-restore)
++ backup-list backup-remove backup-restore opt-out)
+
+ possibleopts="$(get_option_params)"
+ if [[ "$possibleopts" != "" ]]; then
+diff --git a/src/cli/main.c b/src/cli/main.c
+index 575e56f00edfc35ab4b5368ee40a497016d68cc3..db5f6dc2de6f4f58273f0719f8bb77122edfafe5 100644
+--- a/src/cli/main.c
++++ b/src/cli/main.c
+@@ -967,7 +967,9 @@ int main(int argc, const char **argv)
+ CLI_TOOL_COMMAND("backup-list", "List available backups", CLI_CMD_NONE, backup_list),
+ CLI_TOOL_COMMAND("backup-remove", "Remove backup", CLI_CMD_REQUIRE_ROOT, backup_remove),
+ CLI_TOOL_COMMAND("backup-restore", "Restore from backup", CLI_CMD_REQUIRE_ROOT, backup_restore),
+- CLI_TOOL_COMMAND("uninstall", "Uninstall authselect configuration", CLI_CMD_REQUIRE_ROOT | CLI_CMD_HIDDEN, uninstall),
++ CLI_TOOL_DELIMITER("Other:"),
++ CLI_TOOL_COMMAND("opt-out", "Opt-out from authselect managed configuration", CLI_CMD_REQUIRE_ROOT, uninstall),
++ /* Hidden commands */
+ CLI_TOOL_COMMAND("version", "Print authselect version", CLI_CMD_HIDDEN, version),
+ CLI_TOOL_LAST
+ };
+diff --git a/src/lib/authselect.c b/src/lib/authselect.c
+index 62a0fde47d122cea21f3738e7badc2fdb6a7c78b..6b8edf32a50a06fdaa583146c1b8a549ba17130a 100644
+--- a/src/lib/authselect.c
++++ b/src/lib/authselect.c
+@@ -114,6 +114,12 @@ authselect_activate(const char *profile_id,
+ goto done;
+ }
+
++ if (!is_valid) {
++ ERROR("Changes to the authselect configuration were detected. "
++ "These changes will be overwritten. Please call "
++ "'authselect opt-out' in order to keep them.");
++ }
++
+ ret = authselect_profile_activate(profile, features);
+
+ done:
+diff --git a/src/man/authselect.8.adoc b/src/man/authselect.8.adoc
+index ff6dc1e234580061e059316451a1ed293cd1502e..47e04106543825a4c0995a22c336bd7d2d1f9c81 100644
+--- a/src/man/authselect.8.adoc
++++ b/src/man/authselect.8.adoc
+@@ -37,6 +37,12 @@ automatically generate a backup of your current configuration so if you wish
+ to go back you can restore it with *authselect backup-restore* command
+ (see description below).
+
++OPT-OUT FROM AUTHSELECT
++-----------------------
++To stop authselect from managing your configuration, run *authselect opt-out*.
++This will remove all authselect configuration from your system and you can then
++modify your configuration manually.
++
+ AVAILABLE COMMANDS
+ ------------------
+ To list all available commands run *authselect* without any parameters.
+@@ -232,6 +238,14 @@ These commands can be used to manage backed up configurations.
+ Restore configuration from backup named _BACKUP_. *Note:* this will
+ overwrite current configuration.
+
++OTHER COMMANDS
++--------------
++
++*opt-out*::
++ Remove authselect configuration. This will restore nsswitch and PAM
++ configuration under its system location and authselect will no longer
++ manage it. Run *authselect select* to opt-in again.
++
+ COMMON OPTIONS
+ --------------
+ These options are available with all commands.
+--
+2.34.1
+
diff --git a/0005-lib-make-preambule-more-descriptive.patch b/0005-lib-make-preambule-more-descriptive.patch
new file mode 100644
index 0000000..eb6bf04
--- /dev/null
+++ b/0005-lib-make-preambule-more-descriptive.patch
@@ -0,0 +1,27 @@
+From 4f6f91cf8098053dd855d6b8a1c20fcb8815a90c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Mon, 31 Jan 2022 12:00:29 +0100
+Subject: [PATCH 05/11] lib: make preambule more descriptive
+
+---
+ src/lib/util/template.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/util/template.c b/src/lib/util/template.c
+index 17513dc733016e8b59df5d33fc25794122677211..8ecb0428634ea487e3f6454ec243ebffc7d0fec2 100644
+--- a/src/lib/util/template.c
++++ b/src/lib/util/template.c
+@@ -567,7 +567,9 @@ template_generate_preamble(time_t timestamp)
+ }
+
+ preamble = format("# Generated by authselect on %s\n"
+- "# Do not modify this file manually.\n\n",
++ "# Do not modify this file manually, use authselect instead. Any user changes will be overwritten.\n"
++ "# You can stop authselect from managing your configuration by calling 'authselect opt-out'.\n"
++ "# See authselect(8) for more details.\n\n",
+ trimmed);
+ free(trimmed);
+ if (preamble == NULL) {
+--
+2.34.1
+
diff --git a/0006-spec-own-user-nsswitch-created-only-if-with_user_nss.patch b/0006-spec-own-user-nsswitch-created-only-if-with_user_nss.patch
new file mode 100644
index 0000000..edac15f
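Review bot: The new `!is_valid` branch in `authselect_activate()` (patch 04, src/lib/authselect.c) logs at ERROR level and then falls through to `authselect_profile_activate()`, so the advice to run 'authselect opt-out' is printed when the overwrite is already under way. Since this is no longer a failure path, `WARN(...)` matches what actually happens, and the text could point to the backup instead, assuming the caller created one as the man page context describes. In src/cli/main.c the hidden `uninstall` entry is replaced rather than kept next to `opt-out`, so anything still calling `authselect uninstall` would presumably get an unknown-command error. Keeping `CLI_TOOL_COMMAND("uninstall", "Uninstall authselect configuration", CLI_CMD_REQUIRE_ROOT | CLI_CMD_HIDDEN, uninstall),` under the `/* Hidden commands */` comment would avoid that. `authselect_activate()` and `main()` both continue outside their hunks.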
--- /dev/null
+++ b/0006-spec-own-user-nsswitch-created-only-if-with_user_nss.patch
@@ -0,0 +1,33 @@
+From 4c08cf7b01ea2c219de30f944b08f50663974104 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Mon, 31 Jan 2022 12:15:35 +0100
+Subject: [PATCH 06/11] spec: own user-nsswitch-created only if
+ with_user_nsswitch
+
+---
+ rpm/authselect.spec.in | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in
+index 6e178b88bc2f19cb17692b029430e3eca13dfbef..781d0193c02c9c4c9fa18596caeebe7e02a25a12 100644
+--- a/rpm/authselect.spec.in
++++ b/rpm/authselect.spec.in
+@@ -179,12 +179,12 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
+ %ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/smartcard-auth
+ %ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/system-auth
+ %endif
+-%if %{with_user_nsswitch}
+-%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/user-nsswitch.conf
+-%endif
+ %dir %{_localstatedir}/lib/authselect
+ %ghost %attr(0755,root,root) %{_localstatedir}/lib/authselect/backups/
++%if %{with_user_nsswitch}
++%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/user-nsswitch.conf
+ %ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/user-nsswitch-created
++%endif
+ %dir %{_datadir}/authselect
+ %dir %{_datadir}/authselect/vendor
+ %dir %{_datadir}/authselect/default
+--
+2.34.1
+
diff --git a/0007-cli-check-command-return-6-if-no-configuration-is-de.patch b/0007-cli-check-command-return-6-if-no-configuration-is-de.patch
new file mode 100644
index 0000000..fb71f3f
--- /dev/null
+++ b/0007-cli-check-command-return-6-if-no-configuration-is-de.patch
@@ -0,0 +1,256 @@
+From 3a3df3b409d599682de3936374fc6de9c7163373 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Mon, 31 Jan 2022 12:37:37 +0100
+Subject: [PATCH 07/11] cli: check command return 6 if no configuration is
+ detected
+
+If no configuration is detected at all (no files in /etc/authselect
+and no system configuration is present either) the check command now
+returns 6. This can be used to detect fresh installation.
+---
+ include/authselect.h | 5 +++--
+ src/cli/cli_tool.c | 2 ++
+ src/cli/main.c | 10 ++++++++--
+ src/lib/authselect.c | 13 ++++++++----
+ src/lib/files/config.c | 36 ++++++++++++++++++++++++++++++---
+ src/lib/files/files.h | 42 +++++++++++++++++++++++++--------------
+ src/man/authselect.8.adoc | 1 +
+ 7 files changed, 83 insertions(+), 26 deletions(-)
+
+diff --git a/include/authselect.h b/include/authselect.h
+index 5b6cad122257e3ae9509d5799a02668c6705e978..bf04aace4607f765a5b46185a4e9ef70867f73f6 100644
+--- a/include/authselect.h
++++ b/include/authselect.h
+@@ -192,8 +192,9 @@ authselect_feature_disable(const char *feature);
+ * @return
+ * - 0 if there is an existing authselect configuration, the result of
+ * validation is returned in @_is_valid output variable.
+- * - ENOENT if there is no existing authselect configuration, the result of
+- * validation is returned in @_is_valid output variable.
++ * - ENOENT if there is no existing configuration
++ * - EEXIST if there is existing configuration, not created by authselect,
++ * the result of validation is returned in @_is_valid output variable.
+ * - Other errno code on generic error.
+ */
+ int
+diff --git a/src/cli/cli_tool.c b/src/cli/cli_tool.c
+index 64807af3cb0c3aeb70ff652962dca62a3b99c431..83bc1ef339bdc5e610c930ccb605946f0096fb1a 100644
+--- a/src/cli/cli_tool.c
++++ b/src/cli/cli_tool.c
+@@ -445,6 +445,8 @@ int cli_tool_main(int argc, const char **argv,
+ return 4;
+ case EACCES:
+ return 5;
++ case ENODEV:
++ return 6;
+ }
+
+ /* Generic error. */
+diff --git a/src/cli/main.c b/src/cli/main.c
+index db5f6dc2de6f4f58273f0719f8bb77122edfafe5..afe10097612a06b78f0aa45738dc4f9cc3a4f9c9 100644
+--- a/src/cli/main.c
++++ b/src/cli/main.c
+@@ -349,7 +349,7 @@ static errno_t check(struct cli_cmdline *cmdline)
+ }
+
+ ret = authselect_validate_configuration(&is_valid);
+- if (ret != EOK && ret != ENOENT) {
++ if (ret != EOK && ret != ENOENT && ret != EEXIST) {
+ ERROR("Unable to test current configuration [%d]: %s",
+ ret, strerror(ret));
+
+@@ -367,12 +367,18 @@ static errno_t check(struct cli_cmdline *cmdline)
+ puts(_("Current configuration is valid."));
+ break;
+ case ENOENT:
++ puts(_("No configuration detected."));
++ ret = ENODEV;
++ break;
++ case EEXIST:
+ puts(_("System was not configured with authselect."));
++ ret = ENOENT; /* for backwards compatibility */
+ break;
+ }
+
+ /* EOK = existing configuration is valid,
+- * ENOENT = non-existing configuration is valid */
++ * ENODEV = no configuration detected,
++ * ENOENT = non-authselet configuration is valid */
+ return ret;
+ }
+
+diff --git a/src/lib/authselect.c b/src/lib/authselect.c
+index 6b8edf32a50a06fdaa583146c1b8a549ba17130a..bcb53f03c67c6b822480ad3557919ca75f045949 100644
+--- a/src/lib/authselect.c
++++ b/src/lib/authselect.c
+@@ -271,14 +271,19 @@ authselect_validate_configuration(bool *_is_valid)
+
+ ret = authselect_config_read(&profile_id, &features);
+ if (ret == ENOENT) {
+- *_is_valid = authselect_config_validate_non_existing();
+- return ENOENT;
++ *_is_valid = authselect_config_validate_user();
++
++ if (*_is_valid && authselect_config_validate_missing()) {
++ return ENOENT;
++ }
++
++ return EEXIST;
+ } if (ret != EOK) {
+ return ret;
+ }
+
+- *_is_valid = authselect_config_validate_existing(profile_id,
+- (const char **)features);
++ *_is_valid = authselect_config_validate_authselect(profile_id,
++ (const char **)features);
+
+ free(profile_id);
+ string_array_free(features);
+diff --git a/src/lib/files/config.c b/src/lib/files/config.c
+index 8a10ef8c4c4ccd1a047b39b3ff6399fe31d17c73..c841860e347d08bcfb14ca51c0630b453d186d00 100644
+--- a/src/lib/files/config.c
++++ b/src/lib/files/config.c
+@@ -183,8 +183,8 @@ authselect_config_locations_writable()
+ }
+
+ bool
+-authselect_config_validate_existing(const char *profile_id,
+- const char **features)
++authselect_config_validate_authselect(const char *profile_id,
++ const char **features)
+ {
+ struct authselect_files *files;
+ bool result = true;
+@@ -209,7 +209,7 @@ authselect_config_validate_existing(const char *profile_id,
+ }
+
+ bool
+-authselect_config_validate_non_existing()
++authselect_config_validate_user()
+ {
+ bool result = true;
+
+@@ -218,3 +218,33 @@ authselect_config_validate_non_existing()
+
+ return result;
+ }
++
++bool
++authselect_config_validate_missing()
++{
++ struct authselect_generated generated[] = GENERATED_FILES_PATHS;
++ struct authselect_symlink symlinks[] = {SYMLINK_FILES};
++ errno_t ret;
++ int i;
++
++ ret = file_exists(PATH_CONFIG_FILE);
++ if (ret != ENOENT) {
++ return false;
++ }
++
++ for (i = 0; generated[i].path != NULL; i++) {
++ ret = file_exists(generated[i].path);
++ if (ret != ENOENT) {
++ return false;
++ }
++ }
++
++ for (i = 0; symlinks[i].name != NULL; i++) {
++ ret = file_exists(symlinks[i].name);
++ if (ret != ENOENT) {
++ return false;
++ }
++ }
++
++ return true;
++}
+diff --git a/src/lib/files/files.h b/src/lib/files/files.h
+index 9a551b3c0c3da3b241cdd9bd88ed550e1e60c72a..5eeca3ebf58e730c586d6bf6bf18e22a67218067 100644
+--- a/src/lib/files/files.h
++++ b/src/lib/files/files.h
+@@ -71,7 +71,7 @@ bool
+ authselect_config_locations_writable(void);
+
+ /**
+- * Validate existing configuration.
++ * Validate existing authselect configuration.
+ *
+ * Check that all files are created, readable and with correct content
+ * and that all symbolic links exist.
+@@ -79,8 +79,31 @@ authselect_config_locations_writable(void);
+ * @return True if the configuration is valid, false otherwise.
+ */
+ bool
+-authselect_config_validate_existing(const char *profile_id,
+- const char **features);
++authselect_config_validate_authselect(const char *profile_id,
++ const char **features);
++
++/**
++ * Validate existing non-authselect configuration.
++ *
++ * Check that there are no left overs from previous authselect configuration.
++ * All generated files must be removed and all symbolic links must either not
++ * exists, point to different location or must be other file or directory.
++ *
++ * @return True if the are no left overs, false otherwise.
++ */
++bool
++authselect_config_validate_user(void);
++
++/**
++ * Validate missing configuration.
++ *
++ * Check that there is no configuration at all (there are no authselect and
++ * no system files present).
++ *
++ * @return True if there is no configuration, false otherwise.
++ */
++bool
++authselect_config_validate_missing(void);
+
+ /**
+ * Generate contents of nsswitch.conf.
+@@ -108,18 +131,6 @@ errno_t
+ authselect_nsswitch_find_maps(char *content,
+ char ***_maps);
+
+-/**
+- * Validate non-existing configuration.
+- *
+- * Check that there are no left overs from previous authselect configuration.
+- * All generated files must be removed and all symbolic links must either not
+- * exists, point to different location or must be other file or directory.
+- *
+- * @return True if the are no left overs, false otherwise.
+- */
+-bool
+-authselect_config_validate_non_existing();
+-
+ /**
+ * Read system files templates and return them in files structure.
+ *
+@@ -235,6 +246,7 @@ authselect_symlinks_uninstall();
+ errno_t
+ authselect_files_uninstall(void);
+
++
+ /**
+ * List all profile directories in a sorted NULL-terminated string array.
+ *
+diff --git a/src/man/authselect.8.adoc b/src/man/authselect.8.adoc
+index 47e04106543825a4c0995a22c336bd7d2d1f9c81..9295701619332f23db74c8560b8ac2003a0b6c4d 100644
+--- a/src/man/authselect.8.adoc
++++ b/src/man/authselect.8.adoc
+@@ -363,6 +363,7 @@ The *authselect* can return these exit codes:
+ * 3: Current configuration is not valid, it was edited without authselect.
+ * 4: System configuration must be overwritten to activate an authselect profile, --force parameter is needed.
+ * 5: Executed command must be run as root.
++* 6: No configuration was detected.
+
+ GENERATED FILES
+ ---------------
+--
+2.34.1
+
diff --git a/0008-spec-do-not-backup-non-existing-configuration-on-fre.patch b/0008-spec-do-not-backup-non-existing-configuration-on-fre.patch
new file mode 100644
index 0000000..1e7ac35
--- /dev/null
+++ b/0008-spec-do-not-backup-non-existing-configuration-on-fre.patch
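Review bot: `authselect_validate_configuration()`, declared in the public header include/authselect.h, now returns `EEXIST` where it used to return `ENOENT` for "configured, but not by authselect", and only the CLI `check()` remaps it (`ret = ENOENT; /* for backwards compatibility */`). Library callers that test for `ENOENT` therefore see different behaviour. The header comment should say so, for example `Note: before this change ENOENT was returned for both cases.`, and it is worth confirming that the revision-only `-version-info 4:3:1` bump in patch 09 is the intended signal for this. In `cli_tool_main()` the new `case ENODEV: return 6;` applies to every command rather than only `check`, so a genuine `ENODEV` from any other path would also exit 6, the value the patch 08 scriptlet reads as "fresh install, skip the backup". The comment in `check()` also has a typo, `non-authselet`.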
@@ -0,0 +1,36 @@
+From 919ffffe831d361c1575899ac17c30a428536714 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Mon, 31 Jan 2022 12:43:28 +0100
+Subject: [PATCH 08/11] spec: do not backup non-existing configuration on fresh
+ install
+
+Freshly installed system does not have any configuration files to
+backup.
+---
+ rpm/authselect.spec.in | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in
+index 781d0193c02c9c4c9fa18596caeebe7e02a25a12..dc21389fdc91db3d115699f1db16eb8dc906ac8c 100644
+--- a/rpm/authselect.spec.in
++++ b/rpm/authselect.spec.in
+@@ -312,10 +312,15 @@ if %__grep "OSTREE_VERSION=" /etc/os-release &> /dev/null; then
+ done
+ fi
+
++%{_bindir}/authselect check &> /dev/null
++if [ $? -eq 6 ]; then
++ NOBACKUP="--nobackup"
++fi
++
+ # If we are upgrading from pre authselect-1.3.0 or this is a new installation
+ # select the default configuration.
+ if [ -f %{forcefile} ]; then
+- %{_bindir}/authselect select %{default_profile} --force &> /dev/null
++ %{_bindir}/authselect select %{default_profile} --force $NOBACKUP &> /dev/null
+ %__rm -f %{forcefile}
+ fi
+
+--
+2.34.1
+
diff --git a/0009-lib-bump-soname-version-to-4-3-1.patch b/0009-lib-bump-soname-version-to-4-3-1.patch
new file mode 100644
index 0000000..0dfe13d
--- /dev/null
+++ b/0009-lib-bump-soname-version-to-4-3-1.patch
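Review bot: `NOBACKUP` is assigned only when `authselect check` exits with 6, so on every other path the later `select %{default_profile} --force $NOBACKUP` expands whatever value the scriptlet inherited from its environment. Initialise it before the check with `NOBACKUP=""` so the extra argument can only ever be empty or `--nobackup`. A short comment such as `# exit code 6: no configuration detected, nothing to back up` would also help, since the `--force` run skips the backup on the strength of that one status. The same lines are added to authselect.spec in the `@@ -331,10 +335,15 @@` hunk; the scriptlet itself starts and ends outside this hunk.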
@@ -0,0 +1,27 @@
+From 66e06017494ff092e56373c88787e728ade3d361 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Mon, 31 Jan 2022 12:58:55 +0100
+Subject: [PATCH 09/11] lib: bump soname version to 4:3:1
+
+Algorithm used:
+https://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html
+---
+ src/lib/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am
+index 88411ac51bd8d7c219c3097542e16fa99e0a38a2..365da957a3ee8cd2e5abebc2a5190844f47d4879 100644
+--- a/src/lib/Makefile.am
++++ b/src/lib/Makefile.am
+@@ -86,7 +86,7 @@ libauthselect_la_CFLAGS = \
+ $(NULL)
+ libauthselect_la_LDFLAGS = \
+ -Wl,--version-script=$(srcdir)/authselect.exports \
+- -version-info 4:2:1
++ -version-info 4:3:1
+
+ pkgconfigdir = $(libdir)/pkgconfig
+ pkgconfig_DATA = \
+--
+2.34.1
+
diff --git a/0010-spec-fix-detection-of-ostree-system.patch b/0010-spec-fix-detection-of-ostree-system.patch
new file mode 100644
index 0000000..a6f7089
--- /dev/null
+++ b/0010-spec-fix-detection-of-ostree-system.patch
@@ -0,0 +1,28 @@
+From e12f91ecaf437315c02d74aef9d08a5def140d6c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Tue, 1 Feb 2022 09:57:01 +0100
+Subject: [PATCH 10/11] spec: fix detection of ostree system
+
+The information in /etc/os-release may not be available if the system
+has not yet been mutated into ostree. This may happen during initial
+compose.
+---
+ rpm/authselect.spec.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in
+index dc21389fdc91db3d115699f1db16eb8dc906ac8c..fa01d4508b34023ad36d7bbfc6ffb05c517a9198 100644
+--- a/rpm/authselect.spec.in
++++ b/rpm/authselect.spec.in
+@@ -301,7 +301,7 @@ fi
+
+ # Keep nss-altfiles for all rpm-ostree based systems.
+ # See https://github.com/authselect/authselect/issues/48
+-if %__grep "OSTREE_VERSION=" /etc/os-release &> /dev/null; then
++if test -e /run/ostree-booted; then
+ for PROFILE in `ls %{_datadir}/authselect/default`; do
+ %{_bindir}/authselect create-profile $PROFILE --vendor --base-on $PROFILE --symlink-pam --symlink-dconf --symlink=REQUIREMENTS --symlink=README &> /dev/null
+ %if %{with_user_nsswitch}
+--
+2.34.1
+
diff --git a/0011-spec-remove-unnecessary-dependencies.patch b/0011-spec-remove-unnecessary-dependencies.patch
new file mode 100644
index 0000000..cb897a3
--- /dev/null
+++ b/0011-spec-remove-unnecessary-dependencies.patch
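Review bot: The comment above the new `if test -e /run/ostree-booted; then` line still says only "Keep nss-altfiles for all rpm-ostree based systems", so the reason for testing a marker file instead of /etc/os-release survives only in the commit message. I would add a line above the `if`, for example `# /etc/os-release may not carry OSTREE_VERSION during initial compose; test the ostree marker file instead.` The `if` block continues outside this hunk, so whether anything else in the scriptlet still reads /etc/os-release cannot be seen from here.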
@@ -0,0 +1,39 @@
+From 33230db31309b08a4e332fc5ee49f440871b7ee8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Tue, 1 Feb 2022 09:58:29 +0100
+Subject: [PATCH 11/11] spec: remove unnecessary dependencies
+
+- gawk, findutils and grep are no longer needed in scriptlets
+- systemd does not have to be required
+
+PAM and nsswitch.conf from shipped profiles references several
+systemd modules. However if those modules are not installed,
+they are simply ignored, therefore this dependency can be
+omitted.
+
+systemd is usually installed anyway, but it is not necessary to
+pull it in on cases when it is not desired, such as in containers.
+---
+ rpm/authselect.spec.in | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in
+index fa01d4508b34023ad36d7bbfc6ffb05c517a9198..c11dfa510307e951ec6f9aa15dfe2dd4b19cd2f9 100644
+--- a/rpm/authselect.spec.in
++++ b/rpm/authselect.spec.in
+@@ -72,11 +72,8 @@ supported by authselect.
+ Summary: Utility library used by the authselect tool
+ # Required by scriptlets
+ Requires: coreutils
+-Requires: findutils
+-Requires: gawk
+-Requires: grep
+ Requires: sed
+-Requires: systemd
++Suggests: systemd
+ %if %{enforce_authselect}
+ # authselect now owns nsswitch.conf (glibc) and pam files
+ Conflicts: pam < 1.5.2-8
+--
+2.34.1
+
diff --git a/authselect.spec b/authselect.spec
index 6659df0..b986b08 100644
--- a/authselect.spec
+++ b/authselect.spec
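Review bot: Downgrading `Requires: systemd` to `Suggests: systemd` is only safe if every systemd module line in the shipped PAM profiles tolerates a missing module, and this hunk does not show those profiles. As far as I know libpam treats a module it cannot load as a failure unless the line is `optional` or carries the `-` prefix, so a `required` or `requisite` entry would break logins on hosts without systemd instead of being ignored. After checking the profiles I would record the assumption next to the dependency, e.g. `# systemd modules in shipped profiles are optional; missing ones are skipped`. The commit message also says gawk, findutils and grep are no longer used by scriptlets; the scriptlets are outside this hunk, so it is worth confirming that no `%__grep`, awk or find call remains in them.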
@@ -3,13 +3,25 @@ Name: authselect Version: 1.3.0 -Release: 8%{?dist} +Release: 9%{?dist} Summary: Configures authentication and identity sources from supported profiles URL: https://github.com/authselect/authselect License: GPLv3+ Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz +Patch0001: 0001-main-Drop-an-unnecessary-NULL-check-before-free.patch +Patch0002: 0002-lib-drop-strict-change-detection.patch +Patch0003: 0003-lib-let-authselect_uninstall-delete-files-from-etc-a.patch +Patch0004: 0004-cli-add-opt-out-command.patch +Patch0005: 0005-lib-make-preambule-more-descriptive.patch +Patch0006: 0006-spec-own-user-nsswitch-created-only-if-with_user_nss.patch +Patch0007: 0007-cli-check-command-return-6-if-no-configuration-is-de.patch +Patch0008: 0008-spec-do-not-backup-non-existing-configuration-on-fre.patch +Patch0009: 0009-lib-bump-soname-version-to-4-3-1.patch +Patch0010: 0010-spec-fix-detection-of-ostree-system.patch +Patch0011: 0011-spec-remove-unnecessary-dependencies.patch + %global makedir %{_builddir}/%{name}-%{version} %if 0%{?fedora} >= 35 || 0%{?rhel} >= 10 
@@ -176,20 +188,12 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \; %ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/smartcard-auth %ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/system-auth %endif -%if %{with_user_nsswitch} -%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/user-nsswitch.conf -%endif %dir %{_localstatedir}/lib/authselect %ghost %attr(0755,root,root) %{_localstatedir}/lib/authselect/backups/ -%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/dconf-db -%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/dconf-locks -%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/fingerprint-auth -%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/nsswitch.conf -%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/password-auth -%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/postlogin -%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/smartcard-auth -%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/system-auth +%if %{with_user_nsswitch} +%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/user-nsswitch.conf %ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/user-nsswitch-created +%endif %dir %{_datadir}/authselect %dir %{_datadir}/authselect/vendor %dir %{_datadir}/authselect/default @@ -269,7 +273,7 @@ if [ $1 == 0 ] ; then # deleted safely. If this fail, the uninstallation must fail to avoid # breaking the system by removing PAM files. However, the command can # only fail if it can not write to the file system. - %{_bindir}/authselect uninstall + %{_bindir}/authselect opt-out fi %if %{enforce_authselect} 
@@ -331,10 +335,15 @@ if test -e /run/ostree-booted; then done fi +%{_bindir}/authselect check &> /dev/null +if [ $? -eq 6 ]; then + NOBACKUP="--nobackup" +fi + # If we are upgrading from pre authselect-1.3.0 or this is a new installation # select the default configuration. if [ -f %{forcefile} ]; then - %{_bindir}/authselect select %{default_profile} --force &> /dev/null + %{_bindir}/authselect select %{default_profile} --force $NOBACKUP &> /dev/null %__rm -f %{forcefile} fi @@ -344,6 +353,10 @@ fi exit 0 %changelog +* Thu Feb 3 2022 Pavel Březina - 1.3.0-9 +- Make authselect compatible with ostree (#2034360) +- Authselect now requires explicit opt-out if users don't want to use it (#2051545) + * Wed Jan 19 2022 Fedora Release Engineering - 1.3.0-8 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild