LinuxQuestions.org
Old 01-09-2009, 02:30 PM   #1
aspedisca
LQ Newbie
 
Registered: Dec 2008
Posts: 20

Rep: Reputation: 0
Understanding auth.log


Hi, I have the auth.log given below and I do not understand most of it. I googled around for a while to understand the cron:sessions happening regularly but I could not find anything useful. Also, the successful su for www-data is another thing. If anybody could explain what is causing these it would be great. By the way, I was sleeping while this auth.log was occurring, so I did not get online. Thank you...

P.S.: I am using Debian lenny. Installed a couple of weeks ago...


Jan 9 06:09:01 hdd CRON[2116]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 9 06:09:01 hdd CRON[2116]: pam_unix(cron:session): session closed for user root
Jan 9 06:17:01 hdd CRON[2127]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 9 06:17:01 hdd CRON[2127]: pam_unix(cron:session): session closed for user root
Jan 9 06:25:01 hdd CRON[2132]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 9 06:25:03 hdd su[2147]: Successful su for www-data by root
Jan 9 06:25:03 hdd su[2147]: + ??? root:www-data
Jan 9 06:25:03 hdd su[2147]: pam_unix(su:session): session opened for user www-data by (uid=0)
Jan 9 06:25:03 hdd su[2147]: pam_unix(su:session): session closed for user www-data
Jan 9 06:25:03 hdd su[2151]: Successful su for www-data by root
Jan 9 06:25:03 hdd su[2151]: + ??? root:www-data
Jan 9 06:25:03 hdd su[2151]: pam_unix(su:session): session opened for user www-data by (uid=0)
Jan 9 06:25:04 hdd su[2151]: pam_unix(su:session): session closed for user www-data
Jan 9 06:26:02 hdd CRON[2132]: pam_unix(cron:session): session closed for user root

Last edited by aspedisca; 01-09-2009 at 02:31 PM.
 
Old 01-09-2009, 05:00 PM   #2
BrianK
Senior Member
 
Registered: Mar 2002
Location: Los Angeles, CA
Distribution: Debian, Ubuntu
Posts: 1,334

Rep: Reputation: 51
Well, the CRON lines are for a cron job that runs as root.

The "su" lines are when a user needs to do something as another user. Here, it appears that root's cron that executed at Jan 9 06:25:01 had to do some stuff with apache (so it does it as the 'www-data' user to be safe)... Notice the 06:25:01 CRON entry says "session opened for root", then a bunch of other "su" stuff, then at 06:26:02 you see another CRON entry with "session closed for root"... So all that was what happened in root's cron. In other words, nothing to worry about.
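
The bracketing described in the post above (su events falling between a root cron session's "opened" and "closed" lines) can be checked mechanically. This is an added example, not part of any post in this thread: the sample lines are constructed from the log in post #1 plus one made-up 07:40 entry, and matching by time window is a heuristic because the lines shown do not carry su's parent PID.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the lines posted in this thread.
SAMPLE = """\
Jan 9 06:17:01 hdd CRON[2127]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 9 06:17:01 hdd CRON[2127]: pam_unix(cron:session): session closed for user root
Jan 9 06:25:01 hdd CRON[2132]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 9 06:25:03 hdd su[2147]: Successful su for www-data by root
Jan 9 06:25:03 hdd su[2147]: pam_unix(su:session): session opened for user www-data by (uid=0)
Jan 9 06:25:03 hdd su[2147]: pam_unix(su:session): session closed for user www-data
Jan 9 06:26:02 hdd CRON[2132]: pam_unix(cron:session): session closed for user root
Jan 9 07:40:10 hdd su[2300]: Successful su for www-data by root
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\s(\w+)\[(\d+)\]:\s(.*)$")

def parse(text, year=2009):
    """Yield (timestamp, program, pid, message) for each syslog line."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(3), int(m.group(4)), m.group(5)

def attribute_su(text):
    """Map each 'Successful su' event to the CRON pid whose session was open, else None."""
    open_cron = {}   # pid -> time the cron session opened
    results = []
    for ts, prog, pid, msg in parse(text):
        if prog == "CRON" and "session opened" in msg:
            open_cron[pid] = ts
        elif prog == "CRON" and "session closed" in msg:
            open_cron.pop(pid, None)
        elif prog == "su" and msg.startswith("Successful su"):
            # Most recently opened cron session is the likeliest parent.
            parent = max(open_cron, key=open_cron.get, default=None)
            results.append((ts.strftime("%H:%M:%S"), msg, parent))
    return results

if __name__ == "__main__":
    for when, msg, parent in attribute_su(SAMPLE):
        tag = f"inside CRON[{parent}]" if parent else "NO enclosing cron session"
        print(when, msg, "->", tag)
```

An su to www-data with no enclosing cron session, like the constructed 07:40 line, is the case worth a closer look.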
 
Old 01-09-2009, 05:01 PM   #3
repo
LQ 5k Club
 
Registered: May 2001
Location: Belgium
Distribution: Arch
Posts: 8,529

Rep: Reputation: 899
The auth.log messages are normal and created by the pam module.
It would seem you have a cron job running under the 'www-data' userid.
Check the system and www-data user cron jobs to determine what's running:
sudo crontab -u www-data -l
sudo cat /etc/crontab
 
Old 01-09-2009, 05:39 PM   #4
aspedisca
LQ Newbie
 
Registered: Dec 2008
Posts: 20

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by repo
The auth.log messages are normal and created by the pam module.
It would seem you have a cron job running under the 'www-data' userid.
Check the system and www-data user cron jobs to determine what's running:
sudo crontab -u www-data -l
sudo cat /etc/crontab
Thanks for the advice, but
# crontab -u www-data -l says
no crontab for www-data

Isn't that weird??
Actually my root device is a USB disk and I do not want those regular messages to appear. I do not want my USB disk to wear out soon. Any advice to prevent those messages?

Last edited by aspedisca; 01-09-2009 at 05:50 PM.
 
Old 01-09-2009, 06:18 PM   #5
aspedisca
LQ Newbie
 
Registered: Dec 2008
Posts: 20

Original Poster
Rep: Reputation: 0
#17 * * * * root cd / && run-parts --report /etc/cron.hourly
#25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --repo$
#47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --repo$
#52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --repo$

I commented out those lines. I think this will stop the messages from happening again. Is what I did here OK?
 
Old 01-10-2009, 03:02 AM   #6
repo
LQ 5k Club
 
Registered: May 2001
Location: Belgium
Distribution: Arch
Posts: 8,529

Rep: Reputation: 899
Quote:
I commented out those lines. I think this will stop the messages from happening again. Is what I did here OK?
These have nothing to do with the messages in auth.log; they are used by the system.
Cron jobs also live in /etc/cron.*

Do you have Apache running?
 
Old 01-11-2009, 12:03 AM   #7
aspedisca
LQ Newbie
 
Registered: Dec 2008
Posts: 20

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by repo
These have nothing to do with the messages in auth.log; they are used by the system.
Cron jobs also live in /etc/cron.*

Do you have Apache running?
No, I use lighttpd instead. I found the problem, by the way. It was in cron.d. It was php5, closing sessions every 30 mins (9,39), so I commented out that line also. After that the problem was solved. No more lines like that, but I do not know if it causes a problem for me.
 
  

