Bug 987787

Summary: Remove lastlogin from su
Product: Red Hat Enterprise Linux 7
Component: util-linux
Version: 7.0
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Target Milestone: beta
Reporter: Miroslav Vadkerti <mvadkert>
Assignee: Karel Zak <kzak>
QA Contact: qe-baseos-daemons
CC: amarecek, kzak, mmarhefk, sgrubb, tmraz
Fixed In Version: util-linux-2.23.2-3.el7
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-06-13 10:37:12 UTC
Bug Blocks: 1263851

Description Miroslav Vadkerti 2013-07-24 07:34:41 UTC
Description of problem:
In our tests we often do
su - -c 'command' user

In the current version in RHEL7, subsequent runs result in last login messages that break some of our tests, which expect only the output of the command as in RHEL6.

Is the last login info for su really required? I do not see the point exactly, I do agree it should be enabled for login/ssh and similar, but not for su.

Version-Release number of selected component (if applicable):
pam-1.1.6-12.el7

How reproducible:
100%

Steps to Reproduce:
1. useradd tester
2. su - -c "id"
3. su - -c "id"

Actual results:
Last login: Wed Jul 24 08:36:28 CEST 2013 from dhcp-25-161.brq.redhat.com on pts/18
uid=0(root) gid=0(root) skupiny=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Expected results:
uid=0(root) gid=0(root) skupiny=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Comment 1 Miroslav Vadkerti 2013-07-24 07:35:45 UTC
Steve, please is the last login after su a requirement of some security standards? Or are we safe to turn it off by default?

Comment 2 Steve Grubb 2013-07-24 13:48:40 UTC
It's not needed for su, but it is required for logins. Yes, there are security standards asking for this information. My guess is the '-' being passed tells it to simulate a login. Offhand I don't know how you can remove it conditionally just for su.

Comment 3 Miroslav Vadkerti 2013-07-24 13:57:49 UTC
Nope, the same issue is with "bare" su without the -. Tomas, so according to Steve's comments, can we remove it? If the lastlog is needed for su -, AFAIK we need the change only in su-l pam.d config file.

Comment 4 Tomas Mraz 2013-07-24 14:03:38 UTC
We can remove it for su and keep it for su - that's no problem. But is that a good idea?

Comment 5 Miroslav Vadkerti 2013-07-24 14:12:40 UTC
What are the concerns that we won't have it there? I do not really see the added value of it popping up every time I do su.

Comment 6 Tomas Mraz 2013-07-24 14:34:45 UTC
I am fine to not have it there. What I am in doubt about is whether making the su and 'su -' behaviour different in this aspect is a good idea. As you can do basically everything the same in both invocations, is saying that su - equals login and pure su does not equal login correct?

Comment 7 Aleš Mareček 2013-07-25 09:27:46 UTC
Greetings!
I can imagine the last login is needed for "su" and "su -", but in the case of the "-c" option? When the "-c" option is used it means I want to execute some command, thus I don't really care about any login messages, just whether the command was successful or not.
Is it possible to remove the message when "-c" is used? What do you think about this idea?

Next option could be to "call the last login message" by an explicit option. I don't know how many users and how important the "last login" messages are for su when we have "classic" login, ssh and logs.

Thanks and Regards!

Comment 8 Tomas Mraz 2013-07-25 09:51:12 UTC
Yes, having the -c determine whether the last login messages should be output or not would probably be the best way.

This would require change in su though.

Karel, what do you think about suppressing pam messages from the session if -c is used?

Comment 9 Karel Zak 2013-08-01 09:17:12 UTC
It would probably be better to suppress the message for -c as well as for non-login "su". The message should be visible only for interactive (shell) login-like sessions, which means "su -" without -c.

What is necessary to change in su(1) to inform PAM that the session is an interactive login session?

Comment 10 Tomas Mraz 2013-08-05 13:32:02 UTC
I'd prefer su to just suppress the messages that it receives from the conversation function from PAM in such a situation, rather than inventing a new mechanism to inform PAM about this.
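
The approach proposed in comment 10, with the visibility rule from comment 9, as an added example that is not part of this bug report or of util-linux: a conversation callback that discards PAM_TEXT_INFO messages unless the session is "su -" without -c. The names su_session and su_conv are hypothetical, and the PAM types and constants are local stand-ins that mirror Linux-PAM's definitions.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins with Linux-PAM's names and values so this builds without the
 * libpam headers; a real program includes <security/pam_appl.h> instead. */
enum { PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_CONV_ERR = 19 };
enum { PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON, PAM_ERROR_MSG, PAM_TEXT_INFO };
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Hypothetical per-invocation state, handed to PAM as appdata_ptr. */
struct su_session {
    int login_shell;   /* "su -" was used */
    int has_command;   /* "-c command" was used */
    int shown;         /* messages actually printed */
};

/* Conversation callback: drops PAM_TEXT_INFO (e.g. "Last login: ...") unless
 * the session is "su -" without -c (comment 9). Errors are never hidden. */
int su_conv(int num_msg, const struct pam_message **msg,
            struct pam_response **resp, void *appdata)
{
    struct su_session *s = appdata;
    struct pam_response *r;

    if (num_msg <= 0 || !msg || !resp || !s)
        return PAM_CONV_ERR;
    int quiet = !(s->login_shell && !s->has_command);
    if (!(r = calloc((size_t)num_msg, sizeof(*r))))
        return PAM_BUF_ERR;
    for (int i = 0; i < num_msg; i++) {
        int style = msg[i]->msg_style;
        if (style == PAM_TEXT_INFO && quiet)
            continue;                       /* suppressed */
        if (style != PAM_TEXT_INFO && style != PAM_ERROR_MSG) {
            free(r);                        /* prompts are out of scope here */
            return PAM_CONV_ERR;
        }
        fprintf(style == PAM_ERROR_MSG ? stderr : stdout, "%s\n", msg[i]->msg);
        s->shown++;
    }
    *resp = r;                              /* caller frees the reply array */
    return PAM_SUCCESS;
}
```

Only informational text is filtered, so a PAM_ERROR_MSG from a session module still reaches the user when the lastlog banner is hidden.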

Comment 11 Karel Zak 2013-08-27 09:52:09 UTC
Fixed in upstream tree, commit fb4edda749e4c81e9ce713a017240ded8f521d07.

Comment 13 Matus Marhefka 2014-01-31 13:39:34 UTC
VERIFIED as fixed for util-linux-2.23.2-10.el7.x86_64

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'useradd tester' (Expected 0, got 0)
:: [   INFO   ] :: rlRun: command = 'su - -c "id"'; exitcode = 0; expected = 0
:: [   PASS   ] :: Running 'su - -c "id"' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/tmp/tmp.r0V9cfkEXM' should not contain 'Last login' 
:: [   LOG    ] :: Duration: 0s
:: [   LOG    ] :: Assertions: 3 good, 0 bad
:: [   PASS   ] :: RESULT: Test

Comment 15 Ludek Smid 2014-06-13 10:37:12 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.