Bug 18779 - Denial of service attack in logrotate/samba interaction
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: logrotate
Version: 6.2
Hardware: i386 Linux
Priority: medium Severity: medium
Assigned To: Erik Troan
David Lawrence
Reported: 2000-10-10 03:47 EDT by Need Real Name
Modified: 2007-04-18 12:29 EDT (History)
Doc Type: Bug Fix
Last Closed: 2000-10-24 13:12:55 EDT
Description Need Real Name 2000-10-10 03:47:17 EDT
I have noticed the following scenario that can be used in a Denial Of Service attack if you have both logrotate (logrotate-3.3.2-1.i386.rpm) and samba 2.0.7-4 installed in a RedHat 6.2 server.

If you connect (or try to connect) to this samba server, the following file gets created:

/var/log/samba/log.name_of_machine

If the name of the machine has blanks in it: "best in th west", for example, you get a file like this:

/var/log/samba/log.best in th west

When logrotate gets executed, it finds a line like this

/var/log/samba/log.best in th west 2000-9-28

in 

/var/lib/logrotate.status

So when executed it says

error: bad line 195 in state file /var/lib/logrotate.status

And doesn't work. So your log files grow, grow, grow.....

You eventually get flooded. Perhaps people are running servers with more hd space than mine, but this has happened to me (I really don't know if it has been an attack or simply a creative user, as I haven't found the user here)


	Regards

	Eduardo
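
The failure described in this report, as an added example (not logrotate's source and not part of the original report): a two-field reader rejects the quoted state line, while a reader that takes the date from the last blank accepts it. The names `parse_naive` and `parse_from_right` are hypothetical, and the naive parser is an assumption about how a whitespace-delimited reader behaves.

```c
#include <stdio.h>
#include <string.h>

/* One state entry: log path plus date of last rotation. */
struct state_entry { char path[256]; int year, month, day; };

/* Assumed naive parser: exactly two whitespace-separated fields per line. */
int parse_naive(const char *line, struct state_entry *e)
{
    char extra[2];
    /* %255s stops at the first blank, so "log.best in th west" never
     * reaches the date conversions and the line is rejected. */
    int n = sscanf(line, "%255s %d-%d-%d%1s",
                   e->path, &e->year, &e->month, &e->day, extra);
    return n == 4 ? 0 : -1;
}

/* Tolerant parser: the date is the text after the LAST blank, and
 * everything before that blank is the path, embedded blanks included. */
int parse_from_right(const char *line, struct state_entry *e)
{
    size_t len = strcspn(line, "\r\n");          /* drop line terminator */
    size_t cut = len;
    char date[32], tail;
    while (cut > 0 && line[cut - 1] != ' ')      /* find the last blank */
        cut--;
    if (cut < 2 || cut - 1 >= sizeof e->path || len - cut >= sizeof date)
        return -1;                               /* no path, or too long */
    memcpy(date, line + cut, len - cut);
    date[len - cut] = '\0';
    if (sscanf(date, "%d-%d-%d%c", &e->year, &e->month, &e->day, &tail) != 3)
        return -1;                               /* missing or trailing junk */
    if (e->month < 1 || e->month > 12 || e->day < 1 || e->day > 31)
        return -1;
    memcpy(e->path, line, cut - 1);
    e->path[cut - 1] = '\0';
    return 0;
}

int main(void)
{
    /* The state line quoted in the report above. */
    const char *line = "/var/log/samba/log.best in th west 2000-9-28\n";
    struct state_entry e;
    printf("naive:      %s\n", parse_naive(line, &e) ? "bad line" : "ok");
    if (parse_from_right(line, &e) == 0)
        printf("from right: \"%s\" %d-%d-%d\n", e.path, e.year, e.month, e.day);
    return 0;
}
```

Parsing from the right only handles blanks; a name containing a newline would still split the entry across lines, which is why quoting or escaping names when the state file is written is the more complete fix.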
Comment 1 tom 2000-10-24 13:12:52 EDT
I have run into the same problem on one of my servers (in my case, the log was 
"log.virtual pc").  Additionally, logrotate has not rotated log.inspiron7500 (I assume due 
to the name ending in a digit).

It appears that a user could use a hostname like "fred.0" to create a log file that will 
never get rotated out and could continue to grow in size unchecked.

One final problem, related more to samba than logrotate, is that machine logs with a 
machine name of 'smb' or 'nmb' will pollute the standard log.smb and log.nmb logfiles.
Comment 2 Preston Brown 2001-06-21 15:32:53 EDT
Both of these bugs are fixed with newer versions of logrotate.  Logrotate as shipped 
with Red Hat Linux (3.5.4) does not have problems with logfiles with spaces in the 
names, nor logs ending with numbers.