[Bug 99] New: syslog-ng unable to write to files owned by another user and not world writable
https://bugzilla.balabit.com/show_bug.cgi?id=99

Summary: syslog-ng unable to write to files owned by another user and not world writable
Product: syslog-ng
Version: 3.1.x
Platform: PC
OS/Version: Linux
Status: NEW
Severity: minor
Priority: unspecified
Component: syslog-ng
AssignedTo: bazsi@balabit.hu
ReportedBy: mimosinnet@ningunlugar.org
Type of the Report: bug
Estimated Hours: 0.0

I used to have a new destination that logged messages into a file owned by a certain user. This worked in syslog-ng-3.0.4:

    destination problem { file("/var/log/problem.log" owner("o3o") group("users")); };

    # ls -lisah problem.log
    6268890 920K -rw------- 1 o3o users 915K 7 des 12:52 problem.log

After upgrading to syslog-ng-3.1.1, I get the following message:

    Dec 7 12:52:37 o3o syslog-ng[12594]: Error opening file for writing; filename='/var/log/problem.log', error='Permission denied (13)'
    Dec 7 12:52:37 o3o syslog-ng[12594]: syslog-ng internal() messages are looping back, preventing loop by suppressing further messages; recurse_count='2'

I can write to the file as the o3o user (i.e. echo "test" >> /var/log/problem.log).

I have tried to put the file in the home directory with the same result:

    destination problem { file("/home/o3o/problem.log" owner("o3o") group("users")); };

I had to give world permissions to the file for syslog-ng to be able to write to it:

    destination problem { file("/var/log/problem.log" owner("o3o") group("users") perm(0622)); };

The file should only be writable for the specific user.

This seems similar to this other bug: https://bugzilla.balabit.com/show_bug.cgi?id=52

Thanks for the attention!

--
Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
What user is syslog-ng running as? I'm guessing that whatever init script your distro uses is performing a setuid when launching syslog-ng.

"Permission denied (13)" is an error code given by the OS, not syslog-ng. Meaning that there is nothing in the syslog-ng code that is able to fix this.

-Patrick

Sent: Tue Dec 07 2010 05:26:11 GMT-0700 (Mountain Standard Time)
From: bugzilla@bugzilla.balabit.com
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] [Bug 99] New: syslog-ng unable to write to files owned by another user and not world writable
https://bugzilla.balabit.com/show_bug.cgi?id=99
Summary: syslog-ng unable to write to files owned by another user and not world writable
Product: syslog-ng
Version: 3.1.x
Platform: PC
OS/Version: Linux
Status: NEW
Severity: minor
Priority: unspecified
Component: syslog-ng
AssignedTo: bazsi@balabit.hu
ReportedBy: mimosinnet@ningunlugar.org
Type of the Report: bug
Estimated Hours: 0.0
I used to have a new destination that logged messages into a file owned by a certain user. This worked in syslog-ng-3.0.4:
destination problem { file("/var/log/problem.log" owner("o3o") group("users")); };
# ls -lisah problem.log
6268890 920K -rw------- 1 o3o users 915K 7 des 12:52 problem.log
After upgrading to syslog-ng-3.1.1, I get the following message:
Dec 7 12:52:37 o3o syslog-ng[12594]: Error opening file for writing; filename='/var/log/problem.log', error='Permission denied (13)'
Dec 7 12:52:37 o3o syslog-ng[12594]: syslog-ng internal() messages are looping back, preventing loop by suppressing further messages; recurse_count='2'
I can write to the file as the o3o user (i.e. echo "test" >> /var/log/problem.log).
I have tried to put the file in the home directory with the same result:
destination problem { file("/home/o3o/problem.log" owner("o3o") group("users")); };
I had to give world permissions to the file for syslog-ng to be able to write to it:
destination problem { file("/var/log/problem.log" owner("o3o") group("users") perm(0622)); };
The file should only be writable for the specific user.
This seems similar to this other bug: https://bugzilla.balabit.com/show_bug.cgi?id=52
Thanks for the attention!
On Tue, Dec 07, 2010 at 07:58:41AM -0700, Patrick H. wrote:
What user is syslog-ng running as? I'm guessing that whatever init script your distro uses is performing a setuid when launching syslog-ng. "Permission denied (13)" is an error code given by the OS, not syslog-ng. Meaning that there is nothing in the syslog-ng code that is able to fix this.
-Patrick
Watch out for capabilities, apparmor, selinux as well. They are famous for breaking things when you use a daemon in a non-default configuration that wasn't anticipated by the distro maintainers.

Matthew.
https://bugzilla.balabit.com/show_bug.cgi?id=99

--- Comment #1 from Balazs Scheidler <bazsi@balabit.hu> 2010-12-08 11:31:25 ---

That fix went into 3.2.

The difference between your 3.0 and 3.1 installation is probably the fact that 3.0 wasn't compiled with capability support, while 3.1 was.

Capability support is broken in both 3.0 and 3.1 when using owner/group for destination files.

Please try to use the --no-caps option for syslog-ng, or compile syslog-ng without capability support.

I could try to backport the capability related fixes to 3.1, but please check if --no-caps indeed fixes your problem.

Thanks.
https://bugzilla.balabit.com/show_bug.cgi?id=99

mimosinnet <mimosinnet@ningunlugar.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|                            |FIXED
             Status|NEW                         |RESOLVED

--- Comment #2 from mimosinnet <mimosinnet@ningunlugar.org> 2010-12-08 22:15:36 ---

Thanks very much for the answer. I have updated syslog-ng from 3.1.1 to 3.1.2 and the problem is solved. These are the compilation options:

    ./configure --prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --libdir=/usr/lib64 --disable-dependency-tracking --sysconfdir=/etc/syslog-ng --with-pidfile-dir=/var/run --enable-linux-caps --disable-ipv6 --enable-pcre --enable-spoof-source --enable-sql --enable-ssl --enable-tcp-wrapper --enable-dynamic-linking

and syslog-ng version:

    # syslog-ng --version
    syslog-ng 3.1.2
    Installer-Version: 3.1.2
    Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.1#master#8bf13c304b6ab5fc1a372b49d55c78370efe14ca
    Compile-Date: Dec 8 2010 21:36:37
    Enable-Threads: on
    Enable-Debug: off
    Enable-GProf: off
    Enable-Memtrace: off
    Enable-Sun-STREAMS: off
    Enable-Sun-Door: off
    Enable-IPv6: off
    Enable-Spoof-Source: on
    Enable-TCP-Wrapper: on
    Enable-SSL: on
    Enable-SQL: on
    Enable-Linux-Caps: on
    Enable-Pcre: on
https://bugzilla.balabit.com/show_bug.cgi?id=99

--- Comment #3 from mimosinnet <mimosinnet@ningunlugar.org> 2010-12-08 22:43:33 ---

Sorry, the previous message is wrong. As you suggested, I had to disable linux-caps to solve the issue. Thanks very much!

    ./configure --prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --libdir=/usr/lib64 --disable-dependency-tracking --sysconfdir=/etc/syslog-ng --with-pidfile-dir=/var/run --disable-linux-caps --disable-ipv6 --enable-pcre --enable-spoof-source --enable-sql --enable-ssl --enable-tcp-wrapper --enable-dynamic-linking

    syslog-ng 3.1.2
    Installer-Version: 3.1.2
    Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.1#master#8bf13c304b6ab5fc1a372b49d55c78370efe14ca
    Compile-Date: Dec 8 2010 22:35:44
    Enable-Threads: on
    Enable-Debug: off
    Enable-GProf: off
    Enable-Memtrace: off
    Enable-Sun-STREAMS: off
    Enable-Sun-Door: off
    Enable-IPv6: off
    Enable-Spoof-Source: on
    Enable-TCP-Wrapper: on
    Enable-SSL: on
    Enable-SQL: on
    Enable-Linux-Caps: off
    Enable-Pcre: on
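The permission failure and the perm(0622) workaround from this thread, modelled as an added example (not code from syslog-ng or from any poster): a simplified Linux mode-bit write check plus an audit that flags world-writable file() destinations. It assumes the capability-enabled daemon opens the file as root without CAP_DAC_OVERRIDE in effect; the numeric uid/gid values and the names may_write and audit are constructed for illustration.

```python
import re

# Constructed sample: the two file() destinations quoted in the bug report.
CONFIG = '''
destination problem { file("/var/log/problem.log" owner("o3o") group("users")); };
destination problem { file("/var/log/problem.log" owner("o3o") group("users") perm(0622)); };
'''
O3O_UID, USERS_GID = 1000, 100  # made-up numeric ids for o3o:users

DEST_RE = re.compile(r'file\(\s*"([^"]+)"([^;]*)\)\s*;')
PERM_RE = re.compile(r'\bperm\(\s*(0[0-7]{3})\s*\)')


def may_write(mode, file_uid, file_gid, uid, gids, dac_override):
    """Simplified Linux DAC write check (mode bits only: no ACLs, no LSM)."""
    if dac_override:                 # CAP_DAC_OVERRIDE bypasses the mode-bit check
        return True
    if uid == file_uid:              # owner class
        return bool(mode & 0o200)
    if file_gid in gids:             # group class
        return bool(mode & 0o020)
    return bool(mode & 0o002)        # everyone else, including uid 0 without the cap


def audit(config, default_mode=0o600):
    """Return (path, mode, world_writable) for every file() destination.

    default_mode is the -rw------- mode shown by `ls` in the report.
    """
    findings = []
    for path, opts in DEST_RE.findall(config):
        m = PERM_RE.search(opts)
        mode = int(m.group(1), 8) if m else default_mode
        findings.append((path, mode, bool(mode & 0o002)))
    return findings


if __name__ == "__main__":
    for path, mode, world in audit(CONFIG):
        args = (mode, O3O_UID, USERS_GID)
        print(f"{path} mode={mode:04o} world_writable={world}")
        print("  root, caps dropped :", may_write(*args, 0, {0}, False))
        print("  root, --no-caps    :", may_write(*args, 0, {0}, True))
        print("  unrelated user     :", may_write(*args, 4242, {4242}, False))
```

With mode 0600 the capability-less root process is denied just like any other non-owner, and with 0622 it succeeds only because every local user can now write to the log.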