[syslog-ng]/dev/log on Linux is a datagram socket, not a stream socket

Philip J. Hollenback syslog-ng@lists.balabit.hu
Thu, 3 Feb 2005 08:27:27 -0500


Is the maintainer of the syslog-ng faq at
http://www.campin.net/syslog-ng/faq.html still on this list?  Because
this is an excellent addition to the faq.

I suppose it should also be added to the reference manual.  I'm
certainly willing to submit patches to that.

Thanks,
P.

On 02/03/05, Balazs Scheidler wrote:
> On Wed, 2005-02-02 at 11:35 -0500, Philip J. Hollenback wrote:
> > The syslog-ng reference manual (and the sample syslog-ng.conf for
> > RedHat) indicate that /dev/log on linux is a stream socket.  However,
> > other utilities think that /dev/log is a datagram socket.  To see
> > this, configure syslog-ng to open /dev/log with unix_stream and then
> > strace the logger command.  logger tries to open /dev/log as a
> > datagram socket first, fails, and then falls back to opening it as a
> > stream socket:
> > 
> > socket(PF_FILE, SOCK_DGRAM, 0)          = 1
> > fcntl64(1, F_SETFD, FD_CLOEXEC)         = 0
> > connect(1, {sa_family=AF_FILE, path="/dev/log"}, 16) = -1 EPROTOTYPE (Protocol wrong type for socket)
> > close(1)                                = 0
> > socket(PF_FILE, SOCK_STREAM, 0)         = 1
> > fcntl64(1, F_SETFD, FD_CLOEXEC)         = 0
> > connect(1, {sa_family=AF_FILE, path="/dev/log"}, 16) = 0
> > send(1, "<13>Feb  2 11:19:50 phil: test m"..., 39, 0) = 39
> > rt_sigaction(SIGPIPE, {SIG_DFL}, NULL, 8) = 0
> > close(1)                                = 0
> > 
> > If, however, you open /dev/log with unix_dgram and then run logger,
> > it's happier:
> > 
> > socket(PF_FILE, SOCK_DGRAM, 0)          = 1
> > fcntl64(1, F_SETFD, FD_CLOEXEC)         = 0
> > connect(1, {sa_family=AF_FILE, path="/dev/log"}, 16) = 0
> > send(1, "<13>Feb  2 11:21:28 phil: test m"..., 45, 0) = 45
> > rt_sigaction(SIGPIPE, {SIG_DFL}, NULL, 8) = 0
> > close(1)                                = 0
> 
> This is normal, both logger and libc try to detect which socket type is
> being used for /dev/log. They try SOCK_DGRAM first, but that's all.
> 
> > 
> > This indicates to me that the syslog-ng documentation and sample
> > syslog-ng.conf files should be changed to show you should open
> > /dev/log with unix_dgram on linux, not with unix_stream.
> > 
> > This is with the 2.4.22 kernel, maybe this is something that changed
> > at some point?
> 
> I think it was around 1999 when /dev/log was changed from SOCK_STREAM to
> SOCK_DGRAM because of some security issue, but I still think it is
> better to use SOCK_STREAM
> 
> Here is my post from 1999 when the change occurred:
> http://www.security-express.com/archives/bugtraq/1999-q4/0071.html
> 
> and problems which the change caused:
> http://marc.theaimsgroup.com/?l=sysklogd&m=96989685607952&w=2
> 
> So I still think it is better to use SOCK_STREAM for /dev/log, albeit
> you can decide it yourself.
> 

-- 
Philip J. Hollenback
Telemetry Investments
phollenback@telemetry-investments.com
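The datagram-then-stream probing that the strace output in the thread shows (logger trying SOCK_DGRAM, getting EPROTOTYPE, then retrying with SOCK_STREAM) can be reproduced end to end without touching the real /dev/log. The following is an added Python example written for this page; it is not code from syslog-ng, logger or glibc. It binds a receiving socket of a chosen type at a temporary path (standing in for what a unix-dgram() or unix-stream() source in syslog-ng.conf would create), then connects the same way logger does and reports which type matched. The socket path and the syslog-style message text are constructed for the demonstration.

```python
import errno
import os
import socket
import tempfile

# Labels used by this example; PF_FILE in the strace output is the same as AF_UNIX.
SOCKTYPES = {"dgram": socket.SOCK_DGRAM, "stream": socket.SOCK_STREAM}


def open_log_socket(path):
    """Connect to a local log socket the way logger/libc do: try SOCK_DGRAM
    first and, if the kernel answers EPROTOTYPE (the other side is a
    SOCK_STREAM socket), fall back to SOCK_STREAM.  Returns (sock, label)."""
    for label in ("dgram", "stream"):
        s = socket.socket(socket.AF_UNIX, SOCKTYPES[label])
        try:
            s.connect(path)
            return s, label
        except OSError as e:
            s.close()
            if e.errno != errno.EPROTOTYPE:
                raise  # e.g. ENOENT/ECONNREFUSED: no receiver at all, not a type mismatch
    raise OSError(errno.EPROTOTYPE, "neither datagram nor stream matched " + path)


def bind_log_socket(path, label):
    """Receiver side: what a log daemon's unix-dgram()/unix-stream() source does."""
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, SOCKTYPES[label])
    srv.bind(path)
    if label == "stream":
        srv.listen(1)
    return srv


def roundtrip(server_label, message):
    """Bind a receiver of the given type at a temporary path (constructed, not
    /dev/log), send one message through the auto-detected client socket and
    return (detected_label, bytes_received_by_the_server)."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "log")
    srv = bind_log_socket(path, server_label)
    try:
        client, detected = open_log_socket(path)
        client.send(message)
        if detected == "stream":
            # Stream receivers get a connection per client; the data is already queued.
            conn, _ = srv.accept()
            data = conn.recv(4096)
            conn.close()
        else:
            # Datagram receivers read whole messages straight off the bound socket.
            data = srv.recv(4096)
        client.close()
        return detected, data
    finally:
        srv.close()
        os.unlink(path)
        os.rmdir(tmpdir)


def probe(server_label):
    """Report only which socket type the client-side probe settled on."""
    detected, _ = roundtrip(server_label, b"<13>probe: test message")
    return detected


if __name__ == "__main__":
    # Constructed message in the same "<PRI>..." shape as the one strace showed.
    for kind in ("dgram", "stream"):
        detected, data = roundtrip(kind, b"<13>Feb  2 11:21:28 phil: test message")
        print(f"server={kind:6s} client detected={detected:6s} received={data!r}")
```

Running the script shows the same behaviour as the strace in the thread: a datagram receiver is matched on the first connect, a stream receiver only after the EPROTOTYPE fallback. The fallback only triggers on EPROTOTYPE; any other error (the path missing, nobody listening) is raised unchanged so that a misconfigured log socket is noticed rather than silently retried.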