FS#31544 - [i3lock] can't write to /var/log/faillog

Attached to Project: Community Packages
Opened by jason ryan (jasonwryan) - Saturday, 15 September 2012, 03:05 GMT
Last edited by Thorsten Töpper (Atsutane) - Monday, 28 January 2013, 17:57 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Thorsten Töpper (Atsutane)
Architecture x86_64
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

Description:
i3lock spams journalctl with the message:
pam_tally(i3lock:auth): Error opening /var/log/faillog for read


Additional info:
i3lock 2.4.1-1
also happens with i3lock-git

I am not running console-kit.

There are a number of older bugs re. pam_tally, for example here: https://bugzilla.redhat.com/show_bug.cgi?id=133854
but I could find nothing current. Is this a bug or a misconfiguration?


Steps to reproduce:
Install i3lock, and start with:
xautolock -time 8 -locker "i3lock -c 302B54" -nowlocker "i3lock -c 302B54" &
then lock and unlock the screen and then check the systemd journal with journalctl.
This task depends upon

Closed by  Thorsten Töpper (Atsutane)
Monday, 28 January 2013, 17:57 GMT
Reason for closing:  Fixed
Comment by Thorsten Töpper (Atsutane) - Sunday, 16 September 2012, 20:10 GMT
I could not reproduce this, it's propably a configuration problem.
Comment by jason ryan (jasonwryan) - Sunday, 16 September 2012, 20:54 GMT
Thanks Thorsten: sadly, there is not too much to configure, so I am at a loss as to where to look.

Fell free to close. Cheers.
Comment by Mariusz Libera (mar04) - Thursday, 17 January 2013, 02:11 GMT
  • Field changed: Percent Complete (100% → 0%)
Still an issue
Comment by Mariusz Libera (mar04) - Thursday, 17 January 2013, 10:20 GMT
Thanks for reopening.
I investigated this a bit and it seems to be an issue with Arch package.
i3lock is packaged with upstream pam file containing:
auth include login
which is supposed to be a sane default - see http://bugs.i3wm.org/report/ticket/260
and it probably is ...on Debian, which doesn't make use of pam_tally in it's
/etc/pam.d/login - checked on Debian testing.
pam_tally wants to write to /var/log/faillog which is 600, so it doesn't have
necessary priviledges when called by i3lock,
see - https://mail.gnome.org/archives/screensaver-list/2007-July/msg00005.html

Solutions:
- do what Gentoo does - replace "include login" with "include system-auth"
see - http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/x11-misc/i3lock/i3lock-2.4.1.ebuild?view=markup
simple and sane, works nicely on my system
- do what Fedora does - write custom pam file
see - http://pkgs.fedoraproject.org/cgit/i3lock.git/tree/i3lock.pam
- do what xscreensaver and gnome-screensaver do on Arch which is:
provide a simple pam file containing more or less:
"auth required pam_unix_auth.so"
compare that with upstream gnome-screensaver pam file
see - http://git.gnome.org/browse/gnome-screensaver/tree/data/gnome-screensaver
- fix login policy? Man page of pam_tally says it's deprecated. Debian and
Fedora don't use it.
Comment by Thorsten Töpper (Atsutane) - Monday, 28 January 2013, 15:28 GMT
There is an updated version in [community-testing] test it and tell me if it works as you expect it.
Comment by Mariusz Libera (mar04) - Monday, 28 January 2013, 17:28 GMT
Yes, that fixes it, thanks.
Comment by Thorsten Töpper (Atsutane) - Monday, 28 January 2013, 17:57 GMT
Thank you, moved it to [community].

Loading...