Project

General

Profile

Bug #2031

[pam] On i686 libpam.so links against libaudit.so, but doesn not depends=(audit)

bill-auger - about 1 year ago - . Updated about 1 year ago.

Status:
forwarded upstream
Priority:
critical
Assignee:
% Done:

90%


Description

i cant fully explain why this is, but there is a major breakage for anyone using openrc who upgrades i686 today

$ sudo ls /
sudo: error in /etc/sudo.conf, line 0 while loading plugin "sudoers_policy" 
sudo: unable to load /usr/lib/sudo/sudoers.so: libaudit.so.1: cannot open shared object file: No 
such file or directory
sudo: fatal error, unable to load plugins

this seems to comes down to the latest version of systemd that is in [core], which has added a dependency on the 'audit' package - now su from 'util-linux' wants to link to the audit .so - there is no update to 'util-linux' - the linker is enforcing this for some reason - this causes su and sudo not to work - and worse, it is not possible to login as any user; so as soon as you logout, yer toast - i had to chroot in and install the 'audit' package - but that did solve the problem

so probably the 'notsystemd' dummy package needs to depend on 'audit' now - that is the one that depends on util-linux
su is the only thing i noticed that actually needs it so maybe it is only a dependency of that; but it is 'systemd' in [core] that added the dependency explicitly and not 'util-linux'

another thing i note was that 'util-linux' is a 'base' package; but not a 'base-openrc' package - im not sure why that is

History

#1

Updated by bill-auger about 1 year ago

  • Priority changed from bug to critical
#2

Updated by lukeshu about 1 year ago

another thing i note was that 'util-linux' is a 'base' package; but not a 'base-openrc' package - im not sure why that is

Because it's imported from Arch; and that would be the only change. So, instead, it's a dep of the pcr/base-meta.

#3

Updated by lukeshu about 1 year ago

Wait, is su affected, or just sudo?

#4

Updated by lukeshu about 1 year ago

$ pacman -Qlq util-linux libutil-linux sudo | grep -v '/$' | xargs ldd 2>/dev/null | grep -i -e audit -e ^/ | grep -i -B1 audit
/usr/bin/chfn:
    libaudit.so.1 => /usr/lib/libaudit.so.1 (0xb7cc8000)
--
/usr/bin/chsh:
    libaudit.so.1 => /usr/lib/libaudit.so.1 (0xb7bfb000)
--
/usr/bin/login:
    libaudit.so.1 => /usr/lib/libaudit.so.1 (0xb7cd7000)
--
/usr/bin/runuser:
    libaudit.so.1 => /usr/lib/libaudit.so.1 (0xb7d39000)
--
/usr/bin/su:
    libaudit.so.1 => /usr/lib/libaudit.so.1 (0xb7cea000)
--
/usr/lib/sudo/sudoers.so:
    libaudit.so.1 => /usr/lib/libaudit.so.1 (0xb7aaa000)

and


$ pacman -Qlq util-linux libutil-linux sudo | grep -v '/$' | xargs ldd 2>/dev/null | grep -i -e audit -e ^/ | grep -i -B1 -e audit | grep ^/ |cut -d: -f1 | pacman -Qo -
/usr/bin/chfn is owned by util-linux 2.32.1-2.1
/usr/bin/chsh is owned by util-linux 2.32.1-2.1
/usr/bin/login is owned by util-linux 2.32.1-2.1
/usr/bin/runuser is owned by util-linux 2.32.1-2.1
/usr/bin/su is owned by util-linux 2.32.1-2.1
/usr/lib/sudo/sudoers.so is owned by sudo 1.8.25-1.0

Note that this only appears to be an issue on i686; on x86_64 those are not linked against libaudit.

#5

Updated by lukeshu about 1 year ago

Versions:

       | util-linux | sudo
x86_64 | 2.32.1-2   | 1.8.25.p1-1
i686   | 2.32.1-2.1 | 1.8.25-1.0
#6

Updated by lukeshu about 1 year ago

They seem to be linked with libaudit indirectly through libpam.

       | pam
x86_64 | 1.3.1-1
i686   | 1.3.1-1.2
#8

Updated by lukeshu about 1 year ago

Temporary fix:

  • Copy Arch 32's pam PKGBUILD to libre/pam/
  • Add depends+=(audit)
  • Set arch=(i686) (removing the other arches)
  • Set ver to 1.3.1-1.3.par1
#9

Updated by lukeshu about 1 year ago

  • Subject changed from [util-linux][notsystemd]: su requires audit .so that is not a dependency on an openrc system to [pam] On i686 libpam.so links against libaudit.so, but doesn not depends=(audit)
#10

Updated by bill-auger about 1 year ago

  • Status changed from open to forwarded upstream
#12

Updated by lukeshu about 1 year ago

  • % Done changed from 0 to 90

pam-1.3.1-1.3.par1-i686 is now on libre.

Leaving this issue open until it's fixed upstream in Arch 32 and we can remove libre/pam.

Also available in: Atom PDF