(In reply to comment #11) > Well, I suspect the pam subsystem try to open a /dev/log.
PAM calls syslog(), which I assumes opens /dev/log.
> 2013-02-21T14:20:17.693042+01:00 linux-xtv2 vsftpd[1]: pam_unix(vsftpd:auth): > authentication failure; logname= uid=0 euid=0 tty=ftp ruser=mvyskocil rhost=::1 > user=mvyskocil > 2013-02-21T14:20:18.407159+01:00 linux-xtv2 vsftpd[1]: pam_sss(vsftpd:auth): > authentication success; logname= uid=0 euid=0 tty=ftp ruser=mvyskocil rhost=::1 > user=mvyskocil > 2013-02-21T14:20:18.409089+01:00 linux-xtv2 vsftpd[1]: PAM > audit_log_acct_message() failed: Operation not permitted > 2013-02-21T14:20:18.411338+01:00 linux-xtv2 vsftpd[1]: [mvyskocil] FAIL LOGIN: > Client "::1" > > @thorsen: I would say both CAP_AUDIT_* are needed for vsftpd. I'm right?
I have no idea about CAP_AUDIT_*, but PAM is using the audit subsystem for logging.
(In reply to comment #11)
> Well, I suspect the pam subsystem try to open a /dev/log.
PAM calls syslog(), which I assumes opens /dev/log.
> 2013-02- 21T14:20: 17.693042+ 01:00 linux-xtv2 vsftpd[1]: pam_unix( vsftpd: auth): 21T14:20: 18.407159+ 01:00 linux-xtv2 vsftpd[1]: pam_sss( vsftpd: auth): 21T14:20: 18.409089+ 01:00 linux-xtv2 vsftpd[1]: PAM acct_message( ) failed: Operation not permitted 21T14:20: 18.411338+ 01:00 linux-xtv2 vsftpd[1]: [mvyskocil] FAIL LOGIN:
> authentication failure; logname= uid=0 euid=0 tty=ftp ruser=mvyskocil rhost=::1
> user=mvyskocil
> 2013-02-
> authentication success; logname= uid=0 euid=0 tty=ftp ruser=mvyskocil rhost=::1
> user=mvyskocil
> 2013-02-
> audit_log_
> 2013-02-
> Client "::1"
>
> @thorsen: I would say both CAP_AUDIT_* are needed for vsftpd. I'm right?
I have no idea about CAP_AUDIT_*, but PAM is using the audit subsystem for logging.