| Summary: | Security issue:Failed syslog-ng restart (bad config) will stop iptables but not restart iptables | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | mike.hadjimichael |
| Component: | Current packages | Assignee: | Mr. Bones. (RETIRED) <mr_bones_> |
| Status: | RESOLVED INVALID | ||
| Severity: | minor | ||
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
What firewall script are you using? I think it's a bug in the firewall script that is causing this issue. I'm not using any particular firewall package. Just a set of IPTABLES rules. These are installed by the /etc/init.d/iptables start script. Something about the /etc/init.d/syslog-ng restart script calls the iptables save script, and then the iptables stop script. I'm not familiar enough with the init.d scripting language to find it exactly. I believe that if it was a bug in the firewall script (iptables start?) then there would be some indication that it was running and failing, but as best I can tell, syslog-ng restart is not even attempting to restart iptables (as it usually does in the normal case). The need logger in iptables is the reason. I think it probably should be use logger. I made the following change in /etc/init.d/iptables
depend() {
before net
# need logger
use logger
}
After restarting both services to make sure that depencies caches were up-to-date, this seems to have fixed the problem. I guess that since iptables needed a logger, killing the logger left iptables down. That's not fail-safe!
Thanks.
file a new bug at iptables please. This isn't a syslog-ng issue. Thanks. |
If syslog-ng is restarted and fails to restart due to a bad configuration file, it does not restart iptables and reload the firewall, leaving the machine exposed with no warning. After the config file is corrected, a subsequent restart of syslog-ng will not recognize that iptables was supposed to be running and therefore restart it, so the machine is still exposed, with no warning. Reproducible: Always Steps to Reproduce: 1.introduce syntax error into /etc/syslog-ng/syslog-ng.conf 2./etc/init.d/syslog-ng restart (this will shut down iptables and syslog-ng, and then fail). Actual Results: ouzo root # nano /etc/syslog-ng/syslog-ng.conf ouzo root # /etc/init.d/syslog-ng restart * Saving iptables state... [ ok ] * Stopping firewall... [ ok ] * Stopping syslog-ng... [ ok ] syntax error at 6 Parse error reading configuration file, exiting. (line 6) * Configuration error. Please fix your configfile (/etc/syslog-ng/syslog-ng.con)[ !! ] ouzo root # nano /etc/syslog-ng/syslog-ng.conf ouzo root # /etc/init.d/syslog-ng start * Starting syslog-ng... [ ok ] ouzo root # /etc/init.d/syslog-ng restart * Stopping syslog-ng... [ ok ] * Starting syslog-ng... [ ok ] ouzo root # Expected Results: It seems that either (1) when syslog-ng fails, it should restore iptables state to the way it was, or (2) give a good warning message. ouzo root # emerge info Portage 2.0.51-r15 (default-linux/x86/2004.3, gcc-3.3.5, glibc-2.3.4.20040808-r1, 2.6.10-gentoo-r6 i686) ================================================================= System uname: 2.6.10-gentoo-r6 i686 Intel(R) Pentium(R) 4 CPU 1500MHz Gentoo Base System version 1.4.16 Python: dev-lang/python-2.3.4-r1 [2.3.4 (#1, Feb 7 2005, 13:20:49)] distcc 2.16 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]dev-lang/python: 2.3.4-r1 sys-devel/autoconf: 2.13, 2.59-r6 sys-devel/automake: 1.5, 1.7.9-r1, 1.6.3, 1.4_p6, 1.9.4, 1.8.5-r3 sys-devel/binutils: 2.15.92.0.2-r1 sys-devel/libtool: 1.5.10-r4 virtual/os-headers: 2.4.21-r1 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CFLAGS="-O2 -march=i686 -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control /var/www/localhost/htdocs//mythweb/config" CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" CXXFLAGS="-O2 -march=i686 -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/Linux/distributions/gentoo" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="x86 X acpi aim alsa apache2 apm arts avi berkdb bitmap-fonts cdparanoia cdr crypt cups dga dvd emacs encode esd f77 fam flac font-server foomaticdb fortran gdbm gif gimp gimpprint gnome gphoto2 gpm gstreamer gtk gtk2 guile imagemagick imlib ipv6 java jpeg kde libg++ libwww lirc mad mbox mcal mikmod mime motif mozilla mpeg mysql mythtv nas ncurses network nls nvidia offensive oggvorbis opengl oscar oss pam pda pdflib perl php plotutils png ppds python qt quicktime readline real samba scanner sdl slang slp speex spell ssl svga tcltk tcpd tetex tiff truetype truetype-fonts type1-fonts usb v4l v4l2 vcd videos wifi wmf xemacs xine xinerama xml xml2 xmms xpm xv yahoo zlib" Unset: ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS, PORTDIR_OVERLAY