dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone
Blob Blame History Raw
From 375887543daf26003ff7d900cf6a69d0c0b58523 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 27 May 2020 22:33:50 +0200
Subject: [PATCH] DEBUG: only open child process log files when required

There was no reason to keep child process log files open permanently.

This patch:
 - helps to avoid issue when SIGHUP was ignored for child process logs;
 - somewhat reduces code duplication.

Resolves: https://github.com/SSSD/sssd/issues/4667

Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
---
 src/providers/ad/ad_gpo.c                | 17 +++--------------
 src/providers/ad/ad_init.c               |  7 -------
 src/providers/ad/ad_machine_pw_renewal.c |  2 +-
 src/providers/ipa/ipa_init.c             |  7 -------
 src/providers/ipa/ipa_selinux.c          | 17 +----------------
 src/providers/krb5/krb5_child_handler.c  |  2 +-
 src/providers/krb5/krb5_common.h         |  1 -
 src/providers/krb5/krb5_init_shared.c    |  8 --------
 src/providers/ldap/ldap_common.c         |  3 ---
 src/providers/ldap/ldap_common.h         |  6 ------
 src/providers/ldap/ldap_init.c           |  7 -------
 src/providers/ldap/sdap_child_helpers.c  | 10 +---------
 src/responder/pam/pamsrv.c               |  1 -
 src/responder/pam/pamsrv.h               |  2 --
 src/responder/pam/pamsrv_cmd.c           |  2 +-
 src/responder/pam/pamsrv_p11.c           |  9 ++-------
 src/responder/ssh/ssh_private.h          |  1 -
 src/responder/ssh/ssh_reply.c            |  4 ++--
 src/responder/ssh/sshsrv.c               | 10 ----------
 src/tests/cmocka/test_cert_utils.c       | 12 ++++++------
 src/util/cert.h                          |  2 +-
 src/util/cert/cert_common_p11_child.c    |  9 ++++-----
 src/util/child_common.c                  | 21 +++++++++++++++++----
 src/util/child_common.h                  |  6 ++----
 24 files changed, 42 insertions(+), 124 deletions(-)

diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index f17917552..bbe8d8a1e 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -99,15 +99,14 @@
 #define GPO_CHILD SSSD_LIBEXEC_PATH"/gpo_child"
 #endif
 
+#define GPO_CHILD_LOG_FILE "gpo_child"
+
 /* If INI_PARSE_IGNORE_NON_KVP is not defined, use 0 (no effect) */
 #ifndef INI_PARSE_IGNORE_NON_KVP
 #define INI_PARSE_IGNORE_NON_KVP 0
 #warning INI_PARSE_IGNORE_NON_KVP not defined.
 #endif
 
-/* fd used by the gpo_child process for logging */
-int gpo_child_debug_fd = -1;
-
 /* == common data structures and declarations ============================= */
 
 struct gp_som {
@@ -1618,13 +1617,6 @@ ad_gpo_access_check(TALLOC_CTX *mem_ctx,
     return ret;
 }
 
-#define GPO_CHILD_LOG_FILE "gpo_child"
-
-static errno_t gpo_child_init(void)
-{
-    return child_debug_init(GPO_CHILD_LOG_FILE, &gpo_child_debug_fd);
-}
-
 /*
  * This function retrieves the raw policy_setting_value for the input key from
  * the GPO_Result object in the sysdb cache. It then parses the raw value and
@@ -1808,9 +1800,6 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
     hash_value_t val;
     enum gpo_map_type gpo_map_type;
 
-    /* setup logging for gpo child */
-    gpo_child_init();
-
     req = tevent_req_create(mem_ctx, &state, struct ad_gpo_access_state);
     if (req == NULL) {
         DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
@@ -4763,7 +4752,7 @@ gpo_fork_child(struct tevent_req *req)
     if (pid == 0) { /* child */
         exec_child_ex(state,
                       pipefd_to_child, pipefd_from_child,
-                      GPO_CHILD, gpo_child_debug_fd, NULL, false,
+                      GPO_CHILD, GPO_CHILD_LOG_FILE, NULL, false,
                       STDIN_FILENO, AD_GPO_CHILD_OUT_FILENO);
 
         /* We should never get here */
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
index 05535fcb0..704e63a06 100644
--- a/src/providers/ad/ad_init.c
+++ b/src/providers/ad/ad_init.c
@@ -402,13 +402,6 @@ static errno_t ad_init_misc(struct be_ctx *be_ctx,
 
     sdap_id_ctx->opts->sdom->pvt = ad_id_ctx;
 
-    ret = sdap_setup_child();
-    if (ret != EOK) {
-        DEBUG(SSSDBG_CRIT_FAILURE, "sdap_setup_child() failed [%d]: %s\n",
-              ret, sss_strerror(ret));
-        return ret;
-    }
-
     ret = ad_init_srv_plugin(be_ctx, ad_options);
     if (ret != EOK) {
         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup SRV plugin [%d]: %s\n",
diff --git a/src/providers/ad/ad_machine_pw_renewal.c b/src/providers/ad/ad_machine_pw_renewal.c
index e0db5fad5..ce9bbe6f3 100644
--- a/src/providers/ad/ad_machine_pw_renewal.c
+++ b/src/providers/ad/ad_machine_pw_renewal.c
@@ -185,7 +185,7 @@ ad_machine_account_password_renewal_send(TALLOC_CTX *mem_ctx,
     child_pid = fork();
     if (child_pid == 0) { /* child */
         exec_child_ex(state, pipefd_to_child, pipefd_from_child,
-                      renewal_data->prog_path, -1,
+                      renewal_data->prog_path, NULL,
                       extra_args, true,
                       STDIN_FILENO, STDERR_FILENO);
 
diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
index cdfd11d7a..d8d592653 100644
--- a/src/providers/ipa/ipa_init.c
+++ b/src/providers/ipa/ipa_init.c
@@ -571,13 +571,6 @@ static errno_t ipa_init_misc(struct be_ctx *be_ctx,
         return ret;
     }
 
-    ret = sdap_setup_child();
-    if (ret != EOK) {
-        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup sdap child [%d]: %s\n",
-              ret, sss_strerror(ret));
-        return ret;
-    }
-
     if (dp_opt_get_bool(ipa_options->basic, IPA_SERVER_MODE)) {
         ret = ipa_init_server_mode(be_ctx, ipa_options, ipa_id_ctx);
         if (ret != EOK) {
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index 630f68ad5..9ae37b90d 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -51,9 +51,6 @@
 
 #include <selinux/selinux.h>
 
-/* fd used by the selinux_child process for logging */
-int selinux_child_debug_fd = -1;
-
 static struct tevent_req *
 ipa_get_selinux_send(TALLOC_CTX *mem_ctx,
                      struct be_ctx *be_ctx,
@@ -565,7 +562,6 @@ struct selinux_child_state {
     struct child_io_fds *io;
 };
 
-static errno_t selinux_child_init(void);
 static errno_t selinux_child_create_buffer(struct selinux_child_state *state);
 static errno_t selinux_fork_child(struct selinux_child_state *state);
 static void selinux_child_step(struct tevent_req *subreq);
@@ -602,12 +598,6 @@ static struct tevent_req *selinux_child_send(TALLOC_CTX *mem_ctx,
     state->io->read_from_child_fd = -1;
     talloc_set_destructor((void *) state->io, child_io_destructor);
 
-    ret = selinux_child_init();
-    if (ret != EOK) {
-        DEBUG(SSSDBG_OP_FAILURE, "Failed to init the child\n");
-        goto immediately;
-    }
-
     ret = selinux_child_create_buffer(state);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, "Failed to create the send buffer\n");
@@ -638,11 +628,6 @@ immediately:
     return req;
 }
 
-static errno_t selinux_child_init(void)
-{
-    return child_debug_init(SELINUX_CHILD_LOG_FILE, &selinux_child_debug_fd);
-}
-
 static errno_t selinux_child_create_buffer(struct selinux_child_state *state)
 {
     size_t rp;
@@ -712,7 +697,7 @@ static errno_t selinux_fork_child(struct selinux_child_state *state)
 
     if (pid == 0) { /* child */
         exec_child(state, pipefd_to_child, pipefd_from_child,
-                   SELINUX_CHILD, selinux_child_debug_fd);
+                   SELINUX_CHILD, SELINUX_CHILD_LOG_FILE);
         DEBUG(SSSDBG_CRIT_FAILURE, "Could not exec selinux_child: [%d][%s].\n",
               ret, sss_strerror(ret));
         return ret;
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
index b7fb54499..8546285b2 100644
--- a/src/providers/krb5/krb5_child_handler.c
+++ b/src/providers/krb5/krb5_child_handler.c
@@ -465,7 +465,7 @@ static errno_t fork_child(struct tevent_req *req)
     if (pid == 0) { /* child */
         exec_child_ex(state,
                       pipefd_to_child, pipefd_from_child,
-                      KRB5_CHILD, state->kr->krb5_ctx->child_debug_fd,
+                      KRB5_CHILD, KRB5_CHILD_LOG_FILE,
                       krb5_child_extra_args, false,
                       STDIN_FILENO, STDOUT_FILENO);
 
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 493d12e5f..f198e2684 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -124,7 +124,6 @@ struct krb5_ctx {
     struct dp_option *opts;
     struct krb5_service *service;
     struct krb5_service *kpasswd_service;
-    int child_debug_fd;
 
     sss_regexp_t *illegal_path_re;
 
diff --git a/src/providers/krb5/krb5_init_shared.c b/src/providers/krb5/krb5_init_shared.c
index afe15b365..ea3d32805 100644
--- a/src/providers/krb5/krb5_init_shared.c
+++ b/src/providers/krb5/krb5_init_shared.c
@@ -71,14 +71,6 @@ errno_t krb5_child_init(struct krb5_ctx *krb5_auth_ctx,
         goto done;
     }
 
-    krb5_auth_ctx->child_debug_fd = -1; /* -1 means not initialized */
-    ret = child_debug_init(KRB5_CHILD_LOG_FILE,
-                           &krb5_auth_ctx->child_debug_fd);
-    if (ret != EOK) {
-        DEBUG(SSSDBG_OP_FAILURE, "Could not set krb5_child debugging!\n");
-        goto done;
-    }
-
     ret = parse_krb5_map_user(krb5_auth_ctx,
                               dp_opt_get_cstring(krb5_auth_ctx->opts,
                                                  KRB5_MAP_USER),
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 9d7806a2f..2133db36f 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -35,9 +35,6 @@
 
 #include "providers/ldap/sdap_idmap.h"
 
-/* a fd the child process would log into */
-int ldap_child_debug_fd = -1;
-
 errno_t ldap_id_setup_tasks(struct sdap_id_ctx *ctx)
 {
     return sdap_id_setup_tasks(ctx->be, ctx, ctx->opts->sdom,
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index 63ee5dd84..13e6d4871 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -44,9 +44,6 @@
 
 #define LDAP_ENUM_PURGE_TIMEOUT 10800
 
-/* a fd the child process would log into */
-extern int ldap_child_debug_fd;
-
 struct sdap_id_ctx;
 
 struct sdap_id_conn_ctx {
@@ -342,9 +339,6 @@ sdap_ipnetwork_handler_recv(TALLOC_CTX *mem_ctx,
                             struct tevent_req *req,
                             struct dp_reply_std *data);
 
-/* setup child logging */
-int sdap_setup_child(void);
-
 
 errno_t string_to_shadowpw_days(const char *s, long *d);
 
diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c
index 1be5d13de..de64e5985 100644
--- a/src/providers/ldap/ldap_init.c
+++ b/src/providers/ldap/ldap_init.c
@@ -419,13 +419,6 @@ static errno_t ldap_init_misc(struct be_ctx *be_ctx,
         return ret;
     }
 
-    ret = sdap_setup_child();
-    if (ret != EOK) {
-        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup sdap child [%d]: %s\n",
-              ret, sss_strerror(ret));
-        return ret;
-    }
-
     /* Setup SRV lookup plugin */
     ret = be_fo_set_dns_srv_lookup_plugin(be_ctx, NULL);
     if (ret != EOK) {
diff --git a/src/providers/ldap/sdap_child_helpers.c b/src/providers/ldap/sdap_child_helpers.c
index a03d28c9c..9d25aea8b 100644
--- a/src/providers/ldap/sdap_child_helpers.c
+++ b/src/providers/ldap/sdap_child_helpers.c
@@ -111,7 +111,7 @@ static errno_t sdap_fork_child(struct tevent_context *ev,
     if (pid == 0) { /* child */
         exec_child(child,
                    pipefd_to_child, pipefd_from_child,
-                   LDAP_CHILD, ldap_child_debug_fd);
+                   LDAP_CHILD, LDAP_CHILD_LOG_FILE);
 
         /* We should never get here */
         DEBUG(SSSDBG_CRIT_FAILURE, "BUG: Could not exec LDAP child\n");
@@ -512,11 +512,3 @@ static errno_t set_tgt_child_timeout(struct tevent_req *req,
 
     return EOK;
 }
-
-
-
-/* Setup child logging */
-int sdap_setup_child(void)
-{
-    return child_debug_init(LDAP_CHILD_LOG_FILE, &ldap_child_debug_fd);
-}
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index a4c9ebbbb..dde44a472 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -277,7 +277,6 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
         goto done;
     }
 
-    pctx->p11_child_debug_fd = -1;
     if (pctx->cert_auth) {
         ret = p11_child_init(pctx);
         if (ret != EOK) {
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 24bd9764d..478d91b93 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -54,7 +54,6 @@ struct pam_ctx {
     char **app_services;
 
     bool cert_auth;
-    int p11_child_debug_fd;
     char *nss_db;
     struct sss_certmap_ctx *sss_certmap_ctx;
     char **smartcard_services;
@@ -110,7 +109,6 @@ void sss_cai_check_users(struct cert_auth_info **list, size_t *_cert_count,
 
 struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
                                        struct tevent_context *ev,
-                                       int child_debug_fd,
                                        const char *nss_db,
                                        time_t timeout,
                                        const char *verify_opts,
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index ddde9eda2..1cd901f15 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1404,7 +1404,7 @@ static errno_t check_cert(TALLOC_CTX *mctx,
         return ret;
     }
 
-    req = pam_check_cert_send(mctx, ev, pctx->p11_child_debug_fd,
+    req = pam_check_cert_send(mctx, ev,
                               pctx->nss_db, p11_child_timeout,
                               cert_verification_opts, pctx->sss_certmap_ctx,
                               uri, pd);
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index 8e276b200..3f0afaeff 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -242,7 +242,7 @@ errno_t p11_child_init(struct pam_ctx *pctx)
         return ret;
     }
 
-    return child_debug_init(P11_CHILD_LOG_FILE, &pctx->p11_child_debug_fd);
+    return EOK;
 }
 
 static inline bool
@@ -705,7 +705,6 @@ static void p11_child_timeout(struct tevent_context *ev,
 
 struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
                                        struct tevent_context *ev,
-                                       int child_debug_fd,
                                        const char *nss_db,
                                        time_t timeout,
                                        const char *verify_opts,
@@ -838,14 +837,10 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
         goto done;
     }
 
-    if (child_debug_fd == -1) {
-        child_debug_fd = STDERR_FILENO;
-    }
-
     child_pid = fork();
     if (child_pid == 0) { /* child */
         exec_child_ex(state, pipefd_to_child, pipefd_from_child,
-                      P11_CHILD_PATH, child_debug_fd, extra_args, false,
+                      P11_CHILD_PATH, P11_CHILD_LOG_FILE, extra_args, false,
                       STDIN_FILENO, STDOUT_FILENO);
 
         /* We should never get here */
diff --git a/src/responder/ssh/ssh_private.h b/src/responder/ssh/ssh_private.h
index 028ccd616..5aa7e37d6 100644
--- a/src/responder/ssh/ssh_private.h
+++ b/src/responder/ssh/ssh_private.h
@@ -36,7 +36,6 @@ struct ssh_ctx {
     char *ca_db;
     bool use_cert_keys;
 
-    int p11_child_debug_fd;
     time_t certmap_last_read;
     struct sss_certmap_ctx *sss_certmap_ctx;
     char **cert_rules;
diff --git a/src/responder/ssh/ssh_reply.c b/src/responder/ssh/ssh_reply.c
index 97914266d..edeb28765 100644
--- a/src/responder/ssh/ssh_reply.c
+++ b/src/responder/ssh/ssh_reply.c
@@ -249,7 +249,7 @@ struct tevent_req *ssh_get_output_keys_send(TALLOC_CTX *mem_ctx,
                                                    : state->user_cert_override;
 
     subreq = cert_to_ssh_key_send(state, state->ev,
-                                  state->ssh_ctx->p11_child_debug_fd,
+                                  P11_CHILD_LOG_FILE,
                                   state->p11_child_timeout,
                                   state->ssh_ctx->ca_db,
                                   state->ssh_ctx->sss_certmap_ctx,
@@ -335,7 +335,7 @@ void ssh_get_output_keys_done(struct tevent_req *subreq)
         goto done;
     }
 
-    subreq = cert_to_ssh_key_send(state, state->ev, -1,
+    subreq = cert_to_ssh_key_send(state, state->ev, NULL,
                                   state->p11_child_timeout,
                                   state->ssh_ctx->ca_db,
                                   state->ssh_ctx->sss_certmap_ctx,
diff --git a/src/responder/ssh/sshsrv.c b/src/responder/ssh/sshsrv.c
index 7765e91b8..6072a702c 100644
--- a/src/responder/ssh/sshsrv.c
+++ b/src/responder/ssh/sshsrv.c
@@ -126,16 +126,6 @@ int ssh_process_init(TALLOC_CTX *mem_ctx,
         goto fail;
     }
 
-    ssh_ctx->p11_child_debug_fd = -1;
-    if (ssh_ctx->use_cert_keys) {
-        ret = child_debug_init(P11_CHILD_LOG_FILE,
-                               &ssh_ctx->p11_child_debug_fd);
-        if (ret != EOK) {
-            DEBUG(SSSDBG_FATAL_FAILURE,
-                  "Failed to setup p11_child logging, ignored.\n");
-        }
-    }
-
     ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
     if (ret != EOK) {
         DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
diff --git a/src/tests/cmocka/test_cert_utils.c b/src/tests/cmocka/test_cert_utils.c
index 848ed1a8d..1ff20576a 100644
--- a/src/tests/cmocka/test_cert_utils.c
+++ b/src/tests/cmocka/test_cert_utils.c
@@ -391,7 +391,7 @@ void test_cert_to_ssh_key_send(void **state)
     ev = tevent_context_init(ts);
     assert_non_null(ev);
 
-    req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT,
+    req = cert_to_ssh_key_send(ts, ev, NULL, P11_CHILD_TIMEOUT,
 #ifdef HAVE_NSS
                             "sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb",
 #else
@@ -465,7 +465,7 @@ void test_cert_to_ssh_2keys_send(void **state)
     ev = tevent_context_init(ts);
     assert_non_null(ev);
 
-    req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT,
+    req = cert_to_ssh_key_send(ts, ev, NULL, P11_CHILD_TIMEOUT,
 #ifdef HAVE_NSS
                             "sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb",
 #else
@@ -548,7 +548,7 @@ void test_cert_to_ssh_2keys_invalid_send(void **state)
     ev = tevent_context_init(ts);
     assert_non_null(ev);
 
-    req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT,
+    req = cert_to_ssh_key_send(ts, ev, NULL, P11_CHILD_TIMEOUT,
 #ifdef HAVE_NSS
                             "sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb",
 #else
@@ -614,7 +614,7 @@ void test_ec_cert_to_ssh_key_send(void **state)
     ev = tevent_context_init(ts);
     assert_non_null(ev);
 
-    req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT,
+    req = cert_to_ssh_key_send(ts, ev, NULL, P11_CHILD_TIMEOUT,
 #ifdef HAVE_NSS
                     "sql:" ABS_BUILD_DIR "/src/tests/test_ECC_CA/p11_ecc_nssdb",
 #else
@@ -691,7 +691,7 @@ void test_cert_to_ssh_2keys_with_certmap_send(void **state)
     ev = tevent_context_init(ts);
     assert_non_null(ev);
 
-    req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT,
+    req = cert_to_ssh_key_send(ts, ev, NULL, P11_CHILD_TIMEOUT,
 #ifdef HAVE_NSS
                             "sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb",
 #else
@@ -769,7 +769,7 @@ void test_cert_to_ssh_2keys_with_certmap_2_send(void **state)
     ev = tevent_context_init(ts);
     assert_non_null(ev);
 
-    req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT,
+    req = cert_to_ssh_key_send(ts, ev, NULL, P11_CHILD_TIMEOUT,
 #ifdef HAVE_NSS
                             "sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb",
 #else
diff --git a/src/util/cert.h b/src/util/cert.h
index d038a99f6..16dda37b3 100644
--- a/src/util/cert.h
+++ b/src/util/cert.h
@@ -57,7 +57,7 @@ errno_t get_ssh_key_from_derb64(TALLOC_CTX *mem_ctx, const char *derb64,
 
 struct tevent_req *cert_to_ssh_key_send(TALLOC_CTX *mem_ctx,
                                         struct tevent_context *ev,
-                                        int child_debug_fd, time_t timeout,
+                                        const char *logfile, time_t timeout,
                                         const char *ca_db,
                                         struct sss_certmap_ctx *sss_certmap_ctx,
                                         size_t cert_count,
diff --git a/src/util/cert/cert_common_p11_child.c b/src/util/cert/cert_common_p11_child.c
index 1846ff89a..18a331f23 100644
--- a/src/util/cert/cert_common_p11_child.c
+++ b/src/util/cert/cert_common_p11_child.c
@@ -24,7 +24,7 @@
 
 struct cert_to_ssh_key_state {
     struct tevent_context *ev;
-    int child_debug_fd;
+    const char *logfile;
     time_t timeout;
     const char **extra_args;
     const char **certs;
@@ -45,7 +45,7 @@ static void cert_to_ssh_key_done(int child_status,
 
 struct tevent_req *cert_to_ssh_key_send(TALLOC_CTX *mem_ctx,
                                         struct tevent_context *ev,
-                                        int child_debug_fd, time_t timeout,
+                                        const char *logfile, time_t timeout,
                                         const char *ca_db,
                                         struct sss_certmap_ctx *sss_certmap_ctx,
                                         size_t cert_count,
@@ -70,8 +70,7 @@ struct tevent_req *cert_to_ssh_key_send(TALLOC_CTX *mem_ctx,
     }
 
     state->ev = ev;
-    state->child_debug_fd = (child_debug_fd == -1) ? STDERR_FILENO
-                                                   : child_debug_fd;
+    state->logfile = logfile;
     state->timeout = timeout;
     state->io = talloc(state, struct child_io_fds);
     if (state->io == NULL) {
@@ -205,7 +204,7 @@ static errno_t cert_to_ssh_key_step(struct tevent_req *req)
     child_pid = fork();
     if (child_pid == 0) { /* child */
         exec_child_ex(state, pipefd_to_child, pipefd_from_child, P11_CHILD_PATH,
-                      state->child_debug_fd, state->extra_args, false,
+                      state->logfile, state->extra_args, false,
                       STDIN_FILENO, STDOUT_FILENO);
         /* We should never get here */
         DEBUG(SSSDBG_CRIT_FAILURE, "BUG: Could not exec p11 child\n");
diff --git a/src/util/child_common.c b/src/util/child_common.c
index 3a07580c2..5cac725ca 100644
--- a/src/util/child_common.c
+++ b/src/util/child_common.c
@@ -47,6 +47,8 @@ struct sss_child_ctx {
     struct sss_sigchild_ctx *sigchld_ctx;
 };
 
+static errno_t child_debug_init(const char *logfile, int *debug_fd);
+
 static void sss_child_handler(struct tevent_context *ev,
                               struct tevent_signal *se,
                               int signum,
@@ -725,13 +727,24 @@ fail:
 
 void exec_child_ex(TALLOC_CTX *mem_ctx,
                    int *pipefd_to_child, int *pipefd_from_child,
-                   const char *binary, int debug_fd,
+                   const char *binary, const char *logfile,
                    const char *extra_argv[], bool extra_args_only,
                    int child_in_fd, int child_out_fd)
 {
     int ret;
     errno_t err;
     char **argv;
+    int debug_fd = -1;
+
+    if (logfile) {
+        ret = child_debug_init(logfile, &debug_fd);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_CRIT_FAILURE, "child_debug_init() failed.\n");
+            exit(EXIT_FAILURE);
+        }
+    } else {
+        debug_fd = STDERR_FILENO;
+    }
 
     close(pipefd_to_child[1]);
     ret = dup2(pipefd_to_child[0], child_in_fd);
@@ -767,10 +780,10 @@ void exec_child_ex(TALLOC_CTX *mem_ctx,
 
 void exec_child(TALLOC_CTX *mem_ctx,
                 int *pipefd_to_child, int *pipefd_from_child,
-                const char *binary, int debug_fd)
+                const char *binary, const char *logfile)
 {
     exec_child_ex(mem_ctx, pipefd_to_child, pipefd_from_child,
-                  binary, debug_fd, NULL, false,
+                  binary, logfile, NULL, false,
                   STDIN_FILENO, STDOUT_FILENO);
 }
 
@@ -803,7 +816,7 @@ int child_io_destructor(void *ptr)
     return EOK;
 }
 
-errno_t child_debug_init(const char *logfile, int *debug_fd)
+static errno_t child_debug_init(const char *logfile, int *debug_fd)
 {
     int ret;
     FILE *debug_filep;
diff --git a/src/util/child_common.h b/src/util/child_common.h
index 37116e2a7..92d66a500 100644
--- a/src/util/child_common.h
+++ b/src/util/child_common.h
@@ -106,7 +106,7 @@ void fd_nonblocking(int fd);
 /* Never returns EOK, ether returns an error, or doesn't return on success */
 void exec_child_ex(TALLOC_CTX *mem_ctx,
                    int *pipefd_to_child, int *pipefd_from_child,
-                   const char *binary, int debug_fd,
+                   const char *binary, const char *logfile,
                    const char *extra_argv[], bool extra_args_only,
                    int child_in_fd, int child_out_fd);
 
@@ -115,10 +115,8 @@ void exec_child_ex(TALLOC_CTX *mem_ctx,
  */
 void exec_child(TALLOC_CTX *mem_ctx,
                 int *pipefd_to_child, int *pipefd_from_child,
-                const char *binary, int debug_fd);
+                const char *binary, const char *logfile);
 
 int child_io_destructor(void *ptr);
 
-errno_t child_debug_init(const char *logfile, int *debug_fd);
-
 #endif /* __CHILD_COMMON_H__ */
-- 
2.21.3