[syslog-ng] syslog-ng changes owner and permissions on a file source

Scheidler, Balázs balazs.scheidler at balabit.com
Wed Nov 22 21:42:22 UTC 2017


Those options are also available as local, per-file sources.

But you are right, this might be a misfeature (or we could also call it a
bug) that should be worth changing. But we need to do that carefully, as this
has been the syslog-ng behaviour for over a decade :)

Btw, we just had a similar GitHub issue
(https://github.com/balabit/syslog-ng/issues/1771) just yesterday.

-- 
Bazsi

On Tue, Nov 21, 2017 at 12:13 PM, Jim Segrave <jes at j-e-s.net> wrote:

> We are running syslog-ng on a Centos-7 server:
>
> root at usenetmonitor-fe01.am4:[~]# /usr/sbin/syslog-ng -V
> syslog-ng 3 (3.12.1)
> Installer-Version: 3.12.1
> Revision:
> Compile-Date: Nov  3 2017 15:15:50
> Module-Directory: //usr/lib64/syslog-ng
> Module-Path: //usr/lib64/syslog-ng
> Available-Modules: afuser,cef,linux-kmsg-format,sdjournal,confgen,map-value-pairs,json-plugin,affile,kvformat,tfgetent,date,afstomp,csvparser,add-contextual-data,cryptofuncs,system-source,syslogformat,afsocket,afprog,pseudofile,afamqp,snmptrapd-parser,dbparser,xml,stardate,tags-parser,graphite,basicfuncs,disk-buffer
> Enable-Debug: off
> Enable-GProf: off
> Enable-Memtrace: off
> Enable-IPv6: on
> Enable-Spoof-Source: on
> Enable-TCP-Wrapper: on
> Enable-Linux-Caps: on
> Enable-Systemd: on
>
> When we tried to use syslog-ng to treat a file as a source, it changes the
> owner and group to root and the permissions to 0664, which is undesirable,
> as the file must remain writeable by the apache server.
>
> This is the source definition in syslog.conf when we were testing:
>
> source s_dev {
> file("/var/log/usenetmonitor/dev/cron-logs/Usenetmonitor-Warnings.log"
> flags(no-parse) program-override("custom-test"));
> };
>
> with syslog-ng stopped, here's the status of the file:
> root at usenetmonitor-fe01:[~]# ls -lt /var/log/usenetmonitor/soc/cron-logs/Usenetmonitor-Warnings.log
> -rw-r----- 1 apache apache 0 Nov 21 11:00 /var/log/usenetmonitor/soc/cron-logs/Usenetmonitor-Warnings.log
>
> As soon as syslog-ng is started it becomes
>
> root at usenetmonitor-fe01:[~]# ls -lt /var/log/usenetmonitor/soc/cron-logs/Usenetmonitor-Warnings.log
> -rw-r--r-- 1 root   root 0 Nov 21 11:00 /var/log/usenetmonitor/soc/cron-logs/Usenetmonitor-Warnings.log
>
> Checking with strace, I find
>
> 16258 open("/var/log/usenetmonitor/dev/cron-logs/Usenetmonitor-Warnings.log", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 24
>
> Followed shortly thereafter by:
>
> 16258 fchown(24, 0, -1)                 = 0
> 16258 fchown(24, -1, 0)                 = 0
> 16258 fchmod(24, 0664)                  = 0
>
> (and no, fd 24 hasn't been closed and re-opened)
>
> It's unclear to me why syslog-ng would have any reason to change ownership
> or permissions of file sources. As there are no options for file sources to
> set what it would change it to, it seems highly undesirable that this
> happens.
>
> The only workaround is to set global options to disable changing ownership
> or permissions:
>
>     perm(-1);
>     owner(-1);
>     group(-1);
>
> and then specify those options for every destination file, which is a
> maintenance burden.
>
> Is there some other way to stop syslog-ng from altering files used as
> sources?
>
> --
> Jim Segrave
> jes at j-e-s.net
>
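An added example (not part of the original thread and not syslog-ng code): a small Python check that scans strace output like the trace quoted above and reports successful fchown/fchmod calls on descriptors that were opened O_RDONLY, the pattern that showed the file source being altered. The function name and the sample text (the thread's strace lines rejoined onto single lines) are constructed for this example; descriptors are tracked per PID as strace prints them, which is a simplification for multi-threaded traces.

```python
import re

# Constructed sample: the strace lines quoted in the thread, rejoined onto single lines.
SAMPLE = '''\
16258 open("/var/log/usenetmonitor/dev/cron-logs/Usenetmonitor-Warnings.log", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 24
16258 fchown(24, 0, -1)                 = 0
16258 fchown(24, -1, 0)                 = 0
16258 fchmod(24, 0664)                  = 0
'''

# open()/openat() that succeeded: capture pid, path, flag list and returned fd.
OPEN_RE = re.compile(
    r'^(\d+)\s+open(?:at)?\((?:[^,"]+,\s*)?"([^"]+)",\s*([A-Z_|]+)[^)]*\)\s*=\s*(\d+)')
# fchown()/fchmod() that returned 0: capture pid, syscall, fd and remaining arguments.
META_RE = re.compile(r'^(\d+)\s+(fchown|fchmod)\((\d+),\s*([^)]*)\)\s*=\s*0\s*$')
CLOSE_RE = re.compile(r'^(\d+)\s+close\((\d+)\)\s*=\s*0\s*$')


def find_source_metadata_changes(trace):
    """Return (path, syscall, args) for each successful fchown/fchmod
    issued on a descriptor that was opened read-only."""
    readonly_fds = {}  # (pid, fd) -> path of the file opened O_RDONLY
    findings = []
    for line in trace.splitlines():
        m = OPEN_RE.match(line)
        if m:
            pid, path, flags, fd = m.groups()
            if 'O_RDONLY' in flags.split('|'):
                readonly_fds[(pid, fd)] = path
            else:
                # fd number reused for a writable open: stop tracking it
                readonly_fds.pop((pid, fd), None)
            continue
        m = CLOSE_RE.match(line)
        if m:
            readonly_fds.pop((m.group(1), m.group(2)), None)
            continue
        m = META_RE.match(line)
        if m and (m.group(1), m.group(3)) in readonly_fds:
            path = readonly_fds[(m.group(1), m.group(3))]
            findings.append((path, m.group(2), m.group(4).strip()))
    return findings


if __name__ == '__main__':
    for path, call, args in find_source_metadata_changes(SAMPLE):
        print(f'{call}({args}) on read-only source {path}')
```

Running it against a trace captured with the global `perm(-1); owner(-1); group(-1);` workaround in place should report nothing for the source file.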