su: add info about pam_lastlog to su.1

References: https://bugzilla.redhat.com/show_bug.cgi?id=1021108 Signed-off-by: Karel Zak <kzak@redhat.com>
author: Karel Zak 2013-10-21 14:27:30 +0200
committer: Karel Zak 2013-10-21 14:27:30 +0200
commit: d0c10f7df935b2c222b168fffdf68d25adef9739 (patch)
tree: fa64041ab3cd673fa151ef459d5de0932de09a7a /login-utils/su.1
parent: po: merge changes (diff)
download: kernel-qcow2-util-linux-d0c10f7df935b2c222b168fffdf68d25adef9739.tar.gz
kernel-qcow2-util-linux-d0c10f7df935b2c222b168fffdf68d25adef9739.tar.xz
kernel-qcow2-util-linux-d0c10f7df935b2c222b168fffdf68d25adef9739.zip
1 files changed, 14 insertions, 0 deletions
diff --git a/login-utils/su.1 b/login-utils/su.1
index 1d8176218..55c0b8bac 100644
--- a/login-utils/su.1
+++ b/login-utils/su.1
@@ -226,6 +226,20 @@ command specific logindef config file
 /etc/login.defs
 global logindef config file
 .PD 1
+.SH NOTES
+For security reasons
+.B su
+always logs failed log-in attempts to the btmp file, but it does not write to
+the lastlog file at all.  This solution allows to control
+.B su
+behavior by PAM configuration.  If you want to use the pam_lastlog module to
+print warning message about failed log-in attempts then the pam_lastlog has to
+be configured to update lastlog file too. For example by:
+
+.RS
+.br
+session  required  pam_lastlog.so nowtmp
+.RE
 .SH "SEE ALSO"
 .BR runuser (8),
 .BR pam (8),
author	Karel Zak	2013-10-21 14:27:30 +0200
committer	Karel Zak	2013-10-21 14:27:30 +0200
commit	d0c10f7df935b2c222b168fffdf68d25adef9739 (patch)
tree	fa64041ab3cd673fa151ef459d5de0932de09a7a /login-utils/su.1
parent	po: merge changes (diff)
download	kernel-qcow2-util-linux-d0c10f7df935b2c222b168fffdf68d25adef9739.tar.gz kernel-qcow2-util-linux-d0c10f7df935b2c222b168fffdf68d25adef9739.tar.xz kernel-qcow2-util-linux-d0c10f7df935b2c222b168fffdf68d25adef9739.zip