| Summary: | New shadow ebuild indiscriminately overwrites system-auth | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Chris Snyder <csnyder> |
| Component: | [OLD] Core system | Assignee: | Gentoo's Team for Core System packages <base-system> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | dave128, genone, mrannanj, tpeland |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |

Description
Chris Snyder
2003-05-13 18:55:50 UTC
I had the same problem on my fileserver and domain controller using samba with openldap as a backend. I agree with Chris that updating the system-auth should be handled by etc-update as any other config file update. What saved our lives was the .bak file. brgds Michael

I very much agree, it's not Gentoo's fault if a user can't use etc-update.

Newly stable -r7 has this disabled.

*** Bug 31585 has been marked as a duplicate of this bug. ***

No it doesn't. Maybe you forgot to commit? sys-apps/shadow-4.0.3-r8 still overwrites /etc/pam.d/system-auth.

Please refrain from outright overwriting this file, and instead let the admins replace it using etc-update or their own scripts. I see it as saying that this is done "due to a security issue" but these things are: 1) missed when someone wants to do "emerge -u world" and get some sleep and 2) unnecessary as I don't see any difference between -r8 and my previous system-auth, besides my own personal changes for ldap.

For shadow-4.0.3-r6, -r7, and -r8, all of them overwrite system-auth, "for security purposes". I was beginning to wonder why there are so many packages that overwrite system-auth. Now I realize that it was only one. Fun stuff. It would be nicer if the ebuild person would kindly put a warning (and maybe a URL for info) in system-auth, rather than overwriting it and giving systems admins a headache when users complain.

*** Bug 34339 has been marked as a duplicate of this bug. ***

-r9 is still doing this :(

Yes. -r9 still does this. I'll tell you what happened to me: I've got all users that have a valid shell in ldap and authentication using pam_ldap except root. sshd_config is set so that root cannot log in via ssh (PermitRootLogin no). I updated the server box of mine (no keyboard nor monitor etc. attached...) system-auth got overwritten automagically by shadow package so no normal user could log in, since pam_ldap is not in the default config, and root cannot login because of sshd_config. No one could log in. :( Luckily I had one terminal open in the other desktop. I think this automagic thing is not wise.

-r10 also looks to still do this.

shadow-4.0.4.1-r4 does not do this
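
The behaviour the commenters ask for, sketched as an added example (not code from this bug or from the shadow ebuild): a new packaged system-auth is staged beside the live file under the `._cfgNNNN_` name that etc-update looks for, and an existing live file is never overwritten. The function name `stage_config` and the temp-dir demo files are constructed for illustration.

```shell
#!/bin/sh
# stage_config NEW LIVE
# Prints "installed", "unchanged" or "staged:<path>".
# An existing LIVE file is never modified.
stage_config() {
    new=$1 live=$2
    dir=$(dirname "$live") base=$(basename "$live")

    # No live file yet: nothing local can be lost, install directly.
    if [ ! -e "$live" ]; then
        cp -p "$new" "$live" && echo installed
        return
    fi
    # Packaged file equals the live one: nothing to merge.
    if cmp -s "$new" "$live"; then
        echo unchanged
        return
    fi
    # Otherwise park the update in the first free ._cfgNNNN_ slot so the
    # admin merges it by hand (this is the naming etc-update scans for).
    n=0
    while :; do
        cand=$(printf '%s/._cfg%04d_%s' "$dir" "$n" "$base")
        [ -e "$cand" ] || break
        # Same update already pending: do not stack duplicates.
        if cmp -s "$new" "$cand"; then echo "staged:$cand"; return; fi
        n=$((n + 1))
    done
    cp -p "$new" "$cand" && echo "staged:$cand"
}

# Constructed demo: live system-auth carries a local pam_ldap line,
# the packaged default does not.
demo() {
    d=$(mktemp -d)
    printf 'auth sufficient pam_ldap.so\nauth required pam_unix.so\n' > "$d/system-auth"
    printf 'auth required pam_unix.so\n' > "$d/system-auth.pkg"
    stage_config "$d/system-auth.pkg" "$d/system-auth"
    grep -c pam_ldap "$d/system-auth"   # local LDAP line still present
    rm -rf "$d"
}
demo
```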