Relevant BUGIDs: 126431, 126423

author Steve Langasek <vorlon@debian.org>

Wed, 20 Dec 2000 05:15:05 +0000 (05:15 +0000)

committer Steve Langasek <vorlon@debian.org>

Wed, 20 Dec 2000 05:15:05 +0000 (05:15 +0000)
author Steve Langasek <vorlon@debian.org>
Wed, 20 Dec 2000 05:15:05 +0000 (05:15 +0000)
committer Steve Langasek <vorlon@debian.org>
Wed, 20 Dec 2000 05:15:05 +0000 (05:15 +0000)
diff --git a/CHANGELOG b/CHANGELOG

index a353a5e126c318a54da275a1e9745182a411b9b8..214e09f6685cb7df007e88da55bd668d8de1f8c3 100644 (file)
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -35,6 +35,9 @@ Where you should replace XXXXX with a bug-id.
  0.74: please submit patches for this section with actual code/doc
        patches!
  
+* modify format of pam_unix log messages to include service name
+  (Bug 126423)
+* prevent pam_unix from logging unknown usernames (Bug 126431 - vorlon)
  * changed format of pam_unix 'authentication failure' log messages to make
    them clearer and more consistent (Bug 126036 - vorlon)
  * improved portability of pam_unix by eliminating Linux-specific utmp
diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c

index 8aeb43f3d1250df0a07c6f61d10a93e5b2c86502..178b6037465ab409dab7651f85da74fd2ff26699 100644 (file)
--- a/modules/pam_unix/pam_unix_acct.c
+++ b/modules/pam_unix/pam_unix_acct.c
@@ -78,12 +78,12 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags,
  
         D(("called."));
  
-       ctrl = _set_ctrl(flags, NULL, argc, argv);
+       ctrl = _set_ctrl(pamh, flags, NULL, argc, argv);
  
         retval = pam_get_item(pamh, PAM_USER, (const void **) &uname);
         D(("user = `%s'", uname));
         if (retval != PAM_SUCCESS || uname == NULL) {
-               _log_err(LOG_ALERT
+               _log_err(LOG_ALERT, pamh
                          ,"could not identify user (from uid=%d)"
                          ,getuid());
                 return PAM_USER_UNKNOWN;
@@ -91,7 +91,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags,
  
         pwent = getpwnam(uname);
         if (!pwent) {
-               _log_err(LOG_ALERT
+               _log_err(LOG_ALERT, pamh
                          ,"could not identify user (from getpwnam(%s))"
                          ,uname);
                 return PAM_USER_UNKNOWN;
@@ -135,7 +135,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags,
         D(("today is %d, last change %d", curdays, spent->sp_lstchg));
         if ((curdays > spent->sp_expire) && (spent->sp_expire != -1)
             && (spent->sp_lstchg != 0)) {
-               _log_err(LOG_NOTICE
+               _log_err(LOG_NOTICE, pamh
                          ,"account %s has expired (account expired)"
                          ,uname);
                 _make_remark(pamh, ctrl, PAM_ERROR_MSG,
@@ -146,7 +146,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags,
         if ((curdays > (spent->sp_lstchg + spent->sp_max + spent->sp_inact))
             && (spent->sp_max != -1) && (spent->sp_inact != -1)
             && (spent->sp_lstchg != 0)) {
-               _log_err(LOG_NOTICE
+               _log_err(LOG_NOTICE, pamh
                     ,"account %s has expired (failed to change password)"
                          ,uname);
                 _make_remark(pamh, ctrl, PAM_ERROR_MSG,
@@ -156,7 +156,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags,
         }
         D(("when was the last change"));
         if (spent->sp_lstchg == 0) {
-               _log_err(LOG_NOTICE
+               _log_err(LOG_NOTICE, pamh
                          ,"expired password for user %s (root enforced)"
                          ,uname);
                 _make_remark(pamh, ctrl, PAM_ERROR_MSG,
@@ -165,7 +165,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags,
                 return PAM_NEW_AUTHTOK_REQD;
         }
         if (((spent->sp_lstchg + spent->sp_max) < curdays) && (spent->sp_max != -1)) {
-               _log_err(LOG_DEBUG
+               _log_err(LOG_DEBUG, pamh
                          ,"expired password for user %s (password aged)"
                          ,uname);
                 _make_remark(pamh, ctrl, PAM_ERROR_MSG,
@@ -176,7 +176,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags,
         if ((curdays > (spent->sp_lstchg + spent->sp_max - spent->sp_warn))
             && (spent->sp_max != -1) && (spent->sp_warn != -1)) {
                 daysleft = (spent->sp_lstchg + spent->sp_max) - curdays;
-               _log_err(LOG_DEBUG
+               _log_err(LOG_DEBUG, pamh
                          ,"password for user %s will expire in %d days"
                          ,uname, daysleft);
                 snprintf(buf, 80, "Warning: your password will expire in %d day%.2s",
diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c

index bec9d99f43aed0f97e9a910cee0b824ce7ac2f3b..f08ea515b4d483e6b882a6fd719235b529888c41 100644 (file)
--- a/modules/pam_unix/pam_unix_auth.c
+++ b/modules/pam_unix/pam_unix_auth.c
@@ -101,7 +101,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags
  
         D(("called."));
  
-       ctrl = _set_ctrl(flags, NULL, argc, argv);
+       ctrl = _set_ctrl(pamh, flags, NULL, argc, argv);
  
         /* Get a few bytes so we can pass our return value to
            pam_sm_setcred(). */
@@ -118,7 +118,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags
                  * alphanumeric character.
                  */
                 if (name == NULL || !isalnum(*name)) {
-                       _log_err(LOG_ERR, "bad username [%s]", name);
+                       _log_err(LOG_ERR, pamh, "bad username [%s]", name);
                         retval = PAM_USER_UNKNOWN;
                         AUTH_RETURN
                 }
@@ -150,7 +150,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags
                                      ,_UNIX_AUTHTOK, &p);
         if (retval != PAM_SUCCESS) {
                 if (retval != PAM_CONV_AGAIN) {
-                       _log_err(LOG_CRIT, "auth could not identify password for [%s]"
+                       _log_err(LOG_CRIT, pamh, "auth could not identify password for [%s]"
                                  ,name);
                 } else {
                         D(("conversation function is not ready yet"));
@@ -194,7 +194,7 @@ PAM_EXTERN int pam_sm_setcred(pam_handle_t * pamh, int flags
            only argument we need is UNIX_LIKE_AUTH: if it was set,
            pam_get_data will succeed. If it wasn't, it will fail, and we
            return PAM_SUCCESS.  -SRL */
-       ctrl = _set_ctrl(flags, NULL, argc, argv);
+       ctrl = _set_ctrl(pamh, flags, NULL, argc, argv);
         retval = PAM_SUCCESS;
  
         if (on(UNIX_LIKE_AUTH, ctrl)) {
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c

index e4998afd44fb02937042efda0c790d94ff4e56a1..5d8d2d7dc96948d7389a33119b421cec98e31003 100644 (file)
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -178,29 +178,31 @@ static char *crypt_md5_wrapper(const char *pass_new)
         return x;
  }
  
-static char *getNISserver(void)
+static char *getNISserver(pam_handle_t *pamh)
  {
         char *master;
         char *domainname;
         int port, err;
  
         if ((err = yp_get_default_domain(&domainname)) != 0) {
-               _log_err(LOG_WARNING, "can't get local yp domain: %s\n",
+               _log_err(LOG_WARNING, pamh, "can't get local yp domain: %s\n",
                          yperr_string(err));
                 return NULL;
         }
         if ((err = yp_master(domainname, "passwd.byname", &master)) != 0) {
-               _log_err(LOG_WARNING, "can't find the master ypserver: %s\n",
+               _log_err(LOG_WARNING, pamh, "can't find the master ypserver: %s\n",
                          yperr_string(err));
                 return NULL;
         }
         port = getrpcport(master, YPPASSWDPROG, YPPASSWDPROC_UPDATE, IPPROTO_UDP);
         if (port == 0) {
-               _log_err(LOG_WARNING, "yppasswdd not running on NIS master host\n");
+               _log_err(LOG_WARNING, pamh,
+                        "yppasswdd not running on NIS master host\n");
                 return NULL;
         }
         if (port >= IPPORT_RESERVED) {
-               _log_err(LOG_WARNING, "yppasswd daemon running on illegal port.\n");
+               _log_err(LOG_WARNING, pamh,
+                        "yppasswd daemon running on illegal port.\n");
                 return NULL;
         }
         return master;
@@ -424,8 +426,8 @@ static int _update_shadow(const char *forwho, char *towhat)
         return retval;
  }
  
-static int _do_setpass(const char *forwho, char *fromwhat, char *towhat,
-                      unsigned int ctrl, int remember)
+static int _do_setpass(pam_handle_t* pamh, const char *forwho, char *fromwhat,
+                      char *towhat, unsigned int ctrl, int remember)
  {
         struct passwd *pwd = NULL;
         int retval = 0;
@@ -448,7 +450,7 @@ static int _do_setpass(const char *forwho, char *fromwhat, char *towhat,
                 int err = 0;
  
                 /* Make RPC call to NIS server */
-               if ((master = getNISserver()) == NULL)
+               if ((master = getNISserver(pamh)) == NULL)
                         return PAM_TRY_AGAIN;
  
                 /* Initialize password information */
@@ -595,7 +597,7 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh
  
         if (pass_new == NULL || (pass_old && !strcmp(pass_old, pass_new))) {
                 if (on(UNIX_DEBUG, ctrl)) {
-                       _log_err(LOG_DEBUG, "bad authentication token");
+                       _log_err(LOG_DEBUG, pamh, "bad authentication token");
                 }
                 _make_remark(pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ?
                           "No password supplied" : "Password unchanged");
@@ -609,7 +611,7 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh
         retval = pam_get_item(pamh, PAM_USER, (const void **) &user);
         if (retval != PAM_SUCCESS) {
                 if (on(UNIX_DEBUG, ctrl)) {
-                       _log_err(LOG_ERR, "Can not get username");
+                       _log_err(LOG_ERR, pamh, "Can not get username");
                         return PAM_AUTHTOK_ERR;
                 }
         }
@@ -669,7 +671,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
                 return PAM_AUTHTOK_LOCK_BUSY;
         }
  #endif
-       ctrl = _set_ctrl(flags, &remember, argc, argv);
+       ctrl = _set_ctrl(pamh, flags, &remember, argc, argv);
  
         /*
          * First get the name of a user
@@ -683,17 +685,19 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
                  * alphanumeric character.
                  */
                 if (user == NULL || !isalnum(*user)) {
-                       _log_err(LOG_ERR, "bad username [%s]", user);
+                       _log_err(LOG_ERR, pamh, "bad username [%s]", user);
  #ifdef USE_LCKPWDF
                         ulckpwdf();
  #endif
                         return PAM_USER_UNKNOWN;
                 }
                 if (retval == PAM_SUCCESS && on(UNIX_DEBUG, ctrl))
-                       _log_err(LOG_DEBUG, "username [%s] obtained", user);
+                       _log_err(LOG_DEBUG, pamh, "username [%s] obtained",
+                                user);
         } else {
                 if (on(UNIX_DEBUG, ctrl))
-                       _log_err(LOG_DEBUG, "password - could not identify user");
+                       _log_err(LOG_DEBUG, pamh,
+                                "password - could not identify user");
  #ifdef USE_LCKPWDF
                 ulckpwdf();
  #endif
@@ -728,7 +732,8 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
  #define greeting "Changing password for "
                         Announce = (char *) malloc(sizeof(greeting) + strlen(user));
                         if (Announce == NULL) {
-                               _log_err(LOG_CRIT, "password - out of memory");
+                               _log_err(LOG_CRIT, pamh,
+                                        "password - out of memory");
  #ifdef USE_LCKPWDF
                                 ulckpwdf();
  #endif
@@ -749,7 +754,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
                         free(Announce);
  
                         if (retval != PAM_SUCCESS) {
-                               _log_err(LOG_NOTICE
+                               _log_err(LOG_NOTICE, pamh
                                  ,"password - (old) token not obtained");
  #ifdef USE_LCKPWDF
                                 ulckpwdf();
@@ -776,7 +781,8 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
                 retval = pam_set_item(pamh, PAM_OLDAUTHTOK, (const void *) pass_old);
                 pass_old = NULL;
                 if (retval != PAM_SUCCESS) {
-                       _log_err(LOG_CRIT, "failed to set PAM_OLDAUTHTOK");
+                       _log_err(LOG_CRIT, pamh,
+                                "failed to set PAM_OLDAUTHTOK");
                 }
                 retval = _unix_verify_shadow(user, ctrl);
                 if (retval == PAM_AUTHTOK_ERR) {
@@ -821,7 +827,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
                 D(("pass_old [%s]", pass_old));
  
                 if (retval != PAM_SUCCESS) {
-                       _log_err(LOG_NOTICE, "user not authenticated");
+                       _log_err(LOG_NOTICE, pamh, "user not authenticated");
  #ifdef USE_LCKPWDF
                         ulckpwdf();
  #endif
@@ -829,7 +835,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
                 }
                 retval = _unix_verify_shadow(user, ctrl);
                 if (retval != PAM_SUCCESS) {
-                       _log_err(LOG_NOTICE, "user not authenticated 2");
+                       _log_err(LOG_NOTICE, pamh, "user not authenticated 2");
  #ifdef USE_LCKPWDF
                         ulckpwdf();
  #endif
@@ -859,7 +865,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
  
                         if (retval != PAM_SUCCESS) {
                                 if (on(UNIX_DEBUG, ctrl)) {
-                                       _log_err(LOG_ALERT
+                                       _log_err(LOG_ALERT, pamh
                                                  ,"password - new password not obtained");
                                 }
                                 pass_old = NULL;        /* tidy up */
@@ -883,7 +889,8 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
                 }
  
                 if (retval != PAM_SUCCESS) {
-                       _log_err(LOG_NOTICE, "new password not acceptable");
+                       _log_err(LOG_NOTICE, pamh,
+                                "new password not acceptable");
                         _pam_overwrite(pass_new);
                         _pam_overwrite(pass_old);
                         pass_new = pass_old = NULL;     /* tidy up */
@@ -926,7 +933,8 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
                                 char *e;
  
                                 if (temp == NULL) {
-                                       _log_err(LOG_CRIT, "out of memory for password");
+                                       _log_err(LOG_CRIT, pamh,
+                                                "out of memory for password");
                                         _pam_overwrite(pass_new);
                                         _pam_overwrite(pass_old);
                                         pass_new = pass_old = NULL;     /* tidy up */
@@ -960,13 +968,15 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
  
                 /* update the password database(s) -- race conditions..? */
  
-               retval = _do_setpass(user, pass_old, tpass, ctrl, remember);
+               retval = _do_setpass(pamh, user, pass_old, tpass, ctrl,
+                                    remember);
                 _pam_overwrite(pass_new);
                 _pam_overwrite(pass_old);
                 _pam_delete(tpass);
                 pass_old = pass_new = NULL;
         } else {                /* something has broken with the module */
-               _log_err(LOG_ALERT, "password received unknown request");
+               _log_err(LOG_ALERT, pamh,
+                        "password received unknown request");
                 retval = PAM_ABORT;
         }
  
diff --git a/modules/pam_unix/pam_unix_sess.c b/modules/pam_unix/pam_unix_sess.c

index e97bc1f0f937ba88b7fe270094086280c5f00bd1..faef3e42b8c135b694621c26d9bebd637af093a8 100644 (file)
--- a/modules/pam_unix/pam_unix_sess.c
+++ b/modules/pam_unix/pam_unix_sess.c
@@ -74,21 +74,23 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t * pamh, int flags,
  
         D(("called."));
  
-       ctrl = _set_ctrl(flags, NULL, argc, argv);
+       ctrl = _set_ctrl(pamh, flags, NULL, argc, argv);
  
         retval = pam_get_item(pamh, PAM_USER, (void *) &user_name);
         if (user_name == NULL || retval != PAM_SUCCESS) {
-               _log_err(LOG_CRIT, "open_session - error recovering username");
+               _log_err(LOG_CRIT, pamh,
+                        "open_session - error recovering username");
                 return PAM_SESSION_ERR;         /* How did we get authenticated with
                                                    no username?! */
         }
         retval = pam_get_item(pamh, PAM_SERVICE, (void *) &service);
         if (service == NULL || retval != PAM_SUCCESS) {
-               _log_err(LOG_CRIT, "open_session - error recovering service");
+               _log_err(LOG_CRIT, pamh,
+                        "open_session - error recovering service");
                 return PAM_SESSION_ERR;
         }
-       _log_err(LOG_INFO, "(%s) session opened for user %s by %s(uid=%d)"
-                ,service, user_name
+       _log_err(LOG_INFO, pamh, "session opened for user %s by %s(uid=%d)"
+                ,user_name
                  ,PAM_getlogin() == NULL ? "" : PAM_getlogin(), getuid());
  
         return PAM_SUCCESS;
@@ -103,21 +105,23 @@ PAM_EXTERN int pam_sm_close_session(pam_handle_t * pamh, int flags,
  
         D(("called."));
  
-       ctrl = _set_ctrl(flags, NULL, argc, argv);
+       ctrl = _set_ctrl(pamh, flags, NULL, argc, argv);
  
         retval = pam_get_item(pamh, PAM_USER, (void *) &user_name);
         if (user_name == NULL || retval != PAM_SUCCESS) {
-               _log_err(LOG_CRIT, "close_session - error recovering username");
+               _log_err(LOG_CRIT, pamh,
+                        "close_session - error recovering username");
                 return PAM_SESSION_ERR;         /* How did we get authenticated with
                                                    no username?! */
         }
         retval = pam_get_item(pamh, PAM_SERVICE, (void *) &service);
         if (service == NULL || retval != PAM_SUCCESS) {
-               _log_err(LOG_CRIT, "close_session - error recovering service");
+               _log_err(LOG_CRIT, pamh,
+                        "close_session - error recovering service");
                 return PAM_SESSION_ERR;
         }
-       _log_err(LOG_INFO, "(%s) session closed for user %s"
-                ,service, user_name);
+       _log_err(LOG_INFO, pamh, "session closed for user %s"
+                ,user_name);
  
         return PAM_SUCCESS;
  }
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c

index ed64b344dd640708ae74778da447a70b90d76640..87a5d938f5fb674dbe5fd20d42684c9ba8559e82 100644 (file)
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -27,12 +27,23 @@ extern char *bigcrypt(const char *key, const char *salt);
  
  /* syslogging function for errors and other information */
  
-void _log_err(int err, const char *format,...)
+void _log_err(int err, pam_handle_t *pamh, const char *format,...)
  {
+       char *service = NULL;
+       char logname[256];
         va_list args;
  
+       pam_get_item(pamh, PAM_SERVICE, (const void **) &service);
+       if (service) {
+               strncpy(logname, service, sizeof(logname));
+               logname[sizeof(logname) - 1 - strlen("(pam_unix)")] = '\0';
+               strncat(logname, "(pam_unix)", strlen("(pam_unix)"));
+       } else {
+               strncpy(logname, "pam_unix", sizeof(logname) - 1);
+       }
+
         va_start(args, format);
-       openlog("PAM_unix", LOG_CONS | LOG_PID, LOG_AUTH);
+       openlog(logname, LOG_CONS | LOG_PID, LOG_AUTH);
         vsyslog(err, format, args);
         va_end(args);
         closelog();
@@ -58,11 +69,12 @@ static int converse(pam_handle_t * pamh, int ctrl, int nargs
                 D(("returned from application's conversation function"));
  
                 if (retval != PAM_SUCCESS && on(UNIX_DEBUG, ctrl)) {
-                       _log_err(LOG_DEBUG, "conversation failure [%s]"
+                       _log_err(LOG_DEBUG, pamh, "conversation failure [%s]"
                                  ,pam_strerror(pamh, retval));
                 }
         } else if (retval != PAM_CONV_AGAIN) {
-               _log_err(LOG_ERR, "couldn't obtain coversation function [%s]"
+               _log_err(LOG_ERR, pamh
+                        ,"couldn't obtain coversation function [%s]"
                          ,pam_strerror(pamh, retval));
         }
         D(("ready to return from module conversation"));
@@ -126,7 +138,8 @@ char *PAM_getlogin(void)
   * set the control flags for the UNIX module.
   */
  
-int _set_ctrl(int flags, int *remember, int argc, const char **argv)
+int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int argc,
+              const char **argv)
  {
         unsigned int ctrl;
  
@@ -171,7 +184,8 @@ int _set_ctrl(int flags, int *remember, int argc, const char **argv)
                 }
  
                 if (j >= UNIX_CTRLS_) {
-                       _log_err(LOG_ERR, "unrecognized option [%s]", *argv);
+                       _log_err(LOG_ERR, pamh,
+                                "unrecognized option [%s]", *argv);
                 } else {
                         ctrl &= unix_args[j].mask;      /* for turning things off */
                         ctrl |= unix_args[j].flag;      /* for turning things on  */
@@ -259,22 +273,21 @@ static void _cleanup_failures(pam_handle_t * pamh, void *fl, int err)
                                                     (const void **)&rhost);
                                 (void) pam_get_item(pamh, PAM_TTY,
                                                     (const void **)&tty);
-                               _log_err(LOG_NOTICE,
+                               _log_err(LOG_NOTICE, pamh,
                                          "%d more authentication failure%s; "
                                          "logname=%s uid=%d euid=%d "
                                          "tty=%s ruser=%s rhost=%s "
-                                        "service=%s%s%s",
+                                        "%s%s",
                                          failure->count - 1, failure->count == 2 ? "" : "s",
                                          failure->name, failure->uid, failure->euid,
                                          tty ? tty : "", ruser ? ruser : "",
                                          rhost ? rhost : "",
-                                        service ? service : "**unknown**",
                                          (failure->user && failure->user[0] != '\0')
                                           ? " user=" : "", failure->user
                                 );
  
                                 if (failure->count > UNIX_MAX_RETRIES) {
-                                       _log_err(LOG_ALERT
+                                       _log_err(LOG_ALERT, pamh
                                                  ,"service(%s) ignoring max retries; %d > %d"
                                                  ,service == NULL ? "**unknown**" : service
                                                  ,failure->count
@@ -506,7 +519,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name
  
         data_name = (char *) malloc(sizeof(FAIL_PREFIX) + strlen(name));
         if (data_name == NULL) {
-               _log_err(LOG_CRIT, "no memory for data-name");
+               _log_err(LOG_CRIT, pamh, "no memory for data-name");
         } else {
                 strcpy(data_name, FAIL_PREFIX);
                 strcpy(data_name + sizeof(FAIL_PREFIX) - 1, name);
@@ -518,15 +531,22 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name
                         /* we are not root perhaps this is the reason? Run helper */
                         D(("running helper binary"));
                         retval = _unix_run_helper_binary(pamh, p, ctrl);
+                       if (pwd == NULL && !on(UNIX_AUDIT,ctrl)
+                           && retval != PAM_SUCCESS)
+                       {
+                               name = NULL;
+                       }
                 } else {
                         D(("user's record unavailable"));
                         if (on(UNIX_AUDIT, ctrl)) {
                                 /* this might be a typo and the user has given a password
                                    instead of a username. Careful with this. */
-                               _log_err(LOG_ALERT, "check pass; user (%s) unknown", name);
+                               _log_err(LOG_ALERT, pamh,
+                                        "check pass; user (%s) unknown", name);
                         } else {
                                 name = NULL;
-                               _log_err(LOG_ALERT, "check pass; user unknown");
+                               _log_err(LOG_ALERT, pamh,
+                                        "check pass; user unknown");
                         }
                         p = NULL;
                         retval = PAM_AUTHINFO_UNAVAIL;
@@ -608,16 +628,15 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name
                                         (void) pam_get_item(pamh, PAM_TTY,
                                                             (const void **)&tty);
  
-                                       _log_err(LOG_NOTICE,
+                                       _log_err(LOG_NOTICE, pamh,
                                                  "authentication failure; "
                                                  "logname=%s uid=%d euid=%d "
                                                  "tty=%s ruser=%s rhost=%s "
-                                                "service=%s%s%s",
+                                                "%s%s",
                                                  new->name, new->uid, new->euid,
                                                  tty ? tty : "",
                                                  ruser ? ruser : "",
                                                  rhost ? rhost : "",
-                                                service ? service : "**unknown**",
                                                  (new->user && new->user[0] != '\0')
                                                   ? " user=" : "",
                                                  new->user
@@ -628,7 +647,8 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name
                                 pam_set_data(pamh, data_name, new, _cleanup_failures);
  
                         } else {
-                               _log_err(LOG_CRIT, "no memory for failure recorder");
+                               _log_err(LOG_CRIT, pamh,
+                                        "no memory for failure recorder");
                         }
                 }
         }
@@ -684,7 +704,7 @@ int _unix_read_password(pam_handle_t * pamh
                 retval = pam_get_item(pamh, authtok_flag, (const void **) &item);
                 if (retval != PAM_SUCCESS) {
                         /* very strange. */
-                       _log_err(LOG_ALERT
+                       _log_err(LOG_ALERT, pamh
                                  ,"pam_get_item returned error to unix-read-password"
                             );
                         return retval;
@@ -755,7 +775,7 @@ int _unix_read_password(pam_handle_t * pamh
                                                 }
                                         }
                                 } else {
-                                       _log_err(LOG_NOTICE
+                                       _log_err(LOG_NOTICE, pamh
                                                  ,"could not recover authentication token");
                                 }
  
@@ -775,7 +795,8 @@ int _unix_read_password(pam_handle_t * pamh
  
         if (retval != PAM_SUCCESS) {
                 if (on(UNIX_DEBUG, ctrl))
-                       _log_err(LOG_DEBUG, "unable to obtain a password");
+                       _log_err(LOG_DEBUG, pamh,
+                                "unable to obtain a password");
                 return retval;
         }
         /* 'token' is the entered password */
@@ -791,7 +812,7 @@ int _unix_read_password(pam_handle_t * pamh
                                               ,(const void **) &item))
                     != PAM_SUCCESS) {
  
-                       _log_err(LOG_CRIT, "error manipulating password");
+                       _log_err(LOG_CRIT, pamh, "error manipulating password");
                         return retval;
  
                 }
@@ -803,7 +824,8 @@ int _unix_read_password(pam_handle_t * pamh
  
                 retval = pam_set_data(pamh, data_name, (void *) token, _cleanup);
                 if (retval != PAM_SUCCESS) {
-                       _log_err(LOG_CRIT, "error manipulating password data [%s]"
+                       _log_err(LOG_CRIT, pamh
+                                ,"error manipulating password data [%s]"
                                  ,pam_strerror(pamh, retval));
                         _pam_delete(token);
                         return retval;
diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h

index 419f527307601136ab9e912cf373b393ee4b3868..0b6b6e04601b39ab83952d52d1fce2df5cfa3830 100644 (file)
--- a/modules/pam_unix/support.h
+++ b/modules/pam_unix/support.h
@@ -124,10 +124,11 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
  }
  
  extern char *PAM_getlogin(void);
-extern void _log_err(int err, const char *format,...);
+extern void _log_err(int err, pam_handle_t *pamh, const char *format,...);
  extern int _make_remark(pam_handle_t * pamh, unsigned int ctrl
                        ,int type, const char *text);
-extern int _set_ctrl(int flags, int *remember, int argc, const char **argv);
+extern int _set_ctrl(pam_handle_t * pamh, int flags, int *remember, int argc,
+                    const char **argv);
  extern int _unix_blankpasswd(unsigned int ctrl, const char *name);
  extern int _unix_verify_password(pam_handle_t * pamh, const char *name
                           ,const char *p, unsigned int ctrl);
author	Steve Langasek <vorlon@debian.org>
	Wed, 20 Dec 2000 05:15:05 +0000 (05:15 +0000)
committer	Steve Langasek <vorlon@debian.org>
	Wed, 20 Dec 2000 05:15:05 +0000 (05:15 +0000)
CHANGELOG		patch \| blob \| history
modules/pam_unix/pam_unix_acct.c		patch \| blob \| history
modules/pam_unix/pam_unix_auth.c		patch \| blob \| history
modules/pam_unix/pam_unix_passwd.c		patch \| blob \| history
modules/pam_unix/pam_unix_sess.c		patch \| blob \| history
modules/pam_unix/support.c		patch \| blob \| history
modules/pam_unix/support.h		patch \| blob \| history