dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone

Blame SOURCES/0004-DEBUG-only-open-child-process-log-files-when-require.patch

1bb595
From 375887543daf26003ff7d900cf6a69d0c0b58523 Mon Sep 17 00:00:00 2001
1bb595
From: Alexey Tikhonov <atikhono@redhat.com>
1bb595
Date: Wed, 27 May 2020 22:33:50 +0200
1bb595
Subject: [PATCH] DEBUG: only open child process log files when required
1bb595
1bb595
There was no reason to keep child process log files open permanently.
1bb595
1bb595
This patch:
1bb595
 - helps to avoid issue when SIGHUP was ignored for child process logs;
1bb595
 - somewhat reduces code duplication.
1bb595
1bb595
Resolves: https://github.com/SSSD/sssd/issues/4667
1bb595
1bb595
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
1bb595
---
1bb595
 src/providers/ad/ad_gpo.c                | 17 +++--------------
1bb595
 src/providers/ad/ad_init.c               |  7 -------
1bb595
 src/providers/ad/ad_machine_pw_renewal.c |  2 +-
1bb595
 src/providers/ipa/ipa_init.c             |  7 -------
1bb595
 src/providers/ipa/ipa_selinux.c          | 17 +----------------
1bb595
 src/providers/krb5/krb5_child_handler.c  |  2 +-
1bb595
 src/providers/krb5/krb5_common.h         |  1 -
1bb595
 src/providers/krb5/krb5_init_shared.c    |  8 --------
1bb595
 src/providers/ldap/ldap_common.c         |  3 ---
1bb595
 src/providers/ldap/ldap_common.h         |  6 ------
1bb595
 src/providers/ldap/ldap_init.c           |  7 -------
1bb595
 src/providers/ldap/sdap_child_helpers.c  | 10 +---------
1bb595
 src/responder/pam/pamsrv.c               |  1 -
1bb595
 src/responder/pam/pamsrv.h               |  2 --
1bb595
 src/responder/pam/pamsrv_cmd.c           |  2 +-
1bb595
 src/responder/pam/pamsrv_p11.c           |  9 ++-------
1bb595
 src/responder/ssh/ssh_private.h          |  1 -
1bb595
 src/responder/ssh/ssh_reply.c            |  4 ++--
1bb595
 src/responder/ssh/sshsrv.c               | 10 ----------
1bb595
 src/tests/cmocka/test_cert_utils.c       | 12 ++++++------
1bb595
 src/util/cert.h                          |  2 +-
1bb595
 src/util/cert/cert_common_p11_child.c    |  9 ++++-----
1bb595
 src/util/child_common.c                  | 21 +++++++++++++++++----
1bb595
 src/util/child_common.h                  |  6 ++----
1bb595
 24 files changed, 42 insertions(+), 124 deletions(-)
1bb595
1bb595
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
1bb595
index f17917552..bbe8d8a1e 100644
1bb595
--- a/src/providers/ad/ad_gpo.c
1bb595
+++ b/src/providers/ad/ad_gpo.c
1bb595
@@ -99,15 +99,14 @@
1bb595
 #define GPO_CHILD SSSD_LIBEXEC_PATH"/gpo_child"
1bb595
 #endif
1bb595
 
1bb595
+#define GPO_CHILD_LOG_FILE "gpo_child"
1bb595
+
1bb595
 /* If INI_PARSE_IGNORE_NON_KVP is not defined, use 0 (no effect) */
1bb595
 #ifndef INI_PARSE_IGNORE_NON_KVP
1bb595
 #define INI_PARSE_IGNORE_NON_KVP 0
1bb595
 #warning INI_PARSE_IGNORE_NON_KVP not defined.
1bb595
 #endif
1bb595
 
1bb595
-/* fd used by the gpo_child process for logging */
1bb595
-int gpo_child_debug_fd = -1;
1bb595
-
1bb595
 /* == common data structures and declarations ============================= */
1bb595
 
1bb595
 struct gp_som {
1bb595
@@ -1618,13 +1617,6 @@ ad_gpo_access_check(TALLOC_CTX *mem_ctx,
1bb595
     return ret;
1bb595
 }
1bb595
 
1bb595
-#define GPO_CHILD_LOG_FILE "gpo_child"
1bb595
-
1bb595
-static errno_t gpo_child_init(void)
1bb595
-{
1bb595
-    return child_debug_init(GPO_CHILD_LOG_FILE, &gpo_child_debug_fd);
1bb595
-}
1bb595
-
1bb595
 /*
1bb595
  * This function retrieves the raw policy_setting_value for the input key from
1bb595
  * the GPO_Result object in the sysdb cache. It then parses the raw value and
1bb595
@@ -1808,9 +1800,6 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
1bb595
     hash_value_t val;
1bb595
     enum gpo_map_type gpo_map_type;
1bb595
 
1bb595
-    /* setup logging for gpo child */
1bb595
-    gpo_child_init();
1bb595
-
1bb595
     req = tevent_req_create(mem_ctx, &state, struct ad_gpo_access_state);
1bb595
     if (req == NULL) {
1bb595
         DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
1bb595
@@ -4763,7 +4752,7 @@ gpo_fork_child(struct tevent_req *req)
1bb595
     if (pid == 0) { /* child */
1bb595
         exec_child_ex(state,
1bb595
                       pipefd_to_child, pipefd_from_child,
1bb595
-                      GPO_CHILD, gpo_child_debug_fd, NULL, false,
1bb595
+                      GPO_CHILD, GPO_CHILD_LOG_FILE, NULL, false,
1bb595
                       STDIN_FILENO, AD_GPO_CHILD_OUT_FILENO);
1bb595
 
1bb595
         /* We should never get here */
1bb595
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
1bb595
index 05535fcb0..704e63a06 100644
1bb595
--- a/src/providers/ad/ad_init.c
1bb595
+++ b/src/providers/ad/ad_init.c
1bb595
@@ -402,13 +402,6 @@ static errno_t ad_init_misc(struct be_ctx *be_ctx,
1bb595
 
1bb595
     sdap_id_ctx->opts->sdom->pvt = ad_id_ctx;
1bb595
 
1bb595
-    ret = sdap_setup_child();
1bb595
-    if (ret != EOK) {
1bb595
-        DEBUG(SSSDBG_CRIT_FAILURE, "sdap_setup_child() failed [%d]: %s\n",
1bb595
-              ret, sss_strerror(ret));
1bb595
-        return ret;
1bb595
-    }
1bb595
-
1bb595
     ret = ad_init_srv_plugin(be_ctx, ad_options);
1bb595
     if (ret != EOK) {
1bb595
         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup SRV plugin [%d]: %s\n",
1bb595
diff --git a/src/providers/ad/ad_machine_pw_renewal.c b/src/providers/ad/ad_machine_pw_renewal.c
1bb595
index e0db5fad5..ce9bbe6f3 100644
1bb595
--- a/src/providers/ad/ad_machine_pw_renewal.c
1bb595
+++ b/src/providers/ad/ad_machine_pw_renewal.c
1bb595
@@ -185,7 +185,7 @@ ad_machine_account_password_renewal_send(TALLOC_CTX *mem_ctx,
1bb595
     child_pid = fork();
1bb595
     if (child_pid == 0) { /* child */
1bb595
         exec_child_ex(state, pipefd_to_child, pipefd_from_child,
1bb595
-                      renewal_data->prog_path, -1,
1bb595
+                      renewal_data->prog_path, NULL,
1bb595
                       extra_args, true,
1bb595
                       STDIN_FILENO, STDERR_FILENO);
1bb595
 
1bb595
diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
1bb595
index cdfd11d7a..d8d592653 100644
1bb595
--- a/src/providers/ipa/ipa_init.c
1bb595
+++ b/src/providers/ipa/ipa_init.c
1bb595
@@ -571,13 +571,6 @@ static errno_t ipa_init_misc(struct be_ctx *be_ctx,
1bb595
         return ret;
1bb595
     }
1bb595
 
1bb595
-    ret = sdap_setup_child();
1bb595
-    if (ret != EOK) {
1bb595
-        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup sdap child [%d]: %s\n",
1bb595
-              ret, sss_strerror(ret));
1bb595
-        return ret;
1bb595
-    }
1bb595
-
1bb595
     if (dp_opt_get_bool(ipa_options->basic, IPA_SERVER_MODE)) {
1bb595
         ret = ipa_init_server_mode(be_ctx, ipa_options, ipa_id_ctx);
1bb595
         if (ret != EOK) {
1bb595
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
1bb595
index 630f68ad5..9ae37b90d 100644
1bb595
--- a/src/providers/ipa/ipa_selinux.c
1bb595
+++ b/src/providers/ipa/ipa_selinux.c
1bb595
@@ -51,9 +51,6 @@
1bb595
 
1bb595
 #include <selinux/selinux.h>
1bb595
 
1bb595
-/* fd used by the selinux_child process for logging */
1bb595
-int selinux_child_debug_fd = -1;
1bb595
-
1bb595
 static struct tevent_req *
1bb595
 ipa_get_selinux_send(TALLOC_CTX *mem_ctx,
1bb595
                      struct be_ctx *be_ctx,
1bb595
@@ -565,7 +562,6 @@ struct selinux_child_state {
1bb595
     struct child_io_fds *io;
1bb595
 };
1bb595
 
1bb595
-static errno_t selinux_child_init(void);
1bb595
 static errno_t selinux_child_create_buffer(struct selinux_child_state *state);
1bb595
 static errno_t selinux_fork_child(struct selinux_child_state *state);
1bb595
 static void selinux_child_step(struct tevent_req *subreq);
1bb595
@@ -602,12 +598,6 @@ static struct tevent_req *selinux_child_send(TALLOC_CTX *mem_ctx,
1bb595
     state->io->read_from_child_fd = -1;
1bb595
     talloc_set_destructor((void *) state->io, child_io_destructor);
1bb595
 
1bb595
-    ret = selinux_child_init();
1bb595
-    if (ret != EOK) {
1bb595
-        DEBUG(SSSDBG_OP_FAILURE, "Failed to init the child\n");
1bb595
-        goto immediately;
1bb595
-    }
1bb595
-
1bb595
     ret = selinux_child_create_buffer(state);
1bb595
     if (ret != EOK) {
1bb595
         DEBUG(SSSDBG_OP_FAILURE, "Failed to create the send buffer\n");
1bb595
@@ -638,11 +628,6 @@ immediately:
1bb595
     return req;
1bb595
 }
1bb595
 
1bb595
-static errno_t selinux_child_init(void)
1bb595
-{
1bb595
-    return child_debug_init(SELINUX_CHILD_LOG_FILE, &selinux_child_debug_fd);
1bb595
-}
1bb595
-
1bb595
 static errno_t selinux_child_create_buffer(struct selinux_child_state *state)
1bb595
 {
1bb595
     size_t rp;
1bb595
@@ -712,7 +697,7 @@ static errno_t selinux_fork_child(struct selinux_child_state *state)
1bb595
 
1bb595
     if (pid == 0) { /* child */
1bb595
         exec_child(state, pipefd_to_child, pipefd_from_child,
1bb595
-                   SELINUX_CHILD, selinux_child_debug_fd);
1bb595
+                   SELINUX_CHILD, SELINUX_CHILD_LOG_FILE);
1bb595
         DEBUG(SSSDBG_CRIT_FAILURE, "Could not exec selinux_child: [%d][%s].\n",
1bb595
               ret, sss_strerror(ret));
1bb595
         return ret;
1bb595
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
1bb595
index b7fb54499..8546285b2 100644
1bb595
--- a/src/providers/krb5/krb5_child_handler.c
1bb595
+++ b/src/providers/krb5/krb5_child_handler.c
1bb595
@@ -465,7 +465,7 @@ static errno_t fork_child(struct tevent_req *req)
1bb595
     if (pid == 0) { /* child */
1bb595
         exec_child_ex(state,
1bb595
                       pipefd_to_child, pipefd_from_child,
1bb595
-                      KRB5_CHILD, state->kr->krb5_ctx->child_debug_fd,
1bb595
+                      KRB5_CHILD, KRB5_CHILD_LOG_FILE,
1bb595
                       krb5_child_extra_args, false,
1bb595
                       STDIN_FILENO, STDOUT_FILENO);
1bb595
 
1bb595
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
1bb595
index 493d12e5f..f198e2684 100644
1bb595
--- a/src/providers/krb5/krb5_common.h
1bb595
+++ b/src/providers/krb5/krb5_common.h
1bb595
@@ -124,7 +124,6 @@ struct krb5_ctx {
1bb595
     struct dp_option *opts;
1bb595
     struct krb5_service *service;
1bb595
     struct krb5_service *kpasswd_service;
1bb595
-    int child_debug_fd;
1bb595
 
1bb595
     sss_regexp_t *illegal_path_re;
1bb595
 
1bb595
diff --git a/src/providers/krb5/krb5_init_shared.c b/src/providers/krb5/krb5_init_shared.c
1bb595
index afe15b365..ea3d32805 100644
1bb595
--- a/src/providers/krb5/krb5_init_shared.c
1bb595
+++ b/src/providers/krb5/krb5_init_shared.c
1bb595
@@ -71,14 +71,6 @@ errno_t krb5_child_init(struct krb5_ctx *krb5_auth_ctx,
1bb595
         goto done;
1bb595
     }
1bb595
 
1bb595
-    krb5_auth_ctx->child_debug_fd = -1; /* -1 means not initialized */
1bb595
-    ret = child_debug_init(KRB5_CHILD_LOG_FILE,
1bb595
-                           &krb5_auth_ctx->child_debug_fd);
1bb595
-    if (ret != EOK) {
1bb595
-        DEBUG(SSSDBG_OP_FAILURE, "Could not set krb5_child debugging!\n");
1bb595
-        goto done;
1bb595
-    }
1bb595
-
1bb595
     ret = parse_krb5_map_user(krb5_auth_ctx,
1bb595
                               dp_opt_get_cstring(krb5_auth_ctx->opts,
1bb595
                                                  KRB5_MAP_USER),
1bb595
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
1bb595
index 9d7806a2f..2133db36f 100644
1bb595
--- a/src/providers/ldap/ldap_common.c
1bb595
+++ b/src/providers/ldap/ldap_common.c
1bb595
@@ -35,9 +35,6 @@
1bb595
 
1bb595
 #include "providers/ldap/sdap_idmap.h"
1bb595
 
1bb595
-/* a fd the child process would log into */
1bb595
-int ldap_child_debug_fd = -1;
1bb595
-
1bb595
 errno_t ldap_id_setup_tasks(struct sdap_id_ctx *ctx)
1bb595
 {
1bb595
     return sdap_id_setup_tasks(ctx->be, ctx, ctx->opts->sdom,
1bb595
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
1bb595
index 63ee5dd84..13e6d4871 100644
1bb595
--- a/src/providers/ldap/ldap_common.h
1bb595
+++ b/src/providers/ldap/ldap_common.h
1bb595
@@ -44,9 +44,6 @@
1bb595
 
1bb595
 #define LDAP_ENUM_PURGE_TIMEOUT 10800
1bb595
 
1bb595
-/* a fd the child process would log into */
1bb595
-extern int ldap_child_debug_fd;
1bb595
-
1bb595
 struct sdap_id_ctx;
1bb595
 
1bb595
 struct sdap_id_conn_ctx {
1bb595
@@ -342,9 +339,6 @@ sdap_ipnetwork_handler_recv(TALLOC_CTX *mem_ctx,
1bb595
                             struct tevent_req *req,
1bb595
                             struct dp_reply_std *data);
1bb595
 
1bb595
-/* setup child logging */
1bb595
-int sdap_setup_child(void);
1bb595
-
1bb595
 
1bb595
 errno_t string_to_shadowpw_days(const char *s, long *d);
1bb595
 
1bb595
diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c
1bb595
index 1be5d13de..de64e5985 100644
1bb595
--- a/src/providers/ldap/ldap_init.c
1bb595
+++ b/src/providers/ldap/ldap_init.c
1bb595
@@ -419,13 +419,6 @@ static errno_t ldap_init_misc(struct be_ctx *be_ctx,
1bb595
         return ret;
1bb595
     }
1bb595
 
1bb595
-    ret = sdap_setup_child();
1bb595
-    if (ret != EOK) {
1bb595
-        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup sdap child [%d]: %s\n",
1bb595
-              ret, sss_strerror(ret));
1bb595
-        return ret;
1bb595
-    }
1bb595
-
1bb595
     /* Setup SRV lookup plugin */
1bb595
     ret = be_fo_set_dns_srv_lookup_plugin(be_ctx, NULL);
1bb595
     if (ret != EOK) {
1bb595
diff --git a/src/providers/ldap/sdap_child_helpers.c b/src/providers/ldap/sdap_child_helpers.c
1bb595
index a03d28c9c..9d25aea8b 100644
1bb595
--- a/src/providers/ldap/sdap_child_helpers.c
1bb595
+++ b/src/providers/ldap/sdap_child_helpers.c
1bb595
@@ -111,7 +111,7 @@ static errno_t sdap_fork_child(struct tevent_context *ev,
1bb595
     if (pid == 0) { /* child */
1bb595
         exec_child(child,
1bb595
                    pipefd_to_child, pipefd_from_child,
1bb595
-                   LDAP_CHILD, ldap_child_debug_fd);
1bb595
+                   LDAP_CHILD, LDAP_CHILD_LOG_FILE);
1bb595
 
1bb595
         /* We should never get here */
1bb595
         DEBUG(SSSDBG_CRIT_FAILURE, "BUG: Could not exec LDAP child\n");
1bb595
@@ -512,11 +512,3 @@ static errno_t set_tgt_child_timeout(struct tevent_req *req,
1bb595
 
1bb595
     return EOK;
1bb595
 }
1bb595
-
1bb595
-
1bb595
-
1bb595
-/* Setup child logging */
1bb595
-int sdap_setup_child(void)
1bb595
-{
1bb595
-    return child_debug_init(LDAP_CHILD_LOG_FILE, &ldap_child_debug_fd);
1bb595
-}
1bb595
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
1bb595
index a4c9ebbbb..dde44a472 100644
1bb595
--- a/src/responder/pam/pamsrv.c
1bb595
+++ b/src/responder/pam/pamsrv.c
1bb595
@@ -277,7 +277,6 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
1bb595
         goto done;
1bb595
     }
1bb595
 
1bb595
-    pctx->p11_child_debug_fd = -1;
1bb595
     if (pctx->cert_auth) {
1bb595
         ret = p11_child_init(pctx);
1bb595
         if (ret != EOK) {
1bb595
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
1bb595
index 24bd9764d..478d91b93 100644
1bb595
--- a/src/responder/pam/pamsrv.h
1bb595
+++ b/src/responder/pam/pamsrv.h
1bb595
@@ -54,7 +54,6 @@ struct pam_ctx {
1bb595
     char **app_services;
1bb595
 
1bb595
     bool cert_auth;
1bb595
-    int p11_child_debug_fd;
1bb595
     char *nss_db;
1bb595
     struct sss_certmap_ctx *sss_certmap_ctx;
1bb595
     char **smartcard_services;
1bb595
@@ -110,7 +109,6 @@ void sss_cai_check_users(struct cert_auth_info **list, size_t *_cert_count,
1bb595
 
1bb595
 struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
1bb595
                                        struct tevent_context *ev,
1bb595
-                                       int child_debug_fd,
1bb595
                                        const char *nss_db,
1bb595
                                        time_t timeout,
1bb595
                                        const char *verify_opts,
1bb595
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
1bb595
index ddde9eda2..1cd901f15 100644
1bb595
--- a/src/responder/pam/pamsrv_cmd.c
1bb595
+++ b/src/responder/pam/pamsrv_cmd.c
1bb595
@@ -1404,7 +1404,7 @@ static errno_t check_cert(TALLOC_CTX *mctx,
1bb595
         return ret;
1bb595
     }
1bb595
 
1bb595
-    req = pam_check_cert_send(mctx, ev, pctx->p11_child_debug_fd,
1bb595
+    req = pam_check_cert_send(mctx, ev,
1bb595
                               pctx->nss_db, p11_child_timeout,
1bb595
                               cert_verification_opts, pctx->sss_certmap_ctx,
1bb595
                               uri, pd);
1bb595
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
1bb595
index 8e276b200..3f0afaeff 100644
1bb595
--- a/src/responder/pam/pamsrv_p11.c
1bb595
+++ b/src/responder/pam/pamsrv_p11.c
1bb595
@@ -242,7 +242,7 @@ errno_t p11_child_init(struct pam_ctx *pctx)
1bb595
         return ret;
1bb595
     }
1bb595
 
1bb595
-    return child_debug_init(P11_CHILD_LOG_FILE, &pctx->p11_child_debug_fd);
1bb595
+    return EOK;
1bb595
 }
1bb595
 
1bb595
 static inline bool
1bb595
@@ -705,7 +705,6 @@ static void p11_child_timeout(struct tevent_context *ev,
1bb595
 
1bb595
 struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
1bb595
                                        struct tevent_context *ev,
1bb595
-                                       int child_debug_fd,
1bb595
                                        const char *nss_db,
1bb595
                                        time_t timeout,
1bb595
                                        const char *verify_opts,
1bb595
@@ -838,14 +837,10 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
1bb595
         goto done;
1bb595
     }
1bb595
 
1bb595
-    if (child_debug_fd == -1) {
1bb595
-        child_debug_fd = STDERR_FILENO;
1bb595
-    }
1bb595
-
1bb595
     child_pid = fork();
1bb595
     if (child_pid == 0) { /* child */
1bb595
         exec_child_ex(state, pipefd_to_child, pipefd_from_child,
1bb595
-                      P11_CHILD_PATH, child_debug_fd, extra_args, false,
1bb595
+                      P11_CHILD_PATH, P11_CHILD_LOG_FILE, extra_args, false,
1bb595
                       STDIN_FILENO, STDOUT_FILENO);
1bb595
 
1bb595
         /* We should never get here */
1bb595
diff --git a/src/responder/ssh/ssh_private.h b/src/responder/ssh/ssh_private.h
1bb595
index 028ccd616..5aa7e37d6 100644
1bb595
--- a/src/responder/ssh/ssh_private.h
1bb595
+++ b/src/responder/ssh/ssh_private.h
1bb595
@@ -36,7 +36,6 @@ struct ssh_ctx {
1bb595
     char *ca_db;
1bb595
     bool use_cert_keys;
1bb595
 
1bb595
-    int p11_child_debug_fd;
1bb595
     time_t certmap_last_read;
1bb595
     struct sss_certmap_ctx *sss_certmap_ctx;
1bb595
     char **cert_rules;
1bb595
diff --git a/src/responder/ssh/ssh_reply.c b/src/responder/ssh/ssh_reply.c
1bb595
index 97914266d..edeb28765 100644
1bb595
--- a/src/responder/ssh/ssh_reply.c
1bb595
+++ b/src/responder/ssh/ssh_reply.c
1bb595
@@ -249,7 +249,7 @@ struct tevent_req *ssh_get_output_keys_send(TALLOC_CTX *mem_ctx,
1bb595
                                                    : state->user_cert_override;
1bb595
 
1bb595
     subreq = cert_to_ssh_key_send(state, state->ev,
1bb595
-                                  state->ssh_ctx->p11_child_debug_fd,
1bb595
+                                  P11_CHILD_LOG_FILE,
1bb595
                                   state->p11_child_timeout,
1bb595
                                   state->ssh_ctx->ca_db,
1bb595
                                   state->ssh_ctx->sss_certmap_ctx,
1bb595
@@ -335,7 +335,7 @@ void ssh_get_output_keys_done(struct tevent_req *subreq)
1bb595
         goto done;
1bb595
     }
1bb595
 
1bb595
-    subreq = cert_to_ssh_key_send(state, state->ev, -1,
1bb595
+    subreq = cert_to_ssh_key_send(state, state->ev, NULL,
1bb595
                                   state->p11_child_timeout,
1bb595
                                   state->ssh_ctx->ca_db,
1bb595
                                   state->ssh_ctx->sss_certmap_ctx,
1bb595
diff --git a/src/responder/ssh/sshsrv.c b/src/responder/ssh/sshsrv.c
1bb595
index 7765e91b8..6072a702c 100644
1bb595
--- a/src/responder/ssh/sshsrv.c
1bb595
+++ b/src/responder/ssh/sshsrv.c
1bb595
@@ -126,16 +126,6 @@ int ssh_process_init(TALLOC_CTX *mem_ctx,
1bb595
         goto fail;
1bb595
     }
1bb595
 
1bb595
-    ssh_ctx->p11_child_debug_fd = -1;
1bb595
-    if (ssh_ctx->use_cert_keys) {
1bb595
-        ret = child_debug_init(P11_CHILD_LOG_FILE,
1bb595
-                               &ssh_ctx->p11_child_debug_fd);
1bb595
-        if (ret != EOK) {
1bb595
-            DEBUG(SSSDBG_FATAL_FAILURE,
1bb595
-                  "Failed to setup p11_child logging, ignored.\n");
1bb595
-        }
1bb595
-    }
1bb595
-
1bb595
     ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
1bb595
     if (ret != EOK) {
1bb595
         DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
1bb595
diff --git a/src/tests/cmocka/test_cert_utils.c b/src/tests/cmocka/test_cert_utils.c
1bb595
index 848ed1a8d..1ff20576a 100644
1bb595
--- a/src/tests/cmocka/test_cert_utils.c
1bb595
+++ b/src/tests/cmocka/test_cert_utils.c
1bb595
@@ -391,7 +391,7 @@ void test_cert_to_ssh_key_send(void **state)
1bb595
     ev = tevent_context_init(ts);
1bb595
     assert_non_null(ev);
1bb595
 
1bb595
-    req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT,
1bb595
+    req = cert_to_ssh_key_send(ts, ev, NULL, P11_CHILD_TIMEOUT,
1bb595
 #ifdef HAVE_NSS
1bb595
                             "sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb",
1bb595
 #else
1bb595
@@ -465,7 +465,7 @@ void test_cert_to_ssh_2keys_send(void **state)
1bb595
     ev = tevent_context_init(ts);
1bb595
     assert_non_null(ev);
1bb595
 
1bb595
-    req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT,
1bb595
+    req = cert_to_ssh_key_send(ts, ev, NULL, P11_CHILD_TIMEOUT,
1bb595
 #ifdef HAVE_NSS
1bb595
                             "sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb",
1bb595
 #else
1bb595
@@ -548,7 +548,7 @@ void test_cert_to_ssh_2keys_invalid_send(void **state)
1bb595
     ev = tevent_context_init(ts);
1bb595
     assert_non_null(ev);
1bb595
 
1bb595
-    req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT,
1bb595
+    req = cert_to_ssh_key_send(ts, ev, NULL, P11_CHILD_TIMEOUT,
1bb595
 #ifdef HAVE_NSS
1bb595
                             "sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb",
1bb595
 #else
1bb595
@@ -614,7 +614,7 @@ void test_ec_cert_to_ssh_key_send(void **state)
1bb595
     ev = tevent_context_init(ts);
1bb595
     assert_non_null(ev);
1bb595
 
1bb595
-    req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT,
1bb595
+    req = cert_to_ssh_key_send(ts, ev, NULL, P11_CHILD_TIMEOUT,
1bb595
 #ifdef HAVE_NSS
1bb595
                     "sql:" ABS_BUILD_DIR "/src/tests/test_ECC_CA/p11_ecc_nssdb",
1bb595
 #else
1bb595
@@ -691,7 +691,7 @@ void test_cert_to_ssh_2keys_with_certmap_send(void **state)
1bb595
     ev = tevent_context_init(ts);
1bb595
     assert_non_null(ev);
1bb595
 
1bb595
-    req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT,
1bb595
+    req = cert_to_ssh_key_send(ts, ev, NULL, P11_CHILD_TIMEOUT,
1bb595
 #ifdef HAVE_NSS
1bb595
                             "sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb",
1bb595
 #else
1bb595
@@ -769,7 +769,7 @@ void test_cert_to_ssh_2keys_with_certmap_2_send(void **state)
1bb595
     ev = tevent_context_init(ts);
1bb595
     assert_non_null(ev);
1bb595
 
1bb595
-    req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT,
1bb595
+    req = cert_to_ssh_key_send(ts, ev, NULL, P11_CHILD_TIMEOUT,
1bb595
 #ifdef HAVE_NSS
1bb595
                             "sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb",
1bb595
 #else
1bb595
diff --git a/src/util/cert.h b/src/util/cert.h
1bb595
index d038a99f6..16dda37b3 100644
1bb595
--- a/src/util/cert.h
1bb595
+++ b/src/util/cert.h
1bb595
@@ -57,7 +57,7 @@ errno_t get_ssh_key_from_derb64(TALLOC_CTX *mem_ctx, const char *derb64,
1bb595
 
1bb595
 struct tevent_req *cert_to_ssh_key_send(TALLOC_CTX *mem_ctx,
1bb595
                                         struct tevent_context *ev,
1bb595
-                                        int child_debug_fd, time_t timeout,
1bb595
+                                        const char *logfile, time_t timeout,
1bb595
                                         const char *ca_db,
1bb595
                                         struct sss_certmap_ctx *sss_certmap_ctx,
1bb595
                                         size_t cert_count,
1bb595
diff --git a/src/util/cert/cert_common_p11_child.c b/src/util/cert/cert_common_p11_child.c
1bb595
index 1846ff89a..18a331f23 100644
1bb595
--- a/src/util/cert/cert_common_p11_child.c
1bb595
+++ b/src/util/cert/cert_common_p11_child.c
1bb595
@@ -24,7 +24,7 @@
1bb595
 
1bb595
 struct cert_to_ssh_key_state {
1bb595
     struct tevent_context *ev;
1bb595
-    int child_debug_fd;
1bb595
+    const char *logfile;
1bb595
     time_t timeout;
1bb595
     const char **extra_args;
1bb595
     const char **certs;
1bb595
@@ -45,7 +45,7 @@ static void cert_to_ssh_key_done(int child_status,
1bb595
 
1bb595
 struct tevent_req *cert_to_ssh_key_send(TALLOC_CTX *mem_ctx,
1bb595
                                         struct tevent_context *ev,
1bb595
-                                        int child_debug_fd, time_t timeout,
1bb595
+                                        const char *logfile, time_t timeout,
1bb595
                                         const char *ca_db,
1bb595
                                         struct sss_certmap_ctx *sss_certmap_ctx,
1bb595
                                         size_t cert_count,
1bb595
@@ -70,8 +70,7 @@ struct tevent_req *cert_to_ssh_key_send(TALLOC_CTX *mem_ctx,
1bb595
     }
1bb595
 
1bb595
     state->ev = ev;
1bb595
-    state->child_debug_fd = (child_debug_fd == -1) ? STDERR_FILENO
1bb595
-                                                   : child_debug_fd;
1bb595
+    state->logfile = logfile;
1bb595
     state->timeout = timeout;
1bb595
     state->io = talloc(state, struct child_io_fds);
1bb595
     if (state->io == NULL) {
1bb595
@@ -205,7 +204,7 @@ static errno_t cert_to_ssh_key_step(struct tevent_req *req)
1bb595
     child_pid = fork();
1bb595
     if (child_pid == 0) { /* child */
1bb595
         exec_child_ex(state, pipefd_to_child, pipefd_from_child, P11_CHILD_PATH,
1bb595
-                      state->child_debug_fd, state->extra_args, false,
1bb595
+                      state->logfile, state->extra_args, false,
1bb595
                       STDIN_FILENO, STDOUT_FILENO);
1bb595
         /* We should never get here */
1bb595
         DEBUG(SSSDBG_CRIT_FAILURE, "BUG: Could not exec p11 child\n");
1bb595
diff --git a/src/util/child_common.c b/src/util/child_common.c
1bb595
index 3a07580c2..5cac725ca 100644
1bb595
--- a/src/util/child_common.c
1bb595
+++ b/src/util/child_common.c
1bb595
@@ -47,6 +47,8 @@ struct sss_child_ctx {
1bb595
     struct sss_sigchild_ctx *sigchld_ctx;
1bb595
 };
1bb595
 
1bb595
+static errno_t child_debug_init(const char *logfile, int *debug_fd);
1bb595
+
1bb595
 static void sss_child_handler(struct tevent_context *ev,
1bb595
                               struct tevent_signal *se,
1bb595
                               int signum,
1bb595
@@ -725,13 +727,24 @@ fail:
1bb595
 
1bb595
 void exec_child_ex(TALLOC_CTX *mem_ctx,
1bb595
                    int *pipefd_to_child, int *pipefd_from_child,
1bb595
-                   const char *binary, int debug_fd,
1bb595
+                   const char *binary, const char *logfile,
1bb595
                    const char *extra_argv[], bool extra_args_only,
1bb595
                    int child_in_fd, int child_out_fd)
1bb595
 {
1bb595
     int ret;
1bb595
     errno_t err;
1bb595
     char **argv;
1bb595
+    int debug_fd = -1;
1bb595
+
1bb595
+    if (logfile) {
1bb595
+        ret = child_debug_init(logfile, &debug_fd);
1bb595
+        if (ret != EOK) {
1bb595
+            DEBUG(SSSDBG_CRIT_FAILURE, "child_debug_init() failed.\n");
1bb595
+            exit(EXIT_FAILURE);
1bb595
+        }
1bb595
+    } else {
1bb595
+        debug_fd = STDERR_FILENO;
1bb595
+    }
1bb595
 
1bb595
     close(pipefd_to_child[1]);
1bb595
     ret = dup2(pipefd_to_child[0], child_in_fd);
1bb595
@@ -767,10 +780,10 @@ void exec_child_ex(TALLOC_CTX *mem_ctx,
1bb595
 
1bb595
 void exec_child(TALLOC_CTX *mem_ctx,
1bb595
                 int *pipefd_to_child, int *pipefd_from_child,
1bb595
-                const char *binary, int debug_fd)
1bb595
+                const char *binary, const char *logfile)
1bb595
 {
1bb595
     exec_child_ex(mem_ctx, pipefd_to_child, pipefd_from_child,
1bb595
-                  binary, debug_fd, NULL, false,
1bb595
+                  binary, logfile, NULL, false,
1bb595
                   STDIN_FILENO, STDOUT_FILENO);
1bb595
 }
1bb595
 
1bb595
@@ -803,7 +816,7 @@ int child_io_destructor(void *ptr)
1bb595
     return EOK;
1bb595
 }
1bb595
 
1bb595
-errno_t child_debug_init(const char *logfile, int *debug_fd)
1bb595
+static errno_t child_debug_init(const char *logfile, int *debug_fd)
1bb595
 {
1bb595
     int ret;
1bb595
     FILE *debug_filep;
1bb595
diff --git a/src/util/child_common.h b/src/util/child_common.h
1bb595
index 37116e2a7..92d66a500 100644
1bb595
--- a/src/util/child_common.h
1bb595
+++ b/src/util/child_common.h
1bb595
@@ -106,7 +106,7 @@ void fd_nonblocking(int fd);
1bb595
 /* Never returns EOK, ether returns an error, or doesn't return on success */
1bb595
 void exec_child_ex(TALLOC_CTX *mem_ctx,
1bb595
                    int *pipefd_to_child, int *pipefd_from_child,
1bb595
-                   const char *binary, int debug_fd,
1bb595
+                   const char *binary, const char *logfile,
1bb595
                    const char *extra_argv[], bool extra_args_only,
1bb595
                    int child_in_fd, int child_out_fd);
1bb595
 
1bb595
@@ -115,10 +115,8 @@ void exec_child_ex(TALLOC_CTX *mem_ctx,
1bb595
  */
1bb595
 void exec_child(TALLOC_CTX *mem_ctx,
1bb595
                 int *pipefd_to_child, int *pipefd_from_child,
1bb595
-                const char *binary, int debug_fd);
1bb595
+                const char *binary, const char *logfile);
1bb595
 
1bb595
 int child_io_destructor(void *ptr);
1bb595
 
1bb595
-errno_t child_debug_init(const char *logfile, int *debug_fd);
1bb595
-
1bb595
 #endif /* __CHILD_COMMON_H__ */
1bb595
-- 
1bb595
2.21.3
1bb595