diff --git a/man/syslog.conf.5 b/man/syslog.conf.5 index b232fb5..c23040d 100644 --- a/man/syslog.conf.5 +++ b/man/syslog.conf.5 @@ -68,6 +68,11 @@ OPTION := [OPTION,] |= RFC3164 |= RFC5424 |= rotate=SIZE:COUNT + +secure_mode [0,1,2] + +include /etc/syslog.d/*.conf +notify /path/to/script-on-rotate .Ed .Pp The @@ -105,9 +110,34 @@ cron or a separate log rotate daemon. Comments, lines starting with a hash mark ('#'), and empty lines are ignored. If an error occurs during parsing the whole line is ignored. .Pp -The special keyword -.Em notify -specifies the path to an executable program which will get called +Additional options include +.Ql secure_mode <0-2> +which is the same as the +.Nm syslogd Fl s +commandline option. +.Sy Note: +command line option always wins, so you need to drop +.Fl s +from the command line to use this .conf file option instead. +.Pp +.Bl -tag -compact -width "01" -offset indent +.It 0 +act as a syslog sink, listening on UDP port 514 by default, as well as +support for sending to remote syslog servers +.It 1 +only support for sending to remote syslog servers, no Internet ports +open +.It 2 +no Internet ports open at all, and no remote logging possible +.El +.Bd -literal -offset indent +# Example: only allow logging to remote servers +secure_mode 1 +.Ed +.Pp +The +.Ql notify +option specifies the path to an executable program which will get called whenever a log file has been rotated, with the name of the file, less its rotation suffix .Ql .0 , 
@@ -116,10 +146,10 @@ For example: .Ql notify /sbin/on-log-rotate.sh . Any number of notifiers may be installed. .Pp -A special -.Em include -keyword can be used to include all files with names ending in '.conf' -and not beginning with a '.' contained in the directory following the +The +.Ql include +option can be used to include all files with names ending in '.conf' and +not beginning with a '.' contained in the directory following the keyword. This keyword can only be used in the first level configuration file. The included example .Pa /etc/syslog.conf diff --git a/man/syslogd.8 b/man/syslogd.8 index 5819875..f2bdabe 100644 --- a/man/syslogd.8 +++ b/man/syslogd.8 @@ -334,6 +334,21 @@ is 5. Operate in secure mode. Do not log messages from remote machines. If specified twice, no network socket will be opened at all, which also disables logging to remote machines. +.Pp +Secure mode can also be set in +.Xr syslog.conf 5 +using the +.Cm secure_mode +config option. This is more flexible since you can change the option +and simply send +.Ar SIGHUP +to activate the changes, instead of having to restart +.Nm . +.Pp +.Sy Note: +the command line option always wins, so it must be removed for +.Nm +to consider the .conf file option instead. .It Fl T Always use the local time and date for messages received from the network, instead of the timestamp field supplied in the message by the remote host. diff --git a/src/syslogd.c b/src/syslogd.c index 986fa1c..3b89101 100644 --- a/src/syslogd.c +++ b/src/syslogd.c @@ -96,6 +96,8 @@ static char sccsid[] __attribute__((unused)) = #include "timer.h" #include "compat.h" +#define SecureMode (secure_opt > 0 ? secure_opt : secure_mode) + char *CacheFile = _PATH_CACHE; char *ConfFile = _PATH_LOGCONF; char *PidFile = _PATH_LOGPID; 
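Review bot: The new `SecureMode` macro encodes a precedence rule (a non-zero `-s` count beats the syslog.conf value) that nothing at its definition explains, and it reuses the name of the variable it replaces, so the later `SecureMode < 2` and `SecureMode > 1` checks still read like tests of the old global. Add a comment above it, e.g. `/* Effective secure mode: -s on the command line (secure_opt) always overrides the syslog.conf secure_mode option; 0 = receive and forward, 1 = forward only, 2 = no Internet sockets */`. Both operands are declared further down the file (the @@ -136 hunk), which is fine for a macro, but a line noting that `secure_mode` is only ever written by cfparse() would save the next reader a search.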
@@ -136,7 +138,8 @@ static int MarkInterval = 20 * 60; /* interval between marks in seconds */ static int family = PF_UNSPEC; /* protocol family (IPv4, IPv6 or both) */ static int mask_C1 = 1; /* mask characters from 0x80 - 0x9F */ static int send_to_all; /* send message to all IPv4/IPv6 addresses */ -static int SecureMode; /* when true, receive only unix domain socks */ +static int secure_opt; /* sink for others, log to remote, or only unix domain socks */ +static int secure_mode; /* same as above but from syslog.conf, only if cmdline unset */ static int RemoteAddDate; /* Always set the date on remote messages */ static int RemoteHostname; /* Log remote hostname from the message */ @@ -175,6 +178,7 @@ const struct cfkey { char **var; } cfkey[] = { { "notify", NULL }, + { "secure_mode", &secure_str }, }; /* Function prototypes. */ @@ -478,7 +482,7 @@ int main(int argc, char *argv[]) break; case 's': - SecureMode++; + secure_opt++; break; case 'T': @@ -727,6 +731,9 @@ static void create_unix_socket(struct peer *pe) struct addrinfo ai; int sd = -1; + if (pe->pe_socknum) + return; /* Already set up */ + memset(&ai, 0, sizeof(ai)); ai.ai_addr = (struct sockaddr *)&sun; ai.ai_addrlen = sizeof(sun); @@ -2244,6 +2251,14 @@ static void forw_lookup(struct filed *f) int err, first; time_t diff; + if (SecureMode > 1) { + if (f->f_un.f_forw.f_addr) + freeaddrinfo(f->f_un.f_forw.f_addr); + f->f_un.f_forw.f_addr = NULL; + f->f_type = F_FORW_UNKN; + return; + } + /* Called from cfline() for initial lookup? */ first = f->f_type == F_UNUSED ? 1 : 0; @@ -2525,10 +2540,10 @@ static void boot_time_init(void) */ static void init(void) { - static int once = 1; struct notifiers newn = SIMPLEQ_HEAD_INITIALIZER(newn); - struct filed *f; struct files newf = SIMPLEQ_HEAD_INITIALIZER(newf); + struct filed *f; + struct peer *pe; FILE *fp; char *p; 
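Review bot: The comment on `secure_opt` ("sink for others, log to remote, or only unix domain socks") never says which value means what, although this same commit spells the three states out in syslog.conf.5; replace it with `/* 0: receive from network and forward, 1: forward only, 2: no Internet sockets; from -s */` and give `secure_mode` the matching `/* same scale, from syslog.conf secure_mode; used only while secure_opt is 0 */`. Also, `secure_str`, whose address the @@ -175 cfkey[] hunk stores and which cfparse() later frees, is not declared in any hunk of this diff; unless it already exists at file scope, a `static char *secure_str;` belongs next to these two.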
@@ -2574,23 +2589,6 @@ static void init(void) *p = tolower(*p); } - /* - * Open sockets for local and remote communication - */ - if (once) { - struct peer *pe; - - /* Only once at startup */ - once = 0; - - SIMPLEQ_FOREACH(pe, &pqueue, pe_link) { - if (pe->pe_name && pe->pe_name[0] == '/') - create_unix_socket(pe); - else if (SecureMode < 2) - create_inet_socket(pe); - } - } - /* * Load / reload timezone data (in case it changed) */ @@ -2630,6 +2628,21 @@ static void init(void) nothead = newn; + /* + * Open or close sockets for local and remote communication + */ + SIMPLEQ_FOREACH(pe, &pqueue, pe_link) { + if (pe->pe_name && pe->pe_name[0] == '/') { + create_unix_socket(pe); + } else { + for (size_t i = 0; i < pe->pe_socknum; i++) + socket_close(pe->pe_sock[i]); + + if (SecureMode < 2) + create_inet_socket(pe); + } + } + Initialized = 1; if (Debug) { @@ -2771,7 +2784,7 @@ static struct filed *cfline(char *line) int syncfile, pri; int i, i2; - logit("cfline(%s)\n", line); + logit("cfline[%s]\n", line); f = calloc(1, sizeof(*f)); if (!f) { @@ -3033,7 +3046,7 @@ const struct cfkey *cfkey_match(char *cline) p++; if (cfk->var) - *cfk->var = strdupa(p); + *cfk->var = strdup(p); else memmove(cline, p, strlen(p) + 1); @@ -3133,6 +3146,19 @@ static int cfparse(FILE *fp, struct files *newf, struct notifiers *newn) SIMPLEQ_INSERT_TAIL(newf, f, f_link); } + if (secure_str) { + int val; + + val = atoi(secure_str); + if (val < 0 || val > 2) + logit("Invalid value to secure_mode = %s\n", secure_str); + else + secure_mode = val; + + free(secure_str); + secure_str = NULL; + } + return 0; }
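Review bot: In the reload loop added to init(), the inet branch closes every `pe->pe_sock[i]` but leaves `pe->pe_socknum` at its old value, so unless socket_close() or create_inet_socket() (neither is in the diff) resets it, a peer in secure mode 2 keeps counting descriptors that are already closed, and the next SIGHUP closes those stale numbers again — by then they may have been reused for a log file or another socket. Add `pe->pe_socknum = 0;` right after the close loop, before the `if (SecureMode < 2)` check. The removed @@ -2574 block only ran once at startup; this loop runs on every reload, which also means the listening sockets are torn down and re-bound on each SIGHUP even when nothing changed, and a comment on the loop saying that is intended would help.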
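Review bot: `*cfk->var = strdup(p)` overwrites whatever the variable already holds, so if `secure_mode` appears more than once before cfparse() reaches its free at the end, the earlier copy leaks; strdupa was stack-allocated, so this is new with the switch to strdup. A `free(*cfk->var);` before the assignment keeps the last-one-wins behaviour without the leak. strdup() can also return NULL, which here makes cfparse() skip the option silently, so a `logit()` on that path would tell the user their setting was dropped. The rest of cfkey_match() lies outside the hunk.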
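Review bot: `atoi(secure_str)` returns 0 for any non-numeric text, so a mistyped line such as `secure_mode on` passes the `val < 0 || val > 2` check as 0 and silently puts the daemon into the least restrictive mode with the UDP listener open, which is exactly the misconfiguration a secure-mode option should reject. Parse with strtol() and require the whole token to be consumed, as in the fence below. Separately, `secure_mode` is only assigned when the keyword is present, so removing the line from syslog.conf and sending SIGHUP leaves the previous value in effect; unless init() resets it elsewhere, cfparse() should set `secure_mode = 0` before parsing so a reload reflects the file. The enclosing cfparse() begins outside the hunk.
```c
	if (secure_str) {
		char *end = NULL;
		long val = strtol(secure_str, &end, 10);

		/* Reject empty text, trailing junk and out-of-range values instead of letting atoi() map them to 0 */
		if (end == secure_str || *end != '\0' || val < 0 || val > 2)
			logit("Invalid value to secure_mode = %s\n", secure_str);
		else
			secure_mode = (int)val;

		/* … unchanged: free(secure_str) and reset to NULL … */
	}
```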