From owner-freebsd-hackers@FreeBSD.ORG Wed Nov 19 10:47:33 2008
Date: Wed, 19 Nov 2008 02:47:31 -0800
From: Jeremy Chadwick
To: Garrett Cooper
Cc: Ed Schouten, FreeBSD Hackers, David Wolfskill
Subject: Re: [Testers wanted] /dev/console cleanups
Message-ID: <20081119104731.GA83366@icarus.home.lan>
In-Reply-To: <7d6fde3d0811190202p4f6d8941h3932b70b8fe1a93a@mail.gmail.com>
References: <20081028081154.GQ6808@hoeg.nl> <20081118213410.GA81783@hoeg.nl> <20081118214919.GM83287@bunrab.catwhisker.org> <7d6fde3d0811190202p4f6d8941h3932b70b8fe1a93a@mail.gmail.com>
List-Id: Technical Discussions relating to FreeBSD
On Wed, Nov 19, 2008 at 02:02:42AM -0800, Garrett Cooper wrote:
> On Tue, Nov 18, 2008 at 1:49 PM, David Wolfskill wrote:
> > On Tue, Nov 18, 2008 at 10:34:10PM +0100, Ed Schouten wrote:
> >> ...
> >> One solution would be to let xconsole just display /var/log/messages.
> >
> > Errr... it may be rather a pathological case, but you might want to
> > check the content of /etc/syslog.conf on the local machine before
> > getting too carried away with that approach.
> >
> > For example, on my "firewall" box at home (where I really do not want to
> > log anything to local disk files, though I do have a serial console on it):
> >
> > janus(6.4-P)[1] grep -v '^#' /etc/syslog.conf
> > *.* @bunrab.catwhisker.org
> > janus(6.4-P)[2]
> >
> > And then consider the fate of bunrab -- with stuff getting logged to
> > /var/log/messages from various machines....
> >
> >> ...
> >> I'll discuss this with others to decide if we should take such an
> >> approach.
> >
> > I'm not trying to be obstructionist, here. If the above case is really
> > "too pathological to consider" -- or if it's a case of me bringing that
> > fate upon myself, I suppose -- that's actually something I can live
> > with. It would be nice to be forewarned about it, though. :-}
> >
> > Peace,
> > david
>
> Uh, I second that. /var/log/messages shouldn't necessarily be
> accessible by non-root users. Also, OS X 10.5 protects against non-root
> access to dmesg. Not saying we should go that far, but it's already
> being implemented, so I don't see any harm in hiding the contents of
> `messages', as required by the sysadmin.

Footnote (not really applicable to the thread, but I want to point it out
to users/admins reading): inhibiting users viewing the kernel message
buffer (dmesg) can be accomplished by setting the
security.bsd.unprivileged_read_msgbuf sysctl to 0.

However, note that this can piss users off. We have numerous users on our
system who rely on this information to see if anything "weird" is going
on with the box. I set that sysctl one day (see below for why), and I got
flames in my mailbox within 48 hours. Just something to keep in mind if
you have technically-savvy users.

There's a known "issue" with the kernel message buffer though: it's not
NULL'd out upon reboot. Meaning, in some cases (depends on the BIOS or
system), the kernel message buffer from single-user mode is retained even
after a reboot! A user can then do "dmesg" and see all the nifty stuff
you've done during single-user, which could include unencrypted passwords
if mergemaster was tinkering with passwd/master.passwd, etc.

I've brought this up before, and people said "Yeah, we know, moving on".
Rink Springer created a patch where the kernel message buffer will start
with NULL to keep this from happening, but it needs to be made into a
loader.conf tunable.

Also, /var/log/messages is explicitly set to 0644 in newsyslog.conf. If
people want to debate that, be my guest. I'm not sure what "security
hole" we'd be plugging if it was set to 0600, especially given that many
userland programs use the LOG_NOTICE facility in syslog. If people want
to debate those default perms, be my guest.

I would rather people debate the default syslog.conf layout altogether;
I'm surprised we haven't moved to syslog-ng (as part of the base system)
by now. :-)

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
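An added example (not code from the thread or from FreeBSD) that audits the two knobs Jeremy's footnote and his last paragraph touch on: whether newsyslog.conf leaves a log world-readable (the 0644 default for /var/log/messages), and whether security.bsd.unprivileged_read_msgbuf still lets every user read the kernel message buffer. It assumes the newsyslog.conf(5) column order (logfilename, optional owner:group, mode, count, size, when, flags) and uses a constructed sample file rather than a real host's; the live sysctl check only runs where that sysctl exists.

```sh
#!/bin/sh
# Added example: audit world-readable logs in newsyslog.conf and the
# unprivileged_read_msgbuf sysctl. Not code from the thread or from FreeBSD.
# Assumed newsyslog.conf(5) field layout:
#   logfilename [owner:group] mode count size when [flags [/pid_file [sig_num]]]

# Print the mode field for one log path, reading newsyslog.conf text on stdin.
# The owner:group column is optional; it is the only column that contains ':'.
newsyslog_mode() {
    awk -v path="$1" '
        /^[ \t]*#/ || NF == 0 { next }     # skip comments and blank lines
        $1 == path {
            if ($2 ~ /:/) print $3; else print $2
            exit
        }'
}

# Succeed (exit 0) when an octal mode grants "other" read access.
world_readable() {
    case "$1" in
        *[4567]) return 0 ;;   # read bit set in the final (other) digit
        *)       return 1 ;;
    esac
}

# Succeed when unprivileged users may read the kernel message buffer (dmesg).
# Argument: the value of security.bsd.unprivileged_read_msgbuf (default 1).
msgbuf_unprivileged() {
    [ "$1" != "0" ]
}

# List every log that newsyslog.conf leaves world-readable, one path per line.
# Input: newsyslog.conf text on stdin.
world_readable_logs() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        { mode = ($2 ~ /:/) ? $3 : $2
          if (mode ~ /[4567]$/) print $1 }'
}

# Constructed sample in the default newsyslog.conf style (not a real host's file).
SAMPLE_CONF='# logfilename          [owner:group]    mode count size when  flags
/var/log/auth.log                       600  7     100  @0101T JC
/var/log/messages                       644  5     100  @0101T JC
/var/log/maillog                        640  7     *    @T00   JC
/var/log/xferlog       root:wheel       644  7     100  @0101T JC'

# Expected: /var/log/messages and /var/log/xferlog are the world-readable ones.
printf '%s\n' "$SAMPLE_CONF" | world_readable_logs

# On a FreeBSD box, also check the live sysctl; silently skipped elsewhere.
if v=$(sysctl -n security.bsd.unprivileged_read_msgbuf 2>/dev/null) && [ -n "$v" ]; then
    if msgbuf_unprivileged "$v"; then
        echo "dmesg is readable by all users; security.bsd.unprivileged_read_msgbuf=0 in /etc/sysctl.conf restricts it to root"
    fi
fi
```

To audit a real host, feed the actual file instead of the sample: `world_readable_logs < /etc/newsyslog.conf`. Note that the mode in newsyslog.conf only governs files newsyslog creates on rotation; a log created by syslogd or by hand keeps whatever mode it was created with, so check the live file with `ls -l` too.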