On Mon, Sep 11 2017, Alexander Bluhm <[email protected]> wrote:
> Hi,
>
> In the default configuration syslogd keeps two *:514 UDP sockets
> open.
>
> udp          0      0  *.514                  *.*                   
> udp6         0      0  *.514                  *.*                   
>
> Several people have asked me why they are in netstat output and
> whether it is a security risk.  These sockets are used for sending
> UDP packets if there is a UDP loghost in syslog.conf.  If syslogd
> is started with -u, they can receive packets, otherwise they are
> disabled with shutdown(SHUT_RD).
>
> If they are used neither for sending nor for receiving, we can close
> them after reading the config file.  This gives us a cleaner netstat output.
>
> ok?

ok jca@

> bluhm
>
> Index: usr.sbin/syslogd/syslogd.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.c,v
> retrieving revision 1.245
> diff -u -p -r1.245 syslogd.c
> --- usr.sbin/syslogd/syslogd.c        8 Aug 2017 14:23:23 -0000       1.245
> +++ usr.sbin/syslogd/syslogd.c        11 Sep 2017 21:25:39 -0000
> @@ -274,7 +274,7 @@ size_t    ctl_reply_offset = 0;   /* Number o
>  char *linebuf;
>  int   linesize;
>  
> -int           fd_ctlconn, fd_udp, fd_udp6;
> +int           fd_ctlconn, fd_udp, fd_udp6, send_udp, send_udp6;
>  struct event *ev_ctlaccept, *ev_ctlread, *ev_ctlwrite;
>  
>  struct peer {
> @@ -825,6 +825,20 @@ main(int argc, char *argv[])
>                       event_add(ev_udp, NULL);
>               if (fd_udp6 != -1)
>                       event_add(ev_udp6, NULL);
> +     } else {
> +             /*
> +              * If generic UDP file descriptors are used neither
> +              * for receiving nor for sending, close them.  Then
> +              * there is no useless *.514 in netstat.
> +              */
> +             if (fd_udp != -1 && !send_udp) {
> +                     close(fd_udp);
> +                     fd_udp = -1;
> +             }
> +             if (fd_udp6 != -1 && !send_udp6) {
> +                     close(fd_udp6);
> +                     fd_udp6 = -1;
> +             }
>       }
>       for (i = 0; i < nbind; i++)
>               if (fd_bind[i] != -1)
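Review bot: The new else branch leaves fd_udp/fd_udp6 at -1 for the remaining lifetime of the process, yet cfline (next hunk) copies fd_udp into f->f_file whenever a udp loghost is parsed; if the configuration can be parsed again after startup (no reload path is visible in this diff), a UDP loghost added later would receive f_file == -1 and its sendto() would fail with EBADF. If a later re-parse is possible, either re-create the socket on that path or make cfline reject the entry when the descriptor is gone; if it is not, the assumption deserves a line in the new comment, e.g. `* Safe only because the config is not re-read after this point.`. Note that closing only happens in the non-receive branch, so the `-u` case keeps both sockets, which matches the mail's description. The enclosing function main() starts and ends outside this hunk.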
> @@ -2659,9 +2673,11 @@ cfline(char *line, char *progblock, char
>               if (strncmp(proto, "udp", 3) == 0) {
>                       switch (f->f_un.f_forw.f_addr.ss_family) {
>                       case AF_INET:
> +                             send_udp = 1;
>                               f->f_file = fd_udp;
>                               break;
>                       case AF_INET6:
> +                             send_udp6 = 1;
>                               f->f_file = fd_udp6;
>                               break;
>                       }
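Review bot: `send_udp = 1` records the intent to send, but the following line still stores fd_udp unconditionally, and the `fd_udp != -1` checks in main show the descriptor can be absent (for instance when the socket could not be created); the forwarding entry then carries f_file == -1 and whatever later uses it has to cope with that. Since the new flag now makes "sending requested" explicit, a parse-time guard such as `if (fd_udp == -1) { /* report via the file's logging helper and skip this entry */ }` before the assignment would surface an unavailable transport once, at configuration time, instead of on every send. The same applies to the AF_INET6 case. The enclosing function cfline() starts and ends outside this hunk.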
>

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
