Verified on oracular:

root@pam-oracular:~# useradd -s /bin/sh -p $(openssl passwd -6 foo) foo
root@pam-oracular:~# mv /etc/pam.d/* /usr/lib/pam.d
root@pam-oracular:~# login
pam-oracular login: foo
Password:
run-parts: /etc/update-motd.d/98-fsck-at-reboot exited with return code 2
[snip]
$
root@pam-oracular:~# mv /usr/lib/pam.d/common-password /etc/pam.d
root@pam-oracular:~# mv /usr/lib/pam.d/login /etc/pam.d
root@pam-oracular:~# MOTD_FILE="" login foo
Password:
Welcome to Ubuntu 24.10 (GNU/Linux 6.14.0-15-generic x86_64)
[snip]
$
root@pam-oracular:~# cp /usr/lib/pam.d/common-account /etc/pam.d
root@pam-oracular:~# echo foobar >> /etc/pam.d/common-account
root@pam-oracular:~# login
pam-oracular login: foo
Password:

Login incorrect
pam-oracular login:

Login incorrect
pam-oracular login: ^C
root@pam-oracular:~# journalctl -xe | tail
Jun 13 15:14:09 pam-oracular login[1624]: PAM (login) illegal module type: foobar
Jun 13 15:14:09 pam-oracular login[1624]: PAM (login) no control flag supplied
Jun 13 15:14:09 pam-oracular login[1624]: PAM (login) no module name supplied
Jun 13 15:14:09 pam-oracular login[1624]: PAM (other) illegal module type: foobar
Jun 13 15:14:09 pam-oracular login[1624]: PAM (other) no control flag supplied
Jun 13 15:14:09 pam-oracular login[1624]: PAM (other) no module name supplied
Jun 13 15:14:17 pam-oracular login[1624]: FAILED LOGIN (1) on '/dev/pts/1' FOR 'foo', Permission denied
Jun 13 15:14:20 pam-oracular login[1624]: pam_nologin(login:auth): unexpected response from failed conversation function
Jun 13 15:14:20 pam-oracular login[1624]: pam_nologin(login:auth): cannot determine user name
Jun 13 15:14:22 pam-oracular login[1624]: FAILED LOGIN (2) on '/dev/pts/1' FOR 'UNKNOWN', User not known to the underlying authentication module
root@pam-oracular:~# dpkg -l libpam0g
ii  libpam0g:amd64 1.5.3-7ubuntu2.1 amd64        Pluggable Authentication Modules library

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/2087827

Title:
  Pam includes does not look in /usr/lib/pam.d

Status in pam package in Ubuntu:
  Fix Released
Status in pam source package in Noble:
  Fix Committed
Status in pam source package in Oracular:
  Fix Committed
Status in pam source package in Plucky:
  Fix Committed
Status in pam source package in Questing:
  Fix Released

Bug description:
  [ Impact ]
  The Debian-specific (and fairly heavily used) @include stanza doesn't load
  anything from /usr/lib/pam.d, preventing moving default configuration from
  /etc, which is needed for Ubuntu Core.

  [ Test Plan ]

  In a fresh container:

  # adduser foo
  # mv /etc/pam.d/* /usr/lib/pam.d
  # login 

  You should be able to log in as user foo.

  After exiting the foo session, to check cross-folder inclusion:

  # mv /usr/lib/pam.d/common-password /etc/pam.d
  # mv /usr/lib/pam.d/login /etc/pam.d
  # login

  And finally, to check that they load the /etc file in priority:
  # cp /usr/lib/pam.d/common-account /etc/pam.d
  # echo foobar >> /etc/pam.d/common-account
  # login

  That last one should fail with foobar-related errors in the system
  logs.

  [ Where problems could occur ]

  To minimize user setup breakage potential the test plan ensures that
  there wouldn't be any new shadowing of user config file. Any other
  config that includes something only present in /usr/lib would have
  been broken anyway.

  [Original report]
  We're using libpam in the Ubuntu Core rootfs for the core24 snap (which is
  pam from Noble). We've run into a situation where we would like to move pam.d
  files into /usr/lib/pam.d instead of /etc/pam.d, and looking at man pages this
  should be supported. (I.e. it always checks /etc/pam.d first, then
  /usr/lib/pam.d).

  However, there seems to be an issue (or misunderstanding) in terms of
  how `include`'s are loaded. For an installation that has all pam.d
  files in /usr/lib we get this error:

  ```
  [  556.375377] sshd[3553]: PAM _pam_load_conf_file: unable to open config for /etc/pam.d/common-auth
  [  556.377644] sshd[3553]: PAM error loading (null)
  [  556.379731] sshd[3553]: PAM _pam_init_handlers: error reading /usr/lib/pam.d/sshd
  [  556.382681] sshd[3553]: PAM _pam_init_handlers: [Critical error - immediate abort]
  [  556.384512] sshd[3553]: PAM error reading PAM configuration file
  [  556.386397] sshd[3553]: PAM pam_start: failed to initialize handlers
  [  556.389716] sshd[3553]: PAM pam_end: NULL pam handle passed
  [  556.393755] sshd[3553]: fatal: PAM: initialisation failed
  ```

  It seems to correctly read sshd from /usr/lib/pam.d/; however, it seems it
  insists on loading the includes through /etc/pam.d. Looking at the code:
  https://git.launchpad.net/ubuntu/+source/pam/tree/libpam/pam_handlers.c?h=applied/ubuntu/noble#n227
  it seems that it only checks /etc/pam.d, and not /usr/lib/pam.d. This
  seems to not be in line with the man pages?

  *note* it seems at first glance that there might be a bug in the
  patch `debian/patches/031_pam_include`
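The lookup behaviour at issue, as an added example that is not part of the bug report or of libpam's code: a small resolver for Debian-style `@include` lines that searches a constructed `/etc/pam.d` + `/usr/lib/pam.d` tree in the documented order, compared against the reported behaviour where include targets were only searched in `/etc/pam.d`. It also reproduces the test plan's shadowing check (an `/etc` copy of `common-account` must win over the `/usr/lib` one). The directory tree, service files and function names are constructed for this example.

```python
from pathlib import Path
import tempfile

# Documented lookup order (pam.d(5)): /etc/pam.d first, then /usr/lib/pam.d.
FIXED_DIRS = ("etc/pam.d", "usr/lib/pam.d")
# Behaviour the report describes: @include targets were only ever looked up in /etc/pam.d.
BUGGY_INCLUDE_DIRS = ("etc/pam.d",)

def find_config(root, name, dirs):
    """First existing file for `name` in lookup order (relative to `root`), else None."""
    paths = (Path(root, d, name) for d in dirs)
    return next((p for p in paths if p.is_file()), None)

def resolve_includes(root, service, include_dirs=FIXED_DIRS):
    """Resolve `service` and every @include it pulls in; returns {name: path or None}.
    The service file itself always uses the documented order; `include_dirs` is where
    @include targets are searched, so buggy and fixed behaviour can be compared."""
    resolved = {service: find_config(root, service, FIXED_DIRS)}
    queue = [service]
    while queue:
        path = resolved[queue.pop()]
        for line in (path.read_text().splitlines() if path is not None else []):
            tok = line.split()
            if len(tok) == 2 and tok[0] == "@include" and tok[1] not in resolved:
                resolved[tok[1]] = find_config(root, tok[1], include_dirs)
                queue.append(tok[1])
    return resolved

def build_demo_tree(root):
    """Constructed tree: pam.d moved to /usr/lib, plus a broken /etc copy of common-account."""
    files = {
        "usr/lib/pam.d/sshd": "@include common-auth\n@include common-account\n",
        "usr/lib/pam.d/common-auth": "auth required pam_unix.so\n",
        "usr/lib/pam.d/common-account": "account required pam_unix.so\n",
        "etc/pam.d/common-account": "account required pam_unix.so\nfoobar\n",
    }
    for rel, body in files.items():
        full = Path(root, rel)
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_text(body)

def demo():
    """(unresolved includes under the bug, unresolved after the fix, which common-account wins)."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        def missing(dirs):
            return sorted(n for n, p in resolve_includes(root, "sshd", dirs).items() if p is None)
        winner = resolve_includes(root, "sshd")["common-account"].relative_to(root)
        return missing(BUGGY_INCLUDE_DIRS), missing(FIXED_DIRS), str(winner)
```

Under the buggy lookup `common-auth` stays unresolved, which is the "unable to open config for /etc/pam.d/common-auth" failure quoted above, while with the documented order everything resolves and the `/etc` copy of `common-account` (with its bogus `foobar` line) is the one selected.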
