[Bug 641008] New: pam_krb5: pam_sm_setcred() is too verbose
https://bugzilla.novell.com/show_bug.cgi?id=641008 https://bugzilla.novell.com/show_bug.cgi?id=641008#c0 Summary: pam_krb5: pam_sm_setcred() is too verbose Classification: openSUSE Product: openSUSE 11.3 Version: Final Platform: All OS/Version: openSUSE 11.3 Status: NEW Severity: Minor Priority: P5 - None Component: Security AssignedTo: security-team@suse.de ReportedBy: christian.jung@saarstahl.de QAContact: qa@suse.de Found By: --- Blocker: --- Created an attachment (id=390884) --> (http://bugzilla.novell.com/attachment.cgi?id=390884) changed notice() call in pam_sm_setcred() to debug() and added if-clause to check if debug output is wanted User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 SUSE/3.6.8-0.1.1 Firefox/3.6.8 auth.c:pam_sm_setcred() logs every call of itself. On a productive system this can be very annoying. It seems that pam_sm_setcred() is called by every session-establishment of PAM too. For example every "sudo" log entry is followed by a PAM log entry: Sep 22 09:32:30 dave sudo: cju : TTY=pts/24 ; PWD=/home/cju ; USER=root ; COMMAND=less /var/log/messages Sep 22 09:32:30 dave sudo: pam_krb5[4614]: pam_setcred (establish credential) called Reproducible: Always Steps to Reproduce: 1. setup kerberos environment 2. install pam_krb5 3. add pam_krb5 entries to at least those files: /etc/pam.d/common-{auth,session} 4. use a program which uses PAM (e.g. login to the system on the console) 5. take a look in /var/log/messages Actual Results: content of /var/log/messages: Sep 22 09:32:30 dave sudo: cju : TTY=pts/24 ; PWD=/home/cju ; USER=root ; COMMAND=less /var/log/messages Sep 22 09:32:30 dave sudo: pam_krb5[4614]: pam_setcred (establish credential) called Expected Results: The last line of the syslog example in "actual results" should only be written if "debug" is given as pam_krb5 option. content of /var/log/messages: Sep 22 09:32:30 dave sudo: cju : TTY=pts/24 ; PWD=/home/cju ; USER=root ; COMMAND=less /var/log/messages The patch is more complex because pam_sm_setcred() does not have access to the _pam_krb5_options struct and therefore needs to initialize it by creating a krb5_context. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=641008 https://bugzilla.novell.com/show_bug.cgi?id=641008#c Ludwig Nussel <lnussel@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|security-team@suse.de |mc@novell.com -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=641008 https://bugzilla.novell.com/show_bug.cgi?id=641008#c1 Michael Calmer <mc@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P4 - Low Status|NEW |RESOLVED Resolution| |FIXED Target Milestone|--- |Factory --- Comment #1 from Michael Calmer <mc@novell.com> 2011-03-01 16:48:13 UTC --- Thanks for the patch. I have submitted it to Factory so it is hopefull in 11.4 . -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@novell.com