commit 1530e7aa087276696db7d321a1b9164a49ddea4b
parent 7441dfc4da8c9474ee767464dabe73ca90ff42ae
Author: kn <kn>
Date: Fri, 9 Oct 2020 07:43:38 +0000
Add nolog option to avoid syslog(3)
doas(1) unconditionally logs all executions but syslog.conf(5) provides no
means to filter messages by user, target or command.
Add the "nolog" option to doas.conf(5) such that syslog becomes an opt-out
feature; this keeps configuration simple enough yet powerful since rule
definition is the best place to decide whether to log commands or not on a
per rule basis - this also avoids duplicating information or logic in any
other log processing tool.
OK tedu martijn
Diffstat:
4 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/doas.c b/doas.c
@@ -391,8 +391,11 @@ main(int argc, char **argv)
else
cwd = cwdpath;
- syslog(LOG_AUTHPRIV | LOG_INFO, "%s ran command %s as %s from %s",
- mypw->pw_name, cmdline, targpw->pw_name, cwd);
+ if (!(rule->options & NOLOG)) {
+ syslog(LOG_AUTHPRIV | LOG_INFO,
+ "%s ran command %s as %s from %s",
+ mypw->pw_name, cmdline, targpw->pw_name, cwd);
+ }
envp = prepenv(rule, mypw, targpw);
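Review bot: The new guard drops the only success-path audit record for a privileged execution when the matched rule carries nolog, and nothing at the site says this is the intended per-rule opt-out rather than a missed log call; a short comment such as `/* "nolog" suppresses only this success record; see doas.conf.5 */` above the `if` would make that explicit. The denial and failed-authentication paths presumably keep their own syslog calls elsewhere in doas.c, which is what makes suppressing just this record reasonable — worth confirming that none of them test NOLOG, since the manual text in this commit promises only that successful executions go unlogged. The enclosing main() starts and ends outside the hunk.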
diff --git a/doas.conf.5 b/doas.conf.5
@@ -45,6 +45,9 @@ Options are:
.Bl -tag -width keepenv
.It Ic nopass
The user is not required to enter a password.
+.It Ic nolog
+Do not log successful command execution to
+.Xr syslogd 8 .
.It Ic persist
After the user successfully authenticates, do not ask for a password
again for some time.
@@ -140,6 +143,7 @@ permit nopass keepenv setenv { PATH } root as root
.Ed
.Sh SEE ALSO
.Xr doas 1
+.Xr syslogd 8
.Sh HISTORY
The
.Nm
diff --git a/doas.h b/doas.h
@@ -42,3 +42,4 @@ char **prepenv(const struct rule *, const struct passwd *,
#define NOPASS 0x1
#define KEEPENV 0x2
#define PERSIST 0x4
+#define NOLOG 0x8
diff --git a/parse.y b/parse.y
@@ -73,7 +73,7 @@ arraylen(const char **arr)
%}
%token TPERMIT TDENY TAS TCMD TARGS
-%token TNOPASS TPERSIST TKEEPENV TSETENV
+%token TNOPASS TNOLOG TPERSIST TKEEPENV TSETENV
%token TSTRING
%%
@@ -139,6 +139,9 @@ options: /* none */ {
option: TNOPASS {
$$.options = NOPASS;
$$.envlist = NULL;
+ } | TNOLOG {
+ $$.options = NOLOG;
+ $$.envlist = NULL;
} | TPERSIST {
$$.options = PERSIST;
$$.envlist = NULL;
@@ -212,6 +215,7 @@ static struct keyword {
{ "cmd", TCMD },
{ "args", TARGS },
{ "nopass", TNOPASS },
+ { "nolog", TNOLOG },
{ "persist", TPERSIST },
{ "keepenv", TKEEPENV },
{ "setenv", TSETENV },