Add support for setting secure_mode=[0,1,2] in .conf file

Logic for secure mode setting in .conf file

 - Command line always wins
 - SIGHUP activates changes

Note: if -s is given on the command line it always wins, regardless of the .conf file setting.

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
This commit is contained in:
Joachim Wiberg 2022-05-22 21:55:46 +02:00
parent 577d20b8da
commit 075815eeb8
3 changed files with 101 additions and 30 deletions


@ -68,6 +68,11 @@ OPTION := [OPTION,]
|= RFC3164
|= RFC5424
|= rotate=SIZE:COUNT
secure_mode [0,1,2]
include /etc/syslog.d/*.conf
notify /path/to/script-on-rotate
.Ed
.Pp
The
@ -105,9 +110,34 @@ cron or a separate log rotate daemon.
Comments, lines starting with a hash mark ('#'), and empty lines are
ignored. If an error occurs during parsing the whole line is ignored.
.Pp
The special keyword
.Em notify
specifies the path to an executable program which will get called
Additional options include
.Ql secure_mode <0-2>
which is the same as the
.Nm syslogd Fl s
commandline option.
.Sy Note:
command line option always wins, so you need to drop
.Fl s
from the command line to use this .conf file option instead.
.Pp
.Bl -tag -compact -width "01" -offset indent
.It 0
act as a syslog sink, listening on UDP port 514 by default, as well as
support for sending to remote syslog servers
.It 1
only support for sending to remote syslog servers, no Internet ports
open
.It 2
no Internet ports open at all, and no remote logging possible
.El
.Bd -literal -offset indent
# Example: only allow logging to remote servers
secure_mode 1
.Ed
.Pp
The
.Ql notify <PATH>
option specifies the path to an executable program which will get called
whenever a log file has been rotated, with the name of the file, less
its rotation suffix
.Ql .0 ,
@ -116,10 +146,10 @@ For example:
.Ql notify /sbin/on-log-rotate.sh .
Any number of notifiers may be installed.
.Pp
A special
.Em include
keyword can be used to include all files with names ending in '.conf'
and not beginning with a '.' contained in the directory following the
The
.Ql include <PATH/*.conf>
option can be used to include all files with names ending in '.conf' and
not beginning with a '.' contained in the directory following the
keyword. This keyword can only be used in the first level configuration
file. The included example
.Pa /etc/syslog.conf


@ -334,6 +334,21 @@ is 5.
Operate in secure mode. Do not log messages from remote machines. If
specified twice, no network socket will be opened at all, which also
disables logging to remote machines.
.Pp
Secure mode can also be set in
.Xr syslog.conf 5
using the
.Cm secure_mode
config option. This is more flexible since you can change the option
and simply send
.Ar SIGHUP
to activate the changes, instead of having to restart
.Nm .
.Pp
.Sy Note:
the command line option always wins, so it must be removed for
.Nm
to consider the .conf file option instead.
.It Fl T
Always use the local time and date for messages received from the network,
instead of the timestamp field supplied in the message by the remote host.


@ -96,6 +96,8 @@ static char sccsid[] __attribute__((unused)) =
#include "timer.h"
#include "compat.h"
#define SecureMode (secure_opt > 0 ? secure_opt : secure_mode)
char *CacheFile = _PATH_CACHE;
char *ConfFile = _PATH_LOGCONF;
char *PidFile = _PATH_LOGPID;
@ -136,7 +138,8 @@ static int MarkInterval = 20 * 60; /* interval between marks in seconds */
static int family = PF_UNSPEC; /* protocol family (IPv4, IPv6 or both) */
static int mask_C1 = 1; /* mask characters from 0x80 - 0x9F */
static int send_to_all; /* send message to all IPv4/IPv6 addresses */
static int SecureMode; /* when true, receive only unix domain socks */
static int secure_opt; /* sink for others, log to remote, or only unix domain socks */
static int secure_mode; /* same as above but from syslog.conf, only if cmdline unset */
static int RemoteAddDate; /* Always set the date on remote messages */
static int RemoteHostname; /* Log remote hostname from the message */
@ -175,6 +178,7 @@ const struct cfkey {
char **var;
} cfkey[] = {
{ "notify", NULL },
{ "secure_mode", &secure_str },
};
/* Function prototypes. */
@ -478,7 +482,7 @@ int main(int argc, char *argv[])
break;
case 's':
SecureMode++;
secure_opt++;
break;
case 'T':
@ -727,6 +731,9 @@ static void create_unix_socket(struct peer *pe)
struct addrinfo ai;
int sd = -1;
if (pe->pe_socknum)
return; /* Already set up */
memset(&ai, 0, sizeof(ai));
ai.ai_addr = (struct sockaddr *)&sun;
ai.ai_addrlen = sizeof(sun);
@ -2244,6 +2251,14 @@ static void forw_lookup(struct filed *f)
int err, first;
time_t diff;
if (SecureMode > 1) {
if (f->f_un.f_forw.f_addr)
freeaddrinfo(f->f_un.f_forw.f_addr);
f->f_un.f_forw.f_addr = NULL;
f->f_type = F_FORW_UNKN;
return;
}
/* Called from cfline() for initial lookup? */
first = f->f_type == F_UNUSED ? 1 : 0;
@ -2525,10 +2540,10 @@ static void boot_time_init(void)
*/
static void init(void)
{
static int once = 1;
struct notifiers newn = SIMPLEQ_HEAD_INITIALIZER(newn);
struct filed *f;
struct files newf = SIMPLEQ_HEAD_INITIALIZER(newf);
struct filed *f;
struct peer *pe;
FILE *fp;
char *p;
@ -2574,23 +2589,6 @@ static void init(void)
*p = tolower(*p);
}
/*
* Open sockets for local and remote communication
*/
if (once) {
struct peer *pe;
/* Only once at startup */
once = 0;
SIMPLEQ_FOREACH(pe, &pqueue, pe_link) {
if (pe->pe_name && pe->pe_name[0] == '/')
create_unix_socket(pe);
else if (SecureMode < 2)
create_inet_socket(pe);
}
}
/*
* Load / reload timezone data (in case it changed)
*/
@ -2630,6 +2628,21 @@ static void init(void)
nothead = newn;
/*
* Open or close sockets for local and remote communication
*/
SIMPLEQ_FOREACH(pe, &pqueue, pe_link) {
if (pe->pe_name && pe->pe_name[0] == '/') {
create_unix_socket(pe);
} else {
for (size_t i = 0; i < pe->pe_socknum; i++)
socket_close(pe->pe_sock[i]);
if (SecureMode < 2)
create_inet_socket(pe);
}
}
Initialized = 1;
if (Debug) {
@ -2771,7 +2784,7 @@ static struct filed *cfline(char *line)
int syncfile, pri;
int i, i2;
logit("cfline(%s)\n", line);
logit("cfline[%s]\n", line);
f = calloc(1, sizeof(*f));
if (!f) {
@ -3033,7 +3046,7 @@ const struct cfkey *cfkey_match(char *cline)
p++;
if (cfk->var)
*cfk->var = strdupa(p);
*cfk->var = strdup(p);
else
memmove(cline, p, strlen(p) + 1);
@ -3133,6 +3146,19 @@ static int cfparse(FILE *fp, struct files *newf, struct notifiers *newn)
SIMPLEQ_INSERT_TAIL(newf, f, f_link);
}
if (secure_str) {
int val;
val = atoi(secure_str);
if (val < 0 || val > 2)
logit("Invalid value to secure_mode = %s\n", secure_str);
else
secure_mode = val;
free(secure_str);
secure_str = NULL;
}
return 0;
}
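Review bot: The new secure_mode handling at the end of cfparse() parses the value with atoi(), so a typo such as `secure_mode two` or trailing junk like `1x` is silently accepted: atoi() yields 0 for non-numeric text, which passes the `val < 0 || val > 2` check and selects the least secure mode (open UDP sink) instead of being rejected. Parse with strtol() and only accept the value when the whole string was consumed and it lies in 0..2; since logit() may only be visible in debug mode (its behaviour is outside the hunk), an invalid value for a security setting probably also deserves a louder warning. Separately, nothing in this hunk clears `secure_mode` when the keyword is later removed from the file, so after SIGHUP the previously parsed value persists rather than reverting to the default, which contradicts the man page's "send SIGHUP to activate the changes" — either reset it in init() before parsing (cfparse() looks like it may recurse for includes, so not at its top) or document that removal does not revert. The rewrite below uses errno, so `<errno.h>` must be included; a daemon source like this presumably already has it, but the include block is outside the hunk.

```c
	if (secure_str) {
		char *end = NULL;
		long val;

		errno = 0;
		val = strtol(secure_str, &end, 10);
		/* Reject empty, partial or out-of-range input instead of falling back to mode 0 */
		if (errno || end == secure_str || *end != '\0' || val < 0 || val > 2)
			logit("Invalid value to secure_mode = %s\n", secure_str);
		else
			secure_mode = (int)val;
		free(secure_str);
		secure_str = NULL;
	}
	/* … unchanged: return 0; … */
```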