[Bug 2681] postauth processes to log via monitor

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Fri Jun 23 14:33:20 AEST 2017 

https://bugzilla.mindrot.org/show_bug.cgi?id=2681

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Comment on attachment 2945
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2945
log in postauth via monitor (if there is no /dev/log)

> void
>-monitor_reinit(struct monitor *mon)
>+monitor_reinit(struct monitor *mon, const char *chroot_dir)
> {
>-	monitor_openfds(mon, 0);
>+	struct stat dev_log_stat;
>+	char *dev_log_path;
>+	int do_logfds = 0;
>+
>+	if (chroot_dir != NULL) {
>+		xasprintf(&dev_log_path, "%s/dev/log", chroot_dir);
>+
>+		if (stat(dev_log_path, &dev_log_stat) != 0) {
>+			debug("%s: /dev/log doesn't exist in %s chroot - will try to log via monitor using [postauth] suffix", __func__, chroot_dir);
>+			do_logfds = 1;

I think it's simpler to log via the monitor unconditionally. There are
fewer paths to think about that way.

> static char *auth_sock_name = NULL;
>@@ -365,8 +366,8 @@ do_exec_no_pty(Session *s, const char *c
> 		is_child = 1;
> 
> 		/* Child.  Reinitialize the log since the pid has changed. */
>-		log_init(__progname, options.log_level,
>-		    options.log_facility, log_stderr);
>+		log_init_handler(__progname, options.log_level,
>+		    options.log_facility, log_stderr, have_dev_log);

I'm not sure whether this is needed anymore. It seems like a holdover
from when log_init() called openlog() itself, but it stopped doing that
in <checks> November 1999 :)

>-		log_init(__progname, options.log_level,
>-		    options.log_facility, log_stderr);
>+		log_init_handler(__progname, options.log_level,
>+		    options.log_facility, log_stderr, have_dev_log);

ditto

>@@ -619,6 +620,7 @@ do_exec(Session *s, const char *command)
> 	int ret;
> 	const char *forced = NULL, *tty = NULL;
> 	char session_type[1024];
>+	struct stat dev_log_stat;
> 
> 	if (options.adm_forced_command) {
> 		original_command = command;
>@@ -676,6 +678,10 @@ do_exec(Session *s, const char *command)
> 			tty += 5;
> 	}
> 
>+	if (lstat("/dev/log", &dev_log_stat) != 0) {
>+		have_dev_log = 0;
>+	}
>+

ditto re always logging via monitor

>-	/*
>-	 * Close any extra open file descriptors so that we don't have them
>-	 * hanging around in clients.  Note that we want to do this after
>-	 * initgroups, because at least on Solaris 2.3 it leaves file
>-	 * descriptors open.
>-	 */
>-	closefrom(STDERR_FILENO + 1);

If you remove this then I think you need to add an explicit closefrom()
before the do_pwchange() call in do_child().

>-	closefrom(STDERR_FILENO + 1);

I don't think this one should be removed. IMO it would be better
arrange for the log socket to be on fd=4 and closefrom(5) instead (with
a comment explaining why).

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list