[rsyslog] rsyslog as non-root user

Michael Maymann michael at maymann.org
Thu Feb 2 19:47:02 CET 2012


Hi,

David: Thanks for your reply - sounds possible... I will try this first
thing tomorrow morning and report back with findings...

Br.
~maymann

2012/2/2 <david at lang.hm>

> On Thu, 2 Feb 2012, Michael Maymann wrote:
>
>> Hi Rainer,
>>
>> I really have my doubts it has something to do with my startup script:
>> 1. I only changed the exec=/usr/sbin/rsyslogd from default
>> 2. It works perfectly when PrivDropTo is not used in rsyslog.conf.
>>
>> I'm running on RHEL6.1_x64.
>> Do you have a working /etc/init.d/rsyslog that you can share/I can
>> test...?
>
> my guess is that this is a SELINUX related problem.
>
> what happens if you try to start rsyslog manually (not by running the
> startup script, but just running 'rsyslogd -c 6')
>
> David Lang
>
>> Thanks in advance :-) !
>> ~maymann
>>
>> 2012/2/2 Michael Maymann <michael at maymann.org>
>>
>>> Hi,
>>>
>>> Rainer: Sorry... forgot to mention that it doesn't say anything about
>>> failing in the logs... and it actually doesn't fail... it works and after
>>> the timeout+failed notice only the process owned by PrivDropToUser-USER is
>>> present, but now owned by the init-process (mother process dies):
>>>
>>> # service rsyslog start
>>> Starting system logger:                                    [FAILED]
>>>
>>> BEFORE failed status:
>>> root      9126  9125  0 11:07 pts/1    00:00:00 /usr/sbin/rsyslogd -c 6
>>> <PrivDropToUser-USER>  9131  9126  0 11:07 ?        00:00:00 /usr/sbin/rsyslogd -c 6
>>>
>>> AFTER failed status root-owned process is killed and PrivDropToUser-USER
>>> owned process therefore gets owned by init:
>>> <PrivDropToUser-USER>  9131     1  0 11:07 ?        00:00:00 /usr/sbin/rsyslogd -c 6
>>>
>>> Anyone who can help with this...?:
>>> here is the debug output when running the init-script:
>>> #/etc/init.d/rsyslog start
>>> + . /etc/init.d/functions
>>> ++ TEXTDOMAIN=initscripts
>>> ++ umask 022
>>> ++ PATH=/sbin:/usr/sbin:/bin:/usr/bin
>>> ++ export PATH
>>> ++ '[' -z '' ']'
>>> ++ COLUMNS=80
>>> ++ '[' -z '' ']'
>>> +++ /sbin/consoletype
>>> ++ CONSOLETYPE=pty
>>> ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']'
>>> ++ . /etc/profile.d/lang.sh
>>> ++ unset LANGSH_SOURCED
>>> ++ '[' -z '' ']'
>>> ++ '[' -f /etc/sysconfig/init ']'
>>> ++ . /etc/sysconfig/init
>>> +++ BOOTUP=color
>>> +++ RES_COL=60
>>> +++ MOVE_TO_COL='echo -en \033[60G'
>>> +++ SETCOLOR_SUCCESS='echo -en \033[0;32m'
>>> +++ SETCOLOR_FAILURE='echo -en \033[0;31m'
>>> +++ SETCOLOR_WARNING='echo -en \033[0;33m'
>>> +++ SETCOLOR_NORMAL='echo -en \033[0;39m'
>>> +++ PROMPT=yes
>>> +++ AUTOSWAP=no
>>> +++ ACTIVE_CONSOLES='/dev/tty[1-6]'
>>> +++ SINGLE=/sbin/sushell
>>> ++ '[' pty = serial ']'
>>> ++ __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d'
>>> + RETVAL=0
>>> + PIDFILE=/var/run/syslogd.pid
>>> + prog=rsyslogd
>>> + exec=/usr/sbin/rsyslogd
>>> + lockfile=/var/lock/subsys/rsyslogd
>>> + case "$1" in
>>> + start
>>> + '[' -x /usr/sbin/rsyslogd ']'
>>> + '[' -f /etc/sysconfig/rsyslog ']'
>>> + . /etc/sysconfig/rsyslog
>>> ++ SYSLOGD_OPTIONS='-c 6'
>>> + umask 077
>>> + echo -n 'Starting system logger: '
>>> Starting system logger: + daemon --pidfile=/var/run/syslogd.pid /usr/sbin/rsyslogd -c 6
>>> + local gotbase= force= nicelevel corelimit
>>> + local pid base= user= nice= bg= pid_file=
>>> + local cgroup=
>>> + nicelevel=0
>>> + '[' --pidfile=/var/run/syslogd.pid '!=' -pidfile=/var/run/syslogd.pid ']'
>>> + case $1 in
>>> + pid_file=/var/run/syslogd.pid
>>> + shift
>>> + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']'
>>> + '[' -z '' ']'
>>> + base=rsyslogd
>>> + __pids_var_run rsyslogd /var/run/syslogd.pid
>>> + local base=rsyslogd
>>> + local pid_file=/var/run/syslogd.pid
>>> + pid=
>>> + '[' -f /var/run/syslogd.pid ']'
>>> + return 3
>>> + '[' -n '' -a -z '' ']'
>>> + corelimit='ulimit -S -c 0'
>>> + '[' -n '' ']'
>>> + '[' -n '' ']'
>>> + '[' color = verbose -a -z '' ']'
>>> + '[' -z '' ']'
>>> + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6'
>>> ...
>>> (hangs here for a long time)
>>> ...
>>> + '[' 1 -eq 0 ']'
>>> + failure 'rsyslogd startup'
>>> + local rc=1
>>> + '[' color '!=' verbose -a -z '' ']'
>>> + echo_failure
>>> + '[' color = color ']'
>>> + echo -en '\033[60G'
>>>                                                           + echo -n '['
>>> [+ '[' color = color ']'
>>> + echo -en '\033[0;31m'
>>> + echo -n FAILED
>>> FAILED+ '[' color = color ']'
>>> + echo -en '\033[0;39m'
>>> + echo -n ']'
>>> ]+ echo -ne '\r'
>>> + return 1
>>> + '[' -x /usr/bin/plymouth ']'
>>> + /usr/bin/plymouth --details
>>> + return 1
>>> + RETVAL=1
>>> + echo
>>>
>>> + '[' 1 -eq 0 ']'
>>> + return 1
>>> + exit 1
>>>
>>> I have tried to give 777-access to /var/run and /var/lock/subsys - but
>>> same thing happens...
>>>
>>>
>>>
>>> Thanks in advance :-) !
>>>
>>> Br.
>>> ~maymann
>>>
>>>
>>>
>>> 2012/2/2 Rainer Gerhards <rgerhards at hq.adiscon.com>
>>>
>>>> I can only help you with that part if you point me to why exactly the script
>>>> claims what it does. So you may want to try to find someone who can do that. I
>>>> know this is probably a trivial question, but I don't know anything ;)
>>>>
>>>> Sry, rainer
>>>>
>>>>> -----Original Message-----
>>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Maymann
>>>>> Sent: Thursday, February 02, 2012 10:03 AM
>>>>> To: rsyslog-users
>>>>> Subject: Re: [rsyslog] rsyslog as non-root user
>>>>>
>>>>> Here is my startup script... only thing changed is the path to the new
>>>>> 6.3.6-rsyslog-devel binary.
>>>>> The startup script also works perfectly when I comment out the
>>>>> PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but fails if I have
>>>>> both or one of the entries...:
>>>>> #!/bin/bash
>>>>> #
>>>>> # rsyslog        Starts rsyslogd/rklogd.
>>>>> #
>>>>> #
>>>>> # chkconfig: 2345 12 88
>>>>> # description: Syslog is the facility by which many daemons use to log \
>>>>> # messages to various system log files.  It is a good idea to always \
>>>>> # run rsyslog.
>>>>> ### BEGIN INIT INFO
>>>>> # Provides: $syslog
>>>>> # Required-Start: $local_fs
>>>>> # Required-Stop: $local_fs
>>>>> # Default-Start:  2 3 4 5
>>>>> # Default-Stop: 0 1 6
>>>>> # Short-Description: Enhanced system logging and kernel message trapping daemons
>>>>> # Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
>>>>> #              among others, MySQL, syslog/tcp, RFC 3195, permitted
>>>>> #              sender lists, filtering on any message part, and fine
>>>>> #              grain output format control.
>>>>> ### END INIT INFO
>>>>>
>>>>> # Source function library.
>>>>> . /etc/init.d/functions
>>>>>
>>>>> RETVAL=0
>>>>> PIDFILE=/var/run/syslogd.pid
>>>>>
>>>>> prog=rsyslogd
>>>>> #exec=/sbin/rsyslogd
>>>>> exec=/usr/sbin/rsyslogd
>>>>> lockfile=/var/lock/subsys/$prog
>>>>>
>>>>> start() {
>>>>>        [ -x $exec ] || exit 5
>>>>>
>>>>>        # Source config
>>>>>        if [ -f /etc/sysconfig/rsyslog ] ; then
>>>>>                . /etc/sysconfig/rsyslog
>>>>>        fi
>>>>>        umask 077
>>>>>
>>>>>        echo -n $"Starting system logger: "
>>>>>        daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS
>>>>>        RETVAL=$?
>>>>>        echo
>>>>>        [ $RETVAL -eq 0 ] && touch $lockfile
>>>>>        return $RETVAL
>>>>> }
>>>>> stop() {
>>>>>        echo -n $"Shutting down system logger: "
>>>>>        killproc $prog
>>>>>        RETVAL=$?
>>>>>        echo
>>>>>        [ $RETVAL -eq 0 ] && rm -f $lockfile
>>>>>        return $RETVAL
>>>>> }
>>>>> reload()  {
>>>>>    RETVAL=1
>>>>>    syslog=$(cat "${PIDFILE}" 2>/dev/null)
>>>>>    echo -n "Reloading system logger..."
>>>>>    if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
>>>>>        kill -HUP "$syslog";
>>>>>        RETVAL=$?
>>>>>    fi
>>>>>    if [ $RETVAL -ne 0 ]; then
>>>>>        failure
>>>>>    else
>>>>>        success
>>>>>    fi
>>>>>    echo
>>>>>    return $RETVAL
>>>>> }
>>>>> rhstatus() {
>>>>>        status -p "${PIDFILE}" $prog
>>>>> }
>>>>> restart() {
>>>>>        stop
>>>>>        start
>>>>> }
>>>>>
>>>>> case "$1" in
>>>>>  start)
>>>>>        start
>>>>>        ;;
>>>>>  stop)
>>>>>        stop
>>>>>        ;;
>>>>>  restart)
>>>>>        restart
>>>>>        ;;
>>>>>  reload|force-reload)
>>>>>        reload
>>>>>        ;;
>>>>>  status)
>>>>>        rhstatus
>>>>>        ;;
>>>>>  condrestart|try-restart)
>>>>>        rhstatus >/dev/null 2>&1 || exit 0
>>>>>        restart
>>>>>        ;;
>>>>>  *)
>>>>>        echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status}"
>>>>>        exit 2
>>>>> esac
>>>>>
>>>>> exit $?
>>>>>
>>>>> 2012/2/2 Rainer Gerhards <rgerhards at hq.adiscon.com>
>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Maymann
>>>>>>> Sent: Wednesday, February 01, 2012 9:08 AM
>>>>>>> To: rsyslog-users
>>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> David: thanks - got it working with permission dropping, by far my
>>>>>>> preferred configuration... just didn't know of it...:-) !
>>>>>>> Rainer: please let us know if the debug info of the "permission dropping:
>>>>>>> hang+timeout" I sent you can solve anything... anyway it works now - but
>>>>>>> not optimal if other people have to service my setup...:-) !
>>>>>>
>>>>>> I have reviewed the debug log and I see nothing unexpected. From the
>>>>>> timestamps I also see that there is no hang whatsoever. So it looks like
>>>>>> there is some problem with the startup script, which I don't know. I suggest
>>>>>> to ask what the FAILED status is caused by. We can then look why this
>>>>>> happens.
>>>>>>
>>>>>> Sorry I have no better answer...
>>>>>> Rainer
>>>>>>
>>>>>>> Thanks in advance :-) !
>>>>>>> ~maymann
>>>>>>>
>>>>>>> 2012/2/1 <david at lang.hm>
>>>>>>>
>>>>>>>> On Tue, 31 Jan 2012, Michael Maymann wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I have now setup a 6.3.6-devel rsyslog server that is working fine running
>>>>>>>>> as root.
>>>>>>>>> I would like to run it as non-root user as my logfiles are located on NFS
>>>>>>>>> (and root export of NFS is generally not a good idea !).
>>>>>>>>>
>>>>>>>>> Here is my rsyslog.conf:
>>>>>>>>> #LOAD MODULES
>>>>>>>>> $ModLoad imudp
>>>>>>>>> $UDPServerRun 514
>>>>>>>>> $UDPServerAddress 127.0.0.1
>>>>>>>>> $ModLoad imtcp
>>>>>>>>> $InputTCPServerRun 514
>>>>>>>>> #SET DESTINATION FOR LOGS
>>>>>>>>> $template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>>>>>>>>> $template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>>>>>>>>> $template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>>>>>>>>> $template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>>>>>>>>> $template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>>>>>>>>> $template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>>>>>>>>> $template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>>>>>>>> #SET LOGGING CONDITIONS
>>>>>>>>> if $syslogseverity <= '6' then ?DYNmessages
>>>>>>>>> if $syslogfacility-text == 'authpriv' then ?DYNsecure
>>>>>>>>> if $syslogfacility-text == 'mail' then ?DYNmaillog
>>>>>>>>> if $syslogfacility-text == 'cron' then ?DYNcron
>>>>>>>>> if $syslogseverity-text == 'crit' then ?DYNspooler
>>>>>>>>> if $syslogfacility-text == 'local7' then ?DYNboot
>>>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' then ?DYNtraps
>>>>>>>>>
>>>>>>>>> Here is my logfile when I try to start rsyslog as a non-root user:
>>>>>>>>> 2012-01-31T15:45:52.997693+02:00 <hostname> rsyslogd: [origin software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info="http://www.rsyslog.com"] start
>>>>>>>>> 2012-01-31T15:45:52.997294+02:00 <hostname> rsyslogd: bind: Permission denied
>>>>>>>>> 2012-01-31T15:45:52.997369+02:00 <hostname> rsyslogd: bind: Permission denied
>>>>>>>>> 2012-01-31T15:45:52.997374+02:00 <hostname> rsyslogd: No UDP listen socket could successfully be initialized, message reception via UDP disabled.
>>>>>>>>> 2012-01-31T15:45:52.997376+02:00 <hostname> rsyslogd: imudp: no listeners could be started, input not activated.
>>>>>>>>> 2012-01-31T15:45:52.997379+02:00 <hostname> rsyslogd3: activation of module imudp failed [try http://www.rsyslog.com/e/-3 ]
>>>>>>>>> 2012-01-31T15:45:52.997643+02:00 <hostname> rsyslogd-2077: Could not create tcp listener, ignoring port 514. [try http://www.rsyslog.com/e/2077 ]
>>>>>>>>>
>>>>>>>>> So permissions to bind and sockets seem to be the problem...
>>>>>>>>>
>>>>>>>>>
>>>>>>>> yes, you cannot bind to ports <1024 as a normal user (without making some
>>>>>>>> other non-standard changes through sysctl)
>>>>>>>>
>>>>>>>>> 1. Is it possible to make rsyslog write logfiles as a non-root user - if
>>>>>>>>> yes: how ?
>>>>>>>>
>>>>>>>> permission drop features
>>>>>>>>
>>>>>>>>> 2a. Is it possible to add permissions for non-root user to run rsyslog
>>>>>>>>> server - if yes: how ?
>>>>>>>>
>>>>>>>> pick a listening port > 1024 and it should work.
>>>>>>>>
>>>>>>>>> 2b. How do I start rsyslog during boot as non-root user - can chkconfig do
>>>>>>>>> this ? do I need to edit /etc/init.d/rsyslog - if yes: how ?
>>>>>>>>
>>>>>>>> su can run a command as a different user.
>>>>>>>>
>>>>>>>> although as Rainer points out, you may just be looking for the permission
>>>>>>>> dropping features that are already in rsyslog.
>>>>>>>>
>>>>>>>> David Lang
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> rsyslog mailing list
>>>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>>>>> http://www.rsyslog.com/professional-services/
>
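
A check for the state described in the thread, where the init script prints FAILED yet an rsyslogd owned by the PrivDropToUser account keeps running under init. This is an added example, not code from the thread or from rsyslog; the function name `classify_rsyslogd`, its result words and the sample account name `logsvc` are assumptions, while the PID file path is the one from the posted init script.

```sh
#!/bin/sh
# Added example, not from the thread. Classifies rsyslogd from
# `ps -eo user=,pid=,ppid=,args=` lines and compares the surviving PID with
# the PID file that the init script hands to `daemon --pidfile`.

PIDFILE=${PIDFILE:-/var/run/syslogd.pid}   # path from the posted init script

# Constructed samples modelled on the BEFORE/AFTER listings in the thread;
# "logsvc" is a hypothetical stand-in for the PrivDropToUser account.
SAMPLE_BEFORE='root 9126 9125 /usr/sbin/rsyslogd -c 6
logsvc 9131 9126 /usr/sbin/rsyslogd -c 6'
SAMPLE_AFTER='logsvc 9131 1 /usr/sbin/rsyslogd -c 6'

# classify_rsyslogd PIDFILE   (stdin: "USER PID PPID ARGS..." lines)
# Prints one of:
#   not-running
#   root-only    rsyslogd runs, but no privilege drop is in effect
#   starting     root parent and unprivileged child are both alive
#   dropped pid=N user=U ppid=P pidfile=match|missing|stale
classify_rsyslogd() {
    awk -v pidfile="$1" '
        BEGIN {
            # First line of the PID file, digits only; empty if unreadable.
            recorded = ""
            if ((getline line < pidfile) > 0) { gsub(/[^0-9]/, "", line); recorded = line }
        }
        $4 ~ /(^|\/)rsyslogd$/ {
            if ($1 == "root") { roots++ }
            else { dropped++; user = $1; pid = $2; ppid = $3 }
        }
        END {
            if (roots + dropped == 0) { print "not-running"; exit }
            if (dropped == 0)         { print "root-only"; exit }
            if (roots > 0)            { print "starting"; exit }
            state = (recorded == "") ? "missing" : (recorded == pid ? "match" : "stale")
            printf "dropped pid=%s user=%s ppid=%s pidfile=%s\n", pid, user, ppid, state
        }'
}

if [ "${1:-}" = "live" ]; then
    # Inspect the running system.
    ps -eo user=,pid=,ppid=,args= | classify_rsyslogd "$PIDFILE"
else
    # Offline demonstration on the constructed samples.
    printf '%s\n' "$SAMPLE_BEFORE" | classify_rsyslogd "$PIDFILE"
    printf '%s\n' "$SAMPLE_AFTER"  | classify_rsyslogd "$PIDFILE"
fi
```

A `pidfile=missing` or `pidfile=stale` result means the `status -p` and `reload` branches of the posted init script have no valid PID to act on, even though the daemon is running with dropped privileges.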


