From afb90ea5348520d11144cc40badbdaad1dd57077 Mon Sep 17 00:00:00 2001
From: Ray Strode
Date: Aug 30 2016 20:44:41 +0000
Subject: - Fix autologin
---
diff --git a/fix-autologin.patch b/fix-autologin.patch
new file mode 100644
index 0000000..f20a316
--- /dev/null
+++ b/fix-autologin.patch
@@ -0,0 +1,154 @@
+From 0a7779b47319eb47b4d5d51f6eb653434c204c29 Mon Sep 17 00:00:00 2001
+From: Ray Strode
+Date: Tue, 30 Aug 2016 16:10:19 -0400
+Subject: [PATCH 1/2] pam_gdm: return AUTHINFO_UNAVAIL if kernel keyring
+ unavailable
+
+right now we return PAM_SUCCESS if keyutils are unavailable.
+This is the wrong default, we should fail if we aren't able to
+get the password.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=770612
+---
+ pam_gdm/pam_gdm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pam_gdm/pam_gdm.c b/pam_gdm/pam_gdm.c
+index 7beb04e..f491b8d 100644
+--- a/pam_gdm/pam_gdm.c
++++ b/pam_gdm/pam_gdm.c
+@@ -31,61 +31,61 @@
+ #include
+ #endif
+
+ int
+ pam_sm_authenticate (pam_handle_t *pamh,
+ int flags,
+ int argc,
+ const char **argv)
+ {
+ #ifdef HAVE_KEYUTILS
+ int r;
+ void *cached_password = NULL;
+ key_serial_t serial;
+
+ serial = find_key_by_type_and_desc ("user", "cryptsetup", 0);
+ if (serial == 0)
+ return PAM_AUTHINFO_UNAVAIL;
+
+ r = keyctl_read_alloc (serial, &cached_password);
+ if (r < 0)
+ return PAM_AUTHINFO_UNAVAIL;
+
+ r = pam_set_item (pamh, PAM_AUTHTOK, cached_password);
+
+ free (cached_password);
+
+ if (r < 0)
+ return PAM_AUTH_ERR;
+ #endif
+
+- return PAM_SUCCESS;
++ return PAM_AUTHINFO_UNAVAIL;
+ }
+
+ int
+ pam_sm_setcred (pam_handle_t *pamh,
+ int flags,
+ int argc,
+ const char **argv)
+ {
+ return PAM_SUCCESS;
+ }
+
+ int
+ pam_sm_acct_mgmt (pam_handle_t *pamh,
+ int flags,
+ int argc,
+ const char **argv)
+ {
+ return PAM_SUCCESS;
+ }
+
+ int
+ pam_sm_chauthtok (pam_handle_t *pamh,
+ int flags,
+ int argc,
+ const char **argv)
+ {
+ return PAM_SUCCESS;
+ }
+
+ int
+--
+2.7.4
+
+
+From 5716de2c0ec11a77c279c6952ea76d173d46b0e3 Mon Sep 17 00:00:00 2001
+From: Ray Strode
+Date: Tue, 30 Aug 2016 15:58:15 -0400
+Subject: [PATCH 2/2] pam: don't call into pam_unix if pam_gdm fails for
+ autolgoin
+
+If pam_gdm fails we shouldn't call into pam_unix since it can lead
+to the system asking for a password, and autologin isn't equipped for
+that.
+
+This commit changes the pam configuration to jump to pam_permit if
+pam_gdm fails.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=770612
+---
+ data/pam-exherbo/gdm-autologin.pam | 4 ++--
+ data/pam-redhat/gdm-autologin.pam | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/data/pam-exherbo/gdm-autologin.pam b/data/pam-exherbo/gdm-autologin.pam
+index afde048..61f8e54 100644
+--- a/data/pam-exherbo/gdm-autologin.pam
++++ b/data/pam-exherbo/gdm-autologin.pam
+@@ -1,15 +1,15 @@
+ # mirrors system-auth / system(-local)-login
+ # except for the authentication method, which is:
+ # always permit login
+
+-auth optional pam_gdm.so
++auth [success=ok default=2] pam_gdm.so
+ auth substack system-local-login
+-auth sufficient pam_permit.so
+ -auth optional pam_gnome_keyring.so
++auth sufficient pam_permit.so
+
+ account include system-local-login
+
+ password include system-local-login
+
+ session include system-local-login
+ -session optional pam_gnome_keyring.so auto_start
+diff --git a/data/pam-redhat/gdm-autologin.pam b/data/pam-redhat/gdm-autologin.pam
+index c2efea8..fbc9d9c 100644
+--- a/data/pam-redhat/gdm-autologin.pam
++++ b/data/pam-redhat/gdm-autologin.pam
+@@ -1,18 +1,18 @@
+ #%PAM-1.0
+-auth optional pam_gdm.so
++auth [success=ok default=2] pam_gdm.so
+ auth substack password-auth
+ auth optional pam_gnome_keyring.so
+ auth sufficient pam_permit.so
+ auth include postlogin
+ account required pam_nologin.so
+ account include system-auth
+ password include system-auth
+ session required pam_selinux.so close
+ session required pam_loginuid.so
+ session optional pam_console.so
+ session required pam_selinux.so open
+ session optional pam_keyinit.so force revoke
+ session required pam_namespace.so
+ session include system-auth
+ session optional pam_gnome_keyring.so auto_start
+ session include postlogin
+--
+2.7.4
+
diff --git a/gdm.spec b/gdm.spec
index 5bcbf6f..04555c0 100644
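Review bot: In the embedded pam_gdm.c hunk, the `HAVE_KEYUTILS` branch of `pam_sm_authenticate` has no success return of its own, so after `pam_set_item` stores the cached passphrase it falls through `#endif` into the new `return PAM_AUTHINFO_UNAVAIL;`. With `[success=ok default=2]` in both gdm-autologin.pam files, pam_gdm then never reports success and the auth stack always jumps over the substack and pam_gnome_keyring, the two auth-phase modules that would consume that passphrase; adding `return PAM_SUCCESS;` just before `#endif` would leave the new AUTHINFO_UNAVAIL result to builds without keyutils. Separately, Linux-PAM status codes are non-negative, so `if (r < 0)` after `pam_set_item` cannot see a failure, and `if (r != PAM_SUCCESS) return PAM_AUTH_ERR;` would. The buffer returned by `keyctl_read_alloc` holds the passphrase and is handed to `free` without being cleared first, which is worth fixing while this function is being touched.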
--- a/gdm.spec +++ b/gdm.spec @@ -10,7 +10,7 @@ Summary: The GNOME Display Manager Name: gdm Version: 3.21.90 -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 1 License: GPLv2+ Group: User Interface/X @@ -86,6 +86,8 @@ Provides: gdm-plugin-smartcard = %{epoch}:%{version}-%{release} Obsoletes: gdm-plugin-fingerprint < 1:3.2.1 Provides: gdm-plugin-fingerprint = %{epoch}:%{version}-%{release} +Patch0: fix-autologin.patch + %description GDM provides the graphical login screen, shown shortly after boot up, log out, and when user-switching. @@ -101,6 +103,7 @@ files needed to build custom greeters. %prep %setup -q +%patch0 -p1 -b .fix-autologin autoreconf -i -f intltoolize -f @@ -295,6 +298,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor >&/dev/null || : %{_libdir}/pkgconfig/gdm.pc %changelog +* Tue Aug 30 2016 Ray Strode - 1:3.21.90-2 +- Fix autologin + * Tue Aug 23 2016 Kalev Lember - 1:3.21.90-1 - Update to 3.21.90