Bugtraq mailing list archives

Re: Exploit for Linux wu.ftpd hole


From: karl () bagpuss demon co uk (Karl Strickland)
Date: Thu, 6 Jul 1995 02:57:10 +0100


There also appears to be a bug in syslog. If you do something like:

grep -v "ROOT" messages > mmm; mv mmm messages

Logging is disabled, I suspect this problem is that the file pointer
maintained by syslog is getting ahead of the physical EOF, and thus
writes will fail, but this is just a guess, and I haven't looked at the
source to Linux's syslog.

This is not really a bug in syslog.  By executing the above commands,
you effectively unlink the file that syslog is writing to.  Your new
'mmm' file (which you then rename to messages) is different to the 'old'
messages file - different inode.  syslog is quite happy to write to the 'old'
file, which still exists until the last reference to it goes away, even
though you can't see it.

kill -HUP syslog might re-open the file and continue logging as you would
expect, but I have not looked at Linux's syslog.

By the same token though, you could always kill -9 syslog.  That would
stop logging also.

--
------------------------------------------+-----------------------------------
Mailed using ELM on FreeBSD               |                    Karl Strickland
PGP 2.3a Public Key Available.            | Internet: karl () bagpuss demon co uk
                                          |
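
The inode behaviour described in this message can be checked from the defender's side. The following is an added example, not part of the original post: it replays the filter-and-rename sequence in a temporary directory and compares the inode a writer holds open with the inode the path now names. The function names and the log lines are constructed for illustration, and the writer is a stand-in for a log daemon, not syslogd itself.

```python
import os
import tempfile

def log_was_replaced(fd, path):
    """True if `path` no longer names the file that `fd` has open."""
    held = os.fstat(fd)
    try:
        current = os.stat(path)
    except FileNotFoundError:
        return True
    return (held.st_dev, held.st_ino) != (current.st_dev, current.st_ino)

def demo():
    """Replay the sequence from the message and return what was observed."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "messages")
        tmp = os.path.join(d, "mmm")
        flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT
        fd = os.open(path, flags, 0o600)      # stand-in for the daemon's open log
        # Constructed sample log lines
        os.write(fd, b"ROOT LOGIN on tty1\nftpd: connect from host\n")
        before = log_was_replaced(fd, path)

        # Equivalent of: grep -v "ROOT" messages > mmm; mv mmm messages
        with open(path, "rb") as src, open(tmp, "wb") as dst:
            dst.writelines(line for line in src if b"ROOT" not in line)
        os.rename(tmp, path)

        os.write(fd, b"ftpd: later event\n")  # succeeds, but lands in the old inode
        after = log_was_replaced(fd, path)
        orphan_links = os.fstat(fd).st_nlink  # no directory entry left for old file
        with open(path, "rb") as f:
            visible = f.read()

        # Re-open by name, as a daemon that re-opens its log on SIGHUP would
        os.close(fd)
        fd = os.open(path, flags, 0o600)
        os.write(fd, b"ftpd: after reopen\n")
        os.close(fd)
        with open(path, "rb") as f:
            final = f.read()
    return before, after, orphan_links, visible, final

if __name__ == "__main__":
    print(demo())
```

A link count of zero on a descriptor a logging process still holds, or a mismatch between that descriptor's inode and the log path's inode, is the observable sign that the log file was swapped underneath the writer.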


