Bug 2062512 - Failure record file under /var/run/faillock removed after os reboot
Summary: Failure record file under /var/run/faillock removed after os reboot
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pam
Version: 8.3
Hardware: All
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Iker Pedrosa
QA Contact: Anuj Borah
URL:
Whiteboard: review
Depends On:
Blocks: 2126632
Reported: 2022-03-10 02:31 UTC by masanari iida
Modified: 2023-05-16 10:57 UTC (History)

Fixed In Version: pam-1.3.1-25.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 2126632
Environment:
Last Closed: 2023-05-16 09:02:48 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-115090 0 None None None 2022-03-10 02:36:30 UTC
Red Hat Issue Tracker SSSD-4397 0 None None None 2022-03-11 08:52:10 UTC
Red Hat Product Errata RHBA-2023:2954 0 None None None 2023-05-16 09:03:00 UTC

Description masanari iida 2022-03-10 02:31:37 UTC
Description of problem:
The following test was done on a system with the faillock feature enabled.

If an admin reboots a system after one of the user accounts has been locked by faillock,
the user's failure record in /var/run/faillock will be removed and the user's
account will become unlocked.

I am not saying this is a bug.
If the developers think this is an expected result, please add the information
to the pam_faillock man page or the README in /usr/share/doc.

Version-Release number of selected component (if applicable):
pam-1.3.1-11.el8.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Enable the faillock feature
  # authselect enable-feature with-faillock

2. Attempt to log in to the system with a wrong password at least 3 times.

3. Make sure the failure is recorded in the /var/run/faillock/user_name file
  # faillock --user user_name

4. Reboot the system

5. Try to log in to the system as the test user with the correct password.

Actual results:
The user can log in to the system.

Expected results:
The user cannot log in to the system,
because the user's account was already locked before the reboot.

Additional info:

Comment 1 Iker Pedrosa 2022-03-10 08:25:41 UTC
/var/run is symlinked to /run, which is a tmpfs that exists only in memory. Thus, when the system reboots the content of the folder is recreated and all the information is lost.

As a possible workaround you can edit the content of /etc/security/faillock.conf to point to another directory instead of /var/run/faillock.

Comment 2 masanari iida 2022-03-10 11:43:31 UTC
Thanks for the reply.
I understand why the failure record files are removed after reboot.
As I wrote in the description, I would like to see information that
failure record files are removed after reboot.

If this information doesn't fit in the man page,
then I would like to discuss with Christian Horn the possibility
of creating a KB about this.

In the meantime, I know that Red Hat is working on bz#1978029.
If I want to add a workaround (save failure information files on
storage instead of tmpfs) in the KB, then I need to write about
the current faillock limitation.

Probably I need to think about the impact of SELinux
if I want to save the failure record files somewhere other than /var.
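
A defender-side check for the behaviour Comment 1 describes and the storage concern raised in Comment 2, as an added example that is not code from the bug report or the pam project: it reads a faillock.conf and a mounts table and reports whether the configured record directory (default /var/run/faillock, overridable with `dir =`) resolves to tmpfs, i.e. whether lockouts are lost on reboot. The config contents, the mount table and the /var/lib/faillock path are constructed samples for the example.

```shell
#!/bin/sh
# Added example (not code from the bug report): decide whether faillock's
# record directory sits on tmpfs, i.e. whether lockouts vanish on reboot.
# Inputs are passed as text so the check runs offline against constructed
# samples; on a live host pass /etc/security/faillock.conf and /proc/self/mounts.

# faillock_dir CONF_TEXT -> prints the effective record directory.
# pam_faillock defaults to /var/run/faillock; an uncommented "dir = PATH"
# line in faillock.conf overrides it.
faillock_dir() {
    dir=$(printf '%s\n' "$1" |
          sed -n 's/^[[:space:]]*dir[[:space:]]*=[[:space:]]*//p' | tail -n 1)
    printf '%s\n' "${dir:-/var/run/faillock}"
}

# mount_fstype MOUNTS_TEXT PATH -> prints the filesystem type of the
# longest mount point that is a prefix of PATH (fields as in /proc/mounts).
mount_fstype() {
    printf '%s\n' "$1" | awk -v p="$2" '
        { mp = $2; n = length(mp)
          if (mp == "/" || p == mp || substr(p, 1, n + 1) == (mp "/")) {
              if (n > best) { best = n; fs = $3 } } }
        END { print fs }'
}

# lockouts_persist CONF_TEXT MOUNTS_TEXT -> exit 0 if records survive a
# reboot (directory not on tmpfs), 1 if they are lost.
lockouts_persist() {
    d=$(faillock_dir "$1")
    # /var/run is a symlink to /run, as Comment 1 explains
    case "$d" in /var/run) d=/run ;; /var/run/*) d="/run/${d#/var/run/}" ;; esac
    fs=$(mount_fstype "$2" "$d")
    [ "$fs" != tmpfs ]
}

# Constructed samples: a stock RHEL 8 layout, plus a faillock.conf whose
# dir was moved to persistent storage (the path is illustrative).
MOUNTS='/dev/sda1 / xfs rw 0 0
tmpfs /run tmpfs rw 0 0
/dev/sda2 /var xfs rw 0 0'
STOCK_CONF='# deny = 3
# dir = /var/run/faillock'
MOVED_CONF='deny = 3
dir = /var/lib/faillock'

for c in "$STOCK_CONF" "$MOVED_CONF"; do
    lockouts_persist "$c" "$MOUNTS" && r=persistent || r='lost on reboot'
    printf 'dir=%s -> %s\n' "$(faillock_dir "$c")" "$r"
done
```

On an SELinux-enforcing host a relocated directory also needs a file context pam_faillock is allowed to write to (set with semanage fcontext and restorecon), which is the point Comment 2 anticipates.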

Comment 3 Christian Horn 2022-03-11 00:42:03 UTC
A kbase article is possible, but having it in the man pages would mean it
also gets to upstream and other distros, so that might be preferable.

Comment 4 Iker Pedrosa 2022-03-11 08:37:27 UTC
I'll include that in the man pages so that everybody is aware of the possible problem.

Comment 5 masanari iida 2022-03-11 08:41:11 UTC
Thank you for your decision. 
Everybody will be happy.
Masanari

Comment 8 Iker Pedrosa 2022-11-09 08:14:38 UTC
master:
    pam_faillock: Clarify missing user faillock files after reboot - bcbf145ce925934214e48200c27c9ff736452549

Comment 13 errata-xmlrpc 2023-05-16 09:02:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (pam bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2954

