Debian bug report logs -
#703, boring messages
Message sent to debian-devel@pixar.com:
Subject: Bug#703: syslogd is insecure and is started too late
Reply-To: iwj10@cus.cam.ac.uk (Ian Jackson), debian-bugs@pixar.com
Resent-To: debian-devel@pixar.com
Resent-From: iwj10@cus.cam.ac.uk (Ian Jackson)
Resent-Sender: iwj10@cus.cam.ac.uk
Resent-Date: Sun, 02 Apr 1995 13:18:02 GMT
Resent-Message-ID: <debian-bugs-handler.703.040213053520808@pixar.com>
X-Debian-PR-Package: syslogd
X-Debian-PR-Keywords:
Received: via spool for debian-bugs; Sun, 02 Apr 1995 13:18:02 GMT
Received: with rfc822 via encapsulated-mail id 040213053520808;
Sun, 02 Apr 1995 13:05:35 GMT
Received: from pixar.com by mongo.pixar.com with smtp
(Smail3.1.28.1 #15) id m0rvPKP-0002TeC; Sun, 2 Apr 95 06:04 PDT
Received: from bootes.cus.cam.ac.uk by pixar.com with SMTP id AA01606
(5.65c/IDA-1.4.4 for <debian-bugs@pixar.com>); Sun, 2 Apr 1995 06:04:14 -0700
Received: by bootes.cus.cam.ac.uk
(Smail-3.1.29.0 #30) id m0rvPK5-000BzkC; Sun, 2 Apr 95 14:04 BST
Received: by chiark
id m0rvENy-0000YTZ
(Debian /\oo/\ Smail3.1.29.1 #29.27); Sun, 2 Apr 95 02:23 BST
Message-Id: <m0rvENy-0000YTZ.ijackson@nyx.cs.du.edu>
Date: Sun, 2 Apr 95 02:23 BST
From: iwj10@cus.cam.ac.uk (Ian Jackson)
To: Debian bugs submission address <debian-bugs@pixar.com>
Package: syslogd
Version: 1.2-9
From the syslogd manpage:
SECURITY THREATS
There is the potential for the syslogd daemon to be used
as a conduit for a denial of service attack. Thanks go to
John Morrison (jmorriso@rflab.ee.ubc.ca) for alerting me
to this potential. A rogue program(mer) could very easily
flood the syslogd daemon with syslog messages resulting in
the log files consuming all the remaining space on the
filesystem. Activating logging over the inet domain sockets
will of course expose a system to risks outside of
programs or individuals on the local machine.
Version 1.2 of the utility set will address this problem.
In the meantime there are a number of methods of protecting
a machine:
It then goes on to list a number of unhelpful `solutions'.
I see (from netstat) that Debian 0.93R5's syslogd has network logging
service enabled. I want to disable it, but I don't seem to be able
to.
If it is not possible to disable (or restrict to particular hosts)
this rather dangerous feature then the binaries shipped with Debian
should not have it compiled in.
If nothing gets done about this soon I suppose I could come up with a
little Perl script that binds to the UDP socket first so as to prevent
syslogd from getting it.
On another note, syslogd still uses /etc/rc.misc. This means it gets
started at number `20' in the ordering, which is too late to catch the
messages from several of the other daemons around that time. I have
reconfigured it to use 16 on my own system.
Ian.
Message sent:
From: iwj10@thor.cam.ac.uk (Ian Jackson)
To: iwj10@cus.cam.ac.uk (Ian Jackson)
Subject: Bug#703: Acknowledgement (was: syslogd is insecure and is started too late)
In-Reply-To: <m0rvENy-0000YTZ.ijackson@nyx.cs.du.edu>
References: <m0rvENy-0000YTZ.ijackson@nyx.cs.du.edu>
Thank you for the problem report you have sent regarding Debian GNU/Linux.
This is an automatically generated reply, to let you know your message has
been received. It is being forwarded to the developers' mailing list for
their attention; they will reply in due course.
If you wish to submit further information on your problem, please send
it to debian-bugs@pixar.com, but please ensure that the Subject
line of your message starts with "Bug#703" or "Re: Bug#703" so that
we can identify it as relating to the same problem.
Please do not reply to the address at the top of this message,
unless you wish to report a problem with the bug-tracking system.
Ian Jackson
(maintainer, debian-bugs)
Message sent to debian-devel@pixar.com:
Subject: Bug#703: syslogd is insecure and is started too late
Reply-To: imurdock@debian.org (Ian Murdock), debian-bugs@pixar.com
Resent-To: debian-devel@pixar.com
Resent-From: imurdock@debian.org (Ian Murdock)
Resent-Sender: iwj10@cus.cam.ac.uk
Resent-Date: Thu, 01 Jun 1995 16:03:11 GMT
Resent-Message-ID: <debian-bugs-handler.703.060115542218170@pixar.com>
X-Debian-PR-Package: syslogd
X-Debian-PR-Keywords:
Received: via spool for debian-bugs; Thu, 01 Jun 1995 16:03:11 GMT
Received: with rfc822 via encapsulated-mail id 060115542218170;
Thu, 01 Jun 1995 15:54:22 GMT
Received: from pixar.com by mongo.pixar.com with smtp
(Smail3.1.28.1 #15) id m0sHCRy-0005z9C; Thu, 1 Jun 95 08:46 PDT
Received: from debra.debian.org by pixar.com with SMTP id AA26560
(5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Thu, 1 Jun 1995 08:44:51 -0700
Received: by debra.debian.org
id m0sHCRW-00001xC
(Debian /\oo/\ Smail3.1.29.1 #29.31); Thu, 1 Jun 95 10:45 EST
Message-Id: <m0sHCRW-00001xC@debra.debian.org>
Date: Thu, 1 Jun 95 10:45 EST
From: imurdock@debian.org (Ian Murdock)
To: debian-bugs@Pixar.com
In-Reply-To: <m0rvENy-0000YTZ.ijackson@nyx.cs.du.edu> (iwj10@cus.cam.ac.uk)
   Date: Sun, 2 Apr 95 02:23 BST
   From: iwj10@cus.cam.ac.uk (Ian Jackson)

   If it is not possible to disable (or restrict to particular hosts)
   this rather dangerous feature then the binaries shipped with Debian
   should not have it compiled in.

It appears to be possible to disable this by adding a comment before
the following in /etc/services:
syslog 514/udp
Should this be commented by default, then?
Message sent:
From: iwj10@thor.cam.ac.uk (Ian Jackson)
To: imurdock@debian.org (Ian Murdock)
Subject: Bug#703: Info received (was Bug#703: syslogd is insecure and is started too late)
In-Reply-To: <m0sHCRW-00001xC@debra.debian.org>
References: <m0sHCRW-00001xC@debra.debian.org>
Thank you for the additional information you have supplied regarding
this problem report. It has been forwarded to the developers to
accompany the original report.
If you wish to continue to submit further information on your problem,
please do the same thing again: send it to debian-bugs@pixar.com, ensuring
that the Subject line starts with "Bug#703" or "Re: Bug#703" so that
we can identify it as relating to the same problem.
Please do not reply to the address at the top of this message,
unless you wish to report a problem with the bug-tracking system.
Ian Jackson
(maintainer, debian-bugs)
Message sent to debian-devel@pixar.com:
Subject: Bug#703: syslogd is insecure and is started too late
Reply-To: iwj10@cus.cam.ac.uk (Ian Jackson), debian-bugs@pixar.com
Resent-To: debian-devel@pixar.com
Resent-From: iwj10@cus.cam.ac.uk (Ian Jackson)
Resent-Sender: iwj10@cus.cam.ac.uk
Resent-Date: Fri, 02 Jun 1995 09:33:05 GMT
Resent-Message-ID: <debian-bugs-handler.703.06020930438796@pixar.com>
X-Debian-PR-Package: syslogd
X-Debian-PR-Keywords:
Received: via spool for debian-bugs; Fri, 02 Jun 1995 09:33:05 GMT
Received: with rfc822 via encapsulated-mail id 06020930438796;
Fri, 02 Jun 1995 09:30:44 GMT
Received: from pixar.com by mongo.pixar.com with smtp
(Smail3.1.28.1 #15) id m0sHT16-0007mTC; Fri, 2 Jun 95 02:27 PDT
Received: from bootes.cus.cam.ac.uk by pixar.com with SMTP id AA09234
(5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Fri, 2 Jun 1995 02:26:10 -0700
Received: by bootes.cus.cam.ac.uk
(Smail-3.1.29.0 #36) id m0sHT0V-000C0AC; Fri, 2 Jun 95 10:27 BST
Received: by chiark
id <m0sHL9j-0000XBZ@chiark.al.cl.cam.ac.uk>
(Debian /\oo/\ Smail3.1.29.1 #29.31); Fri, 2 Jun 95 02:04 BST
Message-Id: <m0sHL9j-0000XBZ@chiark.al.cl.cam.ac.uk>
Date: Fri, 2 Jun 95 02:04 BST
From: iwj10@cus.cam.ac.uk (Ian Jackson)
To: imurdock@debian.org (Ian Murdock), debian-bugs@pixar.com
Ian Murdock writes ("Bug#703: syslogd is insecure and is started too late"):
> Date: Sun, 2 Apr 95 02:23 BST
> From: iwj10@cus.cam.ac.uk (Ian Jackson)
>
> If it is not possible to disable (or restrict to particular hosts)
> this rather dangerous feature then the binaries shipped with Debian
> should not have it compiled in.
>
> It appears to be possible to disable this by adding a comment before
> the following in /etc/services:
>
> syslog 514/udp
>
> Should this be commented by default, then?
How interesting. This seems to me to be rather an odd way of fixing
this problem :-).
I don't know whether it should be disabled by default (though I'm
inclined to say that it should), but either way comments in the
/etc/services file and in the syslogd manpage about this would be a
good thing.
Ian.
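
An added example, not part of the original messages or of syslogd: a small audit that reports the two facts the thread turns on, whether /etc/services carries an active `syslog 514/udp` entry and whether anything is actually bound to UDP port 514 (what netstat showed). It assumes a Linux host with /proc/net/udp; the sample inputs are constructed.

```python
# Added example: constructed inputs, not taken from any real host.
SAMPLE_SERVICES = """\
shell     514/tcp   cmd
syslog    514/udp
printer   515/tcp   spooler
"""
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue
   0: 00000000:0202 00000000:0000 07 00000000:00000000
   1: 0100007F:0035 00000000:0000 07 00000000:00000000
"""

def service_ports(services_text, name="syslog", proto="udp"):
    """Ports of active (uncommented) name/proto entries, aliases included."""
    ports = []
    for line in services_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, _, entry_proto = fields[1].partition("/")
        names = [fields[0]] + fields[2:]          # official name + aliases
        if entry_proto == proto and name in names and port.isdigit():
            ports.append(int(port))
    return ports

def udp_listeners(proc_text, port=514):
    """Local IPv4 addresses bound to `port`, parsed from /proc/net/udp text."""
    found = []
    for line in proc_text.splitlines()[1:]:       # skip the header row
        fields = line.split()
        if len(fields) < 2 or ":" not in fields[1]:
            continue
        addr_hex, _, port_hex = fields[1].rpartition(":")
        if int(port_hex, 16) != port:
            continue
        # Address bytes are printed reversed on little-endian hosts.
        octets = [str(int(addr_hex[i:i + 2], 16)) for i in range(6, -1, -2)]
        found.append(".".join(octets))
    return found

def audit(services_text, proc_text, port=514):
    """Summarise the configuration entry and the live socket state."""
    return {"services_entry": port in service_ports(services_text),
            "listeners": udp_listeners(proc_text, port)}

if __name__ == "__main__":
    with open("/etc/services") as s, open("/proc/net/udp") as u:
        print(audit(s.read(), u.read()))
```

A listener on 0.0.0.0 means the port is reachable from other hosts; comparing the two fields before and after commenting the entry and restarting syslogd shows whether the change took effect.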
Message sent:
From: iwj10@thor.cam.ac.uk (Ian Jackson)
To: iwj10@cus.cam.ac.uk (Ian Jackson)
Subject: Bug#703: Info received (was Bug#703: syslogd is insecure and is started too late)
In-Reply-To: <m0sHL9j-0000XBZ@chiark.al.cl.cam.ac.uk>
References: <m0sHL9j-0000XBZ@chiark.al.cl.cam.ac.uk>
Thank you for the additional information you have supplied regarding
this problem report. It has been forwarded to the developers to
accompany the original report.
If you wish to continue to submit further information on your problem,
please do the same thing again: send it to debian-bugs@pixar.com, ensuring
that the Subject line starts with "Bug#703" or "Re: Bug#703" so that
we can identify it as relating to the same problem.
Please do not reply to the address at the top of this message,
unless you wish to report a problem with the bug-tracking system.
Ian Jackson
(maintainer, debian-bugs)
Message sent:
From: iwj10@thor.cam.ac.uk (Ian Jackson)
To: imurdock@debian.org (Ian Murdock)
In-Reply-To: <m0sP1B2-0001chC@debian.org>
References: <m0sP1B2-0001chC@debian.org> <m0rvENy-0000YTZ.ijackson@nyx.cs.du.edu>
Subject: Bug#703: marked as done (was: syslogd is insecure and is started too late)
Your message dated Fri, 23 Jun 95 00:21 EST
with message-id <m0sP1B2-0001chC@debian.org>
and subject line Bug#703:
has caused the attached bug report to be marked as done.
It is now your responsibility to ensure that the bug report is dealt
with.
(NB: If you are a system administrator and have no idea what I'm
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Ian Jackson
(maintainer, debian-bugs)
Received: with rfc822 via encapsulated-mail id 040213053520808;
Sun, 02 Apr 1995 13:05:35 GMT
From cus.cam.ac.uk!iwj10 Sun Apr 2 06:04:30 1995
Return-Path: <iwj10@cus.cam.ac.uk>
Received: from pixar.com by mongo.pixar.com with smtp
(Smail3.1.28.1 #15) id m0rvPKP-0002TeC; Sun, 2 Apr 95 06:04 PDT
Received: from bootes.cus.cam.ac.uk by pixar.com with SMTP id AA01606
(5.65c/IDA-1.4.4 for <debian-bugs@pixar.com>); Sun, 2 Apr 1995 06:04:14 -0700
Received: by bootes.cus.cam.ac.uk
(Smail-3.1.29.0 #30) id m0rvPK5-000BzkC; Sun, 2 Apr 95 14:04 BST
Received: by chiark
id m0rvENy-0000YTZ
(Debian /\oo/\ Smail3.1.29.1 #29.27); Sun, 2 Apr 95 02:23 BST
Message-Id: <m0rvENy-0000YTZ.ijackson@nyx.cs.du.edu>
Date: Sun, 2 Apr 95 02:23 BST
From: iwj10@cus.cam.ac.uk (Ian Jackson)
To: Debian bugs submission address <debian-bugs@pixar.com>
Subject: syslogd is insecure and is started too late
Package: syslogd
Version: 1.2-9
From the syslogd manpage:
SECURITY THREATS
There is the potential for the syslogd daemon to be used
as a conduit for a denial of service attack. Thanks go to
John Morrison (jmorriso@rflab.ee.ubc.ca) for alerting me
to this potential. A rogue program(mer) could very easily
flood the syslogd daemon with syslog messages resulting in
the log files consuming all the remaining space on the
filesystem. Activating logging over the inet domain sockets
will of course expose a system to risks outside of
programs or individuals on the local machine.
Version 1.2 of the utility set will address this problem.
In the meantime there are a number of methods of protecting
a machine:
It then goes on to list a number of unhelpful `solutions'.
I see (from netstat) that Debian 0.93R5's syslogd has network logging
service enabled. I want to disable it, but I don't seem to be able
to.
If it is not possible to disable (or restrict to particular hosts)
this rather dangerous feature then the binaries shipped with Debian
should not have it compiled in.
If nothing gets done about this soon I suppose I could come up with a
little Perl script that binds to the UDP socket first so as to prevent
syslogd from getting it.
On another note, syslogd still uses /etc/rc.misc. This means it gets
started at number `20' in the ordering, which is too late to catch the
messages from several of the other daemons around that time. I have
reconfigured it to use 16 on my own system.
Ian.
Message sent:
From: iwj10@thor.cam.ac.uk (Ian Jackson)
To: iwj10@cus.cam.ac.uk (Ian Jackson)
Subject: Bug#703 acknowledged by developer (was: syslogd is insecure and is started too late)
References: <m0sP1B2-0001chC@debian.org> <m0rvENy-0000YTZ.ijackson@nyx.cs.du.edu>
In-Reply-To: <m0rvENy-0000YTZ.ijackson@nyx.cs.du.edu>
This is an automatic notification regarding your bug report.
Responsibility for it has been taken by one of the developers, namely
imurdock@debian.org (Ian Murdock).
You should be hearing from them with a substantive response shortly, if
you have not already done so. If not, please contact them directly,
or email debian-bugs@pixar.com or myself.
Ian Jackson
(maintainer, debian-bugs)
Ian Jackson /
iwj10@thor.cam.ac.uk,
with the debian-bugs tracking mechanism