Bug 178432

Summary: prediction: vixie-cron-4.1's pam_unix session log messages will be most unpopular
Product: Red Hat Enterprise Linux 3
Component: vixie-cron
Version: 3.0
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Keywords: Regression
Reporter: Jason Vas Dias <jvdias>
Assignee: Jason Vas Dias <jvdias>
QA Contact: Brock Organ <borgan>
Fixed In Version: RHSA-2006-0117
Doc Type: Bug Fix
Last Closed: 2006-03-15 15:31:18 UTC
Bug Blocks: 168426

Description Jason Vas Dias 2006-01-20 15:38:10 UTC
Description of problem:

With vixie-cron-4.1 adding PAM support to cron, the default PAM configuration
file specified:

   session required pam_stack.so service=system-auth

system-auth includes:

   session required pam_unix.so

The pam_unix module's session handling consists entirely of logging these
messages to /var/log/messages:

Jan 16 16:15:15 bender sshd(pam_unix)[3316]: session opened for user root by (uid=0)
Jan 16 16:16:01 bender crond(pam_unix)[3384]: session opened for user root by (uid=0)
Jan 16 16:16:01 bender crond(pam_unix)[3384]: session closed for user root
Jan 16 16:17:01 bender crond(pam_unix)[3387]: session opened for user root by (uid=0)
Jan 16 16:17:01 bender crond(pam_unix)[3387]: session closed for user root
Jan 16 16:18:01 bender crond(pam_unix)[3390]: session opened for user root by (uid=0)
Jan 16 16:18:01 bender crond(pam_unix)[3390]: session closed for user root
Jan 16 16:19:01 bender crond(pam_unix)[3942]: session opened for user root by (uid=0)
Jan 16 16:19:01 bender crond(pam_unix)[3942]: session closed for user root
Jan 16 16:20:01 bender crond(pam_unix)[3945]: session opened for user root by (uid=0)

While for sshd, these messages may be of interest to administrators, they
are an annoyance when generated for EVERY run of EVERY cron job, about which
Fedora and RHEL-4 users have complained vociferously:
   bug 176423 - Looped logging to syslog
   bug 130242 - Cron/PAM logging crontabs

If there are many cron jobs, especially jobs run every minute, these messages
can quickly fill up the logs and /var/log partition.

Previously, I was not aware that this could be fixed easily, as I thought
pam_unix did something more important for session handling than just create
the log messages, but apparently not - as pointed out in bug 173926, all
pam_unix does for session handling is emit these log messages, and it can
safely be removed from cron's session PAM stack.

So, with vixie-cron-4.1-10.EL3, I'd like to remove pam_unix from crond's
PAM session handling, with this /etc/pam.d/crond file:
---
#
# The PAM configuration file for the cron daemon
#
#
auth    sufficient      pam_rootok.so
auth    required        pam_stack.so service=system-auth
auth    required        pam_env.so
account required        pam_stack.so service=system-auth
session required        pam_limits.so
session optional        pam_krb5.so
---

Here, pam_stack is NOT used for the session, and the session modules are
identical to those in system-auth except for the removal of pam_unix.

I predict many bug reports from annoyed admins about the sudden flood of
new crond PAM log messages after updating to the new vixie-cron-4.1 in
RHEL-3-U7 unless we can prevent them being generated with the above crond
pam file.

This bug could be considered a "regression" as previous RHEL-3 vixie-cron
versions did not create 2 messages in /var/log/messages for every cron job.

These messages are made redundant by the LAuS audit log messages for every
cron job that admins can enable by enabling LAuS.

Since vixie-cron must be updated anyway to fix problems found during
RHEL-3-U7 errata QA testing, I think we should fix this issue also.

Version-Release number of selected component (if applicable):
vixie-cron-4.1-8.EL3

How reproducible:
100%

Steps to Reproduce:
Run a cron job
  
Actual results:
Two messages are logged to /var/log/messages by pam_unix

Expected results:
No messages in /var/log/messages for every cron job run
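
Added example, not part of the original report or of vixie-cron: a check that expands pam_stack.so references to show which session modules crond effectively runs before and after the proposed /etc/pam.d/crond, and counts the crond pam_unix lines in a log excerpt. The PAM_FILES keys, the order of modules in system-auth, and the sample log lines are constructed assumptions; only simple one-word control fields are handled.

```python
import re

# Constructed sample PAM files modelled on the report; system-auth's module
# order is an assumption. A real check would read /etc/pam.d/<service>.
PAM_FILES = {
    "crond-before": "session required pam_stack.so service=system-auth\n",
    "crond-after": """\
auth    sufficient      pam_rootok.so
auth    required        pam_stack.so service=system-auth
auth    required        pam_env.so
account required        pam_stack.so service=system-auth
session required        pam_limits.so
session optional        pam_krb5.so
""",
    "system-auth": """\
session required pam_limits.so
session required pam_unix.so
session optional pam_krb5.so
""",
}

def session_modules(service, files, seen=()):
    """Return the effective session modules, expanding pam_stack.so references."""
    if service in seen or service not in files:  # stop on loops or missing files
        return []
    modules = []
    for line in files[service].splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) < 3 or fields[0] != "session":
            continue
        module, args = fields[2], fields[3:]
        if module == "pam_stack.so":
            for arg in args:
                if arg.startswith("service="):
                    modules += session_modules(arg[8:], files, seen + (service,))
        else:
            modules.append(module)
    return modules

NOISE = re.compile(r"\bcrond\(pam_unix\)\[\d+\]: session (opened|closed) for user ")
def cron_session_noise(log_lines):
    """Count pam_unix session open/close messages attributed to crond."""
    return sum(1 for line in log_lines if NOISE.search(line))

# Constructed log lines in the format quoted in the report.
SAMPLE_LOG = [
    "Jan 16 16:15:15 bender sshd(pam_unix)[3316]: session opened for user root by (uid=0)",
    "Jan 16 16:16:01 bender crond(pam_unix)[3384]: session opened for user root by (uid=0)",
    "Jan 16 16:16:01 bender crond(pam_unix)[3384]: session closed for user root",
]
```

With the constructed files, the "before" stack still contains pam_unix.so through system-auth, while the "after" stack is only pam_limits.so and pam_krb5.so; the sshd line is deliberately not counted as cron noise.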

Comment 1 Jason Vas Dias 2006-01-20 15:39:51 UTC
fixed in vixie-cron-4.1-10.EL3


Comment 7 Red Hat Bugzilla 2006-03-15 15:31:19 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0117.html