From bd76c538ef4747912733458a5d9e645424ea93fb Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 1 Mar 2021 14:07:10 +0000 Subject: pam_exec: implement quiet_log option * modules/pam_exec/pam_exec.c (call_exec): Implement quiet_log option. * modules/pam_exec/pam_exec.8.xml: Document it. Resolves: https://github.com/linux-pam/linux-pam/issues/334 --- modules/pam_exec/pam_exec.8.xml | 16 ++++++++++++++++ modules/pam_exec/pam_exec.c | 6 ++++++ 2 files changed, 22 insertions(+) (limited to 'modules/pam_exec') diff --git a/modules/pam_exec/pam_exec.8.xml b/modules/pam_exec/pam_exec.8.xml index 1f217339..7e89943c 100644 --- a/modules/pam_exec/pam_exec.8.xml +++ b/modules/pam_exec/pam_exec.8.xml @@ -30,6 +30,9 @@ quiet + + quiet_log + stdout @@ -159,6 +162,19 @@ + + + + + + + Per default pam_exec.so will log the exit status of the + external command if it fails. + Specifying this option will suppress the log message. + + + + diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c index 5ca85ab3..05dec167 100644 --- a/modules/pam_exec/pam_exec.c +++ b/modules/pam_exec/pam_exec.c @@ -93,6 +93,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh, int debug = 0; int call_setuid = 0; int quiet = 0; + int quiet_log = 0; int expose_authtok = 0; int use_stdout = 0; int optargc; @@ -133,6 +134,8 @@ call_exec (const char *pam_type, pam_handle_t *pamh, call_setuid = 1; else if (strcasecmp (argv[optargc], "quiet") == 0) quiet = 1; + else if (strcasecmp (argv[optargc], "quiet_log") == 0) + quiet_log = 1; else if (strcasecmp (argv[optargc], "expose_authtok") == 0) expose_authtok = 1; else @@ -269,6 +272,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh, { if (WIFEXITED(status)) { + if (!quiet_log) pam_syslog (pamh, LOG_ERR, "%s failed: exit code %d", argv[optargc], WEXITSTATUS(status)); if (!quiet) 
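Review bot: The `if (!quiet_log)` added in the WIFEXITED branch has no braces, and the `pam_syslog (...)` call it guards is an unchanged context line, so that call presumably keeps its old indentation and sits at the same level as the guard. Placed directly above the existing `if (!quiet)`, it then reads as an unconditional statement, and a later edit that inserts a line between the guard and the call would silently change what is guarded. Re-indent the call one level under the guard, or brace it: `if (!quiet_log) { pam_syslog (pamh, LOG_ERR, "%s failed: exit code %d", argv[optargc], WEXITSTATUS(status)); }`. The same applies to the guards added in the WIFSIGNALED and final else branches (hunks at -277 and -287); call_exec begins and ends outside all of these hunks.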
@@ -277,6 +281,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh, } else if (WIFSIGNALED(status)) { + if (!quiet_log) pam_syslog (pamh, LOG_ERR, "%s failed: caught signal %d%s", argv[optargc], WTERMSIG(status), WCOREDUMP(status) ? " (core dumped)" : ""); @@ -287,6 +292,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh, } else { + if (!quiet_log) pam_syslog (pamh, LOG_ERR, "%s failed: unknown status 0x%x", argv[optargc], status); if (!quiet) -- cgit v1.2.3
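Review bot: In the WIFSIGNALED branch the new `if (!quiet_log)` also drops the record that the helper was killed by a signal or dumped core, and in the final else branch (hunk at -287) it drops the unknown-status record. The manual text added by this commit only describes suppressing the exit-status message. For a command run from the PAM stack, abnormal termination is worth keeping in the log even when routine non-zero exits are treated as noise, because it is often the only trace of a crashing or tampered helper. Consider leaving these two `pam_syslog` calls unconditional so that `quiet_log` covers only the WIFEXITED case, or at least say in pam_exec.8.xml that signal and unknown-status failures are silenced as well. call_exec starts and ends outside these hunks.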