From 1d8ac5d19c237f73209177d33edb379ed8006bdb Mon Sep 17 00:00:00 2001 From: Benjamin Berg Date: Fri, 16 Apr 2021 15:56:08 +0200 Subject: [PATCH] Add script to avoid fingerprint-auth issues for long term Fedora users Resolves: #1942443 --- pam.spec | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/pam.spec b/pam.spec index d87b6c3..10e85ec 100644 --- a/pam.spec +++ b/pam.spec @@ -3,7 +3,7 @@ Summary: An extensible library which provides authentication for applications Name: pam Version: 1.5.1 -Release: 4%{?dist} +Release: 5%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ # - this option is redundant as the BSD license allows that anyway. # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+. @@ -361,7 +361,26 @@ done %doc doc/txts %doc doc/sag/*.txt doc/sag/html +%posttrans + +# For people upgrading from older Fedora versions, authselect might not be +# enabled or unable to do anything due to e.g. a modified nsswitch.conf. +# The following snippets apply important fixes in those cases. + +# Change pam_fprintd.so in fingerprint-auth from sufficient to [success=done default=bad] +# in order for PAM_AUTHINFO_UNAVAIL error codes to be propagated. +FILE="$(readlink -f %{_sysconfdir}/pam.d/fingerprint-auth || echo %{_sysconfdir}/pam.d/fingerprint-auth)" +test "$FILE" != %{_sysconfdir}/authselect/fingerprint-auth && \ + %__grep -q '^auth[[:space:]]\+sufficient[[:space:]]\+pam_fprintd.so' $FILE && \ + %__sed -i.bak -e 's/^auth[[:space:]]\+sufficient[[:space:]]\+pam_fprintd.so\(.*\)/auth [success=done default=bad] pam_fprintd.so\1/g' $FILE + +exit 0 + %changelog +* Fri Apr 16 2021 Benjamin Berg - 1.5.1-5 +- Add script to avoid fingerprint-auth issues for long term Fedora users + Resolves: #1942443 + * Mon Apr 12 2021 Iker Pedrosa - 1.5.1-4 - Change fingerprint-auth.pamd to return PAM_AUTHINFO_UNAVAIL from pam_fprintd.so - Clean auto-generated message from pam stack files