From a677e477ef541d172ede2a5bd728a4ff1ffb312d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 1 Jun 2021 16:17:16 +0200
Subject: [PATCH] pam: do not require a non-expired password for user@.service
Without this parameter, we would allow user@ to start if the user
has no password (i.e. the password is "locked"). But when the user does have a password,
and it is marked as expired, we would refuse to start the service.
There are other authentication mechanisms and we should not tie this service to
the password state.
The documented way to disable an *account* is to call 'chage -E0'. With a disabled
account, user@.service will still refuse to start:
systemd[16598]: PAM failed: User account has expired
systemd[16598]: PAM failed: User account has expired
systemd[16598]: user@1005.service: Failed to set up PAM session: Operation not permitted
systemd[16598]: user@1005.service: Failed at step PAM spawning /usr/lib/systemd/systemd: Operation not permitted
systemd[1]: user@1005.service: Main process exited, code=exited, status=224/PAM
systemd[1]: user@1005.service: Failed with result 'exit-code'.
systemd[1]: Failed to start user@1005.service.
systemd[1]: Stopping user-runtime-dir@1005.service...
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1961746.
(cherry picked from commit 71889176e4372b443018584c3520c1ff3efe2711)
Resolves: #1961746
---
src/login/systemd-user.m4 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/login/systemd-user.m4 b/src/login/systemd-user.m4
index 4f85b4b7fe..20c8999331 100644
--- a/src/login/systemd-user.m4
+++ b/src/login/systemd-user.m4
@@ -2,7 +2,7 @@
#
# Used by systemd --user instances.
-account required pam_unix.so
+account sufficient pam_unix.so no_pass_expiry
m4_ifdef(`HAVE_SELINUX',
session required pam_selinux.so close
session required pam_selinux.so nottys open
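
Review bot: The `+account` line changes the control flag from `required` to `sufficient` in addition to adding `no_pass_expiry`, but the commit message only explains the parameter. A failing `sufficient` module is not by itself fatal to the stack, and the visible context shows no further `account` entry after it (the following lines are `session` entries), so the statement that a `chage -E0` account is still refused depends on how PAM resolves an account stack whose only module failed. Either keep `account required pam_unix.so no_pass_expiry`, or say in the message why `sufficient` is needed here and cover the disabled-account case with a test.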