* pam_fshadow/pam_fshadow.c, pam_sql/pam_mysql.c,

pam_sql/pam_sql.c, pam_regex/pam_regex.c: Ensure passwords might
get divulged only at debugging level 100.


git-svn-id: file:///svnroot/pam-modules/trunk@87 56984be4-0537-0410-a56c-fcb268c96130

ChangeLog

@@ -1,3 +1,9 @@
+2008-03-17  Sergey Poznyakoff  <gray@gnu.org.ua>
+
+	* pam_fshadow/pam_fshadow.c, pam_sql/pam_mysql.c,
+	pam_sql/pam_sql.c, pam_regex/pam_regex.c: Ensure passwords might
+	get divulged only at debugging level 100.
+
 2008-03-16  Sergey Poznyakoff  <gray@gnu.org.ua>
 
 	Add session management to pam_sql.

pam_fshadow/pam_fshadow.c

@@ -135,7 +135,7 @@ _pam_get_password(pam_handle_t *pamh, char **password, const char *prompt)
 	struct pam_response *resp;
 	int i, replies;
 
-	DEBUG(100,("enter _pam_get_password"));
+	DEBUG(90,("enter _pam_get_password"));
 	
 	if (cntl_flags & CNTL_AUTHTOK) {
 		/*
@@ -176,7 +176,7 @@ _pam_get_password(pam_handle_t *pamh, char **password, const char *prompt)
 	if (resp != NULL) {
 		if (retval == PAM_SUCCESS) { 	/* a good conversation */
  			token = XSTRDUP(resp[i - replies].resp);
-			DEBUG(10,("app returned [%s]", token));
+			DEBUG(100,("app returned [%s]", token));
 			PAM_DROP_REPLY(resp, 1);
 		} else {
 			_pam_log(LOG_ERR, "conversation error: %s",
@@ -211,7 +211,7 @@ _pam_get_password(pam_handle_t *pamh, char **password, const char *prompt)
 			 pam_strerror(pamh, retval));
 	} 
 	
-	DEBUG(100,("exit _pam_get_password: %d", retval));
+	DEBUG(90,("exit _pam_get_password: %d", retval));
 	return retval;
 }
 
@@ -274,9 +274,13 @@ verify_user_pass(const char *confdir, const char *username,
 	FILE *fp;
 	int retval = PAM_AUTH_ERR;
 	char *shadow = mkfilename(confdir, "shadow");
-		
-	DEBUG(10,("Verifying user `%s' with password `%s' in `%s'",
-		  username, password, shadow));
+
+	if (debug_level == 100)
+		_pam_debug("Verifying user `%s' with password `%s' in `%s'",
+			   username, password, shadow);
+	else if (debug_level >= 10)
+		_pam_debug("Verifying user `%s' in `%s'",
+			   username, password, shadow);
 
 	fp = fopen(shadow, "r");
 	if (!fp) {
@@ -376,7 +380,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
 	/* Get the username */
 	retval = pam_get_user(pamh, &username, NULL);
 	if (retval != PAM_SUCCESS || !username) {
-		_pam_log(LOG_DEBUG,"can not get the username");
+		DEBUG(1,("can not get the username"));
 		return PAM_SERVICE_ERR;
 	}
 
@@ -397,11 +401,10 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
 			pam_set_data(pamh, "CONFDIR",
 				     (void *)confdir, gray_cleanup_string);
 		} else {
-			_pam_log(LOG_DEBUG,
-				 "user name `%s' does not match regular "
+			DEBUG(1,("user name `%s' does not match regular "
 				 "expression `%s'",
 				 username,
-				 regex_str);
+				 regex_str));
 		}
 	}
 		

pam_regex/pam_regex.c

@@ -112,7 +112,7 @@ pam_sm_authenticate(pam_handle_t *pamh,
 	
 	_pam_parse(pamh, argc, argv);
 	
-	DEBUG(100,("enter pam_sm_authenticate"));
+	DEBUG(90,("enter pam_sm_authenticate"));
 
 	gray_pam_init(PAM_AUTHINFO_UNAVAIL);
 
@@ -134,7 +134,7 @@ pam_sm_authenticate(pam_handle_t *pamh,
 		gray_set_transform_expr(transform);
 		slist = gray_slist_create();
 		gray_transform_name_to_slist(slist, name, &newname);
-		DEBUG(100,("new name: %s", newname));
+		DEBUG(90,("new name: %s", newname));
 		MAKE_STR(pamh, newname, name);
 		retval = pam_set_item(pamh, PAM_USER, name);
 		if (retval != PAM_SUCCESS) {
@@ -181,7 +181,7 @@ pam_sm_authenticate(pam_handle_t *pamh,
 		}
 	}
 
-	DEBUG(100,("exit pam_sm_authenticate: %d", retval));
+	DEBUG(90,("exit pam_sm_authenticate: %d", retval));
 	return retval;
 }
 

pam_sql/pam_mysql.c

@@ -294,6 +294,7 @@ verify_user_pass(pam_handle_t *pamh, const char *password, const char *query)
 		return PAM_SERVICE_ERR;
 	}
 	
+	DEBUG(10,("Executing %s", query));
 	if (mysql_query(&mysql, query)) {
 		_pam_log(LOG_ERR, "MySQL: %s", mysql_error(&mysql));
 		mysql_close(&mysql);
@@ -358,6 +359,7 @@ sql_acct(pam_handle_t *pamh, const char *query)
 		return PAM_SERVICE_ERR;
 	}
 	
+	DEBUG(10,("Executing %s", query));
 	if (mysql_query(&mysql, query)) {
 		_pam_log(LOG_ERR, "MySQL: %s", mysql_error(&mysql));
 		mysql_close(&mysql);
@@ -372,7 +374,7 @@ sql_acct(pam_handle_t *pamh, const char *query)
 		} else {
 			size_t n = mysql_num_rows(result);
 			mysql_free_result(result);
-			DEBUG(10, ("query affected %lu tuples", n));
+			_pam_debug("query affected %lu tuples", n);
 		}
 	}
 	mysql_close(&mysql);

pam_sql/pam_sql.c

@@ -73,7 +73,7 @@ _pam_get_password(pam_handle_t *pamh, char **password, const char *prompt)
 	struct pam_response *resp;
 	int i, replies;
 
-	DEBUG(100,("enter _pam_get_password"));
+	DEBUG(90,("enter _pam_get_password"));
 	
 	if (cntl_flags & CNTL_AUTHTOK) {
 		/*
@@ -114,7 +114,7 @@ _pam_get_password(pam_handle_t *pamh, char **password, const char *prompt)
 	if (resp != NULL) {
 		if (retval == PAM_SUCCESS) { 	/* a good conversation */
 			token = XSTRDUP(resp[i - replies].resp);
-			DEBUG(10,("app returned [%s]", token));
+			DEBUG(100,("app returned [%s]", token));
 			PAM_DROP_REPLY(resp, 1);
 		} else {
 			_pam_log(LOG_ERR, "conversation error: %s",
@@ -149,7 +149,7 @@ _pam_get_password(pam_handle_t *pamh, char **password, const char *prompt)
 			 pam_strerror(pamh, retval));
 	} 
 	
-	DEBUG(100,("exit _pam_get_password: %d", retval));
+	DEBUG(90,("exit _pam_get_password: %d", retval));
 	return retval;
 }
 
@@ -384,7 +384,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 	/* Get the username */
 	retval = pam_get_user(pamh, &username, NULL);
 	if (retval != PAM_SUCCESS || !username) {
-		_pam_log(LOG_DEBUG, "can not get the username");
+		DEBUG(1, ("can not get the username"));
 		return PAM_SERVICE_ERR;
 	}