From 9efb224443d819b7d64ec76cb94c8aa625a8abf2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Wed, 23 Nov 2022 16:05:48 +0100
Subject: pam: align second and third columns

In our template file, we have jinja2 template markers, so the file looks fairly messy. But once it's rendered, it looks pretty clean, except that the columns are unaligned becuase of "-" in some lines in the first column. Let's make them aligned.
---
 src/login/systemd-user.in | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
(limited to 'src/login')

diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
index 39bcbd71fe..d5597d28cb 100644
--- a/src/login/systemd-user.in
+++ b/src/login/systemd-user.in
@@ -4,18 +4,18 @@
 # Used by systemd --user instances.
 {% if ENABLE_HOMED %}
--account sufficient pam_systemd_home.so
+-account sufficient pam_systemd_home.so
 {% endif %}
-account sufficient pam_unix.so no_pass_expiry
-account required pam_permit.so
+account sufficient pam_unix.so no_pass_expiry
+account required pam_permit.so
 {% if HAVE_SELINUX %}
-session required pam_selinux.so close
-session required pam_selinux.so nottys open
+session required pam_selinux.so close
+session required pam_selinux.so nottys open
 {% endif %}
-session required pam_loginuid.so
-session optional pam_keyinit.so force revoke
+session required pam_loginuid.so
+session optional pam_keyinit.so force revoke
 {% if ENABLE_HOMED %}
--session optional pam_systemd_home.so
+-session optional pam_systemd_home.so
 {% endif %}
-session optional pam_systemd.so
+session optional pam_systemd.so
--
cgit v1.2.1

From 0ef48896d9f23b9fd547a532a4e6e6b8f8b12901 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Wed, 23 Nov 2022 16:09:56 +0100
Subject: pam: add a call to pam_namespace

A call to pam_namespace is required so that children of user@.service end up in a namespace as expected. pam_namespace gets called as part of the stack that creates a session (login, sshd, gdm, etc.) and those processes end up in a namespace, but it also needs to be called from our stack which is parallel and descends from pid1 itself.
The call to pam_namespace is similar to the call to pam_keyinit that was added in ab79099d1684457d040ee7c28b2012e8c1ea9a4f. The pam stack for user@.service creates a new session which is disconnected from the parent environment. Both calls are not suitable for inclusion in the shared part of the stack (e.g. @system-auth on Fedora/RHEL systems), because for example su/sudo/runuser should not include them.
Fixes #17043 (Allow to execute user service into dedicated namespace if pam_namespace enabled)
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1861836 (Polyinstantiation is ignored/bypassed in GNOME sessions)
---
 src/login/systemd-user.in | 1 +
 1 file changed, 1 insertion(+)
(limited to 'src/login')

diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
index d5597d28cb..06f7e36458 100644
--- a/src/login/systemd-user.in
+++ b/src/login/systemd-user.in
@@ -15,6 +15,7 @@ session required pam_selinux.so nottys open
 {% endif %}
 session required pam_loginuid.so
 session optional pam_keyinit.so force revoke
+session required pam_namespace.so
 {% if ENABLE_HOMED %}
 -session optional pam_systemd_home.so
 {% endif %}
--
cgit v1.2.1
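Review bot: The added `session required pam_namespace.so` uses the strictest control in the hunk while the pam_keyinit line it is modelled on (per the commit message) is `optional` and the pam_systemd_home line just below is `-`-prefixed, so if pam_namespace.so is absent or returns an error the whole user@.service session setup now fails rather than continuing without polyinstantiation. Failing closed is defensible for a confinement control, since a user session silently started outside its configured namespace is the outcome this commit exists to prevent, but nothing in the template says the asymmetry is deliberate. A one-line comment above the new line would settle it, e.g. `# required on purpose: a user@.service session must not silently run outside its configured namespace`. The surrounding stack is fully inside the hunk, so no other lines depend on this choice.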