forked from pool/systemd
- Drop 0011-core-disable-session-keyring-per-system-sevice-entir.patch
Since bsc#1081947 has been addressed, we can attempt to re-enable private session kernel keyring for each system service hence each service gets a session keyring that is specific to the service. OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1278
This commit is contained in:
parent
35f5ab4e2b
commit
6d7a87b727
@ -1,45 +0,0 @@
|
||||
From 67f3fa5aa2781d42c809da9303f81b28544824d8 Mon Sep 17 00:00:00 2001
|
||||
From: Franck Bui <fbui@suse.com>
|
||||
Date: Thu, 6 Jul 2017 15:48:10 +0200
|
||||
Subject: [PATCH 10/11] core: disable session keyring per system sevice
|
||||
entirely for now
|
||||
|
||||
Until PAM module "pam_keyinit" is fully integrated in SUSE's PAM stack, this
|
||||
feature has to be disabled.
|
||||
|
||||
openSUSE is still not ready for enabling the keyring stuff (see
|
||||
bsc#1081947). Some services got fixed (sshd, getty@.service) but some still
|
||||
haven't (xdm, login, ...)
|
||||
|
||||
So leave it disabled again otherwise different users might end up using the
|
||||
same session keyring - the one created for the service used for logging in
|
||||
(sshd, getty@.service, xdm, etc...)
|
||||
|
||||
The integration of pam_keyinit is tracked here:
|
||||
https://bugzilla.opensuse.org/show_bug.cgi?id=1081947
|
||||
|
||||
See also:
|
||||
https://github.com/systemd/systemd/pull/6286
|
||||
|
||||
[fbui: fixes boo#1045886]
|
||||
---
|
||||
src/core/execute.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/src/core/execute.c b/src/core/execute.c
|
||||
index 2a337b55a2..b5a1a3b6e5 100644
|
||||
--- a/src/core/execute.c
|
||||
+++ b/src/core/execute.c
|
||||
@@ -3356,6 +3356,9 @@ static int setup_keyring(
|
||||
assert(context);
|
||||
assert(p);
|
||||
|
||||
+ /* SUSE: pam_keyinit is still not fully integrated to SUSE's PAM stack... */
|
||||
+ return 0;
|
||||
+
|
||||
/* Let's set up a new per-service "session" kernel keyring for each system service. This has the benefit that
|
||||
* each service runs with its own keyring shared among all processes of the service, but with no hook-up beyond
|
||||
* that scope, and in particular no link to the per-UID keyring. If we don't do this the keyring will be
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,3 +1,12 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Apr 19 11:17:03 UTC 2022 - Franck Bui <fbui@suse.com>
|
||||
|
||||
- Drop 0011-core-disable-session-keyring-per-system-sevice-entir.patch
|
||||
|
||||
Since bsc#1081947 has been addressed, we can attempt to re-enable private
|
||||
session kernel keyring for each system service hence each service gets a
|
||||
session keyring that is specific to the service.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Apr 19 07:30:31 UTC 2022 - Franck Bui <fbui@suse.com>
|
||||
|
||||
|
@ -195,7 +195,6 @@ Patch5: 0005-udev-create-default-symlinks-for-primary-cd_dvd-driv.patch
|
||||
Patch8: 0008-sysv-generator-translate-Required-Start-into-a-Wants.patch
|
||||
%endif
|
||||
Patch10: 0001-conf-parser-introduce-early-drop-ins.patch
|
||||
Patch11: 0011-core-disable-session-keyring-per-system-sevice-entir.patch
|
||||
Patch12: 0009-pid1-handle-console-specificities-weirdness-for-s390.patch
|
||||
|
||||
# Temporary workaround until bsc#1197178 is addressed.
|
||||
|
Loading…
Reference in New Issue
Block a user