Description of problem: Seems like this bug from authconfig is repeated in authselect: https://bugzilla.redhat.com/show_bug.cgi?id=717112 Setting UID_MIN in /etc/login.defs doesn't propagate to /etc/pam.d/password-auth and /etc/pam.d/system-auth after a run of authselect. Please add this feature.
Upstream ticket: https://github.com/pbrezina/authselect/issues/182
Thinking about this, I do not think that authselect (or authconfig) is the correct place for this. Every time /etc/login.defs is changed, authselect would have to be called again in order to regenerate the PAM stack with the updated value. A better solution would be to add a new feature to pam_succeed_if that would read the value from login.defs and use it. Something like: pam_succeed_if.so uid >= UID_MIN Tomas, what do you think? I could do the coding, but I want to know your opinion.
It seems to me to be a little feature creep for pam_succeed_if.so. Maybe a better solution would be a new module - something like pam_usertype.so. It could have options like: "isregular" - if uid is within UID_MIN and UID_MAX, "issystem" - within SYS_UID_MIN and SYS_UID_MAX. And "notregular" and "notsystem" for the inverted test. It could also support a "use_uid" option similarly to pam_succeed_if.
Why not do this as part of pam_succeed_if?
Because by adding reading of login.defs it would be overstretching its purpose.
From the man page: "pam_succeed_if.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated" It fits perfectly for "user isregular" and "user issystem" conditions. Besides, the new module would share the whole code with pam_succeed_if because the logic and purpose is the same, just the available conditions would be different.
(In reply to Pavel Březina from comment #6)
> It fits perfectly for "user isregular" and "user issystem" conditions.
> Besides the new module would share the whole code with pam_succeed_if
> because the logic and purpose is the same just the available conditions
> would be different.
Not really. If these are just options, there would not be much code shared except for the usual PAM module boilerplate. With my upstream hat on I really dislike adding this to pam_succeed_if.
Ok. Thank you for your opinion. I will write the new module.
linux-pam PR: https://github.com/linux-pam/linux-pam/pull/166
* `master` * 4cfb20423ca9a3e9b2b3de627b751e61fb0cf560 - profiles: switch uid checks to pam_usertype
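The drift this report describes can be checked for directly. The following is an added example, not part of the bug thread and not code from authselect or linux-pam: it reads UID_MIN from login.defs text and flags pam_succeed_if uid tests whose literal threshold disagrees with it. The file contents are constructed samples, the function names are hypothetical, and login.defs values are assumed to be decimal.

```python
import re

# Constructed samples (not from a real system): UID_MIN was raised in
# login.defs, but the PAM stack still carries the old literal threshold.
LOGIN_DEFS = """\
# Min/max values for automatic uid selection
UID_MIN          5000
UID_MAX         60000
SYS_UID_MIN       201
SYS_UID_MAX       999
"""
PAM_STACK = """\
auth     required      pam_env.so
auth     requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth     sufficient    pam_unix.so nullok try_first_pass
account  sufficient    pam_succeed_if.so uid < 1000 quiet
account  sufficient    pam_usertype.so issystem
"""
UID_TEST = re.compile(r"\buid\s+(>=|<=|>|<)\s+(\d+)")

def parse_login_defs(text):
    """Return KEY -> int for 'KEY value' lines (decimal values assumed)."""
    values = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2 and fields[1].isdigit():
            values[fields[0]] = int(fields[1])
    return values

def find_uid_drift(pam_text, uid_min):
    """List (line number, implied boundary, line) for pam_succeed_if uid
    tests whose threshold disagrees with UID_MIN."""
    findings = []
    for lineno, raw in enumerate(pam_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        match = UID_TEST.search(line)
        if "pam_succeed_if.so" not in line or not match:
            continue
        op, number = match.group(1), int(match.group(2))
        # 'uid > 999' and 'uid <= 999' draw the same line as '>= 1000'.
        boundary = number + 1 if op in (">", "<=") else number
        if boundary != uid_min:
            findings.append((lineno, boundary, line))
    return findings

if __name__ == "__main__":
    uid_min = parse_login_defs(LOGIN_DEFS)["UID_MIN"]
    for lineno, boundary, line in find_uid_drift(PAM_STACK, uid_min):
        print(f"line {lineno}: boundary {boundary} != UID_MIN {uid_min}: {line}")
```

Lines that use pam_usertype.so are not flagged, since they carry no literal uid threshold to drift.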
FEDORA-2020-9f8d3d996d has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-9f8d3d996d
authselect-1.2-1.fc32 has been pushed to the Fedora 32 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-9f8d3d996d
FEDORA-2020-9f8d3d996d has been pushed to the Fedora 32 stable repository. If the problem still persists, please make note of it in this bug report.