svn commit: r338165 - head/usr.sbin/newsyslog

Tue, 21 Aug 2018 16:13:11 -0700 

Author: cem
Date: Tue Aug 21 23:12:46 2018
New Revision: 338165
URL: https://svnweb.freebsd.org/changeset/base/338165

Log:
  newsyslog(8): Reject configurations that specify setuid or executable logs
  
  Prevent some classes of foot-shooting that may result in permissions
  problems.
  
  Reviewed by:  dab, delphij, vangyzen (earlier version)
  Relnotes:     yes (behavior change)
  Sponsored by: Dell EMC Isilon
  Differential Revision:        D16831

Modified:
  head/usr.sbin/newsyslog/newsyslog.c
  head/usr.sbin/newsyslog/newsyslog.conf.5

Modified: head/usr.sbin/newsyslog/newsyslog.c
==============================================================================
--- head/usr.sbin/newsyslog/newsyslog.c Tue Aug 21 23:11:26 2018        
(r338164)
+++ head/usr.sbin/newsyslog/newsyslog.c Tue Aug 21 23:12:46 2018        
(r338165)
@@ -1193,6 +1193,12 @@ parse_file(FILE *cf, struct cflist *work_p, struct cfl
                if (!sscanf(q, "%o", &working->permissions))
                        errx(1, "error in config file; bad permissions:\n%s",
                            errline);
+               if ((working->permissions & ~DEFFILEMODE) != 0) {
+                       warnx("File mode bits 0%o changed to 0%o in line:\n%s",
+                           working->permissions,
+                           working->permissions & DEFFILEMODE, errline);
+                       working->permissions &= DEFFILEMODE;
+               }
 
                q = parse = missing_field(sob(parse + 1), errline);
                parse = son(parse);

Modified: head/usr.sbin/newsyslog/newsyslog.conf.5
==============================================================================
--- head/usr.sbin/newsyslog/newsyslog.conf.5    Tue Aug 21 23:11:26 2018        
(r338164)
+++ head/usr.sbin/newsyslog/newsyslog.conf.5    Tue Aug 21 23:12:46 2018        
(r338165)
@@ -21,7 +21,7 @@
 .\" the suitability of this software for any purpose.  It is
 .\" provided "as is" without express or implied warranty.
 .\"
-.Dd January 15, 2018
+.Dd August 21, 2018
 .Dt NEWSYSLOG.CONF 5
 .Os
 .Sh NAME
@@ -96,6 +96,11 @@ or
 .Pa /etc/group .
 .It Ar mode
 Specify the file mode of the log file and archives.
+Valid mode bits are
+.Dv 0666 .
+(That is, read and write permissions for the rotated log may be specified for
+the owner, group, and others.)
+All other mode bits are ignored.
 .It Ar count
 Specify the maximum number of archive files which may exist.
 This does not consider the current log file.
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"

Reply via email to