fyrebox3n.gumbynet.org

• Next message: David A. Wagner: "Re: Sys(k)logd running as non-root"
• Previous message: Solar Designer: "Re: chroot vs namespaces (Was: Sys(k)logd running as non-root)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Theo de Raadt's view on the syslog timestamp situation. I replied and
agreed that timestamps from the network can't be easily checked, but
timestamps on messages from the local machine recieved should be checked.

Tim

---------- Forwarded message ----------
Date: Thu, 21 Sep 2000 11:30:59 -0600
From: Theo de Raadt <deraadtcvs.openbsd.org>
To: Tim Robbins <fyrebox3n.gumbynet.org>
Cc: Theo de Raadt <deraadtopenbsd.org>, millertcvs.openbsd.org
Subject: Re: syslogd allows arbitrary timestamps

I think this would break far too much stuff. Timezone settings even
on a local net could vary far more than that, and there is no reason
really to fail in those cases.

The only thing, and I have not checked it, is... does it let any bad
chars through in that block.

> I'm not really sure whether this is a feature or a bug, but this code from
> syslogd.c allows timestamps such as 'ABC DE:FG:HI ' through and into the
> system logs:
>
> /*
> * Check to see if msg looks non-standard.
> */
> msglen = strlen(msg);
> if (msglen < 16 || msg[3] != ' ' || msg[6] != ' ' ||
> msg[9] != ':' || msg[12] != ':' || msg[15] != ' ')
> flags |= ADDDATE;
>
> My suggestion is to verify the timestamp that is supplied in the message
> matches the system time, perhaps allowing a few minutes difference if the
> machine is recieved from the network.
>
> Cheers,
> Tim
>

• Next message: David A. Wagner: "Re: Sys(k)logd running as non-root"
• Previous message: Solar Designer: "Re: chroot vs namespaces (Was: Sys(k)logd running as non-root)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]