Bug 2000936

Summary: Enforce Authselect Configuration Consistency
Product: [Fedora] Fedora Reporter: Benjamin Berg <bberg>
Component: authselectAssignee: Pavel Březina <pbrezina>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: aboscatt, ashankar, bnocera, fweimer, jhrozek, mcatanza, pbrezina
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: authselect-1.3.0-3.fc36 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-12-13 12:25:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2019052    

Description Benjamin Berg 2021-09-03 10:31:48 UTC 
Currently, authselect is not mandatory and tries to go out of the way if the user makes local changes. However, making it mandatory has advantages:

 * All components can rely on configurations to be consistent across installations
 * We can roll out fixes for configurations (such as the pam_fprintd.so issue in F34) more easily
Comment 1 Florian Weimer 2021-09-03 10:36:28 UTC 
This could also replace patching of glibc confinguration files by packages.  For an example, see “rpm -q --scripts systemd-libs”.

The ad-hoc patching often does not take into account that the system administrator does not want to enable certain functionality: it tends to come back as the result of package upgrades.
Comment 2 Bastien Nocera 2021-09-03 10:51:04 UTC 
(In reply to Florian Weimer from comment #1)
> This could also replace patching of glibc confinguration files by packages. 
> For an example, see “rpm -q --scripts systemd-libs”.

Or "rpm -q --scripts nss-mdns"

Is there a reason why we'd need to wait another 8 months to get a stable Fedora with that problem fixed though?
Comment 3 Pavel Březina 2021-09-03 11:13:34 UTC 
Thank you for creating this tracking bug.

I believe making authselect mandatory requires some bigger code and packaging changes that needs to be carefully design. From the top of my head, it should take ownership of the whole pam.d directory and not just few selected files and also own nsswitch.conf and drop support for manual nsswitch.conf edits. I do plan to submit a system wide change page for Fedora 36.
Comment 4 Pavel Březina 2021-11-12 14:02:06 UTC 
Change page was accepted:
https://fedoraproject.org/wiki/Changes/Make_Authselect_Mandatory
Comment 5 Pavel Březina 2021-12-13 11:34:49 UTC 
FEDORA-2021-c2b61f2725 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2021-c2b61f2725
Comment 6 Fedora Update System 2021-12-13 12:25:51 UTC 
FEDORA-2021-c2b61f2725 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.