Web lists-archives.com

Re: jessie to stretch upgrade Killed sudo.

[ fix send to list ]

Quoting Martin McCormick (2019-05-06 14:29:07)
> After upgrading 2 older I86 systems to stretch, sudo works on one
> and fails on the other but I am writing about both.  The problem
> was probably on the failing system all along but su still allowed
> a su to root under jessie but won't allow it under stretch.
> sudo: pam_open_session: Permission denied
> sudo: policy plugin failed session initialization
>         The first thing I did was classic finger-pointing.  I
> de-installed sudo on the limping system and reinstalled it at
> which point the problem persisted.  A look at /var/log/auth.log
> tells me something but I am not sure what.
>         If you look in auth.log, it is peppered with
> May  5 13:11:32 audio3 sudo: PAM no modules loaded for `sudo' service
>         This occurs both before and after the upgrade which
> succeeds before and fails after.
>         The other system which totally survived the upgrade never
> shows this message so it seems that the pam service is partly
> broken on one and OK on the other.  Right now, I can ssh in to
> the broken system and do anything but sudo commands.  What is the
> safest way to rescue the system while still remotely attached via
> ssh?
>         As I said, the problem may have been here for quite some
> time so the upgrade didn't cause it.  It just accentuates it
> since sudo now complains.
>         Thanks for all constructive ideas.

I recommend to first make sure that the system tracks only packages from 
one single Debian release (not a mixture of multiple releases, and 
certainly not any non-Debian repositories).

(then I'd probably install etckeeper if not done already, to have a way 
of reverting some kinds of accidents in the following steps)

Then I'd check that all packages have fully upgraded and no packages are 
left that in not part of the new system.  Several ways to do that - 
personally I prefer using aptitude in fullscreen mode (i.e. start it 
with no non-option arguments) and look first at "Obsolete and Locally 
Created Packages" section, then "Upgradable Packages", and then _all_ of 
"Installed Packages" checking that the version is the one in the current 

Then I'd inspect all packages recommended but not installed.  You 
certainly should know for sure that why each and every exception is 
there and that you really don't need it!  With aptitude that's done by 
hitting "CTRL+t" and in menu "Views" select "Audit Recommendations".

Then I'd purge all packages not installed.  In aptitude that's done by 
standing on the section "Not Installed Packages" and hit "_", and then 
"g" twice (skimming through what the list after first "g" to ensure 
nothing suspicious sticks out).

Then I'd inspect files below /etc - obvous bugs like broken symlinks, 
and unfinished merge of conffiles (look for *.dpkg* files).

 - Jonas

 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

Attachment: signature.asc
Description: signature