I setup a new VPS with ubuntu 18.04, including virtualmin/usermin. In auth.log I see a lot of
su[12936]: Successful su for domain by root
su[12936]: + ??? root:domain
systemd-logind[148]: New session c315 of user domain .
su[12936]: pam_unix(su:session): session opened for user domain by (uid=0)
su[12936]: pam_unix(su:session): session closed for user domain
in syslog, I see a lot of
systemd[1]: Started Session c314 of user domain.
systemd[1]: Started Session c315 of user domain.
domain is the user of my virtual server defined in the VPS. c314/c315 increased by 1 each time... It used to appear every 2-3 minutes, now it's every 5 minutes.
Reading on the internet about this, all the "solutions" were how to remove this logging from the log but nothing was explaining what are all those open/close sessions in the first place.
Also, when running loginctl list-sessions
those sessions are accumulated in "active=yes" and "state=closing" mode and never disappear from the list. At the moment there are 95 such sessions.
What is happening on my VPS, who is opening/closing sessions so many times and why? Also, why those sessions never disappear from the sessions list?
Thanks
update
loginctl session-status c315
c315 - domain (1000)
Since: Sat 2020-02-08 20:27:08 UTC; 23h ago
Leader: 12936
TTY: ???
Remote: user root
Service: su; type tty; class user
State: closing
Unit: session-c315.scope
Unit user-1000.slice (/user.slice/user-1000.slice):
└─session-2691929.scope
├─19035 sshd: domain [priv]
├─19051 sshd: domain@pts/0
├─19052 -bash
├─20124 sudo systemd-cgls -u user-1000.slice
├─20125 systemd-cgls -u user-1000.slice
└─20126 pager
pam_unix sessions exit normally, as seen in the logs. Those increasing number of sessions are systemd-logind sessions, which for some reason remain open, even when they don't contain any processes.
A workaround you might try would be to force systemd-logind to kill all the session processes, when the session leader exits. You can do it by modifying the
KillUserProcesses
andKillOnlyUsers
setting in/etc/systemd/logind.conf
:and restarting
systemd-logind
:However, this does not answer the question, why the sessions are not closing by themselves, since the session scopes are empty.
Edit: About the difference between pam_unix and systemd-logind sessions:
/var/run/utmp
. You can list them withw
orwho
,loginctl list-sessions
Since you identified a possible culprit (in a comment to this answer), you can apply another workaround: replace
in
/etc/pam.d/su
with:which does not contain pam_systemd. When you modify
PAM
files, the usual precautions apply: keep a root shell active (e.g.sudo -i
) until you tested the new config, in case you break something.