[Pkg-shadow-devel] Re: Bug#330291: Authentication problem with pbuilder

Junichi Uekawa dancer at netfort.gr.jp
Wed Sep 28 12:39:23 UTC 2005 

tags 330291 +patch
reassign 330291 login
severity 330291 serious
thanks

Hi,

> > Extracting source
> > Password: su: Authentication failure
> > Sorry.
> > pbuilder: Failed extracting the source
> >   -> Aborting with an error
> >   -> unmounting dev/pts filesystem
> > ...
> > 
> > 
> > I guess I have to set a further sudo permission here but for what program?
> > It is 'sudo su' ?  I would not really like this even if it is convinient.
> > 
> 
> I've tracked the problem down to the fact that 
> /etc/pam.d/su no longer exists with a clean install
> since around yesterday.
> Upgraded systems continue to work since /etc/pam.d/su 
> already exists.
> 
> Without /etc/pam.d/su, root running su will be asked
> for a password.
> 
> I'm suspecting either of
> 
> login 1:4.0.12-2 -> 1:4.0.12-3
> pam 0.76-23->0.79-1

I've tracked it down to shadow; I think this is the required patch.



diff -urN shadow-4.0.12-orig/debian/login.su.pam shadow-4.0.12/debian/login.su.pam
--- shadow-4.0.12-orig/debian/login.su.pam	1970-01-01 09:00:00.000000000 +0900
+++ shadow-4.0.12/debian/login.su.pam	2005-09-28 21:16:25.598938168 +0900
@@ -0,0 +1,45 @@
+#
+# The PAM configuration file for the Shadow `su' service
+#
+
+# Uncomment this to force users to be a member of group root
+# before they can use `su'. You can also add "group=foo" to
+# to the end of this line if you want to use a group other
+# than the default "root".
+# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
+# auth       required   pam_wheel.so
+
+# Uncomment this if you want wheel members to be able to
+# su without a password.
+# auth       sufficient pam_wheel.so trust
+
+# Uncomment this if you want members of a specific group to not
+# be allowed to use su at all.
+# auth       required   pam_wheel.so deny group=nosu
+
+# This allows root to su without passwords (normal operation)
+auth       sufficient pam_rootok.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on su usage.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# This module parses /etc/environment (the standard for setting
+# environ vars) and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# (Replaces the `ENVIRON_FILE' setting from login.defs)
+auth       required   pam_env.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+ at include common-auth
+ at include common-account
+ at include common-session
+
+# Sets up user limits, please uncomment and read /etc/security/limits.conf
+# to enable this functionality.
+# (Replaces the use of /etc/limits in old login)
+# session    required   pam_limits.so
diff -urN shadow-4.0.12-orig/debian/passwd.su.pam shadow-4.0.12/debian/passwd.su.pam
--- shadow-4.0.12-orig/debian/passwd.su.pam	2005-09-28 21:16:25.598938168 +0900
+++ shadow-4.0.12/debian/passwd.su.pam	1970-01-01 09:00:00.000000000 +0900
@@ -1,45 +0,0 @@
-#
-# The PAM configuration file for the Shadow `su' service
-#
-
-# Uncomment this to force users to be a member of group root
-# before they can use `su'. You can also add "group=foo" to
-# to the end of this line if you want to use a group other
-# than the default "root".
-# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
-# auth       required   pam_wheel.so
-
-# Uncomment this if you want wheel members to be able to
-# su without a password.
-# auth       sufficient pam_wheel.so trust
-
-# Uncomment this if you want members of a specific group to not
-# be allowed to use su at all.
-# auth       required   pam_wheel.so deny group=nosu
-
-# This allows root to su without passwords (normal operation)
-auth       sufficient pam_rootok.so
-
-# Uncomment and edit /etc/security/time.conf if you need to set
-# time restrainst on su usage.
-# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
-# as well as /etc/porttime)
-# account    requisite  pam_time.so
-
-# This module parses /etc/environment (the standard for setting
-# environ vars) and also allows you to use an extended config
-# file /etc/security/pam_env.conf.
-# (Replaces the `ENVIRON_FILE' setting from login.defs)
-auth       required   pam_env.so
-
-# The standard Unix authentication modules, used with
-# NIS (man nsswitch) as well as normal /etc/passwd and
-# /etc/shadow entries.
- at include common-auth
- at include common-account
- at include common-session
-
-# Sets up user limits, please uncomment and read /etc/security/limits.conf
-# to enable this functionality.
-# (Replaces the use of /etc/limits in old login)
-# session    required   pam_limits.so
diff -urN shadow-4.0.12-orig/debian/rules shadow-4.0.12/debian/rules
--- shadow-4.0.12-orig/debian/rules	2005-09-28 21:16:25.599938016 +0900
+++ shadow-4.0.12/debian/rules	2005-09-28 21:33:47.577533344 +0900
@@ -115,6 +115,7 @@
 	dh_installpam -p passwd --name=groupmod
 	dh_installpam -p passwd --name=newusers
 	dh_installpam -p login
+	dh_installpam -p login --name=su
 	install -c -m 444 debian/login.defs debian/login/etc/login.defs
 	install -c -m 444 debian/securetty.$(DEB_HOST_ARCH_OS) debian/login/etc/securetty
 	install -d debian/passwd/usr/share/passwd

More information about the Pkg-shadow-devel mailing list