Bug 1655334 - pam /etc/pam.d/*-auth files conflict with those generated by authselect
Summary: pam /etc/pam.d/*-auth files conflict with those generated by authselect
Alias: None
Product: Fedora
Classification: Fedora
Component: pam
Version: 29
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2018-12-02 21:22 UTC by Michael Carney
Modified: 2018-12-03 09:31 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-12-03 09:31:27 UTC
Type: Bug

Attachments (Terms of Use)

Description Michael Carney 2018-12-02 21:22:33 UTC
Description of problem: The pam rpm contains /etc/pam.d/*-auth files which authselect manages. When pam is updated, this results in /etc/pam.d/*-auth.rpmnew files

Version-Release number of selected component (if applicable): pam-1.3.1-8.fc29,

Additional info:
The /etc/pam.d/*-auth files should be removed from the pam rpm and merged with those in the authselect-libs rpm. There should only be one copy of the templates, those in authselect-libs. Whenever the templates are updated, authselect should be rerun.

Comment 1 Björn 'besser82' Esser 2018-12-02 21:40:18 UTC
@tmraz maybe we should package those files as %ghost, so there are sane presets installed with pam and do not generate .rpmnew files when the settings are updated by authselect?

Comment 2 Tomas Mraz 2018-12-03 07:56:27 UTC
The question is whether it is possible to install a minimal core system without authselect. It used to be possible when there was authconfig instead of authselect.

And if it is still possible even with authselect, I do not think we should change PAM for this. It would be still useful, if you do not manage your PAM configuration with authselect, to know whether the package's configuration changed or not.

So, I do not see this as a real bug.

Comment 3 Tomas Mraz 2018-12-03 07:57:54 UTC
What might be a kind-of bug is whether the default configuration as created by authselect is different from what is shipped in the PAM package - if that's so, we might want to align - most probably by changing the PAM package configuration.

Comment 4 Pavel Březina 2018-12-03 09:07:57 UTC
It is possible to have system completely without authselect. In the future, we would like to take over ownership of nsswitch.conf and these pam files, but there are still things to solve before we can start discussion about it.

Why this was not an issue with authconfig and is now with authselect? I would expect %config(noreplace) so even custom changes are not overwritten.

Comment 5 Björn 'besser82' Esser 2018-12-03 09:23:33 UTC
(In reply to Pavel Březina from comment #4)
> I would expect %config(noreplace) so even custom changes are not overwritten.

For that reason I've suggested to package those files as %ghost in the PAM package.

This will ensure:

  a) no such file exists?  Install the file from the pam package (sane preset).

  b) file already exists?  Do not alter / overwrite it, but still own it.  Do
                           not create .rpmnew / .rpmsave files.  Leave changes
                           to authselect and/or system administrator.

Any thoughts?

Comment 6 Tomas Mraz 2018-12-03 09:31:27 UTC
It was always like this that the .rpmnew files were created. And I do not regard this as an issue.

I do not think making the files as %ghost is a good idea.


Note You need to log in before you can comment on or make changes to this bug.