

Debian bug report logs - #703
syslogd is insecure and is started too late

Package: syslogd ; Reported by: iwj10@cus.cam.ac.uk (Ian Jackson); Done: imurdock@debian.org (Ian Murdock).
-----------------------------------------------------------------------

Message received at debian-bugs-done:


From debian.org!imurdock Thu Jun 22 22:19:22 1995
Return-Path: <imurdock@debian.org>
Received: from pixar.com by mongo.pixar.com with smtp
        (Smail3.1.28.1 #15) id m0sP19G-0006CNC; Thu, 22 Jun 95 22:19 PDT
Received: from debian.org (debra.debian.org) by pixar.com with SMTP id AA12277
  (5.67b/IDA-1.5 for debian-bugs-done-pipe@mongo.pixar.com); Thu, 22 Jun 1995 22:17:52 -0700
Received: by debian.org
        id m0sP1B2-0001chC
        (Debian /\oo/\ Smail3.1.29.1 #29.32); Fri, 23 Jun 95 00:21 EST
Message-Id: <m0sP1B2-0001chC@debian.org>
Date: Fri, 23 Jun 95 00:21 EST
From: imurdock@debian.org (Ian Murdock)
To: debian-bugs-done@pixar.com
Subject: Bug#703:

This bug was fixed in a recent upload of the package.  Please
check ftp.debian.org:/pub/debian/binary for the fixed version.
-----------------------------------------------------------------------
Notification sent to iwj10@cus.cam.ac.uk (Ian Jackson) :
Bug acknowledged by developer. Full text available.
-----------------------------------------------------------------------
Reply sent to imurdock@debian.org (Ian Murdock) :
You have taken responsibility. Full text available.
-----------------------------------------------------------------------

Message received at debian-bugs:


From cus.cam.ac.uk!iwj10 Fri Jun  2 02:27:45 1995
Return-Path: <iwj10@cus.cam.ac.uk>
Received: from pixar.com by mongo.pixar.com with smtp
        (Smail3.1.28.1 #15) id m0sHT16-0007mTC; Fri, 2 Jun 95 02:27 PDT
Received: from bootes.cus.cam.ac.uk by pixar.com with SMTP id AA09234
  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Fri, 2 Jun 1995 02:26:10 -0700
Received: by bootes.cus.cam.ac.uk 
        (Smail-3.1.29.0 #36) id m0sHT0V-000C0AC; Fri, 2 Jun 95 10:27 BST
Received: by chiark
        id <m0sHL9j-0000XBZ@chiark.al.cl.cam.ac.uk>
        (Debian /\oo/\ Smail3.1.29.1 #29.31); Fri, 2 Jun 95 02:04 BST
Message-Id: <m0sHL9j-0000XBZ@chiark.al.cl.cam.ac.uk>
Date: Fri, 2 Jun 95 02:04 BST
From: iwj10@cus.cam.ac.uk (Ian Jackson)
To: imurdock@debian.org (Ian Murdock), debian-bugs@pixar.com
Subject: Re: Bug#703: syslogd is insecure and is started too late

Ian Murdock writes ("Bug#703: syslogd is insecure and is started too late"):
>    Date: Sun, 2 Apr 95 02:23 BST
>    From: iwj10@cus.cam.ac.uk (Ian Jackson)
> 
>    If it is not possible to disable (or restrict to particular hosts)
>    this rather dangerous feature then the binaries shipped with Debian
>    should not have it compiled in.
> 
> It appears to be possible to disable this by adding a comment before
> the following in /etc/services:
> 
> syslog                514/udp
> 
> Should this be commented by default, then?

How interesting.  This seems to me to be rather an odd way of fixing
this problem :-).

I don't know whether it should be disabled by default (though I'm
inclined to say that it should), but either way comments in the
/etc/services file and in the syslogd manpage about this would be a
good thing.

Ian.
-----------------------------------------------------------------------
Acknowledgement sent to iwj10@cus.cam.ac.uk (Ian Jackson) :
Extra info received and forwarded. Full text available.
-----------------------------------------------------------------------
Information forwarded to debian-devel@pixar.com :
Bug#703 ; Package syslogd . Full text available.
-----------------------------------------------------------------------

Message received at debian-bugs:


From debian.org!imurdock Thu Jun  1 08:46:23 1995
Return-Path: <imurdock@debian.org>
Received: from pixar.com by mongo.pixar.com with smtp
        (Smail3.1.28.1 #15) id m0sHCRy-0005z9C; Thu, 1 Jun 95 08:46 PDT
Received: from debra.debian.org by pixar.com with SMTP id AA26560
  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Thu, 1 Jun 1995 08:44:51 -0700
Received: by debra.debian.org
        id m0sHCRW-00001xC
        (Debian /\oo/\ Smail3.1.29.1 #29.31); Thu, 1 Jun 95 10:45 EST
Message-Id: <m0sHCRW-00001xC@debra.debian.org>
Date: Thu, 1 Jun 95 10:45 EST
From: imurdock@debian.org (Ian Murdock)
To: debian-bugs@Pixar.com
In-Reply-To: <m0rvENy-0000YTZ.ijackson@nyx.cs.du.edu> (iwj10@cus.cam.ac.uk)
Subject: Re: Bug#703: syslogd is insecure and is started too late

   Date: Sun, 2 Apr 95 02:23 BST
   From: iwj10@cus.cam.ac.uk (Ian Jackson)

   If it is not possible to disable (or restrict to particular hosts)
   this rather dangerous feature then the binaries shipped with Debian
   should not have it compiled in.

It appears to be possible to disable this by adding a comment before
the following in /etc/services:

syslog          514/udp

Should this be commented by default, then?
-----------------------------------------------------------------------
Acknowledgement sent to imurdock@debian.org (Ian Murdock) :
Extra info received and forwarded. Full text available.
-----------------------------------------------------------------------
Information forwarded to debian-devel@pixar.com :
Bug#703 ; Package syslogd . Full text available.
-----------------------------------------------------------------------
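
The check below is an added example, not part of the bug log or the syslogd package: it tests the two conditions discussed in this thread, whether /etc/services still carries an uncommented syslog 514/udp entry and whether a socket is bound to UDP port 514 (what netstat showed the reporter). The sample file contents are constructed, the function names are hypothetical, and the socket table is assumed to be in Linux /proc/net/udp format (IPv4 only).

```python
# Constructed sample inputs (not taken from a real system).
SERVICES_SHIPPED = "shell\t\t514/tcp\t\tcmd\nsyslog\t\t514/udp\n"
SERVICES_COMMENTED = "shell\t\t514/tcp\t\tcmd\n#syslog\t\t514/udp\n"
_HDR = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
_ROW = "   0: 00000000:%s 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1201\n"
PROC_UDP_OPEN = _HDR + _ROW % "0202"    # 0x0202 == 514
PROC_UDP_CLOSED = _HDR + _ROW % "006F"  # 0x006F == 111, unrelated service


def active_service_entries(services_text, name="syslog", proto="udp"):
    """Return (line_no, port) for each uncommented name/proto entry."""
    hits = []
    for no, line in enumerate(services_text.splitlines(), 1):
        body = line.split("#", 1)[0].split()      # strip comment, tokenize
        if len(body) < 2 or "/" not in body[1]:
            continue
        port, _, p = body[1].partition("/")
        names = [body[0]] + body[2:]              # official name plus aliases
        if name in names and p.lower() == proto and port.isdigit():
            hits.append((no, int(port)))
    return hits


def udp_listeners(proc_net_udp_text, port=514):
    """Return IPv4 local addresses bound to `port` in /proc/net/udp text."""
    found = []
    for line in proc_net_udp_text.splitlines()[1:]:   # skip header row
        fields = line.split()
        if len(fields) < 2 or ":" not in fields[1]:
            continue
        addr_hex, port_hex = fields[1].rsplit(":", 1)
        if int(port_hex, 16) != port:
            continue
        # The kernel prints the IPv4 address as little-endian hex.
        octets = [str(int(addr_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
        found.append(".".join(octets))
    return found


def audit(services_text, proc_net_udp_text):
    """Combine both checks; 'exposed' means bound on a non-loopback address."""
    listeners = udp_listeners(proc_net_udp_text)
    return {
        "services_entry_active": bool(active_service_entries(services_text)),
        "listening_on": listeners,
        "exposed": any(not a.startswith("127.") for a in listeners),
    }


if __name__ == "__main__":
    print(audit(SERVICES_SHIPPED, PROC_UDP_OPEN))
    print(audit(SERVICES_COMMENTED, PROC_UDP_CLOSED))
```

If `listening_on` is non-empty while `services_entry_active` is false, the daemon was probably started before the file was edited, or another process holds the port.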

Message received at debian-bugs:


From cus.cam.ac.uk!iwj10 Sun Apr  2 06:04:30 1995
Return-Path: <iwj10@cus.cam.ac.uk>
Received: from pixar.com by mongo.pixar.com with smtp
        (Smail3.1.28.1 #15) id m0rvPKP-0002TeC; Sun, 2 Apr 95 06:04 PDT
Received: from bootes.cus.cam.ac.uk by pixar.com with SMTP id AA01606
  (5.65c/IDA-1.4.4 for <debian-bugs@pixar.com>); Sun, 2 Apr 1995 06:04:14 -0700
Received: by bootes.cus.cam.ac.uk 
        (Smail-3.1.29.0 #30) id m0rvPK5-000BzkC; Sun, 2 Apr 95 14:04 BST
Received: by chiark
        id m0rvENy-0000YTZ
        (Debian /\oo/\ Smail3.1.29.1 #29.27); Sun, 2 Apr 95 02:23 BST
Message-Id: <m0rvENy-0000YTZ.ijackson@nyx.cs.du.edu>
Date: Sun, 2 Apr 95 02:23 BST
From: iwj10@cus.cam.ac.uk (Ian Jackson)
To: Debian bugs submission address <debian-bugs@pixar.com>
Subject: syslogd is insecure and is started too late

Package: syslogd
Version: 1.2-9

From the syslogd manpage:
 SECURITY THREATS
       There is the potential for the syslogd daemon to be  used
       as a conduit for a denial of service attack.  Thanks go to
       John Morrison (jmorriso@rflab.ee.ubc.ca) for  alerting  me
       to this potential.  A rogue program(mer) could very easily
       flood the syslogd daemon with syslog messages resulting in
       the  log files   consuming  all the remaining space on the
       filesystem.  Activating logging over the inet domain sock-
       ets  will  of  course  expose a system to risks outside of
       programs or individuals on the local machine.

       Version 1.2 of the utility set will address this problem.
       In  the meantime there are a number of methods of protect-
       ing a machine:

It then goes on to list a number of unhelpful `solutions'.

I see (from netstat) that Debian 0.93R5's syslogd has network logging
service enabled.  I want to disable it, but I don't seem to be able
to.

If it is not possible to disable (or restrict to particular hosts)
this rather dangerous feature then the binaries shipped with Debian
should not have it compiled in.

If nothing gets done about this soon I suppose I could come up with a
little Perl script that binds to the UDP socket first so as to prevent
syslogd from getting it.


On another note, syslogd still uses /etc/rc.misc.  This means it gets
started at number `20' in the ordering, which is too late to catch the
messages from several of the other daemons around that time.  I have
reconfigured it to use 16 on my own system.

Ian.
-----------------------------------------------------------------------
Acknowledgement sent to iwj10@cus.cam.ac.uk (Ian Jackson) :
New bug report received and forwarded. Full text available.
-----------------------------------------------------------------------
Report forwarded to debian-devel@pixar.com :
Bug#703 ; Package syslogd . Full text available.
-----------------------------------------------------------------------
Ian Jackson / iwj10@thor.cam.ac.uk , with the debian-bugs tracking mechanism
This page last modified 05:43:02 GMT Fri 23 Jun