40.1-2: add a patch for FS#71750

a18af295 · Jan Alexander Steffens (heftig) · 6c0f2104 · a18af295 · a18af295
Commit a18af295 authored 3 years ago by Jan Alexander Steffens (heftig)
--- a/0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch
+++ b/0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <heftig@archlinux.org>
+Date: Tue, 31 Aug 2021 21:51:46 +0000
+Subject: [PATCH] pam-arch: Drop pam_faillock counting from fingerprint and
+ smartcard
+As mentioned in an [fprintd issue comment][1], we need to make sure that
+the stack's error status is taken from the main auth module, i.e.
+pam_fprintd, otherwise GDM will not behave correctly.
+Still use pam_faillock preauth so that we test whether the account is
+locked, but don't use authfail/authsucc to log a failure/success so this
+stack doesn't participate in triggering the lock.
+Ideally we would check which return values we actually want to treat as
+a reason to lock the account (e.g. fingerprint mismatch) and which are
+neutral (e.g. no fingerprints enrolled), but that's much more effort.
+Should fix [FS#71750][2].
+[1]: https://gitlab.freedesktop.org/libfprint/fprintd/-/issues/112#note_1016191
+[2]: https://bugs.archlinux.org/task/71750
+---
+ data/pam-arch/gdm-fingerprint.pam | 10 ++--------
+ data/pam-arch/gdm-smartcard.pam   | 10 ++--------
+ 2 files changed, 4 insertions(+), 16 deletions(-)
+diff --git a/data/pam-arch/gdm-fingerprint.pam b/data/pam-arch/gdm-fingerprint.pam
+index cc660d9a..2aaf9f6c 100644
+--- a/data/pam-arch/gdm-fingerprint.pam
+++ b/data/pam-arch/gdm-fingerprint.pam
+@@ -2,16 +2,10 @@
+ auth       required                    pam_shells.so
+ auth       requisite                   pam_nologin.so
+-auth       required                    pam_faillock.so      preauth
+-# Optionally use requisite above if you do not want to prompt for the fingerprint
+-# on locked accounts.
+-auth       [success=1 default=ignore]  pam_fprintd.so
+-auth       [default=die]               pam_faillock.so      authfail
+auth       requisite                   pam_faillock.so      preauth
+auth       required                    pam_fprintd.so
+ auth       optional                    pam_permit.so
+ auth       required                    pam_env.so
+-auth       required                    pam_faillock.so      authsucc
+-# If you drop the above call to pam_faillock.so the lock will be done also
+-# on non-consecutive authentication failures.
+ auth       [success=ok default=1]      pam_gdm.so
+ auth       optional                    pam_gnome_keyring.so
+diff --git a/data/pam-arch/gdm-smartcard.pam b/data/pam-arch/gdm-smartcard.pam
+index e6ec1299..6d7333bf 100644
+--- a/data/pam-arch/gdm-smartcard.pam
+++ b/data/pam-arch/gdm-smartcard.pam
+@@ -2,16 +2,10 @@
+ auth       required                    pam_shells.so
+ auth       requisite                   pam_nologin.so
+-auth       required                    pam_faillock.so      preauth
+-# Optionally use requisite above if you do not want to prompt for the smartcard
+-# on locked accounts.
+-auth       [success=1 default=ignore]  pam_pkcs11.so        wait_for_card card_only
+-auth       [default=die]               pam_faillock.so      authfail
+auth       requisite                   pam_faillock.so      preauth
+auth       required                    pam_pkcs11.so        wait_for_card card_only
+ auth       optional                    pam_permit.so
+ auth       required                    pam_env.so
+-auth       required                    pam_faillock.so      authsucc
+-# If you drop the above call to pam_faillock.so the lock will be done also
+-# on non-consecutive authentication failures.
+ auth       [success=ok default=1]      pam_gdm.so
+ auth       optional                    pam_gnome_keyring.so
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -4,7 +4,7 @@
 pkgbase=gdm
 pkgname=(gdm libgdm)
 pkgver=40.1
-pkgrel=1
+pkgrel=2
 pkgdesc="Display manager and login screen"
 url="https://wiki.gnome.org/Projects/GDM"
 arch=(x86_64)
@@ -16,9 +16,11 @@ checkdepends=(check)
 _commit=7fafdbcac9b970492e9ea23df42111d90986f3f3  # tags/40.1^0
 source=("git+https://gitlab.gnome.org/GNOME/gdm.git#commit=$_commit"
        0001-Xsession-Don-t-start-ssh-agent-by-default.patch
+        0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch
        default.pa)
 sha256sums=('SKIP'
            'aa751223e8664f65fe2cae032dc93bb94338a41cfca4c6b66a0fca0c788c4313'
+            'a5dc583f37311164526569e54fe2d2c06fa27de9995848d7f374b4a554c4c8c0'
            'e88410bcec9e2c7a22a319be0b771d1f8d536863a7fc618b6352a09d61327dcb')
 pkgver() {
@@ -34,6 +36,9 @@ prepare() {
  # Don't start ssh-agent by default
  git apply -3 ../0001-Xsession-Don-t-start-ssh-agent-by-default.patch
+  # https://bugs.archlinux.org/task/71750
+  git apply -3 ../0002-pam-arch-Drop-pam_faillock-counting-from-fingerprint.patch
 }
 build() {