Bug 2000936 - Enforce Authselect Configuration Consistency
Summary: Enforce Authselect Configuration Consistency
Alias: None
Product: Fedora
Classification: Fedora
Component: authselect
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Pavel Březina
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: 2019052
TreeView+ depends on / blocked
Reported: 2021-09-03 10:31 UTC by Benjamin Berg
Modified: 2021-12-13 12:25 UTC (History)
7 users (show)

Fixed In Version: authselect-1.3.0-3.fc36
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-12-13 12:25:51 UTC
Type: Bug

Attachments (Terms of Use)

Description Benjamin Berg 2021-09-03 10:31:48 UTC
Currently, authselect is not mandatory and tries to go out of the way if the user makes local changes. However, making it mandatory has advantages:

 * All components can rely on configurations to be consistent across installations
 * We can roll out fixes for configurations (such as the pam_fprintd.so issue in F34) more easily

Comment 1 Florian Weimer 2021-09-03 10:36:28 UTC
This could also replace patching of glibc confinguration files by packages.  For an example, see “rpm -q --scripts systemd-libs”.

The ad-hoc patching often does not take into account that the system administrator does not want to enable certain functionality: it tends to come back as the result of package upgrades.

Comment 2 Bastien Nocera 2021-09-03 10:51:04 UTC
(In reply to Florian Weimer from comment #1)
> This could also replace patching of glibc confinguration files by packages. 
> For an example, see “rpm -q --scripts systemd-libs”.

Or "rpm -q --scripts nss-mdns"

Is there a reason why we'd need to wait another 8 months to get a stable Fedora with that problem fixed though?

Comment 3 Pavel Březina 2021-09-03 11:13:34 UTC
Thank you for creating this tracking bug.

I believe making authselect mandatory requires some bigger code and packaging changes that needs to be carefully design. From the top of my head, it should take ownership of the whole pam.d directory and not just few selected files and also own nsswitch.conf and drop support for manual nsswitch.conf edits. I do plan to submit a system wide change page for Fedora 36.

Comment 4 Pavel Březina 2021-11-12 14:02:06 UTC
Change page was accepted:

Comment 5 Pavel Březina 2021-12-13 11:34:49 UTC
FEDORA-2021-c2b61f2725 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2021-c2b61f2725

Comment 6 Fedora Update System 2021-12-13 12:25:51 UTC
FEDORA-2021-c2b61f2725 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.