pam-auth-update fails to enable Default: yes profiles

Bug #294513 reported by Greg Price
Affects Status Importance Assigned to Milestone
pam (Ubuntu)
Fix Released
Steve Langasek

Bug Description

In certain circumstances, pam-auth-update ignores the Default: lines in profiles newly arrived in /usr/share/pam-configs and never sees them later. As a consequence profiles that have Default: yes are never enabled without user intervention.

In particular, when the file /var/lib/pam/seen is absent it is treated effectively as if it contained every possible name. When in addition libpam-runtime/profiles in debconf is nonempty, pam-auth-update does not look at the Default: entries of any profile. It does record all the newly seen profiles in /var/lib/pam/seen, so it never looks at their Default: entries later either.

This situation arises for me when I have modifications to /etc/pam.d/common-*, upgrade from hardy to intrepid, and decline the offer to pam-auth-update --force during the upgrade.

I've attached a patch to the pam-auth-update in 1.0.1-4ubuntu5 that causes /var/lib/pam/seen to be treated as empty if it is absent, which seems like the right behavior and fixes this error case.

Related branches

Revision history for this message
Greg Price (gregprice) wrote :
Revision history for this message
Greg Price (gregprice) wrote :

As a separate issue that hasn't bitten me but that I saw while editing the code, if some profiles were previously selected but all of them have now disappeared then we should presumably enter the same "use all the defaults" fallback that we do if no profiles were selected. The present version doesn't. Here's a patch (applying after the previous one) to make it do so.

Revision history for this message
Steve Langasek (vorlon) wrote :

Thanks for the patches, Greg. I've applied the first to the bzr tree, and am having a look at the second one now.

Seeing that you're using git-formatted patches, I feel compelled to mention that there's a bzr branch specifically for the pam-auth-update work, available at, if you would prefer to work from there instead of working off of the packages directly.

Changed in pam:
assignee: nobody → vorlon
importance: Undecided → Medium
status: New → Confirmed
Revision history for this message
Greg Price (gregprice) wrote : Re: [Bug 294513] Re: pam-auth-update fails to enable Default: yes profiles

Excellent, thanks. I don't know much about the Ubuntu release and
update process; does a fix like this eventually appear in the apt
repositories under intrepid-updates or otherwise become available to
intrepid machines, or will it only be fixed in jaunty?

I've never used bzr, but I checked out (no, 'branched') that branch
just now. Perhaps I'll use it for the next patch I send.

Revision history for this message
Steve Langasek (vorlon) wrote :

It will definitely be fixed in jaunty; I'm not sure yet whether I'll push this as a change for intrepid-updates, because while I'm sure that it fixes a bug, I'm less confident that it won't reduce any other regressions in the process. So I'm going to let it cook in jaunty for a bit first to get it some extra testing before proposing it for intrepid.

In any case, I suspect that most users who are going to upgrade from hardy to intrepid have already done so (or will have done so soon), so pushing this into intrepid is not very time-critical particularly when weighed against the possibility of regression.

I've also committed the second patch now; you're right that if we consider an empty list of modules an error condition, we should do that when it's due to removals, as well.

Changed in pam:
status: Confirmed → Fix Committed
Steve Langasek (vorlon)
Changed in pam:
importance: Undecided → Medium
status: New → Confirmed
Revision history for this message
Steve Langasek (vorlon) wrote :

Not sure why, but this bug didn't get closed even though the fix has been uploaded. Changelog is:

pam (1.0.1-5ubuntu1) jaunty; urgency=low

  * Merge from Debian unstable
  * Remaining changes:
    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
      present there or in /etc/security/pam_env.conf. (should send to Debian).
    - debian/libpam0g.postinst: only ask questions during update-manager when
      there are non-default services running.
    - debian/patches-applied/series: Ubuntu patches are as below ...
    - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
      type rather than __u8.
    - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
      module option 'missingok' which will suppress logging of errors by
      libpam if the module is not found.
    - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
      password on bad username.
    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
      initialise RLIMIT_NICE rather than relying on the kernel limits.
    - debian/patches-applied/ubuntu-user_defined_environment: Look at
      ~/.pam_environment too, with the same format as
      /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
    - Change Vcs-Bzr to point at the Ubuntu branch.
    - debian/local/pam-auth-update (et al): new interface for managing
      /etc/pam.d/common-*, using drop-in config snippets provided by module
    - debian/local/common-password, debian/pam-configs/unix: switch from
      "md5" to "sha512" as password crypt default.
  * Bump the version numbers referenced in the config files, again, as pam
    has revved in Debian and moved the bar.
  * pam-auth-update: If /var/lib/pam/seen is absent, treat this the same
    as a present but empty file; thanks to Greg Price for the patch.
    LP: #294513.
  * pam-auth-update: Ignore removed profiles when detecting an empty set
    of currently-enabled modules. Thanks to Greg Price for this as well.
  * debian/control: libpam-runtime needs a versioned dependency on
    debconf, because it uses the x_loadtemplatefile extension that's
    not supported by debconf versions before hardy. LP: #295135.
  * pam-auth-update: trim leading whitespace from multiline fields when
    parsing PAM profiles. LP: #295441.
  * pam-auth-update: factor out the duplicate code used for returning
    the lines for a given module

  [ Jonathan Marsden ]
  * debian/patches/027_pam_limits_better_init_allow_explicit_root:
    Add to patch, documenting how to set limits for root user.
    Include an example. Alters limits.conf, limits.conf.5.xml,
    and limits.conf.5 . (LP: #65244)

Changed in pam:
status: Fix Committed → Fix Released
Revision history for this message
Alex Valavanis (valavanisalex) wrote :

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the report. The bug has been fixed in newer releases of Ubuntu.

Changed in pam (Ubuntu Intrepid):
status: Confirmed → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.