Date:      Sun, 10 Oct 2004 12:08:42 +0100
From:      David Malone <dwmalone@maths.tcd.ie>
To:        Gleb Smirnoff <glebius@freebsd.org>
Cc:        cvs-src@freebsd.org
Subject:   Re: cvs commit: src/lib/libc/gen syslog.c
Message-ID:  <20041010110842.GA16446@walton.maths.tcd.ie>
In-Reply-To: <20041010101612.GB11523@cell.sick.ru>
References:  <200410082115.i98LFLMU034965@repoman.freebsd.org> <20041009153916.GA2003@webcom.it> <20041009212952.GA8922@cell.sick.ru> <200410082115.i98LFLMU034965@repoman.freebsd.org> <20041009153916.GA2003@webcom.it> <20041009190714.GB1093@green.homeunix.org> <20041010072205.GA1617@webcom.it> <20041010101612.GB11523@cell.sick.ru>

On Sun, Oct 10, 2004 at 02:16:12PM +0400, Gleb Smirnoff wrote:

[Sorry - I sent Gleb feedback on this earlier this week but I've been
busy and so didn't have a chance to follow up on it properly.]

> 1. Not forever.

If syslogd has hung (as opposed to being busy), it will wait forever.
Try "killall -STOP syslogd" and then logging a bundle of messages.
With the old situation other services continue to run, with the new
situation every program that calls syslog(3) ends up stuck.

> 3. If /var/run/log is overflowed that means that your machine is already
> slowed down by syslogd process and its IO. Your application is already
> not doing its best.

> Better have consistent logs later to investigate that DoS. An attacker
> may trigger that DoS intentionally to hide some messages, which will
> be logged if syslogd is not overflowed.

This can happen in situations other than DoSs. Previously there
have been situations where syslogd hangs if a serial console becomes
confused or because of a coding error. This change makes it impossible
to su and fix the problem. IMHO, this is worse than losing syslog
messages.

(I guess if someone can log enough messages to the syslog socket
to cause ENOBUFS, they can also log enough messages to fill up /var
and have syslogd stop logging because the disk is full.)

	David.
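
The trade-off discussed in this message, as an added example that is not part of the original e-mail and is not FreeBSD libc code: a sender that retries a bounded number of times when the log socket is full and then drops the message, so a stopped reader cannot stall the caller indefinitely. The names `bounded_log_send` and `flood_stalled_reader` are hypothetical, and a never-read `socketpair` stands in for `/var/run/log` with a stopped syslogd.

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum { SEND_OK = 0, SEND_DROPPED = 1, SEND_FAILED = -1 };

/* Hypothetical helper: hand one datagram to the log socket, retrying at most
 * max_tries times when the queue is full, then drop instead of blocking. */
static int bounded_log_send(int fd, const char *msg, int max_tries, int wait_ms)
{
    for (int i = 0; i < max_tries; i++) {
        if (send(fd, msg, strlen(msg), MSG_DONTWAIT) >= 0)
            return SEND_OK;
        /* A full queue is ENOBUFS on some systems and EAGAIN on others. */
        if (errno != ENOBUFS && errno != EAGAIN && errno != EWOULDBLOCK)
            return SEND_FAILED;
        struct pollfd p = { .fd = fd, .events = POLLOUT };
        poll(&p, 1, wait_ms);            /* bounded pause before the retry */
    }
    return SEND_DROPPED;
}

/* Constructed stand-in for a stopped syslogd: a datagram socketpair whose
 * receiving end is never read. Returns the number of messages accepted
 * before the first drop, or -1 on a setup or send error. */
static int flood_stalled_reader(int limit, int max_tries, int wait_ms)
{
    int sv[2], sent = 0;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0)
        return -1;
    while (sent < limit) {
        int r = bounded_log_send(sv[0], "<13>demo: constructed message",
                                 max_tries, wait_ms);
        if (r == SEND_FAILED) { sent = -1; break; }
        if (r == SEND_DROPPED) break;
        sent++;
    }
    close(sv[0]);
    close(sv[1]);
    return sent;
}

int main(void)
{
    int n = flood_stalled_reader(100000, 3, 1);
    printf("accepted %d messages, then dropped instead of blocking\n", n);
    return n > 0 ? 0 : 1;
}
```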



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041010110842.GA16446>