Bug 2055604 - Configurations under pwquality.conf.d should override pwquality.conf
Summary: Configurations under pwquality.conf.d should override pwquality.conf
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: libpwquality
Version: 8.5
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Dmitry Belyavskiy
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-02-17 11:01 UTC by Marko Myllynen
Modified: 2023-08-01 13:16 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-01 13:16:23 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker CRYPTO-7967 0 None None None 2022-07-26 23:09:45 UTC
Red Hat Issue Tracker RHELPLAN-112727 0 None None None 2022-02-17 11:06:45 UTC

Description Marko Myllynen 2022-02-17 11:01:47 UTC
Description of problem:
libpwquality supports providing custom configuration as separate .conf files under /etc/security/pwquality.conf.d which is great. However, unlike with many other packages (for instance openssh) libpwquality does not override /etc/security/pwquality.conf settings with settings read from .conf files. This makes it harder than with other tools to ensure the wanted settings are in use which with other tools is a simple matter of copying something like zzz-local.conf in place, now with libpwquality the main configuration file also needs to be touched. It would also be consistent and more similar with other tools if .conf files would take precedence over the main configuration file.

This change is probably too late for RHEL 8 but I'm filing this BZ against it to have the situation documented here and if possible to change in a later RHEL release this BZ can be cloned. Thanks.

Version-Release number of selected component (if applicable):
libpwquality-1.4.4-3.el8

Comment 1 Dmitry Belyavskiy 2022-03-02 12:13:23 UTC
This bug should go to upstream first, I think?

Sorry, it will definitely not go to RHEL 8 series but may be considered for RHEL 9.

Comment 2 Marko Myllynen 2022-03-02 13:14:15 UTC
Thanks for looking into this.

> This bug should go to upstream first, I think?

Yes, that would be good.

> Sorry, it will definitely not go to RHEL 8 series but may be considered for RHEL 9.

Sure, no worries. I think for RHEL 9 doing this before 9.0 would be much better than after that, if even possible then.

Thanks.

Comment 3 Dmitry Belyavskiy 2022-03-02 13:18:03 UTC
So would you mind to report this issue upstream?

Comment 4 Marko Myllynen 2022-03-02 15:57:17 UTC
I've now filed an upstream issue at https://github.com/libpwquality/libpwquality/issues/60 after verifying this is also the behavior on latest Fedora 35.

Comment 6 Dmitry Belyavskiy 2023-08-01 13:16:06 UTC
Looks like no interest either here or upstream, so closing


Note You need to log in before you can comment on or make changes to this bug.