Re: Possible syslogd DoS ?

From: Crist J. Clark (cristjcat_private)
Date: Wed Oct 03 2001 - 23:10:33 PDT


    On Wed, Oct 03, 2001 at 08:09:58PM +0200, Petr Baudis wrote:
    > Hello,
    >   I just recently came on a thought (thanks to Marek Jaros) of possible
    > DoS of syslogd. It uses /dev/log for receiving log messages, which has
    > mode 0666 on most linuxes. It should be ok, as many non-root applications
    > should be allowed to log things etc.
    
    [snip]
    
    >   Discussion? Something I didn't take into account? Possible solutions?
    
    To paraphrase an old quote, syslog is basically an unauthenticated
    disk filling utility.
    
      #!/bin/sh
    
      while :; do
    
        logger "This is message one."
        logger "This is message two."
    
      done
    
    On a system with untrusted users, you may need to do some special
    configuration (change permissions on the log socket, make sure that
    filling the partitions syslog writes to is not fatal, etc.).
    
    This is a well known vulnerability of the syslog system, but is often
    overlooked due to greater concerns over remote disk filling
    possibilities.
    -- 
    Crist J. Clark                           cjclarkat_private
                                             cjclarkat_private
                                             cjcat_private
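
Added example, not part of the original message: a small POSIX sh audit of the two settings the reply says to review, the permissions on the log socket and whether the log directory can fill a critical partition. The defaults /dev/log and /var/log, the function names, and the reading of "fatal" as "shares the root filesystem" are assumptions of this example.

```sh
#!/bin/sh
# Added example: audits the two local settings the message recommends reviewing.
# /dev/log and /var/log are assumed defaults; pass other paths as $1 and $2.

# world_writable PATH: 0 if "other" may write, 1 if not, 2 if PATH is missing.
world_writable() {
    # ls -ldL (follow symlinks) is used because stat(1) flags differ by platform.
    perms=$(ls -ldL "$1" 2>/dev/null | cut -c1-10)
    [ -n "$perms" ] || return 2
    [ "$(printf '%s' "$perms" | cut -c9)" = "w" ]
}

# mount_of PATH: print the mount point of the filesystem holding PATH.
mount_of() {
    df -P "$1" 2>/dev/null | awk 'NR==2 {print $NF}'
}

# shares_fs A B: 0 if both paths live on the same mounted filesystem.
shares_fs() {
    a=$(mount_of "$1"); b=$(mount_of "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

audit() {
    sock=$1; logdir=$2; rc=0
    world_writable "$sock" || rc=$?
    case $rc in
        0) echo "WARN: $sock is world-writable; every local account can log" ;;
        1) echo "OK: $sock is not world-writable" ;;
        *) echo "INFO: $sock not found" ;;
    esac
    if shares_fs "$logdir" /; then
        echo "WARN: $logdir is on the root filesystem; full logs fill /"
    else
        echo "OK: $logdir is not on the root filesystem (or was not found)"
    fi
}

audit "${1:-/dev/log}" "${2:-/var/log}"
```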
    


