diff options
| author | Rainer Gerhards <rgerhards@adiscon.com> | 2007-12-19 07:25:58 +0000 |
|---|---|---|
| committer | Rainer Gerhards <rgerhards@adiscon.com> | 2007-12-19 07:25:58 +0000 |
| commit | 33a274f0258d6798f82aa16ddc2a77b718f81953 (patch) | |
| tree | 57c98d5e7094a524b747f08d45a2dee1967129a6 /syslogd.c | |
| parent | dce6853568b164dc015339fc6078ebd75f67346a (diff) | |
| download | rsyslog-33a274f0258d6798f82aa16ddc2a77b718f81953.tar.gz rsyslog-33a274f0258d6798f82aa16ddc2a77b718f81953.tar.xz rsyslog-33a274f0258d6798f82aa16ddc2a77b718f81953.zip | |
applied gss-api enhancement form varmojfekoj
Diffstat (limited to 'syslogd.c')
| -rw-r--r-- | syslogd.c | 88 |
1 files changed, 68 insertions, 20 deletions
@@ -643,6 +643,10 @@ static struct AllowedSenders *pAllowedSenders_UDP = NULL; /* the roots of the al struct AllowedSenders *pAllowedSenders_TCP = NULL; /* lists. If NULL, all senders are ok! */ static struct AllowedSenders *pLastAllowedSenders_UDP = NULL; /* and now the pointers to the last */ static struct AllowedSenders *pLastAllowedSenders_TCP = NULL; /* element in the respective list */ +#ifdef USE_GSSAPI +struct AllowedSenders *pAllowedSenders_GSS = NULL; +static struct AllowedSenders *pLastAllowedSenders_GSS = NULL; +#endif #endif /* #ifdef SYSLOG_INET */ int option_DisallowWarning = 1; /* complain if message from disallowed sender is received */ @@ -940,12 +944,24 @@ static void PrintAllowedSenders(int iListToPrint) struct AllowedSenders *pSender; uchar szIP[64]; - assert((iListToPrint == 1) || (iListToPrint == 2)); + assert((iListToPrint == 1) || (iListToPrint == 2) +#ifdef USE_GSSAPI + || (iListToPrint == 3) +#endif + ); printf("\nAllowed %s Senders:\n", - (iListToPrint == 1) ? "UDP" : "TCP"); - pSender = (iListToPrint == 1) ? - pAllowedSenders_UDP : pAllowedSenders_TCP; + (iListToPrint == 1) ? "UDP" : +#ifdef USE_GSSAPI + (iListToPrint == 3) ? "GSS" : +#endif + "TCP"); + + pSender = (iListToPrint == 1) ? pAllowedSenders_UDP : +#ifdef USE_GSSAPI + (iListToPrint == 3) ? pAllowedSenders_GSS : +#endif + pAllowedSenders_TCP; if(pSender == NULL) { printf("\tNo restrictions set.\n"); } else { @@ -1068,7 +1084,6 @@ int isAllowedSender(struct AllowedSenders *pAllowRoot, struct sockaddr *pFrom, c if (MaskCmp (&(pAllow->allowedSender), pAllow->SignificantBits, pFrom, pszFromHost)) return 1; } - dbgprintf("%s is not an allowed sender\n", pszFromHost); return 0; } #endif /* #ifdef SYSLOG_INET */ @@ -1629,7 +1644,7 @@ void getCurrTime(struct syslogTime *t) static int usage(void) { fprintf(stderr, "usage: rsyslogd [-46AdhqQvw] [-l hostlist] [-m markinterval] [-n] [-p path]\n" \ - " [-s domainlist] [-r[port]] [-tport[,max-sessions]] [-f conffile] [-i pidfile] [-x]\n"); + " [-s domainlist] [-r[port]] [-tport[,max-sessions]] [-gport[,max-sessions]] [-f conffile] [-i pidfile] [-x]\n"); exit(1); /* "good" exit - done to terminate usage() */ } @@ -3624,6 +3639,10 @@ static void die(int sig) if(sockTCPLstn != NULL && *sockTCPLstn) { deinit_tcp_listener(); } +#ifdef USE_GSSAPI + if(bEnableTCP & ALLOWEDMETHOD_GSS) + TCPSessGSSDeinit(); +#endif #endif /* Clean-up files. */ @@ -3714,6 +3733,11 @@ static rsRetVal addAllowedSenderLine(char* pName, uchar** ppRestOfConfLine) } else if(!strcasecmp(pName, "tcp")) { ppRoot = &pAllowedSenders_TCP; ppLast = &pLastAllowedSenders_TCP; +#ifdef USE_GSSAPI + } else if(!strcasecmp(pName, "gss")) { + ppRoot = &pAllowedSenders_GSS; + ppLast = &pLastAllowedSenders_GSS; +#endif } else { logerrorSz("Invalid protocol '%s' in allowed sender " "list, line ignored", pName); @@ -4217,6 +4241,9 @@ static void dbgPrintInitInfo(void) /* now the allowedSender lists: */ PrintAllowedSenders(1); /* UDP */ PrintAllowedSenders(2); /* TCP */ +#ifdef USE_GSSAPI + PrintAllowedSenders(3); /* GSS */ +#endif printf("\n"); #endif /* #ifdef SYSLOG_INET */ @@ -4370,9 +4397,19 @@ static void init(void) clearAllowedSenders (pAllowedSenders_TCP); pAllowedSenders_TCP = NULL; } +#ifdef USE_GSSAPI + if (pAllowedSenders_GSS != NULL) { + clearAllowedSenders (pAllowedSenders_GSS); + pAllowedSenders_GSS = NULL; + } +#endif } - assert(pAllowedSenders_UDP == NULL && pAllowedSenders_TCP == NULL); + assert(pAllowedSenders_UDP == NULL && pAllowedSenders_TCP == NULL +#ifdef USE_GSSAPI + && pAllowedSenders_GSS == NULL +#endif + ); #endif /* I was told by an IPv6 expert that calling getservbyname() seems to be * still valid, at least for the use case we have. So I re-enabled that @@ -4509,16 +4546,17 @@ static void init(void) * user-selectable option. rgerhards, 2007-06-21 */ # ifdef USE_GSSAPI - if(bEnableTCP == 2) { + if(bEnableTCP & ALLOWEDMETHOD_GSS) { if(TCPSessGSSInit()) { logerror("GSS-API initialization failed\n"); - bEnableTCP = -1; + bEnableTCP &= ~(ALLOWEDMETHOD_GSS); } } + if(bEnableTCP) # endif - if((sockTCPLstn = create_tcp_socket()) != NULL) { - dbgprintf("Opened %d syslog TCP port(s).\n", *sockTCPLstn); - } + if((sockTCPLstn = create_tcp_socket()) != NULL) { + dbgprintf("Opened %d syslog TCP port(s).\n", *sockTCPLstn); + } } } #endif @@ -5728,6 +5766,7 @@ static rsRetVal processSelectAfter(int maxfds, int nfds, fd_set *pReadfds, fd_se (struct sockaddr *)&frominet, (char*)fromHostFQDN)) { printchopped((char*)fromHost, line, l, finet[i+1], 1); } else { + dbgprintf("%s is not an allowed sender\n", (char*)fromHostFQDN); if(option_DisallowWarning) { logerrorSz("UDP message from disallowed sender %s discarded", (char*)fromHost); @@ -5752,7 +5791,7 @@ static rsRetVal processSelectAfter(int maxfds, int nfds, fd_set *pReadfds, fd_se if (FD_ISSET(sockTCPLstn[i+1], pReadfds)) { dbgprintf("New connect on TCP inetd socket: #%d\n", sockTCPLstn[i+1]); # ifdef USE_GSSAPI - if(bEnableTCP == 2) + if(bEnableTCP & ALLOWEDMETHOD_GSS) TCPSessGSSAccept(sockTCPLstn[i+1]); else # endif @@ -5773,14 +5812,15 @@ static rsRetVal processSelectAfter(int maxfds, int nfds, fd_set *pReadfds, fd_se /* Receive message */ # ifdef USE_GSSAPI - if(bEnableTCP == 2) + int allowedMethods = pTCPSessions[iTCPSess].allowedMethods; + if(allowedMethods & ALLOWEDMETHOD_GSS) state = TCPSessGSSRecv(iTCPSess, buf, sizeof(buf)); else # endif state = recv(fdSess, buf, sizeof(buf), 0); if(state == 0) { # ifdef USE_GSSAPI - if(bEnableTCP == 2) + if(allowedMethods & ALLOWEDMETHOD_GSS) TCPSessGSSClose(iTCPSess); else { # endif @@ -5795,7 +5835,7 @@ static rsRetVal processSelectAfter(int maxfds, int nfds, fd_set *pReadfds, fd_se logerrorInt("TCP session %d will be closed, error ignored\n", fdSess); # ifdef USE_GSSAPI - if(bEnableTCP == 2) + if(allowedMethods & ALLOWEDMETHOD_GSS) TCPSessGSSClose(iTCPSess); else # endif @@ -5810,7 +5850,7 @@ static rsRetVal processSelectAfter(int maxfds, int nfds, fd_set *pReadfds, fd_se "previous messages for reason(s)\n", iTCPSess); # ifdef USE_GSSAPI - if(bEnableTCP == 2) + if(allowedMethods & ALLOWEDMETHOD_GSS) TCPSessGSSClose(iTCPSess); else # endif @@ -6136,6 +6176,11 @@ static void printVersion(void) #else printf("\tSYSLOG_INET (Internet/remote support):\tNo\n"); #endif +#if defined(SYSLOG_INET) && defined(USE_GSSAPI) + printf("\tFEATURE_GSSAPI (GSSAPI Kerberos 5 support):\tYes\n"); +#else + printf("\tFEATURE_GSSAPI (GSSAPI Kerberos 5 support):\tNo\n"); +#endif #ifndef NDEBUG printf("\tFEATURE_DEBUG (debug build, slow code):\tYes\n"); #else @@ -6282,8 +6327,9 @@ int main(int argc, char **argv) break; case 'g': /* enable tcp gssapi logging */ #if defined(SYSLOG_INET) && defined(USE_GSSAPI) - configureTCPListen(optarg); - bEnableTCP = 2; + if (!bEnableTCP) + configureTCPListen(optarg); + bEnableTCP |= ALLOWEDMETHOD_GSS; #else fprintf(stderr, "rsyslogd: -g not valid - not compiled with gssapi support"); #endif @@ -6341,7 +6387,9 @@ int main(int argc, char **argv) break; case 't': /* enable tcp logging */ #ifdef SYSLOG_INET - configureTCPListen(optarg); + if (!bEnableTCP) + configureTCPListen(optarg); + bEnableTCP |= ALLOWEDMETHOD_TCP; #else fprintf(stderr, "rsyslogd: -t not valid - not compiled with network support"); #endif |