RE: [syslog-ng] I/O error occurred while reading; fd='4',error='Operation not permitted (1)'
This cleared a few things up. Should have noticed this earlier when looking at the return code for the "read" system call:

"read(4, 0x55ad20, 8192) = -1 EPERM (Operation not permitted)"

This is indicative of access control restrictions. If you consider the file trying to be read ("/proc/kmsg") and its permissions (only readable as root), it makes sense why you are getting permission errors when trying to read as user "syslogng".

You are also experiencing other permission related errors on certain files:

/var/log/syslog
/var/log/messages
/dev/xconsole

File attribute changes are failing due to only being modifiable as root, but being modified as user "syslogng". If you want to verify this claim, try running the daemon as root, and you should no longer see this problem. You will likely have to tune file access/location suitable to your security and/or logging requirements.

Regards,
Justin.

-----Original Message-----
From: Matt Miller [mailto:syslog-ng@mattmillersf.fastmail.fm]
Sent: Wed 1/3/2007 12:16 AM
To: Syslog-ng users' and developers' mailing list
Cc: Justin Randall
Subject: RE: [syslog-ng] I/O error occurred while reading; fd='4',error='Operation not permitted (1)'
send the full output from strace without filtering specific system calls?
Attached. Thanks for your help.
"read(4, 0x55ad20, 8192) = -1 EPERM (Operation not permitted)"
This is indicative of access control restrictions. If you consider the file trying to be read ("/proc/kmsg") and its permissions (only readable as root), it makes sense why you are getting permission errors
Okay, I see that /proc/kmsg was readable only by root. However, I don't seem to be able to get around this. As shown below I can't seem to read /proc/kmsg as user syslogng no matter what permissions I set:

mmiller@xpc1:~$ ls -l /var/local/chroot/syslogng/proc/kmsg
-rwxrwxrwx 1 syslogng syslogng 0 2007-01-03 18:19 /var/local/chroot/syslogng/proc/kmsg
mmiller@xpc1:~$ sudo -u syslogng cat /var/local/chroot/syslogng/proc/kmsg
cat: /var/local/chroot/syslogng/proc/kmsg: Operation not permitted

I realize that this may not strictly be a syslog-ng issue, but how can I use syslog-ng's "-u" option for added security and still get at /proc/kmsg?
/var/log/syslog
/var/log/messages
/dev/xconsole
File attribute changes are failing due to only being modifiable as root, but being modified as user "syslogng".
Okay, so apparently the process needs CAP_CHOWN privilege so that the 'fchown' call can succeed? I seem to be getting these errors even if the files are already owned by the user that I specify with syslog-ng's "-u" option. Maybe syslog-ng should first check the owner of the files before trying to change the owner? I'm just guessing here. Also, I don't want to go to a lot of effort solely to get a clean 'strace.' I do, though, want to avail myself of all of syslog-ng's abilities, and I want to run as a user other than root.
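The owner check Matt asks for above is easy to implement, and it is the least-privilege approach: a daemon that has dropped to an unprivileged user cannot succeed at fchown() without CAP_CHOWN, but it does not need the capability at all when the file already has the desired owner and group. The example below is added here to illustrate that idea; it is not syslog-ng's own code and the function name `ensure_owner` and the scratch file path are assumptions made for the demonstration. (The /proc/kmsg failure in this thread is a different case: the kernel gates that file on a capability rather than on its mode bits, so no chmod or chown will make it readable to an ordinary user.)

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Result codes for ensure_owner(). */
enum chown_result {
    CHOWN_UNCHANGED = 0,   /* owner/group already match; no fchown() issued */
    CHOWN_CHANGED   = 1,   /* fchown() issued and succeeded */
    CHOWN_FAILED    = -1   /* fstat() or fchown() failed; errno is set */
};

/* Change the owner/group of an open descriptor only when they differ from
 * what is wanted. Skipping the call when nothing would change means an
 * unprivileged process (no CAP_CHOWN) never produces a spurious EPERM for
 * files it already owns. Pass (uid_t)-1 / (gid_t)-1 to leave a field alone,
 * with the same meaning fchown(2) gives those values. */
int ensure_owner(int fd, uid_t want_uid, gid_t want_gid)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return CHOWN_FAILED;

    uid_t new_uid = (want_uid == (uid_t)-1) ? st.st_uid : want_uid;
    gid_t new_gid = (want_gid == (gid_t)-1) ? st.st_gid : want_gid;

    if (new_uid == st.st_uid && new_gid == st.st_gid)
        return CHOWN_UNCHANGED;        /* nothing to do, no privilege needed */

    if (fchown(fd, new_uid, new_gid) != 0)
        return CHOWN_FAILED;           /* typically EPERM without CAP_CHOWN */
    return CHOWN_CHANGED;
}

/* Demonstration: create a scratch file (constructed path, owned by the caller)
 * and request ownership by the caller's own effective uid, group untouched.
 * Returns the ensure_owner() result so a caller can check it. */
int demo_on_tempfile(void)
{
    char path[] = "/tmp/ensure_owner_XXXXXX";   /* assumed scratch location */
    int fd = mkstemp(path);
    if (fd < 0)
        return CHOWN_FAILED;
    int rc = ensure_owner(fd, geteuid(), (gid_t)-1);
    close(fd);
    unlink(path);
    return rc;
}

int main(void)
{
    int rc = demo_on_tempfile();
    switch (rc) {
    case CHOWN_UNCHANGED: puts("already owned by us: no fchown() needed"); break;
    case CHOWN_CHANGED:   puts("ownership changed via fchown()"); break;
    default:              printf("failed: %s\n", strerror(errno)); return 1;
    }
    return 0;
}
```

Run as an unprivileged user, the scratch file is already owned by that user, so the function returns without ever calling fchown(); an strace of the run shows fstat() but no EPERM. Only when the requested owner actually differs does the call go out, and that is the case where the daemon genuinely needs CAP_CHOWN or must be started with the files pre-owned by the target user.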
On Wed, 2007-01-03 at 20:08 +0100, Matt Miller wrote:
"read(4, 0x55ad20, 8192) = -1 EPERM (Operation not permitted)"
This is indicative of access control restrictions. If you consider the file trying to be read ("/proc/kmsg") and its permissions (only readable as root), it makes sense why you are getting permission errors
Okay, I see that /proc/kmsg was readable only by root. However, I don't seem to be able to get around this. As shown below I can't seem to read /proc/kmsg as user syslogng no matter what permissions I set:
mmiller@xpc1:~$ ls -l /var/local/chroot/syslogng/proc/kmsg
-rwxrwxrwx 1 syslogng syslogng 0 2007-01-03 18:19 /var/local/chroot/syslogng/proc/kmsg
mmiller@xpc1:~$ sudo -u syslogng cat /var/local/chroot/syslogng/proc/kmsg
cat: /var/local/chroot/syslogng/proc/kmsg: Operation not permitted
I realize that this may not strictly be a syslog-ng issue, but how can I use syslog-ng's "-u" option for added security and still get at /proc/kmsg?
I think this might be caused by something like SELinux, which prevents reading /proc/kmsg from a chroot. When normal access control rules are in effect, then once a file is opened it will remain readable for as long as the process keeps it opened.

--
Bazsi
I can't seem to read /proc/kmsg as user syslogng no matter what permissions I set:
I think this might be caused by something like SELinux, which prevents reading /proc/kmsg from a chroot.
I'm running debian etch, and I'm pretty sure SELinux is disabled by default. I haven't taken any steps to turn this on. Also, the following seems to show that only root can read from the standard /proc/kmsg:

mmiller@xpc1:~$ ls -l /proc/kmsg
-rwxrwxrwx 1 mmiller mmiller 0 2007-01-03 21:37 /proc/kmsg
mmiller@xpc1:~$ cat /proc/kmsg
cat: /proc/kmsg: Operation not permitted

So, how can "syslog-ng -u" allow me to run the daemon as an unprivileged user? If I just ignore this non-fatal problem, what limitations might I have with syslog-ng's capabilities?
participants (3)
- Balazs Scheidler
- Justin Randall
- Matt Miller