PrivDropToUser: fix abortOnIDResolutionFail handling

security.abortonidresolutionfail needs to be loaded glblProcessCnf, otherwise the setting is ignored in doGetUID / doGetGID. see also: https://github.com/rsyslog/rsyslog/issues/4642 see also: cbcaf2c7e5
2025-12-15 10:30:40 +01:00 · 2021-10-12 12:03:17 +02:00 · 2021-10-12 12:03:17 +02:00 · 03fdbfda74
commit 03fdbfda74
parent aebd4d649f
3 changed files with 47 additions and 2 deletions
--- a/runtime/glbl.c
+++ b/runtime/glbl.c
@ -1167,8 +1167,10 @@ glblProcessCnf(struct cnfobj *o)
 			continue;
 		if(!strcmp(paramblk.descr[i].name, "processinternalmessages")) {
 			bProcessInternalMessages = (int) cnfparamvals[i].val.d.n;
+			cnfparamvals[i].bUsed = TRUE;
 		} else if(!strcmp(paramblk.descr[i].name, "internal.developeronly.options")) {
 			glblDevOptions = (uint64_t) cnfparamvals[i].val.d.n;
+			cnfparamvals[i].bUsed = TRUE;
 		} else if(!strcmp(paramblk.descr[i].name, "stdlog.channelspec")) {
 #ifndef ENABLE_LIBLOGGING_STDLOG
 			LogError(0, RS_RET_ERR, "rsyslog wasn't "
@ -1176,12 +1178,12 @@ glblProcessCnf(struct cnfobj *o)
 				"The 'stdlog.channelspec' parameter "
 				"is ignored. Note: the syslog API is used instead.\n");
 #else
-			stdlog_chanspec = (uchar*)
-				es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
+			stdlog_chanspec = (uchar*) es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
 			/* we need to re-open with the new channel */
 			stdlog_close(stdlog_hdl);
 			stdlog_hdl = stdlog_open("rsyslogd", 0, STDLOG_SYSLOG,
 					(char*) stdlog_chanspec);
+			cnfparamvals[i].bUsed = TRUE;
 #endif
 		} else if(!strcmp(paramblk.descr[i].name, "operatingstatefile")) {
 			if(operatingStateFile != NULL) {
@ -1192,6 +1194,9 @@ glblProcessCnf(struct cnfobj *o)
 				operatingStateFile = (uchar*) es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
 				osf_open();
 			}
+		} else if(!strcmp(paramblk.descr[i].name, "security.abortonidresolutionfail")) {
+			loadConf->globals.abortOnIDResolutionFail = (int) cnfparamvals[i].val.d.n;
+			cnfparamvals[i].bUsed = TRUE;
 		}
 	}
 done:	return;
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@ -229,6 +229,7 @@ TESTS +=  \
 	privdropuserid.sh \
 	privdropgroup.sh \
 	privdropgroupid.sh \
+	privdropabortonidfaillegacy.sh \
 	json-nonstring.sh \
 	template-json.sh \
 	template-pure-json.sh \
@ -1944,6 +1945,7 @@ EXTRA_DIST= \
 	privdropuserid.sh \
 	privdropgroup.sh \
 	privdropgroupid.sh \
+	privdropabortonidfaillegacy.sh \
 	json-nonstring.sh \
 	template-json.sh \
 	template-pure-json.sh \
--- a/tests/privdropabortonidfaillegacy.sh
+++ b/tests/privdropabortonidfaillegacy.sh
@ -0,0 +1,38 @@
+#!/bin/bash
+# add 2021-10-12 by alorbach, released under ASL 2.0
+. ${srcdir:=.}/diag.sh init
+export RSYSLOG_DEBUG="debug nostdout noprintmutexaction"
+export RSYSLOG_DEBUGLOG="$RSYSLOG_DYNNAME.debuglog"
+
+skip_platform "SunOS"  "This test currently does not work on Solaris."
+export TESTBENCH_TESTUSER1="USER_${RSYSLOG_DYNNAME}_1"
+export TESTBENCH_TESTUSER2="USER_${RSYSLOG_DYNNAME}_2"
+
+generate_conf
+add_conf '
+global(
+	security.abortOnIDResolutionFail="off"
+)
+
+template(name="outfmt" type="list") {
+	property(name="msg" compressSpace="on")
+	constant(value="\n")
+}
+
+$FileOwner '${TESTBENCH_TESTUSER1}'
+$FileGroup '${TESTBENCH_TESTUSER1}'
+$DirOwner '${TESTBENCH_TESTUSER2}'
+$DirGroup '${TESTBENCH_TESTUSER2}'
+
+action(	type="omfile"
+	template="outfmt"
+	file=`echo $RSYSLOG_OUT_LOG`)
+'
+
+startup
+shutdown_when_empty
+wait_shutdown
+content_check --regex "ID for user '${TESTBENCH_TESTUSER1}' could not be found"
+content_check --regex "ID for user '${TESTBENCH_TESTUSER2}' could not be found"
+
+exit_test