Hi everybody,
using syslog-ng with a non-privileged user causes trouble when
/proc/kmsg is defined as a source. Access to /proc/kmsg is limited to
processes with the CAP_SYS_ADMIN capability. So even resetting
/proc/kmsg's file permissions will not solve the problem. The
non-privileged user will not be able to read the file.
I've searched the web a little bit and it seems that this is a known
problem for syslog-ng that has not been solved so far [1].
Obviously klogd has the exact same problem when run as a non-privileged
user. The Ubuntu klogd maintainers came up with a workaround for this
(see [2]).
I applied the klogd workaround to syslog-ng's init script and it seems
to work well (see attached patch). The patch includes my previous
changes. Does anybody see disadvantages with this solution?
Florian
[1] https://lists.balabit.hu/pipermail/syslog-ng/2007-January/009686.html
[2] https://lists.balabit.hu/pipermail/syslog-ng/2008-November/012224.html
diff -u syslog-ng-2.0.9/debian/syslog-ng.init
syslog-ng-2.0.9/debian/syslog-ng.init
--- syslog-ng-2.0.9/debian/syslog-ng.init
+++ syslog-ng-2.0.9/debian/syslog-ng.init
@@ -51,17 +51,56 @@
SYSLOGNG="/sbin/syslog-ng"
NAME="syslog-ng"
+SYSLOGNG_OPTIONS=""
+
+# Do we have a non-root user set?
+if [ -n "$SYSLOGNG_USER" ]; then
+ SYSLOGNG_OPTIONS="-u $SYSLOGNG_USER"
+
+ # Let's create a message pipe readable
+ # by the syslog user to work around
+ # superuser privilege requirement for
+ # /proc/kmsg (credit to Ubuntu's klogd
+ # init script).
+ SYSLOGNG_RUNDIR="$SYSLOGNG_CHROOT/var/run/syslog-ng"
+ SYSLOGNG_KMSGPIPE="$SYSLOGNG_RUNDIR/kmsg"
+ SYSLOGNG_KMSGPIDFILE="$SYSLOGNG_RUNDIR/kmsg.pid"
+fi
+
+# Do we have a non-root group set?
+if [ -n "$SYSLOGNG_GROUP" ]; then
+ SYSLOGNG_OPTIONS="$SYSLOGNG_OPTIONS -g $SYSLOGNG_GROUP"
+fi
+
create_xconsole() {
if [ ! -e /dev/xconsole ]
then
mknod -m 640 /dev/xconsole p
fi
}
-
+
syslogng_start() {
log_daemon_msg "Starting system logging" "$NAME"
- start-stop-daemon --start --quiet --exec "$SYSLOGNG" \
- --pidfile "$PIDFILE" -- -p "$PIDFILE"
+
+ # Make a kmsg pipe accessible by the syslog-ng user
+ if [ -n "$SYSLOGNG_USER" ]; then
+ mkdir -p "$SYSLOGNG_RUNDIR"
+ mkfifo -m 700 "$SYSLOGNG_KMSGPIPE"
+ chown "${SYSLOGNG_USER}:root" "$SYSLOGNG_KMSGPIPE"
+
+ # shovel /proc/kmsg to pipe readable by syslog-ng user
+ start-stop-daemon --start --pidfile "$SYSLOGNG_KMSGPIDFILE" --exec
/bin/dd -b -m -- bs=1 if=/proc/kmsg of="$SYSLOGNG_KMSGPIPE"
+ fi
+
+ # Do we have a chroot jail set?
+ if [ -z "$SYSLOGNG_CHROOT" ]; then
+ start-stop-daemon --start --quiet --exec "$SYSLOGNG" \
+ --pidfile "$PIDFILE" -- $SYSLOGNG_OPTIONS -p
"$PIDFILE"
+ else
+ start-stop-daemon --start --quiet --exec "$SYSLOGNG" \
+ --pidfile "$PIDFILE" -- $SYSLOGNG_OPTIONS -p
"$PIDFILE" -C "$SYSLOGNG_CHROOT"
+ fi
+
RET="$?"
log_end_msg $RET
return $RET
@@ -73,7 +112,13 @@
--pidfile "$PIDFILE"
RET="$?"
log_end_msg $RET
- rm -f "$PIDFILE"
+
+ # stop kmsg pipe
+ start-stop-daemon --stop --quiet --oknodo --pidfile "$SYSLOGNG_KMSGPIDFILE"
+
+ # remove files
+ rm -f "$PIDFILE" "$SYSLOGNG_KMSGPIDFILE" "$SYSLOGNG_KMSGPIPE"
+
return $RET
}
