Your message dated Wed, 26 Sep 2012 18:45:27 +0200
with message-id <[email protected]>
and subject line rsyslog: klog does not work when dropping privileges
has caused the Debian Bug report #573980,
regarding rsyslog: klog does not work when dropping privileges
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
573980: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573980
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: rsyslog
Version: 4.4.2-1~bpo50+1
Severity: normal

If I use the module for kernel logging ($imklog) and tell rsyslog to
drop its privileges after startup ($PrivDropToxxxx), it fills its logs
very fast (without message reduction) and consumes 100% CPU.

I was surprised to see it working that way on recent Ubuntu. They have
the option $KLogPath, but it seems to be unknown to Debian and
official rsyslog documentation. Maybe they patched their sources?

kern.info<6>|Mar 15 12:21:19 [urknall]  kernel:imklog 4.4.2, log source = /proc/kmsg started.
syslog.info<46>|Mar 15 12:21:19 [urknall]  rsyslogd: [origin software="rsyslogd" swVersion="4.4.2" x-pid="24393" x-info="http://www.rsyslog.com"] (re)start
syslog.info<46>|Mar 15 12:21:19 [urknall]  rsyslogd:rsyslogd's groupid changed to 65534
kern.err<3>|Mar 15 12:21:19 [urknall]  kernel:Cannot read proc file system: 1 - Operation not permitted.
kern.err<3>|Mar 15 12:21:19 [urknall]  kernel:last message repeated 1342 times
syslog.info<46>|Mar 15 12:21:19 [urknall]  rsyslogd:rsyslogd's userid changed to 65534
syslog.err<43>|Mar 15 12:21:19 [urknall]  rsyslogd-3003:invalid or yet-unknown config file command - have you forgotten to load a module? [try http://www.rsyslog.com/e/3003 ]
syslog.err<43>|Mar 15 12:21:19 [urknall]  rsyslogd:the last error occured in /etc/rsyslog.d/urknall.conf, line 14
syslog.err<43>|Mar 15 12:21:19 [urknall]  rsyslogd:the last error occured in /etc/rsyslog.conf, line 46
syslog.err<43>|Mar 15 12:21:19 [urknall]  rsyslogd-2124:CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2124 ]
kern.err<3>|Mar 15 12:21:19 [urknall]  kernel:Cannot read proc file system: 1 - Operation not permitted.
kern.err<3>|Mar 15 12:21:24 [urknall]  kernel:last message repeated 56498 times

Allowing nobody to read /proc/kmsg (root.root r-------- by default) did not 
help.
Creating a system user/group like Ubuntu did not help.

Is there a trick that Ubuntu uses that I am not aware of?


-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-xen-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages rsyslog depends on:
ii  libc6                  2.7-18lenny2      GNU C Library: Shared libraries
ii  lsb-base               3.2-20            Linux Standard Base 3.2 init scrip
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

Versions of packages rsyslog recommends:
ii  logrotate                     3.7.1-5    Log rotation utility

Versions of packages rsyslog suggests:
pn  rsyslog-doc              <none>          (no description available)
pn  rsyslog-gnutls           <none>          (no description available)
pn  rsyslog-gssapi           <none>          (no description available)
pn  rsyslog-mysql | rsyslog- <none>          (no description available)
ii  rsyslog-relp             4.4.2-1~bpo50+1 RELP protocol support for rsyslog

-- no debconf information




--- End Message ---
--- Begin Message ---
Version: 5.8.11-1

Hi Stefan,

IIRC there were some fixes for the Linux kernel which make it possible
to drop the privileges and still be able to read the kernel messages.

I've successfully tested the following configuration on a Debian sid
system (using the default 3.2 Linux kernel):

# adduser --system --group --no-create-home --quiet syslog

# Updated rsyslog.conf:

$FileOwner syslog
$FileGroup adm
$PrivDropToUser syslog
$PrivDropToGroup syslog
$FileCreateMode 0640
$DirCreateMode 0755

# chown'ed the existing log files, so rsyslog could write to them


Seeing that this worked nicely out of the box now, I'm wondering if we
should make this the default.

Our non-Linux architectures might not support that, but I'm not sure if
I really care.

Anyway, since this particular issue is solved now, I'm going to close
this particular bug report.

As for dropping privileges by default, I created a new bug report, where
I will be tracking this. If you are interested (and you want to share
input or subscribe to it), you can find it at [1]

Cheers,
Michael

[1] http://bugs.debian.org/688889

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?



--- End Message ---
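
Added example, not part of either message and not rsyslog or Debian code: a small audit for the step "chown'ed the existing log files, so rsyslog could write to them". It reads $PrivDropToUser/$PrivDropToGroup from the configuration text and lists the log files that identity cannot write to. The file ownership data is constructed, and supplementary group memberships are not considered (an assumption of this sketch).

```python
import grp, os, pwd, re, stat

# Legacy "$Directive value" lines that control the privilege drop.
DIRECTIVE = re.compile(r"^\s*\$(PrivDropToUser|PrivDropToGroup)\s+(\S+)", re.I)

def parse_drop(conf_text):
    """Return (user, group) from the config text; the last occurrence wins."""
    found = {}
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found.get("privdroptouser"), found.get("privdroptogroup")

def can_write(user, group, owner, fgroup, mode):
    """POSIX class selection: owner bits if owner matches, else group, else other."""
    if user == owner:
        return bool(mode & 0o200)
    if group == fgroup:
        return bool(mode & 0o020)
    return bool(mode & 0o002)

def stat_entry(path):
    """Build one (path, owner, group, mode) tuple from a real file."""
    st = os.stat(path)
    return (path, pwd.getpwuid(st.st_uid).pw_name,
            grp.getgrgid(st.st_gid).gr_name, stat.S_IMODE(st.st_mode))

def audit(conf_text, files):
    """List the log files the dropped identity cannot write to."""
    user, group = parse_drop(conf_text)
    if user is None or group is None:
        return ["privilege drop incomplete: set $PrivDropToUser and $PrivDropToGroup"]
    return [f"{path}: {owner}:{fgroup} {mode:04o} not writable by {user}:{group}"
            for path, owner, fgroup, mode in files
            if not can_write(user, group, owner, fgroup, mode)]

# Directives as given in the reply above.
SAMPLE_CONF = ("$FileOwner syslog\n$FileGroup adm\n$PrivDropToUser syslog\n"
               "$PrivDropToGroup syslog\n$FileCreateMode 0640\n$DirCreateMode 0755\n")
# Constructed ownership data; on a real host use [stat_entry(p) for p in paths].
SAMPLE_FILES = [("/var/log/syslog", "root", "adm", 0o640),      # never chown'ed
                ("/var/log/auth.log", "syslog", "adm", 0o640),
                ("/var/log/kern.log", "root", "syslog", 0o660),  # writable via group
                ("/var/log/mail.log", "syslog", "adm", 0o440)]   # owner lacks write bit

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, SAMPLE_FILES):
        print(finding)
```
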
