From fa9ab25e069c68b2b1a76cb5ff0192d8a16c6535 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: May 14 2020 22:08:10 +0000
Subject: import authselect-1.2.1-1.el8
---
diff --git a/.authselect.metadata b/.authselect.metadata
new file mode 100644
index 0000000..1a9c021
--- /dev/null
+++ b/.authselect.metadata
@@ -0,0 +1 @@
+5136bf93d7cbcbbcf039f1b180e5cb644758ed21 SOURCES/authselect-1.2.1.tar.gz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..8698a31
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/authselect-1.2.1.tar.gz
diff --git a/SOURCES/0901-rhel8-remove-mention-of-Fedora-Change-page-in-compat.patch b/SOURCES/0901-rhel8-remove-mention-of-Fedora-Change-page-in-compat.patch
new file mode 100644
index 0000000..c2bc01b
--- /dev/null
+++ b/SOURCES/0901-rhel8-remove-mention-of-Fedora-Change-page-in-compat.patch
@@ -0,0 +1,24 @@
+From 009be0fc33866a590de8720cb0f3dab811e10059 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Tue, 30 Oct 2018 14:08:12 +0100
+Subject: [PATCH] rhel8: remove mention of Fedora Change page in compat tool
+
+---
+ src/compat/authcompat.py.in.in | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
+index 0be644222a44185cb08ff696afad5adf05995093..42cc6f3c0e38d8e14d62bd5acdc171176a6cb51f 100755
+--- a/src/compat/authcompat.py.in.in
++++ b/src/compat/authcompat.py.in.in
+@@ -469,7 +469,6 @@ class AuthCompat:
+ "It does not provide all capabilities of authconfig.\n"))
+ print(_("IMPORTANT: authconfig is replaced by authselect, "
+ "please update your scripts."))
+- print(_("See Fedora 28 Change Page: https://fedoraproject.org/wiki/Changes/AuthselectAsDefault"))
+ print(_("See man authselect-migration(7) to help you with migration to authselect"))
+
+ options = self.options.getSetButUnsupported()
+--
+2.17.2
+
diff --git a/SOURCES/0902-rhel8-remove-ecryptfs-support.patch b/SOURCES/0902-rhel8-remove-ecryptfs-support.patch
new file mode 100644
index 0000000..a021aa9
--- /dev/null
+++ b/SOURCES/0902-rhel8-remove-ecryptfs-support.patch
@@ -0,0 +1,283 @@
+From 8f39d5ebcf18b9d987af5ad851fe1637ce1fce22 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Mon, 10 Jun 2019 10:53:15 +0200
+Subject: [PATCH] rhel8: remove ecryptfs support
+
+---
+ profiles/nis/README | 3 ---
+ profiles/nis/fingerprint-auth | 1 -
+ profiles/nis/password-auth | 1 -
+ profiles/nis/postlogin | 4 ----
+ profiles/nis/system-auth | 1 -
+ profiles/sssd/README | 3 ---
+ profiles/sssd/fingerprint-auth | 1 -
+ profiles/sssd/password-auth | 1 -
+ profiles/sssd/postlogin | 4 ----
+ profiles/sssd/smartcard-auth | 1 -
+ profiles/sssd/system-auth | 1 -
+ profiles/winbind/README | 3 ---
+ profiles/winbind/fingerprint-auth | 1 -
+ profiles/winbind/password-auth | 1 -
+ profiles/winbind/postlogin | 4 ----
+ profiles/winbind/system-auth | 1 -
+ src/compat/authcompat.py.in.in | 1 -
+ src/compat/authcompat_Options.py | 2 +-
+ src/man/authselect-migration.7.adoc | 5 ++---
+ 19 files changed, 3 insertions(+), 36 deletions(-)
+
+diff --git a/profiles/nis/README b/profiles/nis/README
+index b8453bd357a1cec0d3c1981257271170f029fe8c..8b2cc1baa8a3429039f5bbeb0778113238ef6633 100644
+--- a/profiles/nis/README
++++ b/profiles/nis/README
+@@ -21,9 +21,6 @@ with-mkhomedir::
+ Enable automatic creation of home directories for users on their
+ first login.
+
+-with-ecryptfs::
+- Enable automatic per-user ecryptfs.
+-
+ with-fingerprint::
+ Enable authentication with fingerprint reader through *pam_fprintd*.
+
+diff --git a/profiles/nis/fingerprint-auth b/profiles/nis/fingerprint-auth
+index 278487b2a0f9ce103afebb0809ffffa2cfbbba7e..8d6bc3fe8ada7305280503bfa350cd78723c988a 100644
+--- a/profiles/nis/fingerprint-auth
++++ b/profiles/nis/fingerprint-auth
+@@ -16,7 +16,6 @@ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
+index 2ce77fded674684987849b027debe2b17a7bac94..46786cc8c2c90a2be98d71684b9286c37ff5b678 100644
+--- a/profiles/nis/password-auth
++++ b/profiles/nis/password-auth
+@@ -21,7 +21,6 @@ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/nis/postlogin b/profiles/nis/postlogin
+index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
+--- a/profiles/nis/postlogin
++++ b/profiles/nis/postlogin
+@@ -1,7 +1,3 @@
+-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+-
+-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+-
+ session optional pam_umask.so silent
+ session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+ session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
+diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
+index d1f270a9e6f0ded1ff2d9c24fcd78c31e7a6debe..25148b060ecd0b52868386abf14ca5a9fd8fdfc3 100644
+--- a/profiles/nis/system-auth
++++ b/profiles/nis/system-auth
+@@ -22,7 +22,6 @@ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/sssd/README b/profiles/sssd/README
+index a2b52b7d4178bfaca260d31267dac396b514e656..b007621a4abd6423605507af5b03131c58a44f29 100644
+--- a/profiles/sssd/README
++++ b/profiles/sssd/README
+@@ -40,9 +40,6 @@ with-mkhomedir::
+ Enable automatic creation of home directories for users on their
+ first login.
+
+-with-ecryptfs::
+- Enable automatic per-user ecryptfs.
+-
+ with-smartcard::
+ Enable authentication with smartcards through SSSD. Please note that
+ smartcard support must be also explicitly enabled within
+diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
+index 01b70f3533149d00700859f3e0a1c3f2abb33a8a..b9bbc63d96e1d982a54b537402fed5e2201ce533 100644
+--- a/profiles/sssd/fingerprint-auth
++++ b/profiles/sssd/fingerprint-auth
+@@ -18,7 +18,6 @@ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
+index c61630d5a71772c61cbdcce00bb5b64a83e87d8e..fe2e3a4bf68fb53e46af56577c9d67c7eabf2fff 100644
+--- a/profiles/sssd/password-auth
++++ b/profiles/sssd/password-auth
+@@ -27,7 +27,6 @@ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/sssd/postlogin b/profiles/sssd/postlogin
+index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
+--- a/profiles/sssd/postlogin
++++ b/profiles/sssd/postlogin
+@@ -1,7 +1,3 @@
+-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+-
+-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+-
+ session optional pam_umask.so silent
+ session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+ session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
+diff --git a/profiles/sssd/smartcard-auth b/profiles/sssd/smartcard-auth
+index a47f44389d89797b2404ce44a78c2bc8a936225d..a15a033f58b766074ccc6a271f146341ff62f2e4 100644
+--- a/profiles/sssd/smartcard-auth
++++ b/profiles/sssd/smartcard-auth
+@@ -16,7 +16,6 @@ account required pam_permit.so
+
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
+index 0c53fc0c326a6ab9b9720c3c0de4f7377431f689..788c92ba27f9b0febdbe00f265bc75e754aca8df 100644
+--- a/profiles/sssd/system-auth
++++ b/profiles/sssd/system-auth
+@@ -32,7 +32,6 @@ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/winbind/README b/profiles/winbind/README
+index e711b546c51fbe1ccf30b203cb854398d5e95caa..72f55e640c04bd539bef979da71d6d9ee0a2fd72 100644
+--- a/profiles/winbind/README
++++ b/profiles/winbind/README
+@@ -33,9 +33,6 @@ with-mkhomedir::
+ Enable automatic creation of home directories for users on their
+ first login.
+
+-with-ecryptfs::
+- Enable automatic per-user ecryptfs.
+-
+ with-fingerprint::
+ Enable authentication with fingerprint reader through *pam_fprintd*.
+
+diff --git a/profiles/winbind/fingerprint-auth b/profiles/winbind/fingerprint-auth
+index 0beff74eba83f12c4ad5a6147a6194608cd047e3..cdc61a1e9ff2ff8d58b58a076f001933092d0a90 100644
+--- a/profiles/winbind/fingerprint-auth
++++ b/profiles/winbind/fingerprint-auth
+@@ -17,7 +17,6 @@ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
+index 455add4c0c6aa2fecc850dc2b315998c6b4c4fb5..d60fb34c1c9a4f49f68b5c036a72127996bff9be 100644
+--- a/profiles/winbind/password-auth
++++ b/profiles/winbind/password-auth
+@@ -24,7 +24,6 @@ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/winbind/postlogin b/profiles/winbind/postlogin
+index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
+--- a/profiles/winbind/postlogin
++++ b/profiles/winbind/postlogin
+@@ -1,7 +1,3 @@
+-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+-
+-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+-
+ session optional pam_umask.so silent
+ session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+ session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
+diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
+index 5b383f70df6f03f59c6ab3b1dd5686382745b978..c169d7f3b75893ba61d60e085ef86bb658debf5b 100644
+--- a/profiles/winbind/system-auth
++++ b/profiles/winbind/system-auth
+@@ -25,7 +25,6 @@ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
+index e4b8c05c6a11a215529ba66f8b36b72a6ac18448..4e39b7ec66d0e2ba911c7280467ba78fd29c196c 100755
+--- a/src/compat/authcompat.py.in.in
++++ b/src/compat/authcompat.py.in.in
+@@ -520,7 +520,6 @@ class AuthCompat:
+ 'smartcard' : 'with-smartcard',
+ 'requiresmartcard' : 'with-smartcard-required',
+ 'fingerprint' : 'with-fingerprint',
+- 'ecryptfs' : 'with-ecryptfs',
+ 'mkhomedir' : 'with-mkhomedir',
+ 'faillock' : 'with-faillock',
+ 'pamaccess' : 'with-pamaccess',
+diff --git a/src/compat/authcompat_Options.py b/src/compat/authcompat_Options.py
+index c8f52ab6773c4cd5371f32121dba8053f3443261..433a3340bac29739174e78928701214c08ec6f3c 100644
+--- a/src/compat/authcompat_Options.py
++++ b/src/compat/authcompat_Options.py
+@@ -93,7 +93,6 @@ class Options:
+ Option.Valued ("smartcardaction", _("<0=Lock|1=Ignore>"), _("action to be taken on smart card removal")),
+ Option.Feature("requiresmartcard",_("require smart card for authentication by default")),
+ Option.Feature("fingerprint", _("authentication with fingerprint readers by default")),
+- Option.Feature("ecryptfs", _("automatic per-user ecryptfs")),
+ Option.Feature("krb5", _("Kerberos authentication by default")),
+ Option.Valued ("krb5kdc", _(""), _("default Kerberos KDC")),
+ Option.Valued ("krb5adminserver", _(""), _("default Kerberos admin server")),
+@@ -141,6 +140,7 @@ class Options:
+ # layers and will produce warning when used. They will not affect
+ # the system.
+ Option.UnsupportedFeature("cache"),
++ Option.UnsupportedFeature("ecryptfs"),
+ Option.UnsupportedFeature("shadow"),
+ Option.UnsupportedSwitch ("useshadow"),
+ Option.UnsupportedFeature("md5"),
+diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc
+index 35ba484d576ab8a3d923a124f6b1577085deedd4..a27af036738274d8d392f7fe1f7d59c89e9c4ffb 100644
+--- a/src/man/authselect-migration.7.adoc
++++ b/src/man/authselect-migration.7.adoc
+@@ -80,7 +80,6 @@ configuration file for required services.
+ |*Authconfig options* |*Authselect profile feature*
+ |--enablesmartcard |with-smartcard
+ |--enablefingerprint |with-fingerprint
+-|--enableecryptfs |with-ecryptfs
+ |--enablemkhomedir |with-mkhomedir
+ |--enablefaillock |with-faillock
+ |--enablepamaccess |with-pamaccess
+@@ -95,8 +94,8 @@ authselect select sssd with-faillock
+ authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --updateall
+ authselect select sssd with-smartcard
+
+-authconfig --enableecryptfs --enablepamaccess --updateall
+-authselect select sssd with-ecryptfs with-pamaccess
++authconfig --enablepamaccess --updateall
++authselect select sssd with-pamaccess
+
+authconfig --enablewinbind --enablewinbindauth --winbindjoin=Administrator --updateall
+realm join -U Administrator --client-software=winbind WINBINDDOMAIN
+--
+2.20.1
+
diff --git a/SPECS/authselect.spec b/SPECS/authselect.spec
new file mode 100644
index 0000000..25fe1f3
--- /dev/null
+++ b/SPECS/authselect.spec
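Review bot: Moving `ecryptfs` to `Option.UnsupportedFeature("ecryptfs")` in the authcompat_Options.py hunk means, per the comment visible in that hunk, that `--enableecryptfs` now only produces a warning and does not affect the system, yet the authselect-migration.7.adoc hunks delete the `--enableecryptfs` row and example without saying so. A host whose provisioning scripts still pass that option would end up with no `pam_ecryptfs.so` lines in the generated PAM files, which an administrator relying on per-user ecryptfs would want to know before upgrading. I would add one sentence next to the feature table in the migration page, along the lines of `--enableecryptfs is accepted but ignored; the profiles in this build provide no with-ecryptfs feature.` The option list in class Options starts and ends outside the hunk, so whether the warning text itself names the option cannot be checked from here.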
@@ -0,0 +1,377 @@
+# Do not terminate build if language files are empty.
+%define _empty_manifest_terminate_build 0
+
+Name: authselect
+Version: 1.2.1
+Release: 1%{?dist}
+Summary: Configures authentication and identity sources from supported profiles
+URL: https://github.com/authselect/authselect
+
+License: GPLv3+
+Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
+
+%global makedir %{_builddir}/%{name}-%{version}
+
+# Downstream only
+Patch0901: 0901-rhel8-remove-mention-of-Fedora-Change-page-in-compat.patch
+Patch0902: 0902-rhel8-remove-ecryptfs-support.patch
+
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: findutils
+BuildRequires: libtool
+BuildRequires: m4
+BuildRequires: gcc
+BuildRequires: pkgconfig
+BuildRequires: pkgconfig(popt)
+BuildRequires: gettext-devel
+BuildRequires: po4a
+BuildRequires: %{_bindir}/a2x
+BuildRequires: libcmocka-devel >= 1.0.0
+BuildRequires: libselinux-devel
+Requires: authselect-libs%{?_isa} = %{version}-%{release}
+Suggests: sssd
+Suggests: samba-winbind
+Suggests: fprintd-pam
+Suggests: oddjob-mkhomedir
+
+%description
+Authselect is designed to be a replacement for authconfig but it takes
+a different approach to configure the system. Instead of letting
+the administrator build the PAM stack with a tool (which may potentially
+end up with a broken configuration), it would ship several tested stacks
+(profiles) that solve a use-case and are well tested and supported.
+At the same time, some obsolete features of authconfig are not
+supported by authselect.
+
+%package libs
+Summary: Utility library used by the authselect tool
+# Required by scriptlets
+Requires: coreutils
+Requires: findutils
+Requires: gawk
+Requires: grep
+Requires: sed
+Requires: systemd
+Requires: pam >= 1.3.1-9
+
+%description libs
+Common library files for authselect. This package is used by the authselect
+command line tool and any other potential front-ends.
+
+%package compat
+Summary: Tool to provide minimum backwards compatibility with authconfig
+Obsoletes: authconfig < 7.0.1-6
+Provides: authconfig
+BuildRequires: python3-devel
+Requires: authselect%{?_isa} = %{version}-%{release}
+Recommends: oddjob-mkhomedir
+Suggests: sssd
+Suggests: realmd
+Suggests: samba-winbind
+# Required by scriptlets
+Requires: sed
+
+%description compat
+This package will replace %{_sbindir}/authconfig with a tool that will
+translate some of the authconfig calls into authselect calls. It provides
+only minimum backward compatibility and users are encouraged to migrate
+to authselect completely.
+
+%package devel
+Summary: Development libraries and headers for authselect
+Requires: authselect-libs%{?_isa} = %{version}-%{release}
+
+%description devel
+System header files and development libraries for authselect. Useful if
+you develop a front-end for the authselect library.
+
+
+%prep
+%setup -q
+
+for p in %patches ; do
+ %__patch -p1 -i $p
+done
+
+%build
+autoreconf -if
+%configure --with-pythonbin="%{__python3}"
+%make_build
+
+%check
+%make_build check
+
+%install
+%make_install
+
+# Find translations
+%find_lang %{name}
+%find_lang %{name} %{name}.8.lang --with-man
+%find_lang %{name}-migration %{name}-migration.7.lang --with-man
+%find_lang %{name}-profiles %{name}-profiles.5.lang --with-man
+
+# We want this file to contain only manual page translations
+%__sed -i '/LC_MESSAGES/d' %{name}.8.lang
+
+# Remove .la and .a files created by libtool
+find $RPM_BUILD_ROOT -name "*.la" -exec %__rm -f {} \;
+find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
+
+%ldconfig_scriptlets libs
+
+%files libs -f %{name}.lang -f %{name}-profiles.5.lang
+%dir %{_sysconfdir}/authselect
+%dir %{_sysconfdir}/authselect/custom
+%dir %{_localstatedir}/lib/authselect
+%ghost %attr(0755,root,root) %{_localstatedir}/lib/authselect/backups/
+%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/dconf-db
+%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/dconf-locks
+%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/fingerprint-auth
+%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/nsswitch.conf
+%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/password-auth
+%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/postlogin
+%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/smartcard-auth
+%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/system-auth
+%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/user-nsswitch-created
+%dir %{_datadir}/authselect
+%dir %{_datadir}/authselect/vendor
+%dir %{_datadir}/authselect/default
+%dir %{_datadir}/authselect/default/minimal/
+%dir %{_datadir}/authselect/default/nis/
+%dir %{_datadir}/authselect/default/sssd/
+%dir %{_datadir}/authselect/default/winbind/
+%{_datadir}/authselect/default/minimal/nsswitch.conf
+%{_datadir}/authselect/default/minimal/password-auth
+%{_datadir}/authselect/default/minimal/postlogin
+%{_datadir}/authselect/default/minimal/README
+%{_datadir}/authselect/default/minimal/REQUIREMENTS
+%{_datadir}/authselect/default/minimal/system-auth
+%{_datadir}/authselect/default/nis/dconf-db
+%{_datadir}/authselect/default/nis/dconf-locks
+%{_datadir}/authselect/default/nis/fingerprint-auth
+%{_datadir}/authselect/default/nis/nsswitch.conf
+%{_datadir}/authselect/default/nis/password-auth
+%{_datadir}/authselect/default/nis/postlogin
+%{_datadir}/authselect/default/nis/README
+%{_datadir}/authselect/default/nis/REQUIREMENTS
+%{_datadir}/authselect/default/nis/system-auth
+%{_datadir}/authselect/default/sssd/dconf-db
+%{_datadir}/authselect/default/sssd/dconf-locks
+%{_datadir}/authselect/default/sssd/fingerprint-auth
+%{_datadir}/authselect/default/sssd/nsswitch.conf
+%{_datadir}/authselect/default/sssd/password-auth
+%{_datadir}/authselect/default/sssd/postlogin
+%{_datadir}/authselect/default/sssd/README
+%{_datadir}/authselect/default/sssd/REQUIREMENTS
+%{_datadir}/authselect/default/sssd/smartcard-auth
+%{_datadir}/authselect/default/sssd/system-auth
+%{_datadir}/authselect/default/winbind/dconf-db
+%{_datadir}/authselect/default/winbind/dconf-locks
+%{_datadir}/authselect/default/winbind/fingerprint-auth
+%{_datadir}/authselect/default/winbind/nsswitch.conf
+%{_datadir}/authselect/default/winbind/password-auth
+%{_datadir}/authselect/default/winbind/postlogin
+%{_datadir}/authselect/default/winbind/README
+%{_datadir}/authselect/default/winbind/REQUIREMENTS
+%{_datadir}/authselect/default/winbind/system-auth
+%{_libdir}/libauthselect.so.*
+%{_mandir}/man5/authselect-profiles.5*
+%{_datadir}/doc/authselect/COPYING
+%{_datadir}/doc/authselect/README.md
+%license COPYING
+%doc README.md
+
+%files compat
+%{_sbindir}/authconfig
+%{python3_sitelib}/authselect/
+
+%files devel
+%{_includedir}/authselect.h
+%{_libdir}/libauthselect.so
+%{_libdir}/pkgconfig/authselect.pc
+
+%files -f %{name}.8.lang -f %{name}-migration.7.lang
+%{_bindir}/authselect
+%{_mandir}/man8/authselect.8*
+%{_mandir}/man7/authselect-migration.7*
+%{_sysconfdir}/bash_completion.d/authselect-completion.sh
+
+%global validfile %{_localstatedir}/lib/rpm-state/%{name}.config-valid
+
+%pre libs
+%__rm -f %{validfile}
+if [ $1 -gt 1 ] ; then
+ # Remember if the current configuration is valid
+ %{_bindir}/authselect check &> /dev/null
+ if [ $? -eq 0 ]; then
+ touch %{validfile}
+ fi
+fi
+
+exit 0
+
+%posttrans libs
+# Copy nsswitch.conf to user-nsswitch.conf if it was not yet created
+if [ ! -f %{_localstatedir}/lib/authselect/user-nsswitch-created ]; then
+ %__cp -n %{_sysconfdir}/nsswitch.conf %{_sysconfdir}/authselect/user-nsswitch.conf &> /dev/null
+ touch %{_localstatedir}/lib/authselect/user-nsswitch-created &> /dev/null
+
+ # If we are upgrading from older version, we want to remove these comments.
+ %__sed -i '/^# Generated by authselect on .*$/{$!{
+ N;N # Read also next two lines
+ /# Generated by authselect on .*\n# Do not modify this file manually.\n/d
+ }}' %{_sysconfdir}/authselect/user-nsswitch.conf &> /dev/null
+fi
+
+# If the configuration is valid and we are upgrading from older version
+# we need to create these files since they were added in 1.0.
+if [ -f %{validfile} ]; then
+ FILES="nsswitch.conf system-auth password-auth fingerprint-auth \
+ smartcard-auth postlogin dconf-db dconf-locks"
+
+ for FILE in $FILES ; do
+ %__cp -n %{_sysconfdir}/authselect/$FILE \
+ %{_localstatedir}/lib/authselect/$FILE &> /dev/null
+ done
+
+ %__rm -f %{validfile}
+fi
+
+# Apply any changes to profiles (validates configuration first internally)
+%{_bindir}/authselect apply-changes &> /dev/null
+
+# Enable with-sudo feature if sssd-sudo responder is enabled. RHBZ#1582111
+CURRENT=`%{_bindir}/authselect current --raw 2> /dev/null`
+if [ $? -eq 0 ]; then
+ PROFILE=`echo $CURRENT | %__awk '{print $1;}'`
+
+ if [ $PROFILE == "sssd" ] ; then
+ if %__grep -E "services[[:blank:]]*=[[:blank:]]*.*sudo" /etc/sssd/sssd.conf &> /dev/null ; then
+ %{_bindir}/authselect enable-feature with-sudo &> /dev/null
+ elif systemctl is-active sssd-sudo.service sssd-sudo.socket --quiet || systemctl is-enabled sssd-sudo.socket --quiet ; then
+ %{_bindir}/authselect enable-feature with-sudo &> /dev/null
+ fi
+ fi
+fi
+
+exit 0
+
+%posttrans compat
+# Fix for RHBZ#1618865
+# Remove invalid lines from pwquality.conf generated by authconfig compat tool
+# - previous version could write some options without value, which is invalid
+# - we delete all options without value from existing file
+%__sed -i -E '/^\w+=$/d' %{_sysconfdir}/security/pwquality.conf.d/10-authconfig-pwquality.conf &> /dev/null
+exit 0
+
+%changelog
+* Tue May 12 2020 Pavel Březina - 1.2.1-1
+- Rebase to authselect-1.2.1 (RHBZ #1810471)
+- CLI commands are now correctly translated (RHBZ #1816009)
+- Remove unsupported features from sssd profile description (RHBZ #1830251)
+- add `with-files-access-provider` to sssd profile (RHBZ #1734094)
+- switch to pam_usertype module (RHBZ #1773567)
+- fix typo in sssd profile description (RHBZ #1787638)
+- add minimal profile (RHBZ #1654018)
+
+* Thu Jul 4 2019 Pavel Březina - 1.1-2
+- Update translations (RHBZ #1689973)
+
+* Mon Jun 10 2019 Pavel Březina - 1.1-1
+- Rebase to authselect-1.1 (RHBZ #1685516)
+- Notify that oddjob-mkhomedir needs to be enabled manually (RHBZ #1694103)
+- Ask for smartcard insertion when smartcard authentication is required (RHBZ #1674397)
+- Update translations (RHBZ #1689973)
+
+* Mon Feb 25 2019 Jakub Hrozek - 1.0-13
+- Revert pam_systemd.so to be optional
+- Resolves: #rhbz1643928 - pam_systemd shouldn't be optional in system-auth
+
+* Mon Feb 4 2019 Pavel Březina - 1.0-12
+- make authselect work with selinux disabled (RHBZ #1668025)
+- require smartcard authentication only for specific services (RHBZ #1665058)
+- update translations (RHBZ #1608286)
+
+* Fri Jan 11 2019 Pavel Březina - 1.0-11
+- require libselinux needed by (RHBZ #1664650)
+
+* Fri Jan 11 2019 Pavel Březina - 1.0-10
+- invalid selinux context for files under /etc/authselect (RHBZ #1664650)
+
+* Tue Dec 4 2018 Pavel Březina - 1.0-9
+- fix sources for official rhel translations (RHBZ #1608286)
+- fix coverity warnings for authselect enable-features should error on unknown features (RHBZ #1651637)
+
+* Mon Dec 3 2018 Pavel Březina - 1.0-8
+- add official rhel translations (RHBZ #1608286)
+
+* Mon Dec 3 2018 Pavel Březina - 1.0-7
+- pam_systemd shouldn't be optional in system-auth (RHBZ #1643928)
+- compat tool: support --enablerequiresmartcard (RHBZ #1649277)
+- compat tool: support --smartcardaction=0 (RHBZ #1649279)
+- remove ecryptfs from authselect since it is not present in rhel8 (RHBZ #1649282)
+- authselect enable-features should error on unknown features (RHBZ #1651637)
+
+* Wed Oct 31 2018 Pavel Březina - 1.0-6
+- Remove mention of Fedora Change page from compat tool (RHBZ #1644309)
+
+* Wed Oct 10 2018 Pavel Březina - 1.0-5
+- Support for "require smartcard for login option" (RHBZ #1611012)
+
+* Mon Oct 1 2018 Pavel Březina - 1.0-4
+- add official rhel translations (RHBZ #1608286)
+
+* Fri Sep 28 2018 Pavel Březina - 1.0-3
+- scriptlet can fail if coreutils is not installed (RHBZ #1630896)
+- fix typo (require systemd instead of systemctl)
+
+* Thu Sep 27 2018 Pavel Březina - 1.0-2
+- authconfig --update overwrites current profile (RHBZ #1628492)
+- authselect profile nis enhancements (RHBZ #1628493)
+- scriptlet can fail if coreutils is not installed (RHBZ #1630896)
+- authconfig --update --enablenis stops ypserv (RHBZ #1632567)
+- compat tool generates invalid pwquality configuration (RHBZ #1628491)
+
+* Mon Aug 13 2018 Pavel Březina - 1.0-1
+- Rebase to 1.0 (RHBZ #1614235)
+
+* Wed Aug 01 2018 Charalampos Stratakis - 0.4-4
+- Rebuild for platform-python
+
+* Mon May 14 2018 Pavel Březina - 0.4-3
+- Disable sssd as sudo rules source with sssd profile by default (RHBZ #1573403)
+
+* Wed Apr 25 2018 Christian Heimes - 0.4-2
+- Don't disable oddjobd.service (RHBZ #1571844)
+
+* Mon Apr 9 2018 Pavel Březina - 0.4-1
+- rebasing to 0.4
+
+* Tue Mar 6 2018 Pavel Březina - 0.3.2-1
+- rebasing to 0.3.2
+- authselect-compat now only suggests packages, not recommends
+
+* Mon Mar 5 2018 Pavel Březina - 0.3.1-1
+- rebasing to 0.3.1
+
+* Tue Feb 20 2018 Igor Gnatenko - 0.3-3
+- Provide authconfig
+
+* Tue Feb 20 2018 Igor Gnatenko - 0.3-2
+- Properly own all appropriate directories
+- Remove unneeded %%defattr
+- Remove deprecated Group tag
+- Make Obsoletes versioned
+- Remove unneeded ldconfig scriptlets
+
+* Tue Feb 20 2018 Pavel Březina - 0.3-1
+- rebasing to 0.3
+* Wed Feb 07 2018 Fedora Release Engineering - 0.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+* Wed Jan 10 2018 Pavel Březina - 0.2-2
+- fix rpmlint errors
+* Wed Jan 10 2018 Pavel Březina - 0.2-1
+- rebasing to 0.2
+* Mon Jul 31 2017 Jakub Hrozek - 0.1-1
+- initial packaging
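Review bot: The `%posttrans libs` scriptlet decides whether to turn on `with-sudo` from an unanchored match, `%__grep -E "services[[:blank:]]*=[[:blank:]]*.*sudo" /etc/sssd/sssd.conf`, so a commented-out line, or any other key whose name ends in `services` and whose value mentions sudo, also enables the feature on upgrade. Anchoring the key would narrow it to live settings, e.g. `%__grep -E "^[[:blank:]]*services[[:blank:]]*=.*sudo" /etc/sssd/sssd.conf`. In the same block `[ $PROFILE == "sssd" ]` leaves the variable unquoted, so an empty value turns the test into an error that the unconditional `exit 0` then hides; `[ "$PROFILE" = "sssd" ]` avoids that and does not depend on bash's `==`. More generally every `authselect` call here is sent to `&> /dev/null`, so a failed `apply-changes` leaves the PAM and nsswitch files as they were with no trace in the transaction output; keeping stderr would make that visible.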