Subject: Re: /var/run/log
To: None <wojtek@wojtek.from.pl>
From: Luke Mewburn <lukem@wasabisystems.com>
List: netbsd-users
Date: 02/12/2001 05:46:07
On Sun, Feb 11, 2001 at 07:38:57PM +0100, wojtek@wojtek.from.pl wrote:
> > On Sun, Feb 11, 2001 at 11:09:22AM +0100, wojtek@wojtek.from.pl wrote:
> > > why it have 666 permissions - it allows everybody to log anything and with
> > > -t option it could look like anything else (for eg. kernel messages)
> >
> > How else do you allow arbitrary programs that don't run as root to log to
> > syslog unless it's world writable? Creating a special `syslog' group and
> > putting all the appropriate users in seems tedious to me.
> i was doing this on linux and i'm suprised the same on netbsd is possible,
> >
> > If you check usr.sbin/syslogd/syslogd.c::printline(), you'll see:
> > /* don't allow users to log kernel messages */
> > if (LOG_FAC(pri) == LOG_KERN)
> > pri = LOG_MAKEPRI(LOG_USER, LOG_PRI(pri));
> what about:
>
> a) logger -t su "wojtek to root on /dev/ttyp7"
> add -p to select the same logfile that normal su does (i have 1 logfile
> for everything)
>
> b) while true;do echo zzzzzzzzzzzzzzzzzzzzzzzzzzzzz|logger ;done
>
> and pollute logfiles
So create yourself a syslog group, change the permissions on /var/log,
and put all the appropriate users (root, www, named, uucp, ...) into the
group.
As I said, tedious work, and doesn't necessarily solve the problem. If a
local user wants to cause a denial of service against your machine
there are *many* ways in which they can do it.
This doesn't mean that other enhancements to the syslog mechanism
can't be added, such as:
* using (kernel) authenticated credentials over the socket
so that you can get the userid of the syslogger and putting
that in your logs