pam_userdb.so is missing

Bug #2064350 reported by Thomas-Thomas
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
pam (Debian)
Fix Released
Unknown
pam (Ubuntu)
Fix Released
High
Dan Bungert
Noble
Fix Released
High
Dan Bungert

Bug Description

[ Impact ]

 * In the process of bootstrapping pam for time_t, libdb-dev was
   deliberately removed in salsa commit 65621d8 to allow libdb-dev to
   undergo time_t transition.
 * The result of that is no pam_userdb.so in libpam-modules
 * The fix takes the form of correcting a build dependency, which
   results in pam_userdb.so being again available.

[ Test Plan ]

 * regression
   * obtain a noble test system - I personally used a noble chroot
   * adjust apt sources and ensure noble-proposed is present
   * install libpam-modules 1.5.3-5ubuntu5.1
   * login to the test machine with appropriate credentials - the
     literal `login` command is useful here
 * userdb functionality
   * start with the same test machine from the regression test
   * install db5.3-util
   * modify /etc/pam.d/login to comment out all `auth` lines, and add
     this instead
```
auth requisite pam_userdb.so db=/etc/dbtest
```
   * create a textfile named `input` that looks like
```
your_username
test_password - different than /etc/shadow
```
   * `db5.3_load -T -f input -t hash /etc/dbtest.db`
   * login to the test machine with your_username and the
     test_password - the literal `login` command is useful here

[ Where problems could occur ]

 * As usual, no SRU has zero risk
 * Any change to pam risks problems in user logins failing, so a
   basic regression test has been provided

[ Development release status ]

Issue fixed in merge from Debian and subsequent 1.5.3-7ubuntu1 upload.

[ Other Info ]

 * None at this time

original description follows
---

The file is missing from libpam-modules.
This breaks, for example, existing vsftp configs if it is configured to use pam_userdb.so

Log:

vsftpd: PAM unable to dlopen(pam_userdb.so): /usr/lib/security/pam_userdb.so: cannot open shared object file: No such file or directory
vsftpd: PAM adding faulty module: pam_userdb.so

Apparently there was a change which removed this in the past, and it might be the removal has not been undone, while the package has been released nevertheless.

http://changelogs.ubuntu.com/changelogs/pool/main/p/pam/pam_1.5.3-5ubuntu5/changelog

  * For now remove libdb-dev so that libdb-dev can undergo time_t
    transition. That means this version of pam does not include
    pam_userdb, which makes pam unsuitable for release.

$ lsb_release -rd
No LSB modules are available.
Description: Ubuntu 24.04 LTS
Release: 24.04

$ apt-cache policy libpam-modules
libpam-modules:
  Installed: 1.5.3-5ubuntu5
  Candidate: 1.5.3-5ubuntu5
  Version table:
 *** 1.5.3-5ubuntu5 500
        500 http://de.archive.ubuntu.com/ubuntu noble/main amd64 Packages
        100 /var/lib/dpkg/status

description: updated
description: updated
Steve Langasek (vorlon)
Changed in pam (Ubuntu):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Dan Bungert (dbungert)
Dan Bungert (dbungert)
Changed in pam (Ubuntu):
status: Triaged → In Progress
Changed in pam (Debian):
status: Unknown → Fix Released
Dan Bungert (dbungert)
description: updated
Dan Bungert (dbungert)
Changed in pam (Ubuntu):
status: In Progress → Fix Committed
Changed in pam (Ubuntu Noble):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Dan Bungert (dbungert)
Revision history for this message
Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello Thomas-Thomas, or anyone else affected,

Accepted pam into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/pam/1.5.3-5ubuntu5.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in pam (Ubuntu Noble):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-noble
Revision history for this message
Thomas-Thomas (thomas-thomas) wrote (last edit ):

Version 1.5.3-5ubuntu5.1 of pam indeed fixed my problem. Thank you!

I updated the packages and restarted the vsftpd. It works again now.

tags: added: verification-done-noble
removed: verification-needed-noble
Revision history for this message
Dan Bungert (dbungert) wrote :

Using a noble schroot, I have confirmed that the fix looks correct.

Dan Bungert (dbungert)
tags: added: verification-done
removed: verification-needed
Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (pam/1.5.3-5ubuntu5.1)

All autopkgtests for the newly accepted pam (1.5.3-5ubuntu5.1) for noble have finished running.
The following regressions have been reported in tests triggered by the package:

cron/3.0pl1-184ubuntu2 (s390x)
dovecot/1:2.3.21+dfsg1-2ubuntu5 (s390x)
inetutils/2:2.5-3ubuntu4 (s390x)
libreswan/4.14-1ubuntu2 (s390x)
lxc/1:5.0.3-2ubuntu7 (s390x)
openssh/unknown (armhf, s390x)
samba/2:4.19.5+dfsg-4ubuntu9 (s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/noble/update_excuses.html#pam

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Dan Bungert (dbungert) wrote :

Marking fix released for Oracular, this was fixed but it wasn't noted in the changelog.

Changed in pam (Ubuntu):
status: Fix Committed → Fix Released
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pam - 1.5.3-5ubuntu5.1

---------------
pam (1.5.3-5ubuntu5.1) noble; urgency=medium

  [ Sam Hartman ]
  * Correct Build depends for docbook5 (LP: #2064360)
  * Depend on libdb-dev again, bringing back pam_userdb (LP: #2064350)

 -- Dan Bungert <email address hidden> Thu, 02 May 2024 16:20:13 -0600

Changed in pam (Ubuntu Noble):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for pam has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.