FS#22153 - [syslog-ng] create /dev/log as a unix-dgram socket instead of stream

Attached to Project: Arch Linux
Opened by Dave Reisner (falconindy) - Monday, 20 December 2010, 13:56 GMT
Last edited by Eric Belanger (Snowman) - Monday, 14 February 2011, 05:24 GMT
Task Type Feature Request
Category Packages: Core
Status Closed
Assigned To Eric Belanger (Snowman)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

We currently ship a syslog-ng.conf file which opens /dev/log as a stream socket instead of a datagram socket. I would like to propose that we change this to a unix-dgram. This is a very simple change and only requires modifying a single line in the conf file that we ship.

Rationale:
1) Security -- /dev/log used to be a stream socket by default, circa 1999. Unfortunately, I can't get a link to the security issue in question, because the site is currently down, but [1] has a reference to it. glibc (as of libc6) by default will always try to open /dev/log as a DGRAM socket first.
2) Lower overhead -- Balazs Scheidler, the maintainer of syslog-ng wrongly claims in the syslog-ng FAQ [2] that a SOCK_STREAM is "better" because it doesn't lose messages like a SOCK_DGRAM. He corrects himself [3], as the linux implementation of SOCK_DGRAM type unix socket is not actually prone to losing data.
3) Many other major implementations of system loggers (such as rsyslog or klogd) use a DGRAM socket.

[1] http://marc.info/?l=syslog-ng&m=110742184716042&w=2
[2] http://www.campin.net/syslog-ng/faq.html#AEN191
[3] https://lists.balabit.hu/pipermail/syslog-ng/2008-April/011605.html
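The proposed change is a one-line edit to the shipped syslog-ng.conf (assumed here to be swapping the unix-stream() source driver on /dev/log for unix-dgram()). The following is an added example, not code from the bug report or from syslog-ng, for checking which socket type a logger actually exposes at a given path: it tries SOCK_DGRAM before SOCK_STREAM, the same order the report attributes to glibc, and then shows that each datagram sent to a dgram socket arrives at the reader as one intact record with no framing needed. It uses only the Python standard library; the listener paths and messages are constructed in a temporary directory, so it never touches the real /dev/log.

```python
"""Probe a syslog socket path the way glibc's syslog(3) is described to:
SOCK_DGRAM first, SOCK_STREAM as the fallback.

Added example, not part of the Arch bug report; all socket paths and
messages below are constructed in a temporary directory.
"""
import os
import socket
import tempfile


def probe_socket_type(path):
    """Return 'dgram', 'stream' or 'none' for the unix socket bound at path.

    A connect() with the wrong socket type fails with EPROTOTYPE on Linux,
    and a path with nothing bound fails with ENOENT/ECONNREFUSED, so the
    first type that connects tells us what the logger exposes.
    """
    for kind, name in ((socket.SOCK_DGRAM, "dgram"),
                       (socket.SOCK_STREAM, "stream")):
        s = socket.socket(socket.AF_UNIX, kind)
        try:
            s.connect(path)
            return name
        except OSError:
            continue  # wrong type, or nothing listening; try the next type
        finally:
            s.close()
    return "none"


def make_listener(directory, kind, name):
    """Bind a unix socket of the given type under directory; listen() if stream."""
    path = os.path.join(directory, name)
    srv = socket.socket(socket.AF_UNIX, kind)
    srv.bind(path)
    if kind == socket.SOCK_STREAM:
        srv.listen(1)
    return srv


def demo():
    """Set up one listener of each type, probe them, then show dgram records.

    Returns a dict so the results can be checked rather than only printed.
    """
    with tempfile.TemporaryDirectory() as d:
        dgram_srv = make_listener(d, socket.SOCK_DGRAM, "log-dgram")
        stream_srv = make_listener(d, socket.SOCK_STREAM, "log-stream")
        results = {
            "dgram_path": probe_socket_type(dgram_srv.getsockname()),
            "stream_path": probe_socket_type(stream_srv.getsockname()),
            "missing_path": probe_socket_type(os.path.join(d, "absent")),
        }

        # Record boundaries: every sendto() on a dgram socket is delivered
        # to the reader as exactly one recv(), so the logger never has to
        # split a byte stream into messages. Constructed sample messages.
        msgs = [b"<13>Dec 20 13:56:00 host prog: one",
                b"<13>Dec 20 13:56:01 host prog: two"]
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        for m in msgs:
            cli.sendto(m, dgram_srv.getsockname())
        cli.close()
        results["received"] = [dgram_srv.recv(4096) for _ in msgs]

        dgram_srv.close()
        stream_srv.close()
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it as-is to see the probe distinguish the two socket types; pointing probe_socket_type() at /dev/log on a live system is a quick way to confirm the conf change took effect after restarting syslog-ng.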

Closed by Eric Belanger (Snowman)
Monday, 14 February 2011, 05:24 GMT
Reason for closing: Implemented
Additional comments about closing: syslog-ng 3.2.2-1
Comment by Leonid Isaev (lisaev) - Saturday, 01 January 2011, 15:52 GMT
Apparently, Debian people have been raising similar proposals since 2006:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=384802