FS#61689 - [pambase] Either specify /var/log/tallylog for both auth AND account or don't specify at all

Attached to Project: Arch Linux
Opened by: AMM (amish) - Saturday, 09 February 2019, 05:54 GMT
Last edited by: Tobias Powalowski (tpowa) - Friday, 14 August 2020, 12:48 GMT
Task Type: General Gripe
Category: Packages: Core
Status: Closed
Assigned To: Tobias Powalowski (tpowa), Dave Reisner (falconindy)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 3
Private: No

Details

Description:

Recently pambase switched from pam_tally to pam_tally2.

Commit: https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/pambase&id=63d98c5eca79ea60493241951f6aeb5c98c9b892

Bug report: https://bugs.archlinux.org/task/42120

File /etc/pam.d/system-login was modified as follows:

An "auth" line was modified to use pam_tally2, and the log file was changed from faillog to tallylog:
-auth required pam_tally.so onerr=succeed file=/var/log/faillog
+auth required pam_tally2.so onerr=succeed file=/var/log/tallylog

And a new "account" line was added:
+account required pam_tally2.so

Since /var/log/tallylog is the default file for pam_tally2, above is not a bug in its current form.

But if someone changes file= in the "auth" line, they may not realize they need to make the same change to the "account" line. The "account" module will then still use the default file /var/log/tallylog.

For clarity and to be more specific, we should modify the "account" line as well to:
-account required pam_tally2.so
+account required pam_tally2.so onerr=succeed file=/var/log/tallylog

where onerr and file are global options. See "man pam_tally2".

Additional info:
* package version(s)
pambase 20190105.1-1

* config and/or log files etc.
/etc/pam.d/system-login

Steps to reproduce:
Not a bug in current form, but can lead to a bug / misconfiguration. See description above.
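The mismatch described above is easy to miss by eye, so here is a small checker that parses a PAM service file and compares the effective options of the pam_tally2.so "auth" and "account" entries. This is an added example, not part of the bug report or of the pambase package; the sample configuration below is constructed to mirror the layout the report describes, and the pam_tally2 defaults are taken from its man page (file=/var/log/tallylog, onerr=fail).

```python
"""Compare the pam_tally2.so options on the auth and account lines of a
PAM service file (added example, not code from pambase or the report).

An entry with no explicit option falls back to the module default, so the
checker fills defaults in first and then diffs the two effective settings.
"""
import re

# Defaults from "man pam_tally2": tallylog is the default file, and an
# error (unwritable or missing file) is reported as a failure unless
# onerr=succeed is given.
TALLY2_DEFAULTS = {"file": "/var/log/tallylog", "onerr": "fail"}

# Constructed sample resembling the pambase 20190105.1-1 layout in the
# report: only the auth line carries explicit options.
SAMPLE_SYSTEM_LOGIN = """\
#%PAM-1.0
auth       required   pam_tally2.so     onerr=succeed file=/var/log/tallylog
auth       required   pam_shells.so
auth       requisite  pam_nologin.so
auth       include    system-auth
account    required   pam_access.so
account    required   pam_nologin.so
account    required   pam_tally2.so
account    include    system-auth
"""

# Same file with the account line carrying the same global options.
FIXED_SYSTEM_LOGIN = SAMPLE_SYSTEM_LOGIN.replace(
    "account    required   pam_tally2.so\n",
    "account    required   pam_tally2.so     onerr=succeed file=/var/log/tallylog\n",
)

# A token is either a bracketed control field "[success=1 default=ignore]"
# or a run of non-whitespace characters.
_TOKEN = re.compile(r"\[[^\]]*\]|\S+")


def parse_pam_lines(text):
    """Return (type, control, module, options) tuples for each real entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = _TOKEN.findall(line)
        if len(fields) < 3:
            continue  # malformed; PAM itself would complain about it
        ptype, control, module = fields[:3]
        opts = {}
        for tok in fields[3:]:
            key, sep, val = tok.partition("=")
            opts[key] = val if sep else True  # bare flags map to True
        entries.append((ptype, control, module, opts))
    return entries


def tally2_options(entries, ptype):
    """Effective options of the first pam_tally2.so line of the given type."""
    for t, _control, module, opts in entries:
        if t == ptype and module == "pam_tally2.so":
            return {**TALLY2_DEFAULTS, **opts}
    return None


def check_tally2_consistency(text):
    """Return findings where auth and account pam_tally2 settings differ."""
    entries = parse_pam_lines(text)
    auth = tally2_options(entries, "auth")
    account = tally2_options(entries, "account")
    if auth is None or account is None:
        return []  # only one phase uses the module; nothing to compare
    findings = []
    for key in ("file", "onerr"):
        if auth.get(key) != account.get(key):
            findings.append(f"{key}: auth={auth[key]} account={account[key]}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("as shipped", SAMPLE_SYSTEM_LOGIN),
                      ("with fix", FIXED_SYSTEM_LOGIN)):
        print(name, "->", check_tally2_consistency(cfg) or "consistent")
```

Run against the shipped layout the checker reports that auth tolerates errors (onerr=succeed) while account does not, which is exactly the read-only /var and world-writable tallylog failures mentioned in the comments; with the proposed account line it reports nothing. A real system would read /etc/pam.d/system-login instead of the embedded sample.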

Closed by: Tobias Powalowski (tpowa)
Friday, 14 August 2020, 12:48 GMT
Reason for closing: Fixed
Additional comments about closing: 1.4.0-3
Comment by Jake Kreiger (Magali75) - Saturday, 09 February 2019, 10:49 GMT
I think it's better to remove "onerr=succeed file=/var/log/tallylog" from the auth module, as it's already the default and thus redundant.
Comment by loqs (loqs) - Saturday, 23 February 2019, 10:31 GMT
https://bbs.archlinux.org/viewtopic.php?pid=1833256#p1833256
The lack of onerr=succeed for the account line appears to have caused local login failures in a misconfigured system where /var/log/tallylog was globally writeable.
Comment by AMM (amish) - Saturday, 23 February 2019, 12:16 GMT
Yes, the default Arch config for pam_tally2 is to not deny anything; it just acts as a counter.

So if "auth" is set to succeed on error then "account" should be set to succeed on error too.

Please vote for this bug report.

Please assign to appropriate person. (mostly the same person who switched package to use pam_tally2 instead of pam_tally)

Thank you.
Comment by Alexander Schnaidt (Namarrgon) - Monday, 18 November 2019, 23:40 GMT
The lack of 'onerr=succeed' on the "account required pam_tally2.so" line also breaks login for root and users when the /var-fs is mounted RO.
Comment by AMM (amish) - Tuesday, 19 November 2019, 04:22 GMT
I believe we now have sufficient reports to change the "Task type" from "General Gripe" to "Bug Report".

Clearly it was not a General Gripe.
Comment by loqs (loqs) - Tuesday, 16 June 2020, 21:58 GMT
With the pam 1.4 release [1] pam_tally2.so is deprecated. The suggested replacement is the newly introduced pam_faillock.so.

[1] https://github.com/linux-pam/linux-pam/releases/tag/v1.4.0