authorTaijian2021-09-01 12:29:18 +0200
committerTaijian2021-09-01 12:29:18 +0200
commitbb95e359f154229c19a504a016ee0fb80eb7aabf (patch)
treed412bfe92e155530fdb96e6c70372da10b9d8d97
parent6ed4c9c5ccbcb39cc885e5c398ee46605b100f00 (diff)
downloadaur-bb95e359f154229c19a504a016ee0fb80eb7aabf.tar.gz
update to match extra/40.1-2
-rw-r--r--.SRCINFO4
-rw-r--r--0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch73
-rw-r--r--PKGBUILD7
3 files changed, 82 insertions, 2 deletions
diff --git a/.SRCINFO b/.SRCINFO
index eb40acbfd964..bdc6d268313b 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
pkgbase = gdm-plymouth
pkgdesc = Display manager and login screen with plymouth support
pkgver = 40.1
- pkgrel = 1
+ pkgrel = 2
url = https://wiki.gnome.org/Projects/GDM
arch = x86_64
license = GPL
@@ -22,9 +22,11 @@ pkgbase = gdm-plymouth
depends = libxdmcp
source = git+https://gitlab.gnome.org/GNOME/gdm.git#commit=7fafdbcac9b970492e9ea23df42111d90986f3f3
source = 0001-Xsession-Don-t-start-ssh-agent-by-default.patch
+ source = 0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch
source = default.pa
sha256sums = SKIP
sha256sums = aa751223e8664f65fe2cae032dc93bb94338a41cfca4c6b66a0fca0c788c4313
+ sha256sums = a5dc583f37311164526569e54fe2d2c06fa27de9995848d7f374b4a554c4c8c0
sha256sums = e88410bcec9e2c7a22a319be0b771d1f8d536863a7fc618b6352a09d61327dcb
pkgname = gdm-plymouth
diff --git a/0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch b/0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch
new file mode 100644
index 000000000000..5fe1838e945b
--- /dev/null
+++ b/0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch
@@ -0,0 +1,73 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <heftig@archlinux.org>
+Date: Tue, 31 Aug 2021 21:51:46 +0000
+Subject: [PATCH] pam-arch: Drop pam_faillock counting from fingerprint and
+ smartcard
+
+As mentioned in an [fprintd issue comment][1], we need to make sure that
+the stack's error status is taken from the main auth module, i.e.
+pam_fprintd, otherwise GDM will not behave correctly.
+
+Still use pam_faillock preauth so that we test whether the account is
+locked, but don't use authfail/authsucc to log a failure/success so this
+stack doesn't participate in triggering the lock.
+
+Ideally we would check which return values we actually want to treat as
+a reason to lock the account (e.g. fingerprint mismatch) and which are
+neutral (e.g. no fingerprints enrolled), but that's much more effort.
+
+Should fix [FS#71750][2].
+
+[1]: https://gitlab.freedesktop.org/libfprint/fprintd/-/issues/112#note_1016191
+[2]: https://bugs.archlinux.org/task/71750
+---
+ data/pam-arch/gdm-fingerprint.pam | 10 ++--------
+ data/pam-arch/gdm-smartcard.pam | 10 ++--------
+ 2 files changed, 4 insertions(+), 16 deletions(-)
+
+diff --git a/data/pam-arch/gdm-fingerprint.pam b/data/pam-arch/gdm-fingerprint.pam
+index cc660d9a..2aaf9f6c 100644
+--- a/data/pam-arch/gdm-fingerprint.pam
++++ b/data/pam-arch/gdm-fingerprint.pam
+@@ -2,16 +2,10 @@
+
+ auth required pam_shells.so
+ auth requisite pam_nologin.so
+-auth required pam_faillock.so preauth
+-# Optionally use requisite above if you do not want to prompt for the fingerprint
+-# on locked accounts.
+-auth [success=1 default=ignore] pam_fprintd.so
+-auth [default=die] pam_faillock.so authfail
++auth requisite pam_faillock.so preauth
++auth required pam_fprintd.so
+ auth optional pam_permit.so
+ auth required pam_env.so
+-auth required pam_faillock.so authsucc
+-# If you drop the above call to pam_faillock.so the lock will be done also
+-# on non-consecutive authentication failures.
+ auth [success=ok default=1] pam_gdm.so
+ auth optional pam_gnome_keyring.so
+
+diff --git a/data/pam-arch/gdm-smartcard.pam b/data/pam-arch/gdm-smartcard.pam
+index e6ec1299..6d7333bf 100644
+--- a/data/pam-arch/gdm-smartcard.pam
++++ b/data/pam-arch/gdm-smartcard.pam
+@@ -2,16 +2,10 @@
+
+ auth required pam_shells.so
+ auth requisite pam_nologin.so
+-auth required pam_faillock.so preauth
+-# Optionally use requisite above if you do not want to prompt for the smartcard
+-# on locked accounts.
+-auth [success=1 default=ignore] pam_pkcs11.so wait_for_card card_only
+-auth [default=die] pam_faillock.so authfail
++auth requisite pam_faillock.so preauth
++auth required pam_pkcs11.so wait_for_card card_only
+ auth optional pam_permit.so
+ auth required pam_env.so
+-auth required pam_faillock.so authsucc
+-# If you drop the above call to pam_faillock.so the lock will be done also
+-# on non-consecutive authentication failures.
+ auth [success=ok default=1] pam_gdm.so
+ auth optional pam_gnome_keyring.so
+
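Review bot: The new gdm-fingerprint.pam and gdm-smartcard.pam stacks keep `pam_faillock.so preauth` but have no comment saying that `authfail`/`authsucc` were left out on purpose, and the explanatory comments that used to sit there are deleted along with those calls. Because these stacks no longer record failures, attempt limiting for fingerprint and smartcard logins presumably rests on whatever pam_fprintd, pam_pkcs11 or the card itself enforce. That is worth stating in the files so that nobody re-adds the calls or assumes faillock covers these paths. I would add above the preauth line in gdm-fingerprint.pam `# preauth only: reject locked accounts, but do not count fingerprint failures toward the lock (FS#71750)`, and the same with "smartcard" in gdm-smartcard.pam. The `auth optional pam_permit.so` line appears to have been the landing point of the old `success=1` jump and looks redundant now; confirm before dropping it.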
diff --git a/PKGBUILD b/PKGBUILD
index 0b18ccfc1f89..021dccb9b4c7 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -8,7 +8,7 @@ _pkgbase=gdm
pkgbase=gdm-plymouth
pkgname=(gdm-plymouth libgdm-plymouth)
pkgver=40.1
-pkgrel=1
+pkgrel=2
pkgdesc="Display manager and login screen with plymouth support"
url="https://wiki.gnome.org/Projects/GDM"
arch=(x86_64)
@@ -19,9 +19,11 @@ checkdepends=(check)
_commit=7fafdbcac9b970492e9ea23df42111d90986f3f3 # tags/40.1^0
source=("git+https://gitlab.gnome.org/GNOME/gdm.git#commit=$_commit"
0001-Xsession-Don-t-start-ssh-agent-by-default.patch
+ 0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch
default.pa)
sha256sums=('SKIP'
'aa751223e8664f65fe2cae032dc93bb94338a41cfca4c6b66a0fca0c788c4313'
+ 'a5dc583f37311164526569e54fe2d2c06fa27de9995848d7f374b4a554c4c8c0'
'e88410bcec9e2c7a22a319be0b771d1f8d536863a7fc618b6352a09d61327dcb')
pkgver() {
@@ -39,6 +41,9 @@ prepare() {
# Don't start ssh-agent by default
git apply -3 ../0001-Xsession-Don-t-start-ssh-agent-by-default.patch
+
+ # https://bugs.archlinux.org/task/71750
+ git apply -3 ../0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch
}
build() {