From 35741267c0767d45ab00923eec6c98e87b4e3217 Mon Sep 17 00:00:00 2001 From: Xin LI Date: Thu, 14 Jul 2011 07:33:53 +0000 Subject: [PATCH] Add a new option, -N to disable the default and recommended syslogd(8) behavior, which binds to the well known UDP port. This option implies -s. MFC after: 2 months --- usr.sbin/syslogd/syslogd.8 | 9 ++++++++- usr.sbin/syslogd/syslogd.c | 30 +++++++++++++++++++++++------- 2 files changed, 31 insertions(+), 8 deletions(-) diff --git a/usr.sbin/syslogd/syslogd.8 b/usr.sbin/syslogd/syslogd.8 index ff0141daa08c..23ba6d0542ce 100644 --- a/usr.sbin/syslogd/syslogd.8 +++ b/usr.sbin/syslogd/syslogd.8 @@ -36,7 +36,7 @@ .Nd log systems messages .Sh SYNOPSIS .Nm -.Op Fl 468ACcdknosuv +.Op Fl 468ACcdkNnosuv .Op Fl a Ar allowed_peer .Op Fl b Ar bind_address .Op Fl f Ar config_file @@ -227,6 +227,13 @@ facility is reserved for messages read directly from Select the number of minutes between .Dq mark messages; the default is 20 minutes. +.It Fl N +Disable binding on UDP sockets. RFC 3164 recommends that outgoing +syslogd messages should originate from the privileged port, this +option +.Em disables +the recommended behavior. This option inherits +.Fl s . .It Fl n Disable dns query for every request. .It Fl o diff --git a/usr.sbin/syslogd/syslogd.c b/usr.sbin/syslogd/syslogd.c index 045da5b8159d..d1c9fd16e28b 100644 --- a/usr.sbin/syslogd/syslogd.c +++ b/usr.sbin/syslogd/syslogd.c @@ -278,6 +278,7 @@ static int fklog = -1; /* /dev/klog */ static int Initialized; /* set when we have initialized ourselves */ static int MarkInterval = 20 * 60; /* interval between marks in seconds */ static int MarkSeq; /* mark sequence number */ +static int NoBind; /* don't bind() as suggested by RFC 3164 */ static int SecureMode; /* when true, receive only unix domain socks */ #ifdef INET6 static int family = PF_UNSPEC; /* protocol family (IPv4, IPv6 or both) */ @@ -358,7 +359,7 @@ main(int argc, char *argv[]) dprintf("madvise() failed: %s\n", strerror(errno)); bindhostname = NULL; - while ((ch = getopt(argc, argv, "468Aa:b:cCdf:kl:m:nop:P:sS:Tuv")) + while ((ch = getopt(argc, argv, "468Aa:b:cCdf:kl:m:nNop:P:sS:Tuv")) != -1) switch (ch) { case '4': @@ -437,6 +438,10 @@ main(int argc, char *argv[]) case 'm': /* mark interval */ MarkInterval = atoi(optarg) * 60; break; + case 'N': + NoBind = 1; + SecureMode = 1; + break; case 'n': resolve = 0; break; @@ -2685,13 +2690,24 @@ socksetup(int af, char *bindhostname) close(*s); continue; } - if (bind(*s, r->ai_addr, r->ai_addrlen) < 0) { - close(*s); - logerror("bind"); - continue; - } + /* + * RFC 3164 recommends that client side message + * should come from the privileged syslogd port. + * + * If the system administrator choose not to obey + * this, we can skip the bind() step so that the + * system will choose a port for us. + */ + if (!NoBind) { + if (bind(*s, r->ai_addr, r->ai_addrlen) < 0) { + close(*s); + logerror("bind"); + continue; + } - double_rbuf(*s); + if (!SecureMode) + double_rbuf(*s); + } (*socks)++; s++;