Previously non-root users could use the 'lastlog' command. Now they get 'Permission denied'. This issue was caught by the Cockpit integration tests. There is a separate bug #1317773 for Fedora. But since RHEL Atomic Host does not track Fedora Atomic Host, I'm filing this issue separately with appropriate version numbers, etc.

Version-Release number of selected component (if applicable):

* 2016-03-01 01:35:21     7.2.2-2     8b2cf24b42     rhel-atomic-host     rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
shadow-utils-4.1.5.1-18.el7.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. Boot RHEL Atomic Host 7.2.2-2
2. Log in as a non-root user, such as cloud-user
3. Run lastlog

Actual results:
$ lastlog
/var/log/lastlog: Permission denied
$ sudo ls -l /var/log/lastlog
----------. 1 root root 292584 Mar 15 09:05 /var/log/lastlog

Expected results:
$ lastlog
Username         Port     From             Latest
root                                       **Never logged in**
...
$ sudo ls -l /var/log/lastlog
-rw-r--r--. 1 root root 292584 Mar 15 03:49 /var/log/lastlog
For now, a non-root user doesn't have read permission on the /var/log/lastlog file. If only the root user can write the /var/log/lastlog file, I'm not sure if it's information leakage to allow non-root to read /var/log/lastlog.

[cloud-user@atomic-00 ~]$ sudo atomic host status
  TIMESTAMP (UTC)         VERSION     ID             OSNAME               REFSPEC
* 2016-03-29 20:52:18     7.2.3       d620e84186     rhel-atomic-host     rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
  2016-03-11 19:31:01     7.2.3       f6f9c97816     rhel-atomic-host     rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
[cloud-user@atomic-00 ~]$ rpm -q shadow-utils
shadow-utils-4.1.5.1-18.el7.x86_64
[cloud-user@atomic-00 ~]$ sudo ls -l /var/log/lastlog
----------. 1 root root 292292 Apr  6 09:10 /var/log/lastlog
[cloud-user@atomic-00 ~]$ lastlog
/var/log/lastlog: Permission denied
Why can a user read /var/log/lastlog on RHEL and Fedora but not on Atomic? Does Atomic have different requirements about sharing login information with non-root users?
(In reply to Stef Walter from comment #3)
> Why can a user read /var/log/lastlog on RHEL and Fedora but not on Atomic?
> Does Atomic have different requirements about sharing login information with
> non-root users?

I just checked a RHEL system; yes, the non-root users should have read permission for /var/log/lastlog, but I'm not sure if it's a design for Atomic Host. Anyway, I think Daniel can give an authoritative answer.
This seems like a bug. Having permissions of 000 means that even root can not read it, unless it has CAP_DAC_ADMIN. Lastlog info is not that valuable.
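Editor's added example, not code from the bug thread or from shadow-utils: a small Python script that (a) checks whether /var/log/lastlog carries the expected 0644 mode that the comments above describe as normal on RHEL and Fedora, and (b) parses the lastlog binary format so a reviewer can see exactly what a world-readable file discloses (per-UID last login time, tty and source host). It assumes the glibc x86_64 layout of struct lastlog (int32 ll_time, char ll_line[32], char ll_host[256], 292 bytes, indexed by UID); the file sizes quoted in this bug (292584 and 292292 bytes) are exact multiples of 292, which is consistent with that assumption. The sample records are constructed here and reuse the two timestamps from the 2020 comment; no real file is read.

```python
import os
import stat
import struct
import tempfile
from datetime import datetime, timezone

# Assumed layout of struct lastlog on x86_64 glibc: int32 ll_time,
# char ll_line[32], char ll_host[256] -> 292 bytes, one slot per UID.
LASTLOG_FMT = "<i32s256s"
LASTLOG_SIZE = struct.calcsize(LASTLOG_FMT)  # 292


def _cstr(raw):
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\x00", 1)[0].decode("utf-8", "replace")


def parse_lastlog(data):
    """Return {uid: (epoch, line, host)} for every slot with a non-zero time.

    Slots whose ll_time is 0 are what lastlog(1) prints as '**Never logged in**'.
    """
    entries = {}
    for uid in range(len(data) // LASTLOG_SIZE):
        ll_time, ll_line, ll_host = struct.unpack_from(
            LASTLOG_FMT, data, uid * LASTLOG_SIZE)
        if ll_time == 0:
            continue
        entries[uid] = (ll_time, _cstr(ll_line), _cstr(ll_host))
    return entries


def build_lastlog(records, max_uid):
    """Build a lastlog image from constructed records {uid: (epoch, line, host)}."""
    buf = bytearray((max_uid + 1) * LASTLOG_SIZE)
    for uid, (epoch, line, host) in records.items():
        struct.pack_into(LASTLOG_FMT, buf, uid * LASTLOG_SIZE,
                         epoch, line.encode(), host.encode())
    return bytes(buf)


def latest_str(epoch):
    """Render a timestamp the way lastlog(1) prints it in a UTC timezone."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime(
        "%a %b %d %H:%M:%S +0000 %Y")


def lastlog_mode_ok(path, expected=0o644):
    """True if the file has exactly the expected permission bits (world-readable,
    root-writable). Returns (ok, actual_mode_octal) so a caller can report it."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode == expected, oct(mode)


def demo():
    """Constructed scenario: the broken 0000 file from this bug, then the fix."""
    # Constructed sample data; timestamps mirror the 2020 comment in this bug.
    sample = build_lastlog({
        0: (1581345623, "pts/2", ""),                       # root
        1000: (1588173459, "pts/0", "ovpn-66-149.rdu2"),   # cloud-user
    }, max_uid=1000)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "lastlog")
        with open(path, "wb") as f:
            f.write(sample)
        os.chmod(path, 0o000)            # the mode reported in this bug
        broken_ok, broken_mode = lastlog_mode_ok(path)
        os.chmod(path, 0o644)            # the mode seen on RHEL/Fedora
        fixed_ok, fixed_mode = lastlog_mode_ok(path)
    return {
        "broken": (broken_ok, broken_mode),
        "fixed": (fixed_ok, fixed_mode),
        "size": len(sample),
        "entries": parse_lastlog(sample),
    }


if __name__ == "__main__":
    result = demo()
    print("mode check before fix:", result["broken"])
    print("mode check after fix: ", result["fixed"])
    for uid, (epoch, line, host) in sorted(result["entries"].items()):
        print(f"uid {uid:5d}  {line:<8} {host:<18} {latest_str(epoch)}")
```

Run against a real host with `lastlog_mode_ok("/var/log/lastlog")` (as root if the bug is present, since a 0000 file cannot be stat'ed for content but can be stat'ed for mode by any user) and `parse_lastlog(open("/var/log/lastlog", "rb").read())`. The parser is what a non-root user effectively gets once the file is 0644 again, which is the information-leakage scope the earlier comment was asking about.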
Colin, this looks like an Atomic host bug that got lost in the noise.
I can't reproduce this with:

| image | rhel-atomic-cloud-7.2-latest (936d1121-6a31-49d3-b308-a1d2c6d54c27) |
OK, let's mark this as modified then.
I'll have this removed from the atomic errata. Thanks, Colin.
```
$ rpm-ostree status
State: idle; auto updates disabled
Deployments:
* ostree://rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
                   Version: 7.8.0 (2020-03-27 12:03:52)
                    Commit: 0bbae7b8382b6228274909d26acf455738241115af3de44deac128348036f1ab

  ostree://rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
                   Version: 7.7.3 (2019-11-19 15:23:12)
                    Commit: e0ac32316936b7e138a2f9bea407bf20124f34f519e8f7147df3edc69ca86296

$ sudo ls -l /var/log/lastlog
-rw-r--r--. 1 root root 292292 Apr 29 15:17 /var/log/lastlog

$ lastlog
Username         Port     From             Latest
root             pts/2                     Mon Feb 10 14:40:23 +0000 2020
cloud-user       pts/0    ovpn-66-149.rdu2 Wed Apr 29 15:17:39 +0000 2020
bin                                        **Never logged in**
daemon                                     **Never logged in**
adm                                        **Never logged in**
lp                                         **Never logged in**
sync                                       **Never logged in**
shutdown                                   **Never logged in**
halt                                       **Never logged in**
mail                                       **Never logged in**
operator                                   **Never logged in**
games                                      **Never logged in**
ftp                                        **Never logged in**
nobody                                     **Never logged in**
dbus                                       **Never logged in**
polkitd                                    **Never logged in**
etcd                                       **Never logged in**
tss                                        **Never logged in**
avahi-autoipd                              **Never logged in**
rpc                                        **Never logged in**
sssd                                       **Never logged in**
dockerroot                                 **Never logged in**
rpcuser                                    **Never logged in**
nfsnobody                                  **Never logged in**
kube                                       **Never logged in**
sshd                                       **Never logged in**
chrony                                     **Never logged in**
systemd-network                            **Never logged in**
gluster                                    **Never logged in**
ceph                                       **Never logged in**
```