| Summary: | syslogd(8) does not update hostname | ||
|---|---|---|---|
| Product: | Base System | Reporter: | cjclark <cjclark> |
| Component: | bin | Assignee: | Crist J. Clark <cjc> |
| Status: | Closed FIXED | ||
| Severity: | Affects Only Me | CC: | current |
| Priority: | Normal | ||
| Version: | 5.0-CURRENT | ||
| Hardware: | Any | ||
| OS: | Any | ||
cjclark@reflexcom.com writes:
> I propose that syslogd(8) should reload the hostname with a
> SIGHUP. I cannot think of any reason that one should not update the
> hostname, but as I pointed out, there are reasons why one would want
> that behavior.

It should also log a message if the hostname changes.

DES
--
Dag-Erling Smorgrav - des@ofug.org

On Fri, Jan 19, 2001 at 12:32:53PM +0100, Dag-Erling Smorgrav wrote:
> cjclark@reflexcom.com writes:
> > I propose that syslogd(8) should reload the hostname with a
> > SIGHUP. I cannot think of any reason that one should not update the
> > hostname, but as I pointed out, there are reasons why one would want
> > that behavior.
>
> It should also log a message if the hostname changes.

Should that be a responsibility of syslogd(8) or hostname(1)?

Personally, it might be a slippery slope to start adding things that syslogd(8) should maintain state on, but since syslogd(8) actually uses the hostname... One also could start arguing that syslogd(8) should check the hostname every time it logs something despite the performance hit.

As for what syslogd(8) does now, if you look at the example output in the PR, notice syslogd(8) didn't even log when it was HUP'ed.

IMHO, I think it is beyond the scope of syslogd(8) to actually track changes in the hostname in real-time. Noticing a change when given a HUP signal would seem reasonable, but if hostname(1) were to log changes, that would also be fairly redundant.
--
Crist J. Clark cjclark@alum.mit.edu

"Crist J. Clark" <cjclark@reflexnet.net> writes:
> On Fri, Jan 19, 2001 at 12:32:53PM +0100, Dag-Erling Smorgrav wrote:
> > It should also log a message if the hostname changes.
> Should that be a responsibility of syslogd(8) or hostname(1)?

I meant syslogd(8), but putting it in hostname(1) might make sense, except that hostname(1) is not the only way to set the hostname ('sysctl -w kern.hostname=foo' is another)

DES
--
Dag-Erling Smorgrav - des@ofug.org

On Fri, Jan 19, 2001 at 11:09:24PM +0100, Dag-Erling Smorgrav wrote:
> "Crist J. Clark" <cjclark@reflexnet.net> writes:
> > On Fri, Jan 19, 2001 at 12:32:53PM +0100, Dag-Erling Smorgrav wrote:
> > > It should also log a message if the hostname changes.
> > Should that be a responsibility of syslogd(8) or hostname(1)?
>
> I meant syslogd(8), but putting it in hostname(1) might make sense,
> except that hostname(1) is not the only way to set the hostname
> ('sysctl -w kern.hostname=foo' is another)

How about just logging a sethostname(3) call? But anyway, syslogd(8) does not track the state of any other system parameters, I think asking syslogd(8) to notice a change in the hostname on its own in a real-time fashion is beyond its scope.

That said, I agree that syslogd(8) making a note when its own idea of the hostname changes would be useful. If one is analyzing logs, an entry indicating that messages from a given machine no longer will be labeled as coming from 'foo' but 'foobar' would be very helpful.

Patches, patches, patches:

--- usr.sbin/syslogd/syslogd.c 2001/01/18 08:06:34 1.1 +++ usr.sbin/syslogd/syslogd.c 2001/01/21 00:55:53 1.3 @@ -318,7 +318,7 @@ struct sockaddr_un sunx, fromunix; struct sockaddr_storage frominet; FILE *fp; - char *p, *hname, line[MAXLINE + 1]; + char *hname, line[MAXLINE + 1]; struct timeval tv, *tvp; struct sigaction sact; sigset_t mask; 
@@ -395,12 +395,6 @@ consfile.f_type = F_CONSOLE; (void)strcpy(consfile.f_un.f_fname, ctty + sizeof _PATH_DEV - 1); - (void)gethostname(LocalHostName, sizeof(LocalHostName)); - if ((p = strchr(LocalHostName, '.')) != NULL) { - *p++ = '\0'; - LocalDomain = p; - } else - LocalDomain = ""; (void)strcpy(bootfile, getbootfile()); (void)signal(SIGTERM, die); (void)signal(SIGINT, Debug ? die : SIG_IGN); @@ -1340,10 +1334,23 @@ char cline[LINE_MAX]; char prog[NAME_MAX+1]; char host[MAXHOSTNAMELEN+1]; + char oldLocalHostName[MAXHOSTNAMELEN+1]; + char hostMsg[2*(MAXHOSTNAMELEN+1)+40]; dprintf("init\n"); /* + * Load hostname (may have changed) + */ + strncpy(oldLocalHostName, LocalHostName, sizeof(LocalHostName)); + (void)gethostname(LocalHostName, sizeof(LocalHostName)); + if ((p = strchr(LocalHostName, '.')) != NULL) { + *p++ = '\0'; + LocalDomain = p; + } else + LocalDomain = ""; + + /* * Close all open log files. */ Initialized = 0; @@ -1492,6 +1499,17 @@ logmsg(LOG_SYSLOG|LOG_INFO, "syslogd: restart", LocalHostName, ADDDATE); dprintf("syslogd: restarted\n"); + /* + * Log a change in hostname, but only on a restart + */ + if ((signo != 0) && + (strncmp(oldLocalHostName, LocalHostName, sizeof(LocalHostName)) != 0)) { + snprintf(hostMsg, sizeof(hostMsg), + "syslogd: hostname changed, \"%s\" to \"%s\"", + oldLocalHostName, LocalHostName); + logmsg(LOG_SYSLOG|LOG_INFO, hostMsg, LocalHostName, ADDDATE); + dprintf("%s\n", hostMsg); + } } /*
--
Crist J. Clark cjclark@alum.mit.edu

"Crist J. Clark" <cjclark@reflexnet.net> writes:
> How about just logging a sethostname(3) call?

Still doesn't help. There are (at least) two different ways of setting the hostname, one being a syscall and the other being a sysctl. One could of course have the kernel print a message to the console about it, syslogd(8) would pick that up.

DES
--
Dag-Erling Smorgrav - des@ofug.org

> the hostname, one being a syscall and the other being a sysctl. One
> could of course have the kernel print a message to the console about
> it, syslogd(8) would pick that up.
Yes, I was about to propose this, but then I thought: why? If we go this way,
then we should definitely also log an IP address change, maybe even our default
router change MAC address... why not even hardware changes since last reboot?
Working in a security job, I can understand worries about important events
going unnoticed. But doing this in kernel is IMHO overkill, maybe it could be
interesting for TrustedBSD, but not in the normal kernel; at least, it should
be configurable at both compile time and runtime (high securelevel and/or a
sysctl).
The Right Way (tm) to do this is to use (or write) a host intrusion detection
system.
Having said this, the proposed patch looks fine to me and I think it should be
committed.
Bye,
Andrea
--
Speak softly and carry a cellular phone.
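
Review bot: in the init() hunk (@@ -1340,10 +1334,23 @@) of the 1.1 to 1.3 patch in Crist J. Clark's message above, strncpy(oldLocalHostName, LocalHostName, sizeof(LocalHostName)) bounds the copy by the size of the source rather than the destination, and strncpy() does not terminate the result when the source fills the bound. Use sizeof(oldLocalHostName) as the bound and write a '\0' into the last byte of oldLocalHostName afterwards, since the string is later passed to snprintf() with "%s".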
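
Review bot: in the last hunk (@@ -1492,6 +1499,17 @@) of the same 1.1 to 1.3 patch, the strncmp() runs on names that the init() hunk has already cut at the first '.', so a change that touches only the domain part is picked up without any "hostname changed" entry. Saving the full name as returned by gethostname() before the split and comparing that would cover both parts; the strncmp() bound should also be the size of the smaller of the two buffers rather than sizeof(LocalHostName).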
Responsible Changed
From-To: freebsd-bugs->cjc

Over to originator. (FWIW, I don't think syslogd or hostname should log a hostname change; that's the job of the kernel. See PR 26787)

State Changed
From-To: open->closed

Functionality added to -CURRENT and -STABLE.
Many tools and programs within FreeBSD date back to a time when it was expected that a machine's IP and hostname seldom, if ever, changed. Even when an IP and hostname were received at boot, it rarely changed until shutdown. With many users using protocols like DHCP where IP and hostname change with time, many tools do not deal well with this behavior.

One of these tools is syslogd(8). syslogd(8) is typically started at boot time and runs until shutdown. However, syslogd(8) loads the hostname at startup and syslogd(8)'s idea of the hostname can never change while it is running. One might expect that a SIGHUP would cause syslogd(8) to load the new hostname since a SIGHUP can cause syslogd(8) to re-read its configuration file and re-open the log files, but it does not.

The fact that the hostname does not change can cause confusion in the log files. It could be especially troublesome when a machine is logging to a central loghost. At any given time, the names in the log files may not have any correspondence to the names the hosts currently have. There are even issues on a host that gets its IP and hostname via DHCP at boot and the name never changes. syslogd(8) is started before any network services are initialized in /etc/rc.

I propose that syslogd(8) should reload the hostname with a SIGHUP. I cannot think of any reason that one should not update the hostname, but as I pointed out, there are reasons why one would want that behavior.

Fix:

I do not see any reason we cannot move the code that gets the hostname from the main() function into init(). init() is called to "reload" settings. The hostname is never used in main() before init() is called. The patch is against -CURRENT and my box has not exploded yet. Here is what the above test looks like with the change in place.
# hostname -s
bubbles
# hostname bubbles-test.cjclark.org
# kill -HUP `cat /var/run/syslog.pid `
# logger -p user.notice "syslogd hostname test"
# hostname bubbles.cjclark.org
# kill -HUP `cat /var/run/syslog.pid `
# logger -p user.notice "syslogd hostname test"
# tail -4 /var/log/messages
Jan 18 13:36:58 bubbles su: BAD SU cjc to root on /dev/ttyp0
Jan 18 13:37:03 bubbles su: cjc to root on /dev/ttyp0
Jan 18 13:38:40 bubbles-test cjc: syslogd hostname test
Jan 18 13:39:11 bubbles cjc: syslogd hostname test

--- syslogd.c 2001/01/18 08:06:34 +++ syslogd.c 2001/01/18 08:09:23 @@ -395,12 +395,6 @@ consfile.f_type = F_CONSOLE; (void)strcpy(consfile.f_un.f_fname, ctty + sizeof _PATH_DEV - 1); - (void)gethostname(LocalHostName, sizeof(LocalHostName)); - if ((p = strchr(LocalHostName, '.')) != NULL) { - *p++ = '\0'; - LocalDomain = p; - } else - LocalDomain = ""; (void)strcpy(bootfile, getbootfile()); (void)signal(SIGTERM, die); (void)signal(SIGINT, Debug ? die : SIG_IGN); @@ -1342,6 +1336,16 @@ char host[MAXHOSTNAMELEN+1]; dprintf("init\n"); + + /* + * Load hostname (may have changed) + */ + (void)gethostname(LocalHostName, sizeof(LocalHostName)); + if ((p = strchr(LocalHostName, '.')) != NULL) { + *p++ = '\0'; + LocalDomain = p; + } else + LocalDomain = ""; /* * Close all open log files.

How-To-Repeat:

# hostname -s
bubbles
# hostname bubbles-test.domain.org
# kill -HUP `cat /var/run/syslog.pid`
# logger -p user.notice "hostname test"
# tail -4 /var/log/messages
Jan 17 21:45:00 bubbles /boot/kernel/kernel: acd0: CDROM <CD-532E-A> at ata0-slave using BIOSPIO
Jan 17 21:45:00 bubbles /boot/kernel/kernel: Mounting root from ufs:/dev/ad0s1a
Jan 18 00:41:14 bubbles su: cjc to root on /dev/ttyp0
Jan 18 00:58:34 bubbles cjc: hostname test
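
Review bot: in the init() hunk (@@ -1342,6 +1336,16 @@) of the Fix patch, the result of gethostname() is cast away, so if the call fails on a SIGHUP and leaves the buffer as it was, strchr() runs over the previous name, which was already cut at its '.', and LocalDomain is reset to "" with no indication. Check the return value and keep the previous host and domain on failure, and write a '\0' into the last byte of LocalHostName after a successful call, since a truncated name is not guaranteed to be terminated.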
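
The reload-and-compare step this PR proposes, written as a stand-alone C sketch; it is an added example, not the syslogd source or the submitted patch. The names `struct hoststate`, `update_hostname`, `reload_hostname` and `HOSTBUF` are assumptions made here, and it goes beyond the patch by also reporting a domain-only change.

```c
#define _POSIX_C_SOURCE 200112L
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define HOSTBUF 257                 /* assumed size for this sketch */

struct hoststate {
    char host[HOSTBUF];             /* text before the first '.' */
    char domain[HOSTBUF];           /* text after the first '.', or "" */
};

/* Split fqdn into *st and return what changed: bit 0 = short name,
 * bit 1 = domain. Copies are bounded by the destination and terminated. */
int update_hostname(struct hoststate *st, const char *fqdn)
{
    struct hoststate old = *st;
    const char *dot = strchr(fqdn, '.');
    size_t hlen = dot ? (size_t)(dot - fqdn) : strlen(fqdn);

    if (hlen >= sizeof(st->host))
        hlen = sizeof(st->host) - 1;
    memcpy(st->host, fqdn, hlen);
    st->host[hlen] = '\0';
    snprintf(st->domain, sizeof(st->domain), "%s", dot ? dot + 1 : "");

    return (strcmp(old.host, st->host) != 0 ? 1 : 0) |
           (strcmp(old.domain, st->domain) != 0 ? 2 : 0);
}

/* What a SIGHUP-driven reload would call. On failure the previous
 * state is kept; a truncated name is terminated explicitly. */
int reload_hostname(struct hoststate *st)
{
    char buf[HOSTBUF];

    if (gethostname(buf, sizeof(buf)) != 0)
        return -1;
    buf[sizeof(buf) - 1] = '\0';
    return update_hostname(st, buf);
}

int main(void)
{
    struct hoststate st = { "", "" };
    int changed = reload_hostname(&st);
    printf("changed=%d host=\"%s\" domain=\"%s\"\n", changed, st.host, st.domain);
    return 0;
}
```

A caller that wants the patch's behaviour of staying quiet at startup would ignore the return value of the first call and log only on later reloads.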