- Fix autologin

fix-autologin.patch

@@ -0,0 +1,154 @@
+From 0a7779b47319eb47b4d5d51f6eb653434c204c29 Mon Sep 17 00:00:00 2001
+From: Ray Strode <rstrode@redhat.com>
+Date: Tue, 30 Aug 2016 16:10:19 -0400
+Subject: [PATCH 1/2] pam_gdm: return AUTHINFO_UNAVAIL if kernel keyring
+ unavailable
+
+right now we return PAM_SUCCESS if keyutils are unavailable.
+This is the wrong default, we should fail if we aren't able to
+get the password.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=770612
+---
+ pam_gdm/pam_gdm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pam_gdm/pam_gdm.c b/pam_gdm/pam_gdm.c
+index 7beb04e..f491b8d 100644
+--- a/pam_gdm/pam_gdm.c
++++ b/pam_gdm/pam_gdm.c
+@@ -31,61 +31,61 @@
+ #include <keyutils.h>
+ #endif
+ 
+ int
+ pam_sm_authenticate (pam_handle_t  *pamh,
+                      int            flags,
+                      int            argc,
+                      const char   **argv)
+ {
+ #ifdef HAVE_KEYUTILS
+         int r;
+         void *cached_password = NULL;
+         key_serial_t serial;
+ 
+         serial = find_key_by_type_and_desc ("user", "cryptsetup", 0);
+         if (serial == 0)
+                 return PAM_AUTHINFO_UNAVAIL;
+ 
+         r = keyctl_read_alloc (serial, &cached_password);
+         if (r < 0)
+                 return PAM_AUTHINFO_UNAVAIL;
+ 
+         r = pam_set_item (pamh, PAM_AUTHTOK, cached_password);
+ 
+         free (cached_password);
+ 
+         if (r < 0)
+                 return PAM_AUTH_ERR;
+ #endif
+ 
+-        return PAM_SUCCESS;
++        return PAM_AUTHINFO_UNAVAIL;
+ }
+ 
+ int
+ pam_sm_setcred (pam_handle_t *pamh,
+                 int           flags,
+                 int           argc,
+                 const char  **argv)
+ {
+         return PAM_SUCCESS;
+ }
+ 
+ int
+ pam_sm_acct_mgmt (pam_handle_t  *pamh,
+                   int            flags,
+                   int            argc,
+                   const char   **argv)
+ {
+         return PAM_SUCCESS;
+ }
+ 
+ int
+ pam_sm_chauthtok (pam_handle_t  *pamh,
+                   int            flags,
+                   int            argc,
+                   const char   **argv)
+ {
+         return PAM_SUCCESS;
+ }
+ 
+ int
+-- 
+2.7.4
+
+
+From 5716de2c0ec11a77c279c6952ea76d173d46b0e3 Mon Sep 17 00:00:00 2001
+From: Ray Strode <rstrode@redhat.com>
+Date: Tue, 30 Aug 2016 15:58:15 -0400
+Subject: [PATCH 2/2] pam: don't call into pam_unix if pam_gdm fails for
+ autolgoin
+
+If pam_gdm fails we shouldn't call into pam_unix since it can lead
+to the system asking for a password, and autologin isn't equipped for
+that.
+
+This commit changes the pam configuration to jump to pam_permit if
+pam_gdm fails.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=770612
+---
+ data/pam-exherbo/gdm-autologin.pam | 4 ++--
+ data/pam-redhat/gdm-autologin.pam  | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/data/pam-exherbo/gdm-autologin.pam b/data/pam-exherbo/gdm-autologin.pam
+index afde048..61f8e54 100644
+--- a/data/pam-exherbo/gdm-autologin.pam
++++ b/data/pam-exherbo/gdm-autologin.pam
+@@ -1,15 +1,15 @@
+ # mirrors system-auth / system(-local)-login
+ # except for the authentication method, which is:
+ # always permit login
+ 
+-auth        optional    pam_gdm.so
++auth        [success=ok default=2] pam_gdm.so
+ auth        substack    system-local-login
+-auth        sufficient  pam_permit.so
+ -auth       optional    pam_gnome_keyring.so
++auth        sufficient  pam_permit.so
+ 
+ account     include     system-local-login
+ 
+ password    include     system-local-login
+ 
+ session     include     system-local-login
+ -session    optional    pam_gnome_keyring.so auto_start
+diff --git a/data/pam-redhat/gdm-autologin.pam b/data/pam-redhat/gdm-autologin.pam
+index c2efea8..fbc9d9c 100644
+--- a/data/pam-redhat/gdm-autologin.pam
++++ b/data/pam-redhat/gdm-autologin.pam
+@@ -1,18 +1,18 @@
+  #%PAM-1.0
+-auth       optional    pam_gdm.so
++auth       [success=ok default=2]    pam_gdm.so
+ auth       substack    password-auth
+ auth       optional    pam_gnome_keyring.so
+ auth       sufficient  pam_permit.so
+ auth       include     postlogin
+ account    required    pam_nologin.so
+ account    include     system-auth
+ password   include     system-auth
+ session    required    pam_selinux.so close
+ session    required    pam_loginuid.so
+ session    optional    pam_console.so
+ session    required    pam_selinux.so open
+ session    optional    pam_keyinit.so force revoke
+ session    required    pam_namespace.so
+ session    include     system-auth
+ session    optional    pam_gnome_keyring.so auto_start
+ session    include     postlogin
+-- 
+2.7.4
+

gdm.spec

@@ -10,7 +10,7 @@
 Summary: The GNOME Display Manager
 Name: gdm
 Version: 3.21.90
-Release: 1%{?dist}
+Release: 2%{?dist}
 Epoch: 1
 License: GPLv2+
 Group: User Interface/X
@@ -86,6 +86,8 @@ Provides: gdm-plugin-smartcard = %{epoch}:%{version}-%{release}
 Obsoletes: gdm-plugin-fingerprint < 1:3.2.1
 Provides: gdm-plugin-fingerprint = %{epoch}:%{version}-%{release}
 
+Patch0: fix-autologin.patch
+
 %description
 GDM provides the graphical login screen, shown shortly after boot up,
 log out, and when user-switching.
@@ -101,6 +103,7 @@ files needed to build custom greeters.
 
 %prep
 %setup -q
+%patch0 -p1 -b .fix-autologin
 
 autoreconf -i -f
 intltoolize -f
@@ -295,6 +298,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor >&/dev/null || :
 %{_libdir}/pkgconfig/gdm.pc
 
 %changelog
+* Tue Aug 30 2016 Ray Strode <rstrode@redhat.com> - 1:3.21.90-2
+- Fix autologin
+
 * Tue Aug 23 2016 Kalev Lember <klember@redhat.com> - 1:3.21.90-1
 - Update to 3.21.90