Subject: pkg/31417: gdm syslogs username
To: None <pkg-manager@netbsd.org, gnats-admin@netbsd.org,>
From: Hauke Fath <hf@spg.tu-darmstadt.de>
List: pkgsrc-bugs
Date: 09/29/2005 13:51:00
>Number:         31417
>Category:       pkg
>Synopsis:       x11/gdm logs username for failed login attempts
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Sep 29 13:51:00 +0000 2005
>Originator:     Hauke Fath <hf@spg.tu-darmstadt.de>
>Release:        NetBSD 3.0_BETA
>Organization:
-- 
/~\  The ASCII Ribbon Campaign                      Hauke Fath
\ /    No HTML/RTF in email	          Institut für Nachrichtentechnik
 X     No Word docs in email	                    TU Darmstadt
/ \  Respect for open standards                Ruf +49-6151-16-3281
>Environment:
	
	
System: NetBSD Goliberg 3.0_BETA NetBSD 3.0_BETA (SPG_PIII) #5: Fri Sep 23 00:43:45 CEST 2005 hf@heiligenberg:/var/obj/netbsd-builds/3_0/i386/sys/arch/i386/compile/SPG_PIII i386
Architecture: i386
Machine: i386
>Description:

	When x11/gdm logs a failed login attempt, it logs the username
	with it. This is a security risk (which is why I marked the PR
	'critical') since if the user just got out of sync with the
	login wifget, she'll have her password logged. And she has to
	get help from the admin to remove it - if she is aware of the
	fact at all.

	But it gets worse: gdm syslogs _everything_ with category
	LOG_DAEMON which goes to the usually world-readable
	/var/log/messages.

>How-To-Repeat:

	Get out of sync with the gdm greeter; find your password
	logged to /var/log/messages and the console.

	Look through the config files and the gdm documentation and
	find that at runtime you can neither change the syslog
	category, nor change the amount of data that's being loggend
	(which is quite considerable), nor disable logging of failed
	login attempts.

	Look through the source and find that at compile time, you can
	neither gnuconfigure a different syslog category, nor limit
	the amount of logged information, nor disable logging of
	failed login attempts.

>Fix:
	Stop-gap: 

	Switch back to xdm.

	gdm fixes:

	(1) Make syslog category configurable _at least_ at compile
	time. Better: Use log_auth for any sensitive data, and a
	configurable category for anything else, including debug
	information, which can then be directed to a gdm-only logfile.

	(2) Make the amount of information logged controllable at
	least at compile time. Per default, log less to console.

	(3) Introduce a config-file switch to control logging of
	failed login attempts. Default to _off_.

>Unformatted: