< Changes
Authselect: Require explicit opt-out
Summary
Any user changes to a configuration generated by authselect will be overwritten by subsequent call to authselect. Users that do not want to use authselect to manage their nsswitch and PAM configuration can opt-out by calling authselect opt-out or removing /etc/authselect/authselect.conf. It will also make authselect work on CoreOS and other rpm-ostree systems.
Owner
- Name: Pavel Březina
- Email: pbrezina@redhat.com
Current status
- Targeted release: Fedora Linux 36
- Last updated: 2022-02-07
- devel thread
- FESCo issue: #2741
- Tracker bug: #2051545
- Release notes tracker: #802
Detailed Description
Authselect is trying hard to avoid overwriting any potential user changes to the configuration that were not done through the authselect tool. If the content of the configuration has changed without authselect, any subsequent call to authselect refuses to overwrite the changes unless --force parameter is given to the tool. This is to prevent destruction of any user configuration.
This behavior allows a "mixed" configuration where the original configuration was created by authselect and then modified by user. Authselect essentially stopped managing those files, but the files were still symbolic links to /etc/authselect directory. The way how this is implemented also breaks authselect on ostree systems (BZ#2034360). Also, it is always quite difficult to explain this behavior to users and it seems to create more confusion then what is the benefit.
This behavior was important in the past to allow smooth and non-breaking transition to authselect. Fedora 36 encourages users to switch to authselect (if they haven't done that already), see Changes/Make_Authselect_Mandatory. This behavior is therefore no longer needed and we want to eliminate this mixed configuration and let users either use authselect or not, but nothing in between.
The behavior will change to:
- if
/etc/authselect/authselect.confexists and is valid then allauthselectcalls write the new configuration- authselect will overwrite user changes if there are any and will not require user's confirmation through
--forceparameter - content of the files is no longer checked, therefore the files under
/var/lib/authselectare no longer needed (this will make authselect work on ostree systems)
- authselect will overwrite user changes if there are any and will not require user's confirmation through
- if
/etc/authselect/authselect.confdoes not exist or is corrupted, thenauthselectwill require--forceparameter - those users that don't want to have their configuration managed by
authselectcan callauthselect opt-out- this will convert authselect configuration to non-authselect configuration (convert symbolic links to regular files and remove authselect.conf)
- the result is that users would either use
authselector not, nothing in between
Feedback
Benefit to Fedora
- The system configuration will be clear - it is either managed by authselect or not
- This makes authselect compatible with ostree model.
- The new behavior is more simple and similar to what users already know (for example how /etc/resolv.conf is managed)
Scope
- Proposal owners: Implement these changes.
- Other developers: N/A (not needed for this Change)
- Release engineering: #10544
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives: N/A
Upgrade/compatibility impact
No impact.
How To Test
- Authselect keeps working as expected after the upgrade
- Any user change is overwritten when authselect is called if the configuration is managed by authselect (
/etc/authselect/authselect.confexist and is valid)
User Experience
Users that do not want to use authselect must explicitly opt-out by calling authselect opt-out. It is more clear how the authselect tool operates.
Dependencies
No dependencies.
Contingency Plan
- Contingency mechanism: N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
Documentation
N/A (not a System Wide Change)
Release Notes
Users that do not want use authselect to manage their nsswitch and PAM configuration must explicitly opt-out by calling authselect opt-out