#
1.35 |
|
12-Jul-2021 |
beck |
Change the error reporting pattern throughout the tree when unveil fails to report the path that the failure occurred on. Suggested by deraadt@ after some tech discussion.
Work done and verified by Ashton Fagg <ashton@fagg.id.au>
ok deraadt@ semarie@ claudio@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE
|
#
1.34 |
|
27-Nov-2019 |
deraadt |
use _PATH_ names for unveil if possible
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.33 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.32 |
|
26-Aug-2018 |
brynet |
Unveil pflogd(8). Similar to florian@'s recent changes to ifconfig(8), the privileged parent cannot be pledged due to certain ioctls, but we can use unveil(2) to lock down its access to the filesystem.
To be able to use hostnames/dns in tcpdump-like filter expressions, we unveil /etc/{resolv.conf,hosts,services} "r", kept in sync with the kernel bypass for pledge("dns")
Additionally, we need to unveil /dev/bpf "r" and the output log file "rwc".
The unprivileged child is pledged "stdio recvfd" and thus does not need any unveils.
With feedback/testing from florian@, deraadt@
ok florian@ deraadt@
|
#
1.31 |
|
26-Aug-2018 |
brynet |
pflogd(8): don't try to rename(2) broken/invalid pflog files, instead, suspend logging until the log file has been moved out of the way, and we have received either SIGHUP or SIGALRM.
ok florian@ deraadt@
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.30 |
|
09-Sep-2017 |
brynet |
Rework pflogd(8)'s fork+exec model; re-exec the unpriv child, not the privileged parent.
Based on feedback from deraadt@ and bluhm@ (worked on syslogd).
ok deraadt@
|
#
1.29 |
|
06-Sep-2017 |
brynet |
pflogd(8) currently spams the console on shutdown if syslogd(8) wins the race to die, so just stop logging pflogd exits.
This logging probably comes from the fact that pflogd was largely based on syslogd.
Removes the annoying "pflogd[23954]: Exiting" messages pointed out by deraadt@
Also cleanup some missed SIGCHLD handling code that is no longer needed.
"LGTM" mikeb@
|
#
1.28 |
|
05-Sep-2017 |
brynet |
fork+exec model for pflogd(8); move pcap init to the re-exec'd privsep parent and use 'legit' fdpassing primitives to send the bpf fd to the unprivileged child process.
Also reduces the pledge(2) promises in the unpriv child to just "stdio recvfd"
with help from deraadt, pcap feedback from canacar
ok deraadt@
|
#
1.27 |
|
12-Aug-2017 |
florian |
Make not yet implemented pledges more visible in grep output. input benno, deraadt, tedu also standardize on #if 0 since it makes tedu's editor vomit. OK benno, pirofti on a previous version
|
#
1.26 |
|
04-Jul-2017 |
mestre |
Revert back previous, pledge cannot be enabled on the privsep'd proc yet, at least not as is
Reported by tim@, OK deraadt@ to backout the pledge for now
|
#
1.25 |
|
12-Jun-2017 |
mestre |
pledge(2) bpf has been in use for some time now on tcpdump(8), this will enable it also for pflogd(8)'s priv proc.
OK deraadt@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.24 |
|
23-Jan-2017 |
deraadt |
Split pledge "ioctl" into "tape" and "bpf", and allow SIOCGIFGROUP only upon "inet". Adjust the 4 programs that care about this.
|
#
1.23 |
|
23-Jan-2017 |
benno |
pflogd will need pledge(proc), still disabled because of bfd ok deraadt@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.22 |
|
16-Jan-2016 |
canacar |
Interface status printing (at exit and USR1) was broken for a while. Remove it completely to simplify the code. even better deraadt@
|
#
1.21 |
|
10-Oct-2015 |
deraadt |
pflogd contained the same "privsep error" as tcpdump -- assuming that it can ioctl()'s against a bpf device node. Privsep that operation via a message to the parent process. Unfortunately "rpath wpath cpath" is still needed due to SIGHUP handling, but I have asked canacar the expert to look into this.
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.20 |
|
28-Apr-2015 |
mlarkin |
Someone went to the trouble of vertically aligning a set of parameters but missed one. This diff is only a spacing change.
|
Revision tags: OPENBSD_5_6_BASE OPENBSD_5_7_BASE
|
#
1.19 |
|
26-Jun-2014 |
tobias |
Create temporary file with mkstemp and unlink if rename operation fails.
ok deraadt@, henning@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.18 |
|
13-Sep-2013 |
blambert |
errx() provides its own newline, so remove it from the string here
ok henning@
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.17 |
|
24-Dec-2009 |
sobrado |
spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h as neither arrayified nor arrayfied exist -- sanctioned dictionaries like Merriam-Webster ones suggest a few alternatives (e.g., arrayed), however these made up words are easy to understand and we are not certain that current ones are not ok.
ok jmc@
|
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.16 |
|
25-Oct-2006 |
moritz |
Remove some unneeded externs. OK canacar@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.15 |
|
06-Mar-2006 |
djm |
convert permanent privilege revocation to use setresuid/setresgid; ok henning@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.14 |
|
15-Jan-2006 |
canacar |
If the log file is invalid/incompatible, try to rename the bad log file and continue with a new name instead of suspending. ok mcbride@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.13 |
|
22-Dec-2004 |
otto |
also pass SIGINT/QUIT to child, from mpech@. ok avsm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.12 |
|
14-Jul-2004 |
henning |
no \n in errx(3) From: Andrey Matveev <andrushock@korovino.net>
|
#
1.11 |
|
08-Apr-2004 |
avsm |
sigh, really fix the error message this time, thanks Moritz Jodeit
|
#
1.10 |
|
08-Apr-2004 |
avsm |
reorder error message and send_fd in order to display the correct errno in error message; pointed out by Moritz Jodeit <moritz at jodeit.org>
|
#
1.9 |
|
03-Apr-2004 |
avsm |
don't close an invalid fd, canacar@ ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.8 |
|
14-Mar-2004 |
otto |
Check return code of chdir() after chroot(); noted by Joris Vink, slight mod from avsm@. ok avsm@ hshoexer@ henning@
|
#
1.7 |
|
13-Feb-2004 |
otto |
cleanup signal handling; close descriptors. ok avsm@ millert@ canacar@
|
#
1.6 |
|
18-Jan-2004 |
canacar |
Create log files if they do not already exist, but do not follow symlinks. ok markus@
|
#
1.5 |
|
15-Jan-2004 |
canacar |
Synchronize with syslogd privsep: When reading a new command fails, terminate the loop instead of exiting directly, suggested by avsm@ Also get rid of trailing comma in enum, makes lint(1) happier, from Andrey Matveev andrushock at korovino dot net
|
#
1.4 |
|
22-Oct-2003 |
deraadt |
spacing
|
#
1.3 |
|
22-Oct-2003 |
deraadt |
use setgroups too; canacar ok
|
#
1.2 |
|
22-Oct-2003 |
deraadt |
caution with kill
|
#
1.1 |
|
22-Oct-2003 |
canacar |
privilege separated pflogd
_pflogd user and group must be created for proper operation.
ok frantzen@ henning@ mcbride@ deraadt@
|