author | Sam Hartman <hartmans@debian.org> | 2021-02-25 14:58:25 -0500 |
---|---|---|
committer | Steve Langasek <steve.langasek@canonical.com> | 2021-09-15 17:52:36 -0700 |
commit | d2540f941667b1bdf71e73c0ea7eb752d4f5a4fa (patch) | |
tree | 03bd1e3dbc4cbe88741ec44976c4cdb7c265ccdc | |
parent | 2547108793e587e35782a9ec96cd5f297b7afff1 (diff) | |
libpam-modules.preinst,templates: detect pam_tally
Detect any uses of pam_tally that are left after disabling profiles,
and halt upgrade on them.
-rw-r--r-- | debian/libpam-modules.preinst | 13 | ||||
-rw-r--r-- | debian/libpam-modules.templates | 12 |
2 files changed, 23 insertions, 2 deletions
diff --git a/debian/libpam-modules.preinst b/debian/libpam-modules.preinst
index 3102b6a6..25623fe8 100644
--- a/debian/libpam-modules.preinst
+++ b/debian/libpam-modules.preinst
@@ -36,7 +36,18 @@ handle_profiles_with_removed_modules() {
 if dpkg --compare-versions "$2" lt-nl 1.4.0-2; then
 db_version 2.0
- handle_profiles_with_removed_modules pam_tally
+ handle_profiles_with_removed_modules pam_tally
+ # We have a generic template for removing pam-profiles because
+ # there is a sane automatic action. If we detect the modules in
+ # user configurations we want a specific template so we can
+ # recommend a replacement
+ # /dev/null reference is to make sure we don't grep stdin if
+ # somehow ls returns empty
+ if grep -qe '^[^#]*pam_tally' $(ls -1d /etc/pam.d/* | grep -e '^/etc/pam.d/[0-9a-zA-Z/]*$' ) /dev/null ; then
+ db_input critical libpam-modules/deprecate-tally ||true
+ db_go ||true
+ exit 2
+ fi
 if pidof xscreensaver xlockmore >/dev/null; then
 db_input critical libpam-modules/disable-screensaver || true
diff --git a/debian/libpam-modules.templates b/debian/libpam-modules.templates
index 491bc5c1..fcc9e2d6 100644
--- a/debian/libpam-modules.templates
+++ b/debian/libpam-modules.templates
@@ -15,4 +15,14 @@ _Description: PAM Profiles with Deprecated Modules Disabled modules. These modules have been removed from PAM. Leaving these PAM profiles enabled would prevent users from accessing your system. As a result, these profiles have been disabled.
-
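Review bot: In debian/libpam-modules.preinst, the filename filter inside the added `if grep -qe '^[^#]*pam_tally' $(ls -1d /etc/pam.d/* | grep -e '^/etc/pam.d/[0-9a-zA-Z/]*$' ) ...` line only admits names made of letters, digits and `/`. Files with a hyphen or underscore, such as `/etc/pam.d/common-auth` where Debian systems normally keep shared auth stacks, are therefore never searched, and the upgrade would proceed with pam_tally still configured. That is the lockout this check exists to prevent, so the class should at least cover `-` and `_`, for example `grep -e '^/etc/pam\.d/[0-9a-zA-Z_-]*$'`. That pattern still leaves out backup names like `*.dpkg-old` and keeps the unquoted `$(...)` free of characters that would word-split or glob. The enclosing `if dpkg --compare-versions` block continues past the end of the hunk.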
\ No newline at end of file
+
+Template: libpam-modules/deprecate-tally
+Type: error
+_Description: you are using pam_Tally or pam_tally2 in your configuration
+ The pam_tally and pam_tally2 modules have been removed from PAM. You
+ are using one of these modules in your PAM configuration in
+ /etc/pam.d. You must remove the uses of these modules before PAM can
+ be upgraded; including these modules in your PAM configuration after
+ the upgrade will stop users from being able to log into the system.
+ .
+ Consider the pam_faillock module as a replacement for pam_tally. |
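Review bot: The short description of the new `libpam-modules/deprecate-tally` template spells the module `pam_Tally`, while the long description and the preinst check use `pam_tally`. An administrator reading this error will search their configuration for the literal name, so it should match: `_Description: you are using pam_tally or pam_tally2 in your configuration`. The leading underscore presumably marks the field as translatable, so the spelling is best fixed before translations are made against it.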