diff --git a/0001-pam-align-second-and-third-columns.patch b/0001-pam-align-second-and-third-columns.patch
new file mode 100644
index 0000000..8ab341b
--- /dev/null
+++ b/0001-pam-align-second-and-third-columns.patch
@@ -0,0 +1,48 @@
+From 9efb224443d819b7d64ec76cb94c8aa625a8abf2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Wed, 23 Nov 2022 16:05:48 +0100
+Subject: [PATCH 1/2] pam: align second and third columns
+
+In our template file, we have jinja2 template markers, so the file
+looks fairly messy. But once it's rendered, it looks pretty clean, except
+that the columns are unaligned becuase of "-" in some lines in the first
+column. Let's make them aligned.
+---
+ src/login/systemd-user.in | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
+index 39bcbd71fe..d5597d28cb 100644
+--- a/src/login/systemd-user.in
++++ b/src/login/systemd-user.in
+@@ -4,18 +4,18 @@
+ # Used by systemd --user instances.
+ 
+ {% if ENABLE_HOMED %}
+--account sufficient pam_systemd_home.so
++-account sufficient pam_systemd_home.so
+ {% endif %}
+-account sufficient pam_unix.so no_pass_expiry
+-account required pam_permit.so
++account sufficient pam_unix.so no_pass_expiry
++account required pam_permit.so
+ 
+ {% if HAVE_SELINUX %}
+-session required pam_selinux.so close
+-session required pam_selinux.so nottys open
++session required pam_selinux.so close
++session required pam_selinux.so nottys open
+ {% endif %}
+-session required pam_loginuid.so
+-session optional pam_keyinit.so force revoke
++session required pam_loginuid.so
++session optional pam_keyinit.so force revoke
+ {% if ENABLE_HOMED %}
+--session optional pam_systemd_home.so
++-session optional pam_systemd_home.so
+ {% endif %}
+-session optional pam_systemd.so
++session optional pam_systemd.so
+--
+2.38.1
+
diff --git a/0002-pam-add-a-call-to-pam_namespace.patch b/0002-pam-add-a-call-to-pam_namespace.patch
new file mode 100644
index 0000000..51564d9
--- /dev/null
+++ b/0002-pam-add-a-call-to-pam_namespace.patch
@@ -0,0 +1,41 @@
+From 0ef48896d9f23b9fd547a532a4e6e6b8f8b12901 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Wed, 23 Nov 2022 16:09:56 +0100
+Subject: [PATCH 2/2] pam: add a call to pam_namespace
+
+A call to pam_namespace is required so that children of user@.service end up in
+a namespace as expected. pam_namespace gets called as part of the stack that
+creates a session (login, sshd, gdm, etc.) and those processes end up in a
+namespace, but it also needs to be called from our stack which is parallel and
+descends from pid1 itself.
+
+The call to pam_namespace is similar to the call to pam_keyinit that was added
+in ab79099d1684457d040ee7c28b2012e8c1ea9a4f. The pam stack for user@.service
+creates a new session which is disconnected from the parent environment. Both
+calls are not suitable for inclusion in the shared part of the stack (e.g.
+@system-auth on Fedora/RHEL systems), because for example su/sudo/runuser
+should not include them.
+
+Fixes #17043 (Allow to execute user service into dedicated namespace
+ if pam_namespace enabled)
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1861836
+(Polyinstantiation is ignored/bypassed in GNOME sessions)
+---
+ src/login/systemd-user.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
+index d5597d28cb..06f7e36458 100644
+--- a/src/login/systemd-user.in
++++ b/src/login/systemd-user.in
+@@ -15,6 +15,7 @@ session required pam_selinux.so nottys open
+ {% endif %}
+ session required pam_loginuid.so
+ session optional pam_keyinit.so force revoke
++session required pam_namespace.so
+ {% if ENABLE_HOMED %}
+ -session optional pam_systemd_home.so
+ {% endif %}
+--
+2.38.1
+
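Review bot: `session required pam_namespace.so` is the only line in this stack that is hard-`required` without the `-` prefix used for `pam_systemd_home.so` two lines below, and neither the template nor the commit message records that the strictness is deliberate. As far as I can tell from PAM stacking rules, a module that cannot be loaded or that returns an error here fails the whole session phase, so every user@.service instance refuses to start rather than running outside the namespace the host's namespace configuration asked for — fail-closed, which is what one wants from a confinement module, but easy for a later tidy-up to downgrade to `optional` without noticing that this silently disables polyinstantiation. A comment above the line in the template, `# "required" on purpose: a failed namespace setup must not leave user@.service outside the user's polyinstantiated namespace`, would record that. Since this hunk adds a nested patch file, the comment belongs in the upstream `src/login/systemd-user.in`, not in this repository's hunk.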
diff --git a/0003-pam-actually-align-the-columns.patch b/0003-pam-actually-align-the-columns.patch
new file mode 100644
index 0000000..da4fcf2
--- /dev/null
+++ b/0003-pam-actually-align-the-columns.patch
@@ -0,0 +1,47 @@
+From 369dfbf43a0064b70a774ccdd3dd1c1a09fd95ca Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Wed, 14 Dec 2022 22:23:31 +0100
+Subject: [PATCH 3/4] pam: actually align the columns
+
+In 9efb224443d819b7d64ec76cb94c8aa625a8abf2 was supposed to align
+them, but for some reason I just added a second space everywhere.
+---
+ src/login/systemd-user.in | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
+index 06f7e36458..9a665bd959 100644
+--- a/src/login/systemd-user.in
++++ b/src/login/systemd-user.in
+@@ -4,19 +4,19 @@
+ # Used by systemd --user instances.
+ 
+ {% if ENABLE_HOMED %}
+--account sufficient pam_systemd_home.so
++-account sufficient pam_systemd_home.so
+ {% endif %}
+ account sufficient pam_unix.so no_pass_expiry
+-account required pam_permit.so
++account required pam_permit.so
+ 
+ {% if HAVE_SELINUX %}
+-session required pam_selinux.so close
+-session required pam_selinux.so nottys open
++session required pam_selinux.so close
++session required pam_selinux.so nottys open
+ {% endif %}
+-session required pam_loginuid.so
+-session optional pam_keyinit.so force revoke
+-session required pam_namespace.so
++session required pam_loginuid.so
++session optional pam_keyinit.so force revoke
++session required pam_namespace.so
+ {% if ENABLE_HOMED %}
+--session optional pam_systemd_home.so
++-session optional pam_systemd_home.so
+ {% endif %}
+-session optional pam_systemd.so
++session optional pam_systemd.so
+--
+2.38.1
+
diff --git a/fedora-use-system-auth-in-pam-systemd-user.patch b/fedora-use-system-auth-in-pam-systemd-user.patch
new file mode 100644
index 0000000..3b7c10d
--- /dev/null
+++ b/fedora-use-system-auth-in-pam-systemd-user.patch
@@ -0,0 +1,31 @@
+From 4e6479054ae2090b99a50d6ae954d22efc8340a0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Wed, 14 Dec 2022 22:24:53 +0100
+Subject: [PATCH 4/4] fedora: use system-auth in pam systemd-user
+
+---
+ src/login/systemd-user.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
+index 9a665bd959..703a4b3174 100644
+--- a/src/login/systemd-user.in
++++ b/src/login/systemd-user.in
+@@ -7,7 +7,7 @@
+ -account sufficient pam_systemd_home.so
+ {% endif %}
+ account sufficient pam_unix.so no_pass_expiry
+-account required pam_permit.so
++account include system-auth
+ 
+ {% if HAVE_SELINUX %}
+ session required pam_selinux.so close
+@@ -19,4 +19,4 @@ session required pam_namespace.so
+ {% if ENABLE_HOMED %}
+ -session optional pam_systemd_home.so
+ {% endif %}
+-session optional pam_systemd.so
++session include system-auth
+--
+2.38.1
+
diff --git a/systemd-user b/systemd-user
deleted file mode 100644
index 8ef2c18..0000000
--- a/systemd-user
+++ /dev/null
@@ -1,14 +0,0 @@
-# This file is part of systemd.
-#
-# Used by systemd --user instances.
-
--account sufficient pam_systemd_home.so
-account sufficient pam_unix.so no_pass_expiry
-account include system-auth
-
-session required pam_selinux.so close
-session required pam_selinux.so nottys open
-session required pam_loginuid.so
-session required pam_namespace.so
--session optional pam_systemd_home.so
-session include system-auth
diff --git a/systemd.spec b/systemd.spec
index 306c90b..f531c1c 100644
--- a/systemd.spec
+++ b/systemd.spec
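Review bot: The patch body between `Subject:` and `---` is empty, yet the change alters what user@.service enforces: `account required pam_permit.so`, which let any account through once `pam_unix.so` declined, becomes `account include system-auth`, so the account phase now applies whatever the host's shared stack applies (account locks, expiry, and any access rules it carries), and `session optional pam_systemd.so` is no longer listed explicitly but relied on from system-auth. Both match what the deleted downstream `systemd-user` file already did, so the behaviour is not new, but a downstream-only patch with no description leaves the next rebase without that context. A commit message along the lines of `fedora: include system-auth in the account and session phases so user@.service honours the shared stack; matches the downstream systemd-user file this patch replaces` would cover it.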
@@ -89,11 +89,17 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[
 # than in the next section. Packit CI will drop any patches in this range before
 # applying upstream pull requests.
 
+Patch0001: 0001-pam-align-second-and-third-columns.patch
+Patch0002: 0002-pam-add-a-call-to-pam_namespace.patch
+Patch0003: 0003-pam-actually-align-the-columns.patch
 
 # Those are downstream-only patches, but we don't want them in packit builds:
 # https://bugzilla.redhat.com/show_bug.cgi?id=1738828
 Patch0490: use-bfq-scheduler.patch
 
+# Adjust upstream config to use our shared stack
+Patch0491: fedora-use-system-auth-in-pam-systemd-user.patch
+
 %ifarch %{ix86} x86_64 aarch64
 %global have_gnu_efi 1
 %endif
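Review bot: The `systemd-user` file this commit deletes is not mentioned in this hunk, so whether `%install` (outside the hunk) still copies it into the PAM configuration directory cannot be confirmed from here; if that line survived, the build fails on the missing source file, and if it was dropped, the installed PAM file now comes solely from the patched upstream `src/login/systemd-user.in`, whose `ENABLE_HOMED` and `HAVE_SELINUX` conditionals decide what lands on the system. Patch0491 sits in the downstream-only range after Patch0490, consistent with the comment above it, while Patch0001-0003 sit in the upstream-pending range with upstream commit ids in their headers, which is the right split. A one-line note next to `Patch0491`, `# replaces the former downstream systemd-user file; the PAM file is now rendered from src/login/systemd-user.in`, would make that relationship visible to the next rebase.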