On Thu, Apr 23, Tomas Mraz wrote:
I am for backwards compatible change - that is introducing the
'quiet'
option.
Ok, done. Attached is the patch, ok to commit?
BTW we have:
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
in Fedora/RHEL for a long time to workaround this problem. And recently
in cronie I have added a patch that completely skips PAM calls for
system cron jobs. So it is really questionable whether this change in
PAM is needed.
It's not only cron who prints this very often, and I think adding
several pam_succeed_if.so to suppress a log message is not the right
way to go.
I put the quiet entry before the DES entry, because the DES entry is somewhat
special and I don't want to have it in the middle of the table.
Thorsten
diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
index 9ce084e..55d27bb 100644
--- a/modules/pam_unix/pam_unix.8.xml
+++ b/modules/pam_unix/pam_unix.8.xml
@@ -131,6 +131,20 @@
<varlistentry>
<term>
+ <option>quiet</option>
+ </term>
+ <listitem>
+ <para>
+ Turns off informational messages via
+ <citerefentry>
+
<refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
<option>nullok</option>
</term>
<listitem>
diff --git a/modules/pam_unix/pam_unix_sess.c b/modules/pam_unix/pam_unix_sess.c
index d137673..5d00181 100644
--- a/modules/pam_unix/pam_unix_sess.c
+++ b/modules/pam_unix/pam_unix_sess.c
@@ -96,8 +96,9 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char
**argv)
if (login_name == NULL) {
login_name = "";
}
- pam_syslog(pamh, LOG_INFO, "session opened for user %s by %s(uid=%lu)",
- user_name, login_name, (unsigned long)getuid());
+ if (off (UNIX_QUIET, ctrl))
+ pam_syslog(pamh, LOG_INFO, "session opened for user %s by %s(uid=%lu)",
+ user_name, login_name, (unsigned long)getuid());
return PAM_SUCCESS;
}
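Review bot: With `quiet` set, the gated `session opened for user %s by %s(uid=%lu)` call no longer records who opened the session, and nothing at the call site says that this is the record being dropped. I would add a comment above the `if`, for example `/* quiet: drop only this LOG_INFO session record */`, and brace the body, since the call spans two lines. The same applies to the `session closed` call in the pam_sm_close_session hunk, where the error path visible just above it stays ungated. Sites that feed these lines to login monitoring lose them for every service configured with `quiet`, so the man page wording "informational messages" would be clearer if it named the two messages. Both function bodies start outside their hunks, so where `ctrl` is filled from argv cannot be seen here.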
@@ -126,8 +127,9 @@ pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const
char **argv)
"close_session - error recovering service");
return PAM_SESSION_ERR;
}
- pam_syslog(pamh, LOG_INFO, "session closed for user %s",
- user_name);
+ if (off (UNIX_QUIET, ctrl))
+ pam_syslog(pamh, LOG_INFO, "session closed for user %s",
+ user_name);
return PAM_SUCCESS;
}
diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
index cd6ddb7..3729ce0 100644
--- a/modules/pam_unix/support.h
+++ b/modules/pam_unix/support.h
@@ -97,9 +97,10 @@ typedef struct {
password hash algorithms */
#define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */
#define UNIX_MIN_PASS_LEN 27 /* min length for password */
-#define UNIX_DES 28 /* DES, default */
+#define UNIX_QUIET 28 /* Don't print informational messages */
+#define UNIX_DES 29 /* DES, default */
/* -------------- */
-#define UNIX_CTRLS_ 29 /* number of ctrl arguments defined */
+#define UNIX_CTRLS_ 30 /* number of ctrl arguments defined */
#define
UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
@@ -136,6 +137,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000,
0},
/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000,
1},
/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
+/* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000,
0},
/* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0,
1},
};
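Review bot: The new `quiet` row is tied to `UNIX_QUIET` only by its position and its leading comment, because `unix_args` is filled positionally while its size comes from `UNIX_CTRLS_`. If a row and a `#define` ever get out of step, the compiler stays silent: the last slot is zero-filled or options are matched against the wrong index. Writing the row as `[UNIX_QUIET] = {"quiet", _ALL_ON_, 01000000000, 0},` would bind it to the index set in the `#define` hunk above. The rest of the table lies outside this hunk, so whether the other rows could follow the same form is not visible here.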
--
Thorsten Kukuk, Senior Architect SLES & Common Code Base
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
GF: Felix Imendörffer, Jane Smithard, Jennifer Guild, Dilip Upmanyu, Graham Norton, HRB
21284 (AG Nürnberg)