[meta-selinux] shadow: comment out pam_lastlog line in login pam file

Message ID 20240724141329.3326073-1-yi.zhao@windriver.com
State New

Commit Message

Yi Zhao July 24, 2024, 2:13 p.m. UTC
The pam_lastlog module is deprecated and disabled by default in
linux-pam since 1.5.3[1]. Comment out this line to avoid loading
pam_lastlog module by default. Users can use lastlog2 provided by
util-linux as an alternative[2].

[1] https://github.com/linux-pam/linux-pam/commit/357a4ddbe9b4b10ebd805d2af3e32f3ead5b8816
[2] https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=c2e299d0acb2fa4ad1691452fa0eae76520bbdb0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 recipes-extended/shadow/files/pam.d/login | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Joe MacDonald July 24, 2024, 2:53 p.m. UTC | #1
Given that this is deprecated and disabled by default, is there any
reason to keep this in at all, rather than just removing lines 67-70?

[[meta-selinux][PATCH] shadow: comment out pam_lastlog line in login pam file] On 24.07.24 (Wed 22:13) Yi Zhao wrote:

> The pam_lastlog module is deprecated and disabled by default in
> linux-pam since 1.5.3[1]. Comment out this line to avoid loading
> pam_lastlog module by default. Users can use lastlog2 provided by
> util-linux as an alternative[2].
> 
> [1] https://github.com/linux-pam/linux-pam/commit/357a4ddbe9b4b10ebd805d2af3e32f3ead5b8816
> [2] https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=c2e299d0acb2fa4ad1691452fa0eae76520bbdb0
> 
> Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
> ---
>  recipes-extended/shadow/files/pam.d/login | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/recipes-extended/shadow/files/pam.d/login b/recipes-extended/shadow/files/pam.d/login
> index ec5bba9..eb43f3b 100644
> --- a/recipes-extended/shadow/files/pam.d/login
> +++ b/recipes-extended/shadow/files/pam.d/login
> @@ -66,7 +66,7 @@ session    required   pam_limits.so
>  
>  # Prints the last login info upon succesful login
>  # (Replaces the `LASTLOG_ENAB' option from login.defs)
> -session    optional   pam_lastlog.so
> +#session    optional   pam_lastlog.so
>  
>  # Prints the motd upon succesful login
>  # (Replaces the `MOTD_FILE' option in login.defs)
> -- 
> 2.25.1
>
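Review bot: The two comment lines kept above the changed entry ("Prints the last login info upon succesful login" and the LASTLOG_ENAB note) now describe a line that is disabled, and nothing in the file says why. Add one comment line next to the commented-out entry stating that pam_lastlog is deprecated and disabled by default in linux-pam since 1.5.3, so someone reading the installed pam.d/login does not take the leading '#' for a local edit and simply remove it. Since the same comment block is being touched, the "succesful" spelling could be corrected there as well.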
Yi Zhao July 24, 2024, 3:16 p.m. UTC | #2
On 7/24/24 22:53, Joe MacDonald wrote:
> Given that this is deprecated and disabled by default, is there any
> reason to keep this in at all, rather than just removing lines 67-70?

Although lastlog is disabled by default, the code is still there and 
users can enable it via configure option --enable-lastlog. So I did not 
delete these lines. In addition, keeping this line will allow users to 
easily switch to lastlog2. Just change pam_lastlog.so to pam_lastlog2.so 
in the line.



//Yi


>
> [[meta-selinux][PATCH] shadow: comment out pam_lastlog line in login pam file] On 24.07.24 (Wed 22:13) Yi Zhao wrote:
>
>> The pam_lastlog module is deprecated and disabled by default in
>> linux-pam since 1.5.3[1]. Comment out this line to avoid loading
>> pam_lastlog module by default. Users can use lastlog2 provided by
>> util-linux as an alternative[2].
>>
>> [1] https://github.com/linux-pam/linux-pam/commit/357a4ddbe9b4b10ebd805d2af3e32f3ead5b8816
>> [2] https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=c2e299d0acb2fa4ad1691452fa0eae76520bbdb0
>>
>> Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
>> ---
>>   recipes-extended/shadow/files/pam.d/login | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/recipes-extended/shadow/files/pam.d/login b/recipes-extended/shadow/files/pam.d/login
>> index ec5bba9..eb43f3b 100644
>> --- a/recipes-extended/shadow/files/pam.d/login
>> +++ b/recipes-extended/shadow/files/pam.d/login
>> @@ -66,7 +66,7 @@ session    required   pam_limits.so
>>   
>>   # Prints the last login info upon succesful login
>>   # (Replaces the `LASTLOG_ENAB' option from login.defs)
>> -session    optional   pam_lastlog.so
>> +#session    optional   pam_lastlog.so
>>   
>>   # Prints the motd upon succesful login
>>   # (Replaces the `MOTD_FILE' option in login.defs)
>> -- 
>> 2.25.1
>>
Joe MacDonald July 24, 2024, 3:26 p.m. UTC | #3
[Re: [meta-selinux][PATCH] shadow: comment out pam_lastlog line in login pam file] On 24.07.24 (Wed 23:16) Yi Zhao wrote:

> 
> On 7/24/24 22:53, Joe MacDonald wrote:
> > Given that this is deprecated and disabled by default, is there any
> > reason to keep this in at all, rather than just removing lines 67-70?
> 
> Although lastlog is disabled by default, the code is still there and
> users can enable it via configure option --enable-lastlog. So I did not
> delete these lines. In addition, keeping this line will allow users to
> easily switch to lastlog2. Just change pam_lastlog.so to pam_lastlog2.so
> in the line.

What about commenting it out but also changing pam_lastlog to pam_lastlog2
since that is part of util-linux 2.40+ and that's the version in Yocto
today, then?

-J.

> //Yi
> 
> 
> > 
> > [[meta-selinux][PATCH] shadow: comment out pam_lastlog line in login pam file] On 24.07.24 (Wed 22:13) Yi Zhao wrote:
> > 
> > > The pam_lastlog module is deprecated and disabled by default in
> > > linux-pam since 1.5.3[1]. Comment out this line to avoid loading
> > > pam_lastlog module by default. Users can use lastlog2 provided by
> > > util-linux as an alternative[2].
> > > 
> > > [1] https://github.com/linux-pam/linux-pam/commit/357a4ddbe9b4b10ebd805d2af3e32f3ead5b8816
> > > [2] https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=c2e299d0acb2fa4ad1691452fa0eae76520bbdb0
> > > 
> > > Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
> > > ---
> > >   recipes-extended/shadow/files/pam.d/login | 2 +-
> > >   1 file changed, 1 insertion(+), 1 deletion(-)
> > > 
> > > diff --git a/recipes-extended/shadow/files/pam.d/login b/recipes-extended/shadow/files/pam.d/login
> > > index ec5bba9..eb43f3b 100644
> > > --- a/recipes-extended/shadow/files/pam.d/login
> > > +++ b/recipes-extended/shadow/files/pam.d/login
> > > @@ -66,7 +66,7 @@ session    required   pam_limits.so
> > >   # Prints the last login info upon succesful login
> > >   # (Replaces the `LASTLOG_ENAB' option from login.defs)
> > > -session    optional   pam_lastlog.so
> > > +#session    optional   pam_lastlog.so
> > >   # Prints the motd upon succesful login
> > >   # (Replaces the `MOTD_FILE' option in login.defs)
> > > -- 
> > > 2.25.1
> > >
Yi Zhao July 25, 2024, 8:43 a.m. UTC | #4
On 7/24/24 23:26, Joe MacDonald wrote:
> [Re: [meta-selinux][PATCH] shadow: comment out pam_lastlog line in login pam file] On 24.07.24 (Wed 23:16) Yi Zhao wrote:
>
>> On 7/24/24 22:53, Joe MacDonald wrote:
>>> Given that this is deprecated and disabled by default, is there any
>>> reason to keep this in at all, rather than just removing lines 67-70?
>> Although lastlog is disabled by default, the code is still there and
>> users can enable it via configure option --enable-lastlog. So I did not
>> delete these lines. In addition, keeping this line will allow users to
>> easily switch to lastlog2. Just change pam_lastlog.so to pam_lastlog2.so
>> in the line.
> What about commenting it out but also changing pam_lastlog to pam_lastlog2
> since that is part of util-linux 2.40+ and that's the version in Yocto
> today, then?

It's good to me. I will update the patch.


Thanks,

Yi


>
> -J.
>
>> //Yi
>>
>>
>>> [[meta-selinux][PATCH] shadow: comment out pam_lastlog line in login pam file] On 24.07.24 (Wed 22:13) Yi Zhao wrote:
>>>
>>>> The pam_lastlog module is deprecated and disabled by default in
>>>> linux-pam since 1.5.3[1]. Comment out this line to avoid loading
>>>> pam_lastlog module by default. Users can use lastlog2 provided by
>>>> util-linux as an alternative[2].
>>>>
>>>> [1] https://github.com/linux-pam/linux-pam/commit/357a4ddbe9b4b10ebd805d2af3e32f3ead5b8816
>>>> [2] https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=c2e299d0acb2fa4ad1691452fa0eae76520bbdb0
>>>>
>>>> Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
>>>> ---
>>>>    recipes-extended/shadow/files/pam.d/login | 2 +-
>>>>    1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/recipes-extended/shadow/files/pam.d/login b/recipes-extended/shadow/files/pam.d/login
>>>> index ec5bba9..eb43f3b 100644
>>>> --- a/recipes-extended/shadow/files/pam.d/login
>>>> +++ b/recipes-extended/shadow/files/pam.d/login
>>>> @@ -66,7 +66,7 @@ session    required   pam_limits.so
>>>>    # Prints the last login info upon succesful login
>>>>    # (Replaces the `LASTLOG_ENAB' option from login.defs)
>>>> -session    optional   pam_lastlog.so
>>>> +#session    optional   pam_lastlog.so
>>>>    # Prints the motd upon succesful login
>>>>    # (Replaces the `MOTD_FILE' option in login.defs)
>>>> -- 
>>>> 2.25.1
>>>>
Patch

diff --git a/recipes-extended/shadow/files/pam.d/login b/recipes-extended/shadow/files/pam.d/login
index ec5bba9..eb43f3b 100644
--- a/recipes-extended/shadow/files/pam.d/login
+++ b/recipes-extended/shadow/files/pam.d/login
@@ -66,7 +66,7 @@  session    required   pam_limits.so
 
 # Prints the last login info upon succesful login
 # (Replaces the `LASTLOG_ENAB' option from login.defs)
-session    optional   pam_lastlog.so
+#session    optional   pam_lastlog.so
 
 # Prints the motd upon succesful login
 # (Replaces the `MOTD_FILE' option in login.defs)
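Review bot: The added line "#session    optional   pam_lastlog.so" still names the module the commit message calls deprecated, so uncommenting it as written brings back exactly what the patch is turning off. If the line is kept as a template, have it name pam_lastlog2.so, the alternative the commit message points to, or say in the comment above it which module to use. The commit message should also state that with this change the login stack no longer prints last-login information by default, because that is a user-visible change for images that relied on it.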