diff options
author | Robin Lange | 2021-11-27 10:10:55 +1100 |
---|---|---|
committer | Robin Lange | 2021-11-27 10:10:55 +1100 |
commit | b3040ac5c2f67dd764324beb0d1eca09fd7e4514 (patch) | |
tree | b0076823f1193564b2263ab30eb25d569014e8ce | |
parent | b2642d0a42fe117edd76c8c8da7fc120f4412e63 (diff) | |
download | aur-b3040ac5c2f67dd764324beb0d1eca09fd7e4514.tar.gz |
Update to 41.0+r15+g23ebe617
-rw-r--r-- | .SRCINFO | 12 | ||||
-rw-r--r-- | 0001-Xsession-Don-t-start-ssh-agent-by-default.patch (renamed from 0002-Xsession-Don-t-start-ssh-agent-by-default.patch) | 2 | ||||
-rw-r--r-- | 0001-pam-arch-Update-to-match-pambase-20200721.1-2.patch | 216 | ||||
-rw-r--r-- | 0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch | 73 | ||||
-rw-r--r-- | PKGBUILD | 25 |
5 files changed, 94 insertions, 234 deletions
@@ -1,6 +1,6 @@ pkgbase = gdm-prime pkgdesc = Display manager and login screen - pkgver = 40.0 + pkgver = 41.0+r15+g23ebe617 pkgrel = 1 url = https://wiki.gnome.org/Projects/GDM arch = x86_64 @@ -19,14 +19,14 @@ pkgbase = gdm-prime depends = xorg-xhost depends = libxdmcp depends = systemd - source = git+https://gitlab.gnome.org/GNOME/gdm.git#commit=3246bf1af8589899621649df523e6840e4858cda - source = 0001-pam-arch-Update-to-match-pambase-20200721.1-2.patch - source = 0002-Xsession-Don-t-start-ssh-agent-by-default.patch + source = git+https://gitlab.gnome.org/GNOME/gdm.git#commit=23ebe617119506a0614f1bd2c76cd9bcf7e8fb7c + source = 0001-Xsession-Don-t-start-ssh-agent-by-default.patch + source = 0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch source = 0003-nvidia-prime.patch source = default.pa sha256sums = SKIP - sha256sums = f32555703d4f3b6babbe49ddd2c82295238623050b63826c95a959d5caec37f8 - sha256sums = aa751223e8664f65fe2cae032dc93bb94338a41cfca4c6b66a0fca0c788c4313 + sha256sums = 39a7e1189d423dd428ace9baac77ba0442c6706a861d3c3db9eb3a6643e223f8 + sha256sums = e3dcaaa5ffa2dd4d3338c8b5827965ea2ca1efd9a95d7272a107e6121cb7898f sha256sums = a1fb80c69454492390e4b7edac0efe55b2178c7031051d3eab99ed8c14d3e0e4 sha256sums = e88410bcec9e2c7a22a319be0b771d1f8d536863a7fc618b6352a09d61327dcb diff --git a/0002-Xsession-Don-t-start-ssh-agent-by-default.patch b/0001-Xsession-Don-t-start-ssh-agent-by-default.patch index 568eb2c56828..56699008c6fc 100644 --- a/0002-Xsession-Don-t-start-ssh-agent-by-default.patch +++ b/0001-Xsession-Don-t-start-ssh-agent-by-default.patch @@ -8,7 +8,7 @@ Subject: [PATCH] Xsession: Don't start ssh-agent by default 1 file changed, 8 deletions(-) diff --git a/data/Xsession.in b/data/Xsession.in -index 2e4de4fe..29ebc30e 100755 +index 2e4de4fe384f..29ebc30ea0c5 100755 --- a/data/Xsession.in +++ b/data/Xsession.in @@ -207,14 +207,6 @@ if [ "x$command" = "xdefault" ] ; then diff --git a/0001-pam-arch-Update-to-match-pambase-20200721.1-2.patch b/0001-pam-arch-Update-to-match-pambase-20200721.1-2.patch deleted file mode 100644 index 9f4cce14fc54..000000000000 --- a/0001-pam-arch-Update-to-match-pambase-20200721.1-2.patch +++ /dev/null @@ -1,216 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: "Jan Alexander Steffens (heftig)" <heftig@archlinux.org> -Date: Tue, 27 Oct 2020 18:59:14 +0000 -Subject: [PATCH] pam-arch: Update to match pambase 20200721.1-2 - -Update the PAM files for Arch Linux. This has been applied downstream -since Aug 2020. - -https://bugs.archlinux.org/task/67485 ---- - data/meson.build | 1 - - data/pam-arch/gdm-autologin.pam | 22 +++++++++-------- - data/pam-arch/gdm-fingerprint.pam | 31 +++++++++++++++--------- - data/pam-arch/gdm-launch-environment.pam | 24 ++++++++++-------- - data/pam-arch/gdm-password.pam | 17 +++++++------ - data/pam-arch/gdm-pin.pam | 13 ---------- - data/pam-arch/gdm-smartcard.pam | 31 +++++++++++++++--------- - 7 files changed, 75 insertions(+), 64 deletions(-) - delete mode 100644 data/pam-arch/gdm-pin.pam - -diff --git a/data/meson.build b/data/meson.build -index 23e2d7f9..7c5222ea 100644 ---- a/data/meson.build -+++ b/data/meson.build -@@ -134,7 +134,6 @@ pam_data_files_map = { - 'gdm-fingerprint', - 'gdm-smartcard', - 'gdm-password', -- 'gdm-pin', - ], - 'none': [], - # We should no longer have 'autodetect' at this point -diff --git a/data/pam-arch/gdm-autologin.pam b/data/pam-arch/gdm-autologin.pam -index 99b14209..30bdf529 100644 ---- a/data/pam-arch/gdm-autologin.pam -+++ b/data/pam-arch/gdm-autologin.pam -@@ -1,13 +1,15 @@ --auth requisite pam_nologin.so --auth required pam_env.so --auth optional pam_gdm.so --auth optional pam_gnome_keyring.so --auth optional pam_permit.so -+#%PAM-1.0 - --account include system-local-login -+auth required pam_shells.so -+auth requisite pam_nologin.so -+auth optional pam_permit.so -+auth required pam_env.so -+auth [success=ok default=1] pam_gdm.so -+auth optional pam_gnome_keyring.so - --password include system-local-login -+account include system-local-login - --session optional pam_keyinit.so force revoke --session include system-local-login --session optional pam_gnome_keyring.so auto_start -+password required pam_deny.so -+ -+session include system-local-login -+session optional pam_gnome_keyring.so auto_start -diff --git a/data/pam-arch/gdm-fingerprint.pam b/data/pam-arch/gdm-fingerprint.pam -index a4808617..cc660d9a 100644 ---- a/data/pam-arch/gdm-fingerprint.pam -+++ b/data/pam-arch/gdm-fingerprint.pam -@@ -1,14 +1,23 @@ --auth required pam_tally.so onerr=succeed file=/var/log/faillog --auth required pam_shells.so --auth requisite pam_nologin.so --auth required pam_env.so --auth required pam_fprintd.so --auth optional pam_permit.so -+#%PAM-1.0 - --account include system-local-login -+auth required pam_shells.so -+auth requisite pam_nologin.so -+auth required pam_faillock.so preauth -+# Optionally use requisite above if you do not want to prompt for the fingerprint -+# on locked accounts. -+auth [success=1 default=ignore] pam_fprintd.so -+auth [default=die] pam_faillock.so authfail -+auth optional pam_permit.so -+auth required pam_env.so -+auth required pam_faillock.so authsucc -+# If you drop the above call to pam_faillock.so the lock will be done also -+# on non-consecutive authentication failures. -+auth [success=ok default=1] pam_gdm.so -+auth optional pam_gnome_keyring.so - --password required pam_fprintd.so --password optional pam_permit.so -+account include system-local-login - --session optional pam_keyinit.so force revoke --session include system-local-login -+password required pam_deny.so -+ -+session include system-local-login -+session optional pam_gnome_keyring.so auto_start -diff --git a/data/pam-arch/gdm-launch-environment.pam b/data/pam-arch/gdm-launch-environment.pam -index d59c9cb9..20d1810a 100644 ---- a/data/pam-arch/gdm-launch-environment.pam -+++ b/data/pam-arch/gdm-launch-environment.pam -@@ -1,13 +1,17 @@ --auth required pam_env.so --auth required pam_succeed_if.so audit quiet_success user = gdm --auth optional pam_permit.so -+#%PAM-1.0 - --account required pam_succeed_if.so audit quiet_success user = gdm --account optional pam_permit.so -+auth required pam_succeed_if.so audit quiet_success user in gdm:gnome-initial-setup -+auth optional pam_permit.so -+auth required pam_env.so - --password required pam_deny.so -+account required pam_succeed_if.so audit quiet_success user in gdm:gnome-initial-setup -+account optional pam_permit.so - --session optional pam_keyinit.so force revoke --session required pam_succeed_if.so audit quiet_success user = gdm --session required pam_systemd.so --session optional pam_permit.so -+password required pam_deny.so -+ -+session optional pam_loginuid.so -+session optional pam_keyinit.so force revoke -+session required pam_succeed_if.so audit quiet_success user in gdm:gnome-initial-setup -+session optional pam_permit.so -+-session optional pam_systemd.so -+session required pam_env.so user_readenv=1 -diff --git a/data/pam-arch/gdm-password.pam b/data/pam-arch/gdm-password.pam -index 8d34794e..137242a6 100644 ---- a/data/pam-arch/gdm-password.pam -+++ b/data/pam-arch/gdm-password.pam -@@ -1,11 +1,12 @@ --auth include system-local-login --auth optional pam_gnome_keyring.so -+#%PAM-1.0 - --account include system-local-login -+auth include system-local-login -+auth optional pam_gnome_keyring.so - --password include system-local-login --password optional pam_gnome_keyring.so use_authtok -+account include system-local-login - --session optional pam_keyinit.so force revoke --session include system-local-login --session optional pam_gnome_keyring.so auto_start -+password include system-local-login -+password optional pam_gnome_keyring.so use_authtok -+ -+session include system-local-login -+session optional pam_gnome_keyring.so auto_start -diff --git a/data/pam-arch/gdm-pin.pam b/data/pam-arch/gdm-pin.pam -deleted file mode 100644 -index 135e205e..00000000 ---- a/data/pam-arch/gdm-pin.pam -+++ /dev/null -@@ -1,13 +0,0 @@ --auth requisite pam_pin.so --auth include system-local-login --auth optional pam_gnome_keyring.so -- --account include system-local-login -- --password include system-local-login --password optional pam_pin.so --password optional pam_gnome_keyring.so use_authtok -- --session optional pam_keyinit.so force revoke --session include system-local-login --session optional pam_gnome_keyring.so auto_start -diff --git a/data/pam-arch/gdm-smartcard.pam b/data/pam-arch/gdm-smartcard.pam -index ec6f75d5..e6ec1299 100644 ---- a/data/pam-arch/gdm-smartcard.pam -+++ b/data/pam-arch/gdm-smartcard.pam -@@ -1,14 +1,23 @@ --auth required pam_tally.so onerr=succeed file=/var/log/faillog --auth required pam_shells.so --auth requisite pam_nologin.so --auth required pam_env.so --auth required pam_pkcs11.so wait_for_card card_only --auth optional pam_permit.so -+#%PAM-1.0 - --account include system-local-login -+auth required pam_shells.so -+auth requisite pam_nologin.so -+auth required pam_faillock.so preauth -+# Optionally use requisite above if you do not want to prompt for the smartcard -+# on locked accounts. -+auth [success=1 default=ignore] pam_pkcs11.so wait_for_card card_only -+auth [default=die] pam_faillock.so authfail -+auth optional pam_permit.so -+auth required pam_env.so -+auth required pam_faillock.so authsucc -+# If you drop the above call to pam_faillock.so the lock will be done also -+# on non-consecutive authentication failures. -+auth [success=ok default=1] pam_gdm.so -+auth optional pam_gnome_keyring.so - --password required pam_pkcs11.so --password optional pam_permit.so -+account include system-local-login - --session optional pam_keyinit.so force revoke --session include system-local-login -+password required pam_deny.so -+ -+session include system-local-login -+session optional pam_gnome_keyring.so auto_start diff --git a/0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch b/0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch new file mode 100644 index 000000000000..ce6d5539376f --- /dev/null +++ b/0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch @@ -0,0 +1,73 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: "Jan Alexander Steffens (heftig)" <heftig@archlinux.org> +Date: Tue, 31 Aug 2021 21:51:46 +0000 +Subject: [PATCH] pam-arch: Drop pam_faillock counting from fingerprint and + smartcard + +As mentioned in an [fprintd issue comment][1], we need to make sure that +the stack's error status is taken from the main auth module, i.e. +pam_fprintd, otherwise GDM will not behave correctly. + +Still use pam_faillock preauth so that we test whether the account is +locked, but don't use authfail/authsucc to log a failure/success so this +stack doesn't participate in triggering the lock. + +Ideally we would check which return values we actually want to treat as +a reason to lock the account (e.g. fingerprint mismatch) and which are +neutral (e.g. no fingerprints enrolled), but that's much more effort. + +Should fix [FS#71750][2]. + +[1]: https://gitlab.freedesktop.org/libfprint/fprintd/-/issues/112#note_1016191 +[2]: https://bugs.archlinux.org/task/71750 +--- + data/pam-arch/gdm-fingerprint.pam | 10 ++-------- + data/pam-arch/gdm-smartcard.pam | 10 ++-------- + 2 files changed, 4 insertions(+), 16 deletions(-) + +diff --git a/data/pam-arch/gdm-fingerprint.pam b/data/pam-arch/gdm-fingerprint.pam +index cc660d9a90ba..2aaf9f6c88a0 100644 +--- a/data/pam-arch/gdm-fingerprint.pam ++++ b/data/pam-arch/gdm-fingerprint.pam +@@ -2,16 +2,10 @@ + + auth required pam_shells.so + auth requisite pam_nologin.so +-auth required pam_faillock.so preauth +-# Optionally use requisite above if you do not want to prompt for the fingerprint +-# on locked accounts. +-auth [success=1 default=ignore] pam_fprintd.so +-auth [default=die] pam_faillock.so authfail ++auth requisite pam_faillock.so preauth ++auth required pam_fprintd.so + auth optional pam_permit.so + auth required pam_env.so +-auth required pam_faillock.so authsucc +-# If you drop the above call to pam_faillock.so the lock will be done also +-# on non-consecutive authentication failures. + auth [success=ok default=1] pam_gdm.so + auth optional pam_gnome_keyring.so + +diff --git a/data/pam-arch/gdm-smartcard.pam b/data/pam-arch/gdm-smartcard.pam +index e6ec129948a7..6d7333bf4204 100644 +--- a/data/pam-arch/gdm-smartcard.pam ++++ b/data/pam-arch/gdm-smartcard.pam +@@ -2,16 +2,10 @@ + + auth required pam_shells.so + auth requisite pam_nologin.so +-auth required pam_faillock.so preauth +-# Optionally use requisite above if you do not want to prompt for the smartcard +-# on locked accounts. +-auth [success=1 default=ignore] pam_pkcs11.so wait_for_card card_only +-auth [default=die] pam_faillock.so authfail ++auth requisite pam_faillock.so preauth ++auth required pam_pkcs11.so wait_for_card card_only + auth optional pam_permit.so + auth required pam_env.so +-auth required pam_faillock.so authsucc +-# If you drop the above call to pam_faillock.so the lock will be done also +-# on non-consecutive authentication failures. + auth [success=ok default=1] pam_gdm.so + auth optional pam_gnome_keyring.so + @@ -4,7 +4,7 @@ pkgbase=gdm-prime pkgname=(gdm-prime libgdm-prime) -pkgver=40.0 +pkgver=41.0+r15+g23ebe617 pkgrel=1 pkgdesc="Display manager and login screen" url="https://wiki.gnome.org/Projects/GDM" @@ -14,31 +14,34 @@ depends=(gnome-shell gnome-session upower xorg-xrdb xorg-server xorg-xhost libxdmcp systemd) makedepends=(yelp-tools gobject-introspection git docbook-xsl meson) checkdepends=(check) -_commit=3246bf1af8589899621649df523e6840e4858cda # tags/40.0^0 +_commit=23ebe617119506a0614f1bd2c76cd9bcf7e8fb7c # main source=("git+https://gitlab.gnome.org/GNOME/gdm.git#commit=$_commit" - 0001-pam-arch-Update-to-match-pambase-20200721.1-2.patch - 0002-Xsession-Don-t-start-ssh-agent-by-default.patch + 0001-Xsession-Don-t-start-ssh-agent-by-default.patch + 0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch 0003-nvidia-prime.patch default.pa) sha256sums=('SKIP' - 'f32555703d4f3b6babbe49ddd2c82295238623050b63826c95a959d5caec37f8' - 'aa751223e8664f65fe2cae032dc93bb94338a41cfca4c6b66a0fca0c788c4313' + '39a7e1189d423dd428ace9baac77ba0442c6706a861d3c3db9eb3a6643e223f8' + 'e3dcaaa5ffa2dd4d3338c8b5827965ea2ca1efd9a95d7272a107e6121cb7898f' 'a1fb80c69454492390e4b7edac0efe55b2178c7031051d3eab99ed8c14d3e0e4' 'e88410bcec9e2c7a22a319be0b771d1f8d536863a7fc618b6352a09d61327dcb') pkgver() { cd gdm - git describe --tags | sed 's/\.rc/rc/;s/-/+/g' + git describe --tags | sed 's/\.rc/rc/;s/[^-]*-g/r&/;s/-/+/g' } prepare() { cd gdm # https://bugs.archlinux.org/task/67485 - git apply -3 ../0001-pam-arch-Update-to-match-pambase-20200721.1-2.patch + git cherry-pick -n 8528a503ad70669a5f0c03d0a92ba19326983b82 # Don't start ssh-agent by default - git apply -3 ../0002-Xsession-Don-t-start-ssh-agent-by-default.patch + git apply -3 ../0001-Xsession-Don-t-start-ssh-agent-by-default.patch + + # https://bugs.archlinux.org/task/71750 + git apply -3 ../0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch git apply -3 ../0003-nvidia-prime.patch } @@ -72,7 +75,7 @@ package_gdm-prime() { groups=(gnome) install=gdm-prime.install - DESTDIR="$pkgdir" meson install -C build + meson install -C build --destdir "$pkgdir" install -d "$pkgdir/var/lib" install -d "$pkgdir/var/lib/gdm" -o120 -g120 -m1770 @@ -83,7 +86,7 @@ package_gdm-prime() { install -d "$pkgdir/var/lib/gdm/.local/share/applications" -o120 -g120 # https://src.fedoraproject.org/rpms/gdm/blob/master/f/default.pa-for-gdm - install -Dt "$pkgdir/var/lib/gdm/.config/pulse" -o120 -g120 -m644 default.pa + install -t "$pkgdir/var/lib/gdm/.config/pulse" -o120 -g120 -m644 default.pa install -Dm644 /dev/stdin "$pkgdir/usr/lib/sysusers.d/gdm.conf" <<END g gdm 120 - |