Suppress error messages related to kcheckpass failing to open its logfile

Scope:

After applying the update that bumped the KDE Plasma version to 5.12.1-1, I noticed the following error messages in journalctl:

fev 20 09:52:28 mbb-laptop kcheckpass[1724]: pam_tally(kde:auth): Error opening /var/log/faillog for update
fev 20 09:52:28 mbb-laptop kcheckpass[1724]: pam_tally(kde:auth): Error opening /var/log/faillog for read
fev 20 09:52:28 mbb-laptop kcheckpass[1724]: pam_tally(kde:setcred): Error opening /var/log/faillog for update
fev 20 09:52:28 mbb-laptop kcheckpass[1724]: pam_tally(kde:setcred): Error opening /var/log/faillog for update
fev 20 09:53:46 mbb-laptop kcheckpass[1768]: pam_tally(kde:auth): Error opening /var/log/faillog for update
fev 20 09:53:46 mbb-laptop kcheckpass[1768]: pam_tally(kde:auth): Error opening /var/log/faillog for read
fev 20 09:53:46 mbb-laptop kcheckpass[1768]: pam_tally(kde:setcred): Error opening /var/log/faillog for update
fev 20 09:53:46 mbb-laptop kcheckpass[1768]: pam_tally(kde:setcred): Error opening /var/log/faillog for update

This tutorial explains why this happens and how to solve it.

Introduction:

kcheckpass is a small helper program installed at /usr/lib/kcheckpass and belongs to the package kscreenlocker. That package is a kwin dependency and, according to its description, provides the "Library and components for secure lock screen architecture". In practice this means that every time you type your password to unlock the screen, kcheckpass is executed to verify it through PAM (it can also be invoked by any other program that wants to authenticate a user the same way). The error messages above show that the pam_tally module it loads is unable to open its logfile, /var/log/faillog.

Cause:

When kcheckpass is not installed setuid, it runs with the permissions of the user who invoked it, and so does the pam_tally module it loads. Since only root has read/write permission on /var/log/faillog, the open fails and pam_tally logs the error. Note that this doesn't affect the authentication itself: the pam_tally line in /etc/pam.d/system-login carries onerr=succeed, so the module returns success when it cannot open the file. What you lose is the ability to record failed attempts, i.e. the failure counter is silently not being maintained for these authentications.

Solution:

There are two solutions for this:

  1. Set the setuid bit on kcheckpass so that it runs with the permissions of the file's owner (root) regardless of which user invokes it (+s sets both the setuid and setgid bits; u+s is the minimum needed):
sudo chmod +s /usr/lib/kcheckpass
  2. Switch the module from pam_tally to pam_tally2 and create the respective log file with the correct permissions. Keep in mind that pam_tally2 without a deny=N option only counts failures and never locks anything; add deny=N (and unlock_time=S) if you want an actual lockout policy.
    2.1. Note that I commented out the first line and added the second one in /etc/pam.d/system-login:
[mbb@mbb-laptop ~]$ cat /etc/pam.d/system-login 
#%PAM-1.0

#auth       required   pam_tally.so         onerr=succeed file=/var/log/faillog
auth       required   pam_tally2.so
[...]

    2.2. Then I created the log file with the correct permissions:

sudo touch /var/log/tallylog
sudo chmod 600 /var/log/tallylog

According to sources 1 and 2, the second solution is the one to prefer for security reasons: a setuid-root kcheckpass can be executed by any unprivileged program, so any bug in kcheckpass or in the PAM modules it loads would then run with root privileges. The second solution keeps kcheckpass unprivileged. Source 3 also notes that pam_tally is deprecated, or on its way to being so, in favour of pam_tally2.

Sources:

  1. https://bbs.archlinux.org/viewtopic.php?id=215322
  2. https://bugs.archlinux.org/task/50369
  3. https://bugs.archlinux.org/task/42120
  4. https://unix.stackexchange.com/questions/302381/kcheckpass-error-opening-var-log-faillog#302960

Not that this matters a lot for the system's health, but we all dislike error messages popping up unnecessarily.

Cheers.

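As an added example (not part of the original post, and not code from kscreenlocker or pambase), here is a small POSIX shell script that automates the checks behind the tutorial: it counts the pam_tally errors per kcheckpass PID in a journal dump, tells whether a PAM file still loads the legacy pam_tally.so, writes a migrated copy that uses pam_tally2.so, creates the tally file with mode 0600 from the moment it exists, and checks the setuid bit used by solution 1. It works only on the paths you pass it, so nothing under /etc or /var is touched. The journal lines and PAM config at the bottom are constructed sample input, and the deny=5 unlock_time=600 values are an assumed lockout policy, not something the post prescribes.

```shell
#!/bin/sh
# Added example, not code from the original post. Works on copies given as
# arguments; nothing under /etc or /var is modified unless you point it there.
# Sample journal lines and PAM config are constructed for the demo; the
# deny=/unlock_time= values are an assumed lockout policy.

# Count "pam_tally ... Error opening ... faillog" lines per kcheckpass PID.
# Input: a file of journalctl lines. Output: "<pid> <count>", one per line.
tally_errors_by_pid() {
    awk '/kcheckpass\[[0-9]+\]: pam_tally\(.*\): Error opening .*faillog/ {
            if (match($0, /kcheckpass\[[0-9]+\]/)) {
                pid = substr($0, RSTART + 11, RLENGTH - 12)   # digits between the brackets
                count[pid]++
            }
        }
        END { for (p in count) print p, count[p] }' "$1" | sort -n
}

# True (exit 0) when an uncommented auth line still loads the legacy pam_tally.so
# (pam_tally2.so does not match because ".so" must follow "pam_tally" directly).
uses_legacy_pam_tally() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*[[:space:]]pam_tally\.so([[:space:]]|$)' "$1"
}

# Write a migrated copy of PAM file $1 to $2: each legacy pam_tally auth line is
# commented out and followed by a pam_tally2 line. Unlike the bare line in the
# post, an explicit deny=N is set, because without it pam_tally2 only counts
# failures and never locks anything. $3 = N (assumed default 5).
migrate_to_pam_tally2() {
    awk -v deny="${3:-5}" '
        /^[[:space:]]*auth[[:space:]].*[[:space:]]pam_tally\.so([[:space:]]|$)/ {
            print "#" $0
            print "auth       required   pam_tally2.so       deny=" deny " unlock_time=600"
            next
        }
        { print }' "$1" > "$2"
}

# Create the tally file with mode 0600 from the moment it exists: the umask does
# it atomically, instead of touch (world-readable for an instant) then chmod.
# A file that already exists keeps its content and is forced to 0600.
create_tallylog() {
    ( umask 077 && : >> "$1" ) && chmod 600 "$1"
}

# Octal mode of a file (GNU stat, with the BSD spelling as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Solution 1 check: is the binary setuid? (sh's -u test reads the setuid bit.)
is_setuid() {
    [ -u "$1" ]
}

# Constructed sample input, modelled on the lines in the post, plus one
# unrelated line that must be ignored.
sample_journal() {
    cat <<'EOF'
fev 20 09:52:28 mbb-laptop kcheckpass[1724]: pam_tally(kde:auth): Error opening /var/log/faillog for update
fev 20 09:52:28 mbb-laptop kcheckpass[1724]: pam_tally(kde:auth): Error opening /var/log/faillog for read
fev 20 09:52:28 mbb-laptop kcheckpass[1724]: pam_tally(kde:setcred): Error opening /var/log/faillog for update
fev 20 09:53:46 mbb-laptop kcheckpass[1768]: pam_tally(kde:auth): Error opening /var/log/faillog for update
fev 20 09:53:47 mbb-laptop sudo[1790]: pam_unix(sudo:session): session opened for user root
EOF
}

# Constructed PAM fragment in the shape of the post's /etc/pam.d/system-login.
sample_pam_config() {
    cat <<'EOF'
#%PAM-1.0

auth       required   pam_tally.so         onerr=succeed file=/var/log/faillog
auth       required   pam_shells.so
EOF
}

# Demo on a throwaway directory (run the script with no arguments).
demo() {
    tmp=$(mktemp -d) || return 1
    sample_journal > "$tmp/journal.txt"
    sample_pam_config > "$tmp/system-login"
    echo "pam_tally errors per kcheckpass PID:"
    tally_errors_by_pid "$tmp/journal.txt"
    if uses_legacy_pam_tally "$tmp/system-login"; then
        migrate_to_pam_tally2 "$tmp/system-login" "$tmp/system-login.new" 5
        create_tallylog "$tmp/tallylog"
        echo "migrated config:"; cat "$tmp/system-login.new"
        echo "tallylog mode: $(file_mode "$tmp/tallylog")"
    fi
    rm -rf "$tmp"
}

demo
```

To use it on a real box, call the functions with the real paths (journalctl -b > journal.txt; migrate_to_pam_tally2 /etc/pam.d/system-login /tmp/system-login.new) and inspect the copy before putting it in place; keep a root shell open while you test a PAM change, since a broken system-login locks you out of the screen locker and of new logins.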

I was just poking around when I found this, and was about to post about the same issue/procedure. Nice. Thanks :blush:

