From 485c74c9689854a3d56e58f30114954d493ddfee Mon Sep 17 00:00:00 2001 From: Colin Guthrie <colin@mageia.org> Date: Tue, 30 Aug 2011 20:28:57 +0100 Subject: [PATCH 302/303] Fix gdm pam.d configs. This ensures that pam_console is included in the gdm-welcome pam.d to allow e.g. the PulseAudio spawned by gdm to access bluetooth h/w. While this isn't in itself necessarily majorly useful, it does solve a problem where by bluetoothd is enabled, but not yet started when gdm's PulseAudio is launched. This will cause bus activation to kick in and attempt to lauch bluetoothd, but due to the default bluez dbus policy gdm will not be allowed to talk to to the necessary interfaces resulting in an activation failure and a 30s timeout before gdm appears. References: * https://bugs.mageia.org/show_bug.cgi?id=5148 The other fix is to ensure that pam_gnome_keyring.so is included after system-auth (or rather after pam_systemd specifically) to ensure that the XDG_RUNTIME_DIR variable is set. References: * http://pkgs.fedoraproject.org/gitweb/?p=gdm.git;a=commit;h=12886d9c0f01e4f52eea9a3b63602c996bd7f084 * https://bugzilla.gnome.org/show_bug.cgi?id=655867 * http://mail.gnome.org/archives/distributor-list/2012-April/msg00000.html Also add in pam_namespace.so which is needed for xguest. References: * https://bugs.mageia.org/show_bug.cgi?id=4950 --- data/pam-redhat/gdm-autologin.pam | 3 +-- data/pam-redhat/gdm-fingerprint.pam | 21 ++++++++++++++------- data/pam-redhat/gdm-launch-environment.pam | 1 + data/pam-redhat/gdm-password.pam | 17 +++++++++-------- data/pam-redhat/gdm-smartcard.pam | 21 ++++++++++++++------- 5 files changed, 39 insertions(+), 24 deletions(-) diff -Nurp gdm-44.0.orig/data/pam-redhat/gdm-autologin.pam gdm-44.0/data/pam-redhat/gdm-autologin.pam --- gdm-44.0.orig/data/pam-redhat/gdm-autologin.pam 2023-03-20 17:42:37.000000000 +0200 +++ gdm-44.0/data/pam-redhat/gdm-autologin.pam 2023-04-22 12:32:20.096748903 +0300 @@ -5,9 +5,8 @@ auth sufficient pam_permit.so account required pam_nologin.so account include system-auth password include system-auth -session required pam_selinux.so close session required pam_loginuid.so -session required pam_selinux.so open +session optional pam_console.so session optional pam_keyinit.so force revoke session required pam_namespace.so session include system-auth diff -Nurp gdm-44.0.orig/data/pam-redhat/gdm-fingerprint.pam gdm-44.0/data/pam-redhat/gdm-fingerprint.pam --- gdm-44.0.orig/data/pam-redhat/gdm-fingerprint.pam 2023-03-20 17:42:37.000000000 +0200 +++ gdm-44.0/data/pam-redhat/gdm-fingerprint.pam 2023-04-22 12:32:20.096748903 +0300 @@ -1,15 +1,22 @@ -auth substack fingerprint-auth +# Sample PAM file for doing fingerprint authentication. +# Distros should replace this with what makes sense for them. +auth required pam_env.so +auth required pam_fprintd.so +auth sufficient pam_succeed_if.so uid >= 500 quiet +auth required pam_deny.so auth include postlogin -account required pam_nologin.so -account include fingerprint-auth +account required pam_unix.so +account sufficient pam_localuser.so +account sufficient pam_succeed_if.so uid < 500 quiet +account required pam_permit.so -password include fingerprint-auth +password required pam_deny.so -session required pam_selinux.so close session required pam_loginuid.so -session required pam_selinux.so open +session optional pam_console.so session optional pam_keyinit.so force revoke session required pam_namespace.so -session include fingerprint-auth +session required pam_limits.so +session required pam_unix.so session include postlogin diff -Nurp gdm-44.0.orig/data/pam-redhat/gdm-launch-environment.pam gdm-44.0/data/pam-redhat/gdm-launch-environment.pam --- gdm-44.0.orig/data/pam-redhat/gdm-launch-environment.pam 2023-03-20 17:42:37.000000000 +0200 +++ gdm-44.0/data/pam-redhat/gdm-launch-environment.pam 2023-04-22 12:32:20.096748903 +0300 @@ -4,6 +4,7 @@ auth required pam_permit.so auth include postlogin account required pam_permit.so password required pam_permit.so +session optional pam_console.so session optional pam_keyinit.so force revoke session include system-auth session include postlogin diff -Nurp gdm-44.0.orig/data/pam-redhat/gdm-password.pam gdm-44.0/data/pam-redhat/gdm-password.pam --- gdm-44.0.orig/data/pam-redhat/gdm-password.pam 2023-03-20 17:42:37.000000000 +0200 +++ gdm-44.0/data/pam-redhat/gdm-password.pam 2023-04-22 12:32:20.096748903 +0300 @@ -1,19 +1,20 @@ -auth [success=done ignore=ignore default=bad] pam_selinux_permit.so -auth substack password-auth +#%PAM-1.0 +auth required pam_env.so +auth sufficient pam_succeed_if.so user ingroup nopasswdlogin +auth substack system-auth auth optional pam_gnome_keyring.so auth include postlogin account required pam_nologin.so -account include password-auth +account include system-auth -password substack password-auth --password optional pam_gnome_keyring.so use_authtok +password substack system-auth +password optional pam_gnome_keyring.so use_authtok -session required pam_selinux.so close session required pam_loginuid.so -session required pam_selinux.so open +session optional pam_console.so session optional pam_keyinit.so force revoke session required pam_namespace.so -session include password-auth +session include system-auth session optional pam_gnome_keyring.so auto_start session include postlogin diff -Nurp gdm-44.0.orig/data/pam-redhat/gdm-smartcard.pam gdm-44.0/data/pam-redhat/gdm-smartcard.pam --- gdm-44.0.orig/data/pam-redhat/gdm-smartcard.pam 2023-03-20 17:42:37.000000000 +0200 +++ gdm-44.0/data/pam-redhat/gdm-smartcard.pam 2023-04-22 12:32:20.096748903 +0300 @@ -1,15 +1,22 @@ -auth substack smartcard-auth +# Sample PAM file for doing smartcard authentication. +# Distros should replace this with what makes sense for them. +auth required pam_env.so +auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only +auth requisite pam_succeed_if.so uid >= 500 quiet +auth required pam_deny.so auth include postlogin -account required pam_nologin.so -account include smartcard-auth +account required pam_unix.so +account sufficient pam_localuser.so +account sufficient pam_succeed_if.so uid < 500 quiet +account required pam_permit.so -password include smartcard-auth +password optional pam_pkcs11.so -session required pam_selinux.so close session required pam_loginuid.so -session required pam_selinux.so open +session optional pam_console.so session optional pam_keyinit.so force revoke session required pam_namespace.so -session include smartcard-auth +session required pam_limits.so +session required pam_unix.so session include postlogin