authorAndreas Vögele <andreas@andreasvoegele.com>2024-01-05 12:08:29 +0100
committerDmitry V. Levin <ldv@strace.io>2024-01-13 08:00:00 +0000
commit2894abec4d2bf487348994f1703671a5e039c0f9 (patch)
treee084e59f79ddbc1598a6e3b4350ab647f7ca96f9 /modules
parentf531148ae4920eced517cf9e89108510ec59f32a (diff)
pam_access: add quiet_log option
If quiet_log option is specified, no "access denied" message is logged. * modules/pam_access/pam_access.c (struct login_info): Add quiet_log. (parse_args): Initialize it. (pam_sm_authenticate): Use it. * modules/pam_access/pam_access.8.xml: Document quiet_log option. Closes: https://github.com/linux-pam/linux-pam/issues/706
Diffstat (limited to 'modules')
-rw-r--r--modules/pam_access/pam_access.8.xml17
-rw-r--r--modules/pam_access/pam_access.c10
2 files changed, 24 insertions, 3 deletions
diff --git a/modules/pam_access/pam_access.8.xml b/modules/pam_access/pam_access.8.xml
index 010e749e..c991d7a0 100644
--- a/modules/pam_access/pam_access.8.xml
+++ b/modules/pam_access/pam_access.8.xml
@@ -29,6 +29,9 @@
noaudit
</arg>
<arg choice="opt" rep="norepeat">
+ quiet_log
+ </arg>
+ <arg choice="opt" rep="norepeat">
accessfile=<replaceable>file</replaceable>
</arg>
<arg choice="opt" rep="norepeat">
@@ -131,6 +134,18 @@
<varlistentry>
<term>
+ quiet_log
+ </term>
+ <listitem>
+ <para>
+ Do not log denials with
+ <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
fieldsep=separators
</term>
<listitem>
@@ -286,4 +301,4 @@
was developed and provided by Mike Becher &lt;mike.becher@lrz-muenchen.de&gt;.
</para>
</refsect1>
-</refentry> \ No newline at end of file
+</refentry>
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
index 1bb7a70b..f52ab2c3 100644
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
@@ -99,6 +99,7 @@ struct login_info {
int debug; /* Print debugging messages. */
int only_new_group_syntax; /* Only allow group entries of the form "(xyz)" */
int noaudit; /* Do not audit denials */
+ int quiet_log; /* Do not log denials */
const char *fs; /* field separator */
const char *sep; /* list-element separator */
int from_remote_host; /* If PAM_RHOST was used for from */
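Review bot: The field comment `/* Do not log denials */` on quiet_log reads almost the same as the noaudit comment on the line above, and it does not say which log is meant. In the visible hunks the flag only guards the "access denied" pam_syslog() call in pam_sm_authenticate, so a comment such as `int quiet_log; /* Do not syslog the "access denied" message */` would keep the two options distinguishable for the next reader. The struct definition starts and ends outside the hunk.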
@@ -115,6 +116,7 @@ parse_args(pam_handle_t *pamh, struct login_info *loginfo,
int i;
loginfo->noaudit = NO;
+ loginfo->quiet_log = NO;
loginfo->debug = NO;
loginfo->only_new_group_syntax = NO;
loginfo->fs = ":";
@@ -150,6 +152,8 @@ parse_args(pam_handle_t *pamh, struct login_info *loginfo,
loginfo->only_new_group_syntax = YES;
} else if (strcmp (argv[i], "noaudit") == 0) {
loginfo->noaudit = YES;
+ } else if (strcmp (argv[i], "quiet_log") == 0) {
+ loginfo->quiet_log = YES;
} else {
pam_syslog(pamh, LOG_ERR, "unrecognized option [%s]", argv[i]);
}
@@ -1105,8 +1109,10 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
if (rv) {
return (PAM_SUCCESS);
} else {
- pam_syslog(pamh, LOG_ERR,
- "access denied for user `%s' from `%s'",user,from);
+ if (!loginfo.quiet_log) {
+ pam_syslog(pamh, LOG_ERR,
+ "access denied for user `%s' from `%s'",user,from);
+ }
return (PAM_PERM_DENIED);
}
}
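Review bot: With `quiet_log` set, the only syslog trace of a denial in this branch disappears, and the hunk keeps no lower-priority record for operators who monitor rejected logins. If `noaudit` is set as well, a denial presumably leaves no record from this module at all; the audit call is not visible here, so that needs confirming against the rest of the file. Consider still emitting the message when debugging is enabled, `if (!loginfo.quiet_log || loginfo.debug) {`, and stating the combined effect of both options in pam_access.8.xml. pam_sm_authenticate starts outside the hunk.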