diff options
| -rw-r--r-- | debian/changelog | 7 | ||||
| -rw-r--r-- | debian/libpam-modules.preinst | 33 | ||||
| -rw-r--r-- | debian/libpam-modules.templates | 9 |
3 files changed, 48 insertions, 1 deletions
diff --git a/debian/changelog b/debian/changelog index daa8e6bc..376b0ab5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +pam (1.4.0-5) unstable; urgency=medium + + * Remove profiles containing pam_tally or pam_tally2 since we no longer + build them. + + -- Sam Hartman <hartmans@debian.org> Wed, 24 Feb 2021 14:11:06 -0500 + pam (1.4.0-4) unstable; urgency=medium * Document in README.source how to avoid multi-arch problems with documentation, Closes: #851650 diff --git a/debian/libpam-modules.preinst b/debian/libpam-modules.preinst index 3a86a8fb..3102b6a6 100644 --- a/debian/libpam-modules.preinst +++ b/debian/libpam-modules.preinst @@ -4,8 +4,39 @@ set -e . /usr/share/debconf/confmodule + +handle_profiles_with_removed_modules() { + removed_modules="$1" + profiles="" + modules="" + test -x /usr/sbin/pam-auth-update ||return 0 + test -r /var/lib/pam/auth ||return 0 + for module in $removed_modules; do + new_profiles=$( perl -nle 'BEGIN {$removed = shift;} /^Module: (.*)$/&&($profile = $1); /^[^#]*$removed/&&$profile&&($profiles{$profile} = 1); END {print join("\n",keys %profiles) if %profiles;}' \ + $module \ + /var/lib/pam/auth /var/lib/pam/account \ + /var/lib/pam/password /var/lib/pam/session \ + /var/lib/pam/session-noninteractive) + if [ "$new_profiles" != "" ]; then + modules="$modules $module" + profiles="${profiles}${new_profiles}" + fi + done + profiles=$( echo "$profiles" |sort |uniq) + if [ "$profiles" != "" ]; then + db_reset libpam-modules/profiles-disabled + db_subst libpam-modules/profiles-disabled modules "$modules" + db_input critical libpam-modules/profiles-disabled ||true + db_go ||true + pam-auth-update --remove $profiles + fi +} + + + if dpkg --compare-versions "$2" lt-nl 1.4.0-2; then - db_version 2.0 + db_version 2.0 + handle_profiles_with_removed_modules pam_tally if pidof xscreensaver xlockmore >/dev/null; then db_input critical libpam-modules/disable-screensaver || true diff --git a/debian/libpam-modules.templates b/debian/libpam-modules.templates index b928751e..491bc5c1 100644 --- a/debian/libpam-modules.templates +++ b/debian/libpam-modules.templates @@ -7,3 +7,12 @@ _Description: xscreensaver and xlockmore must be restarted before upgrading authenticate to these programs. You should arrange for these programs to be restarted or stopped before continuing this upgrade, to avoid locking your users out of their current sessions. + +Template: libpam-modules/profiles-disabled +Type: error +_Description: PAM Profiles with Deprecated Modules Disabled + Your system had PAM profiles enabled with the ${modules} PAM + modules. These modules have been removed from PAM. Leaving these PAM + profiles enabled would prevent users from accessing your system. As a + result, these profiles have been disabled. +
\ No newline at end of file |