ryantimwilson / rpms / systemd

Forked from rpms/systemd 3 months ago
Clone
17aa40
From a677e477ef541d172ede2a5bd728a4ff1ffb312d Mon Sep 17 00:00:00 2001
17aa40
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
17aa40
Date: Tue, 1 Jun 2021 16:17:16 +0200
17aa40
Subject: [PATCH] pam: do not require a non-expired password for user@.service
17aa40
17aa40
Without this parameter, we would allow user@ to start if the user
17aa40
has no password (i.e. the password is "locked"). But when the user does have a password,
17aa40
and it is marked as expired, we would refuse to start the service.
17aa40
There are other authentication mechanisms and we should not tie this service to
17aa40
the password state.
17aa40
17aa40
The documented way to disable an *account* is to call 'chage -E0'. With a disabled
17aa40
account, user@.service will still refuse to start:
17aa40
17aa40
systemd[16598]: PAM failed: User account has expired
17aa40
systemd[16598]: PAM failed: User account has expired
17aa40
systemd[16598]: user@1005.service: Failed to set up PAM session: Operation not permitted
17aa40
systemd[16598]: user@1005.service: Failed at step PAM spawning /usr/lib/systemd/systemd: Operation not permitted
17aa40
systemd[1]: user@1005.service: Main process exited, code=exited, status=224/PAM
17aa40
systemd[1]: user@1005.service: Failed with result 'exit-code'.
17aa40
systemd[1]: Failed to start user@1005.service.
17aa40
systemd[1]: Stopping user-runtime-dir@1005.service...
17aa40
17aa40
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1961746.
17aa40
17aa40
(cherry picked from commit 71889176e4372b443018584c3520c1ff3efe2711)
17aa40
17aa40
Resolves: #1961746
17aa40
---
17aa40
 src/login/systemd-user.m4 | 2 +-
17aa40
 1 file changed, 1 insertion(+), 1 deletion(-)
17aa40
17aa40
diff --git a/src/login/systemd-user.m4 b/src/login/systemd-user.m4
17aa40
index 4f85b4b7fe..20c8999331 100644
17aa40
--- a/src/login/systemd-user.m4
17aa40
+++ b/src/login/systemd-user.m4
17aa40
@@ -2,7 +2,7 @@
17aa40
 #
17aa40
 # Used by systemd --user instances.
17aa40
 
17aa40
-account required pam_unix.so
17aa40
+account sufficient pam_unix.so no_pass_expiry
17aa40
 m4_ifdef(`HAVE_SELINUX',
17aa40
 session required pam_selinux.so close
17aa40
 session required pam_selinux.so nottys open