[PC-BSD Testing] System Ports Clobbering and LDAP oh my!

Eric Crist ecrist at secure-computing.net
Thu Jun 21 08:42:26 PDT 2012


Kris,

Can you make sure SUDO gets compiled with LDAP support, if it isn't already?

Thanks.
-----
Eric F Crist



On Jun 6, 2012, at 16:37:11, Kris Moore wrote:

> On 06/06/2012 16:00, Eric Crist wrote:
>> On Jun 6, 2012, at 12:20:53, Kris Moore wrote:
>> 
>>> On 06/06/2012 09:29, Eric Crist wrote:
>>>> On Jun 6, 2012, at 08:25:27, Kris Moore wrote:
>>>> 
>>>>> On 06/05/2012 14:35, Eric Crist wrote:
>>>>>> Kris, all,
>>>>>> 
>>>>>> I was asked to post this here, so please feel free to direct all flames toward Dru.  It's her fault. :)
>>>>>> 
>>>>>> We have a couple PC-BSD systems that were installed and configured back in the middle of December, 2011.  The configuration included all my rain dances to get LDAP configured for authentication, groups, and sudo.  Today, upon doing what ever updates were needed between December 15 and now, all off our PAM configs were reset, and a series of ports we installed in base, were removed.  This includes pam_ldap, nss_ldap, pam_mkhomedir, and others.
>>>>>> 
>>>>>> I think the update procedure should do similar to mergemaster, and if a file has been changed, leave it alone.  The end result today was a user, after applying system updates, could not get into their own system.  We do not give out the system root credentials.
>>>>>> 
>>>>>> Please let me know what the canonical way to do these configurations is, or what I can do to help you develop an update mechanism that is a bit more safe.
>>>>>> 
>>>>> I'll be happy to give you a hand with this. What kind of updates did you
>>>>> specifically do? Did you go from 9.0 -> 9-STABLE? Or was it just the
>>>>> "freebsd-update" stuff that was applied? I've not issued any patches for
>>>>> 9.0 which monkey around in /etc yet.
>>>> Unfortunately, I don't recall the specific update.  The machine in question had been sitting on a shelf since initial install and configuration, and I just deployed it.  I do remember that there were three updates listed, a security update, something else, and a system upgrade.  The system upgrade was what was selected.  It took nearly 2 hours to download, and another 45 minutes to install after a reboot.
>>>> 
>>>> There were PAM configs in /etc/pam.d as well as /usr/local/etc/pam.d that were defaulted.  Is there a log for the updater, so I can see what was done?
>>>> -----
>>>> Eric F Crist
>>>> 
>>> Ok, that helps. It was the system upgrade that clobbered your files.
>>> That's when you move versions from 8.1 -> 8.2, or 8.2 -> 9.0, etc.
>>> 
>>> I don't have a log file, but if you send me the list of files you need
>>> excluded, I'll be sure to add them to the exclude list we keep for
>>> upgrades.
>> 
>> It was everything in /etc/pam.d, /usr/local/etc/pam.d, and the ports I listed in my original email:
>> * security/sudo
>> * security/pam_ldap
>> * security/pam_mkhomedir
>> * net/nss_ldap
>> * net/openldap*-client
>> 
>> Thanks!
>> -----
>> Eric F Crist
>> 
>> 
> 
> I've added those extra ports to our base-install, so they don't get
> removed during the upgrade process. Did you have any other custom files
> getting clobbered outside the pam.d directories? I've made sure they are
> preserved now.
> 
> -- 
> Kris Moore
> PC-BSD Software
> iXsystems
> 
> _______________________________________________
> Testing mailing list
> Testing at lists.pcbsd.org
> http://lists.pcbsd.org/mailman/listinfo/testing

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.pcbsd.org/pipermail/testing/attachments/20120621/5047a362/attachment.bin>


More information about the Testing mailing list