The `/etc/pam.d/sudo` references `session pam_systemd.so` (as included by `system-auth`) which is not supposed to be the case (and isn't the case on other distros). For regular interactive users this is harmless because systemd just prints a warning about a session already running when using `sudo` interactively, but when using `sudo` from a script (e.g. as run by a daemon), it unnecessarily creates and tears down a login session, perhaps multiple times. This is not only unnecessary but it also causes a few thousand kernel worker threads to be spawned in the process (see https://github.com/systemd/systemd/issues/4069). Ideally, this should simply never be done for `sudo` since it makes little sense and even if that systemd bug gets fixed it's still completely unnecessary overhead and unexpected behavior.
Note: I can work around the issue by rewriting my /etc/pam.d/sudo from this:
{{{
auth     include  system-auth
account  include  system-auth
session  include  system-auth
}}}
to this:
{{{
auth     include  system-auth
account  include  system-auth
session  required  pam_limits.so
session  required  pam_env.so
session  required  pam_unix.so
session  optional  pam_permit.so
}}}
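As an added check (not code from the bug thread or from Gentoo), the script below resolves a service's PAM `include`/`substack` directives for one management type and reports whether the `session` stack of `sudo` ends up reaching `pam_systemd.so`, i.e. whether a logind session would be created; the `PAM_CONFIGS` fragments are constructed to mirror the stacks quoted above and are not copied from a real system.

```python
import re

# Constructed PAM fragments (not the page's actual files); service name -> file body.
PAM_CONFIGS = {
    "system-auth": """
auth     required  pam_unix.so try_first_pass
account  required  pam_unix.so
session  required  pam_limits.so
session  required  pam_unix.so
session  optional  pam_permit.so
session  optional  pam_systemd.so
""",
    # The stack the report describes: sudo pulls system-auth in for every type.
    "sudo": """
auth     include  system-auth
account  include  system-auth
session  include  system-auth
""",
    # The reporter's workaround: an explicit session stack with no pam_systemd.so.
    "sudo-workaround": """
auth     include  system-auth
account  include  system-auth
session  required  pam_limits.so
session  required  pam_unix.so
session  optional  pam_permit.so
""",
}
# type, control (keyword or [bracketed] action list), module path or included file
_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def resolve_modules(service, mtype, configs, _chain=()):
    """Modules a PAM type (auth/account/session/...) runs for a service,
    following include/substack directives into the named files."""
    if service in _chain:  # include loop: stop instead of recursing forever
        return []
    modules = []
    for raw in configs.get(service, "").splitlines():
        m = _LINE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != mtype:
            continue
        control, target = m.group(2), m.group(3)
        if control in ("include", "substack"):
            modules += resolve_modules(target, mtype, configs, _chain + (service,))
        else:
            modules.append(target)
    return modules

def opens_logind_session(service, configs=PAM_CONFIGS):
    """True when the service's session stack ends up calling pam_systemd.so."""
    return "pam_systemd.so" in resolve_modules(service, "session", configs)
```

To audit a live host, replace `PAM_CONFIGS` with the contents of the files under `/etc/pam.d/` keyed by file name.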
Maybe we should move pam_systemd out of system-auth.
Seems like the purpose of `pam_systemd.so` is creating a logind session for what would be considered an interactive login, i.e. from getty or via ssh. If `system-auth` is just for providing authentication, then it should not be referencing anything to do with login sessions. (Instead, maybe a separate category like `system-session` would be more appropriate?)
It seems it was added to system-auth in bug 485470.
(In reply to Mike Gilbert from comment #2)
> Maybe we should move pam_systemd out of system-auth.

Yes, and this should be the system-login file.
*** This bug has been marked as a duplicate of bug 504492 ***