!31 [sync] PR-30: 【openEuler-22.03-LTS】Fix the failure of login by root

From: @openeuler-sync-bot Reviewed-by: @xiezhipeng1 Signed-off-by: @xiezhipeng1
2023-05-31 02:22:54 +00:00 · 2023-05-31 02:22:54 +00:00 · 87814b2450
commit 87814b2450
parent 3ab5f37585 f30bdb1dfc
2 changed files with 382 additions and 1 deletions
--- a/authselect.spec
+++ b/authselect.spec
@ -1,6 +1,6 @@
 Name:          authselect
 Version:       1.2.4
-Release:       6
+Release:       7
 Summary:       A tool to select system authentication and identity sources from a list of supported profiles
 License:       GPLv3+
 URL:           https://github.com/authselect/authselect
@ -9,6 +9,7 @@ Source0:       https://github.com/authselect/authselect/archive/%{version}/%{nam
 Patch0:        authselect-revert-remove-authselect-compat-package.patch
 Patch1:        backport-main-Drop-an-unnecessary-NULL-check-before-free.patch
 Patch2:        backport-cli-fix-memory-handling-with-new-popt-library.patch
+Patch3:        backport-profiles-update-nsswitch.conf-due-to-user-nsswitch.c.patch

 BuildRequires: autoconf gettext-devel automake libtool popt-devel libcmocka-devel
 BuildRequires: m4 gcc pkgconfig pkgconfig(popt) po4a asciidoc python3-devel
@ -113,6 +114,9 @@ sed -i -E '/^\w+=$/d' %{_sysconfdir}/security/pwquality.conf.d/10-authconfig-pwq
 exit 0

 %changelog
+* Tue May 30 2023 yixiangzhike <yixiangzhike007@163.com> - 1.2.4-7
+- fix the failure of login by root
+
 * Mon Aug 15 2022 panxiaohe <panxh.life@foxmail.com> - 1.2.4-6
 - cli: fix memory handling with new popt library

--- a/backport-profiles-update-nsswitch.conf-due-to-user-nsswitch.c.patch
+++ b/backport-profiles-update-nsswitch.conf-due-to-user-nsswitch.c.patch
@ -0,0 +1,377 @@
+From 3e3a473c66c24b621838c1285f1f808149d3967b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Tue, 16 Nov 2021 13:10:12 +0100
+Subject: [PATCH] profiles: update nsswitch.conf due to user-nsswitch.conf
+ removal
+
+user-nsswitch.conf support is now disabled by default, therefore
+we need to support important modules (altfiles, mdns) and include
+all databases again in the profile.
+
+- add mdns support
+- add altfiles support
+- include all databases in all profiles
+- reorder databases in order of likelihood (taken from glibc)
+
+Resolves: https://github.com/authselect/authselect/issues/282
+---
+ profiles/minimal/README        | 56 ++++-----------------------------
+ profiles/minimal/nsswitch.conf | 30 +++++++++---------
+ profiles/nis/README            | 57 +++++-----------------------------
+ profiles/nis/nsswitch.conf     | 30 +++++++++---------
+ profiles/sssd/README           | 32 ++++++-------------
+ profiles/sssd/nsswitch.conf    | 23 ++++++++++----
+ profiles/winbind/README        | 21 +++++--------
+ profiles/winbind/nsswitch.conf | 18 +++++++++--
+ 8 files changed, 96 insertions(+), 171 deletions(-)
+
+diff --git a/profiles/minimal/README b/profiles/minimal/README
+index 131ff14..11548ba 100644
+--- a/profiles/minimal/README
+++ b/profiles/minimal/README
+@@ -35,58 +35,14 @@ with-pamaccess::
+ with-altfiles::
+     Use nss_altfiles for passwd and group nsswitch databases.
+ 
+-without-nullok::
+-    Do not add nullok parameter to pam_unix.
+-
+-DISABLE SPECIFIC NSSWITCH DATABASES
+------------------------------------
+-
+-Normally, nsswitch databases set by the profile overwrites values set in
+-user-nsswitch.conf. The following options can force authselect to
+-ignore value set by the profile and use the one set in user-nsswitch.conf
+-instead.
+-
+-with-custom-aliases::
+-Ignore "aliases" map set by the profile.
+-
+-with-custom-automount::
+-Ignore "automount" map set by the profile.
+-
+-with-custom-ethers::
+-Ignore "ethers" map set by the profile.
+-
+-with-custom-group::
+-Ignore "group" map set by the profile.
+-
+-with-custom-hosts::
+-Ignore "hosts" map set by the profile.
+with-mdns4::
+    Enable multicast DNS over IPv4.
+ 
+-with-custom-initgroups::
+-Ignore "initgroups" map set by the profile.
+with-mdns6::
+    Enable multicast DNS over IPv6.
+ 
+-with-custom-netgroup::
+-Ignore "netgroup" map set by the profile.
+-
+-with-custom-networks::
+-Ignore "networks" map set by the profile.
+-
+-with-custom-passwd::
+-Ignore "passwd" map set by the profile.
+-
+-with-custom-protocols::
+-Ignore "protocols" map set by the profile.
+-
+-with-custom-publickey::
+-Ignore "publickey" map set by the profile.
+-
+-with-custom-rpc::
+-Ignore "rpc" map set by the profile.
+-
+-with-custom-services::
+-Ignore "services" map set by the profile.
+-
+-with-custom-shadow::
+-Ignore "shadow" map set by the profile.
+without-nullok::
+    Do not add nullok parameter to pam_unix.
+ 
+ EXAMPLES
+ --------
+diff --git a/profiles/minimal/nsswitch.conf b/profiles/minimal/nsswitch.conf
+index a9e4bc7..6c3c355 100644
+--- a/profiles/minimal/nsswitch.conf
+++ b/profiles/minimal/nsswitch.conf
+@@ -1,14 +1,16 @@
+-aliases:    files                                       {exclude if "with-custom-aliases"}
+-automount:  files                                       {exclude if "with-custom-automount"}
+-ethers:     files                                       {exclude if "with-custom-ethers"}
+-group:      files {if "with-altfiles":altfiles }systemd {exclude if "with-custom-group"}
+-hosts:      resolve [!UNAVAIL=return] files myhostname dns {exclude if "with-custom-hosts"}
+-initgroups: files                                       {exclude if "with-custom-initgroups"}
+-netgroup:   files                                       {exclude if "with-custom-netgroup"}
+-networks:   files                                       {exclude if "with-custom-networks"}
+-passwd:     files {if "with-altfiles":altfiles }systemd {exclude if "with-custom-passwd"}
+-protocols:  files                                       {exclude if "with-custom-protocols"}
+-publickey:  files                                       {exclude if "with-custom-publickey"}
+-rpc:        files                                       {exclude if "with-custom-rpc"}
+-services:   files                                       {exclude if "with-custom-services"}
+-shadow:     files                                       {exclude if "with-custom-shadow"}
+\ No newline at end of file
+# In order of likelihood of use to accelerate lookup.
+passwd:     files {if "with-altfiles":altfiles }systemd
+shadow:     files
+group:      files {if "with-altfiles":altfiles }systemd
+hosts:      files {if "with-mdns4" and "with-mdns6":mdns_minimal }{if "with-mdns4" and not "with-mdns6":mdns4_minimal }{if not "with-mdns4" and "with-mdns6":mdns6_minimal }resolve [!UNAVAIL=return] myhostname dns
+services:   files
+netgroup:   files
+automount:  files
+
+aliases:    files
+ethers:     files
+gshadow:    files
+networks:   files dns
+protocols:  files
+publickey:  files
+rpc:        files
+diff --git a/profiles/nis/README b/profiles/nis/README
+index 5dbb9b4..9f629db 100644
+--- a/profiles/nis/README
+++ b/profiles/nis/README
+@@ -50,58 +50,17 @@ with-nispwquality::
+     for NIS users as well as local users during password change. Without this
+     option only local users passwords are checked.
+ 
+-without-nullok::
+-    Do not add nullok parameter to pam_unix.
+-
+-DISABLE SPECIFIC NSSWITCH DATABASES
+------------------------------------
+-
+-Normally, nsswitch databases set by the profile overwrites values set in
+-user-nsswitch.conf. The following options can force authselect to
+-ignore value set by the profile and use the one set in user-nsswitch.conf
+-instead.
+-
+-with-custom-aliases::
+-Ignore "aliases" map set by the profile.
+-
+-with-custom-automount::
+-Ignore "automount" map set by the profile.
+-
+-with-custom-ethers::
+-Ignore "ethers" map set by the profile.
+-
+-with-custom-group::
+-Ignore "group" map set by the profile.
+-
+-with-custom-hosts::
+-Ignore "hosts" map set by the profile.
+with-altfiles::
+    Use nss_altfiles for passwd and group nsswitch databases.
+ 
+-with-custom-initgroups::
+-Ignore "initgroups" map set by the profile.
+with-mdns4::
+    Enable multicast DNS over IPv4.
+ 
+-with-custom-netgroup::
+-Ignore "netgroup" map set by the profile.
+with-mdns6::
+    Enable multicast DNS over IPv6.
+ 
+-with-custom-networks::
+-Ignore "networks" map set by the profile.
+-
+-with-custom-passwd::
+-Ignore "passwd" map set by the profile.
+-
+-with-custom-protocols::
+-Ignore "protocols" map set by the profile.
+-
+-with-custom-publickey::
+-Ignore "publickey" map set by the profile.
+-
+-with-custom-rpc::
+-Ignore "rpc" map set by the profile.
+-
+-with-custom-services::
+-Ignore "services" map set by the profile.
+-
+-with-custom-shadow::
+-Ignore "shadow" map set by the profile.
+without-nullok::
+    Do not add nullok parameter to pam_unix.
+ 
+ EXAMPLES
+ --------
+diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
+index 50a3ffb..e60eeaa 100644
+--- a/profiles/nis/nsswitch.conf
+++ b/profiles/nis/nsswitch.conf
+@@ -1,14 +1,16 @@
+-aliases:    files nis                   {exclude if "with-custom-aliases"}
+-automount:  files nis                   {exclude if "with-custom-automount"}
+-ethers:     files nis                   {exclude if "with-custom-ethers"}
+-group:      files nis systemd           {exclude if "with-custom-group"}
+-hosts:      resolve [!UNAVAIL=return] files nis myhostname dns {exclude if "with-custom-hosts"}
+-initgroups: files nis                   {exclude if "with-custom-initgroups"}
+-netgroup:   files nis                   {exclude if "with-custom-netgroup"}
+-networks:   files nis                   {exclude if "with-custom-networks"}
+-passwd:     files nis systemd           {exclude if "with-custom-passwd"}
+-protocols:  files nis                   {exclude if "with-custom-protocols"}
+-publickey:  files nis                   {exclude if "with-custom-publickey"}
+-rpc:        files nis                   {exclude if "with-custom-rpc"}
+-services:   files nis                   {exclude if "with-custom-services"}
+-shadow:     files nis                   {exclude if "with-custom-shadow"}
+# In order of likelihood of use to accelerate lookup.
+passwd:     files {if "with-altfiles":altfiles }nis systemd
+shadow:     files nis
+group:      files {if "with-altfiles":altfiles }nis systemd
+hosts:      files {if "with-mdns4" and "with-mdns6":mdns_minimal }{if "with-mdns4" and not "with-mdns6":mdns4_minimal }{if not "with-mdns4" and "with-mdns6":mdns6_minimal }resolve [!UNAVAIL=return] nis myhostname dns
+services:   files nis
+netgroup:   files nis
+automount:  files nis
+
+aliases:    files nis
+ethers:     files nis
+gshadow:    files nis
+networks:   files nis dns
+protocols:  files nis
+publickey:  files nis
+rpc:        files nis
+diff --git a/profiles/sssd/README b/profiles/sssd/README
+index 59871f7..fff913a 100644
+--- a/profiles/sssd/README
+++ b/profiles/sssd/README
+@@ -79,6 +79,15 @@ with-sudo::
+ with-pamaccess::
+     Check access.conf during account authorization.
+ 
+with-altfiles::
+    Use nss_altfiles for passwd and group nsswitch databases.
+
+with-mdns4::
+    Enable multicast DNS over IPv4.
+
+with-mdns6::
+    Enable multicast DNS over IPv6.
+
+ with-files-domain::
+     If set, SSSD will be contacted before "files" when resolving users and
+     groups. The order in nsswitch.conf will be set to "sss files" instead of
+@@ -97,29 +106,6 @@ with-files-access-provider::
+ without-nullok::
+     Do not add nullok parameter to pam_unix.
+ 
+-DISABLE SPECIFIC NSSWITCH DATABASES
+------------------------------------
+-
+-Normally, nsswitch databases set by the profile overwrites values set in
+-user-nsswitch.conf. The following options can force authselect to
+-ignore value set by the profile and use the one set in user-nsswitch.conf
+-instead.
+-
+-with-custom-passwd::
+-Ignore "passwd" database set by the profile.
+-
+-with-custom-group::
+-Ignore "group" database set by the profile.
+-
+-with-custom-netgroup::
+-Ignore "netgroup" database set by the profile.
+-
+-with-custom-automount::
+-Ignore "automount" database set by the profile.
+-
+-with-custom-services::
+-Ignore "services" database set by the profile.
+-
+ EXAMPLES
+ --------
+ 
+diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
+index 91c9fe9..526cbae 100644
+--- a/profiles/sssd/nsswitch.conf
+++ b/profiles/sssd/nsswitch.conf
+@@ -1,6 +1,17 @@
+-passwd:     {if "with-files-domain":sss files|files sss} systemd   {exclude if "with-custom-passwd"}
+-group:      {if "with-files-domain":sss files|files sss} systemd   {exclude if "with-custom-group"}
+-netgroup:   sss files           {exclude if "with-custom-netgroup"}
+-automount:  sss files           {exclude if "with-custom-automount"}
+-services:   sss files           {exclude if "with-custom-services"}
+-sudoers:    files sss           {include if "with-sudo"}
+# In order of likelihood of use to accelerate lookup.
+passwd:     {if "with-files-domain":sss }files {if "with-altfiles":altfiles }{if not "with-files-domain":sss }systemd
+shadow:     files
+group:      {if "with-files-domain":sss }files {if "with-altfiles":altfiles }{if not "with-files-domain":sss }systemd
+hosts:      files {if "with-mdns4" and "with-mdns6":mdns_minimal }{if "with-mdns4" and not "with-mdns6":mdns4_minimal }{if not "with-mdns4" and "with-mdns6":mdns6_minimal }resolve [!UNAVAIL=return] myhostname dns
+services:   files sss
+netgroup:   files sss
+sudoers:    files sss {include if "with-sudo"}
+automount:  files sss
+
+aliases:    files
+ethers:     files
+gshadow:    files
+networks:   files dns
+protocols:  files
+publickey:  files
+rpc:        files
+diff --git a/profiles/winbind/README b/profiles/winbind/README
+index 40a1a45..39a15fc 100644
+--- a/profiles/winbind/README
+++ b/profiles/winbind/README
+@@ -60,22 +60,17 @@ with-silent-lastlog::
+ with-pamaccess::
+     Check access.conf during account authorization.
+ 
+-without-nullok::
+-    Do not add nullok parameter to pam_unix.
+-
+-DISABLE SPECIFIC NSSWITCH DATABASES
+------------------------------------
+with-altfiles::
+    Use nss_altfiles for passwd and group nsswitch databases.
+ 
+-Normally, nsswitch databases set by the profile overwrites values set in
+-user-nsswitch.conf. The following options can force authselect to
+-ignore value set by the profile and use the one set in user-nsswitch.conf
+-instead.
+with-mdns4::
+    Enable multicast DNS over IPv4.
+ 
+-with-custom-passwd::
+-Ignore "passwd" database set by the profile.
+with-mdns6::
+    Enable multicast DNS over IPv6.
+ 
+-with-custom-group::
+-Ignore "group" database set by the profile.
+without-nullok::
+    Do not add nullok parameter to pam_unix.
+ 
+ EXAMPLES
+ --------
+diff --git a/profiles/winbind/nsswitch.conf b/profiles/winbind/nsswitch.conf
+index 8a23bd7..b3ea72d 100644
+--- a/profiles/winbind/nsswitch.conf
+++ b/profiles/winbind/nsswitch.conf
+@@ -1,2 +1,16 @@
+-passwd:     files winbind systemd    {exclude if "with-custom-passwd"}
+-group:      files winbind systemd    {exclude if "with-custom-group"}
+# In order of likelihood of use to accelerate lookup.
+passwd:     files {if "with-altfiles":altfiles }winbind systemd
+shadow:     files
+group:      files {if "with-altfiles":altfiles }winbind systemd
+hosts:      files {if "with-mdns4" and "with-mdns6":mdns_minimal }{if "with-mdns4" and not "with-mdns6":mdns4_minimal }{if not "with-mdns4" and "with-mdns6":mdns6_minimal }resolve [!UNAVAIL=return] myhostname dns
+services:   files
+netgroup:   files
+automount:  files
+
+aliases:    files
+ethers:     files
+gshadow:    files
+networks:   files dns
+protocols:  files
+publickey:  files
+rpc:        files
+-- 
+2.27.0
+