Bug#163635: [Pkg-shadow-devel] Bug#163635: Advice about this bug report
Alexander Gattin
Alexander Gattin <arg@online.com.ua>, 163635@bugs.debian.org
Sat, 9 Apr 2005 19:07:23 +0300
Hi!
On Sat, Apr 09, 2005 at 09:14:58AM +0200, Christian Perrier wrote:
> I'm ready to follow the bug submitter's advice, with Bastian K. advice
> as well but I'm indeed not very competent about this.
If Debian used pam_xauth, for example, the setting
would already have been changed to be "yes" by
default. ;)
In fact, having CLOSE_SESSION set to "no" results in
pam_close_session not being called, and this IMO will
only affect session termination not being logged(1),
pam_lastlog(? - wrong description there), modules
which should perform accounting, like pam_radius(2),
modules which delete auth-cookie/auth-token file,
like pam_xauth/pam_krb(3), pam_mount(4) and similar
modules, which do unmount/unlink cleanup at end of
session etc.
And, of course, CLOSE_SESSION does not affect ALL
utils. From what I see, it affects "su" and "login"
(just look into /var/log/auth.log).
CRON, for example, does pam session management
independently of login.defs/CLOSE_SESSION.
> With no more input, I will probably just change the setting in
> post-sarge versions of shadow but even if you're OK, please give me as
> much as possible good reasons to do so...
I'm installing additional pam modules just to check
my assumptions. But don't expect results to appear
soon.
P.S. to PAM maintainers:
citing pam.txt.gz:
> This session module maintains the /var/log/lastlog file. Adding an
> open entry when called via the pam_open_seesion() function and
> completing it when pam_close_session() is called. This module can
> also display a line of information about the last login of the user.
> If an application already performs these tasks, it is not necessary to
> use this module.
The description of what's performed upon pam_close_session
is plain wrong, because (citing pam_lastlog.c):
> int pam_sm_close_session(pam_handle_t *pamh,int flags,int argc
> ,const char **argv)
> {
> return PAM_SUCCESS;
> }
I studied pam-0.76/Linux-PAM and debian (-22) patches too
(debian/patches-applied/051_32_bit_pam_lastlog_ll_time).
--
WBR
xrgtn