987787 – Remove lastlogin from su

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 987787 - Remove lastlogin from su

Summary: Remove lastlogin from su

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	util-linux
Sub Component:
Version:	7.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	beta
Target Release:	---
Assignee:	Karel Zak
QA Contact:	qe-baseos-daemons
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1263851
TreeView+	depends on / blocked

Reported:	2013-07-24 07:34 UTC by Miroslav Vadkerti
Modified:	2015-09-16 21:25 UTC (History)
CC List:	5 users (show)
Fixed In Version:	util-linux-2.23.2-3.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	1263851 (view as bug list)
Environment:
Last Closed:	2014-06-13 10:37:12 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Miroslav Vadkerti 2013-07-24 07:34:41 UTC

Description of problem:
In our tests we often do
su - -c 'command' user

In current version in RHEL7, the subsequent runs results in last login messages, that break some of our tests, which expect only the output of the command as in RHEL6.

Is the last login info for su really required? I do not see the point exactly, I do agree it should be enabled for login/ssh and similar, but not for su.

Version-Release number of selected component (if applicable):
pam-1.1.6-12.el7

How reproducible:
100%

Steps to Reproduce:
1. useradd tester
2. su - -c "id"
3. su - -c "id"

Actual results:
Last login: Wed Jul 24 08:36:28 CEST 2013 from dhcp-25-161.brq.redhat.com on pts/18
uid=0(root) gid=0(root) skupiny=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Expected results:
uid=0(root) gid=0(root) skupiny=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Comment 1 Miroslav Vadkerti 2013-07-24 07:35:45 UTC

Steve, please is the last login after su a requirement of some security standards? Or are we safe to turn it off by default?

Comment 2 Steve Grubb 2013-07-24 13:48:40 UTC

Its not needed for su, but it is required for logins. Yes there are security standards asking for this information. My guess is the '-' being passed tells it to simulate a login. Offhand I don't know how you can remove it conditionally just for su.

Comment 3 Miroslav Vadkerti 2013-07-24 13:57:49 UTC

Nope the same issue is with "bare" su without the -. Tomas so according to Steve's comments can we remove it? If the lastlog is needed for su -, AFAIK we need the change only in su-l pam.d config file.

Comment 4 Tomas Mraz 2013-07-24 14:03:38 UTC

We can remove it for su and keep it for su - that's no problem. But is that a good idea?

Comment 5 Miroslav Vadkerti 2013-07-24 14:12:40 UTC

What are the concerns that we won't have it there? I do not see really the added value it pops up every time I do su.

Comment 6 Tomas Mraz 2013-07-24 14:34:45 UTC

I am fine to not have it there. What I am in doubt about is whether making the su and 'su -' behaviour different in this aspect is a good idea. As you can do basically everything the same in both invocations is saying that su - equals to login and pure su does not equal to login correct?

Comment 7 Aleš Mareček 2013-07-25 09:27:46 UTC

Greetings!
I can imagine the last login is needed for "su" and "su -" but in case of "-c" option? When "-c" option is called it means I want to execute some command thus I don't really care about any login messages, just if the command were successful or not.
Is it possible to remove it the message when "-c" is used? What do you think about this idea?

Next option could be "call the last login message" by explicit option. I don't know how many users and how important is the "last login" messages for su when we have "classic" login, ssh and logs.

Thanks and Regards!

Comment 8 Tomas Mraz 2013-07-25 09:51:12 UTC

Yes, having the -c determine whether the last login messages should be output or not would probably be the best way.

This would require change in su though.

Karel, what do you think about suppressing pam messages from the session if -c is used?

Comment 9 Karel Zak 2013-08-01 09:17:12 UTC

It would be probably better to suppress the message for -c as well as for non-login "su". The message should be visible only for interactive (shell) login-like sessions, it means "su -" without -c.

What is necessary to change in su(1) to inform PAM that the session is interactive login session?

Comment 10 Tomas Mraz 2013-08-05 13:32:02 UTC

I'd prefer the su to just suppress the messages that it receives from the conversation function from PAM in such situation and not inventing a new mechanism to inform PAM about this.

Comment 11 Karel Zak 2013-08-27 09:52:09 UTC

Fixed in upstream tree, commit fb4edda749e4c81e9ce713a017240ded8f521d07.

Comment 13 Matus Marhefka 2014-01-31 13:39:34 UTC

VERIFIED as fixed for util-linux-2.23.2-10.el7.x86_64

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'useradd tester' (Expected 0, got 0)
:: [   INFO   ] :: rlRun: command = 'su - -c "id"'; exitcode = 0; expected = 0
:: [   PASS   ] :: Running 'su - -c "id"' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/tmp/tmp.r0V9cfkEXM' should not contain 'Last login' 
:: [   LOG    ] :: Duration: 0s
:: [   LOG    ] :: Assertions: 3 good, 0 bad
:: [   PASS   ] :: RESULT: Test

Comment 15 Ludek Smid 2014-06-13 10:37:12 UTC

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.