Hi folks, I have a bug report objecting to pam_unix logging all PAM sessions, interactive and non-interactive alike, to syslog. Should pam_unix be dropped from /etc/pam.d/common-session-noninteractive? It's only after pam-auth-update started being used and common-session-noninteractive is split out that anyone mentioned this might be a problem; before that I assumed that having pam_unix log the session was the right thing to do.
Any other arguments for/against this logging? On my systems, this affects atd, cron, and samba; conceptually it should also apply to services like imap, pop and ppp, but in practice these services haven't switched over to common-session-noninteractive at all yet. Any change to the pam_unix profile now would impact those services later, so if people expect syslogging of those sessions via pam_unix, we should determine that now.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org

----- Forwarded message from Craig Sanders <c...@taz.net.au> -----

Date: Tue, 8 Feb 2011 16:27:40 +1100
From: Craig Sanders <c...@taz.net.au>
To: sub...@bugs.debian.org
Subject: Bug#612382: pam, non-interactive-sessions, and pam_unix spamming the auth log
Resent-To: debian-bugs-d...@lists.debian.org
User-Agent: Mutt/1.5.20 (2009-06-14)

Package: libpam-runtime
Version: 1.1.1-6.1

is there any reason why /etc/pam.d/common-session-noninteractive should load the pam_unix module? i.e. does it serve any useful purpose?

unless there's a good reason not to, i strongly recommend that pam_unix should be disabled in common-session-noninteractive.

The man page for pam_unix says:

  "The session component of this module logs when a user logins or leave the system."

so it does nothing but spam the auth log every time cron runs something. ditto for other non-interactive "logins".

there's already too much noise in the auth log...which makes it harder to spot things that really need to be noticed.

i've commented it out on my systems with no ill-effects, but that means i now no longer benefit from pam-auth-update

craig

-- 
craig sanders <c...@taz.net.au>

----- End forwarded message -----
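
Added example, not part of the original message or the bug report: a Python script that measures how much of an auth log consists of pam_unix session lines from non-interactive services, which is the noise the report describes. The sample log lines are constructed, the service set (atd, cron, samba) is taken from the message above, and the function name `summarize` is hypothetical.

```python
import re
from collections import Counter

# Services the message names as using common-session-noninteractive.
NONINTERACTIVE = {"cron", "atd", "samba"}

# pam_unix session lines: "pam_unix(cron:session): session opened for user root by (uid=0)"
PAM_UNIX_SESSION = re.compile(
    r"pam_unix\((?P<service>[^:)]+):session\): session (?P<event>opened|closed) for user \S+"
)

# Constructed sample auth.log lines (not from a real system).
SAMPLE_LOG = """\
Feb  8 16:15:01 host CRON[4101]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb  8 16:15:01 host CRON[4101]: pam_unix(cron:session): session closed for user root
Feb  8 16:17:01 host CRON[4120]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb  8 16:17:01 host CRON[4120]: pam_unix(cron:session): session closed for user root
Feb  8 16:18:22 host sshd[4133]: Failed password for invalid user admin from 192.0.2.10 port 51122 ssh2
Feb  8 16:19:40 host sshd[4140]: Accepted publickey for alice from 192.0.2.20 port 40022 ssh2
Feb  8 16:19:40 host sshd[4140]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Feb  8 16:20:00 host atd[4150]: pam_unix(atd:session): session opened for user bob by (uid=0)
Feb  8 16:20:01 host atd[4150]: pam_unix(atd:session): session closed for user bob
"""

def summarize(log_text):
    """Count pam_unix session lines per PAM service and separate out the non-interactive ones."""
    lines = [line for line in log_text.splitlines() if line.strip()]
    per_service, remaining = Counter(), []
    for line in lines:
        m = PAM_UNIX_SESSION.search(line)
        if m:
            per_service[m.group("service")] += 1
            if m.group("service") in NONINTERACTIVE:
                continue  # session open/close from cron, atd or samba: the reported noise
        remaining.append(line)  # everything else, including interactive sessions
    return {
        "total": len(lines),
        "noise": len(lines) - len(remaining),
        "per_service": dict(per_service),
        "remaining": remaining,
    }

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(f"{result['noise']} of {result['total']} lines are non-interactive pam_unix session lines")
    for line in result["remaining"]:
        print(line)
```

Running the same function over a real auth log gives a per-service count to weigh against the audit value of those lines before changing the pam_unix profile.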