On Wed, May 04, Tomas Mraz wrote:
> On Wed, 2011-05-04 at 13:36 +0200, Thorsten Kukuk wrote:
> > Hi,
> >
> > pam_lastlog has currently the following code for a purely informative
> > message:
> >
> >     /* obtain the failed login attempt records from btmp */
> >     fd = open(_PATH_BTMP, O_RDONLY);
> >     if (fd < 0) {
> >         pam_syslog(pamh, LOG_ERR, "unable to open %s: %m", _PATH_BTMP);
> >         D(("unable to open %s file", _PATH_BTMP));
> >         return PAM_SERVICE_ERR;
> >     }
> >
> > I think most people will use "optional" for the module in the session
> > section, so that it shouldn't really matter. On the other side, I don't
> > think pam_lastlog should fail, if it cannot print the failed login attempts
> > since the last successful login, because there were none.
> >
> > Since this only happens if "showfailed" argument is given: shouldn't
> > we change the return value to PAM_IGNORE or something similar?
> > Or should we even remove the return code for that function completely?
>
> Or perhaps we should differentiate based on the errno? If it is ENOENT,
> then silently ignore the failure and return PAM_SUCCESS? And for the
> remaining errnos leave it as is?

Yes, that was another idea from me, too. I will implement this.
Thorsten
--
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
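
The errno split agreed on in this thread (ENOENT is silently treated as success, every other open failure still returns the service error), as an added example that is not part of the original messages and not the Linux-PAM source. The helper `count_failed_logins`, the `EX_PAM_*` stand-in constants and the use of `fprintf` in place of `pam_syslog` are assumptions made so it builds without the PAM headers; it counts every btmp record for the user rather than only those since the last successful login.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <utmp.h>

#ifndef _PATH_BTMP
# define _PATH_BTMP "/var/log/btmp"
#endif

/* Stand-ins for PAM_SUCCESS and PAM_SERVICE_ERR so this builds without the
 * PAM headers (assumption: the real module returns the PAM codes). */
enum { EX_PAM_SUCCESS = 0, EX_PAM_SERVICE_ERR = 3 };

/* Hypothetical helper: count btmp records for `user` in the file at `path`.
 * A missing file means no failures were recorded, so it is not an error. */
int count_failed_logins(const char *path, const char *user, int *count)
{
    struct utmp ut;
    ssize_t n;
    int fd;

    *count = 0;
    fd = open(path, O_RDONLY);
    if (fd < 0) {
        if (errno == ENOENT)
            return EX_PAM_SUCCESS;      /* no btmp file: nothing to show */
        fprintf(stderr, "unable to open %s: %s\n", path, strerror(errno));
        return EX_PAM_SERVICE_ERR;      /* EACCES, ENOTDIR, ...: unchanged */
    }
    while ((n = read(fd, &ut, sizeof(ut))) == (ssize_t)sizeof(ut)) {
        if (strncmp(ut.ut_user, user, sizeof(ut.ut_user)) == 0)
            (*count)++;
    }
    close(fd);
    return n < 0 ? EX_PAM_SERVICE_ERR : EX_PAM_SUCCESS;
}

int main(int argc, char **argv)
{
    int count, rc;

    rc = count_failed_logins(_PATH_BTMP, argc > 1 ? argv[1] : "root", &count);
    printf("rc=%d failed=%d\n", rc, count);
    return rc == EX_PAM_SUCCESS ? 0 : 1;
}
```

Keeping the error return for the non-ENOENT cases means a btmp file that exists but cannot be read still shows up in the logs instead of being reported as "no failed logins".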