All autopkgtests for the newly accepted pam (1.5.3-7ubuntu2.1) for oracular have finished running. The following regressions have been reported in tests triggered by the package:

apparmor/unknown (amd64)
at/3.2.5-2.1ubuntu3 (s390x)
courier-authlib/unknown (amd64)
cron/unknown (amd64)
dovecot/1:2.3.21.1+dfsg1-1ubuntu1 (armhf, ppc64el, s390x)
freeradius/3.2.5+dfsg-3ubuntu0.2 (s390x)
inetutils/2:2.5-5ubuntu1 (s390x)
inetutils/unknown (ppc64el)
inn2/unknown (ppc64el)
libcap2/unknown (ppc64el)
libpam-mount/unknown (arm64)
lxc/unknown (arm64)
mariadb/1:11.4.5-0ubuntu0.24.10.1 (armhf, ppc64el, s390x)
mariadb/unknown (arm64)
ngircd/unknown (arm64)
oath-toolkit/unknown (arm64)
openssh/1:9.7p1-7ubuntu4.3 (s390x)
samba/unknown (ppc64el)
shadow/unknown (ppc64el)
slurm-wlm/unknown (s390x)
soju/unknown (s390x)
strongswan/unknown (s390x)
update-motd/unknown (ppc64el)
util-linux/2.40.2-1ubuntu1.1 (ppc64el)
vsftpd/unknown (ppc64el)
zfs-linux/unknown (s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/oracular/update_excuses.html#pam

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/2087827

Title:
  Pam includes does not look in /usr/lib/pam.d

Status in pam package in Ubuntu:
  Fix Released
Status in pam source package in Noble:
  Fix Committed
Status in pam source package in Oracular:
  Fix Committed
Status in pam source package in Plucky:
  Fix Committed
Status in pam source package in Questing:
  Fix Released

Bug description:
  [ Impact ]

  The Debian-specific (and fairly heavily used) @include stanza doesn't load anything from /usr/lib/pam.d, preventing moving default configuration from /etc, which is needed for Ubuntu Core.

  [ Test Plan ]

  In a fresh container:

  # adduser foo
  # mv /etc/pam.d/* /usr/lib/pam.d
  # login

  You should be able to log in as user foo.

  After exiting the foo session, to check cross-folder inclusion:

  # mv /usr/lib/pam.d/common-password /etc/pam.d
  # mv /usr/lib/pam.d/login /etc/pam.d
  # login

  And finally, to check that they load the /etc file in priority:

  # cp /usr/lib/pam.d/common-account /etc/pam.d
  # echo foobar >> /etc/pam.d/common-account
  # login

  That last one should fail with foobar-related errors in the system logs.

  [ Where problems could occur ]

  To minimize user setup breakage potential, the test plan ensures that there wouldn't be any new shadowing of user config files. Any other config that includes something only present in /usr/lib would have been broken anyway.

  [Original report]

  We're using libpam in the Ubuntu Core rootfs for the core24 snap (which is pam from Noble). We've run into a situation where we would like to move pam.d files into /usr/lib/pam.d instead of /etc/pam.d, and looking at man pages this should be supported. (I.e. it always checks /etc/pam.d first, then /usr/lib/pam.d.)

  However, there seems to be an issue (or misunderstanding) in terms of how `include`'s are loaded. For an installation that has all pam.d files in /usr/lib we get this error:

  ```
  [ 556.375377] sshd[3553]: PAM _pam_load_conf_file: unable to open config for /etc/pam.d/common-auth
  [ 556.377644] sshd[3553]: PAM error loading (null)
  [ 556.379731] sshd[3553]: PAM _pam_init_handlers: error reading /usr/lib/pam.d/sshd
  [ 556.382681] sshd[3553]: PAM _pam_init_handlers: [Critical error - immediate abort]
  [ 556.384512] sshd[3553]: PAM error reading PAM configuration file
  [ 556.386397] sshd[3553]: PAM pam_start: failed to initialize handlers
  [ 556.389716] sshd[3553]: PAM pam_end: NULL pam handle passed
  [ 556.393755] sshd[3553]: fatal: PAM: initialisation failed
  ```

  It seems to correctly read sshd from /usr/lib/pam.d/, however the includes it seems it insists on loading through /etc/pam.d.

  Looking at the code:
  https://git.launchpad.net/ubuntu/+source/pam/tree/libpam/pam_handlers.c?h=applied/ubuntu/noble#n227
  it seems that it only checks /etc/pam.d, and not /usr/lib/pam.d. This seems to not be in line with the man pages?

  *note* this seems at first glance that there might be a bug in the patch `debian/patches/031_pam_include`
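
The lookup the report expects (each name tried in /etc/pam.d first, then /usr/lib/pam.d, for `@include` targets as well as the service file) can be checked offline before files are moved between the two directories. The script below is an added example, not code from libpam or from the bug report; `PAM_ROOT`, `pam_copies`, `pam_walk` and `demo_tree` are hypothetical names, it assumes only those two directories are searched, and it follows only `@include` lines.

```shell
#!/bin/sh
# Added example, not libpam code. PAM_ROOT is a hypothetical prefix so the
# check can run against a scratch tree instead of the live system.
PAM_ROOT="${PAM_ROOT:-}"
PAM_DIRS="/etc/pam.d /usr/lib/pam.d"   # priority order described in the report

# Print every existing copy of a config name, highest priority first.
pam_copies() {
    for d in $PAM_DIRS; do
        [ -f "$PAM_ROOT$d/$1" ] && echo "$PAM_ROOT$d/$1"
    done
    return 0
}

# Walk a service file and its @include targets, printing one line per name:
#   OK <name> <path>      loaded from the only copy present
#   SHADOW <name> <path>  loaded copy hides one in a lower-priority directory
#   MISSING <name>        no copy in any search directory
# Returns 1 if any name is missing.
pam_walk() {
    todo=$1; seen=""; rc=0
    while [ -n "$todo" ]; do
        name=${todo%% *}
        case "$todo" in *" "*) todo=${todo#* } ;; *) todo="" ;; esac
        case " $seen " in *" $name "*) continue ;; esac   # include-loop guard
        seen="$seen $name"
        set -- $(pam_copies "$name")   # $1 = winning copy, $# = number of copies
        if [ $# -eq 0 ]; then echo "MISSING $name"; rc=1; continue; fi
        if [ $# -gt 1 ]; then tag=SHADOW; else tag=OK; fi
        echo "$tag $name $1"
        for inc in $(awk '$1 == "@include" { print $2 }' "$1"); do
            todo="${todo:+$todo }$inc"
        done
    done
    return $rc
}

# Constructed sample tree: everything under /usr/lib/pam.d, plus an /etc copy
# of common-account (modelled on the test plan's last step) and one absent include.
demo_tree() {
    PAM_ROOT=$(mktemp -d)
    mkdir -p "$PAM_ROOT/etc/pam.d" "$PAM_ROOT/usr/lib/pam.d"
    printf '@include common-%s\n' auth account session > "$PAM_ROOT/usr/lib/pam.d/sshd"
    echo 'auth required pam_unix.so' > "$PAM_ROOT/usr/lib/pam.d/common-auth"
    echo 'account required pam_unix.so' > "$PAM_ROOT/usr/lib/pam.d/common-account"
    echo 'foobar' > "$PAM_ROOT/etc/pam.d/common-account"
}
demo_tree; pam_walk sshd || echo "unresolved includes"; rm -rf "$PAM_ROOT"
```

A `SHADOW` line marks the case the "Where problems could occur" section is concerned with: an /etc/pam.d file that takes priority over a packaged default in /usr/lib/pam.d.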