netbsd-bugs: Re: bin/2075: change root login failures to LOG

Subject: Re: bin/2075: change root login failures to LOG_WARNING?
To: None <gnats-bugs@NetBSD.ORG, netbsd-bugs@NetBSD.ORG>
From: Chris Jones <cjones@rupert.oscs.montana.edu>
List: netbsd-bugs
Date: 02/14/1996 19:59:53

Here's a patch for su.  Please note that this doesn't directly fix the
problem in my pr; incorrect passwords are all reported at a priority
of LOG_WARNING.  I did, however, change the kerberos section of su so
that it will report incorrect passwords with the same priority,
instead of LOG_NOTICE, which was the previous.  Maybe this should be
in a different pr...

It's also possible that su should report bad passwords to both
LOG_AUTH and LOG_AUTHPRIV, like login does.  That's a judgment call
that I'm not going to make.

As for kerberos, I'm not familiar with it, and consequently I don't
know which, if any, files should be changed.  Please either close the
pr if this all doesn't apply to kerberos, or leave it open if it does.

*** su.c.old	Wed Feb 14 17:31:56 1996
--- su.c	Wed Feb 14 19:29:55 1996
***************
*** 364,370 ****
  		}
  		(void)fprintf(stderr, "su: unable to su: %s\n",
  		    krb_err_txt[kerno]);
! 		syslog(LOG_NOTICE|LOG_AUTH,
  		    "BAD Kerberos SU: %s to %s%s: %s",
  		    username, user, ontty(), krb_err_txt[kerno]);
  		return (1);
--- 364,370 ----
  		}
  		(void)fprintf(stderr, "su: unable to su: %s\n",
  		    krb_err_txt[kerno]);
! 		syslog(LOG_WARNING|LOG_AUTH,
  		    "BAD Kerberos SU: %s to %s%s: %s",
  		    username, user, ontty(), krb_err_txt[kerno]);
  		return (1);
***************
*** 398,404 ****
  	} else if (kerno != KSUCCESS) {
  		(void)fprintf(stderr, "Unable to use TGT: %s\n",
  		    krb_err_txt[kerno]);
! 		syslog(LOG_NOTICE|LOG_AUTH, "failed su: %s to %s%s: %s",
  		    username, user, ontty(), krb_err_txt[kerno]);
  		dest_tkt();
  		return (1);
--- 398,404 ----
  	} else if (kerno != KSUCCESS) {
  		(void)fprintf(stderr, "Unable to use TGT: %s\n",
  		    krb_err_txt[kerno]);
! 		syslog(LOG_WARNING|LOG_AUTH, "failed su: %s to %s%s: %s",
  		    username, user, ontty(), krb_err_txt[kerno]);
  		dest_tkt();
  		return (1);
***************
*** 416,422 ****
  			(void)fprintf(stderr,
  			    "su: unable to verify rcmd ticket: %s\n",
  			    krb_err_txt[kerno]);
! 			syslog(LOG_NOTICE|LOG_AUTH,
  			    "failed su: %s to %s%s: %s", username,
  			     user, ontty(), krb_err_txt[kerno]);
  			dest_tkt();
--- 416,422 ----
  			(void)fprintf(stderr,
  			    "su: unable to verify rcmd ticket: %s\n",
  			    krb_err_txt[kerno]);
! 			syslog(LOG_WARNING|LOG_AUTH,
  			    "failed su: %s to %s%s: %s", username,
  			     user, ontty(), krb_err_txt[kerno]);
  			dest_tkt();