[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Linux-PAM and syslog (POSIX) (fwd)



-----Forwarded message from Cristian Gafton <gafton@redhat.com>-----

Date: Thu, 26 Mar 1998 11:10:45 -0500 (EST)
From: Cristian Gafton <gafton@redhat.com>
To: Savochkin Andrey Vladimirovich <saw@msu.ru>
cc: gafton@redhat.com, Andrew Morgan <morgan@transmeta.com>
Subject: Re: Linux-PAM and syslog (POSIX)
In-Reply-To: <19980326164742.48967@castle.nmd.msu.ru>
Message-ID: <Pine.LNX.3.96.980326110147.1574G-100000@shefu.redhat.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Thu, 26 Mar 1998, Savochkin Andrey Vladimirovich wrote:

> The particular question about syslog that Cristian raised isn't very difficult.
> The correct and natural solution is to patch application that uses both PAM
> and syslog to reopen syslog after PAM calls.

This is completely dump and I really hope you are not serious. Simply
because sometimes it is not possible and that we promised that using PAM
would mean replacing getpwnam()/crypt()/strcmp() calls with a simple call
to pam_auth functions.

I advocate removal of all the openlog and closelog calls from pam modules.
The pam modules will log under application's name and facility (whihc
makes a *whole* lot more of sense).

> PAM modules are allowed to log what they want and with facility and priority
> they wanted.

No kidding, said who ? I don't find any trace of this bill of rights in
the PAM specs.

And using common sense, if after calling a function in a library I have to
take care of some completely unrelated problems (like syslog), I'll say
"no, thanks" to that library...

> For example PAM documentation states that configuration
> errors should be reported at ALERT level (if I remember right).

which means syslog(LOG_ALERT, message), thus no need to change facility or
name.

> To solve the syslog problem in sshd we put an additional code to log_msg()
> that wraps the syslog call. Calling PAM we mark that log needs to be reopened
> and inside log_msg() we check if the reopen is needed.


The problem is that openlog() is not stackable. And I do really have a
problem with pam_pwdb logging under it's own name instead of the
application using it.

> BTW, about syslog problem in wu-ftp I sent a letter
> to Michael Johnson at Tue, 20 Jan 1998 22:38:21 +0300
> with subject "A problem with PAMified wu-ftpd" and received no answer.

Because the problem is in Linux-PAM. As you imagine, reopening the log for
wu-ftpd after calling pam fixes a lot of things. But that's not a patch.

Best wishes,

Cristian

P.S: If you want, please post this reply and your reply to this message to
pam-list too. I didn't post it there because I didn't ask for permission
from Andrey, which is the author of the message. If you feel like taking
this to public, be my guest.

--
----------------------------------------------------------------------
Cristian Gafton   --   gafton@redhat.com   --   Red Hat Software, Inc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 UNIX is user friendly. It's just selective about who its friends are.



-----End of forwarded message-----



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []