systemd/0011-core-disable-session-keyring-per-system-sevice-entir.patch
Franck Bui c939ecec0c - Upgrade to v246.4 (commit f1344d5b7f31e98aedb01e606f41d74d3caaf446)
See https://github.com/openSUSE/systemd/blob/SUSE/v246/NEWS for
  details. 
  Now that the number of SUSE specific patches has been shrinked and
  is pretty low (12 at the time of this writing), they are no more
  tracked by the git repo and are now handled at the package
  level. Hence It is easier to maintain and identify them. This
  effectively means that SUSE/v246 will contain upstream commits only.

OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1113
2020-09-04 06:47:46 +00:00

46 lines
1.6 KiB
Diff

From e5b3d1d00bbdbcb168889699c462bf01b58062a5 Mon Sep 17 00:00:00 2001
From: Franck Bui <fbui@suse.com>
Date: Thu, 6 Jul 2017 15:48:10 +0200
Subject: [PATCH 11/12] core: disable session keyring per system sevice
entirely for now
Until PAM module "pam_keyinit" is fully integrated in SUSE's PAM stack, this
feature has to be disabled.
openSUSE is still not ready for enabling the keyring stuff (see
bsc#1081947). Some services got fixed (sshd, getty@.service) but some still
haven't (xdm, login, ...)
So leave it disabled again otherwise different users might end up using the
same session keyring - the one created for the service used for logging in
(sshd, getty@.service, xdm, etc...)
The integration of pam_keyinit is tracked here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1081947
See also:
https://github.com/systemd/systemd/pull/6286
[fbui: fixes boo#1045886]
---
src/core/execute.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/core/execute.c b/src/core/execute.c
index 2a4840a3a9..aefd4eaff1 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2779,6 +2779,9 @@ static int setup_keyring(
assert(context);
assert(p);
+ /* SUSE: pam_keyinit is still not fully integrated to SUSE's PAM stack... */
+ return 0;
+
/* Let's set up a new per-service "session" kernel keyring for each system service. This has the benefit that
* each service runs with its own keyring shared among all processes of the service, but with no hook-up beyond
* that scope, and in particular no link to the per-UID keyring. If we don't do this the keyring will be
--
2.26.2