Fixed a bug due to which gsettings could not cache the specified URI

- Fix regression with kestroy for user credential cache
- Update system-policy-gpupdate PAM-rules to ignore applying group policies
  for local users and system users with uid less than 500
- Add control facilities to rule system-policy-gpupdate rules:
  + gpupdate-group-users
  + gpupdate-localusers
  + gpupdate-system-uids

dist/gpupdate-group-users

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+. /etc/control.d/functions
+
+CONFIG=/etc/pam.d/system-policy-gpupdate
+
+new_subst disabled \
+        '^[[:space:]]*session[[:space:]]+\[.*default=1.*\][[:space:]]+pam_succeed_if.so user ingroup users.*' \
+        's,^\([[:space:]]*session[[:space:]]\+\[.*\)default=[[:alnum:]]\+\(.*pam_succeed_if.so user ingroup users.*\)$,\1default=1\2,'
+new_subst enabled \
+        '^[[:space:]]*session[[:space:]]+\[.*default=ignore.*\][[:space:]]+pam_succeed_if.so user ingroup users.*' \
+        's,^\([[:space:]]*session[[:space:]]\+\[.*\)default=[[:alnum:]]\+\(.*pam_succeed_if.so user ingroup users.*\)$,\1default=ignore\2,'
+
+new_help disabled "Disable group policy applying for users in 'users' group only"
+new_help enabled "Enable group policy applying for users in 'users' group only"
+
+new_summary "Group policy applying for users in 'users' group only"
+
+control_subst "$CONFIG" "$*"

dist/gpupdate-localusers

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+. /etc/control.d/functions
+
+CONFIG=/etc/pam.d/system-policy-gpupdate
+
+new_subst disabled \
+        '^[[:space:]]*session[[:space:]]+\[.*success=2.*\][[:space:]]+pam_localuser.so' \
+        's,^\([[:space:]]*session[[:space:]]\+\[.*\)success=[[:alnum:]]\+\(.*pam_localuser.so.*\)$,\1success=2\2,'
+new_subst enabled \
+        '^[[:space:]]*session[[:space:]]+\[.*success=1.*\][[:space:]]+pam_localuser.so' \
+        's,^\([[:space:]]*session[[:space:]]\+\[.*\)success=[[:alnum:]]\+\(.*pam_localuser.so.*\)$,\1success=1\2,'
+
+new_help disabled 'Disable group policy applying for local users'
+new_help enabled 'Enable group policy applying for local users'
+
+new_summary 'Group policy applying for local users'
+
+control_subst "$CONFIG" "$*"

dist/gpupdate-system-uids

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+. /etc/control.d/functions
+
+CONFIG=/etc/pam.d/system-policy-gpupdate
+
+new_subst disabled \
+        '^[[:space:]]*session[[:space:]]+\[.*default=1.*\][[:space:]]+pam_succeed_if.so uid >= 500.*' \
+        's,^\([[:space:]]*session[[:space:]]\+\[.*\)default=[[:alnum:]]\+\(.*pam_succeed_if.so uid >= 500.*\)$,\1default=1\2,'
+new_subst enabled \
+        '^[[:space:]]*session[[:space:]]+\[.*default=ignore.*\][[:space:]]+pam_succeed_if.so uid >= 500.*' \
+        's,^\([[:space:]]*session[[:space:]]\+\[.*\)default=[[:alnum:]]\+\(.*pam_succeed_if.so uid >= 500.*\)$,\1default=ignore\2,'
+
+new_help disabled "Disable group policy applying for users with not system uids only"
+new_help enabled "Enable group policy applying for users with not system uids only"
+
+new_summary "Group policy applying for users with not system uids (greater or equal 500) only"
+
+control_subst "$CONFIG" "$*"

dist/system-policy-gpupdate

@@ -1,4 +1,12 @@
 #%PAM-1.0
+session		[success=2 perm_denied=ignore default=die]	pam_localuser.so
 session		required	pam_mkhomedir.so silent
+session		[default=1]	pam_permit.so
+session		[default=6]	pam_permit.so
+session		[success=1 default=ignore]	pam_succeed_if.so user ingroup users quiet
+session		[default=4]	pam_permit.so
+session		[success=1 default=ignore]	pam_succeed_if.so uid >= 500 quiet
+session		[default=2]	pam_permit.so
 -session	required	pam_oddjob_gpupdate.so
 session		optional	pam_env.so user_readenv=1 conffile=/etc/gpupdate/environment user_envfile=.gpupdate_environment
+session		required	pam_permit.so

gpoa/frontend/appliers/gsettings.py

@@ -96,7 +96,7 @@ class system_gsettings:
 def glib_map(value, glib_type):
     result_value = value
 
-    if glib_type == 'i' or glib_type == 'b':
+    if glib_type == 'i' or glib_type == 'b' or glib_type == 'q':
         result_value = GLib.Variant(glib_type, int(value))
     else:
         result_value = GLib.Variant(glib_type, value)

gpoa/frontend/gsettings_applier.py

@@ -20,6 +20,7 @@ import logging
 import os
 import pwd
 import subprocess
+import urllib.parse
 
 from gi.repository import (
       Gio
@@ -62,6 +63,7 @@ class gsettings_applier(applier_frontend):
     __registry_branch = 'Software\\BaseALT\\Policies\\GSettings\\'
     __registry_locks_branch = 'Software\\BaseALT\\Policies\\GSettingsLocks\\'
     __wallpaper_entry = 'Software\\BaseALT\\Policies\\GSettings\\org.mate.background.picture-filename'
+    __vino_authentication_methods_entry = 'Software\\BaseALT\\Policies\\GSettings\\org.gnome.Vino.authentication-methods'
     __global_schema = '/usr/share/glib-2.0/schemas'
     __override_priority_file = 'zzz_policy.gschema.override'
     __override_old_file = '0_policy.gschema.override'
@@ -117,11 +119,16 @@ class gsettings_applier(applier_frontend):
             rp = valuename.rpartition('.')
             schema = rp[0]
             path = rp[2]
+            data = setting.data
             lock = bool(self.locks[valuename]) if valuename in self.locks else None
             if setting.hive_key.lower() == self.__wallpaper_entry.lower():
-                self.update_file_cache(setting.data)
-                helper = self.uri_fetch_helper
-            self.gsettings.append(schema, path, setting.data, lock, helper)
+                check = urllib.parse.urlparse(setting.data)
+                if check.scheme:
+                    self.update_file_cache(setting.data)
+                    helper = self.uri_fetch_helper
+            elif setting.hive_key.lower() == self.__vino_authentication_methods_entry.lower():
+                data = [setting.data]
+            self.gsettings.append(schema, path, data, lock, helper)
 
         # Create GSettings policy with highest available priority
         self.gsettings.apply()
@@ -182,6 +189,7 @@ class gsettings_applier_user(applier_frontend):
     __module_enabled = True
     __registry_branch = 'Software\\BaseALT\\Policies\\GSettings\\'
     __wallpaper_entry = 'Software\\BaseALT\\Policies\\GSettings\\org.mate.background.picture-filename'
+    __vino_authentication_methods_entry = 'Software\\BaseALT\\Policies\\GSettings\\org.gnome.Vino.authentication-methods'
 
     def __init__(self, storage, file_cache, sid, username):
         self.storage = storage
@@ -264,8 +272,11 @@ class gsettings_applier_user(applier_frontend):
             rp = valuename.rpartition('.')
             schema = rp[0]
             path = rp[2]
+            data = setting.data
             helper = self.uri_fetch_helper if setting.hive_key.lower() == self.__wallpaper_entry.lower() else None
-            self.gsettings.append(user_gsetting(schema, path, setting.data, helper))
+            if setting.hive_key.lower() == self.__vino_authentication_methods_entry.lower():
+                data = [setting.data]
+            self.gsettings.append(user_gsetting(schema, path, data, helper))
 
         # Create GSettings policy with highest available priority
         for gsetting in self.gsettings:

gpoa/util/kerberos.py

@@ -59,8 +59,9 @@ def machine_kdestroy(cache_name=None):
     if cache_name:
         kdestroy_cmd.extend(['-c', cache_name])
 
-    proc = subprocess.Popen(kdestroy_cmd, stderr=subprocess.DEVNULL)
-    proc.wait()
+    if cache_name or 'KRB5CCNAME' in os.environ:
+        proc = subprocess.Popen(kdestroy_cmd, stderr=subprocess.DEVNULL)
+        proc.wait()
 
     if cache_name and os.path.exists(cache_name):
         os.unlink(cache_name)

gpupdate.spec

@@ -1,8 +1,8 @@
 %define _unpackaged_files_terminate_build 1
 
 Name: gpupdate
-Version: 0.9.6
-Release: alt1
+Version: 0.9.8
+Release: alt0.dev1
 
 Summary: GPT applier
 License: GPLv3+
@@ -74,6 +74,14 @@ install -Dm0644 dist/%name.ini %buildroot%_sysconfdir/%name/%name.ini
 install -Dm0644 doc/gpoa.1 %buildroot/%_man1dir/gpoa.1
 install -Dm0644 doc/gpupdate.1 %buildroot/%_man1dir/gpupdate.1
 
+for i in gpupdate-localusers \
+	 gpupdate-group-users \
+	 gpupdate-system-uids
+do
+	install -pD -m755 "dist/$i" \
+		"%buildroot%_sysconfdir/control.d/facilities/$i"
+done
+
 %preun
 %preun_service gpupdate
 
@@ -104,6 +112,7 @@ fi
 %_man1dir/gpupdate.1.*
 /usr/lib/systemd/user/%name-user.service
 %dir %_sysconfdir/%name
+%_sysconfdir/control.d/facilities/*
 %config(noreplace) %_sysconfdir/%name/environment
 %config(noreplace) %_sysconfdir/%name/%name.ini
 %config(noreplace) %_sysconfdir/pam.d/system-policy-%name
@@ -116,6 +125,15 @@ fi
 %exclude %python3_sitelibdir/gpoa/test
 
 %changelog
+* Wed Sep 29 2021 Evgeny Sinelnikov <sin@altlinux.org> 0.9.7-alt1
+- Fix regression with kestroy for user credential cache
+- Update system-policy-gpupdate PAM-rules to ignore applying group policies
+  for local users and system users with uid less than 500
+- Add control facilities to rule system-policy-gpupdate rules:
+  + gpupdate-group-users
+  + gpupdate-localusers
+  + gpupdate-system-uids
+
 * Mon Sep 20 2021 Evgeny Sinelnikov <sin@altlinux.org> 0.9.6-alt1
 - Add support changed GPO List Processing for '**DelVals.' value name