syslogd: Add support for FreeBSD -s, secure mode

- Update man page
- Enable -s in default systemd service settings
- Add support for SecureMode, with shutdown()

Signed-off-by: Joachim Nilsson <troglobit@gmail.com>
This commit is contained in:
Joachim Nilsson 2019-11-12 12:53:21 +01:00
parent d607d6b845
commit f606667038
5 changed files with 36 additions and 28 deletions

View File

@ -13,7 +13,7 @@
.Nd System Log Daemon .Nd System Log Daemon
.Sh SYNOPSIS .Sh SYNOPSIS
.Nm .Nm
.Op Fl ?46Adhnv .Op Fl ?46Adhnsv
.Op Fl b Ar addr[:port] .Op Fl b Ar addr[:port]
.Op Fl b Ar :port .Op Fl b Ar :port
.Op Fl f Ar file .Op Fl f Ar file
@ -180,6 +180,10 @@ The size argument takes optional modifiers; k, M, G. E.g., 100M is
The optional number of files kept include both gzipped files and the The optional number of files kept include both gzipped files and the
first rotated (not zipped) file. The default for this, when omitted, first rotated (not zipped) file. The default for this, when omitted,
is 5. is 5.
.It Fl s
Operate in secure mode. Do not log messages from remote machines. If
specified twice, no network socket will be opened at all, which also
disables logging to remote machines.
.It Fl v .It Fl v
Print Print
.Nm .Nm

View File

@ -97,11 +97,14 @@ eaddr: free(entry);
err: return -1; err: return -1;
} }
static int socket_opts(int sd, int family) static int socket_opts(int sd, int family, int secure)
{ {
socklen_t len, slen; socklen_t len, slen;
int on = 1; int on = 1;
if (secure)
goto skip;
/* /*
* This first one is best-effort only, try to increase receive * This first one is best-effort only, try to increase receive
* buffer size. Alert user on failure and proceed. * buffer size. Alert user on failure and proceed.
@ -113,7 +116,7 @@ static int socket_opts(int sd, int family)
ERR("Failed increasing size of socket receive buffer"); ERR("Failed increasing size of socket receive buffer");
} }
switch (family) { skip: switch (family) {
case AF_INET6: case AF_INET6:
if (setsockopt(sd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0) { if (setsockopt(sd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0) {
ERR("setsockopt (IPV6_ONLY), suspending IPv6"); ERR("setsockopt (IPV6_ONLY), suspending IPv6");
@ -138,6 +141,7 @@ int socket_create(struct addrinfo *ai, void (*cb)(int, void *), void *arg)
{ {
struct sockaddr_un *sun = (struct sockaddr_un *)ai->ai_addr; struct sockaddr_un *sun = (struct sockaddr_un *)ai->ai_addr;
mode_t mode = ai->ai_protocol; mode_t mode = ai->ai_protocol;
int secure = ai->ai_flags & AI_SECURE;
int type = ai->ai_socktype | SOCK_CLOEXEC | SOCK_NONBLOCK; int type = ai->ai_socktype | SOCK_CLOEXEC | SOCK_NONBLOCK;
int sd; int sd;
@ -150,13 +154,16 @@ int socket_create(struct addrinfo *ai, void (*cb)(int, void *), void *arg)
if (sd < 0) if (sd < 0)
return -1; return -1;
if (socket_opts(sd, ai->ai_family)) if (socket_opts(sd, ai->ai_family, secure))
goto err; goto err;
if (secure)
goto skip;
if (bind(sd, ai->ai_addr, ai->ai_addrlen) < 0) if (bind(sd, ai->ai_addr, ai->ai_addrlen) < 0)
goto err; goto err;
if (ai->ai_family == AF_UNIX) { skip: if (ai->ai_family == AF_UNIX) {
if (chmod(sun->sun_path, mode) < 0) if (chmod(sun->sun_path, mode) < 0)
goto err; goto err;
} }

View File

@ -127,6 +127,7 @@ static int family = PF_UNSPEC; /* protocol family (IPv4, IPv6 or both) */
static int mask_C1 = 1; /* mask characters from 0x80 - 0x9F */ static int mask_C1 = 1; /* mask characters from 0x80 - 0x9F */
static int send_to_all; /* send message to all IPv4/IPv6 addresses */ static int send_to_all; /* send message to all IPv4/IPv6 addresses */
static int MarkSeq = 0; /* mark sequence number */ static int MarkSeq = 0; /* mark sequence number */
static int SecureMode; /* when true, receive only unix domain socks */
static int RemoteAddDate; /* Always set the date on remote messages */ static int RemoteAddDate; /* Always set the date on remote messages */
static int RemoteHostname; /* Log remote hostname from the message */ static int RemoteHostname; /* Log remote hostname from the message */
@ -191,8 +192,8 @@ static int addpeer(struct peer *pe0)
int usage(int code) int usage(int code)
{ {
printf("Usage:\n" printf("Usage:\n"
" syslogd [-46Adnrvh?] [-b :PORT] [-b ADDR[:PORT]] [-f FILE] [-m SEC]\n" " syslogd [-46Adnrsvh?] [-b :PORT] [-b ADDR[:PORT]] [-f FILE] [-m SEC]\n"
" [-P PID_FILE] [-p SOCK_PATH] [-R SIZE[:NUM]]\n" " [-P PID_FILE] [-p SOCK_PATH] [-R SIZE[:NUM]]\n"
"\n" "\n"
"Options:\n" "Options:\n"
" -4 Force IPv4 only\n" " -4 Force IPv4 only\n"
@ -212,6 +213,9 @@ int usage(int code)
" -R S[:R] Enable log rotation. The size argument (S) takes k/M/G qualifiers,\n" " -R S[:R] Enable log rotation. The size argument (S) takes k/M/G qualifiers,\n"
" e.g. 2M for 2 MiB. The optional rotations argument default to 5.\n" " e.g. 2M for 2 MiB. The optional rotations argument default to 5.\n"
" Rotation can also be defined per log file in syslog.conf\n" " Rotation can also be defined per log file in syslog.conf\n"
" -s Operate in secure mode, do not log messages from remote machines.\n"
" If specified twice, no socket at all will be opened, which also\n"
" disables support for logging to remote machines.\n"
"\n" "\n"
" -? Show this help text\n" " -? Show this help text\n"
" -v Show program version and exit\n" " -v Show program version and exit\n"
@ -242,7 +246,7 @@ int main(int argc, char *argv[])
KeepKernFac = 1; KeepKernFac = 1;
#endif #endif
while ((ch = getopt(argc, argv, "46Ab:dhHf:m:nP:p:R:v?")) != EOF) { while ((ch = getopt(argc, argv, "46Ab:dhHf:m:nP:p:R:sv?")) != EOF) {
switch ((char)ch) { switch ((char)ch) {
case '4': case '4':
family = PF_INET; family = PF_INET;
@ -312,6 +316,10 @@ int main(int argc, char *argv[])
parse_rotation(optarg, &RotateSz, &RotateCnt); parse_rotation(optarg, &RotateSz, &RotateCnt);
break; break;
case 's':
SecureMode++;
break;
case 'v': case 'v':
printf("syslogd v%s\n", VERSION); printf("syslogd v%s\n", VERSION);
exit(0); exit(0);
@ -393,7 +401,7 @@ int main(int argc, char *argv[])
SIMPLEQ_FOREACH(pe, &pqueue, next) { SIMPLEQ_FOREACH(pe, &pqueue, next) {
if (pe->pe_name && pe->pe_name[0] == '/') if (pe->pe_name && pe->pe_name[0] == '/')
create_unix_socket(pe); create_unix_socket(pe);
else // XXX if (cffwd() && SecureMode <= 1) else if (SecureMode < 2)
create_inet_socket(pe); create_inet_socket(pe);
} }
@ -540,6 +548,11 @@ static void create_inet_socket(struct peer *pe)
} }
for (r = res; r; r = r->ai_next) { for (r = res; r; r = r->ai_next) {
if (SecureMode)
r->ai_flags |= AI_SECURE;
else
r->ai_flags &= ~AI_SECURE;
sd = socket_create(r, inet_cb, NULL); sd = socket_create(r, inet_cb, NULL);
if (sd < 0) if (sd < 0)
continue; continue;
@ -1907,24 +1920,6 @@ void doexit(int signo)
exit(0); exit(0);
} }
/*
* Check active rules for action FWD
*/
static int cffwd(void)
{
struct filed *f;
int fwd = 0;
SIMPLEQ_FOREACH(f, &fhead, f_link) {
if (f->f_type == F_FORW ||
f->f_type == F_FORW_SUSP ||
f->f_type == F_FORW_UNKN)
fwd++;
}
return fwd;
}
/* Create fallback .conf with err+panic sent to console */ /* Create fallback .conf with err+panic sent to console */
static FILE *cftemp(void) static FILE *cftemp(void)
{ {

View File

@ -111,6 +111,8 @@
#define LIST_DELIMITER ':' /* delimiter between two hosts */ #define LIST_DELIMITER ':' /* delimiter between two hosts */
#define AI_SECURE 0x8000 /* Tell socket_create() to not bind() */
/* From The Practice of Programming, by Kernighan and Pike */ /* From The Practice of Programming, by Kernighan and Pike */
#ifndef NELEMS #ifndef NELEMS
#define NELEMS(array) (sizeof(array) / sizeof(array[0])) #define NELEMS(array) (sizeof(array) / sizeof(array[0]))

View File

@ -6,7 +6,7 @@ Requires=syslog.socket
[Service] [Service]
Type=simple Type=simple
ExecStart=@SBINDIR@/syslogd -n ExecStart=@SBINDIR@/syslogd -sn
StandardOutput=null StandardOutput=null
Restart=on-failure Restart=on-failure