pam-auth-update does not correctly process a valid profile file

Bug #295441 reported by Daniel Richard G.
Affects        Status         Importance   Assigned to      Milestone
pam (Ubuntu)   Fix Released   High         Steve Langasek
Intrepid       Fix Released   Medium       Steve Langasek

Bug Description

Binary package hint: libpam-runtime

Working with libpam-runtime 1.0.1-4ubuntu5 in intrepid.

I've put together a profile for pam-auth-update to use. For some reason, it doesn't like the session-related fields I have, despite them appearing to be well-formed. Attached is a (somewhat) minimal example that triggers the bug.

When I run pam-auth-update to enable the new profile, I get this mess (after returning from the debconf dialog):

# pam-auth-update
Use of uninitialized value $3 in split at /usr/sbin/pam-auth-update line 237, <INPUT> line 23.
Use of uninitialized value $modline in substitution (s///) at /usr/sbin/pam-auth-update line 239, <INPUT> line 23.
Use of uninitialized value $mod in substitution (s///) at /usr/sbin/pam-auth-update line 242, <INPUT> line 23.
Use of uninitialized value $mod in hash element at /usr/sbin/pam-auth-update line 243, <INPUT> line 23.
Use of uninitialized value $mod in hash element at /usr/sbin/pam-auth-update line 244, <INPUT> line 23.
Use of uninitialized value $modline in concatenation (.) or string at /usr/sbin/pam-auth-update line 258, <INPUT> line 23.
Use of uninitialized value $3 in split at /usr/sbin/pam-auth-update line 237, <INPUT> line 23.
Use of uninitialized value $modline in substitution (s///) at /usr/sbin/pam-auth-update line 239, <INPUT> line 23.
Use of uninitialized value $mod in substitution (s///) at /usr/sbin/pam-auth-update line 242, <INPUT> line 23.
Use of uninitialized value $mod in hash element at /usr/sbin/pam-auth-update line 243, <INPUT> line 23.
Use of uninitialized value $mod in hash element at /usr/sbin/pam-auth-update line 244, <INPUT> line 23.
Use of uninitialized value $modline in concatenation (.) or string at /usr/sbin/pam-auth-update line 258, <INPUT> line 23.
Use of uninitialized value $3 in split at /usr/sbin/pam-auth-update line 237, <INPUT> line 23.
Use of uninitialized value $modline in substitution (s///) at /usr/sbin/pam-auth-update line 239, <INPUT> line 23.
Use of uninitialized value $mod in substitution (s///) at /usr/sbin/pam-auth-update line 242, <INPUT> line 23.
Use of uninitialized value $mod in hash element at /usr/sbin/pam-auth-update line 243, <INPUT> line 23.
Use of uninitialized value $mod in hash element at /usr/sbin/pam-auth-update line 244, <INPUT> line 23.
Use of uninitialized value $modline in concatenation (.) or string at /usr/sbin/pam-auth-update line 258, <INPUT> line 23.

Unfortunately, /etc/pam.d/common-session turns out incorrectly generated. Here is the last part of the file, after the above operation:

# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_krb5.so minimum_uid=20000
session
session
session
# end of pam-auth-update config

Then, when I go to disable the profile, the below comes up just before the debconf dialog:

# pam-auth-update
Use of uninitialized value $3 in split at /usr/sbin/pam-auth-update line 607, <CURRENT> line 26.
Use of uninitialized value $curmod in quotemeta at /usr/sbin/pam-auth-update line 615, <CURRENT> line 26.
Use of uninitialized value $3 in split at /usr/sbin/pam-auth-update line 607, <CURRENT> line 27.
Use of uninitialized value $curmod in quotemeta at /usr/sbin/pam-auth-update line 615, <CURRENT> line 27.
Use of uninitialized value $3 in split at /usr/sbin/pam-auth-update line 607, <CURRENT> line 28.
Use of uninitialized value $curmod in quotemeta at /usr/sbin/pam-auth-update line 615, <CURRENT> line 28.
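
A check that could be run against the generated file described above (an added example, not part of the original report or of pam-auth-update): it flags entries in an /etc/pam.d/common-* file that carry a module type but no control flag or module path, like the bare `session` lines shown. The sample text is constructed from the report's output, `pam_example.so` is a hypothetical module name, and backslash line continuations are not handled.

```python
import re

PAM_TYPES = {"auth", "account", "password", "session"}
CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}
# type, control (keyword or [value=action ...]), module path, optional arguments
ENTRY_RE = re.compile(r"^-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")

# Constructed sample: the tail of common-session as shown in the report,
# plus one bracket-control line using a hypothetical module name.
SAMPLE = """\
# and here are more per-package modules (the "Additional" block)
session\trequired\tpam_unix.so
session\t[success=ok default=ignore]\tpam_example.so
session\toptional\tpam_krb5.so minimum_uid=20000
session\t
session\t
session\t
# end of pam-auth-update config
"""

def check_pam_config(text):
    """Return (line_number, reason) for every malformed entry in a PAM config."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Blank lines, comments and Debian-style @include directives are not entries.
        if not line or line.startswith("#") or line.startswith("@include"):
            continue
        mtype = line.split()[0].lstrip("-")
        if mtype not in PAM_TYPES:
            problems.append((lineno, "unknown module type"))
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            # This is the shape the report shows: a type with nothing after it.
            problems.append((lineno, "missing control flag or module path"))
        elif not m.group(2).startswith("[") and m.group(2) not in CONTROLS:
            problems.append((lineno, "unknown control flag"))
    return problems

if __name__ == "__main__":
    for lineno, reason in check_pam_config(SAMPLE):
        print(f"line {lineno}: {reason}")
```
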

Daniel Richard G. (skunk) wrote :
Steve Langasek (vorlon)
Changed in pam:
assignee: nobody → vorlon
importance: Undecided → High
status: New → Fix Committed
Steve Langasek (vorlon)
Changed in pam:
assignee: nobody → vorlon
importance: Undecided → Medium
status: New → Confirmed
Colin Whittaker (colin-netech) wrote :

What is the fix for this? Will it be added to intrepid-updates?

Steve Langasek (vorlon) wrote :

This bug was fixed in the upload of pam 1.0.1-5ubuntu1. Changes:

pam (1.0.1-5ubuntu1) jaunty; urgency=low

  * Merge from Debian unstable
  * Remaining changes:
    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
      present there or in /etc/security/pam_env.conf. (should send to Debian).
    - debian/libpam0g.postinst: only ask questions during update-manager when
      there are non-default services running.
    - debian/patches-applied/series: Ubuntu patches are as below ...
    - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
      type rather than __u8.
    - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
      module option 'missingok' which will suppress logging of errors by
      libpam if the module is not found.
    - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
      password on bad username.
    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
      initialise RLIMIT_NICE rather than relying on the kernel limits.
    - debian/patches-applied/ubuntu-user_defined_environment: Look at
      ~/.pam_environment too, with the same format as
      /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
    - Change Vcs-Bzr to point at the Ubuntu branch.
    - debian/local/pam-auth-update (et al): new interface for managing
      /etc/pam.d/common-*, using drop-in config snippets provided by module
      packages.
    - debian/local/common-password, debian/pam-configs/unix: switch from
      "md5" to "sha512" as password crypt default.
  * Bump the version numbers referenced in the config files, again, as pam
    has revved in Debian and moved the bar.
  * pam-auth-update: If /var/lib/pam/seen is absent, treat this the same
    as a present but empty file; thanks to Greg Price for the patch.
    LP: #294513.
  * pam-auth-update: Ignore removed profiles when detecting an empty set
    of currently-enabled modules. Thanks to Greg Price for this as well.
  * debian/control: libpam-runtime needs a versioned dependency on
    debconf, because it uses the x_loadtemplatefile extension that's
    not supported by debconf versions before hardy. LP: #295135.
  * pam-auth-update: trim leading whitespace from multiline fields when
    parsing PAM profiles. LP: #295441.
  * pam-auth-update: factor out the duplicate code used for returning
    the lines for a given module

  [ Jonathan Marsden ]
  * debian/patches/027_pam_limits_better_init_allow_explicit_root:
    Add to patch, documenting how to set limits for root user.
    Include an example. Alters limits.conf, limits.conf.5.xml,
    and limits.conf.5 . (LP: #65244)

Changed in pam:
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

Accepted into intrepid-proposed; please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in pam:
status: Confirmed → Fix Committed
Martin Pitt (pitti) wrote :

Whoops, sorry. Rejecting:

FAILED: pam (The source pam - 1.0.1-4ubuntu5.4 is already accepted in ubuntu/jaunty and you cannot upload the same version within the same distribution. You have to modify the source version and re-upload.)

Please bump version and reupload.

Changed in pam:
status: Fix Committed → Triaged
Steve Langasek (vorlon) wrote : Re: [Bug 295441] Re: pam-auth-update does not correctly process a valid profile file

On Fri, Mar 13, 2009 at 06:03:25PM -0000, Martin Pitt wrote:
> FAILED: pam (The source pam - 1.0.1-4ubuntu5.4 is already accepted in
> ubuntu/jaunty and you cannot upload the same version within the same
> distribution. You have to modify the source version and re-upload.)

> Please bump version and reupload.

Gah. :( Reuploaded.

--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
<email address hidden>                              <email address hidden>

Martin Pitt (pitti) wrote :

Accepted into intrepid-proposed; please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in pam (Ubuntu Intrepid):
status: Triaged → Fix Committed
tags: added: verification-needed
Daniel Richard G. (skunk) wrote :

pam-auth-update(8) from intrepid-proposed is no longer generating invalid PAM config files, but it still prints a spew of Perl warnings when invoked:

# /usr/sbin/pam-auth-update
Use of uninitialized value $3 in split at /usr/sbin/pam-auth-update line 607, <CURRENT> line 27.
Use of uninitialized value $curmod in quotemeta at /usr/sbin/pam-auth-update line 615, <CURRENT> line 27.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 637, <CURRENT> line 27.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 637, <CURRENT> line 27.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 637, <CURRENT> line 27.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 637, <CURRENT> line 27.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 637, <CURRENT> line 27.
Use of uninitialized value $3 in split at /usr/sbin/pam-auth-update line 607, <CURRENT> line 28.
Use of uninitialized value $curmod in quotemeta at /usr/sbin/pam-auth-update line 615, <CURRENT> line 28.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 637, <CURRENT> line 28.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 637, <CURRENT> line 28.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 637, <CURRENT> line 28.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 637, <CURRENT> line 28.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 637, <CURRENT> line 28.
Use of uninitialized value $3 in split at /usr/sbin/pam-auth-update line 607, <CURRENT> line 29.
Use of uninitialized value $curmod in quotemeta at /usr/sbin/pam-auth-update line 615, <CURRENT> line 29.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 637, <CURRENT> line 29.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 637, <CURRENT> line 29.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 637, <CURRENT> line 29.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 637, <CURRENT> line 29.

For reference purposes, I am attaching my modified copy of the (old) pam-auth-update script, that works correctly and does not produce warnings.

Please get a fix for this into Jaunty ASAP.

Martin Pitt (pitti) wrote :

Can anyone test the intrepid-proposed version, please?

Chaskiel Grundman (cg2v) wrote :

I installed this update today. (I did not previously have the problem, or if I did, I fixed it by adjusting my profile.)
After upgrading, I downloaded the test case, installed it in /usr/share/pam-configs, and ran pam-auth-update. There were no Perl warnings, and the correct adjustment to /etc/pam.d/common-session occurred:
diff -r /tmp/pam-save/common-session /etc/pam.d/common-session
25a26,29
> session optional pam_krb5.so minimum_uid=20000
> session optional pam_afs_session.so
> session optional pam_exec.so /etc/athena/scratchdir
> session optional pam_exec.so /etc/athena/session

Disabling the service also worked without any Perl warnings. I can confirm that if I have libpam-runtime=1.0.1-4ubuntu5.3 installed, then pam-auth-update with the test case behaves as in the original report.

Martin Pitt (pitti)
tags: added: verification-done
removed: verification-needed
Daniel Richard G. (skunk) wrote :

Martin, I have libpam-runtime 1.0.1-4ubuntu5.5 on Intrepid here. My report from 2009-03-25 still stands. Can you please fix those Perl warnings?

Martin Pitt (pitti) wrote :

Daniel, can you please open a new bug for the warnings?

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pam - 1.0.1-4ubuntu5.5

---------------
pam (1.0.1-4ubuntu5.5) intrepid-proposed; urgency=low

  * pam-auth-update: trim leading whitespace from multiline fields when
    parsing PAM profiles. LP: #295441.

 -- Steve Langasek <email address hidden> Mon, 09 Mar 2009 23:02:31 -0700

Changed in pam (Ubuntu Intrepid):
status: Fix Committed → Fix Released
Daniel Richard G. (skunk) wrote :

Bug #364665 created: "pam-auth-update spews Perl warnings while processing a valid profile file"
