Should pam_unix log non-interactive sessions?
Hi folks,

I have a bug report objecting to pam_unix logging all PAM sessions, interactive and non-interactive alike, to syslog. Should pam_unix be dropped from /etc/pam.d/common-session-noninteractive? It's only after pam-auth-update started being used and common-session-noninteractive is split out that anyone mentioned this might be a problem; before that I assumed that having pam_unix log the session was the right thing to do.

Any other arguments for/against this logging?

On my systems, this affects atd, cron, and samba; conceptually it should also apply to services like imap, pop and ppp, but in practice these services haven't switched over to common-session-noninteractive at all yet. Any change to the pam_unix profile now would impact those services later, so if people expect syslogging of those sessions via pam_unix, we should determine that now.

--
Steve Langasek
Debian Developer, Ubuntu Developer
Give me a lever long enough and a Free OS to set it on, and I can move the world.
http://www.debian.org/
slangasek@ubuntu.com vorlon@debian.org

----- Forwarded message from Craig Sanders <cas@taz.net.au> -----

Date: Tue, 8 Feb 2011 16:27:40 +1100
From: Craig Sanders <cas@taz.net.au>
To: submit@bugs.debian.org
Subject: Bug#612382: pam, non-interactive-sessions, and pam_unix spamming the auth log
Resent-To: debian-bugs-dist@lists.debian.org
User-Agent: Mutt/1.5.20 (2009-06-14)

Package: libpam-runtime
Version: 1.1.1-6.1

is there any reason why /etc/pam.d/common-session-noninteractive should load the pam_unix module? i.e. does it serve any useful purpose?

unless there's a good reason not to, i strongly recommend that pam_unix should be disabled in common-session-noninteractive.

The man page for pam_unix says:

"The session component of this module logs when a user logins or leave the system."

so it does nothing but spam the auth log every time cron runs something. ditto for other non-interactive "logins".

there's already too much noise in the auth log...which makes it harder to spot things that really need to be noticed.

i've commented it out on my systems with no ill-effects, but that means i now no longer benefit from pam-auth-update

craig

--
craig sanders <cas@taz.net.au>

----- End forwarded message -----

On 13.02.2011 23:45, Steve Langasek wrote:
> Hi folks,
>
> I have a bug report objecting to pam_unix logging all PAM sessions,
> interactive and non-interactive alike, to syslog. Should pam_unix be
> dropped from /etc/pam.d/common-session-noninteractive? It's only after
> pam-auth-update started being used and common-session-noninteractive is
> split out that anyone mentioned this might be a problem; before that I
> assumed that having pam_unix log the session was the right thing to do.
>
> Any other arguments for/against this logging?
>
> On my systems, this affects atd, cron, and samba; conceptually it should
> also apply to services like imap, pop and ppp, but in practice these
> services haven't switched over to common-session-noninteractive at all yet.
> Any change to the pam_unix profile now would impact those services later, so
> if people expect syslogging of those sessions via pam_unix, we should
> determine that now.
>

*We* need those logging on our machines per default and I don't think that we are the only ones. Non-interactive sessions should still be logged.

Personally I would wish that I can see in auth.log if it is {non-}interactive or not, but that is not the topic of this thread.

--
/*
With kind regards,
Patrick Matthäi
GNU/Linux Debian Developer
E-Mail: pmatthaei@debian.org
        patrick@linux-dev.org
Comment: Always if we think we are right, we were maybe wrong.
*/

]] Steve Langasek

| Hi folks,
|
| I have a bug report objecting to pam_unix logging all PAM sessions,
| interactive and non-interactive alike, to syslog. Should pam_unix be
| dropped from /etc/pam.d/common-session-noninteractive? It's only after
| pam-auth-update started being used and common-session-noninteractive is
| split out that anyone mentioned this might be a problem; before that I
| assumed that having pam_unix log the session was the right thing to do.
|
| Any other arguments for/against this logging?

I've found it useful to have the logging there, and it's easy enough to turn off if you don't want it there.

(I'd love it if there was a way for admins to have a local per-pam-module override file of the bits in /usr/share/pam-configs, say you had /etc/pam-auth/override/libpam-mount it would override /usr/share/pam-configs/libpam-mount.)

--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
On 02/13/2011 11:50 PM, Patrick Matthäi wrote:
> On 13.02.2011 23:45, Steve Langasek wrote:
>> Hi folks,
>>
>> I have a bug report objecting to pam_unix logging all PAM sessions,
>> interactive and non-interactive alike, to syslog. Should pam_unix be
>> dropped from /etc/pam.d/common-session-noninteractive?

Did the user present a real use-case where this is an issue, or is this more of an aesthetic issue to the user? All too often, I've been confronted with the latter case.

>> It's only after pam-auth-update started being used and
>> common-session-noninteractive is split out that anyone mentioned
>> this might be a problem; before that I assumed that having pam_unix
>> log the session was the right thing to do.
>>
>> Any other arguments for/against this logging?

In general, I would rather filter the output of syslog instead of limiting its input. I understand that this is currently not possible here, as there is no distinction between {non-,}interactive messages.

> *We* need those logging on our machines per default and I don't think
> that we are the only ones. Non-interactive sessions should still be
> logged.

Same here.

> Personally I would wish that I can see in auth.log if it is
> {non-}interactive or not, but that is not the topic of this thread.
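
Added example, not part of the thread or of any poster's message: pam_unix session lines carry the PAM service name as `pam_unix(<service>:session)`, so a log reader can split auth.log on that field while the sessions stay logged. The set of non-interactive services is an assumption built from the services named in the thread (atd, cron, samba), and the log lines are constructed samples.

```python
import re
from collections import Counter

# Assumption: services treated as non-interactive, taken from the thread.
NONINTERACTIVE = {"atd", "cron", "samba"}

# pam_unix session lines have the shape:
#   pam_unix(<service>:session): session opened|closed for user <name> ...
SESSION_RE = re.compile(
    r"pam_unix\((?P<service>[^:()]+):session\): "
    r"session (?P<event>opened|closed) for user (?P<user>[^\s(]+)"
)

def split_auth_log(lines, noninteractive=NONINTERACTIVE):
    """Split auth.log lines into (kept, noisy, counts).

    kept   -- everything except session lines from non-interactive services
    noisy  -- the filtered session lines, preserved for audit
    counts -- Counter keyed by (service, user, event) as a compact summary
    """
    kept, noisy, counts = [], [], Counter()
    for line in lines:
        m = SESSION_RE.search(line)
        if m and m["service"] in noninteractive:
            noisy.append(line)
            counts[(m["service"], m["user"], m["event"])] += 1
        else:
            kept.append(line)
    return kept, noisy, counts

# Constructed sample lines (hostnames, PIDs, users and address are made up).
SAMPLE = [
    "Feb  8 16:17:01 host CRON[4101]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Feb  8 16:17:01 host CRON[4101]: pam_unix(cron:session): session closed for user root",
    "Feb  8 16:18:22 host sshd[4150]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
    "Feb  8 16:19:03 host smbd[4177]: pam_unix(samba:session): session opened for user bob by (uid=0)",
    "Feb  8 16:20:00 host atd[4200]: pam_unix(atd:session): session opened for user carol by (uid=0)",
    "Feb  8 16:21:45 host sshd[4231]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=alice",
]

if __name__ == "__main__":
    kept, noisy, counts = split_auth_log(SAMPLE)
    print("\n".join(kept))
    for (service, user, event), n in sorted(counts.items()):
        print(f"summary: {service} {user} {event} x{n}")
```

The interactive sshd session and the authentication failure stay in the review stream; the cron, atd and samba session lines are reduced to counts rather than discarded.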