Red Hat Bugzilla – Bug 18779
Denial of service attack in logrotate/samba interaction
Last modified: 2007-04-18 12:29:09 EDT
I have noticed the following scenario that can be used in a Denial Of Service attack if you have both logrotate (logrotate-3.3.2-1.i386.rpm) and
samba 2.0.7-4 installed on a Red Hat 6.2 server.
If you connect (or try to connect) to this samba server, the following file gets created:
If the name of the machine has blanks in it: "best in th west", for example, you get a file like this:
/var/log/samba/log.best in th west
When logrotate gets executed, it finds a line like this:
/var/log/samba/log.best in th west 2000-9-28
So when executed it says:
error: bad line 195 in state file /var/lib/logrotate.status
And doesn't work. So your log files grow, grow, grow...
You eventually get flooded. Perhaps people are running servers with more hd space than mine, but this has happened to me (I really don't know
if it has been an attack or simply a creative user, as I haven't found the user here).
I have run into the same problem on one of my servers (in my case, the log was
"log.virtual pc"). Additionally, logrotate has not rotated log.inspiron7500 (I assume due
to the name ending in a digit).
It appears that a user could use a hostname like "fred.0" to create a log file that will
never get rotated out and could continue to grow in size unchecked.
One final problem, related more to samba than logrotate, is that machine logs with a
machine name of 'smb' or 'nmb' will pollute the standard log.smb and log.nmb logfiles.
Both of these bugs are fixed with newer versions of logrotate. Logrotate as shipped
with Red Hat Linux (3.5.4) does not have problems with logfiles with spaces in the
names, nor logs ending with numbers.
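
The failure modes raised in this thread, as an added example that is not part of the bug report and is not logrotate's or Samba's code. It assumes a state file with one whitespace-separated path and date per line (as the quoted line suggests) and per-machine logs named `log.<machine>`; the function names and sample data are constructed, and the trailing-digit check follows the commenter's assumption rather than a confirmed cause.

```python
import re

# Constructed sample state file: one "path date" pair per line, split on
# whitespace. This is a simplified model, not logrotate's actual parser.
SAMPLE_STATE = """\
/var/log/messages 2000-9-28
/var/log/samba/log.best in th west 2000-9-28
/var/log/samba/log.inspiron7500 2000-9-28
"""

DATE_RE = re.compile(r"^\d{4}-\d{1,2}-\d{1,2}$")


def bad_state_lines(text):
    """Return (line_number, line) for entries a two-field parser would reject."""
    bad = []
    for number, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) != 2 or not DATE_RE.match(fields[1]):
            bad.append((number, line))
    return bad


def audit_machine_names(machines):
    """Map each risky per-machine log file name to the reasons it is flagged."""
    findings = {}
    for machine in machines:
        reasons = []
        if re.search(r"\s", machine):
            reasons.append("whitespace breaks a whitespace-delimited state line")
        if machine[-1:].isdigit():
            # Assumption taken from the thread, not a confirmed root cause.
            reasons.append("name ends in a digit")
        # Compared case-insensitively to be conservative.
        if machine.lower() in ("smb", "nmb"):
            reasons.append("collides with the daemon's own log file")
        if reasons:
            findings["log." + machine] = reasons
    return findings


if __name__ == "__main__":
    for number, line in bad_state_lines(SAMPLE_STATE):
        print(f"bad line {number}: {line}")
    names = ["best in th west", "inspiron7500", "fred.0", "smb", "workstation"]
    for log_name, reasons in audit_machine_names(names).items():
        print(f"{log_name}: {'; '.join(reasons)}")
```

Running the audit over the machine names seen in the Samba log directory shows which logs may be skipped by rotation and should be watched for unbounded growth.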