2:38 a.m.
Hi,
at least from Ubuntu and openSUSE users there are a lot of
complains about the
"pam_unix(crond:session): session closed/open for user root"
messages pam_unix writes to syslog.
There is currently no option to disable this message.
I see two possible solutions:
- Only print it if "debug" option is given
- Introduce a "quiet" option to disable this
What do you think?
Thorsten
--
Thorsten Kukuk, Senior Architect SLES & Common Code Base
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
GF: Felix Imendörffer, Jane Smithard, Jennifer Guild, Dilip Upmanyu, Graham Norton, HRB
21284 (AG Nürnberg)
3:05 a.m.
On Čt, 2015-04-23 at 09:38 +0200, Thorsten Kukuk wrote:
Hi,
at least from Ubuntu and openSUSE users there are a lot of
complains about the
"pam_unix(crond:session): session closed/open for user root"
messages pam_unix writes to syslog.
There is currently no option to disable this message.
I see two possible solutions:
- Only print it if "debug" option is given
- Introduce a "quiet" option to disable this
What do you think?
I am for backwards compatible change - that is introducing the 'quiet'
option.
BTW we have:
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
in Fedora/RHEL for a long time to workaround this problem. And recently
in cronie I have added a patch that completely skips PAM calls for
system cron jobs. So it is really questionable whether this change in
PAM is needed.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)
8:23 a.m.
On Thu, Apr 23, Tomas Mraz wrote:
I am for backwards compatible change - that is introducing the
'quiet'
option.
Ok, done. Attached is the patch, ok to commit?
BTW we have:
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
in Fedora/RHEL for a long time to workaround this problem. And recently
in cronie I have added a patch that completely skips PAM calls for
system cron jobs. So it is really questionable whether this change in
PAM is needed.
It's not only cron who prints this very often, and I think adding
several pam_succeed_if.so to suppress a log message is not the right
way to go.
I put the quiet entry before the DES entry, because that is somehow
special and don't want to have that in the middle of the table.
Thorsten
diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
index 9ce084e..55d27bb 100644
--- a/modules/pam_unix/pam_unix.8.xml
+++ b/modules/pam_unix/pam_unix.8.xml
@@ -131,6 +131,20 @@
<varlistentry>
<term>
+ <option>quiet</option>
+ </term>
+ <listitem>
+ <para>
+ Turns off informational messages via
+ <citerefentry>
+
<refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
<option>nullok</option>
</term>
<listitem>
diff --git a/modules/pam_unix/pam_unix_sess.c b/modules/pam_unix/pam_unix_sess.c
index d137673..5d00181 100644
--- a/modules/pam_unix/pam_unix_sess.c
+++ b/modules/pam_unix/pam_unix_sess.c
@@ -96,8 +96,9 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char
**argv)
if (login_name == NULL) {
login_name = "";
}
- pam_syslog(pamh, LOG_INFO, "session opened for user %s by %s(uid=%lu)",
- user_name, login_name, (unsigned long)getuid());
+ if (off (UNIX_QUIET, ctrl))
+ pam_syslog(pamh, LOG_INFO, "session opened for user %s by %s(uid=%lu)",
+ user_name, login_name, (unsigned long)getuid());
return PAM_SUCCESS;
}
@@ -126,8 +127,9 @@ pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const
char **argv)
"close_session - error recovering service");
return PAM_SESSION_ERR;
}
- pam_syslog(pamh, LOG_INFO, "session closed for user %s",
- user_name);
+ if (off (UNIX_QUIET, ctrl))
+ pam_syslog(pamh, LOG_INFO, "session closed for user %s",
+ user_name);
return PAM_SUCCESS;
}
diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
index cd6ddb7..3729ce0 100644
--- a/modules/pam_unix/support.h
+++ b/modules/pam_unix/support.h
@@ -97,9 +97,10 @@ typedef struct {
password hash algorithms */
#define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */
#define UNIX_MIN_PASS_LEN 27 /* min length for password */
-#define UNIX_DES 28 /* DES, default */
+#define UNIX_QUIET 28 /* Don't print informational messages */
+#define UNIX_DES 29 /* DES, default */
/* -------------- */
-#define UNIX_CTRLS_ 29 /* number of ctrl arguments defined */
+#define UNIX_CTRLS_ 30 /* number of ctrl arguments defined */
#define
UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
@@ -136,6 +137,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000,
0},
/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000,
1},
/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
+/* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000,
0},
/* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0,
1},
};
--
Thorsten Kukuk, Senior Architect SLES & Common Code Base
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
GF: Felix Imendörffer, Jane Smithard, Jennifer Guild, Dilip Upmanyu, Graham Norton, HRB
21284 (AG Nürnberg)
8:40 a.m.
On Čt, 2015-04-23 at 15:23 +0200, Thorsten Kukuk wrote:
On Thu, Apr 23, Tomas Mraz wrote:
> I am for backwards compatible change - that is introducing the 'quiet'
> option.
Ok, done. Attached is the patch, ok to commit?
OK, please just add to the manpage which concrete messages will be
switched off - i.e.:
'Turns off informational messages namely messages about session open and
close via ...'
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)
3300
days inactive
3300
days old
pam-developers@lists.fedorahosted.org
3 comments
2 participants
participants (2)
-
Thorsten Kukuk -
Tomas Mraz