Debian Bug report logs - #526616
syslog-ng: option owner and group parsed correctly in /etc/syslog-ng/syslog-ng.conf but not launched correctly


Package: syslog-ng; Maintainer for syslog-ng is syslog-ng maintainers <syslog-ng-maintainers@lists.alioth.debian.org>; Source for syslog-ng is src:syslog-ng.

Reported by: Jean Marc Lacroix <jeanmarc.lacroix@free.fr>

Date: Sat, 2 May 2009 10:06:02 UTC

Severity: wishlist

Found in version syslog-ng/2.0.9-4.1

Done: Gergely Nagy <algernon@balabit.hu>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, SZALAY Attila <sasa@debian.org>:
Bug#526616; Package syslog-ng. (Sat, 02 May 2009 10:06:04 GMT)

Acknowledgement sent to Jean Marc Lacroix <jeanmarc.lacroix@free.fr>:
New Bug report received and forwarded. Copy sent to SZALAY Attila <sasa@debian.org>. (Sat, 02 May 2009 10:06:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Jean Marc Lacroix <jeanmarc.lacroix@free.fr>
To: submit@bugs.debian.org, Jean Marc Lacroix <jeanmarc.lacroix@free.fr>
Subject: syslog-ng: option owner and group parsed correctly in /etc/syslog-ng/syslog-ng.conf but not launched correctly
Date: Sat, 02 May 2009 11:16:15 +0200
Package:  syslog-ng
Version:  2.0.9-4.1
Severity: grave


In order to launch syslog-ng as a non-root process, there are two possibilities:

First, the options --user=<user> and --group=<group> on the command line. These
options are OK, but on Debian Lenny it is not possible to use them, because
/etc/default/syslog-ng has no variable to support this feature.
(note 1)

Second, the owner and group options in the configuration file.

When setting these, it seems that the parameters are parsed correctly, but
the process is not launched with this id.


Test 1:
-------
sudo   /usr/sbin/syslog-ng --user u_syslog --group=grp_syslog

-> ps auxww |grep syslog-ng
u_syslog 22797  0.0  0.1   3048  1036 ?  Ss 11:06   0:00 /usr/sbin/syslog-ng --user u_syslog --group=grp_syslog


Behaviour is correct, except that it is not supported in the standard configuration (see note 1).

Test 2:
-------
-> grep _syslog /etc/syslog-ng/syslog-ng.conf
  dir_owner               (u_syslog);
  dir_group               (grp_syslog);
  owner                   (u_syslog);
  group                   (grp_syslog);

->  sudo /etc/init.d/syslog-ng restart
Stopping system logging: syslog-ng.
Starting system logging: syslog-ng.

-> ps auxww |grep syslog-ng
root     23645  0.0  0.0   2904   720 ?        Ss   11:10   0:00 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid
lacroix  23660  0.0  0.1   3404   776 pts/2    S+   11:10   0:00 grep syslog-ng


As you can see, the process is launched with root access.


-- 
Jean-Marc LACROIX
mailto: jeanmarc.lacroix@free.fr




Information forwarded to debian-bugs-dist@lists.debian.org, SZALAY Attila <sasa@debian.org>:
Bug#526616; Package syslog-ng. (Sun, 03 May 2009 07:15:05 GMT)

Acknowledgement sent to Jean Marc Lacroix <jeanmarc.lacroix@free.fr>:
Extra info received and forwarded to list. Copy sent to SZALAY Attila <sasa@debian.org>. (Sun, 03 May 2009 07:15:05 GMT)

Message #10 received at 526616@bugs.debian.org:

From: Jean Marc Lacroix <jeanmarc.lacroix@free.fr>
To: 526616@bugs.debian.org
Cc: Jean Marc Lacroix <jeanmarc.lacroix@free.fr>
Subject: syslog-ng: option owner and group options for Lenny
Date: Sun, 03 May 2009 09:07:16 +0200
Hi,

A complement to #526616, in order to change the severity from 'grave'
to 'normal': how to launch syslog-ng as a non-root process.

Please consider the following patch for the Debian Lenny distribution.

P0: file /etc/default/syslog-ng
-------------------------------
# Define the user the syslog-ng daemon runs as. Please note that this user
# must be resolvable before the end of the box's initialisation, so if NIS is
# used to resolve users and groups, install a valid user in /etc/passwd and
# /etc/group, otherwise syslog-ng cannot start (there is no network yet when
# syslog starts). Otherwise, set it to root!!

SYSLOG_NG_PID_USER=syslog-ng
SYSLOG_NG_PID_GROUP=syslog-ng

# Define the local directory for chrooting the process; otherwise leave /
SYSLOG_NG_CHROOT=/

P1: file /etc/init.d/syslog-ng
-------------------------------
Change the syslogng_start and create_xconsole functions ...

create_xconsole() {
  if [ ! -e /dev/xconsole ]
  then
    mknod --mode 660 /dev/xconsole p
    # We assume here that you do not change the default setting for the
    # syslog uid defined in /etc/default/syslog-ng
    chown root:syslog-ng /dev/xconsole
  fi
}


syslogng_start() {
  log_daemon_msg "Starting system logging" "$NAME"
  create_xconsole
  # SYSLOG_NG_PID_USER, SYSLOG_NG_PID_GROUP and SYSLOG_NG_CHROOT come from
  # /etc/default/syslog-ng, which the init script is expected to source.
  # Everything after "--" is passed to syslog-ng itself.
  start-stop-daemon --start --quiet --exec "$SYSLOGNG" \
                    --pidfile "$PIDFILE" -- \
                    --pidfile "$PIDFILE" \
                    --user "$SYSLOG_NG_PID_USER" \
                    --group "$SYSLOG_NG_PID_GROUP" \
                    --chroot "$SYSLOG_NG_CHROOT"

  RET="$?"
  log_end_msg $RET
  return $RET
}

P2: file /etc/syslog-ng/syslog-ng.conf
---------------------------------------
A dedicated file with the correct owner and directory ...
....
options {
.......
  dir_owner               (syslog-ng);
  dir_group               (syslog-ng);
  dir_perm                (0650);
  owner                   (syslog-ng);
  group                   (syslog-ng);
  perm                    (0640);

};

Consider also the file definitions. In my case I suggest using a
dedicated directory, /var/log/syslog-ng, in order to simplify the
syslog-ng logrotate definition,
so my definition is:


-> grep log/syslog-ng /etc/syslog-ng/syslog-ng.conf

destination df_auth   { file("/var/log/syslog-ng/auth.log"); };
destination df_syslog { file("/var/log/syslog-ng/syslog.log"); };
destination df_cron   { file("/var/log/syslog-ng/cron.log"); };
destination df_daemon { file("/var/log/syslog-ng/daemon.log"); };
destination df_kern   { file("/var/log/syslog-ng/kern.log"); };
destination df_lpr    { file("/var/log/syslog-ng/lpr.log"); };
destination df_mail   { file("/var/log/syslog-ng/mail.log"); };
destination df_user   { file("/var/log/syslog-ng/user.log"); };
destination df_uucp   { file("/var/log/syslog-ng/uucp.log"); };
destination df_facility_dot_info   { file("/var/log/syslog-ng/$FACILITY.info.log"); };
destination df_facility_dot_notice { file("/var/log/syslog-ng/$FACILITY.notice.log"); };
destination df_facility_dot_warn   { file("/var/log/syslog-ng/$FACILITY.warn.log"); };
destination df_facility_dot_err    { file("/var/log/syslog-ng/$FACILITY.err.log"); };
destination df_facility_dot_crit   { file("/var/log/syslog-ng/$FACILITY.crit.log"); };
destination df_news_dot_notice { file("/var/log/syslog-ng/news/news.notice.log" owner("news")); };
destination df_news_dot_err    { file("/var/log/syslog-ng/news/news.err.log" owner("news")); };
destination df_news_dot_crit   { file("/var/log/syslog-ng/news/news.crit.log" owner("news")); };
destination df_debug    { file("/var/log/syslog-ng/debug.log"); };
destination df_messages { file("/var/log/syslog-ng/messages.log"); };
# auth,authpriv.*                 /var/log/syslog-ng/auth.log
# *.*;auth,authpriv.none          -/var/log/syslog-ng/syslog
# daemon.*                        -/var/log/syslog-ng/daemon.log
# kern.*                          -/var/log/syslog-ng/kern.log
# lpr.*                           -/var/log/syslog-ng/lpr.log
# mail.*                          -/var/log/syslog-ng/mail.log
# user.*                          -/var/log/syslog-ng/user.log
# uucp.*                          /var/log/syslog-ng/uucp.log
# mail.info                       -/var/log/syslog-ng/mail.info
# mail.warn                       -/var/log/syslog-ng/mail.warn
# mail.err                        /var/log/syslog-ng/mail.err
# news.crit                       /var/log/syslog-ng/news/news.crit
# news.err                        /var/log/syslog-ng/news/news.err
# news.notice                     /var/log/syslog-ng/news/news.notice
#         news.none;mail.none     -/var/log/syslog-ng/debug
#         mail,news.none          -/var/log/syslog-ng/messages

P3: post-installation of the syslog-ng package
---------------------------------------------
Run this script fragment in the package post-installation.

syslog_add_user_and_grp ()
{
  # Create a dedicated user on the local host, so that the user and group
  # are OK even if the host is not yet up from a network point of view
  # (if using NIS, for example).
  SYSLOG_USER=syslog-ng
  # We assume in the following command that user syslog-ng has a group of
  # the same name, as suggested in the man page (because it is a system user).
  sudo adduser \
    --system $SYSLOG_USER \
    --force-badname \
    --home /var/log/syslog-ng \
    --no-create-home \
    --group
  sudo install -d -m0750 -o $SYSLOG_USER -g $SYSLOG_USER /var/log/syslog-ng
  # Change access to /dev/xconsole
  sudo chown root:$SYSLOG_USER /dev/xconsole
  sudo chmod u+rw,g+rw,o-rwx /dev/xconsole

  # ... and enable read-only access to the kernel log for the syslog group
  sudo chown root:$SYSLOG_USER /proc/kmsg
  sudo chmod g+r /proc/kmsg
}

P4: logrotate file
-----------------
We assume here that all files in the configuration file match a pattern
such as /var/log/syslog-ng/*.log.



/var/log/syslog-ng/*.log {
   nomail
   noolddir
   daily
   create
   compress
   notifempty
   rotate          10
   size            1M
   start           0
   compressoptions -9
   extension       .gz
   compresscmd     /bin/gzip
   uncompresscmd   /bin/gunzip
   # syslog-ng keeps writing to the rotated file until it is told to reopen
   # its destinations; reload it once for all files matched by the glob.
   sharedscripts
   postrotate
       /etc/init.d/syslog-ng reload > /dev/null
   endscript
}


-- 
Jean-Marc LACROIX
mailto: jeanmarc.lacroix@free.fr




Information forwarded to debian-bugs-dist@lists.debian.org, SZALAY Attila <sasa@debian.org>:
Bug#526616; Package syslog-ng. (Sat, 23 Jan 2010 05:33:06 GMT)

Acknowledgement sent to Taisuke Yamada <tai@rkgk.org>:
Extra info received and forwarded to list. Copy sent to SZALAY Attila <sasa@debian.org>. (Sat, 23 Jan 2010 05:33:06 GMT)

Message #15 received at 526616@bugs.debian.org:

From: Taisuke Yamada <tai@rkgk.org>
To: 526616@bugs.debian.org
Cc: tai@rakugaki.org
Subject: Re: syslog-ng: option owner and group options for Lenny
Date: Sat, 23 Jan 2010 14:29:27 +0900
Hi.

I've picked this bug up for DebianBSP@Tokyo, and have several comments on how
to fix it.

So the requests are:

1. Allow syslog-ng to run as a different user/group.
2. Allow syslog-ng to create log files/dirs with a different user/group,
   preferably the same as #1.
3. Change the log file location so the logrotate configuration would be simpler.

For the above requests, I propose the following fix/nonfix-es:

- For 1 and 2, introduce an EXTRAOPT= parameter in /etc/defaults/syslog-ng and
  let /etc/init.d/syslog-ng pick it up. This will also allow other future
  tweaks as well.

- But, since running syslog in non-root and/or chroot-ed mode is
  nonstandard, making it "possible" should be enough. Introducing too much
  auto-configuration and other complexity should be avoided.

- I'm against moving log files to /var/log/syslog-ng/*.log. Making it
  specific to syslog-ng will break compatibility with other "syslog"
  implementations, and probably many user scripts expecting "/var/log/syslog"
  to be exactly that location.

I'll be submitting a patch, but I got a suggestion that this bug wasn't grave
from the first. So:

1. I'll first re-rate the severity of this bug to "wishlist" (so this won't be a
   blocker RC bug).
2. Then submit a patch.

Best Regards,

Severity set to 'wishlist' from 'grave'. Request was from Taisuke Yamada <tai@rkgk.org> to control@bugs.debian.org. (Sat, 23 Jan 2010 06:00:03 GMT)

Reply sent to Gergely Nagy <algernon@balabit.hu>:
You have taken responsibility. (Thu, 06 Oct 2011 15:09:09 GMT)

Notification sent to Jean Marc Lacroix <jeanmarc.lacroix@free.fr>:
Bug acknowledged by developer. (Thu, 06 Oct 2011 15:09:09 GMT)

Message #22 received at 526616-done@bugs.debian.org:

From: Gergely Nagy <algernon@balabit.hu>
To: 526616-done@bugs.debian.org
Subject: group() & owner() != --group && --user
Date: Thu, 06 Oct 2011 17:04:39 +0200
The group() and owner() global options in syslog-ng.conf set the group
and owner that files should be created as. They're not for setting the
user/group to run as.

The only way to control what user syslog-ng runs as, is via the
command-line, and setting that has been possible at least since squeeze,
via the SYSLOGNG_OPTS variable in /etc/default/syslog-ng.

Therefore, since running as a different user has been possible (albeit,
it also required a change in other parts of the configuration too) since
squeeze, I'm closing this bug.

-- 
|8]
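An added check, not part of the bug log, that makes the distinction in the closing message testable and reproduces the finding of Test 2 in the original report: it reads the owner()/group()/perm() global options from a syslog-ng.conf fragment (file ownership), the --user/--group flags from SYSLOGNG_OPTS in /etc/default/syslog-ng (process identity), and the Uid line of a /proc/<pid>/status file (what is actually running), and reports a mismatch when owner() is set but no --user is passed, so the files are meant for one user while the daemon still runs as root. The sample file contents are constructed for the example and the function names are my own, not syslog-ng's or Debian's.

```shell
#!/bin/sh
# Added example (not from the bug report): tell apart the *file* ownership
# set by owner()/group() in syslog-ng.conf from the *process* identity set
# by --user/--group on the command line, and check which one really applies.

# Constructed syslog-ng.conf fragment, in the style of the report's Test 2.
SAMPLE_CONF='options {
  dir_owner (u_syslog);
  dir_group (grp_syslog);
  owner     (u_syslog);
  group     (grp_syslog);
  perm      (0640);
};'

# Constructed /etc/default/syslog-ng: file ownership is set above, but no
# --user/--group is passed, so the daemon still runs as root.
SAMPLE_DEFAULTS_ROOT='SYSLOGNG_OPTS=""'

# Constructed /etc/default/syslog-ng that also drops privileges, using the
# two flag spellings seen in the report ("--user u" and "--group=g").
SAMPLE_DEFAULTS_DROP='SYSLOGNG_OPTS="--user u_syslog --group=grp_syslog"'

# Constructed /proc/<pid>/status excerpt of a daemon that is running as root.
SAMPLE_STATUS='Name:   syslog-ng
Uid:    0       0       0       0
Gid:    0       0       0       0'

# conf_option CONTENT NAME: value of the global option written as NAME (value);
# prints nothing when the option is absent.
conf_option() {
  printf '%s\n' "$1" \
    | sed -n "s/^[[:space:]]*$2[[:space:]]*([[:space:]]*\([^) ]*\)[[:space:]]*);.*/\1/p" \
    | head -n 1
}

# opts_flag CONTENT FLAG: value given to --FLAG inside SYSLOGNG_OPTS="...",
# accepting both "--FLAG value" and "--FLAG=value".
opts_flag() {
  printf '%s\n' "$1" \
    | sed -n 's/^SYSLOGNG_OPTS=//p' \
    | tr -d '"' | tr '=' ' ' | tr -s ' ' '\n' \
    | awk -v flag="--$2" '$0 == flag { getline; print; exit }'
}

# runs_as CONF_CONTENT DEFAULTS_CONTENT: the user the daemon will run as.
# Only the command line controls this (owner() is ignored on purpose), so
# without --user the answer is root.
runs_as() {
  u=$(opts_flag "$2" user)
  if [ -n "$u" ]; then printf '%s\n' "$u"; else printf 'root\n'; fi
}

# status_uid CONTENT: real UID from the "Uid:" line of /proc/<pid>/status
# (columns are real, effective, saved and filesystem UID).
status_uid() {
  printf '%s\n' "$1" | awk '$1 == "Uid:" { print $2; exit }'
}

# audit CONF_CONTENT DEFAULTS_CONTENT: 0 when the configured file owner and
# the run-as user agree, 1 otherwise; prints a one-line verdict either way.
audit() {
  owner=$(conf_option "$1" owner)
  user=$(runs_as "$1" "$2")
  if [ -n "$owner" ] && [ "$owner" = "$user" ]; then
    printf 'ok: files owned by %s, daemon runs as %s\n' "$owner" "$user"
    return 0
  fi
  printf 'mismatch: files owned by %s, daemon runs as %s\n' "${owner:-root}" "$user"
  return 1
}

# Demonstration on the constructed samples; the first audit is expected to
# fail, so its exit status is ignored to let the script continue.
audit "$SAMPLE_CONF" "$SAMPLE_DEFAULTS_ROOT" || :
audit "$SAMPLE_CONF" "$SAMPLE_DEFAULTS_DROP"
echo "sample daemon runs as uid $(status_uid "$SAMPLE_STATUS")"
```

On a live host the same functions take the real files: `audit "$(cat /etc/syslog-ng/syslog-ng.conf)" "$(cat /etc/default/syslog-ng)"` for the configuration, and `status_uid "$(cat /proc/$(cat /var/run/syslog-ng.pid)/status)"` for the running daemon; a mismatch verdict, or a Uid of 0 while owner() names another user, is exactly the situation the report's Test 2 shows.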





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 04 Nov 2011 07:38:16 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 21:36:42 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.