Hi,

Users don't care about these messages, and printing them breaks the old
security maxim of not telling an attacker why they weren't able to get in.

-i

diff --git a/loginutils/login.c b/loginutils/login.c
index 31b25a4..2572e29 100644
--- a/loginutils/login.c
+++ b/loginutils/login.c
@@ -409,8 +409,8 @@ int login_main(int argc UNUSED_PARAM, char **argv)
                break; /* success, continue login process */

  pam_auth_failed:
-               bb_error_msg("pam_%s call failed: %s (%d)", failed_msg,
-                                       pam_strerror(pamh, pamret), pamret);
+               syslog(LOG_WARNING, "pam_%s call failed: %s (%d)", failed_msg,
+                      pam_strerror(pamh, pamret), pamret);
                safe_strncpy(username, "UNKNOWN", sizeof(username));
 #else /* not PAM */
                pw = getpwnam(username);
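Review bot: The new `syslog(LOG_WARNING, ...)` call under `pam_auth_failed` names no facility, so the record goes to whatever facility an earlier `openlog()` selected, or to the default user facility if none was called; nothing in this hunk shows which. With the terminal message gone, this is the only remaining trace of a PAM failure, so it should land in the auth log that monitoring watches. Either confirm that `login_main` calls `openlog()` with `LOG_AUTH` before this point, or write `syslog(LOG_AUTH | LOG_WARNING, ...)`. A short comment such as `/* syslog only: do not tell the user on the terminal why PAM rejected the attempt */` would also keep a later cleanup from restoring the stderr message. `login_main` starts and ends outside the hunk.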