[email protected] escreveu: > > While helping fedya to debug some problems in the aarch64 > chroot, I found that only mandriva* has this: > > $ rpm -q --scripts pam > [...] > if [ -f /etc/login.defs ] && ! grep -q USE_TCB /etc/login.defs; then > /usr/sbin/set_tcb --auto --migrate > fi > [...]
So, any comments about removing the above from pam %post? It is obviously wrong, because to be correct it should be something like "egrep -q '^[[:space:]]*USE_TCB[[:space:]]+[yY][eE]?[sS]?[[:space:]]*' > note that also, from tested distros (well, suse and fedora) only > mandriva* has a USE_TCB string in /etc/login.defs, but the scriplet > is very naive, because the USE_TCB string in mandriva* is setting it > to "no" ... > > I think it is safe to match other distros and remove that scriptlet. > > pam_tcb is supposed to be an alternative to shadow, and that may > cause a lot of harm... > > This probably was also the reason I did need to fix my cooker vm > because /etc/shadow was corrupted, and all started, apparently > after forcing a rebuild of libutempter to "fix" dependency issues > generating a new chroot. Actually, the problem is a bit complex, changing libutempter to require "pam" caused tcb to be installed, as only the pam package requires "tcb"... If any package were to be migrating from shadow to tcb, it should be tcb %post scriptlet itself, not pam %post scriptlet. > For better archeology: > http://svn.mandriva.com/viewvc/packages/cooker/pam/current/SPECS/pam.spec?view=annotate Thanks, Paulo
