mod_auth_pam logging annoyance (w/ patch)

I've been running mod_auth_pam 1.1.1 (for apache 1.3.x) and have noticed that authentication errors get logged with odd error messages, like so:

  [Mon May 17 11:28:00 2004] [error] [client 192.168.42.250]
  (25)Inappropriate ioctl for device: PAM: user 'matthew' - not
  authenticated: Authentication failure

The "(25)Inappropriate ioctl for device" is the result of using ap_log_reason(), which includes the output of strerror(errno). This is fine for logging I/O errors, but it produces meaningless results when attempting to log PAM authentication errors.

Someone seems to have tried to correct this in CVS, and replaced all the calls to ap_log_reason() with calls to ap_log_rerror(). However, the APLOG_NOERRNO bit is still not being set and the inappropriate system call errors are still being included.

Below is a patch against CVS that modifies the calls to ap_log_rerror() to set the APLOG_NOERRNO where appropriate. I didn't modify the call right after pam_start(), where errno might be relevant.

Hope this is useful,

Matthew

--

--- mod_auth_pam.c 14 Sep 2002 13:29:40 -0000 1.4
+++ mod_auth_pam.c 22 May 2004 03:31:36 -0000
@@ -343,7 +343,7 @@
/* this is only set after get_basic_auth_pw was called */
userinfo.name = r->connection->user;
if(userinfo.name == NULL || strlen(userinfo.name) == 0) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, r,
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
"PAM: no username, refusing request");
return AUTH_REQUIRED;
}
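Review bot: Style point on the changed ap_log_rerror() line: the same APLOG_NOERRNO| edit is repeated by hand at every call site in this patch, so the next call added to the file can silently omit it again. Consider one local logging macro or helper for PAM-result messages that always sets APLOG_NOERRNO, and leave a short comment at any call that intentionally keeps errno.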
@@ -379,14 +379,14 @@
PAM_SUCCESS ) {
if(res == PAM_USER_UNKNOWN) {
if(conf->fall_through) {
- ap_log_rerror(APLOG_MARK, APLOG_NOTICE, r,
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, r,
"PAM: user '%s' unknown (%s), falling through",
r->connection->user, compat_pam_strerror(pamh, res));
pam_end(pamh, PAM_SUCCESS);
/* pass on to other modules */
return DECLINED;
} else {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, r,
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
"PAM: user '%s' unknown (%s), no fall through",
r->connection->user, compat_pam_strerror(pamh, res));
/* refuse client */
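Review bot: Both messages in this hunk format r->connection->user into the error log with '%s', and that value comes from the client's credentials. With the errno prefix removed, these lines become cleaner to parse and more likely to be consumed by log monitoring, so it is worth confirming that the logging path escapes control characters in the name, or sanitizing it before the call, so a crafted user name cannot forge or split log entries.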
@@ -395,7 +395,7 @@
return HTTP_UNAUTHORIZED;
}
} else {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, r,
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
"PAM: user '%s' - not authenticated: %s",
r->connection->user, compat_pam_strerror(pamh, res));
pam_end(pamh, PAM_SUCCESS);
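Review bot: On the "not authenticated" message, once errno is suppressed the only failure detail left is the text from compat_pam_strerror(pamh, res), which can differ between PAM implementations and locales. Consider logging the numeric res as well (for example "... not authenticated: %s (%d)"), so failed logins can be matched reliably by detection rules.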
@@ -406,7 +406,7 @@


/* check that the account is healthy */
if((res = pam_acct_mgmt(pamh, PAM_DISALLOW_NULL_AUTHTOK)) != PAM_SUCCESS) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, r,
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
"PAM: user '%s' - invalid account: %s",
r->connection->user, compat_pam_strerror(pamh, res));
pam_end(pamh, PAM_SUCCESS);
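Review bot: In the failure branch after pam_acct_mgmt(), the context line pam_end(pamh, PAM_SUCCESS) reports success to PAM even though res is not PAM_SUCCESS; the second argument of pam_end() is meant to carry the status of the last PAM call and is handed to module cleanup callbacks. Since this patch is already correcting the error reporting on this path, consider passing res there instead; the same pattern appears in the "not authenticated" branch of the previous hunk.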



_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
