[CentOS] system-auth.rpmnew

William L. Maltby CentOS4Bill at triad.rr.com
Mon Jun 30 12:34:05 UTC 2008

On Mon, 2008-06-30 at 13:14 +0200, Kai Schaetzl wrote:
> William L. Maltby wrote on Sun, 29 Jun 2008 09:09:17 -0400:
> > IMO, it's never OK w/o first examining the effects. The rpmnew is
> > provided specifically because replacing the previous one may be highly
> > destructive to the aims of that system's users/admins.
> > 
> > I've not looked, but I suspect the rpmnew needs to be compared to the
> > target of the symlink.
> That's the point and why I'm asking. I think the rpmnew got created 
> because the target is a symlink (I think normally rpm overwrites a config 
> file if it has not been changed from the previous version, this obviously 
> is bound to fail in this case). The question now is, should it have 

I'm not sure if it being a symlink is a determinant. Nor am I sure about
"if modified". I do recall rpmnew files being created when no symlink
was involved (caveat: wetware memory is highly unreliable).

In cases where an rpmnew was not created, there is often an rpmsave.
This is a copy of the file that was replaced. IIRC, it does not matter
if the original was previously modified or not.

My SOP is: after updates, run updatedb, do locate for rpmnew and
rpmsave, examine for differences between found and originals/related
files, adjust as needed.

As a former developer, I would suspect that I would *not* try to
determine creation of files based on a test for modification of the
original. It would increase the complexity and unreliability of the
update process (would it approach the unreliability of depending on the
user/admin to properly examine and adjust? Probably not.) and go counter
to the innate laziness of us all. Combine the two factors and a strong
argument is made against trying to detect changed base files.

Ditto for symlinks.

Having said all that, the scripted yum/rpm update processes may
incorporate that detection process. I don't know.

> actually replaced system-auth-ca, was the symlink incorrect in the first 
> place, should there be both system-auth and system-auth-ca be available in 

Using the yum or rpm facilities that tells what package provides the
file or symlink should help. I think it's --provides or whatprovides or
somesuch. Man pages will tell you.

> parallel, or what? I don't know for what exactly both or just one of the 
> files gets used, I can just assume it's some authorization. And ca file 
> might get used when authorizing with a certificate (remote or with a 
> card?).
> I don't find myself in a position to assess the difference between the 
> files and what it means for security. The main difference between the 
> files seems to be something about user-ids above/below 500.

That becomes a case of hoping there are adequate man pages. Even if not,
if you compare the old and new and determine what you state above, it's
likely that the update is OK to apply. YMMV, of course.

> Kai


More information about the CentOS mailing list