daemon: Add option for output file mode

The daemon utility has always created its output file with a fixed mode
of 0600. This causes issues for log collection setups where the collector
does not run as root but instead relies on group access to the watched
daemon’s log file.

Introduce a new option that allows specifying the output file mode using
install(1)-style semantics. This enables non-root log collectors to access
the file as intended and improves compatibility with log rotation tools.

Reviewed by:	kevans
MFC after:	1 week
Relnotes:	yes
Differential Revision:	https://reviews.freebsd.org/D54930
This commit is contained in:
Michael Osipov
2026-01-28 19:49:26 +01:00
parent 4e160c6197
commit a3b90a1f00
2 changed files with 36 additions and 9 deletions
+15 -2
View File
@@ -24,7 +24,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd April 25, 2024
.Dd January 28, 2026
.Dt DAEMON 8
.Os
.Sh NAME
@@ -111,10 +111,23 @@ or both
This value specifies what is sent to syslog and the log file.
The default is
.Cm 3 .
.It Fl M , Fl -output-file-mode Ar mode
Specify the file
.Ar mode
to use when creating the
.Pa output_file .
The mode is interpreted using
.Xr chmod 1
style semantics.
This option is useful when the daemonized process or external log
collectors require group or world access to the output file.
The default is
.Cm 0600 .
.It Fl o , Fl -output-file Ar output_file
Append output from the daemonized process to
.Pa output_file .
If the file does not exist, it is created with permissions 0600.
If the file does not exist, it is created with the default file
.Ar mode .
When this option is used together with options
.Fl -change-dir
and
+21 -7
View File
@@ -93,6 +93,7 @@ struct daemon_state {
int syslog_facility;
int keep_fds_open;
int output_fd;
mode_t output_file_mode;
bool restart_enabled;
bool syslog_enabled;
bool log_reopen;
@@ -101,7 +102,7 @@ struct daemon_state {
};
static void restrict_process(const char *);
static int open_log(const char *);
static int open_log(const char *, mode_t);
static void reopen_log(struct daemon_state *);
static bool listen_child(struct daemon_state *);
static int get_log_mapping(const char *, const CODE *);
@@ -118,7 +119,7 @@ static int daemon_setup_kqueue(void);
static int pidfile_truncate(struct pidfh *);
static const char shortopts[] = "+cfHSp:P:ru:o:s:l:t:m:R:T:C:h";
static const char shortopts[] = "+cfHSp:P:ru:o:M:s:l:t:m:R:T:C:h";
static const struct option longopts[] = {
{ "change-dir", no_argument, NULL, 'c' },
@@ -126,6 +127,7 @@ static const struct option longopts[] = {
{ "sighup", no_argument, NULL, 'H' },
{ "syslog", no_argument, NULL, 'S' },
{ "output-file", required_argument, NULL, 'o' },
{ "output-file-mode", required_argument, NULL, 'M' },
{ "output-mask", required_argument, NULL, 'm' },
{ "child-pidfile", required_argument, NULL, 'p' },
{ "supervisor-pidfile", required_argument, NULL, 'P' },
@@ -146,7 +148,7 @@ usage(int exitcode)
{
(void)fprintf(stderr,
"usage: daemon [-cfHrS] [-p child_pidfile] [-P supervisor_pidfile]\n"
" [-u user] [-o output_file] [-t title]\n"
" [-u user] [-o output_file] [-M output_file_mode] [-t title]\n"
" [-l syslog_facility] [-s syslog_priority]\n"
" [-T syslog_tag] [-m output_mask] [-R restart_delay_secs]\n"
" [-C restart_count]\n"
@@ -158,6 +160,7 @@ usage(int exitcode)
" --sighup -H Close and re-open output file on SIGHUP\n"
" --syslog -S Send output to syslog\n"
" --output-file -o <file> Append output of the child process to file\n"
" --output-file-mode -M <mode> Output file mode of the child process\n"
" --output-mask -m <mask> What to send to syslog/file\n"
" 1=stdout, 2=stderr, 3=both\n"
" --child-pidfile -p <file> Write PID of the child process to file\n"
@@ -180,6 +183,7 @@ main(int argc, char *argv[])
{
const char *e = NULL;
int ch = 0;
mode_t *set = NULL;
struct daemon_state state;
daemon_state_init(&state);
@@ -248,6 +252,15 @@ main(int argc, char *argv[])
*/
state.mode = MODE_SUPERVISE;
break;
case 'M':
if ((set = setmode(optarg)) == NULL) {
errx(6, "unrecognized output file mode: %s", optarg);
} else {
state.output_file_mode = getmode(set, 0);
}
free(set);
set = NULL;
break;
case 'p':
state.child_pidfile = optarg;
state.mode = MODE_SUPERVISE;
@@ -313,7 +326,7 @@ main(int argc, char *argv[])
}
if (state.output_filename) {
state.output_fd = open_log(state.output_filename);
state.output_fd = open_log(state.output_filename, state.output_file_mode);
if (state.output_fd == -1) {
err(7, "open");
}
@@ -756,10 +769,10 @@ do_output(const unsigned char *buf, size_t len, struct daemon_state *state)
}
static int
open_log(const char *outfn)
open_log(const char *outfn, mode_t outfm)
{
return open(outfn, O_CREAT | O_WRONLY | O_APPEND | O_CLOEXEC, 0600);
return open(outfn, O_CREAT | O_WRONLY | O_APPEND | O_CLOEXEC, outfm);
}
static void
@@ -767,7 +780,7 @@ reopen_log(struct daemon_state *state)
{
int outfd;
outfd = open_log(state->output_filename);
outfd = open_log(state->output_filename, state->output_file_mode);
if (state->output_fd >= 0) {
close(state->output_fd);
}
@@ -804,6 +817,7 @@ daemon_state_init(struct daemon_state *state)
.keep_fds_open = 1,
.output_fd = -1,
.output_filename = NULL,
.output_file_mode = 0600,
.restart_count = -1,
.restarted_count = 0
};