Community Packages

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in Unsupported. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#31544 - [i3lock] can't write to /var/log/faillog

Attached to Project: Community Packages
Opened by jason ryan (jasonwryan) - Saturday, 15 September 2012, 03:05 GMT
Last edited by Thorsten Töpper (Atsutane) - Monday, 28 January 2013, 17:57 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Thorsten Töpper (Atsutane)
Architecture x86_64
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No


i3lock spams journalctl with the message:
pam_tally(i3lock:auth): Error opening /var/log/faillog for read

Additional info:
i3lock 2.4.1-1
also happens with i3lock-git

I am not running console-kit.

There are a number of older bugs re. pam_tally, for example here:
but I could find nothing current. Is this a bug or a misconfiguration?

Steps to reproduce:
Install i3lock, and start with:
xautolock -time 8 -locker "i3lock -c 302B54" -nowlocker "i3lock -c 302B54" &
then lock and unlock the screen and then check the systemd journal with journalctl.
This task depends upon

Closed by  Thorsten Töpper (Atsutane)
Monday, 28 January 2013, 17:57 GMT
Reason for closing:  Fixed
Comment by Thorsten Töpper (Atsutane) - Sunday, 16 September 2012, 20:10 GMT
I could not reproduce this, it's propably a configuration problem.
Comment by jason ryan (jasonwryan) - Sunday, 16 September 2012, 20:54 GMT
Thanks Thorsten: sadly, there is not too much to configure, so I am at a loss as to where to look.

Fell free to close. Cheers.
Comment by Mariusz Libera (mar04) - Thursday, 17 January 2013, 02:11 GMT
  • Field changed: Percent Complete (100% → 0%)
Still an issue
Comment by Mariusz Libera (mar04) - Thursday, 17 January 2013, 10:20 GMT
Thanks for reopening.
I investigated this a bit and it seems to be an issue with Arch package.
i3lock is packaged with upstream pam file containing:
auth include login
which is supposed to be a sane default - see
and it probably is ...on Debian, which doesn't make use of pam_tally in it's
/etc/pam.d/login - checked on Debian testing.
pam_tally wants to write to /var/log/faillog which is 600, so it doesn't have
necessary priviledges when called by i3lock,
see -

- do what Gentoo does - replace "include login" with "include system-auth"
see -
simple and sane, works nicely on my system
- do what Fedora does - write custom pam file
see -
- do what xscreensaver and gnome-screensaver do on Arch which is:
provide a simple pam file containing more or less:
"auth required"
compare that with upstream gnome-screensaver pam file
see -
- fix login policy? Man page of pam_tally says it's deprecated. Debian and
Fedora don't use it.
Comment by Thorsten Töpper (Atsutane) - Monday, 28 January 2013, 15:28 GMT
There is an updated version in [community-testing] test it and tell me if it works as you expect it.
Comment by Mariusz Libera (mar04) - Monday, 28 January 2013, 17:28 GMT
Yes, that fixes it, thanks.
Comment by Thorsten Töpper (Atsutane) - Monday, 28 January 2013, 17:57 GMT
Thank you, moved it to [community].