From owner-freebsd-security Sun Sep 3 16:02:35 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id QAA03651 for security-outgoing; Sun, 3 Sep 1995 16:02:35 -0700
Received: from nosferatu.cas.usf.edu (nosferatu.cas.usf.edu [131.247.31.155]) by freefall.FreeBSD.org (8.6.11/8.6.6) with ESMTP id QAA03645 for ; Sun, 3 Sep 1995 16:02:33 -0700
Received: (mephisto@localhost) by nosferatu.cas.usf.edu (8.6.11/8.6.5) id TAA05704; Sun, 3 Sep 1995 19:03:47 -0400
Date: Sun, 3 Sep 1995 19:03:47 -0400 (EDT)
From: NatureBoy
To: security@freebsd.org
Subject: Stel?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: security-owner@freebsd.org
Precedence: bulk

Just wondering what the current status of Stel is. Is it ported?
Available? Released?

Thanks for any responses,
Joseph D. Orthoefer

From owner-freebsd-security Mon Sep 4 01:31:22 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id BAA22033 for security-outgoing; Mon, 4 Sep 1995 01:31:22 -0700
Received: from relay.philips.nl (relay.philips.nl [130.144.65.1]) by freefall.FreeBSD.org (8.6.11/8.6.6) with ESMTP id BAA22025 for ; Mon, 4 Sep 1995 01:31:18 -0700
Received: (from smap@localhost) by relay.philips.nl (8.6.9/8.6.9-950414) id KAA11865 for ; Mon, 4 Sep 1995 10:30:42 +0200
Received: from unknown(130.144.198.1) by relay.philips.nl via smap (V1.3+ESMTP) with SMTP id sma011664; Mon Sep 4 10:29:21 1995
Received: from spooky.lss.cp.philips.com by cnps.lss.cp.philips.com with smtp (Smail3.1.28.1 #1) id m0spXqU-0001CZC; Mon, 4 Sep 95 10:29 MET
Received: by spooky.lss.cp.philips.com (Smail3.1.29.1 #1) id m0spVjn-000HoGC; Mon, 4 Sep 95 09:14 MET DST
Message-Id:
From: guido@spooky.lss.cp.philips.com (Guido van Rooij)
Subject: syslog patches?
To: freebsd-security@freebsd.org
Date: Mon, 4 Sep 1995 09:14:35 +0200 (MET DST)
Reply-To: Guido.vanRooij@nl.cis.philips.com (Guido van Rooij)
X-Mailer: ELM [version 2.4 PL21]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 244
Sender: security-owner@freebsd.org
Precedence: bulk

After the initial posting of Paul Traina's modified syslog I haven't
seen a new attempt yet. I did see a NetBSD solution to the problem
though. My question: is there any syslog.c that can be incorporated
in the source tree and to 2.1.0?

-Guido

From owner-freebsd-security Mon Sep 4 02:14:25 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id CAA23809 for security-outgoing; Mon, 4 Sep 1995 02:14:25 -0700
Received: from haywire.DIALix.COM (haywire.DIALix.COM [192.203.228.65]) by freefall.FreeBSD.org (8.6.11/8.6.6) with ESMTP id CAA23767 for ; Mon, 4 Sep 1995 02:13:28 -0700
Received: (from news@localhost) by haywire.DIALix.COM (sendmail) id RAA16320 for freebsd-security@freebsd.org; Mon, 4 Sep 1995 17:11:47 +0800 (WST)
Received: from GATEWAY by haywire.DIALix.COM with netnews for freebsd-security@freebsd.org (problems to: usenet@haywire.dialix.com)
To: freebsd-security@freebsd.org
Date: 4 Sep 1995 17:11:42 +0800
From: peter@haywire.dialix.com (Peter Wemm)
Message-ID: <42efse$fts$1@haywire.DIALix.COM>
Organization: DIALix Services, Perth, Australia.
References:
Subject: Re: syslog patches?
Sender: security-owner@freebsd.org
Precedence: bulk

guido@spooky.lss.cp.philips.com (Guido van Rooij) writes:

>After the initial posting of Paul Traina's modified syslog I haven't
>seen a new attempt yet. I did see a NetBSD solution to the problem
>though. My question: is there any syslog.c that can be incorporated
>in the source tree and to 2.1.0?

>-Guido

Not trying to offend Paul Traina, but I'd prefer to take Eric Allman's
one and apply the necessary bandaids to it.

But whatever the case, something *has* to go in, because if we ship
2.1 with the buggy version, because of the identical binaries on each
system, somebody *will* calculate the offsets and the code to subvert
2.1R.

If going with Paul Traina's version is what it takes to get it fixed,
I'll gladly put aside my slight preference for Eric's version.

Cheers,
-Peter

From owner-freebsd-security Mon Sep 4 03:08:47 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id DAA26416 for security-outgoing; Mon, 4 Sep 1995 03:08:47 -0700
Received: from gvr.win.tue.nl (gvr.win.tue.nl [131.155.210.19]) by freefall.FreeBSD.org (8.6.11/8.6.6) with ESMTP id DAA26408 for ; Mon, 4 Sep 1995 03:08:36 -0700
Received: by gvr.win.tue.nl (8.6.10/1.53) id MAA27848; Mon, 4 Sep 1995 12:06:36 +0200
From: guido@gvr.win.tue.nl (Guido van Rooij)
Message-Id: <199509041006.MAA27848@gvr.win.tue.nl>
Subject: Re: syslog patches?
To: peter@haywire.dialix.com (Peter Wemm)
Date: Mon, 4 Sep 1995 12:06:35 +0200 (MET DST)
Cc: freebsd-security@freebsd.org
In-Reply-To: <42efse$fts$1@haywire.DIALix.COM> from "Peter Wemm" at Sep 4, 95 05:11:42 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Content-Length: 370
Sender: security-owner@freebsd.org
Precedence: bulk

>
> But whatever the case, something *has* to go in, because if we ship
> 2.1 with the buggy version, because of the identical binaries on each
> system, somebody *will* calculate the offsets and the code to subvert
> 2.1R.
>

That is exactly why I brought this up. I also like the Allman fix. Not
because it is better or worse, but because more ppl use it.

-Guido

From owner-freebsd-security Mon Sep 4 22:29:14 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id WAA01530 for security-outgoing; Mon, 4 Sep 1995 22:29:14 -0700
Received: from who.cdrom.com (who.cdrom.com [192.216.222.3]) by freefall.freebsd.org (8.6.11/8.6.6) with ESMTP id WAA01497 for ; Mon, 4 Sep 1995 22:29:11 -0700
Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by who.cdrom.com (8.6.11/8.6.11) with ESMTP id TAA15837 for ; Mon, 4 Sep 1995 19:33:12 -0700
Received: from localhost (localhost [127.0.0.1]) by precipice.shockwave.com (8.6.12/8.6.12) with SMTP id TAA00530; Mon, 4 Sep 1995 19:30:11 -0700
Message-Id: <199509050230.TAA00530@precipice.shockwave.com>
To: peter@haywire.dialix.com (Peter Wemm)
cc: freebsd-security@FreeBSD.org
Subject: Re: syslog patches?
In-reply-to: Your message of "04 Sep 1995 17:11:42 +0800." <42efse$fts$1@haywire.DIALix.COM>
Date: Mon, 04 Sep 1995 19:30:10 -0700
From: Paul Traina
Sender: security-owner@FreeBSD.org
Precedence: bulk

  From: peter@haywire.dialix.com (Peter Wemm)
  Subject: Re: syslog patches?

  guido@spooky.lss.cp.philips.com (Guido van Rooij) writes:

  >After the initial posting of Paul Traina's modified syslog I haven't
  >seen a new attempt yet. I did see a NetBSD solution to the problem
  >though. My question: is there any syslog.c that can be incorporated
  >in the source tree and to 2.1.0?

  >-Guido

  Not trying to offend Paul Traina, but I'd prefer to take Eric Allman's
  one and apply the necessary bandaids to it.

You won't offend me.

  But whatever the case, something *has* to go in, because if we ship
  2.1 with the buggy version, because of the identical binaries on each
  system, somebody *will* calculate the offsets and the code to subvert
  2.1R.

Absolutely.

  If going with Paul Traina's version is what it takes to get it fixed,
  I'll gladly put aside my slight preference for Eric's version.

I don't care one way or another, however I would prefer the more paranoid
version in any case. Eric's certainly had enough sendmail related bugs in
the past that I would actually prefer to go with a version that NOT everyone
is going to pound on.

From owner-freebsd-security Wed Sep 6 09:39:35 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id JAA11413 for security-outgoing; Wed, 6 Sep 1995 09:39:35 -0700
Received: from gate.sinica.edu.tw (gate.sinica.edu.tw [140.109.14.2]) by freefall.freebsd.org (8.6.11/8.6.6) with SMTP id JAA11304 for ; Wed, 6 Sep 1995 09:39:22 -0700
Received: by gate.sinica.edu.tw (5.x/SMI-SVR4) id AA22789; Thu, 7 Sep 1995 00:36:43 +0800
Date: Thu, 7 Sep 1995 00:36:42 +0800 (CST)
From: Brian Tao
To: freebsd-security@freebsd.org
Subject: Do we *really* need logger(1)?
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: security-owner@freebsd.org
Precedence: bulk

I was looking through my lp wrapper shell script (basically redirects
output to an SGI elsewhere on the LAN, while passing options and around).
I use logger(1) to keep track of who uses the command. With the recent
hoopla with sprintf() and lack of bounds checking in syslogd(), it dawned
on me that logger(1) could be a hacker's dream.

Forget for a moment that logger gives any user convenient access to
syslogd. Any user could cause the sysadmin grief by issuing something
like:

% logger -t login login from evil.com as root

... or perhaps use the LOG_EMERG priority level (logger does not call
setlogmask() at all):

% logger -p kern.emerg -t /kernel WARNING: Core meltdown imminent\!

Of course, you could substitute a non-bogus message and there would be no
immediate way of telling if the syslog entry was real or caused by a
prankster. The point is that any user can easily write to a file owned
and normally writeable only by root. "logger -f huge.core" can easily
fill up your /var filesystem. For your convenience, it will even take
input from stdin. This essentially makes /var/log/messages untrustworthy
and possibly dangerous if you rely on it for accounting or resource
tracking purposes.

I checked my machines and SunOS, Solaris, IRIX, AIX and FreeBSD all have
this facility. Since logger is so widespread, I wonder if perhaps I am
just stirring up a storm in a teacup? It certainly *looks* like a rather
dangerous tool to have sitting around.

Since syslogd runs as root (getting back to the recent 8lgm advisory),
would it be possible to use logger to overrun its stack and somehow get
it to execute a root shell or do other dastardly deeds a la Internet
Worm? Could someone then distribute an file that any user can feed to
logger to exploit this hole?

Please keep me in the cc list since I won't be subscribed to
freebsd-security for the next couple of weeks (in the process of moving
back to Toronto). Thanks.

--
Brian ("Though this be madness, yet there is method in't") Tao
taob@gate.sinica.edu.tw <-- work ........ play --> taob@io.org

From owner-freebsd-security Wed Sep 6 11:29:35 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id LAA29600 for security-outgoing; Wed, 6 Sep 1995 11:29:35 -0700
Received: from jli (jli.portland.or.us [199.2.111.1]) by freefall.freebsd.org (8.6.11/8.6.6) with SMTP id LAA29573 for ; Wed, 6 Sep 1995 11:29:32 -0700
Received: from cumulus by jli with uucp (Smail3.1.29.1 #3) id m0sqPDV-0001bBC; Wed, 6 Sep 95 11:28 PDT
Message-Id:
To: Brian Tao
cc: freebsd-security@freebsd.org
Subject: Re: Do we *really* need logger(1)?
References:
In-reply-to: Your message of Thu, 07 Sep 1995 00:36:42 +0800.
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <6828.810412160.1@cloud.rain.com>
Date: Wed, 06 Sep 1995 11:29:20 -0700
From: Bill Trost
Sender: security-owner@freebsd.org
Precedence: bulk

Brian Tao writes:

    it dawned on me that logger(1) could be a hacker's dream.

Logger requires no special permissions to run; anyone can run such a
program. Better yet, anyone could run such a program anywhere on the
Internet, so syslogd(8) can also be used as a remote disk-filling
service. (And, since it's UDP-based, you can't tcp-wrap it...).

    Since syslogd runs as root....

Gads, why? Require that files specified in syslog.conf be writeable by
user syslog, and put user syslog in group tty (to handle broadcasts to
all users), and syslogd can setuid to syslog as soon as it has its
sockets open.

All these root-level daemons floating around is a disaster waiting to
happen. Certainly something as simple as syslog doesn't need that kind
of privilege.

From owner-freebsd-security Wed Sep 6 12:49:44 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id MAA03094 for security-outgoing; Wed, 6 Sep 1995 12:49:44 -0700
Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.freebsd.org (8.6.11/8.6.6) with ESMTP id MAA03060 for ; Wed, 6 Sep 1995 12:49:42 -0700
Received: from localhost (localhost [127.0.0.1]) by precipice.shockwave.com (8.6.12/8.6.12) with SMTP id MAA12942 for ; Wed, 6 Sep 1995 12:49:07 -0700
Message-Id: <199509061949.MAA12942@precipice.shockwave.com>
To: security@freebsd.org
Subject: syslog.c revisited
Date: Wed, 06 Sep 1995 12:49:07 -0700
From: Paul Traina
Sender: security-owner@freebsd.org
Precedence: bulk

I finally got off my butt and put this together. It's more anal than Eric's
proposed fix..actually, it's insanely anal, but then again, syslog performance
isn't exactly critical.

The main difference between this and the previous version is the addition of
overflow checking and improved checking of the fmt_cpy code.

There is -no- attempt at optimization here, and in fact, there are several
basically useless checks in this code. It's not designed to be efficient, it's
designed to be a 707.

Please review/comment, it is my intent to dump this into 2.2 and ask David to
include in 2.1 once I exercise it and test it on thud.

Paul

From owner-freebsd-security Wed Sep 6 12:50:15 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id MAA03413 for security-outgoing; Wed, 6 Sep 1995 12:50:15 -0700
Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.freebsd.org (8.6.11/8.6.6) with ESMTP id MAA03385 for ; Wed, 6 Sep 1995 12:50:13 -0700
Received: (from pst@localhost) by precipice.shockwave.com (8.6.12/8.6.12) id MAA12949 for security@freebsd.org; Wed, 6 Sep 1995 12:49:39 -0700
Date: Wed, 6 Sep 1995 12:49:39 -0700
From: Paul Traina
Message-Id: <199509061949.MAA12949@precipice.shockwave.com>
To: security@freebsd.org
Subject: diffs for syslog.c
Sender: security-owner@freebsd.org
Precedence: bulk

--- /usr/src/lib/libc/gen/syslog.c Tue Aug 29 08:04:17 1995 +++ syslog.c Wed Sep 6 12:44:59 1995 
@@ -88,6 +88,24 @@ va_end(ap); } +/* + * Some rather anal checks to make sure we don't overflow our stack. + * We want to make sure no one can attack either the program stack or + * syslogd's stack. All writes are limited by SPACELEFT, and an additional + * overflow check is performed to insure that the travelling pointer has + * not exceeded the bounds of the buffer (the return value from snprintf + * is the number of characters it expected to write, not the number of + * characters is did write if the limit was reached). + * + * The overflow check could be eliminated if we changed v/snprintf or + * made "safe" versions of those routines. + */ + +#define SPACELEFT(buffer, current) (sizeof (buffer) - \ + ((char *)(current) - (char *)(buffer))) +#define OVERFLOW(buffer, current) ((current) > \ + (char *)(buffer) + sizeof (buffer)) + void vsyslog(pri, fmt, ap) int pri; 
@@ -120,31 +138,46 @@ /* Build the message. */ (void)time(&now); - p = tbuf + sprintf(tbuf, "<%d>", pri); - p += sprintf(p, "%.15s ", ctime(&now) + 4); + p = tbuf + snprintf(tbuf, sizeof(tbuf), "<%d>", pri); + if (OVERFLOW(tbuf, p)) + goto overflow; + p += snprintf(p, SPACELEFT(tbuf, p), "%.15s ", ctime(&now) + 4); + if (OVERFLOW(tbuf, p)) + goto overflow; if (LogStat & LOG_PERROR) stdp = p; if (LogTag == NULL) LogTag = __progname; if (LogTag != NULL) - p += sprintf(p, "%s", LogTag); + p += snprintf(p, SPACELEFT(tbuf, p), "%s", LogTag); + if (OVERFLOW(tbuf, p)) + goto overflow; if (LogStat & LOG_PID) - p += sprintf(p, "[%d]", getpid()); - if (LogTag != NULL) { + p += snprintf(p, SPACELEFT(tbuf, p), "[%d]", getpid()); + if (OVERFLOW(tbuf, p)) + goto overflow; + if (LogTag != NULL && (SPACELEFT(tbuf, p) > 2)) { *p++ = ':'; *p++ = ' '; } + if (OVERFLOW(tbuf, p)) + goto overflow; /* Substitute error message for %m. */ - for (t = fmt_cpy; ch = *fmt; ++fmt) + for (t = fmt_cpy; ch = *fmt && (SPACELEFT(fmt_cpy, t) > 0); ++fmt) if (ch == '%' && fmt[1] == 'm') { ++fmt; - t += sprintf(t, "%s", strerror(saved_errno)); + t += snprintf(t, SPACELEFT(fmt_cpy, t), "%s", strerror(saved_errno)); } else *t++ = ch; *t = '\0'; + if (OVERFLOW(fmt_cpy, t)) + goto overflow; + + p += vsnprintf(p, SPACELEFT(tbuf, p), fmt_cpy, ap); + if (OVERFLOW(tbuf, p)) + goto overflow; - p += vsprintf(p, fmt_cpy, ap); cnt = p - tbuf; /* Output to stderr if requested. */ 
@@ -178,6 +211,12 @@ p = index(tbuf, '>') + 1; (void)write(fd, p, cnt - (p - tbuf)); (void)close(fd); + } + + if (SPACELEFT(tbuf, p) < 2) { + overflow: + syslog(LOG_CRIT|LOG_AUTH|LOG_CONS|LOG_PERROR|LOG_PID, + "DANGER: syslog buffer overflow attempt--possible attack"); } }

From owner-freebsd-security Wed Sep 6 12:55:00 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id MAA06332 for security-outgoing; Wed, 6 Sep 1995 12:55:00 -0700
Received: from haven.uniserve.com (haven.uniserve.com [198.53.215.121]) by freefall.freebsd.org (8.6.11/8.6.6) with ESMTP id MAA06300 for ; Wed, 6 Sep 1995 12:54:57 -0700
Received: by haven.uniserve.com id <30736>; Wed, 6 Sep 1995 12:56:33 +0100
Date: Wed, 6 Sep 1995 12:56:23 -0700 (PDT)
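
Review bot: SPACELEFT in the @@ -88,6 +88,24 @@ hunk subtracts a pointer difference from `sizeof (buffer)`, and on the usual platforms that arithmetic is done in size_t, so once `current` has moved past the end of the buffer (which the comment itself says snprintf's return value can cause) the result wraps to a very large length instead of reaching zero. Suggest tracking the remaining space as a signed count or an offset and comparing snprintf's return value against it before the pointer is advanced, so the pointer never leaves the buffer. OVERFLOW uses `>`, so a pointer sitting exactly at `(char *)(buffer) + sizeof (buffer)` passes the check while SPACELEFT is 0; that boundary case deserves a line in the comment. The comment also has two typos, "insure" and "is did write".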
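
Review bot: In the %m loop of the @@ -120,31 +138,46 @@ hunk, `ch = *fmt && (SPACELEFT(fmt_cpy, t) > 0)` assigns the result of `&&` to ch, because `&&` binds tighter than `=`; ch is then 0 or 1, `ch == '%'` never matches, and `*t++ = ch` stores 1s instead of the format characters. Suggest `(ch = *fmt) != '\0' && SPACELEFT(fmt_cpy, t) > 0`. Two further points in the same loop: when it stops because SPACELEFT reached 0, the following `*t = '\0'` writes one byte past fmt_cpy, so the loop should leave room for the terminator; and after `t += snprintf(...)` for a long strerror() string the OVERFLOW test only runs once the loop has ended, while the loop condition and `*t++ = ch` keep using t in between.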
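
Review bot: In the overflow branch of the @@ -178,6 +211,12 @@ hunk, LOG_CONS, LOG_PERROR and LOG_PID are OR-ed into the priority argument of syslog(), but the previous hunk tests LOG_PERROR and LOG_PID against LogStat, and LOG_CONS is the same kind of openlog() option; their bits overlap the level and facility fields, so the message is not logged as LOG_CRIT|LOG_AUTH. Suggest passing `LOG_CRIT|LOG_AUTH` only. The `overflow:` label also sits inside `if (SPACELEFT(tbuf, p) < 2)` after the send path, so every `goto overflow` drops the caller's message and re-enters vsyslog through syslog(); a comment stating that this is intended, and why the fixed string cannot itself take the overflow path, would help the next reader.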
From: Tom Samplonius
To: Bill Trost
cc: Brian Tao , freebsd-security@freebsd.org
Subject: Re: Do we *really* need logger(1)?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: security-owner@freebsd.org
Precedence: bulk

On Wed, 6 Sep 1995, Bill Trost wrote:

> Internet, so syslogd(8) can also be used as a remote disk-filling
> service. (And, since it's UDP-based, you can't tcp-wrap it...).

tcp_wrapper is primitive. xinetd is better and can support UDP.

Tom

From owner-freebsd-security Wed Sep 6 12:57:10 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id MAA07847 for security-outgoing; Wed, 6 Sep 1995 12:57:10 -0700
Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.freebsd.org (8.6.11/8.6.6) with ESMTP id MAA07838 for ; Wed, 6 Sep 1995 12:57:09 -0700
Received: from localhost (localhost [127.0.0.1]) by precipice.shockwave.com (8.6.12/8.6.12) with SMTP id MAA12996; Wed, 6 Sep 1995 12:55:58 -0700
Message-Id: <199509061955.MAA12996@precipice.shockwave.com>
To: Bill Trost
cc: Brian Tao , freebsd-security@freebsd.org
Subject: Re: Do we *really* need logger(1)?
In-reply-to: Your message of "Wed, 06 Sep 1995 11:29:20 PDT."
Date: Wed, 06 Sep 1995 12:55:57 -0700
From: Paul Traina
Sender: security-owner@freebsd.org
Precedence: bulk

  From: Bill Trost
  Subject: Re: Do we *really* need logger(1)?

  Brian Tao writes:

      it dawned on me that logger(1) could be a hacker's dream.

  Logger requires no special permissions to run; anyone can run such a
  program. Better yet, anyone could run such a program anywhere on the
  Internet, so syslogd(8) can also be used as a remote disk-filling
  service. (And, since it's UDP-based, you can't tcp-wrap it...).

      Since syslogd runs as root....

  Gads, why? Require that files specified in syslog.conf be writeable by
  user syslog, and put user syslog in group tty (to handle broadcasts to
  all users), and syslogd can setuid to syslog as soon as it has its
  sockets open.

  All these root-level daemons floating around is a disaster waiting to
  happen. Certainly something as simple as syslog doesn't need that kind
  of privilege.

Bzzzt.

If your disk fills up, you want syslog to be able to operate until it goes to
110%. Unless you run as root or modify the kernel, you lose.

From owner-freebsd-security Wed Sep 6 13:18:11 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id NAA18010 for security-outgoing; Wed, 6 Sep 1995 13:18:11 -0700
Received: from Root.COM (implode.Root.COM [198.145.90.17]) by freefall.freebsd.org (8.6.11/8.6.6) with ESMTP id NAA17945 for ; Wed, 6 Sep 1995 13:18:06 -0700
Received: from corbin.Root.COM (corbin [198.145.90.34]) by Root.COM (8.6.12/8.6.5) with ESMTP id NAA12641; Wed, 6 Sep 1995 13:16:43 -0700
Received: from localhost (localhost [127.0.0.1]) by corbin.Root.COM (8.6.11/8.6.5) with SMTP id NAA26551; Wed, 6 Sep 1995 13:18:39 -0700
Message-Id: <199509062018.NAA26551@corbin.Root.COM>
To: Paul Traina
cc: security@freebsd.org
Subject: Re: syslog.c revisited
In-reply-to: Your message of "Wed, 06 Sep 95 12:49:07 PDT." <199509061949.MAA12942@precipice.shockwave.com>
From: David Greenman
Reply-To: davidg@Root.COM
Date: Wed, 06 Sep 1995 13:18:31 -0700
Sender: security-owner@freebsd.org
Precedence: bulk

>I finally got off my butt and put this together. It's more anal than Eric's
>proposed fix..actually, it's insanely anal, but then again, syslog performance
>isn't exactly critical.

Actually, syslogd consumes about 25% of all of the CPU cycles on wcarchive.
This will be true on any machine that is using wu-ftpd heavily.

-DG

From owner-freebsd-security Wed Sep 6 13:21:32 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id NAA19638 for security-outgoing; Wed, 6 Sep 1995 13:21:32 -0700
Received: from Root.COM (implode.Root.COM [198.145.90.17]) by freefall.freebsd.org (8.6.11/8.6.6) with ESMTP id NAA19619 for ; Wed, 6 Sep 1995 13:21:28 -0700
Received: from corbin.Root.COM (corbin [198.145.90.34]) by Root.COM (8.6.12/8.6.5) with ESMTP id NAA13308; Wed, 6 Sep 1995 13:20:19 -0700
Received: from localhost (localhost [127.0.0.1]) by corbin.Root.COM (8.6.11/8.6.5) with SMTP id NAA26565; Wed, 6 Sep 1995 13:22:16 -0700
Message-Id: <199509062022.NAA26565@corbin.Root.COM>
To: Tom Samplonius
cc: Bill Trost , Brian Tao , freebsd-security@freebsd.org
Subject: Re: Do we *really* need logger(1)?
In-reply-to: Your message of "Wed, 06 Sep 95 12:56:23 PDT."
From: David Greenman
Reply-To: davidg@Root.COM
Date: Wed, 06 Sep 1995 13:22:14 -0700
Sender: security-owner@freebsd.org
Precedence: bulk

>On Wed, 6 Sep 1995, Bill Trost wrote:
>
>> Internet, so syslogd(8) can also be used as a remote disk-filling
>> service. (And, since it's UDP-based, you can't tcp-wrap it...).
>
> tcp_wrapper is primitive. xinetd is better and can support UDP.

Um, syslogd is a daemon and is not spawned by inetd...so how would doing
anything with inetd affect this problem?

-DG

From owner-freebsd-security Wed Sep 6 13:42:39 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id NAA22705 for security-outgoing; Wed, 6 Sep 1995 13:42:39 -0700
Received: from haven.uniserve.com (haven.uniserve.com [198.53.215.121]) by freefall.freebsd.org (8.6.11/8.6.6) with ESMTP id NAA22698 for ; Wed, 6 Sep 1995 13:42:37 -0700
Received: by haven.uniserve.com id <30843>; Wed, 6 Sep 1995 13:44:29 +0100
Date: Wed, 6 Sep 1995 13:30:58 -0700 (PDT)
From: Tom Samplonius
To: David Greenman
cc: Bill Trost , Brian Tao , freebsd-security@freebsd.org
Subject: Re: Do we *really* need logger(1)?
In-Reply-To: <199509062022.NAA26565@corbin.Root.COM>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: security-owner@freebsd.org
Precedence: bulk

On Wed, 6 Sep 1995, David Greenman wrote:

> >On Wed, 6 Sep 1995, Bill Trost wrote:
> >
> >> Internet, so syslogd(8) can also be used as a remote disk-filling
> >> service. (And, since it's UDP-based, you can't tcp-wrap it...).
> >
> > tcp_wrapper is primitive. xinetd is better and can support UDP.
>
> Um, syslogd is a daemon and is not spawned by inetd...so how would doing
> anything with inetd affect this problem?

True. My point was that xinetd can wrap UDP daemons and tcp_wrapper
can not. Plus, xinetd can do it without exec'ing an additional program.

Filters on border routers should be used to block "outside" syslogd abuse.

Tom

From owner-freebsd-security Wed Sep 6 14:03:07 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id OAA23079 for security-outgoing; Wed, 6 Sep 1995 14:03:07 -0700
Received: from halloran-eldar.lcs.mit.edu (halloran-eldar.lcs.mit.edu [18.26.0.159]) by freefall.freebsd.org (8.6.11/8.6.6) with SMTP id OAA23073 for ; Wed, 6 Sep 1995 14:03:06 -0700
Received: by halloran-eldar.lcs.mit.edu; (5.65/1.1.8.2/19Aug95-0530PM) id AA21414; Wed, 6 Sep 1995 17:02:50 -0400
Date: Wed, 6 Sep 1995 17:02:50 -0400
From: "Garrett A. Wollman"
Message-Id: <9509062102.AA21414@halloran-eldar.lcs.mit.edu>
To: Tom Samplonius
Cc: freebsd-security@freebsd.org
Subject: Re: Do we *really* need logger(1)?
In-Reply-To:
References: <199509062022.NAA26565@corbin.Root.COM>
Sender: security-owner@freebsd.org
Precedence: bulk

< said:

> True. My point was that xinetd can wrap UDP daemons and tcp_wrapper
> can not. Plus, xinetd can do it without exec'ing an additional program.

> Filters on border routers should be used to block "outside" syslogd abuse.

Um, no, syslog should be fixed to not accept random junk from anyone
who cares to send it. Packet filtering is never the correct answer,
despite what some vendors may try to make people think.

As for `logger', it's a useful tool that anyone could write if it did
not exist before. People running public-access systems should do the
same thing to `logger' as they do to `cc', `as', and `ld'.

-GAWollman

--
Garrett A. Wollman   | Shashish is simple, it's discreet, it's brief. ...
wollman@lcs.mit.edu  | Shashish is the bonding of hearts in spite of distance.
Opinions not those of| It is a bond more powerful than absence. We like people
MIT, LCS, ANA, or NSA| who like Shashish. - Claude McKenzie + Florent Vollant

From owner-freebsd-security Wed Sep 6 14:25:52 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id OAA23863 for security-outgoing; Wed, 6 Sep 1995 14:25:52 -0700
Received: from disperse.demon.co.uk (disperse.demon.co.uk [158.152.1.77]) by freefall.freebsd.org (8.6.11/8.6.6) with SMTP id OAA23832 for ; Wed, 6 Sep 1995 14:25:45 -0700
Received: by disperse.demon.co.uk id aa00737; 6 Sep 95 19:44 +0100
Received: from post.demon.co.uk by disperse.demon.co.uk id aa26361; 6 Sep 95 18:52 +0100
Received: from bagpuss.demon.co.uk by post.demon.co.uk id aa08433; 6 Sep 95 18:49 +0100
Received: (karl@localhost) by bagpuss.demon.co.uk (3.1/3.1) id KAA09814; Wed, 6 Sep 1995 10:10:30 +0100
From: Karl Strickland
Message-Id: <199509060910.KAA09814@bagpuss.demon.co.uk>
Subject: Re: syslog patches?
To: Paul Traina
MMDF-Warning: Unable to confirm address in preceding line at disperse.demon.co.uk
Date: Wed, 6 Sep 1995 10:10:29 +0100 (BST)
Cc: peter@haywire.dialix.com, freebsd-security@freebsd.org
In-Reply-To: <199509050230.TAA00530@precipice.shockwave.com> from "Paul Traina" at Sep 4, 95 07:30:10 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1086
Sender: security-owner@freebsd.org
Precedence: bulk

> I don't care one way or another, however I would prefer the more paranoid
> version in any case. Eric's certainly had enough sendmail related bugs in
> the past that I would actually prefer to go with a version that NOT everyone
> is going to pound on.

I'm sure you're not Eric-bashing here (!), but just to make the point -
I don't think it's fair to say 'lets not use Eric's code because Eric's
sendmail has bugs'! Given the quality of sendmail 8.6, and Eric's many
other contributions to BSD over the years, I'd say Eric does an excellent
job.

Going with a version that everyone will pound on is a *good* thing IMHO;
the more people that perform security audits on the code, the better it
is in the long term. It may be a nuisance in the short term, when bugs
are found, but STO doesn't work.

--
------------------------------------------+-----------------------------------
Mailed using ELM on FreeBSD | Karl Strickland
PGP 2.3a Public Key Available.
| Internet: karl@bagpuss.demon.co.uk
|

From owner-freebsd-security Wed Sep 6 17:39:12 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id RAA00568 for security-outgoing; Wed, 6 Sep 1995 17:39:12 -0700
Received: from gate.sinica.edu.tw (gate.sinica.edu.tw [140.109.14.2]) by freefall.freebsd.org (8.6.11/8.6.6) with SMTP id RAA00549 for ; Wed, 6 Sep 1995 17:38:57 -0700
Received: by gate.sinica.edu.tw (5.x/SMI-SVR4) id AA27639; Thu, 7 Sep 1995 08:35:48 +0800
Date: Thu, 7 Sep 1995 08:35:48 +0800 (CST)
From: Brian Tao
To: Paul Traina
Cc: freebsd-security@freebsd.org
Subject: Re: Do we *really* need logger(1)?
In-Reply-To: <199509061955.MAA12996@precipice.shockwave.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: security-owner@freebsd.org
Precedence: bulk

On Wed, 6 Sep 1995, Paul Traina wrote:
>
> If your disk fills up, you want syslog to be able to operate until it goes to
> 110%. Unless you run as root or modify the kernel, you lose.

No, you want messages created by root-owned processes to fill your disk
to 110% (not that it's a good thing in any case, especially if /var is
the same filesystem as /). What we need is credential checking in the
syslog() call and syslogd daemon.

I imagine any ISP that offers shell access and uses the default
syslog.conf is susceptible to a prankster sending *.emerg level notices
and getting syslogd to write "SYSTEM REBOOT, LOG OFF NOW!" to the ttys of
every online user.

--
Brian ("Though this be madness, yet there is method in't") Tao
taob@gate.sinica.edu.tw <-- work ........ play --> taob@io.org

From owner-freebsd-security Wed Sep 6 17:48:04 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id RAA01061 for security-outgoing; Wed, 6 Sep 1995 17:48:04 -0700
Received: from gate.sinica.edu.tw (gate.sinica.edu.tw [140.109.14.2]) by freefall.freebsd.org (8.6.11/8.6.6) with SMTP id RAA01053 for ; Wed, 6 Sep 1995 17:47:59 -0700
Received: by gate.sinica.edu.tw (5.x/SMI-SVR4) id AA27853; Thu, 7 Sep 1995 08:44:50 +0800
Date: Thu, 7 Sep 1995 08:44:50 +0800 (CST)
From: Brian Tao
To: Bill Trost
Cc: freebsd-security@freebsd.org
Subject: Re: Do we *really* need logger(1)?
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: security-owner@freebsd.org
Precedence: bulk

On Wed, 6 Sep 1995, Bill Trost wrote:
>
> Logger requires no special permissions to run; anyone can run such a
> program. Better yet, anyone could run such a program anywhere on the
> Internet, so syslogd(8) can also be used as a remote disk-filling
> service. (And, since it's UDP-based, you can't tcp-wrap it...).

syslog() and syslogd are the real problems. What use is there for a
syslog service on port 514? I don't see why it should even bother
listening to a network port. It should only accept input from
/dev/[k]log.

--
Brian ("Though this be madness, yet there is method in't") Tao
taob@gate.sinica.edu.tw <-- work ........ play --> taob@io.org

From owner-freebsd-security Wed Sep 6 18:19:03 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id SAA02441 for security-outgoing; Wed, 6 Sep 1995 18:19:03 -0700
Received: from godzilla.zeta.org.au (godzilla.zeta.org.au [203.2.228.34]) by freefall.freebsd.org (8.6.11/8.6.6) with ESMTP id SAA02435 for ; Wed, 6 Sep 1995 18:18:59 -0700
Received: (from bde@localhost) by godzilla.zeta.org.au (8.6.9/8.6.9) id LAA10056; Thu, 7 Sep 1995 11:13:46 +1000
Date: Thu, 7 Sep 1995 11:13:46 +1000
From: Bruce Evans
Message-Id: <199509070113.LAA10056@godzilla.zeta.org.au>
To: pst@shockwave.com, security@freebsd.org
Subject: Re: diffs for syslog.c
Sender: security-owner@freebsd.org
Precedence: bulk

>+/*
>+ * Some rather anal checks to make sure we don't overflow our stack.
>+ * We want to make sure no one can attack either the program stack or
>+ * syslogd's stack. All writes are limited by SPACELEFT, and an additional
>+ * overflow check is performed to insure that the travelling pointer has

    ensure [too English?]

>+ * not exceeded the bounds of the buffer (the return value from snprintf
>+ * is the number of characters it expected to write, not the number of
>+ * characters is did write if the limit was reached).

    it

>+ *
>+ * The overflow check could be eliminated if we changed v/snprintf or
>+ * made "safe" versions of those routines.
>+ */
>+
>+#define SPACELEFT(buffer, current) (sizeof (buffer) - \
>+ ((char *)(current) - (char *)(buffer)))

This is wrong if size_t is larger than ptrdiff_t. Then the result is
unsigned and large if `current' is after the end of the buffer, as it
may be the `fmt' conversion (the overflow check doesn't get done early
enough to help). Also, the pointer difference is undefined if `current'
isn't in the buffer.

>+#define OVERFLOW(buffer, current) ((current) > \
>+ (char *)(buffer) + sizeof (buffer))
                    ^
Anal code should check for overflow here. In fact, the check can't be
written like this in Standard C. `fooptr + offset' is undefined if the
offset isn't a valid array index (or maybe one larger). The correct test
is something like

    int nwritten;
    ssize_t spaceleft;
    ...
spaceleft = SPACELEFT(...); assert(spaceleft >= 0); nwritten = vsnprintf(..., spaceleft, ...); assert(nwritten >= 0); if (nwritten > spaceleft) goto overflow; Bruce From owner-freebsd-security Wed Sep 6 18:40:01 1995 Return-Path: security-owner Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id SAA02936 for security-outgoing; Wed, 6 Sep 1995 18:40:01 -0700 Received: from haven.uniserve.com (haven.uniserve.com [198.53.215.121]) by freefall.freebsd.org (8.6.11/8.6.6) with ESMTP id SAA02930 for ; Wed, 6 Sep 1995 18:39:59 -0700 Received: by haven.uniserve.com id <31047>; Wed, 6 Sep 1995 18:41:47 +0100 Date: Wed, 6 Sep 1995 18:41:35 -0700 (PDT) 
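Review bot: OVERFLOW() tests `(current) > (char *)(buffer) + sizeof (buffer)`, so a travelling pointer that lands exactly on `buffer + sizeof (buffer)` is not reported, although SPACELEFT() is then 0 and no byte is left for a terminating NUL. If the pointer is advanced by snprintf's return value, as the comment block describes, an output cut short by exactly one character produces that state. Consider `>=`, or compare each return value with SPACELEFT() before advancing the pointer. Both macros also take `sizeof (buffer)`, so they are only correct when the argument is the array itself and not a pointer to it; the comment block should say so.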
From: Tom Samplonius To: Brian Tao cc: Bill Trost , freebsd-security@freebsd.org Subject: Re: Do we *really* need logger(1)? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: security-owner@freebsd.org Precedence: bulk On Thu, 7 Sep 1995, Brian Tao wrote: > syslog() and syslogd are the real problems. What use is there for a > syslog service on port 514? I don't see why it should even bother listening > to a network port. It should only accept input from /dev/[k]log. Logging events to another machine is _very_ useful. Especially for systems (ex. routers) that have no permanent storage for events, or when you need to collect logging information for large number of hosts. Tom From owner-freebsd-security Wed Sep 6 18:58:55 1995 Return-Path: security-owner Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id SAA03312 for security-outgoing; Wed, 6 Sep 1995 18:58:55 -0700 Received: from thumper.osix.com.au (osixsyd.tmx.com.au [203.9.152.143]) by freefall.freebsd.org (8.6.11/8.6.6) with ESMTP id SAA03293 for ; Wed, 6 Sep 1995 18:58:24 -0700 Received: from bruce.osix.com.au (bruce.osix.com.au [203.18.59.4]) by thumper.osix.com.au (8.6.11/8.6.9) with SMTP id LAA09858; Thu, 7 Sep 1995 11:37:33 GMT Message-Id: <199509071137.LAA09858@thumper.osix.com.au> Comments: Authenticated sender is 
From: "Peter May" Organization: OSIX Pty Ltd To: Brian Tao , freebsd-security@freebsd.org Date: Thu, 7 Sep 1995 11:51:30 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: Do we *really* need logger(1)? Reply-to: peter@osix.com.au Priority: normal X-mailer: Pegasus Mail for Windows (v2.01) Sender: security-owner@freebsd.org Precedence: bulk > On Wed, 6 Sep 1995, Paul Traina wrote: > > > > If your disk fills up, you want syslog to be able to operate until it goes to > > 110%. Unless you run as root or modify the kernel, you lose. > > No, you want messages created by root-owned processes to fill your disk > to 110% (not that it's a good thing in any case, especially if /var is the > same filesystem as /). What we need is credential checking in the syslog() > call and syslogd daemon. I imagine any ISP that offers shell access and uses > the default syslog.conf is susceptible to a prankster sending *.emerg level > notices and getting syslogd to write "SYSTEM REBOOT, LOG OFF NOW!" to the > ttys of every online user. Hmmmm ... the best way of doing this is probably a rotary log file rather than a flat log file. For example, the error log on an AIX system uses at most 1Mb of storage (the error log entries are small). Once the log file wraps, older entries are overwritten. A better approach might be to use multiple rotaries depending upon the log level (i.e., emerg.log, daemon.log etc.) Alternatively, syslog could execute another process to 'clean up' the log file (aka /etc/daily), i.e., compress it and move it to another name/place, once it reaches a certain threshold. However, all of these changes are significant, and it means making syslog somewhat non-standard. I guess that could be important as well. > -- > Brian ("Though this be madness, yet there is method in't") Tao > taob@gate.sinica.edu.tw <-- work ........ 
play --> taob@io.org ---------------------------------------------------------------->>>>> Peter May OSIX Pty Ltd Director Level 1, 261-263 Pacific Highway Technical Services North Sydney. NSW. Australia. 2060. Home: +61-2-418-7656 Internet: peter@osix.com.au Work: +61-2-922-3999 Fax: +61-2-922-3314 >>>> PGP Public key available upon request <<<< ---------------------------------------------------------------->>>>> From owner-freebsd-security Wed Sep 6 20:53:25 1995 Return-Path: security-owner Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id UAA07058 for security-outgoing; Wed, 6 Sep 1995 20:53:25 -0700 Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.freebsd.org (8.6.11/8.6.6) with ESMTP id UAA07052 for ; Wed, 6 Sep 1995 20:53:23 -0700 Received: from localhost (localhost [127.0.0.1]) by precipice.shockwave.com (8.6.12/8.6.12) with SMTP id UAA00744; Wed, 6 Sep 1995 20:52:10 -0700 Message-Id: <199509070352.UAA00744@precipice.shockwave.com> To: Brian Tao cc: Bill Trost , freebsd-security@freebsd.org Subject: Re: Do we *really* need logger(1)? In-reply-to: Your message of "Thu, 07 Sep 1995 08:44:50 +0800." Date: Wed, 06 Sep 1995 20:52:10 -0700 From: Paul Traina Sender: security-owner@freebsd.org Precedence: bulk Because one machine typically serves as a central logging repository for a number of machines. 
From: Brian Tao Subject: Re: Do we *really* need logger(1)? On Wed, 6 Sep 1995, Bill Trost wrote: > > Logger requires no special permissions to run; anyone can run such a > program. Better yet, anyone could run such a program anywhere on the > Internet, so syslogd(8) can also be used as a remote disk-filling > service. (And, since it's UDP-based, you can't tcp-wrap it...). syslog() and syslogd are the real problems. What use is there for a syslog service on port 514? I don't see why it should even bother listening to a network port. It should only accept input from /dev/[k]log. -- Brian ("Though this be madness, yet there is method in't") Tao taob@gate.sinica.edu.tw <-- work ........ play --> taob@io.org From owner-freebsd-security Wed Sep 6 21:04:05 1995 Return-Path: security-owner Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id VAA07300 for security-outgoing; Wed, 6 Sep 1995 21:04:05 -0700 Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.freebsd.org (8.6.11/8.6.6) with ESMTP id VAA07294 for ; Wed, 6 Sep 1995 21:04:03 -0700 Received: from localhost (localhost [127.0.0.1]) by precipice.shockwave.com (8.6.12/8.6.12) with SMTP id VAA00782; Wed, 6 Sep 1995 21:03:00 -0700 Message-Id: <199509070403.VAA00782@precipice.shockwave.com> To: Bruce Evans cc: security@freebsd.org Subject: Re: diffs for syslog.c In-reply-to: Your message of "Thu, 07 Sep 1995 11:13:46 +1000." <199509070113.LAA10056@godzilla.zeta.org.au> Date: Wed, 06 Sep 1995 21:02:59 -0700 From: Paul Traina Sender: security-owner@freebsd.org Precedence: bulk 
  From: Bruce Evans Subject: Re: diffs for syslog.c

>+/* >+ * Some rather anal checks to make sure we don't overflow our stack. >+ * We want to make sure no one can attack either the program stack or >+ * syslogd's stack. All writes are limited by SPACELEFT, and an additional >+ * overflow check is performed to insure that the travelling pointer has ensure [too English?] >+ * not exceeded the bounds of the buffer (the return value from snprintf >+ * is the number of characters it expected to write, not the number of >+ * characters is did write if the limit was reached). it >+ * >+ * The overflow check could be eliminated if we changed v/snprintf or >+ * made "safe" versions of those routines. >+ */ >+ >+#define SPACELEFT(buffer, current) (sizeof (buffer) - \ >+ ((char *)(current) - (char *)(buffer)))

  This is wrong if size_t is larger than ptrdiff_t.

Thanks for the code review, I think we have some disagreements. I don't have an ANSI spec in front of me, so please bear with me if I'm being a fool.

It is my impression that the standard would have the pointer expression evaluated first. I believe the result of the pointer arithmetic here is an integer offset, not a pointer.

This signed integer value would be promoted to type size_t for an arithmetic expression.

  Then the result is unsigned and large if `current' is after the end of the buffer, as it may be the `fmt' conversion (the overflow check doesn't get done early enough to help). Also, the pointer difference is undefined if `current' isn't in the buffer.

See below (1)

>+#define OVERFLOW(buffer, current) ((current) > \ >+ (char *)(buffer) + sizeof (buffer)) ^

  Anal code should check for overflow here.

OK, yes, if buffer really was at the top of memory space, you're absolutely correct. How would you propose to code that overflow check?

  In fact, the check can't be written like this in Standard C. `fooptr + offset' is undefined if the offset isn't a valid array index (or maybe one larger).

I disagree. Performing a dereference of the value is undefined, but the pointer arithmetic is still valid and defined.

  The correct test is something like

      int nwritten;
      ssize_t spaceleft;
      ...
      spaceleft = SPACELEFT(...);
      assert(spaceleft >= 0);
      nwritten = vsnprintf(..., spaceleft, ...);
      assert(nwritten >= 0);

When would you see nwritten return less than 0? It's a signed integer, and the 'error' case is 0.

      if (nwritten > spaceleft)
          goto overflow;

  Bruce

From owner-freebsd-security Wed Sep 6 21:06:35 1995 Return-Path: security-owner Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id VAA07426 for security-outgoing; Wed, 6 Sep 1995 21:06:35 -0700 Received: from jli (jli.portland.or.us [199.2.111.1]) by freefall.freebsd.org (8.6.11/8.6.6) with SMTP id VAA07419 for ; Wed, 6 Sep 1995 21:06:32 -0700 Received: from cumulus by jli with uucp (Smail3.1.29.1 #3) id m0sqYDv-0001bLC; Wed, 6 Sep 95 21:05 PDT Message-Id: To: freebsd-security@freebsd.org Subject: syslogd as root? References: <199509061955.MAA12996@precipice.shockwave.com> In-reply-to: Your message of Wed, 06 Sep 1995 12:55:57 PDT. <199509061955.MAA12996@precipice.shockwave.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <8071.810443422.1@cloud.rain.com> Date: Wed, 06 Sep 1995 20:10:23 -0700 From: Bill Trost Sender: security-owner@freebsd.org Precedence: bulk

Paul Traina writes:
From: Bill Trost Require that files specified in syslog.conf be writeable by user syslog, and put user syslog in group tty (to handle broadcasts to all users), and syslogd can setuid to syslog as soon as it has its sockets open. If your disk fills up, you want syslog to be able to operate until it goes to 110%. Unless you run as root or modify the kernel, you lose. Or unless you run tunefs on the partition(s) containing the log files (thereby allowing anyone to fill up the partition(s) syslog writes to -- as if they can't already). Nits aside, I can't decide whether letting syslogd "really" fill up the disk is a win or not. Certainly from a security standpoint (what was the name of this mailing list again? (-: ) there is little difference, given that syslogd is vulnerable to spam attacks. So -- why do I want syslogd to be capable of completely filling the disk? From owner-freebsd-security Wed Sep 6 21:27:56 1995 Return-Path: security-owner Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id VAA08291 for security-outgoing; Wed, 6 Sep 1995 21:27:56 -0700 Received: from genesis.atrad.adelaide.edu.au (genesis.atrad.adelaide.edu.au [129.127.96.120]) by freefall.freebsd.org (8.6.11/8.6.6) with ESMTP id VAA08275 for ; Wed, 6 Sep 1995 21:27:41 -0700 Received: from msmith@localhost by genesis.atrad.adelaide.edu.au (8.6.9/8.6.9) id OAA28459; Thu, 7 Sep 1995 14:04:28 +0930 
From: Michael Smith Message-Id: <199509070434.OAA28459@genesis.atrad.adelaide.edu.au> Subject: Re: syslogd as root? To: trost@cloud.rain.com (Bill Trost) Date: Thu, 7 Sep 1995 14:04:28 +0930 (CST) Cc: freebsd-security@freebsd.org In-Reply-To: from "Bill Trost" at Sep 6, 95 08:10:23 pm Content-Type: text Content-Length: 565 Sender: security-owner@freebsd.org Precedence: bulk Bill Trost stands accused of saying: > So -- why do I want syslogd to be capable of completely filling the disk? So that you know what has died because it couldn't fill up the disk 8) -- ]] Mike Smith, Software Engineer msmith@atrad.adelaide.edu.au [[ ]] Genesis Software genesis@atrad.adelaide.edu.au [[ ]] High-speed data acquisition and [[ ]] realtime instrument control (ph/fax) +61-8-267-3039 [[ ]] My car has "demand start" -Terry Lambert UNIX: live FreeBSD or die! [[ From owner-freebsd-security Wed Sep 6 21:30:48 1995 Return-Path: security-owner Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id VAA08488 for security-outgoing; Wed, 6 Sep 1995 21:30:48 -0700 Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.freebsd.org (8.6.11/8.6.6) with ESMTP id VAA08476 for ; Wed, 6 Sep 1995 21:30:47 -0700 Received: from localhost (localhost [127.0.0.1]) by precipice.shockwave.com (8.6.12/8.6.12) with SMTP id VAA00899; Wed, 6 Sep 1995 21:30:09 -0700 Message-Id: <199509070430.VAA00899@precipice.shockwave.com> To: Bill Trost cc: freebsd-security@freebsd.org Subject: Re: syslogd as root? In-reply-to: Your message of "Wed, 06 Sep 1995 20:10:23 PDT." Date: Wed, 06 Sep 1995 21:30:09 -0700 From: Paul Traina Sender: security-owner@freebsd.org Precedence: bulk 
  From: Bill Trost Subject: syslogd as root?

  So -- why do I want syslogd to be capable of completely filling the disk?

So that syslogd can continue to warn you of security or other critical problems (like your disk is full) after a user has filled up the disk to hose over your logs. It's certainly possible to protect syslogd from spamming, which is an orthogonal issue left up to the administration of an individual site.

From owner-freebsd-security Wed Sep 6 22:00:03 1995 Return-Path: security-owner Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id WAA10668 for security-outgoing; Wed, 6 Sep 1995 22:00:03 -0700 Received: from gate.sinica.edu.tw (gate.sinica.edu.tw [140.109.14.2]) by freefall.freebsd.org (8.6.11/8.6.6) with SMTP id VAA10643 for ; Wed, 6 Sep 1995 21:59:57 -0700 Received: by gate.sinica.edu.tw (5.x/SMI-SVR4) id AA11413; Thu, 7 Sep 1995 12:54:22 +0800 Date: Thu, 7 Sep 1995 12:54:22 +0800 (CST)
From: Brian Tao To: Tom Samplonius Cc: freebsd-security@freebsd.org Subject: Re: Do we *really* need logger(1)? In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: security-owner@freebsd.org Precedence: bulk On Wed, 6 Sep 1995, Tom Samplonius wrote: > On Thu, 7 Sep 1995, Brian Tao wrote: > > > syslog() and syslogd are the real problems. What use is there for a > > syslog service on port 514? I don't see why it should even bother listening > > to a network port. It should only accept input from /dev/[k]log. > > Logging events to another machine is _very_ useful. Oh, forgot about that bit. :) It even says so right there in the syslog.conf man page. *sigh* :-/ -- Brian ("Though this be madness, yet there is method in't") Tao taob@gate.sinica.edu.tw <-- work ........ play --> taob@io.org From owner-freebsd-security Wed Sep 6 22:02:10 1995 Return-Path: security-owner Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id WAA10917 for security-outgoing; Wed, 6 Sep 1995 22:02:10 -0700 Received: from gate.sinica.edu.tw (gate.sinica.edu.tw [140.109.14.2]) by freefall.freebsd.org (8.6.11/8.6.6) with SMTP id WAA10836 for ; Wed, 6 Sep 1995 22:01:34 -0700 Received: by gate.sinica.edu.tw (5.x/SMI-SVR4) id AA11509; Thu, 7 Sep 1995 12:56:31 +0800 Date: Thu, 7 Sep 1995 12:56:30 +0800 (CST) 
From: Brian Tao To: peter@osix.com.au Cc: freebsd-security@freebsd.org Subject: Re: Do we *really* need logger(1)? In-Reply-To: <199509071137.LAA09858@thumper.osix.com.au> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: security-owner@freebsd.org Precedence: bulk On Thu, 7 Sep 1995, Peter May wrote: > > Hmmmm ... the best way of doing this is probably a rotary log file > rather than a flat log file. This will prevent your disks from filling up, but then allows a malicious user to fill up your logs with junk, once again making syslog useless. -- Brian ("Though this be madness, yet there is method in't") Tao taob@gate.sinica.edu.tw <-- work ........ play --> taob@io.org From owner-freebsd-security Thu Sep 7 06:48:46 1995 Return-Path: security-owner Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id GAA20046 for security-outgoing; Thu, 7 Sep 1995 06:48:46 -0700 Received: from godzilla.zeta.org.au (godzilla.zeta.org.au [203.2.228.34]) by freefall.freebsd.org (8.6.11/8.6.6) with ESMTP id GAA20040 for ; Thu, 7 Sep 1995 06:48:42 -0700 Received: (from bde@localhost) by godzilla.zeta.org.au (8.6.9/8.6.9) id XAA04311; Thu, 7 Sep 1995 23:46:14 +1000 Date: Thu, 7 Sep 1995 23:46:14 +1000 
From: Bruce Evans Message-Id: <199509071346.XAA04311@godzilla.zeta.org.au> To: bde@zeta.org.au, pst@shockwave.com Subject: Re: diffs for syslog.c Cc: security@freebsd.org Sender: security-owner@freebsd.org Precedence: bulk

> >+#define SPACELEFT(buffer, current) (sizeof (buffer) - \ > >+ ((char *)(current) - (char *)(buffer)))
> > This is wrong if size_t is larger than ptrdiff_t.

>Thanks for the code review, I think we have some disagreements. I don't
>have an ANSI spec in front of me, so please bear with me if I'm being a
>fool.

>It is my impression that the standard would have the pointer expression
>evaluated first. I believe the result of the pointer arithmetic here is
>an integer offset, not a pointer.

>This signed integer value would be promoted to type size_t for an arithmetic
>expression.

Correct so far. If sizeof(buffer) is (unsigned)2048, and the pointer difference is (int)2049, then the result is (unsigned)(-1) = UINT_MAX. Thus SPACELEFT() can say that there is an "infinite" amount of space when there is actually none.

> >+#define OVERFLOW(buffer, current) ((current) > \ > >+ (char *)(buffer) + sizeof (buffer)) > ^
> Anal code should check for overflow here.

>OK, yes, if buffer really was at the top of memory space, you're absolutely
>correct. How would you propose to code that overflow check?

Oops, the overflow possibility is in the `+' for the evaluation of `current', not for the fixed buffer. Buffers are not allowed to be allocated at the end of memory in Standard C. Otherwise it would be even harder to write these checks portably.

> In fact, the check can't be
> written like this in Standard C. `fooptr + offset' is undefined if the
> offset isn't a valid array index (or maybe one larger).

>I disagree. Performing a dereference of the value is undefined, but the
>pointer arithmetic is still valid and defined.

Well, it isn't. Consider the simplest case of a linear address space when the addition overflows. The usual behaviour is to wrap but the "right" behaviour is to trap. The standard correctly refrains from specifying either behaviour.

> The correct test is something like
>
> int nwritten;
> ssize_t spaceleft;
> ...
> spaceleft = SPACELEFT(...);
> assert(spaceleft >= 0);
> nwritten = vsnprintf(..., spaceleft, ...);
> assert(nwritten >= 0);

>When would you see nwritten return less than 0? It's a signed integer,
>and the 'error' case is 0.

There is no error case for [v]s[n]printf() AFAIK. I was thinking of vsnprintf() returning EOF although this "can't happen". Actually the following returns less than 0 (INT_MIN) in FreeBSD-current:

    snprintf(buf, 1, "%*s%*s", INT_MAX, "", 1, "");

(this takes 322 seconds on a 486DX2/66), and the following returns 0:

    snprintf(buf, 2, "%*s%*s%*s", INT_MAX, "foo", INT_MAX, "", 2, "");

It leaves buf[0] as '\0' instead of 'f'. I think it writes 'f' at first and wraps to write '\0' out of the last string. vsprintf() expects to accumulate the return value in an `int'. It deserves to be terminated by an overflow trap.

BTW, `gcc -Wformat' doesn't know about [v]snprintf().

Bruce

From owner-freebsd-security Thu Sep 7 07:35:02 1995 Return-Path: security-owner Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id HAA24690 for security-outgoing; Thu, 7 Sep 1995 07:35:02 -0700 Received: from halloran-eldar.lcs.mit.edu (halloran-eldar.lcs.mit.edu [18.26.0.159]) by freefall.freebsd.org (8.6.11/8.6.6) with SMTP id HAA24672 for ; Thu, 7 Sep 1995 07:34:55 -0700 Received: by halloran-eldar.lcs.mit.edu; (5.65/1.1.8.2/19Aug95-0530PM) id AA22441; Thu, 7 Sep 1995 10:34:39 -0400 Date: Thu, 7 Sep 1995 10:34:39 -0400
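The point argued in Bruce Evans's message above, worked as an added example (not code from the thread or from FreeBSD's syslog.c): the posted SPACELEFT arithmetic wraps to a huge unsigned value once the offset passes the buffer size, while comparing each vsnprintf return value with the space left before advancing never forms an out-of-range pointer. It assumes C99 vsnprintf semantics (the output was cut when the return value is >= the size passed); `spaceleft_as_posted`, `struct logbuf`, `logbuf_printf` and `build_line` are hypothetical names.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * The arithmetic of the posted SPACELEFT macro, with the pointer difference
 * passed in as an integer so the wraparound can be shown without forming an
 * out-of-bounds pointer.
 */
static size_t spaceleft_as_posted(size_t bufsize, ptrdiff_t used)
{
    return bufsize - (size_t)used;      /* 2048 - 2049 wraps to SIZE_MAX */
}

/* Hypothetical helper type: tracks an offset, never a travelling pointer. */
struct logbuf {
    char  *base;
    size_t size;       /* total bytes in base[] */
    size_t used;       /* bytes written, excluding the NUL; used < size */
    int    truncated;  /* set once any write did not fit */
};

static void logbuf_init(struct logbuf *lb, char *base, size_t size)
{
    lb->base = base;
    lb->size = size;
    lb->used = 0;
    lb->truncated = (size == 0);
    if (size > 0)
        base[0] = '\0';
}

/* Append formatted text; returns 0 on success, -1 if the text did not fit. */
static int logbuf_printf(struct logbuf *lb, const char *fmt, ...)
{
    va_list ap;
    size_t left;
    int n;

    if (lb->truncated)
        return -1;
    left = lb->size - lb->used;         /* >= 1 because used < size */
    va_start(ap, fmt);
    n = vsnprintf(lb->base + lb->used, left, fmt, ap);
    va_end(ap);
    if (n < 0) {                        /* vsnprintf reported an error */
        lb->base[lb->used] = '\0';
        lb->truncated = 1;
        return -1;
    }
    if ((size_t)n >= left) {            /* would-be length did not fit */
        lb->used = lb->size - 1;        /* left - 1 chars and a NUL were written */
        lb->truncated = 1;
        return -1;
    }
    lb->used += (size_t)n;
    return 0;
}

/* Build "<pri>tag[pid]: msg"; returns the length, or -1 if it was cut. */
static int build_line(char *out, size_t outsize, int pri,
                      const char *tag, long pid, const char *msg)
{
    struct logbuf lb;

    logbuf_init(&lb, out, outsize);
    logbuf_printf(&lb, "<%d>", pri);
    logbuf_printf(&lb, "%s[%ld]: ", tag, pid);
    logbuf_printf(&lb, "%s", msg);
    return lb.truncated ? -1 : (int)lb.used;
}

int main(void)
{
    char big[32], small[16];            /* constructed sample buffers */
    int n;

    printf("posted arithmetic, 2048-byte buffer, offset 2049: %zu\n",
           spaceleft_as_posted(2048, 2049));
    n = build_line(big, sizeof big, 13, "logger", 42L, "hello");
    printf("%d \"%s\"\n", n, big);
    n = build_line(small, sizeof small, 13, "logger", 42L, "hello");
    printf("%d \"%s\"\n", n, small);
    return 0;
}
```

The 16-byte case is the exact-fit boundary: the second fragment needs 12 bytes plus a NUL with 12 bytes left, so a pointer advanced by the return value would sit exactly one past the end of the buffer.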
From: "Garrett A. Wollman" Message-Id: <9509071434.AA22441@halloran-eldar.lcs.mit.edu> To: peter@osix.com.au Cc: Brian Tao , freebsd-security@freebsd.org Subject: Re: Do we *really* need logger(1)? In-Reply-To: <199509071137.LAA09858@thumper.osix.com.au> References: <199509071137.LAA09858@thumper.osix.com.au> Sender: security-owner@freebsd.org Precedence: bulk < said: > However, all of these changes are significant, and it means making > syslog somewhat non-standard. I guess that could be important as > well. Actually, I have a number of times contemplated writing a syslog-replacement that would have a better configuration file and allow for automatic log rotation. -GAWollman -- Garrett A. Wollman | Shashish is simple, it's discreet, it's brief. ... wollman@lcs.mit.edu | Shashish is the bonding of hearts in spite of distance. Opinions not those of| It is a bond more powerful than absence. We like people MIT, LCS, ANA, or NSA| who like Shashish. - Claude McKenzie + Florent Vollant From owner-freebsd-security Thu Sep 7 07:50:04 1995 Return-Path: security-owner Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id HAA02741 for security-outgoing; Thu, 7 Sep 1995 07:50:04 -0700 Received: from critter.tfs.com ([140.145.230.252]) by freefall.freebsd.org (8.6.11/8.6.6) with ESMTP id HAA02721 for ; Thu, 7 Sep 1995 07:49:57 -0700 Received: from localhost (localhost [127.0.0.1]) by critter.tfs.com (8.6.11/8.6.9) with SMTP id HAA01631; Thu, 7 Sep 1995 07:48:32 -0700 X-Authentication-Warning: critter.tfs.com: Host localhost didn't use HELO protocol To: "Garrett A. Wollman" cc: peter@osix.com.au, Brian Tao , freebsd-security@freebsd.org Subject: Re: Do we *really* need logger(1)? In-reply-to: Your message of "Thu, 07 Sep 1995 10:34:39 EDT." <9509071434.AA22441@halloran-eldar.lcs.mit.edu> Date: Thu, 07 Sep 1995 07:48:32 -0700 Message-ID: <1629.810485312@critter.tfs.com> 
From: Poul-Henning Kamp Sender: security-owner@freebsd.org Precedence: bulk > < said : > > > However, all of these changes are significant, and it means making > > syslog somewhat non-standard. I guess that could be important as > > well. > > Actually, I have a number of times contemplated writing a > syslog-replacement that would have a better configuration file and > allow for automatic log rotation. > I planned on doing it in tcl, then you could also take action when something happened... -- Poul-Henning Kamp | phk@FreeBSD.ORG FreeBSD Core-team. http://www.freebsd.org/~phk | phk@login.dknet.dk Private mailbox. whois: [PHK] | phk@ref.tfs.com TRW Financial Systems, Inc. Just that: dried leaves in boiling water ? From owner-freebsd-security Thu Sep 7 07:50:08 1995 Return-Path: security-owner Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id HAA02764 for security-outgoing; Thu, 7 Sep 1995 07:50:08 -0700 Received: from strider.ibenet.it ([194.179.130.1]) by freefall.freebsd.org (8.6.11/8.6.6) with ESMTP id HAA02713 for ; Thu, 7 Sep 1995 07:49:53 -0700 Received: (from piero@localhost) by strider.ibenet.it (8.6.12/8.6.12) id QAA20015; Thu, 7 Sep 1995 16:52:42 +0200 
From: Piero Serini Message-Id: <199509071452.QAA20015@strider.ibenet.it> Subject: Re: Do we *really* need logger(1)? To: wollman@lcs.mit.edu (Garrett A. Wollman) Date: Thu, 7 Sep 1995 16:52:41 +0200 (MET DST) Cc: tom@uniserve.com, freebsd-security@freebsd.org In-Reply-To: <9509062102.AA21414@halloran-eldar.lcs.mit.edu> from "Garrett A. Wollman" at Sep 6, 95 05:02:50 pm Reply-To: piero@strider.ibenet.it Operating-System: FreeBSD 1.1.5.1 X-Phone-Number: +39 (2) 58113562 X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 764 Sender: security-owner@freebsd.org Precedence: bulk

Hello.

Quoting from Garrett A. Wollman (Wed Sep 6 23:02:50 1995):
> As for `logger', it's a useful tool that anyone could write if it did
> not exist before. People running public-access systems should do the
> same thing to `logger' as they do to `cc', `as', and `ld'.

And cat and ftp... I can compile logger on another FreeBSD machine and then import it in my personal ~/bin on the PA host. If you run a PA system, you already have NO security. If you give your users a restricted shell, you aren't running a useful service any more.

Bye,
--
# $Id: .signature,v 1.12 1995/08/14 12:10:54 piero Exp $
Piero Serini Via Giambologna, 1 I 20136 Milano - ITALY

From owner-freebsd-security Thu Sep 7 09:04:46 1995 Return-Path: security-owner Received: (from majordom@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id JAA13831 for security-outgoing; Thu, 7 Sep 1995 09:04:46 -0700 Received: from fslg8.fsl.noaa.gov (fslg8.fsl.noaa.gov [137.75.131.171]) by freefall.freebsd.org (8.6.11/8.6.6) with SMTP id JAA13825 for ; Thu, 7 Sep 1995 09:04:44 -0700 Received: by fslg8.fsl.noaa.gov (5.57/Ultrix3.0-C) id AA29736; Thu, 7 Sep 95 16:04:08 GMT Received: by emu.fsl.noaa.gov (1.38.193.4/SMI-4.1 (1.38.193.4)) id AA21812; Thu, 7 Sep 1995 10:04:05 -0600 Date: Thu, 7 Sep 1995 10:04:05 -0600
From: kelly@fsl.noaa.gov (Sean Kelly) Message-Id: <9509071604.AA21812@emu.fsl.noaa.gov> To: phk@critter.tfs.com Cc: wollman@lcs.mit.edu, peter@osix.com.au, taob@gate.sinica.edu.tw, freebsd-security@freebsd.org In-Reply-To: <1629.810485312@critter.tfs.com> (message from Poul-Henning Kamp on Thu, 07 Sep 1995 07:48:32 -0700) Subject: Re: Do we *really* need logger(1)? Sender: security-owner@freebsd.org Precedence: bulk >>>>> "Poul-Henning" == Poul-Henning Kamp writes: >> Actually, I have a number of times contemplated writing a >> syslog-replacement that would have a better configuration file >> and allow for automatic log rotation. Poul-Henning> I planned on doing it in tcl, then you could also Poul-Henning> take action when something happened... Do you mean have ordinary users send tcl scripts to syslog to be evaluated/executed? -- Sean Kelly NOAA Forecast Systems Lab, Boulder Colorado USA Babies don't need a vacation, but I still see them at the beach... It pisses me off! I'll go over to a little baby and say, "What are you doing here? You haven't worked a day in your life!" -- Steven Wright From owner-freebsd-security Thu Sep 7 09:07:16 1995 Return-Path: security-owner Received: (from majordom@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id JAA13888 for security-outgoing; Thu, 7 Sep 1995 09:07:16 -0700 Received: from critter.tfs.com ([140.145.230.252]) by freefall.freebsd.org (8.6.11/8.6.6) with ESMTP id JAA13882 for ; Thu, 7 Sep 1995 09:07:15 -0700 Received: from localhost (localhost [127.0.0.1]) by critter.tfs.com (8.6.11/8.6.9) with SMTP id JAA01794; Thu, 7 Sep 1995 09:06:00 -0700 X-Authentication-Warning: critter.tfs.com: Host localhost didn't use HELO protocol To: kelly@fsl.noaa.gov (Sean Kelly) cc: wollman@lcs.mit.edu, peter@osix.com.au, taob@gate.sinica.edu.tw, freebsd-security@freebsd.org Subject: Re: Do we *really* need logger(1)? In-reply-to: Your message of "Thu, 07 Sep 1995 10:04:05 MDT." 
<9509071604.AA21812@emu.fsl.noaa.gov> Date: Thu, 07 Sep 1995 09:06:00 -0700 Message-ID: <1792.810489960@critter.tfs.com> From: Poul-Henning Kamp Sender: security-owner@freebsd.org Precedence: bulk > >>>>> "Poul-Henning" == Poul-Henning Kamp writes: > > >> Actually, I have a number of times contemplated writing a > >> syslog-replacement that would have a better configuration file > >> and allow for automatic log rotation. > > Poul-Henning> I planned on doing it in tcl, then you could also > Poul-Henning> take action when something happened... > > Do you mean have ordinary users send tcl scripts to syslog to be > evaluated/executed? No, I mean that the root can be paged when sendmail keels over... -- Poul-Henning Kamp | phk@FreeBSD.ORG FreeBSD Core-team. http://www.freebsd.org/~phk | phk@login.dknet.dk Private mailbox. whois: [PHK] | phk@ref.tfs.com TRW Financial Systems, Inc. Just that: dried leaves in boiling water ? From owner-freebsd-security Thu Sep 7 12:21:54 1995 Return-Path: security-owner Received: (from majordom@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id MAA06044 for security-outgoing; Thu, 7 Sep 1995 12:21:54 -0700 Received: from who.cdrom.com (who.cdrom.com [192.216.222.3]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id MAA06038 for ; Thu, 7 Sep 1995 12:21:53 -0700 Received: from sivka.carrier.kiev.ua (sivka.carrier.kiev.ua [193.125.68.130]) by who.cdrom.com (8.6.11/8.6.11) with ESMTP id MAA02945 for ; Thu, 7 Sep 1995 12:19:59 -0700 Received: from elvisti.kiev.ua (uucp@localhost) by sivka.carrier.kiev.ua (Sendmail 8.who.cares/5) with UUCP id WAA17889 for security@freebsd.org; Thu, 7 Sep 1995 22:18:26 +0300 Received: from office.elvisti.kiev.ua (office.elvisti.kiev.ua [193.125.28.33]) by spider2.elvisti.kiev.ua (8.6.12/8.6.9) with ESMTP id UAA16792 for ; Thu, 7 Sep 1995 20:07:28 +0300 Received: (from stesin@localhost) by office.elvisti.kiev.ua (8.6.12/8.6.9) id UAA29202; Thu, 7 Sep 1995 20:07:27 +0300
From: "Andrew V. Stesin" Message-Id: <199509071707.UAA29202@office.elvisti.kiev.ua> Subject: Re: Do we *really* need logger(1)? To: wollman@lcs.mit.edu (Garrett A. Wollman) Date: Thu, 7 Sep 1995 20:07:26 +0300 (EET DST) Cc: security@freebsd.org In-Reply-To: <9509062102.AA21414@halloran-eldar.lcs.mit.edu> from "Garrett A. Wollman" at Sep 6, 95 05:02:50 pm X-Mailer: ELM [version 2.4 PL24alpha5] Content-Type: text Content-Length: 1408 Sender: security-owner@freebsd.org Precedence: bulk

Hello,

# > True. My point was that xinetd can wrap UDP daemons and tcp_wrapper
# > can not. Plus, xinetd can do it without exec'ing an additional program.
#
# > Filters on border routers should be used to block "outside" syslogd abuse.
#
# Um, no, syslog should be fixed to not accept random junk from anyone
# who cares to send it.

Another 2 things which (I believe) are worth the effort:

(a) Some kind of ACK protocol when logging goes to another host; seems to be a better solution than using TCP connection. I've read about this kind of simple and cost-effective message exchange protocols in Addison-Wesley book on distributed computing, 2 ed. For a pity, that book wasn't mine.

(b) Optional encryption capability for the messages, using the system-wide libcrypt facility; even very simple one will be good, with parameters stored in /etc/syslog.conf. Better than nothing, really.

# Packet filtering is never the correct answer,
# despite what some vendors may try to make people think.

How one can design a strategy of living without it? What are better solutions?

# As for `logger', it's a useful tool that anyone could write if it did
# not exist before. People running public-access systems should do the
# same thing to `logger' as they do to `cc', `as', and `ld'.

Agreed.

#
# -GAWollman
#

-- With best regards -- Andrew Stesin.
From owner-freebsd-security Thu Sep 7 13:21:53 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id NAA07266 for security-outgoing; Thu, 7 Sep 1995 13:21:53 -0700
Received: from haywire.DIALix.COM (news@haywire.DIALix.COM [192.203.228.65]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id NAA07259 for ; Thu, 7 Sep 1995 13:21:43 -0700
Received: (from news@localhost) by haywire.DIALix.COM (sendmail) id EAA10662 for freebsd-security@freebsd.org; Fri, 8 Sep 1995 04:21:38 +0800 (WST)
Received: from GATEWAY by haywire.DIALix.COM with netnews for freebsd-security@freebsd.org (problems to: usenet@haywire.dialix.com)
To: freebsd-security@freebsd.org
Date: 8 Sep 1995 04:21:28 +0800
From: peter@haywire.dialix.com (Peter Wemm)
Message-ID: <42nk88$ad0$1@haywire.DIALix.COM>
Organization: DIALix Services, Perth, Australia.
Subject: Are we doing this syslog() thing the wrong way?
Sender: security-owner@freebsd.org
Precedence: bulk

Are we not all looking at it from the wrong way?

It seems that an incredible effort is being spent to make the message
fit in a small, fixed size buffer. I have a half-baked idea for an
alternative, that might just be better and more efficient.. It might
be even easier still..

How's this for a skeleton for starters:

vsyslog(...)
{
	...
	FILE fake;

	fake._flags = __SWR | __SSTR;	/* from libc/stdio/vsnprintf.c */
	fake._bf._base = fake._p = (unsigned char *)tbuf;
	fake._bf._size = fake._w = sizeof(tbuf);
	...
	then do *all* the printfs via fprintf()..

	fprintf(&fake, "<%d>", pri);
	fprintf(&fake, "%.15s ", ctime(&now) + 4);
	..
	if (LogTag)
		fprintf(&fake, "%s", LogTag);
	if (LogStat & LOG_PID)
		fprintf(&fake, "[%d]", getpid());
	if (LogTag)
		fprintf(&fake, ": ");

	for (....) {
		....
		fprintf(&fake, "%s", strerror(saved_errno));
		....
	}
	vfprintf(&fake, fmt_cpy, ap);

	/* at this point, we're done. fake._w has (I think) the space left */
#if hmm... I dont think this is needed,
	tbuf[sizeof(tbuf) - 1] = '\0';
	cnt = strlen(tbuf);
#else
	cnt = sizeof(tbuf) - fake._w;	/* have not checked yet... */
#endif
	..
	writev()...
	send(LogFile, tbuf, cnt, 0) ...
	...
	write() to console...
}

stdio is meant to be our friend. It can help us here...

Comments? Is this a better way?

It'd be nice if stdio exported a non-advertised routine to set things
like this up. I'm sure they could be used elsewhere in the system if
it wasn't for the "detailed knowledge" of the stdio internals.

Anyway, here's a *minimally* touched version of our current syslog,
which appears to work with a couple of simple tests with logger. I
have not analysed to see if there are any off-by-one errors - it may
be possible that it writes one character too many into tbuf. I'm sure
there are minor things that need cleaning, but the basics are there.

I think this ties it up pretty well... I guess the collective gaze of
a group of security-suspicious people will find its holes pretty
quick.. :-) Please, be gentle.. :-)

-Peter

/*
 * Copyright (c) 1983, 1988, 1993
 *	The Regents of the University of California. All rights reserved.
 * Copyright (c) 1995 Peter Wemm (so there.. :-)
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *	This product includes software developed by the University of
 *	California, Berkeley and its contributors.
 * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#if defined(LIBC_SCCS) && !defined(lint)
static char sccsid[] = "@(#)syslog.c 8.4 (Berkeley) 3/18/94";
#endif /* LIBC_SCCS and not lint */

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/syslog.h>
#include <sys/uio.h>
#include <netdb.h>

#include <errno.h>
#include <fcntl.h>
#include <paths.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

#if __STDC__
#include <stdarg.h>
#else
#include <varargs.h>
#endif

static int	LogFile = -1;		/* fd for log */
static int	connected;		/* have done connect */
static int	LogStat = 0;		/* status bits, set by openlog() */
static const char *LogTag = NULL;	/* string to tag the entry with */
static int	LogFacility = LOG_USER;	/* default facility code */
static int	LogMask = 0xff;		/* mask of priorities to be logged */

extern char	*__progname;		/* Program name, from crt0. */

/*
 * syslog, vsyslog --
 *	print message on log file; output is intended for syslogd(8).
 */
void
#if __STDC__
syslog(int pri, const char *fmt, ...)
#else
syslog(pri, fmt, va_alist)
	int pri;
	char *fmt;
	va_dcl
#endif
{
	va_list ap;

#if __STDC__
	va_start(ap, fmt);
#else
	va_start(ap);
#endif
	vsyslog(pri, fmt, ap);
	va_end(ap);
}

void
vsyslog(pri, fmt, ap)
	int pri;
	register const char *fmt;
	va_list ap;
{
	register int cnt;
	register char ch, *p, *t;
	time_t now;
	int fd, n, saved_errno;
	char *fmt_end, *stdp, tbuf[2048], fmt_cpy[1024];
	FILE f;

	/*
	 * Initialise the stdio buffer to do multiple writes to a
	 * string buffer. Three bytes are held back for the "\r\n"
	 * and terminating NUL appended on the console path below.
	 */
	f._flags = __SWR | __SSTR;	/* __SSTR means string buffer mode */
	f._bf._base = f._p = (unsigned char *) tbuf;
	f._bf._size = f._w = sizeof(tbuf) - 3;

#define	INTERNALLOG	LOG_ERR|LOG_CONS|LOG_PERROR|LOG_PID
	/* Check for invalid bits. */
	if (pri & ~(LOG_PRIMASK|LOG_FACMASK)) {
		syslog(INTERNALLOG,
		    "syslog: unknown facility/priority: %x", pri);
		pri &= LOG_PRIMASK|LOG_FACMASK;
	}

	/* Check priority against setlogmask values. */
	if (!(LOG_MASK(LOG_PRI(pri)) & LogMask))
		return;

	saved_errno = errno;

	/* Set default facility if none specified. */
	if ((pri & LOG_FACMASK) == 0)
		pri |= LogFacility;

	/* Build the message. */
	(void)time(&now);
	(void)fprintf(&f, "<%d>", pri);
	(void)fprintf(&f, "%.15s ", ctime(&now) + 4);
	/* Remember where the part echoed to stderr starts. */
	if (LogStat & LOG_PERROR)
		stdp = (char *)f._p;
	if (LogTag == NULL)
		LogTag = __progname;
	if (LogTag != NULL)
		(void)fprintf(&f, "%s", LogTag);
	if (LogStat & LOG_PID)
		(void)fprintf(&f, "[%d]", getpid());
	if (LogTag != NULL) {
		(void)fprintf(&f, ": ");
	}

	/*
	 * Substitute error message for %m. Copying stops once fmt_cpy
	 * is full, so a long format cannot run past the end of it.
	 */
	fmt_end = fmt_cpy + sizeof(fmt_cpy) - 1;
	for (t = fmt_cpy; (ch = *fmt) != '\0' && t < fmt_end; ++fmt)
		if (ch == '%' && fmt[1] == 'm') {
			++fmt;
			n = snprintf(t, (size_t)(fmt_end - t) + 1, "%s",
			    strerror(saved_errno));
			if (n > fmt_end - t)
				n = fmt_end - t;
			t += n;
		} else
			*t++ = ch;
	*t = '\0';

	vfprintf(&f, fmt_cpy, ap);

	/* Terminate the string; f._p points just past the last byte stored. */
	*f._p = '\0';
	cnt = (char *)f._p - tbuf;

	/* Output to stderr if requested. */
	if (LogStat & LOG_PERROR) {
		struct iovec iov[2];
		register struct iovec *v = iov;

		v->iov_base = stdp;
		v->iov_len = cnt - (stdp - tbuf);
		++v;
		v->iov_base = "\n";
		v->iov_len = 1;
		(void)writev(STDERR_FILENO, iov, 2);
	}

	/* Get connected, output the message to the local logger. */
	if (!connected)
		openlog(LogTag, LogStat | LOG_NDELAY, 0);
	if (send(LogFile, tbuf, cnt, 0) >= 0)
		return;

	/*
	 * Output the message to the console; don't worry about blocking,
	 * if console blocks everything will. Make sure the error reported
	 * is the one from the syslogd failure.
	 */
	if (LogStat & LOG_CONS &&
	    (fd = open(_PATH_CONSOLE, O_WRONLY, 0)) >= 0) {
		(void)strcat(tbuf, "\r\n");
		cnt += 2;
		p = index(tbuf, '>') + 1;
		(void)write(fd, p, cnt - (p - tbuf));
		(void)close(fd);
	}
}

static struct sockaddr SyslogAddr;	/* AF_UNIX address of local logger */

void
openlog(ident, logstat, logfac)
	const char *ident;
	int logstat, logfac;
{
	if (ident != NULL)
		LogTag = ident;
	LogStat = logstat;
	if (logfac != 0 && (logfac &~ LOG_FACMASK) == 0)
		LogFacility = logfac;

	if (LogFile == -1) {
		SyslogAddr.sa_family = AF_UNIX;
		(void)strncpy(SyslogAddr.sa_data, _PATH_LOG,
		    sizeof(SyslogAddr.sa_data));
		if (LogStat & LOG_NDELAY) {
			if ((LogFile = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1)
				return;
			/* Close-on-exec, so children do not inherit the fd. */
			(void)fcntl(LogFile, F_SETFD, 1);
		}
	}
	if (LogFile != -1 && !connected)
		if (connect(LogFile, &SyslogAddr, sizeof(SyslogAddr)) == -1) {
			(void)close(LogFile);
			LogFile = -1;
		} else
			connected = 1;
}

void
closelog()
{
	(void)close(LogFile);
	LogFile = -1;
	connected = 0;
}

/* setlogmask -- set the log mask level */
int
setlogmask(pmask)
	int pmask;
{
	int omask;

	omask = LogMask;
	if (pmask != 0)
		LogMask = pmask;
	return (omask);
}

From owner-freebsd-security Thu Sep 7 16:06:28 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id QAA13637 for security-outgoing; Thu, 7 Sep 1995 16:06:28 -0700
Received: from thing.sunquest.com (thing.Sunquest.COM [149.138.1.11]) by freefall.freebsd.org (8.6.12/8.6.6) with SMTP id QAA13631 for ; Thu, 7 Sep 1995 16:06:22 -0700
Received: by thing.sunquest.com; id AA13936; Thu, 7 Sep 1995 16:02:29 -0700
Date: Thu, 7 Sep 1995 16:02:29 -0700
From: Tony Jones
Message-Id: <9509072302.AA13936@thing.sunquest.com>
To: security@freebsd.org
Subject: Re: Do we *really* need logger(1)?
Sender: security-owner@freebsd.org
Precedence: bulk

peter@osix.osix.oz.au writes

>Hmmmm ... the best way of doing this is probably a rotary log file
>rather than a flat log file. For example, the error log on an AIX
>system uses at most 1Mb of storage (the error log entries are small).
>Once the log file wraps, older entries are overwritten. A better

I was surprised to see FreeBSD didn't have the 'syslog.dated' feature
which rolls over the log files daily (or at boot time). It's a nice
feature of OSF/1 - leaves me wondering if it's a SVR4ism.

tony

From owner-freebsd-security Fri Sep 8 03:29:08 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id DAA29335 for security-outgoing; Fri, 8 Sep 1995 03:29:08 -0700
Received: from strider.ibenet.it (root@[194.179.130.1]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id DAA29325 for ; Fri, 8 Sep 1995 03:28:50 -0700
Received: (from piero@localhost) by strider.ibenet.it (8.6.12/8.6.12) id MAA22658; Fri, 8 Sep 1995 12:26:38 +0200
From: Piero Serini
Message-Id: <199509081026.MAA22658@strider.ibenet.it>
Subject: Re: Do we *really* need logger(1)?
To: stesin@elvisti.kiev.ua (Andrew V. Stesin)
Date: Fri, 8 Sep 1995 12:26:37 +0200 (MET DST)
Cc: wollman@lcs.mit.edu, security@freebsd.org
In-Reply-To: <199509071707.UAA29202@office.elvisti.kiev.ua> from "Andrew V. Stesin" at Sep 7, 95 08:07:26 pm
Reply-To: piero@strider.ibenet.it
Operating-System: FreeBSD 1.1.5.1
X-Phone-Number: +39 (2) 58113562
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1338
Sender: security-owner@freebsd.org
Precedence: bulk

Hello.

Quoting from Andrew V. Stesin (Thu Sep 7 19:07:26 1995):
> (b) Optional encryption capability for the messages,
> using the system-wide libcrypt facility;
> even very simple one will be good, with parameters stored in
> /etc/syslog.conf. Better than nothing, really.

Use the root passwd on the originating machine to encrypt the logs
sent via network.

+----+                   +----+
| A  | ---- logs to ---> | B  |
+----+                   +----+

syslogd on A uses its root passwd to encrypt the data, B just stores
it. 2 possible scenarios:

1) B is the central repository for all the logs in the network.
   It's common practice that the staff on B knows the root passwd
   for all the network machines;

2) B is another machine which stores the logs, but the staff hasn't
   the root passwd. In this situation, B receives logs already encrypted
   regarding a machine they don't have root access to, so they probably
   have no need to read the data. If A system manager wants to read
   its own logs, (s)he has the root passwd to do that.

Comments?

Bye,
--
# $Id: .signature,v 1.12 1995/08/14 12:10:54 piero Exp $
Piero Serini		Via Giambologna, 1
			I 20136 Milano - ITALY

From owner-freebsd-security Fri Sep 8 03:49:57 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id DAA29787 for security-outgoing; Fri, 8 Sep 1995 03:49:57 -0700
Received: from Relay1.Austria.EU.net (relay1.Austria.EU.net [192.92.138.47]) by freefall.freebsd.org (8.6.12/8.6.6) with SMTP id DAA29780 for ; Fri, 8 Sep 1995 03:49:49 -0700
From: marino.ladavac@aut.alcatel.at
Received: from aut.alcatel.at (dnisun.aut.alcatel.at) by Relay1.Austria.EU.net with SMTP id AA29578 (5.67b/IDA-1.5 for ); Fri, 8 Sep 1995 12:48:46 +0200
Received: from atuhc16 by aut.alcatel.at (4.1/SMI-4.1/AAA-1.29/main) id AA06504; Fri, 8 Sep 95 12:48:47 +0200
Message-Id: <9509081048.AA06504@atuhc16.aut.alcatel.at>
Received: by atuhc16 (1.38.193.4/16.2) id AA12617; Fri, 8 Sep 1995 12:48:38 +0200
Subject: Re: Do we *really* need logger(1)?
To: piero@strider.ibenet.it
Date: Fri, 8 Sep 95 12:48:38 METDST
Cc: security@freebsd.org
In-Reply-To: <199509081026.MAA22658@strider.ibenet.it>; from "Piero Serini" at Sep 8, 95 12:26 (noon)
Mailer: Elm [revision: 70.85]
Sender: security-owner@freebsd.org
Precedence: bulk

> Hello.
> Quoting from Andrew V. Stesin (Thu Sep 7 19:07:26 1995):
> > (b) Optional encryption capability for the messages,
> > using the system-wide libcrypt facility;
> > even very simple one will be good, with parameters stored in
> > /etc/syslog.conf. Better than nothing, really.
> Use the root passwd on the originating machine to encrypt the logs
> sent via network.
> +----+                   +----+
> | A  | ---- logs to ---> | B  |
> +----+                   +----+
> syslogd on A uses its root passwd to encrypt the data, B just stores
> it. 2 possible scenarios:
> 1) B is the central repository for all the logs in the network.
> It's common practice that the staff on B knows the root passwd
> for all the network machines;
> 2) B is another machine which stores the logs, but the staff hasn't
> the root passwd. In this situation, B receives logs already encrypted
> regarding a machine they don't have root access to, so they probably
> have no need to read the data. If A system manager wants to read
> its own logs, (s)he has the root passwd to do that.
> Comments?

Better yet, use the password to authenticate the sent data, so that the
central server can easily ignore possibly malicious foreign logs. This
way one can fight against port 154 or logger attack on the logfiles.

/Alby

> Bye,
> --
> # $Id: .signature,v 1.12 1995/08/14 12:10:54 piero Exp $
> Piero Serini		Via Giambologna, 1
> 			I 20136 Milano - ITALY

From owner-freebsd-security Fri Sep 8 04:12:49 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id EAA01181 for security-outgoing; Fri, 8 Sep 1995 04:12:49 -0700
Received: from relay.philips.nl (relay.philips.nl [130.144.65.1]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id EAA01175 for ; Fri, 8 Sep 1995 04:12:47 -0700
Received: (from smap@localhost) by relay.philips.nl (8.6.9/8.6.9-950414) id NAA21490; Fri, 8 Sep 1995 13:11:00 +0200
Received: from unknown(130.144.198.1) by relay.philips.nl via smap (V1.3+ESMTP) with SMTP id sma021416; Fri Sep 8 13:10:30 1995
Received: from spooky.lss.cp.philips.com by cnps.lss.cp.philips.com with smtp (Smail3.1.28.1 #1) id m0sr2Hq-0000qjC; Fri, 8 Sep 95 13:12 MET
Received: by spooky.lss.cp.philips.com (Smail3.1.29.1 #1) id m0sr1K1-000HneC; Fri, 8 Sep 95 13:10 MET DST
Message-Id:
From: guido@spooky.lss.cp.philips.com (Guido van Rooij)
Subject: Re: Do we *really* need logger(1)?
To: piero@strider.ibenet.it
Date: Fri, 8 Sep 1995 13:10:13 +0200 (MET DST)
Cc: stesin@elvisti.kiev.ua, wollman@lcs.mit.edu, security@freebsd.org
In-Reply-To: <199509081026.MAA22658@strider.ibenet.it> from "Piero Serini" at Sep 8, 95 12:26:37 pm
Reply-To: Guido.vanRooij@nl.cis.philips.com (Guido van Rooij)
X-Mailer: ELM [version 2.4 PL21]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 549
Sender: security-owner@freebsd.org
Precedence: bulk

Piero Serini wrote:
>
> Hello.
>
> Quoting from Andrew V. Stesin (Thu Sep 7 19:07:26 1995):
> > (b) Optional encryption capability for the messages,
> > using the system-wide libcrypt facility;
> > even very simple one will be good, with parameters stored in
> > /etc/syslog.conf. Better than nothing, really.
>
> Use the root passwd on the originating machine to encrypt the logs
> sent via network.
>

I don't like a root password stored in a program. Better is to have a
diffie-hellman scheme to obtain a session key.

-Guido

From owner-freebsd-security Fri Sep 8 05:47:55 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id FAA05461 for security-outgoing; Fri, 8 Sep 1995 05:47:55 -0700
Received: from strider.ibenet.it (root@[194.179.130.1]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id FAA05452 for ; Fri, 8 Sep 1995 05:47:37 -0700
Received: (from piero@localhost) by strider.ibenet.it (8.6.12/8.6.12) id OAA22923; Fri, 8 Sep 1995 14:48:33 +0200
From: Piero Serini
Message-Id: <199509081248.OAA22923@strider.ibenet.it>
Subject: Re: Do we *really* need logger(1)?
To: Guido.vanRooij@nl.cis.philips.com
Date: Fri, 8 Sep 1995 14:48:32 +0200 (MET DST)
Cc: piero@strider.ibenet.it, stesin@elvisti.kiev.ua, wollman@lcs.mit.edu, security@freebsd.org
In-Reply-To: from "Guido van Rooij" at Sep 8, 95 01:10:13 pm
Reply-To: piero@strider.ibenet.it
Operating-System: FreeBSD 1.1.5.1
X-Phone-Number: +39 (2) 58113562
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 476
Sender: security-owner@freebsd.org
Precedence: bulk

Hello.

Quoting from Guido van Rooij (Fri Sep 8 13:10:13 1995):
> I don't like a root password stored in a program.

You can do this in a secure manner. But I agree with you.

> Better is to have a
> diffie-hellman scheme to obtain a session key.

Ok.

Bye,
--
# $Id: .signature,v 1.12 1995/08/14 12:10:54 piero Exp $
Piero Serini		Via Giambologna, 1
			I 20136 Milano - ITALY

From owner-freebsd-security Fri Sep 8 06:26:21 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id GAA06511 for security-outgoing; Fri, 8 Sep 1995 06:26:21 -0700
Received: from alpha.dsu.edu (ghelmer@alpha.dsu.edu [138.247.32.12]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id GAA06505 for ; Fri, 8 Sep 1995 06:26:19 -0700
Received: (from ghelmer@localhost) by alpha.dsu.edu (8.6.12/8.6.12) id IAA18134; Fri, 8 Sep 1995 08:25:34 -0500
Date: Fri, 8 Sep 1995 08:25:34 -0500 (CDT)
From: Guy Helmer
To: Piero Serini
cc: Guido.vanRooij@nl.cis.philips.com, piero@strider.ibenet.it, stesin@elvisti.kiev.ua, wollman@lcs.mit.edu, security@freebsd.org
Subject: Re: Do we *really* need logger(1)?
In-Reply-To: <199509081248.OAA22923@strider.ibenet.it>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: security-owner@freebsd.org
Precedence: bulk

On Fri, 8 Sep 1995, Piero Serini wrote:

> Hello.
>
> Quoting from Guido van Rooij (Fri Sep 8 13:10:13 1995):
> > I don't like a root password stored in a program.
>
> You can do this in a secure manner. But I agree with you.
>
> > Better is to have a
> > diffie-hellman scheme to obtain a session key.

Better yet (IMHO), use a key known only to the client and the server
that, when concatenated with the data on the client, provides an MD5
signature on the data that the server can verify (like I believe NTP's
protocol works) -- this avoids patent problems _and_ the US ITAR
encryption export restrictions...

Guy Helmer, Dakota State University Computing Services - ghelmer@alpha.dsu.edu

From owner-freebsd-security Fri Sep 8 07:24:06 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id HAA08309 for security-outgoing; Fri, 8 Sep 1995 07:24:06 -0700
Received: from gateway.fedex.com (gateway.fedex.com [198.80.10.2]) by freefall.freebsd.org (8.6.12/8.6.6) with SMTP id HAA08303 for ; Fri, 8 Sep 1995 07:23:59 -0700
Received: by gateway.fedex.com id AA08525 (InterLock SMTP Gateway 3.0 for security@freebsd.org); Fri, 8 Sep 1995 09:23:48 -0500
Message-Id: <199509081423.AA08525@gateway.fedex.com>
Received: by gateway.fedex.com (Internal Mail Agent-2); Fri, 8 Sep 1995 09:23:48 -0500
Received: by gateway.fedex.com (Internal Mail Agent-1); Fri, 8 Sep 1995 09:23:48 -0500
To: Guido.vanRooij@nl.cis.philips.com, security@freebsd.org
Subject: Re: Do we *really* need logger(1)?
Date: Fri, 08 Sep 1995 09:24:46 -0500
From: William McVey - wam
Sender: security-owner@freebsd.org
Precedence: bulk

Guido van Rooij wrote:
> Better is to have a
> diffie-hellman scheme to obtain a session key.

This is just an FYI, Diffie-Hellman key exchange is patented by PKP. If
we are going to revamp syslog to use it, then for our sakes, we should
do the legal work to get a license. The patent doesn't expire for
another 2 years even... :-(

-- William

From owner-freebsd-security Fri Sep 8 08:43:34 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id IAA12667 for security-outgoing; Fri, 8 Sep 1995 08:43:34 -0700
Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id IAA12661 for ; Fri, 8 Sep 1995 08:43:32 -0700
Received: from localhost (localhost [127.0.0.1]) by precipice.shockwave.com (8.6.12/8.6.12) with SMTP id IAA02968; Fri, 8 Sep 1995 08:38:10 -0700
Message-Id: <199509081538.IAA02968@precipice.shockwave.com>
To: piero@strider.ibenet.it
cc: stesin@elvisti.kiev.ua (Andrew V. Stesin), wollman@lcs.mit.edu, security@freebsd.org
Subject: Re: Do we *really* need logger(1)?
In-reply-to: Your message of "Fri, 08 Sep 1995 12:26:37 +0200." <199509081026.MAA22658@strider.ibenet.it>
Date: Fri, 08 Sep 1995 08:38:10 -0700
From: Paul Traina
Sender: security-owner@freebsd.org
Precedence: bulk

Comments?

no, no, No, NO.....NO!!!!!!!!!

Don't duplicate effort with half-assed schemes that make local assumptions.
Don't confuse authentication with authorization. There are already
kerberos patches available for syslogd to do the right thing.
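
Peter Wemm's message earlier in this thread builds the whole syslog line through one bounded string stream by reaching into BSD stdio internals. The following is an added example, not code from the thread or from FreeBSD, that gets the same bound with standard vsnprintf() only; build_message(), struct sbuf, TAIL_ROOM and the choice to reject an over-long format are assumptions of this example, and the timestamp field is left out so the result is deterministic.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define TBUF_SIZE 2048  /* size of tbuf in the posted syslog.c */
#define TAIL_ROOM 2     /* assumption: kept free for the console "\r\n" */
struct sbuf {           /* bounded write cursor over a caller's buffer */
    char *base;
    size_t cap;         /* text bytes allowed (excludes NUL and reserve) */
    size_t len;         /* bytes stored; base[len] is always '\0' */
    int truncated;      /* set once an append did not fit */
};

static int sbuf_init(struct sbuf *sb, char *buf, size_t size, size_t reserve)
{
    if (buf == NULL || size < reserve + 2)
        return -1;
    *sb = (struct sbuf){ buf, size - reserve - 1, 0, 0 };
    buf[0] = '\0';
    return 0;
}

static void sbuf_vprintf(struct sbuf *sb, const char *fmt, va_list ap)
{
    size_t room = sb->cap - sb->len;
    int n = vsnprintf(sb->base + sb->len, room + 1, fmt, ap);
    if (n < 0 || (size_t)n > room) {    /* error, or output was cut short */
        sb->truncated = 1;
        n = (n < 0) ? 0 : (int)room;
    }
    sb->len += (size_t)n;
    sb->base[sb->len] = '\0';
}

static void sbuf_printf(struct sbuf *sb, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    sbuf_vprintf(sb, fmt, ap);
    va_end(ap);
}

/* Expand %m into out. Fails rather than truncating: a format cut in the
 * middle of a conversion must not reach printf. Assumes strerror() text
 * contains no '%'. */
static int expand_m(char *out, size_t size, const char *fmt, int err)
{
    struct sbuf sb;
    if (sbuf_init(&sb, out, size, 0) != 0)
        return -1;
    for (; *fmt != '\0' && !sb.truncated; ++fmt) {
        if (fmt[0] != '%' || (fmt[1] != 'm' && fmt[1] != '%'))
            sbuf_printf(&sb, "%c", *fmt);
        else    /* "%m" -> error text; "%%" copied so "%%m" stays literal */
            sbuf_printf(&sb, "%s", *++fmt == 'm' ? strerror(err) : "%%");
    }
    return sb.truncated ? -1 : 0;
}

/* Returns the message length, or -1 if the buffer or format is unusable. */
int build_message(char *tbuf, size_t size, int pri, const char *tag, long pid,
                  int saved_errno, const char *fmt, ...)
{
    char fmt_cpy[1024];
    struct sbuf sb;
    va_list ap;
    if (sbuf_init(&sb, tbuf, size, TAIL_ROOM) != 0 ||
        expand_m(fmt_cpy, sizeof(fmt_cpy), fmt, saved_errno) != 0)
        return -1;
    sbuf_printf(&sb, "<%d>%s", pri, tag != NULL ? tag : "");
    if (pid >= 0)
        sbuf_printf(&sb, "[%ld]", pid);
    sbuf_printf(&sb, "%s", tag != NULL ? ": " : "");
    va_start(ap, fmt);
    sbuf_vprintf(&sb, fmt_cpy, ap);
    va_end(ap);
    return (int)sb.len;
}
```

An oversized argument is cut at TBUF_SIZE - TAIL_ROOM - 1 bytes, so the caller can always append "\r\n" and still have a terminated string.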