what is up with /etc/pam.d?

Michael Schwendt mschwendt at gmail.com
Sun Jun 24 12:11:01 UTC 2012


On Sun, 24 Jun 2012 07:14:03 -0400, Tom Horsley wrote:

> I've never looked at or modified any files in /etc/pam.d
> till I happened to notice some *.rpmnew files in there.
> 
> Now I see a bunch of files that are symlinks to
> other files with -ac on the end, but also have
> versions that are *.rpmnew.
> 
> rpm queries show that the pam rpm owns the
> files without the -ac and the authconfig rpm
> owns the ones with the -ac suffix.
> 
> So now, what should really be in /etc/pam.d?
> 
> [root@zooty pam.d]# pwd
> /etc/pam.d
> [root@zooty pam.d]# ls -l smartcard-auth*
> lrwxrwxrwx. 1 root root  17 May 31 17:02 smartcard-auth -> smartcard-auth-ac
> -rw-r--r--. 1 root root 754 May 31 17:25 smartcard-auth-ac
> -rw-r--r--  1 root root 743 May  9 05:21 smartcard-auth.rpmnew
> [root@zooty pam.d]# rpm -q -f /etc/pam.d/smartcard-auth
> pam-1.1.5-6.fc17.x86_64
> [root@zooty pam.d]# rpm -q -f /etc/pam.d/smartcard-auth-ac
> authconfig-6.2.1-1.fc17.x86_64

A side-effect of "pam" package updates recognizing the symlinks
as modified config files and therefore refusing to replace them.

# rpmls pam|grep -e etc/p
drwxr-xr-x  /etc/pam.d
-rw-r--r--  /etc/pam.d/config-util
-rw-r--r--  /etc/pam.d/fingerprint-auth
-rw-r--r--  /etc/pam.d/other
-rw-r--r--  /etc/pam.d/password-auth
-rw-r--r--  /etc/pam.d/postlogin
-rw-r--r--  /etc/pam.d/smartcard-auth
-rw-r--r--  /etc/pam.d/system-auth

"pam" contains the files, not the symlinks.

# diff -u smartcard-auth-ac smartcard-auth.rpmnew|grep -v '^[ ]'
--- smartcard-auth-ac	2012-04-13 13:25:00.949090013 +0200
+++ smartcard-auth.rpmnew	2012-05-09 11:21:13.000000000 +0200
@@ -2,15 +2,15 @@
-auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
+auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
-account     sufficient    pam_succeed_if.so uid < 1000 quiet
+account     sufficient    pam_succeed_if.so uid < 500 quiet
-password    required      pam_pkcs11.so
+password    optional      pam_pkcs11.so
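
Review bot: on the account line, the `+` side lowers the pam_succeed_if.so threshold from `uid < 1000` to `uid < 500`, so the .rpmnew should not be copied over smartcard-auth-ac as it stands. The same output also shows `card_only` dropped from the pam_pkcs11.so auth line and the password line changed from `required` to `optional`; both are behaviour changes, not cosmetic ones. If anything from the .rpmnew is wanted, merge it into smartcard-auth-ac line by line and review each of these three lines separately rather than taking the file wholesale.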

The UID in the .rpmnew file would be incorrect for Fedora >= 16.

The -ac files from authconfig are the ones to use, by symlinking to them.

-- 
Fedora release 17 (Beefy Miracle) - Linux 3.4.3-1.fc17.x86_64
loadavg: 0.89 0.37 0.17
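
An added example (not part of the original post, nor code from the pam or authconfig packages): a small shell audit for the situation described in this thread. For each *.rpmnew in a PAM directory it reports whether the live name is a symlink to the authconfig -ac file and which pam_succeed_if.so uid threshold each copy carries. The function names and the sample files built in `demo` are constructed for illustration.

```shell
#!/bin/sh
# audit_pam_rpmnew DIR prints one line per *.rpmnew file found in DIR:
#   <name> <state> live_uid=<n|-> rpmnew_uid=<n|->
# state: symlink-ac  name is a symlink to name-ac (authconfig layout)
#        regular     name is a plain file
#        missing     name does not exist

# Print N from the first "account ... pam_succeed_if.so uid < N" line, or "-".
uid_threshold() {
    t=$(sed -n 's/^[[:space:]]*account[[:space:]].*pam_succeed_if\.so[[:space:]]\{1,\}uid[[:space:]]*<[[:space:]]*\([0-9]\{1,\}\).*/\1/p' "$1" 2>/dev/null | head -n 1)
    echo "${t:--}"
}

audit_pam_rpmnew() {
    dir=${1:-/etc/pam.d}
    for new in "$dir"/*.rpmnew; do
        [ -e "$new" ] || continue            # glob matched nothing
        name=$(basename "$new" .rpmnew)
        live="$dir/$name"
        # Accept relative or absolute link targets; compare the file name only.
        if [ -L "$live" ] && [ "$(basename "$(readlink "$live")")" = "$name-ac" ]; then
            state=symlink-ac
        elif [ -f "$live" ]; then
            state=regular
        else
            state=missing
        fi
        echo "$name $state live_uid=$(uid_threshold "$live") rpmnew_uid=$(uid_threshold "$new")"
    done
}

# Constructed sample mirroring the smartcard-auth layout from the post,
# built in a temporary directory so nothing under /etc is touched.
demo() {
    d=$(mktemp -d)
    printf 'account     sufficient    pam_succeed_if.so uid < 1000 quiet\n' > "$d/smartcard-auth-ac"
    printf 'account     sufficient    pam_succeed_if.so uid < 500 quiet\n' > "$d/smartcard-auth.rpmnew"
    ln -s smartcard-auth-ac "$d/smartcard-auth"
    audit_pam_rpmnew "$d"
    rm -rf "$d"
}

demo
```

A line where `live_uid` and `rpmnew_uid` differ is one to read by hand before deleting the .rpmnew.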

