newsyslog(8): Reject configurations that specify setuid or executable logs
Prevent some classes of foot-shooting that may result in permissions problems. Reviewed by: dab, delphij, vangyzen (earlier version) Relnotes: yes (behavior change) Sponsored by: Dell EMC Isilon Differential Revision: D16831
parent
1465a1e1eb
commit
c657f9385b
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=338165
@ -1193,6 +1193,12 @@ parse_file(FILE *cf, struct cflist *work_p, struct cflist *glob_p,
|
|||||||
if (!sscanf(q, "%o", &working->permissions))
|
if (!sscanf(q, "%o", &working->permissions))
|
||||||
errx(1, "error in config file; bad permissions:\n%s",
|
errx(1, "error in config file; bad permissions:\n%s",
|
||||||
errline);
|
errline);
|
||||||
|
if ((working->permissions & ~DEFFILEMODE) != 0) {
|
||||||
|
warnx("File mode bits 0%o changed to 0%o in line:\n%s",
|
||||||
|
working->permissions,
|
||||||
|
working->permissions & DEFFILEMODE, errline);
|
||||||
|
working->permissions &= DEFFILEMODE;
|
||||||
|
}
|
||||||
|
|
||||||
q = parse = missing_field(sob(parse + 1), errline);
|
q = parse = missing_field(sob(parse + 1), errline);
|
||||||
parse = son(parse);
|
parse = son(parse);
|
||||||
|
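Review bot: The new block in parse_file warns and masks the mode with DEFFILEMODE instead of failing, although the commit title says such configurations are rejected and the neighbouring bad-permissions path exits through errx(). A short comment above the `if` would record that the downgrade is deliberate, for example `/* Strip set-id, sticky and execute bits instead of aborting; the entry is still processed with the reduced mode. */`. Because the only signal is a warnx() on stderr, an operator running newsyslog unattended may never notice that the configured mode was changed, so the choice between warning and errx() deserves an explicit decision. DEFFILEMODE still admits group- and world-writable logs, which is worth a second look where log integrity matters. parse_file's body starts and ends outside the hunk.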
@ -21,7 +21,7 @@
|
|||||||
.\" the suitability of this software for any purpose. It is
|
.\" the suitability of this software for any purpose. It is
|
||||||
.\" provided "as is" without express or implied warranty.
|
.\" provided "as is" without express or implied warranty.
|
||||||
.\"
|
.\"
|
||||||
.Dd January 15, 2018
|
.Dd August 21, 2018
|
||||||
.Dt NEWSYSLOG.CONF 5
|
.Dt NEWSYSLOG.CONF 5
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
@ -96,6 +96,11 @@ or
|
|||||||
.Pa /etc/group .
|
.Pa /etc/group .
|
||||||
.It Ar mode
|
.It Ar mode
|
||||||
Specify the file mode of the log file and archives.
|
Specify the file mode of the log file and archives.
|
||||||
|
Valid mode bits are
|
||||||
|
.Dv 0666 .
|
||||||
|
(That is, read and write permissions for the rotated log may be specified for
|
||||||
|
the owner, group, and others.)
|
||||||
|
All other mode bits are ignored.
|
||||||
.It Ar count
|
.It Ar count
|
||||||
Specify the maximum number of archive files which may exist.
|
Specify the maximum number of archive files which may exist.
|
||||||
This does not consider the current log file.
|
This does not consider the current log file.
|
||||||
|