Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Bug#1038861: login updates login.defs, adds options that old groupmod doesn't understand
151 views
Skip to first unread message
Marc Haber
Jun 22, 2023, 2:20:05 AM6/22/23
to
Package: login
Version: 1:4.13+dfsg1-1+b1
Severity: minor
Hi,
upgrading from bullseye to bookworm, during the "apt upgrade" step, it
may happen that login updates login.defs and adds the NONEXISTENT and
PREVENT_NO_AUTH options to login.defs. However, it is not guaranteed
that passwd gets upgraded quickly afterwards. Old groupmod, from old
passwd, doesn't understand the new configuration options and logs
Jun 22 07:38:41 emptybullseye99 groupmod[6828]: unknown configuration item `NONEXISTENT'
Jun 22 07:38:41 emptybullseye99 groupmod[6828]: unknown configuration item `PREVENT_NO_AUTH'
Those messages also end up on the console, unfortunately without a
prefix indicating which program caused the message. It just says
"configuration error - unknown item NONEXISTENT". If groupmod didn't log to
syslog as well, I would still be searching.
This shows, for example, when openssh-client tries to rename its ssh
group to _ssh in postinst between the updates of login and passwd. I
have also seen this when upgrading udev from bullseye to bookworm as it
tries to create the new sgx group.
Functionality is not affected, the operation succeeds, but there is a
confusing error message on the console.
Maybe it would be a good idea to have a versioned dependency between
login and passwd, preventing the case of an old binary not fully
understanding a new configuration file.
Greetings
Marc
-- System Information:
Debian Release: 11.7
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.3.7-zgsrv20080 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages login depends on:
ii libaudit1 1:3.0-2
ii libc6 2.36-9
ii libcrypt1 1:4.4.18-4
ii libpam-modules 1.4.0-9+deb11u1
ii libpam-runtime 1.4.0-9+deb11u1
ii libpam0g 1.4.0-9+deb11u1
login recommends no packages.
login suggests no packages.
-- Configuration Files:
/etc/pam.d/login changed [not included]
-- no debconf information
Version: 1:4.13+dfsg1-1+b1
Severity: minor
Hi,
upgrading from bullseye to bookworm, during the "apt upgrade" step, it
may happen that login updates login.defs and adds the NONEXISTENT and
PREVENT_NO_AUTH options to login.defs. However, it is not guaranteed
that passwd gets upgraded quickly afterwards. Old groupmod, from old
passwd, doesn't understand the new configuration options and logs
Jun 22 07:38:41 emptybullseye99 groupmod[6828]: unknown configuration item `NONEXISTENT'
Jun 22 07:38:41 emptybullseye99 groupmod[6828]: unknown configuration item `PREVENT_NO_AUTH'
Those messages also end up on the console, unfortunately without a
prefix indicating which program caused the message. It just says
"configuration error - unknown item NONEXISTENT". If groupmod didn't log to
syslog as well, I would still be searching.
This shows, for example, when openssh-client tries to rename its ssh
group to _ssh in postinst between the updates of login and passwd. I
have also seen this when upgrading udev from bullseye to bookworm as it
tries to create the new sgx group.
Functionality is not affected, the operation succeeds, but there is a
confusing error message on the console.
Maybe it would be a good idea to have a versioned dependency between
login and passwd, preventing the case of an old binary not fully
understanding a new configuration file.
Greetings
Marc
-- System Information:
Debian Release: 11.7
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.3.7-zgsrv20080 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages login depends on:
ii libaudit1 1:3.0-2
ii libc6 2.36-9
ii libcrypt1 1:4.4.18-4
ii libpam-modules 1.4.0-9+deb11u1
ii libpam-runtime 1.4.0-9+deb11u1
ii libpam0g 1.4.0-9+deb11u1
login recommends no packages.
login suggests no packages.
-- Configuration Files:
/etc/pam.d/login changed [not included]
-- no debconf information
Serge E. Hallyn
Jun 22, 2023, 9:20:04 AM6/22/23
to
On Thu, Jun 22, 2023 at 08:13:24AM +0200, Marc Haber wrote:
> Package: login
> Version: 1:4.13+dfsg1-1+b1
> Severity: minor
>
> Hi,
>
> upgrading from bullseye to bookworm, during the "apt upgrade" step, it
> may happen that login updates login.defs and adds the NONEXISTENT and
> PREVENT_NO_AUTH options to login.defs. However, it is not guaranteed
> that passwd gets upgraded quickly afterwards. Old groupmod, from old
> passwd, doesn't understand the new configuration options and logs
>
> Jun 22 07:38:41 emptybullseye99 groupmod[6828]: unknown configuration item `NONEXISTENT'
> Jun 22 07:38:41 emptybullseye99 groupmod[6828]: unknown configuration item `PREVENT_NO_AUTH'
>
> Those messages also end up on the console, unfortunately without a
> prefix indicating which program caused the message. It just says
> "configuration error - unknown item NONEXISTENT". If groupmod didn't log to
> syslog as well, I would still be searching.
That does seem annoying, I don't really see any reason for those error
> Package: login
> Version: 1:4.13+dfsg1-1+b1
> Severity: minor
>
> Hi,
>
> upgrading from bullseye to bookworm, during the "apt upgrade" step, it
> may happen that login updates login.defs and adds the NONEXISTENT and
> PREVENT_NO_AUTH options to login.defs. However, it is not guaranteed
> that passwd gets upgraded quickly afterwards. Old groupmod, from old
> passwd, doesn't understand the new configuration options and logs
>
> Jun 22 07:38:41 emptybullseye99 groupmod[6828]: unknown configuration item `NONEXISTENT'
> Jun 22 07:38:41 emptybullseye99 groupmod[6828]: unknown configuration item `PREVENT_NO_AUTH'
>
> Those messages also end up on the console, unfortunately without a
> prefix indicating which program caused the message. It just says
> "configuration error - unknown item NONEXISTENT". If groupmod didn't log to
> syslog as well, I would still be searching.
messages.
I filed https://github.com/shadow-maint/shadow/issues/746 about this.
> Pkg-shadow-devel mailing list
> Pkg-shad...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-shadow-devel
pil...@riseup.net
Oct 1, 2023, 2:30:04 PM10/1/23
to
Hello,
I am upgrading my debian 11 to debian 12 and all my systems are affected
by this bug. The systems are fully upgraded and the bug is persistent.
$ apt info login
[...]
Version: 1:4.13+dfsg-1+b1
[...]
$ apt info passwd
[...]
Version: 1:4.13+dfsg1-1+b1
[...]
No only the upgrade process is affected, but most commands that read
/etc/login.defs : useradd, userdell, groupmems, ... etc.
As I am an user of QubesOS, I reported the bug first on :
https://github.com/QubesOS/qubes-issues/issues/8559
It should not matter as the relevant programs come from debian bookworm
stable.
Cdlt
pil...@riseup.net
Oct 2, 2023, 4:00:05 AM10/2/23
to
Hello,
My bad, it seems that the systems were not fully upgraded.
Cdlt.
0 new messages