doas(1) unconditionally logs all executions but syslog.conf(5) provides no
means to filter messages by user, target or command.
Add the "nolog" option to doas.conf(5) such that syslog becomes an opt-out
feature; this keeps configuration simple enough yet powerful since rule
definition is the best place to decide whether to log commands or not on a
per rule basis - this also avoids duplicating information or logic in any
other log processing tool.
OK tedu martijn
- syslog(LOG_AUTHPRIV | LOG_INFO, "%s ran command %s as %s from %s",
- mypw->pw_name, cmdline, targpw->pw_name, cwd);
+ if (!(rule->options & NOLOG)) {
+ syslog(LOG_AUTHPRIV | LOG_INFO,
+ "%s ran command %s as %s from %s",
+ mypw->pw_name, cmdline, targpw->pw_name, cwd);
+ }
envp = prepenv(rule, mypw, targpw);
envp = prepenv(rule, mypw, targpw);
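Review bot: the new `if (!(rule->options & NOLOG))` guard removes the only LOG_AUTHPRIV record of a successful run for any rule that sets the option, and nothing in this hunk shows what happens on the failure paths. Only the success-path syslog() call is visible here, so confirm that denied commands and failed authentication are still logged unconditionally, and add a one-line comment above the guard stating that nolog suppresses the success message only.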
.Bl -tag -width keepenv
.It Ic nopass
The user is not required to enter a password.
.Bl -tag -width keepenv
.It Ic nopass
The user is not required to enter a password.
+.It Ic nolog
+Do not log successful command execution to
+.Xr syslogd 8 .
.It Ic persist
After the user successfully authenticates, do not ask for a password
again for some time.
.It Ic persist
After the user successfully authenticates, do not ask for a password
again for some time.
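Review bot: the added nolog entry does not say that logging is otherwise the default, nor which events are still reported when the option is set. The wording "successful command execution" implies failures remain logged; state that explicitly, and mention that a rule using both nopass and nolog leaves no syslog record of its use, so administrators can weigh that when writing rules.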
.Ed
.Sh SEE ALSO
.Xr doas 1
.Ed
.Sh SEE ALSO
.Xr doas 1
#define NOPASS 0x1
#define KEEPENV 0x2
#define PERSIST 0x4
#define NOPASS 0x1
#define KEEPENV 0x2
#define PERSIST 0x4
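Review bot: the flag list shown here ends at `#define PERSIST 0x4`, while doas.c and parse.y both reference NOLOG. Because doas.c tests it with `rule->options & NOLOG`, the new define needs its own bit that does not collide with NOPASS, KEEPENV or PERSIST (the next free value after 0x4), and it should be placed directly after PERSIST to keep the list in bit order.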
%}
%token TPERMIT TDENY TAS TCMD TARGS
%}
%token TPERMIT TDENY TAS TCMD TARGS
-%token TNOPASS TPERSIST TKEEPENV TSETENV
+%token TNOPASS TNOLOG TPERSIST TKEEPENV TSETENV
option: TNOPASS {
$$.options = NOPASS;
$$.envlist = NULL;
option: TNOPASS {
$$.options = NOPASS;
$$.envlist = NULL;
+ } | TNOLOG {
+ $$.options = NOLOG;
+ $$.envlist = NULL;
} | TPERSIST {
$$.options = PERSIST;
$$.envlist = NULL;
} | TPERSIST {
$$.options = PERSIST;
$$.envlist = NULL;
{ "cmd", TCMD },
{ "args", TARGS },
{ "nopass", TNOPASS },
{ "cmd", TCMD },
{ "args", TARGS },
{ "nopass", TNOPASS },
{ "persist", TPERSIST },
{ "keepenv", TKEEPENV },
{ "setenv", TSETENV },
{ "persist", TPERSIST },
{ "keepenv", TKEEPENV },
{ "setenv", TSETENV },
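Review bot: the keyword table as shown has rows for nopass, persist, keepenv and setenv but none for "nolog". Without a `{ "nolog", TNOLOG },` row the lexer never returns TNOLOG, the new grammar branch is unreachable, and a doas.conf(5) line using nolog would fail to parse as an option. Check that the row is present, and consider adding a nolog rule to the config parsing regress tests.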