From: Darren Reed
To: colin.percival@wadham.ox.ac.uk (Colin Percival)
cc: freebsd-security@freebsd.org
Date: Sat, 5 Jun 2004 18:18:48 +1000 (Australia/ACT)
Subject: Re: syslogd(8) Dropping Privs
Message-Id: <200406050818.i558ImAC003171@caligula.anu.edu.au>
In-Reply-To: <6.1.0.6.1.20040604235214.03fec120@popserver.sfu.ca> from "Colin Percival" at Jun 04, 2004 11:57:51 PM

In some mail from Colin Percival, sie said:
> At 20:53 04/06/2004, Crist J. Clark wrote:
> >We haven't had many syslogd(8) vulnerabilities lately, but one
> >less daemon running as root seems like a Good Thing. I do not
> >see any drawbacks from a security point of view. The log files
> >would have to be owned, or otherwise writeable, by this other
> >user, but so what. Obviously, I may be missing something.
>
> One consideration is that if syslogd is not running as root,
> it will no longer be able to write to a filesystem which is
> already "full".
> On systems where non-root users can write to the filesystem
> containing /var/log (and are not limited by quotas) this would
> allow non-root users to disable logging, which would probably
> be a Bad Thing.

One way or another, you can generally exploit a DoS attack against
syslogd with disk space. Well, at least with current sources, anyway.

Let's pretend that /var/log is its own filesystem, isolated from a full
/var/tmp. The attack is then to just spam syslogd with lots of data such
that it fills /var/log. Granted, this is harder but not impossible.

How do you defend against that? Add code to rate limit messages from a
given source to a max of x kb/s?

As an "out there" suggestion, you might increase the % for root only to
be greater than 10% on a /var/log so you can always run newsyslog
successfully.

Darren
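A per-source token-bucket limiter of the kind Darren floats ("a max of x kb/s" per source), as an added example written for this page rather than code from FreeBSD's syslogd; the source key, the table size, and the byte-rate constants are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed limits: each source may burst BUCKET_BYTES, then is refilled
 * at RATE_BYTES_PER_SEC. A flooding source exhausts its own bucket without
 * starving other sources or filling /var/log. */
#define MAX_SOURCES 16
#define BUCKET_BYTES 4096.0
#define RATE_BYTES_PER_SEC 1024.0

struct bucket {
    char name[32];   /* source key, e.g. sending host (assumed caller-supplied) */
    double tokens;   /* bytes this source may still log */
    double last;     /* time of last refill, seconds */
    int used;
};

static struct bucket buckets[MAX_SOURCES];

static struct bucket *find_bucket(const char *src, double now) {
    for (int i = 0; i < MAX_SOURCES; i++)
        if (buckets[i].used && strcmp(buckets[i].name, src) == 0)
            return &buckets[i];
    for (int i = 0; i < MAX_SOURCES; i++) {
        if (!buckets[i].used) {
            buckets[i].used = 1;
            strncpy(buckets[i].name, src, sizeof buckets[i].name - 1);
            buckets[i].name[sizeof buckets[i].name - 1] = '\0';
            buckets[i].tokens = BUCKET_BYTES;
            buckets[i].last = now;
            return &buckets[i];
        }
    }
    return NULL; /* table full: fail closed rather than log unmetered */
}

/* Returns 1 if a message of msglen bytes from src may be logged at time
 * now, 0 if it should be dropped (a counter of drops would go here). */
int rate_limit_allow(const char *src, size_t msglen, double now) {
    struct bucket *b = find_bucket(src, now);
    if (b == NULL)
        return 0;
    double elapsed = now - b->last;
    if (elapsed > 0) {              /* refill proportional to elapsed time */
        b->tokens += elapsed * RATE_BYTES_PER_SEC;
        if (b->tokens > BUCKET_BYTES)
            b->tokens = BUCKET_BYTES;
        b->last = now;
    }
    if (b->tokens < (double)msglen)
        return 0;
    b->tokens -= (double)msglen;
    return 1;
}

void rate_limit_reset(void) { memset(buckets, 0, sizeof buckets); }
```

The table is fixed-size on purpose: an attacker who spoofs many source names should not be able to make the limiter itself consume unbounded memory.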