diff --git a/defaults.h b/defaults.h new file mode 100644 index 00000000..b641bf3f --- /dev/null +++ b/defaults.h @@ -0,0 +1,61 @@ +/* + * SSLsplit - transparent and scalable SSL/TLS interception + * Copyright (c) 2009-2014, Daniel Roethlisberger + * All rights reserved. + * http://www.roe.ch/SSLsplit + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice unmodified, this list of conditions, and the following + * disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef DEFAULTS_H +#define DEFAULTS_H + +/* + * Defaults for convenient tweaking or patching. + */ + +/* + * User to drop privileges to by default. + * Packagers may want to use a specific service user account instead of + * overloading nobody with yet another use case. Using nobody for source + * builds makes sense because chances are high that it exists. + */ +#define DFLT_DROPUSER "nobody" + +/* + * Default file and directory modes for newly created files and directories + * created as part of e.g. logging. The default is to use full permissions + * subject to the system's umask, as is the default for system utilities. + * Use a more restrictive mode for the PID file. + */ +#define DFLT_DIRMODE 0777 +#define DFLT_FILEMODE 0666 +#define DFLT_PIDFMODE 0644 + +/* + * Default elliptic curve for EC cipher suites. + */ +#define DFLT_CURVE "secp160r2" + +#endif /* !DEFAULTS_H */ + +/* vim: set noet ft=c: */ diff --git a/log.c b/log.c index 262b4f14..fd65b7f8 100644 --- a/log.c +++ b/log.c @@ -32,6 +32,7 @@ #include "sys.h" #include "attrib.h" #include "privsep.h" +#include "defaults.h" #include #include @@ -164,14 +165,37 @@ log_dbg_mode(int mode) logger_t *connect_log = NULL; static int connect_fd = -1; +static char *connect_fn = NULL; static int -log_connect_open(const char *logfile) +log_connect_preinit(const char *logfile) { - connect_fd = open(logfile, O_WRONLY|O_APPEND|O_CREAT, 0660); + connect_fd = open(logfile, O_WRONLY|O_APPEND|O_CREAT, DFLT_FILEMODE); + if (connect_fd == -1) { + log_err_printf("Failed to open '%s' for writing: %s (%i)\n", + logfile, strerror(errno), errno); + return -1; + } + if (!(connect_fn = realpath(logfile, NULL))) { + log_err_printf("Failed to realpath '%s': %s (%i)\n", + logfile, strerror(errno), errno); + close(connect_fd); + connect_fd = -1; + return -1; + } + return 0; +} + +static int +log_connect_reopencb(void) +{ + close(connect_fd); + connect_fd = open(connect_fn, O_WRONLY|O_APPEND|O_CREAT, DFLT_FILEMODE); if (connect_fd == -1) { log_err_printf("Failed to open '%s' for writing: %s\n", - logfile, strerror(errno)); + connect_fn, strerror(errno)); + free(connect_fn); + connect_fn = NULL; return -1; } return 0; @@ -207,7 +231,7 @@ log_connect_writecb(UNUSED void *fh, const void *buf, size_t sz) } static void -log_connect_close(void) +log_connect_fini(void) { close(connect_fd); } @@ -227,46 +251,25 @@ log_connect_close(void) struct log_content_ctx { unsigned int open : 1; - int fd; union { struct { char *header_req; char *header_resp; } file; struct { + int fd; char *filename; } dir; struct { + int fd; char *filename; } spec; } u; }; static logger_t *content_log = NULL; -static int content_fd = -1; /* set in 'file' mode */ static int content_clisock = -1; /* privsep client socket for content logger */ -static int -log_content_file_preinit(const char *logfile) -{ - content_fd = open(logfile, O_WRONLY|O_APPEND|O_CREAT, 0660); - if (content_fd == -1) { - log_err_printf("Failed to open '%s' for writing: %s\n", - logfile, strerror(errno)); - return -1; - } - return 0; -} - -static void -log_content_file_fini(void) -{ - if (content_fd != -1) { - close(content_fd); - content_fd = -1; - } -} - /* * Split a pathname into static LHS (including final slashes) and dynamic RHS. * Returns -1 on error, 0 on success. @@ -503,7 +506,6 @@ log_content_open(log_content_ctx_t **pctx, opts_t *opts, } } else { /* single-file content log (-L) */ - ctx->fd = content_fd; if (asprintf(&ctx->u.file.header_req, "%s -> %s", srcaddr, dstaddr) < 0) { goto errout; @@ -556,30 +558,20 @@ log_content_close(log_content_ctx_t **pctx) } /* - * Callback functions that are executed in the logger thread. + * Log-type specific code. + * + * The init/fini functions are executed globally in the main thread. + * Callback functions are executed in the logger thread. */ -static ssize_t -log_content_common_writecb(void *fh, const void *buf, size_t sz) -{ - log_content_ctx_t *ctx = fh; - - if (write(ctx->fd, buf, sz) == -1) { - log_err_printf("Warning: Failed to write to content log: %s\n", - strerror(errno)); - return -1; - } - return 0; -} - static int log_content_dir_opencb(void *fh) { log_content_ctx_t *ctx = fh; - if ((ctx->fd = privsep_client_openfile(content_clisock, - ctx->u.dir.filename, - 0)) == -1) { + if ((ctx->u.dir.fd = privsep_client_openfile(content_clisock, + ctx->u.dir.filename, + 0)) == -1) { log_err_printf("Opening logdir file '%s' failed: %s (%i)\n", ctx->u.dir.filename, strerror(errno), errno); return -1; @@ -594,19 +586,32 @@ log_content_dir_closecb(void *fh) if (ctx->u.dir.filename) free(ctx->u.dir.filename); - if (ctx->fd != 1) - close(ctx->fd); + if (ctx->u.dir.fd != 1) + close(ctx->u.dir.fd); free(ctx); } +static ssize_t +log_content_dir_writecb(void *fh, const void *buf, size_t sz) +{ + log_content_ctx_t *ctx = fh; + + if (write(ctx->u.dir.fd, buf, sz) == -1) { + log_err_printf("Warning: Failed to write to content log: %s\n", + strerror(errno)); + return -1; + } + return 0; +} + static int log_content_spec_opencb(void *fh) { log_content_ctx_t *ctx = fh; - if ((ctx->fd = privsep_client_openfile(content_clisock, - ctx->u.spec.filename, - 1)) == -1) { + if ((ctx->u.spec.fd = privsep_client_openfile(content_clisock, + ctx->u.spec.filename, + 1)) == -1) { log_err_printf("Opening logspec file '%s' failed: %s (%i)\n", ctx->u.spec.filename, strerror(errno), errno); return -1; @@ -621,11 +626,74 @@ log_content_spec_closecb(void *fh) if (ctx->u.spec.filename) free(ctx->u.spec.filename); - if (ctx->fd != -1) - close(ctx->fd); + if (ctx->u.spec.fd != -1) + close(ctx->u.spec.fd); free(ctx); } +static ssize_t +log_content_spec_writecb(void *fh, const void *buf, size_t sz) +{ + log_content_ctx_t *ctx = fh; + + if (write(ctx->u.spec.fd, buf, sz) == -1) { + log_err_printf("Warning: Failed to write to content log: %s\n", + strerror(errno)); + return -1; + } + return 0; +} + +static int content_file_fd = -1; +static char *content_file_fn = NULL; + +static int +log_content_file_preinit(const char *logfile) +{ + content_file_fd = open(logfile, O_WRONLY|O_APPEND|O_CREAT, + DFLT_FILEMODE); + if (content_file_fd == -1) { + log_err_printf("Failed to open '%s' for writing: %s (%i)\n", + logfile, strerror(errno), errno); + return -1; + } + if (!(content_file_fn = realpath(logfile, NULL))) { + log_err_printf("Failed to realpath '%s': %s (%i)\n", + logfile, strerror(errno), errno); + close(content_file_fd); + connect_fd = -1; + return -1; + } + return 0; +} + +static void +log_content_file_fini(void) +{ + if (content_file_fn) { + free(content_file_fn); + content_file_fn = NULL; + } + if (content_file_fd != -1) { + close(content_file_fd); + content_file_fd = -1; + } +} + +static int +log_content_file_reopencb(void) +{ + close(content_file_fd); + content_file_fd = open(content_file_fn, + O_WRONLY|O_APPEND|O_CREAT, DFLT_FILEMODE); + if (content_file_fd == -1) { + log_err_printf("Failed to open '%s' for writing: %s (%i)\n", + content_file_fn, strerror(errno), errno); + return -1; + } + return 0; +} + /* static int log_content_file_opencb(void *fh) @@ -649,6 +717,19 @@ log_content_file_closecb(void *fh) free(ctx); } +static ssize_t +log_content_file_writecb(void *fh, const void *buf, size_t sz) +{ + UNUSED log_content_ctx_t *ctx = fh; + + if (write(content_file_fd, buf, sz) == -1) { + log_err_printf("Warning: Failed to write to content log: %s\n", + strerror(errno)); + return -1; + } + return 0; +} + static logbuf_t * log_content_file_prepcb(void *fh, unsigned long prepflags, logbuf_t *lb) { @@ -711,6 +792,7 @@ log_content_file_prepcb(void *fh, unsigned long prepflags, logbuf_t *lb) int log_preinit(opts_t *opts) { + logger_reopen_func_t reopencb; logger_open_func_t opencb; logger_close_func_t closecb; logger_write_func_t writecb; @@ -718,39 +800,42 @@ log_preinit(opts_t *opts) if (opts->contentlog) { if (opts->contentlog_isdir) { + reopencb = NULL; opencb = log_content_dir_opencb; closecb = log_content_dir_closecb; - writecb = log_content_common_writecb; + writecb = log_content_dir_writecb; prepcb = NULL; } else if (opts->contentlog_isspec) { + reopencb = NULL; opencb = log_content_spec_opencb; closecb = log_content_spec_closecb; - writecb = log_content_common_writecb; + writecb = log_content_spec_writecb; prepcb = NULL; } else { if (log_content_file_preinit(opts->contentlog) == -1) goto out; + reopencb = log_content_file_reopencb; opencb = NULL; closecb = log_content_file_closecb; - writecb = log_content_common_writecb; + writecb = log_content_file_writecb; prepcb = log_content_file_prepcb; } - if (!(content_log = logger_new(opencb, closecb, writecb, - prepcb))) { + if (!(content_log = logger_new(reopencb, opencb, closecb, + writecb, prepcb))) { log_content_file_fini(); goto out; } } if (opts->connectlog) { - if (log_connect_open(opts->connectlog) == -1) + if (log_connect_preinit(opts->connectlog) == -1) goto out; - if (!(connect_log = logger_new(NULL, NULL, + if (!(connect_log = logger_new(log_connect_reopencb, NULL, NULL, log_connect_writecb, NULL))) { - log_connect_close(); + log_connect_fini(); goto out; } } - if (!(err_log = logger_new(NULL, NULL, log_err_writecb, NULL))) + if (!(err_log = logger_new(NULL, NULL, NULL, log_err_writecb, NULL))) goto out; return 0; @@ -760,7 +845,7 @@ log_preinit(opts_t *opts) logger_free(content_log); } if (connect_log) { - log_connect_close(); + log_connect_fini(); logger_free(connect_log); } return -1; @@ -778,7 +863,7 @@ log_preinit_undo(void) logger_free(content_log); } if (connect_log) { - log_connect_close(); + log_connect_fini(); logger_free(connect_log); } } @@ -844,10 +929,25 @@ log_fini(void) if (content_log) log_content_file_fini(); if (connect_log) - log_connect_close(); + log_connect_fini(); if (content_clisock != -1) privsep_client_close(content_clisock); } +int +log_reopen(void) +{ + int rv = 0; + + if (content_log) + if (logger_reopen(content_log) == -1) + rv = -1; + if (connect_log) + if (logger_reopen(connect_log) == -1) + rv = -1; + + return rv; +} + /* vim: set noet ft=c: */ diff --git a/log.h b/log.h index eec9870f..8b2e555b 100644 --- a/log.h +++ b/log.h @@ -70,6 +70,7 @@ int log_preinit(opts_t *) NONNULL(1) WUNRES; void log_preinit_undo(void); int log_init(opts_t *, int) NONNULL(1) WUNRES; void log_fini(void); +int log_reopen(void) WUNRES; #endif /* !LOG_H */ diff --git a/logger.c b/logger.c index 3b4cb675..01b60d6b 100644 --- a/logger.c +++ b/logger.c @@ -45,6 +45,7 @@ struct logger { pthread_t thr; + logger_reopen_func_t reopen; logger_open_func_t open; logger_close_func_t close; logger_prep_func_t prep; @@ -52,8 +53,9 @@ struct logger { thrqueue_t *queue; }; -#define LBFLAG_OPEN 1 -#define LBFLAG_CLOSE 2 +#define LBFLAG_REOPEN (1 << 0) +#define LBFLAG_OPEN (1 << 1) +#define LBFLAG_CLOSE (1 << 2) static void logger_clear(logger_t *logger) @@ -67,8 +69,9 @@ logger_clear(logger_t *logger) * not in the thread calling logger_submit(). */ logger_t * -logger_new(logger_open_func_t openfunc, logger_close_func_t closefunc, - logger_write_func_t writefunc, logger_prep_func_t prepfunc) +logger_new(logger_reopen_func_t reopenfunc, logger_open_func_t openfunc, + logger_close_func_t closefunc, logger_write_func_t writefunc, + logger_prep_func_t prepfunc) { logger_t *logger; @@ -76,6 +79,7 @@ logger_new(logger_open_func_t openfunc, logger_close_func_t closefunc, if (!logger) return NULL; logger_clear(logger); + logger->reopen = reopenfunc; logger->open = openfunc; logger->close = closefunc; logger->write = writefunc; @@ -115,13 +119,30 @@ logger_submit(logger_t *logger, void *fh, unsigned long prepflags, return thrqueue_enqueue(logger->queue, lb) ? 0 : -1; } +/* + * Submit a log reopen event to the logger thread. + */ +int +logger_reopen(logger_t *logger) +{ + logbuf_t *lb; + + if (!logger->reopen) + return 0; + + lb = logbuf_new(NULL, 0, NULL, NULL); + logbuf_ctl_set(lb, LBFLAG_REOPEN); + return thrqueue_enqueue(logger->queue, lb) ? 0 : -1; +} + /* * Submit a file open event to the logger thread. * fh is the file handle; an opaque unique address identifying the new file. * If no open callback is configured, returns successfully. * Returns 0 on success, -1 on failure. */ -int logger_open(logger_t *logger, void *fh) +int +logger_open(logger_t *logger, void *fh) { logbuf_t *lb; @@ -139,7 +160,8 @@ int logger_open(logger_t *logger, void *fh) * If no close callback is configured, returns successfully. * Returns 0 on success, -1 on failure. */ -int logger_close(logger_t *logger, void *fh) +int +logger_close(logger_t *logger, void *fh) { logbuf_t *lb; @@ -162,7 +184,9 @@ logger_thread(void *arg) logbuf_t *lb; while ((lb = thrqueue_dequeue(logger->queue))) { - if (logbuf_ctl_isset(lb, LBFLAG_OPEN)) { + if (logbuf_ctl_isset(lb, LBFLAG_REOPEN)) { + logger->reopen(); + } else if (logbuf_ctl_isset(lb, LBFLAG_OPEN)) { logger->open(lb->fh); } else if (logbuf_ctl_isset(lb, LBFLAG_CLOSE)) { logger->close(lb->fh); diff --git a/logger.h b/logger.h index 828265b2..e0958bfc 100644 --- a/logger.h +++ b/logger.h @@ -35,20 +35,22 @@ #include #include +typedef int (*logger_reopen_func_t)(void); typedef int (*logger_open_func_t)(void *); typedef void (*logger_close_func_t)(void *); typedef ssize_t (*logger_write_func_t)(void *, const void *, size_t); typedef logbuf_t * (*logger_prep_func_t)(void *, unsigned long, logbuf_t *); typedef struct logger logger_t; -logger_t * logger_new(logger_open_func_t, logger_close_func_t, - logger_write_func_t, logger_prep_func_t) - NONNULL(3) MALLOC; +logger_t * logger_new(logger_reopen_func_t, logger_open_func_t, + logger_close_func_t, logger_write_func_t, + logger_prep_func_t) NONNULL(4) MALLOC; void logger_free(logger_t *) NONNULL(1); int logger_start(logger_t *) NONNULL(1) WUNRES; void logger_leave(logger_t *) NONNULL(1); int logger_join(logger_t *) NONNULL(1); int logger_stop(logger_t *) NONNULL(1) WUNRES; +int logger_reopen(logger_t *) NONNULL(1) WUNRES; int logger_open(logger_t *, void *) NONNULL(1,2) WUNRES; int logger_close(logger_t *, void *) NONNULL(1,2) WUNRES; int logger_submit(logger_t *, void *, unsigned long, diff --git a/main.c b/main.c index 85ee3098..8fe457e3 100644 --- a/main.c +++ b/main.c @@ -41,6 +41,7 @@ #include "sys.h" #include "log.h" #include "version.h" +#include "defaults.h" #include #include @@ -62,7 +63,6 @@ extern int daemon(int, int); #endif /* __APPLE__ */ -#define DEFAULT_DROPUSER "nobody" /* * Print version information to stderr. @@ -131,7 +131,7 @@ main_usage(void) #define OPT_g #endif /* !OPENSSL_NO_DH */ #ifndef OPENSSL_NO_ECDH -" -G curve use ECDH named curve (default: %s for non-RSA leafkey)\n" +" -G curve use ECDH named curve (default: " DFLT_CURVE " for non-RSA leafkey)\n" #define OPT_G "G:" #else /* OPENSSL_NO_ECDH */ #define OPT_G @@ -147,8 +147,7 @@ main_usage(void) " -s ciphers use the given OpenSSL cipher suite spec (default: ALL:-aNULL)\n" " -e engine specify default NAT engine to use (default: %s)\n" " -E list available NAT engines and exit\n" -" -u user drop privileges to user (default if run as root: " - DEFAULT_DROPUSER ")\n" +" -u user drop privileges to user (default if run as root: " DFLT_DROPUSER ")\n" " -m group when using -u, override group (default: primary group of user)\n" " -j jaildir chroot() to jaildir (impacts sni proxyspecs, see manual page)\n" " -p pidfile write pid to pidfile (default: no pid file)\n" @@ -186,11 +185,7 @@ main_usage(void) " ssl 2001:db8::2 9999 pf # ssl/6; NAT engine 'pf'\n" "Example:\n" " %s -k ca.key -c ca.pem -P https 127.0.0.1 8443 https ::1 8443\n" - "%s", BNAME, -#ifndef OPENSSL_NO_ECDH - SSL_EC_KEY_CURVE_DEFAULT, -#endif /* !OPENSSL_NO_ECDH */ - dflt, BNAME, warn); + "%s", BNAME, dflt, BNAME, warn); } /* @@ -721,8 +716,8 @@ main(int argc, char *argv[]) oom_die(argv0); } if (!opts->dropuser && !geteuid() && !getuid() && - sys_isuser(DEFAULT_DROPUSER)) { - opts->dropuser = strdup(DEFAULT_DROPUSER); + sys_isuser(DFLT_DROPUSER)) { + opts->dropuser = strdup(DFLT_DROPUSER); if (!opts->dropuser) oom_die(argv0); } diff --git a/privsep.c b/privsep.c index 4aef5144..c40f6b9c 100644 --- a/privsep.c +++ b/privsep.c @@ -32,6 +32,7 @@ #include "util.h" #include "log.h" #include "attrib.h" +#include "defaults.h" #include #include @@ -151,7 +152,7 @@ privsep_server_openfile(char *fn, int mkpath) free(fn2); return -1; } - if (sys_mkpath(filedir, 0777) == -1) { + if (sys_mkpath(filedir, DFLT_DIRMODE) == -1) { log_err_printf("Could not create directory '%s': %s (%i)\n", filedir, strerror(errno), errno); free(fn2); @@ -160,7 +161,7 @@ privsep_server_openfile(char *fn, int mkpath) free(fn2); } - fd = open(fn, O_WRONLY|O_APPEND|O_CREAT, 0666); + fd = open(fn, O_WRONLY|O_APPEND|O_CREAT, DFLT_FILEMODE); if (fd == -1) { log_err_printf("Failed to open '%s': %s (%i)\n", fn, strerror(errno), errno); diff --git a/proxy.c b/proxy.c index def08c4f..35934538 100644 --- a/proxy.c +++ b/proxy.c @@ -57,7 +57,7 @@ * Proxy engine, built around libevent 2.x. */ -static int signals[] = { SIGQUIT, SIGHUP, SIGINT, SIGPIPE }; +static int signals[] = { SIGQUIT, SIGHUP, SIGINT, SIGPIPE, SIGUSR1 }; struct proxy_ctx { pxy_thrmgr_ctx_t *thrmgr; @@ -194,7 +194,7 @@ proxy_listener_setup(struct event_base *evbase, pxy_thrmgr_ctx_t *thrmgr, } /* - * Signal handler for SIGQUIT, SIGINT, SIGHUP and SIGPIPE. + * Signal handler for SIGQUIT, SIGINT, SIGHUP, SIGPIPE and SIGUSR1. */ static void proxy_signal_cb(evutil_socket_t fd, UNUSED short what, void *arg) @@ -205,10 +205,25 @@ proxy_signal_cb(evutil_socket_t fd, UNUSED short what, void *arg) log_dbg_printf("Received signal %i\n", fd); } - if (fd == SIGPIPE) { - log_err_printf("Warning: Received SIGPIPE; ignoring.\n"); - } else { + switch(fd) { + case SIGQUIT: + case SIGINT: + case SIGHUP: event_base_loopbreak(ctx->evbase); + break; + case SIGUSR1: + if (log_reopen() == -1) { + log_err_printf("Warning: Failed to reopen logs\n"); + } else { + log_dbg_printf("Reopened log files\n"); + } + break; + case SIGPIPE: + log_err_printf("Warning: Received SIGPIPE; ignoring.\n"); + break; + default: + log_err_printf("Warning: Received unexpected signal %i\n", fd); + break; } } diff --git a/ssl.c b/ssl.c index a39b399b..abb6bdc3 100644 --- a/ssl.c +++ b/ssl.c @@ -29,6 +29,7 @@ #include "ssl.h" #include "log.h" +#include "defaults.h" #include #include @@ -609,7 +610,7 @@ ssl_ec_by_name(const char *curvename) int nid; if (!curvename) - curvename = SSL_EC_KEY_CURVE_DEFAULT; + curvename = DFLT_CURVE; if ((nid = OBJ_sn2nid(curvename)) == NID_undef) { return NULL; diff --git a/ssl.h b/ssl.h index 40380933..592d3259 100644 --- a/ssl.h +++ b/ssl.h @@ -122,7 +122,6 @@ void ssl_dh_refcount_inc(DH *) NONNULL(1); #endif /* !OPENSSL_NO_DH */ #ifndef OPENSSL_NO_EC -#define SSL_EC_KEY_CURVE_DEFAULT "secp160r2" EC_KEY * ssl_ec_by_name(const char *) MALLOC; #endif /* !OPENSSL_NO_EC */ diff --git a/sslsplit.1 b/sslsplit.1 index e458ba86..d3a0c981 100644 --- a/sslsplit.1 +++ b/sslsplit.1 @@ -184,11 +184,13 @@ If \fB-K\fP is not given, SSLsplit will generate a random 1024-bit RSA key. .B \-l \fIlogfile\fP Log connections to \fIlogfile\fP in a single line per connection format, including addresses and ports and some HTTP and SSL information, if available. +SIGUSR1 will cause \fIlogfile\fP to be re-opened. .TP .B \-L \fIlogfile\fP Log connection content to \fIlogfile\fP. The content log will contain a parsable log format with transmitted data, prepended with headers identifying the connection and the data length of each logged segment. +SIGUSR1 will cause \fIlogfile\fP to be re-opened. .TP .B \-m When dropping privileges using \fB-u\fP, override the target primary group @@ -356,6 +358,11 @@ than the NAT rules redirecting the actual connections. Note that when using \fB-j\fP with \fBsni\fP, you may need to prepare \fIjaildir\fP to make name resolution work from within the chroot directory. .LP +.SH SIGNALS +A running \fBsslsplit\fP accepts SIGINT and SIGQUIT for a clean shutdown and +SIGUSR1 to re-open the long-living log files (\fB-l\fP and \fB-L\fP). +Per-connection log files (\fB-S\fP and \fB-F\fP) are not re-opened because +their filename is specific to the connection. .SH "LOG SPECIFICATIONS" Log specifications are composed of zero or more printf-style directives; ordinary characters are included directly in the output path. diff --git a/sys.c b/sys.c index cd440417..b985a073 100644 --- a/sys.c +++ b/sys.c @@ -29,6 +29,7 @@ #include "sys.h" #include "log.h" +#include "defaults.h" #include #include @@ -190,7 +191,7 @@ sys_pidf_open(const char *fn) { int fd; - if ((fd = open(fn, O_RDWR|O_CREAT, 0640)) == -1) { + if ((fd = open(fn, O_RDWR|O_CREAT, DFLT_PIDFMODE)) == -1) { log_err_printf("Failed to open '%s': %s\n", fn, strerror(errno)); return -1; diff --git a/sys.t.c b/sys.t.c index 8484d3c0..f19c93c1 100644 --- a/sys.t.c +++ b/sys.t.c @@ -28,6 +28,8 @@ #include "sys.h" +#include "defaults.h" + #include #include #include @@ -61,7 +63,7 @@ sys_isdir_setup(void) perror("asprintf"); exit(EXIT_FAILURE); } - close(open(file, O_CREAT|O_WRONLY|O_APPEND, 0600)); + close(open(file, O_CREAT|O_WRONLY|O_APPEND, DFLT_FILEMODE)); symlink(file, lfile); mkdir(dir, 0700); symlink(dir, ldir); @@ -141,7 +143,7 @@ START_TEST(sys_mkpath_01) basedir); fail_unless(!!dir, "asprintf failed"); fail_unless(!sys_isdir(dir), "dir already sys_isdir()"); - fail_unless(!sys_mkpath(dir, 0777), "sys_mkpath failed"); + fail_unless(!sys_mkpath(dir, DFLT_DIRMODE), "sys_mkpath failed"); fail_unless(sys_isdir(dir), "dir not sys_isdir()"); free(dir); }