From owner-freebsd-security Tue Jan 5 16:41:11 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA12706 for freebsd-security-outgoing; Tue, 5 Jan 1999 16:41:11 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA12699 for ; Tue, 5 Jan 1999 16:41:09 -0800 (PST) (envelope-from gdonl@tsc.tdk.com)
Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191]) by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id QAA10961; Tue, 5 Jan 1999 16:39:56 -0800 (PST) (envelope-from gdonl@tsc.tdk.com)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id QAA27890; Tue, 5 Jan 1999 16:39:55 -0800 (PST)
Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id QAA13314; Tue, 5 Jan 1999 16:39:54 -0800 (PST)
From: Don Lewis
Message-Id: <199901060039.QAA13314@salsa.gv.tsc.tdk.com>
Date: Tue, 5 Jan 1999 16:39:53 -0800
In-Reply-To: Vadim Kolontsov "kernel/syslogd hack" (Jan 6, 12:21am)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Vadim Kolontsov, freebsd-security@FreeBSD.ORG
Subject: Re: kernel/syslogd hack
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Jan 6, 12:21am, Vadim Kolontsov wrote:
} Subject: kernel/syslogd hack
} Hello,
}
} The UNIX syslog mechanism (both concept & implementation) is very
} insecure. I'll not try to describe here all of syslog's problems (it's
} worth making a separate web page for it), but I'll propose a hack
} for solving at least one.
}
} I call it the "fake local logs" problem. Syslog messages are too easy
} to forge; for example, they can be sendmail error messages or some
} other important information (imagine that you're really analyzing
} your syslogd output with logsurfer :). Any user can do it.
}
} syslogd uses a UNIX domain socket (/var/run/log, for example) and
} trusts all information from it (usually sent by syslog(3)). I
} think it would be nice if syslogd had the ability to determine the
} euid/uid/egid/gid/pid of the process which sends log information
} (directly to the socket or via syslog(3)).

It's possible to do this in current by using SCM_CREDS with sendmsg().

} Advantages: it doesn't require recompiling client applications or
} shared libraries, it's completely transparent for clients, can be

If you wanted to use SCM_CREDS, you'd need to tweak syslog() and rebuild
the shared library. I don't think this is too much of a disadvantage.

} used in other applications (I'm also thinking about some getpeeruid()
} call for stream-based UNIX domain sockets -- I think it will just
} walk through kernel structures (proc, p_fd, f_data, so_proto,
} pr_domain..))

What if there are multiple processes at the other end? If a process
calls connect() and then fork(), the socket created by accept() in the
server will have multiple peer processes.

} Of course this patch doesn't solve the problem with syslog/514 UDP. I
} know it

Someone has written a secure syslog protocol that uses encryption, etc.

--- Truck

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
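The following is an added example, not code from this thread, from FreeBSD's syslogd or from any poster: it shows the mechanism Don points to, a sender attaching SCM_CREDS to a sendmsg() over a datagram UNIX socket so that a syslogd-style receiver learns the kernel-verified pid/uid/gid of the process that sent each message. The FreeBSD branch uses SCM_CREDS and struct cmsgcred as described; the Linux branch (SCM_CREDENTIALS plus SO_PASSCRED, with a locally declared struct of the same layout as struct ucred) is added so the example also builds there. Names such as send_with_creds, recv_with_creds, peer_creds and demo_fork_attribution are this example's own, and the log lines are constructed. The demo reproduces Don's fork() case: a parent and its child write to the same socket, and because the credentials ride on each message rather than on the connection, the receiver attributes each line to the process that actually sent it.

```c
/* Added example, not code from the thread or from FreeBSD's syslogd.
 * FreeBSD: sender attaches an SCM_CREDS cmsg; the kernel fills in struct cmsgcred
 *          and overwrites anything the sender put there.
 * Linux (added for portability): sender attaches SCM_CREDENTIALS with its own
 *          pid/uid/gid, which the kernel verifies; receiver must set SO_PASSCRED. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#if defined(__FreeBSD__)
typedef struct cmsgcred cred_msg_t;
#define CRED_TYPE SCM_CREDS
#else
/* Same layout as Linux struct ucred; declared here so it builds without __USE_GNU. */
typedef struct { pid_t pid; uid_t uid; gid_t gid; } cred_msg_t;
#ifndef SCM_CREDENTIALS
#define SCM_CREDENTIALS 0x02   /* Linux value, only used if the header hid it */
#endif
#define CRED_TYPE SCM_CREDENTIALS
#endif

struct peer_creds { pid_t pid; uid_t uid; gid_t gid; };

/* Receiver setup: Linux discards credential cmsgs unless SO_PASSCRED is on. */
static int enable_creds(int fd)
{
#if defined(__FreeBSD__)
    (void)fd; return 0;        /* nothing to do: the sender attaches SCM_CREDS itself */
#else
    int on = 1;
    return setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &on, sizeof on);
#endif
}

/* Send one log line with the calling process's credentials attached. */
static ssize_t send_with_creds(int fd, const char *line)
{
    struct iovec iov = { (void *)line, strlen(line) };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(cred_msg_t))]; } u;
    struct msghdr mh;
    memset(&u, 0, sizeof u);
    memset(&mh, 0, sizeof mh);
    mh.msg_iov = &iov;           mh.msg_iovlen = 1;
    mh.msg_control = u.buf;      mh.msg_controllen = sizeof u.buf;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&mh);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = CRED_TYPE;
    cm->cmsg_len = CMSG_LEN(sizeof(cred_msg_t));
#if !defined(__FreeBSD__)
    /* Linux: sender fills the struct; the kernel rejects values that are not
     * the sender's own (EPERM) unless the sender is suitably privileged. */
    cred_msg_t uc = { getpid(), getuid(), getgid() };
    memcpy(CMSG_DATA(cm), &uc, sizeof uc);
#endif
    return sendmsg(fd, &mh, 0);
}

/* Receive one line; *pc gets the sender's credentials, or pid -1 if none arrived
 * (a receiver should treat such a message as unauthenticated). */
static ssize_t recv_with_creds(int fd, char *out, size_t outlen, struct peer_creds *pc)
{
    struct iovec iov = { out, outlen - 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(cred_msg_t))]; } u;
    struct msghdr mh;
    memset(&mh, 0, sizeof mh);
    mh.msg_iov = &iov;           mh.msg_iovlen = 1;
    mh.msg_control = u.buf;      mh.msg_controllen = sizeof u.buf;
    pc->pid = -1; pc->uid = (uid_t)-1; pc->gid = (gid_t)-1;
    ssize_t n = recvmsg(fd, &mh, 0);
    if (n < 0) return -1;
    out[n] = '\0';
    if (mh.msg_flags & MSG_CTRUNC) return n;     /* control data cut off: stay "unknown" */
    for (struct cmsghdr *cm = CMSG_FIRSTHDR(&mh); cm != NULL; cm = CMSG_NXTHDR(&mh, cm)) {
        if (cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != CRED_TYPE ||
            cm->cmsg_len < CMSG_LEN(sizeof(cred_msg_t)))
            continue;
        cred_msg_t c;
        memcpy(&c, CMSG_DATA(cm), sizeof c);
#if defined(__FreeBSD__)
        pc->pid = c.cmcred_pid; pc->uid = c.cmcred_euid; pc->gid = c.cmcred_groups[0];
#else
        pc->pid = c.pid; pc->uid = c.uid; pc->gid = c.gid;
#endif
    }
    return n;
}

/* Don's fork() case: two processes share one socket, yet each message is
 * attributed to its real sender. Returns 0 when both lines were attributed. */
int demo_fork_attribution(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) return 1;   /* /var/run/log is SOCK_DGRAM too */
    if (enable_creds(sv[1]) < 0) return 2;
    pid_t child = fork();
    if (child < 0) return 3;
    if (child == 0) { send_with_creds(sv[0], "sendmail[1]: (constructed) line from the child"); _exit(0); }
    if (send_with_creds(sv[0], "parent: (constructed) line from the parent") < 0) return 4;
    waitpid(child, NULL, 0);
    int seen_parent = 0, seen_child = 0;
    for (int i = 0; i < 2; i++) {
        char line[256]; struct peer_creds pc;
        if (recv_with_creds(sv[1], line, sizeof line, &pc) < 0) return 5;
        printf("[pid %ld uid %ld gid %ld] %s\n", (long)pc.pid, (long)pc.uid, (long)pc.gid, line);
        if (pc.uid != getuid()) return 6;          /* both senders run as this user */
        if (pc.pid == getpid()) seen_parent = 1;
        else if (pc.pid == child) seen_child = 1;
    }
    close(sv[0]); close(sv[1]);
    return (seen_parent && seen_child) ? 0 : 7;
}

int main(void) { return demo_fork_attribution(); }
```

Two things worth noting. First, the receiver cannot be lied to: on FreeBSD the kernel overwrites whatever cmsgcred contents the sender supplied, and on Linux an unprivileged sender that fills in another process's pid or uid gets EPERM from sendmsg(). Second, because the credentials are attached per message rather than per connection, the fork() objection Don raises against a connection-level getpeeruid() does not arise here; the cost is exactly the one he names, that syslog(3) in libc has to be changed to attach the control message.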