Name: authselect Version: 1.0 Release: 13%{?dist} Summary: Configures authentication and identity sources from supported profiles URL: https://github.com/pbrezina/authselect License: GPLv3+ Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz %if 0%{?rhel} Source1: translations-1.0-12.tar.gz %endif %global makedir %{_builddir}/%{name}-%{version} Patch0001: 0001-lib-fix-profile-origin-debug-message.patch Patch0002: 0002-man-remove-duplicate-of-with-pamaccess.patch Patch0003: 0003-Don-t-write-options-without-value-to-pwquality-conf-.patch Patch0004: 0004-compat-write-only-options-set-on-command-line-to-pwq.patch Patch0005: 0005-compat-fix-regular-expression-for-environment-files.patch Patch0006: 0006-compat-fix-typo-in-compat-tool-that-produces-TypeErr.patch Patch0007: 0007-compat-use-current-configuration-unless-other-profil.patch Patch0008: 0008-compat-do-not-disable-service-if-its-option-is-not-s.patch Patch0009: 0009-nis-add-all-maps-supported-by-nss_nis.patch Patch0010: 0010-nis-add-systemd-module-to-nsswitch.conf.patch Patch0011: 0011-nis-add-nis-option-to-pam_unix-in-password-phase.patch Patch0012: 0012-nis-with-nispwquality-will-enable-pwquality-for-nis-.patch Patch0013: 0013-profiles-add-without-nullok.patch Patch0014: 0014-profiles-add-options-to-exclude-lines-from-nsswitch..patch Patch0015: 0015-compat-do-not-stop-rpcbind-only-start-it.patch Patch0016: 0016-sssd-document-that-this-profile-can-be-used-also-wit.patch Patch0017: 0017-sssd-add-support-for-local-users-authentication-via-.patch Patch0018: 0018-sssd-add-with-smartcard-required-feature.patch Patch0019: 0019-sssd-remove-with-sudo-duplicate-from-readme.patch Patch0020: 0020-profiles-end-all-files-with-new-line.patch Patch0021: 0021-compat-add-support-for-with-smartcard-required-enabl.patch Patch0022: 0022-compat-support-with-smartcard-lock-on-removal-smartc.patch Patch0023: 0023-profiles-mention-pam_oddjob_mkhomedir-in-requirement.patch Patch0024: 0024-lib-fix-memory-leak-in-authselect_profile_free.patch Patch0025: 0025-lib-fix-memory-leak-in-authselect_config_validate_ex.patch Patch0026: 0026-profiles-make-session-pam_systemd-required.patch Patch0027: 0027-lib-add-authselect_profile_features-to-list-supporte.patch Patch0028: 0028-lib-refuse-to-activate-profile-if-unsupported-featur.patch Patch0029: 0029-lib-remove-no-longer-supported-features-in-apply-cha.patch Patch0030: 0030-compat-write-to-sysconfig-after-all-changes-are-done.patch Patch0031: 0031-util-remove-duplicate-values-correctly-in-string_arr.patch Patch0032: 0032-util-do-not-return-value-from-string_array_del_value.patch Patch0033: 0033-util-fix-buffer-error-in-textfile_copy.patch Patch0034: 0034-lib-fix-coverity-warnings.patch Patch0035: 0035-lib-label-temporary-files-with-correct-selinux-conte.patch Patch0036: 0036-authselect-fix-memory-leak-of-maps.patch Patch0037: 0037-lib-make-selinux-functions-work-with-selinux-disable.patch Patch0038: 0038-sssd-require-smartcard-only-for-specific-services.patch Patch0039: 0039-Revert-profiles-make-session-pam_systemd-required.patch # Downstream only Patch0901: 0901-rhel8-remove-mention-of-Fedora-Change-page-in-compat.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: findutils BuildRequires: libtool BuildRequires: m4 BuildRequires: gcc BuildRequires: pkgconfig BuildRequires: pkgconfig(popt) BuildRequires: gettext-devel BuildRequires: po4a BuildRequires: %{_bindir}/a2x BuildRequires: libcmocka-devel >= 1.0.0 BuildRequires: libselinux-devel Requires: authselect-libs%{?_isa} = %{version}-%{release} Suggests: sssd Suggests: samba-winbind Suggests: fprintd-pam Suggests: oddjob-mkhomedir %description Authselect is designed to be a replacement for authconfig but it takes a different approach to configure the system. Instead of letting the administrator build the PAM stack with a tool (which may potentially end up with a broken configuration), it would ship several tested stacks (profiles) that solve a use-case and are well tested and supported. At the same time, some obsolete features of authconfig are not supported by authselect. %package libs Summary: Utility library used by the authselect tool Requires: libselinux # Required by scriptlets Requires: coreutils Requires: findutils Requires: gawk Requires: grep Requires: sed Requires: systemd %description libs Common library files for authselect. This package is used by the authselect command line tool and any other potential front-ends. %package compat Summary: Tool to provide minimum backwards compatibility with authconfig Obsoletes: authconfig < 7.0.1-6 Provides: authconfig BuildRequires: python3-devel Requires: authselect%{?_isa} = %{version}-%{release} Suggests: sssd Suggests: realmd Suggests: samba-winbind Suggests: oddjob-mkhomedir # Required by scriptlets Requires: sed %description compat This package will replace %{_sbindir}/authconfig with a tool that will translate some of the authconfig calls into authselect calls. It provides only minimum backward compatibility and users are encouraged to migrate to authselect completely. %package devel Summary: Development libraries and headers for authselect Requires: authselect-libs%{?_isa} = %{version}-%{release} %description devel System header files and development libraries for authselect. Useful if you develop a front-end for the authselect library. %prep %setup -q for p in %patches ; do %__patch -p1 -i $p done # Install RHEL translations # It is not possible to use wildcards here so we need to use 'find' %if 0%{?rhel} find "%{makedir}/po" "%{makedir}/src/man/po" -name "*.po" -delete %__rm "%{makedir}/po/LINGUAS" %setup -T -D -a 1 %endif %build autoreconf -if %configure --with-pythonbin="%{__python3}" %make_build %check %make_build check %install %make_install # Find translations %find_lang %{name} %find_lang %{name} %{name}.8.lang --with-man %find_lang %{name}-migration %{name}-migration.7.lang --with-man %find_lang %{name}-profiles %{name}-profiles.5.lang --with-man # We want this file to contain only manual page translations sed -i '/LC_MESSAGES/d' %{name}.8.lang # Remove .la and .a files created by libtool find $RPM_BUILD_ROOT -name "*.la" -exec rm -f {} \; find $RPM_BUILD_ROOT -name "*.a" -exec rm -f {} \; %ldconfig_scriptlets libs %files libs -f %{name}.lang -f %{name}-profiles.5.lang %dir %{_sysconfdir}/authselect %dir %{_sysconfdir}/authselect/custom %dir %{_localstatedir}/lib/authselect %dir %{_datadir}/authselect %dir %{_datadir}/authselect/vendor %dir %{_datadir}/authselect/default %dir %{_datadir}/authselect/default/nis/ %dir %{_datadir}/authselect/default/sssd/ %dir %{_datadir}/authselect/default/winbind/ %{_datadir}/authselect/default/nis/dconf-db %{_datadir}/authselect/default/nis/dconf-locks %{_datadir}/authselect/default/nis/fingerprint-auth %{_datadir}/authselect/default/nis/nsswitch.conf %{_datadir}/authselect/default/nis/password-auth %{_datadir}/authselect/default/nis/postlogin %{_datadir}/authselect/default/nis/README %{_datadir}/authselect/default/nis/REQUIREMENTS %{_datadir}/authselect/default/nis/system-auth %{_datadir}/authselect/default/sssd/dconf-db %{_datadir}/authselect/default/sssd/dconf-locks %{_datadir}/authselect/default/sssd/fingerprint-auth %{_datadir}/authselect/default/sssd/nsswitch.conf %{_datadir}/authselect/default/sssd/password-auth %{_datadir}/authselect/default/sssd/postlogin %{_datadir}/authselect/default/sssd/README %{_datadir}/authselect/default/sssd/REQUIREMENTS %{_datadir}/authselect/default/sssd/smartcard-auth %{_datadir}/authselect/default/sssd/system-auth %{_datadir}/authselect/default/winbind/dconf-db %{_datadir}/authselect/default/winbind/dconf-locks %{_datadir}/authselect/default/winbind/fingerprint-auth %{_datadir}/authselect/default/winbind/nsswitch.conf %{_datadir}/authselect/default/winbind/password-auth %{_datadir}/authselect/default/winbind/postlogin %{_datadir}/authselect/default/winbind/README %{_datadir}/authselect/default/winbind/REQUIREMENTS %{_datadir}/authselect/default/winbind/system-auth %{_libdir}/libauthselect.so.* %{_mandir}/man5/authselect-profiles.5* %{_datadir}/doc/authselect/COPYING %{_datadir}/doc/authselect/README.md %license COPYING %doc README.md %files compat %{_sbindir}/authconfig %{python3_sitelib}/authselect/ %files devel %{_includedir}/authselect.h %{_libdir}/libauthselect.so %{_libdir}/pkgconfig/authselect.pc %files -f %{name}.8.lang -f %{name}-migration.7.lang %{_bindir}/authselect %{_mandir}/man8/authselect.8* %{_mandir}/man7/authselect-migration.7* %global validfile %{_localstatedir}/lib/rpm-state/%{name}.config-valid %pre libs rm -f %{validfile} if [ $1 -gt 1 ] ; then # Remember if the current configuration is valid %{_bindir}/authselect check &> /dev/null if [ $? -eq 0 ]; then touch %{validfile} fi fi exit 0 %posttrans libs # Copy nsswitch.conf to user-nsswitch.conf if it was not yet created if [ ! -f %{_localstatedir}/lib/authselect/user-nsswitch-created ]; then cp -n %{_sysconfdir}/nsswitch.conf %{_sysconfdir}/authselect/user-nsswitch.conf &> /dev/null touch %{_localstatedir}/lib/authselect/user-nsswitch-created &> /dev/null # If we are upgrading from older version, we want to remove these comments. sed -i '/^# Generated by authselect on .*$/{$!{ N;N # Read also next two lines /# Generated by authselect on .*\n# Do not modify this file manually.\n/d }}' %{_sysconfdir}/authselect/user-nsswitch.conf &> /dev/null fi # If the configuration is valid and we are upgrading from older version # we need to create these files since they were added in 1.0. if [ -f %{validfile} ]; then FILES="nsswitch.conf system-auth password-auth fingerprint-auth \ smartcard-auth postlogin dconf-db dconf-locks" for FILE in $FILES ; do cp -n %{_sysconfdir}/authselect/$FILE \ %{_localstatedir}/lib/authselect/$FILE &> /dev/null done rm -f %{validfile} fi # Apply any changes to profiles (validates configuration first internally) %{_bindir}/authselect apply-changes &> /dev/null # Enable with-sudo feature if sssd-sudo responder is enabled. RHBZ#1582111 CURRENT=`%{_bindir}/authselect current --raw 2> /dev/null` if [ $? -eq 0 ]; then PROFILE=`echo $CURRENT | awk '{print $1;}'` if [ $PROFILE == "sssd" ] ; then if grep -E "services[[:blank:]]*=[[:blank:]]*.*sudo" /etc/sssd/sssd.conf &> /dev/null ; then %{_bindir}/authselect enable-feature with-sudo &> /dev/null elif systemctl is-active sssd-sudo.service sssd-sudo.socket --quiet || systemctl is-enabled sssd-sudo.socket --quiet ; then %{_bindir}/authselect enable-feature with-sudo &> /dev/null fi fi fi exit 0 %posttrans compat # Fix for RHBZ#1618865 # Remove invalid lines from pwquality.conf generated by authconfig compat tool # - previous version could write some options without value, which is invalid # - we delete all options without value from existing file sed -i -E '/^\w+=$/d' %{_sysconfdir}/security/pwquality.conf.d/10-authconfig-pwquality.conf &> /dev/null exit 0 %changelog * Mon Feb 25 2019 Jakub Hrozek - 1.0-13 - Revert pam_systemd.so to be optional - Resolves: #rhbz1643928 - pam_systemd shouldn't be optional in system-auth * Mon Feb 4 2019 Pavel Březina - 1.0-12 - make authselect work with selinux disabled (RHBZ #1668025) - require smartcard authentication only for specific services (RHBZ #1665058) - update translations (RHBZ #1608286) * Fri Jan 11 2019 Pavel Březina - 1.0-11 - require libselinux needed by (RHBZ #1664650) * Fri Jan 11 2019 Pavel Březina - 1.0-10 - invalid selinux context for files under /etc/authselect (RHBZ #1664650) * Tue Dec 4 2018 Pavel Březina - 1.0-9 - fix sources for official rhel translations (RHBZ #1608286) - fix coverity warnings for authselect enable-features should error on unknown features (RHBZ #1651637) * Mon Dec 3 2018 Pavel Březina - 1.0-8 - add official rhel translations (RHBZ #1608286) * Mon Dec 3 2018 Pavel Březina - 1.0-7 - pam_systemd shouldn't be optional in system-auth (RHBZ #1643928) - compat tool: support --enablerequiresmartcard (RHBZ #1649277) - compat tool: support --smartcardaction=0 (RHBZ #1649279) - remove ecryptfs from authselect since it is not present in rhel8 (RHBZ #1649282) - authselect enable-features should error on unknown features (RHBZ #1651637) * Wed Oct 31 2018 Pavel Březina - 1.0-6 - Remove mention of Fedora Change page from compat tool (RHBZ #1644309) * Wed Oct 10 2018 Pavel Březina - 1.0-5 - Support for "require smartcard for login option" (RHBZ #1611012) * Mon Oct 1 2018 Pavel Březina - 1.0-4 - add official rhel translations (RHBZ #1608286) * Fri Sep 28 2018 Pavel Březina - 1.0-3 - scriptlet can fail if coreutils is not installed (RHBZ #1630896) - fix typo (require systemd instead of systemctl) * Thu Sep 27 2018 Pavel Březina - 1.0-2 - authconfig --update overwrites current profile (RHBZ #1628492) - authselect profile nis enhancements (RHBZ #1628493) - scriptlet can fail if coreutils is not installed (RHBZ #1630896) - authconfig --update --enablenis stops ypserv (RHBZ #1632567) - compat tool generates invalid pwquality configuration (RHBZ #1628491) * Mon Aug 13 2018 Pavel Březina - 1.0-1 - Rebase to 1.0 (RHBZ #1614235) * Wed Aug 01 2018 Charalampos Stratakis - 0.4-4 - Rebuild for platform-python * Mon May 14 2018 Pavel Březina - 0.4-3 - Disable sssd as sudo rules source with sssd profile by default (RHBZ #1573403) * Wed Apr 25 2018 Christian Heimes - 0.4-2 - Don't disable oddjobd.service (RHBZ #1571844) * Mon Apr 9 2018 Pavel Březina - 0.4-1 - rebasing to 0.4 * Tue Mar 6 2018 Pavel Březina - 0.3.2-1 - rebasing to 0.3.2 - authselect-compat now only suggests packages, not recommends * Mon Mar 5 2018 Pavel Březina - 0.3.1-1 - rebasing to 0.3.1 * Tue Feb 20 2018 Igor Gnatenko - 0.3-3 - Provide authconfig * Tue Feb 20 2018 Igor Gnatenko - 0.3-2 - Properly own all appropriate directories - Remove unneeded %%defattr - Remove deprecated Group tag - Make Obsoletes versioned - Remove unneeded ldconfig scriptlets * Tue Feb 20 2018 Pavel Březina - 0.3-1 - rebasing to 0.3 * Wed Feb 07 2018 Fedora Release Engineering - 0.2-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild * Wed Jan 10 2018 Pavel Březina - 0.2-2 - fix rpmlint errors * Wed Jan 10 2018 Pavel Březina - 0.2-1 - rebasing to 0.2 * Mon Jul 31 2017 Jakub Hrozek - 0.1-1 - initial packaging