Re: syslog/udp
Julian Assange (proff@suburbia.apana.org.au)
Thu, 24 Feb 1994 15:32:46 +1100 (EST)
- Next message: Scott Chasin: "Re: Security problem in C news and INN"
- Previous message: Perry E. Metzger: "Re: Security problem in C news and INN"
- In reply to: Tim Newsham : "Re: syslog/udp"
- Next in thread: Jim Wright: "daemon()"
>
> >
> > The problem is that syslogd will accept any message from anywhere
> > on the net. If you have to accept messages from your local net,
> > this fix is not useful -- if you're only logging things on your
> > local machine (i.e. all programs logging are using syslog(3)),
> > then you can disable logging over UDP.
>
> Even worse it's only UDP packets, *very very* easy to forge
> so that you can't even trust the IP address in them.
>
> > > How can we, who are without source code, change this behavior?
> >
> > You can get the Berkeley syslogd code, which is in all likelihood
> > compatible with your current syslogd.
>
> I'm afraid this is not the case. To compile BSD's syslogd
> code you will have to collect syslogd and rwalld sources and
> will have to find (or rewrite your own) the daemon() call (I
> assume this takes you off the tty and forks and has the parent
> return). Sun's syslogd has at least one feature that the BSD
> version does not. It doesn't open the syslog.conf for reading
> directly but rather pipes it through the 'm4' macro processor
> with the LOGHOST variable set if loghost's address is the same
> as one of the machine's net interfaces. This allows you to use
> the same syslog.conf file on loghost and non-loghost machines.
> With BSD's syslog you would have to remove the if() lines in
> the syslog.conf and make two separate files.
>
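My version of daemon():

#include <unistd.h>    /* close(), fork(), setsid(), _exit() */

/* For a libc that has no daemon() of its own. */
void daemon()
{
    close(0);                /* drop stdin, stdout and stderr */
    close(1);
    close(2);
    if (fork()) _exit(0);    /* parent returns; the child carries on */
    setsid();                /* after fork(): setsid() fails in a process-group leader */
}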
- Julian.
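
A more defensive form of the detach sequence from the message above, as an added example that is not part of the original post: it checks each call, forks before setsid(), and points descriptors 0-2 at /dev/null instead of leaving them closed, so a later open() or socket() in the daemon cannot land on a standard descriptor. The name daemonize(), the umask value and the chdir("/") step are assumptions of this example; the name is chosen so it does not clash with a libc daemon().

```c
/* Added example; daemonize() is a hypothetical name, not from the post. */
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Detach from the controlling tty and run in the background.
 * Returns 0 in the detached child, -1 on error.
 * The original parent exits inside this function. */
int daemonize(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;              /* fork failed: caller decides what to do */
    if (pid > 0)
        _exit(0);               /* parent returns control to the shell */

    /* The child is never a process-group leader, so setsid() can succeed
     * and the new session has no controlling terminal. */
    if (setsid() < 0)
        return -1;

    if (chdir("/") < 0)         /* do not pin the directory we started in */
        return -1;
    umask(022);                 /* predictable mode for files created later */

    /* Keep 0-2 occupied: if they were merely closed, the next open() or
     * socket() would reuse them and stray stdio writes would go there. */
    int fd = open("/dev/null", O_RDWR);
    if (fd < 0)
        return -1;
    for (int i = 0; i <= 2; i++)
        if (dup2(fd, i) < 0)
            return -1;
    if (fd > 2)
        close(fd);
    return 0;
}

int main(void)
{
    if (daemonize() != 0)
        return 1;
    sleep(30);                  /* stand-in for the daemon's real work loop */
    return 0;
}
```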