Patch systemd

The role ufrmath.computer_labs.patch_systemd builds a patched systemd that allows purely numeric usernames.

In recent versions of systemd, the PAM module pam_systemd.so provided by libpam-systemd prevents users with purely numerical usernames from logging in through gdm. In situations where such numerical usernames are provided by an external tool (like LDAP), it might be desirable to patch systemd in order to bypass this restriction.

It is assumed that the username and the uid coincide for every numerical username; otherwise this might create confusion.
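
One way to check this assumption before deploying the patched package, as an added example that is not part of the role or of systemd: the hypothetical function check_numeric_usernames reads passwd(5)-format lines and reports every purely numeric login name that differs from its own uid, together with the account that actually owns that uid. The sample accounts are constructed.

```sh
#!/bin/sh
# Added example (not part of the role): verify that every purely numeric
# login name equals its own UID. Input is passwd(5) format on stdin.

# Constructed sample accounts, standing in for `getent passwd` output.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000::/home/alice:/bin/sh
20231234:*:20231234:500::/home/20231234:/bin/sh
1000:*:20239999:500::/home/1000:/bin/sh
0042:*:42:500::/home/0042:/bin/sh
EOF
}

# Prints "name uid owner" for each numeric name that is not textually equal
# to its UID; owner is the account whose UID equals that name, or "-".
# Exit status is 1 when at least one such account exists, 0 otherwise.
check_numeric_usernames() {
    awk -F: '
        NF >= 3 { n++; name[n] = $1; uid[n] = $3; owner[$3 ""] = $1 }
        END {
            for (i = 1; i <= n; i++) {
                nm = name[i] ""
                if (nm !~ /^[0-9]+$/) continue
                # String comparison on purpose: "0042" is not the UID string "42"
                if (nm == (uid[i] "")) continue
                print nm, uid[i], ((nm in owner) ? owner[nm] : "-")
                bad = 1
            }
            exit bad + 0
        }
    '
}

# Demo on the constructed sample; on a real host: getent passwd | check_numeric_usernames
sample_passwd | check_numeric_usernames || echo "numeric usernames that do not match their UID were found" >&2
```

Where the name service does not enumerate directory accounts, getent passwd lists only local users, so feed the function an export of the directory in passwd format instead.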

The aim is to build libpam-systemd-patch, a patched version of libpam-systemd.

The first step is to download the systemd source package:

apt source systemd

The key part is the patch:

From: Julien Guillod
Date: 1 Feb 2022
Subject: [CUSTOM PATCH] Allow numerical username even in relaxed mode

Even in relaxed mode (used for SSSD or Samba for example) systemd prevents numerical usernames,
which are not POSIX compliant. This patch allows numerical usernames even in relaxed mode.

The main reason is to permit login of users from an LDAP having numerical usernames.
For such numerical logins it is expected that the username and uid match.
Index: system2/src/basic/user-util.c
===================================================================
--- system2.orig/src/basic/user-util.c
+++ system2/src/basic/user-util.c
@@ -714,9 +714,9 @@ bool valid_user_group_name(const char *u
         if (isempty(u)) /* An empty user name is never valid */
                 return false;
 
-        if (parse_uid(u, NULL) >= 0) /* Something that parses as numeric UID string is valid exactly when the
-                                      * flag for it is set */
-                return FLAGS_SET(flags, VALID_USER_ALLOW_NUMERIC);
+        if (parse_uid(u, NULL) >= 0) /* Something that parses as numeric UID string is valid exactly when
+                                      * a least one numeric or relax flag is set */
+                return FLAGS_SET(flags, VALID_USER_ALLOW_NUMERIC) || FLAGS_SET(flags, VALID_USER_RELAX);
 
         if (FLAGS_SET(flags, VALID_USER_RELAX)) {
 
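Review bot: the new return in valid_user_group_name() accepts a numeric name whenever VALID_USER_RELAX is set, but nothing in this check enforces the commit message's expectation that username and uid match, so a name such as "1000" is accepted for every caller that passes VALID_USER_RELAX, whichever uid it maps to. State that assumption in the code comment (it currently only restates the condition) and fix "a least" to "at least". A single mask test, (flags & (VALID_USER_ALLOW_NUMERIC|VALID_USER_RELAX)) != 0, would also read more clearly than the two FLAGS_SET calls joined by ||.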
Index: system2/src/test/test-user-util.c
===================================================================
--- system2.orig/src/test/test-user-util.c
+++ system2/src/test/test-user-util.c
@@ -68,8 +68,11 @@ static void test_valid_user_group_name_r
 
         assert_se(!valid_user_group_name(NULL, VALID_USER_RELAX));
         assert_se(!valid_user_group_name("", VALID_USER_RELAX));
-        assert_se(!valid_user_group_name("1", VALID_USER_RELAX));
+        assert_se(valid_user_group_name("1", VALID_USER_RELAX));
+        assert_se(valid_user_group_name("65534", VALID_USER_RELAX));
         assert_se(!valid_user_group_name("65535", VALID_USER_RELAX));
+        assert_se(valid_user_group_name("65536", VALID_USER_RELAX));
+        assert_se(valid_user_group_name("12345678", VALID_USER_RELAX));
         assert_se(!valid_user_group_name("-1", VALID_USER_RELAX));
         assert_se(!valid_user_group_name("foo\nbar", VALID_USER_RELAX));
         assert_se(!valid_user_group_name("0123456789012345678901234567890123456789", VALID_USER_RELAX));
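Review bot: in the VALID_USER_RELAX test, "65535" stays rejected between the newly accepted "65534" and "65536" with no comment saying why, so the block now reads like an inconsistency. Add a one-line comment at that assertion explaining the exception (presumably the value is refused as a uid before the flag check is reached, since it is also rejected with VALID_USER_ALLOW_NUMERIC|VALID_USER_RELAX), so that a later reader does not "fix" it.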
@@ -156,6 +159,7 @@ static void test_valid_user_group_name_o
         assert_se(valid_user_group_name("65534", VALID_USER_ALLOW_NUMERIC|VALID_USER_RELAX));
         assert_se(!valid_user_group_name("65535", VALID_USER_ALLOW_NUMERIC|VALID_USER_RELAX));
         assert_se(valid_user_group_name("65536", VALID_USER_ALLOW_NUMERIC|VALID_USER_RELAX));
+        assert_se(valid_user_group_name("12345678", VALID_USER_ALLOW_NUMERIC|VALID_USER_RELAX));
         assert_se(!valid_user_group_name("-1", VALID_USER_ALLOW_NUMERIC|VALID_USER_RELAX));
         assert_se(!valid_user_group_name("foo\nbar", VALID_USER_ALLOW_NUMERIC|VALID_USER_RELAX));
         assert_se(!valid_user_group_name("0123456789012345678901234567890123456789", VALID_USER_ALLOW_NUMERIC|VALID_USER_RELAX));
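Review bot: the added "12345678" assertion under VALID_USER_ALLOW_NUMERIC|VALID_USER_RELAX passes with or without the user-util.c change, because the removed line already returned true whenever VALID_USER_ALLOW_NUMERIC was set, so it does not exercise the patch. What is missing is an assertion that strict mode is unchanged, for example assert_se(!valid_user_group_name("12345678", 0)); in the test for the no-flags case, if that case is not already covered there.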

The patch allows numerical logins in VALID_USER_RELAX mode as well.

This patch has to be imported and applied with:

quilt import ../allow_numerical_user.patch

To build a different package (libpam-systemd-patch instead of libpam-systemd), one needs to replace libpam-systemd. with libpam-systemd-patch. in the filenames debian/libpam-systemd.*.

Then the debian/control file has to be edited to replace the lines after Package: libpam-systemd with:

...
Package: libpam-systemd-patch
...
Provides: logind (= ${binary:Version}), default-logind (= ${binary:Version})
Conflicts: libpam-systemd
Replaces: libpam-systemd
...

Finally, the patched package can be built using:

debuild -b -us -uc

The installation of libpam-systemd-patch:

apt install ./libpam-systemd-patch*.deb

will automatically remove libpam-systemd.
