# pam.d/*.rpmnew on first update

I installed Fedora 20ß from the DVD. The files:

were either copied to my system from the DVD or generated by the installer. They are all dated November 14 2013.

When I updated the system on my first login, password-auth.rpmnew, postlogin.rpmnew and system-auth.rpmnew were created. Obviously, they are different from the original files. These files are all dated October 14, 2013. They are one month older than the files from the DVD, even though they come from the updates.

Which version of the files should I keep?


I tend to say that the current state is correct (i.e. /etc/pam.d/*.rpmnew files should be ignored - https://lists.fedoraproject.org/pipermail/users/2012-June/420686.html), with a longer answer given below.

Let's take /etc/pam.d/password-auth as an example. This file belongs to the pam rpm:

rpm -qf /etc/pam.d/password-auth


but you can notice that it is actually a symlink to /etc/pam.d/password-auth-ac, which belongs to the authconfig rpm and is marked as %ghost %config(noreplace) (%ghost http://osdir.com/ml/package-management.openpkg.devel/2006-03/msg00085.html is a placeholder for future files, which are not present in the given (authconfig) rpm):

rpm -qf "$(readlink -f /etc/pam.d/password-auth)"


authconfig handles creation of the /etc/pam.d/*-ac links (see https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-March/002768.html), and generates the contents of the files.

When you look into the Fedora pam src.rpm (e.g. http://dl.fedoraproject.org/pub/fedora/linux/releases/19/Fedora/source/SRPMS/p/pam-1.1.6-11.fc19.1.src.rpm) you will see that the contents of its password-auth.pamd differ from /etc/pam.d/password-auth already on an initial Fedora installation. This is because authconfig created /etc/pam.d/password-auth-ac and linked /etc/pam.d/password-auth to it, so /etc/pam.d/password-auth does not have the original pam contents of the file anymore. When you update the pam package, rpm correctly recognizes that /etc/pam.d/password-auth on the system has changed (really? does rpm follow links?), and due to the fact that the file is marked as %config(noreplace) (see https://ask.fedoraproject.org/question/25722/what-are-rpmnew-files/) rpm creates /etc/pam.d/password-auth.rpmnew with the contents of password-auth.pamd. I have noticed, however, that the /etc/pam.d/*.rpmnew files are not consistently present across the few Fedora systems I verified, so there may still be something fishy here.

You can experiment with authconfig:

su -c "mv /etc/pam.d/password-auth-ac /etc/pam.d/password-auth-ac.save"
su -c "authconfig --update"


I think the issue is worth clarification by opening a bug on bugz.fedoraproject.org/authconfig


This is expected: files modified on the HDD are bound to have newer timestamps than files installed by rpm packages from updates when you update for the very first time after installation.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.


so I think you don't need to change/edit anything.

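The check both answers describe can be scripted. This is an added example, not code from either answer or from the pam or authconfig projects. For each `*.rpmnew` it reports whether the live file is a symlink and whether its content carries the authconfig marker line quoted above. The function names `classify_rpmnew` and `demo_tree` are hypothetical, and the demo tree is constructed sample data.

```shell
#!/bin/sh
# Added example: classify each *.rpmnew in a PAM directory.
#   generated: live file resolves to content with the authconfig marker,
#              so the .rpmnew matches the "can be ignored" case above.
#   review:    live file is hand-maintained or missing; diff it by hand.
MARKER='# This file is auto-generated.'

classify_rpmnew() {
    dir=${1:-/etc/pam.d}
    for new in "$dir"/*.rpmnew; do
        [ -e "$new" ] || continue            # glob matched nothing
        live=${new%.rpmnew}
        name=${live##*/}
        if [ -L "$live" ]; then
            kind="symlink->$(readlink "$live")"
        else
            kind="regular"
        fi
        # grep follows the symlink, so this inspects the -ac file's content
        if [ -f "$live" ] && grep -qxF "$MARKER" "$live"; then
            verdict=generated
        else
            verdict=review
        fi
        printf '%s %s %s\n' "$name" "$kind" "$verdict"
    done
}

# Constructed sample tree (not copied from a real system)
demo_tree() {
    d=$(mktemp -d)
    printf '#%%PAM-1.0\n%s\nauth required pam_unix.so\n' "$MARKER" \
        > "$d/password-auth-ac"
    ln -s password-auth-ac "$d/password-auth"
    printf '#%%PAM-1.0\nauth required pam_deny.so\n' > "$d/password-auth.rpmnew"
    printf '#%%PAM-1.0\nsession optional pam_lastlog.so\n' > "$d/postlogin"
    printf '#%%PAM-1.0\nsession optional pam_lastlog.so silent\n' \
        > "$d/postlogin.rpmnew"
    echo "$d"
}

tree=$(demo_tree)
classify_rpmnew "$tree"
rm -rf "$tree"
```

On a real system, call `classify_rpmnew /etc/pam.d` and diff any file reported as `review` against its `.rpmnew` before deciding which to keep.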