Re: relayd.conf may contain world readable cleartext passwords

Rafael Sadowski Wed, 18 Feb 2026 03:44:38 -0800

On Wed Feb 18, 2026 at 07:54:26AM +0100, Florian Obser wrote:
> In the past there was a desire to keep parse.y in sync. Something we did
> not fully achieve though:
> 
> find bin sbin usr.bin usr.sbin libexec -name parse.y -print0 | xargs -0 fgrep 
> '*pushfile('
> 
> bin/chio/parse.y:struct file  *pushfile(const char *);
> sbin/iked/parse.y:struct file *pushfile(const char *, int);
> sbin/ipsecctl/parse.y:struct file     *pushfile(const char *, int);
> sbin/pfctl/parse.y:struct file        *pushfile(const char *, int);
> sbin/unwind/parse.y:struct file       *pushfile(const char *, int);
> sbin/dhcpleased/parse.y:struct file   *pushfile(const char *, int);
> usr.sbin/acme-client/parse.y:struct file      *pushfile(const char *);
> usr.sbin/bgpd/parse.y:struct file     *pushfile(const char *, int);
> usr.sbin/dvmrpd/parse.y:struct file   *pushfile(const char *, int);
> usr.sbin/lpd/parse.y:struct file      *pushfile(const char *, int);
> usr.sbin/eigrpd/parse.y:static struct file    *pushfile(const char *, int);
> usr.sbin/hostapd/parse.y:struct file  *pushfile(const char *, int);
> usr.sbin/httpd/parse.y:struct file    *pushfile(const char *, int);
> usr.sbin/ifstated/parse.y:struct file *pushfile(const char *, int);
> usr.sbin/iscsictl/parse.y:struct file *pushfile(const char *, int);
> usr.sbin/ldapd/parse.y:struct file    *pushfile(const char *, int);
> usr.sbin/ldomctl/parse.y:struct file  *pushfile(const char *);
> usr.sbin/ldpd/parse.y:static struct file      *pushfile(const char *, int);
> usr.sbin/npppd/npppd/parse.y:struct file      *pushfile(const char *);
> usr.sbin/ntpd/parse.y:struct file     *pushfile(const char *);
> usr.sbin/ospf6d/parse.y:struct file   *pushfile(const char *, int);
> usr.sbin/ospfd/parse.y:struct file    *pushfile(const char *, int);
> usr.sbin/rad/parse.y:struct file      *pushfile(const char *, int);
> usr.sbin/radiusd/parse.y:struct file  *pushfile(const char *);
> usr.sbin/relayd/parse.y:struct file   *pushfile(const char *, int);
> usr.sbin/ripd/parse.y:struct file     *pushfile(const char *, int);
> usr.sbin/smtpd/parse.y:struct file    *pushfile(const char *, int);
> usr.sbin/snmpd/parse.y:struct file    *pushfile(const char *, int);
> usr.sbin/vmd/parse.y:struct file      *pushfile(const char *, int);
> usr.sbin/ypldap/parse.y:struct file   *pushfile(const char *, int);
>


Thanks for pointing that out. Although I consider this idea to have
failed (I have read through some parse.y), I don't want to drag it out
any further.

I'm OK with Christian's diff.

> I looked at npppd's parse.y and apparently it lost
> check_file_secrecy()...
> 
> On 2026-02-18 07:38 +01, Rafael Sadowski <[email protected]> wrote:
> > On Wed Feb 18, 2026 at 07:29:47AM +0100, Rafael Sadowski wrote:
> >> On Wed Feb 18, 2026 at 02:03:22AM +0100, Christian Schulte wrote:
> >> > Starting with revision 1.171 of parse.y [1], relayd config files may
> >> > contain cleartext passwords. Although the example relayd.conf file
> >> > is not group writeable or world read/writeable - preserved when copied
> >> > to /etc - the parser does not check file permissions.
> >> > 
> >> > $ ls -lah /etc/examples/relayd.conf
> >> > -rw-------  1 root  wheel   2.7K Feb 17 09:11 /etc/examples/relayd.conf
> >> > 
> >> > The parser should call check_file_secrecy to give users a chance to
> >> > notice they may be using unsecure file permissions. The following diff
> >> > adds those checks.
> >> > 
> >> > [1] 
> >> > <https://github.com/openbsd/src/commit/cf39ad791b5ef405f8d49ae32cced6e5cf55b8e7>
> >> > 
> >> > 
> >> > Index: usr.sbin/relayd/parse.y
> >> > ===================================================================
> >> > RCS file: /cvs/src/usr.sbin/relayd/parse.y,v
> >> > diff -u -p -u -r1.258 parse.y
> >> > --- usr.sbin/relayd/parse.y      28 Oct 2024 19:56:18 -0000      1.258
> >> > +++ usr.sbin/relayd/parse.y      18 Feb 2026 00:54:51 -0000
> >> > @@ -215,7 +215,7 @@ grammar              : /* empty */
> >> >  include         : INCLUDE STRING                {
> >> >                          struct file     *nfile;
> >> >  
> >> > -                        if ((nfile = pushfile($2, 0)) == NULL) {
> >> > +                        if ((nfile = pushfile($2, 1)) == NULL) {
> >> >                                  yyerror("failed to include file %s", 
> >> > $2);
> >> >                                  free($2);
> >> >                                  YYERROR;
> >> > @@ -2883,7 +2883,7 @@ parse_config(const char *filename, struc
> >> >  
> >> >          errors = 0;
> >> >  
> >> > -        if ((file = pushfile(filename, 0)) == NULL)
> >> > +        if ((file = pushfile(filename, 1)) == NULL)
> >> >                  return (-1);
> >> >  
> >> >          topfile = file;
> >> > @@ -2932,7 +2932,7 @@ load_config(const char *filename, struct
> >> >          proto = NULL;
> >> >          router = NULL;
> >> >  
> >> > -        if ((file = pushfile(filename, 0)) == NULL)
> >> > +        if ((file = pushfile(filename, 1)) == NULL)
> >> >                  return (-1);
> >> >  
> >> >          topfile = file;
> >> > 
> >> 
> >> I come to the same conclusion. However, I would completely remove the
> >> flag since it is no longer used. We should ALWAYS do check_file_secrecy.
> >> 
> >
> > ... and now with the proper diff:
> >
> > diff --git a/usr.sbin/relayd/parse.y b/usr.sbin/relayd/parse.y
> > index fcdfb8e92e3..62ba3522b6d 100644
> > --- a/usr.sbin/relayd/parse.y
> > +++ b/usr.sbin/relayd/parse.y
> > @@ -70,7 +70,7 @@ static struct file {
> >     int                      lineno;
> >     int                      errors;
> >  } *file, *topfile;
> > -struct file        *pushfile(const char *, int);
> > +struct file        *pushfile(const char *);
> >  int                 popfile(void);
> >  int                 check_file_secrecy(int, const char *);
> >  int                 yyparse(void);
> > @@ -215,7 +215,7 @@ grammar         : /* empty */
> >  include            : INCLUDE STRING                {
> >                     struct file     *nfile;
> >  
> > -                   if ((nfile = pushfile($2, 0)) == NULL) {
> > +                   if ((nfile = pushfile($2)) == NULL) {
> >                             yyerror("failed to include file %s", $2);
> >                             free($2);
> >                             YYERROR;
> > @@ -2814,7 +2814,7 @@ check_file_secrecy(int fd, const char *fname)
> >  }
> >  
> >  struct file *
> > -pushfile(const char *name, int secret)
> > +pushfile(const char *name)
> >  {
> >     struct file     *nfile;
> >  
> > @@ -2832,8 +2832,8 @@ pushfile(const char *name, int secret)
> >             free(nfile->name);
> >             free(nfile);
> >             return (NULL);
> > -   } else if (secret &&
> > -       check_file_secrecy(fileno(nfile->stream), nfile->name)) {
> > +   }
> > +   if (check_file_secrecy(fileno(nfile->stream), nfile->name)) {
> >             fclose(nfile->stream);
> >             free(nfile->name);
> >             free(nfile);
> > @@ -2883,7 +2883,7 @@ parse_config(const char *filename, struct relayd 
> > *x_conf)
> >  
> >     errors = 0;
> >  
> > -   if ((file = pushfile(filename, 0)) == NULL)
> > +   if ((file = pushfile(filename)) == NULL)
> >             return (-1);
> >  
> >     topfile = file;
> > @@ -2932,7 +2932,7 @@ load_config(const char *filename, struct relayd 
> > *x_conf)
> >     proto = NULL;
> >     router = NULL;
> >  
> > -   if ((file = pushfile(filename, 0)) == NULL)
> > +   if ((file = pushfile(filename)) == NULL)
> >             return (-1);
> >  
> >     topfile = file;
> >
> 
> -- 
> In my defence, I have been left unsupervised.
>

Re: relayd.conf may contain world readable cleartext passwords

Reply via email to