Add support for setting secure_mode=[0,1,2] in .conf file

Logic for secure mode setting in .conf file - Command line always wins - SIGHUP activates changes Note, if -s is given on command line it always wins, regardless. Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
2022-05-22 21:55:46 +02:00 · 2022-05-22 21:55:46 +02:00 · 075815eeb8
commit 075815eeb8
parent 577d20b8da
3 changed files with 101 additions and 30 deletions
--- a/man/syslog.conf.5
+++ b/man/syslog.conf.5
@ -68,6 +68,11 @@ OPTION   := [OPTION,]
 	 |= RFC3164
 	 |= RFC5424
         |= rotate=SIZE:COUNT
+
+secure_mode [0,1,2]
+
+include /etc/syslog.d/*.conf
+notify  /path/to/script-on-rotate
 .Ed
 .Pp
 The
@ -105,9 +110,34 @@ cron or a separate log rotate daemon.
 Comments, lines starting with a hash mark ('#'), and empty lines are
 ignored.  If an error occurs during parsing the whole line is ignored.
 .Pp
-The special keyword
-.Em notify
-specifies the path to an executable program which will get called
+Additional options include
+.Ql secure_mode <0-2>
+which is the same as the
+.Nm syslogd Fl s
+commandline option.
+.Sy Note:
+command line option always wins, so you need to drop
+.Fl s
+from the command line to use this .conf file option instead.
+.Pp
+.Bl -tag -compact -width "01" -offset indent
+.It 0
+act as a syslog sink, listening on UDP port 514 by default, as well as
+support for sending to remote syslog servers
+.It 1
+only support for sending to remote syslog servers, no Internet ports
+open
+.It 2
+no Internet ports open at all, and no remote logging possible
+.El
+.Bd -literal -offset indent
+# Example: only allow logging to remote servers
+secure_mode 1
+.Ed
+.Pp
+The
+.Ql notify <PATH>
+option specifies the path to an executable program which will get called
 whenever a log file has been rotated, with the name of the file, less
 its rotation suffix
 .Ql .0 ,
@ -116,10 +146,10 @@ For example:
 .Ql notify /sbin/on-log-rotate.sh .
 Any number of notifiers may be installed.
 .Pp
-A special
-.Em include
-keyword can be used to include all files with names ending in '.conf'
-and not beginning with a '.' contained in the directory following the
+The
+.Ql include <PATH/*.conf>
+option can be used to include all files with names ending in '.conf' and
+not beginning with a '.' contained in the directory following the
 keyword.  This keyword can only be used in the first level configuration
 file.  The included example
 .Pa /etc/syslog.conf
--- a/man/syslogd.8
+++ b/man/syslogd.8
@ -334,6 +334,21 @@ is 5.
 Operate in secure mode.  Do not log messages from remote machines.  If
 specified twice, no network socket will be opened at all, which also
 disables logging to remote machines.
+.Pp
+Secure mode can also be set in
+.Xr syslog.conf 5
+using the
+.Cm secure_mode
+config option.  This is more flexible since you can change the option
+and simply send
+.Ar SIGHUP
+to activate the changes, instead of having to restart
+.Nm .
+.Pp
+.Sy Note:
+the command line option always wins, so it must be removed for
+.Nm
+to consider the .conf file option instead.
 .It Fl T
 Always use the local time and date for messages received from the network,
 instead of the timestamp field supplied in the message by the remote host.
--- a/src/syslogd.c
+++ b/src/syslogd.c
@ -96,6 +96,8 @@ static char sccsid[] __attribute__((unused)) =
 #include "timer.h"
 #include "compat.h"

+#define SecureMode (secure_opt > 0 ? secure_opt : secure_mode)
+
 char *CacheFile = _PATH_CACHE;
 char *ConfFile  = _PATH_LOGCONF;
 char *PidFile   = _PATH_LOGPID;
@ -136,7 +138,8 @@ static int	  MarkInterval = 20 * 60; /* interval between marks in seconds */
 static int	  family = PF_UNSPEC;	  /* protocol family (IPv4, IPv6 or both) */
 static int	  mask_C1 = 1;		  /* mask characters from 0x80 - 0x9F */
 static int	  send_to_all;		  /* send message to all IPv4/IPv6 addresses */
-static int	  SecureMode;		  /* when true, receive only unix domain socks */
+static int	  secure_opt;		  /* sink for others, log to remote, or only unix domain socks */
+static int	  secure_mode;		  /* same as above but from syslog.conf, only if cmdline unset */

 static int	  RemoteAddDate;	  /* Always set the date on remote messages */
 static int	  RemoteHostname;	  /* Log remote hostname from the message */
@ -175,6 +178,7 @@ const struct cfkey {
 	char       **var;
 } cfkey[] = {
 	{ "notify",      NULL        },
+	{ "secure_mode", &secure_str },
 };

 /* Function prototypes. */
@ -478,7 +482,7 @@ int main(int argc, char *argv[])
 			break;

 		case 's':
-			SecureMode++;
+			secure_opt++;
 			break;

 		case 'T':
@ -727,6 +731,9 @@ static void create_unix_socket(struct peer *pe)
 	struct addrinfo ai;
 	int sd = -1;

+	if (pe->pe_socknum)
+		return;		/* Already set up */
+
 	memset(&ai, 0, sizeof(ai));
 	ai.ai_addr = (struct sockaddr *)&sun;
 	ai.ai_addrlen = sizeof(sun);
@ -2244,6 +2251,14 @@ static void forw_lookup(struct filed *f)
 	int err, first;
 	time_t diff;

+	if (SecureMode > 1) {
+		if (f->f_un.f_forw.f_addr)
+			freeaddrinfo(f->f_un.f_forw.f_addr);
+		f->f_un.f_forw.f_addr = NULL;
+		f->f_type = F_FORW_UNKN;
+		return;
+	}
+
 	/* Called from cfline() for initial lookup? */
 	first = f->f_type == F_UNUSED ? 1 : 0;

@ -2525,10 +2540,10 @@ static void boot_time_init(void)
 */
 static void init(void)
 {
-	static int once = 1;
 	struct notifiers newn = SIMPLEQ_HEAD_INITIALIZER(newn);
-	struct filed *f;
 	struct files newf = SIMPLEQ_HEAD_INITIALIZER(newf);
+	struct filed *f;
+	struct peer *pe;
 	FILE *fp;
 	char *p;

@ -2574,23 +2589,6 @@ static void init(void)
 			*p = tolower(*p);
 	}

-	/*
-	 * Open sockets for local and remote communication
-	 */
-	if (once) {
-		struct peer *pe;
-
-		/* Only once at startup */
-		once = 0;
-
-		SIMPLEQ_FOREACH(pe, &pqueue, pe_link) {
-			if (pe->pe_name && pe->pe_name[0] == '/')
-				create_unix_socket(pe);
-			else if (SecureMode < 2)
-				create_inet_socket(pe);
-		}
-	}
-
 	/*
 	 * Load / reload timezone data (in case it changed)
 	 */
@ -2630,6 +2628,21 @@ static void init(void)

 	nothead = newn;

+	/*
+	 * Open or close sockets for local and remote communication
+	 */
+	SIMPLEQ_FOREACH(pe, &pqueue, pe_link) {
+		if (pe->pe_name && pe->pe_name[0] == '/') {
+			create_unix_socket(pe);
+		} else {
+			for (size_t i = 0; i < pe->pe_socknum; i++)
+				socket_close(pe->pe_sock[i]);
+
+			if (SecureMode < 2)
+				create_inet_socket(pe);
+		}
+	}
+
 	Initialized = 1;

 	if (Debug) {
@ -2771,7 +2784,7 @@ static struct filed *cfline(char *line)
 	int syncfile, pri;
 	int i, i2;

-	logit("cfline(%s)\n", line);
+	logit("cfline[%s]\n", line);

 	f = calloc(1, sizeof(*f));
 	if (!f) {
@ -3033,7 +3046,7 @@ const struct cfkey *cfkey_match(char *cline)
 			p++;

 		if (cfk->var)
-			*cfk->var = strdupa(p);
+			*cfk->var = strdup(p);
 		else
 			memmove(cline, p, strlen(p) + 1);

@ -3133,6 +3146,19 @@ static int cfparse(FILE *fp, struct files *newf, struct notifiers *newn)
 		SIMPLEQ_INSERT_TAIL(newf, f, f_link);
 	}

+	if (secure_str) {
+		int val;
+
+		val = atoi(secure_str);
+		if (val < 0 || val > 2)
+			logit("Invalid value to secure_mode = %s\n", secure_str);
+		else
+			secure_mode = val;
+
+		free(secure_str);
+		secure_str = NULL;
+	}
+
 	return 0;
 }