Bug#451521: small logging improvement to login
> I did not apply this patch, but another which should also solve your issue.

Thanks a lot! Your changes make more sense than mine.

--
Kind regards,
Thiemo

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#451521: small logging improvement to login
tags 451521 fixed-upstream
thanks

Hello,

On Fri, Nov 16, 2007 at 03:42:32PM +0100, [EMAIL PROTECTED] wrote:
> I'm sending a small patch to improve logging of login. When getpwnam() fails inside the PAM section, login would just silently quit, which caused me a considerable amount of pain while debugging my setup. I thought, I'd help avoid others falling into that trap in the future.

Thanks for the patch.

I did not apply this patch, but another which should also solve your issue.

* setup_groups already logs information about the issue, so an additional log is not required.
* if the password entry could not be retrieved, it is not recommended to log the username: users sometimes enter their password instead of login. This is the default behavior, which can be turned off with LOG_UNKFAIL_ENAB in /etc/login.defs.

Please find attached the patch applied upstream for the next version.

--
Nekral

? shadow-4.0.18.2.tar.bz2
? man_po
? gen_translations.sh
? table_translations_doc.php
? table_translations_bin.php
? src/usermod.c.nf
? src/userdel.c.nf
M src/login.c
M ChangeLog
Bug#451521: small logging improvement to login
And now, the real patch... -- Nekral Index: ChangeLog === --- ChangeLog (révision 1365) +++ ChangeLog (révision 1366) @@ -1,5 +1,11 @@ 2007-11-17 Nicolas François [EMAIL PROTECTED] + * src/login.c: Log an error if the password entry could not be + found (respect LOG_UNKFAIL_ENAB to avoid logging a password). This + fixes the Debian bug http://bugs.debian.org/451521 + +2007-11-17 Nicolas François [EMAIL PROTECTED] + * man/useradd.8.xml: -b documenation: Use the same notation for the -d argument as in the -d documentation. Index: src/login.c === --- src/login.c (révision 1365) +++ src/login.c (révision 1366) @@ -739,17 +739,23 @@ pam_get_item (pamh, PAM_USER, (const void **) pam_user); setpwent (); pwd = getpwnam (pam_user); + if (!pwd) { + SYSLOG ((LOG_ERR, getpwnam(%s) failed, + getdef_bool (LOG_UNKFAIL_ENAB) ? + pam_user : UNKNOWN)); + exit (1); + } if (fflg) { retcode = pam_acct_mgmt (pamh, 0); PAM_FAIL_CHECK; } - if (!pwd || setup_groups (pwd)) + if (setup_groups (pwd)) { exit (1); - else - pwent = *pwd; + pwent = *pwd; + retcode = pam_setcred (pamh, PAM_ESTABLISH_CRED); PAM_FAIL_CHECK;
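Review bot: in the src/login.c hunk, the block opened by "if (setup_groups (pwd)) {" is never closed in the lines shown: no "+ }" follows "exit (1);", so "pwent = *pwd;" ends up inside the braces after the exit call and the braces are unbalanced. The hunk header's net growth of six lines matches the nine additions and three removals shown, so the brace does not look like something lost in transit. Add the closing brace directly after "exit (1);" so the assignment runs on the success path. A smaller point: the new "if (!pwd)" exit now sits before the fflg pam_acct_mgmt call, whereas the old "!pwd" test came after it, so with -f the account check is no longer reached for an unknown user; if that reordering is intended, the ChangeLog entry should say so.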
Bug#451521: small logging improvement to login
Package: login
Version: 1:4.0.18.1-7
Severity: wishlist
Tags: patch

I'm sending a small patch to improve logging of login. When getpwnam() fails inside the PAM section, login would just silently quit, which caused me a considerable amount of pain while debugging my setup. I thought, I'd help avoid others falling into that trap in the future.

Kind regards,
Thiemo

--- login.c-orig2007-11-16 15:23:59.0 +0100 +++ login.c 2007-11-16 15:32:17.0 +0100 @@ -745,10 +745,18 @@ PAM_FAIL_CHECK; } - if (!pwd || setup_groups (pwd)) + if (!pwd) { + SYSLOG ((LOG_ERR, getpwnam(%s) failed, pam_user)); exit (1); - else - pwent = *pwd; + } + + if (setup_groups (pwd)) { + SYSLOG ((LOG_ERR, setup_groups() failed for user %s, +pam_user)); + exit (1); + } + + pwent = *pwd; retcode = pam_setcred (pamh, PAM_ESTABLISH_CRED); PAM_FAIL_CHECK;

-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-486
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages login depends on:
ii libc6 2.3.6.ds1-13etch2 GNU C Library: Shared libraries
ii libpam-modules 0.79-4 Pluggable Authentication Modules f
ii libpam-runtime 0.79-4 Runtime support for the PAM librar
ii libpam0g 0.79-4 Pluggable Authentication Modules l

login recommends no packages.

-- no debconf information
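Review bot: the added "getpwnam(%s) failed" message in the "if (!pwd)" branch passes pam_user to SYSLOG unconditionally, on exactly the path where the name did not resolve to an account. What was typed at the login prompt in that case may be a password entered in the wrong field, and this would write it to the system log in clear text. Log a fixed placeholder there unless the administrator has enabled LOG_UNKFAIL_ENAB in /etc/login.defs. For the second added message, check whether setup_groups() already reports its own failure before adding another log line in the caller.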