
Re: su/PAM_pwdb logging glitch?



Chris,

Chris Siebenmann writes:
> [Environment: stock RedHat 5.0 install, stock /etc/pam.d setup]

>  PAM_pwdb (as used in su) seems to have some problems logging full
> information about successful su's if the session su'ing is not in
> utmp (as it might be inside screen or inside an 'xterm -ut' window).
> Normally logged is:
> 	PAM_pwdb[26064]: (su) session opened for user root by cks(uid=0)
> When the session isn't in utmp what's logged is only
> 	PAM_pwdb[26105]: (su) session opened for user root by (uid=0)
> (ie no user name is logged). PAM_pwdb does successfully log the right
> information if a su fails and there is no utmp entry:
> 	PAM_pwdb[26129]: 1 authentication failure; (uid=19) -> root for su service

Actually, there are two issues here.

	1. the 'su' shipped with Red Hat does not retain the uid of
	   the user that invoked it for long enough to correctly fill
	   the uid field.  [As per the Linux-PAM documentation, the
	   pwdb module expects the real-uid to be that of the invoking
	   user.]

	2. if the user does not have a controlling terminal,
	   getlogin() returns NULL.  This is a feature of POSIX. :)


>  Since I like to track all su's to root in our environment (we have
> multiple staff members who may do this), accurate logging of whodunit
> would be quite helpful.

The su in SimplePAMApps (available from linux.kernel.org/pub/libs/pam)
works "correctly".  It will not satisfy your problem with #2, but it
will at least give the correct uid.  Of course, the su in
SimplePAMApps is "unsupported" and does not have the same number of
features so you'll get what you pay for there.

Cheers

Andrew
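The two issues Andrew lists (the real uid being lost before the log line is written, and getlogin() returning NULL when there is no controlling terminal / utmp entry) are easy to reproduce and to guard against in a small program. The following C example is added here to illustrate that; it is not code from the thread, from Red Hat's su, from pam_pwdb or from SimplePAMApps. The function and type names (format_invoker, uid_resolver, resolve_via_passwd, resolve_none) are invented for this illustration. It captures the real uid at program start, tries getlogin() first, and falls back to the passwd name for that uid so that a session without a utmp entry still logs a user name rather than an empty "by (uid=0)".

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Resolver signature: map a uid to a login name, or NULL if unknown.
   (Hypothetical type for this example.) */
typedef const char *(*uid_resolver)(uid_t);

/* Look the uid up in the passwd database. getpwuid() is not reentrant,
   which is fine for a single-threaded su-style program. */
const char *resolve_via_passwd(uid_t uid)
{
    struct passwd *pw = getpwuid(uid);
    return pw ? pw->pw_name : NULL;
}

/* Resolver that never knows the name: reproduces the "by (uid=N)" line
   from the thread, i.e. what happens when getlogin() returned NULL and
   no fallback lookup is attempted. */
const char *resolve_none(uid_t uid)
{
    (void) uid;
    return NULL;
}

/* Format the "who did it" part of the audit line.
   login    : what getlogin() returned; NULL when the process has no
              controlling terminal / no utmp entry (issue 2 in the thread).
   real_uid : the real uid captured at program start, before any setuid()
              call changed it (issue 1 in the thread).
   Returns the number of characters written (snprintf semantics). */
int format_invoker(const char *login, uid_t real_uid, uid_resolver resolve,
                   char *out, size_t outlen)
{
    const char *name = login;
    if (name == NULL || *name == '\0')
        name = resolve(real_uid);      /* fall back to the passwd name */
    if (name == NULL)
        name = "";                     /* still unknown: log the uid alone */
    return snprintf(out, outlen, "%s(uid=%lu)", name, (unsigned long) real_uid);
}

int main(void)
{
    /* Capture the invoker's identity first: a su-style program that calls
       setuid() before it logs has already lost this information (issue 1). */
    uid_t real_uid = getuid();
    const char *login = getlogin();    /* may be NULL (issue 2) */

    char who[128];
    format_invoker(login, real_uid, resolve_via_passwd, who, sizeof who);
    printf("session opened for user root by %s\n", who);
    return 0;
}
```

Run it from an ordinary terminal and again inside `screen` or an `xterm -ut` window: the first call to getlogin() returns a name, the second returns NULL, but the printed line names the invoking user in both cases because of the passwd fallback. The fallback only works if the real uid was read before the program changed identity, which is exactly the ordering Andrew's point #1 is about.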


