klogd + dd – why?

hitoht at gmail.com
Mon Sep 28 10:23:47 BST 2009


On Mon, 28 Sep 2009 02:39:29 -0400,  <jeremy at novawave.net> wrote:
> Excuse me; can anyone explain why it's necessary to send kernel log
> messages through dd, rather than letting klogd pick them up directly?
> Debian doesn't do it that way.
>
> Other than "it lets us run it as user klogd", which isn't a reason in
> and of itself.

IMHO, klogd must read /proc/kmsg, so klogd has root privilege.

$ ls -altr /proc/kmsg 
-r-------- 1 root root 0 2009-09-28 10:06 /proc/kmsg

and accessing /proc/kmsg is the same as "calling sys_syslog()";
it requires high capability (like root); we can't drop root privilege
from the /proc/kmsg reader.

> Why is klogd a particular security issue? What possible benefit is
> there to running a dd process as root instead of simply running klogd
> as root, or having klogd start as root and then drop privileges?

And sysklogd's logging code has some buffer control and some
complex interchanges; it has some *unknown* security threats
(like CVE-2000-0867[1,2]). This is a risk to be avoided.

As we know, dd is very simple and more secure than any logging daemon
(no string parser, fixed buffering...). The dd-ing model could cast out
untrustworthy loggers from root's special power.

[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0867
[2] http://www.securityfocus.com/bid/1694/discuss
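
The split described in this message, as an added example that is not part of the original post and is not Ubuntu's, dd's or sysklogd's code: a dd-like relay is the only code that needs the privileged descriptor, and it copies bytes through one fixed buffer without parsing them. The names relay and SAMPLE, and the pipes standing in for /proc/kmsg and the unprivileged logger's input, are assumptions made for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Copy in_fd to out_fd until EOF through one fixed-size buffer. The bytes are
 * never parsed or formatted. Returns the number of bytes copied, or -1. */
long relay(int in_fd, int out_fd)
{
    char buf[512];                      /* read() is bounded by sizeof buf */
    long total = 0;
    for (;;) {
        ssize_t n = read(in_fd, buf, sizeof buf);
        if (n == 0)
            return total;               /* EOF */
        if (n < 0 && errno == EINTR)
            continue;                   /* interrupted, retry */
        if (n < 0)
            return -1;
        for (ssize_t off = 0; off < n; ) {      /* finish short writes */
            ssize_t w = write(out_fd, buf + off, (size_t)(n - off));
            if (w < 0 && errno != EINTR)
                return -1;
            if (w > 0)
                off += w;
        }
        total += n;
    }
}

/* Constructed sample input (not real kernel output). */
static const char SAMPLE[] =
    "<6>eth0: link up\n"
    "<4>disk 97% full\n";

int main(void)
{
    int src[2], dst[2];                 /* stand-ins for /proc/kmsg and the logger's pipe */
    char out[256];
    if (pipe(src) || pipe(dst) ||
        write(src[1], SAMPLE, strlen(SAMPLE)) < 0)
        return 1;
    close(src[1]);                      /* relay sees EOF after the sample */
    long copied = relay(src[0], dst[1]);
    ssize_t got = read(dst[0], out, sizeof out);
    printf("copied=%ld identical=%d\n", copied,
           copied > 0 && got == copied && memcmp(out, SAMPLE, (size_t)got) == 0);
    return 0;
}
```

The logger that parses and formats these bytes sits on the reading end of the second pipe and can run under an unprivileged account, so a parsing bug there no longer executes with root's privileges.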



More information about the ubuntu-devel mailing list