authorbluhm <bluhm@openbsd.org>2017-09-12 15:17:20 +0000
committerbluhm <bluhm@openbsd.org>2017-09-12 15:17:20 +0000
commita27d310c2f14331e5f0febc67e22d035fa7a5170 (patch)
tree66a2ca1d66029225b6db7e3c62979e411642cf86 /usr.sbin/syslogd
parentuse .Dv for ioctl(2) request names; (diff)
In the default configuration syslogd(8) kept two *:514 UDP sockets
open. These sockets are used for sending UDP packets if there is a UDP loghost in syslog.conf(5). If syslogd is started with -u, they can receive packets; otherwise they are disabled with shutdown(SHUT_RD). In case syslogd neither sends nor receives, close the sockets after reading the configuration file. This gives us a cleaner netstat output, and the ports are not reported by port scanners. This has no security implication. OK benno@ jca@ sthen@ deraadt@
Diffstat (limited to 'usr.sbin/syslogd')
-rw-r--r--usr.sbin/syslogd/syslogd.c20
1 files changed, 18 insertions, 2 deletions
diff --git a/usr.sbin/syslogd/syslogd.c b/usr.sbin/syslogd/syslogd.c
index 8d043123aaa..1b66f5b9f6a 100644
--- a/usr.sbin/syslogd/syslogd.c
+++ b/usr.sbin/syslogd/syslogd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: syslogd.c,v 1.245 2017/08/08 14:23:23 bluhm Exp $ */
+/* $OpenBSD: syslogd.c,v 1.246 2017/09/12 15:17:20 bluhm Exp $ */
/*
* Copyright (c) 1983, 1988, 1993, 1994
@@ -274,7 +274,7 @@ size_t ctl_reply_offset = 0; /* Number of bytes of reply written so far */
char *linebuf;
int linesize;
-int fd_ctlconn, fd_udp, fd_udp6;
+int fd_ctlconn, fd_udp, fd_udp6, send_udp, send_udp6;
struct event *ev_ctlaccept, *ev_ctlread, *ev_ctlwrite;
struct peer {
@@ -825,6 +825,20 @@ main(int argc, char *argv[])
event_add(ev_udp, NULL);
if (fd_udp6 != -1)
event_add(ev_udp6, NULL);
+ } else {
+ /*
+ * If generic UDP file descriptors are used neither
+ * for receiving nor for sending, close them. Then
+ * there is no useless *.514 in netstat.
+ */
+ if (fd_udp != -1 && !send_udp) {
+ close(fd_udp);
+ fd_udp = -1;
+ }
+ if (fd_udp6 != -1 && !send_udp6) {
+ close(fd_udp6);
+ fd_udp6 = -1;
+ }
}
for (i = 0; i < nbind; i++)
if (fd_bind[i] != -1)
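Review bot: Once fd_udp and fd_udp6 are closed and set to -1 in this else branch, a later re-read of the configuration that introduces a UDP loghost has no descriptor to hand out: cfline in the last hunk sets send_udp = 1 and then copies fd_udp, now -1, into f->f_file, so forwarding to that host would fail silently rather than at configuration time. The reload path is not part of this diff, so whether syslog.conf is re-read at runtime is inferred here, but if it is, either the sockets need to be reopened when send_udp or send_udp6 becomes set, or cfline should report the -1 descriptor with a warning instead of storing it. A one-line comment above the close, such as `/* NOTE: once closed, the descriptor is -1 for any later cfline() that wants it */`, would at least make the dependency visible. The enclosing if/else begins before this hunk and main() continues after it.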
@@ -2659,9 +2673,11 @@ cfline(char *line, char *progblock, char *hostblock)
if (strncmp(proto, "udp", 3) == 0) {
switch (f->f_un.f_forw.f_addr.ss_family) {
case AF_INET:
+ send_udp = 1;
f->f_file = fd_udp;
break;
case AF_INET6:
+ send_udp6 = 1;
f->f_file = fd_udp6;
break;
}