Bug 178432 - prediction: vixie-cron-4.1's pam_unix session log messages will be most unpopular
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: vixie-cron
3.0
All Linux
medium Severity medium
Assigned To: Jason Vas Dias
Brock Organ
: Regression
Depends On:
Blocks: 168426
Reported: 2006-01-20 10:38 EST by Jason Vas Dias
Modified: 2007-11-30 17:07 EST (History)
Fixed In Version: RHSA-2006-0117
Doc Type: Bug Fix
Last Closed: 2006-03-15 10:31:18 EST

Description Jason Vas Dias 2006-01-20 10:38:10 EST
Description of problem:

With vixie-cron-4.1 adding PAM support to cron, the default PAM configuration
file specified:

   session required pam_stack.so service=system-auth

system-auth includes:

   session required pam_unix.so

The pam_unix module's session handling consists entirely of logging these
messages to /var/log/messages:

Jan 16 16:15:15 bender sshd(pam_unix)[3316]: session opened for user root by (uid=0)
Jan 16 16:16:01 bender crond(pam_unix)[3384]: session opened for user root by (uid=0)
Jan 16 16:16:01 bender crond(pam_unix)[3384]: session closed for user root
Jan 16 16:17:01 bender crond(pam_unix)[3387]: session opened for user root by (uid=0)
Jan 16 16:17:01 bender crond(pam_unix)[3387]: session closed for user root
Jan 16 16:18:01 bender crond(pam_unix)[3390]: session opened for user root by (uid=0)
Jan 16 16:18:01 bender crond(pam_unix)[3390]: session closed for user root
Jan 16 16:19:01 bender crond(pam_unix)[3942]: session opened for user root by (uid=0)
Jan 16 16:19:01 bender crond(pam_unix)[3942]: session closed for user root
Jan 16 16:20:01 bender crond(pam_unix)[3945]: session opened for user root by (uid=0)

While for sshd, these messages may be of interest to administrators, they
are an annoyance when generated for EVERY run of EVERY cron job, about which
Fedora and RHEL-4 users have complained vociferously:
   bug 176423 - Looped logging to syslog
   bug 130242 – Cron/PAM logging crontabs

If there are many cron jobs, especially jobs run every minute, these messages
can quickly fill up the logs and /var/log partition.

Previously, I was not aware that this could be fixed easily, as I thought
pam_unix did something more important for session handling than just create
the log messages, but apparently not - as pointed out in bug 173926, all
pam_unix does for session handling is emit these log messages, and it can
safely be removed from cron's session PAM stack.

So, with vixie-cron-4.1-10.EL3, I'd like to remove pam_unix from crond's
PAM session handling, with this /etc/pam.d/crond file:
---
#
# The PAM configuration file for the cron daemon
#
#
auth    sufficient      pam_rootok.so
auth    required        pam_stack.so service=system-auth
auth    required        pam_env.so
account required        pam_stack.so service=system-auth
session required        pam_limits.so
session optional        pam_krb5.so
---

Here, pam_stack is NOT used for the session, and the session modules are
identical to those in system-auth except for the removal of pam_unix.

I predict many bug reports from annoyed admins about the sudden flood of
new crond PAM log messages after updating to the new vixie-cron-4.1 in
RHEL-3-U7 unless we can prevent them being generated with the above crond
pam file.

This bug could be considered a "regression" as previous RHEL-3 vixie-cron
versions did not create 2 messages in /var/log/messages for every cron job. 

These messages are made redundant by the LAuS audit log messages for every
cron job that admins can enable by enabling LAuS.

Since vixie-cron must be updated anyway to fix problems found during
RHEL-3-U7 errata QA testing, I think we should fix this issue also. 

Version-Release number of selected component (if applicable):
vixie-cron-4.1-8.EL3

How reproducible:
100%

Steps to Reproduce:
Run a cron job
  
Actual results:
Two messages are logged to /var/log/messages by pam_unix

Expected results:
No messages in /var/log/messages for every cron job run
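
Added example (not part of the original report, and not Red Hat's code): a small resolver that expands pam_stack.so indirection to show the effective session stack for crond before and after the proposed file. The file contents are constructed from the lines quoted above; the one-line "old" crond file and the order of the system-auth session lines are assumptions.

```python
import os

# Constructed inputs. SYSTEM_AUTH holds only session lines; their order is assumed.
SYSTEM_AUTH = """session required pam_limits.so
session required pam_unix.so
session optional pam_krb5.so
"""
OLD_CROND = "session required pam_stack.so service=system-auth\n"
NEW_CROND = """# The PAM configuration file for the cron daemon
auth    sufficient      pam_rootok.so
auth    required        pam_stack.so service=system-auth
auth    required        pam_env.so
account required        pam_stack.so service=system-auth
session required        pam_limits.so
session optional        pam_krb5.so
"""

def session_modules(service, files, seen=frozenset()):
    """Return [(control, module)] for the effective session stack of `service`.

    Handles simple one-word control flags only (no bracketed [key=value] form).
    """
    if service in seen:
        raise ValueError("pam_stack loop via %r" % service)
    seen = seen | {service}
    stack = []
    for raw in files[service].splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != "session":
            continue
        control, module, args = fields[1], os.path.basename(fields[2]), fields[3:]
        if module == "pam_stack.so":
            # pam_stack pulls in the same module type from another service file
            target = [a.split("=", 1)[1] for a in args if a.startswith("service=")]
            if not target:
                raise ValueError("pam_stack.so without service= in %r" % service)
            stack.extend(session_modules(target[0], files, seen))
        else:
            stack.append((control, module))
    return stack

def logs_every_session(service, files):
    """True if pam_unix.so is in the session stack (source of the log lines)."""
    return any(m == "pam_unix.so" for _, m in session_modules(service, files))

if __name__ == "__main__":
    for name, crond in (("old", OLD_CROND), ("new", NEW_CROND)):
        files = {"crond": crond, "system-auth": SYSTEM_AUTH}
        print(name, session_modules("crond", files), logs_every_session("crond", files))
```
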
Comment 1 Jason Vas Dias 2006-01-20 10:39:51 EST
fixed in vixie-cron-4.1-10.EL3
Comment 7 Red Hat Bugzilla 2006-03-15 10:31:19 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0117.html
