#11 Add script to update fingerprint-auth in case authselect is not in use
Opened a month ago by benzea. Modified 22 days ago
rpms/ benzea/authselect f34  into  f34

file modified
+15 -1
@@ -3,7 +3,7 @@ 

  

  Name:           authselect

  Version:        1.2.3

- Release:        1%{?dist}

+ Release:        2%{?dist}

  Summary:        Configures authentication and identity sources from supported profiles

  URL:            https://github.com/authselect/authselect

  
@@ -288,6 +288,16 @@ 

      fi

  fi

  

+ # For people upgrading from older Fedora versions, authselect might not be

+ # enabled or unable to do anything due to e.g. a modified nsswitch.conf.

+ # The following snippets apply important fixes in those cases.

+ 

+ # Change pam_fprintd.so in fingerprint-auth from sufficient to [success=done default=bad]

+ # in order for PAM_AUTHINFO_UNAVAIL error codes to be propagated.

+ FILE="$(readlink -f %{_sysconfdir}/pam.d/fingerprint-auth || echo %{_sysconfdir}/pam.d/fingerprint-auth)"

+ %__grep -q '^auth[[:space:]]\+sufficient[[:space:]]\+pam_fprintd.so' $FILE && \

+   %__sed -i.bak -e 's/^auth[[:space:]]\+sufficient[[:space:]]\+pam_fprintd.so\(.*\)/auth        [success=done default=bad]                   pam_fprintd.so\1/g' $FILE

+ 

  exit 0

  

  %posttrans compat
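Review bot: The `%__sed -i.bak` line edits whatever path `readlink -f` resolved, with no check that the file is outside authselect's control, although the added comment scopes the fix to systems where authselect is not enabled or cannot act. If the symlink resolves to a file that authselect manages, the scriptlet rewrites a generated file. Consider skipping the edit in that case. In the same two commands `$FILE` is unquoted, grep will print an error when the file does not exist (the `|| echo` fallback still yields a path), and `-i.bak` leaves a backup copy beside the PAM file. Quote the variable, guard with `[ -f "$FILE" ]`, and either drop the `.bak` suffix or remove the backup afterwards.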
@@ -299,6 +309,10 @@ 

  exit 0

  

  %changelog

+ * Fri Apr 09 2021 Benjamin Berg <bberg@redhat.com> - 1.2.3-2

+ - Add script to update fingerprint-auth in case authselect is not in use

+   Resolves: #1942443

+ 

  * Wed Mar 31 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.3-1

  - Rebase to 1.2.3

  

I don't think this belongs in authselect, but rather in the pam package.

Ideally, patch https://src.fedoraproject.org/rpms/pam/blob/rawhide/f/fingerprint-auth.pamd and let users run rpmconf -o pam.

Hmm. But I see here:

ls -lha /etc/pam.d/fingerprint-auth
lrwxrwxrwx. 1 root root 19 Feb 1 2017 /etc/pam.d/fingerprint-auth -> fingerprint-auth-ac

(or, with authselect pointing to a different location)

And the file currently has the header:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

So, I am not sure that doing this from the PAM side makes sense. We would at least need to detect whether authselect is enabled/working before trying to do anything.

And we would need to make sure that we first upgrade authselect and then PAM in a F33 -> F34 upgrade, as otherwise I expect authselect to complain that the file has been modified.

But, it is entirely true that we really need to update the file in the pam package!

Created https://src.fedoraproject.org/rpms/pam/pull-request/14 for the trivial change, in the hope that pushes things along a little bit at least.

> Hmm. But I see here:
>
> ls -lha /etc/pam.d/fingerprint-auth
> lrwxrwxrwx. 1 root root 19 Feb 1 2017 /etc/pam.d/fingerprint-auth -> fingerprint-auth-ac

Pre F28 authconfig configuration?

> (or, with authselect pointing to a different location)
>
> And the file currently has the header:
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.

The original pam maintainer just copied the authconfig file to the pam package; this should be removed so users don't get confused.

> So, I am not sure that doing this from the PAM side makes sense. We would at least need to detect whether authselect is enabled/working before trying to do anything.

This is not needed, see below.

> And we would need to make sure that we first upgrade authselect and then PAM in a F33 -> F34 upgrade, as otherwise I expect authselect to complain that the file has been modified.

This is also not needed. PAM owns the file as %config(noreplace) %{_pamconfdir}/fingerprint-auth. Therefore it will not overwrite the file; it will create fingerprint-auth.rpmnew, which needs to be applied with rpmconf by the administrator.

Since the pam config still has 'sufficient' it is not that important and it will not break login, will it?

> Since the pam config still has 'sufficient' it is not that important and it will not break login, will it?

The trouble is that we still run into an authentication failure. So that will be visible in GDM and also prevents password login from working due to https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/3853

@pbrezina so, I really am not sure what to do at this point.

We really need to make sure that any "sufficient" for pam_fprintd.so in /etc/pam.d/fingerprint-auth is replaced with [success=done default=bad] for anyone upgrading from older Fedora versions to F34.

I think we can only do so using a script and believe that the script suggested here will work. In contrast, I don't think that the same script in the pam package would work, because doing that could possibly confuse authselect into thinking that the user has done manual modifications.

In PAM, force update the file if it is not a symlink or it links to a different location than /etc/authselect and it will work.

If it is a symlink to /etc/authselect/fingerprint-auth, do not update. Authselect will update it for you.
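
The rule from the last comment (leave the file alone when it is a symlink into the authselect directory, otherwise change `sufficient` to `[success=done default=bad]`), as an added shell example that is not part of this pull request or of either package. The function name, return codes and temp-directory layout are assumptions, and it rewrites the symlink target in place rather than replacing the file.

```shell
#!/bin/sh
# Added example; paths are a constructed layout, not a live /etc.

# update_fingerprint_auth FILE AUTHSELECT_DIR
# Returns 0 = rewritten, 1 = nothing to change, 2 = skipped (authselect owns it).
update_fingerprint_auth() {
    file=$1
    managed=$(readlink -f -- "$2" || printf '%s' "$2")
    [ -e "$file" ] || return 1
    if [ -L "$file" ]; then
        file=$(readlink -f -- "$file")
        case $file in
            "$managed"/*) return 2 ;;   # authselect regenerates this itself
        esac
    fi
    pat='^auth[[:space:]]\{1,\}sufficient[[:space:]]\{1,\}pam_fprintd\.so'
    grep -q "$pat" "$file" || return 1
    sed -i -e "s/$pat\(.*\)/auth        [success=done default=bad]                   pam_fprintd.so\1/" "$file"
}

# Run the check against three constructed cases and report each return code.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/pam.d" "$root/authselect"
    for f in pam.d/fingerprint-auth-ac authselect/fingerprint-auth pam.d/plain; do
        printf '%s\n' '#%PAM-1.0' 'auth        sufficient    pam_fprintd.so' > "$root/$f"
    done
    ln -s fingerprint-auth-ac "$root/pam.d/legacy"                   # authconfig-era symlink
    ln -s "$root/authselect/fingerprint-auth" "$root/pam.d/managed"  # authselect in use
    out=
    for f in legacy managed plain legacy; do
        rc=0
        update_fingerprint_auth "$root/pam.d/$f" "$root/authselect" || rc=$?
        out="$out$f=$rc "
    done
    # The authselect-owned file must still contain the old control value.
    untouched=$(grep -c 'sufficient' "$root/authselect/fingerprint-auth" || true)
    rm -rf "$root"
    printf '%s\n' "${out}untouched=$untouched"
}

demo
```

The second `legacy` run returns 1 because the target was already rewritten, so the check is safe to repeat across upgrades.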
