From owner-freebsd-security  Wed Sep  6 18:58:55 1995
Return-Path: security-owner
Received: (from majordom@localhost)
          by freefall.freebsd.org (8.6.11/8.6.6) id SAA03312
          for security-outgoing; Wed, 6 Sep 1995 18:58:55 -0700
Received: from thumper.osix.com.au (osixsyd.tmx.com.au [203.9.152.143])
          by freefall.freebsd.org (8.6.11/8.6.6) with ESMTP id SAA03293
          for <freebsd-security@freebsd.org>; Wed, 6 Sep 1995 18:58:24 -0700
Received: from bruce.osix.com.au (bruce.osix.com.au [203.18.59.4]) by thumper.osix.com.au (8.6.11/8.6.9) with SMTP id LAA09858; Thu, 7 Sep 1995 11:37:33 GMT
Message-Id: <199509071137.LAA09858@thumper.osix.com.au>
Comments: Authenticated sender is <peter@blain.osix.com.au>
From: "Peter May" <peter@osix.osix.oz.au>
Organization:  OSIX Pty Ltd
To: Brian Tao <taob@gate.sinica.edu.tw>, freebsd-security@freebsd.org
Date:          Thu, 7 Sep 1995 11:51:30 +0000
MIME-Version:  1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject:       Re: Do we *really* need logger(1)? 
Reply-to: peter@osix.com.au
Priority: normal
X-mailer: Pegasus Mail for Windows (v2.01)
Sender: security-owner@freebsd.org
Precedence: bulk

> On Wed, 6 Sep 1995, Paul Traina wrote:
> > 
> > If your disk fills up, you want syslog to be able to operate until it goes to
> > 110%.  Unless you run as root or modify the kernel, you lose.
> 
>     No, you want messages created by root-owned processes to fill your disk
> to 110% (not that it's a good thing in any case, especially if /var is the
> same filesystem as /).  What we need is credential checking in the syslog()
> call and syslogd daemon.  I imagine any ISP that offers shell access and uses
> the default syslog.conf is susceptible to a prankster sending *.emerg level
> notices and getting syslogd to write "SYSTEM REBOOT, LOG OFF NOW!" to the
> ttys of every online user.

Hmmmm ... the best way of doing this is probably a rotary log file 
rather than a flat log file. For example, the error log on an AIX 
system uses at most 1Mb of storage (the error log entries are small). 
Once the log file wraps, older entries are overwritten. A better 
approach might be to use multiple rotaries depending upon the log 
level (i.e., emerg.log, daemon.log etc.)

Alternatively, syslog could execute another process to 'clean up' the 
log file (aka /etc/daily), i.e., compress it and move it to another 
name/place, once it reaches a certain threshold.

However, all of these changes are significant, and it means making 
syslog somewhat non-standard. I guess that could be important as 
well.

> --
> Brian ("Though this be madness, yet there is method in't") Tao
> taob@gate.sinica.edu.tw <-- work ........ play --> taob@io.org
---------------------------------------------------------------->>>>>

Peter May                           OSIX Pty Ltd
Director                            Level 1, 261-263 Pacific Highway
Technical Services                  North Sydney. NSW. Australia. 2060.

Home: +61-2-418-7656                Internet: peter@osix.com.au
Work: +61-2-922-3999                Fax:  +61-2-922-3314

          >>>> PGP Public key available upon request <<<<

---------------------------------------------------------------->>>>>