Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20190114230225.GL21289@port70.net>
Date: Tue, 15 Jan 2019 00:02:25 +0100
From: Szabolcs Nagy <nsz@...t70.net>
To: musl@...ts.openwall.com
Subject: Re: Use local time in syslog() function

* Rich Felker <dalias@...c.org> [2019-01-14 15:27:26 -0500]:
> On Mon, Jan 14, 2019 at 08:53:45PM +0100, Michael Kaufmann wrote:
> > >>I have found a bug in the implementation of syslog(). It should use
> > >>the local time instead of UTC when sending the message to /dev/log.
> > >>So in src/misc/syslog.c, the call to gmtime_r() should be replaced
> > >>with localtime_r().
> > >
> > >This is not a bug; rather, use of local time there in glibc and other
> > >systems is a bug. Local time varies by the sending process and
> > >produces inconsistent and uninterpretable log messages. Moreover the
> > >syslog() function is not specified to depend on the environment and
> > >thereby is not allowed to call any function whose behavior is
> > >dependant on the environment.
> > 
> > Thank you for responding!
> > 
> > I agree that GMT would have been a better choice, but I think local
> > time is also mandated by RFC 3164,
> > https://tools.ietf.org/html/rfc3164#section-4.1.2 : "The TIMESTAMP
> > field is the local time". Or does this RFC not apply for syslog() on
> > Linux?

note that rfc is deprecated by

https://tools.ietf.org/html/rfc5424

which has a timestamp format that always includes zone information
and i see no local time requirement any more, it also says

   The TIMESTAMP described in RFC 3164 offers less precision than the
   timestamp specified in this document.  It also lacks the year and
   time zone information.  If a message formatted according to this
   document needs to be reformatted to be in RFC 3164 format, it is
   suggested that the originator's local time zone be used, and the time
   zone information and the year be dropped.  If an RFC 3164 formatted
   message is received and must be transformed to be compliant to this
   document, the current year should be added and the time zone of the
   relay or collector MAY be used.

musl uses the old format, i don't know if existing tools depend on
this, if not then musl should use the unambigous timestamp format.

> 
> I'm not sure. Nominally it governs the udp protocol over a network,
> not the interface between local processes and syslogd over /dev/log
> (unix domain socket), so in that sense the answer is no, but of course
> in some sense it's the same protocol.
> 
> 4.2 goes on to say:
> 
>     "It should be reiterated here that the payload of any IP packet
>     destined to UDP port 514 MUST be considered to be a valid syslog
>     message. It is, however, RECOMMENDED that the syslog packet have
>     all of the parts described in Section 4.1..."
> 
> and:
> 
>     "If the originally formed message has a TIMESTAMP in the HEADER
>     part, then it SHOULD be the local time of the device within its
>     timezone."
> 
> "Local time of the device" is not defined anywhere, and in an
> environment where processes on a "device" (host?) could all have
> different local times, again the only reasonable choice for the device
> zone seems to be UTC.
> 
> One possible interpretation would be using /etc/localtime
> unconditionally (ignoring $TZ) for syslog purposes, but that would be
> a lot more work and would reintroduce all of the problems of local
> time log messages. It's far cleaner to simply configure the logging
> process to be aware that the zone of the system sending the log
> messages is UTC, if it needs to be.
> 
> > There's also this older discussion:
> > https://www.openwall.com/lists/musl/2014/01/28/2 - sorry, I have not
> > found it before.
> 
> Yes, I should have cited it but didn't have it handy.
> 
> Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.