From owner-freebsd-security  Fri Jan  8 09:56:25 1999
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id JAA27377
          for freebsd-security-outgoing; Fri, 8 Jan 1999 09:56:25 -0800 (PST)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail1.its.rpi.edu (mail1.its.rpi.edu [128.113.100.7])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA27353;
          Fri, 8 Jan 1999 09:56:11 -0800 (PST)
          (envelope-from drosih@rpi.edu)
Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47])
	by mail1.its.rpi.edu (8.8.8/8.8.6) with ESMTP id MAA05636;
	Fri, 8 Jan 1999 12:56:55 -0500
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Sender: drosih@pop1.rpi.edu
Message-Id: <v04011700b2bbf2c450b3@[128.113.24.47]>
In-Reply-To: <19990108165225.A1603@gvr.org>
References: <19990108141005.F348@follo.net>; from Eivind Eklund on Fri,
 Jan 08, 1999 at 02:10:05PM +0100 <vadim@tversu.ru>
 <199901060039.QAA13314@salsa.gv.tsc.tdk.com>
 <19990106094701.A28727@tversu.ru> <19990107214242.A1721@gvr.org>
 <19990108141005.F348@follo.net>
Date: Fri, 8 Jan 1999 12:55:28 -0500
To: Guido van Rooij <guido@gvr.org>, Eivind Eklund <eivind@FreeBSD.ORG>,
        Vadim Kolontsov <vadim@tversu.ru>, Don Lewis <Don.Lewis@tsc.tdk.com>
From: Garance A Drosihn <drosih@rpi.edu>
Subject: Re: kernel/syslogd hack
Cc: freebsd-security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 4:52 PM +0100 1/8/99, Guido van Rooij wrote:
>On Fri, Jan 08, 1999 at 02:10:05PM +0100, Eivind Eklund wrote:
>> I think we need to fix the interface here; forcing the client to
>> 'give ID' is IMO bad for security (it is somewhat good for privacy,
>
> So make an option to syslogd: accept old style (unauthenticated)
> messages.  If you remove that option, only authenticated mesages
> will come through.  That way, you dont need to change the name of
> syslog(2) and you still get all the desired functionality.

It is probably bad to completely drop unauthenticated messages,
because you might be getting those from some program that you
DO care about, but that you forgot to compile for this option
(as far as I understand the option, at least).

I would think you'd just want a way to log authenticated messages
to a separate file (and probably a different format) than the
unauthenticated ones.  This also allows you to select the behavior
you want on a per-facility or per-level basis.

I might want:

lpr.info		/dev/null,auth=/var/log/lpd-errs

for instance.  Perhaps even allow the config file to set a
default for all unauthenticated records via:

unauth=/dev/null

as the first line, but still specify alternate locations
for unauthenticated records on a per-line basis.  I haven't
thought enough about this to say exactly what I'd like to
see, but I'd like to see something in this general direction
instead of an option to syslog which fixes the behavior for
all facilities and all priorities.

---
Garance Alistair Drosehn           =   gad@eclipse.its.rpi.edu
Senior Systems Programmer          or  drosih@rpi.edu
Rensselaer Polytechnic Institute

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message