[Pkg-shadow-devel] Bug#922945: /var/log/lastlog is a 110 TByte sparse file, seriously affecting backup
sam at robots.org.uk
Tue Apr 13 13:02:30 BST 2021
Followup-For: Bug #922945
X-Debbugs-Cc: sam at robots.org.uk
Control: affects -1 libpam-modules
Control: tag -1 patch
There is a hint as to what's going on in login.defs(5).
Highest user ID number for which the lastlog entries should be
updated. As higher user IDs are usually tracked by remote user
identity and authentication services there is no need to create a
huge sparse lastlog file for them.
No LASTLOG_UID_MAX option present in the configuration means that
there is no user ID limit for writing lastlog entries.
Maybe we could choose a sensible default value for this option?
Per policy section 9.2.2, adduser will (by default) allocate from
From a quick skim through FreeIPA's source code, it looks like the lowest
possible ID range with the default settings is 60,000.
These values line up quite nicely, however...
Back to policy, nobody is 65534; although this account shouldn't ever
log in, if the system was somehow misconfigured to allow this it would
be nice to have the evidence show up in lastlog(8).
Skipping past the next unusable values, we arrive at 65536 - dynamically
allocated user accounts, but not (by default) allocated by adduser(8).
So how about setting LASTLOG_UID_MAX to either 60000 or 65536 depending
on whether we want failed logins by 'nobody' to appear in lastlog(8) or
-- System Information:
Debian Release: bullseye/sid
APT prefers testing-debug
APT policy: (550, 'testing-debug'), (550, 'testing'), (530, 'unstable-debug'), (530, 'unstable'), (500, 'testing-security'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-4-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_USER
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default
Versions of packages login depends on:
ii libaudit1 1:3.0-2
ii libc6 2.31-11
ii libcrypt1 1:4.4.17-1
ii libpam-modules 1.4.0-7
ii libpam-runtime 1.4.0-7
ii libpam0g 1.4.0-7
login recommends no packages.
login suggests no packages.
-- Configuration Files:
/etc/login.defs changed [not included]
-- no debconf information
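Added example, not code from the bug report or from the shadow or pam projects: a small Python model of how lastlog grows and why a single login by a high UID turns it into a huge sparse file, with the LASTLOG_UID_MAX cut-off applied the way login.defs(5) describes it (option absent means no limit). It assumes the x86_64 glibc layout of struct lastlog (4-byte ll_time, 32-byte ll_line, 256-byte ll_host, 292 bytes per record, indexed by UID) and constructs its own sample logins in a temporary directory; the UID 2,000,000 stands in for a directory-service account and is made up.

```python
"""Model of lastlog growth and the LASTLOG_UID_MAX cut-off.

Added example, not code from the bug report or the shadow/pam projects.
Assumes the x86_64 glibc struct lastlog layout (292 bytes per record,
record N at offset N * 292) and the login.defs(5) semantics quoted in
the report: no LASTLOG_UID_MAX means no UID limit.
"""
import os
import struct
import tempfile

LASTLOG_FMT = "<i32s256s"                   # ll_time, ll_line, ll_host (assumed)
RECORD_SIZE = struct.calcsize(LASTLOG_FMT)  # 292 bytes


def record_offset(uid):
    """lastlog is indexed by UID: the record for uid N starts at N * RECORD_SIZE."""
    return uid * RECORD_SIZE


def highest_uid_for_size(size):
    """Highest UID a file of this apparent size could hold a record for."""
    if size < RECORD_SIZE:
        return None
    return size // RECORD_SIZE - 1


def lastlog_would_write(uid, lastlog_uid_max=None):
    """login.defs(5) rule: absent LASTLOG_UID_MAX means every UID is recorded."""
    return lastlog_uid_max is None or uid <= lastlog_uid_max


def record_login(path, uid, when, line, host, lastlog_uid_max=None):
    """Write the lastlog entry for uid unless LASTLOG_UID_MAX excludes it.

    Seeking past EOF before the write is what creates the sparse hole; the
    hole's size is the UID times 292 bytes, whatever the real disk usage.
    """
    if not lastlog_would_write(uid, lastlog_uid_max):
        return False
    rec = struct.pack(LASTLOG_FMT, int(when), line.encode(), host.encode())
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o664)
    try:
        os.lseek(fd, record_offset(uid), os.SEEK_SET)
        os.write(fd, rec)
    finally:
        os.close(fd)
    return True


def read_entry(path, uid):
    """Return (time, line, host) for uid, or None for '**Never logged in**'."""
    with open(path, "rb") as f:
        f.seek(record_offset(uid))
        raw = f.read(RECORD_SIZE)
    if len(raw) < RECORD_SIZE:
        return None                     # beyond EOF: no record at all
    t, line, host = struct.unpack(LASTLOG_FMT, raw)
    if t == 0:
        return None                     # inside a hole: all zeros
    return t, line.rstrip(b"\0").decode(), host.rstrip(b"\0").decode()


def sparse_report(path):
    """Apparent size versus blocks actually allocated (what backup tools see)."""
    st = os.stat(path)
    return {"apparent_bytes": st.st_size,
            "allocated_bytes": st.st_blocks * 512,
            "highest_uid": highest_uid_for_size(st.st_size)}


def demo(lastlog_uid_max=None):
    """Log in a local user and a (constructed) high-UID remote user."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "lastlog")
        record_login(path, 1000, 1618315350, "tty1", "", lastlog_uid_max)
        # Constructed UID in the range a FreeIPA/SSSD-backed account might use.
        record_login(path, 2_000_000, 1618315400, "pts/0", "host.example",
                     lastlog_uid_max)
        report = sparse_report(path)
        report["entries"] = {uid: read_entry(path, uid)
                             for uid in (1000, 65534, 2_000_000)}
        return report


if __name__ == "__main__":
    print("no limit:             ", demo())
    print("LASTLOG_UID_MAX=60000:", demo(60000))
```

Running it shows the trade-off the report describes: with no limit one remote login pushes the apparent size to 292 bytes times the UID (while the allocated blocks stay tiny), whereas with LASTLOG_UID_MAX set to 60000 the file stops at the local accounts and the high UID simply has no record. A 'nobody' login at 65534 would only be visible if the cut-off is set to 65536 or higher.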