* [9fans] log oversight
@ 2009-03-16 1:49 Jeff Sickel
2009-03-16 2:35 ` balaji
2009-03-16 4:23 ` Nathaniel W Filardo
0 siblings, 2 replies; 11+ messages in thread
From: Jeff Sickel @ 2009-03-16 1:49 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
I've just built out a new Plan 9 cpu/auth server and noticed that
others are able to write to the logs. Is this intentional or just an
oversight?
cpu% ls -l /sys/log
a-rw-rw-rw- M 2936 sys sys 0 Aug 3 2007 /sys/log/6in4
a-rw-rw-rw- M 2936 sys sys 0 Apr 26 2002 /sys/log/aan
a-rw-rw-rw- M 2936 sys sys 9644 Mar 15 19:45 /sys/log/auth
a-rw-rw-r-- M 2936 bootes bootes 219734 Mar 15 20:30 /sys/log/cron
a-rw-rw-rw- M 2936 sys sys 0 May 21 2000 /sys/log/cs
a-rw-rw-rw- M 2936 sys sys 1273328 Mar 15 20:37 /sys/log/dns
a-rw-rw-rw- M 2936 sys sys 0 Sep 12 2007 /sys/log/fossil
a-rw-rw-rw- M 2936 sys sys 1145 Mar 7 14:55 /sys/log/ftp
d-rwxrwxr-x M 2936 sys sys 0 Feb 28 13:32 /sys/log/httpd
a-rw-rw-rw- M 2936 sys sys 0 May 21 2000 /sys/log/imap4d
a-rw-rw-rw- M 2936 sys sys 0 May 21 2000 /sys/log/ipboot
a-rw-rw-rw- M 2936 sys sys 0 Jul 31 2007 /sys/log/ipconfig
a-rw-rw-rw- M 2936 sys sys 29713 Mar 13 01:46 /sys/log/listen
a-rw-rw-rw- M 2936 sys sys 914 Sep 12 2007 /sys/log/mail
a-rw-rw-rw- M 2936 sys sys 0 May 21 2000 /sys/log/nfs
a-rw-rw-rw- M 2936 sys sys 0 May 21 2000 /sys/log/nfsserver
a-rw-rw-rw- M 2936 sys sys 0 May 21 2000 /sys/log/pop3
a-rw-rw-rw- M 2936 sys sys 0 May 21 2000 /sys/log/portmapper
a-rw-rw-rw- M 2936 sys sys 0 May 21 2000 /sys/log/ppp
a-rw-rw-rw- M 2936 sys sys 0 May 21 2000 /sys/log/pptpd
a-rw-rw-rw- M 2936 sys sys 182 Mar 24 2004 /sys/log/runq
a-rw-rw-rw- M 2936 sys sys 0 Jan 5 2005 /sys/log/secstore
a-rw-rw-rw- M 2936 sys sys 69 Mar 24 2004 /sys/log/smtp
a-rw-rw-rw- M 2936 sys sys 0 May 21 2000 /sys/log/smtp.fail
a-rw-rw-rw- M 2936 sys sys 1032 Mar 13 06:56 /sys/log/smtpd
a-rw-rw-rw- M 2936 sys sys 0 Oct 29 2004 /sys/log/smtpd.mx
a-rw-rw-rw- M 2936 sys sys 4965 Mar 14 10:24 /sys/log/ssh
a-rw-rw-rw- M 2936 sys sys 0 May 21 2000 /sys/log/telnet
a-rw-rw-rw- M 2936 sys sys 1764 Mar 8 12:57 /sys/log/timesync
d-rwxrwxr-x M 2936 sys sys 0 Feb 28 13:32 /sys/log/timesync.d
a-rw-rw-rw- M 2936 sys sys 0 Jul 31 2007 /sys/log/v6routeradv
* Re: [9fans] log oversight
From: balaji @ 2009-03-16 2:35 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
intentional. if you do a ls -ltm, you will see [none] would have
updated smtp*, runq etc...
upas/*, others run as none, and well...
is it a shortcoming compared to unix world? these logs
are not sacrosanct.
On Sun, Mar 15, 2009 at 6:49 PM, Jeff Sickel <jas@corpus-callosum.com> wrote:
> I've just built out a new Plan 9 cpu/auth server and noticed that others are
> able to write to the logs. Is this intentional or just an oversight?
>
>
> cpu% ls -l /sys/log
> a-rw-rw-rw- M 2936 sys sys 0 Aug 3 2007 /sys/log/6in4
> a-rw-rw-rw- M 2936 sys sys 0 Apr 26 2002 /sys/log/aan
> a-rw-rw-rw- M 2936 sys sys 9644 Mar 15 19:45 /sys/log/auth
> a-rw-rw-r-- M 2936 bootes bootes 219734 Mar 15 20:30 /sys/log/cron
> a-rw-rw-rw- M 2936 sys sys 0 May 21 2000 /sys/log/cs
> a-rw-rw-rw- M 2936 sys sys 1273328 Mar 15 20:37 /sys/log/dns
> a-rw-rw-rw- M 2936 sys sys 0 Sep 12 2007 /sys/log/fossil
> a-rw-rw-rw- M 2936 sys sys 1145 Mar 7 14:55 /sys/log/ftp
> d-rwxrwxr-x M 2936 sys sys 0 Feb 28 13:32 /sys/log/httpd
> a-rw-rw-rw- M 2936 sys sys 0 May 21 2000 /sys/log/imap4d
> a-rw-rw-rw- M 2936 sys sys 0 May 21 2000 /sys/log/ipboot
> a-rw-rw-rw- M 2936 sys sys 0 Jul 31 2007 /sys/log/ipconfig
> a-rw-rw-rw- M 2936 sys sys 29713 Mar 13 01:46 /sys/log/listen
> a-rw-rw-rw- M 2936 sys sys 914 Sep 12 2007 /sys/log/mail
> a-rw-rw-rw- M 2936 sys sys 0 May 21 2000 /sys/log/nfs
> a-rw-rw-rw- M 2936 sys sys 0 May 21 2000 /sys/log/nfsserver
> a-rw-rw-rw- M 2936 sys sys 0 May 21 2000 /sys/log/pop3
> a-rw-rw-rw- M 2936 sys sys 0 May 21 2000 /sys/log/portmapper
> a-rw-rw-rw- M 2936 sys sys 0 May 21 2000 /sys/log/ppp
> a-rw-rw-rw- M 2936 sys sys 0 May 21 2000 /sys/log/pptpd
> a-rw-rw-rw- M 2936 sys sys 182 Mar 24 2004 /sys/log/runq
> a-rw-rw-rw- M 2936 sys sys 0 Jan 5 2005 /sys/log/secstore
> a-rw-rw-rw- M 2936 sys sys 69 Mar 24 2004 /sys/log/smtp
> a-rw-rw-rw- M 2936 sys sys 0 May 21 2000 /sys/log/smtp.fail
> a-rw-rw-rw- M 2936 sys sys 1032 Mar 13 06:56 /sys/log/smtpd
> a-rw-rw-rw- M 2936 sys sys 0 Oct 29 2004 /sys/log/smtpd.mx
> a-rw-rw-rw- M 2936 sys sys 4965 Mar 14 10:24 /sys/log/ssh
> a-rw-rw-rw- M 2936 sys sys 0 May 21 2000 /sys/log/telnet
> a-rw-rw-rw- M 2936 sys sys 1764 Mar 8 12:57 /sys/log/timesync
> d-rwxrwxr-x M 2936 sys sys 0 Feb 28 13:32 /sys/log/timesync.d
> a-rw-rw-rw- M 2936 sys sys 0 Jul 31 2007 /sys/log/v6routeradv
>
>
>
>
* Re: [9fans] log oversight
From: erik quanstrom @ 2009-03-16 3:04 UTC (permalink / raw)
To: 9fans
> is it a shortcoming compared to unix world? these logs
> are not sacrosanct.
>
linux typically uses log daemons to do the actual logging.
unless they are encrypting all those channels, even from
untrusted agents like smtp daemons, i don't know how you
provide better security. actually plan 9 has one big advantage:
the append-only flag. the worst a rogue agent can do is
waste disk space.
the plan 9 solution isn't perfect, but a better solution would
be many times more complex.
- erik
* Re: [9fans] log oversight
From: ron minnich @ 2009-03-16 3:18 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
note that those files are append-only.
logs on unix are writeable by everyone:
[rminnich@Panzer ~]$ logger -p kern.err "JUNK"
[rminnich@Panzer ~]$ sudo tail -f /var/log/messages
Mar 16 04:15:03 Panzer rminnich: JUNK
ron
* Re: [9fans] log oversight
From: J.R. Mauro @ 2009-03-16 3:55 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
On Sun, Mar 15, 2009 at 11:18 PM, ron minnich <rminnich@gmail.com> wrote:
> note that those files are append-only.
>
> logs on unix are writeable by everyone:
> [rminnich@Panzer ~]$ logger -p kern.err "JUNK"
> [rminnich@Panzer ~]$ sudo tail -f /var/log/messages
>
> Mar 16 04:15:03 Panzer rminnich: JUNK
>
This didn't work on my linux box. I actually have:
% ls -l /var/log/messages
-rw------- 1 root root 960355 2009-03-15 23:51 /var/log/messages
>
> ron
>
>
* Re: [9fans] log oversight
From: Alex Efros @ 2009-03-16 4:31 UTC (permalink / raw)
To: 9fans
Hi!
On Sun, Mar 15, 2009 at 11:55:39PM -0400, J.R. Mauro wrote:
> > logs on unix are writeable by everyone:
> > [rminnich@Panzer ~]$ logger -p kern.err "JUNK"
> > [rminnich@Panzer ~]$ sudo tail -f /var/log/messages
> This didn't work on my linux box. I actually have:
> % ls -l /var/log/messages
> -rw------- 1 root root 960355 2009-03-15 23:51 /var/log/messages
[OT]
Actually, logger works using /dev/log:
# ls -l /dev/log
srwxrwxrwx 1 root root 0 Мар 13 18:55 /dev/log
After chmod 0700 /dev/log users will not be able to use logger anymore.
I usually have all services output logs to stdout (or fifo) and pipe them to
special logging tools like multilog or svlogd, which in turn run as user 'log'
and all these logs have permissions like:
# ls -ld /var/log/apache2/access{,/current}
drwxr-s--- 2 log root 4096 Mar 15 03:55 /var/log/apache2/access
-rw-r--r-- 1 log root 688994 Mar 16 06:11 /var/log/apache2/access/current
So, 'logs on unix' are very configurable and it's not correct to say they
are 'writeable by everyone'. There is not even such a thing as an 'out of box'
setup in unix, because it is not designed to work 'out of box' and expects some
manual configuration first. :) Also, for example, in linux there are too many
distributions with different 'out of box' configurations - the apache logs
configuration shown above is my 'out of box' configuration, installed
automatically while installing Gentoo on a new server using my portage overlay.
[/OT]
Back to the original question - I think append-only is 'good, but not enough'
for logs: adding fake records may hurt no less than mangling existing records.
Reading of logs by an unauthorized user may also be dangerous.
To solve these two issues you have to set log permissions similar to my
example above: nobody can read, and only root and the log service are able to write.
After that it becomes much less important whether these logs are append-only or not
(if one really wants to make logs append-only - use chattr +a).
--
WBR, Alex.
* Re: [9fans] log oversight
From: ron minnich @ 2009-03-16 6:30 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
On Sun, Mar 15, 2009 at 8:55 PM, J.R. Mauro <jrm8005@gmail.com> wrote:
> On Sun, Mar 15, 2009 at 11:18 PM, ron minnich <rminnich@gmail.com> wrote:
>> note that those files are append-only.
>>
>> logs on unix are writeable by everyone:
>> [rminnich@Panzer ~]$ logger -p kern.err "JUNK"
>> [rminnich@Panzer ~]$ sudo tail -f /var/log/messages
>>
>> Mar 16 04:15:03 Panzer rminnich: JUNK
>>
>
> This didn't work on my linux box. I actually have:
>
> % ls -l /var/log/messages
> -rw------- 1 root root 960355 2009-03-15 23:51 /var/log/messages
>
what didn't work? did you try the logger command?
ron
* Re: [9fans] log oversight
From: J.R. Mauro @ 2009-03-16 15:06 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
On Mon, Mar 16, 2009 at 2:30 AM, ron minnich <rminnich@gmail.com> wrote:
> On Sun, Mar 15, 2009 at 8:55 PM, J.R. Mauro <jrm8005@gmail.com> wrote:
>> On Sun, Mar 15, 2009 at 11:18 PM, ron minnich <rminnich@gmail.com> wrote:
>>> note that those files are append-only.
>>>
>>> logs on unix are writeable by everyone:
>>> [rminnich@Panzer ~]$ logger -p kern.err "JUNK"
>>> [rminnich@Panzer ~]$ sudo tail -f /var/log/messages
>>>
>>> Mar 16 04:15:03 Panzer rminnich: JUNK
>>>
>>
>> This didn't work on my linux box. I actually have:
>>
>> % ls -l /var/log/messages
>> -rw------- 1 root root 960355 2009-03-15 23:51 /var/log/messages
>>
>
>
> what didn't work? did you try the logger command?
>
Yep. Nothing happened to the logs.
> ron
>
>
* Re: [9fans] log oversight
From: Nathaniel W Filardo @ 2009-03-16 4:23 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
On Sun, Mar 15, 2009 at 08:49:50PM -0500, Jeff Sickel wrote:
> I've just built out a new Plan 9 cpu/auth server and noticed that others
> are able to write to the logs. Is this intentional or just an
> oversight?
It is intentional, AFAIK.
An alternative for the paranoid perhaps would be to make an additional fs
(in fossil) containing the log files. This fs could be set to accept only
the hostowner's credentials for attach requests. The hostowner, meanwhile,
when constructing namespaces, could bind the right file(s) into the log
directory. I haven't thought it through in more detail than that, but if I
were to engineer a replacement, that's how I'd start. HTH.
--nwf;
* Re: [9fans] log oversight
From: Jeff Sickel @ 2009-03-16 4:36 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
ah, not all are append only...
cpu% ls -lm /sys/log/httpd/clf
[jas] --rw-rw-rw- M 2936 sys sys 0 Mar 15 20:41 /sys/log/httpd/clf
As for paranoia--just more proof I need to stop mucking w/ Linux and
read more of the Plan 9 docs again.
-jas
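
The distinction drawn in this thread between append-only logs and plainly writable ones can be checked mechanically. The following is an added example, not code from any poster: a Python parser for the `ls -l` / `ls -lm` listing format quoted above that classifies each log file. The names `parse`, `classify` and `audit` and the sample lines are constructed for illustration.

```python
import re

# Constructed sample in the Plan 9 `ls -l` / `ls -lm` format quoted in the thread.
SAMPLE = """\
a-rw-rw-rw- M 2936 sys sys 9644 Mar 15 19:45 /sys/log/auth
a-rw-rw-r-- M 2936 bootes bootes 219734 Mar 15 20:30 /sys/log/cron
d-rwxrwxr-x M 2936 sys sys 0 Feb 28 13:32 /sys/log/httpd
[jas] --rw-rw-rw- M 2936 sys sys 0 Mar 15 20:41 /sys/log/httpd/clf
a-rw-rw-rw- M 2936 sys sys 0 May 21 2000 /sys/log/telnet
"""

LINE = re.compile(
    r"^(?:\[(?P<muid>[^\]]*)\]\s+)?"       # [last modifier], present with -m
    r"(?P<type>[A-Za-z-])(?P<excl>[l-])"   # d = directory, a = append-only
    r"(?P<perm>[rwx-]{9})\s+"              # owner, group, other bits
    r"\S+\s+\S+\s+"                        # server type and device
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"\S+\s+\S+\s+\S+\s+(?P<path>.+)$"     # three date fields, then the name
)

def parse(line):
    """Return the fields of one listing line as a dict, or None if it does not parse."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Label what a user outside the owner and group can do to a log file."""
    other = entry["perm"][6:]
    if other[1] != "w":
        return "restricted"   # others cannot write at all
    if entry["type"] == "a":
        return "append"       # others can add records but not alter old ones
    return "rewrite"          # others can truncate or overwrite the file

def audit(listing):
    """Map each non-directory path in the listing to its classification."""
    result = {}
    for line in listing.splitlines():
        entry = parse(line)
        if entry is None or entry["type"] == "d":
            continue          # unparsed line, or a directory
        result[entry["path"]] = classify(entry)
    return result

if __name__ == "__main__":
    for path, label in audit(SAMPLE).items():
        print(f"{label:10} {path}")
```

Files labelled "append" are still open to forged entries, the concern raised elsewhere in the thread; only "rewrite" files can lose existing records.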
* Re: [9fans] log oversight
From: erik quanstrom @ 2009-03-16 13:37 UTC (permalink / raw)
To: 9fans
> An alternative for the paranoid perhaps would be to make an additional fs
> (in fossil) containing the log files. This fs could be set to accept only
> the hostowner's credentials for attach requests. The hostowner, meanwhile,
> when constructing namespaces, could bind the right file(s) into the log
> directory. I haven't thought it through in more detail than that, but if I
> were to engineer a replacement, that's how I'd start. HTH.
this would give you exactly the same security behavior as we currently have,
but if the fd were ever closed or dup(2)'d over, syslog(2) would
stop working.
- erik