On Mon, Oct 22, 2007 at 04:51:25PM +0000, Christian Weisgerber wrote:
> Stefan Sperling <[EMAIL PROTECTED]> wrote:
>
> > This patch has been sitting on the list for a month now.
> > Can someone please commit this?
>
> Theo has requested that pptp should not set net.inet.gre.allow=1
> when the package is installed,
I hate to shift the blame, but sturm@ wanted me to add this a while back.
Originally the port didn't do this. The argument back then was that things
should work out of the box once someone installs the port/package.
But I think the security argument has more weight, so I'll gladly revert
that change.

> but only when the program is run,
> i.e., add corresponding sysctl(3) calls to pptp proper.

Sure, I could add that to pptp itself. But if we don't want to allow
'pkg_add pptp' to enable an insecure protocol, why do we want to allow
executing pptp to do so? Isn't the idea to have the user _manually_ turn
a knob if that knob makes the system more insecure?

> > > * Add patch to ${WRKSRC}/util.c that prevents pptp
> > > from logging the same stuff into both /var/log/daemon
> > > and /var/log/messages. Just log to /var/log/daemon.
>
> That doesn't sound right. This is a syslog configuration issue.

I don't know, but I don't think so. I'm using the default syslog config.
Never touched it:

[~] $ grep -v '^#' /etc/syslog.conf
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
kern.debug;syslog,user.info /var/log/messages
auth.info /var/log/authlog
authpriv.debug /var/log/secure
cron.info /var/cron/log
daemon.info /var/log/daemon
ftp.info /var/log/xferlog
lpr.debug /var/log/lpd-errs
mail.info /var/log/maillog
*.emerg *

The problem as I see it is this: pptp is using LOG_NOTICE to log 'normal'
messages. For some reason unknown to me these messages end up in two
different log files (daemon and messages), which is really, really
annoying when trying to figure out a failed connection attempt with
tail -f.

ppp(8) does not spam the syslog the way pptp(8) does without the patch.
ppp(8) never uses LOG_NOTICE at all, it uses LOG_INFO instead. So the
patch makes pptp use LOG_INFO for normal messages, too, which settles
the issue for me.

Do you know a better solution?
Extract from pptp/util.c without patch:

/*** print a message to syslog ************************************************/
void _log(const char *func, const char *file, int line, const char *format, ...)
{
    MAKE_STRING("log");
    syslog(LOG_NOTICE, "%s", string);
}

Extract from /usr/src/usr.sbin/ppp/ppp/log.c, note the absence of LOG_NOTICE:

static int
syslogLevel(int lev)
{
  switch (lev) {
  case LogLOG:
    return LOG_INFO;
  case LogDEBUG:
  case LogTIMER:
    return LOG_DEBUG;
  case LogWARN:
    return LOG_WARNING;
  case LogERROR:
    return LOG_ERR;
  case LogALERT:
    return LOG_ALERT;
  }
  return lev >= LogMIN && lev <= LogMAX ? LOG_INFO : 0;
}

--
stefan
http://stsp.name
PGP Key: 0xF59D25F0
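The "two log files" behaviour described in the message above is exactly what the quoted default syslog.conf produces: the first rule, `*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none`, selects notice-or-worse from every facility that is not explicitly switched off, and daemon is not in the `.none` list, so daemon.notice matches both that rule and `daemon.info`. A message logged at LOG_INFO from the daemon facility is below the notice threshold of the first rule and only matches `daemon.info`. The Python model below is an added illustration of syslogd(8) selector matching, not code from pptp, ppp or OpenBSD's syslogd; the configuration lines are the ones quoted in the message, and the sample (facility, priority) pairs are constructed for the example.

```python
"""Model of how a BSD syslogd evaluates syslog.conf selectors.

Added illustration; not code from pptp, ppp or OpenBSD syslogd.
The configuration text is the default OpenBSD syslog.conf quoted in the
e-mail (comments stripped); the messages fed to it are constructed.
"""

# syslog(3) priorities, most severe first, as in <syslog.h>.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The syslog.conf from the message, as shown by grep -v '^#'.
SYSLOG_CONF = """\
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
kern.debug;syslog,user.info /var/log/messages
auth.info /var/log/authlog
authpriv.debug /var/log/secure
cron.info /var/cron/log
daemon.info /var/log/daemon
ftp.info /var/log/xferlog
lpr.debug /var/log/lpd-errs
mail.info /var/log/maillog
*.emerg *
"""


def parse_conf(text):
    """Parse syslog.conf into [(selectors, action)].

    Each selector is (facilities, level) where facilities is a set of
    facility names, or None for the '*' wildcard, and level is a
    priority name or 'none'.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector_part, action = line.split(None, 1)
        selectors = []
        for sel in selector_part.split(";"):
            facs, level = sel.rsplit(".", 1)
            fac_set = None if facs == "*" else set(facs.split(","))
            selectors.append((fac_set, level))
        rules.append((selectors, action.strip()))
    return rules


def destinations(rules, facility, priority):
    """Return the actions a (facility, priority) message is written to.

    Within one rule the ';'-separated selectors are applied left to
    right and a later selector overrides the level an earlier one set
    for the same facility, which is how '*.notice;user.none' ends up
    excluding user.  A selector 'fac.level' matches messages at that
    level or more severe (lower index in PRIORITIES).
    """
    out = []
    for selectors, action in rules:
        effective = None
        for fac_set, level in selectors:
            if fac_set is None or facility in fac_set:
                effective = level
        if effective is None or effective == "none":
            continue
        if PRIORITIES.index(priority) <= PRIORITIES.index(effective):
            out.append(action)
    return out


def pptp_vs_ppp(rules):
    """Where pptp's LOG_NOTICE and ppp's LOG_INFO daemon messages land."""
    return {
        "LOG_NOTICE": destinations(rules, "daemon", "notice"),
        "LOG_INFO": destinations(rules, "daemon", "info"),
    }


if __name__ == "__main__":
    conf = parse_conf(SYSLOG_CONF)
    for level, files in pptp_vs_ppp(conf).items():
        print(f"daemon.{level.lower()[4:]:<7} -> {', '.join(files)}")
```

Run as-is it reports daemon.notice going to both /var/log/messages and /var/log/daemon while daemon.info goes only to /var/log/daemon, which is the difference the util.c patch exploits. The same model shows the alternative route the quoted reply hints at: adding `daemon.none` to the first rule's exclusion list would keep pptp's LOG_NOTICE out of /var/log/messages without touching the program, at the cost of also hiding notice-level messages from every other daemon-facility program.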