[syslog-ng] syslog-ng changes owner and permissions on a file source

Jim Segrave jes at j-e-s.net
Tue Nov 21 11:13:46 UTC 2017


We are running syslog-ng on a CentOS 7 server:

root@usenetmonitor-fe01.am4:[~]# /usr/sbin/syslog-ng -V
syslog-ng 3 (3.12.1)
Installer-Version: 3.12.1
Revision:
Compile-Date: Nov  3 2017 15:15:50
Module-Directory: //usr/lib64/syslog-ng
Module-Path: //usr/lib64/syslog-ng
Available-Modules: afuser,cef,linux-kmsg-format,sdjournal,confgen,map-value-pairs,json-plugin,affile,kvformat,tfgetent,date,afstomp,csvparser,add-contextual-data,cryptofuncs,system-source,syslogformat,afsocket,afprog,pseudofile,afamqp,snmptrapd-parser,dbparser,xml,stardate,tags-parser,graphite,basicfuncs,disk-buffer
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Systemd: on

When we tried to use syslog-ng to treat a file as a source, it changes the owner and group to root and the permissions to 0664, which is undesirable, as the file must remain writeable by the apache server.

This is the source definition in syslog.conf when we were testing:

source s_dev {
file("/var/log/usenetmonitor/dev/cron-logs/Usenetmonitor-Warnings.log" flags(no-parse) program-override("custom-test"));
};

With syslog-ng stopped, here's the status of the file:

root@usenetmonitor-fe01:[~]# ls -lt /var/log/usenetmonitor/soc/cron-logs/Usenetmonitor-Warnings.log
-rw-r----- 1 apache apache 0 Nov 21 11:00 /var/log/usenetmonitor/soc/cron-logs/Usenetmonitor-Warnings.log

As soon as syslog-ng is started, it becomes:

root@usenetmonitor-fe01:[~]# ls -lt /var/log/usenetmonitor/soc/cron-logs/Usenetmonitor-Warnings.log
-rw-r--r-- 1 root   root 0 Nov 21 11:00 /var/log/usenetmonitor/soc/cron-logs/Usenetmonitor-Warnings.log

Checking with strace, I find:

16258 open("/var/log/usenetmonitor/dev/cron-logs/Usenetmonitor-Warnings.log", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 24

Followed shortly thereafter by:

16258 fchown(24, 0, -1)                 = 0
16258 fchown(24, -1, 0)                 = 0
16258 fchmod(24, 0664)                  = 0

(and no, fd 24 hasn't been closed and re-opened)

It's unclear to me why syslog-ng would have any reason to change ownership or permissions of file sources. As there are no options for file sources to set what it would change it to, it seems highly undesirable that this happens.

The only workaround is to set global options to disable changing ownership or permissions:

     perm(-1);
     owner(-1);
     group(-1);

and then specify those options for every destination file, which is a maintenance burden.

Is there some other way to stop syslog-ng from altering files used as sources?

-- 
Jim Segrave
jes at j-e-s.net