login: log PAM errors to syslog, not stderr
authorDenys Vlasenko <vda.linux@googlemail.com>
Thu, 24 Sep 2009 23:50:45 +0000 (01:50 +0200)
committerDenys Vlasenko <vda.linux@googlemail.com>
Thu, 24 Sep 2009 23:50:45 +0000 (01:50 +0200)
By Ian Wienand (ianw AT vmware.com)

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
loginutils/login.c

index 31b25a43e67b08f1f60812e1d399b71efa69f42e..ed2ab7f805f7a17723564c40a82c08cd3c856e0b 100644 (file)
@@ -409,7 +409,9 @@ int login_main(int argc UNUSED_PARAM, char **argv)
                break; /* success, continue login process */
 
  pam_auth_failed:
-               bb_error_msg("pam_%s call failed: %s (%d)", failed_msg,
+               /* syslog, because we don't want potential attacker
+                * to know _why_ login failed */
+               syslog(LOG_WARNING, "pam_%s call failed: %s (%d)", failed_msg,
                                        pam_strerror(pamh, pamret), pamret);
                safe_strncpy(username, "UNKNOWN", sizeof(username));
 #else /* not PAM */
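Review bot: The `syslog(LOG_WARNING, ...)` call under `pam_auth_failed:` names no facility, so where the failure reason is written depends on an `openlog()` call that is not visible in this hunk. If that call does not already select an auth facility, the PAM stage name and `pam_strerror()` text may land in a general log that unprivileged local users can read, which would undo part of what the new comment intends. Pinning the facility at the call site avoids that dependency: `syslog(LOG_AUTHPRIV | LOG_WARNING, "pam_%s call failed: %s (%d)", failed_msg,`. The record also carries no tty or remote host, so if `login_main` has them at this point, adding them would make repeated failures easier to correlate. `login_main` starts and ends outside the hunk, so the `openlog()` setup should be checked there.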