From owner-freebsd-security  Wed Sep  6 11:29:35 1995
Return-Path: security-owner
Received: (from majordom@localhost)
          by freefall.freebsd.org (8.6.11/8.6.6) id LAA29600
          for security-outgoing; Wed, 6 Sep 1995 11:29:35 -0700
Received: from jli (jli.portland.or.us [199.2.111.1])
          by freefall.freebsd.org (8.6.11/8.6.6) with SMTP id LAA29573
          for <freebsd-security@freebsd.org>; Wed, 6 Sep 1995 11:29:32 -0700
Received: from cumulus by jli with uucp
	(Smail3.1.29.1 #3) id m0sqPDV-0001bBC; Wed, 6 Sep 95 11:28 PDT
Message-Id: <m0sqPDt-00004yC@cloud.rain.com>
To: Brian Tao <taob@gate.sinica.edu.tw>
cc: freebsd-security@freebsd.org
Subject: Re: Do we *really* need logger(1)? 
References: <Pine.SOL.3.91.950906235946.15418C-100000@gate> 
In-reply-to: Your message of Thu, 07 Sep 1995 00:36:42 +0800.
             <Pine.SOL.3.91.950906235946.15418C-100000@gate> 
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <6828.810412160.1@cloud.rain.com>
Date: Wed, 06 Sep 1995 11:29:20 -0700
From: Bill Trost <trost@cloud.rain.com>
Sender: security-owner@freebsd.org
Precedence: bulk

Brian Tao writes:
    it dawned on me that logger(1) could be a hacker's dream.

Logger requires no special permissions to run; anyone can run such a
program.  Better yet, anyone could run such a program anywhere on the
Internet, so syslogd(8) can also be used as a remote disk-filling
service.  (And, since it's UDP-based, you can't tcp-wrap it...).

    Since syslogd runs as root....

Gads, why?  Require that files specified in syslog.conf be writeable
by user syslog, and put user syslog in group tty (to handle broadcasts
to all users), and syslogd can setuid to syslog as soon as it has its
sockets open.

All these root-level daemons floating around is a disaster waiting to
happen.  Certainly something as simple as syslog doesn't need that
kind of privilege.