Package: login
Followup-For: Bug #922945
X-Debbugs-Cc: s...@robots.org.uk
Control: affects -1 libpam-modules
Control: tag -1 patch
There is a hint as to what's going on in login.defs(5):

    LASTLOG_UID_MAX (number)
        Highest user ID number for which the lastlog entries should be
        updated. As higher user IDs are usually tracked by remote user
        identity and authentication services there is no need to create
        a huge sparse lastlog file for them.

        No LASTLOG_UID_MAX option present in the configuration means that
        there is no user ID limit for writing lastlog entries.

Maybe we could choose a sensible default value for this option?

Per policy section 9.2.2, adduser will (by default) allocate from 1000-59,999. From a quick skim through FreeIPA's source code, it looks like the lowest possible ID range with the default settings is 60,000. These values line up quite nicely, however...

Back to policy, nobody is 65534; although this account shouldn't ever log in, if the system was somehow misconfigured to allow this it would be nice to have the evidence show up in lastlog(8). Skipping past the next unusable values, we arrive at 65536 - dynamically allocated user accounts, but not (by default) allocated by adduser(8).

So how about setting LASTLOG_UID_MAX to either 60000 or 65536, depending on whether we want failed logins by 'nobody' to appear in lastlog(8) or not?
-- System Information:
Debian Release: bullseye/sid
  APT prefers testing-debug
  APT policy: (550, 'testing-debug'), (550, 'testing'), (530, 'unstable-debug'), (530, 'unstable'), (500, 'testing-security'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-4-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_USER
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default

Versions of packages login depends on:
ii  libaudit1       1:3.0-2
ii  libc6           2.31-11
ii  libcrypt1       1:4.4.17-1
ii  libpam-modules  1.4.0-7
ii  libpam-runtime  1.4.0-7
ii  libpam0g        1.4.0-7

login recommends no packages.

login suggests no packages.

-- Configuration Files:
/etc/login.defs changed [not included]

-- no debconf information
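As an added illustration of the trade-off the report describes (not code from the reporter or from the shadow/login package), the following script parses a constructed /etc/login.defs fragment, reports which of the UIDs discussed above would still be written to lastlog under a given LASTLOG_UID_MAX, and estimates the apparent size the uid-indexed sparse file would reach for a remote-service UID. It assumes glibc's 292-byte struct lastlog layout and an inclusive "highest user ID" comparison.

```python
"""Audit helper: which UIDs get a lastlog record under LASTLOG_UID_MAX,
and how large the sparse /var/log/lastlog would appear for high UIDs."""
from typing import Dict, Iterable, Optional

# sizeof(struct lastlog) on glibc: int32 ll_time + char ll_line[32] + char ll_host[256].
LASTLOG_RECORD_SIZE = 4 + 32 + 256  # 292 bytes per uid slot

# Constructed sample of /etc/login.defs (not a real system file).
SAMPLE_LOGIN_DEFS = """\
# /etc/login.defs - constructed sample
UID_MIN          1000
UID_MAX         60000
#LASTLOG_UID_MAX 60000
LASTLOG_UID_MAX  65536
"""


def parse_login_defs(text: str) -> Dict[str, str]:
    """Parse 'KEY value' lines; '#' starts a comment, later keys override earlier ones."""
    defs: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        defs[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return defs


def lastlog_uid_max(defs: Dict[str, str]) -> Optional[int]:
    """None means no limit, which login.defs(5) documents as the behaviour when the option is absent."""
    value = defs.get("LASTLOG_UID_MAX")
    return int(value) if value else None


def would_record(uid: int, uid_max: Optional[int]) -> bool:
    """Assumed inclusive: 'highest user ID for which entries should be updated'."""
    return uid_max is None or uid <= uid_max


def apparent_size_bytes(uid: int) -> int:
    """lastlog is indexed by uid, so one record for `uid` extends the file to this size."""
    return (uid + 1) * LASTLOG_RECORD_SIZE


def audit(text: str, uids: Iterable[int]) -> Dict[int, bool]:
    """Map each uid to whether a login by it would be recorded under this login.defs."""
    limit = lastlog_uid_max(parse_login_defs(text))
    return {uid: would_record(uid, limit) for uid in uids}
```

With the sample above, UIDs 1000, 60000, 65534 and 65536 are recorded and 70000 is not; dropping the LASTLOG_UID_MAX line makes every UID recordable, and a single record for a UID near 2^31 would give the file an apparent size of over 600 GB.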