[syslog-ng] Using usertty
Alexandre Santos
alexandre.rosas.santos at gmail.com
Wed Nov 4 18:54:02 UTC 2020
Hi Gabor,
Thanks for the hint. It was really due to Linux capabilities.
When running by default syslog-ng has the following capabilities:

root@debian10st:/home/thanos# ps -ewfH | grep syslog
message+   410     1  0 Oct27 ?        00:00:28 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
root      5185  2168  0 16:07 pts/0    00:00:00 grep syslog
root      5178  4138  0 16:06 pts/1    00:00:00 /usr/sbin/syslog-ng -Fvde --cfgfile=/home/thanos/syslog-ng.2.conf
root@debian10st:/home/thanos# getpcaps 5178
Capabilities for `5178': = cap_syslog+ep cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_net_bind_service,cap_net_broadcast,cap_net_raw+p

By changing capability of discretionary access control to also be
effective, I was able to broadcast the log messages using usertty(*)

/usr/sbin/syslog-ng -Fvde --cfgfile=/home/thanos/syslog-ng.2.conf --caps "cap_net_bind_service,cap_net_broadcast,cap_net_raw,cap_dac_read_search,cap_chown,cap_fowner=p cap_dac_override,cap_syslog=ep"

root@debian10st:/home/thanos# getpcaps $(pgrep syslog-ng)
Capabilities for `5471': = cap_dac_override,cap_syslog+ep cap_chown,cap_dac_read_search,cap_fowner,cap_net_bind_service,cap_net_broadcast,cap_net_raw+p

Cheers,
Alex
On Wed, Nov 4, 2020 at 9:25 AM Gabor Nagy (gnagy) <
Gabor.Nagy at oneidentity.com> wrote:
> Hi Alex!
>
> When syslog-ng is running as root and you see permission access problems,
> it's most likely due to Linux capabilities [1].
> Even running as root, syslog-ng is dropping most of its capabilities,
> unless they are configured with the --caps command line option.
>
> The easiest solution, if you don't need Linux capabilities, is to use the
> "--no-caps" command line option of syslog-ng (put it into syslog-ng's
> service file for permanent setup).
> If you would like to use Linux capabilities and tune syslog-ng to use the
> necessary capabilities I recommend one of our blog posts as a starting
> point:
>
> https://www.syslog-ng.com/community/b/blog/posts/working-around-linux-capabilities-problems-for-syslog-ng
>
> I'll add some error messages to usertty() driver to detect future issues.
>
> [1] https://man7.org/linux/man-pages/man7/capabilities.7.html
>
> Regards,
> Gabor
> ------------------------------
> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> Alexandre Santos <alexandre.rosas.santos at gmail.com>
> *Sent:* Monday, November 2, 2020 17:21
> *To:* Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Subject:* Re: [syslog-ng] Using usertty
>
> Hi Gabor,
>
> Do you have some news regarding this issue?
> Another update from my side, is that if I login as root in serial console,
> I am able to get the notifications:
>
> [pid 4155] openat(AT_FDCWD, "/dev/ttyS0", O_WRONLY|O_NOCTTY|O_APPEND|O_NONBLOCK) = 18</dev/ttyS0<char 4:64>>
> [pid 4155] write(18</dev/ttyS0<char 4:64>>, "2020 Nov 2 16:14:35 debian10st Entry local0.crit 2020-11-02T16:14:35,489343700+00:00\n", 86) = 86
> [pid 4155] close(18</dev/ttyS0<char 4:64>>) = 0
>
> root@debian10st:/home/thanos# w thanos
>  16:19:50 up 6 days, 24 min, 4 users, load average: 0.00, 0.00, 0.00
> USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
> thanos   pts/0    10.0.2.2         26Oct20  6:14   0.07s  1.85s sshd: thanos [priv]
> thanos   pts/1    10.0.2.2         26Oct20  6:37   0.12s  1.87s sshd: thanos [priv]
> thanos   pts/2    10.0.2.2         26Oct20  0.00s  0.05s  1.93s sshd: thanos [priv]
> root@debian10st:/home/thanos# w root
>  16:20:15 up 6 days, 24 min, 4 users, load average: 0.00, 0.00, 0.00
> USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
> root     ttyS0    -                16:14    13.00s 0.01s  0.01s -bash
>
> Any help appreciated.
> Thanks,
> Alex
>
>
> On Wed, Oct 28, 2020 at 5:24 PM Alexandre Santos <
> alexandre.rosas.santos at gmail.com> wrote:
>
> Hi Gabor,
>
> Thanks for your help, testing with echo "test" is working fine (check
> below), but with usertty, I still have the same problem.
>
> Furthermore, I tried strace and saw the following:
>
> [pid 2177] rt_sigaction(SIGALRM, {sa_handler=0x7fa889b23e10, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fa889541840}, NULL, 8) = 0
> [pid 2177] write(2</dev/pts/1<char 136:1>>, "[2020-10-28T17:15:36.178232] Posting message to user terminal; user='thanos', line='/dev/ttyS0'\n", 96) = 96
> [pid 2177] openat(AT_FDCWD, "/dev/ttyS0", O_WRONLY|O_NOCTTY|O_APPEND|O_NONBLOCK) = -1 EACCES (Permission denied)
>
> Do you know why? I am launching syslog-ng as root. (full strace in
> attachment)
>
> Regards,
> Alex
>
> thanos@debian10st:~$ echo test > /dev/ttyS0
> test
>
> root@debian10st:/home/thanos# who am i
> thanos   pts/1        2020-10-26 20:21 (10.0.2.2)
> root@debian10st:/home/thanos# echo "test1" > /dev/pts/1
> test1
> root@debian10st:/home/thanos#
>
> thanos@debian10st:~$ who am i
> thanos   pts/0        2020-10-26 20:21 (10.0.2.2)
> thanos@debian10st:~$ echo "test0" > /dev/pts/0
> test0
> thanos@debian10st:~$
>
> root@debian10st:/home/thanos# who am i
> thanos   pts/2        2020-10-26 20:26 (10.0.2.2)
> root@debian10st:/home/thanos# echo "test2" > /dev/pts/2
> test2
>
> On Wed, Oct 28, 2020 at 3:33 PM Gabor Nagy (gnagy) <
> Gabor.Nagy at oneidentity.com> wrote:
>
> Thanks for the info!
>
> It looks good, messages should be seen on ssh and on serial console too.
> Can you try out if you can write in the /dev/ttyS0 file (and/or the ssh
> login console, in your example /dev/pts/1) with a simple "echo test"
> command and see if it appears on the console, please?
> ------------------------------
> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> Alexandre Santos <alexandre.rosas.santos at gmail.com>
> *Sent:* Tuesday, October 27, 2020 10:20
> *To:* Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Subject:* Re: [syslog-ng] Using usertty
>
> Hi Gabor,
>
> I am running a Debian buster in a VBox guest.
>
> Can you check which terminals are the user 'thanos' logged in?
>
> root@debian10st:/home/thanos# w thanos
>  09:15:47 up 22:00, 4 users, load average: 0.00, 0.02, 0.00
> USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
> thanos   ttyS0    -                Mon20    8:27   0.05s  0.04s -bash
> thanos   pts/0    10.0.2.2         Mon20   12:54m  0.03s  0.03s -bash
> thanos   pts/1    10.0.2.2         Mon20   12:50m  0.12s  0.18s sshd: thanos [priv]
> thanos   pts/2    10.0.2.2         Mon20    1.00s  0.04s  0.20s sshd: thanos [priv]
>
> Here are the serial configurations:
>
> root@debian10st:/home/thanos# stty -F /dev/ttyS0 -a
> speed 9600 baud; rows 24; columns 80; line = 0;
> intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>;
> eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z;
> rprnt = ^R; werase = ^W; lnext = <undef>; discard = <undef>; min = 1; time = 0;
> -parenb -parodd -cmspar cs8 hupcl -cstopb cread clocal -crtscts
> -ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr -icrnl ixon ixoff -iuclc -ixany -imaxbel iutf8
> opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
> isig -icanon -iexten -echo echoe echok -echonl -noflsh -xcase -tostop -echoprt echoctl echoke -flusho -extproc
>
> root@debian10st:/home/thanos# stty -F /dev/pts/0 -a
> speed 38400 baud; rows 50; columns 184; line = 0;
> intr = ^C; quit = ^\; erase = ^H; kill = ^U; eof = ^D; eol = <undef>;
> eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z;
> rprnt = ^R; werase = ^W; lnext = <undef>; discard = <undef>; min = 1; time = 0;
> -parenb -parodd -cmspar cs8 -hupcl -cstopb cread -clocal -crtscts
> -ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr -icrnl ixon -ixoff -iuclc ixany -imaxbel iutf8
> opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
> isig -icanon iexten -echo echoe echok -echonl -noflsh -xcase -tostop -echoprt echoctl echoke -flusho -extproc
>
> root@debian10st:/home/thanos# stty -F /dev/pts/1 -a
> speed 38400 baud; rows 50; columns 184; line = 0;
> intr = ^C; quit = ^\; erase = ^H; kill = ^U; eof = ^D; eol = <undef>;
> eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z;
> rprnt = ^R; werase = ^W; lnext = ^V; discard = ^O; min = 1; time = 0;
> -parenb -parodd -cmspar cs8 -hupcl -cstopb cread -clocal -crtscts
> -ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl ixon -ixoff -iuclc ixany -imaxbel iutf8
> opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
> isig icanon iexten echo echoe echok -echonl -noflsh -xcase -tostop -echoprt echoctl echoke -flusho -extproc
>
> root@debian10st:/home/thanos# stty -F /dev/pts/2 -a
> speed 38400 baud; rows 50; columns 184; line = 0;
> intr = ^C; quit = ^\; erase = ^H; kill = ^U; eof = ^D; eol = <undef>;
> eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z;
> rprnt = ^R; werase = ^W; lnext = ^V; discard = ^O; min = 1; time = 0;
> -parenb -parodd -cmspar cs8 -hupcl -cstopb cread -clocal -crtscts
> -ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl ixon -ixoff -iuclc ixany -imaxbel iutf8
> opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
> isig icanon iexten echo echoe echok -echonl -noflsh -xcase -tostop -echoprt echoctl echoke -flusho -extproc
>
> Thanks,
> Alex
>
> On Mon, Oct 26, 2020 at 10:59 AM Gabor Nagy (gnagy) <
> Gabor.Nagy at oneidentity.com> wrote:
>
> Hi Alex!
>
> I've checked your attachments and I see that the messages are sent to
> pseudo-terminals and the serial port too:
> [2020-10-23T16:40:20.647481] Posting message to user terminal;
> user='thanos', line='/dev/ttyS0'
> [2020-10-23T16:40:20.647518] Posting message to user terminal;
> user='thanos', line='/dev/pts/0'
> [2020-10-23T16:40:20.647530] Posting message to user terminal;
> user='thanos', line='/dev/pts/1'
> [2020-10-23T16:40:20.647541] Posting message to user terminal;
> user='thanos', line='/dev/pts/2'
>
> Can you check which terminals are the user 'thanos' logged in?
> E.g. use the following command on the command line:
> $ w thanos
>
> If you don't see a tty with ssh login, that can explain it.
>
> About the serial port, maybe it's misconfigured.
> Syslog-ng uses simple open/write calls on the device files, e.g.
> /dev/ttyS0. Can you try out if you can write in the /dev/ttyS0 file with a
> simple "echo test" command, please?
> Can you tell us a bit more about your host and how did you set up the
> serial port?
>
> Regards,
> Gabor
> ------------------------------
> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> Alexandre Santos <alexandre.rosas.santos at gmail.com>
> *Sent:* Friday, October 23, 2020 17:46
> *To:* Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Subject:* [syslog-ng] Using usertty
>
> Hi,
> I am trying to use usertty(*) to send log all messages with severity equal
> or higher than critical to every user logged.
>
> But I am not getting any messages in serial port or ssh.
>
> I am sending the configurations and the debug log in attachment.
>
> Can you help me to understand what is happening?
>
> Thanks in advance,
> Alex
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20201104/4a09dff1/attachment-0001.html>
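
Added example (not part of the original thread, and not syslog-ng code): the check the two getpcaps outputs above perform by eye, done against the CapPrm/CapEff masks in /proc/<pid>/status. It reports whether a capability is effective, only permitted, or absent, which is the difference between the EACCES on /dev/ttyS0 and the working setup. The function names cap_bit and cap_state are hypothetical, and the two sample masks are constructed to match the capability sets shown in the thread.

```shell
#!/bin/sh
# Added example: classify one capability of a process as effective,
# permitted-only or absent, from the CapPrm/CapEff lines of /proc/<pid>/status.

# Bit numbers from linux/capability.h for the capabilities seen in this thread.
cap_bit() {
    case "$1" in
        cap_chown)            echo 0 ;;
        cap_dac_override)     echo 1 ;;
        cap_dac_read_search)  echo 2 ;;
        cap_fowner)           echo 3 ;;
        cap_net_bind_service) echo 10 ;;
        cap_net_broadcast)    echo 11 ;;
        cap_net_raw)          echo 13 ;;
        cap_syslog)           echo 34 ;;
        *) return 1 ;;
    esac
}

# cap_state STATUS_TEXT CAP_NAME -> effective | permitted-only | absent
cap_state() {
    bit=$(cap_bit "$2") || { echo "unknown capability: $2" >&2; return 2; }
    prm=$(printf '%s\n' "$1" | awk '$1 == "CapPrm:" { print $2 }')
    eff=$(printf '%s\n' "$1" | awk '$1 == "CapEff:" { print $2 }')
    [ -n "$prm" ] && [ -n "$eff" ] || { echo "no CapPrm/CapEff found" >&2; return 2; }
    if [ $(( (0x$eff >> $bit) & 1 )) -eq 1 ]; then
        echo effective          # usable right now, e.g. bypasses tty file permissions
    elif [ $(( (0x$prm >> $bit) & 1 )) -eq 1 ]; then
        echo permitted-only     # held, but not active: access checks still apply
    else
        echo absent
    fi
}

# Constructed samples: masks equivalent to the two getpcaps outputs in the thread.
BEFORE='CapPrm: 0000000400002c0f
CapEff: 0000000400000000'
AFTER='CapPrm: 0000000400002c0f
CapEff: 0000000400000002'

# Live use: cap_state "$(cat /proc/$(pgrep -o syslog-ng)/status)" cap_dac_override
echo "default caps: cap_dac_override is $(cap_state "$BEFORE" cap_dac_override)"
echo "with --caps:  cap_dac_override is $(cap_state "$AFTER" cap_dac_override)"
```

Granting cap_dac_override in the effective set lets the daemon bypass file permission checks on every path it opens, so the narrower --caps list from the message is preferable to --no-caps when only the tty writes need it.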