Gentoo Forums
shadow updates nukes /etc/pam.d/system-auth
TheQuickBrownFox
n00b
Joined: 08 Oct 2002
Posts: 37
Posted: Wed May 14, 2003 9:20 am

shadow-4.0.3-r5 update nukes /etc/pam.d/system-auth !!! :x It replaces the file with the default one without asking.

edit: Seems it does make a backup of the old one: system-auth.bak :oops:

This can seriously screw you over if you're using winbind, pamsmbd and possibly others!
_________________
-- jumps over the lazy dog


Last edited by TheQuickBrownFox on Wed May 14, 2003 3:26 pm; edited 3 times in total

Genone
Retired Dev
Joined: 14 Mar 2003
Posts: 9233
Location: beyond the rim
Posted: Wed May 14, 2003 10:53 am

Thanks for the warning. I wouldn't have noticed it until the next reboot. Have you filed a bug for this?

TheQuickBrownFox
n00b
Joined: 08 Oct 2002
Posts: 37
Posted: Wed May 14, 2003 11:17 am

A bug has been filed, but by someone who noticed it before I did.
_________________
-- jumps over the lazy dog

pjp
Administrator
Joined: 16 Apr 2002
Posts: 17508
Posted: Wed May 14, 2003 3:19 pm

Very interesting, it made a backup on my system:
shadow ebuild wrote:
Code:
                ewarn "Due to a security issue, ${ROOT}etc/pam.d/system-auth "
                ewarn "is being updated automatically. Your old "
                ewarn "system-auth will be backed up as:"
                ewarn
                ewarn "  ${ROOT}etc/pam.d/system-auth.bak"
As it indicates, the backup was system-auth.bak

EDIT: If anyone else is curious, the bug report is here. Although, the bug report makes no claim that a backup isn't made.
_________________
It is what it is out there. So whatever it is, it is.
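
The ebuild output quoted above names system-auth.bak as the backup. As an added example (not part of the original thread or the ebuild), this script lists the PAM modules that the old file loaded and the replacement no longer does. The function names and the sample file contents are constructed; on a real system, pass /etc/pam.d/system-auth.bak and /etc/pam.d/system-auth instead.

```shell
#!/bin/sh
# Added example: report "type module" pairs that the old PAM file had
# and the replacement no longer has.

pam_modules() {
    # PAM rule: type control module-path [args]; control may be "[k=v k=v]".
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # comments and blank lines
        {
            type = $1; sub(/^-/, "", type)    # "-auth" marks an optional rule
            i = 2
            if ($i ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
            mod = $(i + 1); sub(/^.*\//, "", mod)   # keep the file name only
            if (mod != "") print type, mod
        }' "$1" | LC_ALL=C sort -u
}

pam_dropped_modules() {   # usage: pam_dropped_modules OLD NEW
    old_list=$(mktemp); new_list=$(mktemp)
    pam_modules "$1" > "$old_list"
    pam_modules "$2" > "$new_list"
    LC_ALL=C comm -23 "$old_list" "$new_list"
    rm -f "$old_list" "$new_list"
}

# Constructed sample files standing in for the real ones under /etc/pam.d.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/system-auth.bak" <<'EOF'
#%PAM-1.0
auth      required    /lib/security/pam_env.so
auth      sufficient  /lib/security/pam_winbind.so
auth      sufficient  /lib/security/pam_unix.so likeauth nullok use_first_pass
auth      required    /lib/security/pam_deny.so
account   sufficient  /lib/security/pam_winbind.so
account   required    /lib/security/pam_unix.so
session   required    /lib/security/pam_unix.so
EOF
cat > "$demo/system-auth" <<'EOF'
#%PAM-1.0
auth      required    /lib/security/pam_env.so
auth      sufficient  /lib/security/pam_unix.so likeauth nullok
auth      required    /lib/security/pam_deny.so
account   required    /lib/security/pam_unix.so
session   required    /lib/security/pam_unix.so
EOF

pam_dropped_modules "$demo/system-auth.bak" "$demo/system-auth"
```

Any line it prints is a module stack entry that must be merged back by hand before the next login depends on it; changed arguments on a module that is still present are not reported.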

dma
Guru
Joined: 31 Jan 2003
Posts: 437
Location: Charlotte, NC, USA
Posted: Wed May 14, 2003 3:37 pm

Yes, but I don't see why it isn't handled through etc-update like everything else. It completely bypasses config file protection.

Not "nice".

pjp
Administrator
Joined: 16 Apr 2002
Posts: 17508
Posted: Wed May 14, 2003 3:53 pm

I'm guessing because if system-auth was compromised, replacing it with a default will eliminate that. Though I do think the ebuild should warn about it before starting the compile.

Also, an awful lot of people don't use etc-update.
_________________
It is what it is out there. So whatever it is, it is.

TheQuickBrownFox
n00b
Joined: 08 Oct 2002
Posts: 37
Posted: Wed May 14, 2003 4:18 pm

Is it enough to simply warn the user? I often miss warnings while merging packages.

Is there a way that these warnings can be logged? Mailed to root?

What about automagically starting etc-update after emerging? I know I can probably hack something, but is it a bad idea to do this by default?
If a user chooses to quit etc-update and not update his configs immediately, then at least he still knows what files were affected.

Also, isn't there an easy way to use a split screen mode where the new config is displayed in one pane and the original in another? I know vim can do this, but not everyone groks the Tao of vim.

I would also like to see a system where config files can be flagged for critical updates (system-auth), or low priority updates (X server i18n fixes), etc. Any plans for this? Is it worth sending in a feature request?
_________________
-- jumps over the lazy dog

dma
Guru
Joined: 31 Jan 2003
Posts: 437
Location: Charlotte, NC, USA
Posted: Wed May 14, 2003 10:08 pm

in /etc/etc-update.conf:

Code:
# pager for use with diff commands (see NOTE_2)
pager="less"

# vim-users: you CAN use vimdiff for diff_command. (see NOTE_1)
diff_command="colordiff -uN %file1 %file2"
#diff_command="vim -d %file1 %file2"



that's what I use at the moment.

Or you can use that vim thing:

Screenshot: http://www.coe.uncc.edu/~danderse/images/vim_d.png

TheQuickBrownFox
n00b
Joined: 08 Oct 2002
Posts: 37
Posted: Thu May 15, 2003 6:50 am

Cool!

Now what about assigning priorities to config file updates and logging messages? Should I hack at it, is there already a way/plan, or should I just let it go?
_________________
-- jumps over the lazy dog

All times are GMT