Add support for setting secure_mode=[0,1,2] in .conf file

Logic for secure mode setting in .conf file

 - Command line always wins
 - SIGHUP activates changes

Note: if -s is given on the command line it always wins, regardless.

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
This commit is contained in:
Joachim Wiberg 2022-05-22 21:55:46 +02:00
parent 577d20b8da
commit 075815eeb8
3 changed files with 101 additions and 30 deletions


@ -68,6 +68,11 @@ OPTION := [OPTION,]
|= RFC3164 |= RFC3164
|= RFC5424 |= RFC5424
|= rotate=SIZE:COUNT |= rotate=SIZE:COUNT
secure_mode [0,1,2]
include /etc/syslog.d/*.conf
notify /path/to/script-on-rotate
.Ed .Ed
.Pp .Pp
The The
@ -105,9 +110,34 @@ cron or a separate log rotate daemon.
Comments, lines starting with a hash mark ('#'), and empty lines are Comments, lines starting with a hash mark ('#'), and empty lines are
ignored. If an error occurs during parsing the whole line is ignored. ignored. If an error occurs during parsing the whole line is ignored.
.Pp .Pp
The special keyword Additional options include
.Em notify .Ql secure_mode <0-2>
specifies the path to an executable program which will get called which is the same as the
.Nm syslogd Fl s
commandline option.
.Sy Note:
command line option always wins, so you need to drop
.Fl s
from the command line to use this .conf file option instead.
.Pp
.Bl -tag -compact -width "01" -offset indent
.It 0
act as a syslog sink, listening on UDP port 514 by default, as well as
support for sending to remote syslog servers
.It 1
only support for sending to remote syslog servers, no Internet ports
open
.It 2
no Internet ports open at all, and no remote logging possible
.El
.Bd -literal -offset indent
# Example: only allow logging to remote servers
secure_mode 1
.Ed
.Pp
The
.Ql notify <PATH>
option specifies the path to an executable program which will get called
whenever a log file has been rotated, with the name of the file, less whenever a log file has been rotated, with the name of the file, less
its rotation suffix its rotation suffix
.Ql .0 , .Ql .0 ,
@ -116,10 +146,10 @@ For example:
.Ql notify /sbin/on-log-rotate.sh . .Ql notify /sbin/on-log-rotate.sh .
Any number of notifiers may be installed. Any number of notifiers may be installed.
.Pp .Pp
A special The
.Em include .Ql include <PATH/*.conf>
keyword can be used to include all files with names ending in '.conf' option can be used to include all files with names ending in '.conf' and
and not beginning with a '.' contained in the directory following the not beginning with a '.' contained in the directory following the
keyword. This keyword can only be used in the first level configuration keyword. This keyword can only be used in the first level configuration
file. The included example file. The included example
.Pa /etc/syslog.conf .Pa /etc/syslog.conf


@ -334,6 +334,21 @@ is 5.
Operate in secure mode. Do not log messages from remote machines. If Operate in secure mode. Do not log messages from remote machines. If
specified twice, no network socket will be opened at all, which also specified twice, no network socket will be opened at all, which also
disables logging to remote machines. disables logging to remote machines.
.Pp
Secure mode can also be set in
.Xr syslog.conf 5
using the
.Cm secure_mode
config option. This is more flexible since you can change the option
and simply send
.Ar SIGHUP
to activate the changes, instead of having to restart
.Nm .
.Pp
.Sy Note:
the command line option always wins, so it must be removed for
.Nm
to consider the .conf file option instead.
.It Fl T .It Fl T
Always use the local time and date for messages received from the network, Always use the local time and date for messages received from the network,
instead of the timestamp field supplied in the message by the remote host. instead of the timestamp field supplied in the message by the remote host.


@ -96,6 +96,8 @@ static char sccsid[] __attribute__((unused)) =
#include "timer.h" #include "timer.h"
#include "compat.h" #include "compat.h"
#define SecureMode (secure_opt > 0 ? secure_opt : secure_mode)
char *CacheFile = _PATH_CACHE; char *CacheFile = _PATH_CACHE;
char *ConfFile = _PATH_LOGCONF; char *ConfFile = _PATH_LOGCONF;
char *PidFile = _PATH_LOGPID; char *PidFile = _PATH_LOGPID;
@ -136,7 +138,8 @@ static int MarkInterval = 20 * 60; /* interval between marks in seconds */
static int family = PF_UNSPEC; /* protocol family (IPv4, IPv6 or both) */ static int family = PF_UNSPEC; /* protocol family (IPv4, IPv6 or both) */
static int mask_C1 = 1; /* mask characters from 0x80 - 0x9F */ static int mask_C1 = 1; /* mask characters from 0x80 - 0x9F */
static int send_to_all; /* send message to all IPv4/IPv6 addresses */ static int send_to_all; /* send message to all IPv4/IPv6 addresses */
static int SecureMode; /* when true, receive only unix domain socks */ static int secure_opt; /* sink for others, log to remote, or only unix domain socks */
static int secure_mode; /* same as above but from syslog.conf, only if cmdline unset */
static int RemoteAddDate; /* Always set the date on remote messages */ static int RemoteAddDate; /* Always set the date on remote messages */
static int RemoteHostname; /* Log remote hostname from the message */ static int RemoteHostname; /* Log remote hostname from the message */
@ -175,6 +178,7 @@ const struct cfkey {
char **var; char **var;
} cfkey[] = { } cfkey[] = {
{ "notify", NULL }, { "notify", NULL },
{ "secure_mode", &secure_str },
}; };
/* Function prototypes. */ /* Function prototypes. */
@ -478,7 +482,7 @@ int main(int argc, char *argv[])
break; break;
case 's': case 's':
SecureMode++; secure_opt++;
break; break;
case 'T': case 'T':
@ -727,6 +731,9 @@ static void create_unix_socket(struct peer *pe)
struct addrinfo ai; struct addrinfo ai;
int sd = -1; int sd = -1;
if (pe->pe_socknum)
return; /* Already set up */
memset(&ai, 0, sizeof(ai)); memset(&ai, 0, sizeof(ai));
ai.ai_addr = (struct sockaddr *)&sun; ai.ai_addr = (struct sockaddr *)&sun;
ai.ai_addrlen = sizeof(sun); ai.ai_addrlen = sizeof(sun);
@ -2244,6 +2251,14 @@ static void forw_lookup(struct filed *f)
int err, first; int err, first;
time_t diff; time_t diff;
if (SecureMode > 1) {
if (f->f_un.f_forw.f_addr)
freeaddrinfo(f->f_un.f_forw.f_addr);
f->f_un.f_forw.f_addr = NULL;
f->f_type = F_FORW_UNKN;
return;
}
/* Called from cfline() for initial lookup? */ /* Called from cfline() for initial lookup? */
first = f->f_type == F_UNUSED ? 1 : 0; first = f->f_type == F_UNUSED ? 1 : 0;
@ -2525,10 +2540,10 @@ static void boot_time_init(void)
*/ */
static void init(void) static void init(void)
{ {
static int once = 1;
struct notifiers newn = SIMPLEQ_HEAD_INITIALIZER(newn); struct notifiers newn = SIMPLEQ_HEAD_INITIALIZER(newn);
struct filed *f;
struct files newf = SIMPLEQ_HEAD_INITIALIZER(newf); struct files newf = SIMPLEQ_HEAD_INITIALIZER(newf);
struct filed *f;
struct peer *pe;
FILE *fp; FILE *fp;
char *p; char *p;
@ -2574,23 +2589,6 @@ static void init(void)
*p = tolower(*p); *p = tolower(*p);
} }
/*
* Open sockets for local and remote communication
*/
if (once) {
struct peer *pe;
/* Only once at startup */
once = 0;
SIMPLEQ_FOREACH(pe, &pqueue, pe_link) {
if (pe->pe_name && pe->pe_name[0] == '/')
create_unix_socket(pe);
else if (SecureMode < 2)
create_inet_socket(pe);
}
}
/* /*
* Load / reload timezone data (in case it changed) * Load / reload timezone data (in case it changed)
*/ */
@ -2630,6 +2628,21 @@ static void init(void)
nothead = newn; nothead = newn;
/*
* Open or close sockets for local and remote communication
*/
SIMPLEQ_FOREACH(pe, &pqueue, pe_link) {
if (pe->pe_name && pe->pe_name[0] == '/') {
create_unix_socket(pe);
} else {
for (size_t i = 0; i < pe->pe_socknum; i++)
socket_close(pe->pe_sock[i]);
if (SecureMode < 2)
create_inet_socket(pe);
}
}
Initialized = 1; Initialized = 1;
if (Debug) { if (Debug) {
@ -2771,7 +2784,7 @@ static struct filed *cfline(char *line)
int syncfile, pri; int syncfile, pri;
int i, i2; int i, i2;
logit("cfline(%s)\n", line); logit("cfline[%s]\n", line);
f = calloc(1, sizeof(*f)); f = calloc(1, sizeof(*f));
if (!f) { if (!f) {
@ -3033,7 +3046,7 @@ const struct cfkey *cfkey_match(char *cline)
p++; p++;
if (cfk->var) if (cfk->var)
*cfk->var = strdupa(p); *cfk->var = strdup(p);
else else
memmove(cline, p, strlen(p) + 1); memmove(cline, p, strlen(p) + 1);
@ -3133,6 +3146,19 @@ static int cfparse(FILE *fp, struct files *newf, struct notifiers *newn)
SIMPLEQ_INSERT_TAIL(newf, f, f_link); SIMPLEQ_INSERT_TAIL(newf, f, f_link);
} }
if (secure_str) {
int val;
val = atoi(secure_str);
if (val < 0 || val > 2)
logit("Invalid value to secure_mode = %s\n", secure_str);
else
secure_mode = val;
free(secure_str);
secure_str = NULL;
}
return 0; return 0;
} }
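Review bot: `val = atoi(secure_str);` in the new block at the end of cfparse accepts any non-numeric value, so `secure_mode abc` yields 0 and `secure_mode 1x` yields 1, both of which pass the `val < 0 || val > 2` check; a typo in the .conf file therefore silently selects mode 0, the least restrictive setting, instead of being rejected. Parsing with strtol and rejecting an empty number, trailing characters and ERANGE keeps the previous secure_mode and logs the bad line, which is what the existing else-branch already intends (errno needs `<errno.h>` in scope if the file does not include it yet). A smaller point in the same spirit: `*cfk->var = strdup(p);` in cfkey_match is never checked and, if `secure_mode` appears twice in one file, the first string leaks because secure_str is only freed here. The enclosing cfparse starts outside the hunk.
```c
	if (secure_str) {
		char *end;
		long val;

		errno = 0;
		val = strtol(secure_str, &end, 10);
		if (end == secure_str || *end != '\0' || errno == ERANGE || val < 0 || val > 2)
			logit("Invalid value to secure_mode = %s\n", secure_str);
		else
			secure_mode = (int)val;
		free(secure_str);
		secure_str = NULL;
	}
```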