forked from pool/systemd
- Update systemd-user PAM service again
Change the default implementation of pam_setcred() again, previously customized to run the full "auth" PAM stack and only call pam_deny.so which is basically the SUSE default behavior without pam_warn.so.

This is considered safer, especially on SLE where a regression was spotted by QA.

OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1217
parent 493d5f22b9
commit c3f45bf95e
21
systemd-user
@ -2,18 +2,19 @@
|
|||||||
#
|
#
|
||||||
# Used by systemd --user instances.
|
# Used by systemd --user instances.
|
||||||
|
|
||||||
# This is not about authentication per se (user@.service is a system
|
# Override the default behavior of the "auth" PAM stack and don't throw a
|
||||||
# service anyway) but to give the possibility to user services
|
# warning each time a user instance is started, which is the default behavior of
|
||||||
# (especially those like gnome-terminal, see [1]) to have theirs
|
# the PAM stack when no auth is defined. Indeed PID1 calls pam_setcred() when
|
||||||
# credentials extended similar to the ones received by a user when he
|
# the user instance is about to be started to allow some user services, such as
|
||||||
# logs in (and the full PAM authentication stack is run). See [2] and
|
# gnome-terminal, to extend theirs credentials similar to the ones received by a
|
||||||
# [3] for details.
|
# user when he logs in (and the full PAM authentication stack is run). For some
|
||||||
|
# details, see:
|
||||||
#
|
#
|
||||||
# [1] https://gitlab.gnome.org/GNOME/gdm/-/issues/393
|
# https://gitlab.gnome.org/GNOME/gdm/-/issues/393
|
||||||
# [2] https://github.com/systemd/systemd/issues/11198
|
# https://github.com/systemd/systemd/issues/11198
|
||||||
# [3] https://bugzilla.suse.com/show_bug.cgi?id=1190515
|
# https://bugzilla.suse.com/show_bug.cgi?id=1190515
|
||||||
#
|
#
|
||||||
auth include common-auth
|
auth required pam_deny.so
|
||||||
|
|
||||||
account include common-account
|
account include common-account
|
||||||
|
|
||||||
|
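Review bot: The rewritten header comment explains why the warning is avoided but not what `auth required pam_deny.so` means for the pam_setcred() call it describes. The old text said the stack was there so that user services such as gnome-terminal could have their credentials extended, and pam_deny.so establishes no credentials, so that purpose is dropped when `auth include common-auth` is replaced. Suggest one extra sentence in the comment stating that credentials are deliberately not extended for user instances and naming which of the listed reports motivated that. In the same comment, "theirs credentials" should read "their credentials", and removing the [1]-[3] markers leaves three URLs with no indication of which one covers which point.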
@ -1,3 +1,15 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Jan 4 08:23:19 UTC 2022 - Franck Bui <fbui@suse.com>
|
||||||
|
|
||||||
|
- Update systemd-user PAM service again
|
||||||
|
|
||||||
|
Change the default implementation of pam_setcred() again, previously
|
||||||
|
customized to run the full "auth" PAM stack and only call pam_deny.so which is
|
||||||
|
basically the SUSE default behavior without pam_warn.so.
|
||||||
|
|
||||||
|
This is considered safer, especially on SLE where a regression was spotted by
|
||||||
|
QA.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Dec 7 12:05:55 UTC 2021 - Ludwig Nussel <lnussel@suse.de>
|
Tue Dec 7 12:05:55 UTC 2021 - Ludwig Nussel <lnussel@suse.de>
|
||||||
|
|
||||||
|
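Review bot: The first sentence of the new changelog entry is ambiguous: "previously customized to run the full "auth" PAM stack and only call pam_deny.so" reads as if both halves describe the previous state. Suggest splitting it so that one clause says the service previously ran the full "auth" stack and the next says it now only calls pam_deny.so. The entry also justifies the change with a regression spotted by QA on SLE but gives no bug reference; adding the tracker id would let a reader find what regressed.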
@ -1,7 +1,7 @@
|
|||||||
#
|
#
|
||||||
# spec file for package systemd
|
# spec file for package systemd
|
||||||
#
|
#
|
||||||
# Copyright (c) 2021 SUSE LLC
|
# Copyright (c) 2022 SUSE LLC
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
|