Commit Graph

119 Commits

Author SHA1 Message Date
Jan Macku
c8e795b373 pam: add a call to pam_namespace
A call to pam_namespace is required so that children of user@.service end up in
a namespace as expected. pam_namespace gets called as part of the stack that
creates a session (login, sshd, gdm, etc.) and those processes end up in a
namespace, but it also needs to be called from our stack which is parallel and
descends from pid1 itself.

The call to pam_namespace is similar to the call to pam_keyinit that was added
in ab79099. The pam stack for user@.service
creates a new session which is disconnected from the parent environment. Both
calls are not suitable for inclusion in the shared part of the stack (e.g.
@system-auth on Fedora/RHEL systems), because for example su/sudo/runuser
should not include them.

Fixes #17043 (Allow to execute user service into dedicated namespace
              if pam_namespace enabled)
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1861836
(Polyinstantiation is ignored/bypassed in GNOME sessions)

rhel-only

Resolves: #2218184
2023-07-13 16:23:05 +02:00
Jan Macku
8478dae30b pam: add call to pam_umask
Setting umask for user sessions via UMASK setting in /etc/login.defs is
a well-known feature. Let's make sure that user manager also runs with
this umask value.

rhel-only

Resolves: #2210145
2023-07-13 16:19:01 +02:00
Jan Macku
e181f5306e pam: add pam_keyinit.so to systemd-user
rhel-only

Resolves: #2044486
2023-07-13 14:14:05 +00:00
Zbigniew Jędrzejewski-Szmek
66144f688d sysusers.generate-pre.sh: properly escape quotes in description strings
... (rhbz#2104141)

In the first version, I wanted to use POSIX quotes with $''. But that required
'printf %q', which brings in a dependency on coreutils.

Following mcr0mmand's suggestion, ${foo@Q} is used instead, which should work
equivalently, and does not require anything new.

Tested with 'sysusers.generate-pre.sh /usr/lib/sysusers.d/*conf'. The output is
the same before and after, apart from the dovecot user with a quote.

rhel-only

Resolves: #2217149
2023-06-29 15:29:04 +02:00
Zbigniew Jędrzejewski-Szmek
00374b7b6e sysusers.generate-pre.sh: fix indentation in generated scripts
We need to use a mix of spaces and tabs: the tabs are removed because of -EOF,
and then the spaces indent the output. Jesus.

rhel-only

Resolves: #2217149
2023-06-29 15:29:04 +02:00
Martin Osvald
b99e4e7874 Support user:group notation by sysusers.generate-pre.sh script
#Type Name       ID                  GECOS              Home directory Shell
u     user_name  uid:gid             "User Description" /home/dir      /path/to/shell

According to: https://www.freedesktop.org/software/systemd/man/sysusers.d.html

rhel-only

Resolves: #2217149
2023-06-29 15:27:54 +02:00
Zbigniew Jędrzejewski-Szmek
302add7ebd Fix indentation in %sysusers_create_compat macro (rhbz#2132835)
Automatic unindentation after <<-EOF only works with tabs. Jesus.

rhel-only

Resolves: #2217149
2023-06-29 15:24:37 +02:00
Luca BRUNO
7c2e28783a sysusers/generate: bridge 'm' entries to usermod
This tweaks the sysusers.d handling logic so that 'm' entries are
now translated to a series of groupadd + useradd + usermod call.
The last usermod call is the notable change, effectively affecting
the list of secondary groups now.

rhel-only

Resolves: #2217149
2023-06-29 15:24:30 +02:00
Luca BRUNO
83d62beefc Align sysusers-generated shell value with upstream systemd default
rhel-only

Resolves: #2217149
2023-06-29 15:24:24 +02:00
Zbigniew Jędrzejewski-Szmek
1a82a5d221 Suppress errors from useradd/groupadd
rhel-only

Resolves: #2217149
2023-06-29 15:24:19 +02:00
Zbigniew Jędrzejewski-Szmek
eac5440e8e Shellcheckify sysusers.generate-pre.sh
There should be almost no functional change, but shellcheck complains
less. User/group descriptions with escaped characters are handled
properly.

rhel-only

Resolves: #2217149
2023-06-29 15:24:11 +02:00
Zbigniew Jędrzejewski-Szmek
42b42fd61e sysusers.generate-pre: indentation
rhel-only

Resolves: #2217149
2023-06-29 15:24:04 +02:00
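The sysusers.d handling that the commits above touch (uid:gid IDs, 'm' lines bridged to a usermod call, the upstream nologin default shell, and safe quoting of description strings) can be seen end to end in the following translator. It is an added example written for this page, not the RHEL sysusers.generate-pre.sh script or any code from the repository. Its assumptions are stated in the header comment: a numeric gid in "uid:gid" creates a group named after the user, a non-numeric gid names an existing group, "-" or an empty shell maps to /usr/sbin/nologin, and descriptions are single-quoted with an embedded ' escaped as '\'' (a POSIX stand-in for the bash ${var@Q} expansion the escaping commit mentions).

```shell
#!/bin/sh
# Added example: translate a subset of sysusers.d(5) lines into shadow-utils
# commands. Not the RHEL script. Assumptions (not from the page):
#  - a numeric "uid:gid" creates a group named after the user with that gid;
#    a non-numeric gid names an existing group;
#  - a shell of "-" or empty means /usr/sbin/nologin (upstream's default);
#  - descriptions are single-quoted with embedded ' escaped as '\'' , a
#    portable stand-in for bash's ${var@Q}.

# Quote $1 so it is safe to paste back into a generated shell script.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Print the commands for one sysusers.d line (nothing for comments/blanks).
sysusers_to_cmds() {
    line=$1
    case $line in
        ''|'#'*) return 0 ;;
    esac
    # Fixed leading fields; the rest may start with a quoted GECOS field.
    read -r type name id rest <<EOF
$line
EOF
    case $type in
        g)
            case $id in
                ''|-) printf 'groupadd -r %s\n' "$name" ;;
                *)    printf 'groupadd -r -g %s %s\n' "$id" "$name" ;;
            esac
            ;;
        m)
            # "m user group": supplementary group membership via usermod.
            printf 'usermod -a -G %s %s\n' "$id" "$name"
            ;;
        u)
            case $rest in
                '"'*)
                    desc=${rest#\"}
                    desc=${desc%%\"*}
                    rest=${rest#*\"*\"}
                    ;;
                *)
                    read -r desc rest <<EOF
$rest
EOF
                    ;;
            esac
            read -r home shell <<EOF
$rest
EOF
            [ "$desc" = - ] && desc=
            case $id in
                *:*) uid=${id%%:*}; gid=${id#*:} ;;
                *)   uid=$id; gid= ;;
            esac
            [ "$uid" = - ] && uid=
            groupopt=
            if [ -n "$gid" ]; then
                case $gid in
                    *[!0-9]*) group=$gid ;;   # existing group, by name
                    *) group=$name
                       printf 'groupadd -r -g %s %s\n' "$gid" "$group" ;;
                esac
                groupopt=" -g $group"
            fi
            case $shell in ''|-) shell=/usr/sbin/nologin ;; esac
            cmd="useradd -r"
            [ -n "$uid" ] && cmd="$cmd -u $uid"
            cmd="$cmd$groupopt"
            [ -n "$desc" ] && cmd="$cmd -c $(shquote "$desc")"
            [ -n "$home" ] && [ "$home" != - ] && cmd="$cmd -d $home"
            printf '%s -s %s %s\n' "$cmd" "$shell" "$name"
            ;;
        *)
            printf 'unsupported type: %s\n' "$type" >&2
            return 1
            ;;
    esac
}

# Usage: sysusers_to_cmds 'u app 401:401 "App O'"'"'Brien daemon" /var/lib/app -'
```

The quoting step is the part worth keeping in mind: a GECOS field such as O'Brien is written into a generated script that is later executed, so a description that is not re-quoted is a code-injection path into the %pre scriptlet, which is why the "properly escape quotes" commit matters beyond cosmetics.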
Jacek Migacz
36f2f948cd spec: Append 'systemd' to nsswitch.conf only during install
Without that patch, on every package upgrade, a 'systemd' is forcibly appended
to passwd and group in nsswitch.conf which is not desirable for some customers.

It is required until the authselect change is introduced in RHEL.

RHEL-only

Resolves: #2176337
2023-05-29 11:31:10 +00:00
Jan Macku
96f92a96d3 systemd-252-15
Resolves: #2100440,#2143107,#2183546,#2203133
2023-05-18 13:38:48 +02:00
Jan Macku
2a07d74ee6 systemd-252-14
Resolves: #2176918,#2180120
2023-03-21 14:10:11 +01:00
Zbigniew Jędrzejewski-Szmek
6cce65c41b Move /usr/lib/systemd/boot/ to systemd-boot-unsigned subpackage
(cherry picked from commit 1a6178ce6e)

Resolves: #2176772
2023-03-09 10:30:51 +01:00
Zbigniew Jędrzejewski-Szmek
0802b86b22 Move man pages for sd-boot into systemd-boot-unsigned
(cherry picked from commit 7a81930dd2)

Resolves: #2176772
2023-03-09 10:30:35 +01:00
Jan Macku
54fa34c9c2 systemd-252-8
Resolves: #2173682
2023-02-27 17:36:21 +01:00
Jan Macku
a8492f86d1 spec: Correctly obsolete boot-unsigned and systemd-udev
Related: #2157663
2023-02-27 17:11:54 +01:00
Zbigniew Jędrzejewski-Szmek
6d0071c1b2 Do not create boot subpackage on non-efi arches
This fixes build.
[skip changelog]

(cherry picked from commit 778f8ef8a5)

Related: #2157663
2023-02-27 17:11:54 +01:00
Zbigniew Jędrzejewski-Szmek
133bef1c24 Add a new provides with just the version
[skip changelog]

(cherry picked from commit 189f5d16f4)

Related: #2157663
2023-02-27 17:11:54 +01:00
Jan Macku
4befd8c339 boot: add Provides:systemd-boot(isa)
As requested in https://github.com/rhinstaller/anaconda/pull/4368#discussion_r1043839809,
so that it's easier to depend on the appropriate package. Once we have the
signed version built, this provides might be dropped. But let's add it at least
for now so that there's a stable name to depend on.

Based on fedora patch - 732bdcb223

Related: #2157663
2023-02-27 17:11:54 +01:00
Zbigniew Jędrzejewski-Szmek
f2837adf41 Split out systemd-boot-unsigned package
(cherry picked from commit 54a3b6f942)

Resolves: #2157663
2023-02-27 17:11:54 +01:00
Jan Macku
5637d04f70 systemd-252-7
Resolves: #1985288,#2172401
2023-02-27 15:01:29 +01:00
Lukas Nykryn
d005486d57 systemd-252-6
Resolves: #2122500,#2138081,#2140646
2023-02-22 13:23:31 +01:00
Jan Macku
942940330e systemd-252-5
Resolves: #1952378,#2151612,#2167468,#2170500
2023-02-17 09:20:01 +01:00
Jan Macku
2d7302fd0b systemd-252-4
Resolves: #2138081,#2159448
2023-02-06 12:28:47 +01:00
Jan Synacek
b81de9fb53 spec: fix rpm verification (#1702300)
(cherry picked from commit 15d8f0c95a3fff7d78a8c22cb0aae45ae471add1)

Related: #2165316
2023-01-30 16:02:01 +01:00
Zbigniew Jędrzejewski-Szmek
82fe48cc58 Fix permissions on %ghost files (rhbz#2122889)
(cherry picked from commit 58777c7cac)

Related: #2165316
2023-01-30 15:56:55 +01:00
Zbigniew Jędrzejewski-Szmek
3b40355969 Correct file modes for %ghosted files
/var/log/btmp was changed in https://github.com/systemd/systemd/commit/f6e64b78cc,
but never adjusted here.

(cherry picked from commit db26d980dd)

Related: #2165316
2023-01-30 15:56:00 +01:00
Jan Macku
eceb26ad96 systemd-252-3
Resolves: #2138081,#2141979,#2151993,#2155517,#2160477
2023-01-16 09:56:47 +01:00
Jan Macku
79350f79d8 systemd-252-2
Resolves: #2137584,#2138081,#2141979
2022-12-09 09:36:14 +01:00
Jan Macku
d3400e6e35 Use split-files.py from Fedora
Related: #2138081
2022-12-05 12:22:58 +01:00
Jan Macku
12166e1929 Rebase to systemd v252 + systemd-stable v252.2
Resolves: #2138081
2022-12-05 12:22:58 +01:00
Jan Macku
dd626b6e53 Remove patches - rebase preparation
Related: #2138081
2022-12-05 12:22:58 +01:00
Jan Macku
454e3e2598 spec: Explicitly set default net naming scheme to rhel-9
Resolves: #2138883
2022-12-02 15:33:45 +01:00
Jan Macku
888bfe290c spec: Release bump
Related: #2140646
2022-12-02 14:44:17 +01:00
Jan Macku
9875c7e5b4 spec: Build systemd-boot EFI tools
Resolves: #2140646
2022-12-02 13:19:39 +01:00
Jan Macku
56f1ee916b systemd-250-11
Resolves: #2120604,#2121144
2022-08-25 10:24:32 +02:00
Jan Macku
2891ff393e systemd-250-10
Resolves: #2120222
2022-08-22 14:51:33 +02:00
Jan Macku
50665f7e22 systemd-250-9
Resolves: #2087778,#2116681,#2118297,#2118668
2022-08-18 13:35:33 +02:00
Jan Macku
0daf48d9aa systemd-250-8
Resolves: #2047682,#2068043,#2068131,#2073003,#2073994,#2082131,#2083493,#2087652,#2100340
2022-07-20 08:37:23 +02:00
Jan Macku
c895351950 systemd-250-7
Resolves: #2017035
2022-04-20 08:57:39 +00:00
David Tardon
4ab2887d57 pam: do not require a non-expired password for user@.service
Without this parameter, we would allow user@ to start if the user
has no password (i.e. the password is "locked"). But when the user does have a password,
and it is marked as expired, we would refuse to start the service.
There are other authentication mechanisms and we should not tie this service to
the password state.

The documented way to disable an *account* is to call 'chage -E0'. With a disabled
account, user@.service will still refuse to start:

systemd[16598]: PAM failed: User account has expired
systemd[16598]: PAM failed: User account has expired
systemd[16598]: user@1005.service: Failed to set up PAM session: Operation not permitted
systemd[16598]: user@1005.service: Failed at step PAM spawning /usr/lib/systemd/systemd: Operation not permitted
systemd[1]: user@1005.service: Main process exited, code=exited, status=224/PAM
systemd[1]: user@1005.service: Failed with result 'exit-code'.
systemd[1]: Failed to start user@1005.service.
systemd[1]: Stopping user-runtime-dir@1005.service...

RHEL-only

Resolves: #2059553
2022-04-20 10:19:51 +02:00
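A check for the session modules the "pam:" commits above add to the user@.service stack (pam_namespace, pam_keyinit, pam_umask), run against a constructed stack in the Fedora/RHEL layout, as an added example that is not the package's shipped /etc/pam.d/systemd-user nor any script from this repository. The sample stack, its module order, and the no_pass_expiry option on the account line (my reading of the "do not require a non-expired password" commit) are assumptions drawn from the commit messages of c8e795b373, 8478dae30b, e181f5306e and 4ab2887d57; verify against the file your package actually installs.

```shell
#!/bin/sh
# Added example: verify that a systemd-user style PAM stack calls the
# session modules described in the commits above. Not the shipped RHEL
# file or script. SAMPLE_STACK is constructed from the commit messages;
# "no_pass_expiry" is an assumption about the account-line change.
SAMPLE_STACK='# constructed sample, not the shipped /etc/pam.d/systemd-user
account sufficient pam_unix.so no_pass_expiry
account include    system-auth

session required pam_selinux.so close
session required pam_selinux.so nottys open
session required pam_loginuid.so
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session optional pam_umask.so silent
session required pam_limits.so
session include  system-auth'

# Print the modules of phase $2 (account, session, ...) found in stack text
# $1, one per line in stack order. Comments, blank lines and include/substack
# lines are skipped; a leading "-" (optional module) on the type is ignored.
pam_modules() {
    printf '%s\n' "$1" | awk -v phase="$2" '
        /^[[:space:]]*#/ { next }
        NF == 0          { next }
        { sub(/^-/, "", $1) }
        $1 == phase && $2 != "include" && $2 != "substack" { print $3 }'
}

# Print the required session modules missing from stack text $1 (empty
# output and exit status 0 when the stack is complete, status 1 otherwise).
missing_session_modules() {
    have=$(pam_modules "$1" session)
    missing=
    for m in pam_namespace.so pam_keyinit.so pam_umask.so; do
        if ! printf '%s\n' "$have" | grep -qxF "$m"; then
            missing="$missing $m"
        fi
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Usage against the live file:
#   missing_session_modules "$(cat /etc/pam.d/systemd-user)"
```

Each of the three modules matters for a different reason: without pam_namespace the user manager and every service it spawns escape the polyinstantiated /tmp the login stack set up; without pam_keyinit they inherit no fresh session keyring; and without pam_umask they ignore the UMASK value from /etc/login.defs that interactive sessions honour. The commit messages are explicit that these calls belong in systemd-user rather than the shared @system-auth stack, so checking the shared stack is not a substitute for this check.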
Jan Macku
a7a177e071 systemd-250-4
Resolves: #1982596,#2009237,#2013213,#2052106
2022-02-23 11:09:19 +01:00
Jan Macku
b650a930d3 systemd-250-3
Resolves: #2047768,#2017035
2022-02-08 16:11:14 +01:00
David Tardon
f53bd80383 Switch from gcrypt to openssl
Resolves: #1642072
2022-02-07 15:04:02 +00:00
Michal Sekletar
07a470e853 spec: make sure version string starts with version number
This is an SAP requirement, but at the same time we make it compatible with
RHEL-8.

Related: #2049054
2022-02-07 12:53:07 +00:00
David Tardon
12239cde92 Add runtime Requires on cryptsetup-libs too
Related: #2017541
2022-02-07 11:01:01 +00:00
David Tardon
0ccc6aac5f Add runtime Requires on tpm2-tss
Related: #2017541
2022-02-07 11:01:01 +00:00