Accepting request 1077756 from GNOME:Factory

- Create two set of pam configuration files:
  + *-sle.pamd are for SLES15 and older
  + add postlogin-* includes to the others as required by openSUSEs
    PAM config policy

OBS-URL: https://build.opensuse.org/request/show/1077756
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gdm?expand=0&rev=253

gdm-autologin-sle.pamd

@@ -0,0 +1,11 @@
+#%PAM-1.0
+# GDM PAM configuration for autologin
+auth     requisite      pam_nologin.so
+auth     required       pam_permit.so
+auth     optional       pam_gdm.so
+auth     optional       pam_gnome_keyring.so
+account  include        common-account
+password include        common-password
+session  required       pam_loginuid.so
+session  optional       pam_keyinit.so force revoke
+session  include        common-session

gdm-autologin.pamd

@@ -4,8 +4,11 @@ auth     requisite      pam_nologin.so
 auth     required       pam_permit.so
 auth     optional       pam_gdm.so
 auth     optional       pam_gnome_keyring.so
-account  include        common-account
-password include        common-password
+account  substack       common-account
+account  include        postlogin-account
+password substack       common-password
+password include        postlogin-password
 session  required       pam_loginuid.so
 session  optional       pam_keyinit.so force revoke
-session  include        common-session
+session  substack       common-session
+session  include        postlogin-session

gdm-fingerprint-sle.pamd

@@ -0,0 +1,17 @@
+#%PAM-1.0
+
+auth       required                    pam_shells.so
+auth       requisite                   pam_nologin.so
+auth       requisite                   pam_faillock.so      preauth
+auth       required                    pam_fprintd.so
+auth       optional                    pam_permit.so
+auth       required                    pam_env.so
+auth       [success=ok default=1]      pam_gdm.so
+auth       optional                    pam_gnome_keyring.so
+
+account    include                     common-account
+
+password   required                    pam_deny.so
+
+session    include                     common-session
+session    optional                    pam_gnome_keyring.so auto_start

gdm-fingerprint.pamd

@@ -9,9 +9,11 @@ auth       required                    pam_env.so
 auth       [success=ok default=1]      pam_gdm.so
 auth       optional                    pam_gnome_keyring.so
 
+account    substack                    common-account
 account    include                     common-account
 
 password   required                    pam_deny.so
 
-session    include                     common-session
+session    substack                    common-session
+session    include                     postlogin-session
 session    optional                    pam_gnome_keyring.so auto_start

gdm-sle.pamd

@@ -0,0 +1,9 @@
+#%PAM-1.0
+# GDM PAM standard configuration (with passwords)
+auth     requisite      pam_nologin.so
+auth     include        common-auth
+account  include        common-account
+password include        common-password
+session  required       pam_loginuid.so
+session  optional       pam_keyinit.so force revoke
+session  include        common-session

gdm-smartcard-sle.pamd

@@ -0,0 +1,17 @@
+#%PAM-1.0
+
+auth       requisite                   pam_faillock.so      preauth
+auth       required                    pam_pkcs11.so        wait_for_card card_only
+auth       required                    pam_shells.so
+auth       requisite                   pam_nologin.so
+auth       optional                    pam_permit.so
+auth       required                    pam_env.so
+auth       [success=ok default=1]      pam_gdm.so
+auth       optional                    pam_gnome_keyring.so
+
+account    include                     common-account
+
+password   required                    pam_deny.so
+
+session    include                     common-session
+session    optional                    pam_gnome_keyring.so auto_start

gdm-smartcard.pamd

@@ -9,9 +9,11 @@ auth       required                    pam_env.so
 auth       [success=ok default=1]      pam_gdm.so
 auth       optional                    pam_gnome_keyring.so
 
-account    include                     common-account
+account    substack                    common-account
+account    include                     postlogin-account
 
 password   required                    pam_deny.so
 
-session    include                     common-session
+session    substack                    common-session
+session    include                     postlogin-session
 session    optional                    pam_gnome_keyring.so auto_start

gdm.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Mar 28 11:34:53 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>
+
+- Create two set of pam configuration files:
+  + *-sle.pamd are for SLES15 and older
+  + add postlogin-* includes to the others as required by openSUSEs
+    PAM config policy
+
 -------------------------------------------------------------------
 Mon Mar 20 16:07:47 UTC 2023 - Bjørn Lie <bjorn.lie@gmail.com>
 

gdm.pamd

@@ -1,9 +1,13 @@
 #%PAM-1.0
 # GDM PAM standard configuration (with passwords)
 auth     requisite      pam_nologin.so
-auth     include        common-auth
-account  include        common-account
-password include        common-password
+auth     substack       common-auth
+auth     include        postlogin-auth
+account  substack       common-account
+account  include        postlogin-account
+password substack       common-password
+password include        postlogin-password
 session  required       pam_loginuid.so
 session  optional       pam_keyinit.so force revoke
-session  include        common-session
+session  substack       common-session
+session  include        postlogin-session

gdm.spec

@@ -50,6 +50,11 @@ Source9:        gdm.tmpfiles
 Source10:       reserveVT.conf
 # Use sysusers to create gdm system user
 Source11:       gdm.sysusers
+# PAM configuration files for SLE15 and older
+Source12:       gdm-sle.pamd
+Source13:       gdm-autologin-sle.pamd
+Source14:       gdm-fingerprint-sle.pamd
+Source15:       gdm-smartcard-sle.pamd
 # WARNING: do not remove/significantly change patch0 without updating the relevant patch in accountsservice too
 # PATCH-FIX-OPENSUSE gdm-s390-not-require-g-s-d_wacom.patch bsc#1129412 yfjiang@suse.com -- Remove the runtime requirement of g-s-d Wacom plugin
 Patch0:         gdm-s390-not-require-g-s-d_wacom.patch
@@ -273,18 +278,31 @@ running display manager.
 %meson_install
 ## Install PAM files.
 mkdir -p %{buildroot}%{_pam_vendordir}
+# Pam config for the greeter session
+cp %{SOURCE3} %{buildroot}%{_pam_vendordir}/gdm-launch-environment
+%if 0%{?suse_version} >= 1550
 # Generic pam config
 cp %{SOURCE1} %{buildroot}%{_pam_vendordir}/gdm
 # Pam config for autologin
 cp %{SOURCE2} %{buildroot}%{_pam_vendordir}/gdm-autologin
-# Pam config for the greeter session
-cp %{SOURCE3} %{buildroot}%{_pam_vendordir}/gdm-launch-environment
 %if %{enable_split_authentication}
 # Pam config for fingerprint authentication
 cp %{SOURCE4} %{buildroot}%{_pam_vendordir}/gdm-fingerprint
 # Pam config for smartcard authentication
 cp %{SOURCE5} %{buildroot}%{_pam_vendordir}/gdm-smartcard
 %endif
+%else
+# Generic pam config
+cp %{SOURCE12} %{buildroot}%{_pam_vendordir}/gdm
+# Pam config for autologin
+cp %{SOURCE13} %{buildroot}%{_pam_vendordir}/gdm-autologin
+%if %{enable_split_authentication}
+# Pam config for fingerprint authentication
+cp %{SOURCE14} %{buildroot}%{_pam_vendordir}/gdm-fingerprint
+# Pam config for smartcard authentication
+cp %{SOURCE15} %{buildroot}%{_pam_vendordir}/gdm-smartcard
+%endif
+%endif
 # The default gdm pam configuration is the one to be used as pam-password too
 ln -s gdm %{buildroot}%{_pam_vendordir}/gdm-password
 ## Install other files