A call to pam_namespace is required so that children of user@.service end up in
a namespace as expected. pam_namespace gets called as part of the stack that
creates a session (login, sshd, gdm, etc.) and those processes end up in a
namespace, but it also needs to be called from our stack which is parallel and
descends from pid1 itself.
The call to pam_namespace is similar to the call to pam_keyinit that was added
in ab79099. The pam stack for user@.service
creates a new session which is disconnected from the parent environment. Both
calls are not suitable for inclusion in the shared part of the stack (e.g.
@system-auth on Fedora/RHEL systems), because for example su/sudo/runuser
should not include them.
Fixes #17043 (Allow to execute user service into dedicated namespace
if pam_namespace enabled)
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1861836
(Polyinstantiation is ignored/bypassed in GNOME sessions)
rhel-only
Resolves: #2218184
Setting umask for user sessions via UMASK setting in /etc/login.defs is
a well-known feature. Let's make sure that user manager also runs with
this umask value.
rhel-only
Resolves: #2210145
... (rhbz#2104141)
In the first version, I wanted to use POSIX quotes with $''. But that required
'printf %q', which brings in a dependency on coreutils.
Following mcr0mmand's suggestion, ${foo@Q} is used instead, which should work
equivalently, and does not require anything new.
Tested with 'sysusers.generate-pre.sh /usr/lib/sysusers.d/*conf'. The output is
the same before and after, apart from the dovecot user with a quote.
rhel-only
Resolves: #2217149
We need to use a mix of spaces and tabs: the tabs are removed because of -EOF,
and then the spaces indent the output. Jesus.
rhel-only
Resolves: #2217149
This tweaks the sysusers.d handling logic so that 'm' entries are
now translated to a series of groupadd + useradd + usermod calls.
The last usermod call is the notable change, effectively affecting
the list of secondary groups now.
rhel-only
Resolves: #2217149
There should be almost no functional change, but shellcheck complains
less. User/group descriptions with escaped characters are handled
properly.
rhel-only
Resolves: #2217149
Without that patch, on every package upgrade, a 'systemd' is forcibly appended
to passwd and group in nsswitch.conf which is not desirable for some customers.
It is required until authselect change introduction in RHEL.
RHEL-only
Resolves: #2176337