Improve error message on missing permission

In case "cmd" (and "args") in doas.conf(5) mismatch, the log syslog(3)
message might be read as if the command was executed but failed, i.e.
returned non-zero.

Be unambiguous and help admins spot execution *attempts* as such:

-Oct  9 01:05:20 eru doas: failed command for kn: echo bar
+Oct  9 01:05:20 eru doas: command not permitted for kn: echo bar

OK tedu deraadt

diff --git a/doas.c b/doas.c
index 008132b3a6e0d8c485f040049a973f54cec18040..8275fe180b70ed80e99a8ee05affcca54b610e38 100644 (file)
--- a/doas.c
+++ b/doas.c
@@ -340,7 +340,7 @@ main(int argc, char **argv)
        if (!permit(uid, groups, ngroups, &rule, target, cmd,
            (const char **)argv + 1)) {
                syslog(LOG_AUTHPRIV | LOG_NOTICE,
-                   "failed command for %s: %s", mypw->pw_name, cmdline);
+                   "command not permitted for %s: %s", mypw->pw_name, cmdline);
                errc(1, EPERM, NULL);
        }