propolice and syslog-ng

Robert Connolly robert at linuxfromscratch.org
Tue Sep 28 20:14:10 PDT 2004


That's the problem exactly... the strace output again:

socket(PF_FILE, SOCK_DGRAM, 0)          = 3
sendto(3, "<2>fail: stack smashing attack i"..., 46, 0, {sa_family=AF_FILE, path="/dev/log"}, 110) = -1 EPROTOTYPE (Protocol wrong type for socket)
rt_sigaction(SIGABRT, {SIG_DFL}, NULL, 8) = 0

I checked `man syslog-ng` and found SOCK_DGRAM vs SOCK_STREAM. I assume 
sysklogd is using SOCK_DGRAM by default. From stack_protector.c I have:

if ((log = socket (AF_UNIX, SOCK_DGRAM, 0)) != -1) ...

I'm going to try this:

if ((log = socket (AF_UNIX, SOCK_DGRAM, 0)) != -1) { ... } else
if ((log = socket (AF_UNIX, SOCK_STREAM, 0)) != -1)

But it's not that simple :\ Perhaps there's a wrapper service for these? I have 
to poke around on Google to find examples for using both in turn. SOCK_STREAM 
needs bindings and whatnot. Perhaps someone here has experience coding for 
syslogd?

Robert

On September 28, 2004 03:33 pm, Bennett Todd wrote:
> 2004-09-28T18:59:23 Robert Connolly:
> > From strace I'm getting:
> >
> > sendto(3, "<2>fail: stack smashing attack i"..., 46, 0,
> > {sa_family=AF_FILE, path="/dev/log"}, 110) = -1 EPROTOTYPE (Protocol
> > wrong type for socket)
> >
> > From fail.c. It works with sysklogd though. I'll keep looking into
> > it. Are there often things that work with sysklog that don't work
> > the same way with syslog-ng?
>
> In my experience, _everything_ that works with sysklogd works fine
> with syslog-ng. Check your syslogng.conf. In the source clause where
> you specify /dev/log, how do you specify it?
>
> I believe if you write
>
>  unix-stream("/dev/log");
>
> it'll work identically to sysklogd as normally configured.
>
> It's sometimes worth switching to unix-dgram, which last time I
> checked also worked fine with the syslog routines in libc. This
> would (I believe) allow packet loss, rather than blocking, in the
> event writers spit msgs faster than syslog-ng can read 'em, but more
> importantly it prevents syslog-ng from needing to devote a file
> descriptor to each concurrent writer; on e.g. large mailservers with
> a modern MTA it's easy to have more processes concurrently logging
> than the log daemon can have file descriptors.
>
> -Bennett
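The two-step fallback Robert sketches above, written out as an added example; this is not code from stack_protector.c, syslog-ng, sysklogd, or either poster. The point it makes concrete is the one the strace shows: socket() succeeds for either type, and the mismatch only surfaces as EPROTOTYPE when the socket is connected or written to, so each candidate type has to be connected before you know whether it fits. probe_log_type() is a hypothetical test fixture that binds a throwaway socket of a chosen type as a stand-in for a daemon configured with unix-dgram or unix-stream, as Bennett describes; the socket paths and the "<2>fail: ..." message are constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Fill in an AF_UNIX address for path (bounded copy into sun_path). */
static void fill_addr(struct sockaddr_un *sa, const char *path)
{
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    strncpy(sa->sun_path, path, sizeof sa->sun_path - 1);
}

/* Create an AF_UNIX socket of the given type and connect it to path.
 * socket() succeeds for either type; a mismatch with the daemon's socket
 * only shows up here, as EPROTOTYPE from connect(). */
static int try_connect(const char *path, int type)
{
    struct sockaddr_un sa;
    int fd = socket(AF_UNIX, type, 0);
    if (fd == -1)
        return -1;
    fill_addr(&sa, path);
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) == -1) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Connect to the log socket, trying SOCK_DGRAM first (sysklogd, or a
 * syslog-ng unix-dgram source) and then SOCK_STREAM (syslog-ng
 * unix-stream).  On success *type_out records the type that connected. */
int open_log_socket(const char *path, int *type_out)
{
    static const int types[] = { SOCK_DGRAM, SOCK_STREAM };
    size_t i;
    for (i = 0; i < sizeof types / sizeof types[0]; i++) {
        int fd = try_connect(path, types[i]);
        if (fd != -1) {
            if (type_out)
                *type_out = types[i];
            return fd;
        }
    }
    return -1; /* errno is left from the last attempt */
}

/* Send one message on a connected log socket.  On a stream socket the
 * terminating NUL travels with the message as the record separator, as
 * glibc's syslog() does; MSG_NOSIGNAL avoids SIGPIPE if the daemon died. */
ssize_t send_log_message(int fd, int type, const char *msg)
{
    size_t len = strlen(msg) + (type == SOCK_STREAM ? 1 : 0);
    return send(fd, msg, len, MSG_NOSIGNAL);
}

/* Hypothetical self-test fixture: bind a socket of listener_type at path
 * as a stand-in for the log daemon, probe it with open_log_socket(),
 * deliver one constructed message, and return the type that connected
 * (-1 if nothing got through). */
int probe_log_type(const char *path, int listener_type)
{
    struct sockaddr_un sa;
    char buf[64];
    int chosen = -1, client, conn;
    int srv = socket(AF_UNIX, listener_type, 0);
    if (srv == -1)
        return -1;
    fill_addr(&sa, path);
    unlink(path);
    if (bind(srv, (struct sockaddr *)&sa, sizeof sa) == -1 ||
        (listener_type == SOCK_STREAM && listen(srv, 1) == -1))
        goto out;
    client = open_log_socket(path, &chosen);
    if (client == -1)
        goto out;
    send_log_message(client, chosen, "<2>fail: stack smashing attack");
    if (chosen == SOCK_STREAM) {
        conn = accept(srv, NULL, NULL);
        if (conn == -1 || read(conn, buf, sizeof buf) <= 0)
            chosen = -1;
        if (conn != -1)
            close(conn);
    } else if (recv(srv, buf, sizeof buf, 0) <= 0) {
        chosen = -1;
    }
    close(client);
out:
    close(srv);
    unlink(path);
    return chosen;
}

/* Stand-alone use: report which socket type the local /dev/log accepts. */
int main(void)
{
    int type = 0, fd = open_log_socket("/dev/log", &type);
    if (fd == -1) {
        perror("/dev/log");
        return 1;
    }
    printf("/dev/log accepts %s\n",
           type == SOCK_DGRAM ? "SOCK_DGRAM" : "SOCK_STREAM");
    close(fd);
    return 0;
}
```

Run as-is it just reports what the local /dev/log accepts; against a unix-stream source the first (datagram) connect fails with EPROTOTYPE and the stream connect goes through, which is the behaviour a failure handler like the one in stack_protector.c needs if it is to work under both sysklogd and syslog-ng without knowing the daemon's configuration.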

More information about the hlfs-dev mailing list