SUMMARY: syslogd under 4.1.4 ???

From: Stefan Jon Silverman (sjs@sunthing.sjsinc.com)
Date: Wed Jul 12 1995 - 08:39:09 CDT


Folks:

        First the kudos...thanx to:

        Tim Gurbick <teg@logos.ucs.indiana.edu>

        The root of the problem was an error I made in the installation of
the tcp_wrappers program...I stand humbled and apologize for the bandwidth
used by this query. Perhaps this summary will help steer someone else in
the right direction and partially atone for my sins.

        There is still, however, weirdness w/ syslogd in 4.1.4. The goof I
made only served to highlight the problem.

        The part that was my fault concerns reversing the two #defines of
facility and severity in the makefile for tcp_wrappers 7.2 (I was also
upgrading from 6.9 as part of the process -- there was only one define in
this release, severity, and I had to hack the code for the auth facility).

        Because of the way the system defines these two codes (LOG_AUTH is
defined as (4<<3) which becomes 32 in the kernel and LOG_NOTICE is defined
as 5), all of my messages were sent using the *.emerg severity (anything
greater than 10 apparently defaults to 0, which is the LOG_EMERG severity --
there is a warning about this in the tcp_wrappers README file that I only
stumbled on to during debugging), which caused the messages to get sent to all
xterms currently logged in, hence the complaints about root owning all of
the pseudo-tty devices. Once corrected, the messages only get sent to the
console, which is in fact owned by the user logged in because "login" does
the right thing with tty ownership.

        Original query and responses follow....

        thanx,

        b c++'ing u,

        %-) sjs

--------------------------------------------------------------------------------
Stefan Jon Silverman - President, SJS Associates, N.A., Inc.
Distributed Systems Architecture & Implementation
572 Chestnut Street, San Francisco, Ca. 94133
Phone: 415 989 2741    Cell: 415 519 3494
E-mail: sjs@sjsinc.com
--------------------------------------------------------------------------------
                  Weebles wobble, but they don't fall down!!!
--------------------------------------------------------------------------------

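        The following is an added worked example; it is not code from the
posting above or from the tcp_wrappers distribution. It shows how a BSD-style
syslog priority packs the facility (LOG_AUTH, (4<<3) = 32) and the severity
(LOG_NOTICE, 5) into one integer, and what the C library does when the two
tcp_wrappers defines are reversed: the facility bits carried in the syslog()
priority take precedence over the openlog() facility, and the low three bits
of LOG_AUTH are 0, i.e. LOG_EMERG, so every message goes out as auth.emerg.
The function names (decode_pri, effective_pri, defines_consistent) and the
openlog()/syslog() precedence rule as coded here follow the 4.3BSD-derived
libc and are assumptions of the example, not something the posting states.

```c
/* Added example (not code from the original posting or from tcp_wrappers):
 * how a BSD-style syslog priority packs facility and severity into one int,
 * and what happens when the -DFACILITY / -DSEVERITY defines are swapped. */
#include <stdio.h>
#include <syslog.h>

/* Decoded view of a priority word: the facility keeps its <<3 encoding
 * (LOG_AUTH == 32), the severity is the low three bits (LOG_EMERG == 0). */
struct pri_parts {
    int facility;
    int severity;
};

struct pri_parts decode_pri(int pri)
{
    struct pri_parts p;
    p.facility = pri & LOG_FACMASK;   /* bits 3..9 */
    p.severity = LOG_PRI(pri);        /* bits 0..2 */
    return p;
}

/* Priority that reaches syslogd when a program does
 *     openlog(ident, opts, facility);  syslog(pri, ...);
 * Assumption (4.3BSD-derived libc, which SunOS 4.1.x follows): a facility
 * carried in pri wins; the openlog() facility is only used when pri has no
 * facility bits set. */
int effective_pri(int openlog_facility, int syslog_pri)
{
    if ((syslog_pri & LOG_FACMASK) == 0)
        return openlog_facility | LOG_PRI(syslog_pri);
    return syslog_pri;
}

/* Sanity check for a FACILITY/SEVERITY pair the way tcp_wrappers uses them:
 * the facility must consist of facility bits only (and be non-zero), the
 * severity must fit in three bits. Returns 1 when the pair is consistent,
 * 0 when it is not (for instance when the two defines were swapped). */
int defines_consistent(int facility_def, int severity_def)
{
    int fac_ok = (facility_def & LOG_FACMASK) == facility_def && facility_def != 0;
    int sev_ok = (severity_def & ~LOG_PRIMASK) == 0;
    return fac_ok && sev_ok;
}

static const char *severity_name(int sev)
{
    static const char *names[] = { "emerg", "alert", "crit", "err",
                                   "warning", "notice", "info", "debug" };
    return (sev >= 0 && sev < 8) ? names[sev] : "?";
}

static void show(const char *label, int fac_def, int sev_def)
{
    int pri = effective_pri(fac_def, sev_def);
    struct pri_parts p = decode_pri(pri);
    printf("%-8s openlog(fac=%2d) syslog(pri=%2d) -> pri %2d = facility %2d, "
           "severity %d (%s)%s\n",
           label, fac_def, sev_def, pri, p.facility, p.severity,
           severity_name(p.severity),
           defines_consistent(fac_def, sev_def) ? "" : "  <-- defines swapped?");
}

int main(void)
{
    /* Intended build: -DFACILITY=LOG_AUTH -DSEVERITY=LOG_NOTICE */
    show("correct", LOG_AUTH, LOG_NOTICE);   /* decodes as auth.notice */
    /* The mistake from the summary: the two defines reversed */
    show("swapped", LOG_NOTICE, LOG_AUTH);   /* decodes as auth.emerg */
    return 0;
}
```

        The swapped case shows why a 32 used as a severity does not produce
a "level 32": the library masks with LOG_PRIMASK, so only the low three bits
(all zero for LOG_AUTH) survive, and a *.emerg line in syslog.conf then
delivers the message to every logged-in terminal. The defines_consistent()
check is the kind of test worth running on the values from a Makefile before
the build, since the compiler accepts both integers without complaint.
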
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
                        ORIGINAL QUERY
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Folks:

        I'm in the middle of turning a client's 4.1.4 machine into an internet
firewall (tcp_wrappers, portmapper, sendmail 8.6.12, etc.) and ran into a
problem today that I have not seen on any other 4.1.x systems before this OS
release.

        As is usual when I do this type of install, I compiled the tcp_wrappers
with the security logging level set to LOG_AUTH so that messages will go to
the console window, /var/adm/messages, and /var/log/syslog (with a tweaked
/etc/syslog.conf file).

        Since I run X11R6 with motif, the invocation of an xterm does put an
entry in the /etc/utmp file for each open window (as opposed to openwindows
which will only show the console login).

        Upon the initiation of an event that tcpd will trap on, the message
gets passed to the syslog daemon and appears normally on the console window.
What is unexpected, however, is that the syslogd then complains that root owns
the /dev pseudo-tty files for all xterms but is in conflict with the entries
in /etc/utmp. This message is then repeated for each xterm window open...ugh!!!

        After checking my machine (4.1.3) the pseudo-ttys are in fact
owned by root, my login entries are in the /etc/utmp file and syslogd is not
complaining...what gives with 4.1.4????

        I also noticed that prior to printing the normal tcp_wrappers messages,
a new message is printed telling me that syslogd is going to print a message.

        I further noticed that on both the client machine and my machine that a
telnet or rlogin will change the ownership of the pseudo-tty device file to
that of the logged in user. And syslogd does not complain about that device.

        These problems are not show-stoppers by any means, but they are very
annoying...I like to keep console messages to the minimum.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
                                RESPONSES
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

From: Tim Gurbick <teg@logos.ucs.indiana.edu>

In article <199506270134.SAA09642@sjsinc.com> you write:
> Since I run X11R6 with motif, the invocation of an xterm does put an
>entry in the /etc/utmp file for each open window (as opposed to openwindows
>which will only show the console login).

Sounds as if your world-writable utmp file is being updated, but because
/usr/bin/X11/xterm isn't setuid root, the ptys aren't being chown()ed
correctly. You might want to check that your xterm binary is properly set.

good luck with it

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

From sjs Tue Jun 27 13:09:08 1995
To: teg@logos.ucs.indiana.edu

>
> In article <199506270134.SAA09642@sjsinc.com> you write:
> > Since I run X11R6 with motif, the invocation of an xterm does put an
> >entry in the /etc/utmp file for each open window (as opposed to openwindows
> >which will only show the console login).
>
> Sounds as if your world-writable utmp file is being updated, but because
> /usr/bin/X11/xterm isn't setuid root, the ptys aren't being chown()ed
> correctly. You might want to check that your xterm binary is properly set.
>

        The binary of xterm is set the same in both the 4.1.3 and 4.1.4
environments; syslogd only manifests this problem under 4.1.4.

        I will try setuid'ing the xterm tomorrow when I next visit my client to
see if this resolves (masks???) the problem, but this approach causes me
security concerns. I would much rather go with the "vanilla" permissions from
a X build-world (install) and find out what the problem with syslogd is.

        It probably should also be noted that while rlogin is a setuid program,
telnet is not and still seems to change the permissions on the /dev/ttyp? file
just fine, and not cause these problems with syslogd.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

From: Tim Gurbick <teg@peabody.iusb.indiana.edu>

The R6 xterm is allegedly fixed with respect to the file-logging bug which
was such an interesting security hole in earlier releases. Ergo, setuid
root should be okay for it.

>It probably should also be noted that while rlogin is a setuid program,
>telnet is not and still seems to change the permissions on the /dev/ttyp? file
>just fine, and not cause these problems with syslogd.

telnet calls login to do the rest.

good luck with it!

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

From sjs Tue Jun 27 13:28:19 1995
To: teg@peabody.iusb.indiana.edu

>
> The R6 xterm is allegedly fixed with respect to the file-logging bug which
> was such an interesting security hole in earlier releases. Ergo, setuid
> root should be okay for it.
>

        How about using the /usr/openwin/bin/xterm instead of the X11R6
version. For some reason it seems to take certain X-properties better than the
MIT release. Does the openwin xterm have the logging security hole fixed???

        Also, do you know anything about the weirdness with syslogd in 4.1.4
(not just the /dev/ttyp? vs. /etc/utmp checking but the announcement that it
is about to send you a message)???

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

From: Tim Gurbick <teg@peabody.iusb.indiana.edu>

>How about using the /usr/openwin/bin/xterm instead of the X11R6
>version. For some reason it seems to take certain X-properties better than the
>MIT release. Does the openwin xterm have the logging security hole fixed???

Hmmmm...there should be a patch for this problem under 4.1.3(U1) which you
can find via the sunsoft web server. If you take a look at the list of
integrated patches in the 4.1.4 release notes, you might check if it's
listed. I don't use openwin myself.

> Also, do you know anything about the weirdness with syslogd in 4.1.4
>(not just the /dev/ttyp? vs. /etc/utmp checking but the announcement that it
>is about to send you a message)???

Alas, no. I've got the disc sitting here, but have yet to install it on
anything. Others have apparently cited odd behaviour from it before.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:10:29 CDT