
Bug#983407: marked as done (Pam: Multiple issues Affecting Upgrades)



Your message dated Tue, 09 Mar 2021 12:36:03 -0500
with message-id <tslo8fsrzzw.fsf@suchdamage.org>
and subject line PAm Upgrades Migrated to Testing
has caused the Debian Bug report #983407,
regarding Pam: Multiple issues Affecting Upgrades
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
983407: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983407
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: vorlon@debian.org

Hi. I'm writing with my pam uploader hat on to give you a heads up about two issues that are kind of nasty and affect upgrades. This is just an FYI, opened as a bug because you've expressed a preference for that communication style.
Feel free to close now; if this is still open when I have an unblock ready, I'll close and file the unblock.

I hope to have something in experimental or unstable by end of this
week.  Depending on my confidence in the fixes, I may be ready for an
unblock at that point, or I may want to ask for additional review
before I'm ready to recommend inclusion in testing.


* 982530: removal of pam_tally

Up through buster, there were pam_tally and pam_tally2 modules available to provide lockout.
These modules were not in the default configuration, but apparently various hardening guides turned them on.

They were deprecated upstream, and we've chosen to remove them from bullseye.
Unfortunately, if your pam config includes these modules, then probably you can't log in until you boot with rescue media and fix the pam config.
Moreover, while you probably get reasonable errors in the journal, you probably can't see that because you can't log in.

Plan is to detect the situation and scream in the preinst.
Downside is that this means new strings that need translation (debconf templates).

* 982295: pam won't deal with upgrades without an init script

Pam restarts various services on upgrade (including buster to bullseye). The consequence of not restarting can be segfaults or failed pam authentications going forward. (libpam-modules gets out of sync with libpam0g and either fails to dlopen or segfaults depending).
The logic in libpam0g.postinst is init-script specific.

Our current policy allows init scripts to be removed, and apparently
various users and downstreams are removing init scripts even when the
package still contains them.
I'm testing a patch to use systemd facilities for doing restarts if booted with systemd as init.





-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing'), (500, 'stable'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-3-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
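
One way to do the pre-upgrade check described under 982530 (finding active pam_tally or pam_tally2 lines before the modules disappear), as an added example that is not part of this thread and not the pam package's actual preinst. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: NOT the pam package's preinst. Reports active PAM config
# lines that load pam_tally.so or pam_tally2.so (removed in bullseye).

# scan_pam_tally DIR
#   Prints "file:line:text" for each hit. Returns 0 if any hit was found,
#   1 if none, 2 if DIR is missing. DIR defaults to /etc/pam.d.
scan_pam_tally() {
    dir=${1:-/etc/pam.d}
    [ -d "$dir" ] || return 2
    status=1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Strip '#' comments first so a commented-out module is not flagged.
        # The module name must follow whitespace or '/' (absolute path) and
        # end its token, so pam_tally2.so and /lib/.../pam_tally.so match.
        if awk -v file="$f" '
            { line = $0; sub(/#.*/, "", line) }
            line ~ "[ \t/]pam_tally2?[.]so([ \t]|$)" {
                printf "%s:%d:%s\n", file, NR, $0; hit = 1
            }
            END { exit(hit ? 0 : 1) }' "$f"
        then
            status=0
        fi
    done
    return "$status"
}

# make_sample DIR: constructed sample configs (not taken from a real system).
make_sample() {
    mkdir -p "$1"
    cat > "$1/common-auth" <<'EOF'
# auth required pam_tally.so deny=5
auth    required    pam_tally2.so deny=5 onerr=fail
auth    [success=1 default=ignore]    pam_unix.so nullok
EOF
    cat > "$1/sshd" <<'EOF'
@include common-auth
account required    pam_nologin.so   # pam_tally.so dropped here
EOF
    cat > "$1/login" <<'EOF'
account required    /lib/security/pam_tally.so
EOF
}
```

Running `scan_pam_tally` with no argument checks `/etc/pam.d`; a zero exit status means at least one service would fail to load its lockout module after the upgrade.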
--- Begin Message ---
Fixes to the two upgrade issues we discussed migrated to bullseye.
However, there are some bugs discovered in code review I requested of
the fixes as well as a whole slew of translation updates.  I will be
submitting an unblock in the next few days, but this tracking bug has
been dealt with.

--- End Message ---
