Ubuntu
util-linux package

system with high numbered uids has huge sparse /var/log/lastlog

Bug #1707645 reported by Jamie Strandboge
14
This bug affects 3 people
Affects Status Importance Assigned to Milestone
pam (Ubuntu)
Confirmed
Undecided
Unassigned
shadow (Ubuntu)
Confirmed
Undecided
Unassigned
util-linux (Ubuntu)
Confirmed
Low
Unassigned

Bug Description

I was investigating the use of a single high UID user (ie, 2000000000) and discovered that /var/log/lastlog grew to an enormously large sparse file:

$ ls -lh /var/log/lastlog
-rw-rw-r-- 1 root utmp 544G Jul 27 12:35 /var/log/lastlog

The file is actually quite small though:
$ ls -lh --size /var/log/lastlog
56K -rw-rw-r-- 1 root utmp 544G Jul 27 12:35 /var/log/lastlog

On a standalone system, this is possibly not a problem since it is highly unlikely that a system will have 2 billion users, but this is confirmed to wreak havoc on rsync backups.

Tags: artful
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

FYI, people using rsync for backups might be interested in the --sparse (-S) option.

Brian Murray (brian-murray)
Changed in util-linux (Ubuntu):
importance: Undecided → Low
Brian Murray (brian-murray)
tags: added: artful
Revision history for this message
Steve Langasek (vorlon) wrote :

I don't see what we can be expected to do with this bug report. This is the defined file format for /var/log/lastlog.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in pam (Ubuntu):
status: New → Confirmed
Changed in shadow (Ubuntu):
status: New → Confirmed
Changed in util-linux (Ubuntu):
status: New → Confirmed
Revision history for this message
aaron (nelaaro) wrote :

Someone needs to take on all the affected systems, PAM, users etc to find a fix.

In redhat this has been an open issue since 2013. If anybody sees this hopefully it will direct interested parties to places where other people are talking about the same issue.

This also becomes an issue in Docker containers, where user IDs are large.
Great way to fill up your docker image with junk.

https://bugzilla.redhat.com/show_bug.cgi?id=951564

Revision history for this message
Oliver O'Boyle (ooboyle) wrote :

This is affecting Ubuntu 20.04 with sssd integration to AD. I am seeing massive lastlog files because of what appears to be the use of very high UID's being assigned to AD users when they log in.

-rw-rw-r-- 1 root utmp 88943346292 Jan 6 16:50 lastlog

Oliver

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Oliver, from the lastlog(8) manpage:

       The lastlog file is a database which contains info on the
       last login of each user. You should not rotate it. It is a
       sparse file, so its size on the disk is usually much smaller
       than the one shown by "ls -l" (which can indicate a really
       big file if you have in passwd users with a high UID). You
       can display its real size with "ls -s".

http://manpages.ubuntu.com/manpages/focal/man8/lastlog.8.html

If you're using a filesystem that can't handle sparse files it might be best to not use lastlog.

Thanks

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.