syslogd(8) Dropping Privs
Darren Reed
avalon at caligula.anu.edu.au
Sat Jun 5 01:19:41 PDT 2004
In some mail from Colin Percival, sie said:
> At 20:53 04/06/2004, Crist J. Clark wrote:
> >We haven't had many syslogd(8) vulnerabilities lately, but one
> >less daemon running as root seems like a Good Thing. I do not
> >see any drawbacks from a security point of view. The log files
> >would have to be owned, or otherwise writeable, by this other
> >user, but so what. Obviously, I may be missing something.
>
> One consideration is that if syslogd is not running as root,
> it will no longer be able to write to a filesystem which is
> already "full".
> On systems where non-root users can write to the filesystem
> containing /var/log (and are not limited by quotas) this would
> allow non-root users to disable logging, which would probably
> be a Bad Thing.
One way or another, you can generally exploit a DoS attack against
syslogd with disk space.
Well at least with current sources, anyway.
Lets pretend that /var/log is its own filesystem, isolated from
a full /var/tmp.
The attack is then to just spam syslogd with lots of data such
that it fills /var/log. Granted this is harder but not impossible.
How do you defend against that? Add code to rate limit messages
from a given source to a max of x kb/s ?
As an "out there" suggestion, you might increase the % for root
only to be greater than 10% on a /var/log so you can always run
newsyslog successfully.
Darren
More information about the freebsd-security
mailing list