pam/pam-1.3.1-unix-improve-logging.patch

From a6845905869ccabb5eb802be37241eabec085dc7 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Mon, 14 Oct 2019 16:52:46 +0200
Subject: [PATCH] pam_unix: Add logging useful for debugging problems

Two messages added about obtaining the username are guarded
by the debug option as these should not be normally
logged - they can be useful for debugging but they do not
indicate any special condition.

The message about authenticating user with blank password is
still just LOG_DEBUG priority but it is logged unconditionally
because it is somewhat extraordinary condition to have an user
with blank password.

* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace
  D() macro calls which are not enabled on production builds with
  regular pam_syslog() calls.
---
 modules/pam_unix/pam_unix_auth.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c
index 681e49d..3fca945 100644
--- a/modules/pam_unix/pam_unix_auth.c
+++ b/modules/pam_unix/pam_unix_auth.c
@@ -130,15 +130,16 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 			AUTH_RETURN;
 		}
 		if (on(UNIX_DEBUG, ctrl))
-			D(("username [%s] obtained", name));
+			pam_syslog(pamh, LOG_DEBUG, "username [%s] obtained", name);
 	} else {
-		D(("trouble reading username"));
 		if (retval == PAM_CONV_AGAIN) {
 			D(("pam_get_user/conv() function is not ready yet"));
 			/* it is safe to resume this function so we translate this
 			 * retval to the value that indicates we're happy to resume.
 			 */
 			retval = PAM_INCOMPLETE;
+		} else if (on(UNIX_DEBUG, ctrl)) {
+			pam_syslog(pamh, LOG_DEBUG, "could not obtain username");
 		}
 		AUTH_RETURN;
 	}
@@ -146,7 +147,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 	/* if this user does not have a password... */
 
 	if (_unix_blankpasswd(pamh, ctrl, name)) {
-		D(("user '%s' has blank passwd", name));
+		pam_syslog(pamh, LOG_DEBUG, "user [%s] has blank password; authenticated without it", name);
 		name = NULL;
 		retval = PAM_SUCCESS;
 		AUTH_RETURN;
-- 
2.20.1
Multiple fixes and enhancements pam_namespace: Support noexec, nosuid and nodev flags for tmpfs mounts Drop tallylog and pam_tally documentation pam_faillock: Support local_users_only option pam_lastlog: Do not display failed attempts with PAM_SILENT flag pam_lastlog: Support unlimited option to override fsize limit pam_unix: Log if user authenticated without password pam_tty_audit: Improve manual page Optimize closing fds when spawning helpers Fix duplicate password verification in pam_authtok_verify() 2019-10-16 14:35:57 +00:00			`From a6845905869ccabb5eb802be37241eabec085dc7 Mon Sep 17 00:00:00 2001`
			`From: Tomas Mraz <tmraz@fedoraproject.org>`
			`Date: Mon, 14 Oct 2019 16:52:46 +0200`
			`Subject: [PATCH] pam_unix: Add logging useful for debugging problems`

			`Two messages added about obtaining the username are guarded`
			`by the debug option as these should not be normally`
			`logged - they can be useful for debugging but they do not`
			`indicate any special condition.`

			`The message about authenticating user with blank password is`
			`still just LOG_DEBUG priority but it is logged unconditionally`
			`because it is somewhat extraordinary condition to have an user`
			`with blank password.`

			`* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace`
			`D() macro calls which are not enabled on production builds with`
			`regular pam_syslog() calls.`
			`---`
			`modules/pam_unix/pam_unix_auth.c \| 7 ++++---`
			`1 file changed, 4 insertions(+), 3 deletions(-)`

			`diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c`
			`index 681e49d..3fca945 100644`
			`--- a/modules/pam_unix/pam_unix_auth.c`
			`+++ b/modules/pam_unix/pam_unix_auth.c`
			`@@ -130,15 +130,16 @@ pam_sm_authenticate(pam_handle_t pamh, int flags, int argc, const char *argv)`
			`AUTH_RETURN;`
			`}`
			`if (on(UNIX_DEBUG, ctrl))`
			`- D(("username [%s] obtained", name));`
			`+ pam_syslog(pamh, LOG_DEBUG, "username [%s] obtained", name);`
			`} else {`
			`- D(("trouble reading username"));`
			`if (retval == PAM_CONV_AGAIN) {`
			`D(("pam_get_user/conv() function is not ready yet"));`
			`/* it is safe to resume this function so we translate this`
			`* retval to the value that indicates we're happy to resume.`
			`*/`
			`retval = PAM_INCOMPLETE;`
			`+ } else if (on(UNIX_DEBUG, ctrl)) {`
			`+ pam_syslog(pamh, LOG_DEBUG, "could not obtain username");`
			`}`
			`AUTH_RETURN;`
			`}`
			`@@ -146,7 +147,7 @@ pam_sm_authenticate(pam_handle_t pamh, int flags, int argc, const char *argv)`
			`/* if this user does not have a password... */`

			`if (_unix_blankpasswd(pamh, ctrl, name)) {`
			`- D(("user '%s' has blank passwd", name));`
			`+ pam_syslog(pamh, LOG_DEBUG, "user [%s] has blank password; authenticated without it", name);`
			`name = NULL;`
			`retval = PAM_SUCCESS;`
			`AUTH_RETURN;`
			`--`
			`2.20.1`