I have a directory owned by the syslog-ng user. Its group however belongs to a group of which the user is not a member. The directory is g+s, so that all files and dirs made within it inherit the group owner (and the g+s in the case of dirs).

syslog-ng is running with a umask of 022 (interrogated running process to be sure). The file("/dir/${FOO}/${BAR}") destination driver has:

    create-dirs(yes) perm() dir-owner() dir-group() dir-perm()

i.e. "don't change any perms".

The aim of the game is to end up with files and dirs readable, but not writable, by the inherited group owner. I can't get it working. I am always ending up with drwx--S--- dirs and -rw------- files.

Solaris. syslog-ng-3.12.1

-- Declan White
Why not explicitly manage the perms/ownerships with syslog-ng itself? Eg

    owner ("owner"); group ("group"); dir-owner ("owner"); dir-group ("group"); perm (0644); dir-perm (0755);

-----Original Message-----
From: syslog-ng [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Declan White
Sent: Friday, February 9, 2018 10:39 AM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] Umask funkiness
Already tried directory mode 04750 - no dice. It strips the g+s.

And dir-group ("group") when you aren't a member of that group probably won't fly.

I just need it to not touch stuff. It can only inherit these perms. It can't make them.

On Fri, Feb 09, 2018 at 04:48:01PM +0000, Robin Blanchard wrote:
> Why not explicitly manage the perms/ownerships with syslog-ng itself? Eg
> owner ("owner"); group ("group"); dir-owner ("owner"); dir-group ("group"); perm (0644); dir-perm (0755);
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Might be inheriting the umask of the parent process. Although you explicitly set it, I would take a poke at that.

How is syslog-ng being started? Can you unset it or set it to 0000 before starting syslog-ng as a test?

Jim

-------- Original message --------
From: Declan White <declanw@is.bbc.co.uk>
Date: 2/9/18 12:01 PM (GMT-05:00)
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Umask funkiness
If ZFS, is ZFS aclinherit / aclmode biting you?

    $ ls -V /path/to/problem

-----Original Message-----
From: syslog-ng [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Declan White
Sent: Friday, February 9, 2018 11:01 AM
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Umask funkiness
I was thinking maybe indeed ACL, check with getfacl?

On 9-2-2018 at 21:08, Robin Blanchard wrote:
> If ZFS, is ZFS aclinherit / aclmode biting you?
>
> $ ls -V /path/to/problem
On Fri, Feb 09, 2018 at 08:08:02PM +0000, Robin Blanchard wrote:
> If ZFS, is ZFS aclinherit / aclmode biting you?

Yes, ZFS, but I hope not - I shouldn't have any funky aclfoo around.

> $ ls -V /path/to/problem

    logreader$ ls -Vd /logreader/ingest/2018/02
    drwxr-s---  11 logwriter logreader  11 Feb  9 00:00 /logreader/ingest/2018/02
                     owner@:rwxp-DaARWcCos:------:allow
                     group@:r-x---a-R-c--s:------:allow
                  everyone@:------a-R-c--s:------:allow

sanity test:

    # umask 022
    # ls -lag /logreader/ingest/2018/02
    drwx--S---   3 logwriter logreader   3 Feb  9 00:00 09
    # UID=10020 mkdir /logreader/ingest/2018/02/test
    # ls -lag /logreader/ingest/2018/02
    drwx--S---   3 logwriter logreader   3 Feb  9 00:00 09
    drwxr-sr-x   2 logwriter logreader   2 Feb  9 20:23 test

- Declan
Found it..

lib/file-perms.c:278:

    if (mkdir(name, self->dir_perm < 0 ? 0700 : (mode_t) self->dir_perm) == -1)

If you don't specify perms, you get 0700. If you DO specify perms, like 0750:

    mkdir("/var/tmp/syslog-ng.test/outdir_test/2018/02/10/00/19", 0750) = 0   # yay - I have inherited sgid
    chmod("/var/tmp/syslog-ng.test/outdir_test/2018/02/10/00/19", 0750) = 0   # and now it's gone

If I try 02750 (adds the sgid):

    mkdir("/var/tmp/syslog-ng.test/outdir_test/2018/02/10/01/02", 02750) = 0
    chmod("/var/tmp/syslog-ng.test/outdir_test/2018/02/10/01/02", 02750) = 0

You get:

    drwx--S---   4 writer   reader   4 Feb 10 01:02 /var/tmp/syslog-ng.test/outdir_test/2018/02/10
    drwxr-x---   3 writer   reader   3 Feb 10 01:02 /var/tmp/syslog-ng.test/outdir_test/2018/02/10/01
    drwxr-s---   2 writer   writer   3 Feb 10 01:02 /var/tmp/syslog-ng.test/outdir_test/2018/02/10/01/02
    -rw-------   1 writer   writer   7 Feb 10 01:02 /var/tmp/syslog-ng.test/outdir_test/2018/02/10/01/02/out_test.log

It wipes the inherited sgid anyway - you can't set sgid on a group you're not in, so the chown(2000) attempt strips it. But then it succeeds with sgid in the deeper directory when lack of previous sgid means new dirs are made with its own GID :-)

It will work if I run it as root. But I didn't plan on doing that.

I'll have to retreat and perhaps change that default 700 to a 750 or a 770 in the code.

- Declan

On Fri, Feb 09, 2018 at 08:40:47PM +0000, Declan White wrote:
> Yes, ZFS, but I hope not - I shouldn't have any funky aclfoo around
> [ls -V output and sanity test as above]
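The two observations in Declan's last two messages (the manual mkdir in the sanity test keeping the inherited g+s, and the mkdir()/chmod() pair traced from lib/file-perms.c losing it) can be reproduced without syslog-ng. The script below is an added example, not code from syslog-ng or from anyone in this thread. It re-implements the create-dirs() path as Declan traced it in 3.12.1 (mkdir() with 0700 when dir-perm() is unset, otherwise mkdir() with the configured mode followed by chmod() to the same mode; that sequence is taken from his trace and is an assumption for other versions) and compares it with a single mkdir() under a setgid parent. It assumes a local filesystem that honours setgid directories and a process allowed to chmod directories it owns. It does not model the group-membership part of the failure (chmod() by a user who is not in the directory's group also drops an explicit S_ISGID), because it runs with whatever group you have.

```python
"""Reproduce the setgid-directory behaviour discussed in this thread.

Added example, not code from syslog-ng or from anyone on the list.  It models
the create-dirs() path as Declan traced it in lib/file-perms.c: mkdir() with
0700 when dir-perm() is unset, otherwise mkdir() with the configured mode
followed by chmod() to that same mode.  Assumed: a local filesystem that
honours setgid directories, and a process that may chmod directories it owns.
"""
import os
import stat
import tempfile


def mode_bits(path):
    """Permission bits of path including setuid/setgid/sticky, e.g. 0o2750."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def mkdir_like_syslog_ng(path, dir_perm=-1):
    """mkdir() then chmod(), the two syscalls in Declan's trace.

    dir_perm < 0 stands for an unset dir-perm() option.  The chmod() is the
    step that discards an inherited S_ISGID: a mode such as 0o750 simply does
    not contain the bit, and even 0o2750 only survives when the caller is
    root or a member of the directory's group (which is exactly what the
    setgid parent was being used to avoid).
    """
    os.mkdir(path, 0o700 if dir_perm < 0 else dir_perm)
    if dir_perm >= 0:
        os.chmod(path, dir_perm)
    return mode_bits(path)


def mkdir_inheriting(path, mode=0o750):
    """The behaviour wanted in the thread: one mkdir(), no follow-up chmod(),
    so the parent's setgid bit (and its group) carry over untouched."""
    os.mkdir(path, mode)
    return mode_bits(path)


def demo(umask=0o022):
    """Create a setgid parent and one child per strategy; return their modes."""
    old_umask = os.umask(umask)          # same umask syslog-ng was running with
    base = tempfile.mkdtemp(prefix="sgid-demo-")
    try:
        parent = os.path.join(base, "ingest")
        os.mkdir(parent, 0o750)
        os.chmod(parent, 0o2750)          # g+s on the parent, like /logreader/ingest
        return {
            "parent": mode_bits(parent),
            "dir_perm_unset": mkdir_like_syslog_ng(os.path.join(parent, "unset")),
            "dir_perm_0750": mkdir_like_syslog_ng(os.path.join(parent, "p0750"), 0o750),
            "dir_perm_02750": mkdir_like_syslog_ng(os.path.join(parent, "p02750"), 0o2750),
            "plain_mkdir": mkdir_inheriting(os.path.join(parent, "plain"), 0o750),
        }
    finally:
        os.umask(old_umask)
        # remove the scratch tree bottom-up; every directory here is ours and empty
        for root, dirs, _files in os.walk(base, topdown=False):
            for d in dirs:
                os.rmdir(os.path.join(root, d))
        os.rmdir(base)


if __name__ == "__main__":
    for name, bits in demo().items():
        has_sgid = "yes" if bits & stat.S_ISGID else "no"
        print(f"{name:15s} {bits:05o}  setgid={has_sgid}")
```

Run it as an ordinary user. The dir_perm_unset row comes back as 02700: g+s survives but the group cannot read, which is the drwx--S--- directory from the original post. The dir_perm_0750 row comes back as 0750 with no setgid, which is the drwxr-x--- directory in the truss output. The plain_mkdir row keeps 02750, the same result as the manual mkdir in the sanity test. The dir_perm_02750 row keeps its bit here only because the script's own group owns the directory; for the non-member case in the thread, that chmod() would strip it too.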
participants (4): Abe Lebo, Declan White, james.r.hendrick, Robin Blanchard