NEVERMIND!
    Ronald F. Guilmette 
    rfg at tristatelogic.com
       
    Mon May 26 20:01:56 UTC 2014
    
    
  
In message <86r43gr5nb.fsf at nine.des.no>,
Dag-Erling Smørgrav <des at des.no> wrote:
>"Ronald F. Guilmette" <rfg at tristatelogic.com> writes:
>> I forgot that newsyslog(8) should limit the size of /var/log/messages, and
>> that as long as you limit the size of that to a reasonable value, and as
>> long as you have newsyslog(8) only keeping a finite & reasonable number
>> of "rotated out" copies, then /var won't fill up.
>
>It can still happen, since newsyslog only runs once per hour.  If /var
>fills up between two newsyslog runs...

Yes.  Good point.

So should I file a PR on this, or what?

My first thought is that perhaps what's needed is per-account logging
quotas, so that logging could be limited... on a per account basis...
much as the usage of memory and other finite resources is.  However
it occurs to me that perhaps the scenario I mentioned is only one of
a number of plausible scenarios that might result in total exhaustion
of /var between hourly newsyslog runs.

For example, I can easily envision remotely filling up your /var simply
by sending you, in rapid succession, a sufficient quantity of malformed
http requests, or perhaps even just an endless set of minimalist HELO/QUIT
sequences to your mail server.

Of course, none of these kinds of attacks will really be all that harmful
to any well-attended machines that are being properly monitored by even
minimally competent system administrators.  But given that more and more
machines these days run as "appliances" for long periods with no monitoring
whatsoever, attacks which exhaust /var, or which attempt to do so, might
actually be an issue worthy of attention.
    
    
More information about the freebsd-security
mailing list
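
The point made in the thread, that the newsyslog size field is a rotation trigger checked once per hour rather than a cap, can be turned into a small audit. This is an added example, not part of the original message or of FreeBSD: it assumes the field layout documented in newsyslog.conf(5), and the sample entries and the 5000 kB/hour log rate are constructed. The bound ignores compression of archived files.

```shell
#!/bin/sh
# Constructed sample in newsyslog.conf(5) layout:
#   logfile [owner:group] mode count size(kB) when flags
SAMPLE_CONF='# constructed entries, not taken from a real system
/var/log/messages                    644 5 100  *    JC
/var/log/maillog                     640 7 *    @T00 JC
/var/log/httpd-access.log  www:www   644 3 1000 *    J'

# audit_newsyslog RATE_KB_PER_HOUR   (reads the configuration on stdin)
# nominal_kb: what the size and count fields suggest, (count + 1) * size.
# worst_kb:   newsyslog only checks hourly, so a file can overshoot its
#             trigger by one hour of growth before it is rotated, and the
#             oversized file is then kept as an archive: (count + 1) * (size + rate).
audit_newsyslog() {
    awk -v rate="$1" '
    /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
    $1 == "<include>" { next }           # include directives are not log entries
    {
        i = 2
        if ($i ~ /:/) i++                # optional owner:group field
        count = $(i + 1) + 0
        size  = $(i + 2)
        if (size == "*") {               # rotated on time only, no size trigger
            printf "%s no-size-trigger\n", $1
            next
        }
        nominal = (count + 1) * size
        worst   = (count + 1) * (size + rate)
        total  += worst
        printf "%s nominal_kb=%d worst_kb=%d\n", $1, nominal, worst
    }
    END { printf "TOTAL worst_kb=%d\n", total }'
}

# Demo run on the constructed sample with an assumed 5000 kB/hour of log traffic.
printf '%s\n' "$SAMPLE_CONF" | audit_newsyslog 5000
```

Comparing the TOTAL line with the free space on /var shows whether the configured limits hold at the assumed rate; entries reported as no-size-trigger are not bounded by size at all.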