opendoas

my fork of doas with custom prompt
git clone git://git.kocotian.pl/opendoas.git

commit 1530e7aa087276696db7d321a1b9164a49ddea4b
parent 7441dfc4da8c9474ee767464dabe73ca90ff42ae
Author: kn <kn>
Date:   Fri,  9 Oct 2020 07:43:38 +0000

Add nolog option to avoid syslog(3)

doas(1) unconditionally logs all executions but syslog.conf(5) provides no
means to filter messages by user, target or command.

Add the "nolog" option to doas.conf(5) such that syslog becomes an opt-out
feature;  this keeps configuration simple enough yet powerful since rule
definition is the best place to decide whether to log commands or not on a
per rule basis - this also avoids duplicating information or logic in any
other log processing tool.

OK tedu martijn

Diffstat:
Mdoas.c | 7+++++--
Mdoas.conf.5 | 4++++
Mdoas.h | 1+
Mparse.y | 6+++++-
4 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/doas.c b/doas.c
@@ -391,8 +391,11 @@ main(int argc, char **argv)
 else cwd = cwdpath;
- syslog(LOG_AUTHPRIV | LOG_INFO, "%s ran command %s as %s from %s",
- mypw->pw_name, cmdline, targpw->pw_name, cwd);
+ if (!(rule->options & NOLOG)) {
+ syslog(LOG_AUTHPRIV | LOG_INFO,
+ "%s ran command %s as %s from %s",
+ mypw->pw_name, cmdline, targpw->pw_name, cwd);
+ }
 envp = prepenv(rule, mypw, targpw);
diff --git a/doas.conf.5 b/doas.conf.5
@@ -45,6 +45,9 @@ Options are:
 .Bl -tag -width keepenv
 .It Ic nopass
 The user is not required to enter a password.
+.It Ic nolog
+Do not log successful command execution to
+.Xr syslogd 8 .
 .It Ic persist
 After the user successfully authenticates, do not ask for a password again for some time.
@@ -140,6 +143,7 @@ permit nopass keepenv setenv { PATH } root as root
 .Ed
 .Sh SEE ALSO
 .Xr doas 1
+.Xr syslogd 8
 .Sh HISTORY
 The
 .Nm
diff --git a/doas.h b/doas.h
@@ -42,3 +42,4 @@ char **prepenv(const struct rule *, const struct passwd *,
 #define NOPASS 0x1
 #define KEEPENV 0x2
 #define PERSIST 0x4
+#define NOLOG 0x8
diff --git a/parse.y b/parse.y
@@ -73,7 +73,7 @@ arraylen(const char **arr)
 %}
 %token TPERMIT TDENY TAS TCMD TARGS
-%token TNOPASS TPERSIST TKEEPENV TSETENV
+%token TNOPASS TNOLOG TPERSIST TKEEPENV TSETENV
 %token TSTRING
 %%
@@ -139,6 +139,9 @@ options: /* none */ {
 option: TNOPASS {
 $$.options = NOPASS;
 $$.envlist = NULL;
+ } | TNOLOG {
+ $$.options = NOLOG;
+ $$.envlist = NULL;
 } | TPERSIST {
 $$.options = PERSIST;
 $$.envlist = NULL;
@@ -212,6 +215,7 @@ static struct keyword {
 { "cmd", TCMD },
 { "args", TARGS },
 { "nopass", TNOPASS },
+ { "nolog", TNOLOG },
 { "persist", TPERSIST },
 { "keepenv", TKEEPENV },
 { "setenv", TSETENV },
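Review bot: In the doas.c hunk, the new `if (!(rule->options & NOLOG))` guard in main() suppresses the only audit record of a successful privileged execution that this hunk shows, and nothing at the call site says so. I would add a comment above it such as `/* nolog: rule opts out of the success record only; denial and auth-failure logging must stay unconditional */`. The manual text added in doas.conf.5 suggests only successful runs are affected, but the failure paths are outside the hunk, so that should be confirmed there. A rule that combines `nopass` with `nolog` would presumably leave no doas-side trace at all, so configuration reviews should flag `nolog` rules, and hosts that need the trail should keep independent process auditing. main() begins and continues outside the hunk.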