Bug 987787
| Summary: | Remove lastlogin from su | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Miroslav Vadkerti <mvadkert> |
| Component: | util-linux | Assignee: | Karel Zak <kzak> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | qe-baseos-daemons |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.0 | CC: | amarecek, kzak, mmarhefk, sgrubb, tmraz |
| Target Milestone: | beta | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | util-linux-2.23.2-3.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1263851 | Environment: | |
| Last Closed: | 2014-06-13 10:37:12 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1263851 | | |
Description
Miroslav Vadkerti
2013-07-24 07:34:41 UTC
Steve, please is the last login after su a requirement of some security standards? Or are we safe to turn it off by default?

It's not needed for su, but it is required for logins. Yes there are security standards asking for this information. My guess is the '-' being passed tells it to simulate a login. Offhand I don't know how you can remove it conditionally just for su.

Nope, the same issue is with "bare" su without the -. Tomas, so according to Steve's comments can we remove it?

If the lastlog is needed for su -, AFAIK we need the change only in su-l pam.d config file.

We can remove it for su and keep it for su - that's no problem. But is that a good idea?

What are the concerns that we won't have it there? I do not see really the added value it pops up every time I do su.

I am fine to not have it there. What I am in doubt about is whether making the su and 'su -' behaviour different in this aspect is a good idea. As you can do basically everything the same in both invocations is saying that su - equals to login and pure su does not equal to login correct?

Greetings! I can imagine the last login is needed for "su" and "su -" but in case of "-c" option? When "-c" option is called it means I want to execute some command thus I don't really care about any login messages, just if the command were successful or not. Is it possible to remove the message when "-c" is used? What do you think about this idea? Next option could be "call the last login message" by explicit option. I don't know how many users and how important is the "last login" messages for su when we have "classic" login, ssh and logs. Thanks and Regards!

Yes, having the -c determine whether the last login messages should be output or not would probably be the best way. This would require change in su though. Karel, what do you think about suppressing pam messages from the session if -c is used?

It would be probably better to suppress the message for -c as well as for non-login "su". The message should be visible only for interactive (shell) login-like sessions, it means "su -" without -c. What is necessary to change in su(1) to inform PAM that the session is interactive login session?

I'd prefer the su to just suppress the messages that it receives from the conversation function from PAM in such situation and not inventing a new mechanism to inform PAM about this.

Fixed in upstream tree, commit fb4edda749e4c81e9ce713a017240ded8f521d07.

VERIFIED as fixed for util-linux-2.23.2-10.el7.x86_64

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'useradd tester' (Expected 0, got 0)
:: [ INFO ] :: rlRun: command = 'su - -c "id"'; exitcode = 0; expected = 0
:: [ PASS ] :: Running 'su - -c "id"' (Expected 0, got 0)
:: [ PASS ] :: File '/var/tmp/tmp.r0V9cfkEXM' should not contain 'Last login'
:: [ LOG ] :: Duration: 0s
:: [ LOG ] :: Assertions: 3 good, 0 bad
:: [ PASS ] :: RESULT: Test
```

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
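The approach the thread settles on, filtering informational PAM messages inside su's conversation function so that "Last login" appears only for "su -" without -c, sketched as an added example; this is not code from util-linux or from this bug report. The `su_ctx` struct, `terminal_conv`, `su_conv` and `shown` are hypothetical names, and the fallback definitions are stand-ins used only when the Linux-PAM headers are not installed.

```c
#include <stddef.h>
#if defined(__has_include)
# if __has_include(<security/pam_appl.h>)
#  include <security/pam_appl.h>   /* real Linux-PAM types when installed */
#  define HAVE_PAM_HEADERS 1
# endif
#endif
#ifndef HAVE_PAM_HEADERS             /* stand-ins using Linux-PAM's values */
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
# define PAM_SUCCESS         0
# define PAM_PROMPT_ECHO_OFF 1
# define PAM_ERROR_MSG       3
# define PAM_TEXT_INFO       4
#endif

/* Hypothetical per-invocation state; these names are not from util-linux. */
struct su_ctx {
    int login_shell, has_command;  /* "su -" was given; "-c" was given */
    int forwarded;                 /* messages passed on to the terminal */
};
/* Stand-in for the terminal-facing conversation; it only counts messages. */
static int terminal_conv(int n, const struct pam_message **msg,
                         struct pam_response **resp, void *data)
{
    ((struct su_ctx *)data)->forwarded += n;
    return PAM_SUCCESS;
}
/* Wrapper: a lone PAM_TEXT_INFO is shown only for "su -" without -c. */
static int su_conv(int n, const struct pam_message **msg,
                   struct pam_response **resp, void *data)
{
    const struct su_ctx *c = data;
    int interactive_login = c->login_shell && !c->has_command;
    if (!interactive_login && n == 1 && msg && msg[0]->msg_style == PAM_TEXT_INFO) {
        if (resp) *resp = NULL;    /* informational text expects no reply */
        return PAM_SUCCESS;
    }
    return terminal_conv(n, msg, resp, data);  /* prompts and errors always pass */
}
/* Messages shown for one constructed message of the given style, -1 on error. */
static int shown(int login_shell, int has_command, int style)
{
    struct su_ctx c = { login_shell, has_command, 0 };
    struct pam_message m = { style, "Last login: (constructed sample)" };
    const struct pam_message *list[] = { &m };
    struct pam_response *r = NULL;
    return su_conv(1, list, &r, &c) == PAM_SUCCESS ? c.forwarded : -1;
}
int main(void) { return shown(1, 1, PAM_TEXT_INFO) == 0 ? 0 : 1; }
```

Only the informational style is dropped: password prompts and error messages still reach the user in every mode, so the filter does not hide authentication failures.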