klog-read — kernel log server




klog-read is a kernel log server that feeds a log-writing service of some sort. It loops forever, reading log messages and writing them to its standard error. Usually, the source of the messages is the kernel.

No attempt is made to rectify messages, or even modify them at all.

It expects file descriptor 3 to be a FIFO that has been set up, with fifo-listen(1) or similar, to listen for incoming messages. Usually, its standard error will be redirected to an instance of cyclog(1) or similar. This will place an absolute timestamp on each log message when the message was sent to the log file by the log service, in addition to the relative timestamp (time since bootstrap) placed by the kernel.

This server does expect a stream input, however. It is not suitable for use with UDP or AF_LOCAL syslog sockets, which are datagram-based.


Unlike other kernel log servers, this server has no need to be run as the superuser. It writes to no files or directories, requires no ownership of any files or directories, and does not even need privileged permissions for FIFO access since it expects to inherit its FIFO already opened from the program that chain-loaded it.

Message content is as secure as the underlying transport. Note that Linux kernels allow (privileged) processes to write arbitrary log content to the kernel log buffer. The kernel provides no defences against forgery, no defences against malformed character encodings or control characters, nor authentication mechanisms for clients. It is indeed only in newer kernels that defences against flooding by application mode code have been introduced.

This server does not interpret or execute message content received, and does no message categorization or other such processing based upon potentially attacker-supplied information. Its read buffer is a fixed size, with no size calculations at all, let alone ones based upon potentially attacker-supplied length fields.


Jonathan de Boyne Pollard