[Pkg-shadow-commits] r180 - trunk/debian/patches
Nicolas FRANCOIS
pkg-shadow-devel@lists.alioth.debian.org
Sun, 29 May 2005 13:16:13 +0000
Author: nekral-guest
Date: 2005-05-29 13:16:12 +0000 (Sun, 29 May 2005)
New Revision: 180
Added:
trunk/debian/patches/008_login_FAILLOG_ENAB
trunk/debian/patches/008_login_MAXHOSTNAMELEN
trunk/debian/patches/008_login_PAM_SILENT_if_hushed_login
trunk/debian/patches/008_login_cancel_timout_after_authentication
trunk/debian/patches/008_login_log_failure_in_FTMP
trunk/debian/patches/008_login_log_pam_user_if_USE_PAM
trunk/debian/patches/008_login_more_LOG_UNKFAIL_ENAB
trunk/debian/patches/008_su_syslog_old:new
Modified:
trunk/debian/patches/008_login_close_session_as_root
trunk/debian/patches/008_src.dpatch
trunk/debian/patches/series
Log:
Continue splitting 008_src, which now only contains patches for src/su.c
Added: trunk/debian/patches/008_login_FAILLOG_ENAB
===================================================================
--- trunk/debian/patches/008_login_FAILLOG_ENAB 2005-05-28 17:37:37 UTC (rev 179)
+++ trunk/debian/patches/008_login_FAILLOG_ENAB 2005-05-29 13:16:12 UTC (rev 180)
@@ -0,0 +1,72 @@
+Goal: ??
+Depends: 008_login_more_LOG_UNKFAIL_ENAB
+
+Notes:
+ * I've not found a related entry in the changelog.
+ * This patch looks strang to me. It adds #ifndef USE_PAM in section already
+ enclosed by either #ifdef USE_PAM or #ifndef USE_PAM.
+
+ IMHO, it should ignored or rewritten.
+
+Index: shadow-4.0.3/src/login.c
+===================================================================
+--- shadow-4.0.3.orig/src/login.c 2005-05-29 00:03:47.374189000 +0200
++++ shadow-4.0.3/src/login.c 2005-05-29 00:03:58.704189000 +0200
+@@ -809,6 +809,10 @@
+ syslog (LOG_NOTICE,
+ _("TOO MANY LOGIN TRIES (%d)%s FOR `%s'"),
+ failcount, fromhost, failent_user);
++#ifndef USE_PAM
++ if (pwd && getdef_bool("FAILLOG_ENAB"))
++ failure (pwent.pw_uid, tty, &faillog);
++#endif
+ fprintf(stderr,
+ _("Maximum number of tries exceeded (%d)\n"),
+ failcount);
+@@ -826,11 +830,22 @@
+ pam_strerror (pamh, retcode));
+ failed = 1;
+ }
++#ifndef USE_PAM
++ if (pwd && getdef_bool("FAILLOG_ENAB") &&
++ ! failcheck (pwent.pw_uid, &faillog, failed)) {
++ SYSLOG((LOG_CRIT, FAILURE_CNT, failent_user, fromhost));
++ failed = 1;
++ }
++#endif
+
+ if (!failed)
+ break;
+
+ fprintf(stderr,"Login incorrect\n\n");
++#ifndef USE_PAM
++ if (pwd && getdef_bool("FAILLOG_ENAB"))
++ failure (pwent.pw_uid, tty, &faillog);
++#endif
+ if (getdef_str("FTMP_FILE") != NULL) {
+ #if HAVE_UTMPX_H
+ failent = utxent;
+@@ -1047,6 +1062,7 @@
+ failed = 1;
+ }
+ #endif
++#ifndef USE_PAM
+ if (pwd && getdef_bool ("FAILLOG_ENAB") &&
+ !failcheck (pwent.pw_uid, &faillog, failed)) {
+ SYSLOG ((LOG_CRIT,
+@@ -1054,12 +1070,15 @@
+ username, fromhost));
+ failed = 1;
+ }
++#endif
+ if (!failed)
+ break;
+
++#ifndef USE_PAM
+ /* don't log non-existent users */
+ if (pwd && getdef_bool ("FAILLOG_ENAB"))
+ failure (pwent.pw_uid, tty, &faillog);
++#endif
+ if (getdef_str ("FTMP_FILE") != NULL) {
+ const char *failent_user;
+
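Review bot: The three `#ifndef USE_PAM` blocks added by the inner hunks at -809 and -826 sit next to `pam_strerror (pamh, retcode)`, so they appear to be inside the PAM-only authentication loop and would never be compiled. The hunks at -1047 and -1054 wrap the existing `failcheck`/`failure` calls in the same guard, so a PAM build would neither update nor check faillog. That contradicts the note in 008_login_more_LOG_UNKFAIL_ENAB about adding a faillog entry under PAM (#53164), and would leave per-account failure counting to the PAM stack. The enclosing function is outside the hunks, so the nesting is inferred from the context lines. The header should record the effect instead of `Goal: ??`, for example `Goal: compile the faillog (FAILLOG_ENAB) calls only when USE_PAM is not defined`.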
Added: trunk/debian/patches/008_login_MAXHOSTNAMELEN
===================================================================
--- trunk/debian/patches/008_login_MAXHOSTNAMELEN 2005-05-28 17:37:37 UTC (rev 179)
+++ trunk/debian/patches/008_login_MAXHOSTNAMELEN 2005-05-29 13:16:12 UTC (rev 180)
@@ -0,0 +1,19 @@
+Goal: ???
+
+
+Index: shadow-4.0.3/src/login.c
+===================================================================
+--- shadow-4.0.3.orig/src/login.c 2005-05-29 11:07:14.638975000 +0200
++++ shadow-4.0.3/src/login.c 2005-05-29 11:09:47.018975000 +0200
+@@ -58,6 +58,11 @@
+ #include <sys/proc.h>
+ #include <sys/sysi86.h>
+ #endif
++
++#ifndef MAXHOSTNAMELEN
++#define MAXHOSTNAMELEN 64
++#endif
++
+ #ifdef RADIUS
+ /*
+ * Support for RADIUS authentication based on a hacked util-linux login
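Review bot: The header says only `Goal: ???`; state the purpose, for example `Goal: define MAXHOSTNAMELEN when the system headers do not provide it`. The fallback of 64 is only safe if every buffer sized with it is filled by a bounded copy. Those uses are outside the hunk, so they should be checked against host names longer than 63 bytes.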
Added: trunk/debian/patches/008_login_PAM_SILENT_if_hushed_login
===================================================================
--- trunk/debian/patches/008_login_PAM_SILENT_if_hushed_login 2005-05-28 17:37:37 UTC (rev 179)
+++ trunk/debian/patches/008_login_PAM_SILENT_if_hushed_login 2005-05-29 13:16:12 UTC (rev 180)
@@ -0,0 +1,25 @@
+Goal: check for hushed login and pass PAM_SILENT if true,
+Fixes: #48002
+
+Status wrt upstream: It should be forwarded to upstream.
+
+Index: shadow-4.0.3/src/login.c
+===================================================================
+--- shadow-4.0.3.orig/src/login.c 2005-05-28 22:21:29.434189000 +0200
++++ shadow-4.0.3/src/login.c 2005-05-28 22:21:32.774189000 +0200
+@@ -889,11 +889,14 @@
+
+ if (!pwd || setup_groups (pwd))
+ exit (1);
++ else
++ pwent = *pwd;
+
+ retcode = pam_setcred (pamh, PAM_ESTABLISH_CRED);
+ PAM_FAIL_CHECK;
+
+- retcode = pam_open_session (pamh, 0);
++ retcode = pam_open_session (pamh,
++ hushed(&pwent) ? PAM_SILENT : 0);
+ PAM_FAIL_CHECK;
+
+ #else /* ! USE_PAM */
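Review bot: `pwent = *pwd;` is a shallow copy, so the string members of `pwent` still point into the storage returned by the earlier passwd lookup, and `hushed(&pwent)` is only evaluated after `pam_setcred()` has run. If a PAM module does its own getpw* lookup in between, those strings may be overwritten with another entry. Where `pwd` comes from and what `hushed()` reads are outside the hunk, so this is inferred. Computing the flag right after the copy would close the window, e.g. `hush_flag = hushed (&pwent) ? PAM_SILENT : 0;` followed later by `retcode = pam_open_session (pamh, hush_flag);`. The `else` after `exit (1)` is also unnecessary.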
Added: trunk/debian/patches/008_login_cancel_timout_after_authentication
===================================================================
--- trunk/debian/patches/008_login_cancel_timout_after_authentication 2005-05-28 17:37:37 UTC (rev 179)
+++ trunk/debian/patches/008_login_cancel_timout_after_authentication 2005-05-29 13:16:12 UTC (rev 180)
@@ -0,0 +1,19 @@
+Goal: Cancel login timeout after authentication so that patient people
+ timing out on network directory services can log in with local
+ accounts.
+Fixes: #107148
+
+Status wrt upstream: It should be forwarded to upstream.
+
+Index: shadow-4.0.3/src/login.c
+===================================================================
+--- shadow-4.0.3.orig/src/login.c 2005-05-28 22:21:15.794189000 +0200
++++ shadow-4.0.3/src/login.c 2005-05-28 22:21:22.214189000 +0200
+@@ -866,6 +866,7 @@
+ }
+
+ /* We don't get here unless they were authenticated above */
++ alarm(0);
+ retcode = pam_acct_mgmt (pamh, 0);
+
+ if (retcode == PAM_NEW_AUTHTOK_REQD) {
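Review bot: `alarm(0)` is placed before `pam_acct_mgmt()`, so every step after authentication runs without a timeout, including the `PAM_NEW_AUTHTOK_REQD` branch that begins on the last context line. If that branch prompts for a new password (its body is outside the hunk), a login for an account with an expired password could hold the line open indefinitely at that prompt. Consider re-arming a timeout around interactive steps, or at least document the trade-off at the call: `/* authenticated: cancel the login timeout; later PAM steps run untimed */`.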
Modified: trunk/debian/patches/008_login_close_session_as_root
===================================================================
--- trunk/debian/patches/008_login_close_session_as_root 2005-05-28 17:37:37 UTC (rev 179)
+++ trunk/debian/patches/008_login_close_session_as_root 2005-05-29 13:16:12 UTC (rev 180)
@@ -19,7 +19,7 @@
===================================================================
--- shadow-4.0.3.orig/src/login.c 2005-05-28 19:11:32.274189000 +0200
+++ shadow-4.0.3/src/login.c 2005-05-28 19:11:33.674189000 +0200
-@@ -1276,6 +1276,40 @@
+@@ -1273,6 +1273,40 @@
login_fbtab (tty, pwent.pw_uid, pwent.pw_gid);
#endif
@@ -60,7 +60,7 @@
/* We call set_groups() above because this clobbers pam_groups.so */
#ifndef USE_PAM
if (setup_uid_gid (&pwent, is_console))
-@@ -1377,41 +1411,6 @@
+@@ -1374,41 +1408,6 @@
signal (SIGTERM, SIG_DFL); /* default terminate signal */
signal (SIGALRM, SIG_DFL); /* default alarm signal */
signal (SIGHUP, SIG_DFL); /* added this. --marekm */
Added: trunk/debian/patches/008_login_log_failure_in_FTMP
===================================================================
--- trunk/debian/patches/008_login_log_failure_in_FTMP 2005-05-28 17:37:37 UTC (rev 179)
+++ trunk/debian/patches/008_login_log_failure_in_FTMP 2005-05-29 13:16:12 UTC (rev 180)
@@ -0,0 +1,31 @@
+Goal: Log login failures to the btmp file
+
+Notes:
+ * I'm not sure login should add an entry in the FTMP file when PAM is used.
+ (but nothing in /etc/login.defs indicates that the failure is not logged)
+
+Index: shadow-4.0.3/src/login.c
+===================================================================
+--- shadow-4.0.3.orig/src/login.c 2005-05-29 00:06:56.174189000 +0200
++++ shadow-4.0.3/src/login.c 2005-05-29 00:10:42.704189000 +0200
+@@ -831,6 +831,20 @@
+ break;
+
+ fprintf(stderr,"Login incorrect\n\n");
++ if (getdef_str("FTMP_FILE") != NULL) {
++#if HAVE_UTMPX_H
++ failent = utxent;
++ gettimeofday(&(failent.ut_tv), NULL);
++#else
++ failent = utent;
++ time(&failent.ut_time);
++#endif
++ strncpy(failent.ut_user, failent_user, sizeof(failent.ut_user));
++#ifdef USER_PROCESS
++ failent.ut_type = USER_PROCESS;
++#endif
++ failtmp(&failent);
++ }
+
+ /* Let's give it another go around */
+ pam_set_item(pamh,PAM_USER,NULL);
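Review bot: The patch header has no `Depends:` line although the added block uses `failent_user`, which is introduced by 008_login_more_LOG_UNKFAIL_ENAB; add `Depends: 008_login_more_LOG_UNKFAIL_ENAB` as 008_login_FAILLOG_ENAB does. `strncpy(failent.ut_user, failent_user, sizeof(failent.ut_user));` leaves the field without a terminating NUL when the name fills it, which is the usual convention for utmp records but deserves a comment such as `/* ut_user is fixed-width; not NUL-terminated when full */`. When LOG_UNKFAIL_ENAB is set, `failent_user` is whatever was typed at the prompt, so FTMP_FILE can end up holding mistyped passwords and its permissions should keep it readable by root only.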
Added: trunk/debian/patches/008_login_log_pam_user_if_USE_PAM
===================================================================
--- trunk/debian/patches/008_login_log_pam_user_if_USE_PAM 2005-05-28 17:37:37 UTC (rev 179)
+++ trunk/debian/patches/008_login_log_pam_user_if_USE_PAM 2005-05-29 13:16:12 UTC (rev 180)
@@ -0,0 +1,20 @@
+Goal: fixed loggin of username on succesful login (was using
+ the normal username, when it should have used pam_user)
+Fixes: #47819
+Status wrt upstream: It should be forwarded to upstream.
+Index: shadow-4.0.3/src/login.c
+===================================================================
+--- shadow-4.0.3.orig/src/login.c 2005-05-28 22:21:25.134189000 +0200
++++ shadow-4.0.3/src/login.c 2005-05-28 22:21:29.434189000 +0200
+@@ -1421,7 +1421,11 @@
+ if (pwent.pw_uid == 0)
+ SYSLOG ((LOG_NOTICE, "ROOT LOGIN %s", fromhost));
+ else if (getdef_bool ("LOG_OK_LOGINS"))
++#ifdef USE_PAM
++ SYSLOG ((LOG_INFO, "`%s' logged in %s", pam_user, fromhost));
++#else
+ SYSLOG ((LOG_INFO, "`%s' logged in %s", username, fromhost));
++#endif
+ closelog ();
+ #ifdef RADIUS
+ if (is_rad_login) {
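Review bot: `pam_user` is logged here well after the authentication loop fetched it with `pam_get_item()`. That pointer refers to PAM-owned storage, so it may be stale if a later module replaced PAM_USER, and whether it is refreshed before this line is not visible in the hunk. Passing `pwent.pw_name` instead would, as far as the visible patches show, name the account the session runs as in both builds and make the `#ifdef USE_PAM` / `#else` pair unnecessary. If `pam_user` is kept, a comment stating where it was last fetched would help, e.g. `/* pam_user: set by the last pam_get_item(PAM_USER) above */`.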
Added: trunk/debian/patches/008_login_more_LOG_UNKFAIL_ENAB
===================================================================
--- trunk/debian/patches/008_login_more_LOG_UNKFAIL_ENAB 2005-05-28 17:37:37 UTC (rev 179)
+++ trunk/debian/patches/008_login_more_LOG_UNKFAIL_ENAB 2005-05-29 13:16:12 UTC (rev 180)
@@ -0,0 +1,135 @@
+Goal: the username should be logged as UNKNOWN if LOG_UNKFAIL_ENAB is not set.
+
+Status wrt upstream: It should be applied upstream, or kept.
+
+Notes:
+ * This patch also adds the following minor changes (which are not easy to
+ extract from this patch):
+ + TOO MANY LOGIN... logged if PAM_MAXTRIES or failcount >= retries.
+ Upstream only test PAM_MAXTRIES.
+ + Print to stderr (in addition to syslog) in case of maximum number of
+ tries exceeded.
+ + Always prints the number of tries in the syslog entry.
+ + add special handling for PAM_ABORT
+ * This patch also adds the following non-minor change:
+ + add an entry to failog, as when USE_PAM is not defined. (#53164)
+ * The patch changed pam_end to PAM_END. This is certainly a mistake.
+ PAM_END is pam_close_seesion + pam_end. Here, the session is still not
+ open, we don't have to close it.
+ * a HAVE_PAM_FAIL_DELAY is missing
+
+
+Index: shadow-4.0.3/src/login.c
+===================================================================
+--- shadow-4.0.3.orig/src/login.c 2005-05-29 00:06:16.954189000 +0200
++++ shadow-4.0.3/src/login.c 2005-05-29 00:06:56.174189000 +0200
+@@ -775,49 +775,68 @@
+ * MAX_LOGIN_TRIES?
+ */
+
+- retcode = pam_authenticate (pamh, 0);
+- while ((failcount++ < retries) &&
+- ((retcode == PAM_AUTH_ERR) ||
+- (retcode == PAM_USER_UNKNOWN) ||
+- (retcode == PAM_CRED_INSUFFICIENT) ||
+- (retcode == PAM_AUTHINFO_UNAVAIL))) {
+- pam_get_item (pamh, PAM_USER,
+- (const void **) &pam_user);
+- syslog (LOG_NOTICE,
+- "FAILED LOGIN %d FROM %s FOR %s, %s",
+- failcount, hostname, pam_user,
+- pam_strerror (pamh, retcode));
+-#ifdef HAVE_PAM_FAIL_DELAY
+- pam_fail_delay (pamh, 1000000 * delay);
+-#endif
+- fprintf (stderr, "Login incorrect\n\n");
+- pam_set_item (pamh, PAM_USER, NULL);
+- retcode = pam_authenticate (pamh, 0);
+- }
+-
+- if (retcode != PAM_SUCCESS) {
+- pam_get_item (pamh, PAM_USER,
+- (const void **) &pam_user);
+-
+- if (retcode == PAM_MAXTRIES)
+- syslog (LOG_NOTICE,
+- "TOO MANY LOGIN TRIES (%d) FROM %s FOR %s, %s",
+- failcount, hostname,
+- pam_user,
+- pam_strerror (pamh,
+- retcode));
+- else
+- syslog (LOG_NOTICE,
+- "FAILED LOGIN SESSION FROM %s FOR %s, %s",
+- hostname, pam_user,
+- pam_strerror (pamh,
+- retcode));
+-
+- fprintf (stderr, "\nLogin incorrect\n");
+- pam_end (pamh, retcode);
+- exit (0);
++ failcount = 0;
++ while (1) {
++ const char *failent_user;
++ failed = 0;
++
++ failcount++;
++ if (delay > 0)
++ retcode = pam_fail_delay(pamh, 1000000*delay);
++
++ retcode = pam_authenticate (pamh, 0);
++
++ pam_get_item (pamh, PAM_USER,
++ (const void **) &pam_user);
++
++ if (pam_user && pam_user[0]) {
++ pwd = getpwnam(pam_user);
++ if (pwd) {
++ pwent = *pwd;
++ failent_user = pwent.pw_name;
++ } else {
++ if (getdef_bool("LOG_UNKFAIL_ENAB") && pam_user)
++ failent_user = pam_user;
++ else
++ failent_user = "UNKNOWN";
++ }
++ } else {
++ pwd = NULL;
++ failent_user = "UNKNOWN";
++ }
++
++ if (retcode == PAM_MAXTRIES || failcount >= retries) {
++ syslog (LOG_NOTICE,
++ _("TOO MANY LOGIN TRIES (%d)%s FOR `%s'"),
++ failcount, fromhost, failent_user);
++ fprintf(stderr,
++ _("Maximum number of tries exceeded (%d)\n"),
++ failcount);
++ PAM_END;
++ exit(0);
++ } else if (retcode == PAM_ABORT) {
++ /* Serious problems, quit now */
++ fprintf(stderr,_("login: abort requested by PAM\n"));
++ syslog(LOG_ERR,_("PAM_ABORT returned from pam_authenticate()"));
++ PAM_END;
++ exit(99);
++ } else if (retcode != PAM_SUCCESS) {
++ syslog(LOG_NOTICE,_("FAILED LOGIN (%d)%s FOR `%s', %s"),
++ failcount, fromhost, failent_user,
++ pam_strerror (pamh, retcode));
++ failed = 1;
++ }
++
++ if (!failed)
++ break;
++
++ fprintf(stderr,"Login incorrect\n\n");
++
++ /* Let's give it another go around */
++ pam_set_item(pamh,PAM_USER,NULL);
+ }
+
++ /* We don't get here unless they were authenticated above */
+ retcode = pam_acct_mgmt (pamh, 0);
+
+ if (retcode == PAM_NEW_AUTHTOK_REQD) {
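Review bot: The test `if (retcode == PAM_MAXTRIES || failcount >= retries)` runs before `retcode` is compared with `PAM_SUCCESS`, so a correct password on the last permitted attempt is logged as TOO MANY LOGIN TRIES and the process exits. With `retries` set to 1, no login could succeed. Restrict the count check to failed attempts: `if (retcode == PAM_MAXTRIES || (retcode != PAM_SUCCESS && failcount >= retries)) {`. Separately, the value assigned by `retcode = pam_fail_delay(pamh, 1000000*delay);` is overwritten by the next statement, so a failure to set the delay goes unnoticed; either drop the assignment or check it.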
Modified: trunk/debian/patches/008_src.dpatch
===================================================================
--- trunk/debian/patches/008_src.dpatch 2005-05-28 17:37:37 UTC (rev 179)
+++ trunk/debian/patches/008_src.dpatch 2005-05-29 13:16:12 UTC (rev 180)
@@ -24,216 +24,10 @@
@DPATCH@
-Index: shadow-4.0.3/src/login.c
-===================================================================
---- shadow-4.0.3.orig/src/login.c 2005-05-23 00:40:16.187167000 +0200
-+++ shadow-4.0.3/src/login.c 2005-05-23 00:40:50.307167000 +0200
-@@ -58,6 +58,11 @@
- #include <sys/proc.h>
- #include <sys/sysi86.h>
- #endif
-+
-+#ifndef MAXHOSTNAMELEN
-+#define MAXHOSTNAMELEN 64
-+#endif
-+
- #ifdef RADIUS
- /*
- * Support for RADIUS authentication based on a hacked util-linux login
-@@ -763,49 +768,98 @@
- * MAX_LOGIN_TRIES?
- */
-
-- retcode = pam_authenticate (pamh, 0);
-- while ((failcount++ < retries) &&
-- ((retcode == PAM_AUTH_ERR) ||
-- (retcode == PAM_USER_UNKNOWN) ||
-- (retcode == PAM_CRED_INSUFFICIENT) ||
-- (retcode == PAM_AUTHINFO_UNAVAIL))) {
-- pam_get_item (pamh, PAM_USER,
-- (const void **) &pam_user);
-- syslog (LOG_NOTICE,
-- "FAILED LOGIN %d FROM %s FOR %s, %s",
-- failcount, hostname, pam_user,
-- pam_strerror (pamh, retcode));
--#ifdef HAVE_PAM_FAIL_DELAY
-- pam_fail_delay (pamh, 1000000 * delay);
-+ failcount = 0;
-+ while (1) {
-+ const char *failent_user;
-+ failed = 0;
-+
-+ failcount++;
-+ if (delay > 0)
-+ retcode = pam_fail_delay(pamh, 1000000*delay);
-+
-+ retcode = pam_authenticate (pamh, 0);
-+
-+ pam_get_item (pamh, PAM_USER,
-+ (const void **) &pam_user);
-+
-+ if (pam_user && pam_user[0]) {
-+ pwd = getpwnam(pam_user);
-+ if (pwd) {
-+ pwent = *pwd;
-+ failent_user = pwent.pw_name;
-+ } else {
-+ if (getdef_bool("LOG_UNKFAIL_ENAB") && pam_user)
-+ failent_user = pam_user;
-+ else
-+ failent_user = "UNKNOWN";
-+ }
-+ } else {
-+ pwd = NULL;
-+ failent_user = "UNKNOWN";
-+ }
-+
-+ if (retcode == PAM_MAXTRIES || failcount >= retries) {
-+ syslog (LOG_NOTICE,
-+ _("TOO MANY LOGIN TRIES (%d)%s FOR `%s'"),
-+ failcount, fromhost, failent_user);
-+#ifndef USE_PAM
-+ if (pwd && getdef_bool("FAILLOG_ENAB"))
-+ failure (pwent.pw_uid, tty, &faillog);
-+#endif
-+ fprintf(stderr,
-+ _("Maximum number of tries exceeded (%d)\n"),
-+ failcount);
-+ PAM_END;
-+ exit(0);
-+ } else if (retcode == PAM_ABORT) {
-+ /* Serious problems, quit now */
-+ fprintf(stderr,_("login: abort requested by PAM\n"));
-+ syslog(LOG_ERR,_("PAM_ABORT returned from pam_authenticate()"));
-+ PAM_END;
-+ exit(99);
-+ } else if (retcode != PAM_SUCCESS) {
-+ syslog(LOG_NOTICE,_("FAILED LOGIN (%d)%s FOR `%s', %s"),
-+ failcount, fromhost, failent_user,
-+ pam_strerror (pamh, retcode));
-+ failed = 1;
-+ }
-+#ifndef USE_PAM
-+ if (pwd && getdef_bool("FAILLOG_ENAB") &&
-+ ! failcheck (pwent.pw_uid, &faillog, failed)) {
-+ SYSLOG((LOG_CRIT, FAILURE_CNT, failent_user, fromhost));
-+ failed = 1;
-+ }
- #endif
-- fprintf (stderr, "Login incorrect\n\n");
-- pam_set_item (pamh, PAM_USER, NULL);
-- retcode = pam_authenticate (pamh, 0);
-- }
-
-- if (retcode != PAM_SUCCESS) {
-- pam_get_item (pamh, PAM_USER,
-- (const void **) &pam_user);
--
-- if (retcode == PAM_MAXTRIES)
-- syslog (LOG_NOTICE,
-- "TOO MANY LOGIN TRIES (%d) FROM %s FOR %s, %s",
-- failcount, hostname,
-- pam_user,
-- pam_strerror (pamh,
-- retcode));
-- else
-- syslog (LOG_NOTICE,
-- "FAILED LOGIN SESSION FROM %s FOR %s, %s",
-- hostname, pam_user,
-- pam_strerror (pamh,
-- retcode));
--
-- fprintf (stderr, "\nLogin incorrect\n");
-- pam_end (pamh, retcode);
-- exit (0);
-+ if (!failed)
-+ break;
-+
-+ fprintf(stderr,"Login incorrect\n\n");
-+#ifndef USE_PAM
-+ if (pwd && getdef_bool("FAILLOG_ENAB"))
-+ failure (pwent.pw_uid, tty, &faillog);
-+#endif
-+ if (getdef_str("FTMP_FILE") != NULL) {
-+#if HAVE_UTMPX_H
-+ failent = utxent;
-+ gettimeofday(&(failent.ut_tv), NULL);
-+#else
-+ failent = utent;
-+ time(&failent.ut_time);
-+#endif
-+ strncpy(failent.ut_user, failent_user, sizeof(failent.ut_user));
-+#ifdef USER_PROCESS
-+ failent.ut_type = USER_PROCESS;
-+#endif
-+ failtmp(&failent);
-+ }
-+
-+ /* Let's give it another go around */
-+ pam_set_item(pamh,PAM_USER,NULL);
- }
-
-+ /* We don't get here unless they were authenticated above */
-+ alarm(0);
- retcode = pam_acct_mgmt (pamh, 0);
-
- if (retcode == PAM_NEW_AUTHTOK_REQD) {
-@@ -828,11 +882,14 @@
-
- if (!pwd || setup_groups (pwd))
- exit (1);
-+ else
-+ pwent = *pwd;
-
- retcode = pam_setcred (pamh, PAM_ESTABLISH_CRED);
- PAM_FAIL_CHECK;
-
-- retcode = pam_open_session (pamh, 0);
-+ retcode = pam_open_session (pamh,
-+ hushed(&pwent) ? PAM_SILENT : 0);
- PAM_FAIL_CHECK;
-
- #else /* ! USE_PAM */
-@@ -1002,6 +1059,7 @@
- failed = 1;
- }
- #endif
-+#ifndef USE_PAM
- if (pwd && getdef_bool ("FAILLOG_ENAB") &&
- !failcheck (pwent.pw_uid, &faillog, failed)) {
- SYSLOG ((LOG_CRIT,
-@@ -1009,12 +1067,15 @@
- username, fromhost));
- failed = 1;
- }
-+#endif
- if (!failed)
- break;
-
-+#ifndef USE_PAM
- /* don't log non-existent users */
- if (pwd && getdef_bool ("FAILLOG_ENAB"))
- failure (pwent.pw_uid, tty, &faillog);
-+#endif
- if (getdef_str ("FTMP_FILE") != NULL) {
- const char *failent_user;
-
-@@ -1357,7 +1418,11 @@
- if (pwent.pw_uid == 0)
- SYSLOG ((LOG_NOTICE, "ROOT LOGIN %s", fromhost));
- else if (getdef_bool ("LOG_OK_LOGINS"))
-+#ifdef USE_PAM
-+ SYSLOG ((LOG_INFO, "`%s' logged in %s", pam_user, fromhost));
-+#else
- SYSLOG ((LOG_INFO, "`%s' logged in %s", username, fromhost));
-+#endif
- closelog ();
- #ifdef RADIUS
- if (is_rad_login) {
Index: shadow-4.0.3/src/su.c
===================================================================
---- shadow-4.0.3.orig/src/su.c 2005-05-23 01:32:45.977167000 +0200
-+++ shadow-4.0.3/src/su.c 2005-05-23 01:44:23.797167000 +0200
+--- shadow-4.0.3.orig/src/su.c 2005-05-29 11:05:49.128975000 +0200
++++ shadow-4.0.3/src/su.c 2005-05-29 11:06:07.168975000 +0200
@@ -49,6 +49,7 @@
#include <grp.h>
#include <signal.h>
@@ -358,15 +152,6 @@
static void su_failure (const char *tty)
{
-@@ -125,7 +228,7 @@
- #ifdef USE_SYSLOG
- if (getdef_bool ("SYSLOG_SU_ENAB"))
- SYSLOG ((pwent.pw_uid ? LOG_INFO : LOG_NOTICE,
-- "- %s %s-%s", tty,
-+ "- %s %s:%s", tty,
- oldname[0] ? oldname : "???",
- name[0] ? name : "???"));
- closelog ();
@@ -153,13 +256,14 @@
{
char *cp;
@@ -563,15 +348,6 @@
if (pwent.pw_shell[0] == '*') { /* subsystem root required */
pwent.pw_shell++; /* skip the '*' */
-@@ -529,7 +678,7 @@
- #endif
- #ifdef USE_SYSLOG
- if (getdef_bool ("SYSLOG_SU_ENAB"))
-- SYSLOG ((LOG_INFO, "+ %s %s-%s", tty,
-+ SYSLOG ((LOG_INFO, "+ %s %s:%s", tty,
- oldname[0] ? oldname : "???",
- name[0] ? name : "???"));
- #endif
@@ -554,17 +703,56 @@
pam_end (pamh, ret);
exit (1);
Added: trunk/debian/patches/008_su_syslog_old:new
===================================================================
--- trunk/debian/patches/008_su_syslog_old:new 2005-05-28 17:37:37 UTC (rev 179)
+++ trunk/debian/patches/008_su_syslog_old:new 2005-05-29 13:16:12 UTC (rev 180)
@@ -0,0 +1,29 @@
+Goal: Fix su syslogs to be less ambiguous. (old:new instead of old-new
+ because '-' can appear in usernames.) Not clearer, mind you, but less
+ ambiguous.
+Fixes: #213592
+
+Status wrt upstream: It should be forwarded to upstream.
+
+Index: shadow-4.0.3/src/su.c
+===================================================================
+--- shadow-4.0.3.orig/src/su.c 2005-05-29 12:11:25.560552000 +0200
++++ shadow-4.0.3/src/su.c 2005-05-29 12:12:22.910552000 +0200
+@@ -228,7 +228,7 @@
+ #ifdef USE_SYSLOG
+ if (getdef_bool ("SYSLOG_SU_ENAB"))
+ SYSLOG ((pwent.pw_uid ? LOG_INFO : LOG_NOTICE,
+- "- %s %s-%s", tty,
++ "- %s %s:%s", tty,
+ oldname[0] ? oldname : "???",
+ name[0] ? name : "???"));
+ closelog ();
+@@ -678,7 +678,7 @@
+ #endif
+ #ifdef USE_SYSLOG
+ if (getdef_bool ("SYSLOG_SU_ENAB"))
+- SYSLOG ((LOG_INFO, "+ %s %s-%s", tty,
++ SYSLOG ((LOG_INFO, "+ %s %s:%s", tty,
+ oldname[0] ? oldname : "???",
+ name[0] ? name : "???"));
+ #endif
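Review bot: Changing the separator in both `SYSLOG` format strings from `%s-%s` to `%s:%s` alters the su audit line that log-watching rules match on, and the header does not say so. Add a line such as `Notes: changes the su syslog format; rules matching "old-new" must be updated to "old:new"` so the change reaches the changelog. ':' is the passwd field separator, so it cannot appear in an account name. `oldname` and `name` are set outside the hunks, so whether they always hold validated account names is not visible here.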
Modified: trunk/debian/patches/series
===================================================================
--- trunk/debian/patches/series 2005-05-28 17:37:37 UTC (rev 179)
+++ trunk/debian/patches/series 2005-05-29 13:16:12 UTC (rev 180)
@@ -5,10 +5,18 @@
005_manpages.dpatch
006_libmisc.dpatch
008_src.dpatch
+008_su_syslog_old:new
+008_login_MAXHOSTNAMELEN
008_grpck_add_prune_option
008_login_stop_checking_args_after--
008_login_opt-f_with_username_after--
+008_login_more_LOG_UNKFAIL_ENAB
+008_login_log_failure_in_FTMP
+008_login_FAILLOG_ENAB
+008_login_cancel_timout_after_authentication
008_login_close_session_as_root
+008_login_log_pam_user_if_USE_PAM
+008_login_PAM_SILENT_if_hushed_login
008_usermod_warn_old_home_not_removed
008_userdel_remove_group_from_gshadow
008_newgrp_preserve_env