doas(1) unconditionally logs all executions but syslog.conf(5) provides no
means to filter messages by user, target or command.
Add the "nolog" option to doas.conf(5) such that syslog becomes an opt-out
feature; this keeps configuration simple enough yet powerful since rule
definition is the best place to decide whether to log commands or not on a
per rule basis - this also avoids duplicating information or logic in any
other log processing tool.
OK tedu martijn
else
cwd = cwdpath;
- syslog(LOG_AUTHPRIV | LOG_INFO, "%s ran command %s as %s from %s",
- mypw->pw_name, cmdline, targpw->pw_name, cwd);
+ if (!(rule->options & NOLOG)) {
+ syslog(LOG_AUTHPRIV | LOG_INFO,
+ "%s ran command %s as %s from %s",
+ mypw->pw_name, cmdline, targpw->pw_name, cwd);
+ }
envp = prepenv(rule, mypw, targpw);
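Review bot: the new guard covers only the success-path syslog() call shown here; since the manual text for nolog promises to suppress logging of successful execution only, confirm that the syslog() calls on the deny and authentication-failure paths in doas.c remain unconditional, so a nolog rule cannot hide failed attempts.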
.Bl -tag -width keepenv
.It Ic nopass
The user is not required to enter a password.
+.It Ic nolog
+Do not log successful command execution to
+.Xr syslogd 8 .
.It Ic persist
After the user successfully authenticates, do not ask for a password
again for some time.
.Ed
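Review bot: the nolog entry says what is suppressed but not what is kept; a second sentence such as "Denied and failed attempts are still logged." would stop readers from assuming nolog silences every doas message for the rule, and it matches the code change, which only guards the success-path syslog() call.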
.Sh SEE ALSO
.Xr doas 1
+.Xr syslogd 8
.Sh HISTORY
The
.Nm
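Review bot: with a second SEE ALSO entry, the unchanged context line `.Xr doas 1` needs a trailing comma in mdoc; change it to `.Xr doas 1 ,` via a -/+ pair, otherwise the section renders as "doas(1) syslogd(8)" with no separator between the references.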
#define NOPASS 0x1
#define KEEPENV 0x2
#define PERSIST 0x4
+#define NOLOG 0x8
%}
%token TPERMIT TDENY TAS TCMD TARGS
-%token TNOPASS TPERSIST TKEEPENV TSETENV
+%token TNOPASS TNOLOG TPERSIST TKEEPENV TSETENV
%token TSTRING
%%
option: TNOPASS {
$$.options = NOPASS;
$$.envlist = NULL;
+ } | TNOLOG {
+ $$.options = NOLOG;
+ $$.envlist = NULL;
} | TPERSIST {
$$.options = PERSIST;
$$.envlist = NULL;
{ "cmd", TCMD },
{ "args", TARGS },
{ "nopass", TNOPASS },
+ { "nolog", TNOLOG },
{ "persist", TPERSIST },
{ "keepenv", TKEEPENV },
{ "setenv", TSETENV },
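Review bot: "nolog" and "nopass" now share the prefix "no"; confirm that the keyword lookup walking this table compares the whole token (strcmp against the complete word) rather than a prefix, otherwise whichever of the two entries is reached first would shadow the other.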