Package: auditd
Version: 1:1.7.18-1.1
The auditd package included in Debian Wheezy and Ubuntu 12.04 LTS (and
probably other Debian and Ubuntu releases as well) adds pam_loginuid.so to
the /etc/pam.d/common-session and /etc/pam.d/common-session-noninteractive
PAM sub-configuration files. These sub-configuration files are in turn
included by reference in the /etc/pam.d/su and /etc/pam.d/sudo files. This
results in pam_loginuid.so being included when the user context is switched
by running su or sudo.
The man page for pam_loginuid, however, warns us not to do that, as this
will cause the original user context to be lost in the audit logs (emphasis
mine):

> The pam_loginuid module sets the loginuid process attribute for the
> process that was authenticated. This is necessary for applications to
> be correctly audited. This PAM module should only be used for entry
> point applications like: login, sshd, gdm, vsftpd, crond and atd. There
> are probably other entry point applications besides these.
> *You should not use it for applications like sudo or su as that defeats
> the purpose by changing the loginuid to the account they just
> switched to.*

The fix, of course, is never to add pam_loginuid.so to any common PAM
configuration file - or to exclude common-session and
common-session-noninteractive from /etc/pam.d/su and /etc/pam.d/sudo,
replacing them with the respective files' constituent lines, but without
pam_loginuid.so.
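
A way to check a host for the condition described above, as an added example that is not part of the original report: it follows `@include` lines and `include`/`substack` controls from the su and sudo service files and returns each chain that reaches pam_loginuid.so. The function names and the sample file contents are constructed for illustration.

```python
import os
import tempfile

def find_module(pam_dir, service, module="pam_loginuid.so", seen=None):
    """Return every include chain by which `module` is reached from `service`."""
    seen = set() if seen is None else seen
    if service in seen:                      # guard against include loops
        return []
    seen.add(service)
    try:
        with open(os.path.join(pam_dir, service)) as fh:
            lines = fh.read().splitlines()
    except OSError:                          # missing or unreadable include target
        return []
    hits = []
    for raw in lines:
        fields = raw.split("#", 1)[0].split()    # drop comments, tokenize
        if not fields:
            continue
        child = None
        if fields[0] == "@include" and len(fields) > 1:
            child = fields[1]                    # Debian-style include line
        elif len(fields) > 2 and fields[1] in ("include", "substack"):
            child = fields[2]                    # Linux-PAM include control
        if child:
            hits += [[service] + c for c in find_module(pam_dir, child, module, seen)]
        elif any(os.path.basename(f) == module for f in fields[1:]):
            hits.append([service])
    return hits

# Constructed sample files modelled on the layout the report describes.
SAMPLE = {
    "common-auth": "auth required pam_unix.so\n",
    "common-session": "session required pam_unix.so\nsession required pam_loginuid.so\n",
    "common-session-noninteractive": "session required pam_loginuid.so  # constructed\n",
    "su": "auth sufficient pam_rootok.so\n@include common-auth\n@include common-session\n",
    "sudo": "@include common-auth\n@include common-session-noninteractive\n",
}

def audit(pam_dir, services=("su", "sudo")):
    """Map each service to the include chains that pull in pam_loginuid.so."""
    return {svc: find_module(pam_dir, svc) for svc in services}

def audit_sample():
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLE.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(body)
        return audit(d)

if __name__ == "__main__":
    print(audit("/etc/pam.d"))
```

An empty list for both su and sudo means neither service reaches pam_loginuid.so through its includes.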