ryantimwilson / rpms / systemd

Forked from rpms/systemd 3 months ago
Clone
b8c242
From a677e477ef541d172ede2a5bd728a4ff1ffb312d Mon Sep 17 00:00:00 2001
b8c242
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
b8c242
Date: Tue, 1 Jun 2021 16:17:16 +0200
b8c242
Subject: [PATCH] pam: do not require a non-expired password for user@.service
b8c242
b8c242
Without this parameter, we would allow user@ to start if the user
b8c242
has no password (i.e. the password is "locked"). But when the user does have a password,
b8c242
and it is marked as expired, we would refuse to start the service.
b8c242
There are other authentication mechanisms and we should not tie this service to
b8c242
the password state.
b8c242
b8c242
The documented way to disable an *account* is to call 'chage -E0'. With a disabled
b8c242
account, user@.service will still refuse to start:
b8c242
b8c242
systemd[16598]: PAM failed: User account has expired
b8c242
systemd[16598]: PAM failed: User account has expired
b8c242
systemd[16598]: user@1005.service: Failed to set up PAM session: Operation not permitted
b8c242
systemd[16598]: user@1005.service: Failed at step PAM spawning /usr/lib/systemd/systemd: Operation not permitted
b8c242
systemd[1]: user@1005.service: Main process exited, code=exited, status=224/PAM
b8c242
systemd[1]: user@1005.service: Failed with result 'exit-code'.
b8c242
systemd[1]: Failed to start user@1005.service.
b8c242
systemd[1]: Stopping user-runtime-dir@1005.service...
b8c242
b8c242
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1961746.
b8c242
b8c242
(cherry picked from commit 71889176e4372b443018584c3520c1ff3efe2711)
b8c242
b8c242
Resolves: #1961746
b8c242
---
b8c242
 src/login/systemd-user.m4 | 2 +-
b8c242
 1 file changed, 1 insertion(+), 1 deletion(-)
b8c242
b8c242
diff --git a/src/login/systemd-user.m4 b/src/login/systemd-user.m4
b8c242
index 4f85b4b7fe..20c8999331 100644
b8c242
--- a/src/login/systemd-user.m4
b8c242
+++ b/src/login/systemd-user.m4
b8c242
@@ -2,7 +2,7 @@
b8c242
 #
b8c242
 # Used by systemd --user instances.
b8c242
 
b8c242
-account required pam_unix.so
b8c242
+account sufficient pam_unix.so no_pass_expiry
b8c242
 m4_ifdef(`HAVE_SELINUX',
b8c242
 session required pam_selinux.so close
b8c242
 session required pam_selinux.so nottys open