mod_auth_pam logging annoyance (w/ patch)

Matthew Whitworth matthew at okcomputer.org
Sat May 22 04:19:51 UTC 2004


I've been running mod_auth_pam 1.1.1 (for apache 1.3.x) and have noticed 
that authentication errors get logged with odd error messages, like so:

   [Mon May 17 11:28:00 2004] [error] [client 192.168.42.250]
   (25)Inappropriate ioctl for device: PAM: user 'matthew' - not
   authenticated: Authentication failure

The "(25)Inappropriate ioctl for device" is the result of using 
ap_log_reason(), which includes the output of strerror(errno).  This is 
fine for logging I/O errors, but it produces meaningless results when 
attempting to log PAM authentication errors.

Someone seems to have tried to correct this in CVS, and replaced all the 
calls to ap_log_reason() with calls to ap_log_rerror().  However, the 
APLOG_NOERRNO bit is still not being set and the inappropriate system 
call errors are still being included.

Below is a patch against CVS that modifies the calls to ap_log_rerror() 
to set the APLOG_NOERRNO where appropriate.  I didn't modify the call 
right after pam_start(), where errno might be relevant.

Hope this is useful,

Matthew

--

--- mod_auth_pam.c      14 Sep 2002 13:29:40 -0000      1.4
+++ mod_auth_pam.c      22 May 2004 03:31:36 -0000
@@ -343,7 +343,7 @@
    /* this is only set after get_basic_auth_pw was called */
    userinfo.name = r->connection->user;
    if(userinfo.name == NULL || strlen(userinfo.name) == 0) {
-    ap_log_rerror(APLOG_MARK, APLOG_ERR, r,
+    ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
                    "PAM: no username, refusing request");
      return AUTH_REQUIRED;
    }
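
Review bot: APLOG_NOERRNO now has to be OR-ed in by hand at every ap_log_rerror() call, starting with the "no username" message in this hunk, so a later log call can omit it again and bring the errno prefix back. Consider a module-local wrapper that always sets the flag, leaving the bare ap_log_rerror() only where errno is meaningful.
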
@@ -379,14 +379,14 @@
       PAM_SUCCESS ) {
        if(res == PAM_USER_UNKNOWN) {
         if(conf->fall_through) {
-         ap_log_rerror(APLOG_MARK, APLOG_NOTICE, r,
+         ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, r,
                         "PAM: user '%s' unknown (%s), falling through",
                         r->connection->user, compat_pam_strerror(pamh, 
res));
           pam_end(pamh, PAM_SUCCESS);
           /* pass on to other modules */
           return DECLINED;
         } else {
-         ap_log_rerror(APLOG_MARK, APLOG_ERR, r,
+         ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
                         "PAM: user '%s' unknown (%s), no fall through",
                         r->connection->user, compat_pam_strerror(pamh, 
res));
           /* refuse client */
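
Review bot: the lines ending in `compat_pam_strerror(pamh,` in this hunk have been split by the mail client, with `res));` pushed onto a line of its own that lacks the leading context space, so the hunk will not apply as posted. Resend the diff as an attachment or with line wrapping disabled.
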
@@ -395,7 +395,7 @@
           return HTTP_UNAUTHORIZED;
        }
      } else {
-      ap_log_rerror(APLOG_MARK, APLOG_ERR, r,
+      ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
                     "PAM: user '%s' - not authenticated: %s",
                     r->connection->user, compat_pam_strerror(pamh, res));
        pam_end(pamh, PAM_SUCCESS);
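
Review bot: on this failure path the context line `pam_end(pamh, PAM_SUCCESS);` reports success even though `res` holds the failure code that was just logged; pam_end() expects the status returned by the last PAM call. Since the patch already touches this branch, consider passing `res` there (the same call appears in the neighbouring hunks).
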
@@ -406,7 +406,7 @@

    /* check that the account is healthy */
    if((res = pam_acct_mgmt(pamh, PAM_DISALLOW_NULL_AUTHTOK)) != 
PAM_SUCCESS) {
-    ap_log_rerror(APLOG_MARK, APLOG_ERR, r,
+    ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
                   "PAM: user '%s' - invalid account: %s",
                   r->connection->user, compat_pam_strerror(pamh, res));
      pam_end(pamh, PAM_SUCCESS);
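
Review bot: the "invalid account" message here, like the other messages in the patch, formats `r->connection->user` into the error log with '%s', and the context comment in the first hunk says that field is filled in by get_basic_auth_pw, so it is request-supplied. Check that the server's error-log path escapes control characters and newlines, or sanitize the name before logging, so a crafted username cannot forge log entries.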





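
The stale-errno effect described in the message, as an added example that is not part of the original post or of mod_auth_pam. LOG_ERR, LOG_NOERRNO, format_log() and stale_errno_from_isatty() are constructed stand-ins, and the isatty() call is only an assumed way for ENOTTY to end up in errno.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed stand-ins for Apache's level flags; values are illustrative. */
#define LOG_ERR     3
#define LOG_NOERRNO 8

/* Mimic an errno-appending logger: prefix "(N)strerror(N): " unless
 * LOG_NOERRNO is set in the level. Returns snprintf()'s result. */
int format_log(char *out, size_t n, int level, int err, const char *msg)
{
    if (!(level & LOG_NOERRNO) && err != 0)
        return snprintf(out, n, "(%d)%s: %s", err, strerror(err), msg);
    return snprintf(out, n, "%s", msg);
}

/* Leave an unrelated value in errno: isatty() on a pipe fails with ENOTTY.
 * Assumption: this only illustrates how a stale errno can arise; the page
 * does not say which call set it inside the module. */
int stale_errno_from_isatty(void)
{
    int fds[2], e;
    if (pipe(fds) != 0)
        return -1;
    errno = 0;
    (void)isatty(fds[0]);
    e = errno;
    close(fds[0]);
    close(fds[1]);
    return e;
}

int main(void)
{
    /* Constructed sample message in the module's format. */
    const char *msg = "PAM: user 'alice' - not authenticated: Authentication failure";
    char line[256];
    int e = stale_errno_from_isatty();

    format_log(line, sizeof line, LOG_ERR, e, msg);               /* misleading prefix */
    printf("without flag: %s\n", line);
    format_log(line, sizeof line, LOG_ERR | LOG_NOERRNO, e, msg); /* message only */
    printf("with flag:    %s\n", line);
    return 0;
}
```

The PAM result never touches errno, so whatever an earlier, unrelated call left there is what an errno-appending logger prints.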