Bugtraq mailing list archives

Re: Exploit for Linux wu.ftpd hole


From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Thu, 6 Jul 1995 23:33:15 +1000


[...]
There also appears to be a bug in syslog. If you do something like:

grep -v "ROOT" messages > mmm; mv mmm messages

Logging is disabled, I suspect this problem is that the file pointer
maintained by syslog is getting ahead of the physical EOF, and thus
writes will fail, but this is just a guess, and I haven't looked at the
source to linux's syslog.

This isn't a bug.

Or rather, you don't understand fully what happens here.  Just because
the file is (now) there, doesn't mean it will be appended to.  You need
it to reread the syslog.conf file (either restart or kill -HUP).
When you do "mv mmm messages", you "delete messages", but syslogd keeps
it open and it never gets "deleted" until syslogd closes...to get a
better idea of what happens, use ls -li, keeping in mind that open files
are known by inode numbers, not names.  Oh, using lsof/ofiles/fuser helps
to show what really happens.

...which leads to a somewhat curious little number in variations of
"newsyslog" which I've seen do essentially this:

mv messages messages.0
gzip messages.0
touch messages
kill -HUP syslogd

...or any other combination where the compress is before the kill -HUP.
Correctly done, the compress should be last.
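An added illustration of both points, not code from the original thread: a shell file descriptor (fd 3) stands in for syslogd's open descriptor, a fresh "exec 3>>messages" stands in for the reopen that kill -HUP triggers, and gzip plays the compressor. The directory, file names and log lines are constructed for the demo.

```sh
# Added example, not code from the original thread. fd 3 plays syslogd's open
# descriptor, "exec 3>>messages" plays the reopen done on kill -HUP, gzip plays
# the compressor. File names, directory and log lines are constructed.

# The "grep -v ROOT messages > mmm; mv mmm messages" case from the quoted report.
# Returns success when the old inode kept receiving the writes while the new
# file that now carries the name "messages" stayed untouched.
demo_lost_logging() {
    dir=$(mktemp -d); cd "$dir"
    printf 'line1 ROOT\nline2\n' > messages
    exec 3>>messages                             # bound to the inode, not the name
    old_inode=$(ls -i messages | awk '{print $1}')
    grep -v ROOT messages > mmm
    mv mmm messages                              # the name now points at a new inode
    new_inode=$(ls -i messages | awk '{print $1}')
    echo "after rotate" >&3                      # lands in the old, now nameless inode
    exec 3>&-
    new_count=$(wc -l < messages)                # still only the surviving grep line
    cd /; rm -rf "$dir"
    [ "$old_inode" != "$new_inode" ] && [ "$new_count" -eq 1 ]
}

# The newsyslog variant: $1 = compress-first (the order quoted in the post) or
# reopen-first (the order the post recommends). Prints how many of the three
# logged lines survive the rotation, counting both the .gz and the live file.
rotate_lines_kept() {
    dir=$(mktemp -d); cd "$dir"
    : > messages; exec 3>>messages
    echo "before rotate" >&3
    mv messages messages.0
    if [ "$1" = compress-first ]; then
        gzip messages.0; touch messages          # gzip unlinks messages.0 when done
        echo "during rotate" >&3                 # lost: written to the unlinked inode
        exec 3>>messages                         # kill -HUP: syslogd reopens by name
    else
        touch messages; exec 3>>messages         # reopen first ...
        echo "during rotate" >&3                 # ... so this line reaches the new file
        gzip messages.0                          # compress last, as the post says
    fi
    echo "after rotate" >&3; exec 3>&-
    kept=$(( $(gzip -dc messages.0.gz | wc -l) + $(wc -l < messages) ))
    cd /; rm -rf "$dir"
    echo "$kept"
}
```

Running "ls -i" before and after the mv, as the post suggests, is what exposes the inode change; the compress-first order keeps 2 of the 3 lines, reopen-first keeps all 3.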
