pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
pam (Debian) |
Fix Released
|
Unknown
|
|||
pam (Ubuntu) |
Fix Released
|
Low
|
Unassigned | ||
Focal |
Fix Released
|
Low
|
Unassigned | ||
Groovy |
Won't Fix
|
Low
|
Unassigned |
Bug Description
[Impact]
Removal of the /etc/securetty file from the system results in useless log messages whenever pam_unix is invoked, which for some systems is quite a lot of logging. /etc/securetty is not coming back, and this is not an error.
[Test Plan]
1. Run 'sudo -s'. Confirm that 'journalctl | grep sudo.*securetty' returns a line 'sudo[...]: pam_unix(
2. Install libpam-modules update from -proposed.
3. Confirm that 'grep nullok_secure' /etc/pam.
4. Run 'sudo -k'.
5. Run 'sudo -s' again.
6. Confirm that sudo succeeds and gives you a root shell.
7. Confirm that 'journalctl | grep sudo.*securetty' does not show any new lines.
[Where problems could occur]
PAM is a sensitive package because it's used in all authentication operations on the system. A bug here could render a user unable to log in to their system.
Risks are mitigated by:
- including a patch that treats the obsolete 'nullok_secure' as an alias for 'nullok' to ensure any user-edited configurations continue to work rather than throwing errors about unknown options
- editing the system-managed /etc/pam.
Because we are editing the system config, this could also cause issues on future upgrades with undesirable prompts to the user. However, the maintainer scripts are not meant to prompt on changes to the pam-config, and this code has been in Debian for a while with no reports of problems.
[Original description]
Hello, after upgrading to focal I found the following in my journalctl output:
Jan 24 23:07:00 millbarge sudo[32120]: pam_unix(
Jan 24 23:07:01 millbarge sudo[32120]: pam_unix(
The login package stopped packaging this file:
https:/
and now forcibly removes the file:
https:/
However, the pam package's pam_unix.so module has not yet been adapted to ignore this file:
https:/
Thanks
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: libpam-modules 1.3.1-5ubuntu4
ProcVersionSign
Uname: Linux 5.4.0-9-generic x86_64
NonfreeKernelMo
ApportVersion: 2.20.11-0ubuntu15
Architecture: amd64
Date: Fri Jan 24 23:35:33 2020
ProcEnviron:
TERM=rxvt-
PATH=(custom, no user)
XDG_RUNTIME_
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: pam
UpgradeStatus: Upgraded to focal on 2020-01-24 (0 days ago)
tags: | added: champagne |
Changed in pam (Debian): | |
status: | Unknown → New |
tags: | added: id-5ebd60b9e10a724ad7cbaffe |
tags: | removed: champagne |
tags: | added: fr-14 |
Changed in pam (Debian): | |
status: | New → Fix Released |
Changed in pam (Ubuntu Focal): | |
status: | New → Confirmed |
Changed in pam (Ubuntu Groovy): | |
status: | Confirmed → Won't Fix |
Changed in pam (Ubuntu): | |
status: | Confirmed → Fix Committed |
Changed in pam (Ubuntu Focal): | |
status: | Confirmed → In Progress |
description: | updated |
Changed in pam (Ubuntu Focal): | |
importance: | Undecided → Low |
Looks like Balint has been looking at that problem from the Debian side, assigning to him
@Balint, feel free to unassign if I got that wrong :)