common-auth

Nicolas François Mon, 14 Apr 2008 17:50:17 -0700

reassign 472986 libpam-p11
retitle 472986 libpam-p11 should use pam_syslog for logging instead of 
openlog/syslog/closelog
notfound 472986 1:4.1.0-2
found 472986 0.1.3-1
thanks



Hello,

libpam-p11 uses openlog/syslog/closelog sequences.

The closelog calls will break applications if they wish to report logs
after calling pam functions.

In the case of the original segfault in su, the issue was caused by
openlog. I don't really understand why it is problematic to openlog()
twice, but the attached patch fixed the segfault is su.

pam_syslog will also make the syslog message look prettier (it will
mention the service, not only the name of the module).

Best Regards,
-- 
Nekral

diff -rauN ../orig/pam-p11-0.1.3/src/pam_p11.c ./pam-p11-0.1.3/src/pam_p11.c
--- ../orig/pam-p11-0.1.3/src/pam_p11.c	2007-07-03 18:19:22.000000000 +0200
+++ ./pam-p11-0.1.3/src/pam_p11.c	2008-04-15 02:10:11.300075856 +0200
@@ -31,6 +31,7 @@
 #define PAM_SM_PASSWORD
 #include <security/pam_appl.h>
 #include <security/pam_modules.h>
+#include <security/pam_ext.h>
 
 #ifndef PAM_EXTERN
 #define PAM_EXTERN extern
@@ -87,12 +88,9 @@
 	int fd;
 	unsigned siglen;
 
-	/* open log */
-	openlog(LOGNAME, LOG_CONS | LOG_PID, LOG_AUTHPRIV);
-
 	/* check parameters */
 	if (argc != 1) {
-		syslog(LOG_ERR, "need pkcs11 module as argument");
+		pam_syslog(pamh, LOG_ERR, "need pkcs11 module as argument");
 		return PAM_ABORT;
 	}
 
@@ -105,7 +103,7 @@
 	/* get user name */
 	rv = pam_get_user(pamh, &user, NULL);
 	if (rv != PAM_SUCCESS) {
-		syslog(LOG_ERR, "pam_get_user() failed %s",
+		pam_syslog(pamh, LOG_ERR, "pam_get_user() failed %s",
 		       pam_strerror(pamh, rv));
 		return PAM_USER_UNKNOWN;
 	}
@@ -113,21 +111,21 @@
 	/* load pkcs #11 module */
 	rv = PKCS11_CTX_load(ctx, argv[0]);
 	if (rv) {
-		syslog(LOG_ERR, "loading pkcs11 engine failed");
+		pam_syslog(pamh, LOG_ERR, "loading pkcs11 engine failed");
 		return PAM_AUTHINFO_UNAVAIL;
 	}
 
 	/* get all slots */
 	rv = PKCS11_enumerate_slots(ctx, &slots, &nslots);
 	if (rv) {
-		syslog(LOG_ERR, "listing slots failed");
+		pam_syslog(pamh, LOG_ERR, "listing slots failed");
 		return PAM_AUTHINFO_UNAVAIL;
 	}
 
 	/* search for the first slot with a token */
 	slot = PKCS11_find_token(ctx, slots, nslots);
 	if (!slot || !slot->token) {
-		syslog(LOG_ERR, "no token available");
+		pam_syslog(pamh, LOG_ERR, "no token available");
 		rv = PAM_AUTHINFO_UNAVAIL;
 		goto out;
 	}
@@ -135,12 +133,12 @@
 	/* get all certs */
 	rv = PKCS11_enumerate_certs(slot->token, &certs, &ncerts);
 	if (rv) {
-		syslog(LOG_ERR, "PKCS11_enumerate_certs failed");
+		pam_syslog(pamh, LOG_ERR, "PKCS11_enumerate_certs failed");
 		rv = PAM_AUTHINFO_UNAVAIL;
 		goto out;
 	}
 	if (ncerts <= 0) {
-		syslog(LOG_ERR, "no certificates found");
+		pam_syslog(pamh, LOG_ERR, "no certificates found");
 		rv = PAM_AUTHINFO_UNAVAIL;
 		goto out;
 	}
@@ -152,7 +150,7 @@
 			/* check whether the certificate matches the user */
 			rv = match_user(authcert->x509, user);
 			if (rv < 0) {
-				syslog(LOG_ERR, "match_user() failed");
+				pam_syslog(pamh, LOG_ERR, "match_user() failed");
 				rv = PAM_AUTHINFO_UNAVAIL;
 				goto out;
 			} else if (rv == 0) {
@@ -165,7 +163,7 @@
 	}
 
 	if (!authcert) {
-		syslog(LOG_ERR, "not matching certificate found");
+		pam_syslog(pamh, LOG_ERR, "not matching certificate found");
 		rv = PAM_AUTHINFO_UNAVAIL;
 		goto out;
 	}
@@ -218,7 +216,7 @@
 	memset(password, 0, strlen(password));
 	free(password);
 	if (rv != 0) {
-		syslog(LOG_ERR, "PKCS11_login failed");
+		pam_syslog(pamh, LOG_ERR, "PKCS11_login failed");
 		rv = PAM_AUTHINFO_UNAVAIL;
 		goto out;
 	}
@@ -227,21 +225,21 @@
 	/* get random bytes */
 	fd = open(RANDOM_SOURCE, O_RDONLY);
 	if (fd < 0) {
-		syslog(LOG_ERR, "fatal: cannot open RANDOM_SOURCE: ");
+		pam_syslog(pamh, LOG_ERR, "fatal: cannot open RANDOM_SOURCE: ");
 		rv = PAM_AUTHINFO_UNAVAIL;
 		goto out;
 	}
 
 	rv = read(fd, rand_bytes, RANDOM_SIZE);
 	if (rv < 0) {
-		syslog(LOG_ERR, "fatal: read from random source failed: ");
+		pam_syslog(pamh, LOG_ERR, "fatal: read from random source failed: ");
 		close(fd);
 		rv = PAM_AUTHINFO_UNAVAIL;
 		goto out;
 	}
 
 	if (rv < RANDOM_SIZE) {
-		syslog(LOG_ERR, "fatal: read returned less than %d<%d bytes\n",
+		pam_syslog(pamh, LOG_ERR, "fatal: read returned less than %d<%d bytes\n",
 		       rv, RANDOM_SIZE);
 		close(fd);
 		rv = PAM_AUTHINFO_UNAVAIL;
@@ -252,7 +250,7 @@
 
 	authkey = PKCS11_find_key(authcert);
 	if (!authkey) {
-		syslog(LOG_ERR, "no key matching certificate available");
+		pam_syslog(pamh, LOG_ERR, "no key matching certificate available");
 		rv = PAM_AUTHINFO_UNAVAIL;
 		goto out;
 	}
@@ -262,7 +260,7 @@
 	rv = PKCS11_sign(NID_sha1, rand_bytes, RANDOM_SIZE, signature, &siglen,
 			 authkey);
 	if (rv != 1) {
-		syslog(LOG_ERR, "fatal: pkcs11_sign failed\n");
+		pam_syslog(pamh, LOG_ERR, "fatal: pkcs11_sign failed\n");
 		rv = PAM_AUTHINFO_UNAVAIL;
 		goto out;
 	}
@@ -270,7 +268,7 @@
 	/* verify the signature */
 	pubkey = X509_get_pubkey(authcert->x509);
 	if (pubkey == NULL) {
-		syslog(LOG_ERR, "could not extract public key");
+		pam_syslog(pamh, LOG_ERR, "could not extract public key");
 		rv = PAM_AUTHINFO_UNAVAIL;
 		goto out;
 	}
@@ -279,7 +277,7 @@
 	rv = RSA_verify(NID_sha1, rand_bytes, RANDOM_SIZE,
 			signature, siglen, pubkey->pkey.rsa);
 	if (rv != 1) {
-		syslog(LOG_ERR, "fatal: RSA_verify failed\n");
+		pam_syslog(pamh, LOG_ERR, "fatal: RSA_verify failed\n");
 		rv = PAM_AUTHINFO_UNAVAIL;
 		goto out;
 	}
@@ -303,40 +301,32 @@
 PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, int argc,
 				const char **argv)
 {
-	openlog(LOGNAME, LOG_CONS | LOG_PID, LOG_AUTHPRIV);
-	syslog(LOG_WARNING,
+	pam_syslog(pamh, LOG_WARNING,
 	       "Function pam_sm_acct_mgmt() is not implemented in this module");
-	closelog();
 	return PAM_SERVICE_ERR;
 }
 
 PAM_EXTERN int pam_sm_open_session(pam_handle_t * pamh, int flags, int argc,
 				   const char **argv)
 {
-	openlog(LOGNAME, LOG_CONS | LOG_PID, LOG_AUTHPRIV);
-	syslog(LOG_WARNING,
+	pam_syslog(pamh, LOG_WARNING,
 	       "Function pam_sm_open_session() is not implemented in this module");
-	closelog();
 	return PAM_SERVICE_ERR;
 }
 
 PAM_EXTERN int pam_sm_close_session(pam_handle_t * pamh, int flags, int argc,
 				    const char **argv)
 {
-	openlog(LOGNAME, LOG_CONS | LOG_PID, LOG_AUTHPRIV);
-	syslog(LOG_WARNING,
+	pam_syslog(pamh, LOG_WARNING,
 	       "Function pam_sm_close_session() is not implemented in this module");
-	closelog();
 	return PAM_SERVICE_ERR;
 }
 
 PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, int argc,
 				const char **argv)
 {
-	openlog(LOGNAME, LOG_CONS | LOG_PID, LOG_AUTHPRIV);
-	syslog(LOG_WARNING,
+	pam_syslog(pamh, LOG_WARNING,
 	       "Function pam_sm_chauthtok() is not implemented in this module");
-	closelog();
 	return PAM_SERVICE_ERR;
 }

Bug#472986: [SPAM?] Re: Bug#472986: /bin/su: su segfaults with libpam-p11 activated in /etc/pam.d/common-auth

Reply via email to