02-13-2011, 09:45 PM
Steve Langasek

Should pam_unix log non-interactive sessions?

Hi folks,

I have a bug report objecting to pam_unix logging all PAM sessions,
interactive and non-interactive alike, to syslog. Should pam_unix be
dropped from /etc/pam.d/common-session-noninteractive? It's only after
pam-auth-update started being used and common-session-noninteractive is
split out that anyone mentioned this might be a problem; before that I
assumed that having pam_unix log the session was the right thing to do.

Any other arguments for/against this logging?

On my systems, this affects atd, cron, and samba; conceptually it should
also apply to services like imap, pop and ppp, but in practice these
services haven't switched over to common-session-noninteractive at all yet.
Any change to the pam_unix profile now would impact those services later, so
if people expect syslogging of those sessions via pam_unix, we should
determine that now.

--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

----- Forwarded message from Craig Sanders <cas@taz.net.au> -----

Date: Tue, 8 Feb 2011 16:27:40 +1100
From: Craig Sanders <cas@taz.net.au>
To: submit@bugs.debian.org
Subject: Bug#612382: pam, non-interactive-sessions, and pam_unix spamming the
auth log
Resent-To: debian-bugs-dist@lists.debian.org
User-Agent: Mutt/1.5.20 (2009-06-14)

Package: libpam-runtime
Version: 1.1.1-6.1

is there any reason why /etc/pam.d/common-session-noninteractive should
load the pam_unix module? i.e. does it serve any useful purpose?

unless there's a good reason not to, i strongly recommend that pam_unix
should be disabled in common-session-noninteractive.


The man page for pam_unix says:

"The session component of this module logs when a user logins or leave
the system."

so it does nothing but spam the auth log every time cron runs something.
ditto for other non-interactive "logins". there's already too much noise
in the auth log...which makes it harder to spot things that really need
to be noticed.


i've commented it out on my systems with no ill-effects, but that means i
now no longer benefit from pam-auth-update


craig

--
craig sanders <cas@taz.net.au>



----- End forwarded message -----
 
02-13-2011, 09:50 PM
Patrick Matthäi

Should pam_unix log non-interactive sessions?

On 13.02.2011 23:45, Steve Langasek wrote:
> Hi folks,
>
> I have a bug report objecting to pam_unix logging all PAM sessions,
> interactive and non-interactive alike, to syslog. Should pam_unix be
> dropped from /etc/pam.d/common-session-noninteractive? It's only after
> pam-auth-update started being used and common-session-noninteractive is
> split out that anyone mentioned this might be a problem; before that I
> assumed that having pam_unix log the session was the right thing to do.
>
> Any other arguments for/against this logging?
>
> On my systems, this affects atd, cron, and samba; conceptually it should
> also apply to services like imap, pop and ppp, but in practice these
> services haven't switched over to common-session-noninteractive at all yet.
> Any change to the pam_unix profile now would impact those services later, so
> if people expect syslogging of those sessions via pam_unix, we should
> determine that now.
>

*We* need those logging on our machines per default and I don't think,
that we are the only one. Non-interactive sessions should still be logged.
Personally I would wish, that I can see in auth.log, if it is
{non-}interactive or not, but that is not the topic of this thread.

--
/*
With kind regards,
Patrick Matthäi
GNU/Linux Debian Developer

E-Mail: pmatthaei@debian.org
patrick@linux-dev.org

Comment:
Always if we think we are right,
we were maybe wrong.
*/
 
02-13-2011, 10:11 PM
Tollef Fog Heen

Should pam_unix log non-interactive sessions?

]] Steve Langasek

| Hi folks,
|
| I have a bug report objecting to pam_unix logging all PAM sessions,
| interactive and non-interactive alike, to syslog. Should pam_unix be
| dropped from /etc/pam.d/common-session-noninteractive? It's only after
| pam-auth-update started being used and common-session-noninteractive is
| split out that anyone mentioned this might be a problem; before that I
| assumed that having pam_unix log the session was the right thing to do.
|
| Any other arguments for/against this logging?

I've found it useful to have the logging there, and it's easy enough to
turn off if you don't want it there. (I'd love it if there was a way
for admins to have a local per-pam-module override file of the bits in
/usr/share/pam-configs, say you had /etc/pam-auth/override/libpam-mount
it would override /usr/share/pam-configs/libpam-mount.)

--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are


 
02-15-2011, 08:57 PM
Christian Kastner

Should pam_unix log non-interactive sessions?

On 02/13/2011 11:50 PM, Patrick Matthäi wrote:
> On 13.02.2011 23:45, Steve Langasek wrote:
>> Hi folks,
>>
>> I have a bug report objecting to pam_unix logging all PAM sessions,
>> interactive and non-interactive alike, to syslog. Should pam_unix be
>> dropped from /etc/pam.d/common-session-noninteractive?

Did the user present a real use-case where this is an issue, or is this
more of an aesthetic issue to the user? All too often, I've been
confronted with the latter case.

>> It's only after pam-auth-update started being used and
>> common-session-noninteractive is split out that anyone mentioned
>> this might be a problem; before that I assumed that having pam_unix
>> log the session was the right thing to do.
>>
>> Any other arguments for/against this logging?

In general, I would rather filter the output of syslog instead of
limiting its input. I understand that this is currently not possible
here, as there is no distinction between {non-,}interactive messages.

> *We* need those logging on our machines per default and I don't think,
> that we are the only one. Non-interactive sessions should still be
> logged.

Same here.

> Personally I would wish, that I can see in auth.log, if it is
> {non-}interactive or not, but that is not the topic of this thread.
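
An added example, not part of any post in this thread: pam_unix session records carry the PAM service name in their `pam_unix(<service>:session)` prefix, so a review-side filter can set aside the cron/atd/samba session lines while leaving the records themselves in auth.log. Treating exactly those three service names as non-interactive is an assumption taken from the services named in the thread, and the log lines are constructed samples.

```python
import re
from collections import Counter

# Assumption: these PAM service names (the ones named in the thread) are the
# non-interactive ones. Adjust to the services on the host being reviewed.
NONINTERACTIVE = {"atd", "cron", "samba"}

# pam_unix session records have the form:
#   pam_unix(<service>:session): session opened|closed for user <name> ...
SESSION_RE = re.compile(
    r"pam_unix\((?P<service>[^:)]+):session\): "
    r"session (?P<event>opened|closed) for user (?P<user>\S+)"
)

# Constructed sample lines, not taken from a real host.
SAMPLE_LOG = """\
Feb 13 09:15:01 host CRON[4211]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 13 09:15:01 host CRON[4211]: pam_unix(cron:session): session closed for user root
Feb 13 09:16:40 host sshd[4302]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Feb 13 09:17:02 host sshd[4310]: Failed password for invalid user admin from 192.0.2.7 port 51122 ssh2
Feb 13 09:20:00 host atd[4400]: pam_unix(atd:session): session opened for user bob by (uid=0)
Feb 13 09:21:13 host su[4421]: pam_unix(su:session): session opened for user root by alice(uid=1000)
"""

def classify(line):
    """Return (kind, service); kind is 'noninteractive', 'interactive' or 'other'."""
    m = SESSION_RE.search(line)
    if m is None:
        return "other", None  # not a pam_unix session record: always kept
    kind = "noninteractive" if m["service"] in NONINTERACTIVE else "interactive"
    return kind, m["service"]

def split_log(text):
    """Return (lines kept for review, per-service count of suppressed lines)."""
    kept, suppressed = [], Counter()
    for line in text.splitlines():
        kind, service = classify(line)
        if kind == "noninteractive":
            suppressed[service] += 1  # counted rather than silently dropped
        else:
            kept.append(line)
    return kept, suppressed

if __name__ == "__main__":
    kept, suppressed = split_log(SAMPLE_LOG)
    print("\n".join(kept))
    print("suppressed:", dict(suppressed))
```

The per-service counts keep the suppressed volume visible, so a sudden change in how often cron or atd opens sessions still shows up in review.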
 
