Skip to content

fix(pam): pass profile names to pam-auth-update --remove#376

Open
maybebyte wants to merge 1 commit into
Kicksecure:masterfrom
maybebyte:fix/pam-auth-update-remove-profiles
Open

fix(pam): pass profile names to pam-auth-update --remove#376
maybebyte wants to merge 1 commit into
Kicksecure:masterfrom
maybebyte:fix/pam-auth-update-remove-profiles

Conversation

@maybebyte

Copy link
Copy Markdown
Contributor

Summary

The prerm/postrm scripts try to disable this package's PAM profiles when the
package is removed, but they pass the package name to pam-auth-update --remove,
which matches profile filenames — so the removal was silently a no-op. This
restores the intended early-disable and hardens the removal path across dpkg states.

Changes

  • Root cause: pam-auth-update --remove matches the config filenames in
    /usr/share/pam-configs/ (readdir basenames), never the package name. Both
    scripts passed $DPKG_MAINTSCRIPT_PACKAGE (security-misc-shared), matching no
    profile, so nothing was removed. An unknown target is not validated and never
    errors, so it failed silently. The prerm early-disable was therefore dead:
    on removal, /etc/pam.d/common-* kept referencing helper scripts under
    /usr/libexec/security-misc/ that dpkg then deleted — and block-unsafe-logins
    is a Priority 1100 requisite, so a dangling reference fails all logins.
  • prerm: pass the 8 actual profile filenames to --remove, guarded by
    command -v pam-auth-update. This is the man-page-documented purpose of
    --remove: strip profiles before the modules they reference leave disk.
  • postrm: replace the inert --remove <pkg> with a plain
    pam-auth-update --package reconciliation scoped to remove|purge|disappear,
    so upgrade/abort-* never strip live hardening mid-transaction.

Testing

  • Built a real security-misc-shared .deb (the actual profiles, the referenced
    helper scripts, and these maintainer scripts) and ran install → dpkg -r
    dpkg -P in debian:stable-slim11/11 checks passed. Crux: same tree,
    only the --remove argument differs — --remove security-misc-shared left the
    profile in common-auth (old no-op reproduced), while --remove <8 filenames>
    removed it with the files still on disk; dpkg -r/-P exited 0 with
    common-* cleaned before the helper was deleted.
  • Guard behavior confirmed: postrm invoked pam-auth-update only for
    remove/purge/disappear (not upgrade/abort-upgrade/abort-install/
    failed-upgrade/deconfigure), and postrm purge exited 0 with
    pam-auth-update absent from PATH.
  • bash -n passes on both scripts; shellcheck is clean on the changed blocks.

Notes for reviewers

  • On a normal remove/purge the observable end state is unchanged today —
    reconciliation already drops the profiles once their files are gone. This fix
    restores the prerm early-disable that closes the window where common-auth
    references a just-deleted module; it is a correctness/robustness fix, not a
    fix for a failure users currently hit.
  • Decision: postrm keeps a plain --package (rather than dropping the call)
    as a safety net for profile-list drift and the disappear state, where prerm
    never runs. A real --remove <profiles> there was deliberately avoided — it
    would strip live hardening during upgrade/abort-*.
  • Caveat: the 8-name list in prerm must stay in sync with
    debian/security-misc-shared.install and usr/share/pam-configs/; a forgotten
    profile is still reconciled away by the postrm net within the same dpkg run.

pam-auth-update --remove matches pam-config filenames under
/usr/share/pam-configs/, but prerm and postrm passed
$DPKG_MAINTSCRIPT_PACKAGE -- the package name security-misc-shared --
which matches no profile and is silently ignored. The prerm
early-disable was therefore dead: on removal, /etc/pam.d/common-* kept
referencing helper scripts under /usr/libexec/security-misc/ that dpkg
then deleted, risking failed authentication (block-unsafe-logins is a
Priority 1100 requisite entry).

prerm now passes the eight profile filenames explicitly, guarded by
command -v so a bulk purge cannot abort under set -e. postrm drops the
ineffective --remove for a plain reconciliation scoped to
remove|purge|disappear, so it never strips live hardening during an
upgrade or abort.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant