[syslog-ng] login.pdb reworked

Balazs Scheidler bazsi at balabit.hu
Fri Nov 5 16:01:31 CET 2010


On Tue, 2010-11-02 at 17:07 +0100, Peter Czanik wrote:
> On 10/30/2010 12:05 AM, Matthew Hall wrote:
> > On Fri, Oct 29, 2010 at 09:46:29PM +0200, Peter Czanik wrote:
> >   
> >> On 10/29/2010 04:32 PM, Martin Holste wrote:
> >>     
> >>> Won't the user login pattern only catch root logins because of uid=0?
> >>>
> >>> <pattern>pam_unix(login:session): session opened for user
> >>> @ESTRING:usracct.username: @by @ESTRING::(@uid=0)</pattern>
> >>>
> >>> Couldn't it be changed to
> >>>
> >>> <pattern>pam_unix(login:session): session opened for user
> >>> @ESTRING:usracct.username: @by
> >>> @ESTRING::(@uid=@ESTRING:usracct.uid:)@</pattern>
> >>>   
> >>>       
> >> No, check my log samples I used to create the patterns. User "czanik"
> >> has uid=1000, still all the logs end with (uid=0):
> >>
> >> Oct  7 09:28:17 ubuntu login[4454]: pam_unix(login:session): session
> >> opened for user czanik by (uid=0)
> >>     
> > The reason for this is because the (uid=0) is indicating the uid of the 
> > user who opened the session. Meaning that the login was created by 
> > something running as the root user uid 0. So in reality the pattern 
> > should capture this other variable somewhere, for people who have 
> > daemons which are non-root.
> >   
> OK. For now I leave it as is, and I'm very interested to see, if it
> causes any problem anywhere. If yes, I'm happy to add support for it any
> time.

login always runs as the root user. I'd be surprised if there was an
exception to that.

Don't forget that this is only about the "login" program, executed by
gettys and telnet, not when another daemon authenticates the user
(which certainly may run as non-root).

-- 
Bazsi
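As an added illustration (not code from this thread and not syslog-ng's own pattern engine), the script below approximates how the two patterns quoted above behave. It compiles the `@ESTRING:name:delimiter@` parsers into a Python regex, runs both the `uid=0` variant and the `@ESTRING:usracct.uid:)@` variant over a few pam_unix messages, and shows that the first variant silently drops any session opened by a non-root process while the second captures the opener's uid. The log messages are constructed samples, the `uid=1000` case is hypothetical, and requiring the pattern to cover the whole message is a simplification of patterndb's radix-tree matcher.

```python
import re
from typing import Dict, Optional, Tuple

# Recognises one patterndb ESTRING parser: @ESTRING:<name>:<delimiter>@
# (an empty <name> means the matched text is discarded).
_ESTRING = re.compile(r"@ESTRING:([^:@]*):([^@]*)@")


def pdb_to_regex(pattern: str) -> Tuple[re.Pattern, Dict[str, str]]:
    """Compile the literal + @ESTRING@ subset of a patterndb pattern into a regex.

    ESTRING matches the shortest string up to its delimiter and consumes the
    delimiter.  This is a toy re-implementation for illustration only.
    """
    parts = []
    names: Dict[str, str] = {}
    pos = 0
    for i, m in enumerate(_ESTRING.finditer(pattern)):
        parts.append(re.escape(pattern[pos:m.start()]))   # literal text
        name, delim = m.group(1), m.group(2)
        group = f"g{i}"                                   # regex-safe group name
        names[group] = name
        parts.append(f"(?P<{group}>.*?){re.escape(delim)}")
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("".join(parts), re.DOTALL), names


def match_message(pattern: str, message: str) -> Optional[Dict[str, str]]:
    """Return the named values the pattern extracts from MSG, or None on no match.

    Whole-message matching is an assumption that approximates patterndb.
    """
    regex, names = pdb_to_regex(pattern)
    m = regex.fullmatch(message)
    if m is None:
        return None
    return {names[g]: v for g, v in m.groupdict().items() if names[g]}


# The two patterns discussed in the thread (hard-coded uid=0 vs. captured uid).
ROOT_ONLY = ("pam_unix(login:session): session opened for user "
             "@ESTRING:usracct.username: @by @ESTRING::(@uid=0)")
WITH_UID = ("pam_unix(login:session): session opened for user "
            "@ESTRING:usracct.username: @by "
            "@ESTRING::(@uid=@ESTRING:usracct.uid:)@")

# Constructed MSG parts (program name and timestamp already stripped):
#   0: the czanik sample from the thread, opened by root
#   1: hypothetical session opened by a non-root process (uid=1000)
#   2: a "by LOGIN(uid=0)" form, showing why the unnamed @ESTRING::(@ exists
SAMPLE_MESSAGES = [
    "pam_unix(login:session): session opened for user czanik by (uid=0)",
    "pam_unix(login:session): session opened for user alice by (uid=1000)",
    "pam_unix(login:session): session opened for user root by LOGIN(uid=0)",
]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg)
        print("  uid=0 pattern   :", match_message(ROOT_ONLY, msg))
        print("  captured-uid    :", match_message(WITH_UID, msg))
```

Run as-is it prints, for each sample, what each pattern extracts; the `uid=1000` line yields `None` under the first pattern, which is exactly the gap Matthew Hall describes: a detection rule keyed on this pattern would never see a session opened by a non-root daemon, while the second pattern records who opened it in `usracct.uid`.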


