From 7441dfc4da8c9474ee767464dabe73ca90ff42ae Mon Sep 17 00:00:00 2001
From: kn
Date: Fri, 9 Oct 2020 00:04:05 +0000
Subject: [PATCH] Improve error message on missing permission
In case "cmd" (and "args") in doas.conf(5) mismatch, the log syslog(3) message might be read as if the command was executed but failed, i.e. returned non-zero. Be unambiguous and help admins spot execution *attempts* as such:
-Oct 9 01:05:20 eru doas: failed command for kn: echo bar
+Oct 9 01:05:20 eru doas: command not permitted for kn: echo bar
OK tedu deraadt
---
 doas.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doas.c b/doas.c
index 008132b..8275fe1 100644
--- a/doas.c
+++ b/doas.c
@@ -340,7 +340,7 @@ main(int argc, char **argv)
 if (!permit(uid, groups, ngroups, &rule, target, cmd,
 (const char **)argv + 1)) {
 syslog(LOG_AUTHPRIV | LOG_NOTICE,
- "failed command for %s: %s", mypw->pw_name, cmdline);
+ "command not permitted for %s: %s", mypw->pw_name, cmdline);
 errc(1, EPERM, NULL);
 }
 
--
2.39.2
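Review bot: The reworded syslog string in the `permit()` failure branch is an audit record that log-monitoring rules may match on, and nothing in the hunk marks it as such. Any alert or report keyed on the old `failed command for` text would stop matching denied attempts after this change, so the release notes should name both strings, and a comment such as `/* denied-by-policy audit record; log monitoring may match this text */` above the `syslog()` call would warn the next editor. The record also omits the requested target, although `target` is passed to `permit()` just above; whether a printable name for it is available at this point cannot be seen from the hunk. `main` starts and ends outside the hunk.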