[syslog-ng]libc lost logs bug

Ed Ravin [email protected]
Sun, 2 Jun 2002 19:26:56 -0400 (EDT)


Peter J. Holzer writes:

> The bug in libc is more subtle:
> Apparently[1] the syslog library function works like this:
> 
>     check if there is an open file descriptor to syslogd. If there is
>     none, try to connect in stream and dgram mode (one of them will
>     usually work).
> 
>     Write message to the socket.
> 
>     If this fails, close socket.
> 
> So, if syslog-ng (or syslogd, for that matter[2]) recreates the socket,
> the next write will fail, syslog will silently drop the message, but at
> the next syslog call it will reopen the socket and continue to log
> happily.

There is a similar, but more insidious bug in all versions of NetBSD
up to and including 1.5.2: if a program has an open (but invalid) file
descriptor for syslog, all subsequent log messages are lost.  NetBSD
1.5.3 and 1.6 will properly re-open the socket if the write fails
(and not lose the message if the open succeeds).

While researching this problem I noticed that some programs, like sendmail,
open the socket once and reuse it, while other programs, like sshd, seem
to close and re-open the syslog socket.  The result was that I was losing
sendmail messages from my logs, but not sshd messages.

So with this bug, if I restarted syslogd (or syslog-ng), I would lose
the logs of sendmail and any other daemons that kept their syslog sockets
open.
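
The two client behaviours discussed in this thread, drop the message on a failed write versus reopen the socket and resend, can be compared with a small model. This is an added example, not code from the post or from any libc. It assumes Linux AF_UNIX datagram semantics, and the socket path and function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

static int log_fd = -1;              /* the logging program's cached descriptor */

/* Create a datagram socket and bind (daemon) or connect (client) it to path. */
static int unix_dgram(const char *path, int is_daemon) {
    struct sockaddr_un a = { .sun_family = AF_UNIX };
    strncpy(a.sun_path, path, sizeof a.sun_path - 1);
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    if (is_daemon) unlink(path);     /* a restarting daemon recreates the socket */
    int rc = is_daemon ? bind(fd, (struct sockaddr *)&a, sizeof a)
                       : connect(fd, (struct sockaddr *)&a, sizeof a);
    if (rc < 0) { close(fd); return -1; }
    return fd;
}

/* Send one message; returns 1 if delivered, 0 if lost.
 * retry=0: on a failed write, close the socket and drop the message.
 * retry=1: on a failed write, reopen the socket and resend the same message. */
int log_send(const char *path, const char *msg, int retry) {
    for (int attempt = 0; attempt <= retry; attempt++) {
        if (log_fd < 0 && (log_fd = unix_dgram(path, 0)) < 0) return 0;
        if (send(log_fd, msg, strlen(msg), MSG_NOSIGNAL) >= 0) return 1;
        close(log_fd);
        log_fd = -1;
    }
    return 0;
}

/* Restart the daemon between two messages; returns how many of 3 arrived. */
int delivered_across_restart(int retry) {
    const char *path = "/tmp/added-example-devlog.sock";  /* constructed path */
    int d = unix_dgram(path, 1);
    int n = log_send(path, "<22>before restart", retry);
    close(d);
    d = unix_dgram(path, 1);                     /* daemon restarted */
    n += log_send(path, "<22>first after restart", retry);
    n += log_send(path, "<22>second after restart", retry);
    close(d); close(log_fd); log_fd = -1; unlink(path);
    return n;
}

int main(void) {
    printf("drop on failure: %d/3, reopen and retry: %d/3\n",
           delivered_across_restart(0), delivered_across_restart(1));
    return 0;
}
```

A daemon that keeps its descriptor open loses exactly the first message after the restart in the drop-on-failure mode, which is a gap worth checking for when reviewing logs that span a syslogd or syslog-ng restart.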