CoCalc -- logsrvd

GitHub Repository: sudo-project/sudo
Path: blob/main/logsrvd/logsrvd_conf.c
³⁸⁰⁷ views
1
/*
2
 * SPDX-License-Identifier: ISC
3
 *
4
 * Copyright (c) 2019-2026 Todd C. Miller <[email protected]>
5
 *
6
 * Permission to use, copy, modify, and distribute this software for any
7
 * purpose with or without fee is hereby granted, provided that the above
8
 * copyright notice and this permission notice appear in all copies.
9
 *
10
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
 */
18

19
#include <config.h>
20

21
#include <sys/stat.h>
22
#include <sys/types.h>
23
#include <sys/socket.h>
24
#include <netinet/in.h>
25

26
#include <errno.h>
27
#include <ctype.h>
28
#include <fcntl.h>
29
#include <limits.h>
30
#include <netdb.h>
31
#ifdef HAVE_STDBOOL_H
32
# include <stdbool.h>
33
#else
34
# include <compat/stdbool.h>
35
#endif
36
#include <stddef.h>
37
#include <stdio.h>
38
#include <stdlib.h>
39
#include <string.h>
40
#include <syslog.h>
41
#include <time.h>
42
#include <unistd.h>
43
#include <grp.h>
44
#include <pwd.h>
45
#ifndef HAVE_GETADDRINFO
46
# include <compat/getaddrinfo.h>
47
#endif
48

49
#include <pathnames.h>
50
#include <sudo_compat.h>
51
#include <sudo_debug.h>
52
#include <sudo_eventlog.h>
53
#include <sudo_fatal.h>
54
#include <sudo_gettext.h>
55
#include <sudo_iolog.h>
56
#include <sudo_util.h>
57

58
#include <logsrvd.h>
59

60
#if defined(HAVE_OPENSSL)
61
# define DEFAULT_CA_CERT_PATH       "/etc/ssl/sudo/cacert.pem"
62
# define DEFAULT_SERVER_CERT_PATH   "/etc/ssl/sudo/certs/logsrvd_cert.pem"
63
# define DEFAULT_SERVER_KEY_PATH    "/etc/ssl/sudo/private/logsrvd_key.pem"
64

65
/* Evaluates to the relay-specific TLS setting, falling back to server. */
66
# define TLS_RELAY_STR(_c, _f)	\
67
    ((_c)->relay._f != NULL ? (_c)->relay._f : (_c)->server._f)
68

69
# define TLS_RELAY_INT(_c, _f)	\
70
    ((_c)->relay._f != -1 ? (_c)->relay._f : (_c)->server._f)
71
#endif
72

73
enum server_log_type {
74
    SERVER_LOG_NONE,
75
    SERVER_LOG_STDERR,
76
    SERVER_LOG_SYSLOG,
77
    SERVER_LOG_FILE
78
};
79

80
struct logsrvd_config;
81
typedef bool (*logsrvd_conf_cb_t)(struct logsrvd_config *, const char *, size_t);
82

83
struct logsrvd_config_entry {
84
    const char *conf_str;
85
    logsrvd_conf_cb_t setter;
86
    size_t offset;
87
};
88

89
struct logsrvd_config_section {
90
    const char *name;
91
    struct logsrvd_config_entry *entries;
92
};
93

94
struct address_list_container {
95
    unsigned int refcnt;
96
    struct server_address_list addrs;
97
};
98

99
static struct logsrvd_config {
100
    struct logsrvd_config_server {
101
        struct address_list_container addresses;
102
        struct timespec timeout;
103
        bool tcp_keepalive;
104
	enum server_log_type log_type;
105
	FILE *log_stream;
106
	char *log_file;
107
	char *pid_file;
108
#if defined(HAVE_OPENSSL)
109
	char *tls_key_path;
110
	char *tls_cert_path;
111
	char *tls_cacert_path;
112
	char *tls_dhparams_path;
113
	char *tls_ciphers_v12;
114
	char *tls_ciphers_v13;
115
	int tls_check_peer;
116
	int tls_verify;
117
	SSL_CTX *ssl_ctx;
118
#endif
119
    } server;
120
    struct logsrvd_config_relay {
121
        struct address_list_container relays;
122
        struct timespec connect_timeout;
123
        struct timespec timeout;
124
	time_t retry_interval;
125
	char *relay_dir;
126
        bool tcp_keepalive;
127
	bool store_first;
128
#if defined(HAVE_OPENSSL)
129
	char *tls_key_path;
130
	char *tls_cert_path;
131
	char *tls_cacert_path;
132
	char *tls_dhparams_path;
133
	char *tls_ciphers_v12;
134
	char *tls_ciphers_v13;
135
	int tls_check_peer;
136
	int tls_verify;
137
	SSL_CTX *ssl_ctx;
138
#endif
139
    } relay;
140
    struct logsrvd_config_iolog {
141
	bool compress;
142
	bool flush;
143
	bool gid_set;
144
	bool log_passwords;
145
	uid_t uid;
146
	gid_t gid;
147
	mode_t mode;
148
	unsigned int maxseq;
149
	char *iolog_base;
150
	char *iolog_dir;
151
	char *iolog_file;
152
	void *passprompt_regex;
153
    } iolog;
154
    struct logsrvd_config_eventlog {
155
	int log_type;
156
        bool log_exit;
157
	enum eventlog_format log_format;
158
    } eventlog;
159
    struct logsrvd_config_syslog {
160
	unsigned int maxlen;
161
	int server_facility;
162
	int facility;
163
	int acceptpri;
164
	int rejectpri;
165
	int alertpri;
166
    } syslog;
167
    struct logsrvd_config_logfile {
168
	char *path;
169
	char *time_format;
170
	FILE *stream;
171
    } logfile;
172
} *logsrvd_config;
173

174
static bool logsrvd_warn_enable_stderr = true;
175

176
/* eventlog getters */
177
bool
178
logsrvd_conf_log_exit(void)
179
{
180
    return logsrvd_config->eventlog.log_exit;
181
}
182

183
/* iolog getters */
184
uid_t
185
logsrvd_conf_iolog_uid(void)
186
{
187
    return logsrvd_config->iolog.uid;
188
}
189

190
gid_t
191
logsrvd_conf_iolog_gid(void)
192
{
193
    return logsrvd_config->iolog.gid;
194
}
195

196
mode_t
197
logsrvd_conf_iolog_mode(void)
198
{
199
    return logsrvd_config->iolog.mode;
200
}
201

202
const char *
203
logsrvd_conf_iolog_base(void)
204
{
205
    return logsrvd_config->iolog.iolog_base;
206
}
207

208
const char *
209
logsrvd_conf_iolog_dir(void)
210
{
211
    return logsrvd_config->iolog.iolog_dir;
212
}
213

214
const char *
215
logsrvd_conf_iolog_file(void)
216
{
217
    return logsrvd_config->iolog.iolog_file;
218
}
219

220
bool
221
logsrvd_conf_iolog_log_passwords(void)
222
{
223
    return logsrvd_config->iolog.log_passwords;
224
}
225

226
void *
227
logsrvd_conf_iolog_passprompt_regex(void)
228
{
229
    return logsrvd_config->iolog.passprompt_regex;
230
}
231

232
/* server getters */
233
struct server_address_list *
234
logsrvd_conf_server_listen_address(void)
235
{
236
    return &logsrvd_config->server.addresses.addrs;
237
}
238

239
bool
240
logsrvd_conf_server_tcp_keepalive(void)
241
{
242
    return logsrvd_config->server.tcp_keepalive;
243
}
244

245
const char *
246
logsrvd_conf_pid_file(void)
247
{
248
    return logsrvd_config->server.pid_file;
249
}
250

251
struct timespec *
252
logsrvd_conf_server_timeout(void)
253
{
254
    if (sudo_timespecisset(&logsrvd_config->server.timeout)) {
255
        return &logsrvd_config->server.timeout;
256
    }
257

258
    return NULL;
259
}
260

261
#if defined(HAVE_OPENSSL)
262
SSL_CTX *
263
logsrvd_server_tls_ctx(void)
264
{
265
    return logsrvd_config->server.ssl_ctx;
266
}
267

268
bool
269
logsrvd_conf_server_tls_check_peer(void)
270
{
271
    return logsrvd_config->server.tls_check_peer;
272
}
273
#endif
274

275
/* relay getters */
276
struct server_address_list *
277
logsrvd_conf_relay_address(void)
278
{
279
    return &logsrvd_config->relay.relays.addrs;
280
}
281

282
const char *
283
logsrvd_conf_relay_dir(void)
284
{
285
    return logsrvd_config->relay.relay_dir;
286
}
287

288
bool
289
logsrvd_conf_relay_store_first(void)
290
{
291
    return logsrvd_config->relay.store_first;
292
}
293

294
bool
295
logsrvd_conf_relay_tcp_keepalive(void)
296
{
297
    return logsrvd_config->relay.tcp_keepalive;
298
}
299

300
struct timespec *
301
logsrvd_conf_relay_timeout(void)
302
{
303
    if (sudo_timespecisset(&logsrvd_config->relay.timeout)) {
304
        return &logsrvd_config->relay.timeout;
305
    }
306

307
    return NULL;
308
}
309

310
struct timespec *
311
logsrvd_conf_relay_connect_timeout(void)
312
{
313
    if (sudo_timespecisset(&logsrvd_config->relay.connect_timeout)) {
314
        return &logsrvd_config->relay.connect_timeout;
315
    }
316

317
    return NULL;
318
}
319

320
time_t
321
logsrvd_conf_relay_retry_interval(void)
322
{
323
    return logsrvd_config->relay.retry_interval;
324
}
325

326
#if defined(HAVE_OPENSSL)
327
SSL_CTX *
328
logsrvd_relay_tls_ctx(void)
329
{
330
    return logsrvd_config->relay.ssl_ctx;
331
}
332

333
bool
334
logsrvd_conf_relay_tls_check_peer(void)
335
{
336
    if (logsrvd_config->relay.tls_check_peer != -1)
337
	return logsrvd_config->relay.tls_check_peer;
338
    return logsrvd_config->server.tls_check_peer;
339
}
340
#endif
341

342
/* I/O log callbacks */
343
static bool
344
cb_iolog_dir(struct logsrvd_config *config, const char *path, size_t offset)
345
{
346
    size_t base_len = 0;
347
    debug_decl(cb_iolog_dir, SUDO_DEBUG_UTIL);
348

349
    free(config->iolog.iolog_dir);
350
    if ((config->iolog.iolog_dir = strdup(path)) == NULL)
351
	goto oom;
352

353
    /*
354
     * iolog_base is the portion of iolog_dir that contains no escapes.
355
     * This is used to create a relative path for the log id.
356
     */
357
    free(config->iolog.iolog_base);
358
    for (;;) {
359
	base_len += strcspn(path + base_len, "%");
360
	if (path[base_len] == '\0')
361
	    break;
362
	if (path[base_len + 1] == '{') {
363
	    /* We want the base to end on a directory boundary. */
364
	    while (base_len > 0 && path[base_len] != '/')
365
		base_len--;
366
	    break;
367
	}
368
	base_len++;
369
    }
370
    if ((config->iolog.iolog_base = strndup(path, base_len)) == NULL)
371
	goto oom;
372

373
    debug_return_bool(true);
374
oom:
375
    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
376
    debug_return_bool(false);
377
}
378

379
static bool
380
cb_iolog_file(struct logsrvd_config *config, const char *path, size_t offset)
381
{
382
    debug_decl(cb_iolog_file, SUDO_DEBUG_UTIL);
383

384
    free(config->iolog.iolog_file);
385
    if ((config->iolog.iolog_file = strdup(path)) == NULL) {
386
	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
387
	debug_return_bool(false);
388
    }
389
    debug_return_bool(true);
390
}
391

392
static bool
393
cb_iolog_compress(struct logsrvd_config *config, const char *str, size_t offset)
394
{
395
    int val;
396
    debug_decl(cb_iolog_compress, SUDO_DEBUG_UTIL);
397

398
    if ((val = sudo_strtobool(str)) == -1)
399
	debug_return_bool(false);
400

401
    config->iolog.compress = val;
402
    debug_return_bool(true);
403
}
404

405
static bool
406
cb_iolog_log_passwords(struct logsrvd_config *config, const char *str, size_t offset)
407
{
408
    int val;
409
    debug_decl(cb_iolog_log_passwords, SUDO_DEBUG_UTIL);
410

411
    if ((val = sudo_strtobool(str)) == -1)
412
	debug_return_bool(false);
413

414
    config->iolog.log_passwords = val;
415
    debug_return_bool(true);
416
}
417

418
static bool
419
cb_iolog_flush(struct logsrvd_config *config, const char *str, size_t offset)
420
{
421
    int val;
422
    debug_decl(cb_iolog_flush, SUDO_DEBUG_UTIL);
423

424
    if ((val = sudo_strtobool(str)) == -1)
425
	debug_return_bool(false);
426

427
    config->iolog.flush = val;
428
    debug_return_bool(true);
429
}
430

431
static bool
432
cb_iolog_user(struct logsrvd_config *config, const char *user, size_t offset)
433
{
434
    struct passwd *pw;
435
    debug_decl(cb_iolog_user, SUDO_DEBUG_UTIL);
436

437
    if ((pw = getpwnam(user)) == NULL) {
438
	sudo_warnx(U_("unknown user %s"), user);
439
	debug_return_bool(false);
440
    }
441
    config->iolog.uid = pw->pw_uid;
442
    if (!config->iolog.gid_set)
443
	config->iolog.gid = pw->pw_gid;
444

445
    debug_return_bool(true);
446
}
447

448
static bool
449
cb_iolog_group(struct logsrvd_config *config, const char *group, size_t offset)
450
{
451
    struct group *gr;
452
    debug_decl(cb_iolog_group, SUDO_DEBUG_UTIL);
453

454
    if ((gr = getgrnam(group)) == NULL) {
455
	sudo_warnx(U_("unknown group %s"), group);
456
	debug_return_bool(false);
457
    }
458
    config->iolog.gid = gr->gr_gid;
459
    config->iolog.gid_set = true;
460

461
    debug_return_bool(true);
462
}
463

464
static bool
465
cb_iolog_mode(struct logsrvd_config *config, const char *str, size_t offset)
466
{
467
    const char *errstr;
468
    mode_t mode;
469
    debug_decl(cb_iolog_mode, SUDO_DEBUG_UTIL);
470

471
    mode = sudo_strtomode(str, &errstr);
472
    if (errstr != NULL) {
473
	sudo_warnx(U_("unable to parse iolog mode %s"), str);
474
	debug_return_bool(false);
475
    }
476
    config->iolog.mode = mode;
477
    debug_return_bool(true);
478
}
479

480
static bool
481
cb_iolog_maxseq(struct logsrvd_config *config, const char *str, size_t offset)
482
{
483
    const char *errstr;
484
    unsigned int value;
485
    debug_decl(cb_iolog_maxseq, SUDO_DEBUG_UTIL);
486

487
    value = (unsigned int)sudo_strtonum(str, 0, SESSID_MAX, &errstr);
488
    if (errstr != NULL) {
489
        if (errno != ERANGE) {
490
	    sudo_warnx(U_("invalid value for %s: %s"), "maxseq", errstr);
491
            debug_return_bool(false);
492
        }
493
        /* Out of range, clamp to SESSID_MAX as documented. */
494
        value = SESSID_MAX;
495
    }
496
    config->iolog.maxseq = value;
497
    debug_return_bool(true);
498
}
499

500
static bool
501
cb_iolog_passprompt_regex(struct logsrvd_config *config, const char *str, size_t offset)
502
{
503
    debug_decl(cb_iolog_passprompt_regex, SUDO_DEBUG_UTIL);
504

505
    if (config->iolog.passprompt_regex == NULL) {
506
	/* Lazy alloc of the passprompt regex handle. */
507
	config->iolog.passprompt_regex = iolog_pwfilt_alloc();
508
	if (config->iolog.passprompt_regex == NULL)
509
	    debug_return_bool(false);
510
    }
511
    debug_return_bool(iolog_pwfilt_add(config->iolog.passprompt_regex, str));
512
}
513

514
/* Server callbacks */
515
static bool
516
append_address(struct server_address_list *addresses, const char *str,
517
    bool allow_wildcard)
518
{
519
    struct addrinfo hints, *res, *res0 = NULL;
520
    char *sa_str = NULL, *sa_host = NULL;
521
    char *copy, *host, *port;
522
    bool tls, ret = false;
523
    int error;
524
    debug_decl(append_address, SUDO_DEBUG_UTIL);
525

526
    if ((copy = strdup(str)) == NULL) {
527
	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
528
	debug_return_bool(false);
529
    }
530

531
    /* Parse host[:port] */
532
    if (!iolog_parse_host_port(copy, &host, &port, &tls, DEFAULT_PORT,
533
	    DEFAULT_PORT_TLS))
534
	goto done;
535
    if (host[0] == '*' && host[1] == '\0') {
536
	if (!allow_wildcard)
537
	    goto done;
538
	host = NULL;
539
    }
540

541
#if !defined(HAVE_OPENSSL)
542
    if (tls) {
543
	sudo_warnx("%s", U_("TLS not supported"));
544
	goto done;
545
    }
546
#endif
547

548
    /* Only make a single copy of the string + host for all addresses. */
549
    if ((sa_str = sudo_rcstr_dup(str)) == NULL)	{
550
	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
551
	goto done;
552
    }
553
    if (host != NULL && (sa_host = sudo_rcstr_dup(host)) == NULL) {
554
	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
555
	goto done;
556
    }
557

558
    /* Resolve host (and port if it is a service). */
559
    memset(&hints, 0, sizeof(hints));
560
    hints.ai_family = AF_UNSPEC;
561
    hints.ai_socktype = SOCK_STREAM;
562
    hints.ai_flags = AI_PASSIVE;
563
    error = getaddrinfo(host, port, &hints, &res0);
564
    if (error != 0) {
565
	sudo_gai_warn(error, U_("%s:%s"), host ? host : "*", port);
566
	goto done;
567
    }
568
    for (res = res0; res != NULL; res = res->ai_next) {
569
	struct server_address *addr;
570

571
	if ((addr = malloc(sizeof(*addr))) == NULL) {
572
	    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
573
	    goto done;
574
	}
575
	addr->sa_str = sudo_rcstr_addref(sa_str);
576
	addr->sa_host = sudo_rcstr_addref(sa_host);
577

578
	memcpy(&addr->sa_un, res->ai_addr, res->ai_addrlen);
579
	addr->sa_size = res->ai_addrlen;
580
	addr->tls = tls;
581
	TAILQ_INSERT_TAIL(addresses, addr, entries);
582
    }
583

584
    ret = true;
585
done:
586
    sudo_rcstr_delref(sa_str);
587
    sudo_rcstr_delref(sa_host);
588
    if (res0 != NULL)
589
	freeaddrinfo(res0);
590
    free(copy);
591
    debug_return_bool(ret);
592
}
593

594
static bool
595
cb_server_listen_address(struct logsrvd_config *config, const char *str, size_t offset)
596
{
597
    return append_address(&config->server.addresses.addrs, str, true);
598
}
599

600
static bool
601
cb_server_timeout(struct logsrvd_config *config, const char *str, size_t offset)
602
{
603
    time_t timeout;
604
    const char *errstr;
605
    debug_decl(cb_server_timeout, SUDO_DEBUG_UTIL);
606

607
    timeout = (time_t)sudo_strtonum(str, 0, TIME_T_MAX, &errstr);
608
    if (errstr != NULL)
609
	debug_return_bool(false);
610

611
    config->server.timeout.tv_sec = timeout;
612

613
    debug_return_bool(true);
614
}
615

616
static bool
617
cb_server_keepalive(struct logsrvd_config *config, const char *str, size_t offset)
618
{
619
    int val;
620
    debug_decl(cb_server_keepalive, SUDO_DEBUG_UTIL);
621

622
    if ((val = sudo_strtobool(str)) == -1)
623
	debug_return_bool(false);
624

625
    config->server.tcp_keepalive = val;
626
    debug_return_bool(true);
627
}
628

629
static bool
630
cb_server_pid_file(struct logsrvd_config *config, const char *str, size_t offset)
631
{
632
    char *copy = NULL;
633
    debug_decl(cb_server_pid_file, SUDO_DEBUG_UTIL);
634

635
    /* An empty value means to disable the pid file. */
636
    if (*str != '\0') {
637
	if (*str != '/') {
638
	    sudo_warnx(U_("%s: not a fully qualified path"), str);
639
	    debug_return_bool(false);
640
	}
641
	if ((copy = strdup(str)) == NULL) {
642
	    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
643
	    debug_return_bool(false);
644
	}
645
    }
646

647
    free(config->server.pid_file);
648
    config->server.pid_file = copy;
649

650
    debug_return_bool(true);
651
}
652

653
static bool
654
cb_server_log(struct logsrvd_config *config, const char *str, size_t offset)
655
{
656
    char *copy = NULL;
657
    enum server_log_type log_type = SERVER_LOG_NONE;
658
    debug_decl(cb_server_log, SUDO_DEBUG_UTIL);
659

660
    /* An empty value means to disable the server log. */
661
    if (*str != '\0') {
662
	if (*str == '/') {
663
	    log_type = SERVER_LOG_FILE;
664
	    if ((copy = strdup(str)) == NULL) {
665
		sudo_warnx(U_("%s: %s"), __func__,
666
		    U_("unable to allocate memory"));
667
		debug_return_bool(false);
668
	    }
669
	} else if (strcmp(str, "stderr") == 0) {
670
	    log_type = SERVER_LOG_STDERR;
671
	} else if (strcmp(str, "syslog") == 0) {
672
	    log_type = SERVER_LOG_SYSLOG;
673
	} else {
674
	    debug_return_bool(false);
675
	}
676
    }
677

678
    free(config->server.log_file);
679
    config->server.log_file = copy;
680
    config->server.log_type = log_type;
681

682
    debug_return_bool(true);
683
}
684

685
#if defined(HAVE_OPENSSL)
686
static bool
687
cb_tls_key(struct logsrvd_config *config, const char *path, size_t offset)
688
{
689
    char **p = (char **)((char *)config + offset);
690
    debug_decl(cb_tls_key, SUDO_DEBUG_UTIL);
691

692
    free(*p);
693
    if ((*p = strdup(path)) == NULL) {
694
	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
695
        debug_return_bool(false);
696
    }
697
    debug_return_bool(true);
698
}
699

700
static bool
701
cb_tls_cacert(struct logsrvd_config *config, const char *path, size_t offset)
702
{
703
    char **p = (char **)((char *)config + offset);
704
    debug_decl(cb_tls_cacert, SUDO_DEBUG_UTIL);
705

706
    free(*p);
707
    if ((*p = strdup(path)) == NULL) {
708
	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
709
        debug_return_bool(false);
710
    }
711
    debug_return_bool(true);
712
}
713

714
static bool
715
cb_tls_cert(struct logsrvd_config *config, const char *path, size_t offset)
716
{
717
    char **p = (char **)((char *)config + offset);
718
    debug_decl(cb_tls_cert, SUDO_DEBUG_UTIL);
719

720
    free(*p);
721
    if ((*p = strdup(path)) == NULL) {
722
	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
723
        debug_return_bool(false);
724
    }
725
    debug_return_bool(true);
726
}
727

728
static bool
729
cb_tls_dhparams(struct logsrvd_config *config, const char *path, size_t offset)
730
{
731
    char **p = (char **)((char *)config + offset);
732
    debug_decl(cb_tls_dhparams, SUDO_DEBUG_UTIL);
733

734
    free(*p);
735
    if ((*p = strdup(path)) == NULL) {
736
	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
737
        debug_return_bool(false);
738
    }
739
    debug_return_bool(true);
740
}
741

742
static bool
743
cb_tls_ciphers12(struct logsrvd_config *config, const char *str, size_t offset)
744
{
745
    char **p = (char **)((char *)config + offset);
746
    debug_decl(cb_tls_ciphers12, SUDO_DEBUG_UTIL);
747

748
    free(*p);
749
    if ((*p = strdup(str)) == NULL) {
750
	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
751
        debug_return_bool(false);
752
    }
753
    debug_return_bool(true);
754
}
755

756
static bool
757
cb_tls_ciphers13(struct logsrvd_config *config, const char *str, size_t offset)
758
{
759
    char **p = (char **)((char *)config + offset);
760
    debug_decl(cb_tls_ciphers13, SUDO_DEBUG_UTIL);
761

762
    free(*p);
763
    if ((*p = strdup(str)) == NULL) {
764
	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
765
        debug_return_bool(false);
766
    }
767
    debug_return_bool(true);
768
}
769

770
static bool
771
cb_tls_verify(struct logsrvd_config *config, const char *str, size_t offset)
772
{
773
    int *p = (int *)((char *)config + offset);
774
    int val;
775
    debug_decl(cb_tls_verify, SUDO_DEBUG_UTIL);
776

777
    if ((val = sudo_strtobool(str)) == -1)
778
	debug_return_bool(false);
779

780
    *p = val;
781
    debug_return_bool(true);
782
}
783

784
static bool
785
cb_tls_checkpeer(struct logsrvd_config *config, const char *str, size_t offset)
786
{
787
    int *p = (int *)((char *)config + offset);
788
    int val;
789
    debug_decl(cb_tls_checkpeer, SUDO_DEBUG_UTIL);
790

791
    if ((val = sudo_strtobool(str)) == -1)
792
	debug_return_bool(false);
793

794
    *p = val;
795
    debug_return_bool(true);
796
}
797
#endif
798

799
/* relay callbacks */
800
static bool
801
cb_relay_host(struct logsrvd_config *config, const char *str, size_t offset)
802
{
803
    return append_address(&config->relay.relays.addrs, str, false);
804
}
805

806
static bool
807
cb_relay_timeout(struct logsrvd_config *config, const char *str, size_t offset)
808
{
809
    time_t timeout;
810
    const char *errstr;
811
    debug_decl(cb_relay_timeout, SUDO_DEBUG_UTIL);
812

813
    timeout = (time_t)sudo_strtonum(str, 0, TIME_T_MAX, &errstr);
814
    if (errstr != NULL)
815
	debug_return_bool(false);
816

817
    config->server.timeout.tv_sec = timeout;
818

819
    debug_return_bool(true);
820
}
821

822
static bool
823
cb_relay_connect_timeout(struct logsrvd_config *config, const char *str, size_t offset)
824
{
825
    time_t timeout;
826
    const char *errstr;
827
    debug_decl(cb_relay_connect_timeout, SUDO_DEBUG_UTIL);
828

829
    timeout = (time_t)sudo_strtonum(str, 0, TIME_T_MAX, &errstr);
830
    if (errstr != NULL)
831
	debug_return_bool(false);
832

833
    config->relay.connect_timeout.tv_sec = timeout;
834

835
    debug_return_bool(true);
836
}
837

838
static bool
839
cb_relay_dir(struct logsrvd_config *config, const char *str, size_t offset)
840
{
841
    char *copy = NULL;
842
    debug_decl(cb_relay_dir, SUDO_DEBUG_UTIL);
843

844
    if ((copy = strdup(str)) == NULL) {
845
	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
846
	debug_return_bool(false);
847
    }
848

849
    free(config->relay.relay_dir);
850
    config->relay.relay_dir = copy;
851

852
    debug_return_bool(true);
853
}
854

855
static bool
856
cb_retry_interval(struct logsrvd_config *config, const char *str, size_t offset)
857
{
858
    time_t interval;
859
    const char *errstr;
860
    debug_decl(cb_retry_interval, SUDO_DEBUG_UTIL);
861

862
    interval = (time_t)sudo_strtonum(str, 0, TIME_T_MAX, &errstr);
863
    if (errstr != NULL)
864
	debug_return_bool(false);
865

866
    config->relay.retry_interval = interval;
867

868
    debug_return_bool(true);
869
}
870

871
static bool
872
cb_relay_store_first(struct logsrvd_config *config, const char *str, size_t offset)
873
{
874
    int val;
875
    debug_decl(cb_relay_store_first, SUDO_DEBUG_UTIL);
876

877
    if ((val = sudo_strtobool(str)) == -1)
878
	debug_return_bool(false);
879

880
    config->relay.store_first = val;
881
    debug_return_bool(true);
882
}
883

884
static bool
885
cb_relay_keepalive(struct logsrvd_config *config, const char *str, size_t offset)
886
{
887
    int val;
888
    debug_decl(cb_relay_keepalive, SUDO_DEBUG_UTIL);
889

890
    if ((val = sudo_strtobool(str)) == -1)
891
	debug_return_bool(false);
892

893
    config->relay.tcp_keepalive = val;
894
    debug_return_bool(true);
895
}
896

897
/* eventlog callbacks */
898
static bool
899
cb_eventlog_type(struct logsrvd_config *config, const char *str, size_t offset)
900
{
901
    debug_decl(cb_eventlog_type, SUDO_DEBUG_UTIL);
902

903
    if (strcmp(str, "none") == 0)
904
	config->eventlog.log_type = EVLOG_NONE;
905
    else if (strcmp(str, "syslog") == 0)
906
	config->eventlog.log_type = EVLOG_SYSLOG;
907
    else if (strcmp(str, "logfile") == 0)
908
	config->eventlog.log_type = EVLOG_FILE;
909
    else
910
	debug_return_bool(false);
911

912
    debug_return_bool(true);
913
}
914

915
static bool
916
cb_eventlog_format(struct logsrvd_config *config, const char *str, size_t offset)
917
{
918
    debug_decl(cb_eventlog_format, SUDO_DEBUG_UTIL);
919

920
    /* FFR - make "json" an alias for EVLOG_JSON_COMPACT instead. */
921
    if (strcmp(str, "json") == 0)
922
	config->eventlog.log_format = EVLOG_JSON_PRETTY;
923
    else if (strcmp(str, "json_compact") == 0)
924
	config->eventlog.log_format = EVLOG_JSON_COMPACT;
925
    else if (strcmp(str, "json_pretty") == 0)
926
	config->eventlog.log_format = EVLOG_JSON_PRETTY;
927
    else if (strcmp(str, "sudo") == 0)
928
	config->eventlog.log_format = EVLOG_SUDO;
929
    else
930
	debug_return_bool(false);
931

932
    debug_return_bool(true);
933
}
934

935
static bool
936
cb_eventlog_exit(struct logsrvd_config *config, const char *str, size_t offset)
937
{
938
    int val;
939
    debug_decl(cb_eventlog_exit, SUDO_DEBUG_UTIL);
940

941
    if ((val = sudo_strtobool(str)) == -1)
942
	debug_return_bool(false);
943

944
    config->eventlog.log_exit = val;
945
    debug_return_bool(true);
946
}
947

948
/* syslog callbacks */
949
static bool
950
cb_syslog_maxlen(struct logsrvd_config *config, const char *str, size_t offset)
951
{
952
    unsigned int maxlen;
953
    const char *errstr;
954
    debug_decl(cb_syslog_maxlen, SUDO_DEBUG_UTIL);
955

956
    maxlen = (unsigned int)sudo_strtonum(str, 1, UINT_MAX, &errstr);
957
    if (errstr != NULL)
958
	debug_return_bool(false);
959

960
    config->syslog.maxlen = maxlen;
961

962
    debug_return_bool(true);
963
}
964

965
static bool
966
cb_syslog_server_facility(struct logsrvd_config *config, const char *str, size_t offset)
967
{
968
    int logfac;
969
    debug_decl(cb_syslog_server_facility, SUDO_DEBUG_UTIL);
970

971
    if (!sudo_str2logfac(str, &logfac)) {
972
	sudo_warnx(U_("unknown syslog facility %s"), str);
973
	debug_return_bool(false);
974
    }
975

976
    config->syslog.server_facility = logfac;
977

978
    debug_return_bool(true);
979
}
980

981
static bool
982
cb_syslog_facility(struct logsrvd_config *config, const char *str, size_t offset)
983
{
984
    int logfac;
985
    debug_decl(cb_syslog_facility, SUDO_DEBUG_UTIL);
986

987
    if (!sudo_str2logfac(str, &logfac)) {
988
	sudo_warnx(U_("unknown syslog facility %s"), str);
989
	debug_return_bool(false);
990
    }
991

992
    config->syslog.facility = logfac;
993

994
    debug_return_bool(true);
995
}
996

997
static bool
998
cb_syslog_acceptpri(struct logsrvd_config *config, const char *str, size_t offset)
999
{
1000
    int logpri;
1001
    debug_decl(cb_syslog_acceptpri, SUDO_DEBUG_UTIL);
1002

1003
    if (!sudo_str2logpri(str, &logpri)) {
1004
	sudo_warnx(U_("unknown syslog priority %s"), str);
1005
	debug_return_bool(false);
1006
    }
1007

1008
    config->syslog.acceptpri = logpri;
1009

1010
    debug_return_bool(true);
1011
}
1012

1013
static bool
1014
cb_syslog_rejectpri(struct logsrvd_config *config, const char *str, size_t offset)
1015
{
1016
    int logpri;
1017
    debug_decl(cb_syslog_rejectpri, SUDO_DEBUG_UTIL);
1018

1019
    if (!sudo_str2logpri(str, &logpri)) {
1020
	sudo_warnx(U_("unknown syslog priority %s"), str);
1021
	debug_return_bool(false);
1022
    }
1023

1024
    config->syslog.rejectpri = logpri;
1025

1026
    debug_return_bool(true);
1027
}
1028

1029
static bool
1030
cb_syslog_alertpri(struct logsrvd_config *config, const char *str, size_t offset)
1031
{
1032
    int logpri;
1033
    debug_decl(cb_syslog_alertpri, SUDO_DEBUG_UTIL);
1034

1035
    if (!sudo_str2logpri(str, &logpri)) {
1036
	sudo_warnx(U_("unknown syslog priority %s"), str);
1037
	debug_return_bool(false);
1038
    }
1039

1040
    config->syslog.alertpri = logpri;
1041

1042
    debug_return_bool(true);
1043
}
1044

1045
/* logfile callbacks */
1046
static bool
1047
cb_logfile_path(struct logsrvd_config *config, const char *str, size_t offset)
1048
{
1049
    char *copy = NULL;
1050
    debug_decl(cb_logfile_path, SUDO_DEBUG_UTIL);
1051

1052
    if (*str != '/') {
1053
	sudo_warnx(U_("%s: not a fully qualified path"), str);
1054
	debug_return_bool(false);
1055
    }
1056
    if ((copy = strdup(str)) == NULL) {
1057
	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
1058
	debug_return_bool(false);
1059
    }
1060

1061
    free(config->logfile.path);
1062
    config->logfile.path = copy;
1063

1064
    debug_return_bool(true);
1065
}
1066

1067
static bool
1068
cb_logfile_time_format(struct logsrvd_config *config, const char *str, size_t offset)
1069
{
1070
    char *copy = NULL;
1071
    debug_decl(cb_logfile_time_format, SUDO_DEBUG_UTIL);
1072

1073
    if ((copy = strdup(str)) == NULL) {
1074
	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
1075
	debug_return_bool(false);
1076
    }
1077

1078
    free(config->logfile.time_format);
1079
    config->logfile.time_format = copy;
1080

1081
    debug_return_bool(true);
1082
}
1083

1084
void
1085
address_list_addref(struct server_address_list *al)
1086
{
1087
    struct address_list_container *container =
1088
	__containerof(al, struct address_list_container, addrs);
1089
    container->refcnt++;
1090
}
1091

1092
void
1093
address_list_delref(struct server_address_list *al)
1094
{
1095
    struct address_list_container *container =
1096
	__containerof(al, struct address_list_container, addrs);
1097
    if (--container->refcnt == 0) {
1098
	struct server_address *addr;
1099
	while ((addr = TAILQ_FIRST(al))) {
1100
	    TAILQ_REMOVE(al, addr, entries);
1101
	    sudo_rcstr_delref(addr->sa_str);
1102
	    sudo_rcstr_delref(addr->sa_host);
1103
	    free(addr);
1104
	}
1105
    }
1106
}
1107

1108
static struct logsrvd_config_entry server_conf_entries[] = {
1109
    { "listen_address", cb_server_listen_address },
1110
    { "timeout", cb_server_timeout },
1111
    { "tcp_keepalive", cb_server_keepalive },
1112
    { "pid_file", cb_server_pid_file },
1113
    { "server_log", cb_server_log },
1114
#if defined(HAVE_OPENSSL)
1115
    { "tls_key", cb_tls_key, offsetof(struct logsrvd_config, server.tls_key_path) },
1116
    { "tls_cacert", cb_tls_cacert, offsetof(struct logsrvd_config, server.tls_cacert_path) },
1117
    { "tls_cert", cb_tls_cert, offsetof(struct logsrvd_config, server.tls_cert_path) },
1118
    { "tls_dhparams", cb_tls_dhparams, offsetof(struct logsrvd_config, server.tls_dhparams_path) },
1119
    { "tls_ciphers_v12", cb_tls_ciphers12, offsetof(struct logsrvd_config, server.tls_ciphers_v12) },
1120
    { "tls_ciphers_v13", cb_tls_ciphers13, offsetof(struct logsrvd_config, server.tls_ciphers_v13) },
1121
    { "tls_checkpeer", cb_tls_checkpeer, offsetof(struct logsrvd_config, server.tls_check_peer) },
1122
    { "tls_verify", cb_tls_verify, offsetof(struct logsrvd_config, server.tls_verify) },
1123
#endif
1124
    { NULL }
1125
};
1126

1127
static struct logsrvd_config_entry relay_conf_entries[] = {
1128
    { "relay_host", cb_relay_host },
1129
    { "timeout", cb_relay_timeout },
1130
    { "connect_timeout", cb_relay_connect_timeout },
1131
    { "relay_dir", cb_relay_dir },
1132
    { "retry_interval", cb_retry_interval },
1133
    { "store_first", cb_relay_store_first },
1134
    { "tcp_keepalive", cb_relay_keepalive },
1135
#if defined(HAVE_OPENSSL)
1136
    { "tls_key", cb_tls_key, offsetof(struct logsrvd_config, relay.tls_key_path) },
1137
    { "tls_cacert", cb_tls_cacert, offsetof(struct logsrvd_config, relay.tls_cacert_path) },
1138
    { "tls_cert", cb_tls_cert, offsetof(struct logsrvd_config, relay.tls_cert_path) },
1139
    { "tls_dhparams", cb_tls_dhparams, offsetof(struct logsrvd_config, relay.tls_dhparams_path) },
1140
    { "tls_ciphers_v12", cb_tls_ciphers12, offsetof(struct logsrvd_config, relay.tls_ciphers_v12) },
1141
    { "tls_ciphers_v13", cb_tls_ciphers13, offsetof(struct logsrvd_config, relay.tls_ciphers_v13) },
1142
    { "tls_checkpeer", cb_tls_checkpeer, offsetof(struct logsrvd_config, relay.tls_check_peer) },
1143
    { "tls_verify", cb_tls_verify, offsetof(struct logsrvd_config, relay.tls_verify) },
1144
#endif
1145
    { NULL }
1146
};
1147

1148
static struct logsrvd_config_entry iolog_conf_entries[] = {
1149
    { "iolog_dir", cb_iolog_dir },
1150
    { "iolog_file", cb_iolog_file },
1151
    { "iolog_flush", cb_iolog_flush },
1152
    { "iolog_compress", cb_iolog_compress },
1153
    { "iolog_user", cb_iolog_user },
1154
    { "iolog_group", cb_iolog_group },
1155
    { "iolog_mode", cb_iolog_mode },
1156
    { "log_passwords", cb_iolog_log_passwords },
1157
    { "maxseq", cb_iolog_maxseq },
1158
    { "passprompt_regex", cb_iolog_passprompt_regex },
1159
    { NULL }
1160
};
1161

1162
static struct logsrvd_config_entry eventlog_conf_entries[] = {
1163
    { "log_type", cb_eventlog_type },
1164
    { "log_format", cb_eventlog_format },
1165
    { "log_exit", cb_eventlog_exit },
1166
    { NULL }
1167
};
1168

1169
static struct logsrvd_config_entry syslog_conf_entries[] = {
1170
    { "maxlen", cb_syslog_maxlen },
1171
    { "server_facility", cb_syslog_server_facility },
1172
    { "facility", cb_syslog_facility },
1173
    { "reject_priority", cb_syslog_rejectpri },
1174
    { "accept_priority", cb_syslog_acceptpri },
1175
    { "alert_priority", cb_syslog_alertpri },
1176
    { NULL }
1177
};
1178

1179
static struct logsrvd_config_entry logfile_conf_entries[] = {
1180
    { "path", cb_logfile_path },
1181
    { "time_format", cb_logfile_time_format },
1182
    { NULL }
1183
};
1184

1185
static struct logsrvd_config_section logsrvd_config_sections[] = {
1186
    { "server", server_conf_entries },
1187
    { "relay", relay_conf_entries },
1188
    { "iolog", iolog_conf_entries },
1189
    { "eventlog", eventlog_conf_entries },
1190
    { "syslog", syslog_conf_entries },
1191
    { "logfile", logfile_conf_entries },
1192
    { NULL }
1193
};
1194

1195
static bool
1196
logsrvd_conf_parse(struct logsrvd_config *config, FILE *fp, const char *path)
1197
{
1198
    struct logsrvd_config_section *conf_section = NULL;
1199
    unsigned int lineno = 0;
1200
    size_t linesize = 0;
1201
    char *line = NULL;
1202
    bool ret = false;
1203
    debug_decl(logsrvd_conf_parse, SUDO_DEBUG_UTIL);
1204

1205
    while (sudo_parseln(&line, &linesize, &lineno, fp, 0) != -1) {
1206
	struct logsrvd_config_entry *entry;
1207
	char *ep, *val;
1208

1209
	/* Skip blank, comment or invalid lines. */
1210
	if (*line == '\0' || *line == ';')
1211
	    continue;
1212

1213
	/* New section */
1214
	if (line[0] == '[') {
1215
	    char *cp, *section_name = line + 1;
1216

1217
	    if ((ep = strchr(section_name, ']')) == NULL) {
1218
		sudo_warnx(U_("%s:%d unmatched '[': %s"),
1219
		    path, lineno, line);
1220
		goto done;
1221
	    }
1222
	    for (cp = ep + 1; *cp != '\0'; cp++) {
1223
		if (!isspace((unsigned char)*cp)) {
1224
		    sudo_warnx(U_("%s:%d garbage after ']': %s"),
1225
			path, lineno, line);
1226
		    goto done;
1227
		}
1228
	    }
1229
	    *ep = '\0';
1230
	    for (conf_section = logsrvd_config_sections; conf_section->name != NULL;
1231
		    conf_section++) {
1232
		if (strcasecmp(section_name, conf_section->name) == 0)
1233
		    break;
1234
	    }
1235
	    if (conf_section->name == NULL) {
1236
		sudo_warnx(U_("%s:%d invalid config section: %s"),
1237
		    path, lineno, section_name);
1238
		goto done;
1239
	    }
1240
	    continue;
1241
	}
1242

1243
	if ((ep = strchr(line, '=')) == NULL) {
1244
	    sudo_warnx(U_("%s:%d invalid configuration line: %s"),
1245
		path, lineno, line);
1246
	    goto done;
1247
	}
1248

1249
	if (conf_section == NULL) {
1250
	    sudo_warnx(U_("%s:%d expected section name: %s"),
1251
		path, lineno, line);
1252
	    goto done;
1253
	}
1254

1255
	val = ep + 1;
1256
	while (isspace((unsigned char)*val))
1257
	    val++;
1258
	while (ep > line && isspace((unsigned char)ep[-1]))
1259
	    ep--;
1260
	*ep = '\0';
1261
	for (entry = conf_section->entries; entry->conf_str != NULL; entry++) {
1262
	    if (strcasecmp(line, entry->conf_str) == 0) {
1263
		if (!entry->setter(config, val, entry->offset)) {
1264
		    sudo_warnx(U_("invalid value for %s: %s"),
1265
			entry->conf_str, val);
1266
		    goto done;
1267
		}
1268
		break;
1269
	    }
1270
	}
1271
	if (entry->conf_str == NULL) {
1272
	    sudo_warnx(U_("%s:%d [%s] illegal key: %s"), path, lineno,
1273
		conf_section->name, line);
1274
	    goto done;
1275
	}
1276
    }
1277
    ret = true;
1278

1279
done:
1280
    free(line);
1281
    debug_return_bool(ret);
1282
}
1283

1284
static FILE *
1285
logsrvd_open_log_file(const char *path, int flags)
1286
{
1287
    mode_t oldmask;
1288
    FILE *fp = NULL;
1289
    const char *omode;
1290
    int fd;
1291
    debug_decl(logsrvd_open_log_file, SUDO_DEBUG_UTIL);
1292

1293
    if (ISSET(flags, O_APPEND)) {
1294
	omode = "a";
1295
    } else {
1296
	omode = "w";
1297
    }
1298
    oldmask = umask(S_IRWXG|S_IRWXO);
1299
    fd = open(path, flags, S_IRUSR|S_IWUSR);
1300
    (void)umask(oldmask);
1301
    if (fd == -1 || (fp = fdopen(fd, omode)) == NULL) {
1302
	sudo_warn(U_("unable to open log file %s"), path);
1303
	if (fd != -1)
1304
	    close(fd);
1305
    }
1306

1307
    debug_return_ptr(fp);
1308
}
1309

1310
static FILE *
1311
logsrvd_open_eventlog(struct logsrvd_config *config)
1312
{
1313
    int flags;
1314
    debug_decl(logsrvd_open_eventlog, SUDO_DEBUG_UTIL);
1315

1316
    /* Cannot append to a JSON file that is a single object. */
1317
    if (config->eventlog.log_format == EVLOG_JSON_PRETTY) {
1318
	flags = O_RDWR|O_CREAT|O_NOFOLLOW;
1319
    } else {
1320
	flags = O_WRONLY|O_APPEND|O_CREAT|O_NOFOLLOW;
1321
    }
1322
    debug_return_ptr(logsrvd_open_log_file(config->logfile.path, flags));
1323
}
1324

1325
static FILE *
1326
logsrvd_stub_open_log(int type, const char *logfile)
1327
{
1328
    /* Actual open already done by logsrvd_open_eventlog() */
1329
    return logsrvd_config->logfile.stream;
1330
}
1331

1332
static void
1333
logsrvd_stub_close_log(int type, FILE *fp)
1334
{
1335
    return;
1336
}
1337

1338
/* Set eventlog configuration settings from logsrvd config. */
1339
static void
1340
logsrvd_conf_eventlog_setconf(struct logsrvd_config *config)
1341
{
1342
    debug_decl(logsrvd_conf_eventlog_setconf, SUDO_DEBUG_UTIL);
1343

1344
    eventlog_set_type(config->eventlog.log_type);
1345
    eventlog_set_format(config->eventlog.log_format);
1346
    eventlog_set_syslog_acceptpri(config->syslog.acceptpri); 
1347
    eventlog_set_syslog_rejectpri(config->syslog.rejectpri); 
1348
    eventlog_set_syslog_alertpri(config->syslog.alertpri); 
1349
    eventlog_set_syslog_maxlen(config->syslog.maxlen); 
1350
    eventlog_set_logpath(config->logfile.path);
1351
    eventlog_set_time_fmt(config->logfile.time_format);
1352
    eventlog_set_open_log(logsrvd_stub_open_log);
1353
    eventlog_set_close_log(logsrvd_stub_close_log);
1354

1355
    debug_return;
1356
}
1357

1358
/* Set I/O log configuration settings from logsrvd config. */
1359
static void
1360
logsrvd_conf_iolog_setconf(struct logsrvd_config *config)
1361
{
1362
    debug_decl(logsrvd_conf_iolog_setconf, SUDO_DEBUG_UTIL);
1363

1364
    iolog_set_defaults();
1365
    iolog_set_compress(config->iolog.compress);
1366
    iolog_set_flush(config->iolog.flush);
1367
    iolog_set_owner(config->iolog.uid, config->iolog.gid);
1368
    iolog_set_mode(config->iolog.mode);
1369
    iolog_set_maxseq(config->iolog.maxseq);
1370

1371
    debug_return;
1372
}
1373

1374
/*
1375
 * Conversation function for use by sudo_warn/sudo_fatal.
1376
 * Logs to stdout/stderr.
1377
 */
1378
static int
1379
logsrvd_conv_stderr(int num_msgs, const struct sudo_conv_message msgs[],
1380
    struct sudo_conv_reply replies[], struct sudo_conv_callback *callback)
1381
{
1382
    int i;
1383
    debug_decl(logsrvd_conv_stderr, SUDO_DEBUG_UTIL);
1384

1385
    for (i = 0; i < num_msgs; i++) {
1386
	if (fputs(msgs[i].msg, stderr) == EOF)
1387
	    debug_return_int(-1);
1388
    }
1389

1390
    debug_return_int(0);
1391
}
1392

1393
/*
1394
 * Conversation function for use by sudo_warn/sudo_fatal.
1395
 * Acts as a no-op log sink.
1396
 */
1397
static int
1398
logsrvd_conv_none(int num_msgs, const struct sudo_conv_message msgs[],
1399
    struct sudo_conv_reply replies[], struct sudo_conv_callback *callback)
1400
{
1401
    /* Also write to stderr if still in the foreground. */
1402
    if (logsrvd_warn_enable_stderr) {
1403
	(void)logsrvd_conv_stderr(num_msgs, msgs, replies, callback);
1404
    }
1405

1406
    return 0;
1407
}
1408

1409
/*
1410
 * Conversation function for use by sudo_warn/sudo_fatal.
1411
 * Logs to syslog.
1412
 */
1413
static int
1414
logsrvd_conv_syslog(int num_msgs, const struct sudo_conv_message msgs[],
1415
    struct sudo_conv_reply replies[], struct sudo_conv_callback *callback)
1416
{
1417
    const char *progname;
1418
    char buf[4096], *cp, *ep;
1419
    size_t proglen;
1420
    int i;
1421
    debug_decl(logsrvd_conv_syslog, SUDO_DEBUG_UTIL);
1422

1423
    if (logsrvd_config == NULL) {
1424
	debug_return_int(logsrvd_conv_stderr(num_msgs, msgs, replies, callback));
1425
    }
1426

1427
    /* Also write to stderr if still in the foreground. */
1428
    if (logsrvd_warn_enable_stderr) {
1429
	(void)logsrvd_conv_stderr(num_msgs, msgs, replies, callback);
1430
    }
1431

1432
    /*
1433
     * Concat messages into a flag string that we can syslog.
1434
     */
1435
    progname = getprogname();
1436
    proglen = strlen(progname);
1437
    cp = buf;
1438
    ep = buf + sizeof(buf);
1439
    for (i = 0; i < num_msgs && ep - cp > 1; i++) {
1440
	const char *msg = msgs[i].msg;
1441
	size_t len = strlen(msg);
1442

1443
	/* Strip leading "sudo_logsrvd: " prefix. */
1444
	if (strncmp(msg, progname, proglen) == 0) {
1445
	    msg += proglen;
1446
	    len -= proglen;
1447
	    if (len == 0) {
1448
		/* Skip over ": " string that follows program name. */
1449
		if (i + 1 < num_msgs && strcmp(msgs[i + 1].msg, ": ") == 0) {
1450
		    i++;
1451
		    continue;
1452
		}
1453
	    } else if (msg[0] == ':' && msg[1] == ' ') {
1454
		/* Handle "progname: " */
1455
		msg += 2;
1456
		len -= 2;
1457
	    }
1458
	}
1459

1460
	/* Strip off trailing newlines. */
1461
	while (len > 1 && msg[len - 1] == '\n')
1462
	    len--;
1463
	if (len == 0)
1464
	    continue;
1465

1466
	if (len >= (size_t)(ep - cp)) {
1467
	    /* Message too long, truncate. */
1468
	    len = (size_t)(ep - cp) - 1;
1469
	}
1470
	memcpy(cp, msg, len);
1471
	cp[len] = '\0';
1472
	cp += len;
1473
    }
1474
    if (cp != buf) {
1475
	openlog(progname, 0, logsrvd_config->syslog.server_facility);
1476
	syslog(LOG_ERR, "%s", buf);
1477

1478
	/* Restore old syslog settings. */
1479
	if (logsrvd_config->eventlog.log_type == EVLOG_SYSLOG)
1480
	    openlog("sudo", 0, logsrvd_config->syslog.facility);
1481
    }
1482

1483
    debug_return_int(0);
1484
}
1485

1486
/*
1487
 * Conversation function for use by sudo_warn/sudo_fatal.
1488
 * Logs to an already-open log file.
1489
 */
1490
static int
1491
logsrvd_conv_logfile(int num_msgs, const struct sudo_conv_message msgs[],
1492
    struct sudo_conv_reply replies[], struct sudo_conv_callback *callback)
1493
{
1494
    const char *progname;
1495
    size_t proglen;
1496
    int i;
1497
    debug_decl(logsrvd_conv_logfile, SUDO_DEBUG_UTIL);
1498

1499
    if (logsrvd_config == NULL) {
1500
	debug_return_int(logsrvd_conv_stderr(num_msgs, msgs, replies, callback));
1501
    }
1502

1503
    /* Also write to stderr if still in the foreground. */
1504
    if (logsrvd_warn_enable_stderr) {
1505
	(void)logsrvd_conv_stderr(num_msgs, msgs, replies, callback);
1506
    }
1507

1508
    if (logsrvd_config->server.log_stream == NULL) {
1509
	errno = EBADF;
1510
	debug_return_int(-1);
1511
    }
1512

1513
    progname = getprogname();
1514
    proglen = strlen(progname);
1515
    for (i = 0; i < num_msgs; i++) {
1516
	const char *msg = msgs[i].msg;
1517
	size_t len = strlen(msg);
1518

1519
	/* Strip leading "sudo_logsrvd: " prefix. */
1520
	if (strncmp(msg, progname, proglen) == 0) {
1521
	    msg += proglen;
1522
	    len -= proglen;
1523
	    if (len == 0) {
1524
		/* Skip over ": " string that follows program name. */
1525
		if (i + 1 < num_msgs && strcmp(msgs[i + 1].msg, ": ") == 0) {
1526
		    i++;
1527
		    continue;
1528
		}
1529
	    } else if (msg[0] == ':' && msg[1] == ' ') {
1530
		/* Handle "progname: " */
1531
		msg += 2;
1532
		len -= 2;
1533
	    }
1534
	}
1535

1536
	if (fwrite(msg, len, 1, logsrvd_config->server.log_stream) != 1)
1537
	    debug_return_int(-1);
1538
    }
1539

1540
    debug_return_int(0);
1541
}
1542

1543
/* Free the specified struct logsrvd_config and its contents. */
1544
static void
1545
logsrvd_conf_free(struct logsrvd_config *config)
1546
{
1547
    debug_decl(logsrvd_conf_free, SUDO_DEBUG_UTIL);
1548

1549
    if (config == NULL)
1550
	debug_return;
1551

1552
    /* struct logsrvd_config_server */
1553
    address_list_delref(&config->server.addresses.addrs);
1554
    free(config->server.pid_file);
1555
    free(config->server.log_file);
1556
    if (config->server.log_stream != NULL)
1557
	fclose(config->server.log_stream);
1558
#if defined(HAVE_OPENSSL)
1559
    free(config->server.tls_key_path);
1560
    free(config->server.tls_cert_path);
1561
    free(config->server.tls_cacert_path);
1562
    free(config->server.tls_dhparams_path);
1563
    free(config->server.tls_ciphers_v12);
1564
    free(config->server.tls_ciphers_v13);
1565

1566
    if (config->server.ssl_ctx != NULL)
1567
	SSL_CTX_free(config->server.ssl_ctx);
1568
#endif
1569

1570
    /* struct logsrvd_config_relay */
1571
    address_list_delref(&config->relay.relays.addrs);
1572
    free(config->relay.relay_dir);
1573
#if defined(HAVE_OPENSSL)
1574
    free(config->relay.tls_key_path);
1575
    free(config->relay.tls_cert_path);
1576
    free(config->relay.tls_cacert_path);
1577
    free(config->relay.tls_dhparams_path);
1578
    free(config->relay.tls_ciphers_v12);
1579
    free(config->relay.tls_ciphers_v13);
1580

1581
    if (config->relay.ssl_ctx != NULL)
1582
	SSL_CTX_free(config->relay.ssl_ctx);
1583
#endif
1584

1585
    /* struct logsrvd_config_iolog */
1586
    free(config->iolog.iolog_base);
1587
    free(config->iolog.iolog_dir);
1588
    free(config->iolog.iolog_file);
1589
    iolog_pwfilt_free(config->iolog.passprompt_regex);
1590

1591
    /* struct logsrvd_config_logfile */
1592
    free(config->logfile.path);
1593
    free(config->logfile.time_format);
1594
    if (config->logfile.stream != NULL)
1595
	fclose(config->logfile.stream);
1596

1597
    free(config);
1598

1599
    debug_return;
1600
}
1601

1602
/* Allocate a new struct logsrvd_config and set default values. */
1603
static struct logsrvd_config *
1604
logsrvd_conf_alloc(void)
1605
{
1606
    struct logsrvd_config *config;
1607
    debug_decl(logsrvd_conf_alloc, SUDO_DEBUG_UTIL);
1608

1609
    if ((config = calloc(1, sizeof(*config))) == NULL) {
1610
	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
1611
	debug_return_ptr(NULL);
1612
    }
1613

1614
    /* Relay defaults */
1615
    TAILQ_INIT(&config->relay.relays.addrs);
1616
    config->relay.relays.refcnt = 1;
1617
    config->relay.timeout.tv_sec = DEFAULT_SOCKET_TIMEOUT_SEC;
1618
    config->relay.connect_timeout.tv_sec = DEFAULT_SOCKET_TIMEOUT_SEC;
1619
    config->relay.tcp_keepalive = true;
1620
    config->relay.retry_interval = 30;
1621
    if (!cb_relay_dir(config, _PATH_SUDO_RELAY_DIR, 0))
1622
	goto bad;
1623
#if defined(HAVE_OPENSSL)
1624
    config->relay.tls_verify = -1;
1625
    config->relay.tls_check_peer = -1;
1626
#endif
1627

1628
    /* Server defaults */
1629
    TAILQ_INIT(&config->server.addresses.addrs);
1630
    config->server.addresses.refcnt = 1;
1631
    config->server.timeout.tv_sec = DEFAULT_SOCKET_TIMEOUT_SEC;
1632
    config->server.tcp_keepalive = true;
1633
    config->server.log_type = SERVER_LOG_SYSLOG;
1634
    config->server.pid_file = strdup(_PATH_SUDO_LOGSRVD_PID);
1635
    if (config->server.pid_file == NULL) {
1636
	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
1637
	goto bad;
1638
    }
1639

1640
#if defined(HAVE_OPENSSL)
1641
    /*
1642
     * Only set default CA and cert paths if the files actually exist.
1643
     * This ensures we don't enable TLS by default when it is not configured.
1644
     */
1645
    if (access(DEFAULT_CA_CERT_PATH, R_OK) == 0) {
1646
	config->server.tls_cacert_path = strdup(DEFAULT_CA_CERT_PATH);
1647
	if (config->server.tls_cacert_path == NULL) {
1648
	    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
1649
	    goto bad;
1650
	}
1651
    }
1652
    if (access(DEFAULT_SERVER_CERT_PATH, R_OK) == 0) {
1653
	config->server.tls_cert_path = strdup(DEFAULT_SERVER_CERT_PATH);
1654
	if (config->server.tls_cert_path == NULL) {
1655
	    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
1656
	    goto bad;
1657
	}
1658
    }
1659
    config->server.tls_key_path = strdup(DEFAULT_SERVER_KEY_PATH);
1660
    if (config->server.tls_key_path == NULL) {
1661
	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
1662
	goto bad;
1663
    }
1664
    config->server.tls_verify = true;
1665
    config->server.tls_check_peer = false;
1666
#endif
1667

1668
    /* I/O log defaults */
1669
    config->iolog.compress = false;
1670
    config->iolog.flush = true;
1671
    config->iolog.mode = S_IRUSR|S_IWUSR;
1672
    config->iolog.maxseq = SESSID_MAX;
1673
    if (!cb_iolog_dir(config, _PATH_SUDO_IO_LOGDIR, 0))
1674
	goto bad;
1675
    if (!cb_iolog_file(config, "%{seq}", 0))
1676
	goto bad;
1677
    config->iolog.uid = ROOT_UID;
1678
    config->iolog.gid = ROOT_GID;
1679
    config->iolog.gid_set = false;
1680
    config->iolog.log_passwords = false;
1681

1682
    /* Event log defaults */
1683
    config->eventlog.log_type = EVLOG_SYSLOG;
1684
    config->eventlog.log_format = EVLOG_SUDO;
1685
    config->eventlog.log_exit = false;
1686

1687
    /* Syslog defaults */
1688
    config->syslog.maxlen = 960;
1689
    config->syslog.server_facility = LOG_DAEMON;
1690
    if (!cb_syslog_facility(config, LOGFAC, 0)) {
1691
	sudo_warnx(U_("unknown syslog facility %s"), LOGFAC);
1692
	goto bad;
1693
    }
1694
    if (!cb_syslog_acceptpri(config, PRI_SUCCESS, 0)) {
1695
	sudo_warnx(U_("unknown syslog priority %s"), PRI_SUCCESS);
1696
	goto bad;
1697
    }
1698
    if (!cb_syslog_rejectpri(config, PRI_FAILURE, 0)) {
1699
	sudo_warnx(U_("unknown syslog priority %s"), PRI_FAILURE);
1700
	goto bad;
1701
    }
1702
    if (!cb_syslog_alertpri(config, PRI_FAILURE, 0)) {
1703
	sudo_warnx(U_("unknown syslog priority %s"), PRI_FAILURE);
1704
	goto bad;
1705
    }
1706

1707
    /* Log file defaults */
1708
    if (!cb_logfile_time_format(config, "%h %e %T", 0))
1709
	goto bad;
1710
    if (!cb_logfile_path(config, _PATH_SUDO_LOGFILE, 0))
1711
	goto bad;
1712

1713
    debug_return_ptr(config);
1714
bad:
1715
    logsrvd_conf_free(config);
1716
    debug_return_ptr(NULL);
1717
}
1718

1719
static bool
1720
logsrvd_conf_apply(struct logsrvd_config *config)
1721
{
1722
#if defined(HAVE_OPENSSL)
1723
    struct server_address *addr;
1724
#endif
1725
    debug_decl(logsrvd_conf_apply, SUDO_DEBUG_UTIL);
1726

1727
    /* There can be multiple passprompt regular expressions. */
1728
    if (config->iolog.passprompt_regex == NULL) {
1729
	if (!cb_iolog_passprompt_regex(config, PASSPROMPT_REGEX, 0))
1730
	    debug_return_bool(false);
1731
    }
1732

1733
    /* There can be multiple addresses so we can't set a default earlier. */
1734
#if defined(HAVE_OPENSSL)
1735
    if (TAILQ_EMPTY(&config->server.addresses.addrs)) {
1736
	/* TLS certificate configured, enable default TLS listener. */
1737
	if (config->server.tls_cert_path != NULL) {
1738
	    if (!cb_server_listen_address(config, "*:" DEFAULT_PORT_TLS "(tls)", 0))
1739
		debug_return_bool(false);
1740
	}
1741
    } else {
1742
	/* Check that TLS configuration is valid. */
1743
	TAILQ_FOREACH(addr, &config->server.addresses.addrs, entries) {
1744
	    if (!addr->tls)
1745
		continue;
1746
	    /*
1747
	     * If a TLS listener was explicitly enabled but the cert path
1748
	     * was not, use the default.
1749
	     */
1750
	    if (config->server.tls_cert_path == NULL) {
1751
		config->server.tls_cert_path =
1752
		    strdup(DEFAULT_SERVER_CERT_PATH);
1753
		if (config->server.tls_cert_path == NULL) {
1754
		    sudo_warnx(U_("%s: %s"), __func__,
1755
			U_("unable to allocate memory"));
1756
		    debug_return_bool(false);
1757
		}
1758
	    }
1759
	    break;
1760
	}
1761
    }
1762
#endif /* HAVE_OPENSSL */
1763
    if (TAILQ_EMPTY(&config->server.addresses.addrs)) {
1764
	/* TLS not configured, enable plaintext listener. */
1765
	if (!cb_server_listen_address(config, "*:" DEFAULT_PORT, 0))
1766
	    debug_return_bool(false);
1767
    }
1768

1769
#if defined(HAVE_OPENSSL)
1770
    TAILQ_FOREACH(addr, &config->server.addresses.addrs, entries) {
1771
	if (!addr->tls)
1772
	    continue;
1773
        /* Create a TLS context for the server. */
1774
	config->server.ssl_ctx = init_tls_context(
1775
	    config->server.tls_cacert_path, config->server.tls_cert_path,
1776
	    config->server.tls_key_path, config->server.tls_dhparams_path,
1777
	    config->server.tls_ciphers_v12, config->server.tls_ciphers_v13,
1778
	    config->server.tls_verify);
1779
	if (config->server.ssl_ctx == NULL) {
1780
	    sudo_warnx("%s", U_("unable to initialize server TLS context"));
1781
	    debug_return_bool(false);
1782
	}
1783
	break;
1784
    }
1785

1786
    TAILQ_FOREACH(addr, &config->relay.relays.addrs, entries) {
1787
	if (!addr->tls)
1788
	    continue;
1789

1790
	/* Create a TLS context for the relay. */
1791
	config->relay.ssl_ctx = init_tls_context(
1792
	    TLS_RELAY_STR(config, tls_cacert_path),
1793
	    TLS_RELAY_STR(config, tls_cert_path),
1794
	    TLS_RELAY_STR(config, tls_key_path),
1795
	    TLS_RELAY_STR(config, tls_dhparams_path),
1796
	    TLS_RELAY_STR(config, tls_ciphers_v12),
1797
	    TLS_RELAY_STR(config, tls_ciphers_v13),
1798
	    TLS_RELAY_INT(config, tls_verify));
1799
	if (config->relay.ssl_ctx == NULL) {
1800
	    sudo_warnx("%s", U_("unable to initialize relay TLS context"));
1801
	    debug_return_bool(false);
1802
	}
1803
	break;
1804
    }
1805
#endif /* HAVE_OPENSSL */
1806

1807
    /* Clear store_first if not relaying. */
1808
    if (TAILQ_EMPTY(&config->relay.relays.addrs))
1809
	config->relay.store_first = false;
1810

1811
    /* Open event log if specified. */
1812
    switch (config->eventlog.log_type) {
1813
    case EVLOG_SYSLOG:
1814
	openlog("sudo", 0, config->syslog.facility);
1815
	break;
1816
    case EVLOG_FILE:
1817
	config->logfile.stream = logsrvd_open_eventlog(config);
1818
	if (config->logfile.stream == NULL)
1819
	    debug_return_bool(false);
1820
	break;
1821
    case EVLOG_NONE:
1822
	break;
1823
    default:
1824
	sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
1825
	    "cannot open unknown log type %d", config->eventlog.log_type);
1826
	break;
1827
    }
1828

1829
    /*
1830
     * Open server log if specified.
1831
     * We do this last due to the sudo_warn_set_conversation() call.
1832
     */
1833
    switch (config->server.log_type) {
1834
    case SERVER_LOG_SYSLOG:
1835
	sudo_warn_set_conversation(logsrvd_conv_syslog);
1836
	break;
1837
    case SERVER_LOG_FILE:
1838
	config->server.log_stream =
1839
	    logsrvd_open_log_file(config->server.log_file,
1840
	    O_WRONLY|O_APPEND|O_CREAT|O_NOFOLLOW);
1841
	if (config->server.log_stream == NULL)
1842
	    debug_return_bool(false);
1843
	sudo_warn_set_conversation(logsrvd_conv_logfile);
1844
	break;
1845
    case SERVER_LOG_NONE:
1846
	sudo_warn_set_conversation(logsrvd_conv_none);
1847
	break;
1848
    case SERVER_LOG_STDERR:
1849
	/* Default is stderr. */
1850
	sudo_warn_set_conversation(NULL);
1851
	break;
1852
    default:
1853
	sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
1854
	    "cannot open unknown log type %d", config->eventlog.log_type);
1855
	break;
1856
    }
1857

1858
    /*
1859
     * Update event and I/O log library config and install the new
1860
     * logsrvd config.  We must not fail past this point or the event
1861
     * and I/O log config will be inconsistent with the logsrvd config.
1862
     */
1863
    logsrvd_conf_iolog_setconf(config);
1864
    logsrvd_conf_eventlog_setconf(config);
1865

1866
    logsrvd_conf_free(logsrvd_config);
1867
    logsrvd_config = config;
1868

1869
    debug_return_bool(true);
1870
}
1871

1872
/*
1873
 * Read .ini style logsrvd.conf file.
1874
 * If path is NULL, use _PATH_SUDO_LOGSRVD_CONF.
1875
 * Note that we use '#' not ';' for the comment character.
1876
 */
1877
bool
1878
logsrvd_conf_read(const char *path)
1879
{
1880
    struct logsrvd_config *config;
1881
    char conf_file[PATH_MAX];
1882
    bool ret = false;
1883
    FILE *fp = NULL;
1884
    int fd = -1;
1885
    debug_decl(logsrvd_conf_read, SUDO_DEBUG_UTIL);
1886

1887
    config = logsrvd_conf_alloc();
1888

1889
    if (path != NULL) {
1890
       if (strlcpy(conf_file, path, sizeof(conf_file)) >= sizeof(conf_file))
1891
            errno = ENAMETOOLONG;
1892
	else
1893
	    fd = open(conf_file, O_RDONLY);
1894
    } else {
1895
	fd = sudo_open_conf_path(_PATH_SUDO_LOGSRVD_CONF, conf_file,
1896
	    sizeof(conf_file), NULL);
1897
    }
1898
    if (fd != -1)
1899
	fp = fdopen(fd, "r");
1900
    if (fp == NULL) {
1901
	if (path != NULL || errno != ENOENT) {
1902
	    sudo_warn("%s", conf_file);
1903
	    goto done;
1904
	}
1905
    } else {
1906
	if (!logsrvd_conf_parse(config, fp, conf_file))
1907
	    goto done;
1908
    }
1909

1910
    /* Install new config */
1911
    if (logsrvd_conf_apply(config)) {
1912
	config = NULL;
1913
	ret = true;
1914
    }
1915

1916
done:
1917
    logsrvd_conf_free(config);
1918
    if (fp != NULL)
1919
	fclose(fp);
1920
    debug_return_bool(ret);
1921
}
1922

1923
void
1924
logsrvd_conf_cleanup(void)
1925
{
1926
    debug_decl(logsrvd_conf_cleanup, SUDO_DEBUG_UTIL);
1927

1928
    logsrvd_conf_free(logsrvd_config);
1929
    logsrvd_config = NULL;
1930

1931
    debug_return;
1932
}
1933

1934
void
1935
logsrvd_warn_stderr(bool enabled)
1936
{
1937
    logsrvd_warn_enable_stderr = enabled;
1938
}
1939

1940
Product

Resources

Company
