Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be unavailable on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1577174 - ecryptfs-utils calls authconfig in postinstall and postuninstall, but authconfig is depredicated in Fedora 28
Summary: ecryptfs-utils calls authconfig in postinstall and postuninstall, but authcon...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: ecryptfs-utils
Version: 28
Hardware: Unspecified
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Michal Hlavinka
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-05-11 11:58 UTC by Edgar Hoch
Modified: 2018-11-27 03:30 UTC (History)
4 users (show)

Fixed In Version: ecryptfs-utils-111-15.fc28 ecryptfs-utils-111-15.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-01 02:46:31 UTC
Type: Bug


Attachments (Terms of Use)
F28 dist-git patch (3.29 KB, patch)
2018-09-07 11:07 UTC, Pavel Březina
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1458602 0 medium CLOSED ecryptfs-utils: Proper packaging of python part, e.g. rename and add subpackage(s) for python[2|3] 2021-02-22 00:41:40 UTC

Internal Links: 1458602

Description Edgar Hoch 2018-05-11 11:58:13 UTC
Description of problem:

Package ecryptfs-utils calls authconfig in postinstall and postuninstall script.
But authconfig is replaced by authselect in Fedora 28,
and the compatibility tool does not what an administrator expects
when it removes package fprintd-pam.

I think the authconfig call should either removed in Fedora 28, or do the right thing - that is only enable or disable enableecryptfs, and leave the other authentication configuration in the same state (same config values, services in the same state).


# rpm -q --scripts ecryptfs-utils
preinstall scriptlet (using /bin/sh):
groupadd -r -f ecryptfs
postinstall scriptlet (using /bin/sh):
/sbin/ldconfig
if [ $1 -eq 1 ] ; then 
 # Initial installation 
 authconfig --enableecryptfs --update
fi
postuninstall scriptlet (using /bin/sh):
/sbin/ldconfig
if [ $1 -eq 0 ] ; then
 # Package removal, not upgrade
 authconfig --disableecryptfs --update
fi


Here you can see what it would do:

# authconfig --enableecryptfs --update
Running authconfig compatibility tool.

IMPORTANT: authconfig is replaced by authselect, please update your scripts.
See Fedora 28 Change Page: https://fedoraproject.org/wiki/Changes/AuthselectAsDefault
See man authselect-migration(7) to help you with migration to authselect

Executing: /usr/bin/authselect select sssd --force with-ecryptfs
Removing file: /etc/krb5.conf.d/authconfig-krb.conf
Removing file: /etc/sssd/conf.d/authconfig-sssd.conf
Executing: /usr/bin/systemctl disable sssd.service
Executing: /usr/bin/systemctl stop sssd.service
Executing: /usr/bin/systemctl disable winbind.service
Executing: /usr/bin/systemctl stop winbind.service


# authconfig --disableecryptfs --update
Running authconfig compatibility tool.

IMPORTANT: authconfig is replaced by authselect, please update your scripts.
See Fedora 28 Change Page: https://fedoraproject.org/wiki/Changes/AuthselectAsDefault
See man authselect-migration(7) to help you with migration to authselect

Executing: /usr/bin/authselect select sssd --force
Removing file: /etc/krb5.conf.d/authconfig-krb.conf
Removing file: /etc/sssd/conf.d/authconfig-sssd.conf
Executing: /usr/bin/systemctl disable sssd.service
Executing: /usr/bin/systemctl stop sssd.service
Executing: /usr/bin/systemctl disable winbind.service
Executing: /usr/bin/systemctl stop winbind.service


Version-Release number of selected component (if applicable):
ecryptfs-utils-111-12.fc28.x86_64

How reproducible:
Always.

Comment 1 Edgar Hoch 2018-09-06 12:52:44 UTC
Why did nothing happen since nearly four months??? It would be so easy to release a package that no longer calls authconfig.

But now, with a new release of authselect, the installation of your package destroys our running systems, because it changes the profile to sssd and disables rpcbind.service and ypbind.service! This makes our systems unusable. Very bad!


From the logs:

Running authconfig compatibility tool.
The purpose of this tool is to enable authentication against chosen services with authselect and minimum configuration. It does not provide all capabilities of authconfig.

IMPORTANT: authconfig is replaced by authselect, please update your scripts.
See Fedora 28 Change Page: https://fedoraproject.org/wiki/Changes/AuthselectAsDefault
See man authselect-migration(7) to help you with migration to authselect

Executing: /usr/bin/authselect select sssd --force with-ecryptfs
Removing file: /etc/krb5.conf.d/authconfig-krb.conf
Executing: /usr/bin/systemctl disable sssd.service
Executing: /usr/bin/systemctl stop sssd.service
Removing file: /etc/sssd/conf.d/authconfig-sssd.conf
Executing: /usr/bin/systemctl disable winbind.service
Executing: /usr/bin/systemctl stop winbind.service
Executing: /usr/bin/domainname (none)
Executing: /usr/sbin/setsebool -P allow_ypbind 0
Executing: /usr/bin/systemctl disable rpcbind.service
Executing: /usr/bin/systemctl disable ypbind.service
Executing: /usr/bin/systemctl stop rpcbind.service
Executing: /usr/bin/systemctl stop ypbind.service

Comment 2 Raphael Groner 2018-09-06 17:47:42 UTC
Sorry for inactivity here. But I guess upstream development is nearly dead, so the package isn't updated for a long time due to no plan for any official release(s) ahead. 

<rant> ecryptfs has never correctly worked for me in RPM based distributions but on ubuntu, maybe they use weird patches, also in kernel.

Maybe we should consider to file a ticket about non-responsive maintainer, or at least orphan this package.

There are better alternatives available like e.g. cryfs or securefs but not packaged yet.

Comment 3 Edgar Hoch 2018-09-07 01:59:14 UTC
Thanks for the reaction. I have excluded the package from our installation list now. I don't know if any of our users have used it.

(The package was included as dependency of python2-ecryptfs-utils, which was in my list because of the (not really good) idea to provide our users all available python packages...).

Comment 4 Raphael Groner 2018-09-07 05:00:23 UTC
python2-ecryptfs-utils should go away anyways, see rhbz#1458602.

Comment 5 Raphael Groner 2018-09-07 05:02:04 UTC
python2-ecryptfs-utils should go away anyways, see bug #1458602.

Comment 6 Pavel Březina 2018-09-07 11:07:52 UTC
Created attachment 1481563 [details]
F28 dist-git patch

Comment 7 Pavel Březina 2018-09-07 11:08:47 UTC
I attached a patch for F28 dist-git that should be pushed. I do not have the permission to do so as I am not a maintainer nor member of provenpackager group.

It should be applied to f28, f29 and rawhide.

Comment 8 Michal Hlavinka 2018-09-07 14:00:05 UTC
Pavel, thanks for the patch. Just a minor thing. Be aware that rpm scripts are executed with /bin/sh and while on most systems it means bash, it's not guaranteed, so you should not use any bashisms in scripts, only posix. Anyway, thanks for the patch

Comment 9 Fedora Update System 2018-09-07 14:16:34 UTC
ecryptfs-utils-111-15.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-73af536826

Comment 10 Fedora Update System 2018-09-07 14:16:41 UTC
ecryptfs-utils-111-15.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0523848188

Comment 11 Fedora Update System 2018-09-07 22:50:08 UTC
ecryptfs-utils-111-15.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-73af536826

Comment 12 Fedora Update System 2018-09-09 09:19:34 UTC
ecryptfs-utils-111-15.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0523848188

Comment 13 Fedora Update System 2018-10-01 02:46:31 UTC
ecryptfs-utils-111-15.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2018-11-27 03:30:19 UTC
ecryptfs-utils-111-15.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.