[syslog-ng]/dev/log on Linux is a datagram socket, not a stream socket

Balazs Scheidler syslog-ng@lists.balabit.hu
Thu, 03 Feb 2005 10:09:35 +0100


On Wed, 2005-02-02 at 11:35 -0500, Philip J. Hollenback wrote:
> The syslog-ng reference manual (and the sample syslog-ng.conf for
> RedHat) indicate that /dev/log on linux is a stream socket.  However,
> other utilities think that /dev/log is a datagram socket.  To see
> this, configure syslog-ng to open /dev/log with unix_stream and then
> strace the logger command.  logger tries to open /dev/log as a
> datagram socket first, fails, and then falls back to opening it as a
> stream socket:
> 
> socket(PF_FILE, SOCK_DGRAM, 0)          = 1
> fcntl64(1, F_SETFD, FD_CLOEXEC)         = 0
> connect(1, {sa_family=AF_FILE, path="/dev/log"}, 16) = -1 EPROTOTYPE (Protocol wrong type for socket)
> close(1)                                = 0
> socket(PF_FILE, SOCK_STREAM, 0)         = 1
> fcntl64(1, F_SETFD, FD_CLOEXEC)         = 0
> connect(1, {sa_family=AF_FILE, path="/dev/log"}, 16) = 0
> send(1, "<13>Feb  2 11:19:50 phil: test m"..., 39, 0) = 39
> rt_sigaction(SIGPIPE, {SIG_DFL}, NULL, 8) = 0
> close(1)                                = 0
> 
> If, however, you open /dev/log with unix_dgram and then run logger,
> it's happier:
> 
> socket(PF_FILE, SOCK_DGRAM, 0)          = 1
> fcntl64(1, F_SETFD, FD_CLOEXEC)         = 0
> connect(1, {sa_family=AF_FILE, path="/dev/log"}, 16) = 0
> send(1, "<13>Feb  2 11:21:28 phil: test m"..., 45, 0) = 45
> rt_sigaction(SIGPIPE, {SIG_DFL}, NULL, 8) = 0
> close(1)                                = 0

This is normal, both logger and libc try to detect which socket is
being used for /dev/log. They try SOCK_DGRAM first, but that's all.

> 
> 
> This indicates to me that the syslog-ng documentation and sample
> syslog-ng.conf files should be changed to show you should open
> /dev/log with unix_dgram on linux, not with unix_stream.
> 
> This is with the 2.4.22 kernel, maybe this is something that changed
> at some point?

I think it was around 1999 when /dev/log was changed from SOCK_STREAM to
SOCK_DGRAM because of some security issue, but I still think it is
better to use SOCK_STREAM.

Here is my post from 1999 when the change occurred:
http://www.security-express.com/archives/bugtraq/1999-q4/0071.html

and problems which the change caused:
http://marc.theaimsgroup.com/?l=sysklogd&m=96989685607952&w=2

So I still think it is better to use SOCK_STREAM for /dev/log, albeit
you can decide it yourself.

-- 
Bazsi
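The probe visible in the strace output above (SOCK_DGRAM first, SOCK_STREAM only after EPROTOTYPE) can be reproduced against a local socket, so you can see for yourself why a syslog-ng configured with either unix-dgram or unix-stream still receives messages from logger. The following C program is an added example and is not code from syslog-ng, logger or libc: open_log_socket() mirrors the client-side fallback, bind_log_socket() plays the role syslog-ng's unix-dgram() or unix-stream() source takes on /dev/log, and detect_log_socket_type() runs the two against each other. The socket path under /tmp and the sample syslog line are constructed for the example. Note that only EPROTOTYPE triggers the retry; any other connect() failure (missing socket, permission denied) is reported to the caller, since silently retrying would hide a misconfiguration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Fill a sockaddr_un for PATH; -1 if the path does not fit sun_path. */
static int make_unix_addr(struct sockaddr_un *addr, const char *path)
{
    memset(addr, 0, sizeof *addr);
    addr->sun_family = AF_UNIX;
    if (strlen(path) >= sizeof addr->sun_path)
        return -1;
    strcpy(addr->sun_path, path);
    return 0;
}

/* Client side, as in the strace in the thread: try SOCK_DGRAM, fall back
 * to SOCK_STREAM only on EPROTOTYPE (socket exists but has the other type).
 * Returns the connected fd and stores the type that worked in *type_out. */
int open_log_socket(const char *path, int *type_out)
{
    static const int candidates[] = { SOCK_DGRAM, SOCK_STREAM };
    struct sockaddr_un addr;
    size_t i;

    if (make_unix_addr(&addr, path) < 0) {
        errno = ENAMETOOLONG;
        return -1;
    }
    for (i = 0; i < sizeof candidates / sizeof candidates[0]; i++) {
        int saved, fd = socket(AF_UNIX, candidates[i], 0);
        if (fd < 0)
            return -1;
        if (connect(fd, (struct sockaddr *)&addr, sizeof addr) == 0) {
            *type_out = candidates[i];
            return fd;
        }
        saved = errno;
        close(fd);
        if (saved != EPROTOTYPE) {      /* ENOENT, EACCES, ...: do not retry */
            errno = saved;
            return -1;
        }
    }
    errno = EPROTOTYPE;
    return -1;
}

/* Server side: bind a socket of TYPE at PATH (listen() for the stream
 * case), as a syslog daemon does for /dev/log. Returns the fd or -1. */
int bind_log_socket(const char *path, int type)
{
    struct sockaddr_un addr;
    int fd;

    if (make_unix_addr(&addr, path) < 0)
        return -1;
    unlink(path);                       /* drop a stale socket file */
    fd = socket(AF_UNIX, type, 0);
    if (fd < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 ||
        (type == SOCK_STREAM && listen(fd, 8) < 0)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Bind a server of SERVER_TYPE at PATH, probe it as a client, send one
 * constructed syslog line, and return the type the client ended up with
 * (-1 if the probe or the send failed). */
int detect_log_socket_type(const char *path, int server_type)
{
    static const char msg[] = "<13>Feb  2 11:19:50 probe: test message"; /* constructed */
    int detected = -1, srv, fd;

    srv = bind_log_socket(path, server_type);
    if (srv < 0)
        return -1;
    fd = open_log_socket(path, &detected);
    if (fd >= 0) {
        if (send(fd, msg, sizeof msg - 1, MSG_NOSIGNAL) != (ssize_t)(sizeof msg - 1))
            detected = -1;
        close(fd);
    }
    close(srv);
    unlink(path);
    return detected;
}

int main(void)
{
    static const int types[] = { SOCK_DGRAM, SOCK_STREAM };
    size_t i;

    for (i = 0; i < 2; i++) {
        int got = detect_log_socket_type("/tmp/devlog-probe.sock", types[i]);
        printf("server %-11s -> client picked %s\n",
               types[i] == SOCK_DGRAM ? "SOCK_DGRAM" : "SOCK_STREAM",
               got == SOCK_DGRAM ? "SOCK_DGRAM" :
               got == SOCK_STREAM ? "SOCK_STREAM" : "nothing (probe failed)");
    }
    return 0;
}
```

Running it prints one line per server type; with a SOCK_STREAM server the client's first connect() fails with EPROTOTYPE exactly as in the strace, and the second one succeeds. Whatever type you choose for /dev/log in syslog-ng.conf, the fallback on the client side is what keeps logger working; the choice between the two is about the delivery semantics the daemon wants, not about client compatibility.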