http://bugzilla.suse.com/show_bug.cgi?id=1081947
http://bugzilla.suse.com/show_bug.cgi?id=1081947#c90
George Gkioulis
Important note to all package maintainers who use %config(noreplace) /etc/pam.d/foo
If you use this, pam_keyinit will not be integrated on upgrade of systems with custom modifications of the PAM file.
I recommend to use: %config /etc/pam.d/foo
Note: Most RPM documentation doesn't say true about "%config". Following is correct:
%config(noreplace)
If the old and new packaged config files have the same MD5: Installed file is left as it is, update is completely skipped.
If the old and new packaged config files have different MD5: Installed file is left as it is and .rpmnew file with a new packaged contents is created.
%config If the old and new packaged config files have the same MD5: Installed file is left as it is, update is completely skipped.
If the old and new packaged config files have different MD5: Installed file is replaced and .rpmorig file with the previous installed file is created.
It implies: 1) %config /etc/pam.d/foo is what most maintainers want:
- If the package maintainer does not change the pam file, custom modifications are kept forever. - If the package maintainer changes the pam file, custom modification are removed (and backed up) in favor of the new contents.
2) If you integrate pam_keyinit first and later remove "(noreplace)", and these changes are installed by two steps on a system with custom modifications, then the custom modifications are kept forever, and pam_keyinit is not integrated.
A simple work around: Together with removal of "(noreplace)", do pam files modification (e. g. use "expand" command, change number of spaces or so).
The fix was not present in https://build.suse.de/request/show/199906 https://build.suse.de/request/show/199904 https://build.suse.de/request/show/199905 grep -r pam_keyinit /etc/pam.d yields no output In contrast, eg for https://build.suse.de/request/show/200156 the issue is fixed: grep -r pam_keyinit /etc/pam.d shows the various entries of pam_keyinit.so in the pam.d files -- You are receiving this mail because: You are on the CC list for the bug.