From de0168f1ebb871b80c2552f1ef8dd8f145dacf29 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 20 Nov 2018 13:07:19 +0100
Subject: [PATCH 08/15] profiles: make session pam_systemd required

There was a time when pam_systemd was optional, but today, if
pam_systemd fails to register a session, it's catastrophic,
so we should just fail the whole PAM conversation.

Resolves:
https://github.com/pbrezina/authselect/issues/118
---
 profiles/nis/fingerprint-auth     | 2 +-
 profiles/nis/password-auth        | 2 +-
 profiles/nis/system-auth          | 2 +-
 profiles/sssd/fingerprint-auth    | 2 +-
 profiles/sssd/password-auth       | 2 +-
 profiles/sssd/smartcard-auth      | 2 +-
 profiles/sssd/system-auth         | 2 +-
 profiles/winbind/fingerprint-auth | 2 +-
 profiles/winbind/password-auth    | 2 +-
 profiles/winbind/system-auth      | 2 +-
 10 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/profiles/nis/fingerprint-auth b/profiles/nis/fingerprint-auth
index 278487b2a0f9ce103afebb0809ffffa2cfbbba7e..dc9e53ba28974eb75828220d9b80d626106b9652 100644
--- a/profiles/nis/fingerprint-auth
+++ b/profiles/nis/fingerprint-auth
@@ -17,7 +17,7 @@ password    required                                     pam_deny.so
 session     optional                                     pam_keyinit.so revoke
 session     required                                     pam_limits.so
 session     optional                                     pam_ecryptfs.so unwrap                                {include if "with-ecryptfs"}
--session     optional                                    pam_systemd.so
+session     required                                     pam_systemd.so
 session     optional                                     pam_oddjob_mkhomedir.so umask=0077                    {include if "with-mkhomedir"}
 session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
 session     required                                     pam_unix.so
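Review bot: The added `session     required     pam_systemd.so` line drops the leading `-` that the removed `-session optional` entry carried, as well as changing the control flag. As I read pam.conf(5), that prefix is what makes a missing module tolerated, so on a host without pam_systemd.so installed (presumably minimal or container images) the load failure would now count against a `required` entry and fail session setup. The line also sits above the `pam_succeed_if.so service in crond` skip, so cron sessions are subject to the same hard failure as interactive logins. If the intent is to fail only when the module is present and cannot register the session, keep the prefix, `-session     required     pam_systemd.so`. A one-line `#` comment above the entry stating why it is required would help, if the profile templates pass comments through. The same applies to the other nine profile files in this patch, and the rest of each session stack lies outside the hunk.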
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
index 615544d16f7fc8551cb06a221825526f12cbfc64..d22dcef9529ca51a1812ae0733b543d13f6ae235 100644
--- a/profiles/nis/password-auth
+++ b/profiles/nis/password-auth
@@ -20,7 +20,7 @@ password    required                                     pam_deny.so
 session     optional                                     pam_keyinit.so revoke
 session     required                                     pam_limits.so
 session     optional                                     pam_ecryptfs.so unwrap                                  {include if "with-ecryptfs"}
--session    optional                                     pam_systemd.so
+session     required                                     pam_systemd.so
 session     optional                                     pam_oddjob_mkhomedir.so umask=0077                      {include if "with-mkhomedir"}
 session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
 session     required                                     pam_unix.so
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
index a41828d8972537b1b24d0ff21cd52976fba6646d..d394d3e1200755d2233d4f86e3866620539fc18d 100644
--- a/profiles/nis/system-auth
+++ b/profiles/nis/system-auth
@@ -21,7 +21,7 @@ password    required                                     pam_deny.so
 session     optional                                     pam_keyinit.so revoke
 session     required                                     pam_limits.so
 session     optional                                     pam_ecryptfs.so unwrap                                {include if "with-ecryptfs"}
--session    optional                                     pam_systemd.so
+session     required                                     pam_systemd.so
 session     optional                                     pam_oddjob_mkhomedir.so umask=0077                    {include if "with-mkhomedir"}
 session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
 session     required                                     pam_unix.so
diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
index 01b70f3533149d00700859f3e0a1c3f2abb33a8a..3bdaf3e71ba7afc66864f9c2acbf584c0b77a82d 100644
--- a/profiles/sssd/fingerprint-auth
+++ b/profiles/sssd/fingerprint-auth
@@ -19,7 +19,7 @@ password    required                                     pam_deny.so
 session     optional                                     pam_keyinit.so revoke
 session     required                                     pam_limits.so
 session     optional                                     pam_ecryptfs.so unwrap                                {include if "with-ecryptfs"}
--session    optional                                     pam_systemd.so
+session     required                                     pam_systemd.so
 session     optional                                     pam_oddjob_mkhomedir.so umask=0077                    {include if "with-mkhomedir"}
 session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
 session     required                                     pam_unix.so
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index 3205f261dd8c898baf292c252ebdb346fcb779bb..1e529184cdc04a94fb4f2b52f733cf6df73b7fda 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -26,7 +26,7 @@ password    required                                     pam_deny.so
 session     optional                                     pam_keyinit.so revoke
 session     required                                     pam_limits.so
 session     optional                                     pam_ecryptfs.so unwrap                                {include if "with-ecryptfs"}
--session    optional                                     pam_systemd.so
+session     required                                     pam_systemd.so
 session     optional                                     pam_oddjob_mkhomedir.so umask=0077                    {include if "with-mkhomedir"}
 session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
 session     required                                     pam_unix.so
diff --git a/profiles/sssd/smartcard-auth b/profiles/sssd/smartcard-auth
index b16ba0f44ca4c896c1980a292cf78f12d7f2f06d..b89a23a111560877785c9d17fd65c0bfd3f3ae22 100644
--- a/profiles/sssd/smartcard-auth
+++ b/profiles/sssd/smartcard-auth
@@ -16,7 +16,7 @@ account     required                                     pam_permit.so
 session     optional                                     pam_keyinit.so revoke
 session     required                                     pam_limits.so
 session     optional                                     pam_ecryptfs.so unwrap                                 {include if "with-ecryptfs"}
--session     optional                                    pam_systemd.so
+session     required                                     pam_systemd.so
 session     optional                                     pam_oddjob_mkhomedir.so umask=0077                     {include if "with-mkhomedir"}
 session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
 session     required                                     pam_unix.so
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 982cada1f774e6d53dd75c9f5dbc0603337cd70b..22dba5b2d3db23855724ddb05528e5013c63c5af 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -29,7 +29,7 @@ password    required                                     pam_deny.so
 session     optional                                     pam_keyinit.so revoke
 session     required                                     pam_limits.so
 session     optional                                     pam_ecryptfs.so unwrap                                {include if "with-ecryptfs"}
--session    optional                                     pam_systemd.so
+session     required                                     pam_systemd.so
 session     optional                                     pam_oddjob_mkhomedir.so umask=0077                    {include if "with-mkhomedir"}
 session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
 session     required                                     pam_unix.so
diff --git a/profiles/winbind/fingerprint-auth b/profiles/winbind/fingerprint-auth
index 0beff74eba83f12c4ad5a6147a6194608cd047e3..92649461564dd4e6f78f467dc1be455f29edfe08 100644
--- a/profiles/winbind/fingerprint-auth
+++ b/profiles/winbind/fingerprint-auth
@@ -18,7 +18,7 @@ password    required                                     pam_deny.so
 session     optional                                     pam_keyinit.so revoke
 session     required                                     pam_limits.so
 session     optional                                     pam_ecryptfs.so unwrap                                {include if "with-ecryptfs"}
--session     optional                                    pam_systemd.so
+session     required                                     pam_systemd.so
 session     optional                                     pam_oddjob_mkhomedir.so umask=0077                    {include if "with-mkhomedir"}
 session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
 session     required                                     pam_unix.so
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
index c984d817c537c48a358c644083a4f8979181dd1d..fb59e295c3a220acfdf633f69a0204328150a5c3 100644
--- a/profiles/winbind/password-auth
+++ b/profiles/winbind/password-auth
@@ -23,7 +23,7 @@ password    required                                     pam_deny.so
 session     optional                                     pam_keyinit.so revoke
 session     required                                     pam_limits.so
 session     optional                                     pam_ecryptfs.so unwrap                                  {include if "with-ecryptfs"}
--session    optional                                     pam_systemd.so
+session     required                                     pam_systemd.so
 session     optional                                     pam_oddjob_mkhomedir.so umask=0077                      {include if "with-mkhomedir"}
 session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
 session     required                                     pam_unix.so
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
index 33dc491c2125c7fe06d6475369f1654a900c7050..bb75c327db3315c22a22f375a5cc633e33c30c19 100644
--- a/profiles/winbind/system-auth
+++ b/profiles/winbind/system-auth
@@ -24,7 +24,7 @@ password    required                                     pam_deny.so
 session     optional                                     pam_keyinit.so revoke
 session     required                                     pam_limits.so
 session     optional                                     pam_ecryptfs.so unwrap                                {include if "with-ecryptfs"}
--session    optional                                     pam_systemd.so
+session     required                                     pam_systemd.so
 session     optional                                     pam_oddjob_mkhomedir.so umask=0077                    {include if "with-mkhomedir"}
 session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
 session     required                                     pam_unix.so
-- 
2.17.2