From d0c10f7df935b2c222b168fffdf68d25adef9739 Mon Sep 17 00:00:00 2001 From: Karel Zak Date: Mon, 21 Oct 2013 14:27:30 +0200 Subject: su: add info about pam_lastlog to su.1 References: https://bugzilla.redhat.com/show_bug.cgi?id=1021108 Signed-off-by: Karel Zak --- login-utils/su.1 | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'login-utils/su.1') diff --git a/login-utils/su.1 b/login-utils/su.1 index 1d8176218..55c0b8bac 100644 --- a/login-utils/su.1 +++ b/login-utils/su.1 @@ -226,6 +226,20 @@ command specific logindef config file /etc/login.defs global logindef config file .PD 1 +.SH NOTES +For security reasons +.B su +always logs failed log-in attempts to the btmp file, but it does not write to +the lastlog file at all. This solution allows to control +.B su +behavior by PAM configuration. If you want to use the pam_lastlog module to +print warning message about failed log-in attempts then the pam_lastlog has to +be configured to update lastlog file too. For example by: + +.RS +.br +session required pam_lastlog.so nowtmp +.RE .SH "SEE ALSO" .BR runuser (8), .BR pam (8), -- cgit v1.2.3-55-g7522
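Review bot: The example at the end of the new NOTES section, "session required pam_lastlog.so nowtmp", does not connect to the sentence that introduces it. The text says pam_lastlog has to be configured to update the lastlog file in order to print the warning about failed log-in attempts, but the only option shown is nowtmp, which is left unexplained, and nothing says which PAM configuration file the line belongs in. Suggest adding one sentence on what nowtmp does and why it is wanted here, and naming the su PAM service file the line should go into. Wording in the same section: "This solution allows to control su behavior by PAM configuration" reads better as "This allows su behavior to be controlled by the PAM configuration", "print warning message" is missing an article, and the fragment "For example by:" could be folded into the previous sentence. The ".br" directly after ".RS" also looks unnecessary, since .RS already starts a new indented block.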