From: Greg Hudson Date: Fri, 22 Apr 2016 18:14:14 +0000 (-0400) Subject: Add debug message filtering to krb5_klog_syslog X-Git-Tag: krb5-1.15-beta1~203 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F439%2Fhead;p=thirdparty%2Fkrb5.git Add debug message filtering to krb5_klog_syslog Support a new profile relation "debug" in the [logging] section to indicate whether debugging messages should be included, defaulting to false. ticket: 8394 (new) --- diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst index 80a43f63df..b88ce79b57 100644 --- a/doc/admin/conf_files/kdc_conf.rst +++ b/doc/admin/conf_files/kdc_conf.rst @@ -474,8 +474,8 @@ section to control where database modules are loaded from: ~~~~~~~~~ The [logging] section indicates how :ref:`krb5kdc(8)` and -:ref:`kadmind(8)` perform logging. The keys in this section are -daemon names, which may be one of: +:ref:`kadmind(8)` perform logging. It may contain the following +relations: **admin_server** Specifies how :ref:`kadmind(8)` performs logging. @@ -487,7 +487,14 @@ daemon names, which may be one of: Specifies how either daemon performs logging in the absence of relations specific to the daemon. -Values are of the following forms: +**debug** + (Boolean value.) Specifies whether debugging messages are + included in log outputs other than SYSLOG. Debugging messages are + always included in the system log output because syslog performs + its own priority filtering. The default value is false. New in + release 1.15. + +Logging specifications may have the following forms: **FILE=**\ *filename* or **FILE:**\ *filename* This value causes the daemon's logging messages to go to the diff --git a/src/include/k5-int.h b/src/include/k5-int.h index d0216d61bb..1706790abb 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h 
@@ -189,6 +189,7 @@ typedef unsigned char u_char; #define KRB5_CONF_CLOCKSKEW "clockskew" #define KRB5_CONF_DATABASE_NAME "database_name" #define KRB5_CONF_DB_MODULE_DIR "db_module_dir" +#define KRB5_CONF_DEBUG "debug" #define KRB5_CONF_DEFAULT "default" #define KRB5_CONF_DEFAULT_CCACHE_NAME "default_ccache_name" #define KRB5_CONF_DEFAULT_CLIENT_KEYTAB_NAME "default_client_keytab_name" diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c index 85e9f609b8..ce79fabf75 100644 --- a/src/lib/kadm5/logger.c +++ b/src/lib/kadm5/logger.c @@ -137,6 +137,7 @@ struct log_control { char *log_whoami; char *log_hostname; krb5_boolean log_opened; + krb5_boolean log_debug; }; static struct log_control log_control = { @@ -253,6 +254,12 @@ klog_com_err_proc(const char *whoami, long int code, const char *format, va_list * logging specification. */ for (lindex = 0; lindex < log_control.log_nentries; lindex++) { + /* Omit messages marked as LOG_DEBUG for non-syslog outputs unless we + * are configured to include them. */ + if (log_pri == LOG_DEBUG && !log_control.log_debug && + log_control.log_entries[lindex].log_type != K_LOG_SYSLOG) + continue; + switch (log_control.log_entries[lindex].log_type) { case K_LOG_FILE: case K_LOG_STDERR: @@ -334,7 +341,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do int i, ngood, fd, append; char *cp, *cp2; char savec = '\0'; - int error; + int error, debug; int do_openlog, log_facility; FILE *f = NULL; @@ -344,6 +351,12 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do err_context = kcontext; + /* Look up [logging]->debug in the profile to see if we should include + * debug messages for types other than syslog. Default to false. */ + if (!profile_get_boolean(kcontext->profile, KRB5_CONF_LOGGING, + KRB5_CONF_DEBUG, NULL, 0, &debug)) + log_control.log_debug = debug; + /* * Look up [logging]-> in the profile. If that doesn't * succeed, then look for [logging]->default. 
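Review bot: The skip test added at the top of the output loop in klog_com_err_proc compares the whole priority word, `log_pri == LOG_DEBUG`, so a debug message whose priority also carries facility bits (a value such as `LOG_AUTH | LOG_DEBUG`) would not match and would still be written to the non-syslog outputs with debug disabled. Whether any caller supplies such a value is not visible in this diff; it matters most for the identical test `priority == LOG_DEBUG` in the klog_vsyslog hunk, where the priority is a function parameter. If it can happen, compare only the level bits, e.g. `(log_pri & LOG_PRIMASK) == LOG_DEBUG` on platforms whose <syslog.h> defines that mask. The loop body and the code that sets log_pri lie outside the hunk.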
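Review bot: When profile_get_boolean() returns non-zero in krb5_klog_init, `log_control.log_debug` keeps whatever value it already held and nothing is reported, so an unreadable [logging] debug value leaves the filter in an unstated state. On first use that is presumably the zero from static initialisation, but if krb5_klog_init can run again in the same process after a close, a setting enabled earlier would persist and debugging detail would keep reaching file outputs. Assigning the default before the lookup, `log_control.log_debug = 0;`, makes the documented "default to false" hold on every path, and the comment could state that lookup errors are deliberately ignored. The function body starts and ends outside the hunk.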
@@ -820,6 +833,12 @@ klog_vsyslog(int priority, const char *format, va_list arglist)
 * logging specification.
 */
 for (lindex = 0; lindex < log_control.log_nentries; lindex++) {
+ /* Omit LOG_DEBUG messages for non-syslog outputs unless we are
+ * configured to include them. */
+ if (priority == LOG_DEBUG && !log_control.log_debug &&
+ log_control.log_entries[lindex].log_type != K_LOG_SYSLOG)
+ continue;
+
 switch (log_control.log_entries[lindex].log_type) {
 case K_LOG_FILE:
 case K_LOG_STDERR:
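Review bot: The skip condition added here in klog_vsyslog is a copy of the one added to klog_com_err_proc, differing only in the variable name, so the rule that decides which messages reach which log output now lives in two places and a later change has to be made twice. A small file-local helper would keep the two in step, for example `static int skip_debug(int pri, int type) { return pri == LOG_DEBUG && !log_control.log_debug && type != K_LOG_SYSLOG; }`, called as `if (skip_debug(priority, log_control.log_entries[lindex].log_type)) continue;`. The enclosing loop and function continue outside the hunk.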