Ask Your Question
1

pam.d/*.rpmnew on first update

asked 2013-11-14 18:43:40 -0500

pgueckel gravatar image

I installed Fedora 20ß from the DVD. The files:

/etc/pam.d/password-auth /etc/pam.d/postlogin /etc/pam.d/system-auth

were either copied to my system from the DVD or generated by the installer. They are all dated November 14 2013.

When I updated the system on my first login, password-auth.rpmnew, postlogin.rpmnew and system-auth.rpmnew were created. Obviously, they are different from the original files. These files are all dated October 14, 2013. They are one month older than the files from the DVD, even though they come from the updates.

Which version of the files should I keep?

edit retag flag offensive close merge delete

2 Answers

Sort by » oldest newest most voted
1

answered 2013-11-15 05:19:50 -0500

marcindulak gravatar image

updated 2013-11-15 06:34:18 -0500

I tend to say that the current state is correct (i.e. /etc/pam.d/*.rpmnew files should be ignored - https://lists.fedoraproject.org/pipermail/users/2012-June/420686.html), with a longer answer given below.

Let's take /etc/pam.d/password-auth as an example. This file belongs to the pam rpm:

rpm -qf /etc/pam.d/password-auth

but you can notice that it is actually a symlink to /etc/pam.d/password-auth-ac, which belongs to the authconfig rpm and is marked as %ghost %config(noreplace) (%ghost http://osdir.com/ml/package-management.openpkg.devel/2006-03/msg00085.html is a placeholder for future files, which are not present in the given (authconfig) rpm):

rpm -qf `readlink -f /etc/pam.d/password-auth`

authoconfig handles creation of the /etc/pam.d/*-ac links (see https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-March/002768.html), and generates the contents of the files.

When you look into the Fedora pam src.rpm (e.g. http://dl.fedoraproject.org/pub/fedora/linux/releases/19/Fedora/source/SRPMS/p/pam-1.1.6-11.fc19.1.src.rpm) you will see that the contents of its password-auth.pamd differs from /etc/pam.d/password-auth already on an initial Fedora installation. This is because authoconfig created /etc/pam.d/password-auth-ac and linked /etc/pam.d/password-auth to it, so /etc/pam.d/password-auth does not have the original pam contents of the file anymore. When you update the pam package, rpm correctly recognizes that /etc/pam.d/password-auth on the system has changed (really? does rpm follow links?), and due to the fact that the file is marked as %config(noreplace) (see https://ask.fedoraproject.org/question/25722/what-are-rpmnew-files/) rpm creates /etc/pam.d/password-auth.rpmnew with the contents of password-auth.pamd. I have noticed however that the /etc/pam.d/*.rpmnew files are not consistently present across few Fedora systems i verified, so there may be still something fishy here.

You can experiment with authconfig:

su -c "mv /etc/pam.d/password-auth-ac /etc/pam.d/password-auth-ac.save"
su -c "authconfig --update"
diff /etc/pam.d/password-auth-ac /etc/pam.d/password-auth-ac.save

I think the issue is worth clarification by opening a bug on bugz.fedoraproject.org/authconfig

edit flag offensive delete link more
0

answered 2013-11-15 03:35:58 -0500

Ahmad Samir gravatar image

updated 2013-11-15 06:08:16 -0500

This is expected, files modified on the HDD are bound to have newer timestamps than files installed by rpm packages from updates when you update for the very first time after installation.

Looking at password-auth and system-auth, they have this header:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

so I think you don't need to change/edit anything.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2013-11-14 18:43:40 -0500

Seen: 580 times

Last updated: Nov 15 '13