pam_systemd_home: Use PAM_TEXT_INFO for token prompts

The prompts asking the user to physically authenticate
or confirm presence on a security token are informational
requests for action, not error conditions.

This commit changes the message type to PAM_TEXT_INFO,
which is more appropriate for guiding the user through
the authentication process.

mkosi/mkosi.conf.d/arch/mkosi.conf

@@ -31,6 +31,7 @@ Packages=
         iproute
         iputils
         knot
+        libucontext
         linux
         man-db
         multipath-tools

mkosi/mkosi.conf.d/centos-fedora/mkosi.conf

@@ -43,6 +43,7 @@ Packages=
         kernel-core
         knot
         libcap-ng-utils
+        libucontext
         man-db
         nmap-ncat
         openssh-clients

mkosi/mkosi.images/build/mkosi.conf.d/arch/mkosi.conf

@@ -10,3 +10,4 @@ Packages=
         diffutils
         erofs-utils
         git
+        libucontext

mkosi/mkosi.images/build/mkosi.conf.d/centos-fedora/mkosi.conf

@@ -12,5 +12,6 @@ Packages=
         git-core
         libasan
         libubsan
+        libucontext-devel
         rpm-build
         which

mkosi/mkosi.tools.conf/mkosi.conf.d/arch.conf

@@ -10,6 +10,7 @@ Packages=
         clang-tools-extra
         github-cli
         lcov
+        libucontext
         mypy
         pkgconf
         ruff

mkosi/mkosi.tools.conf/mkosi.conf.d/centos-fedora.conf

@@ -12,4 +12,5 @@ Packages=
         rpm-build
         libasan
         libubsan
+        libucontext-devel
         compiler-rt

src/home/pam_systemd_home.c

@@ -432,7 +432,7 @@ static int handle_generic_user_record_error(
 
                 assert(secret);
 
-                (void) pam_prompt_graceful(pamh, PAM_ERROR_MSG, NULL, _("Please authenticate physically on security token of user %s."), user_name);
+                (void) pam_prompt_graceful(pamh, PAM_TEXT_INFO, NULL, _("Please authenticate physically on security token of user %s."), user_name);
 
                 r = user_record_set_pkcs11_protected_authentication_path_permitted(secret, true);
                 if (r < 0)
@@ -443,7 +443,7 @@ static int handle_generic_user_record_error(
 
                 assert(secret);
 
-                (void) pam_prompt_graceful(pamh, PAM_ERROR_MSG, NULL, _("Please confirm presence on security token of user %s."), user_name);
+                (void) pam_prompt_graceful(pamh, PAM_TEXT_INFO, NULL, _("Please confirm presence on security token of user %s."), user_name);
 
                 r = user_record_set_fido2_user_presence_permitted(secret, true);
                 if (r < 0)
@@ -454,7 +454,7 @@ static int handle_generic_user_record_error(
 
                 assert(secret);
 
-                (void) pam_prompt_graceful(pamh, PAM_ERROR_MSG, NULL, _("Please verify user on security token of user %s."), user_name);
+                (void) pam_prompt_graceful(pamh, PAM_TEXT_INFO, NULL, _("Please verify user on security token of user %s."), user_name);
 
                 r = user_record_set_fido2_user_verification_permitted(secret, true);
                 if (r < 0)

src/shared/fdset.c

@@ -8,6 +8,7 @@
 #include "alloc-util.h"
 #include "async.h"
 #include "dirent-util.h"
+#include "errno-util.h"
 #include "fd-util.h"
 #include "fdset.h"
 #include "log.h"
@@ -179,9 +180,10 @@ int fdset_new_fill(
         d = opendir("/proc/self/fd");
         if (!d) {
                 if (errno == ENOENT && proc_mounted() == 0)
-                        return -ENOSYS;
+                        return log_debug_errno(SYNTHETIC_ERRNO(ENOSYS),
+                                               "Failed to open /proc/self/fd/, /proc/ is not mounted.");
 
-                return -errno;
+                return log_debug_errno(errno, "Failed to open /proc/self/fd/: %m ");
         }
 
         s = fdset_new();
@@ -210,9 +212,14 @@ int fdset_new_fill(
                          * been passed in can be collected and fds which have been created locally can be
                          * ignored, under the assumption that only the latter have O_CLOEXEC set. */
 
-                        fl = fcntl(fd, F_GETFD);
+                        fl = RET_NERRNO(fcntl(fd, F_GETFD));
-                        if (fl < 0)
+                        if (fl < 0) {
-                                return -errno;
+                                _cleanup_free_ char *path = NULL;
+                                (void) fd_get_path(fd, &path);
+                                return log_debug_errno(fl,
+                                                       "Failed to get flag of fd=%d (%s): %m ",
+                                                       fd, strna(path));
+                        }
 
                         if (FLAGS_SET(fl, FD_CLOEXEC) != !!filter_cloexec)
                                 continue;
@@ -221,13 +228,23 @@ int fdset_new_fill(
                 /* We need to set CLOEXEC manually only if we're collecting non-CLOEXEC fds. */
                 if (filter_cloexec <= 0) {
                         r = fd_cloexec(fd, true);
-                        if (r < 0)
+                        if (r < 0) {
-                                return r;
+                                _cleanup_free_ char *path = NULL;
+                                (void) fd_get_path(fd, &path);
+                                return log_debug_errno(r,
+                                                       "Failed to set CLOEXEC flag fd=%d (%s): %m ",
+                                                       fd, strna(path));
+                        }
                 }
 
                 r = fdset_put(s, fd);
-                if (r < 0)
+                if (r < 0) {
-                        return r;
+                        _cleanup_free_ char *path = NULL;
+                        (void) fd_get_path(fd, &path);
+                        return log_debug_errno(r,
+                                               "Failed to put fd=%d (%s) into fdset: %m ",
+                                               fd, strna(path));
+                }
         }
 
         *ret = TAKE_PTR(s);