Date:      Wed, 6 Jan 1999 16:23:52 -0800
From:      Don Lewis <Don.Lewis@tsc.tdk.com>
To:        Vadim Kolontsov <vadim@tversu.ru>, Don Lewis <Don.Lewis@tsc.tdk.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: kernel/syslogd hack
Message-ID:  <199901070023.QAA02193@salsa.gv.tsc.tdk.com>
In-Reply-To: Vadim Kolontsov <vadim@tversu.ru> "Re: kernel/syslogd hack" (Jan  6,  9:47am)

On Jan 6,  9:47am, Vadim Kolontsov wrote:
} Subject: Re: kernel/syslogd hack
} Hi,
} 
} On Tue, Jan 05, 1999 at 04:39:53PM -0800, Don Lewis wrote:
} 
} > }    Advantages: it doesn't require to recompile client applications or
} > }    shared libraries, it's completely transparent for clients, can be
} > 
} > If you wanted to use SCM_CREDS, you'd need to tweak syslog() and rebuild
} > the shared library.  I don't think this is too much of a disadvantage.
} 
}   Who will rebuild all binary-only FreeBSD/Linux apps, available on the market?
} Not all of them use shared libraries.

I suspect that not many of those that are statically linked call syslog().

If syslogd received a message without the credentials, it could log the
information that it was handed with an indication that the information
may not be trustworthy.

} > }    Of course this patch doesn't solve problem with syslog/514 UDP. I
} > }    know it
} > 
} > Someone has written a secure syslog protocol that uses encryption, etc.
} 
}   it signs local logs, it encrypts it during network transfer, but it
} does nothing for the problem I've described -- log socket (AF_UNIX) is available
} for everyone and all information is trusted (correct me if I'm wrong)

This is correct, but at least it prevents someone from sending totally
fabricated (IP source address and all) messages to UDP port 514.  Even
if the message is signed and encrypted, you still might not be able to
trust the sender as much as you can with SCM_CREDS or equivalent.
