This message seems to have been lost in the archive, yet I did
receive a copy from the daemon, so I am bringing the matter up
once more.

måndag den 29 november 2010 klockan 01:02 skrev Mats Erik Andersson detta:
> Hello all,
> 
> I would like comments on a planned change to `src/syslogd.c'
> that makes it possible to have the daemon bind to a single
> INET socket, instead of the wildcard address that presently
> is the only possibility. Personally, I judge this a major
> improvement to the secure usage of the daemon, and I am supported
> by an old entry [1] in the BTS of Debian.
> 
> A preliminary patch is included here for the sake of discussion.
> (Not intended for pushing!) The changes implement the address
> resolver using getaddrinfo(3), thus preparing a later change
> to IPv6 support.

I have again tested this patch with IU-syslogd and IU-logger
alongside Rsyslogd on a Debian system and it works very well.

Is there a sensible reason not to implement this? Extensions to
allow multiple UDP sockets (but still no wildcard), and possibly TCP
communication, are best left for a later stage.

Best regards,
  Mats
--- inetutils/src/syslogd.c
+++ inetutils/src/syslogd.c	
@@ -268,6 +268,7 @@
 int finet = -1;			/* Internet datagram socket fd.  */
 int fklog = -1;			/* Kernel log device fd.  */
 int LogPort;			/* Port number for INET connections.  */
+char *LogHost = NULL;		/* Address for single homed IP socket.  */
 int Initialized;		/* True when we are initialized. */
 int MarkInterval = 20 * 60;	/* Interval between marks in seconds.  */
 int MarkSeq;			/* Mark sequence number.  */
@@ -309,6 +310,8 @@
   {"hop", 'h', NULL, 0, "forward messages from remote hosts", GRP+1},
   {"inet", 'r', NULL, 0, "receive remote messages via internet domain socket",
    GRP+1},
+  {"bind", 'b', "ADDRESS", 0, "bind to a single internet domain address "
+   "(only with --inet; default is binding to all)", GRP+1},
   {"mark", 'm', "INTVL", 0, "specify timestamp interval in logs (0 for no "
    "timestamps)", GRP+1},
   {"no-detach", 'n', NULL, 0, "do not enter daemon mode", GRP+1},
@@ -365,6 +368,11 @@
       AcceptRemote = 1;
       break;
 
+    case 'b':
+      if (arg && *arg)
+	LogHost = arg;
+      break;
+
     case 'm':
       v = strtol (arg, &endptr, 10);
       if (*endptr)
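Review bot: The new `case 'b'` silently ignores an empty argument (`--bind ""`), so the daemon falls back to the wildcard bind while the operator believes the listener has been restricted, which defeats the hardening purpose of the option. The neighbouring 'm' case shows the file's style of rejecting a malformed argument after `strtol`; an empty address should be reported the same way rather than dropped, e.g. `if (!arg || !*arg) argp_error (state, "--bind requires a non-empty address");`, assuming this is the argp parser whose state argument is in scope (the parser function begins and ends outside the hunk). The help text for --bind promises it is meaningful only with --inet, but nothing in the hunk checks that AcceptRemote was also set; such a check would belong in this parser or right after parsing, outside the visible lines.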
@@ -784,24 +792,41 @@
 static int
 create_inet_socket (void)
 {
-  int fd;
-  struct sockaddr_in sin;
+  int err, fd = -1;
+  struct addrinfo hints, *rp, *ai;
+
+  memset (&hints, 0, sizeof (hints));
+  hints.ai_family = AF_INET;
+  hints.ai_socktype = SOCK_DGRAM;
+  hints.ai_flags = AI_PASSIVE;
 
-  fd = socket (AF_INET, SOCK_DGRAM, 0);
-  if (fd < 0)
+  err = getaddrinfo (LogHost, "syslog", &hints, &rp);
+  if (err)
     {
-      logerror ("unknown protocol, suspending inet service");
+      logerror ("inet service: lookup error");
       return fd;
     }
 
-  memset (&sin, 0, sizeof (sin));
-  sin.sin_family = AF_INET;
-  sin.sin_port = LogPort;
-  if (bind (fd, (struct sockaddr *) &sin, sizeof (sin)) < 0)
+  for (ai = rp; ai; ai = ai->ai_next)
     {
-      logerror ("bind, suspending inet");
-      close (fd);
-      return -1;
+      fd = socket (ai->ai_family, ai->ai_socktype, ai->ai_protocol);
+      if (fd < 0)
+	continue;
+      if (bind (fd, ai->ai_addr, ai->ai_addrlen) < 0)
+	{
+	  close (fd);
+	  fd = -1;
+	  continue;
+	}
+      /* Success  */
+      break;
+    }
+  freeaddrinfo (rp);
+
+  if (ai == NULL)
+    {
+      logerror ("inet service: Failed host lookup.");
+      return fd;
     }
   return fd;
 }
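Review bot: The rewritten create_inet_socket hard-codes the service string "syslog" in the getaddrinfo() call, so LogPort — which the removed bind() assigned to sin_port and which is presumably still what the rest of the daemon uses — no longer decides the listening port; a differing services entry would make the daemon listen on one port and treat LogPort as authoritative elsewhere, with no diagnostic. Both diagnostics in the hunk also discard the real cause: the lookup branch drops `err` instead of reporting gai_strerror(err), and the message after the loop says "Failed host lookup." although at that point the lookup succeeded and it was socket() or bind() that failed, so errno holds the actual explanation. The trailing `if (ai == NULL) return fd;` followed by `return fd;` is also redundant and can collapse into the single return. Derive the service argument from LogPort with AI_NUMERICSERV and report the specific cause, as below; LogPort's byte order must be confirmed against where it is assigned, outside this hunk.
```c
static int
create_inet_socket (void)
{
  int err, fd = -1;
  struct addrinfo hints, *rp, *ai;
  char port[16];

  /* … unchanged: hints setup (ai_family, ai_socktype) … */
  hints.ai_flags = AI_PASSIVE | AI_NUMERICSERV;

  /* The old code assigned LogPort straight to sin_port, so it is
     presumably already in network byte order — confirm at its
     assignment before relying on ntohs() here.  */
  snprintf (port, sizeof port, "%u", (unsigned) ntohs (LogPort));
  err = getaddrinfo (LogHost, port, &hints, &rp);
  if (err)
    {
      char msg[128];
      snprintf (msg, sizeof msg, "inet service: lookup error: %s",
		gai_strerror (err));
      logerror (msg);
      return fd;
    }

  /* … unchanged: socket/bind loop and freeaddrinfo … */

  if (ai == NULL)
    logerror ("inet service: socket or bind failed for every address");
  return fd;
}
```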
