- Update systemd-user PAM service again
Change the default implementation of pam_setcred() again, previously customized to run the full "auth" PAM stack and only call pam_deny.so which is basically the SUSE default behavior without pam_warn.so. This is considered safer, especially on SLE where a regression was spotted by QA. OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1217
This commit is contained in:
Franck Bui
Git OBS Bridge
parent
493d5f22b9
commit
c3f45bf95e
21
systemd-user
21
systemd-user
@ -2,18 +2,19 @@
|
||||
#
|
||||
# Used by systemd --user instances.
|
||||
|
||||
# This is not about authentication per se (user@.service is a system
|
||||
# service anyway) but to give the possibility to user services
|
||||
# (especially those like gnome-terminal, see [1]) to have theirs
|
||||
# credentials extended similar to the ones received by a user when he
|
||||
# logs in (and the full PAM authentication stack is run). See [2] and
|
||||
# [3] for details.
|
||||
# Override the default behavior of the "auth" PAM stack and don't throw a
|
||||
# warning each time a user instance is started, which is the default behavior of
|
||||
# the PAM stack when no auth is defined. Indeed PID1 calls pam_setcred() when
|
||||
# the user instance is about to be started to allow some user services, such as
|
||||
# gnome-terminal, to extend theirs credentials similar to the ones received by a
|
||||
# user when he logs in (and the full PAM authentication stack is run). For some
|
||||
# details, see:
|
||||
#
|
||||
# [1] https://gitlab.gnome.org/GNOME/gdm/-/issues/393
|
||||
# [2] https://github.com/systemd/systemd/issues/11198
|
||||
# [3] https://bugzilla.suse.com/show_bug.cgi?id=1190515
|
||||
# https://gitlab.gnome.org/GNOME/gdm/-/issues/393
|
||||
# https://github.com/systemd/systemd/issues/11198
|
||||
# https://bugzilla.suse.com/show_bug.cgi?id=1190515
|
||||
#
|
||||
auth include common-auth
|
||||
auth required pam_deny.so
|
||||
|
||||
account include common-account
|
||||
|
||||
|
||||
@ -1,3 +1,15 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Jan 4 08:23:19 UTC 2022 - Franck Bui <fbui@suse.com>
|
||||
|
||||
- Update systemd-user PAM service again
|
||||
|
||||
Change the default implementation of pam_setcred() again, previously
|
||||
customized to run the full "auth" PAM stack and only call pam_deny.so which is
|
||||
basically the SUSE default behavior without pam_warn.so.
|
||||
|
||||
This is considered safer, especially on SLE where a regression was spotted by
|
||||
QA.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Dec 7 12:05:55 UTC 2021 - Ludwig Nussel <lnussel@suse.de>
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package systemd
|
||||
#
|
||||
# Copyright (c) 2021 SUSE LLC
|
||||
# Copyright (c) 2022 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
|
||||
Loading…
Reference in New Issue
Block a user