diff options
| author | David Tardon <dtardon@redhat.com> | 2023-06-07 15:16:18 +0200 |
|---|---|---|
| committer | Luca Boccassi <luca.boccassi@gmail.com> | 2023-06-07 22:53:05 +0200 |
| commit | f71b55b51075e7ce42fa0ad4ae5569ba1aea6ee2 (patch) | |
| tree | 4d311be492c002611b45c0ce54f8facbabf9afed /src/home/pam_systemd_home.c | |
| parent | preset: enable systemd-networkd-wait-online.service by default (diff) | |
| download | systemd-f71b55b51075e7ce42fa0ad4ae5569ba1aea6ee2.tar.xz systemd-f71b55b51075e7ce42fa0ad4ae5569ba1aea6ee2.zip | |
pam_systemd_home: suppress LOG_DEBUG msgs if debugging is off
This is a "sequel" to commit 2675747f3cdd6f1e6236bbb2f79abfa53fb307f1 .
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2210770
Diffstat (limited to '')
| -rw-r--r-- | src/home/pam_systemd_home.c | 82 |
1 files changed, 54 insertions, 28 deletions
diff --git a/src/home/pam_systemd_home.c b/src/home/pam_systemd_home.c index db5b1b8d4a..aa93a86ca5 100644 --- a/src/home/pam_systemd_home.c +++ b/src/home/pam_systemd_home.c @@ -91,6 +91,7 @@ static int parse_env( static int acquire_user_record( pam_handle_t *handle, const char *username, + bool debug, UserRecord **ret_record, PamBusData **bus_data) { @@ -148,12 +149,14 @@ static int acquire_user_record( r = bus_call_method(bus, bus_home_mgr, "GetUserRecordByName", &error, &reply, "s", username); if (r < 0) { if (bus_error_is_unknown_service(&error)) { - pam_syslog(handle, LOG_DEBUG, "systemd-homed is not available: %s", bus_error_message(&error, r)); + if (debug) + pam_syslog(handle, LOG_DEBUG, "systemd-homed is not available: %s", bus_error_message(&error, r)); goto user_unknown; } if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_HOME)) { - pam_syslog(handle, LOG_DEBUG, "Not a user managed by systemd-homed: %s", bus_error_message(&error, r)); + if (debug) + pam_syslog(handle, LOG_DEBUG, "Not a user managed by systemd-homed: %s", bus_error_message(&error, r)); goto user_unknown; } @@ -265,7 +268,8 @@ static int handle_generic_user_record_error( const char *user_name, UserRecord *secret, int ret, - const sd_bus_error *error) { + const sd_bus_error *error, + bool debug) { assert(user_name); assert(error); @@ -301,9 +305,11 @@ static int handle_generic_user_record_error( if (r != PAM_SUCCESS) return PAM_CONV_ERR; /* no logging here */ - if (isempty(newp)) - return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR, - "Password request aborted."); + if (isempty(newp)) { + if (debug) + pam_syslog(handle, LOG_DEBUG, "Password request aborted."); + return PAM_AUTHTOK_ERR; + } r = user_record_set_password(secret, STRV_MAKE(newp), true); if (r < 0) @@ -325,9 +331,11 @@ static int handle_generic_user_record_error( if (r != PAM_SUCCESS) return PAM_CONV_ERR; /* no logging here */ - if (isempty(newp)) - return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR, - "Recovery key request aborted."); + if (isempty(newp)) { + if (debug) + pam_syslog(handle, LOG_DEBUG, "Recovery key request aborted."); + return PAM_AUTHTOK_ERR; + } r = user_record_set_password(secret, STRV_MAKE(newp), true); if (r < 0) @@ -348,9 +356,11 @@ static int handle_generic_user_record_error( if (r != PAM_SUCCESS) return PAM_CONV_ERR; /* no logging here */ - if (isempty(newp)) - return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR, - "Password request aborted."); + if (isempty(newp)) { + if (debug) + pam_syslog(handle, LOG_DEBUG, "Password request aborted."); + return PAM_AUTHTOK_ERR; + } r = user_record_set_password(secret, STRV_MAKE(newp), true); @@ -366,8 +376,11 @@ static int handle_generic_user_record_error( if (r != PAM_SUCCESS) return PAM_CONV_ERR; /* no logging here */ - if (isempty(newp)) - return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR, "PIN request aborted."); + if (isempty(newp)) { + if (debug) + pam_syslog(handle, LOG_DEBUG, "PIN request aborted."); + return PAM_AUTHTOK_ERR; + } r = user_record_set_token_pin(secret, STRV_MAKE(newp), false); if (r < 0) @@ -421,8 +434,11 @@ static int handle_generic_user_record_error( if (r != PAM_SUCCESS) return PAM_CONV_ERR; /* no logging here */ - if (isempty(newp)) - return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR, "PIN request aborted."); + if (isempty(newp)) { + if (debug) + pam_syslog(handle, LOG_DEBUG, "PIN request aborted."); + return PAM_AUTHTOK_ERR; + } r = user_record_set_token_pin(secret, STRV_MAKE(newp), false); if (r < 0) @@ -438,8 +454,11 @@ static int handle_generic_user_record_error( if (r != PAM_SUCCESS) return PAM_CONV_ERR; /* no logging here */ - if (isempty(newp)) - return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR, "PIN request aborted."); + if (isempty(newp)) { + if (debug) + pam_syslog(handle, LOG_DEBUG, "PIN request aborted."); + return PAM_AUTHTOK_ERR; + } r = user_record_set_token_pin(secret, STRV_MAKE(newp), false); if (r < 0) @@ -455,8 +474,11 @@ static int handle_generic_user_record_error( if (r != PAM_SUCCESS) return PAM_CONV_ERR; /* no logging here */ - if (isempty(newp)) - return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR, "PIN request aborted."); + if (isempty(newp)) { + if (debug) + pam_syslog(handle, LOG_DEBUG, "PIN request aborted."); + return PAM_AUTHTOK_ERR; + } r = user_record_set_token_pin(secret, STRV_MAKE(newp), false); if (r < 0) @@ -519,7 +541,7 @@ static int acquire_home( if (r != PAM_SUCCESS) return r; - r = acquire_user_record(handle, username, &ur, bus_data); + r = acquire_user_record(handle, username, debug, &ur, bus_data); if (r != PAM_SUCCESS) return r; @@ -586,7 +608,7 @@ static int acquire_home( else if (sd_bus_error_has_name(&error, BUS_ERROR_HOME_LOCKED)) home_locked = true; /* Similar */ else { - r = handle_generic_user_record_error(handle, ur->user_name, secret, r, &error); + r = handle_generic_user_record_error(handle, ur->user_name, secret, r, &error, debug); if (r == PAM_CONV_ERR) { /* Password/PIN prompts will fail in certain environments, for example when * we are called from OpenSSH's account or session hooks, or in systemd's @@ -598,7 +620,8 @@ static int acquire_home( if (home_locked) (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Home of user %s is currently locked, please unlock locally first.", ur->user_name); - pam_syslog(handle, please_authenticate ? LOG_ERR : LOG_DEBUG, "Failed to prompt for password/prompt."); + if (please_authenticate || debug) + pam_syslog(handle, please_authenticate ? LOG_ERR : LOG_DEBUG, "Failed to prompt for password/prompt."); return home_not_active || home_locked ? PAM_PERM_DENIED : PAM_CONV_ERR; } @@ -837,7 +860,7 @@ _public_ PAM_EXTERN int pam_sm_acct_mgmt( if (r != PAM_SUCCESS) return r; - r = acquire_user_record(handle, NULL, &ur, NULL); + r = acquire_user_record(handle, NULL, debug, &ur, NULL); if (r != PAM_SUCCESS) return r; @@ -949,7 +972,7 @@ _public_ PAM_EXTERN int pam_sm_chauthtok( if (r != PAM_SUCCESS) return r; - r = acquire_user_record(handle, NULL, &ur, NULL); + r = acquire_user_record(handle, NULL, debug, &ur, NULL); if (r != PAM_SUCCESS) return r; @@ -970,8 +993,11 @@ _public_ PAM_EXTERN int pam_sm_chauthtok( if (r != PAM_SUCCESS) return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to get new password: @PAMERR@"); - if (isempty(new_password)) - return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR, "Password request aborted."); + if (isempty(new_password)) { + if (debug) + pam_syslog(handle, LOG_DEBUG, "Password request aborted."); + return PAM_AUTHTOK_ERR; + } r = pam_get_authtok_verify(handle, &new_password, "new password: "); /* Lower case, since PAM prefixes 'Repeat' */ if (r != PAM_SUCCESS) @@ -1026,7 +1052,7 @@ _public_ PAM_EXTERN int pam_sm_chauthtok( r = sd_bus_call(bus, m, HOME_SLOW_BUS_CALL_TIMEOUT_USEC, &error, NULL); if (r < 0) { - r = handle_generic_user_record_error(handle, ur->user_name, old_secret, r, &error); + r = handle_generic_user_record_error(handle, ur->user_name, old_secret, r, &error, debug); if (r == PAM_CONV_ERR) return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to prompt for password/prompt."); |