Package: debian-security-support
Version: 2015.04.04~deb7u1
Severity: wishlist

Dear Maintainer,

The postinst script takes the risk of calling su to invoke check-support-status
as the user 'debian-security-support', but hangs when the line
'auth sufficient pam_rootok.so' is missing or disabled in /etc/pam.d/su.

To avoid a possible configuration conflict and provide a hint to the sysadmin
when postinst interferes with /etc/pam.d/su rules, please add a preinst
script to the package.

For example, the script debian-security-support.preinst could look
like this:

#!/bin/sh
## Check if /etc/pam.d/su allows root to login as another user
## without prompting for password. If not, abort installation, logging an
## error to help the sysadmin fix the problem.

case "$1" in
  install|upgrade)
    # Match only an active (uncommented) rule; [[:space:]] is the portable
    # spelling of \s for grep -E.
    if ! grep -qE '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_rootok\.so' /etc/pam.d/su
    then
      # logger -s also copies the message to stderr so it shows in dpkg output
      echo "'auth sufficient pam_rootok.so' not found in /etc/pam.d/su" |
        logger -st "/usr/bin/dpkg --configure $DPKG_MAINTSCRIPT_PACKAGE"
      exit 1
    fi
    ;;
esac

Regards,
Mederic Claassen
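
Added example, not part of the original report or of the package: a variant of the check above that takes the PAM file as an argument, so it can be exercised on constructed files. The function name su_rootok_enabled is hypothetical. It assumes a stricter rule than the report's grep: pam_rootok only counts when it is the first active auth rule, and @include lines are not followed.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the report or the package).
# su_rootok_enabled FILE
#   0  first active auth rule is "sufficient pam_rootok.so"
#   1  rule missing, commented out, or preceded by another auth rule
#   2  FILE is not readable
su_rootok_enabled() {
    [ -r "$1" ] || return 2
    awk '
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        $1 == "auth" || $1 == "-auth" {    # "-auth" is the quiet form of the type
            n = split($3, p, "/")          # module may be a bare name or a path
            if ($2 == "sufficient" && p[n] == "pam_rootok.so") found = 1
            exit                           # assumption: only the first auth rule decides
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed sample: the rule is commented out, the failure case in the report.
sample=$(mktemp)
printf '%s\n' '# auth       sufficient pam_rootok.so' \
              'auth       required   pam_unix.so' > "$sample"
if su_rootok_enabled "$sample"; then
    echo "su: root passes without a password prompt"
else
    echo "su: pam_rootok is not the first auth rule; su from root may prompt" >&2
fi
rm -f "$sample"
```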
