Description of problem:

With vixie-cron-4.1 adding PAM support to cron, the default PAM configuration file specified:

    session required pam_stack.so service=system-auth

system-auth includes:

    session required pam_unix.so

The pam_unix module's session handling consists entirely of logging these messages to /var/log/messages:

    Jan 16 16:15:15 bender sshd(pam_unix)[3316]: session opened for user root by (uid=0)
    Jan 16 16:16:01 bender crond(pam_unix)[3384]: session opened for user root by (uid=0)
    Jan 16 16:16:01 bender crond(pam_unix)[3384]: session closed for user root
    Jan 16 16:17:01 bender crond(pam_unix)[3387]: session opened for user root by (uid=0)
    Jan 16 16:17:01 bender crond(pam_unix)[3387]: session closed for user root
    Jan 16 16:18:01 bender crond(pam_unix)[3390]: session opened for user root by (uid=0)
    Jan 16 16:18:01 bender crond(pam_unix)[3390]: session closed for user root
    Jan 16 16:19:01 bender crond(pam_unix)[3942]: session opened for user root by (uid=0)
    Jan 16 16:19:01 bender crond(pam_unix)[3942]: session closed for user root
    Jan 16 16:20:01 bender crond(pam_unix)[3945]: session opened for user root by (uid=0)

While for sshd, these messages may be of interest to administrators, they are an annoyance when generated for EVERY run of EVERY cron job, about which Fedora and RHEL-4 users have complained vociferously:

    bug 176423 - Looped logging to syslog
    bug 130242 - Cron/PAM logging crontabs

If there are many cron jobs, especially jobs run every minute, these messages can quickly fill up the logs and /var/log partition.

Previously, I was not aware that this could be fixed easily, as I thought pam_unix did something more important for session handling than just create the log messages, but apparently not - as pointed out in bug 173926, all pam_unix does for session handling is emit these log messages, and it can safely be removed from cron's session PAM stack.
So, with vixie-cron-4.1-10.EL3, I'd like to remove pam_unix from crond's PAM session handling, with this /etc/pam.d/crond file:

---
#
# The PAM configuration file for the cron daemon
#
#
auth sufficient pam_rootok.so
auth required pam_stack.so service=system-auth
auth required pam_env.so
account required pam_stack.so service=system-auth
session required pam_limits.so
session optional pam_krb5.so
---

Here, pam_stack is NOT used for the session, and the session modules are identical to that in system-auth except for the removal of pam_unix.

I predict many bug reports from annoyed admins about the sudden flood of new crond PAM log messages after updating to the new vixie-cron-4.1 in RHEL-3-U7 unless we can prevent them being generated with the above crond pam file.

This bug could be considered a "regression" as previous RHEL-3 vixie-cron versions did not create 2 messages in /var/log/messages for every cron job. These messages are made redundant by the LAuS audit log messages for every cron job that admins can enable by enabling LAuS.

Since vixie-cron must be updated anyway to fix problems found during RHEL-3-U7 errata QA testing, I think we should fix this issue also.

Version-Release number of selected component (if applicable):
vixie-cron-4.1-8.EL3

How reproducible:
100%

Steps to Reproduce:
Run a cron job

Actual results:
Two messages are logged to /var/log/messages by pam_unix

Expected results:
No messages in /var/log/messages for every cron job run
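A check for the change proposed above, as an added example that is not part of the original report or of vixie-cron: it follows pam_stack.so includes and lists the modules that actually run in crond's session phase, so the default and proposed files can be compared. The file contents are constructed samples based on the lines quoted in the report, and the function names are hypothetical.

```python
# Constructed sample files modelled on the lines quoted in the report.
SYSTEM_AUTH = """\
session required pam_limits.so
session required pam_unix.so
session optional pam_krb5.so
"""
CROND_DEFAULT = """\
auth sufficient pam_rootok.so
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
"""
CROND_PROPOSED = """\
auth sufficient pam_rootok.so
auth required pam_stack.so service=system-auth
auth required pam_env.so
account required pam_stack.so service=system-auth
session required pam_limits.so
session optional pam_krb5.so
"""

def effective_modules(service, configs, mgmt="session", _seen=()):
    """List the modules run for `mgmt` in `service`, expanding pam_stack.so.

    Handles plain 'type control module args' lines only; bracketed
    [value=action] controls are not parsed.
    """
    if service in _seen:  # a service that stacks itself would recurse forever
        raise ValueError("pam_stack loop via " + service)
    modules = []
    for line in configs[service].splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) < 3 or fields[0] != mgmt:
            continue
        module, args = fields[2].rsplit("/", 1)[-1], fields[3:]
        if module != "pam_stack.so":
            modules.append(module)
            continue
        target = next((a.split("=", 1)[1] for a in args if a.startswith("service=")), None)
        if target is None:
            raise ValueError("pam_stack.so without service= in " + service)
        modules += effective_modules(target, configs, mgmt, _seen + (service,))
    return modules

def logs_cron_sessions(crond_text, system_auth_text=SYSTEM_AUTH):
    """True if pam_unix.so is reachable in crond's session stack."""
    configs = {"crond": crond_text, "system-auth": system_auth_text}
    return "pam_unix.so" in effective_modules("crond", configs)
```
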
fixed in vixie-cron-4.1-10.EL3
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2006-0117.html