path: root/usr.sbin/syslogd
Age / Author / Commit message

2016-08-29  Alexander Bluhm
    Add more information to syslogd tls config error messages. OK millert@

2016-08-17  Alexander Bluhm
    By using the new tls_config_load_file() feature, syslogd(8) certificate and key loading can be simplified. OK jsing@

2016-08-16  Ted Unangst
    stop including sys/param.h for nitems. define locally as needed. ok natano reyk

2016-07-13  Joel Sing
    Adjust existing tls_config_set_cipher() callers for TLS cipher group changes - map the previous configuration to the equivalent in the new groups. This will be revisited post release. Discussed with beck@

2016-07-12  Alexander Bluhm
    Document that the syslogd options -c and -k must be used together. OK jmc@

2016-07-12  Alexander Bluhm
    Add support for TLS client certificates in syslogd. This allows a remote server to verify that the log messages from our syslogd are authentic. From Kapetanakis Giannis; man page input jmc@; OK jung@ deraadt@

2016-07-06  Todd C. Miller
    Allow space-delimited fields in syslog.conf in addition to traditional tab-delimited fields. This is consistent with what FreeBSD, NetBSD and Linux do. Adapted from FreeBSD.

2016-07-01  Todd C. Miller
    Avoid printing f->f_lasttime and/or f->f_prevhost if they are empty. This fixes a long-standing issue where syslogd would print 15 NUL bytes followed by two blank spaces before the log message for warnings generated while parsing syslog.conf. OK bluhm@

2016-07-01  Todd C. Miller
    Include errno string in log message when we fail to open a file. The privileged process sends the errno value back when it cannot open a file. OK gilles@

2016-06-28  Jeremie Courreges-Anglas
    whitespace nit

2016-04-02  Kenneth R Westerback
    Eliminate superfluous 3rd params in fcntl(F_GETFL) calls. ttymsg.c doesn't need to include fcntl.h. Tweak standard fd sanitising to be more like the sanitise_stdfd() used elsewhere, though other uses of 'nullfd' make importing sanitise_stdfd() itself unappetizing. Add a die(0) if dup2() fails. suggestions & ok bluhm@

2016-03-31  Ingo Schwarze
    Don't use .Aq for syntax elements that require ASCII "<>". Patch from Christian Heckendorf <mbie at ulmus dot me>. OK jmc@ bentley@

2016-02-17  Alexander Bluhm
    Prevent an integer overflow in syslogd when parsing the priority. From Michael Savage; input and OK mmcc@

2015-12-29  Alexander Bluhm
    When running syslogd in debug mode, use a callback to print the libevent messages. Before the code was removed from libevent, the library itself printed that to stderr. OK nicm@

2015-12-16  Alexander Bluhm
    Adding mark messages to log files was broken since OpenBSD 5.7. The mark timeout event is not persistent, add the timer interval every time it fires. Bug report, analysis and fix from Einfach Jemand rru.142 at gmail.com

2015-10-24  Alexander Bluhm
    If loading the CA certificates at startup had failed, the syslogd child tried to load the default CA file when it was connecting to a TLS server. The latter has never worked as the child is chrooted to /var/empty. Set the CA storage to an empty string to avoid this behavior. As a benefit pledge "rpath" can be removed. OK benno@

2015-10-23  Alexander Bluhm
    If writing to a tty blocks, syslogd forked and tried to write again in a background process. A potential fork(2) at every message is bad, so replace this with an event. As a bonus the syslogd child process does not need to pledge "proc" anymore. Also limit the number of delayed write events. OK deraadt@

2015-10-21  Alexander Bluhm
    Do some cleanup in syslogd ttymsg(). Add a debug message when the syslogd child calls fork(2) to delay blocked output. OK benno@

2015-10-20  Alexander Bluhm
    After pledge "dns" has been refactored and setsockopt(SO_RCVBUF) has been added to it, the syslogd privsep parent does not need pledge "inet" anymore. discussed with deraadt@

2015-10-18  Alexander Bluhm
    Add "id" pledge to syslogd privsep process. Needed for logging to pipe. OK deraadt@

2015-10-16  Alexander Bluhm
    Pledge the syslogd privsep process with "stdio rpath wpath cpath inet dns getpw sendfd proc exec". OK deraadt@

2015-10-15  Alexander Bluhm
    In syslogd replace the dprintf() macro with a logdebug() function as dprintf(3) is in libc now and does something different. OK guenther@

2015-10-11  Alexander Bluhm
    Pass unsigned char to isdigit(3). From Michael McConville; OK guenther@

2015-10-11  Philip Guenther
    Userspace doesn't need to use SUN_LEN(): connect() and bind() must accept sizeof(struct sockaddr_un), so do the simple, portable thing. Also convert some strncpy() to strlcpy(). ok deraadt@

2015-10-10  Theo de Raadt
    normalize a few more tame request orderings, to help review

2015-10-09  Alexander Bluhm
    If syslogd is started with -S, it accepts TLS connections to receive encrypted messages. The server certificates are taken from /etc/ssl like relayd does. OK benno@ beck@ deraadt@

2015-10-09  Alexander Bluhm
    If syslogd is started with -S, it accepts TLS connections to receive encrypted messages. The server certificates are taken from /etc/ssl like relayd does. OK benno@ beck@ deraadt@

2015-10-09  Alexander Bluhm
    A fork(2) is used in ttymsg() to delay the message to a tty if it blocks. Fix the potential syslogd's death, add "proc" to pledge. OK deraadt@

2015-10-09  Theo de Raadt
    catch up to tame() -> pledge() rename

2015-10-09  Alexander Bluhm
    Tame syslogd privsep child with "stdio rpath unix inet recvfd". With and OK deraadt@

2015-09-29  Philip Guenther
    Delete the final, inscrutable NOSTRICT and VARARGS lint comments. ok millert@

2015-09-20  Alexander Bluhm
    Misuse of libevent in TLS read and write might have caused strange event loss in syslogd. The ev_read and ev_write event structures were used for both EV_READ and EV_WRITE events intermixedly. The correct way is to use each event for its read and write purpose and instead switch the handler. Then libevent is no longer confused. When doing TLS read and a TLS_WANT_POLLOUT occurs, call event_set() for the write event to change the callback to read. As there might be an event scheduled on the event, call event_del() before event_set(). After a successful TLS read, change back the write event. Add analog code for TLS write and handshake. OK beck@

2015-09-12  Alexander Bluhm
    It is not necessary to reset errno to 0 since we use logerrorx(). Spotted by jung@

2015-09-11  Alexander Bluhm
    Instead of printing errno strings here and there, add a logerrorx() to syslogd that does not do that. Use it for anything that does not look like a system call or library call around it. Also add logerrorctx() that prints the TLS error instead. Reduce the maximum CAfile limit to 50MB, requested by Bob. OK beck@

2015-09-11  Alexander Bluhm
    Syslog does not need the global list of TCP clients, libevent handles everything. OK benno@

2015-09-10  Alexander Bluhm
    Instead of having global variables containing the libevent structures, allocate them with malloc. This makes the address space layout more random. OK deraadt@ benno@

2015-09-10  Alexander Bluhm
    Convert syslogd TLS connect to use handshake callback. The bt_hostname can go away as the callback does not need the hostname anymore. Call tls_handshake() until successful. Remove the function tls_socket() as it has a bad prefix. Just call tls_client(), tls_configure() and tls_connect_socket() after the TCP socket has been created. There is no need to wait until TCP connect has finished. OK beck@ jsing@

2015-09-10  Ingo Schwarze
    reduce .Nd to one line and kill .Tn while here

2015-09-10  Alexander Bluhm
    Make syslogd compile again after recent libtls changes. Adapt to new tls_read() and tls_write() calling semantics, adapt to TLS_WANT_POLLIN and TLS_WANT_POLLOUT renaming. OK beck@

2015-09-09  Alexander Bluhm
    To double the receive buffer of a socketpair does not help as sending checks the send buffer size. So double both buffer sizes. Moreover the default for sending is 2048 and for receiving is 4096. This makes the existing double buffer algorithm inconsistent. It is better to make the buffers large enough to hold 8 full length messages. Just make sure that it does not shrink. Keep the approach that doubles the buffer sizes. When we are low on buffers and cannot reach the full size, increase it as much as possible. While there, add consistent error messages. OK benno@

2015-09-03  Alexander Bluhm
    In sendsyslog(2) I got the plural s of messages right. The messages of syslogd(8) should be alike. syslogd: dropped 1 message OK lteo@ millert@

2015-09-03  Alexander Bluhm
    Instead of creating a line buffer on the stack, tcp_readcb() can use the global linebuf like the other libevent read callbacks. OK jung@

2015-09-01  Alexander Bluhm
    Bind the *:514 UDP socket of syslogd with SO_REUSEADDR. This avoids conflicts with other processes bound to a specific address with the same port. Syslogd uses this socket basically for outgoing traffic to remote UDP log servers, so increase the chance that it works. OK jung@ benno@

2015-08-31  Alexander Bluhm
    The !prog and +host features allow to select log messages from a specific program or host. It does not make sense to truncate the string from the config at some character from a list. Just take whatever the user specified as progname or hostname. If it contains funky characters it will not match and the action is not taken. This fixes matching with IP addresses if syslogd is started with -n. OK semarie@

2015-08-27  Alexander Bluhm
    When syslogd is reloading a modified config, it does a reexec on itself. For this it uses the original arguments of main(). The function loghost_parse() modifies the optarg memory it is operating on. To prevent the exec arguments from being tampered with, pass a copy of optarg to loghost_parse(). OK deraadt@

2015-08-25  Alexander Bluhm
    strlcpy() accesses the source string until it finds NUL, even if it is behind the size limit. As msg is not NUL-terminated in this case, it depended on memory content whether syslogd will crash. So using memcpy() and setting the NUL explicitly is the correct way. OK deraadt@

2015-07-20  Alexander Bluhm
    Do not reconnect outgoing TCP connections too aggressively. In case the receiver closes the connection, wait for a second to give him a chance to recover. OK benno@

2015-07-20  Alexander Bluhm
    Do not accept sockets when syslogd reaches the file descriptor limit. Instead disable the listen event and wait for a second. Keep a reserve of 5 file descriptors. OK benno@

2015-07-19  Alexander Bluhm
    For incoming TCP message streams autodetect whether the method is octet counting or non transparent framing. OK benno@

2015-07-18  Alexander Bluhm
    As libtls previously did not set SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER, syslogd had to drop messages after tls_write() returned TLS_{READ,WRITE}_AGAIN. Now after libtls has been fixed, remove the workaround. Messages are stored in the libevent write buffer as we can safely do a realloc(3) now. OK reyk@