Bugtraq mailing list archives

Re: Exploit for Linux wu.ftpd hole


From: newsham () aloha net (Timothy Newsham)
Date: Wed, 5 Jul 1995 17:04:05 -1000


There also appears to be a bug in syslog. If you do something like:

grep -v "ROOT" messages > mmm; mv mmm messages

Logging is disabled. I suspect this problem is that the file pointer
maintained by syslog is getting ahead of the physical EOF, and thus
writes will fail, but this is just a guess, and I haven't looked at the
source to Linux's syslog.

You have to HUP syslogd after doing such things on most syslogd's.
syslog usually opens all logs when it starts up and reads the config
file.  When you HUP the daemon it rereads the config file and reopens
the log files.

Explanation (you probably know this but I'll be complete):
When you remove a file it doesn't go away unless there are no links
left to it and no processes have the file open.  If syslog still
has the file open the file is unlinked from the directory but
still exists on disk.  Syslog keeps logging to the now invisible
file.  The new file you make has a new inode number and refers to
a completely different file.  When you HUP syslogd it closes the
old file (making it get deleted from the disk for real) and opens
the new file and starts logging normally again.
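
The inode behaviour described in the explanation above, as an added Python example that is not part of the original post: a process holding a log open compares the inode behind its descriptor with the inode the path currently names, which is the condition that calls for a reopen. Function names, log lines and temporary paths are constructed for illustration.

```python
import os
import tempfile

def log_was_replaced(fd, path):
    """True when `path` no longer names the file that `fd` has open."""
    try:
        on_disk = os.stat(path)
    except FileNotFoundError:
        return True
    held = os.fstat(fd)
    return (held.st_dev, held.st_ino) != (on_disk.st_dev, on_disk.st_ino)

def open_log(path):
    # Stand-in for the daemon opening its log at startup or on HUP.
    return os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)

def demo():
    r = {}
    with tempfile.TemporaryDirectory() as d:
        path, tmp = os.path.join(d, "messages"), os.path.join(d, "mmm")
        fd = open_log(path)
        os.write(fd, b"constructed: ROOT LOGIN on tty1\n")
        os.write(fd, b"constructed: daemon started\n")
        r["before"] = log_was_replaced(fd, path)

        # Same effect as the filter-then-mv in the post: "messages" now
        # names a new file with a new inode; fd still refers to the old one.
        with open(path, "rb") as src, open(tmp, "wb") as dst:
            dst.writelines(l for l in src if b"ROOT" not in l)
        os.replace(tmp, path)

        os.write(fd, b"constructed: written after rename\n")  # lands in unlinked file
        r["after_rename"] = log_was_replaced(fd, path)
        with open(path, "rb") as f:
            r["visible_after_rename"] = f.read()

        # What HUP triggers: close the old descriptor, open the path again.
        os.close(fd)
        fd = open_log(path)
        os.write(fd, b"constructed: written after reopen\n")
        r["after_reopen"] = log_was_replaced(fd, path)
        with open(path, "rb") as f:
            r["visible_after_reopen"] = f.read()
        os.close(fd)
    return r

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```
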


