Date:      Tue, 28 Dec 1999 02:23:40 -0600 (CST)
From:      Kevin Day <toasty@dragondata.com>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   conf/15737: rc.conf should have '-s' for syslogd options
Message-ID:  <199912280823.CAA15129@celery.dragondata.com>


>Number:         15737
>Category:       conf
>Synopsis:       rc.conf should have '-s' for syslogd options
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Dec 28 00:30:00 PST 1999
>Closed-Date:
>Last-Modified:
>Originator:     Kevin Day
>Release:        FreeBSD 3.2-STABLE i386
>Organization:
DragonData Internet Services
>Environment:

Any networked FreeBSD system

>Description:

To quote syslogd's man page:

     The ability to log messages received in UDP packets is equivalent to an
     unauthenticated remote disk-filling service, and should probably be
     disabled by default.


FreeBSD systems ship with syslogd enabled, but not with -s added to the
command line. If the goal is to make systems secure 'out of the box', it
would probably be wise to add -s.

After having a new machine 'remotely disk filled' for me, it occurred to me
that changing the default would be good.

If an option to make syslogd discard foreign packets silently is desired,
I'll whip up a patch.

>How-To-Repeat:


>Fix:
	
change etc/defaults/rc.conf to:

 ### Network daemon (miscellaneous) & NFS options: ###
 syslogd_enable="YES"		# Run syslog daemon (or NO).
-syslogd_flags=""		# Flags to syslogd (if enabled).
+syslogd_flags="-s"		# Flags to syslogd (if enabled).
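
Review bot: the comment on the changed syslogd_flags line still reads "Flags to syslogd (if enabled)." and gives no hint that the new default turns off logging of messages received in UDP packets. A machine that collects logs from other hosts and relies on the shipped default would stop recording them once it picks up this file, with nothing in rc.conf explaining why. Suggest naming the effect in the comment, for example "# Flags to syslogd (if enabled); -s: no remote UDP logging", and filling in the empty Release-Note field so the change in default behaviour is announced.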



>Release-Note:
>Audit-Trail:
>Unformatted:
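
A check for the condition this report describes, added here as an example and not part of the original PR: it resolves the effective syslogd_flags from rc.conf-style files and reports whether -s is set. The getopts option string, the function names and the sample files are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the PR: audit the effective syslogd_flags for -s.

# getopts string for syslogd. Assumption: the letters followed by ':' take an
# argument on your system; check syslogd(8) and adjust.
SYSLOGD_OPTSTRING=':a:df:m:p:suv'

# effective_syslogd_flags FILE...
# Prints syslogd_flags after sourcing the files in order (later files win, as
# rc.conf overrides defaults/rc.conf). Only use on files rc(8) already trusts.
effective_syslogd_flags() (
    syslogd_flags=""
    for f in "$@"; do
        if [ -r "$f" ]; then . "$f"; fi
    done
    printf '%s\n' "$syslogd_flags"
)

# has_secure_flag "FLAGS": status 0 if -s is given, alone or clustered (-vs).
# getopts keeps option arguments such as "-f syslog.conf" from matching.
has_secure_flag() (
    set -f                # no globbing while splitting the flag string
    set -- $1
    OPTIND=1
    while getopts "$SYSLOGD_OPTSTRING" opt; do
        case $opt in s) exit 0 ;; esac
    done
    exit 1
)

# audit_syslogd FILE...: print a verdict, return 1 when -s is missing.
audit_syslogd() {
    flags=$(effective_syslogd_flags "$@")
    if has_secure_flag "$flags"; then
        echo "ok:   syslogd_flags=\"$flags\" includes -s"
    else
        echo "WARN: syslogd_flags=\"$flags\" lacks -s"
        return 1
    fi
}

# Constructed sample files standing in for defaults/rc.conf and rc.conf.
d=$(mktemp -d)
printf 'syslogd_enable="YES"\nsyslogd_flags=""\n' > "$d/defaults"
printf 'syslogd_flags="-m 20 -vs"\n' > "$d/local"
audit_syslogd "$d/defaults" || true
audit_syslogd "$d/defaults" "$d/local"
rm -rf "$d"
```

On a real system the call would be audit_syslogd /etc/defaults/rc.conf /etc/rc.conf, run in place of the constructed sample at the end.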

