Package: sysklogd
Version: 1.4.1-17
Severity: wishlist
Tags: patch, upstream

Hi,

IMHO it would be a good idea for syslogd to support tcpwrappers, as it
helps DoS via the internet. Most other daemons allow some sort of
control from where they allow access, and tcpwrappers is one of the
easiest to apply. The control feature of tcpwrappers is not so important
in this case, as syslogd intentionally logs all received messages with
sender ;-)

The patch below is in works-for-me state. In real life the feature
should probably be bracketed by options, as there are platforms without
libwrap, and probably reflected in build-depends as well.

Kind regards,

Joerg

diff -urN sysklogd-jd/Makefile sysklogd-1.4.1/Makefile
--- sysklogd-jd/Makefile        1998-10-12 22:25:15.000000000 +0200
+++ sysklogd-1.4.1/Makefile     2005-11-04 09:59:21.000000000 +0100
@@ -23,6 +23,9 @@
 # uncommenting the following define.
 # LIBS = ${LIBS} -linux
 
+# Use tcpwrappers
+LIBS = -lwrap
+
 # Define the following to impart start-up delay in klogd.  This is
 # useful if klogd is started simultaneously or in close-proximity to syslogd.
 # KLOGD_START_DELAY = -DKLOGD_DELAY=5
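Review bot: `LIBS = -lwrap` overwrites the existing LIBS value instead of extending it, while the commented-out line just above shows this Makefile's own convention of `LIBS = ${LIBS} -linux`; write it as `LIBS = ${LIBS} -lwrap` so other link flags survive. Since the report itself says the feature should be optional on platforms without libwrap, the addition should also be keyed on a make variable rather than applied unconditionally.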
diff -urN sysklogd-jd/syslogd.c sysklogd-1.4.1/syslogd.c
--- sysklogd-jd/syslogd.c       2005-11-04 09:27:32.000000000 +0100
+++ sysklogd-1.4.1/syslogd.c    2005-11-04 09:56:06.000000000 +0100
@@ -491,6 +491,7 @@
 #include <arpa/nameser.h>
 #include <arpa/inet.h>
 #include <resolv.h>
+#include <tcpd.h>
 #ifndef TESTING
 #include "pidfile.h"
 #endif
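Review bot: the new `#include <tcpd.h>` has no matching `#ifdef`, so the build now hard-requires libwrap even though the covering text says the feature should be bracketed by options; guard the include (and the later hosts_ctl call) with one feature macro (a hypothetical name such as `WITH_TCPWRAP`) set from the Makefile. Also worth checking at link time: the patch defines neither `allow_severity` nor `deny_severity`, which tcpd.h declares and classic libwrap expects the calling program to define for the log level of its allow/deny messages.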
@@ -1139,8 +1140,15 @@
                                 * letters so we could match them against 
whatever.
                                 *  -Joey
                                 */
-                               printchopped(from, line, \
+                               /* When using tcpwrapper be careful to
+                                * avoid loops, as it uses syslog by
+                                * itself. (Hopefully unix sockets) -JD
+                                */
+                               if (hosts_ctl("syslogd", STRING_UNKNOWN,
+                                       inet_ntoa(frominet.sin_addr), 
STRING_UNKNOWN)) {
+                                       printchopped(from, line, \
                                             i + 2,  finet);
+                               }
                        } else if (i < 0 && errno != EINTR && errno != EAGAIN) {
                                dprintf("INET socket error: %d = %s.\n", \
                                        errno, strerror(errno));
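Review bot: hosts_ctl() runs for every datagram read from the inet socket, and each call opens and parses /etc/hosts.allow and /etc/hosts.deny and reports a refusal through syslog(3), so a flood from a denied (or spoofed) source still costs a recvfrom() plus two file parses plus one locally generated log line per packet; that bounds the DoS benefit the report aims at, and the "Hopefully unix sockets" remark in the comment should be verified rather than hoped, although the refusal message does travel the /dev/log path rather than the inet socket, so it should not re-enter this branch. Two smaller points: passing STRING_UNKNOWN as the client name means address rules work but host-name patterns in hosts.allow see the client as UNKNOWN, so if `from` already holds the resolved sender name it could be passed instead; and the retained `\` continuation after `printchopped(from, line,` now sits inside the new `if` block while `i + 2,  finet);` keeps its old indentation, so re-indent the continuation line to match.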