Hi Craig,

On Tue, Feb 08, 2011 at 04:27:40PM +1100, Craig Sanders wrote:
> is there any reason why /etc/pam.d/common-session-noninteractive should
> load the pam_unix module? i.e. does it serve any useful purpose?

> unless there's a good reason not to, i strongly recommend that pam_unix
> should be disabled in common-session-noninteractive.

> The man page for pam_unix says:

> "The session component of this module logs when a user logins or leave
> the system."

> so it does nothing but spam the auth log every time cron runs something.
> ditto for other non-interactive "logins". there's already too much noise
> in the auth log...which makes it harder to spot things that really need
> to be noticed.

Hmm, the reason we do this is because it's Always Been That Way <tm>. When
the split of common-session into common-session and
common-session-noninteractive was conceived, the kinds of modules I had in
mind were things like consolekit and ecryptfs, not pam_unix. pam_unix had
been in /etc/pam.d/common-session for years already and no one had reported
any bugs about this.

But as you say, the value of pam_unix as a session module is marginal, and
possibly even less so for the non-interactive cases. Before changing the
unix profile, though, I'd like to see what the consensus is on debian-devel.

> i've commented it out on my systems with no ill-effects, but that means i
> now no longer benefit pam-auth-update

Assuming you don't need other session modules running on your system to be
managed by pam-auth-update, there are a couple of ways you can cut pam_unix
out of the stack in the noninteractive case. You can either edit the
/etc/pam.d/ config file for the corresponding service and drop the include
of common-session-noninteractive; or you can edit
/etc/pam.d/common-session-noninteractive itself to short-circuit the stack,
which you can do without breaking pam-auth-update by either adding a line
before the '# here are the per-package modules' comment or between the
'# here's the fallback' and '# and here are more per-package modules'
comments.

This is probably woefully underdocumented, and still doesn't help if what
you really want is to enable only half of the profile in question.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
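
A small checker for the placement rule described in the message above, as an added example that is not part of the original thread or of pam-auth-update: it classifies each rule line of a common-session-noninteractive file by the marker comments quoted in the message and reports local rules that sit outside the two places named there as safe. The sample file, the two local rules and the function names are constructed for illustration; treating everything after the last marker as managed is an assumption.

```python
# Marker comments as quoted in the message, matched as line prefixes.
# The third field says whether the message names the following region as a
# place where a hand-added line does not break pam-auth-update.
MARKERS = [
    ("# here are the per-package modules", "primary block", False),
    ("# here's the fallback", "fallback section", True),
    ("# and here are more per-package modules", "additional block", False),
]


def regions(text):
    """Yield (lineno, rule, region, preserved) for every PAM rule line."""
    region, preserved = "top of file", True  # before the first marker
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = " ".join(raw.split())  # normalise tabs and repeated spaces
        for prefix, name, keeps in MARKERS:
            if line.startswith(prefix):
                region, preserved = name, keeps
                break
        else:
            if line and not line.startswith("#"):
                yield lineno, line, region, preserved


def misplaced(text, local_rules):
    """Return local rules found in a region the message does not call safe."""
    wanted = {" ".join(rule.split()) for rule in local_rules}
    return [(n, rule, region) for n, rule, region, ok in regions(text)
            if rule in wanted and not ok]


# Constructed sample file; not copied from a real system.
SAMPLE = """\
session [success=done default=ignore] pam_succeed_if.so service = cron quiet
# here are the per-package modules
session\t[default=1]\tpam_permit.so
# here's the fallback
session\trequisite\tpam_deny.so
session\trequired\tpam_permit.so
# and here are more per-package modules
session\toptional\tpam_mkhomedir.so
session\trequired\tpam_unix.so
"""

# Constructed list of rules the administrator added by hand.
LOCAL = [
    "session [success=done default=ignore] pam_succeed_if.so service = cron quiet",
    "session optional pam_mkhomedir.so",
]

if __name__ == "__main__":
    for lineno, rule, region in misplaced(SAMPLE, LOCAL):
        print(f"line {lineno}: local rule inside the {region}: {rule}")
```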