| Summary: | rc.conf should have '-s' for syslogd options | ||
|---|---|---|---|
| Product: | Base System | Reporter: | toasty <toasty> |
| Component: | conf | Assignee: | bill fumerola <billf> |
| Status: | Closed FIXED | ||
| Severity: | Affects Only Me | ||
| Priority: | Normal | ||
| Version: | 3.2-STABLE | ||
| Hardware: | Any | ||
| OS: | Any | ||
On Tue, 28 Dec 1999 02:23:40 CST, Kevin Day wrote:
> FreeBSD systems ship with syslogd enabled, but not with -s added to the
> command line. If the goal is to make systems secure 'out of the box', it
> would probably be wise to add -s.
Don't you think it'd be even wiser to add -ss, once PR 15414 is
resolved?
Ciao,
Sheldon.
Responsible Changed
From-To: freebsd-bugs->billf
I'll be looking into this (and most likely committing it soon).

State Changed
From-To: open->closed
Committed. Thanks.
To quote syslogd's man page:

The ability to log messages received in UDP packets is equivalent to an unauthenticated remote disk-filling service, and should probably be disabled by default.

FreeBSD systems ship with syslogd enabled, but not with -s added to the command line. If the goal is to make systems secure 'out of the box', it would probably be wise to add -s.

After having a new machine 'remotely disk filled' for me, it occurred to me that changing the default would be good. If an option to make syslogd discard foreign packets silently is desired, I'll whip up a patch.

Fix: change etc/defaults/rc.conf to: ### Network daemon (miscellaneous) & NFS options: ### syslogd_enable="YES" # Run syslog daemon (or NO). -syslogd_flags="" # Flags to syslogd (if enabled). +syslogd_flags="-s" # Flags to syslogd (if enabled).
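
Review bot: the comment on the changed syslogd_flags line is left as "# Flags to syslogd (if enabled)." and does not say what the new default does. With -s, syslogd no longer logs messages from remote machines, so a host that serves as a central log receiver stops collecting them once it picks up this default, unless /etc/rc.conf overrides syslogd_flags. Suggest stating that in the comment, for example: syslogd_flags="-s" # Flags to syslogd (if enabled); -s ignores remote messages.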
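
To check which mode a host will actually start syslogd in, the following added example (not part of the PR and not FreeBSD's own rc code) resolves the effective syslogd_flags from a list of rc.conf-style files and classifies it. The function names, the open/secure/closed labels and the sample files are assumptions made for illustration; only double-quoted assignments and standalone -s / -ss words are recognised.

```sh
#!/bin/sh
# Added example: classify syslogd's network exposure from rc.conf-style files.
# Function names, mode labels and sample files are illustrative assumptions.

# Print the last double-quoted syslogd_flags assignment found in the files,
# read in the order given (later files override earlier ones).
effective_syslogd_flags() {
    cat "$@" 2>/dev/null |
        sed -n 's/^[[:space:]]*syslogd_flags="\([^"]*\)".*/\1/p' |
        tail -n 1
}

# Map a flag string to: open (accepts remote UDP), secure (-s), closed (-ss).
# Simplification: only standalone "-s" and "-ss" words are counted.
syslogd_mode() (
    set -f                      # do not glob-expand words in the flag string
    n=0
    for word in $1; do
        case $word in
            -s)  n=$((n + 1)) ;;
            -ss) n=$((n + 2)) ;;
        esac
    done
    if [ "$n" -ge 2 ]; then echo closed
    elif [ "$n" -eq 1 ]; then echo secure
    else echo open
    fi
)

audit_syslogd() {
    flags=$(effective_syslogd_flags "$@")
    printf 'syslogd_flags="%s" -> %s\n' "$flags" "$(syslogd_mode "$flags")"
}

# Constructed sample: the pre-fix default, then a local override adding -s.
demo=$(mktemp -d)
printf 'syslogd_enable="YES"\nsyslogd_flags=""\t# Flags to syslogd (if enabled).\n' > "$demo/defaults"
printf 'syslogd_flags="-s"\n' > "$demo/local"
audit_syslogd "$demo/defaults"
audit_syslogd "$demo/defaults" "$demo/local"
rm -rf "$demo"
```

On a real system the arguments would be the defaults file followed by the local rc.conf, in that order.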