In message <86r43gr5nb.fsf@nine.des.no>, =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no> wrote: >"Ronald F. Guilmette" <rfg@tristatelogic.com> writes: >> I forgot that newsyslog(8) should limit the size of /var/log/messages, >and >> that as long as you limit the size of that to a reasnable value, and as >> long as you have newsyslog(8) only keeping a finite & reasonable number >> of "rotated out" copies, then /var won't fill up. > >It can still happen, since newsyslog only runs once per hour. If /var >fills up between two newsyslog runs... Yes. Good point. So should I file a PR on this, or what? My first thought is that perhaps what's needed is per-account logging quotas, so that loging could be limited... on a per account basis... much as the usage of memory and other finite resources are. However it occurs to me that perhaps the scenario I mentioned is only one of a number of plausible scenarios that might result in total exhaustion of /var between hourly newsyslog runs. For example, I can easily envision remotely filling up your /var simply by sending you, in rapid succession, a sufficient quantity of malformed http requests, or perhaps even just an endless set of minimalist HELO/QUIT sequences to your mail server. Of course, none of these kinds of attacks will really be all that harmful to any well-attended machines that are being properly monitored by even minimally competent system administrators. But given that more and more machines these days run as "appliances" for long periods with no monitoring whatsoever, attacks which exhaust /var, or which attemp to do so, might actually be an issue worthy of attention. _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"