Steve Langasek 02-13-2011 09:45 PM

Should pam_unix log non-interactive sessions?
 
Hi folks,

I have a bug report objecting to pam_unix logging all PAM sessions,
interactive and non-interactive alike, to syslog. Should pam_unix be
dropped from /etc/pam.d/common-session-noninteractive? It's only after
pam-auth-update started being used and common-session-noninteractive is
split out that anyone mentioned this might be a problem; before that I
assumed that having pam_unix log the session was the right thing to do.

Any other arguments for/against this logging?

On my systems, this affects atd, cron, and samba; conceptually it should
also apply to services like imap, pop and ppp, but in practice these
services haven't switched over to common-session-noninteractive at all yet.
Any change to the pam_unix profile now would impact those services later, so
if people expect syslogging of those sessions via pam_unix, we should
determine that now.

--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

----- Forwarded message from Craig Sanders <cas@taz.net.au> -----

Date: Tue, 8 Feb 2011 16:27:40 +1100
From: Craig Sanders <cas@taz.net.au>
To: submit@bugs.debian.org
Subject: Bug#612382: pam, non-interactive-sessions, and pam_unix spamming the
auth log
Resent-To: debian-bugs-dist@lists.debian.org
User-Agent: Mutt/1.5.20 (2009-06-14)

Package: libpam-runtime
Version: 1.1.1-6.1

is there any reason why /etc/pam.d/common-session-noninteractive should
load the pam_unix module? i.e. does it serve any useful purpose?

unless there's a good reason not to, i strongly recommend that pam_unix
should be disabled in common-session-noninteractive.


The man page for pam_unix says:

"The session component of this module logs when a user logins or leave
the system."

so it does nothing but spam the auth log every time cron runs something.
ditto for other non-interactive "logins". there's already too much noise
in the auth log...which makes it harder to spot things that really need
to be noticed.


i've commented it out on my systems with no ill-effects, but that means i
now no longer benefit from pam-auth-update


craig

--
craig sanders <cas@taz.net.au>



----- End forwarded message -----

Patrick Matthäi 02-13-2011 09:50 PM

On 13.02.2011 23:45, Steve Langasek wrote:
> Hi folks,
>
> I have a bug report objecting to pam_unix logging all PAM sessions,
> interactive and non-interactive alike, to syslog. Should pam_unix be
> dropped from /etc/pam.d/common-session-noninteractive? It's only after
> pam-auth-update started being used and common-session-noninteractive is
> split out that anyone mentioned this might be a problem; before that I
> assumed that having pam_unix log the session was the right thing to do.
>
> Any other arguments for/against this logging?
>
> On my systems, this affects atd, cron, and samba; conceptually it should
> also apply to services like imap, pop and ppp, but in practice these
> services haven't switched over to common-session-noninteractive at all yet.
> Any change to the pam_unix profile now would impact those services later, so
> if people expect syslogging of those sessions via pam_unix, we should
> determine that now.
>

*We* need that logging on our machines by default, and I don't think
that we are the only ones. Non-interactive sessions should still be logged.
Personally, I wish I could see in auth.log whether it is
{non-}interactive or not, but that is not the topic of this thread.

--
/*
Mit freundlichem Gruß / With kind regards,
Patrick Matthäi
GNU/Linux Debian Developer

E-Mail: pmatthaei@debian.org
patrick@linux-dev.org

Comment:
Always if we think we are right,
we were maybe wrong.
*/

Tollef Fog Heen 02-13-2011 10:11 PM

]] Steve Langasek

| Hi folks,
|
| I have a bug report objecting to pam_unix logging all PAM sessions,
| interactive and non-interactive alike, to syslog. Should pam_unix be
| dropped from /etc/pam.d/common-session-noninteractive? It's only after
| pam-auth-update started being used and common-session-noninteractive is
| split out that anyone mentioned this might be a problem; before that I
| assumed that having pam_unix log the session was the right thing to do.
|
| Any other arguments for/against this logging?

I've found it useful to have the logging there, and it's easy enough to
turn off if you don't want it there. (I'd love it if there was a way
for admins to have a local per-pam-module override file of the bits in
/usr/share/pam-configs, say you had /etc/pam-auth/override/libpam-mount
it would override /usr/share/pam-configs/libpam-mount.)

--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are


Christian Kastner 02-15-2011 08:57 PM

On 02/13/2011 11:50 PM, Patrick Matthäi wrote:
> On 13.02.2011 23:45, Steve Langasek wrote:
>> Hi folks,
>>
>> I have a bug report objecting to pam_unix logging all PAM sessions,
>> interactive and non-interactive alike, to syslog. Should pam_unix be
>> dropped from /etc/pam.d/common-session-noninteractive?

Did the user present a real use-case where this is an issue, or is this
more of an aesthetic issue to the user? All too often, I've been
confronted with the latter case.

>> It's only after pam-auth-update started being used and
>> common-session-noninteractive is split out that anyone mentioned
>> this might be a problem; before that I assumed that having pam_unix
>> log the session was the right thing to do.
>>
>> Any other arguments for/against this logging?

In general, I would rather filter the output of syslog instead of
limiting its input. I understand that this is currently not possible
here, as there is no distinction between {non-,}interactive messages.

> *We* need those logging on our machines per default and I don't think,
> that we are the only one. Non-interactive sessions should still be
> logged.

Same here.

> Personally I would wish, that I can see in auth.log, if it is
> {non-}interactive or not, but that is not the topic of this thread.
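
Filtering on the output side rather than removing pam_unix, shown as an added example (not code from this thread, from PAM or from Debian): pam_unix session messages carry the PAM service name but no interactive flag, so this filter uses a list of service names as the proxy. The service list, the function name `split_auth_log` and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumption: PAM service names treated as non-interactive. cron, atd and
# samba are the ones named in the thread; adjust to the services on the host.
NONINTERACTIVE = {"cron", "atd", "samba"}

# pam_unix session messages look like:
#   pam_unix(<service>:session): session opened for user <name> by (uid=0)
SESSION_RE = re.compile(
    r"pam_unix\((?P<service>[^:)]+):session\): "
    r"session (?P<event>opened|closed) for user (?P<user>\S+)"
)

def split_auth_log(lines, noninteractive=NONINTERACTIVE):
    """Separate non-interactive session noise from the rest of auth.log.

    Returns (kept, summary): `kept` holds every line that is not a
    session open/close from a non-interactive service (auth failures and
    interactive sessions stay); `summary` counts the dropped "opened"
    events per (service, user) so the information is condensed, not lost.
    """
    kept, summary = [], Counter()
    for line in lines:
        m = SESSION_RE.search(line)
        if m and m["service"] in noninteractive:
            if m["event"] == "opened":
                summary[(m["service"], m["user"])] += 1
            continue
        kept.append(line)
    return kept, summary

# Constructed sample input, not taken from a real system.
SAMPLE = """\
Feb 13 09:17:01 host CRON[2211]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 13 09:17:01 host CRON[2211]: pam_unix(cron:session): session closed for user root
Feb 13 09:20:44 host sshd[2307]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Feb 13 09:21:02 host atd[2319]: pam_unix(atd:session): session opened for user bob by (uid=0)
Feb 13 09:25:10 host sshd[2350]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=alice
Feb 13 09:30:00 host su[2400]: pam_unix(su:session): session opened for user root by alice(uid=1000)
""".splitlines()

if __name__ == "__main__":
    kept, summary = split_auth_log(SAMPLE)
    print("\n".join(kept))
    for (service, user), n in sorted(summary.items()):
        print(f"# {n} non-interactive session(s): service={service} user={user}")
```

Because the match is on the service name inside `pam_unix(...)`, a service that has not switched to common-session-noninteractive is still filtered if it is listed, and one that is missing from the list is kept in full.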

