debcrafters-packages team mailing list archive
Message #02164
[Bug 2087827] Re: Pam includes does not look in /usr/lib/pam.d
Verified on noble:
```
root@pam-noble:~# dpkg -l libpam0g | tail -n 1
ii libpam0g:amd64 1.5.3-5ubuntu5.2 amd64 Pluggable Authentication Modules library
root@pam-noble:~# useradd -p $(openssl passwd -6 foo) foo
root@pam-noble:~# mv /etc/pam.d/* /usr/lib/pam.d
root@pam-noble:~# login foo
Password:
[snip]
$
root@pam-noble:~# mv /usr/lib/pam.d/common-password /etc/pam.d
root@pam-noble:~# mv /usr/lib/pam.d/login /etc/pam.d
root@pam-noble:~# login foo
Password:
[snip]
$
root@pam-noble:~# cp /usr/lib/pam.d/common-account /etc/pam.d
root@pam-noble:~# echo foobar >> /etc/pam.d/common-account
root@pam-noble:~# login foo
Password:
Login incorrect
pam-noble login: ^C
root@pam-noble:~# journalctl -xe | tail
░░ The job identifier is 1350 and the job result is done.
Jun 13 15:25:41 pam-noble login[1441]: PAM unable to dlopen(pam_lastlog.so): /usr/lib/security/pam_lastlog.so: cannot open shared object file: No such file or directory
Jun 13 15:25:41 pam-noble login[1441]: PAM adding faulty module: pam_lastlog.so
Jun 13 15:25:41 pam-noble login[1441]: PAM (login) illegal module type: foobar
Jun 13 15:25:41 pam-noble login[1441]: PAM (login) no control flag supplied
Jun 13 15:25:41 pam-noble login[1441]: PAM (login) no module name supplied
Jun 13 15:25:41 pam-noble login[1441]: PAM (other) illegal module type: foobar
Jun 13 15:25:41 pam-noble login[1441]: PAM (other) no control flag supplied
Jun 13 15:25:41 pam-noble login[1441]: PAM (other) no module name supplied
Jun 13 15:25:45 pam-noble login[1441]: FAILED LOGIN (1) on '/dev/pts/1' FOR 'foo', Permission denied
```
** Tags removed: verification-needed verification-needed-noble verification-needed-oracular
** Tags added: verification-done verification-done-noble verification-done-oracular
https://bugs.launchpad.net/bugs/2087827
Title:
Pam includes does not look in /usr/lib/pam.d
Status in pam package in Ubuntu:
Fix Released
Status in pam source package in Noble:
Fix Committed
Status in pam source package in Oracular:
Fix Committed
Status in pam source package in Plucky:
Fix Committed
Status in pam source package in Questing:
Fix Released
Bug description:
[ Impact ]
The Debian-specific (and fairly heavily used) @include stanza doesn't load anything from /usr/lib/pam.d, preventing moving default configuration from /etc, which is needed for Ubuntu Core.
[ Test Plan ]
In a fresh container:
# adduser foo
# mv /etc/pam.d/* /usr/lib/pam.d
# login
You should be able to log in as user foo.
After exiting the foo session, to check cross-folder inclusion:
# mv /usr/lib/pam.d/common-password /etc/pam.d
# mv /usr/lib/pam.d/login /etc/pam.d
# login
And finally, to check that they load the /etc file in priority:
# cp /usr/lib/pam.d/common-account /etc/pam.d
# echo foobar >> /etc/pam.d/common-account
# login
That last one should fail with foobar-related errors in the system
logs.
[ Where problems could occur ]
To minimize the potential for breaking user setups, the test plan ensures that
there wouldn't be any new shadowing of user config files. Any other
config that includes something only present in /usr/lib would have
been broken anyway.
[Original report]
We're using libpam in the Ubuntu Core rootfs for the core24 snap (which is pam from Noble). We've run into a situation where we would like to move pam.d files into /usr/lib/pam.d instead of /etc/pam.d, and looking at man pages this should be supported. (I.e. it always checks /etc/pam.d first, then /usr/lib/pam.d).
However, there seems to be an issue (or misunderstanding) in terms of
how `include`s are loaded. For an installation that has all pam.d
files in /usr/lib we get this error:
```
[ 556.375377] sshd[3553]: PAM _pam_load_conf_file: unable to open config for /etc/pam.d/common-auth
[ 556.377644] sshd[3553]: PAM error loading (null)
[ 556.379731] sshd[3553]: PAM _pam_init_handlers: error reading /usr/lib/pam.d/sshd
[ 556.382681] sshd[3553]: PAM _pam_init_handlers: [Critical error - immediate abort]
[ 556.384512] sshd[3553]: PAM error reading PAM configuration file
[ 556.386397] sshd[3553]: PAM pam_start: failed to initialize handlers
[ 556.389716] sshd[3553]: PAM pam_end: NULL pam handle passed
[ 556.393755] sshd[3553]: fatal: PAM: initialisation failed
```
It seems to correctly read sshd from /usr/lib/pam.d/; however, for the
includes it seems it insists on loading through /etc/pam.d. Looking at
the code:
https://git.launchpad.net/ubuntu/+source/pam/tree/libpam/pam_handlers.c?h=applied/ubuntu/noble#n227
it seems that it only checks /etc/pam.d, and not /usr/lib/pam.d. This
seems to not be in line with the man pages?
*note* at first glance it seems that there might be a bug in the
patch `debian/patches/031_pam_include`
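To make the lookup order the test plan exercises concrete, here is an added C model of how an `@include NAME` should resolve once the fix is in: /etc/pam.d/NAME first, then /usr/lib/pam.d/NAME. It is example code written for this page, not Linux-PAM's code or the Debian `031_pam_include` patch; the directory roots are parameters, and the scratch tree and file names it creates are constructed fixtures.

```c
#define _XOPEN_SOURCE 700 /* declares mkdtemp() on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
enum { INC_NOT_FOUND = 0, INC_FROM_ETC = 1, INC_FROM_LIB = 2 };

/* Resolve an "@include NAME" as the fix is described: etc_dir/NAME wins and
 * lib_dir/NAME is the fallback (really /etc/pam.d and /usr/lib/pam.d; they are
 * parameters here). Writes the chosen path to out, returns where it was found. */
static int resolve_pam_include(const char *etc_dir, const char *lib_dir,
                               const char *name, char *out, size_t outlen)
{
    const char *dirs[2] = { etc_dir, lib_dir };
    struct stat st;
    if (name[0] == '\0' || strchr(name, '/') != NULL) /* bare file names only */
        return INC_NOT_FOUND;
    for (int i = 0; i < 2; i++) {
        if (snprintf(out, outlen, "%s/%s", dirs[i], name) >= (int)outlen)
            return INC_NOT_FOUND;
        if (stat(out, &st) == 0 && S_ISREG(st.st_mode))
            return i == 0 ? INC_FROM_ETC : INC_FROM_LIB;
    }
    out[0] = '\0';
    return INC_NOT_FOUND;
}
static int touch(const char *dir, const char *name) /* empty fixture file */
{
    char p[512]; snprintf(p, sizeof p, "%s/%s", dir, name);
    FILE *f = fopen(p, "w");
    return f ? fclose(f) : -1;
}

/* Replay the lookups behind the bug's test plan in a temp tree. Returns one
 * letter per lookup: E = found in etc, L = found in lib, N = not found. */
static const char *demo(void)
{
    static char results[4];
    char root[] = "/tmp/pam-include-demo.XXXXXX", etc[256], lib[256], path[512];
    if (mkdtemp(root) == NULL) return NULL;
    snprintf(etc, sizeof etc, "%s/etc", root);
    snprintf(lib, sizeof lib, "%s/lib", root);
    if (mkdir(etc, 0700) != 0 || mkdir(lib, 0700) != 0) return NULL;
    touch(lib, "common-auth");               /* stage 1: file only under /usr/lib */
    results[0] = "NEL"[resolve_pam_include(etc, lib, "common-auth", path, sizeof path)];
    touch(etc, "common-auth");               /* stage 3: the /etc copy shadows it */
    results[1] = "NEL"[resolve_pam_include(etc, lib, "common-auth", path, sizeof path)];
    results[2] = "NEL"[resolve_pam_include(etc, lib, "common-missing", path, sizeof path)];
    return results;                          /* before the fix, every include was N */
}
```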