Description of problem:
su does not record failed logins in /var/log/btmp. SSH does this, but it is the only application that I am aware of that will record the failed logins. If pam_lastlog is enabled with the "showfailed" option in /etc/pam.d/su, failed logins will be displayed upon a successful su, but failed logins are not recorded on a failed su.

Version-Release number of selected component (if applicable):
coreutils-5.97-34.el5

How reproducible:
every time

Steps to Reproduce:
1. create user1 and user2 as local, unprivileged users
2. fail 2 logins with user1 over SSH (do NOT log in successfully afterward)
3. login over SSH with user2 successfully
4. su - user1 and succeed on the first try
5. you will see the failed logins from the SSH session if you have pam_lastlog configured with the 'showfailed' option
6. exit from user1's session so you become user2 again
7. su - user1 again, but fail on purpose
8. su - user1 and succeed
9. no failed logins are shown, even though you failed when attempting the su

Actual results:

Expected results:

Additional info:
I think just adding this function and calling it in the su failure case would handle this appropriately. This is very similar to what openssh does (the log_error function could be replaced by any function that writes to syslog). The hostname argument could probably be omitted as well, since the su will always come from the localhost by definition.

Let me know if you have any questions:

    #include <errno.h>
    #include <fcntl.h>
    #include <string.h>
    #include <syslog.h>
    #include <sys/stat.h>
    #include <time.h>
    #include <unistd.h>
    #include <utmp.h>

    /* openssh's log_error/log_debug stand-ins: any syslog writer will do */
    #define log_error(...) syslog(LOG_ERR, __VA_ARGS__)
    #define log_debug(...) syslog(LOG_DEBUG, __VA_ARGS__)

    #ifndef _PATH_BTMP
    #define _PATH_BTMP "/var/log/btmp"
    #endif

    static void
    record_failed_login(const char *username, const char *hostname)
    {
        int fd;
        struct utmp ut;
        time_t t;
        struct stat fst;

        /* btmp is root-only; nothing to do unless su runs as root */
        if (geteuid() != 0)
            return;

        if ((fd = open(_PATH_BTMP, O_WRONLY | O_APPEND)) < 0) {
            log_debug("Unable to open the btmp file %s: %s", _PATH_BTMP, strerror(errno));
            return;
        }
        if (fstat(fd, &fst) < 0) {
            log_error("%s: fstat of %s failed: %s", "record_failed_login", _PATH_BTMP, strerror(errno));
            goto out;
        }
        /* refuse to append to a btmp that is group/world accessible or not root-owned */
        if ((fst.st_mode & (S_IRWXG | S_IRWXO)) || (fst.st_uid != 0)) {
            log_error("Excess permission or bad ownership on file %s", _PATH_BTMP);
            goto out;
        }

        memset(&ut, 0, sizeof(ut));
        /* strncpy because we don't necessarily want nul termination */
        strncpy(ut.ut_user, username, sizeof(ut.ut_user));
        strncpy(ut.ut_line, "su", sizeof(ut.ut_line));
        time(&t);
        ut.ut_time = t; /* ut_time is not always a time_t */
        ut.ut_type = LOGIN_PROCESS;
        ut.ut_pid = getpid();
        /* strncpy because we don't necessarily want nul termination */
        strncpy(ut.ut_host, hostname, sizeof(ut.ut_host));

        if (write(fd, &ut, sizeof(ut)) != (ssize_t)sizeof(ut))
            log_error("Failed to write to %s: %s", _PATH_BTMP, strerror(errno));
    out:
        close(fd);
    }
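To verify on a system whether su failures actually reach btmp, here is an added example (not part of the bug report, coreutils or openssh) that parses raw btmp records with the same layout the proposed function writes and counts attempts per user and source line; the user names, line values ("ssh:notty", "su") and timestamps in the sample are constructed.

```c
#define _GNU_SOURCE
#include <string.h>
#include <time.h>
#include <utmp.h>

/* Copy a fixed-width utmp field (not guaranteed NUL-terminated) into a C string. */
static void field_to_str(const char *f, size_t flen, char *out, size_t olen)
{
    size_t n = strnlen(f, flen);
    if (n >= olen) n = olen - 1;
    memcpy(out, f, n);
    out[n] = '\0';
}

/* Build one failed-login record laid out like the patch above writes it. */
struct utmp make_failed_record(const char *user, const char *line, time_t when)
{
    struct utmp ut;
    memset(&ut, 0, sizeof ut);
    strncpy(ut.ut_user, user, sizeof ut.ut_user); /* may be unterminated */
    strncpy(ut.ut_line, line, sizeof ut.ut_line);
    ut.ut_type = LOGIN_PROCESS;
    ut.ut_time = when;
    return ut;
}

/* Count failed attempts for `user`; `line` restricts to one source such as "su",
 * NULL matches any line. Works on records fread() from /var/log/btmp as well. */
size_t count_failed(const struct utmp *recs, size_t n, const char *user, const char *line)
{
    char u[UT_NAMESIZE + 1], l[UT_LINESIZE + 1];
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (recs[i].ut_type != LOGIN_PROCESS)
            continue;
        field_to_str(recs[i].ut_user, sizeof recs[i].ut_user, u, sizeof u);
        field_to_str(recs[i].ut_line, sizeof recs[i].ut_line, l, sizeof l);
        if (strcmp(u, user) == 0 && (line == NULL || strcmp(l, line) == 0))
            hits++;
    }
    return hits;
}

/* Constructed sample: two SSH failures and one su failure for user1. */
size_t sample_count(const char *user, const char *line)
{
    struct utmp recs[3];
    recs[0] = make_failed_record("user1", "ssh:notty", 1000);
    recs[1] = make_failed_record("user1", "ssh:notty", 1001);
    recs[2] = make_failed_record("user1", "su", 1002);
    return count_failed(recs, 3, user, line);
}
```

On an affected host, reading /var/log/btmp (root only) into a struct utmp array and calling count_failed with line "su" returns zero even after a deliberate su failure, while the SSH failures are counted.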
Sorry for the late response, I missed that bugzilla somehow. Thanks for the suggestion, but su pam support is downstream and the changes should be as minimal as possible. Therefore adding a new function and doing some hacks with that doesn't seem to be a good option to me. Adding Tomas Mraz to CC. Tomas, do you think that this should be handled on the application or PAM side?
pam_lastlog currently does not handle the writing to btmp. But it could be added. su currently does not write to either lastlog or wtmp, does it?
AFAIK it doesn't ...
Hmm thinking about it more - actually pam_lastlog cannot handle writing to btmp. So this has to be done directly in su.
The reason is that the PAM modules do not know the final outcome of the authentication if it failed.
Ok, thanks Tomas...
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate, in the next release of Red Hat Enterprise Linux.
This Bugzilla has been reviewed by Red Hat and is not planned to be addressed in Red Hat Enterprise Linux 5. Before I close it, adding Karel Zak to CC, to see how he feels about the changes, as su moved from coreutils to util-linux meanwhile. Karel - is this change already done in upstream util-linux or worth adding there?
It's already implemented and available in RHEL7.
Ok, thanks for info, closing WONTFIX for RHEL-5.