Date: Tue, 21 Aug 2018 23:12:46 +0000 (UTC)
From: Conrad Meyer <cem@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r338165 - head/usr.sbin/newsyslog
Message-ID: <201808212312.w7LNCkvO036009@repo.freebsd.org>
Author: cem Date: Tue Aug 21 23:12:46 2018 New Revision: 338165 URL: https://svnweb.freebsd.org/changeset/base/338165 Log: newsyslog(8): Reject configurations that specify setuid or executable logs Prevent some classes of foot-shooting that may result in permissions problems. Reviewed by: dab, delphij, vangyzen (earlier version) Relnotes: yes (behavior change) Sponsored by: Dell EMC Isilon Differential Revision: D16831 Modified: head/usr.sbin/newsyslog/newsyslog.c head/usr.sbin/newsyslog/newsyslog.conf.5 Modified: head/usr.sbin/newsyslog/newsyslog.c ============================================================================== --- head/usr.sbin/newsyslog/newsyslog.c Tue Aug 21 23:11:26 2018 (r338164) +++ head/usr.sbin/newsyslog/newsyslog.c Tue Aug 21 23:12:46 2018 (r338165) @@ -1193,6 +1193,12 @@ parse_file(FILE *cf, struct cflist *work_p, struct cfl if (!sscanf(q, "%o", &working->permissions)) errx(1, "error in config file; bad permissions:\n%s", errline); + if ((working->permissions & ~DEFFILEMODE) != 0) { + warnx("File mode bits 0%o changed to 0%o in line:\n%s", + working->permissions, + working->permissions & DEFFILEMODE, errline); + working->permissions &= DEFFILEMODE; + } q = parse = missing_field(sob(parse + 1), errline); parse = son(parse); Modified: head/usr.sbin/newsyslog/newsyslog.conf.5 ============================================================================== --- head/usr.sbin/newsyslog/newsyslog.conf.5 Tue Aug 21 23:11:26 2018 (r338164) +++ head/usr.sbin/newsyslog/newsyslog.conf.5 Tue Aug 21 23:12:46 2018 (r338165) @@ -21,7 +21,7 @@ .\" the suitability of this software for any purpose. It is .\" provided "as is" without express or implied warranty. .\" -.Dd January 15, 2018 +.Dd August 21, 2018 .Dt NEWSYSLOG.CONF 5 .Os .Sh NAME 
@@ -96,6 +96,11 @@ or .Pa /etc/group . .It Ar mode Specify the file mode of the log file and archives. +Valid mode bits are +.Dv 0666 . +(That is, read and write permissions for the rotated log may be specified for +the owner, group, and others.) +All other mode bits are ignored. .It Ar count Specify the maximum number of archive files which may exist. This does not consider the current log file.
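Review bot: In the newsyslog.c hunk (parse_file(), after the sscanf "%o" check), the new block calls warnx() and then applies "working->permissions &= DEFFILEMODE", so an entry with setuid or execute bits is still accepted and processed with a reduced mode, whereas the log message says such configurations are rejected. Either fail with errx(1, ...) as the bad-permissions check directly above does, or reword the log and release note to say the extra bits are stripped with a warning. If stripping is the intent, the warning would also be easier to act on if it said the bits are not permitted for log files, since "changed to" alone does not tell the administrator why.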
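Review bot: In the newsyslog.conf.5 hunk under ".It Ar mode", "All other mode bits are ignored" does not mention that newsyslog prints a warning for each such line (the warnx() added in newsyslog.c), so someone who sees "File mode bits ... changed to ..." has nothing to find in the manual. Suggest wording along the lines of "All other mode bits are cleared and a warning is printed." The text also hard-codes 0666 while the code masks with DEFFILEMODE; a short comment in the source noting that the manual page quotes this value would keep the two in step.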