mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-08-29 05:17:54 +00:00
Code Issues Releases Wiki Activity

Add configuration for sudo_logsrvd store-and-forward mode.

Browse Source 
Adds "relay_dir" and "store_first" settings to sudo_logsrvd.conf
in the [relay] section.  Also adds a --with-relaydir configure
argument to change the default value (usually /var/log/logsrvd-relay.
This commit is contained in:
Todd C. Miller 2021-04-23 16:54:15 -06:00
parent 727056e0c9
commit 6f5b353e87
10 changed files with 178 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
INSTALL
View File

@ -149,6 +149,12 @@ Directory and file names:
/var/db/sudo, /var/lib/sudo, /var/adm/sudo, /usr/adm/sudo /var/db/sudo, /var/lib/sudo, /var/adm/sudo, /usr/adm/sudo
This directory should *not* be cleared when the system boots. This directory should *not* be cleared when the system boots.
--with-relaydir=DIR
The directory to be used for sudo_logsrvd relay temporary files.
When sudo_logsrvd is configured as a store-and-forward relay,
the journaled data is written to this directory before it is
forwarded to a relay server.
--with-tzdir=DIR --with-tzdir=DIR
The directory to the system's time zone data files. This The directory to the system's time zone data files. This
is only used when sanitizing the TZ environment variable is only used when sanitizing the TZ environment variable

40
configure vendored
View File

@ -759,6 +759,7 @@ password_timeout
timeout timeout
vardir vardir
rundir rundir
relay_dir
logpath logpath
log_dir log_dir
iolog_dir iolog_dir
@ -954,6 +955,7 @@ with_timedir
with_rundir with_rundir
with_vardir with_vardir
with_iologdir with_iologdir
with_relaydir
with_tzdir with_tzdir
with_sendmail with_sendmail
with_sudoers_mode with_sudoers_mode
@ -1814,6 +1816,8 @@ Optional Packages:
system reboot, e.g. `/var/db/sudo' or system reboot, e.g. `/var/db/sudo' or
`/var/lib/sudo' `/var/lib/sudo'
--with-iologdir=DIR directory to store sudo I/O log files in --with-iologdir=DIR directory to store sudo I/O log files in
--with-relaydir=DIR directory to store sudo_logsrvd relay temporary
files in
--with-tzdir=DIR path to the time zone data directory --with-tzdir=DIR path to the time zone data directory
--with-sendmail set path to sendmail --with-sendmail set path to sendmail
--without-sendmail do not send mail at all --without-sendmail do not send mail at all
@ -3544,6 +3548,7 @@ printf "%s\n" "$as_me: Configuring Sudo version $PACKAGE_VERSION" >&6;}
iolog_dir=/var/log/sudo-io iolog_dir=/var/log/sudo-io
log_dir=/var/log log_dir=/var/log
logpath=/var/log/sudo.log logpath=/var/log/sudo.log
relay_dir=/var/log/logsrvd-relay
rundir=/var/run/sudo rundir=/var/run/sudo
vardir=/var/adm/sudo vardir=/var/adm/sudo
timeout=5 timeout=5
@ -5869,6 +5874,18 @@ fi
# Check whether --with-relaydir was given.
if test ${with_relaydir+y}
then :
withval=$with_relaydir; case $with_relaydir in
yes) ;;
no) as_fn_error $? "\"--without-relaydir not supported.\"" "$LINENO" 5
;;
esac
fi
# Check whether --with-tzdir was given. # Check whether --with-tzdir was given.
if test ${with_tzdir+y} if test ${with_tzdir+y}
then : then :
@ -27863,6 +27880,29 @@ printf "%s\n" "$logpath" >&6; }
EOF EOF
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for sudo_logsrvd relay dir location" >&5
printf %s "checking for sudo_logsrvd relay dir location... " >&6; }
if test "${with_relaydir-yes}" != "yes"; then
relay_dir="$with_relaydir"
else
# Default value of relay_dir set in configure.ac
for d in /var/log /var/adm /usr/adm; do
if test -d "$d"; then
relay_dir="$d/logsrvd-relay"
break
fi
done
fi
if test "${with_relaydir}" != "no"; then
cat >>confdefs.h <<EOF
#define _PATH_SUDO_RELAY_DIR "$relay_dir"
EOF
fi
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $relay_dir" >&5
printf "%s\n" "$relay_dir" >&6; }
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for sudo run dir location" >&5 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for sudo run dir location" >&5
printf %s "checking for sudo run dir location... " >&6; } printf %s "checking for sudo run dir location... " >&6; }
if test -n "$with_rundir"; then if test -n "$with_rundir"; then

10
configure.ac
View File

@ -132,6 +132,7 @@ dnl
AC_SUBST([iolog_dir])dnl real initial value from SUDO_IO_LOGDIR AC_SUBST([iolog_dir])dnl real initial value from SUDO_IO_LOGDIR
AC_SUBST([log_dir])dnl real initial value from SUDO_LOGDIR AC_SUBST([log_dir])dnl real initial value from SUDO_LOGDIR
AC_SUBST([logpath])dnl real initial value from SUDO_LOGFILE AC_SUBST([logpath])dnl real initial value from SUDO_LOGFILE
AC_SUBST([relay_dir])dnl real initial value from SUDO_RELAY_DIR
AC_SUBST([rundir])dnl real initial value from SUDO_RUNDIR AC_SUBST([rundir])dnl real initial value from SUDO_RUNDIR
AC_SUBST([vardir])dnl real initial value from SUDO_VARDIR AC_SUBST([vardir])dnl real initial value from SUDO_VARDIR
AC_SUBST([timeout]) AC_SUBST([timeout])
@ -177,6 +178,7 @@ AC_SUBST([plugindir])
iolog_dir=/var/log/sudo-io iolog_dir=/var/log/sudo-io
log_dir=/var/log log_dir=/var/log
logpath=/var/log/sudo.log logpath=/var/log/sudo.log
relay_dir=/var/log/logsrvd-relay
rundir=/var/run/sudo rundir=/var/run/sudo
vardir=/var/adm/sudo vardir=/var/adm/sudo
timeout=5 timeout=5
@ -910,6 +912,13 @@ AC_ARG_WITH(iologdir, [AS_HELP_STRING([--with-iologdir=DIR], [directory to store
;; ;;
esac]) esac])
AC_ARG_WITH(relaydir, [AS_HELP_STRING([--with-relaydir=DIR], [directory to store sudo_logsrvd relay temporary files in])],
[case $with_relaydir in
yes) ;;
no) AC_MSG_ERROR(["--without-relaydir not supported."])
;;
esac])
AC_ARG_WITH(tzdir, [AS_HELP_STRING([--with-tzdir=DIR], [path to the time zone data directory])], AC_ARG_WITH(tzdir, [AS_HELP_STRING([--with-tzdir=DIR], [path to the time zone data directory])],
[case $with_tzdir in [case $with_tzdir in
yes) AC_MSG_ERROR(["must give --with-tzdir an argument."]) yes) AC_MSG_ERROR(["must give --with-tzdir an argument."])
@ -4424,6 +4433,7 @@ if test "$utmp_style" = "LEGACY"; then
fi fi
SUDO_LOGDIR SUDO_LOGDIR
SUDO_LOGFILE SUDO_LOGFILE
SUDO_RELAY_DIR
SUDO_RUNDIR SUDO_RUNDIR
SUDO_VARDIR SUDO_VARDIR
SUDO_IO_LOGDIR SUDO_IO_LOGDIR

20
doc/sudo_logsrvd.conf.man.in
View File

@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" .\"
.TH "SUDO_LOGSRVD.CONF" "@mansectform@" "April 9, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .TH "SUDO_LOGSRVD.CONF" "@mansectform@" "April 14, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@ -285,6 +285,14 @@ will wait for the relay to respond.
A value of 0 will disable the timeout. A value of 0 will disable the timeout.
The default value is 30. The default value is 30.
.TP 10n .TP 10n
relay_dir = path
The directory in which log messages are temporarily stored before they
are sent to the relay host.
Messages are stored in the wire format used by
sudo_logsrv.proto(@mansectform@)
The default value is
\fI@relay_dir@\fR.
.TP 10n
relay_host = host[:port][(tls)] relay_host = host[:port][(tls)]
The relay host name or IP address, optional port to connect to and The relay host name or IP address, optional port to connect to and
an optional Transport Layer Security (TLS) flag in parentheses. an optional Transport Layer Security (TLS) flag in parentheses.
@ -310,6 +318,16 @@ If multiple
\fIrelay_host\fR \fIrelay_host\fR
lines are specified, the first available relay host will be used. lines are specified, the first available relay host will be used.
.TP 10n .TP 10n
store_first = boolean
If true,
\fBsudo_logsrvd\fR
will store logs locally before relaying them.
Once the log is complete, a connection to the relay host is opened
and the log is relayed.
If the network connection is interrupted before the log can be fully
transfered, it will be retransmitted later.
The default is to relay logs in real-time.
.TP 10n
tcp_keepalive = boolean tcp_keepalive = boolean
If true, If true,
\fBsudo_logsrvd\fR \fBsudo_logsrvd\fR

20
doc/sudo_logsrvd.conf.mdoc.in
View File

@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" .\"
.Dd April 9, 2021 .Dd April 14, 2021
.Dt SUDO_LOGSRVD.CONF @mansectform@ .Dt SUDO_LOGSRVD.CONF @mansectform@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@ -247,6 +247,13 @@ setting controls the amount of time
will wait for the relay to respond. will wait for the relay to respond.
A value of 0 will disable the timeout. A value of 0 will disable the timeout.
The default value is 30. The default value is 30.
.It relay_dir = path
The directory in which log messages are temporarily stored before they
are sent to the relay host.
Messages are stored in the wire format used by
.Xr sudo_logsrv.proto @mansectform@
The default value is
.Pa @relay_dir@ .
.It relay_host = host Ns Oo : Ns port Oc Ns Op (tls) .It relay_host = host Ns Oo : Ns port Oc Ns Op (tls)
The relay host name or IP address, optional port to connect to and The relay host name or IP address, optional port to connect to and
an optional Transport Layer Security (TLS) flag in parentheses. an optional Transport Layer Security (TLS) flag in parentheses.
@ -265,12 +272,21 @@ The
could be running an instance of could be running an instance of
.Nm sudo_logsrvd .Nm sudo_logsrvd
or another server that supports the or another server that supports the
.Xr sudo_logsrv.proto 5 .Xr sudo_logsrv.proto @mansectform@
protocol. protocol.
.Pp .Pp
If multiple If multiple
.Em relay_host .Em relay_host
lines are specified, the first available relay host will be used. lines are specified, the first available relay host will be used.
.It store_first = boolean
If true,
.Nm sudo_logsrvd
will store logs locally before relaying them.
Once the log is complete, a connection to the relay host is opened
and the log is relayed.
If the network connection is interrupted before the log can be fully
transfered, it will be retransmitted later.
The default is to relay logs in real-time.
.It tcp_keepalive = boolean .It tcp_keepalive = boolean
If true, If true,
.Nm sudo_logsrvd .Nm sudo_logsrvd

2
doc/sudo_logsrvd.mdoc.in
View File

@ -38,7 +38,7 @@ By default,
.Nm .Nm
stores the logs locally but it can also be configured to stores the logs locally but it can also be configured to
relay them to another server that supports the relay them to another server that supports the
.Xr sudo_logsrv.proto 5 .Xr sudo_logsrv.proto @mansectform@
protocol. protocol.
.Pp .Pp
When not relaying, event log entries may be logged either via When not relaying, event log entries may be logged either via

2
logsrvd/logsrvd.h
View File

@ -167,6 +167,8 @@ const char *logsrvd_conf_iolog_dir(void);
const char *logsrvd_conf_iolog_file(void); const char *logsrvd_conf_iolog_file(void);
struct server_address_list *logsrvd_conf_server_listen_address(void); struct server_address_list *logsrvd_conf_server_listen_address(void);
struct server_address_list *logsrvd_conf_relay_address(void); struct server_address_list *logsrvd_conf_relay_address(void);
const char *logsrvd_conf_relay_dir(void);
bool logsrvd_conf_relay_store_first(void);
bool logsrvd_conf_relay_tcp_keepalive(void); bool logsrvd_conf_relay_tcp_keepalive(void);
bool logsrvd_conf_server_tcp_keepalive(void); bool logsrvd_conf_server_tcp_keepalive(void);
const char *logsrvd_conf_pid_file(void); const char *logsrvd_conf_pid_file(void);

49
logsrvd/logsrvd_conf.c
View File

@ -119,7 +119,9 @@ static struct logsrvd_config {
struct address_list_container relays; struct address_list_container relays;
struct timespec connect_timeout; struct timespec connect_timeout;
struct timespec timeout; struct timespec timeout;
char *relay_dir;
bool tcp_keepalive; bool tcp_keepalive;
bool store_first;
#if defined(HAVE_OPENSSL) #if defined(HAVE_OPENSSL)
char *tls_key_path; char *tls_key_path;
char *tls_cert_path; char *tls_cert_path;
@ -230,6 +232,18 @@ logsrvd_conf_relay_address(void)
return &logsrvd_config->relay.relays.addrs; return &logsrvd_config->relay.relays.addrs;
} }
const char *
logsrvd_conf_relay_dir(void)
{
return logsrvd_config->relay.relay_dir;
}
bool
logsrvd_conf_relay_store_first(void)
{
return logsrvd_config->relay.store_first;
}
bool bool
logsrvd_conf_relay_tcp_keepalive(void) logsrvd_conf_relay_tcp_keepalive(void)
{ {
@ -692,6 +706,36 @@ cb_relay_connect_timeout(struct logsrvd_config *config, const char *str, size_t
debug_return_bool(true); debug_return_bool(true);
} }
static bool
cb_relay_dir(struct logsrvd_config *config, const char *str, size_t offset)
{
char *copy = NULL;
debug_decl(cb_relay_dir, SUDO_DEBUG_UTIL);
if ((copy = strdup(str)) == NULL) {
sudo_warn(NULL);
debug_return_bool(false);
}
free(config->relay.relay_dir);
config->relay.relay_dir = copy;
debug_return_bool(true);
}
static bool
cb_relay_store_first(struct logsrvd_config *config, const char *str, size_t offset)
{
int val;
debug_decl(cb_relay_store_first, SUDO_DEBUG_UTIL);
if ((val = sudo_strtobool(str)) == -1)
debug_return_bool(false);
config->relay.store_first = val;
debug_return_bool(true);
}
static bool static bool
cb_relay_keepalive(struct logsrvd_config *config, const char *str, size_t offset) cb_relay_keepalive(struct logsrvd_config *config, const char *str, size_t offset)
{ {
@ -906,6 +950,8 @@ static struct logsrvd_config_entry relay_conf_entries[] = {
{ "relay_host", cb_relay_host }, { "relay_host", cb_relay_host },
{ "timeout", cb_relay_timeout }, { "timeout", cb_relay_timeout },
{ "connect_timeout", cb_relay_connect_timeout }, { "connect_timeout", cb_relay_connect_timeout },
{ "relay_dir", cb_relay_dir },
{ "store_first", cb_relay_store_first },
{ "tcp_keepalive", cb_relay_keepalive }, { "tcp_keepalive", cb_relay_keepalive },
#if defined(HAVE_OPENSSL) #if defined(HAVE_OPENSSL)
{ "tls_key", cb_tls_key, offsetof(struct logsrvd_config, relay.tls_key_path) }, { "tls_key", cb_tls_key, offsetof(struct logsrvd_config, relay.tls_key_path) },
@ -1133,6 +1179,7 @@ logsrvd_conf_free(struct logsrvd_config *config)
/* struct logsrvd_config_relay */ /* struct logsrvd_config_relay */
address_list_delref(&config->relay.relays.addrs); address_list_delref(&config->relay.relays.addrs);
free(config->relay.relay_dir);
#if defined(HAVE_OPENSSL) #if defined(HAVE_OPENSSL)
free(config->relay.tls_key_path); free(config->relay.tls_key_path);
free(config->relay.tls_cert_path); free(config->relay.tls_cert_path);
@ -1178,6 +1225,8 @@ logsrvd_conf_alloc(void)
config->relay.timeout.tv_sec = DEFAULT_SOCKET_TIMEOUT_SEC; config->relay.timeout.tv_sec = DEFAULT_SOCKET_TIMEOUT_SEC;
config->relay.connect_timeout.tv_sec = DEFAULT_SOCKET_TIMEOUT_SEC; config->relay.connect_timeout.tv_sec = DEFAULT_SOCKET_TIMEOUT_SEC;
config->relay.tcp_keepalive = true; config->relay.tcp_keepalive = true;
if (!cb_relay_dir(config, _PATH_SUDO_RELAY_DIR, 0))
goto bad;
#if defined(HAVE_OPENSSL) #if defined(HAVE_OPENSSL)
config->relay.tls_verify = -1; config->relay.tls_verify = -1;
config->relay.tls_check_peer = -1; config->relay.tls_check_peer = -1;

24
m4/sudo.m4
View File

@ -153,6 +153,30 @@ AC_MSG_RESULT([$vardir])
SUDO_DEFINE_UNQUOTED(_PATH_SUDO_LECTURE_DIR, "$vardir/lectured") SUDO_DEFINE_UNQUOTED(_PATH_SUDO_LECTURE_DIR, "$vardir/lectured")
])dnl ])dnl
dnl
dnl Where the sudo_logsrvd relay temporary log files go, use
dnl /var/log/logsrvd-relay if /var/log exists, else
dnl /{var,usr}/adm/logsrvd-relay
dnl
AC_DEFUN([SUDO_RELAY_DIR], [
AC_MSG_CHECKING(for sudo_logsrvd relay dir location)
if test "${with_relaydir-yes}" != "yes"; then
relay_dir="$with_relaydir"
else
# Default value of relay_dir set in configure.ac
for d in /var/log /var/adm /usr/adm; do
if test -d "$d"; then
relay_dir="$d/logsrvd-relay"
break
fi
done
fi
if test "${with_relaydir}" != "no"; then
SUDO_DEFINE_UNQUOTED(_PATH_SUDO_RELAY_DIR, "$relay_dir")
fi
AC_MSG_RESULT($relay_dir)
])dnl
dnl dnl
dnl Where the I/O log files go, use /var/log/sudo-io if dnl Where the I/O log files go, use /var/log/sudo-io if
dnl /var/log exists, else /{var,usr}/adm/sudo-io dnl /var/log exists, else /{var,usr}/adm/sudo-io

9
pathnames.h.in
View File

@ -133,6 +133,15 @@
# undef _PATH_SUDO_LOGDIR # undef _PATH_SUDO_LOGDIR
#endif /* _PATH_SUDO_LOGDIR */ #endif /* _PATH_SUDO_LOGDIR */
/*
* Where to store sudo_logsrvd relay temporary files. Defaults to
* /var/log/logsrvd-relay, /var/adm/logsrvd-relay or /usr/adm/logsrvd-relay
* depending on what exists.
*/
#ifndef _PATH_SUDO_RELAY_DIR
# undef _PATH_SUDO_RELAY_DIR
#endif /* _PATH_SUDO_RELAY_DIR */
/* /*
* Where to put the sudo log file when logging to a file. Defaults to * Where to put the sudo log file when logging to a file. Defaults to
* /var/log/sudo.log if /var/log exists, else /var/adm/sudo.log. * /var/log/sudo.log if /var/log exists, else /var/adm/sudo.log.