Merge pull request #142 from t8m/lastlog-limit

login.defs: Add LASTLOG_UID_MAX variable to limit lastlog to small uids.

lib/getdef.c

@@ -92,6 +92,7 @@ static struct itemdef def_table[] = {
 	{"GID_MIN", NULL},
 	{"HUSHLOGIN_FILE", NULL},
 	{"KILLCHAR", NULL},
+	{"LASTLOG_UID_MAX", NULL},
 	{"LOGIN_RETRIES", NULL},
 	{"LOGIN_TIMEOUT", NULL},
 	{"LOG_OK_LOGINS", NULL},

man/Makefile.am

@@ -137,6 +137,7 @@ login_defs_v = \
 	ISSUE_FILE.xml \
 	KILLCHAR.xml \
 	LASTLOG_ENAB.xml \
+	LASTLOG_UID_MAX.xml \
 	LOGIN_RETRIES.xml \
 	LOGIN_STRING.xml \
 	LOGIN_TIMEOUT.xml \

man/lastlog.8.xml

@@ -31,6 +31,7 @@
 -->
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!ENTITY LASTLOG_UID_MAX       SYSTEM "login.defs.d/LASTLOG_UID_MAX.xml">
 <!-- SHADOW-CONFIG-HERE -->
 ]>
 <refentry id='lastlog.8'>
@@ -200,6 +201,18 @@
     </para>
   </refsect1>
 
+  <refsect1 id='configuration'>
+    <title>CONFIGURATION</title>
+    <para>
+      The following configuration variables in
+      <filename>/etc/login.defs</filename> change the behavior of this
+      tool:
+    </para>
+    <variablelist>
+      &LASTLOG_UID_MAX;
+    </variablelist>
+  </refsect1>
+
   <refsect1 id='files'>
     <title>FILES</title>
     <variablelist>

man/login.defs.5.xml

@@ -54,6 +54,7 @@
 <!ENTITY ISSUE_FILE            SYSTEM "login.defs.d/ISSUE_FILE.xml">
 <!ENTITY KILLCHAR              SYSTEM "login.defs.d/KILLCHAR.xml">
 <!ENTITY LASTLOG_ENAB          SYSTEM "login.defs.d/LASTLOG_ENAB.xml">
+<!ENTITY LASTLOG_UID_MAX       SYSTEM "login.defs.d/LASTLOG_UID_MAX.xml">
 <!ENTITY LOG_OK_LOGINS         SYSTEM "login.defs.d/LOG_OK_LOGINS.xml">
 <!ENTITY LOG_UNKFAIL_ENAB      SYSTEM "login.defs.d/LOG_UNKFAIL_ENAB.xml">
 <!ENTITY LOGIN_RETRIES         SYSTEM "login.defs.d/LOGIN_RETRIES.xml">
@@ -188,6 +189,7 @@
       &ISSUE_FILE;
       &KILLCHAR;
       &LASTLOG_ENAB;
+      &LASTLOG_UID_MAX;
       &LOG_OK_LOGINS;
       &LOG_UNKFAIL_ENAB;
       &LOGIN_RETRIES;
@@ -349,7 +351,12 @@
 	</listitem>
       </varlistentry>
       <!-- id: no variables -->
-      <!-- lastlog: no variables -->
+      <varlistentry>
+	<term>lastlog</term>
+	<listitem>
+	  <para>LASTLOG_UID_MAX</para>
+	</listitem>
+      </varlistentry>
       <varlistentry>
 	<term>login</term>
 	<listitem>
@@ -365,7 +372,7 @@
 	    HUSHLOGIN_FILE
 	    <phrase condition="no_pam">ISSUE_FILE</phrase>
 	    KILLCHAR
-	    <phrase condition="no_pam">LASTLOG_ENAB</phrase>
+	    <phrase condition="no_pam">LASTLOG_ENAB LASTLOG_UID_MAX</phrase>
 	    LOGIN_RETRIES
 	    <phrase condition="no_pam">LOGIN_STRING</phrase>
 	    LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
@@ -474,6 +481,7 @@
 	  <para>
 	    CREATE_HOME
 	    GID_MAX GID_MIN
+	    LASTLOG_UID_MAX
 	    MAIL_DIR MAX_MEMBERS_PER_GROUP
 	    PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
 	    SUB_GID_COUNT SUB_GID_MAX SUB_GID_MIN
@@ -498,6 +506,7 @@
 	<term>usermod</term>
 	<listitem>
 	  <para>
+	    LASTLOG_UID_MAX
 	    MAIL_DIR MAIL_FILE MAX_MEMBERS_PER_GROUP
 	    <phrase condition="tcb">TCB_SYMLINKS USE_TCB</phrase>
 	  </para>

man/login.defs.d/LASTLOG_UID_MAX.xml

@@ -0,0 +1,46 @@
+<!--
+   Copyright (c) 1991 - 1993, Julianne Frances Haugh
+   Copyright (c) 1991 - 1993, Chip Rosenthal
+   Copyright (c) 2007 - 2008, Nicolas François
+   Copyright (c) 2018, Red Hat, inc.
+   All rights reserved.
+
+   Redistribution and use in source and binary forms, with or without
+   modification, are permitted provided that the following conditions
+   are met:
+   1. Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+   2. Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+   3. The name of the copyright holders or contributors may not be used to
+      endorse or promote products derived from this software without
+      specific prior written permission.
+  
+   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+   ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+   PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
+   HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+-->
+<varlistentry>
+  <term><option>LASTLOG_UID_MAX</option> (number)</term>
+  <listitem>
+    <para>
+      Highest user ID number for which the lastlog entries should be
+      updated. As higher user IDs are usually tracked by remote user
+      identity and authentication services there is no need to create
+      a huge sparse lastlog file for them.
+    </para>
+    <para>
+      No <option>LASTLOG_UID_MAX</option> option present in the configuration
+      means that there is no user ID limit for writing lastlog entries.
+    </para>
+  </listitem>
+</varlistentry>

man/useradd.8.xml

@@ -32,6 +32,7 @@
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
 <!ENTITY CREATE_HOME           SYSTEM "login.defs.d/CREATE_HOME.xml">
 <!ENTITY GID_MAX               SYSTEM "login.defs.d/GID_MAX.xml">
+<!ENTITY LASTLOG_UID_MAX       SYSTEM "login.defs.d/LASTLOG_UID_MAX.xml">
 <!ENTITY MAIL_DIR              SYSTEM "login.defs.d/MAIL_DIR.xml">
 <!ENTITY MAX_MEMBERS_PER_GROUP SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml">
 <!ENTITY PASS_MAX_DAYS         SYSTEM "login.defs.d/PASS_MAX_DAYS.xml">
@@ -670,6 +671,7 @@
     <variablelist>
       &CREATE_HOME;
       &GID_MAX; <!-- documents also GID_MIN -->
+      &LASTLOG_UID_MAX;
       &MAIL_DIR;
       &MAX_MEMBERS_PER_GROUP;
       &PASS_MAX_DAYS;

man/usermod.8.xml

@@ -30,6 +30,7 @@
 -->
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!ENTITY LASTLOG_UID_MAX       SYSTEM "login.defs.d/LASTLOG_UID_MAX.xml">
 <!ENTITY MAIL_DIR              SYSTEM "login.defs.d/MAIL_DIR.xml">
 <!ENTITY MAX_MEMBERS_PER_GROUP SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml">
 <!ENTITY SUB_GID_COUNT         SYSTEM "login.defs.d/SUB_GID_COUNT.xml">
@@ -517,6 +518,7 @@
       tool:
     </para>
     <variablelist>
+      &LASTLOG_UID_MAX;
       &MAIL_DIR; <!-- documents also MAIL_FILE -->
       &MAX_MEMBERS_PER_GROUP;
       &SUB_GID_COUNT; <!-- documents also SUB_GID_MAX and SUB_GID_MIN -->

src/lastlog.c

@@ -44,6 +44,7 @@
 #include <assert.h>
 #include "defines.h"
 #include "prototypes.h"
+#include "getdef.h"
 /*@-exitarg@*/
 #include "exitcodes.h"
 
@@ -182,6 +183,15 @@ static void print_one (/*@null@*/const struct passwd *pw)
 static void print (void)
 {
 	const struct passwd *pwent;
+	unsigned long lastlog_uid_max;
+
+	lastlog_uid_max = getdef_ulong ("LASTLOG_UID_MAX", 0xFFFFFFFFUL);
+	if (   (has_umin && umin > lastlog_uid_max)
+	    || (has_umax && umax > lastlog_uid_max)) {
+		fprintf (stderr, _("%s: Selected uid(s) are higher than LASTLOG_UID_MAX (%lu),\n"
+				   "\tthe output might be incorrect.\n"), Prog, lastlog_uid_max);
+	}
+
 	if (uflg && has_umin && has_umax && (umin == umax)) {
 		print_one (getpwuid ((uid_t)umin));
 	} else {
@@ -191,6 +201,8 @@ static void print (void)
 			    && (   (has_umin && (pwent->pw_uid < (uid_t)umin))
 			        || (has_umax && (pwent->pw_uid > (uid_t)umax)))) {
 				continue;
+			} else if ( !uflg && pwent->pw_uid > (uid_t) lastlog_uid_max) {
+				continue;
 			}
 			print_one (pwent);
 		}
@@ -246,10 +258,19 @@ static void update_one (/*@null@*/const struct passwd *pw)
 static void update (void)
 {
 	const struct passwd *pwent;
+	unsigned long lastlog_uid_max;
 
 	if (!uflg) /* safety measure */
 		return;
 
+	lastlog_uid_max = getdef_ulong ("LASTLOG_UID_MAX", 0xFFFFFFFFUL);
+	if (   (has_umin && umin > lastlog_uid_max)
+	    || (has_umax && umax > lastlog_uid_max)) {
+		fprintf (stderr, _("%s: Selected uid(s) are higher than LASTLOG_UID_MAX (%lu),\n"
+				   "\tthey will not be updated.\n"), Prog, lastlog_uid_max);
+		return;
+	}
+
 	if (has_umin && has_umax && (umin == umax)) {
 		update_one (getpwuid ((uid_t)umin));
 	} else {

src/login.c

@@ -1162,7 +1162,9 @@ int main (int argc, char **argv)
 #endif				/* WITH_AUDIT */
 
 #ifndef USE_PAM			/* pam_lastlog handles this */
-	if (getdef_bool ("LASTLOG_ENAB")) {	/* give last login and log this one */
+	if (   getdef_bool ("LASTLOG_ENAB")
+	    && pwd->pw_uid <= (uid_t) getdef_ulong ("LASTLOG_UID_MAX", 0xFFFFFFFFUL)) {
+		/* give last login and log this one */
 		dolastlog (&ll, pwd, tty, hostname);
 	}
 #endif
@@ -1298,6 +1300,7 @@ int main (int argc, char **argv)
 			}
 		}
 		if (   getdef_bool ("LASTLOG_ENAB")
+		    && pwd->pw_uid <= (uid_t) getdef_ulong ("LASTLOG_UID_MAX", 0xFFFFFFFFUL)
 		    && (ll.ll_time != 0)) {
 			time_t ll_time = ll.ll_time;
 

src/useradd.c

@@ -1863,11 +1863,18 @@ static void lastlog_reset (uid_t uid)
 	struct lastlog ll;
 	int fd;
 	off_t offset_uid = (off_t) (sizeof ll) * uid;
+	uid_t max_uid;
 
 	if (access (LASTLOG_FILE, F_OK) != 0) {
 		return;
 	}
 
+	max_uid = (uid_t) getdef_ulong ("LASTLOG_UID_MAX", 0xFFFFFFFFUL);
+	if (uid > max_uid) {
+		/* do not touch lastlog for large uids */
+		return;
+	}
+
 	memzero (&ll, sizeof (ll));
 
 	fd = open (LASTLOG_FILE, O_RDWR);

src/usermod.c

@@ -1864,11 +1864,18 @@ static void update_lastlog (void)
 	int fd;
 	off_t off_uid = (off_t) user_id * sizeof ll;
 	off_t off_newuid = (off_t) user_newid * sizeof ll;
+	uid_t max_uid;
 
 	if (access (LASTLOG_FILE, F_OK) != 0) {
 		return;
 	}
 
+	max_uid = (uid_t) getdef_ulong ("LASTLOG_MAX_UID", 0xFFFFFFFFUL);
+	if (user_newid > max_uid) {
+		/* do not touch lastlog for large uids */
+		return;
+	}
+
 	fd = open (LASTLOG_FILE, O_RDWR);
 
 	if (-1 == fd) {