Hello again,
Let me suggest changes to the way shishid(8) submits messages to LOG_DAEMON. A patch suggestion addressing these matters follows.
Contrary to the claim in "src/kdc.c", shishid(8) is committing the non-error messages "Trying AS-REQ" and "Trying TGS-REQ" in facility LOG_ERR. Change these to use LOG_DEBUG.
The mandatory use of LOG_PERROR in "src/shishid.c" is a mistake. It is better to condition the use of LOG_PERROR in openlog() on the test
    if (arg.verbose_given > 0)
There is a further delicate issue with two LOG_INFO messages in "src/kdc.c":
    "AS-REQ from %s@%s for %s@%s"
    "TGS-REQ from %s@%s for %s@%s"
I suggest downgrading them to LOG_DEBUG and also issuing them only if "arg.verbose_given > 0". However, both messages present a security issue since they disclose user information; hence they should arguably only be sent to LOG_AUTH, if committed at all, instead of just calling printf() for the running executable shishid(8).
Best regards,
Mats E A
From ce0ed3e0247bdd54779775e720ec9a45250e5430 Mon Sep 17 00:00:00 2001
From: Mats Erik Andersson <[email protected]>
Date: Wed, 15 Aug 2012 09:52:58 +0200
Subject: [PATCH] shishid: Discriminate syslog use.
---
src/kdc.c | 14 ++++++++------
src/shishid.c | 7 ++++---
2 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/src/kdc.c b/src/kdc.c
index d648420..3e5561d 100644
--- a/src/kdc.c
+++ b/src/kdc.c
@@ -137,8 +137,9 @@ asreq1 (Shishi_as * as)
goto fatal;
}
- syslog (LOG_INFO, "AS-REQ from %s@%s for %s@%s", username, realm,
- servername, realm);
+ if (arg.verbose_given)
+ syslog (LOG_DEBUG, "AS-REQ from %s@%s for %s@%s", username, realm,
+ servername, realm);
/*
* If required, the server pre-authenticates the request, and if the
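Review bot: the cover note argues that this message discloses user information and belongs in LOG_AUTH if logged at all, but the hunk leaves it in the facility chosen by openlog(), i.e. LOG_DAEMON, and only lowers the priority. A per-call facility override does that without touching openlog(): `syslog (LOG_AUTH | LOG_DEBUG, "AS-REQ from %s@%s for %s@%s", username, realm, servername, realm);` Worth deciding here rather than leaving the question open in the commit message.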
@@ -808,8 +809,9 @@ tgsreq1 (Shishi_tgs * tgs)
goto fatal;
}
- syslog (LOG_DEBUG, "TGS-REQ from %s@%s for %s@%s",
- clientname, clientrealm, servername, serverrealm);
+ if (arg.verbose_given)
+ syslog (LOG_DEBUG, "TGS-REQ from %s@%s for %s@%s",
+ clientname, clientrealm, servername, serverrealm);
/*
* If the request specifies an endtime, then the endtime of the new
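Review bot: the removed line shows this message was already LOG_DEBUG, so the hunk only adds the verbose gate; the cover note's statement that both messages are LOG_INFO is true only for the AS-REQ one and the commit description should say so. The same facility remark applies as for AS-REQ: client and server principal names are logged to LOG_DAEMON unless the call uses `LOG_AUTH | LOG_DEBUG`.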
@@ -1075,12 +1077,12 @@ process (const char *in, size_t inlen, char **out)
switch (shishi_asn1_msgtype (handle, node))
{
case SHISHI_MSGTYPE_AS_REQ:
- syslog (LOG_ERR, "Trying AS-REQ");
+ syslog (LOG_DEBUG, "Trying AS-REQ");
rc = asreq (node, out, &outlen);
break;
case SHISHI_MSGTYPE_TGS_REQ:
- syslog (LOG_ERR, "Trying TGS-REQ");
+ syslog (LOG_DEBUG, "Trying TGS-REQ");
rc = tgsreq (node, out, &outlen);
break;
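Review bot: lowering "Trying AS-REQ" / "Trying TGS-REQ" from LOG_ERR to LOG_DEBUG is right, but unlike the two hunks above these lines are not gated on `arg.verbose_given`, so a non-verbose daemon still emits one syslog call per request. For consistency, and to keep a busy KDC from flooding the log socket, gate them the same way: `if (arg.verbose_given) syslog (LOG_DEBUG, "Trying AS-REQ");`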
diff --git a/src/shishid.c b/src/shishid.c
index ebc128d..ec3500e 100644
--- a/src/shishid.c
+++ b/src/shishid.c
@@ -336,10 +336,11 @@ doit (void)
const char *shortname = (slash != NULL ? slash + 1 : program_name);
#ifdef LOG_PERROR
- openlog (shortname, LOG_CONS | LOG_PERROR, LOG_DAEMON);
-#else
- openlog (shortname, LOG_CONS, LOG_DAEMON);
+ if (arg.verbose_given > 0)
+ openlog (shortname, LOG_CONS | LOG_PERROR, LOG_DAEMON);
+ else
#endif
+ openlog (shortname, LOG_CONS, LOG_DAEMON);
}
kdc_setuid ();
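Review bot: the `else` placed immediately before `#endif` with the fallback `openlog()` after it is correct once preprocessed, but the dangling `else` across a conditional-compilation boundary is hard to read and easy to break on the next edit. Build the option word first and make a single call instead: `int opts = LOG_CONS;` then under `#ifdef LOG_PERROR` add `if (arg.verbose_given > 0) opts |= LOG_PERROR;` and finish with `openlog (shortname, opts, LOG_DAEMON);` outside the `#ifdef`.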
--
1.7.2.5
_______________________________________________
Help-shishi mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/help-shishi