Date: Mon, 30 Nov 1998 20:28:08 -0500 (EST)
From: Robert Watson <robert@cyrus.watson.org>
To: "Open Systems Inc." <opsys@open-systems.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: chflags sappnd and secure level 3 question...
Message-ID: <Pine.BSF.3.96.981130202356.19304C-100000@fledge.watson.org>
In-Reply-To: <Pine.BSF.3.96.981130182802.17477A-100000@pinkfloyd.open-systems.net>

On Mon, 30 Nov 1998, Open Systems Inc. wrote:

> Ok apparently I don't quite grawk what the problem is here.
> I have a firewall box running secure level 3.
> With ALL the log files in /var/log/* set with sappnd.
> But newsyslog keeps spitting out:
>
> From: root (Cron Daemon)
> To: root
> Subject: Cron <root@pm330> /usr/sbin/newsyslog
> X-Cron-Env: <SHELL=/bin/sh>
> X-Cron-Env: <PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin>
> X-Cron-Env: <HOME=/root>
> X-Cron-Env: <LOGNAME=root>
> X-Cron-Env: <USER=root>
> Status: RO
>
> newsyslog: can't start new log: Operation not permitted
>
> I thought sappnd would allow root to append files. Do I have that part
> right?
>
> newsyslog can't rotate the logs. Does the /var/log dir need to be set
> sappnd itself?
>
> I guess I'll go try that.

The 'rotate log' behavior consists (I assume) of the following:

1. Delete the oldest log if desired
2. Rename old logs to bump up their count
3. Rename current log to an old log name (optionally compress and so on)
4. Create a new log file with the appropriate permissions, etc, and write
   out a restart line.
5. Send a -HUP to syslogd so it opens the new log files

Depending on the flags on the directory, etc, this is not going to be so
happy in a high secure level. I suspect that there is no reasonable way
to manage log rotation in a high secure level, and as a result it is
probably desirable to rotate the logs at boot but not otherwise. Either
that, or use remote logging. I'm not sure I see a way that has local log
rotation occurring once the securelevel is raised -- otherwise I could just
rename the logs to something innocuous (like
/usr/sbin/somereasonablelookingbinaryname) and create my own files there
with whatever contents I like. This is logically fairly similar to being
able to modify the logs.

  Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73  25 6D 10 FC EC 68 C1 1C

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
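
The rotation steps listed in the message above, run against a simplified model of the append-only flag; this is an added example, not code from the message or from FreeBSD. It assumes that sappnd blocks unlink, rename and truncation, that the flag cannot be cleared once the securelevel is raised, and the names `LogDir`, `rotate` and `sample` are hypothetical.

```python
import errno

SAPPND = "sappnd"  # system append-only flag (chflags sappnd)

class LogDir:
    """Simplified model of a directory whose flags can no longer be cleared."""

    def __init__(self, files, dir_flags=()):
        self.files = {name: set(flags) for name, flags in files.items()}
        self.dir_flags = set(dir_flags)

    def _eperm(self, op, name):
        return PermissionError(errno.EPERM, f"{op}: Operation not permitted", name)

    def _pinned(self, name):
        # Assumption: an entry cannot be removed or renamed if it, or its
        # directory, is append-only.
        return SAPPND in self.files[name] or SAPPND in self.dir_flags

    def unlink(self, name):
        if self._pinned(name):
            raise self._eperm("unlink", name)
        del self.files[name]

    def rename(self, old, new):
        if self._pinned(old) or (new in self.files and self._pinned(new)):
            raise self._eperm("rename", old)
        self.files[new] = self.files.pop(old)

    def create(self, name):
        # Creating over an existing file truncates it, which append-only forbids.
        if SAPPND in self.files.get(name, ()):
            raise self._eperm("create", name)
        self.files[name] = set()

def rotate(d, log="messages"):
    """Try the file-system steps of a rotation keeping two old logs; return outcomes."""
    steps = [
        ("delete oldest", lambda: d.unlink(f"{log}.1")),
        ("bump old log", lambda: d.rename(f"{log}.0", f"{log}.1")),
        ("rename current", lambda: d.rename(log, f"{log}.0")),
        ("create new log", lambda: d.create(log)),
    ]
    outcome = {}
    for label, step in steps:
        try:
            step()
            outcome[label] = "ok"
        except PermissionError:
            outcome[label] = "EPERM"
    return outcome

def sample(flags, dir_flags=()):
    # Constructed sample: a current log and two rotated copies.
    return LogDir({n: flags for n in ("messages", "messages.0", "messages.1")}, dir_flags)
```

In this model every step fails with the files flagged, with or without the flag on the directory, and every step succeeds only while the flags are absent, which is the boot-time window before the securelevel is raised.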