[syslog-ng] Using usertty

Gabor Nagy (gnagy) Gabor.Nagy at oneidentity.com
Wed Nov 4 09:25:16 UTC 2020


Hi Alex!

When syslog-ng is running as root and you see permission errors, it's most likely due to Linux capabilities [1].
Even when running as root, syslog-ng drops most of its capabilities, unless they are configured with the --caps command line option.

The easiest solution, if you don't need Linux capabilities, is to use the "--no-caps" command line option of syslog-ng (put it into syslog-ng's service file for a permanent setup).
If you would like to use Linux capabilities and tune syslog-ng to use the necessary ones, I recommend one of our blog posts as a starting point:
https://www.syslog-ng.com/community/b/blog/posts/working-around-linux-capabilities-problems-for-syslog-ng

I'll add some error messages to the usertty() driver to help detect such issues in the future.

[1] https://man7.org/linux/man-pages/man7/capabilities.7.html

Regards,
Gabor
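The permission check Gabor describes above, as an added example (this is not syslog-ng code and was not posted in the thread): the script replays the kernel's DAC decision for a write() on a tty node, so you can see why a uid-0 syslog-ng whose effective set lacks cap_dac_override gets EACCES on a tty that login or sshd has handed to another user, while the same open succeeds once root is the one logged in. The constructed values are assumptions: user thanos as uid 1000, group tty as gid 5, tty mode 0620, and a syslog-ng process with only cap_syslog effective (CapEff 0000000400000000); check_live reads the real values from /proc and stat(1) on a Linux host.

```shell
#!/bin/sh
# Added example, not syslog-ng code. Reproduces the kernel's DAC decision
# (generic_permission) for a write() on a device node. Capability bit
# numbers follow capabilities(7).
#
# Assumptions (not stated in the thread): login/sshd hand the tty to the
# logged-in user (uid 1000, group tty = gid 5, mode 0620) and syslog-ng
# runs as uid 0 with only cap_syslog effective (CapEff bit 34).

CAP_NAMES="cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid \
cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service \
cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module \
cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot \
cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease \
cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog \
cap_wake_alarm cap_block_suspend cap_audit_read cap_perfmon cap_bpf cap_checkpoint_restore"
CAP_DAC_OVERRIDE=1

# cap_name BIT -> name from capabilities(7), or cap_N for bits newer than the table
cap_name() {
  set -- "$1" $CAP_NAMES
  n=$1; shift
  if [ "$n" -lt $# ]; then shift "$n"; echo "$1"; else echo "cap_$n"; fi
}

# has_cap HEXMASK BIT -> true when BIT is set in a /proc/PID/status Cap* mask
has_cap() { [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]; }

# decode_caps HEXMASK -> space-separated names of the set bits
decode_caps() {
  out=""; i=0
  while [ "$i" -lt 41 ]; do
    if has_cap "$1" "$i"; then out="$out $(cap_name "$i")"; fi
    i=$((i + 1))
  done
  echo "${out# }"
}

# in_group "GID,GID,..." GID
in_group() { case ",$1," in *",$2,"*) return 0 ;; esac; return 1; }

# dac_write_allowed FSUID "FSGID,SUPPLEMENTARY..." CAPEFF OWNER GROUP MODE
# Pick the owner/group/other triplet by identity, then let cap_dac_override
# rescue a failed mode check. uid 0 gets no special treatment by itself.
dac_write_allowed() {
  uid=$1; gids=$2; capeff=$3; owner=$4; group=$5; mode=$(( $6 ))
  if [ "$uid" -eq "$owner" ]; then who=owner; bits=$(( (mode >> 6) & 7 ))
  elif in_group "$gids" "$group"; then who=group; bits=$(( (mode >> 3) & 7 ))
  else who=other; bits=$(( mode & 7 ))
  fi
  if [ $(( bits & 2 )) -ne 0 ]; then
    echo "allowed: uid $uid is '$who' on a $(printf '%04o' "$mode") node, write bit set"
    return 0
  fi
  if has_cap "$capeff" "$CAP_DAC_OVERRIDE"; then
    echo "allowed: '$who' bits deny write, but cap_dac_override is effective"
    return 0
  fi
  echo "denied (EACCES): uid $uid is '$who' on a $(printf '%04o' "$mode") node and cap_dac_override is not effective"
  return 1
}

# check_live PID DEVICE: the same decision from /proc and stat(1) on a Linux host
check_live() {
  st="/proc/$1/status"
  uid=$(awk '/^Uid:/ {print $5}' "$st")   # 5th field is the fsuid
  gids=$(awk '/^Gid:/ {g=$5} /^Groups:/ {for (i = 2; i <= NF; i++) g = g "," $i} END {print g}' "$st")
  capeff=$(awk '/^CapEff:/ {print $2}' "$st")
  echo "CapEff: $(decode_caps "$capeff")"
  set -- $(stat -c '%u %g %a' "$2")
  dac_write_allowed "$uid" "$gids" "$capeff" "$1" "$2" "0$3"
}

# Constructed scenario: thanos logged in on ttyS0, syslog-ng as uid 0 with
# cap_syslog only; then root logged in instead; then cap_dac_override added.
demo() {
  echo "syslog-ng effective caps: $(decode_caps 0000000400000000)"
  dac_write_allowed 0 "0" 0000000400000000 1000 5 0620 || true
  dac_write_allowed 0 "0" 0000000400000000 0    5 0620 || true
  dac_write_allowed 0 "0" 000000040000003f 1000 5 0620 || true
}

if [ $# -eq 2 ]; then check_live "$1" "$2"; else demo; fi
```

Run it without arguments for the constructed scenario, or with a PID and a device (for example the syslog-ng PID and /dev/ttyS0) on the affected host; compare the verdict with `ls -l /dev/ttyS0` before and after someone logs in on the console, since login changes the node's owner.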
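The permanent setup Gabor mentions (the option in the service file) together with the usertty() configuration the thread is about, as an added example; these are not the project's shipped files. Assumptions: Debian's unit starts the daemon with "/usr/sbin/syslog-ng -F $SYSLOGNG_OPTS", the default source is named s_src, and the file names 10-no-caps.conf and usertty-crit.conf are my choice. The script writes into a scratch directory unless a root directory is given explicitly.

```shell
#!/bin/sh
# Added example, not part of syslog-ng or this thread. Writes the two pieces
# of a permanent fix under a root directory ($1), defaulting to a scratch
# directory so it can be checked before touching the live system.
#
# Assumptions: Debian's unit is /lib/systemd/system/syslog-ng.service with
# "ExecStart=/usr/sbin/syslog-ng -F $SYSLOGNG_OPTS"; clearing ExecStart= in
# a drop-in and setting it again works whatever the shipped line is.
# The default source name s_src is also assumed.

DROPIN_REL="etc/systemd/system/syslog-ng.service.d/10-no-caps.conf"
CONF_REL="etc/syslog-ng/conf.d/usertty-crit.conf"

# Systemd drop-in: run syslog-ng without capability support, so as uid 0
# it keeps full DAC override and can open ttys owned by other users.
# Trade-off: this gives up the capability bounding syslog-ng applies by
# default; the narrower route is a --caps string that keeps the default
# set and adds cap_dac_override, as the blog post linked above describes.
write_nocaps_dropin() {
  path="$1/$DROPIN_REL"
  mkdir -p "$(dirname "$path")"
  cat > "$path" <<'EOF'
[Service]
ExecStart=
ExecStart=/usr/sbin/syslog-ng -F --no-caps $SYSLOGNG_OPTS
EOF
  echo "$path"
}

# syslog-ng fragment: crit, alert and emerg go to every logged-in user's
# terminal; usertty("*") means all users.
write_usertty_conf() {
  path="$1/$CONF_REL"
  mkdir -p "$(dirname "$path")"
  cat > "$path" <<'EOF'
# crit and above to every logged-in user, like "wall" for emergencies
filter f_crit { level(crit..emerg); };
destination d_usertty { usertty("*"); };
log { source(s_src); filter(f_crit); destination(d_usertty); };
EOF
  echo "$path"
}

# Default to a scratch directory; pass "/" explicitly to change the live host.
ROOT=${1:-$(mktemp -d)}
write_nocaps_dropin "$ROOT"
write_usertty_conf "$ROOT"

# After writing to the real root:
#   syslog-ng -s                                   # syntax-check the fragment
#   systemctl daemon-reload && systemctl restart syslog-ng
#   grep ^CapEff "/proc/$(pidof syslog-ng)/status"  # now the full root set
```

Verify with `logger -p local0.crit test` from another session: the line should appear on every terminal listed by `w`, including the serial console.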
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Alexandre Santos <alexandre.rosas.santos at gmail.com>
Sent: Monday, November 2, 2020 17:21
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Using usertty


Hi Gabor,

Do you have some news regarding this issue?
Another update from my side is that if I log in as root on the serial console, I am able to get the notifications:

[pid  4155] openat(AT_FDCWD, "/dev/ttyS0", O_WRONLY|O_NOCTTY|O_APPEND|O_NONBLOCK) = 18</dev/ttyS0<char 4:64>>
[pid  4155] write(18</dev/ttyS0<char 4:64>>, "2020 Nov  2 16:14:35 debian10st Entry local0.crit 2020-11-02T16:14:35,489343700+00:00\n", 86) = 86
[pid  4155] close(18</dev/ttyS0<char 4:64>>) = 0

root at debian10st:/home/thanos#  w thanos
 16:19:50 up 6 days, 24 min,  4 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
thanos   pts/0    10.0.2.2         26Oct20  6:14   0.07s  1.85s sshd: thanos [priv]
thanos   pts/1    10.0.2.2         26Oct20  6:37   0.12s  1.87s sshd: thanos [priv]
thanos   pts/2    10.0.2.2         26Oct20  0.00s  0.05s  1.93s sshd: thanos [priv]
root at debian10st:/home/thanos# w root
 16:20:15 up 6 days, 24 min,  4 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     ttyS0    -                16:14   13.00s  0.01s  0.01s -bash

Any help appreciated.
Thanks,
Alex


On Wed, Oct 28, 2020 at 5:24 PM Alexandre Santos <alexandre.rosas.santos at gmail.com> wrote:
Hi Gabor,

Thanks for your help, testing with echo "test" is working fine (check below), but with usertty, I still have the same problem.

Furthermore, I tried strace and saw the following:
[pid  2177] rt_sigaction(SIGALRM, {sa_handler=0x7fa889b23e10, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fa889541840}, NULL, 8) = 0
[pid  2177] write(2</dev/pts/1<char 136:1>>, "[2020-10-28T17:15:36.178232] Posting message to user terminal; user='thanos', line='/dev/ttyS0'\n", 96) = 96
[pid  2177] openat(AT_FDCWD, "/dev/ttyS0", O_WRONLY|O_NOCTTY|O_APPEND|O_NONBLOCK) = -1 EACCES (Permission denied)

Do you know why? I am launching syslog-ng as root. (full strace in attachment)

Regards,
Alex

thanos at debian10st:~$ echo test > /dev/ttyS0
test

root at debian10st:/home/thanos# who am i
thanos   pts/1        2020-10-26 20:21 (10.0.2.2)
root at debian10st:/home/thanos# echo "test1" > /dev/pts/1
test1
root at debian10st:/home/thanos#

thanos at debian10st:~$ who am i
thanos   pts/0        2020-10-26 20:21 (10.0.2.2)
thanos at debian10st:~$ echo "test0" > /dev/pts/0
test0
thanos at debian10st:~$

root at debian10st:/home/thanos# who am i
thanos   pts/2        2020-10-26 20:26 (10.0.2.2)
root at debian10st:/home/thanos# echo "test2" > /dev/pts/2
test2

On Wed, Oct 28, 2020 at 3:33 PM Gabor Nagy (gnagy) <Gabor.Nagy at oneidentity.com> wrote:
Thanks for the info!

It looks good; messages should be seen over ssh and on the serial console too.
Can you try whether you can write to the /dev/ttyS0 file (and/or the ssh login console, in your example /dev/pts/1) with a simple "echo test" command and see if it appears on the console, please?
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Alexandre Santos <alexandre.rosas.santos at gmail.com>
Sent: Tuesday, October 27, 2020 10:20
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Using usertty


Hi Gabor,

I am running a Debian buster in a VBox guest.

Can you check which terminals the user 'thanos' is logged in on?
root at debian10st:/home/thanos# w thanos
 09:15:47 up 22:00,  4 users,  load average: 0.00, 0.02, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
thanos   ttyS0    -                Mon20    8:27   0.05s  0.04s -bash
thanos   pts/0    10.0.2.2         Mon20   12:54m  0.03s  0.03s -bash
thanos   pts/1    10.0.2.2         Mon20   12:50m  0.12s  0.18s sshd: thanos [priv]
thanos   pts/2    10.0.2.2         Mon20    1.00s  0.04s  0.20s sshd: thanos [priv]

Here are the serial configurations:
root at debian10st:/home/thanos# stty -F /dev/ttyS0 -a
speed 9600 baud; rows 24; columns 80; line = 0;
intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>; eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R; werase = ^W; lnext = <undef>;
discard = <undef>; min = 1; time = 0;
-parenb -parodd -cmspar cs8 hupcl -cstopb cread clocal -crtscts
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr -icrnl ixon ixoff -iuclc -ixany -imaxbel iutf8
opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
isig -icanon -iexten -echo echoe echok -echonl -noflsh -xcase -tostop -echoprt echoctl echoke -flusho -extproc

root at debian10st:/home/thanos# stty -F /dev/pts/0 -a
speed 38400 baud; rows 50; columns 184; line = 0;
intr = ^C; quit = ^\; erase = ^H; kill = ^U; eof = ^D; eol = <undef>; eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R; werase = ^W; lnext = <undef>;
discard = <undef>; min = 1; time = 0;
-parenb -parodd -cmspar cs8 -hupcl -cstopb cread -clocal -crtscts
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr -icrnl ixon -ixoff -iuclc ixany -imaxbel iutf8
opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
isig -icanon iexten -echo echoe echok -echonl -noflsh -xcase -tostop -echoprt echoctl echoke -flusho -extproc

root at debian10st:/home/thanos# stty -F /dev/pts/1 -a
speed 38400 baud; rows 50; columns 184; line = 0;
intr = ^C; quit = ^\; erase = ^H; kill = ^U; eof = ^D; eol = <undef>; eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R; werase = ^W; lnext = ^V;
discard = ^O; min = 1; time = 0;
-parenb -parodd -cmspar cs8 -hupcl -cstopb cread -clocal -crtscts
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl ixon -ixoff -iuclc ixany -imaxbel iutf8
opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
isig icanon iexten echo echoe echok -echonl -noflsh -xcase -tostop -echoprt echoctl echoke -flusho -extproc

root at debian10st:/home/thanos# stty -F /dev/pts/2 -a
speed 38400 baud; rows 50; columns 184; line = 0;
intr = ^C; quit = ^\; erase = ^H; kill = ^U; eof = ^D; eol = <undef>; eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R; werase = ^W; lnext = ^V;
discard = ^O; min = 1; time = 0;
-parenb -parodd -cmspar cs8 -hupcl -cstopb cread -clocal -crtscts
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl ixon -ixoff -iuclc ixany -imaxbel iutf8
opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
isig icanon iexten echo echoe echok -echonl -noflsh -xcase -tostop -echoprt echoctl echoke -flusho -extproc

Thanks,
Alex

On Mon, Oct 26, 2020 at 10:59 AM Gabor Nagy (gnagy) <Gabor.Nagy at oneidentity.com> wrote:
Hi Alex!

I've checked your attachments and I see that the messages are sent to pseudo-terminals and the serial port too:
[2020-10-23T16:40:20.647481] Posting message to user terminal; user='thanos', line='/dev/ttyS0'
[2020-10-23T16:40:20.647518] Posting message to user terminal; user='thanos', line='/dev/pts/0'
[2020-10-23T16:40:20.647530] Posting message to user terminal; user='thanos', line='/dev/pts/1'
[2020-10-23T16:40:20.647541] Posting message to user terminal; user='thanos', line='/dev/pts/2'

Can you check which terminals the user 'thanos' is logged in on?
E.g. use the following command on the command line:
$ w thanos

If you don't see a tty with ssh login, that can explain it.

About the serial port, maybe it's misconfigured.
Syslog-ng uses simple open/write calls on the device files, e.g. /dev/ttyS0. Can you try whether you can write to the /dev/ttyS0 file with a simple "echo test" command, please?
Can you tell us a bit more about your host and how you set up the serial port?

Regards,
Gabor
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Alexandre Santos <alexandre.rosas.santos at gmail.com>
Sent: Friday, October 23, 2020 17:46
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] Using usertty


Hi,
I am trying to use usertty(*) to send all log messages with severity equal to or higher than critical to every logged-in user.

But I am not getting any messages on the serial port or over ssh.

I am sending the configurations and the debug log in attachment.

Can you help me to understand what is happening?

Thanks in advance,
Alex
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng<https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=04%7C01%7Cgabor.nagy%40oneidentity.com%7C9553d7729d9649f9de9f08d87f4b6286%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637399309064779100%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=IJAXC5HyXCssCt0wEokwSAAtyGlr95rEivm4n2oecWc%3D&reserved=0>
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng<https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=04%7C01%7Cgabor.nagy%40oneidentity.com%7C9553d7729d9649f9de9f08d87f4b6286%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637399309064779100%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=EmG04zdddhO3YGOAs3wy5C3cQaDjZnImfMX3oIpJXuU%3D&reserved=0>
FAQ: http://www.balabit.com/wiki/syslog-ng-faq<https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=04%7C01%7Cgabor.nagy%40oneidentity.com%7C9553d7729d9649f9de9f08d87f4b6286%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637399309064789099%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=OuBE9WCW2aBFClFyvG%2FuyfmrJTCuJRcLps6xNvnLkmQ%3D&reserved=0>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20201104/022044c5/attachment-0001.html>


More information about the syslog-ng mailing list