Bug 100616 - [patch] [syslog.conf] lines after exclamation point ignored
Summary: [patch] [syslog.conf] lines after exclamation point ignored
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: conf (show other bugs)
Version: 6.1-RELEASE
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-bugs mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-07-20 18:50 UTC by Royce D. Williams
Modified: 2017-12-31 22:23 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Royce D. Williams 2006-07-20 18:50:12 UTC
Parsing of the exclamation point in the default /etc/syslog.conf appears
to cause all lines after those lines to be ignored, even if those lines
are commented out.

This has been verified on various 4.x and 5.x boxes as well.

If this is a side effect of expected behavior, then this behavior may
need to be modified, as it is intuitive that adding a simple line to the
end of
syslog.conf should Just Work.

Fix: 

Not known.
How-To-Repeat: 1. Install stock 6.1.
2. Add an entry to the bottom of syslog.conf, as in:

--- syslog.conf Sat May  6 20:00:23 2006
+++ syslog.conf.test    Thu Jul 20 08:24:23 2006
@@ -30,3 +30,4 @@
 *.*                                            /var/log/slip.log
 !ppp
 *.*                                            /var/log/ppp.log
+auth.*                                         /var/log/test.log

3. # touch /var/log/test.log
4. # chmod u+w /var/log/test.log
5. # kill -HUP `cat /var/run/syslog.pid`
6. Perform an action that will generate an auth-level syslog event, such as logging in, using su, etc.
7. Verify that no entry has been written to /var/log/test.log
8. Comment out all four lines:

--- syslog.conf Sat May  6 20:00:23 2006
+++ syslog.conf.test    Thu Jul 20 09:33:10 2006
@@ -26,7 +26,8 @@
 # news.crit                                    /var/log/news/news.crit
 # news.err                                     /var/log/news/news.err
 # news.notice                                  /var/log/news/news.notice
-!startslip
-*.*                                            /var/log/slip.log
-!ppp
-*.*                                            /var/log/ppp.log
+#!startslip
+#*.*                                           /var/log/slip.log
+#!ppp
+#*.*                                           /var/log/ppp.log
+auth.*                                         /var/log/test.log

9. # kill -HUP `cat /var/run/syslog.pid`
10. Perform an action that will generate an auth-level syslog event, such as logging in, using su, etc.
11. Verify that no entry has been written to /var/log/test.log
12.  Move the test line above the four slip/PPP lines:

--- syslog.conf Sat May  6 20:00:23 2006
+++ syslog.conf.test    Thu Jul 20 09:34:19 2006
@@ -26,7 +26,8 @@
 # news.crit                                    /var/log/news/news.crit
 # news.err                                     /var/log/news/news.err
 # news.notice                                  /var/log/news/news.notice
-!startslip
-*.*                                            /var/log/slip.log
-!ppp
-*.*                                            /var/log/ppp.log
+auth.*                                         /var/log/test.log
+#!startslip
+#*.*                                           /var/log/slip.log
+#!ppp
+#*.*                                           /var/log/ppp.log

13. # kill -HUP `cat /var/run/syslog.pid`
14. Perform an action that will generate an auth-level syslog event, such as logging in, using su, etc.
15. Verify that writes are now working to /var/log/test.log
Comment 1 dwmalone 2008-10-03 21:18:41 UTC
Hi Royce,

I think this is a consequence of the program specification feature
of syslogd - have a look at the syslog.conf man page and search for
"program specification".

As a documented feature, it is probably not something that we can
change.  However, we could add a warning to syslog.conf.

	David.
Comment 2 Royce D. Williams 2008-10-07 01:08:08 UTC
Hello, David - thanks for the informative response!  Looking back at
the commits, I see that you're familiar with syslogd.c.

David Malone wrote, on 10/3/2008 12:18 PM:
> I think this is a consequence of the program specification feature
> of syslogd - have a look at the syslog.conf man page and search for
> "program specification".

Ah, I think that I get it.  I do think that there's still a remaining
bug, though; I talk about that near the end.

> As a documented feature, it is probably not something that we can
> change.  

The syslog.conf manpage says that respecting '#!' is to maintain 
compatibility with a previous version of syslog.  Looking back at 
syslog.conf and syslogd.c, it looks like support for this was added 
in rev 1.3 back in December 1994, but I don't see anything that shows 
when the previous version of syslog was replaced.

It may be difficult to gauge how many people are using this legacy 
functionality, but my instinct is that giving some warning and then 
dropping support for '#!' (while keeping support for '!' without the 
'#' in front of it) may be warranted.  The syslog.conf comments 
mention cross-platform compatibility, and I don't know if any other 
OSes still use '#!', so that may be an issue.

That being said, having the same single character be both a comment 
character and a functional one seems like a significant POLA violation
to me.  I'm not aware of any other instance of that.

> However, we could add a warning to syslog.conf.

Agreed.  Perhaps just above the examples themselves, as in:

--- syslog.conf 2005-03-12 03:31:16.000000000 -0900
+++ syslog.conf.new     2008-10-06 16:02:09.000000000 -0800
@@ -26,6 +26,10 @@
 # news.crit                                    /var/log/news/news.crit
 # news.err                                     /var/log/news/news.err
 # news.notice                                  /var/log/news/news.notice
+#   Commenting out program specifications will not work as expected.
+#   For backwards compatibility with the previous syslog, lines
+#   starting with '#!' have a purpose and are NOT commented out.
+#   See 'program specification' in the syslog.conf(5) manpage.
 !startslip
 *.*                                            /var/log/slip.log
 !ppp

... or something less chatty.  Is sending this to you sufficient, or 
should I add it to the PR?

Now about the possible bug.  Even if commenting out the !startslip 
doesn't really comment it out, but instead triggers this legacy 
support, why would all subsequent unrelated configuration lines get 
ignored?  From my testing, any lines added after the example '!' lines
are ignored entirely.  Surely that's not part of the functionality?  
Or am I missing something?  Are you able to recreate the symptom that 
I'm seeing, as described in the PR?

Royce

-- 
Royce D. Williams                                   - http://royce.ws/
 Adding manpower to a late software project makes it later.  - Brooks
Comment 3 dwmalone 2008-10-07 09:42:50 UTC
> The syslog.conf manpage says that respecting '#!' is to maintain 
> compatibility with a previous version of syslog.  Looking back at 
> syslog.conf and syslogd.c, it looks like support for this was added 
> in rev 1.3 back in December 1994, but I don't see anything that shows 
> when the previous version of syslog was replaced.

I think the idea is that you could share a syslog.conf between
machines, some of which support the "#!" notation and some of which
don't. For example, we used to share a syslog.conf between FreeBSD
and SunOS machines.

> +#   Commenting out program specifications will not work as expected.
> +#   For backwards compatibility with the previous syslog, lines
> +#   starting with '#!' have a purpose and are NOT commented out.
> +#   See 'program specification' in the syslog.conf(5) manpage.

Something like this would be good...

> ... or something less chatty.  Is sending this to you sufficient, or 
> should I add it to the PR?

Personally, I think snappier would be better I think - how about:

# NB: To comment out lines starting with a "!" use "##" - see syslog.conf(5).

> Now about the possible bug.  Even if commenting out the !startslip 
> doesn't really comment it out, but instead triggers this legacy 
> support, why would all subsequent unrelated configuration lines get 
> ignored?  From my testing, any lines added after the example '!' lines
> are ignored entirely.  Surely that's not part of the functionality?  
> Or am I missing something?  Are you able to recreate the symptom that 
> I'm seeing, as described in the PR?

The program specification (or a host specification) applies to all
subsequent lines, until it is reset. To reset it, you need to have
a line that says:

!*

or the equivelent "#!*". This is explained in the man page below
in the paragraph after host specifications, but we've had several
people confused about it, so I suspect the man page is not clear
enough. If you have an idea bout how to make it clearer, let me
know!

	David.
Comment 4 Royce D. Williams 2008-10-07 20:08:29 UTC
David Malone wrote, on 10/7/2008 12:42 AM:
> Personally, I think snappier would be better I think - how about:
> 
> # NB: To comment out lines starting with a "!" use "##" - see syslog.conf(5).

Agreed - short, to the point.

>> Now about the possible bug.  Even if commenting out the !startslip 
>> doesn't really comment it out, but instead triggers this legacy 
>> support, why would all subsequent unrelated configuration lines get 
>> ignored?  From my testing, any lines added after the example '!' lines
>> are ignored entirely.  Surely that's not part of the functionality?  
>> Or am I missing something?  Are you able to recreate the symptom that 
>> I'm seeing, as described in the PR?
> 
> The program specification (or a host specification) applies to all
> subsequent lines, until it is reset. To reset it, you need to have
> a line that says:
> 
> !*
> 
> or the equivelent "#!*". This is explained in the man page below
> in the paragraph after host specifications, but we've had several
> people confused about it, so I suspect the man page is not clear
> enough. If you have an idea bout how to make it clearer, let me
> know!

Ah.  That's what I get for only reading that paragraph!

Since the existing stock syslog.conf doesn't have these resets,
then as written, they're incomplete and should probably be fixed
as follows:


+++ syslog.conf.new     2008-10-07 11:03:08.000000000 -0800
@@ -26,7 +26,10 @@
 # news.crit                                    /var/log/news/news.crit
 # news.err                                     /var/log/news/news.err
 # news.notice                                  /var/log/news/news.notice
+# NB: To comment out lines starting with a "!" use "##" - see syslog.conf(5).
 !startslip
 *.*                                            /var/log/slip.log
+!*
 !ppp
 *.*                                            /var/log/ppp.log
+!*

... or something similar?

In this way, POLA is restored -- unsuspecting users can add new lines 
without being caught in the same way that I was.

Royce


-- 
Royce D. Williams                                   - http://royce.ws/
Progress is made by lazy men looking for easier ways to do things.~RAH
Comment 5 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:58:49 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped