[Zope-Coders] new zLOG

Guido van Rossum guido@python.org
Wed, 27 Nov 2002 10:08:37 -0500


> The fundamental problem with the stupid log is that the log file is
> opened by the same process which generates the log events. There are
> several solutions, but all involve adding an additional process to
> perform the writing to file.  For security it is important that this
> new process is not running as the same user id as the zope process.

Can you explain the reasoning for this (I know, once again)?  What's
the attack scenario you worry about?  Your remarks below imply that in
order to be secure, the logger must be started as root, yet the whole
point of this thread is that we don't want the logfile to be written
as root.  So blame me if I'm confused, okay? :-)

> I am not sure which option is the right default for Zope, but we
> could choose from:
> 
> 1. Zope writes log entries to stdout, and the default start script
> pipes that into a new process which writes it to a file. If started
> as root, this new process would need to suid itself.
> for:
> 	easy to explain.
> 	zero admin overhead
> against: 
> 	you can't have more than one log managed this way.
> 	does not work securely unless zope is started as root.
> 
> 2. Zope creates a pipe, then forks a new process. Zope writes log
> entries to the pipe. The new process reads events from the pipe, and
> writes them to a file.
> for:
> 	zero admin overhead
> 	supports multiple log files
> against:
> 	does not work securely unless zope is started as root.
> 
> 3. Zope sends log entries to some kind of external socket (unix,
> udp, and tcp all make sense). A different process listens on that
> socket, and writes to a file. Note that Zope could fork this process
> itself (but this is secure only when started as root),

(Couldn't it be a set-uid program?  Or is that yet another security
violation?)

> or it could be started externally.
> for:
> 	zero admin overhead when started as root
> 	can be secure even when not started as root with a little
> 	admin overhead.
> 	supports multiple log files
> against:
> 	possibly lower performance
> 	complexity
> 
> 
> Currently I use option 3 in Zope 2.6, in the form of syslog. (Of
> course option 3 doesn't _have_ to be syslog)

Note that Chris's new zLOG supports syslog.

--Guido van Rossum (home page: http://www.python.org/~guido/)
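
Option 2 from the quoted message (create a pipe, then fork a writer), sketched in Python as an added example that is not part of the original post or of zLOG. The function names and the app_uid/writer_uid parameters are assumptions; the setuid calls run only when uids are passed, which requires starting as root.

```python
import os

def start_log_writer(path, writer_uid=None):
    """Fork the writer; return (pipe_write_fd, writer_pid) to the caller."""
    r, w = os.pipe()
    pid = os.fork()
    if pid:                        # parent (the application): keep only the pipe
        os.close(r)
        return w, pid
    status = 1                     # child: the only process that opens the file
    try:
        os.close(w)
        if writer_uid is not None:
            os.setuid(writer_uid)  # needs root, hence "started as root"
        fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
        with os.fdopen(r, "rb") as src, os.fdopen(fd, "ab") as out:
            for line in src:       # ends at EOF, when the parent closes the pipe
                out.write(line)
                out.flush()
        status = 0
    finally:
        os._exit(status)           # never fall back into the parent's code


def log_via_writer(path, lines, app_uid=None, writer_uid=None):
    """Send lines through the writer; return (writer_exit_code, separated)."""
    w, pid = start_log_writer(path, writer_uid)
    if app_uid is not None:
        os.setuid(app_uid)         # application drops root after the fork
    for line in lines:
        os.write(w, line.encode() + b"\n")
    os.close(w)                    # EOF tells the writer to finish
    _, status = os.waitpid(pid, 0)
    # Separation holds only when both uids are set and they differ.
    separated = None not in (app_uid, writer_uid) and app_uid != writer_uid
    return os.WEXITSTATUS(status), separated


if __name__ == "__main__":
    # Constructed sample entries; run unprivileged, so both processes share a uid.
    print(log_via_writer("event.log", ["constructed entry 1", "constructed entry 2"]))
```

When distinct uids are passed, the file is created with mode 0600 under the writer's uid, so the application process can append through the pipe but cannot open the file itself.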