Contributed by jose on from the split-logging dept.
(Comments are closed)
OpenBSD Journal
Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]
By willb () on
By Anonymous Coward () on
Instead of remote root if there is a remote bug in syslogd, the attacker could become a non-root user on the system.
Why not just vpn all system services and block all ports except for the VPN. That way your much safer. And then focus all security efforts, code audits on the VPN software.
Comments
By Anonymous Coward () on
By Anil () avsm@ on
Well, they would become the _syslogd user, but trapped inside a /var/empty chroot with no privilege except that granted by the priv parent (they can open logfiles for appending only, write to terminals, read utmp). If the priv parent smells any dodgy requests coming from the child, it'll kill itself, leaving the child with no privilege at all.
Why not just vpn all system services and block all ports except for the VPN.
Err... what?
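The arrangement described in the comment above, as an added sketch that is not part of the original thread and is not OpenBSD's syslogd code: a privileged monitor answers one "open this log" request, hands back a write-only, append-mode descriptor over a socketpair, and exits on any request it does not recognise. The names `monitor`, `request_log` and `allowed`, and the `/tmp` path, are hypothetical; the chroot and uid drop are left out because they need root.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
/* Constructed allowlist standing in for the log files named in the config. */
static const char *allowed[] = { "/tmp/privsep-demo.log", NULL };

/* Privileged side: answer one open request, exit on anything unexpected. */
static void monitor(int s) {
    char path[256] = {0}, cbuf[CMSG_SPACE(sizeof(int))] = {0}, ok = 1;
    int i = 0, fd;
    if (read(s, path, sizeof(path) - 1) <= 0) _exit(1);
    while (allowed[i] && strcmp(allowed[i], path) != 0) i++;
    if (!allowed[i]) _exit(1);      /* dodgy request: the monitor kills itself */
    if ((fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0600)) < 0) _exit(1);
    struct iovec iov = { &ok, 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = cbuf, .msg_controllen = sizeof(cbuf) };
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    _exit(sendmsg(s, &m, 0) < 0);   /* the descriptor travels as SCM_RIGHTS */
}

/* Unprivileged side: 1 if a descriptor arrived and a write worked, else 0. */
int request_log(const char *path) {
    int sp[2], fd = -1, got = 0;
    char ok, cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { &ok, 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = cbuf, .msg_controllen = sizeof(cbuf) };
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { close(sp[0]); monitor(sp[1]); }
    close(sp[1]);
    /* A real worker would chroot to /var/empty and drop to _syslogd here. */
    if (write(sp[0], path, strlen(path)) > 0 &&
        recvmsg(sp[0], &m, 0) == 1 && CMSG_FIRSTHDR(&m)) {
        memcpy(&fd, CMSG_DATA(CMSG_FIRSTHDR(&m)), sizeof(int));
        got = write(fd, "entry\n", 6) == 6;
        close(fd);
    }
    close(sp[0]);
    waitpid(pid, NULL, 0);
    return got;
}
```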
By pogi na si psyg mabait pa () on
this is a joke. isn't it? but thanks. you made me laugh :D
"That way your much safer."
more jokes. rotflmao
By Anonymous Coward () on
By Henrik Holmboe () on
By hurm () on
syslog-ng does this
Comments
By Anonymous Coward () on
By Jeffrey () on
Yes, looks like the effect is the same on both.
Anyway, yay for privsep! =)