[1994] in bugtraq
Re: Exploit for Linux wu.ftpd hole
daemon@ATHENA.MIT.EDU (der Mouse)
Thu Jul 6 21:00:44 1995
Date: Thu, 6 Jul 1995 06:39:06 -0400
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: der Mouse <mouse@Collatz.McRCIM.McGill.EDU>
X-To: bugtraq@fc.net
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
> There also apepars to be a bug in syslog. If you do something like:
> grep -v "ROOT" messages > mmm; mv mmm messages
> logging is disabled. I suspect this problem is that the file pointer
> maintained by syslog is getting ahead of the physical EOF, and thus
> writes will fail, but this is just a guess,
Every syslogd I've ever seen behaves this way. The problem is that
syslogd doesn't close and re-open the messages file; rather, it keeps
its original file descriptor around. Thus, syslogd is still writing
messages to the same file it's been writing to all along. But the mv
destroyed that file's only name, so there's no way for anyone else to
access it; it's become a classic case of "unlinked but still open" and
will stay that way until syslogd closes it, at which point it will be
truly deleted.
This is why rotate-syslog-files scripts always send syslogd a SIGHUP,
because that makes it (among other things) close and reopen its
logfiles.
der Mouse
mouse@collatz.mcrcim.mcgill.edu
