Use upstream pam systemd-auth file with a patch, add pam_keyinit

This file changes rarely, but it does every one in a while. And since we have an independent copy, we forget to adjust it. We have had already two bugs because of this. I submitted a PR upstream to include pam_namespace (because that makes sense for all distros), so the diff between upstream and us now is just the inclusion of system-auth (which is not upstreamable). Effectively, the only difference right now is that 'pam_keyinit force revoke' is included. It was added upstream with the comment: We want that systemd --user gets its own keyring as usual, even if the barebones PAM snippet we ship upstream is used. If we don't do this we get the basic keyring systemd --system sets up for us.
2022-12-14 22:35:52 +01:00 · 2022-12-14 22:35:52 +01:00 · 2a3fc2e21f
commit 2a3fc2e21f
parent ef4c00c6a4
6 changed files with 173 additions and 14 deletions
--- a/0001-pam-align-second-and-third-columns.patch
+++ b/0001-pam-align-second-and-third-columns.patch
@ -0,0 +1,48 @@
+From 9efb224443d819b7d64ec76cb94c8aa625a8abf2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 23 Nov 2022 16:05:48 +0100
+Subject: [PATCH 1/2] pam: align second and third columns
+
+In our template file, we have jinja2 template markers, so the file
+looks fairly messy. But once it's rendered, it looks pretty clean, except
+that the columns are unaligned becuase of "-" in some lines in the first
+column. Let's make them aligned.
+---
+ src/login/systemd-user.in | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
+index 39bcbd71fe..d5597d28cb 100644
+--- a/src/login/systemd-user.in
+++ b/src/login/systemd-user.in
+@@ -4,18 +4,18 @@
+ # Used by systemd --user instances.
+ 
+ {% if ENABLE_HOMED %}
+--account sufficient pam_systemd_home.so
+-account  sufficient pam_systemd_home.so
+ {% endif %}
+-account sufficient pam_unix.so no_pass_expiry
+-account required pam_permit.so
+account  sufficient pam_unix.so no_pass_expiry
+account  required pam_permit.so
+ 
+ {% if HAVE_SELINUX %}
+-session required pam_selinux.so close
+-session required pam_selinux.so nottys open
+session  required pam_selinux.so close
+session  required pam_selinux.so nottys open
+ {% endif %}
+-session required pam_loginuid.so
+-session optional pam_keyinit.so force revoke
+session  required pam_loginuid.so
+session  optional pam_keyinit.so force revoke
+ {% if ENABLE_HOMED %}
+--session optional pam_systemd_home.so
+-session  optional pam_systemd_home.so
+ {% endif %}
+-session optional pam_systemd.so
+session  optional pam_systemd.so
+-- 
+2.38.1
+
--- a/0002-pam-add-a-call-to-pam_namespace.patch
+++ b/0002-pam-add-a-call-to-pam_namespace.patch
@ -0,0 +1,41 @@
+From 0ef48896d9f23b9fd547a532a4e6e6b8f8b12901 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 23 Nov 2022 16:09:56 +0100
+Subject: [PATCH 2/2] pam: add a call to pam_namespace
+
+A call to pam_namespace is required so that children of user@.service end up in
+a namespace as expected. pam_namespace gets called as part of the stack that
+creates a session (login, sshd, gdm, etc.) and those processes end up in a
+namespace, but it also needs to be called from our stack which is parallel and
+descends from pid1 itself.
+
+The call to pam_namespace is similar to the call to pam_keyinit that was added
+in ab79099d1684457d040ee7c28b2012e8c1ea9a4f. The pam stack for user@.service
+creates a new session which is disconnected from the parent environment. Both
+calls are not suitable for inclusion in the shared part of the stack (e.g.
+@system-auth on Fedora/RHEL systems), because for example su/sudo/runuser
+should not include them.
+
+Fixes #17043 (Allow to execute user service into dedicated namespace
+              if pam_namespace enabled)
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1861836
+(Polyinstantiation is ignored/bypassed in GNOME sessions)
+---
+ src/login/systemd-user.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
+index d5597d28cb..06f7e36458 100644
+--- a/src/login/systemd-user.in
+++ b/src/login/systemd-user.in
+@@ -15,6 +15,7 @@ session  required pam_selinux.so nottys open
+ {% endif %}
+ session  required pam_loginuid.so
+ session  optional pam_keyinit.so force revoke
+session  required pam_namespace.so
+ {% if ENABLE_HOMED %}
+ -session  optional pam_systemd_home.so
+ {% endif %}
+-- 
+2.38.1
+
--- a/0003-pam-actually-align-the-columns.patch
+++ b/0003-pam-actually-align-the-columns.patch
@ -0,0 +1,47 @@
+From 369dfbf43a0064b70a774ccdd3dd1c1a09fd95ca Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 14 Dec 2022 22:23:31 +0100
+Subject: [PATCH 3/4] pam: actually align the columns
+
+In 9efb224443d819b7d64ec76cb94c8aa625a8abf2 was supposed to align
+them, but for some reason I just added a second space everywhere.
+---
+ src/login/systemd-user.in | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
+index 06f7e36458..9a665bd959 100644
+--- a/src/login/systemd-user.in
+++ b/src/login/systemd-user.in
+@@ -4,19 +4,19 @@
+ # Used by systemd --user instances.
+ 
+ {% if ENABLE_HOMED %}
+--account  sufficient pam_systemd_home.so
+-account sufficient pam_systemd_home.so
+ {% endif %}
+ account  sufficient pam_unix.so no_pass_expiry
+-account  required pam_permit.so
+account  required   pam_permit.so
+ 
+ {% if HAVE_SELINUX %}
+-session  required pam_selinux.so close
+-session  required pam_selinux.so nottys open
+session  required   pam_selinux.so close
+session  required   pam_selinux.so nottys open
+ {% endif %}
+-session  required pam_loginuid.so
+-session  optional pam_keyinit.so force revoke
+-session  required pam_namespace.so
+session  required   pam_loginuid.so
+session  optional   pam_keyinit.so force revoke
+session  required   pam_namespace.so
+ {% if ENABLE_HOMED %}
+--session  optional pam_systemd_home.so
+-session optional   pam_systemd_home.so
+ {% endif %}
+-session  optional pam_systemd.so
+session  optional   pam_systemd.so
+-- 
+2.38.1
+
--- a/fedora-use-system-auth-in-pam-systemd-user.patch
+++ b/fedora-use-system-auth-in-pam-systemd-user.patch
@ -0,0 +1,31 @@
+From 4e6479054ae2090b99a50d6ae954d22efc8340a0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 14 Dec 2022 22:24:53 +0100
+Subject: [PATCH 4/4] fedora: use system-auth in pam systemd-user
+
+---
+ src/login/systemd-user.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
+index 9a665bd959..703a4b3174 100644
+--- a/src/login/systemd-user.in
+++ b/src/login/systemd-user.in
+@@ -7,7 +7,7 @@
+ -account sufficient pam_systemd_home.so
+ {% endif %}
+ account  sufficient pam_unix.so no_pass_expiry
+-account  required   pam_permit.so
+account  include    system-auth
+ 
+ {% if HAVE_SELINUX %}
+ session  required   pam_selinux.so close
+@@ -19,4 +19,4 @@ session  required   pam_namespace.so
+ {% if ENABLE_HOMED %}
+ -session optional   pam_systemd_home.so
+ {% endif %}
+-session  optional   pam_systemd.so
+session  include    system-auth
+-- 
+2.38.1
+
--- a/14
+++ b/14
@ -1,14 +0,0 @@
-# This file is part of systemd.
-#
-# Used by systemd --user instances.
-
-account sufficient pam_systemd_home.so
-account  sufficient pam_unix.so no_pass_expiry
-account  include system-auth
-
-session  required pam_selinux.so close
-session  required pam_selinux.so nottys open
-session  required pam_loginuid.so
-session  required pam_namespace.so
-session optional pam_systemd_home.so
-session  include system-auth
--- a/systemd.spec
+++ b/systemd.spec
@ -89,11 +89,17 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[
 # than in the next section. Packit CI will drop any patches in this range before
 # applying upstream pull requests.

+Patch0001:      0001-pam-align-second-and-third-columns.patch
+Patch0002:      0002-pam-add-a-call-to-pam_namespace.patch
+Patch0003:      0003-pam-actually-align-the-columns.patch

 # Those are downstream-only patches, but we don't want them in packit builds:
 # https://bugzilla.redhat.com/show_bug.cgi?id=1738828
 Patch0490:      use-bfq-scheduler.patch

+# Adjust upstream config to use our shared stack
+Patch0491:      fedora-use-system-auth-in-pam-systemd-user.patch
+
 %ifarch %{ix86} x86_64 aarch64
 %global have_gnu_efi 1
 %endif