logins are not recorded in wtmp

Status changed to 'Confirmed' because the bug affects multiple users.

Confirmed.

So I had a look at this and pam_lastlog is used in the 'login' PAM service which is used for text logins. However it doesn't appear to be in the GDM PAM configuration.

So my questions are:
1. Does this work in GDM currently
2. How does GDM set it (i.e. is there another syscall we should be making in LightDM), and is the PAM method preferrable?

pam_lastlog updates both wtmp and /var/log/lastlog. I'm not sure whether anything else actually writes to lastlog; there is no library to do so (both pam_lastlog and login without PAM seem to handle the file directly, using the struct from lastlog.h; see eg. libmisc/log.c in the 'shadow' source package)

That said, I haven't tested what GDM does, but grepping the gdm3 source tree for 'lastlog' finds nothing but a mention in the documentation: http://library.gnome.org/admin/gdm/stable/security.html.en#PAM (I don't know what to make of those docs; the mention is vague and they discuss PAM modules not even present on my system). Therefore I assume GDM doesn't update lastlog, but this should probably be double-checked.

As for updating wtmp, once we have the utmpx struct it's just a matter of calling udpwtmpx. That's simpler than changing the pam configuration, at least.

I am not sure this bug should be considered a low priority, given that it breaks core utilities such as 'who', 'users', 'top', and similar by fooling them in to saying there is no one else logged in (which might result in a remote reboot being initiated while a user is on the normal keyboard/video/mouse interface).

Paul: 'who', 'users' and 'top' all look at utmp. The utmp issue was fixed already, this concerns wtmp and lastlog ('last' and 'lastlog' utilities show those records).

Sorry about that.
I am still seeing the problem with an up-to-date 12.04 system and my bug #1029048 was marked as a duplicate of this one, so I presumed it was still a significant unresolved issue. I guess it is a case of the previous bug-fix not being released yet.

As for pam_lastlog, add this to the PAM configuration for lightdm resolves the wtmp issue. The last command works again and all users logged in through lightdm are logged.

Due to the principal design of lightdm, there are no failed login attempts possible and therefore btmp is never written (this might be an issue to be addressed, since the current lightdm design allows an infinite number of unsuccessful logins!).

Adrian

Really, no logging or blocking of failed log-in attempts? Did no one learn from computing history?

Also another failing of lightdm is it fails to respond to the power button, even if you have set it under Gnome, etc, to do an orderly shut-down. There have been times when a keyboard/mouse problem has prevented normal control, and being able to safely shut the computer down this way is useful.

@Paul: the power button is another issue, please use another bug report for that (not that things set under your session don't apply to the login screen because the login screen is common to all users)

@Sebastien Apologies for the apparent hijacking of this bug, opening a new report for that subject.

Found the power button issue is already open as bug #915382

I confirm this bug.
We use last to see who are connected and when they are connected. We need that for security reason.
We have to keep one year of log in case of one of our users made an intrusion on some site.
It's really not a low bug.

I agree with Jean-Daniel, this is something that must be adressed. While you now see any graphical log-in using 'who' and it lists users both at "tty7" etc, for graphical log-in, and as "pts/2" etc for terminal log-in, only the termianl sessions are seen with the "last" command.

That worked correctly with Ubuntu 10.04 (showed graphical log-in), now it is broken with 12.04 and lightdm. For anyone who is trying to diagnose security breaches or just general system screw-ups, it is a serious omission given that most users log-in via the graphical screen.

sessreg(1) could also be used for this (in retrospect, it would actually also work for #870297)

Fix committed into lp:lightdm at revision None, scheduled for release in lightdm, milestone Unknown

This bug was fixed in the package lightdm - 1.9.11-0ubuntu1

---------------
lightdm (1.9.11-0ubuntu1) trusty; urgency=medium

  * New upstream release:
    - Don't use g_hash_table_get_keys_as_array, it's a glib 2.40 feature
 -- Robert Ancell <email address hidden> Thu, 13 Mar 2014 13:42:04 +1300