teknoraver / rpms / systemd

Forked from rpms/systemd 2 months ago
Clone

Blame SOURCES/0649-pam-do-not-require-a-non-expired-password-for-user-..patch

be0c12
From a677e477ef541d172ede2a5bd728a4ff1ffb312d Mon Sep 17 00:00:00 2001
be0c12
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
be0c12
Date: Tue, 1 Jun 2021 16:17:16 +0200
be0c12
Subject: [PATCH] pam: do not require a non-expired password for user@.service
be0c12
be0c12
Without this parameter, we would allow user@ to start if the user
be0c12
has no password (i.e. the password is "locked"). But when the user does have a password,
be0c12
and it is marked as expired, we would refuse to start the service.
be0c12
There are other authentication mechanisms and we should not tie this service to
be0c12
the password state.
be0c12
be0c12
The documented way to disable an *account* is to call 'chage -E0'. With a disabled
be0c12
account, user@.service will still refuse to start:
be0c12
be0c12
systemd[16598]: PAM failed: User account has expired
be0c12
systemd[16598]: PAM failed: User account has expired
be0c12
systemd[16598]: user@1005.service: Failed to set up PAM session: Operation not permitted
be0c12
systemd[16598]: user@1005.service: Failed at step PAM spawning /usr/lib/systemd/systemd: Operation not permitted
be0c12
systemd[1]: user@1005.service: Main process exited, code=exited, status=224/PAM
be0c12
systemd[1]: user@1005.service: Failed with result 'exit-code'.
be0c12
systemd[1]: Failed to start user@1005.service.
be0c12
systemd[1]: Stopping user-runtime-dir@1005.service...
be0c12
be0c12
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1961746.
be0c12
be0c12
(cherry picked from commit 71889176e4372b443018584c3520c1ff3efe2711)
be0c12
be0c12
Resolves: #1961746
be0c12
---
be0c12
 src/login/systemd-user.m4 | 2 +-
be0c12
 1 file changed, 1 insertion(+), 1 deletion(-)
be0c12
be0c12
diff --git a/src/login/systemd-user.m4 b/src/login/systemd-user.m4
be0c12
index 4f85b4b7fe..20c8999331 100644
be0c12
--- a/src/login/systemd-user.m4
be0c12
+++ b/src/login/systemd-user.m4
be0c12
@@ -2,7 +2,7 @@
be0c12
 #
be0c12
 # Used by systemd --user instances.
be0c12
 
be0c12
-account required pam_unix.so
be0c12
+account sufficient pam_unix.so no_pass_expiry
be0c12
 m4_ifdef(`HAVE_SELINUX',
be0c12
 session required pam_selinux.so close
be0c12
 session required pam_selinux.so nottys open