Blame SOURCES/0902-rhel8-remove-ecryptfs-support.patch

fa9ab2
From 8f39d5ebcf18b9d987af5ad851fe1637ce1fce22 Mon Sep 17 00:00:00 2001
fa9ab2
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
fa9ab2
Date: Mon, 10 Jun 2019 10:53:15 +0200
fa9ab2
Subject: [PATCH] rhel8: remove ecryptfs support
fa9ab2
fa9ab2
---
fa9ab2
 profiles/nis/README                 | 3 ---
fa9ab2
 profiles/nis/fingerprint-auth       | 1 -
fa9ab2
 profiles/nis/password-auth          | 1 -
fa9ab2
 profiles/nis/postlogin              | 4 ----
fa9ab2
 profiles/nis/system-auth            | 1 -
fa9ab2
 profiles/sssd/README                | 3 ---
fa9ab2
 profiles/sssd/fingerprint-auth      | 1 -
fa9ab2
 profiles/sssd/password-auth         | 1 -
fa9ab2
 profiles/sssd/postlogin             | 4 ----
fa9ab2
 profiles/sssd/smartcard-auth        | 1 -
fa9ab2
 profiles/sssd/system-auth           | 1 -
fa9ab2
 profiles/winbind/README             | 3 ---
fa9ab2
 profiles/winbind/fingerprint-auth   | 1 -
fa9ab2
 profiles/winbind/password-auth      | 1 -
fa9ab2
 profiles/winbind/postlogin          | 4 ----
fa9ab2
 profiles/winbind/system-auth        | 1 -
fa9ab2
 src/compat/authcompat.py.in.in      | 1 -
fa9ab2
 src/compat/authcompat_Options.py    | 2 +-
fa9ab2
 src/man/authselect-migration.7.adoc | 5 ++---
fa9ab2
 19 files changed, 3 insertions(+), 36 deletions(-)
fa9ab2
fa9ab2
diff --git a/profiles/nis/README b/profiles/nis/README
fa9ab2
index b8453bd357a1cec0d3c1981257271170f029fe8c..8b2cc1baa8a3429039f5bbeb0778113238ef6633 100644
fa9ab2
--- a/profiles/nis/README
fa9ab2
+++ b/profiles/nis/README
fa9ab2
@@ -21,9 +21,6 @@ with-mkhomedir::
fa9ab2
     Enable automatic creation of home directories for users on their
fa9ab2
     first login.
fa9ab2
 
fa9ab2
-with-ecryptfs::
fa9ab2
-    Enable automatic per-user ecryptfs.
fa9ab2
-
fa9ab2
 with-fingerprint::
fa9ab2
     Enable authentication with fingerprint reader through *pam_fprintd*.
fa9ab2
 
fa9ab2
diff --git a/profiles/nis/fingerprint-auth b/profiles/nis/fingerprint-auth
fa9ab2
index 278487b2a0f9ce103afebb0809ffffa2cfbbba7e..8d6bc3fe8ada7305280503bfa350cd78723c988a 100644
fa9ab2
--- a/profiles/nis/fingerprint-auth
fa9ab2
+++ b/profiles/nis/fingerprint-auth
fa9ab2
@@ -16,7 +16,6 @@ password    required                                     pam_deny.so
fa9ab2
 
fa9ab2
 session     optional                                     pam_keyinit.so revoke
fa9ab2
 session     required                                     pam_limits.so
fa9ab2
-session     optional                                     pam_ecryptfs.so unwrap                                {include if "with-ecryptfs"}
fa9ab2
 -session     optional                                    pam_systemd.so
fa9ab2
 session     optional                                     pam_oddjob_mkhomedir.so umask=0077                    {include if "with-mkhomedir"}
fa9ab2
 session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
fa9ab2
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
fa9ab2
index 2ce77fded674684987849b027debe2b17a7bac94..46786cc8c2c90a2be98d71684b9286c37ff5b678 100644
fa9ab2
--- a/profiles/nis/password-auth
fa9ab2
+++ b/profiles/nis/password-auth
fa9ab2
@@ -21,7 +21,6 @@ password    required                                     pam_deny.so
fa9ab2
 
fa9ab2
 session     optional                                     pam_keyinit.so revoke
fa9ab2
 session     required                                     pam_limits.so
fa9ab2
-session     optional                                     pam_ecryptfs.so unwrap                                  {include if "with-ecryptfs"}
fa9ab2
 -session    optional                                     pam_systemd.so
fa9ab2
 session     optional                                     pam_oddjob_mkhomedir.so umask=0077                      {include if "with-mkhomedir"}
fa9ab2
 session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
fa9ab2
diff --git a/profiles/nis/postlogin b/profiles/nis/postlogin
fa9ab2
index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
fa9ab2
--- a/profiles/nis/postlogin
fa9ab2
+++ b/profiles/nis/postlogin
fa9ab2
@@ -1,7 +1,3 @@
fa9ab2
-auth        optional                   pam_ecryptfs.so unwrap                                 {include if "with-ecryptfs"}
fa9ab2
-
fa9ab2
-password    optional                   pam_ecryptfs.so unwrap                                 {include if "with-ecryptfs"}
fa9ab2
-
fa9ab2
 session     optional                   pam_umask.so silent
fa9ab2
 session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
fa9ab2
 session     [default=1]                pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
fa9ab2
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
fa9ab2
index d1f270a9e6f0ded1ff2d9c24fcd78c31e7a6debe..25148b060ecd0b52868386abf14ca5a9fd8fdfc3 100644
fa9ab2
--- a/profiles/nis/system-auth
fa9ab2
+++ b/profiles/nis/system-auth
fa9ab2
@@ -22,7 +22,6 @@ password    required                                     pam_deny.so
fa9ab2
 
fa9ab2
 session     optional                                     pam_keyinit.so revoke
fa9ab2
 session     required                                     pam_limits.so
fa9ab2
-session     optional                                     pam_ecryptfs.so unwrap                                {include if "with-ecryptfs"}
fa9ab2
 -session    optional                                     pam_systemd.so
fa9ab2
 session     optional                                     pam_oddjob_mkhomedir.so umask=0077                    {include if "with-mkhomedir"}
fa9ab2
 session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
fa9ab2
diff --git a/profiles/sssd/README b/profiles/sssd/README
fa9ab2
index a2b52b7d4178bfaca260d31267dac396b514e656..b007621a4abd6423605507af5b03131c58a44f29 100644
fa9ab2
--- a/profiles/sssd/README
fa9ab2
+++ b/profiles/sssd/README
fa9ab2
@@ -40,9 +40,6 @@ with-mkhomedir::
fa9ab2
     Enable automatic creation of home directories for users on their
fa9ab2
     first login.
fa9ab2
 
fa9ab2
-with-ecryptfs::
fa9ab2
-    Enable automatic per-user ecryptfs.
fa9ab2
-
fa9ab2
 with-smartcard::
fa9ab2
     Enable authentication with smartcards through SSSD. Please note that
fa9ab2
     smartcard support must be also explicitly enabled within
fa9ab2
diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
fa9ab2
index 01b70f3533149d00700859f3e0a1c3f2abb33a8a..b9bbc63d96e1d982a54b537402fed5e2201ce533 100644
fa9ab2
--- a/profiles/sssd/fingerprint-auth
fa9ab2
+++ b/profiles/sssd/fingerprint-auth
fa9ab2
@@ -18,7 +18,6 @@ password    required                                     pam_deny.so
fa9ab2
 
fa9ab2
 session     optional                                     pam_keyinit.so revoke
fa9ab2
 session     required                                     pam_limits.so
fa9ab2
-session     optional                                     pam_ecryptfs.so unwrap                                {include if "with-ecryptfs"}
fa9ab2
 -session    optional                                     pam_systemd.so
fa9ab2
 session     optional                                     pam_oddjob_mkhomedir.so umask=0077                    {include if "with-mkhomedir"}
fa9ab2
 session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
fa9ab2
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
fa9ab2
index c61630d5a71772c61cbdcce00bb5b64a83e87d8e..fe2e3a4bf68fb53e46af56577c9d67c7eabf2fff 100644
fa9ab2
--- a/profiles/sssd/password-auth
fa9ab2
+++ b/profiles/sssd/password-auth
fa9ab2
@@ -27,7 +27,6 @@ password    required                                     pam_deny.so
fa9ab2
 
fa9ab2
 session     optional                                     pam_keyinit.so revoke
fa9ab2
 session     required                                     pam_limits.so
fa9ab2
-session     optional                                     pam_ecryptfs.so unwrap                                {include if "with-ecryptfs"}
fa9ab2
 -session    optional                                     pam_systemd.so
fa9ab2
 session     optional                                     pam_oddjob_mkhomedir.so umask=0077                    {include if "with-mkhomedir"}
fa9ab2
 session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
fa9ab2
diff --git a/profiles/sssd/postlogin b/profiles/sssd/postlogin
fa9ab2
index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
fa9ab2
--- a/profiles/sssd/postlogin
fa9ab2
+++ b/profiles/sssd/postlogin
fa9ab2
@@ -1,7 +1,3 @@
fa9ab2
-auth        optional                   pam_ecryptfs.so unwrap                                 {include if "with-ecryptfs"}
fa9ab2
-
fa9ab2
-password    optional                   pam_ecryptfs.so unwrap                                 {include if "with-ecryptfs"}
fa9ab2
-
fa9ab2
 session     optional                   pam_umask.so silent
fa9ab2
 session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
fa9ab2
 session     [default=1]                pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
fa9ab2
diff --git a/profiles/sssd/smartcard-auth b/profiles/sssd/smartcard-auth
fa9ab2
index a47f44389d89797b2404ce44a78c2bc8a936225d..a15a033f58b766074ccc6a271f146341ff62f2e4 100644
fa9ab2
--- a/profiles/sssd/smartcard-auth
fa9ab2
+++ b/profiles/sssd/smartcard-auth
fa9ab2
@@ -16,7 +16,6 @@ account     required                                     pam_permit.so
fa9ab2
 
fa9ab2
 session     optional                                     pam_keyinit.so revoke
fa9ab2
 session     required                                     pam_limits.so
fa9ab2
-session     optional                                     pam_ecryptfs.so unwrap                                 {include if "with-ecryptfs"}
fa9ab2
 -session     optional                                    pam_systemd.so
fa9ab2
 session     optional                                     pam_oddjob_mkhomedir.so umask=0077                     {include if "with-mkhomedir"}
fa9ab2
 session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
fa9ab2
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
fa9ab2
index 0c53fc0c326a6ab9b9720c3c0de4f7377431f689..788c92ba27f9b0febdbe00f265bc75e754aca8df 100644
fa9ab2
--- a/profiles/sssd/system-auth
fa9ab2
+++ b/profiles/sssd/system-auth
fa9ab2
@@ -32,7 +32,6 @@ password    required                                     pam_deny.so
fa9ab2
 
fa9ab2
 session     optional                                     pam_keyinit.so revoke
fa9ab2
 session     required                                     pam_limits.so
fa9ab2
-session     optional                                     pam_ecryptfs.so unwrap                                {include if "with-ecryptfs"}
fa9ab2
 -session    optional                                     pam_systemd.so
fa9ab2
 session     optional                                     pam_oddjob_mkhomedir.so umask=0077                    {include if "with-mkhomedir"}
fa9ab2
 session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
fa9ab2
diff --git a/profiles/winbind/README b/profiles/winbind/README
fa9ab2
index e711b546c51fbe1ccf30b203cb854398d5e95caa..72f55e640c04bd539bef979da71d6d9ee0a2fd72 100644
fa9ab2
--- a/profiles/winbind/README
fa9ab2
+++ b/profiles/winbind/README
fa9ab2
@@ -33,9 +33,6 @@ with-mkhomedir::
fa9ab2
     Enable automatic creation of home directories for users on their
fa9ab2
     first login.
fa9ab2
 
fa9ab2
-with-ecryptfs::
fa9ab2
-    Enable automatic per-user ecryptfs.
fa9ab2
-
fa9ab2
 with-fingerprint::
fa9ab2
     Enable authentication with fingerprint reader through *pam_fprintd*.
fa9ab2
 
fa9ab2
diff --git a/profiles/winbind/fingerprint-auth b/profiles/winbind/fingerprint-auth
fa9ab2
index 0beff74eba83f12c4ad5a6147a6194608cd047e3..cdc61a1e9ff2ff8d58b58a076f001933092d0a90 100644
fa9ab2
--- a/profiles/winbind/fingerprint-auth
fa9ab2
+++ b/profiles/winbind/fingerprint-auth
fa9ab2
@@ -17,7 +17,6 @@ password    required                                     pam_deny.so
fa9ab2
 
fa9ab2
 session     optional                                     pam_keyinit.so revoke
fa9ab2
 session     required                                     pam_limits.so
fa9ab2
-session     optional                                     pam_ecryptfs.so unwrap                                {include if "with-ecryptfs"}
fa9ab2
 -session     optional                                    pam_systemd.so
fa9ab2
 session     optional                                     pam_oddjob_mkhomedir.so umask=0077                    {include if "with-mkhomedir"}
fa9ab2
 session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
fa9ab2
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
fa9ab2
index 455add4c0c6aa2fecc850dc2b315998c6b4c4fb5..d60fb34c1c9a4f49f68b5c036a72127996bff9be 100644
fa9ab2
--- a/profiles/winbind/password-auth
fa9ab2
+++ b/profiles/winbind/password-auth
fa9ab2
@@ -24,7 +24,6 @@ password    required                                     pam_deny.so
fa9ab2
 
fa9ab2
 session     optional                                     pam_keyinit.so revoke
fa9ab2
 session     required                                     pam_limits.so
fa9ab2
-session     optional                                     pam_ecryptfs.so unwrap                                  {include if "with-ecryptfs"}
fa9ab2
 -session    optional                                     pam_systemd.so
fa9ab2
 session     optional                                     pam_oddjob_mkhomedir.so umask=0077                      {include if "with-mkhomedir"}
fa9ab2
 session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
fa9ab2
diff --git a/profiles/winbind/postlogin b/profiles/winbind/postlogin
fa9ab2
index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
fa9ab2
--- a/profiles/winbind/postlogin
fa9ab2
+++ b/profiles/winbind/postlogin
fa9ab2
@@ -1,7 +1,3 @@
fa9ab2
-auth        optional                   pam_ecryptfs.so unwrap                                 {include if "with-ecryptfs"}
fa9ab2
-
fa9ab2
-password    optional                   pam_ecryptfs.so unwrap                                 {include if "with-ecryptfs"}
fa9ab2
-
fa9ab2
 session     optional                   pam_umask.so silent
fa9ab2
 session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
fa9ab2
 session     [default=1]                pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
fa9ab2
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
fa9ab2
index 5b383f70df6f03f59c6ab3b1dd5686382745b978..c169d7f3b75893ba61d60e085ef86bb658debf5b 100644
fa9ab2
--- a/profiles/winbind/system-auth
fa9ab2
+++ b/profiles/winbind/system-auth
fa9ab2
@@ -25,7 +25,6 @@ password    required                                     pam_deny.so
fa9ab2
 
fa9ab2
 session     optional                                     pam_keyinit.so revoke
fa9ab2
 session     required                                     pam_limits.so
fa9ab2
-session     optional                                     pam_ecryptfs.so unwrap                                {include if "with-ecryptfs"}
fa9ab2
 -session    optional                                     pam_systemd.so
fa9ab2
 session     optional                                     pam_oddjob_mkhomedir.so umask=0077                    {include if "with-mkhomedir"}
fa9ab2
 session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
fa9ab2
diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
fa9ab2
index e4b8c05c6a11a215529ba66f8b36b72a6ac18448..4e39b7ec66d0e2ba911c7280467ba78fd29c196c 100755
fa9ab2
--- a/src/compat/authcompat.py.in.in
fa9ab2
+++ b/src/compat/authcompat.py.in.in
fa9ab2
@@ -520,7 +520,6 @@ class AuthCompat:
fa9ab2
             'smartcard'        : 'with-smartcard',
fa9ab2
             'requiresmartcard' : 'with-smartcard-required',
fa9ab2
             'fingerprint'      : 'with-fingerprint',
fa9ab2
-            'ecryptfs'         : 'with-ecryptfs',
fa9ab2
             'mkhomedir'        : 'with-mkhomedir',
fa9ab2
             'faillock'         : 'with-faillock',
fa9ab2
             'pamaccess'        : 'with-pamaccess',
fa9ab2
diff --git a/src/compat/authcompat_Options.py b/src/compat/authcompat_Options.py
fa9ab2
index c8f52ab6773c4cd5371f32121dba8053f3443261..433a3340bac29739174e78928701214c08ec6f3c 100644
fa9ab2
--- a/src/compat/authcompat_Options.py
fa9ab2
+++ b/src/compat/authcompat_Options.py
fa9ab2
@@ -93,7 +93,6 @@ class Options:
fa9ab2
         Option.Valued ("smartcardaction", _("<0=Lock|1=Ignore>"), _("action to be taken on smart card removal")),
fa9ab2
         Option.Feature("requiresmartcard",_("require smart card for authentication by default")),
fa9ab2
         Option.Feature("fingerprint",     _("authentication with fingerprint readers by default")),
fa9ab2
-        Option.Feature("ecryptfs",        _("automatic per-user ecryptfs")),
fa9ab2
         Option.Feature("krb5",            _("Kerberos authentication by default")),
fa9ab2
         Option.Valued ("krb5kdc",         _("<server>"), _("default Kerberos KDC")),
fa9ab2
         Option.Valued ("krb5adminserver", _("<server>"), _("default Kerberos admin server")),
fa9ab2
@@ -141,6 +140,7 @@ class Options:
fa9ab2
         # layers and will produce warning when used. They will not affect
fa9ab2
         # the system.
fa9ab2
         Option.UnsupportedFeature("cache"),
fa9ab2
+        Option.UnsupportedFeature("ecryptfs"),
fa9ab2
         Option.UnsupportedFeature("shadow"),
fa9ab2
         Option.UnsupportedSwitch ("useshadow"),
fa9ab2
         Option.UnsupportedFeature("md5"),
fa9ab2
diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc
fa9ab2
index 35ba484d576ab8a3d923a124f6b1577085deedd4..a27af036738274d8d392f7fe1f7d59c89e9c4ffb 100644
fa9ab2
--- a/src/man/authselect-migration.7.adoc
fa9ab2
+++ b/src/man/authselect-migration.7.adoc
fa9ab2
@@ -80,7 +80,6 @@ configuration file for required services.
fa9ab2
 |*Authconfig options* |*Authselect profile feature*
fa9ab2
 |--enablesmartcard    |with-smartcard
fa9ab2
 |--enablefingerprint  |with-fingerprint
fa9ab2
-|--enableecryptfs     |with-ecryptfs
fa9ab2
 |--enablemkhomedir    |with-mkhomedir
fa9ab2
 |--enablefaillock     |with-faillock
fa9ab2
 |--enablepamaccess    |with-pamaccess
fa9ab2
@@ -95,8 +94,8 @@ authselect select sssd with-faillock
fa9ab2
 authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --updateall
fa9ab2
 authselect select sssd with-smartcard
fa9ab2
 
fa9ab2
-authconfig --enableecryptfs --enablepamaccess --updateall
fa9ab2
-authselect select sssd with-ecryptfs with-pamaccess
fa9ab2
+authconfig --enablepamaccess --updateall
fa9ab2
+authselect select sssd with-pamaccess
fa9ab2
 
fa9ab2
 authconfig --enablewinbind --enablewinbindauth --winbindjoin=Administrator --updateall
fa9ab2
 realm join -U Administrator --client-software=winbind WINBINDDOMAIN
fa9ab2
-- 
fa9ab2
2.20.1
fa9ab2