nixos/pam: create wtmp/lastlog iff using pam_lastlog

I think pam_lastlog is the only thing that writes to these files in practice on a modern Linux system, so in a configuration that doesn't use that module, we don't need to create these files. I used tmpfiles.d instead of activation snippets to create the logs. It's good enough for upstream and other distros; it's probably good enough for us.
6 years ago · b63f65aea0
parent 188bdfb95d
commit b63f65aea0
2 changed files with 7 additions and 5 deletions
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@ -548,6 +548,13 @@ in
    environment.etc =
      mapAttrsToList (n: v: makePAMService v) config.security.pam.services;

+    systemd.tmpfiles.rules = optionals
+      (any (s: s.updateWtmp) (attrValues config.security.pam.services))
+      [
+        "f /var/log/wtmp"
+        "f /var/log/lastlog"
+      ];
+
    security.pam.services =
      { other.text =
          ''
--- a/nixos/modules/system/activation/activation-script.nix
+++ b/nixos/modules/system/activation/activation-script.nix
@ -128,11 +128,6 @@ in
      ''
        # Various log/runtime directories.

-        mkdir -m 0755 -p /var/log
-
-        touch /var/log/wtmp /var/log/lastlog # must exist
-        chmod 644 /var/log/wtmp /var/log/lastlog
-
        mkdir -m 1777 -p /var/tmp

        # Empty, immutable home directory of many system accounts.