[Bug 2060676] Re: [SRU] login: remove pam_lastlog.so from config

Tue Nov 12 15:25:09 UTC 2024

I believe it is a problem, since it seems to be causing "last" not to
work correctly.

Removing the entry in /etc/pam.d/login will just clean up the
/var/log/auth.log file and not fix the missing entry in /var/log/wtmp -
right?

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/2060676

Title:
  [SRU] login: remove pam_lastlog.so from config

Status in shadow package in Ubuntu:
  Fix Released
Status in shadow source package in Noble:
  In Progress
Status in shadow source package in Oracular:
  Fix Released
Status in shadow package in Debian:
  Fix Released

Bug description:
  [ Impact ]

   * The following line has been found in users logs when trying to log in to their systems:
     login[2449]: PAM unable to dlopen(pam_lastlog.so): /usr/lib/security/pam_lastlog.so: cannot open shared object file: No such file or directory
     This results in users reporting that they cannot login to their systems. They can perhaps do so with other login methods (ssh, login, gdm, xdm, etc) that don't depend on the lastlog binary, but that doesn't suffice.

   * The upload fixes the issue by dropping pam_lastlog.so from all
  config, as well as not installing the lastlog binary.

  [ Test Plan ]

   * TODO: Need to come up with a test plan

  [ Where problems could occur ]

   * Users may no longer see the last login message when logging in via
  ssh, or other login methods.

  [ Other Info ]

   * This should already be fixed in Plucky and onwards, with necessary
  changes introduced in shadow/1:4.13+dfsg1-5, and in plucky we are
  already on shadow/1:4.15.3-3ubuntu2.

   * pam_lastlog2 is included in util-linux/2.40. We can make changes in
  shadow going forward that depends on pam_lastlog2 rather than
  pam_lastlog, going forward. But that's not really relevant to the SRU
  I guess. These changes are planned to be implemented upstream
  https://bugs.debian.org/cgi-
  bin/bugreport.cgi?att=0;bug=1068229;msg=39, so likely from Ubuntu's
  side, we can just wait for the changes.

  [Original description]

  Imported from Debian bug http://bugs.debian.org/1068229:

  Package: libpam-modules
  Version: 1.5.3-6
  Severity: normal

  I noticed the following line in my logs:

  login[2449]: PAM unable to dlopen(pam_lastlog.so):
  /usr/lib/security/pam_lastlog.so: cannot open shared object file: No
  such file or directory

  I looked in the deb files from snapshot.debian.org, and noticed the last version
  that had it was 1.5.2-9.1 - starting from 1.5.3-1 it disappeared.

  Maybe it's fallout from the time_t transition and you're already aware of it, in
  which case feel free to close.

  Thanks,

  -- M

  -- System Information:
  Debian Release: trixie/sid
    APT prefers unstable
    APT policy: (500, 'unstable'), (1, 'experimental')
  Architecture: amd64 (x86_64)
  Foreign Architectures: i386, arm64

  Kernel: Linux 6.7.9-amd64 (SMP w/4 CPU threads; PREEMPT)
  Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
  Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
  Shell: /bin/sh linked to /usr/bin/dash
  Init: systemd (via /run/systemd/system)

  Versions of packages libpam-modules depends on:
  ii  debconf [debconf-2.0]  1.5.86
  ii  libaudit1              1:3.1.2-2.1
  ii  libc6                  2.37-15.1
  ii  libcrypt1              1:4.4.36-4
  ii  libpam-modules-bin     1.5.3-6
  ii  libpam0g               1.5.3-6
  ii  libselinux1            3.5-2
  ii  libsystemd0            255.4-1+b1

  libpam-modules recommends no packages.

  libpam-modules suggests no packages.

  -- debconf information excluded

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/2060676/+subscriptions