6:36 a.m.
Hi,
pam_lastlog has currently the following code for a pure informative
message:
/* obtain the failed login attempt records from btmp */
fd = open(_PATH_BTMP, O_RDONLY);
if (fd < 0) {
pam_syslog(pamh, LOG_ERR, "unable to open %s: %m", _PATH_BTMP);
D(("unable to open %s file", _PATH_BTMP));
return PAM_SERVICE_ERR;
}
I think most people will use "optional" for the module in the session
section, so that it shouldn't really matter. On the other side, I don't
think pam_lastlog should fail, if it cannot print the failed login attempts
since the last successful login, because there where none.
Since this only happens if "showfailed" argument is given: shouldn't
we change the return value to PAM_IGNORE or something similar?
Or should we even remove the return code for that function completly?
Thorsten
--
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
6:52 a.m.
On Wed, 2011-05-04 at 13:36 +0200, Thorsten Kukuk wrote:
Hi,
pam_lastlog has currently the following code for a pure informative
message:
/* obtain the failed login attempt records from btmp */
fd = open(_PATH_BTMP, O_RDONLY);
if (fd < 0) {
pam_syslog(pamh, LOG_ERR, "unable to open %s: %m", _PATH_BTMP);
D(("unable to open %s file", _PATH_BTMP));
return PAM_SERVICE_ERR;
}
I think most people will use "optional" for the module in the session
section, so that it shouldn't really matter. On the other side, I don't
think pam_lastlog should fail, if it cannot print the failed login attempts
since the last successful login, because there where none.
Since this only happens if "showfailed" argument is given: shouldn't
we change the return value to PAM_IGNORE or something similar?
Or should we even remove the return code for that function completly?
Or perhaps we should differentiate based on the errno? If it is ENOENT,
then silently ignore the failure and return PAM_SUCCESS? And for the
remaining errnos leave it as is?
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
7:01 a.m.
On Wed, May 04, Tomas Mraz wrote:
On Wed, 2011-05-04 at 13:36 +0200, Thorsten Kukuk wrote:
> Hi,
>
> pam_lastlog has currently the following code for a pure informative
> message:
>
> /* obtain the failed login attempt records from btmp */
> fd = open(_PATH_BTMP, O_RDONLY);
> if (fd < 0) {
> pam_syslog(pamh, LOG_ERR, "unable to open %s: %m", _PATH_BTMP);
> D(("unable to open %s file", _PATH_BTMP));
> return PAM_SERVICE_ERR;
> }
>
> I think most people will use "optional" for the module in the session
> section, so that it shouldn't really matter. On the other side, I don't
> think pam_lastlog should fail, if it cannot print the failed login attempts
> since the last successful login, because there where none.
>
> Since this only happens if "showfailed" argument is given: shouldn't
> we change the return value to PAM_IGNORE or something similar?
> Or should we even remove the return code for that function completly?
Or perhaps we should differentiate based on the errno? If it is ENOENT,
then silently ignore the failure and return PAM_SUCCESS? And for the
remaining errnos leave it as is?
Yes, that was another idea from me, too. I will implement this.
Thorsten
--
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
4748
days inactive
4748
days old
pam-developers@lists.fedorahosted.org
2 comments
2 participants
participants (2)
-
Thorsten Kukuk -
Tomas Mraz