reproducible bug in OSX's syslogd when REMOTE LOGGING
- Subject: reproducible bug in OSX's syslogd when REMOTE LOGGING
- From: OpenMacNews <email@hidden>
- Date: Tue, 06 Jul 2004 16:05:20 -0700
hi all,
I think this is the right place for this....
I've enabled REMOTE syslogging in OSX 10.3.4 by changing ~line 11 in /etc/rc from:
/usr/sbin/syslogd -s -m 0 -u
to
/usr/sbin/syslogd -m 0 -u
With this change, remote logging works fine. BUT, it leaves syslogd open to UDP traffic from ALL IPs.
So, in trying to limit logging access to ONLY a specific IP, I note:
usage: syslogd [-46Acdknosuv] [-a allowed_peer]
               [-b bind address] [-f config_file]
               [-l log_socket] [-m mark_interval]
               [-P pid_file] [-p log_socket]
PROBLEM #1:
Checking the Apple manpage for syslogd, there's no mention of the "-a allowed_peer" flag,
which MAY be because it's old/not updated:
HISTORY
     The syslogd command appeared in 4.3BSD.

4.2 Berkeley Distribution        June 6, 1993        4.2 Berkeley Distribution
So, jumping over to the FreeBSD manpages, I learn that:
     -a allowed_peer
             Allow allowed_peer to log to this syslogd using UDP datagrams.
             Multiple -a options may be specified.

             Allowed_peer can be any of the following:

             ipaddr/masklen[:service]
                     Accept datagrams from ipaddr (in the usual dotted quad
                     notation) with masklen bits being taken into account when
                     doing the address comparison.  ipaddr can be also IPv6
                     address by enclosing the address with `[' and `]'.  If
                     specified, service is the name or number of an UDP service
                     (see services(5)) the source packet must belong to.  A
                     service of `*' allows packets being sent from any UDP
                     port.  The default service is `syslog'.  If ipaddr is IPv4
                     address, a missing masklen will be substituted by the
                     historic class A or class B netmasks if ipaddr belongs
                     into the address range of class A or B, respectively, or
                     by 24 otherwise.  If ipaddr is IPv6 address, a missing
                     masklen will be substituted by 128.

             domainname[:service]
                     Accept datagrams where the reverse address lookup yields
                     domainname for the sender address.  The meaning of service
                     is as explained above.

             *domainname[:service]
                     Same as before, except that any source host whose name
                     ends in domainname will get permission.

             The -a options are ignored if the -s option is also specified.
Seems to be exactly what I want/need.
If I specify a SINGLE, FIXED source port, e.g.:
/usr/sbin/syslogd -a 172.30.11.101/32:2048 -m 0 -u
remote logging WORKS.
However, since my remote box uses variable src ports, and there's no way to specify a fixed port, I need to use the "*" port wildcard.
Unfortunately,
PROBLEM #2:
It chokes with "No match", not accepting the command/launch:
/usr/sbin/syslogd -a 172.30.11.101/32:* -m 0 -u
su: /usr/sbin/syslogd: No match.
On a whim, escaping or quoting the * with either:
/usr/sbin/syslogd -a 172.30.11.101/32:\* -m 0 -u
or
/usr/sbin/syslogd -a 172.30.11.101/32:"*" -m 0 -u
gets the command accepted, and syslog launches, but it doesn't get any remote log entries.
Returning to a specific port spec:
/usr/sbin/syslogd -a 172.30.11.101/32:2048 -m 0 -u
and remote logging works again as expected, as long as the src port used remains (here) 2048.
BOTTOM LINE:
(1) The manpage for OSX's syslogd is out of sync with its available options.
(2) The manpage implies that it's BSD's syslogd, but the BSD-specified "*" port wildcard is not supported.
Is this known? Is there a workaround?
richard
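The allow-list rules quoted from the FreeBSD manpage above, and the three launch lines tried in the post, as an added example that is not part of the original message and not Apple's or FreeBSD's syslogd code: a POSIX sh script that simulates how an IPv4 `-a ipaddr[/masklen][:service]` spec is matched against a sender's address and UDP source port (default masklen by historic class, default service `syslog`, `*` for any port). Hostname forms and IPv6 are not modelled; `peer_allowed`, `ip2int`, `default_masklen`, `prefix_mask` and `service_port` are names chosen here. The `*` in a spec is also a shell glob character, so on a real command line it has to be escaped or quoted, as the post's later variants do.

```shell
#!/bin/sh
# Added example (not syslogd's own code): simulate the documented
# "-a allowed_peer" matching rules for the IPv4 form
#     ipaddr[/masklen][:service]
# so a spec can be checked against a sender before it goes into /etc/rc.
# Hostname forms and IPv6 are not covered.

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# Masklen used when the spec omits it: the historic class A (/8) or
# class B (/16) netmask if the address falls in that range, else /24.
default_masklen() {
    first=${1%%.*}
    if [ "$first" -lt 128 ]; then echo 8
    elif [ "$first" -lt 192 ]; then echo 16
    else echo 24
    fi
}

# Prefix length -> 32-bit netmask integer.
prefix_mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
    fi
}

# Service field -> UDP port number, or the literal '*' for "any port".
# syslog/udp is 514 (IANA); other names are looked up in /etc/services.
service_port() {
    case $1 in
        '*')      echo '*' ;;
        syslog)   echo 514 ;;
        *[!0-9]*) awk -v n="$1" '$1 == n && $2 ~ /\/udp$/ {
                      sub(/\/udp$/, "", $2); print $2; exit }' \
                      /etc/services 2>/dev/null ;;
        *)        echo "$1" ;;
    esac
}

# peer_allowed SPEC SRC_IP SRC_PORT: exit 0 if a datagram from SRC_IP:SRC_PORT
# would be accepted by "-a SPEC", 1 otherwise.  A missing service means syslog.
peer_allowed() {
    spec=$1 src_ip=$2 src_port=$3
    case $spec in
        *:*) service=${spec##*:}; addr=${spec%:*} ;;
        *)   service=syslog;      addr=$spec ;;
    esac
    case $addr in
        */*) ip=${addr%/*}; len=${addr#*/} ;;
        *)   ip=$addr;      len=$(default_masklen "$addr") ;;
    esac
    want=$(service_port "$service") || return 1
    [ -n "$want" ] || return 1                       # unknown service name
    if [ "$want" != '*' ] && [ "$want" -ne "$src_port" ]; then
        return 1                                     # wrong source port
    fi
    mask=$(prefix_mask "$len")
    [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$src_ip") & mask )) ]
}

# Stand-alone demo (run with "sh script.sh demo"): the specs from the post
# against a few constructed senders (address:source-port).
if [ "${1:-}" = demo ]; then
    for spec in '172.30.11.101/32:2048' '172.30.11.101/32:*' '172.30.11.101'; do
        for sender in 172.30.11.101:2048 172.30.11.101:40000 \
                      172.30.11.101:514 172.30.12.9:2048; do
            if peer_allowed "$spec" "${sender%:*}" "${sender#*:}"; then
                verdict=allow
            else
                verdict=deny
            fi
            printf '%-24s %-20s %s\n' "$spec" "$sender" "$verdict"
        done
    done
fi
```

The demo table makes the post's observations explicit: the `:2048` spec accepts only that one source port, the quoted `:*` spec accepts any port from that host, and a spec with no service at all accepts only packets whose source port is 514 (`syslog`), which is why a sender using ephemeral ports is dropped.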
_______________________________________________
darwin-kernel mailing list | email@hidden