systemd/fedora-use-system-auth-in-pam-systemd-user.patch
Zbigniew Jędrzejewski-Szmek 2a3fc2e21f Use upstream pam systemd-auth file with a patch, add pam_keyinit
This file changes rarely, but it does every one in a while. And since we have an
independent copy, we forget to adjust it. We have had already two bugs because
of this. I submitted a PR upstream to include pam_namespace (because that makes
sense for all distros), so the diff between upstream and us now is just the
inclusion of system-auth (which is not upstreamable).

Effectively, the only difference right now is that 'pam_keyinit force revoke'
is included. It was added upstream with the comment:

   We want that systemd --user gets its own keyring as usual, even if the
   barebones PAM snippet we ship upstream is used. If we don't do this we get
   the basic keyring systemd --system sets up for us.
2022-12-14 22:35:52 +01:00

32 lines
971 B
Diff

From 4e6479054ae2090b99a50d6ae954d22efc8340a0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 14 Dec 2022 22:24:53 +0100
Subject: [PATCH 4/4] fedora: use system-auth in pam systemd-user
---
src/login/systemd-user.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
index 9a665bd959..703a4b3174 100644
--- a/src/login/systemd-user.in
+++ b/src/login/systemd-user.in
@@ -7,7 +7,7 @@
-account sufficient pam_systemd_home.so
{% endif %}
account sufficient pam_unix.so no_pass_expiry
-account required pam_permit.so
+account include system-auth
{% if HAVE_SELINUX %}
session required pam_selinux.so close
@@ -19,4 +19,4 @@ session required pam_namespace.so
{% if ENABLE_HOMED %}
-session optional pam_systemd_home.so
{% endif %}
-session optional pam_systemd.so
+session include system-auth
--
2.38.1