[Bug 2087827] Re: Pam includes does not look in /usr/lib/pam.d
Philip Meulengracht
2087827 at bugs.launchpad.net
Mon Nov 11 09:08:48 UTC 2024
** Description changed:
Hey!
We're using libpam in the Ubuntu Core rootfs for the core24 snap (which
is pam from Noble). We've run into a sitaution where we would like to
move pam.d files into /usr/lib/pam.d instead of /etc/pam.d, and looking
at man pages this should be supported. (I.e it always checks /etc/pam.d
first, then /usr/lib/pam.d).
However, there seems to be an issue (or misunderstanding) in terms of
how `include`'s are loaded. For an installation that has all pam.d files
in /usr/lib we get this error:
```
[ 556.375377] sshd[3553]: PAM _pam_load_conf_file: unable to open config for /etc/pam.d/common-auth
[ 556.377644] sshd[3553]: PAM error loading (null)
[ 556.379731] sshd[3553]: PAM _pam_init_handlers: error reading /usr/lib/pam.d/sshd
[ 556.382681] sshd[3553]: PAM _pam_init_handlers: [Critical error - immediate abort]
[ 556.384512] sshd[3553]: PAM error reading PAM configuration file
[ 556.386397] sshd[3553]: PAM pam_start: failed to initialize handlers
[ 556.389716] sshd[3553]: PAM pam_end: NULL pam handle passed
[ 556.393755] sshd[3553]: fatal: PAM: initialisation failed
```
It seems to correctly read sshd from /usr/lib/pam.d/, however the
includes it seems it insists on loading through /etc/pam.d. Looking at
the code:
https://git.launchpad.net/ubuntu/+source/pam/tree/libpam/pam_handlers.c?h=applied/ubuntu/noble#n227
it seems that it only checks /etc/pam.d, and not /usr/lib/pam.d. This
seems to not be in line with the man pages?
+
+ *note* this seem at first glance that there might be a bug in the patch
+ `debian/patches/031_pam_include`
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/2087827
Title:
Pam includes does not look in /usr/lib/pam.d
Status in pam package in Ubuntu:
New
Bug description:
Hey!
We're using libpam in the Ubuntu Core rootfs for the core24 snap
(which is pam from Noble). We've run into a sitaution where we would
like to move pam.d files into /usr/lib/pam.d instead of /etc/pam.d,
and looking at man pages this should be supported. (I.e it always
checks /etc/pam.d first, then /usr/lib/pam.d).
However, there seems to be an issue (or misunderstanding) in terms of
how `include`'s are loaded. For an installation that has all pam.d
files in /usr/lib we get this error:
```
[ 556.375377] sshd[3553]: PAM _pam_load_conf_file: unable to open config for /etc/pam.d/common-auth
[ 556.377644] sshd[3553]: PAM error loading (null)
[ 556.379731] sshd[3553]: PAM _pam_init_handlers: error reading /usr/lib/pam.d/sshd
[ 556.382681] sshd[3553]: PAM _pam_init_handlers: [Critical error - immediate abort]
[ 556.384512] sshd[3553]: PAM error reading PAM configuration file
[ 556.386397] sshd[3553]: PAM pam_start: failed to initialize handlers
[ 556.389716] sshd[3553]: PAM pam_end: NULL pam handle passed
[ 556.393755] sshd[3553]: fatal: PAM: initialisation failed
```
It seems to correctly read sshd from /usr/lib/pam.d/, however the
includes it seems it insists on loading through /etc/pam.d. Looking at
the code:
https://git.launchpad.net/ubuntu/+source/pam/tree/libpam/pam_handlers.c?h=applied/ubuntu/noble#n227
it seems that it only checks /etc/pam.d, and not /usr/lib/pam.d. This
seems to not be in line with the man pages?
*note* this seem at first glance that there might be a bug in the
patch `debian/patches/031_pam_include`
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/2087827/+subscriptions
More information about the foundations-bugs
mailing list