[Pkg-shadow-devel] Bug#922945: /var/log/lastlog is a 110 TByte sparse file, seriously affecting backup

Sam Morris sam at robots.org.uk
Tue Apr 13 13:02:30 BST 2021

Package: login
Followup-For: Bug #922945
X-Debbugs-Cc: sam at robots.org.uk
Control: affects -1 libpam-modules
Control: tag -1 patch

There is a hint as to what's going on in login.defs(5).

    LASTLOG_UID_MAX (number)
       Highest user ID number for which the lastlog entries should be
       updated. As higher user IDs are usually tracked by remote user
       identity and authentication services there is no need to create a
       huge sparse lastlog file for them.

       No LASTLOG_UID_MAX option present in the configuration means that
       there is no user ID limit for writing lastlog entries.

Maybe we could choose a sensible default value for this option?

Per policy section 9.2.2, adduser will (by default) allocate from

>From a quick skim through FreeIPA's source code, it looks like lowest
possible ID range with the default settings is 60,000.

These values line up quite nicely, however...

Back to policy, nobody is 65534; although this account shouldn't ever
log in, if the system was somehow misconfigured to allow this it would
be nice to have the evidence show up in lastlog(8).

Skipping past the next unusable values, we arrive at 65536 - dynamically
allocated user accounts, but not (by default) allocated by adduser(8).

So how about setting LASTLOG_UID_MAX to either 60000 or 65536 depending
on whether we want failed logins by 'nobody' to appear in lastlog(8) or

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing-debug
  APT policy: (550, 'testing-debug'), (550, 'testing'), (530, 'unstable-debug'), (530, 'unstable'), (500, 'testing-security'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-4-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_USER
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default

Versions of packages login depends on:
ii  libaudit1       1:3.0-2
ii  libc6           2.31-11
ii  libcrypt1       1:4.4.17-1
ii  libpam-modules  1.4.0-7
ii  libpam-runtime  1.4.0-7
ii  libpam0g        1.4.0-7

login recommends no packages.

login suggests no packages.

-- Configuration Files:
/etc/login.defs changed [not included]

-- no debconf information

More information about the Pkg-shadow-devel mailing list