Bug 2055604

Summary: Configurations under pwquality.conf.d should override pwquality.conf
Product: Red Hat Enterprise Linux 8
Component: libpwquality
Version: 8.5
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Reporter: Marko Myllynen <myllynen>
Assignee: Dmitry Belyavskiy <dbelyavs>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: prd-fedora
Target Milestone: rc
Keywords: FutureFeature, Triaged
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2023-08-01 13:16:23 UTC
Type: Bug

Description Marko Myllynen 2022-02-17 11:01:47 UTC
Description of problem:
libpwquality supports providing custom configuration as separate .conf files under /etc/security/pwquality.conf.d, which is great. However, unlike many other packages (for instance openssh), libpwquality does not override /etc/security/pwquality.conf settings with settings read from .conf files. This makes it harder than with other tools to ensure the wanted settings are in use, which with other tools is a simple matter of copying something like zzz-local.conf in place; now with libpwquality the main configuration file also needs to be touched. It would also be consistent with, and more similar to, other tools if .conf files took precedence over the main configuration file.

This change is probably too late for RHEL 8, but I'm filing this BZ against it to have the situation documented here, and if it is possible to change this in a later RHEL release, this BZ can be cloned. Thanks.

Version-Release number of selected component (if applicable):
libpwquality-1.4.4-3.el8
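
As an added illustration, not part of the bug report or of libpwquality: a small audit that models the precedence described above (drop-in files applied first, the main pwquality.conf last) and lists the drop-in settings that the main file shadows. The `key = value` parsing, the sorted read order of drop-ins, and the sample file contents are assumptions of this example.

```python
import os
import tempfile

def parse_conf(path):
    """Return {setting: value} from one file of 'key = value' lines ('#' starts a comment)."""
    settings = {}
    with open(path) as fh:
        for line in fh:
            line = line.split("#", 1)[0].strip()
            if not line:
                continue
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def audit(main_conf, dropin_dir):
    """Apply drop-ins first and the main file last, so the main file wins.

    Returns (effective, shadowed); shadowed maps a setting to
    (drop-in file, drop-in value, main-file value) when the drop-in loses.
    """
    effective, origin = {}, {}
    names = sorted(os.listdir(dropin_dir)) if os.path.isdir(dropin_dir) else []
    for name in (n for n in names if n.endswith(".conf")):  # assumed sorted order
        for key, value in parse_conf(os.path.join(dropin_dir, name)).items():
            effective[key], origin[key] = value, name
    shadowed = {}
    main = parse_conf(main_conf) if os.path.isfile(main_conf) else {}
    for key, value in main.items():
        if key in effective and effective[key] != value:
            shadowed[key] = (origin[key], effective[key], value)
        effective[key] = value
    return effective, shadowed

def demo():
    """Constructed sample: main file sets minlen = 8, zzz-local.conf asks for 14."""
    with tempfile.TemporaryDirectory() as root:
        main_conf = os.path.join(root, "pwquality.conf")
        dropin_dir = main_conf + ".d"
        os.mkdir(dropin_dir)
        with open(main_conf, "w") as fh:
            fh.write("# site default\nminlen = 8\n")
        with open(os.path.join(dropin_dir, "zzz-local.conf"), "w") as fh:
            fh.write("minlen = 14\ndcredit = -1\n")
        return audit(main_conf, dropin_dir)

if __name__ == "__main__":
    for key, (name, wanted, actual) in demo()[1].items():
        print(f"{key}: {name} sets {wanted}, but pwquality.conf wins with {actual}")
```

On a real host, `audit("/etc/security/pwquality.conf", "/etc/security/pwquality.conf.d")` gives the same report for the paths named in the description.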

Comment 1 Dmitry Belyavskiy 2022-03-02 12:13:23 UTC
This bug should go to upstream first, I think?

Sorry, it will definitely not go to RHEL 8 series but may be considered for RHEL 9.

Comment 2 Marko Myllynen 2022-03-02 13:14:15 UTC
Thanks for looking into this.

> This bug should go to upstream first, I think?

Yes, that would be good.

> Sorry, it will definitely not go to RHEL 8 series but may be considered for RHEL 9.

Sure, no worries. I think for RHEL 9 doing this before 9.0 would be much better than after that, if even possible then.

Thanks.

Comment 3 Dmitry Belyavskiy 2022-03-02 13:18:03 UTC
So would you mind reporting this issue upstream?

Comment 4 Marko Myllynen 2022-03-02 15:57:17 UTC
I've now filed an upstream issue at https://github.com/libpwquality/libpwquality/issues/60 after verifying this is also the behavior on latest Fedora 35.

Comment 6 Dmitry Belyavskiy 2023-08-01 13:16:06 UTC
Looks like no interest either here or upstream, so closing.