Re: PING: Igor S. , regarding Kerberos v4. - BSD



Thread: Re: PING: Igor S. , regarding Kerberos v4.

  1. Re: PING: Igor S. , regarding Kerberos v4.

    Marco S Hyman wrote:

    >A grep of /etc/services or running fstat | grep 514 shows that this
    >is for and in use by syslogd. Reading the man page for syslogd gives
    >you the necessary information to check if this is a problem or not.
    >It says:


    >syslogd opens an Internet domain socket as specified in /etc/services.
    >Normally syslogd will only use this socket to send messages outwards, but
    >in ``insecure'' mode it will also read messages from this socket.
    >syslogd also opens and reads messages from the UNIX domain socket
    >/dev/log, and from the special device /dev/klog (to read kernel
    >messages).


    >It also says that to be ``insecure'' syslogd has to be started with
    >the -u option. A ps or a grep of "syslogd" in /etc/rc* will
    >show that this is not the case (unless you changed your rc.conf or
    >rc.conf.local files).


    >Next you're going to tell me that sending syslog messages outwards
    >is obsolete. Perhaps on the public internet, but it is still used
    >quite often on private nets where there is an otherwise protected
    >log server that is started in ``insecure'' mode.


    >// marc

    Hmm, interesting.


    I knew that this port was affiliated with syslog, but I
    was under the impression that its presence was vestigial.


    If a user does not wish to use this port, why can't a
    parameter or switch be added to disable the feature?



    Regards, An Odd User.


  2. syslogd socket (was Re: PING: Igor S. , regarding Kerberos v4.)

    Anonyma writes:

    > I knew that this port was affiliated with syslog, but I
    > was under the impression that its presence was vestigial.


    Nope.

    > If a user does not wish to use this port, why can't a
    > parameter or switch be added to disable the feature?


    syslogd is controlled by /etc/syslog.conf. syslog.conf can be
    updated on the fly, so to speak. That is part of its design.
    An update may specify a remote host as the destination for some
    class of message. To send a message to a remote host requires
    a socket and convention requires syslog to use a privileged port.

    syslogd is also "privilege separated" for security. Most of
    the code is running as user _syslogd. User _syslogd does not
    have the permissions necessary to bind a socket to a privileged
    port. The socket is created and bound at startup, before
    privileges are dropped. This allows the non-privileged code
    to use the bound socket with a sendto(2) system call. As
    long as -u is not specified on the command line the socket is
    "closed" in the incoming direction using a shutdown(2) system
    call shortly after being bound to its source address.

    To "disable" the feature of creating the socket would require
    the removal of features needed by users or making the program
    more INSECURE by removing privilege separation so the socket
    could be created on demand. Less secure for no good reason.

    // marc
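
The sequence described in the post above (bind at startup, shutdown(2) on the incoming direction, then sendto(2) through the already-bound socket), as an added C example that is not part of the original thread and is not syslogd's source. Assumptions: it binds loopback with a kernel-chosen port instead of the privileged syslog port so it runs without root, uses a second local socket as a stand-in log host, and only marks in a comment where the privilege drop would happen.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Bind a UDP socket on loopback; port 0 = kernel-chosen (assumption, avoids needing root). */
static int bound_udp(struct sockaddr_in *sa)
{
    socklen_t len = sizeof(*sa);
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    memset(sa, 0, sizeof(*sa));
    sa->sin_family = AF_INET;
    sa->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (fd >= 0 && bind(fd, (struct sockaddr *)sa, len) == 0 &&
        getsockname(fd, (struct sockaddr *)sa, &len) == 0)
        return fd;              /* *sa now holds the address actually bound */
    if (fd >= 0) close(fd);
    return -1;
}

/* Returns 1 if a datagram sent through the read-shut socket reaches the
 * collector carrying the pre-bound source port, 0 otherwise. */
int send_only_socket_demo(void)
{
    static const char msg[] = "<13>constructed test message";
    struct sockaddr_in src, dst, from;
    socklen_t fromlen = sizeof(from);
    struct timeval tmo = { 2, 0 };      /* do not block forever if delivery fails */
    char buf[128];
    ssize_t n = -1;
    int out = bound_udp(&src), collector = bound_udp(&dst); /* collector: stand-in log host */

    /* Startup, while still privileged: close the incoming direction. Linux returns
     * ENOTCONN here for an unconnected datagram socket; that is not treated as fatal. */
    if (out >= 0 && collector >= 0 &&
        (shutdown(out, SHUT_RD) == 0 || errno == ENOTCONN)) {
        setsockopt(collector, SOL_SOCKET, SO_RCVTIMEO, &tmo, sizeof(tmo));
        /* A privilege-separated daemon would drop to its unprivileged user here. */
        if (sendto(out, msg, sizeof(msg) - 1, 0, (struct sockaddr *)&dst, sizeof(dst)) >= 0)
            n = recvfrom(collector, buf, sizeof(buf), 0, (struct sockaddr *)&from, &fromlen);
    }
    if (out >= 0) close(out);
    if (collector >= 0) close(collector);
    return n == (ssize_t)(sizeof(msg) - 1) && from.sin_port == src.sin_port;
}

int main(void) { return send_only_socket_demo() == 1 ? 0 : 1; }
```

What a kernel does with datagrams that arrive on the socket after shutdown(2) differs between systems, so the example checks only the outgoing path.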
