Date: Tue, 1 Dec 1998 09:19:10 -0500
From: Keith Stevenson <k.stevenson@louisville.edu>
To: "Open Systems Inc." <opsys@open-systems.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: chflags sappnd and secure level 3 question...
Message-ID: <19981201091910.A2864@homer.louisville.edu>
In-Reply-To: <Pine.BSF.3.96.981130182802.17477A-100000@pinkfloyd.open-systems.net>; from Open Systems Inc. on Mon, Nov 30, 1998 at 06:29:45PM -0600
References: <Pine.BSF.3.96.981130182802.17477A-100000@pinkfloyd.open-systems.net>

On Mon, Nov 30, 1998 at 06:29:45PM -0600, Open Systems Inc. wrote:
>
> Ok apparently I don't quite grok what the problem is here.
> I have a firewall box running secure level 3.
> With ALL the log files in /var/log/* set with sappnd.
> But newsyslog keeps spitting out:
> <small snip>
> newsyslog: can't start new log: Operation not permitted
>
> I thought sappnd would allow root to append files. Do I have that part
> right?

True, sappnd will allow root (or any other user with sufficient permission) to _append_ to a file. Newsyslog, however, doesn't append. A quick reading of the newsyslog source (/usr/src/usr.sbin/newsyslog/newsyslog.c on my system) shows that newsyslog actually does a rename(2) on the file as it rotates the file. Since this syscall modifies the file's inode, it is forbidden at high securelevels.

If you want newsyslog to be able to rotate the log files in a high security environment you will need to use the uappnd flag. This will prevent non-root processes from doing anything other than appending to the file. Root can do whatever root wants. This is probably not a good solution for a firewall, since it effectively negates most of the security benefits of running at the high securelevel.

In my environment, I have the luxury of a regularly scheduled downtime period. (It's bad for the uptime statistics, but wonderful for getting work done!) During these scheduled downtime periods, I take the servers to single user mode and run a script which removes the sappnd flags, runs newsyslog, and then replaces the sappnd flags. (I've removed newsyslog from my crontab.)

Regards,
--Keith Stevenson--

--
Keith Stevenson
System Programmer - Data Center Services - University of Louisville
k.stevenson@louisville.edu
PGP key fingerprint = 4B 29 A8 95 A8 82 EA A2 29 CE 68 DE FC EE B6 A0

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
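
The maintenance-window procedure described in the message above (clear sappnd, run newsyslog, set sappnd again) could be scripted along these lines. This is an added example, not the script from the original message; the function names, the DRY_RUN switch and the file list passed by the caller are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: rotate sappnd-protected logs during a maintenance window.
# Assumed names (not from the original message): run, rotate_sappnd_logs,
# DRY_RUN. The caller supplies the securelevel and the list of log files.

DRY_RUN=${DRY_RUN:-1}   # 1 = only print the commands; 0 = execute them

# Print or execute one command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# rotate_sappnd_logs SECURELEVEL FILE...
# Returns 1 without touching any file when the securelevel is above 0,
# because the kernel refuses to clear system flags such as sappnd there.
rotate_sappnd_logs() {
    level=$1
    shift
    if [ "$level" -gt 0 ]; then
        echo "securelevel $level: sappnd cannot be cleared here" >&2
        return 1
    fi
    rc=0
    for f in "$@"; do
        run chflags nosappnd "$f" || rc=1
    done
    # Rotate only if every flag was cleared; otherwise newsyslog would
    # fail again with "Operation not permitted".
    if [ "$rc" -eq 0 ]; then
        run newsyslog || rc=1
    fi
    # Always set the flag again, even if a step above failed, so no log
    # is left unprotected when the system returns to multi-user mode.
    for f in "$@"; do
        run chflags sappnd "$f" || rc=1
    done
    return "$rc"
}

# Real use on FreeBSD, as root in single-user mode:
#   DRY_RUN=0 rotate_sappnd_logs "$(sysctl -n kern.securelevel)" /var/log/messages
```

Files that newsyslog creates under names not in the list (rotated copies, for instance) are not flagged by this sketch and would need to be added to the final loop.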