On Fri, 3 Feb 2012, Michael Maymann wrote:

Hi,

David: unfortunately this was not the case...:
# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted

What else could cause this problem?

possibly a silly question, but have you verified that the user you are dropping privileges to has write permission on the directories that you write logs (and any queue files) to?

David Lang


Thanks in advance :-) !
~maymann

2012/2/2 Michael Maymann <[email protected]>

Hi,

David: Thanks for your reply - sounds possible... I will try this first thing tomorrow morning and report back with findings...

Br.
~maymann

2012/2/2 <[email protected]>

On Thu, 2 Feb 2012, Michael Maymann wrote:

Hi Rainer,

I really have my doubts it has something to do with my startup script:
1. I only changed the exec=/usr/sbin/rsyslogd from default
2. It works perfectly when PrivDropTo is not used in rsyslog.conf.

I'm running on RHEL6.1_x64.
Do you have a working /etc/init.d/rsyslog that you can share / I can test...?



my guess is that this is a SELINUX related problem.

what happens if you try to start rsyslog manually (not by running the startup script, but just running 'rsyslogd -c 6')?

David Lang



Thanks in advance :-) !
~maymann

2012/2/2 Michael Maymann <[email protected]>

Hi,

Rainer: Sorry... forgot to mention that it doesn't say anything about failing in the logs... and it actually doesn't fail... it works, and after the timeout+failed notice only the process owned by PrivDropToUser-USER is present, but now owned by the init process (the mother process dies):

# service rsyslog start
Starting system logger:                                    [FAILED]

BEFORE failed status:
root      9126  9125  0 11:07 pts/1    00:00:00 /usr/sbin/rsyslogd -c 6
<PrivDropToUser-USER>  9131  9126  0 11:07 ?        00:00:00 /usr/sbin/rsyslogd -c 6

AFTER failed status the root-owned process is killed and the PrivDropToUser-USER owned process therefore gets owned by init:
<PrivDropToUser-USER>  9131     1  0 11:07 ?        00:00:00 /usr/sbin/rsyslogd -c 6

Anyone who can help with this...?
Here is the debug output when running the init script:
#/etc/init.d/rsyslog start
+ . /etc/init.d/functions
++ TEXTDOMAIN=initscripts
++ umask 022
++ PATH=/sbin:/usr/sbin:/bin:/usr/bin
++ export PATH
++ '[' -z '' ']'
++ COLUMNS=80
++ '[' -z '' ']'
+++ /sbin/consoletype
++ CONSOLETYPE=pty
++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']'
++ . /etc/profile.d/lang.sh
++ unset LANGSH_SOURCED
++ '[' -z '' ']'
++ '[' -f /etc/sysconfig/init ']'
++ . /etc/sysconfig/init
+++ BOOTUP=color
+++ RES_COL=60
+++ MOVE_TO_COL='echo -en \033[60G'
+++ SETCOLOR_SUCCESS='echo -en \033[0;32m'
+++ SETCOLOR_FAILURE='echo -en \033[0;31m'
+++ SETCOLOR_WARNING='echo -en \033[0;33m'
+++ SETCOLOR_NORMAL='echo -en \033[0;39m'
+++ PROMPT=yes
+++ AUTOSWAP=no
+++ ACTIVE_CONSOLES='/dev/tty[1-6]'
+++ SINGLE=/sbin/sushell
++ '[' pty = serial ']'
++ __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d'
+ RETVAL=0
+ PIDFILE=/var/run/syslogd.pid
+ prog=rsyslogd
+ exec=/usr/sbin/rsyslogd
+ lockfile=/var/lock/subsys/rsyslogd
+ case "$1" in
+ start
+ '[' -x /usr/sbin/rsyslogd ']'
+ '[' -f /etc/sysconfig/rsyslog ']'
+ . /etc/sysconfig/rsyslog
++ SYSLOGD_OPTIONS='-c 6'
+ umask 077
+ echo -n 'Starting system logger: '
Starting system logger: + daemon --pidfile=/var/run/syslogd.pid /usr/sbin/rsyslogd -c 6
+ local gotbase= force= nicelevel corelimit
+ local pid base= user= nice= bg= pid_file=
+ local cgroup=
+ nicelevel=0
+ '[' --pidfile=/var/run/syslogd.pid '!=' -pidfile=/var/run/syslogd.pid ']'
+ case $1 in
+ pid_file=/var/run/syslogd.pid
+ shift
+ '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']'
+ '[' -z '' ']'
+ base=rsyslogd
+ __pids_var_run rsyslogd /var/run/syslogd.pid
+ local base=rsyslogd
+ local pid_file=/var/run/syslogd.pid
+ pid=
+ '[' -f /var/run/syslogd.pid ']'
+ return 3
+ '[' -n '' -a -z '' ']'
+ corelimit='ulimit -S -c 0'
+ '[' -n '' ']'
+ '[' -n '' ']'
+ '[' color = verbose -a -z '' ']'
+ '[' -z '' ']'
+ /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6'
...
(hangs here for a long time)
...
+ '[' 1 -eq 0 ']'
+ failure 'rsyslogd startup'
+ local rc=1
+ '[' color '!=' verbose -a -z '' ']'
+ echo_failure
+ '[' color = color ']'
+ echo -en '\033[60G'
                                                          + echo -n '['
[+ '[' color = color ']'
+ echo -en '\033[0;31m'
+ echo -n FAILED
FAILED+ '[' color = color ']'
+ echo -en '\033[0;39m'
+ echo -n ']'
]+ echo -ne '\r'
+ return 1
+ '[' -x /usr/bin/plymouth ']'
+ /usr/bin/plymouth --details
+ return 1
+ RETVAL=1
+ echo

+ '[' 1 -eq 0 ']'
+ return 1
+ exit 1

I have tried to give 777-access to /var/run and /var/lock/subsys - but the same thing happens...



Thanks in advance :-) !

Br.
~maymann



2012/2/2 Rainer Gerhards <[email protected]>

I can only help you with that part if you point me to why exactly the script claims what it does. So you may want to try to find someone who can do that. I know this is probably a trivial question, but I don't know anything ;)

Sry, rainer

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Michael Maymann
Sent: Thursday, February 02, 2012 10:03 AM
To: rsyslog-users
Subject: Re: [rsyslog] rsyslog as non-root user

Here is my startup script... the only thing changed is the path to the new 6.3.6-rsyslog-devel binary.
The startup script also works perfectly when I comment out the PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but fails if I have both or one of the entries...:
#!/bin/bash
#
# rsyslog        Starts rsyslogd/rklogd.
#
#
# chkconfig: 2345 12 88
# description: Syslog is the facility by which many daemons use to log \
# messages to various system log files.  It is a good idea to always \
# run rsyslog.
### BEGIN INIT INFO
# Provides: $syslog
# Required-Start: $local_fs
# Required-Stop: $local_fs
# Default-Start:  2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Enhanced system logging and kernel message trapping daemons
# Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
#              among others, MySQL, syslog/tcp, RFC 3195, permitted
#              sender lists, filtering on any message part, and fine
#              grain output format control.
### END INIT INFO

# Source function library.
. /etc/init.d/functions

RETVAL=0
PIDFILE=/var/run/syslogd.pid

prog=rsyslogd
#exec=/sbin/rsyslogd
exec=/usr/sbin/rsyslogd
lockfile=/var/lock/subsys/$prog

start() {
       [ -x $exec ] || exit 5

       # Source config
       if [ -f /etc/sysconfig/rsyslog ] ; then
               . /etc/sysconfig/rsyslog
       fi
       umask 077

       echo -n $"Starting system logger: "
       daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS
       RETVAL=$?
       echo
       [ $RETVAL -eq 0 ] && touch $lockfile
       return $RETVAL
}
stop() {
       echo -n $"Shutting down system logger: "
       killproc $prog
       RETVAL=$?
       echo
       [ $RETVAL -eq 0 ] && rm -f $lockfile
       return $RETVAL
}
reload()  {
   RETVAL=1
   syslog=$(cat "${PIDFILE}" 2>/dev/null)
   echo -n "Reloading system logger..."
   if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
       kill -HUP "$syslog";
       RETVAL=$?
   fi
   if [ $RETVAL -ne 0 ]; then
       failure
   else
       success
   fi
   echo
   return $RETVAL
}
rhstatus() {
       status -p "${PIDFILE}" $prog
}
restart() {
       stop
       start
}

case "$1" in
 start)
       start
       ;;
 stop)
       stop
       ;;
 restart)
       restart
       ;;
 reload|force-reload)
       reload
       ;;
 status)
       rhstatus
       ;;
 condrestart|try-restart)
       rhstatus >/dev/null 2>&1 || exit 0
       restart
       ;;
 *)
       echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status}"
       exit 2
esac

exit $?

2012/2/2 Rainer Gerhards <[email protected]>



-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Michael Maymann
Sent: Wednesday, February 01, 2012 9:08 AM
To: rsyslog-users
Subject: Re: [rsyslog] rsyslog as non-root user

Hi,

David: thanks - got it working with permission dropping, by far my preferred configuration... just didn't know of it...:-)!
Rainer: please let us know if the debug info of the "permission dropping: hang+timeout" I sent you can solve anything... anyway it works now - but not optimal if other people have to service my setup...:-)!


I have reviewed the debug log and I see nothing unexpected. From the timestamps I also see that there is no hang whatsoever. So it looks like there is some problem with the startup script, which I don't know. I suggest asking what the FAILED status is caused by. We can then look at why this happens.

Sorry I have no better answer...
Rainer


Thanks in advance :-) !
~maymann

2012/2/1 <[email protected]>

On Tue, 31 Jan 2012, Michael Maymann wrote:

Hi,

I have now set up a 6.3.6-devel rsyslog server that is working fine running as root.
I would like to run it as a non-root user as my logfiles are located on NFS (and root export of NFS is generally not a good idea!).

Here is my rsyslog.conf:
#LOAD MODULES
$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 127.0.0.1
$ModLoad imtcp
$InputTCPServerRun 514
#SET DESTINATION FOR LOGS
$template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
$template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
$template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
$template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
$template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
$template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
$template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
#SET LOGGING CONDITIONS
if $syslogseverity <= '6' then ?DYNmessages
if $syslogfacility-text == 'authpriv' then ?DYNsecure
if $syslogfacility-text == 'mail' then ?DYNmaillog
if $syslogfacility-text == 'cron' then ?DYNcron
if $syslogseverity-text == 'crit' then ?DYNspooler
if $syslogfacility-text == 'local7' then ?DYNboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' then ?DYNtraps

Here is my logfile when I try to start rsyslog as a non-root user:

2012-01-31T15:45:52.997693+02:00 <hostname> rsyslogd: [origin software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info="http://www.rsyslog.com"] start
2012-01-31T15:45:52.997294+02:00 <hostname> rsyslogd: bind: Permission denied
2012-01-31T15:45:52.997369+02:00 <hostname> rsyslogd: bind: Permission denied
2012-01-31T15:45:52.997374+02:00 <hostname> rsyslogd: No UDP listen socket could successfully be initialized, message reception via UDP disabled.
2012-01-31T15:45:52.997376+02:00 <hostname> rsyslogd: imudp: no listeners could be started, input not activated.
2012-01-31T15:45:52.997379+02:00 <hostname> rsyslogd3: activation of module imudp failed [try http://www.rsyslog.com/e/-3 ]
2012-01-31T15:45:52.997643+02:00 <hostname> rsyslogd-2077: Could not create tcp listener, ignoring port 514. [try http://www.rsyslog.com/e/2077 ]

So permissions to bind and sockets seem to be the problem...


yes, you cannot bind to ports <1024 as a normal user (without making some other non-standard changes through sysctl)


1. Is it possible to make rsyslog write logfiles as a non-root user - if yes: how?


permission drop features


2a. Is it possible to add permissions for a non-root user to run the rsyslog server - if yes: how?


pick a listening port > 1024 and it should work.


2b. How do I start rsyslog during boot as a non-root user - can chkconfig do this? Do I need to edit /etc/init.d/rsyslog - if yes: how?


su can run a command as a different user.

although as Rainer points out, you may just be looking for the permission dropping features that are already in rsyslog.

David Lang

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/



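The two things David suggests checking in this thread (that the PrivDropToUser account can actually write the log and queue directories, and that no listener is on a port below 1024, which the "bind: Permission denied" lines above show a non-root rsyslogd cannot open) can be turned into a pre-flight script run before "service rsyslog start". The script below is an added illustration written for this page; it is not code from the thread, from rsyslog, or from the RHEL init script. The function names, the argument layout, the reliance on GNU "stat -c" (as on RHEL) and the decision to parse only the legacy $UDPServerRun/$InputTCPServerRun directives used in the thread's rsyslog.conf are all assumptions.

```shell
#!/bin/sh
# Pre-flight checks for an rsyslog instance that uses PrivDropToUser /
# PrivDropToGroup. Hypothetical helper written for this page; assumes
# GNU coreutils (stat -c) and the legacy listener directives.

# dir_writable_by USER DIR: succeed if USER could write into DIR judging
# only by the owner/group/other mode bits. POSIX ACLs and root's
# CAP_DAC_OVERRIDE are deliberately not modelled (assumption): the point is
# what the unprivileged account will see after the drop.
dir_writable_by() {
    user=$1
    dir=$2
    [ -d "$dir" ] || return 1
    owner=$(stat -c %U "$dir") || return 1
    group=$(stat -c %G "$dir") || return 1
    mode=$(stat -c %a "$dir") || return 1
    mode=${mode#${mode%???}}          # keep the last three octal digits
    ow=${mode%??}                     # owner digit
    gr=${mode#?}; gr=${gr%?}          # group digit
    ot=${mode#??}                     # other digit
    if [ "$owner" = "$user" ]; then
        bit=$ow
    else
        # id fails for an unknown account, which is itself a misconfiguration
        groups=$(id -Gn "$user" 2>/dev/null) || return 1
        case " $groups " in
            *" $group "*) bit=$gr ;;
            *)            bit=$ot ;;
        esac
    fi
    [ $((bit & 2)) -ne 0 ]            # write bit set for the matching class?
}

# privileged_ports_in_conf CONF: print each legacy UDP/TCP listener
# directive in CONF whose port is below 1024 and fail if any exists;
# succeed silently otherwise.
privileged_ports_in_conf() {
    found=$(awk '($1 == "$UDPServerRun" || $1 == "$InputTCPServerRun") && $2 + 0 < 1024 { print $1, $2 + 0 }' "$1")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# run_checks USER CONF DIR...: apply both checks, report, and fail on any problem.
run_checks() {
    user=$1; conf=$2; shift 2
    rc=0
    id "$user" >/dev/null 2>&1 || { echo "FAIL: user $user does not exist"; return 1; }
    for d in "$@"; do
        if dir_writable_by "$user" "$d"; then
            echo "ok:   $user can write $d"
        else
            echo "FAIL: $user cannot write $d (log/queue output will fail after the drop)"
            rc=1
        fi
    done
    if ports=$(privileged_ports_in_conf "$conf"); then
        echo "ok:   no listener below port 1024 in $conf"
    else
        echo "FAIL: privileged ports in $conf (move them above 1024 or keep them for root):"
        echo "$ports"
        rc=1
    fi
    return $rc
}

# Usage (paths are examples): ./privdrop_check.sh <PrivDropToUser> /etc/rsyslog.conf /var/log/remote /var/spool/rsyslog
if [ $# -gt 0 ]; then
    run_checks "$@"
fi
```

A non-zero exit from run_checks is the cue to fix ownership of the directories (chown to the drop-to user, not 777) or to raise the listener ports, before retrying the init script.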