https://bugzilla.mindrot.org/show_bug.cgi?id=2681
--- Comment #1 from Damien Miller <[email protected]> --- Comment on attachment 2945 --> https://bugzilla.mindrot.org/attachment.cgi?id=2945 log in postauth via monitor (if there is no /dev/log) > void >-monitor_reinit(struct monitor *mon) >+monitor_reinit(struct monitor *mon, const char *chroot_dir) > { >- monitor_openfds(mon, 0); >+ struct stat dev_log_stat; >+ char *dev_log_path; >+ int do_logfds = 0; >+ >+ if (chroot_dir != NULL) { >+ xasprintf(&dev_log_path, "%s/dev/log", chroot_dir); >+ >+ if (stat(dev_log_path, &dev_log_stat) != 0) { >+ debug("%s: /dev/log doesn't exist in %s chroot - will >try to log via monitor using [postauth] suffix", __func__, chroot_dir); >+ do_logfds = 1; I think it's simpler to log via the monitor unconditionally. There are fewer paths to think about that way. > static char *auth_sock_name = NULL; >@@ -365,8 +366,8 @@ do_exec_no_pty(Session *s, const char *c > is_child = 1; > > /* Child. Reinitialize the log since the pid has changed. */ >- log_init(__progname, options.log_level, >- options.log_facility, log_stderr); >+ log_init_handler(__progname, options.log_level, >+ options.log_facility, log_stderr, have_dev_log); I'm not sure whether this is needed anymore. It seems like a holdover from when log_init() called openlog() itself, but it stopped doing that in <checks> November 1999 :) >- log_init(__progname, options.log_level, >- options.log_facility, log_stderr); >+ log_init_handler(__progname, options.log_level, >+ options.log_facility, log_stderr, have_dev_log); ditto >@@ -619,6 +620,7 @@ do_exec(Session *s, const char *command) > int ret; > const char *forced = NULL, *tty = NULL; > char session_type[1024]; >+ struct stat dev_log_stat; > > if (options.adm_forced_command) { > original_command = command; 
>@@ -676,6 +678,10 @@ do_exec(Session *s, const char *command) > tty += 5; > } > >+ if (lstat("/dev/log", &dev_log_stat) != 0) { >+ have_dev_log = 0; >+ } >+ ditto re always logging via monitor >- /* >- * Close any extra open file descriptors so that we don't have them >- * hanging around in clients. Note that we want to do this after >- * initgroups, because at least on Solaris 2.3 it leaves file >- * descriptors open. >- */ >- closefrom(STDERR_FILENO + 1); If you remove this then I think you need to add an explicit closefrom() before the do_pwchange() call in do_child(). >- closefrom(STDERR_FILENO + 1); I don't think this one should be removed. IMO it would be better to arrange for the log socket to be on fd=4 and closefrom(5) instead (with a comment explaining why).
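Review bot: in the monitor_reinit() hunk, the test `stat(dev_log_path, &dev_log_stat) != 0` treats every stat() failure as "doesn't exist" and every success as a usable log socket. A failure with an errno other than ENOENT (EACCES on a path component, for example) is reported with the same "doesn't exist" debug message, and a regular file or directory at that path passes the check. Consider checking S_ISSOCK(dev_log_stat.st_mode) on success and including strerror(errno) in the message on failure. The string allocated by xasprintf() into dev_log_path also has no matching free() in the lines quoted here; please confirm it is released on both branches.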
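Review bot: in the do_exec() hunk at -676, `lstat("/dev/log", &dev_log_stat) != 0` does not follow symlinks, so a dangling symlink at /dev/log leaves have_dev_log set even though syslog cannot be reached, while monitor_reinit() asks the same question with stat(). Use the same call in both places and check that the result is a socket. The lines shown only ever clear have_dev_log, so the variable's initial value and where it is set should be documented next to its declaration.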
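Review bot: in the two hunks that delete `closefrom(STDERR_FILENO + 1);`, nothing in the quoted lines replaces the call, so every descriptor open at that point, not only the log descriptor, would be carried into the user's command. If one descriptor must stay open for logging, keep the closefrom() with a raised lower bound and restore the removed comment, extended to say which descriptor is being preserved and why. Also state whether that descriptor is meant to survive exec; if it is not, set FD_CLOEXEC on it so the user's program cannot write to the monitor's log channel.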
