I put together a list of potential problems after a brief glance at 4.3BSD code. These problems are probably inherited into commercial systems. Most modern systems log even more than 4.3 does.

* Sendmail
  as has already been stated.
* ftpd
  I guess improved ftpd might be using syslog. The standard ftpd does use it extensively when run in debug mode. And you enter usernames and paths etc. all over.
* remote hostnames and DNS games
  Most daemons log a DNS mismatch, but MAXHOSTNAME is usually small enough. This shouldn't be a problem.
* Any RPC daemon run in some kind of debug mode
  Many of them do a lot of logging of user data when run in debug or logging mode, for example rpc.lockd, rpc.bootparamd etc.
* rpc.bootparamd
  There is extensive use of user-supplied RPC data.
* rpc.lockd
  There is at least one place where user-supplied data is syslog()ed, not counting DEBUG ones. DEBUG mode can however be enabled remotely, so one has to count with them all.
* rpc.mountd
  There is some logging done for failed operations.
* rpc.statd
  uses extensive logging, but depends on whether compiled with -DDEBUG or not. Standard SunOS binary is. Found errors being logged, with user data supplied.
* lpd
  by supplying an invalid printer name.

Uncertain ones:

* bind (not verified)
  would surprise me if bind didn't have a lot of "dangerous" logging, since it is a decent piece of code. (This one really works backwards. Nasty.)
* popper
  supplying the wrong user name should perhaps do it.
* other stuff in inetd.conf...
* nntpd?
* gopher?
* httpd
  should be safe, it doesn't use syslog, as far as I remember.
* most /bin/login's
  should be safe, I think. They only accept limited length usernames.
* nfsd in kernel?
  It does quite a lot of logging if nfsdebug is turned on.

I might very well be wrong on these, either way. Also note that it is a rather old source I've looked at, 4.3 BSD. I guess one should make a similar list for each OS, and start recompiling.

/Christian
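
Added example, not part of the original post and not taken from any of the daemons listed: one way a daemon can bound a user-supplied string before it reaches syslog(). It assumes the concern is the length of user-supplied data being logged, as the remarks on MAXHOSTNAME and limited-length usernames suggest. LOG_FIELD_MAX, bound_field() and log_unknown_printer() are hypothetical names.

```c
#include <stddef.h>
#include <string.h>
#include <syslog.h>

#define LOG_FIELD_MAX 64   /* assumed per-field cap, not a value from the post */

/*
 * Copy src into dst (dstlen bytes), keeping at most LOG_FIELD_MAX bytes.
 * Non-printable bytes become '?' so a client cannot inject control
 * characters or fake line breaks into the log.
 * Returns 1 if the input was truncated, 0 otherwise.
 */
int bound_field(char *dst, size_t dstlen, const char *src)
{
    size_t max, i;

    if (dstlen == 0)
        return 1;
    max = dstlen - 1;
    if (max > LOG_FIELD_MAX)
        max = LOG_FIELD_MAX;
    for (i = 0; i < max && src[i] != '\0'; i++) {
        unsigned char c = (unsigned char)src[i];
        dst[i] = (c >= 0x20 && c < 0x7f) ? (char)c : '?';
    }
    dst[i] = '\0';
    return src[i] != '\0';
}

/*
 * Hypothetical lpd-style call site: log a rejected printer name.
 * The format string is a constant; client data is only ever passed as a
 * bounded "%s" argument. Returns 1 if the name had to be truncated.
 */
int log_unknown_printer(const char *name)
{
    char safe[LOG_FIELD_MAX + 1];
    int cut = bound_field(safe, sizeof safe, name);

    syslog(LOG_ERR, "unknown printer \"%s\"%s", safe,
           cut ? " (truncated)" : "");
    return cut;
}
```
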