Re: Exploit for Linux wu.ftpd hole

der Mouse (mouse@Collatz.McRCIM.McGill.EDU)
Thu, 6 Jul 1995 06:39:06 -0400

> There also appears to be a bug in syslog.  If you do something like:

> grep -v "ROOT" messages > mmm; mv mmm messages

> logging is disabled.  I suspect this problem is that the file pointer
> maintained by syslog is getting ahead of the physical EOF, and thus
> writes will fail, but this is just a guess,

Every syslogd I've ever seen behaves this way.  The problem is that
syslogd doesn't close and re-open the messages file; rather, it keeps
its original file descriptor around.  Thus, syslogd is still writing
messages to the same file it's been writing to all along.  But the mv
destroyed that file's only name, so there's no way for anyone else to
access it; it's become a classic case of "unlinked but still open" and
will stay that way until syslogd closes it, at which point it will be
truly deleted.

This is why rotate-syslog-files scripts always send syslogd a SIGHUP,
because that makes it (among other things) close and reopen its
logfiles.

                                        der Mouse

                            mouse@collatz.mcrcim.mcgill.edu
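The behaviour described above, reproduced in an added example that is not part of the original post: a small `LogWriter` stands in for a syslogd holding one descriptor on `messages`, `rotate_by_rename()` emulates the `grep -v ... > mmm; mv mmm messages` sequence, and `fstat().st_nlink == 0` is the check that tells you the daemon is now writing into an inode with no name. The `reopen()` method is the close-and-reopen a SIGHUP handler performs; the file layout, class and function names are all assumptions of this example.

```python
import os
import shutil
import signal
import tempfile


class LogWriter:
    """Holds one open descriptor on a log file, the way a long-running syslogd does."""

    def __init__(self, path):
        self.path = path
        self.fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)

    def write(self, text):
        # No open/close per message: every write goes to the inode opened at start.
        os.write(self.fd, (text + "\n").encode())

    def writing_to_unlinked_inode(self):
        # After something was renamed over our path, the inode we hold has no
        # directory entry left: fstat() reports zero links.
        return os.fstat(self.fd).st_nlink == 0

    def reopen(self, *_):
        # What a syslogd's SIGHUP handler does: drop the stale descriptor and
        # open whatever file currently carries the name.
        os.close(self.fd)
        self.fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)

    def close(self):
        os.close(self.fd)


def install_hup_handler(writer):
    """Wire reopen() to SIGHUP, which is what rotation scripts expect of the daemon."""
    signal.signal(signal.SIGHUP, writer.reopen)


def rotate_by_rename(path, keep):
    """Emulate `grep -v PATTERN messages > mmm; mv mmm messages`: filter into a new
    file, then rename it over the original, which removes the old inode's only name."""
    tmp = path + ".tmp"
    with open(path) as src, open(tmp, "w") as dst:
        for line in src:
            if keep(line):
                dst.write(line)
    os.replace(tmp, path)


def read_lines(path):
    with open(path) as f:
        return f.read().splitlines()


def demo():
    """Run the scenario end to end and return the observations worth checking."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "messages")
    try:
        daemon = LogWriter(path)
        daemon.write("login: alice")               # constructed sample lines
        daemon.write("login: ROOT from 10.0.0.5")
        linked_before = not daemon.writing_to_unlinked_inode()

        rotate_by_rename(path, keep=lambda line: "ROOT" not in line)
        unlinked_after = daemon.writing_to_unlinked_inode()

        daemon.write("login: bob")                 # the write() call succeeds...
        lost = "login: bob" not in read_lines(path)  # ...but the line never reaches the new file

        daemon.reopen()                            # the step a SIGHUP would trigger
        daemon.write("login: carol")
        recovered = "login: carol" in read_lines(path)
        daemon.close()
        return {
            "linked_before": linked_before,
            "unlinked_after": unlinked_after,
            "lost": lost,
            "recovered": recovered,
            "final": read_lines(path),
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

The same `st_nlink == 0` test can be applied to a live daemon from outside: on Linux, `ls -l /proc/PID/fd` marks such descriptors with `(deleted)`, which is a quick way to confirm that a rotation script forgot the SIGHUP before any messages are silently lost.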