Date:      Tue, 21 Aug 2018 23:12:46 +0000 (UTC)
From:      Conrad Meyer <cem@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r338165 - head/usr.sbin/newsyslog
Message-ID:  <201808212312.w7LNCkvO036009@repo.freebsd.org>

Author: cem
Date: Tue Aug 21 23:12:46 2018
New Revision: 338165
URL: https://svnweb.freebsd.org/changeset/base/338165

Log:
  newsyslog(8): Reject configurations that specify setuid or executable logs
  
  Prevent some classes of foot-shooting that may result in permissions
  problems.
  
  Reviewed by:	dab, delphij, vangyzen (earlier version)
  Relnotes:	yes (behavior change)
  Sponsored by:	Dell EMC Isilon
  Differential Revision:	D16831

Modified:
  head/usr.sbin/newsyslog/newsyslog.c
  head/usr.sbin/newsyslog/newsyslog.conf.5

Modified: head/usr.sbin/newsyslog/newsyslog.c
==============================================================================
--- head/usr.sbin/newsyslog/newsyslog.c	Tue Aug 21 23:11:26 2018	(r338164)
+++ head/usr.sbin/newsyslog/newsyslog.c	Tue Aug 21 23:12:46 2018	(r338165)
@@ -1193,6 +1193,12 @@ parse_file(FILE *cf, struct cflist *work_p, struct cfl
 		if (!sscanf(q, "%o", &working->permissions))
 			errx(1, "error in config file; bad permissions:\n%s",
 			    errline);
+		if ((working->permissions & ~DEFFILEMODE) != 0) {
+			warnx("File mode bits 0%o changed to 0%o in line:\n%s",
+			    working->permissions,
+			    working->permissions & DEFFILEMODE, errline);
+			working->permissions &= DEFFILEMODE;
+		}
 
 		q = parse = missing_field(sob(parse + 1), errline);
 		parse = son(parse);
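Review bot: the log message says configurations with setuid or executable mode bits are rejected, but this hunk only warns and continues after `working->permissions &= DEFFILEMODE;`, whereas the unparsable-mode case two lines above uses `errx(1, ...)` and aborts. Either turn the `warnx` into an `errx` so the config really is rejected, or reword the log and the Relnotes entry to say the extra bits are stripped with a warning, so the release notes match the shipped behaviour.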

Modified: head/usr.sbin/newsyslog/newsyslog.conf.5
==============================================================================
--- head/usr.sbin/newsyslog/newsyslog.conf.5	Tue Aug 21 23:11:26 2018	(r338164)
+++ head/usr.sbin/newsyslog/newsyslog.conf.5	Tue Aug 21 23:12:46 2018	(r338165)
@@ -21,7 +21,7 @@
 .\" the suitability of this software for any purpose.  It is
 .\" provided "as is" without express or implied warranty.
 .\"
-.Dd January 15, 2018
+.Dd August 21, 2018
 .Dt NEWSYSLOG.CONF 5
 .Os
 .Sh NAME
@@ -96,6 +96,11 @@ or
 .Pa /etc/group .
 .It Ar mode
 Specify the file mode of the log file and archives.
+Valid mode bits are
+.Dv 0666 .
+(That is, read and write permissions for the rotated log may be specified for
+the owner, group, and others.)
+All other mode bits are ignored.
 .It Ar count
 Specify the maximum number of archive files which may exist.
 This does not consider the current log file.
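Review bot: "All other mode bits are ignored." understates the behaviour in the newsyslog.c hunk, which masks the bits off and prints a warning naming the old and new mode; suggest "All other mode bits are stripped and a warning is printed." so an admin who sees the warning finds it documented here. The sentence "Valid mode bits are .Dv 0666 ." also reads as if 0666 were the only valid mode rather than a mask; "Only the bits in .Dv 0666 are honored" would be clearer.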
