[Bug 2060676] Re: [SRU] login: remove pam_lastlog.so from config
Tim Andersson
2060676 at bugs.launchpad.net
Wed Nov 13 11:13:01 UTC 2024
** Description changed:
[ Impact ]
* The following line has been found in users logs when trying to log in to their systems:
login[2449]: PAM unable to dlopen(pam_lastlog.so): /usr/lib/security/pam_lastlog.so: cannot open shared object file: No such file or directory
- This results in users reporting that they cannot login to their systems. They can perhaps do so with other login methods (ssh, login, gdm, xdm, etc) that don't depend on the lastlog binary, but that doesn't suffice.
+ This is the only known occurrence of the log. It occurs when users log in to their systems using a tty, or rather referred to as the 'login' method in shadow/pam etc. This log error message is not present when logging in via ssh, gdm, xdm, or other login methods, as they do not depend on the lastlog binary.
* The upload fixes the issue by dropping pam_lastlog.so from all
config, as well as not installing the lastlog binary.
[ Test Plan ]
- * TODO: Need to come up with a test plan
+ * To reproduce the bug, simply take the Noble 24.04.1 iso, install to a system, and login via a TTY instead of the graphical display manager. Then check journalctl -b 0 and search for 'lastlog'. You should see the log message.
+
+ * To test the change, remove the session optional pam_lastlog.so from /etc/pam.d/login, and then try to login with a tty again, then check the journal.
[ Where problems could occur ]
- * Users may no longer see the last login message when logging in via
- ssh, or other login methods.
+ * Any production systems that use lastlog in a `required` manner may be
+ broken by this change, if they are not already in a broken state.
[ Other Info ]
* This should already be fixed in Plucky and onwards, with necessary
changes introduced in shadow/1:4.13+dfsg1-5, and in plucky we are
already on shadow/1:4.15.3-3ubuntu2.
* pam_lastlog2 is included in util-linux/2.40. We can make changes in
shadow going forward that depends on pam_lastlog2 rather than
pam_lastlog, going forward. But that's not really relevant to the SRU I
guess. These changes are planned to be implemented upstream
https://bugs.debian.org/cgi-bin/bugreport.cgi?att=0;bug=1068229;msg=39,
so likely from Ubuntu's side, we can just wait for the changes.
[Original description]
Imported from Debian bug http://bugs.debian.org/1068229:
Package: libpam-modules
Version: 1.5.3-6
Severity: normal
I noticed the following line in my logs:
login[2449]: PAM unable to dlopen(pam_lastlog.so):
/usr/lib/security/pam_lastlog.so: cannot open shared object file: No
such file or directory
I looked in the deb files from snapshot.debian.org, and noticed the last version
that had it was 1.5.2-9.1 - starting from 1.5.3-1 it disappeared.
Maybe it's fallout from the time_t transition and you're already aware of it, in
which case feel free to close.
Thanks,
-- M
-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, arm64
Kernel: Linux 6.7.9-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libpam-modules depends on:
ii debconf [debconf-2.0] 1.5.86
ii libaudit1 1:3.1.2-2.1
ii libc6 2.37-15.1
ii libcrypt1 1:4.4.36-4
ii libpam-modules-bin 1.5.3-6
ii libpam0g 1.5.3-6
ii libselinux1 3.5-2
ii libsystemd0 255.4-1+b1
libpam-modules recommends no packages.
libpam-modules suggests no packages.
-- debconf information excluded
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/2060676
Title:
[SRU] login: remove pam_lastlog.so from config
Status in shadow package in Ubuntu:
Fix Released
Status in shadow source package in Noble:
In Progress
Status in shadow source package in Oracular:
Fix Released
Status in shadow package in Debian:
Fix Released
Bug description:
[ Impact ]
* The following line has been found in users logs when trying to log in to their systems:
login[2449]: PAM unable to dlopen(pam_lastlog.so): /usr/lib/security/pam_lastlog.so: cannot open shared object file: No such file or directory
This is the only known occurrence of the log. It occurs when users log in to their systems using a tty, or rather referred to as the 'login' method in shadow/pam etc. This log error message is not present when logging in via ssh, gdm, xdm, or other login methods, as they do not depend on the lastlog binary.
* The upload fixes the issue by dropping pam_lastlog.so from all
config, as well as not installing the lastlog binary.
[ Test Plan ]
* To reproduce the bug, simply take the Noble 24.04.1 iso, install to a system, and login via a TTY instead of the graphical display manager. Then check journalctl -b 0 and search for 'lastlog'. You should see the log message.
* To test the change, remove the session optional pam_lastlog.so from /etc/pam.d/login, and then try to login with a tty again, then check the journal.
[ Where problems could occur ]
* Any production systems that use lastlog in a `required` manner may
be broken by this change, if they are not already in a broken state.
[ Other Info ]
* This should already be fixed in Plucky and onwards, with necessary
changes introduced in shadow/1:4.13+dfsg1-5, and in plucky we are
already on shadow/1:4.15.3-3ubuntu2.
* pam_lastlog2 is included in util-linux/2.40. We can make changes in
shadow going forward that depends on pam_lastlog2 rather than
pam_lastlog, going forward. But that's not really relevant to the SRU
I guess. These changes are planned to be implemented upstream
https://bugs.debian.org/cgi-
bin/bugreport.cgi?att=0;bug=1068229;msg=39, so likely from Ubuntu's
side, we can just wait for the changes.
[Original description]
Imported from Debian bug http://bugs.debian.org/1068229:
Package: libpam-modules
Version: 1.5.3-6
Severity: normal
I noticed the following line in my logs:
login[2449]: PAM unable to dlopen(pam_lastlog.so):
/usr/lib/security/pam_lastlog.so: cannot open shared object file: No
such file or directory
I looked in the deb files from snapshot.debian.org, and noticed the last version
that had it was 1.5.2-9.1 - starting from 1.5.3-1 it disappeared.
Maybe it's fallout from the time_t transition and you're already aware of it, in
which case feel free to close.
Thanks,
-- M
-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, arm64
Kernel: Linux 6.7.9-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libpam-modules depends on:
ii debconf [debconf-2.0] 1.5.86
ii libaudit1 1:3.1.2-2.1
ii libc6 2.37-15.1
ii libcrypt1 1:4.4.36-4
ii libpam-modules-bin 1.5.3-6
ii libpam0g 1.5.3-6
ii libselinux1 3.5-2
ii libsystemd0 255.4-1+b1
libpam-modules recommends no packages.
libpam-modules suggests no packages.
-- debconf information excluded
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/2060676/+subscriptions
More information about the foundations-bugs
mailing list