Red Hat Bugzilla – Bug 124979
pam_succeed_if.so generates noisy secure syslog msgs
Last modified: 2007-11-30 17:10:43 EST
Description of problem:
By default, pam_succeed_if.so is the first module in the system-auth
account stack, checking if the userid is less than 100 (I assume to
avoid unnecessary name service lookups for system accounts?). Each
time this stack is traversed for a non-system user, pam_succeed_if
generates an authpriv.info message:
pam_succeed_if: requirement "uid < 100" not met by user "username"
This will send an authpriv.info message every time a (non-system) user
logs into dovecot, for instance, if dovecot is configured to check
accounts with pam. This seems like a lot of log pollution for a
commonplace and benign activity.
Version-Release number of selected component (if applicable):
I got the same message last night as well, but my pam version is a tad
Hard to know what to do about this one -- obviously there are a lot of
cases where one would want to use this module and would very much want
success or failure to be logged.
Hmmm -- or maybe a flag which toggles whether success or failure is
logged? In this particular use, the interesting case is when the uid
*is* less than 100 -- not when the test fails.
You make a good point, Matthew. log_pass, log_fail, log_both maybe?
I was leaning toward Scott's view, but Matthew's right that in many
cases you'd want that information logged. Perhaps flags to quiet the
module would be better, since in this instance we don't care enough
either way, and authconfig can pick up a versioned dependency on
whichever pam package starts recognizing a "be more quiet" flag.
See also bug 55193 where this noise was introduced.
Created attachment 103674
For proposed patch see above.
I've added 3 obvious parameters to the module - quiet (don't log
success or failure), quiet_fail (don't log failure), quiet_success
(don't log success).
I have opened a new bug 133179 against authconfig to include the quiet
option for pam_succeed_if in system-auth file.
For an immediate workaround for people who do not need _any_ reports
on this, in /etc/log.d/conf/services/secure.conf add dovecot-auth to
These module parameters did not make it into the pam_succeed_if
manpage in the FC3 release.
Yes, please open a new bug for that issue.
*** Bug 152061 has been marked as a duplicate of this bug. ***
*** Bug 158103 has been marked as a duplicate of this bug. ***
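
For hosts still running a pam build without the quiet flags, the split discussed in this thread (routine "not met" records versus the case where the uid *is* below 100) can be done at log-review time. The following is an added example, not part of the bug report or of the pam source; the "was met" success wording and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# The "not met" wording is the message quoted in the report. The "was met"
# wording for the success case is an assumption, not taken from this page.
PAT = re.compile(
    r'pam_succeed_if(?:\([^)]*\))?(?:\[\d+\])?: requirement "(?P<req>[^"]+)" '
    r'(?P<result>not met|was met) by user "(?P<user>[^"]*)"'
)

# Constructed sample lines (hostnames, users and PIDs are made up).
SAMPLE = """\
Jun  1 09:00:01 mail dovecot-auth: pam_succeed_if: requirement "uid < 100" not met by user "alice"
Jun  1 09:00:07 mail dovecot-auth: pam_succeed_if: requirement "uid < 100" not met by user "alice"
Jun  1 09:01:12 mail sshd[2211]: pam_succeed_if: requirement "uid < 100" not met by user "bob"
Jun  1 09:02:30 mail sshd[2215]: pam_succeed_if: requirement "uid < 100" was met by user "daemon"
Jun  1 09:03:00 mail sshd[2215]: Accepted password for bob from 192.0.2.10 port 40022 ssh2
"""

def triage(lines, requirement="uid < 100"):
    """Separate routine pam_succeed_if records from the ones worth reading.

    Returns (noise, interesting): a per-user count of "not met" records for
    the given requirement, and the raw lines where the requirement was met.
    """
    noise = Counter()
    interesting = []
    for line in lines:
        m = PAT.search(line)
        if not m or m.group("req") != requirement:
            continue  # not a pam_succeed_if record for this test
        if m.group("result") == "not met":
            noise[m.group("user")] += 1
        else:
            interesting.append(line.rstrip("\n"))
    return noise, interesting

if __name__ == "__main__":
    noise, interesting = triage(SAMPLE.splitlines())
    for user, count in noise.most_common():
        print(f"suppressed {count} routine record(s) for {user}")
    for line in interesting:
        print("REVIEW:", line)
```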