Add script to avoid fingerprint-auth issues for long term Fedora users

Resolves: #1942443

pam.spec

@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.5.1
-Release: 4%{?dist}
+Release: 5%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -361,7 +361,26 @@ done
 %doc doc/txts
 %doc doc/sag/*.txt doc/sag/html
 
+%posttrans
+
+# For people upgrading from older Fedora versions, authselect might not be
+# enabled or unable to do anything due to e.g. a modified nsswitch.conf.
+# The following snippets apply important fixes in those cases.
+
+# Change pam_fprintd.so in fingerprint-auth from sufficient to [success=done default=bad]
+# in order for PAM_AUTHINFO_UNAVAIL error codes to be propagated.
+FILE="$(readlink -f %{_sysconfdir}/pam.d/fingerprint-auth || echo %{_sysconfdir}/pam.d/fingerprint-auth)"
+test "$FILE" != %{_sysconfdir}/authselect/fingerprint-auth && \
+  %__grep -q '^auth[[:space:]]\+sufficient[[:space:]]\+pam_fprintd.so' $FILE && \
+  %__sed -i.bak -e 's/^auth[[:space:]]\+sufficient[[:space:]]\+pam_fprintd.so\(.*\)/auth        [success=done default=bad]                   pam_fprintd.so\1/g' $FILE
+
+exit 0
+
 %changelog
+* Fri Apr 16 2021 Benjamin Berg <bberg@redhat.com> - 1.5.1-5
+- Add script to avoid fingerprint-auth issues for long term Fedora users
+  Resolves: #1942443
+
 * Mon Apr 12 2021 Iker Pedrosa <ipedrosa@redhat.com> - 1.5.1-4
 - Change fingerprint-auth.pamd to return PAM_AUTHINFO_UNAVAIL from pam_fprintd.so
 - Clean auto-generated message from pam stack files