From nobody@FreeBSD.org  Thu Jul 20 17:41:12 2006
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B8FC816A4DA
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 20 Jul 2006 17:41:12 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7BD7643D46
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 20 Jul 2006 17:41:12 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id k6KHfAqn090873
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 20 Jul 2006 17:41:10 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id k6KHfAAu090872;
	Thu, 20 Jul 2006 17:41:10 GMT
	(envelope-from nobody)
Message-Id: <200607201741.k6KHfAAu090872@www.freebsd.org>
Date: Thu, 20 Jul 2006 17:41:10 GMT
From: "Royce D. Williams" <royce@alaska.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: syslog.conf: lines after exclamation point ignored
X-Send-Pr-Version: www-2.3

>Number:         100616
>Category:       conf
>Synopsis:       [patch] [syslog.conf] lines after exclamation point ignored
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 20 17:50:12 GMT 2006
>Closed-Date:    
>Last-Modified:  Sun May 04 04:21:47 UTC 2014
>Originator:     Royce D. Williams
>Release:        6.1-RELEASE
>Organization:
>Environment:
FreeBSD mason 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Sun May  7 04:32:43 UTC 2006     root@opus.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
Parsing of the exclamation point in the default /etc/syslog.conf appears
to cause all lines after those lines to be ignored, even if those lines
are commented out.

This has been verified on various 4.x and 5.x boxes as well.

If this is a side effect of expected behavior, then this behavior may
need to be modified, as it is intuitive that adding a simple line to the
end of
syslog.conf should Just Work.
>How-To-Repeat:
1. Install stock 6.1.
2. Add an entry to the bottom of syslog.conf, as in:

--- syslog.conf Sat May  6 20:00:23 2006
+++ syslog.conf.test    Thu Jul 20 08:24:23 2006
@@ -30,3 +30,4 @@
 *.*                                            /var/log/slip.log
 !ppp
 *.*                                            /var/log/ppp.log
+auth.*                                         /var/log/test.log

3. # touch /var/log/test.log
4. # chmod u+w /var/log/test.log
5. # kill -HUP `cat /var/run/syslog.pid`
6. Perform an action that will generate an auth-level syslog event, such as logging in, using su, etc.
7. Verify that no entry has been written to /var/log/test.log
8. Comment out all four lines:

--- syslog.conf Sat May  6 20:00:23 2006
+++ syslog.conf.test    Thu Jul 20 09:33:10 2006
@@ -26,7 +26,8 @@
 # news.crit                                    /var/log/news/news.crit
 # news.err                                     /var/log/news/news.err
 # news.notice                                  /var/log/news/news.notice
-!startslip
-*.*                                            /var/log/slip.log
-!ppp
-*.*                                            /var/log/ppp.log
+#!startslip
+#*.*                                           /var/log/slip.log
+#!ppp
+#*.*                                           /var/log/ppp.log
+auth.*                                         /var/log/test.log

9. # kill -HUP `cat /var/run/syslog.pid`
10. Perform an action that will generate an auth-level syslog event, such as logging in, using su, etc.
11. Verify that no entry has been written to /var/log/test.log
12.  Move the test line above the four slip/PPP lines:

--- syslog.conf Sat May  6 20:00:23 2006
+++ syslog.conf.test    Thu Jul 20 09:34:19 2006
@@ -26,7 +26,8 @@
 # news.crit                                    /var/log/news/news.crit
 # news.err                                     /var/log/news/news.err
 # news.notice                                  /var/log/news/news.notice
-!startslip
-*.*                                            /var/log/slip.log
-!ppp
-*.*                                            /var/log/ppp.log
+auth.*                                         /var/log/test.log
+#!startslip
+#*.*                                           /var/log/slip.log
+#!ppp
+#*.*                                           /var/log/ppp.log

13. # kill -HUP `cat /var/run/syslog.pid`
14. Perform an action that will generate an auth-level syslog event, such as logging in, using su, etc.
15. Verify that writes are now working to /var/log/test.log


>Fix:
Not known.
>Release-Note:
>Audit-Trail:

From: David Malone <dwmalone@maths.tcd.ie>
To: bug-followup@FreeBSD.org, royce@alaska.net
Cc:  
Subject: Re: conf/100616: [patch] syslog.conf: lines after exclamation point ignored
Date: Fri, 03 Oct 2008 21:18:41 +0100

 Hi Royce,
 
 I think this is a consequence of the program specification feature
 of syslogd - have a look at the syslog.conf man page and search for
 "program specification".
 
 As a documented feature, it is probably not something that we can
 change.  However, we could add a warning to syslog.conf.
 
 	David.

From: Royce Williams <royce@alaska.net>
To: David Malone <dwmalone@maths.tcd.ie>
Cc: bug-followup@FreeBSD.org
Subject: Re: conf/100616: [patch] syslog.conf: lines after exclamation point
 ignored
Date: Mon, 06 Oct 2008 16:08:08 -0800

 Hello, David - thanks for the informative response!  Looking back at
 the commits, I see that you're familiar with syslogd.c.
 
 David Malone wrote, on 10/3/2008 12:18 PM:
 > I think this is a consequence of the program specification feature
 > of syslogd - have a look at the syslog.conf man page and search for
 > "program specification".
 
 Ah, I think that I get it.  I do think that there's still a remaining
 bug, though; I talk about that near the end.
 
 > As a documented feature, it is probably not something that we can
 > change.  
 
 The syslog.conf manpage says that respecting '#!' is to maintain 
 compatibility with a previous version of syslog.  Looking back at 
 syslog.conf and syslogd.c, it looks like support for this was added 
 in rev 1.3 back in December 1994, but I don't see anything that shows 
 when the previous version of syslog was replaced.
 
 It may be difficult to gauge how many people are using this legacy 
 functionality, but my instinct is that giving some warning and then 
 dropping support for '#!' (while keeping support for '!' without the 
 '#' in front of it) may be warranted.  The syslog.conf comments 
 mention cross-platform compatibility, and I don't know if any other 
 OSes still use '#!', so that may be an issue.
 
 That being said, having the same single character be both a comment 
 character and a functional one seems like a significant POLA violation
 to me.  I'm not aware of any other instance of that.
 
 > However, we could add a warning to syslog.conf.
 
 Agreed.  Perhaps just above the examples themselves, as in:
 
 --- syslog.conf 2005-03-12 03:31:16.000000000 -0900
 +++ syslog.conf.new     2008-10-06 16:02:09.000000000 -0800
 @@ -26,6 +26,10 @@
  # news.crit                                    /var/log/news/news.crit
  # news.err                                     /var/log/news/news.err
  # news.notice                                  /var/log/news/news.notice
 +#   Commenting out program specifications will not work as expected.
 +#   For backwards compatibility with the previous syslog, lines
 +#   starting with '#!' have a purpose and are NOT commented out.
 +#   See 'program specification' in the syslog.conf(5) manpage.
  !startslip
  *.*                                            /var/log/slip.log
  !ppp
 
 ... or something less chatty.  Is sending this to you sufficient, or 
 should I add it to the PR?
 
 Now about the possible bug.  Even if commenting out the !startslip 
 doesn't really comment it out, but instead triggers this legacy 
 support, why would all subsequent unrelated configuration lines get 
 ignored?  From my testing, any lines added after the example '!' lines
 are ignored entirely.  Surely that's not part of the functionality?  
 Or am I missing something?  Are you able to recreate the symptom that 
 I'm seeing, as described in the PR?
 
 Royce
 
 -- 
 Royce D. Williams                                   - http://royce.ws/
  Adding manpower to a late software project makes it later.  - Brooks

From: David Malone <dwmalone@maths.tcd.ie>
To: Royce Williams <royce@alaska.net>
Cc: David Malone <dwmalone@maths.tcd.ie>, bug-followup@FreeBSD.org,
    dwmalone@maths.tcd.ie
Subject: Re: conf/100616: [patch] syslog.conf: lines after exclamation point ignored 
Date: Tue, 07 Oct 2008 09:42:50 +0100

 > The syslog.conf manpage says that respecting '#!' is to maintain 
 > compatibility with a previous version of syslog.  Looking back at 
 > syslog.conf and syslogd.c, it looks like support for this was added 
 > in rev 1.3 back in December 1994, but I don't see anything that shows 
 > when the previous version of syslog was replaced.
 
 I think the idea is that you could share a syslog.conf between
 machines, some of which support the "#!" notation and some of which
 don't. For example, we used to share a syslog.conf between FreeBSD
 and SunOS machines.
 
 > +#   Commenting out program specifications will not work as expected.
 > +#   For backwards compatibility with the previous syslog, lines
 > +#   starting with '#!' have a purpose and are NOT commented out.
 > +#   See 'program specification' in the syslog.conf(5) manpage.
 
 Something like this would be good...
 
 > ... or something less chatty.  Is sending this to you sufficient, or 
 > should I add it to the PR?
 
 Personally, I think snappier would be better I think - how about:
 
 # NB: To comment out lines starting with a "!" use "##" - see syslog.conf(5).
 
 > Now about the possible bug.  Even if commenting out the !startslip 
 > doesn't really comment it out, but instead triggers this legacy 
 > support, why would all subsequent unrelated configuration lines get 
 > ignored?  From my testing, any lines added after the example '!' lines
 > are ignored entirely.  Surely that's not part of the functionality?  
 > Or am I missing something?  Are you able to recreate the symptom that 
 > I'm seeing, as described in the PR?
 
 The program specification (or a host specification) applies to all
 subsequent lines, until it is reset. To reset it, you need to have
 a line that says:
 
 !*
 
 or the equivelent "#!*". This is explained in the man page below
 in the paragraph after host specifications, but we've had several
 people confused about it, so I suspect the man page is not clear
 enough. If you have an idea bout how to make it clearer, let me
 know!
 
 	David.

From: Royce Williams <royce@alaska.net>
To: David Malone <dwmalone@maths.tcd.ie>
Cc: bug-followup@FreeBSD.org
Subject: Re: conf/100616: [patch] syslog.conf: lines after exclamation point
 ignored
Date: Tue, 07 Oct 2008 11:08:29 -0800

 David Malone wrote, on 10/7/2008 12:42 AM:
 > Personally, I think snappier would be better I think - how about:
 > 
 > # NB: To comment out lines starting with a "!" use "##" - see syslog.conf(5).
 
 Agreed - short, to the point.
 
 >> Now about the possible bug.  Even if commenting out the !startslip 
 >> doesn't really comment it out, but instead triggers this legacy 
 >> support, why would all subsequent unrelated configuration lines get 
 >> ignored?  From my testing, any lines added after the example '!' lines
 >> are ignored entirely.  Surely that's not part of the functionality?  
 >> Or am I missing something?  Are you able to recreate the symptom that 
 >> I'm seeing, as described in the PR?
 > 
 > The program specification (or a host specification) applies to all
 > subsequent lines, until it is reset. To reset it, you need to have
 > a line that says:
 > 
 > !*
 > 
 > or the equivelent "#!*". This is explained in the man page below
 > in the paragraph after host specifications, but we've had several
 > people confused about it, so I suspect the man page is not clear
 > enough. If you have an idea bout how to make it clearer, let me
 > know!
 
 Ah.  That's what I get for only reading that paragraph!
 
 Since the existing stock syslog.conf doesn't have these resets,
 then as written, they're incomplete and should probably be fixed
 as follows:
 
 
 +++ syslog.conf.new     2008-10-07 11:03:08.000000000 -0800
 @@ -26,7 +26,10 @@
  # news.crit                                    /var/log/news/news.crit
  # news.err                                     /var/log/news/news.err
  # news.notice                                  /var/log/news/news.notice
 +# NB: To comment out lines starting with a "!" use "##" - see syslog.conf(5).
  !startslip
  *.*                                            /var/log/slip.log
 +!*
  !ppp
  *.*                                            /var/log/ppp.log
 +!*
 
 ... or something similar?
 
 In this way, POLA is restored -- unsuspecting users can add new lines 
 without being caught in the same way that I was.
 
 Royce
 
 
 -- 
 Royce D. Williams                                   - http://royce.ws/
 Progress is made by lazy men looking for easier ways to do things.~RAH
>Unformatted:
