Re: local users can panic linux kernel (was: SuSE syslogd advisory)

[Cy Schubert - ITSD Open Systems Group]

In message <[EMAIL PROTECTED]>, Darren Reed writes:
> In some mail from Mixter, sie said:
> >
> > The impact of the syslogd Denial Of Service vulnerability seems to
> > be bigger than expected. I found that syslog could not be stopped from
> > responding by one or a few connections, since it uses select() calls
> > to synchronously manage the connections to /dev/log. I made an attempt
> > with the attached test code, which makes about 2000 connects to syslog,
> > using multiple processes, and my system instantly died with the message:
> > 'Kernel panic: can't push onto full stack'
>
> Given that most other platforms use datagram sockets (of one type or another)
> for syslog, can anyone explain the benefit of using streams sockets ? FWIW,
> even the STREAMS driver used by Solaris has better operational properties
> than this (only one receiving device).
>
> A naive guess is to provide better reliability of sent messages.  Denial of
> Service issues (with datagram mode - flooding of packets) are still present,
> just different and are arguably more difficult to deal with for little
> overall gain.  I'd venture to say that in a friendly environment, there is
> no benefit in using stream sockets and in an unfriendly one, perhaps even
> disadvantages.

At the time the Linux syslogd was written (6+ years ago), Linux did not
support UNIX domain datagram sockets.  Now that it does support
datagram sockets, I suspect that no one has bothered to change syslogd
to use them.


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Sun/DEC Team, UNIX Group    Internet:  [EMAIL PROTECTED]
ITSD                                   [EMAIL PROTECTED]
Province of BC
                      "e**(i*pi)+1=0"