pam-auth-update fails to enable Default: yes profiles

Bug #294513 reported by Greg Price on 2008-11-06
4
Affects Status Importance Assigned to Milestone
pam (Ubuntu)
Medium
Steve Langasek
Intrepid
Medium
Unassigned

Bug Description

In certain circumstances, pam-auth-update ignores the Default: lines in profiles newly arrived in /usr/share/pam-configs and never sees them later. As a consequence profiles that have Default: yes are never enabled without user intervention.

In particular, when the file /var/lib/pam/seen is absent it is treated effectively as if it contained every possible name. When in addition libpam-runtime/profiles in debconf is nonempty, pam-auth-update does not look at the Default: entries of any profile. It does record all the newly seen profiles in /var/lib/pam/seen, so it never looks at their Default: entries later either.

This situation arises for me when I have modifications to /etc/pam.d/common-*, upgrade from hardy to intrepid, and decline the offer to pam-auth-update --force during the upgrade.

I've attached a patch to the pam-auth-update in 1.0.1-4ubuntu5 that causes /var/lib/pam/seen to be treated as empty if it is absent, which seems like the right behavior and fixes this error case.

Related branches

Greg Price (gregprice) wrote :
Greg Price (gregprice) wrote :

As a separate issue that hasn't bitten me but that I saw while editing the code, if some profiles were previously selected but all of them have now disappeared then we should presumably enter the same "use all the defaults" fallback that we do if no profiles were selected. The present version doesn't. Here's a patch (applying after the previous one) to make it do so.

Steve Langasek (vorlon) wrote :

Thanks for the patches, Greg. I've applied the first to the bzr tree, and am having a look at the second one now.

Seeing that you're using git-formatted patches, I feel compelled to mention that there's a bzr branch specifically for the pam-auth-update work, available at bzr.debian.org/bzr/pkg-pam/debian/features/config-framework/, if you would prefer to work from there instead of working off of the packages directly.

Changed in pam:
assignee: nobody → vorlon
importance: Undecided → Medium
status: New → Confirmed

Excellent, thanks. I don't know much about the Ubuntu release and
update process; does a fix like this eventually appear in the apt
repositories under intrepid-updates or otherwise become available to
intrepid machines, or will it only be fixed in jaunty?

I've never used bzr, but I checked out (no, 'branched') that branch
just now. Perhaps I'll use it for the next patch I send.

Steve Langasek (vorlon) wrote :

It will definitely be fixed in jaunty; I'm not sure yet whether I'll push this as a change for intrepid-updates, because while I'm sure that it fixes a bug, I'm less confident that it won't reduce any other regressions in the process. So I'm going to let it cook in jaunty for a bit first to get it some extra testing before proposing it for intrepid.

In any case, I suspect that most users who are going to upgrade from hardy to intrepid have already done so (or will have done so soon), so pushing this into intrepid is not very time-critical particularly when weighed against the possibility of regression.

I've also committed the second patch now; you're right that if we consider an empty list of modules an error condition, we should do that when it's due to removals, as well.

Changed in pam:
status: Confirmed → Fix Committed
Steve Langasek (vorlon) on 2008-11-13
Changed in pam:
importance: Undecided → Medium
status: New → Confirmed
Steve Langasek (vorlon) wrote :

Not sure why, but this bug didn't get closed even though the fix has been uploaded. Changelog is:

pam (1.0.1-5ubuntu1) jaunty; urgency=low

  * Merge from Debian unstable
  * Remaining changes:
    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
      present there or in /etc/security/pam_env.conf. (should send to Debian).
    - debian/libpam0g.postinst: only ask questions during update-manager when
      there are non-default services running.
    - debian/patches-applied/series: Ubuntu patches are as below ...
    - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
      type rather than __u8.
    - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
      module option 'missingok' which will suppress logging of errors by
      libpam if the module is not found.
    - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
      password on bad username.
    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
      initialise RLIMIT_NICE rather than relying on the kernel limits.
    - debian/patches-applied/ubuntu-user_defined_environment: Look at
      ~/.pam_environment too, with the same format as
      /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
    - Change Vcs-Bzr to point at the Ubuntu branch.
    - debian/local/pam-auth-update (et al): new interface for managing
      /etc/pam.d/common-*, using drop-in config snippets provided by module
      packages.
    - debian/local/common-password, debian/pam-configs/unix: switch from
      "md5" to "sha512" as password crypt default.
  * Bump the version numbers referenced in the config files, again, as pam
    has revved in Debian and moved the bar.
  * pam-auth-update: If /var/lib/pam/seen is absent, treat this the same
    as a present but empty file; thanks to Greg Price for the patch.
    LP: #294513.
  * pam-auth-update: Ignore removed profiles when detecting an empty set
    of currently-enabled modules. Thanks to Greg Price for this as well.
  * debian/control: libpam-runtime needs a versioned dependency on
    debconf, because it uses the x_loadtemplatefile extension that's
    not supported by debconf versions before hardy. LP: #295135.
  * pam-auth-update: trim leading whitespace from multiline fields when
    parsing PAM profiles. LP: #295441.
  * pam-auth-update: factor out the duplicate code used for returning
    the lines for a given module

  [ Jonathan Marsden ]
  * debian/patches/027_pam_limits_better_init_allow_explicit_root:
    Add to patch, documenting how to set limits for root user.
    Include an example. Alters limits.conf, limits.conf.5.xml,
    and limits.conf.5 . (LP: #65244)

Changed in pam:
status: Fix Committed → Fix Released
Alex Valavanis (valavanisalex) wrote :

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the report. The bug has been fixed in newer releases of Ubuntu.

Changed in pam (Ubuntu Intrepid):
status: Confirmed → Invalid
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers