pam-auth-update fails to enable Default: yes profiles

As a separate issue that hasn't bitten me but that I saw while editing the code, if some profiles were previously selected but all of them have now disappeared then we should presumably enter the same "use all the defaults" fallback that we do if no profiles were selected. The present version doesn't. Here's a patch (applying after the previous one) to make it do so.

Thanks for the patches, Greg. I've applied the first to the bzr tree, and am having a look at the second one now.

Seeing that you're using git-formatted patches, I feel compelled to mention that there's a bzr branch specifically for the pam-auth-update work, available at bzr.debian.org/bzr/pkg-pam/debian/features/config-framework/, if you would prefer to work from there instead of working off of the packages directly.

Excellent, thanks. I don't know much about the Ubuntu release and
update process; does a fix like this eventually appear in the apt
repositories under intrepid-updates or otherwise become available to
intrepid machines, or will it only be fixed in jaunty?

I've never used bzr, but I checked out (no, 'branched') that branch
just now. Perhaps I'll use it for the next patch I send.

It will definitely be fixed in jaunty; I'm not sure yet whether I'll push this as a change for intrepid-updates, because while I'm sure that it fixes a bug, I'm less confident that it won't reduce any other regressions in the process. So I'm going to let it cook in jaunty for a bit first to get it some extra testing before proposing it for intrepid.

In any case, I suspect that most users who are going to upgrade from hardy to intrepid have already done so (or will have done so soon), so pushing this into intrepid is not very time-critical particularly when weighed against the possibility of regression.

I've also committed the second patch now; you're right that if we consider an empty list of modules an error condition, we should do that when it's due to removals, as well.

Not sure why, but this bug didn't get closed even though the fix has been uploaded. Changelog is:

pam (1.0.1-5ubuntu1) jaunty; urgency=low

  * Merge from Debian unstable
  * Remaining changes:
    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
      present there or in /etc/security/pam_env.conf. (should send to Debian).
    - debian/libpam0g.postinst: only ask questions during update-manager when
      there are non-default services running.
    - debian/patches-applied/series: Ubuntu patches are as below ...
    - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
      type rather than __u8.
    - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
      module option 'missingok' which will suppress logging of errors by
      libpam if the module is not found.
    - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
      password on bad username.
    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
      initialise RLIMIT_NICE rather than relying on the kernel limits.
    - debian/patches-applied/ubuntu-user_defined_environment: Look at
      ~/.pam_environment too, with the same format as
      /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
    - Change Vcs-Bzr to point at the Ubuntu branch.
    - debian/local/pam-auth-update (et al): new interface for managing
      /etc/pam.d/common-*, using drop-in config snippets provided by module
      packages.
    - debian/local/common-password, debian/pam-configs/unix: switch from
      "md5" to "sha512" as password crypt default.
  * Bump the version numbers referenced in the config files, again, as pam
    has revved in Debian and moved the bar.
  * pam-auth-update: If /var/lib/pam/seen is absent, treat this the same
    as a present but empty file; thanks to Greg Price for the patch.
    LP: #294513.
  * pam-auth-update: Ignore removed profiles when detecting an empty set
    of currently-enabled modules. Thanks to Greg Price for this as well.
  * debian/control: libpam-runtime needs a versioned dependency on
    debconf, because it uses the x_loadtemplatefile extension that's
    not supported by debconf versions before hardy. LP: #295135.
  * pam-auth-update: trim leading whitespace from multiline fields when
    parsing PAM profiles. LP: #295441.
  * pam-auth-update: factor out the duplicate code used for returning
    the lines for a given module

  [ Jonathan Marsden ]
  * debian/patches/027_pam_limits_better_init_allow_explicit_root:
    Add to patch, documenting how to set limits for root user.
    Include an example. Alters limits.conf, limits.conf.5.xml,
    and limits.conf.5 . (LP: #65244)

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the report. The bug has been fixed in newer releases of Ubuntu.