I have noticed the following scenario that can be used in a Denial of Service attack if you have both logrotate (logrotate-3.3.2-1.i386.rpm) and samba 2.0.7-4 installed on a RedHat 6.2 server.

If you connect (or try to connect) to this samba server, the following file gets created:

/var/log/samba/log.name_of_machine

If the name of the machine has blanks in it, "best in th west" for example, you get a file like this:

/var/log/samba/log.best in th west

When logrotate gets executed, it finds a line like this

/var/log/samba/log.best in th west 2000-9-28

in /var/lib/logrotate.status

So when executed it says

error: bad line 195 in state file /var/lib/logrotate.status

and doesn't work. So your log files grow, grow, grow..... You eventually get flooded.

Perhaps people are running servers with more hd space than mine, but this has happened to me (I really don't know if it has been an attack or simply a creative user, as I haven't found the user here).

Regards
Eduardo
I have run into the same problem on one of my servers (in my case, the log was "log.virtual pc"). Additionally, logrotate has not rotated log.inspiron7500 (I assume due to the name ending in a digit). It appears that a user could use a hostname like "fred.0" to create a log file that will never get rotated out and could continue to grow in size unchecked. One final problem, related more to samba than logrotate, is that machine logs with a machine name of 'smb' or 'nmb' will pollute the standard log.smb and log.nmb logfiles.
Both of these bugs are fixed with newer versions of logrotate. Logrotate as shipped with Red Hat Linux (3.5.4) does not have problems with logfiles with spaces in the names, nor logs ending with numbers.
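
The following is an added example, not part of the thread and not code from logrotate or samba: a shell audit that lists per-machine log files whose names match the cases reported above (a blank in the name, or a trailing digit that is not a rotated copy) and flags state-file entries that are not a plain "path date" pair. The function names are hypothetical, and the state-file check assumes the unquoted two-field layout quoted in the first message.

```shell
#!/bin/sh
# Added example (not from the thread): audit for the log names reported above.
# Function names are hypothetical; any sample paths used with it are constructed.

# Print "blank", "trailing-digit" or "ok" for a log file's base name.
classify_log_name() {
    case "$1" in
        *" "*)  echo blank ;;
        *[0-9]) echo trailing-digit ;;
        *)      echo ok ;;
    esac
}

# True when the path looks like a rotated copy: numeric suffix and the base
# log exists (log.smb.1 next to log.smb). log.fred.0 without log.fred is not.
is_rotated_copy() {
    suffix=${1##*.}
    case "$suffix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ -f "${1%.*}" ]
}

# Print "reason<TAB>bytes<TAB>path" for each log file with a risky name.
audit_log_dir() {
    for f in "$1"/log.*; do
        [ -f "$f" ] || continue
        reason=$(classify_log_name "${f##*/}")
        if [ "$reason" = ok ]; then continue; fi
        if [ "$reason" = trailing-digit ] && is_rotated_copy "$f"; then continue; fi
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s\t%s\t%s\n' "$reason" "$size" "$f"
    done
}

# Print "lineno: line" for state-file entries that are not exactly "path date".
# Assumes the unquoted two-field layout shown in the thread.
state_bad_lines() {
    awk '/^\// && NF != 2 { print NR ": " $0 }' "$1"
}
```

Run `audit_log_dir /var/log/samba` and `state_bad_lines /var/lib/logrotate.status` from cron or a monitoring check; the byte count in the second column shows which flagged files are already growing.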