From Fedora Project Wiki

Authselect: Require explicit opt-out

Summary

Any user changes to a configuration generated by authselect will be overwritten by subsequent call to authselect. Users that do not want to use authselect to manage their nsswitch and PAM configuration can opt-out by calling authselect opt-out or removing /etc/authselect/authselect.conf. It will also make authselect work on CoreOS and other rpm-ostree systems.

Owner


Current status

Detailed Description

Authselect is trying hard to avoid overwriting any potential user changes to the configuration that were not done through the authselect tool. If the content of the configuration has changed without authselect, any subsequent call to authselect refuses to overwrite the changes unless --force parameter is given to the tool. This is to prevent destruction of any user configuration.

This behavior allows a "mixed" configuration where the original configuration was created by authselect and then modified by user. Authselect essentially stopped managing those files, but the files were still symbolic links to /etc/authselect directory. The way how this is implemented also breaks authselect on ostree systems (BZ#2034360). Also, it is always quite difficult to explain this behavior to users and it seems to create more confusion then what is the benefit.

This behavior was important in the past to allow smooth and non-breaking transition to authselect. Fedora 36 encourages users to switch to authselect (if they haven't done that already), see Changes/Make_Authselect_Mandatory. This behavior is therefore no longer needed and we want to eliminate this mixed configuration and let users either use authselect or not, but nothing in between.

The behavior will change to:

  • if /etc/authselect/authselect.conf exists and is valid then all authselect calls write the new configuration
    • authselect will overwrite user changes if there are any and will not require user's confirmation through --force parameter
    • content of the files is no longer checked, therefore the files under /var/lib/authselect are no longer needed (this will make authselect work on ostree systems)
  • if /etc/authselect/authselect.conf does not exist or is corrupted, then authselect will require --force parameter
  • those users that don't want to have their configuration managed by authselect can call authselect opt-out
    • this will convert authselect configuration to non-authselect configuration (convert symbolic links to regular files and remove authselect.conf)
  • the result is that users would either use authselect or not, nothing in between

Feedback

Benefit to Fedora

  • The system configuration will be clear - it is either managed by authselect or not
  • This makes authselect compatible with ostree model.
  • The new behavior is more simple and similar to what users already know (for example how /etc/resolv.conf is managed)

Scope

  • Proposal owners: Implement these changes.
  • Other developers: N/A (not needed for this Change)
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives: N/A

Upgrade/compatibility impact

No impact.

How To Test

  1. Authselect keeps working as expected after the upgrade
  2. Any user change is overwritten when authselect is called if the configuration is managed by authselect (/etc/authselect/authselect.conf exist and is valid)

User Experience

Users that do not want to use authselect must explicitly opt-out by calling authselect opt-out. It is more clear how the authselect tool operates.

Dependencies

No dependencies.

Contingency Plan

  • Contingency mechanism: N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No

Documentation

N/A (not a System Wide Change)

Release Notes

Users that do not want use authselect to manage their nsswitch and PAM configuration must explicitly opt-out by calling authselect opt-out