Re: [gentoo-user] Re: pambase/shadow warning
On Sun, Apr 22 2012, Neil Bothwick wrote:

> On Sun, 22 Apr 2012 14:21:56 -0400, Allan Gottlieb wrote:

>> First, thanks for the fix, hopefully not needed. It appears that the bug is in conf-update and not shadow so the rather brusque changing of the status of the shadow bug to resolved might be appropriate. But it would have been nice if they mentioned conf-update and neil's fix.

> The bug is not the same as I experienced. That problem is caused by not running any updater, and there are circumstances in which this might happen. My issue was caused by running a misbehaving updater.

Thanks for the clarification.

allan
Re: [gentoo-user] Re: pambase/shadow warning
On Sun, 22 Apr 2012 03:52:39 +0200, Alex Schuster wrote:

>> The comments there say that if you run etc-update right after the emerge all is well (but this isn't sufficient for people who use screen, detach, and log out). Someone also mentioned dispatch-conf working. No one mentioned cfg-update, which I use (and I believe neil does as well). Could the problem be dependent on which configuration file updater one uses?

> No, he is using conf-update, which is a different utility.

Yes, and it appears that conf-update handles orphaned ._cfg files poorly. Whether these files are allowed to exist or not is not really relevant, it should handle the situation, time for a bug report.

Incidentally, if anyone gets hit by this, the simple fix is to re-emerge shadow with --noconfmem, which installs the missing files.

--
Neil Bothwick

I am Zaphod of Borg. Now, where's the coolest place to be assimilated...
Re: [gentoo-user] Re: pambase/shadow warning
On Sun, Apr 22 2012, Neil Bothwick wrote:

> On Sun, 22 Apr 2012 03:52:39 +0200, Alex Schuster wrote:

>>> The comments there say that if you run etc-update right after the emerge all is well (but this isn't sufficient for people who use screen, detach, and log out). Someone also mentioned dispatch-conf working. No one mentioned cfg-update, which I use (and I believe neil does as well). Could the problem be dependent on which configuration file updater one uses?

>> No, he is using conf-update, which is a different utility.

> Yes, and it appears that conf-update handles orphaned ._cfg files poorly. Whether these files are allowed to exist or not is not really relevant, it should handle the situation, time for a bug report.

> Incidentally, if anyone gets hit by this, the simple fix is to re-emerge shadow with --noconfmem, which installs the missing files.

First, thanks for the fix, hopefully not needed. It appears that the bug is in conf-update and not shadow so the rather brusque changing of the status of the shadow bug to resolved might be appropriate. But it would have been nice if they mentioned conf-update and neil's fix.

So the way to avoid the problem is to run a configuration file updater other than conf-update right after the emerge world. Since I use cfg-update, this would explain why I had no problem on my secondary.

Having also ensured that I can use key-based ssh from the secondary to my primary machine, I am now unmasking pambase and shadow on the primary.

Hopefully soon the conf-update exception can be removed.

thanks again,
allan
Re: [gentoo-user] Re: pambase/shadow warning
On Sun, 22 Apr 2012 14:21:56 -0400, Allan Gottlieb wrote:

> First, thanks for the fix, hopefully not needed. It appears that the bug is in conf-update and not shadow so the rather brusque changing of the status of the shadow bug to resolved might be appropriate. But it would have been nice if they mentioned conf-update and neil's fix.

The bug is not the same as I experienced. That problem is caused by not running any updater, and there are circumstances in which this might happen. My issue was caused by running a misbehaving updater.

--
Neil Bothwick

Help put the fun back in dysfunctional !
Re: [gentoo-user] Re: pambase/shadow warning
On Fri, Apr 20 2012, Neil Bothwick wrote:

> On Fri, 20 Apr 2012 13:22:20 +0100, Neil Bothwick wrote:

>>> I'll run the update again today, paying more attention, and see what happens.

>> What happened is it broke again, with no obvious signs of the cause. conf-update reported only trivial changes to three files.

> I've just tried it on my netbook and the same happened, but I think I'm closer to the cause.

> The three files in /etc/pam.d are login, passwd and su. After updating, there were ._cfg* versions of these files, but no originals, so conf-update just deleted them. It turns out these were owned by shadow but now belong to pambase. I suspect that pambase installed them as ._cfg versions, because the others already existed, then shadow removed the originals as they were no longer part of the package.

> Whether this is a bug in portage, the ebuilds or conf-update is open to debate, but conf-update ought to handle the situation better. I'll file a bug later if no one beats me to it.

First, thanks for the warning.

There is a bug filed https://bugs.gentoo.org/show_bug.cgi?id=412721

The comments there say that if you run etc-update right after the emerge all is well (but this isn't sufficient for people who use screen, detach, and log out). Someone also mentioned dispatch-conf working. No one mentioned cfg-update, which I use (and I believe neil does as well). Could the problem be dependent on which configuration file updater one uses?

I have not updated my primary machine. I did update another one (both machines are ~amd64) including a cfg-update -q, but have not rebooted it. The secondary can su. This seems to suggest that cfg-update is sufficient in some cases.

Am I correct in believing the safe procedure is to add =sys-auth/pambase-20101024-r2 =sys-apps/shadow-4.1.5. to /etc/portage/package.mask (or a file in that directory)?

thanks,
allan
Re: [gentoo-user] Re: pambase/shadow warning
On 21.04.2012 17:30, Allan Gottlieb wrote:

> On Fri, Apr 20 2012, Neil Bothwick wrote:

>> On Fri, 20 Apr 2012 13:22:20 +0100, Neil Bothwick wrote:

>>>> I'll run the update again today, paying more attention, and see what happens.

>>> What happened is it broke again, with no obvious signs of the cause. conf-update reported only trivial changes to three files.

>> I've just tried it on my netbook and the same happened, but I think I'm closer to the cause.

>> The three files in /etc/pam.d are login, passwd and su. After updating, there were ._cfg* versions of these files, but no originals, so conf-update just deleted them. It turns out these were owned by shadow but now belong to pambase. I suspect that pambase installed them as ._cfg versions, because the others already existed, then shadow removed the originals as they were no longer part of the package.

>> Whether this is a bug in portage, the ebuilds or conf-update is open to debate, but conf-update ought to handle the situation better. I'll file a bug later if no one beats me to it.

> First, thanks for the warning.

> There is a bug filed https://bugs.gentoo.org/show_bug.cgi?id=412721

> The comments there say that if you run etc-update right after the emerge all is well (but this isn't sufficient for people who use screen, detach, and log out). Someone also mentioned dispatch-conf working. No one mentioned cfg-update, which I use (and I believe neil does as well). Could the problem be dependent on which configuration file updater one uses?

> I have not updated my primary machine. I did update another one (both machines are ~amd64) including a cfg-update -q, but have not rebooted it. The secondary can su. This seems to suggest that cfg-update is sufficient in some cases.

> Am I correct in believing the safe procedure is to add =sys-auth/pambase-20101024-r2 =sys-apps/shadow-4.1.5. to /etc/portage/package.mask (or a file in that directory)?

> thanks,
> allan

Hi,

I actually used cfg-update -u on 3 different machines up to now. So cfg-update can't be at the core of that problem. Maybe it's some kind of race-condition or the bug depends on other things too (e.g.: I'm using gnome and gdm also puts some files to /etc/pam.d which maybe mitigate the issue somehow) - pure speculation, though.

The syntax for the masking seems to be correct (since shadow-4.1.5-r2 already has hit the tree maybe the problem is solved. Otherwise you would most likely like to mask -r1 and -r2 also).

WKR
Hinnerk
Re: [gentoo-user] Re: pambase/shadow warning
On Sat, Apr 21 2012, Hinnerk van Bruinehsen wrote:

> On 21.04.2012 17:30, Allan Gottlieb wrote:

>> There is a bug filed https://bugs.gentoo.org/show_bug.cgi?id=412721

>> Am I correct in believing the safe procedure is to add =sys-auth/pambase-20101024-r2 =sys-apps/shadow-4.1.5. to /etc/portage/package.mask (or a file in that directory)?

> I actually used cfg-update -u on 3 different machines up to now. So cfg-update can't be at the core of that problem. Maybe it's some kind of race-condition or the bug depends on other things too (e.g.: I'm using gnome and gdm also puts some files to /etc/pam.d which maybe mitigate the issue somehow) - pure speculation, though.

Thanks. I also use gnome (-3) and gdm on all machines and this might explain why my secondary machine survived the update. However, there are doubtless many users and developers running KDE and the bug has no mention of them being unable to run after etc-update and friends (unless the damage is so great they can't add to the bug :-( ).

My secondary laptop has the dangerous versions installed and has been successfully rebooted and logged in to.

I am taking a more cautious approach on my primary laptop and masking =sys-auth/pambase-20120417 =sys-apps/shadow-4.1.5-r1 until the smoke clears.

allan
Re: [gentoo-user] Re: pambase/shadow warning
Hinnerk van Bruinehsen writes:

> On 21.04.2012 17:30, Allan Gottlieb wrote:

>> On Fri, Apr 20 2012, Neil Bothwick wrote:

>>> On Fri, 20 Apr 2012 13:22:20 +0100, Neil Bothwick wrote:

[...]

>>>> What happened is it broke again, with no obvious signs of the cause. conf-update reported only trivial changes to three files.

[...]

>> There is a bug filed https://bugs.gentoo.org/show_bug.cgi?id=412721

>> The comments there say that if you run etc-update right after the emerge all is well (but this isn't sufficient for people who use screen, detach, and log out). Someone also mentioned dispatch-conf working. No one mentioned cfg-update, which I use (and I believe neil does as well). Could the problem be dependent on which configuration file updater one uses?

No, he is using conf-update, which is a different utility.

Wonko
Re: [gentoo-user] Re: pambase/shadow warning
Before etc-update several login-related things didn't work for me (su not possible for example). After running etc-update everything seems to work fine for me (e.g. selinux and gnome3). I must confess that I didn't use sshd on my laptop so I can't say anything about that.

With kind regards,
Hinnerk

On 20.04.2012 02:12, walt wrote:

> On 04/19/2012 04:41 PM, Neil Bothwick wrote:

>> On Thu, 19 Apr 2012 15:39:25 -0700, walt wrote:

>>>> That would have failed on su. It works because I have key authentication for SSH. Otherwise I'd have been screwed.

>>> That seems like a (possibly) helpful clue. When you downgraded, did you do etc-update again, or were you asked to? Did you run it after the original upgrade?

>> No, no and no.

> Just to confirm, are you saying that you did *not* run etc-update after the original upgrade? I remember clearly from this morning that etc-update asked me to replace some files in /etc/pam.d, and I said yes to all. (I don't understand pam well enough to disobey orders ;)
Re: [gentoo-user] Re: pambase/shadow warning
On Thu, 19 Apr 2012 17:12:55 -0700, walt wrote:

>>> That seems like a (possibly) helpful clue. When you downgraded, did you do etc-update again, or were you asked to? Did you run it after the original upgrade?

>> No, no and no.

> Just to confirm, are you saying that you did *not* run etc-update after the original upgrade? I remember clearly from this morning that etc-update asked me to replace some files in /etc/pam.d, and I said yes to all. (I don't understand pam well enough to disobey orders ;)

AFAIR there was no suggestion to run etc-update. I certainly don't remember replacing any pam files, but I have conf-update set to automatically replace files that only differ in their comments.

I'll run the update again today, paying more attention, and see what happens.

--
Neil Bothwick

I'm firm. You're obstinate. He's a pigheaded fool
Re: [gentoo-user] Re: pambase/shadow warning
On Fri, 20 Apr 2012 08:56:48 +0100, Neil Bothwick wrote:

> I'll run the update again today, paying more attention, and see what happens.

What happened is it broke again, with no obvious signs of the cause. conf-update reported only trivial changes to three files.

% su
su: Authentication failure

It didn't even ask for a password. All the syslog contained was

Apr 20 13:17:19 hactar su[27738]: pam_authenticate: Authentication failure
Apr 20 13:17:19 hactar su[27738]: FAILED su for root by nelz
Apr 20 13:17:19 hactar su[27738]: - /dev/pts/3 nelz:root

Which is about as informative as Doh!.

This was in Konsole, switching to a VC, entering my username (or root) gave five reports of Login incorrect followed by Maximum number of tries exceeded. Once again, no password request.

Could this be the problem, that it is trying to authenticate me without, for whatever reason, asking for a password first?

--
Neil Bothwick

You know the end of the world is near when the Spice Girls start reproducing.
Re: [gentoo-user] Re: pambase/shadow warning
On Fri, 20 Apr 2012 13:22:20 +0100, Neil Bothwick wrote:

>> I'll run the update again today, paying more attention, and see what happens.

> What happened is it broke again, with no obvious signs of the cause. conf-update reported only trivial changes to three files.

I've just tried it on my netbook and the same happened, but I think I'm closer to the cause.

The three files in /etc/pam.d are login, passwd and su. After updating, there were ._cfg* versions of these files, but no originals, so conf-update just deleted them. It turns out these were owned by shadow but now belong to pambase. I suspect that pambase installed them as ._cfg versions, because the others already existed, then shadow removed the originals as they were no longer part of the package.

Whether this is a bug in portage, the ebuilds or conf-update is open to debate, but conf-update ought to handle the situation better. I'll file a bug later if no one beats me to it.

--
Neil Bothwick

Only an idiot actually READS taglines.
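
The state described in the message above (pending ._cfg* updates in /etc/pam.d with no live file beside them) can be checked for before any config updater is allowed to run. The script below is an added example, not part of the thread or of any Gentoo tool; it assumes Portage's ._cfgNNNN_<name> naming for pending updates, and the function names and sample file contents are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Portage's pending-update naming
# ._cfgNNNN_<name> (for instance ._cfg0000_su) inside a CONFIG_PROTECT directory.

# List live config files under DIR (default /etc/pam.d) that have a pending
# ._cfgNNNN_ update but are themselves missing: the state described above.
find_orphaned_cfg() {
    find "${1:-/etc/pam.d}" -type f -name '._cfg[0-9][0-9][0-9][0-9]_*' 2>/dev/null |
    while IFS= read -r pending; do
        base=${pending##*/}                      # ._cfg0000_su
        target=${pending%/*}/${base#._cfg????_}  # <dir>/su
        [ -e "$target" ] || printf '%s\n' "$target"
    done | sort -u
}

# Put the highest-numbered pending update in place of each missing file rather
# than letting an updater discard it. Prints one line per restored file.
restore_orphaned_cfg() {
    find_orphaned_cfg "${1:-}" | while IFS= read -r target; do
        for cand in "${target%/*}"/._cfg[0-9][0-9][0-9][0-9]_"${target##*/}"; do
            newest=$cand                         # globs expand in sorted order
        done
        cp -p "$newest" "$target" && printf 'restored %s\n' "$target"
    done
}

# Constructed sample: login and su are orphaned, passwd still has its original.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf 'auth include system-auth\n' > "$d/passwd"
    for f in login passwd su; do
        printf 'auth include system-local-login\n' > "$d/._cfg0000_$f"
    done
    printf 'auth sufficient pam_rootok.so\n' > "$d/._cfg0001_su"
    printf '%s\n' "$d"
}

if [ "${1:-}" = "--demo" ]; then
    dir=$(make_sample_dir)
    echo "missing before restore:"; find_orphaned_cfg "$dir"
    restore_orphaned_cfg "$dir"
    echo "missing after restore:";  find_orphaned_cfg "$dir"
    rm -rf "$dir"
fi
```

Run with --demo it works on a throwaway directory; the pending ._cfg files are left in place after a restore so a config updater can still review them.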
Re: [gentoo-user] Re: pambase/shadow warning
On Thu, 19 Apr 2012 22:57:45 +0300, Nikos Chantziaras wrote:

> Good thing I don't have pambase installed :-P

This is a recent build, so I thought I'd come out of the stone age and try using pam. That cave looks rather inviting right now...

--
Neil Bothwick

- We are but packets in the internet of Life-
Re: [gentoo-user] Re: pambase/shadow warning
On Thu, 19 Apr 2012 13:58:42 -0700, walt wrote:

>> I upgraded to sys-auth/pambase-20120417 and sys-apps/shadow-4.1.5-r1 and found I couldn't login to a new session or use su. Rebooting only made the problem permanent, I had to SSH in to revert to sys-auth/pambase-20101024-r2 and sys-apps/shadow-4.1.5.

> I've never been clear on how ssh authenticates a new login. Why would your ssh login be accepted? Did you ssh in as a user and su to root?

That would have failed on su. It works because I have key authentication for SSH. Otherwise I'd have been screwed.

> Anyway, just as another data point I did the same update today and have no trouble logging in. Here are my useflags for comparison

> Installed versions: 20120417!b(03:40:29 AM 04/19/2012)(consolekit cracklib gnome-keyring pam_ssh sha512 -debug -minimal -mktemp -pam_krb5 -passwdqc -selinux)
> Installed versions: 4.1.5-r1(03:41:02 AM 04/19/2012)(acl cracklib pam -audit -nls -selinux -skey -tcb -xattr)

Mine are the same except for gnome-keyring - I use KDE.

--
Neil Bothwick

The sergeant walked into the shower and caught me giving myself a dishonorable discharge. Without missing a beat, I said, It's my dick and I can wash it as fast as I want!
Re: [gentoo-user] Re: pambase/shadow warning
On Thu, 19 Apr 2012 15:39:25 -0700, walt wrote:

>> That would have failed on su. It works because I have key authentication for SSH. Otherwise I'd have been screwed.

> That seems like a (possibly) helpful clue. When you downgraded, did you do etc-update again, or were you asked to? Did you run it after the original upgrade?

No, no and no.

> I see that almost all of /etc/pam.d/* have today's date on them, the only exceptions being samba, sshd, imap, sudo, polkit-1, and start-stop-daemon.

Same here, and some of them have moved between the two packages.

--
Neil Bothwick

An unemployed Court Jester is nobody's fool.