mailing list archives
Possible syslogd DoS ?
From: Petr Baudis <pasky () pasky ji cz>
Date: Wed, 3 Oct 2001 20:09:58 +0200
I just recently came on a thought (thanks to Marek Jaros) of possible
DoS of syslogd. It uses /dev/log for receiving log messages, which has
mode 0666 on most linuxes. It should be ok, as many non-root applications
should be allowed to log things etc.
But imagine that you will send a lot of very long messages there, different
everytime in order not to get stripped into kinda 'message repeated x times'.
In this way, you can imho flood syslogd successfully, possibly filling whole
partition where /var/log resides, regardless to your quota settings on
Then, if /var/log is not on separate partition, the whole system can get
into serious problems, and especially, further events won't be obviously
logged, so you can do evil things there happily and nobody will know about it.
Discussion? Something i didn't take into account? Possible solutions?
Petr "Pasky" Baudis
n = ((n >> 1) & 0x55555555) | ((n << 1) & 0xaaaaaaaa);
n = ((n >> 2) & 0x33333333) | ((n << 2) & 0xcccccccc);
n = ((n >> 4) & 0x0f0f0f0f) | ((n << 4) & 0xf0f0f0f0);
n = ((n >> 8) & 0x00ff00ff) | ((n << 8) & 0xff00ff00);
n = ((n >> 16) & 0x0000ffff) | ((n << 16) & 0xffff0000);
-- C code which reverses the bits in a word.
My public PGP key is on: http://pasky.ji.cz/~pasky/pubkey.txt
-----BEGIN GEEK CODE BLOCK-----
GCS d- s++:++ a--- C+++ UL++++$ P+ L+++ E--- W+ N !o K- w-- !O M-
!V PS+ !PE Y+ PGP+>++ t+ 5 X(+) R++ tv- b+ DI(+) D+ G e-> h! r% y?
------END GEEK CODE BLOCK------
- Possible syslogd DoS ? Petr Baudis (Oct 03)