mirror of
https://github.com/systemd/systemd.git
synced 2024-10-27 01:55:22 +03:00
pam_systemd_home: suppress LOG_DEBUG msgs if debugging is off
This is a "sequel" to commit 2675747f3c
.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2210770
This commit is contained in:
parent
615d795d9a
commit
f71b55b510
@ -91,6 +91,7 @@ static int parse_env(
|
||||
static int acquire_user_record(
|
||||
pam_handle_t *handle,
|
||||
const char *username,
|
||||
bool debug,
|
||||
UserRecord **ret_record,
|
||||
PamBusData **bus_data) {
|
||||
|
||||
@ -148,12 +149,14 @@ static int acquire_user_record(
|
||||
r = bus_call_method(bus, bus_home_mgr, "GetUserRecordByName", &error, &reply, "s", username);
|
||||
if (r < 0) {
|
||||
if (bus_error_is_unknown_service(&error)) {
|
||||
pam_syslog(handle, LOG_DEBUG, "systemd-homed is not available: %s", bus_error_message(&error, r));
|
||||
if (debug)
|
||||
pam_syslog(handle, LOG_DEBUG, "systemd-homed is not available: %s", bus_error_message(&error, r));
|
||||
goto user_unknown;
|
||||
}
|
||||
|
||||
if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_HOME)) {
|
||||
pam_syslog(handle, LOG_DEBUG, "Not a user managed by systemd-homed: %s", bus_error_message(&error, r));
|
||||
if (debug)
|
||||
pam_syslog(handle, LOG_DEBUG, "Not a user managed by systemd-homed: %s", bus_error_message(&error, r));
|
||||
goto user_unknown;
|
||||
}
|
||||
|
||||
@ -265,7 +268,8 @@ static int handle_generic_user_record_error(
|
||||
const char *user_name,
|
||||
UserRecord *secret,
|
||||
int ret,
|
||||
const sd_bus_error *error) {
|
||||
const sd_bus_error *error,
|
||||
bool debug) {
|
||||
|
||||
assert(user_name);
|
||||
assert(error);
|
||||
@ -301,9 +305,11 @@ static int handle_generic_user_record_error(
|
||||
if (r != PAM_SUCCESS)
|
||||
return PAM_CONV_ERR; /* no logging here */
|
||||
|
||||
if (isempty(newp))
|
||||
return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR,
|
||||
"Password request aborted.");
|
||||
if (isempty(newp)) {
|
||||
if (debug)
|
||||
pam_syslog(handle, LOG_DEBUG, "Password request aborted.");
|
||||
return PAM_AUTHTOK_ERR;
|
||||
}
|
||||
|
||||
r = user_record_set_password(secret, STRV_MAKE(newp), true);
|
||||
if (r < 0)
|
||||
@ -325,9 +331,11 @@ static int handle_generic_user_record_error(
|
||||
if (r != PAM_SUCCESS)
|
||||
return PAM_CONV_ERR; /* no logging here */
|
||||
|
||||
if (isempty(newp))
|
||||
return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR,
|
||||
"Recovery key request aborted.");
|
||||
if (isempty(newp)) {
|
||||
if (debug)
|
||||
pam_syslog(handle, LOG_DEBUG, "Recovery key request aborted.");
|
||||
return PAM_AUTHTOK_ERR;
|
||||
}
|
||||
|
||||
r = user_record_set_password(secret, STRV_MAKE(newp), true);
|
||||
if (r < 0)
|
||||
@ -348,9 +356,11 @@ static int handle_generic_user_record_error(
|
||||
if (r != PAM_SUCCESS)
|
||||
return PAM_CONV_ERR; /* no logging here */
|
||||
|
||||
if (isempty(newp))
|
||||
return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR,
|
||||
"Password request aborted.");
|
||||
if (isempty(newp)) {
|
||||
if (debug)
|
||||
pam_syslog(handle, LOG_DEBUG, "Password request aborted.");
|
||||
return PAM_AUTHTOK_ERR;
|
||||
}
|
||||
|
||||
|
||||
r = user_record_set_password(secret, STRV_MAKE(newp), true);
|
||||
@ -366,8 +376,11 @@ static int handle_generic_user_record_error(
|
||||
if (r != PAM_SUCCESS)
|
||||
return PAM_CONV_ERR; /* no logging here */
|
||||
|
||||
if (isempty(newp))
|
||||
return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR, "PIN request aborted.");
|
||||
if (isempty(newp)) {
|
||||
if (debug)
|
||||
pam_syslog(handle, LOG_DEBUG, "PIN request aborted.");
|
||||
return PAM_AUTHTOK_ERR;
|
||||
}
|
||||
|
||||
r = user_record_set_token_pin(secret, STRV_MAKE(newp), false);
|
||||
if (r < 0)
|
||||
@ -421,8 +434,11 @@ static int handle_generic_user_record_error(
|
||||
if (r != PAM_SUCCESS)
|
||||
return PAM_CONV_ERR; /* no logging here */
|
||||
|
||||
if (isempty(newp))
|
||||
return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR, "PIN request aborted.");
|
||||
if (isempty(newp)) {
|
||||
if (debug)
|
||||
pam_syslog(handle, LOG_DEBUG, "PIN request aborted.");
|
||||
return PAM_AUTHTOK_ERR;
|
||||
}
|
||||
|
||||
r = user_record_set_token_pin(secret, STRV_MAKE(newp), false);
|
||||
if (r < 0)
|
||||
@ -438,8 +454,11 @@ static int handle_generic_user_record_error(
|
||||
if (r != PAM_SUCCESS)
|
||||
return PAM_CONV_ERR; /* no logging here */
|
||||
|
||||
if (isempty(newp))
|
||||
return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR, "PIN request aborted.");
|
||||
if (isempty(newp)) {
|
||||
if (debug)
|
||||
pam_syslog(handle, LOG_DEBUG, "PIN request aborted.");
|
||||
return PAM_AUTHTOK_ERR;
|
||||
}
|
||||
|
||||
r = user_record_set_token_pin(secret, STRV_MAKE(newp), false);
|
||||
if (r < 0)
|
||||
@ -455,8 +474,11 @@ static int handle_generic_user_record_error(
|
||||
if (r != PAM_SUCCESS)
|
||||
return PAM_CONV_ERR; /* no logging here */
|
||||
|
||||
if (isempty(newp))
|
||||
return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR, "PIN request aborted.");
|
||||
if (isempty(newp)) {
|
||||
if (debug)
|
||||
pam_syslog(handle, LOG_DEBUG, "PIN request aborted.");
|
||||
return PAM_AUTHTOK_ERR;
|
||||
}
|
||||
|
||||
r = user_record_set_token_pin(secret, STRV_MAKE(newp), false);
|
||||
if (r < 0)
|
||||
@ -519,7 +541,7 @@ static int acquire_home(
|
||||
if (r != PAM_SUCCESS)
|
||||
return r;
|
||||
|
||||
r = acquire_user_record(handle, username, &ur, bus_data);
|
||||
r = acquire_user_record(handle, username, debug, &ur, bus_data);
|
||||
if (r != PAM_SUCCESS)
|
||||
return r;
|
||||
|
||||
@ -586,7 +608,7 @@ static int acquire_home(
|
||||
else if (sd_bus_error_has_name(&error, BUS_ERROR_HOME_LOCKED))
|
||||
home_locked = true; /* Similar */
|
||||
else {
|
||||
r = handle_generic_user_record_error(handle, ur->user_name, secret, r, &error);
|
||||
r = handle_generic_user_record_error(handle, ur->user_name, secret, r, &error, debug);
|
||||
if (r == PAM_CONV_ERR) {
|
||||
/* Password/PIN prompts will fail in certain environments, for example when
|
||||
* we are called from OpenSSH's account or session hooks, or in systemd's
|
||||
@ -598,7 +620,8 @@ static int acquire_home(
|
||||
if (home_locked)
|
||||
(void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Home of user %s is currently locked, please unlock locally first.", ur->user_name);
|
||||
|
||||
pam_syslog(handle, please_authenticate ? LOG_ERR : LOG_DEBUG, "Failed to prompt for password/prompt.");
|
||||
if (please_authenticate || debug)
|
||||
pam_syslog(handle, please_authenticate ? LOG_ERR : LOG_DEBUG, "Failed to prompt for password/prompt.");
|
||||
|
||||
return home_not_active || home_locked ? PAM_PERM_DENIED : PAM_CONV_ERR;
|
||||
}
|
||||
@ -837,7 +860,7 @@ _public_ PAM_EXTERN int pam_sm_acct_mgmt(
|
||||
if (r != PAM_SUCCESS)
|
||||
return r;
|
||||
|
||||
r = acquire_user_record(handle, NULL, &ur, NULL);
|
||||
r = acquire_user_record(handle, NULL, debug, &ur, NULL);
|
||||
if (r != PAM_SUCCESS)
|
||||
return r;
|
||||
|
||||
@ -949,7 +972,7 @@ _public_ PAM_EXTERN int pam_sm_chauthtok(
|
||||
if (r != PAM_SUCCESS)
|
||||
return r;
|
||||
|
||||
r = acquire_user_record(handle, NULL, &ur, NULL);
|
||||
r = acquire_user_record(handle, NULL, debug, &ur, NULL);
|
||||
if (r != PAM_SUCCESS)
|
||||
return r;
|
||||
|
||||
@ -970,8 +993,11 @@ _public_ PAM_EXTERN int pam_sm_chauthtok(
|
||||
if (r != PAM_SUCCESS)
|
||||
return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to get new password: @PAMERR@");
|
||||
|
||||
if (isempty(new_password))
|
||||
return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR, "Password request aborted.");
|
||||
if (isempty(new_password)) {
|
||||
if (debug)
|
||||
pam_syslog(handle, LOG_DEBUG, "Password request aborted.");
|
||||
return PAM_AUTHTOK_ERR;
|
||||
}
|
||||
|
||||
r = pam_get_authtok_verify(handle, &new_password, "new password: "); /* Lower case, since PAM prefixes 'Repeat' */
|
||||
if (r != PAM_SUCCESS)
|
||||
@ -1026,7 +1052,7 @@ _public_ PAM_EXTERN int pam_sm_chauthtok(
|
||||
|
||||
r = sd_bus_call(bus, m, HOME_SLOW_BUS_CALL_TIMEOUT_USEC, &error, NULL);
|
||||
if (r < 0) {
|
||||
r = handle_generic_user_record_error(handle, ur->user_name, old_secret, r, &error);
|
||||
r = handle_generic_user_record_error(handle, ur->user_name, old_secret, r, &error, debug);
|
||||
if (r == PAM_CONV_ERR)
|
||||
return pam_syslog_pam_error(handle, LOG_ERR, r,
|
||||
"Failed to prompt for password/prompt.");
|
||||
|
Loading…
Reference in New Issue
Block a user