[Pkg-shadow-devel] Bug#922945: Bug#922945: /var/log/lastlog is a 110 TByte sparse file, seriously affecting backup

Sam Morris sam at robots.org.uk
Tue Apr 13 18:23:45 BST 2021

On Tue, 2021-04-13 at 15:26 +0200, Chris Hofstaedtler wrote:
> This will then silently hide login failures from userids larger than
> this ID? Given the original submitter has a user with uid 379400000,
> why whould this not be logged?
> If they didn't want those uids to be used, maybe dont assign them?
> Chris

I think login.defs(5) says it best:

"As higher user IDs are usually tracked by remote user identity and
authentication services there is no need to create a huge sparse
lastlog file for them."

The design of the lastlog format means you either have an apparantly
huge (sparse) file, which causes problems for badly written backup
software, or you don't record information for users with high UIDs in
this file at all.

In any case, it looks like OpenSSH has its own code to read/write to
/var/log/lastlog, rather than using pam_lastlog, so in any case
changing login.defs wouldn't be sufficient.

Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <http://alioth-lists.debian.net/pipermail/pkg-shadow-devel/attachments/20210413/78603c00/attachment.sig>

More information about the Pkg-shadow-devel mailing list