pkgsrc-Bugs archive


pkg/31417: gdm syslogs username



>Number:         31417
>Category:       pkg
>Synopsis:       x11/gdm logs username for failed login attempts
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Sep 29 13:51:00 +0000 2005
>Originator:     Hauke Fath <hf%spg.tu-darmstadt.de@localhost>
>Release:        NetBSD 3.0_BETA
>Organization:
-- 
/~\  The ASCII Ribbon Campaign                      Hauke Fath
\ /    No HTML/RTF in email               Institut für Nachrichtentechnik
 X     No Word docs in email                        TU Darmstadt
/ \  Respect for open standards                Ruf +49-6151-16-3281
>Environment:
        
        
System: NetBSD Goliberg 3.0_BETA NetBSD 3.0_BETA (SPG_PIII) #5: Fri Sep 23 
00:43:45 CEST 2005 
hf@heiligenberg:/var/obj/netbsd-builds/3_0/i386/sys/arch/i386/compile/SPG_PIII 
i386
Architecture: i386
Machine: i386
>Description:

        When x11/gdm logs a failed login attempt, it logs the username
        with it. This is a security risk (which is why I marked the PR
        'critical') since if the user just got out of sync with the
        login widget, she'll have her password logged. And she has to
        get help from the admin to remove it - if she is aware of the
        fact at all.

        But it gets worse: gdm syslogs _everything_ with category
        LOG_DAEMON which goes to the usually world-readable
        /var/log/messages.

>How-To-Repeat:

        Get out of sync with the gdm greeter; find your password
        logged to /var/log/messages and the console.

        Look through the config files and the gdm documentation and
        find that at runtime you can neither change the syslog
        category, nor change the amount of data that's being logged
        (which is quite considerable), nor disable logging of failed
        login attempts.

        Look through the source and find that at compile time, you can
        neither gnuconfigure a different syslog category, nor limit
        the amount of logged information, nor disable logging of
        failed login attempts.

>Fix:
        Stop-gap: 

        Switch back to xdm.

        gdm fixes:

        (1) Make syslog category configurable _at least_ at compile
        time. Better: Use log_auth for any sensitive data, and a
        configurable category for anything else, including debug
        information, which can then be directed to a gdm-only logfile.

        (2) Make the amount of information logged controllable at
        least at compile time. Per default, log less to console.

        (3) Introduce a config-file switch to control logging of
        failed login attempts. Default to _off_.

>Unformatted:
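Added illustration of the logging split proposed under fixes (1) and (3); it is not gdm's code and not part of this PR. Records that can carry whatever was typed into the greeter go to LOG_AUTHPRIV (used here in place of the PR's "log_auth", since authpriv is the facility normally kept out of the world-readable daemon log), everything else goes to an admin-chosen facility, and the typed name is left out of failed-login records unless explicitly enabled. The policy struct and dm_* names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical logging policy sketching fixes (1) and (3) from the PR. */
struct dm_log_policy {
    int general_facility;   /* fix (1): facility for non-sensitive/debug output, admin-configurable */
    int log_failed_names;   /* fix (3): record the name typed at a failed login? default off */
};

static const struct dm_log_policy dm_default_policy = { LOG_DAEMON, 0 };

enum dm_msg_class { DM_MSG_DEBUG, DM_MSG_INFO, DM_MSG_AUTH_FAILURE };

/* Fix (1): anything that may carry user-typed input is pinned to authpriv
 * regardless of the configurable facility, so it never lands in the
 * world-readable file that receives daemon.* messages. */
int dm_facility_for(const struct dm_log_policy *p, enum dm_msg_class c)
{
    return c == DM_MSG_AUTH_FAILURE ? LOG_AUTHPRIV : p->general_facility;
}

/* Fix (3): build the record for a failed login. The string typed into the
 * greeter's name field is omitted unless the admin enabled it, because it
 * may be a password typed one field too early. Returns the facility to use. */
int dm_failed_login_record(const struct dm_log_policy *p, const char *typed_name,
                           const char *display, char *buf, size_t len)
{
    if (p->log_failed_names)
        snprintf(buf, len, "login failed for '%s' on display %s", typed_name, display);
    else
        snprintf(buf, len, "login failed on display %s (name not recorded)", display);
    return dm_facility_for(p, DM_MSG_AUTH_FAILURE);
}

int main(void)
{
    char buf[256];
    /* Constructed sample: a user who typed the password into the name field. */
    int fac = dm_failed_login_record(&dm_default_policy, "secret-typed-too-early", ":0",
                                     buf, sizeof buf);
    printf("facility %s: %s\n", fac == LOG_AUTHPRIV ? "authpriv" : "other", buf);
    return 0;
}
```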