From: deraadt
Date: Fri, 15 Dec 1995 18:19:23 +0000 (+0000)
Subject: -s option prevents opening of UDP port; from perry@piermont.com; netbsd pr#1761
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=a7f747fe501d597a7a0ecec98a33e675a21586a4;p=openbsd

-s option prevents opening of UDP port; from perry@piermont.com; netbsd pr#1761
---
diff --git a/usr.sbin/syslogd/syslogd.8 b/usr.sbin/syslogd/syslogd.8
index d2b60981b6e..55a1bf92d2a 100644
--- a/usr.sbin/syslogd/syslogd.8
+++ b/usr.sbin/syslogd/syslogd.8
@@ -30,7 +30,7 @@
 .\" SUCH DAMAGE.
 .\"
 .\" from: @(#)syslogd.8 6.10 (Berkeley) 3/16/91
-.\" $Id: syslogd.8,v 1.1.1.1 1995/10/18 08:48:22 deraadt Exp $
+.\" $Id: syslogd.8,v 1.2 1995/12/15 18:19:23 deraadt Exp $
 .\"
 .Dd March 16, 1991
 .Dt SYSLOGD 8
@@ -56,6 +56,13 @@ the default is
 .It Fl m
 Select the number of minutes between ``mark'' messages; the default is 20 minutes.
+.It Fl s
+Select ``secure'' mode, in which syslogd does not open a UDP socket but
+only communicates over a UNIX domain socket.
+This is valuable when the machine on
+which syslogd runs is subject to attack over the network and it is desired
+that the machine be protected from attempts to remotely fill logs
+and similar attacks.
 .It Fl p
 Specify the pathname of an alternate log socket; the default is
diff --git a/usr.sbin/syslogd/syslogd.c b/usr.sbin/syslogd/syslogd.c
index e243d8cac79..0bef15989fc 100644
--- a/usr.sbin/syslogd/syslogd.c
+++ b/usr.sbin/syslogd/syslogd.c
@@ -39,7 +39,7 @@ char copyright[] =
 #ifndef lint
 /*static char sccsid[] = "from: @(#)syslogd.c 5.45 (Berkeley) 3/2/91";*/
-static char rcsid[] = "$Id: syslogd.c,v 1.1.1.1 1995/10/18 08:48:22 deraadt Exp $";
+static char rcsid[] = "$Id: syslogd.c,v 1.2 1995/12/15 18:19:24 deraadt Exp $";
 #endif /* not lint */
 /*
@@ -184,6 +184,7 @@ int LogPort; /* port number for INET connections */
 int Initialized = 0; /* set when we have initialized ourselves */
 int MarkInterval = 20 * 60; /* interval between marks in seconds */
 int MarkSeq = 0; /* mark sequence number */
+int SecureMode = 0; /* when true, speak only unix domain socks */
 extern int errno;
 extern char *ctime(), *index(), *calloc();
@@ -204,7 +205,7 @@ main(argc, argv)
 extern char *optarg;
 void die(), domark(), init(), reapchild();
-while ((ch = getopt(argc, argv, "df:m:p:")) != EOF)
+while ((ch = getopt(argc, argv, "dsf:m:p:")) != EOF)
 switch((char)ch) {
 case 'd': /* debug */
 Debug++;
@@ -218,6 +219,9 @@ main(argc, argv)
 case 'p': /* path */
 LogName = optarg;
 break;
+case 's': /* no network mode */
+SecureMode++;
+break;
 case '?':
 default:
 usage();
@@ -260,7 +264,12 @@ main(argc, argv)
 dprintf("cannot create %s (%d)\n", LogName, errno);
 die(0);
 }
-finet = socket(AF_INET, SOCK_DGRAM, 0);
+if (!SecureMode)
+finet = socket(AF_INET, SOCK_DGRAM, 0);
+else {
+finet = -1;
+inetm = 0;
+}
 if (finet >= 0) {
 struct servent *sp;
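Review bot: usage(), reached from the default case of this switch and defined outside the hunk, presumably still prints an option list without -s now that `"dsf:m:p:"` accepts it; its format string should gain `[-s]` so the usage message agrees with the manpage entry added in syslogd.8. main() starts before this hunk and continues past it.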
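Review bot: `inetm = 0;` is only reached on the secure-mode branch, so when socket() fails in normal mode (finet < 0, skipping the bind block that follows) inetm keeps whatever value it had unless it is zero-initialized at its declaration, which is outside the hunk; hoisting the assignment above the conditional, `inetm = 0; if (!SecureMode) finet = socket(AF_INET, SOCK_DGRAM, 0); else finet = -1;`, covers both paths with one line less. A second point: with finet pinned at -1, nothing in this hunk prevents syslog.conf `@host` forwarding entries from later attempting sendto() on that descriptor; if the config loader does not already skip them when no INET socket was bound, the forwarding path should test `finet < 0` and report it once at init rather than failing per message. Either way the -s text added to syslogd.8 should state that forwarding to remote hosts is also unavailable in secure mode, since the UDP socket is never created. main() starts before this hunk and continues past it.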