
Bug#678931: debian-edu-config: modified base pam configuration after purge



[Holger Levsen]
> we don't call pam-auth-update during install, so why should we call
> it during uninstall?

I believe I know the answer to this one.  I tried to reproduce this
issue, by first creating a squeeze chroot, installing etckeeper to
track changes to /etc/, then installing debian-edu-config before doing
dist-upgrade to sid, committing all changes with etckeeper and
finishing off by purging debian-edu-config.

After this, I ran pam-auth-update to update the pam setup, and this
change was done:

diff --git a/pam.d/common-auth b/pam.d/common-auth
index c054e01..5facfa2 100644
--- a/pam.d/common-auth
+++ b/pam.d/common-auth
@@ -22,5 +22,4 @@ auth  requisite                       pam_deny.so
 # since the modules above will each just jump around
 auth   required                        pam_permit.so
 # and here are more per-package modules (the "Additional" block)
-auth   optional                        pam_group.so 
 # end of pam-auth-update config
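
Review bot: the `auth optional pam_group.so` line in the "Additional" block of common-auth only disappears because pam-auth-update was run by hand after the purge, so the purge itself left the file out of step with the installed profiles. Running pam-auth-update from the package's removal script would make this deletion part of the purge instead of a side effect of the next unrelated run.
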
diff --git a/pam.d/common-session b/pam.d/common-session
index d6731eb..464d41d 100644
--- a/pam.d/common-session
+++ b/pam.d/common-session
@@ -22,6 +22,5 @@ session       requisite                       pam_deny.so
 session        required                        pam_permit.so
 # and here are more per-package modules (the "Additional" block)
 session        required        pam_unix.so 
-session        optional                        pam_umask.so umask=002
 session        optional                        pam_ck_connector.so nox11
 # end of pam-auth-update config
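
Review bot: `session optional pam_umask.so umask=002` in the "Additional" block of common-session makes new files group-writable by default, and the line stayed active after the purge until pam-auth-update was run by hand. The purge should drop it at a defined point, and the package documentation should say that installing the package changes the session umask.
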
diff --git a/pam.d/common-session-noninteractive b/pam.d/common-session-noninteractive
index 13c0610..c9144d5 100644
--- a/pam.d/common-session-noninteractive
+++ b/pam.d/common-session-noninteractive
@@ -22,5 +22,4 @@ session       requisite                       pam_deny.so
 session        required                        pam_permit.so
 # and here are more per-package modules (the "Additional" block)
 session        required        pam_unix.so 
-session        optional                        pam_umask.so umask=002
 # end of pam-auth-update config
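
Review bot: any check for this bug needs to cover common-session-noninteractive as well, since the `pam_umask.so umask=002` line in its "Additional" block was left behind in the same way as the one in common-session.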

The cause for this "post-purge" change is that debian-edu-config
includes two files in /usr/share/pam-configs/, the edu-group and
edu-umask files.  These two files will cause pam-auth-update to enable
pam_group and pam_umask by default.

As debian-edu-config does not run pam-auth-update on its own, these
settings only take effect when other packages call pam-auth-update
during dist-upgrade.

I suspect a good correction is to change debian-edu-config to call
pam-auth-update during installation and purge, to make sure its
pam-configs files are properly and predictably handled.

But I'm not quite sure this will make piuparts happy, as the pam
related files piuparts complains about are files created and handled by
pam-auth-update from the libpam-runtime package.  Thus I suspect we
can not make piuparts happy without teaching it to associate the files
and directories in question with that package.

-- 
Happy hacking
Petter Reinholdtsen
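
A check for the condition described in the mail above, as an added example that is not part of the original message or of debian-edu-config: it lists modules still present in the "Additional" block of the common-* files that no profile in the pam-configs directory mentions. The function names, the directory arguments and the sample files are assumptions constructed for illustration, and matching by module name is a heuristic.

```shell
#!/bin/sh
# Added example: find modules in the pam-auth-update "Additional" block of
# PAM_DIR/common-* that no profile in PROFILE_DIR mentions any more.
# stale_pam_lines and demo are hypothetical names; all sample data is constructed.

stale_pam_lines() {   # usage: stale_pam_lines PAM_DIR PROFILE_DIR
    pam_dir=$1
    profile_dir=$2
    for f in "$pam_dir"/common-*; do
        [ -f "$f" ] || continue
        # Emit the module name of each rule between the two marker comments.
        awk '/the "Additional" block/ { on = 1; next }
             /end of pam-auth-update config/ { on = 0 }
             on && $1 !~ /^#/ {
                 for (i = 2; i <= NF; i++)
                     if ($i ~ /^pam_.*\.so$/) { print $i; break }
             }' "$f" |
        while read -r module; do
            # A module named by no installed profile was left behind.
            if ! grep -rqsF -- "$module" "$profile_dir"; then
                echo "$(basename "$f"): $module"
            fi
        done
    done
}

demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/pam.d" "$tmp/pam-configs"
    # Constructed common-session as it looks after the purge in the mail above.
    cat > "$tmp/pam.d/common-session" <<'EOF'
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_umask.so umask=002
session optional pam_ck_connector.so nox11
# end of pam-auth-update config
EOF
    # Constructed profile directory: edu-umask and edu-group are already gone.
    printf 'Name: Unix authentication\nSession-Type: Additional\nSession:\n\trequired pam_unix.so\n' \
        > "$tmp/pam-configs/unix"
    printf 'Name: ConsoleKit\nSession-Type: Additional\nSession:\n\toptional pam_ck_connector.so nox11\n' \
        > "$tmp/pam-configs/consolekit"
    stale_pam_lines "$tmp/pam.d" "$tmp/pam-configs"
    rm -rf "$tmp"
}

demo
```

On a real system the two arguments would be /etc/pam.d and /usr/share/pam-configs.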

