Make users with nologin as their shell fail to login

Resolves: #2015519
2021-10-25 13:22:16 -04:00 · 2021-10-25 13:22:16 -04:00 · 39ea6b6f8c
parent 2c3198a352
commit 39ea6b6f8c
2 changed files with 73 additions and 6 deletions
--- a/0001-gnome-session-don-t-validate-shell-before-using-it.patch
+++ b/0001-gnome-session-don-t-validate-shell-before-using-it.patch
@ -0,0 +1,57 @@
+From 63d74edc4b112669fdce14d88d37e2dd0315ff7e Mon Sep 17 00:00:00 2001
+From: Ray Strode <rstrode@redhat.com>
+Date: Tue, 19 Nov 2019 09:29:16 -0500
+Subject: [PATCH] gnome-session: don't validate shell before using it
+
+Users sometimes set their shell to an invalid shell to prevent
+login from proceeding.
+
+GNOME on Wayland still allows login in these cases.
+
+This commit makes the behavior match expectations by skipping
+shell validity checks when deciding to run though a login shell.
+---
+ gnome-session/gnome-session.in | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/gnome-session/gnome-session.in b/gnome-session/gnome-session.in
+index ddd1a591..b4b1f8fa 100755
+--- a/gnome-session/gnome-session.in
+++ b/gnome-session/gnome-session.in
+@@ -1,32 +1,29 @@
+ #!/bin/sh
+ 
+ if [ "x$XDG_SESSION_TYPE" = "xwayland" ] &&
+    [ "x$XDG_SESSION_CLASS" != "xgreeter" ] &&
+-   [  -n "$SHELL" ] &&
+-   grep -q "$SHELL" /etc/shells &&
+-   ! (echo "$SHELL" | grep -q "false") &&
+-   ! (echo "$SHELL" | grep -q "nologin"); then
+   [  -n "$SHELL" ]; then
+   if [ "$1" != '-l' ]; then
+     exec bash -c "exec -l '$SHELL' -c '$0 -l $*'"
+   else
+     shift
+   fi
+ fi
+ 
+ SETTING=$(G_MESSAGES_DEBUG='' gsettings get org.gnome.system.locale region)
+ REGION=${SETTING#\'}
+ REGION=${REGION%\'}
+ 
+ if [ -n "$REGION" ]; then
+   unset LC_TIME LC_NUMERIC LC_MONETARY LC_MEASUREMENT LC_PAPER
+ 
+   if [ "$LANG" != "$REGION" ] ; then
+     export LC_TIME=$REGION
+     export LC_NUMERIC=$REGION
+     export LC_MONETARY=$REGION
+     export LC_MEASUREMENT=$REGION
+     export LC_PAPER=$REGION
+   fi
+ fi
+ 
+ exec @libexecdir@/gnome-session-binary "$@"
+-- 
+2.32.0
+
--- a/gnome-session.spec
+++ b/gnome-session.spec
@ -9,7 +9,7 @@

 Name: gnome-session
 Version: 40.1.1
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: GNOME session manager

 License: GPLv2+
@ -19,15 +19,21 @@ Source1: gnome.desktop
 Source2: gnome-xorg.desktop

 # Blacklist NV30: https://bugzilla.redhat.com/show_bug.cgi?id=745202
-Patch1: gnome-session-3.3.92-nv30.patch
-Patch3: gnome-session-3.6.2-swrast.patch
+Patch10001: gnome-session-3.3.92-nv30.patch
+
+Patch20001: gnome-session-3.6.2-swrast.patch
+
 # https://bugzilla.gnome.org/show_bug.cgi?id=772421
-Patch4: 0001-check-accelerated-gles-Use-eglGetPlatformDisplay-EXT.patch
+Patch30001: 0001-check-accelerated-gles-Use-eglGetPlatformDisplay-EXT.patch
+
 # For https://fedoraproject.org/w/index.php?title=Changes/HiddenGrubMenu
 # This should go upstream once systemd has a generic interface for this
-Patch5: 0001-Fedora-Set-grub-boot-flags-on-shutdown-reboot.patch
+Patch40001: 0001-Fedora-Set-grub-boot-flags-on-shutdown-reboot.patch
+
 # subscription manager support
-Patch6: subscription-manager-support.patch
+Patch50001: subscription-manager-support.patch
+
+Patch60001: 0001-gnome-session-don-t-validate-shell-before-using-it.patch

 BuildRequires: meson
 BuildRequires: gcc
@ -139,6 +145,10 @@ cp $RPM_SOURCE_DIR/gnome-xorg.desktop $RPM_BUILD_ROOT%{_datadir}/xsessions/gnome
 %{_userunitdir}/gnome-launched-.scope.d/

 %changelog
+* Mon Oct 25 2021 Ray Strode <rstrode@redhat.com> - 40.1.1-5
+- Make users with nologin as their shell fail to login
+  Resolves: #2015519
+
 * Mon Sep 06 2021 Kalev Lember <klember@redhat.com> - 40.1.1-4
 - Forward port subscription manager support from RHEL 8
 - Resolves: #1937113