Use upstream pam systemd-auth file with a patch, add pam_keyinit

This file changes rarely, but it does every once in a while. And since we have an
independent copy, we forget to adjust it. We have already had two bugs because
of this. I submitted a PR upstream to include pam_namespace (because that makes
sense for all distros), so the diff between upstream and us now is just the
inclusion of system-auth (which is not upstreamable).

Effectively, the only difference right now is that 'pam_keyinit force revoke'
is included. It was added upstream with the comment:

   We want that systemd --user gets its own keyring as usual, even if the
   barebones PAM snippet we ship upstream is used. If we don't do this we get
   the basic keyring systemd --system sets up for us.

This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2022-12-14 22:35:52 +01:00
parent ef4c00c6a4
commit 2a3fc2e21f
6 changed files with 173 additions and 14 deletions


@ -0,0 +1,48 @@
From 9efb224443d819b7d64ec76cb94c8aa625a8abf2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 23 Nov 2022 16:05:48 +0100
Subject: [PATCH 1/2] pam: align second and third columns
In our template file, we have jinja2 template markers, so the file
looks fairly messy. But once it's rendered, it looks pretty clean, except
that the columns are unaligned becuase of "-" in some lines in the first
column. Let's make them aligned.
---
src/login/systemd-user.in | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
index 39bcbd71fe..d5597d28cb 100644
--- a/src/login/systemd-user.in
+++ b/src/login/systemd-user.in
@@ -4,18 +4,18 @@
# Used by systemd --user instances.
{% if ENABLE_HOMED %}
--account sufficient pam_systemd_home.so
+-account sufficient pam_systemd_home.so
{% endif %}
-account sufficient pam_unix.so no_pass_expiry
-account required pam_permit.so
+account sufficient pam_unix.so no_pass_expiry
+account required pam_permit.so
{% if HAVE_SELINUX %}
-session required pam_selinux.so close
-session required pam_selinux.so nottys open
+session required pam_selinux.so close
+session required pam_selinux.so nottys open
{% endif %}
-session required pam_loginuid.so
-session optional pam_keyinit.so force revoke
+session required pam_loginuid.so
+session optional pam_keyinit.so force revoke
{% if ENABLE_HOMED %}
--session optional pam_systemd_home.so
+-session optional pam_systemd_home.so
{% endif %}
-session optional pam_systemd.so
+session optional pam_systemd.so
--
2.38.1
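Review bot: this hunk is a whitespace-only change that patch 0003 in the same commit rewrites line for line (its message says this one "just added a second space everywhere"), so carrying both as Patch0001 and Patch0003 in the spec applies a no-op patch on every build. Squash 0001 into 0003, or drop 0001 and regenerate 0003 against the unpatched file, so that the pam_namespace change in 0002 is the only functional upstream backport in the Patch0001..0003 range.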


@ -0,0 +1,41 @@
From 0ef48896d9f23b9fd547a532a4e6e6b8f8b12901 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 23 Nov 2022 16:09:56 +0100
Subject: [PATCH 2/2] pam: add a call to pam_namespace
A call to pam_namespace is required so that children of user@.service end up in
a namespace as expected. pam_namespace gets called as part of the stack that
creates a session (login, sshd, gdm, etc.) and those processes end up in a
namespace, but it also needs to be called from our stack which is parallel and
descends from pid1 itself.
The call to pam_namespace is similar to the call to pam_keyinit that was added
in ab79099d1684457d040ee7c28b2012e8c1ea9a4f. The pam stack for user@.service
creates a new session which is disconnected from the parent environment. Both
calls are not suitable for inclusion in the shared part of the stack (e.g.
@system-auth on Fedora/RHEL systems), because for example su/sudo/runuser
should not include them.
Fixes #17043 (Allow to execute user service into dedicated namespace
if pam_namespace enabled)
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1861836
(Polyinstantiation is ignored/bypassed in GNOME sessions)
---
src/login/systemd-user.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
index d5597d28cb..06f7e36458 100644
--- a/src/login/systemd-user.in
+++ b/src/login/systemd-user.in
@@ -15,6 +15,7 @@ session required pam_selinux.so nottys open
{% endif %}
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
+session required pam_namespace.so
{% if ENABLE_HOMED %}
-session optional pam_systemd_home.so
{% endif %}
--
2.38.1
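Review bot: `session required pam_namespace.so` is added with `required`, while the neighbouring `pam_keyinit.so force revoke` line it is modelled on is `optional`, and the message explains why the module belongs in this stack but not why a pam_namespace failure should abort the session. This stack runs for every user@.service instance, so a `required` module that fails stops every user manager on the host instead of merely skipping polyinstantiation for it; either state in the message that this fail-closed behaviour is intended, or use `optional` as for pam_keyinit and rely on the module's own error logging.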


@ -0,0 +1,47 @@
From 369dfbf43a0064b70a774ccdd3dd1c1a09fd95ca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 14 Dec 2022 22:23:31 +0100
Subject: [PATCH 3/4] pam: actually align the columns
In 9efb224443d819b7d64ec76cb94c8aa625a8abf2 was supposed to align
them, but for some reason I just added a second space everywhere.
---
src/login/systemd-user.in | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
index 06f7e36458..9a665bd959 100644
--- a/src/login/systemd-user.in
+++ b/src/login/systemd-user.in
@@ -4,19 +4,19 @@
# Used by systemd --user instances.
{% if ENABLE_HOMED %}
--account sufficient pam_systemd_home.so
+-account sufficient pam_systemd_home.so
{% endif %}
account sufficient pam_unix.so no_pass_expiry
-account required pam_permit.so
+account required pam_permit.so
{% if HAVE_SELINUX %}
-session required pam_selinux.so close
-session required pam_selinux.so nottys open
+session required pam_selinux.so close
+session required pam_selinux.so nottys open
{% endif %}
-session required pam_loginuid.so
-session optional pam_keyinit.so force revoke
-session required pam_namespace.so
+session required pam_loginuid.so
+session optional pam_keyinit.so force revoke
+session required pam_namespace.so
{% if ENABLE_HOMED %}
--session optional pam_systemd_home.so
+-session optional pam_systemd_home.so
{% endif %}
-session optional pam_systemd.so
+session optional pam_systemd.so
--
2.38.1
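Review bot: the message "In 9efb224443d819b7d64ec76cb94c8aa625a8abf2 was supposed to align them" is missing its subject; write "Commit 9efb2244... was supposed to align them, but ...". Since this hunk touches exactly the lines that patch 0001 touched, the two belong in a single patch rather than a fix-up carried separately in the spec.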


@ -0,0 +1,31 @@
From 4e6479054ae2090b99a50d6ae954d22efc8340a0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 14 Dec 2022 22:24:53 +0100
Subject: [PATCH 4/4] fedora: use system-auth in pam systemd-user
---
src/login/systemd-user.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
index 9a665bd959..703a4b3174 100644
--- a/src/login/systemd-user.in
+++ b/src/login/systemd-user.in
@@ -7,7 +7,7 @@
-account sufficient pam_systemd_home.so
{% endif %}
account sufficient pam_unix.so no_pass_expiry
-account required pam_permit.so
+account include system-auth
{% if HAVE_SELINUX %}
session required pam_selinux.so close
@@ -19,4 +19,4 @@ session required pam_namespace.so
{% if ENABLE_HOMED %}
-session optional pam_systemd_home.so
{% endif %}
-session optional pam_systemd.so
+session include system-auth
--
2.38.1
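Review bot: this patch has no commit body, and the change needs one: replacing `account required pam_permit.so` and `session optional pam_systemd.so` with `include system-auth` means pam_systemd.so now reaches the user@.service stack only if Fedora's shared system-auth lists it in its session phase, which the hunk cannot check. Document that dependency (a host with a locally edited system-auth that lacks pam_systemd.so would silently lose it for user managers), and note that pam_loginuid, pam_keyinit and pam_namespace deliberately stay outside the included stack for the reasons given in the 0002 message.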


@ -1,14 +0,0 @@
# This file is part of systemd.
#
# Used by systemd --user instances.
-account sufficient pam_systemd_home.so
account sufficient pam_unix.so no_pass_expiry
account include system-auth
session required pam_selinux.so close
session required pam_selinux.so nottys open
session required pam_loginuid.so
session required pam_namespace.so
-session optional pam_systemd_home.so
session include system-auth
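Review bot: the downstream file removed here listed the two pam_selinux.so lines and the `-`-prefixed pam_systemd_home.so lines unconditionally, whereas the upstream template that replaces it wraps them in `{% if HAVE_SELINUX %}` and `{% if ENABLE_HOMED %}`. The rendered result matches the old file only when both options are enabled in the Fedora build, so the commit message should say that this was checked (or the spec should pin those options). The remaining difference, the added `session optional pam_keyinit.so force revoke`, matches what the cover message describes.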


@ -89,11 +89,17 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[
# than in the next section. Packit CI will drop any patches in this range before
# applying upstream pull requests.
Patch0001: 0001-pam-align-second-and-third-columns.patch
Patch0002: 0002-pam-add-a-call-to-pam_namespace.patch
Patch0003: 0003-pam-actually-align-the-columns.patch
# Those are downstream-only patches, but we don't want them in packit builds:
# https://bugzilla.redhat.com/show_bug.cgi?id=1738828
Patch0490: use-bfq-scheduler.patch
# Adjust upstream config to use our shared stack
Patch0491: fedora-use-system-auth-in-pam-systemd-user.patch
%ifarch %{ix86} x86_64 aarch64
%global have_gnu_efi 1
%endif
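Review bot: the comment above Patch0001 says Packit CI drops the 0001..0003 range before applying upstream pull requests, which is only correct while these patches are still unmerged upstream; the cover message mentions the upstream pam_namespace PR but gives no number, so add the PR URL in a comment above Patch0002 (and the upstream commit ids once they exist) so the next rebase can tell when to drop them. Patch0491 is correctly placed in the downstream-only range after the bfq patch, with its own one-line comment.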