Red Hat Bugzilla – Bug 178432
prediction: vixie-cron-4.1's pam_unix session log messages will be most unpopular
Last modified: 2007-11-30 17:07:09 EST
Description of problem:
With vixie-cron-4.1 adding PAM support to cron, the default PAM configuration
session required pam_stack.so service=system-auth
session required pam_unix.so
The pam_unix module's session handling consists entirely of logging these
messages to /var/log/messages:
Jan 16 16:15:15 bender sshd(pam_unix): session opened for user root by (uid=0)
Jan 16 16:16:01 bender crond(pam_unix): session opened for user root by
Jan 16 16:16:01 bender crond(pam_unix): session closed for user root
Jan 16 16:17:01 bender crond(pam_unix): session opened for user root by
Jan 16 16:17:01 bender crond(pam_unix): session closed for user root
Jan 16 16:18:01 bender crond(pam_unix): session opened for user root by
Jan 16 16:18:01 bender crond(pam_unix): session closed for user root
Jan 16 16:19:01 bender crond(pam_unix): session opened for user root by
Jan 16 16:19:01 bender crond(pam_unix): session closed for user root
Jan 16 16:20:01 bender crond(pam_unix): session opened for user root by
While for sshd, these messages may be of interest to administrators, they
are an annoyance when generated for EVERY run of EVERY cron job, about which
Fedora and RHEL-4 users have complained vociferously:
bug 176423 - Looped logging to syslog
bug 130242 - Cron/PAM logging crontabs
If there are many cron jobs, especially jobs run every minute, these messages
can quickly fill up the logs and /var/log partition.
Previously, I was not aware that this could be fixed easily, as I thought
pam_unix did something more important for session handling than just create
the log messages, but apparently not - as pointed out in bug 173926, all
pam_unix does for session handling is emit these log messages, and it can
safely be removed from cron's session PAM stack.
So, with vixie-cron-4.1-10.EL3, I'd like to remove pam_unix from crond's
PAM session handling, with this /etc/pam.d/crond file:
# The PAM configuration file for the cron daemon
auth sufficient pam_rootok.so
auth required pam_stack.so service=system-auth
auth required pam_env.so
account required pam_stack.so service=system-auth
session required pam_limits.so
session optional pam_krb5.so
Here, pam_stack is NOT used for the session, and the session modules are
identical to that in system-auth except for the removal of pam_unix.
I predict many bug reports from annoyed admins about the sudden flood of
new crond PAM log messages after updating to the new vixie-cron-4.1 in
RHEL-3-U7 unless we can prevent them being generated with the above crond
pam file.
This bug could be considered a "regression" as previous RHEL-3 vixie-cron
versions did not create 2 messages in /var/log/messages for every cron job.
These messages are made redundant by the LAuS audit log messages for every
cron job that admins can enable by enabling LAuS.
Since vixie-cron must be updated anyway to fix problems found during
RHEL-3-U7 errata QA testing, I think we should fix this issue also.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Run a cron job
Two messages are logged to /var/log/messages by pam_unix
No messages in /var/log/messages for every cron job run
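A check for the condition this report describes, as an added example that is not part of the bug report or of vixie-cron: it resolves crond's PAM session stack, following pam_stack.so service=NAME references, and reports whether pam_unix.so is reached. The system-auth contents and the "before" crond line are constructed from the report's description, and the function names are hypothetical.

```python
import re
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Yield (type, control, module, args) for each rule in a PAM service file."""
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())   # drop comments
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4).split()

def session_modules(service, configs, seen=None):
    """Modules run in `service`'s session stack, following pam_stack references."""
    seen = set() if seen is None else seen
    if service in seen or service not in configs:      # loop guard / missing file
        return []
    seen.add(service)
    mods = []
    for mtype, _control, module, args in parse_pam(configs[service]):
        if mtype != "session":
            continue
        name = module.rsplit("/", 1)[-1]               # tolerate absolute paths
        if name == "pam_stack.so":                     # indirection used in the report
            target = next((a[8:] for a in args if a.startswith("service=")), None)
            mods += session_modules(target, configs, seen) if target else []
        else:
            mods.append(name)
    return mods

def logs_every_job(configs):
    """True if crond's session stack reaches pam_unix.so (two log lines per job)."""
    return "pam_unix.so" in session_modules("crond", configs)

# Constructed sample: system-auth session rules as the report describes them.
SYSTEM_AUTH = """session required pam_limits.so
session required pam_unix.so
session optional pam_krb5.so
"""
# Constructed "before" file: session handled through pam_stack.
CROND_BEFORE = "session required pam_stack.so service=system-auth\n"
# "After" file: lines taken from the crond file proposed in the report.
CROND_AFTER = """auth sufficient pam_rootok.so
auth required pam_stack.so service=system-auth
session required pam_limits.so
session optional pam_krb5.so
"""
BEFORE = {"crond": CROND_BEFORE, "system-auth": SYSTEM_AUTH}
AFTER = {"crond": CROND_AFTER, "system-auth": SYSTEM_AUTH}

if __name__ == "__main__":
    print(logs_every_job(BEFORE), logs_every_job(AFTER))
```

On a real host, build the dictionary from the files under /etc/pam.d instead of the constructed strings.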
fixed in vixie-cron-4.1-10.EL3
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.