On Mon, Jul 18, 2011 at 3:48 PM, Jarry <[email protected]> wrote:
> On 18-Jul-11 21:24, Michael Mol wrote:
>>
>> On Mon, Jul 18, 2011 at 3:16 PM, Jarry<[email protected]> wrote:
>>>
>>> On 18-Jul-11 21:07, Michael Mol wrote:
>>>>>
>>>>> -----
>>>>> 2011-07-18T18:41:02+00:00 game fcron[30787]: pam_unix(fcron:session):
>>>>> session opened for user root by (uid=0)
>>>>> 2011-07-18T18:41:04+00:00 game fcron[30787]: pam_unix(fcron:session):
>>>>> session closed for user root
>>>>
>>>>> Now my question is: why is fcron sending messages to /dev/log,
>>>>> when it should not do it?
>>>>
>>>> If I'm reading that correctly, it's not really fcron that's logging, but
>>>> PAM.
>>>
>>> I thought it is because cron is opening session as root.
>>> There is nothing else that could fire pam every 10 min.
>>>
>>> I already checked /etc/cron.hourly (daily, weekly, monthly),
>>> there is nothing else that could cause it. And the process
>>> name calling syslog is "fcron" (3rd field in message)...
>>
>> Cron is opening a session as root. Pam is part of that process. Pam is
>> logging its participation in that process.
>>
>> At least, that's what it looks like from here.
>>
>
> I'm no expert for logging, but I think syslog-message looks like:
> <priority> timestamp hostname program[pid]: message
>
> So to me it looks fcron (pid 30787) is sending output to
> /dev/syslog. pam is sending message back to fcron but not
> to syslog. And I wonder why fcron is forwarding that message
> to syslog, when it should not...

I'm not an expert on logging, PAM or fcron, but software is my day-job, and I know that many system functions are implemented as libraries, which get loaded into a process and perform activities from within that process. (DNS resolvers work this way, too.)

If getting elevated privileges via PAM is part of some library which is loaded into the fcron process, then any activity of PAM which is done from within userland will happen as an action by the fcron process.

I'm fairly confident that the lines you're highlighting are not wholly unique to the fcron process. Taken from my server for example:

Jul 18 19:56:47 [redacted] su[8878]: pam_unix(su:session): session opened for user root by shortcircuit(uid=0)
Jul 18 19:56:48 [redacted] su[8878]: pam_unix(su:session): session closed for user root

Here, I ran 'sudo su', and entered my password. The common components to your fcron lines are:

"pam_unix(...): session opened for user root by (...)(uid=0)"

Your line shows a PAM session for fcron:session, opened through pam_unix. My line shows a PAM session for su:session, opened through pam_unix. My line shows the username I was logged in as at the time, while yours does not.

My expectation is that, if you want to hide those lines from your logs, you need to change your PAM configuration.

--
:wq
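
Added example, not part of the original messages: a small parser that splits the log lines quoted in this thread into the syslog tag (the process whose name and PID appear in the header) and the PAM module and service named in the message body, then pairs each "session opened" with its "session closed". The regular expressions, function names and the fifth sample line are assumptions made for this illustration.

```python
import re

# Syslog header: timestamp, host, "program[pid]:" tag, then the message text.
# Both timestamp styles seen in the thread are accepted.
HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\S+|[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$")
# Message body written by a PAM module: module(service:stage): session ...
PAM = re.compile(
    r"^(?P<module>pam_\w+)\((?P<service>[^:()]+):(?P<stage>\w+)\):\s*"
    r"session (?P<event>opened|closed) for user (?P<user>\S+)"
    r"(?: by (?P<by>[^()\s]*)\(uid=(?P<uid>\d+)\))?")

def parse_pam_session(line):
    """Return the fields of a PAM session line, or None for any other line."""
    head = HEADER.match(line.strip())
    pam = PAM.match(head["msg"]) if head else None
    if not pam:
        return None
    rec = {**head.groupdict(), **pam.groupdict()}
    del rec["msg"]
    rec["by"] = rec["by"] or None  # fcron's line has an empty "by" name
    return rec

def pair_sessions(lines):
    """Pair each 'opened' with the 'closed' from the same host, process and service."""
    pending, sessions = {}, []
    for rec in filter(None, map(parse_pam_session, lines)):
        key = (rec["host"], rec["program"], rec["pid"], rec["service"], rec["user"])
        if rec["event"] == "opened":
            pending[key] = rec
        elif key in pending:
            start = pending.pop(key)
            sessions.append({"tag": start["program"], "pid": start["pid"],
                             "module": start["module"], "service": start["service"],
                             "user": start["user"], "by": start["by"],
                             "opened": start["ts"], "closed": rec["ts"]})
    return sessions, list(pending.values())

# The four lines quoted in the thread (wrapped lines rejoined), plus one
# constructed non-PAM line to show that unrelated entries are skipped.
SAMPLE = [
    "2011-07-18T18:41:02+00:00 game fcron[30787]: pam_unix(fcron:session): session opened for user root by (uid=0)",
    "2011-07-18T18:41:04+00:00 game fcron[30787]: pam_unix(fcron:session): session closed for user root",
    "Jul 18 19:56:47 [redacted] su[8878]: pam_unix(su:session): session opened for user root by shortcircuit(uid=0)",
    "Jul 18 19:56:48 [redacted] su[8878]: pam_unix(su:session): session closed for user root",
    "Jul 18 19:57:01 [redacted] fcron[9001]: Job /usr/bin/true started for user root",  # constructed
]

if __name__ == "__main__":
    for s in pair_sessions(SAMPLE)[0]:
        print(f"tag={s['tag']}[{s['pid']}] module={s['module']} service={s['service']} "
              f"user={s['user']} by={s['by']} {s['opened']} -> {s['closed']}")
```

Grouping the paired sessions by `service` rather than by `tag` shows which PAM service stack produces the recurring entries.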

