On 2021-02-12 00:46, Sam Hartman wrote:
> Why wouldn't we just comment out the lines in the upgrade rather than blocking the upgrade?
I absolutely want to avoid breaking pam config for the user. I am not sure if we can comment out something without possibly causing havoc. I am not overly familiar with Debian, so I might miss some important places.

From what I understand we would need to search for any file in /usr/share/pam-configs that contains pam_tally and run "pam-auth-update --package --remove <file>". I am currently not sure how to handle files in /usr/share/pam. I suppose we could comment out lines there. After this we need to check files in /etc/pam.d because, if the user already manually edited these, pam-auth-update will not touch them. That is also why we should not just comment directly in /etc/pam.d.

Another problem with commenting is pam stacking: some pam modules like to be called differently if they come first, and pam_tally usually has the first place in configs. So this would change the parameters of the new first module. This is something we cannot handle automatically.

So as a short summary, if the user uses pam-auth-config and did not break stuff before, I think we could handle this, but anything further than that will get complicated very fast.

The main problem is, once the update is installed, it is already too late and pam is broken. The user would have to keep the session where the upgrade was started and fix the problem exactly in this moment, or be locked out from the system.

In any case we really should write a message to the user, because we are disabling a willfully enabled security feature.
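
The search described in this message, written as a report-only pre-upgrade check. This is an added example, not part of the original mail or of any Debian package script; the function names and the optional root-prefix argument are hypothetical, and matching on `pam_tally.so`/`pam_tally2.so` in non-comment lines is an assumption about what counts as "in use".

```shell
#!/bin/sh
# Report-only check: which PAM files still have an active pam_tally line?
# Nothing is modified; the output is meant for the message shown to the admin.

# Print files under directory $1 that name pam_tally(2).so on a line
# that is not a comment (first non-blank character is not '#').
find_pam_tally() {
    dir=$1
    [ -d "$dir" ] || return 0
    grep -rE 'pam_tally2?\.so' "$dir" 2>/dev/null \
        | grep -vE '^[^:]*:[[:space:]]*#' \
        | cut -d: -f1 \
        | sort -u
}

# $1 is an optional root prefix (hypothetical, for running against a test tree).
# Prints one "<kind>: <file>" line per hit; returns 1 if anything was found.
check_pam_tally() {
    root=${1:-}
    status=0
    # Profiles managed by pam-auth-update.
    for f in $(find_pam_tally "$root/usr/share/pam-configs"); do
        echo "profile: $f"
        status=1
    done
    # Files under /usr/share/pam.
    for f in $(find_pam_tally "$root/usr/share/pam"); do
        echo "share-pam: $f"
        status=1
    done
    # Live configuration, possibly edited by hand, so only reported.
    for f in $(find_pam_tally "$root/etc/pam.d"); do
        echo "pam.d: $f"
        status=1
    done
    return $status
}
```

Calling `check_pam_tally` with no argument inspects the running system; a non-zero return means at least one file needs attention before the module disappears.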