Use local time in syslog() function

Use local time in syslog() function

[Michael Kaufmann]

Hi,

I have found a bug in the implementation of syslog(). It should use  
the local time instead of UTC when sending the message to /dev/log. So  
in src/misc/syslog.c, the call to gmtime_r() should be replaced with  
localtime_r().

Regards,
Michael

Re: Use local time in syslog() function

[Rich Felker]

On Mon, Jan 14, 2019 at 10:23:03AM +0100, Michael Kaufmann wrote:
> Hi,
> 
> I have found a bug in the implementation of syslog(). It should use
> the local time instead of UTC when sending the message to /dev/log.
> So in src/misc/syslog.c, the call to gmtime_r() should be replaced
> with localtime_r().

This is not a bug; rather, use of local time there in glibc and other
systems is a bug. Local time varies by the sending process and
produces inconsistent and uninterpretable log messages. Moreover the
syslog() function is not specified to depend on the environment and
thereby is not allowed to call any function whose behavior is
dependant on the environment.

If you want local times in logs, the only consistant and conforming
way to do it is to have syslogd interpret the timestamps and rewrite
them to your preferred timezone. But that still doesn't help with the
issue of ambiguous timestamps at daylight-time transition that give
attackers neat opportunities to misrepresent sequence of events
between different systems...

Rich

Re: Use local time in syslog() function

[Michael Kaufmann]

>> I have found a bug in the implementation of syslog(). It should use
>> the local time instead of UTC when sending the message to /dev/log.
>> So in src/misc/syslog.c, the call to gmtime_r() should be replaced
>> with localtime_r().
>
> This is not a bug; rather, use of local time there in glibc and other
> systems is a bug. Local time varies by the sending process and
> produces inconsistent and uninterpretable log messages. Moreover the
> syslog() function is not specified to depend on the environment and
> thereby is not allowed to call any function whose behavior is
> dependant on the environment.

Thank you for responding!

I agree that GMT would have been a better choice, but I think local  
time is also mandated by RFC 3164,  
https://tools.ietf.org/html/rfc3164#section-4.1.2 : "The TIMESTAMP  
field is the local time". Or does this RFC not apply for syslog() on  
Linux?

There's also this older discussion:  
https://www.openwall.com/lists/musl/2014/01/28/2 - sorry, I have not  
found it before.

Regards,
Michael

Re: Use local time in syslog() function

[Rich Felker]

On Mon, Jan 14, 2019 at 08:53:45PM +0100, Michael Kaufmann wrote:
> >>I have found a bug in the implementation of syslog(). It should use
> >>the local time instead of UTC when sending the message to /dev/log.
> >>So in src/misc/syslog.c, the call to gmtime_r() should be replaced
> >>with localtime_r().
> >
> >This is not a bug; rather, use of local time there in glibc and other
> >systems is a bug. Local time varies by the sending process and
> >produces inconsistent and uninterpretable log messages. Moreover the
> >syslog() function is not specified to depend on the environment and
> >thereby is not allowed to call any function whose behavior is
> >dependant on the environment.
> 
> Thank you for responding!
> 
> I agree that GMT would have been a better choice, but I think local
> time is also mandated by RFC 3164,
> https://tools.ietf.org/html/rfc3164#section-4.1.2 : "The TIMESTAMP
> field is the local time". Or does this RFC not apply for syslog() on
> Linux?

I'm not sure. Nominally it governs the udp protocol over a network,
not the interface between local processes and syslogd over /dev/log
(unix domain socket), so in that sense the answer is no, but of course
in some sense it's the same protocol.

4.2 goes on to say:

    "It should be reiterated here that the payload of any IP packet
    destined to UDP port 514 MUST be considered to be a valid syslog
    message. It is, however, RECOMMENDED that the syslog packet have
    all of the parts described in Section 4.1..."

and:

    "If the originally formed message has a TIMESTAMP in the HEADER
    part, then it SHOULD be the local time of the device within its
    timezone."

"Local time of the device" is not defined anywhere, and in an
environment where processes on a "device" (host?) could all have
different local times, again the only reasonable choice for the device
zone seems to be UTC.

One possible interpretation would be using /etc/localtime
unconditionally (ignoring $TZ) for syslog purposes, but that would be
a lot more work and would reintroduce all of the problems of local
time log messages. It's far cleaner to simply configure the logging
process to be aware that the zone of the system sending the log
messages is UTC, if it needs to be.

> There's also this older discussion:
> https://www.openwall.com/lists/musl/2014/01/28/2 - sorry, I have not
> found it before.

Yes, I should have cited it but didn't have it handy.

Rich

Re: Use local time in syslog() function

[Szabolcs Nagy]

* Rich Felker <dalias@libc.org> [2019-01-14 15:27:26 -0500]:
> On Mon, Jan 14, 2019 at 08:53:45PM +0100, Michael Kaufmann wrote:
> > >>I have found a bug in the implementation of syslog(). It should use
> > >>the local time instead of UTC when sending the message to /dev/log.
> > >>So in src/misc/syslog.c, the call to gmtime_r() should be replaced
> > >>with localtime_r().
> > >
> > >This is not a bug; rather, use of local time there in glibc and other
> > >systems is a bug. Local time varies by the sending process and
> > >produces inconsistent and uninterpretable log messages. Moreover the
> > >syslog() function is not specified to depend on the environment and
> > >thereby is not allowed to call any function whose behavior is
> > >dependant on the environment.
> > 
> > Thank you for responding!
> > 
> > I agree that GMT would have been a better choice, but I think local
> > time is also mandated by RFC 3164,
> > https://tools.ietf.org/html/rfc3164#section-4.1.2 : "The TIMESTAMP
> > field is the local time". Or does this RFC not apply for syslog() on
> > Linux?

note that rfc is deprecated by

https://tools.ietf.org/html/rfc5424

which has a timestamp format that always includes zone information
and i see no local time requirement any more, it also says

   The TIMESTAMP described in RFC 3164 offers less precision than the
   timestamp specified in this document.  It also lacks the year and
   time zone information.  If a message formatted according to this
   document needs to be reformatted to be in RFC 3164 format, it is
   suggested that the originator's local time zone be used, and the time
   zone information and the year be dropped.  If an RFC 3164 formatted
   message is received and must be transformed to be compliant to this
   document, the current year should be added and the time zone of the
   relay or collector MAY be used.

musl uses the old format, i don't know if existing tools depend on
this, if not then musl should use the unambigous timestamp format.

> 
> I'm not sure. Nominally it governs the udp protocol over a network,
> not the interface between local processes and syslogd over /dev/log
> (unix domain socket), so in that sense the answer is no, but of course
> in some sense it's the same protocol.
> 
> 4.2 goes on to say:
> 
>     "It should be reiterated here that the payload of any IP packet
>     destined to UDP port 514 MUST be considered to be a valid syslog
>     message. It is, however, RECOMMENDED that the syslog packet have
>     all of the parts described in Section 4.1..."
> 
> and:
> 
>     "If the originally formed message has a TIMESTAMP in the HEADER
>     part, then it SHOULD be the local time of the device within its
>     timezone."
> 
> "Local time of the device" is not defined anywhere, and in an
> environment where processes on a "device" (host?) could all have
> different local times, again the only reasonable choice for the device
> zone seems to be UTC.
> 
> One possible interpretation would be using /etc/localtime
> unconditionally (ignoring $TZ) for syslog purposes, but that would be
> a lot more work and would reintroduce all of the problems of local
> time log messages. It's far cleaner to simply configure the logging
> process to be aware that the zone of the system sending the log
> messages is UTC, if it needs to be.
> 
> > There's also this older discussion:
> > https://www.openwall.com/lists/musl/2014/01/28/2 - sorry, I have not
> > found it before.
> 
> Yes, I should have cited it but didn't have it handy.
> 
> Rich

Re: Use local time in syslog() function

[Rich Felker]

On Tue, Jan 15, 2019 at 12:02:25AM +0100, Szabolcs Nagy wrote:
> * Rich Felker <dalias@libc.org> [2019-01-14 15:27:26 -0500]:
> > On Mon, Jan 14, 2019 at 08:53:45PM +0100, Michael Kaufmann wrote:
> > > >>I have found a bug in the implementation of syslog(). It should use
> > > >>the local time instead of UTC when sending the message to /dev/log.
> > > >>So in src/misc/syslog.c, the call to gmtime_r() should be replaced
> > > >>with localtime_r().
> > > >
> > > >This is not a bug; rather, use of local time there in glibc and other
> > > >systems is a bug. Local time varies by the sending process and
> > > >produces inconsistent and uninterpretable log messages. Moreover the
> > > >syslog() function is not specified to depend on the environment and
> > > >thereby is not allowed to call any function whose behavior is
> > > >dependant on the environment.
> > > 
> > > Thank you for responding!
> > > 
> > > I agree that GMT would have been a better choice, but I think local
> > > time is also mandated by RFC 3164,
> > > https://tools.ietf.org/html/rfc3164#section-4.1.2 : "The TIMESTAMP
> > > field is the local time". Or does this RFC not apply for syslog() on
> > > Linux?
> 
> note that rfc is deprecated by
> 
> https://tools.ietf.org/html/rfc5424

Thanks for finding that!

> which has a timestamp format that always includes zone information
> and i see no local time requirement any more, it also says
> 
>    The TIMESTAMP described in RFC 3164 offers less precision than the
>    timestamp specified in this document.  It also lacks the year and
>    time zone information.  If a message formatted according to this
>    document needs to be reformatted to be in RFC 3164 format, it is
>    suggested that the originator's local time zone be used, and the time
>    zone information and the year be dropped.  If an RFC 3164 formatted
>    message is received and must be transformed to be compliant to this
>    document, the current year should be added and the time zone of the
>    relay or collector MAY be used.
> 
> musl uses the old format, i don't know if existing tools depend on
> this, if not then musl should use the unambigous timestamp format.

I'm all for updating to the new format if there are no problems with
doing so, and expect it might fix whatever problems people are having
from timestamps being UTC (since syslogd would be able to see that
they are and reinterpret them however it likes).

Based on the obsolete RFC, I don't think there would be problems --
3164 makes it clear that the receiving process is supposed to accept
any message format even if it does not match the expected field
structure. Can anyone offer further insight into whether we might
break things for anyone?

Rich