Bug 151635

Summary: /var/log/secure spam finding lastlog
Product: [Fedora] Fedora Reporter: Joe Orton <jorton>
Component: util-linuxAssignee: Karel Zak <kzak>
Status: CLOSED RAWHIDE QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: medium    
Version: 4CC: florin, kzak, pvrabec, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-03-30 10:57:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Joe Orton 2005-03-21 09:57:18 UTC 
Description of problem:
With a Raw Hide install I'm getting spam in /var/log/secure like:

Mar 21 09:44:23 trash sshd[12324]: Accepted publickey for jorton from
::ffff:172.16.18.90 port 42150 ssh2
Mar 21 09:44:23 trash sshd[12324]: lastlog_perform_login: Couldn't stat
/var/log/lastlog: No such file or directory
Mar 21 09:44:23 trash sshd[12324]: lastlog_openseek: /var/log/lastlog is not a
file or director

Version-Release number of selected component (if applicable):
openssh-3.9p1-12
Comment 1 Tomas Mraz 2005-03-21 10:55:45 UTC 
This is a regression caused by the fix for bug 139539 in the setup package.

I don't think this is a sshd bug, for example the login binary doesn't work well
with missing lastlog file too (it won't create the file, so the last login
information is lost).

I'd suggest touching the lastlog file in the post install script of the setup
package if it has to be %ghost and not %config.
Comment 2 Bill Nottingham 2005-03-23 04:11:44 UTC 
This is *theoretically* created by useradd; did the behavior change there?
Comment 3 Tomas Mraz 2005-03-23 08:32:42 UTC 
If it changed it is not a recent change - on a FC3 box:
root@perun:~# ls -l /var/log/lastlog
-r--------  1 root root 146584 Mar 23 09:04 /var/log/lastlog
root@perun:~# rm /var/log/lastlog
rm: remove regular file `/var/log/lastlog'? y
root@perun:~# useradd testuser2
root@perun:~# ls -l /var/log/lastlog
ls: /var/log/lastlog: No such file or directory
Comment 4 Bill Nottingham 2005-03-23 17:44:40 UTC 
Unfortunately, setup *cannot* have prereqs, as it would create an unsolvable
dependency loop.

So, the creation would have to be somewhere else. :/

Candidates are shadow-utils, sysklogd, logrotate, util-linux... ?
Comment 5 Tomas Mraz 2005-03-23 19:43:33 UTC 
I vote for util-linux then as login is a part of the package.

Should the util-linux package also own the file as %ghost?
Comment 6 Bill Nottingham 2005-03-23 20:00:25 UTC 
If it creates it, probably.
Comment 7 Karel Zak 2005-03-24 07:38:58 UTC 
The login doesn't create /var/log/lastlog :-(

I don't know how many programs write something to the 'lastlog', but I think
each program that write something to 'lastlog' have to use something like:

  open(PATH_LASTLOG, O_RDWR | O_CREATE, 0)
                              ^^^^^^^^^

Or is there any reason why only (any) install script should be create it? IMHO
it's important file and it should be created always when it missing in system.
Comment 8 Bill Nottingham 2005-03-24 18:40:27 UTC 
Well, the messages from sshd are from the portions that simply read it to get
the last login time. I suppose you could argue that they could be silenced in
that case, but I don't think making the file is correct there.
Comment 10 Tomas Mraz 2005-03-31 07:09:26 UTC 
*** Bug 152635 has been marked as a duplicate of this bug. ***