help-shishi

shishid: Usage of syslog facilities.


From: Mats Erik Andersson
Subject: shishid: Usage of syslog facilities.
Date: Wed, 15 Aug 2012 10:55:36 +0200
User-agent: Mutt/1.5.18 (2008-05-17)

Hello again,

let me suggest changes to the way shishid(8)
is submitting messages to LOG_DAEMON. A patch
suggestion is addressing these matters.

Contrary to the claim in "src/kdc.c", shishid(8) is
committing non-error messages "Trying AS-REQ"
and "Trying TGS-REQ" in facility LOG_ERR.
Change these to use LOG_DEBUG.

The mandatory use of LOG_PERROR in "src/shishid.c"
is a mistake. It is better to condition use of
LOG_PERROR in openlog() on the test

    if (arg.verbose_given > 0)

There is a further delicate issue with two LOG_INFO
messages in "src/kdc.c":

   "AS-REQ from address@hidden for address@hidden"
   "TGS-REQ from address@hidden for address@hidden"

I suggest downgrading to LOG_DEBUG and also to issue
them only if "arg.verbose_given > 0". However, both
messages present a security issue since they disclose
user information. Hence they should arguably only be sent
to LOG_AUTH, if committed at all instead of just calling
printf() for the running executable shishid(8).


Best regards,

  Mats E A

Attachment: 0001-shishid-Discriminate-syslog-use.patch
Description: Text Data
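
The logging policy proposed in the message above, written out as an added C example; it is not the attached patch and not Shishi's own code. The enum, the function names, the LOG_PID option and the sample principal names are assumptions made for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* LOG_PERROR is a BSD/glibc extension, not POSIX */
#endif
#include <syslog.h>

/* Hypothetical message classes, one per case discussed in the mail. */
enum msg_kind { MSG_FAILURE, MSG_TRACE, MSG_PRINCIPAL };

/* openlog() options: copy messages to stderr only when -v was given.
   LOG_PID is this example's own choice, not taken from shishid. */
int log_options(int verbose)
{
    return verbose > 0 ? (LOG_PID | LOG_PERROR) : LOG_PID;
}

/* Priority (level | facility) for a message, or -1 to suppress it. */
int log_priority(enum msg_kind kind, int verbose)
{
    switch (kind) {
    case MSG_FAILURE:   /* real errors keep LOG_ERR */
        return LOG_ERR | LOG_DAEMON;
    case MSG_TRACE:     /* "Trying AS-REQ": progress report, not an error */
        return LOG_DEBUG | LOG_DAEMON;
    case MSG_PRINCIPAL: /* names a user: verbose only, auth facility */
        return verbose > 0 ? (LOG_DEBUG | LOG_AUTH) : -1;
    }
    return -1;
}

/* Emit msg if its class is enabled; returns the priority used, or -1. */
int log_event(enum msg_kind kind, int verbose, const char *msg)
{
    int prio = log_priority(kind, verbose);
    if (prio >= 0)
        syslog(prio, "%s", msg);   /* fixed format: msg is never a format string */
    return prio;
}

int main(void)
{
    int verbose = 1;   /* stands in for arg.verbose_given */
    openlog("shishid-example", log_options(verbose), LOG_DAEMON);
    log_event(MSG_TRACE, verbose, "Trying AS-REQ");
    /* Constructed principal names, for illustration only. */
    log_event(MSG_PRINCIPAL, verbose,
              "AS-REQ from alice@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG");
    closelog();
    return 0;
}
```

The level (LOG_ERR, LOG_DEBUG) and the facility (LOG_DAEMON, LOG_AUTH) are OR-ed into one priority argument, so the user-identifying message can be routed to the auth log by syslogd rules without changing the facility given to openlog().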

