Bugzilla Bug 196409

Please test and mark stable a newer version of PAM. Please refer to
http://www.gentoo.org/proj/en/base/pam/upgrade-0.99.xml for upgrade procedure.

[Note: If you find trouble, give me one more day from the opening of the bug to
handle them, system is still rebuilding]

Stable for HPPA.

Forgot to say that optionally you might want to stable sys-auth/pam_userdb (and
if you're really masochistic, even pam_console, but for that I'd wait for
someone to ask it). HPPA, I re-cced you in case you're interested, but see the
note below.

My opinion about stabling pam_userdb: beside the most popular architectures
(x86, amd64, sparc, whatever), I would wait for it to be requested by users,
it's one less package to track down and maintain stable for.

You have a stable keyword for sys-auth/pam_userdb. :)

on amd64:

well i'm using 

sys-libs/pam-0.99.8.1-r1  USE="cracklib nls vim-syntax -audit (-selinux)"

for quite a few days and didn't experience any problems. however, note that i
did install my system in august this year and never had the desire to configure
pam manualy.

Portage 2.1.3.9 (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.6.1-r0,
2.6.22-gentoo-r8 x86_64)
=================================================================
System uname: 2.6.22-gentoo-r8 x86_64 Intel(R) Core(TM)2 Duo CPU E6550 @
2.33GHz
Timestamp of tree: Sun, 21 Oct 2007 09:20:01 +0000
app-shells/bash:     3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r5
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.22-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=nocona -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/revdep-rebuild
/etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-march=nocona -O2 -pipe"
DISTDIR="/var/portage/distfiles"
FEATURES="distlocks metadata-transfer sandbox sfperms strict unmerge-orphans
userfetch"
GENTOO_MIRRORS="http://gentoo.ynet.sk/pub"
LC_ALL="en_US.utf8"
LINGUAS="en de"
MAKEOPTS="-j3"
PKGDIR="/var/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/var/portage/repos/gentoo"
PORTDIR_OVERLAY="/var/portage/repos/private"
SYNC="rsync://192.168.0.1/gentoo-portage"
USE="3dnow 3dnowext X a52 aac acpi alsa amd64 berkdb bitmap-fonts bzip2 cairo
caps cddb cdr cli cracklib crypt cups dbus dri dvd dvdr dvdread eds emboss
encode evo exif fam ffmpeg firefox flac fortran gd gdbm gif gimp gnome gphoto2
gpm gstreamer gtk hal hddtemp iconv icu ipod ipv6 isdnlog java jpeg jpeg2k lcms
ldap libnotify lm_sensors mad matroska midi mikmod mmap mmx mmxext mono mp3
mpeg mudflap ncurses nls nptl nptlonly nvidia ogg opengl openmp pam pcre pdf
perl plotutils png pppd python qt3support quicktime readline reflection ruby
sdl session spell spl sse sse2 ssl ssse3 svg tcpd tetex theora threads tiff
truetype truetype-fonts type1-fonts unicode usb vcd vim-syntax vorbis xattr xml
xorg xv xvid zlib" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop
empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi
null plug rate route share shm softvol" CAMERAS="canon konica ptp2 kodak"
ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LINGUAS="en
de" USERLAND="GNU" VIDEO_CARDS="nvidia nv"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS,
PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

on x86:

i'm also using

sys-libs/pam-0.99.8.1-r1  USE="cracklib nls vim-syntax -audit (-selinux)"

for quite a few days on a trustworthy x86 box and it seems to do a good job.
genlop suggests that i installed this system somewhere in november 2005 and
i've never ever touched a pam configuration file directly.

Portage 2.1.3.9 (default-linux/x86/2006.1/desktop, gcc-4.1.2, glibc-2.5-r4,
2.6.22-gentoo-r8 i686)
=================================================================
System uname: 2.6.22-gentoo-r8 i686 Intel(R) Pentium(R) 4 CPU 3.40GHz
Timestamp of tree: Mon, 22 Oct 2007 21:50:01 +0000
ccache version 2.4 [disabled]
app-shells/bash:     3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.3.5-r3, 2.4.4-r5
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.22-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/revdep-rebuild
/etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -march=prescott -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks metadata-transfer sandbox sfperms strict unmerge-orphans
userfetch"
GENTOO_MIRRORS="ftp://mirror.switch.ch/mirror/gentoo/
http://gentoo.mirror.solnet.ch http://mirror.etf.bg.ac.yu/gentoo"
LC_ALL="en_US.utf8"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X acpi aiglx alsa berkdb bitmap-fonts browserplugin bzip2 cairo cli
cracklib crypt cups dbus dlloader dri dvd dvi emboss encode fam firefox fortran
gdbm gif gnome gpm gstreamer gtk hal iconv ipv6 isdnlog java jpeg ldap mad midi
mikmod mmx mp3 mpeg mudflap nautilus ncurses nls nptl nptlonly nsplugin nvidia
ogg opengl openmp pam pcre perl png ppds pppd python quicktime readline
reflection ruby sdl session spell spl sse sse2 ssl svg tcpd threads tiff
truetype truetype-fonts type1-fonts unicode usb vim-syntax vorbis win32codecs
x86 xinerama xml xorg xprint xv zlib" ELIBC="glibc" INPUT_DEVICES="keyboard
mouse" KERNEL="linux" USERLAND="GNU" VIDEO_CARDS="nvidia"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS, LINGUAS,
PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

sys-libs/pam-0.99.8.1-r1 and sys-auth/pam_userdb-0.99.8.1 stable on ppc64.

sys-auth/pam_userdb-0.99.8.1 (nls)
sys-libs/pam-0.99.8.1-r1 (cracklib nls)

1. Both emerge on SPARC64.
2. No collisions.
3. Tests run sucessfully for pam. No test suite for pam_userdb.
4. Still able to login to the system (no ldap / mysql / or other exotic
backends here)

emerge --info:
Portage 2.1.3.9 (default-linux/sparc/sparc64/2007.0, gcc-4.1.2, glibc-2.6.1-r0,
2.6.17-gentoo-r8 sparc64)
=================================================================
System uname: 2.6.17-gentoo-r8 sparc64 sun4u
Timestamp of tree: Sat, 20 Oct 2007 11:50:01 +0000
app-shells/bash:     3.2_p17
dev-lang/python:     2.4.4-r5
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.7.9-r1, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.22-r2
ACCEPT_KEYWORDS="sparc"
CBUILD="sparc-unknown-linux-gnu"
CFLAGS="-O2 -mcpu=ultrasparc3 -pipe"
CHOST="sparc-unknown-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/php/apache2-php5/ext-active/
/etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild
/etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -mcpu=ultrasparc3 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protection distlocks metadata-transfer parallel-fetch
sandbox sfperms strict test unmerge-orphans userfetch"
GENTOO_MIRRORS="http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/
ftp://ftp.gentoo-pt.org/pub/gentoo ftp://mirrors1.netvisao.pt/gentoo/
http://trumpetti.tut.atm.fi/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://atl64.acores.pt/gentoo-portage"
USE="bitmap-fonts cli cracklib crypt cups dri fortran gdbm gpm iconv isdnlog
midi mudflap nls nptl nptlonly openmp pam pcre ppds pppd reflection session
sparc spl tcpd test truetype-fonts type1-fonts unicode vhosts xorg"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file
hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route
share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001
mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="dummy fbdev glint mach64 mga
r128 radeon sunbw2 suncg14 suncg3 suncg6 sunffb sunleo tdfx v4l voodoo"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS,
LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

This needs sys-process/audit stable, is that fine, Robin?

armin76: yes. you can stabilize audit-1.5.4 or newer

ia64/sparc stable

Stable on x86

I notice that this version of pam moves some modules (pam_chroot, pam_console,
pam_userdb) to their own packages.  Thus, when upgrading, anyone who cares
about those modules must emerge them separately.  However, they all remain
~arch for all architectures.  To maintain consistency for the upgrade requested
here, should not these three packages go stable as well?

For pam_userdb I added a note to this bug, for pam_chroot, I'd rather wait for
some user requesting it. As for pam_console, I'd very much like not seeing that
going stable, but if someone requires it...

I vote "no", even though this appears to have alreay happened. It has problems.
I has disabled cron on my system.

Oct 26 07:30:01 lnx-2132 cron[4128]: PAM unable to
dlopen(/lib/security/pam_unix.so)
Oct 26 07:30:01 lnx-2132 cron[4128]: PAM [dlerror: /lib/security/pam_unix.so:
symbol pam_modutil_getlogin, version LIBPAM_MODUTIL_1.0 not defined in file
libpam.so.0 with link time reference]
Oct 26 07:30:01 lnx-2132 cron[4128]: PAM adding faulty module:
/lib/security/pam_unix.so
Oct 26 07:30:01 lnx-2132 cron[4128]: PAM unable to
dlopen(/lib/security/pam_limits.so)
Oct 26 07:30:01 lnx-2132 cron[4128]: PAM [dlerror: /lib/security/pam_limits.so:
symbol pam_syslog, version LIBPAM_EXTENSION_1.0 not defined in file libpam.so.0
with link time reference]
Oct 26 07:30:01 lnx-2132 cron[4128]: PAM adding faulty module:
/lib/security/pam_limits.so
Oct 26 07:30:01 lnx-2132 cron[4128]: Module is unknown

From the upgrade guide[1]:

Important:  After upgrading PAM, from any version to any version, you have to
restart those services that are using it to avoid internal ABI mismatches. This
includes sshd, vixie-cron (and probably any other cron service), mail servers,
and in general almost every service that accepts users.

[1] http://www.gentoo.org/proj/en/base/pam/upgrade-0.99.xml

Indeed, even xscreensaver will lock you out, as I found out this morning. 
Fortunately I suspected it was an upgrade issue, and genlop proved me right. 
Restarting works, as expected.

(In reply to comment #15)
> From the upgrade guide[1]:
> 
> Important:  After upgrading PAM, from any version to any version, you have to
> restart those services that are using it to avoid internal ABI mismatches. This
> includes sshd, vixie-cron (and probably any other cron service), mail servers,
> and in general almost every service that accepts users.
> 
> [1] http://www.gentoo.org/proj/en/base/pam/upgrade-0.99.xml
> 

stable on ppc

audit, pam and pam_userdb are amd64... if anyone really wants pam_console..
please ping us.

Oct 29 06:30:57 home login[10529]: pam_tally(login:auth): unknown option:
no_magic_root
Oct 29 06:31:03 home login[10529]: pam_tally(login:account): option deny=0
allowed in auth phase only
Oct 29 06:31:03 home login[10529]: pam_tally(login:account): unknown option:
no_magic_root
Oct 29 06:31:03 home login[10529]: pam_tally(login:setcred): unknown option:
no_magic_root
Oct 29 06:31:03 home login[10529]: pam_unix(login:session): session opened for
user xpoint by LOGIN(uid=0)

Linux_PAM tar ball have pam.conf with should be splited into /etc/pam.d/ for
gentoo use no ?

No, Gentoo setup has always been slightly different. Ignore those warnings,
they'll disappear whenever I care enough to do a new update of the
configuration files, but has no bad effect, so can just be ignored.

Alpha:  I'd like to get this into the release, can we up the priority on this
one?

alpha stable, thanks Tobias

arm/s390/sh are stable as well, closing.