Date:      Mon, 7 Jun 2004 13:27:45 -0700
From:      "Crist J. Clark" <cristjc@comcast.net>
To:        Darren Reed <avalon@caligula.anu.edu.au>
Cc:        freebsd-security@freebsd.org
Subject:   Re: syslogd(8) Dropping Privs
Message-ID:  <20040607202745.GA75747@blossom.cjclark.org>
In-Reply-To: <200406050821.i558LUtm003296@caligula.anu.edu.au>
References:  <20040604195338.GA50275@blossom.cjclark.org> <200406050821.i558LUtm003296@caligula.anu.edu.au>

On Sat, Jun 05, 2004 at 06:21:29PM +1000, Darren Reed wrote:
> ...and this works in the case of SIGHUP too ?
> 
> i.e. re-read syslogd.conf and can open new files r/w root only ?

Syslogd(8) does NOT run as root by the time log files are opened
at startup or a reconfig (SIGHUP). As I stated in the original
message, the log files will have to be writable by the user. Same
goes for writing messages to users via their ttys. Although having
things set up otherwise is probably rare, make sure that the user
can read the configuration file.

What do we do while still root? Open the UNIX domain log sockets
(/var/run/log and any others specified) and open the network socket
(514/udp by default or whatever specified). The PID file is also
written while still root.

I'm thinking of writing a "conversion" script to make the required
changes.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
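The conversion script Crist mentions is not on this page; as an added example (not the thread's or FreeBSD's code), here is a Python audit of the two prerequisites his message states: the unprivileged user must be able to read syslog.conf and write every file it names, because both are opened after privileges are dropped, at startup and again on SIGHUP. The syslog.conf parsing is a simplified assumption about FreeBSD's format, and SAMPLE_CONF is constructed.

```python
import os
import stat

# Constructed FreeBSD-style syslog.conf for the self-check (not a real config).
SAMPLE_CONF = """# comment
*.notice;kern.debug\t/var/log/messages
!ppp
*.*\t/var/log/ppp.log
*.*\t@loghost.example
security.*\t|exec /usr/local/bin/filter
*.emerg\t*
"""

def log_files_from_conf(text):
    """Absolute-path actions syslogd opens for writing.  Comment, blank, !prog and
    +host/-host lines carry no action; |cmd, @host, user names and '*' are not files."""
    paths = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line[0] in "!+-":
            continue
        fields = line.split()
        if len(fields) >= 2 and fields[1].startswith("/"):
            paths.append(fields[1])
    return paths

def may_access(st_uid, st_gid, st_mode, uid, gids, want_write=True):
    """Mode-bit check as the kernel applies it to the unprivileged daemon: the first
    matching class (owner, group, other) decides; uid 0 passes.  ACLs are ignored."""
    cls = 0 if st_uid == uid else 1 if st_gid in gids else 2
    bits = (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH) if want_write else \
           (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
    return uid == 0 or bool(st_mode & bits[cls])

def audit(conf_path, uid, gids):
    """(path, reason) pairs the daemon could not open after dropping privileges:
    the config must be readable (re-read on SIGHUP), each log file writable."""
    with open(conf_path) as fh:
        checks = [(conf_path, False)] + [(p, True) for p in log_files_from_conf(fh.read())]
    problems = []
    for path, want_write in checks:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append((path, "missing"))
            continue
        if not may_access(st.st_uid, st.st_gid, st.st_mode, uid, gids, want_write):
            problems.append((path, "not writable" if want_write else "not readable"))
    return problems
```

Call audit("/etc/syslog.conf", uid, {gid, ...}) with the uid and groups syslogd will drop to; every path it reports is one the conversion has to chown or chmod first, including files that do not exist yet, since the daemon can no longer create them as root.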