Subject: PAM su log-spam
To: None <>
From: Jed Davis <>
List: tech-userlevel
Date: 07/12/2006 21:49:27
In 3.0, libpam is build with debugging support enabled, meaning
(AFAICT) that if debugging is enabled by the administrator in a PAM
config, then lots of messages will be syslogged at auth.debug.

Meanwhile, su_pam.c, if compiled with PAM_DEBUG defined, which we do,
will override that and turn on debugging unconditionally.  I have no
idea why we define it, but we do.

This doesn't matter for the default NetBSD install, because auth.debug
goes nowhere in syslog.conf.  However, if one is logging everything,
then it's kind of a pain having all this voluminous unnecessary
garbage whenever some cron job or whatever runs su.

Because that wasn't confusing enough, -DDEBUG was removed from the
libpam build in -current, meaning (again, assuming I've not misread
things) that the administrator can't enable the debugging messages if
they specifically want them.

So... does anyone know why it's like this, instead of enabling the
debugging support in libpam and disabling the hack in su_pam.c?

(let ((C call-with-current-continuation)) (apply (lambda (x y) (x y)) (map
((lambda (r) ((C C) (lambda (s) (r (lambda l (apply (s s) l))))))  (lambda
(f) (lambda (l) (if (null? l) C (lambda (k) (display (car l)) ((f (cdr l))
(C k)))))))    '((#\J #\d #\D #\v #\s) (#\e #\space #\a #\i #\newline)))))