[syslog-ng] Umask funkiness
Declan White
declanw at is.bbc.co.uk
Sat Feb 10 01:32:28 UTC 2018
Found it...
lib/file-perms.c:278: if (mkdir(name, self->dir_perm < 0 ? 0700 : (mode_t) self->dir_perm) == -1)
If you don't specify perms, you get 0700.
If you DO specify perms, like 0750:
mkdir("/var/tmp/syslog-ng.test/outdir_test/2018/02/10/00/19", 0750) = 0 # yay - I have inherited sgid
chmod("/var/tmp/syslog-ng.test/outdir_test/2018/02/10/00/19", 0750) = 0 # and now it's gone
If I try 02750: (adds the sgid)
mkdir("/var/tmp/syslog-ng.test/outdir_test/2018/02/10/01/02", 02750) = 0
chmod("/var/tmp/syslog-ng.test/outdir_test/2018/02/10/01/02", 02750) = 0
You get:
drwx--S--- 4 writer reader 4 Feb 10 01:02 /var/tmp/syslog-ng.test/outdir_test/2018/02/10
drwxr-x--- 3 writer reader 3 Feb 10 01:02 /var/tmp/syslog-ng.test/outdir_test/2018/02/10/01
drwxr-s--- 2 writer writer 3 Feb 10 01:02 /var/tmp/syslog-ng.test/outdir_test/2018/02/10/01/02
-rw------- 1 writer writer 7 Feb 10 01:02 /var/tmp/syslog-ng.test/outdir_test/2018/02/10/01/02/out_test.log
it wipes the inherited sgid anyway - you can't set sgid on a group you're not in, so the chown(2000) attempt strips it.
But then it succeeds with sgid in the deeper directory when lack of previous sgid means new dirs are made with its own GID :-)
It will work if I run it as root. But I didn't plan on doing that.
I'll have to retreat and perhaps change that default 700 to a 750 or a 770 in the code.
- Declan
On Fri, Feb 09, 2018 at 08:40:47PM +0000, Declan White wrote:
> On Fri, Feb 09, 2018 at 08:08:02PM +0000, Robin Blanchard wrote:
> > If ZFS, is ZFS aclinherit / aclmode biting you?
>
> Yes, ZFS, but I hope not - I shouldn't have any funky aclfoo around
>
> > $ ls -V /path/to/problem
>
> logreader$ ls -Vd /logreader/ingest/2018/02
> drwxr-s--- 11 logwriter logreader 11 Feb 9 00:00 /logreader/ingest/2018/02
> owner@:rwxp-DaARWcCos:------:allow
> group@:r-x---a-R-c--s:------:allow
> everyone@:------a-R-c--s:------:allow
>
> sanity test:
>
> # umask
> 022
> # ls -lag /logreader/ingest/2018/02
> drwx--S--- 3 logwriter logreader 3 Feb 9 00:00 09
> # UID=10020 mkdir /logreader/ingest/2018/02/test
> # ls -lag /logreader/ingest/2018/02
> drwx--S--- 3 logwriter logreader 3 Feb 9 00:00 09
> drwxr-sr-x 2 logwriter logreader 2 Feb 9 20:23 test
>
> - Declan
>
> > -----Original Message-----
> > From: syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Declan White
> > Sent: Friday, February 9, 2018 11:01 AM
> > To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
> > Subject: Re: [syslog-ng] Umask funkiness
> >
> > Already tried directory mode 04750 - no dice. It strips the g+s.
> >
> > And dir-group ("group") when you aren't a member of that group probably won't fly.
> >
> > I just need it to not touch stuff. It can only inherit these perms. It can't make them.
> >
> > On Fri, Feb 09, 2018 at 04:48:01PM +0000, Robin Blanchard wrote:
> > > Why not explicitly manage the perms/ownerships with syslog-ng itself? Eg
> > >
> > > owner ("owner");
> > > group ("group");
> > > dir-owner ("owner");
> > > dir-group ("group");
> > > perm (0644);
> > > dir-perm (0755);
> > >
> > > -----Original Message-----
> > > From: syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Declan White
> > > Sent: Friday, February 9, 2018 10:39 AM
> > > To: syslog-ng at lists.balabit.hu
> > > Subject: [syslog-ng] Umask funkiness
> > >
> > > I have a directory owned by the syslog-ng user. Its group however belongs to a group of which the user is not a member.
> > > The directory is g+s, so that all files and dirs made within it inherit the group owner (and the g+s in the case of dirs).
> > >
> > > syslog-ng is running with a umask of 022 (interrogated running process to be sure).
> > > The file("/dir/${FOO}/${BAR}") destination driver has :
> > > create-dirs(yes)
> > > perm()
> > > dir-owner()
> > > dir-group()
> > > dir-perm()
> > > i.e. "don't change any perms"
> > >
> > > The aim of the game is to end up with files and dirs readable, but not writable, by the inherited group owner.
> > > I can't get it working. I am always ending up with
> > > drwx--S--- dirs and
> > > -rw------- files
> > >
> > > Solaris. syslog-ng-3.12.1
> > >
> > > --
> > > Declan White
> > > ______________________________________________________________________________
> > > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > > Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> > > FAQ: http://www.balabit.com/wiki/syslog-ng-faq