Bug#158090: security.debian.org: Easy for any user to fake messages into syslog
reassign 158090 sysklogd
thanks
At Sun, 25 Aug 2002 15:15:08 -0400,
Joey Hess wrote:
> syslogd could use getsockopt(SO_PEERCRED) to get a ucred structure and
> work out the user who has opened /dev/log and include that info in the
> log somewhere. This would require no special glibc support. If you want
> generic code to do that on a unix socket (works on linux, and probably
> freebsd, and possibly other bsd's), I can provide it. Where in the log
> to put this information without changing the format and breaking a lot of
> stuff, I do not know.
Correct. Looking throughout this bug, there may be two fixes: (1)
control /dev/log permission (2) use getsockopt to check the peer
credential.
However, I wonder the current behavior causes any problems - no one
has actually troubles. Even if /var/log/* has an entry with <pid> or
process title, it may be faked (in addition, syslogd format is
defined, so it's standard violation). I suspect authentication is
actually needed.
I reassign it to sysklogd rathar than closing it because (1) there's
no fault around this report (2) sysklogd can have credential check
code (3) glibc cannot contribute to improve this kind of area.
Credential check may become interesting sysklogd feature for nervous
administrator.
In future POSIX may have more informative and more powerful syslog
facility. However it's another issue, if you want to discuss about
new syslog, please discuss at austin group.
Sysklogd maintainer, I leave this report into your hands to close or
implement this report.
Regards,
-- gotom
Reply to: