From 81b5034618d0a6ab8736134092f2774bb6582166 Mon Sep 17 00:00:00 2001 From: Pavel Březina Date: Sep 14 2018 08:22:44 +0000 Subject: Fix pwquality configuration and silent scriptlets Resolves: - Scriptlets should not produce any error messages (RHBZ #1622272) - Provide fix for pwquality configuration (RHBZ #1618865) --- diff --git a/0001-Don-t-write-options-without-value-to-pwquality-conf-.patch b/0001-Don-t-write-options-without-value-to-pwquality-conf-.patch deleted file mode 100644 index a604699..0000000 --- a/0001-Don-t-write-options-without-value-to-pwquality-conf-.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From 9e17c60b267f4c0a5e5f2fb33c409cd50c96ad10 Mon Sep 17 00:00:00 2001 -From: Adam Williamson -Date: Tue, 28 Aug 2018 11:49:35 -0700 -Subject: [PATCH] Don't write options without value to pwquality conf - (#1618865) - -Per https://bugzilla.redhat.com/show_bug.cgi?id=1618865 , it is -incorrect to write lines like this in a pwquality config file: - -minlen= -minclass= -maxrepeat= -maxclassrepeat= - -There should either be an actual integer value, or the line -should be omitted entirely. Including the option with no value -is wrong and breaks pwquality. This should fix the problem by -only writing the lines if the option is actually set. - -Signed-off-by: Adam Williamson ---- - src/compat/authcompat.py.in.in | 11 +++++++---- - 1 file changed, 7 insertions(+), 4 deletions(-) - -diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in -index abe1e58..1b4f531 100755 ---- a/src/compat/authcompat.py.in.in -+++ b/src/compat/authcompat.py.in.in -@@ -319,10 +319,13 @@ class Configuration: - def write(self): - config = EnvironmentFile(Path.System('pwquality.conf')) - -- config.set("minlen", self.get("passminlen")) -- config.set("minclass", self.get("passminclass")) -- config.set("maxrepeat", self.get("passmaxrepeat")) -- config.set("maxclassrepeat", self.get("passmaxclassrepeat")) -+ # for each if these options, we want to write a line to the config -+ # *only if* it is set to an actual value, see -+ # https://bugzilla.redhat.com/show_bug.cgi?id=1618865 -+ for pwval in ["minlen", "minclass", "maxrepeat", "maxclassrepeat"]: -+ if self.isset("pass{0}".format(pwval)): -+ config.set(pwval, self.get("pass{0}".format(pwval))) -+ - config.set("lcredit", self.getBoolAsValue("reqlower", -1, 0)) - config.set("ucredit", self.getBoolAsValue("requpper", -1, 0)) - config.set("dcredit", self.getBoolAsValue("reqdigit", -1, 0)) --- -2.17.1 - 
diff --git a/0001-lib-fix-profile-origin-debug-message.patch b/0001-lib-fix-profile-origin-debug-message.patch new file mode 100644 index 0000000..7eb09dd --- /dev/null +++ b/0001-lib-fix-profile-origin-debug-message.patch @@ -0,0 +1,29 @@ +From 607235797f0503178f81b5a2074803fdddd84071 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 4 Sep 2018 12:33:21 +0200 +Subject: [PATCH 1/7] lib: fix profile origin debug message + +Previously, we failed to match the location and always print that +the selected profile is a default profile. +--- + src/lib/profiles/read.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/lib/profiles/read.c b/src/lib/profiles/read.c +index 002329090cec29eee7969a5f04634ba1bb214a4c..a3a3e62788a3b3ae493a22a8b8e10170d572fc6f 100644 +--- a/src/lib/profiles/read.c ++++ b/src/lib/profiles/read.c +@@ -125,9 +125,9 @@ authselect_profile_open(const char *id, + return ret; + } + +- if (strcmp(location, DIR_CUSTOM_PROFILES) == 0) { ++ if (strcmp(locations[i], DIR_CUSTOM_PROFILES) == 0) { + INFO("Profile [%s] is a custom profile", id); +- } else if (strcmp(location, DIR_VENDOR_PROFILES) == 0) { ++ } else if (strcmp(locations[i], DIR_VENDOR_PROFILES) == 0) { + INFO("Profile [%s] is a vendor profile", id); + } else { + INFO("Profile [%s] is a default profile", id); +-- +2.17.1 diff --git a/0002-man-remove-duplicate-of-with-pamaccess.patch b/0002-man-remove-duplicate-of-with-pamaccess.patch new file mode 100644 index 0000000..88dfee3 --- /dev/null +++ b/0002-man-remove-duplicate-of-with-pamaccess.patch 
@@ -0,0 +1,23 @@ +From 3b6ba3c895dfc7a3c6b3fa43d2c76070e45b0d94 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 4 Sep 2018 12:39:16 +0200 +Subject: [PATCH 2/7] man: remove duplicate of with-pamaccess + +--- + src/man/authselect-migration.7.adoc | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc +index 47544a53efd70b55a75d68d5bcbf3c89f875d7e7..35ba484d576ab8a3d923a124f6b1577085deedd4 100644 +--- a/src/man/authselect-migration.7.adoc ++++ b/src/man/authselect-migration.7.adoc +@@ -85,7 +85,6 @@ configuration file for required services. + |--enablefaillock |with-faillock + |--enablepamaccess |with-pamaccess + |--enablewinbindkrb5 |with-krb5 +-|--enablepamaccess |with-pamaccess + |================================================== + + .Examples +-- +2.17.1 diff --git a/0003-spec-do-not-print-any-output-when-enabling-with-sudo.patch b/0003-spec-do-not-print-any-output-when-enabling-with-sudo.patch new file mode 100644 index 0000000..82d465f --- /dev/null +++ b/0003-spec-do-not-print-any-output-when-enabling-with-sudo.patch 
@@ -0,0 +1,27 @@ +From dd0b2a5b4293ac5a46c1ecf64b2716d210ade1ee Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 4 Sep 2018 14:13:49 +0200 +Subject: [PATCH 3/7] spec: do not print any output when enabling with-sudo + +--- + rpm/authselect.spec.in | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in +index c1de3107b099bab05284f65a4f6712fac41297da..70af91e16c72478e5e5bba0b4f59df86b66fb99f 100644 +--- a/rpm/authselect.spec.in ++++ b/rpm/authselect.spec.in +@@ -210,9 +210,9 @@ if [ $? -eq 0 ]; then + + if [ $PROFILE == "sssd" ] ; then + if grep -E "services[[:blank:]]*=[[:blank:]]*.*sudo" /etc/sssd/sssd.conf &> /dev/null ; then +- %{_bindir}/authselect enable-feature with-sudo ++ %{_bindir}/authselect enable-feature with-sudo &> /dev/null + elif systemctl is-active sssd-sudo.service sssd-sudo.socket --quiet || systemctl is-enabled sssd-sudo.socket --quiet ; then +- %{_bindir}/authselect enable-feature with-sudo ++ %{_bindir}/authselect enable-feature with-sudo &> /dev/null + fi + fi + fi +-- +2.17.1 diff --git a/0004-Don-t-write-options-without-value-to-pwquality-conf-.patch b/0004-Don-t-write-options-without-value-to-pwquality-conf-.patch new file mode 100644 index 0000000..e76d95c --- /dev/null +++ b/0004-Don-t-write-options-without-value-to-pwquality-conf-.patch 
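Review bot: Both new `&> /dev/null` redirections drop stderr together with stdout, so a genuine failure of `authselect enable-feature with-sudo` is no longer visible in the transaction log, and the scriptlet then ends in `exit 0` regardless. If only the informational output is unwanted, `> /dev/null` keeps stderr; if a failure here is expected and harmless, say so next to the call, `# enable-feature may fail depending on the selected profile; not fatal for the install`. `&>` is a bash extension rather than POSIX sh, which is fine for Fedora scriptlets but worth remembering if this spec template is reused on another distribution. The enclosing `if [ $? -eq 0 ]` block starts before this hunk and continues past it.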
@@ -0,0 +1,49 @@ +From 748e7672134545c5c66fab180c983edbd8d7a106 Mon Sep 17 00:00:00 2001 +From: Adam Williamson +Date: Tue, 28 Aug 2018 11:49:35 -0700 +Subject: [PATCH 4/7] Don't write options without value to pwquality conf + (#1618865) + +Per https://bugzilla.redhat.com/show_bug.cgi?id=1618865 , it is +incorrect to write lines like this in a pwquality config file: + +minlen= +minclass= +maxrepeat= +maxclassrepeat= + +There should either be an actual integer value, or the line +should be omitted entirely. Including the option with no value +is wrong and breaks pwquality. This should fix the problem by +only writing the lines if the option is actually set. + +Signed-off-by: Adam Williamson +--- + src/compat/authcompat.py.in.in | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in +index abe1e585954ccd5ac555339f23c175e941c76ea3..1b4f531b021c1e2e8fd99bd081094da365c0c64e 100755 +--- a/src/compat/authcompat.py.in.in ++++ b/src/compat/authcompat.py.in.in +@@ -319,10 +319,13 @@ class Configuration: + def write(self): + config = EnvironmentFile(Path.System('pwquality.conf')) + +- config.set("minlen", self.get("passminlen")) +- config.set("minclass", self.get("passminclass")) +- config.set("maxrepeat", self.get("passmaxrepeat")) +- config.set("maxclassrepeat", self.get("passmaxclassrepeat")) ++ # for each if these options, we want to write a line to the config ++ # *only if* it is set to an actual value, see ++ # https://bugzilla.redhat.com/show_bug.cgi?id=1618865 ++ for pwval in ["minlen", "minclass", "maxrepeat", "maxclassrepeat"]: ++ if self.isset("pass{0}".format(pwval)): ++ config.set(pwval, self.get("pass{0}".format(pwval))) ++ + config.set("lcredit", self.getBoolAsValue("reqlower", -1, 0)) + config.set("ucredit", self.getBoolAsValue("requpper", -1, 0)) + config.set("dcredit", self.getBoolAsValue("reqdigit", -1, 0)) +-- +2.17.1 + 
diff --git a/0005-compat-write-only-options-set-on-command-line-to-pwq.patch b/0005-compat-write-only-options-set-on-command-line-to-pwq.patch new file mode 100644 index 0000000..77b302d --- /dev/null +++ b/0005-compat-write-only-options-set-on-command-line-to-pwq.patch 
@@ -0,0 +1,71 @@ +From 65c081520d2192602ecffb31a06f96e577ed3998 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 4 Sep 2018 11:36:43 +0200 +Subject: [PATCH 5/7] compat: write only options set on command line to + pwquality.conf + +This will not overwrite pwquality.conf if for exapmle "authconfig --update" +is called. Without this patch the values would get overriden with empty +values. +--- + src/compat/authcompat.py.in.in | 36 ++++++++++++++++++++++------------ + 1 file changed, 24 insertions(+), 12 deletions(-) + +diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in +index 1b4f531b021c1e2e8fd99bd081094da365c0c64e..4fa9a6afc1d62aa9dde41b525d473168e6dc2901 100755 +--- a/src/compat/authcompat.py.in.in ++++ b/src/compat/authcompat.py.in.in +@@ -166,7 +166,10 @@ class Configuration: + def getBool(self, name): + return self.options.getBool(name) + +- def getBoolAsValue(self, name, if_true, if_false): ++ def getBoolAsValue(self, name, if_true, if_false, AllowNone=False): ++ if AllowNone and not self.isset(name): ++ return None ++ + value = self.getBool(name) + if value: + return if_true +@@ -318,19 +321,28 @@ class Configuration: + + def write(self): + config = EnvironmentFile(Path.System('pwquality.conf')) ++ value_set = False + +- # for each if these options, we want to write a line to the config +- # *only if* it is set to an actual value, see +- # https://bugzilla.redhat.com/show_bug.cgi?id=1618865 +- for pwval in ["minlen", "minclass", "maxrepeat", "maxclassrepeat"]: +- if self.isset("pass{0}".format(pwval)): +- config.set(pwval, self.get("pass{0}".format(pwval))) ++ pwopts = { ++ "minlen" : self.get("passminlen"), ++ "minclass" : self.get("passminclass"), ++ "maxrepeat" : self.get("passmaxrepeat"), ++ "maxclassrepeat" : self.get("passmaxclassrepeat"), ++ "lcredit" : self.getBoolAsValue("reqlower", -1, 0, AllowNone=True), ++ "ucredit" : self.getBoolAsValue("requpper", -1, 0, AllowNone=True), ++ "dcredit" : 
self.getBoolAsValue("reqdigit", -1, 0, AllowNone=True), ++ "ocredit" : self.getBoolAsValue("reqother", -1, 0, AllowNone=True) ++ } + +- config.set("lcredit", self.getBoolAsValue("reqlower", -1, 0)) +- config.set("ucredit", self.getBoolAsValue("requpper", -1, 0)) +- config.set("dcredit", self.getBoolAsValue("reqdigit", -1, 0)) +- config.set("ocredit", self.getBoolAsValue("reqother", -1, 0)) +- config.write() ++ # Write options only if their are actually set ++ for opt, value in pwopts.items(): ++ if value is not None: ++ print(opt + "=" + str(value)) ++ config.set(opt, value) ++ value_set = True ++ ++ if value_set: ++ config.write() + + class MakeHomedir(Base): + def __init__(self, options): +-- +2.17.1 diff --git a/0006-compat-fix-regular-expression-for-environment-files.patch b/0006-compat-fix-regular-expression-for-environment-files.patch new file mode 100644 index 0000000..7b8650c --- /dev/null +++ b/0006-compat-fix-regular-expression-for-environment-files.patch 
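Review bot: The `print(opt + "=" + str(value))` inside the write loop looks like leftover debugging output: every pwquality option is echoed to stdout each time the compat tool writes the file, which works against the goal of this series (silent scriptlets, RHBZ #1622272) whenever authconfig is invoked from a scriptlet or a provisioning script. Drop that line, or route it through whatever verbose/debug logging the tool has (not visible in this hunk). The loop comment also has a typo, `# Write options only if they are actually set`. The `value is not None` test is what keeps unset options out of the file now that `getBoolAsValue(..., AllowNone=True)` returns None, and `config.write()` is only reached when at least one option was set, which matches the `authconfig --update` case the message describes; the `AllowNone` keyword is non-PEP 8 naming but internal, so cosmetic.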
@@ -0,0 +1,30 @@ +From 7c37960dbf378dc1041c1d635629d509c48bae20 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 4 Sep 2018 11:38:38 +0200 +Subject: [PATCH 6/7] compat: fix regular expression for environment files + +Any word character (\w) was not enough as it does not accept e.g. '-'. +Therefore line like 'ocredit=-1' was incorrectly parse returning only +'1' as value instead of '-1'. +--- + src/compat/authcompat_EnvironmentFile.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/compat/authcompat_EnvironmentFile.py b/src/compat/authcompat_EnvironmentFile.py +index 529497e61903b3fb89f560b8e0ac0bb38111b46a..5738c6cafaf75109a5c1dbb9d3f040686a4945e1 100644 +--- a/src/compat/authcompat_EnvironmentFile.py ++++ b/src/compat/authcompat_EnvironmentFile.py +@@ -34,9 +34,9 @@ class EnvironmentFile: + self.environment = [] + + delimiter_re = delimiter_re if delimiter_re is not None else delimiter +- self.pattern = re.compile('^(\s*)(\S*)([^\n\w]*)(' + ++ self.pattern = re.compile('^(\s*)(\S*)([^\n\S]*)(' + + delimiter_re + +- ')([^\n\w]*)(.*)$', ++ ')([^\n\S]*)(.*)$', + re.MULTILINE) + + self.read() +-- +2.17.1 diff --git a/0007-spec-fix-invalid-options-in-pwquality.conf-generated.patch b/0007-spec-fix-invalid-options-in-pwquality.conf-generated.patch new file mode 100644 index 0000000..e8f61e4 --- /dev/null +++ b/0007-spec-fix-invalid-options-in-pwquality.conf-generated.patch 
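Review bot: Both pattern fragments remain plain (non-raw) string literals, so `\s` and `\S` are invalid Python escape sequences that CPython 3.6+ reports as a DeprecationWarning (a SyntaxWarning from 3.12), even though `re` still receives the intended text; mark the literals raw, `re.compile(r'^(\s*)(\S*)([^\n\S]*)(' + delimiter_re + r')([^\n\S]*)(.*)$', re.MULTILINE)`. A further caveat, inferred because the delimiter is passed in by the caller: the key group `(\S*)` is greedy, so on a line whose value itself contains the delimiter (`a=b=c`) the captured key is `a=b`; pwquality.conf keys cannot trigger this, but a key class that excludes the delimiter would pin it down. The `__init__` this belongs to starts and ends outside the hunk.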
@@ -0,0 +1,31 @@ +From 81de5acd2ce27592b724ab564ed3ade6ed3d68eb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 4 Sep 2018 11:51:20 +0200 +Subject: [PATCH 7/7] spec: fix invalid options in pwquality.conf generated by + compat tool + +--- + rpm/authselect.spec.in | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in +index 70af91e16c72478e5e5bba0b4f59df86b66fb99f..6887d1d16724412de8abfd5b872e5ecfc93e5ba5 100644 +--- a/rpm/authselect.spec.in ++++ b/rpm/authselect.spec.in +@@ -219,6 +219,14 @@ fi + + exit 0 + ++%posttrans compat ++# Fix for RHBZ#1618865 ++# Remove invalid lines from pwquality.conf generated by authconfig compat tool ++# - previous version could write some options without value, which is invalid ++# - we delete all options without value from existing file ++sed -i -E '/^\w+=$/d' %{_sysconfdir}/security/pwquality.conf.d/10-authconfig-pwquality.conf &> /dev/null ++exit 0 ++ + %changelog + * Thu Feb 22 2018 Pavel Březina - @PACKAGE_VERSION@-@RELEASE_NUMBER@ + - Do not use change log for rpm generated from source +-- +2.17.1 diff --git a/authselect.spec b/authselect.spec index 4c84958..2bb28ad 100644 --- a/authselect.spec +++ b/authselect.spec 
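Review bot: The `sed -i` in the new `%posttrans compat` runs unconditionally, so on systems where the compat tool never created `10-authconfig-pwquality.conf` it simply fails behind `&> /dev/null`, and where the path is a symlink GNU `sed -i` (without `--follow-symlinks`) replaces the link with a regular file. Guarding on the file's existence makes the intent explicit: `f=%{_sysconfdir}/security/pwquality.conf.d/10-authconfig-pwquality.conf; [ -f "$f" ] && sed -i -E '/^\w+=$/d' "$f" &> /dev/null`. Note that `^\w+=$` only matches an empty value with nothing after the `=`; whether the old tool could emit trailing whitespace is not visible here. The same scriptlet is added verbatim to `authselect.spec` in the last hunk of this commit and should be changed in both places.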
@@ -1,14 +1,19 @@ Name: authselect Version: 1.0 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Configures authentication and identity sources from supported profiles URL: https://github.com/pbrezina/authselect License: GPLv3+ Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz -# Backport https://github.com/pbrezina/authselect/pull/78 to fix -# https://bugzilla.redhat.com/show_bug.cgi?id=1618865 -Patch0: 0001-Don-t-write-options-without-value-to-pwquality-conf-.patch + +Patch0001: 0001-lib-fix-profile-origin-debug-message.patch +Patch0002: 0002-man-remove-duplicate-of-with-pamaccess.patch +Patch0003: 0003-spec-do-not-print-any-output-when-enabling-with-sudo.patch +Patch0004: 0004-Don-t-write-options-without-value-to-pwquality-conf-.patch +Patch0005: 0005-compat-write-only-options-set-on-command-line-to-pwq.patch +Patch0006: 0006-compat-fix-regular-expression-for-environment-files.patch +Patch0007: 0007-spec-fix-invalid-options-in-pwquality.conf-generated.patch BuildRequires: autoconf BuildRequires: automake @@ -75,8 +80,10 @@ you develop a front-end for the authselect library. %prep %setup -q -%patch0 -p1 +for p in %patches ; do + %__patch -p1 -i $p +done %build autoreconf -if 
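Review bot: In the `%prep` hunk, the hand-written loop `for p in %patches ; do %__patch -p1 -i $p; done` does the job that `%autopatch -p1` (available since rpm 4.11) exists for, applying all `PatchNNNN` entries in numeric order through the same `%__patch` macro, so `%setup -q` followed by `%autopatch -p1` is the idiomatic form here. If the loop is kept deliberately (for instance to build on an rpm that lacks `%autopatch`), a one-line comment above it saying so, `# manual loop: %autopatch is not available on all target builders`, would stop the next maintainer from "simplifying" it. The `%build` section that follows starts outside this hunk.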
@@ -214,16 +221,28 @@ if [ $? -eq 0 ]; then if [ $PROFILE == "sssd" ] ; then if grep -E "services[[:blank:]]*=[[:blank:]]*.*sudo" /etc/sssd/sssd.conf &> /dev/null ; then - %{_bindir}/authselect enable-feature with-sudo + %{_bindir}/authselect enable-feature with-sudo &> /dev/null elif systemctl is-active sssd-sudo.service sssd-sudo.socket --quiet || systemctl is-enabled sssd-sudo.socket --quiet ; then - %{_bindir}/authselect enable-feature with-sudo + %{_bindir}/authselect enable-feature with-sudo &> /dev/null fi fi fi exit 0 +%posttrans compat +# Fix for RHBZ#1618865 +# Remove invalid lines from pwquality.conf generated by authconfig compat tool +# - previous version could write some options without value, which is invalid +# - we delete all options without value from existing file +sed -i -E '/^\w+=$/d' %{_sysconfdir}/security/pwquality.conf.d/10-authconfig-pwquality.conf &> /dev/null +exit 0 + %changelog +* Fri Sep 14 2018 Pavel Březina - 1.0-3 +- Scriptlets should no produce any error messages (RHBZ #1622272) +- Provide fix for pwquality configuration (RHBZ #1618865) + * Thu Aug 30 2018 Adam Williamson - 1.0-2 - Backport PR #78 to fix broken pwquality config (RHBZ #1618865)