diff options
author | Taijian | 2021-09-01 12:29:18 +0200 |
---|---|---|
committer | Taijian | 2021-09-01 12:29:18 +0200 |
commit | bb95e359f154229c19a504a016ee0fb80eb7aabf (patch) | |
tree | d412bfe92e155530fdb96e6c70372da10b9d8d97 | |
parent | 6ed4c9c5ccbcb39cc885e5c398ee46605b100f00 (diff) | |
download | aur-bb95e359f154229c19a504a016ee0fb80eb7aabf.tar.gz |
update to match extra/40.1-2
-rw-r--r-- | .SRCINFO | 4 | ||||
-rw-r--r-- | 0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch | 73 | ||||
-rw-r--r-- | PKGBUILD | 7 |
3 files changed, 82 insertions, 2 deletions
@@ -1,7 +1,7 @@ pkgbase = gdm-plymouth pkgdesc = Display manager and login screen with plymouth support pkgver = 40.1 - pkgrel = 1 + pkgrel = 2 url = https://wiki.gnome.org/Projects/GDM arch = x86_64 license = GPL @@ -22,9 +22,11 @@ pkgbase = gdm-plymouth depends = libxdmcp source = git+https://gitlab.gnome.org/GNOME/gdm.git#commit=7fafdbcac9b970492e9ea23df42111d90986f3f3 source = 0001-Xsession-Don-t-start-ssh-agent-by-default.patch + source = 0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch source = default.pa sha256sums = SKIP sha256sums = aa751223e8664f65fe2cae032dc93bb94338a41cfca4c6b66a0fca0c788c4313 + sha256sums = a5dc583f37311164526569e54fe2d2c06fa27de9995848d7f374b4a554c4c8c0 sha256sums = e88410bcec9e2c7a22a319be0b771d1f8d536863a7fc618b6352a09d61327dcb pkgname = gdm-plymouth diff --git a/0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch b/0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch new file mode 100644 index 000000000000..5fe1838e945b --- /dev/null +++ b/0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch @@ -0,0 +1,73 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: "Jan Alexander Steffens (heftig)" <heftig@archlinux.org> +Date: Tue, 31 Aug 2021 21:51:46 +0000 +Subject: [PATCH] pam-arch: Drop pam_faillock counting from fingerprint and + smartcard + +As mentioned in an [fprintd issue comment][1], we need to make sure that +the stack's error status is taken from the main auth module, i.e. +pam_fprintd, otherwise GDM will not behave correctly. + +Still use pam_faillock preauth so that we test whether the account is +locked, but don't use authfail/authsucc to log a failure/success so this +stack doesn't participate in triggering the lock. + +Ideally we would check which return values we actually want to treat as +a reason to lock the account (e.g. fingerprint mismatch) and which are +neutral (e.g. no fingerprints enrolled), but that's much more effort. + +Should fix [FS#71750][2]. + +[1]: https://gitlab.freedesktop.org/libfprint/fprintd/-/issues/112#note_1016191 +[2]: https://bugs.archlinux.org/task/71750 +--- + data/pam-arch/gdm-fingerprint.pam | 10 ++-------- + data/pam-arch/gdm-smartcard.pam | 10 ++-------- + 2 files changed, 4 insertions(+), 16 deletions(-) + +diff --git a/data/pam-arch/gdm-fingerprint.pam b/data/pam-arch/gdm-fingerprint.pam +index cc660d9a..2aaf9f6c 100644 +--- a/data/pam-arch/gdm-fingerprint.pam ++++ b/data/pam-arch/gdm-fingerprint.pam +@@ -2,16 +2,10 @@ + + auth required pam_shells.so + auth requisite pam_nologin.so +-auth required pam_faillock.so preauth +-# Optionally use requisite above if you do not want to prompt for the fingerprint +-# on locked accounts. +-auth [success=1 default=ignore] pam_fprintd.so +-auth [default=die] pam_faillock.so authfail ++auth requisite pam_faillock.so preauth ++auth required pam_fprintd.so + auth optional pam_permit.so + auth required pam_env.so +-auth required pam_faillock.so authsucc +-# If you drop the above call to pam_faillock.so the lock will be done also +-# on non-consecutive authentication failures. + auth [success=ok default=1] pam_gdm.so + auth optional pam_gnome_keyring.so + +diff --git a/data/pam-arch/gdm-smartcard.pam b/data/pam-arch/gdm-smartcard.pam +index e6ec1299..6d7333bf 100644 +--- a/data/pam-arch/gdm-smartcard.pam ++++ b/data/pam-arch/gdm-smartcard.pam +@@ -2,16 +2,10 @@ + + auth required pam_shells.so + auth requisite pam_nologin.so +-auth required pam_faillock.so preauth +-# Optionally use requisite above if you do not want to prompt for the smartcard +-# on locked accounts. +-auth [success=1 default=ignore] pam_pkcs11.so wait_for_card card_only +-auth [default=die] pam_faillock.so authfail ++auth requisite pam_faillock.so preauth ++auth required pam_pkcs11.so wait_for_card card_only + auth optional pam_permit.so + auth required pam_env.so +-auth required pam_faillock.so authsucc +-# If you drop the above call to pam_faillock.so the lock will be done also +-# on non-consecutive authentication failures. + auth [success=ok default=1] pam_gdm.so + auth optional pam_gnome_keyring.so + @@ -8,7 +8,7 @@ _pkgbase=gdm pkgbase=gdm-plymouth pkgname=(gdm-plymouth libgdm-plymouth) pkgver=40.1 -pkgrel=1 +pkgrel=2 pkgdesc="Display manager and login screen with plymouth support" url="https://wiki.gnome.org/Projects/GDM" arch=(x86_64) @@ -19,9 +19,11 @@ checkdepends=(check) _commit=7fafdbcac9b970492e9ea23df42111d90986f3f3 # tags/40.1^0 source=("git+https://gitlab.gnome.org/GNOME/gdm.git#commit=$_commit" 0001-Xsession-Don-t-start-ssh-agent-by-default.patch + 0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch default.pa) sha256sums=('SKIP' 'aa751223e8664f65fe2cae032dc93bb94338a41cfca4c6b66a0fca0c788c4313' + 'a5dc583f37311164526569e54fe2d2c06fa27de9995848d7f374b4a554c4c8c0' 'e88410bcec9e2c7a22a319be0b771d1f8d536863a7fc618b6352a09d61327dcb') pkgver() { @@ -39,6 +41,9 @@ prepare() { # Don't start ssh-agent by default git apply -3 ../0001-Xsession-Don-t-start-ssh-agent-by-default.patch + + # https://bugs.archlinux.org/task/71750 + git apply -3 ../0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch } build() { |