Bugtraq mailing list archives
Re: local users can panic linux kernel (was: SuSE syslogd
From: saw () MSU RU (Savochkin Andrey Vladimirovich)
Date: Wed, 24 Nov 1999 12:05:44 +0300
On Wed, Nov 24, 1999 at 12:06:05PM +1100, Darren Reed wrote:
> In some mail from Savochkin Andrey Vladimirovich, sie said:
> > I think that replacing stream sockets by datagram is a step in the wrong
> > direction. Datagram sockets are not only unreliable by definition. Their
> > use makes it completely impossible for applications to check if their
> > message has been properly logged or not. Stream sockets at least allow
> > catching some cases when the message is lost.
>
> I'd venture to say that this is not true. The syslog protocol is
> unidirectional (sender sends, only) and as such, the sender receives

That's the main mistake in the design...

> no indication that messages are ever received or stored. Using stream

Well, the sender under certain conditions receives an indication that the message was not received and stored.

> sockets in this environment leads to false beliefs about what happens at
> the other end. The syslog-sec mailing list has been discussing some

With a stream socket I get absolutely correct information: if I get a communication error then my message isn't properly logged.

> of these problems and what would be required to address them. Just
> replacing datagrams with streams is not enough.

Who says that it's enough? :-) The current syslog protocol is undoubtedly very weak. But I don't see good reasons to make it even weaker. I repeat what I stated: "Stream sockets at least allow catching some cases when the message is lost". We catch probably the most frequent cases but not all of them.

[...]
> > It's clear that there are some resource control problems with connection
> > oriented sockets. These resource control problems may block logging under
> > certain conditions. But I don't think that these problems are unsolvable.
> > As a first step we may consider creating several unix sockets for
> > different facilities and some access control.
>
> In an uncontrolled environment, this will do nothing to prevent D.O.S
> attacks. Creating extra sockets just means I've more targets to kill
> before completing the mission.

The key point in my statement is the access control. The system may be configured so that an attacker needs e.g. group daemon to stop logging of system daemons, and root privileges to stop logging of privileged processes like `su'. A person with root privileges may do much more than stop logging :-). So in such an environment at least privileged process logging is fully protected.

Best regards
        Andrey
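The per-facility stream sockets with access control proposed in the message above, as an added sketch that is not part of the original post and not code from any syslogd. The facility names, file modes and `log-<facility>` paths are assumptions made for illustration, and file ownership is left unset because changing it needs privilege.

```python
import os
import socket

# Hypothetical layout: facility name -> mode of its socket file.
# A real deployment would also chown each file (e.g. root:daemon for
# "daemon", root:root for "auth"); that needs privilege and is omitted.
FACILITY_MODES = {"user": 0o666, "daemon": 0o660, "auth": 0o600}


def create_facility_sockets(directory, modes=FACILITY_MODES):
    """Bind one listening stream socket per facility and set its mode."""
    listeners = {}
    old_umask = os.umask(0o777)  # sockets are created inaccessible, no race window
    try:
        for facility, mode in modes.items():
            path = os.path.join(directory, "log-" + facility)
            srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            srv.bind(path)
            # On Linux, connect() needs write permission on the socket file,
            # so the mode (plus owner/group) decides who can reach this logger.
            os.chmod(path, mode)
            srv.listen(8)
            listeners[facility] = (path, srv)
    finally:
        os.umask(old_umask)
    return listeners


def log_message(path, message):
    """Send one line; False means a communication error was reported.

    True only means no error was seen by the sender. It does not prove
    the logger stored the message.
    """
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.connect(path)
            s.sendall(message.encode() + b"\n")
        return True
    except OSError:
        return False
```

A process that exhausts the backlog of the `user` socket cannot reach the `auth` socket unless it also holds the credentials that socket's owner and mode require.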