Re: syslog() blocks on glibc 2.1.3 with kernel 2.2.x

From: Jesse Pollard (pollard@tomcat.admin.navo.hpc.mil)
Date: Mon Oct 23 2000 - 13:35:48 EST

Next message: Lyle Coder: "(no subject)"
Previous message: Lyle Coder: "(no subject)"
Maybe in reply to: Patrick J. LoPresti: "syslog() blocks on glibc 2.1.3 with kernel 2.2.x"
Next in thread: Patrick J. LoPresti: "Re: syslog() blocks on glibc 2.1.3 with kernel 2.2.x"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

patl@cag.lcs.mit.edu (Patrick J. LoPresti):
>
> If you send SIGSTOP to syslogd on a Red Hat 6.2 system (glibc 2.1.3,
> kernel 2.2.x), within a few minutes you will find your entire machine
> grinds to a halt. For example, nobody can log in.
>
> This happens because once the /dev/log buffer fills, the syslog()
> glibc function blocks.
>
> This is a problem for us in Real Life because named and syslogd are
> deadlocking while trying to talk to each other. On our loghost,
> syslogd needs to do reverse name lookups while named needs to call
> syslog(). When traffic gets heavy all around, the deadlock is
> triggered, and it is quite unpleasant. We are about to configure
> named to use flat files instead of syslog, but that feels more like a
> workaround than a fix.

Don't configure syslogd to do reverse lookups. You can NEVER guarantee
that the reverse lookup will succeed, and can be delayed several minutes
for a single reply.

> I am not sure whether this is a glibc bug or a kernel bug. I have
> used netstat and the glibc sources to confirm that glibc is using a
> SOCK_DGRAM Unix socket to send to /dev/log. I thought DGRAM sockets
> were supposed to drop packets on the floor instead of blocking. But
> perhaps I am wrong and glibc is supposed to be explicitly marking the
> socket as non-blocking.

I consider this a configuration error. I don't believe syslogd should
ever do a reverse lookup, since the name you are trying to get may never
arrive, or if arrives, it may be spoofed.

It's not a bug, but a security feature. NO log to syslogd should be lost,
since it may be related to an attack.

> Regardless of whose bug it is, I suggest that it needs to be fixed.
> To my knowledge, other Unix systems do not behave this way; they
> simply drop messages when syslogd is not responding. IMO, that is
> correct behavior.

Not good security practice. If syslog drops messages then you can lose
messages pertaining to an attack.

It would be better to disable reverse lookups by syslogd. This might
require a recompile of syslogd.

-------------------------------------------------------------------------
Jesse I Pollard, II
Email: pollard@navo.hpc.mil

Any opinions expressed are solely my own.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Next message: Lyle Coder: "(no subject)"
Previous message: Lyle Coder: "(no subject)"
Maybe in reply to: Patrick J. LoPresti: "syslog() blocks on glibc 2.1.3 with kernel 2.2.x"
Next in thread: Patrick J. LoPresti: "Re: syslog() blocks on glibc 2.1.3 with kernel 2.2.x"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Mon Oct 23 2000 - 21:00:21 EST