Bugzilla – Full Text Bug Listing

| Summary: | groupadd -g 1000 <username> -- fails with "configuration error - unknown item 'LASTLOG_ENAB' (notify administrator)" | | |
|---|---|---|---|
| Product: | [openSUSE] openSUSE 12.3 | Reporter: | Jon Nelson <jnelson-suse> |
| Component: | YaST2 | Assignee: | Jiří Suchomel <jsuchome> |
| Status: | RESOLVED NORESPONSE | QA Contact: | Jiri Srain <jsrain> |
| Severity: | Major | | |
| Priority: | P1 - Urgent | CC: | axel.braun, coolo, kukuk, plinnell, security-team |
| Version: | RC 2 | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | patch for yast2-security | | |

Description
Jon Nelson
2013-03-01 22:28:32 UTC
I assume you modified /etc/login.defs and now you have a /etc/login.defs.rpmnew, and you did not merge your changes?

I did not modify that file for sure. This is on a fresh install. I checked /etc/login.def* and there is only /etc/login.defs, no .rpmnew or .rpmsave, etc...

If you install new and choose automatic configuration, a broken entry is added to /etc/login.defs at the end: 'LASTLOG_ENAB ""' That's not and was never a valid syntax. Looks like old code in YaST2 is writing something it shouldn't do.

It is true YaST writes "" for LASTLOG_ENAB, but why is not LASTLOG_ENAB defined in installed /etc/login.defs before?

(In reply to comment #4)
> It is true YaST writes "" for LASTLOG_ENAB, but why is not LASTLOG_ENAB defined
> in installed /etc/login.defs before?

8 years ago it was decided (I think the request did come from somebody from the security team, but my notes don't go back so far anymore) that LASTLOG_ENAB is a bad idea since it was only used by /bin/login and nothing else, and that we should use pam_lastlog.so instead, so that all tools can use it. The old tools ignored syntax errors, the new tools now abort, that's why it did not show up earlier. But in any case, YaST should never add new variables to config files, especially not with an empty value, except the user/sysadmin explicitly enables this option somewhere ...

Still: if LASTLOG_ENAB is not even present in fresh /etc/login.defs and because it is bad idea itself, should YaST offer its configuration? Shouldn't we drop it completely?

(In reply to comment #6)
> Still: if LASTLOG_ENAB is not even present in fresh /etc/login.defs and because
> it is bad idea itself, should YaST offer its configuration? Shouldn't we drop
> it completely?

Sorry, misunderstood you: we should not offer it, since nobody uses this variable anymore. So drop completely. And we should check at some point (before SLE12) which variables YaST else uses and if they are still valid.

Hm, so the fix did not make it to openSUSE 12.3. And simply releasing yast2-security for online update won't fix it: current fix means that LASTLOG_ENAB is dropped and that yast2-security won't write new config file variables.

Thorsten, how severe is the problem? This looks like all 12.3 users will have that broken line in their login.defs. Maybe we can fix it by some rpm script, that would just look for such line in /etc/login.defs and remove it.

(In reply to comment #9)
> Thorsten, how severe is the problem? This looks like all 12.3 users will have
> that broken line in their login.defs.

I would assume that at least all users which use the default "automatical configuration" cannot create users/groups after a fresh installation. I had always disabled that option and didn't see the problem.

(In reply to comment #10)
> I would assume that at least all users which use the default "automatical
> configuration" cannot create users/groups after a fresh installation.

You mean, cannot create users/groups with command line tools. It still should work with YaST.

> I had always disabled that option and didn't see the problem.

I think most of openSUSE users do not disable Automatic Configuration. And thinking about it... I actually think that disabling it will not help, as yast2-security is used anyway (for saving the crypt method).

So, I propose adding this to %post of yast2-security, released as online update:

    sed -e '/^[ \t]*LASTLOG_ENAB[ \t]*\"\"/d' -i /etc/login.defs

OK, I've just tested with 12.3 GM:
- /etc/login.defs is not broken every time, just when yast2 Security is written. This happens for example when changing password encryption in Users module
- even with LASTLOG_ENAB = "" present, useradd can add new user (but it reports error). I guess friend tools act alike.
- adding users with YaST is not affected, as expected

Could I prepare yast2-security for update?

Created attachment 528911 [details]
patch for yast2-security
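
The cleanup proposed above for the %post script, as an added example that is not part of the original thread or of the attached yast2-security patch: it checks for the invalid `LASTLOG_ENAB ""` line before touching the file, keeps a backup, and leaves comments and other settings alone. The function names, the stricter end-of-line match and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: works on a constructed temp file, never on the real /etc/login.defs.

# The invalid entry from this bug: LASTLOG_ENAB with an empty "" value.
# Assumption: stricter than the thread's pattern, nothing may follow the "".
BROKEN_RE='^[[:space:]]*LASTLOG_ENAB[[:space:]]*""[[:space:]]*$'

# count_broken FILE: print how many lines carry the invalid entry.
count_broken() {
    grep -c -E "$BROKEN_RE" "$1" || true   # grep -c exits 1 on zero matches
}

# clean_login_defs FILE: delete the invalid lines, keeping FILE.bak.
# Does nothing (and writes nothing) when the file is already clean.
clean_login_defs() {
    f=$1
    [ "$(count_broken "$f")" -gt 0 ] || return 0
    cp -p "$f" "$f.bak" && sed -E "/$BROKEN_RE/d" "$f.bak" > "$f"
}

# make_sample FILE: write a constructed login.defs-like file (hypothetical content).
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real /etc/login.defs
UMASK 022
# LASTLOG_ENAB is obsolete, pam_lastlog.so is used instead
ENCRYPT_METHOD SHA512
LASTLOG_ENAB ""
EOF
}

demo=$(mktemp)
make_sample "$demo"
echo "before: $(count_broken "$demo") invalid line(s)"
clean_login_defs "$demo"
echo "after:  $(count_broken "$demo") invalid line(s)"
rm -f "$demo" "$demo.bak"
```

Running `count_broken /etc/login.defs` on an affected 12.3 system shows whether the stray line is present without modifying anything.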

It looks good for an update. Could you create a maintenancerequest with the updated package please?

I hope this is it:
> osc maintenancerequest home:jsuchome:12.3 yast2-security openSUSE:12.3
Using target project 'openSUSE:Maintenance'
158659

This is an autogenerated message for OBS integration: This bug (807099) was mentioned in https://build.opensuse.org/request/show/158659 Maintenance /

openSUSE-RU-2013:0474-1: An update that has two recommended fixes can now be installed.
Category: recommended (low)
Bug References: 802006,807099
CVE References:
Sources used: openSUSE 12.3 (src): yast2-security-2.23.5-1.4.1

This error is still present in 13.1Rc1

Yast2 is leaving LASTLOG_ENAB "" in /etc/login.defs which is causing error messages

(In reply to comment #21)
> Yast2 is leaving LASTLOG_ENAB "" in /etc/login.defs which is causing error
> messages

How? The code for writing LASTLOG_ENAB was removed from YaST. When (after which module run) do you see such behavior?

Today I did a new installation of 12.3x64 in a virtualbox, all patches applied. Right afterwards I installed trytond (see http://code.google.com/p/tryton/wiki/InstallationonopenSUSE ) via zypper, during which a group and user-add should take place. Result:

(25/37) Installation von: trytond-2.8.3-5.1 .........................................................................[fertig]
Zusätzliche rpm-Ausgabe:
configuration error - unknown item 'LASTLOG_ENAB' (notify administrator)
configuration error - unknown item 'LASTLOG_ENAB' (notify administrator)

I have no /etc/login.defs.rpmnew or similar. User and group were created properly. Any information I can provide?

Is LASTLOG_ENAB in /etc/login.defs?

Peter, how do you know it's there from YaST?

Any news?

Let me retest in the coming days..

ping...

No response for quite some time...