pam_systemd_home: suppress LOG_DEBUG msgs if debugging is off

dtardon · bluca · commit 6e798f74d79e · 2023-07-18T10:11:33.000+01:00
This is a "sequel" to commit 2675747 . Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2210770 (cherry picked from commit f71b55b) (cherry picked from commit d6b23dd)
diff --git a/src/home/pam_systemd_home.c b/src/home/pam_systemd_home.c
@@ -91,6 +91,7 @@ static int parse_env(
 static int acquire_user_record(
                 pam_handle_t *handle,
                 const char *username,
+                bool debug,
                 UserRecord **ret_record) {
 
         _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL;
@@ -147,12 +148,14 @@ static int acquire_user_record(
                 r = bus_call_method(bus, bus_home_mgr, "GetUserRecordByName", &error, &reply, "s", username);
                 if (r < 0) {
                         if (bus_error_is_unknown_service(&error)) {
-                                pam_syslog(handle, LOG_DEBUG, "systemd-homed is not available: %s", bus_error_message(&error, r));
+                                if (debug)
+                                        pam_syslog(handle, LOG_DEBUG, "systemd-homed is not available: %s", bus_error_message(&error, r));
                                 goto user_unknown;
                         }
 
                         if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_HOME)) {
-                                pam_syslog(handle, LOG_DEBUG, "Not a user managed by systemd-homed: %s", bus_error_message(&error, r));
+                                if (debug)
+                                        pam_syslog(handle, LOG_DEBUG, "Not a user managed by systemd-homed: %s", bus_error_message(&error, r));
                                 goto user_unknown;
                         }
 
@@ -264,7 +267,8 @@ static int handle_generic_user_record_error(
                 const char *user_name,
                 UserRecord *secret,
                 int ret,
-                const sd_bus_error *error) {
+                const sd_bus_error *error,
+                bool debug) {
 
         assert(user_name);
         assert(error);
@@ -300,9 +304,11 @@ static int handle_generic_user_record_error(
                 if (r != PAM_SUCCESS)
                         return PAM_CONV_ERR; /* no logging here */
 
-                if (isempty(newp))
-                        return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR,
-                                                    "Password request aborted.");
+                if (isempty(newp)) {
+                        if (debug)
+                                pam_syslog(handle, LOG_DEBUG, "Password request aborted.");
+                        return PAM_AUTHTOK_ERR;
+                }
 
                 r = user_record_set_password(secret, STRV_MAKE(newp), true);
                 if (r < 0)
@@ -324,9 +330,11 @@ static int handle_generic_user_record_error(
                 if (r != PAM_SUCCESS)
                         return PAM_CONV_ERR; /* no logging here */
 
-                if (isempty(newp))
-                        return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR,
-                                                    "Recovery key request aborted.");
+                if (isempty(newp)) {
+                        if (debug)
+                                pam_syslog(handle, LOG_DEBUG, "Recovery key request aborted.");
+                        return PAM_AUTHTOK_ERR;
+                }
 
                 r = user_record_set_password(secret, STRV_MAKE(newp), true);
                 if (r < 0)
@@ -347,9 +355,11 @@ static int handle_generic_user_record_error(
                 if (r != PAM_SUCCESS)
                         return PAM_CONV_ERR; /* no logging here */
 
-                if (isempty(newp))
-                        return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR,
-                                                    "Password request aborted.");
+                if (isempty(newp)) {
+                        if (debug)
+                                pam_syslog(handle, LOG_DEBUG, "Password request aborted.");
+                        return PAM_AUTHTOK_ERR;
+                }
 
 
                 r = user_record_set_password(secret, STRV_MAKE(newp), true);
@@ -365,8 +375,11 @@ static int handle_generic_user_record_error(
                 if (r != PAM_SUCCESS)
                         return PAM_CONV_ERR; /* no logging here */
 
-                if (isempty(newp))
-                        return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR, "PIN request aborted.");
+                if (isempty(newp)) {
+                        if (debug)
+                                pam_syslog(handle, LOG_DEBUG, "PIN request aborted.");
+                        return PAM_AUTHTOK_ERR;
+                }
 
                 r = user_record_set_token_pin(secret, STRV_MAKE(newp), false);
                 if (r < 0)
@@ -420,8 +433,11 @@ static int handle_generic_user_record_error(
                 if (r != PAM_SUCCESS)
                         return PAM_CONV_ERR; /* no logging here */
 
-                if (isempty(newp))
-                        return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR, "PIN request aborted.");
+                if (isempty(newp)) {
+                        if (debug)
+                                pam_syslog(handle, LOG_DEBUG, "PIN request aborted.");
+                        return PAM_AUTHTOK_ERR;
+                }
 
                 r = user_record_set_token_pin(secret, STRV_MAKE(newp), false);
                 if (r < 0)
@@ -437,8 +453,11 @@ static int handle_generic_user_record_error(
                 if (r != PAM_SUCCESS)
                         return PAM_CONV_ERR; /* no logging here */
 
-                if (isempty(newp))
-                        return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR, "PIN request aborted.");
+                if (isempty(newp)) {
+                        if (debug)
+                                pam_syslog(handle, LOG_DEBUG, "PIN request aborted.");
+                        return PAM_AUTHTOK_ERR;
+                }
 
                 r = user_record_set_token_pin(secret, STRV_MAKE(newp), false);
                 if (r < 0)
@@ -454,8 +473,11 @@ static int handle_generic_user_record_error(
                 if (r != PAM_SUCCESS)
                         return PAM_CONV_ERR; /* no logging here */
 
-                if (isempty(newp))
-                        return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR, "PIN request aborted.");
+                if (isempty(newp)) {
+                        if (debug)
+                                pam_syslog(handle, LOG_DEBUG, "PIN request aborted.");
+                        return PAM_AUTHTOK_ERR;
+                }
 
                 r = user_record_set_token_pin(secret, STRV_MAKE(newp), false);
                 if (r < 0)
@@ -517,7 +539,7 @@ static int acquire_home(
         if (r != PAM_SUCCESS)
                 return r;
 
-        r = acquire_user_record(handle, username, &ur);
+        r = acquire_user_record(handle, username, debug, &ur);
         if (r != PAM_SUCCESS)
                 return r;
 
@@ -584,7 +606,7 @@ static int acquire_home(
                         else if (sd_bus_error_has_name(&error, BUS_ERROR_HOME_LOCKED))
                                 home_locked = true; /* Similar */
                         else {
-                                r = handle_generic_user_record_error(handle, ur->user_name, secret, r, &error);
+                                r = handle_generic_user_record_error(handle, ur->user_name, secret, r, &error, debug);
                                 if (r == PAM_CONV_ERR) {
                                         /* Password/PIN prompts will fail in certain environments, for example when
                                          * we are called from OpenSSH's account or session hooks, or in systemd's
@@ -596,7 +618,8 @@ static int acquire_home(
                                         if (home_locked)
                                                 (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Home of user %s is currently locked, please unlock locally first.", ur->user_name);
 
-                                        pam_syslog(handle, please_authenticate ? LOG_ERR : LOG_DEBUG, "Failed to prompt for password/prompt.");
+                                        if (please_authenticate || debug)
+                                                pam_syslog(handle, please_authenticate ? LOG_ERR : LOG_DEBUG, "Failed to prompt for password/prompt.");
 
                                         return home_not_active || home_locked ? PAM_PERM_DENIED : PAM_CONV_ERR;
                                 }
@@ -836,7 +859,7 @@ _public_ PAM_EXTERN int pam_sm_acct_mgmt(
         if (r != PAM_SUCCESS)
                 return r;
 
-        r = acquire_user_record(handle, NULL, &ur);
+        r = acquire_user_record(handle, NULL, debug, &ur);
         if (r != PAM_SUCCESS)
                 return r;
 
@@ -948,7 +971,7 @@ _public_ PAM_EXTERN int pam_sm_chauthtok(
         if (r != PAM_SUCCESS)
                 return r;
 
-        r = acquire_user_record(handle, NULL, &ur);
+        r = acquire_user_record(handle, NULL, debug, &ur);
         if (r != PAM_SUCCESS)
                 return r;
 
@@ -969,8 +992,11 @@ _public_ PAM_EXTERN int pam_sm_chauthtok(
                 if (r != PAM_SUCCESS)
                         return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to get new password: @PAMERR@");
 
-                if (isempty(new_password))
-                        return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR, "Password request aborted.");
+                if (isempty(new_password)) {
+                        if (debug)
+                                pam_syslog(handle, LOG_DEBUG, "Password request aborted.");
+                        return PAM_AUTHTOK_ERR;
+                }
 
                 r = pam_get_authtok_verify(handle, &new_password, "new password: "); /* Lower case, since PAM prefixes 'Repeat' */
                 if (r != PAM_SUCCESS)
@@ -1025,7 +1051,7 @@ _public_ PAM_EXTERN int pam_sm_chauthtok(
 
                 r = sd_bus_call(bus, m, HOME_SLOW_BUS_CALL_TIMEOUT_USEC, &error, NULL);
                 if (r < 0) {
-                        r = handle_generic_user_record_error(handle, ur->user_name, old_secret, r, &error);
+                        r = handle_generic_user_record_error(handle, ur->user_name, old_secret, r, &error, debug);
                         if (r == PAM_CONV_ERR)
                                 return pam_syslog_pam_error(handle, LOG_ERR, r,
                                                             "Failed to prompt for password/prompt.");
