[syslog-ng] Compiled 3.0.3 on CentOS 5.3 with spoof source - not working

Balazs Scheidler bazsi at balabit.hu
Wed Jul 22 12:58:22 CEST 2009


On Tue, 2009-07-21 at 06:35 -0400, Scott Ware wrote:
> Here is the output that I get from running "strace":
> 
> execve("/usr/local/sbin/syslog-ng", ["/usr/local/sbin/syslog-ng"], [/*
> 22 vars */]) = 0
> brk(0)                                  = 0x8814000
> access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or
> directory)
> open("/etc/ld.so.cache", O_RDONLY)      = 3
> fstat64(3, {st_mode=S_IFREG|0644, st_size=41643, ...}) = 0
> mmap2(NULL, 41643, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f70000
> close(3)                                = 0
> open("/lib/librt.so.1", O_RDONLY)       = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\200\10\215
> \0004\0\0\0"..., 512) = 512
> fstat64(3, {st_mode=S_IFREG|0755, st_size=44060, ...}) = 0
> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
> 0) = 0xb7f6f000
> mmap2(0x8cf000, 33324, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
> 3, 0) = 0x8cf000
> mmap2(0x8d6000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
> MAP_DENYWRITE, 3, 0x6) = 0x8d6000
> close(3)                                = 0
> open("/lib/libnsl.so.1", O_RDONLY)      = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0 \361\335\0004
> \0\0\0"..., 512) = 512
> fstat64(3, {st_mode=S_IFREG|0755, st_size=101404, ...}) = 0
> mmap2(0xddc000, 92104, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
> 3, 0) = 0xddc000
> mmap2(0xdef000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
> MAP_DENYWRITE, 3, 0x12) = 0xdef000
> mmap2(0xdf1000, 6088, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
> MAP_ANONYMOUS, -1, 0) = 0xdf1000
> close(3)                                = 0
> open("/lib/libglib-2.0.so.0", O_RDONLY) = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`m\216\0004\0
> \0\0"..., 512) = 512
> fstat64(3, {st_mode=S_IFREG|0755, st_size=644472, ...}) = 0
> mmap2(0x8da000, 646636, PROT_READ|PROT_EXEC, MAP_PRIVATE|
> MAP_DENYWRITE, 3, 0) = 0x8da000
> mmap2(0x977000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
> MAP_DENYWRITE, 3, 0x9c) = 0x977000
> close(3)                                = 0
> open("/usr/lib/libevtlog.so.0", O_RDONLY) = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220\17\0\0004
> \0\0\0"..., 512) = 512
> fstat64(3, {st_mode=S_IFREG|0755, st_size=12044, ...}) = 0
> mmap2(NULL, 14988, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3,
> 0) = 0xb2b000
> mmap2(0xb2e000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
> MAP_DENYWRITE, 3, 0x2) = 0xb2e000
> close(3)                                = 0
> open("/lib/libwrap.so.0", O_RDONLY)     = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300=\207\0004
> \0\0\0"..., 512) = 512
> fstat64(3, {st_mode=S_IFREG|0755, st_size=32824, ...}) = 0
> mmap2(0x872000, 32188, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
> 3, 0) = 0x872000
> mmap2(0x879000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
> MAP_DENYWRITE, 3, 0x7) = 0x879000
> close(3)                                = 0
> open("/lib/libc.so.6", O_RDONLY)        = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320\37t\0004
> \0\0\0"..., 512) = 512
> fstat64(3, {st_mode=S_IFREG|0755, st_size=1606808, ...}) = 0
> mmap2(0x72c000, 1324452, PROT_READ|PROT_EXEC, MAP_PRIVATE|
> MAP_DENYWRITE, 3, 0) = 0x72c000
> mmap2(0x86a000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
> MAP_DENYWRITE, 3, 0x13e) = 0x86a000
> mmap2(0x86d000, 9636, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
> MAP_ANONYMOUS, -1, 0) = 0x86d000
> close(3)                                = 0
> open("/lib/libpthread.so.0", O_RDONLY)  = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000X\212\0004
> \0\0\0"..., 512) = 512
> fstat64(3, {st_mode=S_IFREG|0755, st_size=125612, ...}) = 0
> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
> 0) = 0xb7f6e000
> mmap2(0x8a1000, 90592, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
> 3, 0) = 0x8a1000
> mmap2(0x8b4000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
> MAP_DENYWRITE, 3, 0x12) = 0x8b4000
> mmap2(0x8b6000, 4576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
> MAP_ANONYMOUS, -1, 0) = 0x8b6000
> close(3)                                = 0
> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
> 0) = 0xb7f6d000
> set_thread_area({entry_number:-1 -> 6, base_addr:0xb7f6d6c0,
> limit:1048575, seg_32bit:1, contents:0, read_exec_only:0,
> limit_in_pages:1, seg_not_present:0, useable:1}) = 0
> mprotect(0x8b4000, 4096, PROT_READ)     = 0
> mprotect(0x86a000, 8192, PROT_READ)     = 0
> mprotect(0xdef000, 4096, PROT_READ)     = 0
> mprotect(0x8d6000, 4096, PROT_READ)     = 0
> mprotect(0x723000, 4096, PROT_READ)     = 0
> munmap(0xb7f70000, 41643)               = 0
> set_tid_address(0xb7f6d708)             = 16916
> set_robust_list(0xb7f6d710, 0xc)        = 0
> futex(0xbfb87584, FUTEX_WAKE_PRIVATE, 1) = 0
> rt_sigaction(SIGRTMIN, {0x8a53d0, [], SA_SIGINFO}, NULL, 8) = 0
> rt_sigaction(SIGRT_1, {0x8a52e0, [], SA_RESTART|SA_SIGINFO}, NULL, 8)
> = 0
> rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
> getrlimit(RLIMIT_STACK, {rlim_cur=10240*1024, rlim_max=RLIM_INFINITY})
> = 0
> uname({sys="Linux", node="L0982iappv0100.ius.meijer.com", ...}) = 0
> brk(0)                                  = 0x8814000
> brk(0x8835000)                          = 0x8835000
> gettimeofday({1248172733, 541317}, NULL) = 0
> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon
> echo ...}) = 0
> ioctl(0, TIOCNOTTY)                     = 0
> setsid()                                = 16916
> setrlimit(RLIMIT_NOFILE, {rlim_cur=4*1024, rlim_max=4*1024}) = 0
> pipe([3, 4])                            = 0
> clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|
> SIGCHLD, child_tidptr=0xb7f6d708) = 16917
> close(4)                                = 0
> read(3, "0\n", 6)                       = 2
> close(3)                                = 0
> exit_group(0)                           = ?
> 

This is the strace of the startup code and not relevant. Please start
syslog-ng and attach strace to the running process using "-p <pid>".

Then reproduce the problem and post the relevant strace dump.

Thanks.

> 
> On Tue, Jul 21, 2009 at 5:04 AM, Balazs Scheidler <bazsi at balabit.hu>
> wrote:
>         On Sun, 2009-07-19 at 12:10 -0400, Scott Ware wrote:
>         > I have SELinux disabled, and I am running it as root.
>         >
>         
>         
>         then please run strace on the syslog-ng process to see why it
>         gets permission denied problems.
>         
>         
>         
>         > On Thu, Jul 16, 2009 at 6:13 PM, Balazs Scheidler
>         > <bazsi at balabit.hu> wrote:
>         >
>         >         On Tue, 2009-07-14 at 08:30 -0400, Scott Ware wrote:
>         >         > So, I compiled Syslog-ng with the --enable-spoof-source
>         >         > option, and everything installed fine. However, when I
>         >         > have the spoof_source(yes) option in the config file,
>         >         > nothing gets re-directed to my logging destination.
>         >         >
>         >         > If I take the option out, everything gets re-directed.
>         >         > Can you possibly help me? Thanks!
>         >
>         >
>         >         hmm.. does syslog-ng have the necessary permissions?
>         >         SELinux comes to my mind.
>         
>         >
>         --
>         Bazsi
>         
>         
>         ______________________________________________________________________________
>         Member info:
>         https://lists.balabit.hu/mailman/listinfo/syslog-ng
>         Documentation:
>         http://www.balabit.com/support/documentation/?product=syslog-ng
>         FAQ: http://www.campin.net/syslog-ng/faq.html
>         
>         
> 
-- 
Bazsi
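
Added example (not part of the original message): one way to follow the advice above, attaching strace to the already running daemon instead of tracing its startup, then keeping only the calls that failed with a permission error. The function names, the default output path and the sample trace lines are assumptions constructed for illustration; they are not output from the poster's system.

```shell
#!/bin/sh
# Added example; names and paths below are hypothetical.

# Attach to the running syslog-ng process rather than its startup code.
#   -f   follow children and threads of the daemon
#   -tt  timestamps, to line the trace up with the test message you send
#   -s   print longer string arguments
#   -o   write the trace to a file (default path is a placeholder)
# Run as root, reproduce the problem, then stop strace with Ctrl-C.
attach_syslog_ng() {
    pid=$(pidof -s syslog-ng) || {
        echo "syslog-ng is not running" >&2
        return 1
    }
    strace -f -tt -s 128 -p "$pid" -o "${1:-/tmp/syslog-ng.strace}"
}

# Keep only system calls that returned EPERM or EACCES.
# Reads the named trace files, or standard input when none are given.
permission_failures() {
    grep -E '= -1 (EPERM|EACCES) ' "$@"
}

# Constructed sample in the format "strace -f -tt -o" writes (pid, time, call).
sample_trace() {
    cat <<'EOF'
16917 12:58:22.104511 recvfrom(5, "<13>Jul 22 12:58:22 host app: test", 8192, 0, NULL, NULL) = 34
16917 12:58:22.104702 socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = -1 EPERM (Operation not permitted)
16917 12:58:22.104893 open("/etc/hosts", O_RDONLY) = 6
EOF
}

# Names of the failing system calls, one per line.
failing_calls() {
    permission_failures "$@" | sed -E 's/^[0-9]+ +[0-9:.]+ +([a-z0-9_]+)\(.*/\1/'
}
```

Typical use: run `attach_syslog_ng /tmp/syslog-ng.strace`, send a test message through the spoofing destination, stop strace, then run `permission_failures /tmp/syslog-ng.strace` and post only those lines with a little surrounding context.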



