On Mon, Oct 22, 2007 at 04:51:25PM +0000, Christian Weisgerber wrote:
> Stefan Sperling <[EMAIL PROTECTED]> wrote:
> 
> > This patch has been sitting on the list for a month now.
> > Can someone please commit this?
> 
> Theo has requested that pptp should not set net.inet.gre.allow=1
> when the package is installed,

I hate to shift the blame, but sturm@ wanted me to add this
a while back. Originally the port didn't do this.

The argument back then was that things should work out of
the box once someone installs the port/package.

But I think the security argument has more weight,
so I'll gladly revert that change.

> but only when the program is run,
> i.e., add corresponding sysctl(3) calls to pptp proper.

Sure, I could add that to pptp itself.

But if we don't want to allow 'pkg_add pptp' to enable
an insecure protocol, why do we want to allow executing
pptp to do so?

Isn't the idea to have the user _manually_ turn a knob
if that knob makes the system more insecure?

> > >   * Add patch to ${WRKSRC}/util.c that prevents pptp
> > >     from logging the same stuff into both /var/log/daemon
> > >     and /var/log/messages. Just log to /var/log/daemon.
> 
> That doesn't sound right.  This is a syslog configuration issue.

I don't know, but I don't think so.
I'm using the default syslog config. Never touched it:

  [~] $ grep -v '^#' /etc/syslog.conf 
  
  *.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
  kern.debug;syslog,user.info                             /var/log/messages
  auth.info                                               /var/log/authlog
  authpriv.debug                                          /var/log/secure
  cron.info                                               /var/cron/log
  daemon.info                                             /var/log/daemon
  ftp.info                                                /var/log/xferlog
  lpr.debug                                               /var/log/lpd-errs
  mail.info                                               /var/log/maillog
  
  
  
  *.emerg                                                 *
 

The problem as I see it is this:

pptp is using LOG_NOTICE to log 'normal' messages.
For some reason unknown to me these messages end up in two
different log files (daemon and messages), which is really,
really annoying when trying to figure out a failed connection
attempt with tail -f.

ppp(8) does not spam the syslog the way pptp(8) does without the patch.
ppp(8) never uses LOG_NOTICE at all, it uses LOG_INFO instead.

So the patch makes pptp use LOG_INFO for normal messages, too,
which settles the issue for me.

Do you know a better solution?

Extract from pptp/util.c without patch:

  /*** print a message to syslog ************************************************/
  void _log(const char *func, const char *file, int line, const char *format, ...)
  {
      MAKE_STRING("log");
      syslog(LOG_NOTICE, "%s", string);
  }
  

Extract from /usr/src/usr.sbin/ppp/ppp/log.c,
note the absence of LOG_NOTICE:

  static int
  syslogLevel(int lev)
  {
    switch (lev) {
    case LogLOG:
      return LOG_INFO;
    case LogDEBUG:
    case LogTIMER:
      return LOG_DEBUG;
    case LogWARN:
      return LOG_WARNING;
    case LogERROR:
      return LOG_ERR;
    case LogALERT:
      return LOG_ALERT;
    }
    return lev >= LogMIN && lev <= LogMAX ? LOG_INFO : 0;
  }


-- 
stefan
http://stsp.name                                         PGP Key: 0xF59D25F0
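The double logging described in the mail follows directly from the quoted syslog.conf: `*.notice;...user.none /var/log/messages` matches `daemon.notice` (daemon is not in the `.none` list), and `daemon.info /var/log/daemon` matches every daemon message at info or more severe, notice included. A LOG_INFO message only matches the second rule. The following is an added example, not code from the mail or from pptp/ppp: a small evaluator for the BSD syslog.conf selector syntax used in the quoted lines (`facility[,facility].level`, `*`, `none`, `;`-separated lists). It assumes pptp and ppp both log under the daemon facility, and it deliberately ignores syslogd extensions not shown on the page (`=`/`!` level modifiers, program and hostname blocks).

```python
"""Evaluate BSD syslog.conf selectors for a (facility, priority) pair.

Added example (not from the mail or from pptp/ppp). Shows why a
daemon.notice message lands in two files under the quoted default
config while daemon.info lands in one.
"""

# Severity numbers as in <sys/syslog.h>: lower number = more severe.
PRIORITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp",
    "local0", "local1", "local2", "local3",
    "local4", "local5", "local6", "local7",
]
NONE = -1  # facility explicitly excluded with ".none"

# Constructed copy of the uncommented syslog.conf lines quoted in the mail.
SYSLOG_CONF = """
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
kern.debug;syslog,user.info                             /var/log/messages
auth.info                                               /var/log/authlog
authpriv.debug                                          /var/log/secure
cron.info                                               /var/cron/log
daemon.info                                             /var/log/daemon
ftp.info                                                /var/log/xferlog
lpr.debug                                               /var/log/lpd-errs
mail.info                                               /var/log/maillog
*.emerg                                                 *
"""


def parse_selector_list(selectors):
    """Return {facility: threshold}. Selectors apply left to right, so a
    later 'auth.none' overrides an earlier '*.notice' for auth only."""
    table = {}
    for sel in selectors.split(";"):
        facs, _, level = sel.rpartition(".")
        names = FACILITIES if facs == "*" else facs.split(",")
        threshold = NONE if level == "none" else PRIORITIES[level]
        for fac in names:
            table[fac] = threshold
    return table


def parse_conf(text):
    """Return a list of (selector table, action) for each active line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, action = line.split(None, 1)
        rules.append((parse_selector_list(selectors), action.strip()))
    return rules


def destinations(rules, facility, priority):
    """Actions that receive a message logged at facility.priority.
    A rule matches when the facility is listed (not '.none') and the
    message is at least as severe as the rule's threshold."""
    pri = PRIORITIES[priority]
    matched = []
    for table, action in rules:
        threshold = table.get(facility)
        if threshold is not None and threshold != NONE and pri <= threshold:
            matched.append(action)
    return matched


if __name__ == "__main__":
    rules = parse_conf(SYSLOG_CONF)
    # pptp without the patch: LOG_NOTICE under the daemon facility (assumed)
    print("daemon.notice ->", destinations(rules, "daemon", "notice"))
    # pptp with the patch / ppp(8): LOG_INFO under the daemon facility
    print("daemon.info   ->", destinations(rules, "daemon", "info"))
```

Running it prints `/var/log/messages` and `/var/log/daemon` for the notice case and only `/var/log/daemon` for the info case, which matches the behaviour the mail reports; the same evaluator can be pointed at a different syslog.conf to predict where any facility/priority pair ends up before changing a daemon's log level.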
