From 1530e7aa087276696db7d321a1b9164a49ddea4b Mon Sep 17 00:00:00 2001
From: kn
Date: Fri, 9 Oct 2020 07:43:38 +0000
Subject: [PATCH] Add nolog option to avoid syslog(3)

doas(1) unconditionally logs all executions but syslog.conf(5) provides no means to filter messages by user, target or command. Add the "nolog" option to doas.conf(5) such that syslog becomes an opt-out feature; this keeps configuration simple enough yet powerful since rule definition is the best place to decide whether to log commands or not on a per rule basis - this also aoids duplicating information or logic in any other log processing tool. OK tedu martijn
---
 doas.c | 7 +++++--
 doas.conf.5 | 4 ++++
 doas.h | 1 +
 parse.y | 6 +++++-
 4 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/doas.c b/doas.c
index 8275fe1..dea68f8 100644
--- a/doas.c
+++ b/doas.c
@@ -391,8 +391,11 @@ main(int argc, char **argv)
 else
 cwd = cwdpath;
 
- syslog(LOG_AUTHPRIV | LOG_INFO, "%s ran command %s as %s from %s",
- mypw->pw_name, cmdline, targpw->pw_name, cwd);
+ if (!(rule->options & NOLOG)) {
+ syslog(LOG_AUTHPRIV | LOG_INFO,
+ "%s ran command %s as %s from %s",
+ mypw->pw_name, cmdline, targpw->pw_name, cwd);
+ }
 
 envp = prepenv(rule, mypw, targpw);
 
diff --git a/doas.conf.5 b/doas.conf.5
index a14e778..ce66565 100644
--- a/doas.conf.5
+++ b/doas.conf.5
@@ -45,6 +45,9 @@ Options are:
 .Bl -tag -width keepenv
 .It Ic nopass
 The user is not required to enter a password.
+.It Ic nolog
+Do not log successful command execution to
+.Xr syslogd 8 .
 .It Ic persist
 After the user successfully authenticates, do not ask for a password
 again for some time.
@@ -140,6 +143,7 @@ permit nopass keepenv setenv { PATH } root as root
 .Ed
 .Sh SEE ALSO
 .Xr doas 1
+.Xr syslogd 8
 .Sh HISTORY
 The
 .Nm
diff --git a/doas.h b/doas.h
index 4a117be..de8dbe1 100644
--- a/doas.h
+++ b/doas.h
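Review bot: The suppression keys off `rule->options & NOLOG`, so which rule's `nolog` takes effect depends on how `rule` is selected before this point; if the last matching rule wins (the rule lookup is outside the hunk, so this is inferred), a later broad `permit nolog` rule would also silence logging for an earlier, more specific rule that the administrator expected to be audited. That interaction deserves a sentence in the doas.conf.5 entry for `nolog`, e.g. `Logging is decided by the rule that finally matches, so a later rule with nolog also suppresses logging for earlier matching rules.` Since this syslog call is the only record of a successful run visible here, a short comment above the new condition, `/* nolog rules opt out of the success record only */`, would make the scope of the opt-out clear to the next reader. The enclosing main() starts and ends outside the hunk.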
@@ -42,3 +42,4 @@ char **prepenv(const struct rule *, const struct passwd *,
 #define NOPASS 0x1
 #define KEEPENV 0x2
 #define PERSIST 0x4
+#define NOLOG 0x8
diff --git a/parse.y b/parse.y
index e4a041a..15c00c1 100644
--- a/parse.y
+++ b/parse.y
@@ -73,7 +73,7 @@ arraylen(const char **arr)
 %}
 
 %token TPERMIT TDENY TAS TCMD TARGS
-%token TNOPASS TPERSIST TKEEPENV TSETENV
+%token TNOPASS TNOLOG TPERSIST TKEEPENV TSETENV
 %token TSTRING
 
 %%
@@ -139,6 +139,9 @@ options: /* none */ {
 option: TNOPASS {
 $$.options = NOPASS;
 $$.envlist = NULL;
+ } | TNOLOG {
+ $$.options = NOLOG;
+ $$.envlist = NULL;
 } | TPERSIST {
 $$.options = PERSIST;
 $$.envlist = NULL;
@@ -212,6 +215,7 @@ static struct keyword {
 { "cmd", TCMD },
 { "args", TARGS },
 { "nopass", TNOPASS },
+ { "nolog", TNOLOG },
 { "persist", TPERSIST },
 { "keepenv", TKEEPENV },
 { "setenv", TSETENV },
-- 
2.39.2