Compiler masochism compliance.

[exim.git] / src / src / log.c

diff --git a/src/src/log.c b/src/src/log.c
index 1d2c8f5e0a7a16833d21b46fbceb015c94a9d3cf..a2c1d44169d7e8b21b40e521544c1cdb9559d14a 100644 (file)
--- a/src/src/log.c
+++ b/src/src/log.c
@@ -255,11 +255,12 @@ if (type == lt_process)
 
 /* The names of the other three logs are controlled by file_path. The panic log
 is written to the same directory as the main and reject logs, but its name does
-not have a datestamp. The use of datestamps is indicated by %D in file_path.
-When opening the panic log, if %D is present, we remove the datestamp from the
-generated name; if it is at the start, remove a following non-alphameric
-character as well; otherwise, remove a preceding non-alphameric character. This
-is definitely kludgy, but it sort of does what people want, I hope. */
+not have a datestamp. The use of datestamps is indicated by %D/%M in file_path.
+When opening the panic log, if %D or %M is present, we remove the datestamp
+from the generated name; if it is at the start, remove a following
+non-alphanumeric character as well; otherwise, remove a preceding
+non-alphanumeric character. This is definitely kludgy, but it sort of does what
+people want, I hope. */
 
 else
   {
@@ -307,7 +308,7 @@ else
   else if (string_datestamp_offset >= 0)
     {
     uschar *from = buffer + string_datestamp_offset;
-    uschar *to = from + Ustrlen(tod_stamp(tod_log_datestamp));
+    uschar *to = from + string_datestamp_length;
     if (from == buffer || from[-1] == '/')
       {
       if (!isalnum(*to)) to++;
@@ -361,17 +362,26 @@ are neither exim nor root, creation is not attempted. */
 
 else if (euid == root_uid)
   {
-  int status;
+  int status, rv;
   pid_t pid = fork();
 
   /* In the subprocess, change uid/gid and do the creation. Return 0 from the
-  subprocess on success. There doesn't seem much point in testing for setgid
-  and setuid errors. */
+  subprocess on success. If we don't check for setuid failures, then the file
+  can be created as root, so vulnerabilities which cause setuid to fail mean
+  that the Exim user can use symlinks to cause a file to be opened/created as
+  root.  We always open for append, so can't nuke existing content but it would
+  still be Rather Bad. */
 
   if (pid == 0)
     {
-    (void)setgid(exim_gid);
-    (void)setuid(exim_uid);
+    rv = setgid(exim_gid);
+    if (rv)
+      die(US"exim: setgid for log-file creation failed, aborting",
+         US"Unexpected log failure, please try later");
+    rv = setuid(exim_uid);
+    if (rv)
+      die(US"exim: setuid for log-file creation failed, aborting",
+         US"Unexpected log failure, please try later");
     _exit((create_log(buffer) < 0)? 1 : 0);
     }
 
@@ -563,7 +573,7 @@ Returns:    nothing
 */
 
 void
-log_write(unsigned int selector, int flags, char *format, ...)
+log_write(unsigned int selector, int flags, const char *format, ...)
 {
 uschar *ptr;
 int length, rc;
@@ -849,7 +859,7 @@ if ((flags & LOG_MAIN) != 0 &&
 
     if (mainlog_datestamp != NULL)
       {
-      uschar *nowstamp = tod_stamp(tod_log_datestamp);
+      uschar *nowstamp = tod_stamp(string_datestamp_type);
       if (Ustrncmp (mainlog_datestamp, nowstamp, Ustrlen(nowstamp)) != 0)
         {
         (void)close(mainlogfd);       /* Close the file */
@@ -972,7 +982,7 @@ if ((flags & LOG_REJECT) != 0)
 
     if (rejectlog_datestamp != NULL)
       {
-      uschar *nowstamp = tod_stamp(tod_log_datestamp);
+      uschar *nowstamp = tod_stamp(string_datestamp_type);
       if (Ustrncmp (rejectlog_datestamp, nowstamp, Ustrlen(nowstamp)) != 0)
         {
         (void)close(rejectlogfd);       /* Close the file */