Bug 1226639

Summary: Custom PAM configuration replaced with pam-config links during Leap 15.6 upgrade
Product: [openSUSE] openSUSE Distribution
Reporter: Georg Pfuetzenreuter <georg.pfuetzenreuter>
Component: Other
Assignee: Thorsten Kukuk <kukuk>
Status: RESOLVED INVALID
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: georg.pfuetzenreuter, william.brown
Version: Leap 15.6
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Georg Pfuetzenreuter 2024-06-20 14:32:03 UTC
Hi,

in our openSUSE infrastructure we use custom PAM configuration - pam-config is installed because it's a dependency of some applications but is not used.
When upgrading Leap 15.5 to 15.6, the package pam-config-1.1-150600.14.3.x86_6 is installed, and overwrites the custom common-X configuration files with common-X-pc symlinks in /etc/pam.d which effectively locks me out of the system when doing remote upgrades over SSH.

Comment 1 Thorsten Kukuk 2024-06-20 17:03:51 UTC
Please provide some more information besides "overwrites something".
By default pam-config does not overwrite anything if you follow the instructions, look at the pam-config %post script.

Did you follow the instructions from the common-*-pc files how to disable pam-config?

Log files?

How to reproduce?

In all cases I saw this behavior the reason was because people did not read.

Comment 2 Georg Pfuetzenreuter 2024-06-20 17:48:01 UTC
The %post script checks for a file "common-auth-pc", if it is missing, pam-config will be called with --force, causing the observed effect. This file sure gets preserved when merely using the command line suggested in the -pc file comments, but we don't seem to have this file on all machines. Git history indicates it got deleted accidentally by configuration management in the past, which was corrected shortly after but without having re-run pam-config with --force afterwards due to lack of knowledge about the importance of this particular -pc file - the zypp history suggests no pam-config update happened recently, so it's likely it was merely not noticed earlier.

Thanks for the pointer.

Comment 3 William Brown 2024-06-20 23:38:23 UTC
It seems a lot more like a bug that if the -pc files don't exist, pam-config should be free to recreate them, but in that case it shouldn't be nuking the config just because someone deleted the -pc files.
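
The %post condition described in Comment 2, turned into a pre-upgrade check that can run from configuration management before a remote upgrade. This is an added example, not code from the pam-config package or from anyone in this thread; the function name `pam_preflight` and the list of four common-* services are assumptions.

```shell
#!/bin/sh
# Added example: flags the state from Comment 2, where custom common-* files
# exist but common-auth-pc is missing, so %post would run pam-config --force.
# Assumption: these four services are the common-* files pam-config manages.
PAM_SERVICES="auth account password session"

# pam_preflight [DIR]
# Prints one finding per line for DIR (default /etc/pam.d).
# Returns 1 if custom (regular-file) common-* configuration exists while
# common-auth-pc is absent, 0 otherwise.
pam_preflight() {
    dir=${1:-/etc/pam.d}
    risk=0
    custom=0
    for s in $PAM_SERVICES; do
        f="$dir/common-$s"
        if [ -L "$f" ]; then
            # Symlink: this file is already under pam-config's control.
            echo "managed: $f -> $(readlink "$f")"
        elif [ -f "$f" ]; then
            # Regular file: locally maintained configuration.
            custom=1
            echo "custom:  $f is a regular file"
        else
            echo "missing: $f"
        fi
    done
    # Per Comment 2, the %post script tests for this one file only.
    if [ ! -e "$dir/common-auth-pc" ]; then
        echo "marker:  $dir/common-auth-pc is absent"
        if [ "$custom" -eq 1 ]; then
            risk=1
        fi
    fi
    return $risk
}

# Usage: pam_preflight /etc/pam.d || echo "custom PAM config at risk" >&2
```

A non-zero return means the host is in the state Comment 2 describes and should be corrected before the package is upgraded over SSH.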