Re: Exploit for Linux wu.ftpd hole

Darren Reed (avalon@COOMBS.ANU.EDU.AU)
Thu, 6 Jul 1995 23:33:15 +1000

[...]
> There also appears to be a bug in syslog. If you do something like:
>
> grep -v "ROOT" messages > mmm; mv mmm messages
>
> Logging is disabled. I suspect this problem is that the file pointer
> maintained by syslog is getting ahead of the physical EOF, and thus
> writes will fail, but this is just a guess, and I haven't looked at the
> source to Linux's syslog.

This isn't a bug.

Or rather, you don't understand fully what happens here.  Just because
the file is (now) there, doesn't mean it will be appended to.  You need
it to reread the syslog.conf file (either restart or kill -HUP).
When you do "mv mmm messages", you "delete messages", but syslogd keeps
it open and it never gets "deleted" until syslogd closes...to get a
better idea of what happens, use ls -li, keeping in mind that open files
are known by inode numbers, not names.  Oh, using lsof/ofiles/fuser helps
to show what really happens.

...which leads to a somewhat curious little number in variations of
"newsyslog" which I've seen do essentially this:

mv messages messages.0
gzip messages.0
touch messages
kill -HUP syslogd

...or any other combination where the compress is before the kill -HUP.
Correctly done, the compress should be last.
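The behaviour described above, as an added example that is not part of the original post or of any syslogd source: a shell script stands in for a daemon that holds its log open on a descriptor, shows that after "mv" and "touch" its writes still land in the old inode (check with ls -i, as the reply suggests), and then performs the rotation in the recommended order, with the reopen (the stand-in for kill -HUP) before the gzip. All file names, helper names and the mktemp directory are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. A shell "daemon" keeps a log open
# on fd 3, the way syslogd keeps /var/log/messages open, and writes through
# that descriptor. The descriptor is bound to the inode, not to the name.

daemon_open() { exec 3>>"$LOG"; }
daemon_log()  { printf '%s\n' "$1" >&3; }
daemon_hup()  { exec 3>&-; exec 3>>"$LOG"; }   # what SIGHUP makes syslogd do: reopen

inode_of()   { ls -i "$1" | awk '{print $1}'; }
line_count() { wc -l < "$1" | tr -d ' '; }

# What the quoted poster did: replace the file without sending a HUP.
# Prints "<lines in new messages> <old inode kept: yes|no>"; expected "0 yes".
demo_without_hup() {
    d=$(mktemp -d); LOG="$d/messages"     # constructed scratch location
    daemon_open
    daemon_log "first line"
    orig=$(inode_of "$LOG")
    mv "$LOG" "$LOG.old"      # the name goes away; the open inode lives on
    touch "$LOG"              # a new, empty inode now carries the name
    daemon_log "second line"  # still written to the old inode (messages.old)
    kept=no; [ "$(inode_of "$LOG.old")" = "$orig" ] && kept=yes
    echo "$(line_count "$LOG") $kept"
    rm -rf "$d"
}

# Rotation in the order the reply recommends: rename, create, reopen, and
# compress only after the daemon has let go of the old inode, so the
# compressor never races the daemon's writes.
rotate_log() {
    mv "$LOG" "$LOG.0"
    touch "$LOG"
    daemon_hup                # stands in for: kill -HUP syslogd
    gzip -f "$LOG.0"
}

# Prints "<lines in new messages> <messages.0.gz present: yes|no>"; expected "1 yes".
demo_with_hup() {
    d=$(mktemp -d); LOG="$d/messages"     # constructed scratch location
    daemon_open
    daemon_log "first line"
    rotate_log
    daemon_log "second line"  # now lands in the fresh messages file
    gz=no; [ -f "$LOG.0.gz" ] && gz=yes
    echo "$(line_count "$LOG") $gz"
    rm -rf "$d"
}

demo_without_hup
demo_with_hup
```

Running the script prints "0 yes" for the first demo (the recreated file stays empty while messages.old still has the original inode and receives the new line) and "1 yes" for the second (after the reopen the new line reaches the fresh file and the old one is compressed safely). A real syslogd is reopened with kill -HUP or a restart, exactly as the reply says; the point of the ordering is that gzip should only run once nothing is still writing to the renamed file.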