[lug] Weird su/sudo/login/ssh/mail problem
rm at fabula.de
Fri Apr 5 11:09:02 MST 2002
On Fri, Apr 05, 2002 at 10:53:16AM -0700, Bear Giles wrote:
> > Interesting problem. Did you try
> >
> > 'strace -o /tmp/trace.log sudo username'
>
> I had tried it, but got an "Operation not permitted" error when
> I hit the fork()/exec() wall.
>
> Doing it as root (which I should have done before, d'oh) the
> last few entries are:
>
> socket(PF_UNIX, SOCK_DGRAM, 0) = 3
> fcntl(3, F_SETFD, FD_CLOEXEC) = 0
> connect(3, {sin_family=AF_UNIX, path=" /dev/log"}, 16) = -1 EPROTOTYPE (Protocol wrong type for socket)
> close(3) = 0
> socket(PF_UNIX, SOCK_STREAM, 0) = 3
> fcntl(3, F_SETFD, FD_CLOEXEC) = 0
> connect(3, {sin_family=AF_UNIX, path=" /dev/log"}, 16
>
> which looks promising... until you realize that the message was
> truncated. The actual error may be totally unrelated but lost
> in the message below.
>
> But I found myself wondering about the leading space in the path name.
> Could it be a configuration error in some file, perhaps due to a "helpful"
> editor replacing nasty tabs with clean spaces? I checked for "/dev/log"
> anywhere under /etc, but couldn't find it.
Hmmm, "/dev/log" is a string _constant_ used by the libc functions openlog etc.
What does the following yield:
strings /lib/libc.so.6 | perl -ne 'print "Log socket at >$1<\n" if m|(\s*/dev/log)|;'
Err, is your login binary "patched"?
Ralf
> Besides, I've seen the logs being updated. It couldn't be due to syslog,
> right?
>
> Just to cover all bases, I HUP'd sysklogd and suddenly the strace
> finished. The problem is definitely with syslog, and the missing
> return code above is "ECONNREFUSED (Connection refused)". After
> the HUP the second connect succeeds.
>
> This still leaves me with a mystery - why does sysklog start refusing
> connections? There's plenty of space in the /var/log partition.
>
> Bear
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
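
The connect sequence from the strace output above, reproduced as a small probe (an added example, not part of the original messages): it tries the log socket as SOCK_DGRAM and then as SOCK_STREAM, in the order the trace shows, and reports the errno of each attempt. The function name `probe_log_socket` and the timeout value are choices made for this example.

```python
import errno
import socket


def probe_log_socket(path="/dev/log", timeout=2.0):
    """Try to connect to a Unix log socket, datagram first, then stream.

    Returns a list of (socket type, result) tuples, one per attempt, where
    result is "ok" or the symbolic errno name. Stops at the first success,
    which mirrors the fallback visible in the strace output.
    """
    attempts = []
    kinds = (("SOCK_DGRAM", socket.SOCK_DGRAM),
             ("SOCK_STREAM", socket.SOCK_STREAM))
    for name, kind in kinds:
        s = socket.socket(socket.AF_UNIX, kind)
        # A timeout keeps the probe from hanging the way the traced
        # process did on its second connect().
        s.settimeout(timeout)
        try:
            s.connect(path)
            attempts.append((name, "ok"))
            return attempts
        except OSError as e:
            # EPROTOTYPE:   the socket exists but is of the other type
            # ECONNREFUSED: the socket file exists, nothing accepts on it
            # ENOENT:       no such path (a stray leading space would do it)
            attempts.append((name, errno.errorcode.get(e.errno, str(e))))
        finally:
            s.close()
    return attempts


if __name__ == "__main__":
    for sock_type, result in probe_log_socket():
        print(f"{sock_type:12} {result}")
```

Run before and after sending HUP to the syslog daemon, the two result lists show whether the listener on the socket came back.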