From owner-freebsd-security Wed Sep 6 18:58:55 1995 Return-Path: security-owner Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id SAA03312 for security-outgoing; Wed, 6 Sep 1995 18:58:55 -0700 Received: from thumper.osix.com.au (osixsyd.tmx.com.au [203.9.152.143]) by freefall.freebsd.org (8.6.11/8.6.6) with ESMTP id SAA03293 for ; Wed, 6 Sep 1995 18:58:24 -0700 Received: from bruce.osix.com.au (bruce.osix.com.au [203.18.59.4]) by thumper.osix.com.au (8.6.11/8.6.9) with SMTP id LAA09858; Thu, 7 Sep 1995 11:37:33 GMT Message-Id: <199509071137.LAA09858@thumper.osix.com.au> Comments: Authenticated sender is From: "Peter May" Organization: OSIX Pty Ltd To: Brian Tao , freebsd-security@freebsd.org Date: Thu, 7 Sep 1995 11:51:30 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: Do we *really* need logger(1)? Reply-to: peter@osix.com.au Priority: normal X-mailer: Pegasus Mail for Windows (v2.01) Sender: security-owner@freebsd.org Precedence: bulk > On Wed, 6 Sep 1995, Paul Traina wrote: > > > > If your disk fills up, you want syslog to be able to operate until it goes to > > 110%. Unless you run as root or modify the kernel, you lose. > > No, you want messages created by root-owned processes to fill your disk > to 110% (not that it's a good thing in any case, especially if /var is the > same filesystem as /). What we need is credential checking in the syslog() > call and syslogd daemon. I imagine any ISP that offers shell access and uses > the default syslog.conf is susceptible to a prankster sending *.emerg level > notices and getting syslogd to write "SYSTEM REBOOT, LOG OFF NOW!" to the > ttys of every online user. Hmmmm ... the best way of doing this is probably a rotary log file rather than a flat log file. For example, the error log on an AIX system uses at most 1Mb of storage (the error log entries are small). Once the log file wraps, older entries are overwritten. A better approach might be to use multiple rotaries depending upon the log level (i.e., emerg.log, daemon.log etc.) Alternatively, syslog could execute another process to 'clean up' the log file (aka /etc/daily), i.e., compress it and move it to another name/place, once it reaches a certain threshold. However, all of these changes are significant, and it means making syslog somewhat non-standard. I guess that could be important as well. > -- > Brian ("Though this be madness, yet there is method in't") Tao > taob@gate.sinica.edu.tw <-- work ........ play --> taob@io.org ---------------------------------------------------------------->>>>> Peter May OSIX Pty Ltd Director Level 1, 261-263 Pacific Highway Technical Services North Sydney. NSW. Australia. 2060. Home: +61-2-418-7656 Internet: peter@osix.com.au Work: +61-2-922-3999 Fax: +61-2-922-3314 >>>> PGP Public key available upon request <<<< ---------------------------------------------------------------->>>>>