1 Goal: Don't call openlog() or closelog() from pam_smbpass
3 Fixes: bug #434372 (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=434372)
5 Upstream status: submitted as bugzilla bug #4831
7 Index: samba-3.0.25c/source/pam_smbpass/support.c
8 ===================================================================
9 --- samba-3.0.25c.orig/source/pam_smbpass/support.c 2007-08-26 12:07:14.098417404 +0200
10 +++ samba-3.0.25c/source/pam_smbpass/support.c 2007-08-26 13:09:09.419359938 +0200
12 * Mass Ave, Cambridge, MA 02139, USA.
21 char *servicesf = dyn_CONFIGFILE;
23 - /* syslogging function for errors and other information */
25 - void _log_err( int err, const char *format, ... )
28 +/* syslogging function for errors and other information */
29 +#ifdef HAVE_PAM_VSYSLOG
30 +void _log_err( pam_handle_t *pamh, int err, const char *format, ... )
34 - va_start( args, format );
35 - openlog( "PAM_smbpass", LOG_CONS | LOG_PID, LOG_AUTH );
36 - vsyslog( err, format, args );
39 + va_start(args, format);
40 + pam_vsyslog(pamh, err, format, args);
44 +void _log_err( pam_handle_t *pamh, int err, const char *format, ... )
47 + const char tag[] = "(pam_smbpass) ";
50 + mod_format = SMB_MALLOC_ARRAY(char, sizeof(tag) + strlen(format));
51 + /* try really, really hard to log something, since this may have
52 + been a message about a malloc() failure... */
53 + if (mod_format == NULL) {
54 + va_start(args, format);
55 + vsyslog(err | LOG_AUTH, format, args);
60 + strncpy(mod_format, tag, strlen(tag)+1);
61 + strncat(mod_format, format, strlen(format));
63 + va_start(args, format);
64 + vsyslog(err | LOG_AUTH, mod_format, args);
71 /* this is a front-end for module-application conversations */
73 int converse( pam_handle_t * pamh, int ctrl, int nargs
75 ,response, conv->appdata_ptr);
77 if (retval != PAM_SUCCESS && on(SMB_DEBUG, ctrl)) {
78 - _log_err(LOG_DEBUG, "conversation failure [%s]"
79 - ,pam_strerror(pamh, retval));
80 + _log_err(pamh, LOG_DEBUG,
81 + "conversation failure [%s]",
82 + pam_strerror(pamh, retval));
85 - _log_err(LOG_ERR, "couldn't obtain coversation function [%s]"
86 - ,pam_strerror(pamh, retval));
87 + _log_err(pamh, LOG_ERR,
88 + "couldn't obtain coversation function [%s]",
89 + pam_strerror(pamh, retval));
92 return retval; /* propagate error status */
95 /* set the control flags for the SMB module. */
97 -int set_ctrl( int flags, int argc, const char **argv )
98 +int set_ctrl( pam_handle_t *pamh, int flags, int argc, const char **argv )
101 const char *service_file = dyn_CONFIGFILE;
103 /* Read some options from the Samba config. Can be overridden by
105 if(lp_load(service_file,True,False,False,True) == False) {
106 - _log_err( LOG_ERR, "Error loading service file %s", service_file );
107 + _log_err(pamh, LOG_ERR, "Error loading service file %s", service_file);
114 if (j >= SMB_CTRLS_) {
115 - _log_err( LOG_ERR, "unrecognized option [%s]", *argv );
116 + _log_err(pamh, LOG_ERR, "unrecognized option [%s]", *argv);
118 ctrl &= smb_args[j].mask; /* for turning things off */
119 ctrl |= smb_args[j].flag; /* for turning things on */
121 * evidence of old token around for later stack analysis.
124 -char * smbpXstrDup( const char *x )
125 +char * smbpXstrDup( pam_handle_t *pamh, const char *x )
127 register char *newstr = NULL;
130 for (i = 0; x[i]; ++i); /* length of string */
131 if ((newstr = SMB_MALLOC_ARRAY(char, ++i)) == NULL) {
133 - _log_err( LOG_CRIT, "out of memory in smbpXstrDup" );
134 + _log_err(pamh, LOG_CRIT, "out of memory in smbpXstrDup");
139 /* log the number of authentication failures */
140 if (failure->count != 0) {
141 pam_get_item( pamh, PAM_SERVICE, (const void **) &service );
142 - _log_err( LOG_NOTICE
143 + _log_err(pamh, LOG_NOTICE
144 , "%d authentication %s "
145 "from %s for service %s as %s(%d)"
148 , service == NULL ? "**unknown**" : service
149 , failure->user, failure->id );
150 if (failure->count > SMB_MAX_RETRIES) {
151 - _log_err( LOG_ALERT
152 + _log_err(pamh, LOG_ALERT
153 , "service(%s) ignoring max retries; %d > %d"
154 , service == NULL ? "**unknown**" : service
158 if (!pdb_get_lanman_passwd(sampass))
160 - _log_err( LOG_DEBUG, "user %s has null SMB password"
162 + _log_err(pamh, LOG_DEBUG, "user %s has null SMB password", name);
164 if (off( SMB__NONULL, ctrl )
165 && (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ))
166 @@ -338,15 +365,16 @@
169 pam_get_item( pamh, PAM_SERVICE, (const void **)&service );
170 - _log_err( LOG_NOTICE, "failed auth request by %s for service %s as %s",
171 - uidtoname(getuid()), service ? service : "**unknown**", name);
172 + _log_err(pamh, LOG_NOTICE,
173 + "failed auth request by %s for service %s as %s",
174 + uidtoname(getuid()), service ? service : "**unknown**", name);
179 data_name = SMB_MALLOC_ARRAY(char, sizeof(FAIL_PREFIX) + strlen( name ));
180 if (data_name == NULL) {
181 - _log_err( LOG_CRIT, "no memory for data-name" );
182 + _log_err(pamh, LOG_CRIT, "no memory for data-name");
184 strncpy( data_name, FAIL_PREFIX, sizeof(FAIL_PREFIX) );
185 strncpy( data_name + sizeof(FAIL_PREFIX) - 1, name, strlen( name ) + 1 );
186 @@ -392,31 +420,31 @@
187 retval = PAM_MAXTRIES;
190 - _log_err(LOG_NOTICE,
191 + _log_err(pamh, LOG_NOTICE,
192 "failed auth request by %s for service %s as %s",
194 service ? service : "**unknown**", name);
197 if (!sid_to_uid(pdb_get_user_sid(sampass), &(newauth->id))) {
198 - _log_err(LOG_NOTICE,
199 + _log_err(pamh, LOG_NOTICE,
200 "failed auth request by %s for service %s as %s",
202 service ? service : "**unknown**", name);
204 - newauth->user = smbpXstrDup( name );
205 - newauth->agent = smbpXstrDup( uidtoname( getuid() ) );
206 + newauth->user = smbpXstrDup(pamh, name);
207 + newauth->agent = smbpXstrDup(pamh, uidtoname( getuid() ));
208 pam_set_data( pamh, data_name, newauth, _cleanup_failures );
211 - _log_err( LOG_CRIT, "no memory for failure recorder" );
212 - _log_err(LOG_NOTICE,
213 + _log_err(pamh, LOG_CRIT, "no memory for failure recorder");
214 + _log_err(pamh, LOG_NOTICE,
215 "failed auth request by %s for service %s as %s(%d)",
217 service ? service : "**unknown**", name);
220 - _log_err(LOG_NOTICE,
221 + _log_err(pamh, LOG_NOTICE,
222 "failed auth request by %s for service %s as %s(%d)",
224 service ? service : "**unknown**", name);
226 retval = pam_get_item( pamh, authtok_flag, (const void **) &item );
227 if (retval != PAM_SUCCESS) {
229 - _log_err( LOG_ALERT
230 - , "pam_get_item returned error to smb_read_password" );
231 + _log_err(pamh, LOG_ALERT,
232 + "pam_get_item returned error to smb_read_password");
234 } else if (item != NULL) { /* we have a password! */
238 if (retval == PAM_SUCCESS) { /* a good conversation */
240 - token = smbpXstrDup(resp[j++].resp);
241 + token = smbpXstrDup(pamh, resp[j++].resp);
244 /* verify that password entered correctly */
249 - _log_err(LOG_NOTICE, "could not recover authentication token");
250 + _log_err(pamh, LOG_NOTICE,
251 + "could not recover authentication token");
257 if (retval != PAM_SUCCESS) {
258 if (on( SMB_DEBUG, ctrl ))
259 - _log_err( LOG_DEBUG, "unable to obtain a password" );
260 + _log_err(pamh, LOG_DEBUG, "unable to obtain a password");
263 /* 'token' is the entered password */
265 || (retval = pam_get_item( pamh, authtok_flag
266 ,(const void **)&item )) != PAM_SUCCESS)
268 - _log_err( LOG_CRIT, "error manipulating password" );
269 + _log_err(pamh, LOG_CRIT, "error manipulating password");
274 || (retval = pam_get_data( pamh, data_name, (const void **)&item ))
277 - _log_err( LOG_CRIT, "error manipulating password data [%s]"
278 - , pam_strerror( pamh, retval ));
279 + _log_err(pamh, LOG_CRIT, "error manipulating password data [%s]",
280 + pam_strerror( pamh, retval ));
281 _pam_delete( token );
285 if (pass_new == NULL || (pass_old && !strcmp( pass_old, pass_new )))
287 if (on(SMB_DEBUG, ctrl)) {
288 - _log_err( LOG_DEBUG,
289 - "passwd: bad authentication token (null or unchanged)" );
290 + _log_err(pamh, LOG_DEBUG,
291 + "passwd: bad authentication token (null or unchanged)");
293 make_remark( pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ?
294 "No password supplied" : "Password unchanged" );
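Review bot: In the fallback `_log_err` (the `#else` branch, gutter 44–64) `strncpy(mod_format, tag, strlen(tag)+1)` and `strncat(mod_format, format, strlen(format))` bound the copies by the source length rather than by the destination, so they are plain strcpy/strcat with a misleading appearance of safety; since the buffer is allocated as exactly `sizeof(tag) + strlen(format)`, `snprintf(mod_format, sizeof(tag) + strlen(format), "%s%s", tag, format);` states the bound once, against the destination, and cannot overrun. Gutter lines 56–59 and 65–70 of that function are not shown, so I could not confirm that both branches call `va_end` and that `mod_format` is freed after its `vsyslog` call — worth checking in the full patch. Further down, the "failed auth request by %s for service %s as %s(%d)" messages (gutter 213–224) carry four conversions while the visible argument lines end in `service ? service : "**unknown**", name`; if the hidden line 216 supplies only `uidtoname(getuid())`, the trailing `%d` has no matching argument and vsyslog reads an undefined value. That mismatch would be pre-existing, but this hunk rewrites every one of those calls, so it is the natural place to fix it.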
295 Index: samba-3.0.25c/source/pam_smbpass/pam_smb_auth.c
296 ===================================================================
297 --- samba-3.0.25c.orig/source/pam_smbpass/pam_smb_auth.c 2007-08-26 12:07:14.098417404 +0200
298 +++ samba-3.0.25c/source/pam_smbpass/pam_smb_auth.c 2007-08-26 13:09:09.419359938 +0200
301 /* Samba initialization. */
303 - setup_logging("pam_smbpass",False);
306 - ctrl = set_ctrl(flags, argc, argv);
307 + ctrl = set_ctrl(pamh, flags, argc, argv);
309 /* Get a few bytes so we can pass our return value to
312 retval = pam_get_user( pamh, &name, "Username: " );
313 if ( retval != PAM_SUCCESS ) {
314 if (on( SMB_DEBUG, ctrl )) {
315 - _log_err(LOG_DEBUG, "auth: could not identify user");
316 + _log_err(pamh, LOG_DEBUG, "auth: could not identify user");
320 if (on( SMB_DEBUG, ctrl )) {
321 - _log_err( LOG_DEBUG, "username [%s] obtained", name );
322 + _log_err(pamh, LOG_DEBUG, "username [%s] obtained", name);
325 if (!initialize_password_db(True)) {
326 - _log_err( LOG_ALERT, "Cannot access samba password database" );
327 + _log_err(pamh, LOG_ALERT, "Cannot access samba password database");
328 retval = PAM_AUTHINFO_UNAVAIL;
332 sampass = samu_new( NULL );
334 - _log_err( LOG_ALERT, "Cannot talloc a samu struct" );
335 + _log_err(pamh, LOG_ALERT, "Cannot talloc a samu struct");
336 retval = nt_status_to_pam(NT_STATUS_NO_MEMORY);
343 - _log_err(LOG_ALERT, "Failed to find entry for user %s.", name);
344 + _log_err(pamh, LOG_ALERT, "Failed to find entry for user %s.", name);
345 retval = PAM_USER_UNKNOWN;
346 TALLOC_FREE(sampass);
350 retval = _smb_read_password(pamh, ctrl, NULL, "Password: ", NULL, _SMB_AUTHTOK, &p);
351 if (retval != PAM_SUCCESS ) {
352 - _log_err(LOG_CRIT, "auth: no password provided for [%s]", name);
353 + _log_err(pamh,LOG_CRIT, "auth: no password provided for [%s]", name);
354 TALLOC_FREE(sampass);
358 retval = pam_get_item( pamh, PAM_AUTHTOK, (const void **) &pass );
360 if (retval != PAM_SUCCESS) {
361 - _log_err( LOG_ALERT
362 - , "pam_get_item returned error to pam_sm_authenticate" );
363 + _log_err(pamh, LOG_ALERT,
364 + "pam_get_item returned error to pam_sm_authenticate");
365 return PAM_AUTHTOK_RECOVER_ERR;
366 } else if (pass == NULL) {
367 return PAM_AUTHTOK_RECOVER_ERR;
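Review bot: Dropping `setup_logging("pam_smbpass",False)` (gutter 303 here, and the same removal in pam_smb_acct.c and pam_smb_passwd.c) removes more than the openlog() the patch targets: it is also where the Samba debug subsystem was initialised before `lp_load`/`initialize_password_db`/`pdb_getsampwnam` run. Where DEBUG() output from that library code lands afterwards is not visible in this hunk; if it falls back to the host application's stdout/stderr, a PAM module would be writing into descriptors it does not own, which is worth confirming before shipping. Style: `_log_err(pamh,LOG_CRIT, ...)` at gutter 353 lacks the space after the comma that every other converted call uses; `_log_err(pamh, LOG_CRIT, "auth: no password provided for [%s]", name);` keeps it consistent.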
368 Index: samba-3.0.25c/source/pam_smbpass/pam_smb_acct.c
369 ===================================================================
370 --- samba-3.0.25c.orig/source/pam_smbpass/pam_smb_acct.c 2007-08-26 12:07:14.098417404 +0200
371 +++ samba-3.0.25c/source/pam_smbpass/pam_smb_acct.c 2007-08-26 13:09:09.419359938 +0200
374 /* Samba initialization. */
376 - setup_logging( "pam_smbpass", False );
379 - ctrl = set_ctrl( flags, argc, argv );
380 + ctrl = set_ctrl(pamh, flags, argc, argv);
382 /* get the username */
384 retval = pam_get_user( pamh, &name, "Username: " );
385 if (retval != PAM_SUCCESS) {
386 if (on( SMB_DEBUG, ctrl )) {
387 - _log_err( LOG_DEBUG, "acct: could not identify user" );
388 + _log_err(pamh, LOG_DEBUG, "acct: could not identify user");
392 if (on( SMB_DEBUG, ctrl )) {
393 - _log_err( LOG_DEBUG, "acct: username [%s] obtained", name );
394 + _log_err(pamh, LOG_DEBUG, "acct: username [%s] obtained", name);
397 /* Getting into places that might use LDAP -- protect the app
398 from a SIGPIPE it's not expecting */
399 oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN);
400 if (!initialize_password_db(True)) {
401 - _log_err( LOG_ALERT, "Cannot access samba password database" );
402 + _log_err(pamh, LOG_ALERT, "Cannot access samba password database");
403 CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
404 return PAM_AUTHINFO_UNAVAIL;
409 if (!pdb_getsampwnam(sampass, name )) {
410 - _log_err( LOG_DEBUG, "acct: could not identify user" );
411 + _log_err(pamh, LOG_DEBUG, "acct: could not identify user");
412 CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
413 return PAM_USER_UNKNOWN;
417 if (pdb_get_acct_ctrl(sampass) & ACB_DISABLED) {
418 if (on( SMB_DEBUG, ctrl )) {
419 - _log_err( LOG_DEBUG
420 - , "acct: account %s is administratively disabled", name );
421 + _log_err(pamh, LOG_DEBUG,
422 + "acct: account %s is administratively disabled", name);
424 make_remark( pamh, ctrl, PAM_ERROR_MSG
425 , "Your account has been disabled; "
426 Index: samba-3.0.25c/source/pam_smbpass/pam_smb_passwd.c
427 ===================================================================
428 --- samba-3.0.25c.orig/source/pam_smbpass/pam_smb_passwd.c 2007-08-26 12:07:14.098417404 +0200
429 +++ samba-3.0.25c/source/pam_smbpass/pam_smb_passwd.c 2007-08-26 13:09:09.419359938 +0200
432 /* Samba initialization. */
434 - setup_logging( "pam_smbpass", False );
437 - ctrl = set_ctrl(flags, argc, argv);
438 + ctrl = set_ctrl(pamh, flags, argc, argv);
441 * First get the name of a user. No need to do anything if we can't
442 @@ -117,12 +116,12 @@
443 retval = pam_get_user( pamh, &user, "Username: " );
444 if (retval != PAM_SUCCESS) {
445 if (on( SMB_DEBUG, ctrl )) {
446 - _log_err( LOG_DEBUG, "password: could not identify user" );
447 + _log_err(pamh, LOG_DEBUG, "password: could not identify user");
451 if (on( SMB_DEBUG, ctrl )) {
452 - _log_err( LOG_DEBUG, "username [%s] obtained", user );
453 + _log_err(pamh, LOG_DEBUG, "username [%s] obtained", user);
456 /* Getting into places that might use LDAP -- protect the app
458 oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN);
460 if (!initialize_password_db(False)) {
461 - _log_err( LOG_ALERT, "Cannot access samba password database" );
462 + _log_err(pamh, LOG_ALERT, "Cannot access samba password database");
463 CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
464 return PAM_AUTHINFO_UNAVAIL;
466 @@ -142,12 +141,12 @@
469 if (!pdb_getsampwnam(sampass,user)) {
470 - _log_err( LOG_ALERT, "Failed to find entry for user %s.", user );
471 + _log_err(pamh, LOG_ALERT, "Failed to find entry for user %s.", user);
472 CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
473 return PAM_USER_UNKNOWN;
475 if (on( SMB_DEBUG, ctrl )) {
476 - _log_err( LOG_DEBUG, "Located account for %s", user );
477 + _log_err(pamh, LOG_DEBUG, "Located account for %s", user);
480 if (flags & PAM_PRELIM_CHECK) {
482 #define greeting "Changing password for "
483 Announce = SMB_MALLOC_ARRAY(char, sizeof(greeting)+strlen(user));
484 if (Announce == NULL) {
485 - _log_err(LOG_CRIT, "password: out of memory");
486 + _log_err(pamh, LOG_CRIT, "password: out of memory");
487 TALLOC_FREE(sampass);
488 CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
491 SAFE_FREE( Announce );
493 if (retval != PAM_SUCCESS) {
494 - _log_err( LOG_NOTICE
495 - , "password - (old) token not obtained" );
496 + _log_err(pamh, LOG_NOTICE,
497 + "password - (old) token not obtained");
498 TALLOC_FREE(sampass);
499 CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
504 if (retval != PAM_SUCCESS) {
505 - _log_err( LOG_NOTICE, "password: user not authenticated" );
506 + _log_err(pamh, LOG_NOTICE, "password: user not authenticated");
507 TALLOC_FREE(sampass);
508 CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
512 if (retval != PAM_SUCCESS) {
513 if (on( SMB_DEBUG, ctrl )) {
514 - _log_err( LOG_ALERT
515 - , "password: new password not obtained" );
516 + _log_err(pamh, LOG_ALERT,
517 + "password: new password not obtained");
519 pass_old = NULL; /* tidy up */
520 TALLOC_FREE(sampass);
522 retval = _pam_smb_approve_pass(pamh, ctrl, pass_old, pass_new);
524 if (retval != PAM_SUCCESS) {
525 - _log_err(LOG_NOTICE, "new password not acceptable");
526 + _log_err(pamh, LOG_NOTICE, "new password not acceptable");
527 pass_new = pass_old = NULL; /* tidy up */
528 TALLOC_FREE(sampass);
529 CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
530 @@ -301,16 +300,17 @@
532 /* password updated */
533 if (!sid_to_uid(pdb_get_user_sid(sampass), &uid)) {
534 - _log_err( LOG_NOTICE, "Unable to get uid for user %s",
535 + _log_err(pamh, LOG_NOTICE,
536 + "Unable to get uid for user %s",
537 pdb_get_username(sampass));
538 - _log_err( LOG_NOTICE, "password for (%s) changed by (%s/%d)",
539 + _log_err(pamh, LOG_NOTICE, "password for (%s) changed by (%s/%d)",
540 user, uidtoname(getuid()), getuid());
542 - _log_err( LOG_NOTICE, "password for (%s/%d) changed by (%s/%d)",
543 + _log_err(pamh, LOG_NOTICE, "password for (%s/%d) changed by (%s/%d)",
544 user, uid, uidtoname(getuid()), getuid());
547 - _log_err( LOG_ERR, "password change failed for user %s", user);
548 + _log_err(pamh, LOG_ERR, "password change failed for user %s", user);
551 pass_old = pass_new = NULL;
554 } else { /* something has broken with the library */
556 - _log_err( LOG_ALERT, "password received unknown request" );
557 + _log_err(pamh, LOG_ALERT, "password received unknown request");
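Review bot: The password-change audit records at gutter 539–548 ("password for (%s) changed by (%s/%d)", "password change failed for user %s") now go through pam_vsyslog — or, in the fallback, with a "(pam_smbpass) " prefix under the calling application's syslog ident — instead of under the `PAM_smbpass` ident with `LOG_CONS | LOG_PID` that the removed openlog() in support.c set. Any log-collection or alerting rule keyed on the `PAM_smbpass` ident will stop matching after this patch. That is a direct consequence of the stated goal, but the patch header only mentions openlog()/closelog(); a sentence noting the changed syslog tag would help packagers and operators who rely on these lines for auditing.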
561 Index: samba-3.0.25c/source/pam_smbpass/support.h
562 ===================================================================
563 --- samba-3.0.25c.orig/source/pam_smbpass/support.h 2007-08-26 12:07:14.098417404 +0200
564 +++ samba-3.0.25c/source/pam_smbpass/support.h 2007-08-26 13:09:09.419359938 +0200
566 /* syslogging function for errors and other information */
567 -extern void _log_err(int, const char *, ...);
568 +extern void _log_err(pam_handle_t *, int, const char *, ...);
570 /* set the control flags for the UNIX module. */
571 -extern int set_ctrl(int, int, const char **);
572 +extern int set_ctrl(pam_handle_t *, int, int, const char **);
574 /* generic function for freeing pam data segments */
575 extern void _cleanup(pam_handle_t *, void *, int);
577 * evidence of old token around for later stack analysis.
580 -extern char *smbpXstrDup(const char *);
581 +extern char *smbpXstrDup(pam_handle_t *,const char *);
583 /* ************************************************************** *
584 * Useful non-trivial functions *
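Review bot: Since this header is being touched, the `_log_err` prototype at gutter 568 is the place to let the compiler check the many variadic call sites this patch rewrites: `extern void _log_err(pam_handle_t *, int, const char *, ...) __attribute__((format(printf, 3, 4)));` (or Samba's PRINTF_ATTRIBUTE(3, 4) macro, if this tree provides it) makes `-Wformat` catch a format/argument mismatch such as the one suspected in the "failed auth request … as %s(%d)" calls in support.c. Style: `smbpXstrDup(pam_handle_t *,const char *)` at gutter 581 lacks the space after the comma that the neighbouring prototypes use.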