From de0168f1ebb871b80c2552f1ef8dd8f145dacf29 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
Date: Tue, 20 Nov 2018 13:07:19 +0100
Subject: [PATCH 08/15] profiles: make session pam_systemd required

There was a time when pam_systemd was optional but today if pam_systemd fails to register a session it's catastrophic and we should just fail the whole pam conversation.

Resolves: https://github.com/pbrezina/authselect/issues/118
---
 profiles/nis/fingerprint-auth | 2 +-
 profiles/nis/password-auth | 2 +-
 profiles/nis/system-auth | 2 +-
 profiles/sssd/fingerprint-auth | 2 +-
 profiles/sssd/password-auth | 2 +-
 profiles/sssd/smartcard-auth | 2 +-
 profiles/sssd/system-auth | 2 +-
 profiles/winbind/fingerprint-auth | 2 +-
 profiles/winbind/password-auth | 2 +-
 profiles/winbind/system-auth | 2 +-
 10 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/profiles/nis/fingerprint-auth b/profiles/nis/fingerprint-auth
index 278487b2a0f9ce103afebb0809ffffa2cfbbba7e..dc9e53ba28974eb75828220d9b80d626106b9652 100644
--- a/profiles/nis/fingerprint-auth
+++ b/profiles/nis/fingerprint-auth
@@ -17,7 +17,7 @@ password required pam_deny.so
 session optional pam_keyinit.so revoke
 session required pam_limits.so
 session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
--session optional pam_systemd.so
+session required pam_systemd.so
 session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session required pam_unix.so
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
index 615544d16f7fc8551cb06a221825526f12cbfc64..d22dcef9529ca51a1812ae0733b543d13f6ae235 100644
--- a/profiles/nis/password-auth
+++ b/profiles/nis/password-auth
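Review bot: The added line drops the leading `-` as well as changing the control flag: the removed line is `-session optional pam_systemd.so` (shown as `--session` in the hunk) and the new one is `session required pam_systemd.so`, a second change the commit message does not mention. pam.conf(5) documents that prefix for modules that are not always installed, so on a host without pam_systemd.so or without a reachable logind (containers, chroots, minimal images) the new line would presumably make session setup fail for every service that includes this stack. The line also sits ahead of the `pam_succeed_if.so service in crond` skip, so cron sessions depend on it as well. If failing closed is intended, I would say so explicitly in the commit message along with the lockout implication, and for hosts without systemd either keep `-session optional pam_systemd.so` or gate the required line behind a profile feature using the `{include if "..."}` syntax these files already use. The same applies to the identical hunks in the other nine profile files of this patch.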
@@ -20,7 +20,7 @@ password required pam_deny.so
 session optional pam_keyinit.so revoke
 session required pam_limits.so
 session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
--session optional pam_systemd.so
+session required pam_systemd.so
 session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session required pam_unix.so
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
index a41828d8972537b1b24d0ff21cd52976fba6646d..d394d3e1200755d2233d4f86e3866620539fc18d 100644
--- a/profiles/nis/system-auth
+++ b/profiles/nis/system-auth
@@ -21,7 +21,7 @@ password required pam_deny.so
 session optional pam_keyinit.so revoke
 session required pam_limits.so
 session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
--session optional pam_systemd.so
+session required pam_systemd.so
 session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session required pam_unix.so
diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
index 01b70f3533149d00700859f3e0a1c3f2abb33a8a..3bdaf3e71ba7afc66864f9c2acbf584c0b77a82d 100644
--- a/profiles/sssd/fingerprint-auth
+++ b/profiles/sssd/fingerprint-auth
@@ -19,7 +19,7 @@ password required pam_deny.so
 session optional pam_keyinit.so revoke
 session required pam_limits.so
 session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
--session optional pam_systemd.so
+session required pam_systemd.so
 session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session required pam_unix.so
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index 3205f261dd8c898baf292c252ebdb346fcb779bb..1e529184cdc04a94fb4f2b52f733cf6df73b7fda 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -26,7 +26,7 @@ password required pam_deny.so
 session optional pam_keyinit.so revoke
 session required pam_limits.so
 session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
--session optional pam_systemd.so
+session required pam_systemd.so
 session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session required pam_unix.so
diff --git a/profiles/sssd/smartcard-auth b/profiles/sssd/smartcard-auth
index b16ba0f44ca4c896c1980a292cf78f12d7f2f06d..b89a23a111560877785c9d17fd65c0bfd3f3ae22 100644
--- a/profiles/sssd/smartcard-auth
+++ b/profiles/sssd/smartcard-auth
@@ -16,7 +16,7 @@ account required pam_permit.so
 session optional pam_keyinit.so revoke
 session required pam_limits.so
 session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
--session optional pam_systemd.so
+session required pam_systemd.so
 session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session required pam_unix.so
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 982cada1f774e6d53dd75c9f5dbc0603337cd70b..22dba5b2d3db23855724ddb05528e5013c63c5af 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -29,7 +29,7 @@ password required pam_deny.so
 session optional pam_keyinit.so revoke
 session required pam_limits.so
 session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
--session optional pam_systemd.so
+session required pam_systemd.so
 session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session required pam_unix.so
diff --git a/profiles/winbind/fingerprint-auth b/profiles/winbind/fingerprint-auth
index 0beff74eba83f12c4ad5a6147a6194608cd047e3..92649461564dd4e6f78f467dc1be455f29edfe08 100644
--- a/profiles/winbind/fingerprint-auth
+++ b/profiles/winbind/fingerprint-auth
@@ -18,7 +18,7 @@ password required pam_deny.so
 session optional pam_keyinit.so revoke
 session required pam_limits.so
 session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
--session optional pam_systemd.so
+session required pam_systemd.so
 session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session required pam_unix.so
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
index c984d817c537c48a358c644083a4f8979181dd1d..fb59e295c3a220acfdf633f69a0204328150a5c3 100644
--- a/profiles/winbind/password-auth
+++ b/profiles/winbind/password-auth
@@ -23,7 +23,7 @@ password required pam_deny.so
 session optional pam_keyinit.so revoke
 session required pam_limits.so
 session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
--session optional pam_systemd.so
+session required pam_systemd.so
 session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session required pam_unix.so
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
index 33dc491c2125c7fe06d6475369f1654a900c7050..bb75c327db3315c22a22f375a5cc633e33c30c19 100644
--- a/profiles/winbind/system-auth
+++ b/profiles/winbind/system-auth
@@ -24,7 +24,7 @@ password required pam_deny.so
 session optional pam_keyinit.so revoke
 session required pam_limits.so
 session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
--session optional pam_systemd.so
+session required pam_systemd.so
 session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session required pam_unix.so
-- 
2.17.2