FS#61689 - [pambase] Either specify /var/log/tallylog for both auth AND account or don't specify at all
Attached to Project:
Arch Linux
Opened by AMM (amish) - Saturday, 09 February 2019, 05:54 GMT
Last edited by Tobias Powalowski (tpowa) - Friday, 14 August 2020, 12:48 GMT
Details
Description:
Recently pambase switched from pam_tally to pam_tally2.

Commit: https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/pambase&id=63d98c5eca79ea60493241951f6aeb5c98c9b892
Bug report: https://bugs.archlinux.org/task/42120

File /etc/pam.d/system-login was modified as follows:

An "auth" line was modified to use pam_tally2 and also log file was changed from faillog to tallylog

-auth required pam_tally.so onerr=succeed file=/var/log/faillog
+auth required pam_tally2.so onerr=succeed file=/var/log/tallylog

And new "account" line was added

+account required pam_tally2.so

Since /var/log/tallylog is the default file for pam_tally2, above is not a bug in its current form.

But if someone changes file= in "auth" line they may not realize to make the same change to "account" line. And then "account" module will still continue to use default file /var/log/tallylog.

For clarity and to be more specific we should modify the "account" line as well to:

-account required pam_tally2.so
+account required pam_tally2.so onerr=succeed file=/var/log/tallylog

where onerr and file are global options. See "man pam_tally2"

Additional info:
* package version(s)
pambase 20190105.1-1
* config and/or log files etc.
/etc/pam.d/system-login

Steps to reproduce:
Not a bug in current form but can lead to bug / mis-configuration. See description above.
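Review bot: on the proposed "+account required pam_tally2.so onerr=succeed file=/var/log/tallylog" line, repeating file= on both lines still leaves two values that have to be edited together by hand. Since the report notes that /var/log/tallylog is already the pam_tally2 default, dropping file= from the "auth" line (the second option in the title) would remove the duplication instead. If onerr=succeed is kept on both lines, a comment in system-login saying that the tally check is meant to succeed on error would make that choice visible to anyone editing the file.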
Closed by Tobias Powalowski (tpowa)
Friday, 14 August 2020, 12:48 GMT
Reason for closing: Fixed
Additional comments about closing: 1.4.0-3
The lack of onerr=succeed for the account line appears to have caused local login failures in a misconfigured system where /var/log/tallylog was globally writeable.
So if "auth" is set to succeed on error then "account" should be set to succeed on error too.
Please vote for this bug report.
Please assign to appropriate person. (mostly the same person who switched package to use pam_tally2 instead of pam_tally)
Thank you.
Clearly it was not a General Gripe.
[1] https://github.com/linux-pam/linux-pam/releases/tag/v1.4.0
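Added example, not part of the report or of pambase: a small Python check for the drift described in the description and the first comment, where the "auth" and "account" pam_tally2 lines end up with different file= or onerr= values. The function names and the path /var/log/mytally are made up for illustration; an absent onerr= is reported as "(default)" rather than resolved.

```python
import re

# Options that the auth and account pam_tally2 lines must agree on.
# The file= default is the one the report states; an absent onerr= is
# recorded as "(default)" rather than guessed.
DEFAULTS = {"file": "/var/log/tallylog", "onerr": "(default)"}
# type, control (plain word or [bracketed]), module path, arguments
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def tally2_options(pam_text):
    """Return {pam type: {option: value}} for each pam_tally2.so line."""
    found = {}
    for raw in pam_text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if not m or not m.group(3).endswith("pam_tally2.so"):
            continue
        opts = dict(DEFAULTS)
        for arg in m.group(4).split():
            key, _, value = arg.partition("=")
            if key in opts:
                opts[key] = value
        found[m.group(1)] = opts
    return found

def mismatches(pam_text):
    """List (option, auth value, account value) where the two lines differ."""
    found = tally2_options(pam_text)
    if "auth" not in found or "account" not in found:
        return []
    auth, account = found["auth"], found["account"]
    return [(k, auth[k], account[k]) for k in DEFAULTS if auth[k] != account[k]]

# Constructed inputs: the lines quoted in the report, a local edit of file=
# (the path /var/log/mytally is made up), and the proposed account line.
SHIPPED = """auth required pam_tally2.so onerr=succeed file=/var/log/tallylog
account required pam_tally2.so"""
EDITED = SHIPPED.replace("/var/log/tallylog", "/var/log/mytally")
PROPOSED = SHIPPED + " onerr=succeed file=/var/log/tallylog"

if __name__ == "__main__":
    for name, text in [("shipped", SHIPPED), ("edited", EDITED), ("proposed", PROPOSED)]:
        print(name, mismatches(text))
```
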