Re: Exploit for Linux wu.ftpd hole
Timothy Newsham (newsham aloha.net)
Wed, 5 Jul 1995 17:04:05 -1000
- Next message: Larry Kruper: "Re: Exploit for Linux wu.ftpd hole"
- Previous message: bt: "Re: Exploit for Linux wu.ftpd hole"
- In reply to: Mike Edulla: "Re: Exploit for Linux wu.ftpd hole"
- Next in thread: Larry Kruper: "Re: Exploit for Linux wu.ftpd hole"
> There also appears to be a bug in syslog. If you do something like:
>
> grep -v "ROOT" messages > mmm; mv mmm messages
>
> Logging is disabled, I suspect this problem is that the file pointer
> maintained by syslog is getting ahead of the physical EOF, and thus
> writes will fail, but this is just a guess, and I haven't looked at the
> source to linux's syslog.

You have to HUP syslogd after doing such things on most syslogd's. syslog usually opens all logs when it starts up and reads the config file. When you HUP the daemon it rereads the config file and reopens the log files.

Explanation (you probably know this but I'll be complete):
When you remove a file it doesn't go away unless there are no links left to it and no processes have the file open. If syslog still has the file open the file is unlinked from the directory but still exists on disk. Syslog keeps logging to the now invisible file. The new file you make has a new inode number and refers to a completely different file. When you HUP syslogd it closes the old file (making it get deleted from the disk for real) and opens the new file and starts logging normally again.
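The behaviour described in the reply above, as an added example that is not part of the original message: a writer that holds its log open the way syslogd does, a check that compares the inode behind the descriptor with the inode the path now names, and a reopen standing in for the HUP. The `HeldLog` class, the helper names and the sample log lines are constructed for illustration, and a POSIX filesystem is assumed.

```python
import os
import tempfile

class HeldLog:
    """Keeps a log file open across writes, as syslogd does between HUPs."""
    def __init__(self, path):
        self.path = path
        self.fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)

    def write(self, line):
        os.write(self.fd, (line + "\n").encode())

    def is_stale(self):
        """True when the path no longer names the inode behind our descriptor."""
        held = os.fstat(self.fd)
        try:
            current = os.stat(self.path)
        except FileNotFoundError:
            return True
        return (held.st_dev, held.st_ino) != (current.st_dev, current.st_ino)

    def reopen(self):
        """What a HUP triggers: close the old file, open what the path names now."""
        os.close(self.fd)
        self.fd = os.open(self.path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)

def filter_and_replace(path, drop):
    """Same effect as the quoted grep -v ... > mmm; mv mmm messages."""
    tmp = path + ".mmm"
    with open(path) as src, open(tmp, "w") as dst:
        dst.writelines(line for line in src if drop not in line)
    os.replace(tmp, path)  # rename over the old name, like mv

def demo():
    path = os.path.join(tempfile.mkdtemp(), "messages")
    log = HeldLog(path)
    log.write("ROOT LOGIN on tty1")            # constructed sample lines
    log.write("ftpd: connection from host-a")
    filter_and_replace(path, "ROOT")
    log.write("lost: written after the mv")    # lands in the unlinked inode
    stale = log.is_stale()
    orphan_links = os.fstat(log.fd).st_nlink   # 0: on disk, but no name left
    log.reopen()
    log.write("kept: written after reopen")
    with open(path) as f:
        lines = f.read().splitlines()
    stale_after = log.is_stale()
    os.close(log.fd)
    return stale, orphan_links, lines, stale_after
```

The same inode comparison, run by a monitor against a daemon's open descriptors, flags a log file that was replaced underneath a running logger.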