use of syslog by pam_unix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,

I noticed that if pam_unix sees that a user does not exist on the system, it
logs this information via syslog at priority level LOG_ALERT.

I take issue with this, on two points:

1) The user may in fact exist, but only be accessible via other pam modules
(ie, pam_ldap).  Thus, it would seem to make more sense to either leave
logging of this condition up to the client, or to have the pam module perform
this logging only in the case where it is the last one in the stack (in which
case it can be sure that the user *really* doesn't exist).

I see that in the module writers guide:

http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_modules-5.html#ss5.2

that "Authentication failures, associated with an incorrectly typed password
should be logged at level, LOG_NOTICE", but I see nothing about the condition
where the username is non-existant.

2) LOG_ALERT.  According to syslog(2):

    #define KERN_ALERT    "<1>"  /* action must be taken immediately */

I would posit that a client attempting to authenticate with a non-existing
username does not meet this criteria.  In my opinion an argument can be made
that this is not even an error condition, and thus should be at level
LOG_WARNING or below.

The above two points assume that my interpretation of the code is correct,
given the case of a client attempting to authenticate a user, where the
client's configuration is to use pam_unix followed by pam_ldap for auth.

in unix_chkpwd.c line 129:

    pwd = getpwnam(name);   /* Get password file entry... */

and line 157:

    if (pwd == NULL || salt == NULL) {
	_log_err(LOG_ALERT, "check pass; user unknown");

from getpwnam(3):

    "The getpwnam() and getpwuid() functions return a pointer to the passwd
    structure, or NULL if the matching entry is not found"

Thus, if the user does not exist in /etc/passwd (but does exist in ldap), pwd
will be NULL, causing the logging condition to occur.

My intent is to start a dialog on this issue to determine if this is a valid
criticism.  If so, I would be happy to assist on creating a patch.

Thanks,
Jason Pepas

_______________________________________________

Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux