From ffad028ee5d1828e6b29fec66a2084a12e6f3c87284dc2b7b33c02e3dd94f135 Mon Sep 17 00:00:00 2001 From: Franck Bui Date: Tue, 23 Nov 2021 15:38:41 +0000 Subject: [PATCH 1/4] Reference jsc#SLE-17798 in the changelog OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1214 --- systemd.changes | 1 + 1 file changed, 1 insertion(+) diff --git a/systemd.changes b/systemd.changes index ea9ee3fc..9aaf613f 100644 --- a/systemd.changes +++ b/systemd.changes @@ -281,6 +281,7 @@ Mon Aug 2 12:54:44 UTC 2021 - Franck Bui This includes the following bug fixes: - upstream commit 6fb61918ccdd0610b425d5b0e5417751f8f8f783 (bsc#1182870) + - upstream commit 6fe2a70b9160e35fdeed9d37bd31727c2d46a8b2 (jsc#SLE-17798) - Rebased 0002-rc-local-fix-ordering-startup-for-etc-init.d-boot.lo.patch 0012-resolved-create-etc-resolv.conf-symlink-at-runtime.patch From 3fdff99e48beb74b65b386fb7ca74c76d65f7c258a0aa4642f46f27287b61011 Mon Sep 17 00:00:00 2001 From: Franck Bui Date: Thu, 25 Nov 2021 10:00:18 +0000 Subject: [PATCH 2/4] Accepting request 933656 from home:lnussel:branches:Base:System - Replace S:$n references with SOURCE$n. Makes vim * search work. OBS-URL: https://build.opensuse.org/request/show/933656 OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1215 --- systemd.changes | 5 +++++ systemd.spec | 14 +++++++------- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/systemd.changes b/systemd.changes index 9aaf613f..a4f9a49a 100644 --- a/systemd.changes +++ b/systemd.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Wed Nov 24 10:40:01 UTC 2021 - Ludwig Nussel + +- Replace S:$n references with SOURCE$n. Makes vim * search work. + ------------------------------------------------------------------- Mon Nov 22 08:48:12 UTC 2021 - Franck Bui diff --git a/systemd.spec b/systemd.spec index 522090e0..6a9741d8 100644 --- a/systemd.spec +++ b/systemd.spec 
@@ -725,8 +725,8 @@ rm %{buildroot}%{_mandir}/man1/resolvconf.1*
 mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/sysv-convert
 mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/migrated
-install -m0755 -D %{S:3} %{buildroot}/%{_prefix}/lib/systemd/systemd-sysv-convert
-install -m0755 -D %{S:4} %{buildroot}/%{_prefix}/lib/systemd/systemd-sysv-install
+install -m0755 -D %{SOURCE3} %{buildroot}/%{_prefix}/lib/systemd/systemd-sysv-convert
+install -m0755 -D %{SOURCE4} %{buildroot}/%{_prefix}/lib/systemd/systemd-sysv-install
 %endif
 mkdir -p % %{buildroot}%{_sysconfdir}/systemd/network
@@ -735,7 +735,7 @@ mkdir -p % %{buildroot}%{_sysconfdir}/systemd/nspawn
 # Package the scripts used to fix all packaging issues. Also drop the
 # "scripts-{systemd/udev}" prefix which is used because osc doesn't
 # allow directory structure...
-for s in %{S:100} %{S:101} %{S:102}; do
+for s in %{SOURCE100} %{SOURCE101} %{SOURCE102}; do
 install -m0755 -D $s %{buildroot}%{_prefix}/lib/systemd/scripts/${s#*/scripts-systemd-}
 done
@@ -759,7 +759,7 @@ rm -rf %{buildroot}/etc/systemd/system/*.target.{requires,wants}
 rm -f %{buildroot}/etc/systemd/system/default.target
 # Replace upstream systemd-user with the openSUSE one.
-install -m0644 -D --target-directory=%{buildroot}%{_pam_vendordir} %{S:2}
+install -m0644 -D --target-directory=%{buildroot}%{_pam_vendordir} %{SOURCE2}
 # don't enable wall ask password service, it spams every console (bnc#747783)
 rm %{buildroot}%{_unitdir}/multi-user.target.wants/systemd-ask-password-wall.path
@@ -824,7 +824,7 @@ mkdir -p %{buildroot}%{_systemd_system_env_generator_dir}
 mkdir -p %{buildroot}%{_systemd_user_env_generator_dir}
 # ensure after.local wrapper is called
-install -m 644 %{S:11} %{buildroot}%{_unitdir}/
+install -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/
 ln -s ../after-local.service %{buildroot}%{_unitdir}/multi-user.target.wants/
 # ghost directories with default permissions.
@@ -867,7 +867,7 @@ echo 'disable *' >%{buildroot}%{_userpresetdir}/99-default.preset
 # still keep the remaining paths that still don't have a better home
 # in suse.conf.
 rm -f %{buildroot}%{_tmpfilesdir}/{etc,home,legacy,tmp,var}.conf
-install -m 644 %{S:5} %{buildroot}%{_tmpfilesdir}/suse.conf
+install -m 644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/suse.conf
 # The content of the files shipped by systemd doesn't match the
 # defaults used by SUSE. Don't ship those files but leave the decision
@@ -891,7 +891,7 @@ fi
 # kbd-model-map.legacy is used to provide mapping for legacy keymaps,
 # which may still be used by yast.
-cat %{S:14} >>%{buildroot}%{_datarootdir}/systemd/kbd-model-map
+cat %{SOURCE14} >>%{buildroot}%{_datarootdir}/systemd/kbd-model-map
 # Don't ship systemd-journald-audit.socket as there's no other way for
 # us to prevent journald from recording audit messages in the journal
From 493d5f22b905611abb0ec99525f15a2546323f530e066d1bc27f4fcb0c19efc7 Mon Sep 17 00:00:00 2001
From: Franck Bui
Date: Tue, 7 Dec 2021 19:29:40 +0000
Subject: [PATCH 3/4] Accepting request 936250 from home:lnussel:branches:Base:System - move files related to static nodes to udev
OBS-URL: https://build.opensuse.org/request/show/936250
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1216
---
 systemd.changes | 5 +++++
 systemd.spec | 4 ++++
 2 files changed, 9 insertions(+)
diff --git a/systemd.changes b/systemd.changes
index a4f9a49a..e87b9a2c 100644
--- a/systemd.changes
+++ b/systemd.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Tue Dec 7 12:05:55 UTC 2021 - Ludwig Nussel
+
+- move files related to static nodes to udev
+
 -------------------------------------------------------------------
 Wed Nov 24 10:40:01 UTC 2021 - Ludwig Nussel
diff --git a/systemd.spec b/systemd.spec
index 6a9741d8..5e637c0c 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -1304,6 +1304,8 @@ fi
 %exclude %{_unitdir}/*.target.wants/systemd-hwdb*.*
 %exclude %{_unitdir}/initrd-udevadm-cleanup-db.service
 %exclude %{_unitdir}/kmod-static-nodes.service
+%exclude %{_unitdir}/sysinit.target.wants/kmod-static-nodes.service
+%exclude %{_tmpfilesdir}/static-nodes-permissions.conf
 %exclude %{_unitdir}/systemd-nspawn@.service
 %if %{with machined}
 %exclude %{_prefix}/lib/systemd/systemd-machined
@@ -1651,6 +1653,8 @@ fi
 %dir %{_unitdir}
 %{_prefix}/lib/systemd/systemd-udevd
 %{_unitdir}/kmod-static-nodes.service
+%{_unitdir}/sysinit.target.wants/kmod-static-nodes.service
+%{_tmpfilesdir}/static-nodes-permissions.conf
 %{_unitdir}/systemd-udev*.service
 %{_unitdir}/systemd-udevd*.socket
 %{_unitdir}/systemd-hwdb*.*
From c3f45bf95e7c43a9ef06619a249213d39a3ed61388b671a986dfec96a981d2be Mon Sep 17 00:00:00 2001
From: Franck Bui
Date: Tue, 4 Jan 2022 08:30:42 +0000
Subject: [PATCH 4/4] - Update systemd-user PAM service again Change the default implementation of pam_setcred() again, previously customized to run the full "auth" PAM stack and only call pam_deny.so which is basically the SUSE default behavior without pam_warn.so. This is considered safer, especially on SLE where a regression was spotted by QA.
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1217
---
 systemd-user | 21 +++++++++++----------
 systemd.changes | 12 ++++++++++++
 systemd.spec | 2 +-
 3 files changed, 24 insertions(+), 11 deletions(-)
diff --git a/systemd-user b/systemd-user
index 3907c885..066515cd 100644
--- a/systemd-user
+++ b/systemd-user
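Review bot: In systemd.spec (patch 3/4, hunks `@@ -1304` and `@@ -1651`), `sysinit.target.wants/kmod-static-nodes.service` and `static-nodes-permissions.conf` change owner from the main package to udev, but nothing visible in these hunks forces both subpackages to the same release. If they can be updated independently, old systemd plus new udev would hit a file conflict, and new systemd plus old udev would leave the system without the tmpfiles snippet for static device node permissions. Both %files lists start and end outside the hunks, so a version lock may already exist there; if it does not, a versioned `Requires:` or `Conflicts:` between the two would cover the upgrade path.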
@@ -2,18 +2,19 @@
 #
 # Used by systemd --user instances.
-# This is not about authentication per se (user@.service is a system
-# service anyway) but to give the possibility to user services
-# (especially those like gnome-terminal, see [1]) to have theirs
-# credentials extended similar to the ones received by a user when he
-# logs in (and the full PAM authentication stack is run). See [2] and
-# [3] for details.
+# Override the default behavior of the "auth" PAM stack and don't throw a
+# warning each time a user instance is started, which is the default behavior of
+# the PAM stack when no auth is defined. Indeed PID1 calls pam_setcred() when
+# the user instance is about to be started to allow some user services, such as
+# gnome-terminal, to extend theirs credentials similar to the ones received by a
+# user when he logs in (and the full PAM authentication stack is run). For some
+# details, see:
 #
-# [1] https://gitlab.gnome.org/GNOME/gdm/-/issues/393
-# [2] https://github.com/systemd/systemd/issues/11198
-# [3] https://bugzilla.suse.com/show_bug.cgi?id=1190515
+# https://gitlab.gnome.org/GNOME/gdm/-/issues/393
+# https://github.com/systemd/systemd/issues/11198
+# https://bugzilla.suse.com/show_bug.cgi?id=1190515
 #
-auth include common-auth
+auth required pam_deny.so
 account include common-account
diff --git a/systemd.changes b/systemd.changes
index e87b9a2c..1b31cf54 100644
--- a/systemd.changes
+++ b/systemd.changes
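Review bot: The rewritten header comment in systemd-user never says what `auth required pam_deny.so` does to the pam_setcred() call it describes: with pam_deny.so as the only auth module the call fails by design, yet the text still reads as if user services get their credentials extended. A line such as `# pam_deny.so makes pam_setcred() fail on purpose: no credentials are set through the "auth" stack for user instances.` would keep a later maintainer from restoring `auth include common-auth` as a presumed fix. How PID1 handles that failure is not visible in this hunk and is worth confirming against the SLE regression the changelog mentions. "theirs credentials" in the new comment should read "their credentials".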
@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Tue Jan 4 08:23:19 UTC 2022 - Franck Bui
+
+- Update systemd-user PAM service again
+
+ Change the default implementation of pam_setcred() again, previously
+ customized to run the full "auth" PAM stack and only call pam_deny.so which is
+ basically the SUSE default behavior without pam_warn.so.
+
+ This is considered safer, especially on SLE where a regression was spotted by
+ QA.
+
 -------------------------------------------------------------------
 Tue Dec 7 12:05:55 UTC 2021 - Ludwig Nussel
diff --git a/systemd.spec b/systemd.spec
index 5e637c0c..616eb386 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package systemd
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed