In the past there was a desire to keep parse.y in sync. Something we did
not fully achieve though:
find bin sbin usr.bin usr.sbin libexec -name parse.y -print0 | xargs -0 fgrep
'*pushfile('
bin/chio/parse.y:struct file *pushfile(const char *);
sbin/iked/parse.y:struct file *pushfile(const char *, int);
sbin/ipsecctl/parse.y:struct file *pushfile(const char *, int);
sbin/pfctl/parse.y:struct file *pushfile(const char *, int);
sbin/unwind/parse.y:struct file *pushfile(const char *, int);
sbin/dhcpleased/parse.y:struct file *pushfile(const char *, int);
usr.sbin/acme-client/parse.y:struct file *pushfile(const char *);
usr.sbin/bgpd/parse.y:struct file *pushfile(const char *, int);
usr.sbin/dvmrpd/parse.y:struct file *pushfile(const char *, int);
usr.sbin/lpd/parse.y:struct file *pushfile(const char *, int);
usr.sbin/eigrpd/parse.y:static struct file *pushfile(const char *, int);
usr.sbin/hostapd/parse.y:struct file *pushfile(const char *, int);
usr.sbin/httpd/parse.y:struct file *pushfile(const char *, int);
usr.sbin/ifstated/parse.y:struct file *pushfile(const char *, int);
usr.sbin/iscsictl/parse.y:struct file *pushfile(const char *, int);
usr.sbin/ldapd/parse.y:struct file *pushfile(const char *, int);
usr.sbin/ldomctl/parse.y:struct file *pushfile(const char *);
usr.sbin/ldpd/parse.y:static struct file *pushfile(const char *, int);
usr.sbin/npppd/npppd/parse.y:struct file *pushfile(const char *);
usr.sbin/ntpd/parse.y:struct file *pushfile(const char *);
usr.sbin/ospf6d/parse.y:struct file *pushfile(const char *, int);
usr.sbin/ospfd/parse.y:struct file *pushfile(const char *, int);
usr.sbin/rad/parse.y:struct file *pushfile(const char *, int);
usr.sbin/radiusd/parse.y:struct file *pushfile(const char *);
usr.sbin/relayd/parse.y:struct file *pushfile(const char *, int);
usr.sbin/ripd/parse.y:struct file *pushfile(const char *, int);
usr.sbin/smtpd/parse.y:struct file *pushfile(const char *, int);
usr.sbin/snmpd/parse.y:struct file *pushfile(const char *, int);
usr.sbin/vmd/parse.y:struct file *pushfile(const char *, int);
usr.sbin/ypldap/parse.y:struct file *pushfile(const char *, int);
I looked at npppd's parse.y and apparently it lost
check_file_secrecy()...
On 2026-02-18 07:38 +01, Rafael Sadowski <[email protected]> wrote:
> On Wed Feb 18, 2026 at 07:29:47AM +0100, Rafael Sadowski wrote:
>> On Wed Feb 18, 2026 at 02:03:22AM +0100, Christian Schulte wrote:
>> > Starting with revision 1.171 of parse.y [1], relayd config files may
>> > contain cleartext passwords. Although the example relayd.conf file
>> > is not group writeable or world read/writeable - preserved when copied
>> > to /etc - the parser does not check file permissions.
>> >
>> > $ ls -lah /etc/examples/relayd.conf
>> > -rw------- 1 root wheel 2.7K Feb 17 09:11 /etc/examples/relayd.conf
>> >
>> > The parser should call check_file_secrecy to give users a chance to
>> > notice they may be using unsecure file permissions. The following diff
>> > adds those checks.
>> >
>> > [1]
>> > <https://github.com/openbsd/src/commit/cf39ad791b5ef405f8d49ae32cced6e5cf55b8e7>
>> >
>> >
>> > Index: usr.sbin/relayd/parse.y
>> > ===================================================================
>> > RCS file: /cvs/src/usr.sbin/relayd/parse.y,v
>> > diff -u -p -u -r1.258 parse.y
>> > --- usr.sbin/relayd/parse.y 28 Oct 2024 19:56:18 -0000 1.258
>> > +++ usr.sbin/relayd/parse.y 18 Feb 2026 00:54:51 -0000
>> > @@ -215,7 +215,7 @@ grammar : /* empty */
>> > include : INCLUDE STRING {
>> > struct file *nfile;
>> >
>> > - if ((nfile = pushfile($2, 0)) == NULL) {
>> > + if ((nfile = pushfile($2, 1)) == NULL) {
>> > yyerror("failed to include file %s", $2);
>> > free($2);
>> > YYERROR;
>> > @@ -2883,7 +2883,7 @@ parse_config(const char *filename, struc
>> >
>> > errors = 0;
>> >
>> > - if ((file = pushfile(filename, 0)) == NULL)
>> > + if ((file = pushfile(filename, 1)) == NULL)
>> > return (-1);
>> >
>> > topfile = file;
>> > @@ -2932,7 +2932,7 @@ load_config(const char *filename, struct
>> > proto = NULL;
>> > router = NULL;
>> >
>> > - if ((file = pushfile(filename, 0)) == NULL)
>> > + if ((file = pushfile(filename, 1)) == NULL)
>> > return (-1);
>> >
>> > topfile = file;
>> >
>>
>> I come to the same conclusion. However, I would completely remove the
>> flag since it is no longer used. We should ALWAYS do check_file_secrecy.
>>
>
> ... and now with the proper diff:
>
> diff --git a/usr.sbin/relayd/parse.y b/usr.sbin/relayd/parse.y
> index fcdfb8e92e3..62ba3522b6d 100644
> --- a/usr.sbin/relayd/parse.y
> +++ b/usr.sbin/relayd/parse.y
> @@ -70,7 +70,7 @@ static struct file {
> int lineno;
> int errors;
> } *file, *topfile;
> -struct file *pushfile(const char *, int);
> +struct file *pushfile(const char *);
> int popfile(void);
> int check_file_secrecy(int, const char *);
> int yyparse(void);
> @@ -215,7 +215,7 @@ grammar : /* empty */
> include : INCLUDE STRING {
> struct file *nfile;
>
> - if ((nfile = pushfile($2, 0)) == NULL) {
> + if ((nfile = pushfile($2)) == NULL) {
> yyerror("failed to include file %s", $2);
> free($2);
> YYERROR;
> @@ -2814,7 +2814,7 @@ check_file_secrecy(int fd, const char *fname)
> }
>
> struct file *
> -pushfile(const char *name, int secret)
> +pushfile(const char *name)
> {
> struct file *nfile;
>
> @@ -2832,8 +2832,8 @@ pushfile(const char *name, int secret)
> free(nfile->name);
> free(nfile);
> return (NULL);
> - } else if (secret &&
> - check_file_secrecy(fileno(nfile->stream), nfile->name)) {
> + }
> + if (check_file_secrecy(fileno(nfile->stream), nfile->name)) {
> fclose(nfile->stream);
> free(nfile->name);
> free(nfile);
> @@ -2883,7 +2883,7 @@ parse_config(const char *filename, struct relayd
> *x_conf)
>
> errors = 0;
>
> - if ((file = pushfile(filename, 0)) == NULL)
> + if ((file = pushfile(filename)) == NULL)
> return (-1);
>
> topfile = file;
> @@ -2932,7 +2932,7 @@ load_config(const char *filename, struct relayd *x_conf)
> proto = NULL;
> router = NULL;
>
> - if ((file = pushfile(filename, 0)) == NULL)
> + if ((file = pushfile(filename)) == NULL)
> return (-1);
>
> topfile = file;
>
--
In my defence, I have been left unsupervised.
