# ls -l /var/log/tallylog
-rwx------ 1 root root 64064 Apr 7 22:56 tallylog
I'm unsure which version of pam actually created this file. Maybe it was a predecessor version.
Created attachment 240187
Output of emerge --info =sys-libs/pam-1.1.1-r2
Please run `portageq owners / /var/log/tallylog' and post the output here.
$ portageq owners / /var/log/tallylog
None of the installed packages claim the file(s).
However, the file seems to contain a single valid counter:
$ pam_tally2 --file /var/log/tallylog
Login           Failures Latest failure     From
someone             1    03/28/10 23:18:31  somewhere (known ip)
$ strings /lib/security/pam_tally2.so | grep tallylog
/var/log/tallylog
Ok, this is from static int get_tally() from within pam_tally.c:
    lstat_ret = lstat(filename, &fileinfo);
    if (lstat_ret) {
        *tfile=open(filename, O_APPEND|O_CREAT, 0700);
        /* Create file, or append-open in pathological case. */
It uses open with mode 0700 (rwx). Thus it voluntarily creates a pathological case here.
You're right and the thing is still broken upstream; will fix without revbump, as it's far from being overly important IMHO.
Committed, thanks, going to send it upstream in a moment ;)
Diego, your patch only addresses a newly created tallylog. Hence the pam ebuild should explicitly remove the executable bit from that file, if it exists.
Sincerely, I'd like to mess with live filesystem permissions as little as possible, especially since it shouldn't be much trouble besides being wrong.
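The two points raised in this thread, as an added example that is not part of the original comments and is not pam's or the ebuild's code: creating the file with the quoted open() flags and mode 0700 leaves execute bits on disk, and an already existing file keeps them until they are cleared explicitly. The function names, the sample path and the corrected mode 0600 are assumptions; the thread does not show the committed patch.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for O_NOFOLLOW and fchmod() */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` with the flags quoted from get_tally() and the given mode;
 * return the permission bits found on disk afterwards, or -1 on error. */
int create_tally(const char *path, mode_t mode)
{
    struct stat st;
    int fd = open(path, O_APPEND | O_CREAT, mode);
    if (fd < 0)
        return -1;
    int rc = fstat(fd, &st);
    close(fd);
    return rc ? -1 : (int)(st.st_mode & 07777);
}

/* Clear the execute bits on an already existing tally file. Refuses
 * symlinks (O_NOFOLLOW) and non-regular files, and works on the open
 * descriptor so the file checked and the file changed are the same object.
 * Returns the resulting permission bits, or -1 on error. */
int strip_exec_bits(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    mode_t want = st.st_mode & 07777 & ~(mode_t)0111;
    int rc = (want != (st.st_mode & 07777)) ? fchmod(fd, want) : 0;
    close(fd);
    return rc ? -1 : (int)want;
}

int main(void)
{
    const char *path = "./tallylog.example";   /* constructed sample path */
    unlink(path);
    printf("created with 0700: %04o\n", (unsigned)create_tally(path, 0700));
    printf("after strip:       %04o\n", (unsigned)strip_exec_bits(path));
    unlink(path);
    printf("created with 0600: %04o\n", (unsigned)create_tally(path, 0600));
    return unlink(path);
}
```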