Bugzilla – Bug 1226639
Custom PAM configuration replaced with pam-config links during Leap 15.6 upgrade
Last modified: 2024-06-20 23:38:23 UTC
Hi, in our openSUSE infrastructure we use custom PAM configuration - pam-config is installed because it's a dependency of some applications but is not used. When upgrading Leap 15.5 to 15.6, the package pam-config-1.1-150600.14.3.x86_6 is installed, and overwrites the custom common-X configuration files with common-X-pc symlinks in /etc/pam.d which effectively locks me out of the system when doing remote upgrades over SSH.
Please provide some more information beside "overwrites something". By default pam-config does not overwrite anything if you follow the instructions, look at the pam-config %post script. Did you follow the instructions from the common-*-pc files how to disable pam-config? Log files? How to reproduce? In all cases I saw this behavior the reason was because people did not read.
The %post script checks for a file "common-auth-pc", if it is missing, pam-config will be called with --force, causing the observed effect. This file sure gets preserved when merely using the command line suggested in the -pc file comments, but we don't seem to have this file on all machines. Git history indicates it got deleted accidentally by configuration management in the past, which was corrected shortly after but without having re-run pam-config with --force afterwards due to lack of knowledge about the importance of this particular -pc file - the zypp history suggests no pam-config update happened recently, so it's likely it was merely not noticed earlier. Thanks for the pointer.
It seems a lot more like a bug that if the -pc files don't exist, pam-config should be free to recreate them, but in that case it should'nt be nuking the config just because someone deleted the -pc files.