[Intrepid] Upgrading to Intrepid beta, PAM asks confusing question

Bug #278117 reported by Shaun Crampton on 2008-10-04
Affects Status Importance Assigned to Milestone
pam (Ubuntu)

Bug Description

Just upgraded to intrepid beta. During the install, PAM asks which services should be restarted (to get the new libpam?).

This is unacceptable for a non-technical user since a non-technical user
  - has no idea what PAM is
  - has no idea what a service is
  - has no idea which should be restarted, if any.

I'm a technical user and I still don't now what the impact of the question is or why I'm being asked. I can see that I might not want to restart apache immediately if I was running a web server say but I'm not, I'm running a desktop PC.

I think the dialog should be dropped and just restart the services, especially on a dist upgrade when I'd rather leave the PC unattended rather than babysit it for 2 hours.

Steve Langasek (vorlon) wrote :

Thank you for taking the time to file this report and help to improve Ubuntu.

The question in this package has already been tuned, relative to what's asked in Debian, to ensure that it's not asked by default on systems using update-manager. But the question is still asked if you have other services installed, because

- these services need to be restarted in order to be able to continue authenticating users via PAM
- some of them are services that it's inappropriate for PAM to restart without explicit admin approval.

There is consequently no reasonable default here because this package can't sanely get information about which services it's "safe" to restart - it can only hint to the admin which services need to be restarted again in order to use PAM authentication.

In fact, we simultaneously have another bug report, bug #256238, about the fact that with the current handling PAM never prompts at all under update-manager, and as a result a user who lets their screen lock after the upgrade will be unable to get in past the screensaver.

Which services were you asked about restarting on upgrade? Most of the affected services are not at all suitable for running on a desktop; and the ones that are installed by default are supposed to be filtered out already so as to not trigger the prompt. But I see that we do have a bug with handling the cups package name change, and we probably also want to filter out samba since this can be pulled in by the desktop for file sharing. If there are others that are going to be installed on a typical Ubuntu desktop, I would want to know about them too.

As for not knowing why you're being asked, if there are improvements that can be made to the question that communicate this better in cases when the question /is/ asked, I'm certainly in favor of that. For reference, here is the full text of the question:

 Services to restart for PAM library upgrade:

 Most services that use PAM need to be restarted to use modules built for
 this new version of libpam. Please review the following space-separated
 list of init.d scripts for services to be restarted now, and correct it
 if needed.
 Some other services such as xscreensaver, gnome-screensaver, and xlockmore
 cannot be restarted for you. You will not be able to authenticate to these
 services until you restart them manually.

Shaun Crampton (fasaxc) wrote :

I'm not sure which services I was asked about (didn't think to write it down), but I run a host of services because I use my box for web development work. I had assumed that the question would be asked to all users and since it doesn't pass the "could my mother answer it" test, I filed a bug.

As you said, it's unfortunate if SAMBA triggers the question. If that can't be avoided, I suggest rewording it to be intelligible to non-techies. The following might be better:

Services to restart for login library (PAM) upgrade:

Most services that use the login library need to be restarted to use this new
version. Without a restart, login to the corresponding service may fail.

The services in the following space-separated list will be restarted.
Unless you are a system administrator and you have specific requirements it is safe to
continue with the default list.

Some other services such as xscreensaver, gnome-screensaver, and xlockmore
cannot be restarted for you. You will not be able to authenticate to these
services until you restart them manually.

Steve Langasek (vorlon) wrote :

With the latest pam upload, the question should now be avoided for samba.

I think rewriting the debconf question should be postponed until jaunty, since hat will disrupt translations.

Kees Cook (kees) wrote :

(See also, bug 141309) For Karmic, does libpam0g need to grow knowledge of upstartified services? Currently, it only checks for scripts in /etc/init.d/. (e.g. cron has moved, though the /etc/init.d location still contains the upstart place-holder script.)

Steve Langasek (vorlon) wrote :

eventually it needs to know about upstartified services. Since the only ones it cares about for right now will all have upstart-job compat symlinks, we shouldn't have to worry about this until post-lucid.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers