Bug 192827 - `syslogd -s` listens on 514/udp6
Summary: `syslogd -s` listens on 514/udp6
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 10.0-RELEASE
Hardware: amd64 Any
Importance: --- Affects Some People
Assignee: freebsd-bugs mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-08-19 10:48 UTC by florian.ermisch
Modified: 2014-09-16 08:46 UTC

See Also:


Attachments

Description florian.ermisch 2014-08-19 10:48:26 UTC
We got a server running 10.0-RELEASE-p7 with rsyslogd (installed via pkg) to 
receive logs via TCP. As rsyslogd failed to log local messages I've disabled 
local logging by rsyslogd and re-enabled syslogd in rc.conf adding '-s' to the 
flags b/c the manpage states:

     -s      Operate in secure mode.  Do not log messages from remote
             machines.  If specified twice, no network socket will be opened
             at all, which also disables logging to remote machines.

user@sysloghost:~% grep syslog /etc/rc.conf
hostname="sysloghost.domain.tld"
syslogd_enable="YES"
syslogd_flags="-s -v -v"
rsyslogd_enable="YES"

A few hours ago I checked on rsyslogd b/c of some monitoring glitch, ran 
`sockstat(1)` and was surprised seeing syslogd listening on 514/udp6:

user@sysloghost:~% sockstat | grep syslog
root     syslogd    68516 4  dgram  /var/run/log
root     syslogd    68516 5  dgram  /var/run/logpriv
root     syslogd    68516 6  udp6   *:514                 *:*  <=========
root     rsyslogd   25668 0  udp4   *:514                 *:*
root     rsyslogd   25668 1  tcp4   ${SYSLOG_IP}:514     ${SYSLOG_CL1}:47563
root     rsyslogd   25668 3  tcp6   *:514                 *:*
root     rsyslogd   25668 4  tcp4   *:514                 *:*
root     rsyslogd   25668 5  tcp4   ${SYSLOG_IP}:514     ${SYSLOG_CL2}:41922
root     rsyslogd   25668 7  tcp4   ${SYSLOG_IP}:514     ${SYSLOG_CL3}:48601
root     rsyslogd   25668 9  tcp4   ${SYSLOG_IP}:514     ${SYSLOG_CL4}:60310

Right now that's no problem for us as the setup is currently IPv4 only but 
clearly isn't what the manpage states and might cause problems in a similar
setup with IPv6.
Comment 1 Alexandr Krivulya 2014-08-19 11:10:57 UTC
Using -s doesn't disable listening socket.
To disable syslogd's network socket you must use "-s -s".
Comment 2 florian.ermisch 2014-08-19 18:17:46 UTC
You're right, I just took a quick glance at the part of the manpage I've pasted 
earlier today and just read "Operate in secure mode.  Do not log messages from 
remote machines.  ... no network socket will be opened at all".
Maybe the "If specified twice" should be bold or something so it's harder to
overlook.

Can someone give me a use case for `syslogd -s` (opening the UDP socket but 
apparently not logging received log messages)? I can't imagine any common 
use case for this behaviour (only, like, "implementing a syslog blackhole on your 
network"). And '-s' only circumvents a malicious host filling the log server's 
disks with garbage but seems to still allow traffic to be directed at syslogd.
Comment 3 Ed Maste freebsd_committer 2014-09-14 14:18:14 UTC
The use case for -s is to allow sending log messages to a remote server over UDP, but not accept messages from others.
Comment 4 florian.ermisch 2014-09-16 08:46:01 UTC
(In reply to Ed Maste from comment #3)
> The use case for -s is to allow sending log messages to a remote server over
> UDP, but not accept messages from others.

So I guess I'm right that `syslogd -s` shouldn't be listening on 514/udp6 because it's only supposed to send data.
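The thread boils down to two checks a practitioner would want to script: does the `syslogd_flags` value in rc.conf actually contain `-s` twice (comment 1), and does the running syslogd still hold a UDP/TCP socket after the change (the `sockstat` listing in the report, and comment 3's point that a single `-s` keeps the socket for sending). The shell script below is an added example, not code from the bug report or from FreeBSD; the rc.conf and sockstat text it runs over is constructed from the listings above, and the `${SYSLOG_IP}` placeholders are the reporter's, not real addresses.

```shell
#!/bin/sh
# Added example (not part of the bug report): audit syslogd's rc.conf flags
# and its open sockets. Constructed samples modelled on the report's listings.

SAMPLE_RCCONF='hostname="sysloghost.domain.tld"
syslogd_enable="YES"
syslogd_flags="-s -v -v"
rsyslogd_enable="YES"'

SAMPLE_SOCKSTAT='root     syslogd    68516 4  dgram  /var/run/log
root     syslogd    68516 5  dgram  /var/run/logpriv
root     syslogd    68516 6  udp6   *:514                 *:*
root     rsyslogd   25668 0  udp4   *:514                 *:*
root     rsyslogd   25668 3  tcp6   *:514                 *:*'

# Print the value of syslogd_flags from rc.conf text on stdin (last one wins,
# as the shell sourcing rc.conf would see it).
rc_syslogd_flags() {
    sed -n 's/^syslogd_flags="\([^"]*\)"[[:space:]]*$/\1/p' | tail -n 1
}

# True if the flags request "no network socket at all", i.e. -s given twice.
# Counts every "s" inside option clusters (-s, -ss, -sv); tokens that do not
# look like an option cluster are assumed to be option arguments (-l path,
# -b host, ...) and ignored. Assumption: no option argument starts with "-".
flags_fully_secure() {
    count=$(printf '%s\n' "$1" | awk '{
        n = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /^-[A-Za-z]+$/) n += gsub(/s/, "s", $i)
        print n
    }')
    [ "$count" -ge 2 ]
}

# Print "PROTO LOCALADDR" for every udp*/tcp* socket held by command $1,
# reading sockstat(1) output on stdin. Unix-domain dgram sockets
# (/var/run/log, /var/run/logpriv) are expected even under -ss and skipped.
net_sockets_for() {
    awk -v cmd="$1" '$2 == cmd && $5 ~ /^(udp|tcp)[46]?$/ { print $5, $6 }'
}

# Combine both checks: flags from rc.conf text ($1) and sockstat text ($2).
# Exit 0 only when the flags ask for no network socket AND syslogd holds none.
audit_syslogd() {
    flags=$(printf '%s\n' "$1" | rc_syslogd_flags)
    sockets=$(printf '%s\n' "$2" | net_sockets_for syslogd)
    status=0
    if ! flags_fully_secure "$flags"; then
        echo "syslogd_flags=\"$flags\": -s is not given twice, socket will stay open"
        status=1
    fi
    if [ -n "$sockets" ]; then
        echo "syslogd still holds network socket(s):"
        echo "$sockets"
        status=1
    fi
    return $status
}

# Demonstration on the constructed samples: "-s -v -v" keeps the udp6
# socket the reporter saw, so the audit fails. Non-zero exit here is the
# expected result of the demo, not a script error.
audit_syslogd "$SAMPLE_RCCONF" "$SAMPLE_SOCKSTAT" || true
```

On a live host replace the samples with `cat /etc/rc.conf` and `sockstat -l` output; after switching to `syslogd_flags="-ss"` and restarting syslogd, `net_sockets_for syslogd` should print nothing. The flag counting is a heuristic over rc.conf text, so the sockstat check is the one that reflects what the daemon actually did.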