Commit Graph

71 Commits

Author SHA1 Message Date
Todd C. Miller
0dd2b6442a Add log_exit setting in the sudo_logsrvd.conf eventlog stanza
This causes sudo_logsrvd to log a record with the exit status or
terminating signal in response to an ExitMessage.
2021-07-09 11:08:44 -06:00
Todd C. Miller
efaa173fbe Replace logsrvd_is_early() with logsrvd_warn_stderr().
This is now defined in logsrvd_conf.c which removes a dependency
on another compilation unit for the fuzzer.
2021-06-16 08:45:29 -06:00
Todd C. Miller
2c1988410e Add support for logging server warning/error messages.
We can use sudo_warn_set_conversation() to set a conversation
function that either writes to a log file or calls syslog().
2021-06-13 18:27:36 -06:00
Todd C. Miller
7b33974f21 Remove logsrvd closure ERROR state and use a boolean flag instead.
Fixes a bug where we would not insert a journal file that failed
to relay into the queue because its state was changed from CONNECTING
to ERROR after failing to connect.
2021-06-08 19:51:54 -06:00
Todd C. Miller
f49930c62e Make the failed relay retry interval configurable.
This is the amount of time to wait before trying to resend a
journal to the relay server after a connection error.
2021-05-02 06:19:32 -06:00
Todd C. Miller
177816b787 Send outgoing messages to the relay server on startup.
Also attempt to retry messages that could not be relayed periodically.
2021-05-01 16:27:21 -06:00
Todd C. Miller
f92bb8840c Create journal files in an incoming directory, move to outgoing when complete.
This will make it possible to process completed journal files
periodically if the relay server is down.
2021-04-29 14:19:08 -06:00
Todd C. Miller
84a01d3a93 Move local iolog log functions to logsrvd_local.c 2021-04-27 14:46:27 -06:00
Todd C. Miller
761b02d34f Use function pointers for each client message type instead of conditionals.
This separates out the message handler from the functions that store
or relay the message contents.
2021-04-23 16:56:21 -06:00
Todd C. Miller
64ac63918e Add enqueue_error_message() helper function.
Formats and enqueues an error message and enables the write event.
2021-04-23 16:56:20 -06:00
Todd C. Miller
050e91f8d1 Forward the journaled entry after it has been stored locally. 2021-04-23 16:56:18 -06:00
Todd C. Miller
280fabac38 Stash the value of the store_first config setting in connection_closure.
If the configuration changes it should not affect a connection that
is already in progress.
2021-04-23 16:56:17 -06:00
Todd C. Miller
c2d3070fa1 Journal messages to disk when store_first is set in the relay section.
Instead of forwarding messages immediately, they are journaled
locally in wire format.
This will be used to implement relay store-and-forward mode.
2021-04-23 16:55:30 -06:00
Todd C. Miller
6f5b353e87 Add configuration for sudo_logsrvd store-and-forward mode.
Adds "relay_dir" and "store_first" settings to sudo_logsrvd.conf
in the [relay] section.  Also adds a --with-relaydir configure
argument to change the default value (usually /var/log/logsrvd-relay).
2021-04-23 16:54:15 -06:00
Todd C. Miller
110d9667e5 Use the packed message buffer when relaying if possible.
There's no need to rebuild the message buffer for anything but
RestartMessage and ClientHello.
2021-04-19 09:44:37 -06:00
Todd C. Miller
935daf6b7e Allocate the data buffer in get_free_buf() too.
We always know the size of the data buffer we need at allocation time.
2021-04-18 17:10:53 -06:00
Todd C. Miller
3dce67ec10 Relay ChangeWindowSize and CommandSuspend events too. 2021-04-17 07:59:13 -06:00
Todd C. Miller
163a5f08b5 Move relay configuration into its own section and add TLS options.
TLS options in the relay section will be used if specified, otherwise
the TLS options from the server section are used.
2021-04-08 19:14:05 -06:00
Todd C. Miller
25d4dd8e6d Add "server" and "relay" to getters/callbacks specific to server and relay. 2021-04-08 19:09:55 -06:00
Todd C. Miller
90770794db Remove struct logsrvd_tls_config.
Now that the SSL context is initialized in logsrvd_conf.c there's
no need to export TLS configuration other than tls_check_peer.
2021-04-08 18:07:59 -06:00
Todd C. Miller
9779996c3c No longer need struct logsrvd_tls_runtime, use SSL_CTX instead. 2021-04-08 15:39:26 -06:00
Todd C. Miller
86c815fd61 Add logsrvd_conf_cleanup() to free the conf data structures on exit.
There is no longer a need to do anything in shutdown_cb() other
than break out of the event loop.
2021-04-06 14:44:19 -06:00
Todd C. Miller
30f57bcdce Add sa_host to struct server_address as a ref counted string.
Also convert sa_str to ref counted string.
2021-04-06 14:44:19 -06:00
Todd C. Miller
b1c4de2088 Add support for relaying to another sudo_logsrvd via TLS. 2021-04-06 14:44:19 -06:00
Todd C. Miller
d60b8a791c Add a relay mode to sudo_logsrvd where it forwards instead of stores.
Relay hosts are specified in the server section of sudo_logsrvd.conf.
2021-04-06 14:44:19 -06:00
Todd C. Miller
8101b23e54 Rename listen_address -> server_address and add reference counting.
This will be used by the upcoming relay mode.
2021-04-06 14:44:19 -06:00
Todd C. Miller
71e5275a1c Move common TLS initialization code to tls_init.c. 2021-03-10 16:29:27 -07:00
Todd C. Miller
7bb5eef9d9 Use a tailq of write buffers instead of a single one per connection.
This allows us to queue up multiple messages for writing like the
sudoers client supports.  Currently, each connection has its own
free list.  In the future we may want a single free list with low
and high water marks.
2021-04-06 14:30:16 -06:00
Todd C. Miller
d452678787 Log peer address in sudo_logsrvd JSON-format logs.
The peer that connected to us might not be the same host where the
log entry originated.
2021-03-02 18:37:35 -07:00
Todd C. Miller
db72498257 Use struct eventlog in place of struct iolog_info. 2020-10-26 15:31:41 -06:00
Todd C. Miller
b9aff696fb No longer need eventlog-related getters in logsrvd.c 2020-10-26 15:29:44 -06:00
Todd C. Miller
8c43340474 Use libeventlog in sudo_logsrvd. 2020-10-26 15:26:02 -06:00
Todd C. Miller
707437f6cb Refactor eventlog code into a library 2020-10-26 15:24:35 -06:00
Todd C. Miller
e92d10011e Rename sa_len -> sa_size to avoid a conflict on UnixWare and others.
On some systems, sa_len is a #define for 4.4BSD compatibility.
2020-09-04 16:06:37 -06:00
Todd C. Miller
bd254e1042 Read/write runchroot and runcwd entries in the JSON event log. 2020-09-01 06:26:05 -06:00
Todd C. Miller
d2686dde0c Rename FLUSHED state to FINISHED
This makes more sense when receiving event-only logs.
2020-05-13 09:30:05 -06:00
Todd C. Miller
0337f5b735 Fix handling of connections without associated I/O logs.
This fixes reject events as well as accept events without the
expect_iobufs flag set.
2020-05-13 07:40:47 -06:00
Todd C. Miller
1659d96c55 Use port 30343 for plaintext and port 30344 for TLS.
For TLS connections we now do the TLS handshake immediately before
the ServerHello message.  This lets the client receive an alert
from the server if there is a handshake error after the TLS connect
has succeeded.  It also means that the contents of the ServerHello
are protected from a man-in-the-middle attack.
2020-05-05 13:23:26 -06:00
Todd C. Miller
18ff60f6ff Disable IPv4-mapped IPv6 addresses in the listener.
Also store the host + port string and use it in error messages.
2020-04-08 08:54:28 -06:00
Todd C. Miller
f908ddd1bf Create a pidfile for sudo_logsrvd when not run with the -n flag. 2020-03-29 05:05:08 -06:00
Todd C. Miller
cffda82e20 Do not use JSON_ARRAY with sudo_json_add_value() 2020-03-29 05:05:08 -06:00
Todd C. Miller
9b144069fc Store runenv in the I/O log info file too. 2020-03-29 05:05:08 -06:00
Todd C. Miller
ea9b711a70 Write an extended I/O info log in JSON format.
This will be used by sudoreplay if it exists to get more information
about the command being replayed.
2020-03-29 05:05:08 -06:00
Todd C. Miller
5034ea91be Some new source files got created with my old email address. 2020-03-29 05:05:08 -06:00
Todd C. Miller
f561e2cafe Store the event base in the client closure.
Explicitly passing the event base removes the need to set a default base.
2020-03-01 13:36:59 -07:00
Todd C. Miller
f40b4c2887 Open event log at config time instead of open/close for each entry.
If logging via syslog, do the openlog() at config time instead.
We still lock the log file prior to writing to it but unlock
immediately after.
2020-02-22 16:13:56 -07:00
Todd C. Miller
a0c2de4cef Re-register listeners on SIGHUP.
Previously, a config reload would refresh the listener address list
but the changes had no effect on the actual addresses being listened on.
2020-02-18 13:13:03 -07:00
Todd C. Miller
5781a6a4cf Add support for JSON logging in sudo_logsrvd. 2020-02-17 16:10:56 -07:00
Laszlo Orban
24c9438486 logserver option to disable certificate verification on server side and server authentication on client side 2020-01-23 10:12:12 -07:00
Laszlo Orban
38160d0ccb logserver: enable/disable SO_KEEPALIVE socket option based on tcp_keepalive configuration option in sudo_logsrvd.conf 2020-01-22 10:52:18 -07:00