[syslog-ng]cannot get sec.pl to exit after syslog-ng does

syslog-ng@lists.balabit.hu syslog-ng@lists.balabit.hu
Thu, 29 Apr 2004 12:16:09 -0400


Aw crap. Forget all this. I looked at it again, and anyone would be able to
DoS sec.pl using logger.
::sigh:: It looks like signal propagation from syslog-ng to sec.pl is the
right way of doing this.

-- 
"Computer science is as much about computers as 
        astronomy is about telescopes" -- Edsger Dijkstra 
--------------------------------------------------------- 
Anthony Tonns, UNIX Administrator - atonns@mail.ivillage.com 

  

> -----Original Message-----
> From: atonns@mail.ivillage.com [mailto:atonns@mail.ivillage.com] 
> Sent: Thursday, April 29, 2004 12:13 PM
> To: syslog-ng@lists.balabit.hu
> Subject: RE: [syslog-ng]cannot get sec.pl to exit after syslog-ng does
> 
> After a night of sleeping on it, I came up with an alternate solution - have
> SEC detect restarts of syslog-ng. Below is the result. The only fuzzy part
> is in the sec-cleanup.pl script below - what to do if you don't get a TERM
> signal from sec.pl. I don't think using "logger" is the best idea since
> things are restarting, etc. etc. I _guess_ it could send email out. In
> reality, it's all up to the end user.
> 
> ### syslog-ng.conf ###
> 
> source s_src {
>         sun-stream("/dev/log" door("/etc/.syslog_door"));
>         tcp(max-connections(1024));
>         udp();
>         internal();
> };
> 
> destination d_sec {
>         program("/usr/local/sbin/sec.pl -intevents -input=\"-\" -conf=/usr/local/etc/sec.conf");
> };
> 
> log {
>         source(s_src);
>         destination(d_sec);
> };
> 
> ### sec.conf ###
> 
> type=Single
> continue=TakeNext
> ptype=RegExp
> pattern=syslog-ng version .+ going down
> desc=syslog-ng shutdown
> action= shellcmd /usr/local/sbin/sec-cleanup.pl
> 
> type=Single
> continue=TakeNext
> ptype=RegExp
> pattern=SIGHUP received, restarting syslog-ng
> desc=syslog-ng restart
> action= shellcmd /usr/local/sbin/sec-cleanup.pl
> 
> ### sec-cleanup.pl ###
> 
> #!/usr/local/bin/perl -w
> #
> # sec-cleanup.pl
> #
> # ATonns Thu Apr 29 11:42:10 EDT 2004
> #
> # $Id$
> #
> 
> use strict;
> my $PROGNAME="sec-cleanup.pl";
> my $waittime = 10; # in seconds
> 
> ## CODE ##
> 
> my $pid = $$;
> my $ppid = getppid;
> # A TERM arriving back from the parent means the shutdown worked.
> $SIG{'TERM'} = sub {
>         print STDOUT localtime(time) . " ${PROGNAME}\[$pid\]: got TERM signal, exiting gracefully.\n";
>         exit(0);
> };
> print STDOUT localtime(time) . " ${PROGNAME}\[$pid\]: killing parent $ppid\n";
> # Ask the parent (expected to be sec.pl) to terminate, then wait for its TERM.
> kill('TERM',$ppid);
> sleep($waittime);
> print STDOUT localtime(time) . " ${PROGNAME}\[$pid\]: not good - timed out waiting for TERM signal. Exiting.\n";
> exit(1);
> 
iVillage Inc., 500 Seventh Avenue, New York, NY 10018 -  iVillage Inc. is a
leading women's media company that includes iVillage.com, Women.com,
gURL.com, Astrology.com, Promotions.com, iVillage Parenting Network, The
Newborn Channel, Lamaze Publishing, Business Women's Network, Diversity Best
Practices, Best Practices in Corporate Communications, and iVillage
Consulting.  The information contained in this communication may be
confidential, is intended only for the use of the recipient named above, and
may be construed under applicable law to be a commercial email.  If you have
received this communication in error, please delete this message from your
computer system.  If you are the recipient named above and do not wish to
receive any future commercial emails, please reply to the sender with a
message stating such preference.
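
The weakness the reply describes, as an added example that is not part of the original posts: the two quoted sec.conf rules are run over constructed log lines, and every rule with a shellcmd action that fires on a line not tagged syslog-ng is reported. The sample lines, the host and user names, and the helper names `parse_rules`, `tag_of` and `audit` are assumptions of this example; Python's `re` is used in place of SEC's Perl regular expressions, which behave the same for these two patterns.

```python
import re

SEC_CONF = """\
type=Single
continue=TakeNext
ptype=RegExp
pattern=syslog-ng version .+ going down
desc=syslog-ng shutdown
action= shellcmd /usr/local/sbin/sec-cleanup.pl

type=Single
continue=TakeNext
ptype=RegExp
pattern=SIGHUP received, restarting syslog-ng
desc=syslog-ng restart
action= shellcmd /usr/local/sbin/sec-cleanup.pl
"""  # the two rules from the quoted sec.conf, verbatim

# Constructed sample lines ("date host tag: message"), not real logs.
LINES = [
    "Apr 29 12:00:01 loghost syslog-ng[411]: syslog-ng version 1.6.2 going down",
    "Apr 29 12:00:07 loghost alice: syslog-ng version x going down",
    "Apr 29 12:00:09 loghost alice: SIGHUP received, restarting syslog-ng",
    "Apr 29 12:00:11 loghost sshd[902]: Accepted publickey for bob",
]

def parse_rules(text):
    # Blank lines separate rules; each rule is a run of key=value lines.
    rules = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (l.partition("=") for l in block.splitlines() if "=" in l)
        rules.append({k.strip(): v.strip() for k, _, v in pairs})
    return rules

def tag_of(line):  # program tag of "Mon DD HH:MM:SS host tag[pid]: msg"
    m = re.match(r"\w{3} +\d+ [\d:]{8} \S+ ([^\s:\[]+)", line)
    return m.group(1) if m else None

def audit(rules, lines, expected_tag="syslog-ng"):
    # Report shellcmd rules that fire on a line not tagged expected_tag.
    findings = []
    for rule in rules:
        if "shellcmd" not in rule.get("action", ""):
            continue
        pattern = re.compile(rule["pattern"])  # unanchored, as written in sec.conf
        for line in lines:
            if pattern.search(line) and tag_of(line) != expected_tag:
                findings.append((rule["desc"], line))
    return findings
```

Both findings come from lines submitted by a local user, and the tag compared here is itself supplied by the sender, so matching on log text cannot authenticate a control event; that is why the reply falls back to signal propagation.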
