* [gentoo-user] fcron: writes logs but it should not...
From: Jarry @ 2011-07-18 19:00 UTC
To: gentoo-user
Hi,
I just checked my log-files and found these strange messages:
-----
2011-07-18T18:31:02+00:00 game fcron[30032]: pam_unix(fcron:session): session opened for user root by (uid=0)
2011-07-18T18:31:04+00:00 game fcron[30032]: pam_unix(fcron:session): session closed for user root
2011-07-18T18:41:02+00:00 game fcron[30787]: pam_unix(fcron:session): session opened for user root by (uid=0)
2011-07-18T18:41:04+00:00 game fcron[30787]: pam_unix(fcron:session): session closed for user root
-----
They are repeated exactly every 10 min. I think the reason for this
is /etc/fcron/crontab (I did not find anything else that might cause it):
-----
# Script for checking system crontabs and creating the fcron systab.
# Runs every 10 minutes, does not mail output, doesn't log job runs
# except for errors.
@mail(false),nolog(true) 10 /usr/sbin/check_system_crontabs -s 0
-----
Now my question is: why is fcron sending messages to /dev/log,
when it should not do it?
Jarry
--
_______________________________________________________________
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.
* Re: [gentoo-user] fcron: writes logs but it should not...
From: Michael Mol @ 2011-07-18 19:07 UTC
To: gentoo-user
On Mon, Jul 18, 2011 at 3:00 PM, Jarry <mr.jarry@gmail.com> wrote:
> Hi,
> I just checked my log-files and found these strange messages:
> -----
> 2011-07-18T18:31:02+00:00 game fcron[30032]: pam_unix(fcron:session):
> session opened for user root by (uid=0)
> 2011-07-18T18:31:04+00:00 game fcron[30032]: pam_unix(fcron:session):
> session closed for user root
> 2011-07-18T18:41:02+00:00 game fcron[30787]: pam_unix(fcron:session):
> session opened for user root by (uid=0)
> 2011-07-18T18:41:04+00:00 game fcron[30787]: pam_unix(fcron:session):
> session closed for user root
> Now my question is: why is fcron sending messages to /dev/log,
> when it should not do it?
If I'm reading that correctly, it's not really fcron that's logging, but PAM.
--
:wq
* Re: [gentoo-user] fcron: writes logs but it should not...
From: Jarry @ 2011-07-18 19:16 UTC
To: gentoo-user
On 18-Jul-11 21:07, Michael Mol wrote:
>> -----
>> 2011-07-18T18:31:02+00:00 game fcron[30032]: pam_unix(fcron:session):
>> session opened for user root by (uid=0)
>> 2011-07-18T18:31:04+00:00 game fcron[30032]: pam_unix(fcron:session):
>> session closed for user root
>> 2011-07-18T18:41:02+00:00 game fcron[30787]: pam_unix(fcron:session):
>> session opened for user root by (uid=0)
>> 2011-07-18T18:41:04+00:00 game fcron[30787]: pam_unix(fcron:session):
>> session closed for user root
>
>> Now my question is: why is fcron sending messages to /dev/log,
>> when it should not do it?
>
> If I'm reading that correctly, it's not really fcron that's logging, but PAM.
I thought it is because cron is opening a session as root.
There is nothing else that could fire pam every 10 min.
I already checked /etc/cron.hourly (daily, weekly, monthly),
there is nothing else that could cause it. And the process
name calling syslog is "fcron" (3rd field in message)...
Jarry
* Re: [gentoo-user] fcron: writes logs but it should not...
From: Michael Mol @ 2011-07-18 19:24 UTC
To: gentoo-user
On Mon, Jul 18, 2011 at 3:16 PM, Jarry <mr.jarry@gmail.com> wrote:
> On 18-Jul-11 21:07, Michael Mol wrote:
>>>
>>> -----
>>> 2011-07-18T18:31:02+00:00 game fcron[30032]: pam_unix(fcron:session):
>>> session opened for user root by (uid=0)
>>> 2011-07-18T18:31:04+00:00 game fcron[30032]: pam_unix(fcron:session):
>>> session closed for user root
>>> 2011-07-18T18:41:02+00:00 game fcron[30787]: pam_unix(fcron:session):
>>> session opened for user root by (uid=0)
>>> 2011-07-18T18:41:04+00:00 game fcron[30787]: pam_unix(fcron:session):
>>> session closed for user root
>>
>>> Now my question is: why is fcron sending messages to /dev/log,
>>> when it should not do it?
>>
>> If I'm reading that correctly, it's not really fcron that's logging, but
>> PAM.
>
> I thought it is because cron is opening session as root.
> There is nothing else that could fire pam every 10 min.
>
> I already checked /etc/cron.hourly (daily, weekly, monthly),
> there is nothing else that could cause it. And the process
> name calling syslog is "fcron" (3rd field in message)...
Cron is opening a session as root. Pam is part of that process. Pam is
logging its participation in that process.
At least, that's what it looks like from here.
--
:wq
* Re: [gentoo-user] fcron: writes logs but it should not...
From: Jarry @ 2011-07-18 19:48 UTC
To: gentoo-user
On 18-Jul-11 21:24, Michael Mol wrote:
> On Mon, Jul 18, 2011 at 3:16 PM, Jarry<mr.jarry@gmail.com> wrote:
>> On 18-Jul-11 21:07, Michael Mol wrote:
>>>>
>>>> -----
>>>> 2011-07-18T18:41:02+00:00 game fcron[30787]: pam_unix(fcron:session):
>>>> session opened for user root by (uid=0)
>>>> 2011-07-18T18:41:04+00:00 game fcron[30787]: pam_unix(fcron:session):
>>>> session closed for user root
>>>
>>>> Now my question is: why is fcron sending messages to /dev/log,
>>>> when it should not do it?
>>>
>>> If I'm reading that correctly, it's not really fcron that's logging, but
>>> PAM.
>>
>> I thought it is because cron is opening session as root.
>> There is nothing else that could fire pam every 10 min.
>>
>> I already checked /etc/cron.hourly (daily, weekly, monthly),
>> there is nothing else that could cause it. And the process
>> name calling syslog is "fcron" (3rd field in message)...
>
> Cron is opening a session as root. Pam is part of that process. Pam is
> logging its participation in that process.
>
> At least, that's what it looks like from here.
>
I'm no expert on logging, but I think a syslog message looks like:
<priority> timestamp hostname program[pid]: message
So to me it looks like fcron (pid 30787) is sending output to
/dev/syslog. pam is sending the message back to fcron but not
to syslog. And I wonder why fcron is forwarding that message
to syslog, when it should not...
Jarry
* Re: [gentoo-user] fcron: writes logs but it should not...
From: Michael Mol @ 2011-07-18 20:06 UTC
To: gentoo-user
On Mon, Jul 18, 2011 at 3:48 PM, Jarry <mr.jarry@gmail.com> wrote:
> On 18-Jul-11 21:24, Michael Mol wrote:
>>
>> On Mon, Jul 18, 2011 at 3:16 PM, Jarry<mr.jarry@gmail.com> wrote:
>>>
>>> On 18-Jul-11 21:07, Michael Mol wrote:
>>>>>
>>>>> -----
>>>>> 2011-07-18T18:41:02+00:00 game fcron[30787]: pam_unix(fcron:session):
>>>>> session opened for user root by (uid=0)
>>>>> 2011-07-18T18:41:04+00:00 game fcron[30787]: pam_unix(fcron:session):
>>>>> session closed for user root
>>>>
>>>>> Now my question is: why is fcron sending messages to /dev/log,
>>>>> when it should not do it?
>>>>
>>>> If I'm reading that correctly, it's not really fcron that's logging, but
>>>> PAM.
>>>
>>> I thought it is because cron is opening session as root.
>>> There is nothing else that could fire pam every 10 min.
>>>
>>> I already checked /etc/cron.hourly (daily, weekly, monthly),
>>> there is nothing else that could cause it. And the process
>>> name calling syslog is "fcron" (3rd field in message)...
>>
>> Cron is opening a session as root. Pam is part of that process. Pam is
>> logging its participation in that process.
>>
>> At least, that's what it looks like from here.
>>
>
> I'm no expert for logging, but I think syslog-message looks like:
> <priority> timestamp hostname program[pid]: message
>
> So to me it looks fcron (pid 30787) is sending output to
> /dev/syslog. pam is sending message back to fcron but not
> to syslog. And I wonder why fcron is forwarding that message
> to syslog, when it should not...
I'm not an expert on logging, PAM or fcron, but software is my
day-job, and I know that many system functions are implemented as
libraries, which get loaded into a process and perform activities from
within that process. (DNS resolvers work this way, too.) If getting
elevated privileges via PAM is part of some library which is loaded
into the fcron process, then any activity of PAM which is done from
within userland will happen as an action by the fcron process.
I'm fairly confident that the lines you're highlighting are not wholly
unique to the fcron process. Taken from my server for example:
Jul 18 19:56:47 [redacted] su[8878]: pam_unix(su:session): session opened for user root by shortcircuit(uid=0)
Jul 18 19:56:48 [redacted] su[8878]: pam_unix(su:session): session closed for user root
Here, I ran 'sudo su', and entered my password. The common components
to your fcron lines are: "pam_unix(...): session opened for user root
by (...)(uid=0)"
Your line shows a PAM session for fcron:session, opened through
pam_unix. My line shows a PAM session for su:session, opened through
pam_unix. My line shows the username I was logged in as at the time,
while yours does not.
My expectation is that, if you want to hide those lines from your logs,
you need to change your PAM configuration.
--
:wq
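
Added example, not part of the original thread: a small Python parser for the log lines quoted above that separates the syslog tag (the process that called syslog()) from the PAM module and service named in the message text, and pairs opened/closed records per PID. The sample input is the thread's own lines, unwrapped; the year used for the traditional-format timestamps is an assumption.

```python
import re
from datetime import datetime

# Constructed sample input: the log lines quoted in the thread, unwrapped.
SAMPLE = """\
2011-07-18T18:31:02+00:00 game fcron[30032]: pam_unix(fcron:session): session opened for user root by (uid=0)
2011-07-18T18:31:04+00:00 game fcron[30032]: pam_unix(fcron:session): session closed for user root
2011-07-18T18:41:02+00:00 game fcron[30787]: pam_unix(fcron:session): session opened for user root by (uid=0)
2011-07-18T18:41:04+00:00 game fcron[30787]: pam_unix(fcron:session): session closed for user root
Jul 18 19:56:47 [redacted] su[8878]: pam_unix(su:session): session opened for user root by shortcircuit(uid=0)
Jul 18 19:56:48 [redacted] su[8878]: pam_unix(su:session): session closed for user root
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\S+|[A-Z][a-z]{2} +\d+ [\d:]{8}) (?P<host>\S+) "
    r"(?P<tag>[^\[\s:]+)\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\((?P<service>[^:)]+):(?P<mtype>\w+)\): "
    r"session (?P<event>opened|closed) for user (?P<user>\S+)"
    r"(?: by (?P<by>[^(\s]*)\(uid=(?P<uid>\d+)\))?$"
)

def parse_ts(ts, year=2011):
    """ISO 8601 or traditional syslog time; the latter has no year (assumed)."""
    if ts[0].isdigit():
        return datetime.fromisoformat(ts)
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def pam_sessions(text):
    """Pair opened/closed records by (host, tag, pid); one dict per session."""
    pending, sessions = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a PAM session record
        key = (m["host"], m["tag"], m["pid"])
        when = parse_ts(m["ts"])
        if m["event"] == "opened":
            pending[key] = (when, m)
        elif key in pending:
            start, o = pending.pop(key)
            sessions.append({
                "logged_as": o["tag"],    # syslog tag: process that called syslog()
                "pid": int(o["pid"]),
                "module": o["module"],    # PAM module named in the message text
                "service": o["service"],  # PAM service the session belongs to
                "user": o["user"],
                "by": o["by"] or None,    # empty in the fcron lines, set in the su lines
                "start": start,
                "seconds": (when - start).total_seconds(),
            })
    return sessions
```
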