From owner-freebsd-hackers Wed Aug 30 10:42:28 1995 Return-Path: hackers-owner Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id KAA16312 for hackers-outgoing; Wed, 30 Aug 1995 10:42:28 -0700 Received: from phaeton.artisoft.com (phaeton.Artisoft.COM [198.17.250.211]) by freefall.FreeBSD.org (8.6.11/8.6.6) with ESMTP id KAA16300 for ; Wed, 30 Aug 1995 10:42:23 -0700 Received: (from terry@localhost) by phaeton.artisoft.com (8.6.11/8.6.9) id KAA18719; Wed, 30 Aug 1995 10:39:12 -0700 From: Terry Lambert Message-Id: <199508301739.KAA18719@phaeton.artisoft.com> Subject: Re: *READ THIS* snapshot fixes security hole *READ THIS* (fwd) To: kuku@gilberto.physik.rwth-aachen.de Date: Wed, 30 Aug 1995 10:39:12 -0700 (MST) Cc: freebsd-hackers@freefall.FreeBSD.org In-Reply-To: <199508301035.MAA16690@gilberto.physik.rwth-aachen.de> from "Christoph Kukulies" at Aug 30, 95 12:35:55 pm X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1101 Sender: hackers-owner@FreeBSD.org Precedence: bulk > > Here are the files in /bin and /sbin which call syslog() > > > > BIN > > ./date/date.c > > > > SBIN > > ./shutdown/shutdown.c > > ./savecore/savecore.c > > ./routed/tables.c > > ./routed/startup.c > > ./routed/main.c > > ./routed/input.c > > ./reboot/reboot.c > > ./nfsiod/nfsiod.c > > ./nfsd/nfsd.c > > ./newfs/newfs.c > > ./mountd/mountd.c > > ./init/init.c > > ./dmesg/dmesg.c > > ./mount_portal/pt_file.c > > ./mount_portal/mount_portal.c > > ./mount_portal/activate.c > > ./mount_portal/conf.c > > ./mount_portal/pt_exec.c > > ./mount_portal/pt_tcp.c > > ./mount_nfs/mount_nfs.c This is silly (and the list is incomplete -- you see the CERT advisory target program listed there at all? 8-)). The only "danger" from the syslog() is when it's used to log user input and that userinput consists of a clever stack hack to make the program blow. Unless it's a daemon or an SUID/SGID program, there is *no* hole. Programs run by inetd count as "SUID". Terry Lambert terry@lambert.org --- Any opinions in this posting are my own and not those of my present or previous employers.