From: Peter Pentchev <roam@ringlet.net>
To: freebsd-security@freebsd.org
Subject: Re: securelevel 1
Date: Mon, 30 Oct 2023 00:21:04 +0200
References: <6638DADD-FCDB-492C-B1E8-441C6622038B@FreeBSD.org> <663fd243-94ec-40c1-ac66-ca8e3d5f278d@quip.cz> <35f733cc-a6c2-46a4-b564-b1ef87893fc5@app.fastmail.com> <86ttqd12y1.fsf@ltc.des.no>
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security

On Fri, Oct 27, 2023 at 03:34:28AM +0100, void wrote:
> On Thu, Oct 26, 2023 at 11:36:22PM +0200, Dag-Erling Smørgrav wrote:
> > void writes:
> > > In order to accomplish what I'd like, I understand that I'd need to set +schg
> > > on the individual logs, then set the securelevel afterwards and reboot.
> >
> > If you set the log file +schg, it can't be written to at all. That's
> > obviously not what you want.
>
> Yes, I'm sorry; I meant to type +sappnd
>
> > If you set it +sappnd, it can be written to, and newsyslog will be able
> > to rotate it; an attacker with superuser privileges will also be able to
> > replace it with a doctored file.
>
> Yes. But if sappend is set on the required files, and then securelevel=1
> is set, then nothing can change the flag while the system is multiuser.
> That is, if I'm understanding correctly?
>
> So, on such a system, if I understand correctly, newsyslog would need to be
> turned off.

newsyslog does not need to change the file; it renames the file, then it
tells syslog to start a new one (one that does not exist until that point
in time), and then newsyslog may also read the renamed file, compress the
data, write it to yet another new file, etc. So setting +sappnd on a
logfile should not prevent newsyslog from processing it.

However, the fact that the file is renamed and a brand new one is created
in its place probably means that the new logfile will *not* have the
+sappnd flag set.

G'luck,
Peter

-- 
Peter Pentchev  roam@ringlet.net roam@debian.org pp@storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
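The caveat at the end of the message (the freshly created log has no flags) implies a hook: re-apply sappnd to the new file right after rotation, and send syslogd the HUP yourself. This works on a running system because securelevel 1 only refuses to clear the system flags; root may still set them. The script below is an added example by the editor, not code from the thread or from FreeBSD's newsyslog. It assumes FreeBSD's stat(1) with -f '%Sf' and chflags(1), a hypothetical log list in LOGS, and syslogd's pid file at /var/run/syslog.pid.

```shell
#!/bin/sh
# newsyslog-sappnd.sh (added example, not FreeBSD's own tooling)
# Re-apply the system append-only flag to freshly rotated logs and tell
# syslogd to reopen them. Assumes FreeBSD stat(1)/chflags(1); LOGS and
# SYSLOG_PID are assumptions, override them via the environment.

LOGS="${LOGS:-/var/log/auth.log /var/log/security /var/log/messages}"
SYSLOG_PID="${SYSLOG_PID:-/var/run/syslog.pid}"

# has_flag FLAGS NAME
# FLAGS is what `stat -f '%Sf'` prints: "-" when no flags are set, otherwise
# comma-separated names such as "uchg,sappnd". Exit 0 if NAME is one of them.
# Whole-name match, so "sappnd" does not match "uappnd" (the user-level
# append flag, which root can clear at any securelevel).
has_flag() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# file_flags PATH: print PATH's symbolic flag list (FreeBSD stat, %Sf).
file_flags() {
    stat -f '%Sf' "$1"
}

# ensure_sappnd PATH
# Set sappnd unless already present, then confirm it stuck. At securelevel
# >= 1 the kernel refuses to clear schg/sappnd but still lets root set them.
ensure_sappnd() {
    if has_flag "$(file_flags "$1")" sappnd; then
        return 0
    fi
    chflags sappnd "$1" && has_flag "$(file_flags "$1")" sappnd
}

# check_rotated: report rotated copies that carry no sappnd. newsyslog writes
# the compressed copy to a brand new file, so these are normally unflagged;
# listing them is the audit step, flagging them is a local policy choice.
check_rotated() {
    for f in $LOGS; do
        for old in "$f".[0-9]*; do
            [ -e "$old" ] || continue
            has_flag "$(file_flags "$old")" sappnd || echo "unflagged: $old"
        done
    done
}

main() {
    rc=0
    # Flag the new files first, then HUP: syslogd keeps writing to the
    # renamed file until it reopens, so nothing is lost in between.
    for f in $LOGS; do
        ensure_sappnd "$f" || { echo "could not flag $f" >&2; rc=1; }
    done
    # newsyslog's R flag runs this command instead of signalling the pid
    # file itself, so the reopen signal has to come from here.
    kill -HUP "$(cat "$SYSLOG_PID")" || rc=1
    check_rotated
    return $rc
}

# Act only when installed under this name; sourcing the file just defines
# the functions (used for testing has_flag on a non-FreeBSD box).
if [ "${0##*/}" = newsyslog-sappnd.sh ]; then
    main
fi
```

To wire it in, newsyslog.conf(5)'s R flag treats the path in the pid/command field as a program to run after rotation rather than a pid file to signal, e.g. `/var/log/auth.log 600 7 1000 @0101T JCR /usr/local/sbin/newsyslog-sappnd.sh` (the existing JC flags kept, R added); the script then owns the HUP. The flag check is kept as a pure string function on stat's output so the matching logic can be exercised anywhere, while the chflags/stat calls only run on FreeBSD as root.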