Debian Bug report logs - #573980
rsyslog: klog does not work when dropping privileges


Package: rsyslog; Maintainer for rsyslog is Michael Biebl <biebl@debian.org>; Source for rsyslog is src:rsyslog.

Reported by: "Stefan K." <archilles@kh-webcenter.de>

Date: Mon, 15 Mar 2010 13:06:01 UTC

Severity: normal

Found in version 4.4.2-1~bpo50+1

Fixed in version 5.8.11-1

Done: Michael Biebl <biebl@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, Michael Biebl <biebl@debian.org>:
Bug#573980; Package rsyslog. (Mon, 15 Mar 2010 13:06:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Stefan K." <archilles@kh-webcenter.de>:
New Bug report received and forwarded. Copy sent to Michael Biebl <biebl@debian.org>. (Mon, 15 Mar 2010 13:06:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Stefan K." <archilles@kh-webcenter.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: rsyslog: klog does not work when dropping privileges
Date: Mon, 15 Mar 2010 13:37:12 +0100
Package: rsyslog
Version: 4.4.2-1~bpo50+1
Severity: normal

If I use the module for kernel logging ($imklog) and tell rsyslog to
drop its privileges after startup ($PrivDropToxxxx), it fills its logs
very fast (without message reduction) and consumes 100% CPU.

I was surprised to see it working that way on recent Ubuntu. They have
the option $KLogPath, but it seems to be unknown to Debian and
official rsyslog documentation. Maybe they patched their sources?

kern.info<6>|Mar 15 12:21:19 [urknall]  kernel:imklog 4.4.2, log source = /proc/kmsg started.
syslog.info<46>|Mar 15 12:21:19 [urknall]  rsyslogd: [origin software="rsyslogd" swVersion="4.4.2" x-pid="24393" x-info="http://www.rsyslog.com"] (re)start
syslog.info<46>|Mar 15 12:21:19 [urknall]  rsyslogd:rsyslogd's groupid changed to 65534
kern.err<3>|Mar 15 12:21:19 [urknall]  kernel:Cannot read proc file system: 1 - Operation not permitted.
kern.err<3>|Mar 15 12:21:19 [urknall]  kernel:last message repeated 1342 times
syslog.info<46>|Mar 15 12:21:19 [urknall]  rsyslogd:rsyslogd's userid changed to 65534
syslog.err<43>|Mar 15 12:21:19 [urknall]  rsyslogd-3003:invalid or yet-unknown config file command - have you forgotten to load a module? [try http://www.rsyslog.com/e/3003 ]
syslog.err<43>|Mar 15 12:21:19 [urknall]  rsyslogd:the last error occured in /etc/rsyslog.d/urknall.conf, line 14
syslog.err<43>|Mar 15 12:21:19 [urknall]  rsyslogd:the last error occured in /etc/rsyslog.conf, line 46
syslog.err<43>|Mar 15 12:21:19 [urknall]  rsyslogd-2124:CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2124 ]
kern.err<3>|Mar 15 12:21:19 [urknall]  kernel:Cannot read proc file system: 1 - Operation not permitted.
kern.err<3>|Mar 15 12:21:24 [urknall]  kernel:last message repeated 56498 times

Allowing nobody to read /proc/kmsg (root.root r-------- by default) did not help.
Creating a system user/group like Ubuntu did not help.

Is there a trick that Ubuntu uses that I am not aware of?


-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-xen-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages rsyslog depends on:
ii  libc6                  2.7-18lenny2      GNU C Library: Shared libraries
ii  lsb-base               3.2-20            Linux Standard Base 3.2 init scrip
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

Versions of packages rsyslog recommends:
ii  logrotate                     3.7.1-5    Log rotation utility

Versions of packages rsyslog suggests:
pn  rsyslog-doc              <none>          (no description available)
pn  rsyslog-gnutls           <none>          (no description available)
pn  rsyslog-gssapi           <none>          (no description available)
pn  rsyslog-mysql | rsyslog- <none>          (no description available)
ii  rsyslog-relp             4.4.2-1~bpo50+1 RELP protocol support for rsyslog

-- no debconf information
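As an added example (not from this report or from rsyslog), here is a detection check over the kind of log lines shown above: it folds the "last message repeated N times" lines back into the preceding entry and flags the imklog EPERM spin that follows a uid/gid change. The sample log is constructed from the reporter's lines.

```python
import re
from typing import List, Tuple

# Constructed sample: the reporter's lines from this bug, after rsyslog's group id change.
SAMPLE_LOG = """\
syslog.info<46>|Mar 15 12:21:19 [urknall]  rsyslogd:rsyslogd's groupid changed to 65534
kern.err<3>|Mar 15 12:21:19 [urknall]  kernel:Cannot read proc file system: 1 - Operation not permitted.
kern.err<3>|Mar 15 12:21:19 [urknall]  kernel:last message repeated 1342 times
syslog.info<46>|Mar 15 12:21:19 [urknall]  rsyslogd:rsyslogd's userid changed to 65534
kern.err<3>|Mar 15 12:21:19 [urknall]  kernel:Cannot read proc file system: 1 - Operation not permitted.
kern.err<3>|Mar 15 12:21:24 [urknall]  kernel:last message repeated 56498 times
"""

# facility.severity<pri>|timestamp [host]  tag:message  (the template seen in the report)
LINE_RE = re.compile(
    r"^[^|]+\|(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \[(?P<host>[^\]]+)\]\s+(?P<tag>[^:]+):(?P<msg>.*)$")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")

Entry = Tuple[str, str, str, int]  # (timestamp, tag, message, occurrences)


def expand_repeats(log_text: str) -> List[Entry]:
    """Parse the lines and fold each 'last message repeated N times' line
    into the occurrence count of the entry just before it."""
    entries: List[Entry] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, tag, msg = m["ts"], m["tag"].strip(), m["msg"].strip()
        rep = REPEAT_RE.fullmatch(msg)
        if rep and entries:
            pts, ptag, pmsg, n = entries[-1]
            entries[-1] = (pts, ptag, pmsg, n + int(rep.group(1)))
        else:
            entries.append((ts, tag, msg, 1))
    return entries


def imklog_privdrop_failure(log_text: str, threshold: int = 100) -> Tuple[bool, int]:
    """(flagged, eperm_count): flagged when rsyslog logged a uid/gid change and the
    kernel-log source then produced >= threshold EPERM read errors, i.e. imklog
    is spinning on /proc/kmsg after the privilege drop."""
    entries = expand_repeats(log_text)
    dropped = any(tag == "rsyslogd" and "changed to" in msg for _, tag, msg, _ in entries)
    eperm = sum(n for _, tag, msg, n in entries
                if tag == "kernel" and "Cannot read proc file system" in msg)
    return (dropped and eperm >= threshold), eperm
```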





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#573980; Package rsyslog. (Mon, 15 Mar 2010 16:48:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. (Mon, 15 Mar 2010 16:48:04 GMT) Full text and rfc822 format available.

Message #10 received at 573980@bugs.debian.org (full text, mbox):

From: Michael Biebl <biebl@debian.org>
To: "Stefan K." <archilles@kh-webcenter.de>, 573980@bugs.debian.org
Subject: Re: Bug#573980: rsyslog: klog does not work when dropping privileges
Date: Mon, 15 Mar 2010 17:45:13 +0100
[Message part 1 (text/plain, inline)]
On 15.03.2010 13:37, Stefan K. wrote:
> Package: rsyslog
> Version: 4.4.2-1~bpo50+1
> Severity: normal
> 
> If I use the module for kernel logging ($imklog) and tell rsyslog to
> drop its privileges after startup ($PrivDropToxxxx), it fills its logs
> very fast (without message reduction) and consumes 100% CPU.
> 
> I was surprised to see it working that way on recent Ubuntu. They have
> the option $KLogPath, but it seems to be unknown to Debian and
> official rsyslog documentation. Maybe they patched their sources?

> 
> Allowing nobody to read /proc/kmsg (root.root r-------- by default) did not help.
> Creating a system user/group like Ubuntu did not help.
> 
> Is there a trick that Ubuntu uses that I am not aware of?

There is.

Reading from /proc/kmsg requires root privileges. There is no way around that [1].
What Ubuntu does is create a socket in /var/run, which the rsyslog process can
read with unprivileged rights, and they have a separate dd process (with root
privileges) that shovels the data from /dev/kmsg to /var/run/kmsg.

The $KLogPath directive tells the imklog module (rsyslog) to read from
/var/run/kmsg instead of /proc/kmsg. That's all it does, and it is also available
in 4.4.2.

Cheers,
Michael

[1] There were discussions about using capabilities to work around that, i.e. rsyslog
would keep the CAP_ADMIN privilege when dropping root privileges, which would
allow it to read from /proc/kmsg.
Unfortunately CAP_ADMIN is a big hammer which retains most of your root rights,
so you wouldn't gain much.
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Michael Biebl <biebl@debian.org>:
Bug#573980; Package rsyslog. (Fri, 19 Mar 2010 12:06:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Stefan K." <archilles@kh-webcenter.de>:
Extra info received and forwarded to list. Copy sent to Michael Biebl <biebl@debian.org>. (Fri, 19 Mar 2010 12:06:04 GMT) Full text and rfc822 format available.

Message #15 received at 573980@bugs.debian.org (full text, mbox):

From: "Stefan K." <archilles@kh-webcenter.de>
To: 573980@bugs.debian.org
Subject: Re: Bug#573980: rsyslog: klog does not work when dropping privileges
Date: Fri, 19 Mar 2010 12:45:41 +0100
Ah, yes. Thanks for the info.

I was confused because Lucid Lynx uses "/proc/kmsg" as the path and no "dd 
proxy" anymore. As of 4.2.0-2ubuntu6 they changed the kernel interface 
to read the file directly (deroot.patch). Well, that doesn't help me, as 
this is kernel 2.6.32 and I have 2.6.26. But that is not the point :)

So, I fetched a copy of 4.2.0-2ubuntu5 and tried to adapt their approach 
on my machine. I created a temporary squeeze domU (hmm, now with 4.6.1) 
and modified a copy of rsyslog's init script. It starts, but throws 
another error.

kernel: imklog Error return from sys_sycall: 1
kernel: last message repeated 807340 times

My programming skills are limited, but I took a look into the source of 
the imklog plugin. I'm not sure, but may the "zero-fill the buffer" in 
"LogKernelLine" fail because dd is one-way from /proc to /var/run and 
therefore read-only? But the contents of the sock in /var/run should be 
a copy independent from /proc. Or does the syscall not work on socks?





Information forwarded to debian-bugs-dist@lists.debian.org, Michael Biebl <biebl@debian.org>:
Bug#573980; Package rsyslog. (Thu, 09 Jun 2011 19:39:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Stefan K." <archilles@kh-webcenter.de>:
Extra info received and forwarded to list. Copy sent to Michael Biebl <biebl@debian.org>. (Thu, 09 Jun 2011 19:39:07 GMT) Full text and rfc822 format available.

Message #20 received at 573980@bugs.debian.org (full text, mbox):

From: "Stefan K." <archilles@kh-webcenter.de>
To: 573980@bugs.debian.org
Subject: Re: Bug#573980: rsyslog: klog does not work when dropping privileges
Date: Wed, 08 Jun 2011 13:52:05 +0200
I'm using a simple workaround for some time now. In addition to the
normal rsyslog instance I run a second one. The "main" rsyslog doesn't
fetch kernel messages anymore and therefore can drop its root
privileges. But it's now listening on localhost for them.

$ModLoad imudp
$UDPServerAddress 127.0.0.1
$UDPServerRun 514
$AllowedSender UDP, 127.0.0.1

The second instance runs as root and has only a minimum configuration to
forward kernel messages to the "main" instance. So it is not reachable
from the local network and opens no unix socket(?).

$ModLoad imklog
*.* @127.0.0.1:514

/usr/sbin/rsyslogd -c5 -f /etc/rsyslog.conf.root \
  -i /var/run/klogd-emu.pid

It's started after the "main" instance by adding it to
/etc/init.d/rsyslogd and stopped by init on shutdown/reboot with
SIGTERM. I expect this to be safer on an (exposed) server. Although this
requires some additional resources (cpu power and main memory), I guess
it should be negligible today :)




Reply sent to Michael Biebl <biebl@debian.org>:
You have taken responsibility. (Wed, 26 Sep 2012 16:48:05 GMT) Full text and rfc822 format available.

Notification sent to "Stefan K." <archilles@kh-webcenter.de>:
Bug acknowledged by developer. (Wed, 26 Sep 2012 16:48:05 GMT) Full text and rfc822 format available.

Message #25 received at 573980-done@bugs.debian.org (full text, mbox):

From: Michael Biebl <biebl@debian.org>
To: 573980-done@bugs.debian.org, "Stefan K." <archilles@kh-webcenter.de>
Subject: rsyslog: klog does not work when dropping privileges
Date: Wed, 26 Sep 2012 18:45:27 +0200
[Message part 1 (text/plain, inline)]
Version: 5.8.11-1

Hi Stefan,

IIRC there were some fixes for the Linux kernel which make it possible
to drop the privileges and still be able to read the kernel messages.

I've successfully tested the following configuration on a Debian sid
system (using the default 3.2 Linux kernel):

# adduser --system --group --no-create-home --quiet syslog

# Updated rsyslog.conf:

$FileOwner syslog
$FileGroup adm
$PrivDropToUser syslog
$PrivDropToGroup syslog
$FileCreateMode 0640
$DirCreateMode 0755

# chown'ed the existing log files, so rsyslog could write to them


Seeing that this worked nicely out of the box now, I'm wondering if we
should make this the default.

Our non-Linux architectures might not support that, but I'm not sure if
I really care.

Anyway, since this particular issue is solved now, I'm going to close
this particular bug report.

As for dropping privileges by default, I created a new bug report, where
I will be tracking this. If you are interested (and you want to share
input or subscribe to it), you can find it at [1]

Cheers,
Michael

[1] http://bugs.debian.org/688889

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]
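An added check, not part of this report or of rsyslog, for the "chown'ed the existing log files" step in the message above: it reads the $PrivDropToUser/$PrivDropToGroup directives from a legacy-format config fragment and lists existing log files whose owner/group/other write bits would not let the dropped-to user write to them. The config text is the one from the message; the uid/gid and file facts used in the test are constructed.

```python
import grp, os, pwd, stat
from typing import Callable, Dict, List, Optional, Tuple
# The rsyslog.conf fragment from the closing message of this report.
RSYSLOG_CONF = """\
$FileOwner syslog
$FileGroup adm
$PrivDropToUser syslog
$PrivDropToGroup syslog
$FileCreateMode 0640
$DirCreateMode 0755
"""
Facts = Optional[Tuple[int, int, int]]  # (uid, gid, permission bits), None if absent

def parse_privdrop(conf_text: str) -> Dict[str, str]:
    """Collect the legacy '$Directive value' lines that matter for the privilege drop."""
    wanted = {"$PrivDropToUser", "$PrivDropToGroup", "$FileOwner", "$FileGroup", "$FileCreateMode"}
    found: Dict[str, str] = {}
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0] in wanted:
            found[parts[0]] = parts[1].strip()
    return found

def stat_facts(path: str) -> Facts:
    """Real (uid, gid, mode) of a file, or None when it does not exist yet."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)

def unwritable_logs(conf_text: str, paths: List[str],
                    resolve_uid: Callable[[str], int] = lambda n: pwd.getpwnam(n).pw_uid,
                    resolve_gid: Callable[[str], int] = lambda n: grp.getgrnam(n).gr_gid,
                    facts: Callable[[str], Facts] = stat_facts) -> List[str]:
    """Existing files the dropped-to user could not write, judged by owner/group/other
    write bits only (ACLs and supplementary groups are ignored, as after a bare setgid()/setuid())."""
    conf = parse_privdrop(conf_text)
    uid, gid = resolve_uid(conf["$PrivDropToUser"]), resolve_gid(conf["$PrivDropToGroup"])
    bad: List[str] = []
    for path in paths:
        f = facts(path)
        if f is None:  # rsyslog creates missing files itself with $FileOwner/$FileGroup/$FileCreateMode
            continue
        f_uid, f_gid, mode = f
        if not ((f_uid == uid and mode & stat.S_IWUSR) or
                (f_gid == gid and mode & stat.S_IWGRP) or mode & stat.S_IWOTH):
            bad.append(path)  # needs chown/chmod before enabling $PrivDropToUser
    return bad
```

Files still owned root:adm with mode 0640 (the usual state before the chown) are exactly the ones reported.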

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 25 Oct 2012 07:28:21 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 21:33:58 2014; Machine Name: buxtehude.debian.org
