Bug#916506: /usr/bin/logger: /usr/bin/logger allows anyone to write to /var/log/syslog
On Sun, Mar 10, 2019 at 5:09 AM Andreas Henriksson wrote: > > The logger tool has no special privilegies. It's just a small tool > that helps you send messages to your syslog daemon. You could equally > well do this using for example netcat to send syslog messages over the > network, etc. I'm not sure exactly which implementation you're using and > what your configuration is there, but that's where you want to follow up > on this and reassign your bug report if needed. I'm using rsyslog which seems to be the default syslog for Debian: Mar 19 12:04:27 bear liblogging-stdlog: [origin software="rsyslogd" swVersion="8.24.0" x-pid="810" x-info="http://www.rsyslog.com;] rsyslogd was HUPed My /etc/rsyslog.d directory is empty, and I don't recall ever doing anything to customize its configuration. -- Frank
Bug#916506: /usr/bin/logger: /usr/bin/logger allows anyone to write to /var/log/syslog
Control: tags -1 + moreinfo Hello Frank Mori Hess, Thanks for your bug report. See inline reply below. On Sat, Dec 15, 2018 at 02:38:07AM -0500, Frank Mori Hess wrote: > Package: bsdutils > Version: 1:2.29.2-1+deb9u1 > Severity: normal > File: /usr/bin/logger > > Dear Maintainer, > > I was surprised to find that I can write anything I want to > /var/log/syslog using the /usr/bin/logger program as a non-root user. > My user account has no permissions on /var/log/syslog, it can't even > read it. The logger tool has no special privilegies. It's just a small tool that helps you send messages to your syslog daemon. You could equally well do this using for example netcat to send syslog messages over the network, etc. I'm not sure exactly which implementation you're using and what your configuration is there, but that's where you want to follow up on this and reassign your bug report if needed. Regards, Andreas Henriksson
Bug#916506: /usr/bin/logger: /usr/bin/logger allows anyone to write to /var/log/syslog
Package: bsdutils Version: 1:2.29.2-1+deb9u1 Severity: normal File: /usr/bin/logger Dear Maintainer, I was surprised to find that I can write anything I want to /var/log/syslog using the /usr/bin/logger program as a non-root user. My user account has no permissions on /var/log/syslog, it can't even read it. -- System Information: Debian Release: 9.6 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-8-amd64 (SMP w/6 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages bsdutils depends on: ii libc62.24-11+deb9u3 ii libsystemd0 232-25+deb9u6 Versions of packages bsdutils recommends: ii bsdmainutils 9.0.12+nmu1 bsdutils suggests no packages. -- no debconf information