From f30bdb1dfc726cba900b45350ab4535d787b41d3 Mon Sep 17 00:00:00 2001
From: yixiangzhike
Date: Tue, 30 May 2023 18:59:33 +0800
Subject: [PATCH] Fix the failure of login by root

(cherry picked from commit 915c44df6ff76de0e17311dc0d04b650816dc600)
---
 authselect.spec | 6 +-
 ...nsswitch.conf-due-to-user-nsswitch.c.patch | 377 ++++++++++++++++++
 2 files changed, 382 insertions(+), 1 deletion(-)
 create mode 100644 backport-profiles-update-nsswitch.conf-due-to-user-nsswitch.c.patch

diff --git a/authselect.spec b/authselect.spec
index ee2c232..fe1d368 100644
--- a/authselect.spec
+++ b/authselect.spec
@@ -1,6 +1,6 @@
 Name: authselect
 Version: 1.2.4
-Release: 6
+Release: 7
 Summary: A tool to select system authentication and identity sources from a list of supported profiles
 License: GPLv3+
 URL: https://github.com/authselect/authselect
@@ -9,6 +9,7 @@ Source0: https://github.com/authselect/authselect/archive/%{version}/%{nam
 Patch0: authselect-revert-remove-authselect-compat-package.patch
 Patch1: backport-main-Drop-an-unnecessary-NULL-check-before-free.patch
 Patch2: backport-cli-fix-memory-handling-with-new-popt-library.patch
+Patch3: backport-profiles-update-nsswitch.conf-due-to-user-nsswitch.c.patch
 
 BuildRequires: autoconf gettext-devel automake libtool popt-devel libcmocka-devel
 BuildRequires: m4 gcc pkgconfig pkgconfig(popt) po4a asciidoc python3-devel
@@ -113,6 +114,9 @@ sed -i -E '/^\w+=$/d' %{_sysconfdir}/security/pwquality.conf.d/10-authconfig-pwq
 exit 0
 
 %changelog
+* Tue May 30 2023 yixiangzhike - 1.2.4-7
+- fix the failure of login by root
+
 * Mon Aug 15 2022 panxiaohe - 1.2.4-6
 - cli: fix memory handling with new popt library
 
diff --git a/backport-profiles-update-nsswitch.conf-due-to-user-nsswitch.c.patch b/backport-profiles-update-nsswitch.conf-due-to-user-nsswitch.c.patch
new file mode 100644
index 0000000..9779187
--- /dev/null
+++ b/backport-profiles-update-nsswitch.conf-due-to-user-nsswitch.c.patch
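Review bot: Patch3 drops every `with-custom-*` profile feature from the four profiles (their README and nsswitch.conf hunks in the new backport file), yet nothing in these spec hunks handles a host whose /etc/authselect/authselect.conf already enables one of them; as far as I know authselect rejects an unknown feature, so `authselect check` and `apply-changes` would start failing on such a host after the update. A %posttrans step that removes the dropped features from the saved configuration, or at minimum a changelog line that names the removal, would make the upgrade safe; the scriptlet ending at the `exit 0` context line lies outside the hunk, so I cannot tell whether it already does this. The changelog entry `- fix the failure of login by root` also says nothing about what changed; something like `- backport profile nsswitch.conf rework: define all databases (incl. shadow/gshadow), drop with-custom-* options` would let an admin recognise the behaviour change.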
@@ -0,0 +1,377 @@
+From 3e3a473c66c24b621838c1285f1f808149d3967b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Tue, 16 Nov 2021 13:10:12 +0100
+Subject: [PATCH] profiles: update nsswitch.conf due to user-nsswitch.conf
+ removal
+
+user-nsswitch.conf support is now disabled by default, therefore
+we need to support important modules (altfiles, mdns) and include
+all databases again in the profile.
+
+- add mdns support
+- add altfiles support
+- include all databases in all profiles
+- reorder databases in order of likelihood (taken from glibc)
+
+Resolves: https://github.com/authselect/authselect/issues/282
+---
+ profiles/minimal/README | 56 ++++-----------------------------
+ profiles/minimal/nsswitch.conf | 30 +++++++++---------
+ profiles/nis/README | 57 +++++-----------------------------
+ profiles/nis/nsswitch.conf | 30 +++++++++---------
+ profiles/sssd/README | 32 ++++++-------------
+ profiles/sssd/nsswitch.conf | 23 ++++++++++----
+ profiles/winbind/README | 21 +++++-------
+ profiles/winbind/nsswitch.conf | 18 +++++++++--
+ 8 files changed, 96 insertions(+), 171 deletions(-)
+
+diff --git a/profiles/minimal/README b/profiles/minimal/README
+index 131ff14..11548ba 100644
+--- a/profiles/minimal/README
++++ b/profiles/minimal/README
+@@ -35,58 +35,14 @@ with-pamaccess::
+ with-altfiles::
+ Use nss_altfiles for passwd and group nsswitch databases.
+ 
+-without-nullok::
+- Do not add nullok parameter to pam_unix.
+-
+-DISABLE SPECIFIC NSSWITCH DATABASES
+------------------------------------
+-
+-Normally, nsswitch databases set by the profile overwrites values set in
+-user-nsswitch.conf. The following options can force authselect to
+-ignore value set by the profile and use the one set in user-nsswitch.conf
+-instead.
+-
+-with-custom-aliases::
+-Ignore "aliases" map set by the profile.
+-
+-with-custom-automount::
+-Ignore "automount" map set by the profile.
+-
+-with-custom-ethers::
+-Ignore "ethers" map set by the profile.
+-
+-with-custom-group::
+-Ignore "group" map set by the profile.
+-
+-with-custom-hosts::
+-Ignore "hosts" map set by the profile.
++with-mdns4::
++ Enable multicast DNS over IPv4.
+ 
+-with-custom-initgroups::
+-Ignore "initgroups" map set by the profile.
++with-mdns6::
++ Enable multicast DNS over IPv6.
+ 
+-with-custom-netgroup::
+-Ignore "netgroup" map set by the profile.
+-
+-with-custom-networks::
+-Ignore "networks" map set by the profile.
+-
+-with-custom-passwd::
+-Ignore "passwd" map set by the profile.
+-
+-with-custom-protocols::
+-Ignore "protocols" map set by the profile.
+-
+-with-custom-publickey::
+-Ignore "publickey" map set by the profile.
+-
+-with-custom-rpc::
+-Ignore "rpc" map set by the profile.
+-
+-with-custom-services::
+-Ignore "services" map set by the profile.
+-
+-with-custom-shadow::
+-Ignore "shadow" map set by the profile.
++without-nullok::
++ Do not add nullok parameter to pam_unix.
+ 
+ EXAMPLES
+ --------
+diff --git a/profiles/minimal/nsswitch.conf b/profiles/minimal/nsswitch.conf
+index a9e4bc7..6c3c355 100644
+--- a/profiles/minimal/nsswitch.conf
++++ b/profiles/minimal/nsswitch.conf
+@@ -1,14 +1,16 @@
+-aliases: files {exclude if "with-custom-aliases"}
+-automount: files {exclude if "with-custom-automount"}
+-ethers: files {exclude if "with-custom-ethers"}
+-group: files {if "with-altfiles":altfiles }systemd {exclude if "with-custom-group"}
+-hosts: resolve [!UNAVAIL=return] files myhostname dns {exclude if "with-custom-hosts"}
+-initgroups: files {exclude if "with-custom-initgroups"}
+-netgroup: files {exclude if "with-custom-netgroup"}
+-networks: files {exclude if "with-custom-networks"}
+-passwd: files {if "with-altfiles":altfiles }systemd {exclude if "with-custom-passwd"}
+-protocols: files {exclude if "with-custom-protocols"}
+-publickey: files {exclude if "with-custom-publickey"}
+-rpc: files {exclude if "with-custom-rpc"}
+-services: files {exclude if "with-custom-services"}
+-shadow: files {exclude if "with-custom-shadow"}
+\ No newline at end of file
++# In order of likelihood of use to accelerate lookup.
++passwd: files {if "with-altfiles":altfiles }systemd
++shadow: files
++group: files {if "with-altfiles":altfiles }systemd
++hosts: files {if "with-mdns4" and "with-mdns6":mdns_minimal }{if "with-mdns4" and not "with-mdns6":mdns4_minimal }{if not "with-mdns4" and "with-mdns6":mdns6_minimal }resolve [!UNAVAIL=return] myhostname dns
++services: files
++netgroup: files
++automount: files
++
++aliases: files
++ethers: files
++gshadow: files
++networks: files dns
++protocols: files
++publickey: files
++rpc: files
+diff --git a/profiles/nis/README b/profiles/nis/README
+index 5dbb9b4..9f629db 100644
+--- a/profiles/nis/README
++++ b/profiles/nis/README
+@@ -50,58 +50,17 @@ with-nispwquality::
+ for NIS users as well as local users during password change. Without this
+ option only local users passwords are checked.
+ 
+-without-nullok::
+- Do not add nullok parameter to pam_unix.
+-
+-DISABLE SPECIFIC NSSWITCH DATABASES
+------------------------------------
+-
+-Normally, nsswitch databases set by the profile overwrites values set in
+-user-nsswitch.conf. The following options can force authselect to
+-ignore value set by the profile and use the one set in user-nsswitch.conf
+-instead.
+-
+-with-custom-aliases::
+-Ignore "aliases" map set by the profile.
+-
+-with-custom-automount::
+-Ignore "automount" map set by the profile.
+-
+-with-custom-ethers::
+-Ignore "ethers" map set by the profile.
+-
+-with-custom-group::
+-Ignore "group" map set by the profile.
+-
+-with-custom-hosts::
+-Ignore "hosts" map set by the profile.
++with-altfiles::
++ Use nss_altfiles for passwd and group nsswitch databases.
+ 
+-with-custom-initgroups::
+-Ignore "initgroups" map set by the profile.
++with-mdns4::
++ Enable multicast DNS over IPv4.
+ 
+-with-custom-netgroup::
+-Ignore "netgroup" map set by the profile.
++with-mdns6::
++ Enable multicast DNS over IPv6.
+ 
+-with-custom-networks::
+-Ignore "networks" map set by the profile.
+-
+-with-custom-passwd::
+-Ignore "passwd" map set by the profile.
+-
+-with-custom-protocols::
+-Ignore "protocols" map set by the profile.
+-
+-with-custom-publickey::
+-Ignore "publickey" map set by the profile.
+-
+-with-custom-rpc::
+-Ignore "rpc" map set by the profile.
+-
+-with-custom-services::
+-Ignore "services" map set by the profile.
+-
+-with-custom-shadow::
+-Ignore "shadow" map set by the profile.
++without-nullok::
++ Do not add nullok parameter to pam_unix.
+ 
+ EXAMPLES
+ --------
+diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
+index 50a3ffb..e60eeaa 100644
+--- a/profiles/nis/nsswitch.conf
++++ b/profiles/nis/nsswitch.conf
+@@ -1,14 +1,16 @@
+-aliases: files nis {exclude if "with-custom-aliases"}
+-automount: files nis {exclude if "with-custom-automount"}
+-ethers: files nis {exclude if "with-custom-ethers"}
+-group: files nis systemd {exclude if "with-custom-group"}
+-hosts: resolve [!UNAVAIL=return] files nis myhostname dns {exclude if "with-custom-hosts"}
+-initgroups: files nis {exclude if "with-custom-initgroups"}
+-netgroup: files nis {exclude if "with-custom-netgroup"}
+-networks: files nis {exclude if "with-custom-networks"}
+-passwd: files nis systemd {exclude if "with-custom-passwd"}
+-protocols: files nis {exclude if "with-custom-protocols"}
+-publickey: files nis {exclude if "with-custom-publickey"}
+-rpc: files nis {exclude if "with-custom-rpc"}
+-services: files nis {exclude if "with-custom-services"}
+-shadow: files nis {exclude if "with-custom-shadow"}
++# In order of likelihood of use to accelerate lookup.
++passwd: files {if "with-altfiles":altfiles }nis systemd
++shadow: files nis
++group: files {if "with-altfiles":altfiles }nis systemd
++hosts: files {if "with-mdns4" and "with-mdns6":mdns_minimal }{if "with-mdns4" and not "with-mdns6":mdns4_minimal }{if not "with-mdns4" and "with-mdns6":mdns6_minimal }resolve [!UNAVAIL=return] nis myhostname dns
++services: files nis
++netgroup: files nis
++automount: files nis
++
++aliases: files nis
++ethers: files nis
++gshadow: files nis
++networks: files nis dns
++protocols: files nis
++publickey: files nis
++rpc: files nis
+diff --git a/profiles/sssd/README b/profiles/sssd/README
+index 59871f7..fff913a 100644
+--- a/profiles/sssd/README
++++ b/profiles/sssd/README
+@@ -79,6 +79,15 @@ with-sudo::
+ with-pamaccess::
+ Check access.conf during account authorization.
+ 
++with-altfiles::
++ Use nss_altfiles for passwd and group nsswitch databases.
++
++with-mdns4::
++ Enable multicast DNS over IPv4.
++
++with-mdns6::
++ Enable multicast DNS over IPv6.
++
+ with-files-domain::
+ If set, SSSD will be contacted before "files" when resolving users and
+ groups. The order in nsswitch.conf will be set to "sss files" instead of
+@@ -97,29 +106,6 @@ with-files-access-provider::
+ without-nullok::
+ Do not add nullok parameter to pam_unix.
+ 
+-DISABLE SPECIFIC NSSWITCH DATABASES
+------------------------------------
+-
+-Normally, nsswitch databases set by the profile overwrites values set in
+-user-nsswitch.conf. The following options can force authselect to
+-ignore value set by the profile and use the one set in user-nsswitch.conf
+-instead.
+-
+-with-custom-passwd::
+-Ignore "passwd" database set by the profile.
+-
+-with-custom-group::
+-Ignore "group" database set by the profile.
+-
+-with-custom-netgroup::
+-Ignore "netgroup" database set by the profile.
+-
+-with-custom-automount::
+-Ignore "automount" database set by the profile.
+-
+-with-custom-services::
+-Ignore "services" database set by the profile.
+-
+ EXAMPLES
+ --------
+ 
+diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
+index 91c9fe9..526cbae 100644
+--- a/profiles/sssd/nsswitch.conf
++++ b/profiles/sssd/nsswitch.conf
+@@ -1,6 +1,17 @@
+-passwd: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-passwd"}
+-group: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-group"}
+-netgroup: sss files {exclude if "with-custom-netgroup"}
+-automount: sss files {exclude if "with-custom-automount"}
+-services: sss files {exclude if "with-custom-services"}
+-sudoers: files sss {include if "with-sudo"}
++# In order of likelihood of use to accelerate lookup.
++passwd: {if "with-files-domain":sss }files {if "with-altfiles":altfiles }{if not "with-files-domain":sss }systemd
++shadow: files
++group: {if "with-files-domain":sss }files {if "with-altfiles":altfiles }{if not "with-files-domain":sss }systemd
++hosts: files {if "with-mdns4" and "with-mdns6":mdns_minimal }{if "with-mdns4" and not "with-mdns6":mdns4_minimal }{if not "with-mdns4" and "with-mdns6":mdns6_minimal }resolve [!UNAVAIL=return] myhostname dns
++services: files sss
++netgroup: files sss
++sudoers: files sss {include if "with-sudo"}
++automount: files sss
++
++aliases: files
++ethers: files
++gshadow: files
++networks: files dns
++protocols: files
++publickey: files
++rpc: files
+diff --git a/profiles/winbind/README b/profiles/winbind/README
+index 40a1a45..39a15fc 100644
+--- a/profiles/winbind/README
++++ b/profiles/winbind/README
+@@ -60,22 +60,17 @@ with-silent-lastlog::
+ with-pamaccess::
+ Check access.conf during account authorization.
+ 
+-without-nullok::
+- Do not add nullok parameter to pam_unix.
+-
+-DISABLE SPECIFIC NSSWITCH DATABASES
+------------------------------------
++with-altfiles::
++ Use nss_altfiles for passwd and group nsswitch databases.
+ 
+-Normally, nsswitch databases set by the profile overwrites values set in
+-user-nsswitch.conf. The following options can force authselect to
+-ignore value set by the profile and use the one set in user-nsswitch.conf
+-instead.
++with-mdns4::
++ Enable multicast DNS over IPv4.
+ 
+-with-custom-passwd::
+-Ignore "passwd" database set by the profile.
++with-mdns6::
++ Enable multicast DNS over IPv6.
+ 
+-with-custom-group::
+-Ignore "group" database set by the profile.
++without-nullok::
++ Do not add nullok parameter to pam_unix.
+ 
+ EXAMPLES
+ --------
+diff --git a/profiles/winbind/nsswitch.conf b/profiles/winbind/nsswitch.conf
+index 8a23bd7..b3ea72d 100644
+--- a/profiles/winbind/nsswitch.conf
++++ b/profiles/winbind/nsswitch.conf
+@@ -1,2 +1,16 @@
+-passwd: files winbind systemd {exclude if "with-custom-passwd"}
+-group: files winbind systemd {exclude if "with-custom-group"}
++# In order of likelihood of use to accelerate lookup.
++passwd: files {if "with-altfiles":altfiles }winbind systemd
++shadow: files
++group: files {if "with-altfiles":altfiles }winbind systemd
++hosts: files {if "with-mdns4" and "with-mdns6":mdns_minimal }{if "with-mdns4" and not "with-mdns6":mdns4_minimal }{if not "with-mdns4" and "with-mdns6":mdns6_minimal }resolve [!UNAVAIL=return] myhostname dns
++services: files
++netgroup: files
++automount: files
++
++aliases: files
++ethers: files
++gshadow: files
++networks: files dns
++protocols: files
++publickey: files
++rpc: files
+-- 
+2.27.0
+
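Review bot: The embedded commit message's premise that user-nsswitch.conf support is disabled by default is upstream's, and I cannot see that it holds for the 1.2.4 base this is backported onto; if this version still merges /etc/authselect/user-nsswitch.conf, then every profile now defining all databases (the `aliases:` through `rpc:` lines added to each nsswitch.conf) means entries an admin kept there are silently overridden on the next apply-changes, which is worth confirming and recording in the package changelog before shipping. The added `shadow: files` and `gshadow: files` lines are presumably what restores root login, and that link should be stated somewhere rather than left to be inferred from the diff. For the hosts lines, the mdns modules are inserted between `files` and `resolve [!UNAVAIL=return]`, so the with-mdns4/with-mdns6 README entries should say what is being placed ahead of DNS, e.g. `with-mdns4::` followed by `    Enable multicast DNS over IPv4 (mdns4_minimal: .local names and link-local addresses only, consulted before resolve and dns).`; per the nss-mdns documentation the `_minimal` variants are restricted to those names, which is the right conservative choice and deserves saying.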