Hello Philip, or anyone else affected, Accepted pam into plucky-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/pam/1.5.3-7ubuntu4.1 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- plucky to verification-done-plucky. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-plucky. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: pam (Ubuntu Plucky) Status: In Progress => Fix Committed ** Tags added: verification-needed verification-needed-plucky ** Changed in: pam (Ubuntu Oracular) Status: In Progress => Fix Committed ** Tags added: verification-needed-oracular -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pam in Ubuntu. https://bugs.launchpad.net/bugs/2087827 Title: Pam includes does not look in /usr/lib/pam.d Status in pam package in Ubuntu: Fix Released Status in pam source package in Noble: Fix Committed Status in pam source package in Oracular: Fix Committed Status in pam source package in Plucky: Fix Committed Status in pam source package in Questing: Fix Released Bug description: [ Impact ] The Debian-specific (and fairly heavily used) @include stanza doesn't load anything from /usr/lib/pam.d, preventing moving default configuration from /etc, which is needed for Ubuntu Core. [ Test Plan ] In a fresh container: # adduser foo # mv /etc/pam.d/* /usr/lib/pam.d # login You should be able to log in as user foo. After exiting the foo session, to check cross-folder inclusion: # mv /usr/lib/pam.d/common-password /etc/pam.d # mv /usr/lib/pam.d/login /etc/pam.d # login And finally, to check that they load the /etc file in priority: # cp /usr/lib/pam.d/common-account /etc/pam.d # echo foobar >> /etc/pam.d/common-account # login That last one should fail with foobar-related errors in the system logs. [ Where problems could occur ] To minimize user setup breakage potential the test plan ensures that there wouldn't be any new shadowing of user config file. Any other config that includes something only present in /usr/lib would have been broken anyway. [Original report] We're using libpam in the Ubuntu Core rootfs for the core24 snap (which is pam from Noble). We've run into a sitaution where we would like to move pam.d files into /usr/lib/pam.d instead of /etc/pam.d, and looking at man pages this should be supported. (I.e it always checks /etc/pam.d first, then /usr/lib/pam.d). However, there seems to be an issue (or misunderstanding) in terms of how `include`'s are loaded. For an installation that has all pam.d files in /usr/lib we get this error: ``` [ 556.375377] sshd[3553]: PAM _pam_load_conf_file: unable to open config for /etc/pam.d/common-auth [ 556.377644] sshd[3553]: PAM error loading (null) [ 556.379731] sshd[3553]: PAM _pam_init_handlers: error reading /usr/lib/pam.d/sshd [ 556.382681] sshd[3553]: PAM _pam_init_handlers: [Critical error - immediate abort] [ 556.384512] sshd[3553]: PAM error reading PAM configuration file [ 556.386397] sshd[3553]: PAM pam_start: failed to initialize handlers [ 556.389716] sshd[3553]: PAM pam_end: NULL pam handle passed [ 556.393755] sshd[3553]: fatal: PAM: initialisation failed ``` It seems to correctly read sshd from /usr/lib/pam.d/, however the includes it seems it insists on loading through /etc/pam.d. Looking at the code: https://git.launchpad.net/ubuntu/+source/pam/tree/libpam/pam_handlers.c?h=applied/ubuntu/noble#n227 it seems that it only checks /etc/pam.d, and not /usr/lib/pam.d. This seems to not be in line with the man pages? *note* this seem at first glance that there might be a bug in the patch `debian/patches/031_pam_include` To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/2087827/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
