Bug 10222

Summary: /dev/log permits anyone to forge arbitrary audit records

| Field | Value | Field | Value |
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | David A. Wheeler <dwheeler> |
| Component: | sysklogd | Assignee: | Bill Nottingham <notting> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 8.0 | CC: | abartlet, k.georgiou, mitr, rvokal |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2004-06-18 15:36:53 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description (David A. Wheeler, 2000-03-17 15:35:36 UTC)

Newer versions of logger from util-linux prepend the user's name to the log entry before sending it to syslogd, but this should really be fixed in syslogd.

Per private email, logger doesn't have any special privileges, and there's no way to fix this with the current syslogd while still making the logging facility available to everyone.

Using a connected Unix-domain socket would let syslogd identify the UID/GID/PID of the sending process and impose limits that way, but this was changed to work around a DoS problem that cropped up a while back.

Changing the permissions will break many programs, so syslog needs to be able to distinguish between various users who send it data. Could all users that need to log messages be placed in a special group 'log' with the respective changes on the /dev/log permissions? Such a solution would also require stopping access to syslog over the network (at least from the local computer) to avoid somebody just bypassing the permissions. (I don't mind network based syslog being fakeable, as long as it does not contain *my* hostname). Also it would be nice to make it impossible for a user to write kernel messages, or at least make sure syslogd gets its kernel input only from klogd, not joe-random-hacker.

As for the last selection, no. Programs run as arbitrary users still need to be able to call syslog().

This sounds like the job for a small sgid wrapper, which would verify its input as sane (correct timestamps, program names distinguished by username etc) and pass it onto the standard syslog. Is this at all possible? Or are the implications of yet another set-uid program not worth the bother?

Newer kernels have socket options to get the peer information - so it is now possible to log this data I think.

Closing; This issue was fixed a while ago.
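The thread's resolution rests on the kernel supplying peer credentials for Unix-domain sockets, so that the daemon can record who actually sent a message instead of trusting a name the client wrote into the payload. The following is an added illustration, not code from sysklogd, util-linux or anyone in this bug: a minimal receiver sets SO_PASSCRED on a datagram socket, reads the SCM_CREDENTIALS ancillary data (pid/uid/gid) the Linux kernel attaches to each datagram, and stamps the log record with those values. The `user=` prefix the client sends is a constructed stand-in for the name that logger prepends; the `FORGED-IDENTITY` marker and the function names are this example's own. It requires Linux (SO_PASSCRED and SCM_CREDENTIALS are Linux-specific) and uses a socketpair so both ends live in one process and it runs offline.

```python
import os
import pwd
import socket
import struct

# struct ucred { pid_t pid; uid_t uid; gid_t gid; } -- three native ints on Linux.
UCRED_FMT = "3i"
UCRED_SIZE = struct.calcsize(UCRED_FMT)


def make_audit_channel():
    """Create a connected AF_UNIX datagram pair and enable SO_PASSCRED on the
    receiving end, so the kernel attaches the sender's pid/uid/gid to every
    datagram it delivers (the peer-credential mechanism the thread mentions)."""
    sender, receiver = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    receiver.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
    return sender, receiver


def receive_attested(receiver, bufsize=4096):
    """Read one datagram and return (payload, pid, uid, gid) as vouched for by
    the kernel. Nothing inside the payload is used to decide who sent it."""
    payload, ancdata, _flags, _addr = receiver.recvmsg(
        bufsize, socket.CMSG_SPACE(UCRED_SIZE))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            pid, uid, gid = struct.unpack(UCRED_FMT, data[:UCRED_SIZE])
            return payload, pid, uid, gid
    # A message without kernel credentials is not attributable; do not log it as trusted.
    raise RuntimeError("kernel did not attach SCM_CREDENTIALS")


def stamp_record(payload, pid, uid, gid):
    """Build the record the daemon would write: the client's text is kept, but
    the origin fields come from the kernel. A 'user=' claim in the payload
    (constructed convention for this example) that disagrees with the real uid
    is flagged rather than believed. Returns (record, real_user, forged)."""
    text = payload.decode("utf-8", errors="replace")
    try:
        real_user = pwd.getpwuid(uid).pw_name
    except KeyError:  # uid with no passwd entry (e.g. inside a minimal container)
        real_user = str(uid)
    claimed = None
    for token in text.split():
        if token.startswith("user="):
            claimed = token[len("user="):]
    forged = claimed is not None and claimed != real_user
    record = f"uid={uid} gid={gid} pid={pid} user={real_user}"
    if forged:
        record += f" FORGED-IDENTITY claimed={claimed}"
    return record + " msg=" + text, real_user, forged


def demo():
    """Run the exchange in-process: the 'client' end sends a payload claiming to
    be root; the 'daemon' end records only what the kernel attests."""
    sender, receiver = make_audit_channel()
    try:
        # Constructed sample message: an unprivileged client claims to be root.
        sender.send(b"user=root su: session opened for root")
        payload, pid, uid, gid = receive_attested(receiver)
        record, real_user, forged = stamp_record(payload, pid, uid, gid)
    finally:
        sender.close()
        receiver.close()
    return {
        "record": record,
        "real_user": real_user,
        "forged": forged,
        "kernel_uid": uid,
        "kernel_pid": pid,
        "process_uid": os.getuid(),
        "process_pid": os.getpid(),
    }


if __name__ == "__main__":
    print(demo()["record"])
```

Because both ends of the socketpair are in the same process, the kernel-reported uid and pid equal the calling process's own, which is what a test can check; run as a non-root user the `user=root` claim is flagged, run as root it is accepted because it is then true. A real daemon would apply the same check on the listening `/dev/log` socket, which is the point of the thread: the permission bits on `/dev/log` cannot distinguish senders, but the credentials the kernel attaches can.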