From debbugs-submit-bounces@debbugs.gnu.org Mon Jan 17 08:25:35 2022 Received: (at 52533) by debbugs.gnu.org; 17 Jan 2022 13:25:36 +0000 Received: from localhost ([127.0.0.1]:45315 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1n9S0t-00055f-Fk for submit@debbugs.gnu.org; Mon, 17 Jan 2022 08:25:35 -0500 Received: from hera.aquilenet.fr ([185.233.100.1]:43770) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1n9S0r-00055M-TM for 52533@debbugs.gnu.org; Mon, 17 Jan 2022 08:25:34 -0500 Received: from localhost (localhost [127.0.0.1]) by hera.aquilenet.fr (Postfix) with ESMTP id 127CE52F; Mon, 17 Jan 2022 14:25:27 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at aquilenet.fr Received: from hera.aquilenet.fr ([127.0.0.1]) by localhost (hera.aquilenet.fr [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VrGzUrU-UkZ4; Mon, 17 Jan 2022 14:25:25 +0100 (CET) Received: from ribbon (91-160-117-201.subs.proxad.net [91.160.117.201]) by hera.aquilenet.fr (Postfix) with ESMTPSA id 689752D7; Mon, 17 Jan 2022 14:25:25 +0100 (CET) From: =?utf-8?Q?Ludovic_Court=C3=A8s?= To: Maxim Cournoyer Subject: Re: bug#52533: guix deploy breaks SSH access with a PAM error References: <87czlx88ez.fsf@gmail.com> <87ilvor3sn.fsf@gnu.org> <87r19bom0r.fsf@gnu.org> <87tue77k40.fsf@gnu.org> <87mtjz1t63.fsf@gmail.com> X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: 28 =?utf-8?Q?Niv=C3=B4se?= an 230 de la =?utf-8?Q?R?= =?utf-8?Q?=C3=A9volution?= X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu Date: Mon, 17 Jan 2022 14:25:24 +0100 In-Reply-To: <87mtjz1t63.fsf@gmail.com> (Maxim Cournoyer's message of "Thu, 13 Jan 2022 11:45:08 -0500") Message-ID: <877daypk8r.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spamd-Bar: / Authentication-Results: hera.aquilenet.fr; none X-Rspamd-Server: hera X-Rspamd-Queue-Id: 127CE52F X-Spamd-Result: default: False [-0.10 / 15.00]; ARC_NA(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; FREEMAIL_ENVRCPT(0.00)[gmail.com]; TO_MATCH_ENVRCPT_ALL(0.00)[]; TAGGED_RCPT(0.00)[]; MIME_GOOD(-0.10)[text/plain]; TO_DN_SOME(0.00)[]; FREEMAIL_TO(0.00)[gmail.com]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[]; MID_RHS_MATCH_FROM(0.00)[] X-Spam-Score: 1.0 (+) X-Debbugs-Envelope-To: 52533 Cc: Mathieu Othacehe , 52533@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) Hi, Maxim Cournoyer skribis: >>> I was just kicked out of my own server due to this PAM/SSH issue. It >>> happens quite frequently here. Time for a fix :). > > Not a meaningful contribution to the discussion, but my workaround is to > disable PAM; as it is not enabled in OpenSSH by default, perhaps we > should also leave it off unless requested? What are the advantages of > having it on? Consistency: authentication had rather work consistently across all system services that depend on it. [...] >> The crux of the problem rather is the global /etc/pam.d: it=E2=80=99s va= lid for >> pre-glibc upgrade programs, or for post-glibc upgrade programs, but not >> both. >> >> FHS distros have a similar problem though; how do they handle it? Do >> they force services to be restarted when glibc is upgraded, or something >> along these lines? > > I just asked this question in Debian's OFTC channel: > > "how does debian handle glibc updates? are services restarted when it > happens? Or does it postpone updating glibc until the next reboot?" > > And got for answer: "there is no magic postponing of updates"; the > external needrestart [0] program was also mentioned. > > Researching some more, it seems this may be handled on Debian by the use > of postinst scripts (which is an arbitrary shell script run after a > package is installed); so the libc package of Debian for example > restarts the postgres service to avoid problems: > > [0] https://github.com/liske/needrestart > [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=3D710275 Yeah. My recollection is that apt is interactive by default, and it would typically pop up a dialog telling you that services X and Y need to be restarted, and asking whether you want to restart them now. The difference compared to what we have (a message at then telling that you =E2=80=9Cmay need=E2=80=9D to run =E2=80=98herd restart X=E2=80=99), th= e benefit IIRC is that it tells you which services need to be restarted. [...] >> We could maybe sidestep the issue altogether with socket-activated >> services: they=E2=80=99d be started on-demand, so the second scenario ab= ove >> would be unlikely. But getting there is quite a bit of work=E2=80=A6 > > I fail to see how this would be a solution for openssh, which would > typically already be running unless you've never login ounce since the > machine was up (or am I missing something?). sshd could also be started via socket activation; =E2=80=98sshd=E2=80=99 su= bprocesses corresponding to existing logins would be unaffected. > Also, it seems to me inetd can already do "socket activation", if this > was somehow useful. Yes, inetd can do that. It would be nicer though to have it all integrated in the Shepherd. (Basically, it=E2=80=99s a choice we could make right away: do we move all network daemons, plus things like guix-daemon, dbus-daemon, etc. etc. to inetd services, or do we instead extend the Shepherd to support socket activation? I=E2=80=99m rather in favor of the latter, but if in Guix Syst= em we build an abstraction that can equally well target inetd or a future Shepherd version, that=E2=80=99s even better.) Ludo=E2=80=99.