I know this is the way that the new ebuild is intended to work, but automatically overwriting the /etc/pam.d/system-auth file is a very bad idea. Here's what happened in my case: I started an emerge shadow on my desktop to upgrade to the latest version to fix the GLSA issue, then went to another building to fix a server. After coming back, I was unable to unlock my screensaver. After going to a terminal, I realized that system-auth had been overwritten. All of our machines use AFS for authentication, which was broken after system-auth got overwritten. This also happened for our servers, causing mail clients, etc. to not be able to log in until the problem was fixed. Why can't this be handled like regular configuration files? I know that this is a security issue, but it's not a major one, and anyone who doesn't run etc-update after every emerge doesn't deserve to be running Gentoo anyways. <g>

Reproducible: Always

Steps to Reproduce:
1. emerge shadow
2. Bang head on keyboard when not able to log in

Actual Results:

Expected Results:
I had the same problem on my fileserver and domain controller using samba with openldap as a backend. I agree with Chris that updating system-auth should be handled by etc-update like any other config file update. What saved our lives was the .bak file. brgds Michael
I very much agree, it's not Gentoo's fault if a user can't use etc-update.
Newly stable -r7 have this disabled.
*** Bug 31585 has been marked as a duplicate of this bug. ***
No it doesn't. Maybe you forgot to commit?
sys-apps/shadow-4.0.3-r8 still overwrites /etc/pam.d/system-auth. Please refrain from outright overwriting this file, and instead let the admins replace it using etc-update or their own scripts. I see it as saying that this is done "due to a security issue" but these things are: 1) missed when someone wants to do "emerge -u world" and get some sleep and 2) unnecessary as I don't see any difference between -r8 and my previous system-auth, besides my own personal changes for ldap.
For shadow-4.0.3-r6, -r7, and -r8, all of them overwrite system-auth, "for security purposes". I was beginning to wonder why there are so many packages that overwrite system-auth. Now I realize that it was only one. Fun stuff. It would be nicer if the ebuild person would kindly put a warning (and maybe a URL for info) in system-auth, rather than overwriting it and giving systems admins a headache when users complain.
*** Bug 34339 has been marked as a duplicate of this bug. ***
-r9 is still doing this :(
Yes. -r9 still does this. I'll tell you what happened to me: I've got all users that have a valid shell in ldap, with authentication using pam_ldap, except root. sshd_config is set so that root cannot log in via ssh (PermitRootLogin no). I updated that server box of mine (no keyboard, monitor, etc. attached...); system-auth got overwritten automagically by the shadow package, so no normal user could log in, since pam_ldap is not in the default config, and root cannot log in because of sshd_config. No one could log in. :( Luckily I had one terminal open on the other desktop. I think this automagic thing is not wise.
-r10 also looks to still do this.
shadow-4.0.4.1-r4 does not do this