Merged update from upstream sources

This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/authselect.git#565893483d3c97065effbce23efc2883ea0f62c2
This commit is contained in:
DistroBaker 2021-03-12 00:51:30 +00:00
parent 5548b9643d
commit fe0de896be
8 changed files with 503 additions and 314 deletions


@ -0,0 +1,61 @@
From b75a468d38598920833762a7227b06d73be20709 Mon Sep 17 00:00:00 2001
From: Benjamin Berg <bberg@redhat.com>
Date: Tue, 9 Mar 2021 14:34:22 +0100
Subject: [PATCH] fingerprint: Retain error code returned by pam_fprintd.so
pam_fprintd.so will return PAM_AUTHINFO_UNAVAIL in some situations. It
is important that the fingerprint-auth stack returns this error code, so
that users (i.e. GDM) can tell the difference between an authentication
failure vs. an immediate return because no fingers are enrolled.
Fix this by changing sufficient to required (i.e. default=bad rather
than default=ignore) in order to ensure that the pam_fprintd.so error
code is returned.
---
profiles/nis/fingerprint-auth | 2 +-
profiles/sssd/fingerprint-auth | 2 +-
profiles/winbind/fingerprint-auth | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/profiles/nis/fingerprint-auth b/profiles/nis/fingerprint-auth
index 756993c..f312974 100644
--- a/profiles/nis/fingerprint-auth
+++ b/profiles/nis/fingerprint-auth
@@ -1,7 +1,7 @@
{continue if "with-fingerprint"}
auth required pam_env.so
auth required pam_faillock.so preauth silent {include if "with-faillock"}
-auth sufficient pam_fprintd.so
+auth required pam_fprintd.so
auth required pam_faillock.so authfail {include if "with-faillock"}
auth required pam_deny.so
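Review bot: changing `sufficient` to `required` on the `pam_fprintd.so` line breaks the success path, not only the error path. `sufficient` expands to `[success=done new_authtok_reqd=done default=ignore]` and `required` to `[success=ok new_authtok_reqd=ok ignore=ignore default=bad]`, so the change also turns `success=done` into `success=ok`: after a successful fingerprint match the stack no longer returns but falls through to `auth required pam_faillock.so authfail` and `auth required pam_deny.so`, and `pam_deny.so` fails the whole stack. The commit message only discusses the `default=` half of the table. To keep the short-circuit on success and still propagate `PAM_AUTHINFO_UNAVAIL`, use an explicit control: `auth [success=done default=bad] pam_fprintd.so`.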
diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
index fe3cac7..5ec1673 100644
--- a/profiles/sssd/fingerprint-auth
+++ b/profiles/sssd/fingerprint-auth
@@ -2,7 +2,7 @@
auth required pam_env.so
auth required pam_deny.so # Smartcard authentication is required {include if "with-smartcard-required"}
auth required pam_faillock.so preauth silent {include if "with-faillock"}
-auth sufficient pam_fprintd.so
+auth required pam_fprintd.so
auth required pam_faillock.so authfail {include if "with-faillock"}
auth required pam_deny.so
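Review bot: same issue as in the nis profile: with `required`, a `PAM_SUCCESS` from `pam_fprintd.so` does not end the stack, so with `with-faillock` enabled the `pam_faillock.so authfail` line is reached even after a successful match and tallies it as a failure, and `pam_deny.so` then rejects the login. `[success=done default=bad]` gives the error-code retention the commit message wants without losing the `done` on success.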
diff --git a/profiles/winbind/fingerprint-auth b/profiles/winbind/fingerprint-auth
index c4b8261..07fca0f 100644
--- a/profiles/winbind/fingerprint-auth
+++ b/profiles/winbind/fingerprint-auth
@@ -1,7 +1,7 @@
{continue if "with-fingerprint"}
auth required pam_env.so
auth required pam_faillock.so preauth silent {include if "with-faillock"}
-auth sufficient pam_fprintd.so
+auth required pam_fprintd.so
auth required pam_faillock.so authfail {include if "with-faillock"}
auth required pam_deny.so
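Review bot: as in the nis and sssd profiles, `required` here drops the `success=done` behaviour of `sufficient`, so nothing short-circuits the stack before `pam_deny.so` on a successful match. Whichever control is chosen, keep it identical across the three profiles and verify with an actual fingerprint login that a successful match still authenticates before this ships.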
--
2.29.2
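To make the control-flag argument in the commit message checkable, here is an added example that is not part of the patch or of authselect: a small Python model of how libpam's dispatcher walks an auth stack (the `ok`/`done`/`bad`/`die`/`ignore`/jump actions of pam.conf(5); substacks and `reset` are left out). The stack is the `fingerprint-auth` profile from the patch with the optional `with-faillock` lines omitted, and the module results are constructed: `pam_env.so` always succeeds, `pam_deny.so` always returns `PAM_AUTH_ERR`, and `pam_fprintd.so` returns the value under test. The `[success=done default=bad]` control is the alternative suggested in the review notes, not something the patch contains.

```python
"""Simplified model of Linux-PAM auth-stack dispatch (pam_dispatch.c semantics).

Added example: not authselect code and not part of the patch. It shows what
the application sees for the three pam_fprintd.so controls discussed above.
"""

# Keyword controls expanded to their [value=action] tables, as in pam.conf(5).
KEYWORD_CONTROLS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}


def parse_control(control):
    """Turn a control field into {retval_name: action}; unspecified values are 'bad'."""
    control = KEYWORD_CONTROLS.get(control, control)
    table = {}
    for item in control.strip("[]").split():
        value, action = item.split("=", 1)
        table[value] = action
    table.setdefault("default", "bad")
    return table


def dispatch(stack, results):
    """Run an auth stack.

    stack:   list of (control, module) lines in order
    results: {module: PAM return-value name}, the constructed module outcomes
    Returns the status libpam would hand back to the application.
    """
    impression = None           # None = undecided, True = positive, False = negative
    status = "PAM_PERM_DENIED"  # PAM_MUST_FAIL_CODE: the result if no module decides
    i = 0
    while i < len(stack):
        control, module = stack[i]
        retval = results[module]
        table = parse_control(control)
        action = table.get(retval.lower()[len("pam_"):], table["default"])
        if action in ("ok", "done"):
            # The first positive result fixes the status; later positives only
            # replace a PAM_SUCCESS (so a NEW_AUTHTOK_REQD is not lost).
            if impression is None or (impression is True and status == "PAM_SUCCESS"):
                impression = True
                status = retval
            # 'done' ends the stack only while no required module has failed.
            if impression is True and action == "done":
                break
        elif action in ("bad", "die"):
            # The first failure is the one reported; later failures never override it.
            if impression is not False:
                impression = False
                status = retval
            if action == "die":
                break
        elif action == "ignore":
            pass
        else:
            i += int(action)    # numeric action: skip the next N lines
        i += 1
    return status


def fingerprint_auth_stack(fprintd_control):
    """The nis/sssd/winbind fingerprint-auth stack from the patch, without the
    optional with-faillock lines, with the pam_fprintd.so control as given."""
    return [
        ("required", "pam_env.so"),
        (fprintd_control, "pam_fprintd.so"),
        ("required", "pam_deny.so"),
    ]


def outcomes(fprintd_control):
    """Map each pam_fprintd.so result to the status the application sees."""
    table = {}
    for fprintd_retval in ("PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_AUTHINFO_UNAVAIL"):
        # Constructed module results (assumption: pam_env.so succeeds and
        # pam_deny.so denies, which is what those modules do).
        results = {
            "pam_env.so": "PAM_SUCCESS",
            "pam_fprintd.so": fprintd_retval,
            "pam_deny.so": "PAM_AUTH_ERR",
        }
        table[fprintd_retval] = dispatch(fingerprint_auth_stack(fprintd_control), results)
    return table


if __name__ == "__main__":
    for control in ("sufficient", "required", "[success=done default=bad]"):
        print(f"{control:28s} {outcomes(control)}")
```

Running it shows the three-way trade-off: with `sufficient`, `PAM_AUTHINFO_UNAVAIL` is swallowed and the application gets `PAM_AUTH_ERR` from `pam_deny.so` (the problem the commit message describes); with `required`, the error code survives but a `PAM_SUCCESS` from `pam_fprintd.so` also ends as `PAM_AUTH_ERR`, because nothing stops the stack before `pam_deny.so`; with `[success=done default=bad]`, success short-circuits and the unavailable code is propagated. Adding the `pam_faillock.so authfail` line to the stack would not change these statuses, but with `required` it would be executed after a successful match as well.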


@ -0,0 +1,49 @@
From 41197d567e0ef15cdd50b9e7658e9a0b205e6683 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 4 Mar 2021 11:59:37 +0100
Subject: [PATCH] minimal: add dconf settings to explicitly disable fprint and
smartcard authentication
Resolves:
https://github.com/authselect/authselect/issues/237
---
profiles/Makefile.am | 2 ++
profiles/minimal/dconf-db | 3 +++
profiles/minimal/dconf-locks | 2 ++
3 files changed, 7 insertions(+)
create mode 100644 profiles/minimal/dconf-db
create mode 100644 profiles/minimal/dconf-locks
diff --git a/profiles/Makefile.am b/profiles/Makefile.am
index 5dfab8047fc956babe47180601a0336c0a55d15f..95e27147b2b0a229a76a293884d605484d3fa841 100644
--- a/profiles/Makefile.am
+++ b/profiles/Makefile.am
@@ -9,6 +9,8 @@ dist_profile_minimal_DATA = \
$(top_srcdir)/profiles/minimal/README \
$(top_srcdir)/profiles/minimal/REQUIREMENTS \
$(top_srcdir)/profiles/minimal/system-auth \
+ $(top_srcdir)/profiles/minimal/dconf-db \
+ $(top_srcdir)/profiles/minimal/dconf-locks \
$(NULL)
profile_nisdir = $(authselect_profile_dir)/nis
diff --git a/profiles/minimal/dconf-db b/profiles/minimal/dconf-db
new file mode 100644
index 0000000000000000000000000000000000000000..a3868b794bdf9d8d6edf8363b15cb918539b8926
--- /dev/null
+++ b/profiles/minimal/dconf-db
@@ -0,0 +1,3 @@
+[org/gnome/login-screen]
+enable-smartcard-authentication=false
+enable-fingerprint-authentication=false
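Review bot: the minimal profile's README (listed just above in Makefile.am) is not updated, although selecting this profile now also writes dconf settings that hide smartcard and fingerprint authentication in the GNOME login screen. The keys are unconditional (there is no `{include if ...}` guard in either new file), so document that side effect in the README next to the profile description; the key names do match the lock paths in dconf-locks.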
diff --git a/profiles/minimal/dconf-locks b/profiles/minimal/dconf-locks
new file mode 100644
index 0000000000000000000000000000000000000000..8a36fa9568344338272786394aece872185d0ab3
--- /dev/null
+++ b/profiles/minimal/dconf-locks
@@ -0,0 +1,2 @@
+/org/gnome/login-screen/enable-smartcard-authentication
+/org/gnome/login-screen/enable-fingerprint-authentication
--
2.29.2


@ -1,264 +0,0 @@
From 4b913748e413314b69c315c314c3d07e10471712 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 13 Jul 2020 13:43:03 +0200
Subject: [PATCH 1/2] utils: correctly remove the whole line if `str` does not
point to its beginning
The following scenario triggers a bug when the line is not removed completely
and the two lines are merged instead.
```
BEGINNING {if "condition":true|false} END {include if "condition"}
NEXT LINE
->
BEGINNING falseNEXT LINE
```
This is because `match_string` points after the first condition and we
only remove the line to this point. Therefore we need to iterate
before `match_string` so we can find the real line start.
Resolves:
https://github.com/authselect/authselect/issues/218
---
src/lib/files/system.c | 2 +-
src/lib/util/string.c | 10 ++--
src/lib/util/string.h | 3 +-
src/lib/util/template.c | 16 ++++---
src/tests/test_util_template.c | 84 ++++++++++++++++++++++++++++++++++
5 files changed, 103 insertions(+), 12 deletions(-)
diff --git a/src/lib/files/system.c b/src/lib/files/system.c
index 453e2f4d6fc42ffd2e9bdfc773a38972802c1cb2..ef354b7583914cec07ff3c017394daa5b6cc27e1 100644
--- a/src/lib/files/system.c
+++ b/src/lib/files/system.c
@@ -178,7 +178,7 @@ authselect_system_nsswitch_delete_maps(char **maps,
map_len = m[1].rm_eo - m[1].rm_so;
for (i = 0; maps[i] != NULL; i++) {
if (strncmp(map_name, maps[i], map_len) == 0) {
- string_remove_line(match_string, m[1].rm_so);
+ string_remove_line(content, match_string, m[1].rm_so);
break;
}
}
diff --git a/src/lib/util/string.c b/src/lib/util/string.c
index 0f3936681c6c8af1be940f92a21dfc15dafe4e42..e53a81c250711e5caab8e5f4f751371c332e6b92 100644
--- a/src/lib/util/string.c
+++ b/src/lib/util/string.c
@@ -272,17 +272,21 @@ string_replace_position(char *str, size_t start, size_t end, const char *with)
}
void
-string_remove_line(char *str, size_t inner_position)
+string_remove_line(char *beginning, char *str, size_t inner_position)
{
char *left;
- for (left = str + inner_position; left != str; left--) {
+ /* str may not be the beginning of the line so we need to refer
+ * to iterate until we reach the beginning */
+ for (left = str + inner_position; left != beginning; left--) {
if (*(left - 1) == '\n') {
break;
}
}
- for (; *left != '\0'; left++) {
+ /* Remove the whole line that is in front of our string and then iterate
+ * to the line end or string end. */
+ for (; left < str || *left != '\0'; left++) {
if (*left == '\n') {
*left = '\0';
break;
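Review bot: the forward loop's condition `left < str || *left != '\0'` is only safe if `beginning <= str` and both point into the same NUL-terminated buffer; every caller in this patch passes the buffer start, but the function neither checks nor documents that. Add a guard such as `if (beginning > str) return;` at the top, and reword the comment "we need to refer to iterate until we reach the beginning", which is missing a word, to "we need to walk backwards until we reach the beginning".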
diff --git a/src/lib/util/string.h b/src/lib/util/string.h
index e550d853d3fa0699909b84cc9febdae9d5884b9f..724460e771389ac3c015806111d6052ffbfa7566 100644
--- a/src/lib/util/string.h
+++ b/src/lib/util/string.h
@@ -142,11 +142,12 @@ string_replace_position(char *str, size_t start, size_t end, const char *with);
* When all replacements are done, call @string_replace_shake() to create
* the final string.
*
+ * @param beginning Pointer to the left most character of the string.
* @param str Destination string.
* @param inner_position Position inside the line the will be removed.
*/
void
-string_remove_line(char *str, size_t inner_position);
+string_remove_line(char *beginning, char *str, size_t inner_position);
/**
* Remove string from @from (including) to @to (excluding).
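Review bot: the doc comment keeps the pre-existing typo "Position inside the line the will be removed" while the comment is being edited anyway; fix it to "that will be removed" and state the precondition for the new parameter: @beginning must be the start of the same buffer that @str points into, since the function walks backwards from @str to @beginning.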
diff --git a/src/lib/util/template.c b/src/lib/util/template.c
index f86a26a8344f1c140861f1572b74614604624dd5..12324aa9c16b500f481739a46652f65f98863fed 100644
--- a/src/lib/util/template.c
+++ b/src/lib/util/template.c
@@ -211,6 +211,7 @@ template_match_get_values(const char *match_string,
static errno_t
template_match_replace(char ***features,
+ char *beginning,
char *match_string,
regmatch_t *match,
enum template_operator op,
@@ -231,7 +232,7 @@ template_match_replace(char ***features,
switch (op) {
case OP_CONTINUE:
if (enabled) {
- string_remove_line(match_string, match->rm_so);
+ string_remove_line(beginning, match_string, match->rm_so);
break;
}
@@ -239,7 +240,7 @@ template_match_replace(char ***features,
break;
case OP_STOP:
if (!enabled) {
- string_remove_line(match_string, match->rm_so);
+ string_remove_line(beginning, match_string, match->rm_so);
break;
}
@@ -251,7 +252,7 @@ template_match_replace(char ***features,
break;
}
- string_remove_line(match_string, match->rm_so);
+ string_remove_line(beginning, match_string, match->rm_so);
break;
case OP_EXCLUDE:
if (!enabled) {
@@ -259,7 +260,7 @@ template_match_replace(char ***features,
break;
}
- string_remove_line(match_string, match->rm_so);
+ string_remove_line(beginning, match_string, match->rm_so);
break;
case OP_IMPLY:
if (enabled) {
@@ -269,7 +270,7 @@ template_match_replace(char ***features,
}
}
- string_remove_line(match_string, match->rm_so);
+ string_remove_line(beginning, match_string, match->rm_so);
break;
case OP_IF:
replacement = enabled ? if_true : if_false;
@@ -460,8 +461,9 @@ template_process_operators(const char **features,
goto done;
}
- ret = template_match_replace(&features_copy, match_string, &m[0], op,
- expression, if_true, if_false, value);
+ ret = template_match_replace(&features_copy, content, match_string,
+ &m[0], op, expression,
+ if_true, if_false, value);
if (expression != NULL) {
free(expression);
diff --git a/src/tests/test_util_template.c b/src/tests/test_util_template.c
index 90327ea68d0e09df98befde4835e90350f0c6238..fac3f4c94e3553c71ee538a5725fb0a734f89382 100644
--- a/src/tests/test_util_template.c
+++ b/src/tests/test_util_template.c
@@ -269,6 +269,86 @@ void test_template_imply_if(void **state)
free(result);
}
+void test_template_if_and_include__true(void **state)
+{
+ const char *myfeatures[] = {
+ "true",
+ NULL
+ };
+
+ const char *template =
+ "L1 {if \"f1\":T1|T2} T3 {include if \"true\"} \n"
+ "L2 \n"
+ "";
+ const char *expected =
+ "L1 T2 T3\n"
+ "L2\n"
+ "";
+
+ char *result = template_generate(template, myfeatures);
+ assert_string_equal(expected, result);
+ free(result);
+}
+
+void test_template_if_and_include__false(void **state)
+{
+ const char *myfeatures[] = {
+ NULL
+ };
+
+ const char *template =
+ "L1 {if \"f1\":T1|T2} T3 {include if \"true\"} \n"
+ "L2 \n"
+ "";
+ const char *expected =
+ "L2\n"
+ "";
+
+ char *result = template_generate(template, myfeatures);
+ assert_string_equal(expected, result);
+ free(result);
+}
+
+void test_template_if_and_exclude__true(void **state)
+{
+ const char *myfeatures[] = {
+ "true",
+ NULL
+ };
+
+ const char *template =
+ "L1 {if \"f1\":T1|T2} T3 {exclude if \"true\"} \n"
+ "L2 \n"
+ "";
+ const char *expected =
+ "L2\n"
+ "";
+
+ char *result = template_generate(template, myfeatures);
+ assert_string_equal(expected, result);
+ free(result);
+}
+
+void test_template_if_and_exclude__false(void **state)
+{
+ const char *myfeatures[] = {
+ NULL
+ };
+
+ const char *template =
+ "L1 {if \"f1\":T1|T2} T3 {exclude if \"true\"} \n"
+ "L2 \n"
+ "";
+ const char *expected =
+ "L1 T2 T3\n"
+ "L2\n"
+ "";
+
+ char *result = template_generate(template, myfeatures);
+ assert_string_equal(expected, result);
+ free(result);
+}
+
int main(int argc, const char *argv[])
{
@@ -281,6 +361,10 @@ int main(int argc, const char *argv[])
cmocka_unit_test(test_template_continue_if),
cmocka_unit_test(test_template_list_features),
cmocka_unit_test(test_template_imply_if),
+ cmocka_unit_test(test_template_if_and_include__true),
+ cmocka_unit_test(test_template_if_and_include__false),
+ cmocka_unit_test(test_template_if_and_exclude__true),
+ cmocka_unit_test(test_template_if_and_exclude__false),
};
return cmocka_run_group_tests(tests, NULL, NULL);
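Review bot: the new tests cover `{include if}` and `{exclude if}` after an `{if ...}` on the same line, but the same `string_remove_line()` call was changed for the OP_CONTINUE, OP_STOP and OP_IMPLY branches too; add at least one `{continue if}` / `{stop if}` case preceded by an `{if}` so a regression in those branches is caught. Also add a template whose affected line is the last one without a trailing newline, since the forward loop now only tests `*left != '\0'` once `left` has reached `str`.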
--
2.25.4


@ -1,48 +0,0 @@
From eb4ef2c111b3b439bda66cc0ac8764343e9d6d6f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 20 Jul 2020 11:36:14 +0200
Subject: [PATCH 2/2] profiles: add support for resolved
Resolved is enabled by default since Fedora 33 so we need to reflect
this change in our profiles.
It should be OK to enable it unconditionally. The module is part of
systemd so it basically cannot be uninstalled and it can be safely
disabled through `systemctl disable --now systemd-resolved.service`.
Resolves:
https://github.com/authselect/authselect/issues/221
---
profiles/minimal/nsswitch.conf | 2 +-
profiles/nis/nsswitch.conf | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/profiles/minimal/nsswitch.conf b/profiles/minimal/nsswitch.conf
index a39e4d32ebf79e8bf05f2db5753b01596222dc35..7df28821dbb03eaf986660a016a48051eb91d092 100644
--- a/profiles/minimal/nsswitch.conf
+++ b/profiles/minimal/nsswitch.conf
@@ -2,7 +2,7 @@ aliases: files {exclude if "with-custom
automount: files {exclude if "with-custom-automount"}
ethers: files {exclude if "with-custom-ethers"}
group: files {if "with-altfiles":altfiles }systemd {exclude if "with-custom-group"}
-hosts: files dns myhostname {exclude if "with-custom-hosts"}
+hosts: resolve [!UNAVAIL=return] myhostname files dns {exclude if "with-custom-hosts"}
initgroups: files {exclude if "with-custom-initgroups"}
netgroup: files {exclude if "with-custom-netgroup"}
networks: files {exclude if "with-custom-networks"}
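Review bot: putting `resolve [!UNAVAIL=return]` ahead of `files` and `dns` changes lookup precedence, not just adds a source: whenever systemd-resolved is running, any status it returns other than UNAVAIL (including NOTFOUND) ends the lookup, so `files` and `dns` are only consulted when resolved is stopped, and /etc/hosts is then interpreted by resolved rather than by glibc. That is the systemd-recommended line, but it should be stated in the commit message and the profile README, since `dns` no longer acts as a fallback for names resolved cannot answer.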
diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
index 9bee7d839f84ff39d54cb6ead9dea38e51736b4d..1aaa2d99eb004851eb2413e7722d971d2e3bc7eb 100644
--- a/profiles/nis/nsswitch.conf
+++ b/profiles/nis/nsswitch.conf
@@ -2,7 +2,7 @@ aliases: files nis {exclude if "with-custom-aliases"}
automount: files nis {exclude if "with-custom-automount"}
ethers: files nis {exclude if "with-custom-ethers"}
group: files nis systemd {exclude if "with-custom-group"}
-hosts: files nis dns myhostname {exclude if "with-custom-hosts"}
+hosts: resolve [!UNAVAIL=return] myhostname files dns {exclude if "with-custom-hosts"}
initgroups: files nis {exclude if "with-custom-initgroups"}
netgroup: files nis {exclude if "with-custom-netgroup"}
networks: files nis {exclude if "with-custom-networks"}
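Review bot: this hunk also drops `nis` from the hosts line (`files nis dns myhostname` becomes `resolve [!UNAVAIL=return] myhostname files dns`), which the commit message does not mention. On the NIS profile that silently removes the NIS hosts map from host resolution; if that is intended, say so in the message, otherwise keep `nis` after `files`.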
--
2.25.4


@ -0,0 +1,25 @@
From 2e2a7143cbfa719905cb130a5e67313c65bf3b65 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 30 Oct 2018 14:08:12 +0100
Subject: [PATCH 1/3] rhel9: remove mention of Fedora Change page in compat
tool
---
src/compat/authcompat.py.in.in | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
index f879e08eb94e9620dfc28f245b0ea5815df7e4f2..e4b8c05c6a11a215529ba66f8b36b72a6ac18448 100755
--- a/src/compat/authcompat.py.in.in
+++ b/src/compat/authcompat.py.in.in
@@ -468,7 +468,6 @@ class AuthCompat:
"It does not provide all capabilities of authconfig.\n"))
print(_("IMPORTANT: authconfig is replaced by authselect, "
"please update your scripts."))
- print(_("See Fedora 28 Change Page: https://fedoraproject.org/wiki/Changes/AuthselectAsDefault"))
print(_("See man authselect-migration(7) to help you with migration to authselect"))
options = self.options.getSetButUnsupported()
--
2.29.2


@ -0,0 +1,283 @@
From 6de7d2e033d67f23b33620a2b80f5a6c106bd6f5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 10 Jun 2019 10:53:15 +0200
Subject: [PATCH 2/3] rhel9: remove ecryptfs support
---
profiles/nis/README | 3 ---
profiles/nis/fingerprint-auth | 1 -
profiles/nis/password-auth | 1 -
profiles/nis/postlogin | 4 ----
profiles/nis/system-auth | 1 -
profiles/sssd/README | 3 ---
profiles/sssd/fingerprint-auth | 1 -
profiles/sssd/password-auth | 1 -
profiles/sssd/postlogin | 4 ----
profiles/sssd/smartcard-auth | 1 -
profiles/sssd/system-auth | 1 -
profiles/winbind/README | 3 ---
profiles/winbind/fingerprint-auth | 1 -
profiles/winbind/password-auth | 1 -
profiles/winbind/postlogin | 4 ----
profiles/winbind/system-auth | 1 -
src/compat/authcompat.py.in.in | 1 -
src/compat/authcompat_Options.py | 2 +-
src/man/authselect-migration.7.adoc | 5 ++---
19 files changed, 3 insertions(+), 36 deletions(-)
diff --git a/profiles/nis/README b/profiles/nis/README
index 5dbb9b49fb7708ef3b073aff7e1883e3f9a0bd06..cac3428bf844b0a9d251015988583f4c1b15c3c9 100644
--- a/profiles/nis/README
+++ b/profiles/nis/README
@@ -21,9 +21,6 @@ with-mkhomedir::
Enable automatic creation of home directories for users on their
first login.
-with-ecryptfs::
- Enable automatic per-user ecryptfs.
-
with-fingerprint::
Enable authentication with fingerprint reader through *pam_fprintd*.
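Review bot: removing `with-ecryptfs` from the profile means an existing configuration that was selected with that feature now names a feature the profile no longer defines. The commit should say what happens on upgrade (is the stale feature dropped, or does the next `authselect apply-changes` fail?) and, if needed, add a %post step or a migration note; the README hunk alone does not cover that.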
diff --git a/profiles/nis/fingerprint-auth b/profiles/nis/fingerprint-auth
index 756993cf1b2095f505208df19dd739dcaed1af31..eebec6d0d6edeae6a3eb224f0ff284016b0fc642 100644
--- a/profiles/nis/fingerprint-auth
+++ b/profiles/nis/fingerprint-auth
@@ -13,7 +13,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
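Review bot: the `-session optional pam_systemd.so` line directly under the deletion is unchanged context, not a second removal: the per-file stat at the top of the patch counts one deletion for this file, and the leading dash is PAM's "do not log if the module is missing" prefix that the profile line itself carries. Reviewers reading the rendered diff will misread it; a short note in the commit message that only the `pam_ecryptfs.so` lines go away would avoid that.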
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
index 7997ea8de61ad6392ed01c39727f70253b5cc0ca..9a8ae9cde644a4ac981f4b9553af2f0f428bfebb 100644
--- a/profiles/nis/password-auth
+++ b/profiles/nis/password-auth
@@ -17,7 +17,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/nis/postlogin b/profiles/nis/postlogin
index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
--- a/profiles/nis/postlogin
+++ b/profiles/nis/postlogin
@@ -1,7 +1,3 @@
-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-
-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-
session optional pam_umask.so silent
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
index 057b31e074f29c46b492fa310a954e281631800e..2e7462983d35e4a2f5cef8151ed53baaf7e5c790 100644
--- a/profiles/nis/system-auth
+++ b/profiles/nis/system-auth
@@ -18,7 +18,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/README b/profiles/sssd/README
index 95ef5dc785ed0530122837b5e08d03590ed1ada5..ac063e8d065d0488279dc2381bdd7f8ac361bfcb 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -40,9 +40,6 @@ with-mkhomedir::
Enable automatic creation of home directories for users on their
first login.
-with-ecryptfs::
- Enable automatic per-user ecryptfs.
-
with-smartcard::
Enable authentication with smartcards through SSSD. Please note that
smartcard support must be also explicitly enabled within
diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
index fe3cac7a976845017d034ac1158a38f889926ce8..ad0a95440ebd006ff88264177598c77afc472dda 100644
--- a/profiles/sssd/fingerprint-auth
+++ b/profiles/sssd/fingerprint-auth
@@ -18,7 +18,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index d6953428cca7d6518f63c3fdbaabc4746c35f91b..6d87cbe0a805bf5d3ab2a6192d570b9e5c6dc143 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -27,7 +27,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/postlogin b/profiles/sssd/postlogin
index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
--- a/profiles/sssd/postlogin
+++ b/profiles/sssd/postlogin
@@ -1,7 +1,3 @@
-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-
-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-
session optional pam_umask.so silent
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
diff --git a/profiles/sssd/smartcard-auth b/profiles/sssd/smartcard-auth
index 230269c42508a50ad5b4677ab6514b9afe4d5fbf..874ffaca1b2c15c81adc4ca130c15834154bdc0e 100644
--- a/profiles/sssd/smartcard-auth
+++ b/profiles/sssd/smartcard-auth
@@ -16,7 +16,6 @@ account required pam_permit.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 6f914ea91eb7782d60959ced56112f9cc1365347..dfc53b4ce55a0d575dc4fe68004a846f43360ccc 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -32,7 +32,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/winbind/README b/profiles/winbind/README
index 40a1a459355d2ee8ab98e31d2868cb24261e2c17..0e80bb697f8050ac8eb3c78d4f41945b9bcbba29 100644
--- a/profiles/winbind/README
+++ b/profiles/winbind/README
@@ -33,9 +33,6 @@ with-mkhomedir::
Enable automatic creation of home directories for users on their
first login.
-with-ecryptfs::
- Enable automatic per-user ecryptfs.
-
with-fingerprint::
Enable authentication with fingerprint reader through *pam_fprintd*.
diff --git a/profiles/winbind/fingerprint-auth b/profiles/winbind/fingerprint-auth
index c4b8261ca45d4f6b9eda03ea96850bb32d605d30..6262549af2ca8aed540e7a7e1d97e0ba3b2ef088 100644
--- a/profiles/winbind/fingerprint-auth
+++ b/profiles/winbind/fingerprint-auth
@@ -17,7 +17,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
index bbeca057d49102889e3eeee040ea256dbd751eef..aef4d5ce6a6ec9496deabc1010cde0370a3ecba7 100644
--- a/profiles/winbind/password-auth
+++ b/profiles/winbind/password-auth
@@ -24,7 +24,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/winbind/postlogin b/profiles/winbind/postlogin
index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
--- a/profiles/winbind/postlogin
+++ b/profiles/winbind/postlogin
@@ -1,7 +1,3 @@
-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-
-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-
session optional pam_umask.so silent
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
index 8e6026b782f8bd7e64632a9acedf304bd95f29e1..e4bdd0bf1c315c86cc8064625b80161baa5c455f 100644
--- a/profiles/winbind/system-auth
+++ b/profiles/winbind/system-auth
@@ -25,7 +25,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
index e4b8c05c6a11a215529ba66f8b36b72a6ac18448..4e39b7ec66d0e2ba911c7280467ba78fd29c196c 100755
--- a/src/compat/authcompat.py.in.in
+++ b/src/compat/authcompat.py.in.in
@@ -520,7 +520,6 @@ class AuthCompat:
'smartcard' : 'with-smartcard',
'requiresmartcard' : 'with-smartcard-required',
'fingerprint' : 'with-fingerprint',
- 'ecryptfs' : 'with-ecryptfs',
'mkhomedir' : 'with-mkhomedir',
'faillock' : 'with-faillock',
'pamaccess' : 'with-pamaccess',
diff --git a/src/compat/authcompat_Options.py b/src/compat/authcompat_Options.py
index c8f52ab6773c4cd5371f32121dba8053f3443261..433a3340bac29739174e78928701214c08ec6f3c 100644
--- a/src/compat/authcompat_Options.py
+++ b/src/compat/authcompat_Options.py
@@ -93,7 +93,6 @@ class Options:
Option.Valued ("smartcardaction", _("<0=Lock|1=Ignore>"), _("action to be taken on smart card removal")),
Option.Feature("requiresmartcard",_("require smart card for authentication by default")),
Option.Feature("fingerprint", _("authentication with fingerprint readers by default")),
- Option.Feature("ecryptfs", _("automatic per-user ecryptfs")),
Option.Feature("krb5", _("Kerberos authentication by default")),
Option.Valued ("krb5kdc", _("<server>"), _("default Kerberos KDC")),
Option.Valued ("krb5adminserver", _("<server>"), _("default Kerberos admin server")),
@@ -141,6 +140,7 @@ class Options:
# layers and will produce warning when used. They will not affect
# the system.
Option.UnsupportedFeature("cache"),
+ Option.UnsupportedFeature("ecryptfs"),
Option.UnsupportedFeature("shadow"),
Option.UnsupportedSwitch ("useshadow"),
Option.UnsupportedFeature("md5"),
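Review bot: moving `ecryptfs` to `Option.UnsupportedFeature` is the right call, since `--enableecryptfs` in old authconfig scripts now warns instead of failing. The comment above the list says these options "will not affect the system"; make sure the migration man page says the same for this option, as the row removed there otherwise leaves it undocumented.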
diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc
index 35ba484d576ab8a3d923a124f6b1577085deedd4..a27af036738274d8d392f7fe1f7d59c89e9c4ffb 100644
--- a/src/man/authselect-migration.7.adoc
+++ b/src/man/authselect-migration.7.adoc
@@ -80,7 +80,6 @@ configuration file for required services.
|*Authconfig options* |*Authselect profile feature*
|--enablesmartcard |with-smartcard
|--enablefingerprint |with-fingerprint
-|--enableecryptfs |with-ecryptfs
|--enablemkhomedir |with-mkhomedir
|--enablefaillock |with-faillock
|--enablepamaccess |with-pamaccess
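Review bot: the table row for `--enableecryptfs` is removed, but nothing in the page now tells an admin migrating a script what happens to that option. Since `authcompat_Options.py` keeps `ecryptfs` as an `UnsupportedFeature` that only prints a warning, add a sentence stating that `--enableecryptfs` is accepted and ignored rather than just dropping the row.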
@@ -95,8 +94,8 @@ authselect select sssd with-faillock
authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --updateall
authselect select sssd with-smartcard
-authconfig --enableecryptfs --enablepamaccess --updateall
-authselect select sssd with-ecryptfs with-pamaccess
+authconfig --enablepamaccess --updateall
+authselect select sssd with-pamaccess
authconfig --enablewinbind --enablewinbindauth --winbindjoin=Administrator --updateall
realm join -U Administrator --client-software=winbind WINBINDDOMAIN
--
2.29.2


@ -0,0 +1,58 @@
From 9fc2d8061c811c4522484f4cb62a2025fe9282b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 18 Feb 2021 13:38:53 +0100
Subject: [PATCH 3/3] rhel9: sssd: default to files first for users and groups
The passwd and group databases will now default to files first.
The order "sss files" can be enabled with "with-files-provider"
feature.
---
profiles/sssd/README | 5 +++++
profiles/sssd/REQUIREMENTS | 4 ++++
profiles/sssd/nsswitch.conf | 4 ++--
3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/profiles/sssd/README b/profiles/sssd/README
index ac063e8d065d0488279dc2381bdd7f8ac361bfcb..699d490b90710a53c3959f196b9ef435149a4bd0 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -76,6 +76,11 @@ with-sudo::
with-pamaccess::
Check access.conf during account authorization.
+with-files-domain::
+ If set, SSSD will be contacted before "files" when resolving users and
+ groups. The order in nsswitch.conf will be set to "sss files" instead of
+ "files sss" for passwd and group maps.
+
with-files-access-provider::
If set, account management for local users is handled also by pam_sss. This
is needed if there is an explicitly configured domain with id_provider=files
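Review bot: the commit message calls the feature `with-files-provider`, but the README and nsswitch.conf define `with-files-domain`; fix the message so `git log` matches the documented name. The README entry should also say that `files sss` is now the default order and that the previous default was `sss files`, since that is the change an upgrading admin needs to know about.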
diff --git a/profiles/sssd/REQUIREMENTS b/profiles/sssd/REQUIREMENTS
index cbffac54bbd2598c2a53cd3014ebeb271dad9c57..ba3b3bd0fa143c3cc74d00faaf6ff94a2b4aaf84 100644
--- a/profiles/sssd/REQUIREMENTS
+++ b/profiles/sssd/REQUIREMENTS
@@ -14,3 +14,7 @@ Make sure that SSSD service is configured and enabled. See SSSD documentation fo
- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module {include if "with-mkhomedir"}
is present and oddjobd service is enabled and active {include if "with-mkhomedir"}
- systemctl enable --now oddjobd.service {include if "with-mkhomedir"}
+ {include if "with-files-domain"}
+- with-files-domain is selected, make sure the files provider is enabled in SSSD {include if "with-files-domain"}
+ - set enable_files_domain=true in [sssd] section of /etc/sssd/sssd.conf {include if "with-files-domain"}
+ - or create a custom domain with id_provider=files {include if "with-files-domain"}
\ No newline at end of file
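Review bot: the patch leaves REQUIREMENTS without a trailing newline (`\ No newline at end of file`); add one so the next edit to this file does not show a spurious change on the last line. The line that holds only `{include if "with-files-domain"}` is a conditional blank separator, which is fine, but the `enable_files_domain=true` guidance and the `id_provider=files` alternative should also be mirrored in the README text for the feature, not only here.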
diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
index 9734bbbe68e7cf73a4a560e3573162d353e551e8..91c9fe9ef60fde07d55269247c885db0f738c776 100644
--- a/profiles/sssd/nsswitch.conf
+++ b/profiles/sssd/nsswitch.conf
@@ -1,5 +1,5 @@
-passwd: sss files systemd {exclude if "with-custom-passwd"}
-group: sss files systemd {exclude if "with-custom-group"}
+passwd: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-passwd"}
+group: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-group"}
netgroup: sss files {exclude if "with-custom-netgroup"}
automount: sss files {exclude if "with-custom-automount"}
services: sss files {exclude if "with-custom-services"}
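Review bot: this flips the precedence rule for a name that exists both in /etc/passwd and in an SSSD domain: with `files sss` the local entry (and its UID) wins, where previously the SSSD entry did. That is a security-relevant behaviour change for existing deployments and belongs in the README and the package changelog, not only in the commit subject; it also means the `with-files-domain` name is slightly misleading, since the feature controls nsswitch order rather than the SSSD files domain itself.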
--
2.29.2


@ -3,13 +3,23 @@
Name: authselect
Version: 1.2.2
Release: 2%{?dist}
Release: 6%{?dist}
Summary: Configures authentication and identity sources from supported profiles
URL: https://github.com/authselect/authselect
License: GPLv3+
Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
Patch0001: 0001-minimal-add-dconf-settings-to-explicitly-disable-fpr.patch
Patch0002: 0001-fingerprint-Retain-error-code-returned-by-pam_fprint.patch
### Downstream Patches ###
%if 0%{?rhel}
Patch9001: 9001-rhel9-remove-mention-of-Fedora-Change-page-in-compat.patch
Patch9002: 9002-rhel9-remove-ecryptfs-support.patch
Patch9003: 9003-rhel9-sssd-default-to-files-first-for-users-and-grou.patch
%endif
%global makedir %{_builddir}/%{name}-%{version}
BuildRequires: autoconf
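Review bot: the two patch files deleted in this commit (the `string_remove_line` fix and the resolved `hosts:` change) no longer appear in the Patch list, yet no changelog entry in the range shown (-3 through -6) records dropping them; add a line saying why (for instance that they are contained in the 1.2.2 tarball). Also, `Patch9001`..`Patch9003` are only defined under `%if 0%{?rhel}`; the `%prep` section is not in this hunk, so confirm it applies patches via `%autosetup` or `%autopatch` rather than explicit `%patch9001` lines, which would not resolve on Fedora.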
@ -148,6 +158,8 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%dir %{_datadir}/authselect/default/nis/
%dir %{_datadir}/authselect/default/sssd/
%dir %{_datadir}/authselect/default/winbind/
%{_datadir}/authselect/default/minimal/dconf-db
%{_datadir}/authselect/default/minimal/dconf-locks
%{_datadir}/authselect/default/minimal/nsswitch.conf
%{_datadir}/authselect/default/minimal/password-auth
%{_datadir}/authselect/default/minimal/postlogin
@ -290,6 +302,19 @@ exit 0
exit 0
%changelog
* Tue Mar 09 2021 Benjamin Berg <bberg@redhat.com> - 1.2.2-6
- Add patch to make fingerprint-auth return non-failing pam_fprintd.so errors
Resolves: #1935331
* Thu Mar 4 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.2-5
- minimal: add dconf settings to explicitly disable fingerprint and smartcard authentication
* Wed Feb 24 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.2-4
- Prepare authselect for RHEL-9, add downstream-only patches that will be synced
* Fri Feb 19 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.2-3
- Add RHEL9 only patch
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
@ -393,7 +418,7 @@ exit 0
* Tue Feb 20 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.3-2
- Properly own all appropriate directories
- Remove unneeded %%defattr
- Remove deprecated Group tag
- Remove deprecated Group tag
- Make Obsoletes versioned
- Remove unneeded ldconfig scriptlets
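Review bot: the hunk header `@ -393,7 +418,7 @@` says one line changes, but the old and new `- Remove deprecated Group tag` lines are identical in this rendering, so the change is invisible here (presumably whitespace or a `%%` escape). A whitespace-only edit to an old changelog entry should not ride along in a package update; drop it or mention it in the -6 changelog entry.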