[Bug 1860826] Re: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory

Seth Arnold 1860826 at bugs.launchpad.net
Tue Sep 28 20:31:55 UTC 2021 

Worked for me on my daily workstation:

⏚ [sarnold:~/trees] 100 $ sudo apt install -tfocal-proposed libpam0g libpam-runtime libpam-modules-bin libpam-modules
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Recommended packages:
  update-motd
The following packages will be upgraded:
  libpam-modules libpam-modules-bin libpam-runtime libpam0g
4 upgraded, 0 newly installed, 0 to remove and 50 not upgraded.
Need to get 394 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://192.168.0.27/ubuntu focal-proposed/main amd64 libpam0g amd64 1.3.1-5ubuntu4.3 [55.4 kB]
Get:2 http://192.168.0.27/ubuntu focal-proposed/main amd64 libpam-modules-bin amd64 1.3.1-5ubuntu4.3 [41.2 kB]
Get:3 http://192.168.0.27/ubuntu focal-proposed/main amd64 libpam-modules amd64 1.3.1-5ubuntu4.3 [260 kB]
Get:4 http://192.168.0.27/ubuntu focal-proposed/main amd64 libpam-runtime all 1.3.1-5ubuntu4.3 [37.3 kB]
Fetched 394 kB in 0s (10.6 MB/s)          
Preconfiguring packages ...
(Reading database ... 233861 files and directories currently installed.)
Preparing to unpack .../libpam0g_1.3.1-5ubuntu4.3_amd64.deb ...
Unpacking libpam0g:amd64 (1.3.1-5ubuntu4.3) over (1.3.1-5ubuntu4.2) ...
Setting up libpam0g:amd64 (1.3.1-5ubuntu4.3) ...
(Reading database ... 233861 files and directories currently installed.)
Preparing to unpack .../libpam-modules-bin_1.3.1-5ubuntu4.3_amd64.deb ...
Unpacking libpam-modules-bin (1.3.1-5ubuntu4.3) over (1.3.1-5ubuntu4.2) ...
Setting up libpam-modules-bin (1.3.1-5ubuntu4.3) ...
(Reading database ... 233861 files and directories currently installed.)
Preparing to unpack .../libpam-modules_1.3.1-5ubuntu4.3_amd64.deb ...
Unpacking libpam-modules:amd64 (1.3.1-5ubuntu4.3) over (1.3.1-5ubuntu4.2) ...
Setting up libpam-modules:amd64 (1.3.1-5ubuntu4.3) ...
(Reading database ... 233861 files and directories currently installed.)
Preparing to unpack .../libpam-runtime_1.3.1-5ubuntu4.3_all.deb ...
Unpacking libpam-runtime (1.3.1-5ubuntu4.3) over (1.3.1-5ubuntu4.2) ...
Setting up libpam-runtime (1.3.1-5ubuntu4.3) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for libc-bin (2.31-0ubuntu9.2) ...
⏚ [sarnold:~/trees] 7s $ sudo -k ; sudo ls 
[sudo] password for sarnold: 
...

recent journal entries:
Sep 28 20:24:43 millbarge sudo[540916]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory
Sep 28 20:24:45 millbarge sudo[540916]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory

and journal entries from an authentication performed after installing
the update:

Sep 28 20:27:14 millbarge audit[548532]: SYSCALL arch=c000003e syscall=59 success=yes exit=0 a0=55bfed873130 a1=55bfed6fa4f0 a2=55bfed8b1910 a3=8 items=2 ppid=19448 pid=548532 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4 comm="sudo" exe="/usr/bin/sudo" key="execpriv"
Sep 28 20:27:14 millbarge audit: EXECVE argc=2 a0="sudo" a1="-k"
Sep 28 20:27:14 millbarge audit: CWD cwd="/home/sarnold/trees"
Sep 28 20:27:14 millbarge audit: PATH item=0 name="/usr/bin/sudo" inode=814680 dev=00:1c mode=0104755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
Sep 28 20:27:14 millbarge audit: PATH item=1 name="/lib64/ld-linux-x86-64.so.2" inode=452898 dev=00:1c mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
Sep 28 20:27:14 millbarge audit: PROCTITLE proctitle=7375646F002D6B
Sep 28 20:27:14 millbarge audit[548533]: SYSCALL arch=c000003e syscall=59 success=yes exit=0 a0=55bfed6ddf40 a1=55bfed727b00 a2=55bfed8b1910 a3=8 items=2 ppid=19448 pid=548533 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4 comm="sudo" exe="/usr/bin/sudo" key="execpriv"
Sep 28 20:27:14 millbarge audit: EXECVE argc=2 a0="sudo" a1="ls"
Sep 28 20:27:14 millbarge audit: CWD cwd="/home/sarnold/trees"
Sep 28 20:27:14 millbarge audit: PATH item=0 name="/usr/bin/sudo" inode=814680 dev=00:1c mode=0104755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
Sep 28 20:27:14 millbarge audit: PATH item=1 name="/lib64/ld-linux-x86-64.so.2" inode=452898 dev=00:1c mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
Sep 28 20:27:14 millbarge audit: PROCTITLE proctitle=7375646F006C73
Sep 28 20:27:17 millbarge audit[548533]: USER_AUTH pid=548533 uid=1000 auid=1000 ses=4 msg='op=PAM:authentication grantors=pam_permit,pam_cap acct="sarnold" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
Sep 28 20:27:17 millbarge audit[548533]: USER_ACCT pid=548533 uid=1000 auid=1000 ses=4 msg='op=PAM:accounting grantors=pam_permit acct="sarnold" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
Sep 28 20:27:17 millbarge sudo[548533]:  sarnold : TTY=pts/2 ; PWD=/home/sarnold/trees ; USER=root ; COMMAND=/usr/bin/ls
Sep 28 20:27:17 millbarge audit[548533]: USER_CMD pid=548533 uid=1000 auid=1000 ses=4 msg='cwd="/home/sarnold/trees" cmd="ls" terminal=pts/2 res=success'
Sep 28 20:27:17 millbarge audit[548533]: CRED_REFR pid=548533 uid=0 auid=1000 ses=4 msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
Sep 28 20:27:17 millbarge sudo[548533]: pam_unix(sudo:session): session opened for user root by sarnold(uid=0)
Sep 28 20:27:17 millbarge audit[548533]: USER_START pid=548533 uid=0 auid=1000 ses=4 msg='op=PAM:session_open grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
Sep 28 20:27:17 millbarge audit[548533]: USER_END pid=548533 uid=0 auid=1000 ses=4 msg='op=PAM:session_close grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
Sep 28 20:27:17 millbarge audit[548533]: CRED_DISP pid=548533 uid=0 auid=1000 ses=4 msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
Sep 28 20:27:17 millbarge sudo[548533]: pam_unix(sudo:session): session closed for user root
Sep 28 20:27:17 millbarge audit[548538]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f18e5b9c1a1 a2=80000 a3=0 items=1 ppid=548537 pid=548538 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4 comm="screen" exe="/usr/bin/screen" key="access"
Sep 28 20:27:17 millbarge audit: CWD cwd="/home/sarnold/trees"
Sep 28 20:27:17 millbarge audit: PATH item=0 name="/etc/shadow" inode=85678 dev=00:1c mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
Sep 28 20:27:17 millbarge audit: PROCTITLE proctitle=73637265656E002D6C73


And, some sanity tests with blank password, incorrect password, and ssh:

⏚ [sarnold:~/trees] 2s $ sudo -k
⏚ [sarnold:~/trees] $ sudo ls
[sudo] password for sarnold: 
Sorry, try again.
[sudo] password for sarnold: 
Sorry, try again.
[sudo] password for sarnold: 
sudo: 2 incorrect password attempts
⏚ [sarnold:~/trees] 7s 1 $ ssh localhost
Enter passphrase for key '/home/sarnold/.ssh/id_rsa': 
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-77-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
Last login: Tue Sep 28 15:21:40 2021 from ::1
⏚ [sarnold at millbarge:~] $ logout
Connection to localhost closed.


Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/1860826

Title:
  pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or
  directory

Status in pam package in Ubuntu:
  Fix Released
Status in pam source package in Focal:
  Fix Committed
Status in pam source package in Groovy:
  Won't Fix
Status in pam package in Debian:
  Fix Released

Bug description:
  [Impact]
  Removal of the /etc/securetty file from the system results in useless log messages whenever pam_unix is invoked, which for some systems is quite a lot of logging. /etc/securetty is not coming back, and this is not an error.

  [Test Plan]
  1. Run 'sudo -s'.  Confirm that 'journalctl | grep sudo.*securetty' returns a line 'sudo[...]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory'.
  2. Install libpam-modules update from -proposed.
  3. Confirm that 'grep nullok_secure' /etc/pam.d/common-auth returns no lines.
  4. Run 'sudo -k'.
  5. Run 'sudo -s' again.
  6. Confirm that sudo succeeds and gives you a root shell.
  7. Confirm that 'journalctl | grep sudo.*securetty' does not show any new lines.

  [Where problems could occur]
  PAM is a sensitive package because it's used in all authentication operations on the system.  A bug here could render a user unable to log in to their system.

  Risks are mitigated by:
  - including a patch that treats the obsolete 'nullok_secure' as an alias for 'nullok' to ensure any user-edited configurations continue to work rather than throwing errors about unknown options
  - editing the system-managed /etc/pam.d/common-auth config to use 'nullok' instead of 'nullok_secure' for future compatibility.

  Because we are editing the system config, this could also cause issues
  on future upgrades with undesirable prompts to the user.  However, the
  maintainer scripts are not meant to prompt on changes to the pam-
  config, and this code has been in Debian for a while with no reports
  of problems.

  
  [Original description]
  Hello, after upgrading to focal I found the following in my journalctl output:

  Jan 24 23:07:00 millbarge sudo[32120]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory
  Jan 24 23:07:01 millbarge sudo[32120]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory

  The login package stopped packaging this file:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731656
  and now forcibly removes the file:
  https://paste.ubuntu.com/p/myh9cGWrHD/

  However, the pam package's pam_unix.so module has not yet been adapted to ignore this file:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674857#25

  Thanks

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: libpam-modules 1.3.1-5ubuntu4
  ProcVersionSignature: Ubuntu 5.4.0-9.12-generic 5.4.3
  Uname: Linux 5.4.0-9-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu15
  Architecture: amd64
  Date: Fri Jan 24 23:35:33 2020
  ProcEnviron:
   TERM=rxvt-unicode-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: pam
  UpgradeStatus: Upgraded to focal on 2020-01-24 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/1860826/+subscriptions

More information about the foundations-bugs mailing list