Date:      Wed, 19 Nov 2008 02:47:31 -0800
From:      Jeremy Chadwick <koitsu@FreeBSD.org>
To:        Garrett Cooper <yanefbsd@gmail.com>
Cc:        Ed Schouten <ed@80386.nl>, FreeBSD Hackers <freebsd-hackers@freebsd.org>, David Wolfskill <david@catwhisker.org>
Subject:   Re: [Testers wanted] /dev/console cleanups
Message-ID:  <20081119104731.GA83366@icarus.home.lan>
In-Reply-To: <7d6fde3d0811190202p4f6d8941h3932b70b8fe1a93a@mail.gmail.com>
References:  <e71790db0810271936r1ce4619an1d64c6aae62c3ec1@mail.gmail.com> <20081028081154.GQ6808@hoeg.nl> <20081118213410.GA81783@hoeg.nl> <20081118214919.GM83287@bunrab.catwhisker.org> <7d6fde3d0811190202p4f6d8941h3932b70b8fe1a93a@mail.gmail.com>

On Wed, Nov 19, 2008 at 02:02:42AM -0800, Garrett Cooper wrote:
> On Tue, Nov 18, 2008 at 1:49 PM, David Wolfskill <david@catwhisker.org> wrote:
> > On Tue, Nov 18, 2008 at 10:34:10PM +0100, Ed Schouten wrote:
> >> ...
> >> One solution would be to let xconsole just display /var/log/messages.
> >
> > Errr... it may be rather a pathological case, but you might want to
> > check the content of /etc/syslog.conf on the local machine before
> > getting too carried away with that approach.
> >
> > For example, on my "firewall" box at home (where I really do not want to
> > log anything to local disk files, though I do have a serial console on it):
> >
> > janus(6.4-P)[1] grep -v '^#' /etc/syslog.conf
> > *.*                                             @bunrab.catwhisker.org
> > janus(6.4-P)[2]
> >
> > And then consider the fate of bunrab -- with stuff getting logged to
> > /var/log/messages from various machines....
> >
> >> ...
> >> I'll discuss this with others to decide if we should take such an
> >> approach.
> >
> > I'm not trying to be obstructionist, here.  If the above case is really
> > "too pathological to consider" -- or if it's a case of me bringing that
> > fate upon myself, I suppose -- that's actually something I can live
> > with.  It would be nice to be forewarned about it, though.  :-}
> >
> > Peace,
> > david
> 
> Uh, I second that. /var/log/messages shouldn't necessarily be
> accessible by non-root users. Also, OSX 10.5 protects against non-root
> access to dmesg. Not saying we should go that far, but it's already
> being implemented, so I don't see any harm in hiding the contents of
> `messages', as required by the sysadmin.

Footnote (not really applicable to the thread, but I want to point it
out to users/admins reading): inhibiting users viewing the kernel
message buffer (dmesg) can be accomplished by setting the
security.bsd.unprivileged_read_msgbuf sysctl to 0.

However, note that this can piss users off.  We have numerous users
on our system who rely on this information to see if anything "weird" is
going on with the box.  I set that sysctl one day (see below for why),
and I got flames in my mailbox within 48 hours.  Just something to keep
in mind if you have technically-savvy users.

There's a known "issue" with the kernel message buffer though: it's not
NULL'd out upon reboot.  Meaning, in some cases (depends on the BIOS or
system), the kernel message buffer from single-user mode is retained
even after a reboot!  A user can then do "dmesg" and see all the nifty
stuff you've done during single-user, which could include unencrypted
passwords if mergemaster was tinkering with passwd/master.passwd, etc.
I've brought this up before, and people said "Yeah, we know, moving on".
Rink Springer created a patch where the kernel message buffer will start
with NULL to keep this from happening, but it needs to be made into a
loader.conf tunable.

Also, /var/log/messages is explicitly set to 0644 in newsyslog.conf.  If
people want to debate that, be my guest.  I'm not sure what "security
hole" we'd be plugging if it was set to 0600, especially given that many
userland programs use the LOG_NOTICE facility in syslog.  If people want
to debate those default perms, be my guest.  I would rather people
debate the default syslog.conf layout altogether; I'm surprised we
haven't moved to syslog-ng (as part of the base system) by now.  :-)

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
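Added example (not part of the original message or of FreeBSD itself): a small POSIX sh audit helper that reads newsyslog.conf-style text and reports every log whose rotation mode leaves it world-readable, which is how the 0644 default for /var/log/messages discussed above shows up; the newsyslog.conf sample it parses is constructed here.

```shell
#!/bin/sh
# Constructed sample in /etc/newsyslog.conf format:
#   logfilename [owner:group] mode count size when flags [/pid_file] [sig_num]
# The owner:group column is optional, so the mode is field 2 or field 3.
SAMPLE_NEWSYSLOG='# logfilename          [owner:group]    mode count size when  flags
/var/log/all.log                        600  7     *    @T00  J
/var/log/auth.log                       600  7     100  @0101T JC
/var/log/messages                       644  5     100  @0101T JC
/var/log/security                       600  10    100  *     JC
/var/log/maillog       root:wheel       640  7     *    @T00  JC
'

# world_readable_logs: read newsyslog.conf text on stdin and print
# "path mode" for each entry whose mode grants read access to "other",
# i.e. the low octal digit has the 4 bit set (644, 664, 755, ...).
world_readable_logs() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | awk '
    {
        # Field 2 is owner:group only when it contains a colon;
        # otherwise field 2 is already the mode.
        mode = ($2 ~ /:/) ? $3 : $2
        other = substr(mode, length(mode), 1)
        if (int(other / 4) % 2 == 1) print $1, mode
    }'
}

# Run against the constructed sample; on a real box use:
#   world_readable_logs < /etc/newsyslog.conf
printf '%s' "$SAMPLE_NEWSYSLOG" | world_readable_logs
```

Only /var/log/messages is flagged for the sample, matching the 0644 entry the message refers to; tightening that entry to 600 makes the helper report nothing.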