[lug] Weird su/sudo/login/ssh/mail problem

rm at fabula.de rm at fabula.de
Fri Apr 5 12:13:05 MST 2002


On Fri, Apr 05, 2002 at 11:25:23AM -0700, Bear Giles wrote:
> > Hmmm, "/dev/log" is a string _constant_ used by the libc functions openlog etc.
> > What does the following yield:
> >  
> >   strings /lib/libc.so.6  | perl -ne 'print "Log socket at >$1<\n" if m|(\s*dev/log)|;'
>  
> I am simple country folk, I can only afford a 'grep'.  It's "/dev/log",
> without leading spaces.  Unless 'strings' truncates any leading spaces
> itself.

People who can 'read' perl should have Perl :-)  (BTW, how can you run
Debian without Perl, isn't that like MS-Windows without explorer?).

That funny path got me sidetracked - it shows up in traces on my Debian
system as well (need more time to investigate that ...). 

>   socket(PF_UNIX, SOCK_DGRAM, 0)          = 3
>   fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
>   connect(3, {sin_family=AF_UNIX, path="      /dev/log"}, 16) = -1 EPROTOTYPE (Protocol wrong type for socket)
>   close(3)                                = 0
>   socket(PF_UNIX, SOCK_STREAM, 0)         = 3
>   fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
>   connect(3, {sin_family=AF_UNIX, path="      /dev/log"}, 16
> 

Hmm, looks like some of my Debian boxes have /dev/log as a socket
of type SOCK_STREAM (like yours), some have SOCK_DGRAM.
This might explain the blocking behaviour.

Ok, I just looked at the source of the 'stable' 1.3 version of syslog and
the 'testing' 1.4 I have here on my local box, there _is_ a change in socket
type. From the CHANGES file:

 . Olaf Kirch <okir at caldera.de>
   - Remove Unix Domain Sockets and switch to Datagram Unix Sockets
 . Several bugfixes and improvements, please refer to the .c files


but why would that be a problem on your box? 



> [...] 
> But if my memory is correct, the problems did start around the time
> I sync'd against the Debian security server.  One nightmare scenario
> has long been embedding a root kit into a package on a security package
> server.

Yes, we distributed software updates for some firewall product as DEB
packets a few years ago and that was one of our main concerns (only
solvable with apt sources on a certified host with ssl-enabled connections :-/ )


Ralf

> 
> Bear
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
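
Added example, not part of the original message and not code from glibc or sysklogd: a small C probe that repeats the connect sequence seen in the strace above (SOCK_DGRAM first, SOCK_STREAM after EPROTOTYPE) and reports which socket type the log socket really has. The helper names serve_log and probe_log are hypothetical; serve_log only stands in for a syslogd so the probe can be tried on a scratch path.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
/* Added example; helper names are hypothetical. Fill a sockaddr_un for path. */
static int make_addr(struct sockaddr_un *sa, const char *path) {
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    if (strlen(path) >= sizeof sa->sun_path) return -1;   /* path too long */
    strcpy(sa->sun_path, path);
    return 0;
}
/* Stand-in for syslogd: bind a socket of the given type at path. Returns fd or -1. */
int serve_log(const char *path, int type) {
    struct sockaddr_un sa;
    if (make_addr(&sa, path) < 0) return -1;
    unlink(path);                                         /* drop a stale socket file */
    int fd = socket(AF_UNIX, type, 0);
    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        (type == SOCK_STREAM && listen(fd, 1) < 0)) { close(fd); return -1; }
    return fd;
}
/* Client side: try datagram first, retry as stream only on EPROTOTYPE.
   Returns the socket type that connected, or -1.
   *first_errno receives errno of the datagram attempt (0 if it succeeded). */
int probe_log(const char *path, int *first_errno) {
    struct sockaddr_un sa;
    int types[2] = { SOCK_DGRAM, SOCK_STREAM };
    *first_errno = 0;
    if (make_addr(&sa, path) < 0) return -1;
    for (int i = 0; i < 2; i++) {
        int fd = socket(AF_UNIX, types[i], 0);
        if (fd < 0) return -1;
        int rc = connect(fd, (struct sockaddr *)&sa, sizeof sa);
        int err = errno;
        close(fd);
        if (rc == 0) return types[i];
        if (i == 0) *first_errno = err;
        if (err != EPROTOTYPE) return -1;                 /* no daemon, no permission, ... */
    }
    return -1;
}
int main(void) {
    int e, t = probe_log("/dev/log", &e);
    printf("/dev/log: %s (errno of datagram attempt: %d)\n", t == SOCK_DGRAM ? "SOCK_DGRAM"
           : t == SOCK_STREAM ? "SOCK_STREAM" : "unreachable", e);
}
```

A result of SOCK_STREAM with a datagram errno of EPROTOTYPE matches the trace quoted in the message; SOCK_DGRAM with errno 0 is what a syslogd with the datagram change from the CHANGES entry would give.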