help-shishi

Re: shishid: Usage of syslog facilities.


From: Simon Josefsson
Subject: Re: shishid: Usage of syslog facilities.
Date: Wed, 15 Aug 2012 19:46:58 +0200
User-agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/23.3 (gnu/linux)

Mats Erik Andersson <address@hidden> writes:

> Hello again,
>
> let me suggest changes to the way shishid(8)
> is submitting messages to LOG_DAEMON. A patch
> suggestion is addressing these matters.
>
> Contrary to the claim in "src/kdc.c", shishid(8) is
> committing non-error messages "Trying AS-REQ"
> and "Trying TGS-REQ" in facility LOG_ERR.
> Change these to use LOG_DEBUG.

These messages are rather useless, even on debug level.  I have removed
them completely.

> The mandatory use of LOG_PERROR in "src/shishid.c"
> is a mistake. It is better to condition use of
> LOG_PERROR in openlog() on the test
>
>     if (arg.verbose_given > 0)

Agreed, applied.

> There is a further delicate issue with two LOG_INFO
> messages in "src/kdc.c":
>
>    "AS-REQ from address@hidden for address@hidden"
>    "TGS-REQ from address@hidden for address@hidden"
>
> I suggest downgrading to LOG_DEBUG and also to issue
> them only if "arg.verbose_given > 0". However, both
> messages present a security issue since they disclose
> user information. Hence they should arguably only be sent
> to LOG_AUTH, if committed at all, instead of just calling
> printf() for the running executable shishid(8).

I believe these are important for knowing when someone got a ticket, so
they should definitely be in the syslog.  If we are changing this one to
LOG_AUTH, many other messages should also be moved, since they also
print user information.  However, I wonder what MIT/Heimdal does, or
what other servers do, like sshd?  I think having user information in
/var/log/syslog is fairly common, but I may be mistaken.  On systems I'm
familiar with, reading the syslog requires the same privileges as
reading the authlog so for security I don't think it matters much.

/Simon
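The logging arrangement the thread converges on, as an added C example that is not shishid's own code: LOG_PERROR conditioned on verbosity, "Trying ..." progress messages at LOG_DEBUG and only when verbose, and the principal-naming request messages kept in syslog but routed to LOG_AUTH by OR-ing that facility into the priority passed to syslog(3). The kdc_* function names and the sample principals are invented; verbose mirrors shishid's arg.verbose_given.

```c
/* Added example (not shishid's code): syslog routing as discussed on the list.
 * Function names are invented; verbose stands in for shishid's arg.verbose_given. */
#include <syslog.h>

static int verbose_given = 0;

/* openlog() options: LOG_PERROR only when running verbosely, so a quiet
 * daemon does not echo every message to stderr. */
int kdc_openlog_options(int verbose)
{
    int opts = LOG_PID;
    if (verbose > 0)
        opts |= LOG_PERROR;
    return opts;
}

/* Default facility stays LOG_DAEMON; individual messages may override it. */
void kdc_openlog(const char *ident, int verbose)
{
    verbose_given = verbose;
    openlog(ident, kdc_openlog_options(verbose), LOG_DAEMON);
}

/* Progress chatter such as "Trying AS-REQ": debug level, verbose runs only.
 * Returns the priority used, or -1 when the message is dropped. */
int kdc_log_trace(const char *what)
{
    if (verbose_given <= 0)
        return -1;
    syslog(LOG_DEBUG, "Trying %s", what);
    return LOG_DEBUG;
}

/* "AS-REQ from client for server" records a ticket being issued, so it is
 * always logged; because it names principals it goes to LOG_AUTH, selected
 * per message by OR-ing the facility into the priority (overriding
 * openlog()'s LOG_DAEMON). Returns the priority used. */
int kdc_log_request(const char *kind, const char *client, const char *server)
{
    int prio = LOG_AUTH | LOG_INFO;
    syslog(prio, "%s from %s for %s", kind, client, server);
    return prio;
}

int main(void)
{
    kdc_openlog("shishid-example", 1);
    kdc_log_trace("AS-REQ");
    /* Constructed sample principals, not real ones. */
    kdc_log_request("AS-REQ", "alice@EXAMPLE.ORG", "krbtgt/EXAMPLE.ORG@EXAMPLE.ORG");
    closelog();
    return 0;
}
```

With verbose set to 0 the trace line is suppressed and nothing reaches stderr, while the request line still lands in the auth facility.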
