From owner-freebsd-security@FreeBSD.ORG  Sat Jun  5 01:19:41 2004
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 2AE1B16A4CE; Sat,  5 Jun 2004 01:19:41 -0700 (PDT)
Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 7908643D3F; Sat,  5 Jun 2004 01:19:40 -0700 (PDT)
	(envelope-from avalon@caligula.anu.edu.au)
Received: from caligula.anu.edu.au (localhost [127.0.0.1])
	by caligula.anu.edu.au (8.12.9/8.12.9) with ESMTP id i558IpSf003177;
	Sat, 5 Jun 2004 18:18:51 +1000 (EST)
Received: (from avalon@localhost)
	by caligula.anu.edu.au (8.12.9/8.12.8/Submit) id i558ImAC003171;
	Sat, 5 Jun 2004 18:18:48 +1000 (EST)
From: Darren Reed <avalon@caligula.anu.edu.au>
Message-Id: <200406050818.i558ImAC003171@caligula.anu.edu.au>
To: colin.percival@wadham.ox.ac.uk (Colin Percival)
Date: Sat, 5 Jun 2004 18:18:48 +1000 (Australia/ACT)
In-Reply-To: <6.1.0.6.1.20040604235214.03fec120@popserver.sfu.ca> from "Colin
	Percival" at Jun 04, 2004 11:57:51 PM
X-Mailer: ELM [version 2.5 PL1]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
cc: freebsd-security@freebsd.org
Subject: Re: syslogd(8) Dropping Privs
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Jun 2004 08:19:41 -0000

In some mail from Colin Percival, sie said:
> At 20:53 04/06/2004, Crist J. Clark wrote:
> >We haven't had many syslogd(8) vulnerabilities lately, but one
> >less daemon running as root seems like a Good Thing. I do not
> >see any drawbacks from a security point of view. The log files
> >would have to be owned, or otherwise writeable, by this other
> >user, but so what. Obviously, I may be missing something.
> 
>   One consideration is that if syslogd is not running as root,
> it will no longer be able to write to a filesystem which is
> already "full".
>   On systems where non-root users can write to the filesystem
> containing /var/log (and are not limited by quotas) this would
> allow non-root users to disable logging, which would probably
> be a Bad Thing.

One way or another, you can generally exploit a DoS attack against
syslogd with disk space.

Well at least with current sources, anyway.

Lets pretend that /var/log is its own filesystem, isolated from
a full /var/tmp.

The attack is then to just spam syslogd with lots of data such
that it fills /var/log.  Granted this is harder but not impossible.
How do you defend against that?  Add code to rate limit messages
from a given source to a max of x kb/s ?

As an "out there" suggestion, you might increase the % for root
only to be greater than 10% on a /var/log so you can always run
newsyslog successfully.

Darren