[arch-commits] Commit in gdm/trunk (2 files)

Jan Steffens heftig at gemini.archlinux.org
Tue Aug 31 22:14:44 UTC 2021


    Date: Tuesday, August 31, 2021 @ 22:14:43
  Author: heftig
Revision: 422795

40.1-2: add a patch for FS#71750

Added:
  gdm/trunk/0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch
Modified:
  gdm/trunk/PKGBUILD

-----------------------------------------------------------------+
 0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch |   73 ++++++++++
 PKGBUILD                                                        |    7 
 2 files changed, 79 insertions(+), 1 deletion(-)

Added: 0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch
===================================================================
--- 0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch	                        (rev 0)
+++ 0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch	2021-08-31 22:14:43 UTC (rev 422795)
@@ -0,0 +1,73 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <heftig at archlinux.org>
+Date: Tue, 31 Aug 2021 21:51:46 +0000
+Subject: [PATCH] pam-arch: Drop pam_faillock counting from fingerprint and
+ smartcard
+
+As mentioned in an [fprintd issue comment][1], we need to make sure that
+the stack's error status is taken from the main auth module, i.e.
+pam_fprintd, otherwise GDM will not behave correctly.
+
+Still use pam_faillock preauth so that we test whether the account is
+locked, but don't use authfail/authsucc to log a failure/success so this
+stack doesn't participate in triggering the lock.
+
+Ideally we would check which return values we actually want to treat as
+a reason to lock the account (e.g. fingerprint mismatch) and which are
+neutral (e.g. no fingerprints enrolled), but that's much more effort.
+
+Should fix [FS#71750][2].
+
+[1]: https://gitlab.freedesktop.org/libfprint/fprintd/-/issues/112#note_1016191
+[2]: https://bugs.archlinux.org/task/71750
+---
+ data/pam-arch/gdm-fingerprint.pam | 10 ++--------
+ data/pam-arch/gdm-smartcard.pam   | 10 ++--------
+ 2 files changed, 4 insertions(+), 16 deletions(-)
+
+diff --git a/data/pam-arch/gdm-fingerprint.pam b/data/pam-arch/gdm-fingerprint.pam
+index cc660d9a..2aaf9f6c 100644
+--- a/data/pam-arch/gdm-fingerprint.pam
++++ b/data/pam-arch/gdm-fingerprint.pam
+@@ -2,16 +2,10 @@
+ 
+ auth       required                    pam_shells.so
+ auth       requisite                   pam_nologin.so
+-auth       required                    pam_faillock.so      preauth
+-# Optionally use requisite above if you do not want to prompt for the fingerprint
+-# on locked accounts.
+-auth       [success=1 default=ignore]  pam_fprintd.so
+-auth       [default=die]               pam_faillock.so      authfail
++auth       requisite                   pam_faillock.so      preauth
++auth       required                    pam_fprintd.so
+ auth       optional                    pam_permit.so
+ auth       required                    pam_env.so
+-auth       required                    pam_faillock.so      authsucc
+-# If you drop the above call to pam_faillock.so the lock will be done also
+-# on non-consecutive authentication failures.
+ auth       [success=ok default=1]      pam_gdm.so
+ auth       optional                    pam_gnome_keyring.so
+ 
+diff --git a/data/pam-arch/gdm-smartcard.pam b/data/pam-arch/gdm-smartcard.pam
+index e6ec1299..6d7333bf 100644
+--- a/data/pam-arch/gdm-smartcard.pam
++++ b/data/pam-arch/gdm-smartcard.pam
+@@ -2,16 +2,10 @@
+ 
+ auth       required                    pam_shells.so
+ auth       requisite                   pam_nologin.so
+-auth       required                    pam_faillock.so      preauth
+-# Optionally use requisite above if you do not want to prompt for the smartcard
+-# on locked accounts.
+-auth       [success=1 default=ignore]  pam_pkcs11.so        wait_for_card card_only
+-auth       [default=die]               pam_faillock.so      authfail
++auth       requisite                   pam_faillock.so      preauth
++auth       required                    pam_pkcs11.so        wait_for_card card_only
+ auth       optional                    pam_permit.so
+ auth       required                    pam_env.so
+-auth       required                    pam_faillock.so      authsucc
+-# If you drop the above call to pam_faillock.so the lock will be done also
+-# on non-consecutive authentication failures.
+ auth       [success=ok default=1]      pam_gdm.so
+ auth       optional                    pam_gnome_keyring.so
+ 
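Review bot: The new `auth requisite pam_faillock.so preauth` lines in gdm-fingerprint.pam and gdm-smartcard.pam have no comment saying that the missing `authfail`/`authsucc` calls are deliberate, and the comments that explained the old layout are removed with them. A short comment above each `preauth` line would keep a later editor from re-adding the counting, for example `# preauth only: refuse locked accounts; this stack must not count failures (FS#71750)`. With `authfail` gone, repeated fingerprint or smartcard failures no longer contribute to the lock, so any limit on retries presumably rests on pam_fprintd and pam_pkcs11 themselves; it is worth confirming that they provide one. Dropping `authsucc` likewise means a successful login through these stacks does not clear earlier failures here, and whether another phase does so is not visible in this patch.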

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2021-08-31 21:45:30 UTC (rev 422794)
+++ PKGBUILD	2021-08-31 22:14:43 UTC (rev 422795)
@@ -4,7 +4,7 @@
 pkgbase=gdm
 pkgname=(gdm libgdm)
 pkgver=40.1
-pkgrel=1
+pkgrel=2
 pkgdesc="Display manager and login screen"
 url="https://wiki.gnome.org/Projects/GDM"
 arch=(x86_64)
@@ -16,9 +16,11 @@
 _commit=7fafdbcac9b970492e9ea23df42111d90986f3f3  # tags/40.1^0
 source=("git+https://gitlab.gnome.org/GNOME/gdm.git#commit=$_commit"
         0001-Xsession-Don-t-start-ssh-agent-by-default.patch
+        0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch
         default.pa)
 sha256sums=('SKIP'
             'aa751223e8664f65fe2cae032dc93bb94338a41cfca4c6b66a0fca0c788c4313'
+            'a5dc583f37311164526569e54fe2d2c06fa27de9995848d7f374b4a554c4c8c0'
             'e88410bcec9e2c7a22a319be0b771d1f8d536863a7fc618b6352a09d61327dcb')
 
 pkgver() {
@@ -34,6 +36,9 @@
 
   # Don't start ssh-agent by default
   git apply -3 ../0001-Xsession-Don-t-start-ssh-agent-by-default.patch
+
+  # https://bugs.archlinux.org/task/71750
+  git apply -3 ../0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch
 }
 
 build() {


