From: "Rodney W. Grimes"
Message-Id: <199804240220.TAA10069@GndRsh.aac.dev.com>
Subject: Re: cvs commit: src/usr.sbin/syslogd syslogd.c
In-Reply-To: <4852.893278525@critter.freebsd.dk> from Poul-Henning Kamp at "Apr 22, 98 10:55:25 pm"
To: phk@critter.freebsd.dk (Poul-Henning Kamp)
Date: Thu, 23 Apr 1998 19:20:20 -0700 (PDT)
Cc: peter@netplex.com.au, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-usrsbin@FreeBSD.ORG, soren@dt.dk

>
> >> I would think that all securemode should do would be to not include the
> >> fd in what select is watching, but the code before this change also
> >> diked out the bind, so you wouldn't know what port you would be sending
> >> syslog messages from, making ipfw unable to decide if the message came
> >> from syslogd or some random user...
> >
> >True, but your changes force us to run wide open, both in and out, if
> >we want to do remote logging at all :-(.
>
> Yes, but remember that the mods (not mine!) were reviewed by me, and
> I concluded that since that bind was absent it was snake oil security.
>
> If you and peter agree with me that all -s should do is to not listen
> for packets, but still bind to the syslog udp port so the remote
> receiver of our syslog messages knows we sent them, then I'll happily
> make it do that.

Yes, I agree with that.

-- 
Rod Grimes rgrimes@gndrsh.aac.dev.com
Accurate Automation, Inc. Reliable computers for FreeBSD
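
The behaviour agreed on in this thread, sketched as an added example (not syslogd's code and not written by anyone in the thread): the forwarding socket is always bound, so the receiver sees a known source port, and in secure mode it is simply left out of the select() read set. The function names, the loopback addresses and the kernel-chosen ports are assumptions made so the sketch runs without root.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <unistd.h>

/* Bind a UDP socket on loopback, kernel-chosen port (assumption for the demo;
 * syslogd itself would bind the syslog UDP port, which needs root). */
static int udp_bound(struct sockaddr_in *sin)
{
    socklen_t len = sizeof(*sin);
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    memset(sin, 0, sizeof(*sin));
    sin->sin_family = AF_INET;
    sin->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (fd >= 0 && bind(fd, (struct sockaddr *)sin, len) == 0 &&
        getsockname(fd, (struct sockaddr *)sin, &len) == 0)
        return fd;
    if (fd >= 0)
        close(fd);
    return -1;
}

/* Returns 1 if the receiver saw the sender's bound source port, 0 if not,
 * -1 on error. *watched tells whether the sender socket was put in the
 * select() read set, i.e. whether incoming packets would ever be read. */
int forward_demo(int secure, int *watched)
{
    const char msg[] = "<13>constructed test message";
    struct sockaddr_in src, dst, from;
    socklen_t flen = sizeof(from);
    struct timeval tv = { 2, 0 };
    char buf[128];
    fd_set rfds;
    int snd = udp_bound(&src), rcv = udp_bound(&dst), ok = -1;
    FD_ZERO(&rfds);
    if (snd >= 0 && !secure)
        FD_SET(snd, &rfds);   /* only non-secure mode listens for packets */
    *watched = snd >= 0 && FD_ISSET(snd, &rfds) != 0;
    if (snd >= 0 && rcv >= 0 &&
        setsockopt(rcv, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) == 0 &&
        sendto(snd, msg, sizeof(msg), 0, (struct sockaddr *)&dst, sizeof(dst)) >= 0 &&
        recvfrom(rcv, buf, sizeof(buf), 0, (struct sockaddr *)&from, &flen) >= 0)
        ok = from.sin_port == src.sin_port;  /* what the receiver's filter keys on */
    if (snd >= 0) close(snd);
    if (rcv >= 0) close(rcv);
    return ok;
}
```

Datagrams sent to a bound but unread socket still queue in its receive buffer until the buffer fills, so a packet filter rule on the inbound side remains useful alongside this.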