[syslog-ng] syslog-ng chrooted vs timezone

Horvath Gabor Kalman syslog-ng@lists.balabit.hu
Mon, 22 Nov 2004 12:09:56 +0100


Hi,

On Fri, 19 Nov 2004 11:16:17 +0100
Balazs Scheidler <bazsi@balabit.hu> wrote:
> Probably the timezone settings are not correct within your chroot. 
That's right. Fixed. thx.

> > I am also interested to know what that io.c message is.
> > It does not seem to affect syslog-ng.
> 
> Probably some kernel hardening rejected a read request on some special
> files? Maybe /proc/kmsg? I'd check to be sure with strace to see what
> was the read which failed.
32475 open("/proc/kmsg", O_RDONLY|O_NONBLOCK|O_NOCTTY|O_LARGEFILE) = 8
.
.
32475 read(8, 0x806e960, 2048)          = -1 EPERM (Operation not permitted)
32475 getpid()                          = 32475
32475 time(NULL)                        = 1101116175
32475 time(NULL)                        = 1101116175
32475 poll([{fd=9, events=0}, {fd=5, events=POLLOUT, revents=POLLOUT}, {fd=8, events=POLLIN, revents=POLLIN}, {fd=7, events=POLLIN}, {fd=6, events=POLLIN}, {fd=3, events=POLLIN}], 6, 100) = 2
32475 write(5, "Nov 22 10:36:15 burp syslog-ng[3"..., 103) = 103
32475 time(NULL)                        = 1101116175
32475 close(8)

You are right again. What should I do? Have I forgotten something about /proc?
I tried to give the file to the group I am running syslog-ng as. Also changed perms to 660. Made no difference. When I start syslog-ng as root it can read kmsg.
I am running the 2.6.8-1-686 built by Debian. With Debian patches applied. They may have included something in those patches...


> Probably it sent the HUP signal to the wrong PID, it's a quite common
> problem, that it reads the PID from a file called /var/run/syslogd.pid,
> instead of /var/run/syslog-ng.pid (where syslog-ng stores its pidfile).
> Syslog-ng reopens all files when receiving a HUP signal.

Well this particular build of this release on this system does not :)
I shall investigate further and get back to the list. I configured logrotate to issue reload again, so I can say some more about it tomorrow.

Thanks.

g.
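
The pidfile mix-up described in the quoted reply above (HUP sent to the PID in /var/run/syslogd.pid instead of /var/run/syslog-ng.pid) can be caught in the rotation script before any signal is sent. This is an added example, not part of the original message or of syslog-ng; the function names and the `PROC_ROOT` override are hypothetical, and it assumes a Linux `/proc` with a `Name:` line in `/proc/PID/status`.

```shell
#!/bin/sh
# Added example: verify that a pidfile really points at syslog-ng before HUP.
# PROC_ROOT is an assumed override so the check can run against a test tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# pid_from_file FILE: print the PID on the first line; fail if missing or non-numeric.
pid_from_file() {
    [ -r "$1" ] || return 1
    pid=$(head -n 1 "$1" | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$pid"
}

# proc_name PID: print the process name from PROC_ROOT/PID/status (empty if gone).
proc_name() {
    sed -n 's/^Name:[[:space:]]*//p' "$PROC_ROOT/$1/status" 2>/dev/null | head -n 1
}

# hup_target NAME PIDFILE...: print the PID from the first pidfile whose
# process is actually NAME; stale or foreign pidfiles are skipped.
hup_target() {
    want=$1; shift
    for f in "$@"; do
        p=$(pid_from_file "$f") || continue
        if [ "$(proc_name "$p")" = "$want" ]; then
            printf '%s\n' "$p"
            return 0
        fi
        echo "skip $f: pid $p is not $want" >&2
    done
    return 1
}

# reload_syslog_ng [PIDFILE]: send HUP only to a verified syslog-ng process.
# Intended to be called from a logrotate postrotate script.
reload_syslog_ng() {
    p=$(hup_target syslog-ng "${1:-/var/run/syslog-ng.pid}") || {
        echo "no verified syslog-ng pid; not sending HUP" >&2
        return 1
    }
    kill -HUP "$p"
}
```

When syslog-ng runs chrooted, pass the pidfile path as seen from outside the chroot as the argument to `reload_syslog_ng`.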