[rsyslog] rsyslog as non-root user

david at lang.hm david at lang.hm
Thu Feb 2 19:19:27 CET 2012


On Thu, 2 Feb 2012, Michael Maymann wrote:

> Hi Rainer,
>
> I really have my doubts it has something to do with my startup script:
> 1. I only changed the exec=/usr/sbin/rsyslogd from default
> 2. It works perfectly when PrivDropTo is not used in rsyslog.conf.
>
> I'm running on RHEL6.1_x64.
> Do you have a working /etc/init.d/rsyslog that you can share/I can test...?


my guess is that this is a SELINUX related problem.

what happens if you try to start rsyslog manually (not by running the
startup script, but just running 'rsyslogd -c 6')?

David Lang

>
> Thanks in advance :-) !
> ~maymann
>
> 2012/2/2 Michael Maymann <michael at maymann.org>
>
>> Hi,
>>
>> Rainer: Sorry... forgot to mention that it doesn't say anything about
>> failing in the logs... and it actually doesn't fail... it works and after
>> the timeout+failed notice only the process owned by PrivDropToUser-USER is
>> present, but now owned by the init-process (mother process dies):
>>
>> # service rsyslog start
>> Starting system logger:                                    [FAILED]
>>
>> BEFORE failed status:
>> root      9126  9125  0 11:07 pts/1    00:00:00 /usr/sbin/rsyslogd -c 6
>> <PrivDropToUser-USER>  9131  9126  0 11:07 ?        00:00:00 /usr/sbin/rsyslogd -c 6
>>
>> AFTER failed status the root-owned process is killed and the PrivDropToUser-USER
>> owned process therefore gets owned by init:
>> <PrivDropToUser-USER>  9131     1  0 11:07 ?        00:00:00 /usr/sbin/rsyslogd -c 6
>>
>> Anyone who can help with this...?:
>> here is the debug output when running the init-script:
>> #/etc/init.d/rsyslog start
>> + . /etc/init.d/functions
>> ++ TEXTDOMAIN=initscripts
>> ++ umask 022
>> ++ PATH=/sbin:/usr/sbin:/bin:/usr/bin
>> ++ export PATH
>> ++ '[' -z '' ']'
>> ++ COLUMNS=80
>> ++ '[' -z '' ']'
>> +++ /sbin/consoletype
>> ++ CONSOLETYPE=pty
>> ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']'
>> ++ . /etc/profile.d/lang.sh
>> ++ unset LANGSH_SOURCED
>> ++ '[' -z '' ']'
>> ++ '[' -f /etc/sysconfig/init ']'
>> ++ . /etc/sysconfig/init
>> +++ BOOTUP=color
>> +++ RES_COL=60
>> +++ MOVE_TO_COL='echo -en \033[60G'
>> +++ SETCOLOR_SUCCESS='echo -en \033[0;32m'
>> +++ SETCOLOR_FAILURE='echo -en \033[0;31m'
>> +++ SETCOLOR_WARNING='echo -en \033[0;33m'
>> +++ SETCOLOR_NORMAL='echo -en \033[0;39m'
>> +++ PROMPT=yes
>> +++ AUTOSWAP=no
>> +++ ACTIVE_CONSOLES='/dev/tty[1-6]'
>> +++ SINGLE=/sbin/sushell
>> ++ '[' pty = serial ']'
>> ++ __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d'
>> + RETVAL=0
>> + PIDFILE=/var/run/syslogd.pid
>> + prog=rsyslogd
>> + exec=/usr/sbin/rsyslogd
>> + lockfile=/var/lock/subsys/rsyslogd
>> + case "$1" in
>> + start
>> + '[' -x /usr/sbin/rsyslogd ']'
>> + '[' -f /etc/sysconfig/rsyslog ']'
>> + . /etc/sysconfig/rsyslog
>> ++ SYSLOGD_OPTIONS='-c 6'
>> + umask 077
>> + echo -n 'Starting system logger: '
>> Starting system logger: + daemon --pidfile=/var/run/syslogd.pid /usr/sbin/rsyslogd -c 6
>> + local gotbase= force= nicelevel corelimit
>> + local pid base= user= nice= bg= pid_file=
>> + local cgroup=
>> + nicelevel=0
>> + '[' --pidfile=/var/run/syslogd.pid '!=' -pidfile=/var/run/syslogd.pid ']'
>> + case $1 in
>> + pid_file=/var/run/syslogd.pid
>> + shift
>> + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']'
>> + '[' -z '' ']'
>> + base=rsyslogd
>> + __pids_var_run rsyslogd /var/run/syslogd.pid
>> + local base=rsyslogd
>> + local pid_file=/var/run/syslogd.pid
>> + pid=
>> + '[' -f /var/run/syslogd.pid ']'
>> + return 3
>> + '[' -n '' -a -z '' ']'
>> + corelimit='ulimit -S -c 0'
>> + '[' -n '' ']'
>> + '[' -n '' ']'
>> + '[' color = verbose -a -z '' ']'
>> + '[' -z '' ']'
>> + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6'
>> ...
>> (hangs here for a long time)
>> ...
>> + '[' 1 -eq 0 ']'
>> + failure 'rsyslogd startup'
>> + local rc=1
>> + '[' color '!=' verbose -a -z '' ']'
>> + echo_failure
>> + '[' color = color ']'
>> + echo -en '\033[60G'
>>                                                            + echo -n '['
>> [+ '[' color = color ']'
>> + echo -en '\033[0;31m'
>> + echo -n FAILED
>> FAILED+ '[' color = color ']'
>> + echo -en '\033[0;39m'
>> + echo -n ']'
>> ]+ echo -ne '\r'
>> + return 1
>> + '[' -x /usr/bin/plymouth ']'
>> + /usr/bin/plymouth --details
>> + return 1
>> + RETVAL=1
>> + echo
>>
>> + '[' 1 -eq 0 ']'
>> + return 1
>> + exit 1
>>
>> I have tried to give 777-access to /var/run and /var/lock/subsys - but
>> same thing happens...
>>
>>
>>
>> Thanks in advance :-) !
>>
>> Br.
>> ~maymann
>>
>>
>>
>> 2012/2/2 Rainer Gerhards <rgerhards at hq.adiscon.com>
>>
>>> I can only help you with that part if you point me to why exactly the script
>>> claims what it does. So you may want to try to find someone who can do that. I
>>> know this is probably a trivial question, but I don't know anything ;)
>>>
>>> Sry, rainer
>>>
>>>> -----Original Message-----
>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
>>>> bounces at lists.adiscon.com] On Behalf Of Michael Maymann
>>>> Sent: Thursday, February 02, 2012 10:03 AM
>>>> To: rsyslog-users
>>>> Subject: Re: [rsyslog] rsyslog as non-root user
>>>>
>>>> Here is my startup script... only thing changed is the path to the new
>>>> 6.3.6-rsyslog-devel binary.
>>>> The startup script also works perfectly when I comment out the
>>>> PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but fails if I have
>>>> both or one of the entries...:
>>>> #!/bin/bash
>>>> #
>>>> # rsyslog        Starts rsyslogd/rklogd.
>>>> #
>>>> #
>>>> # chkconfig: 2345 12 88
>>>> # description: Syslog is the facility by which many daemons use to log \
>>>> # messages to various system log files.  It is a good idea to always \
>>>> # run rsyslog.
>>>> ### BEGIN INIT INFO
>>>> # Provides: $syslog
>>>> # Required-Start: $local_fs
>>>> # Required-Stop: $local_fs
>>>> # Default-Start:  2 3 4 5
>>>> # Default-Stop: 0 1 6
>>>> # Short-Description: Enhanced system logging and kernel message trapping daemons
>>>> # Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
>>>> #              among others, MySQL, syslog/tcp, RFC 3195, permitted
>>>> #              sender lists, filtering on any message part, and fine
>>>> #              grain output format control.
>>>> ### END INIT INFO
>>>>
>>>> # Source function library.
>>>> . /etc/init.d/functions
>>>>
>>>> RETVAL=0
>>>> PIDFILE=/var/run/syslogd.pid
>>>>
>>>> prog=rsyslogd
>>>> #exec=/sbin/rsyslogd
>>>> exec=/usr/sbin/rsyslogd
>>>> lockfile=/var/lock/subsys/$prog
>>>>
>>>> start() {
>>>>         [ -x $exec ] || exit 5
>>>>
>>>>         # Source config
>>>>         if [ -f /etc/sysconfig/rsyslog ] ; then
>>>>                 . /etc/sysconfig/rsyslog
>>>>         fi
>>>>         umask 077
>>>>
>>>>         echo -n $"Starting system logger: "
>>>>         daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS
>>>>         RETVAL=$?
>>>>         echo
>>>>         [ $RETVAL -eq 0 ] && touch $lockfile
>>>>         return $RETVAL
>>>> }
>>>> stop() {
>>>>         echo -n $"Shutting down system logger: "
>>>>         killproc $prog
>>>>         RETVAL=$?
>>>>         echo
>>>>         [ $RETVAL -eq 0 ] && rm -f $lockfile
>>>>         return $RETVAL
>>>> }
>>>> reload()  {
>>>>     RETVAL=1
>>>>     syslog=$(cat "${PIDFILE}" 2>/dev/null)
>>>>     echo -n "Reloading system logger..."
>>>>     if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
>>>>         kill -HUP "$syslog";
>>>>         RETVAL=$?
>>>>     fi
>>>>     if [ $RETVAL -ne 0 ]; then
>>>>         failure
>>>>     else
>>>>         success
>>>>     fi
>>>>     echo
>>>>     return $RETVAL
>>>> }
>>>> rhstatus() {
>>>>         status -p "${PIDFILE}" $prog
>>>> }
>>>> restart() {
>>>>         stop
>>>>         start
>>>> }
>>>>
>>>> case "$1" in
>>>>   start)
>>>>         start
>>>>         ;;
>>>>   stop)
>>>>         stop
>>>>         ;;
>>>>   restart)
>>>>         restart
>>>>         ;;
>>>>   reload|force-reload)
>>>>         reload
>>>>         ;;
>>>>   status)
>>>>         rhstatus
>>>>         ;;
>>>>   condrestart|try-restart)
>>>>         rhstatus >/dev/null 2>&1 || exit 0
>>>>         restart
>>>>         ;;
>>>>   *)
>>>>         echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status}"
>>>>         exit 2
>>>> esac
>>>>
>>>> exit $?
>>>>
>>>> 2012/2/2 Rainer Gerhards <rgerhards at hq.adiscon.com>
>>>>
>>>>>
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
>>>>>> bounces at lists.adiscon.com] On Behalf Of Michael Maymann
>>>>>> Sent: Wednesday, February 01, 2012 9:08 AM
>>>>>> To: rsyslog-users
>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> David: thanks - got it working with permission dropping, by far my
>>>>>> preferred configuration... just didn't know of it...:-) !
>>>>>> Rainer: please let us know if the debug info of the "permission dropping:
>>>>>> hang+timeout" I sent you can solve anything... anyway it works now - but
>>>>>> not optimal if other people have to service my setup...:-) !
>>>>>
>>>>> I have reviewed the debug log and I see nothing unexpected. From the
>>>>> timestamps I also see that there is no hang whatsoever. So it looks like
>>>>> there is some problem with the startup script, which I don't know. I suggest
>>>>> to ask what the FAILED status is caused by. We can then look why this
>>>>> happens.
>>>>>
>>>>> Sorry I have no better answer...
>>>>> Rainer
>>>>>
>>>>>>
>>>>>> Thanks in advance :-) !
>>>>>> ~maymann
>>>>>>
>>>>>> 2012/2/1 <david at lang.hm>
>>>>>>
>>>>>>> On Tue, 31 Jan 2012, Michael Maymann wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I have now setup a 6.3.6-devel rsyslog server that is working fine running
>>>>>>>> as root.
>>>>>>>> I would like to run it as non-root user as my logfiles are located on NFS
>>>>>>>> (and root export of NFS is generally not a good idea !).
>>>>>>>>
>>>>>>>> Here is my rsyslog.conf:
>>>>>>>> #LOAD MODULES
>>>>>>>> $ModLoad imudp
>>>>>>>> $UDPServerRun 514
>>>>>>>> $UDPServerAddress 127.0.0.1
>>>>>>>> $ModLoad imtcp
>>>>>>>> $InputTCPServerRun 514
>>>>>>>> #SET DESTINATION FOR LOGS
>>>>>>>> $template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>>>>>>>> $template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>>>>>>>> $template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>>>>>>>> $template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>>>>>>>> $template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>>>>>>>> $template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>>>>>>>> $template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>>>>>>> #SET LOGGING CONDITIONS
>>>>>>>> if $syslogseverity <= '6' then ?DYNmessages
>>>>>>>> if $syslogfacility-text == 'authpriv' then ?DYNsecure
>>>>>>>> if $syslogfacility-text == 'mail' then ?DYNmaillog
>>>>>>>> if $syslogfacility-text == 'cron' then ?DYNcron
>>>>>>>> if $syslogseverity-text == 'crit' then ?DYNspooler
>>>>>>>> if $syslogfacility-text == 'local7' then ?DYNboot
>>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' then ?DYNtraps
>>>>>>>>
>>>>>>>> Here is my logfile when I try to start rsyslog as a non-root user:
>>>>>>>> 2012-01-31T15:45:52.997693+02:00 <hostname> rsyslogd: [origin software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info="http://www.rsyslog.com"] start
>>>>>>>> 2012-01-31T15:45:52.997294+02:00 <hostname> rsyslogd: bind: Permission denied
>>>>>>>> 2012-01-31T15:45:52.997369+02:00 <hostname> rsyslogd: bind: Permission denied
>>>>>>>> 2012-01-31T15:45:52.997374+02:00 <hostname> rsyslogd: No UDP listen socket could successfully be initialized, message reception via UDP disabled.
>>>>>>>> 2012-01-31T15:45:52.997376+02:00 <hostname> rsyslogd: imudp: no listeners could be started, input not activated.
>>>>>>>> 2012-01-31T15:45:52.997379+02:00 <hostname> rsyslogd3: activation of module imudp failed [try http://www.rsyslog.com/e/-3 ]
>>>>>>>> 2012-01-31T15:45:52.997643+02:00 <hostname> rsyslogd-2077: Could not create tcp listener, ignoring port 514. [try http://www.rsyslog.com/e/2077 ]
>>>>>>>>
>>>>>>>> So permissions to bind and sockets seems to be the problem...
>>>>>>>>
>>>>>>>
>>>>>>> yes, you cannot bind to ports <1024 as a normal user (without making some
>>>>>>> other non-standard changes through sysctl)
>>>>>>>
>>>>>>>
>>>>>>>> 1. Is it possible to make rsyslog write logfiles as a non-root user - if
>>>>>>>> yes: how ?
>>>>>>>>
>>>>>>>
>>>>>>> permission drop features
>>>>>>>
>>>>>>>
>>>>>>>> 2a. Is it possible to add permissions for non-root user to run rsyslog
>>>>>>>> server - if yes: how ?
>>>>>>>>
>>>>>>>
>>>>>>> pick a listening port > 1024 and it should work.
>>>>>>>
>>>>>>>
>>>>>>>> 2b. How do I start rsyslog during boot as non-root user - can chkconfig do
>>>>>>>> this ? do I need to edit /etc/init.d/rsyslog - if yes: how ?
>>>>>>>>
>>>>>>>
>>>>>>> su can run a command as a different user.
>>>>>>>
>>>>>>> although as Rainer points out, you may just be looking for the permission
>>>>>>> dropping features that are already in rsyslog.
>>>>>>>
>>>>>>> David Lang
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> rsyslog mailing list
>>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>>>> http://www.rsyslog.com/professional-services/
>>>>>>>
>
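David Lang's SELinux guess in the message above can be checked against the audit log. The following is an added example, not part of the original thread: a shell function that summarises AVC denials for processes named `rsyslogd`. The sample records are constructed and do not show the thread's actual cause; the `/var/log/audit/audit.log` path in the comment assumes the default auditd location.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for one command name.
# Reads audit.log-style records on stdin.

# Constructed sample records (illustrative only, not from the thread).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1328206767.101:812): avc:  denied  { write } for  pid=9131 comm="rsyslogd" name="syslogd.pid" dev=dm-0 ino=1311 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1328206767.140:813): avc:  denied  { setuid } for  pid=9131 comm="rsyslogd" capability=7 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability
type=AVC msg=audit(1328206768.002:814): avc:  denied  { read } for  pid=2210 comm="httpd" name="secret" dev=dm-0 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1328206767.101:812): arch=c000003e syscall=2 success=no exit=-13 comm="rsyslogd" exe="/usr/sbin/rsyslogd"
type=AVC msg=audit(1328206769.500:815): avc:  denied  { write } for  pid=9131 comm="rsyslogd" name="syslogd.pid" dev=dm-0 ino=1311 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
EOF
}

# avc_denials COMM
# Prints one line per distinct denial for processes named COMM:
#   <count> <permissions> <object class> <target context>
# sorted with the most frequent denial first.
avc_denials() {
    awk -v want="comm=\"$1\"" '
        $1 == "type=AVC" && /avc: +denied/ {
            perms = ""; tclass = ""; tctx = ""; hit = 0; inperm = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "{") { inperm = 1; continue }
                if ($i == "}") { inperm = 0; continue }
                if (inperm) { perms = perms (perms == "" ? "" : ",") $i; continue }
                if ($i == want) hit = 1
                if (index($i, "tclass=") == 1) tclass = substr($i, 8)
                if (index($i, "tcontext=") == 1) tctx = substr($i, 10)
            }
            if (hit) seen[perms " " tclass " " tctx]++
        }
        END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2
}

# On a live host (assumed default path):
#   avc_denials rsyslogd < /var/log/audit/audit.log
sample_audit_log | avc_denials rsyslogd
```

An empty result for `rsyslogd` while the init script still reports FAILED points away from SELinux and back at the startup script itself.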


