1734302 – authselect cannot validate its own files

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1734302 - authselect cannot validate its own files

Summary: authselect cannot validate its own files

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	authselect
Sub Component:
Version:	8.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	8.0
Assignee:	Pavel Březina
QA Contact:	Steeve Goveas
Docs Contact:
URL:
Whiteboard:
Depends On:	1697267
Blocks:
TreeView+	depends on / blocked

Reported:	2019-07-30 08:14 UTC by Pavel Březina
Modified:	2020-09-08 06:49 UTC (History)
CC List:	6 users (show)
Fixed In Version:	authselect-1.1-1.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1697267
Environment:
Last Closed:	2019-11-05 22:33:32 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:
Flags:	pm-rhel: mirror+

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2019:3647	0	None	None	None	2019-11-05 22:33:41 UTC

Description Pavel Březina 2019-07-30 08:14:00 UTC

+++ This bug was initially created as a clone of Bug #1697267 +++

Description of problem:
Sometimes I can see failures when enabling/disabling features.
Even though there were not any manual changes to files.

e.g.
sh$ authselect enable-feature with-mkhomedir'
[error] [/etc/authselect/postlogin] has unexpected content!
[error] Unexpected changes to the configuration were detected.
[error] Refusing to activate profile unless those changes are removed or overwrite is requested.
Unable to enable feature [17]: File exists

sh$ authselect enable-feature with-mkhomedir'
[error] [/etc/authselect/dconf-locks] has unexpected content!
[error] Unexpected changes to the configuration were detected.
[error] Refusing to activate profile unless those changes are removed or overwrite is requested.
Unable to enable feature [17]: File exists

Version-Release number of selected component (if applicable):
authselect-1.0.3-1.fc30.x86_64

How reproducible:
I do not have deterministic reproducer.
Just run tests many times.

Additional info:
sh-5.0# authselect check
[error] [/etc/authselect/postlogin] has unexpected content!
Current configuration is not valid. It was probably modified outside authselect.

sh-5.0# diff -i /etc/authselect/postlogin /var/lib/authselect/postlogin
1c1
< # Generated by authselect on Sat Apr  6 17:02:02 2019
---
> # Generated by authselect on Sat Apr  6 17:02:01 2019



sh-5.0# authselect check
[error] [/etc/authselect/postlogin] has unexpected content!
Current configuration is not valid. It was probably modified outside authselect.
sh-5.0# 
sh-5.0# diff /etc/authselect/postlogin /var/lib/authselect/postlogin
1c1
< # Generated by authselect on Sat Apr  6 17:02:02 2019
---
> # Generated by authselect on Sat Apr  6 17:02:01 2019

--- Additional comment from Pavel Březina on 2019-04-10 09:30:48 UTC ---

Thank you. I will try to reproduce it.

--- Additional comment from Pavel Březina on 2019-04-11 10:13:53 UTC ---

Upstream ticket:
https://github.com/pbrezina/authselect/issues/146

--- Additional comment from Pavel Březina on 2019-04-25 08:42:28 UTC ---

Steps to reproduce:

$ sudo gdb -quiet authselect -ex 'set breakpoint pending on' -ex 'b src/lib/files/system.c:428' -ex 'run select sssd --force' -ex 'shell sleep 1' -ex 'detach' -ex 'quit'
$ sudo authselect check
[error] [/dev/shm/authselect-install/etc/authselect/system-auth] has unexpected content!
Current configuration is not valid. It was probably modified outside authselect.

--- Additional comment from Ben Cotton on 2019-05-02 19:39:15 UTC ---

This message is a reminder that Fedora 28 is nearing its end of life.
On 2019-May-28 Fedora will stop maintaining and issuing updates for
Fedora 28. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 28 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

--- Additional comment from Ben Cotton on 2019-05-28 23:57:06 UTC ---

Fedora 28 changed to end-of-life (EOL) status on 2019-05-28. Fedora 28 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

--- Additional comment from Fedora Update System on 2019-06-13 09:55:44 UTC ---

FEDORA-2019-84659dbcb4 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-84659dbcb4

--- Additional comment from Fedora Update System on 2019-06-14 02:12:31 UTC ---

authselect-1.0.4-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-84659dbcb4

--- Additional comment from John on 2019-07-24 06:26:12 UTC ---


YOU SEE WHAT HAPPENS WHEN YOU REFUSE TO FIX A PROBLEM PROPERLY IN FEDORA?

IT ENDS UP IN YOUR "Enterprise" OS, EL8:

    [error] [/etc/authselect/password-auth] has unexpected content!
    [error] Unexpected changes to the configuration were detected.
    [error] Refusing to activate profile unless those changes are removed or overwrite is requested.

I very much doubt /etc/authselect/password-auth has been modified by *ANYTHING* besides authselect, as it doesn't look like something systemd would bother with.

Just ridiculous.

authselect-1.0-13.el8

--- Additional comment from John on 2019-07-24 06:33:58 UTC ---


# cat /etc/authselect/password-auth
# Generated by authselect on Wed Jul 24 16:14:19 2019
...

And look at this:

#stat  /etc/authselect/password-auth
  File: /etc/authselect/password-auth
  Size: 2062            Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 6293724     Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:etc_t:s0
Access: 2019-07-24 16:16:04.383700066 +1000
Modify: 2019-07-24 16:14:19.001835541 +1000
Change: 2019-07-24 16:14:19.069836099 +1000

File has not been modified since authselect generated it.



authselect cannot validate its own files

FIX IT.

--- Additional comment from Fedora Update System on 2019-07-30 01:45:14 UTC ---

authselect-1.0.4-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 2 Dan Lavu 2019-09-04 12:11:33 UTC

Verified against sssd-2.2.0-16.el8.x86_64

[root@kvm-08-guest27 ~]# realm join sssdad2012r2.com
Password for Administrator: 

[root@kvm-08-guest27 ~]# service sssd restart
Redirecting to /bin/systemctl restart sssd.service

[root@kvm-08-guest27 ~]# sudo gdb -quiet authselect -ex 'set breakpoint pending on' -ex 'b src/lib/files/system.c:428' -ex 'run select sssd --force' -ex 'shell sleep 1' -ex 'detach' -ex 'quit'
Reading symbols from authselect...Reading symbols from .gnu_debugdata for /usr/bin/authselect...(no debugging symbols found)...done.
(no debugging symbols found)...done.
No symbol table is loaded.  Use the "file" command.
Breakpoint 1 (src/lib/files/system.c:428) pending.
Starting program: /usr/bin/authselect select sssd --force
warning: Loadable section ".note.gnu.property" outside of ELF segments
warning: Loadable section ".note.gnu.property" outside of ELF segments
warning: Loadable section ".note.gnu.property" outside of ELF segments
warning: Loadable section ".note.gnu.property" outside of ELF segments
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[Detaching after fork from child process 7748]
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

[Inferior 1 (process 7744) exited normally]
The program is not being run.

[root@kvm-08-guest27 ~]# authselect check
Current configuration is valid.

Comment 4 errata-xmlrpc 2019-11-05 22:33:32 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3647

Note You need to log in before you can comment on or make changes to this bug.