Arch Linux

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in Unsupported. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#61689 - [pambase] Either specify /var/log/tallylog for both auth AND account or dont specify at all

Attached to Project: Arch Linux
Opened by AMM (amish) - Saturday, 09 February 2019, 05:54 GMT
Last edited by Andreas Radke (AndyRTR) - Tuesday, 10 December 2019, 16:07 GMT
Task Type General Gripe
Category Packages: Core
Status Assigned
Assigned To Tobias Powalowski (tpowa)
Dave Reisner (falconindy)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 3
Private No



Recently pambase switched from pam_tally to pam_tally2.


Bug report:

File /etc/pam.d/system-login was modified as follows:

A "auth" line was modified to use pam_tally2 and also log file was changed from faillog to tallylog
-auth required onerr=succeed file=/var/log/faillog
+auth required onerr=succeed file=/var/log/tallylog

And new "account" line was added
+account required

Since /var/log/tallylog is the default file for pam_tally2, above is not a bug in its current form.

But if someone changes file= in "auth" line they may not reliaze to make the same change to "account" line. And then "account" module will still continue to use default file /var/log/tallylog.

For clarity and to be more specific we should modify the "account" line as well to:
-account required
+account required onerr=succeed file=/var/log/tallylog

where onerr and file are global options. See "man pam_tally2"

Additional info:
* package version(s)
pambase 20190105.1-1

* config and/or log files etc.

Steps to reproduce:
Not a bug in current form but can lead to bug / mis-configuration. See description above.
This task depends upon

Comment by Jake Kreiger (Magali75) - Saturday, 09 February 2019, 10:49 GMT
I think it's better to remove "onerr=succeed file=/var/log/tallylog" from auth module as it's already the default and thus redundant.
Comment by loqs (loqs) - Saturday, 23 February 2019, 10:31 GMT
The lack of onerr=succeed for the account line appears to have caused local login failures in a misconfigured system where /var/log/tallylog was globally writeable.
Comment by AMM (amish) - Saturday, 23 February 2019, 12:16 GMT
Yes default Arch config for pam_tally2 is to not deny anything, it just acts as a counter.

So if "auth" is set to succeed on error then "account" should be set to succeed on error too.

Please vote for this bug report.

Please assign to appropriate person. (mostly the same person who switched package to use pam_tally2 instead of pam_tally)

Thank you.
Comment by Alexander Schnaidt (Namarrgon) - Monday, 18 November 2019, 23:40 GMT
The lack of 'onerr=succeed' on the "account required" line also breaks login for root and users when the /var-fs is mounted RO.
Comment by AMM (amish) - Tuesday, 19 November 2019, 04:22 GMT
I believe we now have sufficient reports to change the "Task type" from "General Gripe" to "Bug Report"

Clearly it was not a General Gripe.
Comment by loqs (loqs) - Tuesday, 16 June 2020, 21:58 GMT
With the pam 1.4 release [1] is deprecated. The suggested replacement is the newly introduced