`systemd-ukify` requires `/usr/lib/systemd/boot/efi/{addonx64,linuxx64}.efi.stub` to work properly, e.g.
```
Traceback (most recent call last):
File "/usr/bin/ukify", line 1660, in <module>
main()
File "/usr/bin/ukify", line 1648, in main
check_inputs(opts)
File "/usr/bin/ukify", line 390, in check_inputs
value.open().close()
File "/usr/lib64/python3.9/pathlib.py", line 1252, in open
return io.open(self, mode, buffering, encoding, errors, newline,
File "/usr/lib64/python3.9/pathlib.py", line 1120, in _opener
return self._accessor.open(self, flags, mode)
FileNotFoundError: [Errno 2] No such file or directory: '/usr/lib/systemd/boot/efi/addonx64.efi.stub'
```
`/usr/lib/systemd/boot/efi/{addonx64,linuxx64}.efi.stub` are now contained in `systemd-boot-unsigned` sub-package so adding a dependency on it seems like the easiest solution.
Originally reported by: Vitaly Kuznetsov <vkuznets@redhat.com> in https://issues.redhat.com/browse/RHEL-33990
Signed-off-by: Jan Macku <jamacku@redhat.com>
(cherry picked from commit b9ec39c0efa664f18666c8c94140f3bbfb0bca3b)
Resolves: RHEL-33990
A call to pam_namespace is required so that children of user@.service end up in
a namespace as expected. pam_namespace gets called as part of the stack that
creates a session (login, sshd, gdm, etc.) and those processes end up in a
namespace, but it also needs to be called from our stack which is parallel and
descends from pid1 itself.
The call to pam_namespace is similar to the call to pam_keyinit that was added
in ab79099. The pam stack for user@.service
creates a new session which is disconnected from the parent environment. Both
calls are not suitable for inclusion in the shared part of the stack (e.g.
@system-auth on Fedora/RHEL systems), because for example su/sudo/runuser
should not include them.
Fixes#17043 (Allow to execute user service into dedicated namespace
if pam_namespace enabled)
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1861836
(Polyinstantiation is ignored/bypassed in GNOME sessions)
rhel-only
Resolves: #2218184
Setting umask for user sessions via UMASK setting in /etc/login.defs is
a well-known feature. Let's make sure that user manager also runs with
this umask value.
rhel-only
Resolves: #2210145
... (rhbz#2104141)
In the first version, I wanted to use POSIX quotes with $''. But that required
'printf %q', which brings in a dependency on coreutils.
Following mcr0mmand's suggestion, ${foo@Q} is used instead, which should work
equivalently, and does not require anything new.
Tested with 'sysusers.generate-pre.sh /usr/lib/sysusers.d/*conf'. The output is
the same before and after, apart from the dovecot user with a quote.
rhel-only
Resolves: #2217149
We need to use a mix of spaces and tabs: the tabs are removed because of -EOF,
and then the spaces indent the output. Jesus.
rhel-only
Resolves: #2217149
This tweaks the sysusers.d handling logic so that 'm' entries are
now translated to a series of groupadd + useradd + usermod call.
The last usermod call is the notable change, effectively affecting
the list of secondary groups now.
rhel-only
Resolves: #2217149
There should be almost no functional change, but shellcheck complains
less. User/group descriptions with escaped characters are handled
properly.
rhel-only
Resolves: #2217149
Without that patch, on every package upgrade, a 'systemd' is forcibly appended
to passwd and group in nsswitch.conf which is not desirable for some customers.
It is required until authselect change introduction in RHEL.
RHEL-only
Resolves: #2176337