| author | K900 <me@0upti.me> | 2025-08-11 13:22:51 +0300 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-08-11 13:22:51 +0300 |
| commit | a6809ffcc6b2038292d723b3e3a7ffcbbf6d6c03 (patch) | |
| tree | 15f30983576a38f416267ca6bca9e89c3809d939 | |
| parent | Merge master into staging-next (diff) | |
| parent | nixos/tests/pam-lastlog: test legacy lastlog importer (diff) | |
nixos/pam: enable lastlog2 import service if any pam service uses lastlog (#432567)origin/staging-next
| -rw-r--r-- | nixos/modules/security/pam.nix | 27 | ||||
| -rw-r--r-- | nixos/tests/pam/pam-lastlog.nix | 17 |
2 files changed, 35 insertions, 9 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index fb42bba9d01c..abc632c1c07d 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -2311,11 +2311,28 @@ in
 environment.etc = lib.mapAttrs' makePAMService enabledServices;
- systemd = lib.optionalAttrs config.security.pam.services.login.updateWtmp {
- tmpfiles.packages = [ pkgs.util-linux.lastlog ]; # /lib/tmpfiles.d/lastlog2-tmpfiles.conf
- services.lastlog2-import.enable = true;
- packages = [ pkgs.util-linux.lastlog ]; # lib/systemd/system/lastlog2-import.service
- };
+ systemd =
+ lib.optionalAttrs
+ (lib.any (service: service.updateWtmp) (lib.attrValues config.security.pam.services))
+ {
+ tmpfiles.packages = [ pkgs.util-linux.lastlog ]; # /lib/tmpfiles.d/lastlog2-tmpfiles.conf
+ services.lastlog2-import = {
+ enable = true;
+ wantedBy = [ "default.target" ];
+ after = [
+ "local-fs.target"
+ "systemd-tmpfiles-setup.service"
+ ];
+ # TODO: ${pkgs.util-linux.lastlog}/lib/systemd/system/lastlog2-import.service
+ # uses unpatched /usr/bin/mv, needs to be fixed on staging
+ # in the meantime, use a service drop-in here
+ serviceConfig.ExecStartPost = [
+ ""
+ "${lib.getExe' pkgs.coreutils "mv"} /var/log/lastlog /var/log/lastlog.migrated"
+ ];
+ };
+ packages = [ pkgs.util-linux.lastlog ]; # lib/systemd/system/lastlog2-import.service
+ };
 security.pam.services = {
 other.text = ''
diff --git a/nixos/tests/pam/pam-lastlog.nix b/nixos/tests/pam/pam-lastlog.nix
index 837c84e1e601..cefc8a3d4e45 100644
--- a/nixos/tests/pam/pam-lastlog.nix
+++ b/nixos/tests/pam/pam-lastlog.nix
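Review bot: In nixos/modules/security/pam.nix the new predicate walks `config.security.pam.services`, so a PAM service that sets `updateWtmp` but is disabled still switches on the import unit, while the context line just above builds `environment.etc` from `enabledServices`. If `enabledServices` is the enable-filtered set, as its name suggests, `(lib.any (service: service.updateWtmp) (lib.attrValues enabledServices))` would keep the two in step. The `""` entry in `serviceConfig.ExecStartPost` also deserves its own comment, for example `# empty entry resets the packaged ExecStartPost (the /usr/bin/mv one) before ours is added`, because the TODO explains the replacement command but not the reset. The enclosing config attrset starts and ends outside this hunk.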
@@ -13,9 +13,18 @@
 };
 testScript = ''
- machine.wait_for_unit("multi-user.target")
- machine.succeed("run0 --pty true") # perform full login
- print(machine.succeed("lastlog2 --active --user root"))
- machine.succeed("stat /var/lib/lastlog/lastlog2.db")
+ with subtest("Test legacy lastlog import"):
+ # create old lastlog file to test import
+ # empty = nothing will actually be imported, but the service will run
+ machine.succeed("touch /var/log/lastlog")
+ machine.wait_for_unit("lastlog2-import.service")
+ machine.succeed("journalctl -b --grep 'Starting Import lastlog data into lastlog2 database'")
+ machine.succeed("stat /var/log/lastlog.migrated")
+
+ with subtest("Test lastlog entries are created by logins"):
+ machine.wait_for_unit("multi-user.target")
+ machine.succeed("run0 --pty true") # perform full login
+ print(machine.succeed("lastlog2 --active --user root"))
+ machine.succeed("stat /var/lib/lastlog/lastlog2.db")
 '';
 } |
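Review bot: The import subtest in nixos/tests/pam/pam-lastlog.nix proves only that the unit ran and that `lastlog.migrated` exists. The legacy file is created empty (`# empty = nothing will actually be imported`), so nothing checks that login records reach the lastlog2 database or that the original file is gone. Adding `machine.fail("stat /var/log/lastlog")` after the `lastlog.migrated` check would pin a move rather than a copy. The `touch` is issued from the test driver after boot has begun, so whether it lands before the unit is evaluated depends on ordering that is not visible in this hunk; if that can race, seeding the file from the node configuration would be more robust.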
