Skip to main content
Topic solved
This topic has been marked as solved and requires no further attention.
Topic: No acces to normal user after update (possibly related to changed permissions?) (Read 656 times) previous topic - next topic
0 Members and 2 Guests are viewing this topic.

No acces to normal user after update (possibly related to changed permissions?)

System: Artix
init:   Runit
DE:     XFCE
DM:     Light-dm
Thinkpad: x200 libreboot


Dear forum,

recently I did an update. The output looks like this:

(I only included the "warning messages", because the the other updates were installed correctly. Also to keep the output shorter)

I am typing from my Debian laptop so I hope I don't do any typing mistakes regarding the log:


(02/89) upgrading filesystem

- /etc/passwd installed as /etc/passwd.pacnew

(13/89) upgrading audit

- warning: directory permissions differ on /var/log/audit/
  filesystem: 700 package: 755


(23/89) upgrading polkit

- warning: directory permissions differ on /usr/share/polikt-1/rules.d/
  filesystem: 750 package: 755


(48/89) upgrading geoclue

- warning: directory permissions differ on usr/share/polkit-1/rules.d/
  filesystem: 750 package: 755


For context:

1. When I did the system upgrade (sudo pacman -Syu) I was logged in as normal user.
    I should have done that it on the tty as root. Once the update was done I did:

   sudo cp passwd passwd.bak

   then I did either (don't remember in which order anymore)

   sudo rm passwd
   sudo mv passwd.pacnew passwd (Maybe I should have done that before?)

   Anyway, I believe it is here where I messed up my system.

After that neither "sudo" nor "su" did work anymore. I don't remember the exact message.
Something about "user xyz not being part of passwd".

It is not the first time I had to replace passwd with passwd.pacnew.
Never had any issue. Maybe this time I did something wrong. It might be the order of
operations that I did.


So I rebooted the system. The bad news is that my normal user account dissapeared from
my login mangaer "lightdm" even if I type in "username" and "password" it doesn't work.
If I try to access the system as normal user through the TTY I get the same result: nothing.
As I thought my home folder and data are still in place.

The good news is that I can still use my root account on the tty. So I logged in,
went into /etc and saw three passwd files. One was broken I think (from when I tried to replace>
as normal user), the other was passwd.pacnew. And my old passwd.bak of course was still there.

So again, as root, I did. mv passwd.pacnew. passwd. Then I removed the broken file.

Reboot. Result: I still cannot access my normal user.

This time as root, I opened vim /etc/passwd. I never looked into it. But as a user
I only see "root" along with other stuff, but no normal user. Furthermore, most of the
other entries have "nologin" at the end. I do not know if that is normal or if I have
broken something.


2. A couple of months ago I have changed the permissons of my normal user's home folder
to 700. I think the default is 755. I did it because I thought it is more secure as I
thought only root and my normal user can access the folder. And yes, I have read the wiki
before doing that. Maybe I missed something.

In the mean time I did another system upgrade, hoping to solve the problem. However
nothing has changed. So, for now, I will refrain from updating since I don't want
to damage my system even further.

My questions are:


Is my normal user account unreachable, because I have made a mistake when I substituted
passwd. with passwd.pacnew? Or is it due to the initial warnigs about audit, polkit and
geoclue regarding my change of my normal user's homfolder file permissions?


Should I change my normal user's homefolder filesystem permissions from 700 back to 755?

RECAP:

- Changed: passwd.pacnew to passwd
- Permissions on audit, geoclue, polkit differ from filesystem permissions
- Normal user account unreachable on lightdm and tty. System access only possible through root
  user on tty.


Possible solutions?


I did research and found:


https://forum.artixlinux.org/index.php/topic,6357.msg39247.html#new


Here they suggest to change the permissions and owner of polkit

# chmod 750 /etc/polkit-1/rules.d/
# chmod 750 /usr/share/polkit-1/rules.d/
# chown root:polkitd /usr/share/polkit-1/rules.d/



But within that thread they also refer to this thread:

https://forum.artixlinux.org/index.php/topic,6108

Where it is suggested reinstalling the packages. I'm not sure I understood it
correctly, though.


https://wiki.archlinux.org/title/File_permissions_and_attributes#Preserve_root

I am not sure if this is important in this case:

"Preserve root

Use the --preserve-root flag to prevent chmod from acting recursively on /.
This can, for example, prevent one from removing the executable bit systemwide and
thus breaking the system. To use this flag every time, set it within an alias".

https://forum.garudalinux.org/t/warning-about-permissions-usr-share-polkit-1-rules-d-during-an-update/4686

Here I tried as they said to look which package has changed:
pacman -Qo /usr/share/polkit-1/rules.d/

Got: geoclue 2.7.1-2
     gvfs    1.52.2-1
     lightdm 1:1.32.0-5
     polikt  124-1


(Usually I don't look on other distro's forums, because sometimes they are not accurate
or the information risks to worsen my situation).


Any suggestions, please? :)


Thank you for your time.

 

Re: No acces to normal user after update (possibly related to changed permissions?)

Reply #1
I think what you are looking for is here is
Code: [Select]
mv passwd.bak passwd

I just looked and I have a /etc/passwd.pacnew dated 19.01.2024.
It is devoid of any users bar 'root' as I'd expect.
I know full well that if I copied it over /etc/passwd it would break my system.

The reason you still have easy root access is the actual passwords are in shadow

Well done for keeping a backup. If you hadn't the system probably made one for you the last time it altered the passwd file with a system tool.
It's passwd-

Do not blindly replace config files with the *.pacnew files
The whole reason the pacnew file is created is because you (or a program) made changes to the config file.
When you replace the modified config files with the .pacnew file you lose all the changes which is almost never what you want.

You've less chance of breaking your system by just ignoring them than by blindly copying them.

If you are concerned use a diff program to view the diferances and make an informed decision.

Again well done for keeping a backup

Re: No acces to normal user after update (possibly related to changed permissions?)

Reply #3
Hello,

first of all thank you very very much!  It was close one! I was dancing on the razor's edge.
I was able to restore my system thanks to you!

Here is what I have done:

1. mv passwd.bak passwd

However it did not work. I must have broken that file by accident. Clearly I must have made a mistake during the backup.
I don't remember what, though.


2.

The good news is, that I do regular backups using the program "Timeshift" (live saver!). So I have had a couple of snapshots
to chose from. I went into the more recent one, copied that passwd file into my /etc and it worked!

3.

 Next I logged back in and restored my system to the last snapshot using "Timeshift" (maybe unnecessary).

4.

Once restoration was complete I reran "pacman -Syu". After that the same warnings reappeared which is logical:

(02/89) upgrading filesystem

- /etc/passwd installed as /etc/passwd.pacnew

(13/89) upgrading audit

- warning: directory permissions differ on /var/log/audit/
  filesystem: 700 package: 755


(23/89) upgrading polkit

- warning: directory permissions differ on /usr/share/polikt-1/rules.d/
  filesystem: 750 package: 755


(48/89) upgrading geoclue

- warning: directory permissions differ on usr/share/polkit-1/rules.d/
  filesystem: 750 package: 755


I left password.pacnew alone as you have suggested. For the other three warnings I will search for solutions.


5.

With the newly updated system I have created another snapshot. Now everything is fine again. :)


Quote
I know full well that if I copied it over /etc/passwd it would break my system.

The reason you still have easy root access is the actual passwords are in shadow


I see. Thanks!


Quote
Well done for keeping a backup. If you hadn't the system probably made one for you the last time it altered the passwd file with a system tool. It's passwd-


In fact, the system did create a "passwd-". I can only assume, as mentioned before, that I must have done something
wrong during the backup. So, is it safe to delete this "passwd-" file now?


Quote
Do not blindly replace config files with the *.pacnew files
The whole reason the pacnew file is created is because you (or a program) made changes to the config file.
When you replace the modified config files with the .pacnew file you lose all the changes which is almost never what you want.


Okay. I believe you. The reason I did this is because, it is written in the Arch Wiki as you know. While studying package management some time ago:

https://wiki.archlinux.org/title/Pacman/Pacnew_and_Pacsave

Section 1 last paragraph:

"These files require manual intervention from the user and it is good practice to handle them right after every package  upgrade or removal. If left unhandled, improper configurations can result in improper function of the software or the software being unable to run altogether".


I know that the paragraph states that improper configuration "can" result to in improper function. It does not mean
that it is certain. So I thought it is best to rename "pacnew" as the default file or merge (which I still have to learn), before I might break my system if it is ignored. Also because it states "it is good practice to handle them right after every upgrade".

Clearly I was wrong by assuming that this rule applies to all ".pacnew" (or .pacsave) files, right?


Example, I did this a couple of times with mirrorlist.pacnew in the past. And never had any issues.

Quote
You've less chance of breaking your system by just ignoring them than by blindly copying them.

If you are concerned use a diff program to view the diferances and make an informed decision.


Okay, I understand.


Quote
Again well done for keeping a backup

Thanks! :)


Quote
This. Also, pacman won't overwrite files that have changed, will create file.pacnew instead if it has an update.


Thanks! :)

Re: No acces to normal user after update (possibly related to changed permissions?)

Reply #4
Glad you got your system working again :)
Quote from: maverick – on
Okay. I believe you. The reason I did this is because, it is written in the Arch Wiki as you know. While studying package management some time ago:

https://wiki.archlinux.org/title/Pacman/Pacnew_and_Pacsave

Section 1 last paragraph:

"These files require manual intervention from the user and it is good practice to handle them right after every package  upgrade or removal. If left unhandled, improper configurations can result in improper function of the software or the software being unable to run altogether".


I know that the paragraph states that improper configuration "can" result to in improper function. It does not mean
that it is certain. So I thought it is best to rename "pacnew" as the default file or merge (which I still have to learn), before I might break my system if it is ignored. Also because it states "it is good practice to handle them right after every upgrade".

Clearly I was wrong by assuming that this rule applies to all ".pacnew" (or .pacsave) files, right?


Example, I did this a couple of times with mirrorlist.pacnew in the past. And never had any issues.

While "it is good practice to handle them right after every upgrade" might be technically correct it makes it sound way more necessary than I've found myself in years of using Pacman based systems.
I consider that particular wiki article poorly written as ideally, especially for newer users, it should clearly and simply define what is meant by "handle". As more damage can often be caused by an incorrect 'handling' than by just doing nothing.

Each case is different. Get yourself a diff program such as kdiff3 (qt) or meld.
When you open the original and the pacnew you'll see the differences.
Often they are trivial. Often the only difference is the change you actually wanted.
By replacing the current file with the pacnew you lose the change to the default configuration made either manually or by a program as I was saying before.
The idea is to look at the pacnew and then judge if any of the differences are needed (rare imho) or beneficial in some way.
Then either adapt your config file to have the newer bits of the pacnew or adapt the pacnew to contain your changes made to what would have been the default of the previous version. (I hope that makes some sense?)

You give the example /etc/mirrorlist.
Mirrors get added, mirrors get removed.  But it you have taken the time to select a particular mirror by un-commenting it and commenting the other mirrors that change get lost when replaced with the pacnew file. However that's not going to be system breaking.

Now look at /etc/passwd
A default version just contains the root user.
It's called 'passwd' as historically it did contain passwords but that was a long time ago.
What it really is now is a list of users, their UID's, home dir (if any) and shell.
As well as your user, which was added to the file when installing the system, many services add the users they run as when installed.
All of that is lost when the pacnew replaces your current version. Your system is now only partially functional and needs fixing. If you didn't have a backup you're a lot screwed unless you really know what you are doing.

Rarely in my experience does a pacnew file require immediate intervention but it does happen.
The first instance that springs to mind is a program called opensmtp.
A few years back they completely changed the format, and much syntax, of smtpd.conf.
Without intervention an email server using the current file would not start.
But the answer would not have been to just move the pacnew to smtpd.conf
That would have resulted in an email server that did start but did next to nothing. I had to go and learn about the new format and then adapt my old server settings to use it.

It's fine to leave the passwd- file. Another backup never hurts.

Edit: I wouldn't worry too much about the file permission warnings either unless something isn't working
What they show in your examples is the permissions are more restricted that when the package was first installed. It's most likely the programs using those folders that did the restricting. Search and read about 'Octal file permissions'.

Re: No acces to normal user after update (possibly related to changed permissions?)

Reply #5
Even when you have not edited a file manually, do not blindly overwrite a live file with its .pacnew version. Always compare and merge the changes manually.

Package
Code: [Select]
pacman-contrib
provides the simple pacdiff tool for managing .pac* files. It will search all .pacnew and .pacsave files and ask for any actions on them. It uses vimdiff by default, but you may specify a different tool with
Code: [Select]
DIFFPROG=your_editor pacdiff


For comparing you can install program meld:

Code: [Select]
DIFFPROG=meld pacdiff

Re: No acces to normal user after update (possibly related to changed permissions?)

Reply #6
Quote
While "it is good practice to handle them right after every upgrade" might be technically correct it makes it sound way more necessary than I've found myself in years of using Pacman based systems.
I consider that particular wiki article poorly written as ideally, especially for newer users, it should clearly and simply define what is meant by "handle". As more damage can often be caused by an incorrect 'handling' than by just doing nothing.

I see. I will try do be more cautious, when I am reading the Arch Wiki. Even thought it is sometimes difficult to tell the difference between what is accurate and what is poorly written, but I will try.


Quote
Each case is different. Get yourself a diff program such as kdiff3 (qt) or meld.
When you open the original and the pacnew you'll see the differences.
Often they are trivial. Often the only difference is the change you actually wanted.
By replacing the current file with the pacnew you lose the change to the default configuration made either manually or by a program as I was saying before.
The idea is to look at the pacnew and then judge if any of the differences are needed (rare imho) or beneficial in some way.

Okay, yes I will follow your advice. In fact, I have already started using the diff command. There I could see what you have said in the beginning: That passwd.pacnew is empty except for the "root" line.

Quote
Then either adapt your config file to have the newer bits of the pacnew or adapt the pacnew to contain your changes made to what would have been the default of the previous version. (I hope that makes some sense?)

Indeed, it does make very much sense! :) To me, option 1 is the best: adapting changes from .pacnew into the default config
file (There might be less to be copied). That is, like you have said, if merging is necessary. Otherwise I will leave .pacnew alone. Once I have learned how to merge files and to determine whether it needs to be done.


Quote
You give the example /etc/mirrorlist.
Mirrors get added, mirrors get removed.  But it you have taken the time to select a particular mirror by un-commenting it and commenting the other mirrors that change get lost when replaced with the pacnew file. However that's not going to be system breaking.

Okay, I understand.

Quote
Now look at /etc/passwd
A default version just contains the root user.
It's called 'passwd' as historically it did contain passwords but that was a long time ago.
What it really is now is a list of users, their UID's, home dir (if any) and shell.
As well as your user, which was added to the file when installing the system, many services add the users they run as when installed.
All of that is lost when the pacnew replaces your current version. Your system is now only partially functional and needs fixing. If you didn't have a backup you're a lot screwed unless you really know what you are doing.

Okay, glad to know that now. But why is it still called passwd, if it doesn't store them anymore?
In that case, shouldn't passwords be stored in shadows anyway?

(If I'm asking to many questions, somebody please tell me.
I do not want to go off topic).

Quote
If you didn't have a backup you're a lot screwed unless you really know what you are doing.

Yes, I guess, that somebody who is very skilled could have written that file manually, if no  backup was available. :)


Quote
Rarely in my experience does a pacnew file require immediate intervention but it does happen.
The first instance that springs to mind is a program called opensmtp.
A few years back they completely changed the format, and much syntax, of smtpd.conf.
Without intervention an email server using the current file would not start.
But the answer would not have been to just move the pacnew to smtpd.conf
That would have resulted in an email server that did start but did next to nothing. I had to go and learn about the new format and then adapt my old server settings to use it.

Okay.


Quote
Edit: I wouldn't worry too much about the file permission warnings either unless something isn't working
What they show in your examples is the permissions are more restricted that when the package was first installed. It's most likely the programs using those folders that did the restricting. Search and read about 'Octal file permissions'.


Okay, I already did read about octal permissions, but I have read it again.
It might also be caused by me, like I said in the beginning, when I changed my homefolder to 700. I will look into it.

Thanks for your help! :)


Quote
Even when you have not edited a file manually, do not blindly overwrite a live file with its .pacnew version. Always compare and merge the changes manually.

That is a very important advice! I will keep that in mind! Thanks! And thank you also for the programs that you have recommended! :)

Re: No acces to normal user after update (possibly related to changed permissions?)

Reply #7
Quote from: maverick – on
I see. I will try do be more cautious, when I am reading the Arch Wiki. Even thought it is sometimes difficult to tell the difference between what is accurate and what is poorly written, but I will try.

Best advice is to read the whole page on any given subject. Overall the Arch wiki is priceless. I've read that page again and none of it is actually wrong imho. It's not inaccurate. But while it goes heavy on techno babble surrounding mdsums and comparsions it neglects to properly explain how to handle the merges other than give information about tools to automate that process. Which helps only if you understand the concept underlying the process. Otherwise they just help you break your system faster :)
But the warning is there:
Note: Even when you have not edited a file manually, do not blindly overwrite a live file with its .pacnew version. Always compare and merge the changes manually.
Just a bit too far down the page !
Quote
Okay, glad to know that now. But why is it still called passwd, if it doesn't store them anymore?
In that case, shouldn't passwords be stored in shadows anyway?
https://wiki.informationhouse.co.uk/wiki/Passwd?lang=en#History
They are stored in shadow (there are exceptions). I imagine when the change was made altering the name of the passwd file would have broken a lot of programs and scripts that expect it be there to get the other information it held so it was left the same.