Because of commit c550eb [1] if you mix stable and unstable packages you might end up with a system without the su command (e.g. sys-apps/shadow-4.10-r4 and sys-apps/util-linux-2.37.2-r1). I know that it's not recommended to mix stable and unstable packages but, for example, adding !<sys-apps/util-linux-2.37.2-r3 in RDEPEND variable on sys-apps/shadow-4.10-r4 the problem can be avoided (I don't think it's an optimal solution but it seems to work). [1] https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c550eb53b108fcf6d4e2a38778230bc9a7d078e8 Reproducible: Always
I'd say this is probably obsolete given bug 831980 now.
I don't thinks this bug is obsolete, since after a full system update yesterday and restarted my computer did not have su! At minimum a news should have been put out alerting people of potentially bricked systems requiring manual recovery due to this change. Then it turns out that today's update requires sys-apps/util-linux-2.37.3 with su and *pam*. I have pam blacklisted on my computer and will not re-enable it over my dead body due to the piece of vunerable crap that it is, so I guess I'll be using an older version of shadow until I can find my own su replacement outside of linux-utils.
(In reply to tonemgub from comment #2) > I don't thinks this bug is obsolete, since after a full system update > yesterday and restarted my computer did not have su! At minimum a news > should have been put out alerting people of potentially bricked systems > requiring manual recovery due to this change. > > Then it turns out that today's update requires sys-apps/util-linux-2.37.3 > with su and *pam*. I have pam blacklisted on my computer and will not > re-enable it over my dead body due to the piece of vunerable crap that it > is, so I guess I'll be using an older version of shadow until I can find my > own su replacement outside of linux-utils. 1. It has a REQUIRED_USE which makes the PAM requirement clear... it will tell you PAM must be enabled if su is enabled, which it is by default. 2. You can just use shadow su but re-enable the flag on it. Upstream agreed to keep it for this use case.
My system is stable so I didn't expect that level of breakage without news. As you mentioned, for anyone else with this issue, I resolved it with: USE=su emerge --ask =sys-apps/shadow-4.11.1 USE=-su emerge --ask =sys-apps/util-linux-2.37.3 Depending on how bricked your system is you may need to do it from a livecd/chroot. Make sure and add these flags directly to your /etc/portage/package.use/ as well. Per https://github.com/shadow-maint/shadow/issues/464 su has not yet been removed from shadow, so breaking everyone and forcing them to use pam certainly seems a bit premature.
(In reply to tonemgub from comment #4) > My system is stable so I didn't expect that level of breakage without news. > > > As you mentioned, for anyone else with this issue, I resolved it with: > > USE=su emerge --ask =sys-apps/shadow-4.11.1 > > USE=-su emerge --ask =sys-apps/util-linux-2.37.3 > > When doing a world upgrade, util-linux on a PAM-less system with USE=su would refuse to emerge. You would then be aware of the situation? > Depending on how bricked your system is you may need to do it from a > livecd/chroot. Make sure and add these flags directly to your > /etc/portage/package.use/ as well. > > > Per https://github.com/shadow-maint/shadow/issues/464 su has not yet been > removed from shadow, so breaking everyone and forcing them to use pam > certainly seems a bit premature. That bug was filed (by me) because of concerns raised and that's why they've agreed to keep it for now. The switch was made when they were intent on removing it imminently.
> When doing a world upgrade, util-linux on a PAM-less system with USE=su would refuse to emerge. When I passed "USE=-su" appears to have been what caused the situation since I didn't realize shadow had been built *without* su by default and util-linux was the new su. I never expected that, and did check for enews prior. > That bug was filed (by me) because of concerns raised and that's why they've agreed to keep it for now. The switch was made when they were intent on removing it imminently. Fair enough, thanks for submitting the bug. I hope they keep it for awhile at least until util-linux can be built without PAM for this purpose.
