Added the "nolog" configuration file flag which allows specified

users to perform commands without successful commands being logged to syslogd. Added documentation to doas.conf manual page and doas.conf.sample files to include tips and and example of the "nolog" flag in action. The "nolog" flag is a feature of OpenBSD's doas command and has been introduced for compatibility and as an optional way to avoid filling up system logs with successful doas calls.
2024-09-28 20:23:31 +00:00 · 2021-01-27 22:43:22 -04:00 · 2021-01-27 22:43:22 -04:00 · 91622fcbb1
parent 1110295035
commit 91622fcbb1
5 changed files with 19 additions and 3 deletions
--- a/doas.c
+++ b/doas.c
@ -557,8 +557,12 @@ main(int argc, char **argv)
 		err(1, "pledge");
        */

-	syslog(LOG_AUTHPRIV | LOG_INFO, "%s ran command %s as %s from %s",
-	    myname, cmdline, target_pw->pw_name, cwd);
+        /* skip logging if NOLOG is set */
+        if (!(rule->options & NOLOG))
+        {
+	    syslog(LOG_AUTHPRIV | LOG_INFO, "%s ran command %s as %s from %s",
+	            myname, cmdline, target_pw->pw_name, cwd);
+        }

 	envp = prepenv(rule, original_pw, target_pw);

--- a/doas.conf.5
+++ b/doas.conf.5
@ -47,6 +47,9 @@ Options are:
 .Bl -tag -width keepenv
 .It Ic nopass
 The user is not required to enter a password.
+.It Ic nolog
+Do not log successful command execution to
+.Xr syslogd.
 .It Ic persist
 After the user successfully authenticates, do not ask for a password
 again for some time. Works on OpenBSD only, persist is not available on Linux or FreeBSD.
--- a/doas.conf.sample
+++ b/doas.conf.sample
@ -16,3 +16,7 @@ permit keepenv bob as root
 # to perform package updates and upgrades.
 permit cindy as root cmd pkg args update
 permit cindy as root cmd pkg args upgrade
+
+# Allow david to run id command as root without logging it
+permit nolog david as root cmd id
+
--- a/doas.h
+++ b/doas.h
@ -43,6 +43,7 @@ struct passwd *copyenvpw(struct passwd *original);
 #define NOPASS		0x1
 #define KEEPENV		0x2
 #define PERSIST		0x4
+#define NOLOG           0x8

 #ifndef UID_MAX
 #define UID_MAX 65535
--- a/parse.y
+++ b/parse.y
@ -71,7 +71,7 @@ arraylen(const char **arr)
 %}

 %token TPERMIT TDENY TAS TCMD TARGS
-%token TNOPASS TPERSIST TKEEPENV TSETENV
+%token TNOPASS TNOLOG TPERSIST TKEEPENV TSETENV
 %token TSTRING

 %%
@ -137,6 +137,9 @@ options:	/* none */ {
 option:		TNOPASS {
 			$$.options = NOPASS;
 			$$.envlist = NULL;
+                } | TNOLOG {
+			$$.options = NOLOG;
+			$$.envlist = NULL;
 		} | TPERSIST {
 			$$.options = PERSIST;
 			$$.envlist = NULL;
@ -210,6 +213,7 @@ static struct keyword {
 	{ "cmd", TCMD },
 	{ "args", TARGS },
 	{ "nopass", TNOPASS },
+        { "nolog", TNOLOG },
 	{ "persist", TPERSIST },
 	{ "keepenv", TKEEPENV },
 	{ "setenv", TSETENV },