[arch-commits] Commit in gdm/trunk (2 files)
Jan Steffens
heftig at gemini.archlinux.org
Tue Aug 31 22:14:44 UTC 2021
Date: Tuesday, August 31, 2021 @ 22:14:43
Author: heftig
Revision: 422795
40.1-2: add a patch for FS#71750
Added:
gdm/trunk/0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch
Modified:
gdm/trunk/PKGBUILD
-----------------------------------------------------------------+
0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch | 73 ++++++++++
PKGBUILD | 7
2 files changed, 79 insertions(+), 1 deletion(-)
Added: 0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch
===================================================================
--- 0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch (rev 0)
+++ 0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch 2021-08-31 22:14:43 UTC (rev 422795)
@@ -0,0 +1,73 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <heftig at archlinux.org>
+Date: Tue, 31 Aug 2021 21:51:46 +0000
+Subject: [PATCH] pam-arch: Drop pam_faillock counting from fingerprint and
+ smartcard
+
+As mentioned in an [fprintd issue comment][1], we need to make sure that
+the stack's error status is taken from the main auth module, i.e.
+pam_fprintd, otherwise GDM will not behave correctly.
+
+Still use pam_faillock preauth so that we test whether the account is
+locked, but don't use authfail/authsucc to log a failure/success so this
+stack doesn't participate in triggering the lock.
+
+Ideally we would check which return values we actually want to treat as
+a reason to lock the account (e.g. fingerprint mismatch) and which are
+neutral (e.g. no fingerprints enrolled), but that's much more effort.
+
+Should fix [FS#71750][2].
+
+[1]: https://gitlab.freedesktop.org/libfprint/fprintd/-/issues/112#note_1016191
+[2]: https://bugs.archlinux.org/task/71750
+---
+ data/pam-arch/gdm-fingerprint.pam | 10 ++--------
+ data/pam-arch/gdm-smartcard.pam | 10 ++--------
+ 2 files changed, 4 insertions(+), 16 deletions(-)
+
+diff --git a/data/pam-arch/gdm-fingerprint.pam b/data/pam-arch/gdm-fingerprint.pam
+index cc660d9a..2aaf9f6c 100644
+--- a/data/pam-arch/gdm-fingerprint.pam
++++ b/data/pam-arch/gdm-fingerprint.pam
+@@ -2,16 +2,10 @@
+
+ auth required pam_shells.so
+ auth requisite pam_nologin.so
+-auth required pam_faillock.so preauth
+-# Optionally use requisite above if you do not want to prompt for the fingerprint
+-# on locked accounts.
+-auth [success=1 default=ignore] pam_fprintd.so
+-auth [default=die] pam_faillock.so authfail
++auth requisite pam_faillock.so preauth
++auth required pam_fprintd.so
+ auth optional pam_permit.so
+ auth required pam_env.so
+-auth required pam_faillock.so authsucc
+-# If you drop the above call to pam_faillock.so the lock will be done also
+-# on non-consecutive authentication failures.
+ auth [success=ok default=1] pam_gdm.so
+ auth optional pam_gnome_keyring.so
+
+diff --git a/data/pam-arch/gdm-smartcard.pam b/data/pam-arch/gdm-smartcard.pam
+index e6ec1299..6d7333bf 100644
+--- a/data/pam-arch/gdm-smartcard.pam
++++ b/data/pam-arch/gdm-smartcard.pam
+@@ -2,16 +2,10 @@
+
+ auth required pam_shells.so
+ auth requisite pam_nologin.so
+-auth required pam_faillock.so preauth
+-# Optionally use requisite above if you do not want to prompt for the smartcard
+-# on locked accounts.
+-auth [success=1 default=ignore] pam_pkcs11.so wait_for_card card_only
+-auth [default=die] pam_faillock.so authfail
++auth requisite pam_faillock.so preauth
++auth required pam_pkcs11.so wait_for_card card_only
+ auth optional pam_permit.so
+ auth required pam_env.so
+-auth required pam_faillock.so authsucc
+-# If you drop the above call to pam_faillock.so the lock will be done also
+-# on non-consecutive authentication failures.
+ auth [success=ok default=1] pam_gdm.so
+ auth optional pam_gnome_keyring.so
+
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2021-08-31 21:45:30 UTC (rev 422794)
+++ PKGBUILD 2021-08-31 22:14:43 UTC (rev 422795)
@@ -4,7 +4,7 @@
pkgbase=gdm
pkgname=(gdm libgdm)
pkgver=40.1
-pkgrel=1
+pkgrel=2
pkgdesc="Display manager and login screen"
url="https://wiki.gnome.org/Projects/GDM"
arch=(x86_64)
@@ -16,9 +16,11 @@
_commit=7fafdbcac9b970492e9ea23df42111d90986f3f3 # tags/40.1^0
source=("git+https://gitlab.gnome.org/GNOME/gdm.git#commit=$_commit"
0001-Xsession-Don-t-start-ssh-agent-by-default.patch
+ 0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch
default.pa)
sha256sums=('SKIP'
'aa751223e8664f65fe2cae032dc93bb94338a41cfca4c6b66a0fca0c788c4313'
+ 'a5dc583f37311164526569e54fe2d2c06fa27de9995848d7f374b4a554c4c8c0'
'e88410bcec9e2c7a22a319be0b771d1f8d536863a7fc618b6352a09d61327dcb')
pkgver() {
@@ -34,6 +36,9 @@
# Don't start ssh-agent by default
git apply -3 ../0001-Xsession-Don-t-start-ssh-agent-by-default.patch
+
+ # https://bugs.archlinux.org/task/71750
+ git apply -3 ../0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch
}
build() {
More information about the arch-commits
mailing list