[Bug 1860826] Re: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory

Brian Murray 1860826 at bugs.launchpad.net
Tue Sep 28 16:35:43 UTC 2021 

Hello Seth, or anyone else affected,

Accepted pam into focal-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/pam/1.3.1-5ubuntu4.3
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
focal to verification-done-focal. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-focal. In either case, without details of your testing we will
not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: pam (Ubuntu Focal)
       Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-focal

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/1860826

Title:
  pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or
  directory

Status in pam package in Ubuntu:
  Fix Released
Status in pam source package in Focal:
  Fix Committed
Status in pam source package in Groovy:
  Won't Fix
Status in pam package in Debian:
  Fix Released

Bug description:
  [Impact]
  Removal of the /etc/securetty file from the system results in useless log messages whenever pam_unix is invoked, which for some systems is quite a lot of logging. /etc/securetty is not coming back, and this is not an error.

  [Test Plan]
  1. Run 'sudo -s'.  Confirm that 'journalctl | grep sudo.*securetty' returns a line 'sudo[...]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory'.
  2. Install libpam-modules update from -proposed.
  3. Confirm that 'grep nullok_secure' /etc/pam.d/common-auth returns no lines.
  4. Run 'sudo -k'.
  5. Run 'sudo -s' again.
  6. Confirm that sudo succeeds and gives you a root shell.
  7. Confirm that 'journalctl | grep sudo.*securetty' does not show any new lines.

  [Where problems could occur]
  PAM is a sensitive package because it's used in all authentication operations on the system.  A bug here could render a user unable to log in to their system.

  Risks are mitigated by:
  - including a patch that treats the obsolete 'nullok_secure' as an alias for 'nullok' to ensure any user-edited configurations continue to work rather than throwing errors about unknown options
  - editing the system-managed /etc/pam.d/common-auth config to use 'nullok' instead of 'nullok_secure' for future compatibility.

  Because we are editing the system config, this could also cause issues
  on future upgrades with undesirable prompts to the user.  However, the
  maintainer scripts are not meant to prompt on changes to the pam-
  config, and this code has been in Debian for a while with no reports
  of problems.

  
  [Original description]
  Hello, after upgrading to focal I found the following in my journalctl output:

  Jan 24 23:07:00 millbarge sudo[32120]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory
  Jan 24 23:07:01 millbarge sudo[32120]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory

  The login package stopped packaging this file:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731656
  and now forcibly removes the file:
  https://paste.ubuntu.com/p/myh9cGWrHD/

  However, the pam package's pam_unix.so module has not yet been adapted to ignore this file:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674857#25

  Thanks

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: libpam-modules 1.3.1-5ubuntu4
  ProcVersionSignature: Ubuntu 5.4.0-9.12-generic 5.4.3
  Uname: Linux 5.4.0-9-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu15
  Architecture: amd64
  Date: Fri Jan 24 23:35:33 2020
  ProcEnviron:
   TERM=rxvt-unicode-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: pam
  UpgradeStatus: Upgraded to focal on 2020-01-24 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/1860826/+subscriptions

More information about the foundations-bugs mailing list