author | Steve Langasek <vorlon@debian.org> | 2000-12-20 05:15:05 +0000 |
---|---|---|
committer | Steve Langasek <vorlon@debian.org> | 2000-12-20 05:15:05 +0000 |
commit | 38da6ae394a4b2f18e210369562928dc0e404f54 (patch) | |
tree | d5ee266e4c99c2a950ec6ad7fabc016c140a66c0 | |
parent | e23b51cda072fbd6fc65f5ff43d196eeea28cac5 (diff) | |
Relevant BUGIDs: 126431, 126423
Purpose of commit: new feature / bugfix
Commit summary:
---------------
This changes the format of pam_unix log messages, per bug 126423. The
change is extensive (every call to _log_err() now has an additional
argument) but straightforward.
These changes to the logging code incidentally fix the problem reported in
bug 126431.
-rw-r--r-- | CHANGELOG | 3 | ||||
-rw-r--r-- | modules/pam_unix/pam_unix_acct.c | 16 | ||||
-rw-r--r-- | modules/pam_unix/pam_unix_auth.c | 8 | ||||
-rw-r--r-- | modules/pam_unix/pam_unix_passwd.c | 58 | ||||
-rw-r--r-- | modules/pam_unix/pam_unix_sess.c | 24 | ||||
-rw-r--r-- | modules/pam_unix/support.c | 66 | ||||
-rw-r--r-- | modules/pam_unix/support.h | 5 |
7 files changed, 110 insertions, 70 deletions
@@ -35,6 +35,9 @@ Where you should replace XXXXX with a bug-id. 0.74: please submit patches for this section with actual code/doc patches! +* modify format of pam_unix log messages to include service name + (Bug 126423) +* prevent pam_unix from logging unknown usernames (Bug 126431 - vorlon) * changed format of pam_unix 'authentication failure' log messages to make them clearer and more consistent (Bug 126036 - vorlon) * improved portability of pam_unix by eliminating Linux-specific utmp diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c index 8aeb43f3..178b6037 100644 --- a/modules/pam_unix/pam_unix_acct.c +++ b/modules/pam_unix/pam_unix_acct.c @@ -78,12 +78,12 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, D(("called.")); - ctrl = _set_ctrl(flags, NULL, argc, argv); + ctrl = _set_ctrl(pamh, flags, NULL, argc, argv); retval = pam_get_item(pamh, PAM_USER, (const void **) &uname); D(("user = `%s'", uname)); if (retval != PAM_SUCCESS || uname == NULL) { - _log_err(LOG_ALERT + _log_err(LOG_ALERT, pamh ,"could not identify user (from uid=%d)" ,getuid()); return PAM_USER_UNKNOWN; @@ -91,7 +91,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, pwent = getpwnam(uname); if (!pwent) { - _log_err(LOG_ALERT + _log_err(LOG_ALERT, pamh ,"could not identify user (from getpwnam(%s))" ,uname); return PAM_USER_UNKNOWN; @@ -135,7 +135,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, D(("today is %d, last change %d", curdays, spent->sp_lstchg)); if ((curdays > spent->sp_expire) && (spent->sp_expire != -1) && (spent->sp_lstchg != 0)) { - _log_err(LOG_NOTICE + _log_err(LOG_NOTICE, pamh ,"account %s has expired (account expired)" ,uname); _make_remark(pamh, ctrl, PAM_ERROR_MSG, 
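Review bot: In pam_sm_acct_mgmt the `getpwnam` failure branch (hunk at -91) still writes the unrecognised `uname` into the log at LOG_ALERT, which is at odds with the CHANGELOG line in this same commit about not logging unknown usernames; people do type passwords at the username prompt, and that string then sits in the auth log. `ctrl` is already set earlier in the function, so the name could be logged only under `on(UNIX_AUDIT, ctrl)`, as support.c does, with `_log_err(LOG_ALERT, pamh, "could not identify user (from getpwnam)");` otherwise. The `bad username [%s]` calls in pam_sm_authenticate and pam_sm_chauthtok have the same exposure, and there the value can also be NULL when it reaches `%s`, so they need `name ? name : ""` at minimum. The function body continues outside these hunks.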
@@ -146,7 +146,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, if ((curdays > (spent->sp_lstchg + spent->sp_max + spent->sp_inact)) && (spent->sp_max != -1) && (spent->sp_inact != -1) && (spent->sp_lstchg != 0)) { - _log_err(LOG_NOTICE + _log_err(LOG_NOTICE, pamh ,"account %s has expired (failed to change password)" ,uname); _make_remark(pamh, ctrl, PAM_ERROR_MSG, @@ -156,7 +156,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, } D(("when was the last change")); if (spent->sp_lstchg == 0) { - _log_err(LOG_NOTICE + _log_err(LOG_NOTICE, pamh ,"expired password for user %s (root enforced)" ,uname); _make_remark(pamh, ctrl, PAM_ERROR_MSG, @@ -165,7 +165,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, return PAM_NEW_AUTHTOK_REQD; } if (((spent->sp_lstchg + spent->sp_max) < curdays) && (spent->sp_max != -1)) { - _log_err(LOG_DEBUG + _log_err(LOG_DEBUG, pamh ,"expired password for user %s (password aged)" ,uname); _make_remark(pamh, ctrl, PAM_ERROR_MSG, @@ -176,7 +176,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, if ((curdays > (spent->sp_lstchg + spent->sp_max - spent->sp_warn)) && (spent->sp_max != -1) && (spent->sp_warn != -1)) { daysleft = (spent->sp_lstchg + spent->sp_max) - curdays; - _log_err(LOG_DEBUG + _log_err(LOG_DEBUG, pamh ,"password for user %s will expire in %d days" ,uname, daysleft); snprintf(buf, 80, "Warning: your password will expire in %d day%.2s", diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c index bec9d99f..f08ea515 100644 --- a/modules/pam_unix/pam_unix_auth.c +++ b/modules/pam_unix/pam_unix_auth.c @@ -101,7 +101,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags D(("called.")); - ctrl = _set_ctrl(flags, NULL, argc, argv); + ctrl = _set_ctrl(pamh, flags, NULL, argc, argv); /* Get a few bytes so we can pass our return value to pam_sm_setcred(). */ 
@@ -118,7 +118,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags * alphanumeric character. */ if (name == NULL || !isalnum(*name)) { - _log_err(LOG_ERR, "bad username [%s]", name); + _log_err(LOG_ERR, pamh, "bad username [%s]", name); retval = PAM_USER_UNKNOWN; AUTH_RETURN } @@ -150,7 +150,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags ,_UNIX_AUTHTOK, &p); if (retval != PAM_SUCCESS) { if (retval != PAM_CONV_AGAIN) { - _log_err(LOG_CRIT, "auth could not identify password for [%s]" + _log_err(LOG_CRIT, pamh, "auth could not identify password for [%s]" ,name); } else { D(("conversation function is not ready yet")); @@ -194,7 +194,7 @@ PAM_EXTERN int pam_sm_setcred(pam_handle_t * pamh, int flags only argument we need is UNIX_LIKE_AUTH: if it was set, pam_get_data will succeed. If it wasn't, it will fail, and we return PAM_SUCCESS. -SRL */ - ctrl = _set_ctrl(flags, NULL, argc, argv); + ctrl = _set_ctrl(pamh, flags, NULL, argc, argv); retval = PAM_SUCCESS; if (on(UNIX_LIKE_AUTH, ctrl)) { diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c index e4998afd..5d8d2d7d 100644 --- a/modules/pam_unix/pam_unix_passwd.c +++ b/modules/pam_unix/pam_unix_passwd.c 
@@ -178,29 +178,31 @@ static char *crypt_md5_wrapper(const char *pass_new) return x; } -static char *getNISserver(void) +static char *getNISserver(pam_handle_t *pamh) { char *master; char *domainname; int port, err; if ((err = yp_get_default_domain(&domainname)) != 0) { - _log_err(LOG_WARNING, "can't get local yp domain: %s\n", + _log_err(LOG_WARNING, pamh, "can't get local yp domain: %s\n", yperr_string(err)); return NULL; } if ((err = yp_master(domainname, "passwd.byname", &master)) != 0) { - _log_err(LOG_WARNING, "can't find the master ypserver: %s\n", + _log_err(LOG_WARNING, pamh, "can't find the master ypserver: %s\n", yperr_string(err)); return NULL; } port = getrpcport(master, YPPASSWDPROG, YPPASSWDPROC_UPDATE, IPPROTO_UDP); if (port == 0) { - _log_err(LOG_WARNING, "yppasswdd not running on NIS master host\n"); + _log_err(LOG_WARNING, pamh, + "yppasswdd not running on NIS master host\n"); return NULL; } if (port >= IPPORT_RESERVED) { - _log_err(LOG_WARNING, "yppasswd daemon running on illegal port.\n"); + _log_err(LOG_WARNING, pamh, + "yppasswd daemon running on illegal port.\n"); return NULL; } return master; @@ -424,8 +426,8 @@ static int _update_shadow(const char *forwho, char *towhat) return retval; } -static int _do_setpass(const char *forwho, char *fromwhat, char *towhat, - unsigned int ctrl, int remember) +static int _do_setpass(pam_handle_t* pamh, const char *forwho, char *fromwhat, + char *towhat, unsigned int ctrl, int remember) { struct passwd *pwd = NULL; int retval = 0; @@ -448,7 +450,7 @@ static int _do_setpass(const char *forwho, char *fromwhat, char *towhat, int err = 0; /* Make RPC call to NIS server */ - if ((master = getNISserver()) == NULL) + if ((master = getNISserver(pamh)) == NULL) return PAM_TRY_AGAIN; /* Initialize password information */ 
@@ -595,7 +597,7 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh if (pass_new == NULL || (pass_old && !strcmp(pass_old, pass_new))) { if (on(UNIX_DEBUG, ctrl)) { - _log_err(LOG_DEBUG, "bad authentication token"); + _log_err(LOG_DEBUG, pamh, "bad authentication token"); } _make_remark(pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ? "No password supplied" : "Password unchanged"); @@ -609,7 +611,7 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh retval = pam_get_item(pamh, PAM_USER, (const void **) &user); if (retval != PAM_SUCCESS) { if (on(UNIX_DEBUG, ctrl)) { - _log_err(LOG_ERR, "Can not get username"); + _log_err(LOG_ERR, pamh, "Can not get username"); return PAM_AUTHTOK_ERR; } } @@ -669,7 +671,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, return PAM_AUTHTOK_LOCK_BUSY; } #endif - ctrl = _set_ctrl(flags, &remember, argc, argv); + ctrl = _set_ctrl(pamh, flags, &remember, argc, argv); /* * First get the name of a user @@ -683,17 +685,19 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, * alphanumeric character. */ if (user == NULL || !isalnum(*user)) { - _log_err(LOG_ERR, "bad username [%s]", user); + _log_err(LOG_ERR, pamh, "bad username [%s]", user); #ifdef USE_LCKPWDF ulckpwdf(); #endif return PAM_USER_UNKNOWN; } if (retval == PAM_SUCCESS && on(UNIX_DEBUG, ctrl)) - _log_err(LOG_DEBUG, "username [%s] obtained", user); + _log_err(LOG_DEBUG, pamh, "username [%s] obtained", + user); } else { if (on(UNIX_DEBUG, ctrl)) - _log_err(LOG_DEBUG, "password - could not identify user"); + _log_err(LOG_DEBUG, pamh, + "password - could not identify user"); #ifdef USE_LCKPWDF ulckpwdf(); #endif 
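Review bot: In `_pam_unix_approve_pass` (hunk at -609) the `return PAM_AUTHTOK_ERR;` is nested inside `if (on(UNIX_DEBUG, ctrl))`, so when the module runs without the debug option a failed `pam_get_item(pamh, PAM_USER, ...)` is neither logged nor treated as an error and the function carries on. What it then does with `user` is outside the hunk, but a password check that proceeds without a user name looks unintended. Moving the return out of the debug test fixes it: `if (on(UNIX_DEBUG, ctrl)) _log_err(LOG_ERR, pamh, "Can not get username");` followed by `return PAM_AUTHTOK_ERR;`.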
@@ -728,7 +732,8 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, #define greeting "Changing password for " Announce = (char *) malloc(sizeof(greeting) + strlen(user)); if (Announce == NULL) { - _log_err(LOG_CRIT, "password - out of memory"); + _log_err(LOG_CRIT, pamh, + "password - out of memory"); #ifdef USE_LCKPWDF ulckpwdf(); #endif @@ -749,7 +754,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, free(Announce); if (retval != PAM_SUCCESS) { - _log_err(LOG_NOTICE + _log_err(LOG_NOTICE, pamh ,"password - (old) token not obtained"); #ifdef USE_LCKPWDF ulckpwdf(); @@ -776,7 +781,8 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, retval = pam_set_item(pamh, PAM_OLDAUTHTOK, (const void *) pass_old); pass_old = NULL; if (retval != PAM_SUCCESS) { - _log_err(LOG_CRIT, "failed to set PAM_OLDAUTHTOK"); + _log_err(LOG_CRIT, pamh, + "failed to set PAM_OLDAUTHTOK"); } retval = _unix_verify_shadow(user, ctrl); if (retval == PAM_AUTHTOK_ERR) { @@ -821,7 +827,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, D(("pass_old [%s]", pass_old)); if (retval != PAM_SUCCESS) { - _log_err(LOG_NOTICE, "user not authenticated"); + _log_err(LOG_NOTICE, pamh, "user not authenticated"); #ifdef USE_LCKPWDF ulckpwdf(); #endif @@ -829,7 +835,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, } retval = _unix_verify_shadow(user, ctrl); if (retval != PAM_SUCCESS) { - _log_err(LOG_NOTICE, "user not authenticated 2"); + _log_err(LOG_NOTICE, pamh, "user not authenticated 2"); #ifdef USE_LCKPWDF ulckpwdf(); #endif @@ -859,7 +865,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, if (retval != PAM_SUCCESS) { if (on(UNIX_DEBUG, ctrl)) { - _log_err(LOG_ALERT + _log_err(LOG_ALERT, pamh ,"password - new password not obtained"); } pass_old = NULL; /* tidy up */ 
@@ -883,7 +889,8 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, } if (retval != PAM_SUCCESS) { - _log_err(LOG_NOTICE, "new password not acceptable"); + _log_err(LOG_NOTICE, pamh, + "new password not acceptable"); _pam_overwrite(pass_new); _pam_overwrite(pass_old); pass_new = pass_old = NULL; /* tidy up */ @@ -926,7 +933,8 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, char *e; if (temp == NULL) { - _log_err(LOG_CRIT, "out of memory for password"); + _log_err(LOG_CRIT, pamh, + "out of memory for password"); _pam_overwrite(pass_new); _pam_overwrite(pass_old); pass_new = pass_old = NULL; /* tidy up */ @@ -960,13 +968,15 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, /* update the password database(s) -- race conditions..? */ - retval = _do_setpass(user, pass_old, tpass, ctrl, remember); + retval = _do_setpass(pamh, user, pass_old, tpass, ctrl, + remember); _pam_overwrite(pass_new); _pam_overwrite(pass_old); _pam_delete(tpass); pass_old = pass_new = NULL; } else { /* something has broken with the module */ - _log_err(LOG_ALERT, "password received unknown request"); + _log_err(LOG_ALERT, pamh, + "password received unknown request"); retval = PAM_ABORT; } diff --git a/modules/pam_unix/pam_unix_sess.c b/modules/pam_unix/pam_unix_sess.c index e97bc1f0..faef3e42 100644 --- a/modules/pam_unix/pam_unix_sess.c +++ b/modules/pam_unix/pam_unix_sess.c 
@@ -74,21 +74,23 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t * pamh, int flags, D(("called.")); - ctrl = _set_ctrl(flags, NULL, argc, argv); + ctrl = _set_ctrl(pamh, flags, NULL, argc, argv); retval = pam_get_item(pamh, PAM_USER, (void *) &user_name); if (user_name == NULL || retval != PAM_SUCCESS) { - _log_err(LOG_CRIT, "open_session - error recovering username"); + _log_err(LOG_CRIT, pamh, + "open_session - error recovering username"); return PAM_SESSION_ERR; /* How did we get authenticated with no username?! */ } retval = pam_get_item(pamh, PAM_SERVICE, (void *) &service); if (service == NULL || retval != PAM_SUCCESS) { - _log_err(LOG_CRIT, "open_session - error recovering service"); + _log_err(LOG_CRIT, pamh, + "open_session - error recovering service"); return PAM_SESSION_ERR; } - _log_err(LOG_INFO, "(%s) session opened for user %s by %s(uid=%d)" - ,service, user_name + _log_err(LOG_INFO, pamh, "session opened for user %s by %s(uid=%d)" + ,user_name ,PAM_getlogin() == NULL ? "" : PAM_getlogin(), getuid()); return PAM_SUCCESS; 
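Review bot: After this change `service` in pam_sm_open_session is fetched only so that a NULL result can return PAM_SESSION_ERR; the value no longer appears in the message, and `_log_err` does its own PAM_SERVICE lookup with a `pam_unix` fallback. Either drop the lookup or keep it with a comment that says the failure is deliberate, for example `/* service is no longer logged here; a missing PAM_SERVICE is still treated as fatal */`. pam_sm_close_session in the following hunk has the same leftover.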
@@ -103,21 +105,23 @@ PAM_EXTERN int pam_sm_close_session(pam_handle_t * pamh, int flags, D(("called.")); - ctrl = _set_ctrl(flags, NULL, argc, argv); + ctrl = _set_ctrl(pamh, flags, NULL, argc, argv); retval = pam_get_item(pamh, PAM_USER, (void *) &user_name); if (user_name == NULL || retval != PAM_SUCCESS) { - _log_err(LOG_CRIT, "close_session - error recovering username"); + _log_err(LOG_CRIT, pamh, + "close_session - error recovering username"); return PAM_SESSION_ERR; /* How did we get authenticated with no username?! */ } retval = pam_get_item(pamh, PAM_SERVICE, (void *) &service); if (service == NULL || retval != PAM_SUCCESS) { - _log_err(LOG_CRIT, "close_session - error recovering service"); + _log_err(LOG_CRIT, pamh, + "close_session - error recovering service"); return PAM_SESSION_ERR; } - _log_err(LOG_INFO, "(%s) session closed for user %s" - ,service, user_name); + _log_err(LOG_INFO, pamh, "session closed for user %s" + ,user_name); return PAM_SUCCESS; } diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c index ed64b344..87a5d938 100644 --- a/modules/pam_unix/support.c +++ b/modules/pam_unix/support.c @@ -27,12 +27,23 @@ extern char *bigcrypt(const char *key, const char *salt); /* syslogging function for errors and other information */ -void _log_err(int err, const char *format,...) +void _log_err(int err, pam_handle_t *pamh, const char *format,...) { + char *service = NULL; + char logname[256]; va_list args; + pam_get_item(pamh, PAM_SERVICE, (const void **) &service); + if (service) { + strncpy(logname, service, sizeof(logname)); + logname[sizeof(logname) - 1 - strlen("(pam_unix)")] = '\0'; + strncat(logname, "(pam_unix)", strlen("(pam_unix)")); + } else { + strncpy(logname, "pam_unix", sizeof(logname) - 1); + } + va_start(args, format); - openlog("PAM_unix", LOG_CONS | LOG_PID, LOG_AUTH); + openlog(logname, LOG_CONS | LOG_PID, LOG_AUTH); vsyslog(err, format, args); va_end(args); closelog(); 
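Review bot: `logname` in `_log_err` is an automatic array whose address is handed to `openlog()`; POSIX does not say whether the ident is copied, and some C libraries keep the pointer, so the code is only safe because `closelog()` runs before the function returns, and nothing in the function says so. A comment such as `/* ident lives on our stack: closelog() must stay before return */` would stop a later cleanup from leaving a dangling ident. The strncpy/terminate/strncat sequence stays in bounds as far as I can check the arithmetic, but it is hard to audit; `snprintf(logname, sizeof(logname), "%.*s(pam_unix)", (int)(sizeof(logname) - sizeof("(pam_unix)")), service);` gives the same 245-character cap on the service name in one bounded call. The return value of `pam_get_item` is ignored, which is harmless only because `service` starts out NULL.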
@@ -58,11 +69,12 @@ static int converse(pam_handle_t * pamh, int ctrl, int nargs D(("returned from application's conversation function")); if (retval != PAM_SUCCESS && on(UNIX_DEBUG, ctrl)) { - _log_err(LOG_DEBUG, "conversation failure [%s]" + _log_err(LOG_DEBUG, pamh, "conversation failure [%s]" ,pam_strerror(pamh, retval)); } } else if (retval != PAM_CONV_AGAIN) { - _log_err(LOG_ERR, "couldn't obtain coversation function [%s]" + _log_err(LOG_ERR, pamh + ,"couldn't obtain coversation function [%s]" ,pam_strerror(pamh, retval)); } D(("ready to return from module conversation")); @@ -126,7 +138,8 @@ char *PAM_getlogin(void) * set the control flags for the UNIX module. */ -int _set_ctrl(int flags, int *remember, int argc, const char **argv) +int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int argc, + const char **argv) { unsigned int ctrl; @@ -171,7 +184,8 @@ int _set_ctrl(int flags, int *remember, int argc, const char **argv) } if (j >= UNIX_CTRLS_) { - _log_err(LOG_ERR, "unrecognized option [%s]", *argv); + _log_err(LOG_ERR, pamh, + "unrecognized option [%s]", *argv); } else { ctrl &= unix_args[j].mask; /* for turning things off */ ctrl |= unix_args[j].flag; /* for turning things on */ 
@@ -259,22 +273,21 @@ static void _cleanup_failures(pam_handle_t * pamh, void *fl, int err) (const void **)&rhost); (void) pam_get_item(pamh, PAM_TTY, (const void **)&tty); - _log_err(LOG_NOTICE, + _log_err(LOG_NOTICE, pamh, "%d more authentication failure%s; " "logname=%s uid=%d euid=%d " "tty=%s ruser=%s rhost=%s " - "service=%s%s%s", + "%s%s", failure->count - 1, failure->count == 2 ? "" : "s", failure->name, failure->uid, failure->euid, tty ? tty : "", ruser ? ruser : "", rhost ? rhost : "", - service ? service : "**unknown**", (failure->user && failure->user[0] != '\0') ? " user=" : "", failure->user ); if (failure->count > UNIX_MAX_RETRIES) { - _log_err(LOG_ALERT + _log_err(LOG_ALERT, pamh ,"service(%s) ignoring max retries; %d > %d" ,service == NULL ? "**unknown**" : service ,failure->count @@ -506,7 +519,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name data_name = (char *) malloc(sizeof(FAIL_PREFIX) + strlen(name)); if (data_name == NULL) { - _log_err(LOG_CRIT, "no memory for data-name"); + _log_err(LOG_CRIT, pamh, "no memory for data-name"); } else { strcpy(data_name, FAIL_PREFIX); strcpy(data_name + sizeof(FAIL_PREFIX) - 1, name); @@ -518,15 +531,22 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name /* we are not root perhaps this is the reason? Run helper */ D(("running helper binary")); retval = _unix_run_helper_binary(pamh, p, ctrl); + if (pwd == NULL && !on(UNIX_AUDIT,ctrl) + && retval != PAM_SUCCESS) + { + name = NULL; + } } else { D(("user's record unavailable")); if (on(UNIX_AUDIT, ctrl)) { /* this might be a typo and the user has given a password instead of a username. Careful with this. */ - _log_err(LOG_ALERT, "check pass; user (%s) unknown", name); + _log_err(LOG_ALERT, pamh, + "check pass; user (%s) unknown", name); } else { name = NULL; - _log_err(LOG_ALERT, "check pass; user unknown"); + _log_err(LOG_ALERT, pamh, + "check pass; user unknown"); } p = NULL; retval = PAM_AUTHINFO_UNAVAIL; 
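Review bot: In `_cleanup_failures` the last argument `failure->user` goes to `%s` unconditionally, although the ternary on the line above explicitly allows for it being NULL; passing NULL to `%s` is undefined, and where the libc tolerates it the record ends in a literal `(null)`. The neighbouring `tty`, `ruser` and `rhost` arguments already use the `x ? x : ""` form, so `failure->user ? failure->user : ""` would be consistent. The `authentication failure` call in `_unix_verify_password` (hunk at -608) passes `new->user` the same way, and the hunk at -518 now sets `name = NULL` on one more path; whether that NULL can reach `new->user` is not visible here.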
@@ -608,16 +628,15 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name (void) pam_get_item(pamh, PAM_TTY, (const void **)&tty); - _log_err(LOG_NOTICE, + _log_err(LOG_NOTICE, pamh, "authentication failure; " "logname=%s uid=%d euid=%d " "tty=%s ruser=%s rhost=%s " - "service=%s%s%s", + "%s%s", new->name, new->uid, new->euid, tty ? tty : "", ruser ? ruser : "", rhost ? rhost : "", - service ? service : "**unknown**", (new->user && new->user[0] != '\0') ? " user=" : "", new->user @@ -628,7 +647,8 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name pam_set_data(pamh, data_name, new, _cleanup_failures); } else { - _log_err(LOG_CRIT, "no memory for failure recorder"); + _log_err(LOG_CRIT, pamh, + "no memory for failure recorder"); } } } @@ -684,7 +704,7 @@ int _unix_read_password(pam_handle_t * pamh retval = pam_get_item(pamh, authtok_flag, (const void **) &item); if (retval != PAM_SUCCESS) { /* very strange. */ - _log_err(LOG_ALERT + _log_err(LOG_ALERT, pamh ,"pam_get_item returned error to unix-read-password" ); return retval; @@ -755,7 +775,7 @@ int _unix_read_password(pam_handle_t * pamh } } } else { - _log_err(LOG_NOTICE + _log_err(LOG_NOTICE, pamh ,"could not recover authentication token"); } @@ -775,7 +795,8 @@ int _unix_read_password(pam_handle_t * pamh if (retval != PAM_SUCCESS) { if (on(UNIX_DEBUG, ctrl)) - _log_err(LOG_DEBUG, "unable to obtain a password"); + _log_err(LOG_DEBUG, pamh, + "unable to obtain a password"); return retval; } /* 'token' is the entered password */ @@ -791,7 +812,7 @@ int _unix_read_password(pam_handle_t * pamh ,(const void **) &item)) != PAM_SUCCESS) { - _log_err(LOG_CRIT, "error manipulating password"); + _log_err(LOG_CRIT, pamh, "error manipulating password"); return retval; } 
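Review bot: The `service=` field is dropped from the `authentication failure` record here (and from the `%d more authentication failure` record in `_cleanup_failures`), so the service name is now carried only in the syslog ident that `_log_err` builds, and nothing at the format string records that. Log-monitoring rules keyed on `service=` in the message body would stop matching without any error, and this line is presumably the main failed-login signal the module emits. I would put `/* service name is reported via the syslog ident, see _log_err() */` above the format string and spell the field move out in the CHANGELOG entry. Separately, `tty`, `ruser`, `rhost` and the user name are written unescaped into a space-separated key=value line, so a value containing a space or `=` can be read back as an extra field; that predates this commit but is worth a follow-up.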
@@ -803,7 +824,8 @@ int _unix_read_password(pam_handle_t * pamh retval = pam_set_data(pamh, data_name, (void *) token, _cleanup); if (retval != PAM_SUCCESS) { - _log_err(LOG_CRIT, "error manipulating password data [%s]" + _log_err(LOG_CRIT, pamh + ,"error manipulating password data [%s]" ,pam_strerror(pamh, retval)); _pam_delete(token); return retval; diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h index 419f5273..0b6b6e04 100644 --- a/modules/pam_unix/support.h +++ b/modules/pam_unix/support.h @@ -124,10 +124,11 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = } extern char *PAM_getlogin(void); -extern void _log_err(int err, const char *format,...); +extern void _log_err(int err, pam_handle_t *pamh, const char *format,...); extern int _make_remark(pam_handle_t * pamh, unsigned int ctrl ,int type, const char *text); -extern int _set_ctrl(int flags, int *remember, int argc, const char **argv); +extern int _set_ctrl(pam_handle_t * pamh, int flags, int *remember, int argc, + const char **argv); extern int _unix_blankpasswd(unsigned int ctrl, const char *name); extern int _unix_verify_password(pam_handle_t * pamh, const char *name ,const char *p, unsigned int ctrl); |
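Review bot: The new `_log_err` prototype in support.h carries no printf-format annotation, yet the change is only correct if every call site gained `pamh` by hand. A call that was missed still compiles in C with no more than a pointer-type warning; the old format string then lands in `pamh`, and the first variadic argument, often the user name, is interpreted as the format. Where the compiler supports it, `extern void _log_err(int err, pam_handle_t *pamh, const char *format, ...) __attribute__((format(printf, 3, 4)));` lets `-Wformat` check all of them; the project may prefer to wrap the attribute in its own macro.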