[Pkg-shadow-devel] Bug#1038861: login updates login.defs, adds options that old groupmod doesn't understand

Marc Haber mh+debian-packages at zugschlus.de
Thu Jun 22 07:13:24 BST 2023


Package: login
Version: 1:4.13+dfsg1-1+b1
Severity: minor

Hi,

upgrading from bullseye to bookworm, during the "apt upgrade" step, it
may happen that login updates login.defs and adds the NONEXISTENT and
PREVENT_NO_AUTH options to login.defs. However, it is not guaranteed
that passwd gets upgraded quickly afterwards. Old groupmod, from old
passwd, doesn't understand the new configuration options and logs

Jun 22 07:38:41 emptybullseye99 groupmod[6828]: unknown configuration item `NONEXISTENT'
Jun 22 07:38:41 emptybullseye99 groupmod[6828]: unknown configuration item `PREVENT_NO_AUTH'

Those messages also end up on the console, unfortunately without a
prefix indicating which program caused the message. It just says
"configuration error - unknown item NONEXISTENT". If groupmod didn't log to
syslog as well, I would still be searching.

This shows, for example, when openssh-client tries to rename its ssh
group to _ssh in postinst between the updates of login and passwd. I
have also seen this when upgrading udev from bullseye to bookworm as it
tries to create the new sgx group.

Functionality is not affected, the operation succeeds, but there is a
confusing error message on the console.

Maybe it would be a good idea to have a versioned dependency between
login and passwd, preventing the case of an old binary not fully
understanding a new configuration file.

Greetings
Marc


-- System Information:
Debian Release: 11.7
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.3.7-zgsrv20080 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages login depends on:
ii  libaudit1       1:3.0-2
ii  libc6           2.36-9
ii  libcrypt1       1:4.4.18-4
ii  libpam-modules  1.4.0-9+deb11u1
ii  libpam-runtime  1.4.0-9+deb11u1
ii  libpam0g        1.4.0-9+deb11u1

login recommends no packages.

login suggests no packages.

-- Configuration Files:
/etc/pam.d/login changed [not included]

-- no debconf information
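
Added example (not part of the original report and not code from the shadow package): attributing the "unknown configuration item" messages to the program that logged them, and checking whether each rejected option is actually set in login.defs, which is the old-binary/new-config case the report describes. The login.defs excerpt and its values, the sshd line and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: the two syslog lines quoted in the report, one
# unrelated line, and a minimal login.defs excerpt with assumed values.
SAMPLE_SYSLOG = """\
Jun 22 07:38:41 emptybullseye99 groupmod[6828]: unknown configuration item `NONEXISTENT'
Jun 22 07:38:41 emptybullseye99 groupmod[6828]: unknown configuration item `PREVENT_NO_AUTH'
Jun 22 07:38:42 emptybullseye99 sshd[700]: Server listening on 0.0.0.0 port 22.
"""
SAMPLE_LOGIN_DEFS = """\
# comment lines and blank lines are ignored
UMASK           022
NONEXISTENT     /nonexistent
PREVENT_NO_AUTH superuser
"""

# Traditional syslog prefix, then the message format shown in the report.
UNKNOWN_ITEM = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]{8}\s+(?P<host>\S+)\s+(?P<prog>[^\s\[]+)\[(?P<pid>\d+)\]:"
    r"\s+unknown configuration item [`'](?P<item>\w+)'")

def active_keys(login_defs_text):
    """Return the option names set in login.defs, skipping comments and blanks."""
    keys = set()
    for line in login_defs_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            keys.add(line.split()[0])
    return keys

def attribute_unknown_items(syslog_text, login_defs_text):
    """Map (host, program) to rejected items, split by whether the item is
    really set in login.defs (assumed here to mean old binary, new config)."""
    present = active_keys(login_defs_text)
    report = defaultdict(lambda: {"skew": [], "not_in_config": []})
    for line in syslog_text.splitlines():
        m = UNKNOWN_ITEM.match(line)
        if not m:
            continue
        bucket = "skew" if m["item"] in present else "not_in_config"
        entry = report[(m["host"], m["prog"])][bucket]
        if m["item"] not in entry:  # one entry per item, however often logged
            entry.append(m["item"])
    return dict(report)

if __name__ == "__main__":
    result = attribute_unknown_items(SAMPLE_SYSLOG, SAMPLE_LOGIN_DEFS)
    for (host, prog), items in result.items():
        print(f"{host}: {prog} rejected {items['skew']} (set in login.defs)")
```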


