Message ID | 20240724141329.3326073-1-yi.zhao@windriver.com |
---|---|
State | New |
Headers | show |
Series | [meta-selinux] shadow: comment out pam_lastlog line in login pam file | expand |
Given that this is deprecated and disabled by default, is there any reason to keep this in at all, rather than just removing lines 67-70? [[meta-selinux][PATCH] shadow: comment out pam_lastlog line in login pam file] On 24.07.24 (Wed 22:13) Yi Zhao wrote: > The pam_lastlog module is deprecated and disabled by default in > linux-pam since 1.5.3[1]. Comment out this line to avoid loading > pam_lastlog module by default. Users can use lastlog2 provided by > util-linux as an alternative[2]. > > [1] https://github.com/linux-pam/linux-pam/commit/357a4ddbe9b4b10ebd805d2af3e32f3ead5b8816 > [2] https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=c2e299d0acb2fa4ad1691452fa0eae76520bbdb0 > > Signed-off-by: Yi Zhao <yi.zhao@windriver.com> > --- > recipes-extended/shadow/files/pam.d/login | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/recipes-extended/shadow/files/pam.d/login b/recipes-extended/shadow/files/pam.d/login > index ec5bba9..eb43f3b 100644 > --- a/recipes-extended/shadow/files/pam.d/login > +++ b/recipes-extended/shadow/files/pam.d/login > @@ -66,7 +66,7 @@ session required pam_limits.so > > # Prints the last login info upon succesful login > # (Replaces the `LASTLOG_ENAB' option from login.defs) > -session optional pam_lastlog.so > +#session optional pam_lastlog.so > > # Prints the motd upon succesful login > # (Replaces the `MOTD_FILE' option in login.defs) > -- > 2.25.1 >
On 7/24/24 22:53, Joe MacDonald wrote: > Given that this is deprecated and disabled by default, is there any > reason to keep this in at all, rather than just removing lines 67-70? Although lastlog is disabled by default, the code is still there and users can enable it via configure option --enable-lastlog. So I did not delete these lines. In addition, keeping this line will allow users to easily switch to lastlog2. Just change pam_lastlog.so to pam_lastlog2.so in the line. //Yi > > [[meta-selinux][PATCH] shadow: comment out pam_lastlog line in login pam file] On 24.07.24 (Wed 22:13) Yi Zhao wrote: > >> The pam_lastlog module is deprecated and disabled by default in >> linux-pam since 1.5.3[1]. Comment out this line to avoid loading >> pam_lastlog module by default. Users can use lastlog2 provided by >> util-linux as an alternative[2]. >> >> [1] https://github.com/linux-pam/linux-pam/commit/357a4ddbe9b4b10ebd805d2af3e32f3ead5b8816 >> [2] https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=c2e299d0acb2fa4ad1691452fa0eae76520bbdb0 >> >> Signed-off-by: Yi Zhao <yi.zhao@windriver.com> >> --- >> recipes-extended/shadow/files/pam.d/login | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/recipes-extended/shadow/files/pam.d/login b/recipes-extended/shadow/files/pam.d/login >> index ec5bba9..eb43f3b 100644 >> --- a/recipes-extended/shadow/files/pam.d/login >> +++ b/recipes-extended/shadow/files/pam.d/login >> @@ -66,7 +66,7 @@ session required pam_limits.so >> >> # Prints the last login info upon succesful login >> # (Replaces the `LASTLOG_ENAB' option from login.defs) >> -session optional pam_lastlog.so >> +#session optional pam_lastlog.so >> >> # Prints the motd upon succesful login >> # (Replaces the `MOTD_FILE' option in login.defs) >> -- >> 2.25.1 >>
[Re: [meta-selinux][PATCH] shadow: comment out pam_lastlog line in login pam file] On 24.07.24 (Wed 23:16) Yi Zhao wrote: > > On 7/24/24 22:53, Joe MacDonald wrote: > > Given that this is deprecated and disabled by default, is there any > > reason to keep this in at all, rather than just removing lines 67-70? > > Although lastlog is disabled by default, the code is still there and > users can enable it via configure option --enable-lastlog. So I did not > delete these lines. In addition, keeping this line will allow users to > easily switch to lastlog2. Just change pam_lastlog.so to pam_lastlog2.so > in the line. What about commenting it out but also changing pam_lastlog to pam_lastlog2 since that is part of util-linux 2.40+ and that's the version in Yocto today, then? -J. > //Yi > > > > > > [[meta-selinux][PATCH] shadow: comment out pam_lastlog line in login pam file] On 24.07.24 (Wed 22:13) Yi Zhao wrote: > > > > > The pam_lastlog module is deprecated and disabled by default in > > > linux-pam since 1.5.3[1]. Comment out this line to avoid loading > > > pam_lastlog module by default. Users can use lastlog2 provided by > > > util-linux as an alternative[2]. > > > > > > [1] https://github.com/linux-pam/linux-pam/commit/357a4ddbe9b4b10ebd805d2af3e32f3ead5b8816 > > > [2] https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=c2e299d0acb2fa4ad1691452fa0eae76520bbdb0 > > > > > > Signed-off-by: Yi Zhao <yi.zhao@windriver.com> > > > --- > > > recipes-extended/shadow/files/pam.d/login | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/recipes-extended/shadow/files/pam.d/login b/recipes-extended/shadow/files/pam.d/login > > > index ec5bba9..eb43f3b 100644 > > > --- a/recipes-extended/shadow/files/pam.d/login > > > +++ b/recipes-extended/shadow/files/pam.d/login > > > @@ -66,7 +66,7 @@ session required pam_limits.so > > > # Prints the last login info upon succesful login > > > # (Replaces the `LASTLOG_ENAB' option from login.defs) > > > -session optional pam_lastlog.so > > > +#session optional pam_lastlog.so > > > # Prints the motd upon succesful login > > > # (Replaces the `MOTD_FILE' option in login.defs) > > > -- > > > 2.25.1 > > >
On 7/24/24 23:26, Joe MacDonald wrote: > [Re: [meta-selinux][PATCH] shadow: comment out pam_lastlog line in login pam file] On 24.07.24 (Wed 23:16) Yi Zhao wrote: > >> On 7/24/24 22:53, Joe MacDonald wrote: >>> Given that this is deprecated and disabled by default, is there any >>> reason to keep this in at all, rather than just removing lines 67-70? >> Although lastlog is disabled by default, the code is still there and >> users can enable it via configure option --enable-lastlog. So I did not >> delete these lines. In addition, keeping this line will allow users to >> easily switch to lastlog2. Just change pam_lastlog.so to pam_lastlog2.so >> in the line. > What about commenting it out but also changing pam_lastlog to pam_lastlog2 > since that is part of util-linux 2.40+ and that's the version in Yocto > today, then? It's good to me. I will update the patch. Thanks, Yi > > -J. > >> //Yi >> >> >>> [[meta-selinux][PATCH] shadow: comment out pam_lastlog line in login pam file] On 24.07.24 (Wed 22:13) Yi Zhao wrote: >>> >>>> The pam_lastlog module is deprecated and disabled by default in >>>> linux-pam since 1.5.3[1]. Comment out this line to avoid loading >>>> pam_lastlog module by default. Users can use lastlog2 provided by >>>> util-linux as an alternative[2]. >>>> >>>> [1] https://github.com/linux-pam/linux-pam/commit/357a4ddbe9b4b10ebd805d2af3e32f3ead5b8816 >>>> [2] https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=c2e299d0acb2fa4ad1691452fa0eae76520bbdb0 >>>> >>>> Signed-off-by: Yi Zhao <yi.zhao@windriver.com> >>>> --- >>>> recipes-extended/shadow/files/pam.d/login | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>> >>>> diff --git a/recipes-extended/shadow/files/pam.d/login b/recipes-extended/shadow/files/pam.d/login >>>> index ec5bba9..eb43f3b 100644 >>>> --- a/recipes-extended/shadow/files/pam.d/login >>>> +++ b/recipes-extended/shadow/files/pam.d/login >>>> @@ -66,7 +66,7 @@ session required pam_limits.so >>>> # Prints the last login info upon succesful login >>>> # (Replaces the `LASTLOG_ENAB' option from login.defs) >>>> -session optional pam_lastlog.so >>>> +#session optional pam_lastlog.so >>>> # Prints the motd upon succesful login >>>> # (Replaces the `MOTD_FILE' option in login.defs) >>>> -- >>>> 2.25.1 >>>>
diff --git a/recipes-extended/shadow/files/pam.d/login b/recipes-extended/shadow/files/pam.d/login index ec5bba9..eb43f3b 100644 --- a/recipes-extended/shadow/files/pam.d/login +++ b/recipes-extended/shadow/files/pam.d/login @@ -66,7 +66,7 @@ session required pam_limits.so # Prints the last login info upon succesful login # (Replaces the `LASTLOG_ENAB' option from login.defs) -session optional pam_lastlog.so +#session optional pam_lastlog.so # Prints the motd upon succesful login # (Replaces the `MOTD_FILE' option in login.defs)
The pam_lastlog module is deprecated and disabled by default in linux-pam since 1.5.3[1]. Comment out this line to avoid loading pam_lastlog module by default. Users can use lastlog2 provided by util-linux as an alternative[2]. [1] https://github.com/linux-pam/linux-pam/commit/357a4ddbe9b4b10ebd805d2af3e32f3ead5b8816 [2] https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=c2e299d0acb2fa4ad1691452fa0eae76520bbdb0 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> --- recipes-extended/shadow/files/pam.d/login | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)