From: Zbigniew Jędrzejewski-Szmek Date: Tue, 4 Oct 2022 13:47:12 +0000 (+0200) Subject: shared/pam-util: add pam_syslog_pam_error() wrapper X-Git-Tag: v252-rc2~70^2~19 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4ac6ac9f09be05f17e454a3abc5f388f9ac51916;p=thirdparty%2Fsystemd.git shared/pam-util: add pam_syslog_pam_error() wrapper This is a primitive helper that wraps calls to pam_syslog() replacing @PAMERR@ with pam_strerror() output in the format string. This allows for a bunch of boilerplate to be removed. @PAMERR@ is only supported at the end of the string. Similarly to %m, realistically that's the only place where it is useful. Note that unlike in logging functions in log.[ch], here the error value is only used for the message and is not saved anywhere, so we don't need to care about SYNTHETIC_ERRNO.
---
diff --git a/src/shared/pam-util.c b/src/shared/pam-util.c
index d9fee22cc60..9d74e08a2be 100644
--- a/src/shared/pam-util.c
+++ b/src/shared/pam-util.c
@@ -8,6 +8,8 @@
 #include "errno-util.h"
 #include "macro.h"
 #include "pam-util.h"
+#include "stdio-util.h"
+#include "string-util.h"
 int pam_syslog_errno(pam_handle_t *handle, int level, int error, const char *format, ...) {
 va_list ap;
@@ -21,6 +23,32 @@ int pam_syslog_errno(pam_handle_t *handle, int level, int error, const char *for
 return error == -ENOMEM ? PAM_BUF_ERR : PAM_SERVICE_ERR;
 }
+int pam_syslog_pam_error(pam_handle_t *handle, int level, int error, const char *format, ...) {
+ /* This wraps pam_syslog() but will replace @PAMERR@ with a string from pam_strerror().
+ * @PAMERR@ must be at the very end. */
+
+ va_list ap;
+ va_start(ap, format);
+
+ const char *p = endswith(format, "@PAMERR@");
+ if (p) {
+ const char *pamerr = pam_strerror(handle, error);
+ if (strchr(pamerr, '%'))
+ pamerr = "n/a"; /* We cannot have any formatting chars */
+
+ char buf[p - format + strlen(pamerr) + 1];
+ xsprintf(buf, "%*s%s", (int)(p - format), format, pamerr);
+ DISABLE_WARNING_FORMAT_NONLITERAL;
+ pam_vsyslog(handle, level, buf, ap);
+ REENABLE_WARNING;
+ } else
+ pam_vsyslog(handle, level, format, ap);
+
+ va_end(ap);
+
+ return error;
+}
+
 static void cleanup_system_bus(pam_handle_t *handle, void *data, int error_status) {
 sd_bus_flush_close_unref(data);
 }
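Review bot: In `pam_syslog_pam_error()`, the call `xsprintf(buf, "%*s%s", (int)(p - format), format, pamerr)` passes the prefix length as a minimum field width rather than a precision, so the whole of `format`, including the trailing `@PAMERR@`, is written before `pamerr`. That output is 8 bytes longer than `buf`, which is sized only for the prefix plus `pamerr`. If xsprintf() enforces the buffer size (its definition is outside this diff), every message ending in `@PAMERR@` would trip that check instead of being logged; with an unchecked sprintf it would write past the VLA. This code runs inside PAM modules loaded by login and authentication services, so the error path should not be able to take the process down: use a precision, `xsprintf(buf, "%.*s%s", (int)(p - format), format, pamerr);`. The call sites converted in the `@@ -38,20` and `@@ -64,9` hunks all end in `@PAMERR@` and therefore take this branch.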
@@ -38,20 +66,16 @@ int pam_acquire_bus_connection(pam_handle_t *handle, sd_bus **ret) {
 *ret = sd_bus_ref(TAKE_PTR(bus)); /* Increase the reference counter, so that the PAM data stays valid */
 return PAM_SUCCESS;
 }
- if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA)) {
- pam_syslog(handle, LOG_ERR, "Failed to get bus connection: %s", pam_strerror(handle, r));
- return r;
- }
+ if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA))
+ return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to get bus connection: @PAMERR@");
 r = sd_bus_open_system(&bus);
 if (r < 0)
 return pam_syslog_errno(handle, LOG_ERR, r, "Failed to connect to system bus: %m");
 r = pam_set_data(handle, "systemd-system-bus", bus, cleanup_system_bus);
- if (r != PAM_SUCCESS) {
- pam_syslog(handle, LOG_ERR, "Failed to set PAM bus data: %s", pam_strerror(handle, r));
- return r;
- }
+ if (r != PAM_SUCCESS)
+ return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to set PAM bus data: @PAMERR@");
 sd_bus_ref(bus);
 *ret = TAKE_PTR(bus);
@@ -64,9 +88,9 @@ int pam_release_bus_connection(pam_handle_t *handle) {
 r = pam_set_data(handle, "systemd-system-bus", NULL, NULL);
 if (r != PAM_SUCCESS)
- pam_syslog(handle, LOG_ERR, "Failed to release PAM user record data: %s", pam_strerror(handle, r));
+ return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to release PAM user record data: @PAMERR@");
- return r;
+ return PAM_SUCCESS;
 }
 void pam_cleanup_free(pam_handle_t *handle, void *data, int error_status) {
diff --git a/src/shared/pam-util.h b/src/shared/pam-util.h
index 4a97d2d132a..1a17ea18c5c 100644
--- a/src/shared/pam-util.h
+++ b/src/shared/pam-util.h
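Review bot: The log message in `pam_release_bus_connection()` (src/shared/pam-util.c, the `@@ -64,9` hunk) says "user record data", but the `pam_set_data()` call directly above it clears the `systemd-system-bus` entry, so a failure here would show up in the auth log attributed to the wrong object. The wording predates this change and is carried over unchanged onto the new line. Consider `"Failed to release PAM bus data: @PAMERR@"`, which matches the "Failed to set PAM bus data" message in `pam_acquire_bus_connection()`. The opening lines of the function are outside the hunk.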
@@ -7,6 +7,8 @@
 int pam_syslog_errno(pam_handle_t *handle, int level, int error, const char *format, ...) _printf_(4,5);
+int pam_syslog_pam_error(pam_handle_t *handle, int level, int error, const char *format, ...) _printf_(4,5);
+
 static inline int pam_log_oom(pam_handle_t *handle) {
 /* This is like log_oom(), but uses PAM logging */
 return pam_syslog_errno(handle, LOG_ERR, ENOMEM, "Out of memory.");