Dominique Leuenberger 2019-12-09 20:34:38 +00:00 committed by Git OBS Bridge
commit 21e713f7b7
3 changed files with 47 additions and 1 deletions

@ -0,0 +1,34 @@
Index: pam_mount-2.16/doc/pam_mount.8.in
===================================================================
--- pam_mount-2.16.orig/doc/pam_mount.8.in
+++ pam_mount-2.16/doc/pam_mount.8.in
@@ -51,7 +51,7 @@ volumes are not allowed by the example p
pam_mount.
.SH PAM configuration
.PP
-In addition, you must include two entries in the system's applicable
+In addition, you must include three entries in the system's applicable
/etc/pam.d/\fIservice\fP config files, as the following example shows:
.IP
.nf
@@ -64,9 +64,12 @@ In addition, you must include two entrie
password required pam_pwdb.so shadow nullok use_authtok
session required pam_pwdb.so
session optional pam_console.so
++++ session [success=1 default=ignore] pam_succeed_if.so service = systemd-user
+++ session optional pam_mount.so
.fi
.PP
+The two lines marked "session" must be kept together!
+.PP
When "sufficient" is used in the second column, you must make sure that
pam_mount is added before this entry. Otherwise pam_mount will not get executed
should a previous PAM module succeed. Also be aware of the "include"
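Review bot: The added sentence 'The two lines marked "session" must be kept together!' is ambiguous, because the example now contains four session lines (pam_pwdb.so, pam_console.so, pam_succeed_if.so and pam_mount.so). The requirement comes from `[success=1 default=ignore]`: when pam_succeed_if.so succeeds, PAM skips exactly the next module in the stack, so the pam_succeed_if.so line has to sit directly above `session optional pam_mount.so`. Suggest wording it that way, for example "The pam_succeed_if.so line must immediately precede the session pam_mount.so line", and stating that a module inserted between the two would be the one skipped for systemd-user while pam_mount.so would run.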
@@ -84,6 +87,7 @@ account sufficient pam_ldap.so
auth required pam_mount.so
auth sufficient pam_ldap.so use_first_pass
auth required pam_unix.so use_first_pass
+session [success=1 default=ignore] pam_succeed_if.so service = systemd-user
session optional pam_mount.so
\(bu\(bu\(bu
.fi
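Review bot: The pam_succeed_if.so line added to this second example has no accompanying note about ordering, unlike the first example. Because the skip only works when the line sits directly above `session optional pam_mount.so`, repeat the adjacency requirement after this example or refer back to it, so that a reader who copies only this block does not reorder or separate the two session lines.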

@ -1,3 +1,13 @@
-------------------------------------------------------------------
Mon Nov 25 08:24:18 UTC 2019 - Josef Möllers <josef.moellers@suse.com>
- Systemd-user must be prevented from invoking pam_mount.so in the
"session" management group eg by invoking pam_succeed_if.so to
skip the pam_mount entry when systemd-user is calling
pam_{open,close}_session.
[bsc#1153630,
bsc1153630-prevent-systemd-from-calling-pam_mount.patch]
-------------------------------------------------------------------
Sat Nov 17 09:18:54 UTC 2018 - Matthias Fehring <buschmann23@opensuse.org>
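Review bot: The new entry says systemd-user "must be prevented" from invoking pam_mount.so, but the patch it names only edits doc/pam_mount.8.in, so PAM configuration already installed under /etc/pam.d is not changed by this update. Say in the entry that this is a man page change and that administrators have to add the pam_succeed_if.so line to their own service files. Minor: "eg" should be "e.g.".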

@ -12,7 +12,7 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
@ -34,6 +34,7 @@ Source5: baselibs.conf
Source6: %{name}.keyring
Patch1: pam_mount-0.47-enable-logout-kill.dif
Patch2: pam_mount-2.16-fix-luks2-mount.patch
Patch3: bsc1153630-prevent-systemd-from-calling-pam_mount.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: fdupes
BuildRequires: libtool
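Review bot: Patch3 is added without a comment line describing it. A short tag above the entry, such as "# PATCH-FIX-OPENSUSE bsc#1153630" with a few words on what it changes, would let later maintainers see from the spec file that this patch only touches the man page and whether it has been sent upstream.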
@ -101,6 +102,7 @@ and transparent use of the OS's crypto layer.
%setup -q
%patch -P 1 -p1
%patch -P 2 -p1
%patch -P 3 -p1
%build
%configure --disable-static --with-slibdir="/%_lib" \