syslogd(8) Dropping Privs
Crist J. Clark
cristjc at comcast.net
Mon Jun 7 20:27:50 GMT 2004
On Sat, Jun 05, 2004 at 06:21:29PM +1000, Darren Reed wrote:
> ...and this works in the case of SIGHUP too ?
>
> i.e. re-read syslogd.conf and can open new files r/w root only ?
Syslogd(8) does NOT run as root by the time log files are openned
at startup or a reconfig (SIGHUP). As I stated in the original
message, the log files will have to be writable by the user. Same
goes for writting messages to users via their ttys. Although having
things set up otherwise is probably rare, make sure that the user
can read the configuration file.
What do we do while still root? Open the UNIX domain log sockets
(/var/run/log and any others specified) and open the network socket
(514/udp by default or whatever specified). The PID file is also
written while still root.
I'm thinking of writing a "conversion" script to make the required
changes.
--
Crist J. Clark | cjclark at alum.mit.edu
| cjclark at jhu.edu
http://people.freebsd.org/~cjc/ | cjc at freebsd.org
More information about the freebsd-security
mailing list