Version in base suite: 0.73.0-3 Base version: wtmpdb_0.73.0-3 Target version: wtmpdb_0.73.0-3+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/w/wtmpdb/wtmpdb_0.73.0-3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/w/wtmpdb/wtmpdb_0.73.0-3+deb13u1.dsc README.Debian | 33 +---- changelog | 12 + control | 1 libwtmpdb0.postinst | 29 ++++ libwtmpdb0.postrm | 10 + libwtmpdb0.wtmpdb.logrotate | 7 + not-installed | 2 patches/db-in-var-log.patch | 207 ++++++++++++++++++++++++++++++++ patches/handle-empty-file-reading.patch | 105 ++++++++++++++++ patches/series | 2 rules | 9 - wtmpdb.install | 2 wtmpdb.postinst | 2 13 files changed, 390 insertions(+), 31 deletions(-) diff -Nru wtmpdb-0.73.0/debian/README.Debian wtmpdb-0.73.0/debian/README.Debian --- wtmpdb-0.73.0/debian/README.Debian 2025-05-04 17:39:33.000000000 +0000 +++ wtmpdb-0.73.0/debian/README.Debian 2025-10-20 18:12:54.000000000 +0000 @@ -1,7 +1,7 @@ wtmpdb in Debian ---------------- -In Debian 13 "trixie", login and reboot records are recorded by the 'wtmpdb' +Since Debian 13 "trixie", login and reboot records are recorded by the 'wtmpdb' solution in an sqlite3 database file. This document identifies differences in behaviour since earlier Debian releases that may require action by system administators. @@ -10,8 +10,10 @@ Log location ------------ -The datafile for the login and reboot records is stored in the tool's state -directory '/var/lib/wtmpdb' instead of the system log directory '/var/log'. +The datafile for the login and reboot records is currently stored in the +system log directory '/var/log' instead of the tool's state directory +'/var/lib/wtmpdb' as defined upstream via /usr/include/wtmpdb.h. On Debian +/var/lib/wtmpdb/wtmp.db should be a symbolic link to /var/log/wtmp.db. Logging SSH sessions 
@@ -50,27 +52,8 @@ Log rotation and pruning ------------------------ -Logs can be rotated by the 'wtmpdb rotate' command. A systemd timer unit -is installed to do this on a monthly basis; however, this timer is not -enabled by default because of its limitations: +Logs are rotated and pruned by logrotate(8). The rotation and retention +periods may be modified in /etc/logrotate.d/wtmpdb - 1. The rotated files are dated by the latest rotated entry in the form - wtmp_YYYYMMDD.db, rather than numerically like wtmp.1[.gz]. - 2. The rotated files are saved alongside the live database in /var/lib, - contrary to what might be expected under the FHS 3.0 followed by Debian. - - 3. Rotated files are NOT pruned [1], as they would be by logrotate(8). - If you need to prune old logs then this will require custom scripts as - logrotate cannot be configured to achieve this. - -Use 'systemctl enable wtmpdb-rotate.timer' to enable rotation. - -Users needing to remove old login records for regulatory purposes will need to -implement a pruning function in addition to rotating the database. logrotate(8) -may be suitable for this purpose instead of the installed systemd timer. - -[1] https://bugs.debian.org/1094965 - - - -- Andrew Bower Sun, 4 May 2025 18:10:00 +0100 + -- Andrew Bower Wed, 24 Sep 2025 23:37:29 +0100 diff -Nru wtmpdb-0.73.0/debian/changelog wtmpdb-0.73.0/debian/changelog --- wtmpdb-0.73.0/debian/changelog 2025-05-04 17:39:33.000000000 +0000 +++ wtmpdb-0.73.0/debian/changelog 2025-10-20 18:32:19.000000000 +0000 
@@ -1,3 +1,15 @@ +wtmpdb (0.73.0-3+deb13u1) trixie; urgency=medium + + * Rotate and prune logs using logrotate (Closes: #1094965) + - patch to handle empty file reading + - remove units and cron jobs for old (disabled) rotation solution + - cause new and rotated files to keep permissions (Closes: #1076308) + * Store logs in system log directory, /var/log (Closes: #1117719) + * Remove logs on package purge + * README.Debian: document new log handling + + -- Andrew Bower Mon, 20 Oct 2025 19:32:19 +0100 + wtmpdb (0.73.0-3) unstable; urgency=medium * Do not rotate database by default because the rotation operation does diff -Nru wtmpdb-0.73.0/debian/control wtmpdb-0.73.0/debian/control --- wtmpdb-0.73.0/debian/control 2025-05-04 17:39:33.000000000 +0000 +++ wtmpdb-0.73.0/debian/control 2025-10-20 18:12:30.000000000 +0000 @@ -32,6 +32,7 @@ util-linux (<< 2.40.1-3), Recommends: libpam-wtmpdb, + logrotate, Multi-Arch: foreign Description: utility to display login/logout/reboot information This package provides the program wtmpdb, which reads wtmpdb's diff -Nru wtmpdb-0.73.0/debian/libwtmpdb0.postinst wtmpdb-0.73.0/debian/libwtmpdb0.postinst --- wtmpdb-0.73.0/debian/libwtmpdb0.postinst 1970-01-01 00:00:00.000000000 +0000 +++ wtmpdb-0.73.0/debian/libwtmpdb0.postinst 2025-10-20 18:12:54.000000000 +0000 
@@ -0,0 +1,29 @@ +#!/bin/sh + +set -e + +lib_log="${DPKG_ROOT:-}/var/lib/wtmpdb/wtmp.db" +new_log="${DPKG_ROOT:-}/var/log/wtmp.db" + +# Effect the conversion from storing the live log in the state directory to +# storing it in its proper place, the logs directory. Also set up the symlink +# where tmpfiles.d is not available. +if [ "$1" = "configure" ] +then + if [ -s "$lib_log" ] && [ ! -h "$lib_log" ] && [ ! -s "$new_log" ] + then + mv -f "$lib_log" "$new_log" + fi + + # The unhandled case is records in both locations. For this we need + # a 'wtmpdb merge' operation called in wtmpdb.postinst but no such + # operation yet exists. + + if [ ! -f "$lib_log" ] + then + mkdir -p "$(dirname "$lib_log")" + ln -sf ../../log/wtmp.db "$lib_log" + fi +fi + +#DEBHELPER# diff -Nru wtmpdb-0.73.0/debian/libwtmpdb0.postrm wtmpdb-0.73.0/debian/libwtmpdb0.postrm --- wtmpdb-0.73.0/debian/libwtmpdb0.postrm 1970-01-01 00:00:00.000000000 +0000 +++ wtmpdb-0.73.0/debian/libwtmpdb0.postrm 2025-10-20 18:12:54.000000000 +0000 @@ -0,0 +1,10 @@ +#!/bin/sh + +set -e + +if [ "$1" = "purge" ] +then + rm -rf "${DPKG_ROOT:-}"/var/log/wtmp.db* "${DPKG_ROOT:-}"/var/lib/wtmpdb +fi + +#DEBHELPER# diff -Nru wtmpdb-0.73.0/debian/libwtmpdb0.wtmpdb.logrotate wtmpdb-0.73.0/debian/libwtmpdb0.wtmpdb.logrotate --- wtmpdb-0.73.0/debian/libwtmpdb0.wtmpdb.logrotate 1970-01-01 00:00:00.000000000 +0000 +++ wtmpdb-0.73.0/debian/libwtmpdb0.wtmpdb.logrotate 2025-10-20 18:12:54.000000000 +0000 @@ -0,0 +1,7 @@ +/var/log/wtmp.db { + missingok + yearly + create + nocompress + rotate 4 +} diff -Nru wtmpdb-0.73.0/debian/not-installed wtmpdb-0.73.0/debian/not-installed --- wtmpdb-0.73.0/debian/not-installed 2025-05-04 17:39:33.000000000 +0000 +++ wtmpdb-0.73.0/debian/not-installed 2025-10-20 18:12:30.000000000 +0000 
@@ -1,3 +1,5 @@ +usr/lib/systemd/system/wtmpdb-rotate.service +usr/lib/systemd/system/wtmpdb-rotate.timer usr/lib/systemd/system/wtmpdbd.service usr/lib/systemd/system/wtmpdbd.socket usr/libexec/wtmpdbd diff -Nru wtmpdb-0.73.0/debian/patches/db-in-var-log.patch wtmpdb-0.73.0/debian/patches/db-in-var-log.patch --- wtmpdb-0.73.0/debian/patches/db-in-var-log.patch 1970-01-01 00:00:00.000000000 +0000 +++ wtmpdb-0.73.0/debian/patches/db-in-var-log.patch 2025-10-20 18:12:54.000000000 +0000 
@@ -0,0 +1,207 @@ +From: Andrew Bower +Date: Thu, 9 Oct 2025 22:02:22 +0100 +Subject: Use /var/log/wtmp.db as default database location + +Forwarded: not-needed +--- + README.md | 2 +- + lib/libwtmpdb.c | 3 +++ + man/pam_wtmpdb.8.xml | 15 ++++++++++++--- + man/wtmpdb.8.xml | 21 +++++++++++++++------ + src/pam_wtmpdb.c | 3 +++ + tmpfiles.d/wtmpdb.conf | 1 + + units/wtmpdb-rotate.service | 2 +- + units/wtmpdb-update-boot.service | 2 +- + 8 files changed, 37 insertions(+), 12 deletions(-) + +diff --git a/README.md b/README.md +index e2f8a0f..2e02328 100644 +--- a/README.md ++++ b/README.md +@@ -30,7 +30,7 @@ The package constists of a library, PAM module, a commandline interface and an o + * `wtmpdb` is used to add reboot and shutdown entries and to display existing entries (like `last`). + * `wtmpdbd` is used to manage the database in a secure way. + +-By default the database will be written as `/var/lib/wtmpdb/wtmp.db`. ++By default the database will be written as `/var/log/wtmp.db`, with a symbolic link from `/var/lib/wtmpdb/wtmp.db`. + + ## Configuration + +diff --git a/lib/libwtmpdb.c b/lib/libwtmpdb.c +index 8e5f2d9..a0c54e3 100644 +--- a/lib/libwtmpdb.c ++++ b/lib/libwtmpdb.c +@@ -38,6 +38,9 @@ + + #include "varlink.h" + ++#undef _PATH_WTMPDB ++#define _PATH_WTMPDB "/var/log/wtmp.db" ++ + #if WITH_WTMPDBD + static int varlink_is_active = 1; + #else +diff --git a/man/pam_wtmpdb.8.xml b/man/pam_wtmpdb.8.xml +index 2781648..54a2c4f 100644 +--- a/man/pam_wtmpdb.8.xml ++++ b/man/pam_wtmpdb.8.xml +@@ -36,7 +36,7 @@ + + pam_wtmpdb is a PAM module to record the login and logout + information of the user. The module uses +- /var/lib/wtmpdb/wtmp.db as database ++ /var/log/wtmp.db as database + file to store all information. + + +@@ -90,7 +90,7 @@ + + + Use instead of +- /var/lib/wtmpdb/wtmp.db. ++ /var/log/wtmp.db. 
+ + + +@@ -166,11 +166,20 @@ + FILES + + +- /var/lib/wtmpdb/wtmp.db ++ /var/log/wtmp.db + + Wtmpdb logging database file + + ++ ++ /var/lib/wtmpdb/wtmp.db ++ ++ ++ Symbolic link from the upstream location to the above ++ database file ++ ++ ++ + + + +diff --git a/man/wtmpdb.8.xml b/man/wtmpdb.8.xml +index ba4975b..04e1b06 100644 +--- a/man/wtmpdb.8.xml ++++ b/man/wtmpdb.8.xml +@@ -49,7 +49,7 @@ + + + wtmpdb last goes through the +- /var/lib/wtmpdb/wtmp.db database (or the ++ /var/log/wtmp.db database (or the + database designated by the -f option) and + displays a list of of all users logged in and logged out. The + output can be restricted to different patterns via various +@@ -242,7 +242,7 @@ + + + wtmpdb boot writes system boot times +- to the /var/lib/wtmpdb/wtmp.db database. ++ to the /var/log/wtmp.db database. + + boot options + +@@ -273,7 +273,7 @@ + + + wtmpdb shutdown writes system shutdown +- requests to the /var/lib/wtmpdb/wtmp.db ++ requests to the /var/log/wtmp.db + database. + + shutdown options +@@ -295,7 +295,7 @@ + + + wtmpdb rotate exports old log entries +- to the /var/lib/wtmpdb/wtmp_yyyymmmdd.db ++ to the /var/log/wtmp_yyyymmmdd.db + database and removes these entries from the original one. + + rotate options +@@ -331,7 +331,7 @@ + + + wtmpdb import imports legacy wtmp log +- files to the /var/lib/wtmpdb/wtmp.db ++ files to the /var/log/wtmp.db + database. 
+ + import options +@@ -378,11 +378,20 @@ + FILES + + +- /var/lib/wtmpdb/wtmp.db ++ /var/log/wtmp.db + + Wtmpdb logging database file + + ++ ++ /var/lib/wtmpdb/wtmp.db ++ ++ ++ Symbolic link from the upstream location to the above ++ database file ++ ++ ++ + + + +diff --git a/src/pam_wtmpdb.c b/src/pam_wtmpdb.c +index 8b5a24f..5aeaccb 100644 +--- a/src/pam_wtmpdb.c ++++ b/src/pam_wtmpdb.c +@@ -36,6 +36,9 @@ + + #include "wtmpdb.h" + ++#undef _PATH_WTMPDB ++#define _PATH_WTMPDB "/var/log/wtmp.db" ++ + #define WTMPDB_DEBUG 01 /* send info to syslog(3) */ + #define WTMPDB_QUIET 02 /* keep quiet about things */ + #define WTMPDB_SKIP 04 /* Skip if service is in skip list */ +diff --git a/tmpfiles.d/wtmpdb.conf b/tmpfiles.d/wtmpdb.conf +index f66548e..dcaf2a9 100644 +--- a/tmpfiles.d/wtmpdb.conf ++++ b/tmpfiles.d/wtmpdb.conf +@@ -3,3 +3,4 @@ + # See tmpfiles.d(5) for details + # + d /var/lib/wtmpdb 0755 - - - ++L /var/lib/wtmpdb/wtmp.db - - - - ../../log/wtmp.db +diff --git a/units/wtmpdb-rotate.service b/units/wtmpdb-rotate.service +index 7918857..465b659 100644 +--- a/units/wtmpdb-rotate.service ++++ b/units/wtmpdb-rotate.service +@@ -1,7 +1,7 @@ + [Unit] + Description=Rotate wtmpdb + Documentation=man:wtmpdb(8) +-RequiresMountsFor=/var/lib/wtmpdb ++RequiresMountsFor=/var/log + + [Service] + Type=oneshot +diff --git a/units/wtmpdb-update-boot.service b/units/wtmpdb-update-boot.service +index c46dcb9..bc16f7c 100644 +--- a/units/wtmpdb-update-boot.service ++++ b/units/wtmpdb-update-boot.service +@@ -2,7 +2,7 @@ + Description=Write boot and shutdown times into wtmpdb + Documentation=man:wtmpdb(8) + DefaultDependencies=no +-RequiresMountsFor=/var/lib/wtmpdb ++RequiresMountsFor=/var/log + Conflicts=shutdown.target + After=systemd-remount-fs.service systemd-tmpfiles-setup.service + Before=shutdown.target diff -Nru wtmpdb-0.73.0/debian/patches/handle-empty-file-reading.patch wtmpdb-0.73.0/debian/patches/handle-empty-file-reading.patch --- 
wtmpdb-0.73.0/debian/patches/handle-empty-file-reading.patch 1970-01-01 00:00:00.000000000 +0000 +++ wtmpdb-0.73.0/debian/patches/handle-empty-file-reading.patch 2025-10-20 18:12:30.000000000 +0000 
@@ -0,0 +1,105 @@ +From: Andrew Bower +Subject: Use empty memory table instead of failing to read empty file + +Forwarded: https://github.com/thkukuk/wtmpdb/pull/39 +Applied-Upstream: 0.75.0 +Bug-Debian: https://bugs.debian.org/1094965 +Last-Update: 2025-10-09 + +Previously, attempting to read an empty file gave an error +message and non-zero return code. Instead, when asked to open +an empty file as a read-only database, open a memory database +and populate it with an empty table. This avoids needing any +special case handling in calling code and matches the behaviour +of classic 'last' on an empty file. +--- + lib/sqlite.c | 47 ++++++++++++++++++++++++++++++++--------------- + 1 file changed, 32 insertions(+), 15 deletions(-) + +diff --git a/lib/sqlite.c b/lib/sqlite.c +index 001eb71..0f3090c 100644 +--- a/lib/sqlite.c ++++ b/lib/sqlite.c +@@ -61,12 +61,37 @@ strip_extension(char *in_str) + } + } + ++/* Creates the table if it does not exist. ++ * Returns 0 on success, -1 on failure. */ ++static int64_t ++create_table (sqlite3 *db, char **error) ++{ ++ char *err_msg = NULL; ++ char *sql_table = "CREATE TABLE IF NOT EXISTS wtmp(ID INTEGER PRIMARY KEY, Type INTEGER, User TEXT NOT NULL, Login INTEGER, Logout INTEGER, TTY TEXT, RemoteHost TEXT, Service TEXT) STRICT;"; ++ ++ if (sqlite3_exec (db, sql_table, 0, 0, &err_msg) != SQLITE_OK) ++ { ++ if (error) ++ if (asprintf (error, "SQL error creating table: %s", err_msg) < 0) ++ *error = strdup ("create_table: Out of memory"); ++ sqlite3_free (err_msg); ++ ++ return -1; ++ } ++ return 0; ++} ++ + static int + open_database_ro (const char *path, sqlite3 **db, char **error) + { ++ struct stat statbuf; ++ int empty_file; + int r; + +- r = sqlite3_open_v2 (path, db, SQLITE_OPEN_READONLY, NULL); ++ empty_file = stat(path, &statbuf) == 0 && statbuf.st_size == 0; ++ r = sqlite3_open_v2 (path, db, empty_file ? 
++ SQLITE_OPEN_READWRITE | SQLITE_OPEN_MEMORY : ++ SQLITE_OPEN_READONLY, NULL); + if (r != SQLITE_OK) + { + if (error) +@@ -80,7 +105,10 @@ open_database_ro (const char *path, sqlite3 **db, char **error) + + sqlite3_busy_timeout(*db, TIMEOUT); + +- return 0; ++ if (empty_file) ++ r = create_table (*db, error); ++ ++ return r == SQLITE_OK ? 0 : -1; + } + + static int +@@ -114,7 +142,8 @@ open_database_rw (const char *path, sqlite3 **db, char **error) + + sqlite3_busy_timeout(*db, TIMEOUT); + +- return 0; ++ r = create_table (*db, error); ++ return r == SQLITE_OK ? 0 : -1; + } + + /* Add a new entry. Returns ID (>=0) on success, -1 on failure. */ +@@ -123,21 +152,9 @@ add_entry (sqlite3 *db, int type, const char *user, + uint64_t usec_login, const char *tty, const char *rhost, + const char *service, char **error) + { +- char *err_msg = NULL; + sqlite3_stmt *res; +- char *sql_table = "CREATE TABLE IF NOT EXISTS wtmp(ID INTEGER PRIMARY KEY, Type INTEGER, User TEXT NOT NULL, Login INTEGER, Logout INTEGER, TTY TEXT, RemoteHost TEXT, Service TEXT) STRICT;"; + char *sql_insert = "INSERT INTO wtmp (Type,User,Login,TTY,RemoteHost,Service) VALUES(?,?,?,?,?,?);"; + +- if (sqlite3_exec (db, sql_table, 0, 0, &err_msg) != SQLITE_OK) +- { +- if (error) +- if (asprintf (error, "add_entry: SQL error: %s", err_msg) < 0) +- *error = strdup ("add_entry: Out of memory"); +- sqlite3_free (err_msg); +- +- return -1; +- } +- + if (sqlite3_prepare_v2 (db, sql_insert, -1, &res, 0) != SQLITE_OK) + { + if (error) diff -Nru wtmpdb-0.73.0/debian/patches/series wtmpdb-0.73.0/debian/patches/series --- wtmpdb-0.73.0/debian/patches/series 2025-05-04 17:39:33.000000000 +0000 +++ wtmpdb-0.73.0/debian/patches/series 2025-10-20 18:12:49.000000000 +0000 
@@ -1,3 +1,5 @@ avoid-noise-if-systemd-not-running.patch refine-man-page-for-Debian.patch import-match-login-by-tty-if-non-zero-pid-does-not-match.patch +handle-empty-file-reading.patch +db-in-var-log.patch diff -Nru wtmpdb-0.73.0/debian/rules wtmpdb-0.73.0/debian/rules --- wtmpdb-0.73.0/debian/rules 2025-05-04 17:39:33.000000000 +0000 +++ wtmpdb-0.73.0/debian/rules 2025-10-20 18:12:30.000000000 +0000 @@ -18,12 +18,15 @@ # 1. Do not add a boot entry on installation because most likely we are # either not running in the target system or we have migrated the wtmp # boot entry and in all cases we did not just boot up. -# 2. Do not enable the rotation service because it provides no benefit: the -# rotated logs are not pruned, they simply become harder to interrogate. +# 2. Do not install the rotation service because log rotation is handled +# by logrotate(8) and the competing (half) solution would be especially +# harmful if boith methods were enabled by misconfiguration. override_dh_installsystemd: dh_installsystemd -pwtmpdb --no-start --no-stop-on-upgrade wtmpdb-update-boot.service - dh_installsystemd -pwtmpdb --no-enable wtmpdb-rotate.timer dh_installsystemd -Nwtmpdb override_dh_installinit: dh_installinit --name=wtmpdb-update-boot --no-start --no-stop-on-upgrade + +override_dh_installlogrotate: + dh_installlogrotate --name=wtmpdb diff -Nru wtmpdb-0.73.0/debian/wtmpdb.install wtmpdb-0.73.0/debian/wtmpdb.install --- wtmpdb-0.73.0/debian/wtmpdb.install 2025-05-04 17:39:33.000000000 +0000 +++ wtmpdb-0.73.0/debian/wtmpdb.install 2025-10-20 18:29:10.000000000 +0000 
@@ -1,6 +1,4 @@ usr/bin/wtmpdb -usr/lib/systemd/system/wtmpdb-rotate.service -usr/lib/systemd/system/wtmpdb-rotate.timer usr/lib/systemd/system/wtmpdb-update-boot.service usr/lib/tmpfiles.d/wtmpdb.conf usr/share/man/man8/wtmpdb.8 diff -Nru wtmpdb-0.73.0/debian/wtmpdb.postinst wtmpdb-0.73.0/debian/wtmpdb.postinst --- wtmpdb-0.73.0/debian/wtmpdb.postinst 2025-05-04 17:39:33.000000000 +0000 +++ wtmpdb-0.73.0/debian/wtmpdb.postinst 2025-10-20 18:12:54.000000000 +0000 @@ -11,7 +11,7 @@ fi old_log="${DPKG_ROOT:-}/var/log/wtmp" -new_log="${DPKG_ROOT:-}/var/lib/wtmpdb/wtmp.db" +new_log="${DPKG_ROOT:-}/var/log/wtmp.db" tmp_log="$new_log.import-tmp" # If wtmp logs are present on first installation, import them.
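Review bot: in debian/control the new `logrotate` Recommends is added to the wtmpdb package stanza (the one described as "utility to display login/logout/reboot information"), but the rotation snippet is shipped from libwtmpdb0 (debian/libwtmpdb0.wtmpdb.logrotate). A system that has libwtmpdb0 and libpam-wtmpdb but not the wtmpdb CLI gets the snippet with nothing recommending logrotate, so /var/log/wtmp.db is neither rotated nor pruned there. Put the Recommends on the package that ships the snippet, or on both.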
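Review bot: debian/libwtmpdb0.postinst skips two migration cases without saying so. When both `$lib_log` and `$new_log` are non-empty the comment admits that nothing is merged, but the script prints nothing, and because the patched library defaults to /var/log/wtmp.db the earlier login records stay behind in a file that is no longer the default; print a warning to stderr naming both files so the administrator knows records were left in /var/lib/wtmpdb/wtmp.db. When `$lib_log` is an empty regular file, `[ -s "$lib_log" ]` is false and `[ ! -f "$lib_log" ]` is false as well, so no symlink is created and the stale file remains; the tmpfiles.d `L` line added in db-in-var-log.patch does not replace an existing file either. Removing an empty regular file before the `ln -sf` would close that gap.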
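Review bot: in debian/libwtmpdb0.postrm, `rm -rf "${DPKG_ROOT:-}"/var/log/wtmp.db*` applies a recursive delete to an open-ended glob in /var/log. Only the live database and the rotated copies next to it are meant, so use `rm -f` for the glob and keep `-r` for /var/lib/wtmpdb alone. The glob also misses files written by a manual `wtmpdb rotate`, which the patched man page documents as /var/log/wtmp_yyyymmmdd.db, so those login records survive a purge; either remove them too or say in README.Debian that they are left in place.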
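Review bot: debian/libwtmpdb0.wtmpdb.logrotate sets `yearly` with `rotate 4`, but neither the snippet nor the new README.Debian text states the retention this gives (the current year plus four rotated years of login records). The README text being removed addressed users who must delete old login records for regulatory purposes, so the default retention should be written down where they will look. A comment on `create` would also help: it is given without mode, owner or group, so the fresh empty file takes them from the rotated one, which appears to be the fix for #1076308 and should not be "tidied" later.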
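Review bot: db-in-var-log.patch repeats `#undef _PATH_WTMPDB` and `#define _PATH_WTMPDB "/var/log/wtmp.db"` in both lib/libwtmpdb.c and src/pam_wtmpdb.c, while README.Debian states that /usr/include/wtmpdb.h still defines the upstream location. Any other source file, or any third-party program built against wtmpdb.h, keeps /var/lib/wtmpdb/wtmp.db and reaches the log only through the symlink. Define the override once (a private header or a build define) and note in the patch description that the public header is left unchanged deliberately.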
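Review bot: the man/wtmpdb.8.xml hunks in db-in-var-log.patch keep documenting `wtmpdb rotate`, now exporting to /var/log/wtmp_yyyymmmdd.db, with no mention that Debian rotates the database with logrotate. The debian/rules comment says running both methods would be especially harmful, so the rotate section should carry a sentence pointing to /etc/logrotate.d/wtmpdb and warning against combining the two. The patch also edits units/wtmpdb-rotate.service even though debian/not-installed now excludes that unit; dropping that hunk would keep the patch smaller.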
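Review bot: in handle-empty-file-reading.patch, open_database_ro returns -1 when `create_table (*db, error)` fails but leaves the handle from `sqlite3_open_v2` open, and the new call in open_database_rw has the same path. Close `*db` before returning unless every caller already does so on failure. Smaller points in the same hunks: `create_table` is declared `int64_t` although it only returns 0 or -1 and its result is stored in `int r` and compared with `SQLITE_OK`, so `int` would be clearer; and the `stat()` check precedes the open, so a file that receives its first record in between is presented as an empty in-memory table, which deserves a one-line comment.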
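Review bot: typo in the new debian/rules comment, "boith" should be "both". The comment also says the rotation service is not installed, which matches the debian/not-installed and debian/wtmpdb.install hunks; a reference to those files from the comment would make the three changes easier to keep in step.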