PR#16: pam_fprintd.so releated fixes for F34 - rpms/pam

rpms / pam

#16 pam_fprintd.so releated fixes for F34

Merged 3 years ago by ipedrosa. Opened 3 years ago by benzea.

rpms/ benzea/pam f34 into f34

Add script to avoid fingerprint-auth issues for long term Fedora users

Benjamin Berg • 3 years ago

1d8ac5d

Clean auto-generated message from pam stack files

Iker Pedrosa • 3 years ago

ea80571

Return PAM_AUTHINFO_UNAVAIL from pam_fprintd.so

Benjamin Berg • 3 years ago

dff39dc

fingerprint-auth.pamd

file modified

+1 -3

		`@@ -1,8 +1,6 @@`
		`#%PAM-1.0`
		`- # This file is auto-generated.`
		`- # User changes will be destroyed the next time authselect is run.`
		`auth required pam_env.so`
		`- auth sufficient pam_fprintd.so`
		`+ auth [success=done default=bad] pam_fprintd.so`
		`auth required pam_deny.so`

		`account required pam_unix.so`

pam.spec

file modified

+24 -1

		`@@ -3,7 +3,7 @@`
		`Summary: An extensible library which provides authentication for applications`
		`Name: pam`
		`Version: 1.5.1`
		`- Release: 3%{?dist}`
		`+ Release: 5%{?dist}`
		`# The library is BSD licensed with option to relicense as GPLv2+`
		`# - this option is redundant as the BSD license allows that anyway.`
		`# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.`
		`@@ -361,7 +361,30 @@`
		`%doc doc/txts`
		`%doc doc/sag/*.txt doc/sag/html`

		`+ %posttrans`
		`+`
		`+ # For people upgrading from older Fedora versions, authselect might not be`
		`+ # enabled or unable to do anything due to e.g. a modified nsswitch.conf.`
		`+ # The following snippets apply important fixes in those cases.`
		`+`
		`+ # Change pam_fprintd.so in fingerprint-auth from sufficient to [success=done default=bad]`
		`+ # in order for PAM_AUTHINFO_UNAVAIL error codes to be propagated.`
		`+ FILE="$(readlink -f %{_sysconfdir}/pam.d/fingerprint-auth \|\| echo %{_sysconfdir}/pam.d/fingerprint-auth)"`
		`+ test "$FILE" != %{_sysconfdir}/authselect/fingerprint-auth && \`
		`+ %__grep -q '^auth[[:space:]]\+sufficient[[:space:]]\+pam_fprintd.so' $FILE && \`
		`+ %__sed -i.bak -e 's/^auth[[:space:]]\+sufficient[[:space:]]\+pam_fprintd.so$.*$/auth [success=done default=bad] pam_fprintd.so\1/g' $FILE`
		`+`
		`+ exit 0`
		`+`
		`%changelog`
		`+ * Fri Apr 16 2021 Benjamin Berg <bberg@redhat.com> - 1.5.1-5`
		`+ - Add script to avoid fingerprint-auth issues for long term Fedora users`
		`+ Resolves: #1942443`
		`+`
		`+ * Mon Apr 12 2021 Iker Pedrosa <ipedrosa@redhat.com> - 1.5.1-4`
		`+ - Change fingerprint-auth.pamd to return PAM_AUTHINFO_UNAVAIL from pam_fprintd.so`
		`+ - Clean auto-generated message from pam stack files`
		`+`
		`* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.1-3`
		`- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild`

password-auth.pamd

file modified

-2

		`@@ -1,6 +1,4 @@`
		`#%PAM-1.0`
		`- # This file is auto-generated.`
		`- # User changes will be destroyed the next time authselect is run.`
		`auth required pam_env.so`
		`auth sufficient pam_unix.so try_first_pass nullok`
		`auth required pam_deny.so`

postlogin.pamd

file modified

-3

		`@@ -1,7 +1,4 @@`
		`#%PAM-1.0`
		`- # This file is auto-generated.`
		`- # User changes will be destroyed the next time authselect is run.`
		`-`
		`session optional pam_umask.so silent`
		`session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet`
		`session [default=1] pam_lastlog.so nowtmp showfailed`

smartcard-auth.pamd

file modified

-2

		`@@ -1,6 +1,4 @@`
		`#%PAM-1.0`
		`- # This file is auto-generated.`
		`- # User changes will be destroyed the next time authselect is run.`
		`auth required pam_env.so`
		`auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card`
		`auth required pam_deny.so`

system-auth.pamd

file modified

-2

		`@@ -1,6 +1,4 @@`
		`#%PAM-1.0`
		`- # This file is auto-generated.`
		`- # User changes will be destroyed the next time authselect is run.`
		`auth required pam_env.so`
		`auth sufficient pam_unix.so try_first_pass nullok`
		`auth required pam_deny.so`

benzea commented 3 years ago

Pull in pam_fprintd.so fixes into F34 and add scriptlet to fix users upgrading from old Fedora releases (it is not quite clear how old, but some people are upgrading since F27 or even older).

Note that #1942443 is an accepted freeze exception.

It is important that anyone upgrading from F33 will get the scriptlet executed. I suspect we don't need it in F35 as a direct F33 -> F35 upgrade is not supported.

CC: @pbrezina

zuul commented 3 years ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci

check-for-arches : SUCCESS in 1m 14s
rpm-scratch-build : SUCCESS in 10m 49s
rpm-scratch-build-s390x : SUCCESS in 11m 16s (non-voting)
rpm-scratch-build-ppc64le : SUCCESS in 14m 20s (non-voting)
rpm-scratch-build-i686 : SUCCESS in 9m 56s (non-voting)
rpm-scratch-build-armv7hl : SUCCESS in 14m 18s (non-voting)
rpm-scratch-build-aarch64 : SUCCESS in 12m 32s (non-voting)
rpm-linter : FAILURE in 3m 45s
rpm-rpminspect : FAILURE in 8m 27s (non-voting)
check-for-tests : SUCCESS in 1m 44s
rpm-install-test : SKIPPED
rpm-test : FAILURE in 5m 18s

ipedrosa commented 3 years ago

I wonder, wouldn't it be better to remove the noreplace in https://src.fedoraproject.org/rpms/pam/blob/f34/f/pam.spec#_243? This way the update script will replace fingerprint-auth file and copy the old one in fingerprint-auth.rpmsave. @pbrezina what do you think?

benzea commented 3 years ago

If everything is working correctly, then /etc/pam.d/fingerprint-auth is a symlink to /etc/authselect/fingerprint-auth and this file is managed by authselect.

Not sure what would happen if one removes the noreplace, but it sounds like that might cause PAM to override the authselect changes. And we really do not want that to ever happen.

pbrezina commented 3 years ago

If everything is working correctly, then /etc/pam.d/fingerprint-auth is a symlink to /etc/authselect/fingerprint-auth and this file is managed by authselect.

Not sure what would happen if one removes the noreplace, but it sounds like that might cause PAM to override the authselect changes. And we really do not want that to ever happen.

Not only authselect. Keep in mind that users can overwrite PAM stack and tailor it to their need (and they often do). Removing noreplace would replace perfectly correct customized configurations with each pam update. Therefore updates can't be delivered with pam package, this is something that authselect solves.

pbrezina commented 3 years ago

I'm not a fan of this kind of scriptlets but unfortunately it seems that we can't avoid it in this situation. Hopefully, things will improve soon.

benzea commented 3 years ago

Yeah, this scriptlet is really ugly. Unfortunately it seems like the best option we have if we don't want to leave long-term Fedora users out in the cold when they upgrade :-/

ipedrosa commented 3 years ago

I see why we can't use that method. Thanks for clarifying it.

I'll merge this PR tomorrow morning as it's fine for me.

benzea commented 3 years ago

@ipedrosa, it seems that it would be good to get a build today for F34 RC. If you don't get around to that, then someone else might do the package build to push it through.

ipedrosa commented 3 years ago

Thank you for the patch.