Bug#451521: small logging improvement to login
I did not apply this patch, but another which should also solve your issue. Thanks a lot! Your changes make more sense than mine. -- Kind regards, Thiemo -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#451521: small logging improvement to login
tags 451521 fixed-upstream thanks Hello, On Fri, Nov 16, 2007 at 03:42:32PM +0100, [EMAIL PROTECTED] wrote: I'm sending a small patch to improve logging of login. When getpwnam() fails inside the PAM section, login would just silently quit, which caused me a considerable amount of pain while debugging my setup. I thought, I'd help avoid others falling into that trap in the future. Thanks for the patch. I did not apply this patch, but another which should also solve your issue. * setup_groups already log information about the issue, so an additional log is not required. * if the password entry could not be retrieved, it is not recommended to log the username: users sometimes enter their password instead of login. This is the default behavior, which can be turned off with LOG_UNKFAIL_ENAB in /etc/login.defs. Please find attached the patch applied upstream for the next version. -- Nekral ? shadow-4.0.18.2.tar.bz2 ? man_po ? gen_translations.sh ? table_translations_doc.php ? table_translations_bin.php ? src/usermod.c.nf ? src/userdel.c.nf M src/login.c M ChangeLog
Bug#451521: small logging improvement to login
And now, the real patch...
--
Nekral
Index: ChangeLog
===
--- ChangeLog (révision 1365)
+++ ChangeLog (révision 1366)
@@ -1,5 +1,11 @@
2007-11-17 Nicolas François [EMAIL PROTECTED]
+ * src/login.c: Log an error if the password entry could not be
+ found (respect LOG_UNKFAIL_ENAB to avoid logging a password). This
+ fixes the Debian bug http://bugs.debian.org/451521
+
+2007-11-17 Nicolas François [EMAIL PROTECTED]
+
* man/useradd.8.xml: -b documenation: Use the same notation for
the -d argument as in the -d documentation.
Index: src/login.c
===
--- src/login.c (révision 1365)
+++ src/login.c (révision 1366)
@@ -739,17 +739,23 @@
pam_get_item (pamh, PAM_USER, (const void **) pam_user);
setpwent ();
pwd = getpwnam (pam_user);
+ if (!pwd) {
+ SYSLOG ((LOG_ERR, getpwnam(%s) failed,
+ getdef_bool (LOG_UNKFAIL_ENAB) ?
+ pam_user : UNKNOWN));
+ exit (1);
+ }
if (fflg) {
retcode = pam_acct_mgmt (pamh, 0);
PAM_FAIL_CHECK;
}
- if (!pwd || setup_groups (pwd))
+ if (setup_groups (pwd)) {
exit (1);
- else
- pwent = *pwd;
+ pwent = *pwd;
+
retcode = pam_setcred (pamh, PAM_ESTABLISH_CRED);
PAM_FAIL_CHECK;
Bug#451521: small logging improvement to login
Package: login
Version: 1:4.0.18.1-7
Severity: wishlist
Tags: patch
I'm sending a small patch to improve logging of login. When getpwnam() fails
inside the PAM section, login
would just silently quit, which caused me a considerable amount of pain while
debugging my setup. I thought,
I'd help avoid others falling into that trap in the future.
Kind regards,
Thiemo
--- login.c-orig2007-11-16 15:23:59.0 +0100
+++ login.c 2007-11-16 15:32:17.0 +0100
@@ -745,10 +745,18 @@
PAM_FAIL_CHECK;
}
- if (!pwd || setup_groups (pwd))
+ if (!pwd) {
+ SYSLOG ((LOG_ERR, getpwnam(%s) failed, pam_user));
exit (1);
- else
- pwent = *pwd;
+ }
+
+ if (setup_groups (pwd)) {
+ SYSLOG ((LOG_ERR, setup_groups() failed for user %s,
+pam_user));
+ exit (1);
+ }
+
+ pwent = *pwd;
retcode = pam_setcred (pamh, PAM_ESTABLISH_CRED);
PAM_FAIL_CHECK;
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-486
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages login depends on:
ii libc6 2.3.6.ds1-13etch2 GNU C Library: Shared libraries
ii libpam-modules 0.79-4Pluggable Authentication Modules f
ii libpam-runtime 0.79-4Runtime support for the PAM librar
ii libpam0g 0.79-4Pluggable Authentication Modules l
login recommends no packages.
-- no debconf information
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
