From 5b4c4698e8ae75093292f49ee6456f85f95a3d5d Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 30 Jun 2016 14:29:40 +0200 Subject: Unification and cleanup of syslog log levels. * libpam/pam_handlers.c: Make memory allocation failures LOG_CRIT. * libpam/pam_modutil_priv.c: Make memory allocation failures LOG_CRIT. * modules/pam_echo/pam_echo.c: Make memory allocation failures LOG_CRIT. * modules/pam_env/pam_env.c: Make memory allocation failures LOG_CRIT. * modules/pam_exec/pam_exec.c: Make memory allocation failures LOG_CRIT. * modules/pam_filter/pam_filter.c: Make all non-memory call errors LOG_ERR. * modules/pam_group/pam_group.c: Make memory allocation failures LOG_CRIT. * modules/pam_issue/pam_issue.c: Make memory allocation failures LOG_CRIT. * modules/pam_lastlog/pam_lastlog.c: The lastlog file creation is syslogged with LOG_NOTICE, memory allocation errors with LOG_CRIT, other errors with LOG_ERR. * modules/pam_limits/pam_limits.c: User login limit messages are syslogged with LOG_NOTICE, stale utmp entry with LOG_INFO, non-memory errors with LOG_ERR. * modules/pam_listfile/pam_listfile.c: Rejection of user is syslogged with LOG_NOTICE. * modules/pam_namespace/pam_namespace.c: Make memory allocation failures LOG_CRIT. * modules/pam_nologin/pam_nologin.c: Make memory allocation failures LOG_CRIT, other errors LOG_ERR. * modules/pam_securetty/pam_securetty.c: Rejection of access is syslogged with LOG_NOTICE, non-memory errors with LOG_ERR. * modules/pam_selinux/pam_selinux.c: Make memory allocation failures LOG_CRIT. * modules/pam_succeed_if/pam_succeed_if.c: Make all non-memory call errors LOG_ERR. * modules/pam_time/pam_time.c: Make memory allocation failures LOG_CRIT. * modules/pam_timestamp/pam_timestamp.c: Make memory allocation failures LOG_CRIT. * modules/pam_unix/pam_unix_acct.c: Make all non-memory call errors LOG_ERR. * modules/pam_unix/pam_unix_passwd.c: Make memory allocation failures LOG_CRIT, other errors LOG_ERR. * modules/pam_unix/pam_unix_sess.c: Make all non-memory call errors LOG_ERR. * modules/pam_unix/passverify.c: Unknown user is syslogged with LOG_NOTICE. * modules/pam_unix/support.c: Unknown user is syslogged with LOG_NOTICE and max retries ignorance by application likewise. * modules/pam_unix/unix_chkpwd.c: Make all non-memory call errors LOG_ERR. * modules/pam_userdb/pam_userdb.c: Password authentication error is syslogged with LOG_NOTICE. * modules/pam_xauth/pam_xauth.c: Make memory allocation failures LOG_CRIT. --- modules/pam_unix/pam_unix_acct.c | 4 ++-- modules/pam_unix/pam_unix_passwd.c | 4 ++-- modules/pam_unix/pam_unix_sess.c | 4 ++-- modules/pam_unix/passverify.c | 2 +- modules/pam_unix/support.c | 6 +++--- modules/pam_unix/unix_chkpwd.c | 2 +- 6 files changed, 11 insertions(+), 11 deletions(-) (limited to 'modules/pam_unix') diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c index 782d84ac..88331149 100644 --- a/modules/pam_unix/pam_unix_acct.c +++ b/modules/pam_unix/pam_unix_acct.c @@ -201,7 +201,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) uname = void_uname; D(("user = `%s'", uname)); if (retval != PAM_SUCCESS || uname == NULL) { - pam_syslog(pamh, LOG_ALERT, + pam_syslog(pamh, LOG_ERR, "could not identify user (from uid=%lu)", (unsigned long int)getuid()); return PAM_USER_UNKNOWN; @@ -209,7 +209,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) retval = get_account_info(pamh, uname, &pwent, &spent); if (retval == PAM_USER_UNKNOWN) { - pam_syslog(pamh, LOG_ALERT, + pam_syslog(pamh, LOG_ERR, "could not identify user (from getpwnam(%s))", uname); return retval; diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c index c2e43423..9fdebefb 100644 --- a/modules/pam_unix/pam_unix_passwd.c +++ b/modules/pam_unix/pam_unix_passwd.c @@ -774,7 +774,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) if (retval != PAM_SUCCESS) { if (on(UNIX_DEBUG, ctrl)) { - pam_syslog(pamh, LOG_ALERT, + pam_syslog(pamh, LOG_ERR, "password - new password not obtained"); } pass_old = NULL; /* tidy up */ @@ -864,7 +864,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) _pam_delete(tpass); pass_old = pass_new = NULL; } else { /* something has broken with the module */ - pam_syslog(pamh, LOG_ALERT, + pam_syslog(pamh, LOG_CRIT, "password received unknown request"); retval = PAM_ABORT; } diff --git a/modules/pam_unix/pam_unix_sess.c b/modules/pam_unix/pam_unix_sess.c index dbc62983..03e7dcd9 100644 --- a/modules/pam_unix/pam_unix_sess.c +++ b/modules/pam_unix/pam_unix_sess.c @@ -77,7 +77,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) retval = pam_get_item(pamh, PAM_USER, (void *) &user_name); if (user_name == NULL || *user_name == '\0' || retval != PAM_SUCCESS) { - pam_syslog(pamh, LOG_CRIT, + pam_syslog(pamh, LOG_ERR, "open_session - error recovering username"); return PAM_SESSION_ERR; /* How did we get authenticated with no username?! */ @@ -112,7 +112,7 @@ pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) retval = pam_get_item(pamh, PAM_USER, (void *) &user_name); if (user_name == NULL || *user_name == '\0' || retval != PAM_SUCCESS) { - pam_syslog(pamh, LOG_CRIT, + pam_syslog(pamh, LOG_ERR, "close_session - error recovering username"); return PAM_SESSION_ERR; /* How did we get authenticated with no username?! */ diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c index 5d6a1484..9c1771e2 100644 --- a/modules/pam_unix/passverify.c +++ b/modules/pam_unix/passverify.c @@ -1023,7 +1023,7 @@ helper_verify_password(const char *name, const char *p, int nullok) retval = get_pwd_hash(name, &pwd, &salt); if (pwd == NULL || salt == NULL) { - helper_log_err(LOG_WARNING, "check pass; user unknown"); + helper_log_err(LOG_NOTICE, "check pass; user unknown"); retval = PAM_USER_UNKNOWN; } else { retval = verify_pwd_hash(p, salt, nullok); diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c index fc8595e9..f2e28d35 100644 --- a/modules/pam_unix/support.c +++ b/modules/pam_unix/support.c @@ -345,7 +345,7 @@ static void _cleanup_failures(pam_handle_t * pamh, void *fl, int err) ); if (failure->count > UNIX_MAX_RETRIES) { - pam_syslog(pamh, LOG_ALERT, + pam_syslog(pamh, LOG_NOTICE, "service(%s) ignoring max retries; %d > %d", service == NULL ? "**unknown**" : (const char *)service, failure->count, @@ -744,12 +744,12 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name if (on(UNIX_AUDIT, ctrl)) { /* this might be a typo and the user has given a password instead of a username. Careful with this. */ - pam_syslog(pamh, LOG_WARNING, + pam_syslog(pamh, LOG_NOTICE, "check pass; user (%s) unknown", name); } else { name = NULL; if (on(UNIX_DEBUG, ctrl) || pwd == NULL) { - pam_syslog(pamh, LOG_WARNING, + pam_syslog(pamh, LOG_NOTICE, "check pass; user unknown"); } else { /* don't log failure as another pam module can succeed */ diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c index 61675ed2..39c84dbf 100644 --- a/modules/pam_unix/unix_chkpwd.c +++ b/modules/pam_unix/unix_chkpwd.c @@ -43,7 +43,7 @@ static int _check_expiry(const char *uname) retval = get_account_info(uname, &pwent, &spent); if (retval != PAM_SUCCESS) { - helper_log_err(LOG_ALERT, "could not obtain user info (%s)", uname); + helper_log_err(LOG_ERR, "could not obtain user info (%s)", uname); printf("-1\n"); return retval; } -- cgit v1.2.3 From 3466dbea5532dbddfd9b725dd242d68ab7388ed8 Mon Sep 17 00:00:00 2001 From: Peter Urbanec Date: Wed, 12 Jul 2017 17:47:47 +1000 Subject: pam_unix: Check return value of malloc used for setcred data (#24) Check the return value of malloc and if it failed print debug info, send a syslog message and return an error code. The test in AUTH_RETURN for ret_data not being NULL becomes redundant. Signed-off-by: Peter Urbanec --- modules/pam_unix/pam_unix_auth.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) (limited to 'modules/pam_unix') diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c index 673861e4..fce6bce1 100644 --- a/modules/pam_unix/pam_unix_auth.c +++ b/modules/pam_unix/pam_unix_auth.c @@ -77,14 +77,12 @@ #define _UNIX_AUTHTOK "-UN*X-PASS" #define AUTH_RETURN \ -do { \ - if (ret_data) { \ - D(("recording return code for next time [%d]", \ - retval)); \ - *ret_data = retval; \ - pam_set_data(pamh, "unix_setcred_return", \ - (void *) ret_data, setcred_free); \ - } \ +do { \ + D(("recording return code for next time [%d]", \ + retval)); \ + *ret_data = retval; \ + pam_set_data(pamh, "unix_setcred_return", \ + (void *) ret_data, setcred_free); \ D(("done. [%s]", pam_strerror(pamh, retval))); \ return retval; \ } while (0) @@ -112,6 +110,12 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) /* Get a few bytes so we can pass our return value to pam_sm_setcred() and pam_sm_acct_mgmt(). */ ret_data = malloc(sizeof(int)); + if (!ret_data) { + D(("cannot malloc ret_data")); + pam_syslog(pamh, LOG_CRIT, + "pam_unix_auth: cannot allocate ret_data"); + return PAM_BUF_ERR; + } /* get the user'name' */ -- cgit v1.2.3