Mandriva Linux Archives: cooker@mandrivalinux.org

* [2008-05-20 10:57:06 +0200] Olivier Blin wrote:

"Gustavo De Nardin (spuk)" <gustavodn@mandriva.com> writes:

* Moreno <moreno.mg@gmail.com> [2008-05-20 08:37 +0200]:
Hi

On Tue, May 20, 2008 at 8:01 AM, Moreno <moreno.mg@gmail.com> wrote:
> Hi
>
> After the daily update of my Cooker machine all attempts to make a login fail.

The problem is that urpmi installed the packages and generated 2
rpmnew files but did not signal this.

I have replaced the /etc/login-def and /etc/pam.d/system-auth files
with the .rpmnew files and everything returned to working normally.

Do you have msec installed? See <https://qa.mandriva.com/show_bug.cgi?id=29719>.

That's not strictly related to msec, other config tools can modify pam config files.

But is it normal that pam_unix does not work anymore in the config
file? In the initial plan, it was said that pam_tcb was backwards
compatible with pam_unix, it does not seem to be the case...

Anyway, I don't think we should force migration to pam_tcb in %post,
there's no real reason to handle .rpmnew files differently in this
package if pam_tcb is backwards compatible as you claim.

The symlinks are supposed to be sufficient. I'm not sure why they aren't working, but when I noticed that they had stopped, I had made the changes.

Anyways, if using pam_tcb is going to be default, then changing
system-auth is required.  pam_tcb is backwards compatible in that it
uses /etc/shadow just as well as the tcb scheme.  But we should be using
pam_tcb across the board, especially considering that for most people,
system-auth will be completely replaced with the tcb-aware one (it's
only for people who have made changes to system-auth, i.e. inserting
other pam modules or using LDAP for auth, etc.) that would have the
.rpmnew created.

The %post changes should be sufficient to ensure no one gets locked out,
although with mirror synching and such, there was a window of a few
hours where it could have happened.

--
Vincent Danen @ http://linsec.ca/
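
Added example, not part of the original message or of any Mandriva package: a shell check for the situation described in this thread, where an update leaves .rpmnew files beside /etc/pam.d/system-auth without signalling it. The function names and the root-directory argument are assumptions made so the check can also be run against a test tree.

```shell
#!/bin/sh
# Report config files under ROOT/etc and ROOT/etc/pam.d that still have an
# unmerged .rpmnew beside them. For PAM files, also show whether the live
# copy and the .rpmnew copy reference pam_tcb or pam_unix.

# pam_modules FILE: print which of pam_tcb / pam_unix FILE references.
pam_modules() {
    mods=""
    for m in pam_tcb pam_unix; do
        # Commented-out lines do not count as a reference.
        if grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep -q "${m}\.so"; then
            mods="${mods:+$mods,}$m"
        fi
    done
    echo "${mods:-none}"
}

# check_rpmnew ROOT: one "PENDING" line per unmerged file.
# ROOT is an assumption of this example; pass "" to check the running system.
# Exit status is 0 when nothing is pending and non-zero otherwise.
check_rpmnew() {
    root=${1:-}
    pending=0
    for new in "$root"/etc/pam.d/*.rpmnew "$root"/etc/*.rpmnew; do
        [ -f "$new" ] || continue          # glob matched nothing
        live=${new%.rpmnew}
        rel=${live#"$root"}
        pending=$((pending + 1))
        case $live in
            */pam.d/*)
                detail=" live=$(pam_modules "$live") rpmnew=$(pam_modules "$new")" ;;
            *)
                detail="" ;;
        esac
        echo "PENDING $rel$detail"
    done
    [ "$pending" -eq 0 ]
}
```

Running `check_rpmnew ""` after a package update and before logging out lists any authentication config that still needs merging by hand.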
