I’m security engineer.
I wanted to change the mode(644) of /var/lastlog. But over time, it returns to its original state(664). I want to know the reason.
Please tell me the solution. Or please tell me why.
I’ve never changed the permissions on /var/lastlog , but I imagine the main reason other users have read access (664) is for various system utilities to work which rely on reading it, such as last and who, and even some login shell scripts.
That said, if you’ve already tried changing permissions on /var/lastlog from 0644 to something like 660 or 640, and have seen that it reverts to 664 after a period of time… fairly certain systemd is resetting the permissions (part of tmpfiles).
$ man pam_lastlog
As @LinuxGuy1997 said, best place check /lib/tmpfiles.d/var.conf, you will see this:
f /var/log/lastlog 0664 root utmp -
change the number if you wish but be aware there might be problems with the lastlog command from the command line if you do this. You can always change it back if problems occur.