authorTomas Mraz <tm@t8m.info>2008-11-24 13:56:29 +0000
committerTomas Mraz <tm@t8m.info>2008-11-24 13:56:29 +0000
commite6364f057ddd81b7eb06487047b20a04f29022af (patch)
tree42e58be4648d06fb5d27e30d5989a4487b8d91fa
parentbc32e648b76cb6eef5a3dd4720a7384d918ca6fb (diff)
Relevant BUGIDs: rhbz#471762
Purpose of commit: new feature Commit summary: --------------- 2008-11-24 Tomas Mraz <t8m@centrum.cz> * libpam/pam_handlers.c (_pam_parse_conf_file): '-' at beginning of type token marks silent module. (_pam_load_module): Add handler_type parameter. Do not log module load error if module is silent. (_pam_add_handler): Pass handler_type to _pam_load_module(). * libpam/pam_private.h: Add PAM_HT_SILENT_MODULE. * doc/man/pam.conf-syntax.xml: Document the '-' at beginning of type.
-rw-r--r--NEWS1
-rw-r--r--doc/man/pam.conf-syntax.xml8
-rw-r--r--libpam/pam_handlers.c56
-rw-r--r--libpam/pam_private.h1
4 files changed, 43 insertions, 23 deletions
diff --git a/NEWS b/NEWS
index c406472f..932d90c8 100644
--- a/NEWS
+++ b/NEWS
@@ -17,6 +17,7 @@ Release 1.0.90
* New pam_pwhistory module to store last used passwords
* New pam_tally2 module similar to pam_tally with wordsize independent
tally data format
+* Make libpam not log missing module if its type is prepended with '-'
Release 1.0.2
diff --git a/doc/man/pam.conf-syntax.xml b/doc/man/pam.conf-syntax.xml
index 1460c6f6..ced8ff1f 100644
--- a/doc/man/pam.conf-syntax.xml
+++ b/doc/man/pam.conf-syntax.xml
@@ -102,6 +102,14 @@
</listitem>
</varlistentry>
</variablelist>
+ <para>
+ If the <emphasis>type</emphasis> value from the list above is prepended
+ with a <emphasis>-</emphasis> character the PAM library will not log to
+ the system log if it is not possible to load the module because it is
+ missing in the system. This can be useful especially for modules which
+ are not always installed on the system and are not required for correct
+ authentication and authorization of the login session.
+ </para>
<para>
The third field, <emphasis>control</emphasis>, indicates the
diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c
index 848c4fa5..bca3dd31 100644
--- a/libpam/pam_handlers.c
+++ b/libpam/pam_handlers.c
@@ -109,22 +109,28 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f
module_type = (requested_module_type != PAM_T_ANY) ?
requested_module_type : PAM_T_AUTH; /* most sensitive */
handler_type = PAM_HT_MUST_FAIL; /* install as normal but fail when dispatched */
- } else if (!strcasecmp("auth", tok)) {
- module_type = PAM_T_AUTH;
- } else if (!strcasecmp("session", tok)) {
- module_type = PAM_T_SESS;
- } else if (!strcasecmp("account", tok)) {
- module_type = PAM_T_ACCT;
- } else if (!strcasecmp("password", tok)) {
- module_type = PAM_T_PASS;
} else {
- /* Illegal module type */
- D(("_pam_init_handlers: bad module type: %s", tok));
- pam_syslog(pamh, LOG_ERR, "(%s) illegal module type: %s",
- this_service, tok);
- module_type = (requested_module_type != PAM_T_ANY) ?
- requested_module_type : PAM_T_AUTH; /* most sensitive */
- handler_type = PAM_HT_MUST_FAIL; /* install as normal but fail when dispatched */
+ if (tok[0] == '-') { /* do not log module load errors */
+ handler_type = PAM_HT_SILENT_MODULE;
+ ++tok;
+ }
+ if (!strcasecmp("auth", tok)) {
+ module_type = PAM_T_AUTH;
+ } else if (!strcasecmp("session", tok)) {
+ module_type = PAM_T_SESS;
+ } else if (!strcasecmp("account", tok)) {
+ module_type = PAM_T_ACCT;
+ } else if (!strcasecmp("password", tok)) {
+ module_type = PAM_T_PASS;
+ } else {
+ /* Illegal module type */
+ D(("_pam_init_handlers: bad module type: %s", tok));
+ pam_syslog(pamh, LOG_ERR, "(%s) illegal module type: %s",
+ this_service, tok);
+ module_type = (requested_module_type != PAM_T_ANY) ?
+ requested_module_type : PAM_T_AUTH; /* most sensitive */
+ handler_type = PAM_HT_MUST_FAIL; /* install as normal but fail when dispatched */
+ }
}
D(("Using %s config entry: %s", handler_type?"BAD ":"", tok));
if (requested_module_type != PAM_T_ANY &&
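Review bot: The debug line `D(("Using %s config entry: %s", handler_type?"BAD ":"", tok));` at the end of this hunk will label every '-'-prefixed entry as "BAD ", because the new PAM_HT_SILENT_MODULE value is non-zero and the test is a plain truthiness check. Comparing explicitly, `handler_type == PAM_HT_MUST_FAIL ? "BAD " : ""`, keeps the debug output meaningful. Note also that `++tok` runs before the "illegal module type" message, so a line such as `-foo` is logged as `foo`; if the message is meant to help locate the offending config line, log the token as it was written. The enclosing function starts and ends outside this hunk.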
@@ -609,7 +615,7 @@ extract_modulename(const char *mod_path)
}
static struct loaded_module *
-_pam_load_module(pam_handle_t *pamh, const char *mod_path)
+_pam_load_module(pam_handle_t *pamh, const char *mod_path, int handler_type)
{
int x = 0;
int success;
@@ -658,7 +664,8 @@ _pam_load_module(pam_handle_t *pamh, const char *mod_path)
if (mod->dl_handle == NULL) {
D(("_pam_load_module: unable to find static handler %s",
mod_path));
- pam_syslog(pamh, LOG_ERR,
+ if (handler_type != PAM_HT_SILENT_MODULE)
+ pam_syslog(pamh, LOG_ERR,
"unable to open static handler %s", mod_path);
/* Didn't find module in dynamic or static..will mark bad */
} else {
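Review bot: The added `if (handler_type != PAM_HT_SILENT_MODULE)` guards a `pam_syslog(...)` call that spans two lines, with no braces around it. The same unbraced form is used in the dlopen and "adding faulty module" hunks below. Bracing the guarded call, `if (handler_type != PAM_HT_SILENT_MODULE) { pam_syslog(pamh, LOG_ERR, "unable to open static handler %s", mod_path); }`, makes it harder for a later edit to add a second statement that runs unconditionally. The body of `_pam_load_module` continues outside this hunk.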
@@ -694,8 +701,9 @@ _pam_load_module(pam_handle_t *pamh, const char *mod_path)
}
if (mod->dl_handle == NULL) {
D(("_pam_load_module: _pam_dlopen(%s) failed", mod_path));
- pam_syslog(pamh, LOG_ERR, "unable to dlopen(%s): %s", mod_path,
- _pam_dlerror());
+ if (handler_type != PAM_HT_SILENT_MODULE)
+ pam_syslog(pamh, LOG_ERR, "unable to dlopen(%s): %s", mod_path,
+ _pam_dlerror());
/* Don't abort yet; static code may be able to find function.
* But defaults to abort if nothing found below... */
} else {
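Review bot: The guard `if (handler_type != PAM_HT_SILENT_MODULE)` suppresses the message for every `_pam_dlopen` failure, whereas the documentation added in this commit describes the '-' prefix only for a module that is missing from the system. A module that is present but cannot be loaded (unresolved symbol, wrong architecture, unreadable or altered file) is then marked `PAM_MT_FAULTY_MOD` in the next hunk with no LOG_ERR line at all. That removes the signal an administrator would use to notice a broken authentication stack. Consider suppressing only when the file is really absent, for example `if (handler_type != PAM_HT_SILENT_MODULE || access(mod_path, F_OK) == 0)`, and using the same condition for the "adding faulty module" message; whether `<unistd.h>` is already included is not visible here. The function body extends beyond this hunk.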
@@ -710,7 +718,8 @@ _pam_load_module(pam_handle_t *pamh, const char *mod_path)
mod->dl_handle = NULL;
mod->type = PAM_MT_FAULTY_MOD;
pamh->handlers.modules_used++;
- pam_syslog(pamh, LOG_ERR, "adding faulty module: %s", mod_path);
+ if (handler_type != PAM_HT_SILENT_MODULE)
+ pam_syslog(pamh, LOG_ERR, "adding faulty module: %s", mod_path);
success = PAM_SUCCESS; /* We have successfully added a module */
}
@@ -748,12 +757,13 @@ int _pam_add_handler(pam_handle_t *pamh
D(("_pam_add_handler: adding type %d, handler_type %d, module `%s'",
type, handler_type, mod_path));
- if (handler_type == PAM_HT_MODULE && mod_path != NULL) {
+ if ((handler_type == PAM_HT_MODULE || handler_type == PAM_HT_SILENT_MODULE) &&
+ mod_path != NULL) {
if (mod_path[0] == '/') {
- mod = _pam_load_module(pamh, mod_path);
+ mod = _pam_load_module(pamh, mod_path, handler_type);
} else if (asprintf(&mod_full_path, "%s%s",
DEFAULT_MODULE_PATH, mod_path) >= 0) {
- mod = _pam_load_module(pamh, mod_full_path);
+ mod = _pam_load_module(pamh, mod_full_path, handler_type);
_pam_drop(mod_full_path);
} else {
pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path");
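Review bot: The condition `handler_type == PAM_HT_MODULE || handler_type == PAM_HT_SILENT_MODULE` now spells out "this is a loadable module" inline. Any other comparison against `PAM_HT_MODULE` elsewhere in libpam (none is visible in this diff) would treat '-'-prefixed entries as a different kind of handler, so those sites are worth checking. A single predicate next to the constants would keep the rule in one place, e.g. `#define PAM_HT_IS_MODULE(t) ((t) == PAM_HT_MODULE || (t) == PAM_HT_SILENT_MODULE)`; the macro name is only a suggestion. `_pam_add_handler` continues outside this hunk.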
diff --git a/libpam/pam_private.h b/libpam/pam_private.h
index 333f4d0f..62756ad4 100644
--- a/libpam/pam_private.h
+++ b/libpam/pam_private.h
@@ -60,6 +60,7 @@ struct handler {
#define PAM_HT_MODULE 0
#define PAM_HT_MUST_FAIL 1
#define PAM_HT_SUBSTACK 2
+#define PAM_HT_SILENT_MODULE 3
struct loaded_module {
char *name;
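Review bot: The new constant has no comment, and from its name and value alone a reader cannot tell that it behaves like `PAM_HT_MODULE` except for logging. A short comment on the define would record that, for example `#define PAM_HT_SILENT_MODULE 3 /* as PAM_HT_MODULE, but module load failures are not logged */`. It would also help to note there that the value is non-zero, since the debug line in pam_handlers.c tests `handler_type` for truthiness.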