* Use local time in syslog() function
From: Michael Kaufmann @ 2019-01-14 9:23 UTC
To: musl

Hi,

I have found a bug in the implementation of syslog(). It should use the local time instead of UTC when sending the message to /dev/log. So in src/misc/syslog.c, the call to gmtime_r() should be replaced with localtime_r().

Regards,
Michael

* Re: Use local time in syslog() function
From: Rich Felker @ 2019-01-14 16:25 UTC
To: musl

On Mon, Jan 14, 2019 at 10:23:03AM +0100, Michael Kaufmann wrote:
> Hi,
>
> I have found a bug in the implementation of syslog(). It should use
> the local time instead of UTC when sending the message to /dev/log.
> So in src/misc/syslog.c, the call to gmtime_r() should be replaced
> with localtime_r().

This is not a bug; rather, use of local time there in glibc and other systems is a bug. Local time varies by the sending process and produces inconsistent and uninterpretable log messages. Moreover the syslog() function is not specified to depend on the environment and thereby is not allowed to call any function whose behavior is dependent on the environment.

If you want local times in logs, the only consistent and conforming way to do it is to have syslogd interpret the timestamps and rewrite them to your preferred timezone. But that still doesn't help with the issue of ambiguous timestamps at daylight-time transition that give attackers neat opportunities to misrepresent sequence of events between different systems...

Rich

* Re: Use local time in syslog() function
From: Michael Kaufmann @ 2019-01-14 19:53 UTC
To: musl

>> I have found a bug in the implementation of syslog(). It should use
>> the local time instead of UTC when sending the message to /dev/log.
>> So in src/misc/syslog.c, the call to gmtime_r() should be replaced
>> with localtime_r().
>
> This is not a bug; rather, use of local time there in glibc and other
> systems is a bug. Local time varies by the sending process and
> produces inconsistent and uninterpretable log messages. Moreover the
> syslog() function is not specified to depend on the environment and
> thereby is not allowed to call any function whose behavior is
> dependent on the environment.

Thank you for responding!

I agree that GMT would have been a better choice, but I think local time is also mandated by RFC 3164, https://tools.ietf.org/html/rfc3164#section-4.1.2 : "The TIMESTAMP field is the local time". Or does this RFC not apply for syslog() on Linux?

There's also this older discussion: https://www.openwall.com/lists/musl/2014/01/28/2 - sorry, I have not found it before.

Regards,
Michael

* Re: Use local time in syslog() function
From: Rich Felker @ 2019-01-14 20:27 UTC
To: musl

On Mon, Jan 14, 2019 at 08:53:45PM +0100, Michael Kaufmann wrote:
> >>I have found a bug in the implementation of syslog(). It should use
> >>the local time instead of UTC when sending the message to /dev/log.
> >>So in src/misc/syslog.c, the call to gmtime_r() should be replaced
> >>with localtime_r().
> >
> >This is not a bug; rather, use of local time there in glibc and other
> >systems is a bug. Local time varies by the sending process and
> >produces inconsistent and uninterpretable log messages. Moreover the
> >syslog() function is not specified to depend on the environment and
> >thereby is not allowed to call any function whose behavior is
> >dependent on the environment.
>
> Thank you for responding!
>
> I agree that GMT would have been a better choice, but I think local
> time is also mandated by RFC 3164,
> https://tools.ietf.org/html/rfc3164#section-4.1.2 : "The TIMESTAMP
> field is the local time". Or does this RFC not apply for syslog() on
> Linux?

I'm not sure. Nominally it governs the udp protocol over a network, not the interface between local processes and syslogd over /dev/log (unix domain socket), so in that sense the answer is no, but of course in some sense it's the same protocol.

4.2 goes on to say:

    "It should be reiterated here that the payload of any IP packet
    destined to UDP port 514 MUST be considered to be a valid syslog
    message. It is, however, RECOMMENDED that the syslog packet have
    all of the parts described in Section 4.1..."

and:

    "If the originally formed message has a TIMESTAMP in the HEADER
    part, then it SHOULD be the local time of the device within its
    timezone."

"Local time of the device" is not defined anywhere, and in an environment where processes on a "device" (host?) could all have different local times, again the only reasonable choice for the device zone seems to be UTC.

One possible interpretation would be using /etc/localtime unconditionally (ignoring $TZ) for syslog purposes, but that would be a lot more work and would reintroduce all of the problems of local time log messages. It's far cleaner to simply configure the logging process to be aware that the zone of the system sending the log messages is UTC, if it needs to be.

> There's also this older discussion:
> https://www.openwall.com/lists/musl/2014/01/28/2 - sorry, I have not
> found it before.

Yes, I should have cited it but didn't have it handy.

Rich

* Re: Use local time in syslog() function
From: Szabolcs Nagy @ 2019-01-14 23:02 UTC
To: musl

* Rich Felker <dalias@libc.org> [2019-01-14 15:27:26 -0500]:
> On Mon, Jan 14, 2019 at 08:53:45PM +0100, Michael Kaufmann wrote:
> > >>I have found a bug in the implementation of syslog(). It should use
> > >>the local time instead of UTC when sending the message to /dev/log.
> > >>So in src/misc/syslog.c, the call to gmtime_r() should be replaced
> > >>with localtime_r().
> > >
> > >This is not a bug; rather, use of local time there in glibc and other
> > >systems is a bug. Local time varies by the sending process and
> > >produces inconsistent and uninterpretable log messages. Moreover the
> > >syslog() function is not specified to depend on the environment and
> > >thereby is not allowed to call any function whose behavior is
> > >dependent on the environment.
> >
> > Thank you for responding!
> >
> > I agree that GMT would have been a better choice, but I think local
> > time is also mandated by RFC 3164,
> > https://tools.ietf.org/html/rfc3164#section-4.1.2 : "The TIMESTAMP
> > field is the local time". Or does this RFC not apply for syslog() on
> > Linux?

note that rfc is deprecated by

https://tools.ietf.org/html/rfc5424

which has a timestamp format that always includes zone information
and i see no local time requirement any more, it also says

  The TIMESTAMP described in RFC 3164 offers less precision than the
  timestamp specified in this document. It also lacks the year and
  time zone information. If a message formatted according to this
  document needs to be reformatted to be in RFC 3164 format, it is
  suggested that the originator's local time zone be used, and the time
  zone information and the year be dropped. If an RFC 3164 formatted
  message is received and must be transformed to be compliant to this
  document, the current year should be added and the time zone of the
  relay or collector MAY be used.

musl uses the old format, i don't know if existing tools depend on
this, if not then musl should use the unambiguous timestamp format.

>
> I'm not sure. Nominally it governs the udp protocol over a network,
> not the interface between local processes and syslogd over /dev/log
> (unix domain socket), so in that sense the answer is no, but of course
> in some sense it's the same protocol.
>
> 4.2 goes on to say:
>
>     "It should be reiterated here that the payload of any IP packet
>     destined to UDP port 514 MUST be considered to be a valid syslog
>     message. It is, however, RECOMMENDED that the syslog packet have
>     all of the parts described in Section 4.1..."
>
> and:
>
>     "If the originally formed message has a TIMESTAMP in the HEADER
>     part, then it SHOULD be the local time of the device within its
>     timezone."
>
> "Local time of the device" is not defined anywhere, and in an
> environment where processes on a "device" (host?) could all have
> different local times, again the only reasonable choice for the device
> zone seems to be UTC.
>
> One possible interpretation would be using /etc/localtime
> unconditionally (ignoring $TZ) for syslog purposes, but that would be
> a lot more work and would reintroduce all of the problems of local
> time log messages. It's far cleaner to simply configure the logging
> process to be aware that the zone of the system sending the log
> messages is UTC, if it needs to be.
>
> > There's also this older discussion:
> > https://www.openwall.com/lists/musl/2014/01/28/2 - sorry, I have not
> > found it before.
>
> Yes, I should have cited it but didn't have it handy.
>
> Rich

* Re: Use local time in syslog() function
From: Rich Felker @ 2019-01-15 4:12 UTC
To: musl

On Tue, Jan 15, 2019 at 12:02:25AM +0100, Szabolcs Nagy wrote:
> * Rich Felker <dalias@libc.org> [2019-01-14 15:27:26 -0500]:
> > On Mon, Jan 14, 2019 at 08:53:45PM +0100, Michael Kaufmann wrote:
> > > >>I have found a bug in the implementation of syslog(). It should use
> > > >>the local time instead of UTC when sending the message to /dev/log.
> > > >>So in src/misc/syslog.c, the call to gmtime_r() should be replaced
> > > >>with localtime_r().
> > > >
> > > >This is not a bug; rather, use of local time there in glibc and other
> > > >systems is a bug. Local time varies by the sending process and
> > > >produces inconsistent and uninterpretable log messages. Moreover the
> > > >syslog() function is not specified to depend on the environment and
> > > >thereby is not allowed to call any function whose behavior is
> > > >dependent on the environment.
> > >
> > > Thank you for responding!
> > >
> > > I agree that GMT would have been a better choice, but I think local
> > > time is also mandated by RFC 3164,
> > > https://tools.ietf.org/html/rfc3164#section-4.1.2 : "The TIMESTAMP
> > > field is the local time". Or does this RFC not apply for syslog() on
> > > Linux?
>
> note that rfc is deprecated by
>
> https://tools.ietf.org/html/rfc5424

Thanks for finding that!

> which has a timestamp format that always includes zone information
> and i see no local time requirement any more, it also says
>
>   The TIMESTAMP described in RFC 3164 offers less precision than the
>   timestamp specified in this document. It also lacks the year and
>   time zone information. If a message formatted according to this
>   document needs to be reformatted to be in RFC 3164 format, it is
>   suggested that the originator's local time zone be used, and the time
>   zone information and the year be dropped. If an RFC 3164 formatted
>   message is received and must be transformed to be compliant to this
>   document, the current year should be added and the time zone of the
>   relay or collector MAY be used.
>
> musl uses the old format, i don't know if existing tools depend on
> this, if not then musl should use the unambiguous timestamp format.

I'm all for updating to the new format if there are no problems with doing so, and expect it might fix whatever problems people are having from timestamps being UTC (since syslogd would be able to see that they are and reinterpret them however it likes).

Based on the obsolete RFC, I don't think there would be problems -- 3164 makes it clear that the receiving process is supposed to accept any message format even if it does not match the expected field structure. Can anyone offer further insight into whether we might break things for anyone?

Rich

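The two points argued in the thread (a zone-less RFC 3164 local timestamp is ambiguous at a daylight-time transition and varies with the sender's TZ, while a UTC or RFC 5424 timestamp does not) can be reproduced with the added example below. It is not code from the thread or from musl; the function names, the sample instants and the POSIX TZ strings are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* RFC 3164-style TIMESTAMP ("Mmm dd hh:mm:ss"): no year, no zone.
 * tz == NULL: UTC via gmtime_r(); else TZ=tz and localtime_r() (env-dependent). */
char *stamp3164(time_t t, const char *tz, char *buf, size_t n)
{
    struct tm tm;
    if (tz) {
        setenv("TZ", tz, 1);
        tzset();
        localtime_r(&t, &tm);
    } else {
        gmtime_r(&t, &tm);
    }
    strftime(buf, n, "%b %e %H:%M:%S", &tm);
    return buf;
}

/* RFC 5424-style TIMESTAMP in UTC: year and zone ("Z") are explicit. */
char *stamp5424(time_t t, char *buf, size_t n)
{
    struct tm tm;
    gmtime_r(&t, &tm);
    strftime(buf, n, "%Y-%m-%dT%H:%M:%SZ", &tm);
    return buf;
}

/* Constructed samples: instants 1h apart at the end of daylight time; POSIX TZ strings. */
#define T1 ((time_t)1540686600) /* 2018-10-28T00:30:00Z */
#define T2 ((time_t)1540690200) /* 2018-10-28T01:30:00Z */
#define TZ_EU "CET-1CEST,M3.5.0,M10.5.0/3"
#define TZ_US "EST5EDT,M3.2.0,M11.1.0"

int main(void)
{
    char a[32], b[32];
    printf("3164 local, TZ_EU: %s | %s\n", stamp3164(T1, TZ_EU, a, sizeof a),
           stamp3164(T2, TZ_EU, b, sizeof b));   /* two instants, one string */
    printf("3164 local, TZ_US: %s\n", stamp3164(T1, TZ_US, a, sizeof a));
    printf("3164 UTC:          %s | %s\n", stamp3164(T1, NULL, a, sizeof a),
           stamp3164(T2, NULL, b, sizeof b));
    printf("5424 UTC:          %s | %s\n", stamp5424(T1, a, sizeof a),
           stamp5424(T2, b, sizeof b));
    return 0;
}
```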