Bugtraq mailing list archives

Re: Exploit for Linux wu.ftpd hole


From: mouse () Collatz McRCIM McGill EDU (der Mouse)
Date: Thu, 6 Jul 1995 06:39:06 -0400


There also appears to be a bug in syslog.  If you do something like:

grep -v "ROOT" messages > mmm; mv mmm messages

logging is disabled.  I suspect this problem is that the file pointer
maintained by syslog is getting ahead of the physical EOF, and thus
writes will fail, but this is just a guess,

Every syslogd I've ever seen behaves this way.  The problem is that
syslogd doesn't close and re-open the messages file; rather, it keeps
its original file descriptor around.  Thus, syslogd is still writing
messages to the same file it's been writing to all along.  But the mv
destroyed that file's only name, so there's no way for anyone else to
access it; it's become a classic case of "unlinked but still open" and
will stay that way until syslogd closes it, at which point it will be
truly deleted.

This is why rotate-syslog-files scripts always send syslogd a SIGHUP,
because that makes it (among other things) close and reopen its
logfiles.

                                        der Mouse

                            mouse () collatz mcrcim mcgill edu
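
The "unlinked but still open" state described in the message above, as an added example that is not part of the original post: a stand-in for syslogd holds one descriptor across the grep/mv replacement, then closes and reopens the file by name as it would on SIGHUP. `handle_is_stale` is a hypothetical helper showing the check a monitoring script could run to notice that a daemon's log descriptor no longer matches the file at its path; the file names and log lines are constructed.

```python
import os
import tempfile


def handle_is_stale(fd, path):
    """True when the open descriptor no longer refers to the file named `path`."""
    held = os.fstat(fd)
    if held.st_nlink == 0:              # unlinked but still open
        return True
    try:
        named = os.stat(path)
    except FileNotFoundError:
        return True
    return (held.st_dev, held.st_ino) != (named.st_dev, named.st_ino)


def demo():
    """Replay the grep/mv sequence against a stand-in daemon; return observations."""
    with tempfile.TemporaryDirectory() as workdir:
        messages = os.path.join(workdir, "messages")
        tmp = os.path.join(workdir, "mmm")
        # Stand-in for syslogd: open once in append mode and keep the descriptor.
        fd = os.open(messages, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
        os.write(fd, b"Jul  6 06:00:01 host login: ROOT LOGIN on tty1\n")
        os.write(fd, b"Jul  6 06:00:02 host ftpd[101]: connection opened\n")
        stale_before = handle_is_stale(fd, messages)
        # Equivalent of: grep -v "ROOT" messages > mmm; mv mmm messages
        with open(messages, "rb") as src, open(tmp, "wb") as dst:
            dst.writelines(line for line in src if b"ROOT" not in line)
        os.replace(tmp, messages)
        # The write still succeeds, but it lands in the now-nameless inode.
        os.write(fd, b"Jul  6 06:00:03 host su: written after the mv\n")
        stale_after = handle_is_stale(fd, messages)
        with open(messages, "rb") as f:
            visible_after_mv = f.read()
        # What SIGHUP makes syslogd do: close and reopen the file by name.
        os.close(fd)
        fd = os.open(messages, os.O_WRONLY | os.O_APPEND)
        os.write(fd, b"Jul  6 06:00:04 host su: written after reopen\n")
        stale_reopened = handle_is_stale(fd, messages)
        os.close(fd)
        with open(messages, "rb") as f:
            visible_final = f.read()
    return stale_before, stale_after, visible_after_mv, stale_reopened, visible_final


if __name__ == "__main__":
    print(demo())
```

The line written between the mv and the reopen never appears under the `messages` name, which is the "logging is disabled" symptom; a stale result from the check is also a signal that a log file was replaced without the daemon being told.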


