Subject: bin/1761: enhancement to make syslogd work better on firewalls
To: None <gnats-bugs@gnats.netbsd.org>
From: Perry E. Metzger <perry@piermont.com>
List: netbsd-bugs
Date: 11/13/1995 15:29:24
>Number:         1761
>Category:       bin
>Synopsis:       enhancement to make syslogd work better on firewalls
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    bin-bug-people (Utility Bug People)
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Mon Nov 13 16:20:01 1995
>Last-Modified:
>Originator:     Perry E. Metzger
>Organization:
Perry Metzger		perry@piermont.com
--
>Release:        NetBSD 1.1_ALPHA
>Environment:
	
System: NetBSD jekyll.piermont.com 1.1_ALPHA NetBSD 1.1_ALPHA (JEKYLL) #29: Sun Nov 12 15:13:29 EST 1995 root@jekyll.piermont.com:/usr/src/sys/arch/i386/compile/JEKYLL i386


>Description:
	syslogd works much better in a firewall or other insecure
        environment if it behaves "paranoid" and does not open a UDP
        socket but instead simply listens to local requests on its
        UNIX domain socket. (BTW, should that now be "LOCAL domain
        socket? None of the other documents are up to date on this...)
        The reason for this is to prevent attacks aimed at syslogd --
        you can obviously try to overflow the victim's file system,
        but more than that, someday people WILL find a security hole
        and the port you don't listen to can't be the one you are
        broken into.
>How-To-Repeat:
	
>Fix:
	The following is a pair of (possibly reversed; I was tired)
        patches that add a -s option to syslogd that says "don't
        listen on the UDP port". It is suggested that those running on
        firewalls and other environments where they care can simply
        start syslogd with the new -s option. The first patch alters
        the code, the second fixes the documentation.
        I referred to this as high priority because this is a very
        serious concern for people building firewalls out of NetBSD
        machines, and many people are doing that these days. syslogd
        is one of the few dangerous things people typically leave
        running on firewall machines.
        The patches should be cut apart or otherwise edited before use
        -- I've provided CUT HERE lines. I'd forgotten if it was safe
        to simply catenate them so I didn't.

-- CUT HERE --------------------------------------------------------------
*** syslogd.c	Sun Nov 12 05:03:26 1995
--- syslogd.c.orig	Fri Oct 13 22:07:15 1995
***************
*** 182,192 ****
  int	finet;			/* Internet datagram socket */
  int	LogPort;		/* port number for INET connections */
  int	Initialized = 0;	/* set when we have initialized ourselves */
  int	MarkInterval = 20 * 60;	/* interval between marks in seconds */
  int	MarkSeq = 0;		/* mark sequence number */
- int	SecureMode = 0;		/* when true, speak only unix domain socks */
  
  extern	int errno;
  extern	char *ctime(), *index(), *calloc();
  
  main(argc, argv)
--- 182,191 ----
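Review bot: the comment on the new `SecureMode` global ("when true, speak only unix domain socks") overstates what the flag does; the only thing it controls is whether the UDP socket is opened, and the local-domain socket handling is untouched. Suggest `/* -s: never open the UDP socket */` so the next reader does not go looking for other behaviour. Note also that this file pair is listed new-before-original (as the report itself warns), so the `-` line here is the addition and the patch has to be applied with `patch -R`.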
***************
*** 203,213 ****
  	char line[MSG_BSIZE + 1];
  	extern int optind;
  	extern char *optarg;
  	void die(), domark(), init(), reapchild();
  
! 	while ((ch = getopt(argc, argv, "dsf:m:p:")) != EOF)
  		switch((char)ch) {
  		case 'd':		/* debug */
  			Debug++;
  			break;
  		case 'f':		/* configuration file */
--- 202,212 ----
  	char line[MSG_BSIZE + 1];
  	extern int optind;
  	extern char *optarg;
  	void die(), domark(), init(), reapchild();
  
! 	while ((ch = getopt(argc, argv, "df:m:p:")) != EOF)
  		switch((char)ch) {
  		case 'd':		/* debug */
  			Debug++;
  			break;
  		case 'f':		/* configuration file */
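Review bot: style point on the new getopt string: the `s` is wedged between `d` and `f:` in `"dsf:m:p:"`. Keeping the letters in alphabetical order, `"df:m:p:s"`, matches the order the option list in syslogd.8 uses and makes it easier to spot a missing letter in future edits.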
***************
*** 217,229 ****
  			MarkInterval = atoi(optarg) * 60;
  			break;
  		case 'p':		/* path */
  			LogName = optarg;
  			break;
- 		case 's':		/* no network mode */
- 			SecureMode++;
- 			break;
  		case '?':
  		default:
  			usage();
  		}
  	if (argc -= optind)
--- 216,225 ----
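Review bot: `usage()`, reached from the `default:` arm right below the new `case 's':`, is not touched anywhere in the patch, so the message printed for an unknown option will still not list `-s`. Add `[-s]` to the usage string in the same change so the code and the man page agree. `SecureMode++` rather than `SecureMode = 1` is fine here since it mirrors `Debug++` two cases up.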
***************
*** 262,277 ****
  		(void) sprintf(line, "cannot create %s", LogName);
  		logerror(line);
  		dprintf("cannot create %s (%d)\n", LogName, errno);
  		die(0);
  	}
! 	if (!SecureMode)
! 		finet = socket(AF_INET, SOCK_DGRAM, 0);
! 	else {
! 		finet = -1;
! 		inetm = 0;
! 	}
  	if (finet >= 0) {
  		struct servent *sp;
  
  		sp = getservbyname("syslog", "udp");
  		if (sp == NULL) {
--- 258,268 ----
  		(void) sprintf(line, "cannot create %s", LogName);
  		logerror(line);
  		dprintf("cannot create %s (%d)\n", LogName, errno);
  		die(0);
  	}
! 	finet = socket(AF_INET, SOCK_DGRAM, 0);
  	if (finet >= 0) {
  		struct servent *sp;
  
  		sp = getservbyname("syslog", "udp");
  		if (sp == NULL) {
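Review bot: `inetm = 0;` is only assigned on the secure (`else`) branch. On the non-secure path nothing visible in this hunk sets `inetm` when `socket()` fails and `finet < 0`, so either `inetm` is already initialised elsewhere (and the assignment here is redundant) or the failing-socket path was already leaving it stale; hoisting the initialisation above the `if` makes both paths agree: `finet = -1;` / `inetm = 0;` / `if (!SecureMode) finet = socket(AF_INET, SOCK_DGRAM, 0);`. Separately, if `finet` is also the descriptor the rest of syslogd uses to send to `@host` forwarding entries, as it is in the 4.4BSD code this derives from, please confirm that a syslog.conf with such entries fails with a `logerror()` rather than silently when `finet == -1`, and say so in the man page.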

-- CUT HERE --------------------------------------------------------------
*** syslogd.8	Mon Nov 13 15:18:40 1995
--- syslogd.8.orig	Mon Nov 13 15:18:51 1995
***************
*** 54,70 ****
  the default is
  .Pa /etc/syslog.conf .
  .It Fl m
  Select the number of minutes between ``mark'' messages;
  the default is 20 minutes.
- .It Fl s
- Select ``secure'' mode, in which syslogd does not open a UDP socket but
- only communicates over a UNIX domain socket.
- This is valuable when the machine on
- which syslogd runs is subject to attack over the network and it is desired
- that the machine be protected from attempts to remotely fill logs
- and similar attacks.
  .It Fl p
  Specify the pathname of an alternate log socket;
  the default is
  .Pa /dev/log .
  .El
--- 54,63 ----
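Review bot: the new `.It Fl s` entry is inserted between `.It Fl m` and `.It Fl p`, breaking the alphabetical order the option list otherwise keeps (f, m, p); move it after the `-p` entry. The SYNOPSIS is outside the lines this hunk touches and still needs an `.Op Fl s` added. The description should also state what the mode costs, namely that any forwarding of messages to a remote host over UDP is unavailable when the socket is not opened, since "only communicates over a UNIX domain socket" implies this without saying it.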
-- CUT HERE --------------------------------------------------------------
>Audit-Trail:
>Unformatted:
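The design the report argues for, as an added example that is my code rather than the report's patch or NetBSD's syslogd: a toy model of the two listening sockets syslogd opens, so the effect of not opening the UDP one can be exercised without root. Everything specific here is an assumption for the demo, not from the original: a temp-file path stands in for /dev/log, a kernel-chosen loopback UDP port stands in for 514, and the messages are constructed.

```python
"""Toy model of syslogd's listening sockets (added example, not NetBSD code).

Assumptions (not from the original report): the temp-file socket path stands
in for /dev/log, the kernel-chosen UDP port stands in for 514, and the
datagrams below are constructed for the demo.
"""
import os
import select
import socket
import tempfile


def open_log_sockets(secure, log_path, udp_addr=("127.0.0.1", 0)):
    """Always open the local-domain socket; open the UDP socket only when
    not in secure mode.  Returns (unix_sock, udp_sock_or_None).  Port 0 lets
    the kernel pick a free port so the demo needs no privileges."""
    if os.path.exists(log_path):
        os.unlink(log_path)
    funix = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    funix.bind(log_path)
    finet = None
    if not secure:
        finet = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        finet.bind(udp_addr)
    return funix, finet


def parse_pri(datagram):
    """Split the <PRI> prefix of a BSD syslog datagram into
    (facility, severity, text), where PRI = facility * 8 + severity.
    Anything that does not fit that shape is reported as None rather than
    trusted: over UDP the sender is unauthenticated."""
    if not datagram.startswith(b"<"):
        return None
    end = datagram.find(b">", 1)
    if end < 1 or end > 4 or not datagram[1:end].isdigit():
        return None
    pri = int(datagram[1:end])
    if pri > 191:  # 23 facilities * 8 + 7 severities
        return None
    return pri >> 3, pri & 7, datagram[end + 1:].decode("ascii", "replace")


def collect(sockets, timeout=0.5):
    """Drain every datagram queued on the given sockets, tagging each with
    the socket it arrived on, like syslogd's select() loop does."""
    received = []
    socks = [s for s in sockets if s is not None]
    while True:
        ready, _, _ = select.select(socks, [], [], timeout)
        if not ready:
            return received
        for s in ready:
            data = s.recv(2048)
            kind = "unix" if s.family == socket.AF_UNIX else "udp"
            received.append((kind, parse_pri(data)))


def demo(secure):
    """One round: a local process logs through the domain socket and an
    unauthenticated peer tries the UDP port.  Returns the (source, message)
    pairs the daemon would have seen."""
    tmpdir = tempfile.mkdtemp()
    log_path = os.path.join(tmpdir, "log")
    funix, finet = open_log_sockets(secure, log_path)
    try:
        local = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        local.sendto(b"<38>sshd[42]: Accepted login", log_path)  # auth.info
        local.close()
        if finet is not None:
            remote = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            # Forged kern.emerg (<0>) line padded out, the "fill the logs"
            # case the report describes; nothing checks who sent it.
            remote.sendto(b"<0>router: DISK FULL " + b"A" * 1024,
                          finet.getsockname())
            remote.close()
        return collect([funix, finet])
    finally:
        funix.close()
        if finet is not None:
            finet.close()
        os.unlink(log_path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    for mode in (False, True):
        print("secure" if mode else "open", demo(mode))
```

Compare the two runs: with the UDP socket open, the forged `<0>` line from an unauthenticated peer lands next to the genuine local one; in secure mode only the local-domain socket delivers anything, which is the whole argument for `-s` on a firewall host.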