From owner-cvs-usrsbin Wed Apr 22 07:06:04 1998
Return-Path:
Received: (from daemon@localhost)
        by hub.freebsd.org (8.8.8/8.8.8) id HAA17338
        for cvs-usrsbin-outgoing; Wed, 22 Apr 1998 07:06:04 -0700 (PDT)
        (envelope-from owner-cvs-usrsbin)
Received: from spinner.netplex.com.au (spinner.netplex.com.au [202.12.86.3])
        by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA17248;
        Wed, 22 Apr 1998 14:05:39 GMT
        (envelope-from peter@netplex.com.au)
Received: from spinner.netplex.com.au (localhost [127.0.0.1])
        by spinner.netplex.com.au (8.8.8/8.8.8/Spinner) with ESMTP id WAA07928;
        Wed, 22 Apr 1998 22:02:44 +0800 (WST)
        (envelope-from peter@spinner.netplex.com.au)
Message-Id: <199804221402.WAA07928@spinner.netplex.com.au>
X-Mailer: exmh version 2.0.2 2/24/98
To: Poul-Henning Kamp
cc: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-usrsbin@FreeBSD.ORG, soren@dt.dk
Subject: Re: cvs commit: src/usr.sbin/syslogd syslogd.c
In-reply-to: Your message of "Wed, 22 Apr 1998 13:34:52 +0200." <3176.893244892@critter.freebsd.dk>
Date: Wed, 22 Apr 1998 22:02:43 +0800
From: Peter Wemm
Sender: owner-cvs-usrsbin@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Poul-Henning Kamp wrote:
>
> Hmmmm,
>
> Now, I'm not too sure what people use SecureMode for, but it doesn't
> make sense to expect one host to accept remote logging from other
> hosts that don't, at least in my book...
>
> I would tend to say `document that you can't do remote logging with "-s"'
> and leave it at that, but I may be overlooking something here...

Secure mode is 'do not accept log entries from remote servers', which is
what the existing code does (did). It's not supposed to disable the local
server from *sending* queries.

Many security-conscious sites have a central log collector that accepts
syslog entries from all its associated machines, and doesn't offer login
or other services that might be compromisable to gain access. All the
other machines have their local syslogd's forwarding the more important
log entries to the central machine. They need to be able to send
(obviously), but generally shouldn't accept syslog entries from "out
there".

What you've done is disable the ability to send logs to a central server
without exposing the machine to abuse. This is a step backwards IMHO.

> Comments ?

If people are concerned about having the socket "sitting there" (which is
a good thing IMHO, since syslogd can't be sure of *getting* a fd if
somebody is attacking the machine by trying to use up all files), then
perhaps an alternative might be to open and close the socket() before and
after the sendto() while in SecureMode.

Incidentally, I don't disagree with the cleanup in the diff, just the
removal of the socket open. The existing code was a bit messy and did
work that was not needed (initialise sin, do the getservbyname() etc).

I suggest the following fix (relative to -current):
(mind xterm cut/paste spammage)

diff -u -r1.29 syslogd.c --- syslogd.c 1998/04/22 06:28:18 1.29 +++ syslogd.c 1998/04/22 13:59:52 
@@ -366,8 +366,8 @@ created_lsock = 1; inetm = 0; + finet = socket(AF_INET, SOCK_DGRAM, 0); /* needed for forwarding */ if (!SecureMode) { - finet = socket(AF_INET, SOCK_DGRAM, 0); if (finet >= 0) { struct servent *sp;

> Poul-Henning

Cheers,
-Peter
--
Peter Wemm Netplex Consulting
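
Review bot: With the socket() call hoisted above `if (!SecureMode) {`, the only result check visible in this hunk, `if (finet >= 0) {`, still sits inside the non-secure branch, so in secure mode a failed socket() leaves finet negative with nothing in these lines reporting it. Since the new comment says the descriptor is needed for forwarding, I'd add a check right after the hoisted call that logs the failure and lets the forwarding path skip sendto() when finet < 0. It is also worth confirming, outside this hunk, that the secure-mode path never adds finet to the descriptors the daemon reads from, because the point of secure mode as described in the thread is that remote entries are not accepted even though the socket exists.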
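
The alternative raised in the message, opening and closing the socket around each sendto() while in secure mode, sketched as an added example; it is not FreeBSD syslogd code and not part of the original message. forward_once() and demo_roundtrip() are hypothetical names, and the loopback receiver and log line are constructed for the check.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Hypothetical helper: open a UDP socket, send one datagram, close it again.
 * Returns bytes sent, or -1 if socket() or sendto() failed (for example when
 * the descriptor table is full, the trade-off raised in the message). */
static long forward_once(const struct sockaddr_in *dst, const char *msg, size_t len)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    ssize_t n = sendto(fd, msg, len, 0, (const struct sockaddr *)dst, sizeof(*dst));
    close(fd);                      /* nothing stays open between messages */
    return (long)n;
}

/* Constructed loopback check: returns 1 if the datagram arrived intact and
 * forward_once() left no descriptor behind. */
static int demo_roundtrip(void)
{
    const char line[] = "<34>constructed sample: su root failed";
    char buf[128];
    struct sockaddr_in addr = { 0 };
    socklen_t alen = sizeof(addr);
    struct timeval tv = { 2, 0 };   /* do not block forever if delivery fails */
    int ok = 0, rx = socket(AF_INET, SOCK_DGRAM, 0);  /* stands in for the collector */

    if (rx < 0) return 0;
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);    /* port 0: kernel picks one */
    setsockopt(rx, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
    if (bind(rx, (struct sockaddr *)&addr, sizeof(addr)) == 0 &&
        getsockname(rx, (struct sockaddr *)&addr, &alen) == 0) {
        int before = dup(rx); close(before);          /* lowest free descriptor */
        long sent = forward_once(&addr, line, sizeof(line) - 1);
        int after = dup(rx); close(after);            /* same number if nothing leaked */
        ssize_t got = recv(rx, buf, sizeof(buf), 0);
        ok = sent == (long)(sizeof(line) - 1) && got == (ssize_t)sent &&
             memcmp(buf, line, (size_t)got) == 0 && before == after;
    }
    close(rx);
    return ok;
}

int main(void) { return demo_roundtrip() ? 0 : 1; }
```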