A call to pam_namespace is required so that children of user@.service end up in
a namespace as expected. pam_namespace gets called as part of the stack that
creates a session (login, sshd, gdm, etc.) and those processes end up in a
namespace, but it also needs to be called from our stack which is parallel and
descends from pid1 itself.
The call to pam_namespace is similar to the call to pam_keyinit that was added
in ab79099. The pam stack for user@.service
creates a new session which is disconnected from the parent environment. Both
calls are not suitable for inclusion in the shared part of the stack (e.g.
@system-auth on Fedora/RHEL systems), because for example su/sudo/runuser
should not include them.
Fixes#17043 (Allow to execute user service into dedicated namespace
if pam_namespace enabled)
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1861836
(Polyinstantiation is ignored/bypassed in GNOME sessions)
rhel-only
Resolves: #2218184
Setting umask for user sessions via UMASK setting in /etc/login.defs is
a well-known feature. Let's make sure that user manager also runs with
this umask value.
rhel-only
Resolves: #2210145
... (rhbz#2104141)
In the first version, I wanted to use POSIX quotes with $''. But that required
'printf %q', which brings in a dependency on coreutils.
Following mcr0mmand's suggestion, ${foo@Q} is used instead, which should work
equivalently, and does not require anything new.
Tested with 'sysusers.generate-pre.sh /usr/lib/sysusers.d/*conf'. The output is
the same before and after, apart from the dovecot user with a quote.
rhel-only
Resolves: #2217149
We need to use a mix of spaces and tabs: the tabs are removed because of -EOF,
and then the spaces indent the output. Jesus.
rhel-only
Resolves: #2217149
This tweaks the sysusers.d handling logic so that 'm' entries are
now translated to a series of groupadd + useradd + usermod call.
The last usermod call is the notable change, effectively affecting
the list of secondary groups now.
rhel-only
Resolves: #2217149
There should be almost no functional change, but shellcheck complains
less. User/group descriptions with escaped characters are handled
properly.
rhel-only
Resolves: #2217149
Without that patch, on every package upgrade, a 'systemd' is forcibly appended
to passwd and group in nsswitch.conf which is not desirable for some customers.
It is required until authselect change introduction in RHEL.
RHEL-only
Resolves: #2176337
As requested in https://github.com/rhinstaller/anaconda/pull/4368#discussion_r1043839809,
so that it's easier to depend on the appropriate package. Once we have the
signed version built, this provides might be dropped. But let's add it at least
for now so that there's a stable name to depend on.
Based on fedora patch - 732bdcb223ae95b41e37aa1ba1a3256781a51fbd
Related: #2157663